1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
<chapter id="AdvancedNetworkManagement">
6
<pubdate>June 15 2005</pubdate>
9
<title>Advanced Network Management</title>
12
<indexterm><primary>access control</primary></indexterm>
13
This section documents peripheral issues that are of great importance to network
14
administrators who want to improve network resource access control, to automate the user
15
environment, and to make their lives a little easier.
19
<title>Features and Benefits</title>
22
Often the difference between a working network environment and a well-appreciated one can
23
best be measured by the <emphasis>little things</emphasis> that make everything work more
24
harmoniously. A key part of every network environment solution is the ability to remotely
25
manage MS Windows workstations, remotely access the Samba server, provide customized
26
logon scripts, as well as other housekeeping activities that help to sustain more reliable
31
This chapter presents information on each of these areas. They are placed here, and not in
32
other chapters, for ease of reference.
38
<title>Remote Server Administration</title>
41
<para><quote>How do I get User Manager and Server Manager?</quote></para>
44
<indexterm><primary>User Manager</primary></indexterm>
45
<indexterm><primary>Server Manager</primary></indexterm>
46
<indexterm><primary>Event Viewer</primary></indexterm>
47
Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
48
and the Server Manager?
52
<indexterm><primary>Nexus.exe</primary></indexterm>
53
<indexterm><primary>Windows 9x/Me</primary></indexterm>
54
Microsoft distributes a version of these tools called <filename>Nexus.exe</filename> for installation
55
on <application>Windows 9x/Me</application> systems. The tools set includes:
59
<listitem><para>Server Manager</para></listitem>
60
<listitem><para>User Manager for Domains</para></listitem>
61
<listitem><para>Event Viewer</para></listitem>
65
Download the archived file at the Microsoft <ulink noescape="1"
66
url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
70
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
71
<indexterm><primary>User Manager for Domains</primary></indexterm>
72
<indexterm><primary>Server Manager</primary></indexterm>
73
The <application>Windows NT 4.0</application> version of the User Manager for
74
Domains and Server Manager are available from Microsoft
75
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
81
<title>Remote Desktop Management</title>
84
<indexterm><primary>remote desktop management</primary></indexterm>
85
<indexterm><primary>network environment</primary></indexterm>
86
There are a number of possible remote desktop management solutions that range from free
87
through costly. Do not let that put you off. Sometimes the most costly solution is the
88
most cost effective. In any case, you will need to draw your own conclusions as to which
89
is the best tool in your network environment.
93
<title>Remote Management from NoMachine.Com</title>
96
<indexterm><primary>NoMachine.Com</primary></indexterm>
97
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
98
It is presented in slightly edited form (with author details omitted for privacy reasons).
99
The entire answer is reproduced below with some comments removed.
103
<indexterm><primary>remote desktop capabilities</primary></indexterm>
104
I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
105
desktop capabilities so users outside could login to the system and get their desktop up from home or
110
<indexterm><primary>Windows Terminal server</primary></indexterm>
111
<indexterm><primary>BDC</primary></indexterm>
112
<indexterm><primary>PDC</primary></indexterm>
113
<indexterm><primary>remote login</primary></indexterm>
114
Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
115
it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
116
even if the computer is in a domain?
120
Answer provided: Check out the new offer of <quote>NX</quote> software from
121
<ulink noescape="1" url="http://www.nomachine.com/">NoMachine</ulink>.
125
<indexterm><primary>Remote X protocol</primary></indexterm>
126
<indexterm><primary>VNC/RFB</primary></indexterm>
127
<indexterm><primary>rdesktop/RDP</primary></indexterm>
128
It implements an easy-to-use interface to the Remote X protocol as
129
well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
130
performance much better than anything you may have ever seen.
134
<indexterm><primary>modem/ISDN</primary></indexterm>
135
Remote X is not new at all, but what they did achieve successfully is
136
a new way of compression and caching technologies that makes the thing
137
fast enough to run even over slow modem/ISDN connections.
141
<indexterm><primary>KDE konqueror</primary></indexterm>
142
<indexterm><primary>mouse-over</primary></indexterm>
143
<indexterm><primary>rdesktop</primary></indexterm>
144
<indexterm><primary></primary></indexterm>
145
I test drove their (public) Red Hat machine in Italy, over a loaded
146
Internet connection, with enabled thumbnail previews in KDE konqueror,
147
which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
148
session I started a rdesktop session on another, a Windows XP machine.
