From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Tue, 22 Apr 2008 10:09:40 -0500 Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14) --- .../Samba3-ByExample/SBE-SecureOfficeServer.xml | 2693 ++++++++++++++++++++ 1 file changed, 2693 insertions(+) create mode 100644 docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml (limited to 'docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml') diff --git a/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml b/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml new file mode 100644 index 0000000000..e03c0106b0 --- /dev/null +++ b/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml @@ -0,0 +1,2693 @@ + + + + Secure Office Networking + + + Congratulations, your Samba networking skills are developing nicely. You started out + with three simple networks in , and then in + you designed and built a network that provides a high degree of flexibility, integrity, + and dependability. It was enough for the basic needs each was designed to fulfill. In + this chapter you address a more complex set of needs. The solution you explore + introduces you to basic features that are specific to Samba-3. + + + + You should note that a working and secure solution could be implemented using Samba-2.2.x. + In the exercises presented here, you are gradually using more Samba-3-specific features, + so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. + To avoid confusion, this book is all about Samba-3. Let's get the exercises in this + chapter underway. + + + + Introduction + + + You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work + well done. It is one year since the last network upgrade. You have been quite busy. + Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over + general network management. Soon she will provide primary user support. You have + demonstrated that you can delegate responsibility and can plan and execute according + to that plan. Above all, you have shown Mr. Meany that you are a responsible person. + Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never + expected: You are going to take charge of business operations. Mr. Meany + is retiring and has entrusted the business to your capable hands. + + + + Mr. Meany may be retiring from this company, but not from work. He is taking the + opportunity to develop Abmas Accounting into a larger and more substantial company. + He says that it took him many years to learn that there is no future in just running + a business. He now realizes there is great personal satisfaction in the creation of + career opportunities for people in the local community. He wants to do more for others, + as he is doing for you. Today he spent a lot of time talking about his grand plan + for growth, which you will deal with in the chapters ahead. + + + + Over the past year, the growth projections were exceeded. The network has grown to + meet the needs of 130 users. Along with growth, the demand for improved services + and better functionality has also developed. You are about to make an interim + improvement and then hand over all Help desk and network maintenance to Christine. + Christine has professional certifications in Microsoft Windows as well as in Linux; + she is a hard worker and quite likable. Christine does not want to manage the department + (although she manages well). She gains job satisfaction when left to sort things out. + Occasionally she wants to work with you on a challenging problem. When you told her + about your move, she almost resigned, although she was reassured that a new manager would + be hired to run Information Technology, and she would be responsible only for operations. + + + + Assignment Tasks + + + You promised the staff Internet services including Web browsing, electronic mail, virus + protection, and a company Web site. Christine is eager to help turn the vision into + reality. Let's see how close you can get to the promises made. + + + + The network you are about to deliver will service 130 users today. Within a year, + Abmas will aquire another company. Mr. Meany claims that within 2 years there will be + well over 500 users on the network. You have bought into the big picture, so prepare + for growth. You have purchased a new server and will implement a new network infrastructure. + + + + You have decided to not recycle old network components. The only items that will be + carried forward are notebook computers. You offered staff new notebooks, but not + one person wanted the disruption for what was perceived as a marginal update. + You decided to give everyone, even the notebook user, a new desktop computer. + + + + You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional) + and a 10 Mb/sec ethernet port. You registered the domain + abmas.us, and the Internet Service Provider (ISP) is supplying + secondary DNS. Information furnished by your ISP is shown in . + + + + It is of paramount priority that under no circumstances will Samba offer + service access from an Internet connection. You are paying an ISP to + give, as part of its value-added services, full firewall protection for your + connection to the outside world. The only services allowed in from + the Internet side are the following destination ports: http/https (ports + 80 and 443), email (port 25), DNS (port 53). All Internet traffic + will be allowed out after network address translation (NAT). No internal IP addresses + are permitted through the NAT filter because complete privacy of internal network + operations must be assured. + + + + Abmas.US ISP Information + + + + + + Parameter + Value + + + + + Server IP Address + 123.45.67.66 + + + DSL Device IP Address + 123.45.67.65 + + + Network Address + 123.45.67.64/30 + + + Gateway Address + 123.45.54.65 + + + Primary DNS Server + 123.45.54.65 + + + Secondary DNS Server + 123.45.54.32 + + + Forwarding DNS Server + 123.45.12.23 + + + +
+ +
+ Abmas Network Topology &smbmdash; 130 Users + chap4-net +
+ + + Christine recommended that desktop systems should be installed from a single cloned + master system that has a minimum of locally installed software and loads all software + off a central application server. The benefit of having the central application server + is that it allows single-point maintenance of all business applications, a more + efficient way to manage software. She further recommended installation of antivirus + software on workstations as well as on the Samba server. Christine knows the dangers + of potential virus infection and insists on a comprehensive approach to detective + as well as corrective action to protect network operations. + + + + A significant concern is the problem of managing company growth. Recently, a number + of users had to share a PC while waiting for new machines to arrive. This presented + some problems with desktop computers and software installation into the new users' + desktop profiles. + + + + + + + Dissection and Discussion + + + Many of the conclusions you draw here are obvious. Some requirements are not very clear + or may simply be your means of drawing the most out of Samba-3. Much can be done more simply + than you will demonstrate here, but keep in mind that the network must scale to at least 500 + users. This means that some functionality will be overdesigned for the current 130-user + environment. + + + + Technical Issues + + + In this exercise we use a 24-bit subnet mask for the two local networks. This, + of course, limits our network to a maximum of 253 usable IP addresses. The network + address range chosen is one assigned by RFC1918 for private networks. + When the number of users on the network begins to approach the limit of usable + addresses, it is a good idea to switch to a network address specified in RFC1918 + in the 172.16.0.0/16 range. This is done in subsequent chapters. + + + + tdbsam + smbpasswd + The high growth rates projected are a good reason to use the tdbsam + passdb backend. The use of smbpasswd for the backend may result in + performance problems. The tdbsam passdb backend offers features that + are not available with the older, flat ASCII-based smbpasswd database. + + + + risk + The proposed network design uses a single server to act as an Internet services host for + electronic mail, Web serving, remote administrative access via SSH, + Samba-based file and print services. This design is often chosen by sites that feel + they cannot afford or justify the cost or overhead of having separate servers. It must + be realized that if security of this type of server should ever be violated (compromised), + the whole network and all data is at risk. Many sites continue to choose this type + of solution; therefore, this chapter provides detailed coverage of key implementation + aspects. + + + + Samba will be configured to specifically not operate on the Ethernet interface that is + directly connected to the Internet. + + + + iptables + NAT + Network Address TranslationNAT + firewall + You know that your ISP is providing full firewall services, but you cannot rely on that. + Always assume that human error will occur, so be prepared by using Linux firewall facilities + based on iptables to effect NAT. Block all + incoming traffic except to permitted well-known ports. You must also allow incoming packets + to establish outgoing connections. You will permit all internal outgoing requests. + + + + The configuration of Web serving, Web proxy services, electronic mail, and the details of + generic antivirus handling are beyond the scope of this book and therefore are not + covered except insofar as this affects Samba-3. + + + + login + Notebook computers are