~zulcss/samba/server-dailies-3.0.37

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�5.�Making Happy Users</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part�I.�Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter�4.�The 500-User Office"><link rel="next" href="2000users.html" title="Chapter�6.�A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�5.�Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><th width="60%" align="center">Part�I.�Example Network Configurations</th><td width="20%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter�5.�Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2571048">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2571190">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571288">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2571425">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571882">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573760">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573776">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2573956">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2576854">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2580803">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2580823">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2580918">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581163">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581274">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2581407">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582162">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582477">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582657">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583160">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583195">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2583229">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2583345">Questions and Answers</a></span></dt></dl></div><p>

It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give

me a day of troubles well handled so that I can be content with my achievements.</span>”

</p><p>

In the world of computer networks, problems are as varied as the people who create them

or experience them. The design of the network implemented in <a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>

may create problems for some network users. The following lists some of the problems that

may occur:

</p><a class="indexterm" name="id2570626"></a><a class="indexterm" name="id2570632"></a><a class="indexterm" name="id2570642"></a><a class="indexterm" name="id2570648"></a><a class="indexterm" name="id2570655"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>

A significant number of network administrators have responded to the guidance given

here. It should be noted that there are sites that have a single PDC for many hundreds of

concurrent network clients. Network bandwidth, network bandwidth utilization, and server load

are among the factors that determine the maximum number of Windows clients that

can be served by a single domain controller (PDC or BDC) on a network segment. It is possible

to operate with only a single PDC over a routed network. What is possible is not necessarily

<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with

the message that the domain controller cannot be found or that the user account cannot

be found (when you know it exists), that may be an indication that the domain controller is

overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows

clients is conservative and if followed will minimize problems but it is not absolute.

</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>

When a Windows client logs onto the network, many data packets are exchanged

between the client and the server that is providing the network logon services.

Each request between the client and the server must complete within a specific

time limit. This is one of the primary factors that govern the installation of

multiple domain controllers (usually called secondary or backup controllers).

As a rough rule, there should be one such backup controller for every

30 to 150 clients. The actual limits are determined by network operational

characteristics.

</p><p>

If the domain controller provides only network logon services

and all file and print activity is handled by domain member servers, one domain

controller per 150 clients on a single network segment may suffice. In any

case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)

per network segment. It is better to have at least one BDC on the network

segment that has a PDC. If the domain controller is also used as a file and

print server, the number of clients it can service reliably is reduced,

and generally for low powered hardware should not exceed 30 machines (Windows

workstations plus domain member servers) per domain controller. Many sites are

able to operate with more clients per domain controller, the number of clients

that can be supported is limited by the CPU speed, memory and the workload on

the Samba server as well as network bandwidth utilization.

</p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>

Slow logons and log-offs may be caused by many factors that include:

</p><div class="itemizedlist"><ul type="disc"><li><p>

Excessive delays in the resolution of a NetBIOS name to its IP

address. This may be observed when an overloaded domain controller

is also the WINS server. Another cause may be the failure to use

a WINS server (this assumes that there is a single network segment).

</p></li><li><p>

Network traffic collisions due to overloading of the network

segment. One short-term workaround to this may be to replace

network HUBs with Ethernet switches.

</p></li><li><p>

Defective networking hardware. Over the past few years, we have seen

on the Samba mailing list a significant increase in the number of

problems that were traced to a defective network interface controller,

a defective HUB or Ethernet switch, or defective cabling. In most cases,

it was the erratic nature of the problem that ultimately pointed to

the cause of the problem.

</p></li><li><p>

Excessively large roaming profiles. This type of problem is typically

the result of poor user education as well as poor network management.

It can be avoided by users not storing huge quantities of email in

MS Outlook PST files as well as by not storing files on the desktop.

These are old bad habits that require much discipline and vigilance

on the part of network management.

</p></li><li><p>

You should verify that the Windows XP WebClient service is not running.

The use of the WebClient service has been implicated in many Windows

networking-related problems.

</p></li></ul></div><p>

</p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>

Loss of access to network resources during client operation may be caused by a number

of factors, including:

</p><div class="itemizedlist"><ul type="disc"><li><p>

Network overload (typically indicated by a high network collision rate)

</p></li><li><p>

Server overload

</p></li><li><p>

Timeout causing the client to close a connection that is in use but has

100

been latent (no traffic) for some time (5 minutes or more)

101

</p></li><li><p>

102

103

Defective networking hardware

104

</p></li></ul></div><p>

105

106

No matter what the cause, a sudden loss of access to network resources can

107

result in BSOD (blue screen of death) situations that necessitate rebooting of the client

108

workstation. In the case of a mild problem, retrying to access the network drive of the printer

109

may restore operations, but in any case this is a serious problem that may lead to the next

110

problem, data corruption.

111

</p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>

112

113

Data corruption is one of the most serious problems. It leads to uncertainty, anger, and

114

frustration, and generally precipitates immediate corrective demands. Management response

115

to this type of problem may be rational, as well as highly irrational. There have been

116

cases where management has fired network staff for permitting this situation to occur without

117

immediate correction. There have been situations where perfectly functional hardware was thrown

118

out and replaced, only to find the problem caused by a low-cost network hardware item. There

119

have been cases where server operating systems were replaced, or where Samba was updated,

120

only to later isolate the problem due to defective client software.

121

</p></dd></dl></div><p>

122

In this chapter, you can work through a number of measures that significantly arm you to

123

anticipate and combat network performance issues. You can work through complex and thorny

124

methods to improve the reliability of your network environment, but be warned that all such steps

125

demand the price of complexity.

126

</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571048"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>

127

128

Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some

129

constraints that are described in this section.

130

</p><p>

131

132

133

134

135

The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.

136

That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats

137

them. A user account and a machine account are indistinguishable from each other, except that

138

the machine account ends in a $ character, as do trust accounts.

139

</p><p>

140

141

142

The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID

143

is a design decision that was made a long way back in the history of Samba development. It is

144

unlikely that this decision will be reversed or changed during the remaining life of the

145

Samba-3.x series.

146

</p><p>

147

148

149

The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that

150

must refer back to the host operating system on which Samba is running. The name service

151

switch (NSS) is the preferred mechanism that shields applications (like Samba) from the

152

need to know everything about every host OS it runs on.

153

</p><p>

154

Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>”

155

and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool

156

for achieving this is left up to the UNIX administrator to determine. It is not imposed by

157

Samba. Samba provides winbindd together with its support libraries as one method. It is

158

possible to do this via LDAP, and for that Samba provides the appropriate hooks so that

159

all account entities can be located in an LDAP directory.

160

</p><p>

161

162

For many the weapon of choice is to use the PADL nss_ldap utility. This utility must

163

be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That

164

is fundamentally an LDAP design question. The information provided on the Samba list and

165

in the documentation is directed at providing working examples only. The design

166

of an LDAP directory is a complex subject that is beyond the scope of this documentation.

167

</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571190"></a>Introduction</h2></div></div></div><p>

168

You just opened an email from Christine that reads:

169

</p><p>

170

Good morning,

171

</p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top">�</td><td width="80%" valign="top"><p>

172

A few months ago we sat down to design the network. We discussed the challenges ahead and we all

173

agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated

174

that we would have some time to resolve any issues that might be encountered.

175

</p><p>

176

As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them

177

resigned yesterday afternoon because she was under duress to complete some critical projects. She

178

suffered a blue screen of death situation just as she was finishing four hours of intensive work, all

179

of which was lost. She has a unique requirement that involves storing large files on her desktop.

180

Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it

181

takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all

182

network logon traffic passes over the network links between our buildings, logging on may take

183

three or four attempts due to blue screen problems associated with network timeouts.

184

</p><p>

185

A few of us worked to help her out of trouble. We convinced her to stay and promised to fully

186

resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard

187

limits on what our users can do with their desktops. Otherwise, we face staff losses

188

that can surely do harm to our growth as well as to staff morale. I am sure we can better deal

189

with the consequences of what we know we must do than we can with the unrest we have now.

190

</p><p>

191

Stan and I have discussed the current situation. We are resolved to help our users and protect

192

the well being of Abmas. Please acknowledge this advice with consent to proceed as required to

193

regain control of our vital IT operations.

194

195

</p><p>

196

197

198

Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a

199

single domain controller is a poor design that has obvious operational effects that may

200

frustrate users. Here is your reply:

201

202

Christine, Your diligence and attention to detail are much valued. Stan and I fully support your

203

proposals to resolve the issues. I am confident that your plans fully realized will significantly

204

boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.

205

Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait

206

for approval; I appreciate the urgency.

207

</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571288"></a>Assignment Tasks</h3></div></div></div><p>

208

The priority of assigned tasks in this chapter is:

209

</p><div class="orderedlist"><ol type="1"><li><p>

210

211

212

213

214

Implement Backup Domain Controllers (BDCs) in each building. This involves

215

a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous

216

chapter to an LDAP-based backend.

217

</p><p>

218

You can implement a single central LDAP server for this purpose.

219

</p></li><li><p>

220

221

222

223

224

Rectify the problem of excessive logon times. This involves redirection of

225

folders to network shares as well as modification of all user desktops to

226

exclude the redirected folders from being loaded at login time. You can also

227

create a new default profile that can be used for all new users.

228

</p></li></ol></div><p>

229

230

You configure a new MS Windows XP Professional workstation disk image that you roll out

231

to all desktop users. The instructions you have created are followed on a staging machine

232

from which all changes can be carefully tested before inflicting them on your network users.

233

</p><p>

234

235

This is the last network example in which specific mention of printing is made. The example

236

again makes use of the CUPS printing system.

237

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571425"></a>Dissection and Discussion</h2></div></div></div><p>

238

239

240

241

The implementation of Samba BDCs necessitates the installation and configuration of LDAP.

242

For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial

243

LDAP servers in current use with Samba-3 include:

244

</p><div class="itemizedlist"><ul type="disc"><li><p>

245

246

Novell <a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>

247

is being successfully used by some sites. Information on how to use eDirectory can be

248

obtained from the Samba mailing lists or from Novell.

249

</p></li><li><p>

250

251

IBM <a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli

252

Directory Server</a> can be used to provide the Samba LDAP backend. Example schema

253

files are provided in the Samba source code tarball under the directory

254

<code class="filename">~samba/example/LDAP.</code>

255

</p></li><li><p>

256

257

Sun <a class="ulink" href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity

258

Server product suite</a> provides an LDAP server that can be used for Samba.

259

Example schema files are provided in the Samba source code tarball under the directory

260

<code class="filename">~samba/example/LDAP.</code>

261

</p></li></ul></div><p>

262

A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial

263

offerings, it requires that you manually edit the server configuration files and manually

264

initialize the LDAP directory database. OpenLDAP itself has only command-line tools to

265

help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.

266

</p><p>

267

268

For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite

269

adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include

270

GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database

271

requires an understanding of what you are doing, why you are doing it, and the tools that you must use.

272

</p><p>

273

274

275

276

277

278

279

280

When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.

281

High availability operation may be obtained through directory replication/synchronization and

282

master/slave server configurations. OpenLDAP is a mature platform to host the organizational

283

directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.

284

The price paid through learning how to design an LDAP directory schema in implementation and configuration

285

of management tools is well rewarded by performance and flexibility and the freedom to manage directory

286

contents with greater ability to back up, restore, and modify the directory than is generally possible

287

with Microsoft Active Directory.

288

</p><p>

289

290

291

292

293

A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory

294

tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured

295

for a specific task orientation. It comes with a set of administrative tools that is entirely customized

296

for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange

297

server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator

298

who wants to build a custom directory solution. Microsoft provides an application called

299

300

MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services

301

of OpenLDAP.

302

</p><p>

303

304

305

You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly

306

if you find the challenge of learning about LDAP directories, schemas, configuration, and management

307

tools and the creation of shell and Perl scripts a bit

308

challenging. OpenLDAP can be easily customized, though it includes

309

many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file

310

that is required for use as a passdb backend.

311

</p><p>

312

313

For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,

314

there are a few nice Web-based tools that may help you to manage your users and groups more effectively.

315

The Web-based tools you might like to consider include the

316

<a class="ulink" href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based

317

<a class="ulink" href="http://www.webmin.com" target="_top">Webmin</a> Idealx

318

<a class="ulink" href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>.

319

</p><p>

320

Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of

321

these, so it may be useful to them:

322

<a class="ulink" href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser;

323

LDAP <a class="ulink" href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a>

324

<a class="ulink" href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates);

325

and <a class="ulink" href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>.

326

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

327

The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal

328

security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided

329

is considered to consist of the barest essentials only. You are strongly encouraged to learn more about

330

LDAP before attempting to deploy it in a business-critical environment.

331

</p></div><p>

332

Information to help you get started with OpenLDAP is available from the

333

<a class="ulink" href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book

334

<a class="ulink" href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a>

335

by Jerry Carter quite useful.

336

</p><p>

337

338

339

340

341

Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the

342

main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must

343

be loaded over the WAN connection. The addition of BDCs on each network segment significantly

344

improves overall network performance for most users, but it is not enough. You must gain control over

345

user desktops, and this must be done in a way that wins their support and does not cause further loss of

346

staff morale. The following procedures solve this problem.

347

</p><p>

348

349

There is also an opportunity to implement smart printing features. You add this to the Samba configuration

350

so that future printer changes can be managed without need to change desktop configurations.

351

</p><p>

352

You add the ability to automatically download new printer drivers, even if they are not installed

353

in the default desktop profile. Only one example of printing configuration is given. It is assumed that

354

you can extrapolate the principles and use them to install all printers that may be needed.

355

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571882"></a>Technical Issues</h3></div></div></div><p>

356

357

358

359

The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory

360

server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system

361

accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account

362

attributes Samba needs. Samba-3 can use the LDAP backend to store:

363

</p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>

364

365

366

367

368

369

370

371

372

373

The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking

374

accounts in the LDAP backend. This implies the need to use the

375

<a class="ulink" href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution

376

of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code>

377

or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set

378

that integrates with the NSS. The same requirements exist for resolution

379

of the UNIX username to the UID. The relationships are demonstrated in <a class="link" href="happy.html#sbehap-LDAPdiag" title="Figure�5.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">“The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”</a>.

380

</p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure�5.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p>

381

382

383

You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really

384

ought to learn how to configure secure communications over LDAP so that site security is not

385

at risk. This is not covered in the following guidance.

386

</p><p>

387

388

389

390

391

When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.

392

You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you

393

create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.

394

You need to decide how best to create user and group accounts. A few hints are, of course, provided.

395

You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools

396

that help to manage user and group configuration.

397

</p><p>

398

399

400

401

In order to effect folder redirection and to add robustness to the implementation,

402

create a network default profile. All network users workstations are configured to use

403

the new profile. Roaming profiles will automatically be deleted from the workstation

404

when the user logs off.

