1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
<chapter id="Big500users">
4
<title>The 500-User Office</title>
7
The Samba-3 networking you explored in <link linkend="secure"/> covers the finer points of
8
configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
9
implementation of a simple configuration of the services that are important adjuncts
10
to successful deployment of Samba.
14
An analysis of the history of postings to the Samba mailing list easily demonstrates
15
that the two most prevalent Samba problem areas are
20
Defective resolution of a NetBIOS name to its IP address
31
so far in this book have focused on implementation of the simplest printing processes
32
involving no print job processing intelligence. In this chapter, you maintain
33
that same approach to printing, but <link linkend="happy"/> presents an opportunity
34
to make printing more complex for the administrator while making it easier for the user.
38
<indexterm><primary>WINS server</primary></indexterm>
39
<indexterm><primary>tdbsam</primary></indexterm>
40
<indexterm><primary>passdb backend</primary></indexterm>
41
<link linkend="secure"/> demonstrates operation of a DHCP server and a DNS server
42
as well as a central WINS server. You validated the operation of these services and
43
saw an effective implementation of a Samba domain controller using the
44
<parameter>tdbsam</parameter> passdb backend.
48
The objective of this chapter is to introduce more complex techniques that can be used to
49
improve manageability of Samba as networking needs grow. In this chapter, you implement
50
a distributed DHCP server environment, a distributed DNS server arrangement, a centralized
51
WINS server, and a centralized Samba domain controller.
55
A note of caution is important regarding the Samba configuration that is used in this
56
chapter. The use of a single domain controller on a routed, multisegment network is
57
a poor design choice that leads to potential network user complaints.
58
This chapter demonstrates some successful
59
techniques in deployment and configuration management. This should be viewed as a
60
foundation chapter for complex Samba deployments.
64
As you master the techniques presented here, you may find much better methods to
65
improve network management and control while reducing human resource overheads.
66
You should take the opportunity to innovate and expand on the methods presented
67
here and explore them to the fullest.
71
<title>Introduction</title>
74
Business continues to go well for Abmas. Mr. Meany is driving your success and the
75
network continues to grow thanks to the hard work Christine has done. You recently
76
hired Stanley Soroka as manager of information systems. Christine recommended Stan
77
to the role. She told you Stan is so good at handling Samba that he can make a cast
78
iron rocking horse that is embedded in concrete kick like a horse at a rodeo. You
79
need skills like his. Christine and Stan get along just fine. Let's see what
80
you can get out of this pair as they plot the next-generation networks.
84
Ten months ago Abmas closed an acquisition of a property insurance business. The
85
founder lost interest in the business and decided to sell it to Mr. Meany. Because
86
they were former university classmates, the purchase was concluded with mutual assent.
87
The acquired business is located at the other end of town in much larger facilities.
88
The old Abmas building has become too small. Located on the same campus as the newly
89
acquired business are two empty buildings that are ideal to provide Abmas with
90
opportunity for growth.
94
Abmas has now completed the purchase of the two empty buildings, and you are
95
to install a new network and relocate staff in nicely furnished new facilities.
96
The new network is to be used to fully integrate company operations. You have
97
decided to locate the new network operations control center in the larger building
98
in which the insurance group is located to take advantage of an ideal floor space
99
and to allow Stan and Christine to fully stage the new network and test it before
100
it is rolled out. Your strategy is to complete the new network so that it
101
is ready for operation when the old office moves into the new premises.
105
<title>Assignment Tasks</title>
108
The acquired business had 280 network users. The old Abmas building housed
109
220 network users in unbelievably cramped conditions. The network that
110
initially served 130 users now handles 220 users quite well.
114
The two businesses will be fully merged to create a single campus company.
115
The Property Insurance Group (PIG) houses 300 employees, the new Accounting
116
Services Group (ASG) will be in a small building (BLDG1) that houses 50
117
employees, and the Financial Services Group (FSG) will be housed in a large
118
building that has capacity for growth (BLDG2). Building 2 houses 150 network
123
You have decided to connect the building using fiber optic links between new
124
routers. As a backup, the buildings are interconnected using line-of-sight
125
high-speed infrared facilities. The infrared connection provides a
126
secondary route to be used during periods of high demand for network
131
The Internet gateway is upgraded to 15 Mb/sec service. Your ISP
132
provides on your premises a fully managed Cisco PIX firewall. You no longer need
133
to worry about firewall facilities on your network.
137
Stanley and Christine have purchased new server hardware. Christine wants to
138
roll out a network that has whistles and bells. Stan wants to start off with
139
a simple to manage, not-too-complex network. He believes that network
140
users need to be gradually introduced to new features and capabilities and not
141
rushed into an environment that may cause disorientation and loss of productivity.
145
Your intrepid network team has decided to implement a network configuration
146
that closely mirrors the successful system you installed in the old Abmas building.
147
The new network infrastructure is owned by Abmas, but all desktop systems
148
are being procured through a new out-source services and leasing company. Under
149
the terms of a deal with Mr. M. Proper (CEO), DirectPointe, Inc., provides
150
all desktop systems and includes full level-one help desk support for
151
a flat per-machine monthly fee. The deal allows you to add workstations on demand.
152
This frees Stan and Christine to deal with deeper issues as they emerge and
153
permits Stan to work on creating new future value-added services.
157
DirectPointe Inc. receives from you a new standard desktop configuration
158
every four months. They automatically roll that out to each desktop system.
159
You must keep DirectPointe informed of all changes.
163
<primary>PDC</primary>
165
The new network has a single Samba Primary Domain Controller (PDC) located in the
166
Network Operation Center (NOC). Buildings 1 and 2 each have a local server
167
for local application servicing. It is a domain member. The new system
168
uses the <parameter>tdbsam</parameter> passdb backend.
172
Printing is based on raw pass-through facilities just as it has been used so far.
173
All printer drivers are installed on the desktop and notebook computers.
180
<title>Dissection and Discussion</title>
183
<indexterm><primary>network load factors</primary></indexterm>
184
The example you are building in this chapter is of a network design that works, but this
185
does not make it a design that is recommended. As a general rule, there should be at least
186
one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind
187
this recommendation is that correct operation of MS Windows clients requires rapid
188
network response to all SMB/CIFS requests. The same rule says that if there are more than
189
50 clients per domain controller, they are too busy to service requests. Let's put such
190
rules aside and recognize that network load affects the integrity of domain controller
191
responsiveness. This network will have 500 clients serviced by one central domain
192
controller. This is not a good omen for user satisfaction. You, of course, address this
193
very soon (see <link linkend="happy"/>).
197
<title>Technical Issues</title>
200
Stan has talked you into a horrible compromise, but it is addressed. Just make
201
certain that the performance of this network is well validated before going live.