configured to use a network login when in the office and a + local account to log in while away from the office. Users store all work done in + transit (away from the office) by using a local share for work files. Standard procedures + dictate that on completion of the work that necessitates mobile file access, all + work files are moved back to secure storage on the office server. Staff is instructed + to not carry on any company notebook computer any files that are not absolutely required. + This is a preventative measure to protect client information as well as private business + records. + + + + application server + All applications are served from the central server from a share called apps. + Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network + (or administrative) installation. Accounting and financial management software can also + be run only from the central application server. Notebook users are provided with + locally installed applications on a need-to-have basis only. + + + + roaming profiles + The introduction of roaming profiles support means that users can move between + desktop computer systems without constraint while retaining full access to their data. + The desktop travels with them as they move. + + + + DNS + The DNS server implementation must now address both internal and external + needs. You forward DNS lookups to your ISP-provided server as well as the + abmas.us external secondary DNS server. + + + + dynamic DNS + DDNSdynamic DNS + DHCP server + Compared with the DHCP server configuration in , , the + configuration used in this example has to deal with the presence of an Internet connection. + The scope set for it ensures that no DHCP services will be offered on the external + connection. All printers are configured as DHCP clients so that the DHCP server assigns + the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional + feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic + DNS (DDNS) operation. + + + + This is the first implementation that depends on a correctly functioning DNS server. + Comprehensive steps are included to provide for a fully functioning DNS server that also + is enabled for DDNS operation. This means that DHCP clients can be autoregistered + with the DNS server. + + + + You are taking the opportunity to manually set the netbios name of the Samba server to + a name other than what will be automatically resolved. You are doing this to ensure that + the machine has the same NetBIOS name on both network segments. + + + + As in the previous network configuration, printing in this network configuration uses + direct raw printing (i.e., no smart printing and no print driver autodownload to Windows + clients). Printer drivers are installed on the Windows client manually. This is not + a problem because Christine is to install and configure one single workstation and + then clone that configuration, using Norton Ghost, to all workstations. Each machine is + identical, so this should pose no problem. + + + + Hardware Requirements + + + memory requirements + This server runs a considerable number of services. From similarly configured Linux + installations, the approximate calculated memory requirements are as shown in + . + + +Estimation of Memory Requirements + +Application Memory per User 130 Users 500 Users + Name (MBytes) Total MBytes Total MBytes +----------- --------------- ------------ ------------ +DHCP 2.5 3 3 +DNS 16.0 16 16 +Samba (nmbd) 16.0 16 16 +Samba (winbind) 16.0 16 16 +Samba (smbd) 4.0 520 2000 +Apache 10.0 (20 User) 200 200 +CUPS 3.5 16 32 +Basic OS 256.0 256 256 + -------------- -------------- + Total: 1043 MBytes 2539 MBytes + -------------- -------------- + + + You should add a safety margin of at least 50% to these estimates. The minimum + system memory recommended for initial startup 1 GB, but to permit the system + to scale to 500 users, it makes sense to provision the machine with 4 GB memory. + An initial configuration with only 1 GB memory would lead to early performance complaints + as the system load builds up. Given the low cost of memory, it does not make sense to + compromise in this area. + + + + bandwidth calculations + Aggregate input/output loads should be considered for sizing network configuration as + well as disk subsystems. For network bandwidth calculations, one would typically use an + estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) + would deliver below acceptable capacity for the initial user load. It is therefore a good + idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached + to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T + switched ports. + + + + network segments + RAID + Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, + the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O + demand that would require a fast disk storage I/O capability. Peak disk throughput is + limited by the disk subsystem chosen. It is desirable to provide the maximum + I/O bandwidth affordable. If a low-cost solution must be chosen, + 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a + 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI + controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). + Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, + it makes sense to purchase well-known, branded hardware that has appropriate performance + specifications. As a minimum, one should attempt to provide a disk subsystem that can + deliver I/O rates of at least 100 MB/sec. + + + + Disk storage requirements may be calculated as shown in . + + +Estimation of Disk Storage Requirements + +Corporate Data: 100 MBytes/user per year +Email Storage: 500 MBytes/user per year +Applications: 5000 MBytes +Safety Buffer: At least 50% + +Given 500 Users and 2 years: +----------------------------- + Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes + Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes + Applications: 5000 MBytes = 5 GBytes + ---------------------------- + Total: 605 GBytes + Add 50% buffer 303 GBytes + Recommended Storage: 908 GBytes + + + storage capacity + The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 + with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. + + + + + + + + + Political Issues + + + Your industry is coming under increasing accountability pressures. Increased paranoia + is necessary so you can demonstrate that you have acted with due diligence. You must + not trust your Internet connection. + + + + Apart from permitting more efficient management of business applications through use of + an application server, your primary reason for the decision to implement this is that it + gives you greater control over software licensing. + + + + Outlook Express + You are well aware that the current configuration results in some performance issues + as the size of the desktop profile grows. Given that users use Microsoft Outlook + Express, you know that the storage implications of the .PST file + is something that needs to be addressed later. + + + + + + + + Implementation + + + demonstrates the overall design of the network that you will implement. + + + + The information presented here assumes that you are already familiar with many basic steps. + As this stands, the details provided already extend well beyond just the necessities of + Samba configuration. This decision is deliberate to ensure that key determinants + of a successful installation are not overlooked. This is the last case that documents + the finite minutiae of DHCP and DNS server configuration. Beyond the information provided + here, there are many other good reference books on these subjects. + + + + The &smb.conf; file has the following noteworthy features: + + + + + The NetBIOS name of the Samba server is set to DIAMOND. + + + + The Domain name is set to PROMISES. + + + + broadcast messages + interfaces + bind interfaces only + Ethernet interface eth0 is attached to the Internet connection + and is externally exposed. This interface is explicitly not available for Samba to use. + Samba listens on this interface for broadcast messages but does not broadcast any + information on eth0, nor does it accept any connections from it. + This is achieved by way of the interfaces parameter and the + bind interfaces only entry. + + + + passdb backend + tdbsam + binary database + The passdb backend parameter specifies the creation and use + of the tdbsam password backend. This is a binary database that + has excellent scalability for a large number of user account entries. + + + + WINS serving + wins support + name resolve order + WINS serving is enabled by the Yes, + and name resolution is set to use it by means of the + wins bcast hosts entry. + + + + time server + The Samba server is configured for use by Windows clients as a time server. + + + + CUPS + printing + printcap name + Samba is configured to directly interface with CUPS via the direct internal interface + that is provided by CUPS libraries. This is achieved with the + CUPS as well as the + CUPS entries. + + + + user management + group management + SRVTOOLS.EXE + External interface scripts are provided to enable Samba to interface smoothly to + essential operating system functions for user and group management. This is important + to enable workstations to join the Domain and is also important so that you can use + the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools + are provided as part of the SRVTOOLS.EXE toolkit that can be + downloaded from the Microsoft FTP + site. + + + + User Mode + The &smb.conf; file specifies that the Samba server will operate in (default) + security = user modeSee TOSHARG2, Chapter 3. + This