405

</p><p>

406

407

The profile is configured so that users cannot change the appearance

408

of their desktop. This is known as a mandatory profile. You make certain that users

409

are able to use their computers efficiently.

410

</p><p>

411

412

A network logon script is used to deliver flexible but consistent network drive

413

connections.

414

</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>

415

416

417

418

419

Samba versions prior to 3.0.11 necessitated the use of a domain administrator account

420

that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>

421

user to add user and group accounts. Samba 3.0.11 introduced a new facility known as

422

<code class="constant">Privileges</code>, which provides five new privileges that

423

can be assigned to users and/or groups; see Table 5.1.

424

</p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table�5.1.�Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p>

425

In this network example use is made of one of the supported privileges purely to demonstrate

426

how any user can now be given the ability to add machines to the domain using a normal user account

427

that has been given the appropriate privileges.

428

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572394"></a>Roaming Profile Background</h4></div></div></div><p>

429

As XP roaming profiles grow, so does the amount of time it takes to log in and out.

430

</p><p>

431

432

433

434

435

An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file

436

<code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data,

437

Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the

438

network with the default configuration of MS Windows NT/200x/XPP, all this data is

439

copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code>

440

directory. While the user is logged in, any changes made to any of these folders or to the

441

<code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy

442

of the profile. At logout the profile data is copied back to the server. This behavior

443

can be changed through appropriate registry changes and/or through changes to the default

444

user profile. In the latter case, it updates the registry with the values that are set in the

445

profile <code class="filename">NTUSER.DAT</code>

446

file.

447

</p><p>

448

The first challenge is to reduce the amount of data that must be transferred to and

449

from the profile server as roaming profiles are processed. This includes removing

450

all the shortcuts in the Recent directory, making sure the cache used by the Web browser

451

is not being dumped into the <code class="filename">Application Data</code> folder, removing the

452

Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the

453

user to not place large files on the desktop and to use his or her mapped home directory

454

instead of the <code class="filename">My Documents</code> folder for saving documents.

455

</p><p>

456

457

Using a folder other than <code class="filename">My Documents</code> is a nuisance for

458

some users, since many applications use it by default.

459

</p><p>

460

461

462

463

The secret to rapid loading of roaming profiles is to prevent unnecessary data from

464

being copied back and forth, without losing any functionality. This is not difficult;

465

it can be done by making changes to the Local Group Policy on each client as well

466

as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.

467

</p><p>

468

469

470

Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means

471

you need to edit every user's profile, unless a better method can be

472

followed. Fortunately, with the right preparations, this is not difficult.

473

It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each

474

user's profile. Then just create a Network Default Profile. Of course, it is

475

necessary to copy all files from redirected folders to the network share to which

476

they are redirected.

477

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>

478

479

480

481

482

Without an Active Directory PDC, you cannot take full advantage of Group Policy

483

Objects. However, you can still make changes to the Local Group Policy by using

484

the Group Policy editor (<code class="literal">gpedit.msc</code>).

485

</p><p>

486

The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can

487

be found under

488

<span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>.

489

By default this setting contains

490

“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”.

491

</p><p>

492

Simply add the folders you do not wish to be copied back and forth to this

493

semicolon-separated list. Note that this change must be made on all clients

494

that are using roaming profiles.

495

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572694"></a>Profile Changes</h4></div></div></div><p>

496

497

498

There are two changes that should be done to each user's profile. Move each of

499

the directories that you have excluded from being copied back and forth out of

500

the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file

501

to point to the new paths that are shared over the network instead of to the default

502

path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).

503

</p><p>

504

505

506

The above modifies existing user profiles. So that newly created profiles have

507

these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in

508

the <code class="filename">C:\Documents and Settings\Default User</code> folder on each

509

client machine, changing the same registry keys. You could do this by copying

510

<code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>.

511

The basic method is described under <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>.

512

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572788"></a>Using a Network Default User Profile</h4></div></div></div><p>

513

514

515

If you are using Samba as your PDC, you should create a file share called

516

<code class="constant">NETLOGON</code> and within that create a directory called

517

<code class="filename">Default User</code>, which is a copy of the desired default user

518

configuration (including a copy of <code class="filename">NTUSER.DAT</code>).

519

If this share exists and the <code class="filename">Default User</code> folder exists,

520

the first login from a new account pulls its configuration from it.

521

See also <a class="ulink" href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">

522

the Real Men Don't Click</a> Web site.

523

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572847"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>

524

525

526

527

The subject of printing is quite topical. Printing problems run second place to name

528

resolution issues today. So far in this book, you have experienced only what is generally

529

known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers

530

are manually installed on each client and the printing subsystems perform no filtering

531

or intelligent processing. Dumb printing is easily understood. It usually works without

532

many problems, but it has its limitations also. Dumb printing is better known as

533

<code class="literal">Raw-Print-Through</code> printing.

534

</p><p>

535

536

537

Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft

538

Windows point-and-click (also called drag-and-drop) printing. What this provides is

539

essentially the ability to print to any printer. If the local client does not yet have a

540

driver installed, the driver is automatically downloaded from the Samba server and

541

installed on the client. Drag-and-drop printing is neat; it means the user never needs

542

to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™

543

isn't it?

544

</p><p>

545

There is a further layer of print job processing that is known as <code class="literal">intelligent</code>

546

printing that automatically senses the file format of data submitted for printing and

547

then invokes a suitable print filter to convert the incoming data stream into a format

548

suited to the printer to which the job is dispatched.

549

</p><p>

550

551

552

553

The CUPS printing subsystem is capable of intelligent printing. It has the capacity to

554

detect the data format and apply a print filter. This means that it is feasible to install

555

on all Windows clients a single printer driver for use with all printers that are routed

556

through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,

557

<a class="ulink" href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have

558

released a PostScript printing driver for Windows. It can be installed into the Samba

559

printing backend so that it automatically downloads to the client when needed.

560

</p><p>

561

This means that so long as there is a CUPS driver for the printer, all printing from Windows

562

software can use PostScript, no matter what the actual printer language for the physical

563

device is. It also means that the administrator can swap out a printer with a totally

564

different type of device without ever needing to change a client workstation driver.

565

</p><p>

566

This book is about Samba-3, so you can confine the printing style to just the smart

567

style of installation. Those interested in further information regarding intelligent

568

printing should review documentation on the Easy Software Products Web site.

569

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>

570

It has often been said that there are three types of people in the world: those who

571

have sharp minds and those who forget things. Please do not ask what the third group

572

is like! Well, it seems that many of us have company in the second group. There must

573

be a good explanation why so many network administrators fail to solve apparently

574

simple problems efficiently and effectively.

575

</p><p>

576

Here are some diagnostic guidelines that can be referred to when things go wrong:

577

</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573037"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>

578

The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>”

579

</p><p>

580

581

Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice

582

regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>”

583

</p><p>

584

If you are now asking yourself how problems can be avoided, the best advice is to start

585

out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After

586

you have seen a fully working solution, a good way to learn is to make slow and progressive

587

changes that cause things to break, then observe carefully how and why things ceased to work.

588

</p><p>

589

The examples in this chapter (also in the book as a whole) are known to work. That means

590

that they could serve as the kick-off point for your journey through fields of knowledge.

591

Use this resource carefully; we hope it serves you well.

592

</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>

593

Do not be lulled into thinking that you can easily adopt the examples in this

594

book and adapt them without first working through the examples provided. A little

595

thing overlooked can cause untold pain and may permanently tarnish your experience.

596

</p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573097"></a>The Name Service Caching Daemon</h5></div></div></div><p>

597

The name service caching daemon (nscd) is a primary cause of difficulties with name

598

resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its

599

own caching, thus nscd causes double caching which can lead to peculiar problems during

600

debugging. As a rule, it is a good idea to turn off the name service caching daemon.

601

</p><p>

602

Operation of the name service caching daemon is controlled by the

603

<code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows:

604

</p><pre class="screen">

605

# /etc/nscd.conf

606

# An example Name Service Cache config file. This file is needed by nscd.

607

# Legal entries are:

608

# logfile <file>

609

# debug-level <level>

610

# threads <threads to use>

611

# server-user <user to run server as instead of root>

612

# server-user is ignored if nscd is started with -S parameters

613

# stat-user <user who is allowed to request statistics>

614

# reload-count unlimited|<number>

615

616

# enable-cache <service> <yes|no>

617

# positive-time-to-live <service> <time in seconds>

618

# negative-time-to-live <service> <time in seconds>

619

# suggested-size <service> <prime number>

620

# check-files <service> <yes|no>

621

# persistent <service> <yes|no>

622

# shared <service> <yes|no>

623

# Currently supported cache names (services): passwd, group, hosts

624

# logfile /var/log/nscd.log

625

# threads 6

626

# server-user nobody

627

# stat-user somebody

628

debug-level 0

629

# reload-count 5

630

enable-cache passwd yes

631

positive-time-to-live passwd 600

632

negative-time-to-live passwd 20

633

suggested-size passwd 211

634

check-files passwd yes

635

persistent passwd yes

636

shared passwd yes

637

enable-cache group yes

638

positive-time-to-live group 3600

639

negative-time-to-live group 60

640

suggested-size group 211

641

check-files group yes

642

persistent group yes

643

shared group yes

644

# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to

645

# cache hosts will cause your local system to not be able to trust

646

# forward/reverse lookup checks. DO NOT USE THIS if your system relies on

647

# this sort of security mechanism. Use a caching DNS server instead.

648

enable-cache hosts no

649

positive-time-to-live hosts 3600

650

negative-time-to-live hosts 20

651

suggested-size hosts 211

652

check-files hosts yes

653

persistent hosts yes

654

shared hosts yes

655

</pre><p>

656

It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code>

657

entries so they will not be cached. Alternatively, it is often simpler to just disable the

658

<code class="literal">nscd</code> service by executing (on Novell SUSE Linux):

659

</p><pre class="screen">

660

<code class="prompt">root# </code> chkconfig nscd off

661

<code class="prompt">root# </code> rcnscd off

662

</pre><p>

663

</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573271"></a>Debugging LDAP</h5></div></div></div><p>

664

665

666

667

In the example <code class="filename">/etc/openldap/slapd.conf</code> control file

668

(see <a class="link" href="happy.html#sbehap-dbconf" title="Example�5.1.�LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a>) there is an entry for <code class="constant">loglevel 256</code>.

669

To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter

670

and restart <code class="literal">slapd</code>.

671

</p><p>

672

673

674

LDAP log information can be directed into a file that is separate from the normal system

675

log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following

676

contents:

677

</p><pre class="screen">

678

# Some foreign boot scripts require local7

679

680

local0,local1.* -/var/log/localmessages

681

local2,local3.* -/var/log/localmessages

682

local5.* -/var/log/localmessages

683

local6,local7.* -/var/log/localmessages

684

local4.* -/var/log/ldaplogs

685

</pre><p>

686

In this case, all LDAP-related logs will be directed to the file

687

<code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors.

688

The snippet provides a simple example of usage that can be modified to suit

689

local site needs. The configuration used later in this chapter reflects such

690

customization with the intent that LDAP log files will be stored at a location

691

that meets local site needs and wishes more fully.

692

</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573377"></a>Debugging NSS_LDAP</h5></div></div></div><p>

693

The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the

694

<code class="filename">/etc/ldap.conf</code> file the following parameters:

695

</p><pre class="screen">

696

debug 256

697

logdir /data/logs

698

</pre><p>

699

Create the log directory as follows:

700

</p><pre class="screen">

701

<code class="prompt">root# </code> mkdir /data/logs

702

</pre><p>

703

</p><p>

704

The diagnostic process should follow these steps:

705

</p><div class="procedure"><a name="id2573421"></a><p class="title"><b>Procedure�5.1.�NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p>

706

Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries

707

in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory

708

tree location that was chosen when the directory was first created.

709

</p><p>

710

One way this can be done is by executing:

711

</p><pre class="screen">

712

<code class="prompt">root# </code> slapcat | grep Group | grep dn

713

dn: ou=Groups,dc=abmas,dc=biz

714

dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz

715

dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz

716

dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz

717

dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz

718

dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz

719

dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz

720

dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz

721

dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz

722

</pre><p>

723

The first line is the DIT entry point for the container for POSIX groups. The correct entry

724

for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code>

725

parameter therefore is the distinguished name (dn) as applied here:

726

</p><pre class="screen">

727

nss_base_group ou=Groups,dc=abmas,dc=biz?one

728

</pre><p>

729

The same process may be followed to determine the appropriate dn for user accounts.

730

If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code>

731

file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the

732

following DIT dn in the <code class="filename">/etc/ldap.conf</code> file:

733

</p><pre class="screen">

734

nss_base_passwd dc=abmas,dc=biz?sub

735

</pre><p>

736

This instructs LDAP to search for machine as well as user entries from the top of the DIT

737

down. This is inefficient, but at least should work. Note: It is possible to specify multiple

738

<code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they

739

will be evaluated sequentially. Let us consider an example of use where the following DIT

740

has been implemented:

741

</p><p>

742

</p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>

743

</p><p>

744

The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive

745

in the <code class="filename">/etc/ldap.conf</code> file may be:

746

</p><pre class="screen">

747

nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one

748

nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one

749

</pre><p>

750

</p></li><li><p>

751

Perform lookups such as:

752

</p><pre class="screen">

753

<code class="prompt">root# </code> getent passwd

754

</pre><p>

755

Each such lookup will create an entry in the <code class="filename">/data/log</code> directory

756

for each such process executed. The contents of each file created in this directory

757

may provide a hint as to the cause of the a problem that is under investigation.

758

</p></li><li><p>

759

For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code>

760

to see what error messages are being generated as a result of the LDAP lookups. Here is an example of

761

a successful lookup:

762

</p><pre class="screen">

763

slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539

764

(IP=0.0.0.0:389)

765

slapd[12164]: conn=0 op=0 BIND dn="" method=128

766

slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=

767

slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0

768

filter="(objectClass=*)"

769

slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0

770

nentries=1 text=

771

slapd[12164]: conn=0 op=2 UNBIND

772

slapd[12164]: conn=0 fd=10 closed

773

slapd[12164]: conn=1 fd=10 ACCEPT from

774

IP=127.0.0.1:33540 (IP=0.0.0.0:389)

775

slapd[12164]: conn=1 op=0 BIND

776

dn="cn=Manager,dc=abmas,dc=biz" method=128

777

slapd[12164]: conn=1 op=0 BIND

778

dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0

779

slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=

780

slapd[12164]: conn=1 op=1 SRCH

781

base="ou=People,dc=abmas,dc=biz" scope=1 deref=0

782

filter="(objectClass=posixAccount)"

783

slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword

784

uidNumber gidNumber cn

785

homeDirectory loginShell gecos description objectClass

786

slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0

787

nentries=2 text=

788

slapd[12164]: conn=1 fd=10 closed

789

790

</pre><p>

791

</p></li><li><p>

792

Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the

793

<code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the

794

<code class="filename">/etc/openldap/slapd.conf</code> file.

