summaryrefslogtreecommitdiff
path: root/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Samba-Guide/Chap06-MakingHappyUsers.xml')
-rw-r--r--docs/Samba-Guide/Chap06-MakingHappyUsers.xml3786
1 files changed, 3786 insertions, 0 deletions
diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
new file mode 100644
index 0000000000..c8a547ac67
--- /dev/null
+++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
@@ -0,0 +1,3786 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="happy">
+ <title>Making Users Happy</title>
+
+ <para>
+ It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give
+ me a day of troubles well handled so that I can be content with my achievements.</quote>
+ </para>
+
+ <para>
+ In the world of computer networks, problems are as varied as the people who create them
+ or experience them. The design of the network implemented in the last chapter may
+ create problems for some network users. The following lists some of the problems that
+ may occur:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>Users experiencing difficulty logging onto the network</term>
+ <listitem><para>
+ <indexterm>
+ <primary>network</primary>
+ <secondary>logon</secondary>
+ </indexterm>
+ When a Windows client logs onto the network, many data packets are exchanged
+ between the client and the server that is providing the network logon services.
+ Each request between the client and the server must complete within a specific
+ time limit. This is one of the primary factors that govern the installation of
+ <indexterm>
+ <primary>multiple domain controllers</primary>
+ </indexterm>
+ multiple domain controllers (usually called secondary or backup controllers).
+ As a rough rule, there should be one such backup controller for every
+ 30 to 150 clients. The actual limits are determined by network operational
+ characteristics.
+ </para>
+
+ <para>
+ If the domain controller provides only network logon services
+ and all file and print activity is handled by Domain Member servers, one Domain
+ Controller per 150 clients on a single network segment may suffice. In any
+ case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC)
+ per network segment. It is better to have at least one BDC on the network
+ segment that has a PDC. If the Domain Controller is also used as a file and
+ print server, the number of clients it can service reliably is reduced
+ and a common rule is not to exceed 30 machines (Windows workstations plus
+ Domain Member servers) per Domain Controller.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Slow logons and log-offs</term>
+ <listitem><para>
+ <indexterm>
+ <primary>slow logon</primary>
+ </indexterm>
+ Slow logons and log-offs may be caused by many factors that include:
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>NetBIOS</primary>
+ <secondary>name resolution</secondary>
+ <tertiary>delays</tertiary>
+ </indexterm><indexterm>
+ <primary>WINS</primary>
+ <secondary>server</secondary>
+ </indexterm>
+ Excessive delays in the resolution of a NetBIOS name to its IP
+ address. This may be observed when an overloaded domain controller
+ is also the WINS server. Another cause may be the failure to use
+ a WINS server (this assumes that there is a single network segment).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>traffic collisions</primary>
+ </indexterm><indexterm>
+ <primary>HUB</primary>
+ </indexterm><indexterm>
+ <primary>Etherswitch</primary>
+ </indexterm>
+ Network traffic collisions due to overloading of the network
+ segment &smbmdash; one short-term workaround to this may be to replace
+ network HUBs with Ether-switches.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>networking hardware</primary>
+ <secondary>defective</secondary>
+ </indexterm>
+ Defective networking hardware. Over the past few years, we have seen
+ on the Samba mailing list a significant increase in the number of
+ problems that were traced to a defective network interface controller,
+ a defective HUB or Etherswitch, or defective cabling. In most cases,
+ it was the erratic nature of the problem that ultimately pointed to
+ the cause of the problem.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>profile</primary>
+ <secondary>roaming</secondary>
+ </indexterm><indexterm>
+ <primary>MS Outlook</primary>
+ <secondary>PST file</secondary>
+ </indexterm>
+ Excessively large roaming profiles. This type of problem is typically
+ the result of poor user eduction, as well as poor network management.
+ It can be avoided by users not storing huge quantities of email in
+ MS Outlook PST files, as well as by not storing files on the desktop.
+ These are old bad habits that require much discipline and vigilance
+ on the part of network management.
+ </para></listitem>
+ </itemizedlist>
+
+ <listitem><para><indexterm>
+ <primary>WebClient</primary>
+ </indexterm>
+ You should verify that the Windows XP WebClient service is not running.
+ The use of the WebClient service has been implicated in many Windows
+ networking related problems.
+ </para></listitem>
+
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Loss of access to network drives and printer resources</term>
+ <listitem><para>
+ Loss of access to network resources during client operation may be caused by a number
+ of factors including:
+ </para>
+
+ <itemizedlist>
+ <listitem><para><indexterm>
+ <primary>network</primary>
+ <secondary>overload</secondary>
+ </indexterm>
+ Network overload (typically indicated by a high network collision rate)
+ </para></listitem>
+
+ <listitem><para>
+ Server overload
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>network</primary>
+ <secondary>timeout</secondary>
+ </indexterm>
+ Timeout causing the client to close a connection that is in use, but has
+ been latent (no traffic) for some time (5 minutes or more)
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>network hardware</primary>
+ <secondary>defective</secondary>
+ </indexterm>
+ Defective networking hardware
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>data</primary>
+ <secondary>corruption</secondary>
+ </indexterm>
+ No matter what the cause, a sudden operational loss of access to network resources can
+ result in BSOD (blue screen of death) situations that necessitate rebooting of the client
+ workstation. In the case of a mild problem, retrying to access the network drive of printer
+ may restore operations, but in any case this is a serious problem as it may lead to the next
+ problem, data corruption.
+ </para></listitem></varlistentry>
+
+ <varlistentry>
+ <term>Potential data corruption</term>
+ <listitem><para><indexterm>
+ <primary>data</primary>
+ <secondary>corruption</secondary>
+ </indexterm>
+ Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
+ frustration, and generally precipitates immediate corrective demands. Management response
+ to this type of problem may be rational, as well as highly irrational. There have been
+ cases where management has fired network staff for permitting this situation to occur without
+ immediate correction. There have been situations where perfectly functional hardware was thrown
+ out and replaced, only to find the problem caused by a low-cost network hardware item. There
+ have been cases where server operating systems were replaced, or where Samba was updated,
+ only to later isolate the problem due to defective client software.
+ </para></listitem></varlistentry>
+ </variablelist>
+
+ <para>
+ In this chapter, you can work through a number of measures that significantly arm you to
+ anticipate and to combat network performance issues. You can work through complex and thorny
+ methods to improve the reliability of your network environment, but be warned that all such steps
+ demand the price of complexity.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Mr. Bob Jordan just opened an email from Christine that reads:
+ </para>
+
+ <para>
+ Bob,
+ <blockquote><attribution>Christine</attribution><para>
+ A few months ago we sat down to design the network. We discussed the challenges ahead and we all
+ agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
+ that we would have some time to resolve any issues that might be encountered.
+ </para>
+
+ <para>
+ As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them
+ resigned yesterday afternoon because she was under duress to complete some critical projects. She
+ suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
+ of which was lost. She has a unique requirement that involves storing large files on her desktop.
+ Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it
+ takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
+ network logon traffic passes over the network links between our buildings, logging on may take
+ three or four attempts due to blue screen problems associated with network timeouts.
+ </para>
+
+ <para>
+ A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
+ resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
+ limits on what our users can do with their desktops. If we do not do this, we face staff losses
+ that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal
+ with the consequences of what we know we must do than we can with the unrest we have now.
+ </para>
+
+ <para>
+ Stan and I have discussed the current situation. We are resolved to help our users and protect
+ the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
+ regain control of our vital IT operations.
+ </para></blockquote>
+ </para>
+
+ <para><indexterm>
+ <primary>compromise</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>multi-segment</secondary>
+ </indexterm>
+ Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
+ single domain controller is a poor design that has obvious operational effects that may
+ frustrate users. Here is Bob's reply:
+ <blockquote><attribution>Bob</attribution><para>
+ Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
+ proposals to resolve the issues. I am confident that your plans fully realized will significantly
+ boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
+ Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
+ for approval; I appreciate the urgency.
+ </para></blockquote>
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ The priority of assigned tasks in this chapter is:
+ </para>
+
+ <orderedlist>
+ <listitem><para><indexterm>
+ <primary>Backup Domain Controller</primary>
+ <see>BDC</see>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ Implement Backup Domain Controllers (BDCs) in each building. This involves
+ a change from use of a <emphasis>tdbsam</emphasis> backend that was used in the previous
+ chapter, to use an LDAP-based backend.
+ </para>
+
+ <para>
+ You can implement a single central LDAP server for this purpose.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>logon time</primary>
+ </indexterm><indexterm>
+ <primary>network share</primary>
+ </indexterm><indexterm>
+ <primary>default profile</primary>
+ </indexterm><indexterm>
+ <primary>profile</primary>
+ <secondary>default</secondary>
+ </indexterm>
+ Rectify the problem of excessive logon times. This involves redirection of
+ folders to network shares as well as modification of all user desktops to
+ exclude the redirected folders from being loaded at login time. You can also
+ create a new default profile that can be used for all new users.
+ </para></listitem>
+
+ </orderedlist>
+
+ <para><indexterm>
+ <primary>disk image</primary>
+ </indexterm>
+ You configure a new MS Windows XP Professional Workstation disk image that you
+ roll out to all desktop users. The instructions you have created are followed on a
+ staging machine from which all changes can be carefully tested before inflicting them on
+ your network users.
+ </para>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm>
+ This is the last network example in which specific mention of printing is made. The example
+ again makes use of the CUPS printing system.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
+ For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
+ LDAP servers in current use with Samba-3 include:
+ </para>
+
+ <itemizedlist><indexterm>
+ <primary>eDirectory</primary>
+ </indexterm>
+ <listitem><para>Novell <ulink
+ url="http://www.novell.com/products/edirectory/">eDirectory.</ulink>
+ eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
+ obtained from the Samba mailing lists or from Novell.</para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Tivoli Directory Server</primary>
+ </indexterm>IBM
+ <ulink
+ url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli Directory Server,</ulink>
+ can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba
+ source code tarball under the directory <filename>~samba/example/LDAP.</filename></para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>Sun ONE Identity Server</primary>
+ </indexterm>Sun
+ <ulink
+ url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server.</ulink>
+ This product suite provides an LDAP server that can be used for Samba. Example schema files are
+ provided in the Samba source code tarball under the directory
+ <filename>~samba/example/LDAP.
+ </filename></para></listitem>
+ </itemizedlist>
+
+ <para>
+ A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial
+ offerings, it requires that you manually edit the server configuration files and manually
+ initialize the LDAP directory database. OpenLDAP itself has only command line tools to
+ help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
+ </para>
+
+ <para><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm>
+ For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
+ adequate. If you are migrating from Microsoft Active Directory, be
+ warned that OpenLDAP does not include
+ GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
+ requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
+ </para>
+
+ <para><indexterm>
+ <primary>Identity Management</primary>
+ </indexterm><indexterm>
+ <primary>high availability</primary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>replication</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>synchronization</secondary>
+ </indexterm><indexterm>
+ <primary>performance</primary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>management</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>schema</secondary>
+ </indexterm>
+ When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
+ High availability operation may be obtained through directory replication/synchronization and
+ master/slave server configurations. OpenLDAP is a mature platform to host the organizational
+ directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
+ The price paid through learning how to design an LDAP directory schema in implementation and configuration
+ of management tools is well rewarded by performance and flexibility, and the freedom to manage directory
+ contents with greater ability to back up, restore, and modify the directory than is generally possible
+ with Microsoft Active Directory.
+ </para>
+
+ <para><indexterm>
+ <primary>comparison</primary>
+ <secondary>Active Directory &amp; OpenLDAP</secondary>
+ </indexterm><indexterm>
+ <primary>ADAM</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>OpenLDAP</primary>
+ </indexterm>
+ A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
+ tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
+ for a specific task orientation. It comes with a set of administrative tools that is entirely customized
+ for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
+ server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
+ who wants to built a custom directory solution. Microsoft Active Directory is a generic LDAP server that has
+ been pre-configured for a specific task. Microsoft provides an application called
+ <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
+ MS ADAM</ulink> that provides more-generic LDAP services, yet it does not have the vanilla-like services
+ of OpenLDAP.
+ </para>
+
+ <para><indexterm>
+ <primary>directory</primary>
+ <secondary>schema</secondary>
+ </indexterm><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm>
+ You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
+ if you find the challenge of learning about LDAP directories, schemas, configuration, and management
+ tools, and the creation of shell and Perl scripts a bit
+ challenging. OpenLDAP can be easily customized, though it includes
+ many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
+ that is required for use as a passdb backend.