149
To test the performance, I played Pinball. I am proud to announce
150
that my score was 631,750 points at first try.
154
<indexterm><primary>NX</primary></indexterm>
155
<indexterm><primary>TightVNC</primary></indexterm>
156
<indexterm><primary>rdesktop</primary></indexterm>
157
<indexterm><primary>Remote X</primary></indexterm>
158
NX performs better on my local LAN than any of the other <quote>pure</quote>
159
connection methods I use from time to time: TightVNC, rdesktop or
160
Remote X. It is even faster than a direct crosslink connection between
165
<indexterm><primary>Remote X</primary></indexterm>
166
<indexterm><primary>KDE session</primary></indexterm>
167
<indexterm><primary>copy'n'paste</primary></indexterm>
168
I even got sound playing from the Remote X app to my local boxes, and
169
had a working <quote>copy'n'paste</quote> from an NX window (running a KDE session
170
in Italy) to my Mozilla mailing agent. These guys are certainly doing
175
I recommend test driving NX to anybody with a only a passing interest in remote computing
176
the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility.
180
Just download the free-of-charge client software (available for Red Hat,
181
SuSE, Debian and Windows) and be up and running within 5 minutes (they
182
need to send you your account data, though, because you are assigned
183
a real UNIX account on their testdrive.nomachine.com box).
187
They plan to get to the point were you can have NX application servers
188
running as a cluster of nodes, and users simply start an NX session locally
189
and can select applications to run transparently (apps may even run on
190
another NX node, but pretend to be on the same as used for initial login,
191
because it displays in the same window. You also can run it
192
full-screen, and after a short time you forget that it is a remote session
197
<indexterm><primary>GPL</primary></indexterm>
198
Now the best thing for last: All the core compression and caching
199
technologies are released under the GPL and available as source code
200
to anybody who wants to build on it! These technologies are working,
201
albeit started from the command line only (and very inconvenient to
202
use in order to get a fully running remote X session up and running).
206
To answer your questions:
211
You do not need to install a terminal server; XP has RDP support built in.
215
NX is much cheaper than Citrix &smbmdash; and comparable in performance, probably faster.
219
You do not need to hack XP &smbmdash; it just works.
223
You log into the XP box from remote transparently (and I think there is no
224
need to change anything to get a connection, even if authentication is against a domain).
228
The NX core technologies are all Open Source and released under the GPL &smbmdash;
229
you can now use a (very inconvenient) command line at no cost,
230
but you can buy a comfortable (proprietary) NX GUI front end for money.
234
<indexterm><primary>OSS/Free Software</primary></indexterm>
235
<indexterm><primary>LTSP</primary></indexterm>
236
<indexterm><primary>KDE</primary></indexterm>
237
<indexterm><primary>GNOME</primary></indexterm>
238
<indexterm><primary>NoMachine</primary></indexterm>
239
NoMachine is encouraging and offering help to OSS/Free Software implementations
240
for such a front-end too, even if it means competition to them (they have written
241
to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
247
<title>Remote Management with ThinLinc</title>
249
Another alternative for remote access is <emphasis>ThinLinc</emphasis> from Cendio.
253
<indexterm><primary>ThinLinc</primary></indexterm>
254
<indexterm><primary>terminal server</primary></indexterm>
255
<indexterm><primary>Linux</primary></indexterm>
256
<indexterm><primary>Solaris</primary></indexterm>
257
<indexterm><primary>TightVNC</primary></indexterm>
258
<indexterm><primary>SSH</primary></indexterm>
259
<indexterm><primary>NFS</primary></indexterm>
260
<indexterm><primary>PulseAudio</primary></indexterm>
261
ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard
262
protocols such as SSH, TightVNC, NFS and PulseAudio.
266
<indexterm><primary>LAN</primary></indexterm>
267
<indexterm><primary>thin client</primary></indexterm>
268
ThinLinc an be used both in the LAN environment to implement a Thin Client strategy for an organization, and as
269
secure remote access solution for people working from remote locations, even over smallband connections.
270
ThinLinc is free to use for a single concurrent user.
274
<indexterm><primary>Citrix</primary></indexterm>
275
<indexterm><primary>Windows Terminal Server</primary></indexterm>
276
<indexterm><primary>Java</primary></indexterm>
277
The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows
278
XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting
279
all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also
284
ThinLinc may be evaluated by connecting to Cendio's demo system, see
285
<ulink noescape="1" url="http://www.cendio.com">Cendio's</ulink> web site
286
<ulink noescape="1" url="http://www.cendio.com/testdrive">testdrive</ulink> center.
