~ubuntu-branches/ubuntu/lucid/samba/lucid-proposed

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�3.�Small Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.64.1"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="previous" href="simple.html" title="Chapter�2.�No Frills Samba Servers"><link rel="next" href="secure.html" title="Chapter�4.�Secure Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�3.�Small Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="simple.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="secure.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="small"></a>Chapter�3.�Small Office Networking</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="small.html#id2515052">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2515076">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2515137">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2515193">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id2515405">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2515426">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2517298">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id2517971">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id2517997">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2518074">Questions and Answers</a></span></dt></dl></div><p>

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�3.�Small Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="simple.html" title="Chapter�2.�No Frills Samba Servers"><link rel="next" href="secure.html" title="Chapter�4.�Secure Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�3.�Small Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="simple.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="secure.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="small"></a>Chapter�3.�Small Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="small.html#id2535100">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2535124">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2535193">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2535249">Technical Issues</a></span></dt><dt><span class="sect2"><a href="small.html#id2535461">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2535483">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="small.html#id2537323">Validation</a></span></dt><dt><span class="sect2"><a href="small.html#id2538002">Notebook Computers: A Special Case</a></span></dt><dt><span class="sect2"><a href="small.html#id2538028">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="small.html#id2538104">Questions and Answers</a></span></dt></dl></div><p>

So far, this book has focused on the basics of simple yet effective

network solutions. Network administrators who take pride in their work

(that's most of us, right?) take care to deliver what our users want,

increase costs of network ownership. A professional network manager

avoids the temptation to put too much pizazz into the way that the network

operates. Some creativity is helpful, but do keep it under control.

</p><p><a class="indexterm" name="id2514988"></a>

</p><p><a class="indexterm" name="id2535052"></a>

Five years ago there were two companies from which a lesson can be learned.

In one case the network administrator spent three months building a new

network to replace an old Netware server. What he delivered had all the

and got it. He often told me, “<span class="quote"><span class="emphasis"><em>Always keep a few new tricks up your

sleeves for when you need them.</em></span></span>” Was he smart? You decide. Let's

get on with our next exercise.

</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2515052"></a>Introduction</h2></div></div><div></div></div><p>

</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2535100"></a>Introduction</h2></div></div></div><p>

Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you

were the right person for the job. That's why he asked you to install the

new server. The past few months have been hard work. You advised Mr. Meany

You have found damaged and unusable software on some of the workstations

that came with the acquired business and found some machines that are

in need of both hardware and software maintenance.

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2515076"></a>Assignment Tasks</h3></div></div><div></div></div><p>

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2535124"></a>Assignment Tasks</h3></div></div></div><p>

Mr. Meany has decided to retire in 12 months. He wants you to help him

make the business run better. Many of the new staff want notebook computers.

They visit customer business premises with the need to use local network

Mr. Meany also asked if it would be possible for one of the staff to manage

user accounts from the Windows desktop. That person will be responsible for

basic operations.

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2515137"></a>Dissection and Discussion</h2></div></div><div></div></div><p>

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2535193"></a>Dissection and Discussion</h2></div></div></div><p>

What are the key requirements in this business example? A quick review indicates

a need for:

</p><div class="itemizedlist"><ul type="disc"><li><p>

Scalability from 52 to over 100 users in 12 months

</p></li><li><p>

Mobile computing capability

</p></li><li><p>

Improved reliability and usability

</p></li><li><p>

Easier administration

</p></li></ul></div><p>

In this instance the installed Linux system is assumed to be a Red Hat Linux 9.0 server

In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server

(as in <a href="simple.html#AccountingOffice" title="Accounting Office">???</a>).

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2515193"></a>Technical Issues</h3></div></div><div></div></div><p>

100

101

102

103

104

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2535249"></a>Technical Issues</h3></div></div></div><p>

100

101

102

103

104

105

It is time to implement a domain security environment. You will use the <tt class="constant">

106

smbpasswd</tt> (default) backend. You should implement a DHCP server. There is no need to

107

run DNS at this time, but the system will use WINS. The Domain name will be <tt class="constant">

122

Later on, when the Internet connection is implemented, you will add DNS as well as

123

other enhancements. It is important that you plan accordingly.

124

</p><p>

125

125

126

You have split the network into two separate areas. Each has its own ether-switch.

127

There are 20 users on the accounting network and 32 users on the financial services

128

network. The server has two network interfaces, one serving each network. The

137

Given that DNS will not be used, you will configure WINS name resolution for UNIX

138

hostname name resolution.

139

</p><p>

140

141

140

141

142

It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is

143

advisable to also map Windows Local Groups to UNIX groups. Additionally, the two

144

key staff groups in the firm are Accounting Staff and Financial Services Staff.

