author: Jelmer Vernooij <jelmer@samba.org>, 2004-04-07 10:15:11 +0000
committer: Gerald W. Carter <jerry@samba.org>, 2008-04-23 08:45:43 -0500
commit: 992f1e6b8f86b346fddd266b04d29cde69585633
tree: 878573999a6831aa14cd6b8072263eb5d5910aa4 /docs/guide/Chap02-SimpleOfficeServer.xml
parent: 65c0fd59203a3d9c4cb685e3a739f29f6f0c4fd6
Add all the source files from the old CVS tree,
add the 5 missing chapters from the HOWTO
and add jht's Samba by Example book.
(This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
Diffstat (limited to 'docs/guide/Chap02-SimpleOfficeServer.xml')
-rw-r--r-- | docs/guide/Chap02-SimpleOfficeServer.xml | 1604 |
1 files changed, 1604 insertions, 0 deletions
diff --git a/docs/guide/Chap02-SimpleOfficeServer.xml b/docs/guide/Chap02-SimpleOfficeServer.xml new file mode 100644 index 0000000000..52e27bd6ce --- /dev/null +++ b/docs/guide/Chap02-SimpleOfficeServer.xml 
@@ -0,0 +1,1604 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + + <!-- Stuff for xincludes --> + <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd"> + %xinclude; + + <!-- entities files to use --> + <!ENTITY % global_entities SYSTEM '../entities/global.entities'> + %global_entities; + +]> + +<chapter id="simple"> + <title>No Frills Samba Servers</title> + + <para> + Congratulations, you managed to get past the opening chapter. To some, this is where the interesting + exercises begin. This is the start of the real journey toward the Samba deployment of a lifetime. + </para> + +<sect1> + <title>Introduction</title> + + <para> + This chapter lays the groundwork for understanding the basics of Samba operation. + Instead of a bland technical discussion, each principle is demonstrated by way of a + real-world scenario for which a working solution<footnote>The examples given mirror those documented + in TOSHARG Chapter 2, Section 2.3.1. You may gain additional insight from the Stand-alone server + configurations covered in TOSHARG sections 2.3.1.2 through 2.3.1.4. + </footnote> is fully described. + </para> + + <para> + The practical exercises take you on a journey through a drafting office, a charity administration + office, and an accounting office. You may choose to apply any or all of these to your own environment. + </para> + + <para> + Every assignment case can be implemented far more creatively, but remember that the solutions you + create are designed to demonstrate a particular solution possibility. With experience, you should + find much improved solutions compared with those presented here. By the time you complete this book, + you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your + way through the examples. 
+ </para> + +</sect1> +<sect1> + <title>Assignment Tasks</title> + + <para> + Each case presented highlights different aspects of Windows networking for which a simple + Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases. + Each is briefly reviewed to cover points of highlight. In each example, instructions are based + on the assumption that the official Samba Team RPM package has been installed. + </para> + + <para> + This chapter has three assignments built around ficticious companies: + </para> + + <para> + <itemizedlist> + <listitem><para>A drafting office</para></listitem> + <listitem><para>A charity administration office</para></listitem> + <listitem><para>An accounting office</para></listitem> + </itemizedlist> + </para> + + <para> + Let's get started. + </para> + + <sect2> + <title>Drafting Office</title> + + <para> + Our fictitious company is called <emphasis>Abmas Design Inc.</emphasis> This is a three-person + computer-aided design (CAD) business that often has more work than can be handled. The + business owner hires contract draftspeople from wherever he can. They bring their own + notebook computers into the office. There are four permanent drafting machines. Abmas has a + collection of over 10 years of plans that must be available for all draftsmen to reference. + Abmas hires the services of an experienced network engineer to update the + plans that are stored on a central server one day per month. She knows how to upload + plans from each machine. The files available from the server must remain read-only. + Anyone should be able to access the plans at any time and without barriers or difficulty. + </para> + + <para><indexterm> + <primary>Red Hat Linux</primary> + </indexterm> + Mr. Bob Jordan has asked you to install the new server as economically as possible. 
The central + server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk + to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Linux 9.0 and + have upgraded Samba to version 3.0.2 using the RPM package that is provided from the Samba + <ulink url="http://www.samba.org">FTP</ulink> sites. + </para> + + <para><indexterm> + <primary>consultant</primary> + </indexterm> + The four permanent drafting machines (Microsoft Windows workstations) have attached printers + and plotters that are shared on a peer-to-peer basis by any/all network users. The intent + is to continue to share printers in this manner. The three permanent staff work together with + all contractors to store all new work on one PC. A daily copy is made of the work storage + area to another PC for safekeeping. When the network consultant arrives, the weekly work + area is copied to the central server and the files are removed from the main weekly storage + machine. The office works best with this arrangement and does not want to change anything. + Old habits are too ingrained. + </para> + + <sect3> + <title>Dissection and Discussion</title> + + <para><indexterm> + <primary>file server</primary> + <secondary>read-only</secondary> + </indexterm> + The requirements for this server installation demand simplicity. An anonymous read-only + file server adequately meets all needs. The network consultant determines how + to upload all files from the weekly storage area to the server. This installation should + focus only on critical aspects of the installation. + </para> + + <para> + It is not necessary to have specific users on the server. The site has a method for storing + all design files (plans). Each plan is stored in a directory that is named YYYYWW<footnote> + This information is given purely as an example of how data may be stored in such a way that it + will be easy to locate records at a later date. 
The example is not meant to imply any instructions + that may be construed as essential to the design of the solution, this is something you will almost + certainly want to determine for yourself.</footnote>, where + YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored + by week of year to preserve the filing technique the site is familiar with. + There is another customer directory that is alphabetically listed. At the top level are 26 + directories (A-Z), in each is a second level of directory for the first plus second letter of the name + (A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic + link to each design drawing/plan. This way of storing customer data files permits all + plans to be located both by customer name, as well as by the date the work was performed, without + demanding the disk space that would be needed if a duplicate file copy were to be stored. + The share containing the plans is called <emphasis>Plans</emphasis>. + </para> + + </sect3> + + <sect3> + <title>Implementation</title> + + <para> + It is assumed that the server is fully installed and ready for installation and + configuration of Samba 3.0.2 and any support files needed. All TCP/IP addresses + have been hard coded. In our case the IP address of the Samba server is + <constant>192.168.1.1</constant> and the netmask is <constant>255.255.255.0</constant>. + The host name of the server used was <constant>server</constant>. 