is necessary so that Samba can act as a Domain Controller (PDC); see + TOSHARG2, Chapter 4, for additional information. + (User Mode). + + + + logon services + logon script + Domain logon services as well as a Domain logon script are specified. The logon script + will be used to add robustness to the overall network configuration. + + + + roaming profiles + logon path + profile share + Roaming profiles are enabled through the specification of the parameter, + \\%L\profiles\%U. The value of this parameter translates the + %L to the name by which the Samba server is called by the client (for this + configuration, it translates to the name DIAMOND), and the %U + will translate to the name of the user within the context of the connection made to the profile share. + It is the administrator's responsibility to ensure there is a directory in the root of the + profile share for each user. This directory must be owned by the user also. An exception to this + requirement is when a profile is created for group use. + + + + virus + opportunistic locking + Precautionary veto is effected for particular Windows file names that have been targeted by + virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking + controls. This should help to prevent lock contention-related file access problems. + + + + Every user has a private home directory on the UNIX/Linux host. This is mapped to + a network drive that is the same for all users. + + + + + + The configuration of the server is the most complex so far. The following steps are used: + + + + + Basic System Configuration + + + + Samba Configuration + + + + DHCP and DNS Server Configuration + + + + Printer Configuration + + + + Process Start-up Configuration + + + + Validation + + + + Application Share Configuration + + + + Windows Client Configuration + + + + + The following sections cover each step in logical and defined detail. + + + + Basic System Configuration + + + SUSE Enterprise Linux Server + The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been + freshly installed. It prepares basic files so that the system is ready for comprehensive + operation in line with the network diagram shown in . + + + + Server Configuration Steps + + + hostname + Using the UNIX/Linux system tools, name the server server.abmas.us. + Verify that your hostname is correctly set by running: + +&rootprompt; uname -n +server + + An alternate method to verify the hostname is: + +&rootprompt; hostname -f +server.abmas.us + + + + + /etc/hosts + localhost + Edit your /etc/hosts file to include the primary names and addresses + of all network interfaces that are on the host server. This is necessary so that during + startup the system can resolve all its own names to the IP address prior to + startup of the DNS server. An example of entries that should be in the + /etc/hosts file is: + +127.0.0.1 localhost +192.168.1.1 sleeth1.abmas.biz sleeth1 diamond +192.168.2.1 sleeth2.abmas.biz sleeth2 +123.45.67.66 server.abmas.us server + + You should check the startup order of your system. If the CUPS print server is started before + the DNS server (named), you should also include an entry for the printers + in the /etc/hosts file, as follows: + +192.168.1.20 qmsa.abmas.biz qmsa +192.168.1.30 hplj6a.abmas.biz hplj6a +192.168.2.20 qmsf.abmas.biz qmsf +192.168.2.30 hplj6f.abmas.biz hplj6f + + named + cupsd + daemon + The printer entries are not necessary if named is started prior to + startup of cupsd, the CUPS daemon. + + + + /etc/rc.d/boot.local + IP forwarding + /proc/sys/net/ipv4/ip_forward + The host server is acting as a router between the two internal network segments as well + as for all Internet access. This necessitates that IP forwarding be enabled. This can be + achieved by adding to the /etc/rc.d/boot.local an entry as follows: + +echo 1 > /proc/sys/net/ipv4/ip_forward + + To ensure that your kernel is capable of IP forwarding during configuration, you may + wish to execute that command manually also. This setting permits the Linux system to + act as a router.You may want to do the echo command last and include + "0" in the init scripts, since it opens up your network for a short time. + + + + firewall + abmas-netfw.sh + Installation of a basic firewall and NAT facility is necessary. + The following script can be installed in the /usr/local/sbin + directory. It is executed from the /etc/rc.d/boot.local startup + script. In your case, this script is called abmas-netfw.sh. The + script contents are shown in . + + +NAT Firewall Configuration Script + +#!/bin/sh +echo -e "\n\nLoading NAT firewall.\n" +IPTABLES=/usr/sbin/iptables +EXTIF="eth0" +INTIFA="eth1" +INTIFB="eth2" + +/sbin/depmod -a +/sbin/modprobe ip_tables +/sbin/modprobe ip_conntrack +/sbin/modprobe ip_conntrack_ftp +/sbin/modprobe iptable_nat +/sbin/modprobe ip_nat_ftp +$IPTABLES -P INPUT DROP +$IPTABLES -F INPUT +$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -F OUTPUT +$IPTABLES -P FORWARD DROP +$IPTABLES -F FORWARD + +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A INPUT -i $INTIFA -j ACCEPT +$IPTABLES -A INPUT -i $INTIFB -j ACCEPT +$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT +# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS +for i in 22 25 53 80 443 +do + $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT +done +# Allow DNS(udp) +$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT +echo "Allow all connections OUT and only existing and specified ones IN" +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \ + --state ESTABLISHED,RELATED -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT +$IPTABLES -A FORWARD -j LOG +echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" +$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE +echo "1" > /proc/sys/net/ipv4/ip_forward +echo -e "\nNAT firewall done.\n" + + + + + + Execute the following to make the script executable: + +&rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh + + You must now edit /etc/rc.d/boot.local to add an entry + that runs your abmas-natfw.sh script. The following + entry works for you: + +#! /bin/sh +# +# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. +# All rights reserved. +# +# Author: Werner Fink, 1996 +# Burchard Steinbild, 1996 +# +# /etc/init.d/boot.local +# +# script with local commands to be executed from init on system startup +# +# Here you should add things that should happen directly after booting +# before we're going to the first run level. +# +/usr/local/sbin/abmas-natfw.sh + + + + + + /etc/hosts + The server is now ready for Samba configuration. During the validation step, you remove + the entry for the Samba server diamond from the /etc/hosts + file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. + + + + + + Samba Configuration + + + When you have completed this section, the Samba server is ready for testing and validation; + however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have + been configured. + + + + Samba Configuration Steps + + + Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary + RPM file is called samba-3.0.20-1.i386.rpm, one way to install this + file is as follows: + +&rootprompt; rpm -Uvh samba-3.0.20-1.i386.rpm + + This operation must be performed while logged in as the root user. + Successful operation is clearly indicated. If this installation should fail for any reason, + refer to the operating system manufacturer's documentation for guidance. + + + + Install the &smb.conf; file shown in , , + and . Concatenate (join) all three files to make a single &smb.conf; + file. The final, fully qualified path for this file should be /etc/samba/smb.conf. + + +130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section + +Global parameters + +PROMISES +DIAMOND +eth1, eth2, lo +Yes +tdbsam +Yes +/usr/bin/passwd %u +*New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed* +/etc/samba/smbusers +Yes +1 +0 +/var/log/samba/%m +50 +139 +wins bcast hosts +Yes +CUPS +No +/usr/sbin/useradd -m '%u' +/usr/sbin/userdel -r '%u' +/usr/sbin/groupadd '%g' +/usr/sbin/groupdel '%g' +/usr/sbin/usermod -G '%g' '%u' +/usr/sbin/useradd -s /bin/false -d /tmp '%u' +/var/lib/samba/scripts/shutdown.sh +/sbin/shutdown -c +scripts\logon.bat +\\%L\profiles\%U +X: +\\%L\%U +Yes +Yes +Yes +Yes +Yes +cups +Raw +/*.eml/*.nws/*.{*}/ +/*.doc/*.xls/*.mdb/ + + + + +130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A + + +Home Directories +%S +No +No + + +SMB Print Spool +/var/spool/samba +Yes +Yes +Yes +Yes +No + + +Network Logon Service +/var/lib/samba/netlogon +Yes +No + + +Profile Share +/var/lib/samba/profiles +No +Yes + + +Accounting Files +/data/accounts +No + + + + +130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B + + +Financial Services Files +/data/service +No + + +Property Insurance Files +/data/pidata +No + + +Application Files +/apps +Yes +bjordan + + + + + + administrator + smbpasswd + + Add the root user to the password backend as follows: + +&rootprompt; smbpasswd -a root +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +&rootprompt; + + The root account is the UNIX equivalent of the Windows Domain Administrator. + This account is essential in the regular maintenance of your Samba server. It must never be + deleted. If for any reason the account is deleted, you may not be able to recreate this account + without considerable trouble. + + + + username map + Create the username map file to permit the root account to be called + Administrator from the Windows network environment. To do this, create + the file /etc/samba/smbusers with the following contents: + +#### +# User mapping file +#### +# File Format +# ----------- +# Unix_ID = Windows_ID +# +# Examples: +# root = Administrator +# janes = "Jane Smith" +# jimbo = Jim Bones +# +# Note: If the name contains a space it must be double quoted. +# In the example above the name 'jimbo' will be mapped to Windows +# user names 'Jim' and 'Bones' because the space was not quoted. +####################################################################### +root = Administrator +#### +# End of File +#### + + + + + initGrps.sh + netgroupmapadd + netgroupmapmodify + netgroupmaplist + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in , + . Create a file containing this script. We called ours + /etc/samba/initGrps.sh. Set this file so it can be executed, + and then execute the script. Sample output should be as follows: + + +Script to Map Windows NT Groups to UNIX Groups +initGrps.sh + +#!