153

Group that has either a space or upper-case characters in it will fail. See <span class="emphasis"><em>TOSHARG</em></span>, Section 11.3.1,

154

Example 11.1, for more information.

155

</p><p>

156

156

157

Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler

158

on the UNIX host will be operated in <tt class="constant">raw</tt> mode.

159

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2515405"></a>Political Issues</h3></div></div><div></div></div><p>

159

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2535461"></a>Political Issues</h3></div></div></div><p>

160

Mr. Meany is an old-school manager. He sets the rules and wants to see compliance.

161

He is willing to spend money on things he believes are of value. You need more

162

time to convince him of real priorities.

164

Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be

165

supplied with anti-virus software? Above all, demonstrate good purchase value and remember

166

to make your users happy.

167

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2515426"></a>Implementation</h2></div></div><div></div></div><p><a class="indexterm" name="id2515433"></a>

167

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2535483"></a>Implementation</h2></div></div></div><p><a class="indexterm" name="id2535489"></a>

168

In this example, the assumption is made that this server is being configured from a clean start.

169

The alternate approach could be to demonstrate the migration of the system that is documented

170

in <a href="simple.html#AcctgNet" title="Implementation">???</a> to meet the new requirements. The decision to treat this case, as with

171

future examples, as a new installation is based on the premise that you can determine

172

the migration steps from the information provided in the separate chapter on this subject.

173

Additionally, a fresh installation makes the example easier to follow.

174

</p><p><a class="indexterm" name="id2515459"></a>

174

</p><p><a class="indexterm" name="id2535516"></a>

175

Each user will be given a home directory on the UNIX system, which will be available as a private

176

share. Two additional shares will be created, one for the Accounting Department and the other for

177

the Financial Services Department. Network users will be given access to these shares by way

178

of group membership.

179

</p><p>

180

180

181

UNIX group membership is the primary mechanism by which Windows Domain users will be granted

182

rights and privileges within the Windows environment.

183

</p><p><a class="indexterm" name="id2515491"></a>

183

</p><p><a class="indexterm" name="id2535547"></a>

184

The user <span><b class="command">alanm</b></span> will be made the owner of all files. This will be preserved

185

by setting the sticky bit (set UID/GID) on the top-level directories.

186

</p><div class="figure"><a name="acct2net"></a><p class="title"><b>Figure�3.1.�Abmas Accounting 52 User Network Topology</b></p><div class="mediaobject"><img src="images/acct2net.png" width="351" alt="Abmas Accounting 52 User Network Topology"></div></div><div class="procedure"><ol type="1"><li><p>

187

Using UNIX/Linux system tools, name the server <tt class="constant">sleeth</tt>.

188

</p></li><li><p>

189

189

190

Place an entry for the machine <tt class="constant">sleeth</tt> in the <tt class="filename">/etc/hosts</tt>.

191

The printers are network attached, so it is desirable that there should be entries for the

192

network printers also. An example <tt class="filename">/etc/hosts</tt> file is shown here:

201

Install the Samba-3 binary RPM from the Samba-Team FTP site.

202

</p></li><li><p>

203

Install the ISC DHCP server using the UNIX/Linux system tools available to you.

204

</p></li><li><p><a class="indexterm" name="id2515625"></a><a class="indexterm" name="id2515633"></a><a class="indexterm" name="id2515641"></a><a class="indexterm" name="id2515648"></a>

204

</p></li><li><p><a class="indexterm" name="id2535681"></a><a class="indexterm" name="id2535689"></a><a class="indexterm" name="id2535697"></a><a class="indexterm" name="id2535705"></a>

205

Given that Samba will be operating over two network interfaces and clients on each side

206

may want to be able to reach clients on the other side, it is imperative that IP forwarding

207

shall be enabled. Use the system tool of your choice to enable IP forwarding. In the

215

Install the <tt class="filename">smb.conf</tt> file as shown in <a href="small.html#acct2conf" title="Example�3.3.�Accounting Office Network smb.conf File [globals] Section">???</a> and

216

<a href="small.html#acct3conf" title="Example�3.4.�Accounting Office Network smb.conf File Services and Shares Section">???</a>. Combine these two examples to form a single

217

<tt class="filename">/etc/samba/smb.conf</tt> file.

218

</p></li><li><p><a class="indexterm" name="id2515717"></a>

218

</p></li><li><p><a class="indexterm" name="id2535774"></a>

219

Add the user <span><b class="command">root</b></span> to the Samba password backend:

220

</p><pre class="screen">

221

<tt class="prompt">root# </tt> smbpasswd -a root

223

Retype new SMB password: XXXXXXX

224

225

</pre><p>

226

226

227

This is the Windows Domain Administrator password. Never delete this account from

228

the password backend after Windows Domain Groups have been initialized. If you delete

229

this account, your system is crippled. You cannot restore this account

230

and your Samba server is no longer capable of being administered.

