1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!-- entities files to use -->
<!ENTITY % global_entities SYSTEM '../entities/global.entities'>
%global_entities;
]>
<preface id="preface">
<title>Preface</title>
<para>
Network administrators live busy lives. We face distractions and pressures
that drive us to seek proven, working case scenarios that can be easily
implemented. Often this approach lands us in trouble. There is a
saying that, geometrically speaking, the shortest distance between two
points is a straight line, but practically we find that the quickest
route to a stable network solution is the long way around.
</para>
<para>
This book is your means to the straight path. It provides step-by-step,
proven, working examples of Samba deployments. If you want to deploy
Samba-3 with the least effort, or if you want to become an expert at deploying
Samba-3 without having to search through lots of documentation, this
book is the ticket to your destination.
</para>
<para>
Samba is software that can be run on a platform other than Microsoft Windows,
for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
Samba uses the TCP/IP protocol that is installed on the host server. When
correctly configured, it allows that host to interact with a Microsoft Windows
client or server as if it is a Windows file and print server. This book
will help you to implement Windows-compatible file and print services.
</para>
<para>
The examples presented in this book are typical of various businesses and
reflect the problems and challenges they face. Care has been taken to preserve
attitudes, perceptions, practices, and demands from real network case studies.
The maximum benefit may be obtained from this book by working carefully through
each exercise. You may be in a hurry to satisfy a specific need, so feel
free to locate the example that most closely matches your need, copy it, and
innovate as much as you like. Above all, enjoy the process of learning the
secrets of MS Windows networking that is truly liberated by Samba.
</para>
<para>
The focus of attention in this book is Samba-3. Specific notes are made in
respect of how Samba may be made secure. This book does not attempt to provide
detailed information regarding secure operation and configuration of peripheral
services and applications such as OpenLDAP, DNS and DHCP, the need for which
can be met from other resources that are dedicated to the subject.
</para>
<sect1>
<title>Why Is This Book Necessary?</title>
<para>
This book is the result of observations and feedback. The feedback from
the Samba-HOWTO-Collection has been positive and complimentary. There
have been requests for far more worked examples, a
<quote>Samba Cookbook,</quote> and for training materials to
help kick-start the process of mastering Samba.
</para>
<para>
The Samba mailing list's users have asked for sample configuration files
that work. It is natural to question one's own ability to correctly
configure a complex tool such as Samba until a minimum necessary
knowledge level has been attained.
</para>
<para>
The Samba-HOWTO-Collection, as do <emphasis>The Official Samba-3 HOWTO and
Reference Guide</emphasis>, document Samba features and functionality in
a topical context. This book takes a completely different approach. It
walks through Samba network configurations that are working within particular
environmental contexts, providing documented step-by-step implementations.
All example case configuration files, scripts, and other tools are provided
on the CD-ROM. This book is descriptive, provides detailed diagrams, and
makes deployment of Samba-3 a breeze.
</para>
<sect2>
<title>Samba 3.0.12 Update Edition</title>
<para>
The Samba 3.0.x series has been remarkably popular. At the time this book first
went to print samba-3.0.2 was being released. There have been significant modifications
and enhancements between samba-3.0.2 and samba-3.0.11 (the current release) that
necessitate this documentation update. This update has the specific intent to
refocus this books so that its guidance can be followed for samba-3.0.12
and beyond. Further changes are expected as Samba-3 matures further and will
be reflected in future updates.
</para>
<para>
The changes shown in <link linkend="pref-new"/> are incorporated in this update:
</para>
<table id="pref-new">
<title></title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="justify"/>
<thead>
<row>
<entry align="left">
<para>
New Feature
</para>
</entry>
<entry align="left">
<para>
Description
</para>
</entry>
</row>
</thead>
<tbody>
<row>
<entry>
<para>
Winbind Case Handling
</para>
</entry>
<entry>
<para>
User and group names returned by <command>winbindd</command> are now converted to lower case
for better consistency. Samba implementations that depend on the case of information returned
by winbind (such as %u and %U) must now convert the dependency to expecting lower case values.
This affects mail spool files, home directories, valid user lines in the &smb.conf; file, etc.