+ </para> + + <procedure> + <title>Samba Server Configuration</title> + + <step><para> + Download the Samba-3 RPM packages for Red Hat Linux 9.0 from the Samba + <ulink url="http://www.samba.org">FTP servers.</ulink> + </para></step> + + <step><para><indexterm> + <primary>RPM</primary> + <secondary>install</secondary> + </indexterm><indexterm> + <primary>package</primary> + </indexterm> + Install the RPM package as using either the Red Hat Linux preferred GUI + tool or using the <command>rpm</command>, as follows: +<screen> +&rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm +</screen> + </para></step> + + <step><para> + Create a mount point for the file system that will be used to store all data files. + You can create a directory called <filename>/plans</filename> as follows: +<screen> +&rootprompt; mkdir /plans +&rootprompt; chmod 755 /plans +</screen> + The 755 permissions on this directory (mount point) permit the owner to read, write + and execute, and the group and everyone else to read and execute only. + </para> + + <para><indexterm> + <primary>file system</primary> + <secondary>Ext3</secondary> + </indexterm> + Use Red Hat Linux system tools (refer to Red Hat instructions for instructions) + to format the 160GB hard drive with a suitable file system. An Ext3 file system + is suitable. Configure this drive to automatically mount using the <filename>/plans</filename> + directory as the mount point. + </para></step> + + <step><para> + Install the &smb.conf; file shown in <link linkend="draft-smbconf"/> in the + <filename>/etc/samba</filename> directory. 
+ +<smbconfexample id="draft-smbconf"> +<title>Drafting Office &smb.conf; File</title> +<smbconfcomment>Global Parameters</smbconfcomment> +<smbconfsection>[global]</smbconfsection> +<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption> +<smbconfoption><name>security</name><value>SHARE</value></smbconfoption> + +<smbconfsection>[Plans]</smbconfsection> +<smbconfoption><name>path</name><value>/plans</value></smbconfoption> +<smbconfoption><name>read only</name><value>Yes</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +</smbconfexample> + </para></step> + + <step><para><indexterm> + <primary>/etc/hosts</primary> + </indexterm> + Verify that the <filename>/etc/hosts</filename> file contains the following entry: +<screen> +192.168.1.1 server +</screen> + </para></step> + + <step><para><indexterm> + <primary>samba</primary> + <secondary>starting samba</secondary> + </indexterm><indexterm> + <primary>chkconfig</primary> + </indexterm> + <indexterm><primary>starting samba</primary></indexterm> + Use the standard system tool to start Samba and to configure it to restart + automatically at every system reboot. For example: +<screen> +&rootprompt; chkconfig smb on +&rootprompt; /etc/rc.d/init.d/smb restart +</screen> + </para></step> + + </procedure> + + <procedure> + <title>Windows Client Configuration</title> + + <step><para> + Make certain that all clients are set to the same network address range as + has been used for the Samba server. For example, one client might have an IP + address 192.168.1.10. + </para></step> + + <step><para><indexterm> + <primary>netmask</primary> + </indexterm> + Ensure that the netmask used on the Windows clients matches that used + for the Samba server. All clients must have the same netmask. For example, + 255.255.255.0. 
+ </para></step> + + <step><para><indexterm> + <primary>workgroup</primary> + </indexterm> + Set the workgroup name on all clients to <constant>MIDEARTH</constant>. + </para></step> + + <step><para> + Verify on each client that the machine called <constant>SERVER</constant> + is visible in the <guimenu>Network Neighborhood</guimenu>, that it is + possible to connect to it and see the share <guimenuitem>Plans</guimenuitem>, + and that it is possible to open that share to reveal its contents. + </para></step> + + </procedure> + + </sect3> + + <sect3 id="validate1"> + <title>Validation</title> + + <para><indexterm> + <primary>validation</primary> + </indexterm> + The first priority in validating the new Samba configuration should be to check + that Samba answers on the loop-back interface. Then it is time to check that Samba + answers its own name correctly. Last, check that a client can connect to the Samba + server. + </para> + + <procedure> + <step><para><indexterm> + <primary>smbd</primary> + </indexterm><indexterm> + <primary>daemon</primary> + </indexterm><indexterm> + <primary>smbclient</primary> + </indexterm> + To check the ability to access the <command>smbd</command> daemon + services, execute the following: +<screen> +&rootprompt; smbclient -L localhost -U% + Sharename Type Comment + --------- ---- ------- + Plans Disk + IPC$ IPC IPC Service (Samba 3.0.2) + ADMIN$ IPC IPC Service (Samba 3.0.2) + + Server Comment + --------- ------- + SERVER Samba 3.0.2 + + Workgroup Master + --------- -------- + MIDEARTH SERVER +</screen> + <indexterm> + <primary>loopback</primary> + </indexterm><indexterm> + <primary>NULL connection</primary> + </indexterm> + This indicates that Samba is able to respond on the loopback interface to + a NULL connection. The <parameter>-U%</parameter> means send an empty + username and an empty password. This command should be repeated after + Samba has been running for 15 minutes. 
+ </para></step> + + <step><para> + Now verify that Samba correctly handles being passed a username + and password, and that it answers its own name. Execute the following: +<screen> +&rootprompt; smbclient -L server -Uroot%password +</screen> + The output should be identical to the previous response. Samba has been + configured to ignore all usernames given; instead it uses the + <parameter>guest account</parameter> for all connections. + </para></step> + + <step><para><indexterm> + <primary>Windows Explorer</primary> + </indexterm><indexterm> + <primary>Network Neighborhood</primary> + </indexterm> + From the Windows 9x/Me client, launch Windows Explorer, + <menuchoice> + <guiicon>[Desktop: right-click] Network Neighborhood</guiicon> + <guimenu>Explore</guimenu> + <guimenuitem>[Left Panel] [+] Entire Network</guimenuitem> + <guimenuitem>[Left Panel] [+] Server</guimenuitem> + <guimenuitem>[Left Panel] [+] Plans</guimenuitem> + </menuchoice>. In the right panel you should see the files and directories + (folders) that are in the <guiicon>Plans</guiicon> share. + </para></step> + </procedure> + + </sect3> + + </sect2> + + <sect2> + <title>Charity Administration Office</title> + + <para> + The fictitious charity organization is called <emphasis>Abmas Vision NL</emphasis>. This is an + office that has five networked computers. Staff are all volunteers with frequent staff changes. + Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to + use any PC. Only two Windows applications are used: a custom funds tracking and management package + that stores all files on the central server and Microsoft Word. The office prepares mail-out + letters, letters of invitation, and thank-you notes. All files must be stored in perpetuity. 