231

</p></li><li><p>

232

232

233

Create the username map file to permit the <tt class="constant">root</tt> account to be called

234

<tt class="constant">Administrator</tt> from the Windows network environment. To do this, create

235

the file <tt class="filename">/etc/samba/smbusers</tt> with the following contents:

256

####

257

</pre><p>

258

</p></li><li><p>

259

259

260

Create and map Windows Domain Groups to UNIX groups. A sample script is provided in

261

<a href="small.html#initGrps" title="Example�3.1.�Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours

262

<tt class="filename">/etc/samba/initGrps.sh</tt>. Set this file so it can be executed,

263

and then execute the script. Sample output should be as follows:

264

265

</p><div class="example"><a name="initGrps"></a><p class="title"><b>Example�3.1.�Script to Map Windows NT Groups to UNIX Groups</b></p><a class="indexterm" name="id2515847"></a><pre class="screen">

265

266

#!/bin/bash

267

268

# initGrps.sh

312

Users (S-1-5-32-545) -> -1

313

</pre><p>

314

</p></li><li><p>

315

316

317

315

316

317

318

For each user who needs to be given a Windows Domain account, make an entry in the

319

<tt class="filename">/etc/passwd</tt> file as well as in the Samba password backend.

320

Use the system tool of your choice to create the UNIX system accounts and use the Samba

321

<span><b class="command">smbpasswd</b></span> program to create the Domain user accounts.

322

</p><p>

323

324

325

323

324

325

326

There are a number of tools for user management under UNIX. Commonly known ones include:

327

<span><b class="command">useradd</b></span>, <span><b class="command">adduser</b></span>. In addition to these, there are a plethora of custom

328

tools. With the tool of your choice, create a home directory for each user.

351

Configure the printers with the IP addresses as shown in <a href="small.html#acct2net" title="Figure�3.1.�Abmas Accounting 52 User Network Topology">???</a>.

352

Follow the instructions in the manufacturers' manuals to permit printing to port 9100.

353

This allows the CUPS spooler to print using raw mode protocols.

354

355

354

355

356

</p></li><li><p>

357

357

358

Configure the CUPS Print Queues as follows:

359

</p><pre class="screen">

360

<tt class="prompt">root# </tt> lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E

361

<tt class="prompt">root# </tt> lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E

362

<tt class="prompt">root# </tt> lpadmin -p qms -v socket://192.168.2.10:9100 -E

363

</pre><p>

364

364

365

This creates the necessary print queues with no assigned print filter.

366

</p></li><li><p>

367

368

369

367

368

369

370

Edit the file <tt class="filename">/etc/cups/mime.convs</tt> to uncomment the line:

371

</p><pre class="screen">

372

application/octet-stream application/vnd.cups-raw 0 -

373

</pre><p>

374

</p></li><li><p>

375

375

376

Edit the file <tt class="filename">/etc/cups/mime.types</tt> to uncomment the line:

377

</p><pre class="screen">

378

application/octet-stream

379

</pre><p>

380

</p></li><li><p><a class="indexterm" name="id2516297"></a>

380

</p></li><li><p><a class="indexterm" name="id2536347"></a>

381

Using your favorite system editor, create an <tt class="filename">/etc/dhcpd.conf</tt> with the

382

contents as shown in <a href="small.html#dhcp01" title="Example�3.2.�Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>.

383

</p><div class="example"><a name="dhcp01"></a><p class="title"><b>Example�3.2.�Abmas Accounting DHCP Server Configuration File <tt class="filename">/etc/dhcpd.conf</tt></b></p><a class="indexterm" name="id2516335"></a><pre class="screen">

383

384

default-lease-time 86400;

385

max-lease-time 172800;

386

default-lease-time 86400;

428

Use the standard system tool to start Samba and CUPS and configure them to start

429

automatically at every system reboot. For example:

430

</p><p>

431

432

433

434

431

432

433

434

435

</p><pre class="screen">

436

<tt class="prompt">root# </tt> chkconfig dhpc on

437

<tt class="prompt">root# </tt> chkconfig smb on

441

<tt class="prompt">root# </tt> /etc/rc.d/init.d/cups restart

442

</pre><p>

443

</p></li><li><p>

444

445

446

447

448

444

445

446

447

448

449

Configure the Name Service Switch (NSS) to handle WINS based name resolution.