205
Design decisions made in this design include the following:
210
<indexterm><primary>PDC</primary></indexterm>
211
<indexterm><primary>LDAP</primary></indexterm>
212
<indexterm><primary>identity management</primary></indexterm>
213
A single PDC is being implemented. This limitation is based on the choice not to
214
use LDAP. Many network administrators fear using LDAP because of the perceived
215
complexity of implementation and management of an LDAP-based backend for all user
216
identity management as well as to store network access credentials.
220
<indexterm><primary>BDC</primary></indexterm>
221
<indexterm><primary>machine secret password</primary></indexterm>
222
Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the
223
only choice that makes sense with 500 users is to use the tdbsam passwd backend.
224
This type of backend is not receptive to replication to BDCs. If the tdbsam
225
<filename>passdb.tdb</filename> file is replicated to BDCs using
226
<command>rsync</command>, there are two potential problems: (1) data that is in
227
memory but not yet written to disk will not be replicated, and (2) domain member
228
machines periodically change the secret machine password. When this happens, there
229
is no mechanism to return the changed password to the PDC.
233
All domain user, group, and machine accounts are managed on the PDC. This makes
234
for a simple mode of operation but has to be balanced with network performance and
235
integrity of operations considerations.
239
<indexterm><primary>WINS</primary></indexterm>
240
A single central WINS server is being used. The PDC is also the WINS server.
241
Any attempt to operate a routed network without a WINS server while using NetBIOS
242
over TCP/IP protocols does not work unless on each client the name resolution
243
entries for the PDC are added to the <filename>LMHOSTS</filename>. This file is
244
normally located on the Windows XP Professional client in the
245
<filename>C:\WINDOWS\SYSTEM32\ETC\DRIVERS</filename> directory.
249
At this time the Samba WINS database cannot be replicated. That is
250
why a single WINS server is being implemented. This should work without a problem.
254
<indexterm><primary>winbindd</primary></indexterm>
255
BDCs make use of <command>winbindd</command> to provide
256
access to domain security credentials for file system access and object storage.
260
<indexterm><primary>DHCP</primary><secondary>relay</secondary></indexterm>
261
<indexterm><primary>DHCP</primary><secondary>requests</secondary></indexterm>
262
Configuration of Windows XP Professional clients is achieved using DHCP. Each
263
subnet has its own DHCP server. Backup DHCP serving is provided by one
264
alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
265
all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the
266
network directed at the backup DHCP server.
270
All network users are granted the ability to print to any printer that is
271
network-attached. All printers are available from each server. Print jobs that
272
are spooled to a printer that is not on the local network segment are automatically
273
routed to the print spooler that is in control of that printer. The specific details
274
of how this might be done are demonstrated for one example only.
278
The network address and subnetmask chosen provide 1022 usable IP addresses in
279
each subnet. If in the future more addresses are required, it would make sense
280
to add further subnets rather than change addressing.
289
<title>Political Issues</title>
292
This case gets close to the real world. You and I know the right way to implement
293
domain control. Politically, we have to navigate a minefield. In this case, the need is to
294
get the PDC rolled out in compliance with expectations and also to be ready to save the day
295
by having the real solution ready before it is needed. That real solution is presented in
296
<link linkend="happy"/>.
304
<title>Implementation</title>
307
The following configuration process begins following installation of Red Hat Fedora Core2 on the
308
three servers shown in the network topology diagram in <link linkend="chap05net"/>. You have
309
selected hardware that is appropriate to the task.
312
<figure id="chap05net">
313
<title>Network Topology &smbmdash; 500 User Network Using tdbsam passdb backend.</title>
314
<imagefile scale="50">chap5-net</imagefile>
317
<sect2 id="ch5-dnshcp-setup">
318
<title>Installation of DHCP, DNS, and Samba Control Files</title>
321
Carefully install the configuration files into the correct locations as shown in
322
<link linkend="ch5-filelocations"/>. You should validate that the full file path is
327
The abbreviation shown in this table as <constant>{VLN}</constant> refers to
328
the directory location beginning with <filename>/var/lib/named</filename>.
332
<table id="ch5-filelocations"><title>Domain: <constant>MEGANET</constant>, File Locations for Servers</title>
334
<colspec colname='c1' align="left"/>
335
<colspec colname='c2' align="left"/>
336
<colspec colname='c3' align="center"/>
337
<colspec colname='c4' align="center"/>
338
<colspec colname='c5' align="center"/>
341
<entry align="center" namest='c1' nameend='c2'>File Information</entry>
342
<entry align="center" namest="c3" nameend="c5">Server Name</entry>
345
<entry align="center">Source</entry>
346
<entry align="center">Target Location</entry>
347
<entry align="center">MASSIVE</entry>
348
<entry align="center">BLDG1</entry>
349
<entry align="center">BLDG2</entry>
354
<entry><link linkend="ch5-massivesmb"/></entry>
355
<entry><filename>/etc/samba/smb.conf</filename></entry>
361
<entry><link linkend="ch5-dc-common"/></entry>
362
<entry><filename>/etc/samba/dc-common.conf</filename></entry>
368
<entry><link linkend="ch5-commonsmb"/></entry>
369
<entry><filename>/etc/samba/common.conf</filename></entry>
375
<entry><link linkend="ch5-bldg1-smb"/></entry>
376
<entry><filename>/etc/samba/smb.conf</filename></entry>
382
<entry><link linkend="ch5-bldg2-smb"/></entry>
383
<entry><filename>/etc/samba/smb.conf</filename></entry>
389
<entry><link linkend="ch5-dommem-smb"/></entry>
390
<entry><filename>/etc/samba/dommem.conf</filename></entry>
396
<entry><link linkend="massive-dhcp"/></entry>
397
<entry><filename>/etc/dhcpd.conf</filename></entry>
403
<entry><link linkend="bldg1dhcp"/></entry>
404
<entry><filename>/etc/dhcpd.conf</filename></entry>
410
<entry><link linkend="bldg2dhcp"/></entry>
411
<entry><filename>/etc/dhcpd.conf</filename></entry>
417
<entry><link linkend="massive-nameda"/></entry>
418
<entry><filename>/etc/named.conf (part A)</filename></entry>
424
<entry><link linkend="massive-namedb"/></entry>
425
<entry><filename>/etc/named.conf (part B)</filename></entry>
431
<entry><link linkend="massive-namedc"/></entry>
432
<entry><filename>/etc/named.conf (part C)</filename></entry>
438
<entry><link linkend="abmasbizdns"/></entry>
439
<entry><filename>{VLN}/master/abmas.biz.hosts</filename></entry>
445
<entry><link linkend="abmasusdns"/></entry>
446
<entry><filename>{VLN}/master/abmas.us.hosts</filename></entry>
452
<entry><link linkend="bldg12nameda"/></entry>
453
<entry><filename>/etc/named.conf (part A)</filename></entry>
459
<entry><link linkend="bldg12namedb"/></entry>
460
<entry><filename>/etc/named.conf (part B)</filename></entry>
466
<entry><link linkend="loopback"/></entry>
467
<entry><filename>{VLN}/localhost.zone</filename></entry>
473
<entry><link linkend="dnsloopy"/></entry>
474
<entry><filename>{VLN}/127.0.0.zone</filename></entry>
480
<entry><link linkend="roothint"/></entry>
481
<entry><filename>{VLN}/root.hint</filename></entry>
493
<title>Server Preparation: All Servers</title>
496
The following steps apply to all servers. Follow each step carefully.
