mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
parent
3192e95c2c
commit
118a2b639a
@ -69,7 +69,7 @@ without impediment.

<para>
Starting with the configuration files for the server called
<constant>MASSIVE</constant> in Chapter 5, you now deal with the
<constant>MASSIVE</constant> in <link linkend="happy"/>, you now deal with the
issues that are particular to large distributed networks. Your task
is simple &smbmdash; identify the challenges, consider the
alternatives, and then design and implement a solution.
@ -293,7 +293,7 @@ productivity.</para>
<indexterm><primary>logon traffic</primary></indexterm>
<indexterm><primary>redirected folders</primary></indexterm>
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In Chapter 5, you
traffic is through folder redirection. In <link linkend="happy"/>, you
implemented this in the new Windows XP Professional standard
desktop configuration. When desktop folders such as <guimenu>My
Documents</guimenu> are redirected to a network drive, they should
@ -500,46 +500,39 @@ productivity.</para>
and a number of LDAP implementations.
</para>

<para><indexterm>
<primary>multiple directories</primary>
</indexterm>
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
have multiple directories and multiple management and control
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.</para>
<para>
<indexterm><primary>multiple directories</primary></indexterm>
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
have multiple directories and multiple management and control
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.</para>

<para><indexterm>
<primary>network</primary>
<secondary>bandwidth</secondary>
</indexterm>
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.</para>
<para>
<indexterm><primary>network</primary><secondary>bandwidth</secondary></indexterm>
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.</para>

<para><indexterm>
<primary>LDAP server</primary>
</indexterm><indexterm>
<primary>LDAP</primary>
<secondary>master</secondary>
</indexterm><indexterm>
<primary>LDAP</primary>
<secondary>slave</secondary>
</indexterm>
In Chapter 5, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how you may implement a single
master LDAP server with multiple slave servers.</para>
<para>
<indexterm><primary>LDAP server</primary></indexterm>
<indexterm><primary>LDAP</primary><secondary>master</secondary></indexterm>
<indexterm><primary>LDAP</primary><secondary>slave</secondary></indexterm>
In <link linkend="happy"/>, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how you may implement a single
master LDAP server with multiple slave servers.</para>

<para>What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.</para>
<para>
What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.</para>

<para>
<indexterm><primary>distributed domain</primary></indexterm>
@ -783,7 +776,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz \

<para>
It is assumed that the network you are working with follows in a
pattern similar to what was covered in Chapter 5. The following steps
pattern similar to what was covered in <link linkend="happy"/>. The following steps
permit the operation of a master/slave OpenLDAP arrangement.
</para>

@ -924,7 +917,7 @@ added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
<step><para>
<indexterm><primary>smbldap-useradd</primary></indexterm>
On the master LDAP server you may now add an account to validate that replication
is working. Assuming the configuration shown in Chapter 5, execute:
is working. Assuming the configuration shown in <link linkend="happy"/>, execute:
<screen>
&rootprompt; /var/lib/samba/sbin/smbldap-useradd -a fruitloop
</screen>
@ -1454,13 +1447,14 @@ DHCP traffic: 300 (clients) x 6 (packets)

<itemizedlist>
<listitem><para>
Desktop folders such as <constant>Desktop</constant>, <constant>My Documents</constant>, <constant>My Pictures</constant>, <constant>My Music</constant>, <constant>Internet Files</constant>,
<constant>Cookies</constant>, <constant>Application Data</constant>, <constant>Local Settings,</constant> and more. See Chapter 5, <link linkend="XP-screen001"/>.
Desktop folders such as <constant>Desktop</constant>, <constant>My Documents</constant>,
<constant>My Pictures</constant>, <constant>My Music</constant>, <constant>Internet Files</constant>,
<constant>Cookies</constant>, <constant>Application Data</constant>,
<constant>Local Settings,</constant> and more. See <link linkend="happy"/>, <link linkend="XP-screen001"/>.
</para>

<para><indexterm>
<primary>folder redirection</primary>
</indexterm>
<para>
<indexterm><primary>folder redirection</primary></indexterm>
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See <link linkend="redirfold"/>
for more information regarding folder redirection.

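Review bot: the rewrapped list item still carries the comma inside the element in `<constant>Local Settings,</constant>`, copied over from the old line; since the sibling items keep their separators outside the markup (`<constant>Application Data</constant>,`), this should read `<constant>Local Settings</constant>,` so the rendered constant does not include a stray comma.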
@ -293,7 +293,7 @@
domain control. Politically, we have to navigate a minefield. In this case, the need is to
get the PDC rolled out in compliance with expectations and also to be ready to save the day
by having the real solution ready before it is needed. That real solution is presented in
Chapter 5.
<link linkend="happy"/>.
</para>

</sect2>
@ -594,7 +594,7 @@ root = Administrator
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
and in the reverse lookup database for the network segment that the printer is
located in. Example configuration files for similar zones were presented in Chapter 3,
located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
<link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
</para></step>

@ -867,7 +867,7 @@ Added user <parameter>username</parameter>.
<step><para>
Your server is ready for validation testing. Do not proceed with the steps in
<link linkend="ch5-domsvrspec"/> until after the operation of the server has been
validated following the same methods as outlined in Chapter 3, <link linkend="ch4valid"/>.
validated following the same methods as outlined in <link linkend="secure"/>, <link linkend="ch4valid"/>.
</para></step>

</procedure>
@ -1084,7 +1084,7 @@ hosts: files dns wins
<example id="massive-dhcp">
<title>Server: MASSIVE, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/MASSIVE
# Abmas Accounting Inc.

default-lease-time 86400;
max-lease-time 172800;
@ -1127,7 +1127,7 @@ subnet 123.45.67.64 netmask 255.255.255.252 {
<example id="bldg1dhcp">
<title>Server: BLDG1, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/BLDG1
# Abmas Accounting Inc.

default-lease-time 86400;
max-lease-time 172800;
@ -1162,7 +1162,7 @@ subnet 127.0.0.0 netmask 255.0.0.0 {
<example id="bldg2dhcp">
<title>Server: BLDG2, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/BLDG1
# Abmas Accounting Inc.

default-lease-time 86400;
max-lease-time 172800;
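Review bot: dropping the server name from the header comment of all three dhcpd.conf examples loses the one line that identifies which host a deployed copy belongs to; the old BLDG2 example was mislabeled `Chapter 5/BLDG1` (a copy of the BLDG1 header), so the chapter reference was the problem, not the host name. Suggest keeping the host in the comment without the chapter number, e.g. `# Abmas Accounting Inc. - BLDG2`, so the three otherwise similar files remain distinguishable once they leave the book.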
@ -1720,8 +1720,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
<para>
The network you have just deployed has been a valuable exercise in forced constraint.
You have deployed a network that works well, although you may soon start to see
performance problems, at which time the modifications demonstrated in
Chapter 5 bring the network to life. The following key learning points were experienced:
performance problems, at which time the modifications demonstrated in <link linkend="happy"/>
bring the network to life. The following key learning points were experienced:
</para>

<itemizedlist>

File diff suppressed because it is too large
@ -2,27 +2,23 @@
<!DOCTYPE appendix PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">

<appendix id="appendix">
<title>Appendix: A Collection of Useful Tid-bits</title>
<title>A Collection of Useful Tidbits</title>

<para><indexterm>
<primary>material</primary>
</indexterm><indexterm>
<primary>domain</primary>
<secondary>joining</secondary>
</indexterm>
<para>
<indexterm><primary>material</primary></indexterm>
<indexterm><primary>domain</primary><secondary>joining</secondary></indexterm>
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
as shown in the example given below.
</para>

<sect1 id="domjoin">
<title>Joining a Domain: Windows 200x/XP Professional</title>

<para><indexterm>
<primary>joining a domain</primary>
</indexterm>
<para>
<indexterm><primary>joining a domain</primary></indexterm>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
@ -76,7 +72,7 @@

<step><para>
Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a Domain administrative account that has the rights to add machines to the Domain.
of a domain administrative account that has the rights to add machines to the domain.
</para>

<para>
@ -95,43 +91,36 @@

</procedure>

<para><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<para>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
The screen capture shown in <link linkend="swxpp007"/> has a button labeled <guimenu>More...</guimenu>. This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
</para>

<para><indexterm>
<primary>Netlogon</primary>
</indexterm><indexterm>
<primary>DNS</primary><secondary>dynamic</secondary>
</indexterm>
<para>
<indexterm><primary>Netlogon</primary></indexterm>
<indexterm><primary>DNS</primary><secondary>dynamic</secondary></indexterm>
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
</para>

<para><indexterm>
<primary>DNS</primary>
<secondary>suffix</secondary>
</indexterm>
<para>
<indexterm><primary>DNS</primary><secondary>suffix</secondary></indexterm>
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
</para>

<para>
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
Where the client is a member of a Samba domain, it is preferable to leave this field blank.
</para>

<para><indexterm>
<primary>Group Policy</primary>
</indexterm>
<para>
<indexterm><primary>Group Policy</primary></indexterm>
According to Microsoft documentation, <quote>If this computer belongs to a group with <constant>Group Policy</constant>
enabled on <command>Primary DNS suffice of this computer</command>, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
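Review bot: the trailing context line of this hunk still reads `<command>Primary DNS suffice of this computer</command>`; "suffice" is a typo for "suffix" (the paragraph itself calls the setting the Primary DNS suffix), and since this is the label of a Group Policy setting rather than a command, `<guimenu>` would match how the rest of this section marks up UI labels (e.g. `<guimenu>More...</guimenu>` earlier in the hunk). Worth fixing while this paragraph is being touched.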
@ -214,7 +203,7 @@
</indexterm><indexterm>
<primary>run-time control files</primary>
</indexterm>
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
the <filename>/var/lib/samba</filename> directory. Log files are created in <filename>/var/log/samba.</filename>
</para>

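Review bot: the context line `Log files are created in <filename>/var/log/samba.</filename>` places the sentence-ending period inside the `<filename>` element, so the rendered path reads `/var/log/samba.`; it should be `<filename>/var/log/samba</filename>.` to match the `<filename>/var/lib/samba</filename>` directory reference in the same sentence. The indexterm `run-time control files` in the unchanged lines above also no longer matches the "runtime" spelling this hunk introduces.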
@ -361,8 +350,8 @@ exit 0
<listitem><para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when
Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The <command>winbindd</command> daemon will check the
&smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
parameters. If they are not found, <command>winbindd</command> bails out and refuses to start.
</para></listitem>
@ -428,7 +417,7 @@ esac
<para><indexterm>
<primary>samba control script</primary>
</indexterm>
SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in <link linkend="ch12SL"/>. This can be located in the directory
<filename>/sbin</filename> in a file called <filename>samba</filename>. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
@ -566,7 +555,7 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
<para>
The content of the root hints file as shown in <link linkend="roothint"/> changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size this file is located at the end of this appendix.
of its size, this file is located at the end of this appendix.
</para>

</sect2>
@ -600,9 +589,9 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
<primary>SID</primary>
</indexterm>
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be pre-loaded. This is necessary to create the containers
into which the user, group, and so on, accounts is written. It is also necessary to
pre-load the well-known Windows NT Domain Groups, as they must have the correct SID so
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
preload the well-known Windows NT Domain Groups, as they must have the correct SID so
that they can be recognized as special NT Groups by the MS Windows clients.
</para>

@ -623,13 +612,13 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
Install the files shown in <link linkend="sbehap-ldapreconfa"/>, <link linkend="sbehap-ldapreconfb"/>,
and <link linkend="sbehap-ldapreconfc"/> into the directory
<filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
respectively, Part A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
respectively, parts A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
</para></step>

<step><para>
Install the files shown in <link linkend="sbehap-ldifpata"/> and <link linkend="sbehap-ldifpatb"/> into the directory
<filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> These two files are
Part A and B, respectively, of the <filename>init-ldif.pat</filename> file.
parts A and B, respectively, of the <filename>init-ldif.pat</filename> file.
</para></step>

<step><para>
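Review bot: the unchanged context lines in these two steps have three defects that this copyedit pass leaves in place: `<filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename>` names the file `nit-ldif.pat` while the next line calls it `init-ldif.pat` (the second is clearly the intended name); both `<filename>` elements swallow the sentence-ending period (`...SMBLDAP-ldif-preconfig.sh.</filename>`), so the rendered paths end in a dot; and both steps say "into the directory" although the path named is the target file that the listed parts are concatenated into. Suggest "into the file <filename>/etc/openldap/SambaInit/init-ldif.pat</filename>." and the same shape for the preconfig script.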
@ -675,7 +664,7 @@ Enter the top level org name or press Enter to continue:
</para></step>

<step><para>
It is now time to pre-load the LDAP database with the following
It is now time to preload the LDAP database with the following
command:
<screen>
&rootprompt; slapadd -v -l MEGANET2.ldif
@ -998,25 +987,17 @@ description: Domain Users
<sect1>
<title>The LDAP Account Manager</title>

<para><indexterm>
<primary>LAM</primary>
</indexterm><indexterm>
<primary>LDAP Account Manager</primary>
<see>LAM</see>
</indexterm><indexterm>
<primary>PHP</primary>
</indexterm><indexterm>
<primary>unencrypted</primary>
</indexterm><indexterm>
<primary>SSL</primary>
</indexterm><indexterm>
<primary>Posix</primary>
</indexterm><indexterm>
<primary>accounts</primary><secondary>manage</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary></indexterm>
<indexterm><primary>LDAP Account Manager</primary><see>LAM</see></indexterm>
<indexterm><primary>PHP</primary></indexterm>
<indexterm><primary>unencrypted</primary></indexterm>
<indexterm><primary>SSL</primary></indexterm>
<indexterm><primary>Posix</primary></indexterm>
<indexterm><primary>accounts</primary><secondary>manage</secondary></indexterm>
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL. LAM can be used to manage
server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
(hosts).
</para>
@ -1024,52 +1005,44 @@ Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machin
<para>
LAM is available from the <ulink url="http://sourceforge.net/projects/lam/">LAM</ulink>
home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
in 2004.
The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
of 2005.
</para>

<para><indexterm>
<primary>PHP4</primary>
</indexterm><indexterm>
<primary>OpenLDAP</primary>
</indexterm><indexterm>
<primary>Perl</primary>
</indexterm>
<para>
<indexterm><primary>PHP4</primary></indexterm>
<indexterm><primary>OpenLDAP</primary></indexterm>
<indexterm><primary>Perl</primary></indexterm>
Requirements:
</para>

<itemizedlist>
<listitem><para>A web server that will work with PHP4.</para></listitem>
<listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">
PHP</ulink> home page.)</para></listitem>
<listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">PHP</ulink> home page.)</para></listitem>
<listitem><para>OpenLDAP 2.0 or later.</para></listitem>
<listitem><para>A Web browser that supports CSS.</para></listitem>
<listitem><para>Perl.</para></listitem>
<listitem><para>The gettext package.</para></listitem>
<listitem><para>mcrypt + mhash (optional since version 0.4.3).</para></listitem>
<listitem><para>mcrypt + mhash (optional).</para></listitem>
<listitem><para>It is also a good idea to install SSL support.</para></listitem>
</itemizedlist>

<para>
LAM is a useful tool that provides a simple Web-based device that can be used to
manage the contents of the LDAP directory to:<indexterm>
<primary>organizational units</primary>
</indexterm><indexterm>
<primary>operating profiles</primary>
</indexterm><indexterm>
<primary>account policies</primary>
</indexterm>
manage the contents of the LDAP directory to:
<indexterm><primary>organizational units</primary></indexterm>
<indexterm><primary>operating profiles</primary></indexterm>
<indexterm><primary>account policies</primary></indexterm>
</para>

<itemizedlist>
<listitem><para>Display user/group/host and Domain entries.</para></listitem>
<listitem><para>Manages entries (Add/Delete/Edit).</para></listitem>
<listitem><para>Manage entries (Add/Delete/Edit).</para></listitem>
<listitem><para>Filter and sort entries.</para></listitem>
<listitem><para>Set LAM administrator accounts.</para></listitem>
<listitem><para>Store and use multiple operating profiles.</para></listitem>
<listitem><para>Edit organizational units (OUs).</para></listitem>
<listitem><para>Upload accounts from a file.</para></listitem>
<listitem><para></para>Is compatible with Samba-2.2.x and Samba-3.</listitem>
<listitem><para>Is compatible with Samba-2.2.x and Samba-3.</para></listitem>
</itemizedlist>

<para>
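Review bot: two context lines in this hunk miss the conventions the rest of the commit applies. `Display user/group/host and Domain entries.` keeps "Domain" capitalized while every other hunk lowercases it ("Windows domain", "domain membership"); and the rejoined `home page.)` line keeps the period inside the parenthesis, so the sentence ends with `.)` and no terminating punctuation. Suggest `Display user/group/host and domain entries.` and `PHP4 (available from the <ulink url="http://www.php.net/">PHP</ulink> home page).`. The `<para></para>` fix on the "Is compatible" item is correct, since the old line put the text outside the paragraph.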
@ -1077,15 +1050,11 @@ When correctly configured, LAM allows convenient management of UNIX (Posix) and
user, group, and windows domain member machine accounts.
</para>

<para><indexterm>
<primary>default password</primary>
</indexterm><indexterm>
<primary>secure connections</primary>
</indexterm><indexterm>
<primary>LAM</primary>
</indexterm><indexterm>
<primary>SSL</primary>
</indexterm>
<para>
<indexterm><primary>default password</primary></indexterm>
<indexterm><primary>secure connections</primary></indexterm>
<indexterm><primary>LAM</primary></indexterm>
<indexterm><primary>SSL</primary></indexterm>
The default password is <quote>lam.</quote> It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
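Review bot: the context line `The default password is <quote>lam.</quote>` leaves it ambiguous whether the credential is `lam` or `lam.`, because the sentence-ending period sits inside the quote; for a value the reader has to type, it should be `<quote>lam</quote>.` (the later `ldap-account-manager_0.4.9` step confirms the product name is "lam", which supports the three-letter reading). Punctuation placement matters more here than in the prose paragraphs, since this is a documented default password that administrators are expected to log in with and then replace.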
@ -1093,29 +1062,27 @@ to LAM using only SSL.
</para>

<procedure id="sbehap-laminst">
<title>Apache Condiguration Steps for LAM</title>
<title>Apache Configuration Steps for LAM</title>

<step><para>
Extract the LAM package with:
Extract the LAM package by untarring it as shown here:
<screen>
&rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz
&rootprompt; tar xzf ldap-account-manager_0.4.9.tar.gz
</screen>
Alternately, install the LAM RPM for your system using the following example for
example:
Alternatively, install the LAM DEB for your system using the following command:
<screen>
&rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm
&rootprompt; dpkg -i ldap-account-manager_0.4.9.all.deb
</screen>
</para></step>

<step><para>
Copy the extracted files to the document root directory of your Web server.
For example, on SUSE Linux Enterprise Server 8, copy to the
<filename>/srv/web/htdocs</filename> directory.
For example, on SUSE Linux Enterprise Server 9, copy to the
<filename>/srv/www/htdocs</filename> directory.
</para></step>

<step><para><indexterm>
<primary>file permissions</primary>
</indexterm>
<step><para>
<indexterm><primary>file permissions</primary></indexterm>
Set file permissions using the following commands:
<screen>
&rootprompt; chown -R wwwrun.www /srv/www/htdocs/lam
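Review bot: the new `dpkg -i ldap-account-manager_0.4.9.all.deb` line should be checked against the actual release file name; Debian binary packages are named `<package>_<version>_<architecture>.deb`, which would make this `ldap-account-manager_0.4.9_all.deb` rather than `.all.deb`. The swap from RPM to DEB also means the surrounding text now gives a Debian install command beneath a SUSE Linux Enterprise Server 9 example and a `wwwrun.www` ownership step; a sentence saying which platform the DEB applies to would keep the step coherent. The `/srv/web/htdocs` to `/srv/www/htdocs` correction is right and now matches the `chown` path in the following step.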
@ -1126,23 +1093,17 @@ example:
</screen>
</para></step>

<step><para><indexterm>
<primary>LAM</primary>
<secondary>configuration file</secondary>
</indexterm>
<step><para>
<indexterm><primary>LAM</primary><secondary>configuration file</secondary></indexterm>
Using your favorite editor create the following <filename>config.cfg</filename>
LAM configuration file:
<screen>
&rootprompt; cd /srv/www/htdocs/lam/config
&rootprompt; cp config.cfg_sample config.cfg
&rootprompt; vi config.cfg
</screen><indexterm>
<primary>LAM</primary>
<secondary>profile</secondary>
</indexterm><indexterm>
<primary>LAM</primary>
<secondary>wizard</secondary>
</indexterm>
</screen>
<indexterm><primary>LAM</primary><secondary>profile</secondary></indexterm>
<indexterm><primary>LAM</primary><secondary>wizard</secondary></indexterm>
An example file is shown in <link linkend="lamcfg"/>.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
@ -1161,9 +1122,8 @@ example:
</para></step>
</procedure>

<para><indexterm>
<primary>pitfalls</primary>
</indexterm>
<para>
<indexterm><primary>pitfalls</primary></indexterm>
An example of a working file is shown here in <link linkend="lamconf"/>.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
@ -1172,10 +1132,8 @@ example:
are preferred at your site.
</para>

<para><indexterm>
<primary>LAM</primary>
<secondary>login screen</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>login screen</secondary></indexterm>
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in <link linkend="lam-login"/>.
@ -1186,10 +1144,8 @@ example:
<imagefile scale="50">lam-login</imagefile>
</image>

<para><indexterm>
<primary>LAM</primary>
<secondary>configuration editor</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>configuration editor</secondary></indexterm>
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in <link linkend="lam-config"/>.
It is important that you correctly set the minimum and maximum UID/GID values that are
@ -1205,19 +1161,16 @@ example:
<imagefile scale="50">lam-config</imagefile>
</image>

<para><indexterm>
<primary>PDF</primary>
</indexterm>
<para>
<indexterm><primary>PDF</primary></indexterm>
LAM has some nice, but unusual features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
</para>

<para><indexterm>
<primary>LAM</primary>
<secondary>opening screen</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>opening screen</secondary></indexterm>
When you log onto LAM the opening screen drops you right into the user manager as shown in
<link linkend="lam-user"/>. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
@ -1235,7 +1188,7 @@ example:
|
||||
<para>
|
||||
The edit screen for groups is shown in <link linkend="lam-group"/>. As with the edit screen
|
||||
for user accounts, group accounts may be rapidly dealt with. <link linkend="lam-group-mem"/>
|
||||
shown a sub-screen from the group editor that permits users to be assigned secondary group
|
||||
shows a sub-screen from the group editor that permits users to be assigned secondary group
|
||||
memberships.
|
||||
</para>
|
||||
|
||||
@ -1249,11 +1202,8 @@ example:
|
||||
<imagefile scale="50">lam-group-members</imagefile>
|
||||
</image>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>smbldap-tools</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>scripts</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>smbldap-tools</primary></indexterm><indexterm><primary>scripts</primary></indexterm>
|
||||
The final screen presented here is one that you should not normally need to use. Host accounts will
|
||||
be automatically managed using the smbldap-tools scripts. This means that the screen <link linkend="lam-host"/>
|
||||
will, in most cases, not be used.
|
||||
@ -1267,11 +1217,18 @@ example:
|
||||
<para>
|
||||
One aspect of LAM that may annoy some users is the way it forces certain conventions on
|
||||
the administrator. For example, LAM does not permit the creation of Windows user and group
|
||||
accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux
|
||||
accounts that contain spaces even though the underlying UNIX/Linux
|
||||
operating system may exhibit no problems with them. Given the propensity for using upper-case
|
||||
characters and spaces (particularly in the default Windows account names) this may cause
|
||||
some annoyance. For the rest, LAM is a very useful administrative tool.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The next major release, LAM 0.5, will have less restrictions and support the latest Samba features
|
||||
(e.g. logon hours). The new plugin based architecture also allows to manage much more different
|
||||
account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another
|
||||
important point is the tree view which allows to browse and edit LDAP objects directly.
|
||||
</para>
|
||||
|
||||
<example id="lamcfg">
|
||||
<title>Example LAM Configuration File &smbmdash; <filename>config.cfg</filename></title>
|
||||
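Review bot: the edited line drops "upper-case characters or" from the LAM restriction, but the sentence that follows still reads "Given the propensity for using upper-case characters and spaces (particularly in the default Windows account names) this may cause some annoyance", so the paragraph now explains an annoyance it no longer asserts; either keep "upper-case characters or spaces" or trim the follow-on sentence to spaces only. In the new LAM 0.5 paragraph, "less restrictions" should be "fewer restrictions", "allows to manage much more different account types" reads better as "allows many more account types to be managed", and mixing future tense ("will have") with present ("The upload can now handle") is confusing for a release that is not yet out. A feature list for an unreleased version also dates quickly, so consider pointing at the LAM site instead of enumerating it.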
@ -1304,7 +1261,7 @@ userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
|
||||
grouplistAttributes: #cn;#gidNumber;#memberUID;#description
|
||||
hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
|
||||
maxlistentries: 30
|
||||
defaultLanguage: en_GB:ISO-8859-1:English (Britain)
|
||||
defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
|
||||
scriptPath:
|
||||
scriptServer:
|
||||
samba3: yes
|
||||
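Review bot: "defaultLanguage: en_GB:ISO-8859-1:English (Britain)" is a value inside the config.cfg example, not prose, so it should not be copy-edited for readability. The third field is the label LAM matches against its installed language list, and the example must carry whatever string the documented LAM release actually ships; please confirm "English (Great Britain)" is that string before changing it, otherwise a reader who pastes the example gets a language setting that does not resolve.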
@ -1339,7 +1296,7 @@ pwdhash: SSHA
|
||||
|
||||
<para>
|
||||
When the SUID/SGID permissions are set on a directory, all files that are created within that directory
|
||||
is automatically given the ownership of the SUID user and the SGID group, as per the ownership
|
||||
are automatically given the ownership of the SUID user and the SGID group, as per the ownership
|
||||
of the directory in which the file is created. This means that the system level <command>create()</command>
|
||||
function executes with the SUID user and/or SGID group of the directory in which the file is
|
||||
created.
|
||||
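Review bot: the grammar fix ("are automatically given") is fine, but the claim it corrects is wrong and should be fixed while this paragraph is being touched. The setuid bit on a directory has no effect on Linux (or on the other mainstream UNIX systems): a new file is always owned by the effective UID of the creating process, and create() never "executes with the SUID user". Only the setgid bit on a directory causes new files and subdirectories to inherit the directory's group. If owner inheritance is the goal, that is done on the Samba side with "force user" and "force group" on the share, not with chmod u+s on the filesystem. Suggest rewording the paragraph to describe SGID group inheritance only.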
@ -1371,9 +1328,9 @@ drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
|
||||
drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
|
||||
drwx------ 2 root root 48 Jan 26 2002 lost+found
|
||||
</screen>
|
||||
In this example, if the user <constant>maryv</constant> creates a file, it would be owned by her.
|
||||
In this example, if the user <constant>maryv</constant> creates a file, it is owned by her.
|
||||
If <constant>maryv</constant> has the primary group of <constant>Accounts</constant>, the file is
|
||||
owned by the group <constant>Accounts</constant> as shown in this listing:
|
||||
owned by the group <constant>Accounts</constant>, as shown in this listing:
|
||||
<screen>
|
||||
&rootprompt; ls -al /data/accounts/maryvfile.txt
|
||||
drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
|
||||
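Review bot: the listing for /data/accounts/maryvfile.txt shows the mode string "drw-rw-r--", which marks the entry as a directory; a regular file created by maryv would show as "-rw-rw-r--", and a link count of 2 is also odd for a freshly created file. The same copy error appears in the listing after the chmod step in the next hunk. Since the surrounding wording is being corrected anyway, paste real ls output here.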
@ -1393,7 +1350,7 @@ drwx------ 2 root root 48 Jan 26 2002 lost+found
|
||||
</screen>
|
||||
If <constant>maryv</constant> creates a file in this directory after this change has been made, the
|
||||
file is owned by the user <constant>bobj</constant>, and the group is set to the group
|
||||
<constant>Domain Users</constant> as shown here:
|
||||
<constant>Domain Users</constant>, as shown here:
|
||||
<screen>
|
||||
&rootprompt; chmod ug+s /data/accounts
|
||||
&rootprompt; ls -al /data/accounts/maryvfile.txt
|
||||
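Review bot: after "chmod ug+s /data/accounts" the example claims maryv's new file is owned by bobj; on Linux that does not happen, because the setuid bit on a directory is ignored, so the file stays owned by maryv (the group will correctly become Domain Users from the setgid bit). Either run the example on the target system and paste the real output, or change the wording so only the group change is claimed; if owner inheritance is wanted, the working mechanism is "force user = bobj" on the share in smb.conf.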
@ -1414,12 +1371,12 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
<secondary>data access</secondary>
|
||||
</indexterm>
|
||||
The integrity of shared data is often viewed as a particularly emotional issue, especially where
|
||||
there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
|
||||
there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
|
||||
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The solution to concurrent multi-user data access problems must consider three separate areas
|
||||
The solution to concurrent multiuser data access problems must consider three separate areas
|
||||
from which the problem may stem:<indexterm>
|
||||
<primary>locking</primary>
|
||||
<secondary>Application level</secondary>
|
||||
@ -1433,9 +1390,9 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>application level locking controls.</para></listitem>
|
||||
<listitem><para>client side locking controls.</para></listitem>
|
||||
<listitem><para>server side locking controls.</para></listitem>
|
||||
<listitem><para>application-level locking controls</para></listitem>
|
||||
<listitem><para>client-side locking controls</para></listitem>
|
||||
<listitem><para>server-side locking controls</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><indexterm>
|
||||
@ -1445,7 +1402,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm>
|
||||
Many database applications use some form of application-level access control. An example of one
|
||||
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
|
||||
is provided given that this is the most common application for which problems have been reported.
|
||||
is provided here because this is the most common application for which problems have been reported.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
@ -1463,7 +1420,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
|
||||
<para>
|
||||
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
|
||||
cover this area. Examples of relevant documents includes:
|
||||
cover this area. Examples of relevant documents include:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
@ -1478,8 +1435,8 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm><indexterm>
|
||||
<primary>exclusive open</primary>
|
||||
</indexterm>
|
||||
Make sure that your MS Access database file is configured for multi-user access (not set for
|
||||
exclusive open). Open MS Access on each client workstation then set the following: <menuchoice>
|
||||
Make sure that your MS Access database file is configured for multiuser access (not set for
|
||||
exclusive open). Open MS Access on each client workstation, then set the following: <menuchoice>
|
||||
<guimenu>(Menu bar) Tools</guimenu><guimenu>Options</guimenu><guimenu>[tab] General</guimenu>
|
||||
</menuchoice>. Set network path to Default database folder: <filename>\\server\share\folder</filename>.
|
||||
</para>
|
||||
@ -1503,7 +1460,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm>
|
||||
You must now commit the changes so that they will take effect. To do so, click
|
||||
<guimenu>Apply</guimenu><guimenu>Ok</guimenu>. At this point, you should exit MS Access, restart
|
||||
it and then validate that these settings have not changed.
|
||||
it, and then validate that these settings have not changed.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
@ -1516,10 +1473,10 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm><indexterm>
|
||||
<primary>data corruption</primary>
|
||||
</indexterm>
|
||||
Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
|
||||
Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
|
||||
must disable opportunistic locking on the server and all workstations. Failure to do so
|
||||
results in data corruption. This information is available from the Act! Web site
|
||||
knowledge-base articles
|
||||
knowledgebase articles
|
||||
<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925">1998223162925</ulink>
|
||||
as well as from article
|
||||
<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/200110485036">200110485036</ulink>.
|
||||
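Review bot: the edited line introduces a missing space: "running Samba,or Windows NT" must read "running Samba, or Windows NT, 200x, or XP"; with three alternatives the first "or" after Samba is also redundant, so "running Samba, Windows NT, 200x, or XP" is cleaner. "knowledgebase" is normally two words, "knowledge base".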
@ -1549,7 +1506,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm>
|
||||
Third-party Windows applications may not be compatible with the use of opportunistic file
|
||||
and record locking. For applications that are known not to be compatible,<footnote>Refer to
|
||||
the application manufacturers' installation guidelines and knowledge base for specific
|
||||
the application manufacturer's installation guidelines and knowledge base for specific
|
||||
information regarding compatibility. It is often safe to assume that if the software
|
||||
manufacturer does not specifically mention incompatibilities with opportunistic file
|
||||
and record locking, or with Windows client file caching, the application is probably
|
||||
@ -1568,7 +1525,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
Oplocks enable a Windows client to cache parts of a file that are being
|
||||
edited. Another windows client may then request to open the file with the
|
||||
ability to write to it. The server will then ask the original workstation
|
||||
that had the file open with a write lock to release it's lock. Before
|
||||
that had the file open with a write lock to release its lock. Before
|
||||
doing so, that workstation must flush the file from cache memory to the
|
||||
disk or network drive.
|
||||
</para>
|
||||
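Review bot: "Another windows client" two lines above the corrected "its" is left lowercase while this same commit fixes "samba server" to "Samba server" in the next hunk; capitalize "Windows" here for consistency. Technically, an oplock break is triggered by any conflicting open from a second client, not only an open "with the ability to write to it" (a read open breaks an exclusive oplock down to level II), so dropping the write qualifier would make the description accurate.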
@ -1579,7 +1536,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
</indexterm>
|
||||
Disabling of Oplocks usage may require server and client changes.
|
||||
Oplocks may be disabled by file, by file pattern, on the share, or on the
|
||||
samba server.
|
||||
Samba server.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -1600,7 +1557,7 @@ On the server:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4
|
||||
The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4
|
||||
workstation clients must be configured as shown here:
|
||||
<screen>
|
||||
REGEDIT4
|
||||
@ -1616,8 +1573,8 @@ REGEDIT4
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
|
||||
The information provided in that chapter was obtained from a wide variety of sources.
|
||||
Comprehensive coverage of file and record-locking controls is provided in TOSHARG, Chapter 13.
|
||||
The information in that chapter was obtained from a wide variety of sources.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
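Review bot: "file and record-locking controls" hyphenates only the second item, which reads as "file controls and record-locking controls"; use the suspended form "file- and record-locking controls" or leave it unhyphenated as the original line had it ("file and record locking controls").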
|
@ -6,7 +6,7 @@
|
||||
<para>
|
||||
You are about to use the equivalent of a microscope to look at the information
|
||||
that runs through the veins of a Windows network. We do more to observe the information than
|
||||
to interrogate it. When you are done with this chapter, you should have a good understanding
|
||||
to interrogate it. When you are done with this primer, you should have a good understanding
|
||||
of the types of information that flow over the network. Do not worry, this is not
|
||||
a biology lesson. We won't lose you in unnecessary detail. Think to yourself, <quote>This
|
||||
is easy,</quote> then tackle each exercise without fear.
|
||||
@ -14,13 +14,13 @@
|
||||
|
||||
<para>
|
||||
Samba can be configured with a minimum of complexity. Simplicity should be mastered
|
||||
before you get too deeply into complexities. Let's get moving, we have work to do.
|
||||
before you get too deeply into complexities. Let's get moving: we have work to do.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
<title>Requirements and Notes</title>
|
||||
<para>
|
||||
Successful completion of this chapter requires two Microsoft Windows 9x/Me Workstations,
|
||||
Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
|
||||
as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
|
||||
card connected using a hub. Also required is one additional server (either Windows
|
||||
NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
|
||||
@ -36,7 +36,7 @@
|
||||
You may find more information regarding this tool from the
|
||||
<ulink url="http://www.ethereal.com">Ethereal</ulink> Web site. Ethereal installation
|
||||
files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with
|
||||
SUSE and Red Hat Linux distributions, as well as many other Linux distributions. It may
|
||||
SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
|
||||
not be installed on your system by default. If it is not installed, you may also need
|
||||
to install the <command>libpcap </command> software before you can install or use Ethereal.
|
||||
Please refer to the instructions for your operating system or to the Ethereal Web site
|
||||
@ -45,12 +45,12 @@
|
||||
|
||||
<para>
|
||||
To obtain <command>ethereal</command> for your system, please visit the Ethereal
|
||||
<ulink url="http://www.ethereal.com/download.html#binaries">download site.</ulink>
|
||||
<ulink url="http://www.ethereal.com/download.html#binaries">download site</ulink>.
|
||||
</para>
|
||||
|
||||
<note><para>
|
||||
The successful completion of this chapter requires that you capture network traffic
|
||||
using <command>ethereal</command>. It is recommended that you use a hub, not an
|
||||
The successful completion of this appendix requires that you capture network traffic
|
||||
using <command>Ethereal</command>. It is recommended that you use a hub, not an
|
||||
Ethernet switch. It is necessary for the device used to act as a repeater, not as a
|
||||
filter. Ethernet switches may filter out traffic that is not directed at the machine
|
||||
that is used to monitor traffic; this would not allow you to complete the projects.
|
||||
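Review bot: changing `<command>ethereal</command>` to `<command>Ethereal</command>` puts the product name inside the element that denotes the executable the reader actually types, which is lowercase "ethereal"; the capitalized form belongs in running prose or in `<application>Ethereal</application>`. Keep `<command>ethereal</command>` wherever the text means the program being run (this line and the "machine is required to run" line later in this diff) and capitalize only outside `<command>`.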
@ -69,9 +69,9 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>protocol analysis</primary>
|
||||
</indexterm>
|
||||
Please do not be alarmed at the use of a high-powered analysis tool (ethereal) in this
|
||||
first chapter. We expose you only to a minimum of detail necessary to complete
|
||||
the exercises in this chapter. If you choose to use any other network sniffer and protocol
|
||||
Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this
|
||||
primer. We expose you only to a minimum of detail necessary to complete
|
||||
the exercises. If you choose to use any other network sniffer and protocol
|
||||
analysis tool, be advised that it may not allow you to examine the contents of
|
||||
recently added security protocols used by Windows 200x/XP.
|
||||
</para>
|
||||
@ -93,7 +93,7 @@
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>
|
||||
The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
|
||||
The purpose of this appendix is to create familiarity with key aspects of Microsoft Windows
|
||||
network computing. If you want a solid technical grounding, do not gloss over these exercises.
|
||||
The points covered are recurrent issues on the Samba mailing lists.
|
||||
</para>
|
||||
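Review bot: this commit renames the same text inconsistently: "this chapter" becomes "this primer" in the opening paragraphs and in the Requirements section, but "this appendix" here and in the note about capturing traffic. Pick one term for the whole file so the wording and any cross-references agree.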
@ -132,7 +132,7 @@
|
||||
You are about to witness how Microsoft Windows computer networking functions. The
|
||||
exercises step through identification of how a client machine establishes a
|
||||
connection to a remote Windows server. You observe how Windows machines find
|
||||
each other (i.e., how browsing works), and how the two key types of user identification
|
||||
each other (i.e., how browsing works) and how the two key types of user identification
|
||||
(share mode security and user mode security) are affected.
|
||||
</para>
|
||||
|
||||
@ -142,7 +142,7 @@
|
||||
</indexterm>
|
||||
The networking protocols used by MS Windows networking when working with Samba
|
||||
use TCP/IP as the transport protocol. The protocols that are specific to Windows
|
||||
networking are encapsulated in TCP/IP. The network analyzer we use (ethereal)
|
||||
networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal)
|
||||
is able to show you the contents of the TCP/IP packets (or messages).
|
||||
</para>
|
||||
|
||||
@ -171,7 +171,7 @@
|
||||
|
||||
<step><para>
|
||||
Review traces of network logons for a Windows 9x/Me client as well as
|
||||
a Domain logon for a Windows XP Professional client.
|
||||
a domain logon for a Windows XP Professional client.
|
||||
</para></step>
|
||||
</procedure>
|
||||
|
||||
@ -187,7 +187,7 @@
|
||||
two MS Windows 9x/Me systems. We called one machine <constant>WINEPRESSME</constant> and the
|
||||
other <constant>MILGATE98</constant>. Each needs an IP address; we used <literal>10.1.1.10</literal>
|
||||
and <literal>10.1.1.11</literal>. The test machines need to be networked via a <emphasis>hub</emphasis>. A UNIX/Linux
|
||||
machine is required to run <command>ethereal</command> to enable the network activity to be captured.
|
||||
machine is required to run <command>Ethereal</command> to enable the network activity to be captured.
|
||||
It is important that the machine from which network activity is captured must not interfere with
|
||||
the operation of the Windows workstations. It is helpful for this machine to be passive (does not
|
||||
send broadcast information) to the network.
|
||||
@ -199,10 +199,10 @@
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>Windows 98 &smbmdash; name: MILGATE98.</para></listitem>
|
||||
<listitem><para>Windows Me &smbmdash; name: WINEPRESSME.</para></listitem>
|
||||
<listitem><para>Windows XP Professional &smbmdash; name: LightrayXP.</para></listitem>
|
||||
<listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9.</para></listitem>
|
||||
<listitem><para>Windows 98 &smbmdash; name: MILGATE98</para></listitem>
|
||||
<listitem><para>Windows Me &smbmdash; name: WINEPRESSME</para></listitem>
|
||||
<listitem><para>Windows XP Professional &smbmdash; name: LightrayXP</para></listitem>
|
||||
<listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
@ -211,17 +211,17 @@
|
||||
|
||||
<para>
|
||||
<indexterm><primary>ethereal</primary></indexterm>
|
||||
The network captures provided on the CD-ROM at the back of this book were captured using <constant>ethereal</constant>
|
||||
The network captures provided on the CD-ROM included with this book were captured using <constant>Ethereal</constant>
|
||||
version <literal>0.10.6</literal>. A later version suffices without problems, but an earlier version may not
|
||||
expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
|
||||
packets has also been included. This makes it possible for you to do all the studying you like without the need to
|
||||
perform the time-consuming equipment configuration and test work. This is a good time to point out the value
|
||||
perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
|
||||
that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
|
||||
care and attention to detail.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Single Machine Broadcast Activity</title>
|
||||
<title>Single-Machine Broadcast Activity</title>
|
||||
|
||||
<para>
|
||||
In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
|
||||
@ -253,7 +253,7 @@
|
||||
|
||||
<step><para>
|
||||
Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
|
||||
do not press any keyboard keys, do not click any on-screen icons or menus; and do not answer any dialog boxes.
|
||||
do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -273,7 +273,7 @@
|
||||
|
||||
<para>
|
||||
The summary of the first 10 minutes of the packet capture should look like <link linkend="pktcap01"/>.
|
||||
A screen-shot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
|
||||
A screenshot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
|
||||
</para>
|
||||
|
||||
<image id="pktcap01">
|
||||
@ -294,7 +294,7 @@
|
||||
</indexterm>
|
||||
Broadcast messages observed are shown in <link linkend="capsstats01"/>.
|
||||
Actual observations vary a little, but not by much.
|
||||
Early in the startup process, the Windows Me machine broadcasts its name for two reasons;
|
||||
Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
|
||||
first to ensure that its name would not result in a name clash, and second to establish its
|
||||
presence with the Local Master Browser (LMB).
|
||||
</para>
|
||||
@ -319,91 +319,91 @@
|
||||
<entry>WINEPRESSME<00></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>WINEPRESSME<03></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>WINEPRESSME<20></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<00></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1d></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1e></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1b></entry>
|
||||
<entry>Qry</entry>
|
||||
<entry>84</entry>
|
||||
<entry>300 sec apart at stable operation.</entry>
|
||||
<entry>300 sec apart at stable operation</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>__MSBROWSE__</entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>Registered after winning election to Browse Master.</entry>
|
||||
<entry>Registered after winning election to Browse Master</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>JHT<03></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 x 2. This is the name of the user that logged onto Windows.</entry>
|
||||
<entry>4 x 2. This is the name of the user that logged onto Windows</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Host Announcement WINEPRESSME</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>2</entry>
|
||||
<entry>Observed at 10 sec.</entry>
|
||||
<entry>Observed at 10 sec</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Domain/Workgroup Announcement MIDEARTH</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>18</entry>
|
||||
<entry>300 sec apart at stable operation.</entry>
|
||||
<entry>300 sec apart at stable operation</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Local Master Announcement WINEPRESSME</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>18</entry>
|
||||
<entry>300 sec apart at stable operation.</entry>
|
||||
<entry>300 sec apart at stable operation</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Get Backup List Request</entry>
|
||||
<entry>Qry</entry>
|
||||
<entry>12</entry>
|
||||
<entry>6 x 2 early in startup, 0.5 sec apart.</entry>
|
||||
<entry>6 x 2 early in startup, 0.5 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Browser Election Request</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>10</entry>
|
||||
<entry>5 x 2 early in startup.</entry>
|
||||
<entry>5 x 2 early in startup</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Request Announcement WINEPRESSME</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>4</entry>
|
||||
<entry>Early in startup.</entry>
|
||||
<entry>Early in startup</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -415,7 +415,7 @@
|
||||
<primary>browse master</primary>
|
||||
</indexterm>
|
||||
From the packet trace, it should be noted that no messages were propagated over TCP/IP;
|
||||
all employed UDP/IP. When steady state operation has been achieved, there is a cycle
|
||||
all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
|
||||
of various announcements, re-election of a browse master, and name queries. These create
|
||||
the symphony of announcements by which network browsing is made possible.
|
||||
</para>
|
||||
@ -423,9 +423,9 @@
|
||||
<para><indexterm>
|
||||
<primary>CIFS</primary>
|
||||
</indexterm>
|
||||
For detailed information regarding the precise behavior of the CIFS/SMB protocols, the
|
||||
reader is referred to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
|
||||
by Christopher Hertel, Publisher: Prentice Hall PTR, ISBN: 013047116X.
|
||||
For detailed information regarding the precise behavior of the CIFS/SMB protocols,
|
||||
refer to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
|
||||
by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
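Review bot: the rewritten citation has a stray comma before the parenthetical: "by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X)." should read "by Christopher Hertel (Prentice Hall PTR, ISBN 013047116X)."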
@ -436,7 +436,7 @@
|
||||
<title>Second Machine Startup Broadcast Interaction</title>
|
||||
|
||||
<para>
|
||||
At this time, the machine you used to capture the single system startup trace should still be running.
|
||||
At this time, the machine you used to capture the single-system startup trace should still be running.
|
||||
The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
|
||||
</para>
|
||||
|
||||
@ -465,7 +465,7 @@
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Start the second Windows 9x/Me machine. Let it run for 15-20 minutes. While monitoring, do not press
|
||||
Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
|
||||
any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
|
||||
</para></step>
|
||||
|
||||
@ -489,7 +489,7 @@
|
||||
Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
|
||||
(i.e., the name is already registered by another machine) on the network segment. Those wishing
|
||||
to explore the inner details of the precise mechanism of how this functions should refer to
|
||||
the book <quote>Implementing CIFS: The Common Internet File System,</quote> referred to previously.
|
||||
<quote>Implementing CIFS: The Common Internet File System.</quote>
|
||||
</para>
|
||||
|
||||
<table id="capsstats02">
|
||||
@ -512,67 +512,67 @@
|
||||
<entry>MILGATE98<00></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MILGATE98<03></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.6 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MILGATE98<20></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<00></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1d></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1e></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>8</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart.</entry>
|
||||
<entry>4 lots of 2, 0.75 sec apart</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>MIDEARTH<1b></entry>
|
||||
<entry>Qry</entry>
|
||||
<entry>18</entry>
|
||||
<entry>900 sec apart at stable operation.</entry>
|
||||
<entry>900 sec apart at stable operation</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>JHT<03></entry>
|
||||
<entry>Reg</entry>
|
||||
<entry>2</entry>
|
||||
<entry>This is the name of the user that logged onto Windows.</entry>
|
||||
<entry>This is the name of the user that logged onto Windows</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Host Announcement MILGATE98</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>14</entry>
|
||||
<entry>Every 120 sec.</entry>
|
||||
<entry>Every 120 sec</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Domain/Workgroup Announcement MIDEARTH</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>6</entry>
|
||||
<entry>900 sec apart at stable operation.</entry>
|
||||
<entry>900 sec apart at stable operation</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>Local Master Announcement WINEPRESSME</entry>
|
||||
<entry>Ann</entry>
|
||||
<entry>6</entry>
|
||||
<entry>Insufficient detail to determine frequency.</entry>
|
||||
<entry>Insufficient detail to determine frequency</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -621,7 +621,7 @@
|
||||
|
||||
<step><para>
|
||||
Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
|
||||
machines using a user name (JHT) of your choice. Wait approximately two minutes before proceeding.
|
||||
machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -674,7 +674,7 @@
|
||||
<step><para>
|
||||
<indexterm><primary>password length</primary></indexterm>
|
||||
<indexterm><primary>User Mode</primary></indexterm>
|
||||
Dissect this packet as per the one above. This packet should have a password length
|
||||
Dissect this packet as per the previous one. This packet should have a password length
|
||||
of 24 (characters) and should have a password field, the contents of which is a
|
||||
long hexadecimal number. Observe the name in the Account field. This is a User Mode
|
||||
session setup packet.
|
||||
@ -687,7 +687,7 @@
|
||||
<para>
|
||||
<indexterm><primary>IPC$</primary></indexterm>
|
||||
The <constant>IPC$</constant> share serves a vital purpose<footnote><para>TOSHARG, Sect 4.5.1</para></footnote>
|
||||
in SMB/CIFS based networking. A Windows client connects to this resource to obtain the list of
|
||||
in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
|
||||
resources that are available on the server. The server responds with the shares and print queues that
|
||||
are available. In most but not all cases, the connection is made with a <constant>NULL</constant>
|
||||
username and a <constant>NULL</constant> password.
|
||||
@ -695,7 +695,7 @@
|
||||
|
||||
<para>
|
||||
<indexterm><primary>account credentials</primary></indexterm>
|
||||
The two packets examined are material evidence with respect to how Windows clients may
|
||||
The two packets examined are material evidence of how Windows clients may
|
||||
interoperate with Samba. Samba requires every connection setup to be authenticated using
|
||||
valid UNIX account credentials (UID/GID). This means that even a <constant>NULL</constant>
|
||||
session setup can be established only by automatically mapping it to a valid UNIX
|
||||
@ -707,8 +707,8 @@
|
||||
<primary>guest account</primary>
|
||||
</indexterm>
|
||||
<indexterm><primary>nobody</primary></indexterm>
|
||||
Samba has a special name for the <constant>NULL</constant>, or empty, user account.
|
||||
It calls that the <smbconfoption name="guest account"/>. The
|
||||
Samba has a special name for the <constant>NULL</constant>, or empty, user account:
|
||||
it calls it the <smbconfoption name="guest account"/>. The
|
||||
default value of this parameter is <constant>nobody</constant>; however, this can be
|
||||
changed to map the function of the guest account to any other UNIX identity. Some
|
||||
UNIX administrators prefer to map this account to the system default anonymous
|
||||
@ -730,7 +730,7 @@
|
||||
(<filename>/etc/passwd</filename>), the operation of the <constant>NULL</constant>
|
||||
account cannot validate and thus connections that utilize the guest account
|
||||
fail. This breaks all ability to browse the Samba server and is a common
|
||||
problem reported on the Samba mailing list. A sample User Mode Session Setup AndX
|
||||
problem reported on the Samba mailing list. A sample User Mode session setup AndX
|
||||
is shown in <link linkend="userconnect"/>.
|
||||
</para>
|
||||
|
||||
@ -772,20 +772,20 @@
|
||||
|
||||
<para>
|
||||
To complete this exercise, you need a Windows XP Professional client that has been configured as
|
||||
a Domain Member of either a Samba controlled domain or a Windows NT4 or 200x Active Directory domain.
|
||||
Here we do not provide details for how to configure this, as full coverage is provided later in this book.
|
||||
a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
|
||||
Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
|
||||
</para>
|
||||
|
||||
<procedure>
|
||||
<title>Steps to Explore Windows XP Pro Connection Set-up</title>
|
||||
|
||||
<step><para>
|
||||
Start your Domain Controller. Also, start the ethereal monitoring machine, launch ethereal,
|
||||
Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal,
|
||||
and then wait for the next step to complete.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Start the Windows XP Client and wait five minutes before proceeding.
|
||||
Start the Windows XP Client and wait 5 minutes before proceeding.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
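Review bot: "launch ethereal" keeps the product name in lower case in both the old and the new line, while the rest of this hunk is normalizing capitalization ("Domain Controller" to "domain controller"); it should read Ethereal, or be marked up as the application name in the document's own convention, since it is a proper noun rather than a command. The procedure title "Connection Set-up" also disagrees with "session setup" used throughout the surrounding steps; pick one spelling.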
@ -810,12 +810,12 @@
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
On the Windows XP Professional client: Press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
|
||||
On the Windows XP Professional client, press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
|
||||
up the domain logon screen. Log in using valid credentials for a domain user account.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Now proceed to connect to the Domain Controller as follows:
|
||||
Now proceed to connect to the domain controller as follows:
|
||||
<menuchoice>
|
||||
<guimenu>Start</guimenu>
|
||||
<guimenuitem>(right-click) My Network Places</guimenuitem>
|
||||
@ -839,8 +839,8 @@
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
If desired, the Windows XP Professional client and the Domain Controller are no longer needed for exercises
|
||||
in this chapter.
|
||||
If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
|
||||
in this appendix.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -858,7 +858,7 @@
|
||||
Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
|
||||
entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
|
||||
keys. This should reveal that this is a <constant>NULL</constant> session setup packet.
|
||||
The <constant>User name: NULL</constant> indicates this. An example decode is shown in
|
||||
The <constant>User name: NULL</constant> so indicates. An example decode is shown in
|
||||
<link linkend="XPCap01"/>.
|
||||
</para></step>
|
||||
|
||||
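Review bot: the rewording "The <constant>User name: NULL</constant> so indicates." is harder to read than the line it replaces; "indicates this" was clear, or better, tie it to the field: "The <constant>User name: NULL</constant> field shows this." The same substitution is made in the next hunk for the jht case and should be treated the same way.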
@ -874,17 +874,17 @@
|
||||
Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
|
||||
entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
|
||||
keys. This should reveal that this is a <constant>User Mode</constant> session setup packet.
|
||||
The <constant>User name: jht</constant> indicates this. An example decode is shown in
|
||||
The <constant>User name: jht</constant> so indicates. An example decode is shown in
|
||||
<link linkend="XPCap02"/>. In this case the user name was <constant>jht</constant>. This packet
|
||||
decode includes the <constant>Lan Manager Response:</constant> and the <constant>NTLM Response:</constant>.
|
||||
The value of these two parameters is the Microsoft encrypted password hashes, respectively, the LanMan
|
||||
The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
|
||||
password and then the NT (case-preserving) password hash.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
<indexterm><primary>password length</primary></indexterm>
|
||||
<indexterm><primary>User Mode</primary></indexterm>
|
||||
The passwords are 24 characters long hexadecimal numbers. This packet confirms that this is a User Mode
|
||||
The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
|
||||
session setup packet.
|
||||
</para></step>
|
||||
|
||||
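Review bot: the corrected sentence "The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash." is still wrong in substance, and the hunk is the right place to fix it. The <constant>Lan Manager Response:</constant> and <constant>NTLM Response:</constant> fields carry 24-byte challenge responses, each computed from the corresponding hash and the 8-byte challenge the server issued; the LM and NT hashes themselves never appear on the wire. For the same reason "The passwords are 24-character hexadecimal numbers." should say 24 bytes: the decoder's length of 24 is a byte count, and the value is displayed as 48 hex digits. Suggested reading: "The values of these two fields are the 24-byte challenge responses derived from the LanMan hash and the NT (case-preserving) hash of the user's password."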
@ -922,24 +922,23 @@
|
||||
<title>Conclusions to Exercises</title>
|
||||
|
||||
<para>
|
||||
In summary, the following points have been established in this chapter:
|
||||
In summary, the following points have been established in this appendix:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast
|
||||
oriented messaging protocols to provide knowledge of network services.
|
||||
When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Network browsing protocols query information stored on Browse Masters that manage
|
||||
information provided by NetBIOS Name Registrations and by way of on-going Host
|
||||
Announcements and Workgroup Announcements.
|
||||
Network browsing protocols query information stored on browse masters that manage
|
||||
information provided by NetBIOS Name Registrations and by way of ongoing host
|
||||
announcements and workgroup announcements.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
All Samba servers must be configured with a mechanism for mapping the <constant>NULL-Session</constant>
|
||||
to a valid but non-privileged UNIX system account.
|
||||
to a valid but nonprivileged UNIX system account.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
@ -947,8 +946,8 @@
|
||||
networking operations. Such passwords cannot be provided from the UNIX <filename>/etc/passwd</filename>
|
||||
database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
|
||||
use. Samba-2.x permitted such encrypted passwords to be stored in the <constant>smbpasswd</constant>
|
||||
file or in an LDAP database. Samba-3 permits that use of multiple different <parameter>passdb backend</parameter>
|
||||
databases, in concurrent deploy. Refer to <emphasis>TOSHARG</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
|
||||
file or in an LDAP database. Samba-3 permits use of multiple <parameter>passdb backend</parameter>
|
||||
databases in concurrent deployment. Refer to <emphasis>TOSHARG</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
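Review bot: the changed line "file or in an LDAP database. Samba-3 permits use of multiple <parameter>passdb backend</parameter>" uses <parameter> for an smb.conf option, whereas this file marks up the same kind of option with <smbconfoption name="guest account"/> a few hundred lines earlier; use <smbconfoption name="passdb backend"/> here so the option is indexed and cross-referenced like the others.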
@ -968,7 +967,7 @@
|
||||
|
||||
<para>
|
||||
Those wishing background information regarding NetBIOS name types should refer to
|
||||
the Microsoft Knowledge Base Article
|
||||
the Microsoft knowledgebase article
|
||||
<ulink url="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp">Q102878.</ulink>
|
||||
</para>
|
||||
|
||||
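Review bot: "the Microsoft knowledgebase article" lowercases and fuses a proper noun; Microsoft Knowledge Base is the name of the publication, so the original capitalization was the correct one even if the article "a" replacing nothing is fine. Also, the trailing period is inside the link text ("Q102878.</ulink>"); move it outside the <ulink> so the rendered link is just the article number.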
@ -1011,7 +1010,7 @@
|
||||
<indexterm><primary>DMB</primary></indexterm>
|
||||
This is a broadcast announcement by which the Windows machine is attempting to
|
||||
locate a Domain Master Browser (DMB) in the event that it might exist on the network.
|
||||
Refer to <emphasis>TOSHARG</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing</quote>
|
||||
Refer to <emphasis>TOSHARG,</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing,</quote>
|
||||
for details regarding the function of the DMB and its role in network browsing.
|
||||
</para>
|
||||
|
||||
@ -1031,9 +1030,9 @@
|
||||
<para>
|
||||
<indexterm><primary>Local Master Browser</primary><see>LMB</see></indexterm>
|
||||
<indexterm><primary>LMB</primary></indexterm>
|
||||
This name registration records the machine IP addresses of the Local Master Browsers (LMBs).
|
||||
This name registration records the machine IP addresses of the LMBs.
|
||||
Network clients can query this name type to obtain a list of browser servers from the
|
||||
Master Browser.
|
||||
master browser.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -1048,7 +1047,7 @@
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The IP addresses of all Domain Controllers known for the Domain
|
||||
The IP addresses of all domain controllers known for the domain
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
@ -1080,9 +1079,9 @@
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Browse Master</primary></indexterm>
|
||||
This name is registered by the Browse Master to broadcast and receive domain announcements.
|
||||
This name is registered by the browse master to broadcast and receive domain announcements.
|
||||
Its scope is limited to the local network segment, or subnet. By querying this name type,
|
||||
Master Browsers on networks that have multiple domains can find the names of Master Browsers
|
||||
master browsers on networks that have multiple domains can find the names of master browsers
|
||||
for each domain.
|
||||
</para>
|
||||
|
||||
@ -1101,9 +1100,9 @@
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Browser Election Service</primary></indexterm>
|
||||
This name is registered by all Browse Masters in a domain or workgroup. The registration
|
||||
name type is known as the Browser Election Service. Master Browsers register themselves
|
||||
with this name type so that Domain Master Browsers can locate them to perform cross-subnet
|
||||
This name is registered by all browse masters in a domain or workgroup. The registration
|
||||
name type is known as the Browser Election Service. Master browsers register themselves
|
||||
with this name type so that DMBs can locate them to perform cross-subnet
|
||||
browse list updates. This name type is also used to initiate elections for Master Browsers.
|
||||
</para>
|
||||
|
||||
@ -1132,7 +1131,7 @@
|
||||
<para>
|
||||
It should be noted that the <parameter>guest account</parameter> is essential to
|
||||
Samba operation. Either the operating system must have an account called <constant>nobody</constant>
|
||||
or there must be an entry in the &smb.conf; file with a valid UNIX account. For example,
|
||||
or there must be an entry in the &smb.conf; file with a valid UNIX account, such as
|
||||
<smbconfoption name="guest account">ftp</smbconfoption>.
|
||||
</para>
|
||||
|
||||
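Review bot: the new example "or there must be an entry in the &smb.conf; file with a valid UNIX account, such as <smbconfoption name="guest account">ftp</smbconfoption>" needs a caveat, because whatever account is named here is the UNIX identity that every anonymous (NULL-session) IPC$ connection runs as on this server, as the appendix itself explains earlier. That account should own nothing, have no login shell, and be reachable from no other service; ftp is a poor illustration since it typically owns the anonymous FTP tree and on some systems has a writable upload area. Either keep nobody as the example or add a sentence stating those constraints.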
@ -1153,7 +1152,7 @@
|
||||
<indexterm><primary>WINS</primary></indexterm>
|
||||
<indexterm><primary>NetBIOS</primary></indexterm>
|
||||
Yes, there are two ways to do this. The first involves use of WINS (See <emphasis>TOSHARG</emphasis>, Chapter 9,
|
||||
Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>), the
|
||||
Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>); the
|
||||
alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
|
||||
a correctly configured DNS server (see <emphasis>TOSHARG</emphasis>, Chapter 9, Section 9.3, <quote>Discussion</quote>).
|
||||
</para>
|
||||
@ -1191,7 +1190,7 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
First, the use of <filename>/etc/passwd</filename> based plain-text passwords requires that registry
|
||||
First, the use of <filename>/etc/passwd</filename>-based plain-text passwords requires that registry
|
||||
modifications be made on all MS Windows client machines to enable plain-text passwords support. This
|
||||
significantly diminishes the security of MS Windows client operation. Many network administrators
|
||||
are bitterly opposed to doing this.
|
||||
@ -1199,7 +1198,7 @@
|
||||
|
||||
<para>
|
||||
Second, Microsoft has not maintained plain-text password support since the default setting was made
|
||||
disabling this. When network connections are dropped by the client it is not be possible to re-establish
|
||||
disabling this. When network connections are dropped by the client, it is not possible to re-establish
|
||||
the connection automatically. Users need to log off and then log on again. Plain-text password support
|
||||
may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
|
||||
environment.
|
||||
@ -1207,7 +1206,7 @@
|
||||
|
||||
<para>
|
||||
Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
|
||||
Just create user accounts by running: <command>smbpasswd -a 'username'</command>
|
||||
Just create user accounts by running <command>smbpasswd -a 'username'</command>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
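Review bot: "Just create user accounts by running <command>smbpasswd -a 'username'</command>" leaves the placeholder in literal single quotes, which a reader may type verbatim; DocBook's <replaceable>username</replaceable> inside the <command> is the convention for this. It would also help to say that the UNIX account must already exist, since smbpasswd -a only adds the Samba password entry and fails for a user the system does not know, which is exactly the /etc/passwd dependency discussed in the preceding answers.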
@ -1243,7 +1242,7 @@
|
||||
|
||||
<para>
|
||||
Is it necessary to specify <smbconfoption name="encrypt passwords">Yes</smbconfoption>
|
||||
when Samba-3 is configured as a Domain Member?
|
||||
when Samba-3 is configured as a domain member?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
@ -1261,7 +1260,7 @@
|
||||
|
||||
<para>
|
||||
Is it necessary to specify a <parameter>guest account</parameter> when Samba-3 is configured
|
||||
as a Domain Member server?
|
||||
as a domain member server?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
|
@ -2,22 +2,17 @@
|
||||
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
||||
|
||||
<chapter id="DomApps">
|
||||
<title>Integrating Additional Services</title>
|
||||
<title>Integrating Additional Services</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>backends</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>smbpasswd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ldapsam</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
<indexterm><primary>backends</primary></indexterm>
|
||||
<indexterm><primary>smbpasswd</primary></indexterm>
|
||||
<indexterm><primary>ldapsam</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
You've come a long way now. You have pretty much mastered Samba-3 for
|
||||
most uses it can be put to. Up until now, you have cast Samba-3 in the leading
|
||||
role and where authentication was required, you have used one or another of
|
||||
role, and where authentication was required, you have used one or another of
|
||||
Samba's many authentication backends (from flat text files with smbpasswd
|
||||
to LDAP directory integration with ldapsam). Now you can design a
|
||||
solution for a new Abmas business. This business is running Windows Server
|
||||
@ -39,9 +34,9 @@
|
||||
|
||||
<para>
|
||||
With this acquisition comes new challenges for you and your team. Abmas Snack
|
||||
Foods is a well-developed business with a huge and heterogeneous network. They
|
||||
already have Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
|
||||
The network is mature and well established, and there is no question of their chosen
|
||||
Foods is a well-developed business with a huge and heterogeneous network. It
|
||||
already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
|
||||
The network is mature and well established, and there is no question of its chosen
|
||||
user authentication scheme being changed for now. You need to take a wise new
|
||||
approach.
|
||||
</para>
|
||||
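Review bot: "already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux." keeps a capital P on "Proprietary" in both versions; since this hunk is fixing pronoun agreement and case elsewhere, make it "proprietary UNIX" (it is a description, not a product name).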
@ -53,15 +48,11 @@
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Assignment Tasks</title>
|
||||
<title>Assignment Tasks</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>web</primary>
|
||||
<secondary>proxying</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>web</primary>
|
||||
<secondary>caching</secondary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>web</primary><secondary>proxying</secondary></indexterm>
|
||||
<indexterm><primary>web</primary><secondary>caching</secondary></indexterm>
|
||||
You've promised the skeptical Abmas Snack Foods management team
|
||||
that you can show them how Samba can ease itself and other Open Source
|
||||
technologies into their existing infrastructure and deliver sound business
|
||||
@ -69,34 +60,29 @@
|
||||
acquisition). You have chosen Web proxying and caching as your proving ground.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>bandwidth</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Microsoft ISA</primary>
|
||||
</indexterm>
|
||||
Abmas Snack Foods has several thousand users housed at their Head Office
|
||||
<para>
|
||||
<indexterm><primary>bandwidth</primary></indexterm>
|
||||
<indexterm><primary>Microsoft ISA</primary></indexterm>
|
||||
Abmas Snack Foods has several thousand users housed at its head office
|
||||
and multiple regional offices, plants, and warehouses. A high proportion of
|
||||
the business's work is done online, so Internet access for most of these
|
||||
users is essential. All Internet access, including all of their regional offices,
|
||||
users is essential. All Internet access, including for all regional offices,
|
||||
is funneled through the head office and is the job of the (now your) networking
|
||||
team. The bandwidth requirements were horrific (comparable to a small ISP), and
|
||||
the team soon discovered proxying and caching. In fact, they became one of
|
||||
the earliest commercial users of Microsoft ISA.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authenticated</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>proxy</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
<indexterm><primary>authenticated</primary></indexterm>
|
||||
<indexterm><primary>proxy</primary></indexterm>
|
||||
The team is not happy with ISA. Because it never lived up to its marketing promises,
|
||||
it under-performed and had reliability problems. You have pounced on the opportunity
|
||||
it underperformed and had reliability problems. You have pounced on the opportunity
|
||||
to show what Open Source can do. The one thing they do like, however, is ISA's
|
||||
integration with Active Directory. They like that their users, once logged on,
|
||||
are automatically authenticated against the proxy. If your alternative to ISA
|
||||
can operate completely seamlessly in their Active Directory Domain, it will be
|
||||
can operate completely seamlessly in their Active Directory domain, it will be
|
||||
approved.
|
||||
</para>
|
||||
|
||||
@ -109,7 +95,7 @@
|
||||
</sect1>
|
||||
|
||||
<sect1>
|
||||
<title>Dissection and Discussion</title>
|
||||
<title>Dissection and Discussion</title>
|
||||
|
||||
<para>
|
||||
The key requirements in this business example are straightforward. You are not required
|
||||
@ -133,42 +119,26 @@
|
||||
<sect2>
|
||||
<title>Technical Issues</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>browsing</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Squid proxy</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>proxy</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Internet Explorer</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NTLM</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NTLM authentication daemon</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>daemon</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>domain</primary>
|
||||
<secondary>Active Directory</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>token</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>browsing</primary></indexterm>
|
||||
<indexterm><primary>Squid proxy</primary></indexterm>
|
||||
<indexterm><primary>proxy</primary></indexterm>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
<indexterm><primary>Internet Explorer</primary></indexterm>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>NTLM</primary></indexterm>
|
||||
<indexterm><primary>NTLM authentication daemon</primary></indexterm>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
<indexterm><primary>daemon</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
<indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm>
|
||||
<indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm>
|
||||
Functionally, the user's Internet Explorer requests a browsing session with the
|
||||
Squid proxy, for which it offers its AD authentication token. Squid hands off
|
||||
the authentication request to the Samba-3 authentication helper application
|
||||
called <command>ntlm_auth</command>. This helper is a hook into winbind, the
|
||||
Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
|
||||
against Microsoft Windows Domains, including Active Directory domains. As Active
|
||||
against Microsoft Windows domains, including Active Directory domains. As Active
|
||||
Directory authentication is a modified Kerberos authentication, winbind is assisted
|
||||
in this by local Kerberos 5 libraries configured to check passwords with the Active
|
||||
Directory server. Once the token has been checked, a browsing session is established.
|
||||
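Review bot: the unchanged context in this hunk misdescribes the authentication path, and since the paragraph is being touched anyway it should be corrected. The lines "Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate" and "Directory authentication is a modified Kerberos authentication, winbind is assisted in this by local Kerberos 5 libraries configured to check passwords with the Active Directory server." run two mechanisms together: in the flow the chapter builds, Internet Explorer sends NTLMSSP messages, not an "AD authentication token", Squid passes them to ntlm_auth, ntlm_auth hands them to winbindd, and winbindd validates the challenge/response with a domain controller over the NetLogon channel it established when the host was joined. The Kerberos libraries are needed for the join and for winbind's ADS mode (which is why the next section installs them), but they do not "check passwords" in an NTLM exchange. Suggested wording: "Squid hands the NTLMSSP exchange to ntlm_auth, which relays it to winbindd; winbindd validates it against a domain controller. The Kerberos 5 libraries are required so that the host can be joined to the Active Directory domain and winbind can operate in ADS mode."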
@ -181,7 +151,7 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
Preparing the necessary environment using pre-configured packages
|
||||
Preparing the necessary environment using preconfigured packages
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
@ -204,7 +174,7 @@
|
||||
<title>Political Issues</title>
|
||||
|
||||
<para>
|
||||
You are a stranger in a strange land and all eyes are upon you. Some would even like to see
|
||||
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
|
||||
you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
|
||||
solution does everything the old one did, but does it better in every way. Only then
|
||||
will the entrenched positions consider taking up your new way of doing things on a
|
||||
@ -218,9 +188,8 @@
|
||||
<sect1>
|
||||
<title>Implementation</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Squid</primary></indexterm>
|
||||
First, your system needs to be prepared and in a known good state to proceed. This consists
|
||||
of making sure that everything the system depends on is present and that everything that could
|
||||
interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
|
||||
@ -228,18 +197,15 @@
|
||||
they must be removed.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Red Hat Linux</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Red Hat Linux</primary></indexterm>
|
||||
The following packages should be available on your Red Hat Linux system:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para><indexterm>
|
||||
<primary>krb5</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm>
|
||||
<listitem><para>
|
||||
<indexterm><primary>krb5</primary></indexterm>
|
||||
<indexterm><primary>Kerberos</primary></indexterm>
|
||||
krb5-libs
|
||||
</para></listitem>
|
||||
|
||||
@ -260,9 +226,8 @@
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>SUSE Linux</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>SUSE Linux</primary></indexterm>
|
||||
In the case of SUSE Linux, these packages are called:
|
||||
</para>
|
||||
|
||||
@ -275,9 +240,8 @@
|
||||
heimdal-devel
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para><indexterm>
|
||||
<primary>Heimdal</primary>
|
||||
</indexterm>
|
||||
<listitem><para>
|
||||
<indexterm><primary>Heimdal</primary></indexterm>
|
||||
heimdal
|
||||
</para></listitem>
|
||||
|
||||
@ -292,45 +256,36 @@
|
||||
for your Linux system to ensure that the packages are correctly updated.
|
||||
</para>
|
||||
|
||||
<note><para><indexterm>
|
||||
<primary>MS Windows Server 2003</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>MIT</primary>
|
||||
</indexterm>
|
||||
If the requirement is for inter-operation with MS Windows Server 2003, it
|
||||
<note><para>
|
||||
<indexterm><primary>MS Windows Server 2003</primary></indexterm>
|
||||
<indexterm><primary>Kerberos</primary></indexterm>
|
||||
<indexterm><primary>MIT</primary></indexterm>
|
||||
If the requirement is for interoperation with MS Windows Server 2003, it
|
||||
will be necessary to ensure that you are using MIT Kerberos version 1.3.1
|
||||
or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
|
||||
updating.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Heimdal</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>SUSE Enterprise Linux Server</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Heimdal</primary></indexterm>
|
||||
<indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
|
||||
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
|
||||
Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
|
||||
</para></note>
|
||||
|
||||
<sect2 id="ch10-one">
|
||||
<title>Removal of Pre-existing Conflicting RPMs</title>
|
||||
<title>Removal of Pre-Existing Conflicting RPMs</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Squid</primary></indexterm>
|
||||
If Samba and/or Squid RPMs are installed, they should be updated. You can
|
||||
build both from source.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>rpm</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>samba</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>squid</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>rpm</primary></indexterm>
|
||||
<indexterm><primary>samba</primary></indexterm>
|
||||
<indexterm><primary>squid</primary></indexterm>
|
||||
Locating the packages to be un-installed can be achieved by running:
|
||||
<screen>
|
||||
&rootprompt; rpm -qa | grep -i samba
|
||||
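Review bot: the section retitled "Removal of Pre-Existing Conflicting RPMs" opens with "If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source.", which contradicts the title and the following "Locating the packages to be un-installed can be achieved by running:"; state once whether the reader is to update or remove them, and spell "uninstalled" without the hyphen. The <note> in the same hunk pins MIT Kerberos at "1.3.1 or later" and Heimdal at "0.6 or later"; the next hunk raises these to 1.3.4 and "0.63" (see the note there), so the two passages need to be brought into agreement.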
@ -345,110 +300,80 @@
|
||||
<sect2>
|
||||
<title>Kerberos Configuration</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
<secondary>server</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ADS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>KDC</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Kerberos</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
|
||||
<indexterm><primary>ADS</primary></indexterm>
|
||||
<indexterm><primary>KDC</primary></indexterm>
|
||||
The systems Kerberos installation must be configured to communicate with
|
||||
your primary Active Directory server (ADS KDC).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results,
|
||||
Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
|
||||
although the current default Red Hat MIT version 1.2.7 gives acceptable results
|
||||
unless you are using Windows 2003 servers.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>MIT</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Heimdal</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>/etc/krb5.conf</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>DNS</primary>
|
||||
<secondary>SRV records</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>KDC</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>DNS</primary>
|
||||
<secondary>lookup</secondary>
|
||||
</indexterm>
|
||||
Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an <filename>/etc/krb5.conf</filename>
|
||||
<para>
|
||||
<indexterm><primary>MIT</primary></indexterm>
|
||||
<indexterm><primary>Heimdal</primary></indexterm>
|
||||
<indexterm><primary>Kerberos</primary></indexterm>
|
||||
<indexterm><primary>/etc/krb5.conf</primary></indexterm>
|
||||
<indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm>
|
||||
<indexterm><primary>KDC</primary></indexterm>
|
||||
<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
|
||||
Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename>
|
||||
file in order to work correctly. All ADS domains automatically create SRV records in the
|
||||
DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both
|
||||
MIT and Heimdal, KRB5 libraries default to checking for these records, so they
|
||||
automatically find the KDCs. In addition, <filename>krb5.conf</filename> only allows
|
||||
specifying a single KDC, even there if there is more than one. Using the DNS lookup
|
||||
automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows
|
||||
specifying only a single KDC, even if there is more than one. Using the DNS lookup
|
||||
allows the KRB5 libraries to use whichever KDCs are available.
|
||||
</para>
|
||||
|
||||
<procedure>
|
||||
<title>Kerberos Configuration Steps</title>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>krb5.conf</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>krb5.conf</primary></indexterm>
|
||||
If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
|
||||
to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file
|
||||
should be <filename>/etc/krb5.conf</filename>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>Kerberos</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>realm</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>case-sensitive</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>KDC</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>synchronization</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>initial credentials</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Clock skew</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NTP</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>DNS</primary>
|
||||
<secondary>lookup</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>reverse DNS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NetBIOS name </primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>/etc/hosts</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>mapping</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>Kerberos</primary></indexterm>
|
||||
<indexterm><primary>realm</primary></indexterm>
|
||||
<indexterm><primary>case-sensitive</primary></indexterm>
|
||||
<indexterm><primary>KDC</primary></indexterm>
|
||||
<indexterm><primary>synchronization</primary></indexterm>
|
||||
<indexterm><primary>initial credentials</primary></indexterm>
|
||||
<indexterm><primary>Clock skew</primary></indexterm>
|
||||
<indexterm><primary>NTP</primary></indexterm>
|
||||
<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
|
||||
<indexterm><primary>reverse DNS</primary></indexterm>
|
||||
<indexterm><primary>NetBIOS name </primary></indexterm>
|
||||
<indexterm><primary>/etc/hosts</primary></indexterm>
|
||||
<indexterm><primary>mapping</primary></indexterm>
|
||||
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
|
||||
be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
|
||||
initial credentials</quote>. Kerberos is picky about time synchronization. The time
|
||||
according to your participating servers must be within 5 minutes or you get an error
|
||||
according to your participating servers must be within 5 minutes or you get an error:
|
||||
<quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
|
||||
Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
|
||||
5 minutes). A better solution is to implement NTP throughout your server network.
|
||||
Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
|
||||
Also, the name that this reverse lookup maps to must either be the NetBIOS name of
|
||||
the KDC (i.e., the hostname with no domain attached), or it can alternately be the
|
||||
the KDC (i.e., the hostname with no domain attached) or the
|
||||
NetBIOS name followed by the realm. If all else fails, you can add a
|
||||
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
|
||||
NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
|
||||
when you try to join the realm.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>kinit</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>kinit</primary></indexterm>
|
||||
You are now ready to test your installation by issuing the command:
|
||||
<screen>
|
||||
&rootprompt; kinit [USERNAME@REALM]
|
||||
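Review bot: "Heimdal (0.63)" in the rewritten version line looks like a typo for 0.6.3; Heimdal numbers its releases 0.6.x, and the line being replaced read "Heimdal (0.6)", so the intended bump is to 0.6.3. Two smaller things in the same hunk: the index term `<primary>NetBIOS name </primary>` keeps a trailing space (it will sort as a separate index entry from "NetBIOS name"), and "Since both MIT and Heimdal, KRB5 libraries default to checking for these records" has a stray comma after Heimdal.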
@ -479,48 +404,40 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
|
||||
<para><indexterm>
|
||||
<primary>klist</primary>
|
||||
</indexterm>
|
||||
The command:
|
||||
The command
|
||||
<screen>
|
||||
&rootprompt; klist -e
|
||||
</screen>
|
||||
shows the Kerberos tickets cached by the system:
|
||||
shows the Kerberos tickets cached by the system.
|
||||
</para>
|
||||
|
||||
<sect3>
|
||||
<title>Samba Configuration</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm>
|
||||
Samba must be configured to correctly use Active Directory. Samba-3 must be used, as
|
||||
this has the necessary components to interface with Active Directory.
|
||||
<para>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
|
||||
has the necessary components to interface with Active Directory.
|
||||
</para>
|
||||
|
||||
<procedure>
|
||||
<title>Securing Samba-3 With ADS Support Steps</title>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>Red Hat Linux</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Samba Tea</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Red Hat Fedora Linux</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>MIT KRB5</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ntlm_auth</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>Red Hat Linux</primary></indexterm>
|
||||
<indexterm><primary>Samba Tea</primary></indexterm>
|
||||
<indexterm><primary>Red Hat Fedora Linux</primary></indexterm>
|
||||
<indexterm><primary>MIT KRB5</primary></indexterm>
|
||||
<indexterm><primary>ntlm_auth</primary></indexterm>
|
||||
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
|
||||
<ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
|
||||
RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
|
||||
needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
|
||||
needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>SerNet</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>RPMs</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>SerNet</primary></indexterm>
|
||||
<indexterm><primary>RPMs</primary></indexterm>
|
||||
The necessary, validated RPM packages for SUSE Linux may be obtained from
|
||||
the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
|
||||
is located in Germany. All SerNet RPMs are validated, have the necessary
|
||||
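Review bot: the Kerberos hunk above moves the recommended MIT version from 1.3.1 to 1.3.4, but this hunk still says the Samba Team RPMs "are linked against MIT KRB5 version 1.3.1"; either this version should be checked against the RPMs actually shipped or the two statements need reconciling, so a reader does not install 1.3.4 and then wonder why the binaries are linked against 1.3.1. Also the index term `<primary>Samba Tea</primary>` is missing the final "m", and the full stop in `FTP site.</ulink>` sits inside the link text.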
@ -533,19 +450,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
|
||||
file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>computer account</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>net</primary>
|
||||
<secondary>ads</secondary>
|
||||
<tertiary>join</tertiary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Kerberos ticket</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ticket</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>computer account</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i
|
||||
<indexterm><primary>Kerberos ticket</primary></indexterm>
|
||||
<indexterm><primary>ticket</primary></indexterm>
|
||||
Next you need to create a computer account in the Active Directory.
|
||||
This sets up the trust relationship needed for other clients to
|
||||
authenticate to the Samba server with an Active Directory Kerberos ticket.
|
||||
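Review bot: the line `<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i` carries a stray "i" after the closing tag (it looks like an editor insert-mode keystroke); it will be rendered as a literal "i" at the start of the paragraph text. Drop it.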
@ -556,20 +466,14 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>smbd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>nmbd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbindd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Samba</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>smbd</primary></indexterm>
|
||||
<indexterm><primary>nmbd</primary></indexterm>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary></indexterm>
|
||||
<indexterm><primary>Samba</primary></indexterm>
|
||||
Your new Samba binaries must be started in the standard manner as is applicable
|
||||
to the platform you are running on. Alternately, start your Active Directory
|
||||
enabled Samba with the following commands:
|
||||
to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
|
||||
<screen>
|
||||
&rootprompt; smbd -D
|
||||
&rootprompt; nmbd -D
|
||||
@ -577,19 +481,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
<secondary>domain</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>wbinfo</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>enumerating</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
<secondary>tree</secondary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm>
|
||||
<indexterm><primary>wbinfo</primary></indexterm>
|
||||
<indexterm><primary>enumerating</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm>
|
||||
We now need to test that Samba is communicating with the Active
|
||||
Directory domain; most specifically, we want to see whether winbind
|
||||
is enumerating users and groups. Issue the following commands:
|
||||
@ -623,11 +520,9 @@ LONDON+DnsUpdateProxy
|
||||
This enumerates all the groups in your Active Directory tree.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ntlm_auth</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>Squid</primary></indexterm>
|
||||
<indexterm><primary>ntlm_auth</primary></indexterm>
|
||||
Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
|
||||
You may test <command>ntlm_auth</command> with the command:
|
||||
<screen>
|
||||
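Review bot: "Squid uses the ntlm_auth helper build with Samba-3" should read "built with Samba-3"; the typo survives in both the old and the rewritten line.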
@ -640,23 +535,15 @@ password: XXXXXXXX
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>ntlm_auth</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authenticate</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>privileged pipe</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>squid</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>chgrp</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>chmod</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>failure</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>ntlm_auth</primary></indexterm>
|
||||
<indexterm><primary>authenticate</primary></indexterm>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>privileged pipe</primary></indexterm>
|
||||
<indexterm><primary>squid</primary></indexterm>
|
||||
<indexterm><primary>chgrp</primary></indexterm>
|
||||
<indexterm><primary>chmod</primary></indexterm>
|
||||
<indexterm><primary>failure</primary></indexterm>
|
||||
The <command>ntlm_auth</command> helper, when run from a command line as the user
|
||||
<quote>root</quote>, authenticates against your Active Directory domain (with
|
||||
the aid of winbind). It manages this by reading from the winbind privileged pipe.
|
||||
@ -682,13 +569,10 @@ password: XXXXXXXX
|
||||
<sect3>
|
||||
<title>NSS Configuration</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>NSS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>NSS</primary></indexterm>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
|
||||
</para>
|
||||
|
||||
@ -735,12 +619,9 @@ group: files winbind
|
||||
<sect3>
|
||||
<title>Squid Configuration</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
<secondary>authentication</secondary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Squid</primary></indexterm>
|
||||
<indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm>
|
||||
Squid must be configured correctly to interact with the Samba-3
|
||||
components that handle Active Directory authentication.
|
||||
</para>
|
||||
@ -755,30 +636,22 @@ group: files winbind
|
||||
<procedure>
|
||||
<title>Squid Configuration Steps</title>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>SUSE Linux</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>helper agent</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>SUSE Linux</primary></indexterm>
|
||||
<indexterm><primary>Squid</primary> </indexterm>
|
||||
<indexterm><primary>helper agent</primary></indexterm>
|
||||
If your Linux distribution is SUSE Linux 9, the version of Squid
|
||||
supplied is already enabled to use the winbind helper agent. You
|
||||
can, therefore, omit the steps that would build the Squid binary
|
||||
can therefore omit the steps that would build the Squid binary
|
||||
programs.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>nobody</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>squid</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>rpms</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>/etc/passwd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>/etc/group</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>nobody</primary></indexterm>
|
||||
<indexterm><primary>squid</primary></indexterm>
|
||||
<indexterm><primary>rpms</primary></indexterm>
|
||||
<indexterm><primary>/etc/passwd</primary></indexterm>
|
||||
<indexterm><primary>/etc/group</primary></indexterm>
|
||||
Squid, by default, runs as the user <constant>nobody</constant>. You need to
|
||||
add a system user <constant>squid</constant> and a system group
|
||||
<constant>squid</constant> if they are not set up already (if the default
|
||||
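Review bot: `<indexterm><primary>Squid</primary> </indexterm>` has a space before the closing tag that none of the other rewritten index terms in this change have; harmless to the index, but it is the only one written that way, so it looks accidental and should match the rest.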
@ -787,11 +660,9 @@ group: files winbind
|
||||
and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>permissions</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>chown</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>permissions</primary></indexterm>
|
||||
<indexterm><primary>chown</primary></indexterm>
|
||||
You now need to change the permissions on Squid's <constant>var</constant>
|
||||
directory. Enter the following command:
|
||||
<screen>
|
||||
@ -799,11 +670,9 @@ group: files winbind
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>logging</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Squid</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>logging</primary></indexterm>
|
||||
<indexterm><primary>Squid</primary></indexterm>
|
||||
Squid must also have control over its logging. Enter the following commands:
|
||||
<screen>
|
||||
&rootprompt; chown -R chown squid:squid /var/log/squid
|
||||
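Review bot: the command `chown -R chown squid:squid /var/log/squid` repeats the word chown, so as written it would try to change the owner of a file named squid:squid and of /var/log/squid to a user named chown and fail; it should be `chown -R squid:squid /var/log/squid`. It is unchanged context here, but since this step is what lets Squid write its own logs as the unprivileged squid user, it is worth fixing in the same sweep.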
@ -820,16 +689,14 @@ group: files winbind
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>/etc/squid/squid.conf</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>/etc/squid/squid.conf</primary></indexterm>
|
||||
The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from
|
||||
<link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>cache directories</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>cache directories</primary></indexterm>
|
||||
You must create Squid's cache directories before it may be run. Enter the following command:
|
||||
<screen>
|
||||
&rootprompt; squid -z
|
||||
@ -876,19 +743,12 @@ group: files winbind
|
||||
<sect2>
|
||||
<title>Key Points Learned</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Web browsers</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>services</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication protocols</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Web</primary>
|
||||
<secondary>proxy</secondary>
|
||||
<tertiary>access</tertiary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NTLMSSP</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Web browsers</primary></indexterm>
|
||||
<indexterm><primary>services</primary></indexterm>
|
||||
<indexterm><primary>authentication protocols</primary></indexterm>
|
||||
<indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm>
|
||||
<indexterm><primary>NTLMSSP</primary></indexterm>
|
||||
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
|
||||
Windows clients use, even when accessing traditional services such as Web browsers. Depending
|
||||
on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
|
||||
@ -904,15 +764,11 @@ group: files winbind
|
||||
<sect1>
|
||||
<title>Questions and Answers</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>ntlm_auth</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>SambaXP conference</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Goettingen</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Italian</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>ntlm_auth</primary></indexterm>
|
||||
<indexterm><primary>SambaXP conference</primary></indexterm>
|
||||
<indexterm><primary>Goettingen</primary></indexterm>
|
||||
<indexterm><primary>Italian</primary></indexterm>
|
||||
The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
|
||||
in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
|
||||
<command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the
|
||||
@ -921,20 +777,20 @@ group: files winbind
|
||||
|
||||
<para>
|
||||
The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
|
||||
support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000
|
||||
support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
|
||||
users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
|
||||
wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
|
||||
comments were made with respect to questions regarding the performance of this installation:
|
||||
</para>
|
||||
|
||||
<blockquote><para>
|
||||
[In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The <quote>almost</quote>
|
||||
[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote>
|
||||
part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
|
||||
scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
|
||||
</para></blockquote>
|
||||
|
||||
<para>
|
||||
You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory.
|
||||
You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
|
||||
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
|
||||
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
|
||||
</para>
|
||||
@ -950,57 +806,38 @@ group: files winbind
|
||||
</question>
|
||||
<answer>
|
||||
|
||||
<para><indexterm>
|
||||
<secondary>transparent inter-operability</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Windows clients</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>network</primary>
|
||||
<secondary>services</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>wrapper</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><secondary>transparent inter-operability</secondary></indexterm>
|
||||
<indexterm><primary>Windows clients</primary></indexterm>
|
||||
<indexterm><primary>network</primary><secondary>services</secondary></indexterm>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
<indexterm><primary>wrapper</primary></indexterm>
|
||||
To provide transparent interoperability between Windows clients and the network services
|
||||
that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit
|
||||
that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
|
||||
of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
|
||||
module is basically a wrapper around authentication code from the core of the Samba project.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>plain-text</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
<secondary>plain-text</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Web</primary>
|
||||
<secondary>proxy</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>FTP</primary>
|
||||
<secondary>proxy</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NTLMSSP</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>logon credentials</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Windows explorer</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Internet Information Server</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Apache Web server</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>plain-text</primary></indexterm>
|
||||
<indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm>
|
||||
<indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm>
|
||||
<indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm>
|
||||
<indexterm><primary>NTLMSSP</primary></indexterm>
|
||||
<indexterm><primary>logon credentials</primary></indexterm>
|
||||
<indexterm><primary>Windows explorer</primary></indexterm>
|
||||
<indexterm><primary>Internet Information Server</primary></indexterm>
|
||||
<indexterm><primary>Apache Web server</primary></indexterm>
|
||||
The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP
|
||||
protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
|
||||
the user being interrupted via his/her Windows logon credentials. This facility is available with
|
||||
MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
|
||||
the user being interrupted via his or her Windows logon credentials. This facility is available with
|
||||
MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
|
||||
There are a few open source initiatives to provide support for these protocols in the Apache Web server
|
||||
also.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>wrapper</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>wrapper</primary></indexterm>
|
||||
The short answer is that by adding a wrapper around key authentication components of Samba, other
|
||||
projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
|
||||
</para>
|
||||
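Review bot: `<indexterm><secondary>transparent inter-operability</secondary></indexterm>` has a secondary with no primary; the DocBook DTD requires primary inside indexterm, so this will fail validation (the old multi-line form had the same problem, so the reformat just preserved it). Probably `<primary>transparent inter-operability</primary>` was meant, or it belongs under an existing primary such as "Windows clients".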
@ -1018,45 +855,33 @@ group: files winbind
|
||||
</question>
|
||||
<answer>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>winbindd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Identity resolver</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>daemon</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>smbd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>file and print server</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
<indexterm><primary>Identity resolver</primary></indexterm>
|
||||
<indexterm><primary>daemon</primary></indexterm>
|
||||
<indexterm><primary>smbd</primary></indexterm>
|
||||
<indexterm><primary>file and print server</primary></indexterm>
|
||||
Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
|
||||
<command>nmbd</command>, and the Identity resolver daemon, <command>winbindd</command>.
|
||||
<command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>SMB/CIFS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>smbclient</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>SMB/CIFS</primary></indexterm>
|
||||
<indexterm><primary>smbclient</primary></indexterm>
|
||||
Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>modules</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>utilities</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>validation</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>inter-operability</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>authentication</primary>
|
||||
</indexterm>
|
||||
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
|
||||
<para>
|
||||
<indexterm><primary>modules</primary></indexterm>
|
||||
<indexterm><primary>utilities</primary></indexterm>
|
||||
<indexterm><primary>validation</primary></indexterm>
|
||||
<indexterm><primary>inter-operability</primary></indexterm>
|
||||
<indexterm><primary>authentication</primary></indexterm>
|
||||
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
|
||||
Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
|
||||
servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
|
||||
servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
|
||||
as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
|
||||
to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
|
||||
to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
|
||||
server products).
|
||||
</para>
|
||||
|
||||
@ -1075,7 +900,7 @@ group: files winbind
|
||||
|
||||
<para>
|
||||
Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
|
||||
Squid make an external call to <command>ntlm_auth</command> and, therefore, actually incurs a
|
||||
Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a
|
||||
little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
|
||||
Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
|
||||
sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
|
||||
|
@ -2,18 +2,15 @@
|
||||
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
||||
|
||||
<chapter id="HA">
|
||||
<title>Performance, Reliability, and Availability</title>
|
||||
<title>Performance, Reliability, and Availability</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>performance</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>reliability</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>availability</primary>
|
||||
</indexterm>
|
||||
Well, you have reached the chapter before the Appendix. It is customary to attempt
|
||||
<para>
|
||||
<indexterm><primary>performance</primary></indexterm>
|
||||
<indexterm><primary>reliability</primary></indexterm>
|
||||
<indexterm><primary>availability</primary></indexterm>
|
||||
Well, you have reached the chapter before the appendix. It is customary to attempt
|
||||
to wrap up the theme and contents of a book in what is generally regarded as the
|
||||
chapter that should draw conclusions. This book is a suspense thriller and since
|
||||
chapter that should draw conclusions. This book is a suspense thriller, and since
|
||||
the plot of the stories told mostly lead you to bigger, better Samba-3 networking
|
||||
solutions, it is perhaps appropriate to close this book with a few pertinent comments
regarding some of the things everyone can do to deliver a reliable Samba-3 network.
@ -26,9 +23,8 @@
<sect1>
<title>Introduction</title>
<para><indexterm>
<primary>clustering</primary>
</indexterm>
<para>
<indexterm><primary>clustering</primary></indexterm>
The sparrow is a small bird whose sounds are drowned out by the noise of the busy
world it lives in. Likewise, the simple steps that can be taken to improve the
reliability and availability of a Samba network are often drowned out by the volume
@ -38,13 +34,10 @@
custom tools and methods. Only passing comments are offered concerning these methods.
</para>
<para><indexterm>
<primary>cluster</primary>
</indexterm><indexterm>
<primary>samba cluster</primary>
</indexterm><indexterm>
<primary>scalability</primary>
</indexterm>
<para>
<indexterm><primary>cluster</primary></indexterm>
<indexterm><primary>samba cluster</primary></indexterm>
<indexterm><primary>scalability</primary></indexterm>
<ulink url="http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=samba+cluster&btnG=Google+Search">A search</ulink>
for <quote>samba cluster</quote> produced 71,600 hits. And a search for <quote>highly available samba</quote>
and <quote>highly available windows</quote> produced an amazing number of references.
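Review bot: The unchanged ulink line in this hunk carries a literal search URL with bare ampersands (`&lr=&ie=ISO-8859-1&q=samba+cluster`); if this is the raw DocBook source rather than a rendered view, those must be written as &amp; or the file will not parse as XML. Separately, "produced 71,600 hits" is a point-in-time number that nobody can verify and that only drifts further from reality; suggest dropping the count and keeping the qualitative statement that the searches return a large number of references.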
@ -52,9 +45,8 @@
availability, reliability, and scalability are of vital interest to corporate network users.
</para>
<para><indexterm>
<primary>performance</primary>
</indexterm>
<para>
<indexterm><primary>performance</primary></indexterm>
So without further background, you can review a checklist of simple steps that
can be taken to ensure acceptable network performance while keeping costs of ownership
well under control.
@ -65,11 +57,9 @@
<sect1>
<title>Dissection and Discussion</title>
<para><indexterm>
<primary>simple</primary>
</indexterm><indexterm>
<primary>complexities</primary>
</indexterm>
<para>
<indexterm><primary>simple</primary></indexterm>
<indexterm><primary>complexities</primary></indexterm>
If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
must be obeyed. If you want the best, keep your implementation as simple as possible. You may
well be forced to introduce some complexities, but you should do so only as a last resort.
@ -81,11 +71,9 @@
complex ones.
</para>
<para><indexterm>
<primary>broken behavior</primary>
</indexterm><indexterm>
<primary>poor performance</primary>
</indexterm>
<para>
<indexterm><primary>broken behavior</primary></indexterm>
<indexterm><primary>poor performance</primary></indexterm>
Problems reported by users fall into three categories: configurations that do not work, those
that have broken behavior, and poor performance. The term <emphasis>broken behavior</emphasis>
means that the function of a particular Samba component appears to work sometimes, but not at
@ -95,39 +83,33 @@
and at other times not listing them even though the machines are in use on the network.
</para>
<para><indexterm>
<primary>smbfs</primary>
</indexterm><indexterm>
<primary>smbmnt</primary>
</indexterm><indexterm>
<primary>smbmount</primary>
</indexterm><indexterm>
<primary>smbumnt</primary>
</indexterm><indexterm>
<primary>smbumount</primary>
</indexterm><indexterm>
<primary>front-end</primary>
</indexterm>
<para>
<indexterm><primary>smbfs</primary></indexterm>
<indexterm><primary>smbmnt</primary></indexterm>
<indexterm><primary>smbmount</primary></indexterm>
<indexterm><primary>smbumnt</primary></indexterm>
<indexterm><primary>smbumount</primary></indexterm>
<indexterm><primary>front-end</primary></indexterm>
A significant number of reports concern problems with the <command>smbfs</command> file system
driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
<command>smbfs</command> is part of Samba, simply because Samba includes the front-end tools
that are used to manage <command>smbfs</command>-based file service connections. So, just
for the record, the tools <command>smbmnt, smbmount, smbumount,</command> and <command>smbumnt</command> are front-end
for the record, the tools <command>smbmnt</command>, <command>smbmount</command>,
<command>smbumount</command>, and <command>smbumnt</command> are front-end
facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
common infrastructure with some Samba components, but they are not maintained as part of
Samba and are really foreign to it.
</para>
<para><indexterm>
<primary>cifsfs</primary>
</indexterm>
<para>
<indexterm><primary>cifsfs</primary></indexterm>
The new project, <command>cifsfs</command>, is destined to replace <command>smbfs</command>.
It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
this project.
</para>
<para>
The following table lists typical causes of:
Table 13.1 lists typical causes of:
</para>
<itemizedlist>
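Review bot: Replacing "The following table lists" with "Table 13.1 lists" hard-codes a table number into the prose, so the reference silently goes stale the moment a chapter or table is reordered. DocBook generates that number from the table's id, so prefer an <xref linkend="..."/> (or a <link linkend="..."/>, as this same commit does for chapter references) pointing at the table's id. The rest of the hunk, including the split of the tool list across two lines, reads fine.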
@ -154,55 +136,55 @@
</thead>
<tbody>
<row>
<entry><para>File Locking</para></entry>
<entry><para>File locking</para></entry>
<entry><para>-</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Hardware Problems</para></entry>
<entry><para>Hardware problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Incorrect Authentication</para></entry>
<entry><para>Incorrect authentication</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Incorrect Configuration</para></entry>
<entry><para>Incorrect configuration</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>LDAP Problems</para></entry>
<entry><para>LDAP problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Name Resolution</para></entry>
<entry><para>Name resolution</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Printing Problems</para></entry>
<entry><para>Printing problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Slow File Transfer</para></entry>
<entry><para>Slow file transfer</para></entry>
<entry><para>-</para></entry>
<entry><para>-</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Winbind Problems</para></entry>
<entry><para>Winbind problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
@ -211,9 +193,8 @@
</tgroup>
</table>
<para><indexterm>
<primary>network hygiene</primary>
</indexterm>
<para>
<indexterm><primary>network hygiene</primary></indexterm>
It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
problems that affect basic network operation. This book has provided sufficient working examples
to help you to avoid all these problems.
@ -224,11 +205,9 @@
<sect1>
<title>Guidelines for Reliable Samba Operation</title>
<para><indexterm>
<primary>resilient</primary>
</indexterm><indexterm>
<primary>extreme demand</primary>
</indexterm>
<para>
<indexterm><primary>resilient</primary></indexterm>
<indexterm><primary>extreme demand</primary></indexterm>
Your objective is to provide a network that works correctly, can grow at all times, is resilient
at times of extreme demand, and can scale to meet future needs. The following subject areas provide
pointers that can help you today.
@ -239,24 +218,18 @@
<para>
There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
These are covered in the discussion below.
These are covered in the following discussion.
</para>
<sect3>
<title>Bad Hostnames</title>
<para><indexterm>
<primary>DHCP</primary>
<secondary>client</secondary>
</indexterm><indexterm>
<primary>netbios name</primary>
</indexterm><indexterm>
<primary>localhost</primary>
</indexterm><indexterm>
<primary>/etc/hosts</primary>
</indexterm><indexterm>
<primary>NetBIOS</primary>
</indexterm>
<para>
<indexterm><primary>DHCP</primary><secondary>client</secondary></indexterm>
<indexterm><primary>netbios name</primary></indexterm>
<indexterm><primary>localhost</primary></indexterm>
<indexterm><primary>/etc/hosts</primary></indexterm>
<indexterm><primary>NetBIOS</primary></indexterm>
When configured as a DHCP client, a number of Linux distributions set the system hostname
to <constant>localhost</constant>. If the parameter <parameter>netbios name</parameter> is not
specified to something other than <constant>localhost</constant>, the Samba server appears
@ -269,37 +242,29 @@
correctly.
</para>
<para><indexterm>
<primary>digits</primary>
</indexterm>
<para>
<indexterm><primary>digits</primary></indexterm>
A few sites have tried to name Windows clients and Samba servers with a name that begins
with the digits 1-9. This does not work either because it may result in the client or
server attempting to use that name as an IP address.
</para>
<para><indexterm>
<primary>DNS</primary>
<secondary>name lookup</secondary>
</indexterm><indexterm>
<primary>resolve</primary>
</indexterm>
A Samba server called <constant>FRED</constant>, in a NetBIOS Domain called <constant>COLLISION</constant>
in a network environment that is part of the fully qualified Internet domain name space known
as <constant>parrots.com</constant>, results in DNS name lookups for: <constant>fred.parrots.com</constant>
and <constant>collision.parrots.com</constant>. It is, therefore, a mistake to name the Domain
(workgroup) <constant>collision.parrots.com</constant> since this results in DNS lookup
attempts to resolve: <constant>fred.parrots.com.parrots.com</constant>, which most likely
fails given that you probably do not have this in your DNS name space.
<para>
<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
<indexterm><primary>resolve</primary></indexterm>
A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
in a network environment that is part of the fully qualified Internet domain namespace known
as <constant>parrots.com</constant> results in DNS name lookups for <constant>fred.parrots.com</constant>
and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
(workgroup) <constant>collision.parrots.com,</constant> since this results in DNS lookup
attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
fails given that you probably do not have this in your DNS namespace.
</para>
<note><para><indexterm>
<primary>Active Directory</primary>
<secondary>realm</secondary>
</indexterm><indexterm>
<primary>ADS</primary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<note><para>
<indexterm><primary>Active Directory</primary><secondary>realm</secondary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
An Active Directory realm called <constant>collision.parrots.com</constant> is perfectly okay,
although it too must be capable of being resolved via DNS, something that functions correctly
if Windows 200x ADS has been properly installed and configured.
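Review bot: The rewritten paragraph moves a comma inside the markup: <constant>collision.parrots.com,</constant> since. That renders the comma as part of the literal domain name; it should be <constant>collision.parrots.com</constant>, since. Also, the unchanged sentence saying that names beginning with the digits 1-9 "do not work" is stated more strongly than the reason given for it supports: the failure mode described is a name being taken for an IP address, which is a property of names made up entirely of digits (or otherwise parsable as a dotted address), not of every name that merely starts with one. Suggest narrowing the wording to match the explanation.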
@ -310,63 +275,48 @@
<sect3>
<title>Routed Networks</title>
<para><indexterm>
<primary>NetBIOS</primary>
</indexterm><indexterm>
<primary>UDP</primary>
<secondary>broadcast</secondary>
</indexterm><indexterm>
<primary>broadcast</primary>
</indexterm>
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
<indexterm><primary>UDP</primary><secondary>broadcast</secondary></indexterm>
<indexterm><primary>broadcast</primary></indexterm>
NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1.
of UDP-based broadcast traffic, as you saw during the exercises in <link linkend="primer"/>.
</para>
<para><indexterm>
<primary>routers</primary>
</indexterm><indexterm>
<primary>forwarded</primary>
</indexterm><indexterm>
<primary>multi-subnet</primary>
</indexterm>
<para>
<indexterm><primary>routers</primary></indexterm>
<indexterm><primary>forwarded</primary></indexterm>
<indexterm><primary>multi-subnet</primary></indexterm>
UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
networking cannot function across routed networks (i.e., multi-subnet networks) unless
special provisions are made:
</para>
<itemizedlist>
<listitem><para><indexterm>
<primary>LMHOSTS</primary>
</indexterm><indexterm>
<primary>remote announce</primary>
</indexterm><indexterm>
<primary>remote browse sync</primary>
</indexterm>
<listitem><para>
<indexterm><primary>LMHOSTS</primary></indexterm>
<indexterm><primary>remote announce</primary></indexterm>
<indexterm><primary>remote browse sync</primary></indexterm>
Either install on every Windows client an LMHOSTS file (located in the directory
<filename>C:\windows\system32\drivers\etc</filename>). It is also necessary to
add to the Samba server &smb.conf; file the parameters: <parameter>remote announce</parameter>
and <parameter>remote browse sync</parameter>. For more information, refer to the on-line
add to the Samba server &smb.conf; file the parameters <parameter>remote announce</parameter>
and <parameter>remote browse sync</parameter>. For more information, refer to the online
manual page for the &smb.conf; file.
</para></listitem>
<listitem><para><indexterm>
<primary>WINS</primary>
<secondary>server</secondary>
</indexterm>
<listitem><para>
<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
Or configure Samba as a WINS server, and configure all network clients to use that
WINS server in their TCP/IP configuration.
</para></listitem>
</itemizedlist>
<note><para><indexterm>
<primary>WINS</primary>
<secondary>name resolution</secondary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<note><para>
<indexterm><primary>WINS</primary><secondary>name resolution</secondary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
information regarding NetBIOS networking particulars that does get stored in the WINS
name resolution database, and that Windows clients require and depend on.
information regarding NetBIOS networking particulars that get stored in the WINS
name resolution database and that Windows clients require and depend on.
</para></note>
</sect3>
@ -374,19 +324,12 @@
<sect3>
<title>Network Collisions</title>
<para><indexterm>
<primary>network</primary>
<secondary>collisions</secondary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>timeouts</secondary>
</indexterm><indexterm>
<primary>collision rates</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>load</secondary>
</indexterm>
Excessive network activity causes NetBIOS network time-outs. Time-outs may result in
<para>
<indexterm><primary>network</primary><secondary>collisions</secondary></indexterm>
<indexterm><primary>network</primary><secondary>timeouts</secondary></indexterm>
<indexterm><primary>collision rates</primary></indexterm>
<indexterm><primary>network</primary><secondary>load</secondary></indexterm>
Excessive network activity causes NetBIOS network timeouts. Timeouts may result in
blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
UDP broadcast activity, by defective networking hardware, or through excessive network
loads (another way of saying that the network is poorly designed).
@ -394,23 +337,20 @@
<para>
The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
in Chapter 1.
in <link linkend="primer"/>.
</para>
<para><indexterm>
<primary>netbios forwarding</primary>
</indexterm><indexterm>
<primary>broadcast storms</primary>
</indexterm><indexterm>
<primary>performance</primary>
</indexterm>
<para>
<indexterm><primary>netbios forwarding</primary></indexterm>
<indexterm><primary>broadcast storms</primary></indexterm>
<indexterm><primary>performance</primary></indexterm>
Under no circumstances should the facility be supported by many routers, known as <constant>NetBIOS
forwarding</constant>, unless you know exactly what you are doing. Inappropriate use of this
facility can result in UDP broadcast storms. In one case in 1999, a university network became
unusable due to this being enabled on all routers. The problem was discovered during performance
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was
less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MBytes/sec.
unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was
less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MB/sec.
</para>
</sect3>
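Review bot: The unit rewrite in this hunk turns "100-Base-T (100 MBit/sec)" into "100 MB/sec", which is wrong: 100-Base-T carries 100 megabits per second, about 12.5 megabytes per second at the very best, and the paragraph's own figure of 11 MB/sec after the fix only makes sense against that ceiling. Restore the bit unit, for example "100 Mbit/sec". The conversions of "15 KBytes/sec" and "11 MBytes/sec" to KB/sec and MB/sec are fine, since those were already byte units.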
@ -425,20 +365,17 @@
No parameter should be specified unless you know it is essential to operation.
</para>
<para><indexterm>
<primary>document the settings</primary>
</indexterm><indexterm>
<primary>documented</primary>
</indexterm><indexterm>
<primary>optimized</primary>
</indexterm>
<para>
<indexterm><primary>document the settings</primary></indexterm>
<indexterm><primary>documented</primary></indexterm>
<indexterm><primary>optimized</primary></indexterm>
Many UNIX administrators like to fully document the settings in the &smb.conf; file. This is a
bad idea because it adds content to the file. The &smb.conf; file is re-read by every <command>smbd</command>
process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so).
process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so).
</para>
<para>
As the size of the &smb.conf; file grows the risk of introduction of parsing errors increases also.
As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also.
It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
with an optimized file.
</para>
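Review bot: The paragraph edited at the end of this hunk recommends keeping a fully documented smb.conf alongside the stripped one Samba actually loads, but says nothing about keeping the two in step; two hand-maintained copies are a classic way to end up running settings nobody documented. Worth a sentence saying the optimized file should be generated from the documented one rather than edited separately, for example by running testparm -s against the documented copy, which emits the parsed configuration with comments dropped.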
@ -471,9 +408,7 @@ Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
</screen>
<indexterm>
<primary>fatal problem</primary>
</indexterm>
<indexterm><primary>fatal problem</primary></indexterm>
You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
The important thing to note is the noted Server role, as well as warning messages. Noted configuration
conflicts must be remedied before proceeding. For example, the following error message represents a
@ -484,50 +419,38 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
</screen>
</para>
<para><indexterm>
<primary>performance degradation</primary>
</indexterm><indexterm>
<primary>socket options</primary>
</indexterm><indexterm>
<primary>socket address</primary>
</indexterm>
There are two parameters that can cause severe network performance degradation, <parameter>socket options</parameter>
<para>
<indexterm><primary>performance degradation</primary></indexterm>
<indexterm><primary>socket options</primary></indexterm>
<indexterm><primary>socket address</primary></indexterm>
There are two parameters that can cause severe network performance degradation: <parameter>socket options</parameter>
and <parameter>socket address</parameter>. The <parameter>socket options</parameter> parameter was often necessary
when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
</para>
<para><indexterm>
<primary>strict sync</primary>
</indexterm><indexterm>
<primary>sync always</primary>
</indexterm><indexterm>
<primary>severely degrade</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>performance</secondary>
</indexterm>
<para>
<indexterm><primary>strict sync</primary></indexterm>
<indexterm><primary>sync always</primary></indexterm>
<indexterm><primary>severely degrade</primary></indexterm>
<indexterm><primary>network</primary><secondary>performance</secondary></indexterm>
Another &smb.conf; parameter that may cause severe network performance degradation is the
<parameter>strict sync</parameter> parameter. Do not use this at all. There is no good reason
to use this with any modern Windows client. The <parameter>strict sync</parameter> is often
used together with the <parameter>sync always</parameter> parameter. This, too, can severely
degrade network performance, so do not set it or if you must, do so with caution.
used with the <parameter>sync always</parameter> parameter. This, too, can severely
degrade network performance, so do not set it; if you must, do so with caution.
</para>
<para><indexterm>
<primary>opportunistic locking</primary>
</indexterm><indexterm>
<primary>file caching</primary>
</indexterm><indexterm>
<primary>caching</primary>
</indexterm><indexterm>
<primary>oplocks</primary>
</indexterm>
<para>
<indexterm><primary>opportunistic locking</primary></indexterm>
<indexterm><primary>file caching</primary></indexterm>
<indexterm><primary>caching</primary></indexterm>
<indexterm><primary>oplocks</primary></indexterm>
Finally, many network administrators deliberately disable opportunistic locking support. While this
does not degrade Samba performance, it significantly degrades Windows client performance because
this disables local file caching on Windows clients and forces every file read and written to
invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking)
support, do so on the share on which it is required only. That way, all other shares can provide
support, do so only on the share on which it is required. That way, all other shares can provide
oplock support for operations that are tolerant of it. See <link linkend="ch12dblck"/> for more
information.
</para>
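Review bot: The rewritten strict sync / sync always sentences still present the two parameters as independent ("often used with"); per the smb.conf manual page, sync always has no effect at all unless strict sync = yes, so the text should state that dependency rather than leave the reader to infer it. Stating it also resolves the odd juxtaposition in this hunk of an absolute "Do not use this at all" for strict sync with a conditional "if you must, do so with caution" for sync always: once strict sync is off, the second parameter is moot.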
@ -537,33 +460,26 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Use and Location of BDCs</title>
<para><indexterm>
<primary>BDC</primary>
</indexterm><indexterm>
<primary>PDC</primary>
</indexterm><indexterm>
<primary>routed network</primary>
</indexterm><indexterm>
<primary>wide-area network</primary>
</indexterm><indexterm>
<primary>network segment</primary>
</indexterm>
<para>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>routed network</primary></indexterm>
<indexterm><primary>wide-area network</primary></indexterm>
<indexterm><primary>network segment</primary></indexterm>
On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
authentication and logon processing. When a sole BDC on a routed network segment gets heavily
loaded, it is possible that network logon requests and authentication requests may be directed
to a BDC on a distant network segment. This significantly hinders wide-area network operations
to a BDC on a distant network segment. This significantly hinders WAN operations
and is undesirable.
</para>
<para><indexterm>
<primary>Domain Member</primary>
</indexterm><indexterm>
<primary>Domain Controller</primary>
</indexterm>
As a general guide, instead of adding Domain Member servers to a network, you would be better advised
<para>
<indexterm><primary>Domain Member</primary></indexterm>
<indexterm><primary>Domain Controller</primary></indexterm>
As a general guide, instead of adding domain member servers to a network, you would be better advised
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
Domain Member servers. This practice ensures that there is always sufficient Domain Controllers
domain member servers. This practice ensures that there is always sufficient domain controllers
to handle logon requests and authentication traffic.
</para>
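Review bot: The last edited sentence of this hunk was touched for capitalization but the grammatical error on that line survives: "there is always sufficient domain controllers" should read "there are always sufficient domain controllers". The same hunk also introduces the abbreviation WAN ("hinders WAN operations") without it having been expanded anywhere earlier in this chapter; either keep "wide-area network" on first use, as the indexterm on the same paragraph still does, or expand it once.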
@ -574,7 +490,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<para>
Every network client has its own peculiarities. From a management perspective, it is easier to deal
with one version of MS Windows that is maintained to a consistent update level, than it is to deal
with one version of MS Windows that is maintained to a consistent update level than it is to deal
with a mixture of clients.
</para>
@ -587,23 +503,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
</sect2>
<sect2>
<title>For Scalability, Use SAN Based Storage on Samba Servers</title>
<title>For Scalability, Use SAN-Based Storage on Samba Servers</title>
<para><indexterm>
<primary>SAN</primary>
</indexterm><indexterm>
<primary>synchronization</primary>
</indexterm>
<para>
<indexterm><primary>SAN</primary></indexterm>
<indexterm><primary>synchronization</primary></indexterm>
Many SAN-based storage systems permit more than one server to share a common data store.
Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
synchronization techniques.
</para>
<para><indexterm>
<primary>load distribution</primary>
</indexterm><indexterm>
<primary>clustering</primary>
</indexterm>
<para>
<indexterm><primary>load distribution</primary></indexterm>
<indexterm><primary>clustering</primary></indexterm>
The use of a collection of relatively low-cost front-end Samba servers that are coupled to
a shared backend SAN data store permits load distribution while containing costs below that
of installing and managing a complex clustering facility.
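Review bot: The first paragraph rewritten in this hunk says SAN systems "permit more than one server to share a common data store" and that this removes the need for synchronization, with no qualification at all; several Samba front ends writing to the same LUN is only safe when the filesystem on it is one designed for concurrent access from multiple hosts (a clustered filesystem), and with an ordinary single-host filesystem it is a data-corruption recipe rather than a scalability technique. Since the paragraph is being rewritten anyway, add that caveat in a sentence.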
@ -614,23 +526,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Distribute Network Load with MSDFS</title>
<para><indexterm>
<primary>MSDFS</primary>
</indexterm><indexterm>
<primary>distributed</primary>
</indexterm>
<para>
<indexterm><primary>MSDFS</primary></indexterm>
<indexterm><primary>distributed</primary></indexterm>
Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
data to be accessed from a single share and yet to actually be distributed across multiple actual
servers. Refer to <emphasis>TOSHARG</emphasis>, Chapter 16, for information regarding implementation of an MSDFS installation.
servers. Refer to <emphasis>TOSHARG</emphasis>, Chapter 19, for information regarding
implementation of an MSDFS installation.
</para>
<para><indexterm>
<primary>front-end</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>MSDFS</primary>
</indexterm>
The combination of multiple back end servers together with a front-end server and use of MSDFS
<para>
<indexterm><primary>front-end</primary><secondary>server</secondary></indexterm>
<indexterm><primary>MSDFS</primary></indexterm>
The combination of multiple backend servers together with a front-end server and use of MSDFS
|
||||
can achieve almost the same as you would obtain with a clustered Samba server.
|
||||
</para>
|
||||
|
||||
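Review bot: the cross-reference "Refer to TOSHARG, Chapter 19" is still a hard-coded chapter number, and the very fact that this hunk has to bump it from 16 to 19 shows how easily it drifts; if the DocBook build supports a stable reference (a section title or a link element into the other book), use that instead of a bare number. "back end" versus "backend" is also inconsistent within the chapter; the new wording picks "backend", so the remaining "back end"/"back-end" spellings should be aligned in the same pass.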
@ -639,16 +547,13 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
<sect2>
|
||||
<title>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>replicate</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>rsync</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>wide-area network</primary>
|
||||
</indexterm>
|
||||
Consider using <command>rsync</command> to replicate data across the wide-area network during times
|
||||
<para>
|
||||
<indexterm><primary>replicate</primary></indexterm>
|
||||
<indexterm><primary>rsync</primary></indexterm>
|
||||
<indexterm><primary>wide-area network</primary></indexterm>
|
||||
Consider using <command>rsync</command> to replicate data across the WAN during times
|
||||
of low utilization. Users can then access the replicated data store rather than needing to do so
|
||||
across the wide-area network. This works best for read-only data, but with careful planning can be
|
||||
across the WAN. This works best for read-only data, but with careful planning can be
|
||||
implemented so that modified files get replicated back to the point of origin. Be careful with your
|
||||
implementation if you choose to permit modification and return replication of the modified file;
|
||||
otherwise, you may inadvertently overwrite important data.
|
||||
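Review bot: the rewrite replaces "wide-area network" with the bare abbreviation "WAN" at its first appearance in the paragraph, while the section title still says "Wide-Area Bandwidth" and the indexterm still reads "wide-area network"; expand on first use ("wide-area network (WAN)") and abbreviate afterwards. The paragraph also says nothing about how the rsync replication traffic crosses the WAN; a single sentence recommending that rsync be run over ssh (or an equivalent authenticated, encrypted transport) would keep readers from replicating file data across the wide area in the clear.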
@ -659,48 +564,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
<sect2>
|
||||
<title>Hardware Problems</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>hardware prices</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>hardware problems</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NICs</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>defective</primary>
|
||||
<secondary>HUBs</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>defective</primary>
|
||||
<secondary>switches</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>defective</primary>
|
||||
<secondary>cables</secondary>
|
||||
</indexterm>
|
||||
Networking hardware prices have fallen sharply over the past five years. A surprising number
|
||||
<para>
|
||||
<indexterm><primary>hardware prices</primary></indexterm>
|
||||
<indexterm><primary>hardware problems</primary></indexterm>
|
||||
<indexterm><primary>NICs</primary></indexterm>
|
||||
<indexterm><primary>defective</primary><secondary>HUBs</secondary></indexterm>
|
||||
<indexterm><primary>defective</primary><secondary>switches</secondary></indexterm>
|
||||
<indexterm><primary>defective</primary><secondary>cables</secondary></indexterm>
|
||||
Networking hardware prices have fallen sharply over the past 5 years. A surprising number
|
||||
of Samba networking problems over this time have been traced to defective network interface
|
||||
cards (NICs) or defective HUBs, switches, and cables.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>corrective action</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>corrective action</primary></indexterm>
|
||||
Not surprising is the fact that network administrators do not like to be shown to have made
|
||||
a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
|
||||
in corrective action.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>intermittent</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>data corruption</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>slow network</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>low performance</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>data integrity</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>intermittent</primary></indexterm>
|
||||
<indexterm><primary>data corruption</primary></indexterm>
|
||||
<indexterm><primary>slow network</primary></indexterm>
|
||||
<indexterm><primary>low performance</primary></indexterm>
|
||||
<indexterm><primary>data integrity</primary></indexterm>
|
||||
Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent
|
||||
or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD)
|
||||
or persistent data corruption, slow network throughput, low performance, or even as BSOD
|
||||
problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
|
||||
Windows client machines that triggered problems during logon as well as data integrity problems on
|
||||
an older PC that was unaffected so long as the new machines were kept shut down.
|
||||
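Review bot: two of the changes here run against the direction of the rest of the copyedit: "past five years" becomes "past 5 years" (small numbers are spelled out elsewhere in the text), and "blue-screen-of-death (BSOD)" loses its expansion at first use, leaving "BSOD" undefined for the reader. Keep "five" and keep the expansion on first mention; abbreviate only on later uses.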
@ -710,9 +600,8 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
Defective hardware problems may take patience and persistence before the real cause can be discovered.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>RAID controllers</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>RAID controllers</primary></indexterm>
|
||||
Networking hardware defects can significantly impact perceived Samba performance, but defective
|
||||
RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
|
||||
operations. One business came to this realization only after replacing a Samba installation with MS
|
||||
@ -738,11 +627,10 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
her an even break.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>assumptions</primary>
|
||||
</indexterm>
|
||||
Last, but not least, you should not only keep the network design simple, but it should
|
||||
be well documented. This book may serve as your pattern for documenting every
|
||||
<para>
|
||||
<indexterm><primary>assumptions</primary></indexterm>
|
||||
Last, but not least, you should not only keep the network design simple, but also be sure it is
|
||||
well documented. This book may serve as your pattern for documenting every
|
||||
aspect of your design, its implementation, and particularly the objects and assumptions
|
||||
that underlie it.
|
||||
</para>
|
||||
|
@ -57,17 +57,17 @@
|
||||
interesting portfolio of companies that includes accounting services, financial advice, investment
|
||||
portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
|
||||
business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an
|
||||
interesting business growth and development plan. Abmas Video Rentals has been recently acquired.
|
||||
During the time that the acquisition was closing, the Video Rentals business upgraded their Windows
|
||||
interesting business growth and development plan. Abmas Video Rentals was recently acquired.
|
||||
During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
|
||||
NT4-based network to Windows 2003 Server and Active Directory.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Active Directory</primary>
|
||||
</indexterm>
|
||||
Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory.
|
||||
The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform.
|
||||
Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to
|
||||
You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
|
||||
The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
|
||||
Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
|
||||
operate with a solution that is viewed by Christine and her group as <quote>an island of broken
|
||||
technologies.</quote> This comment was made by one of Christine's staff as they were installing a new
|
||||
Samba-3 server at the new business.
|
||||
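Review bot: the unchanged context line just above the edited ones still reads "the recent addition of a a video rental business" (doubled article); since this paragraph is being copyedited anyway, drop the extra "a" in the same hunk.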
@ -122,7 +122,7 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>off-site storage</primary>
|
||||
</indexterm>
|
||||
User and Group accounts, and respective privileges, have been well thought out. File system shares are
|
||||
User and group accounts, and respective privileges, have been well thought out. File system shares are
|
||||
appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
|
||||
effective off-site storage practices are considered to exceed industry norms.
|
||||
</para>
|
||||
@ -154,7 +154,7 @@
|
||||
stored on the Linux system. We are alarmed that secure information is accessible to staff who should
|
||||
not even be aware that it exists. We share the concerns of your network management staff who have gone
|
||||
to great lengths to set fine-grained controls that limit information access to those who need access.
|
||||
It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work.
|
||||
It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
@ -185,12 +185,12 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>trusted computing</primary>
|
||||
</indexterm>
|
||||
In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of
|
||||
Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
|
||||
all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
|
||||
... what worries us regarding Samba is the need to disable essential Windows security features such as
|
||||
secure channel support, digital sign'n'seal on all communication traffic, running Active Directory in
|
||||
secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in
|
||||
mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
|
||||
Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that
|
||||
Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
|
||||
with trusted computing initiatives that the Samba developers do not participate in.
|
||||
</para>
|
||||
|
||||
@ -230,13 +230,13 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>independent expert</primary>
|
||||
</indexterm>
|
||||
This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple
|
||||
discussion, but it gets further out of hand. When he returns to his office, he finds the following
|
||||
email in his in-box:
|
||||
This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple
|
||||
discussion, but it gets further out of hand. When you return to your office, you find the following
|
||||
email in your in-box:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Bob,
|
||||
Good afternoon,
|
||||
</para>
|
||||
|
||||
<blockquote><attribution>Stan</attribution><para>
|
||||
@ -282,7 +282,7 @@
|
||||
will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
|
||||
out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
|
||||
responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
|
||||
use of any centrally proposed standards, but make all non-compliance the financial responsibility of the
|
||||
use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
|
||||
out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
|
||||
</para></blockquote>
|
||||
|
||||
@ -290,9 +290,9 @@
|
||||
<title>Assignment Tasks</title>
|
||||
|
||||
<para>
|
||||
Bob agreed with Stan's recommendations and has hired your services to help defuse the powder
|
||||
keg. Your task is to answer each of the issues raised with a tractable answer. You must be able
|
||||
to support your claims, keep emotions to a side, and answer technically.
|
||||
You agreed with Stan's recommendations and hired a consultant to help defuse the powder
|
||||
keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
|
||||
to support his or her claims, keep emotions to a side, and answer technically.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
@ -316,9 +316,9 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>employment</primary>
|
||||
</indexterm>
|
||||
Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to
|
||||
make or reject. It is likely that your decision to use Samba can benefit your company more than
|
||||
anyone else. The Samba Team obviously believes that the Samba software is a worthy choice.
|
||||
Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
|
||||
make or reject. It is likely that your decision to use Samba can greatly benefit your company.
|
||||
The Samba Team obviously believes that the Samba software is a worthy choice.
|
||||
If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire
|
||||
someone to help manage your Samba installation, you can create income and employment. Alternately,
|
||||
money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
|
||||
@ -353,8 +353,8 @@
|
||||
<primary>broken</primary>
|
||||
</indexterm>
|
||||
It would be foolish to adopt a technology that might put any data or users at risk. Security affects
|
||||
everyone. The Samba Team are fully cognizant of the responsibility they have to their users.
|
||||
The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything
|
||||
everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
|
||||
The Samba documentation clearly reveals that full responsibility is accepted to fix anything
|
||||
that is broken.
|
||||
</para>
|
||||
|
||||
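Review bot: the new line "The Samba-Team is fully cognizant of the responsibility they have to their users" mixes a singular verb with plural pronouns, and hyphenates "Samba-Team" while the rest of this patch writes "Samba Team" (see the Samba-4 and ADS paragraphs later in the same file). Suggest "The Samba Team is fully cognizant of the responsibility it has to its users."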
@ -404,8 +404,8 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>vendor</primary>
|
||||
</indexterm>
|
||||
The real issues that a consumer (like you) needs answered is what is the way of escape from technical
|
||||
problems and how long will it take? The average problem turnaround time in the Open Source community is
|
||||
The real issues that a consumer (like you) needs answered are What is the way of escape from technical
|
||||
problems, and how long will it take? The average problem turnaround time in the Open Source community is
|
||||
approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
|
||||
industry? What happens when your commercial vendor decides to cease providing support?
|
||||
</para>
|
||||
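Review bot: the rewritten sentence "The real issues that a consumer (like you) needs answered are What is the way of escape from technical problems, and how long will it take?" capitalizes "What" mid-sentence; either lowercase it ("are what is the way of escape ...") or set the questions off with a colon ("are these: What is the way of escape ..., and how long will it take?").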
@ -426,7 +426,7 @@
|
||||
<secondary>problem</secondary>
|
||||
</indexterm>
|
||||
Open Source software at least puts you in possession of the source code. This means that when
|
||||
all else fails, you can hire a programmer to solve/fix the problem.
|
||||
all else fails, you can hire a programmer to solve the problem.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
@ -463,8 +463,8 @@
|
||||
<primary>shares</primary>
|
||||
</indexterm>
|
||||
Windows network administrators may be dismayed to find that <command>winbind</command>
|
||||
exposes all Domain users so that they may use their Domain account credentials to
|
||||
log onto a UNIX/Linux system. The fact that all users in the Domain can see the
|
||||
exposes all domain users so that they may use their domain account credentials to
|
||||
log onto a UNIX/Linux system. The fact that all users in the domain can see the
|
||||
UNIX/Linux server in their Network Neighborhood and can browse the shares on the
|
||||
server seems to excite them further.
|
||||
</para>
|
||||
@ -478,10 +478,10 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>unknown</primary>
|
||||
</indexterm>
|
||||
<command>winbind</command> provides for the UNIX/Linux Domain Member server or
|
||||
<command>winbind</command> provides for the UNIX/Linux domain member server or
|
||||
client, the same as one would obtain by adding a Microsoft Windows server or
|
||||
client to the Domain. The real objection is the fact that Samba is not MS Windows
|
||||
and, therefore, requires handling a little differently from the familiar Windows systems.
|
||||
client to the domain. The real objection is the fact that Samba is not MS Windows
|
||||
and therefore requires handling a little differently from the familiar Windows systems.
|
||||
One must recognize fear of the unknown.
|
||||
</para>
|
||||
|
||||
@ -526,7 +526,7 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>access controls</primary>
|
||||
</indexterm>
|
||||
Where Samba and the ADS Domain account information obtained through the use of
|
||||
Where Samba and the ADS domain account information obtained through the use of
|
||||
<command>winbind</command> permits access, by browsing or by the drive mapping to
|
||||
a share, to data that should be better protected. This can only happen when security
|
||||
controls have not been properly implemented. Samba permits access controls to be set
|
||||
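Review bot: lowercasing "domain" leaves the opening of this paragraph as a sentence fragment: "Where Samba and the ADS domain account information obtained through the use of winbind permits access, by browsing or by the drive mapping to a share, to data that should be better protected." has no main clause, and the next sentence "This can only happen when ..." is meant to complete it. Fold the two together, for instance "Where ... permits access ... to data that should be better protected, this can only happen when security controls have not been properly implemented."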
@ -537,7 +537,7 @@
|
||||
<listitem><para>Shares themselves (i.e., the logical share itself)</para></listitem>
|
||||
<listitem><para>The share definition in &smb.conf;</para></listitem>
|
||||
<listitem><para>The shared directories and files using UNIX permissions</para></listitem>
|
||||
<listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is Posix enabled</para></listitem>
|
||||
<listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is POSIX enabled</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
@ -608,7 +608,7 @@
|
||||
<primary>weakness</primary>
|
||||
</indexterm>
|
||||
The report that is critical of Samba really ought to have exercised greater due
|
||||
diligence, as the real weakness is on the side of a Microsoft Windows environment.
|
||||
diligence: the real weakness is on the side of a Microsoft Windows environment.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -617,7 +617,7 @@
|
||||
<listitem><para><indexterm>
|
||||
<primary>defects</primary>
|
||||
</indexterm>
|
||||
Samba has been designed in such a manner that weaknesses inherent in the design of
|
||||
Samba is designed in such a manner that weaknesses inherent in the design of
|
||||
Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
|
||||
system in any way. All software has potential defects, and Samba is no exception.
|
||||
What matters more is how defects that are discovered get dealt with.
|
||||
@ -656,7 +656,7 @@
|
||||
<primary>turn-around time</primary>
|
||||
</indexterm>
|
||||
The report condemns Samba for releasing updates and security fixes, yet Microsoft
|
||||
on-line updates need to be applied almost weekly. The answer to the criticism made
|
||||
online updates need to be applied almost weekly. The answer to the criticism
|
||||
lies in the fact that Samba development is continuing, documentation is improving,
|
||||
user needs are being increasingly met or exceeded, and security updates are issued
|
||||
with a short turnaround time.
|
||||
@ -676,10 +676,10 @@
|
||||
</indexterm>
|
||||
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
|
||||
complete rewrite to permit extensive modularization and to prepare Samba for new
|
||||
functionality planned for addition during the next generation series. The Samba Team
|
||||
is responsible and can be depended upon; the history to date would suggest a high
|
||||
degree of dependability as well as on charter development consistent with published
|
||||
road-map projections.
|
||||
functionality planned for addition during the next-generation series. The Samba Team
|
||||
is responsible and can be depended upon; the history to date suggests a high
|
||||
degree of dependability as well on charter development consistent with published
|
||||
roadmap projections.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
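Review bot: the rewrite drops a word and breaks the phrase: "a high degree of dependability as well as on charter development" has become "a high degree of dependability as well on charter development". Restore "as well as on charter development" (or simplify to "as well as on-charter development consistent with published roadmap projections").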
@ -719,12 +719,12 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>digital sign'n'seal</primary>
|
||||
</indexterm>
|
||||
The report correctly mentions the fact that Samba did not support the most recent
|
||||
The report correctly mentions that Samba did not support the most recent
|
||||
<constant>schannel</constant> and <constant>digital sign'n'seal</constant> features
|
||||
of Microsoft Windows NT/200x/XPPro products. This is one of the key features
|
||||
of the Samba-3 release. Market research reports take so long to generate that they are
|
||||
seldom a reflection of current practice, and in many respects reports are like a
|
||||
pathology report &smbmdash; they reflect accurately (at best) status at a snap-shot in time.
|
||||
pathology report &smbmdash; they reflect accurately (at best) status at a snapshot in time.
|
||||
Meanwhile, the world moves on.
|
||||
</para>
|
||||
|
||||
@ -746,11 +746,11 @@
|
||||
<primary>secure networking</primary>
|
||||
</indexterm>
|
||||
It should be pointed out that had clear public specifications for the protocols
|
||||
been published, it would have been much easier to implement this and would have
|
||||
been published, it would have been much easier to implement these features and would have
|
||||
taken less time to do. The sole mechanism used to find an algorithm that is compatible
|
||||
with the methods used by Microsoft has been based on observation of network traffic
|
||||
and trial-and-error implementation of potential techniques. The real value of public
|
||||
and defensible standards is obvious to all, and would have enabled more secure networking
|
||||
and defensible standards is obvious to all and would have enabled more secure networking
|
||||
for everyone.
|
||||
</para>
|
||||
|
||||
@ -766,8 +766,8 @@
|
||||
<ulink url="http://support.microsoft.com/default.aspx?kbid=321733">acknowledged</ulink>
|
||||
and for which a fix was provided. In fact,
|
||||
<ulink url="http://www.tangent-systems.com/support/delayedwrite.html">Tangent Systems</ulink>
|
||||
appears even today<footnote>January 2004</footnote> to not be sure that the problem has been resolved.
|
||||
So it is evident that some delay in release of new functionality may have
|
||||
appears even today<footnote>January 2004</footnote> to be unsure whether the problem has been resolved,
|
||||
it is evident that some delay in release of new functionality may have
|
||||
fortuitous consequences.
|
||||
</para>
|
||||
|
||||
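Review bot: the rewrite turns "... appears even today to not be sure that the problem has been resolved. So it is evident that ..." into a comma splice: "... appears even today to be unsure whether the problem has been resolved, it is evident that some delay ...". Keep the sentence break ("... has been resolved. It is evident that ...") or make the first clause subordinate ("Given that Tangent Systems appears ... to be unsure ..., it is evident that ...").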
@ -795,7 +795,7 @@
|
||||
and working together to help define open and publicly refereed standards. The
|
||||
development of closed source, proprietary methods that are developed in a
|
||||
clandestine framework of secrecy, under claims of digital rights protection, does
|
||||
not favor the diffusion of safe networking protocols, and certainly does not
|
||||
not favor the diffusion of safe networking protocols and certainly does not
|
||||
help the consumer to make a better choice.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
@ -817,7 +817,7 @@
|
||||
<literallayout> </literallayout>
|
||||
The Microsoft networking protocols extensively make use of remote procedure call (RPC)
|
||||
technology. Active Directory is not a simple mixture of LDAP and Kerberos together
|
||||
with file and print services, but rather is a complex intertwined implementation
|
||||
with file and print services, but rather is a complex, intertwined implementation
|
||||
of them that uses RPCs that are not supported by any of these component technologies
|
||||
and yet by which they are made to interoperate in ways that the components do not
|
||||
support.
|
||||
@ -841,7 +841,7 @@
|
||||
overall support for all project maintainers to work together on the complex
|
||||
challenge of developing and integrating the necessary technologies. Therefore, if
|
||||
the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
|
||||
into the Samba project, this dream request can not become a reality.
|
||||
into the Samba project, this dream request cannot become a reality.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
@ -859,7 +859,7 @@
|
||||
At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
|
||||
Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
|
||||
anytime soon. Ergo, ADS server support is not a current goal for Samba development.
|
||||
The Samba Team is most committed to permitting Samba to be a full ADS Domain member
|
||||
The Samba Team is most committed to permitting Samba to be a full ADS domain member
|
||||
that is increasingly capable of being managed using Microsoft Windows MMC tools.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
@ -877,8 +877,8 @@
|
||||
</indexterm>
|
||||
Kerberos is a network authentication protocol that provides secure authentication for
|
||||
client-server applications by using secret-key cryptography. Firewalls are an insufficient
|
||||
barrier mechanism in todays networking world as at best they only restrict incoming network
|
||||
traffic but can not prevent network traffic that comes from authorized locations from
|
||||
barrier mechanism in todays networking world; at best they only restrict incoming network
|
||||
traffic but cannot prevent network traffic that comes from authorized locations from
|
||||
performing unauthorized activities.
|
||||
</para>
|
||||
|
||||
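Review bot: the new line "barrier mechanism in todays networking world; at best they only restrict incoming network traffic" still carries the missing apostrophe from the old line; it should read "today's networking world". The semicolon and "cannot" fixes are fine.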
@ -911,7 +911,7 @@
|
||||
Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
|
||||
server) that is trusted by all the entities on the network (users and services, usually called
|
||||
principals). All principals share a secret password (or key) with the kerberos server and this
|
||||
enables principals to verify that the messages from the kerberos server are authentic. Thus
|
||||
enables principals to verify that the messages from the kerberos server are authentic. Therefore,
|
||||
trusting the kerberos server, users and services can authenticate each other.
|
||||
</para>
|
||||
|
||||
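Review bot: "Thus" to "Therefore," is fine, but this paragraph writes "kerberos server" in lowercase three times while its first sentence, and the rest of the chapter, capitalize "Kerberos" as the proper noun it is; capitalize it here in the same copyedit so the term is consistent.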
@ -922,12 +922,12 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>Heimdal Kerberos</primary>
|
||||
</indexterm>
|
||||
Kerberos was until recently a technology that was restricted from being exported from the United States.
|
||||
For many years that hindered global adoption of more secure networking technologies both within the USA
|
||||
as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
|
||||
Kerberos was, until recently, a technology that was restricted from being exported from the United States.
|
||||
For many years that hindered global adoption of more secure networking technologies both within the United States
|
||||
and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
|
||||
and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
|
||||
In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos.
|
||||
It is likely that there will be a significant surge forward in the development of Kerberos enabled applications
|
||||
In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
|
||||
It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
|
||||
and in the general deployment and use of Kerberos across the spectrum of the information technology industry.
|
||||
</para>
|
||||
|
||||
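Review bot: the rewritten line "A free an unencumbered implementation of MIT Kerberos has been produced in Europe" keeps the old typo; it should read "A free and unencumbered implementation". The unchanged line that follows, "available from the University of Paderborn, Sweden", is also wrong on its face: Paderborn is a city in Germany, and Heimdal was developed at KTH (the Royal Institute of Technology) in Stockholm, Sweden. Since this hunk is already correcting "USA" to "United States" and "U.S.", fix the attribution at the same time rather than carrying it forward.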
@ -936,7 +936,7 @@
|
||||
<secondary>interoperability</secondary>
|
||||
</indexterm>
|
||||
A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
|
||||
of it. For example, a 2002 new report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
|
||||
of it. For example, a 2002 report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
|
||||
states:
|
||||
</para>
|
||||
|
||||
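Review bot: the unchanged line above the edited one reads "between MIT Kerberos and Microsofts' implementation of it"; the possessive should be "Microsoft's". Worth fixing while "new report" is being corrected to "report" in the same paragraph.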
@ -965,11 +965,11 @@
|
||||
<primary>RPC</primary>
|
||||
</indexterm>
|
||||
It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
|
||||
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability, in
|
||||
particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability
|
||||
issue goes far deeper than this. In the Domain control protocols that are used by MS Windows XP Professional
|
||||
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
|
||||
particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability
|
||||
issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
|
||||
there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
|
||||
(DCE) remote procedure calls (RPCs) that themselves are an integral part of the SMB/CIFS protocols as used by
|
||||
(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
|
||||
Microsoft.
|
||||
</para>
|
||||
|
||||
@ -1027,8 +1027,8 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>account</primary>
|
||||
</indexterm>
|
||||
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
|
||||
account (on Samba Domains, this is usually the account called <constant>root</constant>).
|
||||
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
|
||||
account (on Samba domains, this is usually the account called <constant>root</constant>).
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -1060,7 +1060,7 @@
|
||||
</indexterm>
|
||||
In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
|
||||
the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
|
||||
the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>.
|
||||
the Computer Management entry should now say <guimenu>Computer Management (FRODO)</guimenu>.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -1094,7 +1094,7 @@
|
||||
<primary>rejected</primary>
|
||||
</indexterm>
|
||||
You may now edit/add/remove access control settings. Be very careful. Many problems have been
|
||||
created by people who decided that Everyone should be rejected but one particular group should
|
||||
created by people who decided that everyone should be rejected but one particular group should
|
||||
have full control. This is a catch-22 situation because members of that particular group also
|
||||
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
|
||||
set for the permitted group.
|
||||
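Review bot: lowercasing "Everyone" to "everyone" in "decided that everyone should be rejected but one particular group should have full control" loses the point of the warning: "Everyone" is the name of the well-known Windows group, which is why two lines later the text says that members of the permitted group "also belong to the group Everyone" and the deny entry overrules their allow. Keep it as the group name, ideally marked up as it is there (<constant>Everyone</constant>), so the reader sees that a deny ACE on that group defeats any allow granted to a subset of it.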
@ -1125,10 +1125,10 @@
</indexterm><indexterm>
<primary>privileges</primary>
</indexterm>
Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a
check-point can be used to require someone who wants to get through to meet certain requirements, so
Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
checkpoint can be used to require someone who wants to get through to meet certain requirements, so
it is possible to require the user (or group the user belongs to) to meet specified credential-related
objectives. It can be likened to a pile-driver by overriding default controls, in that having met the
objectives. It can be likened to a pile-driver by overriding default controls in that having met the
credential-related objectives, the user can be granted powers and privileges that would not normally be
available under default settings.
</para>
@ -1142,25 +1142,25 @@
</indexterm><indexterm>
<primary>hierarchy of control</primary>
</indexterm>
It must be emphasized that the controls here discussed can act as a filter, or give rights of passage,
that act as a super-structure over normal directory and file access controls. However, share level
ACLs act at a higher level than to share definition controls because the user must filter through the
share level controls to get to the share definition controls. The proper hierarchy of controls implemented
It must be emphasized that the controls here discussed can act as a filter or give rights of passage
that act as a superstructure over normal directory and file access controls. However, share-level
ACLs act at a higher level than do share definition controls because the user must filter through the
share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
by Samba and Windows networking consists of:
</para>

<orderedlist>
<listitem><para>Share Level ACLs</para></listitem>
<listitem><para>Share Definition Controls</para></listitem>
<listitem><para>Directory and File Permissions</para></listitem>
<listitem><para>Directory and File Posix ACLs</para></listitem>
<listitem><para>Share-level ACLs</para></listitem>
<listitem><para>Share-definition controls</para></listitem>
<listitem><para>Directory and file permissions</para></listitem>
<listitem><para>Directory and file POSIX ACLs</para></listitem>
</orderedlist>

<sect3>
<title>Check-point Controls</title>
<title>Checkpoint Controls</title>

<para><indexterm>
<primary>Check-point Controls</primary>
<primary>Checkpoint Controls</primary>
</indexterm>
Consider the following extract from a &smb.conf; file defining the share called <constant>Apps</constant>:
<screen>
@ -1186,8 +1186,8 @@
</indexterm><indexterm>
<primary>delimiter</primary>
</indexterm>
On Domain Member servers and clients, even when the <parameter>winbind use default domain</parameter> has
been specified, the use of Domain accounts in security controls requires fully qualified Domain specification,
On domain member servers and clients, even when the <parameter>winbind use default domain</parameter> has
been specified, the use of domain accounts in security controls requires fully qualified domain specification,
for example, <smbconfoption name="valid users">@"MEGANET\Northern Engineers"</smbconfoption>.
Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
delimiter.
@ -1211,8 +1211,8 @@
<primary>share definition controls</primary>
</indexterm>
Consider another example. In this case, you want to permit all members of the group <constant>Employees</constant>
to access the <constant>Apps</constant> share, except the user <constant>patrickj</constant>. This can be
easily achieved by setting a share level ACL permitting only <constant>Employees</constant> to access the share,
except the user <constant>patrickj</constant> to access the <constant>Apps</constant> share. This can be
easily achieved by setting a share-level ACL permitting only <constant>Employees</constant> to access the share,
and then in the share definition controls excluding just <constant>patrickj</constant>. Here is how that might
be done:
<screen>
@ -1225,7 +1225,7 @@
<indexterm>
<primary>permissions</primary>
</indexterm>
Let us assume that you want to permit the user <constant>gbshaw</constant>, to manage any file in the
Let us assume that you want to permit the user <constant>gbshaw</constant> to manage any file in the
UNIX/Linux file system directory <filename>/data/apps</filename>, but you do not want to grant any write
permissions beyond that directory tree. Here is one way this can be done:
<screen>
@ -1243,13 +1243,13 @@
the group <constant>Doctors</constant>, excluding the user <constant>patrickj</constant>, to have
read-only privilege, but the user <constant>gbshaw</constant> is granted administrative rights.
The administrative rights conferred upon the user <constant>gbshaw</constant> permit operation as
if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system, and thus
for access to the directory tree that has been shared (exported) permit the user to override controls
if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system and thus,
for access to the directory tree that has been shared (exported), permit the user to override controls
that apply to all other users on that resource.
</para>

<para>
There are additional check-point controls that may be used. For example, if for the same share we now
There are additional checkpoint controls that may be used. For example, if for the same share we now
want to provide the user <constant>peters</constant> with the ability to write to one directory to
which he has write privilege in the UNIX file system, you can specifically permit that with the
following settings:
@ -1266,8 +1266,8 @@
<primary>check-point controls</primary>
</indexterm>
This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
You should refer to the on-line manual page for the &smb.conf; file for more information regarding
the check-point controls that Samba implements.
You should refer to the online manual page for the &smb.conf; file for more information regarding
the checkpoint controls that Samba implements.
</para>

</sect3>
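Review bot: the index entry <primary>check-point controls</primary> at the top of this hunk is left hyphenated while the prose in the same hunk is changed to "checkpoint controls"; the generated index will then list the two spellings as separate entries. Change the indexterm to "checkpoint controls" in the same pass.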
@ -1280,7 +1280,7 @@
</indexterm>
Override controls implemented by Samba permit actions like the adoption of a different identity
during file system operations, the forced overwriting of normal file and directory permissions,
and so on. You should refer to the on-line manual page for the &smb.conf; file for more information regarding
and so on. You should refer to the online manual page for the &smb.conf; file for more information regarding
the override controls that Samba implements.
</para>

@ -1305,9 +1305,9 @@
That is all there is to it. Well, it is almost that simple. The downside of this method is that
users are logged onto the Windows client as themselves, and then immediately before accessing the
file, Samba makes system calls to change the effective user and group to the forced settings
specified, completes the file transaction, and then reverts to the actually logged on identity.
This imposes significant overhead on Samba. The alternative way that effectively the same result
can be achieved (but with lower system CPU overheads) is described next.
specified, completes the file transaction, and then reverts to the actually logged-on identity.
This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
(but with lower system CPU overheads) is described next.
</para>

<para><indexterm>
@ -1322,10 +1322,10 @@
</indexterm><indexterm>
<primary>performance degradation</primary>
</indexterm>
The use of the <parameter>force user</parameter>, or the <parameter>force group</parameter>, may
also have a severe impact on system (and in particular Windows client) performance. If opportunistic
The use of the <parameter>force user</parameter> or the <parameter>force group</parameter> may
also have a severe impact on system (particularly on Windows client) performance. If opportunistic
locking is enabled on the share (the default), it causes an <constant>oplock break</constant> to be
sent to the client, even if the client has not opened the file. On networks that have high traffic
sent to the client even if the client has not opened the file. On networks that have high traffic
density, or on links that are routed to a remote network segment, <constant>oplock breaks</constant>
can be lost. This results in possible retransmission of the request, or the client may time-out while
waiting for the file system transaction (read or write) to complete. The result can be a profound
@ -1372,7 +1372,7 @@
<orderedlist>
<listitem><para>
A user opens a Work document from a network drive. The file was owned by user <constant>janetp</constant>
and <group>users</group>, and was set read/write enabled for everyone.
and <group>users</group>, and was set read/write-enabled for everyone.
</para></listitem>

<listitem><para>
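Review bot: "A user opens a Work document" in the unchanged first line of this hunk looks like a typo for "Word document" (the scenario is a file opened from a network drive by an Office client); worth correcting while the adjacent line is being edited.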
@ -1385,19 +1385,19 @@

<listitem><para>
The file is now owned by the user <constant>billc</constant> and group <constant>doctors</constant>,
and is set read/write by <constant>billc</constant>, read only by <constant>doctors</constant>, and
and is set read/write by <constant>billc</constant>, read-only by <constant>doctors</constant>, and
no access by everyone.
</para></listitem>

<listitem><para>
The original owner can not now access her own file and is <quote>justifiably</quote> upset.
The original owner cannot now access her own file and is <quote>justifiably</quote> upset.
</para></listitem>
</orderedlist>

<para>
There have been many postings over the years that report the same basic problem. Frequently Samba users
want to know when this <quote>bug</quote> will be fixed. The fact is, this is not a bug in Samba at all.
Here is the real sequence of what happens in the case mentioned above.
Here is the real sequence of what happens in this case.
</para>

<para><indexterm>
@ -1423,7 +1423,7 @@
</para>

<para>
The question is: <quote>How can we solve the problem?</quote>
The question is, <quote>How can we solve the problem?</quote>
</para>

<para>
@ -1462,7 +1462,7 @@
<primary>accessible</primary>
</indexterm>
Set the files and directory permissions to be read/write for owner and group, and not accessible
to others (everyone) using the following command:
to others (everyone), using the following command:
<screen>
&rootprompt; chmod ug+rwx,o-rwx /usr/data/finance
</screen>
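Review bot: the step says "Set the files and directory permissions", but the command shown, chmod ug+rwx,o-rwx /usr/data/finance, has no -R and so changes only the top-level directory itself; any files already under it keep whatever other-readable bits they had. If the whole tree is meant, the command needs -R (and ug+rwX rather than ug+rwx, so that regular files are not marked executable as a side effect).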
@ -1471,7 +1471,7 @@
<step><para><indexterm>
<primary>SGID</primary>
</indexterm>
Set the SGID (super-group) bit on all directories from the top down. This means all files
Set the SGID (supergroup) bit on all directories from the top down. This means all files
can be created with the permissions of the group set on the directory. It means all users
who are members of the group <constant>finance</constant> can read and write all files in
the directory. The directory is not readable or writable by anyone who is not in the
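Review bot: "SGID (super-group)" and the replacement "SGID (supergroup)" are both wrong expansions; SGID is the set-group-ID bit, and on a directory it makes newly created files inherit the directory's group, which is exactly what the next sentence describes. Suggest "Set the SGID (set-group-ID) bit on all directories".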
@ -1509,8 +1509,8 @@
</indexterm><indexterm>
<primary>side effects</primary>
</indexterm>
Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because
of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means
Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
</para>
@ -1525,8 +1525,8 @@

<procedure>
<step><para>
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
account (on Samba Domains, this is usually the account called <constant>root</constant>).
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <constant>root</constant>).
</para></step>

<step><para>
@ -1581,7 +1581,7 @@
to edit ACLs using the <constant>Advanced</constant> editing features. Click the
<guimenu>Advanced</guimenu> button. This opens a panel that has four tabs. Only the
functionality under the <constant>Permissions</constant> tab can be utilized with respect
to a Samba Domain server.
to a Samba domain server.
</para></step>

<step><para><indexterm>
@ -1590,7 +1590,7 @@
<primary>permitted group</primary>
</indexterm>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that Everyone should be rejected but one particular group should
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
set for the permitted group.
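Review bot: same issue as the earlier copy of this paragraph: "Everyone" here is the Windows built-in group that the following sentence names as <constant>Everyone</constant>, so it should not be lowercased. Keep the group name (with the same markup) so the catch-22 the paragraph warns about, a Deny on Everyone overriding the Allow for the chosen group, stays recognisable.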
@ -1609,7 +1609,7 @@

<para>
The following alternative method may be used from a Windows workstation. In this example we work
with a Domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
with a domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
share called <constant>Apps</constant>. The underlying UNIX/Linux share point for this share is
<filename>/data/apps</filename>.
</para>
@ -1630,7 +1630,7 @@
<guimenuitem>Security</guimenuitem>
<guimenuitem>Advanced</guimenuitem>
</menuchoice>. This opens a panel that has four tabs. Only the functionality under the
<constant>Permissions</constant> tab can be utilized in respect to a Samba Domain server.
<constant>Permissions</constant> tab can be utilized for a Samba domain server.
</para></step>

<step><para><indexterm>
@ -1639,7 +1639,7 @@
<primary>over-rule</primary>
</indexterm>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that Everyone should be rejected but one particular group should
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
set for the permitted group.
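Review bot: third copy of the paragraph, same problem: "Everyone" is the Windows built-in group referred to as <constant>Everyone</constant> two lines later, so lowercasing it loses the reference. Also, the index entry above it still reads <primary>over-rule</primary> while the text says "overrules"; worth aligning the two spellings.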
@ -1662,7 +1662,7 @@
<primary>shared resource</primary>
</indexterm>
Yet another alternative method for setting desired security settings on the shared resource files and
directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line
directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
Linux system:
</para>
@ -1678,7 +1678,7 @@
<screen>
&rootprompt; cd /data
</screen>
Retrieve the existing Posix ACLs entry by executing:
Retrieve the existing POSIX ACLs entry by executing:
<screen>
&rootprompt; getfacl apps
# file: apps
@ -1714,7 +1714,7 @@ group:AppsMgrs:rwx
mask::rwx
other::r-x
</screen>
This confirms that the change of Posix ACL permissions has been effective.
This confirms that the change of POSIX ACL permissions has been effective.
</para></step>

<step><para><indexterm>
@ -1728,7 +1728,7 @@ other::r-x
</indexterm><indexterm>
<primary>inheritance</primary>
</indexterm>
It is highly recommend that you should read the on-line manual page for the <command>setfacl</command>
It is highly recommend that you read the online manual page for the <command>setfacl</command>
and <command>getfacl</command> commands. This provides information regarding how to set/read the default
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
of setting <constant>inheritance</constant> properties.
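Review bot: the rewritten sentence still reads "It is highly recommend that you read"; it should be "It is highly recommended that you read". The sentence after it, "This provides information", has no clear antecedent now that two commands are named; "These pages provide information" would read better.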
@ -1745,7 +1745,7 @@ other::r-x
<para>
The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
Looking back, this chapter could be broken into two, but it's too late now. It has been done.
The highlights covered are:
The highlights covered are as follows:
</para>

<itemizedlist>
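Review bot: "The mish-mash of issues were thrown together" has a subject-verb disagreement (the subject is "mish-mash"); since the line just above is being touched anyway, make it "was thrown together".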
@ -1760,7 +1760,7 @@ other::r-x
</indexterm>
Winbind honors and does not override account controls set in Active Directory.
This means that password change, logon hours, and so on, are (or soon will be) enforced
by Samba Winbind. At this time, an out-of-hours login is denied and password
by Samba winbind. At this time, an out-of-hours login is denied and password
change is enforced. At this time, if logon hours expire, the user is not forcibly
logged off. That may be implemented at some later date.
</para></listitem>
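Review bot: this hunk lowercases "Samba winbind" but leaves "Winbind honors" capitalized two lines earlier in the same list item, so the paragraph now uses both spellings. Pick one (the daemon and parameter names are lowercase "winbind" throughout smb.conf) and apply it to both occurrences. The repeated "At this time, ... At this time," in consecutive sentences could also be merged.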
@ -1771,7 +1771,7 @@ other::r-x
<primary>schannel</primary>
</indexterm>
Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
problems acknowledged by Microsoft as having been fixed, but reported by some as still
problems acknowledged by Microsoft as having been fixed but reported by some as still
possibly an open issue.
</para></listitem>

@ -1787,7 +1787,7 @@ other::r-x
The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
Active Directory. The possibility to do this is not planned in the current Samba-3
roadmap. Samba-3 does aim to provide further improvements in interoperability so that
UNIX/Linux systems may be fully integrated into Active Directory Domains.
UNIX/Linux systems may be fully integrated into Active Directory domains.
</para></listitem>

<listitem><para>
@ -1830,7 +1830,7 @@ other::r-x
<primary>registry change</primary>
</indexterm>
No. Samba-3 fully supports <constant>Sign'n'seal</constant> as well as <constant>schannel</constant>
operation. The registry change should not be applied when Samba-3 is used as a Domain Controller.
operation. The registry change should not be applied when Samba-3 is used as a domain controller.
</para>

</answer>
@ -1852,7 +1852,7 @@ other::r-x
Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
and it can function as an Active Directory Domain Member server.
and it can function as an Active Directory domain member server.
</para>

</answer>
@ -1876,7 +1876,7 @@ other::r-x
</indexterm>
No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
as Samba-3 can join a native Windows 2003 Server ADS Domain.
because Samba-3 can join a native Windows 2003 Server ADS domain.
</para>

</answer>
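Review bot: "200x/XPPro" in the unchanged context line is missing a space ("200x/XP Pro"), and "native mode" would be clearer as "native-mode" to match the hyphenated "mixed-mode" in the same answer.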
@ -1888,14 +1888,14 @@ other::r-x
<para><indexterm>
<primary>share level access controls</primary>
</indexterm>
Is it safe to set share level access controls in Samba?
Is it safe to set share-level access controls in Samba?
</para>

</question>
<answer>

<para>
Yes. Share level access controls have been supported since early versions of Samba-2. This is
Yes. Share-level access controls have been supported since early versions of Samba-2. This is
very mature technology. Not enough sites make use of this powerful capability, neither on
Windows server or with Samba servers.
</para>
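Review bot: "neither on Windows server or with Samba servers" in the last two lines of this hunk mixes "neither" with "or"; it should be "neither on Windows servers nor on Samba servers". The index entry at the top of the hunk also still reads "share level access controls" while both sentences now hyphenate "share-level".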
@ -1928,7 +1928,7 @@ other::r-x
</indexterm>
No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
means of securing shares through share definition controls in the &smb.conf; file. The additional
support for share level ACLs is like frosting on the cake. It adds to security, but is not essential
support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
to it.
</para>

@ -2034,7 +2034,7 @@ other::r-x
Either tool can be used with equal effect. There is no benefit of one over the other, except that
the MMC utility is present on all Windows 200x/XP systems and does not require additional software
to be downloaded and installed. Note that if you want to manage user and group accounts in your
Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which
Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
is provided as part of the <filename>SRVTOOLS.EXE</filename> utility.
</para>

@ -2052,14 +2052,14 @@ other::r-x
<primary>Domain Member server</primary>
</indexterm>
I tried to set <parameter>valid users = @Engineers</parameter>, but it does not work. My Samba
server is an Active Directory Domain Member server. Has this been fixed now?
server is an Active Directory domain member server. Has this been fixed now?
</para>

</question>
<answer>

<para>
The use of this parameter has always required the full specification of the Domain account, for
The use of this parameter has always required the full specification of the domain account, for
example, <parameter>valid users = @"MEGANET2\Domain Admins"</parameter>.
</para>

@ -2875,7 +2875,7 @@ smb: \> q
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
and in the reverse lookup database for the network segment that the printer is to
be located in. Example configuration files for similar zones were presented in Chapter 3,
be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
<link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
</para></step>

@ -3490,8 +3490,8 @@ structuralObjectClass: organizationalUnit
</para>

<para>
You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 24,
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
</para>

@ -4,8 +4,8 @@
<title>Migrating NT4 Domain to Samba-3</title>

<para>
Ever since Microsoft announced that they are discontinuing support for Windows
NT4, Samba users started to ask for detailed instructions for how to migrate
Ever since Microsoft announced that it was discontinuing support for Windows
NT4, Samba users started to ask for detailed instructions on how to migrate
from NT4 to Samba-3. This chapter provides background information that should
meet these needs.
</para>
@ -22,7 +22,7 @@
<primary>migration</primary>
</indexterm>
Network administrators who want to migrate off a Windows NT4 environment know
one thing with certainty. They feel that NT4 has been abandoned and they want
one thing with certainty. They feel that NT4 has been abandoned, and they want
to update. The desire to get off NT4 and to not adopt Windows 200x and Active
Directory is driven by a mixture of concerns over complexity, cost, fear of
failure, and much more.
@ -33,20 +33,20 @@
<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
The migration from NT4 to Samba-3 can involve a number of factors, including:
The migration from NT4 to Samba-3 can involve a number of factors, including
migration of data to another server, migration of network environment controls
such as group policies, and finally migration of the users, groups, and machine
such as group policies, and migration of the users, groups, and machine
accounts.
</para>

<para>
<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
It should be pointed out now that it is possible to migrate some systems from
Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly
not possible in every case. It is possible to just migrate the Domain accounts
a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
not possible in every case. It is possible to just migrate the domain accounts
to Samba-3 and then to switch machines, but as a hands-off transition, this is more
an exception than the rule. Most systems require some tweaking and adjusting
following migration before an environment that is acceptable for immediate use
the exception than the rule. Most systems require some tweaking after
migration before an environment that is acceptable for immediate use
is obtained.
</para>

@ -57,7 +57,7 @@
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>passdb backend</primary></indexterm>
You are about to migrate an MS Windows NT4 Domain accounts database to
You are about to migrate an MS Windows NT4 domain accounts database to
a Samba-3 server. The Samba-3 server is using a
<parameter>passdb backend</parameter> based on LDAP. The
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
@ -66,7 +66,7 @@

<para>
Your objective is to document the process of migrating user and group accounts
from several NT4 Domains into a single Samba-3 LDAP backend database.
from several NT4 domains into a single Samba-3 LDAP backend database.
</para>

</sect2>
@ -82,9 +82,9 @@
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
<indexterm><primary>SAM</primary></indexterm>
<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
The migration process takes a snap-shot of information that is stored in the
Windows NT4 registry based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 Registry under keys called
The migration process takes a snapshot of information that is stored in the
Windows NT4 registry-based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 registry under keys called
<constant>SAM</constant> and <constant>SECURITY</constant>.
</para>

@ -93,7 +93,7 @@
<indexterm><primary>inoperative</primary></indexterm>
The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
are protected so that you cannot view the contents. If you change the security setting
to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not
to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
do this unless you are willing to render your domain controller inoperative.
</para></warning>

@ -103,7 +103,7 @@
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
that may not be a good idea from an administration perspective. Since the process involves going
through a certain amount of disruptive activity anyhow, why not take this as an opportunity to
through a certain amount of disruptive activity anyhow, why not take this opportunity to
review the structure of the network, how Windows clients are controlled and how they
interact with the network environment.
</para>
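Review bot: the sentence beginning "why not take this opportunity to review" is a question but ends with a period in the unchanged context lines; it should close with a question mark, and the series "the structure of the network, how Windows clients are controlled and how they interact" wants a comma before "and" to match the serial-comma style used elsewhere in this chapter.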
@ -113,14 +113,14 @@
|
||||
<indexterm><primary>profiles share</primary></indexterm>
|
||||
<indexterm><primary>security descriptors</primary></indexterm>
|
||||
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
|
||||
have done little to keep the NT4 server environment up-to-date with more recent Windows releases,
|
||||
have done little to keep the NT4 server environment up to date with more recent Windows releases,
|
||||
particularly Windows XP Professional. The migration provides opportunity to revise and update
|
||||
roaming profile deployment as well as folder redirection. Given that you must port the
|
||||
greater network configuration of this from the old NT4 server to the new Samba-3 server.
|
||||
Do not forget to validate the security descriptors in the profiles share as well as network logon
|
||||
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
|
||||
as a good time to update desktop systems also. In all, the extra effort should constitute no
|
||||
real disruption to users, rather with due diligence and care should make their network experience
|
||||
real disruption to users, but rather, with due diligence and care should make their network experience
|
||||
a much happier one.
|
||||
</para>
|
||||
|
||||
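Review bot: the sentence "Given that you must port the greater network configuration of this from the old NT4 server to the new Samba-3 server." in this hunk is a fragment with no main clause, and the copyedit leaves it untouched. Suggest completing it, for example "Given that you must port the greater network configuration from the old NT4 server to the new Samba-3 server, this is the time to review it.", or folding it into the following sentence about validating the security descriptors in the profiles share.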
@ -130,12 +130,12 @@
|
||||
<para>
|
||||
<indexterm><primary>strategic</primary></indexterm>
|
||||
<indexterm><primary>active directory</primary></indexterm>
|
||||
Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic
|
||||
element. Many sites have asked for instructions regarding merging of multiple different NT4
|
||||
Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant
|
||||
Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
|
||||
element. Many sites have asked for instructions regarding merging of multiple NT4
|
||||
domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
|
||||
added value compared with the alternative of migration to Windows Server 200x and Active
|
||||
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
|
||||
from a Windows NT4 Domain to a Samba Domain.
|
||||
from a Windows NT4 domain to a Samba domain.
|
||||
</para>
|
||||
|
||||
<image id="ch8-migration">
|
||||
@ -146,9 +146,9 @@
|
||||
<para>
|
||||
<indexterm><primary>merge</primary></indexterm>
|
||||
<indexterm><primary>passdb.tdb</primary></indexterm>
|
||||
If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain,
|
||||
If you want to merge multiple NT4 domain account databases into one Samba domain,
|
||||
you must now dump the contents of the first migration and edit it as appropriate. Now clean
|
||||
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database
|
||||
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>) or the LDAP database
|
||||
files. You must start each migration with a new database into which you merge your NT4
|
||||
domains.
|
||||
</para>
|
||||
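Review bot: the merge procedure in this hunk has the administrator keep an edited dump of the first migration on disk while the backend is cleaned out and the second migration runs, but nothing here says what that dump contains. In smbpasswd form (see the pdbedit -Lw output later in this patch, "Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:") it carries the LM and NT password hashes, which are password equivalents on an SMB network. Suggest adding a sentence that dump files be created with restrictive permissions, kept off shared filesystems, and deleted once the merged database has been loaded and verified.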
@ -156,7 +156,7 @@
|
||||
<para><indexterm>
|
||||
<primary>dump</primary>
|
||||
</indexterm>
|
||||
At this point, you are ready to perform the second migration following the same steps as
|
||||
At this point, you are ready to perform the second migration, following the same steps as
|
||||
for the first. In other words, dump the database, edit it, and then you may merge the
|
||||
dump for the first and second migrations.
|
||||
</para>
|
||||
@ -169,8 +169,8 @@
|
||||
<primary>Domain SID</primary>
|
||||
</indexterm>
|
||||
You must be careful. If you choose to migrate to an LDAP backend, your dump file
|
||||
now contains the full account information, including the Domain SID. The Domain SID for each
|
||||
of the two NT4 Domains will be different. You must choose one, and change the Domain
|
||||
now contains the full account information, including the domain SID. The domain SID for each
|
||||
of the two NT4 domains will be different. You must choose one and change the domain
|
||||
portion of the account SIDs so that all are the same.
|
||||
</para>
|
||||
|
||||
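Review bot: "You must choose one and change the domain portion of the account SIDs so that all are the same" skips a check the reader needs. An account SID is the domain SID plus the account's RID, so after the domain portion is rewritten, any user or group that carried the same RID in both NT4 domains ends up with an identical SID in the merged database. Suggest telling the reader to check the dump for RID clashes (alongside the same-name clashes the FAQ later in this chapter mentions) before importing, and to renumber one side where they occur.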
@ -189,12 +189,12 @@
|
||||
<indexterm><primary>import</primary></indexterm>
|
||||
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
|
||||
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
|
||||
smbpasswd data file. This automatically strips out all Domain specific information,
|
||||
such as logon hours, logon machines, logon script, profile path, as well as the Domain SID.
|
||||
smbpasswd data file. This automatically strips out all domain-specific information,
|
||||
such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
|
||||
The resulting file can be easily merged with other migration attempts (each of which must start
|
||||
with a clean file). It should also be noted that all users that end up in the merged smbpasswd
|
||||
with a clean file). It should also be noted that all users who end up in the merged smbpasswd
|
||||
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
|
||||
may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into
|
||||
may be exported or imported into either a tdbsam (<filename>passdb.tdb</filename>) or
|
||||
an LDAP backend.
|
||||
</para>
|
||||
|
||||
@ -210,16 +210,16 @@
|
||||
<title>Political Issues</title>
|
||||
|
||||
<para>
|
||||
The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3
|
||||
Domain may be seen by those who had power over them as a loss of prestige or a loss of
|
||||
power. The imposition of a single Domain may even be seen as a threat. So in migrating and
|
||||
The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
|
||||
domain may be seen by those who had power over them as a loss of prestige or a loss of
|
||||
power. The imposition of a single domain may even be seen as a threat. So in migrating and
|
||||
merging account databases, be consciously aware of the political fall-out in which you
|
||||
may find yourself entangled when key staff feel a loss of prestige.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The best advice that can be given to those who set out to merge NT4 Domains into one single
|
||||
Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers
|
||||
The best advice that can be given to those who set out to merge NT4 domains into a single
|
||||
Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
|
||||
greater network interoperability and manageability.
|
||||
</para>
|
||||
|
||||
@ -231,25 +231,25 @@
|
||||
<title>Implementation</title>
|
||||
|
||||
<para>
|
||||
From feedback on the Samba mailing lists it would appear that most Windows NT4 migrations
|
||||
From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
|
||||
to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
|
||||
server. If you contemplate doing this also, please note that the steps that follow in this
|
||||
server. If you contemplate doing this, please note that the steps that follow in this
|
||||
chapter assume familiarity with the information that has been previously covered in this
|
||||
book. The reader is particularly encouraged to be familiar with <link linkend="secure"/>,
|
||||
book. You are particularly encouraged to be familiar with <link linkend="secure"/>,
|
||||
<link linkend="Big500users"/> and <link linkend="happy"/>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The
|
||||
We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
|
||||
first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
|
||||
scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
|
||||
collection of parameters are used to effect the addition of accounts into the passdb backend.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Before proceeding to NT4 migration using either a tdbsam or ldapsam it is most strongly recommended to
|
||||
Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
|
||||
review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
|
||||
functioning name resolution must be recognized. This applies equally for hostname as for NetBIOS names
|
||||
functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
|
||||
(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
|
||||
</para>
|
||||
|
||||
@ -268,9 +268,9 @@
|
||||
<indexterm><primary>Posix</primary></indexterm>
|
||||
<indexterm><primary>lower-case</primary></indexterm>
|
||||
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
|
||||
Delete all files that should not be migrated. Where possible, change NT Group
|
||||
Delete all files that should not be migrated. Where possible, change NT group
|
||||
names so there are no spaces or uppercase characters. This is important if
|
||||
the target UNIX host insists on Posix compliant all lower-case user and group
|
||||
the target UNIX host insists on POSIX-compliant all lowercase user and group
|
||||
names.
|
||||
</para></listitem>
|
||||
|
||||
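Review bot: this checklist item tells the reader to delete accounts and files on the source NT4 PDC before migrating, but no step here says to take a backup of the PDC first. Deleting from the authoritative copy before the vampire run has been verified leaves no way back if the migration has to be repeated; suggest a preceding bullet along the lines of "Back up the NT4 PDC (account database and data) before deleting anything."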
@ -289,7 +289,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
It may help to use the above outline as a pre-migration check-list.
|
||||
It may help to use the above outline as a pre-migration checklist.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
@ -299,21 +299,21 @@
|
||||
In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
|
||||
to be migrated are shown in <link linkend="NT4DUM"/>. In this example use is made of the
|
||||
smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
|
||||
Four scripts are essential to the migration process. There are other scripts that will be required
|
||||
Four scripts are essential to the migration process. Other scripts will be required
|
||||
for daily management, but these are not critical to migration. The critical scripts are dependant
|
||||
on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
|
||||
must be provided so that the migration process can complete.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Verify that you have correctly specified in the &smb.conf; file the scripts, and arguments
|
||||
that should be passed to them, before attempting to perform the account migration. Note also
|
||||
Verify that you have correctly specified in the &smb.conf; file the scripts and arguments
|
||||
that should be passed to them before attempting to perform the account migration. Note also
|
||||
that the deletion scripts must be commented out during migration. These should be uncommented
|
||||
following successful migration of the NT4 Domain accounts.
|
||||
</para>
|
||||
|
||||
<warning><para>
|
||||
Under absolutely no situations should the Samba daemons be started until instructed to do so.
|
||||
Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
|
||||
Delete the <filename>/etc/samba/secrets.tdb</filename> file and all Samba control tdb files
|
||||
before commencing the following configuration steps.
|
||||
</para></warning>
|
||||
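Review bot: "The critical scripts are dependant on which passdb backend is being used" keeps the misspelling "dependant" (should be "dependent"); since this hunk otherwise only fixes wording, it is worth picking up here. Separately, the paragraph says the deletion scripts "must be commented out during migration" without saying why; a short clause giving the reason would let the reader judge whether the instruction applies to their setup.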
@ -372,7 +372,7 @@
|
||||
<indexterm><primary>smbldap-tools</primary></indexterm>
|
||||
The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
|
||||
of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
|
||||
capability you will need to create your own tool to do this. Alternately, you can search the web
|
||||
capability, you must create your own tool to do this. Alternately, you can search the Web
|
||||
to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
|
||||
The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
|
||||
in the formal commands provided by Linux distributions (March 2004).
|
||||
@ -380,9 +380,8 @@
|
||||
|
||||
<note><para>
|
||||
<indexterm><primary>tdbdump</primary></indexterm>
|
||||
The <command>tdbdump</command> utility is a utility that you can build from the Samba source
|
||||
code tree. Not all Linux binary distributions include this tool. If it is missing from your
|
||||
Linux distribution you will need to build this yourself, or else for-go its use.
|
||||
The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
|
||||
Linux distribution, you will need to build this yourself or else forgo its use.
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
@ -613,8 +612,8 @@ ssl off
|
||||
<filename>/etc/ldap.conf</filename> file has been configured, when the LDAP server
|
||||
is started, the process of starting the LDAP server will cause LDAP lookups. This
|
||||
causes the LDAP server <command>slapd</command> to hang because it finds port 389
|
||||
open and therefore can not gain exclusive control of it. By commenting these entries
|
||||
out it is possible to avoid this grid-lock situation and thus the over-all
|
||||
open and therefore cannot gain exclusive control of it. By commenting these entries
|
||||
out, it is possible to avoid this gridlock situation and thus the overall
|
||||
installation and configuration will progress more smoothly.
|
||||
</para></step>
|
||||
|
||||
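Review bot: the two explanations in this hunk do not agree with each other. The first sentence says that starting the LDAP server triggers LDAP lookups (the server's own startup lookups are routed, via the /etc/ldap.conf configuration, to a server that is not yet listening, so slapd waits on itself); the next sentence says slapd hangs because it "finds port 389 open and therefore cannot gain exclusive control of it", which would make slapd fail to bind and exit with an error rather than hang. Suggest keeping the first explanation and dropping the port-389 sentence, since the remedy given (commenting the entries out) follows from the lookup deadlock, not from a port conflict.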
@ -663,7 +662,7 @@ rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Pull the Domain SID from the NT4 Domain that is being migrated as follows:
|
||||
Pull the domain SID from the NT4 domain that is being migrated as follows:
|
||||
<screen>
|
||||
&rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get
|
||||
Storing SID S-1-5-21-1385457007-882775198-1210191635 \
|
||||
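Review bot: the server name in "net rpc getsid -S TRANGRESSION -U Administrator%not24get" is spelled TRANGRESSION here but TRANSGRESSION in the following hunk ("net rpc info -S TRANSGRESSION"); one of the two is a typo, and a reader copying the command will get a name-resolution failure. Also worth a sentence in the text: passing the password as "%not24get" on the command line leaves it in the shell history and visible to other local users in the process list; the examples could omit the %password part and let net prompt for it.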
@ -673,7 +672,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
|
||||
|
||||
<para>
|
||||
Another way to obtain the domain SID from the target NT4 domain that is being
|
||||
migrated to Samba-3 by executing the following:
|
||||
migrated to Samba-3 is by executing the following:
|
||||
<screen>
|
||||
&rootprompt; net rpc info -S TRANSGRESSION
|
||||
</screen>
|
||||
@ -689,12 +688,12 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
|
||||
<indexterm><primary>configure.pl</primary></indexterm>
|
||||
<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
|
||||
<indexterm><primary>smbldap-tools</primary></indexterm>
|
||||
Install the Idealx <command>smbldap-tools</command> software package following
|
||||
Install the Idealx <command>smbldap-tools</command> software package, following
|
||||
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
|
||||
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
|
||||
Change into that location, or where ever the scripts have been installed. Execute the
|
||||
Change into that location, or whereever the scripts have been installed. Execute the
|
||||
<filename>configure.pl</filename> script to configure the Idealx package for use.
|
||||
Note: Use the Domain SID obtained from the step above. The following is
|
||||
Note: Use the domain SID obtained from the step above. The following is
|
||||
an example configuration session:
|
||||
<screen>
|
||||
merlin:/opt/IDEALX/sbin # ./configure.pl
|
||||
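Review bot: the copyedit introduces a typo: "Change into that location, or whereever the scripts have been installed" should read "wherever". In the same hunk, "Note: Use the domain SID obtained from the step above" would read better as an ordinary sentence, since the surrounding text uses <note> elements rather than a bare "Note:" prefix for this purpose.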
@ -781,7 +780,7 @@ writing new configuration file:
|
||||
</screen>
|
||||
<indexterm><primary>sambaDomainName</primary></indexterm>
|
||||
Note that the NT4 domain SID that was previously obtained was entered above. Also,
|
||||
the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION. This is
|
||||
the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
|
||||
the location into which the Idealx smbldap-tools store the next available UID/GID
|
||||
information. It is also where Samba stores domain specific information such as the
|
||||
next RID, the SID, and so on.
|
||||
@ -906,7 +905,7 @@ Print Operators:x:550:
|
||||
Backup Operators:x:551:
|
||||
Replicators:x:552:
|
||||
</screen>
|
||||
In both cases above the LDAP accounts follow the <quote>+::0:</quote> entry.
|
||||
In both cases the LDAP accounts follow the <quote>+::0:</quote> entry.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -928,7 +927,7 @@ Changing password for root
|
||||
New password : ********
|
||||
Retype new password : ********
|
||||
</screen>
|
||||
Note: During account migration the Windows Administrator account will not be migrated
|
||||
Note: During account migration, the Windows Administrator account will not be migrated
|
||||
to the Samba server.
|
||||
</para></step>
|
||||
|
||||
@ -959,7 +958,7 @@ Print Operators (S-1-5-32-550) -> Print Operators
|
||||
Backup Operators (S-1-5-32-551) -> Backup Operators
|
||||
Replicators (S-1-5-32-552) -> Replicators
|
||||
</screen>
|
||||
The above are the expected results for a correctly configured system.
|
||||
These are the expected results for a correctly configured system.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -1039,14 +1038,14 @@ Guests (S-1-5-32-546) -> Guests
|
||||
Server Operators (S-1-5-32-549) -> Server Operators
|
||||
Users (S-1-5-32-545) -> Users
|
||||
</screen>
|
||||
It is of vital importance that the domain SID portion of all group
|
||||
It is of vital importance that the domain SID portions of all group
|
||||
accounts are identical.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
The final responsibility in the migration process is to create identical
|
||||
shares and printing resources on the new Samba-3 server, copy all data
|
||||
across, set up privileges and set share and file/directory access controls.
|
||||
across, set up privileges, and set share and file/directory access controls.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
@ -1083,14 +1082,14 @@ Press enter to see a dump of your service definitions
|
||||
|
||||
<step><para>
|
||||
All workstations should function as they did with the old NT4 PDC. All
|
||||
inter-domain trust accounts should remain in place and fully functional.
|
||||
interdomain trust accounts should remain in place and fully functional.
|
||||
All machine accounts and user logon accounts should also function correctly.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
The configuration of Samba-3 BDC servers can be accomplished now, or at any
|
||||
The configuration of Samba-3 BDC servers can be accomplished now or at any
|
||||
convenient time in the future. Please refer to the carefully detailed process
|
||||
for doing this that has been outlined in <link linkend="sbehap-bldg1"/>.
|
||||
for doing so is outlined in <link linkend="sbehap-bldg1"/>.
|
||||
</para></step>
|
||||
|
||||
</procedure>
|
||||
@ -1202,20 +1201,20 @@ Creating unix group: 'Users'
|
||||
<title>NT4 Migration Using tdbsam Backend</title>
|
||||
|
||||
<para>
|
||||
In this example, you have chosen to change the Domain name of the NT4 server from
|
||||
In this example, we change the domain name of the NT4 server from
|
||||
<constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
|
||||
of the vampire (migration) tool. This migration process makes use of Linux system tools
|
||||
(like <command>useradd</command>) to add the accounts that are migrated into the
|
||||
UNIX/Linux <filename>/etc/passwd</filename>, and <filename>/etc/group</filename>
|
||||
UNIX/Linux <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
|
||||
databases. These entries must therefore be present, and correct options specified,
|
||||
in your &smb.conf; file or else the migration does not work as it should.
|
||||
in your &smb.conf; file, or else the migration does not work as it should.
|
||||
</para>
|
||||
|
||||
<procedure>
|
||||
<title>Migration Steps Using tdbsam</title>
|
||||
|
||||
<step><para>
|
||||
Prepare a Samba-3 server precisely per the instructions shown in Chapter 5.
|
||||
Prepare a Samba-3 server precisely per the instructions shown in <link linkend="Big500users"/>.
|
||||
Set the workgroup name to <constant>MEGANET</constant>.
|
||||
</para></step>
|
||||
|
||||
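Review bot: the cross-reference change "Prepare a Samba-3 server precisely per the instructions shown in <link linkend="Big500users"/>" replaces a "Chapter 5" reference, and the target should be double-checked: the tdbsam walkthrough later in this chapter addresses the server as MASSIVE ("net group -l -Uroot%not24get -Smassive"), so the link has to point to the chapter in which that server is built. Both "Big500users" and "happy" are referenced earlier in this file, and a wrong target here sends the reader to the wrong build procedure.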
@ -1295,7 +1294,7 @@ SAM_DELTA_DOMAIN_INFO not handled
|
||||
<primary>pdbedit</primary>
|
||||
</indexterm>
|
||||
At this point, we can validate our migration. Let's look at the accounts
|
||||
in the form as they would be seen in a smbpasswd file. This achieves that:
|
||||
in the form in which they are seen in a smbpasswd file. This achieves that:
|
||||
<screen>
|
||||
&rootprompt; pdbedit -Lw
|
||||
Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
|
||||
@ -1361,7 +1360,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
|
||||
<primary>net</primary>
|
||||
<secondary>group</secondary>
|
||||
</indexterm>
|
||||
And this command lists the long names of the groups that have been
|
||||
The following command lists the long names of the groups that have been
|
||||
imported (vampired) from the NT4 PDC:
|
||||
<screen>
|
||||
&rootprompt; net group -l -Uroot%not24get -Smassive
|
||||
@ -1408,12 +1407,12 @@ Users Ordinary users
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Multiple NT4 Domains can be merged into a single Samba-3
|
||||
Domain.
|
||||
Multiple NT4 domains can be merged into a single Samba-3
|
||||
domain.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The net Samba-3 Domain most likely requires some
|
||||
The net Samba-3 domain most likely requires some
|
||||
administration and updating before going live.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
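Review bot: "The net Samba-3 domain most likely requires some administration and updating before going live" is ambiguous: "net" reads as the net command, which this chapter uses throughout, where the intended sense is the resulting or newly created domain. Suggest "The resulting Samba-3 domain most likely requires ...".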
@ -1444,10 +1443,10 @@ Users Ordinary users
|
||||
<para><indexterm>
|
||||
<primary>merge</primary>
|
||||
</indexterm>
|
||||
This is a recommendation that permits the data from each NT4 Domain to
|
||||
be kept separate until you are ready to merge them. Also, if you do not do this,
|
||||
you may find errors due to users or groups from multiple Domains having the
|
||||
same name, but different SIDs. It is better to permit each migration to complete
|
||||
This is a recommendation that permits the data from each NT4 domain to
|
||||
be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
|
||||
you may find errors due to users or groups from multiple domains having the
|
||||
same name but different SIDs. It is better to permit each migration to complete
|
||||
without undue errors and then to handle the merging of vampired data under
|
||||
proper supervision.
|
||||
</para>
|
||||
@ -1461,7 +1460,7 @@ Users Ordinary users
|
||||
<para><indexterm>
|
||||
<primary>Domain SID</primary>
|
||||
</indexterm>
|
||||
Is it possible to set my Domain SID to anything I like?
|
||||
Is it possible to set my domain SID to anything I like?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
@ -1474,12 +1473,12 @@ Users Ordinary users
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain SID</primary>
|
||||
</indexterm>
|
||||
Yes, so long as the SID you create has the same structure as an auto-generated SID.
|
||||
Yes, so long as the SID you create has the same structure as an autogenerated SID.
|
||||
The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
|
||||
the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
|
||||
would you really want to create your own SID? I cannot think of a good reason.
|
||||
You may want to set the SID to one that is already in use somewhere on your network,
|
||||
but that is a little different from straight out creating your own Domain SID.
|
||||
but that is a little different from straight out creating your own domain SID.
|
||||
</para>
|
||||
|
||||
</answer>
|
||||
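Review bot: "where the XXXXXXXXXX can be any number with from 6 to 10 digits" understates the range: each of the three sub-authority fields of an S-1-5-21 SID is a 32-bit unsigned value, so anything from 0 to 4294967295 (1 to 10 digits) is structurally valid, and autogenerated SIDs are not restricted to six or more digits. Suggest "any number from 0 to 4294967295 (a 32-bit unsigned value)". The closing remark about setting the SID to one already in use on the network could also carry the caveat that two live domains sharing a SID cannot be told apart in ACLs, which is only acceptable when the old domain is being decommissioned, as in the migration this chapter describes.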
@ -1506,7 +1505,7 @@ Users Ordinary users
|
||||
<primary>accounts</primary>
|
||||
<secondary>Domain</secondary>
|
||||
</indexterm>
|
||||
When using a tdbsam passdb backend, why must I have all Domain user and group accounts
|
||||
When using a tdbsam passdb backend, why must I have all domain user and group accounts
|
||||
in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
|
||||
</para>
|
||||
|
||||
@ -1534,7 +1533,7 @@ Users Ordinary users
|
||||
<para>
|
||||
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
|
||||
UID of each account is taken together with the account information in the
|
||||
<filename>/etc/passwd</filename> and both sets of data are used to create the account
|
||||
<filename>/etc/passwd,</filename> and both sets of data are used to create the account
|
||||
entry in the LDAP database.
|
||||
</para>
|
||||
|
||||
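Review bot: the comma has been moved inside the markup in this hunk: "<filename>/etc/passwd,</filename>" makes the comma part of the filename (it will be rendered in filename style and indexed as such). It should be "<filename>/etc/passwd</filename>," with the comma after the closing tag.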
@ -1566,9 +1565,9 @@ Users Ordinary users
|
||||
<answer>
|
||||
|
||||
<para>
|
||||
Access validation before attempting to migrate NT4 Domain accounts helps to pin-point
|
||||
Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
|
||||
potential problems that may otherwise affect or impede account migration. I am always
|
||||
mindful of the 4P's of migration &smbmdash; Planning Prevents Poor Performance.
|
||||
mindful of the 4 P's of migration: Planning Prevents Poor Performance.
|
||||
</para>
|
||||
|
||||
</answer>
|
||||
@ -1607,11 +1606,11 @@ Users Ordinary users
|
||||
</indexterm><indexterm>
|
||||
<primary>tool</primary>
|
||||
</indexterm>
|
||||
If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of
|
||||
If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
|
||||
accounts that have the same UNIX identifier (UID/GID). This means that you almost
|
||||
certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
|
||||
file format and then manually edit all records to ensure that each has a unique UID. Each
|
||||
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool,
|
||||
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool
|
||||
to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
|
||||
tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
|
||||
you have migrated before handing over access to a user. After all, too many users with a bad
|
||||
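Review bot: "to affect a transfer from the smbpasswd file to LDAP" should be "effect a transfer" (to bring about), as the hunk at the end of this chapter correctly has it with "effect a migration"; this copyedit hunk already touches the same sentence (it drops the comma before "to affect") and could fix the word as well.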
@ -1630,8 +1629,8 @@ Users Ordinary users
|
||||
<primary>accounts</primary>
|
||||
<secondary>machine</secondary>
|
||||
</indexterm>
|
||||
I want to change my Domain name after I migrate all accounts from an NT4 Domain to a
|
||||
Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case?
|
||||
I want to change my domain name after I migrate all accounts from an NT4 domain to a
|
||||
Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
@ -1646,9 +1645,9 @@ Users Ordinary users
|
||||
</indexterm><indexterm>
|
||||
<primary>tattooing</primary>
|
||||
</indexterm>
|
||||
I would recommend not. The machine accounts should still work, but there are registry entries
|
||||
I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
|
||||
on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
|
||||
un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid
|
||||
unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
|
||||
this tattooing effect.
|
||||
</para>
|
||||
|
||||
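Review bot: "I would recommend not to migrate the machine account. The machine accounts should still work" mixes singular and plural and is awkward English; suggest "I would recommend not migrating the machine accounts. They should still work, but ...".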
@ -1661,7 +1660,7 @@ Users Ordinary users
|
||||
<para><indexterm>
|
||||
<primary>multiple group mappings</primary>
|
||||
</indexterm>
|
||||
After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why?
|
||||
After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
@ -1674,9 +1673,9 @@ Users Ordinary users
|
||||
</indexterm>
|
||||
Samba-3 currently does not implement multiple group membership internally. If you use the Windows
|
||||
NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
|
||||
membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend,
|
||||
membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
|
||||
then multiple group membership is handled through the UNIX groups file. When you dump the user
|
||||
accounts no group account information is provided. When you edit (change) UIDs and GIDs in each
|
||||
accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
|
||||
file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
|
||||
and <filename>/etc/group</filename> information also. That is where the multiple group information
|
||||
is most closely at your fingertips.
|
||||
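Review bot: "file to which you migrated the NT4 Domain data" keeps "Domain" capitalized, while the rest of this commit lowercases "domain" in running text (compare "NT4 domain" in the hunks above); for consistency this occurrence should be lowercased too. The paragraph also states "Samba-3 currently does not implement multiple group membership internally"; a "currently" statement in a printed book dates quickly, so a version or date qualifier would help the reader.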
@ -1732,13 +1731,13 @@ Users Ordinary users
|
||||
</indexterm>
|
||||
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
|
||||
name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
|
||||
groups can contain upper- and lower-case characters, as well as spaces.
|
||||
Many UNIX system do not permit the use of upper-case characters, and some do not permit the
|
||||
space character either. A number of systems (i.e., Linux) work fine with both upper-case
|
||||
groups can contain upper- and lowercase characters, as well as spaces.
|
||||
Many UNIX system do not permit the use of uppercase characters, and some do not permit the
|
||||
space character either. A number of systems (i.e., Linux) work fine with both uppercase
|
||||
and space characters in group names, but the shadow-utils package that provides the group
|
||||
control functions (<command>groupadd, groupmod, groupdel</command>, and so on) do not permit them.
|
||||
control functions (<command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>, and so on) do not permit them.
|
||||
Also, a number of UNIX systems management tools enforce their own particular interpretation
|
||||
of the Posix standards, and likewise do not permit upper-case or space characters in group
|
||||
of the POSIX standards and likewise do not permit uppercase or space characters in group
|
||||
or user account names. You have to experiment with your system to find what its
|
||||
peculiarities are.
|
||||
</para>
|
||||
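Review bot: two agreement errors survive the copyedit in this hunk: "Many UNIX system do not permit" should be "Many UNIX systems", and "the shadow-utils package that provides the group control functions ... do not permit them" should be "does not permit them" (the subject is the package). Also "A number of systems (i.e., Linux)" wants "e.g.", since Linux is given as an example rather than a restatement.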
@ -1762,7 +1761,7 @@ Users Ordinary users
|
||||
<para>
|
||||
UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
|
||||
kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
|
||||
you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned
|
||||
you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
|
||||
integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
|
||||
Please check this carefully before you attempt to effect a migration using the vampire process.
|
||||
</para>
|
||||
@ -1771,9 +1770,9 @@ Users Ordinary users
<primary>Migration speed</primary>
</indexterm>
Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP
to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts
per minute. Migration would obviously go much faster if LDAP mirroring is turned off during the migration.
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
</para>

</answer>
@ -6,12 +6,12 @@
<para>
<indexterm><primary>Novell</primary></indexterm>
<indexterm><primary>SUSE</primary></indexterm>
Novell is a company any seasoned IT manager has to admire. They have become increasingly
Linux-friendly and are emerging out of a deep regression that almost saw the company
Novell is a company any seasoned IT manager has to admire. It has become increasingly
Linux-friendly and is emerging out of a deep regression that almost saw the company
disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
platform of choice to which many older NetWare servers are being migrated.
It will be interesting to see what will become of NetWare over time.
Meanwhile, there can be no denying the fact that Novell is a Linux company.
It will be interesting to see what becomes of NetWare over time.
Meanwhile, there can be no denying that Novell is a Linux company.
</para>

<para>
@ -20,15 +20,15 @@
<indexterm><primary>Gentoo</primary></indexterm>
<indexterm><primary>Mandrake</primary></indexterm>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with
appropriate cognizance that file locations may vary a little; even so the information
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
the knowledge that file locations may vary a little; even so, the information
in this chapter should provide something of value.
</para>

<para>
<indexterm><primary>migration</primary></indexterm>
This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions, and who
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly now helps other administrators to solve thorny Samba migration questions.
</para>
@ -38,33 +38,33 @@
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>Mars_NWE</primary></indexterm>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice is much dependant on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for
of choice is much dependent on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
<command>rsync</command> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments - though probably not
migration will be filled with joyous and challenging moments &smbmdash; though probably not
concurrently.
</para>

<para>
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba based Windows file and print server. This chapter does not pretend
server and onto a Samba-ased Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server, its focus is on migration of data files.
off a NetWare server. Its focus is on migration of data files.
</para>

<para>
This chapter tells its own story, so ride along, ... maybe the information here presented
This chapter tells its own story, so ride along. Maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.
</para>

<para>
File paths have been modified to permit use of RPM packages provided by Novell. In the
original documentation contributed by Misty a the Courier-IMAP package had been built
original documentation contributed by Misty, the Courier-IMAP package had been built
directly from the original source tarball.
</para>
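Review bot: the new line "server and onto a Samba-ased Windows file and print server" drops the "b"; "Samba based" was meant to become "Samba-based". While this paragraph is in the edit, the unchanged context line "Mars_NWE (Martin Stovers' NetWare Emulator)" misplaces the possessive apostrophe and should read "Martin Stover's".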
@ -73,9 +73,9 @@

<para>
<indexterm><primary>Novell</primary></indexterm>
Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had
not received much attention for some years and was much in need of a make-over.
As a brand-new sysadmin to this company, she inherited a very old Novell file server,
Misty Stanley-Jones was recruited by Abmas to administer a network that had
not received much attention for some years and was much in need of a makeover.
As a brand-new sysadmin to this company, she inherited a very old Novell file server
and came with a determination to change things for the better.
</para>
@ -93,7 +93,7 @@
</simplelist>

<para>
The company had outgrown this server several years before and were dealing with
The company had outgrown this server several years before and was dealing with
severe growing pains. Some of the problems experienced were:
</para>
@ -102,7 +102,7 @@
<para>Very slow performance</para>
</listitem>
<listitem>
<para>Available storage hovering around the 5% range.</para>
<para>Available storage hovering around the 5% range</para>
<itemizedlist>
<listitem>
<para>Extremely slow print spooling.</para>
@ -110,7 +110,7 @@
<listitem>
<para>
Users storing information on their local hard
drives, causing backup integrity problems.
drives, causing backup integrity problems
</para>
</listitem>
</itemizedlist>
@ -119,7 +119,7 @@

<para>
<indexterm><primary>payroll</primary></indexterm>
At one point disk space had filled up to 100% causing the payroll database
At one point disk space had filled up to 100 percent, causing the payroll database
to become corrupt. This caused the accounting department to be down for over
a week and necessitated deployment of another file server. The replacement
server was created with very poor security and design considerations from
@ -135,8 +135,8 @@
configuration files and background will accelerate your learning as you
grapple with a similar migration challenge. Let there be no confusion,
the information presented in this chapter is provided to demonstrate
how Misty dealt with a particular NetWare migration requirement and
it provides an over-all approach to the implementation of a Samba-3
how Misty dealt with a particular NetWare migration requirement, and
it provides an overall approach to the implementation of a Samba-3
environment that is significantly divergent from that presented in
<link linkend="happy"/>.
</para>
@ -144,19 +144,19 @@
<para>
The complete removal of all site-specific information in order to produce
a generic migration solution would rob this chapter of its character.
It should be recognized therefore, that the examples given will require
significant adaptation to suit local needs and thus it is recognized that
there are some gaps in the example files. That is not Misty's fault, it
It should be recognized, therefore, that the examples given require
significant adaptation to suit local needs and thus
there are some gaps in the example files. That is not Misty's fault;it
is the result of treatment given to her files in an attempt to make
the overall information more useful to you.
</para>

<para>
<indexterm><primary>cost-benefit</primary></indexterm>
After presenting a cost-benefit report to management, as well as an estimated
After management reviewed a cost-benefit report as well as an estimated
time-to-completion, approval was given proceed with the solution proposed.
The server was built from purchased components. The total project cost
was $3000. A brief description of the configuration follows:
was $3,000. A brief description of the configuration follows:
</para>

<simplelist>
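Review bot: the new line "there are some gaps in the example files. That is not Misty's fault;it" is missing the space after the semicolon ("fault; it"). The unchanged context line "time-to-completion, approval was given proceed with the solution proposed." in the same hunk also drops a word and should read "approval was given to proceed".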
@ -184,7 +184,7 @@
</simplelist>

<para>
The new system has operated for six months without problems. Over the past months
The new system has operated for 6 months without problems. Over the past months
much attention has been focused on cleaning up desktops and user profiles.
</para>
@ -199,8 +199,8 @@
<indexterm><primary>e-Directory</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>identity management</primary></indexterm>
A decision to use LDAP was made even though I know nothing about LDAP except that
I had been reading the book <quote>LDAP System Administration</quote>, by Gerald Carter.
A decision to use LDAP was made even though I knew nothing about LDAP except that
I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.
</para>
@ -209,9 +209,9 @@
<indexterm><primary>database</primary></indexterm>
<indexterm><primary>RPM</primary></indexterm>
<indexterm><primary>tree</primary></indexterm>
Building the LDAP database took a while, and a lot of trial and error. Following
the guidance I obtained from Jerry Carter's book <quote>LDAP System
Administration</quote>, I installed OpenLDAP (from RPM; later I compiled
Building the LDAP database took a while and a lot of trial and error. Following
the guidance I obtained from <quote>LDAP System
Administration,</quote> I installed OpenLDAP (from RPM; later I compiled
a more current version from source) and built my initial LDAP tree.
</para>
|
<indexterm><primary>IMAP</primary></indexterm>
<indexterm><primary>POP3</primary></indexterm>
<indexterm><primary>SMTP</primary></indexterm>
The first challenge was to create a company white-pages, followed by manually
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
objectclass from the OpenLDAP schemas. The next step was to write a shell script which
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
files on our mail server, and create a LDIF file from which the information could be
files on our mail server and create a LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
</para>

<para>
Given that a decision had been made to use Courier-IMAP the schema <quote>authldap.schema</quote>
from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used this file is named
Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote>
from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
<filename>courier.schema</filename>.
</para>
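Review bot: the comma added in "from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory" splits the compound "source tarball"; the comma that was wanted belongs after the introductory clause on the preceding new line, giving "Because a decision was made to use Courier-IMAP, the schema <quote>authldap.schema</quote> from the Courier-IMAP source tarball is necessary". The unchanged "create a LDIF file" earlier in the hunk should also become "an LDIF file".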
@ -252,7 +252,7 @@
</para>

<para>
An attempt was made to use the PADL POSIX account migration scripts but I gave up trying to
An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
make them work. Instead, even though it is most inelegant, I wrote a simple script that did
what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>.
@ -287,12 +287,12 @@ done
</example>

<note><para>
<title>Editors' Note</title>

The PADL MigrationTools are recommended for migration of the UNIX account information into
the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
files (or from a name service such as NIS). This too set can be obtained from the <ulink url=
"http://www.padl.com">PADL</ulink> web site.
"http://www.padl.com">PADL Web site</ulink>.
</para></note>

</sect2>
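Review bot: two typos in the Editors' Note pass through this hunk as unchanged context: "protocols, PRCs, and services" should read "RPCs" (the rpc map is the NSS database meant), and "This too set can be obtained" should read "This tool set".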
@ -551,7 +551,7 @@ tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
</example>

<para>
The Name Server Switch control file <filename>/etc/nsswitch.conf</filename> has the following contents:
The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents:
<screen>
# /etc/nsswitch.conf
# This file controls the resolve order for system databases.
@ -572,7 +572,7 @@ group: compat ldap
module is shown in <link linkend="sbepu2"/> file.
This works out of the box with the configuration files in this chapter. It
enables you to have no local accounts for users (it is highly advisable
to have a local account for the root user). Traps for the unwary include:
to have a local account for the root user). Traps for the unwary include the following:
</para>

<example id="sbepu2">
@ -626,15 +626,15 @@ session: none

<listitem>
<para>
If fail-over is configured incorrectly weird behavior can occur. For example,
DNS failing to resolve.
If failover is configured incorrectly, weird behavior can occur. For example,
DNS can fail to resolve.
</para>
</listitem>
</itemizedlist>

<para>
I do have two LDAP slave servers configured. That subject is beyond the scope
of this document and steps for implementing it are well-documented.
of this document, and steps for implementing it are well documented.
</para>

<para>
@ -652,15 +652,15 @@ session: none
<para>
<indexterm><primary>white-pages</primary></indexterm>
<indexterm><primary>Windows Address Book</primary></indexterm>
Company-wide White-Pages can be searched using a LDAP client
Companywide white pages can be searched using an LDAP client
such as the one in the Windows Address Book.
</para>

<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>smbldap-tools</primary></indexterm>
Having gained a solid understanding of LDAP, and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable SAMBA and
Having gained a solid understanding of LDAP and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable Samba and
also installed the latest <command>smbldap-tools</command> from
<ulink url="http://idealx.com">Idealx</ulink>.
</para>
@ -883,21 +883,21 @@ session: none
<indexterm><primary>rsyncd.conf</primary></indexterm>
<indexterm><primary>synchronize</primary></indexterm>
Note: During the process of building the new server, I kept data files
up-to-date with the Novell server via use of <command>rsync</command>.
On a separate system (my workstation in fact) which could be rebooted
up to date with the Novell server via use of <command>rsync</command>.
On a separate system (my workstation in fact), which could be rebooted
whenever necessary, I set up a mount point to the Novell server via
<command>ncpmount</command>. I then created a
<filename>rsyncd.conf</filename> to share that mount point out to my
new server, and synchronized once an hour. The script I used to synchronize
is shown in <link linkend="sbersync"/>. The files exclusion list I used
is shown in <link linkend="sbexcld"/>. The reason I had to have the
<command>rsync</command> daemon running on a system which could be
<command>rsync</command> daemon running on a system that could be
rebooted frequently is because <constant>ncpfs</constant>
(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
mount points which cannot be recovered without a reboot. The reason for hourly
mount points that cannot be recovered without a reboot. The reason for hourly
synchronization is because some part of the chain was very slow and
performance-heavy (whether <command>rsync</command> itself, the network,
or the Novell server I am not sure probably the Novell server).
or the Novell server, I am not sure, but it was probably the Novell server).
</para>

<example id="sbersync">
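Review bot: the unchanged context lines "rebooted frequently is because <constant>ncpfs</constant>" and "(part of the MARS NetWare Emulation package)" conflate two separate packages: ncpfs supplies the client filesystem and the <command>ncpmount</command> used earlier in this paragraph, while Mars_NWE, introduced at the top of this chapter as Martin Stover's server-side NetWare emulator, is a different project. Since the paragraph is being copy-edited anyway, the parenthetical should be dropped or corrected.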
@ -951,8 +951,8 @@ fi
</example>

<para>
After Samba had been configured, I initialized the LDAP database. So the first
thing I had to do was to store the LDAP password in the Samba configuration by
After Samba was configured, I initialized the LDAP database. The first
thing I had to do was store the LDAP password in the Samba configuration by
issuing the command (as root):
<screen>
&rootprompt; smbpasswd -w verysecret
|
The Idealx smbldap-tools package can be configured using a script called
<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
for an example of its use. Many administrators, like Misty, choose to do this manually
so as to maintain greater awareness of how the tool-chain works, and possibly to avoid
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
undesirable actions from occurring un-noticed.
</para></note>

<para>
Now Samba is ready for use. Now configure the smbldap-tools. There are two
Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
relevant files, which are usually put into the directory
<filename>/etc/smbldap-tools</filename>. The main file,
<filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
@ -1164,8 +1164,8 @@ smbpasswd="/usr/bin/smbpasswd"

<para>
<indexterm><primary>TLS</primary></indexterm>
NOTE: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also I chose not to take advantage
Note: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also, I chose not to take advantage
of the master/slave configuration as I heard horror stories that it was
unstable. My slave servers are replicas only.
</para>
|
############################
# Credential Configuration #
############################
# Notes: you can specify two different configuration if you use a
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
|
</para>

<para>
We can now run the <command>smbldap-populate</command> command which will populate
The next step was to run the <command>smbldap-populate</command> command, which populates
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
It will create a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine you can still log in a root to a Windows system,
but it will break cached credentials if you need to log in as the administrator
to a system that is not on the network for whatever reason.
It creates a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine because you can still log on a root to a Windows system,
but it will break cached credentials if you need to log on as the administrator
to a system that is not on the network.
</para>

<para>
After the LDAP database has been pre-loaded it is prudent to validate that the
After the LDAP database has been preloaded, it is prudent to validate that the
information needed is in the LDAP directory. This can be done done by restarting
the LDAP server, then performing an LDAP search by executing:
<screen>
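Review bot: the new line "This is fine because you can still log on a root to a Windows system," carries over the old line's "a root", which should be "as root". In the same hunk the unchanged context line "information needed is in the LDAP directory. This can be done done by restarting" duplicates "done". Given that the hunk header shows the smbldap-tools bind configuration holding masterPw="verysecret" in cleartext, this is also the natural place to remind readers that the file it lives in must be readable by root only.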
@ -1250,11 +1250,11 @@ ou: Idmap
<indexterm><primary>smbldap-groupadd</primary></indexterm>
<indexterm><primary>RID</primary></indexterm>
<indexterm><primary>sambaGroupMapping</primary></indexterm>
With the LDAP directory now initialized it is time to create the Windows and POSIX
With the LDAP directory now initialized, it was time to create the Windows and POSIX
(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
The easiest way to do this is to use <command>smbldap-groupadd</command> command.
It will create the group with the posixGroup and sambaGroupMapping attributes, a
unique GID, and an automatically-determined RID. I learned the hard way not to
The easiest way to do this was to use <command>smbldap-groupadd</command> command.
It creates the group with the posixGroup and sambaGroupMapping attributes, a
unique GID, and an automatically determined RID. I learned the hard way not to
try to do this by hand.
</para>
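Review bot: "The easiest way to do this was to use <command>smbldap-groupadd</command> command." is still missing its article ("to use the <command>smbldap-groupadd</command> command"); the old line had the same omission.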
@ -1273,7 +1273,7 @@ ou: Idmap
<indexterm><primary>posixAccount</primary></indexterm>
<indexterm><primary>smbldap-usermod</primary></indexterm>
The most monumental task of all was adding the sambaSamAccount information to each
already-existent posixAccount entry. I did it one at a time as I moved people onto
already existent posixAccount entry. I did it one at a time as I moved people onto
the new server, by issuing the command:
<screen>
&rootprompt; smbldap-usermod -a -P username
@ -1281,8 +1281,8 @@ ou: Idmap
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>LDIF</primary></indexterm>
<indexterm><primary>slapcat</primary></indexterm>
I completed that step for every user after asking the person what their current
NetWare password was. The wiser way to have done it would probably be to dump the
I completed that step for every user after asking the person what his or her current
NetWare password was. The wiser way to have done it would probably have been to dump the
entire database to an LDIF file. This can be done by executing:
<screen>
&rootprompt; slapcat > somefile.ldif
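Review bot: "&rootprompt; slapcat > somefile.ldif" dumps the whole directory, including every userPassword value and the Samba password hashes of the accounts already migrated, into a file created with the shell's default umask. Since the rewritten sentence now recommends this as "The wiser way to have done it", the text should also say to run it with a restrictive umask (or chmod 600 the output) and to delete the dump once the edited LDIF has been loaded back.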
@ -1307,7 +1307,7 @@ ou: Idmap
</para>

<para>
So first I added a test user, of course. The LDIF for this test user looks like
I first added a test user, of course. The LDIF for this test user looks like
this, to give you an idea:
<screen>
# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
@ -1378,10 +1378,10 @@ sambaAcctFlags: [W ]

<para>
<indexterm><primary>netlogon</primary></indexterm>
So now I can log in with a test user from the machine w2kengrspare. It's all fine and
good, but that user is in no groups yet so has pretty boring access. We can fix that
So now I could log on with a test user from the machine w2kengrspare. It was all fine and
good, but that user was in no groups yet and so had pretty boring access. I fixed that
by writing the login script! To write the login script, I used
<ulink url="http://www.kixtart.org">Kixtart</ulink>. I used it because it will work
<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
with every architecture of Windows, has an active and helpful user base, and was both
easier to learn and more powerful than the standard netlogon scripts I have seen.
I also did not have to do a logon script per user or per group.
@ -1389,7 +1389,7 @@ sambaAcctFlags: [W ]

<para>
<indexterm><primary>Kixtart</primary></indexterm>
I downloaded Kixtart and put the following files in my [netlogon] share:
I downloaded Kixtart and put the following files in my netlogon share:
<screen>
KIX32.EXE
KX32.dll
@ -1589,16 +1589,16 @@ ENDIF
</example>

<para>
As you can see in the script, I redirect the My Documents to the user's home
share if they are not in the Laptop group. I also add printers on a
group-by-group basis, and if applicable I setthe group printer. For this to
As you can see in the script, I redirected the My Documents to the user's home
share if he or she were not in the Laptop group. I also added printers on a
group-by-group basis, and if applicable I set the group printer. For this to
be effective, the print drivers must be installed on the Samba server in the
<filename>[print$]</filename> share. Ample documentation exists about how to
do that so I did not cover it.
do that, so it is not covered here.
</para>

<para>
I actually call this script via the logon.bat script in the [netlogon] directory:
I call this script via the logon.bat script in the [netlogon] directory:
<screen>
\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
</screen>
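Review bot: "share if he or she were not in the Laptop group" uses the subjunctive "were" for a plain past-tense condition that now follows "I redirected"; "was not" is the form wanted here.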
@ -1608,12 +1608,12 @@ ENDIF

<para>
Also of note for Win9x is that the drive mappings and printer setup will not
work because they rely on RPC. One merely has to put the appropriate settings
work because they rely on RPC. You merely have to put the appropriate settings
into the <filename>c:\autoexec.bat</filename> file or map the drives manually.
One option would be to check the OS as part of the Kixtart script, and if it
is Win9x and if it is the first login, copy a pre-made
One option is to check the OS as part of the Kixtart script, and if it
is Win9x and is the first login, copy a premade
<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
only have three such machines and one is going away in the very near future,
have onlythree such machines, and one is going away in the very near future,
so it was easier to do it by hand.
</para>
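Review bot: the new line "have onlythree such machines, and one is going away in the very near future," lost the space in "only three".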
@ -1622,14 +1622,14 @@ ENDIF
At this point I was able to add the users. This is the part that really falls
into upgrade. I moved the users over one group at a time, starting with the
people who used the least amount of resources on the network. With each group
that I moved, I first logged in as a standard user in that group and took
careful note of their environment, mainly the printers they used, their PATH,
and what network resources they had access to (most importantly which ones
they actually needed access to).
that I moved, I first logged on as a standard user in that group and took
careful note of the environment, mainly the printers he or she used, the PATH,
and what network resources he or she had access to (most importantly, which ones
the user actually needed access to).
</para>

<para>
I would then add the user's SambaSamAccount information as mentioned earlier,
I then added the user's SambaSamAccount information as mentioned earlier,
and join the computer to the domain. The very first thing I had to do was to
copy the user's profile to the new server. This was very important, and I really
struggled with the most effective way to do it. Here is the method that worked
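Review bot: changing "I would then add" to "I then added" leaves the continuation on the unchanged context line "and join the computer to the domain." in the wrong tense; it should become "and joined the computer to the domain".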
@ -1639,7 +1639,7 @@ ENDIF
<procedure>
<step><para>
Log in as the user on the domain. This creates the local copy
of the user's profile and copies it to the server as they log out.
of the user's profile and copies it to the server as he or she logs out.
</para></step>

<step><para>
@ -1660,17 +1660,17 @@ ENDIF
In the next dialog, copy it directly to the profiles share on the
Samba server (\\PDCname\profiles\user\<architecture> in my
case). You will have had to make a connection to the share as that
user (e.g.: Windows Explorer type \\PDCname\profiles\username).
user (e.g., Windows Explorer type \\PDCname\profiles\username).
</para></step>

<step><para>
When the copy is complete (it can take a while) log out, and log back in
as the user. All his/her settings and all contents of My Documents,
as the user. All of his or her settings and all contents of My Documents,
Favorites, and the registry should have been copied successfully.
</para></step>

<step><para>
If it doesn't look right (the dead giveaway is the desktop background)
If it doesn't look right (the dead giveaway is the desktop background),
shut down the computer without logging out (power cycle) and try logging
in as the user again. If it still doesn't work, repeat the steps above.
I only had to ever repeat it once.
@ -1679,18 +1679,18 @@ ENDIF
</procedure>

<para>
WORDS TO THE WISE:
Words to the Wise:
</para>

<itemizedlist>
<listitem><para>
If the user was anything other than a standard user on his/her system
before, you will save yourself some headaches by giving them identical
permissions (on the local machine) as their domain account, BEFORE
copying their profile over. Do this through the User Administrator
If the user was anything other than a standard user on his or her system
before, you will save yourself some headaches by giving him or her identical
permissions (on the local machine) as his or her domain account <emphasis>before</emphasis>
copying the profile over. Do this through the User Administrator
in the Control Panel, after joining the computer to the domain and
before logging as that user for the first time. Otherwise they will
have trouble with permissions on their registry keys.
before logging on as that user for the first time. Otherwise the user will
have trouble with permissions on his or her registry keys.
</para></listitem>

<listitem><para>
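Review bot: "giving him or her identical permissions (on the local machine) as his or her domain account" in the list item is both ungrammatical ("identical ... as" should be "the same permissions ... as") and easy to over-read: it carries forward whatever local rights the old local account had, local Administrator membership included, so the sentence should say that it means matching the old local account's group membership for the new domain account, not granting more than the user already had.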
@ -1703,53 +1703,53 @@ ENDIF
After all these steps are accomplished, only cleanup details are left. Make sure user's
shortcuts and Network Places point to the appropriate place on the new server, check
the important applications to be sure they work as expected and troubleshoot any problems
that might arise, check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way)
that might arise, and check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way),
you will need to log in as a local administrator and delete them.
</para>

<para>
For my non-laptop systems, I would then log in and out a couple times as the user,
to be sure that their registry settings were modified, then I was finished.
For my non-laptop systems, I would then log in and out a couple times as the user
to be sure that his or her registry settings were modified, and then I was finished.
</para>

<para>
Some compatibility issues that cropped up included:
Some compatibility issues that cropped up included the following:
</para>

<para>
Blackberry client &smbmdash; It did not like having its registry settings moved around,
and had to be reinstalled. Also it needed write permissions to a portion of
Blackberry client: It did not like having its registry settings moved around
and so had to be reinstalled. Also, it needed write permissions to a portion of
the hard drive, and I had to give it those manually on the one system where
this was an issue.
</para>

<para>
CAMedia &smbmdash; digital camera software for Canon cameras I had all kinds of trouble
CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
with the registry. I had to use the Run as service to open the registry of
the local user while logged in as the domain user, and give the domain user
the appropriate permissions to some registry keys, then export that portion
of the registry to a file. Then as the domain user I had to import that file
of the registry to a file. Then, as the domain user, I had to import that file
into the registry.
</para>

<para>
Crystal Reports version 7 &smbmdash; More registry problems that were solved by re-copying
Crystal Reports version 7: More registry problems that were solved by recopying
the user's profile.
</para>

<para>
Printing from legacy applications &smbmdash; I found out that Novell sent its jobs to
the printer in a raw format. CUPS sends them in Postscript by default. I had
Printing from legacy applications: I found out that Novell sends its jobs to
the printer in a raw format. CUPS sends them in PostScript by default. I had
to make a second printer definition for one printer and tell CUPS specifically
to send raw data to the printer, and assign this printer to the LPT port with
to send raw data to the printer, then assign this printer to the LPT port with
Kixtart's version of the net use command.
</para>

<para>
These were all eventually solved by elbow grease, queries to the Samba mailing
list and others, and diligence. The complete migration took about 5 weeks.
My userbase is relatively small, but includes multiple versions of Windows,
My userbase is relatively small but includes multiple versions of Windows,
multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
applications written in Qbasic and R:Base, just to name a few. I actually
ended up making some of these applications work better (or work again, as
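Review bot: "Novell sent its jobs" is changed to "Novell sends its jobs" in the printing paragraph, which breaks the past tense of the narrative around it ("I found out that", "I had to make"); keep "sent", since the Novell server is the system being migrated away from. Also, "the Run as service" and "the net use command" in this hunk are left in plain text; the `<command>` markup this patch uses for `smbd` and `winbindd` elsewhere would be consistent here.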
@ -1759,22 +1759,22 @@ ENDIF

<para>
The one thing I have not been able to get working is a very old database that
we had around for reference purposes which uses Novell's Btrieve engine.
we had around for reference purposes; it uses Novell's Btrieve engine.
</para>

<para>
As the resources compare, I went from 95% disk usage to just around 10%.
I went from a very high load on the server to an average load of between 1
and 2 runnable processes on the server. I have improved the security and
As the resources compare, I went from 95 percent disk usage to just around 10 percent.
I went from a very high load on the server to an average load of between one
and two runnable processes on the server. I have improved the security and
robustness of the system. I have also implemented
<ulink url="http://www.clamav.net">ClamAV</ulink> Anti-virus
which scans the entire Samba server for viruses every two hours and
<ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software,
which scans the entire Samba server for viruses every 2 hours and
quarantines them. I have found it much less problematic than our ancient
version of Norton Anti-virus Corporate Edition, and much more up-to-date.
version of Norton Antivirus Corporate Edition, and much more up-to-date.
</para>

<para>
In short, my users are much happier now that the new server is running, that
In short, my users are much happier now that the new server is running, and that
is what is important to me.
</para>

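Review bot: number style inside this hunk is inconsistent: "1 and 2 runnable processes" is spelled out to "one and two", while "every two hours" is changed in the opposite direction to "every 2 hours"; apply one convention (spelled-out small numbers, as in the first change) to both.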
@ -5,10 +5,10 @@

<para>
Congratulations, your Samba networking skills are developing nicely. You started out
with three simple networks in Chapter 1, and then in Chapter 2 you designed and built a
network that provides a high degree of flexibility, integrity, and dependability. It
was enough for the basic needs each was designed to fulfill. In this chapter you
address a more complex set of needs. The solution you explore
with three simple networks in <link linkend="simple"/>, and then in <link linkend="small"/>
you designed and built a network that provides a high degree of flexibility, integrity,
and dependability. It was enough for the basic needs each was designed to fulfill. In
this chapter you address a more complex set of needs. The solution you explore
introduces you to basic features that are specific to Samba-3.
</para>

@ -280,7 +280,7 @@
<indexterm><primary>dynamic DNS</primary></indexterm>
<indexterm><primary>DDNS</primary><see>dynamic DNS</see></indexterm>
<indexterm><primary>DHCP server</primary></indexterm>
Compared with the DHCP server configuration in Chapter 2, <link linkend="dhcp01"/>, the
Compared with the DHCP server configuration in <link linkend="small"/>, <link linkend="dhcp01"/>, the
configuration used in this example has to deal with the presence of an Internet connection.
The scope set for it ensures that no DHCP services will be offered on the external
connection. All printers are configured as DHCP clients so that the DHCP server assigns
@ -962,7 +962,7 @@ root = Administrator
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>add</tertiary></indexterm>
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>modify</tertiary></indexterm>
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Chapter 2,
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <link linkend="small"/>,
<link linkend="initGrps"/>. Create a file containing this script. We called ours
<filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
and then execute the script. Sample output should be as follows:
@ -1157,7 +1157,7 @@ net use p: \\diamond\apps
<example id="prom-dhcp">
<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
<screen>
# Abmas Accounting Inc. - Chapter 4
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
default-lease-time 86400;
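Review bot: the `/etc/dhcpd.conf` example in this hunk repeats `default-lease-time 86400;` after `max-lease-time 172800;` (both are unchanged context lines, the last three lines of the hunk); the second occurrence is redundant and should be dropped while the example's header comment is being edited.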
@ -1890,7 +1890,7 @@ $rootprompt; ps ax | grep winbind
</screen>
The <command>winbindd</command> daemon is running in split mode (normal), so there are also
two instances<footnote><para>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal. One additional
Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal. One additional
<command>smbd</command> slave process is spawned for each SMB/CIFS client
connection.</para></footnote> of it.
</para></step>
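Review bot: "For more information regarding winbindd" in the footnote leaves `winbindd` unmarked, whereas the equivalent sentence in the hunk at line 769 of the other chapter uses `<command>winbindd</command>`; mark it up the same way here.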
@ -2608,7 +2608,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
expression that may be up to 1024 characters in length and that represents an IP address.
A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character
is a name type indicator. A specific name type is registered<footnote><para>
See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information.</para></footnote> for each
See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information.</para></footnote> for each
type of service that is provided by the Windows server or client and that may be registered
where a WINS server is in use.
</para>
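Review bot: the removed and added lines of this hunk ("See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information.") are identical as rendered, so the change is presumably trailing whitespace only; if that is not intended, this hunk can be dropped from the patch.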
@ -4,7 +4,7 @@
<title>Small Office Networking</title>

<para>
Chapter 1 focused on the basics of simple yet effective
<link linkend="simple"/> focused on the basics of simple yet effective
network solutions. Network administrators who take pride in their work
(that's most of us, right?) take care to deliver what our users want,
but not too much more. If we make things too complex, we confound our users
@ -264,7 +264,7 @@
The alternate approach could be to demonstrate the migration of the system that is documented
in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with
future examples, as a new installation is based on the premise that you can determine
the migration steps from the information provided in Chapter ?????????.
the migration steps from the information provided in <link linkend="ntmigration"/>.
Additionally, a fresh installation makes the example easier to follow.
</para>

@ -769,7 +769,7 @@ $rootprompt; ps ax | grep winbind
</screen>
The <command>winbindd</command> daemon is running in split mode (normal), so there are also
two instances of it. For more information regarding <command>winbindd</command>, see <emphasis>TOSHARG</emphasis>,
Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal.
Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal.
</para></step>

<step><para>
@ -37,8 +37,8 @@ context in either book, I could not find it.
<para>
<indexterm><primary>contributions</primary></indexterm>
So in response to the significant request for these situations to be better
documented this chapter has now been added. User contributions and documentation
of real-world experiences will be a most welcome addition to this chapter.
documented, this chapter has now been added. User contributions and documentation
of real-world experiences are a most welcome addition to this chapter.
</para>

<sect1>
@ -49,20 +49,20 @@ of real-world experiences will be a most welcome addition to this chapter.
<indexterm><primary>upgrade</primary></indexterm>
<indexterm><primary>frustration</primary></indexterm>
A Windows network administrator explained in an email what changes he was
planning to make and and followed with the question: <quote>Anyone done this before?</quote>.
Many of us have upgraded and updated Samba without incident. Others have
experienced much pain and user frustration. So it is to be hoped that the
notes in this chapter will make a positive difference by assuring that
someone will be saved a lot of discomfort.
planning to make and followed with the question: <quote>Anyone done this
before?</quote> Many of us have upgraded and updated Samba without incident.
Others have experienced much pain and user frustration. So it is to be hoped
that the notes in this chapter will make a positive difference by assuring
that someone will be saved a lot of discomfort.
</para>

<para>
Before anyone commences an upgrade or an update of Samba the one cardinal
Before anyone commences an upgrade or an update of Samba, the one cardinal
rule that must be observed is: Backup all Samba configuration files in
case it is necessary to revert to the old version. Even if you do not like
this precautionary step, users will punish an administrator who
fails to take adequate steps to avoid situations that may inflict lost
productivity on a user.
productivity on them.
</para>

<warning><para>
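Review bot: "Backup all Samba configuration files" in the second paragraph uses "Backup" as a verb; it should be "Back up", consistent with "be backed up" in the hunk at line 463. In the first paragraph, "assuring that someone will be saved" reads better as "ensuring that".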
@ -81,8 +81,8 @@ in the rare event that this may be necessary.
It is prudent also to backup all data files on the server before attempting
to perform a major upgrade. Many administrators have experienced the consequences
of failure to take adequate precautions. So what is adequate? That is simple!
If data is lost during an upgrade or and update and it can not be restored
the precautions take were inadequate. If a backup was not needed, but was available,
If data is lost during an upgrade or update and it can not be restored,
the precautions taken were inadequate. If a backup was not needed, but was available,
precaution was on the side of the victor.
</para>

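Review bot: "it can not be restored" in the changed line keeps "can not", while the hunk at line 315 changes the same phrase to "cannot"; use "cannot" here as well. The context line "It is prudent also to backup all data files" has the same "backup"-as-verb problem as the previous hunk and could be fixed while this paragraph is open.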
@ -99,16 +99,16 @@ precaution was on the side of the victor.
<indexterm><primary>upgrade</primary></indexterm>
<indexterm><primary>generation</primary></indexterm>
This is as good a time as any to define the terms <constant>upgrade</constant> and
<constant>update</constant>. The term <constant>upgrade</constant> is used to refer to
<constant>update</constant>. The term <constant>upgrade</constant> refers to
the installation of a version of Samba that is a whole generation or more ahead of
that which is installed. Generations are indicated by the first digit of the version
number. So far Samba has been released in generations 1.x, 2.x, 3.x and currently 4.0
number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0
is in development.
</para>

<para>
<indexterm><primary>generation</primary></indexterm>
The term <constant>update</constant> is used to refer to a minor version number installation
The term <constant>update</constant> refers to a minor version number installation
in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14
is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade.
</para>
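Review bot: "released in generations 1.x, 2.x, 3.x, and currently 4.0 is in development" now reads as though 4.0 were one of the released generations; splitting it ("generations 1.x, 2.x, and 3.x; 4.0 is currently in development") removes the ambiguity.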
@ -118,15 +118,15 @@ precaution was on the side of the victor.
While the use of these terms is an exercise in semantics, what needs to be realized
is that there are major functional differences between a Samba 2.x release and a Samba
3.0.x release. Such differences may require a significantly different approach to
solving the same networking challenge and generally requires careful review of the
solving the same networking challenge and generally require careful review of the
latest documentation to identify precisely how the new installation may need to be
modified to preserve prior functionality.
</para>

<para>
There is an old axiom that says, <quote>The greater the volume of the documentation
the greater the risk that no-one will read it, but where there is no documentation
no-one can read it!</quote>. While true, some documentation is an evil necessity.
There is an old axiom that says, <quote>The greater the volume of the documentation,
the greater the risk that noone will read it, but where there is no documentation,
noone can read it!</quote> While true, some documentation is an evil necessity.
It is to be hoped that this update to the documentation will avoid both extremes.
</para>

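Review bot: "no-one" is changed to "noone" in both changed lines of the quoted axiom, but "noone" is not a word; the intended form is "no one".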
@ -140,7 +140,7 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>networking</primary><secondary>client</secondary></indexterm>
<indexterm><primary>security</primary><secondary>identifier</secondary></indexterm>
Before the days of Windows NT and OS/2 every Windows and DOS networking client
Before the days of Windows NT and OS/2, every Windows and DOS networking client
that used the SMB protocols was an entirely autonomous entity. There was no concept
of a security identifier for a machine or a user outside of the username, the
machine name, and the workgroup name. In actual fact, these were not security identifiers
@ -155,7 +155,7 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>username</primary></indexterm>
<indexterm><primary>Windows</primary><secondary>client</secondary></indexterm>
Versions of Samba prior to 1.9 did not make use of a SID, instead they make exclusive use
Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use
of the username that is embedded in the SessionSetUpAndX component of the connection
setup process between a Windows client and an SMB/CIFS server.
</para>
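Review bot: splitting the sentence leaves a tense mismatch in "did not make use of a SID. Instead they make exclusive use"; "they make" should be "they made" ("Instead, they made exclusive use").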
@ -165,7 +165,7 @@ precaution was on the side of the victor.
<indexterm><primary>rpc</primary></indexterm>
<indexterm><primary>security</primary></indexterm>
Around November 1997 support was added to Samba-1.9 to handle the Windows security
rpc based protocols that implemented support for Samba to store a machine SID. This
RPC-based protocols that implemented support for Samba to store a machine SID. This
information was stored in a file called <filename>MACHINE.SID.</filename>
</para>

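Review bot: in the context line "<filename>MACHINE.SID.</filename>" the sentence period sits inside the `<filename>` element, so the filename renders as "MACHINE.SID."; move it outside: "<filename>MACHINE.SID</filename>.".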
@ -173,9 +173,9 @@ precaution was on the side of the victor.
<indexterm><primary>machine</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>secrets.tdb</primary></indexterm>
Within the life time of the early Samba 2.x series the machine SID information was
relocated into a tdb file called <filename>secrets.tdb</filename>, which is where is
is still located in Samba 3.0.x along with other information that pertains to the
Within the lifetime of the early Samba 2.x series, the machine SID information was
relocated into a tdb file called <filename>secrets.tdb</filename>, which is where
it is still located in Samba 3.0.x along with other information that pertains to the
local machine and its role within a domain security context.
</para>

@ -186,7 +186,7 @@ precaution was on the side of the victor.
<indexterm><primary>SAS</primary></indexterm>
There are two types of SID, those pertaining to the machine itself and the domain to
which it may belong, and those pertaining to users and groups within the security
context of the local machine (in the case of stand-alone servers (SAS) and domain member
context of the local machine, in the case of standalone servers (SAS) and domain member
servers (DMS).
</para>

@ -198,24 +198,24 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>secrets.tdb</primary></indexterm>
When the Samba <command>smbd</command> daemon is first started, if the <filename>secrets.tdb</filename>
file does not exist it is created at the first client connection attempt. If this file does
exist, <command>smbd</command> checks that there is a machine SID (if it is a domain controller
file does not exist, it is created at the first client connection attempt. If this file does
exist, <command>smbd</command> checks that there is a machine SID (if it is a domain controller,
it searches for the domain SID). If <command>smbd</command> does not find one for the current
name of the machine or for the current name of the workgroup a new SID will be generated and
then written to the <filename>secrets.tdb</filename> file. The SID is generated in a non-determinative
name of the machine or for the current name of the workgroup, a new SID will be generated and
then written to the <filename>secrets.tdb</filename> file. The SID is generated in a nondeterminative
manner. This means that each time it is generated for a particular combination of machine name
(hostname) and domain name (workgroup) it will be different.
(hostname) and domain name (workgroup), it will be different.
</para>

<para>
<indexterm><primary>ACL</primary></indexterm>
The SID is the key used by MS Windows networking for all networking operations. This means
that when the machine or domain SID changes all security encoded objects such as profiles
that when the machine or domain SID changes, all security-encoded objects such as profiles
and ACLs may become unusable.
</para>

<note><para>
It is of paramount importance that the machine and domain SID must be backed up so that in
It is of paramount importance that the machine and domain SID be backed up so that in
the event of a change of hostname (machine name) or domain name (workgroup) the SID can
be restored to its previous value.
</para></note>
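Review bot: "non-determinative" is changed to "nondeterminative", but the property the paragraph describes (a different SID on every generation) is "nondeterministic", which is the standard term. The `<note>` that follows says the machine and domain SID must be backed up but not how; a pointer to the procedure in the hunks at lines 255 and 280, where the SID is displayed and written back with `smbpasswd -W`, would make the note actionable.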
@ -232,8 +232,8 @@ precaution was on the side of the victor.
<indexterm><primary>SAS</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain
SID. On all prior versions the hostname (computer name, or netbios name) controlled
the SID. On a stand-alone server (SAS) the hostname still controls the SID.
SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled
the SID. On a standalone server the hostname still controls the SID.
</para>

<para>
@ -255,13 +255,13 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429

<para>
Samba 1.9.x stored the machine SID in the the file <filename>/etc/MACHINE.SID</filename>
from which it can be recovered and stored into the <filename>secrets.tdb</filename> file
from which it could be recovered and stored into the <filename>secrets.tdb</filename> file
using the procedure shown above.
</para>

<para>
Where the <filename>secrets.tdb</filename> file exists and a version of Samba 2.x or later
has been used there is no specific need to go through this update process. Samba-3 has the
has been used, there is no specific need to go through this update process. Samba-3 has the
ability to read the older tdb file and to perform an in-situ update to the latest tdb format.
This is not a reversible process &smbmdash; it is a one-way upgrade.
</para>
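Review bot: the context line "Samba 1.9.x stored the machine SID in the the file" has a doubled "the" immediately above the changed line and should be fixed in the same pass. Separately, "This is not a reversible process &smbmdash; it is a one-way upgrade" is the strongest reason for the `secrets.tdb` backup required in the hunk at line 463; a cross-reference from here to that paragraph would help.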
@ -280,7 +280,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
<screen>
&rootprompt; smbpasswd -S PDC -Uadministrator%password
</screen>
From which the SID could be copied to a file and then it could be written to the Samba 2.2.x
from which the SID could be copied to a file and then written to the Samba-2.2.x
<filename>secrets.tdb</filename> file by executing:
<screen>
&rootprompt; smbpasswd -W S-1-5-21-726309263-4128913605-1168186429
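Review bot: the first `<screen>` in this hunk passes the credential as `-Uadministrator%password`, and the rpcclient example in the hunk at line 290 does the same with `-Uroot%password`; since the surrounding prose is being reworded anyway, one sentence stating that `password` is a placeholder to be substituted, not typed literally, would keep readers from copying the examples verbatim.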
@ -290,7 +290,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
<para>
<indexterm><primary>rpcclient</primary></indexterm>
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>info</tertiary></indexterm>
Domain security information, that includes the domain SID, can be obtained from Samba-2.2.x
Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x
systems by executing:
<screen>
&rootprompt; rpcclient lsaquery -Uroot%password
@ -315,9 +315,9 @@ Num local groups: 0
<indexterm><primary>SID</primary></indexterm>
Take note that the domain SID is used extensively in Samba. Where LDAP is used for the
<parameter>passdb backend</parameter>, all user, group, and trust accounts are encoded
with the domain SID. This means that if the domain SID changes for any reason the entire
Samba environment can become broken thus requiring extensive corrective action is the
original SID can not be restored. Fortunately, it can be recovered from a dump of the
with the domain SID. This means that if the domain SID changes for any reason, the entire
Samba environment can become broken and require extensive corrective action if the
original SID cannot be restored. Fortunately, it can be recovered from a dump of the
LDAP database. A dump of the LDAP directory database can be obtained by executing:
<screen>
&rootprompt; slapcat -v -l filename.ldif
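Review bot: the paragraph says the domain SID "can be recovered from a dump of the LDAP database" but not that the dump has to exist from before the SID changed, i.e. it belongs with the pre-upgrade backups this chapter requires; say so. And since, by the preceding sentence, the dump holds every user, group, and trust account, it needs the same care as the `secrets.tdb` backup.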
@ -328,14 +328,14 @@ Num local groups: 0
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>profiles</primary></indexterm>
<indexterm><primary>RPM</primary></indexterm>
When the domain SID has changed roaming profiles will cease to be functional. The recovery
of roaming profiles will necessitate resetting of the domain portion of the user SID
When the domain SID has changed, roaming profiles cease to be functional. The recovery
of roaming profiles necessitates resetting of the domain portion of the user SID
that owns the profile. This is encoded in the <filename>NTUser.DAT</filename> and can be
updated using the Samba <command>profiles</command> utility. Please be aware that not all
Linux distributions of the Samba RPMs do include this essential utility. Please do not
complain to the Samba Team if this utility is missing, that is an issue that must be
Linux distributions of the Samba RPMs include this essential utility. Please do not
complain to the Samba Team if this utility is missing; that issue that must be
addressed to the creator of the RPM package. The Samba Team do their best to make
available all the tools needed to manage a Samba based Windows networking environment.
available all the tools needed to manage a Samba-based Windows networking environment.
</para>

</sect3>
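Review bot: the rewritten line "if this utility is missing; that issue that must be addressed" drops a word and is now ungrammatical; it should read "that is an issue that must be addressed" (or "that issue must be addressed").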
@ -346,40 +346,40 @@ Num local groups: 0
<para>
<indexterm><primary>netbios</primary><secondary>machine name</secondary></indexterm>
<indexterm><primary>netbios name</primary></indexterm>
Samba uses two (2) methods by which the primary NetBIOS machine name (also known as a computer
name or the hostname) may be determined: If the &smb.conf; file contains an entry
<parameter>netbios name</parameter> entry its value will be used directly. In the absence
of such and entry the UNIX system hostname will be used.
Samba uses two methods by which the primary NetBIOS machine name (also known as a computer
name or the hostname) may be determined: If the &smb.conf; file contains a
<parameter>netbios name</parameter> entry, its value will be used directly. In the absence
of such an entry, the UNIX system hostname will be used.
</para>

<para>
Many sites have become victims of lost Samba functionality because the UNIX system
hostname was changed for one reason or another. Such a change will cause a new machine
SID to be generated. If this happens on a domain controller it will also change the
domain SID. These SIDs can be updated (restored) using the procedure outlined above.
SID to be generated. If this happens on a domain controller, it will also change the
domain SID. These SIDs can be updated (restored) using the procedure outlined previously.
</para>

<note><para>
Do NOT change the hostname or the <parameter>netbios name</parameter>. If this
is changed be sure to reset the machine SID to the original setting, otherwise
is changed, be sure to reset the machine SID to the original setting. Otherwise
there may be serious interoperability and/or operational problems.
</para></note>

</sect3>

<sect3>
<title>Change of workgroup (domain) name</title>
<title>Change of Workgroup (Domain) Name</title>

<para>
<indexterm><primary>workgroup</primary></indexterm>
The domain name of a Samba server is identical with the workgroup name and is
The domain name of a Samba server is identical to the workgroup name and is
set in the &smb.conf; file using the <parameter>workgroup</parameter> parameter.
This has been consistent throughout the history of Samba and across all versions.
</para>

<para>
<indexterm><primary>SID</primary></indexterm>
Be aware that when the workgroup name is changed a new SID will be generated.
Be aware that when the workgroup name is changed, a new SID will be generated.
The old domain SID can be reset using the procedure outlined earlier in this chapter.
</para>

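Review bot: "Do NOT change the hostname" in the `<note>` keeps all-caps emphasis, while the hunk at line 1679 of the migration chapter replaced the same device ("BEFORE") with `<emphasis>before</emphasis>`; use `<emphasis>not</emphasis>` here for consistency. The note could also say why in one clause: as the preceding paragraph explains, a hostname change generates a new machine SID and, on a domain controller, a new domain SID.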
@ -402,7 +402,7 @@ Num local groups: 0
|
||||
</para>
|
||||
|
||||
<para>
|
||||
During the life of the Samba 2.x release the &smb.conf; file was relocated
|
||||
During the life of the Samba 2.x release, the &smb.conf; file was relocated
|
||||
on Linux systems to the <filename>/etc/samba</filename> directory where it
|
||||
remains located also for Samba 3.0.x installations.
|
||||
</para>
|
||||
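Review bot: the clause "where it remains located also for Samba 3.0.x installations" is still awkward after the comma fix; "where it remains for Samba 3.0.x installations" reads cleanly. The sentence also states /etc/samba as a fact about Linux, whereas the paragraph two hunks below says the location is fixed at compile time and the Samba Team default is /usr/local/samba/lib; qualify it as the distribution packagers' convention so the two paragraphs do not contradict each other.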
@ -411,14 +411,14 @@ Num local groups: 0
|
||||
<indexterm><primary>secrets.tdb</primary></indexterm>
|
||||
Samba 2.x introduced the <filename>secrets.tdb</filename> file that is also stored in the
|
||||
<filename>/etc/samba</filename> directory, or in the <filename>/usr/local/samba/lib</filename>
|
||||
directory sub-system.
|
||||
directory subsystem.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>smbd</primary></indexterm>
|
||||
The location at which <command>smbd</command> expects to find all configuration and control
|
||||
files is determined at the time of compilation of Samba. For versions of Samba prior to
|
||||
3.0 one way to find the expected location of these files is to execute:
|
||||
3.0, one way to find the expected location of these files is to execute:
|
||||
<screen>
|
||||
&rootprompt; strings /usr/sbin/smbd | grep conf
|
||||
&rootprompt; strings /usr/sbin/smbd | grep secret
|
||||
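Review bot: "directory subsystem" is no clearer than "directory sub-system"; "directory" alone suffices. In the <screen> block, the hard-coded /usr/sbin/smbd undercuts the point of the section, which is that the binary may be anywhere; tell the reader to run strings against the smbd the init script actually starts (or the one "which smbd" returns). It is also worth a sentence that "strings | grep conf" is a heuristic that matches any string containing "conf", so the candidate path should be checked to exist before it is trusted.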
@ -463,10 +463,11 @@ Paths:
|
||||
|
||||
<para>
|
||||
<indexterm><primary></primary></indexterm>
|
||||
It is important that both the &smb.conf; file and the <filename>secrets.tdb</filename> should
|
||||
be backed up before attempting any upgrade. The <filename>secrets.tdb</filename> file is version
|
||||
encoded and therefore a newer version may not work with an older version of Samba. A backup
|
||||
means that it is always possible to revert a failed or problematic upgrade.
|
||||
It is important that both the &smb.conf; file and the <filename>secrets.tdb</filename>
|
||||
be backed up before attempting any upgrade. The <filename>secrets.tdb</filename> file
|
||||
is version-encoded, and therefore a newer version may not work with an older version
|
||||
of Samba. A backup means that it is always possible to revert a failed or problematic
|
||||
upgrade.
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
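Review bot: the empty index entry <indexterm><primary></primary></indexterm> at the top of the paragraph survives the rewrite; an empty <primary> yields a blank index term and should be filled (secrets.tdb is the obvious candidate) or removed. The backup advice should also say where "backed up" means: secrets.tdb holds the domain SID and the machine and LDAP bind credentials Samba uses, so the copy must keep the original's root-only ownership and mode rather than land in a world-readable scratch directory.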
@ -479,7 +480,7 @@ Paths:
|
||||
<indexterm><primary>character set</primary></indexterm>
|
||||
<indexterm><primary>codepage</primary></indexterm>
|
||||
<indexterm><primary>internationalization</primary></indexterm>
|
||||
Samba-2.x had not support for Unicode, instead all national language character set support in file names
|
||||
Samba-2.x had no support for Unicode; instead, all national language character-set support in file names
|
||||
was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus
|
||||
providing true internationalization support.
|
||||
</para>
|
||||
@ -495,7 +496,7 @@ Paths:
|
||||
<para>
|
||||
<indexterm><primary>UTF-8</primary></indexterm>
|
||||
Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a
|
||||
mix of codepage (unix charset) encoded file names and UTF-8 encoded file names, the mess will take some
|
||||
mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some
|
||||
effort to set straight.
|
||||
</para>
|
||||
|
||||
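Review bot: "codepage (unix charset)-encoded" hyphenates across a parenthesis and reads badly; suggest "codepage-encoded (unix charset) file names". The first sentence also overstates: files are created in UTF-8 only when "unix charset" is left at its default of UTF-8, which is what the parenthetical hints at. Say so explicitly, because a site that set unix charset to a legacy codepage to match existing files is exactly the mixed-encoding case this paragraph warns about.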
@ -503,7 +504,7 @@ Paths:
|
||||
<indexterm><primary>convmv</primary></indexterm>
|
||||
A very helpful tool is available from Bjorn Jacke's <ulink url="http://j3e.de/linux/convmv/">convmv</ulink>
|
||||
work. Convmv is a tool that can be used to convert file and directory names from one encoding method to
|
||||
another. The most common use for this tool is to convert locale encoded files to UTF-8 Unicode encoding.
|
||||
another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding.
|
||||
</para>
|
||||
|
||||
</sect3>
|
||||
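Review bot: a practical caveat belongs with the convmv recommendation: convmv only reports what it would rename until it is run with --notest, so the text should tell the reader to review the dry-run output first, and to run the real conversion with Samba stopped, since renaming under a live smbd is how the "mess" of the preceding paragraph gets worse rather than better.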
@ -519,7 +520,7 @@ Paths:
|
||||
Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3
|
||||
may experience little difficulty or may require a lot of effort, depending
|
||||
on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will
|
||||
generally be simple and straight forward, although no upgrade should be
|
||||
generally be simple and straightforward, although no upgrade should be
|
||||
attempted without proper planning and preparation.
|
||||
</para>
|
||||
|
||||
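Review bot: version naming is inconsistent within this hunk and across the commit: "Samba-2", "Samba-3" and "Samba-1.9.x" here against "Samba 2.x" and "Samba 3.0.x" in the section titles and "Samba-2.x" elsewhere. Since the copyedit is touching these lines anyway, pick one form (the unhyphenated "Samba 2.x" / "Samba 3" of the titles) and apply it throughout.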
@ -533,7 +534,7 @@ Samba-2.x could be compiled with LDAP support.
|
||||
<title>Samba 1.9.x and 2.x Versions Without LDAP</title>
|
||||
|
||||
<para>
|
||||
Where it is necessary to upgrade an old Samba installation to Samba-3
|
||||
Where it is necessary to upgrade an old Samba installation to Samba-3,
|
||||
the following procedure can be followed:
|
||||
</para>
|
||||
|
||||
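Review bot: "the following procedure can be followed" is redundant; "use the following procedure" says the same thing. The comma added after "Samba-3" is correct.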
@ -546,22 +547,22 @@ Samba-2.x could be compiled with LDAP support.
|
||||
<indexterm><primary>nmbd</primary></indexterm>
|
||||
Stop Samba. This can be done using the appropriate system tool
|
||||
that is particular for each operating system or by executing the
|
||||
<command>kill</command> command on <command>smbd, nmbd</command>
|
||||
and on <command>winbindd</command>.
|
||||
<command>kill</command> command on <command>smbd</command>,
|
||||
<command>nmbd</command>, and <command>winbindd</command>.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Find the location of the Samba &smb.conf; file - back it up to a
|
||||
Find the location of the Samba &smb.conf; file and back it up to a
|
||||
safe location.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Find the location of the <filename>smbpasswd</filename> file -
|
||||
Find the location of the <filename>smbpasswd</filename> file and
|
||||
back it up to a safe location.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Find the location of the <filename>secrets.tdb</filename> file -
|
||||
Find the location of the <filename>secrets.tdb</filename> file and
|
||||
back it up to a safe location.
|
||||
</para></step>
|
||||
|
||||
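Review bot: the three "Find the location of ... and back it up to a safe location" steps never define "safe": smbpasswd carries the LM/NT password hashes and secrets.tdb the machine credentials, so the copies must keep root-only ownership and mode and must not be placed on a network share. The first step should also say to wait until smbd, nmbd and winbindd have actually exited (check with ps) before copying any tdb file, otherwise the backup can be taken mid-write. The three "find the location" steps could be one step pointing at the path-discovery procedure the later step already references as <link linkend="sbeug1"/>.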
@ -575,7 +576,7 @@ Samba-2.x could be compiled with LDAP support.
|
||||
location used by the Samba Team is in
|
||||
<filename>/usr/local/samba/var/locks</filename> directory,
|
||||
but on Linux systems the old location was under the
|
||||
<filename>/var/cache/samba</filename> directory, however the
|
||||
<filename>/var/cache/samba</filename> directory. However, the
|
||||
Linux Standards Base specified location is now under the
|
||||
<filename>/var/lib/samba</filename> directory. Copy all the
|
||||
tdb files to a safe location.
|
||||
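Review bot: the standard is the "Linux Standard Base" (singular), not "Linux Standards Base", and "Linux Standards Base specified location" needs a hyphen: "the LSB-specified location is now under the /var/lib/samba directory". The rest of the hunk (splitting the run-on at "However,") is fine.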
@ -590,13 +591,13 @@ Samba-2.x could be compiled with LDAP support.
|
||||
|
||||
<para>
|
||||
On systems that do not support a reliable package management system
|
||||
it is advisable either to delete the Samba old installation , or to
|
||||
it is advisable either to delete the Samba old installation or to
|
||||
move it out of the way by renaming the directories that contain the
|
||||
Samba binary files.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
When the Samba upgrade has been installed the first step that should
|
||||
When the Samba upgrade has been installed, the first step that should
|
||||
be completed is to identify the new target locations for the control
|
||||
files. Follow the steps shown in <link linkend="sbeug1"/> to locate
|
||||
the correct directories to which each control file must be moved.
|
||||
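Review bot: the word-order error survives the edit: "delete the Samba old installation" should be "delete the old Samba installation". The advice to "move it out of the way by renaming the directories that contain the Samba binary files" should add that init scripts and cron entries pointing at the old paths must be updated too; otherwise the old daemons are still what the boot sequence starts, which is the failure mode the "Samba-3 to Samba-3" section later describes at length.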
@ -627,15 +628,15 @@ Samba-2.x could be compiled with LDAP support.
|
||||
</screen>
|
||||
<indexterm><primary>stripped</primary></indexterm>
|
||||
The resulting &smb.conf; file will be stripped of all comments
|
||||
and will be stripped of all non-conforming configuration settings.
|
||||
and of all nonconforming configuration settings.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
It is now safe to start Samba using the appropriate system tool.
|
||||
Alternately, it is possible to just execute <command>nmbd, smbd</command>
|
||||
and <command>winbindd</command> for the command line while logged in
|
||||
as the 'root' user.
|
||||
Alternately, it is possible to just execute <command>nmbd</command>,
|
||||
<command>smbd</command>, and <command>winbindd</command> for the command
|
||||
line while logged in as the root user.
|
||||
</para></step>
|
||||
|
||||
</procedure>
|
||||
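Review bot: "for the command line" should be "from the command line"; the error is preserved in the rewritten lines. More importantly, the step stating that the resulting smb.conf is "stripped of all comments and of all nonconforming configuration settings" should tell the reader to diff the stripped file against the backup before starting the daemons: a parameter silently dropped as nonconforming may be one that restricted access (hosts allow, valid users and the like), and the comments were often the only record of why a setting existed. Keep the original file next to the stripped one.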
@ -643,7 +644,7 @@ Samba-2.x could be compiled with LDAP support.
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Applicable to all Samba 2.x to Samba-3 Upgrades</title>
|
||||
<title>Applicable to All Samba 2.x to Samba-3 Upgrades</title>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>PDC</primary></indexterm>
|
||||
@ -651,15 +652,15 @@ Samba-2.x could be compiled with LDAP support.
|
||||
<indexterm><primary>inter-domain</primary></indexterm>
|
||||
Samba 2.x servers that were running as a domain controller (PDC)
|
||||
require changes to the configuration of the scripting interface
|
||||
tools that Samba uses to perform operating system updates for
|
||||
users, groups and trust accounts (machines and inter-domain).
|
||||
tools that Samba uses to perform OS updates for
|
||||
users, groups, and trust accounts (machines and interdomain).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>parameters</primary></indexterm>
|
||||
The following parameters are new to Samba-3 and should be correctly
|
||||
configured. Please refer to Chapters 3-6 in this book for examples
|
||||
of use of the new parameters shown here:
|
||||
The following parameters are new to Samba-3 and should be correctly configured.
|
||||
Please refer to <link linkend="secure"/> through <link linkend="2000users"/>
|
||||
in this book for examples of use of the new parameters shown here:
|
||||
<indexterm><primary>add group script</primary></indexterm>
|
||||
<indexterm><primary>add machine script</primary></indexterm>
|
||||
<indexterm><primary>add user to group script</primary></indexterm>
|
||||
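Review bot: replacing "operating system updates" with "OS updates" changes the meaning: "OS updates" reads as patching the operating system, whereas the sentence is about the scripts Samba calls to create and modify operating-system accounts. Suggest "to perform operating system account updates for users, groups, and trust accounts (machines and interdomain)". The Chapter 3-6 replacement with <link linkend="secure"/> through <link linkend="2000users"/> is the right fix.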
@ -700,31 +701,32 @@ Samba-2.x could be compiled with LDAP support.
|
||||
<indexterm><primary>groupmod</primary></indexterm>
|
||||
<indexterm><primary>groupdel</primary></indexterm>
|
||||
Where the <parameter>passdb backend</parameter> used is either <constant>smbpasswd</constant>
|
||||
(the default), or the new <constant>tdbsam</constant>, the system interface scripts
|
||||
are typically used. These involve use of operating system tools such as
|
||||
<command>useradd, usermod, userdel, groupadd, groupmod, groupdel</command>, etc.
|
||||
(the default) or the new <constant>tdbsam</constant>, the system interface scripts
|
||||
are typically used. These involve use of OS tools such as <command>useradd</command>,
|
||||
<command>usermod</command>, <command>userdel</command>, <command>groupadd</command>,
|
||||
<command>groupmod</command>, <command>groupdel</command>, and so on.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>passdb backend</primary></indexterm>
|
||||
<indexterm><primary>LDAP</primary></indexterm>
|
||||
<indexterm><primary>Idealx</primary></indexterm>
|
||||
Where the <parameter>passdb backend</parameter> makes use of an LDAP directory
|
||||
it will be necessary either to use the <constant>smbldap-tools</constant> provided
|
||||
by Idealx, or else to use an alternate tool-set either provided by another third
|
||||
party, or else home crafted tools to manage the LDAP directory accounts.
|
||||
Where the <parameter>passdb backend</parameter> makes use of an LDAP directory,
|
||||
it is necessary either to use the <constant>smbldap-tools</constant> provided
|
||||
by Idealx or to use an alternate toolset provided by a third
|
||||
party or else home-crafted to manage the LDAP directory accounts.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Samba-2.x with LDAP support</title>
|
||||
<title>Samba-2.x with LDAP Support</title>
|
||||
|
||||
<para>
|
||||
Samba version 2.x could be compiled for use either with, or without, LDAP.
|
||||
Samba version 2.x could be compiled for use either with or without LDAP.
|
||||
The LDAP control settings in the &smb.conf; file in this old version are
|
||||
completely different (and less complete) than they are with Samba-3. This
|
||||
means that after migrating the control files it will be necessary to reconfigure
|
||||
means that after migrating the control files, it is necessary to reconfigure
|
||||
the LDAP settings entirely.
|
||||
</para>
|
||||
|
||||
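Review bot: the rewritten sentence "or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts" still dangles; suggest "or to use an alternate toolset, whether from a third party or home-crafted, to manage the LDAP directory accounts". On the preceding paragraph: smbd runs the add/delete user, group and machine scripts as root with names supplied by remote clients, so one sentence saying that home-crafted scripts must validate their arguments rather than pass them unquoted to a shell would be a worthwhile addition here.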
@ -737,7 +739,7 @@ Samba-2.x could be compiled with LDAP support.
|
||||
<indexterm><primary>schema</primary></indexterm>
|
||||
<indexterm><primary>WHATSNEW.txt</primary></indexterm>
|
||||
The Samba SAM schema required for Samba-3 is significantly different from that
|
||||
used with Samba 2.x. This means that the LDAP directory will need to be updated
|
||||
used with Samba 2.x. This means that the LDAP directory must be updated
|
||||
using the procedure outlined in the Samba WHATSNEW.txt file that accompanies
|
||||
all releases of Samba-3. This information is repeated here directly from this
|
||||
file:
|
||||
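Review bot: "This information is repeated here directly from this file" copies the WHATSNEW.txt text of one release into the book while the sentence before it speaks of "all releases of Samba-3"; pin the release the quoted text was taken from so a reader on a later release knows whether the quoted procedure is still current. It should also state the order of operations: load the new schema into the directory before the new smbd is started against it, since the new smbd writes attributes the old schema does not define.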
@ -901,7 +903,7 @@ the DN's with quotation marks.
|
||||
|
||||
<para>
|
||||
The key concern in this section is to deal with the changes that have been
|
||||
affected in Samba-3 between the samba-3.0.0 release and the current update.
|
||||
affected in Samba-3 between the Samba-3.0.0 release and the current update.
|
||||
Network administrators have expressed concerns over the steps that should be
|
||||
taken to update Samba-3 versions.
|
||||
</para>
|
||||
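Review bot: "changes that have been affected in Samba-3" should be "effected" (or simply "made"); the copyedit only capitalised "Samba-3.0.0" and left the wrong verb in place.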
@ -911,19 +913,19 @@ taken to update Samba-3 versions.
|
||||
The information in <link linkend="sbeug1"/> would not be necessary if every
|
||||
person who has ever produced Samba executable (binary) files could agree on
|
||||
the preferred location of the &smb.conf; file and other Samba control files.
|
||||
Clearly, such agreement is further away than a pipe-dream.
|
||||
Clearly, such agreement is further away than a pipedream.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>vendors</primary></indexterm>
|
||||
Vendors and packagers who produce Samba binary install-able packages do not,
|
||||
Vendors and packagers who produce Samba binary installable packages do not,
|
||||
as a rule, use the default paths used by the Samba-Team for the location of
|
||||
the binary files, the &smb.conf; file, and the Samba control files (tdb's
|
||||
as well as files such as <filename>secrets.tdb</filename>. This means that
|
||||
as well as files such as <filename>secrets.tdb</filename>). This means that
|
||||
the network or UNIX administrator who sets out to build the Samba executable
|
||||
files from the Samba tarball must take particular care. Failure to take care
|
||||
will result in both the original vendors' version of Samba remaining installed
|
||||
as well as the new version that will be installed in the default location used
|
||||
will result in both the original vendor's version of Samba remaining installed
|
||||
and the new version being installed in the default location used
|
||||
by the Samba-Team. This can lead to confusion and to much lost time as the
|
||||
uninformed administrator deals with apparent failure of the update to take
|
||||
effect.
|
||||
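Review bot: the paragraph describes the double-installation trap but not how to detect it; add the concrete check (the path-discovery procedure in <link linkend="sbeug1"/>, or "smbd -b" on the binary the init script runs, then "smbd -V" after restart to confirm the running version). This matters beyond lost time: if the vendor copy keeps starting at boot, a security update installed from the tarball never takes effect. Minor: "further away than a pipedream" is an odd comparison; "is a pipedream" suffices.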
@ -934,21 +936,21 @@ effect.
|
||||
The best advice for those lacking in code compilation experience is to use
|
||||
only vendor (or Samba-Team) provided binary packages. The Samba packages
|
||||
that are provided by the Samba-Team are generally built to use file paths
|
||||
that are compatible with the original operating system vendors' practices.
|
||||
that are compatible with the original OS vendor's practices.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>binary package</primary></indexterm>
|
||||
<indexterm><primary>binary files</primary></indexterm>
|
||||
If you are not sure whether or a binary package complies with the operating
|
||||
system vendors' practices it is better to ask the package maintainer via
|
||||
email to be certain than to waste much time dealing with the nuances.
|
||||
If you are not sure whether or a binary package complies with the OS
|
||||
vendor's practices, it is better to ask the package maintainer via
|
||||
email than to waste much time dealing with the nuances.
|
||||
Alternately, just diagnose the paths specified by the binary files following
|
||||
the procedure outlined above.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
<title>Samba-3 to Samba-3 updates on the Same Server</title>
|
||||
<title>Samba-3 to Samba-3 Updates on the Same Server</title>
|
||||
|
||||
<para>
|
||||
The guidance in this section deals with updates to an existing
|
||||
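Review bot: the typo in "If you are not sure whether or a binary package complies" (missing "not") is carried into the rewritten line; it should read "whether or not a binary package complies", or just "whether a binary package complies". "Alternately, just diagnose the paths ... following the procedure outlined above" should likewise be a <link linkend="sbeug1"/> rather than "above".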
@ -975,7 +977,7 @@ the procedure outlined above.
|
||||
<para>
|
||||
<indexterm><primary>schema</primary></indexterm>
|
||||
<indexterm><primary>LDAP</primary><secondary>schema</secondary></indexterm>
|
||||
When updating versions of Samba-3 prior to 3.0.6 to 3.0.6-3.0.10
|
||||
When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10,
|
||||
it is necessary only to update the LDAP schema (where LDAP is used).
|
||||
Always use the LDAP schema file that is shipped with the latest Samba-3
|
||||
update.
|
||||
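Review bot: "(where LDAP is used)" is attached to the wrong clause; for sites without LDAP nothing at all is necessary, so say "it is necessary only to update the LDAP schema, and only where ldapsam is used". The paragraph should also state the order: load the new schema before starting the 3.0.6 through 3.0.10 smbd, since it writes attributes the old schema does not define.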
@ -985,7 +987,7 @@ the procedure outlined above.
|
||||
<indexterm><primary>ldapsam</primary></indexterm>
|
||||
<indexterm><primary>tdbsam</primary></indexterm>
|
||||
<indexterm><primary>passdb backend</primary></indexterm>
|
||||
Samba-3.0.6 introduced the ability to remember the last 'n' number
|
||||
Samba-3.0.6 introduced the ability to remember the last <emphasis>n</emphasis> number
|
||||
of passwords a user has used. This information will work only with
|
||||
the <constant>tdbsam</constant> and <constant>ldapsam</constant>
|
||||
<parameter>passdb backend</parameter> facilities.
|
||||
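Review bot: "remember the last n number of passwords" is redundant ("the last n passwords"). The paragraph should also say what is stored: the history is a list of hashes of a user's previous passwords kept in the passdb, so it needs the same read restrictions as the current hash (directory ACLs on the ldapsam attribute, file mode on the tdbsam file).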
@ -1018,9 +1020,10 @@ the procedure outlined above.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In Samba-3.0.11 there were some functional changes to the <parameter>ldap user suffix</parameter>
|
||||
and to the <parameter>ldap machine suffix</parameter> behaviors. The following
|
||||
information has been extracted from the WHATSNEW.txt file from this release:
|
||||
In Samba-3.0.11 there were some functional changes to the <parameter>ldap user
|
||||
suffix</parameter> and to the <parameter>ldap machine suffix</parameter> behaviors.
|
||||
The following information has been extracted from the WHATSNEW.txt file from this
|
||||
release:
|
||||
<screen>
|
||||
============
|
||||
LDAP Changes
|
||||
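Review bot: the reflow breaks a parameter name across a line inside its element ("<parameter>ldap user" / "suffix</parameter>"); the whitespace is normalised in output, but it defeats a grep for the parameter name in the source, so keep each <parameter> on one line. Given that the quoted WHATSNEW text describes a change in where smbd searches for accounts, the paragraph should also tell ldapsam sites to check where their machine accounts actually reside before upgrading to 3.0.11.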
@ -1051,15 +1054,15 @@ back to searching the 'ldap suffix' in some cases.
|
||||
|
||||
<para>
|
||||
<indexterm><primary>DMS</primary></indexterm>
|
||||
Replacement of a domain member server (DMS) should be done
|
||||
Replacement of a domain member server should be done
|
||||
using the same procedure as outlined in <link linkend="unixclients"/>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Usually the new server will be introduced with a temporary name. After
|
||||
the old server data has been migrated to the new server it is customary
|
||||
that the new server will be renamed to that of the old server. This will
|
||||
change its SID and will necessitate re-joining to the domain.
|
||||
the old server data has been migrated to the new server, it is customary
|
||||
that the new server be renamed to that of the old server. This will
|
||||
change its SID and will necessitate rejoining to the domain.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
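Review bot: "rejoining to the domain" should be "rejoining the domain". Dropping "(DMS)" from the text leaves the <indexterm> reading DMS while the abbreviation is no longer introduced anywhere in the section; either keep the expansion or drop the index term. It would also help to say that "rejoining" means a fresh net join against the domain controller, which replaces the trust account secret the old server held, since the SID change is what invalidates the old one.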
@ -1069,14 +1072,14 @@ back to searching the 'ldap suffix' in some cases.
|
||||
<indexterm><primary>wins.dat</primary></indexterm>
|
||||
<indexterm><primary>browse.dat</primary></indexterm>
|
||||
<indexterm><primary>resolution</primary></indexterm>
|
||||
Following a change of hostname (netbios name) it is a good idea on all servers to
|
||||
shutdown the Samba <command>smbd, nmbd</command> and <command>winbindd</command>
|
||||
services, delete the <filename>wins.dat</filename> and <filename>browse.dat</filename>
|
||||
files, then restart Samba. This will ensure that the old name and IP address
|
||||
information is no longer able to interfere with name to IP address resolution.
|
||||
If this is not done, there can be temporary name resolution problems. These
|
||||
problems usually clear within 45 minutes of a name change, but can persist for
|
||||
a longer period of time.
|
||||
Following a change of hostname (NetBIOS name) it is a good idea on all servers
|
||||
to shut down the Samba <command>smbd</command>, <command>nmbd</command>, and
|
||||
<command>winbindd</command> services, delete the <filename>wins.dat</filename>
|
||||
and <filename>browse.dat</filename> files, then restart Samba. This will ensure
|
||||
that the old name and IP address information is no longer able to interfere with
|
||||
name to IP address resolution. If this is not done, there can be temporary name
|
||||
resolution problems. These problems usually clear within 45 minutes of a name
|
||||
change, but can persist for a longer period of time.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
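Review bot: "delete the wins.dat and browse.dat files" on all servers is stronger than the goal requires: removing wins.dat on the WINS server discards every registration, not only the renamed host's, and all clients must then re-register, which is a larger disruption than the paragraph implies. Either say so or scope the deletion to the WINS server and the renamed host. The "45 minutes" figure should say what it derives from (the NetBIOS name refresh interval) or be presented as an observation rather than a bound.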
@ -1084,12 +1087,13 @@ back to searching the 'ldap suffix' in some cases.
|
||||
<indexterm><primary>/etc/passwd</primary></indexterm>
|
||||
<indexterm><primary>/etc/shadow</primary></indexterm>
|
||||
<indexterm><primary>/etc/group</primary></indexterm>
|
||||
If the old DMS had local accounts, it is necessary to create on the new DMS
|
||||
the same accounts with the same UID and GID for each account. Where the
|
||||
<parameter>passdb backend</parameter> database is stored in the <constant>smbpasswd</constant>
|
||||
or in the <constant>tdbsam</constant> format the user and group account
|
||||
information for UNIX accounts, that match the Samba accounts, will reside in
|
||||
the system <filename>/etc/passwd, /etc/shadow</filename> and
|
||||
If the old domain member server had local accounts, it is necessary to create
|
||||
on the new domain member server the same accounts with the same UID and GID
|
||||
for each account. Where the <parameter>passdb backend</parameter> database
|
||||
is stored in the <constant>smbpasswd</constant> or in the
|
||||
<constant>tdbsam</constant> format, the user and group account information
|
||||
for UNIX accounts that match the Samba accounts will reside in the system
|
||||
<filename>/etc/passwd, /etc/shadow</filename>, and
|
||||
<filename>/etc/group</filename> files. In this case be sure to copy these
|
||||
account entries to the new target server.
|
||||
</para>
|
||||
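Review bot: "<filename>/etc/passwd, /etc/shadow</filename>" wraps two paths in one element; use one <filename> per file, as is done for /etc/group on the next line. On substance, "copy these account entries to the new target server" should caution that /etc/shadow lines carry password hashes, so they must be transferred over a protected channel and merged with the same root-only 0600 mode, and that UID/GID collisions with accounts already present on the new server must be checked first; preserving the numeric IDs is the whole point, because ownership of the migrated data depends on them.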
@ -1098,7 +1102,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
<indexterm><primary>nss_ldap</primary></indexterm>
|
||||
Where the user accounts for both UNIX and Samba are stored in LDAP, the new
|
||||
target server must be configured to use the <command>nss_ldap</command> tool set.
|
||||
This will then automatically ensure that the appropriate user entities are
|
||||
This will automatically ensure that the appropriate user entities are
|
||||
available on the new server.
|
||||
</para>
|
||||
|
||||
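Review bot: "nss_ldap tool set" here versus "toolset" in the earlier smbldap-tools paragraph; pick one. A one-clause note that nss_ldap provides name and ID lookup only, not authentication, would also prevent the common misreading of "the appropriate user entities are available".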
@ -1109,8 +1113,8 @@ back to searching the 'ldap suffix' in some cases.
|
||||
|
||||
<para>
|
||||
<indexterm><primary>domain</primary><secondary>controller</secondary></indexterm>
|
||||
In the past, people who replaced a Windows NT4 domain controller would typically
|
||||
install a new server, create printers and file shares on it, then migrate across
|
||||
In the past, people who replaced a Windows NT4 domain controller typically
|
||||
installed a new server, created printers and file shares on it, then migrate across
|
||||
all data that was destined to reside on it. The same can of course be done with
|
||||
Samba.
|
||||
</para>
|
||||
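Review bot: the tense change is incomplete: "typically installed a new server, created printers and file shares on it, then migrate across" should be "then migrated across".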
@ -1119,22 +1123,22 @@ back to searching the 'ldap suffix' in some cases.
|
||||
From recent mailing list postings it would seem that some administrators
|
||||
have the intent to just replace the old Samba server with a new one with
|
||||
the same name as the old one. In this case, simply follow the same process
|
||||
as upgrading a Samba 2.x system in respect of the following:
|
||||
as for upgrading a Samba 2.x system and do the following:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
Where UNIX (POSIX) user and group accounts are stored in the system
|
||||
<filename>/etc/passwd, /etc/shadow</filename> and
|
||||
<filename>/etc/group</filename> files be sure to add the same accounts
|
||||
<filename>/etc/passwd, /etc/shadow</filename>, and
|
||||
<filename>/etc/group</filename> files, be sure to add the same accounts
|
||||
with identical UID and GID values for each user.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Where LDAP is used, if the new system is intended to be the LDAP server
|
||||
Where LDAP is used, if the new system is intended to be the LDAP server,
|
||||
migrate it across by configuring the LDAP server
|
||||
(<filename>/etc/openldap/slapd.conf</filename>). The directory can either
|
||||
be populated initially by setting this LDAP server up as a slave, or else
|
||||
(<filename>/etc/openldap/slapd.conf</filename>). The directory can
|
||||
be populated either initially by setting this LDAP server up as a slave or
|
||||
by dumping the data from the old LDAP server using the <command>slapcat</command>
|
||||
command and then reloading the same data into the new LDAP server using the
|
||||
<command>slapadd</command> command. Do not forget to install and configure
|
||||
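Review bot: "The directory can be populated either initially by setting this LDAP server up as a slave or by dumping" misplaces "either"; suggest "can be populated either by initially setting this LDAP server up as a slave, or by dumping". For the slapcat/slapadd path, two safety points are missing: the slapcat output contains the userPassword and Samba password-hash attributes and must be written with restrictive permissions and deleted after loading, and slapadd must be run with the target slapd stopped, otherwise the database can be left inconsistent.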
@ -1156,7 +1160,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
|
||||
<listitem><para>
|
||||
Before starting the Samba daemons, verify that the hostname of the new server
|
||||
is identical with that of the old one. Note: The IP address can be different
|
||||
is identical to that of the old one. Note: The IP address can be different
|
||||
from that of the old server.
|
||||
</para></listitem>
|
||||
|
||||
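Review bot: the inline "Note: The IP address can be different from that of the old server" should be a <note> element, as this appendix already uses for the hostname warning, rather than a literal "Note:" in running text. The step should also say what "identical" is for: the hostname determines the NetBIOS name unless "netbios name" is set explicitly in smb.conf, which a later paragraph mentions but this step does not.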
@ -1175,11 +1179,11 @@ back to searching the 'ldap suffix' in some cases.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
All Samba servers, other than one that uses LDAP, depend on the tdb files, and in
|
||||
particular the <filename>secrets.tdb</filename> file. So long as the tdb files are
|
||||
All Samba servers, other than one that uses LDAP, depend on the tdb files, and
|
||||
particularly on the <filename>secrets.tdb</filename> file. So long as the tdb files are
|
||||
all in place, the &smb.conf; file is preserved, and either the hostname is identical
|
||||
or the <parameter>netbios name</parameter> is set to the original server name, Samba
|
||||
should correctly pick up the original SID, and preserve all other settings. It is
|
||||
should correctly pick up the original SID and preserve all other settings. It is
|
||||
sound advice to validate this before turning the system over to users.
|
||||
</para>
|
||||
|
||||
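Review bot: "It is sound advice to validate this before turning the system over to users" should say how: record the SID the old server reports (net getlocalsid) before migration and compare it with what the new server reports after start-up. "All Samba servers, other than one that uses LDAP, depend on the tdb files" is also misleading: an ldapsam server still depends on secrets.tdb for the LDAP bind password and the SID, so the exception is narrower than stated.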
@ -1208,7 +1212,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
|
||||
<step><para>
|
||||
In the Advanced/DNS section of the TCP/IP settings on your Windows
|
||||
workstations, make sure <parameter>DNS suffix for this
|
||||
workstations, make sure the <parameter>DNS suffix for this
|
||||
connection</parameter> field is blank.
|
||||
</para></step>
|
||||
|
||||
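Review bot: the step says to blank "DNS suffix for this connection" but not why; a sentence on what fails when a suffix is set would let the reader decide whether the step applies to a workstation that needs the suffix for other reasons.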
@ -1234,7 +1238,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
and satisfy all errors before committing the migration. Note that the
|
||||
test will always fail, because the machine will not have been actually
|
||||
migrated. You'll need to interpret the errors to know whether the
|
||||
failure was due to a problem, or simply due to the fact that it was just
|
||||
failure was due to a problem or simply to the fact that it was just
|
||||
a test.
|
||||
</para></step>
|
||||
|
||||
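Review bot: "You'll need to interpret the errors" is the only contraction in the section; "You need to" matches the register. The claim that "the test will always fail, because the machine will not have been actually migrated" is counterintuitive enough to deserve the expected error text, or a pointer to where ADMT reports it; otherwise every reader has to rediscover which failure is benign.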
@ -1249,7 +1253,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
You can also migrate workstations remotely. You can specify that SIDs
|
||||
You can migrate workstations remotely. You can specify that SIDs
|
||||
be simply added instead of replaced, giving you the option of joining a
|
||||
workstation back to the old domain if something goes awry. The
|
||||
workstations will be joined to the new domain.
|
||||
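Review bot: "You can specify that SIDs be simply added instead of replaced" needs to say what is being translated: ADMT's security translation choice of adding the new domain's SIDs to ACLs and profiles alongside the old ones rather than replacing them. As written, the reader cannot tell which ADMT setting this refers to or why it is what makes rejoining the old domain possible.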
@ -1271,7 +1275,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
The ADMT lets you test all operations before actually performing the
|
||||
migration. Accounts and workstations can be migrated individually or in
|
||||
batches. User accounts can be safely migrated all at once (since no
|
||||
changes are made on the original domain); It is recommended to migrate only one
|
||||
changes are made on the original domain). It is recommended to migrate only one
|
||||
or two workstations as a test before committing them all.
|
||||
</para></listitem>
|
||||
|
||||
|
@ -41,7 +41,7 @@
|
||||
<acronym>CUPS</acronym>
|
||||
<glossdef><para>
|
||||
A recent implementation of a high-capability printing system for UNIX developed by
|
||||
<ulink url="http://www.easysw.com/">Easy Software Inc.</ulink> The design objective
|
||||
<ulink url="http://www.easysw.com/">Easy Software Inc.</ulink>. The design objective
|
||||
of CUPS was to provide a rich print processing system that has built-in intelligence
|
||||
that is capable of correctly rendering (processing) a file that is submitted for
|
||||
printing even if it was formatted for an entirely different printer.
|
||||
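Review bot: adding a period after "</ulink>" produces "Easy Software Inc.." in the output, because the link text already ends in "Inc."; either drop the added period or move the abbreviation's period outside the element. "A recent implementation" will date badly in a glossary; "An implementation" is enough.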
@ -65,7 +65,7 @@
|
||||
A protocol by which computer hostnames may be resolved to the matching IP address/es.
|
||||
DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version
|
||||
of DNS that allows dynamic name registration by network clients or by a DHCP server.
|
||||
This recent protocol is known as Dynamic DNS (DDNS).
|
||||
This recent protocol is known as dynamic DNS (DDNS).
|
||||
</para></glossdef>
|
||||
</glossentry>
|
||||
|
||||
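Review bot: "DNS is implemented by the Berkeley Internet Name Daemon" presents BIND as the implementation; it is one of several, so "commonly implemented by". "There exists a recent version of DNS that allows dynamic name registration" is not right either: dynamic update is a protocol extension (RFC 2136), not a version of DNS.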
@ -76,7 +76,7 @@
|
||||
A protocol that was based on the BOOTP protocol that may be used to dynamically assign
|
||||
an IP address, from a reserved pool of addresses, to a network client or device.
|
||||
Additionally, DHCP may assign all network configuration settings and may be used to
|
||||
register a computer name and its address with a Dynamic DNS server.
|
||||
register a computer name and its address with a dynamic DNS server.
|
||||
</para></glossdef>
|
||||
</glossentry>
|
||||
|
||||
@ -84,9 +84,9 @@
|
||||
<glossterm>Ethereal</glossterm>
|
||||
<acronym>ethereal</acronym>
|
||||
<glossdef><para>
|
||||
A network analyzer, also known as: a network sniffer or a protocol analyzer. Ethereal is
|
||||
A network analyzer, also known as a network sniffer or a protocol analyzer. Ethereal is
|
||||
freely available for UNIX/Linux and Microsoft Windows systems from
|
||||
<ulink url="http://www.ethereal.com">the Ethereal Web site.</ulink>
|
||||
<ulink url="http://www.ethereal.com">the Ethereal Web site</ulink>.
|
||||
</para></glossdef>
|
||||
</glossentry>
|
||||
|
||||
@ -94,9 +94,9 @@
|
||||
<glossterm>Group IDentifier</glossterm>
|
||||
<acronym>GID</acronym>
|
||||
<glossdef><para>
|
||||
The UNIX system Group Identifier; on older systems, a 32-bit unsigned integer, and on
|
||||
The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on
|
||||
newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems
|
||||
for all group level access control.
|
||||
for all group-level access control.
|
||||
</para></glossdef>
|
||||
</glossentry>
|
||||
|
||||
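Review bot: the size claim is wrong: GIDs were 16-bit on older systems and are 32-bit on current ones (Linux gid_t, for example); there is no common 64-bit GID. Since Samba's ID mapping depends on the size of the UID/GID space, the entry should give the 16/32-bit figures or omit sizes altogether.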
@ -111,24 +111,24 @@
|
||||
</glossentry>
|
||||
|
||||
<glossentry>
|
||||
<glossterm>Light Weight Directory Access Protocol</glossterm>
|
||||
<glossterm>Lightweight Directory Access Protocol</glossterm>
|
||||
<acronym>LDAP</acronym>
|
||||
<glossdef>
|
||||
<para>
|
||||
The Light Weight Directory Access Protocol is a technology that
|
||||
The Lightweight Directory Access Protocol is a technology that
|
||||
originated from the development of X.500 protocol specifications and
|
||||
implementations. LDAP was designed as a means of rapidly searching
|
||||
through X.500 information. Later LDAP was adapted as an engine that
|
||||
could drive its own directory database. LDAP is not a database per
se; rather it is a technology that enables high volume search and
se; rather it is a technology that enables high-volume search and
locate activity from clients that wish to obtain simply defined
information about a sub-set of records that are stored in a
information about a subset of records that are stored in a
database. LDAP does not have a particularly efficient mechanism for
storing records in the database, and it has no concept of transaction
processing nor of mechanisms for preserving data consistency. LDAP is
premised around the notion that the search and read activity far
outweigh any need to add, delete, or modify records. LDAP does
provide a means for replication of the database so as to keep slave
provide a means for replication of the database to keep slave
servers up to date with a master. It also has built-in capability to
handle external references and deferral.
</para></glossdef>
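Review bot: The edited paragraph is internally inconsistent: it states 'LDAP is not a database per se' and two sentences later attributes storage behaviour to it ('LDAP does not have a particularly efficient mechanism for storing records in the database'); consider making 'LDAP directory servers' or 'the directory backend' the subject of that second sentence. While in this paragraph, 'has no concept of transaction processing nor of mechanisms for preserving data consistency' should read 'no concept of transaction processing or of mechanisms', since 'nor' has no preceding 'neither'.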
@ -147,7 +147,7 @@
<glossterm>Media Access Control</glossterm>
<acronym>MAC</acronym>
<glossdef><para>
The hard-coded address of the physical layer device that is attached to the network.
The hard-coded address of the physical-layer device that is attached to the network.
All network interface controllers must have a hard-coded and unique MAC address. The
MAC address is 48 bits long.
</para></glossdef>
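Review bot: 'All network interface controllers must have a hard-coded and unique MAC address' is left as an absolute statement in a hyphenation-only change; a reader can take it as a guarantee that a MAC address reliably identifies a device, so consider qualifying it ('a factory-assigned MAC address that is intended to be unique') so the definition does not over-promise.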
@ -158,7 +158,7 @@
<acronym>NetBEUI</acronym>
<glossdef><para>
Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS
over ethernet with low overhead. NetBEUI is a non-routable protocol.
over Ethernet with low overhead. NetBEUI is a non-routable protocol.
</para></glossdef>
</glossentry>
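Review bot: 'Very simple network protocol invented by IBM and Microsoft' is missing its article; since this hunk is already a copy-edit of the same paragraph ('ethernet' to 'Ethernet'), change it to 'A very simple network protocol invented by IBM and Microsoft' in the same commit.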
@ -180,7 +180,7 @@
NetBIOS is a simple application programming interface (API) invented in the 1980s
that allows programs to send data to certain network names. NetBIOS is always run over
another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC).
NetBIOS run over LLC is best known as NetBEUI (The NetBIOS Extended User Interface
NetBIOS run over LLC is best known as NetBEUI (the NetBIOS Extended User Interface
&smbmdash; a complete misnomer!).
</para></glossdef>
</glossentry>
@ -231,7 +231,7 @@
<acronym>TOSHARG</acronym>
<glossdef><para>
This book makes repeated reference to <quote>The Official Samba-3 HOWTO and Reference Guide</quote>
by John H. Terpstra (Author) and Jelmer R. Vernooij (Author). This publication is available from
by John H. Terpstra and Jelmer R. Vernooij. This publication is available from
Amazon.com. Publisher: Prentice Hall PTR (October 2003),
ISBN: 0131453556.
</para></glossdef>
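Review bot: The paragraph remains a run of fragments after '(Author)' is removed ('This publication is available from Amazon.com. Publisher: Prentice Hall PTR (October 2003), ISBN: 0131453556.'); consider one bibliographic sentence such as 'Published by Prentice Hall PTR, October 2003, ISBN 0131453556.' and drop the retailer name, which will date the text.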
@ -241,8 +241,8 @@
<glossterm>User IDentifier</glossterm>
<acronym>UID</acronym>
<glossdef><para>
The UNIX system User Identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user level access
The UNIX system user identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access
control.
</para></glossdef>
</glossentry>
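Review bot: The same unqualified width claim as in the GID entry ('on older systems, a 32-bit unsigned integer, and on newer systems, an unsigned 64-bit integer') is carried over here while the surrounding sentence is edited; whatever qualifier or platform name is chosen for the GID entry should be applied to this one in the same commit so the two definitions stay in step.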