summaryrefslogtreecommitdiff
path: root/docs/guide/Chap02-SimpleOfficeServer.xml
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2004-04-07 10:15:11 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:45:43 -0500
commit992f1e6b8f86b346fddd266b04d29cde69585633 (patch)
tree878573999a6831aa14cd6b8072263eb5d5910aa4 /docs/guide/Chap02-SimpleOfficeServer.xml
parent65c0fd59203a3d9c4cb685e3a739f29f6f0c4fd6 (diff)
downloadsamba-992f1e6b8f86b346fddd266b04d29cde69585633.tar.gz
samba-992f1e6b8f86b346fddd266b04d29cde69585633.tar.bz2
samba-992f1e6b8f86b346fddd266b04d29cde69585633.zip
Add all the source files from the old CVS tree,
add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
Diffstat (limited to 'docs/guide/Chap02-SimpleOfficeServer.xml')
-rw-r--r--docs/guide/Chap02-SimpleOfficeServer.xml1604
1 files changed, 1604 insertions, 0 deletions
diff --git a/docs/guide/Chap02-SimpleOfficeServer.xml b/docs/guide/Chap02-SimpleOfficeServer.xml
new file mode 100644
index 0000000000..52e27bd6ce
--- /dev/null
+++ b/docs/guide/Chap02-SimpleOfficeServer.xml
@@ -0,0 +1,1604 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="simple">
+ <title>No Frills Samba Servers</title>
+
+ <para>
+ Congratulations, you managed to get past the opening chapter. To some, this is where the interesting
+ exercises begin. This is the start of the real journey toward the Samba deployment of a lifetime.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ This chapter lays the groundwork for understanding the basics of Samba operation.
+ Instead of a bland technical discussion, each principle is demonstrated by way of a
+ real-world scenario for which a working solution<footnote>The examples given mirror those documented
+ in TOSHARG Chapter 2, Section 2.3.1. You may gain additional insight from the Stand-alone server
+ configurations covered in TOSHARG sections 2.3.1.2 through 2.3.1.4.
+ </footnote> is fully described.
+ </para>
+
+ <para>
+ The practical exercises take you on a journey through a drafting office, a charity administration
+ office, and an accounting office. You may choose to apply any or all of these to your own environment.
+ </para>
+
+ <para>
+ Every assignment case can be implemented far more creatively, but remember that the solutions you
+ create are designed to demonstrate a particular solution possibility. With experience, you should
+ find much improved solutions compared with those presented here. By the time you complete this book,
+ you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your
+ way through the examples.
+ </para>
+
+</sect1>
+<sect1>
+ <title>Assignment Tasks</title>
+
+ <para>
+ Each case presented highlights different aspects of Windows networking for which a simple
+ Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases.
+ Each is briefly reviewed to cover points of highlight. In each example, instructions are based
+ on the assumption that the official Samba Team RPM package has been installed.
+ </para>
+
+ <para>
+ This chapter has three assignments built around ficticious companies:
+ </para>
+
+ <para>
+ <itemizedlist>
+ <listitem><para>A drafting office</para></listitem>
+ <listitem><para>A charity administration office</para></listitem>
+ <listitem><para>An accounting office</para></listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ Let's get started.
+ </para>
+
+ <sect2>
+ <title>Drafting Office</title>
+
+ <para>
+ Our fictitious company is called <emphasis>Abmas Design Inc.</emphasis> This is a three-person
+ computer-aided design (CAD) business that often has more work than can be handled. The
+ business owner hires contract draftspeople from wherever he can. They bring their own
+ notebook computers into the office. There are four permanent drafting machines. Abmas has a
+ collection of over 10 years of plans that must be available for all draftsmen to reference.
+ Abmas hires the services of an experienced network engineer to update the
+ plans that are stored on a central server one day per month. She knows how to upload
+ plans from each machine. The files available from the server must remain read-only.
+ Anyone should be able to access the plans at any time and without barriers or difficulty.
+ </para>
+
+ <para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ Mr. Bob Jordan has asked you to install the new server as economically as possible. The central
+ server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk
+ to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Linux 9.0 and
+ have upgraded Samba to version 3.0.2 using the RPM package that is provided from the Samba
+ <ulink url="http://www.samba.org">FTP</ulink> sites.
+ </para>
+
+ <para><indexterm>
+ <primary>consultant</primary>
+ </indexterm>
+ The four permanent drafting machines (Microsoft Windows workstations) have attached printers
+ and plotters that are shared on a peer-to-peer basis by any/all network users. The intent
+ is to continue to share printers in this manner. The three permanent staff work together with
+ all contractors to store all new work on one PC. A daily copy is made of the work storage
+ area to another PC for safekeeping. When the network consultant arrives, the weekly work
+ area is copied to the central server and the files are removed from the main weekly storage
+ machine. The office works best with this arrangement and does not want to change anything.
+ Old habits are too ingrained.
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>file server</primary>
+ <secondary>read-only</secondary>
+ </indexterm>
+ The requirements for this server installation demand simplicity. An anonymous read-only
+ file server adequately meets all needs. The network consultant determines how
+ to upload all files from the weekly storage area to the server. This installation should
+ focus only on critical aspects of the installation.
+ </para>
+
+ <para>
+ It is not necessary to have specific users on the server. The site has a method for storing
+ all design files (plans). Each plan is stored in a directory that is named YYYYWW<footnote>
+ This information is given purely as an example of how data may be stored in such a way that it
+ will be easy to locate records at a later date. The example is not meant to imply any instructions
+ that may be construed as essential to the design of the solution, this is something you will almost
+ certainly want to determine for yourself.</footnote>, where
+ YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored
+ by week of year to preserve the filing technique the site is familiar with.
