1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="happy">
<title>Making Happy Users</title>
<para>
It is said that <quote>a day that is without troubles is not fulfilling. Rather, give
me a day of troubles well handled so that I can be content with my achievements.</quote>
</para>
<para>
In the world of computer networks, problems are as varied as the people who create them
or experience them. The design of the network implemented in <link linkend="Big500users"/>
may create problems for some network users. The following lists some of the problems that
may occur:
</para>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>user account</primary></indexterm>
<indexterm><primary>PDC/BDC ratio</primary></indexterm>
<caution><para>
A significant number of network administrators have responded to the guidance given
here. It should be noted that there are sites that have a single PDC for many hundreds of
concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
are among the factors that determine the maximum number of Windows clients that
can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
to operate with only a single PDC over a routed network. What is possible is not necessarily
<emphasis>best practice</emphasis>. When Windows client network logons begin to fail with
the message that the domain controller cannot be found or that the user account cannot
be found (when you know it exists), that may be an indication that the domain controller is
overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute.
</para></caution>
<variablelist>
<varlistentry>
<term>Users experiencing difficulty logging onto the network</term>
<listitem><para>
<indexterm><primary>network</primary><secondary>logon</secondary></indexterm>
<indexterm><primary>multiple domain controllers</primary></indexterm>
When a Windows client logs onto the network, many data packets are exchanged
between the client and the server that is providing the network logon services.
Each request between the client and the server must complete within a specific
time limit. This is one of the primary factors that govern the installation of
multiple domain controllers (usually called secondary or backup controllers).
As a rough rule, there should be one such backup controller for every
30 to 150 clients. The actual limits are determined by network operational
characteristics.
</para>
<para>
If the domain controller provides only network logon services
and all file and print activity is handled by domain member servers, one domain
controller per 150 clients on a single network segment may suffice. In any
case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
per network segment. It is better to have at least one BDC on the network
segment that has a PDC. If the domain controller is also used as a file and
print server, the number of clients it can service reliably is reduced,
and a common rule is not to exceed 30 machines (Windows workstations plus
domain member servers) per domain controller.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Slow logons and log-offs</term>
<listitem><para>
<indexterm><primary>slow logon</primary></indexterm>
Slow logons and log-offs may be caused by many factors that include:
<itemizedlist>
<listitem><para>
<indexterm><primary>NetBIOS</primary><secondary>name resolution</secondary><tertiary>delays</tertiary></indexterm>
<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
Excessive delays in the resolution of a NetBIOS name to its IP
address. This may be observed when an overloaded domain controller
is also the WINS server. Another cause may be the failure to use
a WINS server (this assumes that there is a single network segment).
</para></listitem>
<listitem><para>
<indexterm><primary>traffic collisions</primary></indexterm>
<indexterm><primary>HUB</primary></indexterm>
<indexterm><primary>ethernet switch</primary></indexterm>
Network traffic collisions due to overloading of the network
segment. One short-term workaround to this may be to replace
network HUBs with Ethernet switches.
</para></listitem>
<listitem><para>
<indexterm><primary>networking hardware</primary><secondary>defective</secondary></indexterm>
Defective networking hardware. Over the past few years, we have seen
on the Samba mailing list a significant increase in the number of
problems that were traced to a defective network interface controller,
a defective HUB or Ethernet switch, or defective cabling. In most cases,
it was the erratic nature of the problem that ultimately pointed to
the cause of the problem.
</para></listitem>
<listitem><para>
<indexterm><primary>profile</primary><secondary>roaming</secondary></indexterm>
<indexterm><primary>MS Outlook</primary><secondary>PST file</secondary></indexterm>
Excessively large roaming profiles. This type of problem is typically
the result of poor user education as well as poor network management.
It can be avoided by users not storing huge quantities of email in
MS Outlook PST files as well as by not storing files on the desktop.
These are old bad habits that require much discipline and vigilance
on the part of network management.
</para></listitem>
<listitem><para>
<indexterm><primary>WebClient</primary></indexterm>
You should verify that the Windows XP WebClient service is not running.
The use of the WebClient service has been implicated in many Windows
networking-related problems.
</para></listitem>
</itemizedlist>
</para></listitem>
</varlistentry>
<varlistentry>
<term>Loss of access to network drives and printer resources</term>
<listitem><para>
Loss of access to network resources during client operation may be caused by a number
of factors, including:
</para>
<itemizedlist>
<listitem><para>
<indexterm><primary>network</primary><secondary>overload</secondary></indexterm>
Network overload (typically indicated by a high network collision rate)
</para></listitem>
<listitem><para>
Server overload
</para></listitem>
<listitem><para>
<indexterm><primary>network</primary><secondary>timeout</secondary></indexterm>
Timeout causing the client to close a connection that is in use but has
been latent (no traffic) for some time (5 minutes or more)
</para></listitem>
<listitem><para>
<indexterm><primary>network hardware</primary><secondary>defective</secondary></indexterm>
Defective networking hardware
</para></listitem>
</itemizedlist>
<para>
<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
No matter what the cause, a sudden loss of access to network resources can
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
workstation. In the case of a mild problem, retrying to access the network drive of the printer
may restore operations, but in any case this is a serious problem that may lead to the next
problem, data corruption.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Potential data corruption</term>
<listitem><para>
<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
frustration, and generally precipitates immediate corrective demands. Management response
to this type of problem may be rational, as well as highly irrational. There have been
cases where management has fired network staff for permitting this situation to occur without
immediate correction. There have been situations where perfectly functional hardware was thrown
out and replaced, only to find the problem caused by a low-cost network hardware item. There
have been cases where server operating systems were replaced, or where Samba was updated,
only to later isolate the problem due to defective client software.
</para></listitem>
</varlistentry>
</variablelist>
<para>
In this chapter, you can work through a number of measures that significantly arm you to
anticipate and combat network performance issues. You can work through complex and thorny
methods to improve the reliability of your network environment, but be warned that all such steps
demand the price of complexity.
</para>
<sect1>
<title>Regarding LDAP Directories and Windows Computer Accounts</title>
<para>
<indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
constraints that are described in this section.
</para>
<para>
<indexterm><primary>POSIX</primary></indexterm>
<indexterm><primary>SambaSAMAccount</primary></indexterm>
<indexterm><primary>machine account</primary></indexterm>
<indexterm><primary>trust account</primary></indexterm>
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinguishable from each other, except that
the machine account ends in a $ character, as do trust accounts.
</para>
<para>
<indexterm><primary>account</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
</para>
<para>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The name service
switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
</para>
<para>
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd together with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
</para>
<para>
<indexterm><primary>nss_ldap</primary></indexterm>
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
is fundamentally an LDAP design question. The information provided on the Samba list and
in the documentation is directed at providing working examples only. The design
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
</para>
</sect1>
<sect1>
<title>Introduction</title>
<para>
You just opened an email from Christine that reads:
</para>
<para>
Good morning,
<blockquote><attribution>Christine</attribution><para>
A few months ago we sat down to design the network. We discussed the challenges ahead and we all
agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
that we would have some time to resolve any issues that might be encountered.
</para>
<para>
As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
resigned yesterday afternoon because she was under duress to complete some critical projects. She
suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
of which was lost. She has a unique requirement that involves storing large files on her desktop.
Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
network logon traffic passes over the network links between our buildings, logging on may take
three or four attempts due to blue screen problems associated with network timeouts.
</para>
<para>
A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
limits on what our users can do with their desktops. Otherwise, we face staff losses
that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
with the consequences of what we know we must do than we can with the unrest we have now.
</para>
<para>
Stan and I have discussed the current situation. We are resolved to help our users and protect
the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
regain control of our vital IT operations.
</para></blockquote>
</para>
<para>
<indexterm><primary>compromise</primary></indexterm>
<indexterm><primary>network</primary><secondary>multi-segment</secondary></indexterm>
Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
single domain controller is a poor design that has obvious operational effects that may
frustrate users. Here is your reply:
</para>
<blockquote><attribution>Bob</attribution><para>
Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
proposals to resolve the issues. I am confident that your plans fully realized will significantly
boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
for approval; I appreciate the urgency.
</para></blockquote>
<sect2>
<title>Assignment Tasks</title>
<para>
The priority of assigned tasks in this chapter is:
</para>
<orderedlist>
<listitem><para>
<indexterm><primary>Backup Domain Controller</primary><see>BDC</see></indexterm>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>tdbsam</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm><indexterm><primary>migration</primary></indexterm>
Implement Backup Domain Controllers (BDCs) in each building. This involves
a change from a <emphasis>tdbsam</emphasis> backend that was used in the previous
chapter to an LDAP-based backend.
</para>
<para>
You can implement a single central LDAP server for this purpose.
</para></listitem>
<listitem><para>
<indexterm><primary>logon time</primary></indexterm>
<indexterm><primary>network share</primary></indexterm>
<indexterm><primary>default profile</primary></indexterm>
<indexterm><primary>profile</primary><secondary>default</secondary></indexterm>
Rectify the problem of excessive logon times. This involves redirection of
folders to network shares as well as modification of all user desktops to
exclude the redirected folders from being loaded at login time. You can also
create a new default profile that can be used for all new users.
</para></listitem>
</orderedlist>
<para>
<indexterm><primary>disk image</primary></indexterm>
You configure a new MS Windows XP Professional workstation disk image that you roll out
to all desktop users. The instructions you have created are followed on a staging machine
from which all changes can be carefully tested before inflicting them on your network users.
</para>
<para>
<indexterm><primary>CUPS</primary></indexterm>
This is the last network example in which specific mention of printing is made. The example
again makes use of the CUPS printing system.
</para>
</sect2>
</sect1>
<sect1>
<title>Dissection and Discussion</title>
<para>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>OpenLDAP</primary></indexterm>
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
LDAP servers in current use with Samba-3 include:
</para>
<itemizedlist>
<listitem><para>
<indexterm><primary>eDirectory</primary></indexterm>
Novell <ulink url="http://www.novell.com/products/edirectory/">eDirectory</ulink>
is being successfully used by some sites. Information on how to use eDirectory can be
obtained from the Samba mailing lists or from Novell.
</para></listitem>
<listitem><para>
<indexterm><primary>Tivoli Directory Server</primary></indexterm>
IBM <ulink url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli
Directory Server</ulink> can be used to provide the Samba LDAP backend. Example schema
files are provided in the Samba source code tarball under the directory
<filename>~samba/example/LDAP.</filename>
</para></listitem>
<listitem><para>
<indexterm><primary>Sun ONE Identity Server</primary></indexterm>
Sun <ulink url="http://www.sun.com/software/sunone/identity/index.html">ONE Identity
Server product suite</ulink> provides an LDAP server that can be used for Samba.
Example schema files are provided in the Samba source code tarball under the directory
<filename>~samba/example/LDAP.</filename>
</para></listitem>
</itemizedlist>
<para>
A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
offerings, it requires that you manually edit the server configuration files and manually
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
</para>
<para>
<indexterm><primary>Active Directory</primary></indexterm>
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
</para>
<para>
<indexterm><primary>Identity Management</primary></indexterm>
<indexterm><primary>high availability</primary></indexterm>
<indexterm><primary>directory</primary><secondary>replication</secondary></indexterm>
<indexterm><primary>directory</primary><secondary>synchronization</secondary></indexterm>
<indexterm><primary>performance</primary></indexterm>
<indexterm><primary>directory</primary><secondary>management</secondary></indexterm>
<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
High availability operation may be obtained through directory replication/synchronization and
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
The price paid through learning how to design an LDAP directory schema in implementation and configuration
of management tools is well rewarded by performance and flexibility and the freedom to manage directory
contents with greater ability to back up, restore, and modify the directory than is generally possible
with Microsoft Active Directory.
</para>
<para>
<indexterm><primary>comparison</primary><secondary>Active Directory & OpenLDAP</secondary></indexterm>
<indexterm><primary>ADAM</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>OpenLDAP</primary></indexterm>
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
who wants to build a custom directory solution. Microsoft provides an application called
<ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
MS ADAM</ulink> that provides more generic LDAP services, yet it does not have the vanilla-like services
of OpenLDAP.
</para>
<para>
<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
<indexterm><primary>passdb backend</primary></indexterm>
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
tools and the creation of shell and Perl scripts a bit
challenging. OpenLDAP can be easily customized, though it includes
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
that is required for use as a passdb backend.
</para>
<para>
<indexterm><primary>interoperability</primary></indexterm>
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
The Web-based tools you might like to consider include the
<ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM) and the Webmin-based
<ulink url="http://www.webmin.com">Webmin</ulink> Idealx
<ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>.
</para>
<para>
Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
these, so it may be useful to them:
<ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser;
LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink>
<ulink url="http://www.jxplorer.org/">; JXplorer</ulink> (by Computer Associates);
and <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>.
</para>
<note><para>
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
LDAP before attempting to deploy it in a business-critical environment.
</para></note>
<para>
Information to help you get started with OpenLDAP is available from the
<ulink url="http://www.openldap.org/pub/">OpenLDAP web site</ulink>. Many people have found the book
<ulink url="http://www.booksense.com/product/info.jsp?isbn=1565924916"><emphasis>LDAP System Administration</emphasis>,</ulink>
by Jerry Carter quite useful.