795

</p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573672"></a>Debugging Samba</h5></div></div></div><p>

796

The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems:

797

</p><pre class="screen">

798

[global]

799

...

800

log level = 5

801

log file = /var/log/samba/%m.log

802

max log size = 0

803

...

804

</pre><p>

805

This will result in the creation of a separate log file for every client from which connections

806

are made. The log file will be quite verbose and will grow continually. Do not forget to

807

change these lines to the following when debugging has been completed:

808

</p><pre class="screen">

809

[global]

810

...

811

log level = 1

812

log file = /var/log/samba/%m.log

813

max log size = 50

814

...

815

</pre><p>

816

</p><p>

817

The log file can be analyzed by executing:

818

</p><pre class="screen">

819

<code class="prompt">root# </code> cd /var/log/samba

820

<code class="prompt">root# </code> grep -v "^\[200" machine_name.log

821

</pre><p>

822

</p><p>

823

Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span>

824

and <span class="emphasis"><em>error</em></span>.

825

</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573743"></a>Debugging on the Windows Client</h5></div></div></div><p>

826

MS Windows 2000 Professional and Windows XP Professional clients can be configured

827

to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search

828

the Microsoft knowledge base for detailed instructions. The techniques vary a little with each

829

version of MS Windows.

830

</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573760"></a>Political Issues</h3></div></div></div><p>

831

MS Windows network users are generally very sensitive to limits that may be imposed when

832

confronted with locked-down workstation configurations. The challenge you face must

833

be promoted as a choice between reliable, fast network operation and a constant flux

834

of problems that result in user irritation.

835

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573776"></a>Installation Checklist</h3></div></div></div><p>

836

You are starting a complex project. Even though you went through the installation of a complex

837

network in <a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>, this network is a bigger challenge because of the

838

large number of complex applications that must be configured before the first few steps

839

can be validated. Take stock of what you are about to undertake, prepare yourself, and

840

frequently review the steps ahead while making at least a mental note of what has already

841

been completed. The following task list may help you to keep track of the task items

842

that are covered:

843

</p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573956"></a>Samba Server Implementation</h2></div></div></div><p>

844

845

846

The network design shown in <a class="link" href="happy.html#chap6net" title="Figure�5.2.�Network Topology 500 User Network Using ldapsam passdb backend">“Network Topology 500 User Network Using ldapsam passdb backend”</a> is not comprehensive. It is assumed

847

that you will install additional file servers and possibly additional BDCs.

848

</p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure�5.2.�Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p>

849

850

851

All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE

852

Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to

853

adjust the locations for your particular Linux system distribution/implementation.

854

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

855

The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools

856

scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,

857

please verify that the versions you are about to use are matching. The smbldap-tools package

858

uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are

859

issued for POSIX accounts. The LDAP rdn under which this information is stored are called

860

<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be

861

located in any convenient part of the directory information tree (DIT). In the examples that

862

follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>.

863

They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>.

864

</p></div><p>

865

The steps in the process involve changes from the network configuration shown in

866

<a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>. Before implementing the following steps, you must

867

have completed the network implementation shown in that chapter. If you are starting

868

with newly installed Linux servers, you must complete the steps shown in

869

<a class="link" href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">“Installation of DHCP, DNS, and Samba Control Files”</a> before commencing at <a class="link" href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">“OpenLDAP Server Configuration”</a>.

870

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>

871

872

873

874

Confirm that the packages shown in <a class="link" href="happy.html#oldapreq" title="Table�5.2.�Required OpenLDAP Linux Packages">“Required OpenLDAP Linux Packages”</a> are installed on your system.

875

</p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table�5.2.�Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left">�</td></tr></tbody></table></div></div><br class="table-break"><p>

876

Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method

877

for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you

878

follow these guidelines, the resulting system should work fine.

879

</p><div class="procedure"><a name="id2574268"></a><p class="title"><b>Procedure�5.2.�OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p>

880

881

Install the file shown in <a class="link" href="happy.html#sbehap-slapdconf" title="Example�5.2.�LDAP Master Configuration File /etc/openldap/slapd.conf Part A">“LDAP Master Configuration File /etc/openldap/slapd.conf Part A”</a> in the directory

882

<code class="filename">/etc/openldap</code>.

883

</p></li><li><p>

884

885

886

887

Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that

888

the directory exists with permissions:

889

</p><pre class="screen">

890

<code class="prompt">root# </code> ls -al /data | grep ldap

891

drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap

892

</pre><p>

893

This may require you to add a user and a group account for LDAP if they do not exist.

894

</p></li><li><p>

895

896

Install the file shown in <a class="link" href="happy.html#sbehap-dbconf" title="Example�5.1.�LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a> in the directory

897

<code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code>

898

has been started, it is possible to cause the new settings to take effect by shutting down

899

the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the

900

<code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server.

901

</p></li><li><p>

902

903

Performance logging can be enabled and should preferably be sent to a file on

904

a file system that is large enough to handle significantly sized logs. To enable

905

the logging at a verbose level to permit detailed analysis, uncomment the entry in

906

the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”.

907

</p><p>

908

Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end

909

of the file:

910

</p><pre class="screen">

911

local4.* -/data/ldap/log/openldap.log

912

</pre><p>

913

Note: The path <code class="filename">/data/ldap/log</code> should be set at a location

914

that is convenient and that can store a large volume of data.

915

</p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example�5.1.�LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen">

916

set_cachesize 0 150000000 1

917

set_lg_regionmax 262144

918

set_lg_bsize 2097152

919

#set_lg_dir /var/log/bdb

920

set_flags DB_LOG_AUTOREMOVE

921

</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example�5.2.�LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">

922

include /etc/openldap/schema/core.schema

923

include /etc/openldap/schema/cosine.schema

924

include /etc/openldap/schema/inetorgperson.schema

925

include /etc/openldap/schema/nis.schema

926

include /etc/openldap/schema/samba3.schema

927

928

pidfile /var/run/slapd/slapd.pid

929

argsfile /var/run/slapd/slapd.args

930

931

access to dn.base=""

932

by self write

933

by * auth

934

935

access to attr=userPassword

936

by self write

937

by * auth

938

939

access to attr=shadowLastChange

940

by self write

941

by * read

942

943

access to *

944

by * read

945

by anonymous auth

946

947

#loglevel 256

948

949

schemacheck on

950

idletimeout 30

951

backend bdb

952

database bdb

953

checkpoint 1024 5

954

cachesize 10000

955

956

suffix "dc=abmas,dc=biz"

957

rootdn "cn=Manager,dc=abmas,dc=biz"

958

959

# rootpw = not24get

960

rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

961

962

directory /data/ldap

963

</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example�5.3.�LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen">

964

# Indices to maintain

965

index objectClass eq

966

index cn pres,sub,eq

967

index sn pres,sub,eq

968

index uid pres,sub,eq

969

index displayName pres,sub,eq

970

index uidNumber eq

971

index gidNumber eq

972

index memberUID eq

973

index sambaSID eq

974

index sambaPrimaryGroupSID eq

975

index sambaDomainName eq

976

index default sub

977

</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>

978

979

980

981

The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and

982

groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure

983

the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.

984

</p><p>

985

986

987

Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely

988

that you may want to use them for UNIX system (Linux) local machine logons. This necessitates

989

correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the

990

PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code>

991

module also has the ability to redirect authentication requests through LDAP.

992

</p><p>

993

994

995

996

997

You have chosen to configure these services by directly editing the system files, but of course, you

998

know that this configuration can be done using system tools provided by the Linux system vendor.

999

SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits

1000

configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code>

1001

tool for this.

1002

</p><div class="procedure"><a name="id2574694"></a><p class="title"><b>Procedure�5.3.�PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example�5.4.�Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">

1003

host 127.0.0.1

1004

1005

base dc=abmas,dc=biz

1006

1007

binddn cn=Manager,dc=abmas,dc=biz

1008

bindpw not24get

1009

1010

timelimit 50

1011

bind_timelimit 50

1012

bind_policy hard

1013

1014

idle_timelimit 3600

1015

1016

pam_password exop

1017

1018

nss_base_passwd ou=People,dc=abmas,dc=biz?one

1019

nss_base_shadow ou=People,dc=abmas,dc=biz?one

1020

nss_base_group ou=Groups,dc=abmas,dc=biz?one

1021

1022

ssl off

1023

</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example�5.5.�Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">

1024

host 172.16.0.1

1025

1026

base dc=abmas,dc=biz

1027

1028

binddn cn=Manager,dc=abmas,dc=biz

1029

bindpw not24get

1030

1031

timelimit 50

1032

bind_timelimit 50

1033

bind_policy hard

1034

1035

idle_timelimit 3600

1036

1037

pam_password exop

1038

1039

nss_base_passwd ou=People,dc=abmas,dc=biz?one

1040

nss_base_shadow ou=People,dc=abmas,dc=biz?one

1041

nss_base_group ou=Groups,dc=abmas,dc=biz?one

1042

1043

ssl off

1044

</pre></div></div><br class="example-break"><ol type="1"><li><p>

1045

1046

1047

1048

Execute the following command to find where the <code class="filename">nss_ldap</code> module

1049

expects to find its control file:

1050

</p><pre class="screen">

1051

<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf

1052

</pre><p>

1053

The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.

1054

</p></li><li><p>

1055

On the server <code class="constant">MASSIVE</code>, install the file shown in

1056

<a class="link" href="happy.html#sbehap-nss01" title="Example�5.4.�Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a> into the path that was obtained from the step above.

1057

On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in

1058

<a class="link" href="happy.html#sbehap-nss02" title="Example�5.5.�Configuration File for NSS LDAP Clients Support /etc/ldap.conf">“Configuration File for NSS LDAP Clients Support /etc/ldap.conf”</a> into the path that was obtained from the step above.

1059

</p></li><li><p>

1060

1061

Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that

1062

control user and group resolution will obtain information from the normal system files as

1063

well as from <code class="literal">ldap</code>:

1064

</p><pre class="screen">

1065

passwd: files ldap

1066

shadow: files ldap

1067

group: files ldap

1068

hosts: files dns wins

1069

</pre><p>

1070

Later, when the LDAP database has been initialized and user and group accounts have been

1071

added, you can validate resolution of the LDAP resolver process. The inclusion of

1072

WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be

1073

resolved to their IP addresses, whether or not they are DHCP clients.

1074

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

1075

Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code>

1076

file that may cause operational problems with the configuration methods adopted in this book. It is

1077

advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code>

1078

where they are found in this file.

1079

</p></div><p>

1080

Even at the risk of overstating the issue, incorrect and inappropriate configuration of the

1081

<code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP.

1082

</p></li><li><p>

1083

1084

For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following

1085

files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>,

1086

<code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the

1087

<code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown

1088

for the <code class="literal">login</code> module in this example:

1089

</p><pre class="screen">

1090

#%PAM-1.0

1091

auth requisite pam_unix2.so nullok use_ldap #set_secrpc

1092

auth required pam_securetty.so

1093

auth required pam_nologin.so

1094

#auth required pam_homecheck.so

1095

auth required pam_env.so

1096

auth required pam_mail.so

1097

account required pam_unix2.so use_ldap

1098

password required pam_pwcheck.s nullok

1099

password required pam_unix2.so nullok use_first_pass \

1100

use_authtok use_ldap

1101

session required pam_unix2.so none use_ldap # debug or trace

1102

session required pam_limits.so

1103

</pre><p>

1104

</p><p>

1105

1106

On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module,

1107

you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here:

1108

</p><pre class="screen">

1109

#%PAM-1.0

1110

auth required pam_securetty.so

1111

auth required pam_nologin.so

1112

auth sufficient pam_ldap.so

1113

auth required pam_unix2.so nullok try_first_pass #set_secrpc

1114

account sufficient pam_ldap.so

1115

account required pam_unix2.so

1116

password required pam_pwcheck.so nullok

1117

password required pam_ldap.so use_first_pass use_authtok

1118

password required pam_unix2.so nullok use_first_pass use_authtok

1119

session required pam_unix2.so none # debug or trace

1120

session required pam_limits.so

1121

session required pam_env.so

1122

session optional pam_mail.so

1123

</pre><p>

1124

This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply

1125

demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either

1126

implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports

1127

LDAP, you probably want to use it rather than add an additional module.

1128

</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>

1129

1130

Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server

1131

before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the

1132

choice to either build your own or obtain the packages from a dependable source.

1133

Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for

1134

Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that

1135

is included with this book.

1136

</p><div class="procedure"><a name="id2575107"></a><p class="title"><b>Procedure�5.4.�Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p>

1137

Install the files in <a class="link" href="happy.html#sbehap-massive-smbconfa" title="Example�5.6.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”</a>,

1138

<a class="link" href="happy.html#sbehap-massive-smbconfb" title="Example�5.7.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”</a>, <a class="link" href="happy.html#sbehap-shareconfa" title="Example�5.10.�LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>,

1139

and <a class="link" href="happy.html#sbehap-shareconfb" title="Example�5.11.�LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> into the <code class="filename">/etc/samba/</code>

1140

directory. The three files should be added together to form the <code class="filename">smb.conf</code>

1141

master file. It is a good practice to call this file something like

1142

<code class="filename">smb.conf.master</code> and then to perform all file edits

1143

on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in

1144

the next step.

1145

</p></li><li><p>

1146

1147

Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by:

1148

</p><pre class="screen">

1149

<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf

1150

</pre><p>

1151

Immediately follow this with the following:

1152

</p><pre class="screen">

1153

<code class="prompt">root# </code> testparm

1154

</pre><p>

1155

The output that is created should be free from errors, as shown here:

1156

1157

</p><pre class="screen">

1158

Load smb config files from /etc/samba/smb.conf

1159

Processing section "[accounts]"

1160

Processing section "[service]"

1161

Processing section "[pidata]"

1162

Processing section "[homes]"

1163

Processing section "[printers]"

1164

Processing section "[apps]"

1165

Processing section "[netlogon]"

1166

Processing section "[profiles]"

1167

Processing section "[profdata]"

1168

Processing section "[print$]"

1169

Loaded services file OK.

