summaryrefslogtreecommitdiff
path: root/docs/Samba-Guide
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2004-06-20 12:43:16 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:45:56 -0500
commit83a17815a7689f1f6f7ca57161a0e804277c75f9 (patch)
treee1cec10510da7038e843f71c9ba95a0e6bc5f494 /docs/Samba-Guide
parent9eb45e211cbc28bbd28837a17dcec3df29d6f455 (diff)
downloadsamba-83a17815a7689f1f6f7ca57161a0e804277c75f9.tar.gz
samba-83a17815a7689f1f6f7ca57161a0e804277c75f9.tar.bz2
samba-83a17815a7689f1f6f7ca57161a0e804277c75f9.zip
New structure for the docs:
- Same name for a doc everywhere (howto -> Samba-HOWTO-Collection, etc) - Shorter and more clearly structured Makefile - Make it possible to change the paths for the images (This used to be commit 96f6c05f25acc8a9bb1977b8bd5cc97ce511b6b1)
Diffstat (limited to 'docs/Samba-Guide')
-rw-r--r--docs/Samba-Guide/Chap01-WindowsNetworkingPrimer.xml1292
-rw-r--r--docs/Samba-Guide/Chap02-SimpleOfficeServer.xml1590
-rw-r--r--docs/Samba-Guide/Chap03-TheSmallOffice.xml1301
-rw-r--r--docs/Samba-Guide/Chap04-SecureOfficeServer.xml2750
-rw-r--r--docs/Samba-Guide/Chap05-500UserNetwork.xml1996
-rw-r--r--docs/Samba-Guide/Chap06-MakingHappyUsers.xml3786
-rw-r--r--docs/Samba-Guide/Chap07-2000UserNetwork.xml1760
-rw-r--r--docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml1242
-rw-r--r--docs/Samba-Guide/Chap09-AddingUNIXClients.xml2516
-rw-r--r--docs/Samba-Guide/Chap10-KerberosFastStart.xml2086
-rw-r--r--docs/Samba-Guide/Chap10b-DomainAppsSupport.xml1100
-rw-r--r--docs/Samba-Guide/Chap11-HighAvailability.xml766
-rw-r--r--docs/Samba-Guide/Chap12-Appendix.xml1641
-rw-r--r--docs/Samba-Guide/acknowledgements.xml60
-rw-r--r--docs/Samba-Guide/conventions.xml64
-rw-r--r--docs/Samba-Guide/foreword.xml118
-rw-r--r--docs/Samba-Guide/front-matter.xml22
-rw-r--r--docs/Samba-Guide/glossary.xml270
-rw-r--r--docs/Samba-Guide/gpl.xml423
-rw-r--r--docs/Samba-Guide/images/AccountingNetwork.diabin0 -> 2002 bytes
-rw-r--r--docs/Samba-Guide/images/AccountingNetwork.pngbin0 -> 12581 bytes
-rw-r--r--docs/Samba-Guide/images/Charity-Network.diabin0 -> 2588 bytes
-rw-r--r--docs/Samba-Guide/images/Charity-Network.pngbin0 -> 14160 bytes
-rw-r--r--docs/Samba-Guide/images/Domain-WorkgroupAnnouncement.pngbin0 -> 37482 bytes
-rw-r--r--docs/Samba-Guide/images/HostAnnouncment.pngbin0 -> 38156 bytes
-rw-r--r--docs/Samba-Guide/images/LocalMasterAnnouncement.pngbin0 -> 38525 bytes
-rw-r--r--docs/Samba-Guide/images/NullConnect.pngbin0 -> 21931 bytes
-rw-r--r--docs/Samba-Guide/images/UNIX-Samba-and-LDAP.diabin0 -> 2395 bytes
-rw-r--r--docs/Samba-Guide/images/UNIX-Samba-and-LDAP.pngbin0 -> 26820 bytes
-rw-r--r--docs/Samba-Guide/images/UserConnect.pngbin0 -> 22583 bytes
-rw-r--r--docs/Samba-Guide/images/UserMgrNT4.pngbin0 -> 24026 bytes
-rw-r--r--docs/Samba-Guide/images/WINREPRESSME-Capture.pngbin0 -> 57046 bytes
-rw-r--r--docs/Samba-Guide/images/WINREPRESSME-Capture2.pngbin0 -> 50864 bytes
-rw-r--r--docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-ProtocolStats.pngbin0 -> 6460 bytes
-rw-r--r--docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-TraceStats.pngbin0 -> 8005 bytes
-rw-r--r--docs/Samba-Guide/images/WindowsXP-NullConnection.pngbin0 -> 23120 bytes
-rw-r--r--docs/Samba-Guide/images/WindowsXP-UserConnection.pngbin0 -> 24505 bytes
-rw-r--r--docs/Samba-Guide/images/XP-screen001.pngbin0 -> 14290 bytes
-rw-r--r--docs/Samba-Guide/images/acct2net.diabin0 -> 2948 bytes
-rw-r--r--docs/Samba-Guide/images/acct2net.pngbin0 -> 15985 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.diabin0 -> 1262 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.pngbin0 -> 8285 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-dual-additive-LDAP.diabin0 -> 1375 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-dual-additive-LDAP.pngbin0 -> 11799 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-fail-overLDAP.diabin0 -> 1130 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-fail-overLDAP.pngbin0 -> 6227 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-singleLDAP.diabin0 -> 948 bytes
-rw-r--r--docs/Samba-Guide/images/ch7-singleLDAP.pngbin0 -> 3028 bytes
-rw-r--r--docs/Samba-Guide/images/ch8-migration.diabin0 -> 1779 bytes
-rw-r--r--docs/Samba-Guide/images/ch8-migration.pngbin0 -> 16610 bytes
-rw-r--r--docs/Samba-Guide/images/chap4-net.diabin0 -> 3356 bytes
-rw-r--r--docs/Samba-Guide/images/chap4-net.pngbin0 -> 24030 bytes
-rw-r--r--docs/Samba-Guide/images/chap5-net.diabin0 -> 4528 bytes
-rw-r--r--docs/Samba-Guide/images/chap5-net.pngbin0 -> 39268 bytes
-rw-r--r--docs/Samba-Guide/images/chap6-net.diabin0 -> 4698 bytes
-rw-r--r--docs/Samba-Guide/images/chap6-net.pngbin0 -> 40201 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-idresol.diabin0 -> 2757 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-idresol.pngbin0 -> 21304 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net-A.diabin0 -> 9625 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net-A.pngbin0 -> 85518 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net-Ar.pngbin0 -> 97993 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net.diabin0 -> 9256 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net.pngbin0 -> 75323 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2-B.diabin0 -> 9831 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2-B.pngbin0 -> 88103 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2-Br.pngbin0 -> 99789 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2.diabin0 -> 9769 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2.pngbin0 -> 86194 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-net2r.pngbin0 -> 95770 bytes
-rw-r--r--docs/Samba-Guide/images/chap7-netr.pngbin0 -> 84215 bytes
-rw-r--r--docs/Samba-Guide/images/chap9-ADSDC.diabin0 -> 3024 bytes
-rw-r--r--docs/Samba-Guide/images/chap9-ADSDC.pngbin0 -> 32779 bytes
-rw-r--r--docs/Samba-Guide/images/chap9-SambaDC.diabin0 -> 3403 bytes
-rw-r--r--docs/Samba-Guide/images/chap9-SambaDC.pngbin0 -> 30331 bytes
-rw-r--r--docs/Samba-Guide/images/lam-config.pngbin0 -> 73791 bytes
-rw-r--r--docs/Samba-Guide/images/lam-group-members.pngbin0 -> 64719 bytes
-rw-r--r--docs/Samba-Guide/images/lam-groups.pngbin0 -> 80476 bytes
-rw-r--r--docs/Samba-Guide/images/lam-hosts.pngbin0 -> 73319 bytes
-rw-r--r--docs/Samba-Guide/images/lam-login.pngbin0 -> 66970 bytes
-rw-r--r--docs/Samba-Guide/images/lam-users.pngbin0 -> 83488 bytes
-rw-r--r--docs/Samba-Guide/images/openmag.pngbin0 -> 18146 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp001.pngbin0 -> 31712 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp004.pngbin0 -> 29694 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp006.pngbin0 -> 12651 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp007.pngbin0 -> 12781 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp008.pngbin0 -> 19550 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp010.pngbin0 -> 19725 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp011.pngbin0 -> 8579 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp012.pngbin0 -> 8918 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp013.pngbin0 -> 30107 bytes
-rw-r--r--docs/Samba-Guide/images/wxpp015.pngbin0 -> 9713 bytes
-rw-r--r--docs/Samba-Guide/index.xml53
-rw-r--r--docs/Samba-Guide/inside-cover.xml47
-rw-r--r--docs/Samba-Guide/preface.xml437
94 files changed, 25320 insertions, 0 deletions
diff --git a/docs/Samba-Guide/Chap01-WindowsNetworkingPrimer.xml b/docs/Samba-Guide/Chap01-WindowsNetworkingPrimer.xml
new file mode 100644
index 0000000000..d677e4cba3
--- /dev/null
+++ b/docs/Samba-Guide/Chap01-WindowsNetworkingPrimer.xml
@@ -0,0 +1,1292 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="primer">
+ <title>Networking Primer</title>
+
+<?latex \pagenumbering{arabic} ?>
+
+ <para>
+ You are about to use the equivalent of a microscope to look at the information
+ that runs through the veins of a Windows network. We do more to observe the information than
+ to interrogate it. When you are done with this chapter, you should have a good understanding
+ of the types of information that flow over the network. Do not worry, this is not
+ a biology lesson. We won't lose you in unnecessary detail. Think to yourself, <quote>This
+ is easy,</quote> then tackle each exercise without fear.
+ </para>
+
+ <para>
+ Samba can be configured with a minimum of complexity. Simplicity should be mastered
+ before you get too deeply into complexities. Let's get moving, we have work to do.
+ </para>
+
+<sect1>
+ <title>Requirements and Notes</title>
+ <para>
+ Successful completion of this chapter requires two Microsoft Windows 9x/Me Workstations,
+ as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
+ card connected using a hub. Also required is one additional server (either Windows
+ NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
+ sniffer and analysis application (ethereal is a good choice). All work should be undertaken
+ on a quiet network where there is no other traffic. It is best to use a dedicated hub
+ with only the machines under test connected at the time of the exercises.
+ </para>
+
+ <para><indexterm>
+ <primary>Ethereal</primary>
+ </indexterm>
+ Ethereal has become the network protocol analyzer of choice for many network administrators.
+ You may find more information regarding this tool from the
+ <ulink url="http://www.ethereal.com">Ethereal</ulink> Web site. Ethereal installation
+ files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with
+ SUSE and Red Hat Linux distributions, as well as many other Linux distributions. It may
+ not be installed on your system by default. If it is not installed, you may also need
+ to install the <command>libpcap </command> software before you can install or use Ethereal.
+ Please refer to the instructions for your operating system or to the Ethereal Web site
+ for information regarding the installation and operation of Ethereal.
+ </para>
+
+ <para>
+ To obtain <command>ethereal</command> for your system, please visit the Ethereal
+ <ulink url="http://www.ethereal.com/download.html#binaries">download site.</ulink>
+ </para>
+
+ <note><para>
+ The successful completion of this chapter requires that you capture network traffic
+ using <command>ethereal</command>. It is recommended that you use a hub, not an
+ etherswitch. It is necessary for the device used to act as a repeater, not as a
+ filter. Ethernet switches may filter out traffic that is not directed at the machine
+ that is used to monitor traffic; this would not allow you to complete the projects.
+ </para></note>
+
+ <para>
+ <indexterm><primary>network</primary><secondary>captures</secondary></indexterm>
+ Do not worry too much if you do not have access to all this equipment; network captures
+ from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
+ into the analytical part of the exercises if you so desire.
+ </para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>sniffer</secondary>
+ </indexterm><indexterm>
+ <primary>protocol analysis</primary>
+ </indexterm>
+ Please do not be alarmed at the use of a high-powered analysis tool (ethereal) in this
+ first chapter. We expose you only to a minimum of detail necessary to complete
+ the exercises in this chapter. If you choose to use any other network sniffer and protocol
+ analysis tool, be advised that it may not allow you to examine the contents of
+ recently added security protocols used by Windows 200x/XP.
+ </para>
+
+ <para>
+ You could just skim through the exercises and try to absorb the key points made.
+ The exercises provide all the information necessary to convince the die-hard network
+ engineer. You possibly do not require so much convincing and may just want to move on,
+ in which case you should at least read <link linkend="chap01conc"/>.
+ </para>
+
+ <para>
+ <link linkend="chap01qa"/> also provides useful information
+ that may help you to avoid significantly time-consuming networking problems.
+ </para>
+</sect1>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
+ network computing. If you want a solid technical grounding, do not gloss over these exercises.
+ The points covered are recurrent issues on the Samba mailing lists.
+ </para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>broadcast</secondary>
+ </indexterm>
+ You can see from these exercises that Windows networking involves quite a lot of network
+ broadcast traffic. You can look into the contents of some packets, but only to see
+ some particular information that the Windows client sends to a server in the course of
+ establishing a network connection.
+ </para>
+
+ <para>
+ To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
+ It is only when you start looking at network traffic and noting the protocols
+ and types of information that are used that you can begin to appreciate the complexities of
+ Windows networking and, more importantly, what needs to be configured so that it can work.
+ Detailed information regarding browsing is provided in the recommended
+ preparatory reading.
+ </para>
+
+ <para>
+ Recommended preparatory reading: <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> (TOSHARG)
+ Chapter 9, <quote>Network Browsing,</quote> and Chapter 3, <quote>Server Types and
+ Security Modes.</quote>
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para><indexterm>
+ <primary>browsing</primary>
+ </indexterm>
+ You are about to witness how Microsoft Windows computer networking functions. The
+ exercises step through identification of how a client machine establishes a
+ connection to a remote Windows server. You observe how Windows machines find
+ each other (i.e., how browsing works), and how the two key types of user identification
+ (share mode security and user mode security) are affected.
+ </para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>analyzer</secondary>
+ </indexterm>
+ The networking protocols used by MS Windows networking when working with Samba
+ use TCP/IP as the transport protocol. The protocols that are specific to Windows
+ networking are encapsulated in TCP/IP. The network analyzer we use (ethereal)
+ is able to show you the contents of the TCP/IP packets (or messages).
+ </para>
+
+ <procedure id="chap01tasks">
+ <title>Chapter 1 &smbmdash; Tasks</title>
+
+ <step><para><indexterm>
+ <primary>network</primary>
+ <secondary>trace</secondary>
+ </indexterm><indexterm>
+ <primary>host announcement</primary>
+ </indexterm><indexterm>
+ <primary>name resolution</primary>
+ </indexterm>
+ Examine network traces to witness SMB broadcasts, host announcements,
+ and name resolution processes.
+ </para></step>
+
+ <step><para>
+ Examine network traces to witness how share mode security functions.
+ </para></step>
+
+ <step><para>
+ Examine network traces to witness the use of user mode security.
+ </para></step>
+
+ <step><para>
+ Review traces of network logons for a Windows 9x/Me client as well as
+ a Domain logon for a Windows XP Professional client.
+ </para></step>
+ </procedure>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Exercises</title>
+
+ <para>
+ <indexterm><primary>ethereal</primary></indexterm>
+ You are embarking on a course of discovery. The first part of the exercise requires
+ two MS Windows 9x/Me systems. We called one machine <constant>WINEPRESSME</constant> and the
+ other <constant>MILGATE98</constant>. Each needs an IP address; we used <literal>10.1.1.10</literal>
+ and <literal>10.1.1.11</literal>. The test machines need to be networked via a <emphasis>hub</emphasis>. A UNIX/Linux
+ machine is required to run <command>ethereal</command> to enable the network activity to be captured.
+ It is important that the machine from which network activity is captured must not interfere with
+ the operation of the Windows workstations. It is helpful for this machine to be passive (does not
+ send broadcast information) to the network.
+ </para>
+
+ <para>
+ For these exercises, our test environment consisted of a SUSE 8.2 Professional Linux Workstation running
+ VMWare 3.2. The following VMWare images were prepared:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Windows 98 &smbmdash; name: MILGATE98.</para></listitem>
+ <listitem><para>Windows Me &smbmdash; name: WINEPRESSME.</para></listitem>
+ <listitem><para>Windows XP Professional &smbmdash; name: LightrayXP.</para></listitem>
+ <listitem><para>Samba-3.0.2 running on a SUSE Enterprise Linux 8.0 machine.</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Choose a workgroup name (MIDEARTH) for each exercise.
+ </para>
+
+ <para>
+ <indexterm><primary>ethereal</primary></indexterm>
+ The network captures provided on the CD-ROM at the back of this book were captured using <constant>ethereal</constant>
+ version <literal>0.9.10</literal>. A later version suffices without problems, but an earlier version may not
+ expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
+ packets has also been included. This makes it possible for you to do all the studying you like without the need to
+ perform the time-consuming equipment configuration and test work. This is a good time to point out the value
+ that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
+ care and attention to detail.
+ </para>
+
+ <sect2>
+ <title>Single Machine Broadcast Activity</title>
+
+ <para>
+ In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
+ </para>
+
+ <procedure>
+ <step><para>
+ Start the machine from which network activity will be monitored (using <command>ethereal</command>).
+ Launch <command>ethereal</command>, click
+ <menuchoice>
+ <guimenu>Capture</guimenu>
+ <guimenuitem>Start</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para>
+ Click the following:
+ <orderedlist>
+ <listitem>Update list of packets in real time</listitem>
+ <listitem>Automatic scrolling in live capture</listitem>
+ <listitem>Enable MAC name resolution </listitem>
+ <listitem>Enable network name resolution </listitem>
+ <listitem>Enable transport name resolution</listitem>
+ </orderedlist>
+ Click <guibutton>OK</guibutton>.
+ </para></step>
+
+ <step><para>
+ Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
+ do not press any keyboard keys, do not click any on-screen icons or menus; and do not answer any dialog boxes.
+ </para></step>
+
+ <step><para>
+ At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
+ Leave this machine running in preparation for the task in <link linkend="secondmachine"/>.
+ </para></step>
+
+ <step><para>
+ Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
+ was used. Identify the timing between messages of identical types.
+ </para></step>
+
+ </procedure>
+
+ <sect3>
+ <title>Findings</title>
+
+ <para>
+ The summary of the first 10 minutes of the packet capture should look like <link linkend="pktcap01"/>.
+ A screenshot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
+ </para>
+
+ <image id="pktcap01">
+ <imagefile scale="53">WINREPRESSME-Capture.png</imagefile>
+ <description>Windows Me &smbmdash; Broadcasts &smbmdash; The First 10 Minutes</description>
+ </image>
+
+ <image id="pktcap02">
+ <description>Windows Me &smbmdash; Later Broadcast Sample</description>
+ <imagefile scale="57">WINREPRESSME-Capture2.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>Local Master Browser</primary>
+ <see>LMB</see>
+ </indexterm><indexterm>
+ <primary>LMB</primary>
+ </indexterm>
+ Broadcast messages observed are shown in <link linkend="capsstats01"/>.
+ Actual observations vary a little, but not by much.
+ Early in the startup process, the Windows Me machine broadcasts its name for two reasons;
+ first to ensure that its name would not result in a name clash, and second to establish its
+ presence with the Local Master Browser (LMB).
+ </para>
+
+ <table id="capsstats01">
+ <title>Windows Me &smbmdash; Startup Broadcast Capture Statistics</title>
+ <tgroup cols="4">
+ <colspec align="left" colwidth="3*"/>
+ <colspec align="center"/>
+ <colspec align="center"/>
+ <colspec align="left" colwidth="3*"/>
+ <thead>
+ <row>
+ <entry>Message</entry>
+ <entry>Type</entry>
+ <entry>Num</entry>
+ <entry>Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>WINEPRESSME&lt;00&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.6 sec apart.</entry>
+ </row>
+ <row>
+ <entry>WINEPRESSME&lt;03&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.6 sec apart.</entry>
+ </row>
+ <row>
+ <entry>WINEPRESSME&lt;20&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;00&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1d&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1e&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1b&gt;</entry>
+ <entry>Qry</entry>
+ <entry>84</entry>
+ <entry>300 sec apart at stable operation.</entry>
+ </row>
+ <row>
+ <entry>__MSBROWSE__</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>Registered after winning election to Browse Master.</entry>
+ </row>
+ <row>
+ <entry>JHT&lt;03&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 x 2. This is the name of the user that logged onto Windows.</entry>
+ </row>
+ <row>
+ <entry>Host Announcement WINEPRESSME</entry>
+ <entry>Ann</entry>
+ <entry>2</entry>
+ <entry>Observed at 10 sec.</entry>
+ </row>
+ <row>
+ <entry>Domain/Workgroup Announcement MIDEARTH</entry>
+ <entry>Ann</entry>
+ <entry>18</entry>
+ <entry>300 sec apart at stable operation.</entry>
+ </row>
+ <row>
+ <entry>Local Master Announcement WINEPRESSME</entry>
+ <entry>Ann</entry>
+ <entry>18</entry>
+ <entry>300 sec apart at stable operation.</entry>
+ </row>
+ <row>
+ <entry>Get Backup List Request</entry>
+ <entry>Qry</entry>
+ <entry>12</entry>
+ <entry>6 x 2 early in startup, 0.5 sec apart.</entry>
+ </row>
+ <row>
+ <entry>Browser Election Request</entry>
+ <entry>Ann</entry>
+ <entry>10</entry>
+ <entry>5 x 2 early in startup.</entry>
+ </row>
+ <row>
+ <entry>Request Announcement WINEPRESSME</entry>
+ <entry>Ann</entry>
+ <entry>4</entry>
+ <entry>Early in startup.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para><indexterm>
+ <primary>election</primary>
+ </indexterm><indexterm>
+ <primary>browse master</primary>
+ </indexterm>
+ From the packet trace, it should be noted that no messages were propagated over TCP/IP;
+ all employed UDP/IP. When steady state operation has been achieved, there is a cycle
+ of various announcements, re-election of a browse master, and name queries. These create
+ the symphony of announcements by which network browsing is made possible.
+ </para>
+
+ <para><indexterm>
+ <primary>CIFS</primary>
+ </indexterm>
+ For detailed information regarding the precise behavior of the CIFS/SMB protocols, the
+ reader is referred to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
+ by Christopher Hertel, Publisher: Prentice Hall PTR, ISBN: 013047116X.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="secondmachine">
+ <title>Second Machine Startup Broadcast Interaction</title>
+
+ <para>
+ At this time, the machine you used to capture the single system startup trace should still be running.
+ The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
+ </para>
+
+ <procedure>
+ <step><para>
+ On the machine from which network activity will be monitored (using <command>ethereal</command>),
+ launch <command>ethereal</command> and click
+ <menuchoice>
+ <guimenu>Capture</guimenu>
+ <guimenuitem>Start</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para>
+ Click:
+ <orderedlist>
+ <listitem>Update list of packets in real time</listitem>
+ <listitem>Automatic scrolling in live capture</listitem>
+ <listitem>Enable MAC name resolution </listitem>
+ <listitem>Enable network name resolution </listitem>
+ <listitem>Enable transport name resolution</listitem>
+ </orderedlist>
+ Click <guibutton>OK</guibutton>.
+ </para></step>
+
+ <step><para>
+ Start the second Windows 9x/Me machine. Let it run for 15-20 minutes. While monitoring, do not press
+ any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
+ </para></step>
+
+ <step><para>
+ At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
+ can examine the network data capture again at a later date should that be necessary.
+ </para></step>
+
+ <step><para>
+ Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
+ and what interaction took place between the two machines. Leave both machines running for the next task.
+ </para></step>
+ </procedure>
+
+ <sect3>
+ <title>Findings</title>
+
+ <para>
+ <link linkend="capsstats02"/> summarizes capture statistics observed. As in the previous case,
+ all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
+ Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
+ (i.e., the name is already registered by another machine) on the network segment. Those wishing
+ to explore the inner details of the precise mechanism of how this functions should refer to
+ the book <quote>Implementing CIFS: The Common Internet File System,</quote> referred to previously.
+ </para>
+
+ <table id="capsstats02">
+ <title>Second Machine (Windows 98) &smbmdash; Capture Statistics</title>
+ <tgroup cols="4">
+ <colspec align="left" colwidth="3*"/>
+ <colspec align="center"/>
+ <colspec align="center"/>
+ <colspec align="left" colwidth="3*"/>
+ <thead>
+ <row>
+ <entry>Message</entry>
+ <entry>Type</entry>
+ <entry>Num</entry>
+ <entry>Notes</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>MILGATE98&lt;00&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.6 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MILGATE98&lt;03&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.6 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MILGATE98&lt;20&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;00&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1d&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1e&gt;</entry>
+ <entry>Reg</entry>
+ <entry>8</entry>
+ <entry>4 lots of 2, 0.75 sec apart.</entry>
+ </row>
+ <row>
+ <entry>MIDEARTH&lt;1b&gt;</entry>
+ <entry>Qry</entry>
+ <entry>18</entry>
+ <entry>900 sec apart at stable operation.</entry>
+ </row>
+ <row>
+ <entry>JHT&lt;03&gt;</entry>
+ <entry>Reg</entry>
+ <entry>2</entry>
+ <entry>This is the name of the user that logged onto Windows.</entry>
+ </row>
+ <row>
+ <entry>Host Announcement MILGATE98</entry>
+ <entry>Ann</entry>
+ <entry>14</entry>
+ <entry>Every 120 sec.</entry>
+ </row>
+ <row>
+ <entry>Domain/Workgroup Announcement MIDEARTH</entry>
+ <entry>Ann</entry>
+ <entry>6</entry>
+ <entry>900 sec apart at stable operation.</entry>
+ </row>
+ <row>
+ <entry>Local Master Announcement WINEPRESSME</entry>
+ <entry>Ann</entry>
+ <entry>6</entry>
+ <entry>Insufficient detail to determine frequency.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ <indexterm><primary>host announcement</primary></indexterm>
+ <indexterm><primary>Local Master Announcement</primary></indexterm>
+ <indexterm><primary>Workgroup Announcement</primary></indexterm>
+ Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
+ and Local Master Announcements is instructive. These messages convey a significant
+ level of detail regarding the nature of each machine that is on the network. An example
+ dissection of a Host Announcement is given in <link linkend="hostannounce"/>.
+ </para>
+
+ </sect3>
+
+ <image id="hostannounce">
+ <description>Typical Windows 9x/Me Host Announcement</description>
+ <imagefile scale="55">HostAnnouncment.png</imagefile>
+ </image>
+
+ </sect2>
+
+ <sect2>
+ <title>Simple Windows Client Connection Characteristics</title>
+
+ <para>
+ The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
+ connections with remote servers. The methodology involves analysis of a key aspect of how
+ Windows clients access remote servers: the session setup protocol.
+ </para>
+
+ <procedure>
+ <step><para>
+ Configure a Windows 9x/Me machine (MILGATE98) with a share called <constant>Stuff</constant>.
+ Create a <parameter>Full Access</parameter> control password on this share.
+ </para></step>
+
+ <step><para>
+ Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
+ no shared resources.
+ </para></step>
+
+ <step><para>
+ Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
+ machines using a user name (JHT) of your choice. Wait approximately two minutes before proceeding.
+ </para></step>
+
+ <step><para>
+ Start ethereal (or the network sniffer of your choice).
+ </para></step>
+
+ <step><para>
+ From the WINEPRESSME machine, right-click <guimenu>Network Neighborhood</guimenu>, select
+ <guimenuitem>Explore</guimenuitem>, select
+ <menuchoice>
+ <guimenuitem>My Network Places</guimenuitem>
+ <guimenuitem>Entire Network</guimenuitem>
+ <guimenuitem>MIDEARTH</guimenuitem>
+ <guimenuitem>MILGATE98</guimenuitem>
+ <guimenuitem>Stuff</guimenuitem>
+ </menuchoice>.
+ Enter the password you set for the <constant>Full Control</constant> mode for the
+ <constant>Stuff</constant> share.
+ </para></step>
+
+ <step><para>
+ When the share called <constant>Stuff</constant> is being displayed, stop the capture.
+ Save the captured data in case it is needed for later analysis.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>session setup</primary></indexterm>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <constant>Session Setup AndX, User: anonymous; Tree Connect AndX,
+ Path: \\MILGATE98\IPC$</constant>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Session Setup</primary>
+ </indexterm><indexterm>
+ <primary>Tree Connect</primary>
+ </indexterm>
+ In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request,
+ and Tree Connect AndX Request</constant>. Examine both operations. Identify the name of
+ the user Account and what password was used. The Account name should be empty.
+ This is a <constant>NULL</constant> session setup packet.
+ </para></step>
+
+ <step><para>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <constant>Session Setup AndX</constant>. Locate the last such packet
+ that was targeted at the <constant>\\MILGATE98\IPC$</constant> service.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>password length</primary></indexterm>
+ <indexterm><primary>User Mode</primary></indexterm>
+ Dissect this packet as per the one above. This packet should have a password length
+ of 24 (characters) and should have a password field, the contents of which is a
+ long hexadecimal number. Observe the name in the Account field. This is a User Mode
+ session setup packet.
+ </para></step>
+ </procedure>
+
+ <sect3>
+ <title>Findings and Comments</title>
+
+ <para>
+ <indexterm><primary>IPC$</primary></indexterm>
+ The <constant>IPC$</constant> share serves a vital purpose<footnote>TOSHARG, Sect 4.5.1</footnote>
+ in SMB/CIFS based networking. A Windows client connects to this resource to obtain the list of
+ resources that are available on the server. The server responds with the shares and print queues that
+ are available. In most but not all cases, the connection is made with a <constant>NULL</constant>
+ username and a <constant>NULL</constant> password.
+ </para>
+
+ <para>
+ <indexterm><primary>account credentials</primary></indexterm>
+ The two packets examined are material evidence with respect to how Windows clients may
+ interoperate with Samba. Samba requires every connection setup to be authenticated using
+ valid UNIX account credentials (UID/GID). This means that even a <constant>NULL</constant>
+ session setup can be established only by automatically mapping it to a valid UNIX
+ account.
+ </para>
+
+ <para>
+ <indexterm><primary>NULL session</primary></indexterm><indexterm>
+ <primary>guest account</primary>
+ </indexterm>
+ <indexterm><primary>nobody</primary></indexterm>
+ Samba has a special name for the <constant>NULL</constant>, or empty, user account.
+ It calls that the <smbconfoption><name>guest account</name></smbconfoption>. The
+ default value of this parameter is <constant>nobody</constant>; however, this can be
+ changed to map the function of the guest account to any other UNIX identity. Some
+ UNIX administrators prefer to map this account to the system default anonymous
+ FTP account. A sample NULL Session Setup AndX packet dissection is shown in
+ <link linkend="nullconnect"/>.
+ </para>
+
+ <image id="nullconnect">
+ <description>Typical Windows 9x/Me NULL SessionSetUp AndX Request</description>
+
+ <imagefile scale="65">NullConnect.png</imagefile>
+ </image>
+
+ <para>
+ <indexterm><primary>nobody</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>guest account</primary></indexterm>
+ When a UNIX/Linux system does not have a <constant>nobody</constant> user account
+ (<filename>/etc/passwd</filename>), the operation of the <constant>NULL</constant>
+ account cannot validate and thus connections that utilize the guest account
+ fail. This breaks all ability to browse the Samba server and is a common
+ problem reported on the Samba mailing list. A sample User Mode Session Setup AndX
+ is shown in <link linkend="userconnect"/>.
+ </para>
+
+ <image id="userconnect">
+ <description>Typical Windows 9x/Me User SessionSetUp AndX Request</description>
+ <imagefile scale="65">UserConnect.png</imagefile>
+ </image>
+
+ <para>
+ <indexterm><primary>encrypted</primary></indexterm>
+ The User Mode connection packet contains the account name and the domain name.
+ The password is provided in Microsoft encrypted form, and its length is shown
+ as 24 characters. This is the length of Microsoft encrypted passwords.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Windows 200x/XP Client Interaction with Samba-3</title>
+
+ <para>
+ By now you may be asking, <quote>Why did you choose to work with Windows 9x/Me?</quote>
+ </para>
+
+ <para>
+ First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
+ on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
+ Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
+ follows the same principles.
+ </para>
+
+ <para>
+ The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
+ updates also uses the <constant>NULL</constant> account, as well as user accounts. Simply follow the procedure
+ to complete this exercise.
+ </para>
+
+ <para>
+ To complete this exercise, you need a Windows XP Professional client that has been configured as
+ a Domain Member of either a Samba controlled domain or a Windows NT4 or 200x Active Directory domain.
+ Here we do not provide details for how to configure this, as full coverage is provided later in this book.
+ </para>
+
+ <procedure>
+
+ <step><para>
+ Start your Domain Controller. Also, start the ethereal monitoring machine, launch ethereal,
+ and then wait for the next step to complete.
+ </para></step>
+
+ <step><para>
+ Start the Windows XP Client and wait five minutes before proceeding.
+ </para></step>
+
+ <step><para>
+ On the machine from which network activity will be monitored (using <command>ethereal</command>),
+ launch <command>ethereal</command> and click
+ <menuchoice>
+ <guimenu>Capture</guimenu>
+ <guimenuitem>Start</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para>
+ Click:
+ <orderedlist>
+ <listitem>Update list of packets in real time</listitem>
+ <listitem>Automatic scrolling in live capture</listitem>
+ <listitem>Enable MAC name resolution </listitem>
+ <listitem>Enable network name resolution </listitem>
+ <listitem>Enable transport name resolution</listitem>
+ </orderedlist>
+ Click <guibutton>OK</guibutton>.
+ </para></step>
+
+ <step><para>
+ On the Windows XP Professional client: Press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
+ up the domain logon screen. Log in using valid credentials for a domain user account.
+ </para></step>
+
+ <step><para>
+ Now proceed to connect to the Domain Controller as follows:
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>(right-click) My Network Places</guimenuitem>
+ <guimenuitem>Explore</guimenuitem>
+ <guimenuitem>{Left Panel} [+] Entire Network</guimenuitem>
+ <guimenuitem>{Left Panel} [+] Microsoft Windows Network</guimenuitem>
+ <guimenuitem>{Left Panel} [+] Midearth</guimenuitem>
+ <guimenuitem>{Left Panel} [+] Frodo</guimenuitem>
+ <guimenuitem>{Left Panel} [+] data</guimenuitem>
+ </menuchoice>. Close the explorer window.
+ </para>
+
+ <para>
+ In this step, our domain name is <constant>Midearth</constant>, the domain controller is called
+ <constant>Frodo</constant>, and we have connected to a share called <constant>data</constant>.
+ </para></step>
+
+ <step><para>
+ Stop the capture on the <command>ethereal</command> monitoring machine. Be sure to save the captured data
+ to a file so that you can refer to it again later.
+ </para></step>
+
+ <step><para>
+ If desired, the Windows XP Professional client and the Domain Controller are no longer needed for exercises
+ in this chapter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>NTLMSSP_AUTH</primary></indexterm>
+ <indexterm><primary>session setup</primary></indexterm>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>GSS-API</primary></indexterm>
+ <indexterm><primary>SPNEGO</primary></indexterm>
+ <indexterm><primary>NTLMSSP</primary></indexterm>
+ In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
+ Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
+ entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
+ keys. This should reveal that this is a <constant>NULL</constant> session setup packet.
+ The <constant>User name: NULL</constant> indicates this. An example decode is shown in
+ <link linkend="XPCap01"/>.
+ </para></step>
+
+ <step><para>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <constant>Session Setup AndX Request</constant>. Click the last such packet that
+ has been decoded as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>encrypted password</primary></indexterm>
+ In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
+ Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
+ entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
+ keys. This should reveal that this is a <constant>User Mode</constant> session setup packet.
+ The <constant>User name: jht</constant> indicates this. An example decode is shown in
+ <link linkend="XPCap02"/>. In this case the user name was <constant>jht</constant>. This packet
+ decode includes the <constant>Lan Manager Response:</constant> and the <constant>NTLM Response:</constant>.
+ The value of these two parameters is the Microsoft encrypted password hashes, respectively, the LanMan
+ password and then the NT (case-preserving) password hash.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>password length</primary></indexterm>
+ <indexterm><primary>User Mode</primary></indexterm>
+ The passwords are 24 characters long hexadecimal numbers. This packet confirms that this is a User Mode
+ session setup packet.
+ </para></step>
+
+ </procedure>
+
+ <image id="XPCap01">
+ <description>Typical Windows XP NULL Session Setup AndX Request</description>
+ <imagefile scale="70">WindowsXP-NullConnection.png</imagefile>
+ </image>
+
+ <image id="XPCap02">
+ <description>Typical Windows XP User Session Setup AndX Request</description>
+ <imagefile scale="70">WindowsXP-UserConnection.png</imagefile>
+ </image>
+
+ <sect3>
+ <title>Discussion</title>
+
+ <para><indexterm>
+ <primary>NULL-Session</primary>
+ </indexterm>
+ This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
+ in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
+ remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a
+ <constant>NULL-Session</constant> connection to query and locate resources on an advanced network
+ technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
+ connection must be made before resources can be used.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Conclusions to Exercises</title>
+
+ <para>
+ In summary, the following points have been established in this chapter:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast
+ oriented messaging protocols to provide knowledge of network services.
+ </para></listitem>
+
+ <listitem><para>
+ Network browsing protocols query information stored on Browse Masters that manage
+ information provided by NetBIOS Name Registrations and by way of on-going Host
+ Announcements and Workgroup Announcements.
+ </para></listitem>
+
+ <listitem><para>
+ All Samba servers must be configured with a mechanism for mapping the <constant>NULL-Session</constant>
+ to a valid but non-privileged UNIX system account.
+ </para></listitem>
+
+ <listitem><para>
+ The use of Microsoft encrypted passwords is built right into the fabric of Windows
+ networking operations. Such passwords cannot be provided from the UNIX <filename>/etc/passwd</filename>
+ database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
+ use. Samba-2.x permitted such encrypted passwords to be stored in the <constant>smbpasswd</constant>
+ file or in an LDAP database. Samba-3 permits that use of multiple different <parameter>passdb backend</parameter>
+ databases, in concurrent deploy. Refer to <emphasis>TOSHARG</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="chap01conc">
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>guest account</primary></indexterm>
+ The exercises demonstrate the use of the <constant>guest</constant> account, the way that
+ MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
+ between a client and a server are established.
+ </para>
+
+ <para>
+ Those wishing background information regarding NetBIOS name types should refer to
+ the Microsoft Knowledge Base Article
+ <ulink url="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp">Q102878.</ulink>
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ <indexterm><primary>guest account</primary></indexterm>
+ Network browsing involves SMB broadcast announcements, SMB enumeration requests,
+ connections to the <constant>IPC$</constant> share, share enumerations, and SMB connection
+ setup processes. The use of anonymous connections to a Samba server involve the use of
+ the <parameter>guest account</parameter> that must map to a valid UNIX UID.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="chap01qa">
+ <title>Questions and Answers</title>
+
+ <para>
+ The questions and answers given in this section are designed to highlight important aspects of Microsoft
+ Windows networking.
+ </para>
+
+ <qandaset defaultlabel="chap01qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the significance of the MIDEARTH&lt;1b&gt; type query?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ <indexterm><primary>Domain Master Browser</primary><see>DMB</see></indexterm>
+ <indexterm><primary>DMB</primary></indexterm>
+ This is a broadcast announcement by which the Windows machine is attempting to
+ locate a Domain Master Browser (DMB) in the event that it might exist on the network.
+ Refer to <emphasis>TOSHARG</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing</quote>
+ for details regarding the function of the DMB and its role in network browsing.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the significance of the MIDEARTH&lt;1d&gt; type name registration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ <indexterm><primary>Local Master Browser</primary><see>LMB</see></indexterm>
+ <indexterm><primary>LMB</primary></indexterm>
+ This name registration records the machine IP addresses of the Local Master Browsers (LMBs).
+ Network clients can query this name type to obtain a list of browser servers from the
+ Master Browser.
+ </para>
+
+ <para>
+ The LMB is responsible for monitoring all host announcements on the local network and for
+ collating the information contained within them. Using this information, it can provide answers to other Windows
+ network clients that request information such as:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ The list of machines known to the LMB (i.e., the browse list)
+ </para></listitem>
+
+ <listitem><para>
+ The IP addresses of all Domain Controllers known for the Domain
+ </para></listitem>
+
+ <listitem><para>
+ The IP addresses of LMBs
+ </para></listitem>
+
+ <listitem><para>
+ The IP address of the DMB (if one exists)
+ </para></listitem>
+
+ <listitem><para>
+ The IP address of the LMB on the local segment
+ </para></listitem>
+ </itemizedlist>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the role and significance of the &lt;01&gt;&lt;02&gt;__MSBROWSE__&lt;02&gt;&lt;01&gt;
+ name registration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ <indexterm><primary>Browse Master</primary></indexterm>
+ This name is registered by the Browse Master to broadcast and receive domain announcements.
+ Its scope is limited to the local network segment, or subnet. By querying this name type,
+ Master Browsers on networks that have multiple domains can find the names of Master Browsers
+ for each domain.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the significance of the MIDEARTH&lt;1e&gt; type name registration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ <indexterm><primary>Browser Election Service</primary></indexterm>
+ This name is registered by all Browse Masters in a domain or workgroup. The registration
+ name type is known as the Browser Election Service. Master Browsers register themselves
+ with this name type so that Domain Master Browsers can locate them to perform cross-subnet
+ browse list updates. This name type is also used to initiate elections for Master Browsers.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ <indexterm><primary>guest account</primary></indexterm>
+ What is the significance of the <parameter>guest account</parameter> in smb.conf?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ This parameter specifies the default UNIX account to which MS Windows networking
+ NULL session connections are mapped. The default name for the UNIX account used for
+ this mapping is called <constant>nobody</constant>. If the UNIX/Linux system that
+ is hosting Samba does not have a <constant>nobody</constant> account and an alternate
+ mapping has not been specified, network browsing will not work at all.
+ </para>
+
+ <para>
+ It should be noted that the <parameter>guest account</parameter> is essential to
+ Samba operation. Either the operating system must have an account called <constant>nobody</constant>
+ or there must be an entry in the &smb.conf; file with a valid UNIX account. For example,
+ <smbconfoption><name>guest account</name><value>ftp</value></smbconfoption>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it possible to reduce network broadcast activity with Samba-3?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>NetBIOS</primary></indexterm>
+ Yes, there are two ways to do this. The first involves use of WINS (See <emphasis>TOSHARG</emphasis>, Chapter 9,
+ Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>), the
+ alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
+ a correctly configured DNS server (see <emphasis>TOSHARG</emphasis>, Chapter 9, Section 9.3, <quote>Discussion</quote>).
+ </para>
+
+ <para>
+ <indexterm><primary>broadcast</primary></indexterm>
+ <indexterm><primary>NetBIOS</primary><secondary>Node Type</secondary></indexterm>
+ <indexterm><primary>Hybrid</primary></indexterm>
+ The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
+ clients are configured to operate in <parameter>Hybrid Mode</parameter>. This can be effected through
+ use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
+ beneficial to configure Samba to use <smbconfoption><name>name resolve order</name><value>wins host
+ bcast</value></smbconfoption>.
+ </para>
+
+ <note><para>
+ Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
+ well as with Samba-3.
+ </para></note>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can I just use plain-text passwords with Samba?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
+ </para>
+
+ <para>
+ First, the use of <filename>/etc/passwd</filename> based plain-text passwords requires that registry
+ modifications be made on all MS Windows client machines to enable plain-text passwords support. This
+ significantly diminishes the security of MS Windows client operation. Many network administrators
+ are bitterly opposed to doing this.
+ </para>
+
+ <para>
+ Second, Microsoft has not maintained plain-text password support since the default setting was made
+ disabling this. When network connections are dropped by the client it is not be possible to re-establish
+ the connection automatically. Users need to log off and then log on again. Plain-text password support
+ may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
+ environment.
+ </para>
+
+ <para>
+ Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
+ Just create user accounts by running: <command>smbpasswd -a 'username'</command>
+ </para>
+
+ <para>
+ It is not possible to add a user to the <parameter>passdb backend</parameter> database unless there is
+ a UNIX system account for that user. On systems that run <command>winbindd</command> to access the Samba
+ PDC/BDC to provide Windows user and group accounts, the <parameter>idmap uid, idmap gid</parameter> ranges
+ set in the &smb.conf; file provide the local UID/GIDs needed for local identity management purposes.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What parameter in the &smb.conf; file is used to enable the use of encrypted passwords?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The parameter in the &smb.conf; file that controls this behavior is known as <parameter>encrypt
+ passwords</parameter>. The default setting for this in Samba-3 is <constant>Yes (Enabled)</constant>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it necessary to specify <smbconfoption><name>encrypt passwords</name><value>Yes</value></smbconfoption>
+ when Samba-3 is configured as a Domain Member?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. This is the default behavior.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it necessary to specify a <parameter>guest account</parameter> when Samba-3 is configured
+ as a Domain Member server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. This is a local function on the server. The default setting is to use the UNIX account
+ <constant>nobody</constant>. If this account does not exist on the UNIX server, then it is
+ necessary to provide a <smbconfoption><name>guest account</name><value>an_account</value></smbconfoption>,
+ where <constant>an_account</constant> is a valid local UNIX user account.
+ </para>
+
+ </answer>
+ </qandaentry>
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap02-SimpleOfficeServer.xml b/docs/Samba-Guide/Chap02-SimpleOfficeServer.xml
new file mode 100644
index 0000000000..4e42b52039
--- /dev/null
+++ b/docs/Samba-Guide/Chap02-SimpleOfficeServer.xml
@@ -0,0 +1,1590 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="simple">
+ <title>No Frills Samba Servers</title>
+
+ <para>
+ Congratulations, you managed to get past the opening chapter. To some, this is where the interesting
+ exercises begin. This is the start of the real journey toward the Samba deployment of a lifetime.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ This chapter lays the groundwork for understanding the basics of Samba operation.
+ Instead of a bland technical discussion, each principle is demonstrated by way of a
+ real-world scenario for which a working solution<footnote>The examples given mirror those documented
+ in TOSHARG Chapter 2, Section 2.3.1. You may gain additional insight from the Stand-alone server
+ configurations covered in TOSHARG sections 2.3.1.2 through 2.3.1.4.
+ </footnote> is fully described.
+ </para>
+
+ <para>
+ The practical exercises take you on a journey through a drafting office, a charity administration
+ office, and an accounting office. You may choose to apply any or all of these to your own environment.
+ </para>
+
+ <para>
+ Every assignment case can be implemented far more creatively, but remember that the solutions you
+ create are designed to demonstrate a particular solution possibility. With experience, you should
+ find much improved solutions compared with those presented here. By the time you complete this book,
+ you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your
+ way through the examples.
+ </para>
+
+</sect1>
+<sect1>
+ <title>Assignment Tasks</title>
+
+ <para>
+ Each case presented highlights different aspects of Windows networking for which a simple
+ Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases.
+ Each is briefly reviewed to cover points of highlight. In each example, instructions are based
+ on the assumption that the official Samba Team RPM package has been installed.
+ </para>
+
+ <para>
+ This chapter has three assignments built around ficticious companies:
+ </para>
+
+ <para>
+ <itemizedlist>
+ <listitem><para>A drafting office</para></listitem>
+ <listitem><para>A charity administration office</para></listitem>
+ <listitem><para>An accounting office</para></listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ Let's get started.
+ </para>
+
+ <sect2>
+ <title>Drafting Office</title>
+
+ <para>
+ Our fictitious company is called <emphasis>Abmas Design Inc.</emphasis> This is a three-person
+ computer-aided design (CAD) business that often has more work than can be handled. The
+ business owner hires contract draftspeople from wherever he can. They bring their own
+ notebook computers into the office. There are four permanent drafting machines. Abmas has a
+ collection of over 10 years of plans that must be available for all draftsmen to reference.
+ Abmas hires the services of an experienced network engineer to update the
+ plans that are stored on a central server one day per month. She knows how to upload
+ plans from each machine. The files available from the server must remain read-only.
+ Anyone should be able to access the plans at any time and without barriers or difficulty.
+ </para>
+
+ <para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ Mr. Bob Jordan has asked you to install the new server as economically as possible. The central
+ server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk
+ to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Linux 9.0 and
+ have upgraded Samba to version 3.0.2 using the RPM package that is provided from the Samba
+ <ulink url="http://www.samba.org">FTP</ulink> sites.
+ </para>
+
+ <para><indexterm>
+ <primary>consultant</primary>
+ </indexterm>
+ The four permanent drafting machines (Microsoft Windows workstations) have attached printers
+ and plotters that are shared on a peer-to-peer basis by any/all network users. The intent
+ is to continue to share printers in this manner. The three permanent staff work together with
+ all contractors to store all new work on one PC. A daily copy is made of the work storage
+ area to another PC for safekeeping. When the network consultant arrives, the weekly work
+ area is copied to the central server and the files are removed from the main weekly storage
+ machine. The office works best with this arrangement and does not want to change anything.
+ Old habits are too ingrained.
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>file server</primary>
+ <secondary>read-only</secondary>
+ </indexterm>
+ The requirements for this server installation demand simplicity. An anonymous read-only
+ file server adequately meets all needs. The network consultant determines how
+ to upload all files from the weekly storage area to the server. This installation should
+ focus only on critical aspects of the installation.
+ </para>
+
+ <para>
+ It is not necessary to have specific users on the server. The site has a method for storing
+ all design files (plans). Each plan is stored in a directory that is named YYYYWW<footnote>
+ This information is given purely as an example of how data may be stored in such a way that it
+ will be easy to locate records at a later date. The example is not meant to imply any instructions
+ that may be construed as essential to the design of the solution, this is something you will almost
+ certainly want to determine for yourself.</footnote>, where
+ YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored
+ by week of year to preserve the filing technique the site is familiar with.
+ There is another customer directory that is alphabetically listed. At the top level are 26
+ directories (A-Z), in each is a second level of directory for the first plus second letter of the name
+ (A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic
+ link to each design drawing/plan. This way of storing customer data files permits all
+ plans to be located both by customer name, as well as by the date the work was performed, without
+ demanding the disk space that would be needed if a duplicate file copy were to be stored.
+ The share containing the plans is called <emphasis>Plans</emphasis>.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Implementation</title>
+
+ <para>
+ It is assumed that the server is fully installed and ready for installation and
+ configuration of Samba 3.0.2 and any support files needed. All TCP/IP addresses
+ have been hard coded. In our case the IP address of the Samba server is
+ <constant>192.168.1.1</constant> and the netmask is <constant>255.255.255.0</constant>.
+ The host name of the server used was <constant>server</constant>.
+ </para>
+
+ <procedure>
+ <title>Samba Server Configuration</title>
+
+ <step><para>
+ Download the Samba-3 RPM packages for Red Hat Linux 9.0 from the Samba
+ <ulink url="http://www.samba.org">FTP servers.</ulink>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>RPM</primary>
+ <secondary>install</secondary>
+ </indexterm><indexterm>
+ <primary>package</primary>
+ </indexterm>
+ Install the RPM package as using either the Red Hat Linux preferred GUI
+ tool or using the <command>rpm</command>, as follows:
+<screen>
+&rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm
+</screen>
+ </para></step>
+
+ <step><para>
+ Create a mount point for the file system that will be used to store all data files.
+ You can create a directory called <filename>/plans</filename> as follows:
+<screen>
+&rootprompt; mkdir /plans
+&rootprompt; chmod 755 /plans
+</screen>
+ The 755 permissions on this directory (mount point) permit the owner to read, write
+ and execute, and the group and everyone else to read and execute only.
+ </para>
+
+ <para><indexterm>
+ <primary>file system</primary>
+ <secondary>Ext3</secondary>
+ </indexterm>
+ Use Red Hat Linux system tools (refer to Red Hat instructions for instructions)
+ to format the 160GB hard drive with a suitable file system. An Ext3 file system
+ is suitable. Configure this drive to automatically mount using the <filename>/plans</filename>
+ directory as the mount point.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="draft-smbconf"/> in the
+ <filename>/etc/samba</filename> directory.
+
+<smbconfexample id="draft-smbconf">
+<title>Drafting Office &smb.conf; File</title>
+<smbconfcomment>Global Parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
+<smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
+
+<smbconfsection>[Plans]</smbconfsection>
+<smbconfoption><name>path</name><value>/plans</value></smbconfoption>
+<smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+</smbconfexample>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm>
+ Verify that the <filename>/etc/hosts</filename> file contains the following entry:
+<screen>
+192.168.1.1 server
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>samba</primary>
+ <secondary>starting samba</secondary>
+ </indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and to configure it to restart
+ automatically at every system reboot. For example:
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; /etc/rc.d/init.d/smb restart
+</screen>
+ </para></step>
+
+ </procedure>
+
+ <procedure>
+ <title>Windows Client Configuration</title>
+
+ <step><para>
+ Make certain that all clients are set to the same network address range as
+ has been used for the Samba server. For example, one client might have an IP
+ address 192.168.1.10.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>netmask</primary>
+ </indexterm>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask. For example,
+ 255.255.255.0.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>workgroup</primary>
+ </indexterm>
+ Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
+ </para></step>
+
+ <step><para>
+ Verify on each client that the machine called <constant>SERVER</constant>
+ is visible in the <guimenu>Network Neighborhood</guimenu>, that it is
+ possible to connect to it and see the share <guimenuitem>Plans</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ <sect3 id="validate1">
+ <title>Validation</title>
+
+ <para><indexterm>
+ <primary>validation</primary>
+ </indexterm>
+ The first priority in validating the new Samba configuration should be to check
+ that Samba answers on the loop-back interface. Then it is time to check that Samba
+ answers its own name correctly. Last, check that a client can connect to the Samba
+ server.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ To check the ability to access the <command>smbd</command> daemon
+ services, execute the following:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+ Sharename Type Comment
+ --------- ---- -------
+ Plans Disk
+ IPC$ IPC IPC Service (Samba 3.0.2)
+ ADMIN$ IPC IPC Service (Samba 3.0.2)
+
+ Server Comment
+ --------- -------
+ SERVER Samba 3.0.2
+
+ Workgroup Master
+ --------- --------
+ MIDEARTH SERVER
+</screen>
+ <indexterm>
+ <primary>loopback</primary>
+ </indexterm><indexterm>
+ <primary>NULL connection</primary>
+ </indexterm>
+ This indicates that Samba is able to respond on the loopback interface to
+ a NULL connection. The <parameter>-U%</parameter> means send an empty
+ username and an empty password. This command should be repeated after
+ Samba has been running for 15 minutes.
+ </para></step>
+
+ <step><para>
+ Now verify that Samba correctly handles being passed a username
+ and password, and that it answers its own name. Execute the following:
+<screen>
+&rootprompt; smbclient -L server -Uroot%password
+</screen>
+ The output should be identical to the previous response. Samba has been
+ configured to ignore all usernames given; instead it uses the
+ <parameter>guest account</parameter> for all connections.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Windows Explorer</primary>
+ </indexterm><indexterm>
+ <primary>Network Neighborhood</primary>
+ </indexterm>
+ From the Windows 9x/Me client, launch Windows Explorer,
+ <menuchoice>
+ <guiicon>[Desktop: right-click] Network Neighborhood</guiicon>
+ <guimenu>Explore</guimenu>
+ <guimenuitem>[Left Panel] [+] Entire Network</guimenuitem>
+ <guimenuitem>[Left Panel] [+] Server</guimenuitem>
+ <guimenuitem>[Left Panel] [+] Plans</guimenuitem>
+ </menuchoice>. In the right panel you should see the files and directories
+ (folders) that are in the <guiicon>Plans</guiicon> share.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Charity Administration Office</title>
+
+ <para>
+ The fictitious charity organization is called <emphasis>Abmas Vision NL</emphasis>. This is an
+ office that has five networked computers. Staff are all volunteers with frequent staff changes.
+ Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to
+ use any PC. Only two Windows applications are used: a custom funds tracking and management package
+ that stores all files on the central server and Microsoft Word. The office prepares mail-out
+ letters, letters of invitation, and thank-you notes. All files must be stored in perpetuity.
+ The custom funds tracking and management software has been configured to use a server named
+ <constant>SERVER</constant>, a share named <constant>FTMFILES</constant>, and a printer queue
+ named <constant>PRINTQ</constant> that uses preprinted stationery, thus demanding a
+ dedicated printer. This printer does not need to be mapped to a local printer on the workstations.
+ </para>
+
+ <para><indexterm>
+ <primary>print queue</primary>
+ </indexterm><indexterm>
+ <primary>print spooler</primary>
+ </indexterm>
+ Printer handling in Samba results in a significant level of confusion. Samba presents to the
+ MS Windows client only a print queue. The Samba <command>smbd</command> process passes a
+ print job sent to it from the Windows client to the native UNIX printing system. The native
+ UNIX printing system (spooler) places the job in a print queue from which it is
+ delivered to the printer. In this book, network diagrams refer to a printer by the name
+ of the print queue that services that printer. It does not matter what the fully qualified
+ name (or the host name) of a network attached printer is. The UNIX print spooler is configured
+ to correctly deliver all jobs to the printer.
+ </para>
+
+ <para>
+ This organization has a policy forbidding use of privately owned computers on site as a measure
+ to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are
+ used on this network.
+ </para>
+
+ <para><indexterm>
+ <primary>SUSE Enterprise Linux Server</primary>
+ </indexterm>
+ The central server was donated by a local computer store. It is a dual processor Pentium-III
+ server, has 1GB RAM, a 3-Ware IDE RAID Controller that has 4 x 200GB IDE hard drives, and a
+ 100-base-T network card. The office has 100-base-T permanent network connections that go to
+ a central hub and all equipment is new. The five network computers all are equipped with Microsoft
+ Windows Me. Funding is limited, so the server has no operating system on it. You have approval
+ to install Samba on Linux, but just make sure it works without problems. There are two HP LaserJet
+ 5 PS printers that are network connected. The second printer is to be used for general
+ office and letter printing. Your recommendation to allow only the Linux server to print directly
+ to the printers was accepted. You have supplied SUSE Enterprise Linux Server version 8.0 and
+ have upgraded Samba to version 3.0.2.
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>force user</primary></indexterm><indexterm>
+ <primary>nt acl support</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm>
+ This installation demands simplicity. Frequent turn-over of volunteer staff would indicate that
+ a network environment that requires users to logon might be problematic. It is suggested that the
+ best solution for this office would be one where the user can log onto any PC with any username
+ and password. Samba can accommodate an office like this by using the <parameter>force user</parameter>
+ parameter in share and printer definitions. The use of the <parameter>force user</parameter>
+ ensures that all files are owned by same user identifier (UID) and thus ensures that there
+ will never be a problem with file access due to file access permissions. Additionally, you elect
+ to use the <parameter>nt acl support = No</parameter> option to ensure that no attempts can be
+ made to write access control lists (Posix type) to any file or directory. This prevents
+ an inadvertent ACL from overriding actual file permissions.
+ </para>
+
+ <para>
+ <indexterm><primary>SUID</primary></indexterm>
+ <indexterm><primary>SGID</primary></indexterm>
+ <indexterm><primary>security</primary><secondary>share mode</secondary></indexterm>
+ This organization is a prime candidate for Share Mode security. The <parameter>force user</parameter>
+ allows all files to be owned by the same user and group. In addition to this, it would not hurt to
+ set SUID and set SGID shared directories. This means that all new files that are created, no matter
+ who creates it, are owned by the owner or group of the directory in which they are created.
+ For further information regarding the significance of the SUID/SGID settings, see
+ <link linkend="ch12-SUIDSGID"/>.
+ </para>
+
+ <para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>printing</primary><secondary>raw</secondary></indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm>
+ All client workstations print to a print queue on the server. This ensures that print jobs
+ continue to print in the event that a user may shut down the workstation immediately after
+ sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing.
+ Older Linux systems offered a choice to use either the LPRng printing system, or CUPS. It appears, however,
+ that CUPS has now become the leading UNIX printing technology.
+ </para>
+
+ <para>
+ <indexterm><primary>print queue</primary></indexterm>
+ The print queues are set up as <constant>Raw</constant> devices, which means that CUPS will
+ not do intelligent print processing, and vendor supplied drivers be installed locally on the
+ Windows clients.
+ </para>
+
+ <para>
+ The hypothetical software (Funds Tracking and Management) referred to is representative of
+ custom-built software that directly uses a NetBIOS interface. Most such software originated in
+ the days of MS/PC DOS. NetBIOS names are upper-case (and functionally are case insensitive),
+ thus some old software applications would permit only upper-case names to be entered.
+ Some such applications were later ported to MS Windows but retain the upper-case network
+ resource naming conventions because customers are familiar with that. We made the decision
+ to name shares and print queues for this application in upper-case also for the same reason.
+ Nothing would break if you were to use lower-case names, but that decision might create a need
+ to re-educate staff &smbmdash; something well avoided at this time.
+ </para>
+
+ <para>
+ NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
+ print queue. The print spooling system is responsible for communicating with the physical
+ printer. In this example, therefore, the resource that is referred to as <constant>PRINTQ</constant>
+ really is just a print queue. The name of the print queue is held to be representative of
+ the device to which the print spooler delivers print jobs.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Implementation</title>
+
+ <para>
+ It is assumed that the server is fully installed and ready for configuration of
+ Samba 3.0.2 and for necessary support files. All TCP/IP addresses should be hard coded.
+ In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is
+ 255.255.255.0. The host name of the server used was <constant>server</constant>.
+ The office network is built as shown in <link linkend="charitynet"/>.
+ </para>
+
+ <image id="charitynet">
+ <description>Charity Administration Office Network</description>
+ <imagefile scale="100">Charity-Network.png</imagefile>
+ </image>
+
+ <procedure>
+ <title>Samba Server Configuration</title>
+
+ <step><para><indexterm>
+ <primary>groupadd</primary>
+ </indexterm>
+ Create a group account for office file storage as follows:
+<screen>
+&rootprompt; groupadd office
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>useradd</primary>
+ </indexterm><indexterm>
+ <primary>passwd</primary>
+ </indexterm>
+ Create a user account for office file storage as follows:
+<screen>
+&rootprompt; useradd -m abmas
+&rootprompt; passwd abmas
+Changing password for abmas.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+</screen>
+ where XXXXXXXX is a secret password.
+ </para></step>
+
+ <step><para>
+ Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
+ drives as a single RAID level 5 drive, with one drive set aside as the hot spare.
+ (Refer to the 3-Ware RAID Controller Manual for the manufacturers' preferred procedure.)
+ The resulting drive has a capacity of approximately 500GB of usable space.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>permissions</primary>
+ </indexterm>
+ Create a mount point for the file system that can be used to store all data files.
+ Create a directory called <filename>/data</filename> as follows:
+<screen>
+&rootprompt; mkdir /data
+&rootprompt; chmod 755 /data
+</screen>
+ The 755 permissions on this directory (mount point) permit the owner to read, write and execute,
+ and the group and everyone else to read and execute only.
+ </para></step>
+
+ <step><para>
+ Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
+ procedures) to format the partition with a suitable file system. The reiserfs file system
+ is suitable. Configure this drive to automount using the <filename>/data</filename>
+ directory as the mount point. It must be mounted before proceeding.
+ </para></step>
+
+ <step><para>
+ Under the directory called <filename>/data</filename> create two directories
+ named <filename>ftmfiles</filename> and <filename>officefiles</filename>, and set
+ ownership and permissions as follows:
+<screen>
+&rootprompt; mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
+&rootprompt; chown -R abmas.office /data
+&rootprompt; chmod -R ug+rwxs,o-w,o+rx /data
+</screen>
+ These demonstrate compound operations. The <command>mkdir</command> command
+ creates in one step these directories:
+<programlisting>
+/data/fmtfiles
+/data/officefiles
+/data/officefiles/letters
+/data/officefiles/invitations
+/data/officefiles/misc
+</programlisting>
+ The <command>chown</command> operation sets the owner to the user <constant>abmas</constant>
+ and the group to <constant>office</constant> on all directories just created. And
+ the <command>chmod</command> operation recursively sets the permissions so that
+ the owner and group have SUID/SGID with read/write/execute permission, and everyone else has
+ read and execute permission. This means that all files and directories are created
+ with the same owner and group as the directory in which they are created. Any new
+ directories created still have the same owner, group, and permissions as the
+ directory they are in. This should eliminate all permissions-based file access problems.
+ For more information on this subject, refer to <emphasis>TOSHARG</emphasis>, Chapter 13, <emphasis>File, Directory
+ and Share Access Controls</emphasis>, or refer to the UNIX man page for the
+ <command>chmod</command> and the <command>chown</command> commands.
+
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="charity-smbconf"/> in the
+ <filename>/etc/samba</filename> directory.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>smbd</primary></indexterm>
+ We must ensure that the <command>smbd</command> can resolve the name of the Samba
+ server to its IP address. Verify that the <filename>/etc/hosts</filename> file
+ contains the following entry:
+<screen>
+192.168.1.1 server
+</screen>
+ </para></step>
+
+ <step><para>
+ Configure the printers with the IP address as shown in <link linkend="charitynet"/>.
+ Follow the instructions in the manufacturers' manual to permit printing to port 9100,
+ so that the CUPS spooler can print using raw mode protocols.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
+&rootprompt; lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
+</screen>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm><indexterm>
+ <primary>/etc/cups/mime.convs</primary>
+ </indexterm><indexterm>
+ <primary>application/octet-stream</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/cups/mime.types</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting
+ CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="charity-smbconf">
+<title>Charity Administration Office &smb.conf; File</title>
+<smbconfcomment>Global Parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
+<smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
+<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>yes</value></smbconfoption>
+
+<smbconfsection>[FTMFILES]</smbconfsection>
+<smbconfoption><name>comment</name><value>Funds Tracking &amp; Management Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/ftmfiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>force user</name><value>abmas</value></smbconfoption>
+<smbconfoption><name>force group</name><value>office</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption>
+
+<smbconfsection>[office]</smbconfsection>
+<smbconfoption><name>comment</name><value>General Office Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/officefiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>force user</name><value>abmas</value></smbconfoption>
+<smbconfoption><name>force group</name><value>office</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+ <procedure>
+ <title>Windows Client Configuration</title>
+
+ <step><para>
+ Configure clients to the network settings shown in <link linkend="charitynet"/>.
+ </para></step>
+
+ <step><para>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask. For example,
+ <constant>255.255.255.0</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>WINS</primary></indexterm>
+ On all Windows clients, set the WINS Server address to <constant>192.168.1.1</constant>,
+ the IP address of the server.
+ </para></step>
+
+ <step><para>
+ Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
+ </para></step>
+
+ <step><para><indexterm>
+ <secondary>logon</secondary>
+ </indexterm>
+ Install the <quote>Client for Microsoft Networks.</quote> Ensure that the only option
+ enabled in its properties is the option <quote>Logon and restore network connections.</quote>
+ </para></step>
+
+ <step><para>
+ Click <guibutton>OK</guibutton> when you are prompted to reboot the system. Reboot the
+ system, then logon using any user name and password you choose.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>My Network Places</primary>
+ </indexterm>
+ Verify on each client that the machine called <constant>SERVER</constant>
+ is visible in <guimenu>My Network Places</guimenu>, that it is
+ possible to connect to it and see the share <guimenuitem>office</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>password caching</primary>
+ </indexterm><indexterm>
+ <primary>regedit</primary>
+ </indexterm>
+ Disable password caching on all Windows 9x/Me machines using the registry change file
+ shown in <link linkend="MEreg"/>. Be sure to remove all files that have the
+ <filename>PWL</filename> extension that are in the <filename>C:\WINDOWS</filename>
+ directory.
+<example id="MEreg">
+<title>Windows Me &smbmdash; Registry Edit File: Disable Password Caching</title>
+<screen>
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
+ Windows\CurrrentVersion\Policies\Network]
+ "DisablePwdCaching"=dword:00000001
+</screen>
+</example>
+ The best way to apply this is to save the patch in a file called
+ <filename>ME-dpwc.reg</filename> and then execute:
+<screen>
+C:\WINDOWS: regedit ME-dpwc.reg
+</screen>
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using a name of their own
+ choosing, with a password of their own choosing. The Samba server has been
+ configured to ignore the username and password given.
+ </para></step>
+
+ <step><para>
+ On each Windows Me workstation, configure a network drive mapping to drive <filename>G:</filename>
+ that redirects to the uniform naming convention (UNC) resource
+ <filename>\\server\officefiles</filename>. Make this a permanent drive connection as follows:
+ <procedure>
+ <step><para>
+ <menuchoice>
+ <guimenu>(Right-click) My Network</guimenu>
+ <guimenuitem>Map Network Drive...</guimenuitem>
+ </menuchoice>
+ </para></step>
+
+ <step><para>
+ In the box labeled <quote>Drive:</quote>, type G.
+ </para></step>
+
+ <step><para>
+ In the box labeled <quote>Path:</quote>, enter
+ <filename>\\server\officefiles</filename>.
+ </para></step>
+
+ <step><para>
+ Click <guimenuitem>Reconnect at logon</guimenuitem>.
+ Click <guibutton>OK</guibutton>.
+ </para></step>
+
+ </procedure>
+ </para></step>
+
+ <step><para>
+ On each workstation, install the Funds Tracking and Management software following the
+ manufacturer's instructions.
+ <procedure>
+ <step><para>
+ During installation, you are prompted for the name of the Windows 98
+ server. Enter the name <constant>SERVER</constant>.
+ </para></step>
+ <step><para>
+ You are prompted for the name of the data share.
+ The prompt defaults to <constant>FTMFILES</constant>. Press enter to accept the default value.
+ </para></step>
+ <step><para>
+ You are now prompted for the print queue name. The default prompt is the name of
+ the server you entered (<constant>SERVER</constant> as follows:
+ <constant>\\SERVER\PRINTQ</constant>). Simply accept the default and press enter to
+ continue. The software now completes the installation.
+ </para></step>
+ </procedure>
+ </para></step>
+
+ <step><para>
+ Install an office automation software package of the customer's choice. Either Microsoft
+ Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may
+ need to perform. Repeat this on each workstation.
+ </para></step>
+
+ <step><para>
+ Install a printer on each using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 5/5M Postscript</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 5/5M Postscript</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\SERVER\hplj5</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ It is a good idea to test the functionality of the complete installation before
+ handing the newly configured network over to the Charity Administration Office
+ for production use.
+ </para></step>
+
+ </procedure>
+
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ <sect3>
+ <title>Validation</title>
+
+ <para>
+ Use the same validation process as was followed in <link linkend="validate1"/>.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="AccountingOffice">
+ <title>Accounting Office</title>
+
+ <para>
+ The office of Abmas Accounting Inc. is a 40-year-old family-run business. There are nine permanent
+ computer users. The network clients were upgraded two years ago. All computers run Windows 2000
+ Professional. This year the server will be upgraded from an old Windows NT4 server (actually
+ running Windows NT4 Workstation, which worked fine as there were fewer than 10 users) that has
+ run in workgroup (Stand-Alone) mode, to a new Linux server running Samba.
+ </para>
+
+ <para>
+ The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional
+ clients running as workgroup machines so that any staff member can take a machine home and keep
+ working. It has worked well so far and your task is to replace the old server. All users have
+ their own workstation logon (you configured it that way when the machines were installed).
+ Mr. Meany wants the new system to operate the same way as the old Windows NT4 server &smbmdash; users
+ cannot access each others' files, but he can access everyone's files. Each person's work files are
+ in a separate share on the server. Users logon to their Windows workstation with their username
+ and enter an assigned password; they do not need to enter a password when accessing their files
+ on the server.
+ </para>
+
+ <para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ The new server will run Red Hat Linux 9.0. You should install Samba-3.0.2 and
+ copy all files off the old system to the new one. The existing Windows NT4 server has a parallel
+ port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each
+ workstation. You must not change anything on the workstations. Mr. Meany gave instructions to
+ replace the server <quote>but leave everything else alone to avoid staff unrest.</quote>
+ </para>
+
+ <para>
+ You have tried to educate Mr. Meany and found that he has no interest to understand networking.
+ He believes that Windows for Workgroups 3.11 was <quote>the best server Microsoft ever sold
+ </quote> and that Windows NT and 2000 are <quote>too fang-dangled complex!</quote>
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>security</primary><secondary>user mode</secondary></indexterm>
+ The requirements of this network installation are not unusual. The staff are not interested in the
+ details of networking. Passwords are never changed. In this example solution, we demonstrate the use
+ of User Mode security in a simple context. Directories should be set SGID to ensure that members
+ of a common group can access the contents. Each user has his or her own share to which only they
+ can connect. Mr. Meany's share will be a top level directory above the share point for each employee.
+ Mr. Meany is a member of the same group as his staff and is able to access their work files.
+ The well used HP LaserJet 4 is available as a service called <constant>hplj</constant>.
+ </para>
+
+ <para>
+ You have finished configuring the new hardware and have just completed installation of Red Hat Linux
+ 9.0. Roll up your sleeves and let's get to work.
+ </para>
+
+ </sect3>
+
+ <sect3 id="AcctgNet">
+ <title>Implementation</title>
+
+ <para>
+ The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it
+ cannot be running as a WINS server. It is best that the new configuration preserves the same
+ configuration. The office does not use Internet access, so security really is not an issue.
+ </para>
+
+ <para>
+ The core information regarding the users, their passwords, the directory share point, and the
+ share name is given in <link linkend="acctingnet"/>. The overall network topology is shown in
+ <link linkend="acctingnet2"/>. All machines have been configured as indicated prior to the
+ start of Samba configuration. The following prescriptive steps may now commence.
+ </para>
+
+ <image id="acctingnet2">
+ <description>Accounting Office Network Topology</description>
+ <imagefile scale="100">AccountingNetwork.png</imagefile>
+ </image>
+
+ <table id="acctingnet">
+ <title>Accounting Office Network Information</title>
+ <tgroup cols="6">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>User</entry>
+ <entry>Login-ID</entry>
+ <entry>Password</entry>
+ <entry>Share Name</entry>
+ <entry>Directory</entry>
+ <entry>Wkst</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Alan Meany</entry>
+ <entry>alan</entry>
+ <entry>alm1961</entry>
+ <entry>alan</entry>
+ <entry>/data</entry>
+ <entry>PC1</entry>
+ </row>
+ <row>
+ <entry>James Meany</entry>
+ <entry>james</entry>
+ <entry>jimm1962</entry>
+ <entry>james</entry>
+ <entry>/data/james</entry>
+ <entry>PC2</entry>
+ </row>
+ <row>
+ <entry>Jeannie Meany</entry>
+ <entry>jeannie</entry>
+ <entry>jema1965</entry>
+ <entry>jeannie</entry>
+ <entry>/data/jeannie</entry>
+ <entry>PC3</entry>
+ </row>
+ <row>
+ <entry>Suzy Millicent</entry>
+ <entry>suzy</entry>
+ <entry>suzy1967</entry>
+ <entry>suzy</entry>
+ <entry>/data/suzy</entry>
+ <entry>PC4</entry>
+ </row>
+ <row>
+ <entry>Ursula Jenning</entry>
+ <entry>ujen</entry>
+ <entry>ujen1974</entry>
+ <entry>ursula</entry>
+ <entry>/data/ursula</entry>
+ <entry>PC5</entry>
+ </row>
+ <row>
+ <entry>Peter Pan</entry>
+ <entry>peter</entry>
+ <entry>pete1984</entry>
+ <entry>peter</entry>
+ <entry>/data/peter</entry>
+ <entry>PC6</entry>
+ </row>
+ <row>
+ <entry>Dale Roland</entry>
+ <entry>dale</entry>
+ <entry>dale1986</entry>
+ <entry>dale</entry>
+ <entry>/data/dale</entry>
+ <entry>PC7</entry>
+ </row>
+ <row>
+ <entry>Bertrand E Paoletti</entry>
+ <entry>eric</entry>
+ <entry>eric1993</entry>
+ <entry>eric</entry>
+ <entry>/data/eric</entry>
+ <entry>PC8</entry>
+ </row>
+ <row>
+ <entry>Russell Lewis</entry>
+ <entry>russ</entry>
+ <entry>russ2001</entry>
+ <entry>russell</entry>
+ <entry>/data/russell</entry>
+ <entry>PC9</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+<?latex \newpage ?>
+
+ <procedure>
+ <title>Migration from Windows NT4 Workstation System to Samba-3</title>
+
+ <step><para><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Rename the old server from <constant>CASHPOOL</constant> to <constant>STABLE</constant>
+ by logging onto the console as the <constant>Administrator</constant>. Restart the machine
+ following system prompts.
+ </para></step>
+
+ <step><para>
+ Name the new server <constant>CASHPOOL</constant> using the standard configuration method.
+ Restart the machine following system prompts.
+ </para></step>
+
+ <step><para>
+ Install the latest Samba-3 binary Red Hat Linux RPM that is available from the
+ Samba FTP site.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>group account</primary>
+ </indexterm><indexterm>
+ <primary>groupadd</primary>
+ </indexterm>
+ Add a group account for the office to use. Execute the following:
+<screen>
+&rootprompt; groupadd accts
+</screen>
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown<footnote>This example makes use of the
+ <parameter>smbpasswd</parameter> file. It does so in an obtuse way since the use of
+ the <parameter>passdb backend</parameter> has not been specified in the &smb.conf;
+ file. This means that you are depending on correct default behavior.</footnote>
+ in <link linkend="acctconf"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>useradd</primary>
+ </indexterm><indexterm>
+ <primary>passwd</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ For each user who uses this system (see <link linkend="acctingnet"/>),
+ execute the following:
+<screen>
+&rootprompt; useradd -m -G accts -c "Name of User" "LoginID"
+&rootprompt; passwd "LoginID"
+Changing password for user "LoginID"
+New Password: XXXXXXXXX &lt;-- the password from the table
+Retype new password: XXXXXXXXX
+&rootprompt; smbpasswd -a "LoginID"
+New SMB password: XXXXXXXXX &lt;-- the password from the table
+Retype new SMB password: XXXXXXXXX
+Added user "LoginID"
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>data storage</primary>
+ </indexterm>
+ Create the directory structure for the file shares by executing the following:
+<screen>
+&rootprompt; mkdir -p /data
+&rootprompt; chown alan /data
+&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
+> do
+> mkdir -p /data/$i
+> chown $i /data/$i
+> done
+&rootprompt; chgrp -R accts /data
+&rootprompt; chmod -R ug+rwxs,o-r+x /data
+</screen>
+ The data storage structure is now prepared for use.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p hplj -v parallel:/dev/lp0 -E
+</screen>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime types</primary></indexterm><indexterm>
+ <primary>/etc/cups/mime.convs</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/cups/mime.types</primary>
+ </indexterm><indexterm>
+ <primary>application/octet-stream</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting
+ CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ <step><para>
+ On Alan's workstation, use Windows explorer to migrate the files from the old server
+ to the new server. The new server should appear in the <guimenu>Network Neighborhood</guimenu>
+ with the name of the old server (<constant>CASHPOOL</constant>).
+
+ <procedure>
+
+ <step><para>
+ Logon to Alan's workstation as the user <constant>alan</constant>.
+ </para></step>
+
+ <step><para>
+ Launch a second instance of Windows explorer and navigate to the share called
+ <guiicon>files</guiicon> on the server called <guimenu>STABLE</guimenu>.
+ </para></step>
+
+ <step><para>
+ Click in the right panel, and press <guimenu>Ctrl-A</guimenu> to select all files and
+ directories. Press <guimenu>Ctrl-C</guimenu> to instruct Windows that you wish to
+ copy all selected items.
+ </para></step>
+
+ <step><para>
+ Launch the Windows explorer, and navigate to the share called <guiicon>files</guiicon>
+ on the server called <guimenu>CASHPOOL</guimenu>. Click in the right panel, and then press
+ <guimenu>Ctrl-V</guimenu> to commence the copying process.
+ </para></step>
+
+ </procedure>
+ </para></step>
+
+ <step><para>
+ Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server.
+ This is best done on the Samba-3 server. Check the contents of the directory tree under
+ <filename>/data</filename>. This can be done by executing the following command:
+<screen>
+&rootprompt; ls -aR /data
+</screen>
+ Make certain to check the ownership and permissions on all files. If in doubt, execute the following:
+<screen>
+&rootprompt; chown alan /data
+&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
+> do
+> chown $i /data/$i
+> done
+&rootprompt; chgrp -R accts /data
+&rootprompt; chmod -R ug+rwxs,o-r+x /data
+</screen>
+ </para></step>
+
+ <step><para>
+ The migration of all data should now be complete. It is time to validate the installation.
+ For this, you should make sure all applications, including printing, work before asking the
+ customer to test drive the new network.
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="acctconf">
+<title>Accounting Office Network &smb.conf; File</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>BILLMORE</value></smbconfoption>
+<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+
+<smbconfsection>[files]</smbconfsection>
+<smbconfoption><name>comment</name><value>Work area files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/%U</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[master]</smbconfsection>
+<smbconfoption><name>comment</name><value>Master work area files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>alan</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+ </sect3>
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ The following questions and answers draw from the examples in this chapter.
+ Many design decisions are impacted by the configurations chosen. The intent
+ is to expose some of the hidden implications.
+ </para>
+
+ <qandaset defaultlabel="chap02qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What makes an anonymous Samba server more simple than an non-anonymous Samba server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In the anonymous server, the only account used is the <constant>guest</constant> account.
+ In a non-anonymous configuration, it is necessary to add real user accounts to both the
+ UNIX system and to the Samba configuration. Non-anonymous servers require additional
+ administration.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How is the operation of the parameter <parameter>force user</parameter> different from
+ setting the root directory of the share SUID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The parameter <parameter>force user</parameter> causes all operations on the share to assume the UID
+ of the forced user. The new default GID that applies is the primary GID of the forced user.
+ This gives all users of this resource the actual privilege of the forced user.
+ </para>
+
+ <para>
+ When a directory is set SUID, the operating system forces files that are written within it
+ to be owned by the owner of the directory. While this happens, the user who is using the share
+ has only the level of privilege he or she is assigned within the operating system context.
+ </para>
+
+ <para>
+ The parameter <parameter>force user</parameter> has potential security implications that go
+ beyond the actual share root directory. Be careful and wary of using this parameter.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When would you use both the per share parameter <parameter>force user</parameter> as well
+ as setting the share root directory SUID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ You would use both parameters when it is necessary to guarantee that all share handling operations
+ are conducted as the forced user, while all file and directory creation are done as the SUID
+ directory owner.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is better about CUPS printing than LPRng printing?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ CUPS is a print spooling system that has integrated remote management facilities, provides completely
+ automated print processing/preprocessing, and has the potential to be configured to automatically
+ apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the
+ target printer. CUPS includes an image file RIP that supports printing of image files to
+ non-PostScript printers. CUPS has lots of bells and whistles and is more like a super-charged MS Windows
+ NT/200x print monitor and processor. Its complexity can be eliminated or turbo-charged to suit
+ any fancy.
+ </para>
+
+ <para>
+ The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print
+ spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng is capable
+ of being configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd
+ spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
+ </para>
+
+ <para>
+ Which is better is a matter of personal taste. It depends on what you want to do and how you want to
+ do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When should Windows client IP addresses be hard coded?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ When there are few MS Windows clients, little client change, no mobile users, and users are not
+ inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows
+ client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove
+ user ability to access network configuration controls, fixed configuration eliminates the need
+ for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network
+ failure.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Under what circumstances would it be best to use a DHCP server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In network configurations where there are mobile users, or where Windows client PCs move around
+ (particularly between offices or between subnets), it makes complete sense to control all Windows
+ client configurations using a DHCP server. Additionally, when users do tamper with the network
+ settings, the use of DHCP can be used to normalize all client settings.