</para>
</entry>
</row>
<row>
<entry>
<para>
Schema Changes
</para>
</entry>
<entry>
<para>
Addition of code to handle password aging, password uniqueness controls, bad
password instances at logon time, have made necessary extensions to the SambaSAM
schema. This change affects all sites that use LDAP and means that the directory
schema must be updated.
</para>
</entry>
</row>
<row>
<entry>
<para>
Username Map Handling
</para>
</entry>
<entry>
<para>
Samba-3.0.8 redefined the behavior: Local authentication results in a username map file
lookup before authenticating the connection. All authentication via an external domain
controller will result in the use of the fully qualified name (i.e.: DOMAIN\username)
after the user has been successfully authenticated.
</para>
</entry>
</row>
<row>
<entry>
<para>
UNIX extension handling
</para>
</entry>
<entry>
<para>
Symbolicly linked files and directories on the UNIX host to absolute paths will
now be followed. This can be turned off using <quote>wide links = No</quote> in
the share stanza in the &smb.conf; file. Turning off <quote>wide links</quote>
support will degrade server performance because each path must be checked.
</para>
</entry>
</row>
<row>
<entry>
<para>
Privileges Support
</para>
</entry>
<entry>
<para>
Versions of Samba prior to samba-3.0.11 required the use of the UNIX <constant>root</constant>
account from network Windows clients. The new <quote>enable privileges = Yes</quote> capability
means that functions such as adding machines to the domain, managing printers, etc. can now
be delegated to normal user accounts or to groups of users.
</para>
</entry>
</row>
</tbody>
</tgroup>
</table>
</sect2>
</sect1>
<sect1>
<title>Prerequisites</title>
<para>
This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
training is best obtained from books dedicated to the subject. This book
assumes that you have at least the basic skill necessary to use these operating
systems, and that you can use a basic system editor to edit and configure files.
It has been written with the assumption that you have experience with Samba,
have read <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> and
the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
</para>
<para>
If you do not have this experience, you can follow the examples in this book but may
find yourself at times intimidated by assumptions made. In this situation, you
may need to refer to administrative guides or manuals for your operating system
platform to find what is the best method to achieve what the text of this book describes.
</para>
</sect1>
<sect1>
<title>Approach</title>
<para>
The first chapter deals with some rather thorny network analysis issues. Do not be
put off by this. The information you glean, even without a detailed understanding
of network protocol analysis, can help you understand how Windows networking functions.
</para>
<para>
Each following chapter of this book opens with the description of a networking solution
sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
for an imaginary company, <constant>Abmas Biz NL</constant>. We will use the
non-existent domain name <constant>abmas.biz</constant>. All <emphasis>facts</emphasis>
presented regarding this company are fictitious and have been drawn from a variety of real
business scenarios over many years. Not one of these reveal the identify of the
real-world company from which the scenario originated.
</para>
<para>
In any case, Mr. Jordan likes to give all his staff nasty little assignments.
Stanley Saroka is one of his proteges; Christine Roberson is the network administrator
Bob trusts. Jordan is inclined to treat other departments well because they finance
Abmas IT operations.
</para>
<para>
Each chapter presents a summary of the network solution we have chosen to
demonstrate together with a rationale to help you to understand the
thought process that drove that solution. The chapter then documents in precise
detail all configuration files and steps that must be taken to implement the
example solution. Anyone wishing to gain serious value from this book will
do well to take note of the implications of points made, so watch out for the
<emphasis>this means that</emphasis> notations.
</para>
<para>
Each chapter has a set of questions and answers to help you to
to understand and digest key attributes of the solutions presented.
</para>
</sect1>
<sect1>
<title>Summary of Topics</title>
<para>
Our first assignment is to understand how Microsoft Windows products
function in the network environment. That is where we start. Let's take
just a few moments to get a bird's eye view of this book. Remember that
this is a book about file and print technology deployment; there are
great examples of printing solutions. Here we go.