+ There is another customer directory that is alphabetically listed. At the top level are 26
+ directories (A-Z), in each is a second level of directory for the first plus second letter of the name
+ (A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic
+ link to each design drawing/plan. This way of storing customer data files permits all
+ plans to be located both by customer name, as well as by the date the work was performed, without
+ demanding the disk space that would be needed if a duplicate file copy were to be stored.
+ The share containing the plans is called <emphasis>Plans</emphasis>.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Implementation</title>
+
+ <para>
+ It is assumed that the server is fully installed and ready for installation and
+ configuration of Samba 3.0.2 and any support files needed. All TCP/IP addresses
+ have been hard coded. In our case the IP address of the Samba server is
+ <constant>192.168.1.1</constant> and the netmask is <constant>255.255.255.0</constant>.
+ The host name of the server used was <constant>server</constant>.
+ </para>
+
+ <procedure>
+ <title>Samba Server Configuration</title>
+
+ <step><para>
+ Download the Samba-3 RPM packages for Red Hat Linux 9.0 from the Samba
+ <ulink url="http://www.samba.org">FTP servers.</ulink>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>RPM</primary>
+ <secondary>install</secondary>
+ </indexterm><indexterm>
+ <primary>package</primary>
+ </indexterm>
+ Install the RPM package as using either the Red Hat Linux preferred GUI
+ tool or using the <command>rpm</command>, as follows:
+<screen>
+&rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm
+</screen>
+ </para></step>
+
+ <step><para>
+ Create a mount point for the file system that will be used to store all data files.
+ You can create a directory called <filename>/plans</filename> as follows:
+<screen>
+&rootprompt; mkdir /plans
+&rootprompt; chmod 755 /plans
+</screen>
+ The 755 permissions on this directory (mount point) permit the owner to read, write
+ and execute, and the group and everyone else to read and execute only.
+ </para>
+
+ <para><indexterm>
+ <primary>file system</primary>
+ <secondary>Ext3</secondary>
+ </indexterm>
+ Use Red Hat Linux system tools (refer to Red Hat instructions for instructions)
+ to format the 160GB hard drive with a suitable file system. An Ext3 file system
+ is suitable. Configure this drive to automatically mount using the <filename>/plans</filename>
+ directory as the mount point.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="draft-smbconf"/> in the
+ <filename>/etc/samba</filename> directory.
+
+<smbconfexample id="draft-smbconf">
+<title>Drafting Office &smb.conf; File</title>
+<smbconfcomment>Global Parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
+<smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
+
+<smbconfsection>[Plans]</smbconfsection>
+<smbconfoption><name>path</name><value>/plans</value></smbconfoption>
+<smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+</smbconfexample>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm>
+ Verify that the <filename>/etc/hosts</filename> file contains the following entry:
+<screen>
+192.168.1.1 server
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>samba</primary>
+ <secondary>starting samba</secondary>
+ </indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and to configure it to restart
+ automatically at every system reboot. For example:
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; /etc/rc.d/init.d/smb restart
+</screen>
+ </para></step>
+
+ </procedure>
+
+ <procedure>
+ <title>Windows Client Configuration</title>
+
+ <step><para>
+ Make certain that all clients are set to the same network address range as
+ has been used for the Samba server. For example, one client might have an IP
+ address 192.168.1.10.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>netmask</primary>
+ </indexterm>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask. For example,
+ 255.255.255.0.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>workgroup</primary>
+ </indexterm>
+ Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
+ </para></step>
+
+ <step><para>
+ Verify on each client that the machine called <constant>SERVER</constant>
+ is visible in the <guimenu>Network Neighborhood</guimenu>, that it is
+ possible to connect to it and see the share <guimenuitem>Plans</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ <sect3 id="validate1">
+ <title>Validation</title>
+
+ <para><indexterm>
+ <primary>validation</primary>
+ </indexterm>
+ The first priority in validating the new Samba configuration should be to check
+ that Samba answers on the loop-back interface. Then it is time to check that Samba
+ answers its own name correctly. Last, check that a client can connect to the Samba
+ server.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ To check the ability to access the <command>smbd</command> daemon
+ services, execute the following:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+ Sharename Type Comment
+ --------- ---- -------
+ Plans Disk
+ IPC$ IPC IPC Service (Samba 3.0.2)
+ ADMIN$ IPC IPC Service (Samba 3.0.2)
+
+ Server Comment
+ --------- -------
+ SERVER Samba 3.0.2
+
+ Workgroup Master
+ --------- --------
+ MIDEARTH SERVER
+</screen>
+ <indexterm>
+ <primary>loopback</primary>
+ </indexterm><indexterm>
+ <primary>NULL connection</primary>
+ </indexterm>
+ This indicates that Samba is able to respond on the loopback interface to
+ a NULL connection. The <parameter>-U%</parameter> means send an empty
+ username and an empty password. This command should be repeated after
+ Samba has been running for 15 minutes.