+ The custom funds tracking and management software has been configured to use a server named + <constant>SERVER</constant>, a share named <constant>FTMFILES</constant>, and a printer queue + named <constant>PRINTQ</constant> that uses preprinted stationery, thus demanding a + dedicated printer. This printer does not need to be mapped to a local printer on the workstations. + </para> + + <para><indexterm> + <primary>print queue</primary> + </indexterm><indexterm> + <primary>print spooler</primary> + </indexterm> + Printer handling in Samba results in a significant level of confusion. Samba presents to the + MS Windows client only a print queue. The Samba <command>smbd</command> process passes a + print job sent to it from the Windows client to the native UNIX printing system. The native + UNIX printing system (spooler) places the job in a print queue from which it is + delivered to the printer. In this book, network diagrams refer to a printer by the name + of the print queue that services that printer. It does not matter what the fully qualified + name (or the host name) of a network attached printer is. The UNIX print spooler is configured + to correctly deliver all jobs to the printer. + </para> + + <para> + This organization has a policy forbidding use of privately owned computers on site as a measure + to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are + used on this network. + </para> + + <para><indexterm> + <primary>SUSE Enterprise Linux Server</primary> + </indexterm> + The central server was donated by a local computer store. It is a dual processor Pentium-III + server, has 1GB RAM, a 3-Ware IDE RAID Controller that has 4 x 200GB IDE hard drives, and a + 100-base-T network card. The office has 100-base-T permanent network connections that go to + a central hub and all equipment is new. The five network computers all are equipped with Microsoft + Windows Me. 
Funding is limited, so the server has no operating system on it. You have approval + to install Samba on Linux, but just make sure it works without problems. There are two HP LaserJet + 5 PS printers that are network connected. The second printer is to be used for general + office and letter printing. Your recommendation to allow only the Linux server to print directly + to the printers was accepted. You have supplied SUSE Enterprise Linux Server version 8.0 and + have upgraded Samba to version 3.0.2. + </para> + + <sect3> + <title>Dissection and Discussion</title> + + <para> + <indexterm><primary>force user</primary></indexterm><indexterm> + <primary>nt acl support</primary> + </indexterm><indexterm> + <primary>UID</primary> + </indexterm><indexterm> + <primary>Posix</primary> + </indexterm> + This installation demands simplicity. Frequent turn-over of volunteer staff would indicate that + a network environment that requires users to logon might be problematic. It is suggested that the + best solution for this office would be one where the user can log onto any PC with any username + and password. Samba can accommodate an office like this by using the <parameter>force user</parameter> + parameter in share and printer definitions. The use of the <parameter>force user</parameter> + ensures that all files are owned by same user identifier (UID) and thus ensures that there + will never be a problem with file access due to file access permissions. Additionally, you elect + to use the <parameter>nt acl support = No</parameter> option to ensure that no attempts can be + made to write access control lists (Posix type) to any file or directory. This prevents + an inadvertent ACL from overriding actual file permissions. 
+ </para> + + <para> + <indexterm><primary>SUID</primary></indexterm> + <indexterm><primary>SGID</primary></indexterm> + <indexterm><primary>security</primary><secondary>share mode</secondary></indexterm> + This organization is a prime candidate for Share Mode security. The <parameter>force user</parameter> + allows all files to be owned by the same user and group. In addition to this, it would not hurt to + set SUID and set SGID shared directories. This means that all new files that are created, no matter + who creates it, are owned by the owner or group of the directory in which they are created. + For further information regarding the significance of the SUID/SGID settings, see + <link linkend="ch12-SUIDSGID"/>. + </para> + + <para> + <indexterm><primary>CUPS</primary></indexterm> + <indexterm><primary>printing</primary><secondary>raw</secondary></indexterm><indexterm> + <primary>Red Hat Linux</primary> + </indexterm><indexterm> + <primary>SUSE Linux</primary> + </indexterm> + All client workstations print to a print queue on the server. This ensures that print jobs + continue to print in the event that a user may shut down the workstation immediately after + sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing. + Older Linux systems offered a choice to use either the LPRng printing system, or CUPS. It appears, however, + that CUPS has now become the leading UNIX printing technology. + </para> + + <para> + <indexterm><primary>print queue</primary></indexterm> + The print queues are set up as <constant>Raw</constant> devices, which means that CUPS will + not do intelligent print processing, and vendor supplied drivers be installed locally on the + Windows clients. + </para> + + <para> + The hypothetical software (Funds Tracking and Management) referred to is representative of + custom-built software that directly uses a NetBIOS interface. Most such software originated in + the days of MS/PC DOS. 
NetBIOS names are upper-case (and functionally are case insensitive), + thus some old software applications would permit only upper-case names to be entered. + Some such applications were later ported to MS Windows but retain the upper-case network + resource naming conventions because customers are familiar with that. We made the decision + to name shares and print queues for this application in upper-case also for the same reason. + Nothing would break if you were to use lower-case names, but that decision might create a need + to re-educate staff &smbmdash; something well avoided at this time. + </para> + + <para> + NetBIOS networking does not print directly to a printer. Instead, all printing is done to a + print queue. The print spooling system is responsible for communicating with the physical + printer. In this example, therefore, the resource that is referred to as <constant>PRINTQ</constant> + really is just a print queue. The name of the print queue is held to be representative of + the device to which the print spooler delivers print jobs. + </para> + + </sect3> + + <sect3> + <title>Implementation</title> + + <para> + It is assumed that the server is fully installed and ready for configuration of + Samba 3.0.2 and for necessary support files. All TCP/IP addresses should be hard coded. + In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is + 255.255.255.0. The host name of the server used was <constant>server</constant>. + The office network is built as shown in <link linkend="charitynet"/>. 
