that can be supported is limited by the CPU speed, memory and the workload on
the Samba server as well as network bandwidth utilization.
</p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
<a class="indexterm" name="id2576835"></a>
Slow logons and log-offs may be caused by many factors that include:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<a class="indexterm" name="id2576848"></a>
<a class="indexterm" name="id2576860"></a>
Excessive delays in the resolution of a NetBIOS name to its IP
address. This may be observed when an overloaded domain controller
is also the WINS server. Another cause may be the failure to use
a WINS server (this assumes that there is a single network segment).
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2576879"></a>
<a class="indexterm" name="id2576886"></a>
<a class="indexterm" name="id2576892"></a>
Network traffic collisions due to overloading of the network
segment. One short-term workaround to this may be to replace
network HUBs with Ethernet switches.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2576907"></a>
Defective networking hardware. Over the past few years, we have seen
on the Samba mailing list a significant increase in the number of
problems that were traced to a defective network interface controller,
a defective HUB or Ethernet switch, or defective cabling. In most cases,
it was the erratic nature of the problem that ultimately pointed to
its cause.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2576927"></a>
<a class="indexterm" name="id2576936"></a>
Excessively large roaming profiles. This type of problem is typically
the result of poor user education as well as poor network management.
It can be avoided by users not storing huge quantities of email in
MS Outlook PST files as well as by not storing files on the desktop.
These are old bad habits that require much discipline and vigilance
on the part of network management.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2576957"></a>
You should verify that the Windows XP WebClient service is not running.
The use of the WebClient service has been implicated in many Windows
networking-related problems.
</p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
Loss of access to network resources during client operation may be caused by a number
of factors, including:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<a class="indexterm" name="id2576989"></a>
Network overload (typically indicated by a high network collision rate)
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2577009"></a>
Timeout causing the client to close a connection that is in use but has
been latent (no traffic) for some time (5 minutes or more)
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2577025"></a>
Defective networking hardware
</p></li></ul></div><p>
<a class="indexterm" name="id2577039"></a>
No matter what the cause, a sudden loss of access to network resources can
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
workstation. In the case of a mild problem, retrying to access the network drive or the printer
may restore operations, but in any case this is a serious problem that may lead to the next
problem, data corruption.
</p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>
<a class="indexterm" name="id2577073"></a>
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
frustration, and generally precipitates immediate corrective demands. Management response
to this type of problem may be rational, as well as highly irrational. There have been
anticipate and combat network performance issues. You can work through complex and thorny
methods to improve the reliability of your network environment, but be warned that all such steps
demand the price of complexity.
</p><div class="sect1" title="Regarding LDAP Directories and Windows Computer Accounts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577106"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
<a class="indexterm" name="id2577115"></a>
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
constraints that are described in this section.
<a class="indexterm" name="id2577130"></a>
<a class="indexterm" name="id2577136"></a>
<a class="indexterm" name="id2577143"></a>
<a class="indexterm" name="id2577150"></a>
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinguishable from each other, except that
the machine account ends in a $ character, as do trust accounts.
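The constraints just described (a machine account carries both a POSIX and a sambaSamAccount half, its name ends in $, and it must map to a valid UNIX UID) can be checked before an entry is loaded into the directory. The following is an added example, not code from the Samba book or the Samba project: it builds a workstation trust account entry and validates it. The domain SID, the naming context ou=Computers,dc=example,dc=com and the UID/GID numbers are constructed placeholders; the attribute names follow the posixAccount and sambaSamAccount schemas; the RID derivation (2 * uid + 1000) is Samba-3's default algorithmic mapping and is an assumption of this example, as is the W (workstation) account flag layout. With an LDAP-based idmap the sambaSID is simply whatever the directory stores.

```python
"""Build and validate a Samba-3 style machine (workstation trust) account entry.

Added example; not part of the Samba book. All identifiers below are
constructed placeholders unless noted.
"""

# Constructed domain SID and naming context (placeholders, not from the page).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
COMPUTERS_OU = "ou=Computers,dc=example,dc=com"

# Samba's default algorithmic RID mapping for user-type accounts
# (assumption of this example: rid = 2 * uid + algorithmic rid base).
ALGORITHMIC_RID_BASE = 1000


def uid_to_rid(uid_number):
    """Derive the RID Samba would compute for a UNIX UID under the default mapping."""
    return 2 * uid_number + ALGORITHMIC_RID_BASE


def machine_account_entry(hostname, uid_number, gid_number):
    """Return the attributes of a workstation trust account as Samba-3 expects them."""
    name = hostname.lower().rstrip("$") + "$"  # machine and trust accounts end in '$'
    return {
        "dn": f"uid={name},{COMPUTERS_OU}",
        "objectClass": ["top", "account", "posixAccount", "sambaSamAccount"],
        "uid": name,
        "cn": name,
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "homeDirectory": "/dev/null",  # a machine account never logs in to UNIX
        "loginShell": "/bin/false",
        "sambaSID": f"{DOMAIN_SID}-{uid_to_rid(uid_number)}",
        "sambaAcctFlags": "[W          ]",  # W = workstation trust account (assumed layout)
    }


def validate_machine_account(entry):
    """Check the constraints the text states; return a list of problems (empty if OK)."""
    problems = []
    if not entry.get("uid", "").endswith("$"):
        problems.append("uid must end in '$'")
    classes = set(entry.get("objectClass", []))
    for required in ("posixAccount", "sambaSamAccount"):
        if required not in classes:
            problems.append(f"missing objectClass {required}")
    try:
        uid_number = int(entry.get("uidNumber", ""))
    except ValueError:
        uid_number = -1
    if uid_number <= 0:
        problems.append("uidNumber must be a valid non-root UID")
    if not entry.get("sambaSID", "").startswith(DOMAIN_SID + "-"):
        problems.append("sambaSID is not in the local domain")
    return problems


def to_ldif(entry):
    """Serialise the entry as LDIF text (multi-valued attributes become repeated lines)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for single in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {single}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = machine_account_entry("WKSTN01", 1020, 515)  # constructed UID/GID
    print(to_ldif(entry))
    print("problems:", validate_machine_account(entry))
```

The validator deliberately rejects uidNumber 0: a machine account that resolves to root would let the domain-join path act with full privileges on the Samba host, which is exactly the situation the later section on pre-3.0.11 domain-join behaviour warns about.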
<a class="indexterm" name="id2577167"></a>
<a class="indexterm" name="id2577173"></a>
The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
<a class="indexterm" name="id2577188"></a>
<a class="indexterm" name="id2577195"></a>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The name service
switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
Samba asks the host OS to provide a UID via the <span class="quote">“<span class="quote">passwd</span>”</span>, <span class="quote">“<span class="quote">shadow</span>”</span>
and <span class="quote">“<span class="quote">group</span>”</span> facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd together with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
<a class="indexterm" name="id2577232"></a>
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
is fundamentally an LDAP design question. The information provided on the Samba list and
in the documentation is directed at providing working examples only. The design
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
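Whether nss_ldap or winbindd is chosen, the text above makes one thing checkable: the passwd, shadow and group databases in the NSS configuration file must actually be served by the directory, or Samba cannot map a SID to a UID. The following is an added example, not code from the Samba book or from PADL: it parses nsswitch.conf-style text and reports which of the three databases lack an ldap or winbind source. The sample configuration embedded in it is constructed. It also flags the case where a directory source is listed before files, which is the usual cause of a host becoming unusable (root included) while the LDAP server is down.

```python
"""Check that the NSS databases Samba relies on are backed by a directory source.

Added example; not from the Samba book. The sample nsswitch.conf text is constructed.
"""
import re

# Constructed sample nsswitch.conf contents (not from the page).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns [NOTFOUND=return] wins
networks:   files
"""

# The databases the text says Samba asks the host OS to consult.
SAMBA_DATABASES = ("passwd", "shadow", "group")

# Sources that can serve directory-backed accounts (PADL nss_ldap or winbindd).
DIRECTORY_SOURCES = ("ldap", "winbind")

# Bracketed action specifiers such as [NOTFOUND=return] are not sources.
ACTION_RE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources.

    Comments, blank lines and action specifiers are ignored.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = ACTION_RE.sub(" ", sources).split()
    return databases


def missing_directory_sources(text):
    """Return the Samba-relevant databases that have no ldap/winbind source."""
    parsed = parse_nsswitch(text)
    return [
        db for db in SAMBA_DATABASES
        if not any(src in DIRECTORY_SOURCES for src in parsed.get(db, []))
    ]


def directory_before_files(text):
    """Return databases where a directory source is consulted before 'files'.

    With ldap first, every lookup of a local account (root included) waits on
    the directory server; 'files' should normally come first.
    """
    parsed = parse_nsswitch(text)
    flagged = []
    for db in SAMBA_DATABASES:
        sources = parsed.get(db, [])
        if "files" not in sources:
            continue
        dir_positions = [i for i, src in enumerate(sources) if src in DIRECTORY_SOURCES]
        if dir_positions and dir_positions[0] < sources.index("files"):
            flagged.append(db)
    return flagged


if __name__ == "__main__":
    print("databases without a directory source:", missing_directory_sources(SAMPLE_NSSWITCH))
    print("directory listed before files:", directory_before_files(SAMPLE_NSSWITCH))
```

Run against a real /etc/nsswitch.conf by reading the file into a string; an empty result from both functions is what you want to see before trusting getent passwd to resolve machine accounts ending in $.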
</p></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577248"></a>Introduction</h2></div></div></div><p>
You just opened an email from Christine that reads:
boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
for approval; I appreciate the urgency.
</p></td><td width="10%" valign="top">&nbsp;</td></tr><tr><td width="10%" valign="top">&nbsp;</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2577346"></a>Assignment Tasks</h3></div></div></div><p>
The priority of assigned tasks in this chapter is:
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
<a class="indexterm" name="id2577366"></a>
<a class="indexterm" name="id2577375"></a>
<a class="indexterm" name="id2577382"></a>
<a class="indexterm" name="id2577389"></a><a class="indexterm" name="id2577394"></a>
Implement Backup Domain Controllers (BDCs) in each building. This involves
a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
chapter to an LDAP-based backend.
You can implement a single central LDAP server for this purpose.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2577417"></a>
<a class="indexterm" name="id2577424"></a>
<a class="indexterm" name="id2577430"></a>
<a class="indexterm" name="id2577437"></a>
Rectify the problem of excessive logon times. This involves redirection of
folders to network shares as well as modification of all user desktops to
exclude the redirected folders from being loaded at login time. You can also
create a new default profile that can be used for all new users.
</p></li></ol></div><p>
<a class="indexterm" name="id2577456"></a>
You configure a new MS Windows XP Professional workstation disk image that you roll out
to all desktop users. The instructions you have created are followed on a staging machine
from which all changes can be carefully tested before inflicting them on your network users.
<a class="indexterm" name="id2577471"></a>
This is the last network example in which specific mention of printing is made. The example
again makes use of the CUPS printing system.
</p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577483"></a>Dissection and Discussion</h2></div></div></div><p>
<a class="indexterm" name="id2577491"></a>
<a class="indexterm" name="id2577498"></a>
<a class="indexterm" name="id2577505"></a>
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
LDAP servers in current use with Samba-3 include:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
<a class="indexterm" name="id2577522"></a>
Novell <a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>
is being successfully used by some sites. Information on how to use eDirectory can be
obtained from the Samba mailing lists or from Novell.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2577542"></a>
IBM <a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli
Directory Server</a> can be used to provide the Samba LDAP backend. Example schema
files are provided in the Samba source code tarball under the directory
<code class="filename">~samba/example/LDAP</code>.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2577570"></a>
Sun <a class="ulink" href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity
Server product suite</a> provides an LDAP server that can be used for Samba.
Example schema files are provided in the Samba source code tarball under the directory
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
<a class="indexterm" name="id2577607"></a>
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
<a class="indexterm" name="id2577624"></a>
<a class="indexterm" name="id2577631"></a>
<a class="indexterm" name="id2577638"></a>
<a class="indexterm" name="id2577647"></a>
<a class="indexterm" name="id2577657"></a>
<a class="indexterm" name="id2577663"></a>
<a class="indexterm" name="id2577673"></a>
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
High availability operation may be obtained through directory replication/synchronization and
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
user desktops, and this must be done in a way that wins their support and does not cause further loss of
staff morale. The following procedures solve this problem.
<a class="indexterm" name="id2577921"></a>
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
so that future printer changes can be managed without the need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
you can extrapolate the principles and use them to install all printers that may be needed.
</p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2577941"></a>Technical Issues</h3></div></div></div><p>
<a class="indexterm" name="id2577949"></a>
<a class="indexterm" name="id2577958"></a>
<a class="indexterm" name="id2577967"></a>
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
accounts are stored using POSIX schema extensions. Samba provides its own schema to permit storage of the account
attributes Samba needs. Samba-3 can use the LDAP backend to store:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Windows Networking User Accounts</p></li><li class="listitem"><p>Windows NT Group Accounts</p></li><li class="listitem"><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li class="listitem"><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
<a class="indexterm" name="id2578008"></a>
<a class="indexterm" name="id2578015"></a>
<a class="indexterm" name="id2578022"></a>
<a class="indexterm" name="id2578028"></a>
<a class="indexterm" name="id2578035"></a>
<a class="indexterm" name="id2578042"></a>
<a class="indexterm" name="id2578051"></a>
<a class="indexterm" name="id2578058"></a>
<a class="indexterm" name="id2578064"></a>
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
accounts in the LDAP backend. This implies the need to use the
<a class="ulink" href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution
that integrates with the NSS. The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in <a class="link" href="happy.html#sbehap-LDAPdiag" title="Figure&nbsp;5.1.&nbsp;The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">“The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”</a>.
</p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure&nbsp;5.1.&nbsp;The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p>
<a class="indexterm" name="id2578150"></a>
<a class="indexterm" name="id2578157"></a>
You configure OpenLDAP so that it is operational. Before deploying OpenLDAP, you really
ought to learn how to configure secure communications over LDAP so that site security is not
at risk. This is not covered in the following guidance.
<a class="indexterm" name="id2578173"></a>
<a class="indexterm" name="id2578180"></a>
<a class="indexterm" name="id2578189"></a>
<a class="indexterm" name="id2578196"></a>
When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.
You initialize the Samba <code class="filename">secrets.tdb</code> file. Then you
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools
that help to manage user and group configuration.
<a class="indexterm" name="id2578230"></a>
<a class="indexterm" name="id2578237"></a>
<a class="indexterm" name="id2578244"></a>
In order to effect folder redirection and to add robustness to the implementation,
create a network default profile. All network users' workstations are configured to use
the new profile. Roaming profiles will automatically be deleted from the workstation
when the user logs off.
<a class="indexterm" name="id2578263"></a>
The profile is configured so that users cannot change the appearance
of their desktop. This is known as a mandatory profile. You make certain that users
are able to use their computers efficiently.
<a class="indexterm" name="id2578277"></a>
A network logon script is used to deliver flexible but consistent network drive
</p><div class="sect3" title="Addition of Machines to the Domain"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
<a class="indexterm" name="id2578299"></a>
<a class="indexterm" name="id2578304"></a>
<a class="indexterm" name="id2578309"></a>
<a class="indexterm" name="id2578315"></a>
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
user to not place large files on the desktop and to use his or her mapped home directory
instead of the <code class="filename">My Documents</code> folder for saving documents.
<a class="indexterm" name="id2578565"></a>
Using a folder other than <code class="filename">My Documents</code> is a nuisance for
some users, since many applications use it by default.
<a class="indexterm" name="id2578583"></a>
<a class="indexterm" name="id2578590"></a>
<a class="indexterm" name="id2578597"></a>
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
being copied back and forth, without losing any functionality. This is not difficult;
it can be done by making changes to the Local Group Policy on each client as well
as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.
<a class="indexterm" name="id2578618"></a>
<a class="indexterm" name="id2578625"></a>
Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means
you need to edit every user's profile, unless a better method can be
followed. Fortunately, with the right preparations, this is not difficult.
<span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>.
By default this setting contains
<span class="quote">“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”</span>.
Simply add the folders you do not wish to be copied back and forth to this
semicolon-separated list. Note that this change must be made on all clients
that are using roaming profiles.
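Because the setting is a single semicolon-separated string that has to be edited identically on every client, it is easy to end up with duplicated entries, stray whitespace, or a folder listed under two spellings. The following is an added example, not code from the Samba book: it merges extra folders into the list idempotently (Windows folder names are case-insensitive, so the comparison is too) and checks whether a given profile-relative path would still be copied at logon. The default value is the one the text quotes; the redirected folders it merges in are constructed for the example.

```python
"""Merge folders into a Windows ExcludeProfileDirs-style list and test exclusions.

Added example; not part of the Samba book. REDIRECTED_FOLDERS is constructed.
"""

# Default value of the setting as the text quotes it.
DEFAULT_EXCLUDES = "Local Settings; Temporary Internet Files; History; Temp"

# Constructed example: folders already redirected to a network share, which
# therefore no longer need to travel with the roaming profile.
REDIRECTED_FOLDERS = ["My Documents", "Desktop", "Application Data\\Microsoft\\Outlook\\"]


def parse_exclude_list(value):
    """Split the semicolon-separated value into clean, profile-relative entries."""
    entries = []
    for item in value.split(";"):
        item = item.strip().strip("\\")  # tolerate stray spaces and trailing backslashes
        if item:
            entries.append(item)
    return entries


def merge_exclude_dirs(current, extra):
    """Append each folder in `extra` once; matching is case-insensitive like NTFS names."""
    merged = parse_exclude_list(current)
    seen = {entry.lower() for entry in merged}
    for folder in extra:
        for entry in parse_exclude_list(folder):
            if entry.lower() not in seen:
                merged.append(entry)
                seen.add(entry.lower())
    return "; ".join(merged)


def is_excluded(folder, exclude_value):
    """True if `folder` (profile-relative) or one of its parents is in the list."""
    target = folder.strip("\\").lower()
    for entry in parse_exclude_list(exclude_value):
        prefix = entry.lower()
        if target == prefix or target.startswith(prefix + "\\"):
            return True
    return False


if __name__ == "__main__":
    new_value = merge_exclude_dirs(DEFAULT_EXCLUDES, REDIRECTED_FOLDERS)
    print(new_value)
    for probe in ("Local Settings\\Temp", "Application Data\\Microsoft\\Word"):
        state = "excluded" if is_excluded(probe, new_value) else "still copied"
        print(f"{probe}: {state}")
```

Running merge_exclude_dirs a second time over its own output returns the same string, which is the property you want when the same change is pushed to every client repeatedly.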
</p></div><div class="sect3" title="Profile Changes"><div class="titlepage"><div><div><h4 class="title"><a name="id2578753"></a>Profile Changes</h4></div></div></div><p>
<a class="indexterm" name="id2578761"></a>
<a class="indexterm" name="id2578768"></a>
There are two changes that should be made to each user's profile. Move each of
the directories that you have excluded from being copied back and forth out of
the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file
to point to the new paths that are shared over the network instead of to the default
path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).
<a class="indexterm" name="id2578795"></a>
<a class="indexterm" name="id2578802"></a>
The above modifies existing user profiles. So that newly created profiles have
these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in
the <code class="filename">C:\Documents and Settings\Default User</code> folder on each
client machine, changing the same registry keys. You could do this by copying
<code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>.
The basic method is described under <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>.
</p></div><div class="sect3" title="Using a Network Default User Profile"><div class="titlepage"><div><div><h4 class="title"><a name="id2578847"></a>Using a Network Default User Profile</h4></div></div></div><p>
<a class="indexterm" name="id2578855"></a>
<a class="indexterm" name="id2578862"></a>
If you are using Samba as your PDC, you should create a file share called
<code class="constant">NETLOGON</code> and within that create a directory called
<code class="filename">Default User</code>, which is a copy of the desired default user
the first login from a new account pulls its configuration from it.
See also <a class="ulink" href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
the Real Men Don't Click</a> Web site.
523
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572847"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524
<a class="indexterm" name="id2572855"></a>
525
<a class="indexterm" name="id2572865"></a>
526
<a class="indexterm" name="id2572872"></a>
523
</p></div><div class="sect3" title="Installation of Printer Driver Auto-Download"><div class="titlepage"><div><div><h4 class="title"><a name="id2578906"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524
<a class="indexterm" name="id2578914"></a>
525
<a class="indexterm" name="id2578923"></a>
526
<a class="indexterm" name="id2578930"></a>
527
527
The subject of printing is quite topical. Printing problems run second place to name
528
528
resolution issues today. So far in this book, you have experienced only what is generally
529
known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers
529
known as <span class="quote">“<span class="quote">dumb</span>”</span> printing. Dumb printing is the arrangement by which all drivers
530
530
are manually installed on each client and the printing subsystems perform no filtering
531
531
or intelligent processing. Dumb printing is easily understood. It usually works without
532
532
many problems, but it has its limitations also. Dumb printing is better known as
533
533
<code class="literal">Raw-Print-Through</code> printing.
535
<a class="indexterm" name="id2572900"></a>
536
<a class="indexterm" name="id2572910"></a>
535
<a class="indexterm" name="id2578959"></a>
536
<a class="indexterm" name="id2578968"></a>
537
537
Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft
Windows point-and-click (also called drag-and-drop) printing. What this provides is
essentially the ability to print to any printer. If the local client does not yet have a
frequently review the steps ahead while making at least a mental note of what has already
been completed. The following task list may help you to keep track of the task items
that are covered:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>OpenLDAP server</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Samba-3 PDC</p></li><li class="listitem"><p>Idealx smbldap scripts</p></li><li class="listitem"><p>LDAP initialization</p></li><li class="listitem"><p>Create user and group accounts</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profile directories</p></li><li class="listitem"><p>Logon scripts</p></li><li class="listitem"><p>Configuration of user rights and privileges</p></li></ol></div></li><li class="listitem"><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profiles directories</p></li></ol></div></li><li class="listitem"><p>Windows XP Client Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Default profile folder redirection</p></li><li class="listitem"><p>MS Outlook PST file relocation</p></li><li class="listitem"><p>Delete roaming profile on logout</p></li><li class="listitem"><p>Upload printer drivers to Samba servers</p></li><li class="listitem"><p>Install software</p></li><li class="listitem"><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" title="Samba Server Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580015"></a>Samba Server Implementation</h2></div></div></div><p>
<a class="indexterm" name="id2580023"></a>
<a class="indexterm" name="id2580030"></a>
The network design shown in <a class="link" href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">“Network Topology 500 User Network Using ldapsam passdb backend”</a> is not comprehensive. It is assumed
that you will install additional file servers and possibly additional BDCs.
</p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p>
<a class="indexterm" name="id2580092"></a>
<a class="indexterm" name="id2580099"></a>
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
adjust the locations for your particular Linux system distribution/implementation.
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
please verify that the versions you are about to use are matching. The smbldap-tools package
have completed the network implementation shown in that chapter. If you are starting
with newly installed Linux servers, you must complete the steps shown in
<a class="link" href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">“Installation of DHCP, DNS, and Samba Control Files”</a> before commencing at <a class="link" href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">“OpenLDAP Server Configuration”</a>.
</p><div class="sect2" title="OpenLDAP Server Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
<a class="indexterm" name="id2580181"></a>
<a class="indexterm" name="id2580187"></a>
<a class="indexterm" name="id2580194"></a>
Confirm that the packages shown in <a class="link" href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">“Required OpenLDAP Linux Packages”</a> are installed on your system.
</p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left">&nbsp;</td></tr></tbody></table></div></div><br class="table-break"><p>
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
follow these guidelines, the resulting system should work fine.
</p><div class="procedure" title="Procedure 5.2. OpenLDAP Server Configuration Steps"><a name="id2580326"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
<a class="indexterm" name="id2580338"></a>
Install the file shown in <a class="link" href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">“LDAP Master Configuration File /etc/openldap/slapd.conf Part A”</a> in the directory
<code class="filename">/etc/openldap</code>.
</p></li><li class="step" title="Step 2"><p>
<a class="indexterm" name="id2580366"></a>
<a class="indexterm" name="id2580373"></a>
<a class="indexterm" name="id2580380"></a>
Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that
the directory exists with permissions:
</p><pre class="screen">
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</pre></div></div><br class="example-break"></div><div class="sect2" title="PAM and NSS Client Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
<a class="indexterm" name="id2580627"></a>
<a class="indexterm" name="id2580634"></a>
<a class="indexterm" name="id2580640"></a>
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
</p><p>
<a class="indexterm" name="id2580655"></a>
<a class="indexterm" name="id2580664"></a>
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the
PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code>
module also has the ability to redirect authentication requests through LDAP.
</p><p>
<a class="indexterm" name="id2580693"></a>
<a class="indexterm" name="id2580699"></a>
<a class="indexterm" name="id2580706"></a>
<a class="indexterm" name="id2580713"></a>
You have chosen to configure these services by directly editing the system files, but of course, you
know that this configuration can be done using system tools provided by the Linux system vendor.
SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code>
</p><div class="procedure" title="Procedure 5.3. PAM and NSS Client Configuration Steps"><a name="id2580753"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
base dc=abmas,dc=biz
nss_base_group ou=Groups,dc=abmas,dc=biz?one
</pre></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
<a class="indexterm" name="id2580764"></a>
<a class="indexterm" name="id2580772"></a>
<a class="indexterm" name="id2580778"></a>
Execute the following command to find where the <code class="filename">nss_ldap</code> module
expects to find its control file:
</p><pre class="screen">
<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf
</pre><p>
The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.
</p></li><li class="step" title="Step 2"><p>
On the server <code class="constant">MASSIVE</code>, install the file shown in
<a class="link" href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in
<a class="link" href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">“Configuration File for NSS LDAP Clients Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
</p></li><li class="step" title="Step 3"><p>
<a class="indexterm" name="id2580912"></a>
Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that
control user and group resolution will obtain information from the normal system files as
well as from <code class="literal">ldap</code>:
demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either
implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports
LDAP, you probably want to use it rather than add an additional module.
</p></li></ol></div></div><div class="sect2" title="Samba-3 PDC Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
<a class="indexterm" name="id2581150"></a>
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
choice to either build your own or obtain the packages from a dependable source.
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
is included with this book.
</p><div class="procedure" title="Procedure 5.4. Configuration of PDC Called MASSIVE"><a name="id2581166"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Install the files in <a class="link" href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”</a>,
<a class="link" href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”</a>, <a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>,
and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> into the <code class="filename">/etc/samba/</code>
expects the POSIX account to be in LDAP also. It is possible to use the PADL account
migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>
files, or from NIS, to LDAP.
</p></li><li class="listitem"><p>
If you decide that it is probably a good idea to add both the PosixAccount attributes
as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
In the example system you are installing in this exercise, you are making use of the
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>
</p></li></ul></div><p>
<a class="indexterm" name="id2583040"></a>
If you wish to have more control over how the LDAP database is initialized or
if you don't want to use the Idealx smbldap-tools, you should refer to
<a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">“Alternative LDAP Database Initialization”</a>.
</p><p>
<a class="indexterm" name="id2583067"></a>
The following steps initialize the LDAP database, and then you can add user and group
accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> script to
seed the LDAP database. You then manually add the accounts shown in <a class="link" href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">“Abmas Network Users and Groups”</a>.
The list of users does not cover all 500 network users; it provides examples only.
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2583097"></a>
<a class="indexterm" name="id2583106"></a>
<a class="indexterm" name="id2583115"></a>
In the following examples, as the LDAP database is initialized, we do create a container
for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made
of the People container, not the Computers container, for domain member accounts. This is not a
Well done. All is working fine.
</p></li></ol></div><p>
The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.
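Step 2 of the PDC configuration verifies the installed <code class="filename">smb.conf</code>, and the BDC procedures later in this chapter repeat that step. Samba's own <code class="literal">testparm</code> checks the syntax; the script below is an added example, not from the book and not a Samba tool, that reads the <code class="literal">[global]</code> section with awk and reports the LDAP-related values a reviewer wants confirmed before a domain controller goes into service: a plain <code class="literal">ldap://</code> passdb backend with no explicit <code class="literal">ldap ssl</code> setting, a missing <code class="literal">ldap admin dn</code>, malformed idmap ranges, and the <code class="literal">printer admin</code> list. The <code class="filename">smb.conf</code> it writes for a dry run is constructed here and modelled on the BLDG1 global parameters shown in this chapter; the <code class="literal">[print$]</code> share in it is assumed.

```shell
#!/bin/sh
# Added example (not from the book, not a Samba tool): review the LDAP-related
# [global] parameters of an smb.conf before a PDC or BDC goes into service.
# Assumes the "name = value" layout used by the chapter's smb.conf examples.

# Print the value of one [global] parameter (first match; the name is matched
# case- and whitespace-insensitively, as Samba does). Prints nothing if unset.
smbconf_get() {  # $1 = smb.conf path, $2 = parameter name
    awk -v key="$2" '
        BEGIN { k = tolower(key); gsub(/[[:space:]]/, "", k) }
        /^[[:space:]]*[;#]/ { next }                       # comment line
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", name)
            if (tolower(name) == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val)
                sub(/[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# An idmap range must read "low-high" with low < high.
idmap_range_ok() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    [ "${1%-*}" -lt "${1#*-}" ]
}

# Report the LDAP-related findings, one per line; the return value is the
# number of WARN/REVIEW lines (INFO lines are not counted).
review_ldap_settings() {  # $1 = smb.conf path
    f="$1"
    findings=0
    backend=$(smbconf_get "$f" "passdb backend")
    ssl=$(smbconf_get "$f" "ldap ssl" | tr 'A-Z' 'a-z')
    case "$backend" in
        '')
            echo "WARN: passdb backend is not set"
            findings=$((findings + 1)) ;;
        ldapsam:ldap://*)
            # The ldap admin dn bind and every passdb lookup use this connection.
            if [ -z "$ssl" ]; then
                echo "REVIEW: passdb backend uses ldap:// and 'ldap ssl' is not set explicitly; confirm StartTLS is negotiated or the LDAP traffic stays on a trusted segment"
                findings=$((findings + 1))
            elif [ "$ssl" = "off" ]; then
                echo "WARN: ldap ssl = off with an ldap:// backend; the directory bind crosses the network in clear"
                findings=$((findings + 1))
            fi ;;
    esac
    case "$backend" in
        ldapsam*)
            if [ -z "$(smbconf_get "$f" "ldap admin dn")" ]; then
                echo "WARN: ldap admin dn is not set; Samba has no identity to bind to the directory with"
                findings=$((findings + 1))
            fi ;;
    esac
    for p in "idmap uid" "idmap gid"; do
        r=$(smbconf_get "$f" "$p")
        if ! idmap_range_ok "$r"; then
            echo "WARN: $p = '$r' is not a valid low-high range"
            findings=$((findings + 1))
        fi
    done
    padmin=$(smbconf_get "$f" "printer admin")
    if [ -n "$padmin" ]; then
        echo "INFO: printer admin = $padmin may upload drivers into the [print\$] share; keep this list short"
    fi
    return "$findings"
}

# Constructed sample for a dry run, modelled on the BLDG1 [global] section in
# this chapter; the [print$] share is assumed and only there to show that
# parameters outside [global] are ignored.
write_sample_smbconf() {  # $1 = destination path
    cat > "$1" <<'EOF'
# Global parameters
[global]
        workgroup = MEGANET2
        netbios name = BLDG1
        passdb backend = ldapsam:ldap://massive.abmas.biz
        enable privileges = Yes
        smb ports = 139
        domain logons = Yes
        domain master = No
        wins server = 172.16.0.1
        ldap suffix = dc=abmas,dc=biz
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap admin dn = cn=Manager,dc=abmas,dc=biz
        idmap backend = ldap:ldap://massive.abmas.biz
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        printer admin = root, chrisr

[print$]
        path = /var/lib/samba/drivers
EOF
}

# Usage: sh smbconf-review.sh /etc/samba/smb.conf   (exit status = warning count)
if [ "$#" -eq 1 ]; then
    review_ldap_settings "$1"
fi
```

Run against the real file with <code class="literal">sh smbconf-review.sh /etc/samba/smb.conf</code>; because the exit status is the number of warnings, the script can gate a deployment run. Against the constructed sample it reports exactly one item, the <code class="literal">ldap://</code> backend with no explicit <code class="literal">ldap ssl</code> value, which matches the BLDG1 example as printed.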
</p></div><div class="sect2" title="Printer Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
<a class="indexterm" name="id2584459"></a>
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>
printing to be possible involves creation of the directories in which Samba-3 stores
Windows printing driver files.
</p><div class="procedure" title="Procedure 5.9. Printer Configuration Steps"><a name="id2584481"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Configure all network-attached printers to have a fixed IP address.
</p></li><li class="step" title="Step 2"><p>
Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
and in the reverse lookup database for the network segment that the printer is to
be located in. Example configuration files for similar zones were presented in <a class="link" href="secure.html" title="Chapter 3. Secure Office Networking">“Secure Office Networking”</a>,
<a class="link" href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a> and in <a class="link" href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a>.
</p></li><li class="step" title="Step 3"><p>
Follow the instructions in the printer manufacturers' manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
<a class="indexterm" name="id2584542"></a>
<a class="indexterm" name="id2584549"></a>
</p></li><li class="step" title="Step 4"><p>
<a class="indexterm" name="id2584563"></a>
<a class="indexterm" name="id2584569"></a>
Only on the server to which the printer is attached, configure the CUPS Print
Queues as follows:
</p><pre class="screen">
<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>
-v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
</pre><p>
<a class="indexterm" name="id2584605"></a>
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
the particular printer.
</p></li><li class="step" title="Step 5"><p>
Print queues may not be enabled at creation. Make certain that the queues
you have just created are enabled by executing the following:
</p><pre class="screen">
<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
</pre><p>
</p></li><li class="step" title="Step 6"><p>
Even though your print queue may be enabled, it is still possible that it
may not accept print jobs. A print queue will service incoming printing
requests only when configured to do so. Ensure that your print queue is
<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers
<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
</pre><p>
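The queue creation, enabling and accepting of steps 4 to 6, together with the driver directory preparation that closes the procedure, can be put into one re-runnable script. The following is an added example and not part of the book: it assumes CUPS is installed on the print server with <code class="literal">lpadmin</code>, <code class="literal">cupsenable</code> and <code class="literal">cupsaccept</code> on the PATH (the latter two are the current names of the <code class="literal">enable</code> and <code class="literal">accept</code> commands), that printers resolve as <code class="literal">printer-name.abmas.biz</code>, and that the driver root is <code class="filename">/var/lib/samba/drivers</code> as in the text; the set of architecture subdirectories it creates is an assumption, so use whichever set your driver upload procedure needs. Queue and printer names are validated before they reach a root shell command, and a check function verifies the ownership and mode the text sets so the step can be audited later.

```shell
#!/bin/sh
# Added example (not from the book): steps 4 to 6 of the printer configuration
# and the driver directory preparation as one re-runnable script.
# Assumptions: CUPS is installed on the print server with lpadmin, cupsenable
# and cupsaccept on PATH (the current names of the enable and accept commands);
# printers resolve as <printer-name>.abmas.biz; the driver root defaults to
# /var/lib/samba/drivers as in the text. The architecture subdirectory names
# are an assumed set; use whichever set your driver upload procedure needs.

DRIVERS_ROOT="${DRIVERS_ROOT:-/var/lib/samba/drivers}"
DRIVER_ARCHS="W32X86 WIN40 x64"

# Set DRY_RUN=1 to print the privileged commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# CUPS queue names: letters, digits, underscore and hyphen only; anything else
# is rejected before it reaches a root shell command.
valid_queue_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Step 4: a raw socket queue with no filter; step 5: enable it;
# step 6: let it accept jobs.
create_raw_queue() {  # $1 = queue name, $2 = printer host name (without domain)
    valid_queue_name "$1" || { echo "invalid queue name: $1" >&2; return 1; }
    valid_queue_name "$2" || { echo "invalid printer name: $2" >&2; return 1; }
    run lpadmin -p "$1" -v "socket://$2.abmas.biz:9100" -E || return 1
    run cupsenable "$1" && run cupsaccept "$1"
}

# Driver tree with the ownership and mode the text sets: root:root, owner and
# group (the printer admins) rwx so drivers can be uploaded, everyone else rx.
setup_driver_dirs() {  # $1 = driver root (defaults to DRIVERS_ROOT)
    root="${1:-$DRIVERS_ROOT}"
    for arch in $DRIVER_ARCHS; do
        mkdir -p "$root/$arch" || return 1
    done
    if [ "$(id -u)" -eq 0 ]; then chown -R root:root "$root" || return 1; fi
    chmod -R ug=rwx,o=rx "$root"
}

# Verify the tree: each architecture directory exists and carries at least
# u=rwx,g=rwx,o=rx; lists what is wrong and returns 1 if anything is.
check_driver_dirs() {
    root="${1:-$DRIVERS_ROOT}"
    bad=0
    for arch in $DRIVER_ARCHS; do
        if [ -z "$(find "$root/$arch" -maxdepth 0 -type d -perm -775 2>/dev/null)" ]; then
            echo "missing or wrong mode: $root/$arch"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (as root on the print server): sh printer-setup.sh <queue> <printer-host>
if [ "$#" -eq 2 ]; then
    create_raw_queue "$1" "$2" && setup_driver_dirs && check_driver_dirs
fi
```

With <code class="literal">DRY_RUN=1</code> the script only prints the <code class="literal">lpadmin</code>, <code class="literal">cupsenable</code> and <code class="literal">cupsaccept</code> lines it would run, which is a convenient way to review them before touching a production spooler; <code class="literal">check_driver_dirs</code> can be re-run at any time to confirm nobody has loosened the mode on the driver tree.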
</p></li></ol></div></div></div><div class="sect1" title="Samba-3 BDC Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure" title="Procedure 5.10. Configuration of BDC Called: BLDG1"><a name="id2584812"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Install the files in <a class="link" href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">“LDAP Based smb.conf File, Server: BLDG1”</a>,
<a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
into the <code class="filename">/etc/samba/</code> directory. The three files
should be added together to form the <code class="filename">smb.conf</code> file.
</p></li><li class="step" title="Step 2"><p>
Verify the <code class="filename">smb.conf</code> file as in step 2 of <a class="link" href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">“Samba-3 PDC Configuration”</a>.
</p></li><li class="step" title="Step 3"><p>
Carefully follow the steps outlined in <a class="link" href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">“PAM and NSS Client Configuration”</a>, taking
particular note to install the correct <code class="filename">ldap.conf</code>.
</p></li><li class="step" title="Step 4"><p>
Verify that the NSS resolver is working. You may need to cycle the run level
to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
</p></li></ol></div><p>
Now that the first BDC (<code class="constant">BLDG1</code>) has been configured, it is time to build
and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:
</p><div class="procedure" title="Procedure 5.11. Configuration of BDC Called BLDG2"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Install the files in <a class="link" href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">“LDAP Based smb.conf File, Server: BLDG2”</a>,
<a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
into the <code class="filename">/etc/samba/</code> directory. The three files
should be added together to form the <code class="filename">smb.conf</code> file.
</p></li><li class="step" title="Step 2"><p>
Follow carefully the steps shown in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>, starting at step 2.
</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579402"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579413"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579425"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2579437"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579449"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579461"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579473"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579485"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579496"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579508"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579520"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579531"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579544"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579555"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579568"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579580"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579591"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2579603"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579615"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579626"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2579638"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579650"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579662"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579674"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2579686"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2579698"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579710"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579722"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579734"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579746"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2579758"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break">
<div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579804"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579816"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579828"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2579840"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579852"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579864"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579876"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579887"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579899"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579911"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579922"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579934"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579946"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579958"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579970"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579982"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579994"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2580006"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580017"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580029"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2580041"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580053"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580065"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580077"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2580089"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2580101"></a><em class="parameter"><code>ldap admin dn 
= cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580113"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580125"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580137"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580148"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2580160"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example�5.10.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2580206"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580218"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2580230"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2580250"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580262"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2580274"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a 
class="indexterm" name="id2580294"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580306"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2580318"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2580338"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2580350"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2580362"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580373"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2580394"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2580405"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2580417"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580429"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580440"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example�5.11.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a 
class="indexterm" name="id2580486"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580498"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2580509"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2580521"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2580542"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2580553"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2580565"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580577"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2580597"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580609"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2580621"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580633"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580653"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580665"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" 
name="id2580677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580689"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2580709"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580721"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580733"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580744"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2580756"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580768"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
2234
</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example�5.8.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2585460"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2585472"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2585484"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2585496"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585508"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585520"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2585532"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2585543"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2585555"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2585567"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2585578"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2585590"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2585602"></a><em class="parameter"><code>printcap name = 
CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2585614"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2585626"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2585638"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2585650"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2585662"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585673"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2585685"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2585697"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585709"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2585721"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2585733"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2585745"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2585757"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585769"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585781"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" 
name="id2585793"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2585804"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2585816"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example�5.9.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2585863"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2585874"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2585886"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2585898"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585910"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585922"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2585934"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2585946"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2585957"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2585969"></a><em class="parameter"><code>max log size = 
50</code></em></td></tr><tr><td><a class="indexterm" name="id2585981"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2585992"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2586005"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2586016"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586029"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2586041"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2586052"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2586064"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586076"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586088"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2586099"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586111"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586123"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586135"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2586147"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2586159"></a><em class="parameter"><code>ldap admin dn 
= cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586171"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586184"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586195"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586207"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2586219"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example�5.10.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2586265"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586277"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2586288"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2586309"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586320"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2586332"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a 
class="indexterm" name="id2586353"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586365"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2586376"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2586397"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2586408"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2586420"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586432"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2586452"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2586464"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2586476"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586487"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586499"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example�5.11.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a 
class="indexterm" name="id2586545"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586557"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2586568"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2586580"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2586600"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2586612"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2586624"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586635"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2586656"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2586668"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2586680"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586691"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2586712"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2586724"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" 
name="id2586736"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586747"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2586768"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2586780"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2586791"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586803"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2586815"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586826"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
2235
2235
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580803"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>”
The makings of a great network environment take a lot of effort and attention to detail.
So far, you have completed most of the complex (and to many administrators, the interesting
part of server configuration) steps, but remember to tie it all together. Here are
a few more steps that must be completed so that your network runs like a well-rehearsed
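Before moving on to those tasks, here is an added example that ties Examples 5.8 to 5.12 together. It is not code from the book or from the Samba project: it parses an <code class="filename">smb.conf</code> in the style shown above, derives the DN that the IDMAP container must carry from <em class="parameter"><code>ldap idmap suffix</code></em> and <em class="parameter"><code>ldap suffix</code></em>, checks the LDIF entry against it (the RDN attribute must be present in the entry or the directory server rejects the add as a naming violation), lists the shares that allow guest or write access, and reports share roots that do not exist on disk. The <code class="literal">smb.conf</code> subset and the LDIF are constructed inline from the values on the page; all function names are ours.

```python
"""Consistency checks for an LDAP-backed smb.conf and its idmap LDIF.
Added example (not the book's or Samba's code): derives the idmap container
DN from "ldap idmap suffix" + "ldap suffix", checks the LDIF entry against
it, lists shares allowing guest or write access, and reports missing roots."""
import os

# Constructed inputs: BLDG1's LDAP parameters with a subset of the page's
# shares, and the container entry of Example 5.12.
SMB_CONF = """
[global]
    passdb backend = ldapsam:ldap://massive.abmas.biz
    ldap suffix = dc=abmas,dc=biz
    ldap idmap suffix = ou=Idmap
[accounts]
    path = /data/accounts
    read only = No
[netlogon]
    path = /var/lib/samba/netlogon
    guest ok = Yes
[print$]
    path = /var/lib/samba/drivers
    read only = yes
    write list = root, chrisr
"""
IDMAP_LDIF = """dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: Idmap
"""

def parse_smb_conf(text):
    """{section: {parameter: value}}; parameter names lower-cased, spaces squeezed."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, conf[line[1:-1]] = line[1:-1], {}
        elif section and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def is_true(value, default=False):
    # Samba boolean: yes/true/1 in any case; None means the parameter is unset.
    return default if value is None else value.strip().lower() in ("yes", "true", "1")

def expected_idmap_dn(conf):
    """DN of the idmap container as Samba composes it from the two suffixes."""
    return conf["global"]["ldap idmap suffix"] + "," + conf["global"]["ldap suffix"]

def parse_ldif(text):
    """Minimal LDIF reader for 'attr: value' entries -> [(dn, {attr: [values]})]."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs = {}
        else:
            attr, _, value = line.partition(":")
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def idmap_container_problems(conf, ldif_text):
    """Why the LDIF would not give smb.conf the container it expects ([] when fine)."""
    want = expected_idmap_dn(conf)
    for dn, attrs in parse_ldif(ldif_text):
        if dn.lower() != want.lower():
            continue
        problems = []
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        # The RDN attribute must be in the entry or the add fails as a naming violation.
        if rdn_value not in attrs.get(rdn_attr.lower(), []):
            problems.append("naming attribute %s=%s missing from entry" % (rdn_attr, rdn_value))
        if "organizationalunit" not in [v.lower() for v in attrs.get("objectclass", [])]:
            problems.append("entry is not an organizationalUnit")
        return problems
    return ["no entry for " + want]

def share_review(conf):
    """Shares allowing guest access or writes: the ones to re-check first."""
    findings = {}
    for name, p in conf.items():
        if name != "global":
            tags = [tag for hit, tag in (
                (is_true(p.get("guest ok")), "guest access"),
                (not is_true(p.get("read only"), True), "writable for all valid users"),
                (p.get("write list"), "write list: %s" % p.get("write list")),
            ) if hit]
            if tags:
                findings[name] = tags
    return findings

def missing_share_roots(conf, isdir=os.path.isdir):
    """Share 'path' values that do not exist; isdir is injectable for offline tests."""
    return [p["path"] for name, p in conf.items()
            if name != "global" and "path" in p and not isdir(p["path"])]

if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print("idmap container:", idmap_container_problems(conf, IDMAP_LDIF) or "ok")
    print(share_review(conf), missing_share_roots(conf))
```

On a real server, feed the script the output of <code class="literal">testparm -s</code> rather than the raw file, so that synonyms such as <em class="parameter"><code>writeable</code></em> are already normalised to <em class="parameter"><code>read only</code></em>; the parser above knows only the canonical names. Note that <em class="parameter"><code>read only</code></em> defaults to yes, so <code class="literal">[netlogon]</code> with <em class="parameter"><code>guest ok = Yes</code></em> is guest-readable but not guest-writable, which is what a logon script share needs.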
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580823"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>
parameter. Even though it is obvious to all, one of the common Samba networking problems is
caused by forgetting to verify that every such share root directory actually exists and that it
"<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a
Base Profile for All Users."</a>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
<a class="indexterm" name="id2581466"></a>
Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.
It is necessary to expose folders that are generally hidden to provide access to the
<code class="constant">Default User</code> folder.
</p><div class="procedure"><a name="id2581484"></a><p class="title"><b>Procedure�5.13.�Expose Hidden Folders</b></p><ol type="1"><li><p>
Launch the Windows Explorer by clicking
<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.
Select <span class="guilabel">Show hidden files and folders</span>,
and click <span class="guibutton">OK</span>. Exit Windows Explorer.
</p></li><li class="step" title="Step 2"><p>
<a class="indexterm" name="id2587609"></a>
Launch the Registry Editor. Click
<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click
<span class="guibutton">OK</span>.
</p></li></ol></div><p>
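The hive-loading and inspection steps of the procedure that follows can also be done from the command line. The script below is an added example, not from the book: it loads the <code class="constant">Default User</code> hive under the temporary key name <code class="constant">Default</code>, prints every <code class="literal">User Shell Folders</code> value in its raw, unexpanded form so you can see which entries still point at <code class="constant">%USERPROFILE%</code>, and unloads the hive again. Run it from an elevated PowerShell prompt as the local <code class="constant">Administrator</code>. The hive file location is the Windows XP default and is an assumption; <code class="literal">reg.exe</code> and the <code class="literal">HKLM:</code> provider are standard.

```powershell
# Added example (not from the book): scripted counterpart of loading the
# Default User hive as "Default" and reading the User Shell Folders values
# before deciding what to redirect.  Run as the local Administrator.
$HiveFile     = 'C:\Documents and Settings\Default User\NTUSER.DAT'   # XP default; assumption
$HiveKey      = 'HKLM\Default'
$ShellFolders = 'HKLM:\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

if (-not (Test-Path -LiteralPath $HiveFile)) { throw "hive file not found: $HiveFile" }
& reg.exe load $HiveKey $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed; is a key named $HiveKey already loaded?" }

$key = $null
try {
    $key = Get-Item -LiteralPath $ShellFolders
    foreach ($name in ($key.GetValueNames() | Sort-Object)) {
        # Read the raw REG_EXPAND_SZ data.  Get-ItemProperty would expand
        # %USERPROFILE% to the administrator's own profile path and hide
        # which entries are still local.
        $raw   = $key.GetValue($name, $null,
                     [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $state = if ($raw -like '*%USERPROFILE%*') { 'local' } else { 'redirected' }
        '{0,-16} {1,-11} {2}' -f $name, $state, $raw
    }
}
finally {
    # Release the handle first: reg unload reports "Access is denied" while
    # any key under the loaded hive is still open.
    if ($key) { $key.Close() }
    [GC]::Collect()
    & reg.exe unload $HiveKey | Out-Null
}
```

The values under <code class="literal">User Shell Folders</code> are of type REG_EXPAND_SZ, which is why a macro such as <code class="constant">%LOGONSERVER%</code> works there: the shell expands it at logon. When you later write a redirection with <code class="literal">Set-ItemProperty</code>, keep that type (<code class="literal">-Type ExpandString</code>), otherwise the macro is stored as literal text and never expanded.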
</p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure�5.14.�Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>
<a class="indexterm" name="id2581608"></a>
<a class="indexterm" name="id2581615"></a>
Give focus to the <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.
Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name
<code class="constant">Default</code> and click <span class="guibutton">OK</span>.
</p></li><li class="step" title="Step 2"><p>
Browse inside the newly loaded Default folder to:
</p><pre class="screen">
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
2447
2447
CurrentVersion\Explorer\User Shell Folders\
2449
2449
The right panel reveals the contents as shown in <a class="link" href="happy.html#XP-screen001" title="Figure�5.3.�Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>.
2451
<a class="indexterm" name="id2581708"></a>
2452
<a class="indexterm" name="id2581714"></a>
2450
</p></li><li class="step" title="Step 3"><p>
2451
<a class="indexterm" name="id2587766"></a>
2452
<a class="indexterm" name="id2587773"></a>
2453
2453
You edit hive keys. Acceptable values to replace the
2454
2454
<code class="constant">%USERPROFILE%</code> variable includes:
2456
</p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as
2457
<code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2459
<a class="indexterm" name="id2581761"></a>
2456
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A drive letter such as <code class="constant">U:</code></p></li><li class="listitem"><p>A direct network path such as
2457
<code class="constant">\\MASSIVE\profdata</code></p></li><li class="listitem"><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2458
</p></li><li class="step" title="Step 4"><p>
2459
<a class="indexterm" name="id2587820"></a>
2460
2460
Set the registry keys as shown in <a class="link" href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">“Default Profile Redirections”</a>. Your implementation makes the assumption
that users have statically located machines. Notebook computers (mobile users) need to be
accommodated using local profiles. This is not an uncommon assumption.
</p></li><li class="step" title="Step 5"><p>
Click back to the root of the loaded hive <code class="constant">Default</code>.
Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>.
</p></li><li class="step" title="Step 6"><p>
<a class="indexterm" name="id2587875"></a>
Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the
Registry Editor.
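As an added example (not part of this procedure or of the Samba project), the following PowerShell script performs steps 1 to 6 above without the Registry Editor: it loads the Default User hive as <code class="constant">Default</code>, rewrites the <code class="constant">User Shell Folders</code> values that still begin with <code class="constant">%USERPROFILE%</code> so that they point under <code class="constant">%LOGONSERVER%\profdata\</code>, verifies the result, and unloads the hive. The hive path, the set of value names redirected and the subfolder names are this example's assumptions.

```powershell
# Added example, not from the Samba HOWTO: scripted equivalent of steps 1-6 of
# Procedure 5.14. Run from an elevated PowerShell on the staging workstation
# while no other user is logged on (a hive left loaded cannot be copied later).
# Assumptions: Windows XP profile layout for $HivePath; the value names and
# subfolders in $Redirects are this example's choice, not the page's table.

$HivePath  = 'C:\Documents and Settings\Default User\NTUSER.DAT'   # assumed location
$MountName = 'Default'                                              # key name used in step 1
$Target    = '%LOGONSERVER%\profdata'                               # redirection root from step 3
$ShellKey  = "HKLM:\$MountName\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

# Value name in User Shell Folders -> subfolder under $Target (assumed mapping).
$Redirects = @{
    'Personal'    = 'My Documents'
    'Desktop'     = 'Desktop'
    'Favorites'   = 'Favorites'
    'My Pictures' = 'My Pictures'
}

function Get-RawValue([string]$KeyPath, [string]$Name) {
    # Read the stored string without expanding %VARS%; Get-ItemProperty would
    # expand %USERPROFILE% to the current user's path and hide what is stored.
    $key = Get-Item -LiteralPath $KeyPath
    try { $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames') }
    finally { $key.Close() }
}

# Step 1: load the hive under HKLM\Default (File -> Load Hive in regedt32).
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Step 2: the key must already exist in the loaded hive; never create it blindly.
    if (-not (Test-Path -LiteralPath $ShellKey)) { throw "User Shell Folders key not found in loaded hive" }

    # Steps 3-4: replace the %USERPROFILE% prefix with the network target.
    # Only values that currently point inside the local profile are touched.
    foreach ($name in $Redirects.Keys) {
        $old = Get-RawValue $ShellKey $name
        if ($null -eq $old) { Write-Warning "$name is not set in this hive; skipped"; continue }
        if ($old -notlike '%USERPROFILE%*') { Write-Host "$name already redirected ($old); left alone"; continue }
        $new = "$Target\$($Redirects[$name])"
        # ExpandString (REG_EXPAND_SZ) keeps %LOGONSERVER% unexpanded until logon,
        # so each client resolves it to the domain controller that logged it on.
        Set-ItemProperty -LiteralPath $ShellKey -Name $name -Value $new -Type ExpandString
        Write-Host ("{0,-12} {1}  ->  {2}" -f $name, $old, $new)
    }

    # Check before unloading: nothing in the redirected set may still be local.
    $stillLocal = @($Redirects.Keys | Where-Object { (Get-RawValue $ShellKey $_) -like '%USERPROFILE%*' })
    if ($stillLocal.Count -gt 0) { throw "still local after edit: $($stillLocal -join ', ')" }
}
finally {
    # Step 5: drop any lingering key handles, then unload (File -> Unload Hive).
    [GC]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; close open handles and run: reg unload HKLM\$MountName" }
}
```

The same <code class="literal">Get-RawValue</code> helper can be run read-only against any loaded profile hive to audit which folders are redirected and whether they point at the intended share rather than some other host.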
</p></li><li class="step" title="Step 7"><p>
Now follow the procedure given in <a class="link" href="happy.html#sbehap-locgrppol" title="The Local Group Policy">“The Local Group Policy”</a>. Make sure that each folder you
have redirected is in the exclusion list.
</p></li><li class="step" title="Step 8"><p>
You are now ready to copy<sup>[<a name="id2587919" href="#ftn.id2587919" class="footnote">11</a>]</sup>
the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
and use it to copy the full contents of the directory <code class="filename">Default User</code> that
is in <code class="filename">C:\Documents and Settings</code> to the root directory of the
MS Outlook's Send/Receive button. If anyone has successfully relocated PST files where IMAP is
used, please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that
this warning can be removed or modified.
</p></li><li class="step" title="Step 6"><p>
Close the <span class="guimenu">Data Files</span> window, then click <span class="guimenu">Email Accounts</span>.
</p></li><li class="step" title="Step 7"><p>
Select <span class="guimenu">View or Change existing email accounts</span>, and click <span class="guibutton">Next</span>.
</p></li><li class="step" title="Step 8"><p>
Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new
target location.
</p></li><li class="step" title="Step 9"><p>
Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.
</p></li></ol></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2588410"></a>
You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
the user may not be able to retrieve contacts when addressing a new email message.
</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2588425"></a>
Outlook Express is not at all like MS Outlook. It also stores its files very differently. Outlook
Express storage files cannot be redirected to network shares. The options panel will not permit
this, but they can be moved to folders outside of the user's profile. They can also be excluded
While it is possible to redirect Outlook Express data stores by editing the
registry, experience has shown that data corruption and loss of email messages will result.
</p><p>
<a class="indexterm" name="id2588448"></a>
<a class="indexterm" name="id2588454"></a>
In the same vein as MS Outlook, Outlook Express data stores can become very large. When used with
roaming profiles this can result in excruciatingly long login and logout behavior while files are
synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
profiles are used.
</p><p>
<a class="indexterm" name="id2588470"></a>
Microsoft does not support storing PST files on network shares, although the practice does appear
to be rather popular. Anyone who does relocate the PST file to a network resource should refer to
the Microsoft <a class="ulink" href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better
understand the issues.
</p><p>
<a class="indexterm" name="id2588491"></a>
Apart from manually moving PST files to a network share, it is possible to set the default PST
location for new accounts by following the instructions at the WindowsITPro <a class="ulink" href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.
</p><p>
<a class="indexterm" name="id2588511"></a>
User feedback suggests that disabling oplocks on PST files will significantly improve
network performance by reducing locking overheads. One way this can be done is to add the
following to the <code class="filename">smb.conf</code> stanza for the share that holds the PST file:
</p><pre class="screen">
veto oplock files = /*.pdf/*.PST/
</pre><p>
</p></div><div class="sect2" title="Configure Delete Cached Profiles on Logout"><div class="titlepage"><div><div><h3 class="title"><a name="id2588536"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
<a class="indexterm" name="id2588549"></a>
<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>.
profiles are deleted as network users log out of the system. Click
<span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>.
<a class="indexterm" name="id2588645"></a>
The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
utility that enables you to set the policies needed. In the left panel, click
<span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li class="listitem"><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
Close the Microsoft Management Console. The settings take immediate effect and persist in all image copies
made of this system to deploy the new standard desktop system.
</p></div><div class="sect2" title="Uploading Printer Drivers to Samba Servers"><div class="titlepage"><div><div><h3 class="title"><a name="id2588716"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
<a class="indexterm" name="id2588724"></a>
Users want to be able to use network printers. You have a vested interest in making
it easy for them to print. You have chosen to install the printer drivers onto the Samba
servers and to enable point-and-click (drag-and-drop) printing. This process results in
Samba being able to automatically provide the Windows client with the driver necessary to
print to the printer chosen. The following procedure must be followed for every network
</p><div class="procedure" title="Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers"><a name="id2588742"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Join your Windows XP Professional workstation (the staging machine) to the
<code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,
follow the guidance given in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>.
</p></li><li class="step" title="Step 2"><p>
After the machine has rebooted, log onto the workstation as the domain
<code class="constant">root</code> (this is the Administrator account for the
operating system that is the host platform for this implementation of Samba).
</p></li><li class="step" title="Step 3"><p>
Launch MS Windows Explorer. Navigate in the left panel. Click
<span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
<span class="guimenu">Printers and Faxes</span>.
</p></li><li class="step" title="Step 4"><p>
Identify a printer that is shown in the right panel. Let us assume the printer is called
<code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon
and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
that “<span class="quote">The printer driver is not installed on this computer. Some printer properties
will not be accessible unless you install the printer driver. Do you want to install the
driver now?</span>” It is important at this point that you answer <span class="guimenu">No</span>.
</p></li><li class="step" title="Step 5"><p>
The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server
<code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.
Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”.
</p></li><li class="step" title="Step 6"><p>
<a class="indexterm" name="id2588931"></a>
<a class="indexterm" name="id2588940"></a>
The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel
is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the
printer manufacturer. In your case, you are adding a driver for a printer manufactured by
Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
<span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A
progress bar appears and shows each file as it is uploaded and that it is being
directed at the network server <code class="constant">\\massive\ps01-color</code>.
</p></li><li class="step" title="Step 7"><p>
2630
<a class="indexterm" name="id2588989"></a>
2631
<a class="indexterm" name="id2588998"></a>
2632
<a class="indexterm" name="id2589007"></a>
2633
<a class="indexterm" name="id2589016"></a>
2634
<a class="indexterm" name="id2589025"></a>
2635
<a class="indexterm" name="id2589035"></a>
2636
2636
The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
2637
2637
you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.
2638
2638
You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under
2639
2639
the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
2640
load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the
2641
directory</span>”. When this box is checked, the printer will be published in Active Directory
2640
load additional printer drivers; there is also a check-box in this tab called <span class="quote">“<span class="quote">List in the
2641
directory</span>”</span>. When this box is checked, the printer will be published in Active Directory
2642
2642
(Applicable to Active Directory use only.)
2644
<a class="indexterm" name="id2583031"></a>
2643
</p></li><li class="step" title="Step 8"><p>
2644
<a class="indexterm" name="id2589090"></a>
2645
2645
Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.
2646
2646
You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
2647
2647
Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit
2648
2648
your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
2649
2649
you need to reverse the changes back to their original settings.
2650
</p></li><li class="step" title="Step 9"><p>
2651
2651
This is necessary so that the printer settings are initialized in the Samba printers
2652
2652
database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
2653
2653
just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
2654
2654
click <span class="guimenu">Apply</span> again.
</p></li><li class="step" title="Step 10"><p>
<a class="indexterm" name="id2589163"></a>
Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on
massive Properties</span> panel.
</p></li><li class="step" title="Step 11"><p>
You must repeat this process for all network printers (i.e., for every printer on each server).
When you have finished uploading drivers to all printers, close all applications. The next task
is to install software your users require to do their work.
</p></li></ol></div></div><div class="sect2" title="Software Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id2589218"></a>Software Installation</h3></div></div></div><p>
Your network has both fixed desktop workstations and notebook computers. As a general rule, it is
a good idea not to tamper with the operating system that is provided by the notebook computer manufacturer.
Notebooks require special handling that is beyond the scope of this chapter.
as well as security considerations.
</p><p>
The parts of this chapter that deserve particular attention are:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
domain control.
</p></li><li class="listitem"><p>
Implementation of Samba primary and secondary domain controllers with a common LDAP backend
for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
pam_ldap tool-sets.
</p></li><li class="listitem"><p>
Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management and for
managing Samba Windows user and group accounts.
</p></li><li class="listitem"><p>
The basics of implementation of Group Policy controls for Windows network clients.
</p></li><li class="listitem"><p>
Control over roaming profiles, with particular focus on folder redirection to network drives.
</p></li><li class="listitem"><p>
Use of the CUPS printing system together with Samba-based printer driver auto-download.
</p></li></ul></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589403"></a>Questions and Answers</h2></div></div></div><p>
Well, here we are at the end of this chapter and we have only ten questions to help you to
remember so much. There are bound to be some sticky issues here.
</p><div class="qandaset" title="Frequently Asked Questions"><a name="id2589415"></a><dl><dt> <a href="happy.html#id2589422">
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
network administrators to implement insecure solutions?
</a></dt><dt> <a href="happy.html#id2589466">
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
to the Linux I might be using?
</a></dt><dt> <a href="happy.html#id2589527">
You did not use SWAT to configure Samba. Is there something wrong with it?
</a></dt><dt> <a href="happy.html#id2589566">
You have exposed a well-used password not24get. Is that
not irresponsible?
</a></dt><dt> <a href="happy.html#id2589591">
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
</a></dt><dt> <a href="happy.html#id2589618">
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
</a></dt><dt> <a href="happy.html#id2589643">
Why are the Windows domain RID portions not the same as the UNIX UID?
</a></dt><dt> <a href="happy.html#id2589678">
Printer configuration examples all show printing to the HP port 9100. Does this
mean that I must have HP printers for these solutions to work?
</a></dt><dt> <a href="happy.html#id2589708">
Is folder redirection dangerous? I've heard that you can lose your data that way.
</a></dt><dt> <a href="happy.html#id2589735">
Is it really necessary to set a local Group Policy to exclude the redirected
folders from the roaming profile?
</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2589422"></a><a name="id2589424"></a></td><td align="left" valign="top"><p>
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
network administrators to implement insecure solutions?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>