+ </para></step>
+
+ <step><para>
+ Now verify that Samba correctly handles being passed a username
+ and password, and that it answers its own name. Execute the following:
+<screen>
+&rootprompt; smbclient -L server -Uroot%password
+</screen>
+ The output should be identical to the previous response. Samba has been
+ configured to ignore all usernames given; instead it uses the
+ <parameter>guest account</parameter> for all connections.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Windows Explorer</primary>
+ </indexterm><indexterm>
+ <primary>Network Neighborhood</primary>
+ </indexterm>
+ From the Windows 9x/Me client, launch Windows Explorer,
+ <menuchoice>
+ <guiicon>[Desktop: right-click] Network Neighborhood</guiicon>
+ <guimenu>Explore</guimenu>
+ <guimenuitem>[Left Panel] [+] Entire Network</guimenuitem>
+ <guimenuitem>[Left Panel] [+] Server</guimenuitem>
+ <guimenuitem>[Left Panel] [+] Plans</guimenuitem>
+ </menuchoice>. In the right panel you should see the files and directories
+ (folders) that are in the <guiicon>Plans</guiicon> share.
+ </para></step>
+ </procedure>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2>
+ <title>Charity Administration Office</title>
+
+ <para>
+ The fictitious charity organization is called <emphasis>Abmas Vision NL</emphasis>. This is an
+ office that has five networked computers. Staff are all volunteers with frequent staff changes.
+ Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to
+ use any PC. Only two Windows applications are used: a custom funds tracking and management package
+ that stores all files on the central server and Microsoft Word. The office prepares mail-out
+ letters, letters of invitation, and thank-you notes. All files must be stored in perpetuity.
+ The custom funds tracking and management software has been configured to use a server named
+ <constant>SERVER</constant>, a share named <constant>FTMFILES</constant>, and a printer queue
+ named <constant>PRINTQ</constant> that uses preprinted stationery, thus demanding a
+ dedicated printer. This printer does not need to be mapped to a local printer on the workstations.
+ </para>
+
+ <para><indexterm>
+ <primary>print queue</primary>
+ </indexterm><indexterm>
+ <primary>print spooler</primary>
+ </indexterm>
+ Printer handling in Samba results in a significant level of confusion. Samba presents to the
+ MS Windows client only a print queue. The Samba <command>smbd</command> process passes a
+ print job sent to it from the Windows client to the native UNIX printing system. The native
+ UNIX printing system (spooler) places the job in a print queue from which it is
+ delivered to the printer. In this book, network diagrams refer to a printer by the name
+ of the print queue that services that printer. It does not matter what the fully qualified
+ name (or the host name) of a network attached printer is. The UNIX print spooler is configured
+ to correctly deliver all jobs to the printer.
+ </para>
+
+ <para>
+ This organization has a policy forbidding use of privately owned computers on site as a measure
+ to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are
+ used on this network.
+ </para>
+
+ <para><indexterm>
+ <primary>SUSE Enterprise Linux Server</primary>
+ </indexterm>
+ The central server was donated by a local computer store. It is a dual processor Pentium-III
+ server, has 1GB RAM, a 3-Ware IDE RAID Controller that has 4 x 200GB IDE hard drives, and a
+ 100-base-T network card. The office has 100-base-T permanent network connections that go to
+ a central hub and all equipment is new. The five network computers all are equipped with Microsoft
+ Windows Me. Funding is limited, so the server has no operating system on it. You have approval
+ to install Samba on Linux, but just make sure it works without problems. There are two HP LaserJet
+ 5 PS printers that are network connected. The second printer is to be used for general
+ office and letter printing. Your recommendation to allow only the Linux server to print directly
+ to the printers was accepted. You have supplied SUSE Enterprise Linux Server version 8.0 and
+ have upgraded Samba to version 3.0.2.
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>force user</primary></indexterm><indexterm>
+ <primary>nt acl support</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm>
+ This installation demands simplicity. Frequent turn-over of volunteer staff would indicate that
+ a network environment that requires users to logon might be problematic. It is suggested that the
+ best solution for this office would be one where the user can log onto any PC with any username
+ and password. Samba can accommodate an office like this by using the <parameter>force user</parameter>
+ parameter in share and printer definitions. The use of the <parameter>force user</parameter>
+ ensures that all files are owned by same user identifier (UID) and thus ensures that there
+ will never be a problem with file access due to file access permissions. Additionally, you elect
+ to use the <parameter>nt acl support = No</parameter> option to ensure that no attempts can be
+ made to write access control lists (Posix type) to any file or directory. This prevents
+ an inadvertent ACL from overriding actual file permissions.
+ </para>
+
+ <para>
+ <indexterm><primary>SUID</primary></indexterm>
+ <indexterm><primary>SGID</primary></indexterm>
+ <indexterm><primary>security</primary><secondary>share mode</secondary></indexterm>
+ This organization is a prime candidate for Share Mode security. The <parameter>force user</parameter>
+ allows all files to be owned by the same user and group. In addition to this, it would not hurt to
+ set SUID and set SGID shared directories. This means that all new files that are created, no matter
+ who creates it, are owned by the owner or group of the directory in which they are created.
+ For further information regarding the significance of the SUID/SGID settings, see
+ <link linkend="ch12-SUIDSGID"/>.
+ </para>
+
+ <para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>printing</primary><secondary>raw</secondary></indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm>
+ All client workstations print to a print queue on the server. This ensures that print jobs
+ continue to print in the event that a user may shut down the workstation immediately after
+ sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing.
+ Older Linux systems offered a choice to use either the LPRng printing system, or CUPS. It appears, however,
+ that CUPS has now become the leading UNIX printing technology.
+ </para>
+
+ <para>
+ <indexterm><primary>print queue</primary></indexterm>
+ The print queues are set up as <constant>Raw</constant> devices, which means that CUPS will
+ not do intelligent print processing, and vendor supplied drivers be installed locally on the
+ Windows clients.