500
<title>Server Preparation Steps</title>
503
Using the UNIX/Linux system tools, set the name of the server as shown in the network
504
topology diagram in <link linkend="chap05net"/>. For SUSE Linux products, the tool
505
that permits this is called <command>yast2</command>; for Red Hat Linux products,
506
you can use the <command>netcfg</command> tool.
507
Verify that your hostname is correctly set by running:
509
&rootprompt; uname -n
511
An alternate method to verify the hostname is:
513
&rootprompt; hostname -f
518
<indexterm><primary>/etc/hosts</primary></indexterm>
519
<indexterm><primary>named</primary></indexterm>
520
Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses
521
of all network interfaces that are on the host server. This is necessary so that during
522
startup the system is able to resolve all its own names to the IP address prior to
523
startup of the DNS server. You should check the startup order of your system. If the
524
CUPS print server is started before the DNS server (<command>named</command>), you
525
should also include an entry for the printers in the <filename>/etc/hosts</filename> file.
529
<indexterm><primary>/etc/resolv.conf</primary></indexterm>
530
All DNS name resolution should be handled locally. To ensure that the server is configured
531
correctly to handle this, edit <filename>/etc/resolv.conf</filename> so it has the following
534
search abmas.us abmas.biz
537
This instructs the name resolver function (when configured correctly) to ask the DNS server
538
that is running locally to resolve names to addresses.
543
<indexterm><primary>administrator</primary></indexterm>
544
<indexterm><primary>smbpasswd</primary></indexterm>
545
Add the <constant>root</constant> user to the password backend:
547
&rootprompt; smbpasswd -a root
548
New SMB password: XXXXXXXX
549
Retype new SMB password: XXXXXXXX
552
The <constant>root</constant> account is the UNIX equivalent of the Windows domain administrator.
553
This account is essential in the regular maintenance of your Samba server. It must never be
554
deleted. If for any reason the account is deleted, you may not be able to recreate this account
555
without considerable trouble.
559
<indexterm><primary>username map</primary></indexterm>
560
<indexterm><primary>/etc/samba/smbusers</primary></indexterm>
561
Create the username map file to permit the <constant>root</constant> account to be called
562
<constant>Administrator</constant> from the Windows network environment. To do this, create
563
the file <filename>/etc/samba/smbusers</filename> with the following contents:
570
# Unix_ID = Windows_ID
573
# root = Administrator
574
# janes = "Jane Smith"
577
# Note: If the name contains a space it must be double quoted.
578
# In the example above the name 'jimbo' will be mapped to Windows
579
# user names 'Jim' and 'Bones' because the space was not quoted.
580
#######################################################################
589
Configure all network-attached printers to have a fixed IP address.
593
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
594
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
595
and in the reverse lookup database for the network segment that the printer is
596
located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
597
<link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
601
Follow the instructions in the printer manufacturer's manuals to permit printing
602
to port 9100. Use any other port the manufacturer specifies for direct mode,
603
raw printing. This allows the CUPS spooler to print using raw mode protocols.
604
<indexterm><primary>CUPS</primary></indexterm>
605
<indexterm><primary>raw printing</primary></indexterm>
609
<indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
610
Only on the server to which the printer is attached configure the CUPS Print
613
&rootprompt; lpadmin -p <parameter>printque</parameter> -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
615
<indexterm><primary>print filter</primary></indexterm>
616
This step creates the necessary print queue to use no assigned print filter. This
617
is ideal for raw printing, that is, printing without use of filters.
618
The name <parameter>printque</parameter> is the name you have assigned for
619
the particular printer.
623
Print queues may not be enabled at creation. Make certain that the queues
624
you have just created are enabled by executing the following:
626
&rootprompt; /usr/bin/enable <parameter>printque</parameter>
631
Even though your print queue may be enabled, it is still possible that it
632
does not accept print jobs. A print queue services incoming printing
633
requests only when configured to do so. Ensure that your print queue is
634
set to accept incoming jobs by executing the following command:
636
&rootprompt; /usr/bin/accept <parameter>printque</parameter>
641
<indexterm><primary>mime type</primary></indexterm>
642
<indexterm><primary>/etc/mime.convs</primary></indexterm>
643
<indexterm><primary>application/octet-stream</primary></indexterm>
644
This step, as well as the next one, may be omitted where CUPS version 1.1.18
645
or later is in use. Although it does no harm to follow it anyway, and may
646
help to avoid time spent later trying to figure out why print jobs may be
647
disappearing without a trace. Look at these two steps as <emphasis>insurance</emphasis>
648
against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to
651
application/octet-stream application/vnd.cups-raw 0 -
656
<indexterm><primary>/etc/mime.types</primary></indexterm>
657
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
659
application/octet-stream
664
Refer to the CUPS printing manual for instructions regarding how to configure
665
CUPS so that print queues that reside on CUPS servers on remote networks
666
route print jobs to the print server that owns that queue. The default setting
667
on your CUPS server may automatically discover remotely installed printers and
668
may permit this functionality without requiring specific configuration.
672
As part of the roll-out program, you need to configure the application's
673
server shares. This can be done once on the central server and may then be
674
replicated using a tool such as <command>rsync</command>. Refer to the man
675
page for <command>rsync</command> for details regarding use. The notes in
676
<link linkend="ch4appscfg"/> may help in your decisions to use an application
683
Logon scripts that are run from a domain controller (PDC or BDC) are capable of using semi-intelligent
684
processes to automap Windows client drives to an application server that is nearest to the client. This
685
is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
686
as elegantly as you see in the next chapter.
692
<title>Server-Specific Preparation</title>
695
There are some steps that apply to particular server functionality only. Each step is critical
696
to correct server operation. The following step-by-step installation guidance will assist you
697
in working through the process of configuring the PDC and then both BDC's.
701
<title>Configuration for Server: <constant>MASSIVE</constant></title>
704
The steps presented here attempt to implement Samba installation in a generic manner. While
705
some steps are clearly specific to Linux, it should not be too difficult to apply them to
706
your platform of choice.