1170

Server role: ROLE_DOMAIN_PDC

1171

Press enter to see a dump of your service definitions

1172

</pre><p>

1173

</p></li><li><p>

1174

Delete all runtime files from prior Samba operation by executing (for SUSE

1175

Linux):

1176

</p><pre class="screen">

1177

<code class="prompt">root# </code> rm /etc/samba/*tdb

1178

<code class="prompt">root# </code> rm /var/lib/samba/*tdb

1179

<code class="prompt">root# </code> rm /var/lib/samba/*dat

1180

<code class="prompt">root# </code> rm /var/log/samba/*

1181

</pre><p>

1182

</p></li><li><p>

1183

1184

1185

Samba-3 communicates with the LDAP server. The password that it uses to

1186

authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code>

1187

file. Execute the following to create the new <code class="filename">secrets.tdb</code> files

1188

and store the password for the LDAP Manager:

1189

</p><pre class="screen">

1190

<code class="prompt">root# </code> smbpasswd -w not24get

1191

</pre><p>

1192

The expected output from this command is:

1193

</p><pre class="screen">

1194

Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb

1195

</pre><p>

1196

</p></li><li><p>

1197

1198

1199

Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code>

1200

has been started. For this reason, you start Samba. After a few seconds delay,

1201

execute:

1202

</p><pre class="screen">

1203

<code class="prompt">root# </code> smbclient -L localhost -U%

1204

<code class="prompt">root# </code> net getlocalsid

1205

</pre><p>

1206

A report such as the following means that the domain SID has not yet

1207

been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend:

1208

</p><pre class="screen">

1209

[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)

1210

failed to bind to server ldap://massive.abmas.biz

1211

with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server

1212

(unknown)

1213

[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)

1214

smbldap_search_suffix: Problem during the LDAP search:

1215

(unknown) (Timed out)

1216

</pre><p>

1217

The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server

1218

is not running, this operation will fail by way of a timeout, as shown previously. This is

1219

normal output; do not worry about this error message. When the domain has been created and

1220

written to the <code class="filename">secrets.tdb</code> file, the output should look like this:

1221

</p><pre class="screen">

1222

SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765

1223

</pre><p>

1224

If, after a short delay (a few seconds), the domain SID has still not been written to

1225

the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what

1226

may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical

1227

errors (the most common problem). The use of the <code class="literal">testparm</code> is highly

1228

recommended to validate the contents of this file.

1229

</p></li><li><p>

1230

When a positive domain SID has been reported, stop Samba.

1231

</p></li><li><p>

1232

1233

1234

1235

1236

Configure the NFS server for your Linux system. So you can complete the steps that

1237

follow, enter into the <code class="filename">/etc/exports</code> the following entry:

1238

</p><pre class="screen">

1239

/home *(rw,root_squash,sync)

1240

</pre><p>

1241

This permits the user home directories to be used on the BDC servers for testing

1242

purposes. You, of course, decide what is the best way for your site to distribute

1243

data drives, and you create suitable backup and restore procedures for Abmas

1244

I'd strongly recommend that for normal operation the BDC is completely independent

1245

of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite

1246

closely. If you do use NFS, do not forget to start the NFS server as follows:

1247

</p><pre class="screen">

1248

<code class="prompt">root# </code> rcnfsserver start

1249

</pre><p>

1250

</p></li></ol></div><p>

1251

Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with

1252

configuration of the LDAP server.

1253

</p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example�5.6.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2575564"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2575576"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2575588"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2575600"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2575611"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575623"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575636"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575648"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2575660"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2575671"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2575683"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2575694"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2575706"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2575718"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2575730"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575742"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2575753"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2575766"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575778"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575790"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575803"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575815"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575828"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575841"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575854"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example�5.7.�LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2575892"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2575904"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2575916"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2575927"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575939"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575951"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575962"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575974"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575986"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575998"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2576010"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2576022"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576034"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576047"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576058"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576070"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2576082"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2576094"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>

1254

1255

The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts

1256

on the LDAP server. You have chosen the Idealx scripts because they are the best-known

1257

LDAP configuration scripts. The use of these scripts will help avoid the necessity

1258

to create custom scripts. It is easy to download them from the Idealx

1259

<a class="ulink" href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may

1260

be directly <a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a>

1261

from this site also. Alternatively, you may obtain the

1262

<a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a>

1263

file that may be used to build an installable RPM package for your Linux system.

1264

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

1265

The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must

1266

change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>).

1267

</p></div><p>

1268

The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>.

1269

The scripts are not needed on BDC machines because all LDAP updates are handled by

1270

the PDC alone.

1271

</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576187"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>

1272

To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:

1273

</p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure�5.5.�Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p>

1274

Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions

1275

and ownership as shown here:

1276

</p><pre class="screen">

1277

<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin

1278

<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin

1279

<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin

1280

<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools

1281

<code class="prompt">root# </code> chown root:root /etc/smbldap-tools

1282

<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools

1283

</pre><p>

1284

</p></li><li><p>

1285

If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.

1286

Change into either the directory extracted from the tarball or the smbldap-tools

1287

directory in your <code class="filename">/usr/share/doc/packages</code> directory tree.

1288

</p></li><li><p>

1289

Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the

1290

<code class="filename">/opt/IDEALX/sbin</code> directory, as shown here:

1291

</p><pre class="screen">

1292

<code class="prompt">root# </code> cd smbldap-tools-0.9.1/

1293

<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/

1294

<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/

1295

<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-*

1296

<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl

1297

<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf

1298

<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf

1299

</pre><p>

1300

</p></li><li><p>

1301

The smbldap-tools scripts master control file must now be configured.

1302

Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the

1303

<code class="filename">smbldap_tools.pm</code> to affect the changes

1304

shown here:

1305

</p><pre class="screen">

1306

...

1307

# ugly funcs using global variables and spawning openldap clients

1308

1309

my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";

1310

my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";

1311

...

1312

</pre><p>

1313

</p></li><li><p>

1314

To complete the configuration of the smbldap-tools, set the permissions and ownership

1315

by executing the following commands:

1316

</p><pre class="screen">

1317

<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/*

1318

<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-*

1319

<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm

1320

</pre><p>

1321

The smbldap-tools scripts are now ready for the configuration step outlined in

1322

<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">“Configuration of smbldap-tools”</a>.

1323

</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576439"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>

1324

In the event that you have elected to use the RPM package provided by Idealx, download the

1325

source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure:

1326

</p><div class="procedure"><a name="id2576457"></a><p class="title"><b>Procedure�5.6.�Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p>

1327

Install the source RPM that has been downloaded as follows:

1328

</p><pre class="screen">

1329

<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm

1330

</pre><p>

1331

</p></li><li><p>

1332

Change into the directory in which the SPEC files are located. On SUSE Linux:

1333

</p><pre class="screen">

1334

<code class="prompt">root# </code> cd /usr/src/packages/SPECS

1335

</pre><p>

1336

On Red Hat Linux systems:

1337

</p><pre class="screen">

1338

<code class="prompt">root# </code> cd /usr/src/redhat/SPECS

1339

</pre><p>

1340

</p></li><li><p>

1341

Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the

1342

<code class="constant">_sysconfig</code> macro as shown here:

1343

</p><pre class="screen">

1344

%define _prefix /opt/IDEALX

1345

%define _sysconfdir /etc

1346

</pre><p>

1347

Note: Any suitable directory can be specified.

1348

</p></li><li><p>

1349

Build the package by executing:

1350

</p><pre class="screen">

1351

<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec

1352

</pre><p>

1353

A build process that has completed without error will place the installable binary

1354

files in the directory <code class="filename">../RPMS/noarch</code>.

1355

</p></li><li><p>

1356

Install the binary package by executing:

1357

</p><pre class="screen">

1358

<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm

1359

</pre><p>

1360

</p></li></ol></div><p>

1361

The Idealx scripts should now be ready for configuration using the steps outlined in

1362

<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.

1363

</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>

1364

Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file

1365

and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption

1366

is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that

1367

this is completed correctly:

1368

</p><p>

1369

The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included

1370

in the <code class="filename">smb.conf</code> file.

1371

</p><div class="procedure"><a name="id2576652"></a><p class="title"><b>Procedure�5.7.�Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p>

1372

Change into the directory that contains the <code class="filename">configure.pl</code> script.

1373

</p><pre class="screen">

1374

<code class="prompt">root# </code> cd /opt/IDEALX/sbin

1375

</pre><p>

1376

</p></li><li><p>

1377

Execute the <code class="filename">configure.pl</code> script as follows:

1378

</p><pre class="screen">

1379

<code class="prompt">root# </code> ./configure.pl

1380

</pre><p>

1381

The interactive use of this script for the PDC is demonstrated here:

1382

</p><pre class="screen">

1383

<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl

1384

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1385

smbldap-tools script configuration

1386

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1387

Before starting, check

1388

. if your samba controller is up and running.

1389

. if the domain SID is defined (you can get it with the

1390

'net getlocalsid')

1391

1392

. you can leave the configuration using the Crtl-c key combination

1393

. empty value can be set with the "." character

1394

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1395

Looking for configuration files...

1396

1397

Samba Config File Location [/etc/samba/smb.conf] >

1398

smbldap-tools configuration file Location (global parameters)

1399

[/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >

1400

smbldap Config file Location (bind parameters)

1401

[/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >

1402

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1403

Let's start configuring the smbldap-tools scripts ...

1404

1405

. workgroup name: name of the domain Samba act as a PDC

1406

workgroup name [MEGANET2] >

1407

. netbios name: netbios name of the samba controler

1408

netbios name [MASSIVE] >

1409

. logon drive: local path to which the home directory

1410

will be connected (for NT Workstations). Ex: 'H:'

1411

logon drive [H:] >

1412

. logon home: home directory location (for Win95/98 or NT Workstation)

1413

(use %U as username) Ex:'\\MASSIVE\%U'

1414

logon home (press the "." character if you don't want homeDirectory)

1415

[\\MASSIVE\%U] >

1416

. logon path: directory where roaming profiles are stored.

1417

Ex:'\\MASSIVE\profiles\%U'

1418

logon path (press the "." character

1419

if you don't want roaming profile) [\\%L\profiles\%U] >

1420

. home directory prefix (use %U as username)

1421

[/home/%U] > /data/users/%U

1422

. default users' homeDirectory mode [700] >

1423

. default user netlogon script (use %U as username)

1424

[scripts\logon.bat] >

1425

default password validation time (time in days) [45] > 900

1426

. ldap suffix [dc=abmas,dc=biz] >

1427

. ldap group suffix [ou=Groups] >

1428

. ldap user suffix [ou=People,ou=Users] >

1429

. ldap machine suffix [ou=Computers,ou=Users] >

1430

. Idmap suffix [ou=Idmap] >

1431

. sambaUnixIdPooldn: object where you want to store the next uidNumber

1432

and gidNumber available for new users and groups

1433

sambaUnixIdPooldn object (relative to ${suffix})

1434

[sambaDomainName=MEGANET2] >

1435

. ldap master server: IP adress or DNS name of the master

1436

(writable) ldap server

1437

ldap master server [massive.abmas.biz] >

1438

. ldap master port [389] >

1439

. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >

1440

. ldap master bind password [] >

1441

. ldap slave server: IP adress or DNS name of the slave ldap server:

1442

can also be the master one

1443

ldap slave server [massive.abmas.biz] >

1444

. ldap slave port [389] >

1445

. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >

1446

. ldap slave bind password [] >

1447

. ldap tls support (1/0) [0] >

1448

. SID for domain MEGANET2: SID of the domain

1449

(can be obtained with 'net getlocalsid MASSIVE')

1450

SID for domain MEGANET2

1451

[S-1-5-21-3504140859-1010554828-2431957765]] >

1452

. unix password encryption: encryption used for unix passwords

1453

unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5

1454

. default user gidNumber [513] >

1455

. default computer gidNumber [515] >

1456

. default login shell [/bin/bash] >

1457

. default skeleton directory [/etc/skel] >

1458

. default domain name to append to mail adress [] > abmas.biz

1459

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1460

backup old configuration files:

1461

/etc/opt/IDEALX/smbldap-tools/smbldap.conf->

1462

/etc/opt/IDEALX/smbldap-tools/smbldap.conf.old

1463

/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->

1464

/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old

1465

writing new configuration file:

1466

/etc/opt/IDEALX/smbldap-tools/smbldap.conf done.

1467

/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.

1468

</pre><p>

1469

Since a slave LDAP server has not been configured, it is necessary to specify the IP

1470

address of the master LDAP server for both the master and the slave configuration

1471

prompts.

1472

</p></li><li><p>

1473

Change to the directory that contains the <code class="filename">smbldap.conf</code> file,

1474

then verify its contents.

1475

</p></li></ol></div><p>

1476

The smbldap-tools are now ready for use.

1477

</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2576854"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>

1478

The LDAP database must be populated with well-known Windows domain user accounts and domain group

1479

accounts before Samba can be used. The following procedures step you through the process.

1480

</p><p>

1481

At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are

1482

mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not

1483

hurt to have UNIX user and group accounts in both the system files as well as in the LDAP

1484

database. From a UNIX system perspective, the NSS resolver checks system files before

1485

referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it

1486

does not need to ask LDAP.

1487

</p><p>

1488

Addition of an account to the LDAP backend can be done in two ways:

1489

</p><div class="itemizedlist"><ul type="disc"><li><p>

1490

1491

1492

1493

1494

1495

1496

If you always have a user account in the <code class="filename">/etc/passwd</code> on every

1497

server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in

1498

LDAP. In this case, you can add Windows domain user accounts using the

1499

<code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the

1500

SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.

1501

</p><p>

1502

This is the least desirable method because when LDAP is used as the passwd backend Samba

1503

expects the POSIX account to be in LDAP also. It is possible to use the PADL account

1504

migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>

1505

files, or from NIS, to LDAP.

1506

</p></li><li><p>

1507

If you decide that it is probably a good idea to add both the PosixAccount attributes

1508

as well as the SambaSamAccount attributes for each user, then a suitable script is needed.

1509

In the example system you are installing in this exercise, you are making use of the

1510

Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,

1511

is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>

1512

</p></li></ul></div><p>

1513

1514

If you wish to have more control over how the LDAP database is initialized or

1515

if you don't want to use the Idealx smbldap-tools, you should refer to

1516

<a class="link" href="appendix.html" title="Chapter�15.�A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">“Alternative LDAP Database Initialization”</a>.

1517

</p><p>

1518

1519

The following steps initialize the LDAP database, and then you can add user and group

1520

accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to

1521

seed the LDAP database. You then manually add the accounts shown in <a class="link" href="happy.html#sbehap-bigacct" title="Table�5.3.�Abmas Network Users and Groups">“Abmas Network Users and Groups”</a>.

1522

The list of users does not cover all 500 network users; it provides examples only.