</para>
<para>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>network</primary><secondary>segment</secondary></indexterm>
<indexterm><primary>performance</primary></indexterm>
<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
be loaded over the WAN connection. The addition of BDCs on each network segment significantly
improves overall network performance for most users, but it is not enough. You must gain control over
user desktops, and this must be done in a way that wins their support and does not cause further loss of
staff morale. The following procedures solve this problem.
</para>
<para>
<indexterm><primary>smart printing</primary></indexterm>
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
so that future printer changes can be managed without need to change desktop configurations.
</para>
<para>
You add the ability to automatically download new printer drivers, even if they are not installed
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
you can extrapolate the principles and use them to install all printers that may be needed.
</para>
<sect2>
<title>Technical Issues</title>
<para>
<indexterm><primary>identity</primary><secondary>management</secondary></indexterm>
<indexterm><primary>directory</primary><secondary>server</secondary></indexterm>
<indexterm><primary>Posix</primary></indexterm>
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
attributes Samba needs. Samba-3 can use the LDAP backend to store:
</para>
<itemizedlist>
<listitem><para>Windows Networking User Accounts</para></listitem>
<listitem><para>Windows NT Group Accounts</para></listitem>
<listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
<listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
</itemizedlist>
<para>
<indexterm><primary>UNIX accounts</primary></indexterm>
<indexterm><primary>Windows accounts</primary></indexterm>
<indexterm><primary>PADL LDAP tools</primary></indexterm>
<indexterm><primary>/etc/group</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>name service switch</primary><see>NSS</see></indexterm>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>UID</primary></indexterm>
<indexterm><primary>nss_ldap</primary></indexterm>
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
accounts in the LDAP backend. This implies the need to use the
<ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution
of the UNIX group name to its GID must be enabled from either the <filename>/etc/group</filename>
or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> tool-set
that integrates with the NSS. The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
</para>
<figure id="sbehap-LDAPdiag">
<title>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</title>
<imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
</figure>
<para>
<indexterm><primary>security</primary></indexterm>
<indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm>
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
ought to learn how to configure secure communications over LDAP so that site security is not
at risk. This is not covered in the following guidance.
</para>
<para>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>LDAP Interchange Format</primary><see>LDIF</see></indexterm>
<indexterm><primary>LDIF</primary></indexterm>
<indexterm><primary>secrets.tdb</primary></indexterm>
When OpenLDAP has been made operative, you configure the PDC called <constant>MASSIVE</constant>.
You initialize the Samba <filename>secrets.tdb<subscript></subscript></filename> file. Then you
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
You need to decide how best to create user and group accounts. A few hints are, of course, provided.
You can also find on the enclosed CD-ROM, in the <filename>Chap06</filename> directory, a few tools
that help to manage user and group configuration.
</para>
<para>
<indexterm><primary>folder redirection</primary></indexterm>
<indexterm><primary>default profile</primary></indexterm>
<indexterm><primary>roaming profile</primary></indexterm>
In order to effect folder redirection and to add robustness to the implementation,
create a network default profile. All network users workstations are configured to use
the new profile. Roaming profiles will automatically be deleted from the workstation
when the user logs off.
</para>
<para>
<indexterm><primary>mandatory profile</primary></indexterm>
The profile is configured so that users cannot change the appearance
of their desktop. This is known as a mandatory profile. You make certain that users
are able to use their computers efficiently.
</para>
<para>
<indexterm><primary>logon script</primary></indexterm>
A network logon script is used to deliver flexible but consistent network drive
connections.
</para>
<sect3 id="sbehap-ppc">
<title>Addition of Machines to the Domain</title>
<para>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
<constant>Privileges</constant>, which provides five new privileges that
can be assigned to users and/or groups; see Table 5.1.
</para>
<table id="sbehap-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry align="left">Privilege</entry>
<entry align="left">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>SeMachineAccountPrivilege</para></entry>
<entry><para>Add machines to domain</para></entry>
</row>
<row>
<entry><para>SePrintOperatorPrivilege</para></entry>
<entry><para>Manage printers</para></entry>
</row>
<row>
<entry><para>SeAddUsersPrivilege</para></entry>
<entry><para>Add users and groups to the domain</para></entry>
</row>
<row>
<entry><para>SeRemoteShutdownPrivilege</para></entry>
<entry><para>Force shutdown from a remote system</para></entry>
</row>
<row>
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
In this network example use is made of one of the supported privileges purely to demonstrate
how any user can now be given the ability to add machines to the domain using a normal user account
that has been given the appropriate privileges.
</para>
</sect3>
<sect3>
<title>Roaming Profile Background</title>
<para>
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
</para>
<para>
<indexterm><primary>roaming profile</primary></indexterm>
<indexterm><primary>HKEY_CURRENT_USER</primary></indexterm>
<indexterm><primary>NTUSER.DAT</primary></indexterm>
<indexterm><primary>%USERNAME%</primary></indexterm>
An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
<filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
network with the default configuration of MS Windows NT/200x/XPP, all this data is
copied to the local machine under the <filename>C:\Documents and Settings\%USERNAME%</filename>
directory. While the user is logged in, any changes made to any of these folders or to the
<constant>HKEY_CURRENT_USER</constant> branch of the registry are made to the local copy
of the profile. At logout the profile data is copied back to the server. This behavior
can be changed through appropriate registry changes and/or through changes to the default
user profile. In the latter case, it updates the registry with the values that are set in the
profile <filename>NTUSER.DAT</filename>
file.
</para>
<para>
The first challenge is to reduce the amount of data that must be transferred to and
from the profile server as roaming profiles are processed. This includes removing
all the shortcuts in the Recent directory, making sure the cache used by the Web browser
is not being dumped into the <filename>Application Data</filename> folder, removing the
Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
user to not place large files on the desktop and to use his or her mapped home directory
instead of the <filename>My Documents</filename> folder for saving documents.
</para>
<para>
<indexterm><primary>My Documents</primary></indexterm>
Using a folder other than <filename>My Documents</filename> is a nuisance for
some users, since many applications use it by default.
</para>
<para>
<indexterm><primary>roaming profiles</primary></indexterm>
<indexterm><primary>Local Group Policy</primary></indexterm>
<indexterm><primary>NTUSER.DAT</primary></indexterm>
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
being copied back and forth, without losing any functionality. This is not difficult;
it can be done by making changes to the Local Group Policy on each client as well
as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
</para>
<para>
<indexterm><primary>Network Default Profile</primary></indexterm>
<indexterm><primary>redirected folders</primary></indexterm>
Every user profile has its own <filename>NTUSER.DAT</filename> file. This means
you need to edit every user's profile, unless a better method can be
followed. Fortunately, with the right preparations, this is not difficult.
It is possible to remove the <filename>NTUSER.DAT</filename> file from each
user's profile. Then just create a Network Default Profile. Of course, it is
necessary to copy all files from redirected folders to the network share to which
they are redirected.
</para>
</sect3>
<sect3 id="sbehap-locgrppol">
<title>The Local Group Policy</title>
<para>
<indexterm><primary>Group Policy Objects</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>Group Policy editor</primary></indexterm>
Without an Active Directory PDC, you cannot take full advantage of Group Policy
Objects. However, you can still make changes to the Local Group Policy by using
the Group Policy editor (<command>gpedit.msc</command>).
</para>
<para>
The <emphasis>Exclude directories in roaming profile</emphasis> settings can
be found under
<menuchoice>
<guimenu>User Configuration</guimenu>
<guimenuitem>Administrative Templates</guimenuitem>
<guimenuitem>System</guimenuitem>
<guimenuitem>User Profiles</guimenuitem>
</menuchoice>.
By default this setting contains
<quote>Local Settings; Temporary Internet Files; History; Temp</quote>.
</para>
<para>
Simply add the folders you do not wish to be copied back and forth to this
semicolon-separated list. Note that this change must be made on all clients
that are using roaming profiles.
</para>
</sect3>
<sect3>
<title>Profile Changes</title>
<para>
<indexterm><primary>NTUSER.DAT</primary></indexterm>
<indexterm><primary>%USERNAME%</primary></indexterm>
There are two changes that should be done to each user's profile. Move each of
the directories that you have excluded from being copied back and forth out of
the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
to point to the new paths that are shared over the network instead of to the default
path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
</para>
<para>
<indexterm><primary>Default User</primary></indexterm>
<indexterm><primary>regedt32</primary></indexterm>
The above modifies existing user profiles. So that newly created profiles have
these settings, you need to modify the <filename>NTUSER.DAT</filename> in
the <filename>C:\Documents and Settings\Default User</filename> folder on each
client machine, changing the same registry keys. You could do this by copying
<filename>NTUSER.DAT</filename> to a Linux box and using <command>regedt32</command>.
The basic method is described under <link linkend="redirfold"/>.
</para>
</sect3>
<sect3>
<title>Using a Network Default User Profile</title>
<para>
<indexterm><primary>NETLOGON</primary></indexterm>
<indexterm><primary>NTUSER.DAT</primary></indexterm>
If you are using Samba as your PDC, you should create a file share called
<constant>NETLOGON</constant> and within that create a directory called
<filename>Default User</filename>, which is a copy of the desired default user
configuration (including a copy of <filename>NTUSER.DAT</filename>).
If this share exists and the <filename>Default User</filename> folder exists,
the first login from a new account pulls its configuration from it.
See also <ulink url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
the Real Men Don't Click</ulink> Web site.
</para>
</sect3>
<sect3>
<title>Installation of Printer Driver Auto-Download</title>
<para>
<indexterm><primary>printing</primary><secondary>dumb</secondary></indexterm>
<indexterm><primary>dumb printing</primary></indexterm>
<indexterm><primary>Raw Print Through</primary></indexterm>
The subject of printing is quite topical. Printing problems run second place to name
resolution issues today. So far in this book, you have experienced only what is generally
known as <quote>dumb</quote> printing. Dumb printing is the arrangement by which all drivers
are manually installed on each client and the printing subsystems perform no filtering
or intelligent processing. Dumb printing is easily understood. It usually works without
many problems, but it has its limitations also. Dumb printing is better known as
<command>Raw-Print-Through</command> printing.
</para>
<para>
<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
<indexterm><primary>printing</primary><secondary>point-n-click</secondary></indexterm>
Samba permits the configuration of <command>smart</command> printing using the Microsoft
Windows point-and-click (also called drag-and-drop) printing. What this provides is
essentially the ability to print to any printer. If the local client does not yet have a
driver installed, the driver is automatically downloaded from the Samba server and
installed on the client. Drag-and-drop printing is neat; it means the user never needs
to fuss with driver installation, and that is a <trademark>Good Thing,</trademark>
isn't it?
</para>
<para>
There is a further layer of print job processing that is known as <command>intelligent</command>
printing that automatically senses the file format of data submitted for printing and
then invokes a suitable print filter to convert the incoming data stream into a format
suited to the printer to which the job is dispatched.
</para>
<para>
<indexterm><primary>CUPS</primary></indexterm>
<indexterm><primary>Easy Software Products</primary></indexterm>
<indexterm><primary>Postscript</primary></indexterm>
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
detect the data format and apply a print filter. This means that it is feasible to install
on all Windows clients a single printer driver for use with all printers that are routed
through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
<ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have
released a PostScript printing driver for Windows. It can be installed into the Samba
printing backend so that it automatically downloads to the client when needed.
</para>
<para>
This means that so long as there is a CUPS driver for the printer, all printing from Windows
software can use PostScript, no matter what the actual printer language for the physical
device is. It also means that the administrator can swap out a printer with a totally
different type of device without ever needing to change a client workstation driver.
</para>
<para>
This book is about Samba-3, so you can confine the printing style to just the smart
style of installation. Those interested in further information regarding intelligent
printing should review documentation on the Easy Software Products Web site.
</para>
</sect3>
<sect3 id="sbeavoid">
<title>Avoiding Failures: Solving Problems Before They Happen</title>
<para>
It has often been said that there are three types of people in the world: those who
have sharp minds and those who forget things. Please do not ask what the third group
is like! Well, it seems that many of us have company in the second group. There must
be a good explanation why so many network administrators fail to solve apparently
simple problems efficiently and effectively.
</para>
<para>
Here are some diagnostic guidelines that can be referred to when things go wrong:
</para>
<sect4>
<title>Preliminary Advice: Dangers Can Be Avoided</title>
<para>
The best advice regarding how to mend a broken leg is <quote>Never break a leg!</quote>
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
</para>
<para>
If you are now asking yourself how problems can be avoided, the best advice is to start
out your learning experience with a <emphasis>known-good configuration.</emphasis> After
you have seen a fully working solution, a good way to learn is to make slow and progressive
changes that cause things to break, then observe carefully how and why things ceased to work.
</para>
<para>
The examples in this chapter (also in the book as a whole) are known to work. That means
that they could serve as the kick-off point for your journey through fields of knowledge.
Use this resource carefully; we hope it serves you well.
</para>
<warning><para>
Do not be lulled into thinking that you can easily adopt the examples in this
book and adapt them without first working through the examples provided. A little
thing overlooked can cause untold pain and may permanently tarnish your experience.
</para></warning>
</sect4>
<sect4>
<title>The Name Service Caching Daemon</title>
<para>
The name service caching daemon (nscd) is a primary cause of difficulties with name
resolution, particularly where <command>winbind</command> is used. Winbind does its
own caching, thus nscd causes double caching which can lead to peculiar problems during
debugging. As a rule, it is a good idea to turn off the name service caching daemon.