710
<title>Primary Domain Controller Preparation</title>
713
<indexterm><primary>/etc/rc.d/boot.local</primary></indexterm>
714
<indexterm><primary>IP forwarding</primary></indexterm>
715
The host server acts as a router between the two internal network segments as well
716
as for all Internet access. This necessitates that IP forwarding be enabled. This can be
717
achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows:
719
echo 1 > /proc/sys/net/ipv4/ip_forward
721
To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute
722
that command manually also. This setting permits the Linux system to act as a router.
726
This server is dual hosted (i.e., has two network interfaces) &smbmdash; one goes to the Internet
727
and the other to a local network that has a router that is the gateway to the remote networks.
728
You must therefore configure the server with route table entries so that it can find machines
729
on the remote networks. You can do this using the appropriate system tools for your Linux
730
server or using static entries that you place in one of the system startup files. It is best
731
to always use the tools that the operating system vendor provided. In the case of SUSE Linux, the
732
best tool to do this is YaST (refer to SUSE Administration Manual); in the case of Red Hat,
733
this is best done using the graphical system configuration tools (see the Red Hat documentation).
734
An example of how this may be done manually is as follows:
736
&rootprompt; route add net 172.16.4.0 netmask 255.255.252.0 gw 172.16.0.128
737
&rootprompt; route add net 172.16.8.0 netmask 255.255.252.0 gw 172.16.0.128
739
If you just execute these commands manually, the route table entries you have created are
740
not persistent across system reboots. You may add these commands directly to the local
741
startup files as follows: (SUSE) <filename>/etc/rc.d/boot.local</filename>, (Red Hat)
742
<filename>/etc/rc.d/init.d/rc.local</filename>.
746
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
747
The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
748
This file controls the operation of the various resolver libraries that are part of the Linux
749
Glibc libraries. Edit this file so that it contains the following entries:
751
hosts: files dns wins
756
<indexterm><primary>initGrps.sh</primary></indexterm>
757
Create and map Windows domain groups to UNIX groups. A sample script is provided in
758
<link linkend="ch5-initgrps"/>. Create a file containing this script. You called yours
759
<filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed
760
and then execute the script. An example of the execution of this script as well as its
761
validation are shown in Section 4.3.2, Step 5.
765
<indexterm><primary>/etc/passwd</primary></indexterm>
766
<indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
767
<indexterm><primary>smbpasswd</primary></indexterm>
768
For each user who needs to be given a Windows domain account, make an entry in the
769
<filename>/etc/passwd</filename> file as well as in the Samba password backend.
770
Use the system tool of your choice to create the UNIX system account, and use the Samba
771
<command>smbpasswd</command> to create a domain user account.
775
<indexterm><primary>useradd</primary></indexterm>
776
<indexterm><primary>adduser</primary></indexterm>
777
<indexterm><primary>user</primary><secondary>management</secondary></indexterm>
778
There are a number of tools for user management under UNIX, such as
779
<command>useradd</command>, <command>adduser</command>, as well as a plethora of custom
780
tools. With the tool of your choice, create a home directory for each user.
784
Using the preferred tool for your UNIX system, add each user to the UNIX groups created
785
previously as necessary. File system access control is based on UNIX group membership.
789
Create the directory mount point for the disk subsystem that is to be mounted to provide
790
data storage for company files, in this case, the mount point indicated in the &smb.conf;
791
file is <filename>/data</filename>. Format the file system as required and mount the formatted
792
file system partition using appropriate system tools.
796
<indexterm><primary>file system</primary>
797
<secondary>permissions</secondary></indexterm>
798
Create the top-level file storage directories for data and applications as follows:
800
&rootprompt; mkdir -p /data/{accounts,finsvcs,pidata}
801
&rootprompt; mkdir -p /apps
802
&rootprompt; chown -R root:root /data
803
&rootprompt; chown -R root:root /apps
804
&rootprompt; chown -R bjordan:accounts /data/accounts
805
&rootprompt; chown -R bjordan:finsvcs /data/finsvcs
806
&rootprompt; chown -R bjordan:finsvcs /data/pidata
807
&rootprompt; chmod -R ug+rwxs,o-rwx /data
808
&rootprompt; chmod -R ug+rwx,o+rx-w /apps
810
Each department is responsible for creating its own directory structure within the departmental
811
share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
812
The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
813
The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share
814
that provides the application server infrastructure.
818
The &smb.conf; file specifies an infrastructure to support roaming profiles and network
819
logon services. You can now create the file system infrastructure to provide the
820
locations on disk that these services require. Adequate planning is essential
821
because desktop profiles can grow to be quite large. For planning purposes, a minimum of
822
200 MB of storage should be allowed per user for profile storage. The following
823
commands create the directory infrastructure needed:
825
&rootprompt; mkdir -p /var/spool/samba
826
&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
827
&rootprompt; chown -R root:root /var/spool/samba
828
&rootprompt; chown -R root:root /var/lib/samba
829
&rootprompt; chmod a+rwxt /var/spool/samba
831
For each user account that is created on the system, the following commands should be
834
&rootprompt; mkdir /var/lib/samba/profiles/'username'
835
&rootprompt; chown 'username':users /var/lib/samba/profiles/'username'
836
&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
841
<indexterm><primary>unix2dos</primary></indexterm>
842
<indexterm><primary>dos2unix</primary></indexterm>
843
Create a logon script. It is important that each line is correctly terminated with
844
a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
845
works if the right tools (<constant>unxi2dos</constant> and <constant>dos2unix</constant>) are installed.
846
First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename>
847
with the following contents:
849
net time \\massive /set /yes
852
Convert the UNIX file to a DOS file:
854
&rootprompt; dos2unix < /var/lib/samba/netlogon/scripts/logon.bat.unix \
855
> /var/lib/samba/netlogon/scripts/logon.bat
860
There is one preparatory step without which you cannot have a working Samba network
861
environment. You must add an account for each network user. You can do this by executing
862
the following steps for each user:
864
&rootprompt; useradd -m <parameter>username</parameter>
865
&rootprompt; passwd <parameter>username</parameter>
866
Changing password for <parameter>username</parameter>.
867
New password: XXXXXXXX
868
Re-enter new password: XXXXXXXX
870
&rootprompt; smbpasswd -a <parameter>username</parameter>
871
New SMB password: XXXXXXXX
872
Retype new SMB password: XXXXXXXX
873
Added user <parameter>username</parameter>.
875
You do, of course, use a valid user login ID in place of <parameter>username</parameter>.
879
Follow the processes shown in <link linkend="ch5-procstart"/> to start all services.
883
Your server is ready for validation testing. Do not proceed with the steps in
884
<link linkend="ch5-domsvrspec"/> until after the operation of the server has been
885
validated following the same methods as outlined in <link linkend="secure"/>, <link linkend="ch4valid"/>.