+ </para>
+
+ <para>
+ One of the least appreciated benefits of using a DHCP server to assign all network client
+ device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
+ settings, change network addressing, or enhance the ability of client devices to
+ benefit from new network services.
+ </para>
+
+ <para>
+ Another benefit of modern DHCP servers is the ability of the DHCP server to register dynamically
+ assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in
+ a large Windows network environment.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the purpose of setting the parameter <parameter>guest ok</parameter> on a share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ If this parameter is yes for a service, then no password is required to connect to the service.
+ Privileges are those of the guest account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When would you set the global parameter <parameter>disable spoolss</parameter>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Setting this parameter to <constant>Yes</constant> disables Samba's support for the SPOOLSS set of
+ MS-RPC's and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to
+ using LanMan style printing commands. Windows 9x/ME are unaffected by the parameter. However, this
+ disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer
+ Wizard or by using the NT printer properties dialog window. It also disables the capability of
+ Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about
+ setting this parameter.
+ </para>
+
+ <para>
+ The alternate parameter <parameter>use client driver</parameter> applies only to Windows NT/200x clients. It has no
+ effect on Windows 95/98/ME clients. When serving a printer to Windows NT/200x clients without first installing a valid
+ printer driver on the Samba host, the client is required to install a local printer driver. From this point on,
+ the client treats the printer as a local printer and not a network printer connection. This is much the same behavior
+ that occurs when <parameter>disable spoolss = yes</parameter>.
+ </para>
+
+ <para>
+ Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client
+ considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated
+ with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often
+ the case), the OpenPrinterEx() call fails. The result is that the client now displays an "Access Denied; Unable
+ to connect" message in the printer queue window (even though jobs may be printed successfully). This parameter MUST
+ not be enabled on a print share that has valid print driver installed on the Samba server.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why would you disable password caching on Windows 9x/Me clients?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Windows 9x/Me workstations that are set at default (password caching enabled) store the username and
+ password in files located in the Windows master directory. Such files can be scavenged (read off a client
+ machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed.
+ It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The example of Abmas Accounting Inc. uses User Mode security. How does this provide anonymous access?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional,
+ and given that users are logging onto their machines, by default the client attempts to connect to
+ a remote server using currently logged in user credentials. By ensuring that the user's login ID and
+ password is the same as those set on the Samba server, access is transparent and does not require
+ separate user authentication.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap03-TheSmallOffice.xml b/docs/Samba-Guide/Chap03-TheSmallOffice.xml
new file mode 100644
index 0000000000..f874a8b678
--- /dev/null
+++ b/docs/Samba-Guide/Chap03-TheSmallOffice.xml
@@ -0,0 +1,1301 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="small">
+ <title>Small Office Networking</title>
+
+ <para>
+ So far, this book has focused on the basics of simple yet effective
+ network solutions. Network administrators who take pride in their work
+ (that's most of us, right?) take care to deliver what our users want,
+ but not too much more. If we make things too complex, we confound our users and
+ increase costs of network ownership. A professional network manager
+ avoids the temptation to put too much pizazz into the way that the network
+ operates. Some creativity is helpful, but do keep it under control.
+ </para>
+
+ <para><indexterm>
+ <primary>Netware</primary>
+ </indexterm>
+ Five years ago there were two companies from which a lesson can be learned.
+ In one case the network administrator spent three months building a new
+ network to replace an old Netware server. What he delivered had all the
+ bells and whistles he could muster. There were a few teething problems
+ during the change-over, nothing serious but a little disruptive all the
+ same. Users were exposed to many changes at once. The network
+ administrator was asked to resign two months after implementing the
+ new system. This was necessary because so many staff had complained
+ they had lost time and were not happy with the new network.
+ Everything was automated and he delivered more features than any advanced
+ user could think of. He was just too smart for his own good.
+ </para>
+
+ <para>
+ In the case of the other company, a new network manager was appointed
+ to oversee the replacement of a LanTastic network with an MS Windows
+ NT 4.0 network. He had the replacement installed and operational within
+ two weeks. Before installation and change-over, he called a meeting to
+ explain to all users what was going to happen, how it would affect them
+ and that he would be available 24 hours a day to help them transition.
+ One week after conversion, he held another meeting asking for cooperation
+ in the introduction of a few new features that would help to make life
+ easier. Network users were thrilled with what he was doing to help
+ them. The network he implemented was nowhere near as complex as the first example, had fewer
+ features, and yet he had happy users. Months later he was still adding
+ new innovations. He always asked the users if a
+ particular feature was what they wanted. He asked his boss for a raise
+ and got it. He often told me, <quote>Always keep a few new tricks up your
+ sleeves for when you need them.</quote> Was he smart? You decide. Let's
+ get on with our next exercise.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you
+ were the right person for the job. That's why he asked you to install the
+ new server. The past few months have been hard work. You advised Mr. Meany
+ that it is time for a change. Abmas now has 52 users, having acquired an
+ investment consulting business recently. The new users were added to the
+ network without any problems.
+ </para>
+
+ <para>
+ Some of the Windows clients are getting to be past their use-by date.
+ You have found damaged and unusable software on some of the workstations
+ that came with the acquired business and found some machines that are
+ in need of both hardware and software maintenance.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ <indexterm><primary>Windows XP</primary></indexterm>
+ Mr. Meany has decided to retire in 12 months. He wants you to help him
+ make the business run better. Many of the new staff want notebook computers.
+ They visit customer business premises with the need to use local network
+ facilities; these users are technically competent. The company uses a
+ business application that requires Windows XP Professional. In short, a
+ complete client upgrade is about to happen. Mr. Meany told you that he is working
+ on another business acquisition and that by the time he retires there will be
+ 80 to 100 users.
+ </para>
+
+ <para>
+ Mr. Meany is not concerned about security. He wants to make it easier for
+ staff to do their work. He has hired you to help him appoint a full-time
+ network manager before he retires. Above all, he says he is investing in
+ the ability to grow. He is determined to live his lifelong dream and
+ hand the business over to a bright and capable executive who can make
+ things happen. This means your network design must cope well with
+ growth.
+ </para>
+
+ <para>
+ In a few months, Abmas will require an Internet connection for email
+ and so staff easily obtain software updates. Mr. Meany is warming up to the
+ installation of anti-virus software, but is not yet ready to approve
+ this expense. He told you to spend the money a virus scanner costs
+ on better quality notebook computers for mobile users.
+ </para>
+
+ <para>
+ One of Mr. Meany's golfing partners sold him on the idea to buy new laser
+ printers. One black only, the other a color laser printer. Staff support
+ the need for a color printer so they can present more attractive proposals
+ and reports.
+ </para>
+
+ <para>
+ Mr. Meany also asked if it would be possible for one of the staff to manage
+ user accounts from the Windows desktop. That person will be responsible for
+ basic operations.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ What are the key requirements in this business example? A quick review indicates
+ a need for:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Scalability &smbmdash; from 52 to over 100 users in 12 months
+ </para></listitem>
+
+ <listitem><para>
+ Mobile computing capability
+ <indexterm><primary>mobile computing</primary></indexterm>
+ </para></listitem>
+
+ <listitem><para>
+ Improved reliability and usability
+ </para></listitem>
+
+ <listitem><para>
+ Easier administration
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ In this instance the installed Linux system is assumed to be a Red Hat Linux 9.0 server
+ (as in <link linkend="AccountingOffice"/>).
+
+ </para>
+
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ <indexterm><primary>DNS</primary></indexterm>
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>Domain</primary></indexterm>
+ It is time to implement a domain security environment. You will use the <constant>
+ smbpasswd</constant> (default) backend. You should implement a DHCP server. There is no need to
+ run DNS at this time, but the system will use WINS. The Domain name will be <constant>
+ BILLMORE</constant>. This time, the name of the server will be <constant>SLEETH</constant>.
+ </para>
+
+ <para>
+ All printers will be configured as DHCP clients. The DHCP server will assign
+ the printer a fixed IP address by way of its Ethernet interface (MAC) address.
+ See <link linkend="dhcp01"/>.
+ </para>
+
+ <note><para>
+ The &smb.conf; file you are creating in this exercise can be used with equal effectiveness
+ with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is
+ possible to start with the installation that you have created here, migrate it
+ to a Samba-3 configuration and then secure the system further. Configurations following
+ this one will utilize features that may not be supported in Samba-2.2.x releases.
+ However, you should note that the examples in each chapter start with the assumption
+ that a fresh new installation is being effected.
+ </para></note>
+
+ <para>
+ Later on, when the Internet connection is implemented, you will add DNS as well as
+ other enhancements. It is important that you plan accordingly.
+ </para>
+
+ <para>
+ <indexterm><primary>ether-switch</primary></indexterm>
+ You have split the network into two separate areas. Each has its own ether-switch.
+ There are 20 users on the accounting network and 32 users on the financial services
+ network. The server has two network interfaces, one serving each network. The
+ network printers will be located in a central area. You plan to install the new
+ printers and keep the old printer in use also.
+ </para>
+
+ <para>
+ You will provide separate file storage areas for each business entity. The old system
+ will go away, accounting files will be handled under a single directory, and files will
+ be stored under customer name, not under a personal work area. Staff will be made
+ responsible for file location, so maintain the old share point.
+ </para>
+
+ <para>
+ Given that DNS will not be used, you will configure WINS name resolution for UNIX
+ hostname name resolution.
+ </para>
+
+ <para>
+ <indexterm><primary>Domain</primary><secondary>groups</secondary></indexterm>
+ <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
+ It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is
+ advisable to also map Windows Local Groups to UNIX groups. Additionally, the two
+ key staff groups in the firm are Accounting Staff and Financial Services Staff.
+ For these, it is necessary to create UNIX groups as well as Windows Domain Groups.
+ </para>
+
+ <para>
+ In the sample &smb.conf; file, you have configured Samba to call the UNIX <command>groupadd</command>
+ to add group entries. This utility does not permit the addition of group names that
+ contain upper-case characters or spaces. This is considered a bug. The <command>groupadd</command>
+ is part of the <command>shadow-utils</command> Open Source Software package.
+ A later release of this package may have been patched to resolve this bug.
+ If your operating platform has this bug, it means that attempts to add a Windows Domain
+ Group that has either a space or upper-case characters in it will fail. See <emphasis>TOSHARG</emphasis>, Section 11.3.1,
+ Example 11.1, for more information.
+ </para>
+
+ <para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler
+ on the UNIX host will be operated in <constant>raw</constant> mode.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ Mr. Meany is an old-school manager. He sets the rules and wants to see compliance.
+ He is willing to spend money on things he believes are of value. You need more
+ time to convince him of real priorities.
+ </para>
+
+ <para>
+ Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be
+ supplied with anti-virus software? Above all, demonstrate good purchase value and remember
+ to make your users happy.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ In this example, the assumption is made that this server is being configured from a clean start.
+ The alternate approach could be to demonstrate the migration of the system that is documented
+ in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with
+ future examples, as a new installation is based on the premise that you can determine
+ the migration steps from the information provided in the separate chapter on this subject.
+ Additionally, a fresh installation makes the example easier to follow.
+ </para>
+
+ <para><indexterm>
+ <primary>group membership</primary>
+ </indexterm>
+ Each user will be given a home directory on the UNIX system, which will be available as a private
+ share. Two additional shares will be created, one for the Accounting Department and the other for
+ the Financial Services Department. Network users will be given access to these shares by way
+ of group membership.
+ </para>
+
+ <para>
+ <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
+ UNIX group membership is the primary mechanism by which Windows Domain users will be granted
+ rights and privileges within the Windows environment.
+ </para>
+
+ <para><indexterm>
+ <primary>sticky bit</primary>
+ </indexterm>
+ The user <command>alanm</command> will be made the owner of all files. This will be preserved
+ by setting the sticky bit (set UID/GID) on the top-level directories.
+ </para>
+
+ <image id="acct2net">
+ <description>Abmas Accounting &smbmdash; 52 User Network Topology</description>
+ <imagefile scale="100">acct2net.png</imagefile>
+ </image>
+
+ <procedure>
+ <step><para>
+ Using UNIX/Linux system tools, name the server <constant>sleeth</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/hosts</primary></indexterm>
+ Place an entry for the machine <constant>sleeth</constant> in the <filename>/etc/hosts</filename>.
+ The printers are network attached, so it is desirable that there should be entries for the
+ network printers also. An example <filename>/etc/hosts</filename> file is shown here:
+<screen>
+192.168.1.1 sleeth sleeth1
+192.168.2.1 sleeth2
+192.168.1.10 hplj6
+192.168.1.11 hplj4
+192.168.2.10 qms
+</screen>
+ </para></step>
+
+ <step><para>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site.
+ </para></step>
+
+ <step><para>
+ Install the ISC DHCP server using the UNIX/Linux system tools available to you.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/rc.d/rc.local</primary>
+ </indexterm><indexterm>
+ <primary>IP forwarding</primary>
+ </indexterm><indexterm>
+ <primary>router</primary>
+ </indexterm><indexterm>
+ <primary>/proc/sys/net/ipv4/ip_forward</primary>
+ </indexterm>
+ Given that Samba will be operating over two network interfaces and clients on each side
+ may want to be able to reach clients on the other side, it is imperative that IP forwarding
+ shall be enabled. Use the system tool of your choice to enable IP forwarding. In the
+ absence of such a tool on the Linux system, add to the <filename>/etc/rc.d/rc.local</filename>
+ file an entry as follows:
+<screen>
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</screen>
+ This causes the Linux kernel to forward IP packets so that it acts as a router.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file as shown in <link linkend="acct2conf"/> and
+ <link linkend="acct3conf"/>. Combine these two examples to form a single
+ <filename>/etc/samba/smb.conf</filename> file.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Add the user <command>root</command> to the Samba password backend:
+<screen>
+&rootprompt; smbpasswd -a root
+New SMB password: XXXXXXX
+Retype new SMB password: XXXXXXX
+&rootprompt;
+</screen>
+ <indexterm><primary>administrator</primary></indexterm>
+ This is the Windows Domain Administrator password. Never delete this account from
+ the password backend after Windows Domain Groups have been initialized. If you delete
+ this account, your system is crippled. You cannot restore this account
+ and your Samba server is no longer capable of being administered.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>username map</primary></indexterm>
+ Create the username map file to permit the <constant>root</constant> account to be called
+ <constant>Administrator</constant> from the Windows network environment. To do this, create
+ the file <filename>/etc/samba/smbusers</filename> with the following contents:
+<screen>
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>initGrps.sh</primary></indexterm>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <link linkend="initGrps"/>. Create a file containing this script. We called ours
+ <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+<example id="initGrps">
+<title>Script to Map Windows NT Groups to UNIX Groups</title>
+<indexterm><primary>initGrps.sh</primary></indexterm>
+<screen>
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+
+# Map Windows NT machine local groups to local UNIX groups
+net groupmap modify ntgroup="Administrators" unixgroup=sys
+net groupmap modify ntgroup="Users" unixgroup=public
+net groupmap modify ntgroup="Guests" unixgroup=nobody
+net groupmap modify ntgroup="System Operators" unixgroup=daemon
+net groupmap modify ntgroup="Account Operators" unixgroup=wheel
+net groupmap modify ntgroup="Backup Operators" unixgroup=bin
+net groupmap modify ntgroup="Print Operators" unixgroup=lp
+net groupmap modify ntgroup="Replicators" unixgroup=kmem
+net groupmap modify ntgroup="Power Users" unixgroup=ntadmin
+</screen>
+</example>
+
+<screen>
+&rootprompt; chmod 755 initGrps.sh
+&rootprompt; /etc/samba # ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+Updated mapping entry for Administrators
+Updated mapping entry for Users
+Updated mapping entry for Guests
+Updated mapping entry for System Operators
+Updated mapping entry for Account Operators
+Updated mapping entry for Backup Operators
+Updated mapping entry for Print Operators
+Updated mapping entry for Replicators
+Updated mapping entry for Power Users
+
+&rootprompt; /etc/samba # net groupmap list | sort
+Account Operators (S-1-5-32-548) -> wheel
+Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
+Administrators (S-1-5-32-544) -> sys
+Backup Operators (S-1-5-32-551) -> bin
+Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
+Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
+Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
+Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
+Guests (S-1-5-32-546) -> nobody
+Power Users (S-1-5-32-547) -> ntadmin
+Print Operators (S-1-5-32-550) -> lp
+Replicators (S-1-5-32-552) -> kmem
+System Operators (S-1-5-32-549) -> daemon
+Users (S-1-5-32-545) -> public
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <filename>/etc/passwd</filename> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system accounts and use the Samba
+ <command>smbpasswd</command> program to create the Domain user accounts.
+ </para>
+
+ <para>
+ <indexterm><primary>useradd</primary></indexterm>
+ <indexterm><primary>adduser</primary></indexterm>
+ <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
+ There are a number of tools for user management under UNIX. Commonly known ones include:
+ <command>useradd</command>, <command>adduser</command>. In addition to these, there are a plethora of custom
+ tools. With the tool of your choice, create a home directory for each user.
+ </para></step>
+
+ <step><para>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </para></step>
+
+ <step><para>
+ Create the directory mount point for the disk sub-system that is mounted to provide
+ data storage for company files. In this case the mount point indicated in the &smb.conf;
+ file is <filename>/data</filename>. Format the file system as required, mount the formatted
+ file system partition using <command>mount</command>,
+ and make the appropriate changes in <filename>/etc/fstab</filename>.
+ </para></step>
+
+ <step><para>
+ Create the top-level file storage directories are follows:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs}
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R alanm.accounts /data/accounts
+&rootprompt; chown -R alanm.finsvcs /data/finsvcs
+&rootprompt; chmod -R ug+rwx,o+rx-w /data
+</screen>
+ Each department is responsible for creating its own directory structure within its
+ share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
+ The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
+ </para></step>
+
+ <step><para>
+ Configure the printers with the IP addresses as shown in <link linkend="acct2net"/>.
+ Follow the instructions in the manufacturers' manuals to permit printing to port 9100.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
+&rootprompt; lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
+&rootprompt; lpadmin -p qms -v socket://192.168.2.10:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>DHCP Server</primary>
+ </indexterm>
+ Using your favorite system editor, create an <filename>/etc/dhcpd.conf</filename> with the
+ contents as shown in <link linkend="dhcp01"/>.
+<example id="dhcp01">
+<title>Abmas Accounting DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
+<indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
+<screen>
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8;
+### NOTE ###
+# netbios-node-type=8 means set clients to Hybrid Mode
+# so they will use Unicast communication with the WINS
+# server and thus reduce the level of UDP broadcast
+# traffic by up to 90%.
+############
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host hplj4 {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.10;
+ }
+ host hplj6 {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.11;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qms {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.10;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</screen>
+</example>
+ </para></step>
+
+
+ <step><para>
+ Use the standard system tool to start Samba and CUPS and configure them to start
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>chkconfig</primary></indexterm>
+ <indexterm><primary>starting dhcpd</primary></indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig dhpc on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/dhcp restart
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>Name Service Switch</primary></indexterm>
+ <indexterm><primary>NSS</primary><see>Name Service Switch</see></indexterm>
+ <indexterm><primary>DNS</primary></indexterm><indexterm>
+ <primary>DNS server</primary>
+ </indexterm>
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ Configure the Name Service Switch (NSS) to handle WINS based name resolution.
+ Since this system does not use a DNS server, it is safe to remove this option from
+ the NSS configuration. Edit the <filename>/etc/nsswitch.conf</filename> file so that
+ the <constant>hosts:</constant> entry looks like this:
+<screen>
+hosts: files wins
+</screen>
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="acct2conf">
+<title>Accounting Office Network &smb.conf; File &smbmdash; [globals] Section</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>BILLMORE</value></smbconfoption>
+<smbconfoption><name>passwd chat</name><value>*New*Password* \</value></smbconfoption>
+<member><parameter>%n\n*Re-enter*new*password* %n\n *Password*changed*</parameter></member>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
+<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
+<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
+<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
+<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
+<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd \</value></smbconfoption>
+<member><parameter>-s /bin/false -d /dev/null %u</parameter></member>
+<smbconfoption><name>logon script</name><value>scripts\login.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value> </value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="acct3conf">
+<title>Accounting Office Network &smb.conf; File &smbmdash; Services and Shares Section</title>
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/%U</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%G</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[finsvcs]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Service Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/finsvcs</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%G</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+ <sect2>
+ <title>Validation</title>
+
+ <para>
+ Does everything function as it ought? That is the key question at this point.
+ Here are some simple steps to validate your Samba server configuration.
+ </para>
+
+ <procedure>
+
+ <step><para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ If your &smb.conf; file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+<screen>
+&rootprompt; testparm -s
+Load smb config files from smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[accounts]"
+Processing section "[service]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = BILLMORE
+ passwd chat = *New*Password* \
+ %n\n *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ syslog = 0
+ name resolve order = wins bcast hosts
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m %u
+ delete user script = /usr/sbin/userdel -r %u
+ add group script = /usr/sbin/groupadd %g
+ delete group script = /usr/sbin/groupdel %g
+ add user to group script = /usr/sbin/usermod -G %g %u
+ add machine script = /usr/sbin/useradd
+ -s /bin/false -d /dev/null %u
+ logon script = scripts\logon.bat
+ logon path =
+ logon drive = X:
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ printing = cups
+...
+### Remainder cut to save space ###
+</screen>
+ The inclusion of an invalid parameter (say one called dogbert) would generate an
+ error as follows:
+<screen>
+Unknown parameter encountered: "dogbert"
+Ignoring unknown parameter "dogbert"
+</screen>
+ Clear away all errors before proceeding and start or restart samba as necessary.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>check samba
+ daemons</primary></indexterm><indexterm>
+ <primary>nmbd</primary>
+ </indexterm><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm>
+ Check that the Samba server is running:
+<screen>
+&rootprompt; ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</screen>
+ The <command>winbindd</command> daemon is running in split mode (normal) so there are also
+ two instances of it. For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>, Chapter 20,
+ Section 20.3. The single instance of <command>smbd</command> is normal.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>anonymous connection</primary></indexterm>
+ Check that an anonymous connection can be made to the Samba server:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ netlogon Disk Network Logon Service
+ accounts Disk Accounting Files
+ finsvcs Disk Financial Service Files
+ IPC$ IPC IPC Service (Samba3)
+ ADMIN$ IPC IPC Service (Samba3)
+ hplj4 Printer Hewlett-Packard LaserJet 4
+ hplj6 Printer Hewlett-Packard LaserJet 6
+ qms Printer QMS Magicolor Laser Printer XXXX
+
+ Server Comment
+ --------- -------
+ SLEETH Samba 3.0.2
+
+ Workgroup Master
+ --------- -------
+ BILLMORE SLEETH
+</screen>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <constant>-U%</constant> argument means, send a "<constant>NULL</constant> username and
+ a <constant>NULL</constant> password."
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>dhcp client validation</primary></indexterm>
+ <indexterm><primary>printer
+ validation</primary></indexterm><indexterm>
+ <primary>/etc/dhcpd.conf</primary>
+ </indexterm>
+ Verify that the printers have the IP addresses assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <command>arp -a</command> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They
+ should, of course, match. For example:
+<screen>
+&rootprompt; ping hplj4
+PING hplj4 (192.168.1.11) 56(84) bytes of data.
+64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms
+
+&rootprompt; arp -a
+hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
+</screen>
+ The MAC address <constant>08:00:46:7A:35:E4</constant> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <filename>/etc/dhcpd.conf</filename> file.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>authenticated connection</primary></indexterm>
+ Make an authenticated connection to the server using the <command>smbclient</command> tool:
+<screen>
+&rootprompt; smbclient //sleeth/accounts -U alanm
+Password: XXXXXXX
+smb: \&gt; dir
+ . D 0 Sun Nov 9 01:28:34 2003
+ .. D 0 Sat Aug 16 17:24:26 2003
+ .mc DH 0 Sat Nov 8 21:57:38 2003
+ .qt DH 0 Fri Sep 5 00:48:25 2003
+ SMB D 0 Sun Oct 19 23:04:30 2003
+ Documents D 0 Sat Nov 1 00:31:51 2003
+ xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003
+
+ 65387 blocks of size 65536. 28590 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+
+ <procedure>
+ <title>Windows XP Professional Client Configuration</title>
+
+ <step><para>
+ Configure clients to the network settings shown in <link linkend="acct2net"/>.
+ All clients use DHCP for TCP/IP protocol stack configuration.
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ DHCP configures all Windows clients to use the WINS Server address <constant>192.168.1.1</constant>.
+ </para></step>
+
+ <step><para>
+ Join the Windows Domain called <constant>BILLMORE</constant>. Use the Domain Administrator
+ user name <constant>root</constant> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <link linkend="domjoin"/>.
+ Reboot the machine as prompted and then logon using a Domain User account.
+ </para></step>
+
+ <step><para>
+ Verify on each client that the machine called <constant>SLEETH</constant>
+ is visible in <guimenu>My Network Places</guimenu>, that it is
+ possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>
+ and <guimenuitem>finsvcs</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using their assigned user name and password.
+ </para></step>
+
+ <step><para>
+ Install a printer on each using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 4</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 4</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\SERVER\hplj4</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ Repeat the printer installation steps above for the HP LaserJet 6 printer
+ as well as for the QMS Magicolor XXXX laser printer.
+ </para></step>
+ </procedure>
+ </para></step>
+ </procedure>
+
+ <sect2>
+ <title>Notebook Computers: A Special Case</title>
+
+ <para>
+ As a network administrator, you already know how to create local machine accounts for Windows 200x/XP
+ Professional systems. This is the preferred solution to provide continuity of work for notebook users
+ so that absence from the office network environment does not become a barrier to productivity.
+ </para>
+
+ <para>
+ By creating a local machine account that has the same user name and password as you create for that
+ user in the Windows Domain environment, the user can log onto the machine locally and still
+ transparently access network resources as if logged onto the domain itself. There are some trade-offs
+ that mean that as the network is more tightly secured it becomes necessary to modify Windows client
+ configuration somewhat.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ In this network design and implementation exercise, you have created a Windows NT4 style Domain
+ Controller using Samba-3.0.2. As a result of following these guidelines meant that you experienced
+ and implemented several important aspects of Windows networking. In the next chapter of this book,
+ you build on the experience gained. These are the highlights from this chapter:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ <indexterm><primary>DHCP</primary></indexterm>
+ You implemented a DHCP Server and Microsoft Windows clients were able to obtain all necessary
+ network configuration settings from this server.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>Domain Controller</primary></indexterm>
+ You created a Windows Domain Controller. You were able to use the network logon service
+ and successfully joined Windows 200x/XP Professional clients to the Domain.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ You created raw print queues in the CUPS printing system. You maintained a simple
+ printing system so that all users can share centrally managed printers. You installed
+ native printer drivers on the Windows clients.
+ </para></listitem>
+
+ <listitem><para>
+ You experienced the benefits of centrally managed user accounts on the server.
+ </para></listitem>
+
+ <listitem><para>
+ You offered Mobile notebook users a solution that allows them to continue to work
+ while away from the office and not connected to the corporate network.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that
+ may help.
+ </para>
+
+ <qandaset defaultlabel="chap03qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ First and foremost, portability. It means that notebook users can move between
+ the Abmas office and client offices (so long as they, too, use DHCP) without having to manually
+ reconfigure their machines. It also means that when they work from their home environments
+ either using DHCP assigned addressing or when using dial-up networking, settings such as
+ default routes and DNS server addresses that apply only to the Abmas office environment do
+ not interfere with remote operations. This is an extremely important feature of DHCP.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Are there any DHCP server configuration parameters in the <filename>/etc/dhcpd.conf</filename>
+ that should be noted in particular?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. The configuration you created automatically provides each client with the IP address
+ of your WINS server. It also configures the client to preferentially register NetBIOS names
+ with the WINS server, and then instructs the client to first query the WINS server when a
+ NetBIOS machine name needs to be resolved to an IP Address. This means that this configuration
+ results in far lower UDP broadcast traffic than would be the case if WINS was not used.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it possible to create a Windows Domain account that is specifically called <constant>Administrator</constant>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ You can surely create a Windows Domain Account called <constant>Administrator</constant>. It is also
+ possible to map that account so that it has the effective UNIX UID of 0. This way it isn't
+ necessary to use the <parameter>username map</parameter> facility to map this account to the UNIX
+ account called <constant>root</constant>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why is it necessary to give the Windows Domain <constant>Administrator</constant> a UNIX UID of 0?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The Windows Domain <constant>Administrator</constant> account is the most privileged account that
+ exists on the Windows platform. This user can change any setting, add/delete or modify user
+ accounts, and completely reconfigure the system. The equivalent to this account in the UNIX
+ environment is the <constant>root</constant> account. If you want to permit the Windows Domain
+ Administrator to manage accounts, as well as permissions, privileges, and security
+ settings within the Domain and on the Samba server, equivalent rights must be assigned. This is
+ achieved with the <constant>root</constant> UID equal to 0.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him
+ <constant>root</constant> access. How can we do this?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Users who are members of the <constant>Domain Admins</constant> group can add machines to the
+ Domain. This group is mapped to the UNIX group account called <constant>root</constant>
+ (or equivalent on <constant>wheel</constant> on some UNIX systems) that has a GID of 0.
+ This must be the primary GID of the account of the user who is a member of the Windows <constant>
+ Domain Admins</constant> account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why must I map Windows Domain Groups to UNIX groups?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account
+ has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are:
+ <guimenu>Domain Guests, Domain Users, Domain Admins</guimenu>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ I deleted my <constant>root</constant> account and now I cannot add it back! What can I do?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ This is a nasty problem. Fortunately, here is a solution.
+ </para>
+
+ <procedure>
+ <step><para>
+ Back up your existing configuration files in case you need to restore them.
+ </para></step>
+
+ <step><para>
+ Rename the <filename>group_mapping.tdb</filename> file.
+ </para></step>
+
+ <step><para>
+ Use the <command>smbpasswd</command> to add the root account.
+ </para></step>
+
+ <step><para>
+ Restore the <filename>group_mapping.tdb</filename> file.
+ </para></step>
+ </procedure>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When I run <command>net groupmap list</command>, it reports a group called <guimenu>Administrators</guimenu>
+ as well as <guimenu>Domain Admins</guimenu>. What is the difference between them?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The group called <guimenu>Administrators</guimenu> is representative of the same account that would be
+ present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain
+ Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This
+ may change at some later date. These accounts are provided only so that security objects are correctly shown.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the effect of changing the name of a Samba server, or of changing the Domain name?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In the event that you elect to change the name of the Samba server, on restarting <command>smbd</command>,
+ Windows security identifiers are changed. In the case of a Stand-Alone server or a Domain Member server,
+ the machine SID is changed. This may break Domain Membership. In the case of a change of the Domain name
+ (Workgroup name), the Domain SID is changed. This affects all Domain Memberships.
+ </para>
+
+ <para>
+ If it becomes necessary to change either the Server name or the Domain name, be sure to back up the respective
+ SID before the change is made. You can back up the SID from use of the <command>net getlocalsid</command> (Samba-3),
+ or by way of the <command>smbpasswd</command> (Samba-2.2.x). To change the SID, you use the same tool. Be sure
+ to check the man page for this command for detailed instructions regarding the steps involved.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How can I manage user accounts from my Windows XP Professional workstation?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba-3 implements a Windows NT4 style security domain architecture. This type of Domain cannot
+ be managed using tools present on a Windows XP Professional installation. You may download from the
+ Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use
+ it. This package extracts the tools known as: <command>User Manager for Domains, Server Manager, Event
+ Viewer</command>. You may use the <guimenu>User Manager for Domains</guimenu> to manage your Samba-3
+ Domain user and group accounts. Of course, you do need to be logged on as the <constant>Administrator</constant>
+ for the Samba-3 Domain. It may help to log on as the <constant>root</constant> account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap04-SecureOfficeServer.xml b/docs/Samba-Guide/Chap04-SecureOfficeServer.xml
new file mode 100644
index 0000000000..5ec4ab2166
--- /dev/null
+++ b/docs/Samba-Guide/Chap04-SecureOfficeServer.xml
@@ -0,0 +1,2750 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="secure">
+ <title>Secure Office Networking</title>
+
+ <para>
+ Congratulations, your Samba networking skills are developing nicely. You started out
+ with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a
+ network that provides a high degree of flexibility, integrity, and dependability. It
+ was enough for the basic needs each was designed to fulfill. In this chapter you
+ address a more complex set of needs. The solution you explore is designed
+ to introduce you to basic features that are specific to Samba-3.
+ </para>
+
+ <para>
+ You should note that a working and secure solution could be implemented using Samba-2.2.x.
+ In the exercises presented here, you are gradually using more Samba-3 specific features
+ so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
+ To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
+ chapter under way.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
+ well done. It is one year since the last network upgrade. You have been quite busy.
+ Two months ago Mr. Meany gave approval to hire Christine Roberson who has taken over
+ general network management. Soon she will provide primary user support. You have demonstrated
+ you can delegate responsibility, and plan and execute
+ to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
+ Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
+ expected. You are Mr. Bob Jordan and will take charge of business operations. Mr. Meany
+ is retiring and has entrusted the business to your capable hands.
+ </para>
+
+ <para>
+ Mr. Meany may be retiring from this company, but not from work. He is taking the opportunity to develop
+ Abmas Inc. into a larger and more substantial company. He says that it took him many
+ years to wake up to the fact that there is no future in just running a business. He
+ now realizes there is great personal reward and satisfaction in creation of career
+ opportunities for people in the local community. He wants to do more for others as he is
+ doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan.
+ He has plans for growth that you will deal with in the chapters ahead.
+ </para>
+
+ <para>
+ Over the past year, the growth projections were exceeded. The network has grown to
+ meet the needs of 130 users. Along with growth, the demand for improved services
+ and better functionality has also developed. You are about to make an interim
+ improvement and then hand over all Help desk and network maintenance to Christine.
+ Christine has professional certifications in Microsoft Windows as well as in Linux;
+ she is a hard worker and quite likable. Christine does not want to manage the department
+ (although she manages well). She gains job satisfaction when left to sort things out.
+ Occasionally she wants to work with you on a challenging problem. When you told her
+ about your move, she almost resigned, although she was reassured that a new manager would
+ be hired to run Information Technology and she would be responsible only for operations.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ You promised the staff Internet services including web browsing, electronic mail, virus
+ protection, and a company Web site. Christine is keen to help turn the vision into
+ reality. Let's see how close you can get to the promises made.
+ </para>
+
+ <para>
+ The network you are about to deliver will service 130 users today. Within 12 months,
+ Abmas will aquire another company. Mr. Meany claims that within two years there will be
+ well over 500 users on the network. You have bought into the big picture, so prepare
+ for growth.
+ </para>
+
+ <para>
+ You have purchased a new server, will implement a new network infrastructure, and
+ reward all staff with a new computer. Notebook computers will not be replaced at this time.
+ </para>
+
+ <para>
+ You have decided to not recycle old network components. The only items that will be
+ carried forward are notebook computers. You offered staff new notebooks, but not
+ one person wanted the disruption for what was perceived as a marginal update.
+ You have made the decision to give everyone a new desktop computer, even to those
+ who have a notebook computer.
+ </para>
+
+ <para>
+ You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional)
+ and a 10 MBit/sec ethernet port. You have registered the domain
+ <constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying
+ secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>.
+ </para>
+
+ <para>
+ It is of paramount priority that under no circumstances will Samba offer
+ service access from an Internet connection. You are paying an ISP to
+ give, as part of their value-added services, full firewall protection for your
+ connection to the outside world. The only services allowed in from
+ the Internet side are the following destination ports: <constant>http/https (ports
+ 80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic
+ will be allowed out after network address translation (NAT). No internal IP addresses
+ are permitted through the NAT filter as complete privacy of internal network
+ operations must be assured.
+ </para>
+
+ <table id="chap4netid">
+ <title>Abmas.US ISP Information</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="center"/>
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Server IP Address</entry>
+ <entry>123.45.67.66</entry>
+ </row>
+ <row>
+ <entry>DSL Device IP Address</entry>
+ <entry>123.45.67.65</entry>
+ </row>
+ <row>
+ <entry>Network Address</entry>
+ <entry>123.45.67.64/30</entry>
+ </row>
+ <row>
+ <entry>Gateway Address</entry>
+ <entry>123.45.54.65</entry>
+ </row>
+ <row>
+ <entry>Primary DNS Server</entry>
+ <entry>123.45.54.65</entry>
+ </row>
+ <row>
+ <entry>Secondary DNS Server</entry>
+ <entry>123.45.54.32</entry>
+ </row>
+ <row>
+ <entry>Forwarding DNS Server</entry>
+ <entry>123.45.12.23</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <image id="ch04net">
+ <description>Abmas Network Topology &smbmdash; 130 Users</description>
+ <imagefile scale="90">chap4-net.png</imagefile>
+ </image>
+
+ <para>
+ Christine has recommended that desktop systems should be installed from a single cloned
+ master system that has a minimum of locally installed software and loads all software
+ off a central application server. The benefit of having the central application server
+ is that it allows single point maintenance of all business applications, something
+ Christine is keen to pursue. She further recommended installation of anti-virus
+ software on workstations as well as on the Samba server. Christine is paranoid of
+ potential virus infection and insists on a comprehensive approach to detective
+ as well as corrective action to protect network operations.
+ </para>
+
+ <para>
+ A significant concern is the problem of managing company growth. Recently, a number
+ of users had to share a PC while waiting for new machines to arrive. This presented
+ some problems with desktop computers and software installation into the new users'
+ desktop profile.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ Many of the conclusions you draw here are obvious. Some requirements are not very clear
+ or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
+ than you will demonstrate here, but keep in mind that the network must scale to at least 500
+ users. This means that some functionality will be over-designed for the current 130 user
+ environment.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ In this exercise we are using a 24-bit subnet mask for the two local networks. This,
+ of course, limits our network to a maximum of 253 usable IP addresses. The network
+ address range chosen is one of the ranges assigned by RFC1918 for private networks.
+ When the number of users on the network begins to approach the limit of usable
+ addresses, it would be a good idea to switch to a network address specified in RFC1918
+ in the 172.16.0.0/16 range. This is done in the following chapters.
+ </para>
+
+ <para>
+ <indexterm><primary>tdbsam</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ The high growth rates projected are a good reason to use the <constant>tdbsam</constant>
+ passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in
+ performance problems. The <constant>tdbsam</constant> passdb backend offers features that
+ are not available with the older flat ASCII-based <constant>smbpasswd</constant> database.
+ </para>
+
+ <para>
+ <indexterm><primary>risk</primary></indexterm>
+ The proposed network design uses a single server to act as an Internet services host for
+ electronic mail, Web serving, remote administrative access vis SSH, as well as for
+ Samba-based file and print services. This design is often chosen by sites that feel
+ they cannot afford or justify the cost or overhead of having separate servers. It must
+ be realized that if security of this type of server should ever be violated (compromised),
+ the whole network and all data is at risk. Many sites continue to choose this type
+ of solution; therefore, this chapter provides detailed coverage of key implementation
+ aspects.
+ </para>
+
+ <para>
+ Samba will be configured to specifically not operate on the ethernet interface that is
+ directly connected to the Internet.
+ </para>
+
+ <para>
+ <indexterm><primary>iptables</primary></indexterm>
+ <indexterm><primary>NAT</primary></indexterm>
+ <indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm>
+ <indexterm>
+ <primary>firewall</primary>
+ </indexterm>
+ You know that your ISP is providing full firewall services, but you cannot rely on that.
+ Always assume that human error will occur, so be prepared by using Linux firewall facilities
+ based on <command>iptables</command> to effect Network Address Translation (NAT). Block all
+ incoming traffic except to permitted well-known ports. You must also allow incoming packets
+ to established outgoing connections. You will permit all internal outgoing requests.
+ </para>
+
+ <para>
+ The configuration of Web serving, Web proxy services, electronic mail, and the details of
+ generic anti-virus handling are beyond the scope of this book and therefore are not
+ covered, except insofar as this affects Samba-3.
+ </para>
+
+ <para><indexterm>
+ <primary>login</primary>
+ </indexterm>
+ Notebook computers are configured to use a network login when in the office and a
+ local account to login while away from the office. Users store all work done in
+ transit (away from the office) by using a local share for work files. Standard procedures
+ will dictate that on completion of the work that necessitates mobile file access, all
+ work files are moved back to secure storage on the office server. Staff is instructed
+ to not carry on any company notebook computer any files that are not absolutely required.
+ This is a preventative measure to protect client information as well as business private
+ records.
+ </para>
+
+ <para><indexterm>
+ <primary>application server</primary>
+ </indexterm>
+ All applications are served from the central server from a share called <constant>apps</constant>.
+ Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
+ (or administrative) installation. Accounting and financial management software can also
+ be run only from the central application server. Notebook users are provided with
+ locally installed applications on a need-to-have basis only.
+ </para>
+
+ <para>
+ <indexterm><primary>roaming profiles</primary></indexterm>
+ The introduction of roaming profiles support means that users can move between
+ desktop computer systems without constraint while retaining full access to their data.
+ The desktop travels with them as they move.
+ </para>
+
+ <para>
+ <indexterm><primary>DNS</primary></indexterm>
+ The DNS server implementation must now address both internal needs as well as external
+ needs. You forward DNS lookups to your ISP provided server as well as the
+ <constant>abmas.us</constant> external secondary DNS server.
+ </para>
+
+ <para>
+ <indexterm><primary>dynamic DNS</primary></indexterm>
+ <indexterm><primary>DDNS</primary><see>dynamic
+ DNS</see></indexterm><indexterm>
+ <primary>DHCP server</primary>
+ </indexterm>
+ Compared with the DHCP server configuration in <link linkend="dhcp01"/>, the configuration used
+ in this example has to deal with the presence of an Internet connection. The scope set for it
+ ensures that no DHCP services will be offered on the external connection. All printers are
+ configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP
+ address by way of the ethernet interface (MAC) address. One additional feature of this DHCP
+ server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation.
+ </para>
+
+ <para>
+ This is the first implementation that depends on a correctly functioning DNS server.
+ Comprehensive steps are included to provide for a fully functioning DNS server that also
+ is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered
+ with the DNS server.
+ </para>
+
+ <para>
+ You are taking the opportunity to manually set the netbios name of the Samba server to
+ a name other than what will be automatically resolved. You are doing this to ensure that
+ the machine has the same NetBIOS name on both network segments.
+ </para>
+
+ <para>
+ As in the previous network configuration, printing in this network configuration uses
+ direct raw printing (i.e., no smart printing and no print driver auto-download to Windows
+ clients). Printer drivers are installed on the Windows client manually. This is not
+ a problem given that Christine is to install and configure one single workstation and
+ then clone that configuration, using Norton Ghost, to all workstations. Each machine is
+ identical, so this should pose no problem.
+ </para>
+
+ <sect3>
+ <title>Hardware Requirements</title>
+
+ <para><indexterm>
+ <primary>memory requirements</primary>
+ </indexterm>
+ This server runs a considerable number of services. From similarly configured Linux
+ installations the approximate calculated memory requirements will be as that shown in
+ <link linkend="ch4memoryest"/>.
+
+<example id="ch4memoryest">
+<title>Estimation of Memory Requirements</title>
+<screen>
+Application Memory per User 130 Users 500 Users
+ Name (MBytes) Total MBytes Total MBytes
+----------- --------------- ------------ ------------
+DHCP 2.5 3 3
+DNS 16.0 16 16
+Samba (nmbd) 16.0 16 16
+Samba (winbind) 16.0 16 16
+Samba (smbd) 4.0 520 2000
+Apache 10.0 (20 User) 200 200
+CUPS 3.5 16 32
+Basic OS 256.0 256 256
+ -------------- --------------
+ Total: 1043 MBytes 2539 MBytes
+ -------------- --------------
+</screen>
+</example>
+ You would choose to add a safety margin of at least 50% to these estimates. The minimum
+ system memory recommended for initial startup would be 1 GByte, but to permit the system
+ to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory.
+ An initial configuration with only 1 GByte memory would lead to early performance complaints
+ as the system load builds up. Given the low cost of memory, it would not make sense to
+ compromise in this area.
+ </para>
+
+ <para><indexterm>
+ <primary>bandwidth calculations</primary>
+ </indexterm>
+ Aggregate Input/Output loads should be considered for sizing network configuration as
+ well as disk subsystems. For network bandwidth calculations, one would typically use an
+ estimate of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec)
+ would deliver below acceptable capacity for the initial user load. It is, therefore, a good
+ idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached
+ to a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T
+ switched ports.
+ </para>
+
+ <para><indexterm>
+ <primary>network segments</primary>
+ </indexterm><indexterm>
+ <primary>RAID</primary>
+ </indexterm>
+ Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments,
+ the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O
+ demand that would require a fast disk storage I/O capability. Peak disk throughput is
+ limited by the disk sub-system chosen. It would be desirable to provide the maximum
+ I/O bandwidth that can be afforded. If a low-cost solution must be chosen, the use of
+ 3Ware IDE RAID Controllers makes a good choice. These controllers can be fitted into a
+ 64 bit, 66 MHz PCI-X slot. They appear to the operating system as a high speed SCSI
+ controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec).
+ Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
+ it would make sense to purchase well-known branded hardware that has appropriate performance
+ specifications. As a minimum, one should attempt to provide a disk sub-system that can
+ deliver I/O rates of at least 100 MBytes/sec.
+ </para>
+
+ <para>
+ Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>.
+
+<example id="ch4diskest">
+<title>Estimation of Disk Storage Requirements</title>
+<screen>
+Corporate Data: 100 MBytes/user per year
+Email Storage: 500 MBytes/user per year
+Applications: 5000 MBytes
+Safety Buffer: At least 50%
+
+Given 500 Users and 2 years:
+-----------------------------
+ Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
+ Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
+ Applications: 5000 MBytes = 5 GBytes
+ ----------------------------
+ Total: 605 GBytes
+ Add 50% buffer 303 GBytes
+ Recommended Storage: 908 GBytes
+</screen>
+</example>
+ <indexterm>
+ <primary>storage capacity</primary>
+ </indexterm>
+ The preferred storage capacity should be approximately 1 TeraByte. Use of RAID level 5
+ with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ Your industry is coming under increasing accountability pressures. Increased paranoia
+ is necessary so you can demonstrate that you have acted with due diligence. You must
+ not trust your Internet connection.
+ </para>
+
+ <para>
+ Apart from permitting more efficient management of business applications through use of
+ an application server, your primary reason for the decision to implement this is that it
+ gives you greater control over software licensing.
+ </para>
+
+ <para><indexterm>
+ <primary>Outlook Express</primary>
+ </indexterm>
+ You are well aware that the current configuration results in some performance issues
+ as the size of the desktop profile grows. Given that users use Microsoft Outlook
+ Express, you know that the storage implications of the <constant>.PST</constant> file
+ is something that needs to be addressed later on.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para>
+ <link linkend="ch04net"/> demonstrates the overall design of the network that you will implement.
+ </para>
+
+ <para>
+ The information presented here assumes that you are already familiar with many basic steps.
+ As this stands, the details provided already extend well beyond just the necessities of
+ Samba configuration. This decision is deliberate to ensure that key determinants
+ of a successful installation are not overlooked. This is the last case that documents
+ the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
+ here, there are many other good reference books on these subjects.
+ </para>
+
+ <para>
+ The &smb.conf; file has the following noteworthy features:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>.
+ </para></listitem>
+
+ <listitem><para>
+ The Domain name is set to <constant>PROMISES</constant>.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>broadcast messages</primary>
+ </indexterm><indexterm>
+ <primary>interfaces</primary>
+ </indexterm><indexterm>
+ <primary>bind interfaces only</primary>
+ </indexterm>
+ Ethernet interface <constant>eth0</constant> is attached to the Internet connection
+ and is externally exposed. This interface is explicitly not available for Samba to use.
+ Samba listens on this interface for broadcast messages, but does not broadcast any
+ information on <constant>eth0</constant>, nor does it accept any connections from it.
+ This is achieved by way of the <parameter>interfaces</parameter> parameter and the
+ <parameter>bind interfaces only</parameter> entry.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>binary database</primary>
+ </indexterm>
+ The <parameter>passdb backend</parameter> parameter specifies the creation and use
+ of the <constant>tdbsam</constant> password backend. This is a binary database that
+ has excellent scalability for a large number of user account entries.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>WINS serving</primary>
+ </indexterm><indexterm>
+ <primary>wins support</primary>
+ </indexterm><indexterm>
+ <primary>name resolve order</primary>
+ </indexterm>
+ WINS serving is enabled by the <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>,
+ and name resolution is set to use it by means of the <smbconfoption><name>name resolve order</name>
+ <value>wins bcast hosts</value></smbconfoption> entry.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>time server</primary>
+ </indexterm>
+ The Samba server is configured for use by Windows clients as a time server.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm><indexterm>
+ <primary>printing</primary>
+ </indexterm><indexterm>
+ <primary>printcap name</primary>
+ </indexterm>
+ Samba is configured to directly interface with CUPS via the direct internal interface
+ that is provided by CUPS libraries. This is achieved with the
+ <smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> as well as the
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> entries.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>user management</primary>
+ </indexterm><indexterm>
+ <primary>group management</primary>
+ </indexterm><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm>
+ External interface scripts are provided to enable Samba to interface smoothly to
+ essential operating system functions for user and group management. This is important
+ to enable workstations to join the Domain, and is also important so that you can use
+ the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools
+ are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be
+ downloaded from the Microsoft FTP <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site.</ulink>
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>User Mode</primary>
+ </indexterm>
+ The &smb.conf; file specifies that the Samba server will operate in (default) <parameter>
+ security = user</parameter> mode<footnote>See <emphasis>TOSHARG</emphasis>, Chapter 3. This is necessary
+ so that Samba can act as a Domain Controller (PDC); see <emphasis>TOSHARG</emphasis>, Chapter 4 for
+ additional information.</footnote> (User Mode).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>logon services</primary>
+ </indexterm><indexterm>
+ <primary>logon script</primary>
+ </indexterm>
+ Domain logon services as well as a Domain logon script are specified. The logon script
+ will be used to add robustness to the overall network configuration.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>roaming profiles</primary>
+ </indexterm><indexterm>
+ <primary>logon path</primary>
+ </indexterm><indexterm>
+ <primary>profile share</primary>
+ </indexterm>
+ Roaming profiles are enabled through the specification of the parameter, <smbconfoption><name>logon path</name>
+ <value>\\%L\profiles\%U</value></smbconfoption>. The value of this parameter translates the
+ <constant>%L</constant> to the name by which the Samba server is called by the client (for this
+ configuration, it translates to the name <constant>DIAMOND</constant>), and the <constant>%U</constant>
+ will translate to the name of the user within the context of the connection made to the profile share.
+ It is the administrator's responsibility to ensure there is a directory in the root of the
+ profile share for each user. This directory must be owned by the user also. An exception to this
+ requirement is when a profile is created for group use.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>virus</primary>
+ </indexterm><indexterm>
+ <primary>opportunistic locking</primary>
+ </indexterm>
+ Precautionary veto is effected for particular Windows file names that have been targeted by
+ virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
+ controls. This should help to prevent lock contention related file access problems.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>IPC$</primary>
+ </indexterm>
+ Explicit controls are effected to restrict access to the <constant>IPC$</constant> share to
+ local networks only. The <constant>IPC$</constant> share plays an important role in network
+ browsing and in establishment of network connections.
+ </para></listitem>
+
+ <listitem><para>
+ Every user has a private home directory on the UNIX/Linux host. This is mapped to
+ a network drive that is the same for all users.
+ </para></listitem>
+
+ </itemizedlist>
+
+ <para>
+ The configuration of the server is the most complex so far. The following steps are used:
+ </para>
+
+ <orderedlist numeration="arabic">
+ <listitem><para>
+ Basic System Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Samba Configuration
+ </para></listitem>
+
+ <listitem><para>
+ DHCP and DNS Server Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Printer Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Process Start-up Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Validation
+ </para></listitem>
+
+ <listitem><para>
+ Application Share Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Windows Client Configuration
+ </para></listitem>
+ </orderedlist>
+
+ <para>
+ The following sections cover each step in logical and defined detail.
+ </para>
+
+ <sect2 id="ch4bsc">
+ <title>Basic System Configuration</title>
+
+ <para><indexterm>
+ <primary>SUSE Enterprise Linux Server</primary>
+ </indexterm>
+ The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
+ freshly installed. It prepares basic files so that the system is ready for comprehensive
+ operation in line with the network diagram shown in <link linkend="ch04net"/>.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>hostname</primary>
+ </indexterm>
+ Using the UNIX/Linux system tools, name the server <constant>server.abmas.us</constant>.
+ Verify that your hostname is correctly set by running:
+<screen>
+&rootprompt; uname -n
+server
+</screen>
+ An alternate method to verify the hostname is:
+<screen>
+&rootprompt; hostname -f
+server.abmas.us
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
+ <primary>localhost</primary>
+ </indexterm>
+ Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system can resolve all its own names to the IP address prior to
+ startup of the DNS server. An example of entries that should be in the
+ <filename>/etc/hosts</filename> file is:
+<screen>
+127.0.0.1 localhost
+192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
+192.168.2.1 sleeth2.abmas.biz sleeth2
+123.45.67.66 server.abmas.us server
+</screen>
+ You should check the startup order of your system. If the CUPS print server is started before
+ the DNS server (<command>named</command>), you should also include an entry for the printers
+ in the <filename>/etc/hosts</filename> file, as follows:
+<screen>
+192.168.1.20 qmsa.abmas.biz qmsa
+192.168.1.30 hplj6a.abmas.biz hplj6a
+192.168.2.20 qmsf.abmas.biz qmsf
+192.168.2.30 hplj6f.abmas.biz hplj6f
+</screen>
+ <indexterm>
+ <primary>named</primary>
+ </indexterm><indexterm>
+ <primary>cupsd</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm>
+ The printer entries are not necessary if <command>named</command> is started prior to
+ startup of <command>cupsd</command>, the CUPS daemon.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
+ <indexterm><primary>IP forwarding</primary></indexterm><indexterm>
+ <primary>/proc/sys/net/ipv4/ip_forward</primary>
+ </indexterm>
+ The host server is acting as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
+ achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
+<screen>
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</screen>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may
+ wish to execute that command manually also. This setting permits the Linux system to
+ act as a router.<footnote>ED NOTE: You may want to do the echo command last and include
+ "0" in the init scripts since it opens up your network for a short time.</footnote>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>firewall</primary>
+ </indexterm><indexterm>
+ <primary>abmas-netfw.sh</primary>
+ </indexterm>
+ Installation of a basic firewall and network address translation facility is necessary.
+ The following script can be installed in the <filename>/usr/local/sbin</filename>
+ directory. It is executed from the <filename>/etc/rc.d/boot.local</filename> startup
+ script. In your case, this script is called <filename>abmas-netfw.sh</filename>. The
+ script contents are shown in <link linkend="ch4natfw"/>.
+
+<example id="ch4natfw">
+<title>NAT Firewall Configuration Script</title>
+<screen>
+#!/bin/sh
+echo -e "\n\nLoading NAT firewall.\n"
+IPTABLES=/usr/sbin/iptables
+EXTIF="eth0"
+INTIFA="eth1"
+INTIFB="eth2"
+
+/sbin/depmod -a
+/sbin/insmod ip_tables
+/sbin/insmod ip_conntrack
+/sbin/insmod ip_conntrack_ftp
+/sbin/insmod iptable_nat
+/sbin/insmod ip_nat_ftp
+$IPTABLES -P INPUT DROP
+$IPTABLES -F INPUT
+$IPTABLES -P OUTPUT ACCEPT
+$IPTABLES -F OUTPUT
+$IPTABLES -P FORWARD DROP
+$IPTABLES -F FORWARD
+$IPTABLES -t nat -F
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
+$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
+for i in 22 25 53 80 443
+do
+ $IPTABLES -A INPUT -i $EXTIF -p tcp -dport $i -j ACCEPT
+done
+# Allow DNS(udp)
+$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
+echo "Allow all connections OUT and only existing and specified ones IN"
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -j LOG
+echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
+$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+echo "1" > /proc/sys/net/ipv4/ip_forward
+echo -e "\nNAT firewall done.\n"
+</screen>
+</example>
+ </para></step>
+
+ <step><para>
+ Execute the following to make the script executable:
+<screen>
+&rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh
+</screen>
+ You must now edit <filename>/etc/rc.d/boot.local</filename> to add an entry
+ that runs your <command>abmas-natfw.sh</command> script. The following
+ entry works for you:
+<screen>
+#! /bin/sh
+#
+# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Werner Fink, 1996
+# Burchard Steinbild, 1996
+#
+# /etc/init.d/boot.local
+#
+# script with local commands to be executed from init on system startup
+#
+# Here you should add things that should happen directly after booting
+# before we're going to the first run level.
+#
+/usr/local/sbin/abmas-natfw.sh
+</screen>
+ </para></step>
+ </procedure>
+
+ <para><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm>
+ The server is now ready for Samba configuration. During the validation step, you remove
+ the entry for the Samba server <constant>diamond</constant> from the <filename>/etc/hosts</filename>
+ file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Samba Configuration</title>
+
+ <para>
+ When you have completed this section, the Samba server is ready for testing and validation;
+ however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have
+ been configured.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
+ RPM file is called <filename>samba-3.0.2-1.i386.rpm</filename>, one way to install this
+ file is as follows:
+<screen>
+&rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm
+</screen>
+ This operation must be performed while logged in as the <command>root</command> user.
+ Successful operation is clearly indicated. If this installation should fail for any reason,
+ refer to the operating system manufacturer's documentation for guidance.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="promisnet"/>, <link linkend="promisnetsvca"/>,
+ and <link linkend="promisnetsvcb"/>. Concatenate (join) all three files to make a single &smb.conf;
+ file. The final, fully qualified path for this file should be <filename>/etc/samba/smb.conf</filename>.
+
+<smbconfexample id="promisnet">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>PROMISES</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>DIAMOND</value></smbconfoption>
+<smbconfoption><name>interfaces</name><value>eth1, eth2, lo</value></smbconfoption>
+<smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
+<smbconfoption><name>pam password change</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>passwd chat</name><value>*New*Password* %n\n *Re-enter*new*password*</value></smbconfoption>
+<member><parameter> %n\n *Password*changed*</parameter></member>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>unix password sync</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
+<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
+<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
+<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
+<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
+<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd</value></smbconfoption>
+<member><parameter>-s /bin/false -d /dev/null %u</parameter></member>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+<smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
+<smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="promisnetsvca">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A</title>
+<smbconfsection>[IPC$]</smbconfsection>
+<smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
+<smbconfoption><name>hosts allow</name><value>192.168.1.0/24, 192.168.2.0/24, 127.0.0.1</value></smbconfoption>
+<smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>locking</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="promisnetsvcb">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B</title>
+<smbconfsection>[profiles]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[apps]</smbconfsection>
+<smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+<smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
+</smbconfexample>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>administrator</primary></indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Add the <constant>root</constant> user to the password backend as follows:
+<screen>
+&rootprompt; smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+&rootprompt;
+</screen>
+ The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>username map</primary></indexterm>
+ Create the username map file to permit the <constant>root</constant> account to be called
+ <constant>Administrator</constant> from the Windows network environment. To do this, create
+ the file <filename>/etc/samba/smbusers</filename> with the following contents:
+<screen>
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>initGrps.sh</primary></indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>add</tertiary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>modify</tertiary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>list</tertiary>
+ </indexterm>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <link linkend="initGrps"/>. Create a file containing this script. We called ours
+ <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+<example id="ch4initGrps">
+<title>Script to Map Windows NT Groups to UNIX Groups</title>
+<indexterm><primary>initGrps.sh</primary></indexterm>
+<screen>
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+
+# Map Windows NT machine local groups to local UNIX groups
+# Mapping of local groups is not necessary and not functional
+# for this installation.
+</screen>
+</example>
+
+<screen>
+&rootprompt; chmod 755 initGrps.sh
+&rootprompt; /etc/samba # ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+&rootprompt; /etc/samba # net groupmap list | sort
+Account Operators (S-1-5-32-548) -> -1
+Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
+Administrators (S-1-5-32-544) -> -1
+Backup Operators (S-1-5-32-551) -> -1
+Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
+Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
+Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
+Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
+Guests (S-1-5-32-546) -> -1
+Power Users (S-1-5-32-547) -> -1
+Print Operators (S-1-5-32-550) -> -1
+Replicators (S-1-5-32-552) -> -1
+System Operators (S-1-5-32-549) -> -1
+Users (S-1-5-32-545) -> -1
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>useradd</primary></indexterm>
+ <indexterm><primary>adduser</primary></indexterm>
+ <indexterm><primary>passwd</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
+ <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
+ There is one preparatory step without which you will not have a working Samba
+ network environment. You must add an account for each network user.
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account, and use the Samba
+ <command>smbpasswd</command> to create a Domain user account.
+ There are a number of tools for user management under UNIX. Commonly known ones include:
+ <command>useradd, adduser</command>. In addition to these, there are a plethora of custom
+ tools. You also want to create a home directory for each user.
+ You can do this by executing the following steps for each user:
+<screen>
+&rootprompt; useradd -m <parameter>username</parameter>
+&rootprompt; passwd <parameter>username</parameter>
+Changing password for <parameter>username</parameter>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+&rootprompt; smbpasswd -a <parameter>username</parameter>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <parameter>username</parameter>.
+</screen>
+ You do of course use a valid user login ID in place of <parameter>username</parameter>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>file system</primary>
+ <secondary>access control</secondary>
+ </indexterm><indexterm>
+ <primary>file system</primary>
+ <secondary>permissions</secondary>
+ </indexterm><indexterm>
+ <primary>group membership</primary>
+ </indexterm>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </para></step>
+
+ <step><para>
+ Create the directory mount point for the disk sub-system that can be mounted to provide
+ data storage for company files. In this case the mount point indicated in the &smb.conf;
+ file is <filename>/data</filename>. Format the file system as required, and mount the formatted
+ file system partition using appropriate system tools.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm>
+ Create the top-level file storage directories for data and applications as follows:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs}
+&rootprompt; mkdir -p /apps
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R root.root /apps
+&rootprompt; chown -R bjordan.accounts /data/accounts
+&rootprompt; chown -R bjordan.finsvcs /data/finsvcs
+&rootprompt; chmod -R ug+rwxs,o-rwx /data
+&rootprompt; chmod -R ug+rwx,o+rx-w /apps
+</screen>
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
+ The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
+ The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
+ that provides the application server infrastructure.
+ </para></step>
+
+ <step><para>
+ The &smb.conf; file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential
+ since desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 Megabytes of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+<screen>
+&rootprompt; mkdir -p /var/spool/samba
+&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+&rootprompt; chown -R root.root /var/spool/samba
+&rootprompt; chown -R root.root /var/lib/samba
+&rootprompt; chmod a+rwxt /var/spool/samba
+</screen>
+ For each user account that is created on the system, the following commands should be
+ executed:
+<screen>
+&rootprompt; mkdir /var/lib/samba/profiles/'username'
+&rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
+&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>logon scrip</primary>
+ </indexterm><indexterm>
+ <primary>unix2dos</primary>
+ </indexterm><indexterm>
+ <primary>dos2unix</primary>
+ </indexterm>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<constant>unix2dos</constant> and <constant>dos2unix</constant>) are installed.
+ First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
+ with the following contents:
+<screen>
+net time \\diamond /set /yes
+net use h: /home
+net use p: \\diamond\apps
+</screen>
+ Convert the UNIX file to a DOS file using the <command>unix2dos</command> as shown here:
+<screen>
+&rootprompt; unix2dos &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ &gt; /var/lib/samba/netlogon/scripts/logon.bat
+</screen>
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4dhcpdns">
+ <title>Configuration of DHCP and DNS Servers</title>
+
+ <para>
+ DHCP services are a basic component of the entire network client installation. DNS operation is
+ foundational to Internet access as well as to trouble-free operation of local networking. When
+ you have completed this section, the server should be ready for solid duty operation.
+ </para>
+
+ <procedure>
+ <step><para>
+ <indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
+ Create a file called <filename>/etc/dhcpd.conf</filename> with the contents as
+ shown in <link linkend="prom-dhcp"/>.
+
+<example id="prom-dhcp">
+<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
+<screen>
+# Abmas Accounting Inc. - Chapter 4
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8; ### Node type = Hybrid ###
+ddns-updates on; ### Dynamic DNS enabled ###
+ddns-update-style ad-hoc;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host qmsa {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6a {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.30;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qmsf {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6f {
+ hardware ethernet 00:03:47:cf:83:e2;
+ fixed-address 192.168.2.30;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
+</screen>
+</example>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/named.conf</primary></indexterm>
+ Create a file called <filename>/etc/named.conf</filename> that has the combined contents
+ of the <link linkend="ch4namedcfg"/>, <link linkend="ch4namedvarfwd"/>, and
+ <link linkend="ch4namedvarrev"/> files that are concatenated (merged) in this
+ specific order.
+ </para></step>
+
+ <step><para>
+ Create the files shown in their directories as follows:
+
+ <table if="namedrscfiles">
+ <title>DNS (named) Resource Files</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>Reference</entry>
+ <entry>File Location</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><link linkend="loopback"/></entry>
+ <entry>/var/lib/named/localhost.zone</entry>
+ </row>
+ <row>
+ <entry><link linkend="dnsloopy"/></entry>
+ <entry>/var/lib/named/127.0.0.zone</entry>
+ </row>
+ <row>
+ <entry><link linkend="roothint"/></entry>
+ <entry>/var/lib/named/root.hint</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasbiz"/></entry>
+ <entry>/var/lib/named/master/abmas.biz.hosts</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasus"/></entry>
+ <entry>/var/lib/named/abmas.us.hosts</entry>
+ </row>
+ <row>
+ <entry><link linkend="eth1zone"/></entry>
+ <entry>/var/lib/named/192.168.1.0.rev</entry>
+ </row>
+ <row>
+ <entry><link linkend="eth2zone"/></entry>
+ <entry>/var/lib/named/192.168.2.0.rev</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+<example id="ch4namedcfg">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section</title>
+<indexterm><primary>/etc/named.conf</primary></indexterm>
+<screen>
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 192.168.1.0/24;
+ 192.168.2.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+}
+
+</screen>
+</example>
+
+<example id="ch4namedvarfwd">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section</title>
+<screen>
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ all;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</screen>
+</example>
+
+<example id="ch4namedvarrev">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section</title>
+<screen>
+zone "1.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.1.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "2.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.2.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+</screen>
+</example>
+
+<example id="eth1zone">
+<title>DNS 192.168.1 Reverse Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth1.abmas.biz.
+$ORIGIN 1.168.192.in-addr.arpa.
+1 PTR sleeth1.abmas.biz.
+20 PTR qmsa.abmas.biz.
+30 PTR hplj6a.abmas.biz.
+</screen>
+</example>
+
+<example id="eth2zone">
+<title>DNS 192.168.2 Reverse Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth2.abmas.biz.
+$ORIGIN 2.168.192.in-addr.arpa.
+1 PTR sleeth2.abmas.biz.
+20 PTR qmsf.abmas.biz.
+30 PTR hplj6f.abmas.biz.
+</screen>
+</example>
+
+<example id="abmasbiz">
+<title>DNS Abmas.biz Forward Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.biz.
+ MX 10 sleeth1.abmas.biz.
+$ORIGIN abmas.biz.
+sleeth1 A 192.168.1.1
+sleeth2 A 192.168.2.1
+qmsa A 192.168.1.20
+hplj6a A 192.168.1.30
+qmsf A 192.168.2.20
+hplj6f A 192.168.2.30
+dns CNAME sleeth1
+diamond CNAME sleeth1
+mail CNAME sleeth1
+</screen>
+</example>
+
+<example id="abmasus">
+<title>DNS Abmas.us Forward Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 server.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
+</screen>
+</example>
+
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/resolv.conf</primary></indexterm><indexterm>
+ <primary>name resolution</primary>
+ </indexterm>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <filename>/etc/resolv.conf</filename> to have the following
+ content:
+<screen>
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+nameserver 123.45.54.23
+</screen>
+ <indexterm>
+ <primary>DNS server</primary>
+ </indexterm>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses. In the event that the local name server
+ is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
+ purely local names to IP addresses.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ The final step is to edit the <filename>/etc/nsswitch.conf</filename> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+<screen>
+hosts: files dns wins
+</screen>
+ </para></step>
+ </procedure>
+
+ <para>
+ The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
+ there are a few more steps along the road. First, configure the print spooling and print
+ processing system. Then you can configure the server so that all services
+ start automatically on reboot. You must also manually start all services prior to validation testing.
+ </para>
+
+ </sect2>
+
+ <sect2 id="ch4ptrcfg">
+ <title>Printer Configuration</title>
+
+ <para>
+ </para>
+
+ <procedure>
+ <step><para>
+ Configure each printer to be a DHCP client carefully following the manufacturer's guidelines.
+ </para></step>
+
+ <step><para>
+ Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100.
+ Use any other port the manufacturer specifies for direct mode, raw printing and adjust the
+ port as necessary in the following example commands.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
+&rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
+&rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
+&rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This has created the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>enable</primary>
+ </indexterm>
+ Print queues may not be enabled at creation. Use <command>lpc stat</command> to check
+ the status of the print queues and if necessary make certain that the queues you have
+ just created are enabled by executing the following:
+<screen>
+&rootprompt; /usr/bin/enable qmsa
+&rootprompt; /usr/bin/enable hplj6a
+&rootprompt; /usr/bin/enable qmsf
+&rootprompt; /usr/bin/enable hplj6f
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>accept</primary>
+ </indexterm>
+ Even though your print queues may be enabled, it is still possible that they
+ are not accepting print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queues are
+ set to accept incoming jobs by executing the following commands:
+<screen>
+&rootprompt; /usr/bin/accept qmsa
+&rootprompt; /usr/bin/accept hplj6a
+&rootprompt; /usr/bin/accept qmsf
+&rootprompt; /usr/bin/accept hplj6f
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ Printing drivers are installed on each network client workstation.
+ </para></step>
+ </procedure>
+
+ <para>
+ The UNIX system print queues have been configured and are ready for validation testing.
+ </para>
+
+ </sect2>
+
+ <sect2 id="procstart">
+ <title>Process Startup Configuration</title>
+
+ <para>
+ <indexterm><primary>chkconfig</primary></indexterm>
+ There are two essential steps to process startup configuration. First, the process
+ must be configured so that it automatically restarts each time the server
+ is rebooted. This step involves use of the <command>chkconfig</command> tool that
+ creates the appropriate symbolic links from the master daemon control file that is
+ located in the <filename>/etc/rc.d</filename> directory, to the <filename>/etc/rc'x'.d</filename>
+ directories. Links are created so that when the system run-level is changed, the
+ necessary start or kill script is run.
+ </para>
+
+ <para>
+ <indexterm><primary>/etc/xinetd.d</primary></indexterm><indexterm>
+ <primary>inetd</primary>
+ </indexterm><indexterm>
+ <primary>xinetd</primary>
+ </indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm><indexterm>
+ <primary>super daemon</primary>
+ </indexterm>
+ In the event that a service is not run as a daemon, but via the inter-networking
+ super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
+ tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
+ and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
+ re-read its control files.
+ </para>
+
+ <para>
+ Last, each service must be started to permit system validation to proceed.
+ </para>
+
+ <procedure>
+ <step><para>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example:
+ <indexterm><primary>chkconfig</primary></indexterm>
+<screen>
+&rootprompt; chkconfig dhpc on
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig cups on
+&rootprompt; chkconfig smb on
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting dhcpd</primary></indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting CUPS</primary></indexterm>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+<screen>
+&rootprompt; /etc/rc.d/init.d/dhcp restart
+&rootprompt; /etc/rc.d/init.d/named restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+&rootprompt; /etc/rc.d/init.d/smb restart
+</screen>
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4valid">
+ <title>Validation</title>
+
+ <para><indexterm>
+ <primary>validation</primary>
+ </indexterm>
+ Complex networking problems are most often caused by simple things that are poorly or incorrectly
+ configured. The validation process adopted here should be followed carefully; it is the result of the
+ experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
+ refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
+ and diligence in network validation. By thoroughly testing and validating every step in the process
+ of network installation and configuration, you can save yourself from sleepless nights and restless
+ days. A well debugged network is a foundation for happy network users and network administrators.
+ Later in this book you learn how to make users happier. For now, it is enough to learn to
+ validate. Let's get on with it.
+ </para>
+
+ <procedure>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ One of the most important facets of Samba configuration is to ensure that
+ name resolution functions correctly. You can test name resolution
+ with a few simple tests. The most basic name resolution is provided from the
+ <filename>/etc/hosts</filename> file. To test its operation, make a
+ temporary edit to the <filename>/etc/nsswitch.conf</filename> file. Using
+ your favorite editor, change the entry for <constant>hosts</constant> to read:
+<screen>
+hosts: files
+</screen>
+ When you have saved this file, execute the following command:
+<screen>
+&rootprompt; ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3016ms
+rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
+</screen>
+ This proves that name resolution via the <filename>/etc/hosts</filename> file
+ is working.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ So far, your installation is going particularly well. In this step we validate
+ DNS server and name resolution operation. Using your favorite UNIX system editor,
+ change the <filename>/etc/nsswitch.conf</filename> file so that the
+ <constant>hosts</constant> entry reads:
+<screen>
+hosts: dns
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>named</primary></indexterm>
+ Before you test DNS operation, it is a good idea to verify that the DNS server
+ is running by executing the following:
+<screen>
+&rootprompt; ps ax | grep named
+ 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
+ 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 2552 pts/2 S 0:00 grep named
+</screen>
+ This means that we are ready to check DNS operation. Do so by executing:
+ <indexterm><primary>ping</primary></indexterm>
+<screen>
+&rootprompt; ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 999ms
+rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
+</screen>
+ You should take a few more steps to validate DNS server operation, as follows:
+<screen>
+&rootprompt; host -f diamond.abmas.biz
+sleeth1.abmas.biz has address 192.168.1.1
+</screen>
+ <indexterm><primary>/etc/hosts</primary></indexterm>
+ You may now remove the entry called <constant>diamond</constant> from the
+ <filename>/etc/hosts</filename> file. It does not hurt to leave it there,
+ but its removal reduces the number of administrative steps for this name.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ WINS is a great way to resolve NetBIOS names to their IP address. You can test
+ the operation of WINS by starting <command>nmbd</command> (manually, or by way
+ of the Samba startup method shown in <link linkend="procstart"/>). You must edit
+ the <filename>/etc/nsswitch.conf</filename> file so that the <constant>hosts</constant>
+ entry is as follows:
+<screen>
+hosts: wins
+</screen>
+ The next step is to make certain that Samba is running using <command>ps ax|grep mbd</command>, and then execute the following:
+<screen>
+&rootprompt; ping diamond
+PING diamond (192.168.1.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
+</screen>
+ <indexterm><primary>ping</primary></indexterm>
+ Now that you can relax with the knowledge that all three major forms of name
+ resolution to IP address resolution are working, edit the <filename>/etc/nsswitch.conf</filename>
+ again. This time you add all three forms of name resolution to this file.
+ Your edited entry for <constant>hosts</constant> should now look like this:
+<screen>
+hosts: file dns wins
+</screen>
+ The system is looking good. Let's move on.
+ </para></step>
+
+ <step><para>
+ It would give peace of mind to know that the DHCP server is running
+ and available for service. You can validate DHCP services by running:
+
+<screen>
+&rootprompt; ps ax | grep dhcp
+ 2618 ? S 0:00 /usr/sbin/dhcpd ...
+ 8180 pts/2 S 0:00 grep dhcp
+</screen>
+ This shows that the server is running. The proof of whether or not it is working
+ comes when you try to add the first DHCP client to the network.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>testparm</primary></indexterm>
+ This is a good point at which to start validating Samba operation. You are
+ content that name resolution is working for basic TCP/IP needs. Let's move on.
+ If your &smb.conf; file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+<screen>
+&rootprompt; testparm -s
+Load smb config files from /etc/samba/smb.conf
+Processing section "[IPC$]"
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[apps]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = PROMISES
+ netbios name = DIAMOND
+ interfaces = eth1, eth2, lo
+ bind interfaces only = Yes
+ passdb backend = tdbsam
+ pam password change = Yes
+ passwd chat = *New*Password* %n\n \
+ *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ unix password sync = Yes
+ log level = 1
+ syslog = 0
+ log file = /var/log/samba/%m
+ max log size = 50
+ smb ports = 139 445
+ name resolve order = wins bcast hosts
+ time server = Yes
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m %u
+ delete user script = /usr/sbin/userdel -r %u
+ add group script = /usr/sbin/groupadd %g
+ delete group script = /usr/sbin/groupdel %g
+ add user to group script = /usr/sbin/usermod -G %g %u
+ add machine script = /usr/sbin/useradd \
+ -s /bin/false -d /dev/null %u
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
+ abort shutdown script = /sbin/shutdown -c
+ logon script = scripts\logon.bat
+ logon path = \\%L\profiles\%U
+ logon drive = X:
+ logon home = \\%L\%U
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ utmp = Yes
+ winbind use default domain = Yes
+ map acl inherit = Yes
+ printing = cups
+ veto files = /*.eml/*.nws/riched20.dll/*.{*}/
+ veto oplock files = /*.doc/*.xls/*.mdb/
+
+[IPC$]
+ path = /tmp
+ hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
+ hosts deny = 0.0.0.0/0
+...
+### Remainder cut to save space ###
+</screen>
+ Clear away all errors before proceeding.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>check samba daemons</primary></indexterm>
+ <indexterm><primary>smbd</primary></indexterm>
+ <indexterm><primary>nmbd</primary></indexterm>
+ <indexterm><primary>winbindd</primary></indexterm>
+ Check that the Samba server is running:
+<screen>
+&rootprompt; ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</screen>
+ The <command>winbindd</command> daemon is running in split mode (normal), so there are also
+ two instances<footnote>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
+ Chapter 20, Section 20.3. The single instance of <command>smbd</command> is normal. One additional
+ <command>smbd</command> slave process is spawned for each SMB/CIFS client
+ connection.</footnote> of it.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>anonymous
+ connection</primary></indexterm>
+ <indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ Check that an anonymous connection can be made to the Samba server:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.2)
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ apps Disk Application Files
+ ADMIN$ IPC IPC Service (Samba 3.0.2)
+ hplj6a Printer hplj6a
+ hplj6f Printer hplj6f
+ qmsa Printer qmsa
+ qmsf Printer qmsf
+
+ Server Comment
+ --------- -------
+ DIAMOND Samba CVS 3.0.2
+
+ Workgroup Master
+ --------- -------
+ PROMISES DIAMOND
+</screen>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <constant>-U%</constant> argument means "send a <constant>NULL</constant> username and
+ a <constant>NULL</constant> password."
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>dhcp client validation</primary></indexterm>
+ <indexterm><primary>printer validation</primary></indexterm>
+ <indexterm><primary>arp</primary></indexterm>
+ Verify that each printer has the IP address assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <command>arp -a</command> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They
+ should, of course, match. For example:
+<screen>
+&rootprompt; ping hplj6
+PING hplj6a (192.168.1.30) 56(84) bytes of data.
+64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
+
+&rootprompt; arp -a
+hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
+</screen>
+ <indexterm>
+ <primary>/etc/dhcpd.conf</primary>
+ </indexterm>
+ The MAC address <constant>00:03:47:CB:81:E0</constant> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <filename>/etc/dhcpd.conf</filename> file. Repeat this for each printer configured.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>authenticated connection</primary></indexterm>
+ Make an authenticated connection to the server using the <command>smbclient</command> tool:
+<screen>
+&rootprompt; smbclient //diamond/accounts -U gholmes
+Password: XXXXXXX
+smb: \> dir
+ . D 0 Thu Nov 27 15:07:09 2003
+ .. D 0 Sat Nov 15 17:40:50 2003
+ zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
+ zak.exe 6066384 Thu Nov 27 15:06:52 2003
+ dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
+ smb.conf 2131 Thu Nov 27 15:06:52 2003
+ initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
+ POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
+
+ 55974 blocks of size 65536. 33968 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>nmap</primary></indexterm>
+ Your new server is connected to an Internet accessible connection. Before you start
+ your firewall, you should run a port scanner against your system. You should repeat that
+ after the firewall has been started. This helps you understand what extent the
+ server may be vulnerable to external attack. One way you can do this is by using an
+ external service provided such as the <ulink url="http://www.dslreports.com/scan">DSL Reports</ulink>
+ tools. Alternately, if you can gain root-level access to a remote
+ UNIX/Linux system that has the <command>nmap</command> tool, you can run this as follows:
+<screen>
+&rootprompt; nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 6000/tcp
+Adding open port 873/tcp
+Adding open port 445/tcp
+Adding open port 10000/tcp
+Adding open port 901/tcp
+Adding open port 631/tcp
+Adding open port 25/tcp
+Adding open port 111/tcp
+Adding open port 32770/tcp
+Adding open port 3128/tcp
+Adding open port 53/tcp
+Adding open port 80/tcp
+Adding open port 443/tcp
+Adding open port 139/tcp
+Adding open port 22/tcp
+The Connect() Scan took 0 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1587 ports scanned but not shown below are in state: closed)
+Port State Service
+22/tcp open ssh
+25/tcp open smtp
+53/tcp open domain
+80/tcp open http
+111/tcp open sunrpc
+139/tcp open netbios-ssn
+443/tcp open https
+445/tcp open microsoft-ds
+631/tcp open ipp
+873/tcp open rsync
+901/tcp open samba-swat
+3128/tcp open squid-http
+6000/tcp open X11
+10000/tcp open snet-sensor-mgmt
+32770/tcp open sometimes-rpc3
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
+</screen>
+ The above scan was run before the external interface was locked down with the NAT-firewall
+ script you created above. The following results are obtained after the firewall rules
+ have been put into place:
+<screen>
+&rootprompt; nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 53/tcp
+Adding open port 22/tcp
+The Connect() Scan took 168 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1593 ports scanned but not shown below are in state: filtered)
+Port State Service
+22/tcp open ssh
+25/tcp closed smtp
+53/tcp open domain
+80/tcp closed http
+443/tcp closed https
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4appscfg">
+ <title>Application Share Configuration</title>
+
+ <para><indexterm>
+ <primary>application server</primary>
+ </indexterm><indexterm>
+ <primary>administrative installation</primary>
+ </indexterm>
+ The use of an application server is a key mechanism by which desktop administration overheads
+ can be reduced. Check the application manual for your software to identify how best to
+ create an administrative installation.
+ </para>
+
+ <para>
+ Some Windows software will only run locally on the desktop computer. Such software
+ is typically not suited for administrative installation. Administratively installed software
+ permits one or more of the following installation choices:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Install software fully onto a workstation, storing data files on the same workstation.
+ </para></listitem>
+
+ <listitem><para>
+ Install software fully onto a workstation with central network data file storage.
+ </para></listitem>
+
+ <listitem><para>
+ Install software to run off a central application server with data files stored
+ on the local workstation. This is often called a minimum installation, or a
+ network client installation.
+ </para></listitem>
+
+ <listitem><para>
+ Install software to run off a central application server with data files stored
+ on a central network share. This type of installation often prevents storage
+ of work files on the local workstation.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary></primary>
+ </indexterm>
+ A common application deployed in this environment is an office suite.
+ Enterprise editions of Microsoft Office XP Professional can be administratively installed
+ by launching the installation from a command shell. The command that achieves this is:
+ <command>setup /a</command>. It results in a set of prompts through which various
+ installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
+ Kit for more information regarding this mode of installation of MS Office XP Professional.
+ The full administrative installation of MS Office XP Professional requires approximately
+ 650 MB of disk space.
