diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/manpages/smb.conf.5.html samba-3.0.23b/docs/htmldocs/manpages/smb.conf.5.html
--- samba-3.0.23a/docs/htmldocs/manpages/smb.conf.5.html 2006-07-06 05:17:53.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/manpages/smb.conf.5.html 2006-08-07 05:03:00.000000000 -0500
@@ -2114,19 +2114,18 @@
CDROM drives), although setting this parameter of no
is not really recommended even in this case.
Be careful about disabling locking either globally or in a
specific service, as lack of locking may result in data corruption.
- You should never need to set this parameter.
No default
lock spin count (G)
This parameter controls the number of times
- that smbd should attempt to gain a byte range lock on the
- behalf of a client request. Experiments have shown that
- Windows 2k servers do not reply with a failure if the lock
- could not be immediately granted, but try a few more times
- in case the lock could later be acquired. This behavior
- is used to support PC database formats such as MS Access
- and FoxPro.
-
Default: lock spin count = 3
+ You should never need to set this parameter.
No default
lock spin count (G)
This parameter has been made inoperative in Samba 3.0.24.
+ The functionality it contolled is now controlled by the parameter
+ lock spin time.
+
Default: lock spin count = 0
lock spin time (G)
The time in microseconds that smbd should
- pause before attempting to gain a failed lock. See
- lock spin count for more details.
Default: lock spin time = 10
+ keep waiting to see if a failed lock request can
+ be granted. This parameter has changed in default
+ value from Samba 3.0.23 from 10 to 200. The associated
+ lock spin count parameter is
+ no longer used in Samba 3.0.24. You should not need
+ to change the value of this parameter.
Default: lock spin time = 200
log file (G)
This option allows you to override the name of the Samba log file (also known as the debug file).
@@ -2145,7 +2144,7 @@
logon drive (G)
This parameter specifies the local path to which the home directory will be
- connected (see logon home) and is only used by NT
+ connected (see logon home) and is only used by NT
Workstations.
Note that this option is only useful if Samba is set up as a logon server.
@@ -2172,12 +2171,12 @@
in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
net use /home but use the whole string when dealing with profiles.
- Note that in prior versions of Samba, the logon path was returned rather than
+ Note that in prior versions of Samba, the logon path was returned rather than
logon home. This broke net use /home
but allowed profiles outside the home directory. The current implementation is correct, and can be used for
profiles if you use the above trick.
- Disable this feature by setting logon home = "" - using the empty string.
+ Disable this feature by setting logon home = "" - using the empty string.
This option is only useful if Samba is set up as a logon server.
Default: logon home = \\%N\%U
@@ -2188,7 +2187,7 @@
This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are
stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
profiles. To find out how to handle roaming profiles for Win 9X system, see the
- logon home parameter.
+ logon home parameter.
This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
machine. It also specifies the directory from which the "Application Data", (desktop, start menu, network neighborhood, programs and other
@@ -2217,7 +2216,7 @@
provided system tool.
Note that this option is only useful if Samba is set up as a domain controller.
Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
- example, logon path = "". Take note that even if the default setting
+ example, logon path = "". Take note that even if the default setting
in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
requires that the user account settings must also be blank.
@@ -2234,7 +2233,7 @@
must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
The script must be a relative path to the [netlogon] service. If the [netlogon]
- service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
+ service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
/usr/local/samba/netlogon/STARTUP.BAT
@@ -2274,7 +2273,7 @@
will have the SPOOLED or PRINTING status.
Note that it is good practice to include the absolute path
in the lppause command as the PATH may not be available to the server.
Default: lppause command =
# Currently no default value is given to
- this string, unless the value of the printing
+ this string, unless the value of the printing
parameter is SYSV, in which case the default is :
lp -i %p-%j -H hold or if the value of the
printing parameter is
@@ -2322,11 +2321,11 @@
executed on the server host in order to restart or continue
printing or spooling a specific print job.
This command should be a program or script which takes
a printer name and job number to resume the print job. See
- also the lppause command parameter.
If a %p is given then the printer name
+ also the lppause command parameter.
If a %p is given then the printer name
is put in its place. A %j is replaced with
the job number (an integer).
Note that it is good practice to include the absolute path
in the lpresume command as the PATH may not
- be available to the server.
See also the printing parameter.
Default: Currently no default value is given
+ be available to the server.
See also the printing parameter.
Default: Currently no default value is given
to this string, unless the value of the printing
parameter is SYSV, in which case the default is :
lp -i %p-%j -H resume
or if the value of the printing parameter
is SOFTQ, then the default is:
Default: lprm command = determined by printing parameter
machine password timeout (G)
- If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
+ If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change
the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb
. This parameter specifies how often this password will be changed, in seconds. The default is one
week (expressed in seconds), the same as a Windows NT Domain member server.
See also smbpasswd(8),
- and the security = domain parameter.
+ and the security = domain parameter.
Default: machine password timeout = 604800
magic output (S)
This parameter specifies the name of a file which will contain output created by a magic script (see the
- magic script parameter below).
+ magic script parameter below).
Warning
If two clients use the same magic script
in the same directory the output file content is undefined.
Default: magic output = <magic script name>.out
@@ -2373,7 +2372,7 @@
executed on behalf of the connected user.
Scripts executed in this way will be deleted upon
completion assuming that the user has the appropriate level
of privilege and the file permissions allow the deletion.
If the script generates output, output will be sent to
- the file specified by the magic output
+ the file specified by the magic output
parameter (see above).
Note that some shells are unable to interpret scripts
containing CR/LF instead of CR as
the end-of-line marker. Magic scripts must be executable
@@ -2394,7 +2393,7 @@
So to map html to htm
you would use:
One very useful case is to remove the annoying ;1 off
the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of
@@ -2406,7 +2405,7 @@
mangled names (S)
This controls whether non-DOS names under UNIX
should be mapped to DOS-compatible names ("mangled") and made visible,
- or whether non-DOS names should simply be ignored.
See the section on name mangling for
+ or whether non-DOS names should simply be ignored.
See the section on name mangling for
details on how to control the mangling process.
If mangling is used then the mangling algorithm is as follows:
The first (up to) five alphanumeric characters
before the rightmost dot of the filename are preserved, forced
to upper case, and appear as the first (up to) five characters
@@ -2416,7 +2415,7 @@
extension). The final extension is included in the hash calculation
only if it contains any upper case characters or is longer than three
characters.
Note that the character to use may be specified using
- the mangling char
+ the mangling char
option, if you don't like '~'.
Files whose UNIX name begins with a dot will be
presented as DOS hidden files. The mangled name will be created as
for other filenames, but with the leading dot removed and "___" as
@@ -2440,7 +2439,7 @@
Example: mangle prefix = 4
mangling char (S)
This controls what character is used as
- the magic character in name mangling. The
+ the magic character in name mangling. The
default is a '~' but this may interfere with some software. Use this option to set
it to whatever you prefer. This is effective only when mangling method is hash.
Default: mangling char = ~
@@ -2473,23 +2472,23 @@
any file it touches from becoming executable under UNIX. This can
be quite annoying for shared source code, documents, etc...
- Note that this requires the create mask parameter to be set such that owner
+ Note that this requires the create mask parameter to be set such that owner
execute bit is not masked out (i.e. it must include 100). See the parameter
- create mask for details.
+ create mask for details.
Default: map archive = yes
map hidden (S)
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
- Note that this requires the create mask to be set such that the world execute
- bit is not masked out (i.e. it must include 001). See the parameter create mask
+ Note that this requires the create mask to be set such that the world execute
+ bit is not masked out (i.e. it must include 001). See the parameter create mask
for details.
No default
map read only (S)
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either
- store dos attributes is set to No, or no extended attribute is
- present. If store dos attributes is set to yes then this
+ store dos attributes is set to No, or no extended attribute is
+ present. If store dos attributes is set to yes then this
parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.
The three settings are :
Yes - The read only DOS attribute is mapped to the inverse of the user
@@ -2502,18 +2501,18 @@
is reported as being set on the file.
No - The read only DOS attribute is unaffected by permissions, and can only be set by
- the store dos attributes method. This may be useful for exporting mounted CDs.
+ the store dos attributes method. This may be useful for exporting mounted CDs.
Default: map read only = yes
map system (S)
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
- Note that this requires the create mask to be set such that the group
+ Note that this requires the create mask to be set such that the group
execute bit is not masked out (i.e. it must include 010). See the parameter
- create mask for details.
+ create mask for details.
Default: map system = no
-
map to guest (G)
This parameter is only useful in SECURITY =
+
map to guest (G)
This parameter is only useful in SECURITY =
security modes other than security = share
- i.e. user, server,
and domain.
This parameter can take four different values, which tell
@@ -2523,9 +2522,9 @@
default.
Bad User - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
- mapped into the guest account.
Bad Password - Means user logins
+ mapped into the guest account.
Bad Password - Means user logins
with an invalid password are treated as a guest login and mapped
- into the guest account. Note that
+ into the guest account. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as "guest" - and
will not know the reason they cannot access files they think
@@ -2555,7 +2554,7 @@
If max connections is greater than 0 then connections
will be refused if this number of connections to the service are already open. A value
of zero mean an unlimited number of connections may be made.
Record lock files are used to implement this feature. The lock files will be stored in
- the directory specified by the lock directory option.
Default: max connections = 0
+ the directory specified by the lock directory option.
Default: max connections = 0
Example: max connections = 10
@@ -2645,7 +2644,7 @@
never need to change this parameter. The default is 3 days.
Default: max ttl = 259200
max wins ttl (G)
This option tells smbd(8) when acting as a WINS server
- (wins support = yes) what the maximum
+ (wins support = yes) what the maximum
'time to live' of NetBIOS names that nmbd
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds).
Default: max wins ttl = 518400
@@ -2706,18 +2705,18 @@
min protocol (G)
The value of the parameter (a string) is the
lowest SMB protocol dialect than Samba will support. Please refer
- to the max protocol
+ to the max protocol
parameter for a list of valid protocol names and a brief description
of each. You may also wish to refer to the C source code in
source/smbd/negprot.c for a listing of known protocol
dialects supported by clients.
If you are viewing this parameter as a security measure, you should
- also refer to the lanman auth parameter. Otherwise, you should never need
+ also refer to the lanman auth parameter. Otherwise, you should never need
to change this parameter.
Default: min protocol = CORE
Example: min protocol = NT1
min wins ttl (G)
This option tells nmbd(8)
- when acting as a WINS server (wins support = yes) what the minimum 'time to live'
+ when acting as a WINS server (wins support = yes) what the minimum 'time to live'
of NetBIOS names that nmbd will grant will be (in
seconds). You should never need to change this parameter. The default
is 6 hours (21600 seconds).
Default: min wins ttl = 21600
@@ -2727,7 +2726,7 @@
the value of the parameter. When clients attempt to connect to
this share, they are redirected to the proxied share using
the SMB-Dfs protocol.
Only Dfs roots can act as proxy shares. Take a look at the
- msdfs root and host msdfs
+ msdfs root and host msdfs
options to find out how to set up a Dfs root share.
No default
Example: msdfs proxy = \otherserver\someshare
msdfs root (S)
If set to yes, Samba treats the
@@ -2763,9 +2762,9 @@
useful for active directory domains and results in a DNS query for the SRV RR entry matching
_ldap._tcp.domain.
wins : Query a name with
- the IP address listed in the WINSSERVER parameter. If no WINS server has
+ the IP address listed in the WINSSERVER parameter. If no WINS server has
been specified this method will be ignored.
bcast : Do a broadcast on
- each of the known local interfaces listed in the interfaces
+ each of the known local interfaces listed in the interfaces
parameter. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally
connected subnet.
The example below will cause the local lmhosts file to be examined
@@ -2817,7 +2816,7 @@
it will be mounted on the Samba client directly from the directory
server. When Samba is returning the home share to the client, it
will consult the NIS map specified in
- homedir map and return the server
+ homedir map and return the server
listed there.
Note that for this option to work there must be a working
NIS system and the Samba server with this option must also
be a logon server.
Default: nis homedir = no
@@ -2856,7 +2855,7 @@
should obey PAM's account and session management directives. The
default behavior is to use PAM for clear text authentication only
and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
+ always ignores PAM for authentication in the case of encrypt passwords = yes. The reason
is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password encryption.
Default: obey pam restrictions = no
@@ -2867,7 +2866,7 @@
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the user list and is only really
- useful in security = share level security.
Note that this also means Samba won't try to deduce
+ useful in security = share level security.
Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
the [homes] section. To get around this you could use user =
%S which means your user list
@@ -2915,11 +2914,11 @@
docs/ directory.
Oplocks may be selectively turned off on certain files with a share. See
- the veto oplock files parameter. On some systems
+ the veto oplock files parameter. On some systems
oplocks are recognized by the underlying operating system. This
allows data synchronization between all access to oplocked files,
whether it be via Samba or NFS or a local UNIX process. See the
- kernel oplocks parameter for details.
+ kernel oplocks parameter for details.
Default: oplocks = yes
os2 driver map (G)
The parameter is used to define the absolute
@@ -2935,7 +2934,7 @@
os level (G)
This integer value controls what level Samba
advertises itself as for browse elections. The value of this
parameter determines whether nmbd(8)
-has a chance of becoming a local master browser for the workgroup in the local broadcast area.
+has a chance of becoming a local master browser for the workgroup in the local broadcast area.
Note :By default, Samba will win a local master browsing election over all Microsoft operating
systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can
effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3
@@ -2949,9 +2948,9 @@
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
changes when requested by an SMB client instead of the program listed in
- passwd program.
+ passwd program.
It should be possible to enable this without changing your
- passwd chat parameter for most setups.
Default: pam password change = no
+ passwd chat parameter for most setups.
Default: pam password change = no
panic action (G)
This is a Samba developer option that allows a
system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to
@@ -2968,53 +2967,33 @@
this check, which involves deliberatly attempting a
bad logon to the remote server.
Default: paranoid server security = yes
-
passdb backend (G)
This option allows the administrator to chose which backends
- to retrieve and store passwords with. This allows (for example) both
- smbpasswd and tdbsam to be used without a recompile. Multiple
- backends can be specified, separated by spaces. The backends will be
- searched in the order they are specified. New users are always added
- to the first backend specified.
This parameter is in two parts, the backend's name, and a 'location'
+
passdb backend (G)
This option allows the administrator to chose which backend
+ will be used for storing user and possibly group information. This allows
+ you to swap between dfferent storage mechanisms without recompile.
The parameter value is divided into two parts, the backend's name, and a 'location'
string that has meaning only to that particular backed. These are separated
by a : character.
Available backends can include:
smbpasswd - The default smbpasswd
backend. Takes a path to the smbpasswd file as an optional argument.
tdbsam - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the private dir directory.
ldapsam - The LDAP based passdb
+ in the private dir directory.
ldapsam - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
ldap://localhost)
LDAP connections should be secured where possible. This may be done using either
- Start-TLS (see ldap ssl) or by
+ Start-TLS (see ldap ssl) or by
specifying ldaps:// in
the URL argument.
Multiple servers may also be specified in double-quotes, if your
LDAP libraries supports the LDAP URL notation.
(OpenLDAP does).
-
nisplussam -
- The NIS+ based passdb backend. Takes name NIS domain as
- an optional argument. Only works with sun NIS+ servers.
-
mysql -
- The MySQL based passdb backend. Takes an identifier as
- argument. Read the Samba HOWTO Collection for configuration
- details.
@@ -3027,15 +3006,15 @@
conversation that takes places between smbd(8) and the local password changing
program to change the user's password. The string describes a
sequence of response-receive pairs that smbd(8) uses to determine what to send to the
- passwd program and what to expect back. If the expected output is not
+ passwd program and what to expect back. If the expected output is not
received then the password is not changed.
This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
- etc).
Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is
+ etc).
Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is
then called AS ROOT when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
- NIS/YP, this means that the passwd program must
+ NIS/YP, this means that the passwd program must
be executed on the NIS master.
The string can contain the macro %n which is substituted
for the new password. The chat sequence can also contain the standard
@@ -3044,7 +3023,7 @@
a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces
in them into a single string.
If the send string in any part of the chat sequence is a full
stop ".", then no string is sent. Similarly, if the
- expect string is a full stop then no string is expected.
If the pam password change parameter is set to yes, the
+ expect string is a full stop then no string is expected.
If the pam password change parameter is set to yes, the
chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
output. The \n macro is ignored for PAM conversions.
Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed*
@@ -3055,13 +3034,13 @@
parameter is run in debug mode. In this mode the
strings passed to and received from the passwd chat are printed
in the smbd(8) log with a
- debug level
+ debug level
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the smbd log. It is available to help
Samba admins debug their passwd chat scripts
when calling the passwd program and should
be turned off after this has been done. This option has no effect if the
- pam password change
+ pam password change
paramter is set. This parameter is off by default.
Default: passwd chat debug = no
passwd chat timeout (G)
This integer specifies the number of seconds smbd will wait for an initial
@@ -3108,7 +3087,7 @@
process a new connection.
A value of zero will cause only two attempts to be
made - the password as is and the password in all-lower case.
This parameter is used only when using plain-text passwords. It is
not at all used when encrypted passwords as in use (that is the default
- since samba-3.0.0). Use this only when encrypt passwords = No.
Default: password level = 0
+ since samba-3.0.0). Use this only when encrypt passwords = No.
Default: password level = 0
Example: password level = 4
@@ -3124,7 +3103,7 @@
Samba will use the standard LDAP port of tcp/389. Note that port numbers
have no effect on password servers for Windows NT 4.0 domains or netbios
connections.
If parameter is a name, it is looked up using the
- parameter name resolve order and so may resolved
+ parameter name resolve order and so may resolved
by any method and order described in that parameter.
The password server must be a machine capable of using
the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
user level security mode.
Note
Using a password server means your UNIX box (running
@@ -3186,7 +3165,7 @@
on this connection. Any occurrences of %m
will be replaced by the NetBIOS name of the machine they are
connecting from. These replacements are very useful for setting
- up pseudo home directories for users.
Note that this path will be based on root dir
+ up pseudo home directories for users.
Note that this path will be based on root dir
if one was specified.
Of course, this could get annoying after a while :-)
- See also preexec close and postexec.
+ See also preexec close and postexec.
Default: preexec =
Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log
preexec close (S)
- This boolean option controls whether a non-zero return code from preexec
+ This boolean option controls whether a non-zero return code from preexec
should close the service being connected to.
Default: preexec close = no
@@ -3235,7 +3214,7 @@
If this is set to yes, on startup, nmbd will force
an election, and it will have a slight advantage in winning the election. It is recommended that this
- parameter is used in conjunction with domain master = yes, so that
+ parameter is used in conjunction with domain master = yes, so that
nmbd can guarantee becoming a domain master.
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT)
@@ -3249,7 +3228,7 @@
for homes and printers services that would otherwise not be
visible.
Note that if you just want all printers in your
- printcap file loaded then the load printers
+ printcap file loaded then the load printers
option is easier.
Default: preload =
@@ -3263,7 +3242,7 @@
preserve case (S)
This controls if new filenames are created with the case that the client passes, or if
- they are forced to be the default case.
