AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The original rpcclient man page was written by Matthew diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/2000users.html samba-3.0.9/docs/htmldocs/Samba-Guide/2000users.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/2000users.html 2004-10-25 11:16:26.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/2000users.html 2004-11-15 10:15:37.000000000 -0600 @@ -1,4 +1,4 @@ -
Table of Contents
There is something indeed mystical about things that are +
Table of Contents
There is something indeed mystical about things that are big. Large networks exhibit a certain magnetism and exude a sense of importance that obscures reality. You and I know that it is no more difficult to secure a large network than it is a small one. We all @@ -22,7 +22,7 @@ implementing a DNS or a DHCP server are under control. Even the basics of Samba are largely under control. So in this section you focus on the specifics of implementing LDAP changes, Samba changes, and approach and - design of the solution and its deployment.
+ design of the solution and its deployment.
Abmas is a miracle company. Most businesses would have collapsed under the weight of rapid expansion that this company has experienced. Samba is flexible, so there is no need to reinstall the whole operating @@ -30,16 +30,16 @@ you can keep an old server running right up to the moment of cut-over and then do a near-live conversion. There is no need to reinstall a Samba server just to change the way your network should function. -
Network growth is common to all organizations. In this exercise, your preoccupation is with the mechanics of implementing Samba and LDAP so that network users on each network segment can work - without impediment.
+ without impediment.
Starting with the configuration files for the server called MASSIVE in Chapter 6, you now deal with the issues that are particular to large distributed networks. Your task is simple identify the challenges, consider the - alternatives, and then design and implement a solution.
+ alternatives, and then design and implement a solution.
Remember, you have users based in London (UK), Los Angeles, Washington DC, and three buildings in New York. A significant portion of your workforce have notebook computers and roam all over the @@ -53,12 +53,12 @@ and Help desk in New York, plus one floater for Washington DC.
You have outsourced all desktop deployment and management to DirectPointe,Inc. Your concern is server maintenance and third-level - support. Build a plan and show what must be done.
In the previous chapter, you implemented an LDAP server that provided the passdb backend for the Samba servers. You explored ways to accelerate Windows desktop profile handling and you took control of network performance. -
The implementation of an LDAP-based passdb backend (known as ldapsam in Samba parlance), or some form of database that can be distributed, is essential to permit the deployment of Samba @@ -69,34 +69,34 @@ using a tool such as rsync, but smbpasswd suffers the drawback that it does not support the range of account facilities demanded by modern network - managers.
The new tdbsam facility supports functionality that is similar to an ldapsam, but the lack of distributed infrastructure sorely limits the scope for its deployment. This does raise the following questions: "Why can't I just use an XML based backend, or for that matter, why not use an SQL based backend?" "Is support for these tools broken?" No. Answers to these - questions require a bit of background.
+ questions require a bit of background.
What is a directory? A directory is a collection of information regarding objects that can be accessed to rapidly find information that is relevant in a particular and consistent manner. A directory differs from a database in that it is generally more often searched (read) than updated. As a consequence, the information is organized to facilitate read access rather than to - support transaction processing.
+ support transaction processing.
The Lightweight Directory Access Protocol (LDAP) differs considerably from a traditional database. It has a simple search facility that uniquely makes a highly preferred mechanism for managing user identities. LDAP provides a scalable mechanism for distributing the data repository and for keeping all copies (slaves) in sync with - the master repository.
Samba is a flexible and powerful file and print sharing technology. It can use many external authentication sources and can be part of a total authentication and identity management infrastructure. The two most important external sources for large sites are Microsoft Active Directory and LDAP. Sites that specifically wish to avoid the proprietary implications of Microsoft Active Directory - naturally gravitate toward OpenLDAP.
+ naturally gravitate toward OpenLDAP.
In Chapter 6, you had to deal with a locally routed network. All deployment concerns focused around making users happy, and that simply means taking control over all network practices and @@ -107,10 +107,10 @@ between offices. You must take into account the way users need to access information globally. And you must make the network robust enough so that it can sustain partial breakdown without causing loss of - productivity.
There are at least three areas that need to be addressed as you + productivity.
There are at least three areas that need to be addressed as you approach the challenge of designing a network solution for the newly - expanded business. These are:
Let's look at each in turn.
The new company has three divisions. Staff for each division + expanded business. These are:
Let's look at each in turn.
The new company has three divisions. Staff for each division are spread across the company. Some staff are office-bound and some are mobile users. Mobile users travel globally. Some spend considerable periods working in other offices. Everyone wants to be @@ -118,7 +118,7 @@ even dial-up connectivity is poor, while in other regions political encumbrances severely curtail user needs. Parts of the global Internet infrastructure remain shielded-off for reasons outside - the scope of this discussion.
+ the scope of this discussion.
Decisions must be made regarding where data is to be stored, how it will be replicated (if at all), and what the network bandwidth implications are. For example, one decision that can be made is @@ -128,7 +128,7 @@ synchronization tool could be rsync, run via a cron job. Mobile users may use off-line file storage under Windows XP Professional. This way, they can synchronize all files that have - changed since each logon to the network.
+ changed since each logon to the network.
No matter which way you look at this, the bandwidth requirements for acceptable performance are substantial even if only 10 percent of staff are global data users. A company with 3500 employees @@ -139,10 +139,10 @@ mobile users. At that time, the average roaming profile took 480 Kbytes, while today the minimum Windows XP Professional roaming profile involves a transfer of over 750 Kbytes from the profile - server to/from the client.
Obviously then, user needs and wide-area practicalities dictate the economic and technical aspects of your network - design as well as for standard operating procedures.
Network logons that include roaming profile handling requires from 140 Kbytes to 2 Mbytes. The inclusion of support for a minimal set of common desktop applications can push the size of a complete @@ -150,7 +150,7 @@ as location of user profiles is concerned. Additionally, it is a significant factor in determining the nature and style of mandatory profiles that may be enforced as part of a total service level - assurance program that might be implemented.
+ assurance program that might be implemented.
One way to reduce the network bandwidth impact of user logon traffic is through folder redirection. In Chapter 6, you implemented this in the new Windows XP Professional standard @@ -158,21 +158,21 @@ Documents are redirected to a network drive, they should also be excluded from synchronization to/from the server on logon/out. Redirected folders are analogous to network drive - connections.
Of course, network applications should only be run off local application servers. As a general rule, even with 2 Mbit/sec network bandwidth, it would not make sense at all for someone who is working out of the London office to run applications off a - server that is located in New York.
+ server that is located in New York.
When network bandwidth becomes a precious commodity (that is most of the time), there is a significant demand to understand network processes and to mould the limits of acceptability around the constraints of affordability.
When a Windows NT4/200x/XP Professional client user logs onto - the network, several important things must happen.
+ the network, several important things must happen.
The client obtains an IP address via DHCP. (DHCP is - necessary so that users can roam between offices.)
The client must register itself with the WINS and/or DNS - server.
The client must log onto a Domain Controller and obtain as part of that process the location of the user's profile, load it, connect to redirected folders, and establish all network @@ -187,11 +187,11 @@ DHCP and WINS.
As soon as the Windows workstation starts up, it obtains an IP address. This is immediately followed by registration of its name both by broadcast and Unicast registration that is directed - at the WINS server.
Given that the client is already a Domain Member, it then sends a directed (Unicast) request to the WINS server seeking the list of IP addresses for domain controllers (NetBIOS name type 0x1C). The - WINS server replies with the information requested.
+ WINS server replies with the information requested.
The client sends two netlogon mailslot broadcast requests to the local network and to each of the IP addresses returned by the WINS server. Whichever answers this request first appears to @@ -199,7 +199,7 @@ process the network logon. The mailslot messages use UDP broadcast to the local network and UDP Unicast directed at each machine that was listed in the WINS server response to a request for the list of - Domain Controllers.
The logon process begins with negotiation of the SMB/CIFS protocols that are to be used; this is followed by an exchange of information that ultimately includes the client sending the @@ -208,7 +208,7 @@ connection, but that is a good point to halt for now. The priority here must center around identification of network infrastructure needs. A secondary fact we need to know is, what happens when - local Domain Controllers fail or break?
+ local Domain Controllers fail or break?
Under most circumstances, the nearest Domain Controller responds to the netlogon mailslot broadcast. The exception to this norm occurs when the nearest Domain Controller is too busy or is out @@ -216,19 +216,19 @@ important that every network segment should have at least two Domain Controllers. Since there can be only one Primary Domain Controller (PDC), all additional Domain Controllers are by definition - Backup Domain Controllers (BDCs).
+ Backup Domain Controllers (BDCs).
The provision of sufficient servers that are BDCs is an important design factor. The second important design factor involves how each of the BDCs obtains user authentication data. That is the subject of the next section as it involves key - decisions regarding Identity Management facilities.
Network managers recognize that in large organizations users generally need to be given resource access based on needs, while being excluded from other resources for reasons of privacy. It is, therefore, essential that all users identify themselves at the point of network access. The network logon is the principal means by which user credentials are validated and filtered, and appropriate - rights and privileges are allocated.
+ rights and privileges are allocated.
Unfortunately, network resources tend to have their own Identity Management facilities, the quality and manageability of which varies from quite poor to exceptionally good. Corporations that use a mixture @@ -238,7 +238,7 @@ was originally called Yellow Pages, and was renamed when a telephone company objected to the use of its trademark. What was once called Yellow Pages is today known - as Network Information System (NIS).
+ as Network Information System (NIS).
NIS gained a strong following throughout the UNIX/VMS space in a short period of time and retained that appeal and use for over a decade. Security concerns as well as inherent limitations @@ -247,17 +247,17 @@ adopted. Sun updated this to a more secure implementation called NIS+, but even it has fallen victim to changing demands as the demand for directory services that can be coupled with other - information systems is catching on.
+ information systems is catching on.
Nevertheless, both NIS and NIS+ continue to hold ground in business areas where UNIX still has major sway. Examples of organizations that remain firmly attached to the use of NIS and NIS+ includes large government departments, education institutions, as well as large corporations that have a scientific or engineering - focus.
Today's networking world needs a scalable, distributed Identity Management infrastructure, commonly called a directory. The most popular technologies today are Microsoft Active Directory service - and a number of LDAP implementations.
+ and a number of LDAP implementations.
The problem of managing multiple directories has become a focal point over the past decade. This has created a large market for meta-directory products and services that allow organizations that @@ -265,19 +265,19 @@ centers to provision information from one directory into another. The attendant benefit to end users is the promise of having to remember and deal with fewer login identities and - passwords.
The challenge of every large network is to find the optimum balance of internal systems and facilities for Identity Management resources. How well the solution is chosen and implemented has potentially significant impact on network bandwidth - and systems response needs.
In Chapter 6, you implemented a single LDAP server for the entire network. This may work for smaller networks, but almost certainly fails to meet the needs of large and complex networks. The following section documents how one may implement a single master LDAP server, with multiple slave servers.
What is the best method for implementing master/slave LDAP servers within the context of a distributed 2000 user network is a - question that remains to be answered.
+ question that remains to be answered.
One possibility that has great appeal is to create one single large distributed domain. The practical implications of this design (see ???) demands the placement of @@ -286,7 +286,7 @@ over the wide-area links, except as a totally unavoidable measure. Network design must balance the risk of loss of user productivity against the cost of network management and - maintenance.
The network design in ??? takes the approach that management of networks that are too remote to be capable of being managed effectively from New York ought @@ -296,15 +296,15 @@ and can be independently managed and controlled. One of the key drawbacks of this design is that it flies in the face of the ability for network users to roam globally without some compromise - in how they may access global resources.
+ in how they may access global resources.
Desk-bound users need not be negatively affected by this design, since the use of interdomain trusts can be used to satisfy - the need for global data sharing.
+ the need for global data sharing.
When Samba-3 is configured to use an LDAP backend, it stores the domain account information in a directory entry. This account entry contains the domain SID. An unintended but exploitable side effect is that this makes it possible to operate with more than one PDC on a - distributed network.
How might this peculiar feature be exploited? The answer is simple. It is imperative that each network segment should have its own WINS server. Major servers on remote network segments can be @@ -314,7 +314,7 @@ as if it is an independent domain, while all sharing the same domain SID. Since all domain account information can be stored in a single LDAP backend, users have unfettered ability to - roam.
This concept has not been exhaustively validated, though we can see no reason why this should not work. The important facets are: The name of the domain must be identical in all @@ -325,7 +325,7 @@ primary name. A single master LDAP server can be based in New York, with multiple LDAP slave servers located on every network segment. Finally, the BDCs should each use fail-over LDAP servers - that are in fact slave LDAP servers on the local segments.
+ that are in fact slave LDAP servers on the local segments.
With a single master LDAP server, all network updates are effected on a single server. In the event that this should become excessively fragile or network bandwidth limiting, one could @@ -337,25 +337,25 @@ referential traffic. It should be noted that all directory administrators must of necessity follow the same standard procedures for managing the directory, as retroactive correction of - inconsistent directory information can be exceedingly difficult.
As organizations grow, the number of points of control increase also. In a large distributed organization, it is important that the Identity Management system must be capable of being updated from many locations, and it is equally important that changes made should become capable of being used in a reasonable period, typically minutes rather than days (the old limitation of highly manual - systems).
Samba-3 has the ability to use multiple password (authentication and identity resolution) backends. The diagram in ??? demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system password database. The diagram only documents the mechanisms for authentication and identity resolution (obtaining a UNIX UID/GID) using the specific systems shown. -
Samba is capable of using the smbpasswd, tdbsam, xmlsam, and mysqlsam authentication databases. The SMB passwords can, of course, also be stored in an LDAP ldapsam backend. LDAP is the preferred passdb backend for distributed network - operations.
Additionally, it is possible to use multiple passdb backends concurrently as well as have multiple LDAP backends. As a result, one can specify a fail-over LDAP backend. The syntax for specifying a @@ -367,8 +367,8 @@
This configuration tells Samba to use a single LDAP server as shown in ???. -
+ The addition of a fail-over LDAP server can simply be done by adding a second entry for the fail-over server to the single ldapsam entry as shown here (note the particular @@ -381,7 +381,7 @@
This configuration tells Samba to use a master LDAP server, with fail-over to a slave server if necessary, as shown in ???. -
+
Some folks have tried to implement this without the use of double quotes as shown above. This is the type of entry they had created: @@ -391,18 +391,18 @@ ldapsam:ldap://slave.abmas.biz ...
- + The effect of this style of entry is that Samba lists the users that are in both LDAP databases. If both contain the same information, it results in each record being shown twice. This is, of course, not the solution desired for a fail-over implementation. The net effect of this configuration is shown in ??? -
+
If, however, each LDAP database contains unique information, this may well be an advantageous way to effectively integrate multiple LDAP databases into one seemingly contiguous directory. Only the first database will be updated. An example of this configuration is shown in ???. -
Note
+
Note
When the use of ldapsam is specified twice, as shown here, it is imperative that the two LDAP directories must be disjoint. If the entries are for a master LDAP server as well as its own slave server, updates to the LDAP @@ -411,7 +411,7 @@
It is assumed that the network you are working with follows in a pattern similar to what has been covered in Chapter 6. The following steps permit the operation of a Master/Slave OpenLDAP arrangement.
- + Log onto the master LDAP server as root. You are about to change the configuration of the LDAP server, so it makes sense to temporarily halt it. Stop OpenLDAP from running on @@ -423,10 +423,10 @@
root# service ldap stop
-
Edit the /etc/openldap/slapd.conf file so it matches the content of ???. -
Change directory to a suitable place to dump the contents of the LDAP server. The dump file (and LDIF file) is used to preload the Slave LDAP server database. You can dump the database by executing: @@ -434,7 +434,7 @@ root# slapcat -v -l LDAP-transfer-LDIF.txt
Each record is written to the file. -
Copy the file LDAP-transfer-LDIF.txt to the intended slave LDAP server. A good location could be in the directory /etc/openldap/preload. @@ -484,7 +484,7 @@ root# service ldap start root# chkconfig ldap on
Go back to the master LDAP server. Execute the following to start LDAP as well as slurpd, the synchronization daemon, as shown here: @@ -494,9 +494,9 @@ root# rcslurpd start root# chkconfig slurpd on
- + On Red Hat Linux, check the equivalent command to start slurpd. -
On the master ldap server you may now add an account to validate that replication is working. Assuming the configuration shown in Chapter 6, execute:
@@ -612,299 +612,299 @@ index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub -
Example 7.3. Primary Domain Controller smb.conf File Part A
+
Where Samba-3 is used as a Domain Controller, the use of LDAP is an essential component necessary to permit the use of BDCs. -
Replication of the LDAP master server to create a network of BDCs is an important mechanism for limiting wide-area network traffic.
@@ -916,40 +916,40 @@ Roaming profiles must be contained to the local network segment. Any departure from this may clog wide-area arteries and slow legitimate network traffic to a crawl. -
There is much rumor and misinformation regarding the use of MS Windows networking protocols. These questions are just a few of those frequently asked. -
- DHCPnetworkbandwidth
+
- DHCPnetworkbandwidth Is it true that DHCP uses lots of wide-area network bandwidth? -
- background communicationLDAPmaster/slavebackground communication +
- background communicationLDAPmaster/slavebackground communication How much background communication takes place between a Master LDAP server and its slave LDAP servers? -
- +
- LDAP has a database. Is LDAP not just a fancy database front end? -
- OpenLDAP +
- OpenLDAP Can Active Directory obtain account information from an OpenLDAP server? -
- +
- What are the parts of a roaming profile? How large is each part? -
- +
- Can the My Documents folder be stored on a network drive? -
- wide-areanetworkbandwidthWINS +
- wide-areanetworkbandwidthWINS How much wide-area network bandwidth does WINS consume? -
- +
- How many BDCs should I have? What is the right number of Windows clients per server? -
- NIS serverLDAP +
- NIS serverLDAP I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server? -
- +
- Can I use NIS in place of LDAP? -
Is it true that DHCP uses lots of wide-area network bandwidth? -
It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network routers. This makes it possible to run fewer DHCP servers. -
A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew @@ -966,21 +966,21 @@ x 512 (bytes/packet) = 0.9 Mbytes/day.
From this can be seen that the traffic impact would be minimal. -
Even when DHCP is configured to do DNS update (Dynamic DNS) over a wide-area link, the impact of the update is no more than the DHCP IP address renewal traffic and, thus, still insignificant for most practical purposes. -
How much background communication takes place between a Master LDAP server and its slave LDAP servers? -
The process that controls the replication of data from the Master LDAP server to the Slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) until an update must be propagated. The propagation traffic per LDAP salve to update (add/modify/delete) two user accounts requires less than 10Kbytes traffic. -
+
LDAP has a database. Is LDAP not just a fancy database front end? -
LDAP does store its data in a database of sorts. In fact the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular pre-programmed ways. General external @@ -989,41 +989,41 @@ orientation and typically allows external programs to perform ad-hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific simple queries. The term database is heavily overloaded and, thus, much misunderstood. -
Can Active Directory obtain account information from an OpenLDAP server? -
No, at least not directly. It is possible to provision Active Directory from/to an OpenLDAP database through use of a meta-directory server. Microsoft MMS (now called MIIS) can interface to OpenLDAP using standard LDAP queries/updates. -
+
What are the parts of a roaming profile? How large is each part? -
A roaming profile consists of:
Desktop folders such as: Desktop, My Documents, My Pictures, My Music, Internet Files, Cookies, Application Data, Local Settings, and more. See ???. -
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See ??? for more information regarding folder redirection.
A static or re-writable portion that is typically only a few files (2-5 Kbytes of information). -
The registry load file that modifies the HKEY_LOCAL_USER hive. This is the NTUSER.DAT file. It can be from 0.4-1.5 MBytes. -
Microsoft Outlook PST files may be stored in the Local Settings\Application Data folder. It can be up to 2 Gbytes in size per PST file. -
+
Can the My Documents folder be stored on a network drive? -
Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a UNC name. See ???. -
MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS server, the total bandwidth demand measured at the WINS server, averaged over an eight-hour working day, @@ -1035,7 +1035,7 @@
In conclusion, the total load afforded through WINS traffic is again marginal to total operational usage as it should be. -
+
How many BDCs should I have? What is the right number of Windows clients per server?
It is recommended to have at least one BDC per network segment, including the segment served @@ -1049,16 +1049,16 @@
As unsatisfactory as the answer might sound, it all depends on network and server load characteristics. -
I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server?
The correct answer to both questions is yes. But do understand that an LDAP server has a configurable schema that can store far more information for many more purposes than just NIS. -
+
Can I use NIS in place of LDAP? -
No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/appendix.html samba-3.0.9/docs/htmldocs/Samba-Guide/appendix.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/appendix.html 2004-10-25 11:16:29.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/appendix.html 2004-11-15 10:15:41.000000000 -0600 @@ -1,10 +1,10 @@ -
Appendix A. Appendix: A Collection of Useful Tid-bits Table of Contents
Appendix A. Appendix: A Collection of Useful Tid-bits Table of Contents
Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical, as shown in the example given below. -
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical @@ -16,7 +16,7 @@
The opening panel is the same one that can be reached by clicking on the Control Panel. See ???. -
+
Click the tab. This panel shows the , the , @@ -25,48 +25,48 @@ Clicking the button launches the configuration wizard. Do not use this with Samba-3. If you wish to change the computer name, or join or leave the domain, click the button. See ???. -
+
Click on . This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP. We join the domain called MIDEARTH. See ???. -
+
Enter the name in the field below the Domain radio button.
This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See ???. -
+
Now click the button. A dialog box should appear to allow you to provide the credentials (username and password) of a Domain administrative account that has the rights to add machines to the Domain.
Enter the name “root” and the root password from your Samba-3 server. See ???. -
+
Click .
The “Welcome to the MIDEARTH domain” dialog box should appear. At this point, the machine must be rebooted. Joining the domain is now complete. -
The screen capture shown in ??? has a button labeled . This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space. -
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running). -
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address.
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. Where the client is a member of a Samba Domain, it is preferable to leave this field blank. -
According to Microsoft documentation, “If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is used only if Group Policy is disabled or unspecified.” -
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is in the /usr/local/samba directory. This is a perfectly reasonable location, particularly given all the other @@ -74,7 +74,7 @@
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team default. -
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy System (FHS), have elected to locate the configuration files under the /etc/samba directory, common binary files (those used by users) in the /usr/bin directory, and the administrative files (daemons) in the @@ -83,13 +83,13 @@ /usr/share/swat. There are additional support files for smbd in the /usr/lib/samba directory tree. The files located there include the dynamically loadable modules for the passdb backend as well as for the VFS modules. -
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba.
When Samba is built and installed using the default Samba Team process, all files are located under the /usr/local/samba directory tree. This makes it simple to find the files that Samba owns. -
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location of all files called smbd. Here is an example:
@@ -122,7 +122,7 @@
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by - executing: + executing:
root# rpm -qa | grep samba samba3-pdb-3.0.2-1 @@ -134,9 +134,9 @@ samba3-doc-3.0.2-1 samba3-client-3.0.2-1 samba3-cifsmount-3.0.2-1 -
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them. -
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba, there are three daemons, two of which are needed as a minimum. @@ -177,19 +177,19 @@ fi exit 0
- nmbd
- - + + This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process.
- smbd
- - + + This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd.
- winbindd
- - + + This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when Samba has trust relationships with another Domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid @@ -243,22 +243,22 @@ echo "Usage: smb {start|stop|restart|status}" exit 1 esac -
SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently executed from the command line is shown in ???. This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. -
A sample startup script for a Red Hat Linux system is shown in ???. This file could be located in the directory /etc/rc.d and can be called samba. A similar startup script is required to control winbind. If you want to find more information regarding startup scripts please refer to the packaging section of the Samba source code distribution tarball. The packaging files for each platform include a startup control file. -
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they are presented here for general reference. -
+
The forward zone file for the loopback address never changes. An example file is shown in ???. All traffic destined for an IP address that is hosted on a physical interface on the machine itself is routed to the loopback adaptor. This is @@ -275,7 +275,7 @@ IN NS @ IN A 127.0.0.1 -
The reverse zone file for the loopback address as shown in ??? is necessary so that references to the address 127.0.0.1 can be resolved to the correct name of the interface. @@ -335,15 +335,15 @@ . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 ; End of File -
The content of the root hints file as shown in ??? changes slowly over time. Periodically this file should be updated from the source shown. Because of its size this file is located at the end of this appendix. -
The following procedure may be used as an alternative means of configuring the initial LDAP database. Many administrators prefer to have greater control over how system files get configured. -
The first step to get the LDAP server ready for action is to create the LDIF file from which the LDAP database will be preloaded. This is necessary to create the containers into which the user, group, and so on, accounts is written. It is also necessary to @@ -700,7 +700,7 @@ displayName: Domain Users description: Domain Users structuralObjectClass: posixGroup -
The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL. LAM can be used to manage @@ -711,16 +711,16 @@ home page and from its mirror sites. LAM has been released under the GNU GPL version 2. The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early in 2004. -
A web server that will work with PHP4.
PHP4 (available from the PHP home page.)
OpenLDAP 2.0 or later.
A Web browser that supports CSS.
Perl.
The gettext package.
mcrypt + mhash (optional since version 0.4.3).
It is also a good idea to install SSL support.
LAM is a useful tool that provides a simple Web-based device that can be used to - manage the contents of the LDAP directory to: + manage the contents of the LDAP directory to:
Display user/group/host and Domain entries.
Manages entries (Add/Delete/Edit).
Filter and sort entries.
Set LAM administrator accounts.
Store and use multiple operating profiles.
Edit organizational units (OUs).
Upload accounts from a file.
- Is compatible with Samba-2.2.x and Samba-3.
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts. -
The default password is “lam.” It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections @@ -739,7 +739,7 @@ Copy the extracted files to the document root directory of your Web server. For example, on SuSE Linux Enterprise Server 8, copy to the /srv/web/htdocs directory. -
Set file permissions using the following commands:
root# chown -R wwwrun.www /srv/www/htdocs/lam @@ -748,14 +748,14 @@ root# chmod 755 /srv/www/htdocs/lam/config root# chmod 755 /srv/www/htdocs/lam/lib/*pl
-
Using your favorite editor create the following config.cfg LAM configuration file:
root# cd /srv/www/htdocs/lam/config root# cp config.cfg_sample config.cfg root# vi config.cfg -
An example file is shown in ???. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM @@ -769,18 +769,18 @@ lam.conf_sample file to a file called lam.conf then, using your favorite editor, change the settings to match local site needs. -
An example of a working file is shown here in ???. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates is very useful and will help many administrators to avoid pitfalls. Your configuration file obviously reflects the configuration options that are preferred at your site. -
It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in ???. -
The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in ???. It is important that you correctly set the minimum and maximum UID/GID values that are @@ -789,12 +789,12 @@ The best work-around is to temporarily set the minimum values to zero (0) to permit the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups. -
LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space. -
When you log onto LAM the opening screen drops you right into the user manager as shown in ???. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -807,7 +807,7 @@ for user accounts, group accounts may be rapidly dealt with. ??? shown a sub-screen from the group editor that permits users to be assigned secondary group memberships. -
The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen ??? will, in most cases, not be used. @@ -848,7 +848,7 @@ samba3: yes cachetimeout: 5 pwdhash: SSHA -
The setting of the SUID/SGID bits on the file or directory permissions flag has particular consequences. If the file is executable and the SUID bit is set, it executes with the privilege of (with the UID of) the owner of the file. For example, if you are logged onto a system as @@ -918,34 +918,34 @@ total 1 drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
-
The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multi-user data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
The solution to concurrent multi-user data access problems must consider three separate areas - from which the problem may stem: -
application level locking controls.
client side locking controls.
server side locking controls.
+ from which the problem may stem: +
application level locking controls.
client side locking controls.
server side locking controls.
Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided given that this is the most common application for which problems have been reported. -
Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here. -
+
The best advice that can be given is to carefully read the Microsoft knowledge base articles that cover this area. Examples of relevant documents includes: -
http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
http://support.microsoft.com/default.aspx?scid=kb;en-us;208778
http://support.microsoft.com/default.aspx?scid=kb;en-us;299373
Make sure that your MS Access database file is configured for multi-user access (not set for exclusive open). Open MS Access on each client workstation then set the following: ++. Set network path to Default database folder: \\server\share\folder.
You can configure MS Access file sharing behavior as follows: click . - Set: -
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
Default open mode: Shared
Default Record Locking: Edited Record
Open databases using record_level locking
You must now commit the changes so that they will take effect. To do so, click . At this point, you should exit MS Access, restart it and then validate that these settings have not changed. -
Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site @@ -953,7 +953,7 @@ 1998223162925 as well as from article 200110485036. -
These documents clearly state that opportunistic locking must be disabled on both the server (Samba in the case we are interested in here), as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides @@ -961,18 +961,18 @@ registry settings that may otherwise interfere with the operation of Act! Registered Act! users may download this utility from the Act! Web site. -
Third-party Windows applications may not be compatible with the use of opportunistic file - and record locking. For applications that are known not to be compatible,[14] oplock + and record locking. For applications that are known not to be compatible,[14] oplock support may need to be disabled both on the Samba server and on the Windows workstations. -
Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release it's lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. -
Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the samba server. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/Big500users.html samba-3.0.9/docs/htmldocs/Samba-Guide/Big500users.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/Big500users.html 2004-10-25 11:16:24.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/Big500users.html 2004-11-15 10:15:35.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 5. The 500-User Office +
Chapter 5. The 500-User Office The Samba-3 networking you explored in the previous chapter covers the finer points of configuration of peripheral services such as DHCP and DNS, and WINS. You experienced implementation of a simple configuration of the services that are important adjuncts @@ -16,7 +16,7 @@ involving no print job processing intelligence. In this chapter, you maintain that same approach to printing, but in the following chapter, there is an opportunity to make printing more complex for the administrator while making it easier for the user. -
The previous chapter demonstrates operation of a DHCP server and a DNS server, as well as a central WINS server. You validated the operation of these services and saw an effective implementation of a Samba Domain Controller using the @@ -38,7 +38,7 @@ improve network management and control while reducing human resource overheads. You should take the opportunity to innovate and expand on the methods presented here and explore them to the fullest. -
+
Business continues to go well for Abmas. Mr. Meany is driving your success and the network continues to grow thanks to the hard work Christine has done. You recently hired Stanley Soroka as Manager of Information Systems. Christine recommended Stan @@ -63,7 +63,7 @@ and to allow Stan and Christine to fully stage the new network and test it before it is rolled out. Your strategy is to complete the new network so that it is ready for operation when the old office moves into the new premises. -
+
The acquired business had 280 network users. The old Abmas building housed 220 network users in unbelievably cramped conditions. The network that initially served 130 users now handles 220 users quite well. @@ -104,7 +104,7 @@ DirectPointe Inc. receives from you a new standard desktop configuration every four months. They automatically roll that out to each desktop system. You must keep DirectPointe informed of all changes. -
The new network has a single Samba Domain Controller (PDC) located in the Network Operation Center (NOC). Buildings 1 and 2 each have a local server for local application servicing. It is a Domain Member. The new system @@ -112,8 +112,8 @@
Printing is based on raw pass-through facilities as it has been used so far. All printer drivers are installed on the desktop and notebook computers. -
+ The example you are building in this chapter is an example of a network design that works, but this does not make it a design that is recommended. As a general rule, there should be at least one Backup Domain Controller per 50 Windows network clients. The principle behind @@ -124,23 +124,23 @@ responsiveness. This network will have 500 clients serviced by one central Domain Controller. This is not a good omen for user satisfaction. You, of course, address this very soon (see next chapter). -
+
Stan has talked you into a horrible compromise, but it is addressed. Just make certain that the performance of this network is well validated before going live.
Design decisions made in this design include:
- - - + + + A single Primary Domain Controller (PDC) is being implemented. This limitation is based on the choice not to use LDAP. Many network administrators fear using LDAP based on the perceived complexity of implementation and management of an LDAP-based backend for all user identity management as well as to store network access credentials.
- - + + Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the only choice that makes sense with 500 users is to use the tdbsam passwd backend. This type of backend is not receptive to replication to Backup Domain Controllers. @@ -154,7 +154,7 @@ for a simple mode of operation, but has to be balanced with network performance and integrity of operations considerations.
- + A single central WINS server is being used. The PDC is also the WINS server. Any attempt to operate a routed network without a WINS server while using NetBIOS over TCP/IP protocols does not work unless on each client the name resolution @@ -165,12 +165,12 @@ At this time the Samba WINS database is not capable of being replicated. That is why a single WINS server is being implemented. This should work without a problem.
- + Backup Domain Controllers make use of winbindd to provide access to Domain security credentials for file system access and object storage.
- - + + Configuration of Windows XP Professional clients is achieved using DHCP. Each subnet has its own DHCP server. Backup DHCP serving is provided by one alternate DHCP server. This necessitates enabling of the DHCP Relay agent on @@ -186,24 +186,24 @@ The network address and sub-netmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing. -
This case gets close to the real world. You and I know the right way to implement Domain Control. Politically, we have to navigate a mine field. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in the next chapter. -
The following configuration process begins following installation of Red Hat Linux 9.0 on the three servers shown in the network topology diagram in ???. You have selected hardware that is appropriate to the task. -
+
Carefully install the configuration files into the correct locations as shown in ???. You should validate that the full file path is correct as shown.
The abbreviation shown in this table as {VLN} means the directory location beginning with /var/lib/named. -
Table 5.1. Domain: MEGANET, File Locations for Servers
File Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.conf Yes No No ??? /etc/samba/dc-common.conf Yes No No ??? /etc/samba/common.conf Yes Yes Yes ??? /etc/samba/smb.conf No Yes No ??? /etc/samba/smb.conf No No Yes ??? /etc/samba/dommem.conf No Yes Yes ??? /etc/dhcpd.conf Yes No No ??? /etc/dhcpd.conf No Yes No ??? /etc/dhcpd.conf No No Yes ??? /etc/named.conf (part A) Yes No No ??? /etc/named.conf (part B) Yes No No ??? /etc/named.conf (part C) Yes No No ??? {VLN}/master/abmas.biz.hosts Yes No No ??? {VLN}/master/abmas.us.hosts Yes No No ??? /etc/named.conf (part A) No Yes Yes ??? /etc/named.conf (part B) No Yes Yes ??? {VLN}/localhost.zone Yes Yes Yes ??? {VLN}/127.0.0.zone Yes Yes Yes ??? {VLN}/root.hint Yes Yes Yes +
Table 5.1. Domain: MEGANET, File Locations for Servers
File Information Server Name Source Target Location MASSIVE BLDG1 BLDG2 ??? /etc/samba/smb.conf Yes No No ??? /etc/samba/dc-common.conf Yes No No ??? /etc/samba/common.conf Yes Yes Yes ??? /etc/samba/smb.conf No Yes No ??? /etc/samba/smb.conf No No Yes ??? /etc/samba/dommem.conf No Yes Yes ??? /etc/dhcpd.conf Yes No No ??? /etc/dhcpd.conf No Yes No ??? /etc/dhcpd.conf No No Yes ??? /etc/named.conf (part A) Yes No No ??? /etc/named.conf (part B) Yes No No ??? /etc/named.conf (part C) Yes No No ??? {VLN}/master/abmas.biz.hosts Yes No No ??? {VLN}/master/abmas.us.hosts Yes No No ??? /etc/named.conf (part A) No Yes Yes ??? /etc/named.conf (part B) No Yes Yes ??? {VLN}/localhost.zone Yes Yes Yes ??? {VLN}/127.0.0.zone Yes Yes Yes ??? {VLN}/root.hint Yes Yes Yes The following steps apply to all servers. Follow each step carefully.
Using the UNIX/Linux system tools, set the name of the server as shown in the network @@ -219,7 +219,7 @@ root# hostname -f
- + Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system is able to resolve all its own names to the IP address prior to @@ -227,7 +227,7 @@ CUPS print server is started before the DNS server (named), you should also include an entry for the printers in the /etc/hosts file.
- + All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf so it has the following content: @@ -238,7 +238,7 @@ This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses.
- + Add the root user to the password backend as follows:
root# smbpasswd -a root @@ -251,7 +251,7 @@ deleted. If for any reason the account is deleted, you may not be able to recreate this account without considerable trouble.
- + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -289,16 +289,16 @@ Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - + +
- + Only on the server to which the printer is attached configure the CUPS Print Queues as follows:
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
- + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, i.e., printing without use of filters. The name printque is the name you have assigned for @@ -318,15 +318,15 @@ root# /usr/bin/accept printque
- - - + + + Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
- + Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream @@ -349,12 +349,12 @@ processes to auto-map Windows client drives to an application server that is nearest to the client. This is considerably more difficult when a single PDC is used on a routed network. It can be done, but not as elegantly as you see in the next chapter. -
There are some steps that apply to particular server functionality only. Each step is critical to correct server operation. -
+ + The host server acts as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding must be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows: @@ -382,7 +382,7 @@ startup files as follows: (SUSE) /etc/rc.d/boot.local, (Red Hat) /etc/rc.d/init.d/rc.local.
- + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -390,24 +390,24 @@ hosts: files dns wins
- + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in ???. Create a file containing this script. You called yours /etc/samba/initGrps.sh. Set this file so it can be executed and then execute the script. An example of the execution of this script as well as its validation are shown in Chapter 4, Section 4.3.2, Step 5.
- - - + + + For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file, as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account and use the Samba smbpasswd to create a Domain user account.
- - - + + + There are a number of tools for user management under UNIX. Commonly known ones include: useradd, adduser. In addition to these, there is a plethora of custom tools. With the tool of your choice, create a home directory for each user. @@ -420,7 +420,7 @@ file is /data. Format the file system as required and mount the formatted file system partition using appropriate system tools.
- + Create the top-level file storage directories for data and applications as follows:
root# mkdir -p /data/{accounts,finsvcs,pidata} @@ -498,7 +498,7 @@ ??? until after the operation of the server has been validated following the same methods as outlined in ???.
- + The final step that must be completed is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries: @@ -510,13 +510,13 @@
Follow the steps outlined in ??? to start all services. Do not start Samba at this time. Samba is controlled by the process called smb. -
At this time, you must now attempt to join the Domain Member servers to the Domain. The following instructions should be executed to effect this:
root# net rpc join
-
You now start the Samba services by executing:
root# service smb start @@ -525,183 +525,183 @@ Your server is ready for validation testing. Do not proceed with the steps in ??? until after the operation of the server has been validated following the same methods as outlined in ???. -
Example 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
# Global parameters [global] + Example 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
# Global parameters [global] - workgroup = MEGANET + workgroup = MEGANET - netbios name = MASSIVE + netbios name = MASSIVE - interfaces = eth1, lo + interfaces = eth1, lo - bind interfaces only = Yes + bind interfaces only = Yes - passdb backend = tdbsam + passdb backend = tdbsam - add user script = /usr/sbin/useradd -m '%u' + add user script = /usr/sbin/useradd -m '%u' - delete user script = /usr/sbin/userdel -r '%u' + delete user script = /usr/sbin/userdel -r '%u' - add group script = /usr/sbin/groupadd '%g' + add group script = /usr/sbin/groupadd '%g' - delete group script = /usr/sbin/groupdel '%g' + delete group script = /usr/sbin/groupdel '%g' - add user to group script = /usr/sbin/usermod -G '%g' '%u' + add user to group script = /usr/sbin/usermod -G '%g' '%u' - add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u' + add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u' - preferred master = Yes + preferred master = Yes - wins support = Yes + wins support = Yes - include = /etc/samba/dc-common.conf [IPC$] + include = /etc/samba/dc-common.conf [IPC$] - path = /tmp + path = /tmp - hosts allow = 172.16.0.0/16, 127.0.0.1 + hosts allow = 172.16.0.0/16, 127.0.0.1 - hosts deny = 0.0.0.0/0 [accounts] + hosts deny = 0.0.0.0/0 [accounts] - comment = Accounting Files + comment = Accounting Files - path = /data/accounts + path = /data/accounts - read only = No [service] + read only = No [service] - comment = Financial Services Files + comment = Financial Services Files - path = /data/service + path = /data/service - read only = No [pidata] + read only = No [pidata] - comment = Property Insurance Files + comment = Property Insurance Files - path = /data/pidata + path = /data/pidata - read only = No Example 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
# Global parameters [global] + read only = No Example 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
# Global parameters [global] - shutdown script = /var/lib/samba/scripts/shutdown.sh + shutdown script = /var/lib/samba/scripts/shutdown.sh - abort shutdown script = /sbin/shutdown -c + abort shutdown script = /sbin/shutdown -c - logon script = scripts\logon.bat + logon script = scripts\logon.bat - logon path = \%L\profiles\%U + logon path = \%L\profiles\%U - logon drive = X: + logon drive = X: - logon home = \%L\%U + logon home = \%L\%U - domain logons = Yes + domain logons = Yes - preferred master = Yes + preferred master = Yes - include = /etc/samba/common.conf [homes] + include = /etc/samba/common.conf [homes] - comment = Home Directories + comment = Home Directories - valid users = %S + valid users = %S - read only = No + read only = No - browseable = No [netlogon] + browseable = No [netlogon] - comment = Network Logon Service + comment = Network Logon Service - path = /var/lib/samba/netlogon + path = /var/lib/samba/netlogon - guest ok = Yes + guest ok = Yes - locking = No [profiles] + locking = No [profiles] - comment = Profile Share + comment = Profile Share - path = /var/lib/samba/profiles + path = /var/lib/samba/profiles - read only = No + read only = No - profile acls = Yes Example 5.3. Common Samba Configuration File: /etc/samba/common.conf
[global] - username map = /etc/samba/smbusers + username map = /etc/samba/smbusers - log level = 1 + log level = 1 - syslog = 0 + syslog = 0 - log file = /var/log/samba/%m + log file = /var/log/samba/%m - max log size = 50 + max log size = 50 - smb ports = 139 445 + smb ports = 139 445 - name resolve order = wins bcast hosts + name resolve order = wins bcast hosts - time server = Yes + time server = Yes - printcap name = CUPS + printcap name = CUPS - show add printer wizard = No + show add printer wizard = No - shutdown script = /var/lib/samba/scripts/shutdown.sh + shutdown script = /var/lib/samba/scripts/shutdown.sh - abort shutdown script = /sbin/shutdown -c + abort shutdown script = /sbin/shutdown -c - utmp = Yes + utmp = Yes - map acl inherit = Yes + map acl inherit = Yes - printing = cups + printing = cups - veto files = /*.eml/*.nws/*.{*}/ + veto files = /*.eml/*.nws/*.{*}/ - veto oplock files = /*.doc/*.xls/*.mdb/ + veto oplock files = /*.doc/*.xls/*.mdb/ - include = # Share and Service Definitions are common to all servers [printers] + include = # Share and Service Definitions are common to all servers [printers] - comment = SMB Print Spool + comment = SMB Print Spool - path = /var/spool/samba + path = /var/spool/samba - guest ok = Yes + guest ok = Yes - printable = Yes + printable = Yes - use client driver = Yes + use client driver = Yes - default devmode = Yes + default devmode = Yes - browseable = No [apps] + browseable = No [apps] - comment = Application Files + comment = Application Files - path = /apps + path = /apps - admin users = bjordan + admin users = bjordan - read only = No Example 5.4. Server: BLDG1 (Member), File: smb.conf
# Global parameters [global] - workgroup = MEGANET + workgroup = MEGANET - netbios name = BLDG1 + netbios name = BLDG1 - include = /etc/samba/dom-mem.conf Example 5.5. Server: BLDG2 (Member), File: smb.conf
# Global parameters [global] + include = /etc/samba/dom-mem.conf Example 5.5. Server: BLDG2 (Member), File: smb.conf
# Global parameters [global] - workgroup = MEGANET + workgroup = MEGANET - netbios name = BLDG2 + netbios name = BLDG2 - include = /etc/samba/dom-mem.conf Example 5.6. Common Domain Member Include File: dom-mem.conf
# Global parameters [global] + include = /etc/samba/dom-mem.conf Example 5.6. Common Domain Member Include File: dom-mem.conf
# Global parameters [global] - shutdown script = /var/lib/samba/scripts/shutdown.sh + shutdown script = /var/lib/samba/scripts/shutdown.sh - abort shutdown script = /sbin/shutdown -c + abort shutdown script = /sbin/shutdown -c - preferred master = Yes + preferred master = Yes - wins server = 172.16.0.1 + wins server = 172.16.0.1 - idmap uid = 15000-20000 + idmap uid = 15000-20000 - idmap gid = 15000-20000 + idmap gid = 15000-20000 include = /etc/samba/common.conf Example 5.7. Server: MASSIVE, File: dhcpd.conf
# Abmas Accounting Inc. - Chapter 5/MASSIVE @@ -1053,7 +1053,7 @@ net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
- + There are two essential steps to process startup configuration. A process must be configured so that it is automatically restarted each time the server is rebooted. This step involves use of the chkconfig tool that @@ -1062,7 +1062,7 @@ directories. Links are created so that when the system run-level is changed, the necessary start or kill script is run.
- + In the event that a service is provided not as a daemon but via the inter-networking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory @@ -1073,7 +1073,7 @@
Use the standard system tool to configure each service to restart automatically at every system reboot. For example: - +
root# chkconfig dhpc on root# chkconfig named on @@ -1082,9 +1082,9 @@ root# chkconfig swat on
- - - + + + Now start each service to permit the system to be validated. Execute each of the following in the sequence shown: @@ -1101,8 +1101,8 @@
Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. - - + + DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet.
@@ -1190,7 +1190,7 @@ user, of course.
Instruct all users to log onto the workstation using their assigned user name and password. -
The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see performance problems, at which time the modifications demonstrated in the following @@ -1206,33 +1206,33 @@ to resources on the Domain Member servers
The introduction of roaming profiles -
+
- The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are? -
- +
- Why does the include file common.conf have an empty include statement? -
- +
- I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! So what is the problem? -
- +
- You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
- How does the Windows client find the PDC?
- Why did you enable IP forwarding (routing) only on the server called MASSIVE? -
- +
- You did nothing special to implement roaming profiles. Why? -
- +
- On the Domain Member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission? -
- +
- You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
- The Domain Controller has an auto-shutdown script. Isn't that dangerous? -
+
The example smb.conf files in this chapter make use of the include facility. How may I get to see what the actual working smb.conf settings are?
@@ -1240,7 +1240,7 @@
root# testparm -s | less
-
+
Why does the include file common.conf have an empty include statement?
The use of the empty include statement nullifies further includes. For example, let's say you @@ -1253,7 +1253,7 @@ If the include parameter was not in the common.conf file, the final smb.conf file leaves the include in place, even though the file it points to has already been included. This is a bug that will be fixed at a future date. -
+
I accept that the simplest configuration necessary to do the job is the best. The use of tdbsam passdb backend is much simpler than having to manage an LDAP-based ldapsam passdb backend. I tried using rsync to replicate the passdb.tdb, and it seems to work fine! @@ -1263,7 +1263,7 @@ contents between the PDC and BDCs. The most notable symptom is that workstations may not be able to log onto the network following a reboot and may have to re-join the Domain to recover network access capability. -
+
You are using DHCP Relay enabled on the routers as well as a local DHCP server. Will this cause a clash?
No. It is possible to have as many DHCP servers on a network segment as makes sense. A DHCP server @@ -1272,7 +1272,7 @@
The only exception to this rule is when the client makes a directed request from a specific DHCP server for renewal of the lease it has. This means that under normal circumstances there is no risk of a clash. -
+
How does the Windows client find the PDC?
The Windows client obtains the WINS server address from the DHCP lease information. It also @@ -1286,12 +1286,12 @@ (BLDG1 or BLDG2) has any need for IP forwarding since they are attached only to their own network. Route table entries are needed to direct MASSIVE to send all traffic intended for the remote network segments to the router that is its gateway to them. -
+
You did nothing special to implement roaming profiles. Why?
Unless configured to do otherwise, the default behavior with Samba-3 and Windows XP Professional clients is to use roaming profiles. -
+
On the Domain Member computers, you configured winbind in the /etc/nsswitch.conf file. You did not configure any PAM settings. Is this an omission?
@@ -1300,7 +1300,7 @@ Member servers using Windows networking user names and passwords, it is necessary to configure PAM to enable the use of winbind. Samba makes use only of the identity resolution facilities of the name service switcher (NSS). -
+
You are starting SWAT up on this example but have not discussed that anywhere. Why did you do this?
Oh, I did not think you would notice that. It is there so that it can be used. This is more fully discussed diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/DomApps.html samba-3.0.9/docs/htmldocs/Samba-Guide/DomApps.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/DomApps.html 2004-10-25 11:16:28.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/DomApps.html 2004-11-15 10:15:40.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 11. Integrating Additional Services Table of Contents
Chapter 11. Integrating Additional Services Table of Contents
You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role and where authentication was required, you have used one or another of @@ -25,13 +25,13 @@ You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. -
You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground. -
Abmas Snack Foods has several thousand users housed at their Head Office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these @@ -40,7 +40,7 @@ team. The bandwidth requirements were horrific (comparable to a small ISP), and the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA. -
The team is not happy with ISA. Because it never lived up to its marketing promises, it under-performed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's @@ -51,7 +51,7 @@
This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. -
The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: @@ -61,7 +61,7 @@ Distributed system to accommodate load and geographical distribution of users
Seamless and transparent interoperability with the existing Active Directory domain -
Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application @@ -82,13 +82,13 @@ Configuring, compiling, and then installing the supporting Samba-3 components
Tying it all together -
You are a stranger in a strange land and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. -
First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 @@ -96,7 +96,7 @@ they must be removed.
The following packages should be available on your Red Hat Linux system: -
krb5-devel @@ -112,7 +112,7 @@ heimdal-lib
heimdal-devel -
pam_krb5 @@ -125,13 +125,13 @@ will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating. -
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. -
If Samba and/or Squid rpms are installed, they should be updated. You can build both from source. -
Locating the packages to be uninstalled can be achieved by running:
root# rpm -qa | grep -i samba @@ -141,14 +141,14 @@
root# rpm -e samba-common
-
The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC).
Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results, although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers. -
Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both @@ -156,11 +156,11 @@ automatically find the KDCs. In addition, krb5.conf only allows specifying a single KDC, even there if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. -
If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in ???. The final fully qualified path for this file should be /etc/krb5.conf. -
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must be in UPPERCASE, or you will get an error: “Cannot find KDC for requested realm while getting initial credentials”. Kerberos is picky about time synchronization. The time @@ -175,7 +175,7 @@ /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm. -
You are now ready to test your installation by issuing the command:
root# kinit [USERNAME@REALM] @@ -201,15 +201,15 @@ root# klist -e
shows the Kerberos tickets cached by the system: -
Samba must be configured to correctly use Active Directory. Samba-3 must be used, as this has the necessary components to interface with Active Directory. -
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use. -
The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary @@ -218,7 +218,7 @@
Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in ???. -
Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. @@ -227,7 +227,7 @@
root# net ads join -U administrator%vulcon
-
Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternately, start your Active Directory enabled Samba with the following commands: @@ -236,7 +236,7 @@ root# nmbd -D root# winbindd -B
-
We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -279,7 +279,7 @@
root# NT_STATUS_OK: Success (0x0)
-
The ntlm_auth helper, when run from a command line as the user “root”, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. @@ -297,30 +297,30 @@ root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged
-
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
Edit your /etc/nsswitch.conf file so it has the parameters shown in ???. -
Example 11.2. Samba Configuration File: /etc/samba/smb.conf
[global] + Example 11.2. Samba Configuration File: /etc/samba/smb.conf
[global] - workgroup = LONDON + workgroup = LONDON - netbios name = W2K3S + netbios name = W2K3S - realm = LONDON.ABMAS.BIZ + realm = LONDON.ABMAS.BIZ security = ads - encrypt passwords = yes + encrypt passwords = yes - password server = w2k3s.london.abmas.biz # separate domain and username with '/', like DOMAIN/username + password server = w2k3s.london.abmas.biz # separate domain and username with '/', like DOMAIN/username - winbind separator = / # use UIDs from 10000 to 20000 for domain users + winbind separator = / # use UIDs from 10000 to 20000 for domain users - idmap uid = 10000-20000 + idmap uid = 10000-20000 - idmap gid = 10000-20000 # allow enumeration of winbind users and groups + idmap gid = 10000-20000 # allow enumeration of winbind users and groups winbind enum users = yes @@ -330,28 +330,28 @@ passwd: files winbind shadow: files group: files winbind - Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. -
If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can, therefore, omit the steps that would build the Squid binary programs. -
Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default Red Hat squid rpms were installed, they will be). Set up a squid user in /etc/passwd and a squid group in /etc/group if these aren't there already. -
You now need to change the permissions on Squid's var directory. Enter the following command:
root# chown -R squid /var/cache/squid
-
Squid must also have control over its logging. Enter the following commands:
root# chown -R chown squid:squid /var/log/squid @@ -364,10 +364,10 @@ root# chown -R chown squid:squid /var/cache/squid root# chmod 770 /var/cache/squid
-
The /etc/squid/squid.conf file must be edited to include the lines from ??? and ???. -
You must create Squid's cache directories before it may be run. Enter the following command:
root# squid -z @@ -394,14 +394,14 @@ auth_param basic credentialsttl 2 hours acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers -
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. -
The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -420,44 +420,44 @@ You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. -
-
+
- What does Samba have to do with Web proxy serving?
- What other services does Samba provide? -
- +
- Does use of Samba (ntlm_auth) improve the performance of Squid? -
+
What does Samba have to do with Web proxy serving? -
To provide transparent interoperability between Windows clients and the network services that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project. -
The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his/her Windows logon credentials. This facility is available with MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server. There are a few open source initiatives to provide support for these protocols in the Apache Web server also. -
The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
What other services does Samba provide? -
Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the Identity resolver daemon, winbindd. -
Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient. -
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switcher modules to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). -
+
Does use of Samba (ntlm_auth) improve the performance of Squid?
Not really. Samba's ntlm_auth module handles only authentication. It requires that diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/go01.html samba-3.0.9/docs/htmldocs/Samba-Guide/go01.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/go01.html 2004-10-25 11:16:30.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/go01.html 2004-11-15 10:15:42.000000000 -0600 @@ -1,4 +1,4 @@ -
Glossary - Access Control List
+
Glossary - Access Control List
A detailed list of permissions granted to users or groups with respect to file and network resource access.
- Active Directory Service
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/HA.html samba-3.0.9/docs/htmldocs/Samba-Guide/HA.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/HA.html 2004-10-25 11:16:29.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/HA.html 2004-11-15 10:15:40.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 12. Performance, Reliability, and Availability Chapter 12. Performance, Reliability, and Availability Well, you have reached the chapter before the Appendix. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the chapter that should draw conclusions. This book is a suspense thriller and since @@ -7,7 +7,7 @@ regarding some of the things everyone can do to deliver a reliable Samba-3 network.
In a world so full of noise, how can the sparrow be heard? -
--Anonymous
--Anonymous The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume @@ -15,17 +15,17 @@ suggest that clustering is not important, because clearly it is. This chapter does not devote itself to discussion of clustering because each clustering methodology uses its own custom tools and methods. Only passing comments are offered concerning these methods. -
A search for “samba cluster” produced 71,600 hits. And a search for “highly available samba” and “highly available windows” produced an amazing number of references. It is clear from the resources on the Internet that Windows file and print services availability, reliability, and scalability are of vital interest to corporate network users. -
So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. -
If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -41,7 +41,7 @@ broken behavior known to many Windows networking users occurs when the list of Windows machines in MS Explorer changes, sometimes listing machines that are running and at other times not listing them even though the machines are in use on the network. -
A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools @@ -50,7 +50,7 @@ facilities to core drivers that are supplied as part of the Linux kernel. These tools share a common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it. -
The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project. @@ -60,14 +60,14 @@ It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. -
Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. -
+
There are three basic current problem areas: bad hostnames, routed networks, and network collisions. These are covered in the discussion below. -
When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears @@ -78,7 +78,7 @@ set up a NetBIOS over TCP/IP connection to it. This cannot work, because that IP address is the local Windows machine itself. Hostnames must be valid for Windows networking to function correctly. -
A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address. @@ -90,31 +90,31 @@ (workgroup) collision.parrots.com since this results in DNS lookup attempts to resolve: fred.parrots.com.parrots.com, which most likely fails given that you probably do not have this in your DNS name space. -
Note
NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1. -
UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made: -
Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to add to the Samba server smb.conf file the parameters: remote announce and remote browse sync. For more information, refer to the on-line manual page for the smb.conf file. -
Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration. -
Excessive network activity causes NetBIOS network time-outs. Time-outs may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network @@ -122,7 +122,7 @@
The use of WINS is highly recommended to reduce network broadcast traffic, as outlined in Chapter 1. -
Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became @@ -130,10 +130,10 @@ testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance immediately returned to 11 MBytes/sec. -
As a general rule, the contents of the smb.conf file should be kept as simple as possible. No parameter should be specified unless you know it is essential to operation. -
Many UNIX administrators like to fully document the settings in the smb.conf file. This is a bad idea because it adds content to the file. The smb.conf file is re-read by every smbd process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so). @@ -141,7 +141,7 @@ As the size of the smb.conf file grows the risk of introduction of parsing errors increases also. It is recommended to keep a fully documented smb.conf file on hand, and then to operate Samba only with an optimized file. -
The preferred way to maintain a documented file is to call it something like smb.conf.master. You can generate the optimized file by executing:
@@ -167,7 +167,7 @@ Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions
- + You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a @@ -176,18 +176,18 @@ ERROR: both 'wins support = true' and 'wins server = <server list>' cannot be set in the smb.conf file. nmbd will abort with this setting.
-
There are two parameters that can cause severe network performance degradation, socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them. -
Another smb.conf parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often used together with the sync always parameter. This, too, can severely degrade network performance, so do not set it or if you must, do so with caution. -
Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to @@ -195,7 +195,7 @@ support, do so on the share on which it is required only. That way, all other shares can provide oplock support for operations that are tolerant of it. See ??? for more information. -
On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily @@ -207,7 +207,7 @@ to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add Domain Member servers. This practice ensures that there is always sufficient Domain Controllers to handle logon requests and authentication traffic. -
Every network client has its own peculiarities. From a management perspective, it is easier to deal with one version of MS Windows that is maintained to a consistent update level, than it is to deal with a mixture of clients. @@ -215,37 +215,37 @@ On a number of occasions, particular Microsoft service pack updates of a Windows server or client have necessitated special handling from the Samba server end. If you want to remain sane, keep you client workstation configurations consistent. -
Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques. -
The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. -
Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual servers. Refer to TOSHARG, Chapter 16, for information regarding implementation of an MSDFS installation. -
The combination of multiple back end servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. -
Consider using rsync to replicate data across the wide-area network during times of low utilization. Users can then access the replicated data store rather than needing to do so across the wide-area network. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. -
Networking hardware prices have fallen sharply over the past five years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective hubs, switches, and cables. -
Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action. -
Defective NICs, hubs, and switches may appear as intermittent network access problems, intermittent or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD) problems with MS Windows clients. In one case, a company updated several workstations with newer, faster @@ -253,7 +253,7 @@ an older PC that was unaffected so long as the new machines were kept shut down.
Defective hardware problems may take patience and persistence before the real cause can be discovered. -
Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/happy.html samba-3.0.9/docs/htmldocs/Samba-Guide/happy.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/happy.html 2004-10-25 11:16:25.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/happy.html 2004-11-15 10:15:36.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 6. Making Users Happy Table of Contents
+
Chapter 6. Making Users Happy Table of Contents
It has been said, “A day that is without troubles is not fulfilling. Rather, give me a day of troubles well handled so that I can be content with my achievements.”
@@ -12,7 +12,7 @@ between the client and the server that is providing the network logon services. Each request between the client and the server must complete within a specific time limit. This is one of the primary factors that govern the installation of - + multiple domain controllers (usually called secondary or backup controllers). As a rough rule, there should be one such backup controller for every 30 to 150 clients. The actual limits are determined by network operational @@ -31,23 +31,23 @@ Slow logons and log-offs may be caused by many factors that include: -
Excessive delays in the resolution of a NetBIOS name to its IP address. This may be observed when an overloaded domain controller is also the WINS server. Another cause may be the failure to use a WINS server (this assumes that there is a single network segment). -
Network traffic collisions due to overloading of the network segment one short-term workaround to this may be to replace network HUBs with Ether-switches. -
Defective networking hardware. Over the past few years, we have seen on the Samba mailing list a significant increase in the number of problems that were traced to a defective network interface controller, a defective HUB or Etherswitch, or defective cabling. In most cases, it was the erratic nature of the problem that ultimately pointed to the cause of the problem. -
Excessively large roaming profiles. This type of problem is typically the result of poor user eduction, as well as poor network management. It can be avoided by users not storing huge quantities of email in @@ -56,7 +56,7 @@ on the part of network management.
- <listitem>
+ <listitem>
You should verify that the Windows XP WebClient service is not running. The use of the WebClient service has been implicated in many Windows networking related problems. @@ -65,22 +65,22 @@
- Loss of access to network drives and printer resources
Loss of access to network resources during client operation may be caused by a number of factors including: -
No matter what the cause, a sudden operational loss of access to network resources can result in BSOD (blue screen of death) situations that necessitate rebooting of the client workstation. In the case of a mild problem, retrying to access the network drive of printer may restore operations, but in any case this is a serious problem as it may lead to the next problem, data corruption. -
- Potential data corruption
- Potential data corruption
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and frustration, and generally precipitates immediate corrective demands. Management response to this type of problem may be rational, as well as highly irrational. There have been @@ -133,15 +133,15 @@ Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait for approval; I appreciate the urgency.
--Bob -
+
The priority of assigned tasks in this chapter is: -
Implement Backup Domain Controllers (BDCs) in each building. This involves a change from use of a tdbsam backend that was used in the previous chapter, to use an LDAP-based backend.
You can implement a single central LDAP server for this purpose. -
Rectify the problem of excessive logon times. This involves redirection of folders to network shares as well as modification of all user desktops to exclude the redirected folders from being loaded at login time. You can also @@ -154,13 +154,13 @@
This is the last network example in which specific mention of printing is made. The example again makes use of the CUPS printing system. -
The implementation of Samba BDCs necessitates the installation and configuration of LDAP. For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial LDAP servers in current use with Samba-3 include: -
Novell eDirectory. +
Novell eDirectory. eDirectory is being successfully used by some sites. Information on how to use eDirectory can be - obtained from the Samba mailing lists or from Novell.
IBM Tivoli Directory Server, can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba source code tarball under the directory ~samba/example/LDAP.
Sun @@ -173,13 +173,13 @@ offerings, it requires that you manually edit the server configuration files and manually initialize the LDAP directory database. OpenLDAP itself has only command line tools to help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. -
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database requires an understanding of what you are doing, why you are doing it, and the tools that you must use. -
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. High availability operation may be obtained through directory replication/synchronization and master/slave server configurations. OpenLDAP is a mature platform to host the organizational @@ -188,7 +188,7 @@ of management tools is well rewarded by performance and flexibility, and the freedom to manage directory contents with greater ability to back up, restore, and modify the directory than is generally possible with Microsoft Active Directory. -
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured for a specific task orientation. It comes with a set of administrative tools that is entirely customized @@ -199,7 +199,7 @@ MS ADAM that provides more-generic LDAP services, yet it does not have the vanilla-like services of OpenLDAP. -
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly if you find the challenge of learning about LDAP directories, schemas, configuration, and management tools, and the creation of shell and Perl scripts a bit @@ -229,26 +229,26 @@ OpenLDAP Web Site. Many people have found the book LDAP System Administration, written by Jerry Carter, quite useful. -
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly improves overall network performance for most users, but this is not enough. You must gain control over user desktops, and this must be done in a way that wins their support and does not cause further loss of staff morale. The following procedures solve this problem. -
There is also an opportunity to implement smart printing features. You add this to the Samba configuration so that future printer changes can be managed without need to change desktop configurations.
