Diffstat (limited to 'docs/htmldocs/advancednetworkmanagement.html')
| -rw-r--r-- | docs/htmldocs/advancednetworkmanagement.html | 555 | 
1 files changed, 555 insertions, 0 deletions
| diff --git a/docs/htmldocs/advancednetworkmanagement.html b/docs/htmldocs/advancednetworkmanagement.html new file mode 100644 index 0000000000..a57b74f275 --- /dev/null +++ b/docs/htmldocs/advancednetworkmanagement.html 
@@ -0,0 +1,555 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>Advanced Network Manangement</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="SAMBA Project Documentation" +HREF="samba-howto-collection.html"><LINK +REL="UP" +TITLE="Advanced Configuration" +HREF="optional.html"><LINK +REL="PREVIOUS" +TITLE="Unified Logons between Windows NT and UNIX using Winbind" +HREF="winbind.html"><LINK +REL="NEXT" +TITLE="System and Account Policies" +HREF="policymgmt.html"></HEAD +><BODY +CLASS="CHAPTER" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>SAMBA Project Documentation</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="policymgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="CHAPTER" +><H1 +><A +NAME="ADVANCEDNETWORKMANAGEMENT" +></A +>Chapter 16. Advanced Network Manangement</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>16.1. <A +HREF="advancednetworkmanagement.html#AEN2870" +>Configuring Samba Share Access Controls</A +></DT +><DT +>16.2. <A +HREF="advancednetworkmanagement.html#AEN2908" +>Remote Server Administration</A +></DT +><DT +>16.3. 
<A +HREF="advancednetworkmanagement.html#AEN2925" +>Network Logon Script Magic</A +></DT +></DL +></DIV +><P +>This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier.</P +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2870" +>16.1. Configuring Samba Share Access Controls</A +></H1 +><P +>This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control (ie: Full control, Change and Read).</P +><P +>At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but  the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management.</P +><P +>Samba stores the per share access control settings in a file called <TT +CLASS="FILENAME" +>share_info.tdb</TT +>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <TT +CLASS="FILENAME" +>/usr/local/samba/var</TT +>. If the <TT +CLASS="FILENAME" +>tdbdump</TT +> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <KBD +CLASS="USERINPUT" +>tdbdump share_info.tdb</KBD +>.</P +><DIV +CLASS="SECT2" +><H2 +CLASS="SECT2" +><A +NAME="AEN2880" +>16.1.1. 
Share Permissions Management</A +></H2 +><P +>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN2883" +>16.1.1.1. Windows NT4 Workstation/Server</A +></H3 +><P +>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry.</P +></LI +><LI +><P +>	Now click on the share that you wish to manage, then click on the Properties tab, next click on +	the Permissions tab. Now you can Add or change access control settings as you wish.</P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="SECT3" +><H3 +CLASS="SECT3" +><A +NAME="AEN2892" +>16.1.1.2. Windows 200x/XP</A +></H3 +><P +>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control on the Share.</P +><P +>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). 
This tool is located by clicking on <TT +CLASS="FILENAME" +>Control Panel -> +Administrative Tools -> Computer Management</TT +>.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +>	After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', +	select 'Connect to another computer'. If you are not logged onto a domain you will be prompted +	to enter a domain login user identifier and a password. This will authenticate you to the domain. +	If you where already logged in with administrative privilidge this step is not offered.</P +></LI +><LI +><P +>If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel.</P +></LI +><LI +><P +>Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry.</P +></LI +></OL +></DIV +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. This is a result of what is known as +ACL precidence. 
ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2908" +>16.2. Remote Server Administration</A +></H1 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'?</I +></SPAN +></P +><P +>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'?</P +><P +>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems.  The tools set includes:</P +><P +></P +><UL +><LI +><P +>Server Manager</P +></LI +><LI +><P +>User Manager for Domains</P +></LI +><LI +><P +>Event Viewer</P +></LI +></UL +><P +>Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +></P +><P +>The Windows NT 4.0 version of the 'User Manager for  +Domains' and 'Server Manager' are available from Microsoft via ftp  +from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +></P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2925" +>16.3. Network Logon Script Magic</A +></H1 +><P +>This section needs work. Volunteer contributions most welcome. 
Please send your patches or updates +to <A +HREF="mailto:jht@samba.org" +TARGET="_top" +>John Terpstra</A +>.</P +><P +>There are several opportunities for creating a custom network startup configuration environment.</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>No Logon Script</TD +></TR +><TR +><TD +>Simple universal Logon Script that applies to all users</TD +></TR +><TR +><TD +>Use of a conditional Logon Script that applies per user or per group attirbutes</TD +></TR +><TR +><TD +>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create +	a custom Logon Script and then execute it.</TD +></TR +><TR +><TD +>User of a tool such as KixStart</TD +></TR +></TBODY +></TABLE +><P +></P +><P +>The Samba source code tree includes two logon script generation/execution tools. See <TT +CLASS="FILENAME" +>examples</TT +> directory <TT +CLASS="FILENAME" +>genlogon</TT +> and <TT +CLASS="FILENAME" +>ntlogon</TT +> subdirectories.</P +><P +>The following listings are from the genlogon directory.</P +><P +>This is the genlogon.pl file: + +<PRE +CLASS="PROGRAMLISTING" +>	#!/usr/bin/perl +	# +	# genlogon.pl +	# +	# Perl script to generate user logon scripts on the fly, when users +	# connect from a Windows client.  This script should be called from smb.conf +	# with the %U, %G and %L parameters. I.e: +	# +	#       root preexec = genlogon.pl %U %G %L +	# +	# The script generated will perform +	# the following: +	# +	# 1. Log the user connection to /var/log/samba/netlogon.log +	# 2. Set the PC's time to the Linux server time (which is maintained +	#    daily to the National Institute of Standard's Atomic clock on the +	#    internet. +	# 3. Connect the user's home drive to H: (H for Home). +	# 4. Connect common drives that everyone uses. +	# 5. Connect group-specific drives for certain user groups. +	# 6. Connect user-specific drives for certain users. +	# 7. Connect network printers. 
+ +	# Log client connection +	#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); +	($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); +	open LOG, ">>/var/log/samba/netlogon.log"; +	print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n"; +	close LOG; + +	# Start generating logon script +	open LOGON, ">/shared/netlogon/$ARGV[0].bat"; +	print LOGON "\@ECHO OFF\r\n"; + +	# Connect shares just use by Software Development group +	if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev") +	{ +		print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n"; +	} + +	# Connect shares just use by Technical Support staff +	if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support") +	{ +		print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n"; +	} + +	# Connect shares just used by Administration staff +	If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin") +	{ +		print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n"; +		print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n"; +	} + +	# Now connect Printers.  We handle just two or three users a little +	# differently, because they are the exceptions that have desktop +	# printers on LPT1: - all other user's go to the LaserJet on the +	# server. +	if ($ARGV[0] eq 'jim' +	    || $ARGV[0] eq 'yvonne') +	{ +		print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n"; +		print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; +	} +	else +	{ +		print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n"; +		print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n"; +	} + +	# All done! Close the output file. 
+	close LOGON;</PRE +></P +><P +>Those wishing to use more elaborate or capable logon processing system should check out the following sites:</P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://www.craigelachie.org/rhacer/ntlogon</TD +></TR +><TR +><TD +>http://www.kixtart.org</TD +></TR +></TBODY +></TABLE +><P +></P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="winbind.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="samba-howto-collection.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="policymgmt.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +>Unified Logons between Windows NT and UNIX using Winbind</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="optional.html" +ACCESSKEY="U" +>Up</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>System and Account Policies</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file | 
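Review bot: In the genlogon.pl listing (the PROGRAMLISTING block in section 16.3), the Administration-staff branch opens with a capitalised `If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")`, which Perl does not accept as the `if` keyword, so the script as documented will not compile; it should be lowercase `if`. The header comment of the same listing tells readers to run it as `root preexec = genlogon.pl %U %G %L`, yet the script interpolates `$ARGV[0]` directly into `open LOGON, ">/shared/netlogon/$ARGV[0].bat"` and into the netlogon.log line, and neither `open` checks its return value. Because this runs as root on every connection to the share, the documented version should check the user name against a strict pattern before building the file name, and add `or die` to both opens. Smaller points in the surrounding HTML: "Manangement" is misspelled in both the TITLE and the chapter H1, along with "environmemt", "privilidge", "precidence", "attirbutes" and "If you where already logged in"; the last row of the logon-script options table reads "User of a tool such as KixStart" while the link further down is http://www.kixtart.org; the warning icon's IMG SRC is a build-host path (`/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif`) that will not resolve for readers; and the file is committed without a trailing newline. Since the page is generated by the DocBook stylesheet, the text fixes belong in the SGML source rather than in this HTML.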
