Diffstat (limited to 'docs/guide/Chap03-TheSmallOffice.xml')
-rw-r--r-- | docs/guide/Chap03-TheSmallOffice.xml | 1310 |
1 files changed, 1310 insertions, 0 deletions
diff --git a/docs/guide/Chap03-TheSmallOffice.xml b/docs/guide/Chap03-TheSmallOffice.xml new file mode 100644 index 0000000000..fa40097f59 --- /dev/null +++ b/docs/guide/Chap03-TheSmallOffice.xml 
@@ -0,0 +1,1310 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + + <!-- Stuff for xincludes --> + <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd"> + %xinclude; + + <!-- entities files to use --> + <!ENTITY % global_entities SYSTEM '../entities/global.entities'> + %global_entities; + +]> + +<chapter id="small"> + <title>Small Office Networking</title> + + <para> + So far, this book has focused on the basics of simple yet effective + network solutions. Network administrators who take pride in their work + (that's most of us, right?) take care to deliver what our users want, + but not too much more. If we make things too complex, we confound our users and + increase costs of network ownership. A professional network manager + avoids the temptation to put too much pizazz into the way that the network + operates. Some creativity is helpful, but do keep it under control. + </para> + + <para><indexterm> + <primary>Netware</primary> + </indexterm> + Five years ago there were two companies from which a lesson can be learned. + In one case the network administrator spent three months building a new + network to replace an old Netware server. What he delivered had all the + bells and whistles he could muster. There were a few teething problems + during the change-over, nothing serious but a little disruptive all the + same. Users were exposed to many changes at once. The network + administrator was asked to resign two months after implementing the + new system. This was necessary because so many staff had complained + they had lost time and were not happy with the new network. + Everything was automated and he delivered more features than any advanced + user could think of. He was just too smart for his own good. 
+ </para> + + <para> + In the case of the other company, a new network manager was appointed + to oversee the replacement of a LanTastic network with an MS Windows + NT 4.0 network. He had the replacement installed and operational within + two weeks. Before installation and change-over, he called a meeting to + explain to all users what was going to happen, how it would affect them + and that he would be available 24 hours a day to help them transition. + One week after conversion, he held another meeting asking for cooperation + in the introduction of a few new features that would help to make life + easier. Network users were thrilled with what he was doing to help + them. The network he implemented was nowhere near as complex as the first example, had fewer + features, and yet he had happy users. Months later he was still adding + new innovations. He always asked the users if a + particular feature was what they wanted. He asked his boss for a raise + and got it. He often told me, <quote>Always keep a few new tricks up your + sleeves for when you need them.</quote> Was he smart? You decide. Let's + get on with our next exercise. + </para> + +<sect1> + <title>Introduction</title> + + <para> + Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you + were the right person for the job. That's why he asked you to install the + new server. The past few months have been hard work. You advised Mr. Meany + that it is time for a change. Abmas now has 52 users, having acquired an + investment consulting business recently. The new users were added to the + network without any problems. + </para> + + <para> + Some of the Windows clients are getting to be past their use-by date. + You have found damaged and unusable software on some of the workstations + that came with the acquired business and found some machines that are + in need of both hardware and software maintenance. 
+ </para> + + <sect2> + <title>Assignment Tasks</title> + + <para> + <indexterm><primary>Windows XP</primary></indexterm> + Mr. Meany has decided to retire in 12 months. He wants you to help him + make the business run better. Many of the new staff want notebook computers. + They visit customer business premises with the need to use local network + facilities; these users are technically competent. The company uses a + business application that requires Windows XP Professional. In short, a + complete client upgrade is about to happen. Mr. Meany told you that he is working + on another business acquisition and that by the time he retires there will be + 80 to 100 users. + </para> + + <para> + Mr. Meany is not concerned about security. He wants to make it easier for + staff to do their work. He has hired you to help him appoint a full-time + network manager before he retires. Above all, he says he is investing in + the ability to grow. He is determined to live his lifelong dream and + hand the business over to a bright and capable executive who can make + things happen. This means your network design must cope well with + growth. + </para> + + <para> + In a few months, Abmas will require an Internet connection for email + and so staff easily obtain software updates. Mr. Meany is warming up to the + installation of anti-virus software, but is not yet ready to approve + this expense. He told you to spend the money a virus scanner costs + on better quality notebook computers for mobile users. + </para> + + <para> + One of Mr. Meany's golfing partners sold him on the idea to buy new laser + printers. One black only, the other a color laser printer. Staff support + the need for a color printer so they can present more attractive proposals + and reports. + </para> + + <para> + Mr. Meany also asked if it would be possible for one of the staff to manage + user accounts from the Windows desktop. That person will be responsible for + basic operations. 
+ </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para> + What are the key requirements in this business example? A quick review indicates + a need for: + </para> + + <itemizedlist> + <listitem><para> + Scalability &smbmdash; from 52 to over 100 users in 12 months + </para></listitem> + + <listitem><para> + Mobile computing capability + <indexterm><primary>mobile computing</primary></indexterm> + </para></listitem> + + <listitem><para> + Improved reliability and usability + </para></listitem> + + <listitem><para> + Easier administration + </para></listitem> + </itemizedlist> + + <para> + In this instance the installed Linux system is assumed to be a Red Hat Linux 9.0 server + (as in <link linkend="AccountingOffice"/>). + + </para> + + + <sect2> + <title>Technical Issues</title> + + <para> + <indexterm><primary>smbpasswd</primary></indexterm> + <indexterm><primary>DHCP</primary></indexterm> + <indexterm><primary>DNS</primary></indexterm> + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>Domain</primary></indexterm> + It is time to implement a domain security environment. You will use the <constant> + smbpasswd</constant> (default) backend. You should implement a DHCP server. There is no need to + run DNS at this time, but the system will use WINS. The Domain name will be <constant> + BILLMORE</constant>. This time, the name of the server will be <constant>SLEETH</constant>. + </para> + + <para> + All printers will be configured as DHCP clients. The DHCP server will assign + the printer a fixed IP address by way of its Ethernet interface (MAC) address. + See <link linkend="dhcp01"/>. + </para> + + <note><para> + The &smb.conf; file you are creating in this exercise can be used with equal effectiveness + with Samba-2.2.x series releases. 
This is deliberate so that in the next chapter it is + possible to start with the installation that you have created here, migrate it + to a Samba-3 configuration and then secure the system further. Configurations following + this one will utilize features that may not be supported in Samba-2.2.x releases. + However, you should note that the examples in each chapter start with the assumption + that a fresh new installation is being effected. + </para></note> + + <para> + Later on, when the Internet connection is implemented, you will add DNS as well as + other enhancements. It is important that you plan accordingly. + </para> + + <para> + <indexterm><primary>ether-switch</primary></indexterm> + You have split the network into two separate areas. Each has its own ether-switch. + There are 20 users on the accounting network and 32 users on the financial services + network. The server has two network interfaces, one serving each network. The + network printers will be located in a central area. You plan to install the new + printers and keep the old printer in use also. + </para> + + <para> + You will provide separate file storage areas for each business entity. The old system + will go away, accounting files will be handled under a single directory, and files will + be stored under customer name, not under a personal work area. Staff will be made + responsible for file location, so maintain the old share point. + </para> + + <para> + Given that DNS will not be used, you will configure WINS name resolution for UNIX + hostname name resolution. + </para> + + <para> + <indexterm><primary>Domain</primary><secondary>groups</secondary></indexterm> + <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm> + It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is + advisable to also map Windows Local Groups to UNIX groups. Additionally, the two + key staff groups in the firm are Accounting Staff and Financial Services Staff. 
+ For these, it is necessary to create UNIX groups as well as Windows Domain Groups. + </para> + + <para> + In the sample &smb.conf; file, you have configured Samba to call the UNIX <command>groupadd</command> + to add group entries. This utility does not permit the addition of group names that + contain upper-case characters or spaces. This is considered a bug. The <command>groupadd</command> + is part of the <command>shadow-utils</command> Open Source Software package. + A later release of this package may have been patched to resolve this bug. + If your operating platform has this bug, it means that attempts to add a Windows Domain + Group that has either a space or upper-case characters in it will fail. See <emphasis>TOSHARG</emphasis>, Section 11.3.1, + Example 11.1, for more information. + </para> + + <para> + <indexterm><primary>CUPS</primary></indexterm> + Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler + on the UNIX host will be operated in <constant>raw</constant> mode. + </para> + + </sect2> + + <sect2> + <title>Political Issues</title> + + <para> + Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. + He is willing to spend money on things he believes are of value. You need more + time to convince him of real priorities. + </para> + + <para> + Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be + supplied with anti-virus software? Above all, demonstrate good purchase value and remember + to make your users happy. + </para> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para><indexterm> + <primary>migration</primary> + </indexterm> + In this example, the assumption is made that this server is being configured from a clean start. + The alternate approach could be to demonstrate the migration of the system that is documented + in <link linkend="AcctgNet"/> to meet the new requirements. 
The decision to treat this case, as with + future examples, as a new installation is based on the premise that you can determine + the migration steps from the information provided in the separate chapter on this subject. + Additionally, a fresh installation makes the example easier to follow. + </para> + + <para><indexterm> + <primary>group membership</primary> + </indexterm> + Each user will be given a home directory on the UNIX system, which will be available as a private + share. Two additional shares will be created, one for the Accounting Department and the other for + the Financial Services Department. Network users will be given access to these shares by way + of group membership. + </para> + + <para> + <indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm> + UNIX group membership is the primary mechanism by which Windows Domain users will be granted + rights and privileges within the Windows environment. + </para> + + <para><indexterm> + <primary>sticky bit</primary> + </indexterm> + The user <command>alanm</command> will be made the owner of all files. This will be preserved + by setting the sticky bit (set UID/GID) on the top-level directories. + </para> + +<figure id="acct2net"> + <title>Abmas Accounting &smbmdash; 52 User Network Topology</title> + <mediaobject> + <imageobject role="latex"> + <imagedata fileref="guide/images/acct2net.png" scale="100" scalefit="1"/> + </imageobject> + <imageobject> + <imagedata fileref="guide/images/acct2net.png" scale="100" scalefit="1"/> + </imageobject> + </mediaobject> +</figure> + + <procedure> + <step><para> + Using UNIX/Linux system tools, name the server <constant>sleeth</constant>. + </para></step> + + <step><para> + <indexterm><primary>/etc/hosts</primary></indexterm> + Place an entry for the machine <constant>sleeth</constant> in the <filename>/etc/hosts</filename>. + The printers are network attached, so it is desirable that there should be entries for the + network printers also. 
An example <filename>/etc/hosts</filename> file is shown here: +<screen> +192.168.1.1 sleeth sleeth1 +192.168.2.1 sleeth2 +192.168.1.10 hplj6 +192.168.1.11 hplj4 +192.168.2.10 qms +</screen> + </para></step> + + <step><para> + Install the Samba-3 binary RPM from the Samba-Team FTP site. + </para></step> + + <step><para> + Install the ISC DHCP server using the UNIX/Linux system tools available to you. + </para></step> + + <step><para><indexterm> + <primary>/etc/rc.d/rc.local</primary> + </indexterm><indexterm> + <primary>IP forwarding</primary> + </indexterm><indexterm> + <primary>router</primary> + </indexterm><indexterm> + <primary>/proc/sys/net/ipv4/ip_forward</primary> + </indexterm> + Given that Samba will be operating over two network interfaces and clients on each side + may want to be able to reach clients on the other side, it is imperative that IP forwarding + shall be enabled. Use the system tool of your choice to enable IP forwarding. In the + absence of such a tool on the Linux system, add to the <filename>/etc/rc.d/rc.local</filename> + file an entry as follows: +<screen> +echo 1 > /proc/sys/net/ipv4/ip_forward +</screen> + This causes the Linux kernel to forward IP packets so that it acts as a router. + </para></step> + + <step><para> + Install the &smb.conf; file as shown in <link linkend="acct2conf"/> and + <link linkend="acct3conf"/>. Combine these two examples to form a single + <filename>/etc/samba/smb.conf</filename> file. + </para></step> + + <step><para><indexterm> + <primary>smbpasswd</primary> + </indexterm> + Add the user <command>root</command> to the Samba password backend: +<screen> +&rootprompt; smbpasswd -a root +New SMB password: XXXXXXX +Retype new SMB password: XXXXXXX +&rootprompt; +</screen> + <indexterm><primary>administrator</primary></indexterm> + This is the Windows Domain Administrator password. Never delete this account from + the password backend after Windows Domain Groups have been initialized. 
If you delete + this account, your system is crippled. You cannot restore this account + and your Samba server is no longer capable of being administered. + </para></step> + + <step><para> + <indexterm><primary>username map</primary></indexterm> + Create the username map file to permit the <constant>root</constant> account to be called + <constant>Administrator</constant> from the Windows network environment. To do this, create + the file <filename>/etc/samba/smbusers</filename> with the following contents: +<screen> +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### +</screen> + </para></step> + + <step><para> + <indexterm><primary>initGrps.sh</primary></indexterm> + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in + <link linkend="initGrps"/>. Create a file containing this script. We called ours + <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed, + and then execute the script. 
Sample output should be as follows: + +<example id="initGrps"> +<title>Script to Map Windows NT Groups to UNIX Groups</title> +<indexterm><primary>initGrps.sh</primary></indexterm> +<screen> +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap modify ntgroup="Domain Admins" unixgroup=root +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d + +# Map Windows NT machine local groups to local UNIX groups +net groupmap modify ntgroup="Administrators" unixgroup=sys +net groupmap modify ntgroup="Users" unixgroup=public +net groupmap modify ntgroup="Guests" unixgroup=nobody +net groupmap modify ntgroup="System Operators" unixgroup=daemon +net groupmap modify ntgroup="Account Operators" unixgroup=wheel +net groupmap modify ntgroup="Backup Operators" unixgroup=bin +net groupmap modify ntgroup="Print Operators" unixgroup=lp +net groupmap modify ntgroup="Replicators" unixgroup=kmem +net groupmap modify ntgroup="Power Users" unixgroup=ntadmin +</screen> +</example> + +<screen> +&rootprompt; chmod 755 initGrps.sh +&rootprompt; /etc/samba # ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db +Updated mapping entry for Administrators +Updated mapping entry for Users +Updated mapping entry for Guests +Updated mapping entry for System Operators +Updated mapping entry for Account Operators +Updated mapping entry for Backup Operators 
+Updated mapping entry for Print Operators +Updated mapping entry for Replicators +Updated mapping entry for Power Users + +&rootprompt; /etc/samba # net groupmap list | sort +Account Operators (S-1-5-32-548) -> wheel +Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep +Administrators (S-1-5-32-544) -> sys +Backup Operators (S-1-5-32-551) -> bin +Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root +Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody +Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users +Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs +Guests (S-1-5-32-546) -> nobody +Power Users (S-1-5-32-547) -> ntadmin +Print Operators (S-1-5-32-550) -> lp +Replicators (S-1-5-32-552) -> kmem +System Operators (S-1-5-32-549) -> daemon +Users (S-1-5-32-545) -> public +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/passwd</primary></indexterm> + <indexterm><primary>password</primary><secondary>backend</secondary></indexterm> + <indexterm><primary>smbpasswd</primary></indexterm> + For each user who needs to be given a Windows Domain account, make an entry in the + <filename>/etc/passwd</filename> file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system accounts and use the Samba + <command>smbpasswd</command> program to create the Domain user accounts. + </para> + + <para> + <indexterm><primary>useradd</primary></indexterm> + <indexterm><primary>adduser</primary></indexterm> + <indexterm><primary>user</primary><secondary>management</secondary></indexterm> + There are a number of tools for user management under UNIX. Commonly known ones include: + <command>useradd</command>, <command>adduser</command>. In addition to these, there are a plethora of custom + tools. With the tool of your choice, create a home directory for each user. 
+ </para></step> + + <step><para> + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously as necessary. File system access control will be based on UNIX group membership. + </para></step> + + <step><para> + Create the directory mount point for the disk sub-system that is mounted to provide + data storage for company files. In this case the mount point indicated in the &smb.conf; + file is <filename>/data</filename>. Format the file system as required, mount the formatted + file system partition using <command>mount</command>, + and make the appropriate changes in <filename>/etc/fstab</filename>. + </para></step> + + <step><para> + Create the top-level file storage directories are follows: +<screen> +&rootprompt; mkdir -p /data/{accounts,finsvcs} +&rootprompt; chown -R root.root /data +&rootprompt; chown -R alanm.accounts /data/accounts +&rootprompt; chown -R alanm.finsvcs /data/finsvcs +&rootprompt; chmod -R ug+rwx,o+rx-w /data +</screen> + Each department is responsible for creating its own directory structure within its + share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>. + The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>. + </para></step> + + <step><para> + Configure the printers with the IP addresses as shown in <link linkend="acct2net"/>. + Follow the instructions in the manufacturers' manuals to permit printing to port 9100. + This allows the CUPS spooler to print using raw mode protocols. 
+ <indexterm><primary>CUPS</primary></indexterm> + <indexterm><primary>raw printing</primary></indexterm> + </para></step> + + <step><para> + <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm> + <primary>lpadmin</primary> + </indexterm> + Configure the CUPS Print Queues as follows: +<screen> +&rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E +&rootprompt; lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E +&rootprompt; lpadmin -p qms -v socket://192.168.2.10:9100 -E +</screen> + <indexterm><primary>print filter</primary></indexterm> + This creates the necessary print queues with no assigned print filter. + </para></step> + + <step><para> + <indexterm><primary>mime type</primary></indexterm> + <indexterm><primary>/etc/mime.convs</primary></indexterm> + <indexterm><primary>application/octet-stream</primary></indexterm> + Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: +<screen> +application/octet-stream application/vnd.cups-raw 0 - +</screen> + </para></step> + + <step><para> + <indexterm><primary>/etc/mime.types</primary></indexterm> + Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: +<screen> +application/octet-stream +</screen> + </para></step> + + <step><para><indexterm> + <primary>DHCP Server</primary> + </indexterm> + Using your favorite system editor, create an <filename>/etc/dhcpd.conf</filename> with the + contents as shown in <link linkend="dhcp01"/>. 
+<example id="dhcp01"> +<title>Abmas Accounting DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title> +<indexterm><primary>/etc/dhcpd.conf</primary></indexterm> +<screen> +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; + +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; +### NOTE ### +# netbios-node-type=8 means set clients to Hybrid Mode +# so they will use Unicast communication with the WINS +# server and thus reduce the level of UDP broadcast +# traffic by up to 90%. +############ + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host hplj4 { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.10; + } + host hplj6 { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.11; + } + } + +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qms { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.10; + } + } + +subnet 127.0.0.0 netmask 255.0.0.0 { + } +</screen> +</example> + </para></step> + + + <step><para> + Use the standard system tool to start Samba and CUPS and configure them to start + automatically at every system reboot. 
For example: + </para> + + <para> + <indexterm><primary>chkconfig</primary></indexterm> + <indexterm><primary>starting dhcpd</primary></indexterm> + <indexterm><primary>starting samba</primary></indexterm> + <indexterm><primary>starting CUPS</primary></indexterm><indexterm> + <primary>chkconfig</primary> + </indexterm> +<screen> +&rootprompt; chkconfig dhpc on +&rootprompt; chkconfig smb on +&rootprompt; chkconfig cups on +&rootprompt; /etc/rc.d/init.d/dhcp restart +&rootprompt; /etc/rc.d/init.d/smb restart +&rootprompt; /etc/rc.d/init.d/cups restart +</screen> + </para></step> + + <step><para> + <indexterm><primary>Name Service Switch</primary></indexterm> + <indexterm><primary>NSS</primary><see>Name Service Switch</see></indexterm> + <indexterm><primary>DNS</primary></indexterm><indexterm> + <primary>DNS server</primary> + </indexterm> + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> + Configure the Name Service Switch (NSS) to handle WINS based name resolution. + Since this system does not use a DNS server, it is safe to remove this option from + the NSS configuration. 
Edit the <filename>/etc/nsswitch.conf</filename> file so that + the <constant>hosts:</constant> entry looks like this: +<screen> +hosts: files wins +</screen> + </para></step> + + </procedure> + +<smbconfexample id="acct2conf"> +<title>Accounting Office Network &smb.conf; File &smbmdash; [globals] Section</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection>[global]</smbconfsection> +<smbconfoption><name>workgroup</name><value>BILLMORE</value></smbconfoption> +<smbconfoption><name>passwd chat</name><value>*New*Password* \</value></smbconfoption> +<member><parameter>%n\n*Re-enter*new*password* %n\n *Password*changed*</parameter></member> +<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption> +<smbconfoption><name>syslog</name><value>0</value></smbconfoption> +<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption> +<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> +<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption> +<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption> +<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption> +<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption> +<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption> +<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption> +<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd \</value></smbconfoption> +<member><parameter>-s /bin/false -d /dev/null %u</parameter></member> +<smbconfoption><name>logon script</name><value>scripts\login.bat</value></smbconfoption> +<smbconfoption><name>logon path</name><value> </value></smbconfoption> +<smbconfoption><name>logon 
drive</name><value>X:</value></smbconfoption> +<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption> +<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption> +<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption> +<smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> +</smbconfexample> + +<smbconfexample id="acct3conf"> +<title>Accounting Office Network &smb.conf; File &smbmdash; Services and Shares Section</title> +<smbconfsection>[homes]</smbconfsection> +<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption> +<smbconfoption><name>valid users</name><value>%S</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> +<smbconfoption><name>browseable</name><value>No</value></smbconfoption> + +<smbconfsection>[printers]</smbconfsection> +<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption> +<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption> +<smbconfoption><name>printable</name><value>Yes</value></smbconfoption> +<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption> +<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption> +<smbconfoption><name>browseable</name><value>No</value></smbconfoption> + +<smbconfsection>[netlogon]</smbconfsection> +<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/%U</value></smbconfoption> +<smbconfoption><name>valid users</name><value>%S</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> + +<smbconfsection>[accounts]</smbconfsection> +<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption> +<smbconfoption><name>valid users</name><value>%G</value></smbconfoption> 
+<smbconfoption><name>read only</name><value>No</value></smbconfoption> + +<smbconfsection>[finsvcs]</smbconfsection> +<smbconfoption><name>comment</name><value>Financial Service Files</value></smbconfoption> +<smbconfoption><name>path</name><value>/data/finsvcs</value></smbconfoption> +<smbconfoption><name>valid users</name><value>%G</value></smbconfoption> +<smbconfoption><name>read only</name><value>No</value></smbconfoption> +</smbconfexample> + + <sect2> + <title>Validation</title> + + <para> + Does everything function as it ought? That is the key question at this point. + Here are some simple steps to validate your Samba server configuration. + </para> + + <procedure> + + <step><para><indexterm> + <primary>testparm</primary> + </indexterm> + If your &smb.conf; file has bogus options or parameters, this may cause Samba + to refuse to start. The first step should always be to validate the contents + of this file by running: +<screen> +&rootprompt; testparm -s +Load smb config files from smb.conf +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[accounts]" +Processing section "[service]" +Loaded services file OK. +# Global parameters +[global] + workgroup = BILLMORE + passwd chat = *New*Password* \ + %n\n *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + syslog = 0 + name resolve order = wins bcast hosts + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m %u + delete user script = /usr/sbin/userdel -r %u + add group script = /usr/sbin/groupadd %g + delete group script = /usr/sbin/groupdel %g + add user to group script = /usr/sbin/usermod -G %g %u + add machine script = /usr/sbin/useradd + -s /bin/false -d /dev/null %u + logon script = scripts\logon.bat + logon path = + logon drive = X: + domain logons = Yes + preferred master = Yes + wins support = Yes + printing = cups +... 
+### Remainder cut to save space ### +</screen> + The inclusion of an invalid parameter (say one called dogbert) would generate an + error as follows: +<screen> +Unknown parameter encountered: "dogbert" +Ignoring unknown parameter "dogbert" +</screen> + Clear away all errors before proceeding and start or restart samba as necessary. + </para></step> + + <step><para> + <indexterm><primary>check samba + daemons</primary></indexterm><indexterm> + <primary>nmbd</primary> + </indexterm><indexterm> + <primary>smbd</primary> + </indexterm><indexterm> + <primary>winbindd</primary> + </indexterm> + Check that the Samba server is running: +<screen> +&rootprompt; ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? S 0:00 /usr/sbin/winbindd -B +</screen> + The <command>winbindd</command> daemon is running in split mode (normal) so there are also + two instances of it. For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>, Chapter 20, + Section 20.3. The single instance of <command>smbd</command> is normal. + </para></step> + + <step><para> + <indexterm><primary>anonymous connection</primary></indexterm> + Check that an anonymous connection can be made to the Samba server: +<screen> +&rootprompt; smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + netlogon Disk Network Logon Service + accounts Disk Accounting Files + finsvcs Disk Financial Service Files + IPC$ IPC IPC Service (Samba3) + ADMIN$ IPC IPC Service (Samba3) + hplj4 Printer Hewlett-Packard LaserJet 4 + hplj6 Printer Hewlett-Packard LaserJet 6 + qms Printer QMS Magicolor Laser Printer XXXX + + Server Comment + --------- ------- + SLEETH Samba 3.0.2 + + Workgroup Master + --------- ------- + BILLMORE SLEETH +</screen> + This demonstrates that an anonymous listing of shares can be obtained. 
This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The <constant>-U%</constant> argument means, send a "<constant>NULL</constant> username and + a <constant>NULL</constant> password." + </para></step> + + <step><para> + <indexterm><primary>dhcp client validation</primary></indexterm> + <indexterm><primary>printer + validation</primary></indexterm><indexterm> + <primary>/etc/dhcpd.conf</primary> + </indexterm> + Verify that the printers have the IP addresses assigned in the DHCP server configuration file. + The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute <command>arp -a</command> to find the MAC address of the printer + that has responded. Now you can compare the IP address and the MAC address of the printer + with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They + should, of course, match. For example: +<screen> +&rootprompt; ping hplj4 +PING hplj4 (192.168.1.11) 56(84) bytes of data. +64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms + +&rootprompt; arp -a +hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0 +</screen> + The MAC address <constant>08:00:46:7A:35:E4</constant> matches that specified for the + IP address from which the printer has responded and with the entry for it in the + <filename>/etc/dhcpd.conf</filename> file. + </para></step> + + <step><para> + <indexterm><primary>authenticated connection</primary></indexterm> + Make an authenticated connection to the server using the <command>smbclient</command> tool: +<screen> +&rootprompt; smbclient //sleeth/accounts -U alanm +Password: XXXXXXX +smb: \> dir + . D 0 Sun Nov 9 01:28:34 2003 + .. 
D 0 Sat Aug 16 17:24:26 2003 + .mc DH 0 Sat Nov 8 21:57:38 2003 + .qt DH 0 Fri Sep 5 00:48:25 2003 + SMB D 0 Sun Oct 19 23:04:30 2003 + Documents D 0 Sat Nov 1 00:31:51 2003 + xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003 + + 65387 blocks of size 65536. 28590 blocks available +smb: \> q +</screen> + </para></step> + + </procedure> + + </sect2> + + + <procedure> + <title>Windows XP Professional Client Configuration</title> + + <step><para> + Configure clients to the network settings shown in <link linkend="acct2net"/>. + All clients use DHCP for TCP/IP protocol stack configuration. + <indexterm><primary>WINS</primary></indexterm> + <indexterm><primary>DHCP</primary></indexterm> + DHCP configures all Windows clients to use the WINS Server address <constant>192.168.1.1</constant>. + </para></step> + + <step><para> + Join the Windows Domain called <constant>BILLMORE</constant>. Use the Domain Administrator + user name <constant>root</constant> and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in <link linkend="domjoin"/>. + Reboot the machine as prompted and then logon using a Domain User account. + </para></step> + + <step><para> + Verify on each client that the machine called <constant>SLEETH</constant> + is visible in <guimenu>My Network Places</guimenu>, that it is + possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem> + and <guimenuitem>finsvcs</guimenuitem>, + and that it is possible to open that share to reveal its contents. + </para></step> + + <step><para> + Instruct all users to log onto the workstation using their assigned user name and password. 
+ </para></step> + + <step><para> + Install a printer on each using the following steps: + + <procedure> + <step><para> + Click <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Printers</guimenuitem> + <guiicon>Add Printer</guiicon> + <guibutton>Next</guibutton> + </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. + Ensure that <guimenuitem>Local printer</guimenuitem> is selected. + </para></step> + + <step><para> + Click <guibutton>Next</guibutton>. In the panel labeled + <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>. + In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called + <constant>HP LaserJet 4</constant>. Click <guibutton>Next</guibutton>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select + <constant>FILE:</constant>. Accept the default printer name by clicking + <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a + test page?</quote>, click <guimenuitem>No</guimenuitem>. Click + <guibutton>Finish</guibutton>. + </para></step> + + <step><para> + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click <menuchoice> + <guiicon>HP LaserJet 4</guiicon> + <guimenuitem>Properties</guimenuitem> + <guimenusub>Details (Tab)</guimenusub> + <guimenubutton>Add Port</guimenubutton> + </menuchoice>. + </para></step> + + <step><para> + In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of + the print queue on the Samba server as follows: <constant>\\SERVER\hplj4</constant>. + Click <menuchoice> + <guibutton>OK</guibutton> + <guibutton>OK</guibutton> + </menuchoice> to complete the installation. + </para></step> + + <step><para> + Repeat the printer installation steps above for the HP LaserJet 6 printer + as well as for the QMS Magicolor XXXX laser printer. 
+ </para></step> + </procedure> + </para></step> + </procedure> + + <sect2> + <title>Notebook Computers: A Special Case</title> + + <para> + As a network administrator, you already know how to create local machine accounts for Windows 200x/XP + Professional systems. This is the preferred solution to provide continuity of work for notebook users + so that absence from the office network environment does not become a barrier to productivity. + </para> + + <para> + By creating a local machine account that has the same user name and password as you create for that + user in the Windows Domain environment, the user can log onto the machine locally and still + transparently access network resources as if logged onto the domain itself. There are some trade-offs + that mean that as the network is more tightly secured it becomes necessary to modify Windows client + configuration somewhat. + </para> + + </sect2> + + <sect2> + <title>Key Points Learned</title> + + <para> + In this network design and implementation exercise, you have created a Windows NT4 style Domain + Controller using Samba-3.0.2. As a result of following these guidelines meant that you experienced + and implemented several important aspects of Windows networking. In the next chapter of this book, + you build on the experience gained. These are the highlights from this chapter: + </para> + + <itemizedlist> + <listitem><para> + <indexterm><primary>DHCP</primary></indexterm> + You implemented a DHCP Server and Microsoft Windows clients were able to obtain all necessary + network configuration settings from this server. + </para></listitem> + + <listitem><para> + <indexterm><primary>Domain Controller</primary></indexterm> + You created a Windows Domain Controller. You were able to use the network logon service + and successfully joined Windows 200x/XP Professional clients to the Domain. 
+ </para></listitem> + + <listitem><para> + <indexterm><primary>CUPS</primary></indexterm> + You created raw print queues in the CUPS printing system. You maintained a simple + printing system so that all users can share centrally managed printers. You installed + native printer drivers on the Windows clients. + </para></listitem> + + <listitem><para> + You experienced the benefits of centrally managed user accounts on the server. + </para></listitem> + + <listitem><para> + You offered Mobile notebook users a solution that allows them to continue to work + while away from the office and not connected to the corporate network. + </para></listitem> + </itemizedlist> + + </sect2> + +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that + may help. + </para> + + <qandaset defaultlabel="chap03qa" type="number"> + <qandaentry> + <question> + + <para> + What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? + </para> + + </question> + <answer> + + <para> + First and foremost, portability. It means that notebook users can move between + the Abmas office and client offices (so long as they, too, use DHCP) without having to manually + reconfigure their machines. It also means that when they work from their home environments + either using DHCP assigned addressing or when using dial-up networking, settings such as + default routes and DNS server addresses that apply only to the Abmas office environment do + not interfere with remote operations. This is an extremely important feature of DHCP. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Are there any DHCP server configuration parameters in the <filename>/etc/dhcpd.conf</filename> + that should be noted in particular? + </para> + + </question> + <answer> + + <para> + Yes. 
The configuration you created automatically provides each client with the IP address + of your WINS server. It also configures the client to preferentially register NetBIOS names + with the WINS server, and then instructs the client to first query the WINS server when a + NetBIOS machine name needs to be resolved to an IP Address. This means that this configuration + results in far lower UDP broadcast traffic than would be the case if WINS was not used. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Is it possible to create a Windows Domain account that is specifically called <constant>Administrator</constant>? + </para> + + </question> + <answer> + + <para> + You can surely create a Windows Domain Account called <constant>Administrator</constant>. It is also + possible to map that account so that it has the effective UNIX UID of 0. This way it isn't + necessary to use the <parameter>username map</parameter> facility to map this account to the UNIX + account called <constant>root</constant>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why is it necessary to give the Windows Domain <constant>Administrator</constant> a UNIX UID of 0? + </para> + + </question> + <answer> + + <para> + The Windows Domain <constant>Administrator</constant> account is the most privileged account that + exists on the Windows platform. This user can change any setting, add/delete or modify user + accounts, and completely reconfigure the system. The equivalent to this account in the UNIX + environment is the <constant>root</constant> account. If you want to permit the Windows Domain + Administrator to manage accounts, as well as permissions, privileges, and security + settings within the Domain and on the Samba server, equivalent rights must be assigned. This is + achieved with the <constant>root</constant> UID equal to 0. 
+ </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him + <constant>root</constant> access. How can we do this? + </para> + + </question> + <answer> + + <para> + Users who are members of the <constant>Domain Admins</constant> group can add machines to the + Domain. This group is mapped to the UNIX group account called <constant>root</constant> + (or equivalent on <constant>wheel</constant> on some UNIX systems) that has a GID of 0. + This must be the primary GID of the account of the user who is a member of the Windows <constant> + Domain Admins</constant> account. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Why must I map Windows Domain Groups to UNIX groups? + </para> + + </question> + <answer> + + <para> + Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account + has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are: + <guimenu>Domain Guests, Domain Users, Domain Admins</guimenu>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + I deleted my <constant>root</constant> account and now I cannot add it back! What can I do? + </para> + + </question> + <answer> + + <para> + This is a nasty problem. Fortunately, here is a solution. + </para> + + <procedure> + <step><para> + Back up your existing configuration files in case you need to restore them. + </para></step> + + <step><para> + Rename the <filename>group_mapping.tdb</filename> file. + </para></step> + + <step><para> + Use the <command>smbpasswd</command> to add the root account. + </para></step> + + <step><para> + Restore the <filename>group_mapping.tdb</filename> file. 
+ </para></step> + </procedure> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + When I run <command>net groupmap list</command>, it reports a group called <guimenu>Administrators</guimenu> + as well as <guimenu>Domain Admins</guimenu>. What is the difference between them? + </para> + + </question> + <answer> + + <para> + The group called <guimenu>Administrators</guimenu> is representative of the same account that would be + present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain + Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This + may change at some later date. These accounts are provided only so that security objects are correctly shown. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + What is the effect of changing the name of a Samba server, or of changing the Domain name? + </para> + + </question> + <answer> + + <para> + In the event that you elect to change the name of the Samba server, on restarting <command>smbd</command>, + Windows security identifiers are changed. In the case of a Stand-Alone server or a Domain Member server, + the machine SID is changed. This may break Domain Membership. In the case of a change of the Domain name + (Workgroup name), the Domain SID is changed. This affects all Domain Memberships. + </para> + + <para> + If it becomes necessary to change either the Server name or the Domain name, be sure to back up the respective + SID before the change is made. You can back up the SID from use of the <command>net getlocalsid</command> (Samba-3), + or by way of the <command>smbpasswd</command> (Samba-2.2.x). To change the SID, you use the same tool. Be sure + to check the man page for this command for detailed instructions regarding the steps involved. 
+ </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + How can I manage user accounts from my Windows XP Professional workstation? + </para> + + </question> + <answer> + + <para> + Samba-3 implements a Windows NT4 style security domain architecture. This type of Domain cannot + be managed using tools present on a Windows XP Professional installation. You may download from the + Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use + it. This package extracts the tools known as: <command>User Manager for Domains, Server Manager, Event + Viewer</command>. You may use the <guimenu>User Manager for Domains</guimenu> to manage your Samba-3 + Domain user and group accounts. Of course, you do need to be logged on as the <constant>Administrator</constant> + for the Samba-3 Domain. It may help to log on as the <constant>root</constant> account. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> + |
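Review bot: the [netlogon] share in acct3conf cannot serve domain logon scripts as written, and if it were reachable it would let users rewrite them. `valid users = %S` expands to the service name, which for this share is `netlogon` (the idiom only works in [homes], where the service name equals the user name), so no real user can connect and `logon script = scripts\logon.bat` will fail at every workstation logon. `path = /data/%U` combined with `read only = No` then makes the script tree per-user and writable by that user, so whoever can write under /data/<user> controls a batch file that runs on the workstation at logon. Suggest one shared read-only tree, for example
path = /var/lib/samba/netlogon
read only = Yes
with `write list = root` (or a named admin group) only if the scripts must be editable over SMB, and drop the `valid users` line from this share.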
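Review bot: the access rules on [accounts] and [finsvcs], and the Domain Admins answer in the Q&A, both key authorisation to a user's primary group rather than to group membership, which is fragile and over-privileging. `valid users = %G` expands to the primary group name of the connecting user, so someone who belongs to the accounts group only as a supplementary group is evaluated under whatever group happens to be primary; `valid users = @accounts` (and `@finsvcs` on the other share) states the intended rule directly and is what anyone auditing the file expects to read. In the same vein, the answer to "One of my junior staff needs the ability to add machines to the Domain" tells the reader to make GID 0 that account's primary group; that gives the account group-root rights over every file on the server that is group-writable by root, which is not the "without root access" the question asked for. If this Samba release really needs a UID/GID 0 mapping for machine joins, say so explicitly and recommend a dedicated join-only account rather than promoting a general user's primary group.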
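Review bot: several identifiers in the Validation and client-configuration steps do not match the configuration they describe and will trip a reader following the procedure. The second prompt in the daemon check reads `$rootprompt; ps ax | grep winbind` (a dollar sign instead of the `&rootprompt;` entity used everywhere else), so it will render literally. The testparm transcript shows `Processing section "[service]"` while the smb.conf above it defines [finsvcs], so one of the two is stale. The printer port step tells the user to enter `\\SERVER\hplj4`, although the server is called SLEETH throughout the chapter and the smbclient example connects to `//sleeth/accounts`. In the Q&A, "Use the smbpasswd to add the root account" should give the actual invocation, `smbpasswd -a root`, and the SID answer says the SID is changed with "the same tool" as `net getlocalsid`; name `net setlocalsid` there, since getlocalsid only reads the value.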