You add the ability to automatically download new printer drivers, even if they are not installed in the default desktop profile. Only one example of printing configuration is given. It is assumed that you can extrapolate the principles and use this to install all printers that may be needed. -
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account attributes Samba needs. Samba-3 can use the LDAP backend to store: -
Windows Networking User Accounts
Windows NT Group Accounts
Mapping Information between UNIX Groups and Windows NT Groups
ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
Windows Networking User Accounts
Windows NT Group Accounts
Mapping Information between UNIX Groups and Windows NT Groups
ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking accounts in the LDAP backend. This implies the need to use the PADL LDAP tools. The resolution @@ -257,11 +257,11 @@ or from the LDAP backend. This requires the use of the PADL nss_ldap toolset that integrates with the name service switcher (NSS). The same requirements exist for resolution of the UNIX username to the UID. The relationships are demonstrated in ???. -
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really ought to learn how to configure secure communications over LDAP so that sites security is not at risk. This is not covered in the following guidance. -
When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC) called MASSIVE. You initialize the Samba secrets.tdb @@ -270,12 +270,12 @@ hints are, of course, provided. You can also find on the enclosed CD-ROM, in the Chap06 directory, a few tools that help to manage user and group configuration. -
In order to effect folder redirection and to add robustness to the implementation, create a network Default Profile. All network users workstations are configured to use the new profile. Roaming profiles will automatically be deleted from the workstation when the user logs off. -
The profile is configured so that users cannot change the appearance of their desktop. This is known as a mandatory profile. You make certain that users are able to use their computers efficiently. @@ -284,7 +284,7 @@ connections.
As XP roaming profiles grow, so does the amount of time it takes to log in and out. -
An XP Roaming Profile consists of the HKEY_CURRENT_USER hive file NTUSER.DAT and a number of folders (My Documents, Application Data, Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the @@ -306,10 +306,10 @@ Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the user to not place large files on the Desktop and to use his mapped home directory for saving documents instead of the My Documents folder. -
Using a folder other than My Documents is a nuisance for some users since many applications use it by default. -
The secret to rapid loading of roaming profiles is to prevent unnecessary data from being copied back and forth, without losing any functionality. This is not difficult; it can be done by making changes to the Local Group Policy on each client as well @@ -322,7 +322,7 @@ user's profile. Then just create a Network Default Profile. Of course, it is necessary to copy all files from redirected folders to the network share to which they are redirected. -
Without an Active Directory PDC, you cannot take full advantage of Group Policy Objects. However, you can still make changes to the Local Group Policy by using the Group Policy editor (gpedit.msc). @@ -336,7 +336,7 @@ Simply add the folders you do not wish to be copied back and forth to this semi-colon separated list. Note that this change must be made on all clients that are using roaming profiles. -
There are two changes that should be done to each user's profile. Move each of the directories that you have excluded from being copied back and forth out of the usual profile path. Modify each user's NTUSER.DAT file @@ -350,7 +350,7 @@ NTUSER.DAT to a Linux box and using regedt32. The basic method is described under ???. -
If you are using Samba as your PDC, you should create a file-share called NETLOGON and within that create a directory called Default User, which is a copy of the desired default user @@ -359,7 +359,7 @@ the first login from a new account pulls its configuration from it. See also: the Real Men Don't Click Web site. -
The subject of printing is quite topical. Printing problems run second place to name resolution issues today. So far in this book, you have experienced only what is generally known as “dumb” printing. Dumb printing is the arrangement where all drivers @@ -367,7 +367,7 @@ or intelligent processing. Dumb printing is easily understood. It usually works without many problems, but it has its limitations also. Dumb printing is better known as Raw Print Through printing. -
Samba permits the configuration of Smart printing using the Microsoft Windows point-and-click (also called drag-and-drop) printing. What this provides is essentially the ability to print to any printer. If the local client does not yet have a @@ -380,7 +380,7 @@ printing that automatically senses the file format of data submitted for printing and then invokes a suitable print filter to convert the incoming data stream into a format suited to the printer to which the job is dispatched. -
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed @@ -397,12 +397,12 @@ This book is about Samba-3, so you can confine the printing style to just the smart style of installation. Those interested in further information regarding intelligent printing should review documentation on the Easy Software Products Web site. -
MS Windows network users are generally very sensitive to limits that may be imposed when confronted with locked-down workstation configurations. The challenge you face must be promoted as a choice between reliable and fast network operation, and a constant flux of problems that result in user irritation. -
You are starting a complex project. Even though you have gone through the installation of a complex network in chapter 5, this network is a bigger challenge because of the large number of complex applications that must be configured before the first few steps @@ -410,10 +410,10 @@ frequently review the steps ahead while making at least a mental note of what has already been completed. The following task list may help you to keep track of the task items that are covered: -
Samba-3 PDC Server Configuration
DHCP and DNS Servers
OpenLDAP Server
PAM and NSS Client Tools
Samba-3 PDC
Idealx SMB-LDAP Scripts
LDAP Initialization
Create User and Group Accounts
Printers
Share Point Directory Roots
Profile Directories
Samba-3 BDC Server Configuration
DHCP and DNS Servers
PAM and NSS Client Tools
Printers
Share Point Directory Roots
Profiles Directories
Samba-3 BDC Server Configuration
Windows XP Client Configuration
Default Profile Folder Redirection
MS Outlook PST File Relocation
Delete Roaming Profile on Logout
Upload Printer Drivers to Samba Servers
Install Software
Creation of Roll-out Images
Samba-3 PDC Server Configuration
DHCP and DNS Servers
OpenLDAP Server
PAM and NSS Client Tools
Samba-3 PDC
Idealx SMB-LDAP Scripts
LDAP Initialization
Create User and Group Accounts
Printers
Share Point Directory Roots
Profile Directories
Samba-3 BDC Server Configuration
DHCP and DNS Servers
PAM and NSS Client Tools
Printers
Share Point Directory Roots
Profiles Directories
Samba-3 BDC Server Configuration
Windows XP Client Configuration
Default Profile Folder Redirection
MS Outlook PST File Relocation
Delete Roaming Profile on Logout
Upload Printer Drivers to Samba Servers
Install Software
Creation of Roll-out Images
The network design shown in ??? is not comprehensive. It is assumed that you will install additional file servers, and possibly additional BDCs. -
All configuration files and locations are shown for SUSE Linux 9.0. The file locations for Red Hat Linux are similar. You may need to adjust the locations for your particular Linux system distribution/implementation. @@ -424,16 +424,16 @@ in that chapter. If you are starting with newly installed Linux servers, you must complete the steps shown in ??? before commencing at ???: -
Confirm that the packages shown in ??? are installed on your system.
Table 6.1. Required OpenLDAP Linux Packages
SUSE Linux 8.x SUSE Linux 9 Red Hat Linux 9 nss_ldap nss_ldap nss_ldap pam_ldap pam_ldap pam_ldap openldap2 openldap2 openldap openldap2-client openldap2-client openldap2-back-perl openldap2-back-monitor openldap2-back-ldap openldap2-back-meta Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you follow these guidelines, the resulting system should work fine. -
Install the file shown in ??? in the directory /etc/openldap. -
Remove all files from the directory /var/lib/ldap, making certain that the directory exists with permissions:
@@ -473,7 +473,7 @@ index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub -
The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. @@ -481,12 +481,12 @@ Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely that you may want to use them for UNIX system (Linux) local machine logons. This necessitates correct configuration of the Pluggable Authentication - Modules + Modules (PAM). The pam_ldap open source package provides the PAM modules that most people would use. On SUSE Linux systems, the pam_unix2.so module also has the ability to redirect authentication requests through LDAP. -
You have chosen to configure these services by directly editing the system files but, of course, you know that this configuration can be done using system tools provided by the Linux system vendor. SUSE Linux has a facility in YaST (the system admin tool) through ->-> that permits @@ -523,7 +523,7 @@ nss_base_passwd ou=People,dc=abmas,dc=biz?one nss_base_shadow ou=People,dc=abmas,dc=biz?one nss_base_group ou=Groups,dc=abmas,dc=biz?one -
Execute the following command to find where the nss_ldap module expects to find its control file:
@@ -535,7 +535,7 @@ ??? into the path that was obtained from the step above. On the servers called BLDG1 and BLDG2, install the file shown in ??? into the path that was obtained from the step above. -
Edit the NSS control file (/etc/nsswitch.conf) so that the lines that control user and group resolution will obtain information from the normal system files as well as from ldap as follows: @@ -549,7 +549,7 @@ added, you can validate resolution of the LDAP resolver process. The inclusion of WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be resolved to their IP addresses, whether or not they are DHCP clients. -
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following files in the /etc/pam.d directory: login, password, samba, sshd. @@ -572,7 +572,7 @@ session required pam_unix2.so none use_ldap # debug or trace session required pam_limits.so
-
On other Linux systems that do not have an LDAP-enabled pam_unix2.so module, you must edit these files by adding the pam_ldap.so modules as shown here:
@@ -595,7 +595,7 @@ demonstrates the use of the pam_ldap.so module. You can use either implementation, but if the pam_unix2.so on your system supports LDAP, you probably want to use it, rather than add an additional module. -
Verify that the Samba-3.0.2 (or later) packages are installed on each SUSE Linux server before following the steps below. If Samba-3.0.2 (or later) is not installed, you have the choice to either build your own or to obtain the packages from a dependable source. @@ -607,7 +607,7 @@ and ??? into the /etc/samba/ directory. The three files should be added together to form the smb.conf file. -
Verify the contents of the smb.conf file that is generated by Samba as it collates all the included files. You do this by executing:
@@ -637,7 +637,7 @@ root# rm /var/lib/samba/*dat root# rm /var/log/samba/*
-
Samba-3 communicates with the LDAP server. The password that it uses to authenticate to the LDAP server must be stored in the secrets.tdb file. Execute the following to create the new secrets.tdb files @@ -649,7 +649,7 @@
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
-
Samba-3 generates a Windows Security Identifier only when smbd has been started. For this reason, you start Samba. After a few seconds delay, execute: @@ -676,10 +676,10 @@
When a positive Domain SID has been reported, stop Samba.
- - - - + + + + Configure the NFS server for your Linux system. So you can complete the steps that follow, enter into the /etc/exports the following entry:
@@ -697,91 +697,91 @@
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with configuration of the LDAP server. -
Example 6.4. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters [global] + Example 6.4. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters [global] - unix charset = LOCALE + unix charset = LOCALE - workgroup = MEGANET2 + workgroup = MEGANET2 - netbios name = MASSIVE + netbios name = MASSIVE - interfaces = eth1, lo + interfaces = eth1, lo - bind interfaces only = Yes + bind interfaces only = Yes - passdb backend = ldapsam:ldap://massive.abmas.biz + passdb backend = ldapsam:ldap://massive.abmas.biz - username map = /etc/samba/smbusers + username map = /etc/samba/smbusers - log level = 1 + log level = 1 - syslog = 0 + syslog = 0 - log file = /var/log/samba/%m + log file = /var/log/samba/%m - max log size = 50 + max log size = 50 - smb ports = 139 445 + smb ports = 139 445 - name resolve order = wins bcast hosts + name resolve order = wins bcast hosts - time server = Yes + time server = Yes - printcap name = CUPS + printcap name = CUPS - show add printer wizard = No + show add printer wizard = No - add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u' + add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u' - delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u' + delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u' - add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g' + add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g' - delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g' + delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g' - add user to group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -m '%u' '%g' + add user to group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -m '%u' '%g' - delete user from group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -x '%u' '%g' + delete user from group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -x '%u' '%g' - set primary group script = /var/lib/samba/sbin/ smbldap-usermod.pl -g '%g' '%u' + set primary group script = /var/lib/samba/sbin/ smbldap-usermod.pl -g '%g' '%u' - add machine script = /var/lib/samba/sbin/ smbldap-useradd.pl -w '%u' + add machine script = /var/lib/samba/sbin/ smbldap-useradd.pl -w '%u' - logon script = scripts\logon.bat + logon script = scripts\logon.bat - logon path = \\%L\profiles\%U + logon path = \\%L\profiles\%U - logon drive = X: + logon drive = X: - domain logons = Yes + domain logons = Yes - preferred master = Yes + preferred master = Yes - wins support = Yes + wins support = Yes - ldap suffix = dc=abmas,dc=biz + ldap suffix = dc=abmas,dc=biz - ldap machine suffix = ou=People + ldap machine suffix = ou=People - ldap user suffix = ou=People + ldap user suffix = ou=People - ldap group suffix = ou=Groups Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
+ ldap group suffix = ou=Groups Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
- ldap idmap suffix = ou=Idmap + ldap idmap suffix = ou=Idmap - ldap admin dn = cn=Manager,dc=abmas,dc=biz + ldap admin dn = cn=Manager,dc=abmas,dc=biz - idmap backend = ldap:ldap://massive.abmas.biz + idmap backend = ldap:ldap://massive.abmas.biz - idmap uid = 10000-20000 + idmap uid = 10000-20000 - idmap gid = 10000-20000 + idmap gid = 10000-20000 - map acl inherit = Yes + map acl inherit = Yes - printing = cups + printing = cups - printer admin = Administrator, chrisr
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts on the LDAP server. You have chosen the Idealx scripts since they are part of the Samba-3 package distribution. On your SUSE Linux system, you find these scripts in the @@ -817,7 +817,7 @@ root# cd /usr/share/doc/packages/samba3/Examples/LDAP/smbldap-tools root# cp *.pl *.pm /var/lib/samba/sbin
-
You must compile the mkntpasswd tool and then install it into the /var/lib/samba/sbin directory, as shown here:
@@ -929,7 +929,7 @@ root# chmod 555 /var/lib/samba/sbin/mkntpwd
The smbldap-tools scripts are now ready for use. -
The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group accounts before Samba can be used. The following procedures step you through the process.
@@ -941,7 +941,7 @@ does not need to ask LDAP.
Addition of an account to the LDAP backend can be done in a number of ways: -
If you always have a user account in the /etc/passwd on every server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in LDAP. In this case, you can add Windows Domain user accounts using the @@ -953,15 +953,15 @@ In the example system you are installing in this exercise, you are making use of the Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system, is included on the enclosed CD-ROM under Chap06/Tools. -
If you wish to have more control over how the LDAP database is initialized or want not to use the Idealx smbldap-tools, you should refer to ???. -
The following steps initialize the LDAP database, and then you can add user and group accounts that Samba can use. You use the smbldap-populate.pl to seed the LDAP database. You then manually add the accounts shown in ???. The list of users does not cover all 500 network users; it provides examples only. -
Note
Note
In the following examples, as the LDAP database is initialized, we do create a container for Computer (machine) accounts. In the Samba-3 smb.conf files, specific use is made of the People container, not the Computers container, for domain member accounts. This is not a @@ -1011,7 +1011,7 @@ Shutting down ldap-server done Starting ldap-server done
-
So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -1020,7 +1020,7 @@ dn: ou=Idmap,dc=abmas,dc=biz ou: idmap
- + If the execution of this command does not return IDMAP entries, you need to create an LDIF template file (see ???). You can add the required entries using the following command: @@ -1029,7 +1029,7 @@ -w not24get < /etc/openldap/idmap.LDIF
Samba automatically populates this LDAP directory container when it needs to. -
It looks like all has gone well, as expected. Let's confirm that this is the case by running a few tests. First we check the contents of the database directly by running slapcat as follows (the output has been cut down): @@ -1066,7 +1066,7 @@ modifyTimestamp: 20031217234206Z
This looks good so far. -
The next step is to prove that the LDAP server is running and responds to a search request. Execute the following as shown (output has been cut to save space):
@@ -1110,7 +1110,7 @@ # numEntries: 19
Good. It is all working just fine. -
You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands:
@@ -1122,10 +1122,10 @@ Domain Users:x:513: Domain Guests:x:514: Domain Computers:x:553: -
This demonstrates that the nss_ldap library is functioning as it should. -
Our database is now ready for the addition of network users. For each user for whom an account must be created, execute the following:
@@ -1140,7 +1140,7 @@ Retype new SMB password: XXXXXXXX
Where username is the login ID for each user. -
Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the following:
@@ -1157,7 +1157,7 @@ uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
This confirms that the UNIX (Posix) user accounts can be resolved from LDAP. -
In the above listing, you can see that the user Administrator has been given UID=998. This means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the @@ -1180,7 +1180,7 @@ drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
This is precisely what we want to see. -
The final validation step involves making certain that Samba-3 can obtain the user accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
@@ -1207,7 +1207,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
This looks good. Of course, you fully expected that it would all work, didn't you? -
Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown:
@@ -1217,7 +1217,7 @@
The addition of groups does not involve keyboard interaction, so the lack of console output is of no concern. -
You really do want to confirm that UNIX group resolution from LDAP is functioning as it should. Let's do this as shown here:
@@ -1233,7 +1233,7 @@
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well as our own site-specific group accounts, are correctly listed. This is looking good. -
The final step we need to validate is that Samba can see all the Windows Domain Groups and that they are correctly mapped to the respective UNIX group account. To do this, just execute the following command: @@ -1282,7 +1282,7 @@
root# rcwinbind restart
-
You may now check Samba-3 operation as follows:
root# smbclient -L massive -U% @@ -1327,7 +1327,7 @@ Well done. All is working fine.
The server MASSIVE is now configured, and it is time to move onto the next task. -
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been taken care of in the smb.conf file. The only preparation needed for smart @@ -1345,16 +1345,16 @@ Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct mode, raw printing. This allows the CUPS spooler to print using raw mode protocols. - - -
+ Only on the server to which the printer is attached, configure the CUPS Print Queues as follows:
root# lpadmin -p printque -v socket://printer-name.abmas.biz:9100 -E
- + This step creates the necessary print queue to use no assigned print filter. This is ideal for raw printing, i.e., printing without use of filters. The name printque is the name you have assigned for @@ -1374,15 +1374,15 @@ root# /usr/bin/accept printque
- - - + + + Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
- + Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream @@ -1444,7 +1444,7 @@ bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. -
The next step in the verification process involves testing the operation of UNIX group resolution via the NSS LDAP resolver. Execute these commands:
@@ -1474,7 +1474,7 @@ This is also the correct and desired output, because it demonstrates that the LDAP client is able to communicate correctly with the LDAP server (MASSIVE). -
You must now set the LDAP administrative password into the Samba-3 secrets.tdb file by executing this command: @@ -1507,7 +1507,7 @@
This indicates that the Domain security account for the BDC has been correctly created.
- + Verify that user and group account resolution works via Samba-3 tools as follows:
root# pdbedit -L @@ -1590,219 +1590,219 @@ should be added together to form the smb.conf file.
Follow carefully the steps shown in ???, starting at step 2. -
Example 6.6. LDAP Based smb.conf File, Server: BLDG1
# Global parameters [global] + Example 6.6. LDAP Based smb.conf File, Server: BLDG1
# Global parameters [global] - unix charset = LOCALE + unix charset = LOCALE - workgroup = MEGANET2 + workgroup = MEGANET2 - netbios name = BLDG1 + netbios name = BLDG1 - passdb backend = ldapsam:ldap://massive.abmas.biz + passdb backend = ldapsam:ldap://massive.abmas.biz - username map = /etc/samba/smbusers + username map = /etc/samba/smbusers - log level = 1 + log level = 1 - syslog = 0 + syslog = 0 - log file = /var/log/samba/%m + log file = /var/log/samba/%m - max log size = 50 + max log size = 50 - smb ports = 139 445 + smb ports = 139 445 - name resolve order = wins bcast hosts + name resolve order = wins bcast hosts - printcap name = CUPS + printcap name = CUPS - show add printer wizard = No + show add printer wizard = No - logon script = scripts\logon.bat + logon script = scripts\logon.bat - logon path = \\%L\profiles\%U + logon path = \\%L\profiles\%U - logon drive = X: + logon drive = X: - domain logons = Yes + domain logons = Yes - domain master = No + domain master = No - wins server = 172.16.0.1 + wins server = 172.16.0.1 - ldap suffix = dc=abmas,dc=biz + ldap suffix = dc=abmas,dc=biz - ldap machine suffix = ou=People + ldap machine suffix = ou=People - ldap user suffix = ou=People + ldap user suffix = ou=People - ldap group suffix = ou=Groups + ldap group suffix = ou=Groups - ldap idmap suffix = ou=Idmap + ldap idmap suffix = ou=Idmap - ldap admin dn = cn=Manager,dc=abmas,dc=biz + ldap admin dn = cn=Manager,dc=abmas,dc=biz - idmap backend = ldap:ldap://massive.abmas.biz + idmap backend = ldap:ldap://massive.abmas.biz - idmap uid = 10000-20000 + idmap uid = 10000-20000 - idmap gid = 10000-20000 + idmap gid = 10000-20000 - printing = cups + printing = cups - printer admin = Administrator, chrisr Example 6.7. LDAP Based smb.conf File, Server: BLDG2
# Global parameters [global] + printer admin = Administrator, chrisr Example 6.7. LDAP Based smb.conf File, Server: BLDG2
# Global parameters [global] - unix charset = LOCALE + unix charset = LOCALE - workgroup = MEGANET2 + workgroup = MEGANET2 - netbios name = BLDG2 + netbios name = BLDG2 - passdb backend = ldapsam:ldap://massive.abmas.biz + passdb backend = ldapsam:ldap://massive.abmas.biz - username map = /etc/samba/smbusers + username map = /etc/samba/smbusers - log level = 1 + log level = 1 - syslog = 0 + syslog = 0 - log file = /var/log/samba/%m + log file = /var/log/samba/%m - max log size = 50 + max log size = 50 - smb ports = 139 445 + smb ports = 139 445 - name resolve order = wins bcast hosts + name resolve order = wins bcast hosts - printcap name = CUPS + printcap name = CUPS - show add printer wizard = No + show add printer wizard = No - logon script = scripts\logon.bat + logon script = scripts\logon.bat - logon path = \\%L\profiles\%U + logon path = \\%L\profiles\%U - logon drive = X: + logon drive = X: - domain logons = Yes + domain logons = Yes - domain master = No + domain master = No - wins server = 172.16.0.1 + wins server = 172.16.0.1 - ldap suffix = dc=abmas,dc=biz + ldap suffix = dc=abmas,dc=biz - ldap machine suffix = ou=People + ldap machine suffix = ou=People - ldap user suffix = ou=People + ldap user suffix = ou=People - ldap group suffix = ou=Groups + ldap group suffix = ou=Groups - ldap idmap suffix = ou=Idmap + ldap idmap suffix = ou=Idmap - ldap admin dn = cn=Manager,dc=abmas,dc=biz + ldap admin dn = cn=Manager,dc=abmas,dc=biz - idmap backend = ldap://massive.abmas.biz + idmap backend = ldap://massive.abmas.biz - idmap uid = 10000-20000 + idmap uid = 10000-20000 - idmap gid = 10000-20000 + idmap gid = 10000-20000 - printing = cups + printing = cups - printer admin = Administrator, chrisr Example 6.8. LDAP Based smb.conf File, Shares Section Part A
[accounts] + printer admin = Administrator, chrisr Example 6.8. LDAP Based smb.conf File, Shares Section Part A
[accounts] - comment = Accounting Files + comment = Accounting Files - path = /data/accounts + path = /data/accounts - read only = No [service] + read only = No [service] - comment = Financial Services Files + comment = Financial Services Files - path = /data/service + path = /data/service - read only = No [pidata] + read only = No [pidata] - comment = Property Insurance Files + comment = Property Insurance Files - path = /data/pidata + path = /data/pidata - read only = No [homes] + read only = No [homes] - comment = Home Directories + comment = Home Directories - valid users = %S + valid users = %S - read only = No + read only = No - browseable = No [printers] + browseable = No [printers] - comment = SMB Print Spool + comment = SMB Print Spool - path = /var/spool/samba + path = /var/spool/samba - guest ok = Yes + guest ok = Yes - printable = Yes + printable = Yes - browseable = No Example 6.9. LDAP Based smb.conf File, Shares Section Part B
[apps] - comment = Application Files + comment = Application Files - path = /apps + path = /apps - admin users = bjordan + admin users = bjordan - read only = No [netlogon] + read only = No [netlogon] - comment = Network Logon Service + comment = Network Logon Service - path = /var/lib/samba/netlogon + path = /var/lib/samba/netlogon - guest ok = Yes + guest ok = Yes - locking = No [profiles] + locking = No [profiles] - comment = Profile Share + comment = Profile Share - path = /var/lib/samba/profiles + path = /var/lib/samba/profiles - read only = No + read only = No - profile acls = Yes [profdata] + profile acls = Yes [profdata] - comment = Profile Data Share + comment = Profile Data Share - path = /var/lib/samba/profdata + path = /var/lib/samba/profdata - read only = No + read only = No - profile acls = Yes [print$] + profile acls = Yes [print$] - comment = Printer Drivers + comment = Printer Drivers - path = /var/lib/samba/drivers + path = /var/lib/samba/drivers - browseable = yes + browseable = yes - guest ok = no + guest ok = no - read only = yes + read only = yes write list = Administrator, chrisr Example 6.10. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
dn: ou=Idmap,dc=abmas,dc=biz objectClass: organizationalUnit ou: idmap structuralObjectClass: organizationalUnit -
My father would say, “Dinner is not over until the dishes have been done.” The makings of a great network environment take a lot of effort and attention to detail. So far you have completed most of the complex (and to many administrators, the interesting part of server configuration) steps, but remember to tie it all together. Here are a few more steps that must be completed so that your network runs like a well-rehearsed orchestra. -
+
In your smb.conf file, you have specified Windows shares. Each has a path parameter. Even though it is obvious to all, one of the common Samba networking problems is @@ -1821,7 +1821,7 @@ root# chmod -R ug+rwxs,o-rwx /data root# chmod -R ug+rwx,o+rx-w /apps
-
You made a conscious decision to do everything it would take to improve network client performance. One of your decisions was to implement folder redirection. This means that Windows user desktop profiles are now made up of two components a dynamically loaded part and a set of file @@ -1845,7 +1845,7 @@ root# chown -R username.Domain\ Users username root# chmod -R 750 username
-
You have three options insofar as the dynamically loaded portion of the roaming profile is concerned:
You may permit the user to obtain a default profile.
You can create a mandatory profile.
You can create a group profile (which is almost always a mandatory profile).
@@ -1854,7 +1854,7 @@ NTUSER.DAT to NTUSER.MAN, i.e., just by changing the filename extension. -
The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend. You can manage this using the Idealx smbldap-tools or using the Windows NT4 Domain User Manager. @@ -1867,7 +1867,7 @@ /var/lib/samba/profiles/username root# chmod 700 /var/lib/samba/profiles/username
-
The use of a logon script with Windows XP Professional is an option that every site should consider. Unless you have locked down the desktop so the user cannot change anything, there is risk that a vital network drive setting may be broken or that printer connections may be lost. Logon scripts @@ -1895,7 +1895,7 @@ You should research the options for logon script implementation by referring to TOSHARG, Chapter 21, Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon facilities in use today is called KiXtart. -
In the next few sections, you can configure a new Windows XP Professional disk image on a staging machine. You will configure all software, printer settings, profile and policy handling, and desktop default profile settings on this system. When it is complete, you copy the contents of the @@ -1907,7 +1907,7 @@ How to Create a Base Profile for All Users. -
Log onto the Windows XP Professional workstation as the local Administrator. It is necessary to expose folders that are generally hidden to provide access to the Default User @@ -1918,12 +1918,12 @@ Select Show hidden files and folders, and click . Exit Windows Explorer. -
Launch the Registry Editor. Click ->. Key in regedt32, and click .
-
Procedure 6.10. Redirect Folders in Default System User Profile
Procedure 6.10. Redirect Folders in Default System User Profile
Give focus to HKEY_LOCAL_MACHINE hive entry in the left panel. Click ->->->->->. In the dialog box that opens, enter the key name Default @@ -1936,27 +1936,27 @@
The contents of the right panel reveals the contents as shown in ???. -
You edit hive keys. Acceptable values to replace the %USERPROFILE% variable includes:
A drive letter such as: U:
A direct network path such as: \\MASSIVE\profdata
A network redirection (UNC name) that contains a macro such as:
\\%LOGONSERVER%\profdata\
-
Set the registry keys as shown in ???. Your implementation makes the assumption that users have statically located machines. Notebook computers (mobile users) need to be accommodated using local profiles. This is not an uncommon assumption.
Click back to the root of the loaded hive Default. Click ->->. -
Now follow the procedure given in ???. Make sure that each folder you have redirected is in the exclusion list.
- You are now ready to copy[11] + You are now ready to copy[11] the Default User profile to the Samba Domain Controllers. Launch Microsoft Windows Explorer, and use it to copy the full contents of the directory Default User @@ -1970,7 +1970,7 @@ Deselect Show hidden files and folders, and click . Exit Windows Explorer. -
Table 6.3. Default Profile Redirections
Registry Key Redirected Value Cache %LOGONSERVER%\profdata\%USERNAME%\InternetFiles Cookies %LOGONSERVER%\profdata\%USERNAME%\Cookies History %LOGONSERVER%\profdata\%USERNAME%\History Local AppData %LOGONSERVER%\profdata\%USERNAME%\AppData Local Settings %LOGONSERVER%\profdata\%USERNAME%\LocalSettings My Pictures %LOGONSERVER%\profdata\%USERNAME%\MyPictures Personal %LOGONSERVER%\profdata\%USERNAME%\MyDocuments Recent %LOGONSERVER%\profdata\%USERNAME%\Recent
Table 6.3. Default Profile Redirections
Registry Key Redirected Value Cache %LOGONSERVER%\profdata\%USERNAME%\InternetFiles Cookies %LOGONSERVER%\profdata\%USERNAME%\Cookies History %LOGONSERVER%\profdata\%USERNAME%\History Local AppData %LOGONSERVER%\profdata\%USERNAME%\AppData Local Settings %LOGONSERVER%\profdata\%USERNAME%\LocalSettings My Pictures %LOGONSERVER%\profdata\%USERNAME%\MyPictures Personal %LOGONSERVER%\profdata\%USERNAME%\MyDocuments Recent %LOGONSERVER%\profdata\%USERNAME%\Recent Microsoft Outlook can store a Personal Storage file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, @@ -1983,9 +1983,9 @@ ->->->->.
Follow the on-screen prompts to relocate the PST file to the desired location. -
To configure the Windows XP Professional client to auto-delete roaming profiles on logout: -
Click ->. In the dialog box, enter: MMC and click . @@ -1993,7 +1993,7 @@ Follow these steps to set the default behavior of the staging machine so that all roaming profiles are deleted as network users log out of the system. Click ->->->->->->->. -
The Microsoft Management Console now shows the utility that enables you to set the policies needed. In the left panel, click ->->->. In the right panel, set the properties shown here by double-clicking on each @@ -2001,7 +2001,7 @@
Do not check for user ownership of Roaming Profile Folders = Enabled
Delete cached copies of roaming profiles = Enabled
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies made of this system to deploy the new standard desktop system. -
Users want to be able to use network printers. You have a vested interest in making it easy for them to print. You have chosen to install the printer drivers onto the Samba servers and to enable point-and-click (drag-and-drop) printing. This process results in @@ -2031,7 +2031,7 @@ MASSIVE is displayed. Click the tab. Note that the box labelled is empty. Click the button that is next to the box. This launches the quote“Add Printer Wizard”. -
The “Add Printer Driver Wizard on MASSIVE” panel is now presented. Click to continue. From the left panel, select the Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by @@ -2040,12 +2040,12 @@ progress bar appears and instructs you as each file is being uploaded and that it is being directed at the network server \\massive\ps01-color.