290
Cendio is a major contributor to several open source projects including
291
<ulink noescape="1" url="http://www.tightvnc.com">TightVNC</ulink>,
292
<ulink noescape="1" url="http://pulseaudio.org">PulseAudio</ulink> , unfsd,
293
<ulink noescape="1" url="http://www.python.org">Python</ulink> and
294
<ulink noescape="1" url="http://www.rdesktop.org">rdesktop</ulink>.
301
<title>Network Logon Script Magic</title>
304
There are several opportunities for creating a custom network startup configuration environment.
308
<listitem><para>No Logon Script.</para></listitem>
309
<listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
310
<listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
311
<listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
312
a custom logon script and then execute it.</para></listitem>
313
<listitem><para>User of a tool such as KixStart.</para></listitem>
317
The Samba source code tree includes two logon script generation/execution tools.
318
See <filename>examples</filename> directory <filename>genlogon</filename> and
319
<filename>ntlogon</filename> subdirectories.
323
The following listings are from the genlogon directory.
328
<indexterm><primary>genlogon.pl</primary></indexterm>
329
This is the <filename>genlogon.pl</filename> file:
336
# Perl script to generate user logon scripts on the fly, when users
337
# connect from a Windows client. This script should be called from
338
# smb.conf with the %U, %G and %L parameters. I.e:
340
# root preexec = genlogon.pl %U %G %L
342
# The script generated will perform
345
# 1. Log the user connection to /var/log/samba/netlogon.log
346
# 2. Set the PC's time to the Linux server time (which is maintained
347
# daily to the National Institute of Standards Atomic clock on the
349
# 3. Connect the user's home drive to H: (H for Home).
350
# 4. Connect common drives that everyone uses.
351
# 5. Connect group-specific drives for certain user groups.
352
# 6. Connect user-specific drives for certain users.
353
# 7. Connect network printers.
355
# Log client connection
356
#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
357
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
358
open LOG, ">>/var/log/samba/netlogon.log";
359
print LOG "$mon/$mday/$year $hour:$min:$sec";
360
print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
363
# Start generating logon script
364
open LOGON, ">/shared/netlogon/$ARGV[0].bat";
365
print LOGON "\@ECHO OFF\r\n";
367
# Connect shares just use by Software Development group
368
if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
370
print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
373
# Connect shares just use by Technical Support staff
374
if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
376
print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
379
# Connect shares just used by Administration staff
380
If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
382
print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
383
print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
386
# Now connect Printers. We handle just two or three users a little
387
# differently, because they are the exceptions that have desktop
388
# printers on LPT1: - all other user's go to the LaserJet on the
390
if ($ARGV[0] eq 'jim'
391
|| $ARGV[0] eq 'yvonne')
393
print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
394
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
398
print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
399
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
402
# All done! Close the output file.
408
Those wishing to use a more elaborate or capable logon processing system should check out these sites:
412
<listitem><para><ulink noescape="1" url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></para></listitem>
413
<listitem><para><ulink noescape="1" url="http://www.kixtart.org">http://www.kixtart.org</ulink></para></listitem>
417
<title>Adding Printers without User Intervention</title>
421
<indexterm><primary>rundll32</primary></indexterm>
422
Printers may be added automatically during logon script processing through the use of:
424
&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
427
See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
432
<title>Limiting Logon Connections</title>
435
Sometimes it is necessary to limit the number of concurrent connections to a
436
Samba shared resource. For example, a site may wish to permit only one network
441
The Samba <parameter>preexec script</parameter> parameter can be used to permit only one
442
connection per user. Though this method is not foolproof and may have side effects,
443
the following contributed method may inspire someone to provide a better solution.
447
This is not a perfect solution because Windows clients can drop idle connections
448
with an auto-reconnect capability that could result in the appearance that a share
449
is no longer in use, while actually it is. Even so, it demonstrates the principle
450
of use of the <parameter>preexec script</parameter> parameter.
454
The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
458
preexec script = /sbin/PermitSingleLogon.sh
465
<title>Script to Enforce Single Resource Logon</title>
470
RESULT=$(smbstatus -S -u $1 2> /dev/null | awk 'NF \
471
> 6 {print $1}' | sort | uniq -d)
473
if [ "X${RESULT}" == X ]; then