/bin/bash +# +# initGrps.sh +# + +# Create UNIX groups +groupadd acctsdep +groupadd finsrvcs + +# Map Windows Domain Groups to UNIX groups +net groupmap add ntgroup="Domain Admins" unixgroup=root type=d +net groupmap add ntgroup="Domain Users" unixgroup=users type=d +net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d + +# Add Functional Domain Groups +net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d +net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d +net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d + +# Map Windows NT machine local groups to local UNIX groups +# Mapping of local groups is not necessary and not functional +# for this installation. + + + + +&rootprompt; chmod 755 initGrps.sh +&rootprompt; /etc/samba # ./initGrps.sh +Updated mapping entry for Domain Admins +Updated mapping entry for Domain Users +Updated mapping entry for Domain Guests +No rid or sid specified, choosing algorithmic mapping +Successfully added group Accounts Dept to the mapping db +No rid or sid specified, choosing algorithmic mapping +Successfully added group Domain Guests to the mapping db + +&rootprompt; /etc/samba # net groupmap list | sort +Account Operators (S-1-5-32-548) -> -1 +Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep +Administrators (S-1-5-32-544) -> -1 +Backup Operators (S-1-5-32-551) -> -1 +Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root +Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody +Domain Users (S-1-5-21-179504-2437109-488451-513) -> users +Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs +Guests (S-1-5-32-546) -> -1 +Power Users (S-1-5-32-547) -> -1 +Print Operators (S-1-5-32-550) -> -1 +Replicators (S-1-5-32-552) -> -1 +System Operators (S-1-5-32-549) -> -1 +Users (S-1-5-32-545) -> -1 + + + + + useradd + adduser + passwd + smbpasswd + /etc/passwd + passwordbackend + usermanagement + There is one preparatory step without which you will not have a working Samba + network environment. You must add an account for each network user. + For each user who needs to be given a Windows Domain account, make an entry in the + /etc/passwd file as well as in the Samba password backend. + Use the system tool of your choice to create the UNIX system account, and use the Samba + smbpasswd to create a Domain user account. + There are a number of tools for user management under UNIX, such as + useradd, and adduser, as well as a plethora of custom + tools. You also want to create a home directory for each user. + You can do this by executing the following steps for each user: + +&rootprompt; useradd -m username +&rootprompt; passwd username +Changing password for username. +New password: XXXXXXXX +Re-enter new password: XXXXXXXX +Password changed +&rootprompt; smbpasswd -a username +New SMB password: XXXXXXXX +Retype new SMB password: XXXXXXXX +Added user username. + + You do of course use a valid user login ID in place of username. + + + + file systemaccess control + file systempermissions + group membership + Using the preferred tool for your UNIX system, add each user to the UNIX groups created + previously as necessary. File system access control will be based on UNIX group membership. + + + + Create the directory mount point for the disk subsystem that can be mounted to provide + data storage for company files. In this case the mount point is indicated in the &smb.conf; + file is /data. Format the file system as required, and mount the formatted + file system partition using appropriate system tools. + + + + file systempermissions + Create the top-level file storage directories for data and applications as follows: + +&rootprompt; mkdir -p /data/{accounts,finsrvcs} +&rootprompt; mkdir -p /apps +&rootprompt; chown -R root:root /data +&rootprompt; chown -R root:root /apps +&rootprompt; chown -R bjordan:acctsdep /data/accounts +&rootprompt; chown -R bjordan:finsrvcs /data/finsrvcs +&rootprompt; chmod -R ug+rwxs,o-rwx /data +&rootprompt; chmod -R ug+rwx,o+rx-w /apps + + Each department is responsible for creating its own directory structure within the departmental + share. The directory root of the accounts share is /data/accounts. + The directory root of the finsvcs share is /data/finsvcs. + The /apps directory is the root of the apps share + that provides the application server infrastructure. + + + + The &smb.conf; file specifies an infrastructure to support roaming profiles and network + logon services. You can now create the file system infrastructure to provide the + locations on disk that these services require. Adequate planning is essential, + since desktop profiles can grow to be quite large. For planning purposes, a minimum of + 200 MB of storage should be allowed per user for profile storage. The following + commands create the directory infrastructure needed: + +&rootprompt; mkdir -p /var/spool/samba +&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles} +&rootprompt; chown -R root:root /var/spool/samba +&rootprompt; chown -R root:root /var/lib/samba +&rootprompt; chmod a+rwxt /var/spool/samba +&rootprompt; chmod 2775 /var/lib/samba/profiles +&rootprompt; chgrp users /var/lib/samba/profiles + + For each user account that is created on the system, the following commands should be + executed: + +&rootprompt; mkdir /var/lib/samba/profiles/'username' +&rootprompt; chown 'username':users /var/lib/samba/profiles/'username' +&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' + + + + + logon scrip + unix2dos + dos2unix + Create a logon script. It is important that each line is correctly terminated with + a carriage return and line-feed combination (i.e., DOS encoding). The following procedure + works if the right tools (unix2dos and dos2unix) are installed. + First, create a file called /var/lib/samba/netlogon/scripts/logon.bat.unix + with the following contents: + +net time \\diamond /set /yes +net use h: /home +net use p: \\diamond\apps + + Convert the UNIX file to a DOS file using the unix2dos as shown here: + +&rootprompt; unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \ + > /var/lib/samba/netlogon/scripts/logon.bat + + + + + + + + Configuration of DHCP and DNS Servers + + + DHCP services are a basic component of the entire network client installation. DNS operation is + foundational to Internet access as well as to trouble-free operation of local networking. When + you have completed this section, the server should be ready for solid duty operation. + + + + DHCP and DNS Server Configuration Steps + + + /etc/dhcpd.conf + Create a file called /etc/dhcpd.conf with the contents as + shown in . + + +DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename> + +# Abmas Accounting Inc. +default-lease-time 86400; +max-lease-time 172800; +default-lease-time 86400; +option ntp-servers 192.168.1.1; +option domain-name "abmas.biz"; +option domain-name-servers 192.168.1.1, 192.168.2.1; +option netbios-name-servers 192.168.1.1, 192.168.2.1; +option netbios-node-type 8; ### Node type = Hybrid ### +ddns-updates on; ### Dynamic DNS enabled ### +ddns-update-style interim; + +subnet 192.168.1.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.1.128 192.168.1.254; + option subnet-mask 255.255.255.0; + option routers 192.168.1.1; + allow unknown-clients; + host qmsa { + hardware ethernet 08:00:46:7a:35:e4; + fixed-address 192.168.1.20; + } + host hplj6a { + hardware ethernet 00:03:47:cb:81:e0; + fixed-address 192.168.1.30; + } + } +subnet 192.168.2.0 netmask 255.255.255.0 { + range dynamic-bootp 192.168.2.128 192.168.2.254; + option subnet-mask 255.255.255.0; + option routers 192.168.2.1; + allow unknown-clients; + host qmsf { + hardware ethernet 01:04:31:db:e1:c0; + fixed-address 192.168.1.20; + } + host hplj6f { + hardware ethernet 00:03:47:cf:83:e2; + fixed-address 192.168.2.30; + } + } +subnet 127.0.0.0 netmask 255.0.0.0 { + } +subnet 123.45.67.64 netmask 255.255.255.252 { + } + + + + + + /etc/named.conf + Create a file called /etc/named.conf that has the combined contents + of the , , and + files that are concatenated (merged) in this + specific order. + + + + Create the files shown in their respective directories as shown in DNS + (named) Resource Files. + + + DNS (named) Resource Files + + + + + + Reference + File Location + + + + + + /var/lib/named/localhost.zone + + + + /var/lib/named/127.0.0.zone + + + + /var/lib/named/root.hint + + + + /var/lib/named/master/abmas.biz.hosts + + + + /var/lib/named/abmas.us.hosts + + + + /var/lib/named/192.168.1.0.rev + + + + /var/lib/named/192.168.2.0.rev + + + +