</para>
<para>
Operation of the name service caching daemon is controlled by the
<filename>/etc/nscd.conf</filename> file. Typical contents of this file are as follows:
<screen>
# /etc/nscd.conf
# An example Name Service Cache config file. This file is needed by nscd.
# Legal entries are:
# logfile <file>
# debug-level <level>
# threads <threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
# stat-user <user who is allowed to request statistics>
# reload-count unlimited|<number>
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
# persistent <service> <yes|no>
# shared <service> <yes|no>
# Currently supported cache names (services): passwd, group, hosts
# logfile /var/log/nscd.log
# threads 6
# server-user nobody
# stat-user somebody
debug-level 0
# reload-count 5
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
# cache hosts will cause your local system to not be able to trust
# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
# this sort of security mechanism. Use a caching DNS server instead.
enable-cache hosts no
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
</screen>
It is feasible to comment out the <constant>passwd</constant> and <constant>group</constant>
entries so they will not be cached. Alternatively, it is often simpler to just disable the
<command>nscd</command> service by executing (on Novell SUSE Linux):
<screen>
&rootprompt; chkconfig nscd off
&rootprompt; rcnscd off
</screen>
</para>
</sect4>
<sect4>
<title>Debugging LDAP</title>
<para>
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
<indexterm><primary>loglevel</primary></indexterm>
<indexterm><primary>slapd</primary></indexterm>
In the example <filename>/etc/openldap/slapd.conf</filename> control file
(see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
and restart <command>slapd</command>.
</para>
<para>
<indexterm><primary>/etc/syslog.conf</primary></indexterm>
<indexterm><primary>/var/log/ldaplogs</primary></indexterm>
LDAP log information can be directed into a file that is separate from the normal system
log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
contents:
<screen>
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
local4.* -/var/log/ldaplogs
</screen>
In this case, all LDAP-related logs will be directed to the file
<filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
The snippet provides a simple example of usage that can be modified to suit
local site needs. The configuration used later in this chapter reflects such
customization with the intent that LDAP log files will be stored at a location
that meets local site needs and wishes more fully.
</para>
</sect4>
<sect4>
<title>Debugging NSS_LDAP</title>
<para>
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
<filename>/etc/ldap.conf</filename> file the following parameters:
<screen>
debug 256
logdir /data/logs
</screen>
Create the log directory as follows:
<screen>
&rootprompt; mkdir /data/logs
</screen>
</para>
<para>
The diagnostic process should follow these steps:
</para>
<procedure>
<title>NSS_LDAP Diagnostic Steps</title>
<step><para>
Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
tree location that was chosen when the directory was first created.
</para>
<para>
One way this can be done is by executing:
<screen>
&rootprompt; slapcat | grep Group | grep dn
dn: ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
</screen>
The first line is the DIT entry point for the container for POSIX groups. The correct entry
for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
parameter therefore is the distinguished name (dn) as applied here:
<screen>
nss_base_group ou=Groups,dc=abmas,dc=biz?one
</screen>
The same process may be followed to determine the appropriate dn for user accounts.
If the container for computer accounts is not the same as that for users (see the &smb.conf;
file entry for <constant>ldap machine suffix</constant>), it may be necessary to set the
following DIT dn in the <filename>/etc/ldap.conf</filename> file:
<screen>
nss_base_passwd dc=abmas,dc=biz?sub
</screen>
This instructs LDAP to search for machine as well as user entries from the top of the DIT
down. This is inefficient, but at least should work. Note: It is possible to specify multiple
<constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file; they
will be evaluated sequentially. Let us consider an example of use where the following DIT
has been implemented:
</para>
<para>
<itemizedlist>
<listitem><para>All user accounts are stored under the DIT: ou=Users,dc=abmas,dc=biz</para></listitem>
<listitem><para>All user login accounts are under the DIT: ou=People,ou-Users,dc=abmas,dc=biz</para></listitem>
<listitem><para>All computer accounts are under the DIT: ou=Computers,ou=Users,dc=abmas,dc=biz</para></listitem>
</itemizedlist>
</para>
<para>
The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
in the <filename>/etc/ldap.conf</filename> file may be:
<screen>
nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
</screen>
</para></step>
<step><para>
Perform lookups such as:
<screen>
&rootprompt; getent passwd
</screen>
Each such lookup will create an entry in the <filename>/data/log</filename> directory
for each such process executed. The contents of each file created in this directory
may provide a hint as to the cause of the a problem that is under investigation.
</para></step>
<step><para>
For additional diagnostic information, check the contents of the <filename>/var/log/messages</filename>
to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
a successful lookup:
<screen>
slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
(IP=0.0.0.0:389)
slapd[12164]: conn=0 op=0 BIND dn="" method=128
slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
slapd[12164]: conn=0 op=2 UNBIND
slapd[12164]: conn=0 fd=10 closed
slapd[12164]: conn=1 fd=10 ACCEPT from
IP=127.0.0.1:33540 (IP=0.0.0.0:389)
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" method=128
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=1 op=1 SRCH
base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
filter="(objectClass=posixAccount)"
slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
nentries=2 text=
slapd[12164]: conn=1 fd=10 closed
</screen>
</para></step>
<step><para>
Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
<filename>/etc/ldap.secrets</filename> file is correct, as specified in the
<filename>/etc/openldap/slapd.conf</filename> file.
</para></step>
</procedure>
</sect4>
<sect4>
<title>Debugging Samba</title>
<para>
The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems:
<screen>
[global]
...
log level = 5
log file = /var/log/samba/%m.log
max log size = 0
...
</screen>
This will result in the creation of a separate log file for every client from which connections
are made. The log file will be quite verbose and will grow continually. Do not forget to
change these lines to the following when debugging has been completed:
<screen>
[global]
...
log level = 1
log file = /var/log/samba/%m.log
max log size = 50
...
</screen>
</para>
<para>
The log file can be analyzed by executing:
<screen>
&rootprompt; cd /var/log/samba
&rootprompt; grep -v "^\[200" machine_name.log
</screen>
</para>
<para>
Search for hints of what may have failed by looking for the words <emphasis>fail</emphasis>
and <emphasis>error</emphasis>.
</para>
</sect4>
<sect4>
<title>Debugging on the Windows Client</title>
<para>
MS Windows 2000 Professional and Windows XP Professional clients can be configured
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
version of MS Windows.
</para>
</sect4>
</sect3>
</sect2>
<sect2>
<title>Political Issues</title>
<para>
MS Windows network users are generally very sensitive to limits that may be imposed when
confronted with locked-down workstation configurations. The challenge you face must
be promoted as a choice between reliable, fast network operation and a constant flux
of problems that result in user irritation.
</para>
</sect2>
<sect2>
<title>Installation Checklist</title>
<para>
You are starting a complex project. Even though you went through the installation of a complex
network in <link linkend="Big500users"/>, this network is a bigger challenge because of the
large number of complex applications that must be configured before the first few steps
can be validated. Take stock of what you are about to undertake, prepare yourself, and
frequently review the steps ahead while making at least a mental note of what has already
been completed. The following task list may help you to keep track of the task items
that are covered:
</para>
<itemizedlist>
<listitem><para>Samba-3 PDC Server Configuration</para>
<orderedlist>
<listitem><para>DHCP and DNS servers</para></listitem>
<listitem><para>OpenLDAP server</para></listitem>
<listitem><para>PAM and NSS client tools</para></listitem>
<listitem><para>Samba-3 PDC</para></listitem>
<listitem><para>Idealx smbldap scripts</para></listitem>
<listitem><para>LDAP initialization</para></listitem>
<listitem><para>Create user and group accounts</para></listitem>
<listitem><para>Printers</para></listitem>
<listitem><para>Share point directory roots</para></listitem>
<listitem><para>Profile directories</para></listitem>
<listitem><para>Logon scripts</para></listitem>
<listitem><para>Configuration of user rights and privileges</para></listitem>
</orderedlist>
</listitem>
<listitem><para>Samba-3 BDC Server Configuration</para>
<orderedlist>
<listitem><para>DHCP and DNS servers</para></listitem>
<listitem><para>PAM and NSS client tools</para></listitem>
<listitem><para>Printers</para></listitem>
<listitem><para>Share point directory roots</para></listitem>
<listitem><para>Profiles directories</para></listitem>
</orderedlist>
</listitem>
<listitem><para>Windows XP Client Configuration</para>
<orderedlist>
<listitem><para>Default profile folder redirection</para></listitem>
<listitem><para>MS Outlook PST file relocation</para></listitem>
<listitem><para>Delete roaming profile on logout</para></listitem>
<listitem><para>Upload printer drivers to Samba servers</para></listitem>
<listitem><para>Install software</para></listitem>
<listitem><para>Creation of roll-out images</para></listitem>
</orderedlist>
</listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1>
<title>Samba Server Implementation</title>
<para>
<indexterm><primary>file servers</primary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
that you will install additional file servers and possibly additional BDCs.
</para>
<figure id="chap6net">
<title>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend</title>
<imagefile scale="50">chap6-net</imagefile>
</figure>
<para>
<indexterm><primary>SUSE Linux</primary></indexterm>
<indexterm><primary>Red Hat Linux</primary></indexterm>
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
adjust the locations for your particular Linux system distribution/implementation.
</para>
<note><para>
The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
please verify that the versions you are about to use are matching. The smbldap-tools package
uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
issued for POSIX accounts. The LDAP rdn under which this information is stored are called
<constant>uidNumber</constant> and <constant>gidNumber</constant> respectively. These may be
located in any convenient part of the directory information tree (DIT). In the examples that
follow they have been located under <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>.
They could just as well be located under the rdn <constant>cn=NextFreeUnixId</constant>.
</para></note>
<para>
The steps in the process involve changes from the network configuration shown in
<link linkend="Big500users"/>. Before implementing the following steps, you must
have completed the network implementation shown in that chapter. If you are starting
with newly installed Linux servers, you must complete the steps shown in
<link linkend="ch5-dnshcp-setup"/> before commencing at <link linkend="ldapsetup"/>.
</para>
<sect2 id="ldapsetup">
<title>OpenLDAP Server Configuration</title>
<para>
<indexterm><primary>nss_ldap</primary></indexterm>
<indexterm><primary>pam_ldap</primary></indexterm>
<indexterm><primary>openldap</primary></indexterm>
Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
</para>
<table id="oldapreq">
<title>Required OpenLDAP Linux Packages</title>
<tgroup cols="3">
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry align="center">SUSE Linux 8.x</entry>
<entry align="center">SUSE Linux 9.x</entry>
<entry align="center">Red Hat Linux</entry>
</row>
</thead>
<tbody>
<row>
<entry>nss_ldap</entry>
<entry>nss_ldap</entry>
<entry>nss_ldap</entry>
</row>
<row>
<entry>pam_ldap</entry>
<entry>pam_ldap</entry>
<entry>pam_ldap</entry>
</row>
<row>
<entry>openldap2</entry>
<entry>openldap2</entry>
<entry>openldap</entry>
</row>
<row>
<entry>openldap2-client</entry>
<entry>openldap2-client</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
follow these guidelines, the resulting system should work fine.
</para>
<procedure>
<title>OpenLDAP Server Configuration Steps</title>
<step><para>
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
<filename>/etc/openldap</filename>.
</para></step>
<step><para>
<indexterm><primary>/data/ldap</primary></indexterm>
<indexterm><primary>group account</primary></indexterm>
<indexterm><primary>user account</primary></indexterm>
Remove all files from the directory <filename>/data/ldap</filename>, making certain that
the directory exists with permissions:
<screen>
&rootprompt; ls -al /data | grep ldap
drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
</screen>
This may require you to add a user and a group account for LDAP if they do not exist.
</para></step>
<step><para>
<indexterm><primary>DB_CONFIG</primary></indexterm>
Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
<filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
has been started, it is possible to cause the new settings to take effect by shutting down
the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
<filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server.
</para></step>
<step><para>
<indexterm><primary>syslog</primary></indexterm>
Performance logging can be enabled and should preferably be sent to a file on
a file system that is large enough to handle significantly sized logs. To enable
the logging at a verbose level to permit detailed analysis, uncomment the entry in
the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>.
</para>
<para>
Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end
of the file:
<screen>
local4.* -/data/ldap/log/openldap.log
</screen>
Note: The path <filename>/data/ldap/log</filename> should be set at a location
that is convenient and that can store a large volume of data.
</para></step>
</procedure>
<example id="sbehap-dbconf">
<title>LDAP DB_CONFIG File</title>
<screen>
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir /var/log/bdb
set_flags DB_LOG_AUTOREMOVE
</screen>
</example>
<example id="sbehap-slapdconf">
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
<screen>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to dn.base=""
by self write
by * auth
access to attr=userPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * read
by anonymous auth
#loglevel 256
schemacheck on
idletimeout 30
backend bdb
database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"
# rootpw = not24get
rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
directory /data/ldap
</screen>
</example>
<example id="sbehap-slapdconf2">
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
<screen>
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</screen>
</example>
</sect2>
<sect2 id="sbehap-PAM-NSS">
<title>PAM and NSS Client Configuration</title>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>PAM</primary></indexterm>
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
</para>
<para>
<indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm>
<indexterm><primary>pam_unix2.so</primary></indexterm>
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
correct configuration of PAM. The <command>pam_ldap</command> open source package provides the
PAM modules that most people would use. On SUSE Linux systems, the <command>pam_unix2.so</command>
module also has the ability to redirect authentication requests through LDAP.