+ </para>
+
+ <para>
+ For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
+ there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
+ The Web-based tools you might like to consider include: The <ulink
+ url="http://lam.sourceforge.net/">LDAP
+ Account Manager</ulink> (LAM), as well as the <ulink
+ url="http://www.webmin.com">Webmin</ulink>-based Idealx
+ <ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>
+ </para>
+
+ <para>
+ Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
+ these so it may be useful to include passing reference to them.
+ The first is <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-ased LDAP browser;
+ LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor,</ulink>
+ <ulink url="http://www.jxplorer.org/">JXplorer</ulink> (by Computer Associates),
+ and the last is called <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin.</ulink>
+ </para>
+
+ <note><para>
+ The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
+ security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
+ is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
+ LDAP before attempting to deploy it in a business-critical environment.
+ </para></note>
+
+ <para>
+ Information to help you get started with OpenLDAP is available from the
+ <ulink url="http://www.openldap.org/pub/">
+ OpenLDAP Web Site.</ulink> Many people have found the book <ulink
+ url="http://www.booksense.com/product/info.jsp?isbn=1565924916">
+ LDAP System Administration,</ulink> written by Jerry Carter, quite useful.
+ </para>
+
+ <para><indexterm>
+ <primary>BDC</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>segment</secondary>
+ </indexterm><indexterm>
+ <primary>performance</primary>
+ </indexterm><indexterm>
+ <primary>network</primary>
+ <secondary>wide-area</secondary>
+ </indexterm>
+ Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
+ main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
+ be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly
+ improves overall network performance for most users, but this is not enough. You must gain control over
+ user desktops, and this must be done in a way that wins their support and does not cause further loss of
+ staff morale. The following procedures solve this problem.
+ </para>
+
+ <para><indexterm>
+ <primary>smart printing</primary>
+ </indexterm>
+ There is also an opportunity to implement smart printing features. You add this to the Samba configuration
+ so that future printer changes can be managed without need to change desktop configurations.
+ </para>
+
+ <para>
+ You add the ability to automatically download new printer drivers, even if they are not installed
+ in the default desktop profile. Only one example of printing configuration is given. It is assumed that
+ you can extrapolate the principles and use this to install all printers that may be needed.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para><indexterm>
+ <primary>identity</primary>
+ <secondary>management</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>server</secondary>
+ </indexterm><indexterm>
+ <primary>Posix</primary>
+ </indexterm>
+ The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
+ server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
+ accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account
+ attributes Samba needs. Samba-3 can use the LDAP backend to store:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Windows Networking User Accounts</para></listitem>
+ <listitem><para>Windows NT Group Accounts</para></listitem>
+ <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
+ <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary>UNIX accounts</primary>
+ </indexterm><indexterm>
+ <primary>Windows accounts</primary>
+ </indexterm><indexterm>
+ <primary>PADL LDAP tools</primary>
+ </indexterm><indexterm>
+ <primary>/etc/group</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>name service switch</primary>
+ <see>NSS</see>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>UID</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
+ accounts in the LDAP backend. This implies the need to use the
+ <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools.</ulink> The resolution
+ of the UNIX group name to its GID must be enabled from either the
+ <filename>/etc/group</filename>
+ or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> toolset
+ that integrates with the name service switcher (NSS). The same requirements exist for resolution
+ of the UNIX username to the UID. The relationships are demonstrated in <link linkend="ch6-LDAPdiag"/>.
+ </para>
+
+ <image id="ch6-LDAPdiag">
+ <description>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</description>
+ <imagefile scale="70">UNIX-Samba-and-LDAP.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>security</primary>
+ </indexterm><indexterm>
+ <primary>LDAP</primary>
+ <secondary>secure</secondary>
+ </indexterm>
+ You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
+ ought to learn how to configure secure communications over LDAP so that sites security is not
+ at risk. This is not covered in the following guidance.
+ </para>
+
+ <para><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>LDAP Interchange Format</primary>
+ <see>LDIF</see>
+ </indexterm><indexterm>
+ <primary>LDIF</primary>
+ </indexterm><indexterm>
+ <primary>secrets.tdb</primary>
+ </indexterm>
+ When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
+ called <constant>MASSIVE</constant>. You initialize the Samba
+ <filename>secrets.tdb<subscript></subscript></filename>
+ file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database
+ can be initialized. You need to decide how best to create user and group accounts. A few
+ hints are, of course, provided. You can also find on the enclosed
+ CD-ROM, in the <filename>Chap06</filename>
+ directory, a few tools that help to manage user and group configuration.
+ </para>
+
+ <para><indexterm>
+ <primary>folder redirection</primary>
+ </indexterm><indexterm>
+ <primary>default profile</primary>
+ </indexterm><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm>
+ In order to effect folder redirection and to add robustness to the implementation,
+ create a network Default Profile. All network users workstations are configured to use
+ the new profile. Roaming profiles will automatically be deleted from the workstation
+ when the user logs off.
+ </para>
+
+ <para><indexterm>
+ <primary>mandatory profile</primary>
+ </indexterm>
+ The profile is configured so that users cannot change the appearance
+ of their desktop. This is known as a mandatory profile. You make certain that users
+ are able to use their computers efficiently.
+ </para>
+
+ <para><indexterm>
+ <primary>logon scrip</primary>
+ </indexterm>
+ A network logon script is used to deliver flexible but consistent network drive
+ connections.
+ </para>
+
+ <sect3>
+ <title>Roaming Profile Background</title>
+
+ <para>
+ As XP roaming profiles grow, so does the amount of time it takes to log in and out.
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm><indexterm>
+ <primary>HKEY_CURRENT_USER</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm><indexterm>
+ <primary>%USERNAME%</primary>
+ </indexterm>
+ An XP Roaming Profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
+ <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
+ Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
+ network with the default configuration of MS Windows NT/200x/XPP, all this data is
+ copied to the local machine. By default it is copied to the local machine, under the
+ <filename>C:\Documents and Settings\%USERNAME%</filename> directory. While the user is logged in,
+ any changes made to any of these folders or to the <constant>HKEY_CURRENT_USER</constant>
+ branch of the registry are made to the local copy of the profile. At logout the profile
+ data is copied back to the server. This behavior can be changed through appropriate
+ registry changes and/or through changes to the Default User profile. In the latter case,
+ it updates the registry with the values that are set in the
+ profile <filename>NTUSER.DAT</filename>
+ file.
+ </para>
+
+ <para>
+ The first challenge is to reduce the amount of data that must be transferred to and
+ from the profile server as roaming profiles are processed. This includes removing
+ all the shortcuts in the Recent directory, making sure the cache used by the web browser
+ is not being dumped into the <filename>Application Data</filename> folder, removing the
+ Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the
+ user to not place large files on the Desktop and to use his mapped home directory for
+ saving documents instead of the <filename>My Documents</filename> folder.
+ </para>
+
+ <para><indexterm>
+ <primary>My Documents</primary>
+ </indexterm>
+ Using a folder other than <filename>My Documents</filename> is a nuisance for
+ some users since many applications use it by default.
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profiles</primary>
+ </indexterm><indexterm>
+ <primary>Local Group Policy</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm>
+ The secret to rapid loading of roaming profiles is to prevent unnecessary data from
+ being copied back and forth, without losing any functionality. This is not difficult;
+ it can be done by making changes to the Local Group Policy on each client as well
+ as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
+ </para>
+
+ <para><indexterm>
+ <primary>Network Default Profile</primary>
+ </indexterm><indexterm>
+ <primary>redirected folders</primary>
+ </indexterm>
+ Every user profile has their own <filename>NTUSER.DAT</filename> file. This means
+ you need to edit every user's profile, unless a better method can be
+ followed. Fortunately, with the right preparations, this is not difficult.
+ It is possible to remove the <filename>NTUSER.DAT</filename> file from each
+ user's profile. Then just create a Network Default Profile. Of course, it is
+ necessary to copy all files from redirected folders to the network share to which
+ they are redirected.
+ </para>
+
+ </sect3>
+
+ <sect3 id="ch6-locgrppol">
+ <title>The Local Group Policy</title>
+ <para><indexterm>
+ <primary>Group Policy Objects</primary>
+ </indexterm><indexterm>
+ <primary>Active Directory</primary>
+ </indexterm><indexterm>
+ <primary>PDC</primary>
+ </indexterm><indexterm>
+ <primary>Group Policy editor</primary>
+ </indexterm>
+ Without an Active Directory PDC, you cannot take full advantage of Group Policy
+ Objects. However, you can still make changes to the Local Group Policy by using
+ the Group Policy editor (<command>gpedit.msc</command>).
+ </para>
+
+ <para>
+ The <emphasis>Exclude directories in roaming profile</emphasis> settings can
+ be found under
+ <menuchoice>
+ <guimenu>User Configuration</guimenu>
+ <guimenuitem>Administrative Templates</guimenuitem>
+ <guimenuitem>System</guimenuitem>
+ <guimenuitem>User Profiles</guimenuitem>
+ </menuchoice>.
+ By default this setting contains:
+ <quote>Local Settings;Temporary Internet Files;History;Temp</quote>.
+ </para>
+
+ <para>
+ Simply add the folders you do not wish to be copied back and forth to this
+ semi-colon separated list. Note that this change must be made on all clients
+ that are using roaming profiles.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Profile Changes</title>
+ <para><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm><indexterm>
+ <primary>%USERNAME%</primary>
+ </indexterm>
+ There are two changes that should be done to each user's profile. Move each of
+ the directories that you have excluded from being copied back and forth out of
+ the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
+ to point to the new paths that are shared over the network, instead of the default
+ path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
+ </para>
+
+ <para><indexterm>
+ <primary>Default User</primary>
+ </indexterm><indexterm>
+ <primary>regedt32</primary>
+ </indexterm>
+ The above modifies existing user profiles. So that newly created profiles have
+ these settings, you will need to modify the <filename>NTUSER.DAT</filename> in
+ the <filename>C:\Documents and Settings\Default User</filename> folder on each
+ client machine, changing the same registry keys. You could do this by copying
+ <filename>NTUSER.DAT</filename> to a Linux box and using
+ <command>regedt32</command>.
+ The basic method is described under <link linkend="redirfold"/>.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Using a Network Default User Profile</title>
+
+ <para><indexterm>
+ <primary>NETLOGON</primary>
+ </indexterm><indexterm>
+ <primary>NTUSER.DAT</primary>
+ </indexterm>
+ If you are using Samba as your PDC, you should create a file-share called
+ <constant>NETLOGON</constant> and within that create a directory called
+ <filename>Default User</filename>, which is a copy of the desired default user
+ configuration (including a copy of <filename>NTUSER.DAT</filename>.
+ If this share exists and the <filename>Default User</filename> folder exists,
+ the first login from a new account pulls its configuration from it.
+ See also: <ulink
+ url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
+ the Real Men Don't Click</ulink> Web site.
+ </para>
+
+ </sect3>
+
+ <sect3>
+ <title>Installation of Printer Driver Auto-Download</title>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>dumb</secondary>
+ </indexterm><indexterm>
+ <primary>dumb printing</primary>
+ </indexterm><indexterm>
+ <primary>Raw Print Through</primary>
+ </indexterm>
+ The subject of printing is quite topical. Printing problems run second place to name
+ resolution issues today. So far in this book, you have experienced only what is generally
+ known as <quote>dumb</quote> printing. Dumb printing is the arrangement where all drivers
+ are manually installed on each client and the printing subsystems perform no filtering
+ or intelligent processing. Dumb printing is easily understood. It usually works without
+ many problems, but it has its limitations also. Dumb printing is better known as
+ <command>Raw Print Through</command> printing.
+ </para>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>drag-and-drop</secondary>
+ </indexterm><indexterm>
+ <primary>printing</primary>
+ <secondary>point-n-click</secondary>
+ </indexterm>
+ Samba permits the configuration of <command>Smart</command> printing using the Microsoft
+ Windows point-and-click (also called drag-and-drop) printing. What this provides is
+ essentially the ability to print to any printer. If the local client does not yet have a
+ driver installed, the driver is automatically downloaded from the Samba server and
+ installed on the client. Drag-and-drop printing is neat; it means the user never needs
+ to fuss with driver installation, and that is a <trademark>Good Thing</trademark>,
+ isn't it?
+ </para>
+
+ <para>
+ There is a further layer of print job processing that is known as <command>Intelligent</command>
+ printing that automatically senses the file format of data submitted for printing and
+ then invokes a suitable print filter to convert the incoming data stream into a format
+ suited to the printer to which the job is dispatched.