450

Since this system does not use a DNS server, it is safe to remove this option from

451

the NSS configuration. Edit the <tt class="filename">/etc/nsswitch.conf</tt> file so that

453

</p><pre class="screen">

454

hosts: files wins

455

</pre><p>

456

</p></li></ol></div><div class="example"><a name="acct2conf"></a><p class="title"><b>Example�3.3.�Accounting Office Network smb.conf File [globals] Section</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2516561"></a><i class="parameter"><tt>

457

458

workgroup = BILLMORE</tt></i></td></tr><tr><td><a class="indexterm" name="id2516576"></a><i class="parameter"><tt>

459

460

passwd chat = *New*Password* \</tt></i></td></tr><tr><td><i class="parameter"><tt>%n\n*Re-enter*new*password* %n\n *Password*changed*</tt></i></td></tr><tr><td><a class="indexterm" name="id2516600"></a><i class="parameter"><tt>

461

462

username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2516616"></a><i class="parameter"><tt>

463

464

syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2516632"></a><i class="parameter"><tt>

465

466

name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2516648"></a><i class="parameter"><tt>

467

468

printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2516663"></a><i class="parameter"><tt>

469

470

show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2516679"></a><i class="parameter"><tt>

471

472

add user script = /usr/sbin/useradd -m '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516696"></a><i class="parameter"><tt>

473

474

delete user script = /usr/sbin/userdel -r '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516712"></a><i class="parameter"><tt>

475

476

add group script = /usr/sbin/groupadd '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516728"></a><i class="parameter"><tt>

477

478

delete group script = /usr/sbin/groupdel '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516744"></a><i class="parameter"><tt>

479

480

add user to group script = /usr/sbin/usermod -G '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516761"></a><i class="parameter"><tt>

481

482

add machine script = /usr/sbin/useradd \</tt></i></td></tr><tr><td><i class="parameter"><tt>-s /bin/false -d /dev/null '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2516784"></a><i class="parameter"><tt>

483

484

logon script = scripts\login.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2516800"></a><i class="parameter"><tt>

485

486

logon path = </tt></i></td></tr><tr><td><a class="indexterm" name="id2516816"></a><i class="parameter"><tt>

487

488

logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2516831"></a><i class="parameter"><tt>

489

490

domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2516847"></a><i class="parameter"><tt>

491

492

preferred master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2516863"></a><i class="parameter"><tt>

493

494

wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2516879"></a><i class="parameter"><tt>

495

496

printing = CUPS</tt></i></td></tr></table></div><div class="example"><a name="acct3conf"></a><p class="title"><b>Example�3.4.�Accounting Office Network smb.conf File Services and Shares Section</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2516917"></a><i class="parameter"><tt>

497

498

comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2516932"></a><i class="parameter"><tt>

499

500

valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2516948"></a><i class="parameter"><tt>

501

502

read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2516964"></a><i class="parameter"><tt>

503

504

browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2516988"></a><i class="parameter"><tt>

505

506

comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2517004"></a><i class="parameter"><tt>

507

508

path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2517020"></a><i class="parameter"><tt>

509

510

printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2517036"></a><i class="parameter"><tt>

511

512

guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2517051"></a><i class="parameter"><tt>

513

514

use client driver = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2517067"></a><i class="parameter"><tt>

515

516

browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2517092"></a><i class="parameter"><tt>

517

518

comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2517108"></a><i class="parameter"><tt>

519

520

path = /data/%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2517123"></a><i class="parameter"><tt>

521

522

valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2517139"></a><i class="parameter"><tt>

523

524

read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2517163"></a><i class="parameter"><tt>

525

526

comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2517179"></a><i class="parameter"><tt>

527

528

path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2517195"></a><i class="parameter"><tt>

529

530

valid users = %G</tt></i></td></tr><tr><td><a class="indexterm" name="id2517211"></a><i class="parameter"><tt>

531

532

read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[finsvcs]</tt></i></td></tr><tr><td><a class="indexterm" name="id2517235"></a><i class="parameter"><tt>

533

534

comment = Financial Service Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2517252"></a><i class="parameter"><tt>

535

536

path = /data/finsvcs</tt></i></td></tr><tr><td><a class="indexterm" name="id2517267"></a><i class="parameter"><tt>

537

538

valid users = %G</tt></i></td></tr><tr><td><a class="indexterm" name="id2517282"></a><i class="parameter"><tt>

539

540

read only = No</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2517298"></a>Validation</h3></div></div><div></div></div><p>

456

457

458

workgroup = BILLMORE</tt></i></td></tr><tr><td><a class="indexterm" name="id2536626"></a><i class="parameter"><tt>