+ they are forced to be the default case.
See the section on NAME MANGLING for a fuller discussion.
Default: preserve case = yes
@@ -3272,7 +3251,7 @@
clients may open, write to and submit spool files on the directory
specified for the service.
Note that a printable service will ALWAYS allow writing
to the service path (user privileges permitting) via the spooling
- of print data. The read only parameter controls only non-printing access to
+ of print data. The read only parameter controls only non-printing access to
the resource.
Default: printable = no
printcap cache time (G)
This option specifies the number of seconds before the printing
@@ -3290,7 +3269,7 @@
/etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.
To use the CUPS printing interface set printcap name = cups . This should
- be supplemented by an addtional setting printing = cups in the [global]
+ be supplemented by an addtional setting printing = cups in the [global]
section. printcap name = cups will use the "dummy" printcap
created by CUPS, as specified in your CUPS configuration file.
@@ -3343,17 +3322,17 @@
printable service nor a global print command, spool files will
be created but not processed and (most importantly) not removed.
Note that printing may fail on some UNIXes from the
nobody account. If this happens then create
- an alternative guest account that can print and set the guest account
+ an alternative guest account that can print and set the guest account
in the [global] section.
You can form quite complex print commands by realizing
that they are just passed to a shell. For example the following
will log a print job, print the file, then remove it. Note that
';' is the usual separator for command in shell scripts.
You may have to vary this command considerably depending
on how you normally print files on your system. The default for
- the parameter varies depending on the setting of the printing
+ the parameter varies depending on the setting of the printing
parameter.
Default: For printing = BSD, AIX, QNX, LPRNG
or PLP :
print command = lpr -r -P%p %s
For printing = SYSV or HPUX :
print command = lp -c -d%p %s; rm %s
For printing = SOFTQ :
print command = lp -d%p -s %s; rm %s
For printing = CUPS : If SAMBA is compiled against
- libcups, then printcap = cups
+ libcups, then printcap = cups
uses the CUPS API to
submit jobs, etc. Otherwise it maps to the System V
commands with the -oraw option for printing, i.e. it
@@ -3385,7 +3364,7 @@
If specified in the [global] section, the printer name given will be used for any printable service that
does not have its own printer name specified.
- The default value of the printer name may be lp on many
+ The default value of the printer name may be lp on many
systems.
Default: printer name = none
@@ -3452,7 +3431,7 @@
queueresume command (S)
This parameter specifies the command to be
executed on the server host in order to resume the printer queue. It
is the command to undo the behavior that is caused by the
- previous parameter (queuepause command).
This command should be a program or script which takes
+ previous parameter (queuepause command).
This command should be a program or script which takes
a printer name as its only parameter and resumes the printer queue,
such that queued jobs are resubmitted to the printer.
This command is not supported by Windows for Workgroups,
but can be issued from the Printers window under Windows 95
@@ -3472,15 +3451,15 @@
read list (S)
This is a list of users that are given read-only access to a service. If the connecting user is in this list
- then they will not be given write access, no matter what the read only option is set
- to. The list can include group names using the syntax described in the invalid users
+ then they will not be given write access, no matter what the read only option is set
+ to. The list can include group names using the syntax described in the invalid users
parameter.
-
This parameter will not work with the security = share in
+
This parameter will not work with the security = share in
Samba 3.0. This is by design.
Default: read list =
Example: read list = mary, @students
-
read only (S)
An inverted synonym is writeable.
If this parameter is yes, then users
+
read only (S)
An inverted synonym is writeable.
If this parameter is yes, then users
of a service may not create or modify files in the service's
directory.
Note that a printable service (printable = yes)
will ALWAYS allow writing to the directory
@@ -3516,7 +3495,7 @@
the above line would cause nmbd to announce itself
to the two given IP addresses using the given workgroup names. If you leave out the
- workgroup name then the one given in the workgroup parameter
+ workgroup name then the one given in the workgroup parameter
is used instead.
The IP addresses you choose would normally be the broadcast addresses of the remote
@@ -3553,7 +3532,7 @@
that the remote machine is available, is listening, nor that it
is in fact the browse master on its segment.
- The remote browse sync may be used on networks
+ The remote browse sync may be used on networks
where there is no WINS server, and may be used on disjoint networks where
each network has its own WINS server.
The security advantage of using restrict anonymous = 2 is removed
- by setting guest ok = yes on any share.
+ by setting guest ok = yes on any share.
Default: restrict anonymous = 0
root
This parameter is a synonym for root directory.
root dir
This parameter is a synonym for root directory.
root directory (G)
The server will chroot() (i.e.
@@ -3625,7 +3604,7 @@
It may also check for, and deny access to, soft links to other
parts of the filesystem, or attempts to use ".." in file names
to access other directories (depending on the setting of the
- wide smbconfoptions parameter).
+ wide smbconfoptions parameter).
Adding a root directory entry other
than "/" adds an extra level of security, but at a price. It
absolutely ensures that no access is given to files not in the
@@ -3680,9 +3659,9 @@
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with security = user, see
- the map to guestparameter for details.
It is possible to use smbd in a
+ the map to guestparameter for details.
It is possible to use smbd in a
hybrid mode where it is offers both user and share
- level security under different NetBIOS aliases.
The different settings will now be explained.
SECURITY = SHARE
When clients connect to a share level security server they
+ level security under different NetBIOS aliases.
The different settings will now be explained.
SECURITY = SHARE
When clients connect to a share level security server they
need not log onto the server with a valid username and password before
attempting to connect to a shared resource (although modern clients
such as Windows 95/98 and Windows NT will send a logon request with
@@ -3695,10 +3674,10 @@
in share level security, smbd uses several
techniques to determine the correct UNIX user to use on behalf
of the client.
A list of possible UNIX usernames to match with the given
- client password is constructed using the following methods :
If the guest only parameter is set, then all the other
- stages are missed and only the guest account username is checked.
+ client password is constructed using the following methods :
If the guest only parameter is set, then all the other
+ stages are missed and only the guest account username is checked.
Is a username is sent with the share connection
- request, then this username (after mapping - see username map),
+ request, then this username (after mapping - see username map),
is added as a potential username.
If the client did a previous logon
request (the SessionSetup SMB call) then the
@@ -3707,7 +3686,7 @@
added as a potential username.
The NetBIOS name of the client is added to
the list as a potential username.
-
Any users on the user list are added as potential usernames.
+
Any users on the user list are added as potential usernames.
If the guest only parameter is
not set, then this list is then tried with the supplied password.
The first user for whom the password matches will be used as the
@@ -3719,17 +3698,17 @@
be used in granting access.
This is the default security setting in Samba 3.0.
With user-level security a client must first "log-on" with a
- valid username and password (which can be mapped using the username map
- parameter). Encrypted passwords (see the encrypted passwords parameter) can also
- be used in this security mode. Parameters such as user and guest only if set are then applied and
+ valid username and password (which can be mapped using the username map
+ parameter). Encrypted passwords (see the encrypted passwords parameter) can also
+ be used in this security mode. Parameters such as user and guest only if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.
Note that the name of the resource being
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this.
This mode will only work correctly if net(8) has been used to add this
- machine into a Windows NT Domain. It expects the encrypted passwords
+ the server to automatically map unknown users into the guest account.
+ See the map to guest parameter for details on doing this.
This mode will only work correctly if net(8) has been used to add this
+ machine into a Windows NT Domain. It expects the encrypted passwords
parameter to be set to yes. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
@@ -3743,13 +3722,13 @@
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this.
See also the password server parameter and
+ the encrypted passwords parameter.
SECURITY = SERVER
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
NT box. If this fails it will revert to security = user. It expects the
- encrypted passwords parameter to be set to yes, unless the remote
+ encrypted passwords parameter to be set to yes, unless the remote
server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in
the Samba HOWTO Collection for details on how to set this up.
@@ -3769,10 +3748,10 @@
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the guest account.
- See the map to guest parameter for details on doing this.
See also the password server parameter and the
- encrypted passwords parameter.
SECURITY = ADS
In this mode, Samba will act as a domain member in an ADS realm. To operate
+ the server to automatically map unknown users into the guest account.
+ See the map to guest parameter for details on doing this.
See also the password server parameter and the
+ encrypted passwords parameter.
SECURITY = ADS
In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured and Samba will need to be joined to the ADS realm using the
net utility.
Note that this mode does NOT make Samba operate as a Active Directory Domain
@@ -3785,7 +3764,7 @@
UNIX permission on a file using the native NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
- in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
+ in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
@@ -3800,7 +3779,7 @@
server schannel (G)
This controls whether the server offers or even demands the use of the netlogon schannel.
- server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel.
+ server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel.
This is only the case for Windows NT4 before SP4.
Please note that with this set to no you will have to apply the WindowsXP
@@ -3874,8 +3853,8 @@
short preserve case (S)
This boolean parameter controls if new files
which conform to 8.3 syntax, that is all in upper case and of
suitable length, are created upper case, or if they are forced
- to be the default case
- . This option can be use with preserve case = yes
+ to be the default case
+ . This option can be use with preserve case = yes
to permit long filenames to retain their case, while short
names are lowered.
Default: short preserve case = yes
@@ -3975,10 +3954,10 @@
store dos attributes (S)
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
- as occurs with map hidden and map readonly). When set, DOS
+ as occurs with map hidden and map readonly). When set, DOS
attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
- directory. For no other mapping to occur as a fall-back, the parameters map hidden,
- map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended
+ directory. For no other mapping to occur as a fall-back, the parameters map hidden,
+ map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended
attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
extended attributes to work, also extended attributes must be compiled into the Linux kernel.
@@ -4120,8 +4099,8 @@
passwords to be made over a longer period. Once all users have encrypted representations of their passwords
in the smbpasswd file this parameter should be set to no.
- In order for this parameter to be operative the encrypt passwords parameter must
- be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work.
+ In order for this parameter to be operative the encrypt passwords parameter must
+ be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work.
Note that even when this parameter is set a user authenticating to smbd
must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
@@ -4193,7 +4172,7 @@
they will be able to do no more damage than if they started a
telnet session. The daemon runs as the user that they log in as,
so they cannot do anything that user cannot do.
To restrict a service to a particular set of users you
- can use the valid users parameter.
If any of the usernames begin with a '@' then the name
+ can use the valid users parameter.
If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
is compiled with netgroup support), followed by a lookup in
the UNIX groups database and will expand to a list of all users
@@ -4283,7 +4262,7 @@
Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
fred is remapped to mary then you will actually be connecting to
\\server\mary and will need to supply a password suitable for mary not
- fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client
+ fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client
supplies without modification.
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
@@ -4311,7 +4290,7 @@
# no username map
username map script (G)
This script is a mutually exclusive alternative to the
- username map parameter. This parameter
+ username map parameter. This parameter
specifies and external program or script that must accept a single
command line option (the username transmitted in the authentication
request) and return a line line on standard output (the name to which
@@ -4484,11 +4463,11 @@
Each entry must be a unix path, not a DOS path and must not include the
unix directory separator '/'.
- Note that the case sensitive option is applicable in vetoing files.
+ Note that the case sensitive option is applicable in vetoing files.
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
- deletion will fail unless you also set the delete veto files
+ deletion will fail unless you also set the delete veto files
parameter to yes.
Setting this parameter will affect the performance of Samba, as it will be forced to check all files
@@ -4508,11 +4487,11 @@
Default: veto files = No files or directories are vetoed.
veto oplock files (S)
- This parameter is only valid when the oplocks
+ This parameter is only valid when the oplocks
parameter is turned on for a share. It allows the Samba administrator
to selectively turn off the granting of oplocks on selected files that
match a wildcarded list, similar to the wildcarded list used in the
- veto files parameter.
+ veto files parameter.
You might want to do this on files that you know will be heavily contended
for by clients. A good example of this is in the NetBench SMB benchmark
@@ -4698,12 +4677,12 @@
workgroup (G)
This controls what workgroup your server will
appear to be in when queried by clients. Note that this parameter
also controls the Domain name used with
- the security = domain
+ the security = domain
setting.
Default: workgroup = WORKGROUP
Example: workgroup = MYGROUP
-
writable
This parameter is a synonym for writeable.
writeable (S)
Inverted synonym for read only.
No default
write cache size (S)
If this integer parameter is set to non-zero value,
+
writable
This parameter is a synonym for writeable.
writeable (S)
Inverted synonym for read only.
No default
write cache size (S)
If this integer parameter is set to non-zero value,
Samba will create an in-memory cache for each oplocked file
(it does not do this for
non-oplocked files). All writes that the client does not request
@@ -4724,14 +4703,14 @@
write list (S)
This is a list of users that are given read-write access to a service. If the
connecting user is in this list then they will be given write access, no matter
- what the read only option is set to. The list can
+ what the read only option is set to. The list can
include group names using the @group syntax.
Note that if a user is in both the read list and the write list then they will be
given write access.
By design, this parameter will not work with the
- security = share in Samba 3.0.
+ security = share in Samba 3.0.
Although the configuration file permits service names to contain spaces, your client software may not.
Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
@@ -4765,8 +4744,8 @@
for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme
care when designing these sections. In particular, ensure that the permissions on spool directories are
correct.
-
VERSION
This man page is correct for version 3.0 of the Samba suite.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/manpages/swat.8.html samba-3.0.23b/docs/htmldocs/manpages/swat.8.html
--- samba-3.0.23a/docs/htmldocs/manpages/swat.8.html 2006-07-06 05:18:13.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/manpages/swat.8.html 2006-08-07 05:03:20.000000000 -0500
@@ -10,8 +10,8 @@
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide.
See smb.conf for more information.
-
-a
This option disables authentication and puts
- swat in demo mode. In that mode anyone will be able to modify
+
-a
This option disables authentication and
+ places swat in demo mode. In that mode anyone will be able to modify
the smb.conf file.
WARNING: Do NOT enable this option on a production
server.
-P
This option restricts read-only users to the password
management page. swat can then be used to change
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/manpages/wbinfo.1.html samba-3.0.23b/docs/htmldocs/manpages/wbinfo.1.html
--- samba-3.0.23a/docs/htmldocs/manpages/wbinfo.1.html 2006-07-06 05:18:19.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/manpages/wbinfo.1.html 2006-08-07 05:03:27.000000000 -0500
@@ -1,83 +1,87 @@
-
The wbinfo program queries and returns information
created and used by the winbindd(8) daemon.
The winbindd(8) daemon must be configured
and running for the wbinfo program to be able
- to return information.
OPTIONS
-a username%password
Attempt to authenticate a user via winbindd.
+ to return information.
OPTIONS
-a|--authenticate username%password
Attempt to authenticate a user via winbindd.
This checks both authenticaion methods and reports its results.
Note
Do not be tempted to use this
functionality for authentication in third-party
- applications. Instead use ntlm_auth(1).
-c user
Create a local winbind user.
-
-C group
Create a local winbindd group.
+ applications. Instead use ntlm_auth(1).
--allocate-gid
Get a new GID out of idmap
+
--allocate-uid
Get a new UID out of idmap
+
--all-domains
List all domains (trusted and
+ own domain).
--domain name
This parameter sets the domain on which any specified
operations will performed. If special domain name '.' is used to represent
the current domain to which winbindd belongs. Currently only the
--sequence,
-u, and -g options honor this parameter.
-
-g
This option will list all groups available
+
-D|--domain-info domain
Show most of the info we have about the domain.
+
-g|--domain-groups
This option will list all groups available
in the Windows NT domain for which the samba(7) daemon is operating in. Groups in all trusted domains
will also be listed. Note that this operation does not assign
group ids to any groups that have not already been
seen by winbindd(8).
--get-auth-user
Print username and password used by winbindd
during session setup to a domain controller. Username
- and password can be set using '-A'. Only available for
- root.
-G gid
Try to convert a UNIX group id to a Windows
+ and password can be set using --set-auth-user.
+ Only available for root.
--getdcname domain
Get the DC name for the specified domain.
+
-G|--gid-to-sid gid
Try to convert a UNIX group id to a Windows
NT SID. If the gid specified does not refer to one within
- the idmap gid range then the operation will fail.
-I ip
The -I option
+ the idmap gid range then the operation will fail.
-i|--user-info user
Get user info.
+
-I|--WINS-by-ip ip
The -I option
queries winbindd(8) to send a node status
request to get the NetBIOS name associated with the IP address
specified by the ip parameter.
-
-m
Produce a list of domains trusted by the
+
-K|--krb5auth username%password
Attempt to authenticate a user via Kerberos.
+
-m|--trusted-domains
Produce a list of domains trusted by the
Windows NT server winbindd(8) contacts
when resolving names. This list does not include the Windows
NT domain the server is a Primary Domain Controller for.
-
-n name
The -n option
+
-n|--name-to-sid name
The -n option
queries winbindd(8) for the SID
associated with the name specified. Domain names can be specified
before the user name by using the winbind separator character.
For example CWDOM1/Administrator refers to the Administrator
user in the domain CWDOM1. If no domain is specified then the
domain used is the one specified in the smb.conf(5)workgroup
- parameter.
-N name
The -N option
+ parameter.
-N|--WINS-by-name name
The -N option
queries winbindd(8) to query the WINS
server for the IP address associated with the NetBIOS name
specified by the name parameter.
-
-o user:group
Add a winbindd local group as a secondary group
- for the specified winbindd local user.
-
-O user:group
Remove a winbindd local group as a secondary group
- for the specified winbindd local user.
-
-p
Check whether winbindd is still alive.
+
--own-domain
List own domain.
+
-p|--ping
Check whether winbindd is still alive.
Prints out either 'succeeded' or 'failed'.
-
-r username
Try to obtain the list of UNIX group ids
+
-r|--user-groups username
Try to obtain the list of UNIX group ids
to which the user belongs. This only works for users
defined on a Domain Controller.
-
-s sid
Use -s to resolve
+
-s|--sid-to-name sid
Use -s to resolve
a SID to a name. This is the inverse of the -n
option above. SIDs must be specified as ASCII strings
in the traditional Microsoft format. For example,
- S-1-5-21-1455342024-3071081365-2475485837-500.
--set-auth-user username%password
Store username and password used by winbindd
+ S-1-5-21-1455342024-3071081365-2475485837-500.
--separator
Get the active winbind separator.
+
--sequence
Show sequence numbers of
+ all known domains
--set-auth-user username%password
Store username and password used by winbindd
during session setup to a domain controller. This enables
winbindd to operate in a Windows 2000 domain with Restrict
Anonymous turned on (a.k.a. Permissions compatiable with
Windows 2000 servers only).
-
--sequence
Show sequence numbers of
- all known domains
-S sid
Convert a SID to a UNIX user id. If the SID
- does not correspond to a UNIX user mapped by winbindd(8) then the operation will fail.
-t
Verify that the workstation trust account
+
-S|--sid-to-uid sid
Convert a SID to a UNIX user id. If the SID
+ does not correspond to a UNIX user mapped by winbindd(8) then the operation will fail.
-t|--check-secret
Verify that the workstation trust account
created when the Samba server is added to the Windows NT
- domain is working.
