author | Jelmer Vernooij <jelmer@samba.org> | 2005-06-10 20:29:09 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:44 -0500 |
commit | 06aa63b6f19131071800985746b445dee42d91eb (patch) | |
tree | 5f7aaa77fc7375919463ae40d05933d44688f071 /docs/Samba3-ByExample/SBE-TheSmallOffice.xml | |
parent | b82eb1abe3641a80ad6f431dd2fd625dc229eaed (diff) | |
download | samba-06aa63b6f19131071800985746b445dee42d91eb.tar.gz samba-06aa63b6f19131071800985746b445dee42d91eb.tar.bz2 samba-06aa63b6f19131071800985746b445dee42d91eb.zip |
Large number of small fixes to the layout and the build system.
(This used to be commit 73fac0653c774a8ed8654b064fd63d4e486f6b0f)
Diffstat (limited to 'docs/Samba3-ByExample/SBE-TheSmallOffice.xml')
-rw-r--r-- | docs/Samba3-ByExample/SBE-TheSmallOffice.xml | 1256 |
1 files changed, 1256 insertions, 0 deletions
diff --git a/docs/Samba3-ByExample/SBE-TheSmallOffice.xml b/docs/Samba3-ByExample/SBE-TheSmallOffice.xml new file mode 100644 index 0000000000..8cb71820ed --- /dev/null +++ b/docs/Samba3-ByExample/SBE-TheSmallOffice.xml 
@@ -0,0 +1,1256 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="small"> + <title>Small Office Networking</title> + + <para> + <link linkend="simple"/> focused on the basics of simple yet effective + network solutions. Network administrators who take pride in their work + (that's most of us, right?) take care to deliver what our users want, + but not too much more. If we make things too complex, we confound our users + and increase costs of network ownership. A professional network manager + avoids the temptation to put too much pizazz into the way that the network + operates. Some creativity is helpful, but keep it under control &smbmdash; + good advice that the following two scenarios illustrate. + </para> + + <para> + <indexterm><primary>Netware</primary></indexterm> + In one case the network administrator of a mid-sized company spent three + months building a new network to replace an old Netware server. What he + delivered had all the bells and whistles he could muster. There were a + few teething problems during the changeover, nothing serious but a little + disruptive all the same. Users were exposed to many changes at once. The + network administrator was asked to resign two months after implementing + the new system because so many staff complained they had lost time and + were not happy with the new network. Everything was automated, and he + delivered more features than any advanced user could think of. He was + just too smart for his own good. + </para> + + <para> + In the case of the other company, a new network manager was appointed + to oversee the replacement of a LanTastic network with an MS Windows + NT 4.0 network. He had the replacement installed and operational within + two weeks. 
Before installation and changeover, he called a meeting to + explain to all users what was going to happen, how it would affect them, + and that he would be available 24 hours a day to help them transition. + One week after conversion, he held another meeting asking for cooperation + in the introduction of a few new features that would help to make life + easier. Network users were thrilled with the help he provided. The network + he implemented was nowhere near as complex as in the first example, had fewer + features, and yet he had happy users. Months later he was still adding + new innovations. He always asked the users if a + particular feature was what they wanted. He asked his boss for a raise + and got it. He often told me, <quote>Always keep a few new tricks up your + sleeves for when you need them.</quote> Was he smart? You decide. Let's + get on with our next exercise. + </para> + +<sect1> + <title>Introduction</title> + + <para> + Abmas Accounting has grown. Mr. Meany likes you and says he knew you + were the right person for the job. That's why he asked you to install the + new server. The past few months have been hard work. You advised Mr. Meany + that it is time for a change. Abmas now has 52 users, having acquired an + investment consulting business recently. The new users were added to the + network without any problems. + </para> + + <para> + Some of the Windows clients are nearly past their use-by date. + You found damaged and unusable software on some of the workstations + that came with the acquired business and found some machines + in need of both hardware and software maintenance. + </para> + + <sect2> + <title>Assignment Tasks</title> + + <para> + <indexterm><primary>Windows XP</primary></indexterm> + Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure + that the business is running efficiently. Many of the new staff want notebook + computers. 
They visit customer business premises and need to use local network + facilities; these users are technically competent. The company uses a + business application that requires Windows XP Professional. In short, a complete + client upgrade is about to happen. Mr. Meany told you that he is working + on another business acquisition and that by the time he retires there will be + 80 to 100 users. + </para> + + <para> + Mr. Meany is not concerned about security. He wants to make it easier for + staff to do their work. He has hired you to help him appoint a full-time + network manager before he retires. Above all, he says he is investing in + the ability to grow. He is determined to live his lifelong dream and + hand the business over to a bright and capable executive who can make + things happen. This means your network design must cope well with + growth. + </para> + + <para> + In a few months, Abmas will require an Internet connection for email and so + that staff can easily obtain software updates. Mr. Meany is warming up to + the installation of antivirus software but is not yet ready to approve + this expense. He told you to spend the money a virus scanner costs + on better quality notebook computers for mobile users. + </para> + + <para> + One of Mr. Meany's golfing partners convinced him to buy new laser + printers, one black only, the other a color laser printer. Staff support + the need for a color printer so they can present more attractive proposals + and reports. + </para> + + <para> + Mr. Meany also asked if it would be possible for one of the staff to manage + user accounts from the Windows desktop. That person will be responsible for + basic operations. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para> + What are the key requirements in this business example? 
A quick review indicates + a need for + </para> + + <itemizedlist> + <listitem><para> + Scalability, from 52 to over 100 users in 12 months + </para></listitem> + + <listitem><para> + Mobile computing capability + <indexterm><primary>mobile computing</primary></indexterm> + </para></listitem> + + <listitem><para> + Improved reliability and usability + </para></listitem> + + <listitem><para> + Easier administration + </para></listitem> + </itemizedlist> + + <para> + In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server + (as in <link linkend="AccountingOffice"/>). + + </para> + + + <sect2> + <title>Technical Issues</title> + + <para> + <indexterm><primary>smbpasswd</primary></indexterm> + <indexterm><primary>DHCP</primary></indexterm> + <indexterm><primary>DNS</primary></indexterm> + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>Domain</primary></indexterm> + It is time to implement a domain security environment. You will use the <constant> + smbpasswd</constant> (default) backend. You should implement a DHCP server. There is no need to + run DNS at this time, but the system will use WINS. The domain name will be <constant> + BILLMORE</constant>. This time, the name of the server will be <constant>SLEETH</constant>. + </para> + + <para> + All printers will be configured as DHCP clients. The DHCP server will assign + the printer a fixed IP address by way of its Ethernet interface (MAC) address. + See <link linkend="dhcp01"/>. + </para> + + <note><para> + The &smb.conf; file you are creating in this exercise can be used with equal effectiveness + with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is + possible to start with the installation that you have created here, migrate it + to a Samba-3 configuration, and then secure the system further. Configurations following + this one utilize features that may not be supported in Samba-2.2.x releases. 
+ However, you should note that the examples in each chapter start with the assumption + that a fresh new installation is being effected. + </para></note> + + <para> + Later on, when the Internet connection is implemented, you will add DNS as well as + other enhancements. It is important that you plan accordingly. + </para> + + <para> + <indexterm><primary>Ethernet switch</primary></indexterm> + You have split the network into two separate areas. Each has its own Ethernet switch. + There are 20 users on the accounting network and 32 users on the financial services + network. The server has two network interfaces, one serving each network. The + network printers will be located in a central area. You plan to install the new + printers and keep the old printer in use also. + </para> + + <para> + You will provide separate file storage areas for each business entity. The old system + will go away, accounting files will be handled under a single directory, and files will + be stored under customer name, not under a personal work area. Staff will be made + responsible for file location, so the old share point must be maintained. + </para> + + <para> + Given that DNS will not be used, you will configure WINS name resolution for UNIX + hostname name resolution. + </para> + + <para> + <indexterm><primary>Domain</primary><secondary>groups</secondary></indexterm> + <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm> + It is necessary to map Windows Domain Groups to UNIX groups. It is + advisable to also map Windows Local Groups to UNIX groups. Additionally, the two + key staff groups in the firm are accounting staff and financial services staff. + For these, it is necessary to create UNIX groups as well as Windows Domain Groups. + </para> + + <para> + In the sample &smb.conf; file, you have configured Samba to call the UNIX + <command>groupadd</command> to add group entries. 
This utility does not permit + the addition of group names that contain uppercase characters or spaces. This + is considered a bug. The <command>groupadd</command> is part of the + <command>shadow-utils</command> open source software package. A later release + of this package may have been patched to resolve this bug. If your operating + platform has this bug, it means that attempts to add a Windows Domain Group that + has either a space or uppercase characters in it will fail. See + <emphasis>TOSHARG</emphasis>, Chapter 11, Section 11.3.1, Example 11.1, for + more information. + </para> + + <para> + <indexterm><primary>CUPS</primary></indexterm> + Vendor-supplied printer drivers will be installed on each client. The CUPS print + spooler on the UNIX host will be operated in <constant>raw</constant> mode. + </para> + + </sect2> + + <sect2> + <title>Political Issues</title> + + <para> + Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. + He is willing to spend money on things he believes are of value. You need more + time to convince him of real priorities. + </para> + + <para> + Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be + supplied with antivirus software? Above all, demonstrate good purchase value and remember + to make your users happy. + </para> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para> + <indexterm><primary>migration</primary></indexterm> + In this example, the assumption is made that this server is being configured from a clean start. + The alternate approach could be to demonstrate the migration of the system that is documented + in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with + future examples, as a new installation is based on the premise that you can determine + the migration steps from the information provided in <link linkend="ntmigration"/>. 
+ Additionally, a fresh installation makes the example easier to follow. + </para> + + <para> + <indexterm><primary>group membership</primary></indexterm> + Each user will be given a home directory on the UNIX system, which will be available as a private + share. Two additional shares will be created, one for the accounting department and the other for + the financial services department. Network users will be given access to these shares by way + of group membership. + </para> + + <para> + <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm> + UNIX group membership is the primary mechanism by which Windows Domain users will be granted + rights and privileges within the Windows environment. + </para> + + <para> + <indexterm><primary>sticky bit</primary></indexterm> + The user <command>alanm</command> will be made the owner of all files. This will be preserved + by setting the sticky bit (set UID/GID) on the top-level directories. + </para> + + <image id="acct2net"> + <imagedescription>Abmas Accounting &smbmdash; 52-User Network Topology</imagedescription> + <imagefile scale="100">acct2net</imagefile> + </image> + + <procedure> + <title>Server Installation Steps</title> + + <step><para> + Using UNIX/Linux system tools, name the server <constant>sleeth</constant>. + </para></step> + + <step><para> + <indexterm><primary>/etc/hosts</primary></indexterm> + Place an entry for the machine <constant>sleeth</constant> in the <filename>/etc/hosts</filename>. + The printers are network attached, so there should be entries for the + network printers also. An example <filename>/etc/hosts</filename> file is shown here: +<screen> +192.168.1.1 sleeth sleeth1 +192.168.2.1 sleeth2 +192.168.1.10 hplj6 +192.168.1.11 hplj4 +192.168.2.10 qms +</screen> + </para></step> + + <step><para> + Install the Samba-3 binary RPM from the Samba-Team FTP site. + </para></step> + + <step><para> + Install the ISC DHCP server using the UNIX/Linux system tools available to you. 
+ </para></step> + + <step><para> + <indexterm><primary>/etc/rc.d/rc.local</primary></indexterm> + <indexterm><primary>IP forwarding</primary></indexterm> + <indexterm><primary>router</primary></indexterm> + <indexterm><primary>/proc/sys/net/ipv4/ip_forward</primary></indexterm> + Because Samba will be operating over two network interfaces and clients on each side + may want to be able to reach clients on the other side, it is imperative that IP forwarding + is enabled. Use the system tool of your choice to enable IP forwarding. In the + absence of such a tool on the Linux system, add to the <filename>/etc/rc.d/rc.local</filename> + file an entry as follows: +<screen> +echo 1 > /proc/sys/net/ipv4/ip_forward +</screen> + This causes the Linux kernel to forward IP packets so that it acts as a router. + </para></step> + + <step><para> + Install the &smb.conf; file as shown in <link linkend="acct2conf"/> and + <link linkend="acct3conf"/>. Combine these two examples to form a single + <filename>/etc/samba/smb.conf</filename> file. + </para></step> + + <step><para> + <indexterm><primary>smbpasswd</primary></indexterm> + Add the user <command>root</command> to the Samba password backend: +<screen> +&rootprompt; smbpasswd -a root +New SMB password: XXXXXXX +Retype new SMB password: XXXXXXX +&rootprompt; +</screen> + <indexterm><primary>administrator</primary></indexterm> + This is the Windows Domain Administrator password. Never delete this account from + the password backend after Windows Domain Groups have been initialized. If you delete + this account, your system is crippled. You cannot restore this account, + and your Samba server can no longer be administered. + </para></step> + + <step><para> + <indexterm><primary>username map</primary></indexterm> + Create the username map file to permit the <constant>root</constant> account to be called + <constant>Administrator</constant> from the Windows network environment. 
To do this, create + the file <filename>/etc/samba/smbusers</filename> with the following contents: +<screen> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</screen> + </para></step> + + <step><para> + <indexterm><primary>initGrps.sh</primary></indexterm> + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + <link linkend="initGrps"/>. Create a file containing this script. We called ours + <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed, + and then execute the script. Sample output should be as follows: + +<example id="initGrps"> +<title>Script to Map Windows NT Groups to UNIX Groups</title> +<indexterm><primary>initGrps.sh</primary></indexterm> +<screen> +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap modify ntgroup="Domain Admins" unixgroup=root +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d +</screen> +</example> + +<screen> +&rootprompt; chmod 755 initGrps.sh +&rootprompt; cd /etc/samba +&rootprompt; ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully 
added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db + +&rootprompt; cd /etc/samba +&rootprompt; net groupmap list | sort +Account Operators (S-1-5-32-548) -> -1 +Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep +Administrators (S-1-5-32-544) -> -1 +Backup Operators (S-1-5-32-551) -> -1 +Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root +Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody +Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users +Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs +Guests (S-1-5-32-546) -> -1 +Power Users (S-1-5-32-547) -> -1 +Print Operators (S-1-5-32-550) -> -1 +Replicators (S-1-5-32-552) -> -1 +System Operators (S-1-5-32-549) -> -1 +Users (S-1-5-32-545) -> -1 +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/passwd</primary></indexterm> + <indexterm><primary>password</primary><secondary>backend</secondary></indexterm> + <indexterm><primary>smbpasswd</primary></indexterm> + For each user who needs to be given a Windows Domain account, make an entry in the + <filename>/etc/passwd</filename> file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system accounts, and use the Samba + <command>smbpasswd</command> program to create the Domain user accounts. + </para> + + <para> + <indexterm><primary>useradd</primary></indexterm> + <indexterm><primary>adduser</primary></indexterm> + <indexterm><primary>user</primary><secondary>management</secondary></indexterm> + There are a number of tools for user management under UNIX, such as + <command>useradd</command> and <command>adduser</command>, as well as a plethora of custom + tools. With the tool of your choice, create a home directory for each user. 
+ </para></step> + + <step><para> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously, as necessary. File system access control will be based on UNIX group membership. + </para></step> + + <step><para> + Create the directory mount point for the disk subsystem that is mounted to provide + data storage for company files. In this case the mount point is indicated in the &smb.conf; + file is <filename>/data</filename>. Format the file system as required, mount the formatted + file system partition using <command>mount</command>, + and make the appropriate changes in <filename>/etc/fstab</filename>. + </para></step> + + <step><para> + Create the top-level file storage directories are follows: +<screen> +&rootprompt; mkdir -p /data/{accounts,finsvcs} +&rootprompt; chown -R root:root /data +&rootprompt; chown -R alanm:accounts /data/accounts +&rootprompt; chown -R alanm:finsvcs /data/finsvcs +&rootprompt; chmod -R ug+rwx,o+rx-w /data +</screen> + Each department is responsible for creating its own directory structure within its + share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>. + The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>. + </para></step> + + <step><para> + Configure the printers with the IP addresses as shown in <link linkend="acct2net"/>. + Follow the instructions in the manufacturers' manuals to permit printing to port 9100. + This allows the CUPS spooler to print using raw mode protocols. 
+ <indexterm><primary>CUPS</primary></indexterm> + <indexterm><primary>raw printing</primary></indexterm> + </para></step> + + <step><para> + <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm> + <indexterm><primary>lpadmin</primary></indexterm> + Configure the CUPS Print Queues as follows: +<screen> +&rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E +&rootprompt; lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E +&rootprompt; lpadmin -p qms -v socket://192.168.2.10:9100 -E +</screen> + <indexterm><primary>print filter</primary></indexterm> + This creates the necessary print queues with no assigned print filter. + </para></step> + + <step><para> + <indexterm><primary>mime type</primary></indexterm> + <indexterm><primary>/etc/mime.convs</primary></indexterm> + <indexterm><primary>application/octet-stream</primary></indexterm> + Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: +<screen> +application/octet-stream application/vnd.cups-raw 0 - +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/mime.types</primary></indexterm> + Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: +<screen> +application/octet-stream +</screen> + </para></step> + + <step><para> + <indexterm><primary>DHCP Server</primary></indexterm> + Using your favorite system editor, create an <filename>/etc/dhcpd.conf</filename> with the + contents as shown in <link linkend="dhcp01"/>. 
+<example id="dhcp01"> +<title>Abmas Accounting DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title> +<indexterm><primary>/etc/dhcpd.conf</primary></indexterm> +<screen> +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; + +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; +### NOTE ### +# netbios-node-type=8 means set clients to Hybrid Mode +# so they will use Unicast communication with the WINS +# server and thus reduce the level of UDP broadcast +# traffic by up to 90%. +############ + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host hplj4 { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.10; + } + host hplj6 { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.11; + } + } +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qms { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.10; + } + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +</screen> +</example> + </para></step> + + + <step><para> + Use the standard system tool to start Samba and CUPS and configure them to start + automatically at every system reboot. 
For example, + </para> + + <para> + <indexterm><primary>chkconfig</primary></indexterm> + <indexterm><primary>starting dhcpd</primary></indexterm> + <indexterm><primary>starting samba</primary></indexterm> + <indexterm><primary>starting CUPS</primary></indexterm> + <indexterm><primary>chkconfig</primary></indexterm> +<screen> +&rootprompt; chkconfig dhcp on +&rootprompt; chkconfig smb on +&rootprompt; chkconfig cups on +&rootprompt; /etc/rc.d/init.d/dhcp restart +&rootprompt; /etc/rc.d/init.d/smb restart +&rootprompt; /etc/rc.d/init.d/cups restart +</screen> + </para></step> + + <step><para> + <indexterm><primary>name service switch</primary></indexterm> + <indexterm><primary>NSS</primary><see>same service switch</see></indexterm> + <indexterm><primary>DNS</primary></indexterm> + <indexterm><primary>DNS server</primary></indexterm> + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + Configure the name service switch (NSS) to handle WINS-based name resolution. + Since this system does not use a DNS server, it is safe to remove this option from + the NSS configuration. 
Edit the <filename>/etc/nsswitch.conf</filename> file so that + the <constant>hosts:</constant> entry looks like this: +<screen> +hosts: files wins +</screen> + </para></step> + + </procedure> + +<smbconfexample id="acct2conf"> +<title>Accounting Office Network &smb.conf; File &smbmdash; [globals] Section</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">BILLMORE</smbconfoption> +<smbconfoption name="passwd chat"> </smbconfoption> +<member><parameter>*New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</parameter></member> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="syslog">0</smbconfoption> +<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> +<smbconfoption name="printcap name">CUPS</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption> +<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption> +<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption> +<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption> +<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption> +<smbconfoption name="add machine script"> </smbconfoption> +<member><parameter>/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</parameter></member> +<smbconfoption name="logon script">scripts\login.bat</smbconfoption> +<smbconfoption name="logon path"> </smbconfoption> +<smbconfoption name="logon drive">X:</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="preferred master">Yes</smbconfoption> +<smbconfoption name="wins support">Yes</smbconfoption> +<smbconfoption name="printing">CUPS</smbconfoption> +</smbconfexample> + +<smbconfexample id="acct3conf"> +<title>Accounting 
Office Network &smb.conf; File &smbmdash; Services and Shares Section</title> +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">SMB Print Spool</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Network Logon Service</smbconfoption> +<smbconfoption name="path">/data/%U</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[accounts]"/> +<smbconfoption name="comment">Accounting Files</smbconfoption> +<smbconfoption name="path">/data/accounts</smbconfoption> +<smbconfoption name="valid users">%G</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[finsvcs]"/> +<smbconfoption name="comment">Financial Service Files</smbconfoption> +<smbconfoption name="path">/data/finsvcs</smbconfoption> +<smbconfoption name="valid users">%G</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +</smbconfexample> + + <sect2> + <title>Validation</title> + + <para> + Does everything function as it ought? That is the key question at this point. + Here are some simple steps to validate your Samba server configuration. + </para> + + <procedure> + <title>Validation Steps</title> + + <step><para> + <indexterm><primary>testparm</primary></indexterm> + If your &smb.conf; file has bogus options or parameters, this may cause Samba + to refuse to start. 
The first step should always be to validate the contents + of this file by running: +<screen> +&rootprompt; testparm -s +Load smb config files from smb.conf +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[accounts]" +Processing section "[service]" +Loaded services file OK. +# Global parameters +[global] + workgroup = BILLMORE + passwd chat = *New*Password* \ + %n\n *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + syslog = 0 + name resolve order = wins bcast hosts + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m '%u' + delete user script = /usr/sbin/userdel -r '%u' + add group script = /usr/sbin/groupadd '%g' + delete group script = /usr/sbin/groupdel '%g' + add user to group script = /usr/sbin/usermod -G '%g' '%u' + add machine script = /usr/sbin/useradd + -s /bin/false -d /var/lib/nobody '%u' + logon script = scripts\logon.bat + logon path = + logon drive = X: + domain logons = Yes + preferred master = Yes + wins support = Yes +... +### Remainder cut to save space ### +</screen> + The inclusion of an invalid parameter (say one called dogbert) would generate an + error as follows: +<screen> +Unknown parameter encountered: "dogbert" +Ignoring unknown parameter "dogbert" +</screen> + Clear away all errors before proceeding, and start or restart samba as necessary. + </para></step> + + <step><para> + <indexterm><primary>check samba daemons</primary></indexterm> + <indexterm><primary>nmbd</primary></indexterm> + <indexterm><primary>smbd</primary></indexterm> + <indexterm><primary>winbindd</primary></indexterm> + Check that the Samba server is running: +<screen> +&rootprompt; ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? 
S 0:00 /usr/sbin/winbindd -B +</screen> + The <command>winbindd</command> daemon is running in split mode (normal), so there are also + two instances of it. For more information regarding <command>winbindd</command>, see <emphasis>TOSHARG</emphasis>, + Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal. + </para></step> + + <step><para> + <indexterm><primary>anonymous connection</primary></indexterm> + Check that an anonymous connection can be made to the Samba server: +<screen> +&rootprompt; smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + netlogon Disk Network Logon Service + accounts Disk Accounting Files + finsvcs Disk Financial Service Files + IPC$ IPC IPC Service (Samba3) + ADMIN$ IPC IPC Service (Samba3) + hplj4 Printer Hewlett-Packard LaserJet 4 + hplj6 Printer Hewlett-Packard LaserJet 6 + qms Printer QMS Magicolor Laser Printer XXXX + + Server Comment + --------- ------- + SLEETH Samba 3.0.20 + + Workgroup Master + --------- ------- + BILLMORE SLEETH +</screen> + This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The <constant>-U%</constant> argument means to send a <constant>NULL</constant> username and + a <constant>NULL</constant> password. + </para></step> + + <step><para> + <indexterm><primary>dhcp client validation</primary></indexterm> + <indexterm><primary>printer validation</primary></indexterm> + <indexterm><primary>/etc/dhcpd.conf</primary></indexterm> + Verify that the printers have the IP addresses assigned in the DHCP server configuration file. + The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute <command>arp -a</command> to find the MAC address of the printer + that has responded. 
Now you can compare the IP address and the MAC address of the printer + with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They + should, of course, match. For example, +<screen> +&rootprompt; ping hplj4 +PING hplj4 (192.168.1.11) 56(84) bytes of data. +64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms + +&rootprompt; arp -a +hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0 +</screen> + The MAC address <constant>08:00:46:7A:35:E4</constant> matches that specified for the + IP address from which the printer has responded and the entry for it in the + <filename>/etc/dhcpd.conf</filename> file. + </para></step> + + <step><para> + <indexterm><primary>authenticated connection</primary></indexterm> + Make an authenticated connection to the server using the <command>smbclient</command> tool: +<screen> +&rootprompt; smbclient //sleeth/accounts -U alanm +Password: XXXXXXX +smb: \> dir + . D 0 Sun Nov 9 01:28:34 2003 + .. D 0 Sat Aug 16 17:24:26 2003 + .mc DH 0 Sat Nov 8 21:57:38 2003 + .qt DH 0 Fri Sep 5 00:48:25 2003 + SMB D 0 Sun Oct 19 23:04:30 2003 + Documents D 0 Sat Nov 1 00:31:51 2003 + xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003 + + 65387 blocks of size 65536. 28590 blocks available +smb: \> q +</screen> + </para></step> + + </procedure> + + </sect2> + + + <procedure> + <title>Windows XP Professional Client Configuration</title> + + <step><para> + Configure clients to the network settings shown in <link linkend="acct2net"/>. + All clients use DHCP for TCP/IP protocol stack configuration. + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>DHCP</primary></indexterm> + DHCP configures all Windows clients to use the WINS Server address <constant>192.168.1.1</constant>. + </para></step> + + <step><para> + Join the Windows Domain called <constant>BILLMORE</constant>. Use the Domain Administrator + username <constant>root</constant> and the SMB password you assigned to this account. 
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in Appendix A, <link linkend="domjoin"/>. + Reboot the machine as prompted and then log on using a Domain User account. + </para></step> + + <step><para> + Verify on each client that the machine called <constant>SLEETH</constant> + is visible in <guimenu>My Network Places</guimenu>, that it is + possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem> + and <guimenuitem>finsvcs</guimenuitem>, + and that it is possible to open that share to reveal its contents. + </para></step> + + <step><para> + Instruct all users to log onto the workstation using their assigned username and password. + </para></step> + + <step><para> + Install a printer on each using the following steps: + </para> + + <procedure> + <step><para> + Click <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Printers</guimenuitem> + <guiicon>Add Printer</guiicon> + <guibutton>Next</guibutton> + </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. + Ensure that <guimenuitem>Local printer</guimenuitem> is selected. + </para></step> + + <step><para> + Click <guibutton>Next</guibutton>. In the + <guimenuitem>Manufacturer:</guimenuitem> panel, select <constant>HP</constant>. + In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called + <constant>HP LaserJet 4</constant>. Click <guibutton>Next</guibutton>. + </para></step> + + <step><para> + In the <guimenuitem>Available ports:</guimenuitem> panel, select + <constant>FILE:</constant>. Accept the default printer name by clicking + <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a + test page?</quote>, click <guimenuitem>No</guimenuitem>. Click + <guibutton>Finish</guibutton>. + </para></step> + + <step><para> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. 
Right-click <menuchoice> + <guiicon>HP LaserJet 4</guiicon> + <guimenuitem>Properties</guimenuitem> + <guisubmenu>Details (Tab)</guisubmenu> + <guimenuitem>Add Port</guimenuitem> + </menuchoice>. + </para></step> + + <step><para> + In the <guimenuitem>Network</guimenuitem> panel, enter the name of + the print queue on the Samba server as follows: <constant>\\SERVER\hplj4</constant>. + Click <menuchoice> + <guibutton>OK</guibutton> + <guibutton>OK</guibutton> + </menuchoice> to complete the installation. + </para></step> + + <step><para> + Repeat the printer installation steps above for the HP LaserJet 6 printer + as well as for the QMS Magicolor XXXX laser printer. + </para></step> + </procedure> + </step> + </procedure> + + <sect2> + <title>Notebook Computers: A Special Case</title> + + <para> + As a network administrator, you already know how to create local machine accounts for Windows 200x/XP + Professional systems. This is the preferred solution to provide continuity of work for notebook users + so that absence from the office network environment does not become a barrier to productivity. + </para> + + <para> + By creating a local machine account that has the same username and password as you create for that + user in the Windows Domain environment, the user can log onto the machine locally and still + transparently access network resources as if logged onto the domain itself. There are some trade-offs + that mean that as the network is more tightly secured, it becomes necessary to modify Windows client + configuration somewhat. + </para> + + </sect2> + + <sect2> + <title>Key Points Learned</title> + + <para> + In this network design and implementation exercise, you created a Windows NT4-style Domain + Controller using Samba-3.0.20. Following these guidelines, you experienced + and implemented several important aspects of Windows networking. In the next chapter, + you build on the experience. 
These are the highlights from this chapter: + </para> + + <itemizedlist> + <listitem><para> + <indexterm><primary>DHCP</primary></indexterm> + You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary + network configuration settings from this server. + </para></listitem> + + <listitem><para> + <indexterm><primary>Domain Controller</primary></indexterm> + You created a Windows Domain Controller. You were able to use the network logon service + and successfully joined Windows 200x/XP Professional clients to the Domain. + </para></listitem> + + <listitem><para> + <indexterm><primary>CUPS</primary></indexterm> + You created raw print queues in the CUPS printing system. You maintained a simple + printing system so that all users can share centrally managed printers. You installed + native printer drivers on the Windows clients. + </para></listitem> + + <listitem><para> + You experienced the benefits of centrally managed user accounts on the server. + </para></listitem> + + <listitem><para> + You offered Mobile notebook users a solution that allows them to continue to work + while away from the office and not connected to the corporate network. + </para></listitem> + </itemizedlist> + + </sect2> + +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that + may help. + </para> + + <qandaset> + <qandaentry> + <question> + + <para> + What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? + </para> + + </question> + <answer> + + <para> + First and foremost, portability. It means that notebook users can move between + the Abmas office and client offices (so long as they, too, use DHCP) without having to manually + reconfigure their machines. 
It also means that when they work from their home environments + either using DHCP assigned addressing or when using dial-up networking, settings such as + default routes and DNS server addresses that apply only to the Abmas office environment do + not interfere with remote operations. This is an extremely important feature of DHCP. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Are there any DHCP server configuration parameters in the <filename>/etc/dhcpd.conf</filename> + that should be noted in particular? + </para> + + </question> + <answer> + + <para> + Yes. The configuration you created automatically provides each client with the IP address + of your WINS server. It also configures the client to preferentially register NetBIOS names + with the WINS server, and then instructs the client to first query the WINS server when a + NetBIOS machine name needs to be resolved to an IP Address. This configuration + results in far lower UDP broadcast traffic than would be the case if WINS was not used. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Is it possible to create a Windows Domain account that is specifically called <constant>Administrator</constant>? + </para> + + </question> + <answer> + + <para> + You can surely create a Windows Domain account called <constant>Administrator</constant>. It is also + possible to map that account so that it has the effective UNIX UID of 0. This way it isn't + necessary to use the <parameter>username map</parameter> facility to map this account to the UNIX + account called <constant>root</constant>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why is it necessary to give the Windows Domain <constant>Administrator</constant> a UNIX UID of 0? + </para> + + </question> + <answer> + + <para> + The Windows Domain <constant>Administrator</constant> account is the most privileged account that + exists on the Windows platform. 
This user can change any setting, add, delete, or modify user + accounts, and completely reconfigure the system. The equivalent to this account in the UNIX + environment is the <constant>root</constant> account. If you want to permit the Windows Domain + Administrator to manage accounts as well as permissions, privileges, and security + settings within the Domain and on the Samba server, equivalent rights must be assigned. This is + achieved with the <constant>root</constant> UID equal to 0. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him + <constant>root</constant> access. How can we do this? + </para> + + </question> + <answer> + + <para> + Users who are members of the <constant>Domain Admins</constant> group can add machines to the + Domain. This group is mapped to the UNIX group account called <constant>root</constant> + (or the equivalent <constant>wheel</constant> on some UNIX systems) that has a GID of 0. + This must be the primary GID of the account of the user who is a member of the Windows <constant> + Domain Admins</constant> account. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why must I map Windows Domain Groups to UNIX groups? + </para> + + </question> + <answer> + + <para> + Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account + has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are + <guimenu>Domain Guests</guimenu>, <guimenu>Domain Users</guimenu>, and <guimenu>Domain Admins</guimenu>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + I deleted my <constant>root</constant> account and now I cannot add it back! What can I do? + </para> + + </question> + <answer> + + <para> + This is a nasty problem. Fortunately, there is a solution. 
+ </para> + + <procedure> + <step><para> + Back up your existing configuration files in case you need to restore them. + </para></step> + + <step><para> + Rename the <filename>group_mapping.tdb</filename> file. + </para></step> + + <step><para> + Use the <command>smbpasswd</command> to add the root account. + </para></step> + + <step><para> + Restore the <filename>group_mapping.tdb</filename> file. + </para></step> + </procedure> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + When I run <command>net groupmap list</command>, it reports a group called <guimenu>Administrators</guimenu> + as well as <guimenu>Domain Admins</guimenu>. What is the difference between them? + </para> + + </question> + <answer> + + <para> + The group called <guimenu>Administrators</guimenu> is representative of the same account that would be + present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain + Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This + may change at some later date. These accounts are provided only so that security objects are correctly shown. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What is the effect of changing the name of a Samba server or of changing the Domain name? + </para> + + </question> + <answer> + + <para> + If you elect to change the name of the Samba server, on restarting <command>smbd</command>, + Windows security identifiers are changed. In the case of a standalone server or a Domain Member server, + the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name + (Workgroup name), the Domain SID is changed. This affects all Domain memberships. + </para> + + <para> + If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective + SID before the change is made. 
You can back up the SID using the <command>net getlocalsid</command> (Samba-3) + or the <command>smbpasswd</command> (Samba-2.2.x). To change the SID, you use the same tool. Be sure + to check the man page for this command for detailed instructions regarding the steps involved. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + How can I manage user accounts from my Windows XP Professional workstation? + </para> + + </question> + <answer> + + <para> + Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot + be managed using tools present on a Windows XP Professional installation. You may download from the + Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use + it. This package extracts the tools: <command>User Manager for Domains</command>, <command>Server Manager</command>, and <command>Event + Viewer</command>. You may use the <guimenu>User Manager for Domains</guimenu> to manage your Samba-3 + Domain user and group accounts. Of course, you do need to be logged on as the <constant>Administrator</constant> + for the Samba-3 Domain. It may help to log on as the <constant>root</constant> account. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> + |
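Review bot: the `[netlogon]` share in the Services and Shares example is defined with `<smbconfoption name="path">/data/%U</smbconfoption>` and `<smbconfoption name="read only">No</smbconfoption>`, which gives the share that serves `logon script = scripts\logon.bat` a per-user path and makes it writable; a netlogon share should point at one fixed directory holding the logon scripts and be `read only = Yes`, because whatever a domain user can place there is executed on every workstation at logon. Its `valid users = %S` (the service name, i.e. `netlogon`) also does not match the stated purpose of a logon service available to all domain users. Three smaller consistency points in the same chapter: `[accounts]` and `[finsvcs]` use `valid users = %G`, which expands to the bare primary-group name and is therefore matched as a user name rather than a group, so the intended group-based access probably needs `@%G` or an explicit `@group`; the testparm transcript shows `Processing section "[service]"` while the configuration defines `[finsvcs]`; and the second prompt in the daemon check reads `$rootprompt; ps ax | grep winbind`, where `$` should be `&` for the entity to render.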