~ubuntu-branches/ubuntu/maverick/samba/maverick-security
» Revision
91
: docs/htmldocs/Samba3-ByExample/happy.html
« back to all changes in this revision
Viewing changes to docs/htmldocs/Samba3-ByExample/happy.html
- browse files at revision 91
- compare with another revision
- download diff
- download tarball
- view history from revision 91
- Committer: Bazaar Package Importer
- Author(s): Chuck Short
- Date: 2010-01-29 06:16:15 UTC
- mfrom: (0.27.9 upstream) (0.34.4 squeeze)
- Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld
Tags: 2:3.4.5~dfsg-1ubuntu1
* Merge from debian testing. Remaining changes:
+ debian/patches/VERSION.patch:
- set SAMBA_VERSION_SUFFIX to Ubuntu.
+ debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
- Set 'usershare allow guests', so that usershare admins are allowed to create
public shares in additon to authenticated ones.
- add map to guest = Bad user, maps bad username to gues access.
+ debian/samba-common.conf:
- Do not change priority to high if dhclient3 is installed.
- Use priority medium instead of high for the workgroup question.
+ debian/mksambapasswd.awk:
- Do not add user with UID less than 1000 to smbpasswd.
+ debian/control:
- Make libswbclient0 replace/conflict with hardy's likewise-open.
- Don't build against ctdb, since its not in main yet.
+ debian/rules:
- Enable "native" PIE hardening.
- Add BIND_NOW to maximize benefit of RELRO hardening.
+ Add ufw integration:
- Created debian/samba.ufw.profile.
- debian/rules, debian/samba.dirs, debian/samba.files: install
+ Add apoort hook:
- Created debian/source_samba.py.
- debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
+ debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
family... it's obviously /not/ an address family, but it's what gets
sent when using NM, so we'll cope for now. (LP: #462169). Taken from karmic-proposed.
+ debian/control: Recommend keyutils for smbfs (LP: #493565)
+ Dropped patches:
- debian/patches/security-CVE-2009-3297.patch: No longer needed
- debian/patches/fix-too-many-open-files.patch: No longer needed
+ debian/patches/VERSION.patch:
- set SAMBA_VERSION_SUFFIX to Ubuntu.
+ debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] share, and add a comment about "valid users = %s"
to show users how to restrict access to \\server\username to only username.
- Set 'usershare allow guests', so that usershare admins are allowed to create
public shares in additon to authenticated ones.
- add map to guest = Bad user, maps bad username to gues access.
+ debian/samba-common.conf:
- Do not change priority to high if dhclient3 is installed.
- Use priority medium instead of high for the workgroup question.
+ debian/mksambapasswd.awk:
- Do not add user with UID less than 1000 to smbpasswd.
+ debian/control:
- Make libswbclient0 replace/conflict with hardy's likewise-open.
- Don't build against ctdb, since its not in main yet.
+ debian/rules:
- Enable "native" PIE hardening.
- Add BIND_NOW to maximize benefit of RELRO hardening.
+ Add ufw integration:
- Created debian/samba.ufw.profile.
- debian/rules, debian/samba.dirs, debian/samba.files: install
+ Add apoort hook:
- Created debian/source_samba.py.
- debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
+ debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
family... it's obviously /not/ an address family, but it's what gets
sent when using NM, so we'll cope for now. (LP: #462169). Taken from karmic-proposed.
+ debian/control: Recommend keyutils for smbfs (LP: #493565)
+ Dropped patches:
- debian/patches/security-CVE-2009-3297.patch: No longer needed
- debian/patches/fix-too-many-open-files.patch: No longer needed
- files added:
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3
- .pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client
- files removed:
- .pc/fix-manpages-warnings.patch
- .pc/fix-manpages-warnings.patch/docs
- .pc/fix-manpages-warnings.patch/docs/manpages
- .pc/fix-too-many-open-files.patch
- .pc/fix-too-many-open-files.patch/source3
- .pc/fix-too-many-open-files.patch/source3/include
- .pc/fix-too-many-open-files.patch/source3/param
- .pc/fix-too-many-open-files.patch/source3/smbd
- .pc/security-CVE-2009-3297.patch
- .pc/security-CVE-2009-3297.patch/source3
- .pc/security-CVE-2009-3297.patch/source3/client
- files modified:
- .pc/VERSION.patch/source3/VERSION
added
removed
docs/htmldocs/Samba3-ByExample/happy.html
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�5.�Making Happy Users</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part�I.�Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter�4.�The 500-User Office"><link rel="next" href="2000users.html" title="Chapter�6.�A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�5.�Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><th width="60%" align="center">Part�I.�Example Network Configurations</th><td width="20%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter�5.�Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2571048">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2571190">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571288">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2571425">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571882">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573760">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573776">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2573956">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2576854">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2580803">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2580823">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2580918">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581163">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581274">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2581407">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582162">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582477">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582657">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583160">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583195">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2583229">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2583345">Questions and Answers</a></span></dt></dl></div><p>
2
It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give
3
me a day of troubles well handled so that I can be content with my achievements.</span>”
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�5.�Making Happy Users</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part�I.�Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter�4.�The 500-User Office"><link rel="next" href="2000users.html" title="Chapter�6.�A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�5.�Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><th width="60%" align="center">Part�I.�Example Network Configurations</th><td width="20%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter�5.�Making Happy Users"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter�5.�Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2577106">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2577248">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2577346">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2577483">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2577941">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2579819">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2579834">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2580015">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582912">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2586862">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2586882">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2586977">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2587221">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2587332">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2587466">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2588220">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2588536">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2588716">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2589218">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2589254">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2589288">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2589403">Questions and Answers</a></span></dt></dl></div><p>
2
It is said that <span class="quote">“<span class="quote">a day that is without troubles is not fulfilling. Rather, give
3
me a day of troubles well handled so that I can be content with my achievements.</span>”</span>
4
4
</p><p>
5
5
In the world of computer networks, problems are as varied as the people who create them
6
6
or experience them. The design of the network implemented in <a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>
7
7
may create problems for some network users. The following lists some of the problems that
8
8
may occur:
9
</p><a class="indexterm" name="id2570626"></a><a class="indexterm" name="id2570632"></a><a class="indexterm" name="id2570642"></a><a class="indexterm" name="id2570648"></a><a class="indexterm" name="id2570655"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
9
</p><a class="indexterm" name="id2576684"></a><a class="indexterm" name="id2576691"></a><a class="indexterm" name="id2576700"></a><a class="indexterm" name="id2576707"></a><a class="indexterm" name="id2576714"></a><div class="caution" title="Caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
10
10
A significant number of network administrators have responded to the guidance given
11
11
here. It should be noted that there are sites that have a single PDC for many hundreds of
12
12
concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
19
19
overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
20
20
clients is conservative and if followed will minimize problems but it is not absolute.
21
21
</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>
22
<a class="indexterm" name="id2570700"></a>
23
<a class="indexterm" name="id2570710"></a>
22
<a class="indexterm" name="id2576759"></a>
23
<a class="indexterm" name="id2576768"></a>
24
24
When a Windows client logs onto the network, many data packets are exchanged
25
25
between the client and the server that is providing the network logon services.
26
26
Each request between the client and the server must complete within a specific
30
30
30 to 150 clients. The actual limits are determined by network operational
31
31
characteristics.
32
32
</p><p>
33
<a class="indexterm" name="id2570730"></a>
34
<a class="indexterm" name="id2570736"></a>
35
<a class="indexterm" name="id2570743"></a>
33
<a class="indexterm" name="id2576788"></a>
34
<a class="indexterm" name="id2576795"></a>
35
<a class="indexterm" name="id2576801"></a>
36
36
If the domain controller provides only network logon services
37
37
and all file and print activity is handled by domain member servers, one domain
38
38
controller per 150 clients on a single network segment may suffice. In any
46
46
that can be supported is limited by the CPU speed, memory and the workload on
47
47
the Samba server as well as network bandwidth utilization.
48
48
</p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
49
<a class="indexterm" name="id2570776"></a>
49
<a class="indexterm" name="id2576835"></a>
50
50
Slow logons and log-offs may be caused by many factors that include:
51
51
52
</p><div class="itemizedlist"><ul type="disc"><li><p>
53
<a class="indexterm" name="id2570790"></a>
54
<a class="indexterm" name="id2570802"></a>
52
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
53
<a class="indexterm" name="id2576848"></a>
54
<a class="indexterm" name="id2576860"></a>
55
55
Excessive delays in the resolution of a NetBIOS name to its IP
56
56
address. This may be observed when an overloaded domain controller
57
57
is also the WINS server. Another cause may be the failure to use
58
58
a WINS server (this assumes that there is a single network segment).
59
</p></li><li><p>
60
<a class="indexterm" name="id2570820"></a>
61
<a class="indexterm" name="id2570827"></a>
62
<a class="indexterm" name="id2570834"></a>
59
</p></li><li class="listitem"><p>
60
<a class="indexterm" name="id2576879"></a>
61
<a class="indexterm" name="id2576886"></a>
62
<a class="indexterm" name="id2576892"></a>
63
63
Network traffic collisions due to overloading of the network
64
64
segment. One short-term workaround to this may be to replace
65
65
network HUBs with Ethernet switches.
66
</p></li><li><p>
67
<a class="indexterm" name="id2570848"></a>
66
</p></li><li class="listitem"><p>
67
<a class="indexterm" name="id2576907"></a>
68
68
Defective networking hardware. Over the past few years, we have seen
69
69
on the Samba mailing list a significant increase in the number of
70
70
problems that were traced to a defective network interface controller,
71
71
a defective HUB or Ethernet switch, or defective cabling. In most cases,
72
72
it was the erratic nature of the problem that ultimately pointed to
73
73
the cause of the problem.
74
</p></li><li><p>
75
<a class="indexterm" name="id2570869"></a>
76
<a class="indexterm" name="id2570878"></a>
74
</p></li><li class="listitem"><p>
75
<a class="indexterm" name="id2576927"></a>
76
<a class="indexterm" name="id2576936"></a>
77
77
Excessively large roaming profiles. This type of problem is typically
78
78
the result of poor user education as well as poor network management.
79
79
It can be avoided by users not storing huge quantities of email in
80
80
MS Outlook PST files as well as by not storing files on the desktop.
81
81
These are old bad habits that require much discipline and vigilance
82
82
on the part of network management.
83
</p></li><li><p>
84
<a class="indexterm" name="id2570898"></a>
83
</p></li><li class="listitem"><p>
84
<a class="indexterm" name="id2576957"></a>
85
85
You should verify that the Windows XP WebClient service is not running.
86
86
The use of the WebClient service has been implicated in many Windows
87
87
networking-related problems.
89
89
</p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
90
90
Loss of access to network resources during client operation may be caused by a number
91
91
of factors, including:
92
</p><div class="itemizedlist"><ul type="disc"><li><p>
93
<a class="indexterm" name="id2570931"></a>
92
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
93
<a class="indexterm" name="id2576989"></a>
94
94
Network overload (typically indicated by a high network collision rate)
95
</p></li><li><p>
95
</p></li><li class="listitem"><p>
96
96
Server overload
97
</p></li><li><p>
98
<a class="indexterm" name="id2570950"></a>
97
</p></li><li class="listitem"><p>
98
<a class="indexterm" name="id2577009"></a>
99
99
Timeout causing the client to close a connection that is in use but has
100
100
been latent (no traffic) for some time (5 minutes or more)
101
</p></li><li><p>
102
<a class="indexterm" name="id2570966"></a>
101
</p></li><li class="listitem"><p>
102
<a class="indexterm" name="id2577025"></a>
103
103
Defective networking hardware
104
104
</p></li></ul></div><p>
105
<a class="indexterm" name="id2570981"></a>
105
<a class="indexterm" name="id2577039"></a>
106
106
No matter what the cause, a sudden loss of access to network resources can
107
107
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
108
108
workstation. In the case of a mild problem, retrying to access the network drive of the printer
109
109
may restore operations, but in any case this is a serious problem that may lead to the next
110
110
problem, data corruption.
111
111
</p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>
112
<a class="indexterm" name="id2571014"></a>
112
<a class="indexterm" name="id2577073"></a>
113
113
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
114
114
frustration, and generally precipitates immediate corrective demands. Management response
115
115
to this type of problem may be rational, as well as highly irrational. There have been
123
123
anticipate and combat network performance issues. You can work through complex and thorny
124
124
methods to improve the reliability of your network environment, but be warned that all such steps
125
125
demand the price of complexity.
126
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571048"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
127
<a class="indexterm" name="id2571056"></a>
126
</p><div class="sect1" title="Regarding LDAP Directories and Windows Computer Accounts"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577106"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
127
<a class="indexterm" name="id2577115"></a>
128
128
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
129
129
constraints that are described in this section.
130
130
</p><p>
131
<a class="indexterm" name="id2571071"></a>
132
<a class="indexterm" name="id2571078"></a>
133
<a class="indexterm" name="id2571085"></a>
134
<a class="indexterm" name="id2571092"></a>
131
<a class="indexterm" name="id2577130"></a>
132
<a class="indexterm" name="id2577136"></a>
133
<a class="indexterm" name="id2577143"></a>
134
<a class="indexterm" name="id2577150"></a>
135
135
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
136
136
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
137
137
them. A user account and a machine account are indistinguishable from each other, except that
138
138
the machine account ends in a $ character, as do trust accounts.
139
139
</p><p>
140
<a class="indexterm" name="id2571108"></a>
141
<a class="indexterm" name="id2571115"></a>
140
<a class="indexterm" name="id2577167"></a>
141
<a class="indexterm" name="id2577173"></a>
142
142
The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
143
143
is a design decision that was made a long way back in the history of Samba development. It is
144
144
unlikely that this decision will be reversed or changed during the remaining life of the
145
145
Samba-3.x series.
146
146
</p><p>
147
<a class="indexterm" name="id2571130"></a>
148
<a class="indexterm" name="id2571136"></a>
147
<a class="indexterm" name="id2577188"></a>
148
<a class="indexterm" name="id2577195"></a>
149
149
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
150
150
must refer back to the host operating system on which Samba is running. The name service
151
151
switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
152
152
need to know everything about every host OS it runs on.
153
153
</p><p>
154
Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>”
155
and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool
154
Samba asks the host OS to provide a UID via the <span class="quote">“<span class="quote">passwd</span>”</span>, <span class="quote">“<span class="quote">shadow</span>”</span>
155
and <span class="quote">“<span class="quote">group</span>”</span> facilities in the NSS control (configuration) file. The best tool
156
156
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
157
157
Samba. Samba provides winbindd together with its support libraries as one method. It is
158
158
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
159
159
all account entities can be located in an LDAP directory.
160
160
</p><p>
161
<a class="indexterm" name="id2571174"></a>
161
<a class="indexterm" name="id2577232"></a>
162
162
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
163
163
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
164
164
is fundamentally an LDAP design question. The information provided on the Samba list and
165
165
in the documentation is directed at providing working examples only. The design
166
166
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
167
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571190"></a>Introduction</h2></div></div></div><p>
167
</p></div><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577248"></a>Introduction</h2></div></div></div><p>
168
168
You just opened an email from Christine that reads:
169
169
</p><p>
170
170
Good morning,
193
193
regain control of our vital IT operations.
194
194
</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p>
195
195
</p><p>
196
<a class="indexterm" name="id2571252"></a>
197
<a class="indexterm" name="id2571259"></a>
196
<a class="indexterm" name="id2577310"></a>
197
<a class="indexterm" name="id2577318"></a>
198
198
Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
199
199
single domain controller is a poor design that has obvious operational effects that may
200
200
frustrate users. Here is your reply:
204
204
boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
205
205
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
206
206
for approval; I appreciate the urgency.
207
</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571288"></a>Assignment Tasks</h3></div></div></div><p>
207
</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2577346"></a>Assignment Tasks</h3></div></div></div><p>
208
208
The priority of assigned tasks in this chapter is:
209
</p><div class="orderedlist"><ol type="1"><li><p>
210
<a class="indexterm" name="id2571308"></a>
211
<a class="indexterm" name="id2571317"></a>
212
<a class="indexterm" name="id2571323"></a>
213
<a class="indexterm" name="id2571330"></a><a class="indexterm" name="id2571336"></a>
209
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
210
<a class="indexterm" name="id2577366"></a>
211
<a class="indexterm" name="id2577375"></a>
212
<a class="indexterm" name="id2577382"></a>
213
<a class="indexterm" name="id2577389"></a><a class="indexterm" name="id2577394"></a>
214
214
Implement Backup Domain Controllers (BDCs) in each building. This involves
215
215
a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
216
216
chapter to an LDAP-based backend.