892
<sect3 id="ch5-domsvrspec">
893
<title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
896
The following steps will guide you through the nuances of implementing BDCs for the broadcast
897
isolated network segments. Remember that if the target installation platform is not Linux, it may
898
be necessary to adapt some commands to the equivalent on the target platform.
902
<title>Backup Domain Controller Configuration Steps</title>
905
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
906
The final step that must be completed is to edit the <filename>/etc/nsswitch.conf</filename> file.
907
This file controls the operation of the various resolver libraries that are part of the Linux
908
Glibc libraries. Edit this file so that it contains the following entries:
910
passwd: files winbind
912
hosts: files dns wins
917
Follow the steps outlined in <link linkend="ch5-procstart"/> to start all services. Do not
918
start Samba at this time. Samba is controlled by the process called <command>smb</command>.
922
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
923
You must now attempt to join the domain member servers to the domain. The following
924
instructions should be executed to effect this:
926
&rootprompt; net rpc join
931
<indexterm><primary>service</primary><secondary>smb</secondary><tertiary>start</tertiary></indexterm>
932
You now start the Samba services by executing:
934
&rootprompt; service smb start
939
Your server is ready for validation testing. Do not proceed with the steps in
940
<link linkend="ch5-domsvrspec"/> until after the operation of the server has been
941
validated following the same methods as outlined in <link linkend="ch4valid"/>.
951
<example id="ch5-massivesmb">
952
<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/smb.conf</filename></title>
954
<smbconfcomment>Global parameters</smbconfcomment>
955
<smbconfsection name="[global]"/>
956
<smbconfoption name="workgroup">MEGANET</smbconfoption>
957
<smbconfoption name="netbios name">MASSIVE</smbconfoption>
958
<smbconfoption name="interfaces">eth1, lo</smbconfoption>
959
<smbconfoption name="bind interfaces only">Yes</smbconfoption>
960
<smbconfoption name="passdb backend">tdbsam</smbconfoption>
961
<smbconfoption name="smb ports">139</smbconfoption>
962
<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
963
<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
964
<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
965
<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
966
<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
967
<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
968
<smbconfoption name="preferred master">Yes</smbconfoption>
969
<smbconfoption name="wins support">Yes</smbconfoption>
970
<smbconfoption name="include">/etc/samba/dc-common.conf</smbconfoption>
972
<smbconfsection name="[accounts]"/>
973
<smbconfoption name="comment">Accounting Files</smbconfoption>
974
<smbconfoption name="path">/data/accounts</smbconfoption>
975
<smbconfoption name="read only">No</smbconfoption>
977
<smbconfsection name="[service]"/>
978
<smbconfoption name="comment">Financial Services Files</smbconfoption>
979
<smbconfoption name="path">/data/service</smbconfoption>
980
<smbconfoption name="read only">No</smbconfoption>
982
<smbconfsection name="[pidata]"/>
983
<smbconfoption name="comment">Property Insurance Files</smbconfoption>
984
<smbconfoption name="path">/data/pidata</smbconfoption>
985
<smbconfoption name="read only">No</smbconfoption>
990
<example id="ch5-dc-common">
991
<title>Server: MASSIVE (PDC), File: <filename>/etc/samba/dc-common.conf</filename></title>
993
<smbconfcomment>Global parameters</smbconfcomment>
994
<smbconfsection name="[global]"/>
995
<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
996
<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
997
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
998
<smbconfoption name="logon path">\%L\profiles\%U</smbconfoption>
999
<smbconfoption name="logon drive">X:</smbconfoption>
1000
<smbconfoption name="logon home">\%L\%U</smbconfoption>
1001
<smbconfoption name="domain logons">Yes</smbconfoption>
1002
<smbconfoption name="preferred master">Yes</smbconfoption>
1003
<smbconfoption name="include">/etc/samba/common.conf</smbconfoption>
1005
<smbconfsection name="[homes]"/>
1006
<smbconfoption name="comment">Home Directories</smbconfoption>
1007
<smbconfoption name="valid users">%S</smbconfoption>
1008
<smbconfoption name="read only">No</smbconfoption>
1009
<smbconfoption name="browseable">No</smbconfoption>
1011
<smbconfsection name="[netlogon]"/>
1012
<smbconfoption name="comment">Network Logon Service</smbconfoption>
1013
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
1014
<smbconfoption name="guest ok">Yes</smbconfoption>
1015
<smbconfoption name="locking">No</smbconfoption>
1017
<smbconfsection name="[profiles]"/>
1018
<smbconfoption name="comment">Profile Share</smbconfoption>
1019
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
1020
<smbconfoption name="read only">No</smbconfoption>
1021
<smbconfoption name="profile acls">Yes</smbconfoption>
1026
<example id="ch5-commonsmb">
1027
<title>Common Samba Configuration File: <filename>/etc/samba/common.conf</filename></title>
1029
<smbconfsection name="[global]"/>
1030
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
1031
<smbconfoption name="log level">1</smbconfoption>
1032
<smbconfoption name="syslog">0</smbconfoption>
1033
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
1034
<smbconfoption name="max log size">50</smbconfoption>
1035
<smbconfoption name="smb ports">139</smbconfoption>
1036
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
1037
<smbconfoption name="time server">Yes</smbconfoption>
1038
<smbconfoption name="printcap name">CUPS</smbconfoption>
1039
<smbconfoption name="show add printer wizard">No</smbconfoption>
1040
<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
1041
<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
1042
<smbconfoption name="utmp">Yes</smbconfoption>
1043
<smbconfoption name="map acl inherit">Yes</smbconfoption>
1044
<smbconfoption name="printing">cups</smbconfoption>
1045
<smbconfoption name="veto files">/*.eml/*.nws/*.{*}/</smbconfoption>
1046
<smbconfoption name="veto oplock files">/*.doc/*.xls/*.mdb/</smbconfoption>
1047
<smbconfoption name="include"> </smbconfoption>
1049
<smbconfcomment>Share and Service Definitions are common to all servers</smbconfcomment>