+ </para> + +<figure id="charitynet"> + <title>Charity Administration Office Network</title> + <mediaobject> + <imageobject role="latex"> + <imagedata fileref="guide/images/Charity-Network.png" scale="100" scalefit="1"/> + </imageobject> + <imageobject> + <imagedata fileref="guide/images/Charity-Network.png" scale="100" scalefit="1"/> + </imageobject> + </mediaobject> +</figure> + + <procedure> + <title>Samba Server Configuration</title> + + <step><para><indexterm> + <primary>groupadd</primary> + </indexterm> + Create a group account for office file storage as follows: +<screen> +&rootprompt; groupadd office +</screen> + </para></step> + + <step><para><indexterm> + <primary>useradd</primary> + </indexterm><indexterm> + <primary>passwd</primary> + </indexterm> + Create a user account for office file storage as follows: +<screen> +&rootprompt; useradd -m abmas +&rootprompt; passwd abmas +Changing password for abmas. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +</screen> + where XXXXXXXX is a secret password. + </para></step> + + <step><para> + Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB + drives as a single RAID level 5 drive, with one drive set aside as the hot spare. + (Refer to the 3-Ware RAID Controller Manual for the manufacturers' preferred procedure.) + The resulting drive has a capacity of approximately 500GB of usable space. + </para></step> + + <step><para><indexterm> + <primary>permissions</primary> + </indexterm> + Create a mount point for the file system that can be used to store all data files. + Create a directory called <filename>/data</filename> as follows: +<screen> +&rootprompt; mkdir /data +&rootprompt; chmod 755 /data +</screen> + The 755 permissions on this directory (mount point) permit the owner to read, write and execute, + and the group and everyone else to read and execute only. 
+ </para></step> + + <step><para> + Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct + procedures) to format the partition with a suitable file system. The reiserfs file system + is suitable. Configure this drive to automount using the <filename>/data</filename> + directory as the mount point. It must be mounted before proceeding. + </para></step> + + <step><para> + Under the directory called <filename>/data</filename> create two directories + named <filename>ftmfiles</filename> and <filename>officefiles</filename>, and set + ownership and permissions as follows: +<screen> +&rootprompt; mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}} +&rootprompt; chown -R abmas.office /data +&rootprompt; chmod -R ug+rwxs,o-w,o+rx /data +</screen> + These demonstrate compound operations. The <command>mkdir</command> command + creates in one step these directories: +<programlisting> +/data/fmtfiles +/data/officefiles +/data/officefiles/letters +/data/officefiles/invitations +/data/officefiles/misc +</programlisting> + The <command>chown</command> operation sets the owner to the user <constant>abmas</constant> + and the group to <constant>office</constant> on all directories just created. And + the <command>chmod</command> operation recursively sets the permissions so that + the owner and group have SUID/SGID with read/write/execute permission, and everyone else has + read and execute permission. This means that all files and directories are created + with the same owner and group as the directory in which they are created. Any new + directories created still have the same owner, group, and permissions as the + directory they are in. This should eliminate all permissions-based file access problems. 
+ For more information on this subject, refer to <emphasis>TOSHARG</emphasis>, Chapter 13, <emphasis>File, Directory + and Share Access Controls</emphasis>, or refer to the UNIX man page for the + <command>chmod</command> and the <command>chown</command> commands. + + </para></step> + + <step><para> + Install the &smb.conf; file shown in <link linkend="charity-smbconf"/> in the + <filename>/etc/samba</filename> directory. + </para></step> + + <step><para> + <indexterm><primary>smbd</primary></indexterm> + We must ensure that the <command>smbd</command> can resolve the name of the Samba + server to its IP address. Verify that the <filename>/etc/hosts</filename> file + contains the following entry: +<screen> +192.168.1.1 server +</screen> + </para></step> + + <step><para> + Configure the printers with the IP address as shown in <link linkend="charitynet"/>. + Follow the instructions in the manufacturers' manual to permit printing to port 9100, + so that the CUPS spooler can print using raw mode protocols. + </para></step> + + <step><para><indexterm> + <primary>lpadmin</primary> + </indexterm> + Configure the CUPS Print Queues as follows: +<screen> +&rootprompt; lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E +&rootprompt; lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E +</screen> + This creates the necessary print queues with no assigned print filter. 
+ </para></step> + + <step><para> + <indexterm><primary>mime type</primary></indexterm><indexterm> + <primary>/etc/cups/mime.convs</primary> + </indexterm><indexterm> + <primary>application/octet-stream</primary> + </indexterm> + Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: +<screen> +application/octet-stream application/vnd.cups-raw 0 - +</screen> + </para></step> + + <step><para><indexterm> + <primary>/etc/cups/mime.types</primary> + </indexterm> + Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: +<screen> +application/octet-stream +</screen> + </para></step> + + <step><para> + <indexterm><primary>starting samba</primary></indexterm> + Use the standard system tool to start Samba and CUPS to configure them to restart + automatically at every system reboot. For example: + </para> + + <para> + <indexterm><primary>starting samba</primary></indexterm> + <indexterm><primary>starting + CUPS</primary></indexterm><indexterm> + <primary>chkconfig</primary> + </indexterm> +<screen> +&rootprompt; chkconfig smb on +&rootprompt; chkconfig cups on +&rootprompt; /etc/rc.d/init.d/smb restart +&rootprompt; /etc/rc.d/init.d/cups restart +</screen> + </para></step> + + </procedure> + +<smbconfexample id="charity-smbconf"> +<title>Charity Administration Office &smb.conf; File</title> +<smbconfcomment>Global Parameters</smbconfcomment> +<smbconfsection>[global]</smbconfsection> +<smbconfoption><name>workgroup</name><value>MIDEARTH</value></smbconfoption> +<smbconfoption><name>security</name><value>SHARE</value></smbconfoption> +<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> +<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> +<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption> +<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption> +<smbconfoption><name>wins support</name><value>yes</value></smbconfoption> + 
+<smbconfsection>[FTMFILES]</smbconfsection> +<smbconfoption><name>comment</name><value>Funds Tracking & Management Files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/ftmfiles</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> +<smbconfoption><name>force user</name><value>abmas</value></smbconfoption> +<smbconfoption><name>force group</name><value>office</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption> + +<smbconfsection>[office]</smbconfsection> +<smbconfoption><name>comment</name><value>General Office Files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/officefiles</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> +<smbconfoption><name>force user</name><value>abmas</value></smbconfoption> +<smbconfoption><name>force group</name><value>office</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +<smbconfoption><name>nt acl support</name><value>No</value></smbconfoption> + +<smbconfsection>[printers]</smbconfsection> +<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption> +<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption> +<smbconfoption><name>printable</name><value>Yes</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption> +<smbconfoption><name>browseable</name><value>No</value></smbconfoption> +</smbconfexample> + + <procedure> + <title>Windows Client Configuration</title> + + <step><para> + Configure clients to the network settings shown in <link linkend="charitynet"/>. 