</para>
<para>
<indexterm><primary>YaST</primary></indexterm>
<indexterm><primary>SUSE Linux</primary></indexterm>
<indexterm><primary>Red Hat Linux</primary></indexterm>
<indexterm><primary>authconfig</primary></indexterm>
You have chosen to configure these services by directly editing the system files, but of course, you
know that this configuration can be done using system tools provided by the Linux system vendor.
SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
<guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <command>authconfig</command>
tool for this.
</para>
<procedure>
<title>PAM and NSS Client Configuration Steps</title>
<step><para>
<indexterm><primary>/lib/libnss_ldap.so.2</primary></indexterm>
<indexterm><primary>/etc/ldap.conf</primary></indexterm>
<indexterm><primary>nss_ldap</primary></indexterm>
Execute the following command to find where the <filename>nss_ldap</filename> module
expects to find its control file:
<screen>
&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
</screen>
The preferred and usual location is <filename>/etc/ldap.conf</filename>.
</para></step>
<step><para>
On the server <constant>MASSIVE</constant>, install the file shown in
<link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
<link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
</para></step>
<example id="sbehap-nss01">
<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
<screen>
host 127.0.0.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl off
</screen>
</example>
<example id="sbehap-nss02">
<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
<screen>
host 172.16.0.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl off
</screen>
</example>
<step><para>
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
control user and group resolution will obtain information from the normal system files as
well as from <command>ldap</command>:
<screen>
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
</screen>
Later, when the LDAP database has been initialized and user and group accounts have been
added, you can validate resolution of the LDAP resolver process. The inclusion of
WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
resolved to their IP addresses, whether or not they are DHCP clients.
</para>
<note><para>
Some Linux systems (Novell SUSE Linux in particular) add entries to the <filename>nsswitch.conf</filename>
file that may cause operational problems with the configuration methods adopted in this book. It is
advisable to comment out the entries <constant>passwd_compat</constant> and <constant>group_compat</constant>
where they are found in this file.
</para></note>
<para>
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
<filename>nsswitch.conf</filename> file is a significant cause of operational problems with LDAP.
</para></step>
<step><para>
<indexterm><primary>pam_unix2.so</primary><secondary>use_ldap</secondary></indexterm>
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
files in the <filename>/etc/pam.d</filename> directory: <command>login</command>, <command>password</command>,
<command>samba</command>, <command>sshd</command>. In each file, locate every entry that has the
<command>pam_unix2.so</command> entry and add to the line the entry <command>use_ldap</command> as shown
for the <command>login</command> module in this example:
<screen>
#%PAM-1.0
auth requisite pam_unix2.so nullok use_ldap #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so use_ldap
password required pam_pwcheck.s nullok
password required pam_unix2.so nullok use_first_pass \
use_authtok use_ldap
session required pam_unix2.so none use_ldap # debug or trace
session required pam_limits.so
</screen>
</para>
<para>
<indexterm><primary>pam_ldap.so</primary></indexterm>
On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
<screen>
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix2.so nullok try_first_pass #set_secrpc
account sufficient pam_ldap.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_ldap.so use_first_pass use_authtok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so
</screen>
This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
implementation, but if the <command>pam_unix2.so</command> on your system supports
LDAP, you probably want to use it rather than add an additional module.
</para></step>
</procedure>
</sect2>
<sect2 id="sbehap-massive">
<title>Samba-3 PDC Configuration</title>
<para>
<indexterm><primary>Samba RPM Packages</primary></indexterm>
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
choice to either build your own or obtain the packages from a dependable source.
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
is included with this book.
</para>
<procedure>
<title>Configuration of PDC Called <constant>MASSIVE</constant></title>
<step><para>
Install the files in <link linkend="sbehap-massive-smbconfa"/>,
<link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>,
and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename>
directory. The three files should be added together to form the &smb.conf;
master file. It is a good practice to call this file something like
<filename>smb.conf.master</filename> and then to perform all file edits
on the master file. The operational &smb.conf; is then generated as shown in
the next step.
</para></step>
<step><para>
<indexterm><primary>testparm</primary></indexterm>
Create and verify the contents of the &smb.conf; file that is generated by:
<screen>
&rootprompt; testparm -s smb.conf.master > smb.conf
</screen>
Immediately follow this with the following:
<screen>
&rootprompt; testparm
</screen>
The output that is created should be free from errors, as shown here:
<screen>
Load smb config files from /etc/samba/smb.conf
Processing section "[accounts]"
Processing section "[service]"
Processing section "[pidata]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[apps]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[profdata]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
</screen>
</para></step>
<step><para>
Delete all runtime files from prior Samba operation by executing (for SUSE
Linux):
<screen>
&rootprompt; rm /etc/samba/*tdb
&rootprompt; rm /var/lib/samba/*tdb
&rootprompt; rm /var/lib/samba/*dat
&rootprompt; rm /var/log/samba/*
</screen>
</para></step>
<step><para>
<indexterm><primary>secrets.tdb</primary></indexterm>
<indexterm><primary>smbpasswd</primary></indexterm>
Samba-3 communicates with the LDAP server. The password that it uses to
authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
file. Execute the following to create the new <filename>secrets.tdb</filename> files
and store the password for the LDAP Manager:
<screen>
&rootprompt; smbpasswd -w not24get
</screen>
The expected output from this command is:
<screen>
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
</screen>
</para></step>
<step><para>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
Samba-3 generates a Windows Security Identifier (SID) only when <command>smbd</command>
has been started. For this reason, you start Samba. After a few seconds delay,
execute:
<screen>
&rootprompt; smbclient -L localhost -U%
&rootprompt; net getlocalsid
</screen>
A report such as the following means that the domain SID has not yet
been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
<screen>
[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
failed to bind to server ldap://massive.abmas.biz
with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
(unknown)
[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
smbldap_search_suffix: Problem during the LDAP search:
(unknown) (Timed out)
</screen>
The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
is not running, this operation will fail by way of a timeout, as shown previously. This is
normal output; do not worry about this error message. When the domain has been created and
written to the <filename>secrets.tdb</filename> file, the output should look like this:
<screen>
SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
</screen>
If, after a short delay (a few seconds), the domain SID has still not been written to
the <filename>secrets.tdb</filename> file, it is necessary to investigate what
may be misconfigured. In this case, carefully check the &smb.conf; file for typographical
errors (the most common problem). The use of the <command>testparm</command> is highly
recommended to validate the contents of this file.
</para></step>
<step><para>
When a positive domain SID has been reported, stop Samba.
</para></step>
<step><para>
<indexterm><primary>NFS server</primary></indexterm>
<indexterm><primary>/etc/exports</primary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>rsync</primary></indexterm>
Configure the NFS server for your Linux system. So you can complete the steps that
follow, enter into the <filename>/etc/exports</filename> the following entry:
<screen>
/home *(rw,root_squash,sync)
</screen>
This permits the user home directories to be used on the BDC servers for testing
purposes. You, of course, decide what is the best way for your site to distribute
data drives, and you create suitable backup and restore procedures for Abmas
I'd strongly recommend that for normal operation the BDC is completely independent
of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
closely. If you do use NFS, do not forget to start the NFS server as follows:
<screen>
&rootprompt; rcnfsserver start
</screen>
</para></step>
</procedure>
<para>
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
configuration of the LDAP server.
</para>
<example id="sbehap-massive-smbconfa">
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="unix charset">LOCALE</smbconfoption>
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
<smbconfoption name="netbios name">MASSIVE</smbconfoption>
<smbconfoption name="interfaces">eth1, lo</smbconfoption>
<smbconfoption name="bind interfaces only">Yes</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="enable privileges">Yes</smbconfoption>
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
<smbconfoption name="log level">1</smbconfoption>
<smbconfoption name="syslog">0</smbconfoption>
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
<smbconfoption name="max log size">50</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
<smbconfoption name="time server">Yes</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
<smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption>
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
<smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption>
<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
</smbconfblock>
</example>
<example id="sbehap-massive-smbconfb">
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
<smbconfblock>
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
<smbconfoption name="logon drive">X:</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="preferred master">Yes</smbconfoption>
<smbconfoption name="wins support">Yes</smbconfoption>
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
<smbconfoption name="map acl inherit">Yes</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
</smbconfblock>
</example>
</sect2>
<sect2 id="sbeidealx">
<title>Install and Configure Idealx smbldap-tools Scripts</title>
<para>
<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
on the LDAP server. You have chosen the Idealx scripts because they are the best-known
LDAP configuration scripts. The use of these scripts will help avoid the necessity
to create custom scripts. It is easy to download them from the Idealx
<ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may
be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz">downloaded</ulink>
from this site also. Alternatively, you may obtain the
<ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm">smbldap-tools-0.9.1-1.src.rpm</ulink>
file that may be used to build an installable RPM package for your Linux system.
</para>
<note><para>
The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
</para></note>
<para>
The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>.
The scripts are not needed on BDC machines because all LDAP updates are handled by
the PDC alone.
</para>
<sect3>
<title>Installation of smbldap-tools from the Tarball</title>
<para>
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
</para>
<procedure id="idealxscript">
<title>Unpacking and Installation Steps for the <constant>smbldap-tools</constant> Tarball</title>
<step><para>
Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions
and ownership as shown here:
<screen>
&rootprompt; mkdir -p /opt/IDEALX/sbin
&rootprompt; chown root:root /opt/IDEALX/sbin
&rootprompt; chmod 755 /opt/IDEALX/sbin
&rootprompt; mkdir -p /etc/smbldap-tools
&rootprompt; chown root:root /etc/smbldap-tools
&rootprompt; chmod 755 /etc/smbldap-tools
</screen>
</para></step>
<step><para>
If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
Change into either the directory extracted from the tarball or the smbldap-tools
directory in your <filename>/usr/share/doc/packages</filename> directory tree.
</para></step>
<step><para>
Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the
<filename>/opt/IDEALX/sbin</filename> directory, as shown here:
<screen>
&rootprompt; cd smbldap-tools-0.9.1/
&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
&rootprompt; cp smbldap*conf /etc/smbldap-tools/
&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
&rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl
&rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf
&rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf
</screen>
</para></step>
<step><para>
The smbldap-tools scripts master control file must now be configured.
Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the
<filename>smbldap_tools.pm</filename> to affect the changes
shown here:
<screen>
...
# ugly funcs using global variables and spawning openldap clients
my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
...
</screen>
</para></step>
<step><para>
To complete the configuration of the smbldap-tools, set the permissions and ownership
by executing the following commands:
<screen>
&rootprompt; chown root:root /opt/IDEALX/sbin/*
&rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-*
&rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm
</screen>
The smbldap-tools scripts are now ready for the configuration step outlined in
<link linkend="smbldap-init"/>.
</para></step>
</procedure>
</sect3>
<sect3>
<title>Installing smbldap-tools from the RPM Package</title>
<para>
In the event that you have elected to use the RPM package provided by Idealx, download the
source RPM <filename>smbldap-tools-0.9.1-1.src.rpm</filename>, then follow this procedure:
</para>
<procedure>
<title>Installation Steps for <constant>smbldap-tools</constant> RPM's</title>
<step><para>
Install the source RPM that has been downloaded as follows:
<screen>
&rootprompt; rpm -i smbldap-tools-0.9.1-1.src.rpm
</screen>
</para></step>
<step><para>
Change into the directory in which the SPEC files are located. On SUSE Linux:
<screen>
&rootprompt; cd /usr/src/packages/SPECS
</screen>
On Red Hat Linux systems:
<screen>
&rootprompt; cd /usr/src/redhat/SPECS
</screen>
</para></step>
<step><para>
Edit the <filename>smbldap-tools.spec</filename> file to change the value of the
<constant>_sysconfig</constant> macro as shown here:
<screen>
%define _prefix /opt/IDEALX
%define _sysconfdir /etc
</screen>
Note: Any suitable directory can be specified.
</para></step>
<step><para>
Build the package by executing:
<screen>
&rootprompt; rpmbuild -ba -v smbldap-tools.spec
</screen>
A build process that has completed without error will place the installable binary
files in the directory <filename>../RPMS/noarch</filename>.
</para></step>
<step><para>
Install the binary package by executing:
<screen>
&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
</screen>
</para></step>
</procedure>
<para>
The Idealx scripts should now be ready for configuration using the steps outlined in
<link linkend="smbldap-init">Configuration of smbldap-tools</link>.
</para>
</sect3>
<sect3 id="smbldap-init">
<title>Configuration of smbldap-tools</title>
<para>
Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file
and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption
is made that the &smb.conf; file has correct contents. The following procedure ensures that
this is completed correctly:
</para>
<para>
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
in the &smb.conf; file.
</para>
<procedure>
<title>Configuration Steps for <constant>smbldap-tools</constant> to Enable Use</title>
<step><para>
Change into the directory that contains the <filename>configure.pl</filename> script.