1050
<smbconfsection name="[printers]"/>
1051
<smbconfoption name="comment">SMB Print Spool</smbconfoption>
1052
<smbconfoption name="path">/var/spool/samba</smbconfoption>
1053
<smbconfoption name="guest ok">Yes</smbconfoption>
1054
<smbconfoption name="printable">Yes</smbconfoption>
1055
<smbconfoption name="use client driver">Yes</smbconfoption>
1056
<smbconfoption name="default devmode">Yes</smbconfoption>
1057
<smbconfoption name="browseable">No</smbconfoption>
1059
<smbconfsection name="[apps]"/>
1060
<smbconfoption name="comment">Application Files</smbconfoption>
1061
<smbconfoption name="path">/apps</smbconfoption>
1062
<smbconfoption name="admin users">bjordan</smbconfoption>
1063
<smbconfoption name="read only">No</smbconfoption>
1068
<example id="ch5-bldg1-smb">
1069
<title>Server: BLDG1 (Member), File: smb.conf</title>
1071
<smbconfcomment>Global parameters</smbconfcomment>
1072
<smbconfsection name="[global]"/>
1073
<smbconfoption name="workgroup">MEGANET</smbconfoption>
1074
<smbconfoption name="netbios name">BLDG1</smbconfoption>
1075
<smbconfoption name="include">/etc/samba/dom-mem.conf</smbconfoption>
1080
<example id="ch5-bldg2-smb">
1081
<title>Server: BLDG2 (Member), File: smb.conf</title>
1083
<smbconfcomment>Global parameters</smbconfcomment>
1084
<smbconfsection name="[global]"/>
1085
<smbconfoption name="workgroup">MEGANET</smbconfoption>
1086
<smbconfoption name="netbios name">BLDG2</smbconfoption>
1087
<smbconfoption name="include">/etc/samba/dom-mem.conf</smbconfoption>
1092
<example id="ch5-dommem-smb">
1093
<title>Common Domain Member Include File: dom-mem.conf</title>
1095
<smbconfcomment>Global parameters</smbconfcomment>
1096
<smbconfsection name="[global]"/>
1097
<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption>
1098
<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption>
1099
<smbconfoption name="preferred master">Yes</smbconfoption>
1100
<smbconfoption name="wins server">172.16.0.1</smbconfoption>
1101
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
1102
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
1103
<smbconfoption name="include">/etc/samba/common.conf</smbconfoption>
1108
<example id="massive-dhcp">
1109
<title>Server: MASSIVE, File: dhcpd.conf</title>
1111
# Abmas Accounting Inc.
1113
default-lease-time 86400;
1114
max-lease-time 172800;
1115
default-lease-time 86400;
1117
ddns-update-style interim;
1119
option ntp-servers 172.16.0.1;
1120
option domain-name "abmas.biz";
1121
option domain-name-servers 172.16.0.1, 172.16.4.1;
1122
option netbios-name-servers 172.16.0.1;
1123
option netbios-node-type 8;
1125
subnet 172.16.1.0 netmask 255.255.252.0 {
1126
range dynamic-bootp 172.16.1.0 172.16.2.255;
1127
option subnet-mask 255.255.252.0;
1128
option routers 172.16.0.1, 172.16.0.128;
1129
allow unknown-clients;
1131
subnet 172.16.4.0 netmask 255.255.252.0 {
1132
range dynamic-bootp 172.16.7.0 172.16.7.254;
1133
option subnet-mask 255.255.252.0;
1134
option routers 172.16.4.128;
1135
allow unknown-clients;
1137
subnet 172.16.8.0 netmask 255.255.252.0 {
1138
range dynamic-bootp 172.16.11.0 172.16.11.254;
1139
option subnet-mask 255.255.252.0;
1140
option routers 172.16.4.128;
1141
allow unknown-clients;
1143
subnet 127.0.0.0 netmask 255.0.0.0 {
1145
subnet 123.45.67.64 netmask 255.255.255.252 {
1151
<example id="bldg1dhcp">
1152
<title>Server: BLDG1, File: dhcpd.conf</title>
1154
# Abmas Accounting Inc.
1156
default-lease-time 86400;
1157
max-lease-time 172800;
1158
default-lease-time 86400;
1160
ddns-update-style ad-hoc;
1162
option ntp-servers 172.16.0.1;
1163
option domain-name "abmas.biz";
1164
option domain-name-servers 172.16.0.1, 172.16.4.1;
1165
option netbios-name-servers 172.16.0.1;
1166
option netbios-node-type 8;
1168
subnet 172.16.1.0 netmask 255.255.252.0 {
1169
range dynamic-bootp 172.16.3.0 172.16.3.255;
1170
option subnet-mask 255.255.252.0;
1171
option routers 172.16.0.1, 172.16.0.128;
1172
allow unknown-clients;
1174
subnet 172.16.4.0 netmask 255.255.252.0 {
1175
range dynamic-bootp 172.16.5.0 172.16.6.255;
1176
option subnet-mask 255.255.252.0;
1177
option routers 172.16.4.128;
1178
allow unknown-clients;
1180
subnet 127.0.0.0 netmask 255.0.0.0 {
1186
<example id="bldg2dhcp">
1187
<title>Server: BLDG2, File: dhcpd.conf</title>
1189
# Abmas Accounting Inc.
1191
default-lease-time 86400;
1192
max-lease-time 172800;
1193
default-lease-time 86400;
1195
ddns-update-style interim;
1197
option ntp-servers 172.16.0.1;
1198
option domain-name "abmas.biz";
1199
option domain-name-servers 172.16.0.1, 172.16.4.1;
1200
option netbios-name-servers 172.16.0.1;
1201
option netbios-node-type 8;
1203
subnet 172.16.8.0 netmask 255.255.252.0 {
1204
range dynamic-bootp 172.16.9.0 172.16.10.255;
1205
option subnet-mask 255.255.252.0;
1206
option routers 172.16.8.128;
1207
allow unknown-clients;
1209
subnet 127.0.0.0 netmask 255.0.0.0 {
1215
<example id="massive-nameda">
1216
<title>Server: MASSIVE, File: named.conf, Part: A</title>
1219
# Abmas Biz DNS Control File
1221
# Date: November 15, 2003
1224
directory "/var/lib/named";
1234
multiple-cnames yes;
1243
zone "localhost" in {
1245
file "localhost.zone";
1248
zone "0.0.127.in-addr.arpa" in {
1250
file "127.0.0.zone";
1267
<example id="massive-namedb">
1268
<title>Server: MASSIVE, File: named.conf, Part: B</title>
1272
file "/var/lib/named/master/abmas.biz.hosts";
1286
file "/var/lib/named/master/abmas.us.hosts";
1298
<example id="massive-namedc">
1299
<title>Server: MASSIVE, File: named.conf, Part: C</title>
1301
zone "0.16.172.in-addr.arpa" {
1303
file "/var/lib/named/master/172.16.0.0.rev";
1315
zone "4.16.172.in-addr.arpa" {
1317
file "/var/lib/named/master/172.16.4.0.rev";
1329
zone "8.16.172.in-addr.arpa" {
1331
file "/var/lib/named/master/172.16.8.0.rev";
1346
<example id="abmasbizdns">
1347
<title>Forward Zone File: abmas.biz.hosts</title>
1350
$TTL 38400 ; 10 hours 40 minutes
1351
abmas.biz IN SOA massive.abmas.biz. root.abmas.biz. (
1353
10800 ; refresh (3 hours)
1354
3600 ; retry (1 hour)
1355
604800 ; expire (1 week)
1356
38400 ; minimum (10 hours 40 minutes)
1358
NS massive.abmas.biz.
