summaryrefslogtreecommitdiff
path: root/docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2005-06-10 20:29:09 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:46:44 -0500
commit06aa63b6f19131071800985746b445dee42d91eb (patch)
tree5f7aaa77fc7375919463ae40d05933d44688f071 /docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml
parentb82eb1abe3641a80ad6f431dd2fd625dc229eaed (diff)
downloadsamba-06aa63b6f19131071800985746b445dee42d91eb.tar.gz
samba-06aa63b6f19131071800985746b445dee42d91eb.tar.bz2
samba-06aa63b6f19131071800985746b445dee42d91eb.zip
Large number of small fixes to the layout and the build system.
(This used to be commit 73fac0653c774a8ed8654b064fd63d4e486f6b0f)
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml')
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml403
1 files changed, 403 insertions, 0 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml b/docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml
new file mode 100644
index 0000000000..66b4c27406
--- /dev/null
+++ b/docs/Samba3-HOWTO/TOSHARG-AdvancedNetworkAdmin.xml
@@ -0,0 +1,403 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="AdvancedNetworkManagement">
+<chapterinfo>
+ &author.jht;
+ <pubdate>April 3 2003</pubdate>
+</chapterinfo>
+
+<title>Advanced Network Management</title>
+
+<para>
+This section documents peripheral issues that are of great importance to network
+administrators who want to improve network resource access control, to automate the user
+environment and to make their lives a little easier.
+</para>
+
+<sect1>
+<title>Features and Benefits</title>
+
+<para>
+Often the difference between a working network environment and a well appreciated one can
+best be measured by the <emphasis>little things</emphasis> that make everything work more
+harmoniously. A key part of every network environment solution is the
+ability to remotely
+manage MS Windows workstations, remotely access the Samba server, provide customized
+logon scripts, as well as other housekeeping activities that help to sustain more reliable
+network operations.
+</para>
+
+<para>
+This chapter presents information on each of these areas. They are placed here, and not in
+other chapters, for ease of reference.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Remote Server Administration</title>
+
+
+<para><quote>How do I get `User Manager' and `Server Manager'?</quote></para>
+
+<para>
+<indexterm><primary>User Manager</primary></indexterm>
+<indexterm><primary>Server Manager</primary></indexterm>
+<indexterm><primary>Event Viewer</primary></indexterm>
+Since I do not need to buy an <application>NT4 Server</application>, how do I get the `User Manager for Domains'
+and the `Server Manager'?
+</para>
+
+<para>
+<indexterm><primary>Nexus.exe</primary></indexterm>
+Microsoft distributes a version of these tools called <filename>Nexus.exe</filename> for installation
+on <application>Windows 9x/Me</application> systems. The tools set includes:
+</para>
+
+<itemizedlist>
+ <listitem><para>Server Manager</para></listitem>
+ <listitem><para>User Manager for Domains</para></listitem>
+ <listitem><para>Event Viewer</para></listitem>
+</itemizedlist>
+
+<para>
+Download the archived file at <ulink noescape="1" url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE.</ulink>
+</para>
+
+<para>
+<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
+The <application>Windows NT 4.0</application> version of the `User Manager for
+Domains' and `Server Manager' are available from Microsoft <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Remote Desktop Management</title>
+
+<para>
+There are a number of possible remote desktop management solutions that range from free
+through costly. Do not let that put you off. Sometimes the most costly solution is the
+most cost effective. In any case, you will need to draw your own conclusions as to which
+is the best tool in your network environment.
+</para>
+
+ <sect2>
+ <title>Remote Management from NoMachine.Com</title>
+
+ <para>
+ <indexterm><primary>NoMachine.Com</primary></indexterm>
+ The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
+ It is presented in slightly edited form (with author details omitted for privacy reasons).
+ The entire answer is reproduced below with some comments removed.
+ </para>
+
+ <para><quote>
+ I have a wonderful Linux/Samba server running as pdc for a network. Now I would like to add remote
+ desktop capabilities so users outside could login to the system and get their desktop up from home or
+ another country.
+ </quote></para>
+
+ <para><quote>
+ Is there a way to accomplish this? Do I need a Windows Terminal Server? Do I need to configure it so
+ it is a member of the domain or a BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
+ even if the computer is in a domain?
+ </quote></para>
+
+ <para>
+ Answer provided: Check out the new offer of <quote>NX</quote> software from
+ <ulink noescape="1" url="http://www.nomachine.com/">NoMachine</ulink>.
+ </para>
+
+ <para>
+ It implements an easy-to-use interface to the Remote X protocol as
+ well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
+ performance much better than anything you may have ever seen.
+ </para>
+
+ <para>
+ Remote X is not new at all, but what they did achieve successfully is
+ a new way of compression and caching technologies that makes the thing
+ fast enough to run even over slow modem/ISDN connections.
+ </para>
+
+ <para>
+ I could test drive their (public) Red Hat machine in Italy, over a loaded
+ Internet connection, with enabled thumbnail previews in KDE konqueror
+ which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
+ session I started a rdesktop session on another, a Windows XP machine.
+ To test the performance, I played Pinball. I am proud to announce
+ that my score was 631750 points at first try.
+ </para>
+
+ <para>
+ NX performs better on my local LAN than any of the other <quote>pure</quote>
+ connection methods I am using from time to time: TightVNC, rdesktop or
+ Remote X. It is even faster than a direct crosslink connection between
+ two nodes.
+ </para>
+
+ <para>
+ I even got sound playing from the Remote X app to my local boxes, and
+ had a working <quote>copy'n'paste</quote> from an NX window (running a KDE session
+ in Italy) to my Mozilla mailing agent. These guys are certainly doing
+ something right!