+ </para>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm><indexterm>
+ <primary>Postscript</primary>
+ </indexterm>
+ The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
+ detect the data format and apply a print filter. This means that it is feasible to install
+ on all Windows clients a single printer driver for use with all printers that are routed
+ through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately,
+ <ulink url="http://www.easysw.com">Easy Software Products,</ulink> the authors of CUPS have
+ released a Postscript printing driver for Windows. It can be installed into the Samba
+ printing backend so that it automatically downloads to the client when needed.
+ </para>
+
+ <para>
+ This means that so long as there is a CUPS driver for the printer, all printing from Windows
+ software can use Postscript, no matter what the actual printer language for the physical
+ device is. It also means that the administrator can swap out a printer with a totally
+ different type of device without ever needing to change a client workstation driver.
+ </para>
+
+ <para>
+ This book is about Samba-3, so you can confine the printing style to just the smart
+ style of installation. Those interested in further information regarding intelligent
+ printing should review documentation on the Easy Software Products Web site.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ MS Windows network users are generally very sensitive to limits that may be imposed when
+ confronted with locked-down workstation configurations. The challenge you face must
+ be promoted as a choice between reliable and fast network operation, and a constant flux
+ of problems that result in user irritation.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Installation Check-List</title>
+
+ <para>
+ You are starting a complex project. Even though you have gone through the installation
+ of a complex network in chapter 5, this network is a bigger challenge because of the
+ large number of complex applications that must be configured before the first few steps
+ can be validated. Take stock of what you are about to undertake, prepare yourself, and
+ frequently review the steps ahead while making at least a mental note of what has already
+ been completed. The following task list may help you to keep track of the task items
+ that are covered:
+ </para>
+
+
+ <itemizedlist>
+ <listitem><para>Samba-3 PDC Server Configuration</para>
+ <orderedlist>
+ <listitem><para>DHCP and DNS Servers</para></listitem>
+ <listitem><para>OpenLDAP Server</para></listitem>
+ <listitem><para>PAM and NSS Client Tools</para></listitem>
+ <listitem><para>Samba-3 PDC</para></listitem>
+ <listitem><para>Idealx SMB-LDAP Scripts</para></listitem>
+ <listitem><para>LDAP Initialization</para></listitem>
+ <listitem><para>Create User and Group Accounts</para></listitem>
+ <listitem><para>Printers</para></listitem>
+ <listitem><para>Share Point Directory Roots</para></listitem>
+ <listitem><para>Profile Directories</para></listitem>
+ </orderedlist>
+ </listitem>
+ <listitem><para>Samba-3 BDC Server Configuration</para>
+ <orderedlist>
+ <listitem><para>DHCP and DNS Servers</para></listitem>
+ <listitem><para>PAM and NSS Client Tools</para></listitem>
+ <listitem><para>Printers</para></listitem>
+ <listitem><para>Share Point Directory Roots</para></listitem>
+ <listitem><para>Profiles Directories</para></listitem>
+ </orderedlist>
+ </listitem>
+ <listitem><para>Samba-3 BDC Server Configuration</para></listitem>
+ <listitem><para>Windows XP Client Configuration</para>
+ <orderedlist>
+ <listitem><para>Default Profile Folder Redirection</para></listitem>
+ <listitem><para>MS Outlook PST File Relocation</para></listitem>
+ <listitem><para>Delete Roaming Profile on Logout</para></listitem>
+ <listitem><para>Upload Printer Drivers to Samba Servers</para></listitem>
+ <listitem><para>Install Software</para></listitem>
+ <listitem><para>Creation of Roll-out Images</para></listitem>
+ </orderedlist>
+ </listitem>
+ </itemizedlist>
+
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Samba Server Implementation</title>
+
+ <para><indexterm>
+ <primary>file servers</primary>
+ </indexterm><indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
+ that you will install additional file servers, and possibly additional BDCs.
+ </para>
+
+ <image id="chap6net">
+ <description>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend.</description>
+ <imagefile scale="70">chap6-net.png</imagefile>
+ </image>
+
+ <para><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm>
+ All configuration files and locations are shown for SUSE Linux 9.0. The file locations for
+ Red Hat Linux are similar. You may need to adjust the locations for your particular
+ Linux system distribution/implementation.
+ </para>
+
+ <para>
+ The steps in the process involve changes from the network configuration
+ shown in <link linkend="Big500users"/>.
+ Before implementing the following steps, you must have completed the network implementation shown
+ in that chapter. If you are starting with newly installed Linux servers, you must complete
+ the steps shown in <link linkend="ch5-dnshcp-setup"/> before commencing
+ at <link linkend="ldapsetup"/>:
+ </para>
+
+ <sect2 id="ldapsetup">
+ <title>OpenLDAP Server Configuration</title>
+
+ <para><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm><indexterm>
+ <primary>pam_ldap</primary>
+ </indexterm><indexterm>
+ <primary>openldap</primary>
+ </indexterm>
+ Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
+ </para>
+
+ <table id="oldapreq">
+ <title>Required OpenLDAP Linux Packages</title>
+ <tgroup cols="3">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry align="center">SUSE Linux 8.x</entry>
+ <entry align="center">SUSE Linux 9</entry>
+ <entry align="center">Red Hat Linux 9</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>nss_ldap</entry>
+ <entry>nss_ldap</entry>
+ <entry>nss_ldap</entry>
+ </row>
+ <row>
+ <entry>pam_ldap</entry>
+ <entry>pam_ldap</entry>
+ <entry>pam_ldap</entry>
+ </row>
+ <row>
+ <entry>openldap2</entry>
+ <entry>openldap2</entry>
+ <entry>openldap</entry>
+ </row>
+ <row>
+ <entry>openldap2-client</entry>
+ <entry>openldap2-client</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-perl</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-monitor</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-ldap</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry></entry>
+ <entry>openldap2-back-meta</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>
+ Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method
+ for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you
+ follow these guidelines, the resulting system should work fine.
+ </para>
+
+<?latex \newpage ?>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>/etc/openldap/slapd.conf</primary>
+ </indexterm>
+ Install the file shown in <link linkend="ch6-slapdconf"/> in the directory
+ <filename>/etc/openldap</filename>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/var/lib/ldap</primary>
+ </indexterm><indexterm>
+ <primary>group account</primary>
+ </indexterm><indexterm>
+ <primary>user account</primary>
+ </indexterm>
+ Remove all files from the directory <filename>/var/lib/ldap</filename>, making certain that
+ the directory exists with permissions:
+<screen>
+&rootprompt; ls -al /var/lib | grep ldap
+drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
+</screen>
+ This may require you to add a user and a group account for LDAP if they do not exist.
+ </para></step>
+
+ </procedure>
+
+
+<example id="ch6-slapdconf">
+<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title>
+<screen>
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database ldbm
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</screen>
+</example>
+
+ </sect2>
+
+ <sect2 id="ch6-PAM-NSS">
+ <title>PAM and NSS Client Configuration</title>
+
+ <para><indexterm>
+ <primary>LDAP</primary>
+ </indexterm><indexterm>
+ <primary>NSS</primary>
+ </indexterm><indexterm>
+ <primary>PAM</primary>
+ </indexterm>
+ The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution
+ of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead
+ configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
+ </para>
+
+ <para>
+ Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
+ that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
+ correct configuration of the Pluggable Authentication
+ Modules<indexterm>
+ <primary>Pluggable Authentication Modules</primary>
+ <see>PAM</see>
+ </indexterm><indexterm>
+ <primary>pam_unix2.so</primary>
+ </indexterm>
+ (PAM). The <command>pam_ldap</command>
+ open source package provides the PAM modules that most people would use. On SUSE Linux systems,
+ the <command>pam_unix2.so</command> module also has the ability to redirect authentication requests
+ through LDAP.
+ </para>
+
+ <para><indexterm>
+ <primary>YaST</primary>
+ </indexterm><indexterm>
+ <primary>SUSE Linux</primary>
+ </indexterm><indexterm>
+ <primary>Red Hat Linux</primary>
+ </indexterm><indexterm>
+ <primary>authconfig</primary>
+ </indexterm>
+ You have chosen to configure these services by directly editing the system files but, of course, you
+ know that this configuration can be done using system tools provided by the Linux system vendor.
+ SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
+ <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
+ configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
+ the <command>authconfig</command>
+ tool for this.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>/lib/libnss_ldap.so.2</primary>
+ </indexterm><indexterm>
+ <primary>/etc/ldap.conf</primary>
+ </indexterm><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ Execute the following command to find where the <filename>nss_ldap</filename> module
+ expects to find its control file:
+<screen>
+&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
+</screen>
+ The preferred and usual location is <filename>/etc/ldap.conf</filename>.
+ </para></step>
+
+ <step><para>
+ On the server <constant>MASSIVE</constant>, install the file shown in
+ <link linkend="ch6-nss01"/> into the path that was obtained from the step above.
+ On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
+ <link linkend="ch6-nss02"/> into the path that was obtained from the step above.
+ </para></step>
+
+<example id="ch6-nss01">
+<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
+<screen>
+SIZELIMIT 200
+TIMELIMIT 15
+DEREF never
+
+host 127.0.0.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+</screen>
+</example>
+
+<example id="ch6-nss02">
+<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
+<screen>
+SIZELIMIT 200
+TIMELIMIT 15
+DEREF never
+
+host 172.16.0.1
+base dc=abmas,dc=biz
+binddn cn=Manager,dc=abmas,dc=biz
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=abmas,dc=biz?one
+nss_base_shadow ou=People,dc=abmas,dc=biz?one
+nss_base_group ou=Groups,dc=abmas,dc=biz?one
+</screen>
+</example>
+
+ <step><para><indexterm>
+ <primary>/etc/nsswitch.conf</primary>
+ </indexterm>
+ Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
+ control user and group resolution will obtain information from the normal system files as
+ well as from <command>ldap</command> as follows:
+<screen>
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+hosts: files dns wins
+</screen>
+ Later, when the LDAP database has been initialized and user and group accounts have been
+ added, you can validate resolution of the LDAP resolver process. The inclusion of
+ WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
+ resolved to their IP addresses, whether or not they are DHCP clients.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>pam_unix2.so</primary>
+ <secondary>use_ldap</secondary>
+ </indexterm>
+ For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
+ files in the <filename>/etc/pam.d</filename> directory:
+ <command>login, password, samba, sshd</command>.
+ In each file, locate every entry that has the <command>pam_unix2.so</command> entry and add to the
+ line the entry <command>use_ldap</command> as shown for the
+ <command>login</command> module in
+ this example:
+<screen>
+#%PAM-1.0
+auth requisite pam_unix2.so nullok use_ldap #set_secrpc
+auth required pam_securetty.so
+auth required pam_nologin.so
+#auth required pam_homecheck.so
+auth required pam_env.so
+auth required pam_mail.so
+account required pam_unix2.so use_ldap
+password required pam_pwcheck.s nullok
+password required pam_unix2.so nullok use_first_pass \
+ use_authtok use_ldap
+session required pam_unix2.so none use_ldap # debug or trace
+session required pam_limits.so
+</screen>
+ </para>
+
+ <para><indexterm>
+ <primary>pam_ldap.so</primary>
+ </indexterm>
+ On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
+ you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
+<screen>
+#%PAM-1.0
+auth required pam_securetty.so
+auth required pam_nologin.so
+auth sufficient pam_ldap.so
+auth required pam_unix2.so nullok try_first_pass #set_secrpc
+account sufficient pam_ldap.so
+account required pam_unix2.so
+password required pam_pwcheck.so nullok
+password required pam_ldap.so use_first_pass use_authtok
+password required pam_unix2.so nullok use_first_pass use_authtok
+session required pam_unix2.so none # debug or trace
+session required pam_limits.so
+session required pam_env.so
+session optional pam_mail.so
+</screen>
+ This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
+ demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
+ implementation, but if the <command>pam_unix2.so</command> on your system supports
+ LDAP, you probably want to use it, rather than add an additional module.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch6-massive">
+ <title>Samba-3 PDC Configuration</title>
+
+ <para><indexterm>
+ <primary>Samba RPM Packages</primary>
+ </indexterm>
+ Verify that the Samba-3.0.2 (or later) packages are installed on each SUSE Linux server
+ before following the steps below. If Samba-3.0.2 (or later) is not installed, you have the
+ choice to either build your own or to obtain the packages from a dependable source.
+ Packages for SUSE Linux 8.2 and 9.0, and Red Hat 9.0 are included on the CD-ROM that
+ is included at the back of this book.