1523

</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

1524

1525

1526

1527

In the following examples, as the LDAP database is initialized, we do create a container

1528

for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made

1529

of the People container, not the Computers container, for domain member accounts. This is not a

1530

mistake; it is a deliberate action that is necessitated by the fact that the resolution of

1531

a machine (computer) account to a UID is done via NSS. The only way this can be handled is

1532

using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>,

1533

which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for

1534

the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that

1535

provides only one possible LDAP search command that is specified by the entry called

1536

<code class="constant">nss_base_passwd</code>. This means that the search path must take into account

1537

the directory structure so that the LDAP search will commence at a level that is above

1538

both the Computers container and the Users (or People) container. If this is done, it is

1539

necessary to use a search that will descend the directory tree so that the machine account

1540

can be found. Alternatively, by placing all machine accounts in the People container, we

1541

are able to sidestep this limitation. This is the simpler solution that has been adopted

1542

in this chapter.

1543

</p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table�5.3.�Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left">�</td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left">�</td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left">�</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure�5.8.�LDAP Directory Initialization Steps</b></p><ol type="1"><li><p>

1544

Start the LDAP server by executing:

1545

</p><pre class="screen">

1546

<code class="prompt">root# </code> rcldap start

1547

Starting ldap-server done

1548

</pre><p>

1549

</p></li><li><p>

1550

Change to the <code class="filename">/opt/IDEALX/sbin</code> directory.

1551

</p></li><li><p>

1552

Execute the script that will populate the LDAP database as shown here:

1553

</p><pre class="screen">

1554

<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0

1555

</pre><p>

1556

The expected output from this is:

1557

</p><pre class="screen">

1558

Using workgroup name from smb.conf: sambaDomainName=MEGANET2

1559

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1560

=> Warning: you must update smbldap.conf configuration file to :

1561

=> sambaUnixIdPooldn parameter must be set

1562

to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"

1563

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1564

Using builtin directory structure

1565

adding new entry: dc=abmas,dc=biz

1566

adding new entry: ou=People,dc=abmas,dc=biz

1567

adding new entry: ou=Groups,dc=abmas,dc=biz

1568

entry ou=People,dc=abmas,dc=biz already exist.

1569

adding new entry: ou=Idmap,dc=abmas,dc=biz

1570

adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz

1571

adding new entry: uid=root,ou=People,dc=abmas,dc=biz

1572

adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz

1573

adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz

1574

adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz

1575

adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz

1576

adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz

1577

adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz

1578

adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz

1579

adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz

1580

adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz

1581

</pre><p>

1582

</p></li><li><p>

1583

Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following

1584

information is changed from:

1585

</p><pre class="screen">

1586

# Where to store next uidNumber and gidNumber available

1587

sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

1588

</pre><p>

1589

to read, after modification:

1590

</p><pre class="screen">

1591

# Where to store next uidNumber and gidNumber available

1592

#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

1593

sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"

1594

</pre><p>

1595

</p></li><li><p>

1596

It is necessary to restart the LDAP server as shown here:

1597

</p><pre class="screen">

1598

<code class="prompt">root# </code> rcldap restart

1599

Shutting down ldap-server done

1600

Starting ldap-server done

1601

</pre><p>

1602

</p></li><li><p>

1603

1604

So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.

1605

There are several ways you can check that your LDAP database is able to receive IDMAP information. One of

1606

the simplest is to execute:

1607

</p><pre class="screen">

1608

<code class="prompt">root# </code> slapcat | grep -i idmap

1609

dn: ou=Idmap,dc=abmas,dc=biz

1610

ou: idmap

1611

</pre><p>

1612

1613

If the execution of this command does not return IDMAP entries, you need to create an LDIF

1614

template file (see <a class="link" href="happy.html#sbehap-ldifadd" title="Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using

1615

the following command:

1616

</p><pre class="screen">

1617

<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \

1618

-w not24get < /etc/openldap/idmap.LDIF

1619

</pre><p>

1620

Samba automatically populates this LDAP directory container when it needs to.

1621

</p></li><li><p>

1622

1623

It looks like all has gone well, as expected. Let's confirm that this is the case

1624

by running a few tests. First we check the contents of the database directly

1625

by running <code class="literal">slapcat</code> as follows (the output has been cut down):

1626

</p><pre class="screen">

1627

<code class="prompt">root# </code> slapcat

1628

dn: dc=abmas,dc=biz

1629

objectClass: dcObject

1630

objectClass: organization

1631

dc: abmas

1632

o: abmas

1633

structuralObjectClass: organization

1634

entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43

1635

creatorsName: cn=Manager,dc=abmas,dc=biz

1636

createTimestamp: 20031217234200Z

1637

entryCSN: 2003121723:42:00Z#0x0001#0#0000

1638

modifiersName: cn=Manager,dc=abmas,dc=biz

1639

modifyTimestamp: 20031217234200Z

1640

...

1641

dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz

1642

objectClass: posixGroup

1643

objectClass: sambaGroupMapping

1644

gidNumber: 553

1645

cn: Domain Computers

1646

description: Netbios Domain Computers accounts

1647

sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553

1648

sambaGroupType: 2

1649

displayName: Domain Computers

1650

structuralObjectClass: posixGroup

1651

entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43

1652

creatorsName: cn=Manager,dc=abmas,dc=biz

1653

createTimestamp: 20031217234206Z

1654

entryCSN: 2003121723:42:06Z#0x0002#0#0000

1655

modifiersName: cn=Manager,dc=abmas,dc=biz

1656

modifyTimestamp: 20031217234206Z

1657

</pre><p>

1658

This looks good so far.

1659

</p></li><li><p>

1660

1661

The next step is to prove that the LDAP server is running and responds to a

1662

search request. Execute the following as shown (output has been cut to save space):

1663

</p><pre class="screen">

1664

<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"

1665

# extended LDIF

1666

1667

# LDAPv3

1668

# base <dc=abmas,dc=biz> with scope sub

1669

# filter: (ObjectClass=*)

1670

# requesting: ALL

1671

1672

1673

# abmas.biz

1674

dn: dc=abmas,dc=biz

1675

objectClass: dcObject

1676

objectClass: organization

1677

dc: abmas

1678

o: abmas

1679

1680

# People, abmas.biz

1681

dn: ou=People,dc=abmas,dc=biz

1682

objectClass: organizationalUnit

1683

ou: People

1684

...

1685

# Domain Computers, Groups, abmas.biz

1686

dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz

1687

objectClass: posixGroup

1688

objectClass: sambaGroupMapping

1689

gidNumber: 553

1690

cn: Domain Computers

1691

description: Netbios Domain Computers accounts

1692

sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553

1693

sambaGroupType: 2

1694

displayName: Domain Computers

1695

1696

# search result

1697

search: 2

1698

result: 0 Success

1699

1700

# numResponses: 20

1701

# numEntries: 19

1702

</pre><p>

1703

Good. It is all working just fine.

1704

</p></li><li><p>

1705

1706

You must now make certain that the NSS resolver can interrogate LDAP also.

1707

Execute the following commands:

1708

</p><pre class="screen">

1709

<code class="prompt">root# </code> getent passwd | grep root

1710

root:x:998:512:Netbios Domain Administrator:/home:/bin/false

1711

1712

<code class="prompt">root# </code> getent group | grep Domain

1713

Domain Admins:x:512:root

1714

Domain Users:x:513:

1715

Domain Guests:x:514:

1716

Domain Computers:x:553:

1717

</pre><p>

1718

1719

This demonstrates that the <code class="literal">nss_ldap</code> library is functioning

1720

as it should. If these two steps fail to produce this information, refer to

1721

<a class="link" href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">“Avoiding Failures: Solving Problems Before They Happen”</a> for diagnostic procedures that can be followed to

1722

isolate the cause of the problem. Proceed to the next step only when the previous steps

1723

have been successfully completed.

1724

</p></li><li><p>

1725

1726

1727

1728

Our database is now ready for the addition of network users. For each user for

1729

whom an account must be created, execute the following:

1730

</p><pre class="screen">

1731

<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code>

1732

<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code>

1733

Changing password for <code class="constant">username</code>

1734

New password : XXXXXXXX

1735

Retype new password : XXXXXXXX

1736

1737

<code class="prompt">root# </code> smbpasswd <code class="constant">username</code>

1738

New SMB password: XXXXXXXX

1739

Retype new SMB password: XXXXXXXX

1740

</pre><p>

1741

where <code class="constant">username</code> is the login ID for each user.

1742

</p></li><li><p>

1743

1744

Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the

1745

following:

1746

</p><pre class="screen">

1747

<code class="prompt">root# </code> getent passwd

1748

root:x:0:0:root:/root:/bin/bash

1749

bin:x:1:1:bin:/bin:/bin/bash

1750

...

1751

root:x:0:512:Netbios Domain Administrator:/home:/bin/false

1752

nobody:x:999:514:nobody:/dev/null:/bin/false

1753

bobj:x:1000:513:System User:/home/bobj:/bin/bash

1754

stans:x:1001:513:System User:/home/stans:/bin/bash

1755

chrisr:x:1002:513:System User:/home/chrisr:/bin/bash

1756

maryv:x:1003:513:System User:/home/maryv:/bin/bash

1757

</pre><p>

1758

This demonstrates that user account resolution via LDAP is working.

1759

</p></li><li><p>

1760

This step will determine whether or not identity resolution is working correctly.

1761

Do not procede is this step fails, rather find the cause of the failure. The

1762

<code class="literal">id</code> command may be used to validate your configuration so far,

1763

as shown here:

1764

</p><pre class="screen">

1765

<code class="prompt">root# </code> id chrisr

1766

uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)

1767

</pre><p>

1768

This confirms that the UNIX (POSIX) user account information can be resolved from LDAP

1769

by system tools that make a getentpw() system call.

1770

</p></li><li><p>

1771

1772

The root account must have UID=0; if not, this means that operations conducted from

1773

a Windows client using tools such as the Domain User Manager fails under UNIX because

1774

the management of user and group accounts requires that the UID=0. Additionally, it is

1775

a good idea to make certain that no matter how root account credentials are resolved,

1776

the home directory and shell are valid. You decide to effect this immediately

1777

as demonstrated here:

1778

</p><pre class="screen">

1779

<code class="prompt">root# </code> cd /opt/IDEALX/sbin

1780

<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root

1781

</pre><p>

1782

</p></li><li><p>

1783

Verify that the changes just made to the <code class="constant">root</code> account were

1784

accepted by executing:

1785

</p><pre class="screen">

1786

<code class="prompt">root# </code> getent passwd | grep root

1787

root:x:0:0:root:/root:/bin/bash

1788

root:x:0:512:Netbios Domain Administrator:/root:/bin/bash

1789

</pre><p>

1790

This demonstrates that the changes were accepted.

1791

</p></li><li><p>

1792

Make certain that a home directory has been created for every user by listing the

1793

directories in <code class="filename">/home</code> as follows:

1794

</p><pre class="screen">

1795

<code class="prompt">root# </code> ls -al /home

1796

drwxr-xr-x 8 root root 176 Dec 17 18:50 ./

1797

drwxr-xr-x 21 root root 560 Dec 15 22:19 ../

1798

drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/

1799

drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/

1800

drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/

1801

drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/

1802

</pre><p>

1803

This is precisely what we want to see.

1804

</p></li><li><p>

1805

1806

1807

The final validation step involves making certain that Samba-3 can obtain the user

1808

accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:

1809

</p><pre class="screen">

1810

<code class="prompt">root# </code> pdbedit -Lv chrisr

1811

Unix username: chrisr

1812

NT username: chrisr

1813

Account Flags: [U ]

1814

User SID: S-1-5-21-3504140859-1010554828-2431957765-3004

1815

Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513

1816

Full Name: System User

1817

Home Directory: \\MASSIVE\homes

1818

HomeDir Drive: H:

1819

Logon Script: scripts\login.cmd

1820

Profile Path: \\MASSIVE\profiles\chrisr

1821

Domain: MEGANET2

1822

Account desc: System User

1823

Workstations:

1824

Munged dial:

1825

Logon time: 0

1826

Logoff time: Mon, 18 Jan 2038 20:14:07 GMT

1827

Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT

1828

Password last set: Wed, 17 Dec 2003 17:17:40 GMT

1829

Password can change: Wed, 17 Dec 2003 17:17:40 GMT

1830

Password must change: Mon, 18 Jan 2038 20:14:07 GMT

1831

Last bad password : 0

1832

Bad password count : 0

1833

Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

1834

</pre><p>

1835

This looks good. Of course, you fully expected that it would all work, didn't you?

1836

</p></li><li><p>

1837

1838

Now you add the group accounts that are used on the Abmas network. Execute

1839

the following exactly as shown:

1840

</p><pre class="screen">

1841

<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts

1842

<code class="prompt">root# </code> ./smbldap-groupadd -a Finances

1843

<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps

1844

</pre><p>

1845

The addition of groups does not involve keyboard interaction, so the lack of console

1846

output is of no concern.

1847

</p></li><li><p>

1848

1849

You really do want to confirm that UNIX group resolution from LDAP is functioning

1850

as it should. Let's do this as shown here:

1851

</p><pre class="screen">

1852

<code class="prompt">root# </code> getent group

1853

...

1854

Domain Admins:x:512:root

1855

Domain Users:x:513:bobj,stans,chrisr,maryv

1856

Domain Guests:x:514:

1857

...

1858

Accounts:x:1000:

1859

Finances:x:1001:

1860

PIOps:x:1002:

1861

</pre><p>

1862

The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well

1863

as our own site-specific group accounts, are correctly listed. This is looking good.

1864

</p></li><li><p>

1865

1866

The final step we need to validate is that Samba can see all the Windows domain groups

1867

and that they are correctly mapped to the respective UNIX group account. To do this,

1868

just execute the following command:

1869

</p><pre class="screen">

1870

<code class="prompt">root# </code> net groupmap list

1871

Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins

1872

Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users

1873

Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests

1874

...

1875

Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts

1876

Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances

1877

PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps

1878

</pre><p>

1879

This is looking good. Congratulations it works! Note that in the above output

1880

the lines were shortened by replacing the middle value (1010554828) of the SID with the

1881

ellipsis (...).

1882

</p></li><li><p>

1883

The server you have so carefully built is now ready for another important step. You

1884

start the Samba-3 server and validate its operation. Execute the following to render all

1885

the processes needed fully operative so that, on system reboot, they are automatically

1886

started:

1887

</p><pre class="screen">

1888

<code class="prompt">root# </code> chkconfig named on

1889

<code class="prompt">root# </code> chkconfig dhcpd on

1890

<code class="prompt">root# </code> chkconfig ldap on

1891

<code class="prompt">root# </code> chkconfig nmb on

1892

<code class="prompt">root# </code> chkconfig smb on

1893

<code class="prompt">root# </code> chkconfig winbind on

1894

<code class="prompt">root# </code> rcnmb start

1895

<code class="prompt">root# </code> rcsmb start

1896

<code class="prompt">root# </code> rcwinbind start

1897

</pre><p>

1898

</p></li><li><p>

1899

The next step might seem a little odd at this point, but take note that you are about to

1900

start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the

1901

localhost interface with the <code class="literal">smbd</code> process. This account can be

1902

easily created by joining the PDC to the domain by executing the following command:

1903

</p><pre class="screen">

1904

<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get

1905

</pre><p>

1906

Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and

1907

<code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command

1908

can communicate with <code class="literal">smbd</code>. The expected output is as follows:

1909

</p><pre class="screen">

1910

Joined domain MEGANET2.