-u
This option will list all users available
+ domain is working.
-u|--domain-users
This option will list all users available
in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains
will also be listed. Note that this operation does not assign
user ids to any users that have not already been seen by winbindd(8)
- .
-U uid
Try to convert a UNIX user id to a Windows NT
+ .
--user-domgroups SID
Get user domain groups.
+
--user-sids SID
Get user group SIDs for user.
+
-U|--uid-to-sid uid
Try to convert a UNIX user id to a Windows NT
SID. If the uid specified does not refer to one within
- the idmap uid range then the operation will fail.
-x user
Delete an existing local winbind user.
-
-X group
Delete an existing local winbindd group.
-
-Y sid
Convert a SID to a UNIX group id. If the SID
+ the idmap uid range then the operation will fail.
-Y|--sid-to-gid sid
Convert a SID to a UNIX group id. If the SID
does not correspond to a UNIX group mapped by winbindd(8) then
the operation will fail.
-V
Prints the program version number.
-h|--help
Print a summary of command line options.
-
EXIT STATUS
The wbinfo program returns 0 if the operation
+
EXIT STATUS
The wbinfo program returns 0 if the operation
succeeded, or 1 if the operation failed. If the winbindd(8) daemon is not working wbinfo will always return
- failure.
VERSION
This man page is correct for version 3.0 of
- the Samba suite.
The original Samba software and related utilities
were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar
to the way the Linux kernel is developed.
There is something indeed mystical about things that are
big. Large networks exhibit a certain magnetism and exude a sense of
importance that obscures reality. You and I know that it is no more
@@ -30,7 +30,7 @@
Samba are largely under control. So in this section you focus on the
specifics of implementing LDAP changes, Samba changes, and approach and
design of the solution and its deployment.
-
Introduction
+
Introduction
Abmas is a miracle company. Most businesses would have collapsed under
the weight of rapid expansion that this company has experienced. Samba
is flexible, so there is no need to reinstall the whole operating
@@ -39,19 +39,19 @@
and then do a near-live conversion. There is no need to reinstall a
Samba server just to change the way your network should function.
-
+
Network growth is common to all organizations. In this exercise,
your preoccupation is with the mechanics of implementing Samba and
LDAP so that network users on each network segment can work
without impediment.
-
Assignment Tasks
+
Assignment Tasks
Starting with the configuration files for the server called
MASSIVE in ???, you now deal with the
issues that are particular to large distributed networks. Your task
is simple identify the challenges, consider the
alternatives, and then design and implement a solution.
-
+
Remember, you have users based in London (UK), Los Angeles,
Washington. DC, and, three buildings in New York. A significant portion
of your workforce have notebook computers and roam all over the
@@ -72,18 +72,18 @@
You have outsourced all desktop deployment and management to
DirectPointe. Your concern is server maintenance and third-level
support. Build a plan and show what must be done.
-
Dissection and Discussion
-
-
+
Dissection and Discussion
+
+
In ???, you implemented an LDAP server that provided the
passdb backend for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
-
-
-
-
+
+
+
+
The implementation of an LDAP-based passdb backend (known as
ldapsam in Samba parlance), or some form of database
that can be distributed, is essential to permit the deployment of Samba
@@ -96,8 +96,8 @@
support the range of account facilities demanded by modern network
managers.
-
-
+
+
The new tdbsam facility supports functionality
that is similar to an ldapsam, but the lack of
distributed infrastructure sorely limits the scope for its
@@ -105,10 +105,10 @@
an XML-based backend, or for that matter, why not use an SQL-based
backend? Is support for these tools broken? Answers to these
questions require a bit of background.
-
-
-
-
+
+
+
+What is a directory? A directory is a
collection of information regarding objects that can be accessed to
rapidly find information that is relevant in a particular and
@@ -116,19 +116,19 @@
generally more often searched (read) than updated. As a consequence, the
information is organized to facilitate read access rather than to
support transaction processing.
-
-
-
-
+
+
+
+
The Lightweight Directory Access Protocol (LDAP) differs
considerably from a traditional database. It has a simple search
facility that uniquely makes a highly preferred mechanism for managing
user identities. LDAP provides a scalable mechanism for distributing
the data repository and for keeping all copies (slaves) in sync with
the master repository.
-
-
-
+
+
+
Samba is a flexible and powerful file and print sharing
technology. It can use many external authentication sources and can be
part of a total authentication and identity management
@@ -136,7 +136,7 @@
are Microsoft Active Directory and LDAP. Sites that specifically wish to
avoid the proprietary implications of Microsoft Active Directory
naturally gravitate toward OpenLDAP.
-
+
In ???, you had to deal with a locally routed
network. All deployment concerns focused around making users happy,
and that simply means taking control over all network practices and
@@ -147,12 +147,12 @@
between offices. You must take into account the way users need to
access information globally. And you must make the network robust
enough so that it can sustain partial breakdown without causing loss of
-productivity.
Technical Issues
+productivity.
Technical Issues
There are at least three areas that need to be addressed as you
approach the challenge of designing a network solution for the newly
expanded business:
-
- User needs such as mobility and data access
The nature of Windows networking protocols
Identity management infrastructure needs
Let's look at each in turn.
User Needs
+
+ User needs such as mobility and data access
The nature of Windows networking protocols
Identity management infrastructure needs
Let's look at each in turn.
User Needs
The new company has three divisions. Staff for each division are spread across
the company. Some staff are office-bound and some are mobile users. Mobile
users travel globally. Some spend considerable periods working in other offices.
@@ -163,7 +163,7 @@
curtail user needs. Parts of the global Internet infrastructure remain shielded
off for reasons outside the scope of this discussion.
-
+
Decisions must be made regarding where data is to be stored, how it will be
replicated (if at all), and what the network bandwidth implications are. For
example, one decision that can be made is to give each office its own master
@@ -174,8 +174,8 @@
This way, they can synchronize all files that have changed since each logon
to the network.
-
-
+
+
No matter which way you look at this, the bandwidth requirements
for acceptable performance are substantial even if only 10 percent of
staff are global data users. A company with 3,500 employees,
@@ -188,11 +188,11 @@
profile involves a transfer of over 750 KB from the profile
server to and from the client.
-
+
Obviously then, user needs and wide-area practicalities dictate the economic and
technical aspects of your network design as well as for standard operating procedures.
-
The Nature of Windows Networking Protocols
-
+
The Nature of Windows Networking Protocols
+
Network logons that include roaming profile handling requires from 140 KB to 2 MB.
The inclusion of support for a minimal set of common desktop applications can push
the size of a complete profile to over 15 MB. This has substantial implications
@@ -200,8 +200,8 @@
determining the nature and style of mandatory profiles that may be enforced as
part of a total service-level assurance program that might be implemented.
-
-
+
+
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In ???, you
implemented this in the new Windows XP Professional standard
@@ -210,14 +210,14 @@
also be excluded from synchronization to and from the server on
logon or logout. Redirected folders are analogous to network drive
connections.
-
+
Of course, network applications should only be run off
local application servers. As a general rule, even with 2 Mb/sec
network bandwidth, it would not make sense at all for someone who
is working out of the London office to run applications off a
server that is located in New York.
-
+
When network bandwidth becomes a precious commodity (that is most
of the time), there is a significant demand to understand network
processes and to mold the limits of acceptability around the
@@ -226,15 +226,15 @@
When a Windows NT4/200x/XP Professional client user logs onto
the network, several important things must happen.
-
+
The client obtains an IP address via DHCP. (DHCP is
necessary so that users can roam between offices.)
-
-
+
+
The client must register itself with the WINS and/or DNS server.
-
+
The client must locate the closest domain controller.
The client must log onto a domain controller and obtain as part of
@@ -256,15 +256,15 @@
name both by broadcast and Unicast registration that is directed
at the WINS server.
-
-
+
+
Given that the client is already a domain member, it then sends
a directed (Unicast) request to the WINS server seeking the list of
IP addresses for domain controllers (NetBIOS name type 0x1C). The
WINS server replies with the information requested.
-
-
-
+
+
+
The client sends two netlogon mailslot broadcast requests
to the local network and to each of the IP addresses returned by
the WINS server. Whichever answers this request first appears to
@@ -274,9 +274,9 @@
was listed in the WINS server response to a request for the list of
domain controllers.
-
-
-
+
+
+
The logon process begins with negotiation of the SMB/CIFS
protocols that are to be used; this is followed by an exchange of
information that ultimately includes the client sending the
@@ -287,10 +287,10 @@
needs. A secondary fact we need to know is, what happens when
local domain controllers fail or break?
-
-
-
-
+
+
+
+
Under most circumstances, the nearest domain controller
responds to the netlogon mailslot broadcast. The exception to this
norm occurs when the nearest domain controller is too busy or is out
@@ -299,18 +299,18 @@
domain controllers. Since there can be only one PDC, all additional
domain controllers are by definition BDCs.
-
-
+
+
The provision of sufficient servers that are BDCs is an
important design factor. The second important design factor
involves how each of the BDCs obtains user authentication
data. That is the subject of the next section, which involves key
decisions regarding Identity Management facilities.
-
Identity Management Needs
-
-
-
-
+
Identity Management Needs
+
+
+
+
Network managers recognize that in large organizations users
generally need to be given resource access based on needs, while
being excluded from other resources for reasons of privacy. It is
@@ -319,9 +319,9 @@
by which user credentials are validated and filtered and appropriate
rights and privileges are allocated.
-
-
-
+
+
+
Unfortunately, network resources tend to have their own Identity
Management facilities, the quality and manageability of which varies
from quite poor to exceptionally good. Corporations that use a mixture
@@ -333,7 +333,7 @@
What was once called Yellow Pages is today known
as Network Information System (NIS).
-
+
NIS gained a strong following throughout the UNIX/VMS space in a short
period of time and retained that appeal and use for over a decade.
Security concerns and inherent limitations have caused it to enter its
@@ -343,9 +343,9 @@
demands as the demand for directory services that can be coupled with
other information systems is catching on.
-
-
-
+
+
+
Nevertheless, both NIS and NIS+ continue to hold ground in
business areas where UNIX still has major sway. Examples of
organizations that remain firmly attached to the use of NIS and
@@ -353,14 +353,14 @@
and large corporations that have a scientific or engineering
focus.
-
-
+
+
Today's networking world needs a scalable, distributed Identity
Management infrastructure, commonly called a directory. The most
popular technologies today are Microsoft Active Directory service
and a number of LDAP implementations.
-
+
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
@@ -369,15 +369,15 @@
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.
-
+
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.
-
-
-
+
+
+
In ???, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
@@ -386,8 +386,8 @@
What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.
-
-
+
+
One possibility that has great appeal is to create a single,
large distributed domain. The practical implications of this
design (see ???) demands the placement of
@@ -398,7 +398,7 @@
productivity against the cost of network management and
maintenance.
-
+
The network design in ??? takes the approach
that management of networks that are too remote to be managed
effectively from New York ought to be given a certain degree of
@@ -409,22 +409,22 @@
the ability for network users to roam globally without some compromise
in how they may access global resources.
-
+
Desk-bound users need not be negatively affected by this design, since
the use of interdomain trusts can be used to satisfy the need for global
data sharing.
-
-
+
+
When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains the
domain SID. An unintended but exploitable side effect is that this makes it
possible to operate with more than one PDC on a distributed network.
-
-
-
+
+
+
How might this peculiar feature be exploited? The answer is simple. It is
imperative that each network segment have its own WINS server. Major
servers on remote network segments can be given a static WINS entry in
@@ -434,8 +434,8 @@
same domain SID. Since all domain account information can be stored in a
single LDAP backend, users have unfettered ability to roam.
-
-
+
+
This concept has not been exhaustively validated, though we can see no reason
why this should not work. The important facets are the following: The name of
the domain must be identical in all locations. Each network segment must have
@@ -446,10 +446,10 @@
on every network segment. Finally, the BDCs should each use failover LDAP servers
that are in fact slave LDAP servers on the local segments.
-
-
-
-
+
+
+
+
With a single master LDAP server, all network updates are effected on a single
server. In the event that this should become excessively fragile or network
bandwidth limiting, one could implement a delegated LDAP domain. This is also
@@ -463,7 +463,7 @@
administrators must of necessity follow the same standard
procedures for managing the directory, because retroactive correction of
inconsistent directory information can be exceedingly difficult.
-
Political Issues
+
Political Issues
As organizations grow, the number of points of control increases
also. In a large distributed organization, it is important that the
Identity Management system be capable of being updated from
@@ -471,11 +471,11 @@
become usable in a reasonable period, typically
minutes rather than days (the old limitation of highly manual
systems).
-
Implementation
-
-
-
-
+
Implementation
+
+
+
+
Samba-3 has the ability to use multiple password (authentication and
identity resolution) backends. The diagram in ???
demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
@@ -483,13 +483,13 @@
authentication and identity resolution (obtaining a UNIX UID/GID)
using the specific systems shown.
Figure 6.1. Samba and Authentication Backend Search Pathways
-
-
-
-
-
-
-
+
+
+
+
+
+
+
Samba is capable of using the smbpasswd,
tdbsam, xmlsam,
and mysqlsam authentication databases. The SMB
@@ -497,7 +497,7 @@
backend. LDAP is the preferred passdb backend for distributed network
operations.
-
+
Additionally, it is possible to use multiple passdb backends
concurrently as well as have multiple LDAP backends. As a result, you
can specify a failover LDAP backend. The syntax for specifying a
@@ -509,8 +509,8 @@
This configuration tells Samba to use a single LDAP server, as shown in ???.
Figure 6.2. Samba Configuration to Use a Single LDAP Server
-
+
The addition of a failover LDAP server can simply be done by adding a
second entry for the failover server to the single ldapsam
entry, as shown here (note the particular use of the double quotes):
@@ -532,7 +532,7 @@
ldapsam:ldap://slave.abmas.biz
...
-
+
The effect of this style of entry is that Samba lists the users
that are in both LDAP databases. If both contain the same information,
it results in each record being shown twice. This is, of course, not the
@@ -553,9 +553,9 @@
It is assumed that the network you are working with follows in a
pattern similar to what was covered in ???. The following steps
permit the operation of a master/slave OpenLDAP arrangement.
-
Procedure 6.1. Implementation Steps for an LDAP Slave Server
-
-
+
Procedure 6.1. Implementation Steps for an LDAP Slave Server
+
+
Log onto the master LDAP server as root.
You are about to change the configuration of the LDAP server, so it
makes sense to temporarily halt it. Stop OpenLDAP from running on
@@ -568,7 +568,7 @@
root# service ldap stop
-
+
Edit the /etc/openldap/slapd.conf file so it
matches the content of ???.
-
-
+
+
Change directory to a suitable place to dump the contents of the
LDAP server. The dump file (and LDIF file) is used to preload
the slave LDAP server database. You can dump the database by executing:
@@ -602,7 +602,7 @@
Each record is written to the file.
-
+
Copy the file LDAP-transfer-LDIF.txt to the intended
slave LDAP server. A good location could be in the directory
/etc/openldap/preload.
@@ -652,9 +652,9 @@
root# chkconfig ldap on
-
-
-
+
+
+
Go back to the master LDAP server. Execute the following to start LDAP as well
as slurpd, the synchronization daemon, as shown here:
Example 6.4. Primary Domain Controller smb.conf File Part B
[IPC$]
path = /tmp
[accounts]
comment = Accounting Files
path = /data/accounts
read only = No
[service]
comment = Financial Services Files
path = /data/service
read only = No
[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
Example 6.5. Primary Domain Controller smb.conf File Part C
[apps]
comment = Application Files
path = /apps
admin users = bjones
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, Administrator
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
admin users = root, Administrator
Example 6.6. Backup Domain Controller smb.conf File Part A
# # Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG1
passdb backend = ldapsam:ldap://lapdc.abmas.biz
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
os level = 63
domain master = No
wins server = 192.168.2.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz
utmp = Yes
idmap backend = ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
[accounts]
comment = Accounting Files
path = /data/accounts
read only = No
[service]
comment = Financial Services Files
path = /data/service
read only = No
Example 6.7. Backup Domain Controller smb.conf File Part B
[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[apps]
comment = Application Files
path = /apps
admin users = bjones
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
Key Points Learned
+
Where Samba-3 is used as a domain controller, the use of LDAP is an
essential component to permit the use of BDCs.
-
+
Replication of the LDAP master server to create a network of BDCs
is an important mechanism for limiting WAN traffic.
@@ -808,55 +808,55 @@
Roaming profiles must be contained to the local network segment. Any
departure from this may clog wide-area arteries and slow legitimate network
traffic to a crawl.
-
Figure 6.6. Network Topology 2000 User Complex Design A
Figure 6.7. Network Topology 2000 User Complex Design B
Questions and Answers
+
Figure 6.6. Network Topology 2000 User Complex Design A
Figure 6.7. Network Topology 2000 User Complex Design B
Questions and Answers
There is much rumor and misinformation regarding the use of MS Windows networking protocols.
These questions are just a few of those frequently asked.
-
+
+
Is it true that DHCP uses lots of WAN bandwidth?
-
-
-
+
+
+
It is a smart practice to localize DHCP servers on each network segment. As a
rule, there should be two DHCP servers per network segment. This means that if
one server fails, there is always another to service user needs. DHCP requests use
only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
routers. This makes it possible to run fewer DHCP servers.
-
-
+
+
A DHCP network address request and confirmation usually results in about six UDP packets.
The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
clients and that uses a 24-hour IP address lease. This means that all clients renew
@@ -874,28 +874,28 @@
From this can be seen that the traffic impact would be minimal.
-
-
+
+
Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
the impact of the update is no more than the DHCP IP address renewal traffic and thus
still insignificant for most practical purposes.
-
-
-
+
+
+
How much background communication takes place between a master LDAP server and its slave LDAP servers?
-
+
The process that controls the replication of data from the master LDAP server to the slave LDAP
servers is called slurpd. The slurpd remains nascent (quiet)
until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
two user accounts requires less than 10KB traffic.
-
+
LDAP has a database. Is LDAP not just a fancy database front end?
-
-
-
-
+
+
+
+
LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
data storage system. This type of database is indexed so that records can be rapidly located, but the
database is not generic and can be used only in particular pre-programmed ways. General external
@@ -904,17 +904,17 @@
orientation and typically allows external programs to perform ad hoc queries, even across data tables.
An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
simple queries. The term database is heavily overloaded and thus much misunderstood.
-
-
+
+
Can Active Directory obtain account information from an OpenLDAP server?
-
+
No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
to OpenLDAP using standard LDAP queries and updates.
-
+
What are the parts of a roaming profile? How large is each part?
-
+
A roaming profile consists of
Desktop folders such as Desktop, My Documents,
@@ -922,39 +922,39 @@
Cookies, Application Data,
Local Settings, and more. See ???, ???.
-
+
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See ???
for more information regarding folder redirection.
A static or rewritable portion that is typically only a few files (2-5 KB of information).
-
-
+
+
The registry load file that modifies the HKEY_LOCAL_USER hive. This is
the NTUSER.DAT file. It can be from 0.4 to 1.5 MB.