+ </para>
+
+ <procedure>
+ <title>Configuration of PDC Called: <constant>MASSIVE</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-massive-smbconfa"/>,
+ <link linkend="ch6-massive-smbconfb"/>, <link linkend="ch6-shareconfa"/>,
+ and <link linkend="ch6-shareconfb"/> into the <filename>/etc/samba/</filename>
+ directory. The three files should be added together to form the &smb.conf;
+ file.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ Verify the contents of the &smb.conf; file that is generated by Samba
+ as it collates all the included files. You do this by executing:
+<screen>
+&rootprompt; testparm -s &gt; test.conf
+</screen>
+ The output that is created should be free from errors, as shown here:
+
+<screen>
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[apps]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[profdata]"
+Processing section "[IPC$]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[pidata]"
+Loaded services file OK.
+</screen>
+ </para></step>
+
+ <step><para>
+ Delete all run-time files from prior Samba operation by executing (for SUSE
+ Linux):
+<screen>
+&rootprompt; rm /etc/samba/*tdb
+&rootprompt; rm /var/lib/samba/*tdb
+&rootprompt; rm /var/lib/samba/*dat
+&rootprompt; rm /var/log/samba/*
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>secrets.tdb</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Samba-3 communicates with the LDAP server. The password that it uses to
+ authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
+ file. Execute the following to create the new <filename>secrets.tdb</filename> files
+ and store the password for the LDAP Manager:
+<screen>
+&rootprompt; smbpasswd -w not24get
+</screen>
+ The expected output from this command is:
+<screen>
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>getlocalsid</secondary>
+ </indexterm>
+ Samba-3 generates a Windows Security Identifier only when <command>smbd</command>
+ has been started. For this reason, you start Samba. After a few seconds delay,
+ execute:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+&rootprompt; net getlocalsid
+</screen>
+ A report such as the following means that the Domain Security Identifier (SID) has not yet
+ been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
+<screen>
+[2003/12/16 22:32:20, 0] utils/net.c:net_getlocalsid(414)
+ Can't fetch domain SID for name: MASSIVE
+</screen>
+ When the Domain has been created and written to the <filename>secrets.tdb</filename>
+ file, the output should look like this:
+<screen>
+SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
+</screen>
+ If, after a short delay (a few seconds), the Domain SID has still not been written to
+ the <filename>secrets.tdb</filename> file, it is necessary to investigate what
+ may be mis-configured. In this case, carefully check the &smb.conf; file for typographical
+ errors (the most common problem). The use of the <command>testparm</command> is highly
+ recommended to validate the contents of this file.
+ </para></step>
+
+ <step><para>
+ When a positive Domain SID has been reported, stop Samba.
+ </para></step>
+
+ <step><para>
+ <indexterm>
+ <primary>NFS server</primary>
+ </indexterm>
+ <indexterm>
+ <primary>/etc/exports</primary>
+ </indexterm>
+ <indexterm>
+ <primary>BDC</primary>
+ </indexterm>
+ <indexterm>
+ <primary>rsync</primary>
+ </indexterm>
+ Configure the NFS server for your Linux system. So you can complete the steps that
+ follow, enter into the <filename>/etc/exports</filename> the following entry:
+<screen>
+/home *(rw,root_squash,sync)
+</screen>
+ This permits the user home directories to be used on the BDC servers for testing
+ purposes. You, of course, decide what is the best way for your site to distribute
+ data drives, as well as creating suitable backup and restore procedures for Abmas Inc.
+ I'd strongly recommend that for normal operation the BDC is completely independent
+ of the PDC. rsync is a useful tool here as it resembles the NT replication service quite
+ closely. If you do use NFS, do not forget to start the NFS server as follows:
+<screen>
+&rootprompt; rcnfs start
+</screen>
+ </para></step>
+ </procedure>
+
+ <para>
+ Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
+ configuration of the LDAP server.
+ </para>
+
+<smbconfexample id="ch6-massive-smbconfa">
+<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>MASSIVE</value></smbconfoption>
+ <smbconfoption><name>interfaces</name><value>eth1, lo</value></smbconfoption>
+ <smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>add user script</name><value>/var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</value></smbconfoption>
+ <smbconfoption><name>delete user script</name><value>/var/lib/samba/sbin/smbldap-userdel.pl %u</value></smbconfoption>
+ <smbconfoption><name>add group script</name><value>/var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</value></smbconfoption>
+ <smbconfoption><name>delete group script</name><value>/var/lib/samba/sbin/smbldap-groupdel.pl '%g'</value></smbconfoption>
+ <smbconfoption><name>add user to group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-groupmod.pl -m '%u' '%g'</parameter></member>
+ <smbconfoption><name>delete user from group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-groupmod.pl -x '%u' '%g'</parameter></member>
+ <smbconfoption><name>set primary group script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-usermod.pl -g '%g' '%u'</parameter></member>
+ <smbconfoption><name>add machine script</name><value>/var/lib/samba/sbin/</value></smbconfoption>
+ <member><parameter>smbldap-useradd.pl -w '%u'</parameter></member>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch6-massive-smbconfb">
+<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Install and Configure Idealx SMB-LDAP Scripts</title>
+
+ <para><indexterm>
+ <primary>Idealx</primary>
+ <secondary>smbldap-tools</secondary>
+ </indexterm>
+ The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
+ on the LDAP server. You have chosen the Idealx scripts since they are part of the
+ Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the
+ <filename>/usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools</filename>
+ directory. On a Red Hat Linux system, they are in a similar path. If you cannot find
+ the scripts on your system, it is easy enough to download them from the Idealx
+ <ulink url="http://samba.idealx.org/index.en.html">Web Site.</ulink> The tarball may
+ be directly <ulink
+ url="http://samba.idealx.org/dist/smbldap-tools-0.8.2.tgz">downloaded</ulink>
+ for this site, also.
+ </para>
+
+ <para>
+ In your installation, the smbldap-tools are located in <filename>/var/lib/samba/sbin</filename>.
+ They can be installed in any convenient directory of your choice, in which case you must
+ change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
+ </para>
+
+ <para>
+ The scripts are not needed on BDC machines because all LDAP updates are handled by
+ the PDC alone.
+ </para>
+
+ <procedure id="idealxscript">
+ <step><para>
+ Create the <filename>/var/lib/samba/sbin</filename> directory, and set its permissions
+ and ownership as shown here:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/sbin
+&rootprompt; chown root.root /var/lib/samba/sbin
+&rootprompt; chmod 755 /var/lib/samba/sbin
+</screen>
+ </para></step>
+
+ <step><para>
+ If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
+ Change into either the directory extracted from the tarball, or else into the smbldap-tools
+ directory in your <filename>/usr/share/doc/packages</filename> directory tree.
+ </para></step>
+
+ <step><para>
+ Copy all the <filename>.pl</filename> and <filename>.pm</filename> files into the
+ <filename>/var/lib/samba/sbin</filename> directory, as shown here:
+<screen>
+&rootprompt; cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools
+&rootprompt; cp *.pl *.pm /var/lib/samba/sbin
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>mkntpasswd</primary>
+ </indexterm>
+ You must compile the <command>mkntpasswd</command> tool and then install it into
+ the <filename>/var/lib/samba/sbin</filename> directory, as shown here:
+<screen>
+&rootprompt; cd mkntpwd
+&rootprompt; make
+gcc -O2 -DMPU8086 -c -o getopt.o getopt.c
+gcc -O2 -DMPU8086 -c -o md4.o md4.c
+gcc -O2 -DMPU8086 -c -o mkntpwd.o mkntpwd.c
+mkntpwd.c: In function `main':
+mkntpwd.c:37: warning: return type of `main' is not `int'
+gcc -O2 -DMPU8086 -c -o smbdes.o smbdes.c
+gcc -O2 -DMPU8086 -o mkntpwd getopt.o md4.o mkntpwd.o smbdes.o
+&rootprompt; cp mkntpwd /var/lib/samba/sbin
+</screen>
+ The smbldap-tools scripts must now be configured.
+ </para></step>
+
+ <step><para>
+ Change to the <filename>/var/lib/samba/sbin</filename> directory, and edit the
+ <filename>/var/lib/samba/sbin/smbldap_conf.pm</filename> to affect the changes
+ shown here:
+<screen>
+# Put your own SID
+# to obtain this number do: "net getlocalsid"
+#$SID='S-1-5-21-1671648649-242858427-2873575837';
+$SID='S-1-5-21-3504140859-1010554828-2431957765';
+...
+# LDAP Suffix
+# Ex: $suffix = "dc=IDEALX,dc=ORG";
+$suffix = "dc=abmas,dc=biz";
+...
+# Where are stored Users
+# Ex: $usersdn = "ou=Users,$suffix"; ...
+$usersou = q(People);
+$usersdn = "ou=$usersou,$suffix";
+
+# Where are stored Computers
+# Ex: $computersdn = "ou=Computers,$suffix"; ...
+$computersou = q(People);
+$computersdn = "ou=$computersou,$suffix";
+
+# Where are stored Groups
+# Ex $groupsdn = "ou=Groups,$suffix"; ...
+$groupsou = q(Groups);
+$groupsdn = "ou=$groupsou,$suffix";
+
+# Default scope Used
+$scope = "sub";
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+$hash_encrypt="MD5";
+...
+############################
+# Credential Configuration #
+############################
+# Bind DN used
+# Ex: $binddn = "cn=admin,$suffix"; ...
+$binddn = "cn=Manager,$suffix";
+
+# Bind DN passwd used
+# Ex: $bindpasswd = 'secret'; for 'secret'
+$bindpasswd = 'not24get';
+...
+# Login defs
+# Default Login Shell
+# Ex: $_userLoginShell = q(/bin/bash);
+#$_userLoginShell = q(_LOGINSHELL_);
+$_userLoginShell = q(/bin/bash);
+
+# Home directory prefix (without username)
+# Ex: $_userHomePrefix = q(/home/);
+#$_userHomePrefix = q(_HOMEPREFIX_);
+$_userHomePrefix = q(/home/);
+...
+# The UNC path to home drives location without the
+# username last extension (will be dynamically prepended)
+# Ex: q(\\\\My-PDC-netbios-name\\homes)
+# Just comment this if you want to use the smb.conf
+# 'logon home' directive # and/or desabling roaming profiles
+#$_userSmbHome = q(\\\\_PDCNAME_\\homes);
+$_userSmbHome = q(\\\\MASSIVE\\homes);
+
+# The UNC path to profiles locations without the username
+# last extension (will be dynamically prepended)
+# Ex: q(\\\\My-PDC-netbios-name\\profiles\\)
+# Just comment this if you want to use the smb.conf
+# 'logon path' directive and/or desabling roaming profiles
+$_userProfile = q(\\\\MASSIVE\\profiles\\);
+
+# The default Home Drive Letter mapping
+# (automatically mapped at logon time if home directory exists)
+# Ex: q(U:) for U:
+#$_userHomeDrive = q(_HOMEDRIVE_);
+$_userHomeDrive = q(H:);
+...
+# Allows not to use smbpasswd
+# (if $with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer mkntpwd... most of the time, it's a wise choice :-)
+$with_smbpasswd = 0;
+$smbpasswd = "/usr/bin/smbpasswd";
+$mk_ntpasswd = "/var/lib/samba/sbin/mkntpwd";
+...
+</screen>
+ </para></step>
+
+ <step><para>
+ To complete the configuration of the smbldap-tools, set the permissions and ownership
+ by executing the following commands:
+<screen>
+&rootprompt; chown root.root /var/lib/samba/sbin/*
+&rootprompt; chmod 755 /var/lib/samba/sbin/smb*pl
+&rootprompt; chmod 640 /var/lib/samba/sbin/smb*pm
+&rootprompt; chmod 555 /var/lib/samba/sbin/mkntpwd
+</screen>
+ The smbldap-tools scripts are now ready for use.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>LDAP Initialization and Creation of User and Group Accounts</title>
+
+ <para>
+ The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group
+ accounts before Samba can be used. The following procedures step you through the process.
+ </para>
+
+ <para>
+ At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are
+ mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not
+ hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
+ database. From a UNIX system perspective, the NSS resolver checks system files before
+ referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
+ does not need to ask LDAP.