+ </para>
+
+ <para>
+ When the MS Office XP Professional product has been installed to the administrative network
+ share, the product can be installed onto a workstation by executing the normal setup program.
+ The installation process now provides a choice to either perform a minimum installation
+ or a full local installation. A full local installation takes over 100 MB of disk space.
+ A network workstation (minimum) installation requires typically 10-15 MB of
+ local disk space. In the later case, when the applications are used, they load over the network.
+ </para>
+
+ <para><indexterm>
+ <primary>Service Packs</primary>
+ </indexterm><indexterm>
+ <primary>Microsoft Office</primary>
+ </indexterm>
+ Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
+ it possible to update MS Office XP Professional for all users from a single installation
+ of the service pack and generally circumvents the need to run updates on each network
+ Windows client.
+ </para>
+
+ <para>
+ The default location for MS Office XP Professional data files can be set through registry
+ editing or by way of configuration options inside each Office XP Professional application.
+ </para>
+
+ <para><indexterm>
+ <primary>OpenOffice</primary>
+ </indexterm>
+ OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also
+ be installed to run off a network share. The latter is a most desirable solution for office-bound
+ network users and for administrative staff alike. It permits quick and easy updates
+ to be rolled out to all users with a minimum of disruption and with maximum flexibility.
+ </para>
+
+ <para>
+ The process for installation of administrative shared OpenOffice involves download of the
+ distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
+ When fully extracted using the un-zipping tool of your choosing, change into the Windows
+ installation files directory then execute <command>setup -net</command>. You are
+ prompted on screen for the target installation location. This is the administrative
+ share point. The full administrative OpenOffice share takes approximately 150 MB of disk
+ space.
+ </para>
+
+ <sect3>
+ <title>Comments Regarding Software Terms of Use</title>
+ <para>
+ Many single-user products can be installed into an administrative share, but
+ personal versions of products such as Microsoft Office XP Professional do not permit this.
+ Many people do not like terms of use typical with commercial products, so a few comments
+ regarding software licensing seem important and thus are included below.
+ </para>
+
+ <para>
+ Please do not use an administrative installation of proprietary and commercially licensed
+ software products to violate the copyright holders' property. All software is licensed,
+ particularly software that is licensed for use free of charge. All software is the property
+ of the copyright holder, unless the author and/or copyright holder has explicitly disavowed
+ ownership and has placed the software into the public domain.
+ </para>
+
+ <para>
+ Software that is under the GNU General Public License, like proprietary software, is
+ licensed in a way that restricts use. For example, if you modify GPL software and then
+ distribute the binary version of your modifications, you must offer to provide the source
+ code as well. This is a form of restriction that is designed to maintain the momentum
+ of the diffusion of technology and to protect against the withholding of innovations.
+ </para>
+
+ <para>
+ Commercial and proprietary software generally restrict use to those who have paid the
+ license fees and who comply with the licensee's terms of use. Software that is released
+ under the GNU General Public License is restricted to particular terms and conditions
+ also. Whatever the licensing terms may be, if you do not approve of the terms of use,
+ please do not use the software.
+ </para>
+
+ <para><indexterm>
+ <primary>GPL</primary>
+ </indexterm>
+ Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
+ with the source code.
+ </para>
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="ch4wincfg">
+ <title>Windows Client Configuration</title>
+
+ <para>
+ Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
+ to reinstall many of the notebook computers that will be recycled for use with the new network
+ configuration. The smartest way to handle the challenge of the roll-out program is to build
+ a staged system for each type of target machine, and then use an image replication tool such as Norton
+ Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
+ be done with notebook computers as long as they are identical or sufficiently similar.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration.
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ DHCP configures all Windows clients to use the WINS Server address that has been defined
+ for the local subnet.
+ </para></step>
+
+ <step><para>
+ Join the Windows Domain <constant>PROMISES</constant>. Use the Domain Administrator
+ user name <constant>root</constant> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <link linkend="domjoin"/>.
+ Reboot the machine as prompted and then logon using the Domain Administrator account
+ (<constant>root</constant>.
+ </para></step>
+
+ <step><para>
+ Verify <constant>DIAMOND</constant> is visible in <guimenu>My Network Places</guimenu>,
+ that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
+ <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
+ and that it is possible to open each share to reveal its contents.
+ </para></step>
+
+ <step><para>
+ Create a drive mapping to the <constant>apps</constant> share on the server <constant>DIAMOND</constant>.
+ </para></step>
+
+ <step><para>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you can choose to run applications over the network, correct?
+ </para></step>
+
+ <step><para>
+ Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as finger-print
+ scanners, and the like. Probably the most significant application for local installation
+ is anti-virus software.
+ </para></step>
+
+ <step><para>
+ Now install all four printers onto the staging system. The printers you install
+ include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
+ also configure identical printers that are located in the financial services department.
+ Install printers on each machine using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?,</quote> click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 6</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\DIAMOND\hplj6a</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers.
+ </para></step>
+ </procedure>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>defragmentation</primary>
+ </indexterm>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in an optimal condition before replication.
+ </para></step>
+
+ <step><para>
+ Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
+ machine to a network share on the server.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Windows security identifier</primary>
+ <see>SID</see>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm>
+ You may now replicate the image to the target machines using the appropriate Norton Ghost
+ procedure. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
+ </para></step>
+
+ <step><para>
+ Log onto the machine as the local Administrator (the only option), and join the machine to
+ the Domain following the procedure set out in <link linkend="domjoin"/>. The system is now
+ ready for the user to logon, providing you have created a network logon account for that
+ user, of course.
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using their assigned user name and password.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ How do you feel, Bob? You have built a capable network, a truly ambitious project.
+ Just as well, you have Christine to help you. Future network updates can be handled by
+ your staff. You must be a satisfied manager. Let's review the achievements.
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ A simple firewall has been configured to protect the server in the event that
+ the ISP firewall service should fail.
+ </para></listitem>
+
+ <listitem><para>
+ The Samba configuration uses measures to ensure that only local network users
+ can connect to SMB/CIFS services.
+ </para></listitem>
+
+ <listitem><para>
+ Samba uses the new <constant>tdbsam</constant> passdb backend facility.
+ Considerable complexity was added to Samba functionality.
+ </para></listitem>
+
+ <listitem><para>
+ A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
+ server.
+ </para></listitem>
+
+ <listitem><para>
+ The DNS server was configured to permit DDNS only for local network clients. This
+ server also provides primary DNS services for the company Internet presence.
+ </para></listitem>
+
+ <listitem><para>
+ You introduced an application server, as well as the concept of cloning a Windows
+ client in order to effect improved standardization of desktops and to reduce
+ the costs of network management.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ </para>
+
+ <qandaset defaultlabel="chap04qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the maximum number of account entries that the <parameter>tdbsam</parameter> passdb backend can handle?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The tdb data structure and support system can handle more entries than the number of accounts
+ that are possible on most UNIX systems. There is a practical limit that would come into play
+ long before a performance boundary would be anticipated. That practical limit is controlled
+ by the nature of Windows networking. There are few Windows file and print servers
+ that can handle more than a few hundred concurrent client connections. The key limiting factors
+ that predicate off-loading of services to additional servers are memory capacity, the number
+ of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by
+ just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation
+ of the network (distributing network load across multiple networks).
+ </para>
+ <para>
+ As the network grows, it becomes necessary to provide additional authentication servers (domain
+ controllers). The tdbsam is limited to a single machine and cannot be reliably replicated.
+ This means that practical limits on network design dictate the point at which a distributed
+ passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP).
+ </para>
+
+ <para>
+ The guideline provided in <emphasis>TOSHARG</emphasis>, Chapter 10, Section 10.1.2, is to limit the number of accounts
+ in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain
+ controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used
+ by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication
+ not on the limits<footnote>Bench tests have shown that tdbsam is a very effective database technology.
+ There is surprisingly little performance loss even with over 4000 users.</footnote> of the tdbsam backend itself.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Would Samba operate any better if the OS Level is set to a value higher than 35?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
+ of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
+ no gain to be had from setting this higher.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
+ a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
+ Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why has a path been specified in the <parameter>IPC$</parameter> share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
+ obtain access to the file system, it does so at a location that presents least risk. Under normal operation
+ this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why does the &smb.conf; file in this exercise include an entry for <smbconfoption><name>smb ports</name></smbconfoption>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
+ used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
+ over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
+ specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service connection attempts.
+ The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
+ member, the default behavior is highly beneficial and should not be changed.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the difference between a print queue and a printer?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ A printer is a physical device that is connected either directly to the network or to a computer
+ via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
+ hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a
+ single print data stream and block all secondary attempts to dispatch jobs concurrently to the
+ same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
+ it would result in a huge amount of network traffic through continually failing connection attempts.
+ </para>
+
+ <para>
+ A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
+ print requests. When the data stream has been fully received the input stream is closed,
+ the job is then submitted to a sequential print queue where the job is stored until
+ the printer is ready to receive the job.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can all MS Windows application software be installed onto an application server share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Much older Windows software is not compatible with installation to and execution off
+ an application server. Enterprise versions of Microsoft Office XP Professional can
+ be installed to an application server. Retail consumer versions of Microsoft Office XP
+ Professional do not permit installation to an application server share and can be installed
+ and used only to/from a local workstation hard disk.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why use dynamic DNS (DDNS)?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ When DDNS records are updated directly from the DHCP server, it is possible for
+ network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate
+ Windows clients via DNS.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why would you use WINS as well as DNS-based name resolution?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
+ a name like <quote>myhost.mydomain.tld,</quote> where <parameter>tld</parameter>
+ means <constant>top level domain</constant>. A FQDN is a long hand but easy to remember
+ expression that may be up to 1024 characters in length and that represents an IP address.
+ A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character
+ is a name type indicator. A specific name type is registered<footnote>
+ See <emphasis>TOSHARG</emphasis>, Chapter 9 for more information.</footnote> for each
+ type of service that is provided by the Windows server or client and that may be registered
+ where a WINS server is in use.
+ </para>
+
+ <para>
+ WINS is a mechanism by which a client may locate the IP Address that corresponds to a
+ NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
+ that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
+ that permits handling of the NetBIOS name type information.
+ </para>
+
+ <para>
+ DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
+ hostname or service name that has been registered in the DNS database for a particular domain.
+ A DNS server has limited scope of control and is said to be authoritative for the zone over
+ which it has control.
+ </para>
+
+ <para>
+ Windows 200x Active Directory requires the registration in the DNS zone for the domain it
+ controls of service locator<footnote>See TOSHARG, Chapter 9, Section 9.3.3</footnote> records
+ that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
+ requires the registration of special records that are called global catalog (GC) entries
+ and site entries by which domain controllers and other essential ADS servers may be located.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What are the major benefits of using an application server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The use of an application server can significantly reduce application update maintenance.
+ By providing a centralized application share, software updates need be applied to only
+ one location for all major applications used. This results in faster update roll-outs and
+ significantly better application usage control.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
diff --git a/docs/Samba-Guide/Chap05-500UserNetwork.xml b/docs/Samba-Guide/Chap05-500UserNetwork.xml
new file mode 100644
index 0000000000..3c679c1b09
--- /dev/null
+++ b/docs/Samba-Guide/Chap05-500UserNetwork.xml
@@ -0,0 +1,1996 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="Big500users">
+ <title>The 500-User Office</title>
+
+ <para>
+ The Samba-3 networking you explored in the previous chapter covers the finer points of
+ configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
+ implementation of a simple configuration of the services that are important adjuncts
+ to successful deployment of Samba.
+ </para>
+
+ <para>
+ An analysis of the history of postings to the Samba mailing list easily demonstrates
+ that the two most prevalent Samba problem areas are:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Defective resolution of a NetBIOS name to its IP address
+ </para></listitem>
+
+ <listitem><para>
+ Printing problems
+ </para></listitem>
+
+ </itemizedlist>
+
+ <para>
+ The next chapter deals with more complex printing configurations. The exercises
+ so far in this book have focused on implementation of the simplest printing processes
+ involving no print job processing intelligence. In this chapter, you maintain
+ that same approach to printing, but in the following chapter, there is an opportunity
+ to make printing more complex for the administrator while making it easier for the user.
+ </para>
+
+ <para><indexterm>
+ <primary>WINS server</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm>
+ The previous chapter demonstrates operation of a DHCP server and a DNS server,
+ as well as a central WINS server. You validated the operation of these services and
+ saw an effective implementation of a Samba Domain Controller using the
+ <parameter>tdbsam</parameter> passdb backend.
+ </para>
+
+ <para>
+ The objective of this chapter is to introduce more complex techniques that can be used to
+ improve manageability of Samba as networking needs grow. In this chapter, you implement
+ a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
+ WINS server, and a centralized Samba Domain Controller.
+ </para>
+
+ <para>
+ A note of caution is important regarding the Samba configuration that is used in this
+ chapter. The use of a single Domain Controller on a routed, multi-segment network is
+ a poor design choice that leads to potential network user complaints. As stated
+ in the paragraph above, the objective in this chapter is to demonstrate some successful
+ techniques in deployment and configuration management. This should be viewed as a
+ foundation chapter for complex Samba deployments.
+ </para>
+
+ <para>
+ As you master the techniques presented here, you may find much better methods to
+ improve network management and control while reducing human resource overheads.
+ You should take the opportunity to innovate and expand on the methods presented
+ here and explore them to the fullest.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Business continues to go well for Abmas. Mr. Meany is driving your success and the
+ network continues to grow thanks to the hard work Christine has done. You recently
+ hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan
+ to the role. She told you Stan is so good at handling Samba that he can make a cast
+ iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
+ need skills like his. Christine and Stan get along just fine. Let's see what
+ you can get out of this pair as they plot the next generation networks.
+ </para>
+
+ <para>
+ Ten months ago Abmas closed an acquisition of a property insurance business. The
+ founder lost interest in the business and decided to sell it to Mr. Meany.
+ Because they were former university classmates, the purchase was concluded with mutual assent. The
+ acquired business is located at the other end of town in much larger facilities.
+ The old Abmas building has become too small. Located on the same campus as the
+ newly acquired business are two empty buildings that are ideal to provide
+ Abmas with opportunity for growth.
+ </para>
+
+ <para>
+ Abmas has now completed the purchase of the two empty buildings and you are
+ to install a new network and relocate staff in nicely furnished new facilities.
+ The new network is to be used to fully integrate company operations. You have
+ decided to locate the new network operations control center in the larger building
+ in which the insurance group is located to take advantage of an ideal floor space
+ and to allow Stan and Christine to fully stage the new network and test it before
+ it is rolled out. Your strategy is to complete the new network so that it
+ is ready for operation when the old office moves into the new premises.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ The acquired business had 280 network users. The old Abmas building housed
+ 220 network users in unbelievably cramped conditions. The network that
+ initially served 130 users now handles 220 users quite well.
+ </para>
+
+ <para>
+ The two businesses will be fully merged to create a single campus company.
+ The Property Insurance Group (PIG) houses 300 employees, the new Accounting
+ Services Group (ASG) will be in a small building (BLDG1) that houses 50
+ employees, and the Financial Services Group (FSG) will be housed in a large
+ building that has capacity for growth (BLDG2). Building 2 houses 150 network
+ users.
+ </para>
+
+ <para>
+ You have decided to connect the building using fiber optic links between new
+ routers. As a backup, the buildings are interconnected using line-of-sight
+ high-speed infrared facilities. The infrared connection provides a
+ secondary route to be used during periods of high demand for network
+ bandwidth.
+ </para>
+
+ <para>
+ The Internet gateway is upgraded to 15 Megabit/sec service. Your ISP
+ provides on your premises a fully managed Cisco PIX firewall. You no longer need
+ to worry about firewall facilities on your network.
+ </para>
+
+ <para>
+ Stanley Soroka and Christine have purchased new server hardware. Christine wants to
+ roll out a network that has whistles and bells. Stan wants to start off with
+ a simple to manage, not-too-complex network. He is of the opinion that network
+ users need to be gradually introduced to new features and capabilities and not
+ rushed into an environment that may cause disorientation and loss of productivity.
+ </para>
+
+ <para>
+ Your intrepid network team has decided to implement a network configuration
+ that closely mirrors the successful system you installed in the old Abmas building.
+ The new network infrastructure is owned by Abmas, but all desktop systems
+ are being procured through a new out-source services and leasing company. Under
+ the terms of a deal with Mr. M. Proper (CEO), DirectPointe Inc., provides
+ all desktop systems and includes full level-one Help desk support for
+ a flat per-machine monthly fee. The deal allows you to add workstations on demand.
+ This frees Stan and Christine to deal with deeper issues as they emerge and
+ permits Stan to work on creating new future value-added services.
+ </para>
+
+ <para>
+ DirectPointe Inc. receives from you a new standard desktop configuration
+ every four months. They automatically roll that out to each desktop system.
+ You must keep DirectPointe informed of all changes.
+ </para>
+
+ <para><indexterm>
+ <primary>PDC</primary>
+ </indexterm>
+ The new network has a single Samba Domain Controller (PDC) located in the
+ Network Operation Center (NOC). Buildings 1 and 2 each have a local server
+ for local application servicing. It is a Domain Member. The new system
+ uses the <parameter>tdbsam</parameter> passdb backend.
+ </para>
+
+ <para>
+ Printing is based on raw pass-through facilities as it has been used so far.
+ All printer drivers are installed on the desktop and notebook computers.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>network load factors</primary></indexterm>
+ The example you are building in this chapter is an example of a network design that works,
+ but this does not make it a design that is recommended. As a general rule, there should
+ be at least one Backup Domain Controller per 50 Windows network clients. The principle behind
+ this recommendation is the fact that correct operation of MS Windows clients requires rapid
+ network response to all SMB/CIFS requests. The same rule says that if there are more than
+ 50 clients per Domain Controller they are too busy to service requests. Let's put such
+ rules aside and recognize that network load affects the integrity of Domain Controller
+ responsiveness. This network will have 500 clients serviced by one central Domain
+ Controller. This is not a good omen for user satisfaction. You, of course, address this
+ very soon (see next chapter).
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ Stan has talked you into a horrible compromise, but it is addressed. Just make
+ certain that the performance of this network is well validated before going live.
+ </para>
+
+ <para>
+ Design decisions made in this design include:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ <indexterm><primary>PDC</primary></indexterm>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <indexterm><primary>identity management</primary></indexterm>
+ A single Primary Domain Controller (PDC) is being implemented. This limitation
+ is based on the choice not to use LDAP. Many network administrators fear using
+ LDAP based on the perceived complexity of implementation and management of an
+ LDAP-based backend for all user identity management as well as to store network
+ access credentials.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>BDC</primary></indexterm>
+ <indexterm><primary>machine secret password</primary></indexterm>
+ Because of the refusal to use an LDAP (ldapsam) passdb backend at this time,
+ the only choice that makes sense with 500 users is to use the tdbsam passwd backend.
+ This type of backend is not receptive to replication to Backup Domain Controllers.
+ If the tdbsam <filename>passdb.tdb</filename> file is replicated to Backup Domain
+ Controllers (BDCs) using <command>rsync</command>, there are two potential problems:
+ 1) Data that is in memory but not yet written to disk will not be replicated,
+ and 2) Domain Member machines periodically change the secret machine password. When
+ this happens, there is no mechanism to return the changed password to the PDC.
+ </para></listitem>
+
+ <listitem><para>
+ All Domain user, group, and machine accounts are managed on the PDC. This makes
+ for a simple mode of operation, but has to be balanced with network performance and
+ integrity of operations considerations.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>WINS</primary></indexterm>
+ A single central WINS server is being used. The PDC is also the WINS server.
+ Any attempt to operate a routed network without a WINS server while using NetBIOS
+ over TCP/IP protocols does not work unless on each client the name resolution
+ entries for the PDC are added to the <filename>LMHOSTS</filename>. This file is
+ normally located on the Windows XP Professional client in the
+ <filename>C:\WINDOWS\SYSTEM32\ETC\DRIVERS</filename> directory.
+ </para></listitem>
+
+ <listitem><para>
+ At this time the Samba WINS database is not capable of being replicated. That is
+ why a single WINS server is being implemented. This should work without a problem.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>winbindd</primary></indexterm>
+ Backup Domain Controllers make use of <command>winbindd</command> to provide
+ access to Domain security credentials for file system access and object storage.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>DHCP</primary><secondary>relay</secondary></indexterm>
+ <indexterm><primary>DHCP</primary><secondary>requests</secondary></indexterm>
+ Configuration of Windows XP Professional clients is achieved using DHCP. Each
+ subnet has its own DHCP server. Backup DHCP serving is provided by one
+ alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
+ all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
+ network directed at the backup DHCP server.
+ </para></listitem>
+
+ <listitem><para>
+ All network users are granted the ability to print to any printer that is network
+ attached. All printers are available from each server. Print jobs that are spooled
+ to a printer that is not on the local network segment are automatically routed to
+ the print spooler that is in control of that printer. The specific details of how this
+ might be done is demonstrated for one example only.
+ </para></listitem>
+
+ <listitem><para>
+ The network address and sub-netmask chosen provide 1022 usable IP addresses in
+ each subnet. If in the future more addresses are required, it would make sense
+ to add further subnets rather than change addressing.
+ </para></listitem>
+
+ </itemizedlist>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ This case gets close to the real world. You and I know the right way to implement
+ Domain Control. Politically, we have to navigate a mine field. In this case, the need is to
+ get the PDC rolled out in compliance with expectations and also to be ready to save the day
+ by having the real solution ready before it is needed. That real solution is presented in
+ the next chapter.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para>
+ The following configuration process begins following installation of Red Hat Linux 9.0 on the
+ three servers shown in the network topology diagram in <link linkend="chap05net"/>. You have
+ selected hardware that is appropriate to the task.
+ </para>
+
+ <image id="chap05net">
+ <description>Network Topology &smbmdash; 500 User Network Using tdbsam passdb backend.</description>
+ <imagefile scale="80">chap5-net.png</imagefile>
+ </image>
+
+ <sect2 id="ch5-dnshcp-setup">
+ <title>Installation of DHCP, DNS, and Samba Control Files</title>
+
+ <para>
+ Carefully install the configuration files into the correct locations as shown in
+ <link linkend="ch5-filelocations"/>. You should validate that the full file path is
+ correct as shown.
+ </para>
+
+ <para>
+ The abbreviation shown in this table as <constant>{VLN}</constant> means
+ the directory location beginning with <filename>/var/lib/named</filename>.
+ </para>
+
+
+ <table id="ch5-filelocations"><title>Domain: <constant>MEGANET</constant>, File Locations for Servers</title>
+ <tgroup cols="5">
+ <colspec colname='c1' align="left"/>
+ <colspec colname='c2' align="left"/>
+ <colspec colname='c3' align="center"/>
+ <colspec colname='c4' align="center"/>
+ <colspec colname='c5' align="center"/>
+ <thead>
+ <row>
+ <entry align="center" namest='c1' nameend='c2'>File Information</entry>
+ <entry align="center" namest="c3" nameend="c5">Server Name</entry>
+ </row>
+ <row>
+ <entry align="center">Source</entry>
+ <entry align="center">Target Location</entry>
+ <entry align="center">MASSIVE</entry>
+ <entry align="center">BLDG1</entry>
+ <entry align="center">BLDG2</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><link linkend="ch5-massivesmb"/></entry>
+ <entry><filename>/etc/samba/smb.conf</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="ch5-dc-common"/></entry>
+ <entry><filename>/etc/samba/dc-common.conf</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="ch5-commonsmb"/></entry>
+ <entry><filename>/etc/samba/common.conf</filename></entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="ch5-bldg1-smb"/></entry>
+ <entry><filename>/etc/samba/smb.conf</filename></entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="ch5-bldg2-smb"/></entry>
+ <entry><filename>/etc/samba/smb.conf</filename></entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="ch5-dommem-smb"/></entry>
+ <entry><filename>/etc/samba/dommem.conf</filename></entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="massive-dhcp"/></entry>
+ <entry><filename>/etc/dhcpd.conf</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="bldg1dhcp"/></entry>
+ <entry><filename>/etc/dhcpd.conf</filename></entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="bldg2dhcp"/></entry>
+ <entry><filename>/etc/dhcpd.conf</filename></entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="massive-nameda"/></entry>
+ <entry><filename>/etc/named.conf (part A)</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="massive-namedb"/></entry>
+ <entry><filename>/etc/named.conf (part B)</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="massive-namedc"/></entry>
+ <entry><filename>/etc/named.conf (part C)</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasbizdns"/></entry>
+ <entry><filename>{VLN}/master/abmas.biz.hosts</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasusdns"/></entry>
+ <entry><filename>{VLN}/master/abmas.us.hosts</filename></entry>
+ <entry>Yes</entry>
+ <entry>No</entry>
+ <entry>No</entry>
+ </row>
+ <row>
+ <entry><link linkend="bldg12nameda"/></entry>
+ <entry><filename>/etc/named.conf (part A)</filename></entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="bldg12namedb"/></entry>
+ <entry><filename>/etc/named.conf (part B)</filename></entry>
+ <entry>No</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="loopback"/></entry>
+ <entry><filename>{VLN}/localhost.zone</filename></entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="dnsloopy"/></entry>
+ <entry><filename>{VLN}/127.0.0.zone</filename></entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ <row>
+ <entry><link linkend="roothint"/></entry>
+ <entry><filename>{VLN}/root.hint</filename></entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ <entry>Yes</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </sect2>
+
+ <sect2>
+ <title>Server Preparation &smbmdash; All Servers</title>
+
+ <para>
+ The following steps apply to all servers. Follow each step carefully.
+ </para>
+
+ <procedure>
+ <step><para>
+ Using the UNIX/Linux system tools, set the name of the server as shown in the network
+ topology diagram in <link linkend="chap05net"/>. For SUSE Linux products, the tool
+ that permits this is called <command>yast2</command>; for Red Hat Linux products,
+ you can use the <command>netcfg</command> tool.
+ Verify that your hostname is correctly set by running:
+<screen>
+&rootprompt; uname -n
+</screen>
+ An alternate method to verify the hostname is:
+<screen>
+&rootprompt; hostname -f
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
+ <primary>named</primary>
+ </indexterm>
+ Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system is able to resolve all its own names to the IP address prior to
+ startup of the DNS server. You should check the startup order of your system. If the
+ CUPS print server is started before the DNS server (<command>named</command>), you
+ should also include an entry for the printers in the <filename>/etc/hosts</filename> file.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/resolv.conf</primary></indexterm>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <filename>/etc/resolv.conf</filename> so it has the following
+ content:
+<screen>
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+</screen>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses.
+ </para></step>
+
+
+ <step><para>
+ <indexterm><primary>administrator</primary></indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Add the <constant>root</constant> user to the password backend as follows:
+<screen>
+&rootprompt; smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+&rootprompt;
+</screen>
+ The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>username map</primary></indexterm><indexterm>
+ <primary>/etc/samba/smbusers</primary>
+ </indexterm>
+ Create the username map file to permit the <constant>root</constant> account to be called
+ <constant>Administrator</constant> from the Windows network environment. To do this, create
+ the file <filename>/etc/samba/smbusers</filename> with the following contents:
+<screen>
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</screen>
+ </para></step>
+
+ <step><para>
+ Configure all network attached printers to have a fixed IP address.
+ </para></step>
+
+ <step><para>
+ Create an entry in the DNS database on the server <constant>MASSIVE</constant>
+ in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
+ and in the reverse lookup database for the network segment that the printer is
+ located in. Example configuration files for similar zones were presented in
+ <link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
+ </para></step>
+
+ <step><para>
+ Follow the instructions in the printer manufacturer's manuals to permit printing
+ to port 9100. Use any other port the manufacturer specifies for direct mode,
+ raw printing. This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
+ Only on the server to which the printer is attached configure the CUPS Print
+ Queues as follows:
+<screen>
+&rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This step creates the necessary print queue to use no assigned print filter. This
+ is ideal for raw printing, i.e., printing without use of filters.
+ The name <parameter>printque</parameter> is the name you have assigned for
+ the particular printer.
+ </para></step>
+
+ <step><para>
+ Print queues may not be enabled at creation. Make certain that the queues
+ you have just created are enabled by executing the following:
+<screen>
+&rootprompt; /usr/bin/enable <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ Even though your print queue may be enabled, it is still possible that it
+ does not accept print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queue is
+ set to accept incoming jobs by executing the following command:
+<screen>
+&rootprompt; /usr/bin/accept <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ Refer to the CUPS printing manual for instructions regarding how to configure
+ CUPS so that print queues that reside on CUPS servers on remote networks
+ route print jobs to the print server that owns that queue. The default setting
+ on your CUPS server may automatically discover remotely installed printers and
+ may permit this functionality without requiring specific configuration.
+ </para></step>
+
+ <step><para>
+ As part of the rollout program, you need to configure the application's
+ server shares. This can be done once on the central server and may then be
+ replicated using a tool such as <command>rsync</command>. Refer to the man
+ page for <command>rsync</command> for details regarding use. The notes in
+ <link linkend="ch4appscfg"/> may help in your decisions to use an application
+ server facility.
+ </para></step>
+
+ </procedure>
+
+ <note><para>
+ Logon scripts that are run from a Domain Controller (PDC or BDC) are capable of using semi-intelligent
+ processes to auto-map Windows client drives to an application server that is nearest to the client. This
+ is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
+ as elegantly as you see in the next chapter.
+ </para></note>
+
+ </sect2>
+
+ <sect2>
+ <title>Server Specific Preparation</title>
+
+ <para>
+ There are some steps that apply to particular server functionality only. Each step is critical
+ to correct server operation.
+ </para>
+
+ <sect3>
+ <title>Configuration for Server: <constant>MASSIVE</constant></title>
+
+ <procedure>
+ <step><para>
+ <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
+ <indexterm><primary>IP forwarding</primary></indexterm>
+ The host server acts as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
+ achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
+<screen>
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</screen>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
+ that command manually also. This setting permits the Linux system to act as a router.
+ </para></step>
+
+ <step><para>
+ This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet,
+ and the other to a local network that has a router that is the gateway to the remote networks.
+ You must, therefore, configure the server with route table entries so that it can find machines
+ on the remote networks. You can do this using the appropriate system tools for your Linux
+ server or using static entries that you place in one of the system startup files. It is best
+ to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
+ best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
+ this is best done using the graphical system configuration tools (see the Red Hat documentation).
+ An example of how this may be done manually is as follows:
+<screen>
+&rootprompt; route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
+&rootprompt; route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
+</screen>
+ If you just execute these commands manually, the route table entries you have created are
+ not persistent across system reboots. You may add these commands directly to the local
+ startup files as follows: (SUSE) <filename>/etc/rc.d/boot.local</filename>, (Red Hat)
+ <filename>/etc/rc.d/init.d/rc.local</filename>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+<screen>
+hosts: files dns wins
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>initGrps.sh</primary></indexterm>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <link linkend="ch5-initgrps"/>. Create a file containing this script. You called yours
+ <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed
+ and then execute the script. An example of the execution of this script as well as its
+ validation are shown in Chapter 4, Section 4.3.2, Step 5.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account and use the Samba
+ <command>smbpasswd</command> to create a Domain user account.
+ </para>
+
+ <para>
+ <indexterm><primary>useradd</primary></indexterm>
+ <indexterm><primary>adduser</primary></indexterm>
+ <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
+ There are a number of tools for user management under UNIX. Commonly known ones include:
+ <command>useradd, adduser</command>. In addition to these, there is a plethora of custom
+ tools. With the tool of your choice, create a home directory for each user.
+ </para></step>
+
+ <step><para>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control based on UNIX group membership.
+ </para></step>
+
+ <step><para>
+ Create the directory mount point for the disk sub-system that is to be mounted to provide
+ data storage for company files. In this case, the mount point indicated in the &smb.conf;
+ file is <filename>/data</filename>. Format the file system as required and mount the formatted
+ file system partition using appropriate system tools.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>file system</primary>
+ <secondary>permissions</secondary></indexterm>
+ Create the top-level file storage directories for data and applications as follows:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs,pidata}
+&rootprompt; mkdir -p /apps
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R root.root /apps
+&rootprompt; chown -R bjordan.accounts /data/accounts
+&rootprompt; chown -R bjordan.finsvcs /data/finsvcs
+&rootprompt; chown -R bjordan.finsvcs /data/pidata
+&rootprompt; chmod -R ug+rwxs,o-rwx /data
+&rootprompt; chmod -R ug+rwx,o+rx-w /apps
+</screen>
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
+ The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
+ The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
+ that provides the application server infrastructure.
+ </para></step>
+
+ <step><para>
+ The &smb.conf; file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential
+ since desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 Megabytes of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+<screen>
+&rootprompt; mkdir -p /var/spool/samba
+&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+&rootprompt; chown -R root.root /var/spool/samba
+&rootprompt; chown -R root.root /var/lib/samba
+&rootprompt; chmod a+rwxt /var/spool/samba
+</screen>
+ For each user account that is created on the system, the following commands should be
+ executed:
+<screen>
+&rootprompt; mkdir /var/lib/samba/profiles/'username'
+&rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
+&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</screen>
+ </para></step>
+
+ <step><para>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<constant>unxi2dos</constant> and <constant>dos2unix</constant>) are installed.
+ First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
+ with the following contents:
+<screen>
+net time \\massive /set /yes
+net use h: /home
+</screen>
+ Convert the UNIX file to a DOS file as follows:
+<screen>
+&rootprompt; dos2unix &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ &gt; /var/lib/samba/netlogon/scripts/logon.bat
+</screen>
+ </para></step>
+
+ <step><para>
+ There is one preparatory step without which you cannot have a working Samba network
+ environment. You must add an account for each network user. You can do this by executing
+ the following steps for each user:
+<screen>
+&rootprompt; useradd -m <parameter>username</parameter>
+&rootprompt; passwd <parameter>username</parameter>
+Changing password for <parameter>username</parameter>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+&rootprompt; smbpasswd -a <parameter>username</parameter>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <parameter>username</parameter>.
+</screen>
+ You do, of course, use a valid user login ID in place of <parameter>username</parameter>.
+ </para></step>
+
+ <step><para>
+ Follow the processes shown in <link linkend="ch5-procstart"/> to start all services.
+ </para></step>
+
+ <step><para>
+ Your server is ready for validation testing. Do not proceed with the steps in
+ <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
+ validated following the same methods as outlined in <link linkend="ch4valid"/>.
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ <sect3 id="ch5-domsvrspec">
+ <title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
+
+ <procedure>
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+<screen>
+passwd: files winbind
+group: files winbind
+hosts: files dns wins
+</screen>
+ </para></step>
+
+ <step><para>
+ Follow the steps outlined in <link linkend="ch5-procstart"/> to start all services. Do not
+ start Samba at this time. Samba is controlled by the process called <command>smb</command>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm>
+ At this time, you must now attempt to join the Domain Member servers to the Domain. The following
+ instructions should be executed to effect this:
+<screen>
+&rootprompt; net rpc join
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>service</primary>
+ <secondary>smb</secondary>
+ <tertiary>start</tertiary>
+ </indexterm>
+ You now start the Samba services by executing:
+<screen>
+&rootprompt; service smb start
+</screen>
+ </para></step>
+
+ <step><para>
+ Your server is ready for validation testing. Do not proceed with the steps in
+ <link linkend="ch5-domsvrspec"/> until after the operation of the server has been
+ validated following the same methods as outlined in <link linkend="ch4valid"/>.
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ </sect2>
+
+<!-- One -->
+<smbconfexample id="ch5-massivesmb">
+<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/smb.conf</filename></title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
+<smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
+<smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
+<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
+<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
+<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
+<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
+<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
+<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd -s /bin/false -d /dev/null %u</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>include</name><value>/etc/samba/dc-common.conf</value></smbconfoption>
+
+<smbconfsection>[IPC$]</smbconfsection>
+<smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
+<smbconfoption><name>hosts allow</name><value>172.16.0.0/16, 127.0.0.1</value></smbconfoption>
+<smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[pidata]</smbconfsection>
+<smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<!-- Two -->
+<smbconfexample id="ch5-dc-common">
+<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/dc-common.conf</filename></title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\%L\profiles\%U</value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>logon home</name><value>\%L\%U</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>locking</name><value>No</value></smbconfoption>
+
+<smbconfsection>[profiles]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+</smbconfexample>
+
+<!-- Three -->
+<smbconfexample id="ch5-commonsmb">
+<title>Common Samba Configuration File: <filename>/etc/samba/common.conf</filename></title>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+<smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
+<smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
+<smbconfoption><name>include</name><value> </value></smbconfoption>
+
+<smbconfcomment>Share and Service Definitions are common to all servers</smbconfcomment>
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[apps]</smbconfsection>
+<smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>include</name><value></value></smbconfoption>
+</smbconfexample>
+
+<!-- Four -->
+<smbconfexample id="ch5-bldg1-smb">
+<title>Server: BLDG1 (Member), File: smb.conf</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
+<smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
+</smbconfexample>
+
+<!-- Five -->
+<smbconfexample id="ch5-bldg2-smb">
+<title>Server: BLDG2 (Member), File: smb.conf</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MEGANET</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
+<smbconfoption><name>include</name><value>/etc/samba/dom-mem.conf</value></smbconfoption>
+</smbconfexample>
+
+<!-- Six -->
+<smbconfexample id="ch5-dommem-smb">
+<title>Common Domain Member Include File: dom-mem.conf</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>15000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>15000-20000</value></smbconfoption>
+<smbconfoption><name>include</name><value>/etc/samba/common.conf</value></smbconfoption>
+</smbconfexample>
+
+<!-- Seven -->
+<example id="massive-dhcp">
+<title>Server: MASSIVE, File: dhcpd.conf</title>
+<screen>
+# Abmas Accounting Inc. - Chapter 5/MASSIVE
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style ad-hoc;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.1.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.1.0 172.16.2.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.0.1, 172.16.0.128;
+ allow unknown-clients;
+ }
+subnet 172.16.4.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.7.0 172.16.7.254;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 172.16.8.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.11.0 172.16.11.254;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
+</screen>
+</example>
+
+<!-- Eight -->
+<example id="bldg1dhcp">
+<title>Server: BLDG1, File: dhcpd.conf</title>
+<screen>
+# Abmas Accounting Inc. - Chapter 5/BLDG1
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style ad-hoc;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.1.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.3.0 172.16.2.254;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.0.1, 172.16.0.128;
+ allow unknown-clients;
+ }
+subnet 172.16.4.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.5.0 172.16.6.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.4.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</screen>
+</example>
+
+<!-- Nine -->
+<example id="bldg2dhcp">
+<title>Server: BLDG2, File: dhcpd.conf</title>
+<screen>
+# Abmas Accounting Inc. - Chapter 5/BLDG1
+
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+ddns-updates on;
+ddns-update-style ad-hoc;
+
+option ntp-servers 172.16.0.1;
+option domain-name "abmas.biz";
+option domain-name-servers 172.16.0.1, 172.16.4.1;
+option netbios-name-servers 172.16.0.1;
+option netbios-node-type 8;
+
+subnet 172.16.8.0 netmask 255.255.252.0 {
+ range dynamic-bootp 172.16.9.0 172.16.10.255;
+ option subnet-mask 255.255.252.0;
+ option routers 172.16.8.128;
+ allow unknown-clients;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</screen>
+</example>
+
+<!-- Ten -->
+<example id="massive-nameda">
+<title>Server: MASSIVE, File: named.conf, Part: A</title>
+<screen>
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ 123.45.54.32;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 172.16.0.0/24;
+ 172.16.4.0/24;
+ 172.16.8.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+}
+</screen>
+</example>
+
+<!-- Eleven -->
+<example id="massive-namedb">
+<title>Server: MASSIVE, File: named.conf, Part: B</title>
+<screen>
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ all;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</screen>
+</example>
+
+<!-- Twelve -->
+<example id="massive-namedc">
+<title>Server: MASSIVE, File: named.conf, Part: C</title>
+<screen>
+zone "0.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.0.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "4.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.4.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "8.16.172.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/172.16.8.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+</screen>
+</example>
+
+<!-- Thirteen -->
+<example id="abmasbizdns">
+<title>Forward Zone File: abmas.biz.hosts</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS massive.abmas.biz.
+ NS bldg1.abmas.biz.
+ NS bldg2.abmas.biz.
+ MX 10 massive.abmas.biz.
+$ORIGIN abmas.biz.
+massive A 172.16.0.1
+router0 A 172.16.0.128
+bldg1 A 172.16.4.1
+router4 A 172.16.4.128
+bldg2 A 172.16.8.1
+router8 A 172.16.8.128
+</screen>
+</example>
+
+<!-- Forteen -->
+<example id="abmasusdns">
+<title>Forward Zone File: abmas.biz.hosts</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 server.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
+</screen>
+</example>
+
+<!-- Fifteen -->
+<example id="bldg12nameda">
+<title>Servers: BLDG1/BLDG2, File: named.conf, Part: A</title>
+<screen>
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 172.16.0.1;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 172.16.0.0/24;
+ 172.16.4.0/24;
+ 172.16.8.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+}
+</screen>
+</example>
+
+<!-- Sixteen -->
+<example id="bldg12namedb">
+<title>Servers: BLDG1/BLDG2, File: named.conf, Part: B</title>
+<screen>
+zone "abmas.biz" {
+ type slave;
+ file "/var/lib/named/slave/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "0.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/slave/master/172.16.0.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "4.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/named/slave/172.16.4.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+
+zone "8.16.172.in-addr.arpa" {
+ type slave;
+ file "/var/lib/named/slave/172.16.8.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+};
+</screen>
+</example>
+
+
+<!-- Seventeen -->
+<example id="ch5-initgrps">
+<title>Initialize Groups Script, File: /etc/samba/initGrps.sh</title>
+<screen>
+#!/bin/bash
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+groupadd piops
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
+</screen>
+</example>
+
+<!-- End of Examples -->
+
+ <sect2 id="ch5-procstart">
+ <title>Process Startup Configuration</title>
+
+ <para>
+ <indexterm><primary>chkconfig</primary></indexterm><indexterm>
+ <primary>daemon control</primary>
+ </indexterm>
+ There are two essential steps to process startup configuration. A process
+ must be configured so that it is automatically restarted each time the server
+ is rebooted. This step involves use of the <command>chkconfig</command> tool that
+ created appropriate symbolic links from the master daemon control file that is
+ located in the <filename>/etc/rc.d</filename> directory to the <filename>/etc/rc'x'.d</filename>
+ directories. Links are created so that when the system run-level is changed, the
+ necessary start or kill script is run.
+ </para>
+
+ <para>
+ <indexterm><primary>/etc/xinetd.d</primary></indexterm>
+ In the event that a service is provided not as a daemon but via the inter-networking
+ super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
+ tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
+ and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
+ re-read its control files.
+ </para>
+
+ <para>
+ Last, each service must be started to permit system validation to proceed.
+ </para>
+
+ <procedure>
+ <step><para>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example:
+ <indexterm><primary>chkconfig</primary></indexterm>
+<screen>
+&rootprompt; chkconfig dhpc on
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig cups on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig swat on
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting dhcpd</primary></indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting CUPS</primary></indexterm>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+<screen>
+&rootprompt; service dhcp restart
+&rootprompt; service named restart
+&rootprompt; service cups restart
+&rootprompt; service smb restart
+&rootprompt; service swat restart
+</screen>
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch5wincfg">
+ <title>Windows Client Configuration</title>
+
+ <para>
+ The procedure for desktop client configuration for the network in this chapter is similar to
+ that used for the previous one. There are a few subtle changes that should be noted.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration.
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ DHCP configures all Windows clients to use the WINS Server address that has been defined
+ for the local subnet.
+ </para></step>
+
+ <step><para>
+ Join the Windows Domain <constant>MEGANET</constant>. Use the Domain Administrator
+ user name <constant>root</constant> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <link linkend="domjoin"/>.
+ Reboot the machine as prompted and then logon using the Domain Administrator account
+ (<constant>root</constant>).
+ </para></step>
+
+ <step><para>
+ Verify that the server called <constant>MEGANET</constant> is visible in <guimenu>My Network Places</guimenu>,
+ that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
+ <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
+ and that it is possible to open each share to reveal its contents.
+ </para></step>
+
+ <step><para>
+ Create a drive mapping to the <constant>apps</constant> share on a server. At this time, it does
+ not particularly matter which application server is used. It is necessary to manually
+ set a persistent drive mapping to the local applications server on each workstation at the time of
+ installation. This step is avoided by the improvements to the design of the network configuration
+ in the next chapter.
+ </para></step>
+
+ <step><para>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you choose to run applications over the network, correct?
+ </para></step>
+
+ <step><para>
+ Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as fingerprint
+ scanners, and the like. Probably the most significant application to be locally installed
+ is anti-virus software.
+ </para></step>
+
+ <step><para>
+ Now install all four printers onto the staging system. The printers you install
+ include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
+ also configure use of the identical printers that are located in the financial services department.
+ Install printers on each machine using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 6</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\BLDG1\hplj6a</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers. Remember to install all
+ printers, but to set the destination port for each to the server on the
+ local network. For example, a workstation in the Accounting group should
+ have all printers directed at the server <constant>BLDG1</constant>.
+ You may elect to point all desktop workstation configurations at the
+ server called <constant>MASSIVE</constant> and then in your deployment
+ procedures, it would be wise to document the need to redirect the printer
+ configuration (as well as the applications server drive mapping) to the
+ server on the network segment on which the workstation is to be located.
+ </para></step>
+ </procedure>
+ </para></step>
+
+ <step><para>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system, and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in an optimal condition before replication.
+ </para></step>
+
+ <step><para>
+ Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
+ machine to a network share on the server.
+ </para></step>
+
+ <step><para>
+ You may now replicate the image using the appropriate Norton Ghost procedure to the target
+ machines. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
+ </para></step>
+
+ <step><para>
+ Log onto the machine as the local Administrator (the only option), and join the machine to
+ the Domain following the procedure set out in <link linkend="domjoin"/>. You must now set the
+ persistent drive mapping to the applications server that the user is to use. The system is now
+ ready for the user to logon, providing you have created a network logon account for that
+ user, of course.
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using their assigned user name and password.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ The network you have just deployed has been a valuable exercise in forced constraint.
+ You have deployed a network that works well, although you may soon start to see
+ performance problems, at which time the modifications demonstrated in the following
+ chapter bring the network to life. The following key learning points were experienced:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ The power of using &smb.conf; include files
+ </para></listitem>
+
+ <listitem><para>
+ Use of a single PDC over a routed network
+ </para></listitem>
+
+ <listitem><para>
+ Joining a Samba-3 Domain Member server to a Samba-3 Domain
+ </para></listitem>
+
+ <listitem><para>
+ Configuration of winbind to use Domain Users and Groups for Samba access
+ to resources on the Domain Member servers
+ </para></listitem>
+
+ <listitem><para>
+ The introduction of roaming profiles
+ </para></listitem>
+
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ </para>
+
+ <qandaset defaultlabel="chap01qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ The example &smb.conf; files in this chapter make use of the <parameter>include</parameter> facility.
+ How may I get to see what the actual working &smb.conf; settings are?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ You may readily see the net compound effect of the included files by running:
+<screen>
+&rootprompt; testparm -s | less
+</screen>
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why does the include file <filename>common.conf</filename> have an empty include statement?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The use of the empty include statement nullifies further includes. For example, let's say you
+ desire to have just an smb.conf file that is built from the array of include files of which the
+ master control file is called <filename>master.conf</filename>. The following command
+ produces a compound &smb.conf; file.
+<screen>
+&rootprompt; testparm -s /etc/samba/master.conf > /etc/samba/smb.conf
+</screen>
+ If the include parameter was not in the common.conf file, the final &smb.conf; file leaves
+ the include in place, even though the file it points to has already been included. This is a bug
+ that will be fixed at a future date.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ I accept that the simplest configuration necessary to do the job is the best. The use of <parameter>tdbsam</parameter>
+ passdb backend is much simpler than having to manage an LDAP-based <parameter>ldapsam</parameter> passdb backend.
+ I tried using <command>rsync</command> to replicate the <filename>passdb.tdb</filename>, and it seems to work fine!
+ So what is the problem?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Replication of the <parameter>tdbsam</parameter> database file can result in loss of currency in its
+ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
+ to log onto the network following a reboot and may have to re-join the Domain to recover network
+ access capability.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
+ offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
+ offers are made. Under normal operation, the client accepts the first offer it receives.
+ </para>
+
+ <para>
+ The only exception to this rule is when the client makes a directed request from a specific DHCP server
+ for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How does the Windows client find the PDC?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The Windows client obtains the WINS server address from the DHCP lease information. It also
+ obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
+ to register itself with the WINS server and to obtain enumeration of vital network information to
+ enable it to operate successfully.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why did you enable IP forwarding (routing) only on the server called <constant>MASSIVE</constant>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The server called <constant>MASSIVE</constant> is acting as a router to the Internet. No other server
+ (BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network.
+ Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
+ segments to the router that is its gateway to them.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You did nothing special to implement roaming profiles. Why?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
+ clients is to use roaming profiles.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ On the Domain Member computers, you configured winbind in the <filename>/etc/nsswitch.conf</filename> file.
+ You did not configure any PAM settings. Is this an omission?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
+ marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the Domain
+ Member servers using Windows networking user names and passwords, it is necessary to configure PAM
+ to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
+ service switcher (NSS).
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
+ in <emphasis>TOSHARG</emphasis>, where it has a full chapter dedicated to the subject. While we are on the
+ subject, it should be noted that you should definitely not use SWAT on any system that makes use
+ of &smb.conf; <parameter>include</parameter> files because SWAT optimizes them out into an aggregated
+ file but leaves in place a broken reference to the top layer include file. SWAT was not designed to
+ handle this functionality gracefully.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The Domain Controller has an auto-shutdown script. Isn't that dangerous?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
new file mode 100644
index 0000000000..c8a547ac67
--- /dev/null
+++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
@@ -0,0 +1,3786 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="happy">
+ <title>Making Users Happy</title>
+
+ <para>
+ It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give
+ me a day of troubles well handled so that I can be content with my achievements.</quote>
+ </para>
+
+ <para>
+ In the world of computer networks, problems are as varied as the people who create them
+ or experience them. The design of the network implemented in the last chapter may
+ create problems for some network users. The following lists some of the problems that
+ may occur:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Users experiencing difficulty logging onto the network</term>
+ <listitem><para>
+ <indexterm>
+ <primary>network</primary>
+ <secondary>logon</secondary>
+ </indexterm>
+ When a Windows client logs onto the network, many data packets are exchanged
+ between the client and the server that is providing the network logon services.
+ Each request between the client and the server must complete within a specific
+ time limit. This is one of the primary factors that govern the installation of
+ <indexterm>
+ <primary>multiple domain controllers</primary>
+ </indexterm>
+ multiple domain controllers (usually called secondary or backup controllers).
+ As a rough rule, there should be one such backup controller for every
+ 30 to 150 clients. The actual limits are determined by network operational
+ characteristics.
+ </para>
+
+ <para>
+ If the domain controller provides only network logon services
+ and all file and print activity is handled by Domain Member servers, one Domain
+ Controller per 150 clients on a single network segment may suffice. In any
+ case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC)
+ per network segment. It is better to have at least one BDC on the network
+ segment that has a PDC. If the Domain Controller is also used as a file and
+ print server, the number of clients it can service reliably is reduced
+ and a common rule is not to exceed 30 machines (Windows workstations plus
+ Domain Member servers) per Domain Controller.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Slow logons and log-offs</term>
+ <listitem><para>
+ <indexterm>
+ <primary>slow logon</primary>
+ </indexterm>
+ Slow logons and log-offs may be caused by many factors that include:
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>NetBIOS</primary>
+ <secondary>name resolution</secondary>
+ <tertiary>delays</tertiary>
+ </indexterm><indexterm>
+ <primary>WINS</primary>
+ <secondary>server</secondary>
+ </indexterm>
+ Excessive delays in the resolution of a NetBIOS name to its IP
+ address. This may be observed when an overloaded domain controller
+ is also the WINS server. Another cause may be the failure to use
+ a WINS server (this assumes that there is a single network segment).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>traffic collisions</primary>
+ </indexterm><indexterm>
+ <primary>HUB</primary>
+ </indexterm><indexterm>
+ <primary>Etherswitch</primary>
+ </indexterm>
+ Network traffic collisions due to overloading of the network
+ segment &smbmdash; one short-term workaround to this may be to replace
+ network HUBs with Ether-switches.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>networking hardware</primary>
+ <secondary>defective</secondary>
+ </indexterm>
+ Defective networking hardware. Over the past few years, we have seen
+ on the Samba mailing list a significant increase in the number of
+ problems that were traced to a defective network interface controller,
+ a defective HUB or Etherswitch, or defective cabling. In most cases,
+ it was the erratic nature of the problem that ultimately pointed to
+ the cause of the problem.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>profile</primary>
+ <secondary>roaming</secondary>
+ </indexterm><indexterm>
+ <primary>MS Outlook</primary>
+ <secondary>PST file</secondary>
+ </indexterm>
+ Excessively large roaming profiles. This type of problem is typically
+ the result of poor user eduction, as well as poor network management.
+ It can be avoided by users not storing huge quantities of email in
+ MS Outlook PST files, as well as by not storing files on the desktop.
+ These are old bad habits that require much discipline and vigilance
+ on the part of network management.
+ </para></listitem>
+ </itemizedlist>
+
+ <listitem><para><indexterm>
+ <primary>WebClient</primary>
+ </indexterm>
+ You should verify that the Windows XP WebClient service is not running.
+ The use of the WebClient service has been implicated in many Windows
+ networking related problems.
+ </para></listitem>
+
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Loss of access to network drives and printer resources</term>
+ <listitem><para>
+ Loss of access to network resources during client operation may be caused by a number
+ of factors including:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>network</primary>
+ <secondary>overload</secondary>
+ </indexterm>
+ Network overload (typically indicated by a high network collision rate)
+ </para></listitem>
+
+ <listitem><para>
+ Server overload
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>network</primary>
+ <secondary>timeout</secondary>
+ </indexterm>
+ Timeout causing the client to close a connection that is in use, but has
+ been latent (no traffic) for some time (5 minutes or more)
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>network hardware</primary>
+ <secondary>defective</secondary>
+ </indexterm>
+ Defective networking hardware
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>data</primary>
+ <secondary>corruption</secondary>
+ </indexterm>
+ No matter what the cause, a sudden operational loss of access to network resources can
+ result in BSOD (blue screen of death) situations that necessitate rebooting of the client
+ workstation. In the case of a mild problem, retrying to access the network drive of printer
+ may restore operations, but in any case this is a serious problem as it may lead to the next
+ problem, data corruption.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Potential data corruption</term>
+ <listitem><para><indexterm>
+ <primary>data</primary>
+ <secondary>corruption</secondary>
+ </indexterm>
+ Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
+ frustration, and generally precipitates immediate corrective demands. Management response
+ to this type of problem may be rational, as well as highly irrational. There have been
+ cases where management has fired network staff for permitting this situation to occur without
+ immediate correction. There have been situations where perfectly functional hardware was thrown
+ out and replaced, only to find the problem caused by a low-cost network hardware item. There
+ have been cases where server operating systems were replaced, or where Samba was updated,
+ only to later isolate the problem due to defective client software.
+ </para></listitem></varlistentry>
+ </variablelist>
+
+ <para>
+ In this chapter, you can work through a number of measures that significantly arm you to
+ anticipate and to combat network performance issues. You can work through complex and thorny
+ methods to improve the reliability of your network environment, but be warned that all such steps
+ demand the price of complexity.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Mr. Bob Jordan just opened an email from Christine that reads:
+ </para>
+
+ <para>
+ Bob,
+ <blockquote><attribution>Christine</attribution><para>
+ A few months ago we sat down to design the network. We discussed the challenges ahead and we all
+ agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
+ that we would have some time to resolve any issues that might be encountered.
+ </para>
+
+ <para>
+ As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them
+ resigned yesterday afternoon because she was under duress to complete some critical projects. She
+ suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
+ of which was lost. She has a unique requirement that involves storing large files on her desktop.
+ Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it
+ takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
+ network logon traffic passes over the network links between our buildings, logging on may take
+ three or four attempts due to blue screen problems associated with network timeouts.
+ </para>
+
+ <para>
+ A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
+ resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
+ limits on what our users can do with their desktops. If we do not do this, we face staff losses
+ that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal
+ with the consequences of what we know we must do than we can with the unrest we have now.
+ </para>
+
+ <para>
+ Stan and I have discussed the current situation. We are resolved to help our users and protect
+ the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
+ regain control of our vital IT operations.
+ </para></blockquote>
+ </para>
+
+ <para><indexterm>
+ <primary>compromise</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>multi-segment</secondary>
+ </indexterm>
+ Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
+ single domain controller is a poor design that has obvious operational effects that may
+ frustrate users. Here is Bob's reply:
+ <blockquote><attribution>Bob</attribution><para>
+ Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
+ proposals to resolve the issues. I am confident that your plans fully realized will significantly
+ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
+ Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
+ for approval; I appreciate the urgency.
+ </para></blockquote>
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ The priority of assigned tasks in this chapter is:
+ </para>
+
+ <orderedlist>
+ <listitem><para><indexterm>
+ <primary>Backup Domain Controller</primary>
+ <see>BDC</see>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Implement Backup Domain Controllers (BDCs) in each building. This involves
+ a change from use of a <emphasis>tdbsam</emphasis> backend that was used in the previous
+ chapter, to use an LDAP-based backend.
+ </para>
+
+ <para>
+ You can implement a single central LDAP server for this purpose.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>logon time</primary>
+ </indexterm><indexterm>
+ <primary>network share</primary>
+ </indexterm><indexterm>
+ <primary>default profile</primary>
+ </indexterm><indexterm>
+ <primary>profile</primary>
+ <secondary>default</secondary>
+ </indexterm>
+ Rectify the problem of excessive logon times. This involves redirection of
+ folders to network shares as well as modification of all user desktops to
+ exclude the redirected folders from being loaded at login time. You can also
+ create a new default profile that can be used for all new users.
+ </para></listitem>
+
+ </orderedlist>
+
+ <para><indexterm>
+ <primary>disk image</primary>
+ </indexterm>
+ You configure a new MS Windows XP Professional Workstation disk image that you
+ roll out to all desktop users. The instructions you have created are followed on a
+ staging machine from which all changes can be carefully tested before inflicting them on
+ your network users.
+ </para>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm>
+ This is the last network example in which specific mention of printing is made. The example
+ again makes use of the CUPS printing system.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
+ For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
+ LDAP servers in current use with Samba-3 include:
+ </para>
+
+ <itemizedlist><indexterm>
+ <primary>eDirectory</primary>
+ </indexterm>
+ <listitem><para>Novell <ulink
+ url="http://www.novell.com/products/edirectory/">eDirectory.</ulink>
+ eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
+ obtained from the Samba mailing lists or from Novell.</para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Tivoli Directory Server</primary>
+ </indexterm>IBM
+ <ulink
+ url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli Directory Server,</ulink>
+ can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba
+ source code tarball under the directory <filename>~samba/example/LDAP.</filename></para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Sun ONE Identity Server</primary>
+ </indexterm>Sun
+ <ulink
+ url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server.</ulink>
+ This product suite provides an LDAP server that can be used for Samba. Example schema files are
+ provided in the Samba source code tarball under the directory
+ <filename>~samba/example/LDAP.
+ </filename></para></listitem>
+ </itemizedlist>
+
+ <para>
+ A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial
+ offerings, it requires that you manually edit the server configuration files and manually
+ initialize the LDAP directory database. OpenLDAP itself has only command line tools to
+ help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
+ adequate. If you are migrating from Microsoft Active Directory, be
+ warned that OpenLDAP does not include
+ GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
+ requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
+ </para>
+
+ <para><indexterm>
+ <primary>Identity Management</primary>
+ </indexterm><indexterm>
+ <primary>high availability</primary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>replication</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>synchronization</secondary>
+ </indexterm><indexterm>
+ <primary>performance</primary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>management</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>schema</secondary>
+ </indexterm>
+ When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
+ High availability operation may be obtained through directory replication/synchronization and
+ master/slave server configurations. OpenLDAP is a mature platform to host the organizational
+ directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
+ The price paid through learning how to design an LDAP directory schema in implementation and configuration
+ of management tools is well rewarded by performance and flexibility, and the freedom to manage directory
+ contents with greater ability to back up, restore, and modify the directory than is generally possible
+ with Microsoft Active Directory.
+ </para>
+
+ <para><indexterm>
+ <primary>comparison</primary>
+ <secondary>Active Directory &amp; OpenLDAP</secondary>
+ </indexterm><indexterm>
+ <primary>ADAM</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
+ tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
+ for a specific task orientation. It comes with a set of administrative tools that is entirely customized
+ for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
+ server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
+ who wants to built a custom directory solution. Microsoft Active Directory is a generic LDAP server that has
+ been pre-configured for a specific task. Microsoft provides an application called
+ <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
+ MS ADAM</ulink> that provides more-generic LDAP services, yet it does not have the vanilla-like services
+ of OpenLDAP.
+ </para>
+
+ <para><indexterm>
+ <primary>directory</primary>
+ <secondary>schema</secondary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm>
+ You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
+ if you find the challenge of learning about LDAP directories, schemas, configuration, and management
+ tools, and the creation of shell and Perl scripts a bit
+ challenging. OpenLDAP can be easily customized, though it includes
+ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
+ that is required for use as a passdb backend.
+ </para>
+
+ <para>
+ For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
+ there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
+ The Web-based tools you might like to consider include: The <ulink
+ url="http://lam.sourceforge.net/">LDAP
+ Account Manager</ulink> (LAM), as well as the <ulink
+ url="http://www.webmin.com">Webmin</ulink>-based Idealx
+ <ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>
+ </para>
+
+ <para>
+ Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
+ these so it may be useful to include passing reference to them.
+ The first is <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-ased LDAP browser;
+ LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor,</ulink>
+ <ulink url="http://www.jxplorer.org/">JXplorer</ulink> (by Computer Associates),
+ and the last is called <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin.</ulink>
+ </para>
+
+ <note><para>
+ The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
+ security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
+ is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
+ LDAP before attempting to deploy it in a business-critical environment.
+ </para></note>
+
+ <para>
+ Information to help you get started with OpenLDAP is available from the
+ <ulink url="http://www.openldap.org/pub/">
+ OpenLDAP Web Site.</ulink> Many people have found the book <ulink
+ url="http://www.booksense.com/product/info.jsp?isbn=1565924916">
+ LDAP System Administration,</ulink> written by Jerry Carter, quite useful.
+ </para>
+
+ <para><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>segment</secondary>
+ </indexterm><indexterm>
+ <primary>performance</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>wide-area</secondary>
+ </indexterm>
+ Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
+ main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
+ be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly
+ improves overall network performance for most users, but this is not enough. You must gain control over
+ user desktops, and this must be done in a way that wins their support and does not cause further loss of
+ staff morale. The following procedures solve this problem.
+ </para>
+
+ <para><indexterm>
+ <primary>smart printing</primary>
+ </indexterm>
+ There is also an opportunity to implement smart printing features. You add this to the Samba configuration
+ so that future printer changes can be managed without need to change desktop configurations.
+ </para>
+
+ <para>
+ You add the ability to automatically download new printer drivers, even if they are not installed
+ in the default desktop profile. Only one example of printing configuration is given. It is assumed that
+ you can extrapolate the principles and use this to install all printers that may be needed.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para><indexterm>
+ <primary>identity</primary>
+ <secondary>management</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm>
+ The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
+ server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
+ accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account
+ attributes Samba needs. Samba-3 can use the LDAP backend to store:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Windows Networking User Accounts</para></listitem>
+ <listitem><para>Windows NT Group Accounts</para></listitem>
+ <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
+ <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>UNIX accounts</primary>
+ </indexterm><indexterm>
+ <primary>Windows accounts</primary>
+ </indexterm><indexterm>
+ <primary>PADL LDAP tools</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>name service switch</primary>
+ <see>NSS</see>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
+ accounts in the LDAP backend. This implies the need to use the
+ <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools.</ulink> The resolution
+ of the UNIX group name to its GID must be enabled from either the
+ <filename>/etc/group</filename>
+ or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> toolset
+ that integrates with the name service switcher (NSS). The same requirements exist for resolution
+ of the UNIX username to the UID. The relationships are demonstrated in <link linkend="ch6-LDAPdiag"/>.
+ </para>
+
+ <image id="ch6-LDAPdiag">
+ <description>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</description>
+ <imagefile scale="70">UNIX-Samba-and-LDAP.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>secure</secondary>
+ </indexterm>
+ You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
+ ought to learn how to configure secure communications over LDAP so that sites security is not
+ at risk. This is not covered in the following guidance.
+ </para>
+
+ <para><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>LDAP Interchange Format</primary>
+ <see>LDIF</see>
+ </indexterm><indexterm>
+ <primary>LDIF</primary>
+ </indexterm><indexterm>
+ <primary>secrets.tdb</primary>
+ </indexterm>
+ When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
+ called <constant>MASSIVE</constant>. You initialize the Samba
+ <filename>secrets.tdb<subscript></subscript></filename>
+ file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database
+ can be initialized. You need to decide how best to create user and group accounts. A few
+ hints are, of course, provided. You can also find on the enclosed
+ CD-ROM, in the <filename>Chap06</filename>
+ directory, a few tools that help to manage user and group configuration.
+ </para>
+
+ <para><indexterm>
+ <primary>folder redirection</primary>
+ </indexterm><indexterm>
+ <primary>default profile</primary>
+ </indexterm><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm>
+ In order to effect folder redirection and to add robustness to the implementation,
+ create a network Default Profile. All network users workstations are configured to use
+ the new profile. Roaming profiles will automatically be deleted from the workstation
+ when the user logs off.
+ </para>
+
+ <para><indexterm>
+ <primary>mandatory profile</primary>
+ </indexterm>
+ The profile is configured so that users cannot change the appearance
+ of their desktop. This is known as a mandatory profile. You make certain that users
+ are able to use their computers efficiently.
+ </para>
+
+ <para><indexterm>
+ <primary>logon scrip</primary>
+ </indexterm>
+ A network logon script is used to deliver flexible but consistent network drive
+ connections.
+ </para>
+
+ <sect3>
+ <title>Roaming Profile Background</title>
+
+ <para>
+ As XP roaming profiles grow, so does the amount of time it takes to log in and out.
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm><indexterm>
+ <primary>HKEY_CURRENT_USER</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm><indexterm>
+ <primary>%USERNAME%</primary>
+ </indexterm>
+ An XP Roaming Profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
+ <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
+ Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
+ network with the default configuration of MS Windows NT/200x/XPP, all this data is
+ copied to the local machine. By default it is copied to the local machine, under the
+ <filename>C:\Documents and Settings\%USERNAME%</filename> directory. While the user is logged in,
+ any changes made to any of these folders or to the <constant>HKEY_CURRENT_USER</constant>
+ branch of the registry are made to the local copy of the profile. At logout the profile
+ data is copied back to the server. This behavior can be changed through appropriate
+ registry changes and/or through changes to the Default User profile. In the latter case,
+ it updates the registry with the values that are set in the
+ profile <filename>NTUSER.DAT</filename>
+ file.
+ </para>
+
+ <para>
+ The first challenge is to reduce the amount of data that must be transferred to and
+ from the profile server as roaming profiles are processed. This includes removing
+ all the shortcuts in the Recent directory, making sure the cache used by the web browser
+ is not being dumped into the <filename>Application Data</filename> folder, removing the
+ Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the
+ user to not place large files on the Desktop and to use his mapped home directory for
+ saving documents instead of the <filename>My Documents</filename> folder.
+ </para>
+
+ <para><indexterm>
+ <primary>My Documents</primary>
+ </indexterm>
+ Using a folder other than <filename>My Documents</filename> is a nuisance for
+ some users since many applications use it by default.
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profiles</primary>
+ </indexterm><indexterm>
+ <primary>Local Group Policy</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm>
+ The secret to rapid loading of roaming profiles is to prevent unnecessary data from
+ being copied back and forth, without losing any functionality. This is not difficult;
+ it can be done by making changes to the Local Group Policy on each client as well
+ as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
+ </para>
+
+ <para><indexterm>
+ <primary>Network Default Profile</primary>
+ </indexterm><indexterm>
+ <primary>redirected folders</primary>
+ </indexterm>
+ Every user profile has their own <filename>NTUSER.DAT</filename> file. This means
+ you need to edit every user's profile, unless a better method can be
+ followed. Fortunately, with the right preparations, this is not difficult.
+ It is possible to remove the <filename>NTUSER.DAT</filename> file from each
+ user's profile. Then just create a Network Default Profile. Of course, it is
+ necessary to copy all files from redirected folders to the network share to which
+ they are redirected.
+ </para>
+
+ </sect3>
+
+ <sect3 id="ch6-locgrppol">
+ <title>The Local Group Policy</title>
+ <para><indexterm>
+ <primary>Group Policy Objects</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>Group Policy editor</primary>
+ </indexterm>
+ Without an Active Directory PDC, you cannot take full advantage of Group Policy
+ Objects. However, you can still make changes to the Local Group Policy by using
+ the Group Policy editor (<command>gpedit.msc</command>).
+ </para>
+
+ <para>
+ The <emphasis>Exclude directories in roaming profile</emphasis> settings can
+ be found under
+ <menuchoice>
+ <guimenu>User Configuration</guimenu>
+ <guimenuitem>Administrative Templates</guimenuitem>
+ <guimenuitem>System</guimenuitem>
+ <guimenuitem>User Profiles</guimenuitem>
+ </menuchoice>.
+ By default this setting contains:
+ <quote>Local Settings;Temporary Internet Files;History;Temp</quote>.
+ </para>
+
+ <para>
+ Simply add the folders you do not wish to be copied back and forth to this
+ semi-colon separated list. Note that this change must be made on all clients
+ that are using roaming profiles.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Profile Changes</title>
+ <para><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm><indexterm>
+ <primary>%USERNAME%</primary>
+ </indexterm>
+ There are two changes that should be done to each user's profile. Move each of
+ the directories that you have excluded from being copied back and forth out of
+ the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
+ to point to the new paths that are shared over the network, instead of the default
+ path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
+ </para>
+
+ <para><indexterm>
+ <primary>Default User</primary>
+ </indexterm><indexterm>
+ <primary>regedt32</primary>
+ </indexterm>
+ The above modifies existing user profiles. So that newly created profiles have
+ these settings, you will need to modify the <filename>NTUSER.DAT</filename> in
+ the <filename>C:\Documents and Settings\Default User</filename> folder on each
+ client machine, changing the same registry keys. You could do this by copying
+ <filename>NTUSER.DAT</filename> to a Linux box and using
+ <command>regedt32</command>.
+ The basic method is described under <link linkend="redirfold"/>.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Using a Network Default User Profile</title>
+
+ <para><indexterm>
+ <primary>NETLOGON</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm>
+ If you are using Samba as your PDC, you should create a file-share called
+ <constant>NETLOGON</constant> and within that create a directory called
+ <filename>Default User</filename>, which is a copy of the desired default user
+ configuration (including a copy of <filename>NTUSER.DAT</filename>.
+ If this share exists and the <filename>Default User</filename> folder exists,
+ the first login from a new account pulls its configuration from it.
+ See also: <ulink
+ url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
+ the Real Men Don't Click</ulink> Web site.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Installation of Printer Driver Auto-Download</title>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>dumb</secondary>
+ </indexterm><indexterm>
+ <primary>dumb printing</primary>
+ </indexterm><indexterm>
+ <primary>Raw Print Through</primary>
+ </indexterm>
+ The subject of printing is quite topical. Printing problems run second place to name
+ resolution issues today. So far in this book, you have experienced only what is generally
+ known as <quote>dumb</quote> printing. Dumb printing is the arrangement where all drivers
+ are manually installed on each client and the printing subsystems perform no filtering
+ or intelligent processing. Dumb printing is easily understood. It usually works without
+ many problems, but it has its limitations also. Dumb printing is better known as
+ <command>Raw Print Through</command> printing.
+ </para>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>drag-and-drop</secondary>
+ </indexterm><indexterm>
+ <primary>printing</primary>
+ <secondary>point-n-click</secondary>
+ </indexterm>
+ Samba permits the configuration of <command>Smart</command> printing using the Microsoft
+ Windows point-and-click (also called drag-and-drop) printing. What this provides is
+ essentially the ability to print to any printer. If the local client does not yet have a
+ driver installed, the driver is automatically downloaded from the Samba server and
+ installed on the client. Drag-and-drop printing is neat; it means the user never needs
+ to fuss with driver installation, and that is a <trademark>Good Thing</trademark>,
+ isn't it?
+ </para>
+
+ <para>
+ There is a further layer of print job processing that is known as <command>Intelligent</command>
+ printing that automatically senses the file format of data submitted for printing and
+ then invokes a suitable print filter to convert the incoming data stream into a format
+ suited to the printer to which the job is dispatched.
+ </para>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm><indexterm>
+ <primary>Postscript</primary>
+ </indexterm>
+ The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
+ detect the data format and apply a print filter. This means that it is feasible to install
+ on all Windows clients a single printer driver for use with all printers that are routed
+ through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately,
+ <ulink url="http://www.easysw.com">Easy Software Products,</ulink> the authors of CUPS have
+ released a Postscript printing driver for Windows. It can be installed into the Samba
+ printing backend so that it automatically downloads to the client when needed.
+ </para>
+
+ <para>
+ This means that so long as there is a CUPS driver for the printer, all printing from Windows
+ software can use Postscript, no matter what the actual printer language for the physical
+ device is. It also means that the administrator can swap out a printer with a totally
+ different type of device without ever needing to change a client workstation driver.
+ </para>
+
+ <para>
+ This book is about Samba-3, so you can confine the printing style to just the smart
+ style of installation. Those interested in further information regarding intelligent
+ printing should review documentation on the Easy Software Products Web site.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ MS Windows network users are generally very sensitive to limits that may be imposed when
+ confronted with locked-down workstation configurations. The challenge you face must
+ be promoted as a choice between reliable and fast network operation, and a constant flux
+ of problems that result in user irritation.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Installation Check-List</title>
+
+ <para>
+ You are starting a complex project. Even though you have gone through the installation
+ of a complex network in chapter 5, this network is a bigger challenge because of the
+ large number of complex applications that must be configured before the first few steps
+ can be validated. Take stock of what you are about to undertake, prepare yourself, and
+ frequently review the steps ahead while making at least a mental note of what has already
+ been completed. The following task list may help you to keep track of the task items
+ that are covered:
+ </para>
+
+
+ <itemizedlist>
+ <listitem><para>Samba-3 PDC Server Configuration</para>
+ <orderedlist>
+ <listitem><para>DHCP and DNS Servers</para></listitem>
+ <listitem><para>OpenLDAP Server</para></listitem>
+ <listitem><para>PAM and NSS Client Tools</para></listitem>
+ <listitem><para>Samba-3 PDC</para></listitem>
+ <listitem><para>Idealx SMB-LDAP Scripts</para></listitem>
+ <listitem><para>LDAP Initialization</para></listitem>
+ <listitem><para>Create User and Group Accounts</para></listitem>
+ <listitem><para>Printers</para></listitem>
+ <listitem><para>Share Point Directory Roots</para></listitem>
+ <listitem><para>Profile Directories</para></listitem>
+ </orderedlist>
+ </listitem>
+ <listitem><para>Samba-3 BDC Server Configuration</para>
+ <orderedlist>
+ <listitem><para>DHCP and DNS Servers</para></listitem>
+ <listitem><para>PAM and NSS Client Tools</para></listitem>
+ <listitem><para>Printers</para></listitem>
+ <listitem><para>Share Point Directory Roots</para></listitem>
+ <listitem><para>Profiles Directories</para></listitem>
+ </orderedlist>
+ </listitem>
+ <listitem><para>Samba-3 BDC Server Configuration</para></listitem>
+ <listitem><para>Windows XP Client Configuration</para>
+ <orderedlist>
+ <listitem><para>Default Profile Folder Redirection</para></listitem>
+ <listitem><para>MS Outlook PST File Relocation</para></listitem>
+ <listitem><para>Delete Roaming Profile on Logout</para></listitem>
+ <listitem><para>Upload Printer Drivers to Samba Servers</para></listitem>
+ <listitem><para>Install Software</para></listitem>
+ <listitem><para>Creation of Roll-out Images</para></listitem>
+ </orderedlist>
+ </listitem>
+ </itemizedlist>
+
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Samba Server Implementation</title>
+
+ <para><indexterm>
+ <primary>file servers</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
+ that you will install additional file servers, and possibly additional BDCs.
+ </para>
+
+ <image id="chap6net">
+ <description>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend.</description>
+ <imagefile scale="70">chap6-net.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ All configuration files and locations are shown for SUSE Linux 9.0. The file locations for
+ Red Hat Linux are similar. You may need to adjust the locations for your particular
+ Linux system distribution/implementation.
+ </para>
+
+ <para>
+ The steps in the process involve changes from the network configuration
+ shown in <link linkend="Big500users"/>.
+ Before implementing the following steps, you must have completed the network implementation shown
+ in that chapter. If you are starting with newly installed Linux servers, you must complete
+ the steps shown in <link linkend="ch5-dnshcp-setup"/> before commencing
+ at <link linkend="ldapsetup"/>:
+ </para>
+
+ <sect2 id="ldapsetup">
+ <title>OpenLDAP Server Configuration</title>
+
+ <para><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm><indexterm>
+ <primary>pam_ldap</primary>
+ </indexterm><indexterm>
+ <primary>openldap</primary>
+ </indexterm>
+ Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
+ </para>
+
+ <table id="oldapreq">
+ <title>Required OpenLDAP Linux Packages</title>
+ <tgroup cols="3">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry align="center">SUSE Linux 8.x</entry>
+ <entry align="center">SUSE Linux 9</entry>
+ <entry align="center">Red Hat Linux 9</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>nss_ldap</entry>
+ <entry>nss_ldap</entry>
+ <entry>nss_ldap</entry>
+ </row>
+ <row>
+ <entry>pam_ldap</entry>
+ <entry>pam_ldap</entry>
+ <entry>pam_ldap</entry>
+ </row>
+ <row>
+ <entry>openldap2</entry>
+ <entry>openldap2</entry>
+ <entry>openldap</entry>
+ </row>
+ <row>
+ <entry>openldap2-client</entry>
+ <entry>openldap2-client</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-perl</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-monitor</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-ldap</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-meta</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method
+ for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you
+ follow these guidelines, the resulting system should work fine.
+ </para>
+
+<?latex \newpage ?>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>/etc/openldap/slapd.conf</primary>
+ </indexterm>
+ Install the file shown in <link linkend="ch6-slapdconf"/> in the directory
+ <filename>/etc/openldap</filename>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/var/lib/ldap</primary>
+ </indexterm><indexterm>
+ <primary>group account</primary>
+ </indexterm><indexterm>
+ <primary>user account</primary>
+ </indexterm>
+ Remove all files from the directory <filename>/var/lib/ldap</filename>, making certain that
+ the directory exists with permissions:
+<screen>
+&rootprompt; ls -al /var/lib | grep ldap
+drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
+</screen>
+ This may require you to add a user and a group account for LDAP if they do not exist.
+ </para></step>
+
+ </procedure>
+
+
+<example id="ch6-slapdconf">
+<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
+<screen>
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database ldbm
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2 id="ch6-PAM-NSS">
+ <title>PAM and NSS Client Configuration</title>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>PAM</primary>
+ </indexterm>
+ The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution
+ of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead
+ configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
+ </para>
+
+ <para>
+ Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
+ that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
+ correct configuration of the Pluggable Authentication
+ Modules<indexterm>
+ <primary>Pluggable Authentication Modules</primary>
+ <see>PAM</see>
+ </indexterm><indexterm>
+ <primary>pam_unix2.so</primary>
+ </indexterm>
+ (PAM). The <command>pam_ldap</command>
+ open source package provides the PAM modules that most people would use. On SUSE Linux systems,
+ the <command>pam_unix2.so</command> module also has the ability to redirect authentication requests
+ through LDAP.
+ </para>
+
+ <para><indexterm>
+ <primary>YaST</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>authconfig</primary>
+ </indexterm>
+ You have chosen to configure these services by directly editing the system files but, of course, you
+ know that this configuration can be done using system tools provided by the Linux system vendor.
+ SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
+ <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
+ configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
+ the <command>authconfig</command>
+ tool for this.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>/lib/libnss_ldap.so.2</primary>
+ </indexterm><indexterm>
+ <primary>/etc/ldap.conf</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ Execute the following command to find where the <filename>nss_ldap</filename> module
+ expects to find its control file:
+<screen>
+&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
+</screen>
+ The preferred and usual location is <filename>/etc/ldap.conf</filename>.
+ </para></step>
+
+ <step><para>
+ On the server <constant>MASSIVE</constant>, install the file shown in
+ <link linkend="ch6-nss01"/> into the path that was obtained from the step above.
+ On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
+ <link linkend="ch6-nss02"/> into the path that was obtained from the step above.
+ </para></step>
+
+<example id="ch6-nss01">
+<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
+<screen>
+SIZELIMIT 200
+TIMELIMIT 15
+DEREF never
+
+host 127.0.0.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+</screen>
+</example>
+
+<example id="ch6-nss02">
+<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
+<screen>
+SIZELIMIT 200
+TIMELIMIT 15
+DEREF never
+
+host 172.16.0.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+</screen>
+</example>
+
+ <step><para><indexterm>
+ <primary>/etc/nsswitch.conf</primary>
+ </indexterm>
+ Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
+ control user and group resolution will obtain information from the normal system files as
+ well as from <command>ldap</command> as follows:
+<screen>
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+hosts: files dns wins
+</screen>
+ Later, when the LDAP database has been initialized and user and group accounts have been
+ added, you can validate resolution of the LDAP resolver process. The inclusion of
+ WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
+ resolved to their IP addresses, whether or not they are DHCP clients.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>pam_unix2.so</primary>
+ <secondary>use_ldap</secondary>
+ </indexterm>
+ For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
+ files in the <filename>/etc/pam.d</filename> directory:
+ <command>login, password, samba, sshd</command>.
+ In each file, locate every entry that has the <command>pam_unix2.so</command> entry and add to the
+ line the entry <command>use_ldap</command> as shown for the
+ <command>login</command> module in
+ this example:
+<screen>
+#%PAM-1.0
+auth requisite pam_unix2.so nullok use_ldap #set_secrpc
+auth required pam_securetty.so
+auth required pam_nologin.so
+#auth required pam_homecheck.so
+auth required pam_env.so
+auth required pam_mail.so
+account required pam_unix2.so use_ldap
+password required pam_pwcheck.s nullok
+password required pam_unix2.so nullok use_first_pass \
+ use_authtok use_ldap
+session required pam_unix2.so none use_ldap # debug or trace
+session required pam_limits.so
+</screen>
+ </para>
+
+ <para><indexterm>
+ <primary>pam_ldap.so</primary>
+ </indexterm>
+ On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
+ you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
+<screen>
+#%PAM-1.0
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth sufficient pam_ldap.so
+auth required pam_unix2.so nullok try_first_pass #set_secrpc
+account sufficient pam_ldap.so
+account required pam_unix2.so
+password required pam_pwcheck.so nullok
+password required pam_ldap.so use_first_pass use_authtok
+password required pam_unix2.so nullok use_first_pass use_authtok
+session required pam_unix2.so none # debug or trace
+session required pam_limits.so
+session required pam_env.so
+session optional pam_mail.so
+</screen>
+ This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
+ demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
+ implementation, but if the <command>pam_unix2.so</command> on your system supports
+ LDAP, you probably want to use it, rather than add an additional module.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch6-massive">
+ <title>Samba-3 PDC Configuration</title>
+
+ <para><indexterm>
+ <primary>Samba RPM Packages</primary>
+ </indexterm>
+ Verify that the Samba-3.0.2 (or later) packages are installed on each SUSE Linux server
+ before following the steps below. If Samba-3.0.2 (or later) is not installed, you have the
+ choice to either build your own or to obtain the packages from a dependable source.
