<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix A. Appendix: A Collection of Useful Tid-bits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.64.1"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="previous" href="HA.html" title="Chapter 12. Performance, Reliability, and Availability"><link rel="next" href="gpl.html" title="Appendix B. GNU General Public License"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Appendix A. Appendix: A Collection of Useful Tid-bits</h2></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2570405">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2570824">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2571169">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2571181">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2571230">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2571334">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2571394">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id2571958">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2573376">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2573524">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2573608">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p><a class="indexterm" name="id2569796"></a><a class="indexterm" name="id2569803"></a>
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
as shown in the example given below.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div><div></div></div><p><a class="indexterm" name="id2569836"></a>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
The “<span class="quote"><span class="emphasis"><em>Welcome to the MIDEARTH domain</em></span></span>” dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
</p></li></ol></div><p><a class="indexterm" name="id2570285"></a><a class="indexterm" name="id2570293"></a>
The screen capture shown in <a href="appendix.html#wxpp007" title="Figure A.4. The Computer Name Changes Panel Domain MIDEARTH.">Figure A.4</a> has a button labeled <span class="guimenu">More...</span>. This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
</p><p><a class="indexterm" name="id2570320"></a><a class="indexterm" name="id2570328"></a>
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
</p><p><a class="indexterm" name="id2570348"></a>
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
</p><p>
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
</p><p><a class="indexterm" name="id2570373"></a>
According to Microsoft documentation, “<span class="quote"><span class="emphasis"><em>If this computer belongs to a group with <tt class="constant">Group Policy</tt>
enabled on <span><b class="command">Primary DNS suffix of this computer</b></span>, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.</em></span></span>”
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2570405"></a>Samba System File Location</h2></div></div><div></div></div><p><a class="indexterm" name="id2570412"></a><a class="indexterm" name="id2570420"></a><a class="indexterm" name="id2570428"></a>
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the <tt class="filename">/usr/local/samba</tt> directory. This is a perfectly reasonable location, particularly given all the other
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
</p><p><a class="indexterm" name="id2570463"></a><a class="indexterm" name="id2570475"></a><a class="indexterm" name="id2570482"></a><a class="indexterm" name="id2570494"></a><a class="indexterm" name="id2570501"></a><a class="indexterm" name="id2570512"></a><a class="indexterm" name="id2570520"></a><a class="indexterm" name="id2570528"></a><a class="indexterm" name="id2570536"></a><a class="indexterm" name="id2570544"></a><a class="indexterm" name="id2570552"></a><a class="indexterm" name="id2570560"></a><a class="indexterm" name="id2570568"></a><a class="indexterm" name="id2570576"></a><a class="indexterm" name="id2570584"></a><a class="indexterm" name="id2570592"></a>
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the <tt class="filename">/etc/samba</tt> directory, common binary
files (those used by users) in the <tt class="filename">/usr/bin</tt> directory, and the administrative files (daemons) in the
<tt class="filename">/usr/share/swat</tt>. There are additional support files for <span><b class="command">smbd</b></span> in the
<tt class="filename">/usr/lib/samba</tt> directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
</p><p><a class="indexterm" name="id2570661"></a><a class="indexterm" name="id2570669"></a><a class="indexterm" name="id2570677"></a>
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
the <tt class="filename">/var/lib/samba</tt> directory. Log files are created in <tt class="filename">/var/log/samba</tt>.
</p><p>
When Samba is built and installed using the default Samba Team process, all files are located under the
<tt class="filename">/usr/local/samba</tt> directory tree. This makes it simple to find the files that Samba owns.
</p><p><a class="indexterm" name="id2570715"></a>
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called <span><b class="command">smbd</b></span>.
</p><p>
If you wish to locate the Samba version, just run:
</p><pre class="screen">
<tt class="prompt">root# </tt> /path-to-binary-file/smbd -V
</pre><p>
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
executing:<a class="indexterm" name="id2570788"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -qa | grep samba
samba3-winbind-3.0.2-1
samba3-python-3.0.2-1
samba3-client-3.0.2-1
samba3-cifsmount-3.0.2-1
</pre><p><a class="indexterm" name="id2570811"></a>
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
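As an added example (not from the book), the following POSIX shell script automates the checks just described: it finds every executable named smbd below a root directory, asks each one for its version with smbd -V, lists vendor RPMs where rpm exists, and warns when more than one smbd is installed, which is the duplicate-installation trap mentioned above. The root-directory argument is an assumption added so the script can be run against any tree, not only /.

```shell
#!/bin/sh
# Added example, not part of the book: detect duplicate Samba installations
# (for example a vendor RPM in /usr/sbin beside a Samba Team build in
# /usr/local/samba/sbin). The root-directory argument is an assumption
# added here so the checks can be run against any tree, not only "/".

# Print one path per line for every owner-executable regular file named
# smbd below the directory given as $1. -perm -100 is POSIX (owner execute).
find_smbd() {
    find "$1" -type f -name smbd -perm -100 2>/dev/null | sort
}

# Print "path<TAB>version" for every smbd found, using "smbd -V" as the
# text above suggests. A binary that cannot be executed reports "unknown".
smbd_versions() {
    find_smbd "$1" | while IFS= read -r bin; do
        ver=$("$bin" -V 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$bin" "${ver:-unknown}"
    done
}

# Exit status: 0 when exactly one smbd is installed, 1 when none was found,
# 2 when several were found (the duplicate-installation trap).
check_single_install() {
    n=$(find_smbd "$1" | wc -l | tr -d ' ')
    case "$n" in
    0) echo "no smbd found under $1" >&2; return 1 ;;
    1) return 0 ;;
    *) echo "WARNING: $n smbd binaries found under $1" >&2; return 2 ;;
    esac
}

# On RPM-based platforms also list the vendor packages, as "rpm -qa | grep
# samba" does above; on other platforms this prints nothing.
vendor_packages() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -qa | grep -i samba || true
}

# Stand-alone use: sh samba-where.sh [root]  (nothing runs when sourced)
if [ -n "${1:-}" ]; then
    smbd_versions "$1"
    vendor_packages
    check_single_install "$1"
fi
```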
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2570824"></a>Starting Samba</h2></div></div><div></div></div><p><a class="indexterm" name="id2570831"></a>
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server for which the daemon is called <span><b class="command">httpd</b></span>. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
</pre></div><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
<a class="indexterm" name="id2570893"></a>
<a class="indexterm" name="id2570900"></a>
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The <span><b class="command">nmbd</b></span> daemon should
be the first command started as part of the Samba startup process.
</p></dd><dt><span class="term">smbd</span></dt><dd><p>
<a class="indexterm" name="id2570930"></a>
<a class="indexterm" name="id2570936"></a>
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of <span><b class="command">nmbd</b></span>.
</p></dd><dt><span class="term">winbindd</span></dt><dd><p>
<a class="indexterm" name="id2570965"></a>
<a class="indexterm" name="id2570972"></a>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. It is also needed when
Samba has trust relationships with another Domain. The <span><b class="command">winbindd</b></span> daemon will check the
<tt class="filename">smb.conf</tt> file for the presence of the <i class="parameter"><tt>idmap uid</tt></i> and <i class="parameter"><tt>idmap gid</tt></i>
echo "Usage: smb {start|stop|restart|status}"
</pre></div><p><a class="indexterm" name="id2571090"></a>
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example A.1. A Useful Samba Control Script for SuSE Linux">Example A.1</a>. This can be located in the directory
<tt class="filename">/sbin</tt> in a file called <tt class="filename">samba</tt>. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
</p><p><a class="indexterm" name="id2571126"></a>
A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example A.2.">Example A.2</a>.
This file could be located in the directory <tt class="filename">/etc/rc.d</tt> and can be called
<tt class="filename">samba</tt>. A similar startup script is required to control <span><b class="command">winbind</b></span>.
If you want to find more information regarding startup scripts, please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
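The daemon ordering described above (nmbd first, then smbd, then winbindd only for domain members), written as a small control script. This is an added example, not the book's Example A.1 or A.2: it takes the same start/stop/restart/status actions, decides whether winbindd is wanted by looking for security = domain/ads or the idmap uid / idmap gid parameters in smb.conf, and stops the daemons in reverse order. SAMBA_SBIN and SMB_CONF are assumed paths (Samba Team layout by default; vendor packages use /usr/sbin and /etc/samba), and the -D flag is the daemons' own daemonize option.

```shell
#!/bin/sh
# Added example, not the book's Example A.1: a control script that starts the
# Samba daemons in the order given above (nmbd, then smbd, then winbindd) and
# stops them in reverse. winbindd is started only when smb.conf marks this
# server as a domain member (security = domain or ads) or carries the
# idmap uid / idmap gid ranges that winbindd looks for.
# SAMBA_SBIN and SMB_CONF are assumptions: the defaults match a Samba Team
# build under /usr/local/samba; vendor packages use /usr/sbin and /etc/samba.

SAMBA_SBIN=${SAMBA_SBIN:-/usr/local/samba/sbin}
SMB_CONF=${SMB_CONF:-/usr/local/samba/lib/smb.conf}

# Return 0 when the smb.conf given as $1 needs winbindd. Parameter names are
# case-insensitive and usually indented, so match loosely on whole lines.
needs_winbindd() {
    [ -r "$1" ] || return 1
    grep -qiE '^[[:space:]]*security[[:space:]]*=[[:space:]]*(domain|ads)([[:space:]]|$)' "$1" && return 0
    grep -qiE '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' "$1" && return 0
    return 1
}

# Print the daemons to start, in start order, on one line.
samba_daemon_order() {
    if needs_winbindd "$1"; then
        echo "nmbd smbd winbindd"
    else
        echo "nmbd smbd"
    fi
}

# Print the same daemons in reverse, which is the order to stop them in.
samba_stop_order() {
    set -- $(samba_daemon_order "$1")
    rev=""
    for d; do rev="$d $rev"; done
    echo "${rev% }"
}

# The action dispatcher. pkill/pgrep come from procps; substitute the
# killproc/checkproc helpers where that is the local packaging convention.
samba_ctl() {
    case "$1" in
    start)
        for d in $(samba_daemon_order "$SMB_CONF"); do
            if [ ! -x "$SAMBA_SBIN/$d" ]; then
                echo "$SAMBA_SBIN/$d is missing or not executable" >&2
                return 1
            fi
            echo "Starting $d"
            "$SAMBA_SBIN/$d" -D
        done
        ;;
    stop)
        for d in $(samba_stop_order "$SMB_CONF"); do
            echo "Stopping $d"
            pkill -x "$d" 2>/dev/null || true
        done
        ;;
    restart)
        samba_ctl stop
        sleep 1
        samba_ctl start
        ;;
    status)
        for d in $(samba_daemon_order "$SMB_CONF"); do
            if pgrep -x "$d" >/dev/null 2>&1; then
                echo "$d: running"
            else
                echo "$d: stopped"
            fi
        done
        ;;
    *)
        echo "Usage: samba {start|stop|restart|status}" >&2
        return 1
        ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced
# to reuse samba_daemon_order from another script.
if [ -n "${1:-}" ]; then
    samba_ctl "$1"
fi
```

Install it as /sbin/samba owned by root:root with mode 0700, as the text above recommends for control scripts.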
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571169"></a>DNS Configuration Files</h2></div></div><div></div></div><p>
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571181"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div><div></div></div><p>
The forward zone file for the loopback address never changes. An example file is shown
in <a href="appendix.html#loopback" title="Example A.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">Example A.3</a>. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571334"></a>DNS Root Server Hint File</h3></div></div><div></div></div><p>
The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example A.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">Example A.5</a> changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size this file is located at the end of this appendix.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div><div></div></div><p><a class="indexterm" name="id2571366"></a><a class="indexterm" name="id2571377"></a>
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571394"></a>Initialization of the LDAP Database</h3></div></div><div></div></div><p><a class="indexterm" name="id2571401"></a><a class="indexterm" name="id2571409"></a><a class="indexterm" name="id2571420"></a>
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
description: Posix and Samba LDAP Identity Database
structuralObjectClass: organization

dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalRole
description: Directory Manager
structuralObjectClass: organizationalRole

dn: ou=People,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
objectClass: sambaDomain

sambaGroupType: 2
displayName: Domain Users
description: Domain Users
structuralObjectClass: posixGroup
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571958"></a>The LDAP Account Manager</h2></div></div><div></div></div><p><a class="indexterm" name="id2571965"></a><a class="indexterm" name="id2571972"></a><a class="indexterm" name="id2571983"></a><a class="indexterm" name="id2571991"></a><a class="indexterm" name="id2571999"></a><a class="indexterm" name="id2572006"></a><a class="indexterm" name="id2572014"></a>
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL. LAM can be used to manage
home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
</p><p><a class="indexterm" name="id2572046"></a><a class="indexterm" name="id2572054"></a><a class="indexterm" name="id2572062"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>A web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">
PHP</a> home page.)</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional since version 0.4.3).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p>
LAM is a useful tool that provides a simple Web-based device that can be used to
manage the contents of the LDAP directory to:<a class="indexterm" name="id2572126"></a><a class="indexterm" name="id2572134"></a><a class="indexterm" name="id2572142"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Set LAM administrator accounts.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p>
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
user, group, and Windows domain member machine accounts.
</p><p><a class="indexterm" name="id2572202"></a><a class="indexterm" name="id2572210"></a><a class="indexterm" name="id2572218"></a><a class="indexterm" name="id2572225"></a>
The default password is “<span class="quote"><span class="emphasis"><em>lam.</em></span></span>” It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/config
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/lib/*pl
</pre><p>
</p></li><li><p><a class="indexterm" name="id2572357"></a>
Using your favorite editor create the following <tt class="filename">config.cfg</tt>
LAM configuration file:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /srv/www/htdocs/lam/config
<tt class="prompt">root# </tt> cp config.cfg_sample config.cfg
<tt class="prompt">root# </tt> vi config.cfg
</pre><p><a class="indexterm" name="id2572400"></a><a class="indexterm" name="id2572412"></a>
An example file is shown in <a href="appendix.html#lamcfg" title="Example A.11. Example LAM Configuration File config.cfg">Example A.11</a>.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
<tt class="filename">lam.conf_sample</tt> file to a file called
<tt class="filename">lam.conf</tt> then, using your favorite editor,
change the settings to match local site needs.
</p></li></ol></div><p><a class="indexterm" name="id2572474"></a>
An example of a working file is shown here in <a href="appendix.html#lamconf" title="Example A.12. LAM Profile Control File lam.conf">Example A.12</a>.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
are very useful and will help many administrators to avoid pitfalls.
Your configuration file obviously reflects the configuration options that
are preferred at your site.
</p><p><a class="indexterm" name="id2572498"></a>
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure A.6. The LDAP Account Manager Login Screen">Figure A.6</a>.
</p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure A.6. The LDAP Account Manager Login Screen</b></p><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div><p><a class="indexterm" name="id2572564"></a>
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure A.7. The LDAP Account Manager Configuration Screen">Figure A.7</a>.
It is important that you correctly set the minimum and maximum UID/GID values that are
The best work-around is to temporarily set the minimum values to zero (0) to permit
the initial settings to be made. Do not forget to reset these to sensible values before
using LAM to add additional users and groups.
792
</p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure A.7. The LDAP Account Manager Configuration Screen</b></p><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div><p><a class="indexterm" name="id2572639"></a>
LAM has some nice, but unusual, features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
</p><p><a class="indexterm" name="id2572656"></a>
When you log onto LAM the opening screen drops you right into the user manager as shown in
<a href="appendix.html#lam-user" title="Figure A.8. The LDAP Account Manager User Edit Screen">Figure A.8</a>. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure A.10. The LDAP Account Manager Group Membership Edit Screen">Figure A.10</a>
shows a sub-screen from the group editor that permits users to be assigned secondary group
</p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure A.9. The LDAP Account Manager Group Edit Screen</b></p><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure A.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div><p><a class="indexterm" name="id2572841"></a><a class="indexterm" name="id2572848"></a>
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen <a href="appendix.html#lam-host" title="Figure A.11. The LDAP Account Manager Host Edit Screen">Figure A.11</a>
will, in most cases, not be used.
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div><div></div></div><a class="indexterm" name="id2573007"></a><a class="indexterm" name="id2573014"></a><p>
The setting of the SUID/SGID bits on the file or directory permissions flag has particular
consequences. If the file is executable and the SUID bit is set, it executes with the privilege
of (with the UID of) the owner of the file. For example, if you are logged onto a system as
<tt class="computeroutput">drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt</tt>
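To make the effect of these bits concrete, here is an added example (Python; not code from the Samba project or from this book) that audits a directory tree for SUID/SGID bits and states what each bit does under POSIX semantics: SUID on an executable runs it with the owner's UID, SGID on an executable runs it with the group's GID, and SGID on a directory makes files created inside it inherit the directory's group rather than the creator's primary group. The sample tree it builds (names such as suid_tool, a 2775 directory and a file inside it) is constructed for the example.

```python
"""Audit a directory tree for SUID/SGID bits and explain what each bit does.

Added example for the SUID/SGID discussion above; it is not code from the
Samba project or from "Samba-3 by Example".  It uses only the Python
standard library and POSIX mode-bit semantics; the demo tree it builds
(suid_tool, shared/, plain.txt) is constructed for the example.
"""
import os
import stat
import tempfile


def describe_special_bits(mode):
    """Return the effects of the SUID, SGID and sticky bits in a st_mode."""
    effects = []
    if stat.S_ISDIR(mode):
        if mode & stat.S_ISGID:
            effects.append("SGID on directory: new files and subdirectories "
                           "inherit the directory's group, not the creator's "
                           "primary group")
        if mode & stat.S_ISVTX:
            effects.append("sticky on directory: only a file's owner, the "
                           "directory owner, or root may delete or rename it")
        # SUID on a directory has no effect on Linux, so it is not reported.
    else:
        if mode & stat.S_ISUID:
            effects.append("SUID: executes with the UID of the file owner")
        if mode & stat.S_ISGID:
            effects.append("SGID: executes with the GID of the file group")
    return effects


def find_special_bits(root):
    """Walk root (not following symlinks) and return {relative path: effects}
    for every file or directory that carries SUID or SGID."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never trust a symlink's target
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[os.path.relpath(path, root)] = describe_special_bits(st.st_mode)
    return found


def build_demo_tree(root):
    """Constructed sample tree: one SUID executable, one SGID directory with
    a file created inside it, and one ordinary file."""
    tool = os.path.join(root, "suid_tool")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\nid\n")
    os.chmod(tool, 0o4755)               # rwsr-xr-x

    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o2775)             # rwxrwsr-x
    with open(os.path.join(shared, "maryvfile.txt"), "w") as fh:
        fh.write("created inside the SGID directory\n")

    plain = os.path.join(root, "plain.txt")
    with open(plain, "w") as fh:
        fh.write("no special bits\n")
    os.chmod(plain, 0o644)


def audit_demo():
    """Build the sample tree in a temporary directory and audit it.
    Returns the report and whether the file created inside the SGID
    directory carries the directory's group (the SGID-directory effect)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        report = find_special_bits(root)
        dir_gid = os.stat(os.path.join(root, "shared")).st_gid
        file_gid = os.stat(os.path.join(root, "shared", "maryvfile.txt")).st_gid
        return report, dir_gid == file_gid


if __name__ == "__main__":
    report, inherited = audit_demo()
    for path in sorted(report):
        print(path)
        for effect in report[path]:
            print("   ", effect)
    print("file in SGID directory has the directory's group:", inherited)
```

Point find_special_bits at a Samba share root to list everything there that carries a special bit; on a share, a SUID binary owned by a privileged account is the finding to chase, while an SGID directory is usually deliberate, since it is what keeps a group-shared folder's files in the group.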
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div><div></div></div><p><a class="indexterm" name="id2573245"></a><a class="indexterm" name="id2573253"></a>
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
</p><p>
The solution to concurrent multi-user data access problems must consider three separate areas
from which the problem may stem:<a class="indexterm" name="id2573276"></a><a class="indexterm" name="id2573287"></a><a class="indexterm" name="id2573299"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>application level locking controls.</p></li><li><p>client side locking controls.</p></li><li><p>server side locking controls.</p></li></ul></div><p><a class="indexterm" name="id2573331"></a><a class="indexterm" name="id2573339"></a>
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided because this is the most common application for which problems have been reported.
</p><p><a class="indexterm" name="id2573356"></a><a class="indexterm" name="id2573364"></a>
Common applications that are affected by client- and server-side locking controls include MS
Excel and Act!. Important locking guidance is provided here.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573376"></a>Microsoft Access</h3></div></div><div></div></div><p>
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
cover this area. Examples of relevant documents include:
</p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id2573403"></a><a class="indexterm" name="id2573415"></a>
Make sure that your MS Access database file is configured for multi-user access (not set for
exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set the network path to the default database folder: <tt class="filename">\\server\share\folder</tt>.
</p><p>
You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>.
Set:<a class="indexterm" name="id2573466"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id2573495"></a>
You must now commit the changes so that they will take effect. To do so, click
<span class="guimenu">Apply</span> and then <span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart
it, and then validate that these settings have not changed.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573524"></a>Act! Database Sharing</h3></div></div><div></div></div><p><a class="indexterm" name="id2573530"></a><a class="indexterm" name="id2573538"></a>
Where the server sharing the Act! database(s) is running Samba, Windows NT, 200x or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
<a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a>
as well as from article
<a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>.
</p><p><a class="indexterm" name="id2573569"></a><a class="indexterm" name="id2573577"></a>
These documents clearly state that opportunistic locking must be disabled on both
the server (Samba in the case we are interested in here) and every workstation
from which the centrally shared Act! database will be accessed. Act! provides
registry settings that may otherwise interfere with the operation of Act!
Registered Act! users may download this utility from the Act! Web
<a href="http://www.act.com/support/updates/index.cfm" target="_top">site</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573608"></a>Opportunistic Locking Controls</h3></div></div><div></div></div><p><a class="indexterm" name="id2573615"></a>
Third-party Windows applications may not be compatible with the use of opportunistic file
and record locking. For applications that are known not to be compatible,<sup>[<a name="id2573627" href="#ftn.id2573627">14</a>]</sup> oplock
support may need to be disabled both on the Samba server and on the Windows workstations.
</p><p><a class="indexterm" name="id2573641"></a><a class="indexterm" name="id2573649"></a><a class="indexterm" name="id2573657"></a>
Oplocks enable a Windows client to cache parts of a file that it is
editing. Another Windows client may then request to open the file with the
ability to write to it. The server then asks the original workstation
that had the file open with a write lock to release its lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
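As an added example (Python; not code from the Samba project or from this book) of checking the server-side half of this, the following script parses an smb.conf and reports, per share, which database files would still be handed an oplock, so that a share holding an Access .mdb and its .ldb lock file is not left with only a partial veto list. The parameter names oplocks and veto oplock files are real smb.conf parameters; the sample smb.conf, its share names and paths, and the file names are constructed for the example, and the parser handles only the plain "name = value" subset used here.

```python
"""Find shares in an smb.conf that would still hand out oplocks on
database files such as an Access .mdb and its .ldb lock file.

Added example for the oplock controls discussed above; it is not code
from the Samba project.  "oplocks", "level2 oplocks" and "veto oplock
files" are real smb.conf parameters; SAMPLE_SMB_CONF, its share names,
paths and DATABASE_FILES are constructed for the example.
"""
import configparser
import fnmatch

SAMPLE_SMB_CONF = """\
[global]
    workgroup = MIDEARTH
    oplocks = yes
    level2 oplocks = yes

[accounting]
    path = /data/accounting
    oplocks = no
    level2 oplocks = no

[sales]
    path = /data/sales
    # the .ldb lock file that Access keeps beside the .mdb is forgotten here
    veto oplock files = /*.mdb/*.MDB/

[public]
    path = /data/public
"""

DATABASE_FILES = ("orders.mdb", "orders.ldb")

# Samba defaults that apply when neither the share nor [global] sets a value.
DEFAULTS = {"oplocks": "yes", "veto oplock files": ""}


def samba_bool(value):
    """smb.conf booleans: yes/true/1 and no/false/0 (case-insensitive)."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf text.  Interpolation is off because smb.conf values
    use %-macros; strict=False tolerates a repeated parameter."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(text)
    return parser


def effective(parser, share, key):
    """Share-level value, else the [global] value, else Samba's default."""
    for section in (share, "global"):
        if parser.has_option(section, key):
            return parser.get(section, key)
    return DEFAULTS[key]


def veto_patterns(value):
    """'veto oplock files' is a '/'-separated list of wildcard patterns."""
    return [p for p in value.split("/") if p]


def files_still_oplocked(parser, share, filenames):
    """Names from filenames for which this share would still grant an oplock."""
    if not samba_bool(effective(parser, share, "oplocks")):
        return []                      # oplocks off for the whole share
    patterns = veto_patterns(effective(parser, share, "veto oplock files"))
    # Windows clients see a case-insensitive namespace, so match that way.
    return [name for name in filenames
            if not any(fnmatch.fnmatchcase(name.lower(), p.lower())
                       for p in patterns)]


def oplock_risk(conf_text, filenames=DATABASE_FILES):
    """Map every share (not [global]) to the database files it still oplocks."""
    parser = parse_smb_conf(conf_text)
    return {share: files_still_oplocked(parser, share, filenames)
            for share in parser.sections() if share.lower() != "global"}


if __name__ == "__main__":
    for share, risky in oplock_risk(SAMPLE_SMB_CONF).items():
        status = "still oplocks " + ", ".join(risky) if risky else "safe"
        print(f"[{share}]: {status}")
```

Against a live server, call oplock_risk(open("/etc/samba/smb.conf").read(), ("yourdb.mdb", "yourdb.ldb")) with the real database file names; the workstation-side change the Act! documents require is a client setting and is outside what a check of smb.conf can confirm.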
</p><p><a class="indexterm" name="id2573678"></a>
Disabling oplocks may require both server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the