+ </para></step> + + <step><para> + Ensure that the netmask used on the Windows clients matches that used + for the Samba server. All clients must have the same netmask. For example, + <constant>255.255.255.0</constant>. + </para></step> + + <step><para> + <indexterm><primary>WINS</primary></indexterm> + On all Windows clients, set the WINS Server address to <constant>192.168.1.1</constant>, + the IP address of the server. + </para></step> + + <step><para> + Set the workgroup name on all clients to <constant>MIDEARTH</constant>. + </para></step> + + <step><para><indexterm> + <secondary>logon</secondary> + </indexterm> + Install the <quote>Client for Microsoft Networks.</quote> Ensure that the only option + enabled in its properties is the option <quote>Logon and restore network connections.</quote> + </para></step> + + <step><para> + Click <guibutton>OK</guibutton> when you are prompted to reboot the system. Reboot the + system, then logon using any user name and password you choose. + </para></step> + + <step><para><indexterm> + <primary>My Network Places</primary> + </indexterm> + Verify on each client that the machine called <constant>SERVER</constant> + is visible in <guimenu>My Network Places</guimenu>, that it is + possible to connect to it and see the share <guimenuitem>office</guimenuitem>, + and that it is possible to open that share to reveal its contents. + </para></step> + + <step><para><indexterm> + <primary>password caching</primary> + </indexterm><indexterm> + <primary>regedit</primary> + </indexterm> + Disable password caching on all Windows 9x/Me machines using the registry change file + shown in <link linkend="MEreg"/>. Be sure to remove all files that have the + <filename>PWL</filename> extension that are in the <filename>C:\WINDOWS</filename> + directory. 
+<example id="MEreg"> +<title>Windows Me &smbmdash; Registry Edit File: Disable Password Caching</title> +<screen> +REGEDIT4 + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ + Windows\CurrrentVersion\Policies\Network] + "DisablePwdCaching"=dword:00000001 +</screen> +</example> + The best way to apply this is to save the patch in a file called + <filename>ME-dpwc.reg</filename> and then execute: +<screen> +C:\WINDOWS: regedit ME-dpwc.reg +</screen> + </para></step> + + <step><para> + Instruct all users to log onto the workstation using a name of their own + choosing, with a password of their own choosing. The Samba server has been + configured to ignore the username and password given. + </para></step> + + <step><para> + On each Windows Me workstation, configure a network drive mapping to drive <filename>G:</filename> + that redirects to the uniform naming convention (UNC) resource + <filename>\\server\officefiles</filename>. Make this a permanent drive connection as follows: + <procedure> + <step><para> + <menuchoice> + <guimenu>(Right-click) My Network</guimenu> + <guimenuitem>Map Network Drive...</guimenuitem> + </menuchoice> + </para></step> + + <step><para> + In the box labeled <quote>Drive:</quote>, type G. + </para></step> + + <step><para> + In the box labeled <quote>Path:</quote>, enter + <filename>\\server\officefiles</filename>. + </para></step> + + <step><para> + Click <guimenuitem>Reconnect at logon</guimenuitem>. + Click <guibutton>OK</guibutton>. + </para></step> + + </procedure> + </para></step> + + <step><para> + On each workstation, install the Funds Tracking and Management software following the + manufacturer's instructions. + <procedure> + <step><para> + During installation, you are prompted for the name of the Windows 98 + server. Enter the name <constant>SERVER</constant>. + </para></step> + <step><para> + You are prompted for the name of the data share. + The prompt defaults to <constant>FTMFILES</constant>. Press enter to accept the default value. 
+ </para></step> + <step><para> + You are now prompted for the print queue name. The default prompt is the name of + the server you entered (<constant>SERVER</constant> as follows: + <constant>\\SERVER\PRINTQ</constant>). Simply accept the default and press enter to + continue. The software now completes the installation. + </para></step> + </procedure> + </para></step> + + <step><para> + Install an office automation software package of the customer's choice. Either Microsoft + Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may + need to perform. Repeat this on each workstation. + </para></step> + + <step><para> + Install a printer on each using the following steps: + + <procedure> + <step><para> + Click <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Printers</guimenuitem> + <guiicon>Add Printer</guiicon> + <guibutton>Next</guibutton> + </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. + Ensure that <guimenuitem>Local printer</guimenuitem> is selected. + </para></step> + + <step><para> + Click <guibutton>Next</guibutton>. In the panel labeled + <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>. + In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called + <constant>HP LaserJet 5/5M Postscript</constant>. Click <guibutton>Next</guibutton>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select + <constant>FILE:</constant>. Accept the default printer name by clicking + <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a + test page?</quote>, click <guimenuitem>No</guimenuitem>. Click + <guibutton>Finish</guibutton>. + </para></step> + + <step><para> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. 