- - - - - - + + + + + + The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, you are returned to the tab in the panel. You can set the Location (under the tab), and Security settings (under @@ -2054,7 +2054,7 @@ directory”. When this box is checked the printer will be published in Active Directory (Applicable to Active Directory use only.)
- + Click . It will take a minute or so to upload the settings to the server. You are now returned to the monitor. Right-click on the printer, click ->. Now change the settings to suit @@ -2066,7 +2066,7 @@ just to initialize the Samba printers database entry for this printer. If you need to revert a setting, Click again.
- + Verify that all printer settings are at the desired configuration. When you are satisfied that they are, click the tab. Now click the button. A test page should print. Verify that it has printed correctly. Then click @@ -2076,7 +2076,7 @@ You must repeat this process for all network printers (i.e., for every printer, on each server). When you have finished uploading drivers to all printers, close all applications. The next task is to install software your users require to do their work. -
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. Notebooks require special handling that is beyond the scope of this chapter. @@ -2091,7 +2091,7 @@ When you believe that the overall configuration is complete, be sure to create a shared group profile and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in case a user may have specific needs you had not anticipated. -
The final steps before preparing the distribution Norton Ghost image file you might follow are:
Un-join the domain Each workstation requires a unique name and must be independently @@ -2100,7 +2100,7 @@ Defragment the hard disk While not obvious to the uninitiated, defragmentation results in better performance and often significantly reduces the size of the compressed disk image. That also means it will take less time to deploy the image onto 500 workstations. -
This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately avoided any consideration of security. Security does not just happen; you must design it into your total network. Security begins with a systems design and implementation that anticipates hostile behavior from @@ -2108,7 +2108,7 @@ they accept them as challenges. For that reason, if not simply from a desire to establish safe networking practices, you must not deploy the design presented in this book in an environment where there is risk of compromise. -
As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be configured to use secure protocols for all communications over the network. Of course, secure networking does not result just from systems design and implementation but involves constant user education @@ -2134,37 +2134,37 @@ Control over roaming profiles, with particular focus on folder redirection to network drives.
Use of the CUPS printing system together with Samba-based printer driver auto-download. -
Well, here we are at the end of this chapter and we have only ten questions to help you to remember so much. There are bound to be some sticky issues here. -
-
+
- Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions? -
- +
- You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? -
- +
- You did not use SWAT to configure Samba. Is there something wrong with it? -
- +
- You have exposed a well-used password not24get. Is that not irresponsible? -
- +
- The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing? -
- +
- Can I use LDAP just for Samba accounts and not for UNIX system accounts? -
- +
- Why are the Windows Domain RID portions not the same as the UNIX UID? -
- +
- Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work? -
- +
- Is folder redirection dangerous? I've heard that you can lose your data that way. -
- +
- Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile? -
+
Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions?
@@ -2183,7 +2183,7 @@ This book makes little mention of backup techniques. Does that mean that I am recommending that you should implement a network without provision for data recovery and for disaster management? Back to our focus: The deployment of Samba has been clearly demonstrated. -
+
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using? @@ -2210,7 +2210,7 @@ of open source software. I favor neither and respect both. I like particular features of both products (companies also). No bias in presentation is intended. Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. -
+
You did not use SWAT to configure Samba. Is there something wrong with it?
That is a good question. As it is, the smb.conf file configurations are presented @@ -2221,14 +2221,14 @@ There are people in the Linux and open source community who feel that SWAT is dangerous and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I hope to have brought their interests on board. SWAT is well covered is TOSHARG. -
+
You have exposed a well-used password not24get. Is that not irresponsible?
Well, I had to use a password of some sort. At least this one has been consistently used throughout. I guess you can figure out that in a real deployment it would make sense to use a more secure and original password. -
+
The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing?
@@ -2236,7 +2236,7 @@ Let's give Idealx some credit for the contribution they have made. I appreciate their work and, besides, it does no harm to create accounts that are not now used as at some time Samba may well use them. -
+
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX) @@ -2244,7 +2244,7 @@ the system password account, how do you plan to keep all domain controller system password files in sync? I think that having everything in LDAP makes a lot of sense for the UNIX admin who is still learning the craft and is migrating from MS Windows. -
+
Why are the Windows Domain RID portions not the same as the UNIX UID?
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. @@ -2253,7 +2253,7 @@ assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does permit you to override that to some extent. See the smb.conf man page entry for algorithmic rid base. -
+
Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work?
@@ -2263,7 +2263,7 @@ Inkjet printer. Use the appropriate device URI (Universal Resource Interface) argument to the lpadmin -v option that is right for your printer. -
+
Is folder redirection dangerous? I've heard that you can lose your data that way.
The only loss of data I know of that involved folder redirection was caused by @@ -2273,13 +2273,13 @@ he declined to move the data because he thought it was still in the local profile folder. That was not the case, so by declining to move the data back, he wiped out the data. You cannot hold the tool responsible for that. Caveat emptor still applies. -
+
Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile?
Yes. If you do not do this, the data will still be copied from the network folder (share) to the local cached copy of the profile. -
[11] There is an alternate method by which a Default User profile can be added to the NETLOGON share. This facility in the Windows System tool permits profiles to be exported. The export target may be a particular user or diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/index.html samba-3.0.9/docs/htmldocs/Samba-Guide/index.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/index.html 2004-10-25 11:16:40.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/index.html 2004-11-15 10:15:57.000000000 -0600 @@ -1,4 +1,4 @@ -
Samba-3 by Example diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/ix01.html samba-3.0.9/docs/htmldocs/Samba-Guide/ix01.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/ix01.html 2004-10-25 11:16:40.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/ix01.html 2004-11-15 10:15:57.000000000 -0600 @@ -1,5 +1,5 @@ -Table of Contents
- About the Cover Artwork
- Acknowledgments
- Foreword
- Preface
- 1. Networking Primer
- 2. No Frills Samba Servers
- 3. Small Office Networking
- 4. Secure Office Networking
- 5. The 500-User Office
- 6. Making Users Happy
- 7. A Distributed 2000 User Network
- 8. Migrating NT4 Domain to Samba-3
- 9. Adding UNIX/LINUX Servers and Clients
- 10. Active Directory, Kerberos, and Security
- 11. Integrating Additional Services
- 12. Performance, Reliability, and Availability
- A. Appendix: A Collection of Useful Tid-bits
- B. GNU General Public License
- Preamble
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
- Section 0
- Section 1
- Section 2
- Section 3
+
Samba-3 by Example +Table of Contents
- About the Cover Artwork
- Acknowledgments
- Foreword
- Preface
- 1. Networking Primer
- 2. No Frills Samba Servers
- 3. Small Office Networking
- 4. Secure Office Networking
- 5. The 500-User Office
- 6. Making Users Happy
- 7. A Distributed 2000 User Network
- 8. Migrating NT4 Domain to Samba-3
- 9. Adding UNIX/LINUX Servers and Clients
- 10. Active Directory, Kerberos, and Security
- 11. Integrating Additional Services
- 12. Performance, Reliability, and Availability
- A. Appendix: A Collection of Useful Tid-bits
- B. GNU General Public License
- Glossary
- Index
List of Figures
- 1.1. Windows Me Broadcasts The First 10 Minutes
- 1.2. Windows Me Later Broadcast Sample
- 1.3. Typical Windows 9x/Me Host Announcement
- 1.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
- 1.5. Typical Windows 9x/Me User SessionSetUp AndX Request
- 1.6. Typical Windows XP NULL Session Setup AndX Request
- 1.7. Typical Windows XP User Session Setup AndX Request
- 2.1. Charity Administration Office Network
- 2.2. Accounting Office Network Topology
- 3.1. Abmas Accounting 52 User Network Topology
- 4.1. Abmas Network Topology 130 Users
- 5.1. Network Topology 500 User Network Using tdbsam passdb backend.
- 6.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
- 6.2. Network Topology 500 User Network Using ldapsam passdb backend.
- 6.3. Windows XP Professional User Shared Folders
- 7.1. Network Topology 2000 User Complex Design A
- 7.2. Network Topology 2000 User Complex Design B
- 7.3. Samba and Authentication Backend Search Pathways
- 7.4. Samba Configuration to Use a Single LDAP Server
- 7.5. Samba Configuration to Use a Dual (Fail-over) LDAP Server
- 7.6. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
- 7.7. Samba Configuration to Use Two LDAP Databases - The result is additive.
- 8.1. Schematic Explaining the net rpc vampire Process
- 8.2. View of Accounts in NT4 Domain User Manager
- 9.1. Open Magazine Samba Survey
- 9.2. Samba Domain: Samba Member Server
- 9.3. Active Directory Domain: Samba Member Server
- A.1. The General Panel.
- A.2. The Computer Name Panel.
- A.3. The Computer Name Changes Panel.
- A.4. The Computer Name Changes Panel Domain MIDEARTH.
- A.5. Computer Name Changes User name and Password Panel.
- A.6. The LDAP Account Manager Login Screen
- A.7. The LDAP Account Manager Configuration Screen
- A.8. The LDAP Account Manager User Edit Screen
- A.9. The LDAP Account Manager Group Edit Screen
- A.10. The LDAP Account Manager Group Membership Edit Screen
- A.11. The LDAP Account Manager Host Edit Screen
List of Tables
- 1.1. Windows Me Startup Broadcast Capture Statistics
- 1.2. Second Machine (Windows 98) Capture Statistics
- 2.1. Accounting Office Network Information
- 4.1. Abmas.US ISP Information
- 4.2. DNS (named) Resource Files
- 5.1. Domain: MEGANET, File Locations for Servers
- 6.1. Required OpenLDAP Linux Packages
- 6.2. Abmas Network Users and Groups
- 6.3. Default Profile Redirections
- 8.1. Samba smb.conf Scripts Essential to Migration
- 12.1. Effect of Common Problems
List of Examples
- 2.1. Drafting Office smb.conf File
- 2.2. Charity Administration Office smb.conf File
- 2.3. Windows Me Registry Edit File: Disable Password Caching
- 2.4. Accounting Office Network smb.conf File
- 3.1. Script to Map Windows NT Groups to UNIX Groups
- 3.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
- 3.3. Accounting Office Network smb.conf File [globals] Section
- 3.4. Accounting Office Network smb.conf File Services and Shares Section
- 4.1. Estimation of Memory Requirements
- 4.2. Estimation of Disk Storage Requirements
- 4.3. NAT Firewall Configuration Script
- 4.4. 130 User Network with tdbsam [globals] Section
- 4.5. 130 User Network with tdbsam Services Section Part A
- 4.6. 130 User Network with tdbsam Services Section Part B
- 4.7. Script to Map Windows NT Groups to UNIX Groups
- 4.8. DHCP Server Configuration File /etc/dhcpd.conf
- 4.9. DNS Master Configuration File /etc/named.conf Master Section
- 4.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
- 4.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
- 4.12. DNS 192.168.1 Reverse Zone File
- 4.13. DNS 192.168.2 Reverse Zone File
- 4.14. DNS Abmas.biz Forward Zone File
- 4.15. DNS Abmas.us Forward Zone File
- 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
- 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
- 5.3. Common Samba Configuration File: /etc/samba/common.conf
- 5.4. Server: BLDG1 (Member), File: smb.conf
- 5.5. Server: BLDG2 (Member), File: smb.conf
- 5.6. Common Domain Member Include File: dom-mem.conf
- 5.7. Server: MASSIVE, File: dhcpd.conf
- 5.8. Server: BLDG1, File: dhcpd.conf
- 5.9. Server: BLDG2, File: dhcpd.conf
- 5.10. Server: MASSIVE, File: named.conf, Part: A
- 5.11. Server: MASSIVE, File: named.conf, Part: B
- 5.12. Server: MASSIVE, File: named.conf, Part: C
- 5.13. Forward Zone File: abmas.biz.hosts
- 5.14. Forward Zone File: abmas.biz.hosts
- 5.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
- 5.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
- 5.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
- 6.1. LDAP Master Configuration File /etc/openldap/slapd.conf
- 6.2. Configuration File for NSS LDAP Support /etc/ldap.conf
- 6.3. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
- 6.4. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
- 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
- 6.6. LDAP Based smb.conf File, Server: BLDG1
- 6.7. LDAP Based smb.conf File, Server: BLDG2
- 6.8. LDAP Based smb.conf File, Shares Section Part A
- 6.9. LDAP Based smb.conf File, Shares Section Part B
- 6.10. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
- 7.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
- 7.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
- 7.3. Primary Domain Controller smb.conf File Part A
- 7.4. Primary Domain Controller smb.conf File Part B
- 7.5. Primary Domain Controller smb.conf File Part C
- 7.6. Backup Domain Controller smb.conf File Part A
- 7.7. Backup Domain Controller smb.conf File Part B
- 8.1. LDAP Preload LDIF file preload.LDIF
- 9.1. Samba Domain Member in Samba Domain Control Context smb.conf File
- 9.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
- 9.3. Configuration File for NSS LDAP Support /etc/ldap.conf
- 9.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
- 9.5. Samba Domain Member Server smb.conf File for NT4 Domain
- 9.6. Name Service Switch Control File: /etc/nsswitch.conf
- 9.7. Samba Domain Member smb.conf File for Active Directory Membership
- 9.8. SUSE: PAM login Module Using Winbind
- 9.9. SUSE: PAM xdm Module Using Winbind
- 9.10. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
- 11.1. Kerberos Configuration File: /etc/krb5.conf
- 11.2. Samba Configuration File: /etc/samba/smb.conf
- 11.3. NSS Configuration File Extract File: /etc/nsswitch.conf
- 11.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
- 11.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
- A.1. A Useful Samba Control Script for SuSE Linux
- A.2.
- A.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
- A.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
- A.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
- A.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
- A.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
- A.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
- A.9. LDIF Pattern File Used to Pre-configure LDAP Part A
- A.10. LDIF Pattern File Used to Pre-configure LDAP Part B
- A.11. Example LAM Configuration File config.cfg
- A.12. LAM Profile Control File lam.conf
boo
boo
boo
- Glossary
- Index
List of Figures
- 1.1. Windows Me Broadcasts The First 10 Minutes
- 1.2. Windows Me Later Broadcast Sample
- 1.3. Typical Windows 9x/Me Host Announcement
- 1.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
- 1.5. Typical Windows 9x/Me User SessionSetUp AndX Request
- 1.6. Typical Windows XP NULL Session Setup AndX Request
- 1.7. Typical Windows XP User Session Setup AndX Request
- 2.1. Charity Administration Office Network
- 2.2. Accounting Office Network Topology
- 3.1. Abmas Accounting 52 User Network Topology
- 4.1. Abmas Network Topology 130 Users
- 5.1. Network Topology 500 User Network Using tdbsam passdb backend.
- 6.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
- 6.2. Network Topology 500 User Network Using ldapsam passdb backend.
- 6.3. Windows XP Professional User Shared Folders
- 7.1. Network Topology 2000 User Complex Design A
- 7.2. Network Topology 2000 User Complex Design B
- 7.3. Samba and Authentication Backend Search Pathways
- 7.4. Samba Configuration to Use a Single LDAP Server
- 7.5. Samba Configuration to Use a Dual (Fail-over) LDAP Server
- 7.6. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
- 7.7. Samba Configuration to Use Two LDAP Databases - The result is additive.
- 8.1. Schematic Explaining the net rpc vampire Process
- 8.2. View of Accounts in NT4 Domain User Manager
- 9.1. Open Magazine Samba Survey
- 9.2. Samba Domain: Samba Member Server
- 9.3. Active Directory Domain: Samba Member Server
- A.1. The General Panel.
- A.2. The Computer Name Panel.
- A.3. The Computer Name Changes Panel.
- A.4. The Computer Name Changes Panel Domain MIDEARTH.
- A.5. Computer Name Changes User name and Password Panel.
- A.6. The LDAP Account Manager Login Screen
- A.7. The LDAP Account Manager Configuration Screen
- A.8. The LDAP Account Manager User Edit Screen
- A.9. The LDAP Account Manager Group Edit Screen
- A.10. The LDAP Account Manager Group Membership Edit Screen
- A.11. The LDAP Account Manager Host Edit Screen
List of Tables
- 1.1. Windows Me Startup Broadcast Capture Statistics
- 1.2. Second Machine (Windows 98) Capture Statistics
- 2.1. Accounting Office Network Information
- 4.1. Abmas.US ISP Information
- 4.2. DNS (named) Resource Files
- 5.1. Domain: MEGANET, File Locations for Servers
- 6.1. Required OpenLDAP Linux Packages
- 6.2. Abmas Network Users and Groups
- 6.3. Default Profile Redirections
- 8.1. Samba smb.conf Scripts Essential to Migration
- 12.1. Effect of Common Problems
List of Examples
- 2.1. Drafting Office smb.conf File
- 2.2. Charity Administration Office smb.conf File
- 2.3. Windows Me Registry Edit File: Disable Password Caching
- 2.4. Accounting Office Network smb.conf File
- 3.1. Script to Map Windows NT Groups to UNIX Groups
- 3.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
- 3.3. Accounting Office Network smb.conf File [globals] Section
- 3.4. Accounting Office Network smb.conf File Services and Shares Section
- 4.1. Estimation of Memory Requirements
- 4.2. Estimation of Disk Storage Requirements
- 4.3. NAT Firewall Configuration Script
- 4.4. 130 User Network with tdbsam [globals] Section
- 4.5. 130 User Network with tdbsam Services Section Part A
- 4.6. 130 User Network with tdbsam Services Section Part B
- 4.7. Script to Map Windows NT Groups to UNIX Groups
- 4.8. DHCP Server Configuration File /etc/dhcpd.conf
- 4.9. DNS Master Configuration File /etc/named.conf Master Section
- 4.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
- 4.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
- 4.12. DNS 192.168.1 Reverse Zone File
- 4.13. DNS 192.168.2 Reverse Zone File
- 4.14. DNS Abmas.biz Forward Zone File
- 4.15. DNS Abmas.us Forward Zone File
- 5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
- 5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
- 5.3. Common Samba Configuration File: /etc/samba/common.conf
- 5.4. Server: BLDG1 (Member), File: smb.conf
- 5.5. Server: BLDG2 (Member), File: smb.conf
- 5.6. Common Domain Member Include File: dom-mem.conf
- 5.7. Server: MASSIVE, File: dhcpd.conf
- 5.8. Server: BLDG1, File: dhcpd.conf
- 5.9. Server: BLDG2, File: dhcpd.conf
- 5.10. Server: MASSIVE, File: named.conf, Part: A
- 5.11. Server: MASSIVE, File: named.conf, Part: B
- 5.12. Server: MASSIVE, File: named.conf, Part: C
- 5.13. Forward Zone File: abmas.biz.hosts
- 5.14. Forward Zone File: abmas.biz.hosts
- 5.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
- 5.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
- 5.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
- 6.1. LDAP Master Configuration File /etc/openldap/slapd.conf
- 6.2. Configuration File for NSS LDAP Support /etc/ldap.conf
- 6.3. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
- 6.4. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
- 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
- 6.6. LDAP Based smb.conf File, Server: BLDG1
- 6.7. LDAP Based smb.conf File, Server: BLDG2
- 6.8. LDAP Based smb.conf File, Shares Section Part A
- 6.9. LDAP Based smb.conf File, Shares Section Part B
- 6.10. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
- 7.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
- 7.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
- 7.3. Primary Domain Controller smb.conf File Part A
- 7.4. Primary Domain Controller smb.conf File Part B
- 7.5. Primary Domain Controller smb.conf File Part C
- 7.6. Backup Domain Controller smb.conf File Part A
- 7.7. Backup Domain Controller smb.conf File Part B
- 8.1. LDAP Preload LDIF file preload.LDIF
- 9.1. Samba Domain Member in Samba Domain Control Context smb.conf File
- 9.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
- 9.3. Configuration File for NSS LDAP Support /etc/ldap.conf
- 9.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
- 9.5. Samba Domain Member Server smb.conf File for NT4 Domain
- 9.6. Name Service Switch Control File: /etc/nsswitch.conf
- 9.7. Samba Domain Member smb.conf File for Active Directory Membership
- 9.8. SUSE: PAM login Module Using Winbind
- 9.9. SUSE: PAM xdm Module Using Winbind
- 9.10. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
- 11.1. Kerberos Configuration File: /etc/krb5.conf
- 11.2. Samba Configuration File: /etc/samba/smb.conf
- 11.3. NSS Configuration File Extract File: /etc/nsswitch.conf
- 11.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
- 11.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
- A.1. A Useful Samba Control Script for SuSE Linux
- A.2.
- A.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
- A.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
- A.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
- A.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
- A.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
- A.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
- A.9. LDIF Pattern File Used to Pre-configure LDAP Part A
- A.10. LDIF Pattern File Used to Pre-configure LDAP Part B
- A.11. Example LAM Configuration File config.cfg
- A.12. LAM Profile Control File lam.conf
boo
boo
boo
Index +Symbols
- %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
- %USERNAME%, Roaming Profile Background, Profile Changes
- %USERPROFILE%, Configuration of Default Profile with Folder Redirection
- /etc/cups/mime.convs, Implementation, Implementation
- /etc/cups/mime.types, Implementation, Implementation
- /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
- /etc/exports, Samba-3 PDC Configuration
- /etc/group, Technical Issues, Questions and Answers, Samba Domain with Samba Domain Member Server Using LDAP, Removal of Pre-existing Conflicting RPMs
- /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
- /etc/krb5.conf, Kerberos Configuration
- /etc/ldap.conf, PAM and NSS Client Configuration
- /etc/mime.convs, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- /etc/mime.types, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- /etc/named.conf, Configuration of DHCP and DNS Servers
- /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers
- /etc/openldap/slapd.conf, OpenLDAP Server Configuration, Implementation
- /etc/passwd, Findings and Comments, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Questions and Answers, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers, Share Point Directory and File Permissions, Removal of Pre-existing Conflicting RPMs
- /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
- /etc/rc.d/rc.local, Implementation
- /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation All Servers
- /etc/samba, Samba System File Location
- /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
- /etc/samba/smbusers, Server Preparation All Servers
- /etc/squid/squid.conf, Removal of Pre-existing Conflicting RPMs
- /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
- /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
- /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
- /usr/bin, Samba System File Location
- /usr/lib/samba, Samba System File Location
- /usr/local, Samba System File Location
- /usr/local/samba, Samba System File Location
- /usr/sbin, Samba System File Location
- /usr/share, Samba System File Location
- /usr/share/samba/swat, Samba System File Location
- /usr/share/swat, Samba System File Location
- /var/lib/ldap, OpenLDAP Server Configuration
- /var/lib/samba, Samba System File Location
- /var/log/samba, Samba System File Location
- , Application Share Configuration
- Domain account, Technical Issues
- liability, Dissection and Discussion
- logon, Implementation
- problem, Dissection and Discussion
- transparent inter-operability, Questions and Answers
A
- abmas-netfw.sh, Basic System Configuration
- abort shutdown script, Samba Configuration, Implementation, Implementation
- accept, Printer Configuration
- accepts liability, Dissection and Discussion
- access, Technical Issues, Check-point Controls
- access control, Kerberos Exposed, Using the MMC Computer Management Interface
- Access Control Lists (see ACLs)
- access control settings, Share Access Controls
- access controls, Technical Issues, Share Definition Controls
- accessible, Share Point Directory and File Permissions
- account, Share Access Controls
- ADS Domain, Technical Issues
- account credentials, Findings and Comments
- account information, Questions and Answers
- account names, Questions and Answers
- account policies, The LDAP Account Manager
- accountable, Introduction, Dissection and Discussion
- accounts
- authoritative, Technical Issues
- Domain, Introduction, Questions and Answers
- group, Introduction, Questions and Answers, Introduction
- machine, Introduction, Questions and Answers
- manage, The LDAP Account Manager
- user, Introduction, Questions and Answers, Introduction
- ACL, Questions and Answers, Check-point Controls
- ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
- acquisitions, Introduction
- Act!, Shared Data Integrity
- ACT! database, Act! Database Sharing
- Act!Diag, Act! Database Sharing
- Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
- authentication, Squid Configuration
- domain, Samba Configuration
- join, Active Directory Domain with Samba Domain Member Server
- management tools, Technical Issues
- realm, Bad Hostnames
- Replacement, Technical Issues
- server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
- Server, Technical Issues
- tree, Samba Configuration
- AD printer publishing, Uploading Printer Drivers to Samba Servers
- ADAM, Dissection and Discussion
- add group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- add machine script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- Add Printer Wizard
- add user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- add user to group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- admin users, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- administrative installation, Application Share Configuration
- administrative rights, Check-point Controls
- administrator, Implementation, Samba Configuration, Server Preparation All Servers
- ADS, Technical Issues, Kerberos Configuration, Bad Hostnames
- server, Technical Issues
- ADS Domain, Technical Issues
- affordability, The Nature of Windows Networking Protocols
- alarm, Introduction
- algorithm, Technical Issues
- alternative, Dissection and Discussion
- analysis, Technical Issues
- anonymous connection, Validation, Validation
- Apache Web server, Questions and Answers
- appliance mode, Technical Issues
- application server, Technical Issues, Application Share Configuration
- application servers, The Nature of Windows Networking Protocols
- application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- APW, Uploading Printer Drivers to Samba Servers
- arp, Validation
- assessment, Introduction
- assumptions, Key Points Learned
- authconfig, PAM and NSS Client Configuration
- authenticate, Samba Configuration
- authenticated, Assignment Tasks
- authenticated connection, Validation, Validation
- authentication, The Nature of Windows Networking Protocols, Questions and Answers, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
- plain-text, Questions and Answers
- authentication process, Implementation
- authentication protocols, Key Points Learned
- authoritative, Technical Issues
- authorized location, Kerberos Exposed
- auto-generated SID, Questions and Answers
- automatically allocate, Technical Issues
- availability, Performance, Reliability, and Availability
B
- backends, Integrating Additional Services
- background communication, Questions and Answers
- Backup, Introduction
- Backup Domain Controller (see BDC)
- bandwidth, Assignment Tasks
- requirements, User Needs
- bandwidth calculations, Hardware Requirements
- BDC, Technical Issues, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Technical Issues, Questions and Answers, Use and Location of BDCs
- benefit, Questions and Answers, Dissection and Discussion
- best practices, Introduction
- bias, Questions and Answers
- binary database, Implementation
- bind interfaces only, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- broadcast, Questions and Answers, Routed Networks
- broadcast messages, Implementation
- broadcast storms, Network Collisions
- broken, Dissection and Discussion
- broken behavior, Dissection and Discussion
- browse, Technical Issues
- browse master, Findings
- Browse Master, Questions and Answers
- browseable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- Browser Election Service, Questions and Answers
- browsing, Assignment Tasks, Technical Issues, Technical Issues
- budgetted, Introduction
- bug fixes, Introduction
C
- cache, Opportunistic Locking Controls
- cache directories, Removal of Pre-existing Conflicting RPMs
- caching, Samba Configuration
- case-sensitive, Kerberos Configuration
- centralized storage, Questions and Answers
- check samba - daemons, Validation, Validation
- check-point, Share Definition Controls
- Check-point Controls, Check-point Controls
- check-point controls, Check-point Controls
- chgrp, Samba Configuration
- chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
- chmod, Samba Configuration
- choice, Dissection and Discussion, Technical Issues
- chown, Removal of Pre-existing Conflicting RPMs
- CIFS, Findings
- cifsfs, Dissection and Discussion
- clean database, Questions and Answers
- Clock skew, Kerberos Configuration
- cluster, Introduction
- clustering, Introduction, For Scalability, Use SAN Based Storage on Samba Servers
- collision rates, Network Collisions
- comment, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- commercial, Dissection and Discussion
- commercial software, Dissection and Discussion
- Common Internet File System (see CIFS)
- comparison
- Active Directory & OpenLDAP, Dissection and Discussion
- compat, Samba Domain with Samba Domain Member Server Using LDAP
- compatible, Technical Issues
- complexities, Dissection and Discussion
- compromise, Introduction, Introduction, Technical Issues
- computer account, Samba Configuration
- Computer Management, Share Access Controls, Questions and Answers
- condemns, Technical Issues
- conferences, Technical Issues
- connection, Share Access Controls
- connectivity, Questions and Answers
- consequential risk, Technical Issues
- consultant, Drafting Office, Introduction, Dissection and Discussion
- consumer, Dissection and Discussion, Technical Issues
- contiguous directory, Implementation
- copy, Questions and Answers
- corrective action, Hardware Problems
- cost, Dissection and Discussion
- credential, Share Definition Controls
- credentials, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Technical Issues
- crippled, Dissection and Discussion
- criticism, Active Directory, Kerberos, and Security, Introduction
- Critics, Technical Issues
- Cryptographic, Technical Issues
- CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
- cupsd, Basic System Configuration
D
- daemon, Validation, Basic System Configuration, Technical Issues, Questions and Answers, Starting Samba
- daemon control, Process Startup Configuration
- data
- corruption, Making Users Happy
- integrity, Questions and Answers
- data corruption, Hardware Problems, Act! Database Sharing
- data integrity, Hardware Problems, Shared Data Integrity
- data storage, Implementation
- database, Dissection and Discussion, Questions and Answers
- database applications, Shared Data Integrity
- DCE, Kerberos Exposed
- DDNS (see dynamic - DNS)
- default devmode, Samba Configuration, Implementation
- default installation, Samba System File Location
- default password, The LDAP Account Manager
- default profile, Assignment Tasks, Technical Issues
- Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
- defective
- cables, Hardware Problems
- hubs, Hardware Problems
- switches, Hardware Problems
- defects, Technical Issues
- defensible standards, Technical Issues
- defragmentation, Windows Client Configuration
- delete group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- delete user from group script, Samba-3 PDC Configuration, Implementation
- delete user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- delimiter, Check-point Controls
- dependability, Technical Issues
- desired security setting, Setting Posix ACLs in UNIX/Linux
- development, Technical Issues
- DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
- client, Bad Hostnames
- relay, Technical Issues
- Relay Agent, Questions and Answers
- request, Questions and Answers
- requests, Technical Issues
- servers, Questions and Answers
- traffic, Questions and Answers
- dhcp client validation, Validation, Validation
- DHCP Server, Implementation
- DHCP server, Technical Issues
- diffusion, Technical Issues
- digital rights, Technical Issues
- digital sign'n'seal, Technical Issues
- digits, Bad Hostnames
- diligence, Technical Issues
- directory, Dissection and Discussion, Political Issues
- Computers container, LDAP Initialization and Creation of User and Group Accounts
- management, Dissection and Discussion
- People container, LDAP Initialization and Creation of User and Group Accounts
- replication, Dissection and Discussion
- schema, Dissection and Discussion
- server, Technical Issues
- synchronization, Dissection and Discussion
- directory tree, Setting Posix ACLs in UNIX/Linux
- disable, Introduction
- disable spoolss, Implementation, Implementation
- disaster recovery, Introduction
- disk image, Assignment Tasks
- disruptive, Dissection and Discussion
- distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
- distributed domain, Identity Management Needs
- DMB, Questions and Answers
- DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
- configuration, Questions and Answers
- Dynamic, Questions and Answers
- dynamic, Joining a Domain: Windows 200x/XP Professional
- lookup, Questions and Answers, Kerberos Configuration