217
217
</p><p>
218
218
You can implement a single central LDAP server for this purpose.
219
</p></li><li><p>
220
<a class="indexterm" name="id2571358"></a>
221
<a class="indexterm" name="id2571365"></a>
222
<a class="indexterm" name="id2571372"></a>
223
<a class="indexterm" name="id2571379"></a>
219
</p></li><li class="listitem"><p>
220
<a class="indexterm" name="id2577417"></a>
221
<a class="indexterm" name="id2577424"></a>
222
<a class="indexterm" name="id2577430"></a>
223
<a class="indexterm" name="id2577437"></a>
224
224
Rectify the problem of excessive logon times. This involves redirection of
225
225
folders to network shares as well as modification of all user desktops to
226
226
exclude the redirected folders from being loaded at login time. You can also
227
227
create a new default profile that can be used for all new users.
228
228
</p></li></ol></div><p>
229
<a class="indexterm" name="id2571398"></a>
229
<a class="indexterm" name="id2577456"></a>
230
230
You configure a new MS Windows XP Professional workstation disk image that you roll out
231
231
to all desktop users. The instructions you have created are followed on a staging machine
232
232
from which all changes can be carefully tested before inflicting them on your network users.
233
233
</p><p>
234
<a class="indexterm" name="id2571412"></a>
234
<a class="indexterm" name="id2577471"></a>
235
235
This is the last network example in which specific mention of printing is made. The example
236
236
again makes use of the CUPS printing system.
237
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571425"></a>Dissection and Discussion</h2></div></div></div><p>
238
<a class="indexterm" name="id2571433"></a>
239
<a class="indexterm" name="id2571439"></a>
240
<a class="indexterm" name="id2571446"></a>
237
</p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577483"></a>Dissection and Discussion</h2></div></div></div><p>
238
<a class="indexterm" name="id2577491"></a>
239
<a class="indexterm" name="id2577498"></a>
240
<a class="indexterm" name="id2577505"></a>
241
241
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
242
242
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
243
243
LDAP servers in current use with Samba-3 include:
244
</p><div class="itemizedlist"><ul type="disc"><li><p>
245
<a class="indexterm" name="id2571464"></a>
244
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
245
<a class="indexterm" name="id2577522"></a>
246
246
Novell <a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>
247
247
is being successfully used by some sites. Information on how to use eDirectory can be
248
248
obtained from the Samba mailing lists or from Novell.
249
</p></li><li><p>
250
<a class="indexterm" name="id2571484"></a>
249
</p></li><li class="listitem"><p>
250
<a class="indexterm" name="id2577542"></a>
251
251
IBM <a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli
252
252
Directory Server</a> can be used to provide the Samba LDAP backend. Example schema
253
253
files are provided in the Samba source code tarball under the directory
254
254
<code class="filename">~samba/example/LDAP.</code>
255
</p></li><li><p>
256
<a class="indexterm" name="id2571511"></a>
255
</p></li><li class="listitem"><p>
256
<a class="indexterm" name="id2577570"></a>
257
257
Sun <a class="ulink" href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity
258
258
Server product suite</a> provides an LDAP server that can be used for Samba.
259
259
Example schema files are provided in the Samba source code tarball under the directory
264
264
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
265
265
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
266
266
</p><p>
267
<a class="indexterm" name="id2571548"></a>
267
<a class="indexterm" name="id2577607"></a>
268
268
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
269
269
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
270
270
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
271
271
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
272
272
</p><p>
273
<a class="indexterm" name="id2571566"></a>
274
<a class="indexterm" name="id2571573"></a>
275
<a class="indexterm" name="id2571580"></a>
276
<a class="indexterm" name="id2571589"></a>
277
<a class="indexterm" name="id2571598"></a>
278
<a class="indexterm" name="id2571605"></a>
279
<a class="indexterm" name="id2571614"></a>
273
<a class="indexterm" name="id2577624"></a>
274
<a class="indexterm" name="id2577631"></a>
275
<a class="indexterm" name="id2577638"></a>
276
<a class="indexterm" name="id2577647"></a>
277
<a class="indexterm" name="id2577657"></a>
278
<a class="indexterm" name="id2577663"></a>
279
<a class="indexterm" name="id2577673"></a>
280
280
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
281
281
High availability operation may be obtained through directory replication/synchronization and
282
282
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
286
286
contents with greater ability to back up, restore, and modify the directory than is generally possible
287
287
with Microsoft Active Directory.
288
288
</p><p>
289
<a class="indexterm" name="id2571639"></a>
290
<a class="indexterm" name="id2571649"></a>
291
<a class="indexterm" name="id2571656"></a>
292
<a class="indexterm" name="id2571663"></a>
289
<a class="indexterm" name="id2577698"></a>
290
<a class="indexterm" name="id2577707"></a>
291
<a class="indexterm" name="id2577714"></a>
292
<a class="indexterm" name="id2577721"></a>
293
293
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
294
294
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
295
295
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
300
300
MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services
301
301
of OpenLDAP.
302
302
</p><p>
303
<a class="indexterm" name="id2571692"></a>
304
<a class="indexterm" name="id2571701"></a>
303
<a class="indexterm" name="id2577751"></a>
304
<a class="indexterm" name="id2577760"></a>
305
305
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
306
306
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
307
307
tools and the creation of shell and Perl scripts a bit
309
309
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
310
310
that is required for use as a passdb backend.
311
311
</p><p>
312
<a class="indexterm" name="id2571719"></a>
312
<a class="indexterm" name="id2577778"></a>
313
313
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
314
314
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
315
315
The Web-based tools you might like to consider include the
323
323
LDAP <a class="ulink" href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a>
324
324
<a class="ulink" href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates);
325
325
and <a class="ulink" href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>.
326
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
326
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
327
327
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
328
328
security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
329
329
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
334
334
<a class="ulink" href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a>
335
335
by Jerry Carter quite useful.
336
336
</p><p>
337
<a class="indexterm" name="id2571817"></a>
338
<a class="indexterm" name="id2571824"></a>
339
<a class="indexterm" name="id2571833"></a>
340
<a class="indexterm" name="id2571840"></a>
337
<a class="indexterm" name="id2577876"></a>
338
<a class="indexterm" name="id2577882"></a>
339
<a class="indexterm" name="id2577892"></a>
340
<a class="indexterm" name="id2577898"></a>
341
341
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
342
342
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
343
343
be loaded over the WAN connection. The addition of BDCs on each network segment significantly
345
345
user desktops, and this must be done in a way that wins their support and does not cause further loss of
346
346
staff morale. The following procedures solve this problem.
347
347
</p><p>
348
<a class="indexterm" name="id2571862"></a>
348
<a class="indexterm" name="id2577921"></a>
349
349
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
350
350
so that future printer changes can be managed without need to change desktop configurations.
351
351
</p><p>
352
352
You add the ability to automatically download new printer drivers, even if they are not installed
353
353
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
354
354
you can extrapolate the principles and use them to install all printers that may be needed.
355
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571882"></a>Technical Issues</h3></div></div></div><p>
356
<a class="indexterm" name="id2571890"></a>
357
<a class="indexterm" name="id2571899"></a>
358
<a class="indexterm" name="id2571908"></a>
355
</p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2577941"></a>Technical Issues</h3></div></div></div><p>
356
<a class="indexterm" name="id2577949"></a>
357
<a class="indexterm" name="id2577958"></a>
358
<a class="indexterm" name="id2577967"></a>
359
359
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
360
360
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
361
361
accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
362
362
attributes Samba needs. Samba-3 can use the LDAP backend to store:
363
</p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
364
<a class="indexterm" name="id2571949"></a>
365
<a class="indexterm" name="id2571956"></a>
366
<a class="indexterm" name="id2571963"></a>
367
<a class="indexterm" name="id2571970"></a>
368
<a class="indexterm" name="id2571977"></a>
369
<a class="indexterm" name="id2571984"></a>
370
<a class="indexterm" name="id2571993"></a>
371
<a class="indexterm" name="id2571999"></a>
372
<a class="indexterm" name="id2572006"></a>
363
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Windows Networking User Accounts</p></li><li class="listitem"><p>Windows NT Group Accounts</p></li><li class="listitem"><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li class="listitem"><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
364
<a class="indexterm" name="id2578008"></a>
365
<a class="indexterm" name="id2578015"></a>
366
<a class="indexterm" name="id2578022"></a>
367
<a class="indexterm" name="id2578028"></a>
368
<a class="indexterm" name="id2578035"></a>
369
<a class="indexterm" name="id2578042"></a>
370
<a class="indexterm" name="id2578051"></a>
371
<a class="indexterm" name="id2578058"></a>
372
<a class="indexterm" name="id2578064"></a>
373
373
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
374
374
accounts in the LDAP backend. This implies the need to use the
375
375
<a class="ulink" href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution
378
378
that integrates with the NSS. The same requirements exist for resolution
379
379
of the UNIX username to the UID. The relationships are demonstrated in <a class="link" href="happy.html#sbehap-LDAPdiag" title="Figure�5.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">“The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”</a>.
380
380
</p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure�5.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p>
381
<a class="indexterm" name="id2572091"></a>
382
<a class="indexterm" name="id2572098"></a>
381
<a class="indexterm" name="id2578150"></a>
382
<a class="indexterm" name="id2578157"></a>
383
383
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
384
384
ought to learn how to configure secure communications over LDAP so that site security is not
385
385
at risk. This is not covered in the following guidance.
386
386
</p><p>
387
<a class="indexterm" name="id2572115"></a>
388
<a class="indexterm" name="id2572121"></a>
389
<a class="indexterm" name="id2572131"></a>
390
<a class="indexterm" name="id2572138"></a>
387
<a class="indexterm" name="id2578173"></a>
388
<a class="indexterm" name="id2578180"></a>
389
<a class="indexterm" name="id2578189"></a>
390
<a class="indexterm" name="id2578196"></a>
391
391
When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.
392
392
You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you
393
393
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
395
395
You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools
396
396
that help to manage user and group configuration.
397
397
</p><p>
398
<a class="indexterm" name="id2572172"></a>
399
<a class="indexterm" name="id2572178"></a>
400
<a class="indexterm" name="id2572185"></a>
398
<a class="indexterm" name="id2578230"></a>
399
<a class="indexterm" name="id2578237"></a>
400
<a class="indexterm" name="id2578244"></a>
401
401
In order to effect folder redirection and to add robustness to the implementation,
402
402
create a network default profile. All network users workstations are configured to use
403
403
the new profile. Roaming profiles will automatically be deleted from the workstation
404
404
when the user logs off.
405
405
</p><p>
406
<a class="indexterm" name="id2572205"></a>
406
<a class="indexterm" name="id2578263"></a>
407
407
The profile is configured so that users cannot change the appearance
408
408
of their desktop. This is known as a mandatory profile. You make certain that users
409
409
are able to use their computers efficiently.
410
410
</p><p>
411
<a class="indexterm" name="id2572218"></a>
411
<a class="indexterm" name="id2578277"></a>
412
412
A network logon script is used to deliver flexible but consistent network drive
413
413
connections.
414
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
415
<a class="indexterm" name="id2572240"></a>
416
<a class="indexterm" name="id2572245"></a>
417
<a class="indexterm" name="id2572251"></a>
418
<a class="indexterm" name="id2572256"></a>
414
</p><div class="sect3" title="Addition of Machines to the Domain"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
415
<a class="indexterm" name="id2578299"></a>
416
<a class="indexterm" name="id2578304"></a>
417
<a class="indexterm" name="id2578309"></a>
418
<a class="indexterm" name="id2578315"></a>
419
419
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
420
420
that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>
421
421
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
425
425
In this network example use is made of one of the supported privileges purely to demonstrate
426
426
how any user can now be given the ability to add machines to the domain using a normal user account
427
427
that has been given the appropriate privileges.
428
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572394"></a>Roaming Profile Background</h4></div></div></div><p>
428
</p></div><div class="sect3" title="Roaming Profile Background"><div class="titlepage"><div><div><h4 class="title"><a name="id2578452"></a>Roaming Profile Background</h4></div></div></div><p>
429
429
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
430
430
</p><p>
431
<a class="indexterm" name="id2572407"></a>
432
<a class="indexterm" name="id2572414"></a>
433
<a class="indexterm" name="id2572420"></a>
434
<a class="indexterm" name="id2572427"></a>
431
<a class="indexterm" name="id2578465"></a>
432
<a class="indexterm" name="id2578472"></a>
433
<a class="indexterm" name="id2578479"></a>
434
<a class="indexterm" name="id2578486"></a>
435
435
An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file
436
436
<code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data,
437
437
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
453
453
user to not place large files on the desktop and to use his or her mapped home directory
454
454
instead of the <code class="filename">My Documents</code> folder for saving documents.
455
455
</p><p>
456
<a class="indexterm" name="id2572506"></a>
456
<a class="indexterm" name="id2578565"></a>
457
457
Using a folder other than <code class="filename">My Documents</code> is a nuisance for
458
458
some users, since many applications use it by default.
459
459
</p><p>
460
<a class="indexterm" name="id2572524"></a>
461
<a class="indexterm" name="id2572531"></a>
462
<a class="indexterm" name="id2572538"></a>
460
<a class="indexterm" name="id2578583"></a>
461
<a class="indexterm" name="id2578590"></a>
462
<a class="indexterm" name="id2578597"></a>
463
463
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
464
464
being copied back and forth, without losing any functionality. This is not difficult;
465
465
it can be done by making changes to the Local Group Policy on each client as well
466
466
as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.
467
467
</p><p>
468
<a class="indexterm" name="id2572559"></a>
469
<a class="indexterm" name="id2572566"></a>
468
<a class="indexterm" name="id2578618"></a>
469
<a class="indexterm" name="id2578625"></a>
470
470
Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means
471
471
you need to edit every user's profile, unless a better method can be
472
472
followed. Fortunately, with the right preparations, this is not difficult.
474
474
user's profile. Then just create a Network Default Profile. Of course, it is
475
475
necessary to copy all files from redirected folders to the network share to which
476
476
they are redirected.
477
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>
478
<a class="indexterm" name="id2572607"></a>
479
<a class="indexterm" name="id2572614"></a>
480
<a class="indexterm" name="id2572620"></a>
481
<a class="indexterm" name="id2572627"></a>
477
</p></div><div class="sect3" title="The Local Group Policy"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>
478
<a class="indexterm" name="id2578665"></a>
479
<a class="indexterm" name="id2578672"></a>
480
<a class="indexterm" name="id2578679"></a>
481
<a class="indexterm" name="id2578686"></a>
482
482
Without an Active Directory PDC, you cannot take full advantage of Group Policy
483
483
Objects. However, you can still make changes to the Local Group Policy by using
484
484
the Group Policy editor (<code class="literal">gpedit.msc</code>).
487
487
be found under
488
488
<span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>.
489
489
By default this setting contains
490
“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”.
490
<span class="quote">“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”</span>.
491
491
</p><p>
492
492
Simply add the folders you do not wish to be copied back and forth to this
493
493
semicolon-separated list. Note that this change must be made on all clients
494
494
that are using roaming profiles.
495
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572694"></a>Profile Changes</h4></div></div></div><p>
496
<a class="indexterm" name="id2572702"></a>
497
<a class="indexterm" name="id2572709"></a>
495
</p></div><div class="sect3" title="Profile Changes"><div class="titlepage"><div><div><h4 class="title"><a name="id2578753"></a>Profile Changes</h4></div></div></div><p>
496
<a class="indexterm" name="id2578761"></a>
497
<a class="indexterm" name="id2578768"></a>
498
498
There are two changes that should be done to each user's profile. Move each of
499
499
the directories that you have excluded from being copied back and forth out of
500
500
the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file
501
501
to point to the new paths that are shared over the network instead of to the default
502
502
path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).