+ </para>
+
+ <para>
+ The hypothetical software (Funds Tracking and Management) referred to is representative of
+ custom-built software that directly uses a NetBIOS interface. Most such software originated in
+ the days of MS/PC DOS. NetBIOS names are upper-case (and functionally are case insensitive),
+ thus some old software applications would permit only upper-case names to be entered.
+ Some such applications were later ported to MS Windows but retain the upper-case network
+ resource naming conventions because customers are familiar with that. We made the decision
+ to name shares and print queues for this application in upper-case also for the same reason.
+ Nothing would break if you were to use lower-case names, but that decision might create a need
+ to re-educate staff &smbmdash; something well avoided at this time.
+ </para>
+
+ <para>
+ NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
+ print queue. The print spooling system is responsible for communicating with the physical
+ printer. In this example, therefore, the resource that is referred to as <constant>PRINTQ</constant>
+ really is just a print queue. The name of the print queue is held to be representative of
+ the device to which the print spooler delivers print jobs.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Implementation</title>
+
+ <para>
+ It is assumed that the server is fully installed and ready for configuration of
+ Samba 3.0.2 and for necessary support files. All TCP/IP addresses should be hard coded.
+ In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is
+ 255.255.255.0. The host name of the server used was <constant>server</constant>.
+ The office network is built as shown in <link linkend="charitynet"/>.
+ </para>
+
+<figure id="charitynet">
+ <title>Charity Administration Office Network</title>
+ <mediaobject>
+ <imageobject role="latex">
+ <imagedata fileref="guide/images/Charity-Network.png" scale="100" scalefit="1"/>
+ </imageobject>
+ <imageobject>
+ <imagedata fileref="guide/images/Charity-Network.png" scale="100" scalefit="1"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+ <procedure>
+ <title>Samba Server Configuration</title>
+
+ <step><para><indexterm>
+ <primary>groupadd</primary>
+ </indexterm>
+ Create a group account for office file storage as follows:
+<screen>
+&rootprompt; groupadd office
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>useradd</primary>
+ </indexterm><indexterm>
+ <primary>passwd</primary>
+ </indexterm>
+ Create a user account for office file storage as follows:
+<screen>
+&rootprompt; useradd -m abmas
+&rootprompt; passwd abmas
+Changing password for abmas.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+</screen>
+ where XXXXXXXX is a secret password.
+ </para></step>
+
+ <step><para>
+ Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
+ drives as a single RAID level 5 drive, with one drive set aside as the hot spare.
+ (Refer to the 3-Ware RAID Controller Manual for the manufacturers' preferred procedure.)
+ The resulting drive has a capacity of approximately 500GB of usable space.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>permissions</primary>
+ </indexterm>
+ Create a mount point for the file system that can be used to store all data files.
+ Create a directory called <filename>/data</filename> as follows:
+<screen>
+&rootprompt; mkdir /data
+&rootprompt; chmod 755 /data
+</screen>
+ The 755 permissions on this directory (mount point) permit the owner to read, write and execute,
+ and the group and everyone else to read and execute only.
+ </para></step>
+
+ <step><para>
+ Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
+ procedures) to format the partition with a suitable file system. The reiserfs file system
+ is suitable. Configure this drive to automount using the <filename>/data</filename>
+ directory as the mount point. It must be mounted before proceeding.
+ </para></step>
+
+ <step><para>
+ Under the directory called <filename>/data</filename> create two directories
+ named <filename>ftmfiles</filename> and <filename>officefiles</filename>, and set
+ ownership and permissions as follows:
+<screen>
+&rootprompt; mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
+&rootprompt; chown -R abmas.office /data
+&rootprompt; chmod -R ug+rwxs,o-w,o+rx /data
+</screen>
+ These demonstrate compound operations. The <command>mkdir</command> command
+ creates in one step these directories:
+<programlisting>
+/data/fmtfiles
+/data/officefiles
+/data/officefiles/letters
+/data/officefiles/invitations
+/data/officefiles/misc
+</programlisting>
+ The <command>chown</command> operation sets the owner to the user <constant>abmas</constant>
+ and the group to <constant>office</constant> on all directories just created. And
+ the <command>chmod</command> operation recursively sets the permissions so that
+ the owner and group have SUID/SGID with read/write/execute permission, and everyone else has
+ read and execute permission. This means that all files and directories are created
+ with the same owner and group as the directory in which they are created. Any new
+ directories created still have the same owner, group, and permissions as the
+ directory they are in. This should eliminate all permissions-based file access problems.
+ For more information on this subject, refer to <emphasis>TOSHARG</emphasis>, Chapter 13, <emphasis>File, Directory
+ and Share Access Controls</emphasis>, or refer to the UNIX man page for the
+ <command>chmod</command> and the <command>chown</command> commands.
+
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="charity-smbconf"/> in the
+ <filename>/etc/samba</filename> directory.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>smbd</primary></indexterm>
+ We must ensure that the <command>smbd</command> can resolve the name of the Samba
+ server to its IP address. Verify that the <filename>/etc/hosts</filename> file
+ contains the following entry:
+<screen>
+192.168.1.1 server
+</screen>
+ </para></step>
+
+ <step><para>
+ Configure the printers with the IP address as shown in <link linkend="charitynet"/>.