-
+
Microsoft Outlook PST files may be stored in the Local Settings\Application Data
folder. It can be up to 2 GB in size per PST file.
-
+
Can the My Documents folder be stored on a network drive?
-
-
+
+
Yes. More correctly, such folders can be redirected to network shares. No specific network drive
connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
Naming Convention) resource, though it is possible to specify a network drive letter instead of a
UNC name. See ???.
-
-
-
-
+
+
+
+
How much WAN bandwidth does WINS consume?
-
-
-
+
+
+
MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
@@ -966,7 +966,7 @@
In conclusion, the total load afforded through WINS traffic is again marginal to total operational
usage as it should be.
-
+
How many BDCs should I have? What is the right number of Windows clients per server?
It is recommended to have at least one BDC per network segment, including the segment served
@@ -980,19 +980,19 @@
As unsatisfactory as the answer might sound, it all depends on network and server load
characteristics.
-
-
+
+
I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
run an NIS server?
The correct answer to both questions is yes. But do understand that an LDAP server has
a configurable schema that can store far more information for many more purposes than
just NIS.
-
+
Can I use NIS in place of LDAP?
-
-
+
+
No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
with the types of data necessary for interoperability with Microsoft Windows networking. The use
of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/appendix.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/appendix.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/appendix.html 2006-07-06 05:19:12.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/appendix.html 2006-08-07 05:04:18.000000000 -0500
@@ -1,18 +1,18 @@
-
+
+
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
as shown in the example given below.
Joining a Domain: Windows 200x/XP Professional
-
+
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
-
Procedure 15.1. Steps to Join a Domain
+
Procedure 15.1. Steps to Join a Domain
Click Start.
Right-click My Computer, and then select Properties.
@@ -50,19 +50,19 @@
The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
-
-
+
+
The screen capture shown in ??? has a button labeled More.... This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
-
-
+
+
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
-
+
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
@@ -70,12 +70,12 @@
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba domain, it is preferable to leave this field blank.
-
+
According to Microsoft documentation, “If this computer belongs to a group with Group Policy
enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.”
-
Samba System File Location
+
Samba System File Location
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other
@@ -83,7 +83,7 @@
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
default.
-
+
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary
files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the
@@ -92,13 +92,13 @@
/usr/share/swat. There are additional support files for smbd in the
/usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
-
+
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
the /var/lib/samba directory. Log files are created in /var/log/samba.
When Samba is built and installed using the default Samba Team process, all files are located under the
/usr/local/samba directory tree. This makes it simple to find the files that Samba owns.
-
+
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called smbd. Here is an example:
@@ -131,7 +131,7 @@
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
- executing:
+ executing:
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
-
Starting Samba
+
Starting Samba
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
@@ -186,19 +186,19 @@
fi
exit 0
nmbd
-
-
+
+
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The nmbd daemon should
be the first command started as part of the Samba startup process.
smbd
-
-
+
+
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of nmbd.
winbindd
-
-
+
+
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The winbindd daemon will check the
smb.conf file for the presence of the idmap uid and idmap gid
@@ -252,22 +252,22 @@
echo "Usage: smb {start|stop|restart|status}"
exit 1
esac
-
+
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in ???. This can be located in the directory
/sbin in a file called samba. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
-
+
A sample startup script for a Red Hat Linux system is shown in ???.
This file could be located in the directory /etc/rc.d and can be called
samba. A similar startup script is required to control winbind.
If you want to find more information regarding startup scripts please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
-
DNS Configuration Files
+
DNS Configuration Files
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
-
The Forward Zone File for the Loopback Adaptor
+
The Forward Zone File for the Loopback Adaptor
The forward zone file for the loopback address never changes. An example file is shown
in ???. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
@@ -284,7 +284,7 @@
IN NS @
IN A 127.0.0.1
-
The Reverse Zone File for the Loopback Adaptor
+
The Reverse Zone File for the Loopback Adaptor
The reverse zone file for the loopback address as shown in ???
is necessary so that references to the address 127.0.0.1 can be
resolved to the correct name of the interface.
@@ -344,15 +344,15 @@
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
-
DNS Root Server Hint File
+
DNS Root Server Hint File
The content of the root hints file as shown in ??? changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size, this file is located at the end of this chapter.
-
Alternative LDAP Database Initialization
+
Alternative LDAP Database Initialization
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
-
Initialization of the LDAP Database
+
Initialization of the LDAP Database
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
@@ -705,14 +705,14 @@
sambaGroupType: 2
displayName: Domain Users
description: Domain Users
-
The LDAP Account Manager
-
-
-
-
-
-
-
+
The LDAP Account Manager
+
+
+
+
+
+
+
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
@@ -724,24 +724,24 @@
The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
of 2005.
LAM is a useful tool that provides a simple Web-based device that can be used to
manage the contents of the LDAP directory to:
-
-
-
+
+
+
Display user/group/host and Domain entries.
Manage entries (Add/Delete/Edit).
Filter and sort entries.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
Is compatible with Samba-2.2.x and Samba-3.
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
user, group, and windows domain member machine accounts.
-
-
-
-
+
+
+
+
The default password is “lam.” It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
@@ -760,7 +760,7 @@
For example, on SUSE Linux Enterprise Server 9, copy to the
/srv/www/htdocs directory.
-
+
Set file permissions using the following commands:
-
-
+
+
An example file is shown in ???.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
@@ -794,7 +794,7 @@
lam.conf then, using your favorite editor,
change the settings to match local site needs.
-
+
An example of a working file is shown here in ???.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
@@ -802,12 +802,12 @@
Your configuration file obviously reflects the configuration options that
are preferred at your site.
-
+
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in ???.
Figure 15.6. The LDAP Account Manager Login Screen
-
+
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in ???.
It is important that you correctly set the minimum and maximum UID/GID values that are
@@ -817,13 +817,13 @@
the initial settings to be made. Do not forget to reset these to sensible values before
using LAM to add additional users and groups.
Figure 15.7. The LDAP Account Manager Configuration Screen
-
+
LAM has some nice, but unusual features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
-
+
When you log onto LAM the opening screen drops you right into the user manager as shown in
???. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
@@ -837,7 +837,7 @@
shows a sub-screen from the group editor that permits users to be assigned secondary group
memberships.
Figure 15.9. The LDAP Account Manager Group Edit Screen
Figure 15.10. The LDAP Account Manager Group Membership Edit Screen
-
+
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen ???
will, in most cases, not be used.
@@ -883,7 +883,7 @@
samba3: yes
cachetimeout: 5
pwdhash: SSHA
-
IDEALX Management Console
+
IDEALX Management Console
IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive
web-based management interface for UNIX and Linux systems.
@@ -897,7 +897,7 @@
For further information regarding IMC refer to the web site.
Prebuilt RPM packages are also available.
-
Effect of Setting File and Directory SUID/SGID Permissions Explained
+
Effect of Setting File and Directory SUID/SGID Permissions Explained
The setting of the SUID/SGID bits on the file or directory permissions flag has particular
consequences. If the file is executable and the SUID bit is set, it executes with the privilege
of (with the UID of) the owner of the file. For example, if you are logged onto a system as
@@ -967,34 +967,34 @@
total 1
drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
-
Shared Data Integrity
+
Shared Data Integrity
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
The solution to concurrent multiuser data access problems must consider three separate areas
- from which the problem may stem:
-
application-level locking controls
client-side locking controls
server-side locking controls
+ from which the problem may stem:
+
application-level locking controls
client-side locking controls
server-side locking controls
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided here because this is the most common application for which problems have been reported.
-
+
Common applications that are affected by client- and server-side locking controls include MS
Excel and Act!. Important locking guidance is provided here.
-
Microsoft Access
+
Microsoft Access
The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
cover this area. Examples of relevant documents include:
-
Make sure that your MS Access database file is configured for multiuser access (not set for
exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder.
You can configure MS Access file sharing behavior as follows: click [tab] Advanced.
- Set:
-
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
+ Set:
+
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
You must now commit the changes so that they will take effect. To do so, click
ApplyOk. At this point, you should exit MS Access, restart
it, and then validate that these settings have not changed.
-
Act! Database Sharing
+
Act! Database Sharing
Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
@@ -1002,7 +1002,7 @@
1998223162925
as well as from article
200110485036.
-
+
These documents clearly state that opportunistic locking must be disabled on both
the server (Samba in the case we are interested in here), as well as on every workstation
from which the centrally shared Act! database will be accessed. Act! provides
@@ -1010,18 +1010,18 @@
registry settings that may otherwise interfere with the operation of Act!
Registered Act! users may download this utility from the Act! Web
site.
-
Opportunistic Locking Controls
+
Opportunistic Locking Controls
Third-party Windows applications may not be compatible with the use of opportunistic file
- and record locking. For applications that are known not to be compatible,[14] oplock
+ and record locking. For applications that are known not to be compatible,[14] oplock
support may need to be disabled both on the Samba server and on the Windows workstations.
-
+
Oplocks enable a Windows client to cache parts of a file that are being
edited. Another windows client may then request to open the file with the
ability to write to it. The server will then ask the original workstation
that had the file open with a write lock to release its lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
-
+
Disabling of Oplocks usage may require server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the
Samba server.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/Big500users.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/Big500users.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/Big500users.html 2006-07-06 05:19:04.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/Big500users.html 2006-08-07 05:04:10.000000000 -0500
@@ -1,4 +1,4 @@
-
The Samba-3 networking you explored in ??? covers the finer points of
configuration of peripheral services such as DHCP and DNS, and WINS. You experienced
implementation of a simple configuration of the services that are important adjuncts
@@ -17,9 +17,9 @@
that same approach to printing, but ??? presents an opportunity
to make printing more complex for the administrator while making it easier for the user.
-
-
-
+
+
+ ??? demonstrates operation of a DHCP server and a DNS server
as well as a central WINS server. You validated the operation of these services and
saw an effective implementation of a Samba domain controller using the
@@ -41,7 +41,7 @@
improve network management and control while reducing human resource overheads.
You should take the opportunity to innovate and expand on the methods presented
here and explore them to the fullest.
-
Introduction
+
Introduction
Business continues to go well for Abmas. Mr. Meany is driving your success and the
network continues to grow thanks to the hard work Christine has done. You recently
hired Stanley Soroka as manager of information systems. Christine recommended Stan
@@ -66,7 +66,7 @@
and to allow Stan and Christine to fully stage the new network and test it before
it is rolled out. Your strategy is to complete the new network so that it
is ready for operation when the old office moves into the new premises.
-
Assignment Tasks
+
Assignment Tasks
The acquired business had 280 network users. The old Abmas building housed
220 network users in unbelievably cramped conditions. The network that
initially served 130 users now handles 220 users quite well.
@@ -107,7 +107,7 @@
DirectPointe Inc. receives from you a new standard desktop configuration
every four months. They automatically roll that out to each desktop system.
You must keep DirectPointe informed of all changes.
-
+
The new network has a single Samba Primary Domain Controller (PDC) located in the
Network Operation Center (NOC). Buildings 1 and 2 each have a local server
for local application servicing. It is a domain member. The new system
@@ -115,8 +115,8 @@
Printing is based on raw pass-through facilities just as it has been used so far.
All printer drivers are installed on the desktop and notebook computers.
-
Dissection and Discussion
-
+
Dissection and Discussion
+
The example you are building in this chapter is of a network design that works, but this
does not make it a design that is recommended. As a general rule, there should be at least
one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind
@@ -127,22 +127,22 @@
responsiveness. This network will have 500 clients serviced by one central domain
controller. This is not a good omen for user satisfaction. You, of course, address this
very soon (see ???).
-
Technical Issues
+
Technical Issues
Stan has talked you into a horrible compromise, but it is addressed. Just make
certain that the performance of this network is well validated before going live.
Design decisions made in this design include the following:
-
-
-
+
+
+
A single PDC is being implemented. This limitation is based on the choice not to
use LDAP. Many network administrators fear using LDAP because of the perceived
complexity of implementation and management of an LDAP-based backend for all user
identity management as well as to store network access credentials.
-
-
+
+
Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the
only choice that makes sense with 500 users is to use the tdbsam passwd backend.
This type of backend is not receptive to replication to BDCs. If the tdbsam
@@ -156,7 +156,7 @@
for a simple mode of operation but has to be balanced with network performance and
integrity of operations considerations.
-
+
A single central WINS server is being used. The PDC is also the WINS server.
Any attempt to operate a routed network without a WINS server while using NetBIOS
over TCP/IP protocols does not work unless on each client the name resolution
@@ -167,12 +167,12 @@
At this time the Samba WINS database cannot be replicated. That is
why a single WINS server is being implemented. This should work without a problem.
-
+
BDCs make use of winbindd to provide
access to domain security credentials for file system access and object storage.
-
-
+
+
Configuration of Windows XP Professional clients is achieved using DHCP. Each
subnet has its own DHCP server. Backup DHCP serving is provided by one
alternate DHCP server. This necessitates enabling of the DHCP Relay agent on
@@ -188,13 +188,13 @@
The network address and subnetmask chosen provide 1022 usable IP addresses in
each subnet. If in the future more addresses are required, it would make sense
to add further subnets rather than change addressing.
-
Political Issues
+
Political Issues
This case gets close to the real world. You and I know the right way to implement
domain control. Politically, we have to navigate a minefield. In this case, the need is to
get the PDC rolled out in compliance with expectations and also to be ready to save the day
by having the real solution ready before it is needed. That real solution is presented in
???.
-
Implementation
+
Implementation
The following configuration process begins following installation of Red Hat Fedora Core2 on the
three servers shown in the network topology diagram in ???. You have
selected hardware that is appropriate to the task.
@@ -205,9 +205,9 @@
The abbreviation shown in this table as {VLN} refers to
the directory location beginning with /var/lib/named.
-
Table 4.1. Domain: MEGANET, File Locations for Servers
The following steps apply to all servers. Follow each step carefully.
-
Procedure 4.1. Server Preparation Steps
+
Procedure 4.1. Server Preparation Steps
Using the UNIX/Linux system tools, set the name of the server as shown in the network
topology diagram in ???. For SUSE Linux products, the tool
that permits this is called yast2; for Red Hat Linux products,
@@ -221,8 +221,8 @@
root# hostname -f
-
-
+
+
Edit your /etc/hosts file to include the primary names and addresses
of all network interfaces that are on the host server. This is necessary so that during
startup the system is able to resolve all its own names to the IP address prior to
@@ -230,7 +230,7 @@
CUPS print server is started before the DNS server (named), you
should also include an entry for the printers in the /etc/hosts file.
-
+
All DNS name resolution should be handled locally. To ensure that the server is configured
correctly to handle this, edit /etc/resolv.conf so it has the following
content:
@@ -241,8 +241,8 @@
This instructs the name resolver function (when configured correctly) to ask the DNS server
that is running locally to resolve names to addresses.
-
-
+
+
Add the root user to the password backend:
root# smbpasswd -a root
@@ -255,8 +255,8 @@
deleted. If for any reason the account is deleted, you may not be able to recreate this account
without considerable trouble.
-
-
+
+
Create the username map file to permit the root account to be called
Administrator from the Windows network environment. To do this, create
the file /etc/samba/smbusers with the following contents:
@@ -294,16 +294,16 @@
Follow the instructions in the printer manufacturer's manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
+
+
-
+
Only on the server to which the printer is attached configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name printque is the name you have assigned for
@@ -323,9 +323,9 @@
root# /usr/bin/accept printque
-
-
-
+
+
+
This step, as well as the next one, may be omitted where CUPS version 1.1.18
or later is in use. Although it does no harm to follow it anyway, and may
help to avoid time spent later trying to figure out why print jobs may be
@@ -336,7 +336,7 @@
application/octet-stream application/vnd.cups-raw 0 -
-
+
Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
@@ -359,17 +359,17 @@
processes to automap Windows client drives to an application server that is nearest to the client. This
is considerably more difficult when a single PDC is used on a routed network. It can be done, but not
as elegantly as you see in the next chapter.
-
Server-Specific Preparation
+
Server-Specific Preparation
There are some steps that apply to particular server functionality only. Each step is critical
to correct server operation. The following step-by-step installation guidance will assist you
in working through the process of configuring the PDC and then both BDC's.
-
Configuration for Server: MASSIVE
+
Configuration for Server: MASSIVE
The steps presented here attempt to implement Samba installation in a generic manner. While
some steps are clearly specific to Linux, it should not be too difficult to apply them to
your platform of choice.
-
+
+
The host server acts as a router between the two internal network segments as well
as for all Internet access. This necessitates that IP forwarding be enabled. This can be
achieved by adding to the /etc/rc.d/boot.local an entry as follows:
@@ -397,7 +397,7 @@
startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat)
/etc/rc.d/init.d/rc.local.
-
+
The final step that must be completed is to edit the /etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -405,24 +405,24 @@
hosts: files dns wins
-
+
Create and map Windows domain groups to UNIX groups. A sample script is provided in
???. Create a file containing this script. You called yours
/etc/samba/initGrps.sh. Set this file so it can be executed
and then execute the script. An example of the execution of this script as well as its
validation are shown in Section 4.3.2, Step 5.
-
-
-
+
+
+
For each user who needs to be given a Windows domain account, make an entry in the
/etc/passwd file as well as in the Samba password backend.
Use the system tool of your choice to create the UNIX system account, and use the Samba
smbpasswd to create a domain user account.
-
-
-
+
+
+
There are a number of tools for user management under UNIX, such as
useradd, adduser, as well as a plethora of custom
tools. With the tool of your choice, create a home directory for each user.
@@ -435,7 +435,7 @@
file is /data. Format the file system as required and mount the formatted
file system partition using appropriate system tools.
-
+
Create the top-level file storage directories for data and applications as follows:
-
-
+
+
Create a logon script. It is important that each line is correctly terminated with
a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
works if the right tools (unxi2dos and dos2unix) are installed.
@@ -518,8 +518,8 @@
The following steps will guide you through the nuances of implementing BDCs for the broadcast
isolated network segments. Remember that if the target installation platform is not Linux, it may
be necessary to adapt some commands to the equivalent on the target platform.
-
+
The final step that must be completed is to edit the /etc/nsswitch.conf file.
This file controls the operation of the various resolver libraries that are part of the Linux
Glibc libraries. Edit this file so that it contains the following entries:
@@ -532,14 +532,14 @@
Follow the steps outlined in ??? to start all services. Do not
start Samba at this time. Samba is controlled by the process called smb.
-
+
You must now attempt to join the domain member servers to the domain. The following
instructions should be executed to effect this:
root# net rpc join
-
+
You now start the Samba services by executing:
root# service smb start
@@ -548,7 +548,7 @@
Your server is ready for validation testing. Do not proceed with the steps in
??? until after the operation of the server has been
validated following the same methods as outlined in ???.