- name lookup, Bad Hostnames
- SRV records, Kerberos Configuration
- suffix, Joining a Domain: Windows 200x/XP Professional
- DNS server, Implementation, Configuration of DHCP and DNS Servers
- document the settings, Samba Configuration
- documentation, Dissection and Discussion, Technical Issues
- documented, Samba Configuration
- Domain, Technical Issues, Questions and Answers
- group, Questions and Answers
- groups, Technical Issues
- user, Questions and Answers
- domain
- Active Directory, Technical Issues
- joining, Appendix: A Collection of Useful Tid-bits
- trusted, Questions and Answers
- Domain accounts, Technical Issues
- Domain Administrator, Share Access Controls
- Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
- Domain Controllers, Technical Issues, Questions and Answers
- Domain Groups
- well-known, Initialization of the LDAP Database
- Domain join, Samba Domain with Samba Domain Member Server Using LDAP
- domain logons, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- Domain logons, Questions and Answers
- domain master, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
- Domain Master Browser (see DMB)
- Domain Member, Use and Location of BDCs
- authoritative
- local accounts, Technical Issues
- client, Implementation
- desktop, Introduction
- server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
- servers, Technical Issues, Questions and Answers, Check-point Controls
- workstations, Implementation
- Domain Member server, Technical Issues, Questions and Answers
- Domain Member servers, Questions and Answers
- domain members, Questions and Answers
- domain name space, Identity Management Needs
- domain replication, Questions and Answers
- Domain SID, Technical Issues, NT4 Migration Using LDAP Backend, Questions and Answers
- domain tree, Identity Management Needs
- Domain User Manager, Configuring Profile Directories
- Domain users, Technical Issues
- dos2unix, Samba Configuration
- drive mapping, Technical Issues
- dumb printing, Installation of Printer Driver Auto-Download
- dump, Technical Issues, Questions and Answers
- duplicate accounts, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- dynamic DNS, Technical Issues
E
- economically sustainable, Dissection and Discussion
- eDirectory, Dissection and Discussion
- education, Identity Management Needs
- election, Findings
- employment, Introduction, Dissection and Discussion
- enable, Printer Configuration
- encrypt passwords, Questions and Answers, NSS Configuration
- encrypted, Findings and Comments
- encrypted password, Windows 200x/XP Client Interaction with Samba-3
- encrypted passwords, Questions and Answers
- End User License Agreement (see EULA)
- enumerating, Samba Configuration
- essential, Introduction
- ether-switch, Technical Issues
- Ethereal, Requirements and Notes
- ethereal, Exercises
- Etherswitch, Making Users Happy
- EULA, Dissection and Discussion
- Everyone, Share Access Controls
- Excel, Share Point Directory and File Permissions
- exclusive open, Microsoft Access
- experiment, Active Directory, Kerberos, and Security
- export, Technical Issues
- extent, Dissection and Discussion
- External Domains, Technical Issues
- extreme demand, Guidelines for Reliable Samba Operation
F
- fail, The Nature of Windows Networking Protocols
- fail-over, Identity Management Needs, Implementation
- failed join, Active Directory Domain with Samba Domain Member Server
- failure, Questions and Answers, Samba Configuration
- familiar, Technical Issues
- fatal problem, Samba Configuration
- fear, Technical Issues
- fears, Technical Issues
- FHS, Samba System File Location
- file and print server, Questions and Answers
- file and print service, Dissection and Discussion
- file cacheing, Opportunistic Locking Controls
- file caching, Samba Configuration
- File Hierarchy System (see FHS)
- file locations, Samba System File Location
- file permissions, The LDAP Account Manager
- file server
- read-only, Dissection and Discussion
- file servers, Samba Server Implementation
- file system, Technical Issues
- access control, Samba Configuration
- Ext3, Implementation
- permissions, Samba Configuration, Configuration for Server: MASSIVE
- file system security, Questions and Answers
- filter, Share Access Controls
- financial responsibility, Introduction
- firewall, Technical Issues, Basic System Configuration, Introduction
- fix, Dissection and Discussion
- flaws, Introduction
- flexibility, Technical Issues
- flush
- cache memory, Opportunistic Locking Controls
- folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
- force group, Implementation, Override Controls, Questions and Answers
- force user, Dissection and Discussion, Implementation, Override Controls, Questions and Answers
- forced settings, Override Controls
- foreign, Samba Domain with Samba Domain Member Server Using LDAP
- foreign SID, Samba Domain with Samba Domain Member Server Using LDAP
- forwarded, Routed Networks
- foundation members, Technical Issues
- Free Standards Grou (see FSG)
- front-end, Dissection and Discussion
- FSG, Samba System File Location
- FTP
- proxy, Questions and Answers
- full control, Share Access Controls, Using MS Windows Explorer (File Manager)
- fully qualified, Check-point Controls
G
- getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- getfacl, Setting Posix ACLs in UNIX/Linux
- getgrgid(), Questions and Answers
- getgrnam, Technical Issues
- getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- getpwnam(), Questions and Answers
- GID, Implementation, Questions and Answers, Questions and Answers
- Goettingen, Questions and Answers
- government, Identity Management Needs
- GPL, Comments Regarding Software Terms of Use
- group account, Implementation, OpenLDAP Server Configuration
- group management, Implementation
- group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using LDAP, Share Point Directory and File Permissions
- group names, Questions and Answers
- group policies, Introduction
- Group Policy, Joining a Domain: Windows 200x/XP Professional
- Group Policy editor, The Local Group Policy
- Group Policy Objects, The Local Group Policy
- groupadd, Implementation, Implementation, Questions and Answers
- groupdel, Questions and Answers
- groupmod, Questions and Answers
- GSS-API, Windows 200x/XP Client Interaction with Samba-3
- guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
- guest ok, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
H
- hackers, Introduction
- hardware prices, Hardware Problems
- hardware problems, Hardware Problems
- Heimdal, Implementation, Kerberos Configuration
- Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- helper agent, Removal of Pre-existing Conflicting RPMs
- hesoid, Samba Domain with Samba Domain Member Server Using LDAP
- hierarchy of control, Share Definition Controls
- high availability, Dissection and Discussion
- hire, Dissection and Discussion
- HKEY_CURRENT_USER, Roaming Profile Background
- HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
- HKEY_LOCAL_USER, Questions and Answers
- host announcement, Assignment Tasks, Findings
- hostname, Basic System Configuration
- hosts, Questions and Answers
- hosts allow, Samba Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- hosts deny, Samba Configuration, Implementation
- HUB, Making Users Happy
- Hybrid, Questions and Answers
- hypothetical, Introduction
I
- Idealx
- identifiers, Technical Issues
- identity, Questions and Answers, Kerberos Exposed
- management, Technical Issues
- identity management, Technical Issues, Dissection and Discussion, Political Issues
- Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
- Identity management, UNIX/Linux Client Domain Member
- Identity resolution, Samba Domain with Samba Domain Member Server Using LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
- Identity resolver, Questions and Answers
- IDMAP, Samba Domain with Samba Domain Member Server Using LDAP
- idmap backend, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- IDMAP backend, Questions and Answers
- idmap gid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- idmap uid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- import, Technical Issues
- include, Implementation
- income, Dissection and Discussion
- independent expert, Introduction
- inetd, Process Startup Configuration
- inheritance, Setting Posix ACLs in UNIX/Linux
- initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- initial credentials, Kerberos Configuration
- inoperative, Dissection and Discussion
- installation, Dissection and Discussion
- integrate, Technical Issues
- integrity, Introduction, Kerberos Exposed
- inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
- interdomain trusts, Identity Management Needs
- interfaces, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- intermittent, Hardware Problems
- Internet Explorer, Technical Issues
- Internet Information Server, Questions and Answers
- IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
- IPC$, Findings and Comments, Implementation
- iptables, Technical Issues
- isolated, Introduction
- Italian, Questions and Answers
J
- jobs, Introduction
- joining a domain, Joining a Domain: Windows 200x/XP Professional
K
- KDC, Kerberos Configuration
- Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
- Heimdal, Active Directory Domain with Samba Domain Member Server
- interoperability, Kerberos Exposed
- libraries, Active Directory Domain with Samba Domain Member Server
- MIT, Active Directory Domain with Samba Domain Member Server
- unspecified fields, Kerberos Exposed
- kerberos, Kerberos Exposed
- server, Kerberos Exposed
- Kerberos ticket, Samba Configuration
- kinit, Kerberos Configuration
- klist, Kerberos Configuration
- krb5, Implementation
- krb5.conf, Kerberos Configuration
L
- LAM, The LDAP Account Manager
- configuration editor, The LDAP Account Manager
- configuration file, The LDAP Account Manager
- login screen, The LDAP Account Manager
- opening screen, The LDAP Account Manager
- profile, The LDAP Account Manager
- wizard, The LDAP Account Manager
- LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Assignment Tasks, Technical Issues, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Technical Issues
- backend, Identity Management Needs
- database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
- directory, Identity Management Needs
- fail-over, Implementation
- initial configuration, Alternative LDAP Database Initialization
- master, Identity Management Needs
- master/slave
- background communication, Questions and Answers
- preload, Implementation
- secure, Technical Issues
- server, Questions and Answers
- slave, Identity Management Needs
- updates, Identity Management Needs
- ldap, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP Account Manager (see LAM)
- ldap admin dn, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP backend, Technical Issues
- LDAP database, Questions and Answers
- ldap group suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- ldap idmap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP Interchange Format (see LDIF)
- ldap machine suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP server, Identity Management Needs
- ldap ssl, Active Directory Domain with Samba Domain Member Server
- ldap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- ldap user suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP-transfer-LDIF.txt, Implementation
- ldap.conf, Samba Domain with Samba Domain Member Server Using LDAP
- ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using LDAP
- ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Assignment Tasks, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Integrating Additional Services
- ldapsam backend, Samba Domain with Samba Domain Member Server Using LDAP
- ldapsearch, LDAP Initialization and Creation of User and Group Accounts
- LDIF, Technical Issues, Implementation, Initialization of the LDAP Database
- leadership, Technical Issues
- Lightweight Directory Access Protocol (see LDAP)
- limit, Questions and Answers
- Linux desktop, Introduction
- Linux Standards Base (see LSB)
- LMB, Findings, Questions and Answers
- LMHOSTS, Routed Networks
- load distribution, For Scalability, Use SAN Based Storage on Samba Servers
- local accounts, Technical Issues
- Local Group Policy, Roaming Profile Background
- local groups, Questions and Answers
- Local Master Announcement, Findings
- Local Master Browser (see LMB)
- local users, Questions and Answers
- localhost, Basic System Configuration, Bad Hostnames
- locking, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation
- Application level, Shared Data Integrity
- Client side, Shared Data Integrity
- Server side, Shared Data Integrity
- log file, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- log level, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- logging, Removal of Pre-existing Conflicting RPMs
- login, Technical Issues
- logon credentials, Questions and Answers
- logon drive, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- logon home, Samba Configuration, Implementation
- logon hours, Technical Issues, Key Points Learned
- logon machines, Technical Issues
- logon path, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- logon process, Implementation
- logon scrip, Samba Configuration, Technical Issues
- logon script, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Preparation of Logon Scripts, Implementation, Technical Issues
- logon server, The Nature of Windows Networking Protocols
- logon services, Implementation
- logon time, Assignment Tasks
- logon traffic, The Nature of Windows Networking Protocols
- loopback, Validation
- low performance, Hardware Problems
- lower-case, Technical Issues
- lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
- LSB, Samba System File Location
M
- machine accounts, Questions and Answers
- machine secret password, Technical Issues
- managed, Technical Issues
- management, Political Issues, Questions and Answers
- group, Technical Issues
- User, Technical Issues
- mandatory profile, Technical Issues, Configuring Profile Directories
- map acl inherit, Samba Configuration, Implementation, Samba-3 PDC Configuration
- mapped drives, Questions and Answers
- mapping, Technical Issues, Kerberos Configuration
- master, Dissection and Discussion
- material, Appendix: A Collection of Useful Tid-bits
- max log size, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- memory requirements, Hardware Requirements
- merge, Technical Issues, Questions and Answers
- merged, Technical Issues
- meta-directory, Questions and Answers
- meta-service, Questions and Answers
- Microsoft Access, Shared Data Integrity
- Microsoft Excel, Shared Data Integrity
- Microsoft ISA, Assignment Tasks
- Microsoft Management Console (see MMC)
- Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
- Microsoft Outlook
- PST files, Questions and Answers
- migrate, Technical Issues
- migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers
- objectives, Dissection and Discussion
- Migration speed, Questions and Answers
- mime type, Implementation, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- mime types, Implementation
- missing RPC's, Technical Issues
- MIT, Implementation, Kerberos Configuration
- MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- MIT KRB5, Samba Configuration
- mixed mode, Active Directory Domain with Samba Domain Member Server
- mixed-mode, Questions and Answers
- mkntpasswd, Install and Configure Idealx SMB-LDAP Scripts
- MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
- mobile computing, Dissection and Discussion
- mobility, Technical Issues
- modularization, Technical Issues
- modules, Questions and Answers
- MS Access
- validate, Microsoft Access
- MS Outlook
- PST file, Making Users Happy
- MS Windows Server 2003, Implementation
- MS Word, Share Point Directory and File Permissions
- MSDFS, Distribute Network Load with MSDFS
- multi-subnet, Routed Networks
- multi-user
- access, Microsoft Access
- data access, Shared Data Integrity
- multiple directories, Identity Management Needs
- multiple domain controllers, Making Users Happy
- multiple group mappings, Questions and Answers
- My Documents, Roaming Profile Background
- My Network Places, Implementation
- mysqlsam, Implementation
N
- name resolution, Assignment Tasks, Configuration of DHCP and DNS Servers, Questions and Answers
- name resolve order, Questions and Answers, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Name Service Switch, Implementation
- name service switch (see NSS)
- named, Basic System Configuration, Validation, Server Preparation All Servers
- NAT, Technical Issues
- native, Questions and Answers
- net
- ads
- getlocalsid, Samba-3 PDC Configuration
- group, NT4 Migration Using tdbsam Backend
- groupmap
- rpc
- getsid, NT4 Migration Using LDAP Backend
- join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers
- vampire, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
- NetBIOS, Questions and Answers, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks
- name cache, Questions and Answers
- name resolution
- delays, Making Users Happy
- Node Type, Questions and Answers
- netbios forwarding, Network Collisions
- netbios name, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NSS Configuration, Bad Hostnames
- NetBIOS name, Kerberos Configuration
- aliases, Identity Management Needs
- NETLOGON, Using a Network Default User Profile, Windows Client Configuration
- netlogon, The Nature of Windows Networking Protocols
- Netlogon, Joining a Domain: Windows 200x/XP Professional
- netmask, Implementation
- Netware, Small Office Networking
- network
- administrators, Technical Issues
- analyzer, Assignment Tasks
- bandwidth, Identity Management Needs, Questions and Answers
- broadcast, Introduction
- captures, Requirements and Notes
- collisions, Network Collisions
- load, Network Collisions
- logon, Making Users Happy
- logon scripts, Dissection and Discussion
- management, Introduction
- multi-segment, Introduction
- overload, Making Users Happy
- performance, Samba Configuration
- routed, Dissection and Discussion
- secure, Introduction
- segment, Dissection and Discussion
- services, Questions and Answers
- sniffer, Requirements and Notes
- tiemouts, Network Collisions
- timeout, Making Users Happy
- trace, Assignment Tasks
- traffic
- observation, Technical Issues
- wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Network Address Translation (see NAT)
- network administrators, Technical Issues
- network attached storage (see NAS)
- Network Default Profile, Roaming Profile Background
- network hardware
- defective, Making Users Happy
- network hygiene, Dissection and Discussion
- network Identities, Questions and Answers
- network load factors, Dissection and Discussion
- Network Neighborhood, Validation, Technical Issues
- network segment, Use and Location of BDCs
- network segments, Hardware Requirements
- network share, Assignment Tasks
- networking hardware
- defective, Making Users Happy
- networking protocols, Technical Issues
- next generation, Technical Issues
- NFS server, Samba-3 PDC Configuration
- NICs, Hardware Problems
- NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
- nis, Samba Domain with Samba Domain Member Server Using LDAP
- NIS schema, Questions and Answers
- NIS server, Questions and Answers
- NIS+, Identity Management Needs
- nisplus, Samba Domain with Samba Domain Member Server Using LDAP
- nmap, Validation
- nmbd, Validation, Validation, Samba Configuration, Starting Samba
- nobody, Findings and Comments, Removal of Pre-existing Conflicting RPMs
- NSS, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, UNIX/Linux Client Domain Member, Questions and Answers, NSS Configuration (see Name Service Switch)
- nss_ldap, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- nt acl support, Dissection and Discussion, Implementation
- NT4 registry, Dissection and Discussion
- NTLM, Technical Issues
- NTLM authentication daemon, Technical Issues
- NTLMSSP, Windows 200x/XP Client Interaction with Samba-3, Key Points Learned, Questions and Answers
- NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
- ntlm_auth, Samba Configuration, Questions and Answers
- NTP, Kerberos Configuration
- NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
- NULL connection, Validation
- NULL session, Findings and Comments
- NULL-Session, Discussion
O
- off-site storage, Introduction
- Open Magazine, Adding UNIX/LINUX Servers and Clients
- Open Source, Dissection and Discussion
- OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
- openldap, OpenLDAP Server Configuration
- OpenOffice, Application Share Configuration
- operating profiles, The LDAP Account Manager
- oplock break, Override Controls
- oplocks, Samba Configuration
- Oplocks
- disabled, Opportunistic Locking Controls
- opportunistic
- locking, Override Controls
- opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
- optimized, Samba Configuration
- options list, Questions and Answers
- organizational units, The LDAP Account Manager
- os level, Implementation
- Outlook
- Outlook Express, Political Issues
- over-ride, Technical Issues
- over-ride controls, Override Controls
- over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
- overheads, Override Controls
- ownership, Share Point Directory and File Permissions
P
- package, Implementation
- package names, Samba System File Location
- PADL, Technical Issues
- PADL LDAP tools, Technical Issues
- PADL Software, Samba Domain with Samba Domain Member Server Using LDAP
- PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member
- pam password change, Samba Configuration
- pam_ldap, OpenLDAP Server Configuration
- pam_ldap.so, PAM and NSS Client Configuration
- pam_unix2.so, PAM and NSS Client Configuration
- use_ldap, PAM and NSS Client Configuration
- passdb backend, Implementation, Samba Configuration, The 500-User Office, Implementation, Dissection and Discussion, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Assignment Tasks, Questions and Answers, Technical Issues, Questions and Answers
- passdb.tdb, Technical Issues
- passwd, Implementation, Implementation, Samba Configuration
- passwd chat, Implementation, Samba Configuration
- password
- password caching, Implementation
- password change, Key Points Learned
- password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
- password server, NSS Configuration
- path, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
- PDC, Assignment Tasks, Technical Issues, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Technical Issues, Questions and Answers, Use and Location of BDCs
- PDF, The LDAP Account Manager
- performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
- performance degradation, Override Controls, Samba Configuration
- Perl, The LDAP Account Manager
- permission, Share Point Directory and File Permissions
- permissions, Implementation, Technical Issues, Share Access Controls, Check-point Controls, Share Point Directory and File Permissions, Removal of Pre-existing Conflicting RPMs
- Permissions, Using the MMC Computer Management Interface
- permits, Technical Issues
- permitted group, Using the MMC Computer Management Interface
- PHP, The LDAP Account Manager
- PHP4, The LDAP Account Manager
- pile-driver, Share Definition Controls
- ping, Validation, NT4 Migration Using LDAP Backend
- pitfalls, The LDAP Account Manager
- plain-text, Questions and Answers
- Pluggable Authentication Modules (see PAM)
- policy, Questions and Answers, Introduction
- poor performance, Dissection and Discussion
- Posix, Dissection and Discussion, Technical Issues, Technical Issues, Questions and Answers, Questions and Answers, The LDAP Account Manager
- Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
- Posix ACLs, Managing Windows 200x ACLs
- PosixAccount, LDAP Initialization and Creation of User and Group Accounts
- Postscript, Installation of Printer Driver Auto-Download
- powers, Share Definition Controls
- practices, Introduction
- preferred master, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- preload.LDIF, NT4 Migration Using LDAP Backend
- presence and leadership, Technical Issues
- price paid, Dissection and Discussion
- primary group, Samba Domain with Samba Domain Member Server Using LDAP, Share Point Directory and File Permissions
- principals, Kerberos Exposed
- print filter, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- print queue, Charity Administration Office, Dissection and Discussion
- print spooler, Charity Administration Office
- Print Test Page, Uploading Printer Drivers to Samba Servers
- printable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- printcap name, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- printer admin, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- printer - validation, Validation, Validation
- printers
- Advanced, Uploading Printer Drivers to Samba Servers
- Default Settings, Uploading Printer Drivers to Samba Servers
- General, Uploading Printer Drivers to Samba Servers
- Properties, Uploading Printer Drivers to Samba Servers
- Security, Uploading Printer Drivers to Samba Servers
- Sharing, Uploading Printer Drivers to Samba Servers
- printing, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- privacy, Identity Management Needs
- Privilege Attribute Certificates (see PAC)
- privilege controls, Share Point Directory and File Permissions
- privileged pipe, Samba Configuration
- privileges, Identity Management Needs, Technical Issues, Share Definition Controls
- product defects, Dissection and Discussion
- profile
- default, Assignment Tasks
- mandatory, The Nature of Windows Networking Protocols
- roaming, Making Users Happy
- profile acls, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation
- profile path, Technical Issues
- profile share, Implementation
- profiles share, Dissection and Discussion
- programmer, Dissection and Discussion
- project maintainers, Technical Issues
- Properties, Using the MMC Computer Management Interface
- proprietary, Technical Issues
- protected, Technical Issues
- protection, Technical Issues
- protocol
- negotiation, The Nature of Windows Networking Protocols
- protocol analysis, Requirements and Notes
- protocols, Technical Issues
- proxy, Assignment Tasks, Technical Issues
- public specifications, Technical Issues
R
- RAID, Hardware Requirements
- RAID controllers, Hardware Problems
- Raw Print Through, Installation of Printer Driver Auto-Download
- raw printing, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- rcldap, Implementation
- read only, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- realm, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration, NSS Configuration
- recognize, Technical Issues
- record locking, Microsoft Access
- recursively, Setting Posix ACLs in UNIX/Linux
- Red Hat Fedora Linux, Samba Configuration
- Red Hat Linux, Drafting Office, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
- redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
- refereed standards, Technical Issues
- regedit, Implementation
- regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
- registry, Questions and Answers
- keys
- SAM, Dissection and Discussion
- SECURITY, Dissection and Discussion
- registry change, Questions and Answers
- Registry Editor, Configuration of Default Profile with Folder Redirection
- registry hacks, Questions and Answers
- registry keys, Configuration of Default Profile with Folder Redirection
- reimburse, Dissection and Discussion
- rejected, Share Access Controls
- rejoin, Questions and Answers
- reliability, Performance, Reliability, and Availability
- remote announce, Routed Networks
- remote browse sync, Routed Networks
- remote procedure call (see RPC)
- replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- replicated, Dissection and Discussion
- resilient, Guidelines for Reliable Samba Operation
- resolve, Technical Issues, Bad Hostnames
- responsibility, Dissection and Discussion
- responsible, Technical Issues
- restricted export, Kerberos Exposed
- Restrictive security, Active Directory Domain with Samba Domain Member Server
- reverse DNS, Kerberos Configuration
- risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
- road-map, Technical Issues
- published, Technical Issues
- roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
- roaming profiles, Technical Issues, Implementation, Roaming Profile Background
- routed network, Use and Location of BDCs
- router, Implementation
- routers, Questions and Answers, Routed Networks
- RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- RPM
- install, Implementation
- rpm, Removal of Pre-existing Conflicting RPMs, Samba System File Location
- RPMs, Samba Configuration
- rpms, Removal of Pre-existing Conflicting RPMs
- rsync, Samba-3 PDC Configuration, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- run-time control files, Samba System File Location
S
- safe-guards, Technical Issues
- SAM, Dissection and Discussion
- samba, Removal of Pre-existing Conflicting RPMs
- starting samba, Implementation
- Samba, Samba Configuration
- Samba accounts, Technical Issues
- samba cluster, Introduction
- samba control script, Starting Samba
- Samba Domain, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Samba Domain server, Using the MMC Computer Management Interface
- Samba RPM Packages, Samba-3 PDC Configuration
- Samba Tea, Samba Configuration
- SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
- SambaXP conference, Questions and Answers
- SAN, For Scalability, Use SAN Based Storage on Samba Servers
- scalability, Introduction
- scalable, Identity Management Needs
- schannel, Technical Issues, Key Points Learned, Questions and Answers
- schema, Questions and Answers
- scripts, The LDAP Account Manager
- secondary group, Samba Domain with Samba Domain Member Server Using LDAP
- secret, Kerberos Exposed
- secrets.tdb, Technical Issues, Samba-3 PDC Configuration, NT4 Migration Using LDAP Backend
- secure, Introduction
- secure account password, Questions and Answers
- secure connections, The LDAP Account Manager
- secure networking, Technical Issues
- secure networking protocols, Technical Issues
- security, Implementation, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers, NSS Configuration
- share mode, Dissection and Discussion
- user mode, Dissection and Discussion
- Security, Technical Issues, Using the MMC Computer Management Interface
- Security Account Manager (see SAM)
- security controls, Technical Issues
- security descriptors, Dissection and Discussion
- security fixes, Technical Issues
- security updates, Technical Issues
- SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- server string, Active Directory Domain with Samba Domain Member Server
- service, Implementation
- Service Packs, Application Share Configuration
- services, Key Points Learned
- session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
- Session Setup, Simple Windows Client Connection Characteristics
- set primary group script, Samba-3 PDC Configuration, Implementation
- setfacl, Setting Posix ACLs in UNIX/Linux
- severely degrade, Samba Configuration
- SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
- shadow-utils, Questions and Answers
- share, Questions and Answers
- Share Access Controls, Share Access Controls
- share ACLs, Questions and Answers
- share definition, Technical Issues
- Share Definition
- Controls, Share Definition Controls
- share definition controls, Share Definition Controls, Check-point Controls, Share Point Directory and File Permissions, Questions and Answers
- share level access controls, Questions and Answers
- share level ACL, Questions and Answers
- Share Permissions, Share Access Controls
- shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
- shares, Technical Issues
- show add printer wizard, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- shutdown script, Samba Configuration, Implementation, Implementation
- SID, Windows Client Configuration, Identity Management Needs, Questions and Answers, Technical Issues, Initialization of the LDAP Database
- side effects, Managing Windows 200x ACLs
- Sign'n'seal, Key Points Learned, Questions and Answers
- silent return, Active Directory Domain with Samba Domain Member Server
- simple, Dissection and Discussion
- Single Sign-On (see SOS)
- slapadd, NT4 Migration Using LDAP Backend
- slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using LDAP
- slave, Dissection and Discussion
- slow logon, Making Users Happy
- slow network, Hardware Problems
- slurpd, Implementation, Questions and Answers
- smart printing, Dissection and Discussion
- SMB passwords, Implementation
- smb ports, Samba Configuration, Questions and Answers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- SMB/CIFS, Questions and Answers
- smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, NT4 Migration Using LDAP Backend, Questions and Answers
- smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
- location of files, Samba System File Location
- smbfs, Dissection and Discussion
- smbldap-groupadd.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-passwd.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-populate.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-tools, The LDAP Account Manager
- smbldap-useradd.pl, LDAP Initialization and Creation of User and Group Accounts, Implementation
- smbldap-usermod.pl, LDAP Initialization and Creation of User and Group Accounts
- smbmnt, Dissection and Discussion
- smbmount, Dissection and Discussion
- smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Questions and Answers, Integrating Additional Services
- smbumnt, Dissection and Discussion
- smbumount, Dissection and Discussion
- snap-shot, Dissection and Discussion
- socket address, Samba Configuration
- socket options, Samba Configuration
- software, Dissection and Discussion
- solve, Dissection and Discussion
- source code, Dissection and Discussion
- SPNEGO, Windows 200x/XP Client Interaction with Samba-3
- SQL, Dissection and Discussion, Questions and Answers
- Squid, Technical Issues, Implementation, Removal of Pre-existing Conflicting RPMs, Samba Configuration, Squid Configuration
- squid, Removal of Pre-existing Conflicting RPMs, Samba Configuration
- Squid proxy, Technical Issues
- SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
- SSL, The LDAP Account Manager
- starting - CUPS, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
- starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
- starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
- nmbd, Starting Samba
- smbd, Starting Samba
- winbindd, Starting Samba
- startup script, Starting Samba
- sticky bit, Implementation
- storage capacity, Hardware Requirements
- strategic, Technical Issues
- strategy, Questions and Answers
- straw-man, Active Directory, Kerberos, and Security
- strict sync, Samba Configuration
- strong cryptography, Kerberos Exposed
- SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
- Sun ONE Identity Server, Dissection and Discussion
- super daemon, Process Startup Configuration
- support, Dissection and Discussion
- survey, Adding UNIX/LINUX Servers and Clients
- SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
- SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-existing Conflicting RPMs
- SWAT, Samba System File Location
- sync always, Samba Configuration
- synchronization, Kerberos Configuration, For Scalability, Use SAN Based Storage on Samba Servers
- synchronize, User Needs
- synchronized, Questions and Answers
- syslog, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- system level logins, Questions and Answers
- system security, Technical Issues
T
- tattooing, Questions and Answers
- TCP/IP, Questions and Answers
- tdbdump, NT4 Migration Using LDAP Backend, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers
- template primary group, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- template shell, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- ticket, Samba Configuration
- time server, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- Tivoli Directory Server, Dissection and Discussion
- token, Technical Issues
- tool, Questions and Answers, Dissection and Discussion
- track record, Dissection and Discussion
- traffic collisions, Making Users Happy
- transaction processing, Dissection and Discussion
- transactional, Questions and Answers
- transfer, Questions and Answers
- translate, Managing Windows 200x ACLs
- traverse, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Tree Connect, Simple Windows Client Connection Characteristics
- trusted computing, Introduction
- Trusted Domains, Technical Issues
- trusted domains, Questions and Answers
- trusted third-party, Kerberos Exposed
- trusting, Kerberos Exposed
- turn-around time, Technical Issues
U
- UDP
- broadcast, Routed Networks
- UID, Dissection and Discussion, Technical Issues, Implementation, Questions and Answers, Questions and Answers
- un-join, Questions and Answers
- unauthorized activities, Kerberos Exposed
- UNC name, Questions and Answers
- unencrypted, The LDAP Account Manager
- Unicast, The Nature of Windows Networking Protocols
- Universal Naming Convention (see UNC name)
- UNIX
- groups, Technical Issues, Implementation
- UNIX account, Questions and Answers
- UNIX accounts, Technical Issues
- unix charset, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- unix password sync, Samba Configuration
- UNIX/Linux server, Technical Issues
- unix2dos, Samba Configuration
- unknown, Technical Issues
- updates, Introduction, Technical Issues
- uppercase, Technical Issues
- use client driver, Implementation, Implementation, Implementation, Samba Configuration, Implementation
- user
- user account, OpenLDAP Server Configuration
- User and Group Controls, Technical Issues
- user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
- user errors, Questions and Answers
- user identities, Implementation
- user logins, Questions and Answers
- user management, Implementation
- User Mode, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3, Implementation
- useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- username map, Implementation, Samba Configuration, Server Preparation All Servers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- utilities, Questions and Answers
- utmp, Samba Configuration, Implementation, Implementation
V
- valid users, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Check-point Controls, Questions and Answers
- validate, NT4 Migration Using LDAP Backend, Questions and Answers, Check-point Controls
- validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
- validation, Validation, Validation, Questions and Answers
- vampire, Questions and Answers
- vendor, Dissection and Discussion
- veto files, Samba Configuration, Implementation
- veto oplock files, Samba Configuration, Implementation
- VFS modules, Samba System File Location
- virus, Implementation
- VPN, Assignment Tasks
- vulnerabilities, Introduction
W
- wbinfo, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- weakness, Technical Issues
- web
- caching, Assignment Tasks
- proxying, Assignment Tasks
- Web
- proxy, Questions and Answers
- access, Key Points Learned
- Web browsers, Key Points Learned
- WebClient, Making Users Happy
- wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
- Winbind, Questions and Answers, Technical Issues, Key Points Learned
- winbind enable local accounts, Technical Issues, Questions and Answers
- winbind enum groups, NSS Configuration
- winbind enum users, NSS Configuration
- winbind separator, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- winbind trusted domains only, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, Questions and Answers
- winbind use default domain, Check-point Controls
- winbind user default domain, NSS Configuration
- winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, Questions and Answers, Samba Configuration, Questions and Answers, Starting Samba
- winbindd_cache.tdb, Technical Issues
- winbindd_idmap.tdb, Technical Issues
- Windows 2000 ACLs, Managing Windows 200x ACLs
- Windows 2003 Serve, Introduction
- Windows 200x ACLs, Questions and Answers
- Windows accounts, Technical Issues
- Windows ACLs, Setting Posix ACLs in UNIX/Linux
- Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Windows clients, Questions and Answers
- Windows Explorer, Validation
- Windows explorer, Questions and Answers
- Windows security identifier (see SID)
- Windows Servers, Introduction
- Windows Services for UNIX (see SUS)
- Windows XP, Assignment Tasks
- WINS, Questions and Answers, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers
- lookup, Questions and Answers
- name resolution, Routed Networks
- server, Making Users Happy, Routed Networks
- WINS server, The 500-User Office, Questions and Answers
- wins server, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- WINS serving, Implementation
- wins support, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- wins.dat, Identity Management Needs
- Word, Share Point Directory and File Permissions
- workgroup, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- Workgroup Announcement, Findings
- workstation, Implementation
- wrapper, Questions and Answers
- write list, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- write lock, Opportunistic Locking Controls
X
- xinetd, Process Startup Configuration
- XML, Dissection and Discussion
- xmlsam, Implementation
Y
- YaST, PAM and NSS Client Configuration
- Yellow Pages, Identity Management Needs
- yellow pages (see NIS)
Index diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/kerberos.html samba-3.0.9/docs/htmldocs/Samba-Guide/kerberos.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/kerberos.html 2004-10-25 11:16:28.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/kerberos.html 2004-11-15 10:15:39.000000000 -0600 @@ -1,10 +1,10 @@ -Symbols
- %LOGONSERVER%, Configuration of Default Profile with Folder Redirection
- %USERNAME%, Roaming Profile Background, Profile Changes
- %USERPROFILE%, Configuration of Default Profile with Folder Redirection
- /etc/cups/mime.convs, Implementation, Implementation
- /etc/cups/mime.types, Implementation, Implementation
- /etc/dhcpd.conf, Implementation, Validation, Configuration of DHCP and DNS Servers, Validation
- /etc/exports, Samba-3 PDC Configuration
- /etc/group, Technical Issues, Questions and Answers, Samba Domain with Samba Domain Member Server Using LDAP, Removal of Pre-existing Conflicting RPMs
- /etc/hosts, Implementation, Implementation, Basic System Configuration, Validation, Server Preparation All Servers, Questions and Answers, Kerberos Configuration, Bad Hostnames
- /etc/krb5.conf, Kerberos Configuration
- /etc/ldap.conf, PAM and NSS Client Configuration
- /etc/mime.convs, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- /etc/mime.types, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- /etc/named.conf, Configuration of DHCP and DNS Servers
- /etc/nsswitch.conf, Implementation, Configuration of DHCP and DNS Servers, Validation, Configuration for Server: MASSIVE, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, PAM and NSS Client Configuration, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers
- /etc/openldap/slapd.conf, OpenLDAP Server Configuration, Implementation
- /etc/passwd, Findings and Comments, Implementation, Samba Configuration, Configuration for Server: MASSIVE, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Questions and Answers, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers, Share Point Directory and File Permissions, Removal of Pre-existing Conflicting RPMs
- /etc/rc.d/boot.local, Basic System Configuration, Configuration for Server: MASSIVE
- /etc/rc.d/rc.local, Implementation
- /etc/resolv.conf, Configuration of DHCP and DNS Servers, Server Preparation All Servers
- /etc/samba, Samba System File Location
- /etc/samba/secrets.tdb, Active Directory Domain with Samba Domain Member Server
- /etc/samba/smbusers, Server Preparation All Servers
- /etc/squid/squid.conf, Removal of Pre-existing Conflicting RPMs
- /etc/xinetd.d, Process Startup Configuration, Process Startup Configuration
- /lib/libnss_ldap.so.2, PAM and NSS Client Configuration
- /proc/sys/net/ipv4/ip_forward, Implementation, Basic System Configuration
- /usr/bin, Samba System File Location
- /usr/lib/samba, Samba System File Location
- /usr/local, Samba System File Location
- /usr/local/samba, Samba System File Location
- /usr/sbin, Samba System File Location
- /usr/share, Samba System File Location
- /usr/share/samba/swat, Samba System File Location
- /usr/share/swat, Samba System File Location
- /var/lib/ldap, OpenLDAP Server Configuration
- /var/lib/samba, Samba System File Location
- /var/log/samba, Samba System File Location
- , Application Share Configuration
- Domain account, Technical Issues
- liability, Dissection and Discussion
- logon, Implementation
- problem, Dissection and Discussion
- transparent inter-operability, Questions and Answers
A
- abmas-netfw.sh, Basic System Configuration
- abort shutdown script, Samba Configuration, Implementation, Implementation
- accept, Printer Configuration
- accepts liability, Dissection and Discussion
- access, Technical Issues, Check-point Controls
- access control, Kerberos Exposed, Using the MMC Computer Management Interface
- Access Control Lists (see ACLs)
- access control settings, Share Access Controls
- access controls, Technical Issues, Share Definition Controls
- accessible, Share Point Directory and File Permissions
- account, Share Access Controls
- ADS Domain, Technical Issues
- account credentials, Findings and Comments
- account information, Questions and Answers
- account names, Questions and Answers
- account policies, The LDAP Account Manager
- accountable, Introduction, Dissection and Discussion
- accounts
- authoritative, Technical Issues
- Domain, Introduction, Questions and Answers
- group, Introduction, Questions and Answers, Introduction
- machine, Introduction, Questions and Answers
- manage, The LDAP Account Manager
- user, Introduction, Questions and Answers, Introduction
- ACL, Questions and Answers, Check-point Controls
- ACLs, Key Points Learned, Share Access Controls, Share Definition Controls
- acquisitions, Introduction
- Act!, Shared Data Integrity
- ACT! database, Act! Database Sharing
- Act!Diag, Act! Database Sharing
- Active Directory, Dissection and Discussion, The Local Group Policy, Dissection and Discussion, Assignment Tasks, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Key Points Learned, Questions and Answers, Integrating Additional Services, Assignment Tasks, Technical Issues, Samba Configuration, Joining a Domain: Windows 200x/XP Professional
- authentication, Squid Configuration
- domain, Samba Configuration
- join, Active Directory Domain with Samba Domain Member Server
- management tools, Technical Issues
- realm, Bad Hostnames
- Replacement, Technical Issues
- server, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration
- Server, Technical Issues
- tree, Samba Configuration
- AD printer publishing, Uploading Printer Drivers to Samba Servers
- ADAM, Dissection and Discussion
- add group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- add machine script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- Add Printer Wizard
- add user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- add user to group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- adduser, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- admin users, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- administrative installation, Application Share Configuration
- administrative rights, Check-point Controls
- administrator, Implementation, Samba Configuration, Server Preparation All Servers
- ADS, Technical Issues, Kerberos Configuration, Bad Hostnames
- server, Technical Issues
- ADS Domain, Technical Issues
- affordability, The Nature of Windows Networking Protocols
- alarm, Introduction
- algorithm, Technical Issues
- alternative, Dissection and Discussion
- analysis, Technical Issues
- anonymous connection, Validation, Validation
- Apache Web server, Questions and Answers
- appliance mode, Technical Issues
- application server, Technical Issues, Application Share Configuration
- application servers, The Nature of Windows Networking Protocols
- application/octet-stream, Implementation, Implementation, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- APW, Uploading Printer Drivers to Samba Servers
- arp, Validation
- assessment, Introduction
- assumptions, Key Points Learned
- authconfig, PAM and NSS Client Configuration
- authenticate, Samba Configuration
- authenticated, Assignment Tasks
- authenticated connection, Validation, Validation
- authentication, The Nature of Windows Networking Protocols, Questions and Answers, Integrating Additional Services, Technical Issues, NSS Configuration, Questions and Answers
- plain-text, Questions and Answers
- authentication process, Implementation
- authentication protocols, Key Points Learned
- authoritative, Technical Issues
- authorized location, Kerberos Exposed
- auto-generated SID, Questions and Answers
- automatically allocate, Technical Issues
- availability, Performance, Reliability, and Availability
B
- backends, Integrating Additional Services
- background communication, Questions and Answers
- Backup, Introduction
- Backup Domain Controller (see BDC)
- bandwidth, Assignment Tasks
- requirements, User Needs
- bandwidth calculations, Hardware Requirements
- BDC, Technical Issues, Assignment Tasks, Dissection and Discussion, Samba Server Implementation, Samba-3 PDC Configuration, The Nature of Windows Networking Protocols, Key Points Learned, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Technical Issues, Questions and Answers, Use and Location of BDCs
- benefit, Questions and Answers, Dissection and Discussion
- best practices, Introduction
- bias, Questions and Answers
- binary database, Implementation
- bind interfaces only, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- broadcast, Questions and Answers, Routed Networks
- broadcast messages, Implementation
- broadcast storms, Network Collisions
- broken, Dissection and Discussion
- broken behavior, Dissection and Discussion
- browse, Technical Issues
- browse master, Findings
- Browse Master, Questions and Answers
- browseable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- Browser Election Service, Questions and Answers
- browsing, Assignment Tasks, Technical Issues, Technical Issues
- budgetted, Introduction
- bug fixes, Introduction
C
- cache, Opportunistic Locking Controls
- cache directories, Removal of Pre-existing Conflicting RPMs
- caching, Samba Configuration
- case-sensitive, Kerberos Configuration
- centralized storage, Questions and Answers
- check samba + daemons, Validation, Validation
- check-point, Share Definition Controls
- Check-point Controls, Check-point Controls
- check-point controls, Check-point Controls
- chgrp, Samba Configuration
- chkconfig, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration, Implementation
- chmod, Samba Configuration
- choice, Dissection and Discussion, Technical Issues
- chown, Removal of Pre-existing Conflicting RPMs
- CIFS, Findings
- cifsfs, Dissection and Discussion
- clean database, Questions and Answers
- Clock skew, Kerberos Configuration
- cluster, Introduction
- clustering, Introduction, For Scalability, Use SAN Based Storage on Samba Servers
- collision rates, Network Collisions
- comment, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- commercial, Dissection and Discussion
- commercial software, Dissection and Discussion
- Common Internet File System (see CIFS)
- comparison
- Active Directory & OpenLDAP, Dissection and Discussion
- compat, Samba Domain with Samba Domain Member Server Using LDAP
- compatible, Technical Issues
- complexities, Dissection and Discussion
- compromise, Introduction, Introduction, Technical Issues
- computer account, Samba Configuration
- Computer Management, Share Access Controls, Questions and Answers
- condemns, Technical Issues
- conferences, Technical Issues
- connection, Share Access Controls
- connectivity, Questions and Answers
- consequential risk, Technical Issues
- consultant, Drafting Office, Introduction, Dissection and Discussion
- consumer, Dissection and Discussion, Technical Issues
- contiguous directory, Implementation
- copy, Questions and Answers
- corrective action, Hardware Problems
- cost, Dissection and Discussion
- credential, Share Definition Controls
- credentials, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Technical Issues
- crippled, Dissection and Discussion
- criticism, Active Directory, Kerberos, and Security, Introduction
- Critics, Technical Issues
- Cryptographic, Technical Issues
- CUPS, Dissection and Discussion, Technical Issues, Implementation, Key Points Learned, Implementation, Printer Configuration, Server Preparation All Servers, Assignment Tasks, Installation of Printer Driver Auto-Download, Printer Configuration
- cupsd, Basic System Configuration
D
- daemon, Validation, Basic System Configuration, Technical Issues, Questions and Answers, Starting Samba
- daemon control, Process Startup Configuration
- data
- corruption, Making Users Happy
- integrity, Questions and Answers
- data corruption, Hardware Problems, Act! Database Sharing
- data integrity, Hardware Problems, Shared Data Integrity
- data storage, Implementation
- database, Dissection and Discussion, Questions and Answers
- database applications, Shared Data Integrity
- DCE, Kerberos Exposed
- DDNS (see dynamic + DNS)
- default devmode, Samba Configuration, Implementation
- default installation, Samba System File Location
- default password, The LDAP Account Manager
- default profile, Assignment Tasks, Technical Issues
- Default User, Profile Changes, Configuration of Default Profile with Folder Redirection
- defective
- cables, Hardware Problems
- hubs, Hardware Problems
- switches, Hardware Problems
- defects, Technical Issues
- defensible standards, Technical Issues
- defragmentation, Windows Client Configuration
- delete group script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- delete user from group script, Samba-3 PDC Configuration, Implementation
- delete user script, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- delimiter, Check-point Controls
- dependability, Technical Issues
- desired security setting, Setting Posix ACLs in UNIX/Linux
- development, Technical Issues
- DHCP, Technical Issues, Implementation, Key Points Learned, Windows Client Configuration, Windows Client Configuration, The Nature of Windows Networking Protocols, Questions and Answers
- client, Bad Hostnames
- relay, Technical Issues
- Relay Agent, Questions and Answers
- request, Questions and Answers
- requests, Technical Issues
- servers, Questions and Answers
- traffic, Questions and Answers
- dhcp client validation, Validation, Validation
- DHCP Server, Implementation
- DHCP server, Technical Issues
- diffusion, Technical Issues
- digital rights, Technical Issues
- digital sign'n'seal, Technical Issues
- digits, Bad Hostnames
- diligence, Technical Issues
- directory, Dissection and Discussion, Political Issues
- Computers container, LDAP Initialization and Creation of User and Group Accounts
- management, Dissection and Discussion
- People container, LDAP Initialization and Creation of User and Group Accounts
- replication, Dissection and Discussion
- schema, Dissection and Discussion
- server, Technical Issues
- synchronization, Dissection and Discussion
- directory tree, Setting Posix ACLs in UNIX/Linux
- disable, Introduction
- disable spoolss, Implementation, Implementation
- disaster recovery, Introduction
- disk image, Assignment Tasks
- disruptive, Dissection and Discussion
- distributed, Identity Management Needs, Implementation, Questions and Answers, Distribute Network Load with MSDFS
- distributed domain, Identity Management Needs
- DMB, Questions and Answers
- DNS, Technical Issues, Implementation, Technical Issues, The Nature of Windows Networking Protocols, Bad Hostnames, Routed Networks, Joining a Domain: Windows 200x/XP Professional
- configuration, Questions and Answers
- Dynamic, Questions and Answers
- dynamic, Joining a Domain: Windows 200x/XP Professional
- lookup, Questions and Answers, Kerberos Configuration
- name lookup, Bad Hostnames
- SRV records, Kerberos Configuration
- suffix, Joining a Domain: Windows 200x/XP Professional
- DNS server, Implementation, Configuration of DHCP and DNS Servers
- document the settings, Samba Configuration
- documentation, Dissection and Discussion, Technical Issues
- documented, Samba Configuration
- Domain, Technical Issues, Questions and Answers
- group, Questions and Answers
- groups, Technical Issues
- user, Questions and Answers
- domain
- Active Directory, Technical Issues
- joining, Appendix: A Collection of Useful Tid-bits
- trusted, Questions and Answers
- Domain accounts, Technical Issues
- Domain Administrator, Share Access Controls
- Domain Controller, Key Points Learned, The Nature of Windows Networking Protocols, Technical Issues, Implementation, Use and Location of BDCs
- Domain Controllers, Technical Issues, Questions and Answers
- Domain Groups
- well-known, Initialization of the LDAP Database
- Domain join, Samba Domain with Samba Domain Member Server Using LDAP
- domain logons, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- Domain logons, Questions and Answers
- domain master, Samba-3 BDC Configuration, Implementation, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
- Domain Master Browser (see DMB)
- Domain Member, Use and Location of BDCs
- authoritative
- local accounts, Technical Issues
- client, Implementation
- desktop, Introduction
- server, Introduction, Technical Issues, Implementation, Active Directory Domain with Samba Domain Member Server
- servers, Technical Issues, Questions and Answers, Check-point Controls
- workstations, Implementation
- Domain Member server, Technical Issues, Questions and Answers
- Domain Member servers, Questions and Answers
- domain members, Questions and Answers
- domain name space, Identity Management Needs
- domain replication, Questions and Answers
- Domain SID, Technical Issues, NT4 Migration Using LDAP Backend, Questions and Answers
- domain tree, Identity Management Needs
- Domain User Manager, Configuring Profile Directories
- Domain users, Technical Issues
- dos2unix, Samba Configuration
- drive mapping, Technical Issues
- dumb printing, Installation of Printer Driver Auto-Download
- dump, Technical Issues, Questions and Answers
- duplicate accounts, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- dynamic DNS, Technical Issues
E
- economically sustainable, Dissection and Discussion
- eDirectory, Dissection and Discussion
- education, Identity Management Needs
- election, Findings
- employment, Introduction, Dissection and Discussion
- enable, Printer Configuration
- encrypt passwords, Questions and Answers, NSS Configuration
- encrypted, Findings and Comments
- encrypted password, Windows 200x/XP Client Interaction with Samba-3
- encrypted passwords, Questions and Answers
- End User License Agreement (see EULA)
- enumerating, Samba Configuration
- essential, Introduction
- ether-switch, Technical Issues
- Ethereal, Requirements and Notes
- ethereal, Exercises
- Etherswitch, Making Users Happy
- EULA, Dissection and Discussion
- Everyone, Share Access Controls
- Excel, Share Point Directory and File Permissions
- exclusive open, Microsoft Access
- experiment, Active Directory, Kerberos, and Security
- export, Technical Issues
- extent, Dissection and Discussion
- External Domains, Technical Issues
- extreme demand, Guidelines for Reliable Samba Operation
F
- fail, The Nature of Windows Networking Protocols
- fail-over, Identity Management Needs, Implementation
- failed join, Active Directory Domain with Samba Domain Member Server
- failure, Questions and Answers, Samba Configuration
- familiar, Technical Issues
- fatal problem, Samba Configuration
- fear, Technical Issues
- fears, Technical Issues
- FHS, Samba System File Location
- file and print server, Questions and Answers
- file and print service, Dissection and Discussion
- file cacheing, Opportunistic Locking Controls
- file caching, Samba Configuration
- File Hierarchy System (see FHS)
- file locations, Samba System File Location
- file permissions, The LDAP Account Manager
- file server
- read-only, Dissection and Discussion
- file servers, Samba Server Implementation
- file system, Technical Issues
- access control, Samba Configuration
- Ext3, Implementation
- permissions, Samba Configuration, Configuration for Server: MASSIVE
- file system security, Questions and Answers
- filter, Share Access Controls
- financial responsibility, Introduction
- firewall, Technical Issues, Basic System Configuration, Introduction
- fix, Dissection and Discussion
- flaws, Introduction
- flexibility, Technical Issues
- flush
- cache memory, Opportunistic Locking Controls
- folder redirection, Technical Issues, Configuration of Default Profile with Folder Redirection, Questions and Answers
- force group, Implementation, Override Controls, Questions and Answers
- force user, Dissection and Discussion, Implementation, Override Controls, Questions and Answers
- forced settings, Override Controls
- foreign, Samba Domain with Samba Domain Member Server Using LDAP
- foreign SID, Samba Domain with Samba Domain Member Server Using LDAP
- forwarded, Routed Networks
- foundation members, Technical Issues
- Free Standards Grou (see FSG)
- front-end, Dissection and Discussion
- FSG, Samba System File Location
- FTP
- proxy, Questions and Answers
- full control, Share Access Controls, Using MS Windows Explorer (File Manager)
- fully qualified, Check-point Controls
G
- getent, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- getfacl, Setting Posix ACLs in UNIX/Linux
- getgrgid(), Questions and Answers
- getgrnam, Technical Issues
- getpwnam, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- getpwnam(), Questions and Answers
- GID, Implementation, Questions and Answers, Questions and Answers
- Goettingen, Questions and Answers
- government, Identity Management Needs
- GPL, Comments Regarding Software Terms of Use
- group account, Implementation, OpenLDAP Server Configuration
- group management, Implementation
- group membership, Implementation, Samba Configuration, Samba Domain with Samba Domain Member Server Using LDAP, Share Point Directory and File Permissions
- group names, Questions and Answers
- group policies, Introduction
- Group Policy, Joining a Domain: Windows 200x/XP Professional
- Group Policy editor, The Local Group Policy
- Group Policy Objects, The Local Group Policy
- groupadd, Implementation, Implementation, Questions and Answers
- groupdel, Questions and Answers
- groupmod, Questions and Answers
- GSS-API, Windows 200x/XP Client Interaction with Samba-3
- guest account, Findings and Comments, Dissection and Discussion, Technical Issues, Questions and Answers
- guest ok, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
H
- hackers, Introduction
- hardware prices, Hardware Problems
- hardware problems, Hardware Problems
- Heimdal, Implementation, Kerberos Configuration
- Heimdal Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- helper agent, Removal of Pre-existing Conflicting RPMs
- hesoid, Samba Domain with Samba Domain Member Server Using LDAP
- hierarchy of control, Share Definition Controls
- high availability, Dissection and Discussion
- hire, Dissection and Discussion
- HKEY_CURRENT_USER, Roaming Profile Background
- HKEY_LOCAL_MACHINE, Configuration of Default Profile with Folder Redirection
- HKEY_LOCAL_USER, Questions and Answers
- host announcement, Assignment Tasks, Findings
- hostname, Basic System Configuration
- hosts, Questions and Answers
- hosts allow, Samba Configuration, Implementation, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- hosts deny, Samba Configuration, Implementation
- HUB, Making Users Happy
- Hybrid, Questions and Answers
- hypothetical, Introduction
I
- Idealx
- identifiers, Technical Issues
- identity, Questions and Answers, Kerberos Exposed
- management, Technical Issues
- identity management, Technical Issues, Dissection and Discussion, Political Issues
- Identity Management, Dissection and Discussion, The Nature of Windows Networking Protocols, Identity Management Needs
- Identity management, UNIX/Linux Client Domain Member
- Identity resolution, Samba Domain with Samba Domain Member Server Using LDAP, Active Directory Domain with Samba Domain Member Server, UNIX/Linux Client Domain Member, Questions and Answers
- Identity resolver, Questions and Answers
- IDMAP, Samba Domain with Samba Domain Member Server Using LDAP
- idmap backend, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- IDMAP backend, Questions and Answers
- idmap gid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- idmap uid, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- import, Technical Issues
- include, Implementation
- income, Dissection and Discussion
- independent expert, Introduction
- inetd, Process Startup Configuration
- inheritance, Setting Posix ACLs in UNIX/Linux
- initGrps.sh, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- initial credentials, Kerberos Configuration
- inoperative, Dissection and Discussion
- installation, Dissection and Discussion
- integrate, Technical Issues
- integrity, Introduction, Kerberos Exposed
- inter-operability, Dissection and Discussion, Technical Issues, Key Points Learned, Questions and Answers
- interdomain trusts, Identity Management Needs
- interfaces, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- intermittent, Hardware Problems
- Internet Explorer, Technical Issues
- Internet Information Server, Questions and Answers
- IP forwarding, Implementation, Basic System Configuration, Configuration for Server: MASSIVE
- IPC$, Findings and Comments, Implementation
- iptables, Technical Issues
- isolated, Introduction
- Italian, Questions and Answers
J
- jobs, Introduction
- joining a domain, Joining a Domain: Windows 200x/XP Professional
K
- KDC, Kerberos Configuration
- Kerberos, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Key Points Learned, Technical Issues, Implementation, Kerberos Configuration
- Heimdal, Active Directory Domain with Samba Domain Member Server
- interoperability, Kerberos Exposed
- libraries, Active Directory Domain with Samba Domain Member Server
- MIT, Active Directory Domain with Samba Domain Member Server
- unspecified fields, Kerberos Exposed
- kerberos, Kerberos Exposed
- server, Kerberos Exposed
- Kerberos ticket, Samba Configuration
- kinit, Kerberos Configuration
- klist, Kerberos Configuration
- krb5, Implementation
- krb5.conf, Kerberos Configuration
L
- LAM, The LDAP Account Manager
- configuration editor, The LDAP Account Manager
- configuration file, The LDAP Account Manager
- login screen, The LDAP Account Manager
- opening screen, The LDAP Account Manager
- profile, The LDAP Account Manager
- wizard, The LDAP Account Manager
- LDAP, Technical Issues, Assignment Tasks, Dissection and Discussion, Technical Issues, PAM and NSS Client Configuration, Introduction, Dissection and Discussion, Identity Management Needs, Implementation, Key Points Learned, Questions and Answers, Assignment Tasks, Technical Issues, Questions and Answers, Technical Issues, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Technical Issues
- backend, Identity Management Needs
- database, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Alternative LDAP Database Initialization
- directory, Identity Management Needs
- fail-over, Implementation
- initial configuration, Alternative LDAP Database Initialization
- master, Identity Management Needs
- master/slave
- background communication, Questions and Answers
- preload, Implementation
- secure, Technical Issues
- server, Questions and Answers
- slave, Identity Management Needs
- updates, Identity Management Needs
- ldap, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP Account Manager (see LAM)
- ldap admin dn, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP backend, Technical Issues
- LDAP database, Questions and Answers
- ldap group suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- ldap idmap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP Interchange Format (see LDIF)
- ldap machine suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP server, Identity Management Needs
- ldap ssl, Active Directory Domain with Samba Domain Member Server
- ldap suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- ldap user suffix, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP
- LDAP-transfer-LDIF.txt, Implementation
- ldap.conf, Samba Domain with Samba Domain Member Server Using LDAP
- ldapadd, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using LDAP
- ldapsam, LDAP Initialization and Creation of User and Group Accounts, Dissection and Discussion, Assignment Tasks, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Integrating Additional Services
- ldapsam backend, Samba Domain with Samba Domain Member Server Using LDAP
- ldapsearch, LDAP Initialization and Creation of User and Group Accounts
- LDIF, Technical Issues, Implementation, Initialization of the LDAP Database
- leadership, Technical Issues
- Lightweight Directory Access Protocol (see LDAP)
- limit, Questions and Answers
- Linux desktop, Introduction
- Linux Standards Base (see LSB)
- LMB, Findings, Questions and Answers
- LMHOSTS, Routed Networks
- load distribution, For Scalability, Use SAN Based Storage on Samba Servers
- local accounts, Technical Issues
- Local Group Policy, Roaming Profile Background
- local groups, Questions and Answers
- Local Master Announcement, Findings
- Local Master Browser (see LMB)
- local users, Questions and Answers
- localhost, Basic System Configuration, Bad Hostnames
- locking, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation
- Application level, Shared Data Integrity
- Client side, Shared Data Integrity
- Server side, Shared Data Integrity
- log file, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- log level, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- logging, Removal of Pre-existing Conflicting RPMs
- login, Technical Issues
- logon credentials, Questions and Answers
- logon drive, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- logon home, Samba Configuration, Implementation
- logon hours, Technical Issues, Key Points Learned
- logon machines, Technical Issues
- logon path, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- logon process, Implementation
- logon scrip, Samba Configuration, Technical Issues
- logon script, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Preparation of Logon Scripts, Implementation, Technical Issues
- logon server, The Nature of Windows Networking Protocols
- logon services, Implementation
- logon time, Assignment Tasks
- logon traffic, The Nature of Windows Networking Protocols
- loopback, Validation
- low performance, Hardware Problems
- lower-case, Technical Issues
- lpadmin, Implementation, Implementation, Implementation, Printer Configuration, Printer Configuration
- LSB, Samba System File Location
M
- machine accounts, Questions and Answers
- machine secret password, Technical Issues
- managed, Technical Issues
- management, Political Issues, Questions and Answers
- group, Technical Issues
- User, Technical Issues
- mandatory profile, Technical Issues, Configuring Profile Directories
- map acl inherit, Samba Configuration, Implementation, Samba-3 PDC Configuration
- mapped drives, Questions and Answers
- mapping, Technical Issues, Kerberos Configuration