</para>
<variablelist>
<varlistentry>
<term>Chapter 1 &smbmdash; Windows Networking Primer</term><listitem>
<para>
Here we cover practical exercises to help us to understand how MS Windows
network protocols function. A network protocol analyzer helps you to
appreciate the fact that Windows networking is highly dependent on broadcast
messaging. Additionally, you can look into network packets that a Windows
client sends to a network server to set up a network connection. On completion,
you should have a basic understanding of how network browsing functions and
have seen some of the information a Windows client sends to
a file and print server to create a connection over which file and print
operations may take place.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 2 &smbmdash; No Frills Samba Servers</term><listitem>
<para>
Here you design a solution for three different business scenarios, each for a
company called Abmas. There are two simple networking problems and one slightly
more complex networking challenge. In the first two cases, Abmas has a small
simple office, and they want to replace a Windows 9x peer-to-peer network. The
third example business uses Windows 2000 Professional. This must be simple,
so let's see how far we can get. If successful, Abmas grows quickly and
soon needs to replace all servers and workstations.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demands:
<itemizedlist>
<listitem><para>Case 1: The simplest &smb.conf; file that may
reasonably be used. Works with Samba-2.x also. This
configuration uses Share Mode security. Encrypted
passwords are not used, so there is no
<filename>smbpasswd</filename> file.
</para></listitem>
<listitem><para>Case 2: Another simple &smb.conf; file that adds
WINS support and printing support. This case deals with
a special requirement that demonstrates how to deal with
purpose-built software that has a particular requirement
for certain share names and printing demands. This
configuration uses Share Mode security and also works with
Samba-2.x. Encrypted passwords are not used, so there is no
<filename>smbpasswd</filename> file.
</para></listitem>
<listitem><para>Case 3: This &smb.conf; configuration uses User Mode
security. The file share configuration demonstrates
the ability to provide master access to an administrator
while restricting all staff to their own work areas.
Encrypted passwords are used, so there is an implicit
<filename>smbpasswd</filename> file.
</para></listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 3 &smbmdash; Small Office Networking</term><listitem>
<para>
Abmas is a successful company now. They have 50 network users
and want a little more varoom from the network. This is a typical
small office and they want better systems to help them to grow. This is
your chance to really give advanced users a bit more functionality and usefulness.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
makes use of encrypted passwords, so there is an <filename>smbpasswd</filename>
file. It also demonstrates use of the <parameter>valid users</parameter> and
<parameter>valid groups</parameter> to restrict share access. The Windows
clients access the server as Domain members. Mobile users log onto
the Domain while in the office, but use a local machine account while on the
road. The result is an environment that answers mobile computing user needs.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 4 &smbmdash; Secure Office Networking</term><listitem>
<para>
Abmas is growing rapidly now. Money is a little tight, but with 130
network users, security has become a concern. They have many new machines
to install and the old equipment will be retired. This time they want the
new network to scale and grow for at least two years. Start with a sufficient
system and allow room for growth. You are now implementing an Internet
connection and have a few reservations about user expectations.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
makes use of encrypted passwords, and you can use a <filename>tdbsam</filename>
password backend. Domain logons are introduced. Applications are served from the central
server. Roaming profiles are mandated. Access to the server is tightened up
so that only domain members can access server resources. Mobile computing
needs still are catered to.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 5 &smbmdash; The 500 User Office</term><listitem>
<para>
The two-year projections were met. Congratulations, you are a star.
Now Abmas needs to replace the network. Into the existing user base, they
need to merge a 280-user company they just acquired. It is time to build a serious
network. There are now three buildings on one campus and your assignment is
to keep everyone working while a new network is rolled out. Oh, isn't it nice
to roll out brand new clients and servers! Money is no longer tight, you get
to buy and install what you ask for. You will install routers and a firewall.
This is exciting!
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
makes use of encrypted passwords, and a <filename>tdbsam</filename>
password backend is used. You are not ready to launch into LDAP yet, so you
accept the limitation of having one central Domain Controller with a Domain
Member server in two buildings on your campus. A number of clever techniques
are used to demonstrate some of the smart options built into Samba.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 6 &smbmdash; Making Users Happy</term><listitem>
<para>
Congratulations again. Abmas is happy with your services and you have been given another raise.