+ Follow the instructions in the manufacturers' manual to permit printing to port 9100,
+ so that the CUPS spooler can print using raw mode protocols.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
+&rootprompt; lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
+</screen>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm><indexterm>
+ <primary>/etc/cups/mime.convs</primary>
+ </indexterm><indexterm>
+ <primary>application/octet-stream</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/cups/mime.types</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting
+ CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="charity-smbconf">
+<title>Charity Administration Office &smb.conf; File</title>
+<smbconfcomment>Global Parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption>
+<smbconfoption><name>security</name><value>SHARE</value></smbconfoption>
+<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>yes</value></smbconfoption>
+
+<smbconfsection>[FTMFILES]</smbconfsection>
+<smbconfoption><name>comment</name><value>Funds Tracking &amp; Management Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/ftmfiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>force user</name><value>abmas</value></smbconfoption>
+<smbconfoption><name>force group</name><value>office</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption>
+
+<smbconfsection>[office]</smbconfsection>
+<smbconfoption><name>comment</name><value>General Office Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/officefiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>force user</name><value>abmas</value></smbconfoption>
+<smbconfoption><name>force group</name><value>office</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+ <procedure>
+ <title>Windows Client Configuration</title>
+
+ <step><para>
+ Configure clients to the network settings shown in <link linkend="charitynet"/>.
+ </para></step>
+
+ <step><para>
+ Ensure that the netmask used on the Windows clients matches that used
+ for the Samba server. All clients must have the same netmask. For example,
+ <constant>255.255.255.0</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>WINS</primary></indexterm>
+ On all Windows clients, set the WINS Server address to <constant>192.168.1.1</constant>,
+ the IP address of the server.
+ </para></step>
+
+ <step><para>
+ Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
+ </para></step>
+
+ <step><para><indexterm>
+ <secondary>logon</secondary>
+ </indexterm>
+ Install the <quote>Client for Microsoft Networks.</quote> Ensure that the only option
+ enabled in its properties is the option <quote>Logon and restore network connections.</quote>
+ </para></step>
+
+ <step><para>
+ Click <guibutton>OK</guibutton> when you are prompted to reboot the system. Reboot the
+ system, then logon using any user name and password you choose.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>My Network Places</primary>
+ </indexterm>
+ Verify on each client that the machine called <constant>SERVER</constant>
+ is visible in <guimenu>My Network Places</guimenu>, that it is
+ possible to connect to it and see the share <guimenuitem>office</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>password caching</primary>
+ </indexterm><indexterm>
+ <primary>regedit</primary>
+ </indexterm>
+ Disable password caching on all Windows 9x/Me machines using the registry change file
+ shown in <link linkend="MEreg"/>. Be sure to remove all files that have the
+ <filename>PWL</filename> extension that are in the <filename>C:\WINDOWS</filename>
+ directory.
+<example id="MEreg">
+<title>Windows Me &smbmdash; Registry Edit File: Disable Password Caching</title>
+<screen>
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
+ Windows\CurrrentVersion\Policies\Network]
+ "DisablePwdCaching"=dword:00000001
+</screen>
+</example>
+ The best way to apply this is to save the patch in a file called
+ <filename>ME-dpwc.reg</filename> and then execute:
+<screen>
+C:\WINDOWS: regedit ME-dpwc.reg
+</screen>
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using a name of their own
+ choosing, with a password of their own choosing. The Samba server has been
+ configured to ignore the username and password given.
+ </para></step>
+
+ <step><para>
+ On each Windows Me workstation, configure a network drive mapping to drive <filename>G:</filename>
+ that redirects to the uniform naming convention (UNC) resource
+ <filename>\\server\officefiles</filename>. Make this a permanent drive connection as follows:
+ <procedure>
+ <step><para>
+ <menuchoice>
+ <guimenu>(Right-click) My Network</guimenu>
+ <guimenuitem>Map Network Drive...</guimenuitem>
+ </menuchoice>
+ </para></step>
+
+ <step><para>
+ In the box labeled <quote>Drive:</quote>, type G.
+ </para></step>
+
+ <step><para>
+ In the box labeled <quote>Path:</quote>, enter
+ <filename>\\server\officefiles</filename>.
+ </para></step>
+
+ <step><para>
+ Click <guimenuitem>Reconnect at logon</guimenuitem>.
+ Click <guibutton>OK</guibutton>.
+ </para></step>
+
+ </procedure>
+ </para></step>
+
+ <step><para>
+ On each workstation, install the Funds Tracking and Management software following the
+ manufacturer's instructions.
+ <procedure>
+ <step><para>
+ During installation, you are prompted for the name of the Windows 98
+ server. Enter the name <constant>SERVER</constant>.
+ </para></step>
+ <step><para>
+ You are prompted for the name of the data share.
+ The prompt defaults to <constant>FTMFILES</constant>. Press enter to accept the default value.
+ </para></step>
+ <step><para>
+ You are now prompted for the print queue name. The default prompt is the name of
+ the server you entered (<constant>SERVER</constant> as follows:
+ <constant>\\SERVER\PRINTQ</constant>). Simply accept the default and press enter to
+ continue. The software now completes the installation.
+ </para></step>
+ </procedure>
+ </para></step>
+
+ <step><para>
+ Install an office automation software package of the customer's choice. Either Microsoft
+ Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may
+ need to perform. Repeat this on each workstation.
+ </para></step>
+
+ <step><para>
+ Install a printer on each using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 5/5M Postscript</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 5/5M Postscript</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\SERVER\hplj5</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ It is a good idea to test the functionality of the complete installation before
+ handing the newly configured network over to the Charity Administration Office
+ for production use.