-
Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
# Global parameters
[global]
workgroup = MEGANET
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = tdbsam
smb ports = 139
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
# Abmas Accounting Inc.
default-lease-time 86400;
@@ -889,17 +889,17 @@
groupadd piops
# Map Windows Domain Groups to UNIX groups
-net groupmap modify ntgroup="Domain Admins" unixgroup=root
-net groupmap modify ntgroup="Domain Users" unixgroup=users
-net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
+net groupmap add ntgroup="Domain Users" unixgroup=users type=d
+net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
Process Startup Configuration
-
-
+
+
There are two essential steps to process startup configuration. A process
must be configured so that it is automatically restarted each time the server
is rebooted. This step involves use of the chkconfig tool that
@@ -908,7 +908,7 @@
directories. Links are created so that when the system run-level is changed, the
necessary start or kill script is run.
-
+
In the event that a service is provided not as a daemon but via the internetworking
super daemon (inetd or xinetd), then the chkconfig
tool makes the necessary entries in the /etc/xinetd.d directory
@@ -918,10 +918,10 @@
Last, each service must be started to permit system validation to proceed. The following steps
are for a Red Hat Linux system, please adapt them to suit the target OS platform on which you
are installing Samba.
-
Procedure 4.4. Process Startup Configuration Steps
+
Procedure 4.4. Process Startup Configuration Steps
Use the standard system tool to configure each service to restart
automatically at every system reboot. For example,
-
+
root# chkconfig dhpc on
root# chkconfig named on
@@ -930,9 +930,9 @@
root# chkconfig swat on
-
-
-
+
+
+
Now start each service to permit the system to be validated.
Execute each of the following in the sequence shown:
@@ -946,11 +946,11 @@
Windows Client Configuration
The procedure for desktop client configuration for the network in this chapter is similar to
that used for the previous one. There are a few subtle changes that should be noted.
-
Procedure 4.5. Windows Client Configuration Steps
+
Procedure 4.5. Windows Client Configuration Steps
Install MS Windows XP Professional. During installation, configure the client to use DHCP for
TCP/IP protocol configuration.
-
-
+
+
DHCP configures all Windows clients to use the WINS Server address that has been defined
for the local subnet.
@@ -985,7 +985,7 @@
also configure use of the identical printers that are located in the financial services department.
Install printers on each machine using the following steps:
-
Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
+
Procedure 4.6. Steps to Install Printer Drivers on Windows Clients
Click Start->Settings->Printers+Add Printer+Next. Do not click Network printer.
Ensure that Local printer is selected.
@@ -1038,7 +1038,7 @@
user, of course.
Instruct all users to log onto the workstation using their assigned username and password.
-
Key Points Learned
+
Key Points Learned
The network you have just deployed has been a valuable exercise in forced constraint.
You have deployed a network that works well, although you may soon start to see
performance problems, at which time the modifications demonstrated in ???
@@ -1054,33 +1054,33 @@
to resources on the domain member servers
The example smb.conf files in this chapter make use of the include facility.
How may I get to see what the actual working smb.conf settings are?
@@ -1088,7 +1088,7 @@
root# testparm -s | less
-
+
Why does the include file common.conf have an empty include statement?
The use of the empty include statement nullifies further includes. For example, let's say you
@@ -1101,7 +1101,7 @@
If the include parameter was not in the common.conf file, the final smb.conf file leaves
the include in place, even though the file it points to has already been included. This is a bug
that will be fixed at a future date.
-
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam
passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend.
I tried using rsync to replicate the passdb.tdb, and it seems to work fine!
@@ -1111,7 +1111,7 @@
contents between the PDC and BDCs. The most notable symptom is that workstations may not be able
to log onto the network following a reboot and may have to rejoin the domain to recover network
access capability.
-
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server
@@ -1120,26 +1120,26 @@
The only exception to this rule is when the client makes a directed request from a specific DHCP server
for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash.
-
+
How does the Windows client find the PDC?
The Windows client obtains the WINS server address from the DHCP lease information. It also
obtains from the DHCP lease information the parameter that causes it to use directed UDP (UDP Unicast)
to register itself with the WINS server and to obtain enumeration of vital network information to
enable it to operate successfully.
-
+
Why did you enable IP forwarding (routing) only on the server called MASSIVE?
The server called MASSIVE is acting as a router to the Internet. No other server
(BLDG1 or BLDG2) has any need for IP forwarding because they are attached only to their own network.
Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network
segments to the router that is its gateway to them.
-
+
You did nothing special to implement roaming profiles. Why?
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional
clients is to use roaming profiles.
-
+
On the domain member computers, you configured winbind in the /etc/nsswitch.conf file.
You did not configure any PAM settings. Is this an omission?
@@ -1148,7 +1148,7 @@
member servers using Windows networking usernames and passwords, it is necessary to configure PAM
to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name
service switch (NSS).
-
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed
@@ -1157,7 +1157,7 @@
of smb.confinclude files because SWAT optimizes them out into an aggregated
file but leaves in place a broken reference to the top-layer include file. SWAT was not designed to
handle this functionality gracefully.
-
+
The domain controller has an auto-shutdown script. Isn't that dangerous?
Well done, you spotted that! I guess it is dangerous. It is good to know that you can do this, though.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/ch14.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/ch14.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/ch14.html 2006-07-06 05:19:11.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/ch14.html 2006-08-07 05:04:17.000000000 -0500
@@ -1,9 +1,9 @@
-
+
One of the most difficult to answer questions in the information technology industry is, “What is
support?”. That question irritates some folks, as much as common answers may annoy others.
-
+
The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to
an Internet service provider who, instead of listening to the problem to find a solution, blandly replies:
“Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen
@@ -15,50 +15,50 @@
at the right time, no matter the situation. Support is all that it takes to take away pain, disruption,
inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
-
-
-
+
+
+
One of the forces that has become a driving force for the adoption of open source software is the fact that
many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or
that have been found wanting for other reasons.
-
-
+
+
In recognition of the need for needs satisfaction as the primary experience an information technology user or
consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience
in respect of problem resolution.
-
-
-
+
+
+
In the open source software arena there are two support options: free support and paid-for (commercial)
support.
-
Free Support
-
-
-
-
-
-
+
Free Support
+
+
+
+
+
+
Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help
facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user
supported mutual assistance.
-
-
-
-
-
+
+
+
+
+
The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments.
Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain
free, user contributed, support is called the samba list. The email address for this list
is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on
the Samba IRC web page.
-
-
-
-
+
+
+
+
As a general rule, it is considered poor net behavior to contact a Samba Team member directly
for free support. Most active members of the Samba Team work exceptionally long hours to assist
users who have demonstrated a qualified problem. Some team members may respond to direct email
@@ -66,9 +66,9 @@
Team members actually provide professional paid-for Samba support and it is therefore wise
to show appropriate discretion and reservation in all direct contact.
-
-
-
+
+
+
When you stumble across a Samba bug, often the quickest way to get it resolved is by posting
a bug report. All such reports are mailed to
the responsible code maintainer for action. The better the report, and the more serious it is,
@@ -76,16 +76,16 @@
the reported bug it is likely to be rejected. It is up to you to provide sufficient information
that will permit the problem to be reproduced.
-
+
We all recognize that sometimes free support does not provide the answer that is sought within
the time-frame required. At other times the problem is elusive and you may lack the experience
necessary to isolate the problem and thus to resolve it. This is a situation where is may be
prudent to purchase paid-for support.
-
Commercial Support
+
Commercial Support
There are six basic support oriented services that are most commonly sought by Samba sites:
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
-
-
+
+
Information regarding companies that provide professional Samba support can be obtained by performing a Google
search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team
that they provide commercial support are given a free listing that is sorted by the country of origin.
@@ -93,13 +93,13 @@
provider and to satisfy yourself that both the company and its staff are able to deliver what is required of
them.
-
+
The policy within the Samba Team is to treat all commercial support providers equally and to show no
preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else.
You are encouraged to obtain the services needed from a company in your local area. The open source movement
is pro-community; so do what you can to help a local business to prosper.
-
+
Open source software support can be found in any quality, at any price and in any place you can
to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for
suffering in the mistaken belief that Samba is unsupported software it is supported.
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/DMSMig.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/DMSMig.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/DMSMig.html 2006-07-06 05:19:09.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/DMSMig.html 2006-08-07 05:04:15.000000000 -0500
@@ -1,4 +1,4 @@
-
Part II. Domain Members, Updating Samba and Migration
Part II. Domain Members, Updating Samba and Migration
This section Samba-3 by Example covers two main topics: How to add
Samba Domain Member Servers and Samba Domain Member Clients to a Samba domain, the other
subject is that of how to migrate from and NT4 Domain, a NetWare server, or from an earlier
@@ -7,4 +7,4 @@
Those who are making use of the chapter on Adding UNIX clients and servers running Samba
to a Samba or a Windows networking domain may also benefit by referring to the book
The Official Samba-3 HOWTO and Reference Guide.
-
+
+
+
+
+
You've come a long way now. You have pretty much mastered Samba-3 for
most uses it can be put to. Up until now, you have cast Samba-3 in the leading
role, and where authentication was required, you have used one or another of
@@ -14,7 +14,7 @@
implementing Samba and Samba-supported services in a domain controlled by
the latest Windows authentication technologies. Let's get started this is
leading edge.
-
Introduction
+
Introduction
Abmas has continued its miraculous growth; indeed, nothing seems to be able
to stop its diversification into multiple (and seemingly unrelated) fields.
Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
@@ -30,17 +30,17 @@
You have decided to set the ball rolling by introducing Samba-3 into the network
gradually, taking over key services and easing the way to a full migration and,
therefore, integration into Abmas's existing business later.
-
Assignment Tasks
-
-
+
Assignment Tasks
+
+
You've promised the skeptical Abmas Snack Foods management team
that you can show them how Samba can ease itself and other Open Source
technologies into their existing infrastructure and deliver sound business
advantages. Cost cutting is high on their agenda (a major promise of the
acquisition). You have chosen Web proxying and caching as your proving ground.
-
-
+
+
Abmas Snack Foods has several thousand users housed at its head office
and multiple regional offices, plants, and warehouses. A high proportion of
the business's work is done online, so Internet access for most of these
@@ -50,9 +50,9 @@
the team soon discovered proxying and caching. In fact, they became one of
the earliest commercial users of Microsoft ISA.
-
-
-
+
+
+
The team is not happy with ISA. Because it never lived up to its marketing promises,
it underperformed and had reliability problems. You have pounced on the opportunity
to show what Open Source can do. The one thing they do like, however, is ISA's
@@ -63,7 +63,7 @@
This is a hands-on exercise. You build software applications so
that you obtain the functionality Abmas needs.
-
Dissection and Discussion
+
Dissection and Discussion
The key requirements in this business example are straightforward. You are not required
to do anything new, just to replicate an existing system, not lose any existing features,
and improve performance. The key points are:
@@ -73,20 +73,20 @@
Distributed system to accommodate load and geographical distribution of users
Seamless and transparent interoperability with the existing Active Directory domain
-
Technical Issues
-
-
-
-
-
-
-
-
-
-
-
-
-
+
Technical Issues
+
+
+
+
+
+
+
+
+
+
+
+
+
Functionally, the user's Internet Explorer requests a browsing session with the
Squid proxy, for which it offers its AD authentication token. Squid hands off
the authentication request to the Samba-3 authentication helper application
@@ -107,25 +107,25 @@
Configuring, compiling, and then installing the supporting Samba-3 components
Tying it all together
-
Political Issues
+
Political Issues
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
solution does everything the old one did, but does it better in every way. Only then
will the entrenched positions consider taking up your new way of doing things on a
wider scale.
-
Implementation
-
+
Implementation
+
First, your system needs to be prepared and in a known good state to proceed. This consists
of making sure that everything the system depends on is present and that everything that could
interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
packages and updating them if necessary. If conflicting packages of these programs are installed,
they must be removed.
-
+
The following packages should be available on your Red Hat Linux system:
-
-
+
+
krb5-libs
krb5-devel
@@ -136,14 +136,14 @@
pam_krb5
-
+
In the case of SUSE Linux, these packages are called:
heimdal-lib
heimdal-devel
-
+
heimdal
pam_krb5
@@ -152,26 +152,26 @@
them from the vendor's installation media. Follow the administrative guide
for your Linux system to ensure that the packages are correctly updated.
Note
-
-
-
+
+
+
If the requirement is for interoperation with MS Windows Server 2003, it
will be necessary to ensure that you are using MIT Kerberos version 1.3.1
or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
updating.
-
-
+
+
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
Removal of Pre-Existing Conflicting RPMs
-
+
If Samba and/or Squid RPMs are installed, they should be updated. You can
build both from source.
-
-
-
+
+
+
Locating the packages to be un-installed can be achieved by running:
+
+
+
+
The systems Kerberos installation must be configured to communicate with
your primary Active Directory server (ADS KDC).
@@ -193,13 +193,13 @@
although the current default Red Hat MIT version 1.2.7 gives acceptable results
unless you are using Windows 2003 servers.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf
file in order to work correctly. All ADS domains automatically create SRV records in the
DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both
@@ -207,25 +207,25 @@
automatically find the KDCs. In addition, krb5.conf allows
specifying only a single KDC, even if there is more than one. Using the DNS lookup
allows the KRB5 libraries to use whichever KDCs are available.
-
Procedure 12.1. Kerberos Configuration Steps
-
+
Procedure 12.1. Kerberos Configuration Steps
+
If you find the need to manually configure the krb5.conf, you should edit it
to have the contents shown in ???. The final fully qualified path for this file
should be /etc/krb5.conf.
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting
initial credentials”. Kerberos is picky about time synchronization. The time
@@ -241,7 +241,7 @@
NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
when you try to join the realm.
-
+
You are now ready to test your installation by issuing the command:
shows the Kerberos tickets cached by the system.
-
Samba Configuration
-
+
Samba Configuration
+
Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
has the necessary components to interface with Active Directory.
-
Procedure 12.2. Securing Samba-3 With ADS Support Steps
-
-
-
-
-
+
Procedure 12.2. Securing Samba-3 With ADS Support Steps
+
+
+
+
+
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
FTP site. The official Samba Team
RPMs for Red Hat Fedora Linux contain the ntlm_auth tool
needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
-
-
+
+
The necessary, validated RPM packages for SUSE Linux may be obtained from
the SerNet FTP site that
is located in Germany. All SerNet RPMs are validated, have the necessary
@@ -293,11 +293,11 @@
Using your favorite editor, change the /etc/samba/smb.conf
file so it has contents similar to the example shown in ???.
-
-
- i
-
-
+
+
+ i
+
+
Next you need to create a computer account in the Active Directory.
This sets up the trust relationship needed for other clients to
authenticate to the Samba server with an Active Directory Kerberos ticket.
@@ -307,11 +307,11 @@
root# net ads join -U administrator%vulcon
-
-
-
-
-
+
+
+
+
+
Your new Samba binaries must be started in the standard manner as is applicable
to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
@@ -320,11 +320,11 @@
root# winbindd -B
-
-
-
-
-
+
+
+
+
+
We now need to test that Samba is communicating with the Active
Directory domain; most specifically, we want to see whether winbind
is enumerating users and groups. Issue the following commands:
@@ -357,8 +357,8 @@
This enumerates all the groups in your Active Directory tree.
-
-
+
+
Squid uses the ntlm_auth helper build with Samba-3.
You may test ntlm_auth with the command:
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
The ntlm_auth helper, when run from a command line as the user
“root”, authenticates against your Active Directory domain (with
the aid of winbind). It manages this by reading from the winbind privileged pipe.
@@ -395,37 +395,37 @@
root# chgrp squid /var/lib/samba/winbindd_privileged
root# chmod 750 /var/lib/samba/winbindd_privileged
-
NSS Configuration
-
-
-
+
NSS Configuration
+
+
+
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
Edit your /etc/nsswitch.conf file so it has the parameters shown
in ???.
-
Example 12.2. Samba Configuration File: /etc/samba/smb.conf
[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes
Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
+
Example 12.2. Samba Configuration File: /etc/samba/smb.conf
[global]
workgroup = LONDON
netbios name = W2K3S
realm = LONDON.ABMAS.BIZ
security = ads
encrypt passwords = yes
password server = w2k3s.london.abmas.biz
# separate domain and username with '/', like DOMAIN/username
winbind separator = /
# use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes
Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
+
+
Squid must be configured correctly to interact with the Samba-3
components that handle Active Directory authentication.
-
Configuration
Procedure 12.3. Squid Configuration Steps
-
-
-
+
Configuration
Procedure 12.3. Squid Configuration Steps
+
+
+
If your Linux distribution is SUSE Linux 9, the version of Squid
supplied is already enabled to use the winbind helper agent. You
can therefore omit the steps that would build the Squid binary
programs.
-
-
-
-
-
+
+
+
+
+
Squid, by default, runs as the user nobody. You need to
add a system user squid and a system group
squid if they are not set up already (if the default
@@ -433,16 +433,16 @@
squid user in /etc/passwd
and a squid group in /etc/group if these aren't there already.
-
-
+
+
You now need to change the permissions on Squid's var
directory. Enter the following command:
root# chown -R squid /var/cache/squid
-
-
+
+
Squid must also have control over its logging. Enter the following commands:
+
+
+
+
+
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
Windows clients use, even when accessing traditional services such as Web browsers. Depending
on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
-
Questions and Answers
-
-
-
-
+
Questions and Answers
+
+
+
+
The development of the ntlm_auth module was first discussed in many Open Source circles
in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
ntlm_auth during one of the late developer meetings that took place. Since that time, the
@@ -522,34 +522,34 @@
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
-
What does Samba have to do with Web proxy serving?
-
-
-
-
-
+
+
+
+
+
To provide transparent interoperability between Windows clients and the network services
that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
of Open Source software is that it can readily be reused. The current ntlm_auth
module is basically a wrapper around authentication code from the core of the Samba project.
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
The ntlm_auth module supports basic plain-text authentication and NTLMSSP
protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
the user being interrupted via his or her Windows logon credentials. This facility is available with
@@ -557,36 +557,36 @@
There are a few open source initiatives to provide support for these protocols in the Apache Web server
also.
-
+
The short answer is that by adding a wrapper around key authentication components of Samba, other
projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
-
+
What other services does Samba provide?
-
-
-
-
-
+
+
+
+
+
Samba-3 is a file and print server. The core components that provide this functionality are smbd,
nmbd, and the identity resolver daemon, winbindd.
-
-
+
+
Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient.
-
-
-
-
-
+
+
+
+
+
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
server products).
-
+
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/ExNetworks.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/ExNetworks.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/ExNetworks.html 2006-07-06 05:19:06.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/ExNetworks.html 2006-08-07 05:04:12.000000000 -0500
@@ -1,6 +1,7 @@
This section of Samba-3 by Example provides example network
configurations that can be copied, or modified as needed, and deployed as-is.
+The contents have been marginally updated to reflect changes made in Samba=3.0.23.
Best use can be made of this book by finding in this section the network design and
layout that best approximates your estimated needs. It is recommended that you will
@@ -19,4 +20,4 @@
commercial support options may be obtained from the commercial
support pages from
the Samba web site.
