mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

Another copy edit update.

(This used to be commit 7d998a020d)
This commit is contained in:
John Terpstra 2005-05-25 21:40:55 +00:00 committed by Gerald W. Carter
parent 3192e95c2c
commit 118a2b639a
15 changed files with 1493 additions and 1829 deletions

View File

@ -69,7 +69,7 @@ without impediment.
<para>
Starting with the configuration files for the server called
<constant>MASSIVE</constant> in Chapter 5, you now deal with the
<constant>MASSIVE</constant> in <link linkend="happy"/>, you now deal with the
issues that are particular to large distributed networks. Your task
is simple &smbmdash; identify the challenges, consider the
alternatives, and then design and implement a solution.
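Review bot: the empty element <link linkend="happy"/> replaces the bare words "Chapter 5", so the rendered text becomes whatever the stylesheet generates for the target (normally the chapter number followed by its title), which changes the flow of "in <link linkend="happy"/>, you now deal with" to something like "in Chapter 5, Making Happy Users, you now deal with". That matches the cross-reference style used elsewhere in the book, but if only the number is wanted the link needs explicit content or an xref style; worth checking the rendered output once rather than per occurrence.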
@ -293,7 +293,7 @@ productivity.</para>
<indexterm><primary>logon traffic</primary></indexterm>
<indexterm><primary>redirected folders</primary></indexterm>
One way to reduce the network bandwidth impact of user logon
traffic is through folder redirection. In Chapter 5, you
traffic is through folder redirection. In <link linkend="happy"/>, you
implemented this in the new Windows XP Professional standard
desktop configuration. When desktop folders such as <guimenu>My
Documents</guimenu> are redirected to a network drive, they should
@ -500,46 +500,39 @@ productivity.</para>
and a number of LDAP implementations.
</para>
<para><indexterm>
<primary>multiple directories</primary>
</indexterm>
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
have multiple directories and multiple management and control
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.</para>
<para>
<indexterm><primary>multiple directories</primary></indexterm>
The problem of managing multiple directories has become a focal
point over the past decade, creating a large market for
metadirectory products and services that allow organizations that
have multiple directories and multiple management and control
centers to provision information from one directory into
another. The attendant benefit to end users is the promise of
having to remember and deal with fewer login identities and
passwords.</para>
<para><indexterm>
<primary>network</primary>
<secondary>bandwidth</secondary>
</indexterm>
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.</para>
<para>
<indexterm><primary>network</primary><secondary>bandwidth</secondary></indexterm>
The challenge of every large network is to find the optimum
balance of internal systems and facilities for Identity
Management resources. How well the solution is chosen and
implemented has potentially significant impact on network bandwidth
and systems response needs.</para>
<para><indexterm>
<primary>LDAP server</primary>
</indexterm><indexterm>
<primary>LDAP</primary>
<secondary>master</secondary>
</indexterm><indexterm>
<primary>LDAP</primary>
<secondary>slave</secondary>
</indexterm>
In Chapter 5, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how you may implement a single
master LDAP server with multiple slave servers.</para>
<para>
<indexterm><primary>LDAP server</primary></indexterm>
<indexterm><primary>LDAP</primary><secondary>master</secondary></indexterm>
<indexterm><primary>LDAP</primary><secondary>slave</secondary></indexterm>
In <link linkend="happy"/>, you implemented a single LDAP server for the
entire network. This may work for smaller networks, but almost
certainly fails to meet the needs of large and complex networks. The
following section documents how you may implement a single
master LDAP server with multiple slave servers.</para>
<para>What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.</para>
<para>
What is the best method for implementing master/slave LDAP
servers within the context of a distributed 2,000-user network is a
question that remains to be answered.</para>
<para>
<indexterm><primary>distributed domain</primary></indexterm>
@ -783,7 +776,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz \
<para>
It is assumed that the network you are working with follows in a
pattern similar to what was covered in Chapter 5. The following steps
pattern similar to what was covered in <link linkend="happy"/>. The following steps
permit the operation of a master/slave OpenLDAP arrangement.
</para>
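Review bot: the hunk context line shows passdb backend = ldapsam:ldap://master.abmas.biz, a plain ldap:// URI. In the master/slave layout this section introduces, the domain controllers and the LDAP servers are separate hosts, so with that URI the Samba bind credential and the sambaNTPassword/sambaLMPassword attributes cross the network unencrypted. The steps that follow should tell the reader to use ldaps:// or ldap ssl = start tls on the Samba side and TLS on the slapd side, or state explicitly that the LDAP server is local.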
@ -924,7 +917,7 @@ added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
<step><para>
<indexterm><primary>smbldap-useradd</primary></indexterm>
On the master LDAP server you may now add an account to validate that replication
is working. Assuming the configuration shown in Chapter 5, execute:
is working. Assuming the configuration shown in <link linkend="happy"/>, execute:
<screen>
&rootprompt; /var/lib/samba/sbin/smbldap-useradd -a fruitloop
</screen>
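Review bot: this step creates a test account (smbldap-useradd -a fruitloop) only to verify replication, but nothing tells the reader to remove it afterwards, so a Windows-enabled account with a known name is left in the directory on every replica. Add a closing line such as "&rootprompt; /var/lib/samba/sbin/smbldap-userdel fruitloop" once replication has been confirmed on the slaves.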
@ -1454,13 +1447,14 @@ DHCP traffic: 300 (clients) x 6 (packets)
<itemizedlist>
<listitem><para>
Desktop folders such as <constant>Desktop</constant>, <constant>My Documents</constant>, <constant>My Pictures</constant>, <constant>My Music</constant>, <constant>Internet Files</constant>,
<constant>Cookies</constant>, <constant>Application Data</constant>, <constant>Local Settings,</constant> and more. See Chapter 5, <link linkend="XP-screen001"/>.
Desktop folders such as <constant>Desktop</constant>, <constant>My Documents</constant>,
<constant>My Pictures</constant>, <constant>My Music</constant>, <constant>Internet Files</constant>,
<constant>Cookies</constant>, <constant>Application Data</constant>,
<constant>Local Settings,</constant> and more. See <link linkend="happy"/>, <link linkend="XP-screen001"/>.
</para>
<para><indexterm>
<primary>folder redirection</primary>
</indexterm>
<para>
<indexterm><primary>folder redirection</primary></indexterm>
Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
such folders can be redirected to network drive resources. See <link linkend="redirfold"/>
for more information regarding folder redirection.
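Review bot: the trailing comma is still inside the element in <constant>Local Settings,</constant>; it belongs outside, as <constant>Local Settings</constant>, and more. The rewrapped list of folder names is otherwise fine, and the double reference "<link linkend="happy"/>, <link linkend="XP-screen001"/>" will render as the chapter title followed by the figure title, which is what the old "Chapter 5, ..." text intended.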

View File

@ -293,7 +293,7 @@
domain control. Politically, we have to navigate a minefield. In this case, the need is to
get the PDC rolled out in compliance with expectations and also to be ready to save the day
by having the real solution ready before it is needed. That real solution is presented in
Chapter 5.
<link linkend="happy"/>.
</para>
</sect2>
@ -594,7 +594,7 @@ root = Administrator
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
and in the reverse lookup database for the network segment that the printer is
located in. Example configuration files for similar zones were presented in Chapter 3,
located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
<link linkend="abmasbiz"/> and <link linkend="eth2zone"/>.
</para></step>
@ -867,7 +867,7 @@ Added user <parameter>username</parameter>.
<step><para>
Your server is ready for validation testing. Do not proceed with the steps in
<link linkend="ch5-domsvrspec"/> until after the operation of the server has been
validated following the same methods as outlined in Chapter 3, <link linkend="ch4valid"/>.
validated following the same methods as outlined in <link linkend="secure"/>, <link linkend="ch4valid"/>.
</para></step>
</procedure>
@ -1084,7 +1084,7 @@ hosts: files dns wins
<example id="massive-dhcp">
<title>Server: MASSIVE, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/MASSIVE
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
@ -1127,7 +1127,7 @@ subnet 123.45.67.64 netmask 255.255.255.252 {
<example id="bldg1dhcp">
<title>Server: BLDG1, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/BLDG1
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
@ -1162,7 +1162,7 @@ subnet 127.0.0.0 netmask 255.0.0.0 {
<example id="bldg2dhcp">
<title>Server: BLDG2, File: dhcpd.conf</title>
<screen>
# Abmas Accounting Inc. - Chapter 5/BLDG1
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
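Review bot: the dropped comment in this file read "Chapter 5/BLDG1" although the example is titled Server: BLDG2, so removing it fixes a copy-and-paste error; but the host name was also the only thing identifying the file once it has been copied onto a server, since the <title> does not travel with it. Consider keeping the name in the comment, e.g. "# Abmas Accounting Inc. - BLDG2" here and the matching MASSIVE and BLDG1 comments in the two hunks above, rather than dropping it entirely.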
@ -1720,8 +1720,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
<para>
The network you have just deployed has been a valuable exercise in forced constraint.
You have deployed a network that works well, although you may soon start to see
performance problems, at which time the modifications demonstrated in
Chapter 5 bring the network to life. The following key learning points were experienced:
performance problems, at which time the modifications demonstrated in <link linkend="happy"/>
bring the network to life. The following key learning points were experienced:
</para>
<itemizedlist>

File diff suppressed because it is too large

View File

@ -2,27 +2,23 @@
<!DOCTYPE appendix PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<appendix id="appendix">
<title>Appendix: A Collection of Useful Tid-bits</title>
<title>A Collection of Useful Tidbits</title>
<para><indexterm>
<primary>material</primary>
</indexterm><indexterm>
<primary>domain</primary>
<secondary>joining</secondary>
</indexterm>
<para>
<indexterm><primary>material</primary></indexterm>
<indexterm><primary>domain</primary><secondary>joining</secondary></indexterm>
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
as shown in the example given below.
</para>
<sect1 id="domjoin">
<title>Joining a Domain: Windows 200x/XP Professional</title>
<para><indexterm>
<primary>joining a domain</primary>
</indexterm>
<para>
<indexterm><primary>joining a domain</primary></indexterm>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
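Review bot: the copy edit lowercases "domain" in "Samba-controlled Windows domain" and "Windows ADS domain" but leaves "Domain Security" capitalized twice in the unchanged lines just below ("can participate in Domain Security", "a Domain Security environment"); for consistency within this appendix those should become "domain security" in the same change.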
@ -76,7 +72,7 @@
<step><para>
Now click the <guimenu>OK</guimenu> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a Domain administrative account that has the rights to add machines to the Domain.
of a domain administrative account that has the rights to add machines to the domain.
</para>
<para>
@ -95,43 +91,36 @@
</procedure>
<para><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<para>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
The screen capture shown in <link linkend="swxpp007"/> has a button labeled <guimenu>More...</guimenu>. This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
</para>
<para><indexterm>
<primary>Netlogon</primary>
</indexterm><indexterm>
<primary>DNS</primary><secondary>dynamic</secondary>
</indexterm>
<para>
<indexterm><primary>Netlogon</primary></indexterm>
<indexterm><primary>DNS</primary><secondary>dynamic</secondary></indexterm>
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
</para>
<para><indexterm>
<primary>DNS</primary>
<secondary>suffix</secondary>
</indexterm>
<para>
<indexterm><primary>DNS</primary><secondary>suffix</secondary></indexterm>
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
</para>
<para>
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
Where the client is a member of a Samba domain, it is preferable to leave this field blank.
</para>
<para><indexterm>
<primary>Group Policy</primary>
</indexterm>
<para>
<indexterm><primary>Group Policy</primary></indexterm>
According to Microsoft documentation, <quote>If this computer belongs to a group with <constant>Group Policy</constant>
enabled on <command>Primary DNS suffice of this computer</command>, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
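Review bot: the quoted Microsoft text in the last paragraph of this hunk still reads "Primary DNS suffice of this computer"; the setting is named "Primary DNS suffix of this computer", and since this is a dialog/policy label rather than a command, <guimenu> or <guilabel> fits better than <command>. The lowercasing of "domain controllers" and "domain membership" in this hunk is correct.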
@ -214,7 +203,7 @@
</indexterm><indexterm>
<primary>run-time control files</primary>
</indexterm>
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
the <filename>/var/lib/samba</filename> directory. Log files are created in <filename>/var/log/samba.</filename>
</para>
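Review bot: the sentence-ending period is inside the element in <filename>/var/log/samba.</filename>, which will render the path as "/var/log/samba." in monospace; move it outside as <filename>/var/log/samba</filename>. Same pattern is worth a grep across this file, since the preloading steps later in the appendix have it too.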
@ -361,8 +350,8 @@ exit 0
<listitem><para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>starting samba</primary><secondary>winbindd</secondary></indexterm>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when
Samba has trust relationships with another Domain. The <command>winbindd</command> daemon will check the
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The <command>winbindd</command> daemon will check the
&smb.conf; file for the presence of the <parameter>idmap uid</parameter> and <parameter>idmap gid</parameter>
parameters. If they are not found, <command>winbindd</command> bails out and refuses to start.
</para></listitem>
@ -428,7 +417,7 @@ esac
<para><indexterm>
<primary>samba control script</primary>
</indexterm>
SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in <link linkend="ch12SL"/>. This can be located in the directory
<filename>/sbin</filename> in a file called <filename>samba</filename>. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
@ -566,7 +555,7 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
<para>
The content of the root hints file as shown in <link linkend="roothint"/> changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size this file is located at the end of this appendix.
of its size, this file is located at the end of this appendix.
</para>
</sect2>
@ -600,9 +589,9 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
<primary>SID</primary>
</indexterm>
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be pre-loaded. This is necessary to create the containers
into which the user, group, and so on, accounts is written. It is also necessary to
pre-load the well-known Windows NT Domain Groups, as they must have the correct SID so
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
preload the well-known Windows NT Domain Groups, as they must have the correct SID so
that they can be recognized as special NT Groups by the MS Windows clients.
</para>
@ -623,13 +612,13 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
Install the files shown in <link linkend="sbehap-ldapreconfa"/>, <link linkend="sbehap-ldapreconfb"/>,
and <link linkend="sbehap-ldapreconfc"/> into the directory
<filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
respectively, Part A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
respectively, parts A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
</para></step>
<step><para>
Install the files shown in <link linkend="sbehap-ldifpata"/> and <link linkend="sbehap-ldifpatb"/> into the directory
<filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> These two files are
Part A and B, respectively, of the <filename>init-ldif.pat</filename> file.
parts A and B, respectively, of the <filename>init-ldif.pat</filename> file.
</para></step>
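Review bot: two errors in the unchanged lines of this hunk survive the copy edit. The path <filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> is missing the leading "i" (the following sentence and the next step name the file init-ldif.pat), and both steps say "into the directory" while naming a file, not a directory: the parts A/B/C are concatenated into the file SMBLDAP-ldif-preconfig.sh and parts A/B into init-ldif.pat, both under /etc/openldap/SambaInit. The sentence-ending periods are also inside the <filename> elements in both steps.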
<step><para>
@ -675,7 +664,7 @@ Enter the top level org name or press Enter to continue:
</para></step>
<step><para>
It is now time to pre-load the LDAP database with the following
It is now time to preload the LDAP database with the following
command:
<screen>
&rootprompt; slapadd -v -l MEGANET2.ldif
@ -998,25 +987,17 @@ description: Domain Users
<sect1>
<title>The LDAP Account Manager</title>
<para><indexterm>
<primary>LAM</primary>
</indexterm><indexterm>
<primary>LDAP Account Manager</primary>
<see>LAM</see>
</indexterm><indexterm>
<primary>PHP</primary>
</indexterm><indexterm>
<primary>unencrypted</primary>
</indexterm><indexterm>
<primary>SSL</primary>
</indexterm><indexterm>
<primary>Posix</primary>
</indexterm><indexterm>
<primary>accounts</primary><secondary>manage</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary></indexterm>
<indexterm><primary>LDAP Account Manager</primary><see>LAM</see></indexterm>
<indexterm><primary>PHP</primary></indexterm>
<indexterm><primary>unencrypted</primary></indexterm>
<indexterm><primary>SSL</primary></indexterm>
<indexterm><primary>Posix</primary></indexterm>
<indexterm><primary>accounts</primary><secondary>manage</secondary></indexterm>
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL. LAM can be used to manage
server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
(hosts).
</para>
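Review bot: "either using unencrypted connections or via SSL/TLS" is stated as a neutral choice, but LAM authenticates with an LDAP administrator bind DN and writes the sambaNTPassword/sambaLMPassword hashes of the accounts it manages, so over an unencrypted connection both the bind password and the NT hashes traverse the network in clear. The paragraph should say that unencrypted mode is acceptable only when the web server and slapd run on the same host. Minor: the Samba 3 schema object class is sambaSamAccount, not "SambaSAMAccounts".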
@ -1024,52 +1005,44 @@ Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machin
<para>
LAM is available from the <ulink url="http://sourceforge.net/projects/lam/">LAM</ulink>
home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
in 2004.
The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
of 2005.
</para>
<para><indexterm>
<primary>PHP4</primary>
</indexterm><indexterm>
<primary>OpenLDAP</primary>
</indexterm><indexterm>
<primary>Perl</primary>
</indexterm>
<para>
<indexterm><primary>PHP4</primary></indexterm>
<indexterm><primary>OpenLDAP</primary></indexterm>
<indexterm><primary>Perl</primary></indexterm>
Requirements:
</para>
<itemizedlist>
<listitem><para>A web server that will work with PHP4.</para></listitem>
<listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">
PHP</ulink> home page.)</para></listitem>
<listitem><para>PHP4 (available from the <ulink url="http://www.php.net/">PHP</ulink> home page.)</para></listitem>
<listitem><para>OpenLDAP 2.0 or later.</para></listitem>
<listitem><para>A Web browser that supports CSS.</para></listitem>
<listitem><para>Perl.</para></listitem>
<listitem><para>The gettext package.</para></listitem>
<listitem><para>mcrypt + mhash (optional since version 0.4.3).</para></listitem>
<listitem><para>mcrypt + mhash (optional).</para></listitem>
<listitem><para>It is also a good idea to install SSL support.</para></listitem>
</itemizedlist>
<para>
LAM is a useful tool that provides a simple Web-based device that can be used to
manage the contents of the LDAP directory to:<indexterm>
<primary>organizational units</primary>
</indexterm><indexterm>
<primary>operating profiles</primary>
</indexterm><indexterm>
<primary>account policies</primary>
</indexterm>
manage the contents of the LDAP directory to:
<indexterm><primary>organizational units</primary></indexterm>
<indexterm><primary>operating profiles</primary></indexterm>
<indexterm><primary>account policies</primary></indexterm>
</para>
<itemizedlist>
<listitem><para>Display user/group/host and Domain entries.</para></listitem>
<listitem><para>Manages entries (Add/Delete/Edit).</para></listitem>
<listitem><para>Manage entries (Add/Delete/Edit).</para></listitem>
<listitem><para>Filter and sort entries.</para></listitem>
<listitem><para>Set LAM administrator accounts.</para></listitem>
<listitem><para>Store and use multiple operating profiles.</para></listitem>
<listitem><para>Edit organizational units (OUs).</para></listitem>
<listitem><para>Upload accounts from a file.</para></listitem>
<listitem><para></para>Is compatible with Samba-2.2.x and Samba-3.</listitem>
<listitem><para>Is compatible with Samba-2.2.x and Samba-3.</para></listitem>
</itemizedlist>
<para>
@ -1077,15 +1050,11 @@ When correctly configured, LAM allows convenient management of UNIX (Posix) and
user, group, and windows domain member machine accounts.
</para>
<para><indexterm>
<primary>default password</primary>
</indexterm><indexterm>
<primary>secure connections</primary>
</indexterm><indexterm>
<primary>LAM</primary>
</indexterm><indexterm>
<primary>SSL</primary>
</indexterm>
<para>
<indexterm><primary>default password</primary></indexterm>
<indexterm><primary>secure connections</primary></indexterm>
<indexterm><primary>LAM</primary></indexterm>
<indexterm><primary>SSL</primary></indexterm>
The default password is <quote>lam.</quote> It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
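Review bot: the paragraph recommends SSL but never tells the reader to change the default password, and TLS does nothing against a published default credential. Add a sentence immediately after "The default password is lam" instructing that it be changed on first login before LAM is exposed beyond localhost. The period also sits inside the quote element, <quote>lam.</quote>, and belongs after it.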
@ -1093,29 +1062,27 @@ to LAM using only SSL.
</para>
<procedure id="sbehap-laminst">
<title>Apache Condiguration Steps for LAM</title>
<title>Apache Configuration Steps for LAM</title>
<step><para>
Extract the LAM package with:
Extract the LAM package by untarring it as shown here:
<screen>
&rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz
&rootprompt; tar xzf ldap-account-manager_0.4.9.tar.gz
</screen>
Alternately, install the LAM RPM for your system using the following example for
example:
Alternatively, install the LAM DEB for your system using the following command:
<screen>
&rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm
&rootprompt; dpkg -i ldap-account-manager_0.4.9.all.deb
</screen>
</para></step>
<step><para>
Copy the extracted files to the document root directory of your Web server.
For example, on SUSE Linux Enterprise Server 8, copy to the
<filename>/srv/web/htdocs</filename> directory.
For example, on SUSE Linux Enterprise Server 9, copy to the
<filename>/srv/www/htdocs</filename> directory.
</para></step>
<step><para><indexterm>
<primary>file permissions</primary>
</indexterm>
<step><para>
<indexterm><primary>file permissions</primary></indexterm>
Set file permissions using the following commands:
<screen>
&rootprompt; chown -R wwwrun.www /srv/www/htdocs/lam
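Review bot: "chown -R wwwrun.www /srv/www/htdocs/lam" makes the web server user the owner of the entire LAM code tree, so any PHP-level compromise of LAM (or of another application on the same vhost) can rewrite LAM's own code. Only the directories LAM writes to (its config, session and temporary directories) need to be owned by wwwrun; the rest should stay root-owned and readable only. Two smaller points: the install step was switched from an RPM to a DEB ("dpkg -i ldap-account-manager_0.4.9.all.deb") while the very next step targets SUSE Linux Enterprise Server 9, which does not use dpkg, so either keep the RPM example alongside or note the mismatch; and Debian binary packages are named name_version_arch.deb, so the file is more likely ldap-account-manager_0.4.9_all.deb (with an underscore before all).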
@ -1126,23 +1093,17 @@ example:
</screen>
</para></step>
<step><para><indexterm>
<primary>LAM</primary>
<secondary>configuration file</secondary>
</indexterm>
<step><para>
<indexterm><primary>LAM</primary><secondary>configuration file</secondary></indexterm>
Using your favorite editor create the following <filename>config.cfg</filename>
LAM configuration file:
<screen>
&rootprompt; cd /srv/www/htdocs/lam/config
&rootprompt; cp config.cfg_sample config.cfg
&rootprompt; vi config.cfg
</screen><indexterm>
<primary>LAM</primary>
<secondary>profile</secondary>
</indexterm><indexterm>
<primary>LAM</primary>
<secondary>wizard</secondary>
</indexterm>
</screen>
<indexterm><primary>LAM</primary><secondary>profile</secondary></indexterm>
<indexterm><primary>LAM</primary><secondary>wizard</secondary></indexterm>
An example file is shown in <link linkend="lamcfg"/>.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
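Review bot: "cp config.cfg_sample config.cfg" carries the sample's master password (the default "lam" mentioned earlier in this section) into the live configuration, and config.cfg is the file the login screen checks against; this step should say to set a new master password here and to make the file readable only by the web server user, since the chown -R in the earlier step leaves it with the tree's default mode.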
@ -1161,9 +1122,8 @@ example:
</para></step>
</procedure>
<para><indexterm>
<primary>pitfalls</primary>
</indexterm>
<para>
<indexterm><primary>pitfalls</primary></indexterm>
An example of a working file is shown here in <link linkend="lamconf"/>.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
@ -1172,10 +1132,8 @@ example:
are preferred at your site.
</para>
<para><indexterm>
<primary>LAM</primary>
<secondary>login screen</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>login screen</secondary></indexterm>
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in <link linkend="lam-login"/>.
@ -1186,10 +1144,8 @@ example:
<imagefile scale="50">lam-login</imagefile>
</image>
<para><indexterm>
<primary>LAM</primary>
<secondary>configuration editor</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>configuration editor</secondary></indexterm>
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in <link linkend="lam-config"/>.
It is important that you correctly set the minimum and maximum UID/GID values that are
@ -1205,19 +1161,16 @@ example:
<imagefile scale="50">lam-config</imagefile>
</image>
<para><indexterm>
<primary>PDF</primary>
</indexterm>
<para>
<indexterm><primary>PDF</primary></indexterm>
LAM has some nice, but unusual features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
</para>
<para><indexterm>
<primary>LAM</primary>
<secondary>opening screen</secondary>
</indexterm>
<para>
<indexterm><primary>LAM</primary><secondary>opening screen</secondary></indexterm>
When you log onto LAM the opening screen drops you right into the user manager as shown in
<link linkend="lam-user"/>. This is a logical action as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
@ -1235,7 +1188,7 @@ example:
<para>
The edit screen for groups is shown in <link linkend="lam-group"/>. As with the edit screen
for user accounts, group accounts may be rapidly dealt with. <link linkend="lam-group-mem"/>
shown a sub-screen from the group editor that permits users to be assigned secondary group
shows a sub-screen from the group editor that permits users to be assigned secondary group
memberships.
</para>
@ -1249,11 +1202,8 @@ example:
<imagefile scale="50">lam-group-members</imagefile>
</image>
<para><indexterm>
<primary>smbldap-tools</primary>
</indexterm><indexterm>
<primary>scripts</primary>
</indexterm>
<para>
<indexterm><primary>smbldap-tools</primary></indexterm><indexterm><primary>scripts</primary></indexterm>
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen <link linkend="lam-host"/>
will, in most cases, not be used.
@ -1267,11 +1217,18 @@ example:
<para>
One aspect of LAM that may annoy some users is the way it forces certain conventions on
the administrator. For example, LAM does not permit the creation of Windows user and group
accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux
accounts that contain spaces even though the underlying UNIX/Linux
operating system may exhibit no problems with them. Given the propensity for using upper-case
characters and spaces (particularly in the default Windows account names) this may cause
some annoyance. For the rest, LAM is a very useful administrative tool.
</para>
<para>
The next major release, LAM 0.5, will have less restrictions and support the latest Samba features
(e.g. logon hours). The new plugin based architecture also allows to manage much more different
account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another
important point is the tree view which allows to browse and edit LDAP objects directly.
</para>
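Review bot: the new LAM 0.5 paragraph needs a grammar pass to match the rest of the copy edit: "less restrictions" should be "fewer restrictions"; "allows to manage much more different account types like plain Unix accounts" reads better as "also makes it possible to manage many more account types, such as plain UNIX accounts"; "allows to browse and edit" should be "allows LDAP objects to be browsed and edited directly"; and "e.g." wants a following comma or should be "for example". "Unix" should also follow the appendix's own spelling ("UNIX/Linux" two sentences earlier).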
<example id="lamcfg">
<title>Example LAM Configuration File &smbmdash; <filename>config.cfg</filename></title>
@ -1304,7 +1261,7 @@ userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
grouplistAttributes: #cn;#gidNumber;#memberUID;#description
hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
maxlistentries: 30
defaultLanguage: en_GB:ISO-8859-1:English (Britain)
defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
scriptPath:
scriptServer:
samba3: yes
@ -1339,7 +1296,7 @@ pwdhash: SSHA
<para>
When the SUID/SGID permissions are set on a directory, all files that are created within that directory
is automatically given the ownership of the SUID user and the SGID group, as per the ownership
are automatically given the ownership of the SUID user and the SGID group, as per the ownership
of the directory in which the file is created. This means that the system level <command>create()</command>
function executes with the SUID user and/or SGID group of the directory in which the file is
created.
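Review bot: the paragraph's central claim is wrong for Linux and the edit only fixes its grammar. On Linux the setuid bit on a directory has no effect at all; only the setgid bit is honoured, so a file created in that directory inherits the directory's group while its owner remains the creating user. There is also no system-level create() function; files are created by creat(2)/open(2), which run with the caller's credentials. The sentence "all files that are created within that directory are automatically given the ownership of the SUID user" should be reworded to describe setgid group inheritance only, and the owner-forcing behaviour the text wants is what Samba's force user and force group share parameters provide.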
@ -1371,9 +1328,9 @@ drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
drwx------ 2 root root 48 Jan 26 2002 lost+found
</screen>
In this example, if the user <constant>maryv</constant> creates a file, it would be owned by her.
In this example, if the user <constant>maryv</constant> creates a file, it is owned by her.
If <constant>maryv</constant> has the primary group of <constant>Accounts</constant>, the file is
owned by the group <constant>Accounts</constant> as shown in this listing:
owned by the group <constant>Accounts</constant>, as shown in this listing:
<screen>
&rootprompt; ls -al /data/accounts/maryvfile.txt
drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
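Review bot: the listing under "as shown in this listing:" gives maryvfile.txt a mode string beginning with "d" (drw-rw-r--), which would mark it as a directory although the text says maryv created a file; it should begin with "-" (-rw-rw-r--). The same mode string appears in the listing in the next hunk after the chmod ug+s step.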
@ -1393,7 +1350,7 @@ drwx------ 2 root root 48 Jan 26 2002 lost+found
</screen>
If <constant>maryv</constant> creates a file in this directory after this change has been made, the
file is owned by the user <constant>bobj</constant>, and the group is set to the group
<constant>Domain Users</constant> as shown here:
<constant>Domain Users</constant>, as shown here:
<screen>
&rootprompt; chmod ug+s /data/accounts
&rootprompt; ls -al /data/accounts/maryvfile.txt
@ -1414,12 +1371,12 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
<secondary>data access</secondary>
</indexterm>
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
</para>
<para>
The solution to concurrent multi-user data access problems must consider three separate areas
The solution to concurrent multiuser data access problems must consider three separate areas
from which the problem may stem:<indexterm>
<primary>locking</primary>
<secondary>Application level</secondary>
@ -1433,9 +1390,9 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</para>
<itemizedlist>
<listitem><para>application level locking controls.</para></listitem>
<listitem><para>client side locking controls.</para></listitem>
<listitem><para>server side locking controls.</para></listitem>
<listitem><para>application-level locking controls</para></listitem>
<listitem><para>client-side locking controls</para></listitem>
<listitem><para>server-side locking controls</para></listitem>
</itemizedlist>
<para><indexterm>
@ -1445,7 +1402,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm>
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided given that this is the most common application for which problems have been reported.
is provided here because this is the most common application for which problems have been reported.
</para>
<para><indexterm>
@ -1463,7 +1420,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
<para>
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
cover this area. Examples of relevant documents includes:
cover this area. Examples of relevant documents include:
</para>
<itemizedlist>
@ -1478,8 +1435,8 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm><indexterm>
<primary>exclusive open</primary>
</indexterm>
Make sure that your MS Access database file is configured for multi-user access (not set for
exclusive open). Open MS Access on each client workstation then set the following: <menuchoice>
Make sure that your MS Access database file is configured for multiuser access (not set for
exclusive open). Open MS Access on each client workstation, then set the following: <menuchoice>
<guimenu>(Menu bar) Tools</guimenu><guimenu>Options</guimenu><guimenu>[tab] General</guimenu>
</menuchoice>. Set network path to Default database folder: <filename>\\server\share\folder</filename>.
</para>
@ -1503,7 +1460,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm>
You must now commit the changes so that they will take effect. To do so, click
<guimenu>Apply</guimenu><guimenu>Ok</guimenu>. At this point, you should exit MS Access, restart
it and then validate that these settings have not changed.
it, and then validate that these settings have not changed.
</para>
</sect2>
@ -1516,10 +1473,10 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm><indexterm>
<primary>data corruption</primary>
</indexterm>
Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
knowledge-base articles
knowledgebase articles
<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925">1998223162925</ulink>
as well as from article
<ulink url="http://itdomino.saleslogix.com/act.nsf/docid/200110485036">200110485036</ulink>.
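Review bot: the new line "running Samba,or Windows NT, 200x, or XP" is missing the space after the first comma ("Samba, or Windows NT"). Also, "knowledge-base" becomes "knowledgebase" here while the footnote in the next hunk keeps "knowledge base" as two words; pick one form for the whole document.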
@ -1549,7 +1506,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm>
Third-party Windows applications may not be compatible with the use of opportunistic file
and record locking. For applications that are known not to be compatible,<footnote>Refer to
the application manufacturers' installation guidelines and knowledge base for specific
the application manufacturer's installation guidelines and knowledge base for specific
information regarding compatibility. It is often safe to assume that if the software
manufacturer does not specifically mention incompatibilities with opportunistic file
and record locking, or with Windows client file caching, the application is probably
@ -1568,7 +1525,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
Oplocks enable a Windows client to cache parts of a file that are being
edited. Another windows client may then request to open the file with the
ability to write to it. The server will then ask the original workstation
that had the file open with a write lock to release it's lock. Before
that had the file open with a write lock to release its lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
</para>
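Review bot: "it's" to "its" is correct; in the same paragraph the unchanged line "Another windows client may then request" should capitalize "Windows", matching "a Windows client" two lines above.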
@ -1579,7 +1536,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
</indexterm>
Disabling of Oplocks usage may require server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the
samba server.
Samba server.
</para>
<para>
@ -1600,7 +1557,7 @@ On the server:
</para>
<para>
The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4
The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4
workstation clients must be configured as shown here:
<screen>
REGEDIT4
@ -1616,8 +1573,8 @@ REGEDIT4
</para>
<para>
Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
The information provided in that chapter was obtained from a wide variety of sources.
Comprehensive coverage of file and record-locking controls is provided in TOSHARG, Chapter 13.
The information in that chapter was obtained from a wide variety of sources.
</para>
</sect2>



@ -6,7 +6,7 @@
<para>
You are about to use the equivalent of a microscope to look at the information
that runs through the veins of a Windows network. We do more to observe the information than
to interrogate it. When you are done with this chapter, you should have a good understanding
to interrogate it. When you are done with this primer, you should have a good understanding
of the types of information that flow over the network. Do not worry, this is not
a biology lesson. We won't lose you in unnecessary detail. Think to yourself, <quote>This
is easy,</quote> then tackle each exercise without fear.
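Review bot: this hunk renames the unit from "chapter" to "primer", but later hunks in the same file ("The successful completion of this appendix", "The purpose of this appendix", "established in this appendix") call it "appendix". Reconcile the two so the reader is not told it is both; "appendix" matches the "full coverage is provided earlier in this book" change further down.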
@ -14,13 +14,13 @@
<para>
Samba can be configured with a minimum of complexity. Simplicity should be mastered
before you get too deeply into complexities. Let's get moving, we have work to do.
before you get too deeply into complexities. Let's get moving: we have work to do.
</para>
<sect1>
<title>Requirements and Notes</title>
<para>
Successful completion of this chapter requires two Microsoft Windows 9x/Me Workstations,
Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
card connected using a hub. Also required is one additional server (either Windows
NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
@ -36,7 +36,7 @@
You may find more information regarding this tool from the
<ulink url="http://www.ethereal.com">Ethereal</ulink> Web site. Ethereal installation
files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with
SUSE and Red Hat Linux distributions, as well as many other Linux distributions. It may
SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
not be installed on your system by default. If it is not installed, you may also need
to install the <command>libpcap </command> software before you can install or use Ethereal.
Please refer to the instructions for your operating system or to the Ethereal Web site
@ -45,12 +45,12 @@
<para>
To obtain <command>ethereal</command> for your system, please visit the Ethereal
<ulink url="http://www.ethereal.com/download.html#binaries">download site.</ulink>
<ulink url="http://www.ethereal.com/download.html#binaries">download site</ulink>.
</para>
<note><para>
The successful completion of this chapter requires that you capture network traffic
using <command>ethereal</command>. It is recommended that you use a hub, not an
The successful completion of this appendix requires that you capture network traffic
using <command>Ethereal</command>. It is recommended that you use a hub, not an
Ethernet switch. It is necessary for the device used to act as a repeater, not as a
filter. Ethernet switches may filter out traffic that is not directed at the machine
that is used to monitor traffic; this would not allow you to complete the projects.
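Review bot: changing <command>ethereal</command> to <command>Ethereal</command> puts the product name, not the executable name, inside a <command> element; the binary is invoked as lowercase ethereal, which "To obtain <command>ethereal</command>" in the previous hunk still uses. Suggest keeping <command>ethereal</command> for the program and plain "Ethereal" for the product, as the "high-powered analysis tool (Ethereal)" line does; the same applies to <command>Ethereal</command> in the "machine is required to run" hunk, while "launch ethereal" in the Windows XP procedure is left lowercase.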
@ -69,9 +69,9 @@
</indexterm><indexterm>
<primary>protocol analysis</primary>
</indexterm>
Please do not be alarmed at the use of a high-powered analysis tool (ethereal) in this
first chapter. We expose you only to a minimum of detail necessary to complete
the exercises in this chapter. If you choose to use any other network sniffer and protocol
Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this
primer. We expose you only to a minimum of detail necessary to complete
the exercises. If you choose to use any other network sniffer and protocol
analysis tool, be advised that it may not allow you to examine the contents of
recently added security protocols used by Windows 200x/XP.
</para>
@ -93,7 +93,7 @@
<title>Introduction</title>
<para>
The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
The purpose of this appendix is to create familiarity with key aspects of Microsoft Windows
network computing. If you want a solid technical grounding, do not gloss over these exercises.
The points covered are recurrent issues on the Samba mailing lists.
</para>
@ -132,7 +132,7 @@
You are about to witness how Microsoft Windows computer networking functions. The
exercises step through identification of how a client machine establishes a
connection to a remote Windows server. You observe how Windows machines find
each other (i.e., how browsing works), and how the two key types of user identification
each other (i.e., how browsing works) and how the two key types of user identification
(share mode security and user mode security) are affected.
</para>
@ -142,7 +142,7 @@
</indexterm>
The networking protocols used by MS Windows networking when working with Samba
use TCP/IP as the transport protocol. The protocols that are specific to Windows
networking are encapsulated in TCP/IP. The network analyzer we use (ethereal)
networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal)
is able to show you the contents of the TCP/IP packets (or messages).
</para>
@ -171,7 +171,7 @@
<step><para>
Review traces of network logons for a Windows 9x/Me client as well as
a Domain logon for a Windows XP Professional client.
a domain logon for a Windows XP Professional client.
</para></step>
</procedure>
@ -187,7 +187,7 @@
two MS Windows 9x/Me systems. We called one machine <constant>WINEPRESSME</constant> and the
other <constant>MILGATE98</constant>. Each needs an IP address; we used <literal>10.1.1.10</literal>
and <literal>10.1.1.11</literal>. The test machines need to be networked via a <emphasis>hub</emphasis>. A UNIX/Linux
machine is required to run <command>ethereal</command> to enable the network activity to be captured.
machine is required to run <command>Ethereal</command> to enable the network activity to be captured.
It is important that the machine from which network activity is captured must not interfere with
the operation of the Windows workstations. It is helpful for this machine to be passive (does not
send broadcast information) to the network.
@ -199,10 +199,10 @@
</para>
<itemizedlist>
<listitem><para>Windows 98 &smbmdash; name: MILGATE98.</para></listitem>
<listitem><para>Windows Me &smbmdash; name: WINEPRESSME.</para></listitem>
<listitem><para>Windows XP Professional &smbmdash; name: LightrayXP.</para></listitem>
<listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9.</para></listitem>
<listitem><para>Windows 98 &smbmdash; name: MILGATE98</para></listitem>
<listitem><para>Windows Me &smbmdash; name: WINEPRESSME</para></listitem>
<listitem><para>Windows XP Professional &smbmdash; name: LightrayXP</para></listitem>
<listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9</para></listitem>
</itemizedlist>
<para>
@ -211,17 +211,17 @@
<para>
<indexterm><primary>ethereal</primary></indexterm>
The network captures provided on the CD-ROM at the back of this book were captured using <constant>ethereal</constant>
The network captures provided on the CD-ROM included with this book were captured using <constant>Ethereal</constant>
version <literal>0.10.6</literal>. A later version suffices without problems, but an earlier version may not
expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
packets has also been included. This makes it possible for you to do all the studying you like without the need to
perform the time-consuming equipment configuration and test work. This is a good time to point out the value
perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
care and attention to detail.
</para>
<sect2>
<title>Single Machine Broadcast Activity</title>
<title>Single-Machine Broadcast Activity</title>
<para>
In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
@ -253,7 +253,7 @@
<step><para>
Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
do not press any keyboard keys, do not click any on-screen icons or menus; and do not answer any dialog boxes.
do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
</para></step>
<step><para>
@ -273,7 +273,7 @@
<para>
The summary of the first 10 minutes of the packet capture should look like <link linkend="pktcap01"/>.
A screen-shot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
A screenshot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
</para>
<image id="pktcap01">
@ -294,7 +294,7 @@
</indexterm>
Broadcast messages observed are shown in <link linkend="capsstats01"/>.
Actual observations vary a little, but not by much.
Early in the startup process, the Windows Me machine broadcasts its name for two reasons;
Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
first to ensure that its name would not result in a name clash, and second to establish its
presence with the Local Master Browser (LMB).
</para>
@ -319,91 +319,91 @@
<entry>WINEPRESSME&lt;00&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.6 sec apart.</entry>
<entry>4 lots of 2, 0.6 sec apart</entry>
</row>
<row>
<entry>WINEPRESSME&lt;03&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.6 sec apart.</entry>
<entry>4 lots of 2, 0.6 sec apart</entry>
</row>
<row>
<entry>WINEPRESSME&lt;20&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;00&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1d&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1e&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1b&gt;</entry>
<entry>Qry</entry>
<entry>84</entry>
<entry>300 sec apart at stable operation.</entry>
<entry>300 sec apart at stable operation</entry>
</row>
<row>
<entry>__MSBROWSE__</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>Registered after winning election to Browse Master.</entry>
<entry>Registered after winning election to Browse Master</entry>
</row>
<row>
<entry>JHT&lt;03&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 x 2. This is the name of the user that logged onto Windows.</entry>
<entry>4 x 2. This is the name of the user that logged onto Windows</entry>
</row>
<row>
<entry>Host Announcement WINEPRESSME</entry>
<entry>Ann</entry>
<entry>2</entry>
<entry>Observed at 10 sec.</entry>
<entry>Observed at 10 sec</entry>
</row>
<row>
<entry>Domain/Workgroup Announcement MIDEARTH</entry>
<entry>Ann</entry>
<entry>18</entry>
<entry>300 sec apart at stable operation.</entry>
<entry>300 sec apart at stable operation</entry>
</row>
<row>
<entry>Local Master Announcement WINEPRESSME</entry>
<entry>Ann</entry>
<entry>18</entry>
<entry>300 sec apart at stable operation.</entry>
<entry>300 sec apart at stable operation</entry>
</row>
<row>
<entry>Get Backup List Request</entry>
<entry>Qry</entry>
<entry>12</entry>
<entry>6 x 2 early in startup, 0.5 sec apart.</entry>
<entry>6 x 2 early in startup, 0.5 sec apart</entry>
</row>
<row>
<entry>Browser Election Request</entry>
<entry>Ann</entry>
<entry>10</entry>
<entry>5 x 2 early in startup.</entry>
<entry>5 x 2 early in startup</entry>
</row>
<row>
<entry>Request Announcement WINEPRESSME</entry>
<entry>Ann</entry>
<entry>4</entry>
<entry>Early in startup.</entry>
<entry>Early in startup</entry>
</row>
</tbody>
</tgroup>
@ -415,7 +415,7 @@
<primary>browse master</primary>
</indexterm>
From the packet trace, it should be noted that no messages were propagated over TCP/IP;
all employed UDP/IP. When steady state operation has been achieved, there is a cycle
all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
of various announcements, re-election of a browse master, and name queries. These create
the symphony of announcements by which network browsing is made possible.
</para>
@ -423,9 +423,9 @@
<para><indexterm>
<primary>CIFS</primary>
</indexterm>
For detailed information regarding the precise behavior of the CIFS/SMB protocols, the
reader is referred to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
by Christopher Hertel, Publisher: Prentice Hall PTR, ISBN: 013047116X.
For detailed information regarding the precise behavior of the CIFS/SMB protocols,
refer to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
</para>
</sect3>
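Review bot: "by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X)." has a stray comma before the parenthesis; write "by Christopher Hertel (Prentice Hall PTR, ISBN 013047116X)."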
@ -436,7 +436,7 @@
<title>Second Machine Startup Broadcast Interaction</title>
<para>
At this time, the machine you used to capture the single system startup trace should still be running.
At this time, the machine you used to capture the single-system startup trace should still be running.
The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
</para>
@ -465,7 +465,7 @@
</para></step>
<step><para>
Start the second Windows 9x/Me machine. Let it run for 15-20 minutes. While monitoring, do not press
Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
</para></step>
@ -489,7 +489,7 @@
Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
(i.e., the name is already registered by another machine) on the network segment. Those wishing
to explore the inner details of the precise mechanism of how this functions should refer to
the book <quote>Implementing CIFS: The Common Internet File System,</quote> referred to previously.
<quote>Implementing CIFS: The Common Internet File System.</quote>
</para>
<table id="capsstats02">
@ -512,67 +512,67 @@
<entry>MILGATE98&lt;00&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.6 sec apart.</entry>
<entry>4 lots of 2, 0.6 sec apart</entry>
</row>
<row>
<entry>MILGATE98&lt;03&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.6 sec apart.</entry>
<entry>4 lots of 2, 0.6 sec apart</entry>
</row>
<row>
<entry>MILGATE98&lt;20&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;00&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1d&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1e&gt;</entry>
<entry>Reg</entry>
<entry>8</entry>
<entry>4 lots of 2, 0.75 sec apart.</entry>
<entry>4 lots of 2, 0.75 sec apart</entry>
</row>
<row>
<entry>MIDEARTH&lt;1b&gt;</entry>
<entry>Qry</entry>
<entry>18</entry>
<entry>900 sec apart at stable operation.</entry>
<entry>900 sec apart at stable operation</entry>
</row>
<row>
<entry>JHT&lt;03&gt;</entry>
<entry>Reg</entry>
<entry>2</entry>
<entry>This is the name of the user that logged onto Windows.</entry>
<entry>This is the name of the user that logged onto Windows</entry>
</row>
<row>
<entry>Host Announcement MILGATE98</entry>
<entry>Ann</entry>
<entry>14</entry>
<entry>Every 120 sec.</entry>
<entry>Every 120 sec</entry>
</row>
<row>
<entry>Domain/Workgroup Announcement MIDEARTH</entry>
<entry>Ann</entry>
<entry>6</entry>
<entry>900 sec apart at stable operation.</entry>
<entry>900 sec apart at stable operation</entry>
</row>
<row>
<entry>Local Master Announcement WINEPRESSME</entry>
<entry>Ann</entry>
<entry>6</entry>
<entry>Insufficient detail to determine frequency.</entry>
<entry>Insufficient detail to determine frequency</entry>
</row>
</tbody>
</tgroup>
@ -621,7 +621,7 @@
<step><para>
Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
machines using a user name (JHT) of your choice. Wait approximately two minutes before proceeding.
machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
</para></step>
<step><para>
@ -674,7 +674,7 @@
<step><para>
<indexterm><primary>password length</primary></indexterm>
<indexterm><primary>User Mode</primary></indexterm>
Dissect this packet as per the one above. This packet should have a password length
Dissect this packet as per the previous one. This packet should have a password length
of 24 (characters) and should have a password field, the contents of which is a
long hexadecimal number. Observe the name in the Account field. This is a User Mode
session setup packet.
@ -687,7 +687,7 @@
<para>
<indexterm><primary>IPC$</primary></indexterm>
The <constant>IPC$</constant> share serves a vital purpose<footnote><para>TOSHARG, Sect 4.5.1</para></footnote>
in SMB/CIFS based networking. A Windows client connects to this resource to obtain the list of
in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
resources that are available on the server. The server responds with the shares and print queues that
are available. In most but not all cases, the connection is made with a <constant>NULL</constant>
username and a <constant>NULL</constant> password.
@ -695,7 +695,7 @@
<para>
<indexterm><primary>account credentials</primary></indexterm>
The two packets examined are material evidence with respect to how Windows clients may
The two packets examined are material evidence of how Windows clients may
interoperate with Samba. Samba requires every connection setup to be authenticated using
valid UNIX account credentials (UID/GID). This means that even a <constant>NULL</constant>
session setup can be established only by automatically mapping it to a valid UNIX
@ -707,8 +707,8 @@
<primary>guest account</primary>
</indexterm>
<indexterm><primary>nobody</primary></indexterm>
Samba has a special name for the <constant>NULL</constant>, or empty, user account.
It calls that the <smbconfoption name="guest account"/>. The
Samba has a special name for the <constant>NULL</constant>, or empty, user account:
it calls it the <smbconfoption name="guest account"/>. The
default value of this parameter is <constant>nobody</constant>; however, this can be
changed to map the function of the guest account to any other UNIX identity. Some
UNIX administrators prefer to map this account to the system default anonymous
@ -730,7 +730,7 @@
(<filename>/etc/passwd</filename>), the operation of the <constant>NULL</constant>
account cannot validate and thus connections that utilize the guest account
fail. This breaks all ability to browse the Samba server and is a common
problem reported on the Samba mailing list. A sample User Mode Session Setup AndX
problem reported on the Samba mailing list. A sample User Mode session setup AndX
is shown in <link linkend="userconnect"/>.
</para>
@ -772,20 +772,20 @@
<para>
To complete this exercise, you need a Windows XP Professional client that has been configured as
a Domain Member of either a Samba controlled domain or a Windows NT4 or 200x Active Directory domain.
Here we do not provide details for how to configure this, as full coverage is provided later in this book.
a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
</para>
<procedure>
<title>Steps to Explore Windows XP Pro Connection Set-up</title>
<step><para>
Start your Domain Controller. Also, start the ethereal monitoring machine, launch ethereal,
Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal,
and then wait for the next step to complete.
</para></step>
<step><para>
Start the Windows XP Client and wait five minutes before proceeding.
Start the Windows XP Client and wait 5 minutes before proceeding.
</para></step>
<step><para>
@ -810,12 +810,12 @@
</para></step>
<step><para>
On the Windows XP Professional client: Press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
On the Windows XP Professional client, press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
up the domain logon screen. Log in using valid credentials for a domain user account.
</para></step>
<step><para>
Now proceed to connect to the Domain Controller as follows:
Now proceed to connect to the domain controller as follows:
<menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>(right-click) My Network Places</guimenuitem>
@ -839,8 +839,8 @@
</para></step>
<step><para>
If desired, the Windows XP Professional client and the Domain Controller are no longer needed for exercises
in this chapter.
If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
in this appendix.
</para></step>
<step><para>
@ -858,7 +858,7 @@
Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
keys. This should reveal that this is a <constant>NULL</constant> session setup packet.
The <constant>User name: NULL</constant> indicates this. An example decode is shown in
The <constant>User name: NULL</constant> so indicates. An example decode is shown in
<link linkend="XPCap01"/>.
</para></step>
@ -874,17 +874,17 @@
Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
keys. This should reveal that this is a <constant>User Mode</constant> session setup packet.
The <constant>User name: jht</constant> indicates this. An example decode is shown in
The <constant>User name: jht</constant> so indicates. An example decode is shown in
<link linkend="XPCap02"/>. In this case the user name was <constant>jht</constant>. This packet
decode includes the <constant>Lan Manager Response:</constant> and the <constant>NTLM Response:</constant>.
The value of these two parameters is the Microsoft encrypted password hashes, respectively, the LanMan
The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
password and then the NT (case-preserving) password hash.
</para></step>
<step><para>
<indexterm><primary>password length</primary></indexterm>
<indexterm><primary>User Mode</primary></indexterm>
The passwords are 24 characters long hexadecimal numbers. This packet confirms that this is a User Mode
The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
session setup packet.
</para></step>
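Review bot: "The values of these two parameters are the Microsoft encrypted password hashes" is not accurate: the Lan Manager Response and NTLM Response fields carry challenge responses computed from the LM and NT hashes together with the server's challenge, not the hashes themselves, which is why the values differ from one session to the next. Suggest "are the LM and NTLM challenge responses, derived respectively from the LanMan and the NT (case-preserving) password hashes". Relatedly, "24-character hexadecimal numbers" should be "24-byte values"; Ethereal displays 24 bytes as 48 hex characters, and 24 is the "password length" the earlier share-mode step asks the reader to observe.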
@ -922,24 +922,23 @@
<title>Conclusions to Exercises</title>
<para>
In summary, the following points have been established in this chapter:
In summary, the following points have been established in this appendix:
</para>
<itemizedlist>
<listitem><para>
When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast
oriented messaging protocols to provide knowledge of network services.
When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
</para></listitem>
<listitem><para>
Network browsing protocols query information stored on Browse Masters that manage
information provided by NetBIOS Name Registrations and by way of on-going Host
Announcements and Workgroup Announcements.
Network browsing protocols query information stored on browse masters that manage
information provided by NetBIOS Name Registrations and by way of ongoing host
announcements and workgroup announcements.
</para></listitem>
<listitem><para>
All Samba servers must be configured with a mechanism for mapping the <constant>NULL-Session</constant>
to a valid but non-privileged UNIX system account.
to a valid but nonprivileged UNIX system account.
</para></listitem>
<listitem><para>
@ -947,8 +946,8 @@
networking operations. Such passwords cannot be provided from the UNIX <filename>/etc/passwd</filename>
database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
use. Samba-2.x permitted such encrypted passwords to be stored in the <constant>smbpasswd</constant>
file or in an LDAP database. Samba-3 permits that use of multiple different <parameter>passdb backend</parameter>
databases, in concurrent deploy. Refer to <emphasis>TOSHARG</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
file or in an LDAP database. Samba-3 permits use of multiple <parameter>passdb backend</parameter>
databases in concurrent deployment. Refer to <emphasis>TOSHARG</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
</para></listitem>
</itemizedlist>
@ -968,7 +967,7 @@
<para>
Those wishing background information regarding NetBIOS name types should refer to
the Microsoft Knowledge Base Article
the Microsoft knowledgebase article
<ulink url="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp">Q102878.</ulink>
</para>
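Review bot: Lowercasing "Microsoft Knowledge Base Article" to "Microsoft knowledgebase article" in this hunk turns a product name into a generic noun; "Knowledge Base" is the proper name of that Microsoft service, so "Microsoft Knowledge Base article" keeps the name while still dropping the capital on "article". The trailing period in the ulink text ("Q102878.") is also inside the link element and so becomes part of the hyperlink; moving it after the closing ulink tag would be cleaner.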
@ -1011,7 +1010,7 @@
<indexterm><primary>DMB</primary></indexterm>
This is a broadcast announcement by which the Windows machine is attempting to
locate a Domain Master Browser (DMB) in the event that it might exist on the network.
Refer to <emphasis>TOSHARG</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing</quote>
Refer to <emphasis>TOSHARG,</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing,</quote>
for details regarding the function of the DMB and its role in network browsing.
</para>
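Review bot: Moving the comma inside the emphasis element in "Refer to <emphasis>TOSHARG,</emphasis> Chapter 9" is inconsistent with the other TOSHARG references in this same patch, which keep the comma outside the element ("Refer to <emphasis>TOSHARG</emphasis>, Chapter 10" and "<emphasis>TOSHARG</emphasis>, Chapter 9, Section 9.5"). The comma-inside rule makes sense for the quote element, but an italicised comma is invisible to the reader and only creates divergent source; pick one convention and apply it to all three.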
@ -1031,9 +1030,9 @@
<para>
<indexterm><primary>Local Master Browser</primary><see>LMB</see></indexterm>
<indexterm><primary>LMB</primary></indexterm>
This name registration records the machine IP addresses of the Local Master Browsers (LMBs).
This name registration records the machine IP addresses of the LMBs.
Network clients can query this name type to obtain a list of browser servers from the
Master Browser.
master browser.
</para>
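Review bot: Replacing "Local Master Browsers (LMBs)" with "the LMBs" removes the only expansion of the abbreviation in this paragraph; the <see>LMB</see> indexterm is not rendered in the running text, so unless LMB is spelled out earlier in the appendix the reader meets the acronym unexplained. Suggest keeping "Local Master Browsers (LMBs)" here, or confirm that the expansion survives at the first use.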
<para>
@ -1048,7 +1047,7 @@
</para></listitem>
<listitem><para>
The IP addresses of all Domain Controllers known for the Domain
The IP addresses of all domain controllers known for the domain
</para></listitem>
<listitem><para>
@ -1080,9 +1079,9 @@
<para>
<indexterm><primary>Browse Master</primary></indexterm>
This name is registered by the Browse Master to broadcast and receive domain announcements.
This name is registered by the browse master to broadcast and receive domain announcements.
Its scope is limited to the local network segment, or subnet. By querying this name type,
Master Browsers on networks that have multiple domains can find the names of Master Browsers
master browsers on networks that have multiple domains can find the names of master browsers
for each domain.
</para>
@ -1101,9 +1100,9 @@
<para>
<indexterm><primary>Browser Election Service</primary></indexterm>
This name is registered by all Browse Masters in a domain or workgroup. The registration
name type is known as the Browser Election Service. Master Browsers register themselves
with this name type so that Domain Master Browsers can locate them to perform cross-subnet
This name is registered by all browse masters in a domain or workgroup. The registration
name type is known as the Browser Election Service. Master browsers register themselves
with this name type so that DMBs can locate them to perform cross-subnet
browse list updates. This name type is also used to initiate elections for Master Browsers.
</para>
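Review bot: The capitalization in this paragraph is now mixed: the edited lines lowercase "browse masters" and "Master browsers", but the unchanged last sentence still reads "initiate elections for Master Browsers". Lowercase that occurrence as well so the paragraph follows the same convention as the rest of the patch.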
@ -1132,7 +1131,7 @@
<para>
It should be noted that the <parameter>guest account</parameter> is essential to
Samba operation. Either the operating system must have an account called <constant>nobody</constant>
or there must be an entry in the &smb.conf; file with a valid UNIX account. For example,
or there must be an entry in the &smb.conf; file with a valid UNIX account, such as
<smbconfoption name="guest account">ftp</smbconfoption>.
</para>
@ -1153,7 +1152,7 @@
<indexterm><primary>WINS</primary></indexterm>
<indexterm><primary>NetBIOS</primary></indexterm>
Yes, there are two ways to do this. The first involves use of WINS (See <emphasis>TOSHARG</emphasis>, Chapter 9,
Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>), the
Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>); the
alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
a correctly configured DNS server (see <emphasis>TOSHARG</emphasis>, Chapter 9, Section 9.3, <quote>Discussion</quote>).
</para>
@ -1191,7 +1190,7 @@
</para>
<para>
First, the use of <filename>/etc/passwd</filename> based plain-text passwords requires that registry
First, the use of <filename>/etc/passwd</filename>-based plain-text passwords requires that registry
modifications be made on all MS Windows client machines to enable plain-text passwords support. This
significantly diminishes the security of MS Windows client operation. Many network administrators
are bitterly opposed to doing this.
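Review bot: The unchanged context line "to enable plain-text passwords support" still has a plural noun used attributively; it should read "plain-text password support", matching the wording the copy edit uses at the start of the same sentence.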
@ -1199,7 +1198,7 @@
<para>
Second, Microsoft has not maintained plain-text password support since the default setting was made
disabling this. When network connections are dropped by the client it is not be possible to re-establish
disabling this. When network connections are dropped by the client, it is not possible to re-establish
the connection automatically. Users need to log off and then log on again. Plain-text password support
may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
environment.
@ -1207,7 +1206,7 @@
<para>
Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
Just create user accounts by running: <command>smbpasswd -a 'username'</command>
Just create user accounts by running <command>smbpasswd -a 'username'</command>
</para>
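Review bot: Dropping the colon before the command leaves the sentence "Just create user accounts by running <command>smbpasswd -a 'username'</command>" with no terminal period after the closing command element; add the full stop (outside the element) so the paragraph ends properly.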
<para>
@ -1243,7 +1242,7 @@
<para>
Is it necessary to specify <smbconfoption name="encrypt passwords">Yes</smbconfoption>
when Samba-3 is configured as a Domain Member?
when Samba-3 is configured as a domain member?
</para>
</question>
@ -1261,7 +1260,7 @@
<para>
Is it necessary to specify a <parameter>guest account</parameter> when Samba-3 is configured
as a Domain Member server?
as a domain member server?
</para>
</question>


@ -2,22 +2,17 @@
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="DomApps">
<title>Integrating Additional Services</title>
<title>Integrating Additional Services</title>
<para><indexterm>
<primary>authentication</primary>
</indexterm><indexterm>
<primary>backends</primary>
</indexterm><indexterm>
<primary>smbpasswd</primary>
</indexterm><indexterm>
<primary>ldapsam</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
</indexterm>
<para>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>backends</primary></indexterm>
<indexterm><primary>smbpasswd</primary></indexterm>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
You've come a long way now. You have pretty much mastered Samba-3 for
most uses it can be put to. Up until now, you have cast Samba-3 in the leading
role and where authentication was required, you have used one or another of
role, and where authentication was required, you have used one or another of
Samba's many authentication backends (from flat text files with smbpasswd
to LDAP directory integration with ldapsam). Now you can design a
solution for a new Abmas business. This business is running Windows Server
@ -39,9 +34,9 @@
<para>
With this acquisition comes new challenges for you and your team. Abmas Snack
Foods is a well-developed business with a huge and heterogeneous network. They
already have Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
The network is mature and well established, and there is no question of their chosen
Foods is a well-developed business with a huge and heterogeneous network. It
already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
The network is mature and well established, and there is no question of its chosen
user authentication scheme being changed for now. You need to take a wise new
approach.
</para>
@ -53,15 +48,11 @@
</para>
<sect2>
<title>Assignment Tasks</title>
<title>Assignment Tasks</title>
<para><indexterm>
<primary>web</primary>
<secondary>proxying</secondary>
</indexterm><indexterm>
<primary>web</primary>
<secondary>caching</secondary>
</indexterm>
<para>
<indexterm><primary>web</primary><secondary>proxying</secondary></indexterm>
<indexterm><primary>web</primary><secondary>caching</secondary></indexterm>
You've promised the skeptical Abmas Snack Foods management team
that you can show them how Samba can ease itself and other Open Source
technologies into their existing infrastructure and deliver sound business
@ -69,34 +60,29 @@
acquisition). You have chosen Web proxying and caching as your proving ground.
</para>
<para><indexterm>
<primary>bandwidth</primary>
</indexterm><indexterm>
<primary>Microsoft ISA</primary>
</indexterm>
Abmas Snack Foods has several thousand users housed at their Head Office
<para>
<indexterm><primary>bandwidth</primary></indexterm>
<indexterm><primary>Microsoft ISA</primary></indexterm>
Abmas Snack Foods has several thousand users housed at its head office
and multiple regional offices, plants, and warehouses. A high proportion of
the business's work is done online, so Internet access for most of these
users is essential. All Internet access, including all of their regional offices,
users is essential. All Internet access, including for all regional offices,
is funneled through the head office and is the job of the (now your) networking
team. The bandwidth requirements were horrific (comparable to a small ISP), and
the team soon discovered proxying and caching. In fact, they became one of
the earliest commercial users of Microsoft ISA.
</para>
<para><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>authenticated</primary>
</indexterm><indexterm>
<primary>proxy</primary>
</indexterm>
<para>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>authenticated</primary></indexterm>
<indexterm><primary>proxy</primary></indexterm>
The team is not happy with ISA. Because it never lived up to its marketing promises,
it under-performed and had reliability problems. You have pounced on the opportunity
it underperformed and had reliability problems. You have pounced on the opportunity
to show what Open Source can do. The one thing they do like, however, is ISA's
integration with Active Directory. They like that their users, once logged on,
are automatically authenticated against the proxy. If your alternative to ISA
can operate completely seamlessly in their Active Directory Domain, it will be
can operate completely seamlessly in their Active Directory domain, it will be
approved.
</para>
@ -109,7 +95,7 @@
</sect1>
<sect1>
<title>Dissection and Discussion</title>
<title>Dissection and Discussion</title>
<para>
The key requirements in this business example are straightforward. You are not required
@ -133,42 +119,26 @@
<sect2>
<title>Technical Issues</title>
<para><indexterm>
<primary>browsing</primary>
</indexterm><indexterm>
<primary>Squid proxy</primary>
</indexterm><indexterm>
<primary>proxy</primary>
</indexterm><indexterm>
<primary>authentication</primary>
</indexterm><indexterm>
<primary>Internet Explorer</primary>
</indexterm><indexterm>
<primary>winbind</primary>
</indexterm><indexterm>
<primary>NTLM</primary>
</indexterm><indexterm>
<primary>NTLM authentication daemon</primary>
</indexterm><indexterm>
<primary>authentication</primary>
</indexterm><indexterm>
<primary>daemon</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>domain</primary>
<secondary>Active Directory</secondary>
</indexterm><indexterm>
<primary>Kerberos</primary>
</indexterm><indexterm>
<primary>token</primary>
</indexterm>
<para>
<indexterm><primary>browsing</primary></indexterm>
<indexterm><primary>Squid proxy</primary></indexterm>
<indexterm><primary>proxy</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>Internet Explorer</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>NTLM</primary></indexterm>
<indexterm><primary>NTLM authentication daemon</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>daemon</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm>
<indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm>
Functionally, the user's Internet Explorer requests a browsing session with the
Squid proxy, for which it offers its AD authentication token. Squid hands off
the authentication request to the Samba-3 authentication helper application
called <command>ntlm_auth</command>. This helper is a hook into winbind, the
Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
against Microsoft Windows Domains, including Active Directory domains. As Active
against Microsoft Windows domains, including Active Directory domains. As Active
Directory authentication is a modified Kerberos authentication, winbind is assisted
in this by local Kerberos 5 libraries configured to check passwords with the Active
Directory server. Once the token has been checked, a browsing session is established.
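Review bot: The reflowed indexterm block registers "authentication" twice in the same paragraph (once after "proxy" and again after "NTLM authentication daemon"), which produces a duplicate index entry; drop one of them. The last line of the block also places the "Kerberos" and "token" indexterms on a single line, unlike every other indexterm in this edit, which gets its own line; split them for consistency with the convention this patch is introducing.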
@ -181,7 +151,7 @@
<itemizedlist>
<listitem><para>
Preparing the necessary environment using pre-configured packages
Preparing the necessary environment using preconfigured packages
</para></listitem>
<listitem><para>
@ -204,7 +174,7 @@
<title>Political Issues</title>
<para>
You are a stranger in a strange land and all eyes are upon you. Some would even like to see
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
solution does everything the old one did, but does it better in every way. Only then
will the entrenched positions consider taking up your new way of doing things on a
@ -218,9 +188,8 @@
<sect1>
<title>Implementation</title>
<para><indexterm>
<primary>Squid</primary>
</indexterm>
<para>
<indexterm><primary>Squid</primary></indexterm>
First, your system needs to be prepared and in a known good state to proceed. This consists
of making sure that everything the system depends on is present and that everything that could
interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
@ -228,18 +197,15 @@
they must be removed.
</para>
<para><indexterm>
<primary>Red Hat Linux</primary>
</indexterm>
<para>
<indexterm><primary>Red Hat Linux</primary></indexterm>
The following packages should be available on your Red Hat Linux system:
</para>
<itemizedlist>
<listitem><para><indexterm>
<primary>krb5</primary>
</indexterm><indexterm>
<primary>Kerberos</primary>
</indexterm>
<listitem><para>
<indexterm><primary>krb5</primary></indexterm>
<indexterm><primary>Kerberos</primary></indexterm>
krb5-libs
</para></listitem>
@ -260,9 +226,8 @@
</para></listitem>
</itemizedlist>
<para><indexterm>
<primary>SUSE Linux</primary>
</indexterm>
<para>
<indexterm><primary>SUSE Linux</primary></indexterm>
In the case of SUSE Linux, these packages are called:
</para>
@ -275,9 +240,8 @@
heimdal-devel
</para></listitem>
<listitem><para><indexterm>
<primary>Heimdal</primary>
</indexterm>
<listitem><para>
<indexterm><primary>Heimdal</primary></indexterm>
heimdal
</para></listitem>
@ -292,45 +256,36 @@
for your Linux system to ensure that the packages are correctly updated.
</para>
<note><para><indexterm>
<primary>MS Windows Server 2003</primary>
</indexterm><indexterm>
<primary>Kerberos</primary>
</indexterm><indexterm>
<primary>MIT</primary>
</indexterm>
If the requirement is for inter-operation with MS Windows Server 2003, it
<note><para>
<indexterm><primary>MS Windows Server 2003</primary></indexterm>
<indexterm><primary>Kerberos</primary></indexterm>
<indexterm><primary>MIT</primary></indexterm>
If the requirement is for interoperation with MS Windows Server 2003, it
will be necessary to ensure that you are using MIT Kerberos version 1.3.1
or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
updating.
</para>
<para><indexterm>
<primary>Heimdal</primary>
</indexterm><indexterm>
<primary>SUSE Enterprise Linux Server</primary>
</indexterm>
<para>
<indexterm><primary>Heimdal</primary></indexterm>
<indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
</para></note>
<sect2 id="ch10-one">
<title>Removal of Pre-existing Conflicting RPMs</title>
<title>Removal of Pre-Existing Conflicting RPMs</title>
<para><indexterm>
<primary>Squid</primary>
</indexterm>
<para>
<indexterm><primary>Squid</primary></indexterm>
If Samba and/or Squid RPMs are installed, they should be updated. You can
build both from source.
</para>
<para><indexterm>
<primary>rpm</primary>
</indexterm><indexterm>
<primary>samba</primary>
</indexterm><indexterm>
<primary>squid</primary>
</indexterm>
<para>
<indexterm><primary>rpm</primary></indexterm>
<indexterm><primary>samba</primary></indexterm>
<indexterm><primary>squid</primary></indexterm>
Locating the packages to be un-installed can be achieved by running:
<screen>
&rootprompt; rpm -qa | grep -i samba
@ -345,110 +300,80 @@
<sect2>
<title>Kerberos Configuration</title>
<para><indexterm>
<primary>Kerberos</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>ADS</primary>
</indexterm><indexterm>
<primary>KDC</primary>
</indexterm>
<para>
<indexterm><primary>Kerberos</primary></indexterm>
<indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>KDC</primary></indexterm>
The systems Kerberos installation must be configured to communicate with
your primary Active Directory server (ADS KDC).
</para>
<para>
Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results,
Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
although the current default Red Hat MIT version 1.2.7 gives acceptable results
unless you are using Windows 2003 servers.
</para>
<para><indexterm>
<primary>MIT</primary>
</indexterm><indexterm>
<primary>Heimdal</primary>
</indexterm><indexterm>
<primary>Kerberos</primary>
</indexterm><indexterm>
<primary>/etc/krb5.conf</primary>
</indexterm><indexterm>
<primary>DNS</primary>
<secondary>SRV records</secondary>
</indexterm><indexterm>
<primary>KDC</primary>
</indexterm><indexterm>
<primary>DNS</primary>
<secondary>lookup</secondary>
</indexterm>
Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an <filename>/etc/krb5.conf</filename>
<para>
<indexterm><primary>MIT</primary></indexterm>
<indexterm><primary>Heimdal</primary></indexterm>
<indexterm><primary>Kerberos</primary></indexterm>
<indexterm><primary>/etc/krb5.conf</primary></indexterm>
<indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm>
<indexterm><primary>KDC</primary></indexterm>
<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename>
file in order to work correctly. All ADS domains automatically create SRV records in the
DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both
MIT and Heimdal, KRB5 libraries default to checking for these records, so they
automatically find the KDCs. In addition, <filename>krb5.conf</filename> only allows
specifying a single KDC, even there if there is more than one. Using the DNS lookup
automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows
specifying only a single KDC, even if there is more than one. Using the DNS lookup
allows the KRB5 libraries to use whichever KDCs are available.
</para>
<procedure>
<title>Kerberos Configuration Steps</title>
<step><para><indexterm>
<primary>krb5.conf</primary>
</indexterm>
<step><para>
<indexterm><primary>krb5.conf</primary></indexterm>
If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file
should be <filename>/etc/krb5.conf</filename>.
</para></step>
<step><para><indexterm>
<primary>Kerberos</primary>
</indexterm><indexterm>
<primary>realm</primary>
</indexterm><indexterm>
<primary>case-sensitive</primary>
</indexterm><indexterm>
<primary>KDC</primary>
</indexterm><indexterm>
<primary>synchronization</primary>
</indexterm><indexterm>
<primary>initial credentials</primary>
</indexterm><indexterm>
<primary>Clock skew</primary>
</indexterm><indexterm>
<primary>NTP</primary>
</indexterm><indexterm>
<primary>DNS</primary>
<secondary>lookup</secondary>
</indexterm><indexterm>
<primary>reverse DNS</primary>
</indexterm><indexterm>
<primary>NetBIOS name </primary>
</indexterm><indexterm>
<primary>/etc/hosts</primary>
</indexterm><indexterm>
<primary>mapping</primary>
</indexterm>
<step><para>
<indexterm><primary>Kerberos</primary></indexterm>
<indexterm><primary>realm</primary></indexterm>
<indexterm><primary>case-sensitive</primary></indexterm>
<indexterm><primary>KDC</primary></indexterm>
<indexterm><primary>synchronization</primary></indexterm>
<indexterm><primary>initial credentials</primary></indexterm>
<indexterm><primary>Clock skew</primary></indexterm>
<indexterm><primary>NTP</primary></indexterm>
<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
<indexterm><primary>reverse DNS</primary></indexterm>
<indexterm><primary>NetBIOS name </primary></indexterm>
<indexterm><primary>/etc/hosts</primary></indexterm>
<indexterm><primary>mapping</primary></indexterm>
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
initial credentials</quote>. Kerberos is picky about time synchronization. The time
according to your participating servers must be within 5 minutes or you get an error
according to your participating servers must be within 5 minutes or you get an error:
<quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
5 minutes). A better solution is to implement NTP throughout your server network.
Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
Also, the name that this reverse lookup maps to must either be the NetBIOS name of
the KDC (i.e., the hostname with no domain attached), or it can alternately be the
the KDC (i.e., the hostname with no domain attached) or the
NetBIOS name followed by the realm. If all else fails, you can add a
<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
when you try to join the realm.
</para></step>
<step><para><indexterm>
<primary>kinit</primary>
</indexterm>
<step><para>
<indexterm><primary>kinit</primary></indexterm>
You are now ready to test your installation by issuing the command:
<screen>
&rootprompt; kinit [USERNAME@REALM]
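Review bot: The version numbers in this hunk no longer agree with the rest of the chapter: the paragraph is changed to "MIT Kerberos version 1.3.4 currently gives the best results" and "neither MIT (1.3.4) nor Heimdal (0.63)", while the note earlier in the chapter still requires "MIT Kerberos version 1.3.1 or later" and "Heimdal 0.6 or later", and the Samba RPM step later says the packages are "linked against MIT KRB5 version 1.3.1". Reconcile these to one stated version; "0.63" in particular looks like a typo, given that the note cites Heimdal 0.6. Two smaller points in unchanged context lines: "The systems Kerberos installation" needs the possessive "system's", and "Since both MIT and Heimdal, KRB5 libraries default" has a stray comma and reads better as "Since both the MIT and Heimdal KRB5 libraries default".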
@ -479,48 +404,40 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
<para><indexterm>
<primary>klist</primary>
</indexterm>
The command:
The command
<screen>
&rootprompt; klist -e
</screen>
shows the Kerberos tickets cached by the system:
shows the Kerberos tickets cached by the system.
</para>
<sect3>
<title>Samba Configuration</title>
<para><indexterm>
<primary>Active Directory</primary>
</indexterm>
Samba must be configured to correctly use Active Directory. Samba-3 must be used, as
this has the necessary components to interface with Active Directory.
<para>
<indexterm><primary>Active Directory</primary></indexterm>
Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
has the necessary components to interface with Active Directory.
</para>
<procedure>
<title>Securing Samba-3 With ADS Support Steps</title>
<step><para><indexterm>
<primary>Red Hat Linux</primary>
</indexterm><indexterm>
<primary>Samba Tea</primary>
</indexterm><indexterm>
<primary>Red Hat Fedora Linux</primary>
</indexterm><indexterm>
<primary>MIT KRB5</primary>
</indexterm><indexterm>
<primary>ntlm_auth</primary>
</indexterm>
<step><para>
<indexterm><primary>Red Hat Linux</primary></indexterm>
<indexterm><primary>Samba Tea</primary></indexterm>
<indexterm><primary>Red Hat Fedora Linux</primary></indexterm>
<indexterm><primary>MIT KRB5</primary></indexterm>
<indexterm><primary>ntlm_auth</primary></indexterm>
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
<ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
</para>
<para><indexterm>
<primary>SerNet</primary>
</indexterm><indexterm>
<primary>RPMs</primary>
</indexterm>
<para>
<indexterm><primary>SerNet</primary></indexterm>
<indexterm><primary>RPMs</primary></indexterm>
The necessary, validated RPM packages for SUSE Linux may be obtained from
the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
is located in Germany. All SerNet RPMs are validated, have the necessary
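Review bot: The indexterm "Samba Tea" is carried over unchanged in this hunk; it is a typo for "Samba Team" and will appear as such in the index. The same step also says the RPMs are "linked against MIT KRB5 version 1.3.1", which should be checked against the 1.3.4 figure now used in the Kerberos Configuration section.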
@ -533,19 +450,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
</para></step>
<step><para><indexterm>
<primary>computer account</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>net</primary>
<secondary>ads</secondary>
<tertiary>join</tertiary>
</indexterm><indexterm>
<primary>Kerberos ticket</primary>
</indexterm><indexterm>
<primary>ticket</primary>
</indexterm>
<step><para>
<indexterm><primary>computer account</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i
<indexterm><primary>Kerberos ticket</primary></indexterm>
<indexterm><primary>ticket</primary></indexterm>
Next you need to create a computer account in the Active Directory.
This sets up the trust relationship needed for other clients to
authenticate to the Samba server with an Active Directory Kerberos ticket.
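Review bot: The line "<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i" has a stray "i" after the closing indexterm tag; since it sits inside the para element it will be rendered as literal text in front of "Next you need to create a computer account". Remove the trailing character.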
@ -556,20 +466,14 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
</screen>
</para></step>
<step><para><indexterm>
<primary>smbd</primary>
</indexterm><indexterm>
<primary>nmbd</primary>
</indexterm><indexterm>
<primary>winbindd</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
</indexterm><indexterm>
<primary>Samba</primary>
</indexterm>
<step><para>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
<indexterm><primary>Samba</primary></indexterm>
Your new Samba binaries must be started in the standard manner as is applicable
to the platform you are running on. Alternately, start your Active Directory
enabled Samba with the following commands:
to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
<screen>
&rootprompt; smbd -D
&rootprompt; nmbd -D
@ -577,19 +481,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
</screen>
</para></step>
<step><para><indexterm>
<primary>winbind</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
<secondary>domain</secondary>
</indexterm><indexterm>
<primary>wbinfo</primary>
</indexterm><indexterm>
<primary>enumerating</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
<secondary>tree</secondary>
</indexterm>
<step><para>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm>
<indexterm><primary>wbinfo</primary></indexterm>
<indexterm><primary>enumerating</primary></indexterm>
<indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm>
We now need to test that Samba is communicating with the Active
Directory domain; most specifically, we want to see whether winbind
is enumerating users and groups. Issue the following commands:
@ -623,11 +520,9 @@ LONDON+DnsUpdateProxy
This enumerates all the groups in your Active Directory tree.
</para></step>
<step><para><indexterm>
<primary>Squid</primary>
</indexterm><indexterm>
<primary>ntlm_auth</primary>
</indexterm>
<step><para>
<indexterm><primary>Squid</primary></indexterm>
<indexterm><primary>ntlm_auth</primary></indexterm>
Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
You may test <command>ntlm_auth</command> with the command:
<screen>
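Review bot: The unchanged line "Squid uses the <command>ntlm_auth</command> helper build with Samba-3" should read "helper built with Samba-3"; the copy edit touched the surrounding indexterms but left this error in place.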
@ -640,23 +535,15 @@ password: XXXXXXXX
</screen>
</para></step>
<step><para><indexterm>
<primary>ntlm_auth</primary>
</indexterm><indexterm>
<primary>authenticate</primary>
</indexterm><indexterm>
<primary>winbind</primary>
</indexterm><indexterm>
<primary>privileged pipe</primary>
</indexterm><indexterm>
<primary>squid</primary>
</indexterm><indexterm>
<primary>chgrp</primary>
</indexterm><indexterm>
<primary>chmod</primary>
</indexterm><indexterm>
<primary>failure</primary>
</indexterm>
<step><para>
<indexterm><primary>ntlm_auth</primary></indexterm>
<indexterm><primary>authenticate</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>privileged pipe</primary></indexterm>
<indexterm><primary>squid</primary></indexterm>
<indexterm><primary>chgrp</primary></indexterm>
<indexterm><primary>chmod</primary></indexterm>
<indexterm><primary>failure</primary></indexterm>
The <command>ntlm_auth</command> helper, when run from a command line as the user
<quote>root</quote>, authenticates against your Active Directory domain (with
the aid of winbind). It manages this by reading from the winbind privileged pipe.
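Review bot: The account name is marked up as <quote>root</quote> here, whereas the Squid Configuration steps in the same file use <constant>nobody</constant> and <constant>squid</constant> for account names; use the constant element for "root" as well so account names are marked up consistently.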
@ -682,13 +569,10 @@ password: XXXXXXXX
<sect3>
<title>NSS Configuration</title>
<para><indexterm>
<primary>NSS</primary>
</indexterm><indexterm>
<primary>winbind</primary>
</indexterm><indexterm>
<primary>authentication</primary>
</indexterm>
<para>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
</para>
@ -735,12 +619,9 @@ group: files winbind
<sect3>
<title>Squid Configuration</title>
<para><indexterm>
<primary>Squid</primary>
</indexterm><indexterm>
<primary>Active Directory</primary>
<secondary>authentication</secondary>
</indexterm>
<para>
<indexterm><primary>Squid</primary></indexterm>
<indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm>
Squid must be configured correctly to interact with the Samba-3
components that handle Active Directory authentication.
</para>
@ -755,30 +636,22 @@ group: files winbind
<procedure>
<title>Squid Configuration Steps</title>
<step><para><indexterm>
<primary>SUSE Linux</primary>
</indexterm><indexterm>
<primary>Squid</primary>
</indexterm><indexterm>
<primary>helper agent</primary>
</indexterm>
<step><para>
<indexterm><primary>SUSE Linux</primary></indexterm>
<indexterm><primary>Squid</primary> </indexterm>
<indexterm><primary>helper agent</primary></indexterm>
If your Linux distribution is SUSE Linux 9, the version of Squid
supplied is already enabled to use the winbind helper agent. You
can, therefore, omit the steps that would build the Squid binary
can therefore omit the steps that would build the Squid binary
programs.
</para></step>
<step><para><indexterm>
<primary>nobody</primary>
</indexterm><indexterm>
<primary>squid</primary>
</indexterm><indexterm>
<primary>rpms</primary>
</indexterm><indexterm>
<primary>/etc/passwd</primary>
</indexterm><indexterm>
<primary>/etc/group</primary>
</indexterm>
<step><para>
<indexterm><primary>nobody</primary></indexterm>
<indexterm><primary>squid</primary></indexterm>
<indexterm><primary>rpms</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/group</primary></indexterm>
Squid, by default, runs as the user <constant>nobody</constant>. You need to
add a system user <constant>squid</constant> and a system group
<constant>squid</constant> if they are not set up already (if the default
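Review bot: the reformatted Squid indexterm in the SUSE Linux step carries a stray space before the closing tag (`<indexterm><primary>Squid</primary> </indexterm>`), unlike every other single-line indexterm introduced by this change; drop the space so the entries stay uniform and the index key is not affected by whitespace handling.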
@ -787,11 +660,9 @@ group: files winbind
and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
</para></step>
<step><para><indexterm>
<primary>permissions</primary>
</indexterm><indexterm>
<primary>chown</primary>
</indexterm>
<step><para>
<indexterm><primary>permissions</primary></indexterm>
<indexterm><primary>chown</primary></indexterm>
You now need to change the permissions on Squid's <constant>var</constant>
directory. Enter the following command:
<screen>
@ -799,11 +670,9 @@ group: files winbind
</screen>
</para></step>
<step><para><indexterm>
<primary>logging</primary>
</indexterm><indexterm>
<primary>Squid</primary>
</indexterm>
<step><para>
<indexterm><primary>logging</primary></indexterm>
<indexterm><primary>Squid</primary></indexterm>
Squid must also have control over its logging. Enter the following commands:
<screen>
&rootprompt; chown -R chown squid:squid /var/log/squid
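Review bot: the first command in the logging step repeats the command name (`chown -R chown squid:squid /var/log/squid`); as written the shell passes `chown` as the owner specification and `squid:squid` as the path, so the command fails and the log directory keeps its old ownership. Suggest `chown -R squid:squid /var/log/squid`, matching the `squid:squid` form used for the var directory in the previous step.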
@ -820,16 +689,14 @@ group: files winbind
</screen>
</para></step>
<step><para><indexterm>
<primary>/etc/squid/squid.conf</primary>
</indexterm>
<step><para>
<indexterm><primary>/etc/squid/squid.conf</primary></indexterm>
The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from
<link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
</para></step>
<step><para><indexterm>
<primary>cache directories</primary>
</indexterm>
<step><para>
<indexterm><primary>cache directories</primary></indexterm>
You must create Squid's cache directories before it may be run. Enter the following command:
<screen>
&rootprompt; squid -z
@ -876,19 +743,12 @@ group: files winbind
<sect2>
<title>Key Points Learned</title>
<para><indexterm>
<primary>Web browsers</primary>
</indexterm><indexterm>
<primary>services</primary>
</indexterm><indexterm>
<primary>authentication protocols</primary>
</indexterm><indexterm>
<primary>Web</primary>
<secondary>proxy</secondary>
<tertiary>access</tertiary>
</indexterm><indexterm>
<primary>NTLMSSP</primary>
</indexterm>
<para>
<indexterm><primary>Web browsers</primary></indexterm>
<indexterm><primary>services</primary></indexterm>
<indexterm><primary>authentication protocols</primary></indexterm>
<indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm>
<indexterm><primary>NTLMSSP</primary></indexterm>
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
Windows clients use, even when accessing traditional services such as Web browsers. Depending
on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
@ -904,15 +764,11 @@ group: files winbind
<sect1>
<title>Questions and Answers</title>
<para><indexterm>
<primary>ntlm_auth</primary>
</indexterm><indexterm>
<primary>SambaXP conference</primary>
</indexterm><indexterm>
<primary>Goettingen</primary>
</indexterm><indexterm>
<primary>Italian</primary>
</indexterm>
<para>
<indexterm><primary>ntlm_auth</primary></indexterm>
<indexterm><primary>SambaXP conference</primary></indexterm>
<indexterm><primary>Goettingen</primary></indexterm>
<indexterm><primary>Italian</primary></indexterm>
The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
<command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the
@ -921,20 +777,20 @@ group: files winbind
<para>
The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000
support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
comments were made with respect to questions regarding the performance of this installation:
</para>
<blockquote><para>
[In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The <quote>almost</quote>
[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote>
part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
</para></blockquote>
<para>
You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory.
You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
</para>
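Review bot: the blockquote is attributed speech from an anonymous source, and this hunk changes its ellipsis from `...` to `. . .`; since the surrounding text presents it as a verbatim comment, either keep the quoted punctuation as received or make the edit clearly typographic (a `&hellip;` entity would do) so the quotation is not silently altered. The `2 GBytes` to `2 GB` change in the preceding paragraph is fine.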
@ -950,57 +806,38 @@ group: files winbind
</question>
<answer>
<para><indexterm>
<secondary>transparent inter-operability</secondary>
</indexterm><indexterm>
<primary>Windows clients</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>services</secondary>
</indexterm><indexterm>
<primary>authentication</primary>
</indexterm><indexterm>
<primary>wrapper</primary>
</indexterm>
<para>
<indexterm><secondary>transparent inter-operability</secondary></indexterm>
<indexterm><primary>Windows clients</primary></indexterm>
<indexterm><primary>network</primary><secondary>services</secondary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>wrapper</primary></indexterm>
To provide transparent interoperability between Windows clients and the network services
that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit
that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
module is basically a wrapper around authentication code from the core of the Samba project.
</para>
<para><indexterm>
<primary>plain-text</primary>
</indexterm><indexterm>
<primary>authentication</primary>
<secondary>plain-text</secondary>
</indexterm><indexterm>
<primary>Web</primary>
<secondary>proxy</secondary>
</indexterm><indexterm>
<primary>FTP</primary>
<secondary>proxy</secondary>
</indexterm><indexterm>
<primary>NTLMSSP</primary>
</indexterm><indexterm>
<primary>logon credentials</primary>
</indexterm><indexterm>
<primary>Windows explorer</primary>
</indexterm><indexterm>
<primary>Internet Information Server</primary>
</indexterm><indexterm>
<primary>Apache Web server</primary>
</indexterm>
<para>
<indexterm><primary>plain-text</primary></indexterm>
<indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm>
<indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm>
<indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm>
<indexterm><primary>NTLMSSP</primary></indexterm>
<indexterm><primary>logon credentials</primary></indexterm>
<indexterm><primary>Windows explorer</primary></indexterm>
<indexterm><primary>Internet Information Server</primary></indexterm>
<indexterm><primary>Apache Web server</primary></indexterm>
The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP
protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
the user being interrupted via his/her Windows logon credentials. This facility is available with
MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
the user being interrupted via his or her Windows logon credentials. This facility is available with
MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
There are a few open source initiatives to provide support for these protocols in the Apache Web server
also.
</para>
<para><indexterm>
<primary>wrapper</primary>
</indexterm>
<para>
<indexterm><primary>wrapper</primary></indexterm>
The short answer is that by adding a wrapper around key authentication components of Samba, other
projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
</para>
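Review bot: the first indexterm of this answer has a `<secondary>` with no `<primary>` (`<indexterm><secondary>transparent inter-operability</secondary></indexterm>`); DocBook requires a primary, and the old multi-line form had the same defect, so since the line is being rewritten anyway this is the moment to add one (for example `<primary>interoperability</primary>`) or drop the entry. The index spelling `inter-operability` also disagrees with `interoperability` used in the paragraph text two lines later.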
@ -1018,45 +855,33 @@ group: files winbind
</question>
<answer>
<para><indexterm>
<primary>winbindd</primary>
</indexterm><indexterm>
<primary>Identity resolver</primary>
</indexterm><indexterm>
<primary>daemon</primary>
</indexterm><indexterm>
<primary>smbd</primary>
</indexterm><indexterm>
<primary>file and print server</primary>
</indexterm>
<para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>Identity resolver</primary></indexterm>
<indexterm><primary>daemon</primary></indexterm>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>file and print server</primary></indexterm>
Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
<command>nmbd</command>, and the Identity resolver daemon, <command>winbindd</command>.
<command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>.
</para>
<para><indexterm>
<primary>SMB/CIFS</primary>
</indexterm><indexterm>
<primary>smbclient</primary>
</indexterm>
<para>
<indexterm><primary>SMB/CIFS</primary></indexterm>
<indexterm><primary>smbclient</primary></indexterm>
Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
</para>
<para><indexterm>
<primary>modules</primary>
</indexterm><indexterm>
<primary>utilities</primary>
</indexterm><indexterm>
<primary>validation</primary>
</indexterm><indexterm>
<primary>inter-operability</primary>
</indexterm><indexterm>
<primary>authentication</primary>
</indexterm>
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
<para>
<indexterm><primary>modules</primary></indexterm>
<indexterm><primary>utilities</primary></indexterm>
<indexterm><primary>validation</primary></indexterm>
<indexterm><primary>inter-operability</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
server products).
</para>
@ -1075,7 +900,7 @@ group: files winbind
<para>
Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
Squid make an external call to <command>ntlm_auth</command> and, therefore, actually incurs a
Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a
little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.

@ -2,18 +2,15 @@
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="HA">
<title>Performance, Reliability, and Availability</title>
<title>Performance, Reliability, and Availability</title>
<para><indexterm>
<primary>performance</primary>
</indexterm><indexterm>
<primary>reliability</primary>
</indexterm><indexterm>
<primary>availability</primary>
</indexterm>
Well, you have reached the chapter before the Appendix. It is customary to attempt
<para>
<indexterm><primary>performance</primary></indexterm>
<indexterm><primary>reliability</primary></indexterm>
<indexterm><primary>availability</primary></indexterm>
Well, you have reached the chapter before the appendix. It is customary to attempt
to wrap up the theme and contents of a book in what is generally regarded as the
chapter that should draw conclusions. This book is a suspense thriller and since
chapter that should draw conclusions. This book is a suspense thriller, and since
the plot of the stories told mostly lead you to bigger, better Samba-3 networking
solutions, it is perhaps appropriate to close this book with a few pertinent comments
regarding some of the things everyone can do to deliver a reliable Samba-3 network.
@ -26,9 +23,8 @@
<sect1>
<title>Introduction</title>
<para><indexterm>
<primary>clustering</primary>
</indexterm>
<para>
<indexterm><primary>clustering</primary></indexterm>
The sparrow is a small bird whose sounds are drowned out by the noise of the busy
world it lives in. Likewise, the simple steps that can be taken to improve the
reliability and availability of a Samba network are often drowned out by the volume
@ -38,13 +34,10 @@
custom tools and methods. Only passing comments are offered concerning these methods.
</para>
<para><indexterm>
<primary>cluster</primary>
</indexterm><indexterm>
<primary>samba cluster</primary>
</indexterm><indexterm>
<primary>scalability</primary>
</indexterm>
<para>
<indexterm><primary>cluster</primary></indexterm>
<indexterm><primary>samba cluster</primary></indexterm>
<indexterm><primary>scalability</primary></indexterm>
<ulink url="http://www.google.com/search?hl=en&amp;lr=&amp;ie=ISO-8859-1&amp;q=samba+cluster&amp;btnG=Google+Search">A search</ulink>
for <quote>samba cluster</quote> produced 71,600 hits. And a search for <quote>highly available samba</quote>
and <quote>highly available windows</quote> produced an amazing number of references.
@ -52,9 +45,8 @@
availability, reliability, and scalability are of vital interest to corporate network users.
</para>
<para><indexterm>
<primary>performance</primary>
</indexterm>
<para>
<indexterm><primary>performance</primary></indexterm>
So without further background, you can review a checklist of simple steps that
can be taken to ensure acceptable network performance while keeping costs of ownership
well under control.
@ -65,11 +57,9 @@
<sect1>
<title>Dissection and Discussion</title>
<para><indexterm>
<primary>simple</primary>
</indexterm><indexterm>
<primary>complexities</primary>
</indexterm>
<para>
<indexterm><primary>simple</primary></indexterm>
<indexterm><primary>complexities</primary></indexterm>
If it is your purpose to get the best mileage out of your Samba servers, there is one rule that
must be obeyed. If you want the best, keep your implementation as simple as possible. You may
well be forced to introduce some complexities, but you should do so only as a last resort.
@ -81,11 +71,9 @@
complex ones.
</para>
<para><indexterm>
<primary>broken behavior</primary>
</indexterm><indexterm>
<primary>poor performance</primary>
</indexterm>
<para>
<indexterm><primary>broken behavior</primary></indexterm>
<indexterm><primary>poor performance</primary></indexterm>
Problems reported by users fall into three categories: configurations that do not work, those
that have broken behavior, and poor performance. The term <emphasis>broken behavior</emphasis>
means that the function of a particular Samba component appears to work sometimes, but not at
@ -95,39 +83,33 @@
and at other times not listing them even though the machines are in use on the network.
</para>
<para><indexterm>
<primary>smbfs</primary>
</indexterm><indexterm>
<primary>smbmnt</primary>
</indexterm><indexterm>
<primary>smbmount</primary>
</indexterm><indexterm>
<primary>smbumnt</primary>
</indexterm><indexterm>
<primary>smbumount</primary>
</indexterm><indexterm>
<primary>front-end</primary>
</indexterm>
<para>
<indexterm><primary>smbfs</primary></indexterm>
<indexterm><primary>smbmnt</primary></indexterm>
<indexterm><primary>smbmount</primary></indexterm>
<indexterm><primary>smbumnt</primary></indexterm>
<indexterm><primary>smbumount</primary></indexterm>
<indexterm><primary>front-end</primary></indexterm>
A significant number of reports concern problems with the <command>smbfs</command> file system
driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that
<command>smbfs</command> is part of Samba, simply because Samba includes the front-end tools
that are used to manage <command>smbfs</command>-based file service connections. So, just
for the record, the tools <command>smbmnt, smbmount, smbumount,</command> and <command>smbumnt</command> are front-end
for the record, the tools <command>smbmnt</command>, <command>smbmount</command>,
<command>smbumount</command>, and <command>smbumnt</command> are front-end
facilities to core drivers that are supplied as part of the Linux kernel. These tools share a
common infrastructure with some Samba components, but they are not maintained as part of
Samba and are really foreign to it.
</para>
<para><indexterm>
<primary>cifsfs</primary>
</indexterm>
<para>
<indexterm><primary>cifsfs</primary></indexterm>
The new project, <command>cifsfs</command>, is destined to replace <command>smbfs</command>.
It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in
this project.
</para>
<para>
The following table lists typical causes of:
Table 13.1 lists typical causes of:
</para>
<itemizedlist>
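Review bot: replacing "The following table" with the literal "Table 13.1" hardcodes a number that changes whenever chapters or tables are reordered; elsewhere in this commit the literal "Chapter 1" and "Chapter 5" were replaced by `<link linkend="..."/>`, so the same approach (an `id` on the `<table>` plus a link or xref) would keep this reference consistent with the rest of the change.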
@ -154,55 +136,55 @@
</thead>
<tbody>
<row>
<entry><para>File Locking</para></entry>
<entry><para>File locking</para></entry>
<entry><para>-</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Hardware Problems</para></entry>
<entry><para>Hardware problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Incorrect Authentication</para></entry>
<entry><para>Incorrect authentication</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Incorrect Configuration</para></entry>
<entry><para>Incorrect configuration</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>LDAP Problems</para></entry>
<entry><para>LDAP problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Name Resolution</para></entry>
<entry><para>Name resolution</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Printing Problems</para></entry>
<entry><para>Printing problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
</row>
<row>
<entry><para>Slow File Transfer</para></entry>
<entry><para>Slow file transfer</para></entry>
<entry><para>-</para></entry>
<entry><para>-</para></entry>
<entry><para>X</para></entry>
</row>
<row>
<entry><para>Winbind Problems</para></entry>
<entry><para>Winbind problems</para></entry>
<entry><para>X</para></entry>
<entry><para>X</para></entry>
<entry><para>-</para></entry>
@ -211,9 +193,8 @@
</tgroup>
</table>
<para><indexterm>
<primary>network hygiene</primary>
</indexterm>
<para>
<indexterm><primary>network hygiene</primary></indexterm>
It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate
problems that affect basic network operation. This book has provided sufficient working examples
to help you to avoid all these problems.
@ -224,11 +205,9 @@
<sect1>
<title>Guidelines for Reliable Samba Operation</title>
<para><indexterm>
<primary>resilient</primary>
</indexterm><indexterm>
<primary>extreme demand</primary>
</indexterm>
<para>
<indexterm><primary>resilient</primary></indexterm>
<indexterm><primary>extreme demand</primary></indexterm>
Your objective is to provide a network that works correctly, can grow at all times, is resilient
at times of extreme demand, and can scale to meet future needs. The following subject areas provide
pointers that can help you today.
@ -239,24 +218,18 @@
<para>
There are three basic current problem areas: bad hostnames, routed networks, and network collisions.
These are covered in the discussion below.
These are covered in the following discussion.
</para>
<sect3>
<title>Bad Hostnames</title>
<para><indexterm>
<primary>DHCP</primary>
<secondary>client</secondary>
</indexterm><indexterm>
<primary>netbios name</primary>
</indexterm><indexterm>
<primary>localhost</primary>
</indexterm><indexterm>
<primary>/etc/hosts</primary>
</indexterm><indexterm>
<primary>NetBIOS</primary>
</indexterm>
<para>
<indexterm><primary>DHCP</primary><secondary>client</secondary></indexterm>
<indexterm><primary>netbios name</primary></indexterm>
<indexterm><primary>localhost</primary></indexterm>
<indexterm><primary>/etc/hosts</primary></indexterm>
<indexterm><primary>NetBIOS</primary></indexterm>
When configured as a DHCP client, a number of Linux distributions set the system hostname
to <constant>localhost</constant>. If the parameter <parameter>netbios name</parameter> is not
specified to something other than <constant>localhost</constant>, the Samba server appears
@ -269,37 +242,29 @@
correctly.
</para>
<para><indexterm>
<primary>digits</primary>
</indexterm>
<para>
<indexterm><primary>digits</primary></indexterm>
A few sites have tried to name Windows clients and Samba servers with a name that begins
with the digits 1-9. This does not work either because it may result in the client or
server attempting to use that name as an IP address.
</para>
<para><indexterm>
<primary>DNS</primary>
<secondary>name lookup</secondary>
</indexterm><indexterm>
<primary>resolve</primary>
</indexterm>
A Samba server called <constant>FRED</constant>, in a NetBIOS Domain called <constant>COLLISION</constant>
in a network environment that is part of the fully qualified Internet domain name space known
as <constant>parrots.com</constant>, results in DNS name lookups for: <constant>fred.parrots.com</constant>
and <constant>collision.parrots.com</constant>. It is, therefore, a mistake to name the Domain
(workgroup) <constant>collision.parrots.com</constant> since this results in DNS lookup
attempts to resolve: <constant>fred.parrots.com.parrots.com</constant>, which most likely
fails given that you probably do not have this in your DNS name space.
<para>
<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
<indexterm><primary>resolve</primary></indexterm>
A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
in a network environment that is part of the fully qualified Internet domain namespace known
as <constant>parrots.com</constant> results in DNS name lookups for <constant>fred.parrots.com</constant>
and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
(workgroup) <constant>collision.parrots.com,</constant> since this results in DNS lookup
attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
fails given that you probably do not have this in your DNS namespace.
</para>
<note><para><indexterm>
<primary>Active Directory</primary>
<secondary>realm</secondary>
</indexterm><indexterm>
<primary>ADS</primary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<note><para>
<indexterm><primary>Active Directory</primary><secondary>realm</secondary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
An Active Directory realm called <constant>collision.parrots.com</constant> is perfectly okay,
although it too must be capable of being resolved via DNS, something that functions correctly
if Windows 200x ADS has been properly installed and configured.
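Review bot: in the parrots.com example the trailing comma has moved inside the markup (`<constant>collision.parrots.com,</constant>`), which renders the comma as part of the domain name the reader is told not to use; move it after `</constant>` as in the surrounding lines.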
@ -310,63 +275,48 @@
<sect3>
<title>Routed Networks</title>
<para><indexterm>
<primary>NetBIOS</primary>
</indexterm><indexterm>
<primary>UDP</primary>
<secondary>broadcast</secondary>
</indexterm><indexterm>
<primary>broadcast</primary>
</indexterm>
<para>
<indexterm><primary>NetBIOS</primary></indexterm>
<indexterm><primary>UDP</primary><secondary>broadcast</secondary></indexterm>
<indexterm><primary>broadcast</primary></indexterm>
NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use
of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1.
of UDP-based broadcast traffic, as you saw during the exercises in <link linkend="primer"/>.
</para>
<para><indexterm>
<primary>routers</primary>
</indexterm><indexterm>
<primary>forwarded</primary>
</indexterm><indexterm>
<primary>multi-subnet</primary>
</indexterm>
<para>
<indexterm><primary>routers</primary></indexterm>
<indexterm><primary>forwarded</primary></indexterm>
<indexterm><primary>multi-subnet</primary></indexterm>
UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based
networking cannot function across routed networks (i.e., multi-subnet networks) unless
special provisions are made:
</para>
<itemizedlist>
<listitem><para><indexterm>
<primary>LMHOSTS</primary>
</indexterm><indexterm>
<primary>remote announce</primary>
</indexterm><indexterm>
<primary>remote browse sync</primary>
</indexterm>
<listitem><para>
<indexterm><primary>LMHOSTS</primary></indexterm>
<indexterm><primary>remote announce</primary></indexterm>
<indexterm><primary>remote browse sync</primary></indexterm>
Either install on every Windows client an LMHOSTS file (located in the directory
<filename>C:\windows\system32\drivers\etc</filename>). It is also necessary to
add to the Samba server &smb.conf; file the parameters: <parameter>remote announce</parameter>
and <parameter>remote browse sync</parameter>. For more information, refer to the on-line
add to the Samba server &smb.conf; file the parameters <parameter>remote announce</parameter>
and <parameter>remote browse sync</parameter>. For more information, refer to the online
manual page for the &smb.conf; file.
</para></listitem>
<listitem><para><indexterm>
<primary>WINS</primary>
<secondary>server</secondary>
</indexterm>
<listitem><para>
<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
Or configure Samba as a WINS server, and configure all network clients to use that
WINS server in their TCP/IP configuration.
</para></listitem>
</itemizedlist>
<note><para><indexterm>
<primary>WINS</primary>
<secondary>name resolution</secondary>
</indexterm><indexterm>
<primary>DNS</primary>
</indexterm>
<note><para>
<indexterm><primary>WINS</primary><secondary>name resolution</secondary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
The use of DNS is not an acceptable substitute for WINS. DNS does not store specific
information regarding NetBIOS networking particulars that does get stored in the WINS
name resolution database, and that Windows clients require and depend on.
information regarding NetBIOS networking particulars that get stored in the WINS
name resolution database and that Windows clients require and depend on.
</para></note>
</sect3>
@ -374,19 +324,12 @@
<sect3>
<title>Network Collisions</title>
<para><indexterm>
<primary>network</primary>
<secondary>collisions</secondary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>timeouts</secondary>
</indexterm><indexterm>
<primary>collision rates</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>load</secondary>
</indexterm>
Excessive network activity causes NetBIOS network time-outs. Time-outs may result in
<para>
<indexterm><primary>network</primary><secondary>collisions</secondary></indexterm>
<indexterm><primary>network</primary><secondary>timeouts</secondary></indexterm>
<indexterm><primary>collision rates</primary></indexterm>
<indexterm><primary>network</primary><secondary>load</secondary></indexterm>
Excessive network activity causes NetBIOS network timeouts. Timeouts may result in
blue screen of death (BSOD) experiences. High collision rates may be caused by excessive
UDP broadcast activity, by defective networking hardware, or through excessive network
loads (another way of saying that the network is poorly designed).
@ -394,23 +337,20 @@
<para>
The use of WINS is highly recommended to reduce network broadcast traffic, as outlined
in Chapter 1.
in <link linkend="primer"/>.
</para>
<para><indexterm>
<primary>netbios forwarding</primary>
</indexterm><indexterm>
<primary>broadcast storms</primary>
</indexterm><indexterm>
<primary>performance</primary>
</indexterm>
<para>
<indexterm><primary>netbios forwarding</primary></indexterm>
<indexterm><primary>broadcast storms</primary></indexterm>
<indexterm><primary>performance</primary></indexterm>
Under no circumstances should the facility be supported by many routers, known as <constant>NetBIOS
forwarding</constant>, unless you know exactly what you are doing. Inappropriate use of this
facility can result in UDP broadcast storms. In one case in 1999, a university network became
unusable due to this being enabled on all routers. The problem was discovered during performance
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was
less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MBytes/sec.
unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance
testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was
less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance
immediately returned to 11 MB/sec.
</para>
</sect3>
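Review bot: the unit change from `100 MBit/sec` to `100 MB/sec` for a 100-Base-T network is wrong: Fast Ethernet carries 100 megabits per second (roughly 12.5 MB/sec), which is also what makes the `11 MB/sec` file transfer figure two lines later plausible. Keep a bit unit here (for example `100 Mbit/sec`); the `KBytes` to `KB` and `MBytes` to `MB` changes on the other two lines are correct.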
@ -425,20 +365,17 @@
No parameter should be specified unless you know it is essential to operation.
</para>
<para><indexterm>
<primary>document the settings</primary>
</indexterm><indexterm>
<primary>documented</primary>
</indexterm><indexterm>
<primary>optimized</primary>
</indexterm>
<para>
<indexterm><primary>document the settings</primary></indexterm>
<indexterm><primary>documented</primary></indexterm>
<indexterm><primary>optimized</primary></indexterm>
Many UNIX administrators like to fully document the settings in the &smb.conf; file. This is a
bad idea because it adds content to the file. The &smb.conf; file is re-read by every <command>smbd</command>
process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so).
process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so).
</para>
<para>
As the size of the &smb.conf; file grows the risk of introduction of parsing errors increases also.
As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also.
It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
with an optimized file.
</para>
@ -471,9 +408,7 @@ Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
</screen>
<indexterm>
<primary>fatal problem</primary>
</indexterm>
<indexterm><primary>fatal problem</primary></indexterm>
You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C.
The important thing to note is the noted Server role, as well as warning messages. Noted configuration
conflicts must be remedied before proceeding. For example, the following error message represents a
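Review bot: the unchanged context line `The important thing to note is the noted Server role, as well as warning messages.` is tautological ("note ... the noted"); since this is a copy-edit pass, suggest `The important things to note are the reported server role and any warning messages.` The indexterm collapse above it is fine.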
@ -484,50 +419,38 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
</screen>
</para>
<para><indexterm>
<primary>performance degradation</primary>
</indexterm><indexterm>
<primary>socket options</primary>
</indexterm><indexterm>
<primary>socket address</primary>
</indexterm>
There are two parameters that can cause severe network performance degradation, <parameter>socket options</parameter>
<para>
<indexterm><primary>performance degradation</primary></indexterm>
<indexterm><primary>socket options</primary></indexterm>
<indexterm><primary>socket address</primary></indexterm>
There are two parameters that can cause severe network performance degradation: <parameter>socket options</parameter>
and <parameter>socket address</parameter>. The <parameter>socket options</parameter> parameter was often necessary
when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from
this parameter being set. Do not use either parameter unless it has been proven necessary to use them.
</para>
<para><indexterm>
<primary>strict sync</primary>
</indexterm><indexterm>
<primary>sync always</primary>
</indexterm><indexterm>
<primary>severely degrade</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>performance</secondary>
</indexterm>
<para>
<indexterm><primary>strict sync</primary></indexterm>
<indexterm><primary>sync always</primary></indexterm>
<indexterm><primary>severely degrade</primary></indexterm>
<indexterm><primary>network</primary><secondary>performance</secondary></indexterm>
Another &smb.conf; parameter that may cause severe network performance degradation is the
<parameter>strict sync</parameter> parameter. Do not use this at all. There is no good reason
to use this with any modern Windows client. The <parameter>strict sync</parameter> is often
used together with the <parameter>sync always</parameter> parameter. This, too, can severely
degrade network performance, so do not set it or if you must, do so with caution.
used with the <parameter>sync always</parameter> parameter. This, too, can severely
degrade network performance, so do not set it; if you must, do so with caution.
</para>
<para><indexterm>
<primary>opportunistic locking</primary>
</indexterm><indexterm>
<primary>file caching</primary>
</indexterm><indexterm>
<primary>caching</primary>
</indexterm><indexterm>
<primary>oplocks</primary>
</indexterm>
<para>
<indexterm><primary>opportunistic locking</primary></indexterm>
<indexterm><primary>file caching</primary></indexterm>
<indexterm><primary>caching</primary></indexterm>
<indexterm><primary>oplocks</primary></indexterm>
Finally, many network administrators deliberately disable opportunistic locking support. While this
does not degrade Samba performance, it significantly degrades Windows client performance because
this disables local file caching on Windows clients and forces every file read and written to
invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking)
support, do so on the share on which it is required only. That way, all other shares can provide
support, do so only on the share on which it is required. That way, all other shares can provide
oplock support for operations that are tolerant of it. See <link linkend="ch12dblck"/> for more
information.
</para>
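Review bot: in the socket options paragraph the unchanged sentence `Do not use either parameter unless it has been proven necessary to use them.` mixes singular `either ... it` with plural `them`; suggest `Do not use either parameter unless it has been proven necessary.` The colon after `degradation`, the semicolon in `do not set it; if you must`, and the reordered `do so only on the share on which it is required` all read well.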
@ -537,33 +460,26 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Use and Location of BDCs</title>
<para><indexterm>
<primary>BDC</primary>
</indexterm><indexterm>
<primary>PDC</primary>
</indexterm><indexterm>
<primary>routed network</primary>
</indexterm><indexterm>
<primary>wide-area network</primary>
</indexterm><indexterm>
<primary>network segment</primary>
</indexterm>
<para>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>routed network</primary></indexterm>
<indexterm><primary>wide-area network</primary></indexterm>
<indexterm><primary>network segment</primary></indexterm>
On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon
processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of
authentication and logon processing. When a sole BDC on a routed network segment gets heavily
loaded, it is possible that network logon requests and authentication requests may be directed
to a BDC on a distant network segment. This significantly hinders wide-area network operations
to a BDC on a distant network segment. This significantly hinders WAN operations
and is undesirable.
</para>
<para><indexterm>
<primary>Domain Member</primary>
</indexterm><indexterm>
<primary>Domain Controller</primary>
</indexterm>
As a general guide, instead of adding Domain Member servers to a network, you would be better advised
<para>
<indexterm><primary>Domain Member</primary></indexterm>
<indexterm><primary>Domain Controller</primary></indexterm>
As a general guide, instead of adding domain member servers to a network, you would be better advised
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
Domain Member servers. This practice ensures that there is always sufficient Domain Controllers
domain member servers. This practice ensures that there is always sufficient domain controllers
to handle logon requests and authentication traffic.
</para>
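Review bot: the edited line `This practice ensures that there is always sufficient domain controllers` still carries a number-agreement error; it should read `there are always sufficient domain controllers`. This hunk also introduces the abbreviation `WAN` for `wide-area network` while the indexterm on the same paragraph keeps `wide-area network` and a later section title keeps `Wide-Area Bandwidth`; confirm that WAN is expanded at its first use in the chapter.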
@ -574,7 +490,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<para>
Every network client has its own peculiarities. From a management perspective, it is easier to deal
with one version of MS Windows that is maintained to a consistent update level, than it is to deal
with one version of MS Windows that is maintained to a consistent update level than it is to deal
with a mixture of clients.
</para>
@ -587,23 +503,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
</sect2>
<sect2>
<title>For Scalability, Use SAN Based Storage on Samba Servers</title>
<title>For Scalability, Use SAN-Based Storage on Samba Servers</title>
<para><indexterm>
<primary>SAN</primary>
</indexterm><indexterm>
<primary>synchronization</primary>
</indexterm>
<para>
<indexterm><primary>SAN</primary></indexterm>
<indexterm><primary>synchronization</primary></indexterm>
Many SAN-based storage systems permit more than one server to share a common data store.
Use of a shared SAN data store means that you do not need to use time- and resource-hungry data
synchronization techniques.
</para>
<para><indexterm>
<primary>load distribution</primary>
</indexterm><indexterm>
<primary>clustering</primary>
</indexterm>
<para>
<indexterm><primary>load distribution</primary></indexterm>
<indexterm><primary>clustering</primary></indexterm>
The use of a collection of relatively low-cost front-end Samba servers that are coupled to
a shared backend SAN data store permits load distribution while containing costs below that
of installing and managing a complex clustering facility.
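Review bot: the unchanged lines mix `front-end Samba servers` and `shared backend SAN data store` in a single sentence; pick one hyphenation convention (the indexterm uses `front-end`, and the MSDFS section below standardizes on `backend`).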
@ -614,23 +526,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Distribute Network Load with MSDFS</title>
<para><indexterm>
<primary>MSDFS</primary>
</indexterm><indexterm>
<primary>distributed</primary>
</indexterm>
<para>
<indexterm><primary>MSDFS</primary></indexterm>
<indexterm><primary>distributed</primary></indexterm>
Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits
data to be accessed from a single share and yet to actually be distributed across multiple actual
servers. Refer to <emphasis>TOSHARG</emphasis>, Chapter 16, for information regarding implementation of an MSDFS installation.
servers. Refer to <emphasis>TOSHARG</emphasis>, Chapter 19, for information regarding
implementation of an MSDFS installation.
</para>
<para><indexterm>
<primary>front-end</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>MSDFS</primary>
</indexterm>
The combination of multiple back end servers together with a front-end server and use of MSDFS
<para>
<indexterm><primary>front-end</primary><secondary>server</secondary></indexterm>
<indexterm><primary>MSDFS</primary></indexterm>
The combination of multiple backend servers together with a front-end server and use of MSDFS
can achieve almost the same as you would obtain with a clustered Samba server.
</para>
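Review bot: `Chapter 16` to `Chapter 19` hard-codes another book's chapter number in prose, which is exactly the kind of cross-reference this commit replaces with `<link linkend="..."/>` elsewhere. A linkend is not available across books, so suggest citing the TOSHARG chapter by title (the MSDFS chapter) alongside the number so the reference survives the next renumbering.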
@ -639,16 +547,13 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth</title>
<para><indexterm>
<primary>replicate</primary>
</indexterm><indexterm>
<primary>rsync</primary>
</indexterm><indexterm>
<primary>wide-area network</primary>
</indexterm>
Consider using <command>rsync</command> to replicate data across the wide-area network during times
<para>
<indexterm><primary>replicate</primary></indexterm>
<indexterm><primary>rsync</primary></indexterm>
<indexterm><primary>wide-area network</primary></indexterm>
Consider using <command>rsync</command> to replicate data across the WAN during times
of low utilization. Users can then access the replicated data store rather than needing to do so
across the wide-area network. This works best for read-only data, but with careful planning can be
across the WAN. This works best for read-only data, but with careful planning can be
implemented so that modified files get replicated back to the point of origin. Be careful with your
implementation if you choose to permit modification and return replication of the modified file;
otherwise, you may inadvertently overwrite important data.
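Review bot: the replication paragraph still leaves `with careful planning` undefined for the two-way case. rsync is a one-way copy with no conflict detection, so a file modified at both ends between runs is silently replaced by whichever copy is transferred last; suggest saying that explicitly, since it is the concrete mechanism behind `you may inadvertently overwrite important data` and tells the reader what the planning has to prevent.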
@ -659,48 +564,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<sect2>
<title>Hardware Problems</title>
<para><indexterm>
<primary>hardware prices</primary>
</indexterm><indexterm>
<primary>hardware problems</primary>
</indexterm><indexterm>
<primary>NICs</primary>
</indexterm><indexterm>
<primary>defective</primary>
<secondary>HUBs</secondary>
</indexterm><indexterm>
<primary>defective</primary>
<secondary>switches</secondary>
</indexterm><indexterm>
<primary>defective</primary>
<secondary>cables</secondary>
</indexterm>
Networking hardware prices have fallen sharply over the past five years. A surprising number
<para>
<indexterm><primary>hardware prices</primary></indexterm>
<indexterm><primary>hardware problems</primary></indexterm>
<indexterm><primary>NICs</primary></indexterm>
<indexterm><primary>defective</primary><secondary>HUBs</secondary></indexterm>
<indexterm><primary>defective</primary><secondary>switches</secondary></indexterm>
<indexterm><primary>defective</primary><secondary>cables</secondary></indexterm>
Networking hardware prices have fallen sharply over the past 5 years. A surprising number
of Samba networking problems over this time have been traced to defective network interface
cards (NICs) or defective HUBs, switches, and cables.
</para>
<para><indexterm>
<primary>corrective action</primary>
</indexterm>
<para>
<indexterm><primary>corrective action</primary></indexterm>
Not surprising is the fact that network administrators do not like to be shown to have made
a bad decision. Money saved in buying low-cost hardware may result in high costs incurred
in corrective action.
</para>
<para><indexterm>
<primary>intermittent</primary>
</indexterm><indexterm>
<primary>data corruption</primary>
</indexterm><indexterm>
<primary>slow network</primary>
</indexterm><indexterm>
<primary>low performance</primary>
</indexterm><indexterm>
<primary>data integrity</primary>
</indexterm>
<para>
<indexterm><primary>intermittent</primary></indexterm>
<indexterm><primary>data corruption</primary></indexterm>
<indexterm><primary>slow network</primary></indexterm>
<indexterm><primary>low performance</primary></indexterm>
<indexterm><primary>data integrity</primary></indexterm>
Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent
or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD)
or persistent data corruption, slow network throughput, low performance, or even as BSOD
problems with MS Windows clients. In one case, a company updated several workstations with newer, faster
Windows client machines that triggered problems during logon as well as data integrity problems on
an older PC that was unaffected so long as the new machines were kept shut down.
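Review bot: two edits in the hardware paragraph go the wrong way for a copy edit: `five years` to `5 years` replaces a spelled-out small number with a numeral, and dropping `blue-screen-of-death (BSOD)` in favour of bare `BSOD` removes what looks like the abbreviation's only expansion in this chapter. Also `HUBs`, both in the text and in the `<secondary>HUBs</secondary>` indexterm, is not an acronym and should be `hubs`.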
@ -710,9 +600,8 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
Defective hardware problems may take patience and persistence before the real cause can be discovered.
</para>
<para><indexterm>
<primary>RAID controllers</primary>
</indexterm>
<para>
<indexterm><primary>RAID controllers</primary></indexterm>
Networking hardware defects can significantly impact perceived Samba performance, but defective
RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server
operations. One business came to this realization only after replacing a Samba installation with MS
@ -738,11 +627,10 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
her an even break.
</para>
<para><indexterm>
<primary>assumptions</primary>
</indexterm>
Last, but not least, you should not only keep the network design simple, but it should
be well documented. This book may serve as your pattern for documenting every
<para>
<indexterm><primary>assumptions</primary></indexterm>
Last, but not least, you should not only keep the network design simple, but also be sure it is
well documented. This book may serve as your pattern for documenting every
aspect of your design, its implementation, and particularly the objects and assumptions
that underlie it.
</para>
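Review bot: `the objects and assumptions that underlie it` in the unchanged context line looks like a typo for `objectives`; worth checking with the author while this paragraph is being edited. The new `not only keep ... but also be sure it is well documented` is not parallel; `not only keep the network design simple but also document it well` would be.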

View File

@ -57,17 +57,17 @@
interesting portfolio of companies that includes accounting services, financial advice, investment
portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an
interesting business growth and development plan. Abmas Video Rentals has been recently acquired.
During the time that the acquisition was closing, the Video Rentals business upgraded their Windows
interesting business growth and development plan. Abmas Video Rentals was recently acquired.
During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
NT4-based network to Windows 2003 Server and Active Directory.
</para>
<para><indexterm>
<primary>Active Directory</primary>
</indexterm>
Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory.
The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform.
Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to
You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
operate with a solution that is viewed by Christine and her group as <quote>an island of broken
technologies.</quote> This comment was made by one of Christine's staff as they were installing a new
Samba-3 server at the new business.
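Review bot: the unchanged context line `the recent addition of a a video rental business` has a doubled article that this copy-edit pass missed. The switch from `Bob Jordan has been accepting` to `You have accepted` changes the narrative voice of the chapter and needs to be carried through consistently; the later email salutation and the Assignment Tasks paragraph in this same file still mix Bob, the reader and the consultant.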
@ -122,7 +122,7 @@
</indexterm><indexterm>
<primary>off-site storage</primary>
</indexterm>
User and Group accounts, and respective privileges, have been well thought out. File system shares are
User and group accounts, and respective privileges, have been well thought out. File system shares are
appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
effective off-site storage practices are considered to exceed industry norms.
</para>
@ -154,7 +154,7 @@
stored on the Linux system. We are alarmed that secure information is accessible to staff who should
not even be aware that it exists. We share the concerns of your network management staff who have gone
to great lengths to set fine-grained controls that limit information access to those who need access.
It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work.
It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
</para>
<para><indexterm>
@ -185,12 +185,12 @@
</indexterm><indexterm>
<primary>trusted computing</primary>
</indexterm>
In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of
Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
... what worries us regarding Samba is the need to disable essential Windows security features such as
secure channel support, digital sign'n'seal on all communication traffic, running Active Directory in
secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in
mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that
Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
with trusted computing initiatives that the Samba developers do not participate in.
</para>
@ -230,13 +230,13 @@
</indexterm><indexterm>
<primary>independent expert</primary>
</indexterm>
This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple
discussion, but it gets further out of hand. When he returns to his office, he finds the following
email in his in-box:
This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple
discussion, but it gets further out of hand. When you return to your office, you find the following
email in your in-box:
</para>
<para>
Bob,
Good afternoon,
</para>
<blockquote><attribution>Stan</attribution><para>
@ -282,7 +282,7 @@
will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
use of any centrally proposed standards, but make all non-compliance the financial responsibility of the
use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
</para></blockquote>
@ -290,9 +290,9 @@
<title>Assignment Tasks</title>
<para>
Bob agreed with Stan's recommendations and has hired your services to help defuse the powder
keg. Your task is to answer each of the issues raised with a tractable answer. You must be able
to support your claims, keep emotions to a side, and answer technically.
You agreed with Stan's recommendations and hired a consultant to help defuse the powder
keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
to support his or her claims, keep emotions to a side, and answer technically.
</para>
</sect2>
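Review bot: rewriting `Bob agreed with Stan's recommendations and has hired your services` as `You agreed ... and hired a consultant` conflicts with the section title `Assignment Tasks`: elsewhere the reader carries out the assignment, and the following text (`No one is pounding your door to make you use Samba`, `your decision to use Samba`) addresses the reader as the decision maker rather than the consultant. Either keep the reader as the consultant or rename the section; `his or her claims` could then simply become `the claims`.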
@ -316,9 +316,9 @@
</indexterm><indexterm>
<primary>employment</primary>
</indexterm>
Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to
make or reject. It is likely that your decision to use Samba can benefit your company more than
anyone else. The Samba Team obviously believes that the Samba software is a worthy choice.
Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
make or reject. It is likely that your decision to use Samba can greatly benefit your company.
The Samba Team obviously believes that the Samba software is a worthy choice.
If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire
someone to help manage your Samba installation, you can create income and employment. Alternately,
money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
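Review bot: `No one is pounding your door` supplies the missing verb, but the idiom is `pounding on your door`. In the unchanged context, `Alternately` means "by turns"; `Alternatively` is the intended word.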
@ -353,8 +353,8 @@
<primary>broken</primary>
</indexterm>
It would be foolish to adopt a technology that might put any data or users at risk. Security affects
everyone. The Samba Team are fully cognizant of the responsibility they have to their users.
The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything
everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
The Samba documentation clearly reveals that full responsibility is accepted to fix anything
that is broken.
</para>
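Review bot: `The Samba Team are` to `The Samba-Team is` fixes the verb agreement but introduces a hyphenated `Samba-Team` that appears nowhere else in this file (`The Samba Team` is used in the Samba-4, roadmap and ADS paragraphs below); keep `The Samba Team is`. With the singular verb, `the responsibility they have to their users` should also become `it has to its users`.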
@ -404,8 +404,8 @@
</indexterm><indexterm>
<primary>vendor</primary>
</indexterm>
The real issues that a consumer (like you) needs answered is what is the way of escape from technical
problems and how long will it take? The average problem turnaround time in the Open Source community is
The real issues that a consumer (like you) needs answered are What is the way of escape from technical
problems, and how long will it take? The average problem turnaround time in the Open Source community is
approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
industry? What happens when your commercial vendor decides to cease providing support?
</para>
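Review bot: `needs answered are What is the way of escape` capitalizes `What` mid-sentence with no punctuation before it; either introduce the questions with a colon (`are: What is the way of escape ...`) or lowercase `what`. `needs` should also be `need` to agree with `issues`.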
@ -426,7 +426,7 @@
<secondary>problem</secondary>
</indexterm>
Open Source software at least puts you in possession of the source code. This means that when
all else fails, you can hire a programmer to solve/fix the problem.
all else fails, you can hire a programmer to solve the problem.
</para>
<sect2>
@ -463,8 +463,8 @@
<primary>shares</primary>
</indexterm>
Windows network administrators may be dismayed to find that <command>winbind</command>
exposes all Domain users so that they may use their Domain account credentials to
log onto a UNIX/Linux system. The fact that all users in the Domain can see the
exposes all domain users so that they may use their domain account credentials to
log onto a UNIX/Linux system. The fact that all users in the domain can see the
UNIX/Linux server in their Network Neighborhood and can browse the shares on the
server seems to excite them further.
</para>
@ -478,10 +478,10 @@
</indexterm><indexterm>
<primary>unknown</primary>
</indexterm>
<command>winbind</command> provides for the UNIX/Linux Domain Member server or
<command>winbind</command> provides for the UNIX/Linux domain member server or
client, the same as one would obtain by adding a Microsoft Windows server or
client to the Domain. The real objection is the fact that Samba is not MS Windows
and, therefore, requires handling a little differently from the familiar Windows systems.
client to the domain. The real objection is the fact that Samba is not MS Windows
and therefore requires handling a little differently from the familiar Windows systems.
One must recognize fear of the unknown.
</para>
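Review bot: `<command>winbind</command> provides for the UNIX/Linux domain member server or client, the same as one would obtain` is still awkward after the case changes; suggest `provides the UNIX/Linux domain member server or client with the same facilities one would obtain by adding a Microsoft Windows server or client to the domain`.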
@ -526,7 +526,7 @@
</indexterm><indexterm>
<primary>access controls</primary>
</indexterm>
Where Samba and the ADS Domain account information obtained through the use of
Where Samba and the ADS domain account information obtained through the use of
<command>winbind</command> permits access, by browsing or by the drive mapping to
a share, to data that should be better protected. This can only happen when security
controls have not been properly implemented. Samba permits access controls to be set
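Review bot: the paragraph beginning `Where Samba and the ADS domain account information obtained through the use of winbind permits access ... to data that should be better protected.` is a sentence fragment (a `Where` clause with no main clause), and lowercasing `Domain` did not address it. Suggest `Samba and the ADS domain account information obtained through winbind may permit access, by browsing or by mapping a drive to a share, to data that should be better protected. This can only happen when security controls have not been properly implemented.`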
@ -537,7 +537,7 @@
<listitem><para>Shares themselves (i.e., the logical share itself)</para></listitem>
<listitem><para>The share definition in &smb.conf;</para></listitem>
<listitem><para>The shared directories and files using UNIX permissions</para></listitem>
<listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is Posix enabled</para></listitem>
<listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is POSIX enabled</para></listitem>
</itemizedlist>
<para>
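Review bot: `if the file system is POSIX enabled` remains ambiguous after the capitalization fix, since every UNIX file system is POSIX in the general sense; the list item is about Windows 2000 ACLs, which Samba maps onto POSIX ACLs, so `if the file system supports POSIX ACLs` states the actual precondition. The first item, `Shares themselves (i.e., the logical share itself)`, is redundant; either phrasing alone suffices.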
@ -608,7 +608,7 @@
<primary>weakness</primary>
</indexterm>
The report that is critical of Samba really ought to have exercised greater due
diligence, as the real weakness is on the side of a Microsoft Windows environment.
diligence: the real weakness is on the side of a Microsoft Windows environment.
</para></listitem>
</varlistentry>
@ -617,7 +617,7 @@
<listitem><para><indexterm>
<primary>defects</primary>
</indexterm>
Samba has been designed in such a manner that weaknesses inherent in the design of
Samba is designed in such a manner that weaknesses inherent in the design of
Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
system in any way. All software has potential defects, and Samba is no exception.
What matters more is how defects that are discovered get dealt with.
@ -656,7 +656,7 @@
<primary>turn-around time</primary>
</indexterm>
The report condemns Samba for releasing updates and security fixes, yet Microsoft
on-line updates need to be applied almost weekly. The answer to the criticism made
online updates need to be applied almost weekly. The answer to the criticism
lies in the fact that Samba development is continuing, documentation is improving,
user needs are being increasingly met or exceeded, and security updates are issued
with a short turnaround time.
@ -676,10 +676,10 @@
</indexterm>
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
complete rewrite to permit extensive modularization and to prepare Samba for new
functionality planned for addition during the next generation series. The Samba Team
is responsible and can be depended upon; the history to date would suggest a high
degree of dependability as well as on charter development consistent with published
road-map projections.
functionality planned for addition during the next-generation series. The Samba Team
is responsible and can be depended upon; the history to date suggests a high
degree of dependability as well on charter development consistent with published
roadmap projections.
</para>
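Review bot: `a high degree of dependability as well on charter development` lost the second `as` in the edit; the original `as well as on charter development` was correct. Separately, `The release of Samba-4 is expected around late 2004 to early 2005` reads as a prediction whose date is at or past the time of this edit; confirm it before the chapter ships so the book does not carry a stale forecast.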
<para><indexterm>
@ -719,12 +719,12 @@
</indexterm><indexterm>
<primary>digital sign'n'seal</primary>
</indexterm>
The report correctly mentions the fact that Samba did not support the most recent
The report correctly mentions that Samba did not support the most recent
<constant>schannel</constant> and <constant>digital sign'n'seal</constant> features
of Microsoft Windows NT/200x/XPPro products. This is one of the key features
of the Samba-3 release. Market research reports take so long to generate that they are
seldom a reflection of current practice, and in many respects reports are like a
pathology report &smbmdash; they reflect accurately (at best) status at a snap-shot in time.
pathology report &smbmdash; they reflect accurately (at best) status at a snapshot in time.
Meanwhile, the world moves on.
</para>
@ -746,11 +746,11 @@
<primary>secure networking</primary>
</indexterm>
It should be pointed out that had clear public specifications for the protocols
been published, it would have been much easier to implement this and would have
been published, it would have been much easier to implement these features and would have
taken less time to do. The sole mechanism used to find an algorithm that is compatible
with the methods used by Microsoft has been based on observation of network traffic
and trial-and-error implementation of potential techniques. The real value of public
and defensible standards is obvious to all, and would have enabled more secure networking
and defensible standards is obvious to all and would have enabled more secure networking
for everyone.
</para>
@ -766,8 +766,8 @@
<ulink url="http://support.microsoft.com/default.aspx?kbid=321733">acknowledged</ulink>
and for which a fix was provided. In fact,
<ulink url="http://www.tangent-systems.com/support/delayedwrite.html">Tangent Systems</ulink>
appears even today<footnote>January 2004</footnote> to not be sure that the problem has been resolved.
So it is evident that some delay in release of new functionality may have
appears even today<footnote>January 2004</footnote> to be unsure whether the problem has been resolved,
it is evident that some delay in release of new functionality may have
fortuitous consequences.
</para>
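Review bot: the rewrite produces a comma splice: `In fact, Tangent Systems appears even today to be unsure whether the problem has been resolved, it is evident that some delay ...`. Keep the original sentence break (`... has been resolved. So it is evident that some delay ...`) or join the clauses with a lowercase conjunction (`..., so it is evident ...`).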
@ -795,7 +795,7 @@
and working together to help define open and publicly refereed standards. The
development of closed source, proprietary methods that are developed in a
clandestine framework of secrecy, under claims of digital rights protection, does
not favor the diffusion of safe networking protocols, and certainly does not
not favor the diffusion of safe networking protocols and certainly does not
help the consumer to make a better choice.
</para></listitem>
</varlistentry>
@ -817,7 +817,7 @@
<literallayout> </literallayout>
The Microsoft networking protocols extensively make use of remote procedure call (RPC)
technology. Active Directory is not a simple mixture of LDAP and Kerberos together
with file and print services, but rather is a complex intertwined implementation
with file and print services, but rather is a complex, intertwined implementation
of them that uses RPCs that are not supported by any of these component technologies
and yet by which they are made to interoperate in ways that the components do not
support.
@ -841,7 +841,7 @@
overall support for all project maintainers to work together on the complex
challenge of developing and integrating the necessary technologies. Therefore, if
the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
into the Samba project, this dream request can not become a reality.
into the Samba project, this dream request cannot become a reality.
</para>
<para><indexterm>
@ -859,7 +859,7 @@
At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
anytime soon. Ergo, ADS server support is not a current goal for Samba development.
The Samba Team is most committed to permitting Samba to be a full ADS Domain member
The Samba Team is most committed to permitting Samba to be a full ADS domain member
that is increasingly capable of being managed using Microsoft Windows MMC tools.
</para></listitem>
</varlistentry>
@ -877,8 +877,8 @@
</indexterm>
Kerberos is a network authentication protocol that provides secure authentication for
client-server applications by using secret-key cryptography. Firewalls are an insufficient
barrier mechanism in todays networking world as at best they only restrict incoming network
traffic but can not prevent network traffic that comes from authorized locations from
barrier mechanism in todays networking world; at best they only restrict incoming network
traffic but cannot prevent network traffic that comes from authorized locations from
performing unauthorized activities.
</para>
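Review bot: "todays" on the rewritten line ("in todays networking world; at best") still lacks its apostrophe and should read "today's networking world". Since this line is already being touched by the copy edit, the fix belongs in the same hunk.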
@ -911,7 +911,7 @@
Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
server) that is trusted by all the entities on the network (users and services, usually called
principals). All principals share a secret password (or key) with the kerberos server and this
enables principals to verify that the messages from the kerberos server are authentic. Thus
enables principals to verify that the messages from the kerberos server are authentic. Therefore,
trusting the kerberos server, users and services can authenticate each other.
</para>
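Review bot: "kerberos server" is written in lowercase three times in this hunk (including on the rewritten line), while the surrounding text in this commit consistently capitalizes "Kerberos". Capitalize it here as well, e.g. "the Kerberos server", so the proper name is spelled one way throughout the section.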
@ -922,12 +922,12 @@
</indexterm><indexterm>
<primary>Heimdal Kerberos</primary>
</indexterm>
Kerberos was until recently a technology that was restricted from being exported from the United States.
For many years that hindered global adoption of more secure networking technologies both within the USA
as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
Kerberos was, until recently, a technology that was restricted from being exported from the United States.
For many years that hindered global adoption of more secure networking technologies both within the United States
and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos.
It is likely that there will be a significant surge forward in the development of Kerberos enabled applications
In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
and in the general deployment and use of Kerberos across the spectrum of the information technology industry.
</para>
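Review bot: "A free an unencumbered implementation" on the rewritten line still reads "an" where "and" is meant; it should be "A free and unencumbered implementation". The affiliation on the following unchanged line, "University of Paderborn, Sweden", should also be verified, since Paderborn is a city in Germany, not Sweden.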
@ -936,7 +936,7 @@
<secondary>interoperability</secondary>
</indexterm>
A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
of it. For example, a 2002 new report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
of it. For example, a 2002 report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink>
states:
</para>
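Review bot: "Microsofts' implementation" in the first context line has the apostrophe on the wrong side of the s and should be "Microsoft's implementation". The adjacent line is already being edited, so this is worth folding into the same hunk.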
@ -965,11 +965,11 @@
<primary>RPC</primary>
</indexterm>
It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability, in
particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability
issue goes far deeper than this. In the Domain control protocols that are used by MS Windows XP Professional
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability
issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
(DCE) remote procedure calls (RPCs) that themselves are an integral part of the SMB/CIFS protocols as used by
(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
Microsoft.
</para>
@ -1027,8 +1027,8 @@
</indexterm><indexterm>
<primary>account</primary>
</indexterm>
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
account (on Samba Domains, this is usually the account called <constant>root</constant>).
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <constant>root</constant>).
</para></step>
<step><para>
@ -1060,7 +1060,7 @@
</indexterm>
In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect
the change made. For example, if the server you are administering is called <constant>FRODO</constant>,
the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>.
the Computer Management entry should now say <guimenu>Computer Management (FRODO)</guimenu>.
</para></step>
<step><para>
@ -1094,7 +1094,7 @@
<primary>rejected</primary>
</indexterm>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that Everyone should be rejected but one particular group should
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
set for the permitted group.
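Review bot: lowercasing "Everyone" on the changed line turns the name of the Windows built-in group into a generic pronoun, yet the very next line still refers to "the group <constant>Everyone</constant>". Keep the capitalized group name, ideally with the same markup ("decided that <constant>Everyone</constant> should be rejected"), otherwise the catch-22 the paragraph describes no longer reads as a statement about group membership.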
@ -1125,10 +1125,10 @@
</indexterm><indexterm>
<primary>privileges</primary>
</indexterm>
Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a
check-point can be used to require someone who wants to get through to meet certain requirements, so
Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
checkpoint can be used to require someone who wants to get through to meet certain requirements, so
it is possible to require the user (or group the user belongs to) to meet specified credential-related
objectives. It can be likened to a pile-driver by overriding default controls, in that having met the
objectives. It can be likened to a pile-driver by overriding default controls in that having met the
credential-related objectives, the user can be granted powers and privileges that would not normally be
available under default settings.
</para>
@ -1142,25 +1142,25 @@
</indexterm><indexterm>
<primary>hierarchy of control</primary>
</indexterm>
It must be emphasized that the controls here discussed can act as a filter, or give rights of passage,
that act as a super-structure over normal directory and file access controls. However, share level
ACLs act at a higher level than to share definition controls because the user must filter through the
share level controls to get to the share definition controls. The proper hierarchy of controls implemented
It must be emphasized that the controls here discussed can act as a filter or give rights of passage
that act as a superstructure over normal directory and file access controls. However, share-level
ACLs act at a higher level than do share definition controls because the user must filter through the
share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
by Samba and Windows networking consists of:
</para>
<orderedlist>
<listitem><para>Share Level ACLs</para></listitem>
<listitem><para>Share Definition Controls</para></listitem>
<listitem><para>Directory and File Permissions</para></listitem>
<listitem><para>Directory and File Posix ACLs</para></listitem>
<listitem><para>Share-level ACLs</para></listitem>
<listitem><para>Share-definition controls</para></listitem>
<listitem><para>Directory and file permissions</para></listitem>
<listitem><para>Directory and file POSIX ACLs</para></listitem>
</orderedlist>
<sect3>
<title>Check-point Controls</title>
<title>Checkpoint Controls</title>
<para><indexterm>
<primary>Check-point Controls</primary>
<primary>Checkpoint Controls</primary>
</indexterm>
Consider the following extract from a &smb.conf; file defining the share called <constant>Apps</constant>:
<screen>
@ -1186,8 +1186,8 @@
</indexterm><indexterm>
<primary>delimiter</primary>
</indexterm>
On Domain Member servers and clients, even when the <parameter>winbind use default domain</parameter> has
been specified, the use of Domain accounts in security controls requires fully qualified Domain specification,
On domain member servers and clients, even when the <parameter>winbind use default domain</parameter> has
been specified, the use of domain accounts in security controls requires fully qualified domain specification,
for example, <smbconfoption name="valid users">@"MEGANET\Northern Engineers"</smbconfoption>.
Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
delimiter.
@ -1211,8 +1211,8 @@
<primary>share definition controls</primary>
</indexterm>
Consider another example. In this case, you want to permit all members of the group <constant>Employees</constant>
to access the <constant>Apps</constant> share, except the user <constant>patrickj</constant>. This can be
easily achieved by setting a share level ACL permitting only <constant>Employees</constant> to access the share,
except the user <constant>patrickj</constant> to access the <constant>Apps</constant> share. This can be
easily achieved by setting a share-level ACL permitting only <constant>Employees</constant> to access the share,
and then in the share definition controls excluding just <constant>patrickj</constant>. Here is how that might
be done:
<screen>
@ -1225,7 +1225,7 @@
<indexterm>
<primary>permissions</primary>
</indexterm>
Let us assume that you want to permit the user <constant>gbshaw</constant>, to manage any file in the
Let us assume that you want to permit the user <constant>gbshaw</constant> to manage any file in the
UNIX/Linux file system directory <filename>/data/apps</filename>, but you do not want to grant any write
permissions beyond that directory tree. Here is one way this can be done:
<screen>
@ -1243,13 +1243,13 @@
the group <constant>Doctors</constant>, excluding the user <constant>patrickj</constant>, to have
read-only privilege, but the user <constant>gbshaw</constant> is granted administrative rights.
The administrative rights conferred upon the user <constant>gbshaw</constant> permit operation as
if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system, and thus
for access to the directory tree that has been shared (exported) permit the user to override controls
if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system and thus,
for access to the directory tree that has been shared (exported), permit the user to override controls
that apply to all other users on that resource.
</para>
<para>
There are additional check-point controls that may be used. For example, if for the same share we now
There are additional checkpoint controls that may be used. For example, if for the same share we now
want to provide the user <constant>peters</constant> with the ability to write to one directory to
which he has write privilege in the UNIX file system, you can specifically permit that with the
following settings:
@ -1266,8 +1266,8 @@
<primary>check-point controls</primary>
</indexterm>
This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
You should refer to the on-line manual page for the &smb.conf; file for more information regarding
the check-point controls that Samba implements.
You should refer to the online manual page for the &smb.conf; file for more information regarding
the checkpoint controls that Samba implements.
</para>
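Review bot: the unchanged context at the top of this hunk still carries <indexterm><primary>check-point controls</primary>, while the prose below it is changed to "checkpoint controls" and the section title and its index entry elsewhere in this commit now read "Checkpoint Controls". Update this indexterm to the new spelling too, otherwise the generated index will split the topic across two entries.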
</sect3>
@ -1280,7 +1280,7 @@
</indexterm>
Override controls implemented by Samba permit actions like the adoption of a different identity
during file system operations, the forced overwriting of normal file and directory permissions,
and so on. You should refer to the on-line manual page for the &smb.conf; file for more information regarding
and so on. You should refer to the online manual page for the &smb.conf; file for more information regarding
the override controls that Samba implements.
</para>
@ -1305,9 +1305,9 @@
That is all there is to it. Well, it is almost that simple. The downside of this method is that
users are logged onto the Windows client as themselves, and then immediately before accessing the
file, Samba makes system calls to change the effective user and group to the forced settings
specified, completes the file transaction, and then reverts to the actually logged on identity.
This imposes significant overhead on Samba. The alternative way that effectively the same result
can be achieved (but with lower system CPU overheads) is described next.
specified, completes the file transaction, and then reverts to the actually logged-on identity.
This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
(but with lower system CPU overheads) is described next.
</para>
<para><indexterm>
@ -1322,10 +1322,10 @@
</indexterm><indexterm>
<primary>performance degradation</primary>
</indexterm>
The use of the <parameter>force user</parameter>, or the <parameter>force group</parameter>, may
also have a severe impact on system (and in particular Windows client) performance. If opportunistic
The use of the <parameter>force user</parameter> or the <parameter>force group</parameter> may
also have a severe impact on system (particularly on Windows client) performance. If opportunistic
locking is enabled on the share (the default), it causes an <constant>oplock break</constant> to be
sent to the client, even if the client has not opened the file. On networks that have high traffic
sent to the client even if the client has not opened the file. On networks that have high traffic
density, or on links that are routed to a remote network segment, <constant>oplock breaks</constant>
can be lost. This results in possible retransmission of the request, or the client may time-out while
waiting for the file system transaction (read or write) to complete. The result can be a profound
@ -1372,7 +1372,7 @@
<orderedlist>
<listitem><para>
A user opens a Work document from a network drive. The file was owned by user <constant>janetp</constant>
and <group>users</group>, and was set read/write enabled for everyone.
and <group>users</group>, and was set read/write-enabled for everyone.
</para></listitem>
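Review bot: "A user opens a Work document" in the unchanged first line looks like a typo for "Word document"; please confirm the intended wording. On the changed line, <group>users</group> is marked up differently from every other account or group name in this passage (for example <constant>janetp</constant> on the line above); unless <group> is an element the Samba DocBook build defines, it should be <constant>users</constant>.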
<listitem><para>
@ -1385,19 +1385,19 @@
<listitem><para>
The file is now owned by the user <constant>billc</constant> and group <constant>doctors</constant>,
and is set read/write by <constant>billc</constant>, read only by <constant>doctors</constant>, and
and is set read/write by <constant>billc</constant>, read-only by <constant>doctors</constant>, and
no access by everyone.
</para></listitem>
<listitem><para>
The original owner can not now access her own file and is <quote>justifiably</quote> upset.
The original owner cannot now access her own file and is <quote>justifiably</quote> upset.
</para></listitem>
</orderedlist>
<para>
There have been many postings over the years that report the same basic problem. Frequently Samba users
want to know when this <quote>bug</quote> will be fixed. The fact is, this is not a bug in Samba at all.
Here is the real sequence of what happens in the case mentioned above.
Here is the real sequence of what happens in this case.
</para>
<para><indexterm>
@ -1423,7 +1423,7 @@
</para>
<para>
The question is: <quote>How can we solve the problem?</quote>
The question is, <quote>How can we solve the problem?</quote>
</para>
<para>
@ -1462,7 +1462,7 @@
<primary>accessible</primary>
</indexterm>
Set the files and directory permissions to be read/write for owner and group, and not accessible
to others (everyone) using the following command:
to others (everyone), using the following command:
<screen>
&rootprompt; chmod ug+rwx,o-rwx /usr/data/finance
</screen>
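Review bot: the prose says "Set the files and directory permissions", but the command shown, chmod ug+rwx,o-rwx /usr/data/finance, applies to that single directory only and not to the files beneath it, and it also grants execute permission rather than just read/write. Either reword the sentence to say that the top-level directory is being set here (with group inheritance for files handled by the SGID step that follows) or show a recursive form with the mode bits actually intended for files, so the command matches what the text claims.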
@ -1471,7 +1471,7 @@
<step><para><indexterm>
<primary>SGID</primary>
</indexterm>
Set the SGID (super-group) bit on all directories from the top down. This means all files
Set the SGID (supergroup) bit on all directories from the top down. This means all files
can be created with the permissions of the group set on the directory. It means all users
who are members of the group <constant>finance</constant> can read and write all files in
the directory. The directory is not readable or writable by anyone who is not in the
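Review bot: "SGID (supergroup)" on the changed line is a wrong expansion: SGID is the set-group-ID bit, and the rest of this paragraph describes exactly that behaviour (files created in the directory take the directory's group). Replace "(supergroup)" with "(set group ID)" rather than merely removing the hyphen from "super-group".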
@ -1509,8 +1509,8 @@
</indexterm><indexterm>
<primary>side effects</primary>
</indexterm>
Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because
of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means
Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
</para>
@ -1525,8 +1525,8 @@
<procedure>
<step><para>
From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator
account (on Samba Domains, this is usually the account called <constant>root</constant>).
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <constant>root</constant>).
</para></step>
<step><para>
@ -1581,7 +1581,7 @@
to edit ACLs using the <constant>Advanced</constant> editing features. Click the
<guimenu>Advanced</guimenu> button. This opens a panel that has four tabs. Only the
functionality under the <constant>Permissions</constant> tab can be utilized with respect
to a Samba Domain server.
to a Samba domain server.
</para></step>
<step><para><indexterm>
@ -1590,7 +1590,7 @@
<primary>permitted group</primary>
</indexterm>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that Everyone should be rejected but one particular group should
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
set for the permitted group.
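Review bot: as in the identical passage earlier in this file, lowercasing "Everyone" on the changed line makes it read as a generic pronoun, while the next line still names the group <constant>Everyone</constant>. Keep the capitalized group name (preferably in <constant> markup) so the sentence is still about membership of that specific group.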
@ -1609,7 +1609,7 @@
<para>
The following alternative method may be used from a Windows workstation. In this example we work
with a Domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
with a domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a
share called <constant>Apps</constant>. The underlying UNIX/Linux share point for this share is
<filename>/data/apps</filename>.
</para>
@ -1630,7 +1630,7 @@
<guimenuitem>Security</guimenuitem>
<guimenuitem>Advanced</guimenuitem>
</menuchoice>. This opens a panel that has four tabs. Only the functionality under the
<constant>Permissions</constant> tab can be utilized in respect to a Samba Domain server.
<constant>Permissions</constant> tab can be utilized for a Samba domain server.
</para></step>
<step><para><indexterm>
@ -1639,7 +1639,7 @@
<primary>over-rule</primary>
</indexterm>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that Everyone should be rejected but one particular group should
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
belong to the group <constant>Everyone</constant>, which therefore overrules any permissions
set for the permitted group.
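Review bot: same point as for the two earlier copies of this paragraph in this file: "everyone" on the changed line should stay as the group name <constant>Everyone</constant>, which the following line still references; the three copies should at least be edited consistently.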
@ -1662,7 +1662,7 @@
<primary>shared resource</primary>
</indexterm>
Yet another alternative method for setting desired security settings on the shared resource files and
directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line
directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
Linux system:
</para>
@ -1678,7 +1678,7 @@
<screen>
&rootprompt; cd /data
</screen>
Retrieve the existing Posix ACLs entry by executing:
Retrieve the existing POSIX ACLs entry by executing:
<screen>
&rootprompt; getfacl apps
# file: apps
@ -1714,7 +1714,7 @@ group:AppsMgrs:rwx
mask::rwx
other::r-x
</screen>
This confirms that the change of Posix ACL permissions has been effective.
This confirms that the change of POSIX ACL permissions has been effective.
</para></step>
<step><para><indexterm>
@ -1728,7 +1728,7 @@ other::r-x
</indexterm><indexterm>
<primary>inheritance</primary>
</indexterm>
It is highly recommend that you should read the on-line manual page for the <command>setfacl</command>
It is highly recommend that you read the online manual page for the <command>setfacl</command>
and <command>getfacl</command> commands. This provides information regarding how to set/read the default
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
of setting <constant>inheritance</constant> properties.
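Review bot: "It is highly recommend that you read" on the changed line still has "recommend" where "recommended" is needed; since the line is being rewritten anyway, make it "It is highly recommended that you read".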
@ -1745,7 +1745,7 @@ other::r-x
<para>
The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
Looking back, this chapter could be broken into two, but it's too late now. It has been done.
The highlights covered are:
The highlights covered are as follows:
</para>
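Review bot: "The mish-mash of issues were thrown together" in the first context line pairs a singular subject with a plural verb and should read "was thrown together". The list introduction two lines down is already being changed, so this can be fixed within the same hunk.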
<itemizedlist>
@ -1760,7 +1760,7 @@ other::r-x
</indexterm>
Winbind honors and does not override account controls set in Active Directory.
This means that password change, logon hours, and so on, are (or soon will be) enforced
by Samba Winbind. At this time, an out-of-hours login is denied and password
by Samba winbind. At this time, an out-of-hours login is denied and password
change is enforced. At this time, if logon hours expire, the user is not forcibly
logged off. That may be implemented at some later date.
</para></listitem>
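Review bot: the changed line lowercases "Samba winbind" while the unchanged first line of the same paragraph has "Winbind honors"; pick one capitalization for the paragraph rather than leaving both forms two lines apart.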
@ -1771,7 +1771,7 @@ other::r-x
<primary>schannel</primary>
</indexterm>
Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
problems acknowledged by Microsoft as having been fixed, but reported by some as still
problems acknowledged by Microsoft as having been fixed but reported by some as still
possibly an open issue.
</para></listitem>
@ -1787,7 +1787,7 @@ other::r-x
The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
Active Directory. The possibility to do this is not planned in the current Samba-3
roadmap. Samba-3 does aim to provide further improvements in interoperability so that
UNIX/Linux systems may be fully integrated into Active Directory Domains.
UNIX/Linux systems may be fully integrated into Active Directory domains.
</para></listitem>
<listitem><para>
@ -1830,7 +1830,7 @@ other::r-x
<primary>registry change</primary>
</indexterm>
No. Samba-3 fully supports <constant>Sign'n'seal</constant> as well as <constant>schannel</constant>
operation. The registry change should not be applied when Samba-3 is used as a Domain Controller.
operation. The registry change should not be applied when Samba-3 is used as a domain controller.
</para>
</answer>
@ -1852,7 +1852,7 @@ other::r-x
Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
and it can function as an Active Directory Domain Member server.
and it can function as an Active Directory domain member server.
</para>
</answer>
@ -1876,7 +1876,7 @@ other::r-x
</indexterm>
No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
as Samba-3 can join a native Windows 2003 Server ADS Domain.
because Samba-3 can join a native Windows 2003 Server ADS domain.
</para>
</answer>
@ -1888,14 +1888,14 @@ other::r-x
<para><indexterm>
<primary>share level access controls</primary>
</indexterm>
Is it safe to set share level access controls in Samba?
Is it safe to set share-level access controls in Samba?
</para>
</question>
<answer>
<para>
Yes. Share level access controls have been supported since early versions of Samba-2. This is
Yes. Share-level access controls have been supported since early versions of Samba-2. This is
very mature technology. Not enough sites make use of this powerful capability, neither on
Windows server or with Samba servers.
</para>
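Review bot: "neither on Windows server or with Samba servers" on the last line of this hunk should be "neither on Windows servers nor with Samba servers" ("neither" takes "nor", and "server" should be plural to match "Samba servers"). It sits two lines below the changed line and is easy to include.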
@ -1928,7 +1928,7 @@ other::r-x
</indexterm>
No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
means of securing shares through share definition controls in the &smb.conf; file. The additional
support for share level ACLs is like frosting on the cake. It adds to security, but is not essential
support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
to it.
</para>
@ -2034,7 +2034,7 @@ other::r-x
Either tool can be used with equal effect. There is no benefit of one over the other, except that
the MMC utility is present on all Windows 200x/XP systems and does not require additional software
to be downloaded and installed. Note that if you want to manage user and group accounts in your
Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which
Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
is provided as part of the <filename>SRVTOOLS.EXE</filename> utility.
</para>
@ -2052,14 +2052,14 @@ other::r-x
<primary>Domain Member server</primary>
</indexterm>
I tried to set <parameter>valid users = @Engineers</parameter>, but it does not work. My Samba
server is an Active Directory Domain Member server. Has this been fixed now?
server is an Active Directory domain member server. Has this been fixed now?
</para>
</question>
<answer>
<para>
The use of this parameter has always required the full specification of the Domain account, for
The use of this parameter has always required the full specification of the domain account, for
example, <parameter>valid users = @"MEGANET2\Domain Admins"</parameter>.
</para>

View File

@ -2875,7 +2875,7 @@ smb: \> q
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
and in the reverse lookup database for the network segment that the printer is to
be located in. Example configuration files for similar zones were presented in Chapter 3,
be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
<link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
</para></step>
@ -3490,8 +3490,8 @@ structuralObjectClass: organizationalUnit
</para>
<para>
You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 21,
Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
You should research the options for logon script implementation by referring to <emphasis>TOSHARG</emphasis>, Chapter 24,
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
</para>

View File

@ -4,8 +4,8 @@
<title>Migrating NT4 Domain to Samba-3</title>
<para>
Ever since Microsoft announced that they are discontinuing support for Windows
NT4, Samba users started to ask for detailed instructions for how to migrate
Ever since Microsoft announced that it was discontinuing support for Windows
NT4, Samba users started to ask for detailed instructions on how to migrate
from NT4 to Samba-3. This chapter provides background information that should
meet these needs.
</para>
@ -22,7 +22,7 @@
<primary>migration</primary>
</indexterm>
Network administrators who want to migrate off a Windows NT4 environment know
one thing with certainty. They feel that NT4 has been abandoned and they want
one thing with certainty. They feel that NT4 has been abandoned, and they want
to update. The desire to get off NT4 and to not adopt Windows 200x and Active
Directory is driven by a mixture of concerns over complexity, cost, fear of
failure, and much more.
@ -33,20 +33,20 @@
<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
The migration from NT4 to Samba-3 can involve a number of factors, including:
The migration from NT4 to Samba-3 can involve a number of factors, including
migration of data to another server, migration of network environment controls
such as group policies, and finally migration of the users, groups, and machine
such as group policies, and migration of the users, groups, and machine
accounts.
</para>
<para>
<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
It should be pointed out now that it is possible to migrate some systems from
Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly
not possible in every case. It is possible to just migrate the Domain accounts
a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
not possible in every case. It is possible to just migrate the domain accounts
to Samba-3 and then to switch machines, but as a hands-off transition, this is more
an exception than the rule. Most systems require some tweaking and adjusting
following migration before an environment that is acceptable for immediate use
the exception than the rule. Most systems require some tweaking after
migration before an environment that is acceptable for immediate use
is obtained.
</para>
@ -57,7 +57,7 @@
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>passdb backend</primary></indexterm>
You are about to migrate an MS Windows NT4 Domain accounts database to
You are about to migrate an MS Windows NT4 domain accounts database to
a Samba-3 server. The Samba-3 server is using a
<parameter>passdb backend</parameter> based on LDAP. The
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
@ -66,7 +66,7 @@
<para>
Your objective is to document the process of migrating user and group accounts
from several NT4 Domains into a single Samba-3 LDAP backend database.
from several NT4 domains into a single Samba-3 LDAP backend database.
</para>
</sect2>
@ -82,9 +82,9 @@
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
<indexterm><primary>SAM</primary></indexterm>
<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
The migration process takes a snap-shot of information that is stored in the
Windows NT4 registry based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 Registry under keys called
The migration process takes a snapshot of information that is stored in the
Windows NT4 registry-based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 registry under keys called
<constant>SAM</constant> and <constant>SECURITY</constant>.
</para>
@ -93,7 +93,7 @@
<indexterm><primary>inoperative</primary></indexterm>
The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
are protected so that you cannot view the contents. If you change the security setting
to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not
to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
do this unless you are willing to render your domain controller inoperative.
</para></warning>
@ -103,7 +103,7 @@
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
that may not be a good idea from an administration perspective. Since the process involves going
through a certain amount of disruptive activity anyhow, why not take this as an opportunity to
through a certain amount of disruptive activity anyhow, why not take this opportunity to
review the structure of the network, how Windows clients are controlled and how they
interact with the network environment.
</para>
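Review bot: The rewritten "why not take this opportunity to review ..." sentence is a question, but the unchanged closing line "interact with the network environment." still ends it with a period; change it to a question mark. The list "how Windows clients are controlled and how they" could also take a comma before "and" to match the serial-comma style applied elsewhere in this edit.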
@ -113,14 +113,14 @@
<indexterm><primary>profiles share</primary></indexterm>
<indexterm><primary>security descriptors</primary></indexterm>
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
have done little to keep the NT4 server environment up-to-date with more recent Windows releases,
have done little to keep the NT4 server environment up to date with more recent Windows releases,
particularly Windows XP Professional. The migration provides opportunity to revise and update
roaming profile deployment as well as folder redirection. Given that you must port the
greater network configuration of this from the old NT4 server to the new Samba-3 server.
Do not forget to validate the security descriptors in the profiles share as well as network logon
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
as a good time to update desktop systems also. In all, the extra effort should constitute no
real disruption to users, rather with due diligence and care should make their network experience
real disruption to users, but rather, with due diligence and care should make their network experience
a much happier one.
</para>
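Review bot: The unchanged lines "Given that you must port the greater network configuration of this from the old NT4 server to the new Samba-3 server." are a fragment with no main clause; this copy-edit pass should fold it into the next sentence, e.g. "Given that you must port the greater network configuration from the old NT4 server to the new Samba-3 server, do not forget to validate the security descriptors ...". The added "but rather, with due diligence and care should make" needs a closing comma: "but rather, with due diligence and care, should make".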
@ -130,12 +130,12 @@
<para>
<indexterm><primary>strategic</primary></indexterm>
<indexterm><primary>active directory</primary></indexterm>
Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic
element. Many sites have asked for instructions regarding merging of multiple different NT4
Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant
Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
element. Many sites have asked for instructions regarding merging of multiple NT4
domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
added value compared with the alternative of migration to Windows Server 200x and Active
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
from a Windows NT4 Domain to a Samba Domain.
from a Windows NT4 domain to a Samba domain.
</para>
<image id="ch8-migration">
@ -146,9 +146,9 @@
<para>
<indexterm><primary>merge</primary></indexterm>
<indexterm><primary>passdb.tdb</primary></indexterm>
If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain,
If you want to merge multiple NT4 domain account databases into one Samba domain,
you must now dump the contents of the first migration and edit it as appropriate. Now clean
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>) or the LDAP database
files. You must start each migration with a new database into which you merge your NT4
domains.
</para>
@ -156,7 +156,7 @@
<para><indexterm>
<primary>dump</primary>
</indexterm>
At this point, you are ready to perform the second migration following the same steps as
At this point, you are ready to perform the second migration, following the same steps as
for the first. In other words, dump the database, edit it, and then you may merge the
dump for the first and second migrations.
</para>
@ -169,8 +169,8 @@
<primary>Domain SID</primary>
</indexterm>
You must be careful. If you choose to migrate to an LDAP backend, your dump file
now contains the full account information, including the Domain SID. The Domain SID for each
of the two NT4 Domains will be different. You must choose one, and change the Domain
now contains the full account information, including the domain SID. The domain SID for each
of the two NT4 domains will be different. You must choose one and change the domain
portion of the account SIDs so that all are the same.
</para>
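Review bot: "change the domain portion of the account SIDs so that all are the same" is only half the job: once both dumps share one domain SID, any two accounts from the two NT4 domains that happened to have the same RID collapse into a single SID, and one user can end up with another user's identity. The paragraph should tell the reader to check the merged dump for duplicate RIDs (and duplicate names, as the FAQ at the end of this file already says for UIDs) before importing it.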
@ -189,12 +189,12 @@
<indexterm><primary>import</primary></indexterm>
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
smbpasswd data file. This automatically strips out all Domain specific information,
such as logon hours, logon machines, logon script, profile path, as well as the Domain SID.
smbpasswd data file. This automatically strips out all domain-specific information,
such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
The resulting file can be easily merged with other migration attempts (each of which must start
with a clean file). It should also be noted that all users that end up in the merged smbpasswd
with a clean file). It should also be noted that all users who end up in the merged smbpasswd
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into
may be exported or imported into either a tdbsam (<filename>passdb.tdb</filename>) or
an LDAP backend.
</para>
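Review bot: The export-to-smbpasswd step should say how to handle the resulting file: the smbpasswd format carries the LM/NT password hashes (the `pdbedit -Lw` listing later in this file shows them in the clear), and these dumps are edited by hand and merged across several migrations, so readers need to keep them root-only (mode 0600) and remove them once imported. Wording: "may be exported or imported into" should just be "may then be imported into".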
@ -210,16 +210,16 @@
<title>Political Issues</title>
<para>
The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3
Domain may be seen by those who had power over them as a loss of prestige or a loss of
power. The imposition of a single Domain may even be seen as a threat. So in migrating and
The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
domain may be seen by those who had power over them as a loss of prestige or a loss of
power. The imposition of a single domain may even be seen as a threat. So in migrating and
merging account databases, be consciously aware of the political fall-out in which you
may find yourself entangled when key staff feel a loss of prestige.
</para>
<para>
The best advice that can be given to those who set out to merge NT4 Domains into one single
Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers
The best advice that can be given to those who set out to merge NT4 domains into a single
Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
greater network interoperability and manageability.
</para>
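Review bot: "fall-out" on the unchanged "political fall-out" line keeps its hyphen while this commit drops the hyphen from "snap-shot", "check-list", "pin-point" and "grid-lock" elsewhere in the file; make it "fallout" for consistency.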
@ -231,25 +231,25 @@
<title>Implementation</title>
<para>
From feedback on the Samba mailing lists it would appear that most Windows NT4 migrations
From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
server. If you contemplate doing this also, please note that the steps that follow in this
server. If you contemplate doing this, please note that the steps that follow in this
chapter assume familiarity with the information that has been previously covered in this
book. The reader is particularly encouraged to be familiar with <link linkend="secure"/>,
book. You are particularly encouraged to be familiar with <link linkend="secure"/>,
<link linkend="Big500users"/> and <link linkend="happy"/>.
</para>
<para>
You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The
We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
collection of parameters are used to effect the addition of accounts into the passdb backend.
</para>
<para>
Before proceeding to NT4 migration using either a tdbsam or ldapsam it is most strongly recommended to
Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
functioning name resolution must be recognized. This applies equally for hostname as for NetBIOS names
functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
</para>
@ -268,9 +268,9 @@
<indexterm><primary>Posix</primary></indexterm>
<indexterm><primary>lower-case</primary></indexterm>
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
Delete all files that should not be migrated. Where possible, change NT Group
Delete all files that should not be migrated. Where possible, change NT group
names so there are no spaces or uppercase characters. This is important if
the target UNIX host insists on Posix compliant all lower-case user and group
the target UNIX host insists on POSIX-compliant all lowercase user and group
names.
</para></listitem>
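Review bot: "Clean up the source NT4 PDC. Delete all accounts ... Delete all files" has the reader destroy data on the production PDC before the migration has been tried, let alone verified. Add a preceding step (or a sentence here) to take a verified backup of the PDC, or at least of its accounts database, so the deletions can be reverted if the vampire run fails. Also, the index entry `<primary>lower-case</primary>` keeps the hyphen that the prose now drops ("lowercase").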
@ -289,7 +289,7 @@
</itemizedlist>
<para>
It may help to use the above outline as a pre-migration check-list.
It may help to use the above outline as a pre-migration checklist.
</para>
<sect2>
@ -299,21 +299,21 @@
In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
to be migrated are shown in <link linkend="NT4DUM"/>. In this example use is made of the
smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
Four scripts are essential to the migration process. There are other scripts that will be required
Four scripts are essential to the migration process. Other scripts will be required
for daily management, but these are not critical to migration. The critical scripts are dependant
on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
must be provided so that the migration process can complete.
</para>
<para>
Verify that you have correctly specified in the &smb.conf; file the scripts, and arguments
that should be passed to them, before attempting to perform the account migration. Note also
Verify that you have correctly specified in the &smb.conf; file the scripts and arguments
that should be passed to them before attempting to perform the account migration. Note also
that the deletion scripts must be commented out during migration. These should be uncommented
following successful migration of the NT4 Domain accounts.
</para>
<warning><para>
Under absolutely no situations should the Samba daemons be started until instructed to do so.
Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
Delete the <filename>/etc/samba/secrets.tdb</filename> file and all Samba control tdb files
before commencing the following configuration steps.
</para></warning>
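Review bot: "dependant" on the unchanged line "The critical scripts are dependant on which passdb backend" is the noun; the adjective is "dependent", which this same commit uses when correcting the NetWare chapter, so fix it here too. In the warning, "Delete the /etc/samba/secrets.tdb file and all Samba control tdb files" should say where those files live and that they are regenerated, because secrets.tdb also holds the server's own domain SID and machine password, and a reader who runs this on a server that is already in production discards that identity.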
@ -372,7 +372,7 @@
<indexterm><primary>smbldap-tools</primary></indexterm>
The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
capability you will need to create your own tool to do this. Alternately, you can search the web
capability, you must create your own tool to do this. Alternately, you can search the Web
to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
in the formal commands provided by Linux distributions (March 2004).
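Review bot: "Alternately" on the rewritten line means "in turns"; the intended sense is "Alternatively". "search the Web to locate a utility called groupmem" could also name the shadow package (which the hunk itself says received the contribution) as the place to look, which is more durable than a web search.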
@ -380,9 +380,8 @@
<note><para>
<indexterm><primary>tdbdump</primary></indexterm>
The <command>tdbdump</command> utility is a utility that you can build from the Samba source
code tree. Not all Linux binary distributions include this tool. If it is missing from your
Linux distribution you will need to build this yourself, or else for-go its use.
The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
Linux distribution, you will need to build this yourself or else forgo its use.
</para></note>
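Review bot: The rewrite joins two source lines into one line of well over 100 columns ("The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux ...") while the rest of this file wraps at roughly 90 columns; rewrap to match. "utility is a utility" is also still redundant: "The tdbdump utility can be built from the Samba source-code tree" reads better.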
<para>
@ -613,8 +612,8 @@ ssl off
<filename>/etc/ldap.conf</filename> file has been configured, when the LDAP server
is started, the process of starting the LDAP server will cause LDAP lookups. This
causes the LDAP server <command>slapd</command> to hang because it finds port 389
open and therefore can not gain exclusive control of it. By commenting these entries
out it is possible to avoid this grid-lock situation and thus the over-all
open and therefore cannot gain exclusive control of it. By commenting these entries
out, it is possible to avoid this gridlock situation and thus the overall
installation and configuration will progress more smoothly.
</para></step>
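Review bot: "gridlock" on the rewritten line is not the term readers will search for; what is described (slapd hanging on the lookups triggered by its own startup) is a deadlock, and "this deadlock" is the standard wording. "these entries" also has no antecedent inside the hunk; naming the /etc/ldap.conf entries that are to be commented out would make the step self-contained.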
@ -663,7 +662,7 @@ rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
</para></step>
<step><para>
Pull the Domain SID from the NT4 Domain that is being migrated as follows:
Pull the domain SID from the NT4 domain that is being migrated as follows:
<screen>
&rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get
Storing SID S-1-5-21-1385457007-882775198-1210191635 \
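Review bot: The server name in `net rpc getsid -S TRANGRESSION` does not match `-S TRANSGRESSION` in the `net rpc info` command of the next hunk; one of them is a typo, and the example as written fails with a name-resolution error. Separately, passing the password inline as `-U Administrator%not24get` leaves it in the shell history and in the process list for the duration of the command; the text could recommend `-U Administrator` alone so that net prompts for it.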
@ -673,7 +672,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
<para>
Another way to obtain the domain SID from the target NT4 domain that is being
migrated to Samba-3 by executing the following:
migrated to Samba-3 is by executing the following:
<screen>
&rootprompt; net rpc info -S TRANSGRESSION
</screen>
@ -689,12 +688,12 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
<indexterm><primary>configure.pl</primary></indexterm>
<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
<indexterm><primary>smbldap-tools</primary></indexterm>
Install the Idealx <command>smbldap-tools</command> software package following
Install the Idealx <command>smbldap-tools</command> software package, following
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
Change into that location, or where ever the scripts have been installed. Execute the
Change into that location, or whereever the scripts have been installed. Execute the
<filename>configure.pl</filename> script to configure the Idealx package for use.
Note: Use the Domain SID obtained from the step above. The following is
Note: Use the domain SID obtained from the step above. The following is
an example configuration session:
<screen>
merlin:/opt/IDEALX/sbin # ./configure.pl
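Review bot: "whereever" on the rewritten line ("Change into that location, or whereever the scripts have been installed") is a new typo for "wherever". "perl scripts" should also be "Perl scripts", since the language name is capitalized.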
@ -781,7 +780,7 @@ writing new configuration file:
</screen>
<indexterm><primary>sambaDomainName</primary></indexterm>
Note that the NT4 domain SID that was previously obtained was entered above. Also,
the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION. This is
the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
the location into which the Idealx smbldap-tools store the next available UID/GID
information. It is also where Samba stores domain specific information such as the
next RID, the SID, and so on.
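Review bot: "domain specific information" on the unchanged line is left unhyphenated while the earlier hunk in this file changes the same phrase to "domain-specific"; hyphenate it here too.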
@ -906,7 +905,7 @@ Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
</screen>
In both cases above the LDAP accounts follow the <quote>+::0:</quote> entry.
In both cases the LDAP accounts follow the <quote>+::0:</quote> entry.
</para></step>
<step><para>
@ -928,7 +927,7 @@ Changing password for root
New password : ********
Retype new password : ********
</screen>
Note: During account migration the Windows Administrator account will not be migrated
Note: During account migration, the Windows Administrator account will not be migrated
to the Samba server.
</para></step>
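Review bot: "the Windows Administrator account will not be migrated to the Samba server" conflicts with the tdbsam example later in this file, where the `pdbedit -Lw` listing begins with an `Administrator:505:...` entry that did come across. If the statement only holds for the LDAP/smbldap-tools setup of this section, say so; otherwise one of the two passages needs correcting.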
@ -959,7 +958,7 @@ Print Operators (S-1-5-32-550) -&gt; Print Operators
Backup Operators (S-1-5-32-551) -&gt; Backup Operators
Replicators (S-1-5-32-552) -> Replicators
</screen>
The above are the expected results for a correctly configured system.
These are the expected results for a correctly configured system.
</para></step>
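Review bot: In the `<screen>` block, the last line `Replicators (S-1-5-32-552) -> Replicators` uses a bare `>` while every other line uses `-&gt;`. A literal `>` is legal in XML character data, so the build will not break, but the mixed escaping invites a later "fix" in the wrong direction; make all lines `-&gt;`, as the rest of the file does.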
<step><para>
@ -1039,14 +1038,14 @@ Guests (S-1-5-32-546) -&gt; Guests
Server Operators (S-1-5-32-549) -&gt; Server Operators
Users (S-1-5-32-545) -&gt; Users
</screen>
It is of vital importance that the domain SID portion of all group
It is of vital importance that the domain SID portions of all group
accounts are identical.
</para></step>
<step><para>
The final responsibility in the migration process is to create identical
shares and printing resources on the new Samba-3 server, copy all data
across, set up privileges and set share and file/directory access controls.
across, set up privileges, and set share and file/directory access controls.
</para></step>
<step><para>
@ -1083,14 +1082,14 @@ Press enter to see a dump of your service definitions
<step><para>
All workstations should function as they did with the old NT4 PDC. All
inter-domain trust accounts should remain in place and fully functional.
interdomain trust accounts should remain in place and fully functional.
All machine accounts and user logon accounts should also function correctly.
</para></step>
<step><para>
The configuration of Samba-3 BDC servers can be accomplished now, or at any
The configuration of Samba-3 BDC servers can be accomplished now or at any
convenient time in the future. Please refer to the carefully detailed process
for doing this that has been outlined in <link linkend="sbehap-bldg1"/>.
for doing so is outlined in <link linkend="sbehap-bldg1"/>.
</para></step>
</procedure>
@ -1202,20 +1201,20 @@ Creating unix group: 'Users'
<title>NT4 Migration Using tdbsam Backend</title>
<para>
In this example, you have chosen to change the Domain name of the NT4 server from
In this example, we change the domain name of the NT4 server from
<constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
of the vampire (migration) tool. This migration process makes use of Linux system tools
(like <command>useradd</command>) to add the accounts that are migrated into the
UNIX/Linux <filename>/etc/passwd</filename>, and <filename>/etc/group</filename>
UNIX/Linux <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
databases. These entries must therefore be present, and correct options specified,
in your &smb.conf; file or else the migration does not work as it should.
in your &smb.conf; file, or else the migration does not work as it should.
</para>
<procedure>
<title>Migration Steps Using tdbsam</title>
<step><para>
Prepare a Samba-3 server precisely per the instructions shown in Chapter 5.
Prepare a Samba-3 server precisely per the instructions shown in <link linkend="Big500users"/>.
Set the workgroup name to <constant>MEGANET</constant>.
</para></step>
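Review bot: "Chapter 5" is resolved here to `<link linkend="Big500users"/>`; since the Implementation section above cites `secure`, `Big500users` and `happy` as three distinct chapters, please verify against the book's chapter order that Big500users is the one containing the server-preparation steps this tdbsam example expects. A wrong linkend does not fail the build; it silently renders the wrong chapter title.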
@ -1295,7 +1294,7 @@ SAM_DELTA_DOMAIN_INFO not handled
<primary>pdbedit</primary>
</indexterm>
At this point, we can validate our migration. Let's look at the accounts
in the form as they would be seen in a smbpasswd file. This achieves that:
in the form in which they are seen in a smbpasswd file. This achieves that:
<screen>
&rootprompt; pdbedit -Lw
Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
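Review bot: The `pdbedit -Lw` listing that follows prints each account's password-hash field verbatim; since readers copy such listings into mailing-list posts and their own documentation, the text should state that these come from the throwaway test domain, or mask the hash columns with XXXX as the FAQ below does for SIDs. Minor: "in a smbpasswd file" reads as "an smbpasswd file", because the name is spoken letter by letter.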
@ -1361,7 +1360,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
<primary>net</primary>
<secondary>group</secondary>
</indexterm>
And this command lists the long names of the groups that have been
The following command lists the long names of the groups that have been
imported (vampired) from the NT4 PDC:
<screen>
&rootprompt; net group -l -Uroot%not24get -Smassive
@ -1408,12 +1407,12 @@ Users Ordinary users
</para></listitem>
<listitem><para>
Multiple NT4 Domains can be merged into a single Samba-3
Domain.
Multiple NT4 domains can be merged into a single Samba-3
domain.
</para></listitem>
<listitem><para>
The net Samba-3 Domain most likely requires some
The net Samba-3 domain most likely requires some
administration and updating before going live.
</para></listitem>
</itemizedlist>
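Review bot: "The net Samba-3 domain" is ambiguous in a book that uses `net` as a command name on nearly every page; "The resulting Samba-3 domain" says what is meant.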
@ -1444,10 +1443,10 @@ Users Ordinary users
<para><indexterm>
<primary>merge</primary>
</indexterm>
This is a recommendation that permits the data from each NT4 Domain to
be kept separate until you are ready to merge them. Also, if you do not do this,
you may find errors due to users or groups from multiple Domains having the
same name, but different SIDs. It is better to permit each migration to complete
This is a recommendation that permits the data from each NT4 domain to
be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
you may find errors due to users or groups from multiple domains having the
same name but different SIDs. It is better to permit each migration to complete
without undue errors and then to handle the merging of vampired data under
proper supervision.
</para>
@ -1461,7 +1460,7 @@ Users Ordinary users
<para><indexterm>
<primary>Domain SID</primary>
</indexterm>
Is it possible to set my Domain SID to anything I like?
Is it possible to set my domain SID to anything I like?
</para>
</question>
@ -1474,12 +1473,12 @@ Users Ordinary users
</indexterm><indexterm>
<primary>Domain SID</primary>
</indexterm>
Yes, so long as the SID you create has the same structure as an auto-generated SID.
Yes, so long as the SID you create has the same structure as an autogenerated SID.
The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
would you really want to create your own SID? I cannot think of a good reason.
You may want to set the SID to one that is already in use somewhere on your network,
but that is a little different from straight out creating your own Domain SID.
but that is a little different from straight out creating your own domain SID.
</para>
</answer>
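Review bot: "where the XXXXXXXXXX can be any number with from 6 to 10 digits" on the unchanged line is both ungrammatical ("with from") and imprecise: each of the three sub-authority fields is an unsigned 32-bit value, so the ceiling is 4294967295 rather than any ten-digit number, and shorter values are valid too. "where each X field is an unsigned 32-bit value written in decimal" would be accurate.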
@ -1506,7 +1505,7 @@ Users Ordinary users
<primary>accounts</primary>
<secondary>Domain</secondary>
</indexterm>
When using a tdbsam passdb backend, why must I have all Domain user and group accounts
When using a tdbsam passdb backend, why must I have all domain user and group accounts
in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
</para>
@ -1534,7 +1533,7 @@ Users Ordinary users
<para>
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
UID of each account is taken together with the account information in the
<filename>/etc/passwd</filename> and both sets of data are used to create the account
<filename>/etc/passwd,</filename> and both sets of data are used to create the account
entry in the LDAP database.
</para>
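Review bot: The comma has been moved inside the element: `<filename>/etc/passwd,</filename>` now renders the comma as part of the file name (monospace, and copied as such). It belongs after the closing tag: `<filename>/etc/passwd</filename>, and both sets of data ...`.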
@ -1566,9 +1565,9 @@ Users Ordinary users
<answer>
<para>
Access validation before attempting to migrate NT4 Domain accounts helps to pin-point
Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
potential problems that may otherwise affect or impede account migration. I am always
mindful of the 4P's of migration &smbmdash; Planning Prevents Poor Performance.
mindful of the 4 P's of migration: Planning Prevents Poor Performance.
</para>
</answer>
@ -1607,11 +1606,11 @@ Users Ordinary users
</indexterm><indexterm>
<primary>tool</primary>
</indexterm>
If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of
If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
accounts that have the same UNIX identifier (UID/GID). This means that you almost
certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
file format and then manually edit all records to ensure that each has a unique UID. Each
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool,
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool
to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
you have migrated before handing over access to a user. After all, too many users with a bad
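Review bot: "to affect a transfer from the smbpasswd file to LDAP" on the unchanged line should be "effect a transfer" (bring it about), as this file already says "effect a migration" in the FAQ on 16-bit UIDs. The edited line drops the comma after "tool" but leaves "imported a number of ways" unchanged; "in a number of ways" is the idiom.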
@ -1630,8 +1629,8 @@ Users Ordinary users
<primary>accounts</primary>
<secondary>machine</secondary>
</indexterm>
I want to change my Domain name after I migrate all accounts from an NT4 Domain to a
Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case?
I want to change my domain name after I migrate all accounts from an NT4 domain to a
Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
</para>
</question>
@ -1646,9 +1645,9 @@ Users Ordinary users
</indexterm><indexterm>
<primary>tattooing</primary>
</indexterm>
I would recommend not. The machine accounts should still work, but there are registry entries
I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid
unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
this tattooing effect.
</para>
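Review bot: "I would recommend not to migrate the machine account" is singular where the question and the next sentence talk about "machine accounts"; make it "the machine accounts". Since the answer already says every workstation must leave and rejoin the renamed domain, it could state plainly that this is why migrating the old accounts gains nothing.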
@ -1661,7 +1660,7 @@ Users Ordinary users
<para><indexterm>
<primary>multiple group mappings</primary>
</indexterm>
After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why?
After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
</para>
</question>
@ -1674,9 +1673,9 @@ Users Ordinary users
</indexterm>
Samba-3 currently does not implement multiple group membership internally. If you use the Windows
NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend,
membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
then multiple group membership is handled through the UNIX groups file. When you dump the user
accounts no group account information is provided. When you edit (change) UIDs and GIDs in each
accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
and <filename>/etc/group</filename> information also. That is where the multiple group information
is most closely at your fingertips.
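Review bot: "the NT4 Domain data" on the unchanged line two lines from the end still has the capital D that this pass lowercases everywhere else ("NT4 Domain User Manager" on the earlier line is a product name and can stay).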
@ -1732,13 +1731,13 @@ Users Ordinary users
</indexterm>
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
groups can contain upper- and lower-case characters, as well as spaces.
Many UNIX system do not permit the use of upper-case characters, and some do not permit the
space character either. A number of systems (i.e., Linux) work fine with both upper-case
groups can contain upper- and lowercase characters, as well as spaces.
Many UNIX system do not permit the use of uppercase characters, and some do not permit the
space character either. A number of systems (i.e., Linux) work fine with both uppercase
and space characters in group names, but the shadow-utils package that provides the group
control functions (<command>groupadd, groupmod, groupdel</command>, and so on) do not permit them.
control functions (<command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>, and so on) do not permit them.
Also, a number of UNIX systems management tools enforce their own particular interpretation
of the Posix standards, and likewise do not permit upper-case or space characters in group
of the POSIX standards and likewise do not permit uppercase or space characters in group
or user account names. You have to experiment with your system to find what its
peculiarities are.
</para>
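Review bot: "Many UNIX system do not permit" on the rewritten line keeps the agreement error: "systems". "(i.e., Linux)" on the next line introduces an example, so it should be "e.g.". Further down, "the shadow-utils package that provides the group control functions (...) do not permit them" has "package" as its subject and needs "does not".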
@ -1762,7 +1761,7 @@ Users Ordinary users
<para>
UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned
you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
Please check this carefully before you attempt to effect a migration using the vampire process.
</para>
@ -1771,9 +1770,9 @@ Users Ordinary users
<primary>Migration speed</primary>
</indexterm>
Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP
to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts
per minute. Migration would obviously go much faster if LDAP mirroring is turned off during the migration.
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
</para>
</answer>

View File

@ -6,12 +6,12 @@
<para>
<indexterm><primary>Novell</primary></indexterm>
<indexterm><primary>SUSE</primary></indexterm>
Novell is a company any seasoned IT manager has to admire. They have become increasingly
Linux-friendly and are emerging out of a deep regression that almost saw the company
Novell is a company any seasoned IT manager has to admire. It has become increasingly
Linux-friendly and is emerging out of a deep regression that almost saw the company
disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
platform of choice to which many older NetWare servers are being migrated.
It will be interesting to see what will become of NetWare over time.
Meanwhile, there can be no denying the fact that Novell is a Linux company.
It will be interesting to see what becomes of NetWare over time.
Meanwhile, there can be no denying that Novell is a Linux company.
</para>
<para>
@ -20,15 +20,15 @@
<indexterm><primary>Gentoo</primary></indexterm>
<indexterm><primary>Mandrake</primary></indexterm>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with
appropriate cognizance that file locations may vary a little; even so the information
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
the knowledge that file locations may vary a little; even so, the information
in this chapter should provide something of value.
</para>
<para>
<indexterm><primary>migration</primary></indexterm>
This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions, and who
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly now helps other administrators to solve thorny Samba migration questions.
</para>
@ -38,33 +38,33 @@
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>Mars_NWE</primary></indexterm>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice is much dependant on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for
of choice is much dependent on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
<command>rsync</command> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments - though probably not
migration will be filled with joyous and challenging moments &smbmdash; though probably not
concurrently.
</para>
<para>
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba based Windows file and print server. This chapter does not pretend
server and onto a Samba-ased Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server, its focus is on migration of data files.
off a NetWare server. Its focus is on migration of data files.
</para>
<para>
This chapter tells its own story, so ride along, ... maybe the information here presented
This chapter tells its own story, so ride along. Maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.
</para>
<para>
File paths have been modified to permit use of RPM packages provided by Novell. In the
original documentation contributed by Misty a the Courier-IMAP package had been built
original documentation contributed by Misty, the Courier-IMAP package had been built
directly from the original source tarball.
</para>
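Review bot: the edited line introduces a typo: "Samba-ased Windows file and print server" should read "Samba-based". While here, the unchanged context line "Martin Stovers' NetWare Emulator" misplaces the apostrophe; the author of Mars_NWE is Martin Stover, so "Martin Stover's NetWare Emulator".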
@ -73,9 +73,9 @@
<para>
<indexterm><primary>Novell</primary></indexterm>
Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had
not received much attention for some years and was much in need of a make-over.
As a brand-new sysadmin to this company, she inherited a very old Novell file server,
Misty Stanley-Jones was recruited by Abmas to administer a network that had
not received much attention for some years and was much in need of a makeover.
As a brand-new sysadmin to this company, she inherited a very old Novell file server
and came with a determination to change things for the better.
</para>
@ -93,7 +93,7 @@
</simplelist>
<para>
The company had outgrown this server several years before and were dealing with
The company had outgrown this server several years before and was dealing with
severe growing pains. Some of the problems experienced were:
</para>
@ -102,7 +102,7 @@
<para>Very slow performance</para>
</listitem>
<listitem>
<para>Available storage hovering around the 5% range.</para>
<para>Available storage hovering around the 5% range</para>
<itemizedlist>
<listitem>
<para>Extremely slow print spooling.</para>
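Review bot: list punctuation is now inconsistent. This hunk drops the trailing period from "Available storage hovering around the 5% range", and the next hunk does the same for "causing backup integrity problems", but the sibling item "Extremely slow print spooling." keeps its period. Either strip that one too or leave all the items as full sentences.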
@ -110,7 +110,7 @@
<listitem>
<para>
Users storing information on their local hard
drives, causing backup integrity problems.
drives, causing backup integrity problems
</para>
</listitem>
</itemizedlist>
@ -119,7 +119,7 @@
<para>
<indexterm><primary>payroll</primary></indexterm>
At one point disk space had filled up to 100% causing the payroll database
At one point disk space had filled up to 100 percent, causing the payroll database
to become corrupt. This caused the accounting department to be down for over
a week and necessitated deployment of another file server. The replacement
server was created with very poor security and design considerations from
@ -135,8 +135,8 @@
configuration files and background will accelerate your learning as you
grapple with a similar migration challenge. Let there be no confusion,
the information presented in this chapter is provided to demonstrate
how Misty dealt with a particular NetWare migration requirement and
it provides an over-all approach to the implementation of a Samba-3
how Misty dealt with a particular NetWare migration requirement, and
it provides an overall approach to the implementation of a Samba-3
environment that is significantly divergent from that presented in
<link linkend="happy"/>.
</para>
@ -144,19 +144,19 @@
<para>
The complete removal of all site-specific information in order to produce
a generic migration solution would rob this chapter of its character.
It should be recognized therefore, that the examples given will require
significant adaptation to suit local needs and thus it is recognized that
there are some gaps in the example files. That is not Misty's fault, it
It should be recognized, therefore, that the examples given require
significant adaptation to suit local needs and thus
there are some gaps in the example files. That is not Misty's fault;it
is the result of treatment given to her files in an attempt to make
the overall information more useful to you.
</para>
<para>
<indexterm><primary>cost-benefit</primary></indexterm>
After presenting a cost-benefit report to management, as well as an estimated
After management reviewed a cost-benefit report as well as an estimated
time-to-completion, approval was given proceed with the solution proposed.
The server was built from purchased components. The total project cost
was $3000. A brief description of the configuration follows:
was $3,000. A brief description of the configuration follows:
</para>
<simplelist>
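Review bot: the edited line "That is not Misty's fault;it" is missing the space after the semicolon. The unchanged line "approval was given proceed with the solution proposed" is also missing a word ("approval was given to proceed"); worth fixing in the same copy-edit pass.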
@ -184,7 +184,7 @@
</simplelist>
<para>
The new system has operated for six months without problems. Over the past months
The new system has operated for 6 months without problems. Over the past months
much attention has been focused on cleaning up desktops and user profiles.
</para>
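Review bot: changing "six months" to "6 months" conflicts with the number style applied later in this same patch, where "between 1 and 2 runnable processes" becomes "between one and two" while "every two hours" becomes "every 2 hours". Pick one rule for small numbers and apply it throughout the chapter.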
@ -199,8 +199,8 @@
<indexterm><primary>e-Directory</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>identity management</primary></indexterm>
A decision to use LDAP was made even though I know nothing about LDAP except that
I had been reading the book <quote>LDAP System Administration</quote>, by Gerald Carter.
A decision to use LDAP was made even though I knew nothing about LDAP except that
I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.
</para>
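Review bot: moving the comma inside the quote element ("LDAP System Administration,</quote>") makes the comma part of the quoted title in the rendered output. For a book title DocBook provides citetitle, which renders the title in italics and keeps the surrounding punctuation outside it; the same applies to the second occurrence in the next hunk.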
@ -209,9 +209,9 @@
<indexterm><primary>database</primary></indexterm>
<indexterm><primary>RPM</primary></indexterm>
<indexterm><primary>tree</primary></indexterm>
Building the LDAP database took a while, and a lot of trial and error. Following
the guidance I obtained from Jerry Carter's book <quote>LDAP System
Administration</quote>, I installed OpenLDAP (from RPM; later I compiled
Building the LDAP database took a while and a lot of trial and error. Following
the guidance I obtained from <quote>LDAP System
Administration,</quote> I installed OpenLDAP (from RPM; later I compiled
a more current version from source) and built my initial LDAP tree.
</para>
@ -228,19 +228,19 @@
<indexterm><primary>IMAP</primary></indexterm>
<indexterm><primary>POP3</primary></indexterm>
<indexterm><primary>SMTP</primary></indexterm>
The first challenge was to create a company white-pages, followed by manually
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
objectclass from the OpenLDAP schemas. The next step was to write a shell script which
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
files on our mail server, and create a LDIF file from which the information could be
files on our mail server and create a LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
</para>
<para>
Given that a decision had been made to use Courier-IMAP the schema <quote>authldap.schema</quote>
from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used this file is named
Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote>
from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
<filename>courier.schema</filename>.
</para>
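Review bot: the comma in "from the Courier-IMAP source, tarball is necessary" is misplaced; it belongs after the introductory clause: "Because a decision was made to use Courier-IMAP, the schema authldap.schema from the Courier-IMAP source tarball is necessary ...". Also, "create a LDIF file" should be "an LDIF file", consistent with "an LDAP client" elsewhere in this patch.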
@ -252,7 +252,7 @@
</para>
<para>
An attempt was made to use the PADL POSIX account migration scripts but I gave up trying to
An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
make them work. Instead, even though it is most inelegant, I wrote a simple script that did
what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>.
@ -287,12 +287,12 @@ done
</example>
<note><para>
<title>Editors' Note</title>
The PADL MigrationTools are recommended for migration of the UNIX account information into
the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
files (or from a name service such as NIS). This too set can be obtained from the <ulink url=
"http://www.padl.com">PADL</ulink> web site.
"http://www.padl.com">PADL Web site</ulink>.
</para></note>
</sect2>
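Review bot: the unchanged lines of this note carry two typos worth fixing while here: "PRCs" should be "RPCs" and "This too set" should be "This tool set". Also, the title is placed inside para (note, para, title) which is not valid DocBook; title must be the first child of note, before para.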
@ -551,7 +551,7 @@ tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
</example>
<para>
The Name Server Switch control file <filename>/etc/nsswitch.conf</filename> has the following contents:
The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents:
<screen>
# /etc/nsswitch.conf
# This file controls the resolve order for system databases.
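Review bot: abbreviating to "NSS" without ever expanding it loses information, and the expansion that was there was itself wrong: NSS is the Name Service Switch (glibc's nsswitch), not the Name Server Switch. Suggest "The Name Service Switch (NSS) control file /etc/nsswitch.conf has the following contents:", which also introduces the abbreviation for later use.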
@ -572,7 +572,7 @@ group: compat ldap
module is shown in <link linkend="sbepu2"/> file.
This works out of the box with the configuration files in this chapter. It
enables you to have no local accounts for users (it is highly advisable
to have a local account for the root user). Traps for the unwary include:
to have a local account for the root user). Traps for the unwary include the following:
</para>
<example id="sbepu2">
@ -626,15 +626,15 @@ session: none
<listitem>
<para>
If fail-over is configured incorrectly weird behavior can occur. For example,
DNS failing to resolve.
If failover is configured incorrectly, weird behavior can occur. For example,
DNS can fail to resolve.
</para>
</listitem>
</itemizedlist>
<para>
I do have two LDAP slave servers configured. That subject is beyond the scope
of this document and steps for implementing it are well-documented.
of this document, and steps for implementing it are well documented.
</para>
<para>
@ -652,15 +652,15 @@ session: none
<para>
<indexterm><primary>white-pages</primary></indexterm>
<indexterm><primary>Windows Address Book</primary></indexterm>
Company-wide White-Pages can be searched using a LDAP client
Companywide white pages can be searched using an LDAP client
such as the one in the Windows Address Book.
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>smbldap-tools</primary></indexterm>
Having gained a solid understanding of LDAP, and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable SAMBA and
Having gained a solid understanding of LDAP and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable Samba and
also installed the latest <command>smbldap-tools</command> from
<ulink url="http://idealx.com">Idealx</ulink>.
</para>
@ -883,21 +883,21 @@ session: none
<indexterm><primary>rsyncd.conf</primary></indexterm>
<indexterm><primary>synchronize</primary></indexterm>
Note: During the process of building the new server, I kept data files
up-to-date with the Novell server via use of <command>rsync</command>.
On a separate system (my workstation in fact) which could be rebooted
up to date with the Novell server via use of <command>rsync</command>.
On a separate system (my workstation in fact), which could be rebooted
whenever necessary, I set up a mount point to the Novell server via
<command>ncpmount</command>. I then created a
<filename>rsyncd.conf</filename> to share that mount point out to my
new server, and synchronized once an hour. The script I used to synchronize
is shown in <link linkend="sbersync"/>. The files exclusion list I used
is shown in <link linkend="sbexcld"/>. The reason I had to have the
<command>rsync</command> daemon running on a system which could be
<command>rsync</command> daemon running on a system that could be
rebooted frequently is because <constant>ncpfs</constant>
(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
mount points which cannot be recovered without a reboot. The reason for hourly
mount points that cannot be recovered without a reboot. The reason for hourly
synchronization is because some part of the chain was very slow and
performance-heavy (whether <command>rsync</command> itself, the network,
or the Novell server I am not sure probably the Novell server).
or the Novell server, I am not sure, but it was probably the Novell server).
</para>
<example id="sbersync">
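Review bot: the unchanged parenthetical "ncpfs (part of the MARS NetWare Emulation package)" should be checked: ncpfs, which provides ncpmount, is the NetWare client filesystem and is packaged separately from the Mars_NWE server emulator, and the chapter spells the name "Mars_NWE" earlier and "MARS NetWare Emulation" here. One spelling and a correct attribution would avoid sending readers to the wrong package.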
@ -951,8 +951,8 @@ fi
</example>
<para>
After Samba had been configured, I initialized the LDAP database. So the first
thing I had to do was to store the LDAP password in the Samba configuration by
After Samba was configured, I initialized the LDAP database. The first
thing I had to do was store the LDAP password in the Samba configuration by
issuing the command (as root):
<screen>
&rootprompt; smbpasswd -w verysecret
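Review bot: "smbpasswd -w verysecret" places the LDAP administrative password on the command line, where it is visible to other users in the process list and is recorded in root's shell history. The text should tell readers to clear the history entry (or run the command from a script readable only by root) after use; smbpasswd -w stores the secret in secrets.tdb, so only this one invocation is exposed.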
@ -964,12 +964,12 @@ fi
The Idealx smbldap-tools package can be configured using a script called
<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
for an example of its use. Many administrators, like Misty, choose to do this manually
so as to maintain greater awareness of how the tool-chain works, and possibly to avoid
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
undesirable actions from occurring un-noticed.
</para></note>
<para>
Now Samba is ready for use. Now configure the smbldap-tools. There are two
Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
relevant files, which are usually put into the directory
<filename>/etc/smbldap-tools</filename>. The main file,
<filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
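Review bot: the unchanged line "undesirable actions from occurring un-noticed" should be "unnoticed" (no hyphen), in line with the dehyphenation done elsewhere in this patch (makeover, failover, preloaded, recopying).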
@ -1164,8 +1164,8 @@ smbpasswd="/usr/bin/smbpasswd"
<para>
<indexterm><primary>TLS</primary></indexterm>
NOTE: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also I chose not to take advantage
Note: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also, I chose not to take advantage
of the master/slave configuration as I heard horror stories that it was
unstable. My slave servers are replicas only.
</para>
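Review bot: "the TLS capability of this" is vague; say "of smbldap-tools" or "of this configuration". Since the next hunk shows the bind credentials (masterPw="verysecret"), this note should also warn that without TLS those credentials, and every password change the tools make, travel to the LDAP server in cleartext unless the server is local or the URI uses ldaps; the /etc/ldap.conf shown earlier does set tls_cacertfile, so only the smbldap-tools side is left unprotected.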
@ -1182,7 +1182,7 @@ smbpasswd="/usr/bin/smbpasswd"
############################
# Credential Configuration #
############################
# Notes: you can specify two different configuration if you use a
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
@ -1194,16 +1194,16 @@ masterPw="verysecret"
</para>
<para>
We can now run the <command>smbldap-populate</command> command which will populate
The next step was to run the <command>smbldap-populate</command> command, which populates
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
It will create a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine you can still log in a root to a Windows system,
but it will break cached credentials if you need to log in as the administrator
to a system that is not on the network for whatever reason.
It creates a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine because you can still log on a root to a Windows system,
but it will break cached credentials if you need to log on as the administrator
to a system that is not on the network.
</para>
<para>
After the LDAP database has been pre-loaded it is prudent to validate that the
After the LDAP database has been preloaded, it is prudent to validate that the
information needed is in the LDAP directory. This can be done done by restarting
the LDAP server, then performing an LDAP search by executing:
<screen>
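Review bot: "you can still log on a root to a Windows system" is missing a word in both the old and the new line: "log on as root". The unchanged line "This can be done done by restarting" has a doubled "done".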
@ -1250,11 +1250,11 @@ ou: Idmap
<indexterm><primary>smbldap-groupadd</primary></indexterm>
<indexterm><primary>RID</primary></indexterm>
<indexterm><primary>sambaGroupMapping</primary></indexterm>
With the LDAP directory now initialized it is time to create the Windows and POSIX
With the LDAP directory now initialized, it was time to create the Windows and POSIX
(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
The easiest way to do this is to use <command>smbldap-groupadd</command> command.
It will create the group with the posixGroup and sambaGroupMapping attributes, a
unique GID, and an automatically-determined RID. I learned the hard way not to
The easiest way to do this was to use <command>smbldap-groupadd</command> command.
It creates the group with the posixGroup and sambaGroupMapping attributes, a
unique GID, and an automatically determined RID. I learned the hard way not to
try to do this by hand.
</para>
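Review bot: "to use smbldap-groupadd command" is missing the article in both the old and the new line: "to use the smbldap-groupadd command".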
@ -1273,7 +1273,7 @@ ou: Idmap
<indexterm><primary>posixAccount</primary></indexterm>
<indexterm><primary>smbldap-usermod</primary></indexterm>
The most monumental task of all was adding the sambaSamAccount information to each
already-existent posixAccount entry. I did it one at a time as I moved people onto
already existent posixAccount entry. I did it one at a time as I moved people onto
the new server, by issuing the command:
<screen>
&rootprompt; smbldap-usermod -a -P username
@ -1281,8 +1281,8 @@ ou: Idmap
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>LDIF</primary></indexterm>
<indexterm><primary>slapcat</primary></indexterm>
I completed that step for every user after asking the person what their current
NetWare password was. The wiser way to have done it would probably be to dump the
I completed that step for every user after asking the person what his or her current
NetWare password was. The wiser way to have done it would probably have been to dump the
entire database to an LDIF file. This can be done by executing:
<screen>
&rootprompt; slapcat &gt; somefile.ldif
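Review bot: the slapcat alternative recommended here writes the entire directory, including every userPassword value and any Samba password hashes already present, into somefile.ldif. The text should tell readers to create that file with a restrictive umask (077) or in a root-only directory and to delete it once the edited entries have been loaded back.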
@ -1307,7 +1307,7 @@ ou: Idmap
</para>
<para>
So first I added a test user, of course. The LDIF for this test user looks like
I first added a test user, of course. The LDIF for this test user looks like
this, to give you an idea:
<screen>
# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
@ -1378,10 +1378,10 @@ sambaAcctFlags: [W ]
<para>
<indexterm><primary>netlogon</primary></indexterm>
So now I can log in with a test user from the machine w2kengrspare. It's all fine and
good, but that user is in no groups yet so has pretty boring access. We can fix that
So now I could log on with a test user from the machine w2kengrspare. It was all fine and
good, but that user was in no groups yet and so had pretty boring access. I fixed that
by writing the login script! To write the login script, I used
<ulink url="http://www.kixtart.org">Kixtart</ulink>. I used it because it will work
<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
with every architecture of Windows, has an active and helpful user base, and was both
easier to learn and more powerful than the standard netlogon scripts I have seen.
I also did not have to do a logon script per user or per group.
@ -1389,7 +1389,7 @@ sambaAcctFlags: [W ]
<para>
<indexterm><primary>Kixtart</primary></indexterm>
I downloaded Kixtart and put the following files in my [netlogon] share:
I downloaded Kixtart and put the following files in my netlogon share:
<screen>
KIX32.EXE
KX32.dll
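Review bot: this hunk changes "[netlogon] share" to "netlogon share", but the hunk at -1589 leaves "the logon.bat script in the [netlogon] directory" and "[print$] share" in bracket notation. Pick one form; the bracketed form matches the smb.conf section names the reader has to create.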
@ -1589,16 +1589,16 @@ ENDIF
</example>
<para>
As you can see in the script, I redirect the My Documents to the user's home
share if they are not in the Laptop group. I also add printers on a
group-by-group basis, and if applicable I setthe group printer. For this to
As you can see in the script, I redirected the My Documents to the user's home
share if he or she were not in the Laptop group. I also added printers on a
group-by-group basis, and if applicable I set the group printer. For this to
be effective, the print drivers must be installed on the Samba server in the
<filename>[print$]</filename> share. Ample documentation exists about how to
do that so I did not cover it.
do that, so it is not covered here.
</para>
<para>
I actually call this script via the logon.bat script in the [netlogon] directory:
I call this script via the logon.bat script in the [netlogon] directory:
<screen>
\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
</screen>
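Review bot: "if he or she were not in the Laptop group" uses a subjunctive where the simple past is wanted ("if he or she was not in the Laptop group"), since the sentence describes a real test the script performs, not a hypothetical. "I redirected the My Documents to" also reads better as "I redirected My Documents to".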
@ -1608,12 +1608,12 @@ ENDIF
<para>
Also of note for Win9x is that the drive mappings and printer setup will not
work because they rely on RPC. One merely has to put the appropriate settings
work because they rely on RPC. You merely have to put the appropriate settings
into the <filename>c:\autoexec.bat</filename> file or map the drives manually.
One option would be to check the OS as part of the Kixtart script, and if it
is Win9x and if it is the first login, copy a pre-made
One option is to check the OS as part of the Kixtart script, and if it
is Win9x and is the first login, copy a premade
<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
only have three such machines and one is going away in the very near future,
have onlythree such machines, and one is going away in the very near future,
so it was easier to do it by hand.
</para>
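Review bot: "have onlythree such machines" is missing a space ("only three").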
@ -1622,14 +1622,14 @@ ENDIF
At this point I was able to add the users. This is the part that really falls
into upgrade. I moved the users over one group at a time, starting with the
people who used the least amount of resources on the network. With each group
that I moved, I first logged in as a standard user in that group and took
careful note of their environment, mainly the printers they used, their PATH,
and what network resources they had access to (most importantly which ones
they actually needed access to).
that I moved, I first logged on as a standard user in that group and took
careful note of the environment, mainly the printers he or she used, the PATH,
and what network resources he or she had access to (most importantly, which ones
the user actually needed access to).
</para>
<para>
I would then add the user's SambaSamAccount information as mentioned earlier,
I then added the user's SambaSamAccount information as mentioned earlier,
and join the computer to the domain. The very first thing I had to do was to
copy the user's profile to the new server. This was very important, and I really
struggled with the most effective way to do it. Here is the method that worked
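Review bot: the tense is now mixed: "I then added the user's SambaSamAccount information ... and join the computer to the domain" should be "and joined". The object class is also spelled sambaSamAccount (lowercase s) earlier in this file, so the capitalised form here is inconsistent.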
@ -1639,7 +1639,7 @@ ENDIF
<procedure>
<step><para>
Log in as the user on the domain. This creates the local copy
of the user's profile and copies it to the server as they log out.
of the user's profile and copies it to the server as he or she logs out.
</para></step>
<step><para>
@ -1660,17 +1660,17 @@ ENDIF
In the next dialog, copy it directly to the profiles share on the
Samba server (\\PDCname\profiles\user\&lt;architecture&gt; in my
case). You will have had to make a connection to the share as that
user (e.g.: Windows Explorer type \\PDCname\profiles\username).
user (e.g., Windows Explorer type \\PDCname\profiles\username).
</para></step>
<step><para>
When the copy is complete (it can take a while) log out, and log back in
as the user. All his/her settings and all contents of My Documents,
as the user. All of his or her settings and all contents of My Documents,
Favorites, and the registry should have been copied successfully.
</para></step>
<step><para>
If it doesn't look right (the dead giveaway is the desktop background)
If it doesn't look right (the dead giveaway is the desktop background),
shut down the computer without logging out (power cycle) and try logging
in as the user again. If it still doesn't work, repeat the steps above.
I only had to ever repeat it once.
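Review bot: this patch changes "log in" to "log on" in several hunks (-1378, -1622, -1639) but leaves "log out, and log back in" and "try logging in as the user again" here unchanged. Either form is acceptable, but one should be used consistently. "I only had to ever repeat it once" reads better as "I only ever had to repeat it once".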
@ -1679,18 +1679,18 @@ ENDIF
</procedure>
<para>
WORDS TO THE WISE:
Words to the Wise:
</para>
<itemizedlist>
<listitem><para>
If the user was anything other than a standard user on his/her system
before, you will save yourself some headaches by giving them identical
permissions (on the local machine) as their domain account, BEFORE
copying their profile over. Do this through the User Administrator
If the user was anything other than a standard user on his or her system
before, you will save yourself some headaches by giving him or her identical
permissions (on the local machine) as his or her domain account <emphasis>before</emphasis>
copying the profile over. Do this through the User Administrator
in the Control Panel, after joining the computer to the domain and
before logging as that user for the first time. Otherwise they will
have trouble with permissions on their registry keys.
before logging on as that user for the first time. Otherwise the user will
have trouble with permissions on his or her registry keys.
</para></listitem>
<listitem><para>
@ -1703,53 +1703,53 @@ ENDIF
After all these steps are accomplished, only cleanup details are left. Make sure user's
shortcuts and Network Places point to the appropriate place on the new server, check
the important applications to be sure they work as expected and troubleshoot any problems
that might arise, check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way)
that might arise, and check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way),
you will need to log in as a local administrator and delete them.
</para>
<para>
For my non-laptop systems, I would then log in and out a couple times as the user,
to be sure that their registry settings were modified, then I was finished.
For my non-laptop systems, I would then log in and out a couple times as the user
to be sure that his or her registry settings were modified, and then I was finished.
</para>
<para>
Some compatibility issues that cropped up included:
Some compatibility issues that cropped up included the following:
</para>
<para>
Blackberry client &smbmdash; It did not like having its registry settings moved around,
and had to be reinstalled. Also it needed write permissions to a portion of
Blackberry client: It did not like having its registry settings moved around
and so had to be reinstalled. Also, it needed write permissions to a portion of
the hard drive, and I had to give it those manually on the one system where
this was an issue.
</para>
<para>
CAMedia &smbmdash; digital camera software for Canon cameras I had all kinds of trouble
CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
with the registry. I had to use the Run as service to open the registry of
the local user while logged in as the domain user, and give the domain user
the appropriate permissions to some registry keys, then export that portion
of the registry to a file. Then as the domain user I had to import that file
of the registry to a file. Then, as the domain user, I had to import that file
into the registry.
</para>
<para>
Crystal Reports version 7 &smbmdash; More registry problems that were solved by re-copying
Crystal Reports version 7: More registry problems that were solved by recopying
the user's profile.
</para>
<para>
Printing from legacy applications &smbmdash; I found out that Novell sent its jobs to
the printer in a raw format. CUPS sends them in Postscript by default. I had
Printing from legacy applications: I found out that Novell sends its jobs to
the printer in a raw format. CUPS sends them in PostScript by default. I had
to make a second printer definition for one printer and tell CUPS specifically
to send raw data to the printer, and assign this printer to the LPT port with
to send raw data to the printer, then assign this printer to the LPT port with
Kixtart's version of the net use command.
</para>
<para>
These were all eventually solved by elbow grease, queries to the Samba mailing
list and others, and diligence. The complete migration took about 5 weeks.
My userbase is relatively small, but includes multiple versions of Windows,
My userbase is relatively small but includes multiple versions of Windows,
multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
applications written in Qbasic and R:Base, just to name a few. I actually
ended up making some of these applications work better (or work again, as
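Review bot: "Novell sent its jobs" was changed to "Novell sends"; since the NetWare server is being retired and the rest of the paragraph is in the past tense ("I had to make a second printer definition"), the original past tense was right. The raw-versus-PostScript point deserves one more sentence: a legacy application that emits printer-native data needs a raw queue, because a default CUPS queue treats the job as PostScript and mangles it, which is why the second printer definition is needed.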
@ -1759,22 +1759,22 @@ ENDIF
<para>
The one thing I have not been able to get working is a very old database that
we had around for reference purposes which uses Novell's Btrieve engine.
we had around for reference purposes; it uses Novell's Btrieve engine.
</para>
<para>
As the resources compare, I went from 95% disk usage to just around 10%.
I went from a very high load on the server to an average load of between 1
and 2 runnable processes on the server. I have improved the security and
As the resources compare, I went from 95 percent disk usage to just around 10 percent.
I went from a very high load on the server to an average load of between one
and two runnable processes on the server. I have improved the security and
robustness of the system. I have also implemented
<ulink url="http://www.clamav.net">ClamAV</ulink> Anti-virus
which scans the entire Samba server for viruses every two hours and
<ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software,
which scans the entire Samba server for viruses every 2 hours and
quarantines them. I have found it much less problematic than our ancient
version of Norton Anti-virus Corporate Edition, and much more up-to-date.
version of Norton Antivirus Corporate Edition, and much more up-to-date.
</para>
<para>
In short, my users are much happier now that the new server is running, that
In short, my users are much happier now that the new server is running, and that
is what is important to me.
</para>
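Review bot: Numeral style is inconsistent within this hunk: the rewritten line "I went from a very high load on the server to an average load of between one and two runnable processes" spells the numbers out, while two lines later "every two hours" becomes "every 2 hours". Pick one convention for the paragraph; since the same hunk just converted "1 and 2" to words, "every two hours" is the choice that matches.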

@ -5,10 +5,10 @@
<para>
Congratulations, your Samba networking skills are developing nicely. You started out
with three simple networks in Chapter 1, and then in Chapter 2 you designed and built a
network that provides a high degree of flexibility, integrity, and dependability. It
was enough for the basic needs each was designed to fulfill. In this chapter you
address a more complex set of needs. The solution you explore
with three simple networks in <link linkend="simple"/>, and then in <link linkend="small"/>
you designed and built a network that provides a high degree of flexibility, integrity,
and dependability. It was enough for the basic needs each was designed to fulfill. In
this chapter you address a more complex set of needs. The solution you explore
introduces you to basic features that are specific to Samba-3.
</para>
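Review bot: The new "<link linkend="simple"/>" and "<link linkend="small"/>" elements carry no link text, so the rendered wording now depends entirely on the stylesheet's generated cross-reference text and on those ids being declared on the target chapters; an unresolved linkend fails the DocBook build instead of degrading to the old "Chapter 1" wording. Confirm both ids exist before merging, since this commit substitutes these links for literal chapter numbers in several files.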
@ -280,7 +280,7 @@
<indexterm><primary>dynamic DNS</primary></indexterm>
<indexterm><primary>DDNS</primary><see>dynamic DNS</see></indexterm>
<indexterm><primary>DHCP server</primary></indexterm>
Compared with the DHCP server configuration in Chapter 2, <link linkend="dhcp01"/>, the
Compared with the DHCP server configuration in <link linkend="small"/>, <link linkend="dhcp01"/>, the
configuration used in this example has to deal with the presence of an Internet connection.
The scope set for it ensures that no DHCP services will be offered on the external
connection. All printers are configured as DHCP clients so that the DHCP server assigns
@ -962,7 +962,7 @@ root = Administrator
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>add</tertiary></indexterm>
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>modify</tertiary></indexterm>
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Chapter 2,
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <link linkend="small"/>,
<link linkend="initGrps"/>. Create a file containing this script. We called ours
<filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
and then execute the script. Sample output should be as follows:
@ -1157,7 +1157,7 @@ net use p: \\diamond\apps
<example id="prom-dhcp">
<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
<screen>
# Abmas Accounting Inc. - Chapter 4
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
default-lease-time 86400;
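Review bot: The context lines of this dhcpd.conf example declare "default-lease-time 86400;" twice, once before and once after "max-lease-time 172800;". While the header comment is being edited, the duplicated directive should be dropped so that readers do not copy a redundant setting verbatim.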
@ -1890,7 +1890,7 @@ $rootprompt; ps ax | grep winbind
</screen>
The <command>winbindd</command> daemon is running in split mode (normal), so there are also
two instances<footnote><para>For more information regarding winbindd, see <emphasis>TOSHARG</emphasis>,
Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal. One additional
Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal. One additional
<command>smbd</command> slave process is spawned for each SMB/CIFS client
connection.</para></footnote> of it.
</para></step>
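Review bot: The hardcoded cross-reference "TOSHARG, Chapter 23, Section 23.3" (renumbered here from 22/22.3, and again in the @ -769,7 hunk of the next file) is exactly the kind of external page and section number that drifts every time the other book is reorganized, which is why this commit has to touch it at all. Referring to that chapter by its title or by a stable id would let the footnote survive the next renumbering; at minimum, search the remaining files for other "Chapter 22" references to TOSHARG so the two books stay in step.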
@ -2608,7 +2608,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
expression that may be up to 1024 characters in length and that represents an IP address.
A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character
is a name type indicator. A specific name type is registered<footnote><para>
See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information.</para></footnote> for each
See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information.</para></footnote> for each
type of service that is provided by the Windows server or client and that may be registered
where a WINS server is in use.
</para>
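Review bot: The before and after lines of this hunk are identical ("See <emphasis>TOSHARG</emphasis>, Chapter 9, for more information."), so this is a whitespace-only change that only adds noise to the diff; drop it unless the trailing whitespace was the point. While here: the other TOSHARG references in this commit were renumbered from Chapter 22 to 23, so if TOSHARG's chapters have shifted, "Chapter 9" deserves the same check.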

@ -4,7 +4,7 @@
<title>Small Office Networking</title>
<para>
Chapter 1 focused on the basics of simple yet effective
<link linkend="simple"/> focused on the basics of simple yet effective
network solutions. Network administrators who take pride in their work
(that's most of us, right?) take care to deliver what our users want,
but not too much more. If we make things too complex, we confound our users
@ -264,7 +264,7 @@
The alternate approach could be to demonstrate the migration of the system that is documented
in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with
future examples, as a new installation is based on the premise that you can determine
the migration steps from the information provided in Chapter ?????????.
the migration steps from the information provided in <link linkend="ntmigration"/>.
Additionally, a fresh installation makes the example easier to follow.
</para>
@ -769,7 +769,7 @@ $rootprompt; ps ax | grep winbind
</screen>
The <command>winbindd</command> daemon is running in split mode (normal), so there are also
two instances of it. For more information regarding <command>winbindd</command>, see <emphasis>TOSHARG</emphasis>,
Chapter 22, Section 22.3. The single instance of <command>smbd</command> is normal.
Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal.
</para></step>
<step><para>

@ -37,8 +37,8 @@ context in either book, I could not find it.
<para>
<indexterm><primary>contributions</primary></indexterm>
So in response to the significant request for these situations to be better
documented this chapter has now been added. User contributions and documentation
of real-world experiences will be a most welcome addition to this chapter.
documented, this chapter has now been added. User contributions and documentation
of real-world experiences are a most welcome addition to this chapter.
</para>
<sect1>
@ -49,20 +49,20 @@ of real-world experiences will be a most welcome addition to this chapter.
<indexterm><primary>upgrade</primary></indexterm>
<indexterm><primary>frustration</primary></indexterm>
A Windows network administrator explained in an email what changes he was
planning to make and and followed with the question: <quote>Anyone done this before?</quote>.
Many of us have upgraded and updated Samba without incident. Others have
experienced much pain and user frustration. So it is to be hoped that the
notes in this chapter will make a positive difference by assuring that
someone will be saved a lot of discomfort.
planning to make and followed with the question: <quote>Anyone done this
before?</quote> Many of us have upgraded and updated Samba without incident.
Others have experienced much pain and user frustration. So it is to be hoped
that the notes in this chapter will make a positive difference by assuring
that someone will be saved a lot of discomfort.
</para>
<para>
Before anyone commences an upgrade or an update of Samba the one cardinal
Before anyone commences an upgrade or an update of Samba, the one cardinal
rule that must be observed is: Backup all Samba configuration files in
case it is necessary to revert to the old version. Even if you do not like
this precautionary step, users will punish an administrator who
fails to take adequate steps to avoid situations that may inflict lost
productivity on a user.
productivity on them.
</para>
<warning><para>
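Review bot: The context line "rule that must be observed is: Backup all Samba configuration files" uses the noun "Backup" where the imperative verb "Back up" is needed; since this hunk already reworks the surrounding sentence ("productivity on them"), fix the verb in the same pass. The same noun-for-verb slip appears in the next hunk ("It is prudent also to backup all data files").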
@ -81,8 +81,8 @@ in the rare event that this may be necessary.
It is prudent also to backup all data files on the server before attempting
to perform a major upgrade. Many administrators have experienced the consequences
of failure to take adequate precautions. So what is adequate? That is simple!
If data is lost during an upgrade or and update and it can not be restored
the precautions take were inadequate. If a backup was not needed, but was available,
If data is lost during an upgrade or update and it can not be restored,
the precautions taken were inadequate. If a backup was not needed, but was available,
precaution was on the side of the victor.
</para>
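Review bot: The rewritten line "If data is lost during an upgrade or update and it can not be restored," keeps "can not", while the @ -315,9 hunk in this same file changes "can not" to "cannot"; use "cannot" here as well so the file is consistent. The context line "to backup all data files" should read "to back up".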
@ -99,16 +99,16 @@ precaution was on the side of the victor.
<indexterm><primary>upgrade</primary></indexterm>
<indexterm><primary>generation</primary></indexterm>
This is as good a time as any to define the terms <constant>upgrade</constant> and
<constant>update</constant>. The term <constant>upgrade</constant> is used to refer to
<constant>update</constant>. The term <constant>upgrade</constant> refers to
the installation of a version of Samba that is a whole generation or more ahead of
that which is installed. Generations are indicated by the first digit of the version
number. So far Samba has been released in generations 1.x, 2.x, 3.x and currently 4.0
number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0
is in development.
</para>
<para>
<indexterm><primary>generation</primary></indexterm>
The term <constant>update</constant> is used to refer to a minor version number installation
The term <constant>update</constant> refers to a minor version number installation
in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14
is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade.
</para>
@ -118,15 +118,15 @@ precaution was on the side of the victor.
While the use of these terms is an exercise in semantics, what needs to be realized
is that there are major functional differences between a Samba 2.x release and a Samba
3.0.x release. Such differences may require a significantly different approach to
solving the same networking challenge and generally requires careful review of the
solving the same networking challenge and generally require careful review of the
latest documentation to identify precisely how the new installation may need to be
modified to preserve prior functionality.
</para>
<para>
There is an old axiom that says, <quote>The greater the volume of the documentation
the greater the risk that no-one will read it, but where there is no documentation
no-one can read it!</quote>. While true, some documentation is an evil necessity.
There is an old axiom that says, <quote>The greater the volume of the documentation,
the greater the risk that noone will read it, but where there is no documentation,
noone can read it!</quote> While true, some documentation is an evil necessity.
It is to be hoped that this update to the documentation will avoid both extremes.
</para>
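Review bot: The rewrite turns "no-one" into "noone" in both "the risk that noone will read it" and "noone can read it!", but "noone" is not a word; it should be "no one" in both places. The punctuation change (dropping the period after the quotation, which already ends in "!") is fine.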
@ -140,7 +140,7 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>networking</primary><secondary>client</secondary></indexterm>
<indexterm><primary>security</primary><secondary>identifier</secondary></indexterm>
Before the days of Windows NT and OS/2 every Windows and DOS networking client
Before the days of Windows NT and OS/2, every Windows and DOS networking client
that used the SMB protocols was an entirely autonomous entity. There was no concept
of a security identifier for a machine or a user outside of the username, the
machine name, and the workgroup name. In actual fact, these were not security identifiers
@ -155,7 +155,7 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>username</primary></indexterm>
<indexterm><primary>Windows</primary><secondary>client</secondary></indexterm>
Versions of Samba prior to 1.9 did not make use of a SID, instead they make exclusive use
Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use
of the username that is embedded in the SessionSetUpAndX component of the connection
setup process between a Windows client and an SMB/CIFS server.
</para>
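Review bot: The rewritten sentence mixes tenses: "Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use of the username" should read "Instead they made exclusive use", since it describes versions that are long gone.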
@ -165,7 +165,7 @@ precaution was on the side of the victor.
<indexterm><primary>rpc</primary></indexterm>
<indexterm><primary>security</primary></indexterm>
Around November 1997 support was added to Samba-1.9 to handle the Windows security
rpc based protocols that implemented support for Samba to store a machine SID. This
RPC-based protocols that implemented support for Samba to store a machine SID. This
information was stored in a file called <filename>MACHINE.SID.</filename>
</para>
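Review bot: In the context line "information was stored in a file called <filename>MACHINE.SID.</filename>" the sentence's full stop sits inside the filename element and renders as part of the file name; move it outside, i.e. "<filename>MACHINE.SID</filename>." The @ -255,13 hunk later in this file gives the name as /etc/MACHINE.SID, which is the form to match.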
@ -173,9 +173,9 @@ precaution was on the side of the victor.
<indexterm><primary>machine</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>secrets.tdb</primary></indexterm>
Within the life time of the early Samba 2.x series the machine SID information was
relocated into a tdb file called <filename>secrets.tdb</filename>, which is where is
is still located in Samba 3.0.x along with other information that pertains to the
Within the lifetime of the early Samba 2.x series, the machine SID information was
relocated into a tdb file called <filename>secrets.tdb</filename>, which is where
it is still located in Samba 3.0.x along with other information that pertains to the
local machine and its role within a domain security context.
</para>
@ -186,7 +186,7 @@ precaution was on the side of the victor.
<indexterm><primary>SAS</primary></indexterm>
There are two types of SID, those pertaining to the machine itself and the domain to
which it may belong, and those pertaining to users and groups within the security
context of the local machine (in the case of stand-alone servers (SAS) and domain member
context of the local machine, in the case of standalone servers (SAS) and domain member
servers (DMS).
</para>
@ -198,24 +198,24 @@ precaution was on the side of the victor.
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>secrets.tdb</primary></indexterm>
When the Samba <command>smbd</command> daemon is first started, if the <filename>secrets.tdb</filename>
file does not exist it is created at the first client connection attempt. If this file does
exist, <command>smbd</command> checks that there is a machine SID (if it is a domain controller
file does not exist, it is created at the first client connection attempt. If this file does
exist, <command>smbd</command> checks that there is a machine SID (if it is a domain controller,
it searches for the domain SID). If <command>smbd</command> does not find one for the current
name of the machine or for the current name of the workgroup a new SID will be generated and
then written to the <filename>secrets.tdb</filename> file. The SID is generated in a non-determinative
name of the machine or for the current name of the workgroup, a new SID will be generated and
then written to the <filename>secrets.tdb</filename> file. The SID is generated in a nondeterminative
manner. This means that each time it is generated for a particular combination of machine name
(hostname) and domain name (workgroup) it will be different.
(hostname) and domain name (workgroup), it will be different.
</para>
<para>
<indexterm><primary>ACL</primary></indexterm>
The SID is the key used by MS Windows networking for all networking operations. This means
that when the machine or domain SID changes all security encoded objects such as profiles
that when the machine or domain SID changes, all security-encoded objects such as profiles
and ACLs may become unusable.
</para>
<note><para>
It is of paramount importance that the machine and domain SID must be backed up so that in
It is of paramount importance that the machine and domain SID be backed up so that in
the event of a change of hostname (machine name) or domain name (workgroup) the SID can
be restored to its previous value.
</para></note>
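Review bot: "nondeterminative" (rewritten from "non-determinative") is not the term the paragraph means; the SID is generated in a nondeterministic manner, which is what the next sentence spells out ("each time it is generated ... it will be different"). This sentence is also the justification for the note that follows, so it would help the reader to state the consequence directly: because regeneration never reproduces the old value, the only way back after a name change is a backup of secrets.tdb (or of the SID value itself), not another start of smbd.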
@ -232,8 +232,8 @@ precaution was on the side of the victor.
<indexterm><primary>SAS</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain
SID. On all prior versions the hostname (computer name, or netbios name) controlled
the SID. On a stand-alone server (SAS) the hostname still controls the SID.
SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled
the SID. On a standalone server the hostname still controls the SID.
</para>
<para>
@ -255,13 +255,13 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
<para>
Samba 1.9.x stored the machine SID in the the file <filename>/etc/MACHINE.SID</filename>
from which it can be recovered and stored into the <filename>secrets.tdb</filename> file
from which it could be recovered and stored into the <filename>secrets.tdb</filename> file
using the procedure shown above.
</para>
<para>
Where the <filename>secrets.tdb</filename> file exists and a version of Samba 2.x or later
has been used there is no specific need to go through this update process. Samba-3 has the
has been used, there is no specific need to go through this update process. Samba-3 has the
ability to read the older tdb file and to perform an in-situ update to the latest tdb format.
This is not a reversible process &smbmdash; it is a one-way upgrade.
</para>
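Review bot: The context line "Samba 1.9.x stored the machine SID in the the file <filename>/etc/MACHINE.SID</filename>" still carries the doubled "the the"; since the following line is being edited in this hunk ("could be recovered"), fix the duplication here too.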
@ -280,7 +280,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
<screen>
&rootprompt; smbpasswd -S PDC -Uadministrator%password
</screen>
From which the SID could be copied to a file and then it could be written to the Samba 2.2.x
from which the SID could be copied to a file and then written to the Samba-2.2.x
<filename>secrets.tdb</filename> file by executing:
<screen>
&rootprompt; smbpasswd -W S-1-5-21-726309263-4128913605-1168186429
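Review bot: Both command examples in this region pass the password inline, "smbpasswd -S PDC -Uadministrator%password" here and "rpcclient lsaquery -Uroot%password" in the next hunk; on a multi-user host a password given on the command line is visible to every local user in the process list and ends up in root's shell history. Since these are the domain administrator and root credentials, the text should show "-Uadministrator" alone and let the tool prompt for the password, or at least point out the exposure.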
@ -290,7 +290,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
<para>
<indexterm><primary>rpcclient</primary></indexterm>
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>info</tertiary></indexterm>
Domain security information, that includes the domain SID, can be obtained from Samba-2.2.x
Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x
systems by executing:
<screen>
&rootprompt; rpcclient lsaquery -Uroot%password
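Review bot: The command line "rpcclient lsaquery -Uroot%password" in the context does not match rpcclient's usage, where the positional argument is the server to connect to and the command is supplied with "-c" (or interactively); as written, "lsaquery" would be taken as a host name. The example should read along the lines of "rpcclient PDC -Uroot%password -c lsaquery", with PDC being the server as in the smbpasswd example above.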
@ -315,9 +315,9 @@ Num local groups: 0
<indexterm><primary>SID</primary></indexterm>
Take note that the domain SID is used extensively in Samba. Where LDAP is used for the
<parameter>passdb backend</parameter>, all user, group, and trust accounts are encoded
with the domain SID. This means that if the domain SID changes for any reason the entire
Samba environment can become broken thus requiring extensive corrective action is the
original SID can not be restored. Fortunately, it can be recovered from a dump of the
with the domain SID. This means that if the domain SID changes for any reason, the entire
Samba environment can become broken and require extensive corrective action if the
original SID cannot be restored. Fortunately, it can be recovered from a dump of the
LDAP database. A dump of the LDAP directory database can be obtained by executing:
<screen>
&rootprompt; slapcat -v -l filename.ldif
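Review bot: The sentence "A dump of the LDAP directory database can be obtained by executing: slapcat -v -l filename.ldif" should add that the LDIF written by slapcat contains every attribute of every entry, the account password hashes included, so the file must be created and kept with the same care as the directory itself (root-only permissions, not left in a world-readable directory) before it is retained as the SID backup this paragraph recommends.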
@ -328,14 +328,14 @@ Num local groups: 0
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>profiles</primary></indexterm>
<indexterm><primary>RPM</primary></indexterm>
When the domain SID has changed roaming profiles will cease to be functional. The recovery
of roaming profiles will necessitate resetting of the domain portion of the user SID
When the domain SID has changed, roaming profiles cease to be functional. The recovery
of roaming profiles necessitates resetting of the domain portion of the user SID
that owns the profile. This is encoded in the <filename>NTUser.DAT</filename> and can be
updated using the Samba <command>profiles</command> utility. Please be aware that not all
Linux distributions of the Samba RPMs do include this essential utility. Please do not
complain to the Samba Team if this utility is missing, that is an issue that must be
Linux distributions of the Samba RPMs include this essential utility. Please do not
complain to the Samba Team if this utility is missing; that issue that must be
addressed to the creator of the RPM package. The Samba Team do their best to make
available all the tools needed to manage a Samba based Windows networking environment.
available all the tools needed to manage a Samba-based Windows networking environment.
</para>
</sect3>
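Review bot: The rewritten line "complain to the Samba Team if this utility is missing; that issue that must be" drops a word and no longer parses; it should read "that is an issue that must be addressed to the creator of the RPM package" (or "that issue must be raised with the creator of the RPM package").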
@ -346,40 +346,40 @@ Num local groups: 0
<para>
<indexterm><primary>netbios</primary><secondary>machine name</secondary></indexterm>
<indexterm><primary>netbios name</primary></indexterm>
Samba uses two (2) methods by which the primary NetBIOS machine name (also known as a computer
name or the hostname) may be determined: If the &smb.conf; file contains an entry
<parameter>netbios name</parameter> entry its value will be used directly. In the absence
of such and entry the UNIX system hostname will be used.
Samba uses two methods by which the primary NetBIOS machine name (also known as a computer
name or the hostname) may be determined: If the &smb.conf; file contains a
<parameter>netbios name</parameter> entry, its value will be used directly. In the absence
of such an entry, the UNIX system hostname will be used.
</para>
<para>
Many sites have become victims of lost Samba functionality because the UNIX system
hostname was changed for one reason or another. Such a change will cause a new machine
SID to be generated. If this happens on a domain controller it will also change the
domain SID. These SIDs can be updated (restored) using the procedure outlined above.
SID to be generated. If this happens on a domain controller, it will also change the
domain SID. These SIDs can be updated (restored) using the procedure outlined previously.
</para>
<note><para>
Do NOT change the hostname or the <parameter>netbios name</parameter>. If this
is changed be sure to reset the machine SID to the original setting, otherwise
is changed, be sure to reset the machine SID to the original setting. Otherwise
there may be serious interoperability and/or operational problems.
</para></note>
</sect3>
<sect3>
<title>Change of workgroup (domain) name</title>
<title>Change of Workgroup (Domain) Name</title>
<para>
<indexterm><primary>workgroup</primary></indexterm>
The domain name of a Samba server is identical with the workgroup name and is
The domain name of a Samba server is identical to the workgroup name and is
set in the &smb.conf; file using the <parameter>workgroup</parameter> parameter.
This has been consistent throughout the history of Samba and across all versions.
</para>
<para>
<indexterm><primary>SID</primary></indexterm>
Be aware that when the workgroup name is changed a new SID will be generated.
Be aware that when the workgroup name is changed, a new SID will be generated.
The old domain SID can be reset using the procedure outlined earlier in this chapter.
</para>
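Review bot: The paragraph "Many sites have become victims of lost Samba functionality because the UNIX system hostname was changed" states the problem but not the preventive step that follows from the two-method rule just above it: if <parameter>netbios name</parameter> is set explicitly in &smb.conf;, the machine name Samba uses no longer tracks the UNIX hostname, so a hostname change does not regenerate the machine SID (nor, on a domain controller, the domain SID). Suggest one sentence recommending that the parameter be set before any hostname change, alongside the existing advice to back up and restore the SID.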
@ -402,7 +402,7 @@ Num local groups: 0
</para>
<para>
During the life of the Samba 2.x release the &smb.conf; file was relocated
During the life of the Samba 2.x release, the &smb.conf; file was relocated
on Linux systems to the <filename>/etc/samba</filename> directory where it
remains located also for Samba 3.0.x installations.
</para>
@ -411,14 +411,14 @@ Num local groups: 0
<indexterm><primary>secrets.tdb</primary></indexterm>
Samba 2.x introduced the <filename>secrets.tdb</filename> file that is also stored in the
<filename>/etc/samba</filename> directory, or in the <filename>/usr/local/samba/lib</filename>
directory sub-system.
directory subsystem.
</para>
<para>
<indexterm><primary>smbd</primary></indexterm>
The location at which <command>smbd</command> expects to find all configuration and control
files is determined at the time of compilation of Samba. For versions of Samba prior to
3.0 one way to find the expected location of these files is to execute:
3.0, one way to find the expected location of these files is to execute:
<screen>
&rootprompt; strings /usr/sbin/smbd | grep conf
&rootprompt; strings /usr/sbin/smbd | grep secret
@ -463,10 +463,11 @@ Paths:
<para>
<indexterm><primary></primary></indexterm>
It is important that both the &smb.conf; file and the <filename>secrets.tdb</filename> should
be backed up before attempting any upgrade. The <filename>secrets.tdb</filename> file is version
encoded and therefore a newer version may not work with an older version of Samba. A backup
means that it is always possible to revert a failed or problematic upgrade.
It is important that both the &smb.conf; file and the <filename>secrets.tdb</filename>
be backed up before attempting any upgrade. The <filename>secrets.tdb</filename> file
is version-encoded, and therefore a newer version may not work with an older version
of Samba. A backup means that it is always possible to revert a failed or problematic
upgrade.
</para>
</sect3>
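Review bot: The context line "<indexterm><primary></primary></indexterm>" has an empty primary, which produces a blank index entry or a validation error depending on the toolchain; either fill it (secrets.tdb and backup are the obvious terms for this paragraph) or delete it while the paragraph is being reflowed.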
@ -479,7 +480,7 @@ Paths:
<indexterm><primary>character set</primary></indexterm>
<indexterm><primary>codepage</primary></indexterm>
<indexterm><primary>internationalization</primary></indexterm>
Samba-2.x had not support for Unicode, instead all national language character set support in file names
Samba-2.x had no support for Unicode; instead, all national language character-set support in file names
was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus
providing true internationalization support.
</para>
@ -495,7 +496,7 @@ Paths:
<para>
<indexterm><primary>UTF-8</primary></indexterm>
Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a
mix of codepage (unix charset) encoded file names and UTF-8 encoded file names, the mess will take some
mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some
effort to set straight.
</para>
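Review bot: The rewritten line "mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names" attaches the hyphen to a closing parenthesis, which reads badly; "unix charset" is also an &smb.conf; parameter and is marked up as <parameter> elsewhere in this file. Suggest "a mix of codepage-encoded (<parameter>unix charset</parameter>) file names and UTF-8-encoded file names".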
@ -503,7 +504,7 @@ Paths:
<indexterm><primary>convmv</primary></indexterm>
A very helpful tool is available from Bjorn Jacke's <ulink url="http://j3e.de/linux/convmv/">convmv</ulink>
work. Convmv is a tool that can be used to convert file and directory names from one encoding method to
another. The most common use for this tool is to convert locale encoded files to UTF-8 Unicode encoding.
another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding.
</para>
</sect3>
@ -519,7 +520,7 @@ Paths:
Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3
may experience little difficulty or may require a lot of effort, depending
on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will
generally be simple and straight forward, although no upgrade should be
generally be simple and straightforward, although no upgrade should be
attempted without proper planning and preparation.
</para>
@ -533,7 +534,7 @@ Samba-2.x could be compiled with LDAP support.
<title>Samba 1.9.x and 2.x Versions Without LDAP</title>
<para>
Where it is necessary to upgrade an old Samba installation to Samba-3
Where it is necessary to upgrade an old Samba installation to Samba-3,
the following procedure can be followed:
</para>
@ -546,22 +547,22 @@ Samba-2.x could be compiled with LDAP support.
<indexterm><primary>nmbd</primary></indexterm>
Stop Samba. This can be done using the appropriate system tool
that is particular for each operating system or by executing the
<command>kill</command> command on <command>smbd, nmbd</command>
and on <command>winbindd</command>.
<command>kill</command> command on <command>smbd</command>,
<command>nmbd</command>, and <command>winbindd</command>.
</para></step>
<step><para>
Find the location of the Samba &smb.conf; file - back it up to a
Find the location of the Samba &smb.conf; file and back it up to a
safe location.
</para></step>
<step><para>
Find the location of the <filename>smbpasswd</filename> file -
Find the location of the <filename>smbpasswd</filename> file and
back it up to a safe location.
</para></step>
<step><para>
Find the location of the <filename>secrets.tdb</filename> file -
Find the location of the <filename>secrets.tdb</filename> file and
back it up to a safe location.
</para></step>
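Review bot: The backup steps for <filename>smbpasswd</filename> and <filename>secrets.tdb</filename> say only "back it up to a safe location"; both files hold secrets (the password hashes of every account in smbpasswd, the machine secrets and SID in secrets.tdb), so "safe" should be spelled out as a root-only location with the original file modes preserved, not a world-readable scratch directory. The wording change from "file - back it up" to "file and back it up" is fine.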
@ -575,7 +576,7 @@ Samba-2.x could be compiled with LDAP support.
location used by the Samba Team is in
<filename>/usr/local/samba/var/locks</filename> directory,
but on Linux systems the old location was under the
<filename>/var/cache/samba</filename> directory, however the
<filename>/var/cache/samba</filename> directory. However, the
Linux Standards Base specified location is now under the
<filename>/var/lib/samba</filename> directory. Copy all the
tdb files to a safe location.
@ -590,13 +591,13 @@ Samba-2.x could be compiled with LDAP support.
<para>
On systems that do not support a reliable package management system
it is advisable either to delete the Samba old installation , or to
it is advisable either to delete the Samba old installation or to
move it out of the way by renaming the directories that contain the
Samba binary files.
</para></step>
<step><para>
When the Samba upgrade has been installed the first step that should
When the Samba upgrade has been installed, the first step that should
be completed is to identify the new target locations for the control
files. Follow the steps shown in <link linkend="sbeug1"/> to locate
the correct directories to which each control file must be moved.
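Review bot: The edited line "it is advisable either to delete the Samba old installation or to" fixes the stray space before the comma but leaves the word order; "the old Samba installation" is what is meant.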
@ -627,15 +628,15