459

460

passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</tt></i></td></tr><tr><td><a class="indexterm" name="id2536643"></a><i class="parameter"><tt>

461

462

username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2536659"></a><i class="parameter"><tt>

463

464

syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2536674"></a><i class="parameter"><tt>

465

466

name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2536690"></a><i class="parameter"><tt>

467

468

printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2536705"></a><i class="parameter"><tt>

469

470

show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2536720"></a><i class="parameter"><tt>

471

472

add user script = /usr/sbin/useradd -m '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536737"></a><i class="parameter"><tt>

473

474

delete user script = /usr/sbin/userdel -r '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536753"></a><i class="parameter"><tt>

475

476

add group script = /usr/sbin/groupadd '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536769"></a><i class="parameter"><tt>

477

478

delete group script = /usr/sbin/groupdel '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536785"></a><i class="parameter"><tt>

479

480

add user to group script = /usr/sbin/usermod -G '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536801"></a><i class="parameter"><tt>

481

482

add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2536817"></a><i class="parameter"><tt>

483

484

logon script = scripts\login.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2536833"></a><i class="parameter"><tt>

485

486

logon path = </tt></i></td></tr><tr><td><a class="indexterm" name="id2536848"></a><i class="parameter"><tt>

487

488

logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2536863"></a><i class="parameter"><tt>

489

490

domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2536879"></a><i class="parameter"><tt>

491

492

preferred master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2536894"></a><i class="parameter"><tt>

493

494

wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2536910"></a><i class="parameter"><tt>

495

496

497

498

comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2536963"></a><i class="parameter"><tt>

499

500

valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2536979"></a><i class="parameter"><tt>

501

502

read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2536994"></a><i class="parameter"><tt>

503

504

browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2537018"></a><i class="parameter"><tt>

505

506

comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2537034"></a><i class="parameter"><tt>

507

508

path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2537049"></a><i class="parameter"><tt>

509

510

printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2537065"></a><i class="parameter"><tt>

511

512

guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2537080"></a><i class="parameter"><tt>

513

514

use client driver = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2537096"></a><i class="parameter"><tt>

515

516

browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2537120"></a><i class="parameter"><tt>

517

518

comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2537136"></a><i class="parameter"><tt>

519

520

path = /data/%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2537151"></a><i class="parameter"><tt>

521

522

valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2537167"></a><i class="parameter"><tt>

523

524

read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2537191"></a><i class="parameter"><tt>

525

526

comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2537206"></a><i class="parameter"><tt>

527

528

path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2537222"></a><i class="parameter"><tt>

529

530

valid users = %G</tt></i></td></tr><tr><td><a class="indexterm" name="id2537237"></a><i class="parameter"><tt>

531

532

read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[finsvcs]</tt></i></td></tr><tr><td><a class="indexterm" name="id2537261"></a><i class="parameter"><tt>

533

534

comment = Financial Service Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2537278"></a><i class="parameter"><tt>

535

536

path = /data/finsvcs</tt></i></td></tr><tr><td><a class="indexterm" name="id2537292"></a><i class="parameter"><tt>

537

538

valid users = %G</tt></i></td></tr><tr><td><a class="indexterm" name="id2537308"></a><i class="parameter"><tt>

539

540

read only = No</tt></i></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2537323"></a>Validation</h3></div></div></div><p>

541

Does everything function as it ought? That is the key question at this point.

542

Here are some simple steps to validate your Samba server configuration.

543

</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2517316"></a>

543

</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2537341"></a>

544

If your <tt class="filename">smb.conf</tt> file has bogus options or parameters, this may cause Samba

545

to refuse to start. The first step should always be to validate the contents

546

of this file by running:

569

delete group script = /usr/sbin/groupdel '%g'

570

add user to group script = /usr/sbin/usermod -G '%g' '%u'

571

add machine script = /usr/sbin/useradd

572

-s /bin/false -d /dev/null '%u'

572

-s /bin/false -d /var/lib/nobody '%u'

573

logon script = scripts\logon.bat

574

logon path =

575

logon drive = X:

588

</pre><p>

589

Clear away all errors before proceeding and start or restart samba as necessary.

590

</p></li><li><p>

591

591

592

Check that the Samba server is running:

593

</p><pre class="screen">

594

<tt class="prompt">root# </tt> ps ax | grep mbd

601

14295 ? S 0:00 /usr/sbin/winbindd -B

602

</pre><p>

603

The <span><b class="command">winbindd</b></span> daemon is running in split mode (normal) so there are also

604

two instances of it. For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG</em></span>, Chapter 20,

605

Section 20.3. The single instance of <span><b class="command">smbd</b></span> is normal.