-
+
+
+
Well, you have reached one of the last chapters of this book. It is customary to attempt
to wrap up the theme and contents of a book in what is generally regarded as the
chapter that should draw conclusions. This book is a suspense thriller, and since
@@ -10,8 +10,8 @@
regarding some of the things everyone can do to deliver a reliable Samba-3 network.
In a world so full of noise, how can the sparrow be heard?
-
--Anonymous
Introduction
-
+
--Anonymous
Introduction
+
The sparrow is a small bird whose sounds are drowned out by the noise of the busy
world it lives in. Likewise, the simple steps that can be taken to improve the
reliability and availability of a Samba network are often drowned out by the volume
@@ -20,22 +20,22 @@
itself to discussion of clustering because each clustering methodology uses its own
custom tools and methods. Only passing comments are offered concerning these methods.
-
-
-
+
+
+ A search
for “samba cluster” produced 71,600 hits. And a search for “highly available samba”
and “highly available windows” produced an amazing number of references.
It is clear from the resources on the Internet that Windows file and print services
availability, reliability, and scalability are of vital interest to corporate network users.
-
+
So without further background, you can review a checklist of simple steps that
can be taken to ensure acceptable network performance while keeping costs of ownership
well under control.
-
Dissection and Discussion
-
-
+
Dissection and Discussion
+
+
If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
must be obeyed. If you want the best, keep your implementation as simple as possible. You may
well be forced to introduce some complexities, but you should do so only as a last resort.
@@ -44,8 +44,8 @@
make life easier for your successor. Simple implementations can be more readily audited than can
complex ones.
-
-
+
+
Problems reported by users fall into three categories: configurations that do not work, those
that have broken behavior, and poor performance. The term broken behavior
means that the function of a particular Samba component appears to work sometimes, but not at
@@ -54,12 +54,12 @@
list of Windows machines in MS Explorer changes, sometimes listing machines that are running
and at other times not listing them even though the machines are in use on the network.
-
-
-
-
-
-
+
+
+
+
+
+
A significant number of reports concern problems with the smbfs file system
driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
smbfs is part of Samba, simply because Samba includes the front-end tools
@@ -70,32 +70,32 @@
common infrastructure with some Samba components, but they are not maintained as part of
Samba and are really foreign to it.
-
+
The new project, cifsfs, is destined to replace smbfs.
It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
this project.
Table 13.1 lists typical causes of:
Not Working (NW)
Broken Behavior (BB)
Poor Performance (PP)
Table 13.1. Effect of Common Problems
Problem
NW
BB
PP
File locking
-
X
-
Hardware problems
X
X
X
Incorrect authentication
X
X
-
Incorrect configuration
X
X
X
LDAP problems
X
X
-
Name resolution
X
X
X
Printing problems
X
X
-
Slow file transfer
-
-
X
Winbind problems
X
X
-
-
+
It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
problems that affect basic network operation. This book has provided sufficient working examples
to help you to avoid all these problems.
-
Guidelines for Reliable Samba Operation
-
-
+
Guidelines for Reliable Samba Operation
+
+
Your objective is to provide a network that works correctly, can grow at all times, is resilient
at times of extreme demand, and can scale to meet future needs. The following subject areas provide
pointers that can help you today.
-
Name Resolution
+
Name Resolution
There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
These are covered in the following discussion.
-
Bad Hostnames
-
-
-
-
-
+
Bad Hostnames
+
+
+
+
+
When configured as a DHCP client, a number of Linux distributions set the system hostname
to localhost. If the parameter netbios name is not
specified to something other than localhost, the Samba server appears
@@ -107,13 +107,13 @@
the local Windows machine itself. Hostnames must be valid for Windows networking to function
correctly.
-
+
A few sites have tried to name Windows clients and Samba servers with a name that begins
with the digits 1-9. This does not work either because it may result in the client or
server attempting to use that name as an IP address.
-
-
+
+
A Samba server called FRED in a NetBIOS domain called COLLISION
in a network environment that is part of the fully-qualified Internet domain namespace known
as parrots.com, results in DNS name lookups for fred.parrots.com
@@ -122,49 +122,49 @@
attempts to resolve fred.parrots.com.parrots.com, which most likely
fails given that you probably do not have this in your DNS namespace.
Note
-
-
-
+
+
+
An Active Directory realm called collision.parrots.com is perfectly okay,
although it too must be capable of being resolved via DNS, something that functions correctly
if Windows 200x ADS has been properly installed and configured.
-
Routed Networks
-
-
-
+
Routed Networks
+
+
+
NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
of UDP-based broadcast traffic, as you saw during the exercises in ???.
-
-
-
+
+
+
UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
networking cannot function across routed networks (i.e., multi-subnet networks) unless
special provisions are made:
-
-
-
+
+
+
Either install on every Windows client an LMHOSTS file (located in the directory
C:\windows\system32\drivers\etc). It is also necessary to
add to the Samba server smb.conf file the parameters remote announce
and remote browse sync. For more information, refer to the online
manual page for the smb.conf file.
-
+
Or configure Samba as a WINS server, and configure all network clients to use that
WINS server in their TCP/IP configuration.
Note
-
-
+
+
The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
information regarding NetBIOS networking particulars that get stored in the WINS
name resolution database and that Windows clients require and depend on.
-
Network Collisions
-
-
-
-
+
Network Collisions
+
+
+
+
Excessive network activity causes NetBIOS network timeouts. Timeouts may result in
blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
UDP broadcast activity, by defective networking hardware, or through excessive network
@@ -173,9 +173,9 @@
The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
in ???.
-
-
-
+
+
+
Under no circumstances should the facility be supported by many routers, known as NetBIOS
forwarding, unless you know exactly what you are doing. Inappropriate use of this
facility can result in UDP broadcast storms. In one case in 1999, a university network became
@@ -183,13 +183,13 @@
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was
less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MB/sec.
-
Samba Configuration
+
Samba Configuration
As a general rule, the contents of the smb.conf file should be kept as simple as possible.
No parameter should be specified unless you know it is essential to operation.
-
-
-
+
+
+
Many UNIX administrators like to fully document the settings in the smb.conf file. This is a
bad idea because it adds content to the file. The smb.conf file is re-read by every smbd
process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so).
@@ -197,7 +197,7 @@
As the size of the smb.conf file grows, the risk of introducing parsing errors also increases.
It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only
with an optimized file.
-
+
The preferred way to maintain a documented file is to call it something like smb.conf.master.
You can generate the optimized file by executing:
@@ -223,7 +223,7 @@
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
-
+
You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
The important thing to note is the noted Server role, as well as warning messages. Noted configuration
conflicts must be remedied before proceeding. For example, the following error message represents a
@@ -233,28 +233,28 @@
cannot be set in the smb.conf file. nmbd will abort with this setting.
-
-
-
+
+
+
There are two parameters that can cause severe network performance degradation: socket options
and socket address. The socket options parameter was often necessary
when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
-
-
-
-
+
+
+
+
Another smb.conf parameter that may cause severe network performance degradation is the
strict sync parameter. Do not use this at all. There is no good reason
to use this with any modern Windows client. The strict sync is often
used with the sync always parameter. This, too, can severely
degrade network performance, so do not set it; if you must, do so with caution.
-
-
-
-
+
+
+
+
Finally, many network administrators deliberately disable opportunistic locking support. While this
does not degrade Samba performance, it significantly degrades Windows client performance because
this disables local file caching on Windows clients and forces every file read and written to
@@ -262,12 +262,12 @@
support, do so only on the share on which it is required. That way, all other shares can provide
oplock support for operations that are tolerant of it. See ??? for more
information.
-
Use and Location of BDCs
-
-
-
-
-
+
Use and Location of BDCs
+
+
+
+
+
On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
authentication and logon processing. When a sole BDC on a routed network segment gets heavily
@@ -275,13 +275,13 @@
to a BDC on a distant network segment. This significantly hinders WAN operations
and is undesirable.
-
-
+
+
As a general guide, instead of adding domain member servers to a network, you would be better advised
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
domain member servers. This practice ensures that there are always sufficient domain controllers
to handle logon requests and authentication traffic.
-
Use One Consistent Version of MS Windows Client
+
Use One Consistent Version of MS Windows Client
Every network client has its own peculiarities. From a management perspective, it is easier to deal
with one version of MS Windows that is maintained to a consistent update level than it is to deal
with a mixture of clients.
@@ -289,61 +289,61 @@
On a number of occasions, particular Microsoft service pack updates of a Windows server or client
have necessitated special handling from the Samba server end. If you want to remain sane, keep you
client workstation configurations consistent.
-
For Scalability, Use SAN-Based Storage on Samba Servers
-
-
+
For Scalability, Use SAN-Based Storage on Samba Servers
+
+
Many SAN-based storage systems permit more than one server to share a common data store.
Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
synchronization techniques.
-
-
+
+
The use of a collection of relatively low-cost front-end Samba servers that are coupled to
a shared backend SAN data store permits load distribution while containing costs below that
of installing and managing a complex clustering facility.
-
Distribute Network Load with MSDFS
-
-
+
Distribute Network Load with MSDFS
+
+
Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
data to be accessed from a single share and yet to actually be distributed across multiple actual
servers. Refer to TOSHARG2, Chapter 19, for information regarding
implementation of an MSDFS installation.
-
-
+
+
The combination of multiple backend servers together with a front-end server and use of MSDFS
can achieve almost the same as you would obtain with a clustered Samba server.
-
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
-
-
-
+
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
+
+
+
Consider using rsync to replicate data across the WAN during times
of low utilization. Users can then access the replicated data store rather than needing to do so
across the WAN. This works best for read-only data, but with careful planning can be
implemented so that modified files get replicated back to the point of origin. Be careful with your
implementation if you choose to permit modification and return replication of the modified file;
otherwise, you may inadvertently overwrite important data.
-
Hardware Problems
-
-
-
-
-
-
+
Hardware Problems
+
+
+
+
+
+
Networking hardware prices have fallen sharply over the past 5 years. A surprising number
of Samba networking problems over this time have been traced to defective network interface
cards (NICs) or defective HUBs, switches, and cables.
-
+
Not surprising is the fact that network administrators do not like to be shown to have made
a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
in corrective action.
-
-
-
-
-
+
+
+
+
+
Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent
or persistent data corruption, slow network throughput, low performance, or even as BSOD
problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
@@ -352,14 +352,14 @@
Defective hardware problems may take patience and persistence before the real cause can be discovered.
-
+
Networking hardware defects can significantly impact perceived Samba performance, but defective
RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
operations. One business came to this realization only after replacing a Samba installation with MS
Windows Server 2000 running on the same hardware. The root of the problem completely eluded the network
administrator until the entire server was replaced. While you may well think that this would never
happen to you, experience shows that given the right (unfortunate) circumstances, this can happen to anyone.
-
Large Directories
+
Large Directories
There exist applications that create or manage directories containing many thousands of files. Such
applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x,
@@ -379,7 +379,7 @@
that the file system is on will be thrashing wildly.
Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
- really in the case sensitive = True line. This tells smbd never to scan
+ really in the case sensitive = True line. This tells smbd never to scan
for case-insensitive versions of names. So if an application asks for a file called FOO,
and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
scanning the containing directory for a version of a different case.
@@ -399,7 +399,7 @@
All files and directories under the path directory must be in the same case
as specified in the smb.conf stanza. This means that smbd will not be able to find lower case
filenames with these settings. Note, this is done on a per-share basis.
-
Key Points Learned
+
Key Points Learned
This chapter has touched in broad sweeps on a number of simple steps that can be taken
to ensure that your Samba network is resilient, scalable, and reliable, and that it
performs well.
@@ -408,7 +408,7 @@
In the long term, that may not be you. Spare a thought for your successor and give him or
her an even break.
-
+
Last, but not least, you should not only keep the network design simple, but also be sure it is
well documented. This book may serve as your pattern for documenting every
aspect of your design, its implementation, and particularly the objects and assumptions
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/happy.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/happy.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/happy.html 2006-07-06 05:19:05.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/happy.html 2006-08-07 05:04:11.000000000 -0500
@@ -1,4 +1,4 @@
-
It is said that “a day that is without troubles is not fulfilling. Rather, give
me a day of troubles well handled so that I can be content with my achievements.”
@@ -6,7 +6,7 @@
or experience them. The design of the network implemented in ???
may create problems for some network users. The following lists some of the problems that
may occur:
-
Caution
+
Caution
A significant number of network administrators have responded to the guidance given
here. It should be noted that there are sites that have a single PDC for many hundreds of
concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
@@ -19,8 +19,8 @@
overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
clients is conservative and if followed will minimize problems but it is not absolute.
Users experiencing difficulty logging onto the network
-
-
+
+
When a Windows client logs onto the network, many data packets are exchanged
between the client and the server that is providing the network logon services.
Each request between the client and the server must complete within a specific
@@ -30,9 +30,9 @@
30 to 150 clients. The actual limits are determined by network operational
characteristics.
-
-
-
+
+
+
If the domain controller provides only network logon services
and all file and print activity is handled by domain member servers, one domain
controller per 150 clients on a single network segment may suffice. In any
@@ -46,25 +46,25 @@
that can be supported is limited by the CPU speed, memory and the workload on
the Samba server as well as network bandwidth utilization.
Slow logons and log-offs
-
+
Slow logons and log-offs may be caused by many factors that include:
-
-
+
+
Excessive delays in the resolution of a NetBIOS name to its IP
address. This may be observed when an overloaded domain controller
is also the WINS server. Another cause may be the failure to use
a WINS server (this assumes that there is a single network segment).
-
-
-
+
+
+
Network traffic collisions due to overloading of the network
segment. One short-term workaround to this may be to replace
network HUBs with Ethernet switches.
-
+
Defective networking hardware. Over the past few years, we have seen
on the Samba mailing list a significant increase in the number of
problems that were traced to a defective network interface controller,
@@ -72,8 +72,8 @@
it was the erratic nature of the problem that ultimately pointed to
the cause of the problem.
-
-
+
+
Excessively large roaming profiles. This type of problem is typically
the result of poor user education as well as poor network management.
It can be avoided by users not storing huge quantities of email in
@@ -81,7 +81,7 @@
These are old bad habits that require much discipline and vigilance
on the part of network management.
-
+
You should verify that the Windows XP WebClient service is not running.
The use of the WebClient service has been implicated in many Windows
networking-related problems.
@@ -90,26 +90,26 @@
Loss of access to network resources during client operation may be caused by a number
of factors, including:
-
+
Network overload (typically indicated by a high network collision rate)
Server overload
-
+
Timeout causing the client to close a connection that is in use but has
been latent (no traffic) for some time (5 minutes or more)
-
+
Defective networking hardware
-
+
No matter what the cause, a sudden loss of access to network resources can
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
workstation. In the case of a mild problem, retrying to access the network drive of the printer
may restore operations, but in any case this is a serious problem that may lead to the next
problem, data corruption.
Potential data corruption
-
+
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
frustration, and generally precipitates immediate corrective demands. Management response
to this type of problem may be rational, as well as highly irrational. There have been
@@ -123,29 +123,29 @@
anticipate and combat network performance issues. You can work through complex and thorny
methods to improve the reliability of your network environment, but be warned that all such steps
demand the price of complexity.
-
Regarding LDAP Directories and Windows Computer Accounts
-
+
Regarding LDAP Directories and Windows Computer Accounts
+
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
constraints that are described in this section.
-
-
-
-
+
+
+
+
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinguishable from each other, except that
the machine account ends in a $ character, as do trust accounts.
-
-
+
+
The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
-
-
+
+
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The name service
switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
@@ -158,13 +158,13 @@
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
-
+
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
is fundamentally an LDAP design question. The information provided on the Samba list and
in the documentation is directed at providing working examples only. The design
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
-
Introduction
+
Introduction
You just opened an email from Christine that reads:
Good morning,
@@ -193,8 +193,8 @@
regain control of our vital IT operations.
--Christine
-
-
+
+
Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
single domain controller is a poor design that has obvious operational effects that may
frustrate users. Here is your reply:
@@ -204,56 +204,56 @@
boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
for approval; I appreciate the urgency.
-
--Bob
Assignment Tasks
+
--Bob
Assignment Tasks
The priority of assigned tasks in this chapter is:
-
-
-
-
+
+
+
+
Implement Backup Domain Controllers (BDCs) in each building. This involves
a change from a tdbsam backend that was used in the previous
chapter to an LDAP-based backend.
You can implement a single central LDAP server for this purpose.
-
-
-
-
+
+
+
+
Rectify the problem of excessive logon times. This involves redirection of
folders to network shares as well as modification of all user desktops to
exclude the redirected folders from being loaded at login time. You can also
create a new default profile that can be used for all new users.
-
+
You configure a new MS Windows XP Professional workstation disk image that you roll out
to all desktop users. The instructions you have created are followed on a staging machine
from which all changes can be carefully tested before inflicting them on your network users.
-
+
This is the last network example in which specific mention of printing is made. The example
again makes use of the CUPS printing system.
-
Dissection and Discussion
-
-
-
+
Dissection and Discussion
+
+
+
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
LDAP servers in current use with Samba-3 include:
-
+
Novell eDirectory
is being successfully used by some sites. Information on how to use eDirectory can be
obtained from the Samba mailing lists or from Novell.
-
+
IBM Tivoli
Directory Server can be used to provide the Samba LDAP backend. Example schema
files are provided in the Samba source code tarball under the directory
~samba/example/LDAP.
-
+
Sun ONE Identity
Server product suite provides an LDAP server that can be used for Samba.
Example schema files are provided in the Samba source code tarball under the directory
@@ -264,19 +264,19 @@
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
-
+
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
-
-
-
-
-
-
-
+
+
+
+
+
+
+
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
High availability operation may be obtained through directory replication/synchronization and
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
@@ -286,10 +286,10 @@
contents with greater ability to back up, restore, and modify the directory than is generally possible
with Microsoft Active Directory.
-
-
-
-
+
+
+
+
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
@@ -300,8 +300,8 @@
MS ADAM that provides more generic LDAP services, yet it does not have the vanilla-like services
of OpenLDAP.
-
-
+
+
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
tools and the creation of shell and Perl scripts a bit
@@ -309,7 +309,7 @@
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
that is required for use as a passdb backend.
-
+
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
The Web-based tools you might like to consider include the
@@ -334,10 +334,10 @@
LDAP System Administration,
by Jerry Carter quite useful.
-
-
-
-
+
+
+
+
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
be loaded over the WAN connection. The addition of BDCs on each network segment significantly
@@ -345,31 +345,31 @@
user desktops, and this must be done in a way that wins their support and does not cause further loss of
staff morale. The following procedures solve this problem.
-
+
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
so that future printer changes can be managed without need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
you can extrapolate the principles and use them to install all printers that may be needed.
-
Technical Issues
-
-
-
+
Technical Issues
+
+
+
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
attributes Samba needs. Samba-3 can use the LDAP backend to store:
Windows Networking User Accounts
Windows NT Group Accounts
Mapping Information between UNIX Groups and Windows NT Groups
ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
accounts in the LDAP backend. This implies the need to use the
PADL LDAP tools. The resolution
@@ -378,16 +378,16 @@
that integrates with the NSS. The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in ???.
Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
-
-
+
+
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
ought to learn how to configure secure communications over LDAP so that site security is not
at risk. This is not covered in the following guidance.
-
-
-
-
+
+
+
+
When OpenLDAP has been made operative, you configure the PDC called MASSIVE.
You initialize the Samba secrets.tdb file. Then you
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
@@ -395,27 +395,27 @@
You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools
that help to manage user and group configuration.
-
-
-
+
+
+
In order to effect folder redirection and to add robustness to the implementation,
create a network default profile. All network users workstations are configured to use
the new profile. Roaming profiles will automatically be deleted from the workstation
when the user logs off.
-
+
The profile is configured so that users cannot change the appearance
of their desktop. This is known as a mandatory profile. You make certain that users
are able to use their computers efficiently.
-
+
A network logon script is used to deliver flexible but consistent network drive
connections.
Addition of Machines to the Domain
-
-
-
-
+
+
+
+
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the root
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
@@ -425,13 +425,13 @@
In this network example use is made of one of the supported privileges purely to demonstrate
how any user can now be given the ability to add machines to the domain using a normal user account
that has been given the appropriate privileges.
-
Roaming Profile Background
+
Roaming Profile Background
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
-
-
+
-
+
+
An XP roaming profile consists of the HKEY_CURRENT_USER hive file
NTUSER.DAT and a number of folders (My Documents, Application Data,
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
@@ -453,20 +453,20 @@
user to not place large files on the desktop and to use his or her mapped home directory
instead of the My Documents folder for saving documents.
-
+
Using a folder other than My Documents is a nuisance for
some users, since many applications use it by default.
-
-
+
+
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
being copied back and forth, without losing any functionality. This is not difficult;
it can be done by making changes to the Local Group Policy on each client as well
as changing some paths in each user's NTUSER.DAT hive.
-
-
+
+
Every user profile has its own NTUSER.DAT file. This means
you need to edit every user's profile, unless a better method can be
followed. Fortunately, with the right preparations, this is not difficult.
@@ -475,10 +475,10 @@
necessary to copy all files from redirected folders to the network share to which
they are redirected.
The Local Group Policy
-
-
-
-
+
+
+
+
Without an Active Directory PDC, you cannot take full advantage of Group Policy
Objects. However, you can still make changes to the Local Group Policy by using
the Group Policy editor (gpedit.msc).
@@ -492,26 +492,26 @@
Simply add the folders you do not wish to be copied back and forth to this
semicolon-separated list. Note that this change must be made on all clients
that are using roaming profiles.
-
Profile Changes
-
-
+
Profile Changes
+
+
There are two changes that should be done to each user's profile. Move each of
the directories that you have excluded from being copied back and forth out of
the usual profile path. Modify each user's NTUSER.DAT file
to point to the new paths that are shared over the network instead of to the default
path (C:\Documents and Settings\%USERNAME%).
-
-
+
+
The above modifies existing user profiles. So that newly created profiles have
these settings, you need to modify the NTUSER.DAT in
the C:\Documents and Settings\Default User folder on each
client machine, changing the same registry keys. You could do this by copying
NTUSER.DAT to a Linux box and using regedt32.
The basic method is described under ???.
-
Using a Network Default User Profile
-
-
+
Using a Network Default User Profile
+
+
If you are using Samba as your PDC, you should create a file share called
NETLOGON and within that create a directory called
Default User, which is a copy of the desired default user
@@ -520,10 +520,10 @@
the first login from a new account pulls its configuration from it.
See also
the Real Men Don't Click Web site.
-
Installation of Printer Driver Auto-Download
-
-
-
+
Installation of Printer Driver Auto-Download
+
+
+
The subject of printing is quite topical. Printing problems run second place to name
resolution issues today. So far in this book, you have experienced only what is generally
known as “dumb” printing. Dumb printing is the arrangement by which all drivers
@@ -532,8 +532,8 @@
many problems, but it has its limitations also. Dumb printing is better known as
Raw-Print-Through printing.
-
-
+
+
Samba permits the configuration of smart printing using the Microsoft
Windows point-and-click (also called drag-and-drop) printing. What this provides is
essentially the ability to print to any printer. If the local client does not yet have a
@@ -547,9 +547,9 @@
then invokes a suitable print filter to convert the incoming data stream into a format
suited to the printer to which the job is dispatched.
-
-
-
+
+
+
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
detect the data format and apply a print filter. This means that it is feasible to install
on all Windows clients a single printer driver for use with all printers that are routed
@@ -574,10 +574,10 @@
simple problems efficiently and effectively.
Here are some diagnostic guidelines that can be referred to when things go wrong:
-
Preliminary Advice: Dangers Can Be Avoided
+
Preliminary Advice: Dangers Can Be Avoided
The best advice regarding how to mend a broken leg is “Never break a leg!”
-
+
Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
regarding the best way to remedy LDAP and Samba problems: “Avoid them like the plague!”
@@ -593,7 +593,7 @@
Do not be lulled into thinking that you can easily adopt the examples in this
book and adapt them without first working through the examples provided. A little
thing overlooked can cause untold pain and may permanently tarnish your experience.
-
The Name Service Caching Daemon
+
The Name Service Caching Daemon
The name service caching daemon (nscd) is a primary cause of difficulties with name
resolution, particularly where winbind is used. Winbind does its
own caching, thus nscd causes double caching which can lead to peculiar problems during
@@ -660,17 +660,17 @@
root# chkconfig nscd off
root# rcnscd off
-
Debugging LDAP
-
-
-
+
Debugging LDAP
+
+
+
In the example /etc/openldap/slapd.conf control file
(see ???) there is an entry for loglevel 256.
To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
and restart slapd.
-
-
+
+
LDAP log information can be directed into a file that is separate from the normal system
log files by changing the /etc/syslog.conf file so it has the following
contents:
@@ -689,7 +689,7 @@
local site needs. The configuration used later in this chapter reflects such
customization with the intent that LDAP log files will be stored at a location
that meets local site needs and wishes more fully.
-
Debugging NSS_LDAP
+
Debugging NSS_LDAP
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
/etc/ldap.conf file the following parameters:
@@ -702,7 +702,7 @@
The diagnostic process should follow these steps:
-
Procedure 5.1. NSS_LDAP Diagnostic Steps
+
Procedure 5.1. NSS_LDAP Diagnostic Steps
Verify the nss_base_passwd, nss_base_shadow, nss_base_group entries
in the /etc/ldap.conf file and compare them closely with the directory
tree location that was chosen when the directory was first created.
@@ -792,7 +792,7 @@
Check that the bindpw entry in the /etc/ldap.conf or in the
/etc/ldap.secrets file is correct, as specified in the
/etc/openldap/slapd.conf file.
-
Debugging Samba
+
Debugging Samba
The following parameters in the smb.conf file can be useful in tracking down Samba-related problems:
[global]
@@ -822,17 +822,17 @@
Search for hints of what may have failed by looking for the words fail
and error.
-
Debugging on the Windows Client
+
Debugging on the Windows Client
MS Windows 2000 Professional and Windows XP Professional clients can be configured
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
version of MS Windows.
-
Political Issues
+
Political Issues
MS Windows network users are generally very sensitive to limits that may be imposed when
confronted with locked-down workstation configurations. The challenge you face must
be promoted as a choice between reliable, fast network operation and a constant flux
of problems that result in user irritation.
-
Installation Checklist
+
Installation Checklist
You are starting a complex project. Even though you went through the installation of a complex
network in ???, this network is a bigger challenge because of the
large number of complex applications that must be configured before the first few steps
@@ -840,14 +840,14 @@
frequently review the steps ahead while making at least a mental note of what has already
been completed. The following task list may help you to keep track of the task items
that are covered:
-
Samba-3 PDC Server Configuration
DHCP and DNS servers
OpenLDAP server
PAM and NSS client tools
Samba-3 PDC
Idealx smbldap scripts
LDAP initialization
Create user and group accounts
Printers
Share point directory roots
Profile directories
Logon scripts
Configuration of user rights and privileges
Samba-3 BDC Server Configuration
DHCP and DNS servers
PAM and NSS client tools
Printers
Share point directory roots
Profiles directories
Windows XP Client Configuration
Default profile folder redirection
MS Outlook PST file relocation
Delete roaming profile on logout
Upload printer drivers to Samba servers
Install software
Creation of roll-out images
Samba Server Implementation
-
-
+
Samba-3 PDC Server Configuration
DHCP and DNS servers
OpenLDAP server
PAM and NSS client tools
Samba-3 PDC
Idealx smbldap scripts
LDAP initialization
Create user and group accounts
Printers
Share point directory roots
Profile directories
Logon scripts
Configuration of user rights and privileges
Samba-3 BDC Server Configuration
DHCP and DNS servers
PAM and NSS client tools
Printers
Share point directory roots
Profiles directories
Windows XP Client Configuration
Default profile folder redirection
MS Outlook PST file relocation
Delete roaming profile on logout
Upload printer drivers to Samba servers
Install software
Creation of roll-out images
Samba Server Implementation
+
+
The network design shown in ??? is not comprehensive. It is assumed
that you will install additional file servers and possibly additional BDCs.
Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend
-
-
+
+
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
adjust the locations for your particular Linux system distribution/implementation.
@@ -868,22 +868,22 @@
with newly installed Linux servers, you must complete the steps shown in
??? before commencing at ???.
OpenLDAP Server Configuration
-
-
-
+
+
+
Confirm that the packages shown in ??? are installed on your system.
Table 5.2. Required OpenLDAP Linux Packages
SUSE Linux 8.x
SUSE Linux 9.x
Red Hat Linux
nss_ldap
nss_ldap
nss_ldap
pam_ldap
pam_ldap
pam_ldap
openldap2
openldap2
openldap
openldap2-client
openldap2-client
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
follow these guidelines, the resulting system should work fine.
-
Procedure 5.2. OpenLDAP Server Configuration Steps
-
+
Procedure 5.2. OpenLDAP Server Configuration Steps
+
Install the file shown in ??? in the directory
/etc/openldap.
-
-
-
+
+
+
Remove all files from the directory /data/ldap, making certain that
the directory exists with permissions:
@@ -892,14 +892,14 @@
This may require you to add a user and a group account for LDAP if they do not exist.
-
+
Install the file shown in ??? in the directory
/data/ldap. In the event that this file is added after ldap
has been started, it is possible to cause the new settings to take effect by shutting down
the LDAP server, executing the db_recover command inside the
/data/ldap directory, and then restarting the LDAP server.
-
+
Performance logging can be enabled and should preferably be sent to a file on
a file system that is large enough to handle significantly sized logs. To enable
the logging at a verbose level to permit detailed analysis, uncomment the entry in
@@ -975,31 +975,31 @@
index sambaDomainName eq
index default sub
PAM and NSS Client Configuration
-
-
-
+
+
+
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
-
-
+
+
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
correct configuration of PAM. The pam_ldap open source package provides the
PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so
module also has the ability to redirect authentication requests through LDAP.
-
-
-
-
+
+
+
+
You have chosen to configure these services by directly editing the system files, but of course, you
know that this configuration can be done using system tools provided by the Linux system vendor.
SUSE Linux has a facility in YaST (the system admin tool) through yast->system->ldap-client that permits
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the authconfig
tool for this.
-
Procedure 5.3. PAM and NSS Client Configuration Steps
Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
+
Procedure 5.3. PAM and NSS Client Configuration Steps
Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
host 127.0.0.1
base dc=abmas,dc=biz
@@ -1042,9 +1042,9 @@
ssl off
-
-
-
+
+
+
Execute the following command to find where the nss_ldap module
expects to find its control file:
@@ -1057,7 +1057,7 @@
On the servers called BLDG1 and BLDG2, install the file shown in
??? into the path that was obtained from the step above.
-
+
Edit the NSS control file (/etc/nsswitch.conf) so that the lines that
control user and group resolution will obtain information from the normal system files as
well as from ldap:
@@ -1080,7 +1080,7 @@
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
nsswitch.conf file is a significant cause of operational problems with LDAP.
-
+
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
files in the /etc/pam.d directory: login, password,
samba, sshd. In each file, locate every entry that has the
@@ -1102,7 +1102,7 @@
session required pam_limits.so
-
+
On other Linux systems that do not have an LDAP-enabled pam_unix2.so module,
you must edit these files by adding the pam_ldap.so modules as shown here:
@@ -1126,14 +1126,14 @@
implementation, but if the pam_unix2.so on your system supports
LDAP, you probably want to use it rather than add an additional module.
Samba-3 PDC Configuration
-
+
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
choice to either build your own or obtain the packages from a dependable source.
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
is included with this book.
-
Procedure 5.4. Configuration of PDC Called MASSIVE
+
Procedure 5.4. Configuration of PDC Called MASSIVE
Install the files in ???,
???, ???,
and ??? into the /etc/samba/
@@ -1143,7 +1143,7 @@
on the master file. The operational smb.conf is then generated as shown in
the next step.
-
+
Create and verify the contents of the smb.conf file that is generated by:
-
-
+
+
Samba-3 communicates with the LDAP server. The password that it uses to
authenticate to the LDAP server must be stored in the secrets.tdb
file. Execute the following to create the new secrets.tdb files
@@ -1194,8 +1194,8 @@
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-
-
+
+
Samba-3 generates a Windows Security Identifier (SID) only when smbd
has been started. For this reason, you start Samba. After a few seconds delay,
execute:
@@ -1229,10 +1229,10 @@
When a positive domain SID has been reported, stop Samba.
-
-
-
-
+
+
+
+
Configure the NFS server for your Linux system. So you can complete the steps that
follow, enter into the /etc/exports the following entry:
@@ -1250,8 +1250,8 @@
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
configuration of the LDAP server.
-
Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = MASSIVE
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
printing = cups
printer admin = root, chrisr
Install and Configure Idealx smbldap-tools Scripts
+
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
on the LDAP server. You have chosen the Idealx scripts because they are the best-known
LDAP configuration scripts. The use of these scripts will help avoid the necessity
@@ -1268,7 +1268,7 @@
The smbldap-tools are located in /opt/IDEALX/sbin.
The scripts are not needed on BDC machines because all LDAP updates are handled by
the PDC alone.
-
Installation of smbldap-tools from the Tarball
+
Installation of smbldap-tools from the Tarball
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
Procedure 5.5. Unpacking and Installation Steps for the smbldap-tools Tarball
Create the /opt/IDEALX/sbin directory, and set its permissions
@@ -1320,10 +1320,10 @@
The smbldap-tools scripts are now ready for the configuration step outlined in
???.
-
Installing smbldap-tools from the RPM Package
+
Installing smbldap-tools from the RPM Package
In the event that you have elected to use the RPM package provided by Idealx, download the
source RPM smbldap-tools-0.9.1-1.src.rpm, then follow this procedure:
-
Procedure 5.6. Installation Steps for smbldap-tools RPM's
+
Procedure 5.6. Installation Steps for smbldap-tools RPM's
Install the source RPM that has been downloaded as follows:
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
in the smb.conf file.
-
Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
+
Procedure 5.7. Configuration Steps for smbldap-tools to Enable Use
Change into the directory that contains the configure.pl script.
root# cd /opt/IDEALX/sbin
@@ -1474,7 +1474,7 @@
then verify its contents.
The smbldap-tools are now ready for use.
-
LDAP Initialization and Creation of User and Group Accounts
+
LDAP Initialization and Creation of User and Group Accounts
The LDAP database must be populated with well-known Windows domain user accounts and domain group
accounts before Samba can be used. The following procedures step you through the process.
@@ -1487,12 +1487,12 @@
Addition of an account to the LDAP backend can be done in two ways:
-
-
-
-
-
-
+
+
+
+
+
+
If you always have a user account in the /etc/passwd on every
server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
LDAP. In this case, you can add Windows domain user accounts using the
@@ -1510,20 +1510,20 @@
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
is included on the enclosed CD-ROM under Chap06/Tools.
-
+
If you wish to have more control over how the LDAP database is initialized or
if you don't want to use the Idealx smbldap-tools, you should refer to
???, ???.
-
+
The following steps initialize the LDAP database, and then you can add user and group
accounts that Samba can use. You use the smbldap-populate to
seed the LDAP database. You then manually add the accounts shown in ???.
The list of users does not cover all 500 network users; it provides examples only.
Note
-
-
-
+
+
+
In the following examples, as the LDAP database is initialized, we do create a container
for Computer (machine) accounts. In the Samba-3 smb.conf files, specific use is made
of the People container, not the Computers container, for domain member accounts. This is not a
@@ -1600,7 +1600,7 @@
Starting ldap-server done
-
+
So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
the simplest is to execute:
@@ -1609,7 +1609,7 @@
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
-
+
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see ???). You can add the required entries using
the following command:
@@ -1619,7 +1619,7 @@
Samba automatically populates this LDAP directory container when it needs to.
-
+
It looks like all has gone well, as expected. Let's confirm that this is the case
by running a few tests. First we check the contents of the database directly
by running slapcat as follows (the output has been cut down):
@@ -1657,7 +1657,7 @@
This looks good so far.
-
+
The next step is to prove that the LDAP server is running and responds to a
search request. Execute the following as shown (output has been cut to save space):
@@ -1702,7 +1702,7 @@
Good. It is all working just fine.
-
+
You must now make certain that the NSS resolver can interrogate LDAP also.
Execute the following commands:
-
+
This demonstrates that the nss_ldap library is functioning
as it should. If these two steps fail to produce this information, refer to
??? for diagnostic procedures that can be followed to
isolate the cause of the problem. Proceed to the next step only when the previous steps
have been successfully completed.
-
-
-
+
+
+
Our database is now ready for the addition of network users. For each user for
whom an account must be created, execute the following:
@@ -1740,7 +1740,7 @@
where username is the login ID for each user.
-
+
Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
following:
@@ -1768,7 +1768,7 @@
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
by system tools that make a getentpw() system call.
-
+
The root account must have UID=0; if not, this means that operations conducted from
a Windows client using tools such as the Domain User Manager fails under UNIX because
the management of user and group accounts requires that the UID=0. Additionally, it is
@@ -1802,8 +1802,8 @@
This is precisely what we want to see.
-
-
+
+
The final validation step involves making certain that Samba-3 can obtain the user
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
@@ -1834,7 +1834,7 @@
This looks good. Of course, you fully expected that it would all work, didn't you?
-
+
Now you add the group accounts that are used on the Abmas network. Execute
the following exactly as shown:
@@ -1845,7 +1845,7 @@
The addition of groups does not involve keyboard interaction, so the lack of console
output is of no concern.
-
+
You really do want to confirm that UNIX group resolution from LDAP is functioning
as it should. Let's do this as shown here:
@@ -1862,7 +1862,7 @@
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
as our own site-specific group accounts, are correctly listed. This is looking good.
-
+
The final step we need to validate is that Samba can see all the Windows domain groups
and that they are correctly mapped to the respective UNIX group account. To do this,
just execute the following command:
@@ -1917,7 +1917,7 @@
root# rcwinbind restart
-
+
You may now check Samba-3 operation as follows:
The server MASSIVE is now configured, and it is time to move onto the next task.