503
503
</p><p>
504
<a class="indexterm" name="id2572737"></a>
505
<a class="indexterm" name="id2572744"></a>
504
<a class="indexterm" name="id2578795"></a>
505
<a class="indexterm" name="id2578802"></a>
506
506
The above modifies existing user profiles. So that newly created profiles have
507
507
these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in
508
508
the <code class="filename">C:\Documents and Settings\Default User</code> folder on each
509
509
client machine, changing the same registry keys. You could do this by copying
510
510
<code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>.
511
511
The basic method is described under <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>.
512
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572788"></a>Using a Network Default User Profile</h4></div></div></div><p>
513
<a class="indexterm" name="id2572797"></a>
514
<a class="indexterm" name="id2572804"></a>
512
</p></div><div class="sect3" title="Using a Network Default User Profile"><div class="titlepage"><div><div><h4 class="title"><a name="id2578847"></a>Using a Network Default User Profile</h4></div></div></div><p>
513
<a class="indexterm" name="id2578855"></a>
514
<a class="indexterm" name="id2578862"></a>
515
515
If you are using Samba as your PDC, you should create a file share called
516
516
<code class="constant">NETLOGON</code> and within that create a directory called
517
517
<code class="filename">Default User</code>, which is a copy of the desired default user
520
520
the first login from a new account pulls its configuration from it.
521
521
See also <a class="ulink" href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
522
522
the Real Men Don't Click</a> Web site.
523
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572847"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524
<a class="indexterm" name="id2572855"></a>
525
<a class="indexterm" name="id2572865"></a>
526
<a class="indexterm" name="id2572872"></a>
523
</p></div><div class="sect3" title="Installation of Printer Driver Auto-Download"><div class="titlepage"><div><div><h4 class="title"><a name="id2578906"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524
<a class="indexterm" name="id2578914"></a>
525
<a class="indexterm" name="id2578923"></a>
526
<a class="indexterm" name="id2578930"></a>
527
527
The subject of printing is quite topical. Printing problems run second place to name
528
528
resolution issues today. So far in this book, you have experienced only what is generally
529
known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers
529
known as <span class="quote">“<span class="quote">dumb</span>”</span> printing. Dumb printing is the arrangement by which all drivers
530
530
are manually installed on each client and the printing subsystems perform no filtering
531
531
or intelligent processing. Dumb printing is easily understood. It usually works without
532
532
many problems, but it has its limitations also. Dumb printing is better known as
533
533
<code class="literal">Raw-Print-Through</code> printing.
534
534
</p><p>
535
<a class="indexterm" name="id2572900"></a>
536
<a class="indexterm" name="id2572910"></a>
535
<a class="indexterm" name="id2578959"></a>
536
<a class="indexterm" name="id2578968"></a>
537
537
Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft
538
538
Windows point-and-click (also called drag-and-drop) printing. What this provides is
539
539
essentially the ability to print to any printer. If the local client does not yet have a
547
547
then invokes a suitable print filter to convert the incoming data stream into a format
548
548
suited to the printer to which the job is dispatched.
549
549
</p><p>
550
<a class="indexterm" name="id2572957"></a>
551
<a class="indexterm" name="id2572963"></a>
552
<a class="indexterm" name="id2572970"></a>
550
<a class="indexterm" name="id2579015"></a>
551
<a class="indexterm" name="id2579022"></a>
552
<a class="indexterm" name="id2579029"></a>
553
553
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
554
554
detect the data format and apply a print filter. This means that it is feasible to install
555
555
on all Windows clients a single printer driver for use with all printers that are routed
566
566
This book is about Samba-3, so you can confine the printing style to just the smart
567
567
style of installation. Those interested in further information regarding intelligent
568
568
printing should review documentation on the Easy Software Products Web site.
569
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>
569
</p></div><div class="sect3" title="Avoiding Failures: Solving Problems Before They Happen"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>
570
570
It has often been said that there are three types of people in the world: those who
571
571
have sharp minds and those who forget things. Please do not ask what the third group
572
572
is like! Well, it seems that many of us have company in the second group. There must
574
574
simple problems efficiently and effectively.
575
575
</p><p>
576
576
Here are some diagnostic guidelines that can be referred to when things go wrong:
577
</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573037"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>
578
The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>”
577
</p><div class="sect4" title="Preliminary Advice: Dangers Can Be Avoided"><div class="titlepage"><div><div><h5 class="title"><a name="id2579096"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>
578
The best advice regarding how to mend a broken leg is <span class="quote">“<span class="quote">Never break a leg!</span>”</span>
579
579
</p><p>
580
<a class="indexterm" name="id2573053"></a>
580
<a class="indexterm" name="id2579112"></a>
581
581
Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
582
regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>”
582
regarding the best way to remedy LDAP and Samba problems: <span class="quote">“<span class="quote">Avoid them like the plague!</span>”</span>
583
583
</p><p>
584
584
If you are now asking yourself how problems can be avoided, the best advice is to start
585
585
out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After
589
589
The examples in this chapter (also in the book as a whole) are known to work. That means
590
590
that they could serve as the kick-off point for your journey through fields of knowledge.
591
591
Use this resource carefully; we hope it serves you well.
592
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
592
</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
593
593
Do not be lulled into thinking that you can easily adopt the examples in this
594
594
book and adapt them without first working through the examples provided. A little
595
595
thing overlooked can cause untold pain and may permanently tarnish your experience.
596
</p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573097"></a>The Name Service Caching Daemon</h5></div></div></div><p>
596
</p></div></div><div class="sect4" title="The Name Service Caching Daemon"><div class="titlepage"><div><div><h5 class="title"><a name="id2579156"></a>The Name Service Caching Daemon</h5></div></div></div><p>
597
597
The name service caching daemon (nscd) is a primary cause of difficulties with name
598
598
resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its
599
599
own caching, thus nscd causes double caching which can lead to peculiar problems during
660
660
<code class="prompt">root# </code> chkconfig nscd off
661
661
<code class="prompt">root# </code> rcnscd off
662
662
</pre><p>
663
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573271"></a>Debugging LDAP</h5></div></div></div><p>
664
<a class="indexterm" name="id2573279"></a>
665
<a class="indexterm" name="id2573286"></a>
666
<a class="indexterm" name="id2573293"></a>
663
</p></div><div class="sect4" title="Debugging LDAP"><div class="titlepage"><div><div><h5 class="title"><a name="id2579330"></a>Debugging LDAP</h5></div></div></div><p>
664
<a class="indexterm" name="id2579338"></a>
665
<a class="indexterm" name="id2579345"></a>
666
<a class="indexterm" name="id2579351"></a>
667
667
In the example <code class="filename">/etc/openldap/slapd.conf</code> control file
668
668
(see <a class="link" href="happy.html#sbehap-dbconf" title="Example�5.1.�LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a>) there is an entry for <code class="constant">loglevel 256</code>.
669
669
To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
670
670
and restart <code class="literal">slapd</code>.
671
671
</p><p>
672
<a class="indexterm" name="id2573328"></a>
673
<a class="indexterm" name="id2573335"></a>
672
<a class="indexterm" name="id2579387"></a>
673
<a class="indexterm" name="id2579394"></a>
674
674
LDAP log information can be directed into a file that is separate from the normal system
675
675
log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following
676
676
contents:
689
689
local site needs. The configuration used later in this chapter reflects such
690
690
customization with the intent that LDAP log files will be stored at a location
691
691
that meets local site needs and wishes more fully.
692
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573377"></a>Debugging NSS_LDAP</h5></div></div></div><p>
692
</p></div><div class="sect4" title="Debugging NSS_LDAP"><div class="titlepage"><div><div><h5 class="title"><a name="id2579436"></a>Debugging NSS_LDAP</h5></div></div></div><p>
693
693
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
694
694
<code class="filename">/etc/ldap.conf</code> file the following parameters:
695
695
</p><pre class="screen">
702
702
</pre><p>
703
703
</p><p>
704
704
The diagnostic process should follow these steps:
705
</p><div class="procedure"><a name="id2573421"></a><p class="title"><b>Procedure�5.1.�NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p>
705
</p><div class="procedure" title="Procedure�5.1.�NSS_LDAP Diagnostic Steps"><a name="id2579479"></a><p class="title"><b>Procedure�5.1.�NSS_LDAP Diagnostic Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
706
706
Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries
707
707
in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory
708
708
tree location that was chosen when the directory was first created.
739
739
will be evaluated sequentially. Let us consider an example of use where the following DIT
740
740
has been implemented:
741
741
</p><p>
742
</p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>
742
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li class="listitem"><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li class="listitem"><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>
743
743
</p><p>
744
744
The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive
745
745
in the <code class="filename">/etc/ldap.conf</code> file may be:
747
747
nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
748
748
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
749
749
</pre><p>
750
</p></li><li><p>
750
</p></li><li class="step" title="Step 2"><p>
751
751
Perform lookups such as:
752
752
</p><pre class="screen">
753
753
<code class="prompt">root# </code> getent passwd
755
755
Each such lookup will create an entry in the <code class="filename">/data/log</code> directory
756
756
for each such process executed. The contents of each file created in this directory
757
757
may provide a hint as to the cause of the a problem that is under investigation.
758
</p></li><li><p>
758
</p></li><li class="step" title="Step 3"><p>
759
759
For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code>
760
760
to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
761
761
a successful lookup:
788
788
slapd[12164]: conn=1 fd=10 closed
789
789
790
790
</pre><p>
791
</p></li><li><p>
791
</p></li><li class="step" title="Step 4"><p>
792
792
Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the
793
793
<code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the
794
794
<code class="filename">/etc/openldap/slapd.conf</code> file.
795
</p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573672"></a>Debugging Samba</h5></div></div></div><p>
795
</p></li></ol></div></div><div class="sect4" title="Debugging Samba"><div class="titlepage"><div><div><h5 class="title"><a name="id2579730"></a>Debugging Samba</h5></div></div></div><p>
796
796
The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems:
797
797
</p><pre class="screen">
798
798
[global]
822
822
</p><p>
823
823
Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span>
824
824
and <span class="emphasis"><em>error</em></span>.
825
</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573743"></a>Debugging on the Windows Client</h5></div></div></div><p>
825
</p></div><div class="sect4" title="Debugging on the Windows Client"><div class="titlepage"><div><div><h5 class="title"><a name="id2579801"></a>Debugging on the Windows Client</h5></div></div></div><p>
826
826
MS Windows 2000 Professional and Windows XP Professional clients can be configured
827
827
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
828
828
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
829
829
version of MS Windows.
830
</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573760"></a>Political Issues</h3></div></div></div><p>
830
</p></div></div></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2579819"></a>Political Issues</h3></div></div></div><p>
831
831
MS Windows network users are generally very sensitive to limits that may be imposed when
832
832
confronted with locked-down workstation configurations. The challenge you face must
833
833
be promoted as a choice between reliable, fast network operation and a constant flux
834
834
of problems that result in user irritation.
835
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573776"></a>Installation Checklist</h3></div></div></div><p>
835
</p></div><div class="sect2" title="Installation Checklist"><div class="titlepage"><div><div><h3 class="title"><a name="id2579834"></a>Installation Checklist</h3></div></div></div><p>
836
836
You are starting a complex project. Even though you went through the installation of a complex
837
837
network in <a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>, this network is a bigger challenge because of the
838
838
large number of complex applications that must be configured before the first few steps
840
840
frequently review the steps ahead while making at least a mental note of what has already
841
841
been completed. The following task list may help you to keep track of the task items
842
842
that are covered:
843
</p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573956"></a>Samba Server Implementation</h2></div></div></div><p>
844
<a class="indexterm" name="id2573964"></a>
845
<a class="indexterm" name="id2573971"></a>
843
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>OpenLDAP server</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Samba-3 PDC</p></li><li class="listitem"><p>Idealx smbldap scripts</p></li><li class="listitem"><p>LDAP initialization</p></li><li class="listitem"><p>Create user and group accounts</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profile directories</p></li><li class="listitem"><p>Logon scripts</p></li><li class="listitem"><p>Configuration of user rights and privileges</p></li></ol></div></li><li class="listitem"><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>DHCP and DNS servers</p></li><li class="listitem"><p>PAM and NSS client tools</p></li><li class="listitem"><p>Printers</p></li><li class="listitem"><p>Share point directory roots</p></li><li class="listitem"><p>Profiles directories</p></li></ol></div></li><li class="listitem"><p>Windows XP Client Configuration</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Default profile folder redirection</p></li><li class="listitem"><p>MS Outlook PST file relocation</p></li><li class="listitem"><p>Delete roaming profile on logout</p></li><li class="listitem"><p>Upload printer drivers to Samba servers</p></li><li class="listitem"><p>Install software</p></li><li class="listitem"><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" title="Samba Server Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580015"></a>Samba Server Implementation</h2></div></div></div><p>
844
<a class="indexterm" name="id2580023"></a>
845
<a class="indexterm" name="id2580030"></a>
846
846
The network design shown in <a class="link" href="happy.html#chap6net" title="Figure�5.2.�Network Topology 500 User Network Using ldapsam passdb backend">“Network Topology 500 User Network Using ldapsam passdb backend”</a> is not comprehensive. It is assumed
847
847
that you will install additional file servers and possibly additional BDCs.
848
848
</p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure�5.2.�Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p>
849
<a class="indexterm" name="id2574034"></a>
850
<a class="indexterm" name="id2574041"></a>
849
<a class="indexterm" name="id2580092"></a>
850
<a class="indexterm" name="id2580099"></a>
851
851
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
852
852
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
853
853
adjust the locations for your particular Linux system distribution/implementation.
854
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
854
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
855
855
The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
856
856
scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
857
857
please verify that the versions you are about to use are matching. The smbldap-tools package
867
867
have completed the network implementation shown in that chapter. If you are starting
868
868
with newly installed Linux servers, you must complete the steps shown in
869
869
<a class="link" href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">“Installation of DHCP, DNS, and Samba Control Files”</a> before commencing at <a class="link" href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">“OpenLDAP Server Configuration”</a>.
870
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
871
<a class="indexterm" name="id2574122"></a>
872
<a class="indexterm" name="id2574129"></a>
873
<a class="indexterm" name="id2574136"></a>
870
</p><div class="sect2" title="OpenLDAP Server Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
871
<a class="indexterm" name="id2580181"></a>
872
<a class="indexterm" name="id2580187"></a>
873
<a class="indexterm" name="id2580194"></a>
874
874
Confirm that the packages shown in <a class="link" href="happy.html#oldapreq" title="Table�5.2.�Required OpenLDAP Linux Packages">“Required OpenLDAP Linux Packages”</a> are installed on your system.
875
875
</p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table�5.2.�Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left">�</td></tr></tbody></table></div></div><br class="table-break"><p>
876
876
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
877
877
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
878
878
follow these guidelines, the resulting system should work fine.
879
</p><div class="procedure"><a name="id2574268"></a><p class="title"><b>Procedure�5.2.�OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p>
880
<a class="indexterm" name="id2574279"></a>
879
</p><div class="procedure" title="Procedure�5.2.�OpenLDAP Server Configuration Steps"><a name="id2580326"></a><p class="title"><b>Procedure�5.2.�OpenLDAP Server Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
880
<a class="indexterm" name="id2580338"></a>
881
881
Install the file shown in <a class="link" href="happy.html#sbehap-slapdconf" title="Example�5.2.�LDAP Master Configuration File /etc/openldap/slapd.conf Part A">“LDAP Master Configuration File /etc/openldap/slapd.conf Part A”</a> in the directory
882
882
<code class="filename">/etc/openldap</code>.
883
</p></li><li><p>
884
<a class="indexterm" name="id2574307"></a>
885
<a class="indexterm" name="id2574314"></a>
886
<a class="indexterm" name="id2574321"></a>
883
</p></li><li class="step" title="Step 2"><p>
884
<a class="indexterm" name="id2580366"></a>
885
<a class="indexterm" name="id2580373"></a>
886
<a class="indexterm" name="id2580380"></a>
887
887
Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that
888
888
the directory exists with permissions:
889
889
</p><pre class="screen">
891
891
drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
892
892
</pre><p>
893
893
This may require you to add a user and a group account for LDAP if they do not exist.
894
</p></li><li><p>
895
<a class="indexterm" name="id2574357"></a>
894
</p></li><li class="step" title="Step 3"><p>
895
<a class="indexterm" name="id2580415"></a>
896
896
Install the file shown in <a class="link" href="happy.html#sbehap-dbconf" title="Example�5.1.�LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a> in the directory
897
897
<code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code>
898
898
has been started, it is possible to cause the new settings to take effect by shutting down
899
899
the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the
900
900
<code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server.