604

two instances of it. For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG</em></span>,

605

Chapter 22, Section 22.3. The single instance of <span><b class="command">smbd</b></span> is normal.

606

</p></li><li><p>

607

607

608

Check that an anonymous connection can be made to the Samba server:

609

</p><pre class="screen">

610

<tt class="prompt">root# </tt> smbclient -L localhost -U%

622

623

Server Comment

624

--------- -------

625

SLEETH Samba 3.0.2

625

SLEETH Samba 3.0.12

626

627

Workgroup Master

628

--------- -------

633

The <tt class="constant">-U%</tt> argument means, send a "<tt class="constant">NULL</tt> username and

634

a <tt class="constant">NULL</tt> password."

635

</p></li><li><p>

636

637

636

637

638

Verify that the printers have the IP addresses assigned in the DHCP server configuration file.

639

The easiest way to do this is to ping the printer name. Immediately after the ping response

640

has been received, execute <span><b class="command">arp -a</b></span> to find the MAC address of the printer

653

IP address from which the printer has responded and with the entry for it in the

654

<tt class="filename">/etc/dhcpd.conf</tt> file.

655

</p></li><li><p>

656

656

657

Make an authenticated connection to the server using the <span><b class="command">smbclient</b></span> tool:

658

</p><pre class="screen">

659

<tt class="prompt">root# </tt> smbclient //sleeth/accounts -U alanm

670

65387 blocks of size 65536. 28590 blocks available

671

smb: \> q

672

</pre><p>

673

</p></li></ol></div></div><div class="procedure"><p class="title"><b>Procedure�3.3.�Windows XP Professional Client Configuration</b></p><ol type="1"><li><p>

673

</p></li></ol></div></div><div class="procedure"><a name="id2537668"></a><p class="title"><b>Procedure�3.3.�Windows XP Professional Client Configuration</b></p><ol type="1"><li><p>

674

Configure clients to the network settings shown in <a href="small.html#acct2net" title="Figure�3.1.�Abmas Accounting 52 User Network Topology">???</a>.

675

All clients use DHCP for TCP/IP protocol stack configuration.

676

677

676

677

678

DHCP configures all Windows clients to use the WINS Server address <tt class="constant">192.168.1.1</tt>.

679

</p></li><li><p>

680

Join the Windows Domain called <tt class="constant">BILLMORE</tt>. Use the Domain Administrator

692

Instruct all users to log onto the workstation using their assigned user name and password.

693

</p></li><li><p>

694

Install a printer on each using the following steps:

695

696

</p><div class="procedure"><ol type="1"><li><p>

695

</p><div class="procedure"><ol type="1"><li><p>

697

696

Click <span class="guimenu">Start</span>-><span class="guimenuitem">Settings</span>-><span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.

698

697

Ensure that <span class="guimenuitem">Local printer</span> is selected.

699

698

</p></li><li><p>

709

708

<span class="guibutton">Finish</span>.

710

709

</p></li><li><p>

711

710

You may be prompted for the name of a file to print to. If so, close the

712

dialog panel. Right-click <span class="guiicon">HP LaserJet 4</span>-><span class="guimenuitem">Properties</span>.

711

dialog panel. Right-click <span class="guiicon">HP LaserJet 4</span>-><span class="guimenuitem">Properties</span>-><span class="guisubmenu">Details (Tab)</span>-><span class="guimenuitem">Add Port</span>.

713

712

</p></li><li><p>

714

713

In the panel labeled <span class="guimenuitem">Network</span>, enter the name of

715

714

the print queue on the Samba server as follows: <tt class="constant">\\SERVER\hplj4</tt>.

717

716

</p></li><li><p>

718

717

Repeat the printer installation steps above for the HP LaserJet 6 printer

719

718

as well as for the QMS Magicolor XXXX laser printer.

720

</p></li></ol></div><p>

721

</p></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2517971"></a>Notebook Computers: A Special Case</h3></div></div><div></div></div><p>

719

</p></li></ol></div></li></ol></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2538002"></a>Notebook Computers: A Special Case</h3></div></div></div><p>

722

720

As a network administrator, you already know how to create local machine accounts for Windows 200x/XP

723

721

Professional systems. This is the preferred solution to provide continuity of work for notebook users

724

722

so that absence from the office network environment does not become a barrier to productivity.

728

726

transparently access network resources as if logged onto the domain itself. There are some trade-offs

729

727

that mean that as the network is more tightly secured it becomes necessary to modify Windows client

730

728

configuration somewhat.