+ Packages for SUSE Linux 8.2 and 9.0, and Red Hat 9.0 are included on the CD-ROM that
+ is included at the back of this book.
+ </para>
+
+ <procedure>
+ <title>Configuration of PDC Called: <constant>MASSIVE</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-massive-smbconfa"/>,
+ <link linkend="ch6-massive-smbconfb"/>, <link linkend="ch6-shareconfa"/>,
+ and <link linkend="ch6-shareconfb"/> into the <filename>/etc/samba/</filename>
+ directory. The three files should be added together to form the &smb.conf;
+ file.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ Verify the contents of the &smb.conf; file that is generated by Samba
+ as it collates all the included files. You do this by executing:
+<screen>
+&rootprompt; testparm -s &gt; test.conf
+</screen>
+ The output that is created should be free from errors, as shown here:
+
+<screen>
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[apps]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[profdata]"
+Processing section "[IPC$]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[pidata]"
+Loaded services file OK.
+</screen>
+ </para></step>
+
+ <step><para>
+ Delete all run-time files from prior Samba operation by executing (for SUSE
+ Linux):
+<screen>
+&rootprompt; rm /etc/samba/*tdb
+&rootprompt; rm /var/lib/samba/*tdb
+&rootprompt; rm /var/lib/samba/*dat
+&rootprompt; rm /var/log/samba/*
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>secrets.tdb</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Samba-3 communicates with the LDAP server. The password that it uses to
+ authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
+ file. Execute the following to create the new <filename>secrets.tdb</filename> files
+ and store the password for the LDAP Manager:
+<screen>
+&rootprompt; smbpasswd -w not24get
+</screen>
+ The expected output from this command is:
+<screen>
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>getlocalsid</secondary>
+ </indexterm>
+ Samba-3 generates a Windows Security Identifier only when <command>smbd</command>
+ has been started. For this reason, you start Samba. After a few seconds delay,
+ execute:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+&rootprompt; net getlocalsid
+</screen>
+ A report such as the following means that the Domain Security Identifier (SID) has not yet
+ been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
+<screen>
+[2003/12/16 22:32:20, 0] utils/net.c:net_getlocalsid(414)
+ Can't fetch domain SID for name: MASSIVE
+</screen>
+ When the Domain has been created and written to the <filename>secrets.tdb</filename>
+ file, the output should look like this:
+<screen>
+SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
+</screen>
+ If, after a short delay (a few seconds), the Domain SID has still not been written to
+ the <filename>secrets.tdb</filename> file, it is necessary to investigate what
+ may be mis-configured. In this case, carefully check the &smb.conf; file for typographical
+ errors (the most common problem). The use of the <command>testparm</command> is highly
+ recommended to validate the contents of this file.
+ </para></step>
+
+ <step><para>
+ When a positive Domain SID has been reported, stop Samba.
+ </para></step>
+
+ <step><para>
+ <indexterm>
+ <primary>NFS server</primary>
+ </indexterm>
+ <indexterm>
+ <primary>/etc/exports</primary>
+ </indexterm>
+ <indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ <indexterm>
+ <primary>rsync</primary>
+ </indexterm>
+ Configure the NFS server for your Linux system. So you can complete the steps that
+ follow, enter into the <filename>/etc/exports</filename> the following entry:
+<screen>
+/home *(rw,root_squash,sync)
+</screen>
+ This permits the user home directories to be used on the BDC servers for testing
+ purposes. You, of course, decide what is the best way for your site to distribute
+ data drives, as well as creating suitable backup and restore procedures for Abmas Inc.
+ I'd strongly recommend that for normal operation the BDC is completely independent
+ of the PDC. rsync is a useful tool here as it resembles the NT replication service quite
+ closely. If you do use NFS, do not forget to start the NFS server as follows:
+<screen>
+&rootprompt; rcnfs start
+</screen>
+ </para></step>
+ </procedure>
+
+ <para>
+ Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
+ configuration of the LDAP server.
+ </para>
+
+<smbconfexample id="ch6-massive-smbconfa">
+<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
+ <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
+ <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>add user script</name><value>/var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</value></smbconfoption>
+ <smbconfoption><name>delete user script</name><value>/var/lib/samba/sbin/smbldap-userdel.pl %u</value></smbconfoption>
+ <smbconfoption><name>add group script</name><value>/var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
+ <smbconfoption><name>delete group script</name><value>/var/lib/samba/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
+ <smbconfoption><name>add user to group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-groupmod.pl -m '%u' '%g'</parameter></member>
+ <smbconfoption><name>delete user from group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-groupmod.pl -x '%u' '%g'</parameter></member>
+ <smbconfoption><name>set primary group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
+ <smbconfoption><name>add machine script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-useradd.pl -w '%u'</parameter></member>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch6-massive-smbconfb">
+<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Install and Configure Idealx SMB-LDAP Scripts</title>
+
+ <para><indexterm>
+ <primary>Idealx</primary>
+ <secondary>smbldap-tools</secondary>
+ </indexterm>
+ The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
+ on the LDAP server. You have chosen the Idealx scripts since they are part of the
+ Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the
+ <filename>/usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools</filename>
+ directory. On a Red Hat Linux system, they are in a similar path. If you cannot find
+ the scripts on your system, it is easy enough to download them from the Idealx
+ <ulink url="http://samba.idealx.org/index.en.html">Web Site.</ulink> The tarball may
+ be directly <ulink
+ url="http://samba.idealx.org/dist/smbldap-tools-0.8.2.tgz">downloaded</ulink>
+ for this site, also.
+ </para>
+
+ <para>
+ In your installation, the smbldap-tools are located in <filename>/var/lib/samba/sbin</filename>.
+ They can be installed in any convenient directory of your choice, in which case you must
+ change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
+ </para>
+
+ <para>
+ The scripts are not needed on BDC machines because all LDAP updates are handled by
+ the PDC alone.
+ </para>
+
+ <procedure id="idealxscript">
+ <step><para>
+ Create the <filename>/var/lib/samba/sbin</filename> directory, and set its permissions
+ and ownership as shown here:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/sbin
+&rootprompt; chown root.root /var/lib/samba/sbin
+&rootprompt; chmod 755 /var/lib/samba/sbin
+</screen>
+ </para></step>
+
+ <step><para>
+ If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
+ Change into either the directory extracted from the tarball, or else into the smbldap-tools
+ directory in your <filename>/usr/share/doc/packages</filename> directory tree.
+ </para></step>
+
+ <step><para>
+ Copy all the <filename>.pl</filename> and <filename>.pm</filename> files into the
+ <filename>/var/lib/samba/sbin</filename> directory, as shown here:
+<screen>
+&rootprompt; cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools
+&rootprompt; cp *.pl *.pm /var/lib/samba/sbin
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>mkntpasswd</primary>
+ </indexterm>
+ You must compile the <command>mkntpasswd</command> tool and then install it into
+ the <filename>/var/lib/samba/sbin</filename> directory, as shown here:
+<screen>
+&rootprompt; cd mkntpwd
+&rootprompt; make
+gcc -O2 -DMPU8086 -c -o getopt.o getopt.c
+gcc -O2 -DMPU8086 -c -o md4.o md4.c
+gcc -O2 -DMPU8086 -c -o mkntpwd.o mkntpwd.c
+mkntpwd.c: In function `main':
+mkntpwd.c:37: warning: return type of `main' is not `int'
+gcc -O2 -DMPU8086 -c -o smbdes.o smbdes.c
+gcc -O2 -DMPU8086 -o mkntpwd getopt.o md4.o mkntpwd.o smbdes.o
+&rootprompt; cp mkntpwd /var/lib/samba/sbin
+</screen>
+ The smbldap-tools scripts must now be configured.
+ </para></step>
+
+ <step><para>
+ Change to the <filename>/var/lib/samba/sbin</filename> directory, and edit the
+ <filename>/var/lib/samba/sbin/smbldap_conf.pm</filename> to affect the changes
+ shown here:
+<screen>
+# Put your own SID
+# to obtain this number do: "net getlocalsid"
+#$SID='S-1-5-21-1671648649-242858427-2873575837';
+$SID='S-1-5-21-3504140859-1010554828-2431957765';
+...
+# LDAP Suffix
+# Ex: $suffix = "dc=IDEALX,dc=ORG";
+$suffix = "dc=abmas,dc=biz";
+...
+# Where are stored Users
+# Ex: $usersdn = "ou=Users,$suffix"; ...
+$usersou = q(People);
+$usersdn = "ou=$usersou,$suffix";
+
+# Where are stored Computers
+# Ex: $computersdn = "ou=Computers,$suffix"; ...
+$computersou = q(People);
+$computersdn = "ou=$computersou,$suffix";
+
+# Where are stored Groups
+# Ex $groupsdn = "ou=Groups,$suffix"; ...
+$groupsou = q(Groups);
+$groupsdn = "ou=$groupsou,$suffix";
+
+# Default scope Used
+$scope = "sub";
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+$hash_encrypt="MD5";
+...
+############################
+# Credential Configuration #
+############################
+# Bind DN used
+# Ex: $binddn = "cn=admin,$suffix"; ...
+$binddn = "cn=Manager,$suffix";
+
+# Bind DN passwd used
+# Ex: $bindpasswd = 'secret'; for 'secret'
+$bindpasswd = 'not24get';
+...
+# Login defs
+# Default Login Shell
+# Ex: $_userLoginShell = q(/bin/bash);
+#$_userLoginShell = q(_LOGINSHELL_);
+$_userLoginShell = q(/bin/bash);
+
+# Home directory prefix (without username)
+# Ex: $_userHomePrefix = q(/home/);
+#$_userHomePrefix = q(_HOMEPREFIX_);
+$_userHomePrefix = q(/home/);
+...
+# The UNC path to home drives location without the
+# username last extension (will be dynamically prepended)
+# Ex: q(\\\\My-PDC-netbios-name\\homes)
+# Just comment this if you want to use the smb.conf
+# 'logon home' directive # and/or desabling roaming profiles
+#$_userSmbHome = q(\\\\_PDCNAME_\\homes);
+$_userSmbHome = q(\\\\MASSIVE\\homes);
+
+# The UNC path to profiles locations without the username
+# last extension (will be dynamically prepended)
+# Ex: q(\\\\My-PDC-netbios-name\\profiles\\)
+# Just comment this if you want to use the smb.conf
+# 'logon path' directive and/or desabling roaming profiles
+$_userProfile = q(\\\\MASSIVE\\profiles\\);
+
+# The default Home Drive Letter mapping
+# (automatically mapped at logon time if home directory exists)
+# Ex: q(U:) for U:
+#$_userHomeDrive = q(_HOMEDRIVE_);
+$_userHomeDrive = q(H:);
+...
+# Allows not to use smbpasswd
+# (if $with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer mkntpwd... most of the time, it's a wise choice :-)
+$with_smbpasswd = 0;
+$smbpasswd = "/usr/bin/smbpasswd";
+$mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd";
+...
+</screen>
+ </para></step>
+
+ <step><para>
+ To complete the configuration of the smbldap-tools, set the permissions and ownership
+ by executing the following commands:
+<screen>
+&rootprompt; chown root.root /var/lib/samba/sbin/*
+&rootprompt; chmod 755 /var/lib/samba/sbin/smb*pl
+&rootprompt; chmod 640 /var/lib/samba/sbin/smb*pm
+&rootprompt; chmod 555 /var/lib/samba/sbin/mkntpwd
+</screen>
+ The smbldap-tools scripts are now ready for use.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>LDAP Initialization and Creation of User and Group Accounts</title>
+
+ <para>
+ The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group
+ accounts before Samba can be used. The following procedures step you through the process.
+ </para>
+
+ <para>
+ At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are
+ mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not
+ hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
+ database. From a UNIX system perspective, the NSS resolver checks system files before
+ referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
+ does not need to ask LDAP.
+ </para>
+
+ <para>
+ Addition of an account to the LDAP backend can be done in a number of ways:
+ </para>
+
+ <blockquote><para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>Posix accounts</primary>
+ </indexterm><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm><indexterm>
+ <primary>SambaSamAccount</primary>
+ </indexterm><indexterm>
+ <primary>PosixAccount</primary>
+ </indexterm>
+ If you always have a user account in the <filename>/etc/passwd</filename> on every
+ server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in
+ LDAP. In this case, you can add Windows Domain user accounts using the
+ <command>pdbedit</command> utility. Use of this tool from the command line adds the
+ SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
+ </para>
+
+ <para>
+ If you decide that it is probably a good idea to add both the PosixAccount attributes
+ as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
+ In the example system you are installing in this exercise, you are making use of the
+ Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
+ is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
+ </para></blockquote>
+
+ <para><indexterm>
+ <primary>Idealx</primary>
+ <secondary>smbldap-tools</secondary>
+ </indexterm>
+ If you wish to have more control over how the LDAP database is initialized or
+ want not to use the Idealx smbldap-tools, you should refer to <link
+ linkend="altldapcfg"/>.
+ </para>
+
+ <para><indexterm>
+ <primary>smbldap-populate.pl</primary>
+ </indexterm>
+ The following steps initialize the LDAP database, and then you can add user and group
+ accounts that Samba can use. You use the <command>smbldap-populate.pl</command> to
+ seed the LDAP database. You then manually add the accounts shown in <link linkend="ch6-bigacct"/>.
+ The list of users does not cover all 500 network users; it provides examples only.
+ </para>
+
+ <note><para><indexterm>
+ <primary>LDAP</primary>
+ <secondary>database</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>People container</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>Computers container</secondary>
+ </indexterm>
+ In the following examples, as the LDAP database is initialized, we do create a container
+ for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
+ of the People container, not the Computers container, for domain member accounts. This is not a
+ mistake; it is a deliberate action that is necessitated by the fact that there is a bug in Samba-3
+ that prevents it from being able to search the LDAP database for computer accounts if they are
+ placed in the Computers container. By placing all machine accounts in the People container, we
+ are able to side-step this bug. It is expected that at some time in the future this problem will
+ be resolved. At that time, it will be possible to use the Computers container in order to keep
+ machine accounts separate from user accounts.
+ </para></note>
+
+
+ <table id="ch6-bigacct">
+ <title>Abmas Network Users and Groups</title>
+ <tgroup cols="4">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry align="center">Account Name</entry>
+ <entry align="center">Type</entry>
+ <entry align="center">ID</entry>
+ <entry align="center">Password</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Robert Jordan</entry>
+ <entry>User</entry>
+ <entry>bobj</entry>
+ <entry>n3v3r2l8</entry>
+ </row>
+ <row>
+ <entry>Stanley Soroka</entry>
+ <entry>User</entry>
+ <entry>stans</entry>
+ <entry>impl13dst4r</entry>
+ </row>
+ <row>
+ <entry>Christine Roberson</entry>
+ <entry>User</entry>
+ <entry>chrisr</entry>
+ <entry>S9n0nw4ll</entry>
+ </row>
+ <row>
+ <entry>Mary Vortexis</entry>
+ <entry>User</entry>
+ <entry>maryv</entry>
+ <entry>kw13t0n3</entry>
+ </row>
+ <row>
+ <entry>Accounts</entry>
+ <entry>Group</entry>
+ <entry>Accounts</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>Finances</entry>
+ <entry>Group</entry>
+ <entry>Finances</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>Insurance</entry>
+ <entry>Group</entry>
+ <entry>PIOps</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <procedure id="creatacc">
+ <step><para>
+ Start the LDAP server by executing:
+<screen>
+&rootprompt; rcldap start
+Starting ldap-server done
+</screen>
+ </para></step>
+
+ <step><para>
+ Change to the <filename>/var/lib/samba/sbin</filename> directory.
+ </para></step>
+
+ <step><para>
+ Execute the script that will populate the LDAP database as shown here:
+<screen>
+&rootprompt; ./smbldap-populate.pl
+Using builtin directory structure
+adding new entry: dc=abmas,dc=biz
+adding new entry: ou=People,dc=abmas,dc=biz
+adding new entry: ou=Groups,dc=abmas,dc=biz
+adding new entry: ou=Computers,dc=abmas,dc=biz
+adding new entry: uid=Administrator,ou=People,dc=abmas,dc=biz
+adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
+adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Power Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Account Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Server Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Replicator,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+</screen>
+ </para></step>
+
+ <step><para>
+ It is necessary to restart the LDAP server as shown here:
+<screen>
+&rootprompt; rcldap restart
+Shutting down ldap-server done
+Starting ldap-server done
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapcat</primary>
+ </indexterm>
+ So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data.
+ There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
+ the simplest is to execute:
+<screen>
+&rootprompt; slapcat | grep -i idmap
+dn: ou=Idmap,dc=abmas,dc=biz
+ou: idmap
+</screen>
+ <indexterm>
+ <primary>ldapadd</primary>
+ </indexterm>
+ If the execution of this command does not return IDMAP entries, you need to create an LDIF
+ template file (see <link linkend="ch6-ldifadd"/>). You can add the required entries using
+ the following command:
+<screen>
+&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
+ -w not24get &lt; /etc/openldap/idmap.LDIF
+</screen>
+ Samba automatically populates this LDAP directory container when it needs to.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapcat</primary>
+ </indexterm>
+ It looks like all has gone well, as expected. Let's confirm that this is the case
+ by running a few tests. First we check the contents of the database directly
+ by running <command>slapcat</command> as follows (the output has been cut down):
+<screen>
+&rootprompt; slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+structuralObjectClass: organization
+entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234200Z
+entryCSN: 2003121723:42:00Z#0x0001#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234200Z
+...
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+structuralObjectClass: posixGroup
+entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234206Z
+entryCSN: 2003121723:42:06Z#0x0002#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234206Z
+</screen>
+ This looks good so far.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ldapsearch</primary>
+ </indexterm>
+ The next step is to prove that the LDAP server is running and responds to a
+ search request. Execute the following as shown (output has been cut to save space):
+<screen>
+&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+...
+# Domain Computers, Groups, abmas.biz
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 20
+# numEntries: 19
+</screen>
+ Good. It is all working just fine.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ You must now make certain that the NSS resolver can interrogate LDAP also.
+ Execute the following commands:
+<screen>
+&rootprompt; getent passwd | grep Administrator
+Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+
+&rootprompt; getent group | grep Domain
+Domain Admins:x:512:Administrator
+Domain Users:x:513:
+Domain Guests:x:514:
+Domain Computers:x:553:
+</screen><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ This demonstrates that the <command>nss_ldap</command> library is functioning
+ as it should.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-useradd.pl</primary>
+ </indexterm><indexterm>
+ <primary>smbldap-passwd.pl</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Our database is now ready for the addition of network users. For each user for
+ whom an account must be created, execute the following:
+<screen>
+&rootprompt; ./smbldap-useradd.pl -m -a <constant>username</constant>
+&rootprompt; ./smbldap-passwd.pl <constant>username</constant>
+Changing password for <constant>username</constant>
+New password : XXXXXXXX
+Retype new password : XXXXXXXX
+
+&rootprompt; smbpasswd <constant>username</constant>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+</screen>
+ Where <constant>username</constant> is the login ID for each user.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
+ following:
+<screen>
+&rootprompt; getent passwd
+...
+Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+
+&rootprompt; id chrisr
+uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
+</screen>
+ This confirms that the UNIX (Posix) user accounts can be resolved from LDAP.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-usermod.pl</primary>
+ </indexterm>
+ In the above listing, you can see that the user <constant>Administrator</constant>
+ has been given UID=998. This means that operations conducted from a Windows client
+ using tools such as the Domain User Manager fails under UNIX because the
+ management of user and group accounts requires that the UID=0. You decide to rectify
+ this immediately as demonstrated here:
+<screen>
+&rootprompt; cd /var/lib/samba/sbin
+&rootprompt; ./smbldap-usermod.pl -u 0 Administrator
+</screen>
+ </para></step>
+
+ <step><para>
+ Make certain that a home directory has been created for every user by listing the
+ directories in <filename>/home</filename> as follows:
+<screen>
+&rootprompt; ls -al /home
+drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
+drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
+drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
+drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
+drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
+drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
+</screen>
+ This is precisely what we want to see.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ The final validation step involves making certain that Samba-3 can obtain the user
+ accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
+<screen>
+&rootprompt; pdbedit -Lv chrisr
+Unix username: chrisr
+NT username: chrisr
+Account Flags: [U ]
+User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
+Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
+Full Name: System User
+Home Directory: \\MASSIVE\homes
+HomeDir Drive: H:
+Logon Script: chrisr.cmd
+Profile Path: \\MASSIVE\profiles\chrisr
+Domain: MEGANET2
+Account desc: System User
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 17 Dec 2003 17:17:40 GMT
+Password can change: Wed, 17 Dec 2003 17:17:40 GMT
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</screen>
+ This looks good. Of course, you fully expected that it would all work, didn't you?
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-groupadd.pl</primary>
+ </indexterm>
+ Now you add the group accounts that are used on the Abmas network. Execute
+ the following exactly as shown:
+<screen>
+&rootprompt; ./smbldap-groupadd.pl -a Accounts
+&rootprompt; ./smbldap-groupadd.pl -a Finances
+&rootprompt; ./smbldap-groupadd.pl -a PIOps
+</screen>
+ The addition of groups does not involve keyboard interaction, so the lack of console
+ output is of no concern.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ You really do want to confirm that UNIX group resolution from LDAP is functioning
+ as it should. Let's do this as shown here:
+<screen>
+&rootprompt; getent group
+...
+Domain Admins:x:512:Administrator
+Domain Users:x:513:bobj,stans,chrisr,maryv
+Domain Guests:x:514:
+...
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</screen>
+ The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
+ as our own site-specific group accounts, are correctly listed. This is looking good.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>list</tertiary>
+ </indexterm>
+ The final step we need to validate is that Samba can see all the Windows Domain Groups
+ and that they are correctly mapped to the respective UNIX group account. To do this,
+ just execute the following command:
+<screen>
+&rootprompt; net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
+</screen>
+ This is looking good. Congratulations &smbmdash; it works! Note that in the above output
+ the lines where shortened by replacing the middle value (1010554828) of the SID with the
+ elipsis (...).
+ </para></step>
+
+ <step><para>
+ The server you have so carefully built is now ready for another important step. You
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, on system reboot, they are automatically
+ started:
+<screen>
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig dhcpd on
+&rootprompt; chkconfig ldap on
+&rootprompt; chkconfig nmb on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig winbind on
+&rootprompt; rcnmb start
+&rootprompt; rcsmb start
+&rootprompt; rcwinbind start
+</screen>
+ </para></step>
+
+ <step><para>
+ The next step might seem a little odd at this point, but take note that you are about to
+ start <command>winbindd</command> which must be able to authenticate to the PDC via the
+ localhost interface. This requires a Domain account for the PDC. This account can be
+ easily created by joining the PDC to the Domain by executing the following command:
+<screen>
+&rootprompt; net rpc join -U Administrator%not24get
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain security account for the BDC has been correctly created.
+ </para></step>
+
+ <step><para>
+ At this time it is necessary to restart <command>winbindd</command> so that it can
+ correctly authenticate to the PDC. The following command achieves that:
+<screen>
+&rootprompt; rcwinbind restart
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ You may now check Samba-3 operation as follows:
+<screen>
+&rootprompt; smbclient -L massive -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.1)
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ pidata Disk Property Insurance Files
+ apps Disk Application Files
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ profdata Disk Profile Data Share
+ ADMIN$ IPC IPC Service (Samba 3.0.1)
+
+ Server Comment
+ --------- -------
+ MASSIVE Samba 3.0.1
+
+ Workgroup Master
+ --------- -------
+ MEGANET2 MASSIVE
+</screen>
+ This shows that an anonymous connection is working.
+ </para></step>
+
+ <step><para>
+ For your finale, let's try an authenticated connection. Follow this as shown:
+<screen>
+&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
+smb: \> dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \> q
+</screen>
+ Well done. All is working fine.
+ </para></step>
+ </procedure>
+
+ <para>
+ The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
+ </para>
+
+ </sect2>
+
+ <sect2 id="ch6-ptrcfg">
+ <title>Printer Configuration</title>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm>
+ The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
+ taken care of in the &smb.conf; file. The only preparation needed for
+ <constant>smart</constant>
+ printing to be possible involves creation of the directories in which Samba-3 stores
+ Windows printing driver files.
+ </para>
+
+ <procedure>
+
+ <step><para>
+ Configure all network attached printers to have a fixed IP address.
+ </para></step>
+
+ <step><para>
+ Create an entry in the DNS database on the server <constant>MASSIVE</constant>
+ in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
+ and in the reverse lookup database for the network segment that the printer is to
+ be located in. Example configuration files for similar zones were presented in
+ <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
+ </para></step>
+
+ <step><para>
+ Follow the instructions in the printer manufacturers' manuals to permit printing
+ to port 9100. Use any other port the manufacturer specifies for direct mode,
+ raw printing. This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
+ Only on the server to which the printer is attached, configure the CUPS Print
+ Queues as follows:
+<screen>
+&rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This step creates the necessary print queue to use no assigned print filter. This
+ is ideal for raw printing, i.e., printing without use of filters.
+ The name <parameter>printque</parameter> is the name you have assigned for
+ the particular printer.
+ </para></step>
+
+ <step><para>
+ Print queues may not be enabled at creation. Make certain that the queues
+ you have just created are enabled by executing the following:
+<screen>
+&rootprompt; /usr/bin/enable <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ Even though your print queue may be enabled, it is still possible that it
+ may not accept print jobs. A print queue will service incoming printing
+ requests only when configured to do so. Ensure that your print queue is
+ set to accept incoming jobs by executing the following commands:
+<screen>
+&rootprompt; /usr/bin/accept <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ Refer to the CUPS printing manual for instructions regarding how to configure
+ CUPS so that print queues that reside on CUPS servers on remote networks
+ route print jobs to the print server that owns that queue. The default setting
+ on your CUPS server may automatically discover remotely installed printers and
+ may permit this functionality without requiring specific configuration.
+ </para></step>
+
+ <step><para>
+ The following action creates the necessary directory sub-system. Follow these
+ steps to printing heaven:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
+&rootprompt; chown -R root.root /var/lib/samba/drivers
+&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="ch6-bldg1">
+ <title>Samba-3 BDC Configuration</title>
+
+ <procedure>
+ <title>Configuration of BDC Called: <constant>BLDG1</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-bldg1-smbconf"/>,
+ <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
+ into the <filename>/etc/samba/</filename> directory. The three files
+ should be added together to form the &smb.conf; file.
+ </para></step>
+
+ <step><para>
+ Verify the &smb.conf; file as in step 2 of <link
+ linkend="ch6-massive"/>.
+ </para></step>
+
+ <step><para>
+ Carefully follow the steps outlined in <link linkend="ch6-PAM-NSS"/>, taking
+ particular note to install the correct <filename>ldap.conf</filename>.
+ </para></step>
+
+ <step><para>
+ Verify that the NSS resolver is working. You may need to cycle the run level
+ to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
+ commands:
+<screen>
+&rootprompt; init 1
+</screen>
+ After the run level has been achieved, you are prompted to provide the
+ <constant>root</constant> password. Log on, and then execute:
+<screen>
+&rootprompt; init 5
+</screen>
+ When the normal logon prompt appears, log into the system as
+ <constant>root</constant>
+ and then execute these commands:
+<screen>
+&rootprompt; getent passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+...
+Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
+bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
+</screen>
+ This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ The next step in the verification process involves testing the operation of UNIX group
+ resolution via the NSS LDAP resolver. Execute these commands:
+<screen>
+&rootprompt; getent group
+root:x:0:
+bin:x:1:daemon
+daemon:x:2:
+sys:x:3:
+...
+Domain Admins:x:512:Administrator
+Domain Users:x:513:bobj,stans,chrisr,maryv,jht
+Domain Guests:x:514:
+Administrators:x:544:
+Users:x:545:
+Guests:x:546:nobody
+Power Users:x:547:
+Account Operators:x:548:
+Server Operators:x:549:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</screen>
+ This is also the correct and desired output, because it demonstrates that the LDAP client
+ is able to communicate correctly with the LDAP server
+ (<constant>MASSIVE</constant>).
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ You must now set the LDAP administrative password into the
+ Samba-3 <filename>secrets.tdb</filename>
+ file by executing this command:
+<screen>
+&rootprompt; smbpasswd -w not24get
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</screen>
+ </para></step>
+
+ <step><para>
+ Now you must obtain the Domain Security Identifier from the PDC and store it into the
+ <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
+ passdb backend because Samba-3 obtains the Domain SID from the
+ sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
+ add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
+ command can achieve that:
+<screen>
+&rootprompt; net rpc getsid MEGANET2
+Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
+ for Domain MEGANET2 in secrets.tdb
+</screen>
+ When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
+ any special action to join it to the Domain. However, winbind communicates with the
+ Domain Controller that is running on the localhost and must be able to authenticate,
+ thus requiring that the BDC should be joined to the Domain. The process of joining
+ the Domain creates the necessary authentication accounts.
+ </para></step>
+
+ <step><para>
+ To join the Samba BDC to the Domain execute the following:
+<screen>
+&rootprompt; net rpc join -U Administrator%not24get
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain security account for the BDC has been correctly created.
+ </para></step>
+
+ <step><para>
+ <indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ Verify that user and group account resolution works via Samba-3 tools as follows:
+<screen>
+&rootprompt; pdbedit -L
+Administrator:0:Administrator
+nobody:65534:nobody
+bobj:1000:System User
+stans:1001:System User
+chrisr:1002:System User
+maryv:1003:System User
+bldg1$:1006:bldg1$
+
+&rootprompt; net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
+Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
+</screen>
+ The above results show that all things are in order.
+ </para></step>
+
+ <step><para>
+ The server you have so carefully built is now ready for another important step. Now
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, upon system reboot, they are automatically
+ started:
+<screen>
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig dhcpd on
+&rootprompt; chkconfig nmb on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig winbind on
+&rootprompt; rcnmb start
+&rootprompt; rcsmb start
+&rootprompt; rcwinbind start
+</screen>
+ Samba-3 should now be running and is ready for a quick test. But not quite yet!
+ </para></step>
+
+ <step><para>
+ Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
+ To rectify this using the SUSE yast2 utility or by manually
+ editing the <filename>/etc/fstab</filename>
+ file, add a mount entry to mount the <constant>home</constant> directory that has been exported
+ from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
+ approach could be to create local home directories for users who are to use these machines.
+ This is a choice that you, as system administrator, must make. The following entry in the
+ <filename>/etc/fstab</filename> file suffices for now:
+<screen>
+massive.abmas.biz:/home /home nfs rw 0 0
+</screen>
+ To mount this resource, execute:
+<screen>
+&rootprompt; mount -a
+</screen>
+ Verify that the home directory has been mounted as follows:
+<screen>
+&rootprompt; df | grep home
+massive:/home 29532988 283388 29249600 1% /home
+</screen>
+ </para></step>
+
+ <step><para>
+ Implement a quick check using one of the users that is in the LDAP database. Here you go:
+<screen>
+&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
+smb: \> dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ </procedure>
+
+ <procedure id="ch6-bldg2">
+ <title>Configuration of BDC Called: <constant>BLDG2</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-bldg2-smbconf"/>,
+ <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
+ into the <filename>/etc/samba/</filename> directory. The three files
+ should be added together to form the &smb.conf; file.
+ </para></step>
+
+ <step><para>
+ Follow carefully the steps shown in <link linkend="ch6-bldg1"/>, starting at step 2.
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="ch6-bldg1-smbconf">
+<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
+ <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+
+<smbconfexample id="ch6-bldg2-smbconf">
+<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
+ <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+
+<smbconfexample id="ch6-shareconfa">
+<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
+<smbconfsection>[accounts]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[pidata]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+ <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+ <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch6-shareconfb">
+<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
+<smbconfsection>[apps]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+ <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>locking</name><value>No</value></smbconfoption>
+
+<smbconfsection>[profiles]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[profdata]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Profile Data Share</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/profdata</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>no</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>yes</value></smbconfoption>
+ <smbconfoption><name>write list</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+<example id="ch6-ldifadd">
+<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
+<screen>
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: idmap
+structuralObjectClass: organizationalUnit
+</screen>
+</example>
+
+</sect1>
+
+<sect1>
+ <title>Miscellaneous Server Preparation Tasks</title>
+
+ <para>
+ My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
+ The makings of a great network environment take a lot of effort and attention to detail.
+ So far you have completed most of the complex (and to many administrators, the interesting
+ part of server configuration) steps, but remember to tie it all together. Here are
+ a few more steps that must be completed so that your network runs like a well-rehearsed
+ orchestra.
+ </para>
+
+ <sect2>
+ <title>Configuring Directory Share Point Roots</title>
+
+ <para>
+ In your &smb.conf; file, you have specified Windows shares. Each has a
+ <parameter>path</parameter>
+ parameter. Even though it is obvious to all, one of the common Samba networking problems is
+ caused by forgetting to verify that every such share root directory actually exists and that it
+ has the necessary permissions and ownership.
+ </para>
+
+ <para>
+ Here is an example, but remember to create the directory needed for every share:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
+&rootprompt; mkdir -p /apps
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R root.root /apps
+&rootprompt; chown -R bobj.Accounts /data/accounts
+&rootprompt; chown -R bobj.Finances /data/finsvcs
+&rootprompt; chown -R bobj.PIOps /data/pidata
+&rootprompt; chmod -R ug+rwxs,o-rwx /data
+&rootprompt; chmod -R ug+rwx,o+rx-w /apps
+</screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuring Profile Directories</title>
+
+ <para>
+ You made a conscious decision to do everything it would take to improve network client
+ performance. One of your decisions was to implement folder redirection. This means that Windows
+ user desktop profiles are now made up of two components &smbmdash; a dynamically loaded part and a set of file
+ network folders.
+ </para>
+
+ <para>
+ For this arrangement to work, every user needs a directory structure for the network folder
+ portion of their profile as shown here:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/profdata
+&rootprompt; chown root.root /var/lib/samba/profdata
+&rootprompt; chmod 755 /var/lib/samba/profdata
+
+# Per user structure
+&rootprompt; cd /var/lib/samba/profdata
+&rootprompt; mkdir -p <emphasis>username</emphasis>
+&rootprompt; for i in InternetFiles Cookies History AppData \
+ LocalSettings MyPictures MyDocuments Recent
+&rootprompt; do
+&rootprompt; mkdir <emphasis>username</emphasis>/$i
+&rootprompt; done
+&rootprompt; chown -R <emphasis>username</emphasis>.Domain\ Users <emphasis>username</emphasis>
+&rootprompt; chmod -R 750 <emphasis>username</emphasis>
+</screen>
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm><indexterm>
+ <primary>mandatory profile</primary>
+ </indexterm>
+ You have three options insofar as the dynamically loaded portion of the roaming profile
+ is concerned:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>You may permit the user to obtain a default profile.</para></listitem>
+ <listitem><para>You can create a mandatory profile.</para></listitem>
+ <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Mandatory profiles cannot be overwritten by a user. The change from
+ a user profile to a mandatory profile is effected by renaming the
+ <filename>NTUSER.DAT</filename> to
+ <filename>NTUSER.MAN</filename>, i.e., just by changing the filename
+ extension.
+ </para>
+
+ <para><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm><indexterm>
+ <primary>Domain User Manager</primary>
+ </indexterm>
+ The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend.
+ You can manage this using the Idealx smbldap-tools or using the
+ <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager.</ulink>
+ </para>
+
+ <para>
+ It may not be obvious that you must ensure that the root directory for the user's profile exists
+ and has the needed permissions. Use the following commands to create this directory:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
+&rootprompt; chown <emphasis>username</emphasis>.Domain\ Users
+ /var/lib/samba/profiles/<emphasis>username</emphasis>
+&rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
+</screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Preparation of Logon Scripts</title>
+
+ <para><indexterm>
+ <primary>logon script</primary>
+ </indexterm>
+ The use of a logon script with Windows XP Professional is an option that every site should consider.
+ Unless you have locked down the desktop so the user cannot change anything, there is risk that
+ a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
+ can help to restore persistent network folder (drive) and printer connections in a predictable
+ manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
+ user attaches to another company's network that forces environment changes that are alien to your
+ network.
+ </para>
+
+ <para>
+ If you decide to use network logon scripts, by reference to the &smb.conf; files for the Domain
+ Controllers, you see that the path to the share point for the
+ <constant>NETLOGON</constant>
+ share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
+ script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
+ NT/200x/XP client logs onto the network, it tries to obtain the file
+ <filename>logon.bat</filename>
+ from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
+ qualified path should, therefore, exist whether you install the
+ <filename>logon.bat</filename>.
+ </para>
+
+ <para>
+ You can, of course, create the fully qualified path by executing:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
+</screen>
+ </para>
+
+ <para>
+ You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
+ Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
+ facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart.</ulink>
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Windows Client Configuration</title>
+
+ <para><indexterm>
+ <primary>NETLOGON</primary>
+ </indexterm>
+ In the next few sections, you can configure a new Windows XP Professional disk image on a staging
+ machine. You will configure all software, printer settings, profile and policy handling, and desktop
+ default profile settings on this system. When it is complete, you copy the contents of the
+ <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
+ name in the <constant>NETLOGON</constant> share on the Domain Controllers.
+ </para>
+
+ <para>
+ Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
+ One knowledge-base article in particular stands out. See:
+ <ulink
+ url="http://support.microsoft.com/default.aspx&amp;scid=kb;en-us;168475">How to Create a
+ Base Profile for All Users.</ulink>
+
+ </para>
+
+ <sect2 id="redirfold">
+ <title>Configuration of Default Profile with Folder Redirection</title>
+
+ <para><indexterm>
+ <primary>folder redirection</primary>
+ </indexterm>
+ Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
+ It is necessary to expose folders that are generally hidden to provide
+ access to the <constant>Default User</constant>
+ folder.
+ </para>
+
+ <procedure>
+ <title>Expose Hidden Folders</title>
+
+ <step><para>
+ Launch the Windows Explorer by clicking
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>My Computer</guimenuitem>
+ <guimenuitem>Tools</guimenuitem>
+ <guimenuitem>Folder Options</guimenuitem>
+ <guimenuitem>View Tab</guimenuitem>
+ </menuchoice>.
+ Select <guilabel>Show hidden files and folders</guilabel>,
+ and click <guibutton>OK</guibutton>.
+ Exit Windows Explorer.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>regedt32</primary>
+ </indexterm>
+ Launch the Registry Editor. Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Run</guimenuitem>
+ </menuchoice>. Key in <command>regedt32</command>, and click
+ <guibutton>OK</guibutton>.
+ </para></step>
+ </procedure>
+
+ <para>
+ </para>
+
+ <procedure id="ch6-rdrfldr">
+ <title>Redirect Folders in Default System User Profile</title>
+
+ <step><para><indexterm>
+ <primary>HKEY_LOCAL_MACHINE</primary>
+ </indexterm><indexterm>
+ <primary>Default User</primary>
+ </indexterm>
+ Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
+ Click <menuchoice>
+ <guimenu>File</guimenu>
+ <guimenuitem>Load Hive...</guimenuitem>
+ <guimenuitem>[Panel] Documents and Settings</guimenuitem>
+ <guimenuitem>[Panel] Default User</guimenuitem>
+ <guimenuitem>NTUSER</guimenuitem>
+ <guimenuitem>Open</guimenuitem>
+ </menuchoice>. In the dialog box that opens, enter the
+ key name <constant>Default</constant>
+ and click <guibutton>OK</guibutton>.
+ </para></step>
+
+ <step><para>
+ Browse inside the newly loaded Default folder to:
+<screen>
+HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
+ CurrentVersion\Explorer\User Shell Folders\
+</screen>
+ The contents of the right panel reveals the contents as
+ shown in <link linkend="XP-screen001"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>%USERPROFILE%</primary>
+ </indexterm><indexterm>
+ <primary>%LOGONSERVER%</primary>
+ </indexterm>
+ You edit hive keys. Acceptable values to replace the
+ <constant>%USERPROFILE%</constant> variable includes:
+
+ <itemizedlist>
+ <listitem><para>A drive letter such as: <constant>U:</constant></para></listitem>
+ <listitem><para>A direct network path such as:
+ <constant>\\MASSIVE\profdata</constant></para></listitem>
+ <listitem><para>A network redirection (UNC name) that contains a macro such as: </para>
+ <para><constant>\\%LOGONSERVER%\profdata\</constant></para></listitem>
+ </itemizedlist>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>registry keys</primary>
+ </indexterm>
+ Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
+ that users have statically located machines. Notebook computers (mobile users) need to be
+ accommodated using local profiles. This is not an uncommon assumption.
+ </para></step>
+
+ <step><para>
+ Click back to the root of the loaded hive <constant>Default</constant>.
+ Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
+ <guimenuitem>Yes</guimenuitem></menuchoice>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Registry Editor</primary>
+ </indexterm>
+ Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
+ Registry Editor.
+ </para></step>
+
+ <step><para>
+ Now follow the procedure given in <link linkend="ch6-locgrppol"/>. Make sure that each folder you
+ have redirected is in the exclusion list.
+ </para></step>
+
+ <step><para>
+ You are now ready to copy<footnote><para>
+ There is an alternate method by which a Default User profile can be added to the
+ <constant>NETLOGON</constant> share. This facility in the Windows System tool
+ permits profiles to be exported. The export target may be a particular user or
+ group profile share point, or else into the <constant>NETLOGON</constant> share.
+ In this case, the profile directory must be named
+ <constant>Default User</constant>.
+ </para></footnote>
+ the Default User profile to the Samba Domain Controllers. Launch Microsoft
+ Windows Explorer, and use it to copy the full contents of the
+ directory <filename>Default User</filename>
+ that is in the <filename>C:\Documents and Settings</filename> to the root directory of the
+ <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
+ UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must be
+ a directory in there called <filename>Default User</filename>.
+ </para></step>
+
+ </procedure>
+
+ <procedure>
+ <title>Reset Folder Display to Original Behavior</title>
+
+ <step><para>
+ To launch the Windows Explorer, click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>My Computer</guimenuitem>
+ <guimenuitem>Tools</guimenuitem>
+ <guimenuitem>Folder Options</guimenuitem>
+ <guimenuitem>View Tab</guimenuitem>
+ </menuchoice>.
+ Deselect <guilabel>Show hidden files and folders</guilabel>,
+ and click <guibutton>OK</guibutton>.
+ Exit Windows Explorer.
+ </para></step>
+
+ </procedure>
+
+ <image id="XP-screen001">
+ <description>Windows XP Professional &smbmdash; User Shared Folders</description>
+ <imagefile scale="65">XP-screen001.png</imagefile>
+ </image>
+
+<table id="proffold">
+ <title>Default Profile Redirections</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>Registry Key</entry>
+ <entry>Redirected Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Cache</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
+ </row>
+ <row>
+ <entry>Cookies</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
+ </row>
+ <row>
+ <entry>History</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\History</entry>
+ </row>
+ <row>
+ <entry>Local AppData</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
+ </row>
+ <row>
+ <entry>Local Settings</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
+ </row>
+ <row>
+ <entry>My Pictures</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
+ </row>
+ <row>
+ <entry>Personal</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
+ </row>
+ <row>
+ <entry>Recent</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
+ </row>
+ </tbody>
+ </tgroup>
+</table>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuration of MS Outlook to Relocate PST File</title>
+
+ <para><indexterm>
+ <primary>Outlook</primary>
+ <secondary>PST</secondary>
+ </indexterm>
+ Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
+ It is the nature of email storage that this file grows, at times quite rapidly.
+ So that users' email is available to them at every workstation they may log onto,
+ it is common practice in well-controlled sites to redirect the PST folder to the
+ users' home directory. Follow these steps for each user who wishes to do this.
+ </para>
+
+ <note><para>
+ It is presumed that Outlook Express has been configured for use.
+ </para></note>
+
+ <para>
+ Launch Outlook Express 6. Click
+ <menuchoice>
+ <guimenu>Tools</guimenu>
+ <guimenuitem>Options</guimenuitem>
+ <guimenuitem>Maintenance</guimenuitem>
+ <guimenuitem>Store Folder</guimenuitem>
+ <guimenuitem>Change</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para>
+ Follow the on-screen prompts to relocate the PST file to the desired location.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Configure Delete Cached Profiles on Logout</title>
+
+ <para>
+ To configure the Windows XP Professional client to auto-delete roaming profiles on logout:
+ </para>
+
+ <para><indexterm>
+ <primary>MMC</primary>
+ </indexterm>
+ Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Run</guimenuitem>
+ </menuchoice>. In the dialog box, enter: <command>MMC</command>
+ and click <guibutton>OK</guibutton>.
+ </para>
+
+ <para>
+ Follow these steps to set the default behavior of the staging machine so that all roaming
+ profiles are deleted as network users log out of the system. Click
+ <menuchoice>
+ <guimenu>File</guimenu>
+ <guimenuitem>Add/Remove Snap-in</guimenuitem>
+ <guimenuitem>Add</guimenuitem>
+ <guimenuitem>Group Policy</guimenuitem>
+ <guimenuitem>Add</guimenuitem>
+ <guimenuitem>Finish</guimenuitem>
+ <guimenuitem>Close</guimenuitem>
+ <guimenuitem>OK</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para><indexterm>
+ <primary>Microsoft Management Console</primary>
+ <see>MMC</see>
+ </indexterm>
+ The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
+ utility that enables you to set the policies needed. In the left panel, click
+ <menuchoice>
+ <guimenuitem>Local Computer Policy</guimenuitem>
+ <guimenuitem>Administrative Templates</guimenuitem>
+ <guimenuitem>System</guimenuitem>
+ <guimenuitem>User Profiles</guimenuitem>
+ </menuchoice>. In the right panel, set the properties shown here by double-clicking on each
+ item as shown:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
+ <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
+ made of this system to deploy the new standard desktop system.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Uploading Printer Drivers to Samba Servers</title>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>drag-and-drop</secondary>
+ </indexterm>
+ Users want to be able to use network printers. You have a vested interest in making
+ it easy for them to print. You have chosen to install the printer drivers onto the Samba
+ servers and to enable point-and-click (drag-and-drop) printing. This process results in
+ Samba being able to automatically provide the Windows client with the driver necessary to
+ print to the printer chosen. The following procedure must be followed for every network
+ printer:
+ </para>
+
+ <procedure>
+ <step><para>
+ Join your Windows XP Professional workstation (the staging machine) to the
+ <constant>MEGANET2</constant> Domain. If you are not sure of the procedure,
+ follow the guidance given in <link linkend="domjoin"/>.
+ </para></step>
+
+ <step><para>
+ After the machine has re-booted, log onto the workstation as the domain
+ <constant>Administrator</constant>.
+ </para></step>
+
+ <step><para>
+ Launch MS Windows Explorer. Navigate in the left panel. Click
+ <menuchoice>
+ <guimenu>My Network Places</guimenu>
+ <guimenuitem>Entire Network</guimenuitem>
+ <guimenuitem>Microsoft Windows Network</guimenuitem>
+ <guimenuitem>Meganet2</guimenuitem>
+ <guimenuitem>Massive</guimenuitem>
+ </menuchoice>. Click on <guimenu>Massive</guimenu>
+ <guimenu>Printers and Faxes</guimenu>.
+ </para></step>
+
+ <step><para>
+ Identify a printer that is shown in the right panel. Let us assume the printer is called
+ <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
+ and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
+ that <quote>The printer driver is not installed on this computer. Some printer properties
+ will not be accessible unless you install the printer driver. Do you want to install the
+ driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
+ </para></step>
+
+ <step><para>
+ The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
+ <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
+ Note that the box labelled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
+ button that is next to the <guimenu>Driver</guimenu> box. This launches the quote<quote>Add Printer Wizard</quote>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Add Printer Wizard</primary>
+ <secondary>APW</secondary>
+ </indexterm><indexterm>
+ <primary>APW</primary>
+ </indexterm>
+ The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
+ is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
+ Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by
+ Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
+ <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
+ progress bar appears and instructs you as each file is being uploaded and that it is being
+ directed at the network server <constant>\\massive\ps01-color</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
+ <indexterm><primary>AD printer publishing</primary></indexterm>
+ The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
+ you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
+ You can set the Location (under the <guimenu>General</guimenu> tab), and Security settings (under
+ the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
+ load additional printer drivers, there is also a check-box in this tab called <quote>List in the
+ directory</quote>. When this box is checked the printer will be published in Active Directory
+ (Applicable to Active Directory use only.)
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
+ Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
+ You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
+ Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
+ <guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
+ your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
+ you need to reverse them changes back to their original settings.
+ </para></step>
+
+ <step><para>
+ This is necessary so that the printer settings are initialized in the Samba printers
+ database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
+ just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
+ Click <guimenu>Apply</guimenu> again.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>Print Test Page</primary></indexterm>
+ Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
+ click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
+ A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
+ in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
+ massive Properties</guimenu> panel.
+ </para></step>
+
+ <step><para>
+ You must repeat this process for all network printers (i.e., for every printer, on each server).
+ When you have finished uploading drivers to all printers, close all applications. The next task
+ is to install software your users require to do their work.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Software Installation</title>
+
+ <para>
+ Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
+ a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
+ Notebooks require special handling that is beyond the scope of this chapter.
+ </para>
+
+ <para>
+ For desktop systems, the installation of software onto administratively centralized application servers
+ make a lot of sense. This means that you can manage software maintenance from a central
+ perspective and that only minimal application stub-ware needs to be installed onto the desktop
+ systems. You should proceed with software installation and default configuration as far as is humanly
+ possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
+ of software operations and configuration.
+ </para>
+
+ <para>
+ When you believe that the overall configuration is complete, be sure to create a shared group profile
+ and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in
+ case a user may have specific needs you had not anticipated.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Roll-out Image Creation</title>
+
+ <para>
+ The final steps before preparing the distribution Norton Ghost image file you might follow are:
+ </para>
+
+ <blockquote><para>
+ Un-join the domain &smbmdash; Each workstation requires a unique name and must be independently
+ joined into Domain Membership.
+ </para></blockquote>
+
+ <blockquote><para>
+ Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
+ in better performance and often significantly reduces the size of the compressed disk image. That
+ also means it will take less time to deploy the image onto 500 workstations.
+ </para></blockquote>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Key Points Learned</title>
+
+ <para>
+ This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately
+ avoided any consideration of security. Security does not just happen; you must design it into your total
+ network. Security begins with a systems design and implementation that anticipates hostile behavior from
+ users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
+ they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
+ practices, you must not deploy the design presented in this book in an environment where there is risk
+ of compromise.
+ </para>
+
+ <para><indexterm>
+ <primary>Access Control Lists</primary>
+ <see>ACLs</see>
+ </indexterm><indexterm>
+ <primary>ACLs</primary>
+ </indexterm>
+ As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be
+ configured to use secure protocols for all communications over the network. Of course, secure networking
+ does not result just from systems design and implementation but involves constant user education
+ training, and above all disciplined attention to detail and constant searching for signs of unfriendly
+ or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
+ Jerry Carter's book <ulink
+ url="http://www.booksense.com/product/info.jsp&amp;isbn=1565924916"><emphasis>LDAP System
+ Administration</emphasis></ulink> is a good place to start reading about OpenLDAP as well as security considerations.
+ </para>
+
+ <para>
+ The substance of this chapter that has been deserving of particular attention includes:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Implementation of an OpenLDAP-based passwd backend &smbmdash; necessary to support distributed
+ Domain Control.
+ </para></listitem>
+
+ <listitem><para>
+ Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend
+ for user and group accounts that is shared with the UNIX system through the PADL nns_ldap and
+ pam_ldap toolsets.
+ </para></listitem>
+
+ <listitem><para>
+ Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as
+ to manage Samba Windows user and group accounts.
+ </para></listitem>
+
+ <listitem><para>
+ The basics of implementation of Group Policy controls for Windows network clients.
+ </para></listitem>
+
+ <listitem><para>
+ Control over roaming profiles, with particular focus on folder redirection to network drives.
+ </para></listitem>
+
+ <listitem><para>
+ Use of the CUPS printing system together with Samba-based printer driver auto-download.
+ </para></listitem>
+ </itemizedlist>
+
+</sect1>
+
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ Well, here we are at the end of this chapter and we have only ten questions to help you to
+ remember so much. There are bound to be some sticky issues here.
+ </para>
+
+ <qandaset defaultlabel="chap06qa">
+ <qandaentry>
+ <question>
+
+ <para>
+ Why did you not cover secure practices? Isn't it rather irresponsible to instruct
+ network administrators to implement insecure solutions?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Let's get this right. This is a book about Samba, not about OpenLDAP and secure
+ communication protocols for subjects other than Samba. Earlier on, you note
+ that the Dynamic DNS and DHCP solutions also used no protective secure communications
+ protocols. The reason for this is simple: There are so many ways of implementing
+ secure protocols that this book would have been even larger and more complex.
+ </para>
+
+ <para>
+ The solutions presented here all work (at least they did for me). Network administrators
+ have the interest and the need to be better trained and instructed in secure networking
+ practices and ought to implement safe systems. I made the decision, right or wrong,
+ to keep this material as simple as possible. The intent of this book is to demonstrate
+ a working solution and not to discuss too many peripheral issues.
+ </para>
+
+ <para>
+ This book makes little mention of backup techniques. Does that mean that I am recommending
+ that you should implement a network without provision for data recovery and for disaster
+ management? Back to our focus: The deployment of Samba has been clearly demonstrated.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
+ you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
+ to the Linux I might be using?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
+ for a standard Linux distribution. The differences are marginal. Surely you know
+ your Linux platform and you do have access to administration manuals for it. This
+ book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
+ the Samba part of the book; all the other bits are peripheral (but important) to
+ creation of a total network solution.
+ </para>
+
+ <para>
+ What I find interesting is the attention reviewers give to Linux installation and to
+ the look and feel of the desktop, but does that make for a great server? In this book,
+ I have paid particular attention to the details of creating a whole solution framework.
+ I have not tightened every nut and bolt, but I have touched on all the issues you
+ need to be familiar with. Over the years many people have approached me wanting to
+ know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba
+ and WINS. In this chapter, it is plain to see what needs to be configured to provide
+ transparent interoperability. Likewise for CUPS and Samba interoperation. These are
+ key stumbling areas for many people.
+ </para>
+
+ <para>
+ At every critical junction, I have provided comparative guidance for both SUSE and
+ Red Hat Linux. Both manufacturers have done a great job in furthering the cause
+ of open source software. I favor neither and respect both. I like particular
+ features of both products (companies also). No bias in presentation is intended.
+ Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You did not use SWAT to configure Samba. Is there something wrong with it?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ That is a good question. As it is, the &smb.conf; file configurations are presented
+ in as direct a format as possible. Adding SWAT into the equation would have complicated
+ matters. I sought simplicity of implementation. The fact is that I did use SWAT to
+ create the files in the first place.
+ </para>
+
+ <para>
+ There are people in the Linux and open source community who feel that SWAT is dangerous
+ and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
+ hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG</emphasis>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
+ not irresponsible?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Well, I had to use a password of some sort. At least this one has been consistently
+ used throughout. I guess you can figure out that in a real deployment it would make
+ sense to use a more secure and original password.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The Idealx smbldap-tools create many domain group accounts that are not used. Is that
+ a good thing?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ I took this up with Idealx and found them most willing to change that in the next version.
+ Let's give Idealx some credit for the contribution they have made. I appreciate their work
+ and, besides, it does no harm to create accounts that are not now used as at some time
+ Samba may well use them.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can I use LDAP just for Samba accounts and not for UNIX system accounts?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX)
+ group account for every Windows Domain group account. But if you put your users into
+ the system password account, how do you plan to keep all domain controller system
+ password files in sync? I think that having everything in LDAP makes a lot of sense
+ for the UNIX admin who is still learning the craft and is migrating from MS Windows.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why are the Windows Domain RID portions not the same as the UNIX UID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
+ This algorithm ought to ensure that there will be no clashes with well-known RIDs.
+ Well-known RIDs have special significance to MS Windows clients. The automatic
+ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
+ permit you to override that to some extent. See the &smb.conf; man page entry
+ for <parameter>algorithmic rid base</parameter>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Printer configuration examples all show printing to the HP port 9100. Does this
+ mean that I must have HP printers for these solutions to work?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. You can use any type of printer and must use the interfacing protocol supported
+ by the printer. Many networks use LPR/LPD print servers to which are attached
+ PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached
+ Inject printer. Use the appropriate device URI (Universal Resource Interface)
+ argument to the <constant>lpadmin -v</constant> option that is right for your
+ printer.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is folder redirection dangerous? I've heard that you can lose your data that way.
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The only loss of data I know of that involved folder redirection was caused by
+ manual misuse of the redirection tool. The administrator redirected a folder to
+ a network drive and said he wanted to migrate (move) the data over. Then he
+ changed his mind, so he moved the folder back to the roaming profile. This time,
+ he declined to move the data because he thought it was still in the local profile
+ folder. That was not the case, so by declining to move the data back, he wiped out
+ the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it really necessary to set a local Group Policy to exclude the redirected
+ folders from the roaming profile?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. If you do not do this, the data will still be copied from the network folder
+ (share) to the local cached copy of the profile.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
diff --git a/docs/Samba-Guide/Chap07-2000UserNetwork.xml b/docs/Samba-Guide/Chap07-2000UserNetwork.xml
new file mode 100644
index 0000000000..73134cf108
--- /dev/null
+++ b/docs/Samba-Guide/Chap07-2000UserNetwork.xml
@@ -0,0 +1,1760 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="2000users">
+ <title>A Distributed 2000 User Network</title>
+
+ <para>There is something indeed mystical about things that are
+ big. Large networks exhibit a certain magnetism and exude a sense of
+ importance that obscures reality. You and I know that it is no more
+ difficult to secure a large network than it is a small one. We all
+ know that over and above a particular number of network clients, the
+ rules no longer change; the only real dynamic is the size of the domain
+ (much like a kingdom) over which the network ruler (oops, administrator)
+ has control. The real dynamic then transforms from the technical to the
+ political. Then again, that point is often reached well before the
+ kingdom (or queendom) grows large.</para>
+
+ <para>If you have systematically worked your way to this chapter, hopefully you
+ have found some gems and techniques that are applicable in your
+ world. The network designs you have worked with in this book with have their
+ strong points as well as weak ones. That is to be expected given that
+ they are based on real business environments, excepting that the facts
+ have been moulded to serve the purposes of this book.</para>
+
+ <para>This chapter is intent on wrapping up issues that are central to
+ implementation and design of progressively larger networks. Are you ready
+ for this chapter? Good, it is time to move on.</para>
+
+ <para>In previous chapters, you made the assumption that your network
+ administration staff need detailed instruction right down to the
+ nuts-and-bolts of implementing the solution. That's is still the case,
+ but they have graduated now. You decide to document only those issues,
+ methods and techniques that are new or complex. Routine tasks such as
+ implementing a DNS or a DHCP server are under control. Even the basics of
+ Samba are largely under control. So in this section you focus on the
+ specifics of implementing LDAP changes, Samba changes, and approach and
+ design of the solution and its deployment.</para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Abmas is a miracle company. Most businesses would have collapsed under
+ the weight of rapid expansion that this company has experienced. Samba
+ is flexible, so there is no need to reinstall the whole operating
+ system just because you need to implement a new network design. In fact,
+ you can keep an old server running right up to the moment of cut-over
+ and then do a near-live conversion. There is no need to reinstall a
+ Samba server just to change the way your network should function.
+ </para>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ Network growth is common to all organizations. In this exercise,
+ your preoccupation is with the mechanics of implementing Samba and
+ LDAP so that network users on each network segment can work
+ without impediment.</para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ Starting with the configuration files for the server called
+ <constant>MASSIVE</constant> in Chapter 6, you now deal with the
+ issues that are particular to large distributed networks. Your task
+ is simple &smbmdash; identify the challenges, consider the
+ alternatives, and then design and implement a solution.</para>
+
+ <para><indexterm>
+ <primary>VPN</primary>
+ </indexterm>
+ Remember, you have users based in London (UK), Los Angeles,
+ Washington DC, and three buildings in New York. A significant portion
+ of your workforce have notebook computers and roam all over the
+ world. Some dial into the office, others use VPN connections over the
+ Internet and others just move between buildings.</para>
+
+ <para>What do you say to an employee who normally uses a desktop
+ system but must spend six weeks on the road with a notebook computer?
+ She is concerned over email access and how to keep co-workers current
+ with changing documents.</para>
+
+ <para>To top it all off, you have one network support person and one
+ Help desk person based in London, a single person dedicated to all
+ network operations in Los Angeles, five staff for user administration
+ and Help desk in New York, plus one <emphasis>floater</emphasis> for
+ Washington DC.</para>
+
+ <para>You have outsourced all desktop deployment and management to
+ DirectPointe,Inc. Your concern is server maintenance and third-level
+ support. Build a plan and show what must be done.</para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ In the previous chapter, you implemented an LDAP server that provided the
+ <parameter>passdb backend</parameter> for the Samba servers. You
+ explored ways to accelerate Windows desktop profile handling and you
+ took control of network performance.
+ </para>
+
+ <para><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>replicated</primary>
+ </indexterm>
+ The implementation of an LDAP-based passdb backend (known as
+ <emphasis>ldapsam</emphasis> in Samba parlance), or some form of database
+ that can be distributed, is essential to permit the deployment of Samba
+ Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
+ is that the <emphasis>tdbsam</emphasis> style passdb backend does not
+ lend itself to being replicated. The older plain-text-based
+ <emphasis>smbpasswd</emphasis> style passdb backend can be replicated
+ using a tool such as <command>rsync</command>, but
+ <emphasis>smbpasswd</emphasis> suffers the drawback that it does not
+ support the range of account facilities demanded by modern network
+ managers.</para>
+
+ <para><indexterm>
+ <primary>XML</primary>
+ </indexterm><indexterm>
+ <primary>SQL</primary>
+ </indexterm>
+ The new <emphasis>tdbsam</emphasis> facility supports functionality
+ that is similar to an <emphasis>ldapsam</emphasis>, but the lack of
+ distributed infrastructure sorely limits the scope for its
+ deployment. This does raise the following questions: "Why can't I just use
+ an XML based backend, or for that matter, why not use an SQL based
+ backend?" "Is support for these tools broken?" No. Answers to these
+ questions require a bit of background.</para>
+
+ <para><indexterm>
+ <primary>directory</primary>
+ </indexterm><indexterm>
+ <primary>database</primary>
+ </indexterm><indexterm>
+ <primary>transaction processing</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ <emphasis>What is a directory?</emphasis> A directory is a
+ collection of information regarding objects that can be accessed to
+ rapidly find information that is relevant in a particular and
+ consistent manner. A directory differs from a database in that it is
+ generally more often searched (read) than updated. As a consequence, the
+ information is organized to facilitate read access rather than to
+ support transaction processing.</para>
+
+ <para><indexterm>
+ <primary>Lightweight Directory Access Protocol </primary>
+ <see>LDAP</see>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>master</primary>
+ </indexterm><indexterm>
+ <primary>slave</primary>
+ </indexterm>
+ The Lightweight Directory Access Protocol (LDAP) differs
+ considerably from a traditional database. It has a simple search
+ facility that uniquely makes a highly preferred mechanism for managing
+ user identities. LDAP provides a scalable mechanism for distributing
+ the data repository and for keeping all copies (slaves) in sync with
+ the master repository.</para>
+
+ <para><indexterm>
+ <primary>identity management</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ Samba is a flexible and powerful file and print sharing
+ technology. It can use many external authentication sources and can be
+ part of a total authentication and identity management
+ infrastructure. The two most important external sources for large sites
+ are Microsoft Active Directory and LDAP. Sites that specifically wish to
+ avoid the proprietary implications of Microsoft Active Directory
+ naturally gravitate toward OpenLDAP.</para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>routed</secondary>
+ </indexterm>
+ In Chapter 6, you had to deal with a locally routed
+ network. All deployment concerns focused around making users happy,
+ and that simply means taking control over all network practices and
+ usage so that no one user is disadvantaged by any other. The real
+ lesson is one of understanding that no matter how much network
+ bandwidth you provide, bandwidth remains a precious resource.</para>
+
+ <para>In this chapter, you must now consider how the overall network must
+ function. In particular, you must be concerned with users who move
+ between offices. You must take into account the way users need to
+ access information globally. And you must make the network robust
+ enough so that it can sustain partial breakdown without causing loss of
+ productivity.</para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>There are at least three areas that need to be addressed as you
+ approach the challenge of designing a network solution for the newly
+ expanded business. These are:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><indexterm>
+ <primary>mobility</primary>
+ </indexterm>
+ User needs such as mobility and data access</para>
+ </listitem>
+ <listitem>
+ <para>The nature of Windows networking protocols</para>
+ </listitem>
+ <listitem>
+ <para>Identity management infrastructure needs</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Let's look at each in turn.</para>
+
+ <sect3>
+ <title>User Needs</title>
+
+ <para>The new company has three divisions. Staff for each division
+ are spread across the company. Some staff are office-bound and
+ some are mobile users. Mobile users travel globally. Some spend
+ considerable periods working in other offices. Everyone wants to be
+ able to work without constraint of productivity.</para>
+
+ <para>The challenge is not insignificant. In some parts of the world,
+ even dial-up connectivity is poor, while in other regions political
+ encumbrances severely curtail user needs. Parts of the global
+ Internet infrastructure remain shielded-off for reasons outside
+ the scope of this discussion.</para>
+
+ <para><indexterm>
+ <primary>synchronize</primary>
+ </indexterm>
+ Decisions must be made regarding where data is to be stored, how
+ it will be replicated (if at all), and what the network bandwidth
+ implications are. For example, one decision that can be made is
+ to give each office its own master file storage area that can be
+ synchronized to a central repository in New York. This would permit
+ global data to be backed up from a single location. The
+ synchronization tool could be <command>rsync,</command> run via a
+ cron job. Mobile users may use off-line file storage under Windows
+ XP Professional. This way, they can synchronize all files that have
+ changed since each logon to the network.</para>
+
+ <para><indexterm>
+ <primary>bandwidth</primary>
+ <secondary>requirements</secondary>
+ </indexterm><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm>
+ No matter which way you look at this, the bandwidth requirements
+ for acceptable performance are substantial even if only 10 percent of
+ staff are global data users. A company with 3500 employees
+ and 280 of those were mobile users, and who used a similarly distributed
+ network, found they needed at least 2 Megabit/sec connectivity
+ between the UK and US offices. Even over 2 Mb/s bandwidth, this
+ company abandoned any attempt to run roaming profile usage for
+ mobile users. At that time, the average roaming profile took 480
+ Kbytes, while today the minimum Windows XP Professional roaming
+ profile involves a transfer of over 750 Kbytes from the profile
+ server to/from the client.</para>
+
+ <para><indexterm>
+ <primary>wide-area</primary>
+ </indexterm>
+ Obviously then, user needs and wide-area practicalities
+ dictate the economic and technical aspects of your network
+ design as well as for standard operating procedures.</para>
+
+ </sect3>
+
+ <sect3>
+ <title>The Nature of Windows Networking Protocols</title>
+
+ <para><indexterm>
+ <primary>profile</primary>
+ <secondary>mandatory</secondary>
+ </indexterm>
+ Network logons that include roaming profile handling requires
+ from 140 Kbytes to 2 Mbytes. The inclusion of support for a minimal
+ set of common desktop applications can push the size of a complete
+ profile to over 15 Mbytes. This has substantial implications so far
+ as location of user profiles is concerned. Additionally, it is a
+ significant factor in determining the nature and style of mandatory
+ profiles that may be enforced as part of a total service level
+ assurance program that might be implemented.</para>
+
+ <para><indexterm>
+ <primary>logon traffic</primary>
+ </indexterm><indexterm>
+ <primary>redirected folders</primary>
+ </indexterm>
+ One way to reduce the network bandwidth impact of user logon
+ traffic is through folder redirection. In Chapter 6, you
+ implemented this in the new Windows XP Professional standard
+ desktop configuration. When desktop folders such as <guimenu>My
+ Documents</guimenu> are redirected to a network drive, they should
+ also be excluded from synchronization to/from the server on
+ logon/out. Redirected folders are analogous to network drive
+ connections.</para>
+
+ <para><indexterm>
+ <primary>application servers</primary>
+ </indexterm>
+ Of course, network applications should only be run off
+ local application servers. As a general rule, even with 2 Mbit/sec
+ network bandwidth, it would not make sense at all for someone who
+ is working out of the London office to run applications off a
+ server that is located in New York.</para>
+
+ <para><indexterm>
+ <primary>affordability</primary>
+ </indexterm>
+ When network bandwidth becomes a precious commodity (that is most
+ of the time), there is a significant demand to understand network
+ processes and to mould the limits of acceptability around the
+ constraints of affordability.</para>
+
+ <para>When a Windows NT4/200x/XP Professional client user logs onto
+ the network, several important things must happen.</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><indexterm>
+ <primary>DHCP</primary>
+ </indexterm>
+ The client obtains an IP address via DHCP. (DHCP is
+ necessary so that users can roam between offices.)</para>
+ </listitem>
+ <listitem>
+ <para><indexterm>
+ <primary>WINS</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ </indexterm>
+ The client must register itself with the WINS and/or DNS
+ server.</para>
+ </listitem>
+ <listitem>
+ <para><indexterm>
+ <primary>Domain Controller</primary>
+ <secondary>closest</secondary>
+ </indexterm>
+ The client must locate the closest Domain Controller.</para>
+ </listitem>
+ <listitem>
+ <para>The client must log onto a Domain Controller and obtain as
+ part of that process the location of the user's profile, load
+ it, connect to redirected folders, and establish all network
+ drive and printer connections.</para>
+ </listitem>
+ <listitem>
+ <para>The Domain Controller must be able to resolve the user's
+ credentials before the logon process is fully implemented.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Given that this book is about Samba and the fact that it
+ implements the Windows NT4 style domain semantics, it makes little
+ sense to compare Samba with Microsoft Active Directory insofar as
+ the logon protocols and principles of operation are
+ concerned. The following information pertains exclusively to the
+ interaction between a Windows XP Professional workstation and a
+ Samba-3.0.2 server. In the discussion that follows, use is made of
+ DHCP and WINS.</para>
+
+ <para>As soon as the Windows workstation starts up, it obtains an
+ IP address. This is immediately followed by registration of its
+ name both by broadcast and Unicast registration that is directed
+ at the WINS server.</para>
+
+ <para><indexterm>
+ <primary>Unicast</primary>
+ </indexterm><indexterm>
+ <primary>broadcast</primary>
+ <secondary>directed</secondary>
+ </indexterm><indexterm>
+ <primary>NetBIOS</primary>
+ </indexterm>
+ Given that the client is already a Domain Member, it then sends
+ a directed (Unicast) request to the WINS server seeking the list of
+ IP addresses for domain controllers (NetBIOS name type 0x1C). The
+ WINS server replies with the information requested.</para>
+
+ <para><indexterm>
+ <primary>broadcast</primary>
+ <secondary>mailslot</secondary>
+ </indexterm><indexterm>
+ <primary>Unicast</primary>
+ </indexterm><indexterm>
+ <primary>WINS</primary>
+ </indexterm>
+ The client sends two netlogon mailslot broadcast requests
+ to the local network and to each of the IP addresses returned by
+ the WINS server. Whichever answers this request first appears to
+ be the machine that the Windows XP client attempts to use to
+ process the network logon. The mailslot messages use UDP broadcast
+ to the local network and UDP Unicast directed at each machine that
+ was listed in the WINS server response to a request for the list of
+ Domain Controllers.</para>
+
+ <para><indexterm>
+ <primary>protocol</primary>
+ <secondary>negotiation</secondary>
+ </indexterm><indexterm>
+ <primary>logon server</primary>
+ </indexterm><indexterm>
+ <primary>fail</primary>
+ </indexterm>
+ The logon process begins with negotiation of the SMB/CIFS
+ protocols that are to be used; this is followed by an exchange of
+ information that ultimately includes the client sending the
+ credentials with which the user is attempting to logon. The logon
+ server must now approve the further establishment of the
+ connection, but that is a good point to halt for now. The priority
+ here must center around identification of network infrastructure
+ needs. A secondary fact we need to know is, what happens when
+ local Domain Controllers fail or break?</para>
+
+ <para><indexterm>
+ <primary>Domain Controller</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>netlogon</primary>
+ </indexterm>
+ Under most circumstances, the nearest Domain Controller
+ responds to the netlogon mailslot broadcast. The exception to this
+ norm occurs when the nearest Domain Controller is too busy or is out
+ of service. Herein lies an important fact. This means it is
+ important that every network segment should have at least two
+ Domain Controllers. Since there can be only one Primary Domain
+ Controller (PDC), all additional Domain Controllers are by definition
+ Backup Domain Controllers (BDCs).</para>
+
+ <para><indexterm>
+ <primary>authentication</primary>
+ </indexterm><indexterm>
+ <primary>Identity Management</primary>
+ </indexterm>
+ The provision of sufficient servers that are BDCs is an
+ important design factor. The second important design factor
+ involves how each of the BDCs obtains user authentication
+ data. That is the subject of the next section as it involves key
+ decisions regarding Identity Management facilities.</para>
+
+ </sect3>
+
+ <sect3>
+ <title>Identity Management Needs</title>
+
+ <para><indexterm>
+ <primary>privacy</primary>
+ </indexterm><indexterm>
+ <primary>user credentials</primary>
+ </indexterm><indexterm>
+ <primary>validated</primary>
+ </indexterm><indexterm>
+ <primary>privileges</primary>
+ </indexterm>
+ Network managers recognize that in large organizations users
+ generally need to be given resource access based on needs, while
+ being excluded from other resources for reasons of privacy. It is,
+ therefore, essential that all users identify themselves at the
+ point of network access. The network logon is the principal means
+ by which user credentials are validated and filtered, and appropriate
+ rights and privileges are allocated.</para>
+
+ <para><indexterm>
+ <primary>Identity Management</primary>
+ </indexterm><indexterm>
+ <primary>Yellow Pages</primary>
+ </indexterm><indexterm>
+ <primary>NIS</primary>
+ </indexterm>
+ Unfortunately, network resources tend to have their own Identity
+ Management facilities, the quality and manageability of which varies
+ from quite poor to exceptionally good. Corporations that use a mixture
+ of systems soon discover that until recently, few systems were
+ designed to interoperate. For example, UNIX systems each have an
+ independent user database. Sun Microsystems developed a facility that
+ was originally called <constant>Yellow Pages</constant>, and was renamed
+ when a telephone company objected to the use of its trademark.
+ What was once called <constant>Yellow Pages</constant> is today known
+ as <constant>Network Information System</constant> (NIS).</para>
+
+ <para><indexterm>
+ <primary>NIS+</primary>
+ </indexterm>
+ NIS gained a strong following throughout the UNIX/VMS space in a
+ short period of time and retained that appeal and use
+ for over a decade. Security concerns as well as inherent limitations
+ have caused it to enter its twilight. NIS did not gain widespread
+ appeal outside of the UNIX world and was not universally
+ adopted. Sun updated this to a more secure implementation called
+ NIS+, but even it has fallen victim to changing demands as the
+ demand for directory services that can be coupled with other
+ information systems is catching on.</para>
+
+ <para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>government</primary>
+ </indexterm><indexterm>
+ <primary>education</primary>
+ </indexterm>
+ Nevertheless, both NIS and NIS+ continue to hold ground in
+ business areas where UNIX still has major sway. Examples of
+ organizations that remain firmly attached to the use of NIS and
+ NIS+ includes large government departments, education institutions,
+ as well as large corporations that have a scientific or engineering
+ focus.</para>
+
+ <para><indexterm>
+ <primary>scalable</primary>
+ </indexterm><indexterm>
+ <primary>distributed</primary>
+ </indexterm>
+ Today's networking world needs a scalable, distributed Identity
+ Management infrastructure, commonly called a directory. The most
+ popular technologies today are Microsoft Active Directory service
+ and a number of LDAP implementations.</para>
+
+ <para><indexterm>
+ <primary>multiple directories</primary>
+ </indexterm>
+ The problem of managing multiple directories has become a focal
+ point over the past decade. This has created a large market for
+ meta-directory products and services that allow organizations that
+ have multiple directories and multiple management and control
+ centers to provision information from one directory into
+ another. The attendant benefit to end users is the promise of
+ having to remember and deal with fewer login identities and
+ passwords.</para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>bandwidth</secondary>
+ </indexterm>
+ The challenge of every large network is to find the optimum
+ balance of internal systems and facilities for Identity
+ Management resources. How well the solution is chosen and
+ implemented has potentially significant impact on network bandwidth
+ and systems response needs.</para>
+
+ <para><indexterm>
+ <primary>LDAP server</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>master</secondary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>slave</secondary>
+ </indexterm>
+ In Chapter 6, you implemented a single LDAP server for the
+ entire network. This may work for smaller networks, but almost
+ certainly fails to meet the needs of large and complex networks. The
+ following section documents how one may implement a single
+ master LDAP server, with multiple slave servers.</para>
+
+ <para>What is the best method for implementing master/slave LDAP
+ servers within the context of a distributed 2000 user network is a
+ question that remains to be answered.</para>
+
+ <para><indexterm>
+ <primary>distributed domain</primary>
+ </indexterm><indexterm>
+ <primary>wide-area</primary>
+ </indexterm>
+ One possibility that has great appeal is to create one single
+ large distributed domain. The practical implications of this
+ design (see <link linkend="chap7net"/>) demands the placement of
+ sufficient BDCs in each location. Additionally, network
+ administrators must make sure that profiles are not transferred
+ over the wide-area links, except as a totally unavoidable
+ measure. Network design must balance the risk of loss of user
+ productivity against the cost of network management and
+ maintenance.</para>
+
+ <para><indexterm>
+ <primary>domain name space</primary>
+ </indexterm>
+ The network design in <link linkend="chap7net2"/> takes the
+ approach that management of networks that are too remote to be
+ capable of being managed effectively from New York ought
+ to be given a certain degree of autonomy. With this rationale, the
+ Los Angeles and London networks, though fully integrated with that
+ on the east coast of the USA, each have their own domain name space
+ and can be independently managed and controlled. One of the key
+ drawbacks of this design is that it flies in the face of the
+ ability for network users to roam globally without some compromise
+ in how they may access global resources.</para>
+
+ <para><indexterm>
+ <primary>interdomain trusts</primary>
+ </indexterm>
+ Desk-bound users need not be negatively affected by this
+ design, since the use of interdomain trusts can be used to satisfy
+ the need for global data sharing.</para>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>backend</secondary>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm>
+ When Samba-3 is configured to use an LDAP backend, it stores the domain
+ account information in a directory entry. This account entry contains
+ the domain SID. An unintended but exploitable side effect is that
+ this makes it possible to operate with more than one PDC on a
+ distributed network.</para>
+
+ <para><indexterm>
+ <primary>WINS</primary>
+ </indexterm><indexterm>
+ <primary>wins.dat</primary>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm>
+ How might this peculiar feature be exploited? The answer is
+ simple. It is imperative that each network segment should have its
+ own WINS server. Major servers on remote network segments can be
+ given a static WINS entry in the <filename>wins.dat</filename> file
+ on each WINS server. This allows all essential data to be
+ visible from all locations. Each location would, however, function
+ as if it is an independent domain, while all sharing the same
+ domain SID. Since all domain account information can be stored in a
+ single LDAP backend, users have unfettered ability to
+ roam.</para>
+
+ <para><indexterm>
+ <primary>NetBIOS name</primary>
+ <secondary>aliases</secondary>
+ </indexterm><indexterm>
+ <primary>fail-over</primary>
+ </indexterm>
+ This concept has not been exhaustively validated, though we can
+ see no reason why this should not work. The important facets
+ are: The name of the domain must be identical in all
+ locations. Each network segment must have its own WINS server. The
+ name of the PDC must be the same in all locations; this
+ necessitates the use of NetBIOS name aliases for each PDC so that
+ they can be accessed globally using the alias and not the PDC's
+ primary name. A single master LDAP server can be based in New York,
+ with multiple LDAP slave servers located on every network
+ segment. Finally, the BDCs should each use fail-over LDAP servers
+ that are in fact slave LDAP servers on the local segments.</para>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ <secondary>updates</secondary>
+ </indexterm><indexterm>
+ <primary>domain tree</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>database</secondary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>directory</secondary>
+ </indexterm>
+ With a single master LDAP server, all network updates are
+ effected on a single server. In the event that this should become
+ excessively fragile or network bandwidth limiting, one could
+ implement a delegated LDAP domain. This is also known as a
+ partitioned (or multiple partition) LDAP database
+ and as a distributed LDAP directory.</para>
+
+ <para>As the LDAP directory grows, it becomes increasingly important
+ that its structure is implemented in a manner that mirrors
+ organizational needs, so as to limit network update and
+ referential traffic. It should be noted that all directory
+ administrators must of necessity follow the same standard
+ procedures for managing the directory, as retroactive correction of
+ inconsistent directory information can be exceedingly difficult.</para>
+
+ <image id="chap7net">
+ <description>Network Topology &smbmdash; 2000 User Complex Design A</description>
+ <imagefile scale="80">chap7-net-Ar.png</imagefile>
+ </image>
+
+ <image id="chap7net2">
+ <description>Network Topology &smbmdash; 2000 User Complex Design B</description>
+ <imagefile scale="80">chap7-net2-Br.png</imagefile>
+ </image>
+
+ </sect3>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>As organizations grow, the number of points of control increase
+ also. In a large distributed organization, it is important that the
+ Identity Management system must be capable of being updated from
+ many locations, and it is equally important that changes made should
+ become capable of being used in a reasonable period, typically
+ minutes rather than days (the old limitation of highly manual
+ systems).</para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>GID</primary>
+ </indexterm>
+ Samba-3 has the ability to use multiple password (authentication
+ and identity resolution) backends. The diagram in <link
+ linkend="chap7idres"/> demonstrates how Samba uses winbind, LDAP,
+ and NIS, the traditional system password database. The diagram only
+ documents the mechanisms for authentication and identity resolution
+ (obtaining a UNIX UID/GID) using the specific systems shown.
+ </para>
+
+ <image id="chap7idres">
+ <description>Samba and Authentication Backend Search Pathways</description>
+ <imagefile scale="80">chap7-idresol.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>xmlsam</primary>
+ </indexterm><indexterm>
+ <primary>SMB passwords</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>mysqlsam</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>distributed</primary>
+ </indexterm>
+ Samba is capable of using the <constant>smbpasswd</constant>,
+ <constant>tdbsam</constant>, <constant>xmlsam</constant>,
+ and <constant>mysqlsam</constant> authentication databases. The SMB
+ passwords can, of course, also be stored in an LDAP ldapsam
+ backend. LDAP is the preferred passdb backend for distributed network
+ operations.</para>
+
+ <para><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm>
+ Additionally, it is possible to use multiple passdb backends
+ concurrently as well as have multiple LDAP backends. As a result, one
+ can specify a fail-over LDAP backend. The syntax for specifying a
+ single LDAP backend in &smb.conf; is:
+<screen>
+...
+passdb backend = ldapsam:ldap://master.abmas.biz
+...
+</screen>
+ This configuration tells Samba to use a single LDAP server as shown in
+ <link linkend="ch7singleLDAP"/>.
