Diffstat (limited to 'docs/docbook/projdoc/AdvancedNetworkAdmin.sgml')
-rw-r--r-- | docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 291 |
1 files changed, 0 insertions, 291 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml deleted file mode 100644 index dc2a78f5a6..0000000000 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ /dev/null 
@@ -1,291 +0,0 @@ -<chapter id="AdvancedNetworkManagement"> -<chapterinfo> - &author.jht; - <pubdate>April 3 2003</pubdate> -</chapterinfo> - -<title>Advanced Network Manangement</title> - -<para> -This section attempts to document peripheral issues that are of great importance to network -administrators who want to improve network resource access control, to automate the user -environment, and to make their lives a little easier. -</para> - -<sect1> -<title>Configuring Samba Share Access Controls</title> - -<para> -This section deals with how to configure Samba per share access control restrictions. -By default samba sets no restrictions on the share itself. Restrictions on the share itself -can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can -connect to a share. In the absence of specific restrictions the default setting is to allow -the global user <emphasis>Everyone</emphasis> Full Control (ie: Full control, Change and Read). -</para> - -<para> -At this time Samba does NOT provide a tool for configuring access control setting on the Share -itself. Samba does have the capacity to store and act on access control settings, but the only -way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for -Computer Management. -</para> - -<para> -Samba stores the per share access control settings in a file called <filename>share_info.tdb</filename>. -The location of this file on your system will depend on how samba was compiled. The default location -for samba's tdb files is under <filename>/usr/local/samba/var</filename>. If the <filename>tdbdump</filename> -utility has been compiled and installed on your system then you can examine the contents of this file -by: <userinput>tdbdump share_info.tdb</userinput>. -</para> - -<sect2> -<title>Share Permissions Management</title> - -<para> -The best tool for the task is platform dependant. Choose the best tool for your environmemt. 
-</para> - -<sect3> -<title>Windows NT4 Workstation/Server</title> -<para> -The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. -Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. -You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. -</para> - -<procedure> -<title>Instructions</title> -<step><para> -Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu -select Computer, then click on the Shared Directories entry. -</para></step> - -<step><para> - Now click on the share that you wish to manage, then click on the Properties tab, next click on - the Permissions tab. Now you can Add or change access control settings as you wish. -</para></step> -</procedure> - -</sect3> - -<sect3> -<title>Windows 200x/XP</title> - -<para> -On MS Windows NT4/200x/XP system access control lists on the share itself are set using native -tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, -then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows -<emphasis>Everyone</emphasis> Full Control on the Share. -</para> - -<para> -MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the -Microsoft Management Console (MMC). This tool is located by clicking on <filename>Control Panel -> -Administrative Tools -> Computer Management</filename>. -</para> - -<procedure> -<title>Instructions</title> -<step><para> - After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', - select 'Connect to another computer'. If you are not logged onto a domain you will be prompted - to enter a domain login user identifier and a password. This will authenticate you to the domain. - If you where already logged in with administrative privilidge this step is not offered. 
-</para></step> - -<step><para> -If the Samba server is not shown in the Select Computer box, then type in the name of the target -Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] -next to 'Shared Folders' in the left panel. -</para></step> - -<step><para> -Now in the right panel, double-click on the share you wish to set access control permissions on. -Then click on the tab 'Share Permissions'. It is now possible to add access control entities -to the shared folder. Do NOT forget to set what type of access (full control, change, read) you -wish to assign for each entry. -</para></step> -</procedure> - -<warning> -<para> -Be careful. If you take away all permissions from the Everyone user without removing this user -then effectively no user will be able to access the share. This is a result of what is known as -ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone -will have no access even if this user is given explicit full control access. -</para> -</warning> - -</sect3> -</sect2> -</sect1> - -<sect1> -<title>Remote Server Administration</title> - -<para> -<emphasis>How do I get 'User Manager' and 'Server Manager'?</emphasis> -</para> - -<para> -Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', -the 'Server Manager'? -</para> - -<para> -Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me -systems. 
The tools set includes: -</para> - -<itemizedlist> - <listitem><para>Server Manager</para></listitem> - <listitem><para>User Manager for Domains</para></listitem> - <listitem><para>Event Viewer</para></listitem> -</itemizedlist> - -<para> -Click here to download the archived file <ulink -url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> -</para> - -<para> -The Windows NT 4.0 version of the 'User Manager for -Domains' and 'Server Manager' are available from Microsoft via ftp -from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> -</para> - -</sect1> -<sect1> -<title>Network Logon Script Magic</title> - -<para> -This section needs work. Volunteer contributions most welcome. Please send your patches or updates -to <ulink url="mailto:jht@samba.org">John Terpstra</ulink>. -</para> - -<para> -There are several opportunities for creating a custom network startup configuration environment. -</para> - -<simplelist> - <member>No Logon Script</member> - <member>Simple universal Logon Script that applies to all users</member> - <member>Use of a conditional Logon Script that applies per user or per group attirbutes</member> - <member>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create - a custom Logon Script and then execute it.</member> - <member>User of a tool such as KixStart</member> -</simplelist> - -<para> -The Samba source code tree includes two logon script generation/execution tools. See <filename>examples</filename> directory <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories. -</para> - -<para> -The following listings are from the genlogon directory. 
-</para> - -<para> -This is the genlogon.pl file: - -<programlisting> - #!/usr/bin/perl - # - # genlogon.pl - # - # Perl script to generate user logon scripts on the fly, when users - # connect from a Windows client. This script should be called from smb.conf - # with the %U, %G and %L parameters. I.e: - # - # root preexec = genlogon.pl %U %G %L - # - # The script generated will perform - # the following: - # - # 1. Log the user connection to /var/log/samba/netlogon.log - # 2. Set the PC's time to the Linux server time (which is maintained - # daily to the National Institute of Standard's Atomic clock on the - # internet. - # 3. Connect the user's home drive to H: (H for Home). - # 4. Connect common drives that everyone uses. - # 5. Connect group-specific drives for certain user groups. - # 6. Connect user-specific drives for certain users. - # 7. Connect network printers. - - # Log client connection - #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); - ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); - open LOG, ">>/var/log/samba/netlogon.log"; - print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; - close LOG; - - # Start generating logon script - open LOGON, ">/shared/netlogon/$ARGV[0].bat"; - print LOGON "\@ECHO OFF\r\n"; - - # Connect shares just use by Software Development group - if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") - { - print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; - } - - # Connect shares just use by Technical Support staff - if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") - { - print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; - } - - # Connect shares just used by Administration staff - If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") - { - print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; - print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; - } - - # Now connect Printers. 
We handle just two or three users a little - # differently, because they are the exceptions that have desktop - # printers on LPT1: - all other user's go to the LaserJet on the - # server. - if ($ARGV[0] eq 'jim' - || $ARGV[0] eq 'yvonne') - { - print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; - print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; - } - else - { - print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; - print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; - } - - # All done! Close the output file. - close LOGON; -</programlisting> -</para> - -<para> -Those wishing to use more elaborate or capable logon processing system should check out the following sites: -</para> - -<simplelist> - <member>http://www.craigelachie.org/rhacer/ntlogon</member> - <member>http://www.kixtart.org</member> - <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member> -</simplelist> - -<sect2> -<title>Adding printers without user intervention</title> - -<para> -Printers may be added automatically during logon script processing through the use of: - -<programlisting> - rundll32 printui.dll,PrintUIEntry /? -</programlisting> - -See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. -</para> -</sect2> - -</sect1> -</chapter> - |
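Review bot: The genlogon.pl listing inside this removed chapter should not be carried over unchanged if the text is being relocated rather than dropped. Its Administration block opens with a capitalised `If (`, which Perl will not parse, and `open LOGON, ">/shared/netlogon/$ARGV[0].bat";` builds the output path from the %U argument while the script runs from `root preexec`, with no validation of the name and no check that either `open` succeeded. Suggest matching the user name against a strict character set before it is used in the path and adding `or die` to both opens. The diffstat shows 0 insertions, so it would also help to say in the commit message where the share-permissions material, including the warning about taking all permissions away from Everyone, now lives.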