<screen>
&rootprompt; cd /opt/IDEALX/sbin
</screen>
</para></step>
<step><para>
Execute the <filename>configure.pl</filename> script as follows:
<screen>
&rootprompt; ./configure.pl
</screen>
The interactive use of this script for the PDC is demonstrated here:
<screen>
&rootprompt; /opt/IDEALX/sbin/configure.pl
merlin:/opt/IDEALX/sbin # ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Config File Location [/etc/samba/smb.conf] >
smbldap-tools configuration file Location (global parameters)
[/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >
smbldap Config file Location (bind parameters)
[/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [MEGANET2] >
. netbios name: netbios name of the samba controler
netbios name [MASSIVE] >
. logon drive: local path to which the home directory
will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\MASSIVE\%U'
logon home (press the "." character if you don't want homeDirectory)
[\\MASSIVE\%U] >
. logon path: directory where roaming profiles are stored.
Ex:'\\MASSIVE\profiles\%U'
logon path (press the "." character if you don't want roaming profile)
[\\%L\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] > /data/users/%U
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [scripts\logon.bat] >
default password validation time (time in days) [45] > 900
. ldap suffix [dc=abmas,dc=biz] >
. ldap group suffix [ou=Groups] >
. ldap user suffix [ou=People,ou=Users] >
. ldap machine suffix [ou=Computers,ou=Users] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix})
[sambaDomainName=MEGANET2] >
. ldap master server: IP adress or DNS name of the master
(writable) ldap server
ldap master server [massive.abmas.biz] >
. ldap master port [389] >
. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
. ldap master bind password [] >
. ldap slave server: IP adress or DNS name of the slave ldap server:
can also be the master one
ldap slave server [massive.abmas.biz] >
. ldap slave port [389] >
. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain MEGANET2: SID of the domain
(can be obtained with 'net getlocalsid MASSIVE')
SID for domain MEGANET2 [S-1-5-21-3504140859-1010554828-2431957765]] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > abmas.biz
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/opt/IDEALX/smbldap-tools/smbldap.conf->
/etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
</screen>
Since a slave LDAP server has not been configured, it is necessary to specify the IP
address of the master LDAP server for both the master and the slave configuration
prompts.
</para></step>
<step><para>
Change to the directory that contains the <filename>smbldap.conf</filename> file,
then verify its contents.
</para></step>
</procedure>
<para>
The smbldap-tools are now ready for use.
</para>
</sect3>
</sect2>
<sect2>
<title>LDAP Initialization and Creation of User and Group Accounts</title>
<para>
The LDAP database must be populated with well-known Windows domain user accounts and domain group
accounts before Samba can be used. The following procedures step you through the process.
</para>
<para>
At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
database. From a UNIX system perspective, the NSS resolver checks system files before
referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
does not need to ask LDAP.
</para>
<para>
Addition of an account to the LDAP backend can be done in two ways:
</para>
<itemizedlist>
<listitem><para>
<indexterm><primary>NIS</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>Posix accounts</primary></indexterm>
<indexterm><primary>pdbedit</primary></indexterm>
<indexterm><primary>SambaSamAccount</primary></indexterm>
<indexterm><primary>PosixAccount</primary></indexterm>
If you always have a user account in the <filename>/etc/passwd</filename> on every
server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
LDAP. In this case, you can add Windows domain user accounts using the
<command>pdbedit</command> utility. Use of this tool from the command line adds the
SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
</para>
<para>
This is the least desirable method because when LDAP is used as the passwd backend Samba
expects the POSIX account to be in LDAP also. It is possible to use the PADL account
migration tool to migrate all system accounts from either the <filename>/etc/passwd</filename>
files, or from NIS, to LDAP.
</para></listitem>
<listitem><para>
If you decide that it is probably a good idea to add both the PosixAccount attributes
as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
In the example system you are installing in this exercise, you are making use of the
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
</para></listitem>
</itemizedlist>
<para>
<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
If you wish to have more control over how the LDAP database is initialized or
if you don't want to use the Idealx smbldap-tools, you should refer to
<link linkend="appendix"/>, <link linkend="altldapcfg"/>.
</para>
<para>
<indexterm><primary>smbldap-populate</primary></indexterm>
The following steps initialize the LDAP database, and then you can add user and group
accounts that Samba can use. You use the <command>smbldap-populate</command> to
seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>.
The list of users does not cover all 500 network users; it provides examples only.
</para>
<note><para>
<indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
<indexterm><primary>directory</primary><secondary>People container</secondary></indexterm>
<indexterm><primary>directory</primary><secondary>Computers container</secondary></indexterm>
In the following examples, as the LDAP database is initialized, we do create a container
for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
of the People container, not the Computers container, for domain member accounts. This is not a
mistake; it is a deliberate action that is necessitated by the fact that the resolution of
a machine (computer) account to a UID is done via NSS. The only way this can be handled is
using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>,
which is resolved using the <filename>nss_ldap</filename> library. The configuration file for
the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that
provides only one possible LDAP search command that is specified by the entry called
<constant>nss_base_passwd</constant>. This means that the search path must take into account
the directory structure so that the LDAP search will commence at a level that is above
both the Computers container and the Users (or People) container. If this is done, it is
necessary to use a search that will descend the directory tree so that the machine account
can be found. Alternatively, by placing all machine accounts in the People container, we
are able to sidestep this limitation. This is the simpler solution that has been adopted
in this chapter.
</para></note>
<table id="sbehap-bigacct">
<title>Abmas Network Users and Groups</title>
<tgroup cols="4">
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry align="center">Account Name</entry>
<entry align="center">Type</entry>
<entry align="center">ID</entry>
<entry align="center">Password</entry>
</row>
</thead>
<tbody>
<row>
<entry>Robert Jordan</entry>
<entry>User</entry>
<entry>bobj</entry>
<entry>n3v3r2l8</entry>
</row>
<row>
<entry>Stanley Soroka</entry>
<entry>User</entry>
<entry>stans</entry>
<entry>impl13dst4r</entry>
</row>
<row>
<entry>Christine Roberson</entry>
<entry>User</entry>
<entry>chrisr</entry>
<entry>S9n0nw4ll</entry>
</row>
<row>
<entry>Mary Vortexis</entry>
<entry>User</entry>
<entry>maryv</entry>
<entry>kw13t0n3</entry>
</row>
<row>
<entry>Accounts</entry>
<entry>Group</entry>
<entry>Accounts</entry>
<entry></entry>
</row>
<row>
<entry>Finances</entry>
<entry>Group</entry>
<entry>Finances</entry>
<entry></entry>
</row>
<row>
<entry>Insurance</entry>
<entry>Group</entry>
<entry>PIOps</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<procedure id="creatacc">
<title>LDAP Directory Initialization Steps</title>
<step><para>
Start the LDAP server by executing:
<screen>
&rootprompt; rcldap start
Starting ldap-server done
</screen>
</para></step>
<step><para>
Change to the <filename>/opt/IDEALX/sbin</filename> directory.
</para></step>
<step><para>
Execute the script that will populate the LDAP database as shown here:
<screen>
&rootprompt; ./smbldap-populate -a root -k 0 -m 0
</screen>
The expected output from this is:
<screen>
Using workgroup name from smb.conf: sambaDomainName=MEGANET2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> Warning: you must update smbldap.conf configuration file to :
=> sambaUnixIdPooldn parameter must be set
to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Using builtin directory structure
adding new entry: dc=abmas,dc=biz
adding new entry: ou=People,dc=abmas,dc=biz
adding new entry: ou=Groups,dc=abmas,dc=biz
entry ou=People,dc=abmas,dc=biz already exist.
adding new entry: ou=Idmap,dc=abmas,dc=biz
adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
adding new entry: uid=root,ou=People,dc=abmas,dc=biz
adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
</screen>
</para></step>
<step><para>
Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following
information is changed from:
<screen>
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
</screen>
to read, after modification:
<screen>
# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
</screen>
</para></step>
<step><para>
It is necessary to restart the LDAP server as shown here:
<screen>
&rootprompt; rcldap restart
Shutting down ldap-server done
Starting ldap-server done
</screen>
</para></step>
<step><para>
<indexterm><primary>slapcat</primary></indexterm>
So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
the simplest is to execute:
<screen>
&rootprompt; slapcat | grep -i idmap
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
</screen>
<indexterm> <primary>ldapadd</primary></indexterm>
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using
the following command:
<screen>
&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
-w not24get < /etc/openldap/idmap.LDIF
</screen>
Samba automatically populates this LDAP directory container when it needs to.
</para></step>
<step><para>
<indexterm><primary>slapcat</primary></indexterm>
It looks like all has gone well, as expected. Let's confirm that this is the case
by running a few tests. First we check the contents of the database directly
by running <command>slapcat</command> as follows (the output has been cut down):
<screen>
&rootprompt; slapcat
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: abmas
structuralObjectClass: organization
entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
creatorsName: cn=Manager,dc=abmas,dc=biz
createTimestamp: 20031217234200Z
entryCSN: 2003121723:42:00Z#0x0001#0#0000
modifiersName: cn=Manager,dc=abmas,dc=biz
modifyTimestamp: 20031217234200Z
...
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
creatorsName: cn=Manager,dc=abmas,dc=biz
createTimestamp: 20031217234206Z
entryCSN: 2003121723:42:06Z#0x0002#0#0000
modifiersName: cn=Manager,dc=abmas,dc=biz
modifyTimestamp: 20031217234206Z
</screen>
This looks good so far.
</para></step>
<step><para>
<indexterm><primary>ldapsearch</primary></indexterm>
The next step is to prove that the LDAP server is running and responds to a
search request. Execute the following as shown (output has been cut to save space):
<screen>
&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=abmas,dc=biz> with scope sub
# filter: (ObjectClass=*)
# requesting: ALL
#
# abmas.biz
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: abmas
# People, abmas.biz
dn: ou=People,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: People
...
# Domain Computers, Groups, abmas.biz
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
sambaGroupType: 2
displayName: Domain Computers
# search result
search: 2
result: 0 Success
# numResponses: 20
# numEntries: 19
</screen>
Good. It is all working just fine.
</para></step>
<step><para>
<indexterm><primary>getent</primary></indexterm>
You must now make certain that the NSS resolver can interrogate LDAP also.
Execute the following commands:
<screen>
&rootprompt; getent passwd | grep root
root:x:998:512:Netbios Domain Administrator:/home:/bin/false
&rootprompt; getent group | grep Domain
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:553:
</screen>
<indexterm><primary>nss_ldap</primary></indexterm>
This demonstrates that the <command>nss_ldap</command> library is functioning
as it should. If these two steps fail to produce this information, refer to
<link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
isolate the cause of the problem. Proceed to the next step only when the previous steps
have been successfully completed.
</para></step>
<step><para>
<indexterm><primary>smbldap-useradd</primary></indexterm>
<indexterm><primary>smbldap-passwd</primary></indexterm>
<indexterm><primary>smbpasswd</primary></indexterm>
Our database is now ready for the addition of network users. For each user for
whom an account must be created, execute the following:
<screen>
&rootprompt; ./smbldap-useradd -m -a <constant>username</constant>
&rootprompt; ./smbldap-passwd <constant>username</constant>
Changing password for <constant>username</constant>
New password : XXXXXXXX
Retype new password : XXXXXXXX
&rootprompt; smbpasswd <constant>username</constant>
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
</screen>
where <constant>username</constant> is the login ID for each user.
</para></step>
<step><para>
<indexterm><primary>getent</primary></indexterm>
Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
following:
<screen>
&rootprompt; getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
...
root:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
</screen>
This demonstrates that user account resolution via LDAP is working.
</para></step>
<step><para>
This step will determine whether or not identity resolution is working correctly.
Do not procede is this step fails, rather find the cause of the failure. The
<command>id</command> command may be used to validate your configuration so far,
as shown here:
<screen>
&rootprompt; id chrisr
uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
</screen>
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
by system tools that make a getentpw() system call.
</para></step>
<step><para>
<indexterm><primary>smbldap-usermod</primary></indexterm>
The root account must have UID=0; if not, this means that operations conducted from
a Windows client using tools such as the Domain User Manager fails under UNIX because
the management of user and group accounts requires that the UID=0. Additionally, it is
a good idea to make certain that no matter how root account credentials are resolved,
the home directory and shell are valid. You decide to effect this immediately
as demonstrated here:
<screen>
&rootprompt; cd /opt/IDEALX/sbin
&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
</screen>
</para></step>
<step><para>
Verify that the changes just made to the <constant>root</constant> account were
accepted by executing:
<screen>
&rootprompt; getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
</screen>
This demonstrates that the changes were accepted.
</para></step>
<step><para>
Make certain that a home directory has been created for every user by listing the
directories in <filename>/home</filename> as follows:
<screen>
&rootprompt; ls -al /home
drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
</screen>
This is precisely what we want to see.
</para></step>
<step><para>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>pdbedit</primary></indexterm>
The final validation step involves making certain that Samba-3 can obtain the user
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
<screen>
&rootprompt; pdbedit -Lv chrisr
Unix username: chrisr
NT username: chrisr
Account Flags: [U ]
User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
Full Name: System User
Home Directory: \\MASSIVE\homes
HomeDir Drive: H:
Logon Script: scripts\login.cmd
Profile Path: \\MASSIVE\profiles\chrisr
Domain: MEGANET2
Account desc: System User
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
Password last set: Wed, 17 Dec 2003 17:17:40 GMT
Password can change: Wed, 17 Dec 2003 17:17:40 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
</screen>
This looks good. Of course, you fully expected that it would all work, didn't you?