Your users are becoming much more capable and are complaining about little
things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
to log onto the network and it is killing her productivity. Email is a bit <emphasis>
unreliable</emphasis> &smbmdash; have you been sleeping on the job? We do not discuss the
technology of email but when the use of mail clients breaks because of networking
problems, you had better get on top of it. It's time for a change.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
makes use of encrypted passwords; a distributed <filename>ldapsam</filename>
password backend is used. Roaming profiles are enabled. Desktop profile controls
are introduced. Check out the techniques that can improve the user experience
of network performance. As a special bonus, this chapter documents how to configure
smart downloading of printer drivers for drag-and-drop printing support. And, yes,
the secret of configuring CUPS is clearly documented. Go for it; this one will
tease you, too.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 7 &smbmdash; A Distributed 2000-User Network</term><listitem>
<para>
Only eight months have passed, and Abmas has acquired another company. You now need to expand
the network further. You have to deal with a network that spans several countries.
There are three new networks in addition to the original three buildings at the head-office
campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
and yet it must remain the same. Your team is primed for another roll-out. You know there are
further challenges ahead.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; Slave LDAP servers are introduced. Samba is
configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
technology has been mastered and gets right down to concepts and how to deploy them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 8 &smbmdash; Migrating NT4 Domain to Samba-3</term><listitem>
<para>
Another six months have <?latex \linebreak ?>
passed. Abmas has acquired yet another company. You will find a
way to migrate all users off the old network onto the existing network without loss
of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
you, may you keep your back to the wind and may the sun shine on your face.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demonstrates the use of
the <command>net rpc migrate</command> facility using an LDAP ldapsam backend, and also
using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 9 &smbmdash; Adding UNIX/Linux Servers and Clients</term><listitem>
<para>
Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
You want central control and central support and you need to cut costs. How can you reduce administrative
overheads and yet get better control of the network?
</para>
<para>
This chapter has been contributed by Mark Taylor <email>mark.taylor@siriusit.co.uk</email>
and is based on a live site. For further information regarding this example case,
please contact Mark directly.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; It is time to consider how to add Samba servers
and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
techniques for taking control. Are you ready for this?
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 10 &smbmdash; Active Directory, Kerberos and Security</term><listitem>
<para>
Abmas has acquired another company that has just migrated to running Windows Server 2003 and
Active Directory. One of your staff makes offhand comments that land you in hot water.
A network security auditor is hired by the head of the new business and files a damning
report, and you must address the <emphasis>defects</emphasis> reported. You have hired new
network engineers who want to replace Microsoft Active Directory with a pure Kerberos
solution. How will you handle this?
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; This chapter is your answer. Learn about
share access controls, proper use of UNIX/Linux file system access controls, and Windows
200x Access Control Lists. Follow these steps to beat the critics.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 11 &smbmdash; Integrating Additional Services</term><listitem>
<para>
The battle is almost over, Samba-3 has won the day. Your team are delighted and now you
find yourself at yet another cross-roads. Abmas have acquired a snack food business, you
made promises you must keep. IT costs must be reduced, you have new resistance, but you
will win again. This time you choose to install the Squid proxy server to validate the
fact that Samba is far more than just a file and print server. SPNEGO authentication
support means that your Microsoft Windows clients gain transparent proxy access.
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; Samba provides the <command>ntlm_auth</command>
module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
access control based using the Active Directory Domain user security credentials.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Chapter 12 &smbmdash; Performance, Reliability and Availability</term><listitem>
<para>
Bob, are you sure the new Samba server is up to the load? Your network is serving many
users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
keep the cost under control also? What can go wrong?
</para>
<para><emphasis>TechInfo</emphasis> &smbmdash; Hot tips that put chili into your
network. Avoid name resolution problems, identify potential causes of network collisions,
avoid Samba configuration options that will weigh the server down. MS distributed file
services to make your network fly and much more. This chapter contains a good deal of
<quote>Did I tell you about this...?</quote> type of hints to help keep your name on the top
performers list.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect1>
<!-- the conventions used in this book -->
<xi:include href="conventions.xml" xmlns:xi="http://www.w3.org/2003/XInclude" />
</preface>
|