From dc56f3b507c4bf09b8f4962e080ccc9da8e853a7 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sun, 1 May 2005 19:24:18 +0000 Subject: Applying feedback fixes. (This used to be commit 04cf9b6510c7781385ddfc0a608d5ea2616f0ba5) --- docs/Samba-Guide/SBE-MakingHappyUsers.xml | 328 ++++++++++++------------------ 1 file changed, 128 insertions(+), 200 deletions(-) (limited to 'docs/Samba-Guide/SBE-MakingHappyUsers.xml') diff --git a/docs/Samba-Guide/SBE-MakingHappyUsers.xml b/docs/Samba-Guide/SBE-MakingHappyUsers.xml index 6078e1438d..9ea4061fe0 100644 --- a/docs/Samba-Guide/SBE-MakingHappyUsers.xml +++ b/docs/Samba-Guide/SBE-MakingHappyUsers.xml @@ -285,12 +285,9 @@ clients is conservative and if followed will minimize problems - but it is not a - - compromise - - network - multi-segment - + + compromise + networkmulti-segment Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a single domain controller is a poor design that has obvious operational effects that may frustrate users. Here is Bob's reply: 
@@ -311,37 +308,26 @@ clients is conservative and if followed will minimize problems - but it is not a - - Backup Domain Controller - BDC - - BDC - - tdbsam - - LDAP - - migration - - Implement Backup Domain Controllers (BDCs) in each building. This involves - a change from use of a tdbsam backend that was used in the previous - chapter, to use an LDAP-based backend. + + + Backup Domain ControllerBDC + BDC + tdbsam + LDAPmigration + Implement Backup Domain Controllers (BDCs) in each building. This involves + a change from use of a tdbsam backend that was used in the previous + chapter, to use an LDAP-based backend. You can implement a single central LDAP server for this purpose. - - logon time - - network share - - default profile - - profile - default - + + logon time + network share + default profile + profiledefault Rectify the problem of excessive logon times. This involves redirection of folders to network shares as well as modification of all user desktops to exclude the redirected folders from being loaded at login time. You can also @@ -350,18 +336,16 @@ clients is conservative and if followed will minimize problems - but it is not a - - disk image - + + disk image You configure a new MS Windows XP Professional Workstation disk image that you roll out to all desktop users. The instructions you have created are followed on a staging machine from which all changes can be carefully tested before inflicting them on your network users. - - CUPS - + + CUPS This is the last network example in which specific mention of printing is made. The example again makes use of the CUPS printing system. 
@@ -373,43 +357,35 @@ clients is conservative and if followed will minimize problems - but it is not a Dissection and Discussion - - BDC - - LDAP - - OpenLDAP - + + BDC + LDAP + OpenLDAP The implementation of Samba BDCs necessitates the installation and configuration of LDAP. For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial LDAP servers in current use with Samba-3 include: - - eDirectory - - Novell eDirectory. + + eDirectory + Novell eDirectory. eDirectory is being successfully used by some sites. Information on how to use eDirectory can be - obtained from the Samba mailing lists or from Novell. + obtained from the Samba mailing lists or from Novell. + - - Tivoli Directory Server - IBM - Tivoli Directory Server, + + Tivoli Directory Server + IBM Tivoli Directory Server, can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba - source code tarball under the directory ~samba/example/LDAP. + source code tarball under the directory ~samba/example/LDAP. + - - Sun ONE Identity Server - Sun - ONE Identity Server. + + Sun ONE Identity Server + Sun ulink url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server. This product suite provides an LDAP server that can be used for Samba. Example schema files are - provided in the Samba source code tarball under the directory - ~samba/example/LDAP. - + provided in the Samba source code tarball under the directory ~samba/example/LDAP. + @@ -419,9 +395,8 @@ clients is conservative and if followed will minimize problems - but it is not a help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. - - Active Directory - + + Active Directory For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include 
@@ -429,25 +404,14 @@ clients is conservative and if followed will minimize problems - but it is not a requires an understanding of what you are doing, why you are doing it, and the tools that you must use. - - Identity Management - - high availability - - directory - replication - - directory - synchronization - - performance - - directory - management - - directory - schema - + + Identity Management + high availability + directoryreplication + directorysynchronization + performance + directorymanagement + directoryschema When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. High availability operation may be obtained through directory replication/synchronization and master/slave server configurations. OpenLDAP is a mature platform to host the organizational @@ -458,16 +422,11 @@ clients is conservative and if followed will minimize problems - but it is not a with Microsoft Active Directory. - - comparison - Active Directory & OpenLDAP - - ADAM - - Active Directory - - OpenLDAP - + + comparisonActive Directory & OpenLDAP + ADAM + Active Directory + OpenLDAP A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured for a specific task orientation. It comes with a set of administrative tools that is entirely customized @@ -479,12 +438,9 @@ clients is conservative and if followed will minimize problems - but it is not a of OpenLDAP. - - directory - schema - - passdb backend - + + directoryschema + passdb backend You may wish to consider out-sourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management tools, and the creation of shell and Perl scripts a bit 
@@ -526,17 +482,11 @@ clients is conservative and if followed will minimize problems - but it is not a written by Jerry Carter, quite useful. - - BDC - - network - segment - - performance - - network - wide-area - + + BDC + networksegment + performance + networkwide-area Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly @@ -545,9 +495,8 @@ clients is conservative and if followed will minimize problems - but it is not a staff morale. The following procedures solve this problem. - - smart printing - + + smart printing There is also an opportunity to implement smart printing features. You add this to the Samba configuration so that future printer changes can be managed without need to change desktop configurations. @@ -561,15 +510,10 @@ clients is conservative and if followed will minimize problems - but it is not a Technical Issues - - identity - management - - directory - server - - Posix - + + identitymanagement + directoryserver + Posix The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account 
@@ -583,31 +527,20 @@ clients is conservative and if followed will minimize problems - but it is not a ID Mappings for SIDs to UIDs (also for foreign Domain SIDs) - - UNIX accounts - - Windows accounts - - PADL LDAP tools - - /etc/group - - LDAP - - name service switch - NSS - - NSS - - UID - - nss_ldap - + + UNIX accounts + Windows accounts + PADL LDAP tools + /etc/group + LDAP + name service switchNSS + NSS + UID + nss_ldap The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the PADL LDAP tools. The resolution - of the UNIX group name to its GID must be enabled from either the - /etc/group + of the UNIX group name to its GID must be enabled from either the /etc/group or from the LDAP backend. This requires the use of the PADL nss_ldap tool-set that integrates with the name service switch (NSS). The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in . @@ -629,23 +562,15 @@ clients is conservative and if followed will minimize problems - but it is not a at risk. This is not covered in the following guidance. - - PDC - - LDAP Interchange Format - LDIF - - LDIF - - secrets.tdb - + + PDC + LDAP Interchange FormatLDIF + LDIFsecrets.tdb When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC) - called MASSIVE. You initialize the Samba - secrets.tdb + called MASSIVE. You initialize the Samba secrets.tdb file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. You need to decide how best to create user and group accounts. A few - hints are, of course, provided. You can also find on the enclosed - CD-ROM, in the Chap06 + hints are, of course, provided. You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools that help to manage user and group configuration. 
@@ -744,15 +669,11 @@ clients is conservative and if followed will minimize problems - but it is not a As XP roaming profiles grow, so does the amount of time it takes to log in and out. - - roaming profile - - HKEY_CURRENT_USER - - NTUSER.DAT - - %USERNAME% - + + roaming profile + HKEY_CURRENT_USER + NTUSER.DAT + %USERNAME% An XP Roaming Profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the @@ -777,31 +698,25 @@ clients is conservative and if followed will minimize problems - but it is not a saving documents instead of the My Documents folder. - - My Documents - + + My Documents Using a folder other than My Documents is a nuisance for some users since many applications use it by default. - - roaming profiles - - Local Group Policy - - NTUSER.DAT - - The secret to rapid loading of roaming profiles is to prevent unnecessary data from + + roaming profiles + Local Group Policy + NTUSER.DAT + The secret to rapid loading of roaming profiles is to prevent unnecessary data from being copied back and forth, without losing any functionality. This is not difficult; it can be done by making changes to the Local Group Policy on each client as well as changing some paths in each user's NTUSER.DAT hive. - - Network Default Profile - - redirected folders - + + Network Default Profile + redirected folders Every user profile has their own NTUSER.DAT file. This means you need to edit every user's profile, unless a better method can be followed. Fortunately, with the right preparations, this is not difficult. @@ -1138,6 +1053,7 @@ logdir /data/logs + Diagnostic Guidelines Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries @@ -1484,6 +1400,8 @@ directory information tree (DIT). In the examples that follow they have been loc + Implementing the OpenLDAP Server + /etc/openldap/slapd.conf 
@@ -1663,6 +1581,8 @@ index default sub + Configuration of NSS and PAM + /lib/libnss_ldap.so.2 @@ -1841,6 +1761,7 @@ session optional pam_mail.so Configuration of PDC Called: <constant>MASSIVE</constant> + Install the files in , , , @@ -2085,6 +2006,8 @@ change the path to them in your &smb.conf; file on the PDC (MASSIVE + Idealx smbldap-tools Configuration + Create the /opt/IDEALX/sbin directory, and set its permissions and ownership as shown here: @@ -2157,6 +2080,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; + Installation of smbldap-tools from RPM Install the source RPM that has been downloaded as follows: @@ -2227,6 +2151,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; + Configuration of <filename>smbldap.conf Change into the directory that contains the configure.pl script. @@ -2521,6 +2446,8 @@ writing new configuration file: + Validation of Configuration + Start the LDAP server by executing: @@ -3027,6 +2954,7 @@ smb: \> q + Configuration of Raw Printers<title> <step><para> Configure all network attached printers to have a fixed IP address. @@ -3130,6 +3058,7 @@ application/octet-stream <procedure> <title>Configuration of BDC Called: <constant>BLDG1</constant> + Install the files in , , and @@ -3346,6 +3275,7 @@ smb: \> q Configuration of BDC Called: <constant>BLDG2</constant> + Install the files in , , and @@ -3694,6 +3624,8 @@ structuralObjectClass: organizationalUnit + Setting up User Privileges + Log onto the primary domain controller (PDC) as the root account. @@ -3769,9 +3701,8 @@ SeDiskOperatorPrivilege Windows Client Configuration - - NETLOGON - + + NETLOGON In the next few sections, you can configure a new Windows XP Professional disk image on a staging machine. You will configure all software, printer settings, profile and policy handling, and desktop default profile settings on this system. When it is complete, you copy the contents of the 
@@ -3791,9 +3722,8 @@ SeDiskOperatorPrivilege Configuration of Default Profile with Folder Redirection - - folder redirection - + + folder redirection Log onto the Windows XP Professional workstation as the local Administrator. It is necessary to expose folders that are generally hidden to provide access to the Default User @@ -3813,8 +3743,7 @@ SeDiskOperatorPrivilege View Tab . Select Show hidden files and folders, - and click OK. - Exit Windows Explorer. + and click OK. Exit Windows Explorer. @@ -3849,8 +3778,7 @@ SeDiskOperatorPrivilege NTUSER Open . In the dialog box that opens, enter the - key name Default - and click OK. + key name Default and click OK. @@ -4098,10 +4026,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ Uploading Printer Drivers to Samba Servers - - printing - drag-and-drop - + + printingdrag-and-drop Users want to be able to use network printers. You have a vested interest in making it easy for them to print. You have chosen to install the printer drivers onto the Samba servers and to enable point-and-click (drag-and-drop) printing. This process results in @@ -4111,6 +4037,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ + Uploading Printer Drivers + Join your Windows XP Professional workstation (the staging machine) to the MEGANET2 Domain. If you are not sure of the procedure, -- cgit
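Review bot: In the hunk at @@ -373,43 +357,35 @@ the Sun ONE Identity Server entry has lost the opening angle bracket of its link element: the added line reads "Sun ulink url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server." so "ulink url=...>" is no longer a tag but literal prose that will appear in the rendered guide, and the element's closing tag no longer has an opening one to pair with. Restore the "<" before "ulink" so the line reads "Sun <ulink url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity Server" like the eDirectory and Tivoli entries in the same list.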
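Review bot: In the hunk at @@ -3027,6 +2954,7 @@ the context line "Configuration of Raw Printers<title>" carries a second opening "<title>" where the closing "</title>" of the procedure title belongs, immediately before "<step><para>". The line itself is not changed by this commit, but since the hunk touches this exact spot it would be worth fixing the missing slash here rather than leaving a tag that will fail DocBook validation.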
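Review bot: In the hunk at @@ -629,23 +562,15 @@ the index term reflow collapses three entries into two: the removed lines were "LDAP Interchange Format" with "LDIF" as its secondary term, followed by "LDIF" and "secrets.tdb" as standalone entries, while the added lines read "LDAP Interchange FormatLDIF" and "LDIFsecrets.tdb", which turns secrets.tdb into a sub-entry of LDIF instead of its own index term. Split the second one back into "LDIF" and "secrets.tdb" so the index keeps a direct entry for the secrets.tdb file, which the same paragraph tells the reader to initialize on the PDC.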
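Review bot: The hunks at @@ -1138, @@ -1484, @@ -1663, @@ -1841, @@ -2085, @@ -2157, @@ -2227, @@ -2521, @@ -3027, @@ -3130, @@ -3346, @@ -3694 and @@ -4111 add nothing but empty "+" lines around section and procedure titles; this whitespace-only churn is interleaved with the substantive index term and link markup changes, which makes the diff harder to review now and to bisect later. Consider keeping the formatting-only changes in a separate commit, or at least saying in the commit message that "Applying feedback fixes" also includes a reflow of the indexterm blocks.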