- master, Dissection and Discussion
- material, Appendix: A Collection of Useful Tid-bits
- max log size, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- memory requirements, Hardware Requirements
- merge, Technical Issues, Questions and Answers
- merged, Technical Issues
- meta-directory, Questions and Answers
- meta-service, Questions and Answers
- Microsoft Access, Shared Data Integrity
- Microsoft Excel, Shared Data Integrity
- Microsoft ISA, Assignment Tasks
- Microsoft Management Console (see MMC)
- Microsoft Office, Application Share Configuration, Share Point Directory and File Permissions
- Microsoft Outlook
- PST files, Questions and Answers
- migrate, Technical Issues
- migration, Implementation, Implementation, Assignment Tasks, Introduction, Questions and Answers
- objectives, Dissection and Discussion
- Migration speed, Questions and Answers
- mime type, Implementation, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- mime types, Implementation
- missing RPC's, Technical Issues
- MIT, Implementation, Kerberos Configuration
- MIT Kerberos, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- MIT KRB5, Samba Configuration
- mixed mode, Active Directory Domain with Samba Domain Member Server
- mixed-mode, Questions and Answers
- mkntpasswd, Install and Configure Idealx SMB-LDAP Scripts
- MMC, Configure Delete Cached Profiles on Logout, Technical Issues, Questions and Answers
- mobile computing, Dissection and Discussion
- mobility, Technical Issues
- modularization, Technical Issues
- modules, Questions and Answers
- MS Access
- validate, Microsoft Access
- MS Outlook
- PST file, Making Users Happy
- MS Windows Server 2003, Implementation
- MS Word, Share Point Directory and File Permissions
- MSDFS, Distribute Network Load with MSDFS
- multi-subnet, Routed Networks
- multi-user
- access, Microsoft Access
- data access, Shared Data Integrity
- multiple directories, Identity Management Needs
- multiple domain controllers, Making Users Happy
- multiple group mappings, Questions and Answers
- My Documents, Roaming Profile Background
- My Network Places, Implementation
- mysqlsam, Implementation
N
- name resolution, Assignment Tasks, Configuration of DHCP and DNS Servers, Questions and Answers
- name resolve order, Questions and Answers, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Name Service Switch, Implementation
- name service switch (see NSS)
- named, Basic System Configuration, Validation, Server Preparation All Servers
- NAT, Technical Issues
- native, Questions and Answers
- net
- ads
- getlocalsid, Samba-3 PDC Configuration
- group, NT4 Migration Using tdbsam Backend
- groupmap
- rpc
- getsid, NT4 Migration Using LDAP Backend
- join, Configuration Specific to Domain Member Servers: BLDG1, BLDG2, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers
- vampire, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend
- NetBIOS, Questions and Answers, The Nature of Windows Networking Protocols, Questions and Answers, Bad Hostnames, Routed Networks
- name cache, Questions and Answers
- name resolution
- delays, Making Users Happy
- Node Type, Questions and Answers
- netbios forwarding, Network Collisions
- netbios name, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, NSS Configuration, Bad Hostnames
- NetBIOS name, Kerberos Configuration
- aliases, Identity Management Needs
- NETLOGON, Using a Network Default User Profile, Windows Client Configuration
- netlogon, The Nature of Windows Networking Protocols
- Netlogon, Joining a Domain: Windows 200x/XP Professional
- netmask, Implementation
- Netware, Small Office Networking
- network
- administrators, Technical Issues
- analyzer, Assignment Tasks
- bandwidth, Identity Management Needs, Questions and Answers
- broadcast, Introduction
- captures, Requirements and Notes
- collisions, Network Collisions
- load, Network Collisions
- logon, Making Users Happy
- logon scripts, Dissection and Discussion
- management, Introduction
- multi-segment, Introduction
- overload, Making Users Happy
- performance, Samba Configuration
- routed, Dissection and Discussion
- secure, Introduction
- segment, Dissection and Discussion
- services, Questions and Answers
- sniffer, Requirements and Notes
- tiemouts, Network Collisions
- timeout, Making Users Happy
- trace, Assignment Tasks
- traffic
- observation, Technical Issues
- wide-area, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Network Address Translation (see NAT)
- network administrators, Technical Issues
- network attached storage (see NAS)
- Network Default Profile, Roaming Profile Background
- network hardware
- defective, Making Users Happy
- network hygiene, Dissection and Discussion
- network Identities, Questions and Answers
- network load factors, Dissection and Discussion
- Network Neighborhood, Validation, Technical Issues
- network segment, Use and Location of BDCs
- network segments, Hardware Requirements
- network share, Assignment Tasks
- networking hardware
- defective, Making Users Happy
- networking protocols, Technical Issues
- next generation, Technical Issues
- NFS server, Samba-3 PDC Configuration
- NICs, Hardware Problems
- NIS, LDAP Initialization and Creation of User and Group Accounts, Identity Management Needs, Questions and Answers, Technical Issues, Political Issues, Questions and Answers
- nis, Samba Domain with Samba Domain Member Server Using LDAP
- NIS schema, Questions and Answers
- NIS server, Questions and Answers
- NIS+, Identity Management Needs
- nisplus, Samba Domain with Samba Domain Member Server Using LDAP
- nmap, Validation
- nmbd, Validation, Validation, Samba Configuration, Starting Samba
- nobody, Findings and Comments, Removal of Pre-existing Conflicting RPMs
- NSS, Technical Issues, PAM and NSS Client Configuration, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, UNIX/Linux Client Domain Member, Questions and Answers, NSS Configuration (see Name Service Switch)
- nss_ldap, Technical Issues, OpenLDAP Server Configuration, PAM and NSS Client Configuration, LDAP Initialization and Creation of User and Group Accounts, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP
- nt acl support, Dissection and Discussion, Implementation
- NT4 registry, Dissection and Discussion
- NTLM, Technical Issues
- NTLM authentication daemon, Technical Issues
- NTLMSSP, Windows 200x/XP Client Interaction with Samba-3, Key Points Learned, Questions and Answers
- NTLMSSP_AUTH, Windows 200x/XP Client Interaction with Samba-3
- ntlm_auth, Samba Configuration, Questions and Answers
- NTP, Kerberos Configuration
- NTUSER.DAT, Roaming Profile Background, Profile Changes, Using a Network Default User Profile, Questions and Answers
- NULL connection, Validation
- NULL session, Findings and Comments
- NULL-Session, Discussion
O
- off-site storage, Introduction
- Open Magazine, Adding UNIX/LINUX Servers and Clients
- Open Source, Dissection and Discussion
- OpenLDAP, Dissection and Discussion, Dissection and Discussion, Questions and Answers, Political Issues, Introduction, Technical Issues, Key Points Learned, The LDAP Account Manager
- openldap, OpenLDAP Server Configuration
- OpenOffice, Application Share Configuration
- operating profiles, The LDAP Account Manager
- oplock break, Override Controls
- oplocks, Samba Configuration
- Oplocks
- disabled, Opportunistic Locking Controls
- opportunistic
- locking, Override Controls
- opportunistic locking, Implementation, Samba Configuration, Act! Database Sharing
- optimized, Samba Configuration
- options list, Questions and Answers
- organizational units, The LDAP Account Manager
- os level, Implementation
- Outlook
- Outlook Express, Political Issues
- over-ride, Technical Issues
- over-ride controls, Override Controls
- over-rule, Share Access Controls, Using MS Windows Explorer (File Manager)
- overheads, Override Controls
- ownership, Share Point Directory and File Permissions
P
- package, Implementation
- package names, Samba System File Location
- PADL, Technical Issues
- PADL LDAP tools, Technical Issues
- PADL Software, Samba Domain with Samba Domain Member Server Using LDAP
- PAM, PAM and NSS Client Configuration, UNIX/Linux Client Domain Member
- pam password change, Samba Configuration
- pam_ldap, OpenLDAP Server Configuration
- pam_ldap.so, PAM and NSS Client Configuration
- pam_unix2.so, PAM and NSS Client Configuration
- use_ldap, PAM and NSS Client Configuration
- passdb backend, Implementation, Samba Configuration, The 500-User Office, Implementation, Dissection and Discussion, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Assignment Tasks, Questions and Answers, Technical Issues, Questions and Answers
- passdb.tdb, Technical Issues
- passwd, Implementation, Implementation, Samba Configuration
- passwd chat, Implementation, Samba Configuration
- password
- password caching, Implementation
- password change, Key Points Learned
- password length, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
- password server, NSS Configuration
- path, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- pdbedit, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, NT4 Migration Using tdbsam Backend, Questions and Answers
- PDC, Assignment Tasks, Technical Issues, Technical Issues, The Local Group Policy, The Nature of Windows Networking Protocols, Technical Issues, NT4 Migration Using LDAP Backend, NT4 Migration Using tdbsam Backend, Technical Issues, Questions and Answers, Use and Location of BDCs
- PDF, The LDAP Account Manager
- performance, Dissection and Discussion, Questions and Answers, Performance, Reliability, and Availability, Introduction, Network Collisions
- performance degradation, Override Controls, Samba Configuration
- Perl, The LDAP Account Manager
- permission, Share Point Directory and File Permissions
- permissions, Implementation, Technical Issues, Share Access Controls, Check-point Controls, Share Point Directory and File Permissions, Removal of Pre-existing Conflicting RPMs
- Permissions, Using the MMC Computer Management Interface
- permits, Technical Issues
- permitted group, Using the MMC Computer Management Interface
- PHP, The LDAP Account Manager
- PHP4, The LDAP Account Manager
- pile-driver, Share Definition Controls
- ping, Validation, NT4 Migration Using LDAP Backend
- pitfalls, The LDAP Account Manager
- plain-text, Questions and Answers
- Pluggable Authentication Modules (see PAM)
- policy, Questions and Answers, Introduction
- poor performance, Dissection and Discussion
- Posix, Dissection and Discussion, Technical Issues, Technical Issues, Questions and Answers, Questions and Answers, The LDAP Account Manager
- Posix accounts, LDAP Initialization and Creation of User and Group Accounts, Technical Issues
- Posix ACLs, Managing Windows 200x ACLs
- PosixAccount, LDAP Initialization and Creation of User and Group Accounts
- Postscript, Installation of Printer Driver Auto-Download
- powers, Share Definition Controls
- practices, Introduction
- preferred master, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration
- preload.LDIF, NT4 Migration Using LDAP Backend
- presence and leadership, Technical Issues
- price paid, Dissection and Discussion
- primary group, Samba Domain with Samba Domain Member Server Using LDAP, Share Point Directory and File Permissions
- principals, Kerberos Exposed
- print filter, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- print queue, Charity Administration Office, Dissection and Discussion
- print spooler, Charity Administration Office
- Print Test Page, Uploading Printer Drivers to Samba Servers
- printable, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- printcap name, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- printer admin, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- printer + validation, Validation, Validation
- printers
- Advanced, Uploading Printer Drivers to Samba Servers
- Default Settings, Uploading Printer Drivers to Samba Servers
- General, Uploading Printer Drivers to Samba Servers
- Properties, Uploading Printer Drivers to Samba Servers
- Security, Uploading Printer Drivers to Samba Servers
- Sharing, Uploading Printer Drivers to Samba Servers
- printing, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- privacy, Identity Management Needs
- Privilege Attribute Certificates (see PAC)
- privilege controls, Share Point Directory and File Permissions
- privileged pipe, Samba Configuration
- privileges, Identity Management Needs, Technical Issues, Share Definition Controls
- product defects, Dissection and Discussion
- profile
- default, Assignment Tasks
- mandatory, The Nature of Windows Networking Protocols
- roaming, Making Users Happy
- profile acls, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation
- profile path, Technical Issues
- profile share, Implementation
- profiles share, Dissection and Discussion
- programmer, Dissection and Discussion
- project maintainers, Technical Issues
- Properties, Using the MMC Computer Management Interface
- proprietary, Technical Issues
- protected, Technical Issues
- protection, Technical Issues
- protocol
- negotiation, The Nature of Windows Networking Protocols
- protocol analysis, Requirements and Notes
- protocols, Technical Issues
- proxy, Assignment Tasks, Technical Issues
- public specifications, Technical Issues
R
- RAID, Hardware Requirements
- RAID controllers, Hardware Problems
- Raw Print Through, Installation of Printer Driver Auto-Download
- raw printing, Implementation, Printer Configuration, Server Preparation All Servers, Printer Configuration
- rcldap, Implementation
- read only, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- realm, Active Directory Domain with Samba Domain Member Server, Kerberos Configuration, NSS Configuration
- recognize, Technical Issues
- record locking, Microsoft Access
- recursively, Setting Posix ACLs in UNIX/Linux
- Red Hat Fedora Linux, Samba Configuration
- Red Hat Linux, Drafting Office, Dissection and Discussion, Accounting Office, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Samba Configuration
- redirected folders, Roaming Profile Background, The Nature of Windows Networking Protocols
- refereed standards, Technical Issues
- regedit, Implementation
- regedt32, Profile Changes, Configuration of Default Profile with Folder Redirection
- registry, Questions and Answers
- keys
- SAM, Dissection and Discussion
- SECURITY, Dissection and Discussion
- registry change, Questions and Answers
- Registry Editor, Configuration of Default Profile with Folder Redirection
- registry hacks, Questions and Answers
- registry keys, Configuration of Default Profile with Folder Redirection
- reimburse, Dissection and Discussion
- rejected, Share Access Controls
- rejoin, Questions and Answers
- reliability, Performance, Reliability, and Availability
- remote announce, Routed Networks
- remote browse sync, Routed Networks
- remote procedure call (see RPC)
- replicate, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- replicated, Dissection and Discussion
- resilient, Guidelines for Reliable Samba Operation
- resolve, Technical Issues, Bad Hostnames
- responsibility, Dissection and Discussion
- responsible, Technical Issues
- restricted export, Kerberos Exposed
- Restrictive security, Active Directory Domain with Samba Domain Member Server
- reverse DNS, Kerberos Configuration
- risk, Technical Issues, Questions and Answers, Questions and Answers, Introduction
- road-map, Technical Issues
- published, Technical Issues
- roaming profile, Technical Issues, Roaming Profile Background, Configuring Profile Directories, User Needs, Questions and Answers
- roaming profiles, Technical Issues, Implementation, Roaming Profile Background
- routed network, Use and Location of BDCs
- router, Implementation
- routers, Questions and Answers, Routed Networks
- RPC, Active Directory Domain with Samba Domain Member Server, Kerberos Exposed
- RPM
- install, Implementation
- rpm, Removal of Pre-existing Conflicting RPMs, Samba System File Location
- RPMs, Samba Configuration
- rpms, Removal of Pre-existing Conflicting RPMs
- rsync, Samba-3 PDC Configuration, Questions and Answers, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- run-time control files, Samba System File Location
S
- safe-guards, Technical Issues
- SAM, Dissection and Discussion
- samba, Removal of Pre-existing Conflicting RPMs
- starting samba, Implementation
- Samba, Samba Configuration
- Samba accounts, Technical Issues
- samba cluster, Introduction
- samba control script, Starting Samba
- Samba Domain, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Samba Domain server, Using the MMC Computer Management Interface
- Samba RPM Packages, Samba-3 PDC Configuration
- Samba Tea, Samba Configuration
- SambaSamAccount, LDAP Initialization and Creation of User and Group Accounts
- SambaXP conference, Questions and Answers
- SAN, For Scalability, Use SAN Based Storage on Samba Servers
- scalability, Introduction
- scalable, Identity Management Needs
- schannel, Technical Issues, Key Points Learned, Questions and Answers
- schema, Questions and Answers
- scripts, The LDAP Account Manager
- secondary group, Samba Domain with Samba Domain Member Server Using LDAP
- secret, Kerberos Exposed
- secrets.tdb, Technical Issues, Samba-3 PDC Configuration, NT4 Migration Using LDAP Backend
- secure, Introduction
- secure account password, Questions and Answers
- secure connections, The LDAP Account Manager
- secure networking, Technical Issues
- secure networking protocols, Technical Issues
- security, Implementation, Implementation, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Introduction, Technical Issues, Share Point Directory and File Permissions, Questions and Answers, NSS Configuration
- share mode, Dissection and Discussion
- user mode, Dissection and Discussion
- Security, Technical Issues, Using the MMC Computer Management Interface
- Security Account Manager (see SAM)
- security controls, Technical Issues
- security descriptors, Dissection and Discussion
- security fixes, Technical Issues
- security updates, Technical Issues
- SerNet, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- server string, Active Directory Domain with Samba Domain Member Server
- service, Implementation
- Service Packs, Application Share Configuration
- services, Key Points Learned
- session setup, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3
- Session Setup, Simple Windows Client Connection Characteristics
- set primary group script, Samba-3 PDC Configuration, Implementation
- setfacl, Setting Posix ACLs in UNIX/Linux
- severely degrade, Samba Configuration
- SGID, Dissection and Discussion, Share Point Directory and File Permissions, Effect of Setting File and Directory SUID/SGID Permissions Explained
- shadow-utils, Questions and Answers
- share, Questions and Answers
- Share Access Controls, Share Access Controls
- share ACLs, Questions and Answers
- share definition, Technical Issues
- Share Definition
- Controls, Share Definition Controls
- share definition controls, Share Definition Controls, Check-point Controls, Share Point Directory and File Permissions, Questions and Answers
- share level access controls, Questions and Answers
- share level ACL, Questions and Answers
- Share Permissions, Share Access Controls
- shared resource, Technical Issues, Setting Posix ACLs in UNIX/Linux
- shares, Technical Issues
- show add printer wizard, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation
- shutdown script, Samba Configuration, Implementation, Implementation
- SID, Windows Client Configuration, Identity Management Needs, Questions and Answers, Technical Issues, Initialization of the LDAP Database
- side effects, Managing Windows 200x ACLs
- Sign'n'seal, Key Points Learned, Questions and Answers
- silent return, Active Directory Domain with Samba Domain Member Server
- simple, Dissection and Discussion
- Single Sign-On (see SOS)
- slapadd, NT4 Migration Using LDAP Backend
- slapcat, LDAP Initialization and Creation of User and Group Accounts, Samba Domain with Samba Domain Member Server Using LDAP
- slave, Dissection and Discussion
- slow logon, Making Users Happy
- slow network, Hardware Problems
- slurpd, Implementation, Questions and Answers
- smart printing, Dissection and Discussion
- SMB passwords, Implementation
- smb ports, Samba Configuration, Questions and Answers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- SMB/CIFS, Questions and Answers
- smbclient, Validation, Validation, LDAP Initialization and Creation of User and Group Accounts, NT4 Migration Using LDAP Backend, Questions and Answers
- smbd, Validation, Implementation, Validation, Validation, Samba-3 PDC Configuration, Technical Issues, Active Directory Domain with Samba Domain Member Server, Samba Configuration, Questions and Answers, Starting Samba
- location of files, Samba System File Location
- smbfs, Dissection and Discussion
- smbldap-groupadd.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-passwd.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-populate.pl, LDAP Initialization and Creation of User and Group Accounts
- smbldap-tools, The LDAP Account Manager
- smbldap-useradd.pl, LDAP Initialization and Creation of User and Group Accounts, Implementation
- smbldap-usermod.pl, LDAP Initialization and Creation of User and Group Accounts
- smbmnt, Dissection and Discussion
- smbmount, Dissection and Discussion
- smbpasswd, Implementation, Technical Issues, Implementation, Technical Issues, Samba Configuration, Server Preparation All Servers, Configuration for Server: MASSIVE, Samba-3 PDC Configuration, LDAP Initialization and Creation of User and Group Accounts, Samba-3 BDC Configuration, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, Questions and Answers, Integrating Additional Services
- smbumnt, Dissection and Discussion
- smbumount, Dissection and Discussion
- snap-shot, Dissection and Discussion
- socket address, Samba Configuration
- socket options, Samba Configuration
- software, Dissection and Discussion
- solve, Dissection and Discussion
- source code, Dissection and Discussion
- SPNEGO, Windows 200x/XP Client Interaction with Samba-3
- SQL, Dissection and Discussion, Questions and Answers
- Squid, Technical Issues, Implementation, Removal of Pre-existing Conflicting RPMs, Samba Configuration, Squid Configuration
- squid, Removal of Pre-existing Conflicting RPMs, Samba Configuration
- Squid proxy, Technical Issues
- SRVTOOLS.EXE, Implementation, Configuring Profile Directories, Questions and Answers, Questions and Answers
- SSL, The LDAP Account Manager
- starting + CUPS, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
- starting dhcpd, Implementation, Process Startup Configuration, Process Startup Configuration
- starting samba, Implementation, Implementation, Implementation, Implementation, Process Startup Configuration, Process Startup Configuration
- nmbd, Starting Samba
- smbd, Starting Samba
- winbindd, Starting Samba
- startup script, Starting Samba
- sticky bit, Implementation
- storage capacity, Hardware Requirements
- strategic, Technical Issues
- strategy, Questions and Answers
- straw-man, Active Directory, Kerberos, and Security
- strict sync, Samba Configuration
- strong cryptography, Kerberos Exposed
- SUID, Dissection and Discussion, Questions and Answers, Effect of Setting File and Directory SUID/SGID Permissions Explained
- Sun ONE Identity Server, Dissection and Discussion
- super daemon, Process Startup Configuration
- support, Dissection and Discussion
- survey, Adding UNIX/LINUX Servers and Clients
- SUSE Enterprise Linux Server, Charity Administration Office, Basic System Configuration, Implementation
- SUSE Linux, Dissection and Discussion, Samba Server Implementation, PAM and NSS Client Configuration, Implementation, Active Directory Domain with Samba Domain Member Server, Implementation, Removal of Pre-existing Conflicting RPMs
- SWAT, Samba System File Location
- sync always, Samba Configuration
- synchronization, Kerberos Configuration, For Scalability, Use SAN Based Storage on Samba Servers
- synchronize, User Needs
- synchronized, Questions and Answers
- syslog, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- system level logins, Questions and Answers
- system security, Technical Issues
T
- tattooing, Questions and Answers
- TCP/IP, Questions and Answers
- tdbdump, NT4 Migration Using LDAP Backend, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- tdbsam, Technical Issues, Implementation, The 500-User Office, Assignment Tasks, Dissection and Discussion, Implementation, Technical Issues, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers
- template primary group, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- template shell, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- testparm, Validation, Validation, Samba-3 PDC Configuration, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- ticket, Samba Configuration
- time server, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- Tivoli Directory Server, Dissection and Discussion
- token, Technical Issues
- tool, Questions and Answers, Dissection and Discussion
- track record, Dissection and Discussion
- traffic collisions, Making Users Happy
- transaction processing, Dissection and Discussion
- transactional, Questions and Answers
- transfer, Questions and Answers
- translate, Managing Windows 200x ACLs
- traverse, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Tree Connect, Simple Windows Client Connection Characteristics
- trusted computing, Introduction
- Trusted Domains, Technical Issues
- trusted domains, Questions and Answers
- trusted third-party, Kerberos Exposed
- trusting, Kerberos Exposed
- turn-around time, Technical Issues
U
- UDP
- broadcast, Routed Networks
- UID, Dissection and Discussion, Technical Issues, Implementation, Questions and Answers, Questions and Answers
- un-join, Questions and Answers
- unauthorized activities, Kerberos Exposed
- UNC name, Questions and Answers
- unencrypted, The LDAP Account Manager
- Unicast, The Nature of Windows Networking Protocols
- Universal Naming Convention (see UNC name)
- UNIX
- groups, Technical Issues, Implementation
- UNIX account, Questions and Answers
- UNIX accounts, Technical Issues
- unix charset, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- unix password sync, Samba Configuration
- UNIX/Linux server, Technical Issues
- unix2dos, Samba Configuration
- unknown, Technical Issues
- updates, Introduction, Technical Issues
- uppercase, Technical Issues
- use client driver, Implementation, Implementation, Implementation, Samba Configuration, Implementation
- user
- user account, OpenLDAP Server Configuration
- User and Group Controls, Technical Issues
- user credentials, Identity Management Needs, UNIX/Linux Client Domain Member
- user errors, Questions and Answers
- user identities, Implementation
- user logins, Questions and Answers
- user management, Implementation
- User Mode, Simple Windows Client Connection Characteristics, Windows 200x/XP Client Interaction with Samba-3, Implementation
- useradd, Implementation, Implementation, Implementation, Samba Configuration, Configuration for Server: MASSIVE
- username map, Implementation, Samba Configuration, Server Preparation All Servers, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- utilities, Questions and Answers
- utmp, Samba Configuration, Implementation, Implementation
V
- valid users, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Questions and Answers, Check-point Controls, Questions and Answers
- validate, NT4 Migration Using LDAP Backend, Questions and Answers, Check-point Controls
- validated, Identity Management Needs, Active Directory Domain with Samba Domain Member Server, Introduction
- validation, Validation, Validation, Questions and Answers
- vampire, Questions and Answers
- vendor, Dissection and Discussion
- veto files, Samba Configuration, Implementation
- veto oplock files, Samba Configuration, Implementation
- VFS modules, Samba System File Location
- virus, Implementation
- VPN, Assignment Tasks
- vulnerabilities, Introduction
W
- wbinfo, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, Samba Configuration
- weakness, Technical Issues
- web
- caching, Assignment Tasks
- proxying, Assignment Tasks
- Web
- proxy, Questions and Answers
- access, Key Points Learned
- Web browsers, Key Points Learned
- WebClient, Making Users Happy
- wide-area, User Needs, Identity Management Needs, Key Points Learned, Questions and Answers, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- wide-area network, Use and Location of BDCs, Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
- winbind, Implementation, Dissection and Discussion, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Questions and Answers, Introduction, Technical Issues, Technical Issues, Samba Configuration, NSS Configuration
- Winbind, Questions and Answers, Technical Issues, Key Points Learned
- winbind enable local accounts, Technical Issues, Questions and Answers
- winbind enum groups, NSS Configuration
- winbind enum users, NSS Configuration
- winbind separator, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- winbind trusted domains only, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, Questions and Answers
- winbind use default domain, Check-point Controls
- winbind user default domain, NSS Configuration
- winbindd, Validation, Validation, Technical Issues, Technical Issues, Samba Domain with Samba Domain Member Server Using LDAP, Questions and Answers, Samba Configuration, Questions and Answers, Starting Samba
- winbindd_cache.tdb, Technical Issues
- winbindd_idmap.tdb, Technical Issues
- Windows 2000 ACLs, Managing Windows 200x ACLs
- Windows 2003 Serve, Introduction
- Windows 200x ACLs, Questions and Answers
- Windows accounts, Technical Issues
- Windows ACLs, Setting Posix ACLs in UNIX/Linux
- Windows ADS Domain, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- Windows clients, Questions and Answers
- Windows Explorer, Validation
- Windows explorer, Questions and Answers
- Windows security identifier (see SID)
- Windows Servers, Introduction
- Windows Services for UNIX (see SUS)
- Windows XP, Assignment Tasks
- WINS, Questions and Answers, Implementation, Technical Issues, Implementation, Windows Client Configuration, Technical Issues, Windows Client Configuration, The Nature of Windows Networking Protocols, Identity Management Needs, Questions and Answers
- lookup, Questions and Answers
- name resolution, Routed Networks
- server, Making Users Happy, Routed Networks
- WINS server, The 500-User Office, Questions and Answers
- wins server, Implementation, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind
- WINS serving, Implementation
- wins support, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Implementation
- wins.dat, Identity Management Needs
- Word, Share Point Directory and File Permissions
- workgroup, Implementation, Implementation, Implementation, Implementation, Samba Configuration, Implementation, Samba-3 PDC Configuration, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server, NSS Configuration
- Workgroup Announcement, Findings
- workstation, Implementation
- wrapper, Questions and Answers
- write list, Samba-3 BDC Configuration, Implementation, Samba Domain with Samba Domain Member Server Using LDAP, NT4/Samba Domain with Samba Domain Member Server Using Winbind, Active Directory Domain with Samba Domain Member Server
- write lock, Opportunistic Locking Controls
X
- xinetd, Process Startup Configuration
- XML, Dissection and Discussion
- xmlsam, Implementation
Y
- YaST, PAM and NSS Client Configuration
- Yellow Pages, Identity Management Needs
- yellow pages (see NIS)
Chapter 10. Active Directory, Kerberos, and Security Table of Contents
Chapter 10. Active Directory, Kerberos, and Security Table of Contents
By this point in the book, you have been exposed to many Samba-3 features and capabilities. More importantly, if you have implemented the examples given, you are well on your way to becoming a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to practice, you likely have thought of improvements and scenarios with which you can experiment. You are rather well plugged in to the many flexible ways Samba can be used. -
This is a book about Samba-3. Understandably, its intent is to present it in a positive light. The casual observer might conclude that this book is one-eyed about Samba. It is what would you expect? This chapter exposes some criticisms that have been raised concerning @@ -13,13 +13,13 @@ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of criticism develops with respect to Abmas. -
This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled out of thin air. They were drawn from comments made by Samba users and from criticism during discussions with Windows network administrators. The tone of the objections reflects as closely as possible that of the original. The case presented is a straw-man example that is designed to permit each objection to be answered as it might occur in real life. -
Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took note of the spectacular projection of Abmas onto the global business stage. Abmas is building an interesting portfolio of companies that includes accounting services, financial advice, investment @@ -28,42 +28,42 @@ interesting business growth and development plan. Abmas Video Rentals has been recently acquired. During the time that the acquisition was closing, the Video Rentals business upgraded their Windows NT4-based network to Windows 2003 Server and Active Directory. -
Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory. The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform. Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to operate with a solution that is viewed by Christine and her group as “an island of broken technologies.” This comment was made by one of Christine's staff as they were installing a new Samba-3 server at the new business. -
Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer should make such a comment. He felt that he had to prepare in case he might be criticized for his decision to use Active Directory. He decided he would defend his decision by hiring the services - of an outside security systems consultant to report[12] on his unit's operations + of an outside security systems consultant to report[12] on his unit's operations and to investigate the role of Samba at his site. Here are key extracts from this hypothetical report: -
... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. ... we took additional steps to validate the integrity of the installation and operation of Active Directory and are pleased that your staff are following sound practices.
... -
User and Group accounts, and respective privileges, have been well thought out. File system shares are appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and effective off-site storage practices are considered to exceed industry norms. -
Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain a secure network. -
The recently installed Linux file and application server uses a tool called winbind that is indiscriminate about security. All user accounts in Active Directory can be used to access data stored on the Linux system. We are alarmed that secure information is accessible to staff who should not even be aware that it exists. We share the concerns of your network management staff who have gone to great lengths to set fine-grained controls that limit information access to those who need access. It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work. -
Graham Judd [head of network administration] has locked down the security of all systems and is following the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network is isolated from the outside world, the [product name removed] firewall is under current contract @@ -72,7 +72,7 @@ detail and for following Microsoft recommended best practices.