Right-click <menuchoice> + <guiicon>HP LaserJet 5/5M Postscript</guiicon> + <guimenuitem>Properties</guimenuitem> + <guimenusub>Details (Tab)</guimenusub> + <guimenubutton>Add Port</guimenubutton> + </menuchoice>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of + the print queue on the Samba server as follows: <constant>\\SERVER\hplj5</constant>. + Click <menuchoice> + <guibutton>OK</guibutton> + <guibutton>OK</guibutton> + </menuchoice> to complete the installation. + </para></step> + + <step><para> + It is a good idea to test the functionality of the complete installation before + handing the newly configured network over to the Charity Administration Office + for production use. + </para></step> + + </procedure> + + </para></step> + + </procedure> + + </sect3> + + <sect3> + <title>Validation</title> + + <para> + Use the same validation process as was followed in <link linkend="validate1"/>. + </para> + + </sect3> + + </sect2> + + <sect2 id="AccountingOffice"> + <title>Accounting Office</title> + + <para> + The office of Abmas Accounting Inc. is a 40-year-old family-run business. There are nine permanent + computer users. The network clients were upgraded two years ago. All computers run Windows 2000 + Professional. This year the server will be upgraded from an old Windows NT4 server (actually + running Windows NT4 Workstation, which worked fine as there were fewer than 10 users) that has + run in workgroup (Stand-Alone) mode, to a new Linux server running Samba. + </para> + + <para> + The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional + clients running as workgroup machines so that any staff member can take a machine home and keep + working. It has worked well so far and your task is to replace the old server. All users have + their own workstation logon (you configured it that way when the machines were installed). + Mr. 
Meany wants the new system to operate the same way as the old Windows NT4 server &smbmdash; users + cannot access each others' files, but he can access everyone's files. Each person's work files are + in a separate share on the server. Users logon to their Windows workstation with their username + and enter an assigned password; they do not need to enter a password when accessing their files + on the server. + </para> + + <para><indexterm> + <primary>Red Hat Linux</primary> + </indexterm> + The new server will run Red Hat Linux 9.0. You should install Samba-3.0.2 and + copy all files off the old system to the new one. The existing Windows NT4 server has a parallel + port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each + workstation. You must not change anything on the workstations. Mr. Meany gave instructions to + replace the server <quote>but leave everything else alone to avoid staff unrest.</quote> + </para> + + <para> + You have tried to educate Mr. Meany and found that he has no interest to understand networking. + He believes that Windows for Workgroups 3.11 was <quote>the best server Microsoft ever sold + </quote> and that Windows NT and 2000 are <quote>too fang-dangled complex!</quote> + </para> + + <sect3> + <title>Dissection and Discussion</title> + + <para> + <indexterm><primary>security</primary><secondary>user mode</secondary></indexterm> + The requirements of this network installation are not unusual. The staff are not interested in the + details of networking. Passwords are never changed. In this example solution, we demonstrate the use + of User Mode security in a simple context. Directories should be set SGID to ensure that members + of a common group can access the contents. Each user has his or her own share to which only they + can connect. Mr. Meany's share will be a top level directory above the share point for each employee. + Mr. 
Meany is a member of the same group as his staff and is able to access their work files. + The well used HP LaserJet 4 is available as a service called <constant>hplj</constant>. + </para> + + <para> + You have finished configuring the new hardware and have just completed installation of Red Hat Linux + 9.0. Roll up your sleeves and let's get to work. + </para> + + </sect3> + + <sect3 id="AcctgNet"> + <title>Implementation</title> + + <para> + The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it + cannot be running as a WINS server. It is best that the new configuration preserves the same + configuration. The office does not use Internet access, so security really is not an issue. + </para> + + <para> + The core information regarding the users, their passwords, the directory share point, and the + share name is given in <link linkend="acctingnet"/>. The overall network topology is shown in + <link linkend="acctingnet2"/>. All machines have been configured as indicated prior to the + start of Samba configuration. The following prescriptive steps may now commence. 
+ </para> + + <figure id="acctingnet2"> + <title>Accounting Office Network Topology</title> + <mediaobject> + <imageobject role="latex"> + <imagedata fileref="guide/images/AccountingNetwork.png" scale="100" scalefit="1"/> + </imageobject> + <imageobject> + <imagedata fileref="guide/images/AccountingNetwork.png" scale="100" scalefit="1"/> + </imageobject> + </mediaobject> + </figure> + + <table id="acctingnet"> + <title>Accounting Office Network Information</title> + <tgroup cols="6"> + <colspec align="left"/> + <colspec align="left"/> + <colspec align="left"/> + <colspec align="left"/> + <colspec align="left"/> + <colspec align="left"/> + <thead> + <row> + <entry>User</entry> + <entry>Login-ID</entry> + <entry>Password</entry> + <entry>Share Name</entry> + <entry>Directory</entry> + <entry>Wkst</entry> + </row> + </thead> + <tbody> + <row> + <entry>Alan Meany</entry> + <entry>alan</entry> + <entry>alm1961</entry> + <entry>alan</entry> + <entry>/data</entry> + <entry>PC1</entry> + </row> + <row> + <entry>James Meany</entry> + <entry>james</entry> + <entry>jimm1962</entry> + <entry>james</entry> + <entry>/data/james</entry> + <entry>PC2</entry> + </row> + <row> + <entry>Jeannie Meany</entry> + <entry>jeannie</entry> + <entry>jema1965</entry> + <entry>jeannie</entry> + <entry>/data/jeannie</entry> + <entry>PC3</entry> + </row> + <row> + <entry>Suzy Millicent</entry> + <entry>suzy</entry> + <entry>suzy1967</entry> + <entry>suzy</entry> + <entry>/data/suzy</entry> + <entry>PC4</entry> + </row> + <row> + <entry>Ursula Jenning</entry> + <entry>ujen</entry> + <entry>ujen1974</entry> + <entry>ursula</entry> + <entry>/data/ursula</entry> + <entry>PC5</entry> + </row> + <row> + <entry>Peter Pan</entry> + <entry>peter</entry> + <entry>pete1984</entry> + <entry>peter</entry> + <entry>/data/peter</entry> + <entry>PC6</entry> + </row> + <row> + <entry>Dale Roland</entry> + <entry>dale</entry> + <entry>dale1986</entry> + <entry>dale</entry> + <entry>/data/dale</entry> + 
<entry>PC7</entry> + </row> + <row> + <entry>Bertrand E Paoletti</entry> + <entry>eric</entry> + <entry>eric1993</entry> + <entry>eric</entry> + <entry>/data/eric</entry> + <entry>PC8</entry> + </row> + <row> + <entry>Russell Lewis</entry> + <entry>russ</entry> + <entry>russ2001</entry> + <entry>russell</entry> + <entry>/data/russell</entry> + <entry>PC9</entry> + </row> + </tbody> + </tgroup> + </table> + +<?latex \newpage ?> + + <procedure> + <title>Migration from Windows NT4 Workstation System to Samba-3</title> + + <step><para><indexterm> + <primary>migration</primary> + </indexterm> + Rename the old server from <constant>CASHPOOL</constant> to <constant>STABLE</constant> + by logging onto the console as the <constant>Administrator</constant>. Restart the machine + following system prompts. + </para></step> + + <step><para> + Name the new server <constant>CASHPOOL</constant> using the standard configuration method. + Restart the machine following system prompts. + </para></step> + + <step><para> + Install the latest Samba-3 binary Red Hat Linux RPM that is available from the + Samba FTP site. + </para></step> + + <step><para><indexterm> + <primary>group account</primary> + </indexterm><indexterm> + <primary>groupadd</primary> + </indexterm> + Add a group account for the office to use. Execute the following: +<screen> +&rootprompt; groupadd accts +</screen> + </para></step> + + <step><para> + Install the &smb.conf; file shown<footnote>This example makes use of the + <parameter>smbpasswd</parameter> file. It does so in an obtuse way since the use of + the <parameter>passdb backend</parameter> has not been specified in the &smb.conf; + file. This means that you are depending on correct default behavior.</footnote> + in <link linkend="acctconf"/>. 