1361
MX 10 massive.abmas.biz.
1363
massive A 172.16.0.1
1364
router0 A 172.16.0.128
1366
router4 A 172.16.4.128
1368
router8 A 172.16.8.128
1373
<example id="abmasusdns">
1374
<title>Forward Zone File: abmas.biz.hosts</title>
1377
$TTL 38400 ; 10 hours 40 minutes
1378
abmas.us IN SOA server.abmas.us. root.abmas.us. (
1380
10800 ; refresh (3 hours)
1381
3600 ; retry (1 hour)
1382
604800 ; expire (1 week)
1383
38400 ; minimum (10 hours 40 minutes)
1387
MX 10 mail.abmas.us.
1389
server A 123.45.67.66
1399
<example id="bldg12nameda">
1400
<title>Servers: BLDG1/BLDG2, File: named.conf, Part: A</title>
1403
# Abmas Biz DNS Control File
1405
# Date: November 15, 2003
1408
directory "/var/lib/named";
1417
multiple-cnames yes;
1426
zone "localhost" in {
1428
file "localhost.zone";
1431
zone "0.0.127.in-addr.arpa" in {
1433
file "127.0.0.zone";
1450
<example id="bldg12namedb">
1451
<title>Servers: BLDG1/BLDG2, File: named.conf, Part: B</title>
1455
file "/var/lib/named/slave/abmas.biz.hosts";
1464
zone "0.16.172.in-addr.arpa" {
1466
file "/var/lib/slave/master/172.16.0.0.rev";
1475
zone "4.16.172.in-addr.arpa" {
1477
file "/var/lib/named/slave/172.16.4.0.rev";
1486
zone "8.16.172.in-addr.arpa" {
1488
file "/var/lib/named/slave/172.16.8.0.rev";
1501
<example id="ch5-initgrps">
1502
<title>Initialize Groups Script, File: /etc/samba/initGrps.sh</title>
1506
# Create UNIX groups
1511
# Map Windows Domain Groups to UNIX groups
1512
net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
1513
net groupmap add ntgroup="Domain Users" unixgroup=users type=d
1514
net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
1516
# Add Functional Domain Groups
1517
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
1518
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
1519
net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
1523
<!-- End of Examples -->
1525
<sect2 id="ch5-procstart">
1526
<title>Process Startup Configuration</title>
1529
<indexterm><primary>chkconfig</primary></indexterm>
1530
<indexterm><primary>daemon control</primary></indexterm>
1531
There are two essential steps to process startup configuration. A process
1532
must be configured so that it is automatically restarted each time the server
1533
is rebooted. This step involves use of the <command>chkconfig</command> tool that
1534
created appropriate symbolic links from the master daemon control file that is
1535
located in the <filename>/etc/rc.d</filename> directory to the <filename>/etc/rc'x'.d</filename>
1536
directories. Links are created so that when the system run-level is changed, the
1537
necessary start or kill script is run.
1541
<indexterm><primary>/etc/xinetd.d</primary></indexterm>
1542
In the event that a service is provided not as a daemon but via the internetworking
1543
super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command>
1544
tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory
1545
and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
1546
re-read its control files.
1550
Last, each service must be started to permit system validation to proceed. The following steps
1551
are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you
1552
are installing Samba.
1556
<title>Process Startup Configuration Steps</title>
1559
Use the standard system tool to configure each service to restart
1560
automatically at every system reboot. For example,
1561
<indexterm><primary>chkconfig</primary></indexterm>
1563
&rootprompt; chkconfig dhpc on
1564
&rootprompt; chkconfig named on
1565
&rootprompt; chkconfig cups on
1566
&rootprompt; chkconfig smb on
1567
&rootprompt; chkconfig swat on
1572
<indexterm><primary>starting dhcpd</primary></indexterm>
1573
<indexterm><primary>starting samba</primary></indexterm>
1574
<indexterm><primary>starting CUPS</primary></indexterm>
1575
Now start each service to permit the system to be validated.
1576
Execute each of the following in the sequence shown:
1579
&rootprompt; service dhcp restart
1580
&rootprompt; service named restart
1581
&rootprompt; service cups restart
1582
&rootprompt; service smb restart
1583
&rootprompt; service swat restart
1590
<sect2 id="ch5wincfg">
1591
<title>Windows Client Configuration</title>
1594
The procedure for desktop client configuration for the network in this chapter is similar to
1595
that used for the previous one. There are a few subtle changes that should be noted.
1599
<title>Windows Client Configuration Steps</title>
1602
Install MS Windows XP Professional. During installation, configure the client to use DHCP for
1603
TCP/IP protocol configuration.
1604
<indexterm><primary>WINS</primary></indexterm>
1605
<indexterm><primary>DHCP</primary></indexterm>
1606
DHCP configures all Windows clients to use the WINS Server address that has been defined
1607
for the local subnet.
1611
Join the Windows domain <constant>MEGANET</constant>. Use the domain administrator
1612
username <constant>root</constant> and the SMB password you assigned to this account.
1613
A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
1614
a Windows domain is given in <link linkend="appendix"/>, <link linkend="domjoin"/>.
1615
Reboot the machine as prompted and then log on using the domain administrator account
1616
(<constant>root</constant>).
1620
Verify that the server called <constant>MEGANET</constant> is visible in <guimenu>My Network Places</guimenu>,
1621
that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>,
1622
<guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>,
1623
and that it is possible to open each share to reveal its contents.
1627
Create a drive mapping to the <constant>apps</constant> share on a server. At this time, it does
1628
not particularly matter which application server is used. It is necessary to manually
1629
set a persistent drive mapping to the local applications server on each workstation at the time of
1630
installation. This step is avoided by the improvements to the design of the network configuration
1631
in the next chapter.
1635
Perform an administrative installation of each application to be used. Select the options
1636
that you wish to use. Of course, you choose to run applications over the network, correct?
1640
Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
1641
NTP-based time synchronization software, drivers for specific local devices such as fingerprint
1642
scanners, and the like. Probably the most significant application to be locally installed
1643
is antivirus software.
1647
Now install all four printers onto the staging system. The printers you install
1648
include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers, and you
1649
also configure use of the identical printers that are located in the financial services department.
1650
Install printers on each machine using the following steps:
1653
<title>Steps to Install Printer Drivers on Windows Clients</title>
1657
<guimenu>Start</guimenu>
1658
<guimenuitem>Settings</guimenuitem>
1659
<guimenuitem>Printers</guimenuitem>
1660
<guiicon>Add Printer</guiicon>
1661
<guibutton>Next</guibutton>
1662
</menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
1663
Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
1667
Click <guibutton>Next</guibutton>. In the
1668
<guimenuitem>Manufacturer:</guimenuitem> panel, select <constant>HP</constant>.
