Diffstat (limited to 'docs/docbook/projdoc/AdvancedNetworkAdmin.sgml')
-rw-r--r-- | docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml new file mode 100644 index 0000000000..fe0774810b --- /dev/null +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -0,0 +1,178 @@ +<chapter id="AdvancedNetworkManagement"> +<chapterinfo> + <author> + <firstname>John H</firstname><surname>Terpstra</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jht@samba.org</email> + </address> + </affiliation> + </author> + <pubdate>April 3 2003</pubdate> +</chapterinfo> + +<title>Advanced Network Manangement</title> + +<para> +This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier. +</para> + +<sect1> +<title>Configuring Samba Share Access Controls</title> + +<para> +This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read). +</para> + +<para> +At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management. +</para> + +<para> +Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <filename>tdbdump share_info.tdb</filename>. 
+</para> + +<sect2> +<title>Share Permissions Management</title> + +<para> +The best tool for the task is platform dependant. Choose the best tool for your environmemt. +</para> + +<sect3> +<title>Windows NT4 Workstation/Server</title> +<para> +The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. +</para> + +<para> +Instructions: +</para> + + <para> + Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu + select Computer, then click on the Shared Directories entry. + </para> + + <para> + Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish. + </para> + +</sect3> + +<sect3> +<title>Windows 200x/XP</title> + +<para> +On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<emphasis>Everyone</emphasis> Full Control on the Share. +</para> + +<para> +MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel -> +Administrative Tools -> Computer Management</filename>. +</para> + +<para> +Instructions: +</para> + <para> + After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. 
This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered. + </para> + + <para> + If the Samba server is not shown in the Select Computer box, then type in the name of the target + Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] + next to 'Shared Folders' in the left panel. + </para> + + <para> + Now in the right panel, double-click on the share you wish to set access control permissions on. + Then click on the tab 'Share Permissions'. It is now possible to add access control entities + to the shared folder. Do NOT forget to set what type of access (full control, change, read) you + wish to assign for each entry. + </para> + + <note> + <para> + Be careful. If you take away all permissions from the Everyone user without removing this user + then effectively no user will be able to access the share. This is a result of what is known as + ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone + will have no access even if this user is given explicit full control access. + </para> + </note> + +</sect3> +</sect2> +</sect1> + +<sect1> +<title>Remote Server Administration</title> + +<para> +<emphasis>How do I get 'User Manager' and 'Server Manager'?</emphasis> +</para> + +<para> +Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'? +</para> + +<para> +Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems. 
The tools set includes: +</para> + +<itemizedlist> + <listitem><para>Server Manager</para></listitem> + + <listitem><para>User Manager for Domains</para></listitem> + + <listitem><para>Event Viewer</para></listitem> +</itemizedlist> + +<para> +Click here to download the archived file <ulink +url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> +</para> + +<para> +The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> +</para> + +</sect1> +<sect1> +<title>Network Logon Script Magic</title> + +<para> +This section needs work. Volunteer contributions most welcome. Please send your patches or updates +to jht@samba.org. +</para> + +</chapter> + |