+ + +DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section +/etc/named.conf + +### +# Abmas Biz DNS Control File +### +# Date: November 15, 2003 +### +options { + directory "/var/lib/named"; + forwarders { + 123.45.12.23; + }; + forward first; + listen-on { + mynet; + }; + auth-nxdomain yes; + multiple-cnames yes; + notify no; +}; + +zone "." in { + type hint; + file "root.hint"; +}; + +zone "localhost" in { + type master; + file "localhost.zone"; +}; + +zone "0.0.127.in-addr.arpa" in { + type master; + file "127.0.0.zone"; +}; + +acl mynet { + 192.168.1.0/24; + 192.168.2.0/24; + 127.0.0.1; +}; + +acl seconddns { + 123.45.54.32; +}; + + + + + +DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section + +zone "abmas.biz" { + type master; + file "/var/lib/named/master/abmas.biz.hosts"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "abmas.us" { + type master; + file "/var/lib/named/master/abmas.us.hosts"; + allow-query { + any; + }; + allow-transfer { + seconddns; + }; +}; + + + + +DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section + +zone "1.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.1.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + +zone "2.168.192.in-addr.arpa" { + type master; + file "/var/lib/named/master/192.168.2.0.rev"; + allow-query { + mynet; + }; + allow-transfer { + mynet; + }; + allow-update { + mynet; + }; +}; + + + + +DNS 192.168.1 Reverse Zone File + +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth1.abmas.biz. +$ORIGIN 1.168.192.in-addr.arpa. +1 PTR sleeth1.abmas.biz. +20 PTR qmsa.abmas.biz. +30 PTR hplj6a.abmas.biz. + + + + +DNS 192.168.2 Reverse Zone File + +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( + 2003021825 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS sleeth2.abmas.biz. +$ORIGIN 2.168.192.in-addr.arpa. +1 PTR sleeth2.abmas.biz. +20 PTR qmsf.abmas.biz. +30 PTR hplj6f.abmas.biz. + + + + +DNS Abmas.biz Forward Zone File + +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.biz. + MX 10 mail.abmas.biz. +$ORIGIN abmas.biz. +sleeth1 A 192.168.1.1 +sleeth2 A 192.168.2.1 +qmsa A 192.168.1.20 +hplj6a A 192.168.1.30 +qmsf A 192.168.2.20 +hplj6f A 192.168.2.30 +dns CNAME sleeth1 +diamond CNAME sleeth1 +mail CNAME sleeth1 + + + + +DNS Abmas.us Forward Zone File + +$ORIGIN . +$TTL 38400 ; 10 hours 40 minutes +abmas.us IN SOA server.abmas.us. root.abmas.us. ( + 2003021833 ; serial + 10800 ; refresh (3 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 38400 ; minimum (10 hours 40 minutes) + ) + NS dns.abmas.us. + NS dns2.abmas.us. + MX 10 mail.abmas.us. +$ORIGIN abmas.us. +server A 123.45.67.66 +dns2 A 123.45.54.32 +gw A 123.45.67.65 +www CNAME server +mail CNAME server +dns CNAME server + + + + + + + /etc/resolv.conf + name resolution + + All DNS name resolution should be handled locally. To ensure that the server is configured + correctly to handle this, edit /etc/resolv.conf to have the following + content: + +search abmas.us abmas.biz +nameserver 127.0.0.1 +nameserver 123.45.54.23 + + + DNS server + + This instructs the name resolver function (when configured correctly) to ask the DNS server + that is running locally to resolve names to addresses. In the event that the local name server + is not available, ask the name server provided by the ISP. The latter, of course, does not resolve + purely local names to IP addresses. + + + + /etc/nsswitch.conf + The final step is to edit the /etc/nsswitch.conf file. + This file controls the operation of the various resolver libraries that are part of the Linux + Glibc libraries. Edit this file so that it contains the following entries: + +hosts: files dns wins + + + + + + The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, + there are a few more steps along the road. First, configure the print spooling and print + processing system. Then you can configure the server so that all services + start automatically on reboot. You must also manually start all services prior to validation testing. + + + + + + Printer Configuration + + + Network administrators who are new to CUPS based-printing typically experience some difficulty mastering + its powerful features. The steps outlined in this section are designed to navigate around the distractions + of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a + transparent print queue that performs no filtering, and only minimal handling of each print job that is + submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that + the correct printer driver must be installed on all clients. + + + + Printer Configuration Steps + + + Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines. + + + + Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. + Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the + port as necessary in the following example commands. + This allows the CUPS spooler to print using raw mode protocols. + CUPS + raw printing + + + + CUPSqueue + lpadmin + + Configure the CUPS Print Queues as follows: + +&rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E +&rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E +&rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E +&rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E + + print filter + This creates the necessary print queues with no assigned print filter. + + + + enable + + Print queues may not be enabled at creation. Use lpc stat to check + the status of the print queues and, if necessary, make certain that the queues you have + just created are enabled by executing the following: + +&rootprompt; /usr/bin/enable qmsa +&rootprompt; /usr/bin/enable hplj6a +&rootprompt; /usr/bin/enable qmsf +&rootprompt; /usr/bin/enable hplj6f + + + + + accept + + Even though your print queues may be enabled, it is still possible that they + are not accepting print jobs. A print queue services incoming printing + requests only when configured to do so. Ensure that your print queues are + set to accept incoming jobs by executing the following commands: + +&rootprompt; /usr/sbin/accept qmsa +&rootprompt; /usr/sbin/accept hplj6a +&rootprompt; /usr/sbin/accept qmsf +&rootprompt; /usr/sbin/accept hplj6f + + + + + mime type + /etc/mime.convs + application/octet-stream + Edit the file /etc/cups/mime.convs to uncomment the line: + +application/octet-stream application/vnd.cups-raw 0 - + + + + + /etc/mime.types + Edit the file /etc/cups/mime.types to uncomment the line: + +application/octet-stream + + + + + Printing drivers are installed on each network client workstation. + + + + + Note: If the parameter cups options = Raw is specified in the &smb.conf; file, + the last two steps can be omitted with CUPS version 1.1.18, or later. + + + + The UNIX system print queues have been configured and are ready for validation testing. + + + + + + Process Startup Configuration + + + chkconfig + There are two essential steps to process startup configuration. First, the process + must be configured so that it automatically restarts each time the server + is rebooted. This step involves use of the chkconfig tool that + creates the appropriate symbolic links from the master daemon control file that is + located in the /etc/rc.d directory, to the /etc/rc'x'.d + directories. Links are created so that when the system run level is changed, the + necessary start or kill script is run. + + + + /etc/xinetd.d + inetd + xinetd + chkconfig + super daemon + In the event that a service is not run as a daemon, but via the internetworking + super daemon (inetd or xinetd), then the chkconfig + tool makes the necessary entries in the /etc/xinetd.d directory + and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to + re-read its control files. + + + + Last, each service must be started to permit system validation to proceed. + + + + + Use the standard system tool to configure each service to restart + automatically at every system reboot. For example, + chkconfig + +&rootprompt; chkconfig dhpcd on +&rootprompt; chkconfig named on +&rootprompt; chkconfig cups on +&rootprompt; chkconfig smb on + + + + + starting dhcpd + starting samba + starting CUPS + Now start each service to permit the system to be validated. + Execute each of the following in the sequence shown: + + +&rootprompt; /etc/rc.d/init.d/dhcpd restart +&rootprompt; /etc/rc.d/init.d/named restart +&rootprompt; /etc/rc.d/init.d/cups restart +&rootprompt; /etc/rc.d/init.d/smb restart + + + + + + + + Validation + + + validation + Complex networking problems are most often caused by simple things that are poorly or incorrectly + configured. The validation process adopted here should be followed carefully; it is the result of the + experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should + refrain from taking shortcuts, from making basic assumptions, and from not exercising due process + and diligence in network validation. By thoroughly testing and validating every step in the process + of network installation and configuration, you can save yourself from sleepless nights and restless + days. A well debugged network is a foundation for happy network users and network administrators. + Later in this book you learn how to make users happier. For now, it is enough to learn to + validate. Let's get on with it. + + + + Server Validation Steps + + + /etc/nsswitch.conf + One of the most important facets of Samba configuration is to ensure that + name resolution functions correctly. You can check name resolution + with a few simple tests. The most basic name resolution is provided from the + /etc/hosts file. To test its operation, make a + temporary edit to the /etc/nsswitch.conf file. Using + your favorite editor, change the entry for hosts to read: + +hosts: files + + When you have saved this file, execute the following command: + +&rootprompt; ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. +64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms + +--- sleeth1.abmas.biz ping statistics --- +4 packets transmitted, 4 received, 0% packet loss, time 3016ms +rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms + + This proves that name resolution via the /etc/hosts file + is working. + + + + /etc/nsswitch.conf + So far, your installation is going particularly well. In this step we validate + DNS server and name resolution operation. Using your favorite UNIX system editor, + change the /etc/nsswitch.conf file so that the + hosts entry reads: + +hosts: dns + + + + + named + Before you test DNS operation, it is a good idea to verify that the DNS server + is running by executing the following: + +&rootprompt; ps ax | grep named + 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log + 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named + 2552 pts/2 S 0:00 grep named + + This means that we are ready to check DNS operation. Do so by executing: + ping + +&rootprompt; ping diamond +PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. +64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms +64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms + +--- sleeth1.abmas.biz ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 999ms +rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms + + You should take a few more steps to validate DNS server operation, as follows: + +&rootprompt; host -f diamond.abmas.biz +sleeth1.abmas.biz has address 192.168.1.1 + + /etc/hosts + You may now remove the entry called diamond from the + /etc/hosts file. It does not hurt to leave it there, + but its removal reduces the number of administrative steps for this name. + + + + /etc/nsswitch.conf + WINS is a great way to resolve NetBIOS names to their IP address. You can test + the operation of WINS by starting nmbd (manually or by way + of the Samba startup method shown in ). You must edit + the /etc/nsswitch.conf file so that the hosts + entry is as follows: + +hosts: wins + + The next step is to make certain that Samba is running using ps ax | grep mbd. + The nmbd daemon will provide the WINS name resolution service when the + &smb.conf; file [global] parameter Yes has been specified. Having validated that Samba is operational, + excute the following: + +&rootprompt; ping diamond +PING diamond (192.168.1.1) 56(84) bytes of data. +64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms +64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms + + ping + Now that you can relax with the knowledge that all three major forms of name + resolution to IP address resolution are working, edit the /etc/nsswitch.conf + again. This time you add all three forms of name resolution to this file. + Your edited entry for hosts should now look like this: + +hosts: files dns wins + + The system is looking good. Let's move on. + + + + It would give you peace of mind to know that the DHCP server is running + and available for service. You can validate DHCP services by running: + + +&rootprompt; ps ax | grep dhcp + 2618 ? S 0:00 /usr/sbin/dhcpd ... + 8180 pts/2 S 0:00 grep dhcp + + This shows that the server is running. The proof of whether or not it is working + comes when you try to add the first DHCP client to the network. + + + + testparm + This is a good point at which to start validating Samba operation. You are + content that name resolution is working for basic TCP/IP needs. Let's move on. + If your &smb.conf; file has bogus options or parameters, this may cause Samba + to refuse to start. The first step should always be to validate the contents + of this file by running: + +&rootprompt; testparm -s +Load smb config files from smb.conf +Processing section "[homes]" +Processing section "[printers]" +Processing section "[netlogon]" +Processing section "[profiles]" +Processing section "[accounts]" +Processing section "[service]" +Processing section "[apps]" +Loaded services file OK. +# Global parameters +[global] + workgroup = PROMISES + netbios name = DIAMOND + interfaces = eth1, eth2, lo + bind interfaces only = Yes + passdb backend = tdbsam + pam password change = Yes + passwd program = /usr/bin/passwd '%u' + passwd chat = *New*Password* %n\n \ + *Re-enter*new*password* %n\n *Password*changed* + username map = /etc/samba/smbusers + unix password sync = Yes + log level = 1 + syslog = 0 + log file = /var/log/samba/%m + max log size = 50 + smb ports = 139 + name resolve order = wins bcast hosts + time server = Yes + printcap name = CUPS + show add printer wizard = No + add user script = /usr/sbin/useradd -m '%u' + delete user script = /usr/sbin/userdel -r '%u' + add group script = /usr/sbin/groupadd '%g' + delete group script = /usr/sbin/groupdel '%g' + add user to group script = /usr/sbin/usermod -G '%g' '%u' + add machine script = /usr/sbin/useradd \ + -s /bin/false -d /dev/null '%u' + shutdown script = /var/lib/samba/scripts/shutdown.sh + abort shutdown script = /sbin/shutdown -c + logon script = scripts\logon.bat + logon path = \\%L\profiles\%U + logon drive = X: + logon home = \\%L\%U + domain logons = Yes + preferred master = Yes + wins support = Yes + utmp = Yes + winbind use default domain = Yes + map acl inherit = Yes + cups options = Raw + veto files = /*.eml/*.nws/*.{*}/ + veto oplock files = /*.doc/*.xls/*.mdb/ + +[homes] + comment = Home Directories + valid users = %S + read only = No + browseable = No +... +### Remainder cut to save space ### + + Clear away all errors before proceeding. + + + + check samba daemons + smbd + nmbd + winbindd + Check that the Samba server is running: + +&rootprompt; ps ax | grep mbd +14244 ? S 0:00 /usr/sbin/nmbd -D +14245 ? S 0:00 /usr/sbin/nmbd -D +14290 ? S 0:00 /usr/sbin/smbd -D + +$rootprompt; ps ax | grep winbind +14293 ? S 0:00 /usr/sbin/winbindd -B +14295 ? S 0:00 /usr/sbin/winbindd -B + + The winbindd daemon is running in split mode (normal), so there are also + two instancesFor more information regarding winbindd, see TOSHARG2, + Chapter 23, Section 23.3. The single instance of smbd is normal. One additional + smbd slave process is spawned for each SMB/CIFS client + connection. of it. + + + + anonymous + connection + + smbclient + + Check that an anonymous connection can be made to the Samba server: + +&rootprompt; smbclient -L localhost -U% + + Sharename Type Comment + --------- ---- ------- + IPC$ IPC IPC Service (Samba 3.0.20) + netlogon Disk Network Logon Service + profiles Disk Profile Share + accounts Disk Accounting Files + service Disk Financial Services Files + apps Disk Application Files + ADMIN$ IPC IPC Service (Samba 3.0.20) + hplj6a Printer hplj6a + hplj6f Printer hplj6f + qmsa Printer qmsa + qmsf Printer qmsf + + Server Comment + --------- ------- + DIAMOND Samba 3.0.20 + + Workgroup Master + --------- ------- + PROMISES DIAMOND + + This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent + of browsing the server from a Windows client to obtain a list of shares on the server. + The -U% argument means to send a NULL username and + a NULL password. + + + + dhcp client validation + printer validation + arp + Verify that each printer has the IP address assigned in the DHCP server configuration file. + The easiest way to do this is to ping the printer name. Immediately after the ping response + has been received, execute arp -a to find the MAC address of the printer + that has responded. Now you can compare the IP address and the MAC address of the printer + with the configuration information in the /etc/dhcpd.conf file. They + should, of course, match. For example, + +&rootprompt; ping hplj6 +PING hplj6a (192.168.1.30) 56(84) bytes of data. +64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms + +&rootprompt; arp -a +hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0 + + + /etc/dhcpd.conf + + The MAC address 00:03:47:CB:81:E0 matches that specified for the + IP address from which the printer has responded and with the entry for it in the + /etc/dhcpd.conf file. Repeat this for each printer configured. + + + + authenticated connection + Make an authenticated connection to the server using the smbclient tool: + +&rootprompt; smbclient //diamond/accounts -U gholmes +Password: XXXXXXX +smb: \> dir + . D 0 Thu Nov 27 15:07:09 2003 + .. D 0 Sat Nov 15 17:40:50 2003 + zakadmin.exe 161424 Thu Nov 27 15:06:52 2003 + zak.exe 6066384 Thu Nov 27 15:06:52 2003 + dhcpd.conf 1256 Thu Nov 27 15:06:52 2003 + smb.conf 2131 Thu Nov 27 15:06:52 2003 + initGrps.sh A 1089 Thu Nov 27 15:06:52 2003 + POLICY.EXE 86542 Thu Nov 27 15:06:52 2003 + + 55974 blocks of size 65536. 