Diffstat (limited to 'docs/docbook/projdoc/AdvancedNetworkAdmin.sgml')
-rw-r--r-- | docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 291 |
1 files changed, 291 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml new file mode 100644 index 0000000000..dc2a78f5a6 --- /dev/null +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -0,0 +1,291 @@ +<chapter id="AdvancedNetworkManagement"> +<chapterinfo> + &author.jht; + <pubdate>April 3 2003</pubdate> +</chapterinfo> + +<title>Advanced Network Manangement</title> + +<para> +This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier. +</para> + +<sect1> +<title>Configuring Samba Share Access Controls</title> + +<para> +This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read). +</para> + +<para> +At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management. +</para> + +<para> +Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <userinput>tdbdump share_info.tdb</userinput>. +</para> + +<sect2> +<title>Share Permissions Management</title> + +<para> +The best tool for the task is platform dependant. Choose the best tool for your environmemt. 
+</para> + +<sect3> +<title>Windows NT4 Workstation/Server</title> +<para> +The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. +</para> + +<procedure> +<title>Instructions</title> +<step><para> +Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry. +</para></step> + +<step><para> + Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish. +</para></step> +</procedure> + +</sect3> + +<sect3> +<title>Windows 200x/XP</title> + +<para> +On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<emphasis>Everyone</emphasis> Full Control on the Share. +</para> + +<para> +MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel -> +Administrative Tools -> Computer Management</filename>. +</para> + +<procedure> +<title>Instructions</title> +<step><para> + After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered. 
+</para></step> + +<step><para> +If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel. +</para></step> + +<step><para> +Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry. +</para></step> +</procedure> + +<warning> +<para> +Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. This is a result of what is known as +ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access. +</para> +</warning> + +</sect3> +</sect2> +</sect1> + +<sect1> +<title>Remote Server Administration</title> + +<para> +<emphasis>How do I get 'User Manager' and 'Server Manager'?</emphasis> +</para> + +<para> +Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'? +</para> + +<para> +Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems. 
The tools set includes: +</para> + +<itemizedlist> + <listitem><para>Server Manager</para></listitem> + <listitem><para>User Manager for Domains</para></listitem> + <listitem><para>Event Viewer</para></listitem> +</itemizedlist> + +<para> +Click here to download the archived file <ulink +url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> +</para> + +<para> +The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> +</para> + +</sect1> +<sect1> +<title>Network Logon Script Magic</title> + +<para> +This section needs work. Volunteer contributions most welcome. Please send your patches or updates +to <ulink url="mailto:jht@samba.org">John Terpstra</ulink>. +</para> + +<para> +There are several opportunities for creating a custom network startup configuration environment. +</para> + +<simplelist> + <member>No Logon Script</member> + <member>Simple universal Logon Script that applies to all users</member> + <member>Use of a conditional Logon Script that applies per user or per group attirbutes</member> + <member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create + a custom Logon Script and then execute it.</member> + <member>User of a tool such as KixStart</member> +</simplelist> + +<para> +The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories. +</para> + +<para> +The following listings are from the genlogon directory. 
+</para> + +<para> +This is the genlogon.pl file: + +<programlisting> + #!/usr/bin/perl + # + # genlogon.pl + # + # Perl script to generate user logon scripts on the fly, when users + # connect from a Windows client. This script should be called from smb.conf + # with the %U, %G and %L parameters. I.e: + # + # root preexec = genlogon.pl %U %G %L + # + # The script generated will perform + # the following: + # + # 1. Log the user connection to /var/log/samba/netlogon.log + # 2. Set the PC's time to the Linux server time (which is maintained + # daily to the National Institute of Standard's Atomic clock on the + # internet. + # 3. Connect the user's home drive to H: (H for Home). + # 4. Connect common drives that everyone uses. + # 5. Connect group-specific drives for certain user groups. + # 6. Connect user-specific drives for certain users. + # 7. Connect network printers. + + # Log client connection + #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); + open LOG, ">>/var/log/samba/netlogon.log"; + print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; + close LOG; + + # Start generating logon script + open LOGON, ">/shared/netlogon/$ARGV[0].bat"; + print LOGON "\@ECHO OFF\r\n"; + + # Connect shares just use by Software Development group + if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") + { + print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; + } + + # Connect shares just use by Technical Support staff + if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") + { + print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; + } + + # Connect shares just used by Administration staff + If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") + { + print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; + print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; + } + + # Now connect Printers. 
We handle just two or three users a little + # differently, because they are the exceptions that have desktop + # printers on LPT1: - all other user's go to the LaserJet on the + # server. + if ($ARGV[0] eq 'jim' + || $ARGV[0] eq 'yvonne') + { + print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + else + { + print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; + print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; + } + + # All done! Close the output file. + close LOGON; +</programlisting> +</para> + +<para> +Those wishing to use more elaborate or capable logon processing system should check out the following sites: +</para> + +<simplelist> + <member>http://www.craigelachie.org/rhacer/ntlogon</member> + <member>http://www.kixtart.org</member> + <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member> +</simplelist> + +<sect2> +<title>Adding printers without user intervention</title> + +<para> +Printers may be added automatically during logon script processing through the use of: + +<programlisting> + rundll32 printui.dll,PrintUIEntry /? +</programlisting> + +See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. +</para> +</sect2> + +</sect1> +</chapter> + |
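Review bot: the genlogon.pl listing in the "Network Logon Script Magic" section will not compile as shown, because the Administration block uses `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")` with a capital `I`; Perl's keyword is lowercase `if`, so this line should be corrected before the script is published as a working example. Two smaller points in the same listing: the log line prints the raw `localtime` fields, but `$mon` is zero-based and `$year` is years since 1900, so the timestamp written to `/var/log/samba/netlogon.log` is off by one month and reads e.g. "103" for the year, and the message "User $ARGV[0] logged into $ARGV[1]" reports the group (`%G`), not the server (`%L`, which is `$ARGV[2]`). Since this script runs via `root preexec`, the two `open` calls (the log and `/shared/netlogon/$ARGV[0].bat`) should check their return values (`open ... or die`), so a failure to write the batch file is noticed rather than silently producing an empty logon script. Finally, the prose has several spelling slips worth fixing in the same change: "Manangement", "dependant", "environmemt", "privilidge", "precidence", "attirbutes", and "User of a tool" (should be "Use of a tool").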