+ </para></step>
+
+ </procedure>
+
+ </para></step>
+
+ </procedure>
+
+ </sect3>
+
+ <sect3>
+ <title>Validation</title>
+
+ <para>
+ Use the same validation process as was followed in <link linkend="validate1"/>.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="AccountingOffice">
+ <title>Accounting Office</title>
+
+ <para>
+ The office of Abmas Accounting Inc. is a 40-year-old family-run business. There are nine permanent
+ computer users. The network clients were upgraded two years ago. All computers run Windows 2000
+ Professional. This year the server will be upgraded from an old Windows NT4 server (actually
+ running Windows NT4 Workstation, which worked fine as there were fewer than 10 users) that has
+ run in workgroup (Stand-Alone) mode, to a new Linux server running Samba.
+ </para>
+
+ <para>
+ The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional
+ clients running as workgroup machines so that any staff member can take a machine home and keep
+ working. It has worked well so far and your task is to replace the old server. All users have
+ their own workstation logon (you configured it that way when the machines were installed).
+ Mr. Meany wants the new system to operate the same way as the old Windows NT4 server &smbmdash; users
+ cannot access each others' files, but he can access everyone's files. Each person's work files are
+ in a separate share on the server. Users logon to their Windows workstation with their username
+ and enter an assigned password; they do not need to enter a password when accessing their files
+ on the server.
+ </para>
+
+ <para><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ The new server will run Red Hat Linux 9.0. You should install Samba-3.0.2 and
+ copy all files off the old system to the new one. The existing Windows NT4 server has a parallel
+ port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each
+ workstation. You must not change anything on the workstations. Mr. Meany gave instructions to
+ replace the server <quote>but leave everything else alone to avoid staff unrest.</quote>
+ </para>
+
+ <para>
+ You have tried to educate Mr. Meany and found that he has no interest to understand networking.
+ He believes that Windows for Workgroups 3.11 was <quote>the best server Microsoft ever sold
+ </quote> and that Windows NT and 2000 are <quote>too fang-dangled complex!</quote>
+ </para>
+
+ <sect3>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>security</primary><secondary>user mode</secondary></indexterm>
+ The requirements of this network installation are not unusual. The staff are not interested in the
+ details of networking. Passwords are never changed. In this example solution, we demonstrate the use
+ of User Mode security in a simple context. Directories should be set SGID to ensure that members
+ of a common group can access the contents. Each user has his or her own share to which only they
+ can connect. Mr. Meany's share will be a top level directory above the share point for each employee.
+ Mr. Meany is a member of the same group as his staff and is able to access their work files.
+ The well used HP LaserJet 4 is available as a service called <constant>hplj</constant>.
+ </para>
+
+ <para>
+ You have finished configuring the new hardware and have just completed installation of Red Hat Linux
+ 9.0. Roll up your sleeves and let's get to work.
+ </para>
+
+ </sect3>
+
+ <sect3 id="AcctgNet">
+ <title>Implementation</title>
+
+ <para>
+ The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it
+ cannot be running as a WINS server. It is best that the new configuration preserves the same
+ configuration. The office does not use Internet access, so security really is not an issue.
+ </para>
+
+ <para>
+ The core information regarding the users, their passwords, the directory share point, and the
+ share name is given in <link linkend="acctingnet"/>. The overall network topology is shown in
+ <link linkend="acctingnet2"/>. All machines have been configured as indicated prior to the
+ start of Samba configuration. The following prescriptive steps may now commence.
+ </para>
+
+ <figure id="acctingnet2">
+ <title>Accounting Office Network Topology</title>
+ <mediaobject>
+ <imageobject role="latex">
+ <imagedata fileref="guide/images/AccountingNetwork.png" scale="100" scalefit="1"/>
+ </imageobject>
+ <imageobject>
+ <imagedata fileref="guide/images/AccountingNetwork.png" scale="100" scalefit="1"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
+
+ <table id="acctingnet">
+ <title>Accounting Office Network Information</title>
+ <tgroup cols="6">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>User</entry>
+ <entry>Login-ID</entry>
+ <entry>Password</entry>
+ <entry>Share Name</entry>
+ <entry>Directory</entry>
+ <entry>Wkst</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Alan Meany</entry>
+ <entry>alan</entry>
+ <entry>alm1961</entry>
+ <entry>alan</entry>
+ <entry>/data</entry>
+ <entry>PC1</entry>
+ </row>
+ <row>
+ <entry>James Meany</entry>
+ <entry>james</entry>
+ <entry>jimm1962</entry>
+ <entry>james</entry>
+ <entry>/data/james</entry>
+ <entry>PC2</entry>
+ </row>
+ <row>
+ <entry>Jeannie Meany</entry>
+ <entry>jeannie</entry>
+ <entry>jema1965</entry>
+ <entry>jeannie</entry>
+ <entry>/data/jeannie</entry>
+ <entry>PC3</entry>
+ </row>
+ <row>
+ <entry>Suzy Millicent</entry>
+ <entry>suzy</entry>
+ <entry>suzy1967</entry>
+ <entry>suzy</entry>
+ <entry>/data/suzy</entry>
+ <entry>PC4</entry>
+ </row>
+ <row>
+ <entry>Ursula Jenning</entry>
+ <entry>ujen</entry>
+ <entry>ujen1974</entry>
+ <entry>ursula</entry>
+ <entry>/data/ursula</entry>
+ <entry>PC5</entry>
+ </row>
+ <row>
+ <entry>Peter Pan</entry>
+ <entry>peter</entry>
+ <entry>pete1984</entry>
+ <entry>peter</entry>
+ <entry>/data/peter</entry>
+ <entry>PC6</entry>
+ </row>
+ <row>
+ <entry>Dale Roland</entry>
+ <entry>dale</entry>
+ <entry>dale1986</entry>
+ <entry>dale</entry>
+ <entry>/data/dale</entry>
+ <entry>PC7</entry>
+ </row>
+ <row>
+ <entry>Bertrand E Paoletti</entry>
+ <entry>eric</entry>
+ <entry>eric1993</entry>
+ <entry>eric</entry>
+ <entry>/data/eric</entry>
+ <entry>PC8</entry>
+ </row>
+ <row>
+ <entry>Russell Lewis</entry>
+ <entry>russ</entry>
+ <entry>russ2001</entry>
+ <entry>russell</entry>
+ <entry>/data/russell</entry>
+ <entry>PC9</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+<?latex \newpage ?>
+
+ <procedure>
+ <title>Migration from Windows NT4 Workstation System to Samba-3</title>
+
+ <step><para><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Rename the old server from <constant>CASHPOOL</constant> to <constant>STABLE</constant>
+ by logging onto the console as the <constant>Administrator</constant>. Restart the machine
+ following system prompts.