+ </para></step> + + <step><para><indexterm> + <primary>useradd</primary> + </indexterm><indexterm> + <primary>passwd</primary> + </indexterm><indexterm> + <primary>smbpasswd</primary> + </indexterm> + For each user who uses this system (see <link linkend="acctingnet"/>), + execute the following: +<screen> +&rootprompt; useradd -m -G accts -c "Name of User" "LoginID" +&rootprompt; passwd "LoginID" +Changing password for user "LoginID" +New Password: XXXXXXXXX <-- the password from the table +Retype new password: XXXXXXXXX +&rootprompt; smbpasswd -a "LoginID" +New SMB password: XXXXXXXXX <-- the password from the table +Retype new SMB password: XXXXXXXXX +Added user "LoginID" +</screen> + </para></step> + + <step><para><indexterm> + <primary>data storage</primary> + </indexterm> + Create the directory structure for the file shares by executing the following: +<screen> +&rootprompt; mkdir -p /data +&rootprompt; chown alan /data +&rootprompt; for i in james suzy ursula peter dale eric jeannie russell +> do +> mkdir -p /data/$i +> chown $i /data/$i +> done +&rootprompt; chgrp -R accts /data +&rootprompt; chmod -R ug+rwxs,o-r+x /data +</screen> + The data storage structure is now prepared for use. + </para></step> + + <step><para><indexterm> + <primary>lpadmin</primary> + </indexterm> + Configure the CUPS Print Queues as follows: +<screen> +&rootprompt; lpadmin -p hplj -v parallel:/dev/lp0 -E +</screen> + This creates the necessary print queues with no assigned print filter. 
+ </para></step> + + <step><para> + <indexterm><primary>mime types</primary></indexterm><indexterm> + <primary>/etc/cups/mime.convs</primary> + </indexterm> + Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: +<screen> +application/octet-stream application/vnd.cups-raw 0 - +</screen> + </para></step> + + <step><para><indexterm> + <primary>/etc/cups/mime.types</primary> + </indexterm><indexterm> + <primary>application/octet-stream</primary> + </indexterm> + Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: +<screen> +application/octet-stream +</screen> + </para></step> + + <step><para> + <indexterm><primary>starting samba</primary></indexterm> + Use the standard system tool to start Samba and CUPS to configure them to restart + automatically at every system reboot. For example: + </para> + + <para> + <indexterm><primary>starting samba</primary></indexterm> + <indexterm><primary>starting + CUPS</primary></indexterm><indexterm> + <primary>chkconfig</primary> + </indexterm> +<screen> +&rootprompt; chkconfig smb on +&rootprompt; chkconfig cups on +&rootprompt; /etc/rc.d/init.d/smb restart +&rootprompt; /etc/rc.d/init.d/cups restart +</screen> + </para></step> + + <step><para> + On Alan's workstation, use Windows explorer to migrate the files from the old server + to the new server. The new server should appear in the <guimenu>Network Neighborhood</guimenu> + with the name of the old server (<constant>CASHPOOL</constant>). + + <procedure> + + <step><para> + Logon to Alan's workstation as the user <constant>alan</constant>. + </para></step> + + <step><para> + Launch a second instance of Windows explorer and navigate to the share called + <guiicon>files</guiicon> on the server called <guimenu>STABLE</guimenu>. + </para></step> + + <step><para> + Click in the right panel, and press <guimenu>Ctrl-A</guimenu> to select all files and + directories. 
Press <guimenu>Ctrl-C</guimenu> to instruct Windows that you wish to + copy all selected items. + </para></step> + + <step><para> + Launch the Windows explorer, and navigate to the share called <guiicon>files</guiicon> + on the server called <guimenu>CASHPOOL</guimenu>. Click in the right panel, and then press + <guimenu>Ctrl-V</guimenu> to commence the copying process. + </para></step> + + </procedure> + </para></step> + + <step><para> + Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server. + This is best done on the Samba-3 server. Check the contents of the directory tree under + <filename>/data</filename>. This can be done by executing the following command: +<screen> +&rootprompt; ls -aR /data +</screen> + Make certain to check the ownership and permissions on all files. If in doubt, execute the following: +<screen> +&rootprompt; chown alan /data +&rootprompt; for i in james suzy ursula peter dale eric jeannie russell +> do +> chown $i /data/$i +> done +&rootprompt; chgrp -R accts /data +&rootprompt; chmod -R ug+rwxs,o-r+x /data +</screen> + </para></step> + + <step><para> + The migration of all data should now be complete. It is time to validate the installation. + For this, you should make sure all applications, including printing, work before asking the + customer to test drive the new network. 