</para></step>
<step><para>
<indexterm><primary>smbldap-groupadd</primary></indexterm>
Now you add the group accounts that are used on the Abmas network. Execute
the following exactly as shown:
<screen>
&rootprompt; ./smbldap-groupadd -a Accounts
&rootprompt; ./smbldap-groupadd -a Finances
&rootprompt; ./smbldap-groupadd -a PIOps
</screen>
The addition of groups does not involve keyboard interaction, so the lack of console
output is of no concern.
</para></step>
<step><para>
<indexterm><primary>getent</primary></indexterm>
You really do want to confirm that UNIX group resolution from LDAP is functioning
as it should. Let's do this as shown here:
<screen>
&rootprompt; getent group
...
Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv
Domain Guests:x:514:
...
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:
</screen>
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
as our own site-specific group accounts, are correctly listed. This is looking good.
</para></step>
<step><para>
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
The final step we need to validate is that Samba can see all the Windows domain groups
and that they are correctly mapped to the respective UNIX group account. To do this,
just execute the following command:
<screen>
&rootprompt; net groupmap list
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
...
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
</screen>
This is looking good. Congratulations &smbmdash; it works! Note that in the above output
the lines were shortened by replacing the middle value (1010554828) of the SID with the
ellipsis (...).
</para></step>
<step><para>
The server you have so carefully built is now ready for another important step. You
start the Samba-3 server and validate its operation. Execute the following to render all
the processes needed fully operative so that, on system reboot, they are automatically
started:
<screen>
&rootprompt; chkconfig named on
&rootprompt; chkconfig dhcpd on
&rootprompt; chkconfig ldap on
&rootprompt; chkconfig nmb on
&rootprompt; chkconfig smb on
&rootprompt; chkconfig winbind on
&rootprompt; rcnmb start
&rootprompt; rcsmb start
&rootprompt; rcwinbind start
</screen>
</para></step>
<step><para>
The next step might seem a little odd at this point, but take note that you are about to
start <command>winbindd</command>, which must be able to authenticate to the PDC via the
localhost interface with the <command>smbd</command> process. This account can be
easily created by joining the PDC to the domain by executing the following command:
<screen>
&rootprompt; net rpc join -S MASSIVE -U root%not24get
</screen>
Note: Before executing this command on the PDC, both <command>nmbd</command> and
<command>smbd</command> must be started so that the <command>net</command> command
can communicate with <command>smbd</command>. The expected output is as follows:
<screen>
Joined domain MEGANET2.
</screen>
This indicates that the domain security account for the PDC has been correctly created.
</para></step>
<step><para>
At this time it is necessary to restart <command>winbindd</command> so that it can
correctly authenticate to the PDC. The following command achieves that:
<screen>
&rootprompt; rcwinbind restart
</screen>
</para></step>
<step><para>
<indexterm><primary>smbclient</primary></indexterm>
You may now check Samba-3 operation as follows:
<screen>
&rootprompt; smbclient -L massive -U%
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 3.0.20)
accounts Disk Accounting Files
service Disk Financial Services Files
pidata Disk Property Insurance Files
apps Disk Application Files
netlogon Disk Network Logon Service
profiles Disk Profile Share
profdata Disk Profile Data Share
ADMIN$ IPC IPC Service (Samba 3.0.20)
Server Comment
--------- -------
MASSIVE Samba 3.0.20
Workgroup Master
--------- -------
MEGANET2 MASSIVE
</screen>
This shows that an anonymous connection is working.
</para></step>
<step><para>
For your finale, let's try an authenticated connection:
<screen>
&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
smb: \> dir
. D 0 Wed Dec 17 01:16:19 2003
.. D 0 Wed Dec 17 19:04:42 2003
bin D 0 Tue Sep 2 04:00:57 2003
Documents D 0 Sun Nov 30 07:28:20 2003
public_html D 0 Sun Nov 30 07:28:20 2003
.urlview H 311 Fri Jul 7 06:55:35 2000
.dvipsrc H 208 Fri Nov 17 11:22:02 1995
57681 blocks of size 524288. 57128 blocks available
smb: \> q
</screen>
Well done. All is working fine.
</para></step>
</procedure>
<para>
The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
</para>
</sect2>
<sect2 id="sbehap-ptrcfg">
<title>Printer Configuration</title>
<para>
<indexterm><primary>CUPS</primary></indexterm>
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
taken care of in the &smb.conf; file. The only preparation needed for <constant>smart</constant>
printing to be possible involves creation of the directories in which Samba-3 stores
Windows printing driver files.
</para>
<procedure>
<title>Printer Configuration Steps</title>
<step><para>
Configure all network-attached printers to have a fixed IP address.
</para></step>
<step><para>
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
and in the reverse lookup database for the network segment that the printer is to
be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
<link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
</para></step>
<step><para>
Follow the instructions in the printer manufacturers' manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
<indexterm><primary>CUPS</primary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
</para></step>
<step><para>
<indexterm><primary>lpadmin</primary></indexterm>
<indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
Only on the server to which the printer is attached, configure the CUPS Print
Queues as follows:
<screen>
&rootprompt; lpadmin -p <parameter>printque</parameter>
-v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
</screen>
<indexterm><primary>print filter</primary></indexterm>
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name <parameter>printque</parameter> is the name you have assigned for
the particular printer.
</para></step>
<step><para>
Print queues may not be enabled at creation. Make certain that the queues
you have just created are enabled by executing the following:
<screen>
&rootprompt; /usr/bin/enable <parameter>printque</parameter>
</screen>
</para></step>
<step><para>
Even though your print queue may be enabled, it is still possible that it
may not accept print jobs. A print queue will service incoming printing
requests only when configured to do so. Ensure that your print queue is
set to accept incoming jobs by executing the following commands:
<screen>
&rootprompt; /usr/bin/accept <parameter>printque</parameter>
</screen>
</para></step>
<step><para>
<indexterm><primary>mime type</primary></indexterm>
<indexterm><primary>/etc/mime.convs</primary></indexterm>
<indexterm><primary>application/octet-stream</primary></indexterm>
Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
<screen>
application/octet-stream application/vnd.cups-raw 0 -
</screen>
</para></step>
<step><para>
<indexterm><primary>/etc/mime.types</primary></indexterm>
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
<screen>
application/octet-stream
</screen>
</para></step>
<step><para>
Refer to the CUPS printing manual for instructions regarding how to configure
CUPS so that print queues that reside on CUPS servers on remote networks
route print jobs to the print server that owns that queue. The default setting
on your CUPS server may automatically discover remotely installed printers and
may permit this functionality without requiring specific configuration.
</para></step>
<step><para>
The following action creates the necessary directory subsystem. Follow these
steps to printing heaven:
<screen>
&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
&rootprompt; chown -R root:root /var/lib/samba/drivers
&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
</screen>
</para></step>
</procedure>
</sect2>
</sect1>
<sect1 id="sbehap-bldg1">
<title>Samba-3 BDC Configuration</title>
<procedure>
<title>Configuration of BDC Called: <constant>BLDG1</constant></title>
<step><para>
Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
into the <filename>/etc/samba/</filename> directory. The three files
should be added together to form the &smb.conf; file.
</para></step>
<step><para>
Verify the &smb.conf; file as in step 2 of <link
linkend="sbehap-massive"/>.
</para></step>
<step><para>
Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
particular note to install the correct <filename>ldap.conf</filename>.
</para></step>
<step><para>
Verify that the NSS resolver is working. You may need to cycle the run level
to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
commands:
<screen>
&rootprompt; init 1
</screen>
After the run level has been achieved, you are prompted to provide the
<constant>root</constant> password. Log on, and then execute:
<screen>
&rootprompt; init 5
</screen>
When the normal logon prompt appears, log into the system as <constant>root</constant>
and then execute these commands:
<screen>
&rootprompt; getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
...
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
</screen>
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
</para></step>
<step><para>
<indexterm><primary>getent</primary></indexterm>
The next step in the verification process involves testing the operation of UNIX group
resolution via the NSS LDAP resolver. Execute these commands:
<screen>
&rootprompt; getent group
root:x:0:
bin:x:1:daemon
daemon:x:2:
sys:x:3:
...
Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv,jht
Domain Guests:x:514:
Administrators:x:544:
Users:x:545:
Guests:x:546:nobody
Power Users:x:547:
Account Operators:x:548:
Server Operators:x:549:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:
</screen>
This is also the correct and desired output, because it demonstrates that the LDAP client
is able to communicate correctly with the LDAP server (<constant>MASSIVE</constant>).
</para></step>
<step><para>
<indexterm><primary>smbpasswd</primary></indexterm>
You must now set the LDAP administrative password into the Samba-3 <filename>secrets.tdb</filename>
file by executing this command:
<screen>
&rootprompt; smbpasswd -w not24get
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
</screen>
</para></step>
<step><para>
Now you must obtain the domain SID from the PDC and store it into the
<filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
passdb backend because Samba-3 obtains the domain SID from the
sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
command can achieve that:
<screen>
&rootprompt; net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
for Domain MEGANET2 in secrets.tdb
</screen>
When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
any special action to join it to the domain. However, winbind communicates with the
domain controller that is running on the localhost and must be able to authenticate,
thus requiring that the BDC should be joined to the domain. The process of joining
the domain creates the necessary authentication accounts.
</para></step>
<step><para>
To join the Samba BDC to the domain, execute the following:
<screen>
&rootprompt; net rpc join -U root%not24get
Joined domain MEGANET2.
</screen>
This indicates that the domain security account for the BDC has been correctly created.
</para></step>
<step><para>
<indexterm>
<primary>pdbedit</primary>
</indexterm>
Verify that user and group account resolution works via Samba-3 tools as follows:
<screen>
&rootprompt; pdbedit -L
root:0:root
nobody:65534:nobody
bobj:1000:System User
stans:1001:System User
chrisr:1002:System User
maryv:1003:System User
bldg1$:1006:bldg1$
&rootprompt; net groupmap list
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators
...
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
</screen>
These results show that all things are in order.
</para></step>
<step><para>
The server you have so carefully built is now ready for another important step. Now
start the Samba-3 server and validate its operation. Execute the following to render all
the processes needed fully operative so that, upon system reboot, they are automatically
started:
<screen>
&rootprompt; chkconfig named on
&rootprompt; chkconfig dhcpd on
&rootprompt; chkconfig nmb on
&rootprompt; chkconfig smb on
&rootprompt; chkconfig winbind on
&rootprompt; rcnmb start
&rootprompt; rcsmb start
&rootprompt; rcwinbind start
</screen>
Samba-3 should now be running and is ready for a quick test. But not quite yet!
</para></step>
<step><para>
Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename>
file, add a mount entry to mount the <constant>home</constant> directory that has been exported
from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
approach could be to create local home directories for users who are to use these machines.
This is a choice that you, as system administrator, must make. The following entry in the
<filename>/etc/fstab</filename> file suffices for now:
<screen>
massive.abmas.biz:/home /home nfs rw 0 0
</screen>
To mount this resource, execute:
<screen>
&rootprompt; mount -a
</screen>
Verify that the home directory has been mounted as follows:
<screen>
&rootprompt; df | grep home
massive:/home 29532988 283388 29249600 1% /home
</screen>
</para></step>
<step><para>
Implement a quick check using one of the users that is in the LDAP database. Here you go:
<screen>
&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
smb: \> dir
. D 0 Wed Dec 17 01:16:19 2003
.. D 0 Wed Dec 17 19:04:42 2003
bin D 0 Tue Sep 2 04:00:57 2003
Documents D 0 Sun Nov 30 07:28:20 2003
public_html D 0 Sun Nov 30 07:28:20 2003
.urlview H 311 Fri Jul 7 06:55:35 2000
.dvipsrc H 208 Fri Nov 17 11:22:02 1995
57681 blocks of size 524288. 57128 blocks available
smb: \> q
</screen>
</para></step>
</procedure>
<para>
Now that the first BDC (<constant>BDLG1</constant>) has been configured it is time to build
and configure the second BDC server (<constant>BLDG2</constant>) as follows:
</para>
<procedure id="sbehap-bldg2">
<title>Configuration of BDC Called <constant>BLDG2</constant></title>
<step><para>
Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
into the <filename>/etc/samba/</filename> directory. The three files
should be added together to form the &smb.conf; file.