+ </para></step>
+
+ <step><para>
+ Name the new server <constant>CASHPOOL</constant> using the standard configuration method.
+ Restart the machine following system prompts.
+ </para></step>
+
+ <step><para>
+ Install the latest Samba-3 binary Red Hat Linux RPM that is available from the
+ Samba FTP site.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>group account</primary>
+ </indexterm><indexterm>
+ <primary>groupadd</primary>
+ </indexterm>
+ Add a group account for the office to use. Execute the following:
+<screen>
+&rootprompt; groupadd accts
+</screen>
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown<footnote>This example makes use of the
+ <parameter>smbpasswd</parameter> file. It does so in an obtuse way since the use of
+ the <parameter>passdb backend</parameter> has not been specified in the &smb.conf;
+ file. This means that you are depending on correct default behavior.</footnote>
+ in <link linkend="acctconf"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>useradd</primary>
+ </indexterm><indexterm>
+ <primary>passwd</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ For each user who uses this system (see <link linkend="acctingnet"/>),
+ execute the following:
+<screen>
+&rootprompt; useradd -m -G accts -c "Name of User" "LoginID"
+&rootprompt; passwd "LoginID"
+Changing password for user "LoginID"
+New Password: XXXXXXXXX &lt;-- the password from the table
+Retype new password: XXXXXXXXX
+&rootprompt; smbpasswd -a "LoginID"
+New SMB password: XXXXXXXXX &lt;-- the password from the table
+Retype new SMB password: XXXXXXXXX
+Added user "LoginID"
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>data storage</primary>
+ </indexterm>
+ Create the directory structure for the file shares by executing the following:
+<screen>
+&rootprompt; mkdir -p /data
+&rootprompt; chown alan /data
+&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
+> do
+> mkdir -p /data/$i
+> chown $i /data/$i
+> done
+&rootprompt; chgrp -R accts /data
+&rootprompt; chmod -R ug+rwxs,o-r+x /data
+</screen>
+ The data storage structure is now prepared for use.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p hplj -v parallel:/dev/lp0 -E
+</screen>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime types</primary></indexterm><indexterm>
+ <primary>/etc/cups/mime.convs</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/cups/mime.types</primary>
+ </indexterm><indexterm>
+ <primary>application/octet-stream</primary>
+ </indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ Use the standard system tool to start Samba and CUPS to configure them to restart
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting
+ CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ <step><para>
+ On Alan's workstation, use Windows explorer to migrate the files from the old server
+ to the new server. The new server should appear in the <guimenu>Network Neighborhood</guimenu>
+ with the name of the old server (<constant>CASHPOOL</constant>).
+
+ <procedure>
+
+ <step><para>
+ Logon to Alan's workstation as the user <constant>alan</constant>.
+ </para></step>
+
+ <step><para>
+ Launch a second instance of Windows explorer and navigate to the share called
+ <guiicon>files</guiicon> on the server called <guimenu>STABLE</guimenu>.
+ </para></step>
+
+ <step><para>
+ Click in the right panel, and press <guimenu>Ctrl-A</guimenu> to select all files and
+ directories. Press <guimenu>Ctrl-C</guimenu> to instruct Windows that you wish to
+ copy all selected items.
+ </para></step>
+
+ <step><para>
+ Launch the Windows explorer, and navigate to the share called <guiicon>files</guiicon>
+ on the server called <guimenu>CASHPOOL</guimenu>. Click in the right panel, and then press
+ <guimenu>Ctrl-V</guimenu> to commence the copying process.
+ </para></step>
+
+ </procedure>
+ </para></step>
+
+ <step><para>
+ Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server.
+ This is best done on the Samba-3 server. Check the contents of the directory tree under
+ <filename>/data</filename>. This can be done by executing the following command:
+<screen>
+&rootprompt; ls -aR /data
+</screen>
+ Make certain to check the ownership and permissions on all files. If in doubt, execute the following:
+<screen>
+&rootprompt; chown alan /data
+&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
+> do
+> chown $i /data/$i
+> done
+&rootprompt; chgrp -R accts /data
+&rootprompt; chmod -R ug+rwxs,o-r+x /data
+</screen>
+ </para></step>
+
+ <step><para>
+ The migration of all data should now be complete. It is time to validate the installation.
+ For this, you should make sure all applications, including printing, work before asking the
+ customer to test drive the new network.