731

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2517997"></a>Key Points Learned</h3></div></div><div></div></div><p>

729

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2538028"></a>Key Points Learned</h3></div></div></div><p>

732

730

In this network design and implementation exercise, you have created a Windows NT4 style Domain

733

Controller using Samba-3.0.2. As a result of following these guidelines meant that you experienced

731

Controller using Samba-3.0.12. As a result of following these guidelines meant that you experienced

734

732

and implemented several important aspects of Windows networking. In the next chapter of this book,

735

733

you build on the experience gained. These are the highlights from this chapter:

736

734

</p><div class="itemizedlist"><ul type="disc"><li><p>

737

735

738

736

You implemented a DHCP Server and Microsoft Windows clients were able to obtain all necessary

739

737

network configuration settings from this server.

740

738

</p></li><li><p>

741

739

742

740

You created a Windows Domain Controller. You were able to use the network logon service

743

741

and successfully joined Windows 200x/XP Professional clients to the Domain.

744

742

</p></li><li><p>

745

743

746

744

You created raw print queues in the CUPS printing system. You maintained a simple

747

745

printing system so that all users can share centrally managed printers. You installed

748

746

native printer drivers on the Windows clients.

751

749

</p></li><li><p>

752

750

You offered Mobile notebook users a solution that allows them to continue to work

753

751

while away from the office and not connected to the corporate network.

754

</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2518074"></a>Questions and Answers</h2></div></div><div></div></div><p>

752

</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2538104"></a>Questions and Answers</h2></div></div></div><p>

755

753

Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that

756

754

may help.

757

</p><div class="qandaset"><dl><dt> <a href="small.html#id2518092">

755

</p><div class="qandaset"><dl><dt>1. <a href="small.html#id2538118">

758

756

What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?

759

</a></dt><dt> <a href="small.html#id2518118">

757

</a></dt><dt>2. <a href="small.html#id2538145">

760

758

Are there any DHCP server configuration parameters in the /etc/dhcpd.conf

761

759

that should be noted in particular?

762

</a></dt><dt> <a href="small.html#id2518150">

760

</a></dt><dt>3. <a href="small.html#id2538177">

763

761

Is it possible to create a Windows Domain account that is specifically called Administrator?

764

</a></dt><dt> <a href="small.html#id2518189">

762

</a></dt><dt>4. <a href="small.html#id2538216">

765

763

Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?

766

</a></dt><dt> <a href="small.html#id2518231">

764

</a></dt><dt>5. <a href="small.html#id2538257">

767

765

One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him

768

766

root access. How can we do this?

769

</a></dt><dt> <a href="small.html#id2518272">

767

</a></dt><dt>6. <a href="small.html#id2538299">

770

768

Why must I map Windows Domain Groups to UNIX groups?

771

</a></dt><dt> <a href="small.html#id2518300">

769

</a></dt><dt>7. <a href="small.html#id2538326">

772

770

I deleted my root account and now I cannot add it back! What can I do?

773

</a></dt><dt> <a href="small.html#id2518372">

771

</a></dt><dt>8. <a href="small.html#id2538399">

774

772

When I run net groupmap list, it reports a group called Administrators

775

773

as well as Domain Admins. What is the difference between them?

776

</a></dt><dt> <a href="small.html#id2518421">

774

</a></dt><dt>9. <a href="small.html#id2538447">

777

775

What is the effect of changing the name of a Samba server, or of changing the Domain name?

778

</a></dt><dt> <a href="small.html#id2518473">

776

</a></dt><dt>10. <a href="small.html#id2538499">

779

777

How can I manage user accounts from my Windows XP Professional workstation?

780

</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2518092"></a><a name="id2518094"></a><b></b></td><td align="left" valign="top"><p>

778

</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2538118"></a><a name="id2538120"></a><b>1.</b></td><td align="left" valign="top"><p>

781

779

What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?

782

780

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

783

781

First and foremost, portability. It means that notebook users can move between

786

784

either using DHCP assigned addressing or when using dial-up networking, settings such as

787

785

default routes and DNS server addresses that apply only to the Abmas office environment do

788

786

not interfere with remote operations. This is an extremely important feature of DHCP.

789

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518118"></a><a name="id2518121"></a><b></b></td><td align="left" valign="top"><p>

787

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538145"></a><a name="id2538147"></a><b>2.</b></td><td align="left" valign="top"><p>

790

788

Are there any DHCP server configuration parameters in the <tt class="filename">/etc/dhcpd.conf</tt>

791

789

that should be noted in particular?

792

790

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

795

793

with the WINS server, and then instructs the client to first query the WINS server when a

796

794

NetBIOS machine name needs to be resolved to an IP Address. This means that this configuration

797

795

results in far lower UDP broadcast traffic than would be the case if WINS was not used.