901
</p></li><li><p>
902
<a class="indexterm" name="id2574410"></a>
901
</p></li><li class="step" title="Step 4"><p>
902
<a class="indexterm" name="id2580468"></a>
903
903
Performance logging can be enabled and should preferably be sent to a file on
904
904
a file system that is large enough to handle significantly sized logs. To enable
905
905
the logging at a verbose level to permit detailed analysis, uncomment the entry in
906
the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”.
906
the <code class="filename">/etc/openldap/slapd.conf</code> shown as <span class="quote">“<span class="quote">loglevel 256</span>”</span>.
907
907
</p><p>
908
908
Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end
909
909
of the file:
974
974
index sambaPrimaryGroupSID eq
975
975
index sambaDomainName eq
976
976
index default sub
977
</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
978
<a class="indexterm" name="id2574568"></a>
979
<a class="indexterm" name="id2574575"></a>
980
<a class="indexterm" name="id2574582"></a>
977
</pre></div></div><br class="example-break"></div><div class="sect2" title="PAM and NSS Client Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
978
<a class="indexterm" name="id2580627"></a>
979
<a class="indexterm" name="id2580634"></a>
980
<a class="indexterm" name="id2580640"></a>
981
981
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
982
982
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
983
983
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
984
984
</p><p>
985
<a class="indexterm" name="id2574596"></a>
986
<a class="indexterm" name="id2574606"></a>
985
<a class="indexterm" name="id2580655"></a>
986
<a class="indexterm" name="id2580664"></a>
987
987
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
988
988
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
989
989
correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the
990
990
PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code>
991
991
module also has the ability to redirect authentication requests through LDAP.
992
992
</p><p>
993
<a class="indexterm" name="id2574634"></a>
994
<a class="indexterm" name="id2574641"></a>
995
<a class="indexterm" name="id2574648"></a>
996
<a class="indexterm" name="id2574655"></a>
993
<a class="indexterm" name="id2580693"></a>
994
<a class="indexterm" name="id2580699"></a>
995
<a class="indexterm" name="id2580706"></a>
996
<a class="indexterm" name="id2580713"></a>
997
997
You have chosen to configure these services by directly editing the system files, but of course, you
998
998
know that this configuration can be done using system tools provided by the Linux system vendor.
999
999
SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits
1000
1000
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code>
1001
1001
tool for this.
1002
</p><div class="procedure"><a name="id2574694"></a><p class="title"><b>Procedure�5.3.�PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example�5.4.�Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
1002
</p><div class="procedure" title="Procedure�5.3.�PAM and NSS Client Configuration Steps"><a name="id2580753"></a><p class="title"><b>Procedure�5.3.�PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example�5.4.�Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
1003
1003
host 127.0.0.1
1004
1004
1005
1005
base dc=abmas,dc=biz
1041
1041
nss_base_group ou=Groups,dc=abmas,dc=biz?one
1042
1042
1043
1043
ssl off
1044
</pre></div></div><br class="example-break"><ol type="1"><li><p>
1045
<a class="indexterm" name="id2574706"></a>
1046
<a class="indexterm" name="id2574713"></a>
1047
<a class="indexterm" name="id2574720"></a>
1044
</pre></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1045
<a class="indexterm" name="id2580764"></a>
1046
<a class="indexterm" name="id2580772"></a>
1047
<a class="indexterm" name="id2580778"></a>
1048
1048
Execute the following command to find where the <code class="filename">nss_ldap</code> module
1049
1049
expects to find its control file:
1050
1050
</p><pre class="screen">
1051
1051
<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf
1052
1052
</pre><p>
1053
1053
The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.
1054
</p></li><li><p>
1054
</p></li><li class="step" title="Step 2"><p>
1055
1055
On the server <code class="constant">MASSIVE</code>, install the file shown in
1056
1056
<a class="link" href="happy.html#sbehap-nss01" title="Example�5.4.�Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
1057
1057
On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in
1058
1058
<a class="link" href="happy.html#sbehap-nss02" title="Example�5.5.�Configuration File for NSS LDAP Clients Support /etc/ldap.conf">“Configuration File for NSS LDAP Clients Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
1059
</p></li><li><p>
1060
<a class="indexterm" name="id2574854"></a>
1059
</p></li><li class="step" title="Step 3"><p>
1060
<a class="indexterm" name="id2580912"></a>
1061
1061
Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that
1062
1062
control user and group resolution will obtain information from the normal system files as
1063
1063
well as from <code class="literal">ldap</code>:
1071
1071
added, you can validate resolution of the LDAP resolver process. The inclusion of
1072
1072
WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
1073
1073
resolved to their IP addresses, whether or not they are DHCP clients.
1074
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1074
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1075
1075
Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code>
1076
1076
file that may cause operational problems with the configuration methods adopted in this book. It is
1077
1077
advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code>
1079
1079
</p></div><p>
1080
1080
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
1081
1081
<code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP.
1082
</p></li><li><p>
1083
<a class="indexterm" name="id2574929"></a>
1082
</p></li><li class="step" title="Step 4"><p>
1083
<a class="indexterm" name="id2580988"></a>
1084
1084
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1085
1085
files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>,
1086
1086
<code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the
1102
1102
session required pam_limits.so
1103
1103
</pre><p>
1104
1104
</p><p>
1105
<a class="indexterm" name="id2575008"></a>
1105
<a class="indexterm" name="id2581067"></a>
1106
1106
On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module,
1107
1107
you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here:
1108
1108
</p><pre class="screen">
1125
1125
demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either
1126
1126
implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports
1127
1127
LDAP, you probably want to use it rather than add an additional module.
1128
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
1129
<a class="indexterm" name="id2575091"></a>
1128
</p></li></ol></div></div><div class="sect2" title="Samba-3 PDC Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
1129
<a class="indexterm" name="id2581150"></a>
1130
1130
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
1131
1131
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
1132
1132
choice to either build your own or obtain the packages from a dependable source.
1133
1133
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
1134
1134
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
1135
1135
is included with this book.
1136
</p><div class="procedure"><a name="id2575107"></a><p class="title"><b>Procedure�5.4.�Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p>
1136
</p><div class="procedure" title="Procedure�5.4.�Configuration of PDC Called MASSIVE"><a name="id2581166"></a><p class="title"><b>Procedure�5.4.�Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1137
1137
Install the files in <a class="link" href="happy.html#sbehap-massive-smbconfa" title="Example�5.6.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”</a>,
1138
1138
<a class="link" href="happy.html#sbehap-massive-smbconfb" title="Example�5.7.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”</a>, <a class="link" href="happy.html#sbehap-shareconfa" title="Example�5.10.�LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>,
1139
1139
and <a class="link" href="happy.html#sbehap-shareconfb" title="Example�5.11.�LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> into the <code class="filename">/etc/samba/</code>
1142
1142
<code class="filename">smb.conf.master</code> and then to perform all file edits
1143
1143
on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in
1144
1144
the next step.
1145
</p></li><li><p>
1146
<a class="indexterm" name="id2575184"></a>
1145
</p></li><li class="step" title="Step 2"><p>
1146
<a class="indexterm" name="id2581242"></a>
1147
1147
Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by:
1148
1148
</p><pre class="screen">
1149
1149
<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf
1170
1170
Server role: ROLE_DOMAIN_PDC
1171
1171
Press enter to see a dump of your service definitions
1172
1172
</pre><p>
1173
</p></li><li><p>
1173
</p></li><li class="step" title="Step 3"><p>
1174
1174
Delete all runtime files from prior Samba operation by executing (for SUSE
1175
1175
Linux):
1176
1176
</p><pre class="screen">
1179
1179
<code class="prompt">root# </code> rm /var/lib/samba/*dat
1180
1180
<code class="prompt">root# </code> rm /var/log/samba/*
1181
1181
</pre><p>
1182
</p></li><li><p>
1183
<a class="indexterm" name="id2575283"></a>
1184
<a class="indexterm" name="id2575290"></a>
1182
</p></li><li class="step" title="Step 4"><p>
1183
<a class="indexterm" name="id2581342"></a>
1184
<a class="indexterm" name="id2581348"></a>
1185
1185
Samba-3 communicates with the LDAP server. The password that it uses to
1186
1186
authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code>
1187
1187
file. Execute the following to create the new <code class="filename">secrets.tdb</code> files
1193
1193
</p><pre class="screen">
1194
1194
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1195
1195
</pre><p>
1196
</p></li><li><p>
1197
<a class="indexterm" name="id2575339"></a>
1198
<a class="indexterm" name="id2575345"></a>
1196
</p></li><li class="step" title="Step 5"><p>
1197
<a class="indexterm" name="id2581397"></a>
1198
<a class="indexterm" name="id2581404"></a>
1199
1199
Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code>
1200
1200
has been started. For this reason, you start Samba. After a few seconds delay,
1201
1201
execute:
1226
1226
may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical
1227
1227
errors (the most common problem). The use of the <code class="literal">testparm</code> is highly
1228
1228
recommended to validate the contents of this file.
1229
</p></li><li><p>
1229
</p></li><li class="step" title="Step 6"><p>
1230
1230
When a positive domain SID has been reported, stop Samba.
1231
</p></li><li><p>
1232
<a class="indexterm" name="id2575457"></a>
1233
<a class="indexterm" name="id2575464"></a>
1234
<a class="indexterm" name="id2575471"></a>
1235
<a class="indexterm" name="id2575478"></a>
1231
</p></li><li class="step" title="Step 7"><p>
1232
<a class="indexterm" name="id2581516"></a>
1233
<a class="indexterm" name="id2581523"></a>
1234
<a class="indexterm" name="id2581530"></a>
1235
<a class="indexterm" name="id2581536"></a>
1236
1236
Configure the NFS server for your Linux system. So you can complete the steps that
1237
1237
follow, enter into the <code class="filename">/etc/exports</code> the following entry:
1238
1238
</p><pre class="screen">
1250
1250
</p></li></ol></div><p>
1251
1251
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1252
1252
configuration of the LDAP server.
1253
</p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example�5.6.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2575564"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2575576"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2575588"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2575600"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2575611"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575623"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575636"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575648"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2575660"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2575671"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2575683"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2575694"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2575706"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2575718"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2575730"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575742"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2575753"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2575766"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575778"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575790"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575803"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575815"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575828"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575841"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575854"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example�5.7.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2575892"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2575904"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2575916"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2575927"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575939"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575951"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575962"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575974"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575986"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575998"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2576010"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2576022"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576034"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576047"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576058"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576070"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2576082"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2576094"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>
1254
<a class="indexterm" name="id2576120"></a>
1253
</p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example�5.6.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2581623"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2581635"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2581646"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2581658"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2581670"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2581682"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2581694"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2581706"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2581718"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2581730"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2581741"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2581753"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2581765"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2581776"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2581788"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2581800"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2581812"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2581824"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2581836"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2581849"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2581861"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2581874"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2581887"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2581900"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2581913"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example�5.7.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td><a class="indexterm" name="id2581950"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2581962"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2581974"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2581986"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2581997"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2582009"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2582021"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2582033"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2582045"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2582057"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2582069"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2582081"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2582093"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2582105"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2582117"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2582129"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2582141"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2582152"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" title="Install and Configure Idealx smbldap-tools Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>
1254
<a class="indexterm" name="id2582178"></a>
1255
1255
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
1256
1256
on the LDAP server. You have chosen the Idealx scripts because they are the best-known
1257
1257
LDAP configuration scripts. The use of these scripts will help avoid the necessity
1261
1261
from this site also. Alternatively, you may obtain the
1262
1262
<a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a>
1263
1263
file that may be used to build an installable RPM package for your Linux system.
1264
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1264
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1265
1265
The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
1266
1266
change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>).
1267
1267
</p></div><p>
1268
1268
The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>.
1269
1269
The scripts are not needed on BDC machines because all LDAP updates are handled by
1270
1270
the PDC alone.
1271
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576187"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>
1271
</p><div class="sect3" title="Installation of smbldap-tools from the Tarball"><div class="titlepage"><div><div><h4 class="title"><a name="id2582245"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>
1272
1272
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
1273
</p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure�5.5.�Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p>
1273
</p><div class="procedure" title="Procedure�5.5.�Unpacking and Installation Steps for the smbldap-tools Tarball"><a name="idealxscript"></a><p class="title"><b>Procedure�5.5.�Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1274
1274
Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions
1275
1275
and ownership as shown here:
1276
1276
</p><pre class="screen">
1281
1281
<code class="prompt">root# </code> chown root:root /etc/smbldap-tools
1282
1282
<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools
1283
1283
</pre><p>
1284
</p></li><li><p>
1284
</p></li><li class="step" title="Step 2"><p>
1285
1285
If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
1286
1286
Change into either the directory extracted from the tarball or the smbldap-tools
1287
1287
directory in your <code class="filename">/usr/share/doc/packages</code> directory tree.
1288
</p></li><li><p>
1288
</p></li><li class="step" title="Step 3"><p>
1289
1289
Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the
1290
1290
<code class="filename">/opt/IDEALX/sbin</code> directory, as shown here:
1291
1291
</p><pre class="screen">
1297
1297
<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf
1298
1298
<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf
1299
1299
</pre><p>
1300
</p></li><li><p>
1300
</p></li><li class="step" title="Step 4"><p>
1301
1301
The smbldap-tools scripts master control file must now be configured.
1302
1302
Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the
1303
1303
<code class="filename">smbldap_tools.pm</code> to affect the changes
1310
1310
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
1311
1311
...
1312
1312
</pre><p>
1313
</p></li><li><p>
1313
</p></li><li class="step" title="Step 5"><p>
1314
1314
To complete the configuration of the smbldap-tools, set the permissions and ownership
1315
1315
by executing the following commands:
1316
1316
</p><pre class="screen">
1320
1320
</pre><p>
1321
1321
The smbldap-tools scripts are now ready for the configuration step outlined in
1322
1322
<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">“Configuration of smbldap-tools”</a>.
1323
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576439"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
1323
</p></li></ol></div></div><div class="sect3" title="Installing smbldap-tools from the RPM Package"><div class="titlepage"><div><div><h4 class="title"><a name="id2582498"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
1324
1324
In the event that you have elected to use the RPM package provided by Idealx, download the
1325
1325
source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure:
1326
</p><div class="procedure"><a name="id2576457"></a><p class="title"><b>Procedure�5.6.�Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p>
1326
</p><div class="procedure" title="Procedure�5.6.�Installation Steps for smbldap-tools RPM's"><a name="id2582516"></a><p class="title"><b>Procedure�5.6.�Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1327
1327
Install the source RPM that has been downloaded as follows:
1328
1328
</p><pre class="screen">
1329
1329
<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm
1330
1330
</pre><p>
1331
</p></li><li><p>
1331
</p></li><li class="step" title="Step 2"><p>
1332
1332
Change into the directory in which the SPEC files are located. On SUSE Linux:
1333
1333
</p><pre class="screen">
1334
1334
<code class="prompt">root# </code> cd /usr/src/packages/SPECS
1337
1337
</p><pre class="screen">
1338
1338
<code class="prompt">root# </code> cd /usr/src/redhat/SPECS
1339
1339
</pre><p>
1340
</p></li><li><p>
1340
</p></li><li class="step" title="Step 3"><p>
1341
1341
Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the
1342
1342
<code class="constant">_sysconfig</code> macro as shown here:
1343
1343
</p><pre class="screen">
1345
1345
%define _sysconfdir /etc
1346
1346
</pre><p>
1347
1347
Note: Any suitable directory can be specified.
1348
</p></li><li><p>
1348
</p></li><li class="step" title="Step 4"><p>
1349
1349
Build the package by executing:
1350
1350
</p><pre class="screen">
1351
1351
<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec
1352
1352
</pre><p>
1353
1353
A build process that has completed without error will place the installable binary
1354
1354
files in the directory <code class="filename">../RPMS/noarch</code>.
1355
</p></li><li><p>
1355
</p></li><li class="step" title="Step 5"><p>
1356
1356
Install the binary package by executing:
1357
1357
</p><pre class="screen">
1358
1358
<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
1360
1360
</p></li></ol></div><p>
1361
1361
The Idealx scripts should now be ready for configuration using the steps outlined in
1362
1362
<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
1363
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
1363
</p></div><div class="sect3" title="Configuration of smbldap-tools"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
1364
1364
Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file
1365
1365
and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption
1366
1366
is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that
1368
1368
</p><p>
1369
1369
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
1370
1370
in the <code class="filename">smb.conf</code> file.