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="acctconf">
+<title>Accounting Office Network &smb.conf; File</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>BILLMORE</value></smbconfoption>
+<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+
+<smbconfsection>[files]</smbconfsection>
+<smbconfoption><name>comment</name><value>Work area files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/%U</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[master]</smbconfsection>
+<smbconfoption><name>comment</name><value>Master work area files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>alan</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+ </sect3>
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ The following questions and answers draw from the examples in this chapter.
+ Many design decisions are impacted by the configurations chosen. The intent
+ is to expose some of the hidden implications.
+ </para>
+
+ <qandaset defaultlabel="chap02qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What makes an anonymous Samba server more simple than an non-anonymous Samba server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In the anonymous server, the only account used is the <constant>guest</constant> account.
+ In a non-anonymous configuration, it is necessary to add real user accounts to both the
+ UNIX system and to the Samba configuration. Non-anonymous servers require additional
+ administration.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How is the operation of the parameter <parameter>force user</parameter> different from
+ setting the root directory of the share SUID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The parameter <parameter>force user</parameter> causes all operations on the share to assume the UID
+ of the forced user. The new default GID that applies is the primary GID of the forced user.
+ This gives all users of this resource the actual privilege of the forced user.
+ </para>
+
+ <para>
+ When a directory is set SUID, the operating system forces files that are written within it
+ to be owned by the owner of the directory. While this happens, the user who is using the share
+ has only the level of privilege he or she is assigned within the operating system context.
+ </para>
+
+ <para>
+ The parameter <parameter>force user</parameter> has potential security implications that go
+ beyond the actual share root directory. Be careful and wary of using this parameter.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When would you use both the per share parameter <parameter>force user</parameter> as well
+ as setting the share root directory SUID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ You would use both parameters when it is necessary to guarantee that all share handling operations
+ are conducted as the forced user, while all file and directory creation are done as the SUID
+ directory owner.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is better about CUPS printing than LPRng printing?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ CUPS is a print spooling system that has integrated remote management facilities, provides completely
+ automated print processing/preprocessing, and has the potential to be configured to automatically
+ apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the
+ target printer. CUPS includes an image file RIP that supports printing of image files to
+ non-PostScript printers. CUPS has lots of bells and whistles and is more like a super-charged MS Windows
+ NT/200x print monitor and processor. Its complexity can be eliminated or turbo-charged to suit
+ any fancy.
+ </para>
+
+ <para>
+ The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print
+ spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng is capable
+ of being configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd
+ spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
+ </para>
+
+ <para>
+ Which is better is a matter of personal taste. It depends on what you want to do and how you want to
+ do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When should Windows client IP addresses be hard coded?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ When there are few MS Windows clients, little client change, no mobile users, and users are not
+ inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows
+ client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove
+ user ability to access network configuration controls, fixed configuration eliminates the need
+ for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network
+ failure.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Under what circumstances would it be best to use a DHCP server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In network configurations where there are mobile users, or where Windows client PCs move around
+ (particularly between offices or between subnets), it makes complete sense to control all Windows
+ client configurations using a DHCP server. Additionally, when users do tamper with the network
+ settings, the use of DHCP can be used to normalize all client settings.
+ </para>
+
+ <para>
+ One of the least appreciated benefits of using a DHCP server to assign all network client
+ device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
+ settings, change network addressing, or enhance the ability of client devices to
+ benefit from new network services.
+ </para>
+
+ <para>
+ Another benefit of modern DHCP servers is the ability of the DHCP server to register dynamically
+ assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in
+ a large Windows network environment.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the purpose of setting the parameter <parameter>guest ok</parameter> on a share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ If this parameter is yes for a service, then no password is required to connect to the service.
+ Privileges are those of the guest account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When would you set the global parameter <parameter>disable spoolss</parameter>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Setting this parameter to <constant>Yes</constant> disables Samba's support for the SPOOLSS set of
+ MS-RPC's and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to
+ using LanMan style printing commands. Windows 9x/ME are unaffected by the parameter. However, this
+ disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer
+ Wizard or by using the NT printer properties dialog window. It also disables the capability of
+ Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about
+ setting this parameter.
+ </para>
+
+ <para>
+ The alternate parameter <parameter>use client driver</parameter> applies only to Windows NT/200x clients. It has no
+ effect on Windows 95/98/ME clients. When serving a printer to Windows NT/200x clients without first installing a valid
+ printer driver on the Samba host, the client is required to install a local printer driver. From this point on,
+ the client treats the printer as a local printer and not a network printer connection. This is much the same behavior
+ that occurs when <parameter>disable spoolss = yes</parameter>.
+ </para>
+
+ <para>
+ Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client
+ considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated
+ with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often
+ the case), the OpenPrinterEx() call fails. The result is that the client now displays an "Access Denied; Unable
+ to connect" message in the printer queue window (even though jobs may be printed successfully). This parameter MUST
+ not be enabled on a print share that has valid print driver installed on the Samba server.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why would you disable password caching on Windows 9x/Me clients?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Windows 9x/Me workstations that are set at default (password caching enabled) store the username and
+ password in files located in the Windows master directory. Such files can be scavenged (read off a client
+ machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed.
+ It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The example of Abmas Accounting Inc. uses User Mode security. How does this provide anonymous access?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional,
+ and given that users are logging onto their machines, by default the client attempts to connect to
+ a remote server using currently logged in user credentials. By ensuring that the user's login ID and
+ password is the same as those set on the Samba server, access is transparent and does not require
+ separate user authentication.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+