33968 blocks available +smb: \> q + + + + + nmap + Your new server is connected to an Internet-accessible connection. Before you start + your firewall, you should run a port scanner against your system. You should repeat that + after the firewall has been started. This helps you understand to what extent the + server may be vulnerable to external attack. One way you can do this is by using an + external service, such as the DSL Reports + tools. Alternately, if you can gain root-level access to a remote + UNIX/Linux system that has the nmap tool, you can run the following: + +&rootprompt; nmap -v -sT server.abmas.us + +Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 6000/tcp +Adding open port 873/tcp +Adding open port 445/tcp +Adding open port 10000/tcp +Adding open port 901/tcp +Adding open port 631/tcp +Adding open port 25/tcp +Adding open port 111/tcp +Adding open port 32770/tcp +Adding open port 3128/tcp +Adding open port 53/tcp +Adding open port 80/tcp +Adding open port 443/tcp +Adding open port 139/tcp +Adding open port 22/tcp +The Connect() Scan took 0 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1587 ports scanned but not shown below are in state: closed) +Port State Service +22/tcp open ssh +25/tcp open smtp +53/tcp open domain +80/tcp open http +111/tcp open sunrpc +139/tcp open netbios-ssn +443/tcp open https +445/tcp open microsoft-ds +631/tcp open ipp +873/tcp open rsync +901/tcp open samba-swat +3128/tcp open squid-http +6000/tcp open X11 +10000/tcp open snet-sensor-mgmt +32770/tcp open sometimes-rpc3 + +Nmap run completed -- 1 IP address (1 host up) scanned in 1 second + + The above scan was run before the external interface was locked down with the NAT-firewall + script you created above. The following results are obtained after the firewall rules + have been put into place: + +&rootprompt; nmap -v -sT server.abmas.us + +Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) +Host server.abmas.us (123.45.67.66) appears to be up ... good. +Initiating Connect() Scan against server.abmas.us (123.45.67.66) +Adding open port 53/tcp +Adding open port 22/tcp +The Connect() Scan took 168 seconds to scan 1601 ports. +Interesting ports on server.abmas.us (123.45.67.66): +(The 1593 ports scanned but not shown below are in state: filtered) +Port State Service +22/tcp open ssh +25/tcp closed smtp +53/tcp open domain +80/tcp closed http +443/tcp closed https + +Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds + + + + + + + + + Application Share Configuration + + + application server + administrative installation + The use of an application server is a key mechanism by which desktop administration overheads + can be reduced. Check the application manual for your software to identify how best to + create an administrative installation. + + + + Some Windows software will only run locally on the desktop computer. Such software + is typically not suited for administrative installation. Administratively installed software + permits one or more of the following installation choices: + + + + + Install software fully onto a workstation, storing data files on the same workstation. + + + + Install software fully onto a workstation with central network data file storage. + + + + Install software to run off a central application server with data files stored + on the local workstation. This is often called a minimum installation, or a + network client installation. + + + + Install software to run off a central application server with data files stored + on a central network share. This type of installation often prevents storage + of work files on the local workstation. + + + + + + A common application deployed in this environment is an office suite. + Enterprise editions of Microsoft Office XP Professional can be administratively installed + by launching the installation from a command shell. The command that achieves this is + setup /a. It results in a set of prompts through which various + installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource + Kit for more information regarding this mode of installation of MS Office XP Professional. + The full administrative installation of MS Office XP Professional requires approximately + 650 MB of disk space. + + + + When the MS Office XP Professional product has been installed to the administrative network + share, the product can be installed onto a workstation by executing the normal setup program. + The installation process now provides a choice to either perform a minimum installation + or a full local installation. A full local installation takes over 100 MB of disk space. + A network workstation (minimum) installation requires typically 10 MB to 15 MB of + local disk space. In the latter case, when the applications are used, they load over the network. + + + + Service Packs + Microsoft Office + Microsoft Office Service Packs can be unpacked to update an administrative share. This makes + it possible to update MS Office XP Professional for all users from a single installation + of the service pack and generally circumvents the need to run updates on each network + Windows client. + + + + The default location for MS Office XP Professional data files can be set through registry + editing or by way of configuration options inside each Office XP Professional application. + + + + OpenOffice + OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also + be installed to run off a network share. The latter is a most desirable solution for office-bound + network users and for administrative staff alike. It permits quick and easy updates + to be rolled out to all users with a minimum of disruption and with maximum flexibility. + + + + The process for installation of administrative shared OpenOffice involves download of the + distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. + When fully extracted using the unzipping tool of your choosing, change into the Windows + installation files directory then execute setup -net. You are + prompted on screen for the target installation location. This is the administrative + share point. The full administrative OpenOffice share takes approximately 150 MB of disk + space. + + + + Comments Regarding Software Terms of Use + + Many single-user products can be installed into an administrative share, but + personal versions of products such as Microsoft Office XP Professional do not permit this. + Many people do not like terms of use typical with commercial products, so a few comments + regarding software licensing seem important. + + + + Please do not use an administrative installation of proprietary and commercially licensed + software products to violate the copyright holders' property. All software is licensed, + particularly software that is licensed for use free of charge. All software is the property + of the copyright holder unless the author and/or copyright holder has explicitly disavowed + ownership and has placed the software into the public domain. + + + + Software that is under the GNU General Public License, like proprietary software, is + licensed in a way that restricts use. For example, if you modify GPL software and then + distribute the binary version of your modifications, you must offer to provide the source + code as well. This restriction is designed to maintain the momentum + of the diffusion of technology and to protect against the withholding of innovations. + + + + Commercial and proprietary software generally restrict use to those who have paid the + license fees and who comply with the licensee's terms of use. Software that is released + under the GNU General Public License is restricted to particular terms and conditions + also. Whatever the licensing terms may be, if you do not approve of the terms of use, + please do not use the software. + + + + GPL + Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided + with the source code. + + + + + + + Windows Client Configuration + + + Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs + to reinstall many of the notebook computers that will be recycled for use with the new network + configuration. The smartest way to handle the challenge of the roll-out program is to build + a staged system for each type of target machine, and then use an image replication tool such as Norton + Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can + be done with notebook computers as long as they are identical or sufficiently similar. + + + + Windows Client Configuration Procedure + + + WINS + DHCP + Install MS Windows XP Professional. During installation, configure the client to use DHCP for + TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server + address that has been defined for the local subnet. + + + + Join the Windows Domain PROMISES. Use the Domain Administrator + username root and the SMB password you assigned to this account. + A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to + a Windows Domain is given in , . + Reboot the machine as prompted and then log on using the Domain Administrator account + (root). + + + + Verify DIAMOND is visible in My Network Places, + that it is possible to connect to it and see the shares accounts, + apps, and finsvcs, and that it is + possible to open each share to reveal its contents. + + + + Create a drive mapping to the apps share on the server DIAMOND. + + + + Perform an administrative installation of each application to be used. Select the options + that you wish to use. Of course, you can choose to run applications over the network, correct? + + + + Now install all applications to be installed locally. Typical tools include Adobe Acrobat, + NTP-based time synchronization software, drivers for specific local devices such as fingerprint + scanners, and the like. Probably the most significant application for local installation + is antivirus software. + + + + Now install all four printers onto the staging system. The printers you install + include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will + also configure identical printers that are located in the financial services department. + Install printers on each machine following the steps shown in the Windows client printer + preparation procedure below. + + + + defragmentation + When you are satisfied that the staging systems are complete, use the appropriate procedure to + remove the client from the domain. Reboot the system and then log on as the local administrator + and clean out all temporary files stored on the system. Before shutting down, use the disk + defragmentation tool so that the file system is in optimal condition before replication. + + + + Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the + machine to a network share on the server. + + + + Windows security identifierSID + SID + You may now replicate the image to the target machines using the appropriate Norton Ghost + procedure. Make sure to use the procedure that ensures each machine has a unique + Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. + + + + Log on to the machine as the local Administrator (the only option), and join the machine to + the Domain, following the procedure set out in , . The system is now + ready for the user to log on, provided you have created a network logon account for that + user, of course. + + + + Instruct all users to log on to the workstation using their assigned username and password. + + + + + Windows Client Printer Preparation Procedure + + + Click + Start + Settings + Printers + Add Printer + Next + . Do not click Network printer. + Ensure that Local printer is selected. + + + + Click Next. In the + Manufacturer: panel, select HP. + In the Printers: panel, select the printer called + HP LaserJet 6. Click Next. + + + + In the Available ports: panel, select + FILE:. Accept the default printer name by clicking + Next. When asked, Would you like to print a + test page?, click No. Click + Finish. + + + + You may be prompted for the name of a file to print to. If so, close the + dialog panel. Right-click + HP LaserJet 6 + Properties + Details (Tab) + Add Port + . + + + + In the Network panel, enter the name of + the print queue on the Samba server as follows: \\DIAMOND\hplj6a. + Click + OK + OK + to complete the installation. + + + + Repeat the printer installation steps above for both HP LaserJet 6 printers + as well as for both QMS Magicolor laser printers. + + + + + + + Key Points Learned + + + How do you feel? You have built a capable network, a truly ambitious project. + Future network updates can be handled by + your staff. You must be a satisfied manager. Let's review the achievements. + + + + + A simple firewall has been configured to protect the server in the event that + the ISP firewall service should fail. + + + + The Samba configuration uses measures to ensure that only local network users + can connect to SMB/CIFS services. + + + + Samba uses the new tdbsam passdb backend facility. + Considerable complexity was added to Samba functionality. + + + + A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS + server. + + + + The DNS server was configured to permit DDNS only for local network clients. This + server also provides primary DNS services for the company Internet presence. + + + + You introduced an application server as well as the concept of cloning a Windows + client in order to effect improved standardization of desktops and to reduce + the costs of network management. + + + + + + + + + Questions and Answers + + + + + + + + + + What is the maximum number of account entries that the tdbsam + passdb backend can handle? + + + + + + + The tdb data structure and support system can handle more entries than the number of + accounts that are possible on most UNIX systems. A practical limit would come into + play long before a performance boundary would be anticipated. That practical limit + is controlled by the nature of Windows networking. There are few Windows file and + print servers that can handle more than a few hundred concurrent client connections. + The key limiting factors that predicate offloading of services to additional servers + are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. + All of these are readily exhausted by just a few hundred concurrent active users. + Such bottlenecks can best be removed by segmentation of the network (distributing + network load across multiple networks). + + + + As the network grows, it becomes necessary to provide additional authentication + servers (domain controllers). The tdbsam is limited to a single machine and cannot + be reliably replicated. This means that practical limits on network design dictate + the point at which a distributed passdb backend is required; at this time, there is + no real alternative other than ldapsam (LDAP). + + + + The guideline provided in TOSHARG2, Chapter 10, Section 10.1.2, + is to limit the number of accounts in the tdbsam backend to 250. This is the point + at which most networks tend to want backup domain controllers (BDCs). Samba-3 does + not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The + limitation of 250 users per tdbsam is predicated only on the need for replication, + not on the limitsBench tests have shown that tdbsam is a very + effective database technology. There is surprisingly little performance loss even + with over 4000 users. of the tdbsam backend itself. + + + + + + + + + + Would Samba operate any better if the OS level is set to a value higher than 35? + + + + + + + No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value + of 35 already assures Samba of precedence over MS Windows products in browser elections. There is + no gain to be had from setting this higher. + + + + + + + + + + Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? + + + + + + + At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at + a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special + Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. + + + + + + + + + + Why has a path been specified in the IPC$ share? + + + + + + + This is done so that in the event that a software bug may permit a client connection to the IPC$ share to + obtain access to the file system, it does so at a location that presents least risk. Under normal operation + this type of paranoid step should not be necessary. The use of this parameter should not be necessary. + + + + + + + + + + Why does the &smb.conf; file in this exercise include an entry for ? + + + + + + + The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port + used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS + over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By + specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. + The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain + member, the default behavior is highly beneficial and should not be changed. + + + + + + + + + + What is the difference between a print queue and a printer? + + + + + + + A printer is a physical device that is connected either directly to the network or to a computer + via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a + hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a + single print data stream and block all secondary attempts to dispatch jobs concurrently to the + same device. If many clients were to concurrently print directly via TCP/IP to the same printer, + it would result in a huge amount of network traffic through continually failing connection attempts. + + + + A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or + print requests. When the data stream has been fully received, the input stream is closed, + and the job is then submitted to a sequential print queue where the job is stored until + the printer is ready to receive the job. + + + + + + + + + + Can all MS Windows application software be installed onto an application server share? + + + + + + + Much older Windows software is not compatible with installation to and execution from + an application server. Enterprise versions of Microsoft Office XP Professional can + be installed to an application server. Retail consumer versions of Microsoft Office XP + Professional do not permit installation to an application server share and can be installed + and used only to/from a local workstation hard disk. + + + + + + + + + + Why use dynamic DNS (DDNS)? + + + + + + + When DDNS records are updated directly from the DHCP server, it is possible for + network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate + Windows clients via DNS. + + + + + + + + + + Why would you use WINS as well as DNS-based name resolution? + + + + + + + WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is + a name like myhost.mydomain.tld where tld + means top-level domain. A FQDN is a longhand but easy-to-remember + expression that may be up to 1024 characters in length and that represents an IP address. + A NetBIOS name is always 16 characters long. The 16th character + is a name type indicator. A specific name type is registered + See TOSHARG2, Chapter 9, for more information. for each + type of service that is provided by the Windows server or client and that may be registered + where a WINS server is in use. + + + + WINS is a mechanism by which a client may locate the IP Address that corresponds to a + NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name + that includes a particular registered NetBIOS name type. DNS does not provide a mechanism + that permits handling of the NetBIOS name type information. + + + + DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular + hostname or service name that has been registered in the DNS database for a particular domain. + A DNS server has limited scope of control and is said to be authoritative for the zone over + which it has control. + + + + Windows 200x Active Directory requires the registration in the DNS zone for the domain it + controls of service locatorSee TOSHARG2, Chapter 9, Section 9.3.3. records + that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also + requires the registration of special records that are called global catalog (GC) entries + and site entries by which domain controllers and other essential ADS servers may be located. + + + + + + + + + + What are the major benefits of using an application server? + + + + + + + The use of an application server can significantly reduce application update maintenance. + By providing a centralized application share, software updates need be applied to only + one location for all major applications used. This results in faster update roll-outs and + significantly better application usage control. + + + + + + + + + + -- cgit