+ <image id="ch7singleLDAP">
+ <description>Samba Configuration to Use a Single LDAP Server</description>
+ <imagefile scale="100">ch7-singleLDAP.png</imagefile>
+ </image>
+ <indexterm>
+ <primary>LDAP</primary>
+ <secondary>fail-over</secondary>
+ </indexterm><indexterm>
+ <primary>fail-over</primary>
+ </indexterm>
+ The addition of a fail-over LDAP server can simply be done by adding a
+ second entry for the fail-over server to the single
+ <parameter>ldapsam</parameter> entry as shown here (note the particular
+ use of the double quotes):
+<screen>
+...
+passdb backend = ldapsam:"ldap://master.abmas.biz \
+ ldap://slave.abmas.biz"
+...
+</screen>
+ This configuration tells Samba to use a master LDAP server, with fail-over to a slave server if necessary,
+ as shown in <link linkend="ch7dualLDAP"/>.
+ <image id="ch7dualLDAP">
+ <description>Samba Configuration to Use a Dual (Fail-over) LDAP Server</description>
+ <imagefile scale="100">ch7-fail-overLDAP.png</imagefile>
+ </image>
+ </para>
+
+ <para>Some folks have tried to implement this without the use of
+ double quotes as shown above. This is the type of entry they had
+ created:
+<screen>
+...
+passdb backend = ldapsam:ldap://master.abmas.biz \
+ ldapsam:ldap://slave.abmas.biz
+...
+</screen>
+ <indexterm>
+ <primary>contiguous directory</primary>
+ </indexterm>
+ The effect of this style of entry is that Samba lists the users
+ that are in both LDAP databases. If both contain the same information,
+ it results in each record being shown twice. This is, of course, not the
+ solution desired for a fail-over implementation. The net effect of this
+ configuration is shown in <link linkend="ch7dualadd"/>
+ </para>
+
+ <image id="ch7dualadd">
+ <description>Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</description>
+ <imagefile scale="80">ch7-dual-additive-LDAP.png</imagefile>
+ </image>
+
+ <para>
+ If, however, each LDAP database contains unique information, this may
+ well be an advantageous way to effectively integrate multiple LDAP databases
+ into one seemingly contiguous directory. Only the first database will be updated.
+ An example of this configuration is shown in <link linkend="ch7dualok"/>.
+ </para>
+
+ <image id="ch7dualok">
+ <description>Samba Configuration to Use Two LDAP Databases - The result is additive.</description>
+ <imagefile scale="80">ch7-dual-additive-LDAP-Ok.png</imagefile>
+ </image>
+
+ <note><para>
+ When the use of ldapsam is specified twice, as shown here, it is imperative
+ that the two LDAP directories must be disjoint. If the entries are for a
+ master LDAP server as well as its own slave server, updates to the LDAP
+ database may end up being lost or corrupted. You may safely use multiple
+ LDAP backends only so long as both are entirely separate from each other.
+ </para></note>
+
+ <para>It is assumed that the network you are working with follows in a
+ pattern similar to what has been covered in Chapter 6. The following steps
+ permit the operation of a Master/Slave OpenLDAP arrangement.</para>
+
+ <procedure>
+
+ <step><para>
+ <indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ Log onto the master LDAP server as <constant>root</constant>.
+ You are about to change the configuration of the LDAP server, so it
+ makes sense to temporarily halt it. Stop OpenLDAP from running on
+ SUSE Linux by executing:
+<screen>
+&rootprompt; rcldap stop
+</screen>
+ On Red Hat Linux, you can do this by executing:
+<screen>
+&rootprompt; service ldap stop
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/openldap/slapd.conf</primary>
+ </indexterm>
+ Edit the <filename>/etc/openldap/slapd.conf</filename> file so it
+ matches the content of <link linkend="ch7-LDAP-master"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>LDIF</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>preload</secondary>
+ </indexterm>
+ Change directory to a suitable place to dump the contents of the
+ LDAP server. The dump file (and LDIF file) is used to preload
+ the Slave LDAP server database. You can dump the database by executing:
+<screen>
+&rootprompt; slapcat -v -l LDAP-transfer-LDIF.txt
+</screen>
+ Each record is written to the file.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>LDAP-transfer-LDIF.txt</primary>
+ </indexterm>
+ Copy the file <filename>LDAP-transfer-LDIF.txt</filename> to the intended
+ slave LDAP server. A good location could be in the directory
+ <filename>/etc/openldap/preload</filename>.
+ </para></step>
+
+ <step><para>
+ Log onto the slave LDAP server as <constant>root</constant>. You can
+ now configure this server so the <filename>/etc/openldap/slapd.conf</filename>
+ file matches the content of <link linkend="ch7-LDAP-slave"/>.
+ </para></step>
+
+ <step><para>
+ Change directory to the location in which you stored the
+ <filename>LDAP-transfer-LDIF.txt</filename> file (<filename>/etc/openldap/preload</filename>).
+ While in this directory, execute:
+<screen>
+&rootprompt; slapadd -v -l LDAP-transfer-LDIF.txt
+</screen>
+ If all goes well, the following output confirms that the data is being loaded
+ as intended:
+<screen>
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
+added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
+added: "ou=People,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Computers,dc=abmas,dc=biz" (00000006)
+added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
+added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
+added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
+added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
+added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
+added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
+added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
+added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
+added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
+added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
+added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
+added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
+</screen>
+ </para></step>
+
+ <step><para>
+ Now start the LDAP server and set it to run automatically on system reboot
+ by executing:
+<screen>
+&rootprompt; rcldap start
+&rootprompt; chkconfig ldap on
+</screen>
+ On Red Hat Linux, you would execute the following:
+<screen>
+&rootprompt; service ldap start
+&rootprompt; chkconfig ldap on
+</screen>
+ <indexterm>
+ <primary>chkconfig</primary>
+ </indexterm><indexterm>
+ <primary>service</primary>
+ </indexterm><indexterm>
+ <primary>rcldap</primary>
+ </indexterm>
+ </para></step>
+
+ <step><para>
+ Go back to the master LDAP server. Execute the following to start LDAP as well
+ as <command>slurpd</command>, the synchronization daemon, as shown here:
+<screen>
+&rootprompt; rcldap start
+&rootprompt; chkconfig ldap on
+&rootprompt; slurpd start
+&rootprompt; chkconfig slurpd on
+</screen>
+ <indexterm>
+ <primary>slurpd</primary>
+ </indexterm>
+ On Red Hat Linux, check the equivalent command to start <command>slurpd</command>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-useradd.pl</primary>
+ </indexterm>
+ On the master slave server you may now add an account to validate that replication
+ is working. Assuming the configuration shown in Chapter 6, execute:
+<screen>
+&rootprompt; /var/lib/samba/sbin/smbldap-useradd.pl -a fruitloop
+</screen>
+ </para></step>
+
+ <step><para>
+ On the slave LDAP server, change to the directory <filename>/var/lib/ldap</filename>.
+ There should now be a file called <filename>replogfile</filename>. If replication worked
+ as expected, the content of this file should be:
+<screen>
+time: 1072486403
+dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
+changetype: modify
+replace: sambaProfilePath
+sambaProfilePath: \\MASSIVE\profiles\fruitloop
+-
+replace: sambaHomePath
+sambaHomePath: \\MASSIVE\homes
+-
+replace: entryCSN
+entryCSN: 2003122700:43:38Z#0x0005#0#0000
+-
+replace: modifiersName
+modifiersName: cn=Manager,dc=abmas,dc=biz
+-
+replace: modifyTimestamp
+modifyTimestamp: 20031227004338Z
+-
+</screen>
+ </para></step>
+
+ <step><para>
+ Given that this first slave LDAP server is now working correctly, you may now
+ implement additional slave LDAP servers as required.
+ </para></step>
+
+ </procedure>
+
+<example id="ch7-LDAP-master">
+<title>LDAP Master Server Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
+<screen>
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database ldbm
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+replica host=lapdc.abmas.biz:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=updateuser,dc=abmas,dc=biz"
+ bindmethod=simple credentials=not24get
+
+access to attrs=sambaLMPassword,sambaNTPassword
+ by dn="cn=updateuser,dc=abmas,dc=biz" write
+ by * none
+
+replogfile /var/lib/ldap/replogfile
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</screen>
+</example>
+
+<example id="ch7-LDAP-slave">
+<title>LDAP Slave Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
+<screen>
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database ldbm
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+access to *
+ by dn=cn=updateuser,dc=abmas,dc=biz write
+ by * read
+
+updatedn cn=updateuser,dc=abmas,dc=biz
+updateref ldap://massive.abmas.biz
+replogfile /var/lib/ldap/replogfile
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</screen>
+</example>
+
+<smbconfexample id="ch7-massmbconfA">
+<title>Primary Domain Controller &smb.conf; File &smbmdash; Part A</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+<smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+<smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>0</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>add user script</name><value>/var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</value></smbconfoption>
+<smbconfoption><name>delete user script</name><value>/var/lib/samba/sbin/smbldap-userdel.pl %u</value></smbconfoption>
+<smbconfoption><name>add group script</name><value>/var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
+<smbconfoption><name>delete group script</name><value>/var/lib/samba/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
+<smbconfoption><name>add user to group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+<member><parameter>smbldap-groupmod.pl -m '%g' '%u'</parameter></member>
+<smbconfoption><name>delete user from group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+<member><parameter>smbldap-groupmod.pl -x '%g' '%u'</parameter></member>
+<smbconfoption><name>set primary group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+<member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
+<smbconfoption><name>add machine script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+<member><parameter>smbldap-useradd.pl -w '%u'</parameter></member>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>domain master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+<smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+<smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>idmap backend</name><value>ldap://massive.abmas.biz</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>printer admin</name><value>root</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch7-massmbconfB">
+<title>Primary Domain Controller &smb.conf; File &smbmdash; Part B</title>
+<smbconfsection>[IPC$]</smbconfsection>
+<smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[pidata]</smbconfsection>
+<smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch7-massmbconfC">
+<title>Primary Domain Controller &smb.conf; File &smbmdash; Part C</title>
+<smbconfsection>[apps]</smbconfsection>
+<smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>bjones</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>root, Administrator</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>locking</name><value>No</value></smbconfoption>
+
+<smbconfsection>[profiles]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[profdata]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Data Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profdata</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+<smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+<smbconfoption><name>write list</name><value>root</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>root, Administrator</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch7-slvsmbocnfA">
+<title>Backup Domain Controller &smb.conf; File &smbmdash; Part A</title>
+<smbconfcomment># Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+<smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
+<smbconfoption><name>passdb backend</name><value>ldapsam:ldap://lapdc.abmas.biz</value></smbconfoption>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>os level</name><value>63</value></smbconfoption>
+<smbconfoption><name>domain master</name><value>No</value></smbconfoption>
+<smbconfoption><name>wins server</name><value>192.168.2.1</value></smbconfoption>
+<smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+<smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+<smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>idmap backend</name><value>ldap://massive.abmas.biz</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch7-slvsmbocnfB">
+<title>Backup Domain Controller &smb.conf; File &smbmdash; Part B</title>
+<smbconfsection>[pidata]</smbconfsection>
+<smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[apps]</smbconfsection>
+<smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>bjones</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>locking</name><value>No</value></smbconfoption>
+
+<smbconfsection>[profiles]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[profdata]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Data Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profdata</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+</smbconfexample>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ Where Samba-3 is used as a Domain Controller, the use of LDAP is an
+ essential component necessary to permit the use of BDCs.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>wide-area</primary>
+ </indexterm>
+ Replication of the LDAP master server to create a network of BDCs
+ is an important mechanism for limiting wide-area network traffic.
+ </para></listitem>
+
+ <listitem><para>
+ Network administration presents many complex challenges, most of which
+ can be satisfied by good design, but that also require sound communication
+ and unification of management practices. This can be highly challenging in
+ a large, globally distributed network.
+ </para></listitem>
+
+ <listitem><para>
+ Roaming profiles must be contained to the local network segment. Any
+ departure from this may clog wide-area arteries and slow legitimate network
+ traffic to a crawl.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ There is much rumor and misinformation regarding the use of MS Windows networking protocols.
+ These questions are just a few of those frequently asked.
+ </para>
+
+ <qandaset defaultlabel="chap07qa">
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>DHCP</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>bandwidth</secondary>
+ </indexterm>
+ Is it true that DHCP uses lots of wide-area network bandwidth?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>DHCP</primary>
+ <secondary>Relay Agent</secondary>
+ </indexterm><indexterm>
+ <primary>routers</primary>
+ </indexterm><indexterm>
+ <primary>DHCP</primary>
+ <secondary>servers</secondary>
+ </indexterm>
+ It is a smart practice to localize DHCP servers on each network segment. As a
+ rule, there should be two DHCP servers per network segment. This means that if
+ one server fails, there is always another to service user needs. DHCP requests use
+ only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
+ routers. This makes it possible to run fewer DHCP servers.
+ </para>
+
+ <para><indexterm>
+ <primary>DHCP</primary>
+ <secondary>request</secondary>
+ </indexterm><indexterm>
+ <primary>DHCP</primary>
+ <secondary>traffic</secondary>
+ </indexterm>
+ A DHCP network address request and confirmation usually results in about six UDP packets.
+ The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
+ clients and that uses a 24-hour IP address lease. This means that all clients renew
+ their IP address lease every 24 hours. If we assume an average packet length equal to the
+ maximum (just to be on the safe side), and we have a 128 Kbit/sec wide-area connection,
+ how significant would the DHCP traffic be if all of it were to use DHCP Relay?
+ </para>
+
+ <para>
+ I must stress that this is a bad design, but here is the calculation:
+<screen>
+Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte)
+ x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.
+
+DHCP traffic: 300 (clients) x 6 (packets)
+ x 512 (bytes/packet) = 0.9 Mbytes/day.
+</screen>
+ From this can be seen that the traffic impact would be minimal.
+ </para>
+
+ <para><indexterm>
+ <primary>DNS</primary>
+ <secondary>Dynamic</secondary>
+ </indexterm><indexterm>
+ <primary>DHCP</primary>
+ </indexterm>
+ Even when DHCP is configured to do DNS update (Dynamic DNS) over a wide-area link,
+ the impact of the update is no more than the DHCP IP address renewal traffic and, thus,
+ still insignificant for most practical purposes.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>background communication</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>master/slave</secondary>
+ <tertiary>background communication</tertiary>
+ </indexterm>
+ How much background communication takes place between a Master LDAP
+ server and its slave LDAP servers?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>slurpd</primary>
+ </indexterm>
+ The process that controls the replication of data from the Master LDAP server to the Slave LDAP
+ servers is called <command>slurpd</command>. The <command>slurpd</command> remains nascent (quiet)
+ until an update must be propagated. The propagation traffic per LDAP salve to update (add/modify/delete)
+ two user accounts requires less than 10Kbytes traffic.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ LDAP has a database. Is LDAP not just a fancy database front end?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>database</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>database</secondary>
+ </indexterm><indexterm>
+ <primary>SQL</primary>
+ </indexterm><indexterm>
+ <primary>transactional</primary>
+ </indexterm>
+ LDAP does store its data in a database of sorts. In fact the LDAP backend is an application-specific
+ data storage system. This type of database is indexed so that records can be rapidly located, but the
+ database is not generic and can be used only in particular pre-programmed ways. General external
+ applications do not gain access to the data. This type of database is used also by SQL servers. Both
+ an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
+ orientation and typically allows external programs to perform ad-hoc queries, even across data tables.
+ An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
+ simple queries. The term <constant>database</constant> is heavily overloaded and, thus, much misunderstood.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ Can Active Directory obtain account information from an OpenLDAP server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>meta-directory</primary>
+ </indexterm>
+ No, at least not directly. It is possible to provision Active Directory from/to an OpenLDAP
+ database through use of a meta-directory server. Microsoft MMS (now called MIIS) can interface
+ to OpenLDAP using standard LDAP queries/updates.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What are the parts of a roaming profile? How large is each part?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm>
+ A roaming profile consists of:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Desktop folders such as: <constant>Desktop, My Documents, My Pictures, My Music, Internet Files,
+ Cookies, Application Data, Local Settings,</constant> and more. See <link linkend="XP-screen001"/>.
+ </para>
+
+ <para><indexterm>
+ <primary>folder redirection</primary>
+ </indexterm>
+ Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
+ such folders can be redirected to network drive resources. See <link linkend="redirfold"/>
+ for more information regarding folder redirection.
+ </para></listitem>
+
+ <listitem><para>
+ A static or re-writable portion that is typically only a few files (2-5 Kbytes of information).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm><indexterm>
+ <primary>HKEY_LOCAL_USER</primary>
+ </indexterm>
+ The registry load file that modifies the <constant>HKEY_LOCAL_USER</constant> hive. This is
+ the <filename>NTUSER.DAT</filename> file. It can be from 0.4-1.5 MBytes.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>Microsoft Outlook</primary>
+ <secondary>PST files</secondary>
+ </indexterm>
+ Microsoft Outlook PST files may be stored in the <constant>Local Settings\Application Data</constant>
+ folder. It can be up to 2 Gbytes in size per PST file.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can the <constant>My Documents</constant> folder be stored on a network drive?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>UNC name</primary>
+ </indexterm><indexterm>
+ <primary>Universal Naming Convention</primary>
+ <see>UNC name</see>
+ </indexterm>
+ Yes. More correctly, such folders can be redirected to network shares. No specific network drive
+ connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
+ Naming Convention) resource, though it is possible to specify a network drive letter instead of a
+ UNC name. See <link linkend="redirfold"/>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>wide-area</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>bandwidth</secondary>
+ </indexterm><indexterm>
+ <primary>WINS</primary>
+ </indexterm>
+ How much wide-area network bandwidth does WINS consume?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>NetBIOS</primary>
+ <secondary>name cache</secondary>
+ </indexterm><indexterm>
+ <primary>WINS server</primary>
+ </indexterm><indexterm>
+ <primary>domain replication</primary>
+ </indexterm>
+ MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
+ This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
+ server, the total bandwidth demand measured at the WINS server, averaged over an eight-hour working day,
+ was less than 30 Kbytes/sec. Analysis of network traffic over a six-week period showed that the total
+ of all background traffic consumed about 11 percent of available bandwidth over 64 Kbit/sec links.
+ Back-ground traffic consisted of domain replication, WINS queries, DNS lookups, authentication
+ traffic. Each of 11 branch offices had a 64 Kbit/sec wide-area link, with a 1.5 Mbit/sec main connection
+ that aggregated the branch office connections plus an Internet connection.
+ </para>
+
+ <para>
+ In conclusion, the total load afforded through WINS traffic is again marginal to total operational
+ usage &smbmdash; as it should be.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How many BDCs should I have? What is the right number of Windows clients per server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ It is recommended to have at least one BDC per network segment, including the segment served
+ by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
+ load demand pattern of client usage. I have seen sites that function without problem with 200
+ clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
+ company, there was a drafting office that has 30 CAD/CAM operators served by one server, a print
+ server; and an application server. While all three were BDCs, typically only the print server would
+ service network logon requests after the first 10 users had started to use the network. This was
+ a reflection of the service load placed on both the application server and the data server.
+ </para>
+
+ <para>
+ As unsatisfactory as the answer might sound, it all depends on network and server load
+ characteristics.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>NIS server</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
+ run an NIS server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The correct answer to both questions is yes. But do understand that an LDAP server has
+ a configurable schema that can store far more information for many more purposes than
+ just NIS.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can I use NIS in place of LDAP?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>NIS schema</primary>
+ </indexterm>
+ No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
+ with the types of data necessary for interoperability with Microsoft Windows networking. The use
+ of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
+ a Samba-specific schema extension.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml b/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml
new file mode 100644
index 0000000000..a6b196f365
--- /dev/null
+++ b/docs/Samba-Guide/Chap08-MigrateNT4Samba3.xml
@@ -0,0 +1,1242 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="migration">
+ <title>Migrating NT4 Domain to Samba-3</title>
+
+ <para>
+ Ever since Microsoft announced that they are discontinuing support for Windows
+ NT4, Samba users started to ask for detailed instructions for how to migrate
+ from NT4 to Samba-3. This chapter provides background information that should
+ meet these needs.
+ </para>
+
+ <para>
+ One wonders how many NT4 systems will be left in service by the time you read this
+ book though.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Network administrators who want to migrate off a Windows NT4 environment know
+ one thing with certainty. They feel that NT4 has been abandoned and they want
+ to update. The desire to get off NT4 and to not adopt Windows 200x and Active
+ Directory is driven by a mixture of concerns over complexity, cost, fear of
+ failure, and much more.
+ </para>
+
+ <para><indexterm>
+ <primary>group policies</primary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>user</secondary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>group</secondary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>machine</secondary>
+ </indexterm>
+ The migration from NT4 to Samba-3 can involve a number of factors, including:
+ migration of data to another server, migration of network environment controls
+ such as group policies, and finally migration of the users, groups, and machine
+ accounts.
+ </para>
+
+ <para><indexterm>
+ <primary>accounts</primary>
+ <secondary>Domain</secondary>
+ </indexterm>
+ It should be pointed out now that it is possible to migrate some systems from
+ Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly
+ not possible in every case. It is possible to just migrate the Domain accounts
+ to Samba-3 and then to switch machines, but as a hands-off transition, this is more
+ an exception than the rule. Most systems require some tweaking and adjusting
+ following migration before an environment that is acceptable for immediate use
+ is obtained.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm>
+ You are about to migrate an MS Windows NT4 Domain accounts database to
+ a Samba-3 server. The Samba-3 server is using a
+ <parameter>passdb backend</parameter> based on LDAP. The
+ <constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
+ for use with BDCs &smbmdash; generally essential for larger networks.
+ </para>
+
+ <para>
+ Your objective is to document the process of migrating user and group accounts
+ from several NT4 Domains into a single Samba-3 LDAP backend database.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>snap-shot</primary>
+ </indexterm><indexterm>
+ <primary>NT4 registry</primary>
+ </indexterm><indexterm>
+ <primary>registry</primary>
+ <secondary>keys</secondary>
+ <tertiary>SAM</tertiary>
+ </indexterm><indexterm>
+ <primary>registry</primary>
+ <secondary>keys</secondary>
+ <tertiary>SECURITY</tertiary>
+ </indexterm><indexterm>
+ <primary>SAM</primary>
+ </indexterm><indexterm>
+ <primary>Security Account Manager</primary>
+ <see>SAM</see>
+ </indexterm>
+ The migration process takes a snap-shot of information that is stored in the
+ Windows NT4 registry based accounts database. That information resides in
+ the Security Account Manager (SAM) portion of the NT4 Registry under keys called
+ <constant>SAM</constant> and <constant>SECURITY</constant>.
+ </para>
+
+ <warning><para><indexterm>
+ <primary>crippled</primary>
+ </indexterm><indexterm>
+ <primary>inoperative</primary>
+ </indexterm>
+ The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
+ are protected so that you cannot view the contents. If you change the security setting
+ to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not
+ do this unless you are willing to render your domain controller inoperative.
+ </para></warning>
+
+ <para><indexterm>
+ <primary>migration</primary>
+ <secondary>objectives</secondary>
+ </indexterm><indexterm>
+ <primary>disruptive</primary>
+ </indexterm>
+ Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
+ While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
+ that may not be a good idea from an administration perspective. Since you are going through a
+ certain amount of disruptive activity anyhow, why not take this as an opportunity to review
+ the structure of the network, how Windows clients are controlled and how they
+ interact with the network environment.
+ </para>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>logon scripts</secondary>
+ </indexterm><indexterm>
+ <primary>profiles share</primary>
+ </indexterm><indexterm>
+ <primary>security descriptors</primary>
+ </indexterm>
+ MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
+ have done little to keep the NT4 server environment up-to-date with more recent Windows releases,
+ particularly Windows XP Professional. The migration provides opportunity to revise and update
+ roaming profile deployment as well as folder redirection. Given that you must port the
+ greater network configuration of this from the old NT4 server to the new Samba-3 server, you
+ also must validate the security descriptors in the profiles share as well as network logon
+ scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
+ as a good time to update desktop systems also. In all, the extra effort should constitute no
+ real disruption to users, rather with due diligence and care should make their network experience
+ a much happier one.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para><indexterm>
+ <primary>strategic</primary>
+ </indexterm>
+ Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic
+ element. Many sites have asked for instructions regarding merging of multiple different NT4
+ Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant
+ added value compared with the alternative of migration to Windows Server 200x and Active
+ Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
+ from a Windows NT4 Domain to a Samba Domain.
+ </para>
+
+ <image id="ch8-migration">
+ <description>Schematic Explaining the <command>net rpc vampire</command> Process</description>
+ <imagefile scale="80">ch8-migration.png</imagefile>
+ </image>
+
+ <para>
+ In any case, the migration process involves the following steps:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Prepare the target Samba-3 server. This involves configuring Samba-3 for
+ migration to either a tdbsam or an ldapsam backend.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>uppercase</primary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm><indexterm>
+ <primary>lower-case</primary>
+ </indexterm>
+ Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
+ Delete all files that should not be migrated. Where possible, change NT Group
+ names so there are no spaces or uppercase characters. This is important if
+ the target UNIX host insists on Posix compliant all lower-case user and group
+ names.
+ </para></listitem>
+
+ <listitem><para>
+ Step through the migration process.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>PDC</primary>
+ </indexterm>
+ Remove the NT4 PDC from the network.
+ </para></listitem>
+
+ <listitem><para>
+ Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
+ information.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>merge</primary>
+ </indexterm><indexterm>
+ <primary>passdb.tdb</primary>
+ </indexterm>
+ If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain,
+ you must now dump the contents of the first migration and edit it as appropriate. Now clean
+ out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database
+ files. You must start each migration with a new database into which you merge your NT4
+ domains.
+ </para>
+
+ <para><indexterm>
+ <primary>dump</primary>
+ </indexterm>
+ At this point, you are ready to perform the second migration following the same steps as
+ for the first. In other words, dump the database, edit it, and then you may merge the
+ dump for the first and second migrations.
+ </para>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>migrate</primary>
+ </indexterm><indexterm>
+ <primary>Domain SID</primary>
+ </indexterm>
+ You must be careful. If you choose to migrate to an LDAP backend, your dump file
+ now contains the full account information, including the Domain SID. The Domain SID for each
+ of the two NT4 Domains will be different. You must choose one, and change the Domain
+ portion of the account SIDs so that all are the same.
+ </para>
+
+ <para><indexterm>
+ <primary>passdb.tdb</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>merged</primary>
+ </indexterm><indexterm>
+ <primary>logon script</primary>
+ </indexterm><indexterm>
+ <primary>logon hours</primary>
+ </indexterm><indexterm>
+ <primary>logon machines</primary>
+ </indexterm><indexterm>
+ <primary>profile path</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>LDAP backend</primary>
+ </indexterm><indexterm>
+ <primary>export</primary>
+ </indexterm><indexterm>
+ <primary>import</primary>
+ </indexterm>
+ If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
+ is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
+ smbpasswd data file. This automatically strips out all Domain specific information,
+ such as logon hours, logon machines, logon script, profile path, as well as the Domain SID.
+ The resulting file can be easily merged with other migration attempts (each of which must start
+ with a clean file). It should also be noted that all users that end up in the merged smbpasswd
+ file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
+ may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into
+ an LDAP backend.
+ </para>
+
+ <image id="NT4DUM">
+ <description>View of Accounts in NT4 Domain User Manager</description>
+ <imagefile scale="50">UserMgrNT4.png</imagefile>
+ </image>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3
+ Domain may be seen by those who had power over them as a loss of prestige or a loss of
+ power. The imposition of a single Domain may even be seen as a threat. So in migrating and
+ merging account databases, be consciously aware of the political fall-out in which you
+ may find yourself entangled when key staff feel a loss of prestige.
+ </para>
+
+ <para>
+ The best advice that can be given to those who set out to merge NT4 Domains into one single
+ Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers
+ greater network interoperability and manageability.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para>
+ You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The
+ first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
+ scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
+ collection of parameters are used to effect the addition of accounts into the passdb backend.
+ </para>
+
+ <sect2>
+ <title>NT4 Migration Using LDAP Backend</title>
+
+ <para>
+ In this instance, you migrate an NT4 PDC to an LDAP backend. The accounts you are about
+ to migrate are shown in <link linkend="NT4DUM"/>. In this example you make use of the
+ smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
+ Four scripts are essential to the migration process. There are other scripts that will be required
+ for daily management, but these are not critical to migration. The critical scripts are dependant
+ on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
+ must be provided so that the migration process can complete.
+ </para>
+
+ <para>
+ Do verify that you have correctly specified in the &smb.conf; file the scripts, and arguments
+ that should be passed to them, before attempting to perform the account migration.
+ </para>
+
+ <table id="ch8-vampire">
+ <title>Samba &smb.conf; Scripts Essential to Migration</title>
+ <tgroup cols="3">
+ <colspec align="left"/>
+ <colspec align="center"/>
+ <colspec align="center"/>
+ <thead>
+ <row>
+ <entry>Entity</entry>
+ <entry>ldapsam Script</entry>
+ <entry>tdbsam Script</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Add User Accounts</entry>
+ <entry>smbldap-useradd.pl</entry>
+ <entry>useradd</entry>
+ </row>
+ <row>
+ <entry>Delete User Accounts</entry>
+ <entry>smbldap-userdel.pl</entry>
+ <entry>userdel</entry>
+ </row>
+ <row>
+ <entry>Add Group Accounts</entry>
+ <entry>smbldap-groupadd.pl</entry>
+ <entry>groupadd</entry>
+ </row>
+ <row>
+ <entry>Delete Group Accounts</entry>
+ <entry>smbldap-groupdel.pl</entry>
+ <entry>groupdel</entry>
+ </row>
+ <row>
+ <entry>Add User to Group</entry>
+ <entry>smbldap-groupmod.pl</entry>
+ <entry>usermod (See Note)</entry>
+ </row>
+ <row>
+ <entry>Add Machine Accounts</entry>
+ <entry>smbldap-useradd.pl</entry>
+ <entry>useradd</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <note><para>
+ The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
+ of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
+ capability you will need to create your own tool to do this. Alternately, you can search the web
+ to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
+ The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
+ in the formal commands provided by Linux distributions (March 2004).
+ </para></note>
+
+ <para>
+ Before starting the migration, all dead accounts were removed using the User Manager for Domains.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install and configure the Samba-3 server precisely as shown in Chapter 6 for the server
+ called <constant>MASSIVE</constant>. The Domain name <constant>MEGANET</constant> must
+ match that of the NT4 Domain from which you are about to migrate. Do not execute any Samba
+ executables.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>domain master</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ Edit the &smb.conf; file to temporarily change the parameter
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption> so
+ the Samba server functions as a BDC for the purpose of migration.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>preload.LDIF</primary>
+ </indexterm>
+ Create a file called <filename>preload.LDIF</filename> as shown in <link linkend="ch8-LDIF"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapadd</primary>
+ </indexterm>
+ Preload the LDAP database so it is ready to receive the information from the NT4 PDC.
+ This pre-loads the LDAP directory with the top-level information, as well as the
+ top level containers for user, group, computer, and domain account data. Execute the
+ instruction shown here:
+<screen>
+&rootprompt; slapadd -v -l preload.LDIF
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=Manager,dc=abmas,dc=biz" (00000002)
+added: "ou=People,dc=abmas,dc=biz" (00000003)
+added: "ou=Computers,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Idmap,dc=abmas,dc=biz" (00000006)
+added: "ou=Domains,dc=abmas,dc=biz" (00000007)
+</screen>
+ </para></step>
+
+ <step><para>
+ Start the LDAP server.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ping</primary>
+ </indexterm>
+ Verify that the NT4 PDC can be reached:
+<screen>
+&rootprompt; ping nt4s
+PING nt4s.abmas.biz (192.168.2.250) 56(84) bytes of data.
+64 bytes from NT4S (192.168.2.250): icmp_seq=1 ttl=128 time=10.2 ms
+64 bytes from NT4S (192.168.2.250): icmp_seq=2 ttl=128 time=0.518 ms
+64 bytes from NT4S (192.168.2.250): icmp_seq=3 ttl=128 time=0.578 ms
+
+--- nt4s.abmas.biz ping statistics ---
+3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+rtt min/avg/max/mdev = 0.518/3.773/10.223/4.560 ms
+</screen>
+ It can. Great.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ Validate that the resources on the NT4 PDC can be listed:
+<screen>
+&rootprompt; smbclient -L nt4s -UAdministrator%not24get
+
+ Sharename Type Comment
+ --------- ---- -------
+ NETLOGON Disk Logon server share
+ IPC$ IPC Remote IPC
+ UserProfiles Disk All Network User Profiles
+
+ Server Comment
+ --------- -------
+ NT4S
+
+ Workgroup Master
+ --------- -------
+ MEGANET NT4S
+</screen>
+ This looks good.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Domain SID</primary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>getsid</tertiary>
+ </indexterm>
+ At this point, it is necessary to fetch the Domain SID from the NT4 PDC and
+ apply that to the Samba-3 BDC (soon to be PDC):
+<screen>
+&rootprompt; net rpc getsid -S NT4S -W MEGANET
+Storing SID S-1-5-21-1988699175-926296742-1295600288 for
+ Domain MEGANET in secrets.tdb
+</screen>
+ Done.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>secrets.tdb</primary>
+ </indexterm><indexterm>
+ <primary>validate</primary>
+ </indexterm><indexterm>
+ <primary>tdbdump</primary>
+ </indexterm>
+ At this point, you can validate that the information is correct in the
+ <filename>secrets.tdb</filename> file, as shown here:
+<screen>
+&rootprompt; tdbdump /etc/samba/secrets.tdb
+{
+key = "SECRETS/SID/MASSIVE"
+data = "\01\04\00\00\00\00\00\05\15\00\00\00'$\89v\A6*67\A0J9M\
+00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
+00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
+}
+{
+key = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=abmas,dc=biz"
+data = "not24get\00"
+}
+</screen>
+ This has returned the information expected.
+ </para></step>
+
+<note><para>
+The <command>tdbdump</command> utility is a utility that you can build from the Samba source
+code tree. Not all Linux binary distributions include this tool. If it is missing from your
+Linux distribution you will need to build this yourself, or else for-go its use.
+</para></note>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm>
+ We are ready to join the NT4 Domain as a BDC by executing the following:
+<screen>
+&rootprompt; net rpc join -S NT4S -W MEGANET -U Administrator%not24get
+Joined domain MEGANET.
+</screen>
+ Done.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>vampire</tertiary>
+ </indexterm>
+ The Samba-3 BDC is now ready to receive the NT4 PDC accounts database, as shown here:
+<screen>
+&rootprompt; net rpc vampire -S NT4S
+Fetching DOMAIN database
+SAM_DELTA_DOMAIN_INFO not handled
+Creating account: Administrator
+Creating account: Guest
+Creating account: NT4S$
+Creating account: massive$
+Creating account: barryf
+Creating account: gdaison
+Creating account: atrikhoffer
+Creating account: hramsbotham
+Creating account: fsellerby
+Creating account: jrhapsody
+Group members of Domain Admins:
+Group members of Domain Users: NT4S$(primary),massive$(primary),
+Group members of Domain Guests: nobody(primary),
+Group members of rubberboot:
+Group members of engineers:
+Group members of accounting:
+Group members of catalyst:
+Group members of shipping:
+Group members of receiving:
+Group members of marketiod:
+Group members of sales:
+Fetching BUILTIN database
+SAM_DELTA_DOMAIN_INFO not handled
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>domain master</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm>
+ Edit the &smb.conf; file to reset the parameter
+ <smbconfoption><name>domain master</name><value>Yes</value></smbconfoption> so that
+ the Samba server functions as a PDC for the purpose of migration.
+ </para></step>
+ </procedure>
+
+<example id ="ch8-LDIF">
+<title>LDAP Preload LDIF file &smbmdash; <filename>preload.LDIF</filename></title>
+<screen>
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Demo
+description: POSIX and Samba LDAP Identity Database
+structuralObjectClass: organization
+
+dn: cn=Manager,dc=abmas,dc=biz
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+structuralObjectClass: organizationalRole
+
+dn: ou=People,dc=abmas,dc=biz
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+structuralObjectClass: organizationalUnit
+
+dn: ou=Groups,dc=abmas,dc=biz
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+structuralObjectClass: organizationalUnit
+
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: top
+objectClass: organizationalUnit
+ou: Idmap
+structuralObjectClass: organizationalUnit
+
+dn: ou=Domains,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Domains
+structuralObjectClass: organizationalUnit
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2>
+ <title>NT4 Migration Using tdbsam Backend</title>
+
+ <para>
+ In this example, you have chosen to change the Domain name of the NT4 server from
+ <constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
+ of the vampire (migration) tool. This migration process makes use of Linux system tools
+ (like <command>useradd</command>) to add the accounts that are migrated into the
+ UNIX/Linux <filename>/etc/passwd</filename>, and <filename>/etc/group</filename>
+ databases. These entries must therefore be present, and correct options specified,
+ in your &smb.conf; file or else the migration does not work as it should.
+ </para>
+
+ <procedure>
+ <step><para>
+ Prepare a Samba-3 server precisely per the instructions shown in Chapter 5.
+ Set the workgroup name to <constant>MEGANET</constant>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>domain master</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ Edit the &smb.conf; file to temporarily change the parameter
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption> so
+ the Samba server functions as a BDC for the purpose of migration.
+ </para></step>
+
+ <step><para>
+ Start Samba as you have done previously.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm>
+ Join the NT4 Domain as a BDC, as shown here:
+<screen>
+&rootprompt; net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
+Joined domain MEGANET.
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>vampire</tertiary>
+ </indexterm>
+ You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
+<screen>
+&rootprompt; net rpc vampire -S oldnt4pdc -U Administrator%not24get
+Fetching DOMAIN database
+SAM_DELTA_DOMAIN_INFO not handled
+Creating unix group: 'Domain Admins'
+Creating unix group: 'Domain Users'
+Creating unix group: 'Domain Guests'
+Creating unix group: 'Engineers'
+Creating unix group: 'Marketoids'
+Creating account: Administrator
+Creating account: Guest
+Creating account: oldnt4pdc$
+Creating account: jacko
+Creating account: maryk
+Creating account: bridge
+Creating account: sharpec
+Creating account: jimbo
+Creating account: dhenwick
+Creating account: dork
+Creating account: blue
+Creating account: billw
+Creating account: massive$
+Group members of Engineers: Administrator,
+ sharpec(primary),bridge,billw(primary),dhenwick
+Group members of Marketoids: Administrator,jacko(primary),
+ maryk(primary),jimbo,blue(primary),dork(primary)
+Creating unix group: 'Gnomes'
+Fetching BUILTIN database
+SAM_DELTA_DOMAIN_INFO not handled
+Creating unix group: 'Account Operators'
+Creating unix group: 'Administrators'
+Creating unix group: 'Backup Operators'
+Creating unix group: 'Guests'
+Creating unix group: 'Print Operators'
+Creating unix group: 'Replicator'
+Creating unix group: 'Server Operators'
+Creating unix group: 'Users'
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ At this point, we can validate our migration. Let's look at the accounts
+ in the form as they would be seen in a smbpasswd file. This achieves that:
+<screen>
+&rootprompt; pdbedit -Lw
+Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F:
+jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
+ CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC:
+sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
+ 7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4:
+dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
+ 2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41:
+bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
+ 891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291:
+blue:515:256D41D2559BB3D2AAD3B435B51404EE:
+ 9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC:
+diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
+ 3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000:
+oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
+ 95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F:
+Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008:
+billw:516:85380CA7C21B6EBE168C8150662AF11B:
+ 5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1:
+dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
+ 0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A:
+jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
+ 0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242:
+maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
+ CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ An expanded view of a user account entry shows more of what was
+ obtained from the NT4 PDC:
+<screen>
+sleeth:~ # pdbedit -Lv maryk
+Unix username: maryk
+NT username: maryk
+Account Flags: [UX ]
+User SID: S-1-5-21-5672968813-926296742-3245673225-1003
+Primary Group SID: S-1-5-21-5672968813-926296742-3245673225-1007
+Full Name: Mary Kathleen
+Home Directory: \\diamond\maryk
+HomeDir Drive: X:
+Logon Script: scripts\logon.bat
+Profile Path: \\diamond\profiles\maryk
+Domain: MEGANET
+Account desc: Peace Maker
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 02 Apr 2003 13:05:04 GMT
+Password can change: 0
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>group</secondary>
+ </indexterm>
+ And this command lists the long names of the groups that have been
+ imported (vampired) from the NT4 PDC:
+<screen>
+&rootprompt; net group -l -Uroot%not24get -Smassive
+
+Group name Comment
+-----------------------------
+Engineers Snake Oil Engineers
+Marketoids Untrustworthy Hype Vendors
+Gnomes Plain Vanilla Garden Gnomes
+Replicator Supports file replication in a domain
+Guests Users granted guest access to the computer/domain
+Administrators Members can fully administer the computer/domain
+Users Ordinary users
+</screen>
+ Everything looks well and in order.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>domain master</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm>
+ Edit the &smb.conf; file to reset the parameter
+ <smbconfoption><name>domain master</name><value>Yes</value></smbconfoption> so
+ the Samba server functions as a PDC for the purpose of migration.
+ </para></step>
+ </procedure>
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ Migration of an NT4 PDC database to a Samba-3 PDC is possible.
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ An LDAP backend is a suitable vehicle for NT4 migrations.
+ </para></listitem>
+
+ <listitem><para>
+ A tdbsam backend can be used to perform a migration.
+ </para></listitem>
+
+ <listitem><para>
+ Multiple NT4 Domains can be merged into a single Samba-3
+ Domain.
+ </para></listitem>
+
+ <listitem><para>
+ The net Samba-3 Domain most likely requires some
+ administration and updating before going live.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ </para>
+
+ <qandaset defaultlabel="chap08qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>clean database</primary>
+ </indexterm>
+ Why must I start each migration with a clean database?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>merge</primary>
+ </indexterm>
+ This is a recommendation that permits the data from each NT4 Domain to
+ be kept separate until you are ready to merge them. Also, if you do not do this,
+ you may find errors due to users or groups from multiple Domains having the
+ same name, but different SIDs. It is better to permit each migration to complete
+ without undue errors and then to handle the merging of vampired data under
+ proper supervision.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>Domain SID</primary>
+ </indexterm>
+ Is it possible to set my Domain SID to anything I like?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>auto-generated SID</primary>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm><indexterm>
+ <primary>Domain SID</primary>
+ </indexterm>
+ Yes, so long as the SID you create has the same structure as an auto-generated SID.
+ The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
+ the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
+ would you really want to create your own SID? I cannot think of a good reason.
+ You may want to set the SID to one that is already in use somewhere on your network,
+ but that is a little different from straight out creating your own Domain SID.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>user</secondary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>group</secondary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>Domain</secondary>
+ </indexterm>
+ When using a tdbsam passdb backend, why must I have all Domain user and group accounts
+ in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>GID</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm><indexterm>
+ <primary>LDAP database</primary>
+ </indexterm>
+ Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
+ does not fabricate the UNIX IDs from thin air, but rather requires them to be located
+ in a suitable place.
+ </para>
+
+ <para>
+ When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
+ UID of each account is taken together with the account information in the
+ <filename>/etc/passwd</filename> and both sets of data are used to create the account
+ entrt in the LDAP database.
+ </para>
+
+ <para>
+ If you elect to create the Posix account also, the entire UNIX account is copied to the
+ LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of
+ migration to the LDAP database, the accounts may be removed from the UNIX database files.
+ In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
+ LDAP, require UIDs/GIDs.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>validate</primary>
+ </indexterm><indexterm>
+ <primary>connectivity</primary>
+ </indexterm><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Why did you validate connectivity before attempting migration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Access validation before attempting to migrate NT4 Domain accounts helps to pin-point
+ potential problems that may otherwise affect or impede account migration. I am always
+ mindful of the 4P's of migration &smbmdash; Planning Prevents Poor Performance.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How would you merge 10 tdbsam-based domains into an LDAP database?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>risk</primary>
+ </indexterm><indexterm>
+ <primary>dump</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>Samba Domain</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>GID</primary>
+ </indexterm><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm><indexterm>
+ <primary>transfer</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>tool</primary>
+ </indexterm>
+ If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of
+ accounts that have the same UNIX identifier (UID/GID). This means that you almost
+ certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
+ file format and then manually edit all records to ensure that each has a unique UID. Each
+ file can then be imported a number of ways. You can use the <command>pdbedit</command> tool,
+ to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
+ tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
+ you have migrated before handing over access to a user. After all, too many users with a bad
+ migration experience may threaten your career.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>machine accounts</primary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>machine</secondary>
+ </indexterm>
+ I want to change my Domain name after I migrate all accounts from an NT4 Domain to a
+ Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>registry</primary>
+ </indexterm><indexterm>
+ <primary>un-join</primary>
+ </indexterm><indexterm>
+ <primary>rejoin</primary>
+ </indexterm><indexterm>
+ <primary>tattooing</primary>
+ </indexterm>
+ I would recommend not. The machine accounts should still work, but there are registry entries
+ on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
+ un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid
+ this tattooing effect.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>multiple group mappings</primary>
+ </indexterm>
+ After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm>
+ Samba-3 currently does not implement multiple group membership internally. If you use the Windows
+ NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
+ membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend,
+ then multiple group membership is handled through the UNIX groups file. When you dump the user
+ accounts no group account information is provided. When you edit (change) UIDs and GIDs in each
+ file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
+ and <filename>/etc/group</filename> information also. That is where the multiple group information
+ is most closely at your fingertips.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How can I reset group membership after loading the account information into the LDAP database?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm>
+ You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
+ installation file is called <filename>SRVTOOLS.EXE</filename>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>group names</primary>
+ </indexterm>
+ What are the limits or constraints that apply to group names?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>limit</primary>
+ </indexterm><indexterm>
+ <primary>shadow-utils</primary>
+ </indexterm><indexterm>
+ <primary>groupadd</primary>
+ </indexterm><indexterm>
+ <primary>groupdel</primary>
+ </indexterm><indexterm>
+ <primary>groupmod</primary>
+ </indexterm><indexterm>
+ <primary>account names</primary>
+ </indexterm>
+ A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
+ name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
+ groups can contain upper- and lower-case characters, as well as spaces.
+ Many UNIX system do not permit the use of upper-case characters, and some do not permit the
+ space character either. A number of systems (i.e., Linux) work fine with both upper-case
+ and space characters in group names, but the shadow-utils package that provides the group
+ control functions (<command>groupadd, groupmod, groupdel</command>, and so on) do not permit them.
+ Also, a number of UNIX systems management tools enforce their own particular interpretation
+ of the Posix standards, and likewise do not permit upper-case or space characters in group
+ or user account names. You have to experiment with your system to find what its
+ peculiarities are.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>vampire</primary>
+ </indexterm>
+ My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
+ LDAP backend system using the vampire process?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
+ kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
+ you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned
+ integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
+ Please check this carefully before you attempt to effect a migration using the vampire process.
+ </para>
+
+ <para><indexterm>
+ <primary>Migration speed</primary>
+ </indexterm>
+ Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
+ LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP
+ to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts
+ per minute. Migration would obviously go much faster if LDAP mirroring is turned off during the migration.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap09-AddingUNIXClients.xml b/docs/Samba-Guide/Chap09-AddingUNIXClients.xml
new file mode 100644
index 0000000000..e46fc22396
--- /dev/null
+++ b/docs/Samba-Guide/Chap09-AddingUNIXClients.xml
@@ -0,0 +1,2516 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="unixclients">
+ <title>Adding UNIX/LINUX Servers and Clients</title>
+
+ <para><indexterm>
+ <primary>Open Magazine</primary>
+ </indexterm><indexterm>
+ <primary>survey</primary>
+ </indexterm>
+ The most frequently discussed Samba subjects over the past two years have focused around Domain Control and printing.
+ It is well known that Samba is a file and print server. A recent survey conducted by Open Magazine found
+ that of all respondents: 97% use Samba for file and print services, and 68% use Samba for Domain Control. See the
+ <ulink url="http://www.open-mag.com/cgi-bin/opencgi/surveys/survey.cgi?survey_name=samba">Open-Mag</ulink>
+ Web site for current information. The survey results as found on January 14, 2004, as shown in
+ <link linkend="ch09openmag"/>.
+ </para>
+
+ <image id="ch09openmag">
+ <description>Open Magazine Samba Survey</description>
+ <imagefile scale="60">openmag.png</imagefile>
+ </image>
+
+ <para>
+ While Domain Control is an exciting subject, basic file and print sharing remains the staple bread-and-butter
+ function that Samba provides. Yet this book may give the appearance of having focused too much on more
+ exciting aspects of Samba deployment. This chapter directs your attention to provide important information on
+ the addition of Samba servers into your present Windows network &smbmdash; whatever the controlling technology
+ may be. So let's get back to Abmas and our good friends Bob Jordan and company.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para><indexterm>
+ <primary>Linux desktop</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>server</secondary>
+ </indexterm>
+ Bob Jordan looks back over the achievements of the past year or two. Daily events are rather straightforward
+ with not too many distractions or problems. Bob, your team is doing well, but a number of employees
+ are asking for Linux desktop systems. Your network has grown and demands additional Domain Member servers. Let's
+ get on with this; Christine and Stan are ready to go.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>desktop</secondary>
+ </indexterm>
+ Stan Soroka is firmly in control of the Department of the Future, while Christine is enjoying a stable and
+ predictable network environment. It is time to add more servers and to add Linux desktops. It is
+ time to meet the demands of future growth and endure trial by fire. Go on, walk the steps
+ with Stan and Company.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ You must now add UNIX/Linux Domain Member servers to your network. You have a friend who has a Windows 2003
+ Active Directory Domain network who wants to add a Samba/Linux server and has asked Christine to help him
+ out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use
+ her help to get validation that Samba really does live up to expectations.
+ </para>
+
+ <para>
+ Over the past six months, you have hired several new staff who want Linux on their desktops. You must integrate
+ these systems to make sure that Abmas is not building islands of technology. You ask Christine to
+ do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make
+ the right decision, don't you?
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>winbind</primary>
+ </indexterm>
+ Recent Samba mailing list activity is witness to how many sites are using winbind. Some have no trouble
+ at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning
+ an inability to achieve identical user and group IDs between Windows and UNIX environments.
+ </para>
+
+ <para>
+ You provide step-by-step implementations of the various tools that can be used for identity
+ resolution. You also provide working examples of solutions for integrated authentication for
+ both UNIX/Linux and Windows environments.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ One of the great challenges we face when people ask us, <quote>What is the best way to solve
+ this problem?</quote> is to get beyond the facts so we can not only clearly comprehend
+ the immediate technical problem, but also understand how needs may change.
+ </para>
+
+ <para><indexterm>
+ <primary>integrate</primary>
+ </indexterm>
+ There are a few facts we should note when dealing with the question of how best to
+ integrate UNIX/Linux clients and servers into a Windows networking environment:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>Domain Controller</primary>
+ </indexterm><indexterm>
+ <primary>authoritative</primary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>authoritative</secondary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ A Domain Controller (PDC or BDC) is always authoritative for all accounts in its Domain.
+ This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
+ to the same values that the PDC resolved them to.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>local accounts</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>authoritative</secondary>
+ <tertiary>local accounts</tertiary>
+ </indexterm><indexterm>
+ <primary>Domain accounts</primary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm>
+ A Domain Member can be authoritative for local accounts, but is never authoritative for
+ Domain accounts. If a user is accessing a Domain Member server and that user's account
+ is not known locally, the Domain Member server must resolve the identity of that user
+ from the Domain in which that user's account resides. It must then map that ID to a
+ UID/GID pair that it can use locally. This is handled by <command>winbindd</command>.
+ </para></listitem>
+
+ <listitem><para>
+ Samba, when running on a Domain Member server, can resolve user identities from a
+ number of sources:
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>getpwnam</primary>
+ </indexterm><indexterm>
+ <primary>getgrnam</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>NIS</primary>
+ </indexterm>
+ By executing a system <command>getpwnam()</command> or <command>getgrnam()</command> call.
+ On systems that support it, this utilizes the name service switch (NSS) facility to
+ resolve names according to the configuration of the <filename>/etc/nsswitch.conf</filename>
+ file. NSS can be configured to use LDAP, winbind, NIS, or local files.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>PADL</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ Performing, via NSS, a direct LDAP search (where an LDAP passdb backend has been configured).
+ This requires the use of the PADL nss_ldap tool (or equivalent).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm><indexterm>
+ <primary>winbindd_idmap.tdb</primary>
+ </indexterm><indexterm>
+ <primary>winbindd_cache.tdb</primary>
+ </indexterm>
+ Directly by querying <command>winbindd</command>. The <command>winbindd</command>
+ contact a Domain Controller to attempt to resolve the identity of the user or group. It
+ receives the Windows networking security identifier (SID) for that appropriate
+ account and then allocates a local UID or GID from the range of available IDs and
+ creates an entry in its <filename>winbindd_idmap.tdb</filename> and
+ <filename>winbindd_cache.tdb</filename> files.
+ </para>
+
+ <para><indexterm>
+ <primary>idmap backend</primary>
+ </indexterm><indexterm>
+ <primary>mapping</primary>
+ </indexterm>
+ If the parameter
+ <smbconfoption><name>idmap backend</name><value>ldap:ldap://myserver.domain</value></smbconfoption>
+ was specified and the LDAP server has been configured with a container in which it may
+ store the IDMAP entries, all Domain Members may share a common mapping.
+ </para></listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ Irrespective of how &smb.conf; is configured, winbind creates and caches a local copy of
+ the ID mapping database. It uses the <filename>winbindd_idmap.tdb</filename>, and
+ <filename>winbindd_cache.tdb</filename> files to do this.
+ </para>
+
+ <para>
+ Which of the above resolver methods is chosen is determined by the way that Samba is configured
+ in the &smb.conf; file. Some of the configuration options are rather less than obvious to the
+ casual user.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>winbind enable local accounts</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>servers</secondary>
+ </indexterm><indexterm>
+ <primary>Domain Controllers</primary>
+ </indexterm>
+ If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
+ of being resolved using) the name service switch (NSS) facility, it is imperative to use the
+ <smbconfoption><name>winbind enable local accounts</name><value>Yes</value></smbconfoption>
+ in the &smb.conf; file. This parameter specifically applies only to Domain Controllers,
+ not to Domain Member servers.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>Posix accounts</primary>
+ </indexterm><indexterm>
+ <primary>Samba accounts</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ For many administrators, it should be plain that the use of an LDAP-based repository for all network
+ accounts (both for Posix accounts as well as for Samba accounts) provides the most elegant and
+ controllable facility. You eventually appreciate the decision to use LDAP.
+ </para>
+
+ <para><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm><indexterm>
+ <primary>identifiers</primary>
+ </indexterm><indexterm>
+ <primary>resolve</primary>
+ </indexterm>
+ If your network account information resides in an LDAP repository, you should use it ahead of any
+ alternative method. This means that if it is humanly possible to use the <command>nss_ldap</command>
+ tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, as it provides
+ a more readily controllable method for asserting the exact same user and group identifiers
+ throughout the network.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>winbind trusted domains only</primary>
+ </indexterm><indexterm>
+ <primary>getpwnam</primary>
+ </indexterm><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>Trusted Domains</primary>
+ </indexterm><indexterm>
+ <primary>External Domains</primary>
+ </indexterm>
+ In the situation where UNIX accounts are held on the Domain Member server itself, the only effective
+ way to use them involves the &smb.conf; entry
+ <smbconfoption><name>winbind trusted domains only</name><value>Yes</value></smbconfoption>. This forces
+ Samba (<command>smbd</command>) to perform a <command>getpwnam()</command> system call that can
+ then be controlled via <filename>/etc/nsswitch.conf</filename> file settings. The use of this parameter
+ disables the use of Samba with Trusted Domains (i.e., External Domains).
+ </para>
+
+ <para><indexterm>
+ <primary>appliance mode</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>automatically allocate</primary>
+ </indexterm>
+ Winbind can be used to create an appliance mode Domain Member server. In this capacity, <command>winbindd</command>
+ is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation
+ is made for all accounts that connect to that Domain Member server, whether within its own Domain or from
+ Trusted Domains. If not stored in an LDAP backend, each Domain Member maintains its own unique mapping database.
+ This means that it is almost certain that a given user who accesses two Domain Member servers does not have the
+ same UID/GID on both servers &smbmdash; however, this is transparent to the Windows network user. This data
+ is stored in the <filename>winbindd_idmap.tdb</filename> and <filename>winbindd_cache.tdb</filename> files.
+ </para>
+
+ <para><indexterm>
+ <primary>mapping</primary>
+ </indexterm>
+ The use of an LDAP backend for the Winbind IDMAP facility permits Windows Domain security identifiers (SIDs)
+ mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all Domain Member
+ servers so configured. This solves one of the major headaches for network administrators who need to copy
+ files between/across network file servers.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>yellow pages</primary>
+ <see>NIS</see>
+ </indexterm><indexterm>
+ <primary>identity management</primary>
+ </indexterm>
+ One of the most fierce conflicts recently being waged is one of resistance to the adoption of LDAP, in
+ particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
+ is different and requires a new approach to the need for a better identity management solution. The more
+ you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm.
+ </para>
+
+ <para>
+ LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos.
+ The reason these are preferable is because they are heterogenous. Windows solutions of this sort are NOT
+ heterogenous by design. This is fundamental &smbmdash; it isn't religious or political. This also doesn't say that
+ you can't use Windows Active Directory in a heterogenous environment &smbmdash; it can be done, it just requires
+ commercial integration products &smbmdash; it's just not what Active Directory was designed for.
+ </para>
+
+ <para><indexterm>
+ <primary>directory</primary>
+ </indexterm><indexterm>
+ <primary>management</primary>
+ </indexterm>
+ A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
+ is the first application group to almost force network administrators to use LDAP. It should be pointed
+ out that we resisted this as long as we could. It is not out of laziness or out of malice that LDAP has
+ finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total
+ organizational directory needs.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>client</secondary>
+ </indexterm><indexterm>
+ <primary>Domain Controller</primary>
+ </indexterm>
+ The Domain Member server and the Domain Member client are at the center of focus in this chapter.
+ Configuration of Samba-3 Domain Controller has been covered in earlier chapters, so if your
+ interest is in Domain Controller configuration, you will not find that here. You will find good
+ oil that helps you to add Domain Member servers and clients.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>workstations</secondary>
+ </indexterm>
+ In practice, Domain Member servers and Domain Member workstations are very different entities, but in
+ terms of technology they share similar core infrastructure. A technologist would argue that servers
+ and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
+ environment a workstation (client) is a device from which a user creates documents and files that
+ are located on servers. A workstation is frequently viewed as a disposable (easy to replace) item,
+ but a server is viewed as a core component of the business.
+ </para>
+
+ <para><indexterm>
+ <primary>workstation</primary>
+ </indexterm>
+ One can look at this another way. If a workstation breaks down, one user is affected, but if a
+ server breaks down, hundreds of users may not be able to work. The services that a workstation
+ must provide are document and file production oriented; a server provides information storage
+ and is distribution oriented.
+ </para>
+
+ <para><indexterm>
+ <primary>authentication process</primary>
+ </indexterm><indexterm>
+ <primary>logon process</primary>
+ </indexterm><indexterm>
+ <primary>user identities</primary>
+ </indexterm>
+ <emphasis>Why is this important?</emphasis> &smbmdash; For starters, we must identify what
+ components of the operating system and its environment must be configured. Also, it is necessary
+ to recognize where the interdependencies between the various services to be used are.
+ In particular, it is important to understand the operation of each critical part of the
+ authentication process, the logon process, and how user identities get resolved and applied
+ within the operating system and applications (like Samba) that depend on this and may
+ actually contribute to it.
+ </para>
+
+ <para>
+ So, while here we demonstrate how to implement the technology. It is done within a context of
+ what type of service need must be fulfilled.
+ </para>
+
+ <sect2 id="sdcsdmldap">
+ <title>Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP</title>
+
+ <para><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>ldapsam backend</primary>
+ </indexterm><indexterm>
+ <primary>IDMAP</primary>
+ </indexterm><indexterm>
+ <primary>mapping</primary>
+ <secondary>consistent</secondary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>foreign SID</primary>
+ </indexterm>
+ In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
+ an LDAP ldapsam backend. In this example, we are adding to the LDAP backend database (directory)
+ containers for use by the IDMAP facility. This makes it possible to have globally consistent
+ mapping of SIDs to/from UIDs/GIDs. This means that you are running <command>winbindd</command>
+ as part of your configuration. The primary purpose of running <command>winbindd</command> (within
+ this operational context) is to permit mapping of foreign SIDs (those not originating from our
+ own Domain). Foreign SIDs can come from any external Domain or from Windows clients that do not
+ belong to a Domain.
+ </para>
+
+ <para><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>getpwnam</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm>
+ If your installation is accessed only from clients that are members of your own domain, then
+ it is not necessary to run <command>winbindd</command> as long as all users can be resolved
+ locally via the <command>getpwnam()</command> system call. On NSS-enabled systems, this condition
+ is met by having:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm>
+ All accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>compat</primary>
+ </indexterm><indexterm>
+ <primary>compat</primary>
+ </indexterm><indexterm>
+ <primary>ldap</primary>
+ </indexterm><indexterm>
+ <primary>nis</primary>
+ </indexterm><indexterm>
+ <primary>nisplus</primary>
+ </indexterm><indexterm>
+ <primary>hesoid</primary>
+ </indexterm><indexterm>
+ <primary>ldap</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm><indexterm>
+ <primary>PADL Software</primary>
+ </indexterm>
+ Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs
+ via multiple methods. The methods typically include: <command>files, compat, db, ldap,
+ nis, nisplus, hesoid.</command> When correctly installed, Samba adds to this list
+ the <command>winbindd</command> facility. The ldap facility is frequently the nss_ldap
+ tool provided by PADL Software.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm>
+ The diagram in <link linkend="ch9-sambadc"/> demonstrates the relationship of samba and system
+ components that are involved in the Identity resolution process where Samba is used as a Domain
+ Member server within a Samba Domain Control network.
+ </para>
+
+<image id="ch9-sambadc">
+ <description>Samba Domain: Samba Member Server</description>
+ <imagefile scale="75">chap9-SambaDC.png</imagefile>
+</image>
+
+ <para><indexterm>
+ <primary>IDMAP</primary>
+ </indexterm><indexterm>
+ <primary>foreign</primary>
+ </indexterm>
+ In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
+ to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
+ backend so that it can be shared by all Domain Member servers so that every user will have a
+ consistent UID and GID across all of them. The IDMAP facility will be used for all foreign
+ (i.e., not having the same SID as the Domain it is a member of) Domains. The configuration of
+ NSS will ensure that all unix processes will obtain a consistent UID/GID.
+ </para>
+
+ <para>
+ The instructions given here apply to the Samba environment as shown in Chapters 6 and 7.
+ If your network does not have an LDAP slave server (i.e., Chapter 6 configuration), you
+ must change the target LDAP server from <constant>lapdc</constant> to <constant>massive.</constant>
+ </para>
+
+ <procedure>
+ <title>Configuration of LDAP-Based Identity Resolution</title>
+
+ <step><para>
+ Create the &smb.conf; file as shown in <link linkend="ch9-sdmsdc"/>. Locate
+ this file in the directory <filename>/etc/samba</filename>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ldap.conf</primary>
+ </indexterm>
+ Configure the file that will be used by <constant>nss_ldap</constant> to
+ locate and communicate with the LDAP server. This file is called <filename>ldap.conf</filename>.
+ If your implementation of <constant>nss_ldap</constant> is consistent with
+ the defaults suggested by PADL (the authors), it will be located in the
+ <filename>/etc</filename> directory. On some systems, the default location is
+ the <filename>/etc/openldap</filename> directory. Change the parameters inside
+ the file that is located on your OS so it matches <link linkend="ch9-sdmlcnf"/>.
+ To find the correct location of this file, you can obtain this from the
+ library that will be used by executing the following:
+<screen>
+&rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
+/etc/ldap.conf
+</screen>
+ </para></step>
+
+ <step><para>
+ Configure the name service switch (NSS) control file so it matches the one shown
+ in <link linkend="ch9-sdmnss"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ Before proceeding to configure Samba, validate the operation of the NSS Identity
+ resolution via LDAP by executing:
+<screen>
+&rootprompt; getent passwd
+...
+root:x:0:512:Netbios Domain Administrator:/root:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:Robert Jordan:/home/bobj:/bin/bash
+stans:x:1001:513:Stanley Soroka:/home/stans:/bin/bash
+chrisr:x:1002:513:Christine Roberson:/home/chrisr:/bin/bash
+maryv:x:1003:513:Mary Vortexis:/home/maryv:/bin/bash
+jht:x:1004:513:John H Terpstra:/home/jht:/bin/bash
+bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
+temptation$:x:1009:553:temptation$:/dev/null:/bin/false
+vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
+fran$:x:1008:553:fran$:/dev/null:/bin/false
+josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash
+</screen>
+ You should notice the location of the users' home directories. First, make certain that
+ the home directories exist on the Domain Member server; otherwise, the home directory
+ share is not available. The home directories could be mounted off a domain controller
+ using NFS, or by any other suitable means. Second, the absence of the Domain name in the
+ home directory path is indicative that Identity resolution is not being done via Winbind.
+<screen>
+&rootprompt; getent group
+...
+Domain Admins:x:512:root,jht
+Domain Users:x:513:bobj,stans,chrisr,maryv,jht,josephj
+Domain Guests:x:514:
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+sammy:x:4321:
+</screen>
+ <indexterm>
+ <primary>secondary group</primary>
+ </indexterm><indexterm>
+ <primary>primary group</primary>
+ </indexterm><indexterm>
+ <primary>group membership</primary>
+ </indexterm>
+ This shows that all is working as it should. Notice that in the LDAP database
+ the users primary and secondary group memberships are identical. It is not
+ necessary to add secondary group memberships (in the group database) if the
+ user is already a member via primary group membership in the password database.
+ When using winbind, it is in fact undesirable to do this as it results in
+ doubling up of group memberships and may break winbind under certain conditions.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapcat</primary>
+ </indexterm>
+ The LDAP directory must have a container object for IDMAP data. There are several ways you can
+ check that your LDAP database is able to receive IDMAP information. One of the simplest is to
+ execute:
+<screen>
+&rootprompt; slapcat | grep -i idmap
+dn: ou=Idmap,dc=abmas,dc=biz
+ou: idmap
+</screen>
+ <indexterm>
+ <primary>ldapadd</primary>
+ </indexterm>
+ If the execution of this command does not return IDMAP entries, you need to create an LDIF
+ template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using the following command:
+<screen>
+&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
+ -w not24get &lt; /etc/openldap/idmap.LDIF
+</screen>
+ Samba automatically populates this LDAP directory container when it needs to.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm><indexterm>
+ <primary>Domain join</primary>
+ </indexterm>
+ The system is ready to join the Domain. Execute the following:
+<screen>
+net rpc join -U root%not24et
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain join succeeded.
+ </para></step>
+
+ <step><para>
+ You may now start Samba in the usual manner and your Samba Domain Member server
+ is ready for use. Just add shares as required.
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="ch9-sdmsdc">
+<title>Samba Domain Member in Samba Domain Control Context &smbmdash; &smb.conf; File</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+<smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+<smbconfoption><name>security</name><value>DOMAIN</value></smbconfoption>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>10</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>wins server</name><value>192.168.2.1</value></smbconfoption>
+<smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+<smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+<smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+<smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+<smbconfoption><name>idmap backend</name><value>ldap:ldap://lapdc.abmas.biz</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>winbind trusted domains only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printer admin</name><value>root</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+<smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>root, Administrator</value></smbconfoption>
+<smbconfoption><name>write list</name><value>root</value></smbconfoption>
+</smbconfexample>
+
+<example id="ch9-ldifadd">
+<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
+<screen>
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: idmap
+structuralObjectClass: organizationalUnit
+</screen>
+</example>
+
+<example id="ch9-sdmlcnf">
+<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
+<screen>
+URI ldap://massive.abmas.biz ldap://massive.abmas.biz:636
+host 192.168.2.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+ssl no
+</screen>
+</example>
+
+<example id="ch9-sdmnss">
+<title>NSS using LDAP for Identity Resolution &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
+<screen>
+passwd: compat ldap
+group: compat ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files
+aliases: files
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2 id="wdcsdm">
+ <title>NT4/Samba Domain with Samba Domain Member Server &smbmdash; Using Winbind</title>
+
+ <para>
+ You need to use this method for creating a Samba Domain Member server if any of the following conditions
+ prevail:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ LDAP support (client) is not installed on the system.
+ </para></listitem>
+
+ <listitem><para>
+ There are mitigating circumstances forcing a decision not to use LDAP.
+ </para></listitem>
+
+ <listitem><para>
+ The Samba Domain Member server must be part of a Windows NT4 Domain.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>Windows ADS Domain</primary>
+ </indexterm><indexterm>
+ <primary>Samba Domain</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ Later in the chapter, you can see how to configure a Samba Domain Member server for a Windows ADS Domain.
+ Right now your objective is to configure a Samba server that can be a member of a Windows NT4 style
+ Domain and/or does not use LDAP.
+ </para>
+
+ <note><para><indexterm>
+ <primary>duplicate accounts</primary>
+ </indexterm>
+ If you use <command>winbind</command> for Identity resolution, do make sure that there are no
+ duplicate accounts.
+ </para>
+
+ <para><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm>
+ For example, do not have more than one account that has UID=0 in the password database. If there
+ is an account called <constant>root</constant> in the <filename>/etc/passwd</filename> database,
+ it is okay to have an account called <constant>root</constant> in the LDAP ldapsam or in the
+ tdbsam. But if there are two accounts in the passdb backend that have the same UID, winbind will
+ break. This means that the <constant>Administrator</constant> account must be called
+ <constant>root</constant>.
+ </para>
+
+ <para><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm>
+ Winbind will break if there is an account in <filename>/etc/passwd</filename> that has
+ the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
+ </para></note>
+
+ <para><indexterm>
+ <primary>credentials</primary>
+ </indexterm><indexterm>
+ <primary>traverse</primary>
+ </indexterm><indexterm>
+ <primary>wide-area</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>wide-area</secondary>
+ </indexterm><indexterm>
+ <primary>tdbdump</primary>
+ </indexterm>
+ The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
+ The winbind information is locally cached in the <filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>
+ files. This provides considerable performance benefits compared with the LDAP solution, particularly
+ where the LDAP lookups must traverse wide-area network links. You may examine the contents of these
+ files using the tool <command>tdbdump</command>, though you may have to build this from the Samba
+ source code if it has not been supplied as part of a binary package distribution that you may be using.
+ </para>
+
+ <procedure>
+ <title>Configuration of Winbind-Based Identity Resolution</title>
+
+ <step><para>
+ Using your favorite text editor, create the &smb.conf; file so it has the contents
+ shown in <link linkend="ch0-NT4DSDM"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/nsswitch.conf</primary>
+ </indexterm>
+ Edit the <filename>/etc/nsswitch.conf</filename> so it has the entries shown in
+ <link linkend="ch9-nsswbnd"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm>
+ The system is ready to join the Domain. Execute the following:
+<screen>
+net rpc join -U root%not24et
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain join succeed.
+
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>wbinfo</primary>
+ </indexterm>
+ Validate operation of <command>winbind</command> using the <command>wbinfo</command>
+ tool as follows:
+<screen>
+&rootprompt; wbinfo -u
+MEGANET2+root
+MEGANET2+nobody
+MEGANET2+jht
+MEGANET2+maryv
+MEGANET2+billr
+MEGANET2+jelliott
+MEGANET2+dbrady
+MEGANET2+joeg
+MEGANET2+balap
+</screen>
+ This shows that Domain users have been listed correctly.
+<screen>
+&rootprompt; wbinfo -g
+MEGANET2+Domain Admins
+MEGANET2+Domain Users
+MEGANET2+Domain Guests
+MEGANET2+Accounts
+MEGANET2+Finances
+MEGANET2+PIOps
+</screen>
+ This shows that Domain groups have been correctly obtained also.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>getent</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm>
+ The next step verifies that NSS is able to obtain this information
+ correctly from <command>winbind</command> also.
+<screen>
+&rootprompt; getent passwd
+...
+MEGANET2+root:x:10000:10001:NetBIOS Domain Admin:
+ /home/MEGANET2/root:/bin/bash
+MEGANET2+nobody:x:10001:10001:nobody:
+ /home/MEGANET2/nobody:/bin/bash
+MEGANET2+jht:x:10002:10001:John H Terpstra:
+ /home/MEGANET2/jht:/bin/bash
+MEGANET2+maryv:x:10003:10001:Mary Vortexis:
+ /home/MEGANET2/maryv:/bin/bash
+MEGANET2+billr:x:10004:10001:William Randalph:
+ /home/MEGANET2/billr:/bin/bash
+MEGANET2+jelliott:x:10005:10001:John G Elliott:
+ /home/MEGANET2/jelliott:/bin/bash
+MEGANET2+dbrady:x:10006:10001:Darren Brady:
+ /home/MEGANET2/dbrady:/bin/bash
+MEGANET2+joeg:x:10007:10001:Joe Green:
+ /home/MEGANET2/joeg:/bin/bash
+MEGANET2+balap:x:10008:10001:Bala Pillay:
+ /home/MEGANET2/balap:/bin/bash
+</screen>
+ The user account information has been correctly obtained. This information has
+ been merged with the winbind template information configured in the &smb.conf; file.
+<screen>
+&rootprompt;# getent group
+...
+MEGANET2+Domain Admins:x:10000:MEGANET2+root,MEGANET2+jht
+MEGANET2+Domain Users:x:10001:MEGANET2+jht,MEGANET2+maryv,\
+ MEGANET2+billr,MEGANET2+jelliott,MEGANET2+dbrady,\
+ MEGANET2+joeg,MEGANET2+balap
+MEGANET2+Domain Guests:x:10002:MEGANET2+nobody
+MEGANET2+Accounts:x:10003:
+MEGANET2+Finances:x:10004:
+MEGANET2+PIOps:x:10005:
+</screen>
+ </para></step>
+
+ <step><para>
+ The Samba member server of a Windows NT4 Domain is ready for use.
+ </para></step>
+ </procedure>
+
+<smbconfexample id="ch0-NT4DSDM">
+<title>Samba Domain Member Server &smb.conf; File for NT4 Domain</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+<smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+<smbconfoption><name>security</name><value>DOMAIN</value></smbconfoption>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>0</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>wins server</name><value>192.168.2.1</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>template primary group</name><value>"Domain Users"</value></smbconfoption>
+<smbconfoption><name>template shell</name><value>/bin/bash</value></smbconfoption>
+<smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
+<smbconfoption><name>printer admin</name><value>root</value></smbconfoption>
+<smbconfoption><name>hosts allow</name><value>192.168.2., 192.168.3., 127.</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+<smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>root, Administrator</value></smbconfoption>
+<smbconfoption><name>write list</name><value>root</value></smbconfoption>
+</smbconfexample>
+
+<example id="ch9-nsswbnd">
+<title>Name Service Switch Control File: <filename>/etc/nsswitch.conf</filename></title>
+<screen>
+# /etc/nsswitch.conf
+
+passwd: compat winbind
+group: compat winbind
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files
+aliases: files
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2 id="adssdm">
+ <title>Active Directory Domain with Samba Domain Member Server</title>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>join</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>server</secondary>
+ </indexterm>
+ One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory
+ Domain using Kerberos protocols. This makes it possible to operate an entire Windows network
+ without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An
+ exhaustively complete discussion of the protocols is not possible in this book; perhaps a
+ later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate
+ in. For now, we simply focus on how a Samba-3 server can be made a Domain Member server.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm>
+ The diagram in <link linkend="ch9-adsdc"/> demonstrates how Samba-3 interfaces with
+ Microsoft Active Directory components. It should be noted that if Microsoft Windows Services
+ for UNIX has been installed and correctly configured, it is possible to use client LDAP
+ for Identity resolution just as can be done with Samba-3 when using an LDAP passdb backend.
+ The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL
+ Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of
+ LDAP-based Identity resolution is a little less secure. In view of the fact that this solution
+ requires additional software to be installed on the Windows 200x ADS Domain Controllers,
+ and that means more management overhead, it is likely that most Samba-3 ADS client sites
+ may elect to use winbind.
+ </para>
+
+ <para>
+ Do not attempt to use this procedure if you are not 100 percent certain that the build of Samba-3
+ you are using has been compiled and linked with all the tools necessary for this to work.
+ Given the importance of this step, you must first validate that the Samba-3 message block
+ daemon (<command>smbd</command>) has the necessary features.
+ </para>
+
+ <para>
+ The hypothetical domain you are using in this example assumes that the Abmas London office
+ decided to take their own lead (some would say this is a typical behavior in a global
+ corporate world; besides, a little divergence and conflict makes for an interesting life).
+ The Windows Server 2003 ADS Domain is called <constant>london.abmas.biz</constant> and the
+ name of the server is <constant>W2K3S</constant>. In ADS realm terms, the Domain Controller
+ is known as <constant>w2k3s.london.abmas.biz</constant>. In NetBIOS nomenclature, the
+ Domain Name is <constant>LONDON</constant> and the server name is <constant>W2K3S</constant>.
+ </para>
+
+ <image id="ch9-adsdc">
+ <description>Active Directory Domain: Samba Member Server</description>
+ <imagefile scale="75">chap9-ADSDC.png</imagefile>
+ </image>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm>
+ Before you try to use Samba-3, you want to know for certain that your executables have
+ support for Kerberos and for LDAP. Execute the following to identify whether or
+ not this build is perhaps suitable for use:
+<screen>
+&rootprompt; cd /usr/sbin
+&rootprompt; smbd -b | grep KRB
+ HAVE_KRB5_H
+ HAVE_ADDR_TYPE_IN_KRB5_ADDRESS
+ HAVE_KRB5
+ HAVE_KRB5_AUTH_CON_SETKEY
+ HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES
+ HAVE_KRB5_GET_PW_SALT
+ HAVE_KRB5_KEYBLOCK_KEYVALUE
+ HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
+ HAVE_KRB5_MK_REQ_EXTENDED
+ HAVE_KRB5_PRINCIPAL_GET_COMP_STRING
+ HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES
+ HAVE_KRB5_STRING_TO_KEY
+ HAVE_KRB5_STRING_TO_KEY_SALT
+ HAVE_LIBKRB5
+</screen>
+ The above output was obtained on a SuSE Linux system and shows the output for
+ Samba that has been compiled and linked with the Heimdal Kerberos libraries.
+ The following is a typical output that will be found on a Red Hat Linux system that
+ has been linked with the MIT Kerberos libraries:
+<screen>
+&rootprompt; cd /usr/sbin
+&rootprompt; smbd -b | grep KRB
+ HAVE_KRB5_H
+ HAVE_ADDRTYPE_IN_KRB5_ADDRESS
+ HAVE_KRB5
+ HAVE_KRB5_AUTH_CON_SETUSERUSERKEY
+ HAVE_KRB5_ENCRYPT_DATA
+ HAVE_KRB5_FREE_DATA_CONTENTS
+ HAVE_KRB5_FREE_KTYPES
+ HAVE_KRB5_GET_PERMITTED_ENCTYPES
+ HAVE_KRB5_KEYTAB_ENTRY_KEY
+ HAVE_KRB5_LOCATE_KDC
+ HAVE_KRB5_MK_REQ_EXTENDED
+ HAVE_KRB5_PRINCIPAL2SALT
+ HAVE_KRB5_PRINC_COMPONENT
+ HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
+ HAVE_KRB5_SET_REAL_TIME
+ HAVE_KRB5_STRING_TO_KEY
+ HAVE_KRB5_TKT_ENC_PART2
+ HAVE_KRB5_USE_ENCTYPE
+ HAVE_LIBGSSAPI_KRB5
+ HAVE_LIBKRB5
+</screen>
+ You can validate that Samba has been compiled and linked with LDAP support
+ by executing:
+<screen>
+&rootprompt; smbd -b | grep LDAP
+massive:/usr/sbin # smbd -b | grep LDAP
+ HAVE_LDAP_H
+ HAVE_LDAP
+ HAVE_LDAP_DOMAIN2HOSTLIST
+ HAVE_LDAP_INIT
+ HAVE_LDAP_INITIALIZE
+ HAVE_LDAP_SET_REBIND_PROC
+ HAVE_LIBLDAP
+ LDAP_SET_REBIND_PROC_ARGS
+</screen>
+ This does look promising; <command>smbd</command> has been built with Kerberos and LDAP
+ support. You are relieved to know that it is safe to progress.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Kerberos</primary>
+ <secondary>libraries</secondary>
+ </indexterm><indexterm>
+ <primary>MIT Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>Heimdal Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ <secondary>MIT</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ <secondary>Heimdal</secondary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>SerNet</primary>
+ </indexterm><indexterm>
+ <primary>validated</primary>
+ </indexterm>
+ The next step is to identify which version of the Kerberos libraries have been used.
+ In order to permit Samba-3 to interoperate with Windows 2003 Active Directory, it is
+ essential that it has been linked with either MIT Kerberos version 1.3.1 or later,
+ or that it has been linked with Heimdal Kerberos 0.6 plus specific patches. You may
+ identify what version of the MIT Kerberos libraries are installed on your system by
+ executing (on Red Hat Linux):
+<screen>
+&rootprompt; rpm -q krb5
+</screen>
+ Or on SUSE Linux, execute:
+<screen>
+&rootprompt; rpm -q heimdal
+</screen>
+ Please note that the RPMs provided by the Samba-Team are known to be working and have
+ been validated. Red Hat Linux RPMs may be obtained from the Samba FTP sites. SUSE
+ Linux RPMs may be obtained from <ulink url="ftp://ftp.sernet.de">Sernet</ulink> in
+ Germany.
+ </para>
+
+ <para>
+ From this point on, you are certain that the Samba-3 build you are using has the
+ necessary capabilities. You can now configure Samba-3 and the name service
+ switcher (NSS).
+ </para></step>
+
+ <step><para>
+ Using you favorite editor, configure the &smb.conf; file that is located in the
+ <filename>/etc/samba</filename> directory so that it has the contents shown
+ in <link linkend="ch9-adssdm"/>.
+ </para></step>
+
+ <step><para>
+ Edit or create the NSS control file so it has the contents shown in <link linkend="ch9-nsswbnd"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/samba/secrets.tdb</primary>
+ </indexterm>
+ Delete the file <filename>/etc/samba/secrets.tdb</filename>, if it exists. Of course, you
+ do keep a backup, don't you?
+ </para></step>
+
+ <step><para>
+ Delete the tdb files that cache Samba information. You keep a backup of the old
+ files, of course. You also remove all files to ensure that nothing can pollute your
+ nice, new configuration. Execute the following (example is for SUSE Linux):
+<screen>
+&rootprompt; rm /var/lib/samba/*tdb
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ Validate your &smb.conf; file using <command>testparm</command> (as you have
+ done previously). Correct all errors reported before proceeding. The command you
+ execute is:
+<screen>
+&rootprompt; testparm -s | less
+</screen>
+ Now that you are satisfied that your Samba server is ready to join the Windows
+ ADS Domain, let's move on.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>ads</secondary>
+ <tertiary>join</tertiary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm>
+ This is a good time to double-check everything and then execute the following
+ command when everything you have done has checked out okay:
+<screen>
+&rootprompt; net ads join -UAdministrator%not24get
+Using short domain name -- LONDON
+Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ'
+</screen>
+ You have successfully made your Samba-3 server a member of the ADS Domain
+ using Kerberos protocols.