1669
In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
1670
<constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>.
1674
In the <guimenuitem>Available ports:</guimenuitem> panel, select
1675
<constant>FILE:</constant>. Accept the default printer name by clicking
1676
<guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
1677
test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
1678
<guibutton>Finish</guibutton>.
1682
You may be prompted for the name of a file to print to. If so, close the
1683
dialog panel. Right-click <menuchoice>
1684
<guiicon>HP LaserJet 6</guiicon>
1685
<guimenuitem>Properties</guimenuitem>
1686
<guimenusub>Details (Tab)</guimenusub>
1687
<guimenubutton>Add Port</guimenubutton>
1692
In the <guimenuitem>Network</guimenuitem> panel, enter the name of
1693
the print queue on the Samba server as follows: <constant>\\BLDG1\hplj6a</constant>.
1695
<guibutton>OK</guibutton>
1696
<guibutton>OK</guibutton>
1697
</menuchoice> to complete the installation.
1701
Repeat the printer installation steps above for both HP LaserJet 6 printers
1702
as well as for both QMS Magicolor laser printers. Remember to install all
1703
printers but to set the destination port for each to the server on the
1704
local network. For example, a workstation in the accounting group should
1705
have all printers directed at the server <constant>BLDG1</constant>.
1706
You may elect to point all desktop workstation configurations at the
1707
server called <constant>MASSIVE</constant> and then in your deployment
1708
procedures, it would be wise to document the need to redirect the printer
1709
configuration (as well as the applications server drive mapping) to the
1710
server on the network segment on which the workstation is to be located.
1716
When you are satisfied that the staging systems are complete, use the appropriate procedure to
1717
remove the client from the domain. Reboot the system, and then log on as the local administrator
1718
and clean out all temporary files stored on the system. Before shutting down, use the disk
1719
defragmentation tool so that the file system is in optimal condition before replication.
1723
Boot the workstation using the Norton (Symantec) Ghosting disk (or CD-ROM) and image the
1724
machine to a network share on the server.
1728
You may now replicate the image using the appropriate Norton Ghost procedure to the target
1729
machines. Make sure to use the procedure that ensures each machine has a unique
1730
Windows security identifier (SID). When the installation of the disk image is complete, boot the PC.
1734
Log onto the machine as the local Administrator (the only option), and join the machine to
1735
the domain following the procedure set out in <link linkend="appendix"/>, <link linkend="domjoin"/>. You must now set the
1736
persistent drive mapping to the applications server that the user is to use. The system is now
1737
ready for the user to log on, provided you have created a network logon account for that
1742
Instruct all users to log onto the workstation using their assigned username and password.
1749
<title>Key Points Learned</title>
1752
The network you have just deployed has been a valuable exercise in forced constraint.
1753
You have deployed a network that works well, although you may soon start to see
1754
performance problems, at which time the modifications demonstrated in <link linkend="happy"/>
1755
bring the network to life. The following key learning points were experienced:
1760
The power of using &smb.conf; include files
1764
Use of a single PDC over a routed network
1768
Joining a Samba-3 domain member server to a Samba-3 domain
1772
Configuration of winbind to use domain users and groups for Samba access
1773
to resources on the domain member servers
1777
The introduction of roaming profiles
1787
<title>Questions and Answers</title>
1792
<qandaset defaultlabel="chap01qa" type="number">
1797
The example &smb.conf; files in this chapter make use of the <parameter>include</parameter> facility.
1798
How may I get to see what the actual working &smb.conf; settings are?
1805
You may readily see the net compound effect of the included files by running:
1807
&rootprompt; testparm -s | less
1818
Why does the include file <filename>common.conf</filename> have an empty include statement?
1825
The use of the empty include statement nullifies further includes. For example, let's say you
1826
desire to have just an smb.conf file that is built from the array of include files of which the
1827
master control file is called <filename>master.conf</filename>. The following command
1828
produces a compound &smb.conf; file.
1830
&rootprompt; testparm -s /etc/samba/master.conf > /etc/samba/smb.conf
1832
If the include parameter was not in the common.conf file, the final &smb.conf; file leaves
1833
the include in place, even though the file it points to has already been included. This is a bug
1834
that will be fixed at a future date.
1844
I accept that the simplest configuration necessary to do the job is the best. The use of <parameter>tdbsam</parameter>
1845
passdb backend is much simpler than having to manage an LDAP-based <parameter>ldapsam</parameter> passdb backend.
1846
I tried using <command>rsync</command> to replicate the <filename>passdb.tdb</filename>, and it seems to work fine!
1847
So what is the problem?
1854
Replication of the <parameter>tdbsam</parameter> database file can result in loss of currency in its
1855
contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
1856
to log onto the network following a reboot and may have to rejoin the domain to recover network
1867
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
1874
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
1875
offers an IP address lease, but it is the client that determines which offer is accepted, no matter how many
1876
offers are made. Under normal operation, the client accepts the first offer it receives.
1880
The only exception to this rule is when the client makes a directed request from a specific DHCP server
1881
for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
1891
How does the Windows client find the PDC?
1898
The Windows client obtains the WINS server address from the DHCP lease information. It also
1899
obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
1900
to register itself with the WINS server and to obtain enumeration of vital network information to
1901
enable it to operate successfully.
1911
Why did you enable IP forwarding (routing) only on the server called <constant>MASSIVE</constant>?
1918
The server called <constant>MASSIVE</constant> is acting as a router to the Internet. No other server
1919
(BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network.
1920
Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
1921
segments to the router that is its gateway to them.
1931
You did nothing special to implement roaming profiles. Why?
1938
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
1939
clients is to use roaming profiles.
1949
On the domain member computers, you configured winbind in the <filename>/etc/nsswitch.conf</filename> file.
1950
You did not configure any PAM settings. Is this an omission?
1957
PAM is needed only for authentication. When Samba is using Microsoft encrypted passwords, it makes only
1958
marginal use of PAM. PAM configuration handles only authentication. If you want to log onto the domain
1959
member servers using Windows networking usernames and passwords, it is necessary to configure PAM
1960
to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
1961
service switch (NSS).
1971
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
1978
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
1979
in <emphasis>TOSHARG2</emphasis>, which has a full chapter dedicated to the subject. While we are on the
1980
subject, it should be noted that you should definitely not use SWAT on any system that makes use
1981
of &smb.conf; <parameter>include</parameter> files because SWAT optimizes them out into an aggregated
1982
file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to
1983
handle this functionality gracefully.
1993
The domain controller has an auto-shutdown script. Isn't that dangerous?
2000
Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.