1371
</p><div class="procedure"><a name="id2576652"></a><p class="title"><b>Procedure�5.7.�Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p>
1371
</p><div class="procedure" title="Procedure�5.7.�Configuration Steps for smbldap-tools to Enable Use"><a name="id2582711"></a><p class="title"><b>Procedure�5.7.�Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1372
1372
Change into the directory that contains the <code class="filename">configure.pl</code> script.
1373
1373
</p><pre class="screen">
1374
1374
<code class="prompt">root# </code> cd /opt/IDEALX/sbin
1375
1375
</pre><p>
1376
</p></li><li><p>
1376
</p></li><li class="step" title="Step 2"><p>
1377
1377
Execute the <code class="filename">configure.pl</code> script as follows:
1378
1378
</p><pre class="screen">
1379
1379
<code class="prompt">root# </code> ./configure.pl
1469
1469
Since a slave LDAP server has not been configured, it is necessary to specify the IP
1470
1470
address of the master LDAP server for both the master and the slave configuration
1471
1471
prompts.
1472
</p></li><li><p>
1472
</p></li><li class="step" title="Step 3"><p>
1473
1473
Change to the directory that contains the <code class="filename">smbldap.conf</code> file,
1474
1474
then verify its contents.
1475
1475
</p></li></ol></div><p>
1476
1476
The smbldap-tools are now ready for use.
1477
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2576854"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
1477
</p></div></div><div class="sect2" title="LDAP Initialization and Creation of User and Group Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2582912"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
1478
1478
The LDAP database must be populated with well-known Windows domain user accounts and domain group
1479
1479
accounts before Samba can be used. The following procedures step you through the process.
1480
1480
</p><p>
1486
1486
does not need to ask LDAP.
1487
1487
</p><p>
1488
1488
Addition of an account to the LDAP backend can be done in two ways:
1489
</p><div class="itemizedlist"><ul type="disc"><li><p>
1490
<a class="indexterm" name="id2576888"></a>
1491
<a class="indexterm" name="id2576894"></a>
1492
<a class="indexterm" name="id2576901"></a>
1493
<a class="indexterm" name="id2576908"></a>
1494
<a class="indexterm" name="id2576915"></a>
1495
<a class="indexterm" name="id2576922"></a>
1489
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
1490
<a class="indexterm" name="id2582946"></a>
1491
<a class="indexterm" name="id2582953"></a>
1492
<a class="indexterm" name="id2582960"></a>
1493
<a class="indexterm" name="id2582966"></a>
1494
<a class="indexterm" name="id2582973"></a>
1495
<a class="indexterm" name="id2582980"></a>
1496
1496
If you always have a user account in the <code class="filename">/etc/passwd</code> on every
1497
1497
server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
1498
1498
LDAP. In this case, you can add Windows domain user accounts using the
1503
1503
expects the POSIX account to be in LDAP also. It is possible to use the PADL account
1504
1504
migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>
1505
1505
files, or from NIS, to LDAP.
1506
</p></li><li><p>
1506
</p></li><li class="listitem"><p>
1507
1507
If you decide that it is probably a good idea to add both the PosixAccount attributes
1508
1508
as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
1509
1509
In the example system you are installing in this exercise, you are making use of the
1510
1510
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
1511
1511
is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>
1512
1512
</p></li></ul></div><p>
1513
<a class="indexterm" name="id2576982"></a>
1513
<a class="indexterm" name="id2583040"></a>
1514
1514
If you wish to have more control over how the LDAP database is initialized or
1515
1515
if you don't want to use the Idealx smbldap-tools, you should refer to
1516
1516
<a class="link" href="appendix.html" title="Chapter�15.�A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">“Alternative LDAP Database Initialization”</a>.
1517
1517
</p><p>
1518
<a class="indexterm" name="id2577009"></a>
1518
<a class="indexterm" name="id2583067"></a>
1519
1519
The following steps initialize the LDAP database, and then you can add user and group
1520
1520
accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to
1521
1521
seed the LDAP database. You then manually add the accounts shown in <a class="link" href="happy.html#sbehap-bigacct" title="Table�5.3.�Abmas Network Users and Groups">“Abmas Network Users and Groups”</a>.
1522
1522
The list of users does not cover all 500 network users; it provides examples only.
1523
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1524
<a class="indexterm" name="id2577038"></a>
1525
<a class="indexterm" name="id2577047"></a>
1526
<a class="indexterm" name="id2577056"></a>
1523
</p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1524
<a class="indexterm" name="id2583097"></a>
1525
<a class="indexterm" name="id2583106"></a>
1526
<a class="indexterm" name="id2583115"></a>
1527
1527
In the following examples, as the LDAP database is initialized, we do create a container
1528
1528
for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made
1529
1529
of the People container, not the Computers container, for domain member accounts. This is not a
1540
1540
can be found. Alternatively, by placing all machine accounts in the People container, we
1541
1541
are able to sidestep this limitation. This is the simpler solution that has been adopted
1542
1542
in this chapter.
1543
</p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table�5.3.�Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left">�</td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left">�</td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left">�</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure�5.8.�LDAP Directory Initialization Steps</b></p><ol type="1"><li><p>
1543
</p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table�5.3.�Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left">�</td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left">�</td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left">�</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure" title="Procedure�5.8.�LDAP Directory Initialization Steps"><a name="creatacc"></a><p class="title"><b>Procedure�5.8.�LDAP Directory Initialization Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1544
1544
Start the LDAP server by executing:
1545
1545
</p><pre class="screen">
1546
1546
<code class="prompt">root# </code> rcldap start
1547
1547
Starting ldap-server done
1548
1548
</pre><p>
1549
</p></li><li><p>
1549
</p></li><li class="step" title="Step 2"><p>
1550
1550
Change to the <code class="filename">/opt/IDEALX/sbin</code> directory.
1551
</p></li><li><p>
1551
</p></li><li class="step" title="Step 3"><p>
1552
1552
Execute the script that will populate the LDAP database as shown here:
1553
1553
</p><pre class="screen">
1554
1554
<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0
1579
1579
adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1580
1580
adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
1581
1581
</pre><p>
1582
</p></li><li><p>
1582
</p></li><li class="step" title="Step 4"><p>
1583
1583
Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following
1584
1584
information is changed from:
1585
1585
</p><pre class="screen">
1592
1592
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1593
1593
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
1594
1594
</pre><p>
1595
</p></li><li><p>
1595
</p></li><li class="step" title="Step 5"><p>
1596
1596
It is necessary to restart the LDAP server as shown here:
1597
1597
</p><pre class="screen">
1598
1598
<code class="prompt">root# </code> rcldap restart
1599
1599
Shutting down ldap-server done
1600
1600
Starting ldap-server done
1601
1601
</pre><p>
1602
</p></li><li><p>
1603
<a class="indexterm" name="id2577476"></a>
1602
</p></li><li class="step" title="Step 6"><p>
1603
<a class="indexterm" name="id2583535"></a>
1604
1604
So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
1605
1605
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
1606
1606
the simplest is to execute:
1609
1609
dn: ou=Idmap,dc=abmas,dc=biz
1610
1610
ou: idmap
1611
1611
</pre><p>
1612
<a class="indexterm" name="id2577500"></a>
1612
<a class="indexterm" name="id2583558"></a>
1613
1613
If the execution of this command does not return IDMAP entries, you need to create an LDIF
1614
1614
template file (see <a class="link" href="happy.html#sbehap-ldifadd" title="Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using
1615
1615
the following command:
1618
1618
-w not24get < /etc/openldap/idmap.LDIF
1619
1619
</pre><p>
1620
1620
Samba automatically populates this LDAP directory container when it needs to.
1621
</p></li><li><p>
1622
<a class="indexterm" name="id2577540"></a>
1621
</p></li><li class="step" title="Step 7"><p>
1622
<a class="indexterm" name="id2583598"></a>
1623
1623
It looks like all has gone well, as expected. Let's confirm that this is the case
1624
1624
by running a few tests. First we check the contents of the database directly
1625
1625
by running <code class="literal">slapcat</code> as follows (the output has been cut down):
1656
1656
modifyTimestamp: 20031217234206Z
1657
1657
</pre><p>
1658
1658
This looks good so far.
1659
</p></li><li><p>
1660
<a class="indexterm" name="id2577591"></a>
1659
</p></li><li class="step" title="Step 8"><p>
1660
<a class="indexterm" name="id2583649"></a>
1661
1661
The next step is to prove that the LDAP server is running and responds to a
1662
1662
search request. Execute the following as shown (output has been cut to save space):
1663
1663
</p><pre class="screen">
1701
1701
# numEntries: 19
1702
1702
</pre><p>
1703
1703
Good. It is all working just fine.
1704
</p></li><li><p>
1705
<a class="indexterm" name="id2577648"></a>
1704
</p></li><li class="step" title="Step 9"><p>
1705
<a class="indexterm" name="id2583706"></a>
1706
1706
You must now make certain that the NSS resolver can interrogate LDAP also.
1707
1707
Execute the following commands:
1708
1708
</p><pre class="screen">
1715
1715
Domain Guests:x:514:
1716
1716
Domain Computers:x:553:
1717
1717
</pre><p>
1718
<a class="indexterm" name="id2577677"></a>
1718
<a class="indexterm" name="id2583736"></a>
1719
1719
This demonstrates that the <code class="literal">nss_ldap</code> library is functioning
1720
1720
as it should. If these two steps fail to produce this information, refer to
1721
1721
<a class="link" href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">“Avoiding Failures: Solving Problems Before They Happen”</a> for diagnostic procedures that can be followed to
1722
1722
isolate the cause of the problem. Proceed to the next step only when the previous steps
1723
1723
have been successfully completed.
1724
</p></li><li><p>
1725
<a class="indexterm" name="id2577708"></a>
1726
<a class="indexterm" name="id2577715"></a>
1727
<a class="indexterm" name="id2577722"></a>
1724
</p></li><li class="step" title="Step 10"><p>
1725
<a class="indexterm" name="id2583766"></a>
1726
<a class="indexterm" name="id2583773"></a>
1727
<a class="indexterm" name="id2583780"></a>
1728
1728
Our database is now ready for the addition of network users. For each user for
1729
1729
whom an account must be created, execute the following:
1730
1730
</p><pre class="screen">
1739
1739
Retype new SMB password: XXXXXXXX
1740
1740
</pre><p>
1741
1741
where <code class="constant">username</code> is the login ID for each user.
1742
</p></li><li><p>
1743
<a class="indexterm" name="id2577783"></a>
1742
</p></li><li class="step" title="Step 11"><p>
1743
<a class="indexterm" name="id2583841"></a>
1744
1744
Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
1745
1745
following:
1746
1746
</p><pre class="screen">
1756
1756
maryv:x:1003:513:System User:/home/maryv:/bin/bash
1757
1757
</pre><p>
1758
1758
This demonstrates that user account resolution via LDAP is working.
1759
</p></li><li><p>
1759
</p></li><li class="step" title="Step 12"><p>
1760
1760
This step will determine whether or not identity resolution is working correctly.
1761
1761
Do not procede is this step fails, rather find the cause of the failure. The
1762
1762
<code class="literal">id</code> command may be used to validate your configuration so far,
1767
1767
</pre><p>
1768
1768
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
1769
1769
by system tools that make a getentpw() system call.
1770
</p></li><li><p>
1771
<a class="indexterm" name="id2577849"></a>
1770
</p></li><li class="step" title="Step 13"><p>
1771
<a class="indexterm" name="id2583907"></a>
1772
1772
The root account must have UID=0; if not, this means that operations conducted from
1773
1773
a Windows client using tools such as the Domain User Manager fails under UNIX because
1774
1774
the management of user and group accounts requires that the UID=0. Additionally, it is
1779
1779
<code class="prompt">root# </code> cd /opt/IDEALX/sbin
1780
1780
<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root
1781
1781
</pre><p>
1782
</p></li><li><p>
1782
</p></li><li class="step" title="Step 14"><p>
1783
1783
Verify that the changes just made to the <code class="constant">root</code> account were
1784
1784
accepted by executing:
1785
1785
</p><pre class="screen">
1788
1788
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
1789
1789
</pre><p>
1790
1790
This demonstrates that the changes were accepted.
1791
</p></li><li><p>
1791
</p></li><li class="step" title="Step 15"><p>
1792
1792
Make certain that a home directory has been created for every user by listing the
1793
1793
directories in <code class="filename">/home</code> as follows:
1794
1794
</p><pre class="screen">
1801
1801
drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
1802
1802
</pre><p>
1803
1803
This is precisely what we want to see.
1804
</p></li><li><p>
1805
<a class="indexterm" name="id2577948"></a>
1806
<a class="indexterm" name="id2577955"></a>
1804
</p></li><li class="step" title="Step 16"><p>
1805
<a class="indexterm" name="id2584006"></a>
1806
<a class="indexterm" name="id2584013"></a>
1807
1807
The final validation step involves making certain that Samba-3 can obtain the user
1808
1808
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
1809
1809
</p><pre class="screen">
1833
1833
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
1834
1834
</pre><p>
1835
1835
This looks good. Of course, you fully expected that it would all work, didn't you?
1836
</p></li><li><p>
1837
<a class="indexterm" name="id2578000"></a>
1836
</p></li><li class="step" title="Step 17"><p>
1837
<a class="indexterm" name="id2584058"></a>
1838
1838
Now you add the group accounts that are used on the Abmas network. Execute
1839
1839
the following exactly as shown:
1840
1840
</p><pre class="screen">
1844
1844
</pre><p>
1845
1845
The addition of groups does not involve keyboard interaction, so the lack of console
1846
1846
output is of no concern.
1847
</p></li><li><p>
1848
<a class="indexterm" name="id2578042"></a>
1847
</p></li><li class="step" title="Step 18"><p>
1848
<a class="indexterm" name="id2584100"></a>
1849
1849
You really do want to confirm that UNIX group resolution from LDAP is functioning
1850
1850
as it should. Let's do this as shown here:
1851
1851
</p><pre class="screen">
1861
1861
</pre><p>
1862
1862
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
1863
1863
as our own site-specific group accounts, are correctly listed. This is looking good.
1864
</p></li><li><p>
1865
<a class="indexterm" name="id2578075"></a>
1864
</p></li><li class="step" title="Step 19"><p>
1865
<a class="indexterm" name="id2584133"></a>
1866
1866
The final step we need to validate is that Samba can see all the Windows domain groups
1867
1867
and that they are correctly mapped to the respective UNIX group account. To do this,
1868
1868
just execute the following command:
1879
1879
This is looking good. Congratulations it works! Note that in the above output
1880
1880
the lines were shortened by replacing the middle value (1010554828) of the SID with the
1881
1881
ellipsis (...).
1882
</p></li><li><p>
1882
</p></li><li class="step" title="Step 20"><p>
1883
1883
The server you have so carefully built is now ready for another important step. You
1884
1884
start the Samba-3 server and validate its operation. Execute the following to render all
1885
1885
the processes needed fully operative so that, on system reboot, they are automatically
1895
1895
<code class="prompt">root# </code> rcsmb start
1896
1896
<code class="prompt">root# </code> rcwinbind start
1897
1897
</pre><p>
1898
</p></li><li><p>
1898
</p></li><li class="step" title="Step 21"><p>
1899
1899
The next step might seem a little odd at this point, but take note that you are about to
1900
1900
start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the
1901
1901
localhost interface with the <code class="literal">smbd</code> process. This account can be
1910
1910
Joined domain MEGANET2.
1911
1911
</pre><p>
1912
1912
This indicates that the domain security account for the PDC has been correctly created.
1913
</p></li><li><p>
1913
</p></li><li class="step" title="Step 22"><p>
1914
1914
At this time it is necessary to restart <code class="literal">winbindd</code> so that it can
1915
1915
correctly authenticate to the PDC. The following command achieves that:
1916
1916
</p><pre class="screen">
1917
1917
<code class="prompt">root# </code> rcwinbind restart
1918
1918
</pre><p>
1919
</p></li><li><p>
1920
<a class="indexterm" name="id2578290"></a>
1919
</p></li><li class="step" title="Step 23"><p>
1920
<a class="indexterm" name="id2584348"></a>
1921
1921
You may now check Samba-3 operation as follows:
1922
1922
</p><pre class="screen">
1923
1923
<code class="prompt">root# </code> smbclient -L massive -U%
1943
1943
MEGANET2 MASSIVE
1944
1944
</pre><p>
1945
1945
This shows that an anonymous connection is working.