+ </para>
+
+ <para><indexterm>
+ <primary>silent return</primary>
+ </indexterm><indexterm>
+ <primary>failed join</primary>
+ </indexterm>
+ In the event that you receive no output messages, a silent return means that the
+ Domain join failed. You should use <command>ethereal</command> to identify what
+ may be failing. Common causes of a failed join include:
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>name resolution</primary>
+ <secondary>Defective</secondary>
+ </indexterm>
+ Defective or misconfigured DNS name resolution.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Restrictive security</primary>
+ </indexterm>
+ Restrictive security settings on the Windows 200x ADS Domain controller
+ preventing needed communications protocols. You can check this by searching
+ the Windows Server 200x Event Viewer.
+ </para></listitem>
+
+ <listitem><para>
+ Incorrectly configured &smb.conf; file settings.
+ </para></listitem>
+
+ <listitem><para>
+ Lack of support of necessary Kerberos protocols because the version of MIT
+ Kerberos (or Heimdal) in use is not up to date enough to support the necessary
+ functionality.
+ </para></listitem>
+ </itemizedlist>
+ <indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm><indexterm>
+ <primary>RPC</primary>
+ </indexterm><indexterm>
+ <primary>mixed mode</primary>
+ </indexterm>
+ In any case, never execute the <command>net rpc join</command> command in an attempt
+ to join the Samba server to the Domain, unless you wish not to use the Kerberos
+ security protocols. Use of the older RPC-based Domain join facility requires that
+ Windows Server 200x ADS has been configured appropriately for mixed mode operation.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>tdbdump</primary>
+ </indexterm><indexterm>
+ <primary>/etc/samba/secrets.tdb</primary>
+ </indexterm>
+ If the <command>tdbdump</command> is installed on your system (not essential),
+ you can look inside the <filename>/etc/samba/secrets.tdb</filename> file. If
+ you wish to do this, execute:
+<screen>
+&rootprompt; tdbdump secrets.tdb
+{
+key = "SECRETS/SID/LONDON"
+data = "\01\04\00\00\00\00\00\05\15\00\00\00\EBw\86\F1\ED\BD\
+ F6{\5C6\E5W\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
+ 00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\
+ 00\00\00\00\00\00\00\00"
+}
+{
+key = "SECRETS/MACHINE_PASSWORD/LONDON"
+data = "le3Q5FPnN5.ueC\00"
+}
+{
+key = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/LONDON"
+data = "\02\00\00\00"
+}
+{
+key = "SECRETS/MACHINE_LAST_CHANGE_TIME/LONDON"
+data = "E\89\F6?"
+}
+</screen>
+ This is given to demonstrate to the skeptics that this process truly does work.
+ </para></step>
+
+ <step><para>
+ It is now time to start Samba in the usual way (as has been done many time before
+ in this book).
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>wbinfo</primary>
+ </indexterm>
+ This is a good time to verify that everything is working. First, check that
+ winbind is able to obtain the list of users and groups from the ADS Domain Controller.
+ Execute the following:
+<screen>
+&rootprompt; wbinfo -u
+LONDON+Administrator
+LONDON+Guest
+LONDON+SUPPORT_388945a0
+LONDON+krbtgt
+LONDON+jht
+</screen>
+ Good, the list of users was obtained. Now do likewise for group accounts:
+<screen>
+&rootprompt; wbinfo -g
+LONDON+Domain Computers
+LONDON+Domain Controllers
+LONDON+Schema Admins
+LONDON+Enterprise Admins
+LONDON+Domain Admins
+LONDON+Domain Users
+LONDON+Domain Guests
+LONDON+Group Policy Creator Owners
+LONDON+DnsUpdateProxy
+</screen>
+ Excellent. That worked also, as expected.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ Now repeat this via NSS to validate that full Identity resolution is
+ functional as required. Execute:
+<screen>
+&rootprompt; getent passwd
+...
+LONDON+Administrator:x:10000:10000:Administrator:
+ /home/LONDON/administrator:/bin/bash
+LONDON+Guest:x:10001:10001:Guest:
+ /home/LONDON/guest:/bin/bash
+LONDON+SUPPORT_388945a0:x:10002:10000:SUPPORT_388945a0:
+ /home/LONDON/support_388945a0:/bin/bash
+LONDON+krbtgt:x:10003:10000:krbtgt:
+ /home/LONDON/krbtgt:/bin/bash
+LONDON+jht:x:10004:10000:John H. Terpstra:
+ /home/LONDON/jht:/bin/bash
+</screen>
+ Okay, ADS user accounts are being resolved. Now you try group resolution as follows:
+<screen>
+&rootprompt; getent group
+...
+LONDON+Domain Computers:x:10002:
+LONDON+Domain Controllers:x:10003:
+LONDON+Schema Admins:x:10004:LONDON+Administrator
+LONDON+Enterprise Admins:x:10005:LONDON+Administrator
+LONDON+Domain Admins:x:10006:LONDON+jht,LONDON+Administrator
+LONDON+Domain Users:x:10000:
+LONDON+Domain Guests:x:10001:
+LONDON+Group Policy Creator Owners:x:10007:LONDON+Administrator
+LONDON+DnsUpdateProxy:x:10008:
+</screen>
+ This is very pleasing. Everything works as expected.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>ads</secondary>
+ <tertiary>info</tertiary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm>
+ You may now perform final verification that communications between Samba-3 winbind and
+ the Active Directory server is using Kerberos protocols. Execute the following:
+<screen>
+&rootprompt; net ads info
+LDAP server: 192.168.2.123
+LDAP server name: w2k3s
+Realm: LONDON.ABMAS.BIZ
+Bind Path: dc=LONDON,dc=ABMAS,dc=BIZ
+LDAP port: 389
+Server time: Sat, 03 Jan 2004 02:44:44 GMT
+KDC server: 192.168.2.123
+Server time offset: 2
+</screen>
+ It should be noted that Kerberos protocols are time-clock critical. You should
+ keep all server time clocks synchronized using the network time protocol (NTP).
+ In any case, the output we obtained confirms that all systems are operational.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>ads</secondary>
+ <tertiary>status</tertiary>
+ </indexterm>
+ There is one more action you elect to take, just because you are paranoid and disbelieving,
+ so you execute the following command:
+<programlisting>
+&rootprompt; net ads status -UAdministrator%not24get
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+objectClass: computer
+cn: fran
+distinguishedName: CN=fran,CN=Computers,DC=london,DC=abmas,DC=biz
+instanceType: 4
+whenCreated: 20040103092006.0Z
+whenChanged: 20040103092006.0Z
+uSNCreated: 28713
+uSNChanged: 28717
+name: fran
+objectGUID: 58f89519-c467-49b9-acb0-f099d73696e
+userAccountControl: 69632
+badPwdCount: 0
+codePage: 0
+countryCode: 0
+badPasswordTime: 0
+lastLogoff: 0
+lastLogon: 127175965783327936
+localPolicyFlags: 0
+pwdLastSet: 127175952062598496
+primaryGroupID: 515
+objectSid: S-1-5-21-4052121579-2079768045-1474639452-1109
+accountExpires: 9223372036854775807
+logonCount: 13
+sAMAccountName: fran$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 3.0.2-SUSE
+dNSHostName: fran
+userPrincipalName: HOST/fran@LONDON.ABMAS.BIZ
+servicePrincipalName: CIFS/fran.london.abmas.biz
+servicePrincipalName: CIFS/fran
+servicePrincipalName: HOST/fran.london.abmas.biz
+servicePrincipalName: HOST/fran
+objectCategory: CN=Computer,CN=Schema,CN=Configuration,
+ DC=london,DC=abmas,DC=biz
+isCriticalSystemObject: FALSE
+-------------- Security Descriptor (revision: 1, type: 0x8c14)
+owner SID: S-1-5-21-4052121579-2079768045-1474639452-512
+group SID: S-1-5-21-4052121579-2079768045-1474639452-513
+------- (system) ACL (revision: 4, size: 120, number of ACEs: 2)
+------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
+ mask: 0x20, object flags: 0x3)
+access SID: S-1-1-0
+access type: AUDIT OBJECT
+Permissions:
+ [Write All Properties]
+------- ACE (type: 0x07, flags: 0x5a, size: 0x38,
+ mask: 0x20, object flags: 0x3)
+access SID: S-1-1-0
+access type: AUDIT OBJECT
+Permissions:
+ [Write All Properties]
+------- (user) ACL (revision: 4, size: 1944, number of ACEs: 40)
+------- ACE (type: 0x00, flags: 0x00, size: 0x24, mask: 0xf01ff)
+access SID: S-1-5-21-4052121579-2079768045-1474639452-512
+access type: ALLOWED
+Permissions: [Full Control]
+------- ACE (type: 0x00, flags: 0x00, size: 0x18, mask: 0xf01ff)
+access SID: S-1-5-32-548
+...
+------- ACE (type: 0x05, flags: 0x12, size: 0x38,
+ mask: 0x10, object flags: 0x3)
+access SID: S-1-5-9
+access type: ALLOWED OBJECT
+Permissions:
+ [Read All Properties]
+-------------- End Of Security Descriptor
+</programlisting>
+ And now you have conclusive proof that your Samba-3 ADS Domain Member Server
+ called <constant>FRAN</constant>, is able to communicate fully with the ADS
+ Domain Controllers.
+ </para></step>
+ </procedure>
+
+
+ <para>
+ Your Samba-3 ADS Domain Member server is ready for use. During training sessions,
+ you may be asked what is inside the <filename>winbindd_cache.tdb and winbindd_idmap.tdb</filename>
+ files. Since curiosity just took hold of you, execute the following:
+<programlisting>
+&rootprompt; tdbdump /var/lib/samba/winbindd_idmap.tdb
+{
+key = "S-1-5-21-4052121579-2079768045-1474639452-501\00"
+data = "UID 10001\00"
+}
+{
+key = "UID 10005\00"
+data = "S-1-5-21-4052121579-2079768045-1474639452-1111\00"
+}
+{
+key = "GID 10004\00"
+data = "S-1-5-21-4052121579-2079768045-1474639452-518\00"
+}
+{
+key = "S-1-5-21-4052121579-2079768045-1474639452-502\00"
+data = "UID 10003\00"
+}
+...
+
+&rootprompt; tdbdump /var/lib/samba/winbindd_cache.tdb
+{
+key = "UL/LONDON"
+data = "\00\00\00\00bp\00\00\06\00\00\00\0DAdministrator\0D
+ Administrator-S-1-5-21-4052121579-2079768045-1474639452-500-
+ S-1-5-21-4052121579-2079768045-1474639452-513\05Guest\05
+ Guest-S-1-5-21-4052121579-2079768045-1474639452-501-
+ S-1-5-21-4052121579-2079768045-1474639452-514\10
+ SUPPORT_388945a0\10SUPPORT_388945a0.
+ S-1-5-21-4052121579-2079768045-1474639452-1001-
+ S-1-5-21-4052121579-2079768045-1474639452-513\06krbtgt\06
+ krbtgt-S-1-5-21-4052121579-2079768045-1474639452-502-
+ S-1-5-21-4052121579-2079768045-1474639452-513\03jht\10
+ John H. Terpstra.S-1-5-21-4052121579-2079768045-1474639452-1110-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+{
+key = "GM/S-1-5-21-4052121579-2079768045-1474639452-512"
+data = "\00\00\00\00bp\00\00\02\00\00\00.
+ S-1-5-21-4052121579-2079768045-1474639452-1110\03
+ jht\01\00\00\00-S-1-5-21-4052121579-2079768045-1474639452-500\0D
+ Administrator\01\00\00\00"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-513"
+data = "\00\00\00\00xp\00\00\02\00\00\00\0CDomain Users"
+}
+{
+key = "GM/S-1-5-21-4052121579-2079768045-1474639452-518"
+data = "\00\00\00\00bp\00\00\01\00\00\00-
+ S-1-5-21-4052121579-2079768045-1474639452-500\0D
+ Administrator\01\00\00\00"
+}
+{
+key = "SEQNUM/LONDON\00"
+data = "xp\00\00C\92\F6?"
+}
+{
+key = "U/S-1-5-21-4052121579-2079768045-1474639452-1110"
+data = "\00\00\00\00xp\00\00\03jht\10John H. Terpstra.
+ S-1-5-21-4052121579-2079768045-1474639452-1110-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+{
+key = "NS/S-1-5-21-4052121579-2079768045-1474639452-502"
+data = "\00\00\00\00bp\00\00-
+ S-1-5-21-4052121579-2079768045-1474639452-502"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-1001"
+data = "\00\00\00\00bp\00\00\01\00\00\00\10SUPPORT_388945a0"
+}
+{
+key = "SN/S-1-5-21-4052121579-2079768045-1474639452-500"
+data = "\00\00\00\00bp\00\00\01\00\00\00\0DAdministrator"
+}
+{
+key = "U/S-1-5-21-4052121579-2079768045-1474639452-502"
+data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt-
+ S-1-5-21-4052121579-2079768045-1474639452-502-
+ S-1-5-21-4052121579-2079768045-1474639452-513"
+}
+....
+</programlisting>
+ Now all is revealed. Your curiosity, as well as that of those with you, has been put at ease.
+ May this server serve well all who happen upon it.
+ </para>
+
+<smbconfexample id="ch9-adssdm">
+<title>Samba Domain Member &smb.conf; File for Active Directory Membership</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+<smbconfoption><name>workgroup</name><value>LONDON</value></smbconfoption>
+<smbconfoption><name>realm</name><value>LONDON.ABMAS.BIZ</value></smbconfoption>
+<smbconfoption><name>server string</name><value>Samba 3.0.2</value></smbconfoption>
+<smbconfoption><name>security</name><value>ADS</value></smbconfoption>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>ldap ssl</name><value>no</value></smbconfoption>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+<smbconfoption><name>template primary group</name><value>"Domain Users"</value></smbconfoption>
+<smbconfoption><name>template shell</name><value>/bin/bash</value></smbconfoption>
+<smbconfoption><name>winbind separator</name><value>+</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+<smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>root, Administrator</value></smbconfoption>
+<smbconfoption><name>write list</name><value>root</value></smbconfoption>
+</smbconfexample>
+
+ </sect2>
+
+ <sect2>
+ <title>UNIX/Linux Client Domain Member</title>
+
+ <para><indexterm>
+ <primary>user credentials</primary>
+ </indexterm>
+ So far this chapter has been mainly concerned with the provision of file and print
+ services for Domain Member servers. However, an increasing number of UNIX/Linux
+ workstations are being installed that do not act as file or print servers to anyone
+ other than a single desktop user. The key demand for desktop systems is to be able
+ to log onto any UNIX/Linux or Windows desktop using the same network user credentials.
+ </para>
+
+ <para><indexterm>
+ <primary>Single Sign-On</primary>
+ <see>SOS</see>
+ </indexterm>
+ The ability to use a common set of user credential across a variety of network systems
+ is generally regarded as a Single Sign-On (SOS) solution. SOS systems are sold by a
+ large number of vendors and include a range of technologies such as:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Proxy sign-on
+ </para></listitem>
+
+ <listitem><para>
+ Federated directory provisioning
+ </para></listitem>
+
+ <listitem><para>
+ Meta-directory server solutions
+ </para></listitem>
+
+ <listitem><para>
+ Replacement authentication systems
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>Identity management</primary>
+ </indexterm>
+ There are really only three solutions that provide integrated authentication and
+ user Identity management facilities:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Samba Winbind (free)
+ </para></listitem>
+
+ <listitem><para>
+ <ulink url="http://www.padl.com">PADL</ulink> PAM and LDAP Tools (free)
+ </para></listitem>
+
+ <listitem><para>
+ <ulink url="http://www.vintela.com">Vintela</ulink> Authentication Services (Commercial)
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ The following guidelines are pertinent in respect of the deployment of winbind-based authentication
+ and Identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops
+ using Windows network Domain user credentials (username and password).
+ </para>
+
+ <para>
+ You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed
+ systems logons (SSO) providing user and group accounts are stored in an LDAP directory. This
+ provides logon services for UNIX/Linux users, while Windows users obtain their sign-on
+ support via Samba-3.
+ </para>
+
+ <para><indexterm>
+ <primary>Windows Services for UNIX</primary>
+ <see>SUS</see>
+ </indexterm>
+ On the other hand, if the authentication and Identity resolution backend must be provided by
+ a Windows NT4 style Domain or from an Active Directory Domain that does not have the Microsoft
+ Windows Services for UNIX (SUS) installed, winbind is your best friend. Specific guidance for these
+ situations now follows.
+ </para>
+
+ <para><indexterm>
+ <primary>PAM</primary>
+ </indexterm><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm>
+ To permit users to log onto a Linux system using Windows network credentials, you need to
+ configure Identity resolution (NSS) and PAM. This means that the basic steps include those
+ outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
+ usually do not need to provide file and print services to a group of users, the configuration
+ of shares and printers is generally less important. Often this allows the share specifications
+ to be entirely removed from the &smb.conf; file. That is obviously an administrator decision.
+ </para>
+
+ <sect3>
+ <title>NT4 Domain Member</title>
+
+ <para>
+ The following steps provide a Linux system that users can log onto using
+ Windows NT4 Domain (or Samba-3) Domain network credentials:
+ </para>
+
+ <procedure>
+ <step><para>
+ Follow the steps outlined in <link linkend="wdcsdm"/> and ensure that
+ all validation tests function as shown.
+ </para></step>
+
+ <step><para>
+ Identify what services users must log onto. On Red Hat Linux, if it is
+ intended that the user shall be given access to all services, it may be
+ most expeditious to simply configure the file
+ <filename>/etc/pam.d/system-auth</filename>.
+ </para></step>
+
+ <step><para>
+ Carefully make a backup copy of all PAM configuration files before you
+ begin making changes. If you break the PAM configuration, please note
+ that you may need to use an emergency boot process to recover your Linux
+ system. It is possible to break the ability to log into the system if
+ PAM files are incorrectly configured. The entire directory
+ <filename>/etc/pam.d</filename> should be backed up to a safe location.
+ </para></step>
+
+ <step><para>
+ If you require only console login support, edit the <filename>/etc/pam.d/login</filename>
+ so it matches <link linkend="ch9-pamwnbdlogin"/>.
+ </para></step>
+
+ <step><para>
+ To provide the ability to log onto the graphical desktop interface, you must edit
+ the files <filename>gdm</filename> and <filename>xdm</filename> in the
+ <filename>/etc/pam.d</filename> directory.
+ </para></step>
+
+ <step><para>
+ Edit only one file at a time. Carefully validate its operation before attempting
+ to reboot the machine.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ <sect3>
+ <title>ADS Domain Member</title>
+
+ <para>
+ This procedure should be followed to permit a Linux network client (workstation/desktop)
+ to permit users to log on using Microsoft Active Directory based user credentials.
+ </para>
+
+ <procedure>
+ <step><para>
+ Follow the steps outlined in <link linkend="adssdm"/> and ensure that
+ all validation tests function as shown.
+ </para></step>
+
+ <step><para>
+ Identify what services users must log onto. On Red Hat Linux, if it is
+ intended that the user shall be given access to all services, it may be
+ most expeditious to simply configure the file
+ <filename>/etc/pam.d/system-auth</filename> as shown in <link linkend="ch9-rhsysauth"/>.
+ </para></step>
+
+ <step><para>
+ Carefully make a backup copy of all PAM configuration files before you
+ begin making changes. If you break the PAM configuration, please note
+ that you may need to use an emergency boot process to recover your Linux
+ system. It is possible to break the ability to log into the system if
+ PAM files are incorrectly configured. The entire directory
+ <filename>/etc/pam.d</filename> should be backed up to a safe location.
+ </para></step>
+
+ <step><para>
+ If you require only console login support, edit the <filename>/etc/pam.d/login</filename>
+ so it matches <link linkend="ch9-pamwnbdlogin"/>.
+ </para></step>
+
+ <step><para>
+ To provide the ability to log onto the graphical desktop interface, you must edit
+ the files <filename>gdm</filename> and <filename>xdm</filename> in the
+ <filename>/etc/pam.d</filename> directory.
+ </para></step>
+
+ <step><para>
+ Edit only one file at a time. Carefully validate its operation before attempting
+ to reboot the machine.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+<example id="ch9-pamwnbdlogin">
+<title>SUSE: PAM <filename>login</filename> Module Using Winbind</title>
+<screen>
+# /etc/pam.d/login
+
+#%PAM-1.0
+auth sufficient pam_unix2.so nullok
+auth sufficient pam_winbind.so use_first_pass use_authtok
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_mail.so
+account sufficient pam_unix2.so
+account sufficient pam_winbind.so user_first_pass use_authtok
+password required pam_pwcheck.so nullok
+password sufficient pam_unix2.so nullok use_first_pass use_authtok
+password sufficient pam_winbind.so use_first_pass use_authtok
+session sufficient pam_unix2.so none
+session sufficient pam_winbind.so use_first_pass use_authtok
+session required pam_limits.so
+</screen>
+</example>
+
+<example id="ch9-pamwbndxdm">
+<title>SUSE: PAM <filename>xdm</filename> Module Using Winbind</title>
+<screen>
+# /etc/pam.d/gdm (/etc/pam.d/xdm)
+
+#%PAM-1.0
+auth sufficient pam_unix2.so nullok
+auth sufficient pam_winbind.so use_first_pass use_authtok
+account sufficient pam_unix2.so
+account sufficient pam_winbind.so use_first_pass use_authtok
+password sufficient pam_unix2.so
+password sufficient pam_winbind.so use_first_pass use_authtok
+session sufficient pam_unix2.so
+session sufficient pam_winbind.so use_first_pass use_authtok
+session required pam_dev perm.so
+session required pam_resmgr.so
+</screen>
+</example>
+
+<example id="ch9-rhsysauth">
+<title>Red Hat 9: PAM System Authentication File: <filename>/etc/pam.d/system-auth</filename> Module Using Winbind</title>
+<screen>
+#%PAM-1.0
+auth required /lib/security/$ISA/pam_env.so
+auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
+auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+auth required /lib/security/$ISA/pam_deny.so
+
+account required /lib/security/$ISA/pam_unix.so
+account sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+
+password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
+# Note: The above line is complete. There is nothing following the '='
+password sufficient /lib/security/$ISA/pam_unix.so \
+ nullok use_authtok md5 shadow
+password sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+password required /lib/security/$ISA/pam_deny.so
+
+session required /lib/security/$ISA/pam_limits.so
+session sufficient /lib/security/$ISA/pam_unix.so
+session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
+ learned how to integrate such servers so that the UID/GID mappings they use can be consistent
+ across all Domain Member servers. You also discovered how to implement the ability to use Samba
+ or Windows Domain account credentials to log onto a UNIX/Linux client.
+ </para>
+
+ <para>
+ The following are key points noted:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Domain Controllers are always authoritative for the Domain.
+ </para></listitem>
+
+ <listitem><para>
+ Domain Members may have local accounts and must be able to resolve the identity of
+ Domain user accounts. Domain user account identity must map to a local UID/GID. That
+ local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data
+ across all Domain Member machines.
+ </para></listitem>
+
+ <listitem><para>
+ Resolution of user and group identities on Domain Member machines may be implemented
+ using direct LDAP services or using winbind.
+ </para></listitem>
+
+ <listitem><para>
+ On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for Identity management
+ and PAM is responsible for authentication of logon credentials (user name and password).
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ The following questions were obtained from the mailing list and also from private discussions
+ with Windows network administrators.
+ </para>
+
+ <qandaset defaultlabel="chap09qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ We use NIS for all UNIX accounts. Why do we need winbind?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>encrypted passwords</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>Winbind</primary>
+ </indexterm>
+ You can use NIS for your UNIX accounts. NIS does not store the Windows encrypted
+ passwords that need to be stored in one of the acceptable passdb backends.
+ Your choice of backend is limited to <parameter>smbpasswd</parameter> or
+ <parameter>tdbsam</parameter>. Winbind is needed to handle the resolution of
+ SIDs from trusted domains to local UID/GID values.
+ </para>
+
+ <para><indexterm>
+ <primary>winbind trusted domains only</primary>
+ </indexterm><indexterm>
+ <primary>getpwnam()</primary>
+ </indexterm>
+ On a Domain Member server, you effectively map Windows Domain users to local users
+ that are in your NIS database by specifying the <parameter>winbind trusted domains
+ only</parameter>. This causes user and group account lookups to be routed via
+ the <command>getpwnam()</command> family of systems calls. On an NIS-enabled client,
+ this pushes the resolution of users and groups out through NIS.
+ </para>
+
+ <para>
+ As a general rule, it is always a good idea to run winbind on all Samba servers.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Our IT management people do not like LDAP, but are looking at Microsoft Active Directory.
+ Which is better?<indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>schema</primary>
+ </indexterm>
+ Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos
+ infrastructure. Most IT managers who object to LDAP do so because of the fact that
+ an LDAP server is most often supplied as a raw tool that needs to be configured, and
+ for which the administrator must create the schema, create the administration tools and
+ devise the backup and recovery facilities in a site dependent manner. LDAP servers
+ in general are seen as a high-energy, high-risk facility.
+ </para>
+
+ <para><indexterm>
+ <primary>management</primary>
+ </indexterm>
+ Microsoft Active Directory by comparison is easy to install, configure, and
+ is supplied with all tools necessary to implement and manage the directory. For sites
+ that lack a lot of technical competence, Active Directory is a good choice. For sites
+ that have the technical competence to handle Active Directory well, LDAP is a good
+ alternative. The real issue that needs to be addressed is what type of solution does
+ the site want? If management wants a choice to use an alternative, they may want to
+ consider the options. On the other hand, if management just wants a solution that works,
+ Microsoft Active Directory is a good solution.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ We want to implement a Samba PDC, four Samba BDCs, and 10 Samba servers. Is it possible
+ to use NIS in place of LDAP?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>encrypted passwords</primary>
+ </indexterm><indexterm>
+ <primary>synchronized</primary>
+ </indexterm><indexterm>
+ <primary>secure account password</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping
+ the Windows (SMB) encrypted passwords database correctly synchronized across the entire
+ network. Workstations (Windows client machines) periodically change their Domain
+ Membership secure account password. How can you keep changes that are on remote BDCs
+ synchronized on the PDC?
+ </para>
+
+ <para><indexterm>
+ <primary>centralized storage</primary>
+ </indexterm><indexterm>
+ <primary>management</primary>
+ </indexterm><indexterm>
+ <primary>network Identities</primary>
+ </indexterm>
+ LDAP is a more elegant solution because it permits centralized storage and management
+ of all network Identities (user, group and machine accounts) together with all information
+ Samba needs to provide to network clients and their users.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Are you suggesting that users should not log onto a Domain Member server? If so, why?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>data</primary>
+ <secondary>integrity</secondary>
+ </indexterm><indexterm>
+ <primary>mapped drives</primary>
+ </indexterm>
+ Many UNIX administrators mock the model that the Personal Computer industry has adopted
+ as normative since the early days of Novell Netware. One may well argue that the old
+ perception of the necessity to keep users off file and print servers was a result of
+ fears concerning the security and integrity of data. It was a simple and generally
+ effective measure to keep users away from servers, except through mapped drives.
+ </para>
+
+ <para><indexterm>
+ <primary>user logins</primary>
+ </indexterm><indexterm>
+ <primary>risk</primary>
+ </indexterm><indexterm>
+ <primary>user errors</primary>
+ </indexterm><indexterm>
+ <primary>strategy</primary>
+ </indexterm><indexterm>
+ <primary>policy</primary>
+ </indexterm>
+ UNIX administrators are fully correct in asserting that UNIX servers and workstations
+ are identical in terms of the software that is installed. They correctly assert that
+ in a well secured environment it is safe to store files on a system that has hundreds
+ of users. But all network administrators must factor into the decision to allow or
+ reject general user logins to a UNIX system that is principally a file and print
+ server. One must take account of the risk to operations through simple user errors.
+ Only then can one begin to appraise the best strategy and adopt a site-specific
+ policy that best protects the needs of users and of the organization alike.
+ </para>
+
+ <para><indexterm>
+ <primary>system level logins</primary>
+ </indexterm>
+ From experience, it is my recommendation to keep general system level logins to a
+ practical minimum and to eliminate them if possible. This should not be taken as a
+ hard rule, though. The better question is, what works best for the site?
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>winbind enable local accounts</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>options list</primary>
+ </indexterm><indexterm>
+ <primary>ACL</primary>
+ </indexterm><indexterm>
+ <primary>share</primary>
+ </indexterm>
+ In my &smb.conf; file, I enabled the parameter <parameter>winbind enable local accounts
+ </parameter> on all Domain Member servers, but it does not work. The accounts I put in
+ <filename>/etc/passwd</filename> do not show up in the options list when I try to set an
+ ACL on a share. What have I done wrong?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>local users</primary>
+ </indexterm><indexterm>
+ <primary>local groups</primary>
+ </indexterm><indexterm>
+ <primary>UNIX account</primary>
+ </indexterm><indexterm>
+ <primary>getpwnam()</primary>
+ </indexterm><indexterm>
+ <primary>getgrgid()</primary>
+ </indexterm><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>failure</primary>
+ </indexterm><indexterm>
+ <primary>Domain</primary>
+ </indexterm>
+ The manual page for this &smb.conf; file parameter clearly says, <quote>This parameter
+ controls whether or not winbindd will act as a stand in replacement for the various
+ account management hooks in smb.conf (for example, add user script). If enabled, winbindd
+ will support the creation of local users and groups as another source of UNIX account
+ information available via getpwnam() or getgrgid(), etc...</quote> By default this
+ parameter is already enabled; therefore, the action you are seeing is a result of a failure
+ of Identity resolution in the Domain.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain logons</primary>
+ </indexterm><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>Domain</primary>
+ <secondary>user</secondary>
+ </indexterm><indexterm>
+ <primary>Domain</primary>
+ <secondary>group</secondary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>GID</primary>
+ </indexterm>
+ These are the accounts that are available for Windows network Domain logons. Providing
+ Identity resolution has been correctly configured on the Domain Controllers, as well as
+ on Domain Member servers. The Domain user and group identities automatically map
+ to a valid local UID and GID pair.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>trusted domains</primary>
+ </indexterm><indexterm>
+ <primary>domain</primary>
+ <secondary>trusted</secondary>
+ </indexterm><indexterm>
+ <primary>winbind trusted domains only</primary>
+ </indexterm><indexterm>
+ <primary>domain members</primary>
+ </indexterm>
+ We want to ensure that only users from our own domain plus from trusted domains can use our
+ Samba servers. In the &smb.conf; file on all servers, we have enabled the <parameter>winbind
+ trusted domains only</parameter> parameter. We now find that users from trusted domains
+ cannot access our servers, and users from Windows clients that are not domain members
+ can also access our servers. Is this a Samba bug?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>distributed</primary>
+ </indexterm><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>rsync</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm>
+ The manual page for this <parameter>winbind trusted domains only</parameter> parameter says,
+ <quote>This parameter is designed to allow Samba servers that are members of a Samba controlled
+ domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users
+ in the hosts primary domain. Therefore, the user <constant>SAMBA\user1</constant> would be
+ mapped to the account <constant>user1</constant> in <filename>/etc/passwd</filename> instead
+ of allocating a new UID for him or her.</quote> This would clearly suggest that you are trying
+ to use this parameter inappropriately.
+ </para>
+
+ <para><indexterm>
+ <primary>valid users</primary>
+ </indexterm>
+ A far better solution would be to use the <parameter>valid users</parameter> by specifying
+ precisely the Domain users and groups that should be permitted access to the shares. You could,
+ for example, set the following parameters:
+<screen>
+[demoshare]
+ path = /export/demodata
+ valid users = @"Domain Users", @"OTHERDOMAIN\Domain Users"
+</screen>
+ </para>
+
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What are the benefits of using LDAP for my Domain Member servers?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>benefit</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>GID</primary>
+ </indexterm><indexterm>
+ <primary>Domain Controllers</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member servers</primary>
+ </indexterm><indexterm>
+ <primary>copy</primary>
+ </indexterm><indexterm>
+ <primary>replicate</primary>
+ </indexterm><indexterm>
+ <primary>identity</primary>
+ </indexterm>
+ The key benefit of using LDAP is that the UID of all users and the GID of all groups
+ are globally consistent on Domain Controllers as well as on Domain Member servers.
+ This means that it is possible to copy/replicate files across servers without
+ loss of identity.
+ </para>
+
+ <para><indexterm>
+ <primary>Identity resolution</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>IDMAP backend</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>Domain Controllers</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>servers</secondary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm><indexterm>
+ <primary>account information</primary>
+ </indexterm>
+ When use is made of account Identity resolution via winbind, even when an IDMAP backend
+ is stored in LDAP, the UID/GID on Domain Member servers is consistent, but differs
+ from the ID that the user/group has on Domain Controllers. The winbind allocated UID/GID
+ that is stored in LDAP (or locally) will be in the numeric range specified in the <parameter>
+ idmap uid/gid</parameter> in the &smb.conf; file. On Domain Controllers, the UID/GID is
+ that of the Posix value assigned in the LDAP directory as part of the Posix account information.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is proper DNS operation necessary for Samba-3 plus LDAP? If so, what must I put into
+ my DNS configuration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>DNS</primary>
+ <secondary>configuration</secondary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ <secondary>lookup</secondary>
+ </indexterm><indexterm>
+ <primary>hosts</primary>
+ </indexterm><indexterm>
+ <primary>/etc/nsswitch.conf</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm><indexterm>
+ <primary>WINS</primary>
+ <secondary>lookup</secondary>
+ </indexterm>
+ Samba depends on correctly functioning resolution of host names to their IP address. Samba
+ makes no direct DNS lookup calls, but rather redirects all name to address calls via the
+ <command>getXXXbyXXX()</command> function calls. The configuration of the <constant>hosts</constant>
+ entry in the NSS <filename>/etc/nsswitch.conf</filename> file determines how the underlying
+ resolution process is implemented. If the <constant>hosts</constant> entry in your NSS
+ control file says:
+<screen>
+hosts: files dns wins
+</screen>
+ This means that a host name lookup first tries the <filename>/etc/hosts</filename>.
+ If this fails to resolve, it attempts a DNS lookup and if that fails, it tries a
+ WINS lookup.
+ </para>
+
+ <para><indexterm>
+ <primary>NetBIOS</primary>
+ </indexterm><indexterm>
+ <primary>TCP/IP</primary>
+ </indexterm><indexterm>
+ <primary>name resolution</primary>
+ </indexterm>
+ The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has
+ been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS
+ is the preferred name resolution technology. This usually makes most sense when Samba
+ is a client of an Active Directory Domain, where NetBIOS use has been disabled. In this
+ case, the Windows 200x auto-registers all locator records it needs with its own DNS
+ server/s.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Our Windows 2003 Server Active Directory Domain runs with NetBIOS disabled. Can we
+ use Samba-3 with that configuration?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>net</primary>
+ <secondary>ads</secondary>
+ <tertiary>join</tertiary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>rpc</secondary>
+ <tertiary>join</tertiary>
+ </indexterm>
+ When I tried to execute <quote>net ads join</quote>, I got no output. It did not work, so
+ I think that it failed. I then executed <quote>net rpc join</quote> and that worked fine.
+ That is okay, isn't it?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm>
+ No. This is not okay. It means that your Samba-3 client has joined the ADS Domain as
+ a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
diff --git a/docs/Samba-Guide/Chap10-KerberosFastStart.xml b/docs/Samba-Guide/Chap10-KerberosFastStart.xml
new file mode 100644
index 0000000000..0851421dfa
--- /dev/null
+++ b/docs/Samba-Guide/Chap10-KerberosFastStart.xml
@@ -0,0 +1,2086 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="kerberos">
+ <title>Active Directory, Kerberos, and Security</title>
+
+ <para><indexterm>
+ <primary>experiment</primary>
+ </indexterm>
+ By this point in the book, you have been exposed to many Samba-3 features and capabilities.
+ More importantly, if you have implemented the examples given, you are well on your way to becoming
+ a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to
+ practice, you likely have thought of improvements and scenarios with which you can experiment. You
+ are rather well plugged in to the many flexible ways Samba can be used.
+ </para>
+
+ <para><indexterm>
+ <primary>criticism</primary>
+ </indexterm>
+ This is a book about Samba-3. Understandably, its intent is to present it in a positive light.
+ The casual observer might conclude that this book is one-eyed about Samba. It is &smbmdash; what
+ would you expect? This chapter exposes some criticisms that have been raised concerning
+ the use of Samba. For each criticism, there are good answers and appropriate solutions.
+ </para>
+
+ <para>
+ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular
+ decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of
+ criticism develops with respect to Abmas.
+ </para>
+
+ <para><indexterm>
+ <primary>straw-man</primary>
+ </indexterm>
+ This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled
+ out of thin air. They were drawn from comments made by Samba users and from criticism during
+ discussions with Windows network administrators. The tone of the objections reflects as closely
+ as possible that of the original. The case presented is a straw-man example that is designed to
+ permit each objection to be answered as it might occur in real life.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para><indexterm>
+ <primary>acquisitions</primary>
+ </indexterm><indexterm>
+ <primary>risk</primary>
+ </indexterm><indexterm>
+ <primary>assessment</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>Windows 2003 Serve</primary>
+ </indexterm>
+ Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took
+ note of the spectacular projection of Abmas onto the global business stage. Abmas is building an
+ interesting portfolio of companies that includes accounting services, financial advice, investment
+ portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
+ business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an
+ interesting business growth and development plan. Abmas Video Rentals has been recently acquired.
+ During the time that the acquisition was closing, the Video Rentals business upgraded their Windows
+ NT4-based network to Windows 2003 Server and Active Directory.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory.
+ The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform.
+ Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to
+ operate with a solution that is viewed by Christine and her group as <quote>an island of broken
+ technologies.</quote> This comment was made by one of Christine's staff as they were installing a new
+ Samba-3 server at the new business.
+ </para>
+
+
+ <para><indexterm>
+ <primary>consultant</primary>
+ </indexterm><indexterm>
+ <primary>hypothetical</primary>
+ </indexterm>
+ Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
+ should make such a comment. He felt that he had to prepare in case he might be criticized for his
+ decision to use Active Directory. He decided he would defend his decision by hiring the services
+ of an outside security systems consultant to report<footnote>This report is entirely fictitious.
+ Any resemblance to a factual report is purely coincidental.</footnote> on his unit's operations
+ and to investigate the role of Samba at his site. Here are key extracts from this hypothetical
+ report:
+ </para>
+
+ <blockquote><para><indexterm>
+ <primary>vulnerabilities</primary>
+ </indexterm><indexterm>
+ <primary>integrity</primary>
+ </indexterm><indexterm>
+ <primary>practices</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
+ has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.
+ ... we took additional steps to validate the integrity of the installation and operation of Active
+ Directory and are pleased that your staff are following sound practices.
+ </para>
+
+ <para>
+ ...
+ </para>
+
+ <para><indexterm>
+ <primary>accounts</primary>
+ <secondary>user</secondary>
+ </indexterm><indexterm>
+ <primary>accounts</primary>
+ <secondary>group</secondary>
+ </indexterm><indexterm>
+ <primary>Backup</primary>
+ </indexterm><indexterm>
+ <primary>disaster recovery</primary>
+ </indexterm><indexterm>
+ <primary>validated</primary>
+ </indexterm><indexterm>
+ <primary>off-site storage</primary>
+ </indexterm>
+ User and Group accounts, and respective privileges, have been well thought out. File system shares are
+ appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
+ effective off-site storage practices are considered to exceed industry norms.
+ </para>
+
+ <para><indexterm>
+ <primary>compromise</primary>
+ </indexterm><indexterm>
+ <primary>secure</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>secure</secondary>
+ </indexterm>
+ Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
+ a secure network.
+ </para>
+
+ <para><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>secure</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>management</secondary>
+ </indexterm>
+ The recently installed Linux file and application server uses a tool called <command>winbind</command>
+ that is indiscriminate about security. All user accounts in Active Directory can be used to access data
+ stored on the Linux system. We are alarmed that secure information is accessible to staff who should
+ not even be aware that it exists. We share the concerns of your network management staff who have gone
+ to great lengths to set fine-grained controls that limit information access to those who need access.
+ It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work.
+ </para>
+
+ <para><indexterm>
+ <primary>isolated</primary>
+ </indexterm><indexterm>
+ <primary>firewall</primary>
+ </indexterm><indexterm>
+ <primary>best practices</primary>
+ </indexterm>
+ Graham Judd [head of network administration] has locked down the security of all systems and is following
+ the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network
+ is isolated from the outside world, the [product name removed] firewall is under current contract
+ maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems
+ failed to find problems common to Windows networking sites. We commend your staff on their attention to
+ detail and for following Microsoft recommended best practices.
+ </para>
+
+ <para>
+ ...
+ </para>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>disable</primary>
+ </indexterm><indexterm>
+ <primary>essential</primary>
+ </indexterm><indexterm>
+ <primary>trusted computing</primary>
+ </indexterm>
+ In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of
+ all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
+ ... what worries us regarding Samba is the need to disable essential Windows security features such as
+ secure channel support, digital sign'n'seal on all communication traffic, running Active Directory in
+ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
+ Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that
+ with trusted computing initiatives that the Samba developers do not participate in.
+ </para>
+
+ <para><indexterm>
+ <primary>integrity</primary>
+ </indexterm><indexterm>
+ <primary>hackers</primary>
+ </indexterm><indexterm>
+ <primary>accountable</primary>
+ </indexterm><indexterm>
+ <primary>flaws</primary>
+ </indexterm><indexterm>
+ <primary>updates</primary>
+ </indexterm><indexterm>
+ <primary>bug fixes</primary>
+ </indexterm><indexterm>
+ <primary>alarm</primary>
+ </indexterm>
+ One wonders about the integrity of an open source program that is developed by a team of hackers
+ who cannot be held accountable for the flaws in their code. The sheer number of updates and bug
+ fixes they have released should ring alarm bells in any business.
+ </para>
+
+ <para><indexterm>
+ <primary>employment</primary>
+ </indexterm><indexterm>
+ <primary>jobs</primary>
+ </indexterm><indexterm>
+ <primary>risk</primary>
+ </indexterm>
+ Another factor that should be considered is that buying Microsoft products and services helps to
+ provide employment in the IT industry. Samba and Open Source software place those jobs at risk.
+ </para></blockquote>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>independent expert</primary>
+ </indexterm>
+ This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple
+ discussion, but it gets further out of hand. When he returns to his office, he finds the following
+ email in his in-box:
+ </para>
+
+ <para>
+ Bob,
+ </para>
+
+ <blockquote><attribution>Stan</attribution><para>
+ I apologize for the leak of internal discussions to the new business. It reflects poorly on our
+ professionalism and has put you in an unpleasant position. I regret the incident.
+ </para>
+
+ <para>
+ I also wish to advise that two of the recent recruits want to implement Kerberos authentication
+ across all systems. I concur with the desire to improve security. One of the new guys who is championing
+ the move to Kerberos was responsible for the comment that caused the embarrassment.
+ </para>
+
+ <para><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>consultant</primary>
+ </indexterm>
+ I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP,
+ plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect
+ to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent,
+ I would like to hire the services of a well-known Samba consultant to set the record straight.
+ </para>
+
+ <para><indexterm>
+ <primary>criticism</primary>
+ </indexterm><indexterm>
+ <primary>policy</primary>
+ </indexterm><indexterm>
+ <primary>Windows Servers</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>budgetted</primary>
+ </indexterm><indexterm>
+ <primary>financial responsibility</primary>
+ </indexterm>
+ I intend to use this report to answer the criticism raised and would like to establish a policy that we
+ will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
+ out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
+ responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
+ use of any centrally proposed standards, but make all non-compliance the financial responsibility of the
+ out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
+ </para></blockquote>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ Bob agreed with Stan's recommendations and has hired your services to help defuse the powder
+ keg. Your task is to answer each of the issues raised with a tractable answer. You must be able
+ to support your claims, keep emotions to a side, and answer technically.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>tool</primary>
+ </indexterm><indexterm>
+ <primary>benefit</primary>
+ </indexterm><indexterm>
+ <primary>choice</primary>
+ </indexterm><indexterm>
+ <primary>consultant</primary>
+ </indexterm><indexterm>
+ <primary>installation</primary>
+ </indexterm><indexterm>
+ <primary>income</primary>
+ </indexterm><indexterm>
+ <primary>employment</primary>
+ </indexterm>
+ Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to
+ make or reject. It is likely that your decision to use Samba can benefit your company more than
+ anyone else. The Samba Team obviously believes that the Samba software is a worthy choice.
+ If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire
+ someone to help manage your Samba installation, you can create income and employment. Alternately,
+ money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
+ or spent creates employment.
+ </para>
+
+ <para><indexterm>
+ <primary>economically sustainable</primary>
+ </indexterm><indexterm>
+ <primary>inter-operability</primary>
+ </indexterm><indexterm>
+ <primary>file and print service</primary>
+ </indexterm><indexterm>
+ <primary>cost</primary>
+ </indexterm><indexterm>
+ <primary>alternative</primary>
+ </indexterm>
+ In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
+ purely to provide file and print service interoperability on platforms that otherwise cannot provide
+ access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to
+ effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an
+ alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
+ </para>
+
+ <para><indexterm>
+ <primary>documentation</primary>
+ </indexterm><indexterm>
+ <primary>responsibility</primary>
+ </indexterm><indexterm>
+ <primary>fix</primary>
+ </indexterm><indexterm>
+ <primary>broken</primary>
+ </indexterm>
+ It would be foolish to adopt a technology that might put any data or users at risk. Security affects
+ everyone. The Samba Team are fully cognizant of the responsibility they have to their users.
+ The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything
+ that is broken.
+ </para>
+
+ <para><indexterm>
+ <primary>commercial</primary>
+ </indexterm><indexterm>
+ <primary>software</primary>
+ </indexterm><indexterm>
+ <primary>commercial software</primary>
+ </indexterm><indexterm>
+ <primary>End User License Agreement</primary>
+ <see>EULA</see>
+ </indexterm><indexterm>
+ <primary>accountable</primary>
+ </indexterm><indexterm>
+ <secondary>liability</secondary>
+ </indexterm><indexterm>
+ <primary>accepts liability</primary>
+ </indexterm><indexterm>
+ <primary>price paid</primary>
+ </indexterm><indexterm>
+ <primary>product defects</primary>
+ </indexterm><indexterm>
+ <primary>reimburse</primary>
+ </indexterm><indexterm>
+ <primary>extent</primary>
+ </indexterm>
+ There is a mistaken perception in the IT industry that commercial software providers are fully
+ accountable for the defects in products. Open Source software comes with no warranty, so it is
+ often assumed that its use confers a higher degree of risk. Everyone should read commercial software
+ End User License Agreements (EULAs). You should determine what real warranty is offered and the
+ extent of liability that is accepted. Doing so soon dispels the popular notion that
+ commercial software vendors are willingly accountable for product defects. In many cases, the
+ commercial vendor accepts liability only to reimburse the price paid for the software.
+ </para>
+
+ <para><indexterm>
+ <primary>consumer</primary>
+ </indexterm><indexterm>
+ <primary>EULA</primary>
+ </indexterm><indexterm>
+ <primary>track record</primary>
+ </indexterm><indexterm>
+ <primary>commercial software</primary>
+ </indexterm><indexterm>
+ <primary>support</primary>
+ </indexterm><indexterm>
+ <primary>vendor</primary>
+ </indexterm>
+ The real issues that a consumer (like you) needs answered is what is the way of escape from technical
+ problems and how long will it take? The average problem turnaround time in the Open Source community is
+ approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
+ industry? What happens when your commercial vendor decides to cease providing support?
+ </para>
+
+ <para><indexterm>
+ <primary>source code</primary>
+ </indexterm><indexterm>
+ <primary>Open Source</primary>
+ </indexterm><indexterm>
+ <primary>hire</primary>
+ </indexterm><indexterm>
+ <primary>programmer</primary>
+ </indexterm><indexterm>
+ <primary>solve</primary>
+ </indexterm><indexterm>
+ <primary>fix</primary>
+ </indexterm><indexterm>
+ <secondary>problem</secondary>
+ </indexterm>
+ Open Source software at least puts you in possession of the source code. This means that when
+ all else fails, you can hire a programmer to solve/fix the problem.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ Each issue is now discussed and, where appropriate, example implementation steps are
+ provided.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Winbind and Security</term>
+ <listitem><para><indexterm>
+ <primary>Winbind</primary>
+ </indexterm><indexterm>
+ <primary>Security</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>administrators</secondary>
+ </indexterm><indexterm>
+ <primary>Domain users</primary>
+ </indexterm><indexterm>
+ <secondary>Domain account</secondary>
+ </indexterm><indexterm>
+ <primary>credentials</primary>
+ </indexterm><indexterm>
+ <primary>Network Neighborhood</primary>
+ </indexterm><indexterm>
+ <primary>UNIX/Linux server</primary>
+ </indexterm><indexterm>
+ <primary>browse</primary>
+ </indexterm><indexterm>
+ <primary>shares</primary>
+ </indexterm>
+ Windows network administrators may be dismayed to find that <command>winbind</command>
+ exposes all Domain users so that they may use their Domain account credentials to
+ log onto a UNIX/Linux system. The fact that all users in the Domain can see the
+ UNIX/Linux server in their Network Neighborhood and can browse the shares on the
+ server seems to excite them further.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain Member server</primary>
+ </indexterm><indexterm>
+ <primary>familiar</primary>
+ </indexterm><indexterm>
+ <primary>fear</primary>
+ </indexterm><indexterm>
+ <primary>unknown</primary>
+ </indexterm>
+ <command>winbind</command> provides for the UNIX/Linux Domain Member server or
+ client, the same as one would obtain by adding a Microsoft Windows server or
+ client to the Domain. The real objection is the fact that Samba is not MS Windows
+ and, therefore, requires handling a little differently from the familiar Windows systems.
+ One must recognize fear of the unknown.
+ </para>
+
+ <para><indexterm>
+ <primary>network administrators</primary>
+ </indexterm><indexterm>
+ <primary>recognize</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>over-ride</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>management tools</secondary>
+ </indexterm><indexterm>
+ <primary>fears</primary>
+ </indexterm>
+ Windows network administrators need to recognize that <command>winbind</command> does
+ not, and cannot, override account controls set using the Active Directory management
+ tools. The control is the same. Have no fear.
+ </para>
+
+ <para><indexterm>
+ <primary>ADS Domain</primary>
+ </indexterm><indexterm>
+ <primary>account</primary>
+ <secondary>ADS Domain</secondary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>browsing</primary>
+ </indexterm><indexterm>
+ <primary>permits</primary>
+ </indexterm><indexterm>
+ <primary>access</primary>
+ </indexterm><indexterm>
+ <primary>drive mapping</primary>
+ </indexterm><indexterm>
+ <primary>protected</primary>
+ </indexterm><indexterm>
+ <primary>security controls</primary>
+ </indexterm><indexterm>
+ <primary>access controls</primary>
+ </indexterm>
+ Where Samba and the ADS Domain account information obtained through the use of
+ <command>winbind</command> permits access, by browsing or by the drive mapping to
+ a share, to data that should be better protected. This can only happen when security
+ controls have not been properly implemented. Samba permits access controls to be set
+ on:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Shares themselves (i.e., the logical share itself)</para></listitem>
+ <listitem><para>The share definition in &smb.conf;</para></listitem>
+ <listitem><para>The shared directories and files using UNIX permissions</para></listitem>
+ <listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is Posix enabled</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Examples of each are given in <link linkend="ch10expl"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>User and Group Controls</term>
+ <listitem><para><indexterm>
+ <primary>User and Group Controls</primary>
+ </indexterm><indexterm>
+ <primary>management</primary>
+ <secondary>User</secondary>
+ </indexterm><indexterm>
+ <primary>management</primary>
+ <secondary>group</secondary>
+ </indexterm><indexterm>
+ <primary>ADS</primary>
+ </indexterm><indexterm>
+ <primary>permissions</primary>
+ </indexterm><indexterm>
+ <primary>privileges</primary>
+ </indexterm><indexterm>
+ <primary>flexibility</primary>
+ </indexterm><indexterm>
+ <primary>access controls</primary>
+ </indexterm><indexterm>
+ <primary>share definition</primary>
+ </indexterm>
+ User and group management facilities as known in the Windows ADS environment may be
+ used to provide equivalent access control constraints or to provide equivalent
+ permissions and privileges on Samba servers. Samba offers greater flexibility in the
+ use of user and group controls because it has additional layers of control compared to
+ Windows 200x/XP. For example, access controls on a Samba server may be set within
+ the share definition in a manner for which Windows has no equivalent.
+ </para>
+
+ <para><indexterm>
+ <primary>analysis</primary>
+ </indexterm><indexterm>
+ <primary>system security</primary>
+ </indexterm><indexterm>
+ <primary>safe-guards</primary>
+ </indexterm><indexterm>
+ <primary>permissions</primary>
+ <secondary>excessive</secondary>
+ </indexterm><indexterm>
+ <primary>file system</primary>
+ </indexterm><indexterm>
+ <primary>shared resource</primary>
+ </indexterm><indexterm>
+ <primary>share definition</primary>
+ </indexterm>
+ In any serious analysis of system security, it is important to examine the safeguards
+ that remain when all other protective measures fail. An administrator may inadvertently
+ set excessive permissions on the file system of a shared resource, or he may set excessive
+ privileges on the share itself. If that were to happen in a Windows 2003 Server environment,
+ the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is
+ possible to guard against that by enforcing controls on the share definition itself. You
+ see a practical example of this a little later in this chapter.
+ </para>
+
+ <para><indexterm>
+ <primary>diligence</primary>
+ </indexterm><indexterm>
+ <primary>weakness</primary>
+ </indexterm>
+ The report that is critical of Samba really ought to have exercised greater due
+ diligence, as the real weakness is on the side of a Microsoft Windows environment.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Security Overall</term>
+ <listitem><para><indexterm>
+ <primary>defects</primary>
+ </indexterm>
+ Samba has been designed in such a manner that weaknesses inherent in the design of
+ Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
+ system in any way. All software has potential defects, and Samba is no exception.
+ What matters more is how defects that are discovered get dealt with.
+ </para>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>protection</primary>
+ </indexterm><indexterm>
+ <primary>compromise</primary>
+ </indexterm><indexterm>
+ <primary>consequential risk</primary>
+ </indexterm>
+ The Samba Team totally agrees with the necessity to observe and fully implement
+ every security facility to provide a level of protection and security that is necessary
+ and that the end user (or network administrator) needs. Never would the Samba Team
+ recommend a compromise to system security, nor would deliberate defoliation of
+ security be publicly condoned; yet this is the practice by many Windows network
+ administrators just to make happy users who have no notion of consequential risk.
+ </para>
+
+ <para><indexterm>
+ <primary>condemns</primary>
+ </indexterm><indexterm>
+ <primary>security fixes</primary>
+ </indexterm><indexterm>
+ <primary>updates</primary>
+ </indexterm><indexterm>
+ <primary>development</primary>
+ </indexterm><indexterm>
+ <primary>documentation</primary>
+ </indexterm><indexterm>
+ <primary>security updates</primary>
+ </indexterm><indexterm>
+ <primary>turn-around time</primary>
+ </indexterm>
+ The report condemns Samba for releasing updates and security fixes, yet Microsoft
+ on-line updates need to be applied almost weekly. The answer to the criticism made
+ lies in the fact that Samba development is continuing, documentation is improving,
+ user needs are being increasingly met or exceeded, and security updates are issued
+ with a short turnaround time.
+ </para>
+
+ <para><indexterm>
+ <primary>modularization</primary>
+ </indexterm><indexterm>
+ <primary>next generation</primary>
+ </indexterm><indexterm>
+ <primary>responsible</primary>
+ </indexterm><indexterm>
+ <primary>dependability</primary>
+ </indexterm><indexterm>
+ <primary>road-map</primary>
+ <secondary>published</secondary>
+ </indexterm>
+ The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
+ complete rewrite to permit extensive modularization and to prepare Samba for new
+ functionality planned for addition during the next generation series. The Samba Team
+ is responsible and can be depended upon; the history to date would suggest a high
+ degree of dependability as well as on charter development consistent with published
+ road-map projections.
+ </para>
+
+ <para><indexterm>
+ <primary>foundation members</primary>
+ </indexterm><indexterm>
+ <primary>Common Internet File System</primary>
+ <see>CIFS</see>
+ </indexterm><indexterm>
+ <primary>network attached storage</primary>
+ <see>NAS</see>
+ </indexterm><indexterm>
+ <primary>conferences</primary>
+ </indexterm><indexterm>
+ <primary>presence and leadership</primary>
+ </indexterm><indexterm>
+ <primary>leadership</primary>
+ </indexterm><indexterm>
+ <primary>inter-operability</primary>
+ </indexterm>
+ Not well published is the fact that Microsoft was a foundation member of
+ the Common Internet File System (CIFS) initiative, together with the participation
+ of the network attached storage (NAS) industry. Unfortunately, for the past few years,
+ Microsoft has been absent from active involvement at CIFS conferences and has
+ not exercised the leadership expected of a major force in the networking technology
+ space. The Samba Team has maintained consistent presence and leadership at all
+ CIFS conferences and at the interoperability laboratories run concurrently with
+ them.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Cryptographic Controls (schannel, sign'n'seal)</term>
+ <listitem><para><indexterm>
+ <primary>Cryptographic</primary>
+ </indexterm><indexterm>
+ <primary>schannel</primary>
+ </indexterm><indexterm>
+ <primary>digital sign'n'seal</primary>
+ </indexterm>
+ The report correctly mentions the fact that Samba did not support the most recent
+ <constant>schannel</constant> and <constant>digital sign'n'seal</constant> features
+ of Microsoft Windows NT/200x/XPPro products. This is one of the key features
+ of the Samba-3 release. Market research reports take so long to generate that they are
+ seldom a reflection of current practice, and in many respects reports are like a
+ pathology report &smbmdash; they reflect accurately (at best) status at a snap-shot in time.
+ Meanwhile, the world moves on.
+ </para>
+
+ <para><indexterm>
+ <primary>public specifications</primary>
+ </indexterm><indexterm>
+ <primary>protocols</primary>
+ </indexterm><indexterm>
+ <primary>algorithm</primary>
+ </indexterm><indexterm>
+ <primary>compatible</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>traffic</secondary>
+ <tertiary>observation</tertiary>
+ </indexterm><indexterm>
+ <primary>defensible standards</primary>
+ </indexterm><indexterm>
+ <primary>secure networking</primary>
+ </indexterm>
+ It should be pointed out that had clear public specifications for the protocols
+ been published, it would have been much easier to implement this and would have
+ taken less time to do. The sole mechanism used to find an algorithm that is compatible
+ with the methods used by Microsoft has been based on observation of network traffic
+ and trial-and-error implementation of potential techniques. The real value of public
+ and defensible standards is obvious to all, and would have enabled more secure networking
+ for everyone.
+ </para>
+
+ <para><indexterm>
+ <primary>Critics</primary>
+ </indexterm><indexterm>
+ <primary>digital sign'n'seal</primary>
+ </indexterm>
+ Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
+ the users of Microsoft's products also. Those who are first to criticize Samba
+ for not rushing into release of <constant>digital sign'n'seal</constant> support
+ often dismiss the problems that Microsoft has
+ <ulink url="http://support.microsoft.com/default.aspx?kbid=321733">acknowledged</ulink>
+ and for which a fix was provided. In fact,
+ <ulink url="http://www.tangent-systems.com/support/delayedwrite.html">Tangent Systems</ulink>
+ appears even today<footnote>January 2004</footnote> to not be sure that the problem has been resolved.
+ So it is evident that some delay in release of new functionality may have
+ fortuitous consequences.
+ </para>
+
+ <para><indexterm>
+ <primary>secure networking protocols</primary>
+ </indexterm><indexterm>
+ <primary>refereed standards</primary>
+ </indexterm><indexterm>
+ <primary>proprietary</primary>
+ </indexterm><indexterm>
+ <primary>digital rights</primary>
+ </indexterm><indexterm>
+ <primary>protection</primary>
+ </indexterm><indexterm>
+ <primary>networking protocols</primary>
+ </indexterm><indexterm>
+ <primary>diffusion</primary>
+ </indexterm><indexterm>
+ <primary>consumer</primary>
+ </indexterm><indexterm>
+ <primary>choice</primary>
+ </indexterm>
+ One final comment is warranted. If companies want more secure networking protocols,
+ the most effective method by which this can be achieved is by users seeking
+ and working together to help define open and publicly refereed standards. The
+ development of closed source, proprietary methods that are developed in a
+ clandestine framework of secrecy, under claims of digital rights protection, does
+ not favor the diffusion of safe networking protocols, and certainly does not
+ help the consumer to make a better choice.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Active Directory Replacement with Kerberos, LDAP, and Samba</term>
+ <indexterm>
+ <primary>Active Directory</primary>
+ <secondary>Replacement</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>remote procedure call</primary>
+ <see>RPC</see>
+ </indexterm>
+ <listitem><para>
+ <literallayout> </literallayout>
+ The Microsoft networking protocols extensively make use of remote procedure call (RPC)
+ technology. Active Directory is not a simple mixture of LDAP and Kerberos together
+ with file and print services, but rather is a complex intertwined implementation
+ of them that uses RPCs that are not supported by any of these component technologies
+ and yet by which they are made to interoperate in ways that the components do not
+ support.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>Server</secondary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>project maintainers</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm>
+ In order to make the popular request for Samba to be an Active Directory Server a
+ reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls
+ that are not presently supported. The Samba Team has not been able to gain critical
+ overall support for all project maintainers to work together on the complex
+ challenge of developing and integrating the necessary technologies. Therefore, if
+ the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
+ into the Samba project, this dream request can not become a reality.
+ </para>
+
+ <para><indexterm>
+ <primary>missing RPC's</primary>
+ </indexterm><indexterm>
+ <primary>road-map</primary>
+ </indexterm><indexterm>
+ <primary>ADS</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>MMC</primary>
+ </indexterm><indexterm>
+ <primary>managed</primary>
+ </indexterm>
+ At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
+ Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
+ anytime soon. Ergo, ADS server support is not a current goal for Samba development.
+ The Samba Team is most committed to permitting Samba to be a full ADS Domain member
+ that is increasingly capable of being managed using Microsoft Windows MMC tools.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <sect3>
+ <title>Kerberos Exposed</title>
+
+ <para><indexterm>
+ <primary>kerberos</primary>
+ </indexterm><indexterm>
+ <primary>unauthorized activities</primary>
+ </indexterm><indexterm>
+ <primary>authorized location</primary>
+ </indexterm>
+ Kerberos is a network authentication protocol that provides secure authentication for
+ client-server applications by using secret-key cryptography. Firewalls are an insufficient
+ barrier mechanism in todays networking world as at best they only restrict incoming network
+ traffic but can not prevent network traffic that comes from authorized locations from
+ performing unauthorized activities.
+ </para>
+
+ <para><indexterm>
+ <primary>strong cryptography</primary>
+ </indexterm><indexterm>
+ <primary>identity</primary>
+ </indexterm><indexterm>
+ <primary>integrity</primary>
+ </indexterm>
+ Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses
+ strong cryptography so that a client can prove its identity to a server (and vice versa) across an
+ insecure network connection. After a client and server has used Kerberos to prove their identity,
+ they can also encrypt all of their communications to assure privacy and data integrity as they go
+ about their business.
+ </para>
+
+ <para><indexterm>
+ <primary>trusted third-party</primary>
+ </indexterm><indexterm>
+ <primary>principals</primary>
+ </indexterm><indexterm>
+ <primary>trusting</primary>
+ </indexterm><indexterm>
+ <primary>kerberos</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>secret</primary>
+ </indexterm>
+ Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
+ server) that is trusted by all the entities on the network (users and services, usually called
+ principals). All principals share a secret password (or key) with the kerberos server and this
+ enables principals to verify that the messages from the kerberos server are authentic. Thus
+ trusting the kerberos server, users and services can authenticate each other.
+ </para>
+
+ <para><indexterm>
+ <primary>restricted export</primary>
+ </indexterm><indexterm>
+ <primary>MIT Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>Heimdal Kerberos</primary>
+ </indexterm>
+ Kerberos was until recently a technology that was restricted from being exported from the United States.
+ For many years that hindered global adoption of more secure networking technologies both within the USA
+ as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
+ and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
+ In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos.
+ It is likely that there will be a significant surge forward in the development of Kerberos enabled applications
+ and in the general deployment and use of Kerberos across the spectrum of the information technology industry.
+ </para>
+
+ <para><indexterm>
+ <primary>Kerberos</primary>
+ <secondary>interoperability</secondary>
+ </indexterm>
+ A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
+ of it. For example, a 2002 new report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
+ states:
+ </para>
+
+ <blockquote><para>
+ A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to
+ great lengths to disclose interfaces and protocols that allow third-party software products to interact
+ with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's
+ use of the Kerberos authentication specification, not everyone agrees.
+ </para>
+
+ <para><indexterm>
+ <primary>Kerberos</primary>
+ <secondary>unspecified fields</secondary>
+ </indexterm>
+ Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared
+ before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version
+ 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with
+ the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing
+ Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so
+ that software developers could add their own authorization information, he said.
+ </para></blockquote>
+
+ <para><indexterm>
+ <primary>DCE</primary>
+ </indexterm><indexterm>
+ <primary>RPC</primary>
+ </indexterm>
+ It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
+ fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability, in
+ particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability
+ issue goes far deeper than this. In the Domain control protocols that are used by MS Windows XP Professional
+ there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
+ (DCE) remote procedure calls (RPCs) that themselves are an integral part of the SMB/CIFS protocols as used by
+ Microsoft.
+ </para>
+
+ <para>
+ Microsoft makes the following comment in a reference in a <ulink url="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp">
+ technet</ulink> article:
+ </para>
+
+ <blockquote><para><indexterm>
+ <primary>Privilege Attribute Certificates</primary>
+ <see>PAC</see>
+ </indexterm><indexterm>
+ <primary>access control</primary>
+ </indexterm>
+ The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC
+ representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos
+ tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership.
+ The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control.
+ Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This
+ is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and
+ Windows NT access control information.
+ </para></blockquote>
+
+ </sect3>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="ch10expl">
+ <title>Implementation</title>
+
+ <para>
+ The following procedures outline the implementation of the security measures discussed so far.
+ </para>
+
+ <sect2>
+ <title>Share Access Controls</title>
+
+ <para><indexterm>
+ <primary>Share Access Controls</primary>
+ </indexterm><indexterm>
+ <primary>filter</primary>
+ </indexterm><indexterm>
+ <primary>connection</primary>
+ </indexterm>
+ Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as
+ Windows XP Pro) attempts to make a connection to the Samba server.
+ </para>
+
+ <procedure>
+ <title>Create/Edit/Delete Share ACLs</title>
+ <step><para><indexterm>
+ <primary>Domain Administrator</primary>
+ </indexterm><indexterm>
+ <primary>account</primary>
+ </indexterm>
+ From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
+ account (on Samba Domains, this is usually the account called <constant>root</constant>).
+ </para></step>
+
+ <step><para>
+ Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Control Panel</guimenuitem>
+ <guimenuitem>Administrative Tools</guimenuitem>
+ <guimenuitem>Computer Management</guimenuitem>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the left panel,
+ <menuchoice>
+ <guimenu>[Right mouse menu item] Computer Management (Local)</guimenu>
+ <guimenuitem>Connect to another computer ...</guimenuitem>
+ <guimenuitem>Browse...</guimenuitem>
+ <guimenuitem>Advanced</guimenuitem>
+ <guimenuitem>Find Now</guimenuitem>
+ </menuchoice>. In the lower panel, click on the name of the server you wish to
+ administer. Click <menuchoice>
+ <guimenu>OK</guimenu>
+ <guimenuitem>OK</guimenuitem>
+ <guimenuitem>OK</guimenuitem>
+ </menuchoice>.<indexterm>
+ <primary>Computer Management</primary>
+ </indexterm>
+ In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
+ the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
+ the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>.
+ </para></step>
+
+ <step><para>
+ In the left panel, click <menuchoice>
+ <guimenu>Computer Management (FRODO)</guimenu>
+ <guimenuitem>[+] Shared Folders</guimenuitem>
+ <guimenuitem>Shares</guimenuitem>
+ </menuchoice>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ACLs</primary>
+ </indexterm><indexterm>
+ <primary>Share Permissions</primary>
+ </indexterm>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ will bring up the Properties panel. Click the <guimenu>Share Permissions</guimenu> tab.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>access control settings</primary>
+ </indexterm><indexterm>
+ <primary>Everyone</primary>
+ </indexterm><indexterm>
+ <primary>full control</primary>
+ </indexterm><indexterm>
+ <primary>over-rule</primary>
+ </indexterm><indexterm>
+ <primary>permissions</primary>
+ </indexterm><indexterm>
+ <primary>rejected</primary>
+ </indexterm>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that Everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
+ set for the permitted group.
+ </para></step>
+
+ <step><para>
+ When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
+ buttons.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Share Definition Controls</title>
+
+ <para><indexterm>
+ <primary>Share Definition</primary>
+ <secondary>Controls</secondary>
+ </indexterm><indexterm>
+ <primary>check-point</primary>
+ </indexterm><indexterm>
+ <primary>pile-driver</primary>
+ </indexterm><indexterm>
+ <primary>credential</primary>
+ </indexterm><indexterm>
+ <primary>powers</primary>
+ </indexterm><indexterm>
+ <primary>privileges</primary>
+ </indexterm>
+ Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a
+ check-point can be used to require someone who wants to get through to meet certain requirements, so
+ it is possible to require the user (or group the user belongs to) to meet specified credential-related
+ objectives. It can be likened to a pile-driver by overriding default controls, in that having met the
+ credential-related objectives, the user can be granted powers and privileges that would not normally be
+ available under default settings.
+ </para>
+
+ <para><indexterm>
+ <primary>access controls</primary>
+ </indexterm><indexterm>
+ <primary>ACLs</primary>
+ </indexterm><indexterm>
+ <primary>share definition controls</primary>
+ </indexterm><indexterm>
+ <primary>hierarchy of control</primary>
+ </indexterm>
+ It must be emphasized that the controls here discussed can act as a filter, or give rights of passage,
+ that act as a super-structure over normal directory and file access controls. However, share level
+ ACLs act at a higher level than to share definition controls because the user must filter through the
+ share level controls to get to the share definition controls. The proper hierarchy of controls implemented
+ by Samba and Windows networking consists of:
+ </para>
+
+ <orderedlist>
+ <listitem><para>Share Level ACLs</para></listitem>
+ <listitem><para>Share Definition Controls</para></listitem>
+ <listitem><para>Directory and File Permissions</para></listitem>
+ <listitem><para>Directory and File Posix ACLs</para></listitem>
+ </orderedlist>
+
+ <sect3>
+ <title>Check-point Controls</title>
+
+ <para><indexterm>
+ <primary>Check-point Controls</primary>
+ </indexterm>
+ Consider the following extract from a &smb.conf; file defining the share called <constant>Apps</constant>:
+<screen>
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ valid users = @Employees
+</screen>
+ This definition permits only those who are members of the group called <constant>Employees</constant> to
+ access the share.
+ </para>
+
+ <note><para><indexterm>
+ <primary>Domain Member</primary>
+ <secondary>servers</secondary>
+ </indexterm><indexterm>
+ <primary>winbind use default domain</primary>
+ </indexterm><indexterm>
+ <primary>fully qualified</primary>
+ </indexterm><indexterm>
+ <primary>valid users</primary>
+ </indexterm><indexterm>
+ <primary>delimiter</primary>
+ </indexterm>
+ On Domain Member servers and clients, even when the <parameter>winbind use default domain</parameter> has
+ been specified, the use of Domain accounts in security controls requires fully qualified Domain specification,
+ for example, <smbconfoption><name>valid users</name><value>@"MEGANET\Northern Engineers"</value></smbconfoption>.
+ Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
+ delimiter.
+ </para></note>
+
+ <para><indexterm>
+ <primary>ACL</primary>
+ </indexterm><indexterm>
+ <primary>access</primary>
+ </indexterm><indexterm>
+ <primary>validate</primary>
+ </indexterm>
+ If there is an ACL on the share itself to permit read/write access for all <constant>Employees</constant>
+ as well as read/write for the group <constant>Doctors</constant>, both groups are permitted through
+ to the share. However, at the moment an attempt is made to set up a connection to the share, a member of
+ the group <constant>Doctors</constant>, who is not also a member of the group <constant>Employees</constant>,
+ would immediately fail to validate.
+ </para>
+
+ <para><indexterm>
+ <primary>share definition controls</primary>
+ </indexterm>
+ Consider another example. In this case, you want to permit all members of the group <constant>Employees</constant>
+ to access the <constant>Apps</constant> share, except the user <constant>patrickj</constant>. This can be
+ easily achieved by setting a share level ACL permitting only <constant>Employees</constant> to access the share,
+ and then in the share definition controls excluding just <constant>patrickj</constant>. Here is how that might
+ be done:
+<screen>
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+</screen>
+ <indexterm>
+ <primary>permissions</primary>
+ </indexterm>
+ Let us assume that you want to permit the user <constant>gbshaw</constant>, to manage any file in the
+ UNIX/Linux file system directory <filename>/data/apps</filename>, but you do not want to grant any write
+ permissions beyond that directory tree. Here is one way this can be done:
+<screen>
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+</screen>
+ <indexterm>
+ <primary>administrative rights</primary>
+ </indexterm>
+ Now we have a set of controls that permits only <constant>Employees</constant> who are also members of
+ the group <constant>Doctors</constant>, excluding the user <constant>patrickj</constant>, to have
+ read-only privilege, but the user <constant>gbshaw</constant> is granted administrative rights.
+ The administrative rights conferred upon the user <constant>gbshaw</constant> permit operation as
+ if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system, and thus
+ for access to the directory tree that has been shared (exported) permit the user to override controls
+ that apply to all other users on that resource.
+ </para>
+
+ <para>
+ There are additional check-point controls that may be used. For example, if for the same share we now
+ want to provide the user <constant>peters</constant> with the ability to write to one directory to
+ which he has write privilege in the UNIX file system, you can specifically permit that with the
+ following settings:
+<screen>
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+ write list = peters
+</screen>
+ <indexterm>
+ <primary>check-point controls</primary>
+ </indexterm>
+ This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
+ You should refer to the on-line manual page for the &smb.conf; file for more information regarding
+ the check-point controls that Samba implements.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Override Controls</title>
+
+ <para><indexterm>
+ <primary>over-ride controls</primary>
+ </indexterm>
+ Override controls implemented by Samba permit actions like the adoption of a different identity
+ during file system operations, the forced overwriting of normal file and directory permissions,
+ and so on. You should refer to the on-line manual page for the &smb.conf; file for more information regarding
+ the override controls that Samba implements.
+ </para>
+
+ <para>
+ In the following example, you want to create a Windows networking share that any user can access.
+ However, you want all read and write operations to be performed as if the user <constant>billc</constant>
+ and member of the group <constant>Mentors</constant> read/write the files. Here is one way this
+ can be done:
+<screen>
+[someshare]
+ comment = Some Files Everyone May Overwrite
+ path = /data/somestuff
+ read only = No
+ force user = billc
+ force group = Mentors
+</screen>
+ <indexterm>
+ <primary>forced settings</primary>
+ </indexterm><indexterm>
+ <primary>overheads</primary>
+ </indexterm>
+ That is all there is to it. Well, it is almost that simple. The downside of this method is that
+ users are logged onto the Windows client as themselves, and then immediately before accessing the
+ file, Samba makes system calls to change the effective user and group to the forced settings
+ specified, completes the file transaction, and then reverts to the actually logged on identity.
+ This imposes significant overhead on Samba. The alternative way that effectively the same result
+ can be achieved (but with lower system CPU overheads) is described next.
+ </para>
+
+ <para><indexterm>
+ <primary>force user</primary>
+ </indexterm><indexterm>
+ <primary>force group</primary>
+ </indexterm><indexterm>
+ <primary>opportunistic</primary>
+ <secondary>locking</secondary>
+ </indexterm><indexterm>
+ <primary>oplock break</primary>
+ </indexterm><indexterm>
+ <primary>performance degradation</primary>
+ </indexterm>
+ The use of the <parameter>force user</parameter>, or the <parameter>force group</parameter>, may
+ also have a severe impact on system (and in particular Windows client) performance. If opportunistic
+ locking is enabled on the share (the default), it causes an <constant>oplock break</constant> to be
+ sent to the client, even if the client has not opened the file. On networks that have high traffic
+ density, or on links that are routed to a remote network segment, <constant>oplock breaks</constant>
+ can be lost. This results in possible retransmission of the request, or the client may time-out while
+ waiting for the file system transaction (read or write) to complete. The result can be a profound
+ apparent performance degradation as the client continually attempts to reconnect to overcome the
+ effect of the lost <constant>oplock break</constant>, or time-out.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Share Point Directory and File Permissions</title>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>privilege controls</primary>
+ </indexterm><indexterm>
+ <primary>permission</primary>
+ </indexterm><indexterm>
+ <primary>share definition controls</primary>
+ </indexterm>
+ Samba has been designed and implemented so that it respects as far as is feasible the security and
+ user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing
+ with respect to file system access that violates file system permission settings, unless it is
+ explicitly instructed to do otherwise through share definition controls. Given that Samba obeys
+ UNIX file system controls, this chapter does not document simple information that can be obtained
+ from a basic UNIX training guide. Instead, one common example of a typical problem is used
+ to demonstrate the most effective solution referred to in the immediately preceding paragraph.
+ </para>
+
+ <para><indexterm>
+ <primary>Microsoft Office</primary>
+ </indexterm><indexterm>
+ <primary>Word</primary>
+ </indexterm><indexterm>
+ <primary>Excel</primary>
+ </indexterm>
+ One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
+ Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
+ </para>
+
+ <orderedlist>
+ <listitem><para>
+ A user opens a Work document from a network drive. The file was owned by user <constant>janetp</constant>
+ and <group>users</group>, and was set read/write enabled for everyone.
+ </para></listitem>
+
+ <listitem><para>
+ File changes and edits are made.
+ </para></listitem>
+
+ <listitem><para>
+ The file is saved, and MS Word is closed.
+ </para></listitem>
+
+ <listitem><para>
+ The file is now owned by the user <constant>billc</constant> and group <constant>doctors</constant>,
+ and is set read/write by <constant>billc</constant>, read only by <constant>doctors</constant>, and
+ no access by everyone.
+ </para></listitem>
+
+ <listitem><para>
+ The original owner can not now access her own file and is <quote>justifiably</quote> upset.
+ </para></listitem>
+ </orderedlist>
+
+ <para>
+ There have been many postings over the years that report the same basic problem. Frequently Samba users
+ want to know when this <quote>bug</quote> will be fixed. The fact is, this is not a bug in Samba at all.
+ Here is the real sequence of what happens in the case mentioned above.
+ </para>
+
+ <para><indexterm>
+ <primary>MS Word</primary>
+ </indexterm><indexterm>
+ <primary>ownership</primary>
+ </indexterm><indexterm>
+ <primary>permissions</primary>
+ </indexterm>
+ When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
+ by the user who creates the file (<constant>billc</constant>) and has the permissions that follow
+ that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing
+ the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not
+ change the ownership or permissions to what they were on the original file. The file is thus a totally
+ new file, and the old one has been deleted in the process.
+ </para>
+
+ <para>
+ Samba received a request to create a new file, and then to rename the file to a new name. The old file that
+ has the same name is now automatically deleted. Samba has no way of knowing that the new file should
+ perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent
+ operations.
+ </para>
+
+ <para>
+ The question is: <quote>How can we solve the problem?</quote>
+ </para>
+
+ <para>
+ The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
+ simple steps to create a share in which all files will consistently be owned by the same user and the
+ same group:
+ </para>
+
+
+ <procedure>
+ <title>Using Directory Permissions to Force File User and Group Ownership</title>
+ <step><para>
+ Change your share definition so that it matches this pattern:
+<screen>
+[finance]
+ path = /usr/data/finance
+ browseable = Yes
+ read only = No
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>permissions</primary>
+ <secondary>user</secondary>
+ </indexterm><indexterm>
+ <primary>permissions</primary>
+ <secondary>group</secondary>
+ </indexterm>
+ Set consistent user and group permissions recursively down the directory tree as shown here:
+<screen>
+&rootprompt; chown -R janetp.users /usr/data/finance
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>accessible</primary>
+ </indexterm>
+ Set the files and directory permissions to be read/write for owner and group, and not accessible
+ to others (everyone) using the following command:
+<screen>
+&rootprompt; chmod ug+rwx,o-rwx /usr/data/finance
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>SGID</primary>
+ </indexterm>
+ Set the SGID (super-group) bit on all directories from the top down. This means all files
+ can be created with the permissions of the group set on the directory. It means all users
+ who are members of the group <constant>finance</constant> can read and write all files in
+ the directory. The directory is not readable or writable by anyone who is not in the
+ <constant>finance</constant> group. Simply follow this example:
+<screen>
+&rootprompt; find /usr/data/finance -type d -exec chmod ug+s {}\;
+</screen>
+
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>group membership</primary>
+ </indexterm><indexterm>
+ <primary>primary group</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm>
+ Make sure all users that must have read/write access to the directory have
+ <constant>finance</constant> group membership as their primary group,
+ for example, the group they belong to in <filename>/etc/passwd</filename>.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Managing Windows 200x ACLs</title>
+
+ <para><indexterm>
+ <primary>translate</primary>
+ </indexterm><indexterm>
+ <primary>Windows 2000 ACLs</primary>
+ </indexterm><indexterm>
+ <primary>Posix ACLs</primary>
+ </indexterm><indexterm>
+ <primary>side effects</primary>
+ </indexterm>
+ Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because
+ of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means
+ that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
+ of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
+ </para>
+
+ <para>
+ There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
+ either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
+ </para>
+
+ <sect3>
+ <title>Using the MMC Computer Management Interface</title>
+
+ <procedure>
+ <step><para>
+ From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
+ account (on Samba Domains, this is usually the account called <constant>root</constant>).
+ </para></step>
+
+ <step><para>
+ Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Control Panel</guimenuitem>
+ <guimenuitem>Administrative Tools</guimenuitem>
+ <guimenuitem>Computer Management</guimenuitem>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the left panel,
+ <menuchoice>
+ <guimenu>[Right mouse menu item] Computer Management (Local)</guimenu>
+ <guimenuitem>Connect to another computer ...</guimenuitem>
+ <guimenuitem>Browse...</guimenuitem>
+ <guimenuitem>Advanced</guimenuitem>
+ <guimenuitem>Find Now</guimenuitem>
+ </menuchoice>. In the lower panel, click on the name of the server you wish to
+ administer. Click <menuchoice>
+ <guimenu>OK</guimenu>
+ <guimenuitem>OK</guimenuitem>
+ <guimenuitem>OK</guimenuitem>
+ </menuchoice>.
+ In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
+ the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
+ the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>.
+ </para></step>
+
+ <step><para>
+ In the left panel, click <menuchoice>
+ <guimenu>Computer Management (FRODO)</guimenu>
+ <guimenuitem>[+] Shared Folders</guimenuitem>
+ <guimenuitem>Shares</guimenuitem>
+ </menuchoice>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Security</primary>
+ </indexterm><indexterm>
+ <primary>Properties</primary>
+ </indexterm><indexterm>
+ <primary>Permissions</primary>
+ </indexterm><indexterm>
+ <primary>Samba Domain server</primary>
+ </indexterm>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ brings up the Properties panel. Click the <guimenu>Security</guimenu> tab. It is best
+ to edit ACLs using the <constant>Advanced</constant> editing features. Click the
+ <guimenu>Advanced</guimenu> button. This opens a panel that has four tabs. Only the
+ functionality under the <constant>Permissions</constant> tab can be utilized with respect
+ to a Samba Domain server.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>access control</primary>
+ </indexterm><indexterm>
+ <primary>permitted group</primary>
+ </indexterm>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that Everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
+ set for the permitted group.