+ </para>
+
+ <para>
+ Addition of an account to the LDAP backend can be done in a number of ways:
+ </para>
+
+ <blockquote><para><indexterm>
+ <primary>NIS</primary>
+ </indexterm><indexterm>
+ <primary>/etc/passwd</primary>
+ </indexterm><indexterm>
+ <primary>Posix accounts</primary>
+ </indexterm><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm><indexterm>
+ <primary>SambaSamAccount</primary>
+ </indexterm><indexterm>
+ <primary>PosixAccount</primary>
+ </indexterm>
+ If you always have a user account in the <filename>/etc/passwd</filename> on every
+ server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in
+ LDAP. In this case, you can add Windows Domain user accounts using the
+ <command>pdbedit</command> utility. Use of this tool from the command line adds the
+ SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
+ </para>
+
+ <para>
+ If you decide that it is probably a good idea to add both the PosixAccount attributes
+ as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
+ In the example system you are installing in this exercise, you are making use of the
+ Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
+ is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
+ </para></blockquote>
+
+ <para><indexterm>
+ <primary>Idealx</primary>
+ <secondary>smbldap-tools</secondary>
+ </indexterm>
+ If you wish to have more control over how the LDAP database is initialized or
+ want not to use the Idealx smbldap-tools, you should refer to <link
+ linkend="altldapcfg"/>.
+ </para>
+
+ <para><indexterm>
+ <primary>smbldap-populate.pl</primary>
+ </indexterm>
+ The following steps initialize the LDAP database, and then you can add user and group
+ accounts that Samba can use. You use the <command>smbldap-populate.pl</command> to
+ seed the LDAP database. You then manually add the accounts shown in <link linkend="ch6-bigacct"/>.
+ The list of users does not cover all 500 network users; it provides examples only.
+ </para>
+
+ <note><para><indexterm>
+ <primary>LDAP</primary>
+ <secondary>database</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>People container</secondary>
+ </indexterm><indexterm>
+ <primary>directory</primary>
+ <secondary>Computers container</secondary>
+ </indexterm>
+ In the following examples, as the LDAP database is initialized, we do create a container
+ for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
+ of the People container, not the Computers container, for domain member accounts. This is not a
+ mistake; it is a deliberate action that is necessitated by the fact that there is a bug in Samba-3
+ that prevents it from being able to search the LDAP database for computer accounts if they are
+ placed in the Computers container. By placing all machine accounts in the People container, we
+ are able to side-step this bug. It is expected that at some time in the future this problem will
+ be resolved. At that time, it will be possible to use the Computers container in order to keep
+ machine accounts separate from user accounts.
+ </para></note>
+
+
+ <table id="ch6-bigacct">
+ <title>Abmas Network Users and Groups</title>
+ <tgroup cols="4">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry align="center">Account Name</entry>
+ <entry align="center">Type</entry>
+ <entry align="center">ID</entry>
+ <entry align="center">Password</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Robert Jordan</entry>
+ <entry>User</entry>
+ <entry>bobj</entry>
+ <entry>n3v3r2l8</entry>
+ </row>
+ <row>
+ <entry>Stanley Soroka</entry>
+ <entry>User</entry>
+ <entry>stans</entry>
+ <entry>impl13dst4r</entry>
+ </row>
+ <row>
+ <entry>Christine Roberson</entry>
+ <entry>User</entry>
+ <entry>chrisr</entry>
+ <entry>S9n0nw4ll</entry>
+ </row>
+ <row>
+ <entry>Mary Vortexis</entry>
+ <entry>User</entry>
+ <entry>maryv</entry>
+ <entry>kw13t0n3</entry>
+ </row>
+ <row>
+ <entry>Accounts</entry>
+ <entry>Group</entry>
+ <entry>Accounts</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>Finances</entry>
+ <entry>Group</entry>
+ <entry>Finances</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>Insurance</entry>
+ <entry>Group</entry>
+ <entry>PIOps</entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <procedure id="creatacc">
+ <step><para>
+ Start the LDAP server by executing:
+<screen>
+&rootprompt; rcldap start
+Starting ldap-server done
+</screen>
+ </para></step>
+
+ <step><para>
+ Change to the <filename>/var/lib/samba/sbin</filename> directory.
+ </para></step>
+
+ <step><para>
+ Execute the script that will populate the LDAP database as shown here:
+<screen>
+&rootprompt; ./smbldap-populate.pl
+Using builtin directory structure
+adding new entry: dc=abmas,dc=biz
+adding new entry: ou=People,dc=abmas,dc=biz
+adding new entry: ou=Groups,dc=abmas,dc=biz
+adding new entry: ou=Computers,dc=abmas,dc=biz
+adding new entry: uid=Administrator,ou=People,dc=abmas,dc=biz
+adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
+adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Guests,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Power Users,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Account Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Server Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Replicator,ou=Groups,dc=abmas,dc=biz
+adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+</screen>
+ </para></step>
+
+ <step><para>
+ It is necessary to restart the LDAP server as shown here:
+<screen>
+&rootprompt; rcldap restart
+Shutting down ldap-server done
+Starting ldap-server done
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapcat</primary>
+ </indexterm>
+ So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data.
+ There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
+ the simplest is to execute:
+<screen>
+&rootprompt; slapcat | grep -i idmap
+dn: ou=Idmap,dc=abmas,dc=biz
+ou: idmap
+</screen>
+ <indexterm>
+ <primary>ldapadd</primary>
+ </indexterm>
+ If the execution of this command does not return IDMAP entries, you need to create an LDIF
+ template file (see <link linkend="ch6-ldifadd"/>). You can add the required entries using
+ the following command:
+<screen>
+&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
+ -w not24get &lt; /etc/openldap/idmap.LDIF
+</screen>
+ Samba automatically populates this LDAP directory container when it needs to.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>slapcat</primary>
+ </indexterm>
+ It looks like all has gone well, as expected. Let's confirm that this is the case
+ by running a few tests. First we check the contents of the database directly
+ by running <command>slapcat</command> as follows (the output has been cut down):
+<screen>
+&rootprompt; slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+structuralObjectClass: organization
+entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234200Z
+entryCSN: 2003121723:42:00Z#0x0001#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234200Z
+...
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+structuralObjectClass: posixGroup
+entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
+creatorsName: cn=Manager,dc=abmas,dc=biz
+createTimestamp: 20031217234206Z
+entryCSN: 2003121723:42:06Z#0x0002#0#0000
+modifiersName: cn=Manager,dc=abmas,dc=biz
+modifyTimestamp: 20031217234206Z
+</screen>
+ This looks good so far.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ldapsearch</primary>
+ </indexterm>
+ The next step is to prove that the LDAP server is running and responds to a
+ search request. Execute the following as shown (output has been cut to save space):
+<screen>
+&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+...
+# Domain Computers, Groups, abmas.biz
+dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 553
+cn: Domain Computers
+description: Netbios Domain Computers accounts
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
+sambaGroupType: 2
+displayName: Domain Computers
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 20
+# numEntries: 19
+</screen>
+ Good. It is all working just fine.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ You must now make certain that the NSS resolver can interrogate LDAP also.
+ Execute the following commands:
+<screen>
+&rootprompt; getent passwd | grep Administrator
+Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+
+&rootprompt; getent group | grep Domain
+Domain Admins:x:512:Administrator
+Domain Users:x:513:
+Domain Guests:x:514:
+Domain Computers:x:553:
+</screen><indexterm>
+ <primary>nss_ldap</primary>
+ </indexterm>
+ This demonstrates that the <command>nss_ldap</command> library is functioning
+ as it should.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-useradd.pl</primary>
+ </indexterm><indexterm>
+ <primary>smbldap-passwd.pl</primary>
+ </indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Our database is now ready for the addition of network users. For each user for
+ whom an account must be created, execute the following:
+<screen>
+&rootprompt; ./smbldap-useradd.pl -m -a <constant>username</constant>
+&rootprompt; ./smbldap-passwd.pl <constant>username</constant>
+Changing password for <constant>username</constant>
+New password : XXXXXXXX
+Retype new password : XXXXXXXX
+
+&rootprompt; smbpasswd <constant>username</constant>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+</screen>
+ Where <constant>username</constant> is the login ID for each user.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
+ following:
+<screen>
+&rootprompt; getent passwd
+...
+Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+
+&rootprompt; id chrisr
+uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
+</screen>
+ This confirms that the UNIX (Posix) user accounts can be resolved from LDAP.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-usermod.pl</primary>
+ </indexterm>
+ In the above listing, you can see that the user <constant>Administrator</constant>
+ has been given UID=998. This means that operations conducted from a Windows client
+ using tools such as the Domain User Manager fails under UNIX because the
+ management of user and group accounts requires that the UID=0. You decide to rectify
+ this immediately as demonstrated here:
+<screen>
+&rootprompt; cd /var/lib/samba/sbin
+&rootprompt; ./smbldap-usermod.pl -u 0 Administrator
+</screen>
+ </para></step>
+
+ <step><para>
+ Make certain that a home directory has been created for every user by listing the
+ directories in <filename>/home</filename> as follows:
+<screen>
+&rootprompt; ls -al /home
+drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
+drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
+drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
+drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
+drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
+drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
+</screen>
+ This is precisely what we want to see.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>ldapsam</primary>
+ </indexterm><indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ The final validation step involves making certain that Samba-3 can obtain the user
+ accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
+<screen>
+&rootprompt; pdbedit -Lv chrisr
+Unix username: chrisr
+NT username: chrisr
+Account Flags: [U ]
+User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
+Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
+Full Name: System User
+Home Directory: \\MASSIVE\homes
+HomeDir Drive: H:
+Logon Script: chrisr.cmd
+Profile Path: \\MASSIVE\profiles\chrisr
+Domain: MEGANET2
+Account desc: System User
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 17 Dec 2003 17:17:40 GMT
+Password can change: Wed, 17 Dec 2003 17:17:40 GMT
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</screen>
+ This looks good. Of course, you fully expected that it would all work, didn't you?
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbldap-groupadd.pl</primary>
+ </indexterm>
+ Now you add the group accounts that are used on the Abmas network. Execute
+ the following exactly as shown:
+<screen>
+&rootprompt; ./smbldap-groupadd.pl -a Accounts
+&rootprompt; ./smbldap-groupadd.pl -a Finances
+&rootprompt; ./smbldap-groupadd.pl -a PIOps
+</screen>
+ The addition of groups does not involve keyboard interaction, so the lack of console
+ output is of no concern.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ You really do want to confirm that UNIX group resolution from LDAP is functioning
+ as it should. Let's do this as shown here:
+<screen>
+&rootprompt; getent group
+...
+Domain Admins:x:512:Administrator
+Domain Users:x:513:bobj,stans,chrisr,maryv
+Domain Guests:x:514:
+...
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</screen>
+ The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
+ as our own site-specific group accounts, are correctly listed. This is looking good.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>list</tertiary>
+ </indexterm>
+ The final step we need to validate is that Samba can see all the Windows Domain Groups
+ and that they are correctly mapped to the respective UNIX group account. To do this,
+ just execute the following command:
+<screen>
+&rootprompt; net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
+</screen>
+ This is looking good. Congratulations &smbmdash; it works! Note that in the above output
+ the lines where shortened by replacing the middle value (1010554828) of the SID with the
+ elipsis (...).
+ </para></step>
+
+ <step><para>
+ The server you have so carefully built is now ready for another important step. You
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, on system reboot, they are automatically
+ started:
+<screen>
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig dhcpd on
+&rootprompt; chkconfig ldap on
+&rootprompt; chkconfig nmb on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig winbind on
+&rootprompt; rcnmb start
+&rootprompt; rcsmb start
+&rootprompt; rcwinbind start
+</screen>
+ </para></step>
+
+ <step><para>
+ The next step might seem a little odd at this point, but take note that you are about to
+ start <command>winbindd</command> which must be able to authenticate to the PDC via the
+ localhost interface. This requires a Domain account for the PDC. This account can be
+ easily created by joining the PDC to the Domain by executing the following command:
+<screen>
+&rootprompt; net rpc join -U Administrator%not24get
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain security account for the BDC has been correctly created.
+ </para></step>
+
+ <step><para>
+ At this time it is necessary to restart <command>winbindd</command> so that it can
+ correctly authenticate to the PDC. The following command achieves that:
+<screen>
+&rootprompt; rcwinbind restart
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ You may now check Samba-3 operation as follows:
+<screen>
+&rootprompt; smbclient -L massive -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.1)
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ pidata Disk Property Insurance Files
+ apps Disk Application Files
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ profdata Disk Profile Data Share
+ ADMIN$ IPC IPC Service (Samba 3.0.1)
+
+ Server Comment
+ --------- -------
+ MASSIVE Samba 3.0.1
+
+ Workgroup Master
+ --------- -------
+ MEGANET2 MASSIVE
+</screen>
+ This shows that an anonymous connection is working.
+ </para></step>
+
+ <step><para>
+ For your finale, let's try an authenticated connection. Follow this as shown:
+<screen>
+&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
+smb: \> dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \> q
+</screen>
+ Well done. All is working fine.