+ </para>
+
+ <para>
+ I recommend to test drive NX to anybody with a only a passing interest in remote computing
+ <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">http://www.nomachine.com/testdrive.php</ulink>.
+ </para>
+
+ <para>
+ Just download the free of charge client software (available for Red Hat,
+ SuSE, Debian and Windows) and be up and running within five minutes (they
+ need to send you your account data, though, because you are assigned
+ a real UNIX account on their testdrive.nomachine.com box.
+ </para>
+
+ <para>
+ They plan to get to the point were you can have NX application servers
+ running as a cluster of nodes, and users simply start an NX session locally,
+ and can select applications to run transparently (apps may even run on
+ another NX node, but pretend to be on the same as used for initial login,
+ because it displays in the same window. You also can run it
+ full-screen, and after a short time you forget that it is a remote session
+ at all).
+ </para>
+
+ <para>
+ Now the best thing for last: All the core compression and caching
+ technologies are released under the GPL and available as source code
+ to anybody who wants to build on it! These technologies are working,
+ albeit started from the command line only (and very inconvenient to
+ use in order to get a fully running remote X session up and running.)
+ </para>
+
+ <para>
+ To answer your questions:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ You do not need to install a terminal server; XP has RDP support built in.
+ </para></listitem>
+
+ <listitem><para>
+ NX is much cheaper than Citrix &smbmdash; and comparable in performance, probably faster.
+ </para></listitem>
+
+ <listitem><para>
+ You do not need to hack XP &smbmdash; it just works.
+ </para></listitem>
+
+ <listitem><para>
+ You log into the XP box from remote transparently (and I think there is no
+ need to change anything to get a connection, even if authentication is against a domain).
+ </para></listitem>
+
+ <listitem><para>
+ The NX core technologies are all Open Source and released under the GPL &smbmdash;
+ you can now use a (very inconvenient) command-line at no cost,
+ but you can buy a comfortable (proprietary) NX GUI front end for money.
+ </para></listitem>
+
+ <listitem><para>
+ NoMachine are encouraging and offering help to OSS/Free Software implementations
+ for such a front end too, even if it means competition to them (they have written
+ to this effect even to the LTSP, KDE and GNOME developer mailing lists).
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+<title>Network Logon Script Magic</title>
+
+<para>
+There are several opportunities for creating a custom network startup configuration environment.
+</para>
+
+<itemizedlist>
+ <listitem><para>No Logon Script.</para></listitem>
+ <listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
+ <listitem><para>Use of a conditional Logon Script that applies per user or per group attributes.</para></listitem>
+ <listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
+ a custom logon script and then execute it.</para></listitem>
+ <listitem><para>User of a tool such as KixStart.</para></listitem>
+</itemizedlist>
+
+<para>
+The Samba source code tree includes two logon script generation/execution tools.
+See <filename>examples</filename> directory <filename>genlogon</filename> and
+<filename>ntlogon</filename> subdirectories.
+</para>
+
+<para>
+The following listings are from the genlogon directory.
+</para>
+
+
+<para>
+<indexterm><primary>genlogon.pl</primary></indexterm>
+This is the <filename>genlogon.pl</filename> file:
+
+<smbfile name="genlogon.pl">
+<programlisting>
+ #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from
+ # smb.conf with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standards Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec";
+ print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+</programlisting>
+</smbfile>
+</para>
+
+<para>
+Those wishing to use more elaborate or capable logon processing system should check out these sites:
+</para>
+
+<itemizedlist>
+ <listitem><para><ulink noescape="1" url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></para></listitem>
+ <listitem><para><ulink noescape="1" url="http://www.kixtart.org">http://www.kixtart.org</ulink></para></listitem>
+</itemizedlist>
+
+<sect2>
+<title>Adding Printers without User Intervention</title>
+
+
+<para>
+<indexterm><primary>rundll32</primary></indexterm>
+Printers may be added automatically during logon script processing through the use of:
+
+<screen>
+&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
+</screen>
+
+See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft knowledgebase article 189105.</ulink>
+</para>
+</sect2>
+
+<sect2>
+ <title>Limiting Logon Connections</title>
+
+ <para>
+ Sometimes it is necessary to limit the number of concurrent connections to a
+ Samba shared resource. For example, a site may wish to permit only one network
+ logon per user.
+ </para>
+
+ <para>
+ The Samba <parameter>preexec script</parameter> parameter can be used to permit only one
+ connection per user. Though this method is not fool-proof, and may have side-effects
+ the following contributed method may inspire someone to provide a better solution.
+ </para>
+
+ <para>
+ This is not a perfect solution because Windows clients can drop idle connections
+ with an auto-reconnect capability that could result in the appearance that a share
+ is no longer in use, while actually it is. Even so, it demonstrates the principle
+ of use of the <parameter>preexec script</parameter> parameter.
+ </para>
+
+ <para>
+ The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>:
+ <programlisting>
+[myshare]
+ ...
+ preexec script = /sbin/PermitSingleLogon.sh
+ preexec close = Yes
+ ...
+ </programlisting>
+ </para>
+
+<example id="Tpees">
+ <title>Script to Enforce Single Resource Logon</title>
+<screen>
+#!/bin/bash
+
+IFS="-"
+RESULT=$(smbstatus -S -u $1 2> /dev/null | awk 'NF > 6 {print $1}' | sort | uniq -d)
+
+if [ "X${RESULT}" == X ]; then
+ exit 0
+else
+ exit 1
+fi
+</screen>
+</example>
+
+</sect2>
+
+</sect1>
+
+</chapter>