author Alexander Bokovoy <ab@samba.org> 2003-04-30 21:26:24 +0000
committer Alexander Bokovoy <ab@samba.org> 2003-04-30 21:26:24 +0000
commit 3d6bb1823c3a82958ee2b80be4f953e23703eb9d
tree cf26d289c63bb1365aab490938515991602b5db3 /docs/docbook/projdoc/AdvancedNetworkAdmin.xml
parent 318acec837279edaf74e331afc8ebdba5c05db71
Docbook XML conversion: projdoc
(This used to be commit f7c9df751459da2d4a996d5f0135334fb3f87f69)
Diffstat (limited to 'docs/docbook/projdoc/AdvancedNetworkAdmin.xml')
-rw-r--r-- docs/docbook/projdoc/AdvancedNetworkAdmin.xml 291
1 files changed, 291 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml
new file mode 100644
index 0000000000..dc2a78f5a6
--- /dev/null
+++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml
@@ -0,0 +1,291 @@
+<chapter id="AdvancedNetworkManagement">
+<chapterinfo>
+ &author.jht;
+ <pubdate>April 3 2003</pubdate>
+</chapterinfo>
+
+<title>Advanced Network Manangement</title>
+
+<para>
+This section attempts to document peripheral issues that are of great importance to network
+administrators who want to improve network resource access control, to automate the user
+environment, and to make their lives a little easier.
+</para>
+
+<sect1>
+<title>Configuring Samba Share Access Controls</title>
+
+<para>
+This section deals with how to configure Samba per share access control restrictions.
+By default samba sets no restrictions on the share itself. Restrictions on the share itself
+can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
+connect to a share. In the absence of specific restrictions the default setting is to allow
+the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read).
+</para>
+
+<para>
+At this time Samba does NOT provide a tool for configuring access control setting on the Share
+itself. Samba does have the capacity to store and act on access control settings, but the only
+way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
+Computer Management.
+</para>
+
+<para>
+Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>.
+The location of this file on your system will depend on how samba was compiled. The default location
+for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename>
+utility has been compiled and installed on your system then you can examine the contents of this file
+by: <userinput>tdbdump share_info.tdb</userinput>.
+</para>
+
+<sect2>
+<title>Share Permissions Management</title>
+
+<para>
+The best tool for the task is platform dependant. Choose the best tool for your environmemt.
+</para>
+
+<sect3>
+<title>Windows NT4 Workstation/Server</title>
+<para>
+The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
+Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
+You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.
+</para>
+
+<procedure>
+<title>Instructions</title>
+<step><para>
+Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu
+select Computer, then click on the Shared Directories entry.
+</para></step>
+
+<step><para>
+ Now click on the share that you wish to manage, then click on the Properties tab, next click on
+ the Permissions tab. Now you can Add or change access control settings as you wish.
+</para></step>
+</procedure>
+
+</sect3>
+
+<sect3>
+<title>Windows 200x/XP</title>
+
+<para>
+On MS Windows NT4/200x/XP system access control lists on the share itself are set using native
+tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
+then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows
+<emphasis>Everyone</emphasis> Full Control on the Share.
+</para>
+
+<para>
+MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the
+Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel ->
+Administrative Tools -> Computer Management</filename>.
+</para>
+
+<procedure>
+<title>Instructions</title>
+<step><para>
+ After launching the MMC with the Computer Management snap-in, click on the menu item 'Action',
+ select 'Connect to another computer'. If you are not logged onto a domain you will be prompted
+ to enter a domain login user identifier and a password. This will authenticate you to the domain.
+ If you where already logged in with administrative privilidge this step is not offered.
+</para></step>
+
+<step><para>
+If the Samba server is not shown in the Select Computer box, then type in the name of the target
+Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+]
+next to 'Shared Folders' in the left panel.
+</para></step>
+
+<step><para>
+Now in the right panel, double-click on the share you wish to set access control permissions on.
+Then click on the tab 'Share Permissions'. It is now possible to add access control entities
+to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
+wish to assign for each entry.
+</para></step>
+</procedure>
+
+<warning>
+<para>
+Be careful. If you take away all permissions from the Everyone user without removing this user
+then effectively no user will be able to access the share. This is a result of what is known as
+ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone
+will have no access even if this user is given explicit full control access.
+</para>
+</warning>
+
+</sect3>
+</sect2>
+</sect1>
+
+<sect1>
+<title>Remote Server Administration</title>
+
+<para>
+<emphasis>How do I get 'User Manager' and 'Server Manager'?</emphasis>
+</para>
+
+<para>
+Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains',
+the 'Server Manager'?
+</para>
+
+<para>
+Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me
+systems. The tools set includes:
+</para>
+
+<itemizedlist>
+ <listitem><para>Server Manager</para></listitem>
+ <listitem><para>User Manager for Domains</para></listitem>
+ <listitem><para>Event Viewer</para></listitem>
+</itemizedlist>
+
+<para>
+Click here to download the archived file <ulink
+url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink>
+</para>
+
+<para>
+The Windows NT 4.0 version of the 'User Manager for
+Domains' and 'Server Manager' are available from Microsoft via ftp
+from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink>
+</para>
+
+</sect1>
+<sect1>
+<title>Network Logon Script Magic</title>
+
+<para>
+This section needs work. Volunteer contributions most welcome. Please send your patches or updates
+to <ulink url="mailto:jht@samba.org">John Terpstra</ulink>.
+</para>
+
+<para>
+There are several opportunities for creating a custom network startup configuration environment.
+</para>
+
+<simplelist>
+ <member>No Logon Script</member>
+ <member>Simple universal Logon Script that applies to all users</member>
+ <member>Use of a conditional Logon Script that applies per user or per group attirbutes</member>
+ <member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
+ a custom Logon Script and then execute it.</member>
+ <member>User of a tool such as KixStart</member>
+</simplelist>
+
+<para>
+The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories.
+</para>
+
+<para>
+The following listings are from the genlogon directory.
+</para>
+
+<para>
+This is the genlogon.pl file:
+
+<programlisting>
+ #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from smb.conf
+ # with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standard's Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, ">>/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, ">/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;
+</programlisting>
+</para>
+
+<para>
+Those wishing to use more elaborate or capable logon processing system should check out the following sites:
+</para>
+
+<simplelist>
+ <member>http://www.craigelachie.org/rhacer/ntlogon</member>
+ <member>http://www.kixtart.org</member>
+ <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member>
+</simplelist>
+
+<sect2>
+<title>Adding printers without user intervention</title>
+
+<para>
+Printers may be added automatically during logon script processing through the use of:
+
+<programlisting>
+ rundll32 printui.dll,PrintUIEntry /?
+</programlisting>
+
+See the documentation in the Microsoft knowledgebase article no: 189105 referred to above.
+</para>
+</sect2>
+
+</sect1>
+</chapter>
+
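Review bot: the genlogon.pl listing will not compile as shown, because the third share block starts with a capitalised `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")`; Perl keywords are case-sensitive, so this should be `if`. In the same listing the log line `print LOG "$mon/$mday/$year $hour:$min:$sec ..."` uses the raw values from `localtime`, where `$mon` is zero-based and `$year` is years since 1900, so the timestamp will read one month early and with a year such as 103; add 1 to `$mon` and 1900 to `$year` (or use `scalar localtime`). Neither `open LOG` nor `open LOGON` checks its return value, and the output path `>/shared/netlogon/$ARGV[0].bat` is built directly from the `%U` user name passed by smb.conf, so a short note that the script should validate the user name against an expected character set and die on a failed `open` would help readers who copy it into a production `root preexec`. The commented duplicate `#($sec,$min,...) = localtime(time);` line can be dropped. Minor spelling in the prose: "Manangement" in the chapter title, "dependant", "environmemt", "privilidge", "precidence", "attirbutes", and "User of a tool such as KixStart" (should be "Use of").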