From fa96398866a4bcdcc13b42ab4f8d3f516cd9238a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 16 Jun 2005 01:33:35 +0000 Subject: Stage 1 of PHPTR Edits. (This used to be commit 64a9e3e8619bf33dcf6b0ff8171b47a3e2581239) --- docs/Samba3-HOWTO/TOSHARG-FastStart.xml | 267 ++++++++++++++++---------------- 1 file changed, 136 insertions(+), 131 deletions(-) (limited to 'docs/Samba3-HOWTO/TOSHARG-FastStart.xml') diff --git a/docs/Samba3-HOWTO/TOSHARG-FastStart.xml b/docs/Samba3-HOWTO/TOSHARG-FastStart.xml index 108c787d64..5d1df13111 100644 --- a/docs/Samba3-HOWTO/TOSHARG-FastStart.xml +++ b/docs/Samba3-HOWTO/TOSHARG-FastStart.xml @@ -10,7 +10,7 @@ When we first asked for suggestions for inclusion in the Samba HOWTO documentation, someone wrote asking for example configurations &smbmdash; and lots of them. That is remarkably -difficult to do, without losing a lot of value that can be derived from presenting +difficult to do without losing a lot of value that can be derived from presenting many extracts from working systems. That is what the rest of this document does. It does so with extensive descriptions of the configuration possibilities within the context of the chapter that covers it. We hope that this chapter is the medicine 
@@ -19,21 +19,21 @@ that has been requested. The information in this chapter is very sparse compared with the book Samba-3 by Example -that was written after the original version of this book was nearly complete. Samba-3 by Example +that was written after the original version of this book was nearly complete. Samba-3 by Example was the result of feedback from reviewers during the final copy editing of the first edition. It -was interesting to see that reader feedback mirrored that given be the original reviewers. +was interesting to see that reader feedback mirrored that given by the original reviewers. In any case, a month and a half was spent in doing basic research to better understand what -new as well as experienced network administrators would best benefit from. The book Samba-3 by Example +new as well as experienced network administrators would best benefit from. The book Samba-3 by Example is the result of that research. What is presented in the few pages of this book is covered -far more comprehensively in the second edition of Samba-3 by Example. The second edition +far more comprehensively in the second edition of Samba-3 by Example. The second edition of both books will be released at the same time. So in summary, the book The Official Samba-3 HOWTO & Reference Guide is intended -as the equivalent of a auto mechanics' repair guide. The book Samba-3 by Example is the -equivalent of the drivers guide that explains how to drive the car. If you want complete network -configuration examples go to Samba-3 by Example. +as the equivalent of an auto mechanic's repair guide. The book Samba-3 by Example is the +equivalent of the driver's guide that explains how to drive the car. If you want complete network +configuration examples, go to Samba-3 by Example. 
@@ -50,7 +50,7 @@ features. These additional features are covered in the remainder of this documen The examples used here have been obtained from a number of people who made requests for example configurations. All identities have been obscured to protect -the guilty and any resemblance to unreal non-existent sites is deliberate. +the guilty, and any resemblance to unreal nonexistent sites is deliberate. @@ -80,16 +80,15 @@ mirror of the system described in , The next example is of a secure office file and print server that will be accessible only to users who have an account on the system. This server is meant to closely resemble a -Workgroup file and print server, but has to be more secure than an anonymous access machine. +workgroup file and print server, but has to be more secure than an anonymous access machine. This type of system will typically suit the needs of a small office. The server provides no -network logon facilities, offers no Domain Control; instead it is just a network -attached storage (NAS) device and a print server. +network logon facilities, offers no domain control; instead it is just a network-attached storage (NAS) device and a print server. Finally, we start looking at more complex systems that will either integrate into existing -Microsoft Windows networks, or replace them entirely. The examples provided cover domain -member servers as well as Samba Domain Control (PDC/BDC) and finally describes in detail +MS Windows networks or replace them entirely. The examples provided cover domain +member servers as well as Samba domain control (PDC/BDC) and finally describes in detail a large distributed network with branch offices in remote locations. 
@@ -106,17 +105,17 @@ clearly beyond the scope of this text. It is also assumed that Samba has been correctly installed, either by way of installation -of the packages that are provided by the operating system vendor, or through other means. +of the packages that are provided by the operating system vendor or through other means. - Stand-alone Server + Standalone Server Server TypeStand-alone - A Stand-alone Server implies no more than the fact that it is not a Domain Controller - and it does not participate in Domain Control. It can be a simple workgroup-like - server, or it may be a complex server that is a member of a domain security context. + A standalone server implies no more than the fact that it is not a domain controller + and it does not participate in domain control. It can be a simple, workgroup-like + server, or it can be a complex server that is a member of a domain security context. @@ -137,10 +136,13 @@ of the packages that are provided by the operating system vendor, or through oth change. - The configuration file is: + + The configuration file is presented in Anonymous Read-Only Server + Configuration. + - Anonymous Read-Only Server Configuration + Anonymous Read-Only Server Configuration Global parameters @@ -171,9 +173,9 @@ of the packages that are provided by the operating system vendor, or through oth - Installation Procedure &smbmdash; Read-Only Server + Installation Procedure: Read-Only Server - Add user to system (with creation of the users' home directory): + Add user to system (with creation of the user's home directory): &rootprompt;useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb 
@@ -233,12 +235,12 @@ Press enter to see a dump of your service definitions - Configure your Microsoft Windows client for workgroup MIDEARTH, + Configure your MS Windows client for workgroup MIDEARTH, set the machine name to ROBBINS, reboot, wait a few (2 - 5) minutes, - then open Windows Explorer and visit the network neighborhood. + then open Windows Explorer and visit the Network Neighborhood. The machine HOBBIT should be visible. When you click this machine icon, it should open up to reveal the data share. After - clicking the share it, should open up to reveal the files previously + you click the share, it should open up to reveal the files previously placed in the /export directory. @@ -259,7 +261,7 @@ Press enter to see a dump of your service definitions The difference is that shared access is now forced to the user identity of jackb and to the primary group jackb belongs to. One other refinement we can make is to add the user jackb to the smbpasswd file. - To do this execute: + To do this, execute: &rootprompt;smbpasswd -a jackb New SMB password: m0r3pa1n @@ -275,8 +277,9 @@ Added user jackb. The complete, modified &smb.conf; file is as shown in . -Modified Anonymous Read-Write smb.conf - + +Modified Anonymous Read-Write smb.conf + Global parameters MIDEARTH @@ -323,12 +326,13 @@ Added user jackb. - In this configuration it is undesirable to present the Add Printer Wizard and we do - not want to have automatic driver download, so we will disable it in the following + In this configuration, it is undesirable to present the Add Printer Wizard, and we do + not want to have automatic driver download, so we disable it in the following configuration. is the resulting &smb.conf; file. -Anonymous Print Server smb.conf + +Anonymous Print Server smb.conf Global parameters 
@@ -376,12 +380,12 @@ Added user jackb. Directory permissions should be set for public read-write with the - sticky-bit set as shown: + sticky bit set as shown: &rootprompt;chmod a+trw TX /var/spool/samba The purpose of setting the sticky bit is to prevent who does not own the temporary print file - from being able to take control of it with the potential for devious mis-use. + from being able to take control of it with the potential for devious misuse. @@ -389,8 +393,8 @@ Added user jackb. MIMEraw raw printing - On CUPS enabled systems there is a facility to pass raw data directly to the printer without - intermediate processing via CUPS print filters. Where use of this mode of operation is desired + On CUPS-enabled systems there is a facility to pass raw data directly to the printer without + intermediate processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to configure a raw printing device. It is also necessary to enable the raw mime handler in the /etc/mime.conv and /etc/mime.types files. Refer to . 
@@ -419,19 +423,19 @@ Added user jackb. - Site users will be: Jack Baumbach, Mary Orville and Amed Sehkah. Each will have + Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have a password (not shown in further examples). Mary will be the printer administrator and will own all files in the public share. - This configuration will be based on User Level Security that + This configuration will be based on user-level security that is the default, and for which the default is to store Microsoft Windows-compatible encrypted passwords in a file called /etc/samba/smbpasswd. - The default &smb.conf; entry that makes this happen is: - smbpasswd, guest. Since this is the default + The default &smb.conf; entry that makes this happen is + smbpasswd, guest. Since this is the default, it is not necessary to enter it into the configuration file. Note that guest backend is - added to the list of active passdb backends not matter was it specified directly in Samba configuration + added to the list of active passdb backends no matter whether it specified directly in Samba configuration file or not. @@ -440,7 +444,7 @@ Added user jackb. Installing the Secure Office Server office server - Add all users to the Operating System: + Add all users to the operating system: &rootprompt;useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb &rootprompt;useradd -c "Mary Orville" -m -g users -p secret maryo @@ -450,10 +454,11 @@ Added user jackb. Configure the Samba &smb.conf; file as shown in . - + + - Secure Office Server smb.conf - +Secure Office Server smb.conf + Global parameters MIDEARTH @@ -486,8 +491,8 @@ Added user jackb. Yes Yes No - - + + Initialize the Microsoft Windows password database with the new users: 
@@ -530,7 +535,7 @@ Added user ameds. &rootprompt; nmbd; smbd; - Both applications automatically will execute as daemons. Those who are paranoid about + Both applications automatically execute as daemons. Those who are paranoid about maintaining control can add the -D flag to coerce them to start up in daemon mode. @@ -592,8 +597,8 @@ smb: \> q By now you should be getting the hang of configuration basics. Clearly, it is time to - explore slightly more complex examples. For the remainder of this chapter we will abbreviate - instructions since there are previous examples. + explore slightly more complex examples. For the remainder of this chapter we abbreviate + instructions, since there are previous examples. @@ -603,10 +608,9 @@ smb: \> q Domain Member Server - Server TypeDomain Member - In this instance we will consider the simplest server configuration we can get away with + In this instance we consider the simplest server configuration we can get away with to make an accounting department happy. Let's be warned, the users are accountants and they do have some nasty demands. There is a budget for only one server for this department. 
@@ -616,23 +620,23 @@ smb: \> q Internal politics are typical of a medium-sized organization; Human Resources is of the opinion that they run the ISG because they are always adding and disabling users. Also, departmental managers have to fight tooth and nail to gain basic network resources access for - their staff. Accounting is different though, they get exactly what they want. So this should + their staff. Accounting is different, though, they get exactly what they want. So this should set the scene. - We will use the users from the last example. The accounting department - has a general printer that all departmental users may. There is also a check printer - that may be used only by the person who has authority to print checks. The Chief Financial - Officer (CFO) wants that printer to be completely restricted and for it to be located in the + We use the users from the last example. The accounting department + has a general printer that all departmental users may use. There is also a check printer + that may be used only by the person who has authority to print checks. The chief financial + officer (CFO) wants that printer to be completely restricted and for it to be located in the private storage area in her office. It therefore must be a network printer. - Accounting department uses an accounting application called SpytFull + The accounting department uses an accounting application called SpytFull that must be run from a central application server. The software is licensed to run only off one server, there are no workstation components, and it is run off a mapped share. The data - store is in a UNIX-based SQL backend. The UNIX gurus look after that, so is not our + store is in a UNIX-based SQL backend. The UNIX gurus look after that, so it is not our problem. 
@@ -640,7 +644,7 @@ smb: \> q The accounting department manager (maryo) wants a general filing system as well as a separate file storage area for form letters (nastygrams). The form letter area should be read-only to all accounting staff except the manager. The general filing system has to have a structured - layout with a general area for all staff to store general documents, as well as a separate + layout with a general area for all staff to store general documents as well as a separate file area for each member of her team that is private to that person, but she wants full access to all areas. Users must have a private home share for personal work-related files and for materials not related to departmental operations. @@ -651,7 +655,7 @@ smb: \> q The server valinor will be a member server of the company domain. - Accounting will have only a local server. User accounts will be on the Domain Controllers + Accounting will have only a local server. User accounts will be on the domain controllers, as will desktop profiles and all network policy files. @@ -662,13 +666,14 @@ smb: \> q - Configure &smb.conf; according to - and . - + Configure &smb.conf; according to Member server smb.conf + (globals) and Member server smb.conf (shares + and services). + - - Member server smb.conf (globals) - + +Member server smb.conf (globals) + Global parameters MIDEARTH @@ -681,11 +686,12 @@ smb: \> q 15000-20000 Yes cups - + + - - Member server smb.conf (shares and services) - + +Member server smb.conf (shares and services) + Home Directories %S @@ -713,12 +719,11 @@ smb: \> q Yes Yes No - - - + + -netrpc + netrpc Join the domain. Note: Do not start Samba until this step has been completed! &rootprompt;net rpc join -Uroot%'bigsecret' @@ -733,7 +738,7 @@ Joined domain MIDEARTH. Start Samba following the normal method for your operating system platform. - If you wish to this manually execute as root: + If you wish to do this manually, execute as root: smbd nmbd winbindd 
@@ -746,7 +751,7 @@ Joined domain MIDEARTH. - Configure the name service switch control file on your system to resolve user and group names + Configure the name service switch (NSS) control file on your system to resolve user and group names via winbind. Edit the following lines in /etc/nsswitch.conf: passwd: files winbind 
@@ -825,25 +830,25 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false Server TypeDomain Controller - For the remainder of this chapter the focus is on the configuration of Domain Control. + For the remainder of this chapter the focus is on the configuration of domain control. The examples that follow are for two implementation strategies. Remember, our objective is to create a simple but working solution. The remainder of this book should help to highlight opportunity for greater functionality and the complexity that goes with it. - A Domain Controller configuration can be achieved with a simple configuration using the new + A domain controller configuration can be achieved with a simple configuration using the new tdbsam password backend. This type of configuration is good for small - offices, but has limited scalability (cannot be replicated) and performance can be expected + offices, but has limited scalability (cannot be replicated), and performance can be expected to fall as the size and complexity of the domain increases. The use of tdbsam is best limited to sites that do not need - more than a primary Domain Controller (PDC). As the size of a domain grows the need - for additional Domain Controllers becomes apparent. Do not attempt to under-resource - a Microsoft Windows network environment; Domain Controllers provide essential - authentication services. The following are symptoms of an under-resourced Domain Control + more than a Primary Domain Controller (PDC). As the size of a domain grows the need + for additional domain controllers becomes apparent. Do not attempt to under-resource + a Microsoft Windows network environment; domain controllers provide essential + authentication services. The following are symptoms of an under-resourced domain control environment: 
@@ -853,27 +858,27 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false - File access on a Domain Member server intermittently fails, giving a permission denied + File access on a domain member server intermittently fails, giving a permission denied error message. - A more scalable Domain Control authentication backend option might use - Microsoft Active Directory, or an LDAP-based backend. Samba-3 provides - for both options as a Domain Member server. As a PDC Samba-3 is not able to provide + A more scalable domain control authentication backend option might use + Microsoft Active Directory or an LDAP-based backend. Samba-3 provides + for both options as a domain member server. As a PDC, Samba-3 is not able to provide an exact alternative to the functionality that is available with Active Directory. Samba-3 can provide a scalable LDAP-based PDC/BDC solution. The tdbsam authentication backend provides no facility to replicate - the contents of the database, except by external means. (i.e., there is no self-contained protocol - in Samba-3 for Security Account Manager database [SAM] replication.) + the contents of the database, except by external means (i.e., there is no self-contained protocol + in Samba-3 for Security Account Manager database [SAM] replication). - If you need more than one Domain Controller, do not use a tdbsam authentication backend. + If you need more than one domain controller, do not use a tdbsam authentication backend. @@ -889,15 +894,15 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false A working PDC configuration using the tdbsam - password backend can be found in together with - : - - - -pdbedit - - Engineering Office smb.conf (globals) - + password backend can be found in Engineering Office smb.conf + (globals) together with Engineering Office smb.conf + (shares and services): + pdbedit + + + +Engineering Office smb.conf (globals) + MIDEARTH FRODO 
@@ -924,13 +929,12 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false 15000-20000 15000-20000 cups - - - + + - - Engineering Office smb.conf (shares and services) - + +Engineering Office smb.conf (shares and services) + Home Directories %S @@ -970,8 +974,8 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false Yes Other resource (share/printer) definitions would follow below. - - + + Create UNIX group accounts as needed using a suitable operating system tool: @@ -993,13 +997,11 @@ maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false -netgroupmap -initGroups.sh - Assign each of the UNIX groups to NT groups: - (It may be useful to copy this text to a shell script called - initGroups.sh.) - Shell script for initializing group mappings - + netgroupmap + initGroups.sh + Assign each of the UNIX groups to NT groups by executing this shell script + (You could name the script initGroups.sh): + #!/bin/bash #### Keep this as a shell script for future re-use @@ -1012,7 +1014,7 @@ net groupmap modify ntgroup="Domain Guests" unixgroup=nobody net groupmap add ntgroup="Designers" unixgroup=designers type=d net groupmap add ntgroup="Engineers" unixgroup=engineers type=d net groupmap add ntgroup="QA Team" unixgroup=qateam type=d - + @@ -1027,7 +1029,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d - The above configuration provides a functional Primary Domain Control (PDC) + The above configuration provides a functional PDC system to which must be added file shares and printers as required. 
@@ -1038,7 +1040,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d In this section we finally get to review in brief a Samba-3 configuration that - uses a Light Weight Directory Access (LDAP)-based authentication backend. The + uses a Lightweight Directory Access (LDAP)-based authentication backend. The main reasons for this choice are to provide the ability to host primary and Backup Domain Control (BDC), as well as to enable a higher degree of scalability to meet the needs of a very distributed environment. @@ -1054,7 +1056,7 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d - The Idealx scripts (or equivalent) are needed to manage LDAP based Posix and/or + The Idealx scripts (or equivalent) are needed to manage LDAP-based POSIX and/or SambaSamAccounts. The Idealx scripts may be downloaded from the Idealx Web site. They may also be obtained from the Samba tarball. Linux distributions tend to install the Idealx scripts in the @@ -1070,10 +1072,10 @@ net groupmap add ntgroup="QA Team" unixgroup=qateam type=d Set up the LDAP server. This example is suitable for OpenLDAP 2.1.x. - The /etc/openldap/slapd.conf file: -/etc/openldap/slapd.conf + The /etc/openldap/slapd.conf file. + /etc/openldap/slapd.conf Example slapd.conf file - + # Note commented out lines have been removed include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema @@ -1104,7 +1106,7 @@ index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub - + @@ -1160,8 +1162,9 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb - The &smb.conf; file that drives this backend can be found in example . - + The &smb.conf; file that drives this backend can be found in example LDAP backend smb.conf for PDC. + LDAP backend smb.conf for PDC @@ -1201,7 +1204,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb 15000-20000 cups - + Add the LDAP password to the secrets.tdb file so Samba can update 
@@ -1213,7 +1216,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb Add users and groups as required. Users and groups added using Samba tools - will automatically be added to both the LDAP backend as well as to the operating + will automatically be added to both the LDAP backend and the operating system as required. @@ -1231,9 +1234,11 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb Decide if the BDC should have its own LDAP server or not. If the BDC is to be - the LDAP server change the following &smb.conf; as indicated. The default - configuration in uses a central LDAP server. - + the LDAP server, change the following &smb.conf; as indicated. The default + configuration in Remote LDAP BDC smb.conf + uses a central LDAP server. + + Remote LDAP BDC smb.conf @@ -1264,7 +1269,7 @@ userPassword: {SSHA}0jBHgQ1vp4EDX2rEMMfIudvRMJoGwjVb 15000-20000 cups - + Configure the NETLOGON and PROFILES directory as for the PDC in . -- cgit
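Review bot: In the read-only server installation hunk (@@ -171,9), the command line "useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb" passes a plaintext password to -p, but useradd -p expects an already-encrypted crypt(3) string, so the account ends up with an unusable password field rather than the password shown; a password typed on the command line is also recorded in shell history and is visible in the process list while the command runs. Suggest dropping -p and setting the password afterwards with "passwd jackb". The same pattern recurs in the secure office server hunk (@@ -440,7) for jackb, maryo, and ameds. The hunk itself only corrects "user's", so this is a follow-up to the copy edit rather than a blocker.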
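Review bot: The reworded last sentence of the user-level security hunk (@@ -419,19) still has a grammatical slip: "no matter whether it specified directly in Samba configuration file or not" should read "no matter whether it is specified directly in the Samba configuration file or not". Worth fixing in this pass, because the point being made there, that the guest backend is active even when it is not listed in the passdb backend setting, is one readers need to take in.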
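Review bot: The sticky-bit hunk (@@ -376,12) fixes "mis-use" but leaves "to prevent who does not own the temporary print file from being able to take control of it" without a subject; suggest "to prevent anyone who does not own the temporary print file from taking control of it". Also check the command line just above it, "chmod a+trw TX /var/spool/samba": if "TX" is not markup residue, chmod will treat it as a file name and the spool directory will not receive the intended mode.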
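Review bot: In the domain-join hunk (@@ -713,12), the unchanged context line "net rpc join -Uroot%'bigsecret'" supplies the administrator password inline; net prompts for the password when the %password part is omitted, which keeps it out of shell history and the process list. Suggest showing "net rpc join -Uroot" followed by the prompt, in the same style as the smbpasswd prompt shown earlier in the chapter (@@ -259,7). The hunk only reworks the indexterm markup, so this is a documentation follow-up.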
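Review bot: The hunk at @@ -137,10 replaces an xref to the example with its title typed out as literal text ("presented in Anonymous Read-Only Server Configuration"). A hard-coded title drifts as soon as the example title is edited and loses the generated example number and link that the xref provided; suggest keeping the xref to the example's id and letting the stylesheet render the title. The same substitution is made in the @@ -662,13, @@ -889,15, @@ -1160,8 and @@ -1231,9 hunks.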
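Review bot: The group-mapping hunk (@@ -993,13) removes the example title "Shell script for initializing group mappings" together with its title markup, so the script no longer has a caption that an xref can target, and the new lead-in "(You could name the script initGroups.sh):" has a capitalized parenthetical with no terminal punctuation. Suggest keeping the titled example and phrasing the lead-in as "Assign each of the UNIX groups to NT groups by executing the following shell script (you could name it initGroups.sh):".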
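Review bot: The @@ -233,12 hunk changes "Microsoft Windows" to "MS Windows" (as does @@ -80,16), but later hunks in the same patch keep "Microsoft Windows" (@@ -419,19 "Microsoft Windows-compatible", @@ -825,25 "a Microsoft Windows network environment"), and @@ -825,25 keeps "Primary Domain Controller (PDC)" capitalized while lowercasing "domain controllers" in the next sentence. Pick one form for each term across the chapter; the terminology edits elsewhere in this patch are otherwise consistent.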