1911

</pre><p>

1912

This indicates that the domain security account for the PDC has been correctly created.

1913

</p></li><li><p>

1914

At this time it is necessary to restart <code class="literal">winbindd</code> so that it can

1915

correctly authenticate to the PDC. The following command achieves that:

1916

</p><pre class="screen">

1917

<code class="prompt">root# </code> rcwinbind restart

1918

</pre><p>

1919

</p></li><li><p>

1920

1921

You may now check Samba-3 operation as follows:

1922

</p><pre class="screen">

1923

<code class="prompt">root# </code> smbclient -L massive -U%

1924

1925

Sharename Type Comment

1926

--------- ---- -------

1927

IPC$ IPC IPC Service (Samba 3.0.20)

1928

accounts Disk Accounting Files

1929

service Disk Financial Services Files

1930

pidata Disk Property Insurance Files

1931

apps Disk Application Files

1932

netlogon Disk Network Logon Service

1933

profiles Disk Profile Share

1934

profdata Disk Profile Data Share

1935

ADMIN$ IPC IPC Service (Samba 3.0.20)

1936

1937

Server Comment

1938

--------- -------

1939

MASSIVE Samba 3.0.20

1940

1941

Workgroup Master

1942

--------- -------

1943

MEGANET2 MASSIVE

1944

</pre><p>

1945

This shows that an anonymous connection is working.

1946

</p></li><li><p>

1947

For your finale, let's try an authenticated connection:

1948

</p><pre class="screen">

1949

<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8

1950

smb: \> dir

1951

. D 0 Wed Dec 17 01:16:19 2003

1952

.. D 0 Wed Dec 17 19:04:42 2003

1953

bin D 0 Tue Sep 2 04:00:57 2003

1954

Documents D 0 Sun Nov 30 07:28:20 2003

1955

public_html D 0 Sun Nov 30 07:28:20 2003

1956

.urlview H 311 Fri Jul 7 06:55:35 2000

1957

.dvipsrc H 208 Fri Nov 17 11:22:02 1995

1958

1959

57681 blocks of size 524288. 57128 blocks available

1960

smb: \> q

1961

</pre><p>

1962

Well done. All is working fine.

1963

</p></li></ol></div><p>

1964

The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.

1965

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>

1966

1967

The configuration for Samba-3 to enable CUPS raw-print-through printing has already been

1968

taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>

1969

printing to be possible involves creation of the directories in which Samba-3 stores

1970

Windows printing driver files.

1971

</p><div class="procedure"><a name="id2578423"></a><p class="title"><b>Procedure�5.9.�Printer Configuration Steps</b></p><ol type="1"><li><p>

1972

Configure all network-attached printers to have a fixed IP address.

1973

</p></li><li><p>

1974

Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>

1975

in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>

1976

and in the reverse lookup database for the network segment that the printer is to

1977

be located in. Example configuration files for similar zones were presented in <a class="link" href="secure.html" title="Chapter�3.�Secure Office Networking">“Secure Office Networking”</a>,

1978

<a class="link" href="secure.html#abmasbiz" title="Example�3.14.�DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a> and in <a class="link" href="secure.html#eth2zone" title="Example�3.13.�DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a>.

1979

</p></li><li><p>

1980

Follow the instructions in the printer manufacturers' manuals to permit printing

1981

to port 9100. Use any other port the manufacturer specifies for direct mode,

1982

raw printing. This allows the CUPS spooler to print using raw mode protocols.

1983

1984

1985

</p></li><li><p>

1986

1987

1988

Only on the server to which the printer is attached, configure the CUPS Print

1989

Queues as follows:

1990

</p><pre class="screen">

1991

<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>

1992

-v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E

1993

</pre><p>

1994

1995

This step creates the necessary print queue to use no assigned print filter. This

1996

is ideal for raw printing, that is, printing without use of filters.

1997

The name <em class="parameter"><code>printque</code></em> is the name you have assigned for

1998

the particular printer.

1999

</p></li><li><p>

2000

Print queues may not be enabled at creation. Make certain that the queues

2001

you have just created are enabled by executing the following:

2002

</p><pre class="screen">

2003

<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>

2004

</pre><p>

2005

</p></li><li><p>

2006

Even though your print queue may be enabled, it is still possible that it

2007

may not accept print jobs. A print queue will service incoming printing

2008

requests only when configured to do so. Ensure that your print queue is

2009

set to accept incoming jobs by executing the following commands:

2010

</p><pre class="screen">

2011

<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>

2012

</pre><p>

2013

</p></li><li><p>

2014

2015

2016

2017

Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:

2018

</p><pre class="screen">

2019

application/octet-stream application/vnd.cups-raw 0 -

2020

</pre><p>

2021

</p></li><li><p>

2022

2023

Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:

2024

</p><pre class="screen">

2025

application/octet-stream

2026

</pre><p>

2027

</p></li><li><p>

2028

Refer to the CUPS printing manual for instructions regarding how to configure

2029

CUPS so that print queues that reside on CUPS servers on remote networks

2030

route print jobs to the print server that owns that queue. The default setting

2031

on your CUPS server may automatically discover remotely installed printers and

2032

may permit this functionality without requiring specific configuration.

2033

</p></li><li><p>

2034

The following action creates the necessary directory subsystem. Follow these

2035

steps to printing heaven:

2036

</p><pre class="screen">

2037

<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}

2038

<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers

2039

<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers

2040

</pre><p>

2041

</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2578754"></a><p class="title"><b>Procedure�5.10.�Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p>

2042

Install the files in <a class="link" href="happy.html#sbehap-bldg1-smbconf" title="Example�5.8.�LDAP Based smb.conf File, Server: BLDG1">“LDAP Based smb.conf File, Server: BLDG1”</a>,

2043

<a class="link" href="happy.html#sbehap-shareconfa" title="Example�5.10.�LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example�5.11.�LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>

2044

into the <code class="filename">/etc/samba/</code> directory. The three files

2045

should be added together to form the <code class="filename">smb.conf</code> file.

2046

</p></li><li><p>

2047

Verify the <code class="filename">smb.conf</code> file as in step 2 of <a class="link" href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">“Samba-3 PDC Configuration”</a>.

2048

</p></li><li><p>

2049

Carefully follow the steps outlined in <a class="link" href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">“PAM and NSS Client Configuration”</a>, taking

2050

particular note to install the correct <code class="filename">ldap.conf</code>.

2051

</p></li><li><p>

2052

Verify that the NSS resolver is working. You may need to cycle the run level

2053

to 1 and back to 5 before the NSS LDAP resolver functions. Follow these

2054

commands:

2055

</p><pre class="screen">

2056

<code class="prompt">root# </code> init 1

2057

</pre><p>

2058

After the run level has been achieved, you are prompted to provide the

2059

<code class="constant">root</code> password. Log on, and then execute:

2060

</p><pre class="screen">

2061

<code class="prompt">root# </code> init 5

2062

</pre><p>

2063

When the normal logon prompt appears, log into the system as <code class="constant">root</code>

2064

and then execute these commands:

2065

</p><pre class="screen">

2066

<code class="prompt">root# </code> getent passwd

2067

root:x:0:0:root:/root:/bin/bash

2068

bin:x:1:1:bin:/bin:/bin/bash

2069

daemon:x:2:2:Daemon:/sbin:/bin/bash

2070

lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash

2071

mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false

2072

...

2073

root:x:0:512:Netbios Domain Administrator:/root:/bin/bash

2074

nobody:x:999:514:nobody:/dev/null:/bin/false

2075

bobj:x:1000:513:System User:/home/bobj:/bin/bash

2076

stans:x:1001:513:System User:/home/stans:/bin/bash

2077

chrisr:x:1002:513:System User:/home/chrisr:/bin/bash

2078

maryv:x:1003:513:System User:/home/maryv:/bin/bash

2079

vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false

2080

bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false

2081

</pre><p>

2082

This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.

2083

</p></li><li><p>

2084

2085

The next step in the verification process involves testing the operation of UNIX group

2086

resolution via the NSS LDAP resolver. Execute these commands:

2087

</p><pre class="screen">

2088

<code class="prompt">root# </code> getent group

2089

root:x:0:

2090

bin:x:1:daemon

2091

daemon:x:2:

2092

sys:x:3:

2093

...

2094

Domain Admins:x:512:root

2095

Domain Users:x:513:bobj,stans,chrisr,maryv,jht

2096

Domain Guests:x:514:

2097

Administrators:x:544:

2098

Users:x:545:

2099

Guests:x:546:nobody

2100

Power Users:x:547:

2101

Account Operators:x:548:

2102

Server Operators:x:549:

2103

Print Operators:x:550:

2104

Backup Operators:x:551:

2105

Replicator:x:552:

2106

Domain Computers:x:553:

2107

Accounts:x:1000:

2108

Finances:x:1001:

2109

PIOps:x:1002:

2110

</pre><p>

2111

This is also the correct and desired output, because it demonstrates that the LDAP client

2112

is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>).

2113

</p></li><li><p>

2114

2115

You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code>

2116

file by executing this command:

2117

</p><pre class="screen">

2118

<code class="prompt">root# </code> smbpasswd -w not24get

2119

Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb

2120

</pre><p>

2121

</p></li><li><p>

2122

Now you must obtain the domain SID from the PDC and store it into the

2123

<code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP

2124

passdb backend because Samba-3 obtains the domain SID from the

2125

sambaDomain object it automatically stores in the LDAP backend. It does not hurt to

2126

add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this

2127

command can achieve that:

2128

</p><pre class="screen">

2129

<code class="prompt">root# </code> net rpc getsid MEGANET2

2130

Storing SID S-1-5-21-3504140859-1010554828-2431957765 \

2131

for Domain MEGANET2 in secrets.tdb

2132

</pre><p>

2133

When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take

2134

any special action to join it to the domain. However, winbind communicates with the

2135

domain controller that is running on the localhost and must be able to authenticate,

2136

thus requiring that the BDC should be joined to the domain. The process of joining

2137

the domain creates the necessary authentication accounts.

2138

</p></li><li><p>

2139

To join the Samba BDC to the domain, execute the following:

2140

</p><pre class="screen">

2141

<code class="prompt">root# </code> net rpc join -U root%not24get

2142

Joined domain MEGANET2.

2143

</pre><p>

2144

This indicates that the domain security account for the BDC has been correctly created.

2145

</p></li><li><p>

2146

2147

Verify that user and group account resolution works via Samba-3 tools as follows:

2148

</p><pre class="screen">

2149

<code class="prompt">root# </code> pdbedit -L

2150

root:0:root

2151

nobody:65534:nobody

2152

bobj:1000:System User

2153

stans:1001:System User

2154

chrisr:1002:System User

2155

maryv:1003:System User

2156

bldg1$:1006:bldg1$

2157

2158

<code class="prompt">root# </code> net groupmap list

2159

Domain Admins (S-1-5-21-3504140859-...-2431957765-512) ->

2160

Domain Admins

2161

Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users

2162

Domain Guests (S-1-5-21-3504140859-...-2431957765-514) ->

2163

Domain Guests

2164

Administrators (S-1-5-21-3504140859-...-2431957765-544) ->

2165

Administrators

2166

...

2167

Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts

2168

Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances

2169

PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps

2170

</pre><p>

2171

These results show that all things are in order.

2172

</p></li><li><p>

2173

The server you have so carefully built is now ready for another important step. Now

2174

start the Samba-3 server and validate its operation. Execute the following to render all

2175

the processes needed fully operative so that, upon system reboot, they are automatically

2176

started:

2177

</p><pre class="screen">

2178

<code class="prompt">root# </code> chkconfig named on

2179

<code class="prompt">root# </code> chkconfig dhcpd on

2180

<code class="prompt">root# </code> chkconfig nmb on

2181

<code class="prompt">root# </code> chkconfig smb on

2182

<code class="prompt">root# </code> chkconfig winbind on

2183

<code class="prompt">root# </code> rcnmb start

2184

<code class="prompt">root# </code> rcsmb start

2185

<code class="prompt">root# </code> rcwinbind start

2186

</pre><p>

2187

Samba-3 should now be running and is ready for a quick test. But not quite yet!

2188

</p></li><li><p>

2189

Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users.

2190

To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code>

2191

file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported

2192

from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate

2193

approach could be to create local home directories for users who are to use these machines.

2194

This is a choice that you, as system administrator, must make. The following entry in the

2195

<code class="filename">/etc/fstab</code> file suffices for now:

2196

</p><pre class="screen">

2197

massive.abmas.biz:/home /home nfs rw 0 0

2198

</pre><p>

2199

To mount this resource, execute:

2200

</p><pre class="screen">

2201

<code class="prompt">root# </code> mount -a

2202

</pre><p>

2203

Verify that the home directory has been mounted as follows:

2204

</p><pre class="screen">

2205

<code class="prompt">root# </code> df | grep home

2206

massive:/home 29532988 283388 29249600 1% /home

2207

</pre><p>

2208

</p></li><li><p>

2209

Implement a quick check using one of the users that is in the LDAP database. Here you go:

2210

</p><pre class="screen">

2211

<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8

2212

smb: \> dir

2213

. D 0 Wed Dec 17 01:16:19 2003

2214

.. D 0 Wed Dec 17 19:04:42 2003

2215

bin D 0 Tue Sep 2 04:00:57 2003

2216

Documents D 0 Sun Nov 30 07:28:20 2003

2217

public_html D 0 Sun Nov 30 07:28:20 2003

2218

.urlview H 311 Fri Jul 7 06:55:35 2000

2219

.dvipsrc H 208 Fri Nov 17 11:22:02 1995

2220

2221

57681 blocks of size 524288. 57128 blocks available

2222

smb: \> q

2223

</pre><p>

2224

</p></li></ol></div><p>

2225

Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build

2226

and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:

2227

</p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure�5.11.�Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p>

2228

Install the files in <a class="link" href="happy.html#sbehap-bldg2-smbconf" title="Example�5.9.�LDAP Based smb.conf File, Server: BLDG2">“LDAP Based smb.conf File, Server: BLDG2”</a>,

2229

2230

into the <code class="filename">/etc/samba/</code> directory. The three files

2231

should be added together to form the <code class="filename">smb.conf</code> file.

2232

</p></li><li><p>

2233

Follow carefully the steps shown in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>, starting at step 2.