+ </para></step> + + </procedure> + +<smbconfexample id="acctconf"> +<title>Accounting Office Network &smb.conf; File</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection>[global]</smbconfsection> +<smbconfoption><name>workgroup</name><value>BILLMORE</value></smbconfoption> +<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> +<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> +<smbconfoption><name>disable spoolss</name><value>Yes</value></smbconfoption> +<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption> + +<smbconfsection>[files]</smbconfsection> +<smbconfoption><name>comment</name><value>Work area files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/%U</value></smbconfoption> +<smbconfoption><name>valid users</name><value>%S</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> + +<smbconfsection>[master]</smbconfsection> +<smbconfoption><name>comment</name><value>Master work area files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data</value></smbconfoption> +<smbconfoption><name>valid users</name><value>alan</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> + +<smbconfsection>[printers]</smbconfsection> +<smbconfoption><name>comment</name><value>Print Temporary Spool Configuration</value></smbconfoption> +<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption> +<smbconfoption><name>printable</name><value>Yes</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption> +<smbconfoption><name>browseable</name><value>No</value></smbconfoption> +</smbconfexample> + + </sect3> + </sect2> +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + The following questions and answers 
draw from the examples in this chapter. + Many design decisions are impacted by the configurations chosen. The intent + is to expose some of the hidden implications. + </para> + + <qandaset defaultlabel="chap02qa" type="number"> + <qandaentry> + <question> + + <para> + What makes an anonymous Samba server more simple than an non-anonymous Samba server? + </para> + + </question> + <answer> + + <para> + In the anonymous server, the only account used is the <constant>guest</constant> account. + In a non-anonymous configuration, it is necessary to add real user accounts to both the + UNIX system and to the Samba configuration. Non-anonymous servers require additional + administration. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + How is the operation of the parameter <parameter>force user</parameter> different from + setting the root directory of the share SUID? + </para> + + </question> + <answer> + + <para> + The parameter <parameter>force user</parameter> causes all operations on the share to assume the UID + of the forced user. The new default GID that applies is the primary GID of the forced user. + This gives all users of this resource the actual privilege of the forced user. + </para> + + <para> + When a directory is set SUID, the operating system forces files that are written within it + to be owned by the owner of the directory. While this happens, the user who is using the share + has only the level of privilege he or she is assigned within the operating system context. + </para> + + <para> + The parameter <parameter>force user</parameter> has potential security implications that go + beyond the actual share root directory. Be careful and wary of using this parameter. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + When would you use both the per share parameter <parameter>force user</parameter> as well + as setting the share root directory SUID? 
+ </para> + + </question> + <answer> + + <para> + You would use both parameters when it is necessary to guarantee that all share handling operations + are conducted as the forced user, while all file and directory creation are done as the SUID + directory owner. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What is better about CUPS printing than LPRng printing? + </para> + + </question> + <answer> + + <para> + CUPS is a print spooling system that has integrated remote management facilities, provides completely + automated print processing/preprocessing, and has the potential to be configured to automatically + apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the + target printer. CUPS includes an image file RIP that supports printing of image files to + non-PostScript printers. CUPS has lots of bells and whistles and is more like a super-charged MS Windows + NT/200x print monitor and processor. Its complexity can be eliminated or turbo-charged to suit + any fancy. + </para> + + <para> + The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print + spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng is capable + of being configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd + spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd. + </para> + + <para> + Which is better is a matter of personal taste. It depends on what you want to do and how you want to + do it and manage it. Most modern Linux systems ship with CUPS as the default print management system. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + When should Windows client IP addresses be hard coded? 
+ </para> + + </question> + <answer> + + <para> + When there are few MS Windows clients, little client change, no mobile users, and users are not + inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows + client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove + user ability to access network configuration controls, fixed configuration eliminates the need + for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network + failure. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Under what circumstances would it be best to use a DHCP server? + </para> + + </question> + <answer> + + <para> + In network configurations where there are mobile users, or where Windows client PCs move around + (particularly between offices or between subnets), it makes complete sense to control all Windows + client configurations using a DHCP server. Additionally, when users do tamper with the network + settings, the use of DHCP can be used to normalize all client settings. + </para> + + <para> + One of the least appreciated benefits of using a DHCP server to assign all network client + device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP + settings, change network addressing, or enhance the ability of client devices to + benefit from new network services. + </para> + + <para> + Another benefit of modern DHCP servers is the ability of the DHCP server to register dynamically + assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in + a large Windows network environment. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What is the purpose of setting the parameter <parameter>guest ok</parameter> on a share? 
+ </para> + + </question> + <answer> + + <para> + If this parameter is yes for a service, then no password is required to connect to the service. + Privileges are those of the guest account. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + When would you set the global parameter <parameter>disable spoolss</parameter>? + </para> + + </question> + <answer> + + <para> + Setting this parameter to <constant>Yes</constant> disables Samba's support for the SPOOLSS set of + MS-RPC's and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to + using LanMan style printing commands. Windows 9x/ME are unaffected by the parameter. However, this + disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer + Wizard or by using the NT printer properties dialog window. It also disables the capability of + Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about + setting this parameter. + </para> + + <para> + The alternate parameter <parameter>use client driver</parameter> applies only to Windows NT/200x clients. It has no + effect on Windows 95/98/ME clients. When serving a printer to Windows NT/200x clients without first installing a valid + printer driver on the Samba host, the client is required to install a local printer driver. From this point on, + the client treats the printer as a local printer and not a network printer connection. This is much the same behavior + that occurs when <parameter>disable spoolss = yes</parameter>. + </para> + + <para> + Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client + considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated + with the logged on user. 
If the user possesses local administrator rights but not root privilege on the Samba host (often + the case), the OpenPrinterEx() call fails. The result is that the client now displays an "Access Denied; Unable + to connect" message in the printer queue window (even though jobs may be printed successfully). This parameter MUST + not be enabled on a print share that has valid print driver installed on the Samba server. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why would you disable password caching on Windows 9x/Me clients? + </para> + + </question> + <answer> + + <para> + Windows 9x/Me workstations that are set at default (password caching enabled) store the username and + password in files located in the Windows master directory. Such files can be scavenged (read off a client + machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed. + It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + The example of Abmas Accounting Inc. uses User Mode security. How does this provide anonymous access? + </para> + + </question> + <answer> + + <para> + The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional, + and given that users are logging onto their machines, by default the client attempts to connect to + a remote server using currently logged in user credentials. By ensuring that the user's login ID and + password is the same as those set on the Samba server, access is transparent and does not require + separate user authentication. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> + |