+ </para></step>
+
+ <step><para>
+ When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
+ buttons until the last panel closes.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ <sect3>
+ <title>Using MS Windows Explorer (File Manager)</title>
+
+ <para>
+ The following alternative method may be used from a Windows workstation. In this example we work
+ with a Domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
+ share called <constant>Apps</constant>. The underlying UNIX/Linux share point for this share is
+ <filename>/data/apps</filename>.
+ </para>
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>[right-click] My Computer</guimenuitem>
+ <guimenuitem>Explore</guimenuitem>
+ <guimenuitem>[left panel] [+] My Network Places</guimenuitem>
+ <guimenuitem>[+] Entire Network</guimenuitem>
+ <guimenuitem>[+] Microsoft Windows Network</guimenuitem>
+ <guimenuitem>[+] Meganet</guimenuitem>
+ <guimenuitem>[+] Massive</guimenuitem>
+ <guimenuitem>[right-click] Apps</guimenuitem>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenuitem>Security</guimenuitem>
+ <guimenuitem>Advanced</guimenuitem>
+ </menuchoice>. This opens a panel that has four tabs. Only the functionality under the
+ <constant>Permissions</constant> tab can be utilized in respect to a Samba Domain server.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>full control</primary>
+ </indexterm><indexterm>
+ <primary>over-rule</primary>
+ </indexterm>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that Everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
+ set for the permitted group.
+ </para></step>
+
+ <step><para>
+ When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu>
+ buttons until the last panel closes.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ <sect3>
+ <title>Setting Posix ACLs in UNIX/Linux</title>
+
+ <para><indexterm>
+ <primary>desired security setting</primary>
+ </indexterm><indexterm>
+ <primary>shared resource</primary>
+ </indexterm>
+ Yet another alternative method for setting desired security settings on the shared resource files and
+ directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line
+ tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
+ Linux system:
+ </para>
+
+ <procedure>
+ <step><para>
+ Log into the Linux system as the user <constant>root</constant>.
+ </para></step>
+
+ <step><para>
+ Change directory to the location of the exported (shared) Windows file share (Apps), which is in
+ the directory <filename>/data</filename>. Execute the following:
+<screen>
+&rootprompt; cd /data
+</screen>
+ Retrieve the existing Posix ACLs entry by executing:
+<screen>
+&rootprompt; getfacl apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+other::r-x
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>recursively</primary>
+ </indexterm>
+ You want to add permission for <constant>AppsMgrs</constant> to enable them to
+ manage the applications (apps) share. It is important to set the ACL recursively
+ so that the AppsMgrs have this capability throughout the directory tree that is
+ being shared. This is done using the <constant>-R</constant> option as shown.
+ Execute the following:
+<screen>
+&rootprompt; setfacl -m -R group:AppsMgrs:rwx /data/apps
+</screen>
+ Because setting an ACL does not provide a response, you immediately validate the command executed
+ as follows:
+<screen>
+&rootprompt; getfacl /data/apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+group:AppsMgrs:rwx
+mask::rwx
+other::r-x
+</screen>
+ This confirms that the change of Posix ACL permissions has been effective.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>setfacl</primary>
+ </indexterm><indexterm>
+ <primary>getfacl</primary>
+ </indexterm><indexterm>
+ <primary>directory tree</primary>
+ </indexterm><indexterm>
+ <primary>Windows ACLs</primary>
+ </indexterm><indexterm>
+ <primary>inheritance</primary>
+ </indexterm>
+ It is highly recommend that you should read the on-line manual page for the <command>setfacl</command>
+ and <command>getfacl</command> commands. This provides information regarding how to set/read the default
+ ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
+ of setting <constant>inheritance</constant> properties.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
+ Looking back, this chapter could be broken into two, but it's too late now. It has been done.
+ The highlights covered are:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>Winbind</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>password change</primary>
+ </indexterm><indexterm>
+ <primary>logon hours</primary>
+ </indexterm>
+ Winbind honors and does not override account controls set in Active Directory.
+ This means that password change, logon hours, and so on, are (or soon will be) enforced
+ by Samba Winbind. At this time, an out-of-hours login is denied and password
+ change is enforced. At this time, if logon hours expire, the user is not forcibly
+ logged off. That may be implemented at some later date.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Sign'n'seal</primary>
+ </indexterm><indexterm>
+ <primary>schannel</primary>
+ </indexterm>
+ Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
+ problems acknowledged by Microsoft as having been fixed, but reported by some as still
+ possibly an open issue.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>inter-operability</primary>
+ </indexterm>
+ The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
+ Active Directory. The possibility to do this is not planned in the current Samba-3
+ roadmap. Samba-3 does aim to provide further improvements in interoperability so that
+ UNIX/Linux systems may be fully integrated into Active Directory Domains.
+ </para></listitem>
+
+ <listitem><para>
+ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
+ the four key methodologies was reviewed with specific reference to example deployment
+ techniques.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ </para>
+
+ <qandaset defaultlabel="chap10qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>Sign'n'seal</primary>
+ </indexterm><indexterm>
+ <primary>registry hacks</primary>
+ </indexterm>
+ Does Samba-3 require the <constant>Sign'n'seal</constant> registry hacks needed by Samba-2?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>schannel</primary>
+ </indexterm><indexterm>
+ <primary>Sign'n'seal</primary>
+ </indexterm><indexterm>
+ <primary>registry change</primary>
+ </indexterm>
+ No. Samba-3 fully supports <constant>Sign'n'seal</constant> as well as <constant>schannel</constant>
+ operation. The registry change should not be applied when Samba-3 is used as a Domain Controller.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Does Samba-3 support Active Directory?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
+ provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
+ server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
+ and it can function as an Active Directory Domain Member server.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>mixed-mode</primary>
+ </indexterm>
+ When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
+ necessary with Samba-2?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>native</primary>
+ </indexterm>
+ No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
+ Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
+ as Samba-3 can join a native Windows 2003 Server ADS Domain.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>share level access controls</primary>
+ </indexterm>
+ Is it safe to set share level access controls in Samba?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. Share level access controls have been supported since early versions of Samba-2. This is
+ very mature technology. Not enough sites make use of this powerful capability, neither on
+ Windows server or with Samba servers.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>share ACLs</primary>
+ </indexterm>
+ Is it mandatory to set share ACLs to get a secure Samba-3 server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>file system security</primary>
+ </indexterm><indexterm>
+ <primary>Windows 200x ACLs</primary>
+ </indexterm><indexterm>
+ <primary>share definition controls</primary>
+ </indexterm><indexterm>
+ <primary>share level ACL</primary>
+ </indexterm><indexterm>
+ <primary>security</primary>
+ </indexterm>
+ No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
+ means of securing shares through share definition controls in the &smb.conf; file. The additional
+ support for share level ACLs is like frosting on the cake. It adds to security, but is not essential
+ to it.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>valid users</primary>
+ </indexterm>
+ The <parameter>valid users</parameter> did not work on the <smbconfsection>[homes]</smbconfsection>.
+ Has this functionality been restored yet?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>meta-service</primary>
+ </indexterm>
+ Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
+ on the <smbconfsection>[homes]</smbconfsection> meta-service. The correct way to specify this is:
+ <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>force user</primary>
+ </indexterm><indexterm>
+ <primary>force group</primary>
+ </indexterm><indexterm>
+ <primary>bias</primary>
+ </indexterm>
+ Is the bias against use of the <parameter>force user</parameter> and <parameter>force group</parameter>
+ really warranted?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>performance</primary>
+ </indexterm>
+ There is no bias. There is a determination to recommend the right tool for the task at hand.
+ After all, it is better than putting users through performance problems, isn't it?
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The example given for file and directory access control forces all files to be owned by one
+ particular user. I do not like that. Is there any way I can see who created the file?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>SUID</primary>
+ </indexterm>
+ Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
+ to permit file ownership to be retained by the user who created it:
+<screen>
+&rootprompt; find /usr/data/finance -type d -exec chmod g+s {}\;
+</screen>
+ Note that this required no more than removing the <constant>u</constant> argument so that the
+ SUID bit is not set for the owner.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>Computer Management</primary>
+ </indexterm>
+ In the book, <quote>The Official Samba-3 HOWTO and Reference Guide</quote>, you recommended use
+ of the Windows NT4 Server Manager (part of the <filename>SRVTOOLS.EXE</filename>) utility. Why
+ have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>MMC</primary>
+ </indexterm><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm>
+ Either tool can be used with equal effect. There is no benefit of one over the other, except that
+ the MMC utility is present on all Windows 200x/XP systems and does not require additional software
+ to be downloaded and installed. Note that if you want to manage user and group accounts in your
+ Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which
+ is provided as part of the <filename>SRVTOOLS.EXE</filename> utility.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para><indexterm>
+ <primary>valid users</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>Domain Member server</primary>
+ </indexterm>
+ I tried to set <parameter>valid users = @Engineers</parameter>, but it does not work. My Samba
+ server is an Active Directory Domain Member server. Has this been fixed now?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The use of this parameter has always required the full specification of the Domain account, for
+ example, <parameter>valid users = @"MEGANET2\Domain Admins"</parameter>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap10b-DomainAppsSupport.xml b/docs/Samba-Guide/Chap10b-DomainAppsSupport.xml
new file mode 100644
index 0000000000..7188e7747d
--- /dev/null
+++ b/docs/Samba-Guide/Chap10b-DomainAppsSupport.xml
@@ -0,0 +1,1100 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="DomApps">
+ <title>Integrating Additional Services</title>
+
+ <para><indexterm>
+ <primary>authentication</primary>
+ </indexterm><indexterm>
+ <primary>backends</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ You've come a long way now. You have pretty much mastered Samba-3 for
+ most uses it can be put to. Up until now, you have cast Samba-3 in the leading
+ role and where authentication was required, you have used one or another of
+ Samba's many authentication backends (from flat text files with smbpasswd
+ to LDAP directory integration with ldapsam). Now you can design a
+ solution for a new Abmas business. This business is running Windows Server
+ 2003 and Active Directory, and these are to stay. It's time to master
+ implementing Samba and Samba-supported services in a domain controlled by
+ the latest Windows authentication technologies. Let's get started &smbmdash; this is
+ leading edge.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Abmas has continued its miraculous growth; indeed, nothing seems to be able
+ to stop its diversification into multiple (and seemingly unrelated) fields.
+ Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
+ business.
+ </para>
+
+ <para>
+ With this acquisition comes new challenges for you and your team. Abmas Snack
+ Foods is a well-developed business with a huge and heterogeneous network. They
+ already have Windows, Netware, and Proprietary UNIX, but as yet no Samba or Linux.
+ The network is mature and well established, and there is no question of their chosen
+ user authentication scheme being changed for now. You need to take a wise new
+ approach.
+ </para>
+
+ <para>
+ You have decided to set the ball rolling by introducing Samba-3 into the network
+ gradually, taking over key services and easing the way to a full migration and,
+ therefore, integration into Abmas's existing business later.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para><indexterm>
+ <primary>web</primary>
+ <secondary>proxying</secondary>
+ </indexterm><indexterm>
+ <primary>web</primary>
+ <secondary>caching</secondary>
+ </indexterm>
+ You've promised the skeptical Abmas Snack Foods management team
+ that you can show them how Samba can ease itself and other Open Source
+ technologies into their existing infrastructure and deliver sound business
+ advantages. Cost cutting is high on their agenda (a major promise of the
+ acquisition). You have chosen Web proxying and caching as your proving ground.
+ </para>
+
+ <para><indexterm>
+ <primary>bandwidth</primary>
+ </indexterm><indexterm>
+ <primary>Microsoft ISA</primary>
+ </indexterm>
+ Abmas Snack Foods has several thousand users housed at their Head Office
+ and multiple regional offices, plants, and warehouses. A high proportion of
+ the business's work is done online, so Internet access for most of these
+ users is essential. All Internet access, including all of their regional offices,
+ is funneled through the head office and is the job of the (now your) networking
+ team. The bandwidth requirements were horrific (comparable to a small ISP), and
+ the team soon discovered proxying and caching. In fact, they became one of
+ the earliest commercial users of Microsoft ISA.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>authenticated</primary>
+ </indexterm><indexterm>
+ <primary>proxy</primary>
+ </indexterm>
+ The team is not happy with ISA. Because it never lived up to its marketing promises,
+ it under-performed and had reliability problems. You have pounced on the opportunity
+ to show what Open Source can do. The one thing they do like, however, is ISA's
+ integration with Active Directory. They like that their users, once logged on,
+ are automatically authenticated against the proxy. If your alternative to ISA
+ can operate completely seamlessly in their Active Directory Domain, it will be
+ approved.
+ </para>
+
+ <para>
+ This is a hands-on exercise. You build software applications so
+ that you obtain the functionality Abmas needs.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ The key requirements in this business example are straightforward. You are not required
+ to do anything new, just to replicate an existing system, not lose any existing features,
+ and improve performance. The key points are:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Internet access for most employees
+ </para></listitem>
+ <listitem><para>
+ Distributed system to accommodate load and geographical distribution of users
+ </para></listitem>
+ <listitem><para>
+ Seamless and transparent interoperability with the existing Active Directory domain
+ </para></listitem>
+ </itemizedlist>
+
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para><indexterm>
+ <primary>browsing</primary>
+ </indexterm><indexterm>
+ <primary>Squid</primary>
+ </indexterm><indexterm>
+ <primary>Squid proxy</primary>
+ </indexterm><indexterm>
+ <primary>proxy</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm><indexterm>
+ <primary>Internet Explorer</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>NTLM</primary>
+ </indexterm><indexterm>
+ <primary>NTLM authentication daemon</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>domain</primary>
+ <secondary>Active Directory</secondary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>token</primary>
+ </indexterm>
+ Functionally, the user's Internet Explorer requests a browsing session with the
+ Squid proxy, for which it offers its AD authentication token. Squid hands off
+ the authentication request to the Samba-3 authentication helper application
+ called <command>ntlm_auth</command>. This helper is a hook into winbind, the
+ Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
+ against Microsoft Windows Domains, including Active Directory domains. As Active
+ Directory authentication is a modified Kerberos authentication, winbind is assisted
+ in this by local Kerberos 5 libraries configured to check passwords with the Active
+ Directory server. Once the token has been checked, a browsing session is established.
+ This process is entirely transparent and seamless to the user.
+ </para>
+
+ <para>
+ Enabling this consists of:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Preparing the necessary environment using preconfigured packages
+ </para></listitem>
+
+ <listitem><para>
+ Setting up raw Kerberos authentication against the Active Directory domain
+ </para></listitem>
+
+ <listitem><para>
+ Configuring, compiling, and then installing the supporting Samba-3 components
+ </para></listitem>
+
+ <listitem><para>
+ Tying it all together
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ You are a stranger in a strange land and all eyes are upon you. Some would even like to see
+ you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
+ solution does everything the old one did, but does it better in every way. Only then
+ will the entrenched positions consider taking up your new way of doing things on a
+ wider scale.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para><indexterm>
+ <primary>Squid</primary>
+ </indexterm>
+ First, your system needs to be prepared and in a known good state to proceed. This consists
+ of making sure that everything the system depends on is present and that everything that could
+ interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
+ packages and updating them if necessary. If conflicting packages of these programs are installed,
+ they must be removed.
+ </para>
+
+ <para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ The following packages should be available on your Red Hat Linux system:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>krb5</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm>
+ krb5-libs
+ </para></listitem>
+
+ <listitem><para>
+ krb5-devel
+ </para></listitem>
+
+ <listitem><para>
+ krb5-workstation
+ </para></listitem>
+
+ <listitem><para>
+ krb5-server
+ </para></listitem>
+
+ <listitem><para>
+ pam_krb5
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm>
+ In the case of SUSE Linux, these packages are called:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ heimdal-lib
+ </para></listitem>
+
+ <listitem><para>
+ heimdal-devel
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Heimdal</primary>
+ </indexterm>
+ heimdal
+ </para></listitem>
+
+ <listitem><para>
+ pam_krb5
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ If the required packages are not present on your system, you must install
+ them from the vendor's installation media. Follow the administrative guide
+ for your Linux system to ensure that the packages are correctly updated.
+ </para>
+
+ <note><para><indexterm>
+ <primary>MS Windows Server 2003</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>MIT</primary>
+ </indexterm>
+ If the requirement is for interoperation with MS Windows Server 2003, it
+ will be necessary to ensure that you are using MIT Kerberos version 1.3.1
+ or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
+ updating.
+ </para>
+
+ <para><indexterm>
+ <primary>Heimdal</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Enterprise Linux Server</primary>
+ </indexterm>
+ Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
+ Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
+ </para></note>
+
+ <sect2 id="ch10-one">
+ <title>Removal of Pre-existing Conflicting RPMs</title>
+
+ <para><indexterm>
+ <primary>Squid</primary>
+ </indexterm>
+ If Samba and/or Squid rpms are installed, they should be updated. You can
+ build both from source.
+ </para>
+
+ <para><indexterm>
+ <primary>rpm</primary>
+ </indexterm><indexterm>
+ <primary>samba</primary>
+ </indexterm><indexterm>
+ <primary>squid</primary>
+ </indexterm>
+ Locating the packages to be uninstalled can be achieved by running:
+<screen>
+&rootprompt; rpm -qa | grep -i samba
+&rootprompt; rpm -qa | grep -i squid
+</screen>
+ The identified packages may be removed using:
+<screen>
+&rootprompt; rpm -e samba-common
+</screen>
+ </para>
+
+ <sect2>
+ <title>Kerberos Configuration</title>
+
+ <para><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>ADS</primary>
+ </indexterm><indexterm>
+ <primary>KDC</primary>
+ </indexterm>
+ The systems Kerberos installation must be configured to communicate with
+ your primary Active Directory server (ADS KDC).
+ </para>
+
+ <para>
+ Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results,
+ although the current default Red Hat MIT version 1.2.7 gives acceptable results
+ unless you are using Windows 2003 servers.
+ </para>
+
+ <para><indexterm>
+ <primary>MIT</primary>
+ </indexterm><indexterm>
+ <primary>Heimdal</primary>
+ </indexterm><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>/etc/krb5.conf</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ <secondary>SRV records</secondary>
+ </indexterm><indexterm>
+ <primary>KDC</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ <secondary>lookup</secondary>
+ </indexterm>
+ Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an <filename>/etc/krb5.conf</filename>
+ file in order to work correctly. All ADS domains automatically create SRV records in the
+ DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both
+ MIT and Heimdal, KRB5 libraries default to checking for these records, so they
+ automatically find the KDCs. In addition, <filename>krb5.conf</filename> only allows
+ specifying a single KDC, even there if there is more than one. Using the DNS lookup
+ allows the KRB5 libraries to use whichever KDCs are available.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>krb5.conf</primary>
+ </indexterm>
+ If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
+ to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file
+ should be <filename>/etc/krb5.conf</filename>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Kerberos</primary>
+ </indexterm><indexterm>
+ <primary>realm</primary>
+ </indexterm><indexterm>
+ <primary>case-sensitive</primary>
+ </indexterm><indexterm>
+ <primary>KDC</primary>
+ </indexterm><indexterm>
+ <primary>synchronization</primary>
+ </indexterm><indexterm>
+ <primary>initial credentials</primary>
+ </indexterm><indexterm>
+ <primary>Clock skew</primary>
+ </indexterm><indexterm>
+ <primary>NTP</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ <secondary>lookup</secondary>
+ </indexterm><indexterm>
+ <primary>reverse DNS</primary>
+ </indexterm><indexterm>
+ <primary>NetBIOS name </primary>
+ </indexterm><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm><indexterm>
+ <primary>mapping</primary>
+ </indexterm>
+ The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
+ be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
+ initial credentials</quote>. Kerberos is picky about time synchronization. The time
+ according to your participating servers must be within 5 minutes or you get an error
+ <quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
+ Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
+ 5 minutes). A better solution is to implement NTP throughout your server network.
+ Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
+ Also, the name that this reverse lookup maps to must either be the NetBIOS name of
+ the KDC (i.e., the hostname with no domain attached), or it can alternately be the
+ NetBIOS name followed by the realm. If all else fails, you can add a
+ <filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
+ NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
+ when you try to join the realm.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>kinit</primary>
+ </indexterm>
+ You are now ready to test your installation by issuing the command:
+<screen>
+&rootprompt; kinit [USERNAME@REALM]
+</screen>
+ You are asked for your password, which you should enter. The following
+ is a typical console sequence:
+<screen>
+&rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
+Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
+</screen>
+ Make sure that your password is accepted by the Active Directory KDC.
+ </para></step>
+ </procedure>
+
+<example id="ch10-krb5conf">
+<title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title>
+<screen>
+[libdefaults]
+ default_realm = LONDON.ABMAS.BIZ
+
+[realms]
+ LONDON.ABMAS.BIZ = {
+ kdc = w2k3s.london.abmas.biz
+ }
+</screen>
+</example>
+
+ <para><indexterm>
+ <primary>klist</primary>
+ </indexterm>
+ The command:
+<screen>
+&rootprompt; klist -e
+</screen>
+ shows the Kerberos tickets cached by the system:
+ </para>
+
+ <sect3>
+ <title>Samba Configuration</title>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ Samba must be configured to correctly use Active Directory. Samba-3 must be used, as
+ this has the necessary components to interface with Active Directory.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>Samba Tea</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Fedora Linux</primary>
+ </indexterm><indexterm>
+ <primary>MIT KRB5</primary>
+ </indexterm><indexterm>
+ <primary>ntlm_auth</primary>
+ </indexterm>
+ Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
+ <ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
+ RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
+ needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
+ </para>
+
+ <para><indexterm>
+ <primary>SerNet</primary>
+ </indexterm><indexterm>
+ <primary>RPMs</primary>
+ </indexterm>
+ The necessary, validated RPM packages for SUSE Linux may be obtained from
+ the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
+ is located in Germany. All SerNet RPMs are validated, have the necessary
+ <command>ntlm_auth</command> tool, and are statically linked
+ against suitably patched Heimdal 0.6 libraries.
+ </para></step>
+
+ <step><para>
+ Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename>
+ file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>computer account</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>ads</secondary>
+ <tertiary>join</tertiary>
+ </indexterm><indexterm>
+ <primary>Kerberos ticket</primary>
+ </indexterm><indexterm>
+ <primary>ticket</primary>
+ </indexterm>
+ Next you need to create a computer account in the Active Directory.
+ This sets up the trust relationship needed for other clients to
+ authenticate to the Samba server with an Active Directory Kerberos ticket.
+ This is done with the <quote>net ads join -U [Administrator%Password]</quote>
+ command, as follows:
+<screen>
+&rootprompt; net ads join -U administrator%vulcon
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>nmbd</primary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>Samba</primary>
+ </indexterm>
+ Your new Samba binaries must be started in the standard manner as is applicable
+ to the platform you are running on. Alternately, start your Active Directory
+ enabled Samba with the following commands:
+<screen>
+&rootprompt; smbd -D
+&rootprompt; nmbd -D
+&rootprompt; winbindd -B
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>domain</secondary>
+ </indexterm><indexterm>
+ <primary>wbinfo</primary>
+ </indexterm><indexterm>
+ <primary>enumerating</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>tree</secondary>
+ </indexterm>
+ We now need to test that Samba is communicating with the Active
+ Directory domain; most specifically, we want to see whether winbind
+ is enumerating users and groups. Issue the following commands:
+<screen>
+&rootprompt; wbinfo -t
+checking the trust secret via RPC calls succeeded
+</screen>
+ This tests whether we are authenticating against Active Directory:
+<screen>
+&rootprompt; wbinfo -u
+LONDON+Administrator
+LONDON+Guest
+LONDON+SUPPORT_388945a0
+LONDON+krbtgt
+LONDON+jht
+LONDON+xjht
+</screen>
+ This enumerates all the users in your Active Directory tree:
+<screen>
+&rootprompt; wbinfo -g
+LONDON+Domain Computers
+LONDON+Domain Controllers
+LONDON+Schema Admins
+LONDON+Enterprise Admins
+LONDON+Domain Admins
+LONDON+Domain Users
+LONDON+Domain Guests
+LONDON+Group Policy Creator Owners
+LONDON+DnsUpdateProxy
+</screen>
+ This enumerates all the groups in your Active Directory tree.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Squid</primary>
+ </indexterm><indexterm>
+ <primary>ntlm_auth</primary>
+ </indexterm>
+ Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
+ You may test <command>ntlm_auth</command> with the command:
+<screen>
+&rootprompt; /usr/bin/ntlm_auth --username=jht
+password: XXXXXXXX
+</screen>
+ You are asked for your password, which you should enter. You are rewarded with:
+<screen>
+&rootprompt; NT_STATUS_OK: Success (0x0)
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ntlm_auth</primary>
+ </indexterm><indexterm>
+ <primary>authenticate</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>privileged pipe</primary>
+ </indexterm><indexterm>
+ <primary>squid</primary>
+ </indexterm><indexterm>
+ <primary>chgrp</primary>
+ </indexterm><indexterm>
+ <primary>chmod</primary>
+ </indexterm><indexterm>
+ <primary>failure</primary>
+ </indexterm>
+ The <command>ntlm_auth</command> helper, when run from a command line as the user
+ <quote>root</quote>, authenticates against your Active Directory domain (with
+ the aid of winbind). It manages this by reading from the winbind privileged pipe.
+ Squid is running with the permissions of user <quote>squid</quote> and group
+ <quote>squid</quote> and is not able to do this unless we make a vital change.
+ Squid cannot read from the winbind privilege pipe unless you change the
+ permissions of its directory. This is the single biggest cause of failure in the
+ whole process. Remember to issue the following command (for Red Hat Linux):
+<screen>
+&rootprompt; chgrp squid /var/cache/samba/winbindd_privileged
+&rootprompt; chmod 750 /var/cache/samba/winbindd_privileged
+</screen>
+ For SUSE Linux 9, execute the following:
+<screen>
+&rootprompt; chgrp squid /var/lib/samba/winbindd_privileged
+&rootprompt; chmod 750 /var/lib/samba/winbindd_privileged
+</screen>
+ </para></step>
+
+ </procedure>
+ </sect3>
+
+ <sect3>
+ <title>NSS Configuration</title>
+
+ <para><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>winbind</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm>
+ For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
+ </para>
+
+ <procedure>
+ <step><para>
+ Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown
+ in <link linkend="ch10-etcnsscfg"/>.
+ </para></step>
+ </procedure>
+
+<smbconfexample id="ch10-smbconf">
+<title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>LONDON</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>W2K3S</value></smbconfoption>
+<smbconfoption><name>realm</name><value>LONDON.ABMAS.BIZ</value></smbconfoption>
+<smbconfoption><name>security</name><value>ads</value></smbconfoption>
+<smbconfoption><name>encrypt passwords</name><value>yes</value></smbconfoption>
+<smbconfoption><name>password server</name><value>w2k3s.london.abmas.biz</value></smbconfoption>
+
+<smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment>
+<smbconfoption><name>winbind separator</name><value>/</value></smbconfoption>
+
+<smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment>
+<smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+# use GIDs from 10000 to 20000 for domain groups
+<smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+
+<smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment>
+<smbconfoption><name>winbind enum users</name><value>yes</value></smbconfoption>
+<smbconfoption><name>winbind enum groups</name><value>yes</value></smbconfoption>
+<smbconfoption><name>winbind user default domain</name><value>yes</value></smbconfoption>
+</smbconfexample>
+
+<example id="ch10-etcnsscfg">
+<title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
+<screen>
+passwd: files winbind
+shadow: files
+group: files winbind
+</screen>
+</example>
+
+ </sect3>
+
+ <sect3>
+ <title>Squid Configuration</title>
+
+ <para><indexterm>
+ <primary>Squid</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>authentication</secondary>
+ </indexterm>
+ Squid must be configured correctly to interact with the Samba-3
+ components that handle Active Directory authentication.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuration</title></sect2>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Squid</primary>
+ </indexterm><indexterm>
+ <primary>helper agent</primary>
+ </indexterm>
+ If your Linux distribution is SUSE Linux 9, the version of Squid
+ supplied is already enabled to use the winbind helper agent. You
+ can, therefore, omit the steps that would build the Squid binary
+ programs.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>nobody</primary>
+ </indexterm><indexterm>
+ <primary>squid</primary>
+ </indexterm><indexterm>
+ <primary>rpms</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm>
+ Squid, by default, runs as the user <constant>nobody</constant>. You need to
+ add a system user <constant>squid</constant> and a system group
+ <constant>squid</constant> if they are not set up already (if the default
+ Red Hat squid rpms were installed, they will be). Set up a
+ <constant>squid</constant> user in <filename>/etc/passwd</filename>
+ and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>permissions</primary>
+ </indexterm><indexterm>
+ <primary>chown</primary>
+ </indexterm>
+ You now need to change the permissions on Squid's <constant>var</constant>
+ directory. Enter the following command:
+<screen>
+&rootprompt; chown -R squid /var/cache/squid
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>logging</primary>
+ </indexterm><indexterm>
+ <primary>Squid</primary>
+ </indexterm>
+ Squid must also have control over its logging. Enter the following commands:
+<screen>
+&rootprompt; chown -R chown squid:squid /var/log/squid
+&rootprompt; chmod 770 /var/log/squid
+</screen>
+ </para></step>
+
+ <step><para>
+ Finally, Squid must be able to write to its disk cache!
+ Enter the following commands:
+<screen>
+&rootprompt; chown -R chown squid:squid /var/cache/squid
+&rootprompt; chmod 770 /var/cache/squid
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/squid/squid.conf</primary>
+ </indexterm>
+ The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from
+ <link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>cache directories</primary>
+ </indexterm>
+ You must create Squid's cache directories before it may be run. Enter the following command:
+<screen>
+&rootprompt; squid -z
+</screen>
+ </para></step>
+
+ <step><para>
+ Finally, start Squid and enjoy transparent Active Directory authentication.
+ Enter the following command:
+<screen>
+&rootprompt; squid
+</screen>
+ </para></step>
+ </procedure>
+
+<example id="etcsquidcfg">
+<title>Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title>
+<screen>
+ cache_effective_user squid
+ cache_effective_group squid
+</screen>
+</example>
+
+<example id="etcsquid2">
+<title>Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title>
+<screen>
+ auth_param ntlm program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-ntlmssp
+ auth_param ntlm children 5
+ auth_param ntlm max_challenge_reuses 0
+ auth_param ntlm max_challenge_lifetime 2 minutes
+ auth_param basic program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-basic
+ auth_param basic children 5
+ auth_param basic realm Squid proxy-caching web server
+ auth_param basic credentialsttl 2 hours
+ acl AuthorizedUsers proxy_auth REQUIRED
+ http_access allow all AuthorizedUsers
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para><indexterm>
+ <primary>Web browsers</primary>
+ </indexterm><indexterm>
+ <primary>services</primary>
+ </indexterm><indexterm>
+ <primary>authentication protocols</primary>
+ </indexterm><indexterm>
+ <primary>Web</primary>
+ <secondary>proxy</secondary>
+ <tertiary>access</tertiary>
+ </indexterm><indexterm>
+ <primary>NTLMSSP</primary>
+ </indexterm>
+ Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
+ Windows clients use, even when accessing traditional services such as Web browsers. Depending
+ on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
+ the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
+ the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
+ of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para><indexterm>
+ <primary>ntlm_auth</primary>
+ </indexterm><indexterm>
+ <primary>SambaXP conference</primary>
+ </indexterm><indexterm>
+ <primary>Goettingen</primary>
+ </indexterm><indexterm>
+ <primary>Italian</primary>
+ </indexterm>
+ The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
+ in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
+ <command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the
+ adoption of <command>ntlm_auth</command> has spread considerably.
+ </para>
+
+ <para>
+ The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
+ support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000
+ users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
+ wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
+ comments were made with respect to questions regarding the performance of this installation:
+ </para>
+
+ <blockquote><para>
+ [In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The <quote>almost</quote>
+ part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
+ scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
+ </para></blockquote>
+
+ <para>
+ You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory.
+ Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
+ out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
+ </para>
+
+ <qandaset defaultlabel="chap10bqa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What does Samba have to do with Web proxy serving?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <secondary>transparent inter-operability</secondary>
+ </indexterm><indexterm>
+ <primary>Windows clients</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>services</secondary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm><indexterm>
+ <primary>wrapper</primary>
+ </indexterm>
+ To provide transparent interoperability between Windows clients and the network services
+ that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit
+ of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
+ module is basically a wrapper around authentication code from the core of the Samba project.
+ </para>
+
+ <para><indexterm>
+ <primary>plain-text</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ <secondary>plain-text</secondary>
+ </indexterm><indexterm>
+ <primary>Web</primary>
+ <secondary>proxy</secondary>
+ </indexterm><indexterm>
+ <primary>FTP</primary>
+ <secondary>proxy</secondary>
+ </indexterm><indexterm>
+ <primary>NTLMSSP</primary>
+ </indexterm><indexterm>
+ <primary>logon credentials</primary>
+ </indexterm><indexterm>
+ <primary>Windows explorer</primary>
+ </indexterm><indexterm>
+ <primary>Internet Information Server</primary>
+ </indexterm><indexterm>
+ <primary>Apache Web server</primary>
+ </indexterm>
+ The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP
+ protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
+ the user being interrupted via his/her Windows logon credentials. This facility is available with
+ MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
+ There are a few open source initiatives to provide support for these protocols in the Apache Web server
+ also.
+ </para>
+
+ <para><indexterm>
+ <primary>wrapper</primary>
+ </indexterm>
+ The short answer is that by adding a wrapper around key authentication components of Samba, other
+ projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What other services does Samba provide?
+ </para>
+
+ </question>
+ <answer>
+
+ <para><indexterm>
+ <primary>winbindd</primary>
+ </indexterm><indexterm>
+ <primary>Identity resolver</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>file and print server</primary>
+ </indexterm>
+ Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
+ <command>nmbd</command>, and the Identity resolver daemon, <command>winbindd</command>.
+ </para>
+
+ <para><indexterm>
+ <primary>SMB/CIFS</primary>
+ </indexterm><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
+ </para>
+
+ <para><indexterm>
+ <primary>modules</primary>
+ </indexterm><indexterm>
+ <primary>utilities</primary>
+ </indexterm><indexterm>
+ <primary>validation</primary>
+ </indexterm><indexterm>
+ <primary>inter-operability</primary>
+ </indexterm><indexterm>
+ <primary>authentication</primary>
+ </indexterm>
+ Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
+ Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
+ servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
+ as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switcher modules
+ to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
+ server products).
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
+ Squid make an external call to <command>ntlm_auth</command> and, therefore, actually incurs a
+ little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
+ Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
+ sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
+ </para>
+
+ </answer>
+ </qandaentry>
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap11-HighAvailability.xml b/docs/Samba-Guide/Chap11-HighAvailability.xml
new file mode 100644
index 0000000000..d81164a8ee
--- /dev/null
+++ b/docs/Samba-Guide/Chap11-HighAvailability.xml
@@ -0,0 +1,766 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="HA">
+ <title>Performance, Reliability, and Availability</title>
+
+ <para><indexterm>
+ <primary>performance</primary>
+ </indexterm><indexterm>
+ <primary>reliability</primary>
+ </indexterm><indexterm>
+ <primary>availability</primary>
+ </indexterm>
+ Well, you have reached the chapter before the Appendix. It is customary to attempt
+ to wrap up the theme and contents of a book in what is generally regarded as the
+ chapter that should draw conclusions. This book is a suspense thriller and since
+ the plot of the stories told mostly lead you to bigger, better Samba-3 networking
+ solutions, it is perhaps appropriate to close this book with a few pertinent comments
+ regarding some of the things everyone can do to deliver a reliable Samba-3 network.
+ </para>
+
+ <blockquote><attribution>Anonymous</attribution><para>
+ In a world so full of noise, how can the sparrow be heard?
+ </para></blockquote>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para><indexterm>
+ <primary>clustering</primary>
+ </indexterm>
+ The sparrow is a small bird whose sounds are drowned out by the noise of the busy
+ world it lives in. Likewise, the simple steps that can be taken to improve the
+ reliability and availability of a Samba network are often drowned out by the volume
+ of discussions about grandiose Samba clustering designs. This is not intended to
+ suggest that clustering is not important, because clearly it is. This chapter does not devote
+ itself to discussion of clustering because each clustering methodology uses its own
+ custom tools and methods. Only passing comments are offered concerning these methods.
+ </para>
+
+ <para><indexterm>
+ <primary>cluster</primary>
+ </indexterm><indexterm>
+ <primary>samba cluster</primary>
+ </indexterm><indexterm>
+ <primary>scalability</primary>
+ </indexterm>
+<ulink url="http://www.google.com/search?hl=en&amp;lr=&amp;ie=ISO-8859-1&amp;q=samba+cluster&amp;btnG=Google+Search">A search</ulink>
+ for <quote>samba cluster</quote> produced 71,600 hits. And a search for <quote>highly available samba</quote>
+ and <quote>highly available windows</quote> produced an amazing number of references.
+ It is clear from the resources on the Internet that Windows file and print services
+ availability, reliability, and scalability are of vital interest to corporate network users.
+ </para>
+
+ <para><indexterm>
+ <primary>performance</primary>
+ </indexterm>
+ So without further background, you can review a checklist of simple steps that
+ can be taken to ensure acceptable network performance while keeping costs of ownership
+ well under control.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>simple</primary>
+ </indexterm><indexterm>
+ <primary>complexities</primary>
+ </indexterm>
+ If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
+ must be obeyed. If you want the best, keep your implementation as simple as possible. You may
+ well be forced to introduce some complexities, but you should do so only as a last resort.
+ </para>
+
+ <para>
+ Simple solutions are likely to be easier to get right than are complex ones. They certainly
+ make life easier for your successor. Simple implementations can be more readily audited than can
+ complex ones.
+ </para>
+
+ <para><indexterm>
+ <primary>broken behavior</primary>
+ </indexterm><indexterm>
+ <primary>poor performance</primary>
+ </indexterm>
+ Problems reported by users fall into three categories: configurations that do not work, those
+ that have broken behavior, and poor performance. The term <emphasis>broken behavior</emphasis>
+ means that the function of a partciluar Samba component appears to work sometimes, but not at
+ others. The resulting intermittent operation is clearly unacceptable. An example of
+ <emphasis>broken behavior</emphasis> known to many Windows networking users occurs when the
+ list of Windows machines in MS Explorer changes, sometimes listing machines that are running
+ and at other times not listing them even though the machines are in use on the network.
+ </para>
+
+ <para><indexterm>
+ <primary>smbfs</primary>
+ </indexterm><indexterm>
+ <primary>smbmnt</primary>
+ </indexterm><indexterm>
+ <primary>smbmount</primary>
+ </indexterm><indexterm>
+ <primary>smbumnt</primary>
+ </indexterm><indexterm>
+ <primary>smbumount</primary>
+ </indexterm><indexterm>
+ <primary>front-end</primary>
+ </indexterm>
+ A significant number of reports concern problems with the <command>smbfs</command> file system
+ driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
+ <command>smbfs</command> is part of Samba, simply because Samba includes the front-end tools
+ that are used to manage <command>smbfs</command>-based file service connections. So, just
+ for the record, the tools <command>smbmnt, smbmount, smbumount,</command> and <command>smbumnt</command> are front-end
+ facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
+ common infrastructure with some Samba components, but they are not maintained as part of
+ Samba and are really foreign to it.
+ </para>
+
+ <para><indexterm>
+ <primary>cifsfs</primary>
+ </indexterm>
+ The new project, <command>cifsfs</command>, is destined to replace <command>smbfs</command>.
+ It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
+ this project.
+ </para>
+
+ <para>
+ The following table lists typical causes of:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Not Working (NW)</para></listitem>
+ <listitem><para>Broken Behavior (BB)</para></listitem>
+ <listitem><para>Poor Performance (PP)</para></listitem>
+ </itemizedlist>
+
+
+ <table id="ProbList">
+ <title>Effect of Common Problems</title>
+ <tgroup cols="4">
+ <colspec align="left"/>
+ <colspec align="center"/>
+ <colspec align="center"/>
+ <colspec align="center"/>
+ <thead>
+ <row>
+ <entry><para>Problem</para></entry>
+ <entry><para>NW</para></entry>
+ <entry><para>BB</para></entry>
+ <entry><para>PP</para></entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><para>File Locking</para></entry>
+ <entry><para>-</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>-</para></entry>
+ </row>
+ <row>
+ <entry><para>Hardware Problems</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ </row>
+ <row>
+ <entry><para>Incorrect Authentication</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>-</para></entry>
+ </row>
+ <row>
+ <entry><para>Incorrect Configuration</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ </row>
+ <row>
+ <entry><para>LDAP Problems</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>-</para></entry>
+ </row>
+ <row>
+ <entry><para>Name Resolution</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ </row>
+ <row>
+ <entry><para>Printing Problems</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>-</para></entry>
+ </row>
+ <row>
+ <entry><para>Slow File Transfer</para></entry>
+ <entry><para>-</para></entry>
+ <entry><para>-</para></entry>
+ <entry><para>X</para></entry>
+ </row>
+ <row>
+ <entry><para>Winbind Problems</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>X</para></entry>
+ <entry><para>-</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para><indexterm>
+ <primary>network hygiene</primary>
+ </indexterm>
+ It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
+ problems that affect basic network operation. This book has provided sufficient working examples
+ to help you to avoid all these problems.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Guidelines for Reliable Samba Operation</title>
+
+ <para><indexterm>
+ <primary>resilient</primary>
+ </indexterm><indexterm>
+ <primary>extreme demand</primary>
+ </indexterm>
+ Your objective is to provide a network that works correctly, can grow at all times, is resilient
+ at times of extreme demand, and can scale to meet future needs. The following subject areas provide
+ pointers that can help you today.
+ </para>
+
+ <sect2>
+ <title>Name Resolution</title>
+
+ <para>
+ There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
+ These are covered in the discussion below.
+ </para>
+
+ <sect3>
+ <title>Bad Hostnames</title>
+
+ <para><indexterm>
+ <primary>DHCP</primary>
+ <secondary>client</secondary>
+ </indexterm><indexterm>
+ <primary>netbios name</primary>
+ </indexterm><indexterm>
+ <primary>localhost</primary>
+ </indexterm><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm><indexterm>
+ <primary>NetBIOS</primary>
+ </indexterm>
+ When configured as a DHCP client, a number of Linux distributions set the system hostname
+ to <constant>localhost</constant>. If the parameter <parameter>netbios name</parameter> is not
+ specified to something other than <constant>localhost</constant>, the Samba server appears
+ in the Windows Explorer as <constant>LOCALHOST</constant>. Moreover, the entry in the <filename>/etc/hosts</filename>
+ on the Linux server points to IP address <constant>127.0.0.1</constant>. This means that
+ when the Windows client obtains the IP address of the Samba server called <constant>LOCALHOST</constant>,
+ it obtains the IP address <constant>127.0.0.1</constant> and then proceeds to attempt to
+ set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is
+ the local Windows machine itself. Hostnames must be valid for Windows networking to function
+ correctly.
+ </para>
+
+ <para><indexterm>
+ <primary>digits</primary>
+ </indexterm>
+ A few sites have tried to name Windows clients and Samba servers with a name that begins
+ with the digits 1-9. This does not work either because it may result in the client or
+ server attempting to use that name as an IP address.
+ </para>
+
+ <para><indexterm>
+ <primary>DNS</primary>
+ <secondary>name lookup</secondary>
+ </indexterm><indexterm>
+ <primary>resolve</primary>
+ </indexterm>
+ A Samba server called <constant>FRED</constant>, in a NetBIOS Domain called <constant>COLLISION</constant>
+ in a network environment that is part of the fully qualified Internet domain name space known
+ as <constant>parrots.com</constant>, results in DNS name lookups for: <constant>fred.parrots.com</constant>
+ and <constant>collision.parrots.com</constant>. It is, therefore, a mistake to name the Domain
+ (workgroup) <constant>collision.parrots.com</constant> since this results in DNS lookup
+ attempts to resolve: <constant>fred.parrots.com.parrots.com</constant>, which most likely
+ fails given that you probably do not have this in your DNS name space.
+ </para>
+
+ <note><para><indexterm>
+ <primary>Active Directory</primary>
+ <secondary>realm</secondary>
+ </indexterm><indexterm>
+ <primary>ADS</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ </indexterm>
+ An Active Directory realm called <constant>collision.parrots.com</constant> is perfectly okay,
+ although it too must be capable of being resolved via DNS, something that functions correctly
+ if Windows 200x ADS has been properly installed and configured.
+ </para></note>
+
+ </sect3>
+
+ <sect3>
+ <title>Routed Networks</title>
+
+ <para><indexterm>
+ <primary>NetBIOS</primary>
+ </indexterm><indexterm>
+ <primary>UDP</primary>
+ <secondary>broadcast</secondary>
+ </indexterm><indexterm>
+ <primary>broadcast</primary>
+ </indexterm>
+ NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
+ of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1.
+ </para>
+
+ <para><indexterm>
+ <primary>routers</primary>
+ </indexterm><indexterm>
+ <primary>forwarded</primary>
+ </indexterm><indexterm>
+ <primary>multi-subnet</primary>
+ </indexterm>
+ UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
+ networking cannot function across routed networks (i.e., multi-subnet networks) unless
+ special provisions are made:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>LMHOSTS</primary>
+ </indexterm><indexterm>
+ <primary>remote announce</primary>
+ </indexterm><indexterm>
+ <primary>remote browse sync</primary>
+ </indexterm>
+ Either install on every Windows client an LMHOSTS file (located in the directory
+ <filename>C:\windows\system32\drivers\etc</filename>). It is also necessary to
+ add to the Samba server &smb.conf; file the parameters: <parameter>remote announce</parameter>
+ and <parameter>remote browse sync</parameter>. For more information, refer to the on-line
+ manual page for the &smb.conf; file.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>WINS</primary>
+ <secondary>server</secondary>
+ </indexterm>
+ Or configure Samba as a WINS server, and configure all network clients to use that
+ WINS server in their TCP/IP configuration.
+ </para></listitem>
+ </itemizedlist>
+
+ <note><para><indexterm>
+ <primary>WINS</primary>
+ <secondary>name resolution</secondary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ </indexterm>
+ The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
+ information regarding NetBIOS networking particulars that does get stored in the WINS
+ name resolution database, and that Windows clients require and depend on.
+ </para></note>
+
+ </sect3>
+
+ <sect3>
+ <title>Network Collisions</title>
+
+ <para><indexterm>
+ <primary>network</primary>
+ <secondary>collisions</secondary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>tiemouts</secondary>
+ </indexterm><indexterm>
+ <primary>collision rates</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>load</secondary>
+ </indexterm>
+ Excessive network activity causes NetBIOS network time-outs. Time-outs may result in
+ blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
+ UDP broadcast activity, by defective networking hardware, or through excessive network
+ loads (another way of saying that the network is poorly designed).
+ </para>
+
+ <para>
+ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
+ in Chapter 1.
+ </para>
+
+ <para><indexterm>
+ <primary>netbios forwarding</primary>
+ </indexterm><indexterm>
+ <primary>broadcast storms</primary>
+ </indexterm><indexterm>
+ <primary>performance</primary>
+ </indexterm>
+ Under no circumstances should the facility be supported by many routers, known as <constant>NetBIOS
+ forwarding</constant>, unless you know exactly what you are doing. Inappropriate use of this
+ facility can result in UDP broadcast storms. In one case in 1999, a university network became
+ unusable due to this being enabled on all routers. The problem was discovered during performance
+ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was
+ less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance
+ immediately returned to 11 MBytes/sec.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Samba Configuration</title>
+
+ <para>
+ As a general rule, the contents of the &smb.conf; file should be kept as simple as possible.
+ No parameter should be specified unless you know it is essential to operation.
+ </para>
+
+ <para><indexterm>
+ <primary>document the settings</primary>
+ </indexterm><indexterm>
+ <primary>documented</primary>
+ </indexterm><indexterm>
+ <primary>optimized</primary>
+ </indexterm>
+ Many UNIX administrators like to fully document the settings in the &smb.conf; file. This is a
+ bad idea because it adds content to the file. The &smb.conf; file is re-read by every <command>smbd</command>
+ process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so).
+ </para>
+
+ <para>
+ As the size of the &smb.conf; file grows the risk of introduction of parsing errors increases also.
+ It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
+ with an optimized file.
+ </para>
+
+ <para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ The preferred way to maintain a documented file is to call it something like <filename>smb.conf.master</filename>.
+ You can generate the optimized file by executing:
+<screen>
+&rootprompt; testparm -s smb.conf.master > smb.conf
+</screen>
+ You should carefully observe all warnings issued. It is also a good practice to execute the following
+ command to confirm correct interpretation of the &smb.conf; file contents:
+<screen>
+&rootprompt; testparm
+Load smb config files from /etc/samba/smb.conf
+Can't find include file /etc/samba/machine.
+Processing section "[homes]"
+Processing section "[print$]"
+Processing section "[netlogon]"
+Processing section "[Profiles]"
+Processing section "[printers]"
+Processing section "[media]"
+Processing section "[data]"
+Processing section "[cdr]"
+Processing section "[apps]"
+Loaded services file OK.
+'winbind separator = +' might cause problems with group membership.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</screen>
+ <indexterm>
+ <primary>fatal problem</primary>
+ </indexterm>
+ You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
+ The important thing to note is the noted Server role, as well as warning messages. Noted configuration
+ conflicts must be remedied before proceeding. For example, the following error message represents a
+ common fatal problem:
+<screen>
+ERROR: both 'wins support = true' and 'wins server = &lt;server list&gt;'
+cannot be set in the smb.conf file. nmbd will abort with this setting.
+</screen>
+ </para>
+
+ <para><indexterm>
+ <primary>performance degradation</primary>
+ </indexterm><indexterm>
+ <primary>socket options</primary>
+ </indexterm><indexterm>
+ <primary>socket address</primary>
+ </indexterm>
+ There are two parameters that can cause severe network performance degradation, <parameter>socket options</parameter>
+ and <parameter>socket address</parameter>. The <parameter>socket options</parameter> parameter was often necessary
+ when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
+ this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
+ </para>
+
+ <para><indexterm>
+ <primary>strict sync</primary>
+ </indexterm><indexterm>
+ <primary>sync always</primary>
+ </indexterm><indexterm>
+ <primary>severely degrade</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>performance</secondary>
+ </indexterm>
+ Another &smb.conf; parameter that may cause severe network performance degradation is the
+ <parameter>strict sync</parameter> parameter. Do not use this at all. There is no good reason
+ to use this with any modern Windows client. The <parameter>strict sync</parameter> is often
+ used together with the <parameter>sync always</parameter> parameter. This, too, can severely
+ degrade network performance, so do not set it or if you must, do so with caution.
+ </para>
+
+ <para><indexterm>
+ <primary>opportunistic locking</primary>
+ </indexterm><indexterm>
+ <primary>file caching</primary>
+ </indexterm><indexterm>
+ <primary>caching</primary>
+ </indexterm><indexterm>
+ <primary>oplocks</primary>
+ </indexterm>
+ Finally, many network administrators deliberately disable opportunistic locking support. While this
+ does not degrade Samba performance, it significantly degrades Windows client performance because
+ this disables local file caching on Windows clients and forces every file read and written to
+ invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking)
+ support, do so on the share on which it is required only. That way, all other shares can provide
+ oplock support for operations that are tolerant of it. See <link linkend="ch12dblck"/> for more
+ information.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Use and Location of BDCs</title>
+
+ <para><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>routed network</primary>
+ </indexterm><indexterm>
+ <primary>wide-area network</primary>
+ </indexterm><indexterm>
+ <primary>network segment</primary>
+ </indexterm>
+ On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
+ processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
+ authentication and logon processing. When a sole BDC on a routed network segment gets heavily
+ loaded, it is possible that network logon requests and authentication requests may be directed
+ to a BDC on a distant network segment. This significantly hinders wide-area network operations
+ and is undesirable.
+ </para>
+
+ <para><indexterm>
+ <primary>Domain Member</primary>
+ </indexterm><indexterm>
+ <primary>Domain Controller</primary>
+ </indexterm>
+ As a general guide, instead of adding Domain Member servers to a network, you would be better advised
+ to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
+ Domain Member servers. This practice ensures that there is always sufficient Domain Controllers
+ to handle logon requests and authentication traffic.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Use One Consistent Version of MS Windows Client</title>
+
+ <para>
+ Every network client has its own peculiarities. From a management perspective, it is easier to deal
+ with one version of MS Windows that is maintained to a consistent update level, than it is to deal
+ with a mixture of clients.
+ </para>
+
+ <para>
+ On a number of occasions, particular Microsoft service pack updates of a Windows server or client
+ have necessitated special handling from the Samba server end. If you want to remain sane, keep you
+ client workstation configurations consistent.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>For Scalability, Use SAN Based Storage on Samba Servers</title>
+
+ <para><indexterm>
+ <primary>SAN</primary>
+ </indexterm><indexterm>
+ <primary>synchronization</primary>
+ </indexterm>
+ Many SAN-based storage systems permit more than one server to share a common data store.
+ Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
+ synchronization techniques.
+ </para>
+
+ <para><indexterm>
+ <primary>load distribution</primary>
+ </indexterm><indexterm>
+ <primary>clustering</primary>
+ </indexterm>
+ The use of a collection of relatively low-cost front-end Samba servers that are coupled to
+ a shared backend SAN data store permits load distribution while containing costs below that
+ of installing and managing a complex clustering facility.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Distribute Network Load with MSDFS</title>
+
+ <para><indexterm>
+ <primary>MSDFS</primary>
+ </indexterm><indexterm>
+ <primary>distributed</primary>
+ </indexterm>
+ Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
+ data to be accessed from a single share and yet to actually be distributed across multiple actual
+ servers. Refer to <emphasis>TOSHARG</emphasis>, Chapter 16, for information regarding implementation of an MSDFS installation.
+ </para>
+
+ <para><indexterm>
+ <primary>front-end</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>MSDFS</primary>
+ </indexterm>
+ The combination of multiple back end servers together with a front-end server and use of MSDFS
+ can achieve almost the same as you would obtain with a clustered Samba server.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</title>
+
+ <para><indexterm>
+ <primary>replicate</primary>
+ </indexterm><indexterm>
+ <primary>rsync</primary>
+ </indexterm><indexterm>
+ <primary>wide-area network</primary>
+ </indexterm>
+ Consider using <command>rsync</command> to replicate data across the wide-area network during times
+ of low utilization. Users can then access the replicated data store rather than needing to do so
+ across the wide-area network. This works best for read-only data, but with careful planning can be
+ implemented so that modified files get replicated back to the point of origin. Be careful with your
+ implementation if you choose to permit modification and return replication of the modified file;
+ otherwise, you may inadvertently overwrite important data.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Hardware Problems</title>
+
+ <para><indexterm>
+ <primary>hardware prices</primary>
+ </indexterm><indexterm>
+ <primary>hardware problems</primary>
+ </indexterm><indexterm>
+ <primary>NICs</primary>
+ </indexterm><indexterm>
+ <primary>defective</primary>
+ <secondary>hubs</secondary>
+ </indexterm><indexterm>
+ <primary>defective</primary>
+ <secondary>switches</secondary>
+ </indexterm><indexterm>
+ <primary>defective</primary>
+ <secondary>cables</secondary>
+ </indexterm>
+ Networking hardware prices have fallen sharply over the past five years. A surprising number
+ of Samba networking problems over this time have been traced to defective network interface
+ cards (NICs) or defective hubs, switches, and cables.
+ </para>
+
+ <para><indexterm>
+ <primary>corrective action</primary>
+ </indexterm>
+ Not surprising is the fact that network administrators do not like to be shown to have made
+ a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
+ in corrective action.
+ </para>
+
+ <para><indexterm>
+ <primary>intermittent</primary>
+ </indexterm><indexterm>
+ <primary>data corruption</primary>
+ </indexterm><indexterm>
+ <primary>slow network</primary>
+ </indexterm><indexterm>
+ <primary>low performance</primary>
+ </indexterm><indexterm>
+ <primary>data integrity</primary>
+ </indexterm>
+ Defective NICs, hubs, and switches may appear as intermittent network access problems, intermittent
+ or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD)
+ problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
+ Windows client machines that triggered problems during logon as well as data integrity problems on
+ an older PC that was unaffected so long as the new machines were kept shut down.
+ </para>
+
+ <para>
+ Defective hardware problems may take patience and persistence before the real cause can be discovered.
+ </para>
+
+ <para><indexterm>
+ <primary>RAID controllers</primary>
+ </indexterm>
+ Networking hardware defects can significantly impact perceived Samba performance, but defective
+ RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
+ operations. One business came to this realization only after replacing a Samba installation with MS
+ Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network
+ administrator until the entire server was replaced. While you may well think that this would never
+ happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ This chapter has touched in broad sweeps on a number of simple steps that can be taken
+ to ensure that your Samba network is resilient, scalable, and reliable, and that it
+ performs well.
+ </para>
+
+ <para>
+ Always keep in mind that someone is responsible to maintain and manage your design.
+ In the long term, that may not be you. Spare a thought for your successor and give him or
+ her an even break.
+ </para>
+
+ <para><indexterm>
+ <primary>assumptions</primary>
+ </indexterm>
+ Last, but not least, you should not only keep the network design simple, but it should
+ be well documented. This book may serve as your pattern for documenting every
+ aspect of your design, its implementation, and particularly the objects and assumptions
+ that underlie it.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+</chapter>
+
diff --git a/docs/Samba-Guide/Chap12-Appendix.xml b/docs/Samba-Guide/Chap12-Appendix.xml
new file mode 100644
index 0000000000..c3b244c405
--- /dev/null
+++ b/docs/Samba-Guide/Chap12-Appendix.xml
@@ -0,0 +1,1641 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<appendix id="appendix">
+ <title>Appendix: A Collection of Useful Tid-bits</title>
+
+ <para><indexterm>
+ <primary>material</primary>
+ </indexterm><indexterm>
+ <primary>domain</primary>
+ <secondary>joining</secondary>
+ </indexterm>
+ Information presented here is considered to be either basic or well-known material that is informative
+ yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
+ the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
+ different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
+ as shown in the example given below.
+ </para>
+
+<sect1 id="domjoin">
+<title>Joining a Domain: Windows 200x/XP Professional</title>
+
+ <para><indexterm>
+ <primary>joining a domain</primary>
+ </indexterm>
+ Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
+ This section steps through the process for making a Windows 200x/XP Professional machine a
+ member of a Domain Security environment. It should be noted that this process is identical
+ when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
+ </para>
+
+ <procedure>
+ <step><para>
+ Click <guimenu>Start</guimenu>.
+ </para></step>
+
+ <step><para>
+ Right-click <guimenu>My Computer</guimenu>, and then select <guimenuitem>Properties</guimenuitem>.
+ </para></step>
+
+ <step><para>
+ The opening panel is the same one that can be reached by clicking <guimenu>System</guimenu> on the Control Panel.
+ See <link linkend="wxpp001"></link>.
+ <image id="wxpp001"><imagefile>wxpp001</imagefile><imagedescription>The General Panel.</imagedescription></image>
+ </para></step>
+
+ <step><para>
+ Click the <guimenu>Computer Name</guimenu> tab.
+ This panel shows the <guimenuitem>Computer Description</guimenuitem>, the <guimenuitem>Full computer name</guimenuitem>,
+ and the <guimenuitem>Workgroup</guimenuitem> or <guimenuitem>Domain name</guimenuitem>.
+ </para>
+
+ <para>
+ Clicking the <guimenu>Network ID</guimenu> button launches the configuration wizard. Do not use this with
+ Samba-3. If you wish to change the computer name, or join or leave the domain, click the <guimenu>Change</guimenu> button.
+ See <link linkend="wxpp004"></link>.
+ <image id="wxpp004"><imagefile>wxpp004</imagefile><imagedescription>The Computer Name Panel.</imagedescription></image>
+ </para></step>
+
+ <step><para>
+ Click on <guimenu>Change</guimenu>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
+ We join the domain called MIDEARTH. See <link linkend="wxpp006"></link>.
+ <image id="wxpp006"><imagefile>wxpp006</imagefile><imagedescription>The Computer Name Changes Panel.</imagedescription></image>
+ </para></step>
+
+ <step><para>
+ Enter the name <guimenu>MIDEARTH</guimenu> in the field below the Domain radio button.
+ </para>
+
+ <para>
+ This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <link linkend="wxpp007"></link>.
+ <image id="wxpp007"><imagefile>wxpp007</imagefile><imagedescription>The Computer Name Changes Panel &smbmdash; Domain MIDEARTH.</imagedescription></image>
+ </para></step>
+
+ <step><para>
+ Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
+ of a Domain administrative account that has the rights to add machines to the Domain.
+ </para>
+
+ <para>
+ Enter the name <quote>root</quote> and the root password from your Samba-3 server. See <link linkend="wxpp008"></link>.
+ <image id="wxpp008"><imagefile>wxpp008</imagefile><imagedescription>Computer Name Changes &smbmdash; User name and Password Panel.</imagedescription></image>
+ </para></step>
+
+ <step><para>
+ Click <guimenu>OK</guimenu>.
+ </para>
+
+ <para>
+ The <quote>Welcome to the MIDEARTH domain</quote> dialog box should appear. At this point, the machine must be rebooted.
+ Joining the domain is now complete.
+ </para></step>
+
+ </procedure>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary>
+ </indexterm>
+ The screen capture shown in <link linkend="wxpp007"/> has a button labeled <guimenu>More...</guimenu>. This button opens a
+ panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
+ of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
+ </para>
+
+ <para><indexterm>
+ <primary>Netlogon</primary>
+ </indexterm><indexterm>
+ <primary>DNS</primary><secondary>dynamic</secondary>
+ </indexterm>
+ Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
+ register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
+ to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
+ </para>
+
+ <para><indexterm>
+ <primary>DNS</primary>
+ <secondary>suffix</secondary>
+ </indexterm>
+ The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
+ this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
+ a valid IP address.
+ </para>
+
+ <para>
+ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
+ Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
+ </para>
+
+ <para><indexterm>
+ <primary>Group Policy</primary>
+ </indexterm>
+ According to Microsoft documentation, <quote>If this computer belongs to a group with <constant>Group Policy</constant>
+ enabled on <command>Primary DNS suffice of this computer</command>, the string specified in the Group Policy is used
+ as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
+ used only if Group Policy is disabled or unspecified.</quote>
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Samba System File Location</title>
+
+ <para><indexterm>
+ <primary>default installation</primary>
+ </indexterm><indexterm>
+ <primary>/usr/local/samba</primary>
+ </indexterm><indexterm>
+ <primary>/usr/local</primary>
+ </indexterm>
+ One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
+ build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
+ in the <filename>/usr/local/samba</filename> directory. This is a perfectly reasonable location, particularly given all the other
+ Open Source software that installs into the <filename>/usr/local</filename> subdirectories.
+ </para>
+
+ <para>
+ Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
+ default.
+ </para>
+
+ <para><indexterm>
+ <primary>Free Standards Grou</primary>
+ <see>FSG</see>
+ </indexterm><indexterm>
+ <primary>FSG</primary>
+ </indexterm><indexterm>
+ <primary>Linux Standards Base</primary>
+ <see>LSB</see>
+ </indexterm><indexterm>
+ <primary>LSB</primary>
+ </indexterm><indexterm>
+ <primary>File Hierarchy System</primary>
+ <see>FHS</see>
+ </indexterm><indexterm>
+ <primary>FHS</primary>
+ </indexterm><indexterm>
+ <primary>file locations</primary>
+ </indexterm><indexterm>
+ <primary>/etc/samba</primary>
+ </indexterm><indexterm>
+ <primary>/usr/sbin</primary>
+ </indexterm><indexterm>
+ <primary>/usr/bin</primary>
+ </indexterm><indexterm>
+ <primary>/usr/share</primary>
+ </indexterm><indexterm>
+ <primary>/usr/share/swat</primary>
+ </indexterm><indexterm>
+ <primary>/usr/lib/samba</primary>
+ </indexterm><indexterm>
+ <primary>/usr/share/samba/swat</primary>
+ </indexterm><indexterm>
+ <primary>SWAT</primary>
+ </indexterm><indexterm>
+ <primary>VFS modules</primary>
+ </indexterm>
+ Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
+ System (FHS), have elected to locate the configuration files under the <filename>/etc/samba</filename> directory, common binary
+ files (those used by users) in the <filename>/usr/bin</filename> directory, and the administrative files (daemons) in the
+ <filename>/usr/sbin</filename> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
+ <filename>/usr/share</filename> directory, either in <filename>/usr/share/samba/swat</filename> or in
+ <filename>/usr/share/swat</filename>. There are additional support files for <command>smbd</command> in the
+ <filename>/usr/lib/samba</filename> directory tree. The files located there include the dynamically loadable modules for the
+ passdb backend as well as for the VFS modules.
+ </para>
+
+ <para><indexterm>
+ <primary>/var/lib/samba</primary>
+ </indexterm><indexterm>
+ <primary>/var/log/samba</primary>
+ </indexterm><indexterm>
+ <primary>run-time control files</primary>
+ </indexterm>
+ Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
+ the <filename>/var/lib/samba</filename> directory. Log files are created in <filename>/var/log/samba.</filename>
+ </para>
+
+ <para>
+ When Samba is built and installed using the default Samba Team process, all files are located under the
+ <filename>/usr/local/samba</filename> directory tree. This makes it simple to find the files that Samba owns.
+ </para>
+
+ <para><indexterm>
+ <primary>smbd</primary>
+ <secondary>location of files</secondary>
+ </indexterm>
+ One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
+ of all files called <command>smbd</command>. Here is an example:
+<screen>
+&rootprompt; find / -name smbd -print
+</screen>
+ You can find the location of the configuration files by running:
+<screen>
+&rootprompt; /path-to-binary-file/smbd -b | more
+...
+Paths:
+ SBINDIR: /usr/sbin
+ BINDIR: /usr/bin
+ SWATDIR: /usr/share/samba/swat
+ CONFIGFILE: /etc/samba/smb.conf
+ LOGFILEBASE: /var/log/samba
+ LMHOSTSFILE: /etc/samba/lmhosts
+ LIBDIR: /usr/lib/samba
+ SHLIBEXT: so
+ LOCKDIR: /var/lib/samba
+ PIDDIR: /var/run/samba
+ SMB_PASSWD_FILE: /etc/samba/smbpasswd
+ PRIVATE_DIR: /etc/samba
+...
+</screen>
+ If you wish to locate the Samba version, just run:
+<screen>
+&rootprompt; /path-to-binary-file/smbd -V
+Version 3.0.2-SUSE
+</screen>
+ </para>
+
+ <para>
+ Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
+ by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
+ executing:<indexterm>
+ <primary>rpm</primary>
+ </indexterm>
+<screen>
+&rootprompt; rpm -qa | grep samba
+samba3-pdb-3.0.2-1
+samba3-vscan-0.3.4-0
+samba3-winbind-3.0.2-1
+samba3-3.0.2-1
+samba3-python-3.0.2-1
+samba3-utils-3.0.2-1
+samba3-doc-3.0.2-1
+samba3-client-3.0.2-1
+samba3-cifsmount-3.0.2-1
+ </screen><indexterm>
+ <primary>package names</primary>
+ </indexterm>
+ The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>Starting Samba</title>
+
+ <para><indexterm>
+ <primary>daemon</primary>
+ </indexterm>
+ Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
+ An example of a service is the Apache Web server for which the daemon is called <command>httpd</command>. In the case of Samba, there
+ are three daemons, two of which are needed as a minimum.
+ </para>
+
+ <para>
+ The Samba server is made up of the following daemons:
+ </para>
+
+<example id="ch12SL">
+<title>A Useful Samba Control Script for SuSE Linux</title>
+<screen>
+#!/bin/bash
+#
+# Script to start/stop samba
+# Locate this in /sbin as a file called 'samba'
+
+RCD=/etc/rc.d
+
+if [ z$1 == 'z' ]; then
+ echo $0 - No arguments given; must be start or stop.
+ exit
+fi
+
+if [ $1 == 'start' ]; then
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+
+fi
+if [ $1 == 'stop' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+fi
+if [ $1 == 'restart' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+ sleep 5
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+fi
+exit 0
+</screen>
+</example>
+
+ <variablelist>
+ <varlistentry><term>nmbd</term>
+ <listitem><para>
+ <indexterm><primary>smbd</primary></indexterm>
+ <indexterm><primary>starting samba</primary><secondary>smbd</secondary></indexterm>
+ This daemon handles all name registration and resolution requests. It is the primary vehicle involved
+ in network browsing. It handles all UDP-based protocols. The <command>nmbd</command> daemon should
+ be the first command started as part of the Samba startup process.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry><term>smbd</term>
+ <listitem><para>
+ <indexterm><primary>nmbd</primary></indexterm>
+ <indexterm><primary>starting samba</primary><secondary>nmbd</secondary></indexterm>
+ This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
+ manages local authentication. It should be started immediately following the startup of <command>nmbd</command>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry><term>winbindd</term>
+ <listitem><para>
+ <indexterm><primary>winbindd</primary></indexterm>
+ <indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
+ This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when
+ Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
+ &smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
+ parameters. If they are not found, <command>winbindd</command> bails out and refuses to start.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
+ integration into the platform as a whole. Please refer to your operating system platform administration manuals for
+ specific information pertaining to correct management of Samba startup.
+ </para>
+
+<example id="ch12RHscript">
+<screen>
+#!/bin/sh
+#
+# chkconfig: 345 81 35
+# description: Starts and stops the Samba smbd and nmbd daemons \
+# used to provide SMB network services.
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+# Source networking configuration.
+. /etc/sysconfig/network
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] &amp;&amp; exit 0
+CONFIG=/etc/samba/smb.conf
+# Check that smb.conf exists.
+[ -f $CONFIG ] || exit 0
+
+# See how we were called.
+case "$1" in
+ start)
+ echo -n "Starting SMB services: "
+ daemon smbd -D; daemon nmbd -D; echo;
+ touch /var/lock/subsys/smb
+ ;;
+ stop)
+ echo -n "Shutting down SMB services: "
+ smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
+ for pid in $smbdpids; do
+ kill -TERM $pid
+ done
+ killproc nmbd -TERM; rm -f /var/lock/subsys/smb
+ echo ""
+ ;;
+ status)
+ status smbd; status nmbd;
+ ;;
+ restart)
+ echo -n "Restarting SMB services: "
+ $0 stop; $0 start;
+ echo "done."
+ ;;
+ *)
+ echo "Usage: smb {start|stop|restart|status}"
+ exit 1
+esac
+</screen>
+</example>
+
+ <para><indexterm>
+ <primary>samba control script</primary>
+ </indexterm>
+ SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently
+ executed from the command line is shown in <link linkend="ch12SL"/>. This can be located in the directory
+ <filename>/sbin</filename> in a file called <filename>samba</filename>. This type of control script should be
+ owned by user root and group root, and set so that only root can execute it.
+ </para>
+
+ <para><indexterm>
+ <primary>startup script</primary>
+ </indexterm>
+ A sample startup script for a Red Hat Linux system is shown in <link linkend="ch12RHscript"/>.
+ This file could be located in the directory <filename>/etc/rc.d</filename> and can be called
+ <filename>samba</filename>. A similar startup script is required to control <command>winbind</command>.
+ If you want to find more information regarding startup scripts please refer to the packaging section of
+ the Samba source code distribution tarball. The packaging files for each platform include a
+ startup control file.
+ </para>
+
+</sect1>
+
+<sect1>
+ <title>DNS Configuration Files</title>
+
+ <para>
+ The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
+ are presented here for general reference.
+ </para>
+
+ <sect2>
+ <title>The Forward Zone File for the Loopback Adaptor</title>
+
+ <para>
+ The forward zone file for the loopback address never changes. An example file is shown
+ in <link linkend="loopback"/>. All traffic destined for an IP address that is hosted on a
+ physical interface on the machine itself is routed to the loopback adaptor. This is
+ a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
+ is called <constant>localhost</constant>.
+ </para>
+
+<example id="loopback">
+<title>DNS Localhost Forward Zone File: <filename>/var/lib/named/localhost.zone</filename></title>
+<screen>
+$TTL 1W
+@ IN SOA @ root (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS @
+ IN A 127.0.0.1
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2>
+ <title>The Reverse Zone File for the Loopback Adaptor</title>
+
+ <para>
+ The reverse zone file for the loopback address as shown in <link linkend="dnsloopy"/>
+ is necessary so that references to the address <constant>127.0.0.1</constant> can be
+ resolved to the correct name of the interface.
+ </para>
+
+<example id="dnsloopy">
+<title>DNS Localhost Reverse Zone File: <filename>/var/lib/named/127.0.0.zone</filename></title>
+<screen>
+$TTL 1W
+@ IN SOA localhost. root.localhost. (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS localhost.
+1 IN PTR localhost.
+</screen>
+</example>
+
+<example id="roothint">
+<title>DNS Root Name Server Hint File: <filename>/var/lib/named/root.hint</filename></title>
+<screen>
+; This file is made available by InterNIC under anonymous FTP as
+; file /domain/named.root
+; on server FTP.INTERNIC.NET
+; last update: Nov 5, 2002. Related version of root zone: 2002110501
+; formerly NS.INTERNIC.NET
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+; formerly NS1.ISI.EDU
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
+; formerly C.PSI.NET
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+; formerly TERP.UMD.EDU
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
+; formerly NS.NASA.GOV
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+; formerly NS.ISC.ORG
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+; formerly NS.NIC.DDN.MIL
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+; formerly AOS.ARL.ARMY.MIL
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+; formerly NIC.NORDU.NET
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+; operated by VeriSign, Inc.
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+; housed in LINX, operated by RIPE NCC
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+; operated by IANA
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
+; housed in Japan, operated by WIDE
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+; End of File
+</screen>
+</example>
+ </sect2>
+
+ <sect2>
+ <title>DNS Root Server Hint File</title>
+
+ <para>
+ The content of the root hints file as shown in <link linkend="roothint"/> changes slowly over time.
+ Periodically this file should be updated from the source shown. Because
+ of its size this file is located at the end of this appendix.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="altldapcfg">
+ <title>Alternative LDAP Database Initialization</title>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ <secondary>database</secondary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>initial configuration</secondary>
+ </indexterm>
+ The following procedure may be used as an alternative means of configuring
+ the initial LDAP database. Many administrators prefer to have greater control
+ over how system files get configured.
+ </para>
+
+ <sect2>
+ <title>Initialization of the LDAP Database</title>
+
+ <para><indexterm>
+ <primary>LDIF</primary>
+ </indexterm><indexterm>
+ <primary>Domain Groups</primary>
+ <secondary>well-known</secondary>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm>
+ The first step to get the LDAP server ready for action is to create the LDIF file from
+ which the LDAP database will be preloaded. This is necessary to create the containers
+ into which the user, group, and so on, accounts is written. It is also necessary to
+ preload the well-known Windows NT Domain Groups, as they must have the correct SID so
+ that they can be recognized as special NT Groups by the MS Windows clients.
+ </para>
+
+ <procedure id="ldapinit">
+ <step><para>
+ Create a directory in which to store the files you use to generate
+ the LDAP LDIF file for your system. Execute the following:
+<screen>
+&rootprompt; mkdir /etc/openldap/SambaInit
+&rootprompt; chown root.root /etc/openldap/SambaInit
+&rootprompt; chmod 700 /etc/openldap/SambaInit
+</screen>
+ </para></step>
+
+ <step><para>
+ Install the files shown in <link linkend="ch6-ldapreconfa"/>, <link linkend="ch6-ldapreconfb"/>,
+ and <link linkend="ch6-ldapreconfc"/> into the directory
+ <filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
+ respectively, Part A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
+ </para></step>
+
+ <step><para>
+ Install the files shown in <link linkend="ch6-ldifpata"/> and <link linkend="ch6-ldifpatb"/> into the directory
+ <filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> These two files are
+ Part A and B, respectively, of the <filename>init-ldif.pat</filename> file.
+ </para></step>
+
+ <step><para>
+ Change to the <filename>/etc/openldap/SambaInit</filename> directory. Execute the following:
+<screen>
+&rootprompt; ./SMBLDAP-ldif-preconfig.sh
+
+How do you wish to refer to your organization?
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+How would you like your organization name to appear?
+Your organization name is: My Organization
+Enter a new name is this is not what you want, press Enter to Continue.
+Name [My Organization]: Abmas Inc.
+
+Samba Config File Location [/etc/samba/smb.conf]:
+Enter a new full path or press Enter to continue.
+Samba Config File Location [/etc/samba/smb.conf]:
+Domain Name: MEGANET2
+Domain SID: S-1-5-21-3504140859-1010554828-2431957765
+
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+Found the following domain name: abmas.biz
+I think the bit we are looking for might be: abmas
+Enter the domain name or press Enter to continue:
+
+The top level organization name I will use is: biz
+Enter the top level org name or press Enter to continue:
+&rootprompt;
+</screen>
+ This creates a file called <filename>MEGANET2.ldif</filename>.
+ </para></step>
+
+ <step><para>
+ It is now time to preload the LDAP database with the following
+ command:
+<screen>
+&rootprompt; slapadd -v -l MEGANET2.ldif
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=Manager,dc=abmas,dc=biz" (00000002)
+added: "ou=People,dc=abmas,dc=biz" (00000003)
+added: "ou=Computers,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Domains,dc=abmas,dc=biz" (00000006)
+added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
+added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
+added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
+</screen>
+ You should verify that the account information was correctly loaded by executing:
+<screen>
+&rootprompt; slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+structuralObjectClass: organization
+entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x0001#0#0000
+...
+
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+structuralObjectClass: posixGroup
+entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x000a#0#0000
+</screen>
+ </para></step>
+
+ <step><para>
+ Your LDAP database is ready for testing. You can now start the LDAP server
+ using the system tool for your Linux operating system. For SUSE Linux, you can
+ do this as follows:
+<screen>
+&rootprompt; rcldap start
+</screen>
+ </para></step>
+
+ <step><para>
+ It is now a good idea to validate that the LDAP server is running correctly.
+ Execute the following:
+<screen>
+&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+...
+# domusers, Groups, abmas.biz
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 11
+# numEntries: 10
+</screen>
+ Your LDAP server is ready for creation of additional accounts.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+<example id="ch6-ldapreconfa">
+<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part A</title>
+<screen>
+#!/bin/bash
+#
+# This script prepares the ldif LDAP load file only
+#
+
+# Pattern File Name
+file=init-ldif.pat
+
+# The name of my organization
+ORGNAME="My Organization"
+
+# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
+INETDOMAIN="my-domain"
+
+# In the above case, md domain is: buckets.org, TLDORG="org"
+TLDORG="org"
+
+# This is the Samba Domain/Workgroup Name
+DOMNAME="MYWORKGROUP"
+
+#
+# Here We Go ...
+#
+
+cat &gt;&gt;EOF
+
+How do you wish to refer to your organization?
+
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+
+How would you like your organization name to appear?
+
+EOF
+
+echo "Your organization name is: $ORGNAME"
+echo
+echo "Enter a new name or, press Enter to Continue."
+echo
+</screen>
+</example>
+
+<example id="ch6-ldapreconfb">
+<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part B</title>
+<screen>
+echo -e -n "Name [$ORGNAME]: "
+ read name
+
+if [ ! -z "$name" ]; then
+ ORGNAME=${name}
+fi
+echo
+sed "s/ORGNAME/${ORGNAME}/g" &lt; $file &gt; $file.tmp1
+
+# Try to find smb.conf
+
+if [ -e /usr/local/samba/lib/smb.conf ]; then
+ CONF=/usr/local/samba/lib/smb.conf
+elif [ -e /etc/samba/smb.conf ]; then
+ CONF=/etc/samba/smb.conf
+fi
+
+echo "Samba Config File Location [$CONF]: "
+echo
+echo "Enter a new full path or press Enter to continue."
+echo
+echo -n "Samba Config File Location [$CONF]: "
+ read name
+if [ ! -z "$name" ]; then
+ CONF=$name
+fi
+echo
+
+# Find the name of our Domain/Workgroup
+DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
+echo Domain Name: $DOMNAME
+echo
+
+sed "s/DOMNAME/${DOMNAME}/g" &lt; $file.tmp1 &gt; $file.tmp2
+
+DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
+echo Domain SID: $DOMSID
+
+sed "s/DOMSID/${DOMSID}/g" &lt; $file.tmp2 &gt; $file.tmp1
+</screen>
+</example>
+
+<example id="ch6-ldapreconfc">
+<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part C</title>
+<screen>
+cat &gt;&gt;EOL
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+EOL
+INETDOMAIN=`hostname -d | cut -f1 -d.`
+echo Found the following domain name: `hostname -d`
+echo "I think the bit we are looking for might be: $INETDOMAIN"
+echo
+echo -n "Enter the domain name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ INETDOMAIN=$domnam
+fi
+echo
+sed "s/INETDOMAIN/${INETDOMAIN}/g" &lt; $file.tmp1 &gt; $file.tmp2
+TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
+echo "The top level organization name I will use is: ${TLDORG}"
+echo
+echo -n "Enter the top level org name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ TLDORG=$domnam
+fi
+sed "s/TLDORG/${TLDORG}/g" &lt; $file.tmp2 &gt; $DOMNAME.ldif
+rm $file.tmp*
+exit 0
+</screen>
+</example>
+
+<example id="ch6-ldifpata">
+<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part A</title>
+<screen>
+dn: dc=INETDOMAIN,dc=TLDORG
+objectClass: dcObject
+objectClass: organization
+dc: INETDOMAIN
+o: ORGNAME
+description: Posix and Samba LDAP Identity Database
+structuralObjectClass: organization
+
+dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+structuralObjectClass: organizationalRole
+
+dn: ou=People,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+structuralObjectClass: organizationalUnit
+
+dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Computers
+structuralObjectClass: organizationalUnit
+
+dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+structuralObjectClass: organizationalUnit
+
+dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Idmap
+structuralObjectClass: organizationalUnit
+
+dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: sambaDomain
+sambaDomainName: DOMNAME
+sambaSID: DOMSID
+sambaAlgorithmicRidBase: 1000
+structuralObjectClass: sambaDomain
+</screen>
+</example>
+
+<example id="ch6-ldifpatb">
+<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part B</title>
+<screen>
+dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 512
+cn: domadmins
+sambaSID: DOMSID-512
+sambaGroupType: 2
+displayName: Domain Admins
+description: Domain Administrators
+structuralObjectClass: posixGroup
+
+dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 514
+cn: domguests
+sambaSID: DOMSID-514
+sambaGroupType: 2
+displayName: Domain Guests
+description: Domain Guests Users
+structuralObjectClass: posixGroup
+
+dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: DOMSID-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+structuralObjectClass: posixGroup
+</screen>
+</example>
+
+</sect1>
+
+<sect1>
+<title>The LDAP Account Manager</title>
+
+ <para><indexterm>
+ <primary>LAM</primary>
+ </indexterm><indexterm>
+ <primary>LDAP Account Manager</primary>
+ <see>LAM</see>
+ </indexterm><indexterm>
+ <primary>PHP</primary>
+ </indexterm><indexterm>
+ <primary>unencrypted</primary>
+ </indexterm><indexterm>
+ <primary>SSL</primary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm><indexterm>
+ <primary>accounts</primary><secondary>manage</secondary>
+ </indexterm>
+The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
+LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
+server either using unencrypted connections or via SSL. LAM can be used to manage
+Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
+(hosts).
+</para>
+
+<para>
+LAM is available from the <ulink url="http://sourceforge.net/projects/lam/">LAM</ulink>
+home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
+The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
+in 2004.