Printer Configuration
-
+
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
taken care of in the smb.conf file. The only preparation needed for smart
printing to be possible involves creation of the directories in which Samba-3 stores
Windows printing driver files.
-
Procedure 5.9. Printer Configuration Steps
+
Procedure 5.9. Printer Configuration Steps
Configure all network-attached printers to have a fixed IP address.
Create an entry in the DNS database on the server MASSIVE
@@ -1980,18 +1980,18 @@
Follow the instructions in the printer manufacturers' manuals to permit printing
to port 9100. Use any other port the manufacturer specifies for direct mode,
raw printing. This allows the CUPS spooler to print using raw mode protocols.
-
-
+
+
-
-
+
+
Only on the server to which the printer is attached, configure the CUPS Print
Queues as follows:
-
+
This step creates the necessary print queue to use no assigned print filter. This
is ideal for raw printing, that is, printing without use of filters.
The name printque is the name you have assigned for
@@ -2011,15 +2011,15 @@
root# /usr/bin/accept printque
-
-
-
+
+
+
Edit the file /etc/cups/mime.convs to uncomment the line:
Procedure 5.10. Configuration of BDC Called: BLDG1
+
Samba-3 BDC Configuration
Procedure 5.10. Configuration of BDC Called: BLDG1
Install the files in ???,
???, and ???
into the /etc/samba/ directory. The three files
@@ -2081,7 +2081,7 @@
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
-
+
The next step in the verification process involves testing the operation of UNIX group
resolution via the NSS LDAP resolver. Execute these commands:
@@ -2111,7 +2111,7 @@
This is also the correct and desired output, because it demonstrates that the LDAP client
is able to communicate correctly with the LDAP server (MASSIVE).
-
+
You must now set the LDAP administrative password into the Samba-3 secrets.tdb
file by executing this command:
@@ -2143,7 +2143,7 @@
This indicates that the domain security account for the BDC has been correctly created.
-
+
Verify that user and group account resolution works via Samba-3 tools as follows:
root# pdbedit -L
@@ -2231,19 +2231,19 @@
should be added together to form the smb.conf file.
Follow carefully the steps shown in ???, starting at step 2.
-
Example 5.8. LDAP Based smb.conf File, Server: BLDG1
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG1
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr
Example 5.9. LDAP Based smb.conf File, Server: BLDG2
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG2
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr
Example 5.10. LDAP Based smb.conf File, Shares Section Part A
[accounts]
comment = Accounting Files
path = /data/accounts
read only = No
[service]
comment = Financial Services Files
path = /data/service
read only = No
[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
Example 5.11. LDAP Based smb.conf File, Shares Section Part B
[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, chrisr
Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
+
Example 5.8. LDAP Based smb.conf File, Server: BLDG1
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG1
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr
Example 5.9. LDAP Based smb.conf File, Server: BLDG2
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET2
netbios name = BLDG2
passdb backend = ldapsam:ldap://massive.abmas.biz
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
domain master = No
wins server = 172.16.0.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://massive.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
printing = cups
printer admin = root, chrisr
Example 5.10. LDAP Based smb.conf File, Shares Section Part A
[accounts]
comment = Accounting Files
path = /data/accounts
read only = No
[service]
comment = Financial Services Files
path = /data/service
read only = No
[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
Example 5.11. LDAP Based smb.conf File, Shares Section Part B
[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, chrisr
Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
My father would say, “Dinner is not over until the dishes have been done.”
The makings of a great network environment take a lot of effort and attention to detail.
So far, you have completed most of the complex (and to many administrators, the interesting
part of server configuration) steps, but remember to tie it all together. Here are
a few more steps that must be completed so that your network runs like a well-rehearsed
orchestra.
-
Configuring Directory Share Point Roots
+
Configuring Directory Share Point Roots
In your smb.conf file, you have specified Windows shares. Each has a path
parameter. Even though it is obvious to all, one of the common Samba networking problems is
caused by forgetting to verify that every such share root directory actually exists and that it
@@ -2261,7 +2261,7 @@
root# chmod -R ug+rwxs,o-rwx /data
root# chmod -R ug+rwx,o+rx-w /apps
-
Configuring Profile Directories
+
Configuring Profile Directories
You made a conscious decision to do everything it would take to improve network client
performance. One of your decisions was to implement folder redirection. This means that Windows
user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
@@ -2286,8 +2286,8 @@
root# chmod -R 750 username
-
-
+
+
You have three options insofar as the dynamically loaded portion of the roaming profile
is concerned:
You may permit the user to obtain a default profile.
You can create a mandatory profile.
You can create a group profile (which is almost always a mandatory profile).
@@ -2295,8 +2295,8 @@
profile is effected by renaming the NTUSER.DAT to NTUSER.MAN,
that is, just by changing the filename extension.
-
-
+
+
The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
You can manage this using the Idealx smbldap-tools or using the
Windows NT4 Domain User Manager.
@@ -2309,8 +2309,8 @@
/var/lib/samba/profiles/usernameroot# chmod 700 /var/lib/samba/profiles/username
-
Preparation of Logon Scripts
-
+
Preparation of Logon Scripts
+
The use of a logon script with Windows XP Professional is an option that every site should consider.
Unless you have locked down the desktop so the user cannot change anything, there is risk that
a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
@@ -2335,7 +2335,7 @@
You should research the options for logon script implementation by referring to TOSHARG2, Chapter 24,
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
facilities in use today is called KiXtart.
-
Assigning User Rights and Privileges
+
Assigning User Rights and Privileges
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
normal user accounts. By default, only the domain administrator account (root on UNIX
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
@@ -2347,7 +2347,7 @@
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
are granted rights can be restricted to particular machines. It is left to the network administrator
to determine which rights should be provided and to whom.
-
Procedure 5.12. Steps for Assignment of User Rights and Privileges
+
Procedure 5.12. Steps for Assignment of User Rights and Privileges
Log onto the PDC as the root account.
Execute the following command to grant the Domain Admins group all
@@ -2405,8 +2405,8 @@
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
-
Windows Client Configuration
-
+
Windows Client Configuration
+
In the next few sections, you can configure a new Windows XP Professional disk image on a staging
machine. You will configure all software, printer settings, profile and policy handling, and desktop
default profile settings on this system. When it is complete, you copy the contents of the
@@ -2419,24 +2419,24 @@
Base Profile for All Users."
Configuration of Default Profile with Folder Redirection
-
+
Log onto the Windows XP Professional workstation as the local Administrator.
It is necessary to expose folders that are generally hidden to provide access to the
Default User folder.
-
Procedure 5.13. Expose Hidden Folders
+
Procedure 5.13. Expose Hidden Folders
Launch the Windows Explorer by clicking
Start->My Computer->Tools->Folder Options->View Tab.
Select Show hidden files and folders,
and click OK. Exit Windows Explorer.
-
+
Launch the Registry Editor. Click
Start->Run. Key in regedt32, and click
OK.
Procedure 5.14. Redirect Folders in Default System User Profile
-
-
+
+
Give focus to HKEY_LOCAL_MACHINE hive entry in the left panel.
Click File->Load Hive...->Documents and Settings->Default User->NTUSER->Open. In the dialog box that opens, enter the key name
Default and click OK.
@@ -2448,15 +2448,15 @@
The right panel reveals the contents as shown in ???.
-
-
+
+
You edit hive keys. Acceptable values to replace the
%USERPROFILE% variable includes:
A drive letter such as U:
A direct network path such as
\\MASSIVE\profdata
A network redirection (UNC name) that contains a macro such as
%LOGONSERVER%\profdata\
-
+
Set the registry keys as shown in ???. Your implementation makes the assumption
that users have statically located machines. Notebook computers (mobile users) need to be
accommodated using local profiles. This is not an uncommon assumption.
@@ -2464,14 +2464,14 @@
Click back to the root of the loaded hive Default.
Click File->Unload Hive...->Yes.
-
+
Click File->Exit. This exits the
Registry Editor.
Now follow the procedure given in ???. Make sure that each folder you
have redirected is in the exclusion list.
- You are now ready to copy[11]
+ You are now ready to copy[11]
the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
and use it to copy the full contents of the directory Default User that
is in the C:\Documents and Settings to the root directory of the
@@ -2482,14 +2482,14 @@
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
that ojective:
-
Procedure 5.15. Reset Folder Display to Original Behavior
+
Procedure 5.15. Reset Folder Display to Original Behavior
To launch the Windows Explorer, click
Start->My Computer->Tools->Folder Options->View Tab.
Deselect Show hidden files and folders, and click OK.
Exit Windows Explorer.
-
Figure 5.3. Windows XP Professional User Shared Folders
Table 5.4. Default Profile Redirections
Registry Key
Redirected Value
Cache
%LOGONSERVER%\profdata\%USERNAME%\InternetFiles
Cookies
%LOGONSERVER%\profdata\%USERNAME%\Cookies
History
%LOGONSERVER%\profdata\%USERNAME%\History
Local AppData
%LOGONSERVER%\profdata\%USERNAME%\AppData
Local Settings
%LOGONSERVER%\profdata\%USERNAME%\LocalSettings
My Pictures
%LOGONSERVER%\profdata\%USERNAME%\MyPictures
Personal
%LOGONSERVER%\profdata\%USERNAME%\MyDocuments
Recent
%LOGONSERVER%\profdata\%USERNAME%\Recent
Configuration of MS Outlook to Relocate PST File
-
-
+
Figure 5.3. Windows XP Professional User Shared Folders
Table 5.4. Default Profile Redirections
Registry Key
Redirected Value
Cache
%LOGONSERVER%\profdata\%USERNAME%\InternetFiles
Cookies
%LOGONSERVER%\profdata\%USERNAME%\Cookies
History
%LOGONSERVER%\profdata\%USERNAME%\History
Local AppData
%LOGONSERVER%\profdata\%USERNAME%\AppData
Local Settings
%LOGONSERVER%\profdata\%USERNAME%\LocalSettings
My Pictures
%LOGONSERVER%\profdata\%USERNAME%\MyPictures
Personal
%LOGONSERVER%\profdata\%USERNAME%\MyDocuments
Recent
%LOGONSERVER%\profdata\%USERNAME%\Recent
Configuration of MS Outlook to Relocate PST File
+
+
Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
It is the nature of email storage that this file grows, at times quite rapidly.
So that users' email is available to them at every workstation they may log onto,
@@ -2498,7 +2498,7 @@
To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
slightly differently), follow these steps:
-
Procedure 5.16. Outlook PST File Relocation
+
Procedure 5.16. Outlook PST File Relocation
Close Outlook if it is open.
From the Control Panel, launch the Mail icon.
@@ -2528,11 +2528,11 @@
Go back to the Data Files window, then delete the old data file entry.
Note
-
+
You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
the user may be not be able to retrieve contacts when addressing a new email message.
Note
-
+
Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
Express storage files can not be redirected to network shares. The options panel will not permit
this, but they can be moved to folders outside of the user's profile. They can also be excluded
@@ -2541,34 +2541,34 @@
While it is possible to redirect the data stores for Outlook Express data stores by editing the
registry, experience has shown that data corruption and loss of email messages will result.
-
-
+
+
In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
roaming profiles this can result in excruciatingly long login and logout behavior will files are
synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
profiles are used.
-
+
Microsoft does not support storing PST files on network shares, although the practice does appear
to be rather popular. Anyone who does relocation the PST file to a network resource should refer
the Microsoft reference to better
understand the issues.
-
+
Apart from manually moving PST files to a network share, it is possible to set the default PST
location for new accounts by following the instructions at the WindowsITPro web site.
-
+
User feedback suggests that disabling of oplocks on PST files will significantly improve
network performance by reducing locking overheads. One way this can be done is to add to the
smb.conf file stanza for the share the PST file the following:
veto oplock files = /*.pdf/*.PST/
-
Configure Delete Cached Profiles on Logout
+
Configure Delete Cached Profiles on Logout
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
-
+
Click
Start->Run. In the dialog box, enter MMC and click OK.
@@ -2576,7 +2576,7 @@
profiles are deleted as network users log out of the system. Click
File->Add/Remove Snap-in->Add->Group Policy->Add->Finish->Close->OK.
-
+
The Microsoft Management Console now shows the Group Policy
utility that enables you to set the policies needed. In the left panel, click
Local Computer Policy->Administrative Templates->System->User Profiles. In the right panel, set the properties shown here by double-clicking on each
@@ -2584,15 +2584,15 @@
Do not check for user ownership of Roaming Profile Folders = Enabled
Delete cached copies of roaming profiles = Enabled
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
made of this system to deploy the new standard desktop system.
-
Uploading Printer Drivers to Samba Servers
-
+
Uploading Printer Drivers to Samba Servers
+
Users want to be able to use network printers. You have a vested interest in making
it easy for them to print. You have chosen to install the printer drivers onto the Samba
servers and to enable point-and-click (drag-and-drop) printing. This process results in
Samba being able to automatically provide the Windows client with the driver necessary to
print to the printer chosen. The following procedure must be followed for every network
printer:
-
Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers
+
Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers
Join your Windows XP Professional workstation (the staging machine) to the
MEGANET2 domain. If you are not sure of the procedure,
follow the guidance given in ???, ???.
@@ -2617,8 +2617,8 @@
Note that the box labeled Driver is empty. Click the New Driver
button that is next to the Driver box. This launches the “Add Printer Wizard”.
-
-
+
+
The “Add Printer Driver Wizard on MASSIVE” panel
is now presented. Click Next to continue. From the left panel, select the
printer manufacturer. In your case, you are adding a driver for a printer manufactured by
@@ -2627,12 +2627,12 @@
progress bar appears and instructs you as each file is being uploaded and that it is being
directed at the network server \\massive\ps01-color.
-
-
-
-
-
-
+
+
+
+
+
+
The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
you are returned to the Advanced tab in the Properties panel.
You can set the Location (under the General tab) and Security settings (under
@@ -2641,7 +2641,7 @@
directory”. When this box is checked, the printer will be published in Active Directory
(Applicable to Active Directory use only.)
-
+
Click OK. It will take a minute or so to upload the settings to the server.
You are now returned to the Printers and Faxes on Massive monitor.
Right-click on the printer, click Properties->Device Settings. Now change the settings to suit
@@ -2653,7 +2653,7 @@
just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
click Apply again.
-
+
Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
click the General tab. Now click the Print Test Page button.
A test page should print. Verify that it has printed correctly. Then click OK
@@ -2663,7 +2663,7 @@
You must repeat this process for all network printers (i.e., for every printer on each server).
When you have finished uploading drivers to all printers, close all applications. The next task
is to install software your users require to do their work.
-
Software Installation
+
Software Installation
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
Notebooks require special handling that is beyond the scope of this chapter.
@@ -2678,7 +2678,7 @@
When you believe that the overall configuration is complete, be sure to create a shared group profile
and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
case a user may have specific needs you had not anticipated.
-
Roll-out Image Creation
+
Roll-out Image Creation
The final steps before preparing the distribution Norton Ghost image file you might follow are:
Unjoin the domain Each workstation requires a unique name and must be independently
@@ -2687,7 +2687,7 @@
Defragment the hard disk While not obvious to the uninitiated, defragmentation results
in better performance and often significantly reduces the size of the compressed disk image. That
also means it will take less time to deploy the image onto 500 workstations.
-
Key Points Learned
+
Key Points Learned
This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
avoided any consideration of security. Security does not just happen; you must design it into your total
network. Security begins with a systems design and implementation that anticipates hostile behavior from
@@ -2696,8 +2696,8 @@
practices, you must not deploy the design presented in this book in an environment where there is risk
of compromise.
-
-
+
+
As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
configured to use secure protocols for all communications over the network. Of course, secure networking
does not result just from systems design and implementation but involves constant user education
@@ -2724,37 +2724,37 @@
Control over roaming profiles, with particular focus on folder redirection to network drives.
Use of the CUPS printing system together with Samba-based printer driver auto-download.
-
Questions and Answers
+
Questions and Answers
Well, here we are at the end of this chapter and we have only ten questions to help you to
remember so much. There are bound to be some sticky issues here.
-
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
network administrators to implement insecure solutions?
@@ -2773,7 +2773,7 @@
This book makes little mention of backup techniques. Does that mean that I am recommending
that you should implement a network without provision for data recovery and for disaster
management? Back to our focus: The deployment of Samba has been clearly demonstrated.
-
+
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
to the Linux I might be using?
@@ -2800,7 +2800,7 @@
of open source software. I favor neither and respect both. I like particular
features of both products (companies also). No bias in presentation is intended.
Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
-
+
You did not use SWAT to configure Samba. Is there something wrong with it?
That is a good question. As it is, the smb.conf file configurations are presented
@@ -2811,14 +2811,14 @@
There are people in the Linux and open source community who feel that SWAT is dangerous
and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
hope to have brought their interests on board. SWAT is well covered is TOSHARG2.
-
+
You have exposed a well-used password not24get. Is that
not irresponsible?
Well, I had to use a password of some sort. At least this one has been consistently
used throughout. I guess you can figure out that in a real deployment it would make
sense to use a more secure and original password.
-
+
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
a good thing?
@@ -2826,7 +2826,7 @@
Let's give Idealx some credit for the contribution they have made. I appreciate their work
and, besides, it does no harm to create accounts that are not now used at some time
Samba may well use them.
-
+
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
@@ -2834,7 +2834,7 @@
the system password account, how do you plan to keep all domain controller system
password files in sync? I think that having everything in LDAP makes a lot of sense
for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
-
+
Why are the Windows domain RID portions not the same as the UNIX UID?
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
@@ -2843,7 +2843,7 @@
assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
permit you to override that to some extent. See the smb.conf man page entry
for algorithmic rid base.
-
+
Printer configuration examples all show printing to the HP port 9100. Does this
mean that I must have HP printers for these solutions to work?
@@ -2853,7 +2853,7 @@
inkjet printer. Use the appropriate device URI (Universal Resource Interface)
argument to the lpadmin -v option that is right for your
printer.
-
+
Is folder redirection dangerous? I've heard that you can lose your data that way.
The only loss of data I know of that involved folder redirection was caused by
@@ -2863,13 +2863,13 @@
he declined to move the data because he thought it was still in the local profile
folder. That was not the case, so by declining to move the data back, he wiped out
the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
-
+
Is it really necessary to set a local Group Policy to exclude the redirected
folders from the roaming profile?
Yes. If you do not do this, the data will still be copied from the network folder
(share) to the local cached copy of the profile.
-
[11]
There is an alternate method by which a default user profile can be added to the
NETLOGON share. This facility in the Windows System tool
permits profiles to be exported. The export target may be a particular user or
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.23a/docs/htmldocs/Samba3-ByExample/index.html samba-3.0.23b/docs/htmldocs/Samba3-ByExample/index.html
--- samba-3.0.23a/docs/htmldocs/Samba3-ByExample/index.html 2006-07-06 05:19:43.000000000 -0500
+++ samba-3.0.23b/docs/htmldocs/Samba3-ByExample/index.html 2006-08-07 05:04:49.000000000 -0500
@@ -1,4 +1,4 @@
-