+ </para></step>
+ </procedure>
+
+ <para>
+ The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
+ </para>
+
+ </sect2>
+
+ <sect2 id="ch6-ptrcfg">
+ <title>Printer Configuration</title>
+
+ <para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm>
+ The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
+ taken care of in the &smb.conf; file. The only preparation needed for
+ <constant>smart</constant>
+ printing to be possible involves creation of the directories in which Samba-3 stores
+ Windows printing driver files.
+ </para>
+
+ <procedure>
+
+ <step><para>
+ Configure all network attached printers to have a fixed IP address.
+ </para></step>
+
+ <step><para>
+ Create an entry in the DNS database on the server <constant>MASSIVE</constant>
+ in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
+ and in the reverse lookup database for the network segment that the printer is to
+ be located in. Example configuration files for similar zones were presented in
+ <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
+ </para></step>
+
+ <step><para>
+ Follow the instructions in the printer manufacturers' manuals to permit printing
+ to port 9100. Use any other port the manufacturer specifies for direct mode,
+ raw printing. This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
+ Only on the server to which the printer is attached, configure the CUPS Print
+ Queues as follows:
+<screen>
+&rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This step creates the necessary print queue to use no assigned print filter. This
+ is ideal for raw printing, i.e., printing without use of filters.
+ The name <parameter>printque</parameter> is the name you have assigned for
+ the particular printer.
+ </para></step>
+
+ <step><para>
+ Print queues may not be enabled at creation. Make certain that the queues
+ you have just created are enabled by executing the following:
+<screen>
+&rootprompt; /usr/bin/enable <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ Even though your print queue may be enabled, it is still possible that it
+ may not accept print jobs. A print queue will service incoming printing
+ requests only when configured to do so. Ensure that your print queue is
+ set to accept incoming jobs by executing the following commands:
+<screen>
+&rootprompt; /usr/bin/accept <parameter>printque</parameter>
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ Refer to the CUPS printing manual for instructions regarding how to configure
+ CUPS so that print queues that reside on CUPS servers on remote networks
+ route print jobs to the print server that owns that queue. The default setting
+ on your CUPS server may automatically discover remotely installed printers and
+ may permit this functionality without requiring specific configuration.
+ </para></step>
+
+ <step><para>
+ The following action creates the necessary directory sub-system. Follow these
+ steps to printing heaven:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
+&rootprompt; chown -R root.root /var/lib/samba/drivers
+&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="ch6-bldg1">
+ <title>Samba-3 BDC Configuration</title>
+
+ <procedure>
+ <title>Configuration of BDC Called: <constant>BLDG1</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-bldg1-smbconf"/>,
+ <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
+ into the <filename>/etc/samba/</filename> directory. The three files
+ should be added together to form the &smb.conf; file.
+ </para></step>
+
+ <step><para>
+ Verify the &smb.conf; file as in step 2 of <link
+ linkend="ch6-massive"/>.
+ </para></step>
+
+ <step><para>
+ Carefully follow the steps outlined in <link linkend="ch6-PAM-NSS"/>, taking
+ particular note to install the correct <filename>ldap.conf</filename>.
+ </para></step>
+
+ <step><para>
+ Verify that the NSS resolver is working. You may need to cycle the run level
+ to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
+ commands:
+<screen>
+&rootprompt; init 1
+</screen>
+ After the run level has been achieved, you are prompted to provide the
+ <constant>root</constant> password. Log on, and then execute:
+<screen>
+&rootprompt; init 5
+</screen>
+ When the normal logon prompt appears, log into the system as
+ <constant>root</constant>
+ and then execute these commands:
+<screen>
+&rootprompt; getent passwd
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/bash
+daemon:x:2:2:Daemon:/sbin:/bin/bash
+lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
+mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
+...
+Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+bobj:x:1000:513:System User:/home/bobj:/bin/bash
+stans:x:1001:513:System User:/home/stans:/bin/bash
+chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
+maryv:x:1003:513:System User:/home/maryv:/bin/bash
+vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
+bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
+</screen>
+ This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>getent</primary>
+ </indexterm>
+ The next step in the verification process involves testing the operation of UNIX group
+ resolution via the NSS LDAP resolver. Execute these commands:
+<screen>
+&rootprompt; getent group
+root:x:0:
+bin:x:1:daemon
+daemon:x:2:
+sys:x:3:
+...
+Domain Admins:x:512:Administrator
+Domain Users:x:513:bobj,stans,chrisr,maryv,jht
+Domain Guests:x:514:
+Administrators:x:544:
+Users:x:545:
+Guests:x:546:nobody
+Power Users:x:547:
+Account Operators:x:548:
+Server Operators:x:549:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Accounts:x:1000:
+Finances:x:1001:
+PIOps:x:1002:
+</screen>
+ This is also the correct and desired output, because it demonstrates that the LDAP client
+ is able to communicate correctly with the LDAP server
+ (<constant>MASSIVE</constant>).
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ You must now set the LDAP administrative password into the
+ Samba-3 <filename>secrets.tdb</filename>
+ file by executing this command:
+<screen>
+&rootprompt; smbpasswd -w not24get
+Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
+</screen>
+ </para></step>
+
+ <step><para>
+ Now you must obtain the Domain Security Identifier from the PDC and store it into the
+ <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
+ passdb backend because Samba-3 obtains the Domain SID from the
+ sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
+ add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
+ command can achieve that:
+<screen>
+&rootprompt; net rpc getsid MEGANET2
+Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
+ for Domain MEGANET2 in secrets.tdb
+</screen>
+ When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
+ any special action to join it to the Domain. However, winbind communicates with the
+ Domain Controller that is running on the localhost and must be able to authenticate,
+ thus requiring that the BDC should be joined to the Domain. The process of joining
+ the Domain creates the necessary authentication accounts.
+ </para></step>
+
+ <step><para>
+ To join the Samba BDC to the Domain execute the following:
+<screen>
+&rootprompt; net rpc join -U Administrator%not24get
+Joined domain MEGANET2.
+</screen>
+ This indicates that the Domain security account for the BDC has been correctly created.
+ </para></step>
+
+ <step><para>
+ <indexterm>
+ <primary>pdbedit</primary>
+ </indexterm>
+ Verify that user and group account resolution works via Samba-3 tools as follows:
+<screen>
+&rootprompt; pdbedit -L
+Administrator:0:Administrator
+nobody:65534:nobody
+bobj:1000:System User
+stans:1001:System User
+chrisr:1002:System User
+maryv:1003:System User
+bldg1$:1006:bldg1$
+
+&rootprompt; net groupmap list
+Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
+Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
+Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
+Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
+...
+Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
+Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
+PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
+</screen>
+ The above results show that all things are in order.
+ </para></step>
+
+ <step><para>
+ The server you have so carefully built is now ready for another important step. Now
+ start the Samba-3 server and validate its operation. Execute the following to render all
+ the processes needed fully operative so that, upon system reboot, they are automatically
+ started:
+<screen>
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig dhcpd on
+&rootprompt; chkconfig nmb on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig winbind on
+&rootprompt; rcnmb start
+&rootprompt; rcsmb start
+&rootprompt; rcwinbind start
+</screen>
+ Samba-3 should now be running and is ready for a quick test. But not quite yet!
+ </para></step>
+
+ <step><para>
+ Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
+ To rectify this using the SUSE yast2 utility or by manually
+ editing the <filename>/etc/fstab</filename>
+ file, add a mount entry to mount the <constant>home</constant> directory that has been exported
+ from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
+ approach could be to create local home directories for users who are to use these machines.
+ This is a choice that you, as system administrator, must make. The following entry in the
+ <filename>/etc/fstab</filename> file suffices for now:
+<screen>
+massive.abmas.biz:/home /home nfs rw 0 0
+</screen>
+ To mount this resource, execute:
+<screen>
+&rootprompt; mount -a
+</screen>
+ Verify that the home directory has been mounted as follows:
+<screen>
+&rootprompt; df | grep home
+massive:/home 29532988 283388 29249600 1% /home
+</screen>
+ </para></step>
+
+ <step><para>
+ Implement a quick check using one of the users that is in the LDAP database. Here you go:
+<screen>
+&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
+smb: \> dir
+ . D 0 Wed Dec 17 01:16:19 2003
+ .. D 0 Wed Dec 17 19:04:42 2003
+ bin D 0 Tue Sep 2 04:00:57 2003
+ Documents D 0 Sun Nov 30 07:28:20 2003
+ public_html D 0 Sun Nov 30 07:28:20 2003
+ .urlview H 311 Fri Jul 7 06:55:35 2000
+ .dvipsrc H 208 Fri Nov 17 11:22:02 1995
+
+ 57681 blocks of size 524288. 57128 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ </procedure>
+
+ <procedure id="ch6-bldg2">
+ <title>Configuration of BDC Called: <constant>BLDG2</constant></title>
+ <step><para>
+ Install the files in <link linkend="ch6-bldg2-smbconf"/>,
+ <link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
+ into the <filename>/etc/samba/</filename> directory. The three files
+ should be added together to form the &smb.conf; file.
+ </para></step>
+
+ <step><para>
+ Follow carefully the steps shown in <link linkend="ch6-bldg1"/>, starting at step 2.
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="ch6-bldg1-smbconf">
+<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>BLDG1</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
+ <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+
+<smbconfexample id="ch6-bldg2-smbconf">
+<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+ <smbconfoption><name>unix charset</name><value>LOCALE</value></smbconfoption>
+ <smbconfoption><name>workgroup</name><value>MEGANET2</value></smbconfoption>
+ <smbconfoption><name>netbios name</name><value>BLDG2</value></smbconfoption>
+ <smbconfoption><name>passdb backend</name><value>ldapsam:ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+ <smbconfoption><name>log level</name><value>1</value></smbconfoption>
+ <smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+ <smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+ <smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+ <smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+ <smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+ <smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+ <smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+ <smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+ <smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+ <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>domain master</name><value>No</value></smbconfoption>
+ <smbconfoption><name>wins server</name><value>172.16.0.1</value></smbconfoption>
+ <smbconfoption><name>ldap suffix</name><value>dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>ldap machine suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap user suffix</name><value>ou=People</value></smbconfoption>
+ <smbconfoption><name>ldap group suffix</name><value>ou=Groups</value></smbconfoption>
+ <smbconfoption><name>ldap idmap suffix</name><value>ou=Idmap</value></smbconfoption>
+ <smbconfoption><name>ldap admin dn</name><value>cn=Manager,dc=abmas,dc=biz</value></smbconfoption>
+ <smbconfoption><name>idmap backend</name><value>ldap://massive.abmas.biz</value></smbconfoption>
+ <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
+ <smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+ <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+
+<smbconfexample id="ch6-shareconfa">
+<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
+<smbconfsection>[accounts]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[pidata]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Property Insurance Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/data/pidata</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+ <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+ <smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch6-shareconfb">
+<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
+<smbconfsection>[apps]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+ <smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+ <smbconfoption><name>locking</name><value>No</value></smbconfoption>
+
+<smbconfsection>[profiles]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[profdata]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Profile Data Share</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/profdata</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>No</value></smbconfoption>
+ <smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[print$]</smbconfsection>
+ <smbconfoption><name>comment</name><value>Printer Drivers</value></smbconfoption>
+ <smbconfoption><name>path</name><value>/var/lib/samba/drivers</value></smbconfoption>
+ <smbconfoption><name>browseable</name><value>yes</value></smbconfoption>
+ <smbconfoption><name>guest ok</name><value>no</value></smbconfoption>
+ <smbconfoption><name>read only</name><value>yes</value></smbconfoption>
+ <smbconfoption><name>write list</name><value>Administrator, chrisr</value></smbconfoption>
+</smbconfexample>
+
+<example id="ch6-ldifadd">
+<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
+<screen>
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: idmap
+structuralObjectClass: organizationalUnit
+</screen>
+</example>
+
+</sect1>
+
+<sect1>
+ <title>Miscellaneous Server Preparation Tasks</title>
+
+ <para>
+ My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
+ The makings of a great network environment take a lot of effort and attention to detail.
+ So far you have completed most of the complex (and to many administrators, the interesting
+ part of server configuration) steps, but remember to tie it all together. Here are
+ a few more steps that must be completed so that your network runs like a well-rehearsed
+ orchestra.
+ </para>
+
+ <sect2>
+ <title>Configuring Directory Share Point Roots</title>
+
+ <para>
+ In your &smb.conf; file, you have specified Windows shares. Each has a
+ <parameter>path</parameter>
+ parameter. Even though it is obvious to all, one of the common Samba networking problems is
+ caused by forgetting to verify that every such share root directory actually exists and that it
+ has the necessary permissions and ownership.