2234

</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example�5.8.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579402"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579413"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579425"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2579437"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579449"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579461"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579473"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579485"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579496"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579508"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579520"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579531"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579544"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579555"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579568"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579580"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579591"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2579603"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579615"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579626"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2579638"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579650"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579662"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579674"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2579686"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2579698"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579710"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579722"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579734"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579746"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2579758"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example�5.9.�LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579804"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579816"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579828"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2579840"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579852"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579864"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579876"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579887"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579899"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579911"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579922"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579934"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579946"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579958"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579970"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579982"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579994"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2580006"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580017"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580029"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2580041"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580053"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580065"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580077"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2580089"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2580101"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580113"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580125"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580137"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580148"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2580160"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example�5.10.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2580206"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580218"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2580230"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2580250"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580262"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2580274"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580294"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580306"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2580318"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2580338"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2580350"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2580362"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580373"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2580394"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2580405"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2580417"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580429"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580440"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example�5.11.�LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2580486"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580498"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2580509"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2580521"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2580542"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2580553"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2580565"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580577"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2580597"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580609"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2580621"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580633"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580653"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580665"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2580677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580689"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2580709"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580721"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580733"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580744"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2580756"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580768"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example�5.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">

2235

dn: ou=Idmap,dc=abmas,dc=biz

2236

objectClass: organizationalUnit

2237

ou: idmap

2238

structuralObjectClass: organizationalUnit

2239

</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580803"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>

2240

My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>”

2241

The makings of a great network environment take a lot of effort and attention to detail.

2242

So far, you have completed most of the complex (and to many administrators, the interesting

2243

part of server configuration) steps, but remember to tie it all together. Here are

2244

a few more steps that must be completed so that your network runs like a well-rehearsed

2245

orchestra.

2246

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580823"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>

2247

In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>

2248

parameter. Even though it is obvious to all, one of the common Samba networking problems is

2249

caused by forgetting to verify that every such share root directory actually exists and that it

2250

has the necessary permissions and ownership.

2251

</p><p>

2252

Here is an example, but remember to create the directory needed for every share:

2253

</p><pre class="screen">

2254

<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops}

2255

<code class="prompt">root# </code> mkdir -p /apps

2256

<code class="prompt">root# </code> chown -R root:root /data

2257

<code class="prompt">root# </code> chown -R root:root /apps

2258

<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts

2259

<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs

2260

<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops

2261

<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data

2262

<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps

2263

</pre><p>

2264

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580918"></a>Configuring Profile Directories</h3></div></div></div><p>

2265

You made a conscious decision to do everything it would take to improve network client

2266

performance. One of your decisions was to implement folder redirection. This means that Windows

2267

user desktop profiles are now made up of two components: a dynamically loaded part and a set of file

2268

network folders.

2269

</p><p>

2270

For this arrangement to work, every user needs a directory structure for the network folder

2271

portion of his or her profile as shown here:

2272

</p><pre class="screen">

2273

<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata

2274

<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata

2275

<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata

2276

2277

# Per user structure

2278

<code class="prompt">root# </code> cd /var/lib/samba/profdata

2279

<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span>

2280

<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \

2281

LocalSettings MyPictures MyDocuments Recent

2282

<code class="prompt">root# </code> do

2283

<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i

2284

<code class="prompt">root# </code> done

2285

<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span>

2286

<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span>

2287

</pre><p>

2288

</p><p>

2289

2290

2291

You have three options insofar as the dynamically loaded portion of the roaming profile

2292

is concerned:

2293

</p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>

2294

Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory

2295

profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>,

2296

that is, just by changing the filename extension.

2297

</p><p>

2298

2299

2300

The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.

2301

You can manage this using the Idealx smbldap-tools or using the

2302

<a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>.

2303

</p><p>

2304

It may not be obvious that you must ensure that the root directory for the user's profile exists

2305

and has the needed permissions. Use the following commands to create this directory:

2306

</p><pre class="screen">

2307

<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>

2308

<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users

2309

/var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>

2310

<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>

2311

</pre><p>

2312

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581163"></a>Preparation of Logon Scripts</h3></div></div></div><p>

2313

2314

The use of a logon script with Windows XP Professional is an option that every site should consider.

2315

Unless you have locked down the desktop so the user cannot change anything, there is risk that

2316

a vital network drive setting may be broken or that printer connections may be lost. Logon scripts

2317

can help to restore persistent network folder (drive) and printer connections in a predictable

2318

manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)

2319

user attaches to another company's network that forces environment changes that are alien to your

2320

network.

2321

</p><p>

2322

If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain

2323

controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code>

2324

share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon

2325

script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows

2326

NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code>

2327

from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully

2328

qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>.

2329

</p><p>

2330

You can, of course, create the fully qualified path by executing:

2331

</p><pre class="screen">

2332

<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts

2333

</pre><p>

2334

</p><p>

2335

You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24,

2336

Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon

2337

facilities in use today is called <a class="ulink" href="http://www.kixtart.org" target="_top">KiXtart</a>.

2338

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581274"></a>Assigning User Rights and Privileges</h3></div></div></div><p>

2339

The ability to perform tasks such as joining Windows clients to the domain can be assigned to

2340

normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX

2341

systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant

2342

this privilege in a very limited fashion to particular accounts.

2343

</p><p>

2344

By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code>

2345

group. Here we grant this group all privileges.

2346

</p><p>

2347

Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who

2348

are granted rights can be restricted to particular machines. It is left to the network administrator

2349

to determine which rights should be provided and to whom.

2350

</p><div class="procedure"><a name="id2581309"></a><p class="title"><b>Procedure�5.12.�Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p>

2351

Log onto the PDC as the <code class="constant">root</code> account.

2352

</p></li><li><p>

2353

Execute the following command to grant the <code class="constant">Domain Admins</code> group all

2354

rights and privileges:

2355

</p><pre class="screen">

2356

<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \

2357

"MEGANET2\Domain Admins" SeMachineAccountPrivilege \

2358

SePrintOperatorPrivilege SeAddUsersPrivilege \

2359

SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

2360

Successfully granted rights.

2361

</pre><p>

2362

Repeat this step on each domain controller, in each case substituting the name of the server

2363

(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.

2364

</p></li><li><p>

2365

In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations

2366

to the domain. Execute the following only on the PDC. It is not necessary to do this on

2367

BDCs or on DMS machines because machine accounts are only ever added by the PDC:

2368

</p><pre class="screen">

2369

<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \

2370

"MEGANET2\bobj" SeMachineAccountPrivilege

2371

Successfully granted rights.

2372

</pre><p>

2373

</p></li><li><p>

2374

Verify that privilege assignments have been correctly applied by executing:

2375

</p><pre class="screen">

2376

net rpc rights list accounts -Uroot%not24get

2377

MEGANET2\bobj

2378

SeMachineAccountPrivilege

2379

2380

S-0-0

2381

No privileges assigned

2382

2383

BUILTIN\Print Operators

2384

No privileges assigned

2385

2386

BUILTIN\Account Operators

2387

No privileges assigned

2388

2389

BUILTIN\Backup Operators

2390

No privileges assigned

2391

2392

BUILTIN\Server Operators

2393

No privileges assigned

2394

2395

BUILTIN\Administrators

2396

No privileges assigned

2397

2398

Everyone

2399

No privileges assigned

2400

2401

MEGANET2\Domain Admins

2402

SeMachineAccountPrivilege

2403

SePrintOperatorPrivilege

2404

SeAddUsersPrivilege

2405

SeRemoteShutdownPrivilege

2406

SeDiskOperatorPrivilege

2407

</pre><p>

2408

</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2581407"></a>Windows Client Configuration</h2></div></div></div><p>

2409

2410

In the next few sections, you can configure a new Windows XP Professional disk image on a staging

2411

machine. You will configure all software, printer settings, profile and policy handling, and desktop

2412

default profile settings on this system. When it is complete, you copy the contents of the

2413

<code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same

2414

name in the <code class="constant">NETLOGON</code> share on the domain controllers.

2415

</p><p>

2416

Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.

2417

One knowledge-base article in particular stands out:

2418

"<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a

2419

Base Profile for All Users."</a>

2420

2421

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>

2422

2423

Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.

2424

It is necessary to expose folders that are generally hidden to provide access to the

2425

<code class="constant">Default User</code> folder.

2426

</p><div class="procedure"><a name="id2581484"></a><p class="title"><b>Procedure�5.13.�Expose Hidden Folders</b></p><ol type="1"><li><p>

2427

Launch the Windows Explorer by clicking

2428

<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.

2429

Select <span class="guilabel">Show hidden files and folders</span>,

2430

and click <span class="guibutton">OK</span>. Exit Windows Explorer.

2431

</p></li><li><p>

2432

2433

Launch the Registry Editor. Click

2434

<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click

2435

<span class="guibutton">OK</span>.

2436

</p></li></ol></div><p>

2437

</p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure�5.14.�Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>

2438

2439

2440

Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.

2441

Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name

2442

<code class="constant">Default</code> and click <span class="guibutton">OK</span>.

2443

</p></li><li><p>

2444

Browse inside the newly loaded Default folder to:

2445

</p><pre class="screen">

2446

HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\

2447

CurrentVersion\Explorer\User Shell Folders\

2448

</pre><p>

2449

The right panel reveals the contents as shown in <a class="link" href="happy.html#XP-screen001" title="Figure�5.3.�Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>.

2450

</p></li><li><p>

2451

2452

2453

You edit hive keys. Acceptable values to replace the

2454

<code class="constant">%USERPROFILE%</code> variable includes:

2455

2456

</p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as

2457

<code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>

2458

</p></li><li><p>

2459

2460

Set the registry keys as shown in <a class="link" href="happy.html#proffold" title="Table�5.4.�Default Profile Redirections">“Default Profile Redirections”</a>. Your implementation makes the assumption

2461

that users have statically located machines. Notebook computers (mobile users) need to be

2462

accommodated using local profiles. This is not an uncommon assumption.

2463

</p></li><li><p>

2464

Click back to the root of the loaded hive <code class="constant">Default</code>.

2465

Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>.

2466

</p></li><li><p>

2467

2468

Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the

2469

Registry Editor.

2470

</p></li><li><p>

2471

Now follow the procedure given in <a class="link" href="happy.html#sbehap-locgrppol" title="The Local Group Policy">“The Local Group Policy”</a>. Make sure that each folder you

2472

have redirected is in the exclusion list.

2473

</p></li><li><p>

2474

You are now ready to copy<sup>[<a name="id2581860" href="#ftn.id2581860" class="footnote">11</a>]</sup>

2475

the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,

2476

and use it to copy the full contents of the directory <code class="filename">Default User</code> that

2477

is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the

2478

<code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined

2479

UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must

2480

be a directory in there called <code class="filename">Default User</code>.

2481

</p></li></ol></div><p>

2482

Before punching out new desktop images for the client workstations, it is perhaps a good idea that

2483

desktop behavior should be returned to the original Microsoft settings. The following steps achieve

2484

that ojective:

2485

</p><div class="procedure"><a name="id2581927"></a><p class="title"><b>Procedure�5.15.�Reset Folder Display to Original Behavior</b></p><ul><li><p>

2486

To launch the Windows Explorer, click

2487

2488

Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>.

2489

Exit Windows Explorer.

2490

</p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure�5.3.�Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table�5.4.�Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582162"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>

2491

2492

2493

Microsoft Outlook can store a Personal Storage file, generally known as a PST file.

2494

It is the nature of email storage that this file grows, at times quite rapidly.

2495

So that users' email is available to them at every workstation they may log onto,

2496

it is common practice in well-controlled sites to redirect the PST folder to the

2497

users' home directory. Follow these steps for each user who wishes to do this.

2498

</p><p>

2499

To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave

2500

slightly differently), follow these steps:

2501

</p><div class="procedure"><a name="id2582202"></a><p class="title"><b>Procedure�5.16.�Outlook PST File Relocation</b></p><ol type="1"><li><p>

2502

Close Outlook if it is open.

2503

</p></li><li><p>

2504

From the <span class="guimenu">Control Panel</span>, launch the Mail icon.

2505

</p></li><li><p>

2506

Click <span class="guimenu">Email Accounts.</span>

2507

</p></li><li><p>

2508

Make a note of the location of the PST file(s). From this location, move

2509

the files to the desired new target location. The most desired new target location

2510

may well be the users' home directory.

2511

</p></li><li><p>

2512

Add a new data file, selecting the PST file in the new desired target location.

2513

Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>”

2514

</p><p>

2515

Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems

2516

following these instructions. Feedback from users suggests that where IMAP is used the PST

2517

file is used to store rules and filters. When the PST store is relocated it appears to break

2518

MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is

2519

used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that

2520

this warning can be removed or modified.

2521

</p></li><li><p>

2522

Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>.

2523

</p></li><li><p>

2524

Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span>

2525

</p></li><li><p>

2526

Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new

2527

target location.

2528

</p></li><li><p>

2529

Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.

2530

</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

2531

2532

You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise

2533

the user may be not be able to retrieve contacts when addressing a new email message.

2534

</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

2535

2536

Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook

2537

Express storage files can not be redirected to network shares. The options panel will not permit

2538

this, but they can be moved to folders outside of the user's profile. They can also be excluded

2539

from folder synchronization as part of the roaming profile.

2540

</p><p>

2541

While it is possible to redirect the data stores for Outlook Express data stores by editing the

2542

registry, experience has shown that data corruption and loss of email messages will result.

2543

</p><p>

2544

2545

2546

In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with

2547

roaming profiles this can result in excruciatingly long login and logout behavior will files are

2548

synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming

2549

profiles are used.

2550

</p></div><p>

2551

2552

Microsoft does not support storing PST files on network shares, although the practice does appear

2553

to be rather popular. Anyone who does relocation the PST file to a network resource should refer

2554

the Microsoft <a class="ulink" href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better

2555

understand the issues.

2556

</p><p>

2557

2558

Apart from manually moving PST files to a network share, it is possible to set the default PST

2559

location for new accounts by following the instructions at the WindowsITPro <a class="ulink" href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.

2560

</p><p>

2561

2562

User feedback suggests that disabling of oplocks on PST files will significantly improve

2563

network performance by reducing locking overheads. One way this can be done is to add to the

2564

<code class="filename">smb.conf</code> file stanza for the share the PST file the following:

2565

</p><pre class="screen">

2566

veto oplock files = /*.pdf/*.PST/

2567

</pre><p>

2568

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582477"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>

2569

Configure the Windows XP Professional client to auto-delete roaming profiles on logout:

2570

</p><p>

2571

2572

Click

2573

<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>.

2574

</p><p>

2575

Follow these steps to set the default behavior of the staging machine so that all roaming

2576

profiles are deleted as network users log out of the system. Click

2577

<span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>.

