Diffstat (limited to 'docs/htmldocs/advancednetworkmanagement.html')
-rw-r--r-- docs/htmldocs/advancednetworkmanagement.html 555
1 files changed, 555 insertions, 0 deletions
diff --git a/docs/htmldocs/advancednetworkmanagement.html b/docs/htmldocs/advancednetworkmanagement.html
new file mode 100644
index 0000000000..a57b74f275
--- /dev/null
+++ b/docs/htmldocs/advancednetworkmanagement.html
@@ -0,0 +1,555 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Advanced Network Manangement</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="samba-howto-collection.html"><LINK
+REL="UP"
+TITLE="Advanced Configuration"
+HREF="optional.html"><LINK
+REL="PREVIOUS"
+TITLE="Unified Logons between Windows NT and UNIX using Winbind"
+HREF="winbind.html"><LINK
+REL="NEXT"
+TITLE="System and Account Policies"
+HREF="policymgmt.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="winbind.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="policymgmt.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="ADVANCEDNETWORKMANAGEMENT"
+></A
+>Chapter 16. Advanced Network Manangement</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>16.1. <A
+HREF="advancednetworkmanagement.html#AEN2870"
+>Configuring Samba Share Access Controls</A
+></DT
+><DT
+>16.2. <A
+HREF="advancednetworkmanagement.html#AEN2908"
+>Remote Server Administration</A
+></DT
+><DT
+>16.3. <A
+HREF="advancednetworkmanagement.html#AEN2925"
+>Network Logon Script Magic</A
+></DT
+></DL
+></DIV
+><P
+>This section attempts to document peripheral issues that are of great importance to network
+administrators who want to improve network resource access control, to automate the user
+environment, and to make their lives a little easier.</P
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2870"
+>16.1. Configuring Samba Share Access Controls</A
+></H1
+><P
+>This section deals with how to configure Samba per share access control restrictions.
+By default samba sets no restrictions on the share itself. Restrictions on the share itself
+can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
+connect to a share. In the absence of specific restrictions the default setting is to allow
+the global user <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Everyone</I
+></SPAN
+> Full Control (ie: Full control, Change and Read).</P
+><P
+>At this time Samba does NOT provide a tool for configuring access control setting on the Share
+itself. Samba does have the capacity to store and act on access control settings, but the only
+way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
+Computer Management.</P
+><P
+>Samba stores the per share access control settings in a file called <TT
+CLASS="FILENAME"
+>share_info.tdb</TT
+>.
+The location of this file on your system will depend on how samba was compiled. The default location
+for samba's tdb files is under <TT
+CLASS="FILENAME"
+>/usr/local/samba/var</TT
+>. If the <TT
+CLASS="FILENAME"
+>tdbdump</TT
+>
+utility has been compiled and installed on your system then you can examine the contents of this file
+by: <KBD
+CLASS="USERINPUT"
+>tdbdump share_info.tdb</KBD
+>.</P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2880"
+>16.1.1. Share Permissions Management</A
+></H2
+><P
+>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN2883"
+>16.1.1.1. Windows NT4 Workstation/Server</A
+></H3
+><P
+>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
+Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
+You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P
+><DIV
+CLASS="PROCEDURE"
+><P
+><B
+>Instructions</B
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu
+select Computer, then click on the Shared Directories entry.</P
+></LI
+><LI
+><P
+> Now click on the share that you wish to manage, then click on the Properties tab, next click on
+ the Permissions tab. Now you can Add or change access control settings as you wish.</P
+></LI
+></OL
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN2892"
+>16.1.1.2. Windows 200x/XP</A
+></H3
+><P
+>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native
+tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
+then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Everyone</I
+></SPAN
+> Full Control on the Share.</P
+><P
+>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the
+Microsoft Management Console (MMC). This tool is located by clicking on <TT
+CLASS="FILENAME"
+>Control Panel -&#62;
+Administrative Tools -&#62; Computer Management</TT
+>.</P
+><DIV
+CLASS="PROCEDURE"
+><P
+><B
+>Instructions</B
+></P
+><OL
+TYPE="1"
+><LI
+><P
+> After launching the MMC with the Computer Management snap-in, click on the menu item 'Action',
+ select 'Connect to another computer'. If you are not logged onto a domain you will be prompted
+ to enter a domain login user identifier and a password. This will authenticate you to the domain.
+ If you where already logged in with administrative privilidge this step is not offered.</P
+></LI
+><LI
+><P
+>If the Samba server is not shown in the Select Computer box, then type in the name of the target
+Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+]
+next to 'Shared Folders' in the left panel.</P
+></LI
+><LI
+><P
+>Now in the right panel, double-click on the share you wish to set access control permissions on.
+Then click on the tab 'Share Permissions'. It is now possible to add access control entities
+to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
+wish to assign for each entry.</P
+></LI
+></OL
+></DIV
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
+HSPACE="5"
+ALT="Warning"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Be careful. If you take away all permissions from the Everyone user without removing this user
+then effectively no user will be able to access the share. This is a result of what is known as
+ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone
+will have no access even if this user is given explicit full control access.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2908"
+>16.2. Remote Server Administration</A
+></H1
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>How do I get 'User Manager' and 'Server Manager'?</I
+></SPAN
+></P
+><P
+>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains',
+the 'Server Manager'?</P
+><P
+>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me
+systems. The tools set includes:</P
+><P
+></P
+><UL
+><LI
+><P
+>Server Manager</P
+></LI
+><LI
+><P
+>User Manager for Domains</P
+></LI
+><LI
+><P
+>Event Viewer</P
+></LI
+></UL
+><P
+>Click here to download the archived file <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
+></P
+><P
+>The Windows NT 4.0 version of the 'User Manager for
+Domains' and 'Server Manager' are available from Microsoft via ftp
+from <A
+HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
+TARGET="_top"
+>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
+></P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2925"
+>16.3. Network Logon Script Magic</A
+></H1
+><P
+>This section needs work. Volunteer contributions most welcome. Please send your patches or updates
+to <A
+HREF="mailto:jht@samba.org"
+TARGET="_top"
+>John Terpstra</A
+>.</P
+><P
+>There are several opportunities for creating a custom network startup configuration environment.</P
+><P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>No Logon Script</TD
+></TR
+><TR
+><TD
+>Simple universal Logon Script that applies to all users</TD
+></TR
+><TR
+><TD
+>Use of a conditional Logon Script that applies per user or per group attirbutes</TD
+></TR
+><TR
+><TD
+>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
+ a custom Logon Script and then execute it.</TD
+></TR
+><TR
+><TD
+>User of a tool such as KixStart</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+><P
+>The Samba source code tree includes two logon script generation/execution tools. See <TT
+CLASS="FILENAME"
+>examples</TT
+> directory <TT
+CLASS="FILENAME"
+>genlogon</TT
+> and <TT
+CLASS="FILENAME"
+>ntlogon</TT
+> subdirectories.</P
+><P
+>The following listings are from the genlogon directory.</P
+><P
+>This is the genlogon.pl file:
+
+<PRE
+CLASS="PROGRAMLISTING"
+> #!/usr/bin/perl
+ #
+ # genlogon.pl
+ #
+ # Perl script to generate user logon scripts on the fly, when users
+ # connect from a Windows client. This script should be called from smb.conf
+ # with the %U, %G and %L parameters. I.e:
+ #
+ # root preexec = genlogon.pl %U %G %L
+ #
+ # The script generated will perform
+ # the following:
+ #
+ # 1. Log the user connection to /var/log/samba/netlogon.log
+ # 2. Set the PC's time to the Linux server time (which is maintained
+ # daily to the National Institute of Standard's Atomic clock on the
+ # internet.
+ # 3. Connect the user's home drive to H: (H for Home).
+ # 4. Connect common drives that everyone uses.
+ # 5. Connect group-specific drives for certain user groups.
+ # 6. Connect user-specific drives for certain users.
+ # 7. Connect network printers.
+
+ # Log client connection
+ #($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
+ open LOG, "&#62;&#62;/var/log/samba/netlogon.log";
+ print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
+ close LOG;
+
+ # Start generating logon script
+ open LOGON, "&#62;/shared/netlogon/$ARGV[0].bat";
+ print LOGON "\@ECHO OFF\r\n";
+
+ # Connect shares just use by Software Development group
+ if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
+ {
+ print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
+ }
+
+ # Connect shares just use by Technical Support staff
+ if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
+ {
+ print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
+ }
+
+ # Connect shares just used by Administration staff
+ If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
+ {
+ print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
+ print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
+ }
+
+ # Now connect Printers. We handle just two or three users a little
+ # differently, because they are the exceptions that have desktop
+ # printers on LPT1: - all other user's go to the LaserJet on the
+ # server.
+ if ($ARGV[0] eq 'jim'
+ || $ARGV[0] eq 'yvonne')
+ {
+ print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+ else
+ {
+ print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
+ print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
+ }
+
+ # All done! Close the output file.
+ close LOGON;</PRE
+></P
+><P
+>Those wishing to use more elaborate or capable logon processing system should check out the following sites:</P
+><P
+></P
+><TABLE
+BORDER="0"
+><TBODY
+><TR
+><TD
+>http://www.craigelachie.org/rhacer/ntlogon</TD
+></TR
+><TR
+><TD
+>http://www.kixtart.org</TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="winbind.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="samba-howto-collection.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="policymgmt.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Unified Logons between Windows NT and UNIX using Winbind</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="optional.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>System and Account Policies</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
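Review bot: In the genlogon.pl listing, the Administration staff test is written `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")` with a capital I, so the script as documented will not compile under Perl; it should be `if`. The same listing is documented as running from `root preexec = genlogon.pl %U %G %L`, yet it opens `/shared/netlogon/$ARGV[0].bat` for writing with the two-argument form of open, never validates the user name, and checks the result of neither open call, so a name containing path separators or shell-style open characters would be acted on as root. Suggest restricting $ARGV[0] (and the group and server arguments) to an expected character set before use, switching to three-argument open, and dying on failure, so that readers who copy the listing get a safe starting point. Separately, "Manangement" is misspelled in both the TITLE and the Chapter 16 H1, and the warning IMG SRC points at the build host path /usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif, which will not resolve for readers of the published page.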