798

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518150"></a><a name="id2518152"></a><b></b></td><td align="left" valign="top"><p>

796

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538177"></a><a name="id2538179"></a><b>3.</b></td><td align="left" valign="top"><p>

799

797

Is it possible to create a Windows Domain account that is specifically called <tt class="constant">Administrator</tt>?

800

798

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

801

799

You can surely create a Windows Domain Account called <tt class="constant">Administrator</tt>. It is also

802

800

possible to map that account so that it has the effective UNIX UID of 0. This way it isn't

803

801

necessary to use the <i class="parameter"><tt>username map</tt></i> facility to map this account to the UNIX

804

802

account called <tt class="constant">root</tt>.

805

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518189"></a><a name="id2518191"></a><b></b></td><td align="left" valign="top"><p>

803

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538216"></a><a name="id2538218"></a><b>4.</b></td><td align="left" valign="top"><p>

806

804

Why is it necessary to give the Windows Domain <tt class="constant">Administrator</tt> a UNIX UID of 0?

807

805

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

808

806

The Windows Domain <tt class="constant">Administrator</tt> account is the most privileged account that

812

810

Administrator to manage accounts, as well as permissions, privileges, and security

813

811

settings within the Domain and on the Samba server, equivalent rights must be assigned. This is

814

812

achieved with the <tt class="constant">root</tt> UID equal to 0.

815

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518231"></a><a name="id2518233"></a><b></b></td><td align="left" valign="top"><p>

813

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538257"></a><a name="id2538259"></a><b>5.</b></td><td align="left" valign="top"><p>

816

814

One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him

817

815

<tt class="constant">root</tt> access. How can we do this?

818

816

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

821

819

(or equivalent on <tt class="constant">wheel</tt> on some UNIX systems) that has a GID of 0.

822

820

This must be the primary GID of the account of the user who is a member of the Windows <tt class="constant">

823

821

Domain Admins</tt> account.

824

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518272"></a><a name="id2518275"></a><b></b></td><td align="left" valign="top"><p>

822

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538299"></a><a name="id2538301"></a><b>6.</b></td><td align="left" valign="top"><p>

825

823

Why must I map Windows Domain Groups to UNIX groups?

826

824

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

827

825

Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account

828

826

has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are:

829

827

<span class="guimenu">Domain Guests, Domain Users, Domain Admins</span>.

830

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518300"></a><a name="id2518302"></a><b></b></td><td align="left" valign="top"><p>

828

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538326"></a><a name="id2538328"></a><b>7.</b></td><td align="left" valign="top"><p>

831

829

I deleted my <tt class="constant">root</tt> account and now I cannot add it back! What can I do?

832

830

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

833

831

This is a nasty problem. Fortunately, here is a solution.

839

837

Use the <span><b class="command">smbpasswd</b></span> to add the root account.

840

838

</p></li><li><p>

841

839

Restore the <tt class="filename">group_mapping.tdb</tt> file.

842

</p></li></ol></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518372"></a><a name="id2518375"></a><b></b></td><td align="left" valign="top"><p>

840

</p></li></ol></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538399"></a><a name="id2538401"></a><b>8.</b></td><td align="left" valign="top"><p>

843

841

When I run <span><b class="command">net groupmap list</b></span>, it reports a group called <span class="guimenu">Administrators</span>

844

842

as well as <span class="guimenu">Domain Admins</span>. What is the difference between them?

845

843

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

847

845

present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain

848

846

Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This

849

847

may change at some later date. These accounts are provided only so that security objects are correctly shown.

850

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518421"></a><a name="id2518423"></a><b></b></td><td align="left" valign="top"><p>

848

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538447"></a><a name="id2538449"></a><b>9.</b></td><td align="left" valign="top"><p>

851

849

What is the effect of changing the name of a Samba server, or of changing the Domain name?

852

850

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

853

851

In the event that you elect to change the name of the Samba server, on restarting <span><b class="command">smbd</b></span>,

859

857

SID before the change is made. You can back up the SID from use of the <span><b class="command">net getlocalsid</b></span> (Samba-3),

860

858

or by way of the <span><b class="command">smbpasswd</b></span> (Samba-2.2.x). To change the SID, you use the same tool. Be sure

861

859

to check the man page for this command for detailed instructions regarding the steps involved.

862

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2518473"></a><a name="id2518475"></a><b></b></td><td align="left" valign="top"><p>

860

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2538499"></a><a name="id2538501"></a><b>10.</b></td><td align="left" valign="top"><p>

863

861

How can I manage user accounts from my Windows XP Professional workstation?

864

862

</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>

865

863

Samba-3 implements a Windows NT4 style security domain architecture. This type of Domain cannot

Older »