Diffstat (limited to 'docs/guide/Chap04-SecureOfficeServer.xml')
-rw-r--r--  docs/guide/Chap04-SecureOfficeServer.xml  2757
1 files changed, 2757 insertions, 0 deletions
diff --git a/docs/guide/Chap04-SecureOfficeServer.xml b/docs/guide/Chap04-SecureOfficeServer.xml
new file mode 100644
index 0000000000..80741cc680
--- /dev/null
+++ b/docs/guide/Chap04-SecureOfficeServer.xml
@@ -0,0 +1,2757 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+ <!-- Stuff for xincludes -->
+ <!ENTITY % xinclude SYSTEM "../entities/xinclude.dtd">
+ %xinclude;
+
+ <!-- entities files to use -->
+ <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
+ %global_entities;
+
+]>
+
+<chapter id="secure">
+ <title>Secure Office Networking</title>
+
+ <para>
+ Congratulations, your Samba networking skills are developing nicely. You started out
+ with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a
+ network that provides a high degree of flexibility, integrity, and dependability. It
+ was enough for the basic needs each was designed to fulfill. In this chapter you
+ address a more complex set of needs. The solution you explore is designed
+ to introduce you to basic features that are specific to Samba-3.
+ </para>
+
+ <para>
+ You should note that a working and secure solution could be implemented using Samba-2.2.x.
+ In the exercises presented here, you are gradually using more Samba-3 specific features
+ so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
+ To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
+ chapter under way.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
+ well done. It is one year since the last network upgrade. You have been quite busy.
+ Two months ago Mr. Meany gave approval to hire Christine Roberson who has taken over
+ general network management. Soon she will provide primary user support. You have demonstrated
+ you can delegate responsibility, and plan and execute
+ to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
+ Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
+ expected. You are Mr. Bob Jordan and will take charge of business operations. Mr. Meany
+ is retiring and has entrusted the business to your capable hands.
+ </para>
+
+ <para>
+ Mr. Meany may be retiring from this company, but not from work. He is taking the opportunity to develop
+ Abmas Inc. into a larger and more substantial company. He says that it took him many
+ years to wake up to the fact that there is no future in just running a business. He
+ now realizes there is great personal reward and satisfaction in creation of career
+ opportunities for people in the local community. He wants to do more for others as he is
+ doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan.
+ He has plans for growth that you will deal with in the chapters ahead.
+ </para>
+
+ <para>
+ Over the past year, the growth projections were exceeded. The network has grown to
+ meet the needs of 130 users. Along with growth, the demand for improved services
+ and better functionality has also developed. You are about to make an interim
+ improvement and then hand over all Help desk and network maintenance to Christine.
+ Christine has professional certifications in Microsoft Windows as well as in Linux;
+ she is a hard worker and quite likable. Christine does not want to manage the department
+ (although she manages well). She gains job satisfaction when left to sort things out.
+ Occasionally she wants to work with you on a challenging problem. When you told her
+ about your move, she almost resigned, although she was reassured that a new manager would
+ be hired to run Information Technology and she would be responsible only for operations.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ You promised the staff Internet services including web browsing, electronic mail, virus
+ protection, and a company Web site. Christine is keen to help turn the vision into
+ reality. Let's see how close you can get to the promises made.
+ </para>
+
+ <para>
+ The network you are about to deliver will service 130 users today. Within 12 months,
+ Abmas will aquire another company. Mr. Meany claims that within two years there will be
+ well over 500 users on the network. You have bought into the big picture, so prepare
+ for growth.
+ </para>
+
+ <para>
+ You have purchased a new server, will implement a new network infrastructure, and
+ reward all staff with a new computer. Notebook computers will not be replaced at this time.
+ </para>
+
+ <para>
+ You have decided to not recycle old network components. The only items that will be
+ carried forward are notebook computers. You offered staff new notebooks, but not
+ one person wanted the disruption for what was perceived as a marginal update.
+ You have made the decision to give everyone a new desktop computer, even to those
+ who have a notebook computer.
+ </para>
+
+ <para>
+ You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional)
+ and a 10 MBit/sec ethernet port. You have registered the domain
+ <constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying
+ secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>.
+ </para>
+
+ <para>
+ It is of paramount priority that under no circumstances will Samba offer
+ service access from an Internet connection. You are paying an ISP to
+ give, as part of their value-added services, full firewall protection for your
+ connection to the outside world. The only services allowed in from
+ the Internet side are the following destination ports: <constant>http/https (ports
+ 80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic
+ will be allowed out after network address translation (NAT). No internal IP addresses
+ are permitted through the NAT filter as complete privacy of internal network
+ operations must be assured.
+ </para>
+
+ <table id="chap4netid">
+ <title>Abmas.US ISP Information</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="center"/>
+ <thead>
+ <row>
+ <entry>Parameter</entry>
+ <entry>Value</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Server IP Address</entry>
+ <entry>123.45.67.66</entry>
+ </row>
+ <row>
+ <entry>DSL Device IP Address</entry>
+ <entry>123.45.67.65</entry>
+ </row>
+ <row>
+ <entry>Network Address</entry>
+ <entry>123.45.67.64/30</entry>
+ </row>
+ <row>
+ <entry>Gateway Address</entry>
+ <entry>123.45.54.65</entry>
+ </row>
+ <row>
+ <entry>Primary DNS Server</entry>
+ <entry>123.45.54.65</entry>
+ </row>
+ <row>
+ <entry>Secondary DNS Server</entry>
+ <entry>123.45.54.32</entry>
+ </row>
+ <row>
+ <entry>Forwarding DNS Server</entry>
+ <entry>123.45.12.23</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+<figure id="ch04net">
+ <title>Abmas Network Topology &smbmdash; 130 Users</title>
+ <mediaobject>
+ <imageobject role="latex">
+ <imagedata fileref="guide/images/chap4-net.png" scale="90" scalefit="1"/>
+ </imageobject>
+ <imageobject>
+ <imagedata fileref="guide/images/chap4-net.png" scale="90" scalefit="1"/>
+ </imageobject>
+ </mediaobject>
+</figure>
+
+ <para>
+ Christine has recommended that desktop systems should be installed from a single cloned
+ master system that has a minimum of locally installed software and loads all software
+ off a central application server. The benefit of having the central application server
+ is that it allows single point maintenance of all business applications, something
+ Christine is keen to pursue. She further recommended installation of anti-virus
+ software on workstations as well as on the Samba server. Christine is paranoid of
+ potential virus infection and insists on a comprehensive approach to detective
+ as well as corrective action to protect network operations.
+ </para>
+
+ <para>
+ A significant concern is the problem of managing company growth. Recently, a number
+ of users had to share a PC while waiting for new machines to arrive. This presented
+ some problems with desktop computers and software installation into the new users'
+ desktop profile.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ Many of the conclusions you draw here are obvious. Some requirements are not very clear
+ or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
+ than you will demonstrate here, but keep in mind that the network must scale to at least 500
+ users. This means that some functionality will be over-designed for the current 130 user
+ environment.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ In this exercise we are using a 24-bit subnet mask for the two local networks. This,
+ of course, limits our network to a maximum of 253 usable IP addresses. The network
+ address range chosen is one of the ranges assigned by RFC1918 for private networks.
+ When the number of users on the network begins to approach the limit of usable
+ addresses, it would be a good idea to switch to a network address specified in RFC1918
+ in the 172.16.0.0/16 range. This is done in the following chapters.
+ </para>
+
+ <para>
+ <indexterm><primary>tdbsam</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ The high growth rates projected are a good reason to use the <constant>tdbsam</constant>
+ passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in
+ performance problems. The <constant>tdbsam</constant> passdb backend offers features that
+ are not available with the older flat ASCII-based <constant>smbpasswd</constant> database.
+ </para>
+
+ <para>
+ <indexterm><primary>risk</primary></indexterm>
+ The proposed network design uses a single server to act as an Internet services host for
+ electronic mail, Web serving, remote administrative access vis SSH, as well as for
+ Samba-based file and print services. This design is often chosen by sites that feel
+ they cannot afford or justify the cost or overhead of having separate servers. It must
+ be realized that if security of this type of server should ever be violated (compromised),
+ the whole network and all data is at risk. Many sites continue to choose this type
+ of solution; therefore, this chapter provides detailed coverage of key implementation
+ aspects.
+ </para>
+
+ <para>
+ Samba will be configured to specifically not operate on the ethernet interface that is
+ directly connected to the Internet.
+ </para>
+
+ <para>
+ <indexterm><primary>iptables</primary></indexterm>
+ <indexterm><primary>NAT</primary></indexterm>
+ <indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm>
+ <indexterm>
+ <primary>firewall</primary>
+ </indexterm>
+ You know that your ISP is providing full firewall services, but you cannot rely on that.
+ Always assume that human error will occur, so be prepared by using Linux firewall facilities
+ based on <command>iptables</command> to effect Network Address Translation (NAT). Block all
+ incoming traffic except to permitted well-known ports. You must also allow incoming packets
+ to established outgoing connections. You will permit all internal outgoing requests.
+ </para>
+
+ <para>
+ The configuration of Web serving, Web proxy services, electronic mail, and the details of
+ generic anti-virus handling are beyond the scope of this book and therefore are not
+ covered, except insofar as this affects Samba-3.
+ </para>
+
+ <para><indexterm>
+ <primary>login</primary>
+ </indexterm>
+ Notebook computers are configured to use a network login when in the office and a
+ local account to login while away from the office. Users store all work done in
+ transit (away from the office) by using a local share for work files. Standard procedures
+ will dictate that on completion of the work that necessitates mobile file access, all
+ work files are moved back to secure storage on the office server. Staff is instructed
+ to not carry on any company notebook computer any files that are not absolutely required.
+ This is a preventative measure to protect client information as well as business private
+ records.
+ </para>
+
+ <para><indexterm>
+ <primary>application server</primary>
+ </indexterm>
+ All applications are served from the central server from a share called <constant>apps</constant>.
+ Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
+ (or administrative) installation. Accounting and financial management software can also
+ be run only from the central application server. Notebook users are provided with
+ locally installed applications on a need-to-have basis only.
+ </para>
+
+ <para>
+ <indexterm><primary>roaming profiles</primary></indexterm>
+ The introduction of roaming profiles support means that users can move between
+ desktop computer systems without constraint while retaining full access to their data.
+ The desktop travels with them as they move.
+ </para>
+
+ <para>
+ <indexterm><primary>DNS</primary></indexterm>
+ The DNS server implementation must now address both internal needs as well as external
+ needs. You forward DNS lookups to your ISP provided server as well as the
+ <constant>abmas.us</constant> external secondary DNS server.
+ </para>
+
+ <para>
+ <indexterm><primary>dynamic DNS</primary></indexterm>
+ <indexterm><primary>DDNS</primary><see>dynamic
+ DNS</see></indexterm><indexterm>
+ <primary>DHCP server</primary>
+ </indexterm>
+ Compared with the DHCP server configuration in <link linkend="dhcp01"/>, the configuration used
+ in this example has to deal with the presence of an Internet connection. The scope set for it
+ ensures that no DHCP services will be offered on the external connection. All printers are
+ configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP
+ address by way of the ethernet interface (MAC) address. One additional feature of this DHCP
+ server configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation.
+ </para>
+
+ <para>
+ This is the first implementation that depends on a correctly functioning DNS server.
+ Comprehensive steps are included to provide for a fully functioning DNS server that also
+ is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered
+ with the DNS server.
+ </para>
+
+ <para>
+ You are taking the opportunity to manually set the netbios name of the Samba server to
+ a name other than what will be automatically resolved. You are doing this to ensure that
+ the machine has the same NetBIOS name on both network segments.
+ </para>
+
+ <para>
+ As in the previous network configuration, printing in this network configuration uses
+ direct raw printing (i.e., no smart printing and no print driver auto-download to Windows
+ clients). Printer drivers are installed on the Windows client manually. This is not
+ a problem given that Christine is to install and configure one single workstation and
+ then clone that configuration, using Norton Ghost, to all workstations. Each machine is
+ identical, so this should pose no problem.
+ </para>
+
+ <sect3>
+ <title>Hardware Requirements</title>
+
+ <para><indexterm>
+ <primary>memory requirements</primary>
+ </indexterm>
+ This server runs a considerable number of services. From similarly configured Linux
+ installations the approximate calculated memory requirements will be as that shown in
+ <link linkend="ch4memoryest"/>.
+
+<example id="ch4memoryest">
+<title>Estimation of Memory Requirements</title>
+<screen>
+Application Memory per User 130 Users 500 Users
+ Name (MBytes) Total MBytes Total MBytes
+----------- --------------- ------------ ------------
+DHCP 2.5 3 3
+DNS 16.0 16 16
+Samba (nmbd) 16.0 16 16
+Samba (winbind) 16.0 16 16
+Samba (smbd) 4.0 520 2000
+Apache 10.0 (20 User) 200 200
+CUPS 3.5 16 32
+Basic OS 256.0 256 256
+ -------------- --------------
+ Total: 1043 MBytes 2539 MBytes
+ -------------- --------------
+</screen>
+</example>
+ You would choose to add a safety margin of at least 50% to these estimates. The minimum
+ system memory recommended for initial startup would be 1 GByte, but to permit the system
+ to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory.
+ An initial configuration with only 1 GByte memory would lead to early performance complaints
+ as the system load builds up. Given the low cost of memory, it would not make sense to
+ compromise in this area.
+ </para>
+
+ <para><indexterm>
+ <primary>bandwidth calculations</primary>
+ </indexterm>
+ Aggregate Input/Output loads should be considered for sizing network configuration as
+ well as disk subsystems. For network bandwidth calculations, one would typically use an
+ estimate of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec)
+ would deliver below acceptable capacity for the initial user load. It is, therefore, a good
+ idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached
+ to a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T
+ switched ports.
+ </para>
+
+ <para><indexterm>
+ <primary>network segments</primary>
+ </indexterm><indexterm>
+ <primary>RAID</primary>
+ </indexterm>
+ Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments,
+ the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O
+ demand that would require a fast disk storage I/O capability. Peak disk throughput is
+ limited by the disk sub-system chosen. It would be desirable to provide the maximum
+ I/O bandwidth that can be afforded. If a low-cost solution must be chosen, the use of
+ 3Ware IDE RAID Controllers makes a good choice. These controllers can be fitted into a
+ 64 bit, 66 MHz PCI-X slot. They appear to the operating system as a high speed SCSI
+ controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec).
+ Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
+ it would make sense to purchase well-known branded hardware that has appropriate performance
+ specifications. As a minimum, one should attempt to provide a disk sub-system that can
+ deliver I/O rates of at least 100 MBytes/sec.
+ </para>
+
+ <para>
+ Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>.
+
+<example id="ch4diskest">
+<title>Estimation of Disk Storage Requirements</title>
+<screen>
+Corporate Data: 100 MBytes/user per year
+Email Storage: 500 MBytes/user per year
+Applications: 5000 MBytes
+Safety Buffer: At least 50%
+
+Given 500 Users and 2 years:
+-----------------------------
+ Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
+ Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
+ Applications: 5000 MBytes = 5 GBytes
+ ----------------------------
+ Total: 605 GBytes
+ Add 50% buffer 303 GBytes
+ Recommended Storage: 908 GBytes
+</screen>
+</example>
+ <indexterm>
+ <primary>storage capacity</primary>
+ </indexterm>
+ The preferred storage capacity should be approximately 1 TeraByte. Use of RAID level 5
+ with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+
+ <sect2>
+ <title>Political Issues</title>
+
+ <para>
+ Your industry is coming under increasing accountability pressures. Increased paranoia
+ is necessary so you can demonstrate that you have acted with due diligence. You must
+ not trust your Internet connection.
+ </para>
+
+ <para>
+ Apart from permitting more efficient management of business applications through use of
+ an application server, your primary reason for the decision to implement this is that it
+ gives you greater control over software licensing.
+ </para>
+
+ <para><indexterm>
+ <primary>Outlook Express</primary>
+ </indexterm>
+ You are well aware that the current configuration results in some performance issues
+ as the size of the desktop profile grows. Given that users use Microsoft Outlook
+ Express, you know that the storage implications of the <constant>.PST</constant> file
+ is something that needs to be addressed later on.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para>
+ <link linkend="ch04net"/> demonstrates the overall design of the network that you will implement.
+ </para>
+
+ <para>
+ The information presented here assumes that you are already familiar with many basic steps.
+ As this stands, the details provided already extend well beyond just the necessities of
+ Samba configuration. This decision is deliberate to ensure that key determinants
+ of a successful installation are not overlooked. This is the last case that documents
+ the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
+ here, there are many other good reference books on these subjects.
+ </para>
+
+ <para>
+ The &smb.conf; file has the following noteworthy features:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>.
+ </para></listitem>
+
+ <listitem><para>
+ The Domain name is set to <constant>PROMISES</constant>.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>broadcast messages</primary>
+ </indexterm><indexterm>
+ <primary>interfaces</primary>
+ </indexterm><indexterm>
+ <primary>bind interfaces only</primary>
+ </indexterm>
+ Ethernet interface <constant>eth0</constant> is attached to the Internet connection
+ and is externally exposed. This interface is explicitly not available for Samba to use.
+ Samba listens on this interface for broadcast messages, but does not broadcast any
+ information on <constant>eth0</constant>, nor does it accept any connections from it.
+ This is achieved by way of the <parameter>interfaces</parameter> parameter and the
+ <parameter>bind interfaces only</parameter> entry.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>passdb backend</primary>
+ </indexterm><indexterm>
+ <primary>tdbsam</primary>
+ </indexterm><indexterm>
+ <primary>binary database</primary>
+ </indexterm>
+ The <parameter>passdb backend</parameter> parameter specifies the creation and use
+ of the <constant>tdbsam</constant> password backend. This is a binary database that
+ has excellent scalability for a large number of user account entries.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>WINS serving</primary>
+ </indexterm><indexterm>
+ <primary>wins support</primary>
+ </indexterm><indexterm>
+ <primary>name resolve order</primary>
+ </indexterm>
+ WINS serving is enabled by the <smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>,
+ and name resolution is set to use it by means of the <smbconfoption><name>name resolve order</name>
+ <value>wins bcast hosts</value></smbconfoption> entry.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>time server</primary>
+ </indexterm>
+ The Samba server is configured for use by Windows clients as a time server.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>CUPS</primary>
+ </indexterm><indexterm>
+ <primary>printing</primary>
+ </indexterm><indexterm>
+ <primary>printcap name</primary>
+ </indexterm>
+ Samba is configured to directly interface with CUPS via the direct internal interface
+ that is provided by CUPS libraries. This is achieved with the
+ <smbconfoption><name>printing</name><value>CUPS</value></smbconfoption> as well as the
+ <smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption> entries.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>user management</primary>
+ </indexterm><indexterm>
+ <primary>group management</primary>
+ </indexterm><indexterm>
+ <primary>SRVTOOLS.EXE</primary>
+ </indexterm>
+ External interface scripts are provided to enable Samba to interface smoothly to
+ essential operating system functions for user and group management. This is important
+ to enable workstations to join the Domain, and is also important so that you can use
+ the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools
+ are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be
+ downloaded from the Microsoft FTP <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site.</ulink>
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>User Mode</primary>
+ </indexterm>
+ The &smb.conf; file specifies that the Samba server will operate in (default) <parameter>
+ security = user</parameter> mode<footnote>See <emphasis>TOSHARG</emphasis>, Chapter 3. This is necessary
+ so that Samba can act as a Domain Controller (PDC); see <emphasis>TOSHARG</emphasis>, Chapter 4 for
+ additional information.</footnote> (User Mode).
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>logon services</primary>
+ </indexterm><indexterm>
+ <primary>logon script</primary>
+ </indexterm>
+ Domain logon services as well as a Domain logon script are specified. The logon script
+ will be used to add robustness to the overall network configuration.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>roaming profiles</primary>
+ </indexterm><indexterm>
+ <primary>logon path</primary>
+ </indexterm><indexterm>
+ <primary>profile share</primary>
+ </indexterm>
+ Roaming profiles are enabled through the specification of the parameter, <smbconfoption><name>logon path</name>
+ <value>\\%L\profiles\%U</value></smbconfoption>. The value of this parameter translates the
+ <constant>%L</constant> to the name by which the Samba server is called by the client (for this
+ configuration, it translates to the name <constant>DIAMOND</constant>), and the <constant>%U</constant>
+ will translate to the name of the user within the context of the connection made to the profile share.
+ It is the administrator's responsibility to ensure there is a directory in the root of the
+ profile share for each user. This directory must be owned by the user also. An exception to this
+ requirement is when a profile is created for group use.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>virus</primary>
+ </indexterm><indexterm>
+ <primary>opportunistic locking</primary>
+ </indexterm>
+ Precautionary veto is effected for particular Windows file names that have been targeted by
+ virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
+ controls. This should help to prevent lock contention related file access problems.
+ </para></listitem>
+
+ <listitem><para><indexterm>
+ <primary>IPC$</primary>
+ </indexterm>
+ Explicit controls are effected to restrict access to the <constant>IPC$</constant> share to
+ local networks only. The <constant>IPC$</constant> share plays an important role in network
+ browsing and in establishment of network connections.
+ </para></listitem>
+
+ <listitem><para>
+ Every user has a private home directory on the UNIX/Linux host. This is mapped to
+ a network drive that is the same for all users.
+ </para></listitem>
+
+ </itemizedlist>
+
+ <para>
+ The configuration of the server is the most complex so far. The following steps are used:
+ </para>
+
+ <orderedlist numeration="arabic">
+ <listitem><para>
+ Basic System Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Samba Configuration
+ </para></listitem>
+
+ <listitem><para>
+ DHCP and DNS Server Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Printer Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Process Start-up Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Validation
+ </para></listitem>
+
+ <listitem><para>
+ Application Share Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Windows Client Configuration
+ </para></listitem>
+ </orderedlist>
+
+ <para>
+ The following sections cover each step in logical and defined detail.
+ </para>
+
+ <sect2 id="ch4bsc">
+ <title>Basic System Configuration</title>
+
+ <para><indexterm>
+ <primary>SUSE Enterprise Linux Server</primary>
+ </indexterm>
+ The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
+ freshly installed. It prepares basic files so that the system is ready for comprehensive
+ operation in line with the network diagram shown in <link linkend="ch04net"/>.
+ </para>
+
+ <procedure>
+ <step><para><indexterm>
+ <primary>hostname</primary>
+ </indexterm>
+ Using the UNIX/Linux system tools, name the server <constant>server.abmas.us</constant>.
+ Verify that your hostname is correctly set by running:
+<screen>
+&rootprompt; uname -n
+server
+</screen>
+ An alternate method to verify the hostname is:
+<screen>
+&rootprompt; hostname -f
+server.abmas.us
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/hosts</primary></indexterm><indexterm>
+ <primary>localhost</primary>
+ </indexterm>
+ Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system can resolve all its own names to the IP address prior to
+ startup of the DNS server. An example of entries that should be in the
+ <filename>/etc/hosts</filename> file is:
+<screen>
+127.0.0.1 localhost
+192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
+192.168.2.1 sleeth2.abmas.biz sleeth2
+123.45.67.66 server.abmas.us server
+</screen>
+ You should check the startup order of your system. If the CUPS print server is started before
+ the DNS server (<command>named</command>), you should also include an entry for the printers
+ in the <filename>/etc/hosts</filename> file, as follows:
+<screen>
+192.168.1.20 qmsa.abmas.biz qmsa
+192.168.1.30 hplj6a.abmas.biz hplj6a
+192.168.2.20 qmsf.abmas.biz qmsf
+192.168.2.30 hplj6f.abmas.biz hplj6f
+</screen>
+ <indexterm>
+ <primary>named</primary>
+ </indexterm><indexterm>
+ <primary>cupsd</primary>
+ </indexterm><indexterm>
+ <primary>daemon</primary>
+ </indexterm>
+ The printer entries are not necessary if <command>named</command> is started prior to
+ startup of <command>cupsd</command>, the CUPS daemon.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
+ <indexterm><primary>IP forwarding</primary></indexterm><indexterm>
+ <primary>/proc/sys/net/ipv4/ip_forward</primary>
+ </indexterm>
+ The host server is acting as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding must be enabled. This can be
+ achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
+<screen>
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</screen>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may
+ wish to execute that command manually also. This setting permits the Linux system to
+ act as a router.<footnote>ED NOTE: You may want to do the echo command last and include
+ "0" in the init scripts since it opens up your network for a short time.</footnote>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>firewall</primary>
+ </indexterm><indexterm>
+ <primary>abmas-netfw.sh</primary>
+ </indexterm>
+ Installation of a basic firewall and network address translation facility is necessary.
+ The following script can be installed in the <filename>/usr/local/sbin</filename>
+ directory. It is executed from the <filename>/etc/rc.d/boot.local</filename> startup
+ script. In your case, this script is called <filename>abmas-netfw.sh</filename>. The
+ script contents are shown in <link linkend="ch4natfw"/>.
+
+<example id="ch4natfw">
+<title>NAT Firewall Configuration Script</title>
+<screen>
+#!/bin/sh
+echo -e "\n\nLoading NAT firewall.\n"
+IPTABLES=/usr/sbin/iptables
+EXTIF="eth0"
+INTIFA="eth1"
+INTIFB="eth2"
+
+/sbin/depmod -a
+/sbin/insmod ip_tables
+/sbin/insmod ip_conntrack
+/sbin/insmod ip_conntrack_ftp
+/sbin/insmod iptable_nat
+/sbin/insmod ip_nat_ftp
+$IPTABLES -P INPUT DROP
+$IPTABLES -F INPUT
+$IPTABLES -P OUTPUT ACCEPT
+$IPTABLES -F OUTPUT
+$IPTABLES -P FORWARD DROP
+$IPTABLES -F FORWARD
+$IPTABLES -t nat -F
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
+$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
+for i in 22 25 53 80 443
+do
+ $IPTABLES -A INPUT -i $EXTIF -p tcp -dport $i -j ACCEPT
+done
+# Allow DNS(udp)
+$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
+echo "Allow all connections OUT and only existing and specified ones IN"
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -j LOG
+echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
+$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+echo "1" > /proc/sys/net/ipv4/ip_forward
+echo -e "\nNAT firewall done.\n"
+</screen>
+</example>
+ </para></step>
+
+ <step><para>
+ Execute the following to make the script executable:
+<screen>
+&rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh
+</screen>
+ You must now edit <filename>/etc/rc.d/boot.local</filename> to add an entry
+ that runs your <command>abmas-natfw.sh</command> script. The following
+ entry works for you:
+<screen>
+#! /bin/sh
+#
+# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Werner Fink, 1996
+# Burchard Steinbild, 1996
+#
+# /etc/init.d/boot.local
+#
+# script with local commands to be executed from init on system startup
+#
+# Here you should add things that should happen directly after booting
+# before we're going to the first run level.
+#
+/usr/local/sbin/abmas-natfw.sh
+</screen>
+ </para></step>
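Review bot: the FORWARD rule `$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \` uses `$INTIF`, which this script never sets (it defines `EXTIF`, `INTIFA` and `INTIFB`), so the rule expands to `-o -m state ...` and iptables rejects it; return traffic to both LAN segments therefore has no ESTABLISHED,RELATED rule and the FORWARD policy of DROP blocks it. Split it into one rule per internal interface (`-o $INTIFA` and `-o $INTIFB`). In the same script, `$IPTABLES -A INPUT -i $EXTIF -p tcp -dport $i -j ACCEPT` and the UDP 53 rule spell the match option with one dash; iptables parses `-dport` as `-d port` (a destination host named "port") and fails, so it must be `--dport`. Two smaller points: the text introduces the script as `abmas-netfw.sh`, but the chmod line and the `/etc/rc.d/boot.local` entry call it `abmas-natfw.sh`, so one of the two names needs to change or the boot entry will not find the file; and the `FORWARD -j LOG` rule has no `-m limit`, so a scan from the outside can fill the kernel log. Finally, the footnote beginning "ED NOTE:" in the IP forwarding step looks like an editor's remark left in the shipped text; its concern is already met, since the script writes `1` to `/proc/sys/net/ipv4/ip_forward` only as its last line after all rules are loaded, so the separate `echo 1 > /proc/sys/net/ipv4/ip_forward` step should be dropped or documented as running after the firewall script.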
+ </procedure>
+
+ <para><indexterm>
+ <primary>/etc/hosts</primary>
+ </indexterm>
+ The server is now ready for Samba configuration. During the validation step, you remove
+ the entry for the Samba server <constant>diamond</constant> from the <filename>/etc/hosts</filename>
+ file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Samba Configuration</title>
+
+ <para>
+ When you have completed this section, the Samba server is ready for testing and validation;
+ however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have
+ been configured.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
+ RPM file is called <filename>samba-3.0.2-1.i386.rpm</filename>, one way to install this
+ file is as follows:
+<screen>
+&rootprompt; rpm -Uvh samba-3.0.2-1.i386.rpm
+</screen>
+ This operation must be performed while logged in as the <command>root</command> user.
+ Successful operation is clearly indicated. If this installation should fail for any reason,
+ refer to the operating system manufacturer's documentation for guidance.
+ </para></step>
+
+ <step><para>
+ Install the &smb.conf; file shown in <link linkend="promisnet"/>, <link linkend="promisnetsvca"/>,
+ and <link linkend="promisnetsvcb"/>. Concatenate (join) all three files to make a single &smb.conf;
+ file. The final, fully qualified path for this file should be <filename>/etc/samba/smb.conf</filename>.
+
+<smbconfexample id="promisnet">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection>[global]</smbconfsection>
+<smbconfoption><name>workgroup</name><value>PROMISES</value></smbconfoption>
+<smbconfoption><name>netbios name</name><value>DIAMOND</value></smbconfoption>
+<smbconfoption><name>interfaces</name><value>eth1, eth2, lo</value></smbconfoption>
+<smbconfoption><name>bind interfaces only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>passdb backend</name><value>tdbsam</value></smbconfoption>
+<smbconfoption><name>pam password change</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>passwd chat</name><value>*New*Password* %n\n *Re-enter*new*password*</value></smbconfoption>
+<member><parameter> %n\n *Password*changed*</parameter></member>
+<smbconfoption><name>username map</name><value>/etc/samba/smbusers</value></smbconfoption>
+<smbconfoption><name>unix password sync</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>log level</name><value>1</value></smbconfoption>
+<smbconfoption><name>syslog</name><value>0</value></smbconfoption>
+<smbconfoption><name>log file</name><value>/var/log/samba/%m</value></smbconfoption>
+<smbconfoption><name>max log size</name><value>50</value></smbconfoption>
+<smbconfoption><name>smb ports</name><value>139 445</value></smbconfoption>
+<smbconfoption><name>name resolve order</name><value>wins bcast hosts</value></smbconfoption>
+<smbconfoption><name>time server</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printcap name</name><value>CUPS</value></smbconfoption>
+<smbconfoption><name>show add printer wizard</name><value>No</value></smbconfoption>
+<smbconfoption><name>add user script</name><value>/usr/sbin/useradd -m %u</value></smbconfoption>
+<smbconfoption><name>delete user script</name><value>/usr/sbin/userdel -r %u</value></smbconfoption>
+<smbconfoption><name>add group script</name><value>/usr/sbin/groupadd %g</value></smbconfoption>
+<smbconfoption><name>delete group script</name><value>/usr/sbin/groupdel %g</value></smbconfoption>
+<smbconfoption><name>add user to group script</name><value>/usr/sbin/usermod -G %g %u</value></smbconfoption>
+<smbconfoption><name>add machine script</name><value>/usr/sbin/useradd</value></smbconfoption>
+<member><parameter>-s /bin/false -d /dev/null %u</parameter></member>
+<smbconfoption><name>shutdown script</name><value>/var/lib/samba/scripts/shutdown.sh</value></smbconfoption>
+<smbconfoption><name>abort shutdown script</name><value>/sbin/shutdown -c</value></smbconfoption>
+<smbconfoption><name>logon script</name><value>scripts\logon.bat</value></smbconfoption>
+<smbconfoption><name>logon path</name><value>\\%L\profiles\%U</value></smbconfoption>
+<smbconfoption><name>logon drive</name><value>X:</value></smbconfoption>
+<smbconfoption><name>logon home</name><value>\\%L\%U</value></smbconfoption>
+<smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>preferred master</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>wins support</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>utmp</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printing</name><value>cups</value></smbconfoption>
+<smbconfoption><name>veto files</name><value>/*.eml/*.nws/*.{*}/</value></smbconfoption>
+<smbconfoption><name>veto oplock files</name><value>/*.doc/*.xls/*.mdb/</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="promisnetsvca">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A</title>
+<smbconfsection>[IPC$]</smbconfsection>
+<smbconfoption><name>path</name><value>/tmp</value></smbconfoption>
+<smbconfoption><name>hosts allow</name><value>192.168.1.0/24, 192.168.2.0/24, 127.0.0.1</value></smbconfoption>
+<smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
+
+<smbconfsection>[homes]</smbconfsection>
+<smbconfoption><name>comment</name><value>Home Directories</value></smbconfoption>
+<smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[printers]</smbconfsection>
+<smbconfoption><name>comment</name><value>SMB Print Spool</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/spool/samba</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>printable</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>use client driver</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>default devmode</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>browseable</name><value>No</value></smbconfoption>
+
+<smbconfsection>[netlogon]</smbconfsection>
+<smbconfoption><name>comment</name><value>Network Logon Service</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/netlogon</value></smbconfoption>
+<smbconfoption><name>guest ok</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>locking</name><value>No</value></smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="promisnetsvcb">
+<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B</title>
+<smbconfsection>[profiles]</smbconfsection>
+<smbconfoption><name>comment</name><value>Profile Share</value></smbconfoption>
+<smbconfoption><name>path</name><value>/var/lib/samba/profiles</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+<smbconfoption><name>profile acls</name><value>Yes</value></smbconfoption>
+
+<smbconfsection>[accounts]</smbconfsection>
+<smbconfoption><name>comment</name><value>Accounting Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/accounts</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[service]</smbconfsection>
+<smbconfoption><name>comment</name><value>Financial Services Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/data/service</value></smbconfoption>
+<smbconfoption><name>read only</name><value>No</value></smbconfoption>
+
+<smbconfsection>[apps]</smbconfsection>
+<smbconfoption><name>comment</name><value>Application Files</value></smbconfoption>
+<smbconfoption><name>path</name><value>/apps</value></smbconfoption>
+<smbconfoption><name>read only</name><value>Yes</value></smbconfoption>
+<smbconfoption><name>admin users</name><value>bjordan</value></smbconfoption>
+</smbconfexample>
+ </para></step>
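Review bot: `admin users = bjordan` in the `[apps]` share gives that account root privilege for every file operation on the share, and the text does not say so; since the same share sets `read only = Yes` and `/apps` is later owned by `root.root`, the step should state that bjordan is the intended maintainer of the application tree and that this setting is what lets that account write there, so nobody adds further names to the list casually. Also, `hosts allow` and `hosts deny` appear only under `[IPC$]`; the other shares are protected solely by `interfaces` and `bind interfaces only`, which is acceptable for a server with no SMB on `eth0`, but moving the two `hosts` lines into `[global]` would make the restriction explicit for all shares and survive a later change to `interfaces`. The `[service]` share uses `path = /data/service`, which does not match the directory created later in the procedure (`/data/finsvcs`); see the note on that step.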
+
+ <step><para>
+ <indexterm><primary>administrator</primary></indexterm><indexterm>
+ <primary>smbpasswd</primary>
+ </indexterm>
+ Add the <constant>root</constant> user to the password backend as follows:
+<screen>
+&rootprompt; smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+&rootprompt;
+</screen>
+ The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>username map</primary></indexterm>
+ Create the username map file to permit the <constant>root</constant> account to be called
+ <constant>Administrator</constant> from the Windows network environment. To do this, create
+ the file <filename>/etc/samba/smbusers</filename> with the following contents:
+<screen>
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>initGrps.sh</primary></indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>add</tertiary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>modify</tertiary>
+ </indexterm><indexterm>
+ <primary>net</primary>
+ <secondary>groupmap</secondary>
+ <tertiary>list</tertiary>
+ </indexterm>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
+ <link linkend="initGrps"/>. Create a file containing this script. We called ours
+ <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+<example id="ch4initGrps">
+<title>Script to Map Windows NT Groups to UNIX Groups</title>
+<indexterm><primary>initGrps.sh</primary></indexterm>
+<screen>
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+
+# Map Windows NT machine local groups to local UNIX groups
+# Mapping of local groups is not necessary and not functional
+# for this installation.
+</screen>
+</example>
+
+<screen>
+&rootprompt; chmod 755 initGrps.sh
+&rootprompt; /etc/samba # ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+&rootprompt; /etc/samba # net groupmap list | sort
+Account Operators (S-1-5-32-548) -> -1
+Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
+Administrators (S-1-5-32-544) -> -1
+Backup Operators (S-1-5-32-551) -> -1
+Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
+Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
+Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
+Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
+Guests (S-1-5-32-546) -> -1
+Power Users (S-1-5-32-547) -> -1
+Print Operators (S-1-5-32-550) -> -1
+Replicators (S-1-5-32-552) -> -1
+System Operators (S-1-5-32-549) -> -1
+Users (S-1-5-32-545) -> -1
+</screen>
+ </para></step>
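Review bot: the cross-reference `<link linkend="initGrps"/>` in this step does not resolve, because the example is declared as `<example id="ch4initGrps">`; change one or the other. In the sample output, `Successfully added group Domain Guests to the mapping db` follows the `net groupmap add ntgroup="Financial Services"` command, so the expected line is "Successfully added group Financial Services to the mapping db" (the `net groupmap list` output that follows does show Financial Services mapped to finsrvcs, which is what the script actually produces). Note also that the script creates the UNIX groups `acctsdep` and `finsrvcs`, names that the later `chown` commands do not use.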
+
+ <step><para>
+ <indexterm><primary>useradd</primary></indexterm>
+ <indexterm><primary>adduser</primary></indexterm>
+ <indexterm><primary>passwd</primary></indexterm>
+ <indexterm><primary>smbpasswd</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
+ <indexterm><primary>user</primary><secondary>management</secondary></indexterm>
+ There is one preparatory step without which you will not have a working Samba
+ network environment. You must add an account for each network user.
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <filename>/etc/passwd</filename> file, as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account, and use the Samba
+ <command>smbpasswd</command> to create a Domain user account.
+ There are a number of tools for user management under UNIX. Commonly known ones include:
+ <command>useradd, adduser</command>. In addition to these, there are a plethora of custom
+ tools. You also want to create a home directory for each user.
+ You can do this by executing the following steps for each user:
+<screen>
+&rootprompt; useradd -m <parameter>username</parameter>
+&rootprompt; passwd <parameter>username</parameter>
+Changing password for <parameter>username</parameter>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+&rootprompt; smbpasswd -a <parameter>username</parameter>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <parameter>username</parameter>.
+</screen>
+ You do of course use a valid user login ID in place of <parameter>username</parameter>.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>file system</primary>
+ <secondary>access control</secondary>
+ </indexterm><indexterm>
+ <primary>file system</primary>
+ <secondary>permissions</secondary>
+ </indexterm><indexterm>
+ <primary>group membership</primary>
+ </indexterm>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </para></step>
+
+ <step><para>
+ Create the directory mount point for the disk sub-system that can be mounted to provide
+ data storage for company files. In this case the mount point indicated in the &smb.conf;
+ file is <filename>/data</filename>. Format the file system as required, and mount the formatted
+ file system partition using appropriate system tools.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm>
+ Create the top-level file storage directories for data and applications as follows:
+<screen>
+&rootprompt; mkdir -p /data/{accounts,finsvcs}
+&rootprompt; mkdir -p /apps
+&rootprompt; chown -R root.root /data
+&rootprompt; chown -R root.root /apps
+&rootprompt; chown -R bjordan.accounts /data/accounts
+&rootprompt; chown -R bjordan.finsvcs /data/finsvcs
+&rootprompt; chmod -R ug+rwxs,o-rwx /data
+&rootprompt; chmod -R ug+rwx,o+rx-w /apps
+</screen>
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
+ The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
+ The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
+ that provides the application server infrastructure.
+ </para></step>
+
+ <step><para>
+ The &smb.conf; file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential
+ since desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 Megabytes of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+<screen>
+&rootprompt; mkdir -p /var/spool/samba
+&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+&rootprompt; chown -R root.root /var/spool/samba
+&rootprompt; chown -R root.root /var/lib/samba
+&rootprompt; chmod a+rwxt /var/spool/samba
+</screen>
+ For each user account that is created on the system, the following commands should be
+ executed:
+<screen>
+&rootprompt; mkdir /var/lib/samba/profiles/'username'
+&rootprompt; chown 'username'.users /var/lib/samba/profiles/'username'
+&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</screen>
+ </para></step>
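Review bot: the directory and ownership commands in these steps do not agree with the groups and shares defined earlier. `mkdir -p /data/{accounts,finsvcs}` creates `/data/finsvcs`, but the &smb.conf; `[service]` share points at `/data/service`, and the text below speaks of a "finsvcs share" that does not exist in the configuration; `chown -R bjordan.accounts /data/accounts` and `chown -R bjordan.finsvcs /data/finsvcs` name groups `accounts` and `finsvcs`, whereas initGrps.sh created `acctsdep` and `finsrvcs`, so both chown commands fail with an unknown group. Pick one set of names and use it in the share path, the group script and the chown lines. On `chmod -R ug+rwxs,o-rwx /data`: it is harmless now because the tree contains only the two empty directories, but if the command is re-run later it sets setuid and setgid on every regular file under `/data`; restricting the `s` bit to directories (`find /data -type d` with `chmod g+s`) gives the group inheritance that is wanted without that side effect. In the profile step, `chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'` ends with `-w` and no who-clause, which chmod treats as `a-w` less the umask bits, so it removes write permission from the user's own profile directory; drop the trailing `,-w` (the `o+rx` clause already leaves others without write) or use a numeric mode such as 750.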
+
+ <step><para><indexterm>
+ <primary>logon scrip</primary>
+ </indexterm><indexterm>
+ <primary>unix2dos</primary>
+ </indexterm><indexterm>
+ <primary>dos2unix</primary>
+ </indexterm>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<constant>unix2dos</constant> and <constant>dos2unix</constant>) are installed.
+ First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
+ with the following contents:
+<screen>
+net time \\diamond /set /yes
+net use h: /home
+net use p: \\diamond\apps
+</screen>
+ Convert the UNIX file to a DOS file using the <command>unix2dos</command> as shown here:
+<screen>
+&rootprompt; unix2dos &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ &gt; /var/lib/samba/netlogon/scripts/logon.bat
+</screen>
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4dhcpdns">
+ <title>Configuration of DHCP and DNS Servers</title>
+
+ <para>
+ DHCP services are a basic component of the entire network client installation. DNS operation is
+ foundational to Internet access as well as to trouble-free operation of local networking. When
+ you have completed this section, the server should be ready for solid duty operation.
+ </para>
+
+ <procedure>
+ <step><para>
+ <indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
+ Create a file called <filename>/etc/dhcpd.conf</filename> with the contents as
+ shown in <link linkend="prom-dhcp"/>.
+
+<example id="prom-dhcp">
+<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
+<screen>
+# Abmas Accounting Inc. - Chapter 4
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8; ### Node type = Hybrid ###
+ddns-updates on; ### Dynamic DNS enabled ###
+ddns-update-style ad-hoc;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host qmsa {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6a {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.30;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qmsf {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.20;
+ }
+ }
+ host hplj6f {
+ hardware ethernet 00:03:47:cf:83:e2;
+ fixed-address 192.168.2.30;
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
+</screen>
+</example>
+ </para></step>
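Review bot: `host qmsf` is given `fixed-address 192.168.1.20;`, but `/etc/hosts` and the abmas.biz zone file put qmsf at 192.168.2.20, and 192.168.1.20 is already the fixed address of qmsa in the first subnet, so the two printers would collide; this should read 192.168.2.20. The `host hplj6f` block sits outside the `subnet 192.168.2.0` braces (the closing brace follows `host qmsf`), unlike hplj6a in the first subnet; dhcpd accepts a global host declaration, but the asymmetry looks accidental. `default-lease-time 86400;` is declared twice. A security caveat the text should carry: `ddns-updates on;` with `ddns-update-style ad-hoc;` here, combined with `allow-update { mynet; };` in the named.conf zones, lets any host on either LAN rewrite the abmas.biz and reverse zones without authentication; restricting `allow-update` to the server's own address or to a TSIG key keeps dynamic DNS working while removing that exposure.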
+
+ <step><para>
+ <indexterm><primary>/etc/named.conf</primary></indexterm>
+ Create a file called <filename>/etc/named.conf</filename> that has the combined contents
+ of the <link linkend="ch4namedcfg"/>, <link linkend="ch4namedvarfwd"/>, and
+ <link linkend="ch4namedvarrev"/> files that are concatenated (merged) in this
+ specific order.
+ </para></step>
+
+ <step><para>
+ Create the files shown in their directories as follows:
+
+ <table if="namedrscfiles">
+ <title>DNS (named) Resource Files</title>
+ <tgroup cols="2">
+ <colspec align="left"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry>Reference</entry>
+ <entry>File Location</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><link linkend="loopback"/></entry>
+ <entry>/var/lib/named/localhost.zone</entry>
+ </row>
+ <row>
+ <entry><link linkend="dnsloopy"/></entry>
+ <entry>/var/lib/named/127.0.0.zone</entry>
+ </row>
+ <row>
+ <entry><link linkend="roothint"/></entry>
+ <entry>/var/lib/named/root.hint</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasbiz"/></entry>
+ <entry>/var/lib/named/master/abmas.biz.hosts</entry>
+ </row>
+ <row>
+ <entry><link linkend="abmasus"/></entry>
+ <entry>/var/lib/named/abmas.us.hosts</entry>
+ </row>
+ <row>
+ <entry><link linkend="eth1zone"/></entry>
+ <entry>/var/lib/named/192.168.1.0.rev</entry>
+ </row>
+ <row>
+ <entry><link linkend="eth2zone"/></entry>
+ <entry>/var/lib/named/192.168.2.0.rev</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+<example id="ch4namedcfg">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section</title>
+<indexterm><primary>/etc/named.conf</primary></indexterm>
+<screen>
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 192.168.1.0/24;
+ 192.168.2.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+}
+
+</screen>
+</example>
+
+<example id="ch4namedvarfwd">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section</title>
+<screen>
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ all;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</screen>
+</example>
+
+<example id="ch4namedvarrev">
+<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section</title>
+<screen>
+zone "1.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.1.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "2.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.2.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+</screen>
+</example>
+
+<example id="eth1zone">
+<title>DNS 192.168.1 Reverse Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth1.abmas.biz.
+$ORIGIN 1.168.192.in-addr.arpa.
+1 PTR sleeth1.abmas.biz.
+20 PTR qmsa.abmas.biz.
+30 PTR hplj6a.abmas.biz.
+</screen>
+</example>
+
+<example id="eth2zone">
+<title>DNS 192.168.2 Reverse Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth2.abmas.biz.
+$ORIGIN 2.168.192.in-addr.arpa.
+1 PTR sleeth2.abmas.biz.
+20 PTR qmsf.abmas.biz.
+30 PTR hplj6f.abmas.biz.
+</screen>
+</example>
+
+<example id="abmasbiz">
+<title>DNS Abmas.biz Forward Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.biz.
+ MX 10 mail.abmas.biz.
+$ORIGIN abmas.biz.
+sleeth1 A 192.168.1.1
+sleeth2 A 192.168.2.1
+qmsa A 192.168.1.20
+hplj6a A 192.168.1.30
+qmsf A 192.168.2.20
+hplj6f A 192.168.2.30
+dns CNAME sleeth1
+diamond CNAME sleeth1
+</screen>
+</example>
+
+<example id="abmasus">
+<title>DNS Abmas.us Forward Zone File</title>
+<screen>
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 mail.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
+</screen>
+</example>
+
+ </para></step>
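Review bot: named will not load this configuration as written. `listen-on { mynet; };` inside `options` references the `mynet` ACL before `acl mynet { ... };` is declared, and BIND requires an ACL to be defined before it is used, so named-checkconf reports an undefined ACL; move both `acl` blocks above `options`. The block `acl seconddns { 123.45.54.32; }` lacks the terminating semicolon after the closing brace. The file table and the zone statements disagree on locations: the table lists `/var/lib/named/abmas.us.hosts`, `/var/lib/named/192.168.1.0.rev` and `/var/lib/named/192.168.2.0.rev`, while named.conf loads all three from `/var/lib/named/master/`; also the table element is written `<table if="namedrscfiles">` where the DocBook attribute is `id`. In the zone data, `NS dns.abmas.biz.` and `NS dns.abmas.us.` both point at names that are CNAMEs (`dns CNAME sleeth1`, `dns CNAME server`), which RFC 2181 forbids for NS targets; point them at the A records (sleeth1, server) instead. `MX 10 mail.abmas.biz.` has no corresponding record in the abmas.biz zone, and both reverse zones name `sleeth.abmas.biz.` as the SOA primary server although only sleeth1 and sleeth2 exist.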
+
+ <step><para>
+ <indexterm><primary>/etc/resolv.conf</primary></indexterm><indexterm>
+ <primary>name resolution</primary>
+ </indexterm>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <filename>/etc/resolv.conf</filename> to have the following
+ content:
+<screen>
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+nameserver 123.45.54.23
+</screen>
+ <indexterm>
+ <primary>DNS server</primary>
+ </indexterm>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses. In the event that the local name server
+ is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
+ purely local names to IP addresses.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ The final step is to edit the <filename>/etc/nsswitch.conf</filename> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+<screen>
+hosts: files dns wins
+</screen>
+ </para></step>
+ </procedure>
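Review bot: the fallback `nameserver 123.45.54.23` in `/etc/resolv.conf` matches neither the ISP forwarder configured in named.conf (`123.45.12.23`) nor the secondary DNS host (`123.45.54.32`); the text says this should be the ISP's name server, so it is presumably meant to be 123.45.12.23, and the three addresses should be made consistent. The `hosts: files dns wins` line in `/etc/nsswitch.conf` depends on the `libnss_wins` library shipped with Samba being installed; a short sentence saying so would save a reader whose lookups silently ignore the `wins` source.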
+
+ <para>
+ The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
+ there are a few more steps along the road. First, configure the print spooling and print
+ processing system. Then you can configure the server so that all services
+ start automatically on reboot. You must also manually start all services prior to validation testing.
+ </para>
+
+ </sect2>
+
+ <sect2 id="ch4ptrcfg">
+ <title>Printer Configuration</title>
+
+ <para>
+ </para>
+
+ <procedure>
+ <step><para>
+ Configure each printer to be a DHCP client carefully following the manufacturer's guidelines.
+ </para></step>
+
+ <step><para>
+ Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100.
+ Use any other port the manufacturer specifies for direct mode, raw printing and adjust the
+ port as necessary in the following example commands.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <indexterm><primary>CUPS</primary></indexterm>
+ <indexterm><primary>raw printing</primary></indexterm>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm>
+ <primary>lpadmin</primary>
+ </indexterm>
+ Configure the CUPS Print Queues as follows:
+<screen>
+&rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
+&rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
+&rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
+&rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
+</screen>
+ <indexterm><primary>print filter</primary></indexterm>
+ This has created the necessary print queues with no assigned print filter.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>enable</primary>
+ </indexterm>
+ Print queues may not be enabled at creation. Use <command>lpc stat</command> to check
+ the status of the print queues and if necessary make certain that the queues you have
+ just created are enabled by executing the following:
+<screen>
+&rootprompt; /usr/bin/enable qmsa
+&rootprompt; /usr/bin/enable hplj6a
+&rootprompt; /usr/bin/enable qmsf
+&rootprompt; /usr/bin/enable hplj6f
+</screen>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>accept</primary>
+ </indexterm>
+ Even though your print queues may be enabled, it is still possible that they
+ are not accepting print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queues are
+ set to accept incoming jobs by executing the following commands:
+<screen>
+&rootprompt; /usr/bin/accept qmsa
+&rootprompt; /usr/bin/accept hplj6a
+&rootprompt; /usr/bin/accept qmsf
+&rootprompt; /usr/bin/accept hplj6f
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>mime type</primary></indexterm>
+ <indexterm><primary>/etc/mime.convs</primary></indexterm>
+ <indexterm><primary>application/octet-stream</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
+<screen>
+application/octet-stream application/vnd.cups-raw 0 -
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/mime.types</primary></indexterm>
+ Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
+<screen>
+application/octet-stream
+</screen>
+ </para></step>
+
+ <step><para>
+ Printing drivers are installed on each network client workstation.
+ </para></step>
+ </procedure>
+
+ <para>
+ The UNIX system print queues have been configured and are ready for validation testing.
+ </para>
+
+ </sect2>
+
+ <sect2 id="procstart">
+ <title>Process Startup Configuration</title>
+
+ <para>
+ <indexterm><primary>chkconfig</primary></indexterm>
+ There are two essential steps to process startup configuration. First, the process
+ must be configured so that it automatically restarts each time the server
+ is rebooted. This step involves use of the <command>chkconfig</command> tool that
+ creates the appropriate symbolic links from the master daemon control file that is
+ located in the <filename>/etc/rc.d</filename> directory, to the <filename>/etc/rc'x'.d</filename>
+ directories. Links are created so that when the system run-level is changed, the
+ necessary start or kill script is run.
+ </para>
+
+ <para>
+ <indexterm><primary>/etc/xinetd.d</primary></indexterm><indexterm>
+ <primary>inetd</primary>
+ </indexterm><indexterm>
+ <primary>xinetd</primary>
+ </indexterm><indexterm>
+ <primary>chkconfig</primary>
+ </indexterm><indexterm>
+ <primary>super daemon</primary>
+ </indexterm>
+ In the event that a service is not run as a daemon, but via the inter-networking
+ super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
+ tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
+ and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
+ re-read its control files.
+ </para>
+
+ <para>
+ Last, each service must be started to permit system validation to proceed.
+ </para>
+
+ <procedure>
+ <step><para>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example:
+ <indexterm><primary>chkconfig</primary></indexterm>
+<screen>
+&rootprompt; chkconfig dhpc on
+&rootprompt; chkconfig named on
+&rootprompt; chkconfig cups on
+&rootprompt; chkconfig smb on
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>starting dhcpd</primary></indexterm>
+ <indexterm><primary>starting samba</primary></indexterm>
+ <indexterm><primary>starting CUPS</primary></indexterm>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+<screen>
+&rootprompt; /etc/rc.d/init.d/dhcp restart
+&rootprompt; /etc/rc.d/init.d/named restart
+&rootprompt; /etc/rc.d/init.d/cups restart
+&rootprompt; /etc/rc.d/init.d/smb restart
+</screen>
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4valid">
+ <title>Validation</title>
+
+ <para><indexterm>
+ <primary>validation</primary>
+ </indexterm>
+ Complex networking problems are most often caused by simple things that are poorly or incorrectly
+ configured. The validation process adopted here should be followed carefully; it is the result of the
+ experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
+ refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
+ and diligence in network validation. By thoroughly testing and validating every step in the process
+ of network installation and configuration, you can save yourself from sleepless nights and restless
+ days. A well debugged network is a foundation for happy network users and network administrators.
+ Later in this book you learn how to make users happier. For now, it is enough to learn to
+ validate. Let's get on with it.
+ </para>
+
+ <procedure>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ One of the most important facets of Samba configuration is to ensure that
+ name resolution functions correctly. You can test name resolution
+ with a few simple tests. The most basic name resolution is provided from the
+ <filename>/etc/hosts</filename> file. To test its operation, make a
+ temporary edit to the <filename>/etc/nsswitch.conf</filename> file. Using
+ your favorite editor, change the entry for <constant>hosts</constant> to read:
+<screen>
+hosts: files
+</screen>
+ When you have saved this file, execute the following command:
+<screen>
+&rootprompt; ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3016ms
+rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
+</screen>
+ This proves that name resolution via the <filename>/etc/hosts</filename> file
+ is working.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ So far, your installation is going particularly well. In this step we validate
+ DNS server and name resolution operation. Using your favorite UNIX system editor,
+ change the <filename>/etc/nsswitch.conf</filename> file so that the
+ <constant>hosts</constant> entry reads:
+<screen>
+hosts: dns
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>named</primary></indexterm>
+ Before you test DNS operation, it is a good idea to verify that the DNS server
+ is running by executing the following:
+<screen>
+&rootprompt; ps ax | grep named
+ 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
+ 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 2552 pts/2 S 0:00 grep named
+</screen>
+ This means that we are ready to check DNS operation. Do so by executing:
+ <indexterm><primary>ping</primary></indexterm>
+<screen>
+&rootprompt; ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 999ms
+rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
+</screen>
+ You should take a few more steps to validate DNS server operation, as follows:
+<screen>
+&rootprompt; host -f diamond.abmas.biz
+sleeth1.abmas.biz has address 192.168.1.1
+</screen>
+ <indexterm><primary>/etc/hosts</primary></indexterm>
+ You may now remove the entry called <constant>diamond</constant> from the
+ <filename>/etc/hosts</filename> file. It does not hurt to leave it there,
+ but its removal reduces the number of administrative steps for this name.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
+ WINS is a great way to resolve NetBIOS names to their IP address. You can test
+ the operation of WINS by starting <command>nmbd</command> (manually, or by way
+ of the Samba startup method shown in <link linkend="procstart"/>). You must edit
+ the <filename>/etc/nsswitch.conf</filename> file so that the <constant>hosts</constant>
+ entry is as follows:
+<screen>
+hosts: wins
+</screen>
+ The next step is to make certain that Samba is running using <command>ps ax|grep mbd</command>, and then execute the following:
+<screen>
+&rootprompt; ping diamond
+PING diamond (192.168.1.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
+</screen>
+ <indexterm><primary>ping</primary></indexterm>
+ Now that you can relax with the knowledge that all three major forms of name
+ resolution to IP address resolution are working, edit the <filename>/etc/nsswitch.conf</filename>
+ again. This time you add all three forms of name resolution to this file.
+ Your edited entry for <constant>hosts</constant> should now look like this:
+<screen>
+hosts: file dns wins
+</screen>
+ The system is looking good. Let's move on.
+ </para></step>
+
+ <step><para>
+ It would give peace of mind to know that the DHCP server is running
+ and available for service. You can validate DHCP services by running:
+
+<screen>
+&rootprompt; ps ax | grep dhcp
+ 2618 ? S 0:00 /usr/sbin/dhcpd ...
+ 8180 pts/2 S 0:00 grep dhcp
+</screen>
+ This shows that the server is running. The proof of whether or not it is working
+ comes when you try to add the first DHCP client to the network.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>testparm</primary></indexterm>
+ This is a good point at which to start validating Samba operation. You are
+ content that name resolution is working for basic TCP/IP needs. Let's move on.
+ If your &smb.conf; file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+<screen>
+&rootprompt; testparm -s
+Load smb config files from /etc/samba/smb.conf
+Processing section "[IPC$]"
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[apps]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = PROMISES
+ netbios name = DIAMOND
+ interfaces = eth1, eth2, lo
+ bind interfaces only = Yes
+ passdb backend = tdbsam
+ pam password change = Yes
+ passwd chat = *New*Password* %n\n \
+ *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ unix password sync = Yes
+ log level = 1
+ syslog = 0
+ log file = /var/log/samba/%m
+ max log size = 50
+ smb ports = 139 445
+ name resolve order = wins bcast hosts
+ time server = Yes
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m %u
+ delete user script = /usr/sbin/userdel -r %u
+ add group script = /usr/sbin/groupadd %g
+ delete group script = /usr/sbin/groupdel %g
+ add user to group script = /usr/sbin/usermod -G %g %u
+ add machine script = /usr/sbin/useradd \
+ -s /bin/false -d /dev/null %u
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
+ abort shutdown script = /sbin/shutdown -c
+ logon script = scripts\logon.bat
+ logon path = \\%L\profiles\%U
+ logon drive = X:
+ logon home = \\%L\%U
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ utmp = Yes
+ winbind use default domain = Yes
+ map acl inherit = Yes
+ printing = cups
+ veto files = /*.eml/*.nws/riched20.dll/*.{*}/
+ veto oplock files = /*.doc/*.xls/*.mdb/
+
+[IPC$]
+ path = /tmp
+ hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
+ hosts deny = 0.0.0.0/0
+...
+### Remainder cut to save space ###
+</screen>
+ Clear away all errors before proceeding.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>check samba daemons</primary></indexterm>
+ <indexterm><primary>smbd</primary></indexterm>
+ <indexterm><primary>nmbd</primary></indexterm>
+ <indexterm><primary>winbindd</primary></indexterm>
+ Check that the Samba server is running:
+<screen>
+&rootprompt; ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</screen>
+ The <command>winbindd</command> daemon is running in split mode (normal), so there are also
+ two instances<footnote>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
+ Chapter 20, Section 20.3. The single instance of <command>smbd</command> is normal. One additional
+ <command>smbd</command> slave process is spawned for each SMB/CIFS client
+ connection.</footnote> of it.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>anonymous
+ connection</primary></indexterm>
+ <indexterm>
+ <primary>smbclient</primary>
+ </indexterm>
+ Check that an anonymous connection can be made to the Samba server:
+<screen>
+&rootprompt; smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.2)
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ apps Disk Application Files
+ ADMIN$ IPC IPC Service (Samba 3.0.2)
+ hplj6a Printer hplj6a
+ hplj6f Printer hplj6f
+ qmsa Printer qmsa
+ qmsf Printer qmsf
+
+ Server Comment
+ --------- -------
+ DIAMOND Samba CVS 3.0.2
+
+ Workgroup Master
+ --------- -------
+ PROMISES DIAMOND
+</screen>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <constant>-U%</constant> argument means "send a <constant>NULL</constant> username and
+ a <constant>NULL</constant> password."
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>dhcp client validation</primary></indexterm>
+ <indexterm><primary>printer validation</primary></indexterm>
+ <indexterm><primary>arp</primary></indexterm>
+ Verify that each printer has the IP address assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <command>arp -a</command> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They
+ should, of course, match. For example:
+<screen>
+&rootprompt; ping hplj6
+PING hplj6a (192.168.1.30) 56(84) bytes of data.
+64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
+
+&rootprompt; arp -a
+hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
+</screen>
+ <indexterm>
+ <primary>/etc/dhcpd.conf</primary>
+ </indexterm>
+ The MAC address <constant>00:03:47:CB:81:E0</constant> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <filename>/etc/dhcpd.conf</filename> file. Repeat this for each printer configured.
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>authenticated connection</primary></indexterm>
+ Make an authenticated connection to the server using the <command>smbclient</command> tool:
+<screen>
+&rootprompt; smbclient //diamond/accounts -U gholmes
+Password: XXXXXXX
+smb: \> dir
+ . D 0 Thu Nov 27 15:07:09 2003
+ .. D 0 Sat Nov 15 17:40:50 2003
+ zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
+ zak.exe 6066384 Thu Nov 27 15:06:52 2003
+ dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
+ smb.conf 2131 Thu Nov 27 15:06:52 2003
+ initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
+ POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
+
+ 55974 blocks of size 65536. 33968 blocks available
+smb: \> q
+</screen>
+ </para></step>
+
+ <step><para>
+ <indexterm><primary>nmap</primary></indexterm>
+ Your new server is connected to an Internet accessible connection. Before you start
+ your firewall, you should run a port scanner against your system. You should repeat that
+ after the firewall has been started. This helps you understand what extent the
+ server may be vulnerable to external attack. One way you can do this is by using an
+ external service provided such as the <ulink url="http://www.dslreports.com/scan">DSL Reports</ulink>
+ tools. Alternately, if you can gain root-level access to a remote
+ UNIX/Linux system that has the <command>nmap</command> tool, you can run this as follows:
+<screen>
+&rootprompt; nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 6000/tcp
+Adding open port 873/tcp
+Adding open port 445/tcp
+Adding open port 10000/tcp
+Adding open port 901/tcp
+Adding open port 631/tcp
+Adding open port 25/tcp
+Adding open port 111/tcp
+Adding open port 32770/tcp
+Adding open port 3128/tcp
+Adding open port 53/tcp
+Adding open port 80/tcp
+Adding open port 443/tcp
+Adding open port 139/tcp
+Adding open port 22/tcp
+The Connect() Scan took 0 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1587 ports scanned but not shown below are in state: closed)
+Port State Service
+22/tcp open ssh
+25/tcp open smtp
+53/tcp open domain
+80/tcp open http
+111/tcp open sunrpc
+139/tcp open netbios-ssn
+443/tcp open https
+445/tcp open microsoft-ds
+631/tcp open ipp
+873/tcp open rsync
+901/tcp open samba-swat
+3128/tcp open squid-http
+6000/tcp open X11
+10000/tcp open snet-sensor-mgmt
+32770/tcp open sometimes-rpc3
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
+</screen>
+ The above scan was run before the external interface was locked down with the NAT-firewall
+ script you created above. The following results are obtained after the firewall rules
+ have been put into place:
+<screen>
+&rootprompt; nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 53/tcp
+Adding open port 22/tcp
+The Connect() Scan took 168 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1593 ports scanned but not shown below are in state: filtered)
+Port State Service
+22/tcp open ssh
+25/tcp closed smtp
+53/tcp open domain
+80/tcp closed http
+443/tcp closed https
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
+</screen>
+ </para></step>
+
+ </procedure>
+
+ </sect2>
+
+ <sect2 id="ch4appscfg">
+ <title>Application Share Configuration</title>
+
+ <para><indexterm>
+ <primary>application server</primary>
+ </indexterm><indexterm>
+ <primary>administrative installation</primary>
+ </indexterm>
+ The use of an application server is a key mechanism by which desktop administration overheads
+ can be reduced. Check the application manual for your software to identify how best to
+ create an administrative installation.
+ </para>
+
+ <para>
+ Some Windows software will only run locally on the desktop computer. Such software
+ is typically not suited for administrative installation. Administratively installed software
+ permits one or more of the following installation choices:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ Install software fully onto a workstation, storing data files on the same workstation.
+ </para></listitem>
+
+ <listitem><para>
+ Install software fully onto a workstation with central network data file storage.
+ </para></listitem>
+
+ <listitem><para>
+ Install software to run off a central application server with data files stored
+ on the local workstation. This is often called a minimum installation, or a
+ network client installation.
+ </para></listitem>
+
+ <listitem><para>
+ Install software to run off a central application server with data files stored
+ on a central network share. This type of installation often prevents storage
+ of work files on the local workstation.
+ </para></listitem>
+ </itemizedlist>
+
+ <para><indexterm>
+ <primary></primary>
+ </indexterm>
+ A common application deployed in this environment is an office suite.
+ Enterprise editions of Microsoft Office XP Professional can be administratively installed
+ by launching the installation from a command shell. The command that achieves this is:
+ <command>setup /a</command>. It results in a set of prompts through which various
+ installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
+ Kit for more information regarding this mode of installation of MS Office XP Professional.
+ The full administrative installation of MS Office XP Professional requires approximately
+ 650 MB of disk space.
+ </para>
+
+ <para>
+ When the MS Office XP Professional product has been installed to the administrative network
+ share, the product can be installed onto a workstation by executing the normal setup program.
+ The installation process now provides a choice to either perform a minimum installation
+ or a full local installation. A full local installation takes over 100 MB of disk space.
+ A network workstation (minimum) installation requires typically 10-15 MB of
+ local disk space. In the later case, when the applications are used, they load over the network.
+ </para>
+
+ <para><indexterm>
+ <primary>Service Packs</primary>
+ </indexterm><indexterm>
+ <primary>Microsoft Office</primary>
+ </indexterm>
+ Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
+ it possible to update MS Office XP Professional for all users from a single installation
+ of the service pack and generally circumvents the need to run updates on each network
+ Windows client.
+ </para>
+
+ <para>
+ The default location for MS Office XP Professional data files can be set through registry
+ editing or by way of configuration options inside each Office XP Professional application.
+ </para>
+
+ <para><indexterm>
+ <primary>OpenOffice</primary>
+ </indexterm>
+ OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also
+ be installed to run off a network share. The latter is a most desirable solution for office-bound
+ network users and for administrative staff alike. It permits quick and easy updates
+ to be rolled out to all users with a minimum of disruption and with maximum flexibility.
+ </para>
+
+ <para>
+ The process for installation of administrative shared OpenOffice involves download of the
+ distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
+ When fully extracted using the un-zipping tool of your choosing, change into the Windows
+ installation files directory then execute <command>setup -net</command>. You are
+ prompted on screen for the target installation location. This is the administrative
+ share point. The full administrative OpenOffice share takes approximately 150 MB of disk
+ space.
+ </para>
+
+ <sect3>
+ <title>Comments Regarding Software Terms of Use</title>
+ <para>
+ Many single-user products can be installed into an administrative share, but
+ personal versions of products such as Microsoft Office XP Professional do not permit this.
+ Many people do not like terms of use typical with commercial products, so a few comments
+ regarding software licensing seem important and thus are included below.
+ </para>
+
+ <para>
+ Please do not use an administrative installation of proprietary and commercially licensed
+ software products to violate the copyright holders' property. All software is licensed,
+ particularly software that is licensed for use free of charge. All software is the property
+ of the copyright holder, unless the author and/or copyright holder has explicitly disavowed
+ ownership and has placed the software into the public domain.
+ </para>
+
+ <para>
+ Software that is under the GNU General Public License, like proprietary software, is
+ licensed in a way that restricts use. For example, if you modify GPL software and then
+ distribute the binary version of your modifications, you must offer to provide the source
+ code as well. This is a form of restriction that is designed to maintain the momentum
+ of the diffusion of technology and to protect against the withholding of innovations.
+ </para>
+
+ <para>
+ Commercial and proprietary software generally restrict use to those who have paid the
+ license fees and who comply with the licensee's terms of use. Software that is released
+ under the GNU General Public License is restricted to particular terms and conditions
+ also. Whatever the licensing terms may be, if you do not approve of the terms of use,
+ please do not use the software.
+ </para>
+
+ <para><indexterm>
+ <primary>GPL</primary>
+ </indexterm>
+ Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
+ with the source code.
+ </para>
+ </sect3>
+
+ </sect2>
+
+ <sect2 id="ch4wincfg">
+ <title>Windows Client Configuration</title>
+
+ <para>
+ Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
+ to reinstall many of the notebook computers that will be recycled for use with the new network
+ configuration. The smartest way to handle the challenge of the roll-out program is to build
+ a staged system for each type of target machine, and then use an image replication tool such as Norton
+ Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
+ be done with notebook computers as long as they are identical or sufficiently similar.
+ </para>
+
+ <procedure>
+ <step><para>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration.
+ <indexterm><primary>WINS</primary></indexterm>
+ <indexterm><primary>DHCP</primary></indexterm>
+ DHCP configures all Windows clients to use the WINS Server address that has been defined
+ for the local subnet.
+ </para></step>
+
+ <step><para>
+ Join the Windows Domain <constant>PROMISES</constant>. Use the Domain Administrator
+ user name <constant>root</constant> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <link linkend="domjoin"/>.
+ Reboot the machine as prompted and then logon using the Domain Administrator account
+ (<constant>root</constant>.
+ </para></step>
+
+ <step><para>
+ Verify <constant>DIAMOND</constant> is visible in <guimenu>My Network Places</guimenu>,
+ that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
+ <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
+ and that it is possible to open each share to reveal its contents.
+ </para></step>
+
+ <step><para>
+ Create a drive mapping to the <constant>apps</constant> share on the server <constant>DIAMOND</constant>.
+ </para></step>
+
+ <step><para>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you can choose to run applications over the network, correct?
+ </para></step>
+
+ <step><para>
+ Now install all applications to be installed locally. Typical tools includes: Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as finger-print
+ scanners, and the like. Probably the most significant application for local installation
+ is anti-virus software.
+ </para></step>
+
+ <step><para>
+ Now install all four printers onto the staging system. The printers you install
+ include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
+ also configure identical printers that are located in the financial services department.
+ Install printers on each machine using the following steps:
+
+ <procedure>
+ <step><para>
+ Click <menuchoice>
+ <guimenu>Start</guimenu>
+ <guimenuitem>Settings</guimenuitem>
+ <guimenuitem>Printers</guimenuitem>
+ <guiicon>Add Printer</guiicon>
+ <guibutton>Next</guibutton>
+ </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
+ Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
+ </para></step>
+
+ <step><para>
+ Click <guibutton>Next</guibutton>. In the panel labeled
+ <guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
+ In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
+ <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
+ <constant>FILE:</constant>. Accept the default printer name by clicking
+ <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
+ test page?,</quote> click <guimenuitem>No</guimenuitem>. Click
+ <guibutton>Finish</guibutton>.
+ </para></step>
+
+ <step><para>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <menuchoice>
+ <guiicon>HP LaserJet 6</guiicon>
+ <guimenuitem>Properties</guimenuitem>
+ <guimenusub>Details (Tab)</guimenusub>
+ <guimenubutton>Add Port</guimenubutton>
+ </menuchoice>.
+ </para></step>
+
+ <step><para>
+ In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
+ the print queue on the Samba server as follows: <constant>\\DIAMOND\hplj6a</constant>.
+ Click <menuchoice>
+ <guibutton>OK</guibutton>
+ <guibutton>OK</guibutton>
+ </menuchoice> to complete the installation.
+ </para></step>
+
+ <step><para>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers.
+ </para></step>
+ </procedure>
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>defragmentation</primary>
+ </indexterm>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in an optimal condition before replication.
+ </para></step>
+
+ <step><para>
+ Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
+ machine to a network share on the server.
+ </para></step>
+
+ <step><para><indexterm>
+ <primary>Windows security identifier</primary>
+ <see>SID</see>
+ </indexterm><indexterm>
+ <primary>SID</primary>
+ </indexterm>
+ You may now replicate the image to the target machines using the appropriate Norton Ghost
+ procedure. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
+ </para></step>
+
+ <step><para>
+ Log onto the machine as the local Administrator (the only option), and join the machine to
+ the Domain following the procedure set out in <link linkend="domjoin"/>. The system is now
+ ready for the user to logon, providing you have created a network logon account for that
+ user, of course.
+ </para></step>
+
+ <step><para>
+ Instruct all users to log onto the workstation using their assigned user name and password.
+ </para></step>
+ </procedure>
+
+ </sect2>
+
+ <sect2>
+ <title>Key Points Learned</title>
+
+ <para>
+ How do you feel, Bob? You have built a capable network, a truly ambitious project.
+ Just as well, you have Christine to help you. Future network updates can be handled by
+ your staff. You must be a satisfied manager. Let's review the achievements.
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ A simple firewall has been configured to protect the server in the event that
+ the ISP firewall service should fail.
+ </para></listitem>
+
+ <listitem><para>
+ The Samba configuration uses measures to ensure that only local network users
+ can connect to SMB/CIFS services.
+ </para></listitem>
+
+ <listitem><para>
+ Samba uses the new <constant>tdbsam</constant> passdb backend facility.
+ Considerable complexity was added to Samba functionality.
+ </para></listitem>
+
+ <listitem><para>
+ A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
+ server.
+ </para></listitem>
+
+ <listitem><para>
+ The DNS server was configured to permit DDNS only for local network clients. This
+ server also provides primary DNS services for the company Internet presence.
+ </para></listitem>
+
+ <listitem><para>
+ You introduced an application server, as well as the concept of cloning a Windows
+ client in order to effect improved standardization of desktops and to reduce
+ the costs of network management.
+ </para></listitem>
+ </itemizedlist>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Questions and Answers</title>
+
+ <para>
+ </para>
+
+ <qandaset defaultlabel="chap04qa" type="number">
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the maximum number of account entries that the <parameter>tdbsam</parameter> passdb backend can handle?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The tdb data structure and support system can handle more entries than the number of accounts
+ that are possible on most UNIX systems. There is a practical limit that would come into play
+ long before a performance boundary would be anticipated. That practical limit is controlled
+ by the nature of Windows networking. There are few Windows file and print servers
+ that can handle more than a few hundred concurrent client connections. The key limiting factors
+ that predicate off-loading of services to additional servers are memory capacity, the number
+ of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by
+ just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation
+ of the network (distributing network load across multiple networks).
+ </para>
+ <para>
+ As the network grows, it becomes necessary to provide additional authentication servers (domain
+ controllers). The tdbsam is limited to a single machine and cannot be reliably replicated.
+ This means that practical limits on network design dictate the point at which a distributed
+ passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP).
+ </para>
+
+ <para>
+ The guideline provided in <emphasis>TOSHARG</emphasis>, Chapter 10, Section 10.1.2, is to limit the number of accounts
+ in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain
+ controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used
+ by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication
+ not on the limits<footnote>Bench tests have shown that tdbsam is a very effective database technology.
+ There is surprisingly little performance loss even with over 4000 users.</footnote> of the tdbsam backend itself.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Would Samba operate any better if the OS Level is set to a value higher than 35?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
+ of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
+ no gain to be had from setting this higher.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
+ a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
+ Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why has a path been specified in the <parameter>IPC$</parameter> share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
+ obtain access to the file system, it does so at a location that presents least risk. Under normal operation
+ this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why does the &smb.conf; file in this exercise include an entry for <smbconfoption><name>smb ports</name></smbconfoption>?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
+ used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
+ over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
+ specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service connection attempts.
+ The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
+ member, the default behavior is highly beneficial and should not be changed.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What is the difference between a print queue and a printer?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ A printer is a physical device that is connected either directly to the network or to a computer
+ via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
+ hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a
+ single print data stream and block all secondary attempts to dispatch jobs concurrently to the
+ same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
+ it would result in a huge amount of network traffic through continually failing connection attempts.
+ </para>
+
+ <para>
+ A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
+ print requests. When the data stream has been fully received the input stream is closed,
+ the job is then submitted to a sequential print queue where the job is stored until
+ the printer is ready to receive the job.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Can all MS Windows application software be installed onto an application server share?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ Much older Windows software is not compatible with installation to and execution off
+ an application server. Enterprise versions of Microsoft Office XP Professional can
+ be installed to an application server. Retail consumer versions of Microsoft Office XP
+ Professional do not permit installation to an application server share and can be installed
+ and used only to/from a local workstation hard disk.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why use dynamic DNS (DDNS)?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ When DDNS records are updated directly from the DHCP server, it is possible for
+ network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate
+ Windows clients via DNS.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ Why would you use WINS as well as DNS-based name resolution?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
+ a name like <quote>myhost.mydomain.tld,</quote> where <parameter>tld</parameter>
+ means <constant>top level domain</constant>. A FQDN is a long hand but easy to remember
+ expression that may be up to 1024 characters in length and that represents an IP address.
+ A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character
+ is a name type indicator. A specific name type is registered<footnote>
+ See <emphasis>TOSHARG</emphasis>, Chapter 9 for more information.</footnote> for each
+ type of service that is provided by the Windows server or client and that may be registered
+ where a WINS server is in use.
+ </para>
+
+ <para>
+ WINS is a mechanism by which a client may locate the IP Address that corresponds to a
+ NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
+ that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
+ that permits handling of the NetBIOS name type information.
+ </para>
+
+ <para>
+ DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
+ hostname or service name that has been registered in the DNS database for a particular domain.
+ A DNS server has limited scope of control and is said to be authoritative for the zone over
+ which it has control.
+ </para>
+
+ <para>
+ Windows 200x Active Directory requires the registration in the DNS zone for the domain it
+ controls of service locator<footnote>See TOSHARG, Chapter 9, Section 9.3.3</footnote> records
+ that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
+ requires the registration of special records that are called global catalog (GC) entries
+ and site entries by which domain controllers and other essential ADS servers may be located.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ <qandaentry>
+ <question>
+
+ <para>
+ What are the major benefits of using an application server?
+ </para>
+
+ </question>
+ <answer>
+
+ <para>
+ The use of an application server can significantly reduce application update maintenance.
+ By providing a centralized application share, software updates need be applied to only
+ one location for all major applications used. This results in faster update roll-outs and
+ significantly better application usage control.
+ </para>
+
+ </answer>
+ </qandaentry>
+
+ </qandaset>
+
+</sect1>
+
+</chapter>
+
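Review bot: the answer to "Why has a path been specified in the IPC$ share?" undercuts itself and repeats a sentence; it first gives the sound defensive rationale (a bug that lets an IPC$ connection reach the file system does so "at a location that presents least risk") and then says both "this type of paranoid step should not be necessary" and "The use of this parameter should not be necessary." Drop the duplicate and keep the precautionary point, e.g. "Under normal operation this step is not required; it is a low-cost precaution against a future bug." Two smaller points in the same qandaset: the "smb ports" answer says "The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445", but smbd listens rather than initiates, and the answer never states that Samba still serves both ports whatever the order, so it should say what the ordering actually changes and why that reduces failed attempts; and the WINS/DNS answer says a FQDN "may be up to 1024 characters in length", whereas DNS limits a complete name to 255 octets (RFC 1035), so that figure needs correcting.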