+</para>
+
+ <para><indexterm>
+ <primary>PHP4</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm><indexterm>
+ <primary>Perl</primary>
+ </indexterm>
+Requirements:
+</para>
+
+<itemizedlist>
+ <listitem><para>A web server that will work with PHP4.</para></listitem>
+ <listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">
+ PHP</ulink> home page.)</para></listitem>
+ <listitem><para>OpenLDAP 2.0 or later.</para></listitem>
+ <listitem><para>A Web browser that supports CSS.</para></listitem>
+ <listitem><para>Perl.</para></listitem>
+ <listitem><para>The gettext package.</para></listitem>
+ <listitem><para>mcrypt + mhash (optional since version 0.4.3).</para></listitem>
+ <listitem><para>It is also a good idea to install SSL support.</para></listitem>
+</itemizedlist>
+
+<para>
+LAM is a useful tool that provides a simple Web-based device that can be used to
+ manage the contents of the LDAP directory to:<indexterm>
+ <primary>organizational units</primary>
+ </indexterm><indexterm>
+ <primary>operating profiles</primary>
+ </indexterm><indexterm>
+ <primary>account policies</primary>
+ </indexterm>
+</para>
+
+<itemizedlist>
+ <listitem><para>Display user/group/host and Domain entries.</para></listitem>
+ <listitem><para>Manages entries (Add/Delete/Edit).</para></listitem>
+ <listitem><para>Filter and sort entries.</para></listitem>
+ <listitem><para>Set LAM administrator accounts.</para></listitem>
+ <listitem><para>Store and use multiple operating profiles.</para></listitem>
+ <listitem><para>Edit organizational units (OUs).</para></listitem>
+ <listitem><para>Upload accounts from a file.</para></listitem>
+ <listitem><para></para>Is compatible with Samba-2.2.x and Samba-3.</listitem>
+</itemizedlist>
+
+<para>
+When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
+user, group, and windows domain member machine accounts.
+</para>
+
+ <para><indexterm>
+ <primary>default password</primary>
+ </indexterm><indexterm>
+ <primary>secure connections</primary>
+ </indexterm><indexterm>
+ <primary>LAM</primary>
+ </indexterm><indexterm>
+ <primary>SSL</primary>
+ </indexterm>
+The default password is <quote>lam.</quote> It is highly recommended that you use only
+an SSL connection to your Web server for all remote operations involving LAM. If you
+want secure connections, you must configure your Apache Web server to permit connections
+to LAM using only SSL.
+</para>
+
+<procedure id="ch6-laminst">
+ <step><para>
+ Extract the LAM package with:
+<screen>
+&rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz
+</screen>
+Alternately, install the LAM RPM for your system using the following example for
+example:
+<screen>
+&rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm
+</screen>
+ </para></step>
+
+ <step><para>
+ Copy the extracted files to the document root directory of your Web server.
+ For example, on SuSE Linux Enterprise Server 8, copy to the
+ <filename>/srv/web/htdocs</filename> directory.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>file permissions</primary>
+ </indexterm>
+ Set file permissions using the following commands:
+<screen>
+&rootprompt; chown -R wwwrun.www /srv/www/htdocs/lam
+&rootprompt; chmod 755 /srv/www/htdocs/lam/sess
+&rootprompt; chmod 755 /srv/www/htdocs/lam/tmp
+&rootprompt; chmod 755 /srv/www/htdocs/lam/config
+&rootprompt; chmod 755 /srv/www/htdocs/lam/lib/*pl
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>LAM</primary>
+ <secondary>configuration file</secondary>
+ </indexterm>
+ Using your favorite editor create the following <filename>config.cfg</filename>
+ LAM configuration file:
+<screen>
+&rootprompt; cd /srv/www/htdocs/lam/config
+&rootprompt; cp config.cfg_sample config.cfg
+&rootprompt; vi config.cfg
+ </screen><indexterm>
+ <primary>LAM</primary>
+ <secondary>profile</secondary>
+ </indexterm><indexterm>
+ <primary>LAM</primary>
+ <secondary>wizard</secondary>
+ </indexterm>
+ An example file is shown in <link linkend="lamcfg"/>.
+ This is the minimum configuration that must be completed. The LAM profile
+ file can be created using a convenient wizard that is part of the LAM
+ configuration suite.
+ </para></step>
+
+ <step><para>
+ Start your Web server then, using your Web browser, connect to
+ <ulink url="http://localhost/lam">LAM</ulink> URL. Click on the
+ the <parameter>Configuration Login</parameter> link then click on the
+ Configuration Wizard link to begin creation of the default profile so that
+ LAM can connect to your LDAP server. Alternately, copy the
+ <filename>lam.conf_sample</filename> file to a file called
+ <filename>lam.conf</filename> then, using your favorite editor,
+ change the settings to match local site needs.
+ </para></step>
+</procedure>
+
+ <para><indexterm>
+ <primary>pitfalls</primary>
+ </indexterm>
+ An example of a working file is shown here in <link linkend="lamconf"/>.
+ This file has been stripped of comments to keep the size small. The comments
+ and help information provided in the profile file that the wizard creates
+ is very useful and will help many administrators to avoid pitfalls.
+ Your configuration file obviously reflects the configuration options that
+ are preferred at your site.
+ </para>
+
+ <para><indexterm>
+ <primary>LAM</primary>
+ <secondary>login screen</secondary>
+ </indexterm>
+ It is important that your LDAP server is running at the time that LAM is
+ being configured. This permits you to validate correct operation.
+ An example of the LAM login screen is provided in <link linkend="lam-login"/>.
+ </para>
+
+ <image id="lam-login">
+ <description>The LDAP Account Manager Login Screen</description>
+ <imagefile scale="50">lam-login.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>LAM</primary>
+ <secondary>configuration editor</secondary>
+ </indexterm>
+ The LAM configuration editor has a number of options that must be managed correctly.
+ An example of use of the LAM configuration editor is shown in <link linkend="lam-config"/>.
+ It is important that you correctly set the minimum and maximum UID/GID values that are
+ permitted for use at your site. The default values may not be compatible with a need to
+ modify initial default account values for well-known Windows network users and groups.
+ The best work-around is to temporarily set the minimum values to zero (0) to permit
+ the initial settings to be made. Do not forget to reset these to sensible values before
+ using LAM to add additional users and groups.
+ </para>
+
+ <image id="lam-config">
+ <description>The LDAP Account Manager Configuration Screen</description>
+ <imagefile scale="50">lam-config.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>PDF</primary>
+ </indexterm>
+ LAM has some nice, but unusual features. For example, one unexpected feature in most application
+ screens permits the generation of a PDF file that lists configuration information. This is a well
+ thought out facility. This option has been edited out of the following screen shots to conserve
+ space.
+ </para>
+
+ <para><indexterm>
+ <primary>LAM</primary>
+ <secondary>opening screen</secondary>
+ </indexterm>
+ When you log onto LAM the opening screen drops you right into the user manager as shown in
+ <link linkend="lam-user"/>. This is a logical action as it permits the most-needed facility
+ to be used immediately. The editing of an existing user, as with the addition of a new user,
+ is easy to follow and very clear in both layout and intent. It is a simple matter to edit
+ generic settings, UNIX specific parameters, and then Samba account requirements. Each step
+ involves clicking a button that intuitively drives you through the process. When you have
+ finished editing simply press the <guimenu>Final</guimenu> button.
+ </para>
+
+ <image id="lam-user">
+ <description>The LDAP Account Manager User Edit Screen</description>
+ <imagefile scale="50">lam-users.png</imagefile>
+ </image>
+
+ <para>
+ The edit screen for groups is shown in <link linkend="lam-group"/>. As with the edit screen
+ for user accounts, group accounts may be rapidly dealt with. <link linkend="lam-group-mem"/>
+ shown a sub-screen from the group editor that permits users to be assigned secondary group
+ memberships.
+ </para>
+
+ <image id="lam-group">
+ <description>The LDAP Account Manager Group Edit Screen</description>
+ <imagefile scale="50">lam-groups.png</imagefile>
+ </image>
+
+ <image id="lam-group-mem">
+ <description>The LDAP Account Manager Group Membership Edit Screen</description>
+ <imagefile scale="50">lam-group-members.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>smbldap-tools</primary>
+ </indexterm><indexterm>
+ <primary>scripts</primary>
+ </indexterm>
+ The final screen presented here is one that you should not normally need to use. Host accounts will
+ be automatically managed using the smbldap-tools scripts. This means that the screen <link linkend="lam-host"/>
+ will, in most cases, not be used.
+ </para>
+
+ <image id="lam-host">
+ <description>The LDAP Account Manager Host Edit Screen</description>
+ <imagefile scale="50">lam-hosts.png</imagefile>
+ </image>
+
+ <para>
+ One aspect of LAM that may annoy some users is the way it forces certain conventions on
+ the administrator. For example, LAM does not permit the creation of Windows user and group
+ accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux
+ operating system may exhibit no problems with them. Given the propensity for using upper-case
+ characters and spaces (particularly in the default Windows account names) this may cause
+ some annoyance. For the rest, LAM is a very useful administrative tool.
+ </para>
+
+<example id="lamcfg">
+<title>Example LAM Configuration File &smbmdash; <filename>config.cfg</filename></title>
+<screen>
+# password to add/delete/rename configuration profiles
+password: not24get
+
+# default profile, without ".conf"
+default: lam
+</screen>
+</example>
+
+<example id="lamconf">
+<title>LAM Profile Control File &smbmdash; <filename>lam.conf</filename></title>
+<screen>
+ServerURL: ldap://massive.abmas.org:389
+Admins: cn=Manager,dc=abmas,dc=biz
+Passwd: not24get
+usersuffix: ou=People,dc=abmas,dc=biz
+groupsuffix: ou=Groups,dc=abmas,dc=biz
+hostsuffix: ou=Computers,dc=abmas,dc=biz
+domainsuffix: ou=Domains,dc=abmas,dc=biz
+MinUID: 0
+MaxUID: 65535
+MinGID: 0
+MaxGID: 65535
+MinMachine: 20000
+MaxMachine: 25000
+userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
+grouplistAttributes: #cn;#gidNumber;#memberUID;#description
+hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
+maxlistentries: 30
+defaultLanguage: en_GB:ISO-8859-1:English (Britain)
+scriptPath:
+scriptServer:
+samba3: yes
+cachetimeout: 5
+pwdhash: SSHA
+</screen>
+</example>
+
+</sect1>
+
+<sect1 id="ch12-SUIDSGID">
+ <title>Effect of Setting File and Directory SUID/SGID Permissions Explained</title>
+
+ <indexterm><primary>SUID</primary></indexterm>
+ <indexterm><primary>SGID</primary></indexterm>
+ <para>
+ The setting of the SUID/SGID bits on the file or directory permissions flag has particular
+ consequences. If the file is executable and the SUID bit is set, it executes with the privilege
+ of (with the UID of) the owner of the file. For example, if you are logged onto a system as
+ a normal user (let's say as the user <constant>bobj</constant>), and you execute a file that is owned
+ by the user <constant>root</constant> (uid = 0), and the file has the SUID bit set, then the file is
+ executed as if you had logged in as the user <constant>root</constant> and then executed the file.
+ The SUID bit effectively gives you (as <constant>bobj</constant>) administrative privilege for the
+ use of that executable file.
+ </para>
+
+ <para>
+ The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it
+ applies the privilege to the UNIX group setting. In other words, the file executes with the force
+ of capability of the group.
+ </para>
+
+ <para>
+ When the SUID/SGID permissions are set on a directory, all files that are created within that directory
+ is automatically given the ownership of the SUID user and the SGID group, as per the ownership
+ of the directory in which the file is created. This means that the system level <command>create()</command>
+ function executes with the SUID user and/or SGID group of the directory in which the file is
+ created.
+ </para>
+
+ <para>
+ If you want to obtain the SUID behavior, simply execute the following command:
+<screen>
+&rootprompt; chmod u+s file-or-directory
+</screen>
+ To set the SGID properties on a file or a directory, execute this command:
+<screen>
+&rootprompt; chmod g+s file-or-directory
+</screen>
+ And to set both SUID and SGID properties, execute the following:
+<screen>
+&rootprompt; chmod ug+s file-or-directory
+</screen>
+ </para>
+
+ <para>
+ Let's consider the example of a directory <filename>/data/accounts</filename>. The permissions on this
+ directory before setting both SUID and SGID on this directory are:
+<screen>
+&rootprompt; ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</screen>
+ In this example, if the user <constant>maryv</constant> creates a file, it would be owned by her.
+ If <constant>maryv</constant> has the primary group of <constant>Accounts</constant>, the file is
+ owned by the group <constant>Accounts</constant> as shown in this listing:
+<screen>
+&rootprompt; ls -al /data/accounts/maryvfile.txt
+drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
+</screen>
+ </para>
+
+ <para>
+ Now you set the SUID and SGID and check the result as follows:
+<screen>
+&rootprompt; chmod ug+s /data/accounts
+&rootprompt; ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</screen>
+ If <constant>maryv</constant> creates a file in this directory after this change has been made, the
+ file is owned by the user <constant>bobj</constant>, and the group is set to the group
+ <constant>Domain Users</constant> as shown here:
+<screen>
+&rootprompt; chmod ug+s /data/accounts
+&rootprompt; ls -al /data/accounts/maryvfile.txt
+total 1
+drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
+</screen>
+ </para>
+
+</sect1>
+
+<sect1 id="ch12dblck">
+ <title>Shared Data Integrity</title>
+
+ <para><indexterm>
+ <primary>data integrity</primary>
+ </indexterm><indexterm>
+ <primary>multi-user</primary>
+ <secondary>data access</secondary>
+ </indexterm>
+ The integrity of shared data is often viewed as a particularly emotional issue, especially where
+ there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
+ experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
+ </para>
+
+ <para>
+ The solution to concurrent multi-user data access problems must consider three separate areas
+ from which the problem may stem:<indexterm>
+ <primary>locking</primary>
+ <secondary>Application level</secondary>
+ </indexterm><indexterm>
+ <primary>locking</primary>
+ <secondary>Client side</secondary>
+ </indexterm><indexterm>
+ <primary>locking</primary>
+ <secondary>Server side</secondary>
+ </indexterm>
+ </para>
+
+ <itemizedlist>
+ <listitem><para>application level locking controls.</para></listitem>
+ <listitem><para>client side locking controls.</para></listitem>
+ <listitem><para>server side locking controls.</para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>database applications</primary>
+ </indexterm><indexterm>
+ <primary>Microsoft Access</primary>
+ </indexterm>
+ Many database applications use some form of application-level access control. An example of one
+ well-known application that uses application-level locking is Microsoft Access. Detailed guidance
+ is provided given that this is the most common application for which problems have been reported.
+ </para>
+
+ <para><indexterm>
+ <primary>Microsoft Excel</primary>
+ </indexterm><indexterm>
+ <primary>Act!</primary>
+ </indexterm>
+ Common applications that are affected by client- and server-side locking controls include MS
+ Excel and Act!. Important locking guidance is provided here.
+ </para>
+
+
+ <sect2>
+ <title>Microsoft Access</title>
+
+ <para>
+ The best advice that can be given is to carefully read the Microsoft knowledge base articles that
+ cover this area. Examples of relevant documents includes:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</para></listitem>
+ <listitem><para>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</para></listitem>
+ </itemizedlist>
+
+
+ <para><indexterm>
+ <primary>multi-user</primary>
+ <secondary>access</secondary>
+ </indexterm><indexterm>
+ <primary>exclusive open</primary>
+ </indexterm>
+ Make sure that your MS Access database file is configured for multi-user access (not set for
+ exclusive open). Open MS Access on each client workstation then set the following: <menuchoice>
+ <guimenu>(Menu bar) Tools</guimenu><guimenu>Options</guimenu><guimenu>[tab] General</guimenu>
+ </menuchoice>. Set network path to Default database folder: <filename>\\server\share\folder</filename>.
+ </para>
+
+ <para>
+ You can configure MS Access file sharing behavior as follows: click <guimenu>[tab] Advanced</guimenu>.
+ Set:<indexterm>
+ <primary>record locking</primary>
+ </indexterm>
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Default open mode: Shared</para></listitem>
+ <listitem><para>Default Record Locking: Edited Record</para></listitem>
+ <listitem><para>Open databases using record_level locking</para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>MS Access</primary>
+ <secondary>validate</secondary>
+ </indexterm>
+ You must now commit the changes so that they will take effect. To do so, click
+ <guimenu>Apply</guimenu><guimenu>Ok</guimenu>. At this point, you should exit MS Access, restart
+ it and then validate that these settings have not changed.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Act! Database Sharing</title>
+
+ <para><indexterm>
+ <primary>ACT! database</primary>
+ </indexterm><indexterm>
+ <primary>data corruption</primary>
+ </indexterm>
+ Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
+ must disable opportunistic locking on the server and all workstations. Failure to do so
+ results in data corruption. This information is available from the Act! Web site
+ knowledge-base articles
+ <ulink url="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925">1998223162925</ulink>
+ as well as from article
+ <ulink url="http://itdomino.saleslogix.com/act.nsf/docid/200110485036">200110485036</ulink>.
+ </para>
+
+ <para><indexterm>
+ <primary>opportunistic locking</primary>
+ </indexterm><indexterm>
+ <primary>Act!Diag</primary>
+ </indexterm>
+ These documents clearly state that opportunistic locking must be disabled on both
+ the server (Samba in the case we are interested in here), as well as on every workstation
+ from which the centrally shared Act! database will be accessed. Act! provides
+ a tool called <command>Act!Diag</command> that may be used to disable all workstation
+ registry settings that may otherwise interfere with the operation of Act!
+ Registered Act! users may download this utility from the Act! Web
+ <ulink url="http://www.act.com/support/updates/index.cfm">site.</ulink>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Opportunistic Locking Controls</title>
+
+ <para><indexterm>
+ <primary>file cacheing</primary>
+ </indexterm>
+ Third-party Windows applications may not be compatible with the use of opportunistic file
+ and record locking. For applications that are known not to be compatible,<footnote>Refer to
+ the application manufacturers' installation guidelines and knowledge base for specific
+ information regarding compatibility. It is often safe to assume that if the software
+ manufacturer does not specifically mention incompatibilities with opportunistic file
+ and record locking, or with Windows client file cacheing, the application is probably
+ compatible with Windows (as well as Samba) default settings.</footnote> oplock
+ support may need to be disabled both on the Samba server and on the Windows workstations.
+ </para>
+
+ <para><indexterm>
+ <primary>cache</primary>
+ </indexterm><indexterm>
+ <primary>write lock</primary>
+ </indexterm><indexterm>
+ <primary>flush</primary>
+ <secondary>cache memory</secondary>
+ </indexterm>
+ Oplocks enable a Windows client to cache parts of a file that are being
+ edited. Another windows client may then request to open the file with the
+ ability to write to it. The server will then ask the original workstation
+ that had the file open with a write lock to release it's lock. Before
+ doing so, that workstation must flush the file from cache memory to the
+ disk or network drive.
+ </para>
+
+ <para><indexterm>
+ <primary>Oplocks</primary>
+ <secondary>disabled</secondary>
+ </indexterm>
+ Disabling of Oplocks usage may require server and client changes.
+ Oplocks may be disabled by file, by file pattern, on the share, or on the
+ samba server.
+ </para>
+
+ <para>
+ The following are examples showing how Oplock support may be managed using
+ Samba &smb.conf; file settings:
+<screen>
+By file: veto oplock files = myfile.mdb
+
+By Pattern: veto oplock files = /*.mdb/
+
+On the Share: oplocks = No
+ level2 oplocks = No
+
+On the server:
+(in [global]) oplocks = No
+ level2 oplocks = No
+</screen>
+ </para>
+
+ <para>
+ The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4
+ workstation clients must be configured as shown here:
+<screen>
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanServer\Parameters]
+ "EnableOplocks"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanWorkstation\Parameters]
+ "UseOpportunisticLocking"=dword:00000000
+</screen>
+ </para>
+
+ <para>
+ Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
+ The information provided in that chapter was obtained from a wide variety of sources.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+</appendix>
+
diff --git a/docs/Samba-Guide/acknowledgements.xml b/docs/Samba-Guide/acknowledgements.xml
new file mode 100644
index 0000000000..24944fac25
--- /dev/null
+++ b/docs/Samba-Guide/acknowledgements.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<preface lang="en-US">
+<title>Acknowledgments</title>
+
+ <para>
+ <emphasis>Samba-3 by Example</emphasis> would not have been written except
+ as a result of feedback provided by reviewers of the book <emphasis>The
+ Official Samba-3 HOWTO and Reference Guide.</emphasis> I hope this book
+ more than answers the challenge and fills the void that was brought to
+ my attention.
+ </para>
+
+ <para>
+ I am deeply indebted to a large group of diligent people. Space prevents
+ me from listing all of them, but a few stand out as worthy of mention.
+ Jelmer Vernooij made the notable contribution of building the XML production
+ environment and thereby made possible the typesetting of this book.
+ </para>
+
+ <para>
+ Samba would not have come into existence if Andrew Tridgell had not taken
+ the first steps. He continues to lead the project. Under the shadow of his
+ mantle are some great guys who never give up and are always ready to help.
+ Thank you to: Jeremy Allison, Jerry Carter, Andrew Bartlett, Jelmer Vernooij,
+ Alexander Bokovoy, Volker Lendecke, and other team members who answered my
+ continuous stream of questions &smbmdash; all of which resulted in improved content
+ in this book.
+ </para>
+
+ <para>
+ My heartfelt thanks go out also to a small set of reviewers (alphabetically
+ listed) who gave substantial feedback and significant suggestions for improvement:
+ Roland Gruber, Luke Howard, Jon Johnston, Alan Munter, Tarjei Huse, Mike MacIsaac,
+ Scott Mann, Ed Riddle, Santos Soler, Mark Taylor, and Jérôme Tournier.
+ </para>
+
+ <para>
+ My appreciation is extended to a team of over 30 additional reviewers who
+ helped me to find my way around dark corners.
+ </para>
+
+ <para>
+ Particular mention is due to Lyndell, Amos and Melissa who gave me the
+ latitude necessary to spend nearly a entire year writing Samba documentation.
+ </para>
+
+</preface>
diff --git a/docs/Samba-Guide/conventions.xml b/docs/Samba-Guide/conventions.xml
new file mode 100644
index 0000000000..5b069b113a
--- /dev/null
+++ b/docs/Samba-Guide/conventions.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+ <sect1>
+ <title>Conventions Used</title>
+
+ <para>
+ The following notation conventions are used throughout this book:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ TOSHARG is used as an abbreviation for the book, <quote>The Official Samba-3
+ HOWTO and Reference Guide,</quote> Editors: John H. Terpstra and Jelmer R. Vernooij,
+ Publisher: Prentice Hall, ISBN: 0131453556.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Directories and filenames appear in mono-font. For example,
+ <filename>/etc/pam.conf</filename>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Executable names are bolded. For example, <command>smbd</command>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Menu items and buttons appear in bold. For example, click <guibutton>Next</guibutton>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Selecting a menu item is indicated as:
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Control Panel</guimenuitem>
+ <guimenuitem>Administrative Tools</guimenuitem>
+ <guimenuitem>Active Directory Users and Computers</guimenuitem>
+ </menuchoice>
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ </sect1>
+
diff --git a/docs/Samba-Guide/foreword.xml b/docs/Samba-Guide/foreword.xml
new file mode 100644
index 0000000000..402f181ac8
--- /dev/null
+++ b/docs/Samba-Guide/foreword.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<preface lang="en-US">
+<title>Foreword</title>
+
+<sect1><title>By Dan Kusnetzky, IDC</title>
+<blockquote>
+<attribution>
+Dan Kusnetzky, Vice President System Software Research, International Data Corporation
+</attribution>
+
+<para>
+IDC's software research group has been conducting research on the market for software,
+including operating environments, for over twenty years. In 1994, the system software
+research team started to field questions from its subscribers on Linux. We had very
+little empirical data to offer when these queries first were heard, so IDC added Linux
+to its operating environment research agenda. The first demand and supply side research
+containing IDC's findings on Linux started to appear in early 1995.
+</para>
+
+<para>
+IDC has watched as Linux marched from being software for computer hobbyists to being
+a mainstream choice in many markets worldwide. This march is very similar to the adoption
+cycle UNIX experienced in the 1970s and 1980s. Windows repeated this pattern of adoption
+during the 1980s and 1990s. IDC has long projected that Linux would be a mainstream
+choice in nearly all markets by the end of 2005. The software is well down that path
+now and just might beat IDC's projections.
+</para>
+
+<para>
+As of the end of 2002, Linux was the number three desktop or client operating environment,
+responsible for nearly 3% of the worldwide shipments of client operating environment
+software. Linux was the number two server operating environment, responsible for nearly
+25% of the worldwide shipments of server operating environment software. This is an amazing
+level of growth from its rather humble beginnings of holding less than 1% share of either
+client or server operating environment market when IDC first started publishing its findings
+on Linux.
+</para>
+
+<para>
+IDC's demand-side studies have indicated that Linux is most often utilized as a platform
+for basic infrastructure services, such as supporting access to shared files and printers
+or supporting basic networking functions. IDC's most recent survey, conducted in late 2003,
+indicated that supporting file and print services was the most common use of Linux. Samba
+and NFS are the most commonly mentioned approaches to offering file and print services on
+Linux.
+</para>
+
+<para>
+Nearly all of IDC's operating environment studies have shown that Linux is being added
+into organizational networks that already include Windows, UNIX, and mainframe operating
+environments. This, of course, means that interoperability with these operating environments
+is a crucial success factor for Linux.
+</para>
+
+<para>
+All of this leads to the book in hand, <emphasis>Samba-3 By Example</emphasis>, by John H. Terpstra, It addresses
+the most commonly heard questions about bringing Linux and Samba into a Windows or UNIX
+focused environment. Namely, organizations voice concerns about staff having sufficient
+levels of expertise to facilitate development, administration, operations and support activities
+around the adoption of Linux and Samba. I expect <emphasis>Samba-3</emphasis> by Example will be of enormous help
+to Windows or UNIX administrators hoping to gain a level of comfort and familiarity with both
+Linux and Samba.
+</para>
+
+<para>
+Samba is a mature open source software product that is well established as a leading Windows
+file and print technology in use on large-scale UNIX systems. Its stability and scalability
+appears to be well respected. This book demonstrates easy approaches to implementing Samba-3
+no matter whether your network is large or small. It is a book that would make a fine addition
+to the network administrators' library!
+</para>
+</blockquote>
+
+</sect1>
+
+<sect1>
+<title>By Andrew Tridgell, Samba Team</title>
+
+<blockquote><attribution>
+Andrew Tridgell, President, Samba Team
+</attribution>
+
+<para>
+I've always been the sort of computer user that learns best by
+example. Seeing a complete example matching a real-world use of a
+piece of software gives me an understanding of that software far
+better than reading detailed manuals. If, like me, you are the sort of
+computer user that learns best by example then this book is for you.
+</para>
+
+<para>
+I was also delighted to see the use of ethereal to illustrate the
+network protocols used by Samba. Ethereal has developed into a very
+sophisticated network analysis tool, and familiarity with using
+ethereal is a very useful skill for any system administrator.
+</para>
+
+<para>
+Enjoy this book, and make the most of Samba!
+</para>
+</blockquote>
+
+</sect1>
+
+</preface>
diff --git a/docs/Samba-Guide/front-matter.xml b/docs/Samba-Guide/front-matter.xml
new file mode 100644
index 0000000000..17cf92914a
--- /dev/null
+++ b/docs/Samba-Guide/front-matter.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<preface lang="en-US">
+<title>Front Matter</title>
+
+ <para>
+ Just a place holder.
+ </para>
+
+</preface>
diff --git a/docs/Samba-Guide/glossary.xml b/docs/Samba-Guide/glossary.xml
new file mode 100644
index 0000000000..9ee3063b13
--- /dev/null
+++ b/docs/Samba-Guide/glossary.xml
@@ -0,0 +1,270 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<glossary>
+ <title>Glossary</title>
+
+ <glossentry>
+ <glossterm>Access Control List</glossterm>
+ <acronym>ACL</acronym>
+ <glossdef><para>
+ A detailed list of permissions granted to users or groups with respect to file and network
+ resource access.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Active Directory Service</glossterm>
+ <acronym>ADS</acronym>
+ <glossdef><para>
+ A service unique to Microsoft Windows 200x servers that provides a centrally managed
+ directory for management of user identities and computer objects, as well as the
+ permissions each user or computer may be granted to access distributed network resources.
+ ADS uses Kerberos-based authentication and LDAP over Kerberos for directory access.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Common Internet File System</glossterm>
+ <acronym>CIFS</acronym>
+ <glossdef><para>
+ The new name for SMB. Microsoft renamed the SMB protocol to CIFS during
+ the Internet hype in the 1990s. At about the time that the SMB protocol was renamed
+ to CIFS, an additional dialect of the SMB protocol was in development. The need for the
+ deployment of the NetBIOS layer was also removed, thus paving the way for use of the SMB
+ protocol natively over TCP/IP (known as NetBIOS-less SMB or <quote>naked</quote> TCP
+ transport).
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Common UNIX Printing System</glossterm>
+ <acronym>CUPS</acronym>
+ <glossdef><para>
+ A recent implementation of a high-capability printing system for UNIX developed by
+ <ulink url="http://www.easysw.com/">Easy Software Inc.</ulink> The design objective
+ of CUPS was to provide a rich print processing system that has built-in intelligence
+ that is capable of correctly rendering (processing) a file that is submitted for
+ printing even if it was formatted for an entirely different printer.
+ </para>
+ </glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Domain Master Browser</glossterm>
+ <acronym>DMB</acronym>
+ <glossdef><para>
+ The Domain Master Browser maintains a list of all the servers that
+ have announced their services within a given workgroup or NT domain.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Domain Name Service</glossterm>
+ <acronym>DNS</acronym>
+ <glossdef><para>
+ A protocol by which computer hostnames may be resolved to the matching IP address/es.
+ DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version
+ of DNS that allows dynamic name registration by network clients or by a DHCP server.
+ This recent protocol is known as Dynamic DNS (DDNS).
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Dynamic Host Configuration Protocol</glossterm>
+ <acronym>DHCP</acronym>
+ <glossdef><para>
+ A protocol that was based on the BOOTP protocol that may be used to dynamically assign
+ an IP address, from a reserved pool of addresses, to a network client or device.
+ Additionally, DHCP may assign all network configuration settings and may be used to
+ register a computer name and its address with a Dynamic DNS server.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Ethereal</glossterm>
+ <acronym>ethereal</acronym>
+ <glossdef><para>
+ A network analyzer, also known as: a network sniffer or a protocol analyzer. Ethereal is
+ freely available for UNIX/Linux and Microsoft Windows systems from
+ <ulink url="http://www.ethereal.com">the Ethereal Web site.</ulink>
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Group IDentifier</glossterm>
+ <acronym>GID</acronym>
+ <glossdef><para>
+ The UNIX system Group Identifier; on older systems, a 32-bit unsigned integer, and on
+ newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems
+ for all group level access control.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Key Distribution Center</glossterm>
+ <acronym>KDC</acronym>
+ <glossdef><para>
+ The Kerberos authentication protocol makes use of security keys (also called a ticket)
+ by which access to network resources is controlled. The issuing of Kerberos tickets
+ is effected by a KDC.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Light Weight Directory Access Protocol</glossterm>
+ <acronym>LDAP</acronym>
+ <glossdef>
+ <para>
+ The Light Weight Directory Access Protocol is a technology that
+ originated from the development of X.500 protocol specifications and
+ implementations. LDAP was designed as a means of rapidly searching
+ through X.500 information. Later LDAP was adapted as an engine that
+ could drive its own directory database. LDAP is not a database per
+ se; rather it is a technology that enables high volume search and
+ locate activity from clients that wish to obtain simply defined
+ information about a sub-set of records that are stored in a
+ database. LDAP does not have a particularly efficient mechanism for
+ storing records in the database, and it has no concept of transaction
+ processing nor of mechanisms for preserving data consistency. LDAP is
+ premised around the notion that the search and read activity far
+ outweigh any need to add, delete, or modify records. LDAP does
+ provide a means for replication of the database so as to keep slave
+ servers up to date with a master. It also has built-in capability to
+ handle external references and deferral.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Local Master Browser</glossterm>
+ <acronym>LMB</acronym>
+ <glossdef><para>
+ The Local Master Browser maintains a list of all servers that have announced themselves
+ within a given workgroup or NT domain on a particular broadcast isolated subnet.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Media Access Control</glossterm>
+ <acronym>MAC</acronym>
+ <glossdef><para>
+ The hard-coded address of the physical layer device that is attached to the network.
+ All network interface controllers must have a hard-coded and unique MAC address. The
+ MAC address is 48 bits long.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>NetBIOS Extended User Interface</glossterm>
+ <acronym>NetBEUI</acronym>
+ <glossdef><para>
+ Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS
+ over ethernet with low overhead. NetBEUI is a non-routable protocol.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Network Address Translation</glossterm>
+ <acronym>NAT</acronym>
+ <glossdef><para>
+ Network address translation is a form of IP address masquerading. It ensures that internal
+ private (RFC1918) network addresses from packets inside the network are rewritten so
+ that TCP/IP packets that leave the server over a public connection are seen to come only
+ from the external network address.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Network Basic Input/Output System</glossterm>
+ <acronym>NetBIOS</acronym>
+ <glossdef><para>
+ NetBIOS is a simple application programming interface (API) invented in the 1980s
+ that allows programs to send data to certain network names. NetBIOS is always run over
+ another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC).
+ NetBIOS run over LLC is best known as NetBEUI (The NetBIOS Extended User Interface
+ &smbmdash; a complete misnomer!).
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>NetBT</glossterm>
+ <acronym>NBT</acronym>
+ <glossdef><para>
+ Protocol for transporting NetBIOS frames over TCP/IP. Uses ports 137, 138, and 139.
+ NetBT is a fully routable protocol.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>NT/LanManager Security Support Provider</glossterm>
+ <acronym>NTLMSSP</acronym>
+ <glossdef><para>
+ The NTLM Security Support Provider (NTLMSSP) service in Windows NT4/200x/XP is responsible for
+ handling all NTLM authentication requests. It is the front end for protocols such as SPNEGO,
+ Schannel, and other technologies. The generic protocol family supported by NTLMSSP is known as
+ GSSAPI, the Generic Security Service Application Program Interface specified in RFC2078.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Server Message Block</glossterm>
+ <acronym>SMB</acronym>
+ <glossdef><para>
+ SMB was the original name of the protocol spoken by Samba. It was invented in the 1980s
+ by IBM and adopted and extended further by Microsoft. Microsoft renamed the protocol to
+ CIFS during the Internet hype in the 1990s.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>The Simple and Protected GSS-API Negotiation</glossterm>
+ <acronym>SPNEGO</acronym>
+ <glossdef><para>
+ The purpose of SPNEGO is to allow a client and server to negotiate a security mechanism for
+ authentication. The protocol is specified in RFC2478 and uses tokens as built via ASN.1 DER.
+ DER refers to Distinguished Encoding Rules. These are a set of common rules for creating
+ binary encodings in a platform-independent manner. Samba has support for SPNEGO.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>The Official Samba-3 HOWTO and Reference Guide</glossterm>
+ <acronym>TOSHARG</acronym>
+ <glossdef><para>
+ This book makes repeated reference to <quote>The Official Samba-3 HOWTO and Reference Guide</quote>
+ by John H. Terpstra (Author) and Jelmer R. Vernooij (Author). This publication is available from
+ Amazon.com. Publisher: Prentice Hall PTR (October 2003),
+ ISBN: 0131453556.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>User IDentifier</glossterm>
+ <acronym>UID</acronym>
+ <glossdef><para>
+ The UNIX system User Identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
+ an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user level access
+ control.
+ </para></glossdef>
+ </glossentry>
+
+ <glossentry>
+ <glossterm>Universal Naming Convention</glossterm>
+ <acronym>UNC</acronym>
+ <glossdef><para>A syntax for specifying the location of network resources (such as file shares).
+ The UNC syntax was developed in the early days of MS DOS 3.x and is used internally by the SMB protocol.
+ </para></glossdef>
+ </glossentry>
+
+</glossary>
diff --git a/docs/Samba-Guide/gpl.xml b/docs/Samba-Guide/gpl.xml
new file mode 100644
index 0000000000..4d0b778031
--- /dev/null
+++ b/docs/Samba-Guide/gpl.xml
@@ -0,0 +1,423 @@
+<appendix>
+ <appendixinfo>
+ <title>GNU General Public License</title>
+ <pubdate>Version 2, June 1991</pubdate>
+ <copyright>
+ <year>1989, 1991</year>
+ <holder>Free Software Foundation, Inc.</holder>
+ </copyright>
+ <legalnotice>
+ <para>
+ <address>Free Software Foundation, Inc.
+ <street>59 Temple Place, Suite 330</street>,
+ <city>Boston</city>,
+ <state>MA</state>
+ <postcode>02111-1307</postcode>
+ <country>USA</country>
+ </address>.
+ </para>
+ <para> Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+ </para>
+ </legalnotice>
+ <releaseinfo> Version 2, June 1991</releaseinfo>
+ </appendixinfo>
+ <title>GNU General Public License</title>
+ <sect1>
+ <title>Preamble</title>
+ <para> The licenses for most software are designed to take away your
+ freedom to share and change it. By contrast, the GNU General Public License is
+ intended to guarantee your freedom to share and change
+ free software - to make sure the software is free for all its users.
+ This General Public License applies to most of the Free Software
+ Foundation's software and to any other program whose authors commit
+ to using it. (Some other Free Software Foundation software is covered
+ by the GNU Library General Public License instead.) You can apply it
+ to your programs, too.
+ </para>
+ <para> When we speak of free software, we are referring to freedom, not price.
+ Our General Public Licenses are designed to make sure that you have the
+ freedom to distribute copies of free software (and charge for this
+ service if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new free
+ programs; and that you know you can do these things.
+ </para>
+ <para> To protect your rights, we need to make restrictions that forbid anyone
+ to deny you these rights or to ask you to surrender the rights. These
+ restrictions translate to certain responsibilities for you if you distribute
+ copies of the software, or if you modify it.
+ </para>
+ <para> For example, if you distribute copies of such a program, whether gratis or
+ for a fee, you must give the recipients all the rights that you have. You
+ must make sure that they, too, receive or can get the source code. And you
+ must show them these terms so they know their rights.
+ </para>
+ <para> We protect your rights with two steps:
+ <orderedlist>
+ <listitem>
+ <para> copyright the software, and
+ </para>
+ </listitem>
+ <listitem>
+ <para> offer you this license which gives you legal permission to copy,
+ distribute and/or modify the software.
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
+ <para> Also, for each author's protection and ours, we want to make certain that
+ everyone understands that there is no warranty for this free software. If
+ the software is modified by someone else and passed on, we want its
+ recipients to know that what they have is not the original, so that any
+ problems introduced by others will not reflect on the original authors'
+ reputations.
+ </para>
+ <para> Finally, any free program is threatened constantly by software patents.
+ We wish to avoid the danger that redistributors of a free program will
+ individually obtain patent licenses, in effect making the program
+ proprietary. To prevent this, we have made it clear that any patent must be
+ licensed for everyone's free use or not licensed at all.
+ </para>
+ <para> The precise terms and conditions for copying, distribution and modification
+ follow.
+ </para>
+ </sect1>
+ <sect1>
+ <title>TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</title>
+ <sect2>
+ <title>Section 0</title>
+ <para> This License applies to any program or other work which contains a notice
+ placed by the copyright holder saying it may be distributed under the terms
+ of this General Public License. The "Program", below, refers to any such
+ program or work, and a
+ <quote>work based on the Program
+ </quote> means either
+ the Program or any derivative work under copyright law: that is to say, a
+ work containing the Program or a portion of it, either verbatim or with
+ modifications and/or translated into another language. (Hereinafter, translation
+ is included without limitation in the term
+ <quote>modification
+ </quote>.) Each licensee is addressed as <quote>you</quote>.
+ </para>
+ <para> Activities other than copying, distribution and modification are not covered by
+ this License; they are outside its scope. The act of running the Program is not
+ restricted, and the output from the Program is covered only if its contents
+ constitute a work based on the Program (independent of having been made by running
+ the Program). Whether that is true depends on what the Program does.
+ </para>
+ </sect2>
+ <sect2 id="sect1">
+ <title>Section 1</title>
+ <para> You may copy and distribute verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and appropriately
+ publish on each copy an appropriate copyright notice and disclaimer of warranty;
+ keep intact all the notices that refer to this License and to the absence of any
+ warranty; and give any other recipients of the Program a copy of this License
+ along with the Program.
+ </para>
+ <para> You may charge a fee for the physical act of transferring a copy, and you may at
+ your option offer warranty protection in exchange for a fee.
+ </para>
+ </sect2>
+ <sect2 id="sect2">
+ <title>Section 2</title>
+ <para> You may modify your copy or copies of the Program or any portion of it, thus
+ forming a work based on the Program, and copy and distribute such modifications
+ or work under the terms of
+ <link linkend="sect1">Section 1
+ </link> above, provided
+ that you also meet all of these conditions:
+ <orderedlist>
+ <listitem>
+ <para> You must cause the modified files to carry prominent notices stating that
+ you changed the files and the date of any change.
+ </para>
+ </listitem>
+ <listitem>
+ <para> You must cause any work that you distribute or publish, that in whole or
+ in part contains or is derived from the Program or any part thereof, to be
+ licensed as a whole at no charge to all third parties under the terms of
+ this License.
+ </para>
+ </listitem>
+ <listitem>
+ <para> If the modified program normally reads commands interactively when run, you
+ must cause it, when started running for such interactive use in the most
+ ordinary way, to print or display an announcement including an appropriate
+ copyright notice and a notice that there is no warranty (or else, saying
+ that you provide a warranty) and that users may redistribute the program
+ under these conditions, and telling the user how to view a copy of this
+ License.
+ <note>
+ <title>Exception:
+ </title>
+ <para> If the Program itself is interactive but does not normally print such an
+ announcement, your work based on the Program is not required to print an
+ announcement.)
+ </para>
+ </note>
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
+ <para> These requirements apply to the modified work as a whole. If identifiable sections
+ of that work are not derived from the Program, and can be reasonably considered
+ independent and separate works in themselves, then this License, and its terms,
+ do not apply to those sections when you distribute them as separate works. But when
+ you distribute the same sections as part of a whole which is a work based on the
+ Program, the distribution of the whole must be on the terms of this License, whose
+ permissions for other licensees extend to the entire whole, and thus to each and
+ every part regardless of who wrote it.
+ </para>
+ <para> Thus, it is not the intent of this section to claim rights or contest your rights
+ to work written entirely by you; rather, the intent is to exercise the right to control
+ the distribution of derivative or collective works based on the Program.
+ </para>
+ <para> In addition, mere aggregation of another work not based on the Program with the Program
+ (or with a work based on the Program) on a volume of a storage or distribution medium
+ does not bring the other work under the scope of this License.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 3
+ </title>
+ <para> You may copy and distribute the Program (or a work based on it, under
+ <link linkend="sect2">Section 2
+ </link> in object code or executable form under the terms of
+ <link linkend="sect1">Sections 1
+ </link> and
+ <link linkend="sect2">2
+ </link> above provided that you also do one of the following:
+ <orderedlist>
+ <listitem>
+ <para> Accompany it with the complete corresponding machine-readable source code, which
+ must be distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+ </para>
+ </listitem>
+ <listitem>
+ <para> Accompany it with a written offer, valid for at least three years, to give any
+ third party, for a charge no more than your cost of physically performing source
+ distribution, a complete machine-readable copy of the corresponding source code,
+ to be distributed under the terms of Sections 1 and 2 above on a medium customarily
+ used for software interchange; or,
+ </para>
+ </listitem>
+ <listitem>
+ <para> Accompany it with the information you received as to the offer to distribute
+ corresponding source code. (This alternative is allowed only for noncommercial
+ distribution and only if you received the program in object code or executable form
+ with such an offer, in accord with Subsection b above.)
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
+ <para> The source code for a work means the preferred form of the work for making modifications
+ to it. For an executable work, complete source code means all the source code for all modules
+ it contains, plus any associated interface definition files, plus the scripts used to control
+ compilation and installation of the executable. However, as a special exception, the source
+ code distributed need not include anything that is normally distributed (in either source or
+ binary form) with the major components (compiler, kernel, and so on) of the operating system
+ on which the executable runs, unless that component itself accompanies the executable.
+ </para>
+ <para> If distribution of executable or object code is made by offering access to copy from a
+ designated place, then offering equivalent access to copy the source code from the same place
+ counts as distribution of the source code, even though third parties are not compelled to
+ copy the source along with the object code.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 4
+ </title>
+ <para> You may not copy, modify, sublicense, or distribute the Program except as expressly provided
+ under this License. Any attempt otherwise to copy, modify, sublicense or distribute the
+ Program is void, and will automatically terminate your rights under this License. However,
+ parties who have received copies, or rights, from you under this License will not have their
+ licenses terminated so long as such parties remain in full compliance.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 5
+ </title>
+ <para> You are not required to accept this License, since you have not signed it. However, nothing
+ else grants you permission to modify or distribute the Program or its derivative works.
+ These actions are prohibited by law if you do not accept this License. Therefore, by modifying
+ or distributing the Program (or any work based on the Program), you indicate your acceptance
+ of this License to do so, and all its terms and conditions for copying, distributing or
+ modifying the Program or works based on it.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 6
+ </title>
+ <para> Each time you redistribute the Program (or any work based on the Program), the recipient
+ automatically receives a license from the original licensor to copy, distribute or modify
+ the Program subject to these terms and conditions. You may not impose any further restrictions
+ on the recipients' exercise of the rights granted herein. You are not responsible for enforcing
+ compliance by third parties to this License.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 7
+ </title>
+ <para> If, as a consequence of a court judgment or allegation of patent infringement or for any other
+ reason (not limited to patent issues), conditions are imposed on you (whether by court order,
+ agreement or otherwise) that contradict the conditions of this License, they do not excuse you
+ from the conditions of this License. If you cannot distribute so as to satisfy simultaneously
+ your obligations under this License and any other pertinent obligations, then as a consequence
+ you may not distribute the Program at all. For example, if a patent license would not permit
+ royalty-free redistribution of the Program by all those who receive copies directly or
+ indirectly through you, then the only way you could satisfy both it and this License would be
+ to refrain entirely from distribution of the Program.
+ </para>
+ <para> If any portion of this section is held invalid or unenforceable under any particular circumstance,
+ the balance of the section is intended to apply and the section as a whole is intended to apply
+ in other circumstances.
+ </para>
+ <para> It is not the purpose of this section to induce you to infringe any patents or other property
+ right claims or to contest validity of any such claims; this section has the sole purpose of
+ protecting the integrity of the free software distribution system, which is implemented by public
+ license practices. Many people have made generous contributions to the wide range of software
+ distributed through that system in reliance on consistent application of that system; it is up
+ to the author/donor to decide if he or she is willing to distribute software through any other
+ system and a licensee cannot impose that choice.
+ </para>
+ <para> This section is intended to make thoroughly clear what is believed to be a consequence of the
+ rest of this License.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 8
+ </title>
+ <para> If the distribution and/or use of the Program is restricted in certain countries either by patents
+ or by copyrighted interfaces, the original copyright holder who places the Program under this License
+ may add an explicit geographical distribution limitation excluding those countries, so that
+ distribution is permitted only in or among countries not thus excluded. In such case, this License
+ incorporates the limitation as if written in the body of this License.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 9
+ </title>
+ <para> The Free Software Foundation may publish revised and/or new versions of the General Public License
+ from time to time. Such new versions will be similar in spirit to the present version, but may differ
+ in detail to address new problems or concerns.
+ </para>
+ <para> Each version is given a distinguishing version number. If the Program specifies a version number of
+ this License which applies to it and "any later version", you have the option of following the terms
+ and conditions either of that version or of any later version published by the Free Software
+ Foundation. If the Program does not specify a version number of this License, you may choose any
+ version ever published by the Free Software Foundation.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 10
+ </title>
+ <para> If you wish to incorporate parts of the Program into other free programs whose distribution
+ conditions are different, write to the author to ask for permission. For software which is copyrighted
+ by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
+ for this. Our decision will be guided by the two goals of preserving the free status of all
+ derivatives of our free software and of promoting the sharing and reuse of software generally.
+ </para>
+ </sect2>
+ <sect2>
+<title>NO WARRANTY Section 11
+ </title>
+ <para> BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
+ PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+ OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Section 12
+ </title>
+ <para> IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR
+ ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
+ FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
+ INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH
+ ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+ DAMAGES.
+ </para>
+ <para>END OF TERMS AND CONDITIONS
+ </para>
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>How to Apply These Terms to Your New Programs
+ </title>
+ <para>
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
+ </para>
+ <para>
+ To do so, attach the following notices to the program. It is safest
+ to attach them to the start of each source file to most effectively
+ convey the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
+ </para>
+ <para>
+ &lt;one line to give the program's name and a brief idea of what it does.&gt;
+ Copyright (C) &lt;year&gt; &lt;name of author&gt;
+ </para>
+ <para>
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ </para>
+ <para>
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ </para>
+ <para>
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ </para>
+ <para>
+ Also add information on how to contact you by electronic and paper mail.
+ </para>
+ <para>
+ If the program is interactive, make it output a short notice like this
+ when it starts in an interactive mode:
+ </para>
+ <para>
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+ </para>
+ <para>
+ The hypothetical commands `show w' and `show c' should show the appropriate
+ parts of the General Public License. Of course, the commands you use may
+ be called something other than `show w' and `show c'; they could even be
+ mouse-clicks or menu items--whatever suits your program.
+ </para>
+ <para>
+ You should also get your employer (if you work as a programmer) or your
+ school, if any, to sign a "copyright disclaimer" for the program, if
+ necessary. Here is a sample; alter the names:
+ </para>
+ <para>
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+ </para>
+ <para>
+ &lt;signature of Ty Coon&gt;, 1 April 1989
+ Ty Coon, President of Vice
+ </para>
+ <para>
+ This General Public License does not permit incorporating your program into
+ proprietary programs. If your program is a subroutine library, you may
+ consider it more useful to permit linking proprietary applications with the
+ library. If this is what you want to do, use the GNU Library General
+ Public License instead of this License.
+ </para>
+ </sect1>
+ </appendix>
diff --git a/docs/Samba-Guide/images/AccountingNetwork.dia b/docs/Samba-Guide/images/AccountingNetwork.dia
new file mode 100644
index 0000000000..3484dbad75
--- /dev/null
+++ b/docs/Samba-Guide/images/AccountingNetwork.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/AccountingNetwork.png b/docs/Samba-Guide/images/AccountingNetwork.png
new file mode 100644
index 0000000000..8b1222721d
--- /dev/null
+++ b/docs/Samba-Guide/images/AccountingNetwork.png
Binary files differ
diff --git a/docs/Samba-Guide/images/Charity-Network.dia b/docs/Samba-Guide/images/Charity-Network.dia
new file mode 100644
index 0000000000..ab9c7f5834
--- /dev/null
+++ b/docs/Samba-Guide/images/Charity-Network.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/Charity-Network.png b/docs/Samba-Guide/images/Charity-Network.png
new file mode 100644
index 0000000000..eeb06cc729
--- /dev/null
+++ b/docs/Samba-Guide/images/Charity-Network.png
Binary files differ
diff --git a/docs/Samba-Guide/images/Domain-WorkgroupAnnouncement.png b/docs/Samba-Guide/images/Domain-WorkgroupAnnouncement.png
new file mode 100644
index 0000000000..e65882b2ce
--- /dev/null
+++ b/docs/Samba-Guide/images/Domain-WorkgroupAnnouncement.png
Binary files differ
diff --git a/docs/Samba-Guide/images/HostAnnouncment.png b/docs/Samba-Guide/images/HostAnnouncment.png
new file mode 100644
index 0000000000..56f9fb8576
--- /dev/null
+++ b/docs/Samba-Guide/images/HostAnnouncment.png
Binary files differ
diff --git a/docs/Samba-Guide/images/LocalMasterAnnouncement.png b/docs/Samba-Guide/images/LocalMasterAnnouncement.png
new file mode 100644
index 0000000000..8b22bc35c5
--- /dev/null
+++ b/docs/Samba-Guide/images/LocalMasterAnnouncement.png
Binary files differ
diff --git a/docs/Samba-Guide/images/NullConnect.png b/docs/Samba-Guide/images/NullConnect.png
new file mode 100644
index 0000000000..5320fc6db1
--- /dev/null
+++ b/docs/Samba-Guide/images/NullConnect.png
Binary files differ
diff --git a/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.dia b/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.dia
new file mode 100644
index 0000000000..dfd30fc022
--- /dev/null
+++ b/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.png b/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.png
new file mode 100644
index 0000000000..3dfe36a2af
--- /dev/null
+++ b/docs/Samba-Guide/images/UNIX-Samba-and-LDAP.png
Binary files differ
diff --git a/docs/Samba-Guide/images/UserConnect.png b/docs/Samba-Guide/images/UserConnect.png
new file mode 100644
index 0000000000..0b9acce15e
--- /dev/null
+++ b/docs/Samba-Guide/images/UserConnect.png
Binary files differ
diff --git a/docs/Samba-Guide/images/UserMgrNT4.png b/docs/Samba-Guide/images/UserMgrNT4.png
new file mode 100644
index 0000000000..a69615c1da
--- /dev/null
+++ b/docs/Samba-Guide/images/UserMgrNT4.png
Binary files differ
diff --git a/docs/Samba-Guide/images/WINREPRESSME-Capture.png b/docs/Samba-Guide/images/WINREPRESSME-Capture.png
new file mode 100644
index 0000000000..3b6dc3ae56
--- /dev/null
+++ b/docs/Samba-Guide/images/WINREPRESSME-Capture.png
Binary files differ
diff --git a/docs/Samba-Guide/images/WINREPRESSME-Capture2.png b/docs/Samba-Guide/images/WINREPRESSME-Capture2.png
new file mode 100644
index 0000000000..b9b82c2287
--- /dev/null
+++ b/docs/Samba-Guide/images/WINREPRESSME-Capture2.png
Binary files differ
diff --git a/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-ProtocolStats.png b/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-ProtocolStats.png
new file mode 100644
index 0000000000..6e23d1632a
--- /dev/null
+++ b/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-ProtocolStats.png
Binary files differ
diff --git a/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-TraceStats.png b/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-TraceStats.png
new file mode 100644
index 0000000000..f5fd738475
--- /dev/null
+++ b/docs/Samba-Guide/images/Windows-ME-WINEPRESSME-Startup-30min-TraceStats.png
Binary files differ
diff --git a/docs/Samba-Guide/images/WindowsXP-NullConnection.png b/docs/Samba-Guide/images/WindowsXP-NullConnection.png
new file mode 100644
index 0000000000..76d1ac2c9a
--- /dev/null
+++ b/docs/Samba-Guide/images/WindowsXP-NullConnection.png
Binary files differ
diff --git a/docs/Samba-Guide/images/WindowsXP-UserConnection.png b/docs/Samba-Guide/images/WindowsXP-UserConnection.png
new file mode 100644
index 0000000000..d60fefc659
--- /dev/null
+++ b/docs/Samba-Guide/images/WindowsXP-UserConnection.png
Binary files differ
diff --git a/docs/Samba-Guide/images/XP-screen001.png b/docs/Samba-Guide/images/XP-screen001.png
new file mode 100644
index 0000000000..6f0fe58e78
--- /dev/null
+++ b/docs/Samba-Guide/images/XP-screen001.png
Binary files differ
diff --git a/docs/Samba-Guide/images/acct2net.dia b/docs/Samba-Guide/images/acct2net.dia
new file mode 100644
index 0000000000..ca1716254b
--- /dev/null
+++ b/docs/Samba-Guide/images/acct2net.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/acct2net.png b/docs/Samba-Guide/images/acct2net.png
new file mode 100644
index 0000000000..7290dfa827
--- /dev/null
+++ b/docs/Samba-Guide/images/acct2net.png
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.dia b/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.dia
new file mode 100644
index 0000000000..e6464b9a13
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.png b/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.png
new file mode 100644
index 0000000000..b8272d2b58
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-dual-additive-LDAP-Ok.png
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-dual-additive-LDAP.dia b/docs/Samba-Guide/images/ch7-dual-additive-LDAP.dia
new file mode 100644
index 0000000000..6e1e4979d6
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-dual-additive-LDAP.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-dual-additive-LDAP.png b/docs/Samba-Guide/images/ch7-dual-additive-LDAP.png
new file mode 100644
index 0000000000..13a05edc94
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-dual-additive-LDAP.png
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-fail-overLDAP.dia b/docs/Samba-Guide/images/ch7-fail-overLDAP.dia
new file mode 100644
index 0000000000..f676e2adfe
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-fail-overLDAP.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-fail-overLDAP.png b/docs/Samba-Guide/images/ch7-fail-overLDAP.png
new file mode 100644
index 0000000000..2f24929c84
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-fail-overLDAP.png
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-singleLDAP.dia b/docs/Samba-Guide/images/ch7-singleLDAP.dia
new file mode 100644
index 0000000000..b03e7d354a
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-singleLDAP.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/ch7-singleLDAP.png b/docs/Samba-Guide/images/ch7-singleLDAP.png
new file mode 100644
index 0000000000..74ab7a49d9
--- /dev/null
+++ b/docs/Samba-Guide/images/ch7-singleLDAP.png
Binary files differ
diff --git a/docs/Samba-Guide/images/ch8-migration.dia b/docs/Samba-Guide/images/ch8-migration.dia
new file mode 100644
index 0000000000..04a513bcf0
--- /dev/null
+++ b/docs/Samba-Guide/images/ch8-migration.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/ch8-migration.png b/docs/Samba-Guide/images/ch8-migration.png
new file mode 100644
index 0000000000..8ac2f506dd
--- /dev/null
+++ b/docs/Samba-Guide/images/ch8-migration.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap4-net.dia b/docs/Samba-Guide/images/chap4-net.dia
new file mode 100644
index 0000000000..e8c56643c7
--- /dev/null
+++ b/docs/Samba-Guide/images/chap4-net.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap4-net.png b/docs/Samba-Guide/images/chap4-net.png
new file mode 100644
index 0000000000..f59c25bddb
--- /dev/null
+++ b/docs/Samba-Guide/images/chap4-net.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap5-net.dia b/docs/Samba-Guide/images/chap5-net.dia
new file mode 100644
index 0000000000..f4f77ea064
--- /dev/null
+++ b/docs/Samba-Guide/images/chap5-net.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap5-net.png b/docs/Samba-Guide/images/chap5-net.png
new file mode 100644
index 0000000000..3af0c9a639
--- /dev/null
+++ b/docs/Samba-Guide/images/chap5-net.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap6-net.dia b/docs/Samba-Guide/images/chap6-net.dia
new file mode 100644
index 0000000000..aa079a4291
--- /dev/null
+++ b/docs/Samba-Guide/images/chap6-net.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap6-net.png b/docs/Samba-Guide/images/chap6-net.png
new file mode 100644
index 0000000000..5e549e3273
--- /dev/null
+++ b/docs/Samba-Guide/images/chap6-net.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-idresol.dia b/docs/Samba-Guide/images/chap7-idresol.dia
new file mode 100644
index 0000000000..349d0588a6
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-idresol.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-idresol.png b/docs/Samba-Guide/images/chap7-idresol.png
new file mode 100644
index 0000000000..7071d9a09d
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-idresol.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net-A.dia b/docs/Samba-Guide/images/chap7-net-A.dia
new file mode 100644
index 0000000000..5286014a83
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net-A.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net-A.png b/docs/Samba-Guide/images/chap7-net-A.png
new file mode 100644
index 0000000000..820217bbfd
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net-A.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net-Ar.png b/docs/Samba-Guide/images/chap7-net-Ar.png
new file mode 100644
index 0000000000..2f4d80f47b
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net-Ar.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net.dia b/docs/Samba-Guide/images/chap7-net.dia
new file mode 100644
index 0000000000..a136874e74
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net.png b/docs/Samba-Guide/images/chap7-net.png
new file mode 100644
index 0000000000..ede12fbef4
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2-B.dia b/docs/Samba-Guide/images/chap7-net2-B.dia
new file mode 100644
index 0000000000..761e41e91a
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2-B.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2-B.png b/docs/Samba-Guide/images/chap7-net2-B.png
new file mode 100644
index 0000000000..0fd9cd4063
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2-B.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2-Br.png b/docs/Samba-Guide/images/chap7-net2-Br.png
new file mode 100644
index 0000000000..a75a47dc5d
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2-Br.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2.dia b/docs/Samba-Guide/images/chap7-net2.dia
new file mode 100644
index 0000000000..653d2b2f69
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2.png b/docs/Samba-Guide/images/chap7-net2.png
new file mode 100644
index 0000000000..7bb570c1b0
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-net2r.png b/docs/Samba-Guide/images/chap7-net2r.png
new file mode 100644
index 0000000000..194fd3c350
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-net2r.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap7-netr.png b/docs/Samba-Guide/images/chap7-netr.png
new file mode 100644
index 0000000000..bbbbbf1cc7
--- /dev/null
+++ b/docs/Samba-Guide/images/chap7-netr.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap9-ADSDC.dia b/docs/Samba-Guide/images/chap9-ADSDC.dia
new file mode 100644
index 0000000000..dd52341d54
--- /dev/null
+++ b/docs/Samba-Guide/images/chap9-ADSDC.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap9-ADSDC.png b/docs/Samba-Guide/images/chap9-ADSDC.png
new file mode 100644
index 0000000000..dc91c3e4c4
--- /dev/null
+++ b/docs/Samba-Guide/images/chap9-ADSDC.png
Binary files differ
diff --git a/docs/Samba-Guide/images/chap9-SambaDC.dia b/docs/Samba-Guide/images/chap9-SambaDC.dia
new file mode 100644
index 0000000000..884a4d134a
--- /dev/null
+++ b/docs/Samba-Guide/images/chap9-SambaDC.dia
Binary files differ
diff --git a/docs/Samba-Guide/images/chap9-SambaDC.png b/docs/Samba-Guide/images/chap9-SambaDC.png
new file mode 100644
index 0000000000..f2cccdaeca
--- /dev/null
+++ b/docs/Samba-Guide/images/chap9-SambaDC.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-config.png b/docs/Samba-Guide/images/lam-config.png
new file mode 100644
index 0000000000..15f989bf37
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-config.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-group-members.png b/docs/Samba-Guide/images/lam-group-members.png
new file mode 100644
index 0000000000..139acb26ba
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-group-members.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-groups.png b/docs/Samba-Guide/images/lam-groups.png
new file mode 100644
index 0000000000..38757e0c4a
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-groups.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-hosts.png b/docs/Samba-Guide/images/lam-hosts.png
new file mode 100644
index 0000000000..a3c29931d6
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-hosts.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-login.png b/docs/Samba-Guide/images/lam-login.png
new file mode 100644
index 0000000000..eb35a49ca6
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-login.png
Binary files differ
diff --git a/docs/Samba-Guide/images/lam-users.png b/docs/Samba-Guide/images/lam-users.png
new file mode 100644
index 0000000000..8254e6d614
--- /dev/null
+++ b/docs/Samba-Guide/images/lam-users.png
Binary files differ
diff --git a/docs/Samba-Guide/images/openmag.png b/docs/Samba-Guide/images/openmag.png
new file mode 100644
index 0000000000..52eca30c35
--- /dev/null
+++ b/docs/Samba-Guide/images/openmag.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp001.png b/docs/Samba-Guide/images/wxpp001.png
new file mode 100644
index 0000000000..2e689a17e2
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp001.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp004.png b/docs/Samba-Guide/images/wxpp004.png
new file mode 100644
index 0000000000..656f67942e
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp004.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp006.png b/docs/Samba-Guide/images/wxpp006.png
new file mode 100644
index 0000000000..a20b3ed583
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp006.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp007.png b/docs/Samba-Guide/images/wxpp007.png
new file mode 100644
index 0000000000..cf41352220
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp007.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp008.png b/docs/Samba-Guide/images/wxpp008.png
new file mode 100644
index 0000000000..9958c7c873
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp008.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp010.png b/docs/Samba-Guide/images/wxpp010.png
new file mode 100644
index 0000000000..068a0dfc73
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp010.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp011.png b/docs/Samba-Guide/images/wxpp011.png
new file mode 100644
index 0000000000..0cf88c04a6
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp011.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp012.png b/docs/Samba-Guide/images/wxpp012.png
new file mode 100644
index 0000000000..d89f3b5d31
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp012.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp013.png b/docs/Samba-Guide/images/wxpp013.png
new file mode 100644
index 0000000000..451240ee38
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp013.png
Binary files differ
diff --git a/docs/Samba-Guide/images/wxpp015.png b/docs/Samba-Guide/images/wxpp015.png
new file mode 100644
index 0000000000..12fe2f31b2
--- /dev/null
+++ b/docs/Samba-Guide/images/wxpp015.png
Binary files differ
diff --git a/docs/Samba-Guide/index.xml b/docs/Samba-Guide/index.xml
new file mode 100644
index 0000000000..1288db26f1
--- /dev/null
+++ b/docs/Samba-Guide/index.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+<book id="S3bE"
+ xmlns:xi="http://www.w3.org/2003/XInclude">
+ <title>Samba-3 by Example</title>
+ <subtitle>Practical Exercises in Successful Samba Deployment</subtitle>
+ <bookinfo>
+ <authorgroup>
+ <author>&person.jht;</author>
+ </authorgroup>
+ <pubdate>February 23, 2004</pubdate>
+ <version>20040220</version>
+ </bookinfo>
+ <?latex \clearpage ?>
+ <para>boo</para>
+ <?latex \clearpage ?>
+ <para>boo</para>
+ <?latex \clearpage ?>
+ <para>boo</para>
+ <xi:include href="inside-cover.xml"/>
+ <xi:include href="acknowledgements.xml"/>
+ <xi:include href="foreword.xml"/>
+ <xi:include href="preface.xml"/>
+ <?latex \cleardoublepage ?>
+ <toc/>
+ <?latex \cleardoublepage ?>
+ <?latex \listofexamples ?>
+ <?latex \cleardoublepage ?>
+ <lot/>
+ <!-- Chapters -->
+ <xi:include href="Chap01-WindowsNetworkingPrimer.xml"/>
+ <xi:include href="Chap02-SimpleOfficeServer.xml"/>
+ <xi:include href="Chap03-TheSmallOffice.xml"/>
+ <xi:include href="Chap04-SecureOfficeServer.xml"/>
+ <xi:include href="Chap05-500UserNetwork.xml"/>
+ <xi:include href="Chap06-MakingHappyUsers.xml"/>
+ <xi:include href="Chap07-2000UserNetwork.xml"/>
+ <xi:include href="Chap08-MigrateNT4Samba3.xml"/>
+ <xi:include href="Chap09-AddingUNIXClients.xml"/>
+ <xi:include href="Chap10-KerberosFastStart.xml"/>
+ <xi:include href="Chap10b-DomainAppsSupport.xml"/>
+ <xi:include href="Chap11-HighAvailability.xml"/>
+ <xi:include href="Chap12-Appendix.xml"/>
+ <?latex \include{gpl}?>
+ <xi:include href="glossary.xml"/>
+ <index/>
+</book>
diff --git a/docs/Samba-Guide/inside-cover.xml b/docs/Samba-Guide/inside-cover.xml
new file mode 100644
index 0000000000..934adf7081
--- /dev/null
+++ b/docs/Samba-Guide/inside-cover.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<preface lang="en-US">
+<title>About the Cover Artwork</title>
+
+ <para>
+ The cover artwork of this book continues a theme chosen for the book,
+ <emphasis>The Official Samba-3 HOWTO and Reference Guide,</emphasis>
+ the cover of which features a Confederate scene. Samba has had a major
+ impact on the network deployment of Microsoft Windows desktop systems.
+ The cover artwork of the two official Samba books tells of events that
+ likewise had a major impact on the future.
+ </para>
+
+ <para>
+ <emphasis>Samba-3 by Example Cover Artwork:</emphasis> King Alfred the Great
+ (born 849, ruled 871-899) was one of the most amazing kings ever to
+ rule England. He defended Anglo-Saxon England from Viking raids, formulated
+ a code of laws, and fostered a rebirth of religious and scholarly activity.
+ His reign exhibits military skill and innovation, sound governance and the
+ ability to inspire men to plan for the future. Alfred liberated England
+ at a time when all resistence seemed futile.
+ </para>
+
+ <para>
+ Samba is a network interoperability solution that provides real choice for network
+ administrators. It is an adjunct to Microsoft Windows networks that provides
+ interoperability of UNIX systems with Microsoft Windows desktop and server systems.
+ You may use Samba to realize the freedom it provides for your network environment
+ thanks to a dedicated team who work behind the scenes to give you a better choice.
+ The efforts of these few dedicated developers continues to shape the future of
+ the Windows interoperability landscape. Enjoy!
+ </para>
+
+</preface>
diff --git a/docs/Samba-Guide/preface.xml b/docs/Samba-Guide/preface.xml
new file mode 100644
index 0000000000..4e847b309a
--- /dev/null
+++ b/docs/Samba-Guide/preface.xml
@@ -0,0 +1,437 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+<preface id="preface">
+ <title>Preface</title>
+
+ <para>
+ Network administrators live busy lives. We face distractions and pressures
+ that drive us to seek proven, working case scenarios that can be easily
+ implemented. Often this approach lands us in trouble. There is a
+ saying that, geometrically speaking, the shortest distance between two
+ points is a straight line, but practically we find that the quickest
+ route to a stable network solution is the long way around.
+ </para>
+
+ <para>
+ This book is your means to the straight path. It provides step-by-step,
+ proven, working examples of Samba deployments. If you want to deploy
+ Samba-3 with the least effort, or if you want to become an expert at deploying
+ Samba-3 without having to search through lots of documentation, this
+ book is the ticket to your destination.
+ </para>
+
+ <para>
+ Samba is software that can be run on a platform other than Microsoft Windows,
+ for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
+ Samba uses the TCP/IP protocol that is installed on the host server. When
+ correctly configured, it allows that host to interact with a Microsoft Windows
+ client or server as if it is a Windows file and print server. This book
+ will help you to implement Windows-compatible file and print services.
+ </para>
+
+ <para>
+ The examples presented in this book are typical of various businesses and
+ reflect the problems and challenges they face. Care has been taken to preserve
+ attitudes, perceptions, practices, and demands from real network case studies.
+ The maximum benefit may be obtained from this book by working carefully through
+ each exercise. You may be in a hurry to satisfy a specific need, so feel
+ free to locate the example that most closely matches your need, copy it, and
+ innovate as much as you like. Above all, enjoy the process of learning the
+ secrets of MS Windows networking that is truly liberated by Samba.
+ </para>
+
+ <para>
+ The focus of attention in this book is Samba-3. Specific notes are made in
+ respect of how Samba may be made secure. This book does not attempt to provide
+ detailed information regarding secure operation and configuration of peripheral
+ services and applications such as OpenLDAP, DNS and DHCP, the need for which
+ can be met from other resources that are dedicated to the subject.
+ </para>
+
+ <sect1>
+ <title>Why Is This Book Necessary?</title>
+
+ <para>
+ This book is the result of observations and feedback. The feedback from
+ the Samba-HOWTO-Collection has been positive and complimentary. There
+ have been requests for far more worked examples, a
+ <quote>Samba Cookbook,</quote> and for training materials to
+ help kick-start the process of mastering Samba.
+ </para>
+
+ <para>
+ The Samba mailing list's users have asked for sample configuration files
+ that work. It is natural to question one's own ability to correctly
+ configure a complex tool such as Samba until a minimum necessary
+ knowledge level has been attained.
+ </para>
+
+ <para>
+ The Samba-HOWTO-Collection, as do <emphasis>The Official Samba-3 HOWTO and
+ Reference Guide</emphasis>, document Samba features and functionality in
+ a topical context. This book takes a completely different approach. It
+ walks through Samba network configurations that are working within particular
+ environmental contexts, providing documented step-by-step implementations.
+ All example case configuration files, scripts, and other tools are provided
+ on the CD-ROM. This book is descriptive, provides detailed diagrams, and
+ makes deployment of Samba-3 a breeze.
+ </para>
+
+ </sect1>
+
+ <sect1>
+ <title>Prerequisites</title>
+
+ <para>
+ This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
+ training is best obtained from books dedicated to the subject. This book
+ assumes that you have at least the basic skill necessary to use these operating
+ systems, and that you can use a basic system editor to edit and configure files.
+ It has been written with the assumption that you have experience with Samba,
+ have read <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> and
+ the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
+ </para>
+
+ <para>
+ If you do not have this experience, you can follow the examples in this book but may
+ find yourself at times intimidated by assumptions made. In this situation, you
+ may need to refer to administrative guides or manuals for your operating system
+ platform to find what is the best method to achieve what the text of this book describes.
+ </para>
+
+ </sect1>
+
+ <sect1>
+ <title>Approach</title>
+
+ <para>
+ The first chapter deals with some rather thorny network analysis issues. Do not be
+ put off by this. The information you glean, even without a detailed understanding
+ of network protocol analysis, can help you understand how Windows networking functions.
+ </para>
+
+ <para>
+ Each following chapter of this book opens with the description of a networking solution
+ sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
+ for an imaginary company, <constant>Abmas Biz NL</constant>. We will use the
+ non-existent domain name <constant>abmas.biz</constant>. All <emphasis>facts</emphasis>
+ presented regarding this company are fictitious and have been drawn from a variety of real
+ business scenarios over many years. Not one of these reveal the identify of the
+ real-world company from which the scenario originated.
+ </para>
+
+ <para>
+ In any case, Mr. Jordan likes to give all his staff nasty little assignments.
+ Stanley Saroka is one of his proteges; Christine Roberson is the network administrator
+ Bob trusts. Jordan is inclined to treat other departments well because they finance
+ Abmas IT operations.
+ </para>
+
+ <para>
+ Each chapter presents a summary of the network solution we have chosen to
+ demonstrate together with a rationale to help you to understand the
+ thought process that drove that solution. The chapter then documents in precise
+ detail all configuration files and steps that must be taken to implement the
+ example solution. Anyone wishing to gain serious value from this book will
+ do well to take note of the implications of points made, so watch out for the
+ <emphasis>this means that</emphasis> notations.
+ </para>
+
+ <para>
+ Each chapter has a set of questions and answers to help you to
+ to understand and digest key attributes of the solutions presented.
+ </para>
+
+ </sect1>
+
+ <sect1>
+ <title>Summary of Topics</title>
+
+ <para>
+ Our first assignment is to understand how Microsoft Windows products
+ function in the network environment. That is where we start. Let's take
+ just a few moments to get a bird's eye view of this book. Remember that
+ this is a book about file and print technology deployment; there are
+ great examples of printing solutions. Here we go.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Chapter 1 &smbmdash; Windows Networking Primer</term><listitem>
+ <para>
+ Here we cover practical exercises to help us to understand how MS Windows
+ network protocols function. A network protocol analyzer helps you to
+ appreciate the fact that Windows networking is highly dependent on broadcast
+ messaging. Additionally, you can look into network packets that a Windows
+ client sends to a network server to set up a network connection. On completion,
+ you should have a basic understanding of how network browsing functions and
+ have seen some of the information a Windows client sends to
+ a file and print server to create a connection over which file and print
+ operations may take place.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 2 &smbmdash; No Frills Samba Servers</term><listitem>
+ <para>
+ Here you design a solution for three different business scenarios, each for a
+ company called Abmas. There are two simple networking problems and one slightly
+ more complex networking challenge. In the first two cases, Abmas has a small
+ simple office, and they want to replace a Windows 9x peer-to-peer network. The
+ third example business uses Windows 2000 Professional. This must be simple,
+ so let's see how far we can get. If successful, Abmas grows quickly and
+ soon needs to replace all servers and workstations.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demands:
+ <itemizedlist>
+ <listitem><para>Case 1: The simplest &smb.conf; file that may
+ reasonably be used. Works with Samba-2.x also. This
+ configuration uses Share Mode security. Encrypted
+ passwords are not used, so there is no
+ <filename>smbpasswd</filename> file.
+ </para></listitem>
+
+ <listitem><para>Case 2: Another simple &smb.conf; file that adds
+ WINS support and printing support. This case deals with
+ a special requirement that demonstrates how to deal with
+ purpose-built software that has a particular requirement
+ for certain share names and printing demands. This
+ configuration uses Share Mode security and also works with
+ Samba-2.x. Encrypted passwords are not used, so there is no
+ <filename>smbpasswd</filename> file.
+ </para></listitem>
+
+ <listitem><para>Case 3: This &smb.conf; configuration uses User Mode
+ security. The file share configuration demonstrates
+ the ability to provide master access to an administrator
+ while restricting all staff to their own work areas.
+ Encrypted passwords are used, so there is an implicit
+ <filename>smbpasswd</filename> file.
+ </para></listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 3 &smbmdash; Small Office Networking</term><listitem>
+ <para>
+ Abmas is a successful company now. They have 50 network users
+ and want a little more varoom from the network. This is a typical
+ small office and they want better systems to help them to grow. This is
+ your chance to really give advanced users a bit more functionality and usefulness.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
+ makes use of encrypted passwords, so there is an <filename>smbpasswd</filename>
+ file. It also demonstrates use of the <parameter>valid users</parameter> and
+ <parameter>valid groups</parameter> to restrict share access. The Windows
+ clients access the server as Domain members. Mobile users log onto
+ the Domain while in the office, but use a local machine account while on the
+ road. The result is an environment that answers mobile computing user needs.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 4 &smbmdash; Secure Office Networking</term><listitem>
+ <para>
+ Abmas is growing rapidly now. Money is a little tight, but with 130
+ network users, security has become a concern. They have many new machines
+ to install and the old equipment will be retired. This time they want the
+ new network to scale and grow for at least two years. Start with a sufficient
+ system and allow room for growth. You are now implementing an Internet
+ connection and have a few reservations about user expectations.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
+ makes use of encrypted passwords, and you can use a <filename>tdbsam</filename>
+ password backend. Domain logons are introduced. Applications are served from the central
+ server. Roaming profiles are mandated. Access to the server is tightened up
+ so that only domain members can access server resources. Mobile computing
+ needs still are catered to.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 5 &smbmdash; The 500 User Office</term><listitem>
+ <para>
+ The two-year projections were met. Congratulations, you are a star.
+ Now Abmas needs to replace the network. Into the existing user base, they
+ need to merge a 280-user company they just acquired. It is time to build a serious
+ network. There are now three buildings on one campus and your assignment is
+ to keep everyone working while a new network is rolled out. Oh, isn't it nice
+ to roll out brand new clients and servers! Money is no longer tight, you get
+ to buy and install what you ask for. You will install routers and a firewall.
+ This is exciting!
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
+ makes use of encrypted passwords, and a <filename>tdbsam</filename>
+ password backend is used. You are not ready to launch into LDAP yet, so you
+ accept the limitation of having one central Domain Controller with a Domain
+ Member server in two buildings on your campus. A number of clever techniques
+ are used to demonstrate some of the smart options built into Samba.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 6 &smbmdash; Making Users Happy</term><listitem>
+ <para>
+ Congratulations again. Abmas is happy with your services and you have been given another raise.
+ Your users are becoming much more capable and are complaining about little
+ things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
+ to log onto the network and it is killing her productivity. Email is a bit <emphasis>
+ unreliable</emphasis> &smbmdash; have you been sleeping on the job? We do not discuss the
+ technology of email but when the use of mail clients breaks because of networking
+ problems, you had better get on top of it. It's time for a change.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
+ makes use of encrypted passwords; a distributed <filename>ldapsam</filename>
+ password backend is used. Roaming profiles are enabled. Desktop profile controls
+ are introduced. Check out the techniques that can improve the user experience
+ of network performance. As a special bonus, this chapter documents how to configure
+ smart downloading of printer drivers for drag-and-drop printing support. And, yes,
+ the secret of configuring CUPS is clearly documented. Go for it; this one will
+ tease you, too.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 7 &smbmdash; A Distributed 2000-User Network</term><listitem>
+ <para>
+ Only eight months have passed, and Abmas has acquired another company. You now need to expand
+ the network further. You have to deal with a network that spans several countries.
+ There are three new networks in addition to the original three buildings at the head-office
+ campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
+ London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
+ and yet it must remain the same. Your team is primed for another roll-out. You know there are
+ further challenges ahead.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; Slave LDAP servers are introduced. Samba is
+ configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
+ technology has been mastered and gets right down to concepts and how to deploy them.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 8 &smbmdash; Migrating NT4 Domain to Samba-3</term><listitem>
+ <para>
+ Another six months have <?latex \linebreak ?>
+ passed. Abmas has acquired yet another company. You will find a
+ way to migrate all users off the old network onto the existing network without loss
+ of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
+ you, may you keep your back to the wind and may the sun shine on your face.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demonstrates the use of
+ the <command>net rpc migrate</command> facility using an LDAP ldapsam backend, and also
+ using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 9 &smbmdash; Adding UNIX/Linux Servers and Clients</term><listitem>
+ <para>
+ Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
+ You want central control and central support and you need to cut costs. How can you reduce administrative
+ overheads and yet get better control of the network?
+ </para>
+
+ <para>
+ This chapter has been contributed by Mark Taylor <email>mark.taylor@siriusit.co.uk</email>
+ and is based on a live site. For further information regarding this example case,
+ please contact Mark directly.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; It is time to consider how to add Samba servers
+ and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
+ using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
+ techniques for taking control. Are you ready for this?
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 10 &smbmdash; Active Directory, Kerberos and Security</term><listitem>
+ <para>
+ Abmas has acquired another company that has just migrated to running Windows Server 2003 and
+ Active Directory. One of your staff makes offhand comments that land you in hot water.
+ A network security auditor is hired by the head of the new business and files a damning
+ report, and you must address the <emphasis>defects</emphasis> reported. You have hired new
+ network engineers who want to replace Microsoft Active Directory with a pure Kerberos
+ solution. How will you handle this?
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter is your answer. Learn about
+ share access controls, proper use of UNIX/Linux file system access controls, and Windows
+ 200x Access Control Lists. Follow these steps to beat the critics.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 11 &smbmdash; Integrating Additional Services</term><listitem>
+ <para>
+ The battle is almost over, Samba-3 has won the day. Your team are delighted and now you
+ find yourself at yet another cross-roads. Abmas have acquired a snack food business, you
+ made promises you must keep. IT costs must be reduced, you have new resistance, but you
+ will win again. This time you choose to install the Squid proxy server to validate the
+ fact that Samba is far more than just a file and print server. SPNEGO authentication
+ support means that your Microsoft Windows clients gain transparent proxy access.
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; Samba provides the <command>ntlm_auth</command>
+ module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
+ and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
+ access control based using the Active Directory Domain user security credentials.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Chapter 12 &smbmdash; Performance, Reliability and Availability</term><listitem>
+ <para>
+ Bob, are you sure the new Samba server is up to the load? Your network is serving many
+ users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
+ keep the cost under control also? What can go wrong?
+ </para>
+
+ <para><emphasis>TechInfo</emphasis> &smbmdash; Hot tips that put chili into your
+ network. Avoid name resolution problems, identify potential causes of network collisions,
+ avoid Samba configuration options that will weigh the server down. MS distributed file
+ services to make your network fly and much more. This chapter contains a good deal of
+ <quote>Did I tell you about this...?</quote> type of hints to help keep your name on the top
+ performers list.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </sect1>
+
+ <!-- the conventions used in this book -->
+ <xi:include href="conventions.xml" xmlns:xi="http://www.w3.org/2003/XInclude" />
+
+</preface>
+
generated by cgit (git 2.34.1) at 2024-11-06 12:49:51 +0000