<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. A Distributed 2000 User Network</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.64.1"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="previous" href="happy.html" title="Chapter 6. Making Users Happy"><link rel="next" href="migration.html" title="Chapter 8. Migrating NT4 Domain to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="2000users"></a>Chapter 7. A Distributed 2000 User Network</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="2000users.html#id2542861">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2542893">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2542957">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2543244">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id2544382">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2544400">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2548047">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a 
href="2000users.html#id2548114">Questions and Answers</a></span></dt></dl></div><p>There is something indeed mystical about things that are
big. Large networks exhibit a certain magnetism and exude a sense of
importance that obscures reality. You and I know that it is no more
difficult to secure a large network than it is a small one. We all
know that over and above a particular number of network clients, the
rules no longer change; the only real dynamic is the size of the domain
(much like a kingdom) over which the network ruler (oops, administrator)
has control. The real dynamic then transforms from the technical to the
political. Then again, that point is often reached well before the
kingdom (or queendom) grows large.</p><p>If you have systematically worked your way to this chapter, hopefully you
have found some gems and techniques that are applicable in your
world. The network designs you have worked with in this book have their
strong points as well as weak ones. That is to be expected given that
they are based on real business environments, excepting that the facts
have been moulded to serve the purposes of this book.</p><p>This chapter is intent on wrapping up issues that are central to
implementation and design of progressively larger networks. Are you ready
for this chapter? Good, it is time to move on.</p><p>In previous chapters, you made the assumption that your network
administration staff need detailed instruction right down to the
nuts-and-bolts of implementing the solution. That is still the case,
but they have graduated now. You decide to document only those issues,
methods and techniques that are new or complex. Routine tasks such as
implementing a DNS or a DHCP server are under control. Even the basics of
Samba are largely under control. So in this section you focus on the
specifics of implementing LDAP changes, Samba changes, and the approach
to and design of the solution and its deployment.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2542861"></a>Introduction</h2></div></div><div></div></div><p>
Abmas is a miracle company. Most businesses would have collapsed under
the weight of rapid expansion that this company has experienced. Samba
is flexible, so there is no need to reinstall the whole operating
system just because you need to implement a new network design. In fact,
you can keep an old server running right up to the moment of cut-over
and then do a near-live conversion. There is no need to reinstall a
Samba server just to change the way your network should function.
</p><p><a class="indexterm" name="id2542880"></a>
Network growth is common to all organizations. In this exercise,
your preoccupation is with the mechanics of implementing Samba and
LDAP so that network users on each network segment can work
without impediment.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2542893"></a>Assignment Tasks</h3></div></div><div></div></div><p>
Starting with the configuration files for the server called
<tt class="constant">MASSIVE</tt> in Chapter 6, you now deal with the
issues that are particular to large distributed networks. Your task
is simple: identify the challenges, consider the
alternatives, and then design and implement a solution.</p><p><a class="indexterm" name="id2542915"></a>
Remember, you have users based in London (UK), Los Angeles,
Washington DC, and three buildings in New York. A significant portion
of your workforce has notebook computers and roams all over the
world. Some dial into the office, others use VPN connections over the
Internet, and others just move between buildings.</p><p>What do you say to an employee who normally uses a desktop
system but must spend six weeks on the road with a notebook computer?
She is concerned over email access and how to keep co-workers current
with changing documents.</p><p>To top it all off, you have one network support person and one
Help desk person based in London, a single person dedicated to all
network operations in Los Angeles, five staff for user administration
and Help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for
Washington DC.</p><p>You have outsourced all desktop deployment and management to
DirectPointe, Inc. Your concern is server maintenance and third-level
support. Build a plan and show what must be done.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2542957"></a>Dissection and Discussion</h2></div></div><div></div></div><p><a class="indexterm" name="id2542964"></a><a class="indexterm" name="id2542972"></a>
In the previous chapter, you implemented an LDAP server that provided the
<i class="parameter"><tt>passdb backend</tt></i> for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
</p><p><a class="indexterm" name="id2542993"></a><a class="indexterm" name="id2543001"></a><a class="indexterm" name="id2543009"></a><a class="indexterm" name="id2543016"></a>
The implementation of an LDAP-based passdb backend (known as
<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database
that can be distributed, is essential to permit the deployment of Samba
Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
is that the <span class="emphasis"><em>tdbsam</em></span> style passdb backend does not
lend itself to being replicated. The older plain-text-based
<span class="emphasis"><em>smbpasswd</em></span> style passdb backend can be replicated
using a tool such as <span><b class="command">rsync</b></span>, but
<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not
support the range of account facilities demanded by modern network
managers.</p><p><a class="indexterm" name="id2543057"></a><a class="indexterm" name="id2543065"></a>
The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality
that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of
distributed infrastructure sorely limits the scope for its
deployment. This does raise the following questions: "Why can't I just use
an XML-based backend, or for that matter, why not use an SQL-based
backend?" "Is support for these tools broken?" No. Answers to these
questions require a bit of background.</p><p><a class="indexterm" name="id2543090"></a><a class="indexterm" name="id2543098"></a><a class="indexterm" name="id2543106"></a><a class="indexterm" name="id2543114"></a>
<span class="emphasis"><em>What is a directory?</em></span> A directory is a
collection of information regarding objects that can be accessed to
rapidly find information that is relevant in a particular and
consistent manner. A directory differs from a database in that it is
generally more often searched (read) than updated. As a consequence, the
information is organized to facilitate read access rather than to
support transaction processing.</p><p><a class="indexterm" name="id2543135"></a><a class="indexterm" name="id2543147"></a><a class="indexterm" name="id2543155"></a><a class="indexterm" name="id2543163"></a>
The Lightweight Directory Access Protocol (LDAP) differs
considerably from a traditional database. It has a simple search
facility that makes it a highly preferred mechanism for managing
user identities. LDAP provides a scalable mechanism for distributing
the data repository and for keeping all copies (slaves) in sync with
the master repository.</p><p><a class="indexterm" name="id2543180"></a><a class="indexterm" name="id2543188"></a><a class="indexterm" name="id2543196"></a>
Samba is a flexible and powerful file and print sharing
technology. It can use many external authentication sources and can be
part of a total authentication and identity management
infrastructure. The two most important external sources for large sites
are Microsoft Active Directory and LDAP. Sites that specifically wish to
avoid the proprietary implications of Microsoft Active Directory
naturally gravitate toward OpenLDAP.</p><p><a class="indexterm" name="id2543215"></a>
In Chapter 6, you had to deal with a locally routed
network. All deployment concerns focused around making users happy,
and that simply means taking control over all network practices and
usage so that no one user is disadvantaged by any other. The real
lesson is one of understanding that no matter how much network
bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must
function. In particular, you must be concerned with users who move
between offices. You must take into account the way users need to
access information globally. And you must make the network robust
enough so that it can sustain partial breakdown without causing loss of
productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2543244"></a>Technical Issues</h3></div></div><div></div></div><p>There are at least three areas that need to be addressed as you
approach the challenge of designing a network solution for the newly
expanded business. These are:</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2543261"></a>
User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2543293"></a>User Needs</h4></div></div><div></div></div><p>The new company has three divisions. Staff for each division
are spread across the company. Some staff are office-bound and
some are mobile users. Mobile users travel globally. Some spend
considerable periods working in other offices. Everyone wants to be
able to work without constraint of productivity.</p><p>The challenge is not insignificant. In some parts of the world,
even dial-up connectivity is poor, while in other regions political
encumbrances severely curtail user needs. Parts of the global
Internet infrastructure remain shielded-off for reasons outside
the scope of this discussion.</p><p><a class="indexterm" name="id2543317"></a>
Decisions must be made regarding where data is to be stored, how
it will be replicated (if at all), and what the network bandwidth
implications are. For example, one decision that can be made is
to give each office its own master file storage area that can be
synchronized to a central repository in New York. This would permit
global data to be backed up from a single location. The
synchronization tool could be <span><b class="command">rsync</b></span>, run via a
cron job. Mobile users may use off-line file storage under Windows
XP Professional. This way, they can synchronize all files that have
changed since each logon to the network.</p><p><a class="indexterm" name="id2543344"></a><a class="indexterm" name="id2543356"></a>
No matter which way you look at this, the bandwidth requirements
for acceptable performance are substantial even if only 10 percent of
staff are global data users. A company with 3500 employees,
280 of whom were mobile users, and that used a similarly distributed
network, found it needed at least 2 Megabit/sec connectivity
between the UK and US offices. Even over 2 Mb/s bandwidth, this
company abandoned any attempt to run roaming profile usage for
mobile users. At that time, the average roaming profile took 480
Kbytes, while today the minimum Windows XP Professional roaming
profile involves a transfer of over 750 Kbytes from the profile
server to/from the client.</p><p><a class="indexterm" name="id2543380"></a>
Obviously then, user needs and wide-area practicalities
dictate the economic and technical aspects of your network
design as well as your standard operating procedures.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2543394"></a>The Nature of Windows Networking Protocols</h4></div></div><div></div></div><p><a class="indexterm" name="id2543401"></a>
Network logons that include roaming profile handling require
from 140 Kbytes to 2 Mbytes. The inclusion of support for a minimal
set of common desktop applications can push the size of a complete
profile to over 15 Mbytes. This has substantial implications so far
as location of user profiles is concerned. Additionally, it is a
significant factor in determining the nature and style of mandatory
profiles that may be enforced as part of a total service level
assurance program that might be implemented.</p><p><a class="indexterm" name="id2543425"></a><a class="indexterm" name="id2543433"></a>
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In Chapter 6, you
implemented this in the new Windows XP Professional standard
desktop configuration. When desktop folders such as <span class="guimenu">My
Documents</span> are redirected to a network drive, they should
also be excluded from synchronization to/from the server on
logon/out. Redirected folders are analogous to network drive
connections.</p><p><a class="indexterm" name="id2543458"></a>
Of course, network applications should only be run off
local application servers. As a general rule, even with 2 Mbit/sec
network bandwidth, it would not make sense at all for someone who
is working out of the London office to run applications off a
server that is located in New York.</p><p><a class="indexterm" name="id2543474"></a>
When network bandwidth becomes a precious commodity (that is most
of the time), there is a significant demand to understand network
processes and to mould the limits of acceptability around the
constraints of affordability.</p><p>When a Windows NT4/200x/XP Professional client user logs onto
the network, several important things must happen.</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2543499"></a>
The client obtains an IP address via DHCP. (DHCP is
necessary so that users can roam between offices.)</p></li><li><p><a class="indexterm" name="id2543515"></a><a class="indexterm" name="id2543523"></a>
The client must register itself with the WINS and/or DNS
server.</p></li><li><p><a class="indexterm" name="id2543539"></a>
The client must locate the closest Domain Controller.</p></li><li><p>The client must log onto a Domain Controller and obtain as
part of that process the location of the user's profile, load
it, connect to redirected folders, and establish all network
drive and printer connections.</p></li><li><p>The Domain Controller must be able to resolve the user's
credentials before the logon process is fully implemented.</p></li></ul></div><p>Given that this book is about Samba and the fact that it
implements the Windows NT4 style domain semantics, it makes little
sense to compare Samba with Microsoft Active Directory insofar as
the logon protocols and principles of operation are
concerned. The following information pertains exclusively to the
interaction between a Windows XP Professional workstation and a
Samba-3.0.2 server. In the discussion that follows, use is made of
DHCP and WINS.</p><p>As soon as the Windows workstation starts up, it obtains an
IP address. This is immediately followed by registration of its
name both by broadcast and by Unicast registration that is directed
at the WINS server.</p><p><a class="indexterm" name="id2543594"></a><a class="indexterm" name="id2543602"></a><a class="indexterm" name="id2543613"></a>
Given that the client is already a Domain Member, it then sends
a directed (Unicast) request to the WINS server seeking the list of
IP addresses for domain controllers (NetBIOS name type 0x1C). The
WINS server replies with the information requested.</p><p><a class="indexterm" name="id2543629"></a><a class="indexterm" name="id2543640"></a><a class="indexterm" name="id2543648"></a>
The client sends two netlogon mailslot broadcast requests
to the local network and to each of the IP addresses returned by
the WINS server. Whichever answers this request first appears to
be the machine that the Windows XP client attempts to use to
process the network logon. The mailslot messages use UDP broadcast
to the local network and UDP Unicast directed at each machine that
was listed in the WINS server response to a request for the list of
Domain Controllers.</p><p><a class="indexterm" name="id2543668"></a><a class="indexterm" name="id2543679"></a><a class="indexterm" name="id2543687"></a>
The logon process begins with negotiation of the SMB/CIFS
protocols that are to be used; this is followed by an exchange of
information that ultimately includes the client sending the
credentials with which the user is attempting to log on. The logon
server must now approve the further establishment of the
connection, but that is a good point to halt for now. The priority
here must center around identification of network infrastructure
needs. A secondary question we need to answer is: what happens when
local Domain Controllers fail or break?</p><p><a class="indexterm" name="id2543708"></a><a class="indexterm" name="id2543716"></a><a class="indexterm" name="id2543723"></a><a class="indexterm" name="id2543731"></a>
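The WINS lookup described above (the Unicast query for the domain controllers' 0x1C group name) is much easier to recognize in a packet capture once you know how NetBIOS names are encoded on the wire. The following Python is an added example and is not code from the book or from the Samba project: it implements the RFC 1001 first-level name encoding and its inverse, builds the NBNS name query that a client sends to a WINS server (or broadcasts on the local segment), and decodes the address list a WINS server returns for a group name. The domain name ABMAS, the transaction ID and the addresses in the sample reply are constructed values.</p>

```python
import struct

# RFC 1001 first-level encoding: a NetBIOS name is padded with spaces to 15
# bytes, a one-byte suffix is appended (0x1C is the domain controllers group,
# 0x1B the domain master browser, 0x00 a workstation), and each byte is split
# into two nibbles that are written as the letters 'A' (0) to 'P' (15).


def netbios_encode(name, suffix):
    """Return the 32-character encoded form of NAME<suffix>."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def netbios_decode(encoded):
    """Inverse of netbios_encode: return (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def nbns_query(name, suffix, txid=0x1234, unicast=True):
    """Build the NBNS name query packet for NAME<suffix>.

    The header flags are OPCODE=query with the RD bit set (0x0100); the
    broadcast form additionally sets the B bit (0x0110).  The question is
    the encoded name as one 32-byte label, QTYPE NB (0x0020), QCLASS IN.
    """
    flags = 0x0100 if unicast else 0x0110
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"\x20" + netbios_encode(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)


def parse_nb_rdata(rdata):
    """Decode the RDATA of an NB resource record into [(ip, is_group), ...].

    A positive reply for a group name such as DOMAIN<1C> carries one 6-byte
    entry per registered address: 2 bytes of NB_FLAGS (bit 15 = group name)
    followed by the IPv4 address.
    """
    if len(rdata) % 6:
        raise ValueError("NB RDATA must be a multiple of 6 bytes")
    entries = []
    for off in range(0, len(rdata), 6):
        nb_flags, = struct.unpack(">H", rdata[off:off + 2])
        ip = ".".join(str(b) for b in rdata[off + 2:off + 6])
        entries.append((ip, bool(nb_flags & 0x8000)))
    return entries


# Constructed sample: the RDATA a WINS server might return for ABMAS<1C>
# when two domain controllers have registered (the addresses are made up).
SAMPLE_RDATA = bytes.fromhex("8000c0a80a05" "8000c0a80b05")

if __name__ == "__main__":
    print("ABMAS<1C> encodes as", netbios_encode("ABMAS", 0x1C))
    print("unicast query to the WINS server:", nbns_query("ABMAS", 0x1C).hex())
    print("domain controllers in the sample reply:", parse_nb_rdata(SAMPLE_RDATA))
```

<p>Run stand-alone, the block prints the encoded name, the query packet and the decoded address list. The two functions worth keeping to hand are <tt>netbios_decode</tt>, which turns the 32-letter names shown in NBNS packets back into NAME&lt;suffix&gt; form, and <tt>parse_nb_rdata</tt>, which lets you confirm from a capture which Domain Controllers a given WINS server is handing out for the 0x1C name and therefore which machines will receive the netlogon mailslot requests.</p><p>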
Under most circumstances, the nearest Domain Controller
responds to the netlogon mailslot broadcast. The exception to this
norm occurs when the nearest Domain Controller is too busy or is out
of service. Herein lies an important fact. This means it is
important that every network segment should have at least two
Domain Controllers. Since there can be only one Primary Domain
Controller (PDC), all additional Domain Controllers are by definition
Backup Domain Controllers (BDCs).</p><p><a class="indexterm" name="id2543751"></a><a class="indexterm" name="id2543759"></a>
The provision of sufficient servers that are BDCs is an
important design factor. The second important design factor
involves how each of the BDCs obtains user authentication
data. That is the subject of the next section as it involves key
decisions regarding Identity Management facilities.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2543776"></a>Identity Management Needs</h4></div></div><div></div></div><p><a class="indexterm" name="id2543782"></a><a class="indexterm" name="id2543790"></a><a class="indexterm" name="id2543798"></a><a class="indexterm" name="id2543806"></a>
Network managers recognize that in large organizations users
generally need to be given resource access based on needs, while
being excluded from other resources for reasons of privacy. It is,
therefore, essential that all users identify themselves at the
point of network access. The network logon is the principal means
by which user credentials are validated and filtered, and appropriate
rights and privileges are allocated.</p><p><a class="indexterm" name="id2543825"></a><a class="indexterm" name="id2543833"></a><a class="indexterm" name="id2543841"></a>
Unfortunately, network resources tend to have their own Identity
Management facilities, the quality and manageability of which varies
from quite poor to exceptionally good. Corporations that use a mixture
of systems soon discover that until recently, few systems were
designed to interoperate. For example, UNIX systems each have an
independent user database. Sun Microsystems developed a facility that
was originally called <tt class="constant">Yellow Pages</tt>, and was renamed
when a telephone company objected to the use of its trademark.
What was once called <tt class="constant">Yellow Pages</tt> is today known
as <tt class="constant">Network Information System</tt> (NIS).</p><p><a class="indexterm" name="id2543881"></a>
NIS gained a strong following throughout the UNIX/VMS space in a
short period of time and retained that appeal and use
for over a decade. Security concerns as well as inherent limitations
have caused it to enter its twilight. NIS did not gain widespread
appeal outside of the UNIX world and was not universally
adopted. Sun updated this to a more secure implementation called
NIS+, but even it has fallen victim to changing demands as the
demand for directory services that can be coupled with other
information systems is catching on.</p><p><a class="indexterm" name="id2543902"></a><a class="indexterm" name="id2543910"></a><a class="indexterm" name="id2543918"></a>
Nevertheless, both NIS and NIS+ continue to hold ground in
business areas where UNIX still has major sway. Examples of
organizations that remain firmly attached to the use of NIS and
NIS+ include large government departments, education institutions,
as well as large corporations that have a scientific or engineering
focus.</p><p><a class="indexterm" name="id2543935"></a><a class="indexterm" name="id2543943"></a>
Today's networking world needs a scalable, distributed Identity
Management infrastructure, commonly called a directory. The most
popular technologies today are Microsoft Active Directory service
and a number of LDAP implementations.</p><p><a class="indexterm" name="id2543958"></a>
The problem of managing multiple directories has become a focal
point over the past decade. This has created a large market for
meta-directory products and services that allow organizations that
have multiple directories and multiple management and control
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.</p><p><a class="indexterm" name="id2543978"></a>
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.</p><p><a class="indexterm" name="id2543998"></a><a class="indexterm" name="id2544005"></a><a class="indexterm" name="id2544017"></a>
In Chapter 6, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how one may implement a single
master LDAP server, with multiple slave servers.</p><p>The best method for implementing master/slave LDAP
servers within the context of a distributed 2000 user network is a
question that remains to be answered.</p><p><a class="indexterm" name="id2544043"></a><a class="indexterm" name="id2544051"></a>
One possibility that has great appeal is to create one single
large distributed domain. The practical implications of this
design (see <a href="2000users.html#chap7net" title="Figure 7.1. Network Topology 2000 User Complex Design A">Figure 7.1</a>) demand the placement of
sufficient BDCs in each location. Additionally, network
administrators must make sure that profiles are not transferred
over the wide-area links, except as a totally unavoidable
measure. Network design must balance the risk of loss of user
productivity against the cost of network management and
maintenance.</p><p><a class="indexterm" name="id2544078"></a>
The network design in <a href="2000users.html#chap7net2" title="Figure 7.2. Network Topology 2000 User Complex Design B">Figure 7.2</a> takes the
approach that management of networks that are too remote to be
capable of being managed effectively from New York ought
to be given a certain degree of autonomy. With this rationale, the
Los Angeles and London networks, though fully integrated with that
on the east coast of the USA, each have their own domain name space
and can be independently managed and controlled. One of the key
drawbacks of this design is that it flies in the face of the
ability for network users to roam globally without some compromise
in how they may access global resources.</p><p><a class="indexterm" name="id2544106"></a>
Desk-bound users need not be negatively affected by this
design, since interdomain trusts can be used to satisfy
the need for global data sharing.</p><p><a class="indexterm" name="id2544120"></a><a class="indexterm" name="id2544128"></a><a class="indexterm" name="id2544140"></a>
When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains
the domain SID. An unintended but exploitable side effect is that
this makes it possible to operate with more than one PDC on a
distributed network.</p><p><a class="indexterm" name="id2544156"></a><a class="indexterm" name="id2544164"></a><a class="indexterm" name="id2544172"></a>
How might this peculiar feature be exploited? The answer is
simple. It is imperative that each network segment should have its
own WINS server. Major servers on remote network segments can be
given a static WINS entry in the <tt class="filename">wins.dat</tt> file
on each WINS server. This allows all essential data to be
visible from all locations. Each location would, however, function
as if it is an independent domain, while all sharing the same
domain SID. Since all domain account information can be stored in a
single LDAP backend, users have an unfettered ability to
roam.</p><p><a class="indexterm" name="id2544198"></a><a class="indexterm" name="id2544210"></a>
This concept has not been exhaustively validated, though we can
see no reason why this should not work. The important facets
are: the name of the domain must be identical in all
locations. Each network segment must have its own WINS server. The
name of the PDC must be the same in all locations; this
necessitates the use of NetBIOS name aliases for each PDC so that
they can be accessed globally using the alias and not the PDC's
primary name. A single master LDAP server can be based in New York,
with multiple LDAP slave servers located on every network
segment. Finally, the BDCs should each use fail-over LDAP servers
that are in fact slave LDAP servers on the local segments.</p><p><a class="indexterm" name="id2544233"></a><a class="indexterm" name="id2544245"></a><a class="indexterm" name="id2544252"></a><a class="indexterm" name="id2544264"></a>
With a single master LDAP server, all network updates are
effected on a single server. In the event that this should become
excessively fragile or network bandwidth limiting, one could
implement a delegated LDAP domain. This is also known as a
partitioned (or multiple partition) LDAP database
and as a distributed LDAP directory.</p><p>As the LDAP directory grows, it becomes increasingly important
that its structure is implemented in a manner that mirrors
organizational needs, so as to limit network update and
referential traffic. It should be noted that all directory
administrators must of necessity follow the same standard
procedures for managing the directory, as retroactive correction of
inconsistent directory information can be exceedingly difficult.</p><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 7.1. Network Topology 2000 User Complex Design A</b></p><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 7.2. Network Topology 2000 User Complex Design B</b></p><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2544382"></a>Political Issues</h3></div></div><div></div></div><p>As organizations grow, the number of points of control increases
as well. In a large distributed organization, it is important that the
Identity Management system be capable of being updated from
many locations, and it is equally important that changes made
become usable in a reasonable period, typically
minutes rather than days (the old limitation of highly manual
systems).</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2544400"></a>Implementation</h2></div></div><div></div></div><p><a class="indexterm" name="id2544407"></a><a class="indexterm" name="id2544415"></a><a class="indexterm" name="id2544423"></a><a class="indexterm" name="id2544430"></a>
Samba-3 has the ability to use multiple password (authentication
and identity resolution) backends. The diagram in <a href="2000users.html#chap7idres" title="Figure 7.3. Samba and Authentication Backend Search Pathways">Figure 7.3</a> demonstrates how Samba uses winbind, LDAP,
and NIS, the traditional system password database. The diagram only
documents the mechanisms for authentication and identity resolution
(obtaining a UNIX UID/GID) using the specific systems shown.
</p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 7.3. Samba and Authentication Backend Search Pathways</b></p><div class="mediaobject"><img src="images/chap7-idresol.png" width="432" alt="Samba and Authentication Backend Search Pathways"></div></div><p><a class="indexterm" name="id2544497"></a><a class="indexterm" name="id2544505"></a><a class="indexterm" name="id2544513"></a><a class="indexterm" name="id2544521"></a><a class="indexterm" name="id2544529"></a><a class="indexterm" name="id2544537"></a><a class="indexterm" name="id2544545"></a>
Samba is capable of using the <tt class="constant">smbpasswd</tt>,
<tt class="constant">tdbsam</tt>, <tt class="constant">xmlsam</tt>,
and <tt class="constant">mysqlsam</tt> authentication databases. The SMB
passwords can, of course, also be stored in an LDAP ldapsam
backend. LDAP is the preferred passdb backend for distributed network
operations.</p><p><a class="indexterm" name="id2544574"></a>
Additionally, it is possible to use multiple passdb backends
concurrently as well as to have multiple LDAP backends. As a result, one
can specify a fail-over LDAP backend. The syntax for specifying a
single LDAP backend in <tt class="filename">smb.conf</tt> is:
</p><pre class="screen">
passdb backend = ldapsam:ldap://master.abmas.biz
</pre><p>
This configuration tells Samba to use a single LDAP server as shown in
<a href="2000users.html#ch7singleLDAP" title="Figure 7.4. Samba Configuration to Use a Single LDAP Server">Figure 7.4</a>.
</p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 7.4. Samba Configuration to Use a Single LDAP Server</b></p><div class="mediaobject"><img src="images/ch7-singleLDAP.png" alt="Samba Configuration to Use a Single LDAP Server"></div></div><p>
<a class="indexterm" name="id2544650"></a><a class="indexterm" name="id2544662"></a>
The addition of a fail-over LDAP server can simply be done by adding a
second entry for the fail-over server to the single
<i class="parameter"><tt>ldapsam</tt></i> entry as shown here (note the particular
use of the double quotes):
</p><pre class="screen">
passdb backend = ldapsam:"ldap://master.abmas.biz \
ldap://slave.abmas.biz"
</pre><p>
This configuration tells Samba to use a master LDAP server, with fail-over to a slave server if necessary,
as shown in <a href="2000users.html#ch7dualLDAP" title="Figure 7.5. Samba Configuration to Use a Dual (Fail-over) LDAP Server">Figure 7.5</a>.
</p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 7.5. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div><p>
</p><p>Some folks have tried to implement this without the use of
double quotes as shown above. This is the type of entry they used:
</p><pre class="screen">
passdb backend = ldapsam:ldap://master.abmas.biz \
ldapsam:ldap://slave.abmas.biz
</pre><p>
<a class="indexterm" name="id2544752"></a>
The effect of this style of entry is that Samba lists the users
that are in both LDAP databases. If both contain the same information,
it results in each record being shown twice. This is, of course, not the
solution desired for a fail-over implementation. The net effect of this
configuration is shown in <a href="2000users.html#ch7dualadd" title="Figure 7.6. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">Figure 7.6</a>.
</p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 7.6. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="432" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div><p>
If, however, each LDAP database contains unique information, this may
well be an advantageous way to effectively integrate multiple LDAP databases
into one seemingly contiguous directory. Only the first database will be updated.
An example of this configuration is shown in <a href="2000users.html#ch7dualok" title="Figure 7.7. Samba Configuration to Use Two LDAP Databases - The result is additive.">Figure 7.7</a>.
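The three <tt class="parameter"><tt>passdb backend</tt></tt> forms discussed above differ only in how the value is tokenized, which is easy to get wrong by hand. The following Python is an added example, not code from this book or from the Samba project: it splits a <tt class="parameter"><tt>passdb backend</tt></tt> value the way Samba's parameter parser does (whitespace separates backends, double quotes hold one backend's argument string together, and a trailing backslash joins the next line), classifies the result as single, fail-over or additive, and returns the review warning a configuration audit would raise for the additive form. The sample values are constructed from the master and slave hostnames used on this page; the function names and the wording of the warnings are this example's own.

```python
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class Backend:
    """One entry of the passdb backend list: a backend name and its arguments.
    For ldapsam the arguments are LDAP URIs in the order Samba tries them."""
    name: str
    args: list = field(default_factory=list)


def join_continuations(value: str) -> str:
    """smb.conf joins a line ending in a backslash with the next line before
    the value is parsed, so the multi-line forms on the page fold into one."""
    return re.sub(r"\\\s*\n\s*", " ", value)


def parse_passdb_backend(value: str) -> list:
    """Split a `passdb backend` value into backends.

    Whitespace separates backends; double quotes keep one backend's argument
    string together, which is why the fail-over form needs them.
    """
    backends = []
    for token in shlex.split(join_continuations(value)):
        name, _, arg = token.partition(":")   # first ':' separates name from argument
        backends.append(Backend(name, arg.split()))
    return backends


def classify(value: str) -> str:
    """'single', 'failover' (one ldapsam entry with several URIs) or
    'additive' (several backends whose users are enumerated together)."""
    backends = parse_passdb_backend(value)
    if not backends:
        return "empty"
    if len(backends) > 1:
        return "additive"
    if backends[0].name == "ldapsam" and len(backends[0].args) > 1:
        return "failover"
    return "single"


def diagnose(value: str) -> list:
    """Warnings a configuration review would raise about this value."""
    backends = parse_passdb_backend(value)
    warnings = []
    ldap = [b for b in backends if b.name == "ldapsam"]
    if len(ldap) > 1:
        warnings.append(
            "multiple ldapsam backends are additive, not fail-over: users of every "
            "listed directory are enumerated and only the first one is updated; "
            "quote the URIs into one ldapsam entry if these are a master and its slave")
    for b in ldap:
        for uri in b.args:
            if not re.match(r"^ldap[si]?://", uri):
                warnings.append(f"ldapsam argument {uri!r} is not an LDAP URI")
    return warnings


# Constructed sample values mirroring the three forms discussed on the page.
SINGLE = "ldapsam:ldap://master.abmas.biz"
FAILOVER = 'ldapsam:"ldap://master.abmas.biz \\\n                         ldap://slave.abmas.biz"'
ADDITIVE = "ldapsam:ldap://master.abmas.biz \\\n                ldapsam:ldap://slave.abmas.biz"

if __name__ == "__main__":
    for label, value in (("single", SINGLE), ("failover", FAILOVER), ("additive", ADDITIVE)):
        print(f"{label:9s} -> {classify(value)}  {parse_passdb_backend(value)}")
        for warning in diagnose(value):
            print("   warning:", warning)
```

Running the module prints the classification of each constructed value; only the additive form produces a warning. The same functions can be pointed at the <tt class="parameter"><tt>passdb backend</tt></tt> line of a real <tt class="filename">smb.conf</tt> before it is deployed.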
</p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 7.7. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="432" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
When the use of ldapsam is specified twice, as shown here, it is imperative
that the two LDAP directories be disjoint. If the entries are for a
master LDAP server as well as its own slave server, updates to the LDAP
database may end up being lost or corrupted. You may safely use multiple
LDAP backends only so long as both are entirely separate from each other.
</p></div><p>It is assumed that the network you are working with follows a
pattern similar to what has been covered in Chapter 6. The following steps
permit the operation of a Master/Slave OpenLDAP arrangement.</p><div class="procedure"><ol type="1"><li><p>
<a class="indexterm" name="id2544901"></a><a class="indexterm" name="id2544909"></a>
Log onto the master LDAP server as <tt class="constant">root</tt>.
You are about to change the configuration of the LDAP server, so it
makes sense to temporarily halt it. Stop OpenLDAP from running on
SUSE Linux by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap stop
</pre><p>
On Red Hat Linux, you can do this by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> service ldap stop
</pre><p>
</p></li><li><p><a class="indexterm" name="id2544955"></a>
Edit the <tt class="filename">/etc/openldap/slapd.conf</tt> file so it
matches the content of <a href="2000users.html#ch7-LDAP-master" title="Example 7.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">Example 7.1</a>.
</p></li><li><p><a class="indexterm" name="id2544984"></a><a class="indexterm" name="id2544992"></a>
Change directory to a suitable place to dump the contents of the
LDAP server. The dump file (an LDIF file) is used to preload
the slave LDAP server database. You can dump the database by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapcat -v -l LDAP-transfer-LDIF.txt
</pre><p>
Each record is written to the file.
</p></li><li><p><a class="indexterm" name="id2545026"></a>
Copy the file <tt class="filename">LDAP-transfer-LDIF.txt</tt> to the intended
slave LDAP server. A good location could be in the directory
<tt class="filename">/etc/openldap/preload</tt>.
Log onto the slave LDAP server as <tt class="constant">root</tt>. You can
now configure this server so the <tt class="filename">/etc/openldap/slapd.conf</tt>
file matches the content of <a href="2000users.html#ch7-LDAP-slave" title="Example 7.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">Example 7.2</a>.
Change directory to the location in which you stored the
<tt class="filename">LDAP-transfer-LDIF.txt</tt> file (<tt class="filename">/etc/openldap/preload</tt>).
While in this directory, execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapadd -v -l LDAP-transfer-LDIF.txt
</pre><p>
If all goes well, the following output confirms that the data is being loaded:
</p><pre class="screen">
added: "dc=abmas,dc=biz" (00000001)
added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
added: "ou=People,dc=abmas,dc=biz" (00000004)
added: "ou=Groups,dc=abmas,dc=biz" (00000005)
added: "ou=Computers,dc=abmas,dc=biz" (00000006)
added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
</pre><p>
Now start the LDAP server and set it to run automatically on system reboot:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap start
<tt class="prompt">root# </tt> chkconfig ldap on
</pre><p>
On Red Hat Linux, you would execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> service ldap start
<tt class="prompt">root# </tt> chkconfig ldap on
</pre><p>
<a class="indexterm" name="id2545195"></a><a class="indexterm" name="id2545203"></a><a class="indexterm" name="id2545211"></a>
Go back to the master LDAP server. Execute the following to start LDAP as well
as <span><b class="command">slurpd</b></span>, the synchronization daemon:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap start
<tt class="prompt">root# </tt> chkconfig ldap on
<tt class="prompt">root# </tt> rcslurpd start
<tt class="prompt">root# </tt> chkconfig slurpd on
</pre><p>
<a class="indexterm" name="id2545265"></a>
On Red Hat Linux, check the equivalent command to start <span><b class="command">slurpd</b></span>.
</p></li><li><p><a class="indexterm" name="id2545286"></a>
On the master LDAP server you may now add an account to validate that replication
is working. Assuming the configuration shown in Chapter 6, execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> /var/lib/samba/sbin/smbldap-useradd.pl -a fruitloop
</pre><p>
On the slave LDAP server, change to the directory <tt class="filename">/var/lib/ldap</tt>.
There should now be a file called <tt class="filename">replogfile</tt>. If replication worked
as expected, the content of this file should be:
</p><pre class="screen">
dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
replace: sambaProfilePath
sambaProfilePath: \\MASSIVE\profiles\fruitloop
replace: sambaHomePath
sambaHomePath: \\MASSIVE\homes
entryCSN: 2003122700:43:38Z#0x0005#0#0000
replace: modifiersName
modifiersName: cn=Manager,dc=abmas,dc=biz
replace: modifyTimestamp
modifyTimestamp: 20031227004338Z
</pre><p>
Given that this first slave LDAP server is now working correctly, you may now
implement additional slave LDAP servers as required.
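Beyond watching the replication log for a single test account, a direct way to confirm that a slave holds what the master holds is to <tt class="command">slapcat</tt> both servers and compare the two exports entry by entry. The Python below is an added example, not part of this book or of OpenLDAP: it parses LDIF dumps (folded continuation lines and base64 values included), ignores operational attributes that legitimately differ between a master and its replica, reports entries missing from or extra on the replica and attributes whose values differ, and withholds the values of password-hash attributes from the report so that a diff can be shared without leaking credentials. The two LDIF documents are constructed for the example, loosely modelled on the entries listed above; the hash strings and the stale home path in them are placeholders.

```python
import base64
from collections import defaultdict

# Operational attributes that legitimately differ between a master and its
# replica (CSNs, timestamps, modifier); they are left out of the comparison.
IGNORED_ATTRS = {"entrycsn", "contextcsn", "entryuuid", "createtimestamp",
                 "creatorsname", "modifytimestamp", "modifiersname"}
# Credential hashes are compared, but their values never appear in the report.
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split(line):
    """'attr: value' or 'attr:: base64' -> (lower-cased attr, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip().lower(), rest.strip()


def parse_ldif(text):
    """Parse a slapcat-style LDIF export into {dn: {attr: [values]}}.
    DNs are lower-cased for matching; attribute values are kept verbatim."""
    entries, current, dn = {}, None, None
    for line in _unfold(text) + [""]:          # the sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(current)
            current, dn = None, None
        elif line.startswith("#"):
            continue
        else:
            name, value = _split(line)
            if name == "dn":
                dn, current = value.lower(), defaultdict(list)
            elif current is not None:
                current[name].append(value)
    return entries


def compare_exports(master_ldif, replica_ldif):
    """Report how a replica's export diverges from the master's."""
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    report = {"missing_on_replica": [], "extra_on_replica": [], "differing": []}
    for dn, attrs in master.items():
        if dn not in replica:
            report["missing_on_replica"].append(dn)
            continue
        for attr in sorted(set(attrs) | set(replica[dn])):
            if attr in IGNORED_ATTRS:
                continue
            mine, theirs = sorted(attrs.get(attr, [])), sorted(replica[dn].get(attr, []))
            if mine != theirs:
                detail = "(value withheld)" if attr in SECRET_ATTRS else f"{mine} != {theirs}"
                report["differing"].append((dn, attr, detail))
    report["extra_on_replica"] = [dn for dn in replica if dn not in master]
    return report


def in_sync(report):
    return not any(report.values())


# Constructed exports: the replica lacks the new account and holds a stale
# home path and password hash for bobj. Hash values are placeholders.
MASTER_LDIF = r"""dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o:: QWJtYXM=

dn: uid=bobj,ou=People,dc=abmas,dc=biz
objectClass: sambaSamAccount
uid: bobj
sambaHomePath: \\MASSIVE\homes
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
entryCSN: 2003122700:43:38Z#0x0005#0#0000
modifyTimestamp: 20031227004338Z

dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
objectClass: sambaSamAccount
uid: fruitloop
sambaProfilePath: \\MASSIVE\profiles\fruitloop
"""

REPLICA_LDIF = r"""dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: Abmas

dn: uid=bobj,ou=People,dc=abmas,dc=biz
objectClass: sambaSamAccount
uid: bobj
sambaHomePath: \\BLDG1\homes
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
entryCSN: 2003122600:10:00Z#0x0001#0#0000
modifyTimestamp: 20031226001000Z
"""

if __name__ == "__main__":
    for key, items in compare_exports(MASTER_LDIF, REPLICA_LDIF).items():
        print(key, items)
```

On real servers the two inputs would be the files written by <tt class="command">slapcat -l</tt> on the master and on the slave; an empty report means the replica is current, and a non-empty one names exactly which entries and attributes to inspect.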
</p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 7.1. LDAP Master Server Configuration File <tt class="filename">/etc/openldap/slapd.conf</tt></b></p><pre class="screen">
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"

rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

replica host=lapdc.abmas.biz:389
        suffix="dc=abmas,dc=biz"
        binddn="cn=updateuser,dc=abmas,dc=biz"
        bindmethod=simple credentials=not24get

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=updateuser,dc=abmas,dc=biz" write

replogfile /var/lib/ldap/replogfile

directory /var/lib/ldap

# Indices to maintain
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

</pre></div><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 7.2. LDAP Slave Configuration File <tt class="filename">/etc/openldap/slapd.conf</tt></b></p><pre class="screen">
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

suffix "dc=abmas,dc=biz"
rootdn "cn=Manager,dc=abmas,dc=biz"

rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

        by dn=cn=updateuser,dc=abmas,dc=biz write

updatedn cn=updateuser,dc=abmas,dc=biz
updateref ldap://massive.abmas.biz
replogfile /var/lib/ldap/replogfile

directory /var/lib/ldap

# Indices to maintain
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

</pre></div><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 7.3. Primary Domain Controller smb.conf File Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2545494"></a><i class="parameter"><tt>
unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2545510"></a><i class="parameter"><tt>
workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2545525"></a><i class="parameter"><tt>
passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2545542"></a><i class="parameter"><tt>
username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2545558"></a><i class="parameter"><tt>
log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2545574"></a><i class="parameter"><tt>
syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2545589"></a><i class="parameter"><tt>
log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2545604"></a><i class="parameter"><tt>
max log size = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2545620"></a><i class="parameter"><tt>
smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2545636"></a><i class="parameter"><tt>
name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2545653"></a><i class="parameter"><tt>
time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2545668"></a><i class="parameter"><tt>
printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2545684"></a><i class="parameter"><tt>
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545701"></a><i class="parameter"><tt>
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u</tt></i></td></tr><tr><td><a class="indexterm" name="id2545717"></a><i class="parameter"><tt>
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545734"></a><i class="parameter"><tt>
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545750"></a><i class="parameter"><tt>
add user to group script = /var/lib/samba/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod.pl -m '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545774"></a><i class="parameter"><tt>
delete user from group script = /var/lib/samba/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod.pl -x '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545798"></a><i class="parameter"><tt>
set primary group script = /var/lib/samba/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-usermod.pl -g '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545822"></a><i class="parameter"><tt>
add machine script = /var/lib/samba/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-useradd.pl -w '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2545845"></a><i class="parameter"><tt>
shutdown script = /var/lib/samba/scripts/shutdown.sh</tt></i></td></tr><tr><td><a class="indexterm" name="id2545862"></a><i class="parameter"><tt>
abort shutdown script = /sbin/shutdown -c</tt></i></td></tr><tr><td><a class="indexterm" name="id2545878"></a><i class="parameter"><tt>
logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2545894"></a><i class="parameter"><tt>
logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2545909"></a><i class="parameter"><tt>
logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2545925"></a><i class="parameter"><tt>
domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2545941"></a><i class="parameter"><tt>
domain master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2545957"></a><i class="parameter"><tt>
wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2545972"></a><i class="parameter"><tt>
ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2545988"></a><i class="parameter"><tt>
ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2546005"></a><i class="parameter"><tt>
ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2546020"></a><i class="parameter"><tt>
ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2546036"></a><i class="parameter"><tt>
ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2546052"></a><i class="parameter"><tt>
ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2546069"></a><i class="parameter"><tt>
idmap backend = ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2546085"></a><i class="parameter"><tt>
idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2546100"></a><i class="parameter"><tt>
idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2546116"></a><i class="parameter"><tt>
printer admin = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2546132"></a><i class="parameter"><tt>
printing = cups</tt></i></td></tr></table></div><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 7.4. Primary Domain Controller smb.conf File Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[IPC$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546170"></a><i class="parameter"><tt>
path = /tmp</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546194"></a><i class="parameter"><tt>
comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2546210"></a><i class="parameter"><tt>
path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2546225"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[service]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546250"></a><i class="parameter"><tt>
comment = Financial Services Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2546266"></a><i class="parameter"><tt>
path = /data/service</tt></i></td></tr><tr><td><a class="indexterm" name="id2546282"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[pidata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546306"></a><i class="parameter"><tt>
comment = Property Insurance Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2546322"></a><i class="parameter"><tt>
path = /data/pidata</tt></i></td></tr><tr><td><a class="indexterm" name="id2546338"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546362"></a><i class="parameter"><tt>
comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2546378"></a><i class="parameter"><tt>
valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2546394"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2546409"></a><i class="parameter"><tt>
browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546434"></a><i class="parameter"><tt>
comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2546449"></a><i class="parameter"><tt>
path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2546465"></a><i class="parameter"><tt>
guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2546481"></a><i class="parameter"><tt>
printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2546496"></a><i class="parameter"><tt>
browseable = No</tt></i></td></tr></table></div><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 7.5. Primary Domain Controller smb.conf File Part C</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[apps]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546535"></a><i class="parameter"><tt>
comment = Application Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2546550"></a><i class="parameter"><tt>
path = /apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2546566"></a><i class="parameter"><tt>
admin users = bjones</tt></i></td></tr><tr><td><a class="indexterm" name="id2546581"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546606"></a><i class="parameter"><tt>
comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2546622"></a><i class="parameter"><tt>
path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2546637"></a><i class="parameter"><tt>
admin users = root, Administrator</tt></i></td></tr><tr><td><a class="indexterm" name="id2546654"></a><i class="parameter"><tt>
guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2546669"></a><i class="parameter"><tt>
locking = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546693"></a><i class="parameter"><tt>
comment = Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2546709"></a><i class="parameter"><tt>
path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><a class="indexterm" name="id2546725"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2546740"></a><i class="parameter"><tt>
profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profdata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546765"></a><i class="parameter"><tt>
comment = Profile Data Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2546781"></a><i class="parameter"><tt>
path = /var/lib/samba/profdata</tt></i></td></tr><tr><td><a class="indexterm" name="id2546796"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2546812"></a><i class="parameter"><tt>
profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546837"></a><i class="parameter"><tt>
comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2546852"></a><i class="parameter"><tt>
path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2546868"></a><i class="parameter"><tt>
write list = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2546884"></a><i class="parameter"><tt>
admin users = root, Administrator</tt></i></td></tr></table></div><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 7.6. Backup Domain Controller smb.conf File Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2546929"></a><i class="parameter"><tt>
unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2546945"></a><i class="parameter"><tt>
workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2546960"></a><i class="parameter"><tt>
netbios name = BLDG1</tt></i></td></tr><tr><td><a class="indexterm" name="id2546976"></a><i class="parameter"><tt>
passdb backend = ldapsam:ldap://lapdc.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2546993"></a><i class="parameter"><tt>
username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2547009"></a><i class="parameter"><tt>
log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2547024"></a><i class="parameter"><tt>
syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2547040"></a><i class="parameter"><tt>
log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2547055"></a><i class="parameter"><tt>
max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2547071"></a><i class="parameter"><tt>
smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2547087"></a><i class="parameter"><tt>
name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2547104"></a><i class="parameter"><tt>
printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2547119"></a><i class="parameter"><tt>
show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2547135"></a><i class="parameter"><tt>
logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2547151"></a><i class="parameter"><tt>
logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2547167"></a><i class="parameter"><tt>
logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2547182"></a><i class="parameter"><tt>
domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2547198"></a><i class="parameter"><tt>
os level = 63</tt></i></td></tr><tr><td><a class="indexterm" name="id2547214"></a><i class="parameter"><tt>
domain master = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2547230"></a><i class="parameter"><tt>
wins server = 192.168.2.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2547245"></a><i class="parameter"><tt>
ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2547261"></a><i class="parameter"><tt>
ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2547278"></a><i class="parameter"><tt>
ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2547293"></a><i class="parameter"><tt>
ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2547309"></a><i class="parameter"><tt>
ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2547325"></a><i class="parameter"><tt>
ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2547341"></a><i class="parameter"><tt>
utmp = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2547357"></a><i class="parameter"><tt>
idmap backend = ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2547373"></a><i class="parameter"><tt>
idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2547388"></a><i class="parameter"><tt>
idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2547404"></a><i class="parameter"><tt>
printing = cups</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547429"></a><i class="parameter"><tt>
comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2547444"></a><i class="parameter"><tt>
path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2547460"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[service]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547485"></a><i class="parameter"><tt>
comment = Financial Services Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2547501"></a><i class="parameter"><tt>
path = /data/service</tt></i></td></tr><tr><td><a class="indexterm" name="id2547516"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr></table></div><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 7.7. Backup Domain Controller smb.conf File Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[pidata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547554"></a><i class="parameter"><tt>
comment = Property Insurance Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2547571"></a><i class="parameter"><tt>
path = /data/pidata</tt></i></td></tr><tr><td><a class="indexterm" name="id2547586"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547610"></a><i class="parameter"><tt>
comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2547626"></a><i class="parameter"><tt>
valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2547642"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2547657"></a><i class="parameter"><tt>
browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547682"></a><i class="parameter"><tt>
comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2547698"></a><i class="parameter"><tt>
path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2547713"></a><i class="parameter"><tt>
guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2547729"></a><i class="parameter"><tt>
printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2547744"></a><i class="parameter"><tt>
browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[apps]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547769"></a><i class="parameter"><tt>
comment = Application Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2547785"></a><i class="parameter"><tt>
path = /apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2547801"></a><i class="parameter"><tt>
admin users = bjones</tt></i></td></tr><tr><td><a class="indexterm" name="id2547816"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547840"></a><i class="parameter"><tt>
comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2547857"></a><i class="parameter"><tt>
path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2547872"></a><i class="parameter"><tt>
guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2547888"></a><i class="parameter"><tt>
locking = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547912"></a><i class="parameter"><tt>
comment = Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2547928"></a><i class="parameter"><tt>
path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><a class="indexterm" name="id2547944"></a><i class="parameter"><tt>
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2547959"></a><i class="parameter"><tt>
profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profdata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2547984"></a><i class="parameter"><tt>
comment = Profile Data Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2548000"></a><i class="parameter"><tt>
899
path = /var/lib/samba/profdata</tt></i></td></tr><tr><td><a class="indexterm" name="id2548015"></a><i class="parameter"><tt>
901
read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2548031"></a><i class="parameter"><tt>
903
profile acls = Yes</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2548047"></a>Key Points Learned</h3></div></div><div></div></div><p>
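The share definitions in Example 7.7 are the kind of thing worth checking mechanically before an smb.conf is rolled out to every BDC, because a single <tt>guest ok = Yes</tt> on a writable share, or a <tt>[homes]</tt> section that has lost its <tt>valid users = %S</tt> and <tt>browseable = No</tt>, is replicated to every site. The Python script below is an added example written for this page; it is not Samba's own code and not part of the book. Its sample input transcribes a subset of the shares from Example 7.7, while the <tt>[dropbox]</tt> share is a constructed weak case that the checks are meant to catch. The parser reads parameter names the way Samba does (case-insensitive, internal whitespace ignored), and the audit flags guest-accessible writable shares, shares that grant <tt>admin users</tt> (who perform all file operations as root on that share), and a <tt>[homes]</tt> section missing the two settings shown above.</p>
```python
"""Audit smb.conf share definitions for settings worth a second look.

Added example written for this page: not Samba's own code and not from the
book. SAMPLE_SMB_CONF transcribes a subset of the shares from the BDC
smb.conf example above; WEAK_SHARE is a constructed weak case.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_SMB_CONF = """\
[homes]
    valid users = %S
    read only = No
    browseable = No

[printers]
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

[apps]
    path = /apps
    admin users = bjones
    read only = No

[netlogon]
    path = /var/lib/samba/netlogon
    guest ok = Yes
    locking = No
"""

# Constructed: the pattern the audit must catch, guest access plus write access.
WEAK_SHARE = """
[dropbox]
    path = /data/dropbox
    guest ok = Yes
    read only = No
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse into {section: {parameter: value}}. Samba matches parameter names
    case-insensitively and ignores whitespace inside them, so "read only" and
    "readonly" normalise to the same key."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def as_bool(value: Optional[str], default: bool) -> bool:
    """Samba boolean (yes/true/1); an unset parameter takes its default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params: Dict[str, str]) -> bool:
    """'writeable'/'writable' is the inverse of 'read only' (default read-only)."""
    for synonym in ("writeable", "writable"):
        if synonym in params:
            return as_bool(params[synonym], False)
    return not as_bool(params.get("readonly"), True)


def audit_shares(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return sorted (share, finding) pairs; an empty list means nothing flagged."""
    findings: List[Tuple[str, str]] = []
    for name, params in conf.items():
        if name == "global":
            continue
        guest = as_bool(params.get("guestok"), False)
        printable = as_bool(params.get("printable"), False)
        if guest and share_is_writable(params) and not printable:
            findings.append((name, "guest-accessible and writable"))
        if "adminusers" in params:
            # admin users perform every file operation as root on the share
            findings.append((name, "admin users: " + params["adminusers"]))
        if name == "homes":
            if params.get("validusers") != "%S":
                findings.append((name, "valid users should be %S"))
            if as_bool(params.get("browseable"), True):
                findings.append((name, "browseable should be No"))
    return sorted(findings)


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF + WEAK_SHARE)):
        print("[%s] %s" % (share, finding))
```
<p>Run on the sample, the audit flags only <tt>[apps]</tt> (for <tt>admin users = bjones</tt>, which is intended here but should always be a conscious decision) and the constructed <tt>[dropbox]</tt> share. The read-only <tt>[netlogon]</tt> share passes despite <tt>guest ok = Yes</tt>, since anonymous read access to logon scripts is what that share is for. For a production check, run <b class="command">testparm</b> first as well, because it applies Samba's own defaults and parameter synonyms more completely than this small parser does.</p><p>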
</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2548060"></a><a class="indexterm" name="id2548068"></a>
Where Samba-3 is used as a Domain Controller, the use of LDAP is an
essential component necessary to permit the use of BDCs.
</p></li><li><p><a class="indexterm" name="id2548082"></a>
Replication of the LDAP master server to create a network of BDCs
is an important mechanism for limiting wide-area network traffic.
</p></li><li><p>
Network administration presents many complex challenges, most of which
can be satisfied by good design, but that also require sound communication
and unification of management practices. This can be highly challenging in
a large, globally distributed network.
</p></li><li><p>
Roaming profiles must be contained to the local network segment. Any
departure from this may clog wide-area arteries and slow legitimate network
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2548114"></a>Questions and Answers</h2></div></div><div></div></div><p>
There is much rumor and misinformation regarding the use of MS Windows networking protocols.
These questions are just a few of those frequently asked.
</p><div class="qandaset"><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2548130"></a><a name="id2548132"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548136"></a><a class="indexterm" name="id2548143"></a>
Is it true that DHCP uses lots of wide-area network bandwidth?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548162"></a><a class="indexterm" name="id2548174"></a><a class="indexterm" name="id2548182"></a>
It is a smart practice to localize DHCP servers on each network segment. As a
rule, there should be two DHCP servers per network segment. This means that if
one server fails, there is always another to service user needs. DHCP requests use
only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
routers. This makes it possible to run fewer DHCP servers.
</p><p><a class="indexterm" name="id2548203"></a><a class="indexterm" name="id2548214"></a>
A DHCP network address request and confirmation usually results in about six UDP packets.
The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
clients and that uses a 24-hour IP address lease. This means that all clients renew
their IP address lease every 24 hours. If we assume an average packet length equal to the
maximum (just to be on the safe side), and we have a 128 Kbit/sec wide-area connection,
how significant would the DHCP traffic be if all of it were to use DHCP Relay?
</p><p>
I must stress that this is a bad design, but here is the calculation:
</p><pre class="screen">
Daily Network Capacity: 128,000 (bits/s) / 8 (bits/byte)
x 3600 (sec/hr) x 24 (hrs/day) = 2288 Mbytes/day.

DHCP traffic: 300 (clients) x 6 (packets)
x 512 (bytes/packet) = 0.9 Mbytes/day.
</pre><p>
From this it can be seen that the traffic impact would be minimal.
</p><p><a class="indexterm" name="id2548254"></a><a class="indexterm" name="id2548265"></a>
Even when DHCP is configured to do DNS update (Dynamic DNS) over a wide-area link,
the impact of the update is no more than the DHCP IP address renewal traffic and, thus,
still insignificant for most practical purposes.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548281"></a><a name="id2548283"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548286"></a><a class="indexterm" name="id2548295"></a>
How much background communication takes place between a Master LDAP
server and its slave LDAP servers?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548318"></a>
The process that controls the replication of data from the Master LDAP server to the Slave LDAP
servers is called <span><b class="command">slurpd</b></span>. <span><b class="command">slurpd</b></span> remains dormant (quiet)
until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
two user accounts requires less than 10 Kbytes of traffic.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548348"></a><a name="id2548350"></a><b></b></td><td align="left" valign="top"><p>
LDAP has a database. Is LDAP not just a fancy database front end?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548361"></a><a class="indexterm" name="id2548368"></a><a class="indexterm" name="id2548380"></a><a class="indexterm" name="id2548387"></a>
LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
data storage system. This type of database is indexed so that records can be rapidly located, but the
database is not generic and can be used only in particular pre-programmed ways. General external
applications do not gain access to the data. This type of database is used also by SQL servers. Both
an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
orientation and typically allows external programs to perform ad-hoc queries, even across data tables.
An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
simple queries. The term <tt class="constant">database</tt> is heavily overloaded and, thus, much misunderstood.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548429"></a><a name="id2548432"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548435"></a>
Can Active Directory obtain account information from an OpenLDAP server?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548450"></a>
No, at least not directly. It is possible to provision Active Directory from/to an OpenLDAP
database through use of a meta-directory server. Microsoft MMS (now called MIIS) can interface
to OpenLDAP using standard LDAP queries/updates.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548467"></a><a name="id2548469"></a><b></b></td><td align="left" valign="top"><p>
What are the parts of a roaming profile? How large is each part?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548480"></a>
A roaming profile consists of:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Desktop folders such as: <tt class="constant">Desktop, My Documents, My Pictures, My Music, Internet Files,
Cookies, Application Data, Local Settings,</tt> and more. See <a href="happy.html#XP-screen001" title="Figure 6.3. Windows XP Professional User Shared Folders">Figure 6.3</a>.
</p><p><a class="indexterm" name="id2548511"></a>
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">Configuration of Default Profile with Folder Redirection</a>
for more information regarding folder redirection.
</p></li><li><p>
A static or re-writable portion that is typically only a few files (2-5 Kbytes of information).
</p></li><li><p><a class="indexterm" name="id2548538"></a><a class="indexterm" name="id2548546"></a>
The registry load file that modifies the <tt class="constant">HKEY_LOCAL_USER</tt> hive. This is
the <tt class="filename">NTUSER.DAT</tt> file. It can be from 0.4-1.5 MBytes.
</p></li></ul></div><p><a class="indexterm" name="id2548570"></a>
Microsoft Outlook PST files may be stored in the <tt class="constant">Local Settings\Application Data</tt>
folder. Each PST file can be up to 2 Gbytes in size.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548592"></a><a name="id2548594"></a><b></b></td><td align="left" valign="top"><p>
Can the <tt class="constant">My Documents</tt> folder be stored on a network drive?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548608"></a><a class="indexterm" name="id2548616"></a>
Yes. More correctly, such folders can be redirected to network shares. No specific network drive
connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
Naming Convention) resource, though it is possible to specify a network drive letter instead of a
UNC name. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">Configuration of Default Profile with Folder Redirection</a>.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548643"></a><a name="id2548645"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548648"></a><a class="indexterm" name="id2548656"></a><a class="indexterm" name="id2548667"></a>
How much wide-area network bandwidth does WINS consume?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548683"></a><a class="indexterm" name="id2548694"></a><a class="indexterm" name="id2548702"></a>
MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
server, the total bandwidth demand measured at the WINS server, averaged over an eight-hour working day,
was less than 30 Kbytes/sec. Analysis of network traffic over a six-week period showed that the total
of all background traffic consumed about 11 percent of available bandwidth over 64 Kbit/sec links.
Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
traffic. Each of 11 branch offices had a 64 Kbit/sec wide-area link, with a 1.5 Mbit/sec main connection
that aggregated the branch office connections plus an Internet connection.
</p><p>
In conclusion, the total load imposed by WINS traffic is again marginal relative to total operational
usage, as it should be.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548750"></a><a name="id2548752"></a><b></b></td><td align="left" valign="top"><p>
How many BDCs should I have? What is the right number of Windows clients per server?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
It is recommended to have at least one BDC per network segment, including the segment served
by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
load demand pattern of client usage. I have seen sites that function without problem with 200
clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
company, there was a drafting office that had 30 CAD/CAM operators served by a data server, a print
server, and an application server. While all three were BDCs, typically only the print server would
service network logon requests after the first 10 users had started to use the network. This was
a reflection of the service load placed on both the application server and the data server.
</p><p>
As unsatisfactory as the answer might sound, it all depends on network and server load
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548786"></a><a name="id2548788"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548791"></a><a class="indexterm" name="id2548799"></a>
I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
The correct answer to both questions is yes. But do understand that an LDAP server has
a configurable schema that can store far more information for many more purposes than
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2548823"></a><a name="id2548825"></a><b></b></td><td align="left" valign="top"><p>
Can I use NIS in place of LDAP?
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2548835"></a><a class="indexterm" name="id2548843"></a>
No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
with the types of data necessary for interoperability with Microsoft Windows networking. The use
of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
a Samba-specific schema extension.
</p></td></tr></tbody></table></div></div></div></body></html>