1946
</p></li><li><p>
1946
</p></li><li class="step" title="Step 24"><p>
1947
1947
For your finale, let's try an authenticated connection:
1948
1948
</p><pre class="screen">
1949
1949
<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8
1962
1962
Well done. All is working fine.
1963
1963
</p></li></ol></div><p>
1964
1964
The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.
1965
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1966
<a class="indexterm" name="id2578401"></a>
1965
</p></div><div class="sect2" title="Printer Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1966
<a class="indexterm" name="id2584459"></a>
1967
1967
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
1968
1968
taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>
1969
1969
printing to be possible involves creation of the directories in which Samba-3 stores
1970
1970
Windows printing driver files.
1971
</p><div class="procedure"><a name="id2578423"></a><p class="title"><b>Procedure�5.9.�Printer Configuration Steps</b></p><ol type="1"><li><p>
1971
</p><div class="procedure" title="Procedure�5.9.�Printer Configuration Steps"><a name="id2584481"></a><p class="title"><b>Procedure�5.9.�Printer Configuration Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
1972
1972
Configure all network-attached printers to have a fixed IP address.
1973
</p></li><li><p>
1973
</p></li><li class="step" title="Step 2"><p>
1974
1974
Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
1975
1975
in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
1976
1976
and in the reverse lookup database for the network segment that the printer is to
1977
1977
be located in. Example configuration files for similar zones were presented in <a class="link" href="secure.html" title="Chapter�3.�Secure Office Networking">“Secure Office Networking”</a>,
1978
1978
<a class="link" href="secure.html#abmasbiz" title="Example�3.14.�DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a> and in <a class="link" href="secure.html#eth2zone" title="Example�3.13.�DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a>.
1979
</p></li><li><p>
1979
</p></li><li class="step" title="Step 3"><p>
1980
1980
Follow the instructions in the printer manufacturers' manuals to permit printing
1981
1981
to port 9100. Use any other port the manufacturer specifies for direct mode,
1982
1982
raw printing. This allows the CUPS spooler to print using raw mode protocols.
1983
<a class="indexterm" name="id2578484"></a>
1984
<a class="indexterm" name="id2578491"></a>
1985
</p></li><li><p>
1986
<a class="indexterm" name="id2578504"></a>
1987
<a class="indexterm" name="id2578511"></a>
1983
<a class="indexterm" name="id2584542"></a>
1984
<a class="indexterm" name="id2584549"></a>
1985
</p></li><li class="step" title="Step 4"><p>
1986
<a class="indexterm" name="id2584563"></a>
1987
<a class="indexterm" name="id2584569"></a>
1988
1988
Only on the server to which the printer is attached, configure the CUPS Print
1989
1989
Queues as follows:
1990
1990
</p><pre class="screen">
1991
1991
<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>
1992
1992
-v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
1993
1993
</pre><p>
1994
<a class="indexterm" name="id2578546"></a>
1994
<a class="indexterm" name="id2584605"></a>
1995
1995
This step creates the necessary print queue to use no assigned print filter. This
1996
1996
is ideal for raw printing, that is, printing without use of filters.
1997
1997
The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
1998
1998
the particular printer.
1999
</p></li><li><p>
1999
</p></li><li class="step" title="Step 5"><p>
2000
2000
Print queues may not be enabled at creation. Make certain that the queues
2001
2001
you have just created are enabled by executing the following:
2002
2002
</p><pre class="screen">
2003
2003
<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
2004
2004
</pre><p>
2005
</p></li><li><p>
2005
</p></li><li class="step" title="Step 6"><p>
2006
2006
Even though your print queue may be enabled, it is still possible that it
2007
2007
may not accept print jobs. A print queue will service incoming printing
2008
2008
requests only when configured to do so. Ensure that your print queue is
2010
2010
</p><pre class="screen">
2011
2011
<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>
2012
2012
</pre><p>
2013
</p></li><li><p>
2014
<a class="indexterm" name="id2578628"></a>
2015
<a class="indexterm" name="id2578635"></a>
2016
<a class="indexterm" name="id2578642"></a>
2013
</p></li><li class="step" title="Step 7"><p>
2014
<a class="indexterm" name="id2584686"></a>
2015
<a class="indexterm" name="id2584693"></a>
2016
<a class="indexterm" name="id2584700"></a>
2017
2017
Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
2018
2018
</p><pre class="screen">
2019
2019
application/octet-stream application/vnd.cups-raw 0 -
2020
2020
</pre><p>
2021
</p></li><li><p>
2022
<a class="indexterm" name="id2578670"></a>
2021
</p></li><li class="step" title="Step 8"><p>
2022
<a class="indexterm" name="id2584729"></a>
2023
2023
Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
2024
2024
</p><pre class="screen">
2025
2025
application/octet-stream
2026
2026
</pre><p>
2027
</p></li><li><p>
2027
</p></li><li class="step" title="Step 9"><p>
2028
2028
Refer to the CUPS printing manual for instructions regarding how to configure
2029
2029
CUPS so that print queues that reside on CUPS servers on remote networks
2030
2030
route print jobs to the print server that owns that queue. The default setting
2031
2031
on your CUPS server may automatically discover remotely installed printers and
2032
2032
may permit this functionality without requiring specific configuration.
2033
</p></li><li><p>
2033
</p></li><li class="step" title="Step 10"><p>
2034
2034
The following action creates the necessary directory subsystem. Follow these
2035
2035
steps to printing heaven:
2036
2036
</p><pre class="screen">
2038
2038
<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers
2039
2039
<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
2040
2040
</pre><p>
2041
</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2578754"></a><p class="title"><b>Procedure�5.10.�Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p>
2041
</p></li></ol></div></div></div><div class="sect1" title="Samba-3 BDC Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure" title="Procedure�5.10.�Configuration of BDC Called: BLDG1"><a name="id2584812"></a><p class="title"><b>Procedure�5.10.�Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2042
2042
Install the files in <a class="link" href="happy.html#sbehap-bldg1-smbconf" title="Example�5.8.�LDAP Based smb.conf File, Server: BLDG1">“LDAP Based smb.conf File, Server: BLDG1”</a>,
2043
2043
<a class="link" href="happy.html#sbehap-shareconfa" title="Example�5.10.�LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example�5.11.�LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
2044
2044
into the <code class="filename">/etc/samba/</code> directory. The three files
2045
2045
should be added together to form the <code class="filename">smb.conf</code> file.
2046
</p></li><li><p>
2046
</p></li><li class="step" title="Step 2"><p>
2047
2047
Verify the <code class="filename">smb.conf</code> file as in step 2 of <a class="link" href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">“Samba-3 PDC Configuration”</a>.
2048
</p></li><li><p>
2048
</p></li><li class="step" title="Step 3"><p>
2049
2049
Carefully follow the steps outlined in <a class="link" href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">“PAM and NSS Client Configuration”</a>, taking
2050
2050
particular note to install the correct <code class="filename">ldap.conf</code>.
2051
</p></li><li><p>
2051
</p></li><li class="step" title="Step 4"><p>
2052
2052
Verify that the NSS resolver is working. You may need to cycle the run level
2053
2053
to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
2054
2054
commands:
2080
2080
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
2081
2081
</pre><p>
2082
2082
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
2083
</p></li><li><p>
2084
<a class="indexterm" name="id2578914"></a>
2083
</p></li><li class="step" title="Step 5"><p>
2084
<a class="indexterm" name="id2584972"></a>
2085
2085
The next step in the verification process involves testing the operation of UNIX group
2086
2086
resolution via the NSS LDAP resolver. Execute these commands:
2087
2087
</p><pre class="screen">
2110
2110
</pre><p>
2111
2111
This is also the correct and desired output, because it demonstrates that the LDAP client
2112
2112
is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>).
2113
</p></li><li><p>
2114
<a class="indexterm" name="id2578955"></a>
2113
</p></li><li class="step" title="Step 6"><p>
2114
<a class="indexterm" name="id2585013"></a>
2115
2115
You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code>
2116
2116
file by executing this command:
2117
2117
</p><pre class="screen">
2118
2118
<code class="prompt">root# </code> smbpasswd -w not24get
2119
2119
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
2120
2120
</pre><p>
2121
</p></li><li><p>
2121
</p></li><li class="step" title="Step 7"><p>
2122
2122
Now you must obtain the domain SID from the PDC and store it into the
2123
2123
<code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP
2124
2124
passdb backend because Samba-3 obtains the domain SID from the
2135
2135
domain controller that is running on the localhost and must be able to authenticate,
2136
2136
thus requiring that the BDC should be joined to the domain. The process of joining
2137
2137
the domain creates the necessary authentication accounts.
2138
</p></li><li><p>
2138
</p></li><li class="step" title="Step 8"><p>
2139
2139
To join the Samba BDC to the domain, execute the following:
2140
2140
</p><pre class="screen">
2141
2141
<code class="prompt">root# </code> net rpc join -U root%not24get
2142
2142
Joined domain MEGANET2.
2143
2143
</pre><p>
2144
2144
This indicates that the domain security account for the BDC has been correctly created.
2145
</p></li><li><p>
2146
<a class="indexterm" name="id2579056"></a>
2145
</p></li><li class="step" title="Step 9"><p>
2146
<a class="indexterm" name="id2585114"></a>
2147
2147
Verify that user and group account resolution works via Samba-3 tools as follows:
2148
2148
</p><pre class="screen">
2149
2149
<code class="prompt">root# </code> pdbedit -L
2169
2169
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2170
2170
</pre><p>
2171
2171
These results show that all things are in order.
2172
</p></li><li><p>
2172
</p></li><li class="step" title="Step 10"><p>
2173
2173
The server you have so carefully built is now ready for another important step. Now
2174
2174
start the Samba-3 server and validate its operation. Execute the following to render all
2175
2175
the processes needed fully operative so that, upon system reboot, they are automatically
2185
2185
<code class="prompt">root# </code> rcwinbind start
2186
2186
</pre><p>
2187
2187
Samba-3 should now be running and is ready for a quick test. But not quite yet!
2188
</p></li><li><p>
2188
</p></li><li class="step" title="Step 11"><p>
2189
2189
Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users.
2190
2190
To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code>
2191
2191
file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported
2205
2205
<code class="prompt">root# </code> df | grep home
2206
2206
massive:/home 29532988 283388 29249600 1% /home
2207
2207
</pre><p>
2208
</p></li><li><p>
2208
</p></li><li class="step" title="Step 12"><p>
2209
2209
Implement a quick check using one of the users that is in the LDAP database. Here you go:
2210
2210
</p><pre class="screen">
2211
2211
<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8
2224
2224
</p></li></ol></div><p>
2225
2225
Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build
2226
2226
and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:
2227
</p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure�5.11.�Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p>
2227
</p><div class="procedure" title="Procedure�5.11.�Configuration of BDC Called BLDG2"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure�5.11.�Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2228
2228
Install the files in <a class="link" href="happy.html#sbehap-bldg2-smbconf" title="Example�5.9.�LDAP Based smb.conf File, Server: BLDG2">“LDAP Based smb.conf File, Server: BLDG2”</a>,
2229
2229
<a class="link" href="happy.html#sbehap-shareconfa" title="Example�5.10.�LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example�5.11.�LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
2230
2230
into the <code class="filename">/etc/samba/</code> directory. The three files
2231
2231
should be added together to form the <code class="filename">smb.conf</code> file.
2232
</p></li><li><p>
2232
</p></li><li class="step" title="Step 2"><p>
2233
2233
Follow carefully the steps shown in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>, starting at step 2.
2234
</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example�5.8.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579402"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579413"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579425"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2579437"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579449"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579461"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579473"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579485"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579496"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579508"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579520"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579531"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579544"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579555"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579568"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579580"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579591"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2579603"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579615"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579626"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2579638"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579650"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579662"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579674"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2579686"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2579698"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579710"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579722"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579734"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579746"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2579758"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example�5.9.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579804"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579816"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579828"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2579840"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579852"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579864"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579876"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579887"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579899"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579911"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579922"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579934"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579946"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579958"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579970"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579982"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579994"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2580006"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580017"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580029"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2580041"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580053"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580065"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580077"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2580089"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2580101"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580113"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580125"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580137"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580148"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2580160"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example�5.10.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2580206"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580218"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2580230"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2580250"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580262"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2580274"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580294"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580306"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2580318"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2580338"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2580350"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2580362"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580373"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2580394"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2580405"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2580417"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580429"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580440"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example�5.11.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2580486"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580498"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2580509"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2580521"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2580542"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2580553"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2580565"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580577"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2580597"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580609"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2580621"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580633"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580653"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580665"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2580677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580689"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2580709"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580721"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580733"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580744"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2580756"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580768"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
2234
</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example�5.8.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2585460"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2585472"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2585484"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2585496"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585508"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585520"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2585532"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2585543"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2585555"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2585567"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2585578"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2585590"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2585602"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2585614"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2585626"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2585638"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2585650"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2585662"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585673"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2585685"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2585697"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585709"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2585721"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2585733"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2585745"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2585757"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585769"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585781"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2585793"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2585804"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2585816"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example�5.9.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2585863"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2585874"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2585886"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2585898"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2585910"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2585922"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2585934"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2585946"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2585957"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2585969"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2585981"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2585992"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2586005"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2586016"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586029"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2586041"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2586052"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2586064"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586076"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586088"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2586099"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586111"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586123"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586135"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2586147"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2586159"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586171"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586184"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586195"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586207"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2586219"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example�5.10.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2586265"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586277"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2586288"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2586309"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586320"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2586332"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2586353"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586365"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2586376"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2586397"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2586408"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2586420"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586432"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2586452"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2586464"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2586476"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586487"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586499"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example�5.11.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2586545"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586557"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2586568"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2586580"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2586600"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2586612"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2586624"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586635"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2586656"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2586668"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2586680"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586691"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2586712"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2586724"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2586736"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586747"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2586768"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2586780"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2586791"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586803"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2586815"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586826"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
2235
2235
dn: ou=Idmap,dc=abmas,dc=biz
2236
2236
objectClass: organizationalUnit
2237
2237
ou: idmap
2238
2238
structuralObjectClass: organizationalUnit
2239
</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580803"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
2240
My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>”
2239
</pre></div></div><br class="example-break"></div><div class="sect1" title="Miscellaneous Server Preparation Tasks"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2586862"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
2240
My father would say, <span class="quote">“<span class="quote">Dinner is not over until the dishes have been done.</span>”</span>
2241
2241
The makings of a great network environment take a lot of effort and attention to detail.
2242
2242
So far, you have completed most of the complex (and to many administrators, the interesting
2243
2243
part of server configuration) steps, but remember to tie it all together. Here are
2244
2244
a few more steps that must be completed so that your network runs like a well-rehearsed
2245
2245
orchestra.
2246
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580823"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
2246
</p><div class="sect2" title="Configuring Directory Share Point Roots"><div class="titlepage"><div><div><h3 class="title"><a name="id2586882"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
2247
2247
In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>
2248
2248
parameter. Even though it is obvious to all, one of the common Samba networking problems is
2249
2249
caused by forgetting to verify that every such share root directory actually exists and that it
2261
2261
<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
2262
2262
<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
2263
2263
</pre><p>
2264
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580918"></a>Configuring Profile Directories</h3></div></div></div><p>
2264
</p></div><div class="sect2" title="Configuring Profile Directories"><div class="titlepage"><div><div><h3 class="title"><a name="id2586977"></a>Configuring Profile Directories</h3></div></div></div><p>
2265
2265
You made a conscious decision to do everything it would take to improve network client
2266
2266
performance. One of your decisions was to implement folder redirection. This means that Windows
2267
2267
user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
2286
2286
<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span>
2287
2287
</pre><p>
2288
2288
</p><p>
2289
<a class="indexterm" name="id2581034"></a>
2290
<a class="indexterm" name="id2581041"></a>
2289
<a class="indexterm" name="id2587093"></a>
2290
<a class="indexterm" name="id2587100"></a>
2291
2291
You have three options insofar as the dynamically loaded portion of the roaming profile
2292
2292
is concerned:
2293
</p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
2293
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>You may permit the user to obtain a default profile.</p></li><li class="listitem"><p>You can create a mandatory profile.</p></li><li class="listitem"><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
2294
2294
Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
2295
2295
profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>,
2296
2296
that is, just by changing the filename extension.