</para></step>
<step><para>
Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
</para></step>
</procedure>
<example id="sbehap-bldg1-smbconf">
<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="unix charset">LOCALE</smbconfoption>
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
<smbconfoption name="netbios name">BLDG1</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="enable privileges">Yes</smbconfoption>
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
<smbconfoption name="log level">1</smbconfoption>
<smbconfoption name="syslog">0</smbconfoption>
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
<smbconfoption name="max log size">50</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
<smbconfoption name="logon drive">X:</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="domain master">No</smbconfoption>
<smbconfoption name="wins server">172.16.0.1</smbconfoption>
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
</smbconfblock>
</example>
<example id="sbehap-bldg2-smbconf">
<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="unix charset">LOCALE</smbconfoption>
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
<smbconfoption name="netbios name">BLDG2</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="enable privileges">Yes</smbconfoption>
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
<smbconfoption name="log level">1</smbconfoption>
<smbconfoption name="syslog">0</smbconfoption>
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
<smbconfoption name="max log size">50</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
<smbconfoption name="logon drive">X:</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="domain master">No</smbconfoption>
<smbconfoption name="wins server">172.16.0.1</smbconfoption>
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
</smbconfblock>
</example>
<example id="sbehap-shareconfa">
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
<smbconfblock>
<smbconfsection name="[accounts]"/>
<smbconfoption name="comment">Accounting Files</smbconfoption>
<smbconfoption name="path">/data/accounts</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[service]"/>
<smbconfoption name="comment">Financial Services Files</smbconfoption>
<smbconfoption name="path">/data/service</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[pidata]"/>
<smbconfoption name="comment">Property Insurance Files</smbconfoption>
<smbconfoption name="path">/data/pidata</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[printers]"/>
<smbconfoption name="comment">SMB Print Spool</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>
<example id="sbehap-shareconfb">
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
<smbconfblock>
<smbconfsection name="[apps]"/>
<smbconfoption name="comment">Application Files</smbconfoption>
<smbconfoption name="path">/apps</smbconfoption>
<smbconfoption name="admin users">bjordan</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[netlogon]"/>
<smbconfoption name="comment">Network Logon Service</smbconfoption>
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="locking">No</smbconfoption>
<smbconfsection name="[profiles]"/>
<smbconfoption name="comment">Profile Share</smbconfoption>
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="profile acls">Yes</smbconfoption>
<smbconfsection name="[profdata]"/>
<smbconfoption name="comment">Profile Data Share</smbconfoption>
<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="profile acls">Yes</smbconfoption>
<smbconfsection name="[print$]"/>
<smbconfoption name="comment">Printer Drivers</smbconfoption>
<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
<smbconfoption name="browseable">yes</smbconfoption>
<smbconfoption name="guest ok">no</smbconfoption>
<smbconfoption name="read only">yes</smbconfoption>
<smbconfoption name="write list">root, chrisr</smbconfoption>
</smbconfblock>
</example>
<example id="sbehap-ldifadd">
<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
<screen>
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
</screen>
</example>
</sect1>
<sect1>
<title>Miscellaneous Server Preparation Tasks</title>
<para>
My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
The makings of a great network environment take a lot of effort and attention to detail.
So far, you have completed most of the complex (and to many administrators, the interesting
part of server configuration) steps, but remember to tie it all together. Here are
a few more steps that must be completed so that your network runs like a well-rehearsed
orchestra.
</para>
<sect2>
<title>Configuring Directory Share Point Roots</title>
<para>
In your &smb.conf; file, you have specified Windows shares. Each has a <parameter>path</parameter>
parameter. Even though it is obvious to all, one of the common Samba networking problems is
caused by forgetting to verify that every such share root directory actually exists and that it
has the necessary permissions and ownership.
</para>
<para>
Here is an example, but remember to create the directory needed for every share:
<screen>
&rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
&rootprompt; mkdir -p /apps
&rootprompt; chown -R root:root /data
&rootprompt; chown -R root:root /apps
&rootprompt; chown -R bobj:Accounts /data/accounts
&rootprompt; chown -R bobj:Finances /data/finsvcs
&rootprompt; chown -R bobj:PIOps /data/pidata
&rootprompt; chmod -R ug+rwxs,o-rwx /data
&rootprompt; chmod -R ug+rwx,o+rx-w /apps
</screen>
</para>
</sect2>
<sect2>
<title>Configuring Profile Directories</title>
<para>
You made a conscious decision to do everything it would take to improve network client
performance. One of your decisions was to implement folder redirection. This means that Windows
user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
network folders.
</para>
<para>
For this arrangement to work, every user needs a directory structure for the network folder
portion of his or her profile as shown here:
<screen>
&rootprompt; mkdir -p /var/lib/samba/profdata
&rootprompt; chown root:root /var/lib/samba/profdata
&rootprompt; chmod 755 /var/lib/samba/profdata
# Per user structure
&rootprompt; cd /var/lib/samba/profdata
&rootprompt; mkdir -p <emphasis>username</emphasis>
&rootprompt; for i in InternetFiles Cookies History AppData \
LocalSettings MyPictures MyDocuments Recent
&rootprompt; do
&rootprompt; mkdir <emphasis>username</emphasis>/$i
&rootprompt; done
&rootprompt; chown -R <emphasis>username</emphasis>:Domain\ Users <emphasis>username</emphasis>
&rootprompt; chmod -R 750 <emphasis>username</emphasis>
</screen>
</para>
<para>
<indexterm><primary>roaming profile</primary></indexterm>
<indexterm><primary>mandatory profile</primary></indexterm>
You have three options insofar as the dynamically loaded portion of the roaming profile
is concerned:
</para>
<itemizedlist>
<listitem><para>You may permit the user to obtain a default profile.</para></listitem>
<listitem><para>You can create a mandatory profile.</para></listitem>
<listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
</itemizedlist>
<para>
Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
profile is effected by renaming the <filename>NTUSER.DAT</filename> to <filename>NTUSER.MAN</filename>,
that is, just by changing the filename extension.
</para>
<para>
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
<indexterm><primary>Domain User Manager</primary></indexterm>
The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
You can manage this using the Idealx smbldap-tools or using the
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager</ulink>.
</para>
<para>
It may not be obvious that you must ensure that the root directory for the user's profile exists
and has the needed permissions. Use the following commands to create this directory:
<screen>
&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
&rootprompt; chown <emphasis>username</emphasis>:Domain\ Users
/var/lib/samba/profiles/<emphasis>username</emphasis>
&rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
</screen>
</para>
</sect2>
<sect2>
<title>Preparation of Logon Scripts</title>
<para>
<indexterm><primary>logon script</primary></indexterm>
The use of a logon script with Windows XP Professional is an option that every site should consider.
Unless you have locked down the desktop so the user cannot change anything, there is risk that
a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
can help to restore persistent network folder (drive) and printer connections in a predictable
manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
user attaches to another company's network that forces environment changes that are alien to your
network.
</para>
<para>
If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain
controllers, you see that the path to the share point for the <constant>NETLOGON</constant>
share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
NT/200x/XP client logs onto the network, it tries to obtain the file <filename>logon.bat</filename>
from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
qualified path should therefore exist whether you install the <filename>logon.bat</filename>.
</para>
<para>
You can, of course, create the fully qualified path by executing:
<screen>
&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
</screen>
</para>
<para>
You should research the options for logon script implementation by referring to <emphasis>TOSHARG2</emphasis>, Chapter 24,
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
</para>
</sect2>
<sect2>
<title>Assigning User Rights and Privileges</title>
<para>
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
this privilege in a very limited fashion to particular accounts.
</para>
<para>
By default, even Samba-3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
group. Here we grant this group all privileges.
</para>
<para>
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
are granted rights can be restricted to particular machines. It is left to the network administrator
to determine which rights should be provided and to whom.
</para>
<procedure>
<title>Steps for Assignment of User Rights and Privileges</title>
<step><para>
Log onto the PDC as the <constant>root</constant> account.
</para></step>
<step><para>
Execute the following command to grant the <constant>Domain Admins</constant> group all
rights and privileges:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\Domain Admins" SeMachineAccountPrivilege \
SePrintOperatorPrivilege SeAddUsersPrivilege \
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Successfully granted rights.
</screen>
Repeat this step on each domain controller, in each case substituting the name of the server
(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
</para></step>
<step><para>
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
to the domain. Execute the following only on the PDC. It is not necessary to do this on
BDCs or on DMS machines because machine accounts are only ever added by the PDC:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\bobj" SeMachineAccountPrivilege
Successfully granted rights.
</screen>
</para></step>
<step><para>
Verify that privilege assignments have been correctly applied by executing:
<screen>
net rpc rights list accounts -Uroot%not24get
MEGANET2\bobj
SeMachineAccountPrivilege
S-0-0
No privileges assigned
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
MEGANET2\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</screen>
</para></step>
</procedure>
</sect2>
</sect1>
<sect1>
<title>Windows Client Configuration</title>
<para>
<indexterm><primary>NETLOGON</primary></indexterm>
In the next few sections, you can configure a new Windows XP Professional disk image on a staging
machine. You will configure all software, printer settings, profile and policy handling, and desktop
default profile settings on this system. When it is complete, you copy the contents of the
<filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
name in the <constant>NETLOGON</constant> share on the domain controllers.
</para>
<para>
Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
One knowledge-base article in particular stands out:
"<ulink url="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475">How to Create a
Base Profile for All Users."</ulink>
</para>
<sect2 id="redirfold">
<title>Configuration of Default Profile with Folder Redirection</title>
<para>
<indexterm><primary>folder redirection</primary></indexterm>
Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
It is necessary to expose folders that are generally hidden to provide access to the
<constant>Default User</constant> folder.
</para>
<procedure>
<title>Expose Hidden Folders</title>
<step><para>
Launch the Windows Explorer by clicking
<menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>My Computer</guimenuitem>
<guimenuitem>Tools</guimenuitem>
<guimenuitem>Folder Options</guimenuitem>
<guimenuitem>View Tab</guimenuitem>
</menuchoice>.
Select <guilabel>Show hidden files and folders</guilabel>,
and click <guibutton>OK</guibutton>. Exit Windows Explorer.
</para></step>
<step><para>
<indexterm><primary>regedt32</primary></indexterm>
Launch the Registry Editor. Click
<menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>Run</guimenuitem>
</menuchoice>. Key in <command>regedt32</command>, and click
<guibutton>OK</guibutton>.
</para></step>
</procedure>
<para>
</para>
<procedure id="sbehap-rdrfldr">
<title>Redirect Folders in Default System User Profile</title>
<step><para>
<indexterm><primary>HKEY_LOCAL_MACHINE</primary></indexterm>
<indexterm><primary>Default User</primary></indexterm>
Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
Click <menuchoice>
<guimenu>File</guimenu>
<guimenuitem>Load Hive...</guimenuitem>
<guimenuitem>Documents and Settings</guimenuitem>
<guimenuitem>Default User</guimenuitem>
<guimenuitem>NTUSER</guimenuitem>
<guimenuitem>Open</guimenuitem>
</menuchoice>. In the dialog box that opens, enter the key name
<constant>Default</constant> and click <guibutton>OK</guibutton>.
</para></step>
<step><para>
Browse inside the newly loaded Default folder to:
<screen>
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
CurrentVersion\Explorer\User Shell Folders\
</screen>
The right panel reveals the contents as shown in <link linkend="XP-screen001"/>.
</para></step>
<step><para>
<indexterm><primary>%USERPROFILE%</primary></indexterm>
<indexterm><primary>%LOGONSERVER%</primary></indexterm>
You edit hive keys. Acceptable values to replace the
<constant>%USERPROFILE%</constant> variable includes:
<itemizedlist>
<listitem><para>A drive letter such as <constant>U:</constant></para></listitem>
<listitem><para>A direct network path such as
<constant>\\MASSIVE\profdata</constant></para></listitem>
<listitem><para>A network redirection (UNC name) that contains a macro such as </para>
<para><constant>%LOGONSERVER%\profdata\</constant></para></listitem>
</itemizedlist>
</para></step>
<step><para>
<indexterm><primary>registry keys</primary></indexterm>
Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
that users have statically located machines. Notebook computers (mobile users) need to be
accommodated using local profiles. This is not an uncommon assumption.
</para></step>
<step><para>
Click back to the root of the loaded hive <constant>Default</constant>.
Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
<guimenuitem>Yes</guimenuitem></menuchoice>.
</para></step>
<step><para>
<indexterm><primary>Registry Editor</primary></indexterm>
Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
Registry Editor.
</para></step>
<step><para>
Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
have redirected is in the exclusion list.
</para></step>
<step><para>
You are now ready to copy<footnote><para>
There is an alternate method by which a default user profile can be added to the
<constant>NETLOGON</constant> share. This facility in the Windows System tool
permits profiles to be exported. The export target may be a particular user or
group profile share point or else the <constant>NETLOGON</constant> share.
In this case, the profile directory must be named <constant>Default User</constant>.
</para></footnote>
the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
and use it to copy the full contents of the directory <filename>Default User</filename> that
is in the <filename>C:\Documents and Settings</filename> to the root directory of the
<constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must
be a directory in there called <filename>Default User</filename>.
</para></step>
</procedure>
<para>
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
that ojective:
</para>
<procedure>
<title>Reset Folder Display to Original Behavior</title>
<step><para>
To launch the Windows Explorer, click
<menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>My Computer</guimenuitem>
<guimenuitem>Tools</guimenuitem>
<guimenuitem>Folder Options</guimenuitem>
<guimenuitem>View Tab</guimenuitem>
</menuchoice>.
Deselect <guilabel>Show hidden files and folders</guilabel>, and click <guibutton>OK</guibutton>.
Exit Windows Explorer.
</para></step>
</procedure>
<figure id="XP-screen001">
<title>Windows XP Professional &smbmdash; User Shared Folders</title>
<imagefile scale="65">XP-screen001</imagefile>
</figure>
<table id="proffold">
<title>Default Profile Redirections</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry>Registry Key</entry>
<entry>Redirected Value</entry>
</row>
</thead>
<tbody>
<row>
<entry>Cache</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
</row>
<row>
<entry>Cookies</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
</row>
<row>
<entry>History</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry>
</row>
<row>
<entry>Local AppData</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
</row>
<row>
<entry>Local Settings</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
</row>
<row>
<entry>My Pictures</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
</row>
<row>
<entry>Personal</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
</row>
<row>
<entry>Recent</entry>
<entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
</row>
</tbody>
</tgroup>
</table>
</sect2>
<sect2>
<title>Configuration of MS Outlook to Relocate PST File</title>
<para>
<indexterm><primary>Outlook</primary><secondary>PST</secondary></indexterm>
Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
It is the nature of email storage that this file grows, at times quite rapidly.