... -
In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft ... what worries us regarding Samba is the need to disable essential Windows security features such as @@ -80,14 +80,14 @@ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that with trusted computing initiatives that the Samba developers do not participate in. -
One wonders about the integrity of an open source program that is developed by a team of hackers who cannot be held accountable for the flaws in their code. The sheer number of updates and bug fixes they have released should ring alarm bells in any business. -
Another factor that should be considered is that buying Microsoft products and services helps to provide employment in the IT industry. Samba and Open Source software place those jobs at risk. -
This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple discussion, but it gets further out of hand. When he returns to his office, he finds the following email in his in-box: @@ -100,23 +100,23 @@ I also wish to advise that two of the recent recruits want to implement Kerberos authentication across all systems. I concur with the desire to improve security. One of the new guys who is championing the move to Kerberos was responsible for the comment that caused the embarrassment. -
I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, I would like to hire the services of a well-known Samba consultant to set the record straight. -
I intend to use this report to answer the criticism raised and would like to establish a policy that we will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce use of any centrally proposed standards, but make all non-compliance the financial responsibility of the out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. -
--Stan --Stan Bob agreed with Stan's recommendations and has hired your services to help defuse the powder keg. Your task is to answer each of the issues raised with a tractable answer. You must be able to support your claims, keep emotions to a side, and answer technically. -
Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to make or reject. It is likely that your decision to use Samba can benefit your company more than anyone else. The Samba Team obviously believes that the Samba software is a worthy choice. @@ -124,18 +124,18 @@ someone to help manage your Samba installation, you can create income and employment. Alternately, money saved by not spending in the IT area can be spent elsewhere in the business. All money saved or spent creates employment. -
In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted purely to provide file and print service interoperability on platforms that otherwise cannot provide access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an alternative to the use of a Microsoft file and print serving platforms with no consideration of costs. -
It would be foolish to adopt a technology that might put any data or users at risk. Security affects everyone. The Samba Team are fully cognizant of the responsibility they have to their users. The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything that is broken. -
There is a mistaken perception in the IT industry that commercial software providers are fully accountable for the defects in products. Open Source software comes with no warranty, so it is often assumed that its use confers a higher degree of risk. Everyone should read commercial software @@ -143,34 +143,34 @@ extent of liability that is accepted. Doing so soon dispels the popular notion that commercial software vendors are willingly accountable for product defects. In many cases, the commercial vendor accepts liability only to reimburse the price paid for the software. -
The real issues that a consumer (like you) needs answered is what is the way of escape from technical problems and how long will it take? The average problem turnaround time in the Open Source community is approximately 48 hours. What does the EULA offer? What is the track record in the commercial software industry? What happens when your commercial vendor decides to cease providing support? -
Open Source software at least puts you in possession of the source code. This means that when all else fails, you can hire a programmer to solve/fix the problem. -
+
Each issue is now discussed and, where appropriate, example implementation steps are provided. -
- Winbind and Security
- Winbind and Security
Windows network administrators may be dismayed to find that winbind exposes all Domain users so that they may use their Domain account credentials to log onto a UNIX/Linux system. The fact that all users in the Domain can see the UNIX/Linux server in their Network Neighborhood and can browse the shares on the server seems to excite them further. -
winbind provides for the UNIX/Linux Domain Member server or client, the same as one would obtain by adding a Microsoft Windows server or client to the Domain. The real objection is the fact that Samba is not MS Windows and, therefore, requires handling a little differently from the familiar Windows systems. One must recognize fear of the unknown. -
Windows network administrators need to recognize that winbind does not, and cannot, override account controls set using the Active Directory management tools. The control is the same. Have no fear. -
Where Samba and the ADS Domain account information obtained through the use of winbind permits access, by browsing or by the drive mapping to a share, to data that should be better protected. This can only happen when security @@ -178,14 +178,14 @@ on:
Shares themselves (i.e., the logical share itself)
The share definition in smb.conf
The shared directories and files using UNIX permissions
Using Windows 2000 ACLs if the file system is Posix enabled
Examples of each are given in ???. -
- User and Group Controls
- User and Group Controls
User and group management facilities as known in the Windows ADS environment may be used to provide equivalent access control constraints or to provide equivalent permissions and privileges on Samba servers. Samba offers greater flexibility in the use of user and group controls because it has additional layers of control compared to Windows 200x/XP. For example, access controls on a Samba server may be set within the share definition in a manner for which Windows has no equivalent. -
In any serious analysis of system security, it is important to examine the safeguards that remain when all other protective measures fail. An administrator may inadvertently set excessive permissions on the file system of a shared resource, or he may set excessive @@ -193,35 +193,35 @@ the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is possible to guard against that by enforcing controls on the share definition itself. You see a practical example of this a little later in this chapter. -
The report that is critical of Samba really ought to have exercised greater due diligence, as the real weakness is on the side of a Microsoft Windows environment. -
- Security Overall
- Security Overall
Samba has been designed in such a manner that weaknesses inherent in the design of Microsoft Windows networking ought not to expose the underlying UNIX/Linux file system in any way. All software has potential defects, and Samba is no exception. What matters more is how defects that are discovered get dealt with. -
The Samba Team totally agrees with the necessity to observe and fully implement every security facility to provide a level of protection and security that is necessary and that the end user (or network administrator) needs. Never would the Samba Team recommend a compromise to system security, nor would deliberate defoliation of security be publicly condoned; yet this is the practice by many Windows network administrators just to make happy users who have no notion of consequential risk. -
The report condemns Samba for releasing updates and security fixes, yet Microsoft on-line updates need to be applied almost weekly. The answer to the criticism made lies in the fact that Samba development is continuing, documentation is improving, user needs are being increasingly met or exceeded, and security updates are issued with a short turnaround time. -
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near complete rewrite to permit extensive modularization and to prepare Samba for new functionality planned for addition during the next generation series. The Samba Team is responsible and can be depended upon; the history to date would suggest a high degree of dependability as well as on charter development consistent with published road-map projections. -
Not well published is the fact that Microsoft was a foundation member of the Common Internet File System (CIFS) initiative, together with the participation of the network attached storage (NAS) industry. Unfortunately, for the past few years, @@ -230,7 +230,7 @@ space. The Samba Team has maintained consistent presence and leadership at all CIFS conferences and at the interoperability laboratories run concurrently with them. -
- Cryptographic Controls (schannel, sign'n'seal)
- Cryptographic Controls (schannel, sign'n'seal)
The report correctly mentions the fact that Samba did not support the most recent schannel and digital sign'n'seal features of Microsoft Windows NT/200x/XPPro products. This is one of the key features @@ -238,7 +238,7 @@ seldom a reflection of current practice, and in many respects reports are like a pathology report they reflect accurately (at best) status at a snap-shot in time. Meanwhile, the world moves on. -
It should be pointed out that had clear public specifications for the protocols been published, it would have been much easier to implement this and would have taken less time to do. The sole mechanism used to find an algorithm that is compatible @@ -246,7 +246,7 @@ and trial-and-error implementation of potential techniques. The real value of public and defensible standards is obvious to all, and would have enabled more secure networking for everyone. -
Critics of Samba often ignore fundamental problems that may plague (or may have plagued) the users of Microsoft's products also. Those who are first to criticize Samba for not rushing into release of digital sign'n'seal support @@ -254,10 +254,10 @@ acknowledged and for which a fix was provided. In fact, Tangent Systems - appears even today[13] to not be sure that the problem has been resolved. + appears even today[13] to not be sure that the problem has been resolved. So it is evident that some delay in release of new functionality may have fortuitous consequences. -
One final comment is warranted. If companies want more secure networking protocols, the most effective method by which this can be achieved is by users seeking and working together to help define open and publicly refereed standards. The @@ -273,7 +273,7 @@ of them that uses RPCs that are not supported by any of these component technologies and yet by which they are made to interoperate in ways that the components do not support. -
In order to make the popular request for Samba to be an Active Directory Server a reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls that are not presently supported. The Samba Team has not been able to gain critical @@ -281,31 +281,31 @@ challenge of developing and integrating the necessary technologies. Therefore, if the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality into the Samba project, this dream request can not become a reality. -
At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the Samba development roadmap. If it is not on the published roadmap, it cannot be delivered anytime soon. Ergo, ADS server support is not a current goal for Samba development. The Samba Team is most committed to permitting Samba to be a full ADS Domain member that is increasingly capable of being managed using Microsoft Windows MMC tools. -
Kerberos is a network authentication protocol that provides secure authentication for client-server applications by using secret-key cryptography. Firewalls are an insufficient barrier mechanism in todays networking world as at best they only restrict incoming network traffic but can not prevent network traffic that comes from authorized locations from performing unauthorized activities. -
Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server has used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. -
Kerberos is a trusted third-party service. That means that there is a third party (the kerberos server) that is trusted by all the entities on the network (users and services, usually called principals). All principals share a secret password (or key) with the kerberos server and this enables principals to verify that the messages from the kerberos server are authentic. Thus trusting the kerberos server, users and services can authenticate each other. -
Kerberos was until recently a technology that was restricted from being exported from the United States. For many years that hindered global adoption of more secure networking technologies both within the USA as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe @@ -313,7 +313,7 @@ In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos. It is likely that there will be a significant surge forward in the development of Kerberos enabled applications and in the general deployment and use of Kerberos across the spectrum of the information technology industry. -
A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation of it. For example, a 2002 new report by IDG states: @@ -322,14 +322,14 @@ great lengths to disclose interfaces and protocols that allow third-party software products to interact with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's use of the Kerberos authentication specification, not everyone agrees. -
Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so that software developers could add their own authorization information, he said. -
It so happens that Microsoft Windows clients depend on and expect the contents of the unspecified fields in the Kerberos 5 communications data stream for their Windows interoperability, in particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability @@ -340,7 +340,7 @@
Microsoft makes the following comment in a reference in a technet article: -
The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership. @@ -350,10 +350,10 @@ Windows NT access control information.
The following procedures outline the implementation of the security measures discussed so far. -
Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as Windows XP Pro) attempts to make a connection to the Samba server. -
Procedure 10.1. Create/Edit/Delete Share ACLs
Procedure 10.1. Create/Edit/Delete Share ACLs
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator account (on Samba Domains, this is usually the account called root).
@@ -362,16 +362,16 @@
In the left panel, ->->->->. In the lower panel, click on the name of the server you wish to - administer. Click ->->. + administer. Click ->->. In the left panel, the entry should now reflect the change made. For example, if the server you are administering is called FRODO, the Computer Management entry should now say: .
In the left panel, click ->->. -
In the right panel, double-click on the share on which you wish to set/edit ACLs. This will bring up the Properties panel. Click the tab. -
You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that Everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -380,7 +380,7 @@
When you are done with editing, close all panels by clicking through the buttons. -
Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a check-point can be used to require someone who wants to get through to meet certain requirements, so it is possible to require the user (or group the user belongs to) to meet specified credential-related @@ -393,7 +393,7 @@ ACLs act at a higher level than to share definition controls because the user must filter through the share level controls to get to the share definition controls. The proper hierarchy of controls implemented by Samba and Windows networking consists of: -
Share Level ACLs
Share Definition Controls
Directory and File Permissions
Directory and File Posix ACLs
Share Level ACLs
Share Definition Controls
Directory and File Permissions
Directory and File Posix ACLs
Consider the following extract from a smb.conf file defining the share called Apps:
[Apps] @@ -404,19 +404,19 @@
This definition permits only those who are members of the group called Employees to access the share. -
Note
Note
On Domain Member servers and clients, even when the winbind use default domain has been specified, the use of Domain accounts in security controls requires fully qualified Domain specification, - for example, valid users = @"MEGANET\Northern Engineers". + for example, valid users = @"MEGANET\Northern Engineers". Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a delimiter. -
If there is an ACL on the share itself to permit read/write access for all Employees as well as read/write for the group Doctors, both groups are permitted through to the share. However, at the moment an attempt is made to set up a connection to the share, a member of the group Doctors, who is not also a member of the group Employees, would immediately fail to validate. -
Consider another example. In this case, you want to permit all members of the group Employees to access the Apps share, except the user patrickj. This can be easily achieved by setting a share level ACL permitting only Employees to access the share, @@ -429,7 +429,7 @@ read only = Yes invalid users = patrickj
- + Let us assume that you want to permit the user gbshaw, to manage any file in the UNIX/Linux file system directory /data/apps, but you do not want to grant any write permissions beyond that directory tree. Here is one way this can be done: @@ -467,7 +467,7 @@ This is a particularly complex example at this point, but it begins to demonstrate the possibilities. You should refer to the on-line manual page for the smb.conf file for more information regarding the check-point controls that Samba implements. -
Override controls implemented by Samba permit actions like the adoption of a different identity during file system operations, the forced overwriting of normal file and directory permissions, and so on. You should refer to the on-line manual page for the smb.conf file for more information regarding @@ -485,14 +485,14 @@ force user = billc force group = Mentors
- + That is all there is to it. Well, it is almost that simple. The downside of this method is that users are logged onto the Windows client as themselves, and then immediately before accessing the file, Samba makes system calls to change the effective user and group to the forced settings specified, completes the file transaction, and then reverts to the actually logged on identity. This imposes significant overhead on Samba. The alternative way that effectively the same result can be achieved (but with lower system CPU overheads) is described next. -
The use of the force user, or the force group, may also have a severe impact on system (and in particular Windows client) performance. If opportunistic locking is enabled on the share (the default), it causes an oplock break to be @@ -502,7 +502,7 @@ waiting for the file system transaction (read or write) to complete. The result can be a profound apparent performance degradation as the client continually attempts to reconnect to overcome the effect of the lost oplock break, or time-out. -
Samba has been designed and implemented so that it respects as far as is feasible the security and user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing with respect to file system access that violates file system permission settings, unless it is @@ -510,7 +510,7 @@ UNIX file system controls, this chapter does not document simple information that can be obtained from a basic UNIX training guide. Instead, one common example of a typical problem is used to demonstrate the most effective solution referred to in the immediately preceding paragraph. -
One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
@@ -530,7 +530,7 @@ There have been many postings over the years that report the same basic problem. Frequently Samba users want to know when this “bug” will be fixed. The fact is, this is not a bug in Samba at all. Here is the real sequence of what happens in the case mentioned above. -
When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned by the user who creates the file (billc) and has the permissions that follow that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing @@ -556,18 +556,18 @@ browseable = Yes read only = No
-
Set consistent user and group permissions recursively down the directory tree as shown here:
root# chown -R janetp.users /usr/data/finance
-
Set the files and directory permissions to be read/write for owner and group, and not accessible to others (everyone) using the following command:
root# chmod ug+rwx,o-rwx /usr/data/finance
-
Set the SGID (super-group) bit on all directories from the top down. This means all files can be created with the permissions of the group set on the directory. It means all users who are members of the group finance can read and write all files in @@ -577,11 +577,11 @@ root# find /usr/data/finance -type d -exec chmod ug+s {}\;
-
Make sure all users that must have read/write access to the directory have finance group membership as their primary group, for example, the group they belong to in /etc/passwd. -
Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means that some transactions are not possible from MS Windows clients. One of these is to reset the ownership @@ -589,7 +589,7 @@
There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. -
+
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator account (on Samba Domains, this is usually the account called root).
@@ -604,7 +604,7 @@ the Computer Management entry should now say: .
In the left panel, click ->->. -
In the right panel, double-click on the share on which you wish to set/edit ACLs. This brings up the Properties panel. Click the tab. It is best to edit ACLs using the Advanced editing features. Click the @@ -628,7 +628,7 @@
Click ->->->->->->->->->->->. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized in respect to a Samba Domain server. -
You may now edit/add/remove access control settings. Be very careful. Many problems have been created by people who decided that Everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also @@ -637,7 +637,7 @@
When you are done with editing, close all panels by clicking through the buttons until the last panel closes. -
Yet another alternative method for setting desired security settings on the shared resource files and directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 @@ -660,7 +660,7 @@ group::rwx other::r-x
-
You want to add permission for AppsMgrs to enable them to manage the applications (apps) share. It is important to set the ACL recursively so that the AppsMgrs have this capability throughout the directory tree that is @@ -683,26 +683,26 @@ other::r-x
This confirms that the change of Posix ACL permissions has been effective. -
It is highly recommend that you should read the on-line manual page for the setfacl and getfacl commands. This provides information regarding how to set/read the default ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent of setting inheritance properties. -
The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. Looking back, this chapter could be broken into two, but it's too late now. It has been done. The highlights covered are: -
Winbind honors and does not override account controls set in Active Directory. This means that password change, logon hours, and so on, are (or soon will be) enforced by Samba Winbind. At this time, an out-of-hours login is denied and password change is enforced. At this time, if logon hours expire, the user is not forcibly logged off. That may be implemented at some later date. -
Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential problems acknowledged by Microsoft as having been fixed, but reported by some as still possibly an open issue. -
The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft Active Directory. The possibility to do this is not planned in the current Samba-3 roadmap. Samba-3 does aim to provide further improvements in interoperability so that @@ -711,77 +711,77 @@ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of the four key methodologies was reviewed with specific reference to example deployment techniques. -
+
- Sign'n'sealregistry hacks Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
- Does Samba-3 support Active Directory?
- mixed-mode When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -
- share level access controls +
- share level access controls Is it safe to set share level access controls in Samba? -
- share ACLs +
- share ACLs Is it mandatory to set share ACLs to get a secure Samba-3 server? -
- valid users +
- valid users The valid users did not work on the [homes]. Has this functionality been restored yet? -
- force userforce groupbias +
- force userforce groupbias Is the bias against use of the force user and force group really warranted?
- The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? -
- Computer Management +
- Computer Management In the book, The Official Samba-3 HOWTO and Reference Guide, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
- valid usersActive DirectoryDomain Member server I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory Domain Member server. Has this been fixed now? -
Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? -
No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a Domain Controller.
Does Samba-3 support Active Directory? -
Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory Domain Member server. -
When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? -
No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, as Samba-3 can join a native Windows 2003 Server ADS Domain. -
Yes. Share level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, neither on Windows server or with Samba servers. -
Is it mandatory to set share ACLs to get a secure Samba-3 server? -
No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share level ACLs is like frosting on the cake. It adds to security, but is not essential to it. -
The valid users did not work on the [homes]. Has this functionality been restored yet?
Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: valid users = %S. -
Is the bias against use of the force user and force group really warranted? -
There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it?
@@ -795,17 +795,17 @@
Note that this required no more than removing the u argument so that the SUID bit is not set for the owner. -
In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? -
Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which is provided as part of the SRVTOOLS.EXE utility. -
I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory Domain Member server. Has this been fixed now?
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/migration.html samba-3.0.9/docs/htmldocs/Samba-Guide/migration.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/migration.html 2004-10-25 11:16:26.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/migration.html 2004-11-15 10:15:37.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 8. Migrating NT4 Domain to Samba-3 Table of Contents
+
Chapter 8. Migrating NT4 Domain to Samba-3 Table of Contents
Ever since Microsoft announced that they are discontinuing support for Windows NT4, Samba users started to ask for detailed instructions for how to migrate from NT4 to Samba-3. This chapter provides background information that should @@ -6,18 +6,18 @@
One wonders how many NT4 systems will be left in service by the time you read this book though. -
Network administrators who want to migrate off a Windows NT4 environment know one thing with certainty. They feel that NT4 has been abandoned and they want to update. The desire to get off NT4 and to not adopt Windows 200x and Active Directory is driven by a mixture of concerns over complexity, cost, fear of failure, and much more. -
The migration from NT4 to Samba-3 can involve a number of factors, including: migration of data to another server, migration of network environment controls such as group policies, and finally migration of the users, groups, and machine accounts. -
It should be pointed out now that it is possible to migrate some systems from Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly not possible in every case. It is possible to just migrate the Domain accounts @@ -25,7 +25,7 @@ an exception than the rule. Most systems require some tweaking and adjusting following migration before an environment that is acceptable for immediate use is obtained. -
You are about to migrate an MS Windows NT4 Domain accounts database to a Samba-3 server. The Samba-3 server is using a passdb backend based on LDAP. The @@ -34,24 +34,24 @@
Your objective is to document the process of migrating user and group accounts from several NT4 Domains into a single Samba-3 LDAP backend database. -
The migration process takes a snap-shot of information that is stored in the Windows NT4 registry based accounts database. That information resides in the Security Account Manager (SAM) portion of the NT4 Registry under keys called SAM and SECURITY. -
Warning
Warning
The Windows NT4 registry keys called SAM and SECURITY are protected so that you cannot view the contents. If you change the security setting to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not do this unless you are willing to render your domain controller inoperative. -
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, that may not be a good idea from an administration perspective. Since you are going through a certain amount of disruptive activity anyhow, why not take this as an opportunity to review the structure of the network, how Windows clients are controlled and how they interact with the network environment. -
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed have done little to keep the NT4 server environment up-to-date with more recent Windows releases, particularly Windows XP Professional. The migration provides opportunity to revise and update @@ -62,7 +62,7 @@ as a good time to update desktop systems also. In all, the extra effort should constitute no real disruption to users, rather with due diligence and care should make their network experience a much happier one. -
Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic element. Many sites have asked for instructions regarding merging of multiple different NT4 Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant @@ -74,7 +74,7 @@
Prepare the target Samba-3 server. This involves configuring Samba-3 for migration to either a tdbsam or an ldapsam backend. -
Clean up the source NT4 PDC. Delete all accounts that need not be migrated. Delete all files that should not be migrated. Where possible, change NT Group names so there are no spaces or uppercase characters. This is important if @@ -82,27 +82,27 @@ names.
Step through the migration process. -
Upgrade the Samba-3 server from a BDC to a PDC, and validate all account information. -
If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain, you must now dump the contents of the first migration and edit it as appropriate. Now clean out (remove) the tdbsam backend file (passdb.tdb), or the LDAP database files. You must start each migration with a new database into which you merge your NT4 domains. -
At this point, you are ready to perform the second migration following the same steps as for the first. In other words, dump the database, edit it, and then you may merge the dump for the first and second migrations. -
You must be careful. If you choose to migrate to an LDAP backend, your dump file now contains the full account information, including the Domain SID. The Domain SID for each of the two NT4 Domains will be different. You must choose one, and change the Domain portion of the account SIDs so that all are the same. -
If you choose to use a tdbsam (passdb.tdb) backend file, your best choice is to use pdbedit to export the contents of the tdbsam file into an smbpasswd data file. This automatically strips out all Domain specific information, @@ -112,7 +112,7 @@ file must have an account in /etc/passwd. The resulting smbpasswd file may be exported/imported into either a tdbsam (passdb.tdb), or else into an LDAP backend. -
The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3 Domain may be seen by those who had power over them as a loss of prestige or a loss of power. The imposition of a single Domain may even be seen as a threat. So in migrating and @@ -122,12 +122,12 @@ The best advice that can be given to those who set out to merge NT4 Domains into one single Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers greater network interoperability and manageability. -
You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the scripts you specify in the smb.conf file for the add user script collection of parameters are used to effect the addition of accounts into the passdb backend. -
+
In this instance, you migrate an NT4 PDC to an LDAP backend. The accounts you are about to migrate are shown in ???. In this example you make use of the smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend. @@ -156,13 +156,13 @@ called MASSIVE. The Domain name MEGANET must match that of the NT4 Domain from which you are about to migrate. Do not execute any Samba executables. -
Edit the smb.conf file to temporarily change the parameter - domain master = No so + domain master = No so the Samba server functions as a BDC for the purpose of migration. -
Create a file called preload.LDIF as shown in ???. -
Preload the LDAP database so it is ready to receive the information from the NT4 PDC. This pre-loads the LDAP directory with the top-level information, as well as the top level containers for user, group, computer, and domain account data. Execute the @@ -179,7 +179,7 @@
Start the LDAP server. -
Verify that the NT4 PDC can be reached:
root# ping nt4s @@ -193,7 +193,7 @@ rtt min/avg/max/mdev = 0.518/3.773/10.223/4.560 ms
It can. Great. -
Validate that the resources on the NT4 PDC can be listed:
root# smbclient -L nt4s -UAdministrator%not24get @@ -213,7 +213,7 @@ MEGANET NT4SThis looks good. -
At this point, it is necessary to fetch the Domain SID from the NT4 PDC and apply that to the Samba-3 BDC (soon to be PDC):
@@ -222,7 +222,7 @@ Domain MEGANET in secrets.tdbDone. -
At this point, you can validate that the information is correct in the secrets.tdb file, as shown here:
@@ -239,14 +239,14 @@ }
This has returned the information expected. -
We are ready to join the NT4 Domain as a BDC by executing the following:
root# net rpc join -S NT4S -W MEGANET -U Administrator%not24get Joined domain MEGANET.
Done. -
The Samba-3 BDC is now ready to receive the NT4 PDC accounts database, as shown here:
root# net rpc vampire -S NT4S @@ -276,9 +276,9 @@ Fetching BUILTIN database SAM_DELTA_DOMAIN_INFO not handled
-
Edit the smb.conf file to reset the parameter - domain master = Yes so that + domain master = Yes so that the Samba server functions as a PDC for the purpose of migration.
In this example, you have chosen to change the Domain name of the NT4 server from DRUGPREP to MEGANET prior to the use of the vampire (migration) tool. This migration process makes use of Linux system tools @@ -328,19 +328,19 @@
Prepare a Samba-3 server precisely per the instructions shown in Chapter 5. Set the workgroup name to MEGANET. -
Edit the smb.conf file to temporarily change the parameter - domain master = No so + domain master = No so the Samba server functions as a BDC for the purpose of migration.
Start Samba as you have done previously. -
Join the NT4 Domain as a BDC, as shown here:
root# net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get Joined domain MEGANET.
-
You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
root# net rpc vampire -S oldnt4pdc -U Administrator%not24get @@ -380,7 +380,7 @@ Creating unix group: 'Server Operators' Creating unix group: 'Users'
-
At this point, we can validate our migration. Let's look at the accounts in the form as they would be seen in a smbpasswd file. This achieves that:
@@ -412,7 +412,7 @@ maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C: CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:-
An expanded view of a user account entry shows more of what was obtained from the NT4 PDC:
@@ -438,7 +438,7 @@ Password can change: 0 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
-
And this command lists the long names of the groups that have been imported (vampired) from the NT4 PDC:
@@ -455,11 +455,11 @@ Users Ordinary users
Everything looks well and in order. -
Edit the smb.conf file to reset the parameter - domain master = Yes so + domain master = Yes so the Samba server functions as a PDC for the purpose of migration. -
+
- clean database Why must I start each migration with a clean database? -
- Domain SID +
- Domain SID Is it possible to set my Domain SID to anything I like? -
- /etc/passwd/etc/grouptdbsampassdb backendaccountsuseraccountsgroupaccountsDomain +
- /etc/passwd/etc/grouptdbsampassdb backendaccountsuseraccountsgroupaccountsDomain When using a tdbsam passdb backend, why must I have all Domain user and group accounts in /etc/passwd and /etc/group? -
- validateconnectivitymigration +
- validateconnectivitymigration Why did you validate connectivity before attempting migration? -
- +
- How would you merge 10 tdbsam-based domains into an LDAP database? -
- machine accountsaccountsmachine +
- machine accountsaccountsmachine I want to change my Domain name after I migrate all accounts from an NT4 Domain to a Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case? -
- multiple group mappings +
- multiple group mappings After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why? -
- +
- How can I reset group membership after loading the account information into the LDAP database? -
- group names +
- group names What are the limits or constraints that apply to group names? -
- vampire +
- vampire My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 LDAP backend system using the vampire process? -
This is a recommendation that permits the data from each NT4 Domain to be kept separate until you are ready to merge them. Also, if you do not do this, you may find errors due to users or groups from multiple Domains having the same name, but different SIDs. It is better to permit each migration to complete without undue errors and then to handle the merging of vampired data under proper supervision. -
Yes, so long as the SID you create has the same structure as an auto-generated SID. The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why would you really want to create your own SID? I cannot think of a good reason. You may want to set the SID to one that is already in use somewhere on your network, but that is a little different from straight out creating your own Domain SID. -
When using a tdbsam passdb backend, why must I have all Domain user and group accounts in /etc/passwd and /etc/group? -
Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba does not fabricate the UNIX IDs from thin air, but rather requires them to be located in a suitable place. @@ -531,15 +531,15 @@ migration to the LDAP database, the accounts may be removed from the UNIX database files. In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in LDAP, require UIDs/GIDs. -
Why did you validate connectivity before attempting migration?
Access validation before attempting to migrate NT4 Domain accounts helps to pin-point potential problems that may otherwise affect or impede account migration. I am always mindful of the 4P's of migration Planning Prevents Poor Performance. -
+
How would you merge 10 tdbsam-based domains into an LDAP database? -
If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of accounts that have the same UNIX identifier (UID/GID). This means that you almost certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd @@ -549,17 +549,17 @@ tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that you have migrated before handing over access to a user. After all, too many users with a bad migration experience may threaten your career. -
I want to change my Domain name after I migrate all accounts from an NT4 Domain to a Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case? -
I would recommend not. The machine accounts should still work, but there are registry entries on each Windows NT4 and upward client that have a tattoo of the old domain name. If you un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid this tattooing effect. -
After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why? -
Samba-3 currently does not implement multiple group membership internally. If you use the Windows NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend, @@ -568,14 +568,14 @@ file to which you migrated the NT4 Domain data, do not forget to edit the UNIX /etc/passwd and /etc/group information also. That is where the multiple group information is most closely at your fingertips. -
+
How can I reset group membership after loading the account information into the LDAP database? -
You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The installation file is called SRVTOOLS.EXE. -
What are the limits or constraints that apply to group names? -
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows groups can contain upper- and lower-case characters, as well as spaces. @@ -587,7 +587,7 @@ of the Posix standards, and likewise do not permit upper-case or space characters in group or user account names. You have to experiment with your system to find what its peculiarities are. -
My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 LDAP backend system using the vampire process?
@@ -596,7 +596,7 @@ you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. Please check this carefully before you attempt to effect a migration using the vampire process. -
Migration speed depends much on the processor speed, the network speed, disk I/O capability, and LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.8/docs/htmldocs/Samba-Guide/secure.html samba-3.0.9/docs/htmldocs/Samba-Guide/secure.html --- samba-3.0.8/docs/htmldocs/Samba-Guide/secure.html 2004-10-25 11:16:22.000000000 -0500 +++ samba-3.0.9/docs/htmldocs/Samba-Guide/secure.html 2004-11-15 10:15:34.000000000 -0600 @@ -1,4 +1,4 @@ -
Chapter 4. Secure Office Networking +
Chapter 4. Secure Office Networking Congratulations, your Samba networking skills are developing nicely. You started out with three simple networks in Chapter 2, and then in Chapter 3 you designed and built a network that provides a high degree of flexibility, integrity, and dependability. It @@ -73,7 +73,7 @@ will be allowed out after network address translation (NAT). No internal IP addresses are permitted through the NAT filter as complete privacy of internal network operations must be assured. -
Table 4.1. Abmas.US ISP Information
Parameter Value Server IP Address 123.45.67.66 DSL Device IP Address 123.45.67.65 Network Address 123.45.67.64/30 Gateway Address 123.45.54.65 Primary DNS Server 123.45.54.65 Secondary DNS Server 123.45.54.32 Forwarding DNS Server 123.45.12.23 +
Table 4.1. Abmas.US ISP Information
Parameter Value Server IP Address 123.45.67.66 DSL Device IP Address 123.45.67.65 Network Address 123.45.67.64/30 Gateway Address 123.45.54.65 Primary DNS Server 123.45.54.65 Secondary DNS Server 123.45.54.32 Forwarding DNS Server 123.45.12.23 Christine has recommended that desktop systems should be installed from a single cloned master system that has a minimum of locally installed software and loads all software off a central application server. The benefit of having the central application server @@ -435,7 +435,7 @@ $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD -$IPTABLES -t nat -F + $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i $INTIFA -j ACCEPT $IPTABLES -A INPUT -i $INTIFB -j ACCEPT @@ -443,7 +443,7 @@ # Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS for i in 22 25 53 80 443 do - $IPTABLES -A INPUT -i $EXTIF -p tcp -dport $i -j ACCEPT + $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT done # Allow DNS(udp) $IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT @@ -490,7 +490,7 @@ The server is now ready for Samba configuration. During the validation step, you remove the entry for the Samba server diamond from the /etc/hosts file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. -
When you have completed this section, the Samba server is ready for testing and validation; however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have been configured. @@ -511,147 +511,147 @@
Example 4.4. 130 User Network with tdbsam [globals] Section
# Global parameters [global] - workgroup = PROMISES + workgroup = PROMISES - netbios name = DIAMOND + netbios name = DIAMOND - interfaces = eth1, eth2, lo + interfaces = eth1, eth2, lo - bind interfaces only = Yes + bind interfaces only = Yes passdb backend = tdbsam pam password change = Yes - passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n *Password*changed* + passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n *Password*changed* username map = /etc/samba/smbusers - unix password sync = Yes + unix password sync = Yes log level = 1 - syslog = 0 + syslog = 0 log file = /var/log/samba/%m max log size = 50 - smb ports = 139 445 + smb ports = 139 445 - name resolve order = wins bcast hosts + name resolve order = wins bcast hosts - time server = Yes + time server = Yes - printcap name = CUPS + printcap name = CUPS - show add printer wizard = No + show add printer wizard = No add user script = /usr/sbin/useradd -m '%u' - delete user script = /usr/sbin/userdel -r '%u' + delete user script = /usr/sbin/userdel -r '%u' - add group script = /usr/sbin/groupadd '%g' + add group script = /usr/sbin/groupadd '%g' - delete group script = /usr/sbin/groupdel '%g' + delete group script = /usr/sbin/groupdel '%g' add user to group script = /usr/sbin/usermod -G '%g' '%u' - add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u + add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u' - shutdown script = /var/lib/samba/scripts/shutdown.sh + shutdown script = /var/lib/samba/scripts/shutdown.sh abort shutdown script = /sbin/shutdown -c logon script = scripts\logon.bat - logon path = \\%L\profiles\%U + logon path = \\%L\profiles\%U logon drive = X: - logon home = \\%L\%U + logon home = \\%L\%U - domain logons = Yes + domain logons = Yes - preferred master = Yes + preferred master = Yes - wins support = Yes + wins support = Yes utmp = Yes - map acl inherit = Yes + map acl inherit = Yes - printing = cups + printing = cups veto files = /*.eml/*.nws/*.{*}/ veto oplock files = /*.doc/*.xls/*.mdb/ -
Example 4.5. 130 User Network with tdbsam Services Section Part A
[IPC$] + Example 4.5. 130 User Network with tdbsam Services Section Part A
[IPC$] - path = /tmp + path = /tmp - hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1 + hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1 - hosts deny = 0.0.0.0/0 [homes] + hosts deny = 0.0.0.0/0 [homes] comment = Home Directories valid users = %S - read only = No + read only = No browseable = No [printers] - comment = SMB Print Spool + comment = SMB Print Spool - path = /var/spool/samba + path = /var/spool/samba - guest ok = Yes + guest ok = Yes - printable = Yes + printable = Yes - use client driver = Yes + use client driver = Yes - default devmode = Yes + default devmode = Yes browseable = No [netlogon] - comment = Network Logon Service + comment = Network Logon Service - path = /var/lib/samba/netlogon + path = /var/lib/samba/netlogon - guest ok = Yes + guest ok = Yes locking = No -
Example 4.6. 130 User Network with tdbsam Services Section Part B
[profiles] + Example 4.6. 130 User Network with tdbsam Services Section Part B
[profiles] comment = Profile Share - path = /var/lib/samba/profiles + path = /var/lib/samba/profiles - read only = No + read only = No profile acls = Yes [accounts] - comment = Accounting Files + comment = Accounting Files - path = /data/accounts + path = /data/accounts - read only = No [service] + read only = No [service] - comment = Financial Services Files + comment = Financial Services Files - path = /data/service + path = /data/service read only = No [apps] - comment = Application Files + comment = Application Files - path = /apps + path = /apps - read only = Yes + read only = Yes admin users = bjordan @@ -668,7 +668,7 @@ deleted. If for any reason the account is deleted, you may not be able to recreate this account without considerable trouble.
- + Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents: @@ -695,7 +695,7 @@ ####
- + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in ???. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, @@ -753,13 +753,13 @@ Users (S-1-5-32-545) -> -1
- + - - - - - + + + + + There is one preparatory step without which you will not have a working Samba network environment. You must add an account for each network user. For each user who needs to be given a Windows Domain account, make an entry in the @@ -783,7 +783,7 @@ Added user username.
You do of course use a valid user login ID in place of