+ </para>
+
+ <para>
+ Here is an example, but remember to create the directory needed for every share:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
+&rootprompt; mkdir -p /apps
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R root.root /apps
+&rootprompt; chown -R bobj.Accounts /data/accounts
+&rootprompt; chown -R bobj.Finances /data/finsvcs
+&rootprompt; chown -R bobj.PIOps /data/pidata
+&rootprompt; chmod -R ug+rwxs,o-rwx /data
+&rootprompt; chmod -R ug+rwx,o+rx-w /apps
+</screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuring Profile Directories</title>
+
+ <para>
+ You made a conscious decision to do everything it would take to improve network client
+ performance. One of your decisions was to implement folder redirection. This means that Windows
+ user desktop profiles are now made up of two components &smbmdash; a dynamically loaded part and a set of file
+ network folders.
+ </para>
+
+ <para>
+ For this arrangement to work, every user needs a directory structure for the network folder
+ portion of their profile as shown here:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/profdata
+&rootprompt; chown root.root /var/lib/samba/profdata
+&rootprompt; chmod 755 /var/lib/samba/profdata
+
+# Per user structure
+&rootprompt; cd /var/lib/samba/profdata
+&rootprompt; mkdir -p <emphasis>username</emphasis>
+&rootprompt; for i in InternetFiles Cookies History AppData \
+ LocalSettings MyPictures MyDocuments Recent
+&rootprompt; do
+&rootprompt; mkdir <emphasis>username</emphasis>/$i
+&rootprompt; done
+&rootprompt; chown -R <emphasis>username</emphasis>.Domain\ Users <emphasis>username</emphasis>
+&rootprompt; chmod -R 750 <emphasis>username</emphasis>
+</screen>
+ </para>
+
+ <para><indexterm>
+ <primary>roaming profile</primary>
+ </indexterm><indexterm>
+ <primary>mandatory profile</primary>
+ </indexterm>
+ You have three options insofar as the dynamically loaded portion of the roaming profile
+ is concerned:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>You may permit the user to obtain a default profile.</para></listitem>
+ <listitem><para>You can create a mandatory profile.</para></listitem>
+ <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Mandatory profiles cannot be overwritten by a user. The change from
+ a user profile to a mandatory profile is effected by renaming the
+ <filename>NTUSER.DAT</filename> to
+ <filename>NTUSER.MAN</filename>, i.e., just by changing the filename
+ extension.
+ </para>
+
+ <para><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm><indexterm>
+ <primary>Domain User Manager</primary>
+ </indexterm>
+ The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend.
+ You can manage this using the Idealx smbldap-tools or using the
+ <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager.</ulink>
+ </para>
+
+ <para>
+ It may not be obvious that you must ensure that the root directory for the user's profile exists
+ and has the needed permissions. Use the following commands to create this directory:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
+&rootprompt; chown <emphasis>username</emphasis>.Domain\ Users
+ /var/lib/samba/profiles/<emphasis>username</emphasis>
+&rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
+</screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Preparation of Logon Scripts</title>
+
+ <para><indexterm>
+ <primary>logon script</primary>
+ </indexterm>
+ The use of a logon script with Windows XP Professional is an option that every site should consider.
+ Unless you have locked down the desktop so the user cannot change anything, there is risk that
+ a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
+ can help to restore persistent network folder (drive) and printer connections in a predictable
+ manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
+ user attaches to another company's network that forces environment changes that are alien to your
+ network.
+ </para>
+
+ <para>
+ If you decide to use network logon scripts, by reference to the &smb.conf; files for the Domain
+ Controllers, you see that the path to the share point for the
+ <constant>NETLOGON</constant>
+ share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
+ script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
+ NT/200x/XP client logs onto the network, it tries to obtain the file
+ <filename>logon.bat</filename>
+ from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
+ qualified path should, therefore, exist whether you install the
+ <filename>logon.bat</filename>.
+ </para>
+
+ <para>
+ You can, of course, create the fully qualified path by executing:
+<screen>
+&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
+</screen>
+ </para>
+
+ <para>
+ You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
+ Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
+ facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart.</ulink>
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Windows Client Configuration</title>
+
+ <para><indexterm>
+ <primary>NETLOGON</primary>
+ </indexterm>
+ In the next few sections, you can configure a new Windows XP Professional disk image on a staging
+ machine. You will configure all software, printer settings, profile and policy handling, and desktop
+ default profile settings on this system. When it is complete, you copy the contents of the
+ <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
+ name in the <constant>NETLOGON</constant> share on the Domain Controllers.
+ </para>
+
+ <para>
+ Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
+ One knowledge-base article in particular stands out. See:
+ <ulink
+ url="http://support.microsoft.com/default.aspx&amp;scid=kb;en-us;168475">How to Create a
+ Base Profile for All Users.</ulink>
+
+ </para>
+
+ <sect2 id="redirfold">
+ <title>Configuration of Default Profile with Folder Redirection</title>
+
+ <para><indexterm>
+ <primary>folder redirection</primary>
+ </indexterm>
+ Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
+ It is necessary to expose folders that are generally hidden to provide
+ access to the <constant>Default User</constant>
+ folder.
+ </para>
+
+ <procedure>
+ <title>Expose Hidden Folders</title>
+
+ <step><para>
+ Launch the Windows Explorer by clicking
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>My Computer</guimenuitem>
+ <guimenuitem>Tools</guimenuitem>
+ <guimenuitem>Folder Options</guimenuitem>
+ <guimenuitem>View Tab</guimenuitem>
+ </menuchoice>.
+ Select <guilabel>Show hidden files and folders</guilabel>,
+ and click <guibutton>OK</guibutton>.
+ Exit Windows Explorer.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>regedt32</primary>
+ </indexterm>
+ Launch the Registry Editor. Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Run</guimenuitem>
+ </menuchoice>. Key in <command>regedt32</command>, and click
+ <guibutton>OK</guibutton>.
+ </para></step>
+ </procedure>
+
+ <para>
+ </para>
+
+ <procedure id="ch6-rdrfldr">
+ <title>Redirect Folders in Default System User Profile</title>
+
+ <step><para><indexterm>
+ <primary>HKEY_LOCAL_MACHINE</primary>
+ </indexterm><indexterm>
+ <primary>Default User</primary>
+ </indexterm>
+ Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
+ Click <menuchoice>
+ <guimenu>File</guimenu>
+ <guimenuitem>Load Hive...</guimenuitem>
+ <guimenuitem>[Panel] Documents and Settings</guimenuitem>
+ <guimenuitem>[Panel] Default User</guimenuitem>
+ <guimenuitem>NTUSER</guimenuitem>
+ <guimenuitem>Open</guimenuitem>
+ </menuchoice>. In the dialog box that opens, enter the
+ key name <constant>Default</constant>
+ and click <guibutton>OK</guibutton>.
+ </para></step>
+
+ <step><para>
+ Browse inside the newly loaded Default folder to:
+<screen>
+HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
+ CurrentVersion\Explorer\User Shell Folders\
+</screen>
+ The contents of the right panel reveals the contents as
+ shown in <link linkend="XP-screen001"/>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>%USERPROFILE%</primary>
+ </indexterm><indexterm>
+ <primary>%LOGONSERVER%</primary>
+ </indexterm>
+ You edit hive keys. Acceptable values to replace the
+ <constant>%USERPROFILE%</constant> variable includes:
+
+ <itemizedlist>
+ <listitem><para>A drive letter such as: <constant>U:</constant></para></listitem>
+ <listitem><para>A direct network path such as:
+ <constant>\\MASSIVE\profdata</constant></para></listitem>
+ <listitem><para>A network redirection (UNC name) that contains a macro such as: </para>
+ <para><constant>\\%LOGONSERVER%\profdata\</constant></para></listitem>
+ </itemizedlist>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>registry keys</primary>
+ </indexterm>
+ Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
+ that users have statically located machines. Notebook computers (mobile users) need to be
+ accommodated using local profiles. This is not an uncommon assumption.
+ </para></step>
+
+ <step><para>
+ Click back to the root of the loaded hive <constant>Default</constant>.
+ Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
+ <guimenuitem>Yes</guimenuitem></menuchoice>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Registry Editor</primary>
+ </indexterm>
+ Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
+ Registry Editor.
+ </para></step>
+
+ <step><para>
+ Now follow the procedure given in <link linkend="ch6-locgrppol"/>. Make sure that each folder you
+ have redirected is in the exclusion list.
+ </para></step>
+
+ <step><para>
+ You are now ready to copy<footnote><para>
+ There is an alternate method by which a Default User profile can be added to the
+ <constant>NETLOGON</constant> share. This facility in the Windows System tool
+ permits profiles to be exported. The export target may be a particular user or
+ group profile share point, or else into the <constant>NETLOGON</constant> share.
+ In this case, the profile directory must be named
+ <constant>Default User</constant>.
+ </para></footnote>
+ the Default User profile to the Samba Domain Controllers. Launch Microsoft
+ Windows Explorer, and use it to copy the full contents of the
+ directory <filename>Default User</filename>
+ that is in the <filename>C:\Documents and Settings</filename> to the root directory of the
+ <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
+ UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must be
+ a directory in there called <filename>Default User</filename>.
+ </para></step>
+
+ </procedure>
+
+ <procedure>
+ <title>Reset Folder Display to Original Behavior</title>
+
+ <step><para>
+ To launch the Windows Explorer, click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>My Computer</guimenuitem>
+ <guimenuitem>Tools</guimenuitem>
+ <guimenuitem>Folder Options</guimenuitem>
+ <guimenuitem>View Tab</guimenuitem>
+ </menuchoice>.
+ Deselect <guilabel>Show hidden files and folders</guilabel>,
+ and click <guibutton>OK</guibutton>.
+ Exit Windows Explorer.
+ </para></step>
+
+ </procedure>
+
+ <image id="XP-screen001">
+ <description>Windows XP Professional &smbmdash; User Shared Folders</description>
+ <imagefile scale="65">XP-screen001.png</imagefile>
+ </image>
+
+<table id="proffold">
+ <title>Default Profile Redirections</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>Registry Key</entry>
+ <entry>Redirected Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Cache</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
+ </row>
+ <row>
+ <entry>Cookies</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
+ </row>
+ <row>
+ <entry>History</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\History</entry>
+ </row>
+ <row>
+ <entry>Local AppData</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
+ </row>
+ <row>
+ <entry>Local Settings</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
+ </row>
+ <row>
+ <entry>My Pictures</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
+ </row>
+ <row>
+ <entry>Personal</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
+ </row>
+ <row>
+ <entry>Recent</entry>
+ <entry>\\%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
+ </row>
+ </tbody>
+ </tgroup>
+</table>
+
+ </sect2>
+
+ <sect2>
+ <title>Configuration of MS Outlook to Relocate PST File</title>
+
+ <para><indexterm>
+ <primary>Outlook</primary>
+ <secondary>PST</secondary>
+ </indexterm>
+ Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
+ It is the nature of email storage that this file grows, at times quite rapidly.
+ So that users' email is available to them at every workstation they may log onto,
+ it is common practice in well-controlled sites to redirect the PST folder to the
+ users' home directory. Follow these steps for each user who wishes to do this.
+ </para>
+
+ <note><para>
+ It is presumed that Outlook Express has been configured for use.
+ </para></note>
+
+ <para>
+ Launch Outlook Express 6. Click
+ <menuchoice>
+ <guimenu>Tools</guimenu>
+ <guimenuitem>Options</guimenuitem>
+ <guimenuitem>Maintenance</guimenuitem>
+ <guimenuitem>Store Folder</guimenuitem>
+ <guimenuitem>Change</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para>
+ Follow the on-screen prompts to relocate the PST file to the desired location.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Configure Delete Cached Profiles on Logout</title>
+
+ <para>
+ To configure the Windows XP Professional client to auto-delete roaming profiles on logout:
+ </para>
+
+ <para><indexterm>
+ <primary>MMC</primary>
+ </indexterm>
+ Click
+ <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Run</guimenuitem>
+ </menuchoice>. In the dialog box, enter: <command>MMC</command>
+ and click <guibutton>OK</guibutton>.
+ </para>
+
+ <para>
+ Follow these steps to set the default behavior of the staging machine so that all roaming
+ profiles are deleted as network users log out of the system. Click
+ <menuchoice>
+ <guimenu>File</guimenu>
+ <guimenuitem>Add/Remove Snap-in</guimenuitem>
+ <guimenuitem>Add</guimenuitem>
+ <guimenuitem>Group Policy</guimenuitem>
+ <guimenuitem>Add</guimenuitem>
+ <guimenuitem>Finish</guimenuitem>
+ <guimenuitem>Close</guimenuitem>
+ <guimenuitem>OK</guimenuitem>
+ </menuchoice>.