So that users' email is available to them at every workstation they may log onto,
it is common practice in well-controlled sites to redirect the PST folder to the
users' home directory. Follow these steps for each user who wishes to do this.
</para>
<note><para>
It is presumed that Outlook Express has been configured for use.
</para></note>
<para>
Launch Outlook Express 6. Click
<menuchoice>
<guimenu>Tools</guimenu>
<guimenuitem>Options</guimenuitem>
<guimenuitem>Maintenance</guimenuitem>
<guimenuitem>Store Folder</guimenuitem>
<guimenuitem>Change</guimenuitem>
</menuchoice>.
</para>
<para>
Follow the on-screen prompts to relocate the PST file to the desired location.
</para>
</sect2>
<sect2>
<title>Configure Delete Cached Profiles on Logout</title>
<para>
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
</para>
<para>
<indexterm><primary>MMC</primary></indexterm>
Click
<menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>Run</guimenuitem>
</menuchoice>. In the dialog box, enter <command>MMC</command> and click <guibutton>OK</guibutton>.
</para>
<para>
Follow these steps to set the default behavior of the staging machine so that all roaming
profiles are deleted as network users log out of the system. Click
<menuchoice>
<guimenu>File</guimenu>
<guimenuitem>Add/Remove Snap-in</guimenuitem>
<guimenuitem>Add</guimenuitem>
<guimenuitem>Group Policy</guimenuitem>
<guimenuitem>Add</guimenuitem>
<guimenuitem>Finish</guimenuitem>
<guimenuitem>Close</guimenuitem>
<guimenuitem>OK</guimenuitem>
</menuchoice>.
</para>
<para>
<indexterm><primary>Microsoft Management Console</primary><see>MMC</see></indexterm>
The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
utility that enables you to set the policies needed. In the left panel, click
<menuchoice>
<guimenuitem>Local Computer Policy</guimenuitem>
<guimenuitem>Administrative Templates</guimenuitem>
<guimenuitem>System</guimenuitem>
<guimenuitem>User Profiles</guimenuitem>
</menuchoice>. In the right panel, set the properties shown here by double-clicking on each
item as shown:
</para>
<itemizedlist>
<listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
<listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
</itemizedlist>
<para>
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
made of this system to deploy the new standard desktop system.
</para>
</sect2>
<sect2>
<title>Uploading Printer Drivers to Samba Servers</title>
<para>
<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
Users want to be able to use network printers. You have a vested interest in making
it easy for them to print. You have chosen to install the printer drivers onto the Samba
servers and to enable point-and-click (drag-and-drop) printing. This process results in
Samba being able to automatically provide the Windows client with the driver necessary to
print to the printer chosen. The following procedure must be followed for every network
printer:
</para>
<procedure>
<title>Steps to Install Printer Drivers on the Samba Servers</title>
<step><para>
Join your Windows XP Professional workstation (the staging machine) to the
<constant>MEGANET2</constant> domain. If you are not sure of the procedure,
follow the guidance given in Appendix A, <link linkend="domjoin"/>.
</para></step>
<step><para>
After the machine has rebooted, log onto the workstation as the domain
<constant>root</constant> (this is the Administrator account for the
operating system that is the host platform for this implementation of Samba.
</para></step>
<step><para>
Launch MS Windows Explorer. Navigate in the left panel. Click
<menuchoice>
<guimenu>My Network Places</guimenu>
<guimenuitem>Entire Network</guimenuitem>
<guimenuitem>Microsoft Windows Network</guimenuitem>
<guimenuitem>Meganet2</guimenuitem>
<guimenuitem>Massive</guimenuitem>
</menuchoice>. Click on <guimenu>Massive</guimenu>
<guimenu>Printers and Faxes</guimenu>.
</para></step>
<step><para>
Identify a printer that is shown in the right panel. Let us assume the printer is called
<constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
that <quote>The printer driver is not installed on this computer. Some printer properties
will not be accessible unless you install the printer driver. Do you want to install the
driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
</para></step>
<step><para>
The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
<constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
Note that the box labeled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>.
</para></step>
<step><para>
<indexterm><primary>Add Printer Wizard</primary><secondary>APW</secondary></indexterm>
<indexterm><primary>APW</primary></indexterm>
The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
printer manufacturer. In your case, you are adding a driver for a printer manufactured by
Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
<guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
progress bar appears and instructs you as each file is being uploaded and that it is being
directed at the network server <constant>\\massive\ps01-color</constant>.
</para></step>
<step><para>
<indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
<indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
<indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
<indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
<indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
<indexterm><primary>AD printer publishing</primary></indexterm>
The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
You can set the Location (under the <guimenu>General</guimenu> tab) and Security settings (under
the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
load additional printer drivers; there is also a check-box in this tab called <quote>List in the
directory</quote>. When this box is checked, the printer will be published in Active Directory
(Applicable to Active Directory use only.)
</para></step>
<step><para>
<indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
<guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
you need to reverse the changes back to their original settings.
</para></step>
<step><para>
This is necessary so that the printer settings are initialized in the Samba printers
database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
click <guimenu>Apply</guimenu> again.
</para></step>
<step><para>
<indexterm><primary>Print Test Page</primary></indexterm>
Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
massive Properties</guimenu> panel.
</para></step>
<step><para>
You must repeat this process for all network printers (i.e., for every printer on each server).
When you have finished uploading drivers to all printers, close all applications. The next task
is to install software your users require to do their work.
</para></step>
</procedure>
</sect2>
<sect2>
<title>Software Installation</title>
<para>
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
Notebooks require special handling that is beyond the scope of this chapter.
</para>
<para>
For desktop systems, the installation of software onto administratively centralized application servers
make a lot of sense. This means that you can manage software maintenance from a central
perspective and that only minimal application stubware needs to be installed onto the desktop
systems. You should proceed with software installation and default configuration as far as is humanly
possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
of software operations and configuration.
</para>
<para>
When you believe that the overall configuration is complete, be sure to create a shared group profile
and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
case a user may have specific needs you had not anticipated.
</para>
</sect2>
<sect2>
<title>Roll-out Image Creation</title>
<para>
The final steps before preparing the distribution Norton Ghost image file you might follow are:
</para>
<blockquote><para>
Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently
joined into domain membership.
</para></blockquote>
<blockquote><para>
Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
in better performance and often significantly reduces the size of the compressed disk image. That
also means it will take less time to deploy the image onto 500 workstations.
</para></blockquote>
</sect2>
</sect1>
<sect1>
<title>Key Points Learned</title>
<para>
This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
avoided any consideration of security. Security does not just happen; you must design it into your total
network. Security begins with a systems design and implementation that anticipates hostile behavior from
users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
practices, you must not deploy the design presented in this book in an environment where there is risk
of compromise.
</para>
<para>
<indexterm><primary>Access Control Lists</primary><see>ACLs</see></indexterm>
<indexterm><primary>ACLs</primary></indexterm>
As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
configured to use secure protocols for all communications over the network. Of course, secure networking
does not result just from systems design and implementation but involves constant user education
training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
Jerry Carter's book <ulink url="http://www.booksense.com/product/info.jsp&isbn=1565924916">
<emphasis>LDAP System Administration</emphasis></ulink> is a good place to start reading about OpenLDAP
as well as security considerations.
</para>
<para>
The substance of this chapter that has been deserving of particular attention includes:
</para>
<itemizedlist>
<listitem><para>
Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
domain control.
</para></listitem>
<listitem><para>
Implementation of Samba primary and secondary domain controllers with a common LDAP backend
for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
pam_ldap tool-sets.
</para></listitem>
<listitem><para>
Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
to manage Samba Windows user and group accounts.
</para></listitem>
<listitem><para>
The basics of implementation of Group Policy controls for Windows network clients.
</para></listitem>
<listitem><para>
Control over roaming profiles, with particular focus on folder redirection to network drives.
</para></listitem>
<listitem><para>
Use of the CUPS printing system together with Samba-based printer driver auto-download.
</para></listitem>
</itemizedlist>
</sect1>
<sect1>
<title>Questions and Answers</title>
<para>
Well, here we are at the end of this chapter and we have only ten questions to help you to
remember so much. There are bound to be some sticky issues here.
</para>
<qandaset defaultlabel="chap06qa">
<qandaentry>
<question>
<para>
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
network administrators to implement insecure solutions?
</para>
</question>
<answer>
<para>
Let's get this right. This is a book about Samba, not about OpenLDAP and secure
communication protocols for subjects other than Samba. Earlier on, you note,
that the dynamic DNS and DHCP solutions also used no protective secure communications
protocols. The reason for this is simple: There are so many ways of implementing
secure protocols that this book would have been even larger and more complex.
</para>
<para>
The solutions presented here all work (at least they did for me). Network administrators
have the interest and the need to be better trained and instructed in secure networking
practices and ought to implement safe systems. I made the decision, right or wrong,
to keep this material as simple as possible. The intent of this book is to demonstrate
a working solution and not to discuss too many peripheral issues.
</para>
<para>
This book makes little mention of backup techniques. Does that mean that I am recommending
that you should implement a network without provision for data recovery and for disaster
management? Back to our focus: The deployment of Samba has been clearly demonstrated.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
to the Linux I might be using?
</para>
</question>
<answer>
<para>
Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
for a standard Linux distribution. The differences are marginal. Surely you know
your Linux platform, and you do have access to administration manuals for it. This
book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
the Samba part of the book; all the other bits are peripheral (but important) to
creation of a total network solution.
</para>
<para>
What I find interesting is the attention reviewers give to Linux installation and to
the look and feel of the desktop, but does that make for a great server? In this book,
I have paid particular attention to the details of creating a whole solution framework.
I have not tightened every nut and bolt, but I have touched on all the issues you
need to be familiar with. Over the years many people have approached me wanting to
know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
and WINS. In this chapter, it is plain to see what needs to be configured to provide
transparent interoperability. Likewise for CUPS and Samba interoperation. These are
key stumbling areas for many people.
</para>
<para>
At every critical junction, I have provided comparative guidance for both SUSE and
Red Hat Linux. Both manufacturers have done a great job in furthering the cause
of open source software. I favor neither and respect both. I like particular
features of both products (companies also). No bias in presentation is intended.
Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
You did not use SWAT to configure Samba. Is there something wrong with it?
</para>
</question>
<answer>
<para>
That is a good question. As it is, the &smb.conf; file configurations are presented
in as direct a format as possible. Adding SWAT into the equation would have complicated
matters. I sought simplicity of implementation. The fact is that I did use SWAT to
create the files in the first place.
</para>
<para>
There are people in the Linux and open source community who feel that SWAT is dangerous
and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG2</emphasis>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
not irresponsible?
</para>
</question>
<answer>
<para>
Well, I had to use a password of some sort. At least this one has been consistently
used throughout. I guess you can figure out that in a real deployment it would make
sense to use a more secure and original password.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
a good thing?
</para>
</question>
<answer>
<para>
I took this up with Idealx and found them most willing to change that in the next version.
Let's give Idealx some credit for the contribution they have made. I appreciate their work
and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time
Samba may well use them.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
</para>
</question>
<answer>
<para>
Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
group account for every Windows domain group account. But if you put your users into
the system password account, how do you plan to keep all domain controller system
password files in sync? I think that having everything in LDAP makes a lot of sense
for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Why are the Windows domain RID portions not the same as the UNIX UID?
</para>
</question>
<answer>
<para>
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
This algorithm ought to ensure that there will be no clashes with well-known RIDs.
Well-known RIDs have special significance to MS Windows clients. The automatic
assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
permit you to override that to some extent. See the &smb.conf; man page entry
for <parameter>algorithmic rid base</parameter>.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Printer configuration examples all show printing to the HP port 9100. Does this
mean that I must have HP printers for these solutions to work?
</para>
</question>
<answer>
<para>
No. You can use any type of printer and must use the interfacing protocol supported
by the printer. Many networks use LPR/LPD print servers to which are attached
PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
inkjet printer. Use the appropriate device URI (Universal Resource Interface)
argument to the <constant>lpadmin -v</constant> option that is right for your
printer.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Is folder redirection dangerous? I've heard that you can lose your data that way.
</para>
</question>
<answer>
<para>
The only loss of data I know of that involved folder redirection was caused by
manual misuse of the redirection tool. The administrator redirected a folder to
a network drive and said he wanted to migrate (move) the data over. Then he
changed his mind, so he moved the folder back to the roaming profile. This time,
he declined to move the data because he thought it was still in the local profile
folder. That was not the case, so by declining to move the data back, he wiped out
the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Is it really necessary to set a local Group Policy to exclude the redirected
folders from the roaming profile?
</para>
</question>
<answer>
<para>
Yes. If you do not do this, the data will still be copied from the network folder
(share) to the local cached copy of the profile.
</para>
</answer>
</qandaentry>
</qandaset>
</sect1>
</chapter>
|