path: root/docs/Samba-Guide/SBE-TheSmallOffice.xml
Diffstat (limited to 'docs/Samba-Guide/SBE-TheSmallOffice.xml')
-rw-r--r--docs/Samba-Guide/SBE-TheSmallOffice.xml1270
1 files changed, 1270 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-TheSmallOffice.xml b/docs/Samba-Guide/SBE-TheSmallOffice.xml
new file mode 100644
index 0000000000..ee68508934
--- /dev/null
+++ b/docs/Samba-Guide/SBE-TheSmallOffice.xml
@@ -0,0 +1,1270 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="small">
+ <title>Small Office Networking</title>
+
+ <para>
+ So far, this book has focused on the basics of simple yet effective
+ network solutions. Network administrators who take pride in their work
+ (that's most of us, right?) take care to deliver what our users want,
+ but not too much more. If we make things too complex, we confound our users and
+ increase costs of network ownership. A professional network manager
+ avoids the temptation to put too much pizazz into the way that the network
+ operates. Some creativity is helpful, but do keep it under control.
+ </para>
+
+ <para><indexterm>
+ <primary>Netware</primary>
+ </indexterm>
+ Five years ago there were two companies from which a lesson can be learned.
+ In one case the network administrator spent three months building a new
+ network to replace an old Netware server. What he delivered had all the
+ bells and whistles he could muster. There were a few teething problems
+ during the change-over, nothing serious but a little disruptive all the
+ same. Users were exposed to many changes at once. The network
+ administrator was asked to resign two months after implementing the
+ new system. This was necessary because so many staff had complained
+ they had lost time and were not happy with the new network.
+ Everything was automated and he delivered more features than any advanced
+ user could think of. He was just too smart for his own good.
+ </para>
+
+ <para>
+ In the case of the other company, a new network manager was appointed
+ to oversee the replacement of a LanTastic network with an MS Windows
+ NT 4.0 network. He had the replacement installed and operational within
+ two weeks. Before installation and change-over, he called a meeting to
+ explain to all users what was going to happen, how it would affect them
+ and that he would be available 24 hours a day to help them transition.
+ One week after conversion, he held another meeting asking for cooperation
+ in the introduction of a few new features that would help to make life
+ easier. Network users were thrilled with what he was doing to help
+ them. The network he implemented was nowhere near as complex as the first example, had fewer
+ features, and yet he had happy users. Months later he was still adding
+ new innovations. He always asked the users if a
+ particular feature was what they wanted. He asked his boss for a raise
+ and got it. He often told me, <quote>Always keep a few new tricks up your
+ sleeves for when you need them.</quote> Was he smart? You decide. Let's
+ get on with our next exercise.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you
+ were the right person for the job. That's why he asked you to install the
+ new server. The past few months have been hard work. You advised Mr. Meany
+ that it is time for a change. Abmas now has 52 users, having acquired an
+ investment consulting business recently. The new users were added to the
+ network without any problems.
+ </para>
+
+ <para>
+ Some of the Windows clients are getting to be past their use-by date.
+ You have found damaged and unusable software on some of the workstations
+ that came with the acquired business and found some machines that are
+ in need of both hardware and software maintenance.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ <indexterm><primary>Windows XP</primary></indexterm>
+ Mr. Meany has decided to retire in 12 months. He wants you to help him
+ make the business run better. Many of the new staff want notebook computers.
+ They visit customer business premises with the need to use local network
+ facilities; these users are technically competent. The company uses a
+ business application that requires Windows XP Professional. In short, a
+ complete client upgrade is about to happen. Mr. Meany told you that he is working
+ on another business acquisition and that by the time he retires there will be
+ 80 to 100 users.
+ </para>
+
+ <para>
+ Mr. Meany is not concerned about security. He wants to make it easier for
+ staff to do their work. He has hired you to help him appoint a full-time
+ network manager before he retires. Above all, he says he is investing in
+ the ability to grow. He is determined to live his lifelong dream and
+ hand the business over to a bright and capable executive who can make
+ things happen. This means your network design must cope well with
+ growth.
+ </para>
+
+ <para>
+ In a few months, Abmas will require an Internet connection for email
+ and so staff easily obtain software updates. Mr. Meany is warming up to the
+ installation of anti-virus software, but is not yet ready to approve
+ this expense. He told you to spend the money a virus scanner costs
+ on better quality notebook computers for mobile users.
+ </para>
+
+ <para>
+ One of Mr. Meany's golfing partners sold him on the idea to buy new laser
+ printers. One black only, the other a color laser printer. Staff support
+ the need for a color printer so they can present more attractive proposals
+ and reports.
+ </para>
+
+ <para>
+ Mr. Meany also asked if it would be possible for one of the staff to manage
+ user accounts from the Windows desktop. That person will be responsible for
+ basic operations.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ What are the key requirements in this business example? A quick review indicates
+ a need for:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Scalability &smbmdash; from 52 to over 100 users in 12 months
+ </para></listitem>
+
+ <listitem><para>
+ Mobile computing capability
+ <indexterm><primary>mobile computing</primary></indexterm>
+ </para></listitem>
+
+ <listitem><para>
+ Improved reliability and usability
+ </para></listitem>
+
+ <listitem><para>
+ Easier administration
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server
+ (as in <link linkend="AccountingOffice"/>).
+
+ </para>
+
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ <indexterm><primary>DNS</primary></indexterm>
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>Domain</primary></indexterm>
+ It is time to implement a domain security environment. You will use the <constant>
+ smbpasswd</constant> (default) backend. You should implement a DHCP server. There is no need to
+ run DNS at this time, but the system will use WINS. The Domain name will be <constant>
+ BILLMORE</constant>. This time, the name of the server will be <constant>SLEETH</constant>.
+ </para>
+
+ <para>
+ All printers will be configured as DHCP clients. The DHCP server will assign
+ the printer a fixed IP address by way of its Ethernet interface (MAC) address.
+ See <link linkend="dhcp01"/>.
+ </para>
+
+ <note><para>
+ The &smb.conf; file you are creating in this exercise can be used with equal effectiveness
+ with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is
+ possible to start with the installation that you have created here, migrate it
+ to a Samba-3 configuration and then secure the system further. Configurations following
+ this one will utilize features that may not be supported in Samba-2.2.x releases.
+ However, you should note that the examples in each chapter start with the assumption
+ that a fresh new installation is being effected.
+ </para></note>
+
+ <para>
+ Later on, when the Internet connection is implemented, you will add DNS as well as
+ other enhancements. It is important that you plan accordingly.
+ </para>
+
+ <para>
+ <indexterm><primary>ether-switch</primary></indexterm>
+ You have split the network into two separate areas. Each has its own ether-switch.
+ There are 20 users on the accounting network and 32 users on the financial services
+ network. The server has two network interfaces, one serving each network. The
+ network printers will be located in a central area. You plan to install the new
+ printers and keep the old printer in use also.
+ </para>
+
+ <para>
+ You will provide separate file storage areas for each business entity. The old system
+ will go away, accounting files will be handled under a single directory, and files will
+ be stored under customer name, not under a personal work area. Staff will be made
+ responsible for file location, so maintain the old share point.
+ </para>
+
+ <para>
+ Given that DNS will not be used, you will configure WINS name resolution for UNIX
+ hostname name resolution.
+ </para>
+
+ <para>
+ <indexterm><primary>Domain</primary><secondary>groups</secondary></indexterm>
+ <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
+ It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is
+ advisable to also map Windows Local Groups to UNIX groups. Additionally, the two
+ key staff groups in the firm are Accounting Staff and Financial Services Staff.
+ For these, it is necessary to create UNIX groups as well as Windows Domain Groups.
+ </para>
+
+ <para>
+ In the sample &smb.conf; file, you have configured Samba to call the UNIX <command>groupadd</command>
+ to add group entries. This utility does not permit the addition of group names that
+ contain upper-case characters or spaces. This is considered a bug. The <command>groupadd</command>
+ is part of the <command>shadow-utils</command> Open Source Software package.
+ A later release of this package may have been patched to resolve this bug.
+ If your operating platform has this bug, it means that attempts to add a Windows Domain
+ Group that has either a space or upper-case characters in it will fail. See <emphasis>TOSHARG</emphasis>, Section 11.3.1,
+ Example 11.1, for more information.
+ </para>
+
+ <para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler
+ on the UNIX host will be operated in <constant>raw</constant> mode.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ Mr. Meany is an old-school manager. He sets the rules and wants to see compliance.
+ He is willing to spend money on things he believes are of value. You need more
+ time to convince him of real priorities.
+ </para>
+
+ <para>
+ Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be
+ supplied with anti-virus software? Above all, demonstrate good purchase value and remember
+ to make your users happy.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para><indexterm>
+ <primary>migration</primary>
+ </indexterm>
+ In this example, the assumption is made that this server is being configured from a clean start.
+ The alternate approach could be to demonstrate the migration of the system that is documented
+ in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with
+ future examples, as a new installation is based on the premise that you can determine
+ the migration steps from the information provided in the separate chapter on this subject.
+ Additionally, a fresh installation makes the example easier to follow.
+ </para>
+
+ <para><indexterm>
+ <primary>group membership</primary>
+ </indexterm>
+ Each user will be given a home directory on the UNIX system, which will be available as a private
+ share. Two additional shares will be created, one for the Accounting Department and the other for
+ the Financial Services Department. Network users will be given access to these shares by way
+ of group membership.
+ </para>
+
+ <para>
+ <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
+ UNIX group membership is the primary mechanism by which Windows Domain users will be granted
+ rights and privileges within the Windows environment.
+ </para>
+
+ <para><indexterm>
+ <primary>sticky bit</primary>
+ </indexterm>
+ The user <command>alanm</command> will be made the owner of all files. This will be preserved
+ by setting the sticky bit (set UID/GID) on the top-level directories.
+ </para>
+
+ <image id="acct2net">
+ <imagedescription>Abmas Accounting &smbmdash; 52 User Network Topology</imagedescription>
+ <imagefile scale="65">acct2net</imagefile>
+ </image>
+
+ <procedure>
+ <step><para>
+ Using UNIX/Linux system tools, name the server <constant>sleeth</constant>.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/hosts</primary></indexterm>
+ Place an entry for the machine <constant>sleeth</constant> in the <filename>/etc/hosts</filename>.
+ The printers are network attached, so it is desirable that there should be entries for the
+ network printers also. An example <filename>/etc/hosts</filename> file is shown here:
+<screen>
+192.168.1.1 sleeth sleeth1
+192.168.2.1 sleeth2
+192.168.1.10 hplj6
+192.168.1.11 hplj4
+192.168.2.10 qms
+</screen>
+ </para></step>
+
+ <step><para>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site.
+ </para></step>
+
+ <step><para>
+ Install the ISC DHCP server using the UNIX/Linux system tools available to you.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>/etc/rc.d/rc.local</primary>
+ </indexterm><indexterm>
+ <primary>IP forwarding</primary>
+ </indexterm><indexterm>
+ <primary>router</primary>
+ </indexterm><indexterm>
+ <primary>/proc/sys/net/ipv4/ip_forward</primary>
+ </indexterm>
+ Given that Samba will be operating over two network interfaces and clients on each side
+ may want to be able to reach clients on the other side, it is imperative that IP forwarding
+ shall be enabled. Use the system tool of your choice to enable IP forwarding. In the
+ absence of such a tool on the Linux system, add to the <filename>/etc/rc.d/rc.local</filename>
+ file an entry as follows:
+<screen>
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</screen>
+ This causes the Linux kernel to forward IP packets so that it acts as a router.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file as shown in <link linkend="acct2conf"/> and
+ <link linkend="acct3conf"/>. Combine these two examples to form a single
+ <filename>/etc/samba/smb.conf</filename> file.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Add the user <command>root</command> to the Samba password backend:
+<screen>
+&rootprompt; smbpasswd -a root
+New SMB password: XXXXXXX
+Retype new SMB password: XXXXXXX
+&rootprompt;
+</screen>
+ <indexterm><primary>administrator</primary></indexterm>
+ This is the Windows Domain Administrator password. Never delete this account from
+ the password backend after Windows Domain Groups have been initialized. If you delete
+ this account, your system is crippled. You cannot restore this account
+ and your Samba server is no longer capable of being administered.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>username map</primary></indexterm>
+ Create the username map file to permit the <constant>root</constant> account to be called
+ <constant>Administrator</constant> from the Windows network environment. To do this, create
+ the file <filename>/etc/samba/smbusers</filename> with the following contents:
+<screen>
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>initGrps.sh</primary></indexterm>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <link linkend="initGrps"/>. Create a file containing this script. We called ours
+ <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+<example id="initGrps">
+<title>Script to Map Windows NT Groups to UNIX Groups</title>
+<indexterm><primary>initGrps.sh</primary></indexterm>
+<screen>
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+</screen>
+</example>
+
+<screen>
+&rootprompt; chmod 755 initGrps.sh
+&rootprompt; cd /etc/samba
+&rootprompt; ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+&rootprompt; cd /etc/samba
+&rootprompt; net groupmap list | sort
+Account Operators (S-1-5-32-548) -> -1
+Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
+Administrators (S-1-5-32-544) -> -1
+Backup Operators (S-1-5-32-551) -> -1
+Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
+Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
+Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
+Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
+Guests (S-1-5-32-546) -> -1
+Power Users (S-1-5-32-547) -> -1
+Print Operators (S-1-5-32-550) -> -1
+Replicators (S-1-5-32-552) -> -1
+System Operators (S-1-5-32-549) -> -1
+Users (S-1-5-32-545) -> -1
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <filename>/etc/passwd</filename> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system accounts and use the Samba
+ <command>smbpasswd</command> program to create the Domain user accounts.
+ </para>
+
+ <para>
+ <indexterm><primary>useradd</primary></indexterm>
+ <indexterm><primary>adduser</primary></indexterm>
+ <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
+ There are a number of tools for user management under UNIX. Commonly known ones include:
+ <command>useradd</command>, <command>adduser</command>. In addition to these, there are a plethora of custom
+ tools. With the tool of your choice, create a home directory for each user.
+ </para></step>
+
+ <step><para>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </para></step>
+
+ <step><para>
+ Create the directory mount point for the disk sub-system that is mounted to provide
+ data storage for company files. In this case the mount point indicated in the &smb.conf;
+ file is <filename>/data</filename>. Format the file system as required, mount the formatted
+ file system partition using <command>mount</command>,
+ and make the appropriate changes in <filename>/etc/fstab</filename>.
+ </para></step>
+
+ <step><para>
+ Create the top-level file storage directories are follows:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs}
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R alanm.accounts /data/accounts
+&rootprompt; chown -R alanm.finsvcs /data/finsvcs
+&rootprompt; chmod -R ug+rwx,o+rx-w /data
+</screen>
+ Each department is responsible for creating its own directory structure within its
+ share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
+ The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
+ </para></step>
+
+ <step><para>
+ Configure the printers with the IP addresses as shown in <link linkend="acct2net"/>.
+ Follow the instructions in the manufacturers' manuals to permit printing to port 9100.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
+&rootprompt; lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
+&rootprompt; lpadmin -p qms -v socket://192.168.2.10:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This creates the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>DHCP Server</primary>
+ </indexterm>
+ Using your favorite system editor, create an <filename>/etc/dhcpd.conf</filename> with the
+ contents as shown in <link linkend="dhcp01"/>.
+<example id="dhcp01">
+<title>Abmas Accounting DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
+<indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
+<screen>
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8;
+### NOTE ###
+# netbios-node-type=8 means set clients to Hybrid Mode
+# so they will use Unicast communication with the WINS
+# server and thus reduce the level of UDP broadcast
+# traffic by up to 90%.
+############
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host hplj4 {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.10;
+ }
+ host hplj6 {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.11;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qms {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.10;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+</screen>
+</example>
+ </para></step>
+
+
+ <step><para>
+ Use the standard system tool to start Samba and CUPS and configure them to start
+ automatically at every system reboot. For example:
+ </para>
+
+ <para>
+ <indexterm><primary>chkconfig</primary></indexterm>
+ <indexterm><primary>starting dhcpd</primary></indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting CUPS</primary></indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm>
+<screen>
+&rootprompt; chkconfig dhpc on
+&rootprompt; chkconfig smb on
+&rootprompt; chkconfig cups on
+&rootprompt; /etc/rc.d/init.d/dhcp restart
+&rootprompt; /etc/rc.d/init.d/smb restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>Name Service Switch</primary></indexterm>
+ <indexterm><primary>NSS</primary><see>Name Service Switch</see></indexterm>
+ <indexterm><primary>DNS</primary></indexterm><indexterm>
+ <primary>DNS server</primary>
+ </indexterm>
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ Configure the Name Service Switch (NSS) to handle WINS based name resolution.
+ Since this system does not use a DNS server, it is safe to remove this option from
+ the NSS configuration. Edit the <filename>/etc/nsswitch.conf</filename> file so that
+ the <constant>hosts:</constant> entry looks like this:
+<screen>
+hosts: files wins
+</screen>
+ </para></step>
+
+ </procedure>
+
+<smbconfexample id="acct2conf">
+<title>Accounting Office Network &smb.conf; File &smbmdash; [globals] Section</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">BILLMORE</smbconfoption>
+<smbconfoption name="passwd chat">*New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</smbconfoption>
+<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
+<smbconfoption name="syslog">0</smbconfoption>
+<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
+<smbconfoption name="printcap name">CUPS</smbconfoption>
+<smbconfoption name="show add printer wizard">No</smbconfoption>
+<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
+<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
+<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
+<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
+<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
+<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
+<smbconfoption name="logon script">scripts\login.bat</smbconfoption>
+<smbconfoption name="logon path"> </smbconfoption>
+<smbconfoption name="logon drive">X:</smbconfoption>
+<smbconfoption name="domain logons">Yes</smbconfoption>
+<smbconfoption name="preferred master">Yes</smbconfoption>
+<smbconfoption name="wins support">Yes</smbconfoption>
+<smbconfoption name="printing">CUPS</smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="acct3conf">
+<title>Accounting Office Network &smb.conf; File &smbmdash; Services and Shares Section</title>
+<smbconfsection name="[homes]"/>
+<smbconfoption name="comment">Home Directories</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">SMB Print Spool</smbconfoption>
+<smbconfoption name="path">/var/spool/samba</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[netlogon]"/>
+<smbconfoption name="comment">Network Logon Service</smbconfoption>
+<smbconfoption name="path">/data/%U</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[accounts]"/>
+<smbconfoption name="comment">Accounting Files</smbconfoption>
+<smbconfoption name="path">/data/accounts</smbconfoption>
+<smbconfoption name="valid users">%G</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[finsvcs]"/>
+<smbconfoption name="comment">Financial Service Files</smbconfoption>
+<smbconfoption name="path">/data/finsvcs</smbconfoption>
+<smbconfoption name="valid users">%G</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+</smbconfexample>
+
+ <sect2>
+ <title>Validation</title>
+
+ <para>
+ Does everything function as it ought? That is the key question at this point.
+ Here are some simple steps to validate your Samba server configuration.
+ </para>
+
+ <procedure>
+
+ <step><para><indexterm>
+ <primary>testparm</primary>
+ </indexterm>
+ If your &smb.conf; file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+<screen>
+&rootprompt; testparm -s
+Load smb config files from smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[accounts]"
+Processing section "[service]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = BILLMORE
+ passwd chat = *New*Password* \
+ %n\n *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ syslog = 0
+ name resolve order = wins bcast hosts
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m '%u'
+ delete user script = /usr/sbin/userdel -r '%u'
+ add group script = /usr/sbin/groupadd '%g'
+ delete group script = /usr/sbin/groupdel '%g'
+ add user to group script = /usr/sbin/usermod -G '%g' '%u'
+ add machine script = /usr/sbin/useradd
+ -s /bin/false -d /var/lib/nobody '%u'
+ logon script = scripts\logon.bat
+ logon path =
+ logon drive = X:
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ printing = cups
+...
+### Remainder cut to save space ###
+</screen>
+ The inclusion of an invalid parameter (say one called dogbert) would generate an
+ error as follows:
+<screen>
+Unknown parameter encountered: "dogbert"
+Ignoring unknown parameter "dogbert"
+</screen>
+ Clear away all errors before proceeding and start or restart samba as necessary.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>check samba
+ daemons</primary></indexterm><indexterm>
+ <primary>nmbd</primary>
+ </indexterm><indexterm>
+ <primary>smbd</primary>
+ </indexterm><indexterm>
+ <primary>winbindd</primary>
+ </indexterm>
+ Check that the Samba server is running:
+<screen>
+&rootprompt; ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</screen>
+ The <command>winbindd</command> daemon is running in split mode (normal) so there are also
+ two instances of it. For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
+ Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>anonymous connection</primary></indexterm>
+ Check that an anonymous connection can be made to the Samba server:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ netlogon Disk Network Logon Service
+ accounts Disk Accounting Files
+ finsvcs Disk Financial Service Files
+ IPC$ IPC IPC Service (Samba3)
+ ADMIN$ IPC IPC Service (Samba3)
+ hplj4 Printer Hewlett-Packard LaserJet 4
+ hplj6 Printer Hewlett-Packard LaserJet 6
+ qms Printer QMS Magicolor Laser Printer XXXX
+
+ Server Comment
+ --------- -------
+ SLEETH Samba 3.0.12
+
+ Workgroup Master
+ --------- -------
+ BILLMORE SLEETH
+</screen>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <constant>-U%</constant> argument means, send a "<constant>NULL</constant> username and
+ a <constant>NULL</constant> password."
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>dhcp client validation</primary></indexterm>
+ <indexterm><primary>printer
+ validation</primary></indexterm><indexterm>
+ <primary>/etc/dhcpd.conf</primary>
+ </indexterm>
+ Verify that the printers have the IP addresses assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <command>arp -a</command> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They
+ should, of course, match. For example:
+<screen>
+&rootprompt; ping hplj4
+PING hplj4 (192.168.1.11) 56(84) bytes of data.
+64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms
+
+&rootprompt; arp -a
+hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
+</screen>
+ The MAC address <constant>08:00:46:7A:35:E4</constant> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <filename>/etc/dhcpd.conf</filename> file.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>authenticated connection</primary></indexterm>
+ Make an authenticated connection to the server using the <command>smbclient</command> tool:
+<screen>
+&rootprompt; smbclient //sleeth/accounts -U alanm
+Password: XXXXXXX
+smb: \&gt; dir
+ . D 0 Sun Nov 9 01:28:34 2003
+ .. D 0 Sat Aug 16 17:24:26 2003
+ .mc DH 0 Sat Nov 8 21:57:38 2003
+ .qt DH 0 Fri Sep 5 00:48:25 2003
+ SMB D 0 Sun Oct 19 23:04:30 2003
+ Documents D 0 Sat Nov 1 00:31:51 2003
+ xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003
+
+ 65387 blocks of size 65536. 28590 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+
+ <procedure>
+ <title>Windows XP Professional Client Configuration</title>
+
+ <step><para>
+ Configure clients to the network settings shown in <link linkend="acct2net"/>.
+ All clients use DHCP for TCP/IP protocol stack configuration.
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ DHCP configures all Windows clients to use the WINS Server address <constant>192.168.1.1</constant>.
+ </para></step>
+
+ <step><para>
+ Join the Windows Domain called <constant>BILLMORE</constant>. Use the Domain Administrator
+ user name <constant>root</constant> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <link linkend="domjoin"/>.
+ Reboot the machine as prompted and then logon using a Domain User account.
+ </para></step>
+
+ <step><para>
+ Verify on each client that the machine called <constant>SLEETH</constant>
+ is visible in <guimenu>My Network Places</guimenu>, that it is
+ possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>
+ and <guimenuitem>finsvcs</guimenuitem>,
+ and that it is possible to open that share to reveal its contents.
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using their assigned user name and password.
+ </para></step>
+
+ <step><para>
+ Install a printer on each using the following steps:
+ </para>
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 4</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 4</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guisubmenu>Details (Tab)</guisubmenu>
+ <guimenuitem>Add Port</guimenuitem>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\SERVER\hplj4</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ Repeat the printer installation steps above for the HP LaserJet 6 printer
+ as well as for the QMS Magicolor XXXX laser printer.
+ </para></step>
+ </procedure>
+ </step>
+ </procedure>
+
+ <sect2>
+ <title>Notebook Computers: A Special Case</title>
+
+ <para>
+ As a network administrator, you already know how to create local machine accounts for Windows 200x/XP
+ Professional systems. This is the preferred solution to provide continuity of work for notebook users
+ so that absence from the office network environment does not become a barrier to productivity.
+ </para>
+
+ <para>
+ By creating a local machine account that has the same user name and password as you create for that
+ user in the Windows Domain environment, the user can log onto the machine locally and still
+ transparently access network resources as if logged onto the domain itself. There are some trade-offs
+ that mean that as the network is more tightly secured it becomes necessary to modify Windows client
+ configuration somewhat.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ In this network design and implementation exercise, you have created a Windows NT4 style Domain
+ Controller using Samba-3.0.12. As a result of following these guidelines meant that you experienced
+ and implemented several important aspects of Windows networking. In the next chapter of this book,
+ you build on the experience gained. These are the highlights from this chapter:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ <indexterm><primary>DHCP</primary></indexterm>
+ You implemented a DHCP Server and Microsoft Windows clients were able to obtain all necessary
+ network configuration settings from this server.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>Domain Controller</primary></indexterm>
+ You created a Windows Domain Controller. You were able to use the network logon service
+ and successfully joined Windows 200x/XP Professional clients to the Domain.
+ </para></listitem>
+
+ <listitem><para>
+ <indexterm><primary>CUPS</primary></indexterm>
+ You created raw print queues in the CUPS printing system. You maintained a simple
+ printing system so that all users can share centrally managed printers. You installed
+ native printer drivers on the Windows clients.
+ </para></listitem>
+
+ <listitem><para>
+ You experienced the benefits of centrally managed user accounts on the server.
+ </para></listitem>
+
+ <listitem><para>
+ You offered Mobile notebook users a solution that allows them to continue to work
+ while away from the office and not connected to the corporate network.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that
+ may help.
+ </para>
+
+ <qandaset>
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ First and foremost, portability. It means that notebook users can move between
+ the Abmas office and client offices (so long as they, too, use DHCP) without having to manually
+ reconfigure their machines. It also means that when they work from their home environments
+ either using DHCP assigned addressing or when using dial-up networking, settings such as
+ default routes and DNS server addresses that apply only to the Abmas office environment do
+ not interfere with remote operations. This is an extremely important feature of DHCP.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Are there any DHCP server configuration parameters in the <filename>/etc/dhcpd.conf</filename>
+ that should be noted in particular?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Yes. The configuration you created automatically provides each client with the IP address
+ of your WINS server. It also configures the client to preferentially register NetBIOS names
+ with the WINS server, and then instructs the client to first query the WINS server when a
+ NetBIOS machine name needs to be resolved to an IP Address. This means that this configuration
+ results in far lower UDP broadcast traffic than would be the case if WINS was not used.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Is it possible to create a Windows Domain account that is specifically called <constant>Administrator</constant>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ You can surely create a Windows Domain Account called <constant>Administrator</constant>. It is also
+ possible to map that account so that it has the effective UNIX UID of 0. This way it isn't
+ necessary to use the <parameter>username map</parameter> facility to map this account to the UNIX
+ account called <constant>root</constant>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why is it necessary to give the Windows Domain <constant>Administrator</constant> a UNIX UID of 0?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The Windows Domain <constant>Administrator</constant> account is the most privileged account that
+ exists on the Windows platform. This user can change any setting, add/delete or modify user
+ accounts, and completely reconfigure the system. The equivalent to this account in the UNIX
+ environment is the <constant>root</constant> account. If you want to permit the Windows Domain
+ Administrator to manage accounts, as well as permissions, privileges, and security
+ settings within the Domain and on the Samba server, equivalent rights must be assigned. This is
+ achieved with the <constant>root</constant> UID equal to 0.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him
+ <constant>root</constant> access. How can we do this?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Users who are members of the <constant>Domain Admins</constant> group can add machines to the
+ Domain. This group is mapped to the UNIX group account called <constant>root</constant>
+ (or equivalent on <constant>wheel</constant> on some UNIX systems) that has a GID of 0.
+ This must be the primary GID of the account of the user who is a member of the Windows <constant>
+ Domain Admins</constant> account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why must I map Windows Domain Groups to UNIX groups?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account
+ has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are:
+ <guimenu>Domain Guests, Domain Users, Domain Admins</guimenu>.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ I deleted my <constant>root</constant> account and now I cannot add it back! What can I do?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ This is a nasty problem. Fortunately, here is a solution.
+ </para>
+
+ <procedure>
+ <step><para>
+ Back up your existing configuration files in case you need to restore them.
+ </para></step>
+
+ <step><para>
+ Rename the <filename>group_mapping.tdb</filename> file.
+ </para></step>
+
+ <step><para>
+ Use the <command>smbpasswd</command> to add the root account.
+ </para></step>
+
+ <step><para>
+ Restore the <filename>group_mapping.tdb</filename> file.
+ </para></step>
+ </procedure>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ When I run <command>net groupmap list</command>, it reports a group called <guimenu>Administrators</guimenu>
+ as well as <guimenu>Domain Admins</guimenu>. What is the difference between them?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The group called <guimenu>Administrators</guimenu> is representative of the same account that would be
+ present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain
+ Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This
+ may change at some later date. These accounts are provided only so that security objects are correctly shown.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the effect of changing the name of a Samba server, or of changing the Domain name?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ In the event that you elect to change the name of the Samba server, on restarting <command>smbd</command>,
+ Windows security identifiers are changed. In the case of a Stand-Alone server or a Domain Member server,
+ the machine SID is changed. This may break Domain Membership. In the case of a change of the Domain name
+ (Workgroup name), the Domain SID is changed. This affects all Domain Memberships.
+ </para>
+
+ <para>
+ If it becomes necessary to change either the Server name or the Domain name, be sure to back up the respective
+ SID before the change is made. You can back up the SID from use of the <command>net getlocalsid</command> (Samba-3),
+ or by way of the <command>smbpasswd</command> (Samba-2.2.x). To change the SID, you use the same tool. Be sure
+ to check the man page for this command for detailed instructions regarding the steps involved.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ How can I manage user accounts from my Windows XP Professional workstation?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Samba-3 implements a Windows NT4 style security domain architecture. This type of Domain cannot
+ be managed using tools present on a Windows XP Professional installation. You may download from the
+ Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use
+ it. This package extracts the tools known as: <command>User Manager for Domains, Server Manager, Event
+ Viewer</command>. You may use the <guimenu>User Manager for Domains</guimenu> to manage your Samba-3
+ Domain user and group accounts. Of course, you do need to be logged on as the <constant>Administrator</constant>
+ for the Samba-3 Domain. It may help to log on as the <constant>root</constant> account.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
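Review bot: In the "Check that the Samba server is running" screen block, the second prompt `$rootprompt; ps ax | grep winbind` uses `$` where every other prompt in the file uses the `&rootprompt;` entity, so it will not be expanded and the rendered page will show the literal text `$rootprompt;`; change it to `&rootprompt; ps ax | grep winbind`. Three smaller points in the same file: the smb.conf listing wraps `add machine script = /usr/sbin/useradd` onto a second line (`-s /bin/false -d /var/lib/nobody '%u'`) with no trailing `\` continuation, so as printed the second half would be read as a separate, badly formed line rather than as part of the parameter, which contradicts the "clear away all errors" advice a few lines later; the printer port step tells the reader to enter `\\SERVER\hplj4` although the server is named `SLEETH` everywhere else in the chapter, so `\\SLEETH\hplj4` would keep the example consistent; and the Key Points paragraph reads "As a result of following these guidelines meant that you experienced", which should be either "Following these guidelines meant that you experienced" or "As a result of following these guidelines, you experienced". Finally, in the Q&A about letting junior staff join machines "without root access", the answer requires the user's primary GID to be 0, that is, membership of the UNIX root (or wheel) group; it would help the reader to state plainly that this grants group-root privileges on the Samba host itself, so the answer does not quietly deliver what the question set out to avoid.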