+ </para>
+
+ <para><indexterm>
+ <primary>Microsoft Management Console</primary>
+ <see>MMC</see>
+ </indexterm>
+ The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
+ utility that enables you to set the policies needed. In the left panel, click
+ <menuchoice>
+ <guimenuitem>Local Computer Policy</guimenuitem>
+ <guimenuitem>Administrative Templates</guimenuitem>
+ <guimenuitem>System</guimenuitem>
+ <guimenuitem>User Profiles</guimenuitem>
+ </menuchoice>. In the right panel, set the properties shown here by double-clicking on each
+ item as shown:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
+ <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
+ </itemizedlist>
+
+ <para>
+ Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
+ made of this system to deploy the new standard desktop system.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Uploading Printer Drivers to Samba Servers</title>
+
+ <para><indexterm>
+ <primary>printing</primary>
+ <secondary>drag-and-drop</secondary>
+ </indexterm>
+ Users want to be able to use network printers. You have a vested interest in making
+ it easy for them to print. You have chosen to install the printer drivers onto the Samba
+ servers and to enable point-and-click (drag-and-drop) printing. This process results in
+ Samba being able to automatically provide the Windows client with the driver necessary to
+ print to the printer chosen. The following procedure must be followed for every network
+ printer:
+ </para>
+
+ <procedure>
+ <step><para>
+ Join your Windows XP Professional workstation (the staging machine) to the
+ <constant>MEGANET2</constant> Domain. If you are not sure of the procedure,
+ follow the guidance given in <link linkend="domjoin"/>.
+ </para></step>
+
+ <step><para>
+ After the machine has re-booted, log onto the workstation as the domain
+ <constant>Administrator</constant>.
+ </para></step>
+
+ <step><para>
+ Launch MS Windows Explorer. Navigate in the left panel. Click
+ <menuchoice>
+ <guimenu>My Network Places</guimenu>
+ <guimenuitem>Entire Network</guimenuitem>
+ <guimenuitem>Microsoft Windows Network</guimenuitem>
+ <guimenuitem>Meganet2</guimenuitem>
+ <guimenuitem>Massive</guimenuitem>
+ </menuchoice>. Click on <guimenu>Massive</guimenu>
+ <guimenu>Printers and Faxes</guimenu>.
+ </para></step>
+
+ <step><para>
+ Identify a printer that is shown in the right panel. Let us assume the printer is called
+ <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
+ and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
+ that <quote>The printer driver is not installed on this computer. Some printer properties
+ will not be accessible unless you install the printer driver. Do you want to install the
+ driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
+ </para></step>
+
+ <step><para>
+ The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
+ <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
+ Note that the box labelled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
+ button that is next to the <guimenu>Driver</guimenu> box. This launches the quote<quote>Add Printer Wizard</quote>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Add Printer Wizard</primary>
+ <secondary>APW</secondary>
+ </indexterm><indexterm>
+ <primary>APW</primary>
+ </indexterm>
+ The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
+ is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
+ Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by
+ Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
+ <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
+ progress bar appears and instructs you as each file is being uploaded and that it is being
+ directed at the network server <constant>\\massive\ps01-color</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
+ <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
+ <indexterm><primary>AD printer publishing</primary></indexterm>
+ The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
+ you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
+ You can set the Location (under the <guimenu>General</guimenu> tab), and Security settings (under
+ the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
+ load additional printer drivers, there is also a check-box in this tab called <quote>List in the
+ directory</quote>. When this box is checked the printer will be published in Active Directory
+ (Applicable to Active Directory use only.)
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
+ Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
+ You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
+ Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
+ <guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
+ your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
+ you need to reverse them changes back to their original settings.
+ </para></step>
+
+ <step><para>
+ This is necessary so that the printer settings are initialized in the Samba printers
+ database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
+ just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
+ Click <guimenu>Apply</guimenu> again.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>Print Test Page</primary></indexterm>
+ Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
+ click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
+ A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
+ in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
+ massive Properties</guimenu> panel.
+ </para></step>
+
+ <step><para>
+ You must repeat this process for all network printers (i.e., for every printer, on each server).
+ When you have finished uploading drivers to all printers, close all applications. The next task
+ is to install software your users require to do their work.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Software Installation</title>
+
+ <para>
+ Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
+ a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
+ Notebooks require special handling that is beyond the scope of this chapter.
+ </para>
+
+ <para>
+ For desktop systems, the installation of software onto administratively centralized application servers
+ make a lot of sense. This means that you can manage software maintenance from a central
+ perspective and that only minimal application stub-ware needs to be installed onto the desktop
+ systems. You should proceed with software installation and default configuration as far as is humanly
+ possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
+ of software operations and configuration.
+ </para>
+
+ <para>
+ When you believe that the overall configuration is complete, be sure to create a shared group profile
+ and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in
+ case a user may have specific needs you had not anticipated.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Roll-out Image Creation</title>
+
+ <para>
+ The final steps before preparing the distribution Norton Ghost image file you might follow are:
+ </para>
+
+ <blockquote><para>
+ Un-join the domain &smbmdash; Each workstation requires a unique name and must be independently
+ joined into Domain Membership.
+ </para></blockquote>
+
+ <blockquote><para>
+ Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
+ in better performance and often significantly reduces the size of the compressed disk image. That
+ also means it will take less time to deploy the image onto 500 workstations.
+ </para></blockquote>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Key Points Learned</title>
+
+ <para>
+ This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately
+ avoided any consideration of security. Security does not just happen; you must design it into your total
+ network. Security begins with a systems design and implementation that anticipates hostile behavior from
+ users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
+ they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
+ practices, you must not deploy the design presented in this book in an environment where there is risk
+ of compromise.
+ </para>
+
+ <para><indexterm>
+ <primary>Access Control Lists</primary>
+ <see>ACLs</see>
+ </indexterm><indexterm>
+ <primary>ACLs</primary>
+ </indexterm>
+ As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be
+ configured to use secure protocols for all communications over the network. Of course, secure networking
+ does not result just from systems design and implementation but involves constant user education
+ training, and above all disciplined attention to detail and constant searching for signs of unfriendly
+ or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
+ Jerry Carter's book <ulink
+ url="http://www.booksense.com/product/info.jsp&amp;isbn=1565924916"><emphasis>LDAP System
+ Administration</emphasis></ulink> is a good place to start reading about OpenLDAP as well as security considerations.
+ </para>
+
+ <para>
+ The substance of this chapter that has been deserving of particular attention includes:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Implementation of an OpenLDAP-based passwd backend &smbmdash; necessary to support distributed
+ Domain Control.
+ </para></listitem>
+
+ <listitem><para>
+ Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend
+ for user and group accounts that is shared with the UNIX system through the PADL nns_ldap and
+ pam_ldap toolsets.
+ </para></listitem>
+
+ <listitem><para>
+ Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as
+ to manage Samba Windows user and group accounts.
+ </para></listitem>
+
+ <listitem><para>
+ The basics of implementation of Group Policy controls for Windows network clients.
+ </para></listitem>
+
+ <listitem><para>
+ Control over roaming profiles, with particular focus on folder redirection to network drives.
+ </para></listitem>
+
+ <listitem><para>
+ Use of the CUPS printing system together with Samba-based printer driver auto-download.
+ </para></listitem>
+ </itemizedlist>
+
+</sect1>
+
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ Well, here we are at the end of this chapter and we have only ten questions to help you to
+ remember so much. There are bound to be some sticky issues here.
+ </para>
+
+ <qandaset defaultlabel="chap06qa">
+ <qandaentry>
+ <question>
+
+ <para>
+ Why did you not cover secure practices? Isn't it rather irresponsible to instruct
+ network administrators to implement insecure solutions?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Let's get this right. This is a book about Samba, not about OpenLDAP and secure
+ communication protocols for subjects other than Samba. Earlier on, you note
+ that the Dynamic DNS and DHCP solutions also used no protective secure communications
+ protocols. The reason for this is simple: There are so many ways of implementing
+ secure protocols that this book would have been even larger and more complex.
+ </para>
+
+ <para>
+ The solutions presented here all work (at least they did for me). Network administrators
+ have the interest and the need to be better trained and instructed in secure networking
+ practices and ought to implement safe systems. I made the decision, right or wrong,
+ to keep this material as simple as possible. The intent of this book is to demonstrate
+ a working solution and not to discuss too many peripheral issues.
+ </para>
+
+ <para>
+ This book makes little mention of backup techniques. Does that mean that I am recommending
+ that you should implement a network without provision for data recovery and for disaster
+ management? Back to our focus: The deployment of Samba has been clearly demonstrated.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
+ you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
+ to the Linux I might be using?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
+ for a standard Linux distribution. The differences are marginal. Surely you know
+ your Linux platform and you do have access to administration manuals for it. This
+ book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
+ the Samba part of the book; all the other bits are peripheral (but important) to
+ creation of a total network solution.
+ </para>
+
+ <para>
+ What I find interesting is the attention reviewers give to Linux installation and to
+ the look and feel of the desktop, but does that make for a great server? In this book,
+ I have paid particular attention to the details of creating a whole solution framework.
+ I have not tightened every nut and bolt, but I have touched on all the issues you
+ need to be familiar with. Over the years many people have approached me wanting to
+ know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba
+ and WINS. In this chapter, it is plain to see what needs to be configured to provide
+ transparent interoperability. Likewise for CUPS and Samba interoperation. These are
+ key stumbling areas for many people.
+ </para>
+
+ <para>
+ At every critical junction, I have provided comparative guidance for both SUSE and
+ Red Hat Linux. Both manufacturers have done a great job in furthering the cause
+ of open source software. I favor neither and respect both. I like particular
+ features of both products (companies also). No bias in presentation is intended.
+ Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You did not use SWAT to configure Samba. Is there something wrong with it?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ That is a good question. As it is, the &smb.conf; file configurations are presented
+ in as direct a format as possible. Adding SWAT into the equation would have complicated
+ matters. I sought simplicity of implementation. The fact is that I did use SWAT to
+ create the files in the first place.
+ </para>
+
+ <para>
+ There are people in the Linux and open source community who feel that SWAT is dangerous
+ and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
+ hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG</emphasis>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
+ not irresponsible?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Well, I had to use a password of some sort. At least this one has been consistently
+ used throughout. I guess you can figure out that in a real deployment it would make
+ sense to use a more secure and original password.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ The Idealx smbldap-tools create many domain group accounts that are not used. Is that
+ a good thing?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ I took this up with Idealx and found them most willing to change that in the next version.
+ Let's give Idealx some credit for the contribution they have made. I appreciate their work
+ and, besides, it does no harm to create accounts that are not now used as at some time
+ Samba may well use them.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can I use LDAP just for Samba accounts and not for UNIX system accounts?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX)
+ group account for every Windows Domain group account. But if you put your users into
+ the system password account, how do you plan to keep all domain controller system
+ password files in sync? I think that having everything in LDAP makes a lot of sense
+ for the UNIX admin who is still learning the craft and is migrating from MS Windows.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why are the Windows Domain RID portions not the same as the UNIX UID?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
+ This algorithm ought to ensure that there will be no clashes with well-known RIDs.
+ Well-known RIDs have special significance to MS Windows clients. The automatic
+ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
+ permit you to override that to some extent. See the &smb.conf; man page entry
+ for <parameter>algorithmic rid base</parameter>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Printer configuration examples all show printing to the HP port 9100. Does this
+ mean that I must have HP printers for these solutions to work?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. You can use any type of printer and must use the interfacing protocol supported
+ by the printer. Many networks use LPR/LPD print servers to which are attached
+ PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached
+ Inject printer. Use the appropriate device URI (Universal Resource Interface)
+ argument to the <constant>lpadmin -v</constant> option that is right for your
+ printer.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is folder redirection dangerous? I've heard that you can lose your data that way.
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The only loss of data I know of that involved folder redirection was caused by
+ manual misuse of the redirection tool. The administrator redirected a folder to
+ a network drive and said he wanted to migrate (move) the data over. Then he
+ changed his mind, so he moved the folder back to the roaming profile. This time,
+ he declined to move the data because he thought it was still in the local profile
+ folder. That was not the case, so by declining to move the data back, he wiped out
+ the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it really necessary to set a local Group Policy to exclude the redirected
+ folders from the roaming profile?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. If you do not do this, the data will still be copied from the network folder
+ (share) to the local cached copy of the profile.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>