2578

</p><p>

2579

2580

The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>

2581

utility that enables you to set the policies needed. In the left panel, click

2582

<span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each

2583

item as shown:

2584

</p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>

2585

Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies

2586

made of this system to deploy the new standard desktop system.

2587

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582657"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>

2588

2589

Users want to be able to use network printers. You have a vested interest in making

2590

it easy for them to print. You have chosen to install the printer drivers onto the Samba

2591

servers and to enable point-and-click (drag-and-drop) printing. This process results in

2592

Samba being able to automatically provide the Windows client with the driver necessary to

2593

print to the printer chosen. The following procedure must be followed for every network

2594

printer:

2595

</p><div class="procedure"><a name="id2582684"></a><p class="title"><b>Procedure�5.17.�Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p>

2596

Join your Windows XP Professional workstation (the staging machine) to the

2597

<code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,

2598

follow the guidance given in <a class="link" href="appendix.html" title="Chapter�15.�A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>.

2599

</p></li><li><p>

2600

After the machine has rebooted, log onto the workstation as the domain

2601

<code class="constant">root</code> (this is the Administrator account for the

2602

operating system that is the host platform for this implementation of Samba.

2603

</p></li><li><p>

2604

Launch MS Windows Explorer. Navigate in the left panel. Click

2605

<span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>

2606

<span class="guimenu">Printers and Faxes</span>.

2607

</p></li><li><p>

2608

Identify a printer that is shown in the right panel. Let us assume the printer is called

2609

<code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon

2610

and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates

2611

that “<span class="quote">The printer driver is not installed on this computer. Some printer properties

2612

will not be accessible unless you install the printer driver. Do you want to install the

2613

driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>.

2614

</p></li><li><p>

2615

The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server

2616

<code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.

2617

Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>

2618

button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”.

2619

</p></li><li><p>

2620

2621

2622

The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel

2623

is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the

2624

printer manufacturer. In your case, you are adding a driver for a printer manufactured by

2625

Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click

2626

<span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A

2627

progress bar appears and instructs you as each file is being uploaded and that it is being

2628

directed at the network server <code class="constant">\\massive\ps01-color</code>.

2629

</p></li><li><p>

2630

2631

2632

2633

2634

2635

2636

The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,

2637

you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.

2638

You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under

2639

the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to

2640

load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the

2641

directory</span>”. When this box is checked, the printer will be published in Active Directory

2642

(Applicable to Active Directory use only.)

2643

</p></li><li><p>

2644

2645

Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.

2646

You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.

2647

Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit

2648

your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if

2649

you need to reverse the changes back to their original settings.

2650

</p></li><li><p>

2651

This is necessary so that the printer settings are initialized in the Samba printers

2652

database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed

2653

just to initialize the Samba printers database entry for this printer. If you need to revert a setting,

2654

click <span class="guimenu">Apply</span> again.

2655

</p></li><li><p>

2656

2657

Verify that all printer settings are at the desired configuration. When you are satisfied that they are,

2658

click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.

2659

A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>

2660

in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on

2661

massive Properties</span> panel.

2662

</p></li><li><p>

2663

You must repeat this process for all network printers (i.e., for every printer on each server).

2664

When you have finished uploading drivers to all printers, close all applications. The next task

2665

is to install software your users require to do their work.

2666

</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583160"></a>Software Installation</h3></div></div></div><p>

2667

Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is

2668

a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.

2669

Notebooks require special handling that is beyond the scope of this chapter.

2670

</p><p>

2671

For desktop systems, the installation of software onto administratively centralized application servers

2672

make a lot of sense. This means that you can manage software maintenance from a central

2673

perspective and that only minimal application stubware needs to be installed onto the desktop

2674

systems. You should proceed with software installation and default configuration as far as is humanly

2675

possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect

2676

of software operations and configuration.

2677

</p><p>

2678

When you believe that the overall configuration is complete, be sure to create a shared group profile

2679

and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in

2680

case a user may have specific needs you had not anticipated.

2681

</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583195"></a>Roll-out Image Creation</h3></div></div></div><p>

2682

The final steps before preparing the distribution Norton Ghost image file you might follow are:

2683

</p><div class="blockquote"><blockquote class="blockquote"><p>

2684

Unjoin the domain Each workstation requires a unique name and must be independently

2685

joined into domain membership.

2686

</p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p>

2687

Defragment the hard disk While not obvious to the uninitiated, defragmentation results

2688

in better performance and often significantly reduces the size of the compressed disk image. That

2689

also means it will take less time to deploy the image onto 500 workstations.

2690

</p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583229"></a>Key Points Learned</h2></div></div></div><p>

2691

This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately

2692

avoided any consideration of security. Security does not just happen; you must design it into your total

2693

network. Security begins with a systems design and implementation that anticipates hostile behavior from

2694

users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;

2695

they accept them as challenges. For that reason, if not simply from a desire to establish safe networking

2696

practices, you must not deploy the design presented in this book in an environment where there is risk

2697

of compromise.

2698

</p><p>

2699

2700

2701

As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be

2702

configured to use secure protocols for all communications over the network. Of course, secure networking

2703

does not result just from systems design and implementation but involves constant user education

2704

training and, above all, disciplined attention to detail and constant searching for signs of unfriendly

2705

or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.

2706

Jerry Carter's book <a class="ulink" href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top">

2707

<span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP

2708

as well as security considerations.

2709

</p><p>

2710

The substance of this chapter that has been deserving of particular attention includes:

2711

</p><div class="itemizedlist"><ul type="disc"><li><p>

2712

Implementation of an OpenLDAP-based passwd backend, necessary to support distributed

2713

domain control.

2714

</p></li><li><p>

2715

Implementation of Samba primary and secondary domain controllers with a common LDAP backend

2716

for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and

2717

pam_ldap tool-sets.

2718

</p></li><li><p>

2719

Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as

2720

to manage Samba Windows user and group accounts.

2721

</p></li><li><p>

2722

The basics of implementation of Group Policy controls for Windows network clients.

2723

</p></li><li><p>

2724

Control over roaming profiles, with particular focus on folder redirection to network drives.

2725

</p></li><li><p>

2726

Use of the CUPS printing system together with Samba-based printer driver auto-download.

2727

</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583345"></a>Questions and Answers</h2></div></div></div><p>

2728

Well, here we are at the end of this chapter and we have only ten questions to help you to

2729

remember so much. There are bound to be some sticky issues here.

2730

</p><div class="qandaset"><dl><dt> <a href="happy.html#id2583363">

2731

Why did you not cover secure practices? Isn't it rather irresponsible to instruct

2732

network administrators to implement insecure solutions?

2733

</a></dt><dt> <a href="happy.html#id2583407">

2734

You have focused much on SUSE Linux and little on the market leader, Red Hat. Do

2735

you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant

2736

to the Linux I might be using?

2737

</a></dt><dt> <a href="happy.html#id2583468">

2738

You did not use SWAT to configure Samba. Is there something wrong with it?

2739

</a></dt><dt> <a href="happy.html#id2583508">

2740

You have exposed a well-used password not24get. Is that

2741

not irresponsible?

2742

</a></dt><dt> <a href="happy.html#id2583533">

2743

The Idealx smbldap-tools create many domain group accounts that are not used. Is that

2744

a good thing?

2745

</a></dt><dt> <a href="happy.html#id2583559">

2746

Can I use LDAP just for Samba accounts and not for UNIX system accounts?

2747

</a></dt><dt> <a href="happy.html#id2583584">

2748

Why are the Windows domain RID portions not the same as the UNIX UID?

2749

</a></dt><dt> <a href="happy.html#id2583620">

2750

Printer configuration examples all show printing to the HP port 9100. Does this

2751

mean that I must have HP printers for these solutions to work?

2752

</a></dt><dt> <a href="happy.html#id2583649">

2753

Is folder redirection dangerous? I've heard that you can lose your data that way.

2754

</a></dt><dt> <a href="happy.html#id2583677">

2755

Is it really necessary to set a local Group Policy to exclude the redirected

2756

folders from the roaming profile?

2757

</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2583363"></a><a name="id2583366"></a></td><td align="left" valign="top"><p>

2758

Why did you not cover secure practices? Isn't it rather irresponsible to instruct

2759

network administrators to implement insecure solutions?

2760

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2761

Let's get this right. This is a book about Samba, not about OpenLDAP and secure

2762

communication protocols for subjects other than Samba. Earlier on, you note,

2763

that the dynamic DNS and DHCP solutions also used no protective secure communications

2764

protocols. The reason for this is simple: There are so many ways of implementing

2765

secure protocols that this book would have been even larger and more complex.

2766

</p><p>

2767

The solutions presented here all work (at least they did for me). Network administrators

2768

have the interest and the need to be better trained and instructed in secure networking

2769

practices and ought to implement safe systems. I made the decision, right or wrong,

2770

to keep this material as simple as possible. The intent of this book is to demonstrate

2771

a working solution and not to discuss too many peripheral issues.

2772

</p><p>

2773

This book makes little mention of backup techniques. Does that mean that I am recommending

2774

that you should implement a network without provision for data recovery and for disaster

2775

management? Back to our focus: The deployment of Samba has been clearly demonstrated.

2776

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583407"></a><a name="id2583409"></a></td><td align="left" valign="top"><p>

2777

You have focused much on SUSE Linux and little on the market leader, Red Hat. Do

2778

you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant

2779

to the Linux I might be using?

2780

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2781

Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications

2782

for a standard Linux distribution. The differences are marginal. Surely you know

2783

your Linux platform, and you do have access to administration manuals for it. This

2784

book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on

2785

the Samba part of the book; all the other bits are peripheral (but important) to

2786

creation of a total network solution.

2787

</p><p>

2788

What I find interesting is the attention reviewers give to Linux installation and to

2789

the look and feel of the desktop, but does that make for a great server? In this book,

2790

I have paid particular attention to the details of creating a whole solution framework.

2791

I have not tightened every nut and bolt, but I have touched on all the issues you

2792

need to be familiar with. Over the years many people have approached me wanting to

2793

know the details of exactly how to implement a DHCP and dynamic DNS server with Samba

2794

and WINS. In this chapter, it is plain to see what needs to be configured to provide

2795

transparent interoperability. Likewise for CUPS and Samba interoperation. These are

2796

key stumbling areas for many people.

2797

</p><p>

2798

At every critical junction, I have provided comparative guidance for both SUSE and

2799

Red Hat Linux. Both manufacturers have done a great job in furthering the cause

2800

of open source software. I favor neither and respect both. I like particular

2801

features of both products (companies also). No bias in presentation is intended.

2802

Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.

2803

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583468"></a><a name="id2583470"></a></td><td align="left" valign="top"><p>

2804

You did not use SWAT to configure Samba. Is there something wrong with it?

2805

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2806

That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented

2807

in as direct a format as possible. Adding SWAT into the equation would have complicated

2808

matters. I sought simplicity of implementation. The fact is that I did use SWAT to

2809

create the files in the first place.

2810

</p><p>

2811

There are people in the Linux and open source community who feel that SWAT is dangerous

2812

and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I

2813

hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>.

2814

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583508"></a><a name="id2583510"></a></td><td align="left" valign="top"><p>

2815

You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that

2816

not irresponsible?

2817

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2818

Well, I had to use a password of some sort. At least this one has been consistently

2819

used throughout. I guess you can figure out that in a real deployment it would make

2820

sense to use a more secure and original password.

2821

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583533"></a><a name="id2583535"></a></td><td align="left" valign="top"><p>

2822

The Idealx smbldap-tools create many domain group accounts that are not used. Is that

2823

a good thing?

2824

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2825

I took this up with Idealx and found them most willing to change that in the next version.

2826

Let's give Idealx some credit for the contribution they have made. I appreciate their work

2827

and, besides, it does no harm to create accounts that are not now used at some time

2828

Samba may well use them.

2829

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583559"></a><a name="id2583561"></a></td><td align="left" valign="top"><p>

2830

Can I use LDAP just for Samba accounts and not for UNIX system accounts?

2831

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2832

Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)

2833

group account for every Windows domain group account. But if you put your users into

2834

the system password account, how do you plan to keep all domain controller system

2835

password files in sync? I think that having everything in LDAP makes a lot of sense

2836

for the UNIX administrator who is still learning the craft and is migrating from MS Windows.

2837

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583584"></a><a name="id2583586"></a></td><td align="left" valign="top"><p>

2838

Why are the Windows domain RID portions not the same as the UNIX UID?

2839

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2840

Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.

2841

This algorithm ought to ensure that there will be no clashes with well-known RIDs.

2842

Well-known RIDs have special significance to MS Windows clients. The automatic

2843

assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does

2844

permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry

2845

for <em class="parameter"><code>algorithmic rid base</code></em>.

2846

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583620"></a><a name="id2583622"></a></td><td align="left" valign="top"><p>

2847

Printer configuration examples all show printing to the HP port 9100. Does this

2848

mean that I must have HP printers for these solutions to work?

2849

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2850

No. You can use any type of printer and must use the interfacing protocol supported

2851

by the printer. Many networks use LPR/LPD print servers to which are attached

2852

PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached

2853

inkjet printer. Use the appropriate device URI (Universal Resource Interface)

2854

argument to the <code class="constant">lpadmin -v</code> option that is right for your

2855

printer.

2856

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583649"></a><a name="id2583651"></a></td><td align="left" valign="top"><p>

2857

Is folder redirection dangerous? I've heard that you can lose your data that way.

2858

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2859

The only loss of data I know of that involved folder redirection was caused by

2860

manual misuse of the redirection tool. The administrator redirected a folder to

2861

a network drive and said he wanted to migrate (move) the data over. Then he

2862

changed his mind, so he moved the folder back to the roaming profile. This time,

2863

he declined to move the data because he thought it was still in the local profile

2864

folder. That was not the case, so by declining to move the data back, he wiped out

2865

the data. You cannot hold the tool responsible for that. Caveat emptor still applies.

2866

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583677"></a><a name="id2583679"></a></td><td align="left" valign="top"><p>

2867

Is it really necessary to set a local Group Policy to exclude the redirected

2868

folders from the roaming profile?

2869

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

2870

Yes. If you do not do this, the data will still be copied from the network folder

2871

(share) to the local cached copy of the profile.

2872

</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2581860" href="#id2581860" class="para">11</a>] </sup>

2873

There is an alternate method by which a default user profile can be added to the

2874

<code class="constant">NETLOGON</code> share. This facility in the Windows System tool

2875

permits profiles to be exported. The export target may be a particular user or

2876

group profile share point or else the <code class="constant">NETLOGON</code> share.

2877

In this case, the profile directory must be named <code class="constant">Default User</code>.

2878

</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�4.�The 500-User Office�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�6.�A Distributed 2000-User Network</td></tr></table></div></body></html>