2297
2297
</p><p>
2298
<a class="indexterm" name="id2581091"></a>
2299
<a class="indexterm" name="id2581098"></a>
2298
<a class="indexterm" name="id2587150"></a>
2299
<a class="indexterm" name="id2587156"></a>
2300
2300
The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
2301
2301
You can manage this using the Idealx smbldap-tools or using the
2302
2302
<a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>.
2309
2309
/var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2310
2310
<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2311
2311
</pre><p>
2312
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581163"></a>Preparation of Logon Scripts</h3></div></div></div><p>
2313
<a class="indexterm" name="id2581171"></a>
2312
</p></div><div class="sect2" title="Preparation of Logon Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="id2587221"></a>Preparation of Logon Scripts</h3></div></div></div><p>
2313
<a class="indexterm" name="id2587229"></a>
2314
2314
The use of a logon script with Windows XP Professional is an option that every site should consider.
2315
2315
Unless you have locked down the desktop so the user cannot change anything, there is risk that
2316
2316
a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
2335
2335
You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24,
2336
2336
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
2337
2337
facilities in use today is called <a class="ulink" href="http://www.kixtart.org" target="_top">KiXtart</a>.
2338
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581274"></a>Assigning User Rights and Privileges</h3></div></div></div><p>
2338
</p></div><div class="sect2" title="Assigning User Rights and Privileges"><div class="titlepage"><div><div><h3 class="title"><a name="id2587332"></a>Assigning User Rights and Privileges</h3></div></div></div><p>
2339
2339
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
2340
2340
normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX
2341
2341
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
2347
2347
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
2348
2348
are granted rights can be restricted to particular machines. It is left to the network administrator
2349
2349
to determine which rights should be provided and to whom.
2350
</p><div class="procedure"><a name="id2581309"></a><p class="title"><b>Procedure�5.12.�Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p>
2350
</p><div class="procedure" title="Procedure�5.12.�Steps for Assignment of User Rights and Privileges"><a name="id2587368"></a><p class="title"><b>Procedure�5.12.�Steps for Assignment of User Rights and Privileges</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2351
2351
Log onto the PDC as the <code class="constant">root</code> account.
2352
</p></li><li><p>
2352
</p></li><li class="step" title="Step 2"><p>
2353
2353
Execute the following command to grant the <code class="constant">Domain Admins</code> group all
2354
2354
rights and privileges:
2355
2355
</p><pre class="screen">
2361
2361
</pre><p>
2362
2362
Repeat this step on each domain controller, in each case substituting the name of the server
2363
2363
(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
2364
</p></li><li><p>
2364
</p></li><li class="step" title="Step 3"><p>
2365
2365
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
2366
2366
to the domain. Execute the following only on the PDC. It is not necessary to do this on
2367
2367
BDCs or on DMS machines because machine accounts are only ever added by the PDC:
2370
2370
"MEGANET2\bobj" SeMachineAccountPrivilege
2371
2371
Successfully granted rights.
2372
2372
</pre><p>
2373
</p></li><li><p>
2373
</p></li><li class="step" title="Step 4"><p>
2374
2374
Verify that privilege assignments have been correctly applied by executing:
2375
2375
</p><pre class="screen">
2376
2376
net rpc rights list accounts -Uroot%not24get
2405
2405
SeRemoteShutdownPrivilege
2406
2406
SeDiskOperatorPrivilege
2407
2407
</pre><p>
2408
</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2581407"></a>Windows Client Configuration</h2></div></div></div><p>
2409
<a class="indexterm" name="id2581416"></a>
2408
</p></li></ol></div></div></div><div class="sect1" title="Windows Client Configuration"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2587466"></a>Windows Client Configuration</h2></div></div></div><p>
2409
<a class="indexterm" name="id2587474"></a>
2410
2410
In the next few sections, you can configure a new Windows XP Professional disk image on a staging
2411
2411
machine. You will configure all software, printer settings, profile and policy handling, and desktop
2412
2412
default profile settings on this system. When it is complete, you copy the contents of the
2418
2418
"<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a
2419
2419
Base Profile for All Users."</a>
2420
2420
2421
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
2422
<a class="indexterm" name="id2581466"></a>
2421
</p><div class="sect2" title="Configuration of Default Profile with Folder Redirection"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
2422
<a class="indexterm" name="id2587524"></a>
2423
2423
Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.
2424
2424
It is necessary to expose folders that are generally hidden to provide access to the
2425
2425
<code class="constant">Default User</code> folder.
2426
</p><div class="procedure"><a name="id2581484"></a><p class="title"><b>Procedure�5.13.�Expose Hidden Folders</b></p><ol type="1"><li><p>
2426
</p><div class="procedure" title="Procedure�5.13.�Expose Hidden Folders"><a name="id2587542"></a><p class="title"><b>Procedure�5.13.�Expose Hidden Folders</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2427
2427
Launch the Windows Explorer by clicking
2428
2428
<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.
2429
2429
Select <span class="guilabel">Show hidden files and folders</span>,
2430
2430
and click <span class="guibutton">OK</span>. Exit Windows Explorer.
2431
</p></li><li><p>
2432
<a class="indexterm" name="id2581550"></a>
2431
</p></li><li class="step" title="Step 2"><p>
2432
<a class="indexterm" name="id2587609"></a>
2433
2433
Launch the Registry Editor. Click
2434
2434
<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click
2435
2435
<span class="guibutton">OK</span>.
2436
2436
</p></li></ol></div><p>
2437
</p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure�5.14.�Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>
2438
<a class="indexterm" name="id2581608"></a>
2439
<a class="indexterm" name="id2581615"></a>
2437
</p><div class="procedure" title="Procedure�5.14.�Redirect Folders in Default System User Profile"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure�5.14.�Redirect Folders in Default System User Profile</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2438
<a class="indexterm" name="id2587667"></a>
2439
<a class="indexterm" name="id2587673"></a>
2440
2440
Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.
2441
2441
Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name
2442
2442
<code class="constant">Default</code> and click <span class="guibutton">OK</span>.
2443
</p></li><li><p>
2443
</p></li><li class="step" title="Step 2"><p>
2444
2444
Browse inside the newly loaded Default folder to:
2445
2445
</p><pre class="screen">
2446
2446
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
2447
2447
CurrentVersion\Explorer\User Shell Folders\
2448
2448
</pre><p>
2449
2449
The right panel reveals the contents as shown in <a class="link" href="happy.html#XP-screen001" title="Figure�5.3.�Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>.
2450
</p></li><li><p>
2451
<a class="indexterm" name="id2581708"></a>
2452
<a class="indexterm" name="id2581714"></a>
2450
</p></li><li class="step" title="Step 3"><p>
2451
<a class="indexterm" name="id2587766"></a>
2452
<a class="indexterm" name="id2587773"></a>
2453
2453
You edit hive keys. Acceptable values to replace the
2454
2454
<code class="constant">%USERPROFILE%</code> variable includes:
2455
2455
2456
</p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as
2457
<code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2458
</p></li><li><p>
2459
<a class="indexterm" name="id2581761"></a>
2456
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A drive letter such as <code class="constant">U:</code></p></li><li class="listitem"><p>A direct network path such as
2457
<code class="constant">\\MASSIVE\profdata</code></p></li><li class="listitem"><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2458
</p></li><li class="step" title="Step 4"><p>
2459
<a class="indexterm" name="id2587820"></a>
2460
2460
Set the registry keys as shown in <a class="link" href="happy.html#proffold" title="Table�5.4.�Default Profile Redirections">“Default Profile Redirections”</a>. Your implementation makes the assumption
2461
2461
that users have statically located machines. Notebook computers (mobile users) need to be
2462
2462
accommodated using local profiles. This is not an uncommon assumption.
2463
</p></li><li><p>
2463
</p></li><li class="step" title="Step 5"><p>
2464
2464
Click back to the root of the loaded hive <code class="constant">Default</code>.
2465
2465
Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>.
2466
</p></li><li><p>
2467
<a class="indexterm" name="id2581816"></a>
2466
</p></li><li class="step" title="Step 6"><p>
2467
<a class="indexterm" name="id2587875"></a>
2468
2468
Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the
2469
2469
Registry Editor.
2470
</p></li><li><p>
2470
</p></li><li class="step" title="Step 7"><p>
2471
2471
Now follow the procedure given in <a class="link" href="happy.html#sbehap-locgrppol" title="The Local Group Policy">“The Local Group Policy”</a>. Make sure that each folder you
2472
2472
have redirected is in the exclusion list.
2473
</p></li><li><p>
2474
You are now ready to copy<sup>[<a name="id2581860" href="#ftn.id2581860" class="footnote">11</a>]</sup>
2473
</p></li><li class="step" title="Step 8"><p>
2474
You are now ready to copy<sup>[<a name="id2587919" href="#ftn.id2587919" class="footnote">11</a>]</sup>
2475
2475
the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
2476
2476
and use it to copy the full contents of the directory <code class="filename">Default User</code> that
2477
2477
is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the
2482
2482
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
2483
2483
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
2484
2484
that ojective:
2485
</p><div class="procedure"><a name="id2581927"></a><p class="title"><b>Procedure�5.15.�Reset Folder Display to Original Behavior</b></p><ul><li><p>
2485
</p><div class="procedure" title="Procedure�5.15.�Reset Folder Display to Original Behavior"><a name="id2587986"></a><p class="title"><b>Procedure�5.15.�Reset Folder Display to Original Behavior</b></p><ul class="procedure"><li class="step" title="Step 1"><p>
2486
2486
To launch the Windows Explorer, click
2487
2487
<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.
2488
2488
Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>.
2489
2489
Exit Windows Explorer.
2490
</p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure�5.3.�Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table�5.4.�Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582162"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>
2491
<a class="indexterm" name="id2582170"></a>
2492
<a class="indexterm" name="id2582180"></a>
2490
</p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure�5.3.�Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table�5.4.�Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" title="Configuration of MS Outlook to Relocate PST File"><div class="titlepage"><div><div><h3 class="title"><a name="id2588220"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>
2491
<a class="indexterm" name="id2588229"></a>
2492
<a class="indexterm" name="id2588238"></a>
2493
2493
Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
2494
2494
It is the nature of email storage that this file grows, at times quite rapidly.
2495
2495
So that users' email is available to them at every workstation they may log onto,
2498
2498
</p><p>
2499
2499
To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
2500
2500
slightly differently), follow these steps:
2501
</p><div class="procedure"><a name="id2582202"></a><p class="title"><b>Procedure�5.16.�Outlook PST File Relocation</b></p><ol type="1"><li><p>
2501
</p><div class="procedure" title="Procedure�5.16.�Outlook PST File Relocation"><a name="id2588260"></a><p class="title"><b>Procedure�5.16.�Outlook PST File Relocation</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2502
2502
Close Outlook if it is open.
2503
</p></li><li><p>
2503
</p></li><li class="step" title="Step 2"><p>
2504
2504
From the <span class="guimenu">Control Panel</span>, launch the Mail icon.
2505
</p></li><li><p>
2505
</p></li><li class="step" title="Step 3"><p>
2506
2506
Click <span class="guimenu">Email Accounts.</span>
2507
</p></li><li><p>
2507
</p></li><li class="step" title="Step 4"><p>
2508
2508
Make a note of the location of the PST file(s). From this location, move
2509
2509
the files to the desired new target location. The most desired new target location
2510
2510
may well be the users' home directory.
2511
</p></li><li><p>
2511
</p></li><li class="step" title="Step 5"><p>
2512
2512
Add a new data file, selecting the PST file in the new desired target location.
2513
Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>”
2513
Give this entry (not the filename) a new name such as <span class="quote">“<span class="quote">Personal Mail Folders.</span>”</span>
2514
2514
</p><p>
2515
2515
Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
2516
2516
following these instructions. Feedback from users suggests that where IMAP is used the PST
2518
2518
MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is
2519
2519
used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that
2520
2520
this warning can be removed or modified.
2521
</p></li><li><p>
2521
</p></li><li class="step" title="Step 6"><p>
2522
2522
Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>.
2523
</p></li><li><p>
2523
</p></li><li class="step" title="Step 7"><p>
2524
2524
Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span>
2525
</p></li><li><p>
2525
</p></li><li class="step" title="Step 8"><p>
2526
2526
Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new
2527
2527
target location.
2528
</p></li><li><p>
2528
</p></li><li class="step" title="Step 9"><p>
2529
2529
Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.
2530
</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2531
<a class="indexterm" name="id2582352"></a>
2530
</p></li></ol></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2531
<a class="indexterm" name="id2588410"></a>
2532
2532
You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
2533
2533
the user may be not be able to retrieve contacts when addressing a new email message.
2534
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2535
<a class="indexterm" name="id2582366"></a>
2534
</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2535
<a class="indexterm" name="id2588425"></a>
2536
2536
Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
2537
2537
Express storage files can not be redirected to network shares. The options panel will not permit
2538
2538
this, but they can be moved to folders outside of the user's profile. They can also be excluded
2541
2541
While it is possible to redirect the data stores for Outlook Express data stores by editing the
2542
2542
registry, experience has shown that data corruption and loss of email messages will result.
2543
2543
</p><p>
2544
<a class="indexterm" name="id2582389"></a>
2545
<a class="indexterm" name="id2582396"></a>
2544
<a class="indexterm" name="id2588448"></a>
2545
<a class="indexterm" name="id2588454"></a>
2546
2546
In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
2547
2547
roaming profiles this can result in excruciatingly long login and logout behavior will files are
2548
2548
synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
2549
2549
profiles are used.
2550
2550
</p></div><p>
2551
<a class="indexterm" name="id2582412"></a>
2551
<a class="indexterm" name="id2588470"></a>
2552
2552
Microsoft does not support storing PST files on network shares, although the practice does appear
2553
2553
to be rather popular. Anyone who does relocation the PST file to a network resource should refer
2554
2554
the Microsoft <a class="ulink" href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better
2555
2555
understand the issues.
2556
2556
</p><p>
2557
<a class="indexterm" name="id2582432"></a>
2557
<a class="indexterm" name="id2588491"></a>
2558
2558
Apart from manually moving PST files to a network share, it is possible to set the default PST
2559
2559
location for new accounts by following the instructions at the WindowsITPro <a class="ulink" href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.
2560
2560
</p><p>
2561
<a class="indexterm" name="id2582452"></a>
2561
<a class="indexterm" name="id2588511"></a>
2562
2562
User feedback suggests that disabling of oplocks on PST files will significantly improve
2563
2563
network performance by reducing locking overheads. One way this can be done is to add to the
2564
2564
<code class="filename">smb.conf</code> file stanza for the share the PST file the following:
2565
2565
</p><pre class="screen">
2566
2566
veto oplock files = /*.pdf/*.PST/
2567
2567
</pre><p>
2568
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582477"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
2568
</p></div><div class="sect2" title="Configure Delete Cached Profiles on Logout"><div class="titlepage"><div><div><h3 class="title"><a name="id2588536"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
2569
2569
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
2570
2570
</p><p>
2571
<a class="indexterm" name="id2582490"></a>
2571
<a class="indexterm" name="id2588549"></a>
2572
2572
Click
2573
2573
<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>.
2574
2574
</p><p>
2576
2576
profiles are deleted as network users log out of the system. Click
2577
2577
<span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>.
2578
2578
</p><p>
2579
<a class="indexterm" name="id2582586"></a>
2579
<a class="indexterm" name="id2588645"></a>
2580
2580
The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
2581
2581
utility that enables you to set the policies needed. In the left panel, click
2582
2582
<span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
2583
2583
item as shown:
2584
</p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
2584
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li class="listitem"><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
2585
2585
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
2586
2586
made of this system to deploy the new standard desktop system.
2587
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582657"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
2588
<a class="indexterm" name="id2582665"></a>
2587
</p></div><div class="sect2" title="Uploading Printer Drivers to Samba Servers"><div class="titlepage"><div><div><h3 class="title"><a name="id2588716"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
2588
<a class="indexterm" name="id2588724"></a>
2589
2589
Users want to be able to use network printers. You have a vested interest in making
2590
2590
it easy for them to print. You have chosen to install the printer drivers onto the Samba
2591
2591
servers and to enable point-and-click (drag-and-drop) printing. This process results in
2592
2592
Samba being able to automatically provide the Windows client with the driver necessary to
2593
2593
print to the printer chosen. The following procedure must be followed for every network
2594
2594
printer:
2595
</p><div class="procedure"><a name="id2582684"></a><p class="title"><b>Procedure�5.17.�Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p>
2595
</p><div class="procedure" title="Procedure�5.17.�Steps to Install Printer Drivers on the Samba Servers"><a name="id2588742"></a><p class="title"><b>Procedure�5.17.�Steps to Install Printer Drivers on the Samba Servers</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
2596
2596
Join your Windows XP Professional workstation (the staging machine) to the
2597
2597
<code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,
2598
2598
follow the guidance given in <a class="link" href="appendix.html" title="Chapter�15.�A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>.
2599
</p></li><li><p>
2599
</p></li><li class="step" title="Step 2"><p>
2600
2600
After the machine has rebooted, log onto the workstation as the domain
2601
2601
<code class="constant">root</code> (this is the Administrator account for the
2602
2602
operating system that is the host platform for this implementation of Samba.
2603
</p></li><li><p>
2603
</p></li><li class="step" title="Step 3"><p>
2604
2604
Launch MS Windows Explorer. Navigate in the left panel. Click
2605
2605
<span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
2606
2606
<span class="guimenu">Printers and Faxes</span>.
2607
</p></li><li><p>
2607
</p></li><li class="step" title="Step 4"><p>
2608
2608
Identify a printer that is shown in the right panel. Let us assume the printer is called
2609
2609
<code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon
2610
2610
and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
2611
that “<span class="quote">The printer driver is not installed on this computer. Some printer properties
2611
that <span class="quote">“<span class="quote">The printer driver is not installed on this computer. Some printer properties
2612
2612
will not be accessible unless you install the printer driver. Do you want to install the
2613
driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>.
2614
</p></li><li><p>
2613
driver now?</span>”</span> It is important at this point you answer <span class="guimenu">No</span>.
2614
</p></li><li class="step" title="Step 5"><p>
2615
2615
The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server
2616
2616
<code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.
2617
2617
Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
2618
button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”.
2619
</p></li><li><p>
2620
<a class="indexterm" name="id2582873"></a>
2621
<a class="indexterm" name="id2582882"></a>
2622
The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel
2618
button that is next to the <span class="guimenu">Driver</span> box. This launches the <span class="quote">“<span class="quote">Add Printer Wizard</span>”</span>.
2619
</p></li><li class="step" title="Step 6"><p>
2620
<a class="indexterm" name="id2588931"></a>
2621
<a class="indexterm" name="id2588940"></a>
2622
The <span class="quote">“<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>”</span> panel
2623
2623
is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the
2624
2624
printer manufacturer. In your case, you are adding a driver for a printer manufactured by
2625
2625
Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
2626
2626
<span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A
2627
2627
progress bar appears and instructs you as each file is being uploaded and that it is being
2628
2628
directed at the network server <code class="constant">\\massive\ps01-color</code>.
2629
</p></li><li><p>
2630
<a class="indexterm" name="id2582930"></a>
2631
<a class="indexterm" name="id2582939"></a>
2632
<a class="indexterm" name="id2582949"></a>
2633
<a class="indexterm" name="id2582958"></a>
2634
<a class="indexterm" name="id2582967"></a>
2635
<a class="indexterm" name="id2582976"></a>
2629
</p></li><li class="step" title="Step 7"><p>
2630
<a class="indexterm" name="id2588989"></a>
2631
<a class="indexterm" name="id2588998"></a>
2632
<a class="indexterm" name="id2589007"></a>
2633
<a class="indexterm" name="id2589016"></a>
2634
<a class="indexterm" name="id2589025"></a>
2635
<a class="indexterm" name="id2589035"></a>
2636
2636
The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
2637
2637
you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.
2638
2638
You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under
2639
2639
the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
2640
load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the
2641
directory</span>”. When this box is checked, the printer will be published in Active Directory
2640
load additional printer drivers; there is also a check-box in this tab called <span class="quote">“<span class="quote">List in the
2641
directory</span>”</span>. When this box is checked, the printer will be published in Active Directory
2642
2642
(Applicable to Active Directory use only.)
2643
</p></li><li><p>
2644
<a class="indexterm" name="id2583031"></a>
2643
</p></li><li class="step" title="Step 8"><p>
2644
<a class="indexterm" name="id2589090"></a>
2645
2645
Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.
2646
2646
You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
2647
2647
Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit
2648
2648
your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
2649
2649
you need to reverse the changes back to their original settings.
2650
</p></li><li><p>
2650
</p></li><li class="step" title="Step 9"><p>
2651
2651
This is necessary so that the printer settings are initialized in the Samba printers
2652
2652
database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
2653
2653
just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
2654
2654
click <span class="guimenu">Apply</span> again.
2655
</p></li><li><p>
2656
<a class="indexterm" name="id2583104"></a>
2655
</p></li><li class="step" title="Step 10"><p>
2656
<a class="indexterm" name="id2589163"></a>
2657
2657
Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
2658
2658
click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
2659
2659
A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
2660
2660
in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on
2661
2661
massive Properties</span> panel.
2662
</p></li><li><p>
2662
</p></li><li class="step" title="Step 11"><p>
2663
2663
You must repeat this process for all network printers (i.e., for every printer on each server).
2664
2664
When you have finished uploading drivers to all printers, close all applications. The next task
2665
2665
is to install software your users require to do their work.
2666
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583160"></a>Software Installation</h3></div></div></div><p>
2666
</p></li></ol></div></div><div class="sect2" title="Software Installation"><div class="titlepage"><div><div><h3 class="title"><a name="id2589218"></a>Software Installation</h3></div></div></div><p>
2667
2667
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
2668
2668
a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
2669
2669
Notebooks require special handling that is beyond the scope of this chapter.
2678
2678
When you believe that the overall configuration is complete, be sure to create a shared group profile
2679
2679
and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
2680
2680
case a user may have specific needs you had not anticipated.
2681
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583195"></a>Roll-out Image Creation</h3></div></div></div><p>
2681
</p></div><div class="sect2" title="Roll-out Image Creation"><div class="titlepage"><div><div><h3 class="title"><a name="id2589254"></a>Roll-out Image Creation</h3></div></div></div><p>
2682
2682
The final steps before preparing the distribution Norton Ghost image file you might follow are:
2683
2683
</p><div class="blockquote"><blockquote class="blockquote"><p>
2684
2684
Unjoin the domain Each workstation requires a unique name and must be independently
2687
2687
Defragment the hard disk While not obvious to the uninitiated, defragmentation results
2688
2688
in better performance and often significantly reduces the size of the compressed disk image. That
2689
2689
also means it will take less time to deploy the image onto 500 workstations.
2690
</p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583229"></a>Key Points Learned</h2></div></div></div><p>
2690
</p></blockquote></div></div></div><div class="sect1" title="Key Points Learned"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589288"></a>Key Points Learned</h2></div></div></div><p>
2691
2691
This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
2692
2692
avoided any consideration of security. Security does not just happen; you must design it into your total
2693
2693
network. Security begins with a systems design and implementation that anticipates hostile behavior from
2696
2696
practices, you must not deploy the design presented in this book in an environment where there is risk
2697
2697
of compromise.
2698
2698
</p><p>
2699
<a class="indexterm" name="id2583251"></a>
2700
<a class="indexterm" name="id2583260"></a>
2699
<a class="indexterm" name="id2589309"></a>
2700
<a class="indexterm" name="id2589319"></a>
2701
2701
As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
2702
2702
configured to use secure protocols for all communications over the network. Of course, secure networking
2703
2703
does not result just from systems design and implementation but involves constant user education
2708
2708
as well as security considerations.
2709
2709
</p><p>
2710
2710
The substance of this chapter that has been deserving of particular attention includes:
2711
</p><div class="itemizedlist"><ul type="disc"><li><p>
2711
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
2712
2712
Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
2713
2713
domain control.
2714
</p></li><li><p>
2714
</p></li><li class="listitem"><p>
2715
2715
Implementation of Samba primary and secondary domain controllers with a common LDAP backend
2716
2716
for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
2717
2717
pam_ldap tool-sets.
2718
</p></li><li><p>
2718
</p></li><li class="listitem"><p>
2719
2719
Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
2720
2720
to manage Samba Windows user and group accounts.
2721
</p></li><li><p>
2721
</p></li><li class="listitem"><p>
2722
2722
The basics of implementation of Group Policy controls for Windows network clients.
2723
</p></li><li><p>
2723
</p></li><li class="listitem"><p>
2724
2724
Control over roaming profiles, with particular focus on folder redirection to network drives.
2725
</p></li><li><p>
2725
</p></li><li class="listitem"><p>
2726
2726
Use of the CUPS printing system together with Samba-based printer driver auto-download.
2727
</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583345"></a>Questions and Answers</h2></div></div></div><p>
2727
</p></li></ul></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2589403"></a>Questions and Answers</h2></div></div></div><p>
2728
2728
Well, here we are at the end of this chapter and we have only ten questions to help you to
2729
2729
remember so much. There are bound to be some sticky issues here.
2730
</p><div class="qandaset"><dl><dt> <a href="happy.html#id2583363">
2730
</p><div class="qandaset" title="Frequently Asked Questions"><a name="id2589415"></a><dl><dt> <a href="happy.html#id2589422">
2731
2731
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2732
2732
network administrators to implement insecure solutions?
2733
</a></dt><dt> <a href="happy.html#id2583407">
2733
</a></dt><dt> <a href="happy.html#id2589466">
2734
2734
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2735
2735
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2736
2736
to the Linux I might be using?
2737
</a></dt><dt> <a href="happy.html#id2583468">
2737
</a></dt><dt> <a href="happy.html#id2589527">
2738
2738
You did not use SWAT to configure Samba. Is there something wrong with it?
2739
</a></dt><dt> <a href="happy.html#id2583508">
2739
</a></dt><dt> <a href="happy.html#id2589566">
2740
2740
You have exposed a well-used password not24get. Is that
2741
2741
not irresponsible?
2742
</a></dt><dt> <a href="happy.html#id2583533">
2742
</a></dt><dt> <a href="happy.html#id2589591">
2743
2743
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2744
2744
a good thing?
2745
</a></dt><dt> <a href="happy.html#id2583559">
2745
</a></dt><dt> <a href="happy.html#id2589618">
2746
2746
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2747
</a></dt><dt> <a href="happy.html#id2583584">
2747
</a></dt><dt> <a href="happy.html#id2589643">
2748
2748
Why are the Windows domain RID portions not the same as the UNIX UID?
2749
</a></dt><dt> <a href="happy.html#id2583620">
2749
</a></dt><dt> <a href="happy.html#id2589678">
2750
2750
Printer configuration examples all show printing to the HP port 9100. Does this
2751
2751
mean that I must have HP printers for these solutions to work?
2752
</a></dt><dt> <a href="happy.html#id2583649">
2752
</a></dt><dt> <a href="happy.html#id2589708">
2753
2753
Is folder redirection dangerous? I've heard that you can lose your data that way.
2754
</a></dt><dt> <a href="happy.html#id2583677">
2754
</a></dt><dt> <a href="happy.html#id2589735">
2755
2755
Is it really necessary to set a local Group Policy to exclude the redirected
2756
2756
folders from the roaming profile?
2757
</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2583363"></a><a name="id2583366"></a></td><td align="left" valign="top"><p>
2757
</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2589422"></a><a name="id2589424"></a></td><td align="left" valign="top"><p>
2758
2758
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2759
2759
network administrators to implement insecure solutions?
2760
2760
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2773
2773
This book makes little mention of backup techniques. Does that mean that I am recommending
2774
2774
that you should implement a network without provision for data recovery and for disaster
2775
2775
management? Back to our focus: The deployment of Samba has been clearly demonstrated.
2776
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583407"></a><a name="id2583409"></a></td><td align="left" valign="top"><p>
2776
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589466"></a><a name="id2589468"></a></td><td align="left" valign="top"><p>
2777
2777
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2778
2778
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2779
2779
to the Linux I might be using?
2800
2800
of open source software. I favor neither and respect both. I like particular
2801
2801
features of both products (companies also). No bias in presentation is intended.
2802
2802
Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
2803
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583468"></a><a name="id2583470"></a></td><td align="left" valign="top"><p>
2803
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589527"></a><a name="id2589529"></a></td><td align="left" valign="top"><p>
2804
2804
You did not use SWAT to configure Samba. Is there something wrong with it?
2805
2805
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2806
2806
That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented
2811
2811
There are people in the Linux and open source community who feel that SWAT is dangerous
2812
2812
and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
2813
2813
hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>.
2814
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583508"></a><a name="id2583510"></a></td><td align="left" valign="top"><p>
2814
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589566"></a><a name="id2589568"></a></td><td align="left" valign="top"><p>
2815
2815
You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that
2816
2816
not irresponsible?
2817
2817
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2818
2818
Well, I had to use a password of some sort. At least this one has been consistently
2819
2819
used throughout. I guess you can figure out that in a real deployment it would make
2820
2820
sense to use a more secure and original password.
2821
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583533"></a><a name="id2583535"></a></td><td align="left" valign="top"><p>
2821
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589591"></a><a name="id2589593"></a></td><td align="left" valign="top"><p>
2822
2822
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2823
2823
a good thing?
2824
2824
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2826
2826
Let's give Idealx some credit for the contribution they have made. I appreciate their work
2827
2827
and, besides, it does no harm to create accounts that are not now used at some time
2828
2828
Samba may well use them.
2829
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583559"></a><a name="id2583561"></a></td><td align="left" valign="top"><p>
2829
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589618"></a><a name="id2589620"></a></td><td align="left" valign="top"><p>
2830
2830
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2831
2831
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2832
2832
Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
2834
2834
the system password account, how do you plan to keep all domain controller system
2835
2835
password files in sync? I think that having everything in LDAP makes a lot of sense
2836
2836
for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
2837
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583584"></a><a name="id2583586"></a></td><td align="left" valign="top"><p>
2837
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589643"></a><a name="id2589645"></a></td><td align="left" valign="top"><p>
2838
2838
Why are the Windows domain RID portions not the same as the UNIX UID?
2839
2839
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2840
2840
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
2843
2843
assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
2844
2844
permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry
2845
2845
for <em class="parameter"><code>algorithmic rid base</code></em>.
2846
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583620"></a><a name="id2583622"></a></td><td align="left" valign="top"><p>
2846
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589678"></a><a name="id2589681"></a></td><td align="left" valign="top"><p>
2847
2847
Printer configuration examples all show printing to the HP port 9100. Does this
2848
2848
mean that I must have HP printers for these solutions to work?
2849
2849
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2853
2853
inkjet printer. Use the appropriate device URI (Universal Resource Interface)
2854
2854
argument to the <code class="constant">lpadmin -v</code> option that is right for your
2855
2855
printer.
2856
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583649"></a><a name="id2583651"></a></td><td align="left" valign="top"><p>
2856
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589708"></a><a name="id2589710"></a></td><td align="left" valign="top"><p>
2857
2857
Is folder redirection dangerous? I've heard that you can lose your data that way.
2858
2858
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2859
2859
The only loss of data I know of that involved folder redirection was caused by
2863
2863
he declined to move the data because he thought it was still in the local profile
2864
2864
folder. That was not the case, so by declining to move the data back, he wiped out
2865
2865
the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
2866
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583677"></a><a name="id2583679"></a></td><td align="left" valign="top"><p>
2866
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589735"></a><a name="id2589737"></a></td><td align="left" valign="top"><p>
2867
2867
Is it really necessary to set a local Group Policy to exclude the redirected
2868
2868
folders from the roaming profile?
2869
2869
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2870
2870
Yes. If you do not do this, the data will still be copied from the network folder
2871
2871
(share) to the local cached copy of the profile.
2872
</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2581860" href="#id2581860" class="para">11</a>] </sup>
2872
</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2587919" href="#id2587919" class="para">11</a>] </sup>
2873
2873
There is an alternate method by which a default user profile can be added to the
2874
2874
<code class="constant">NETLOGON</code> share. This facility in the Windows System tool
2875
2875
permits profiles to be exported. The export target may be a particular user or
Loggerhead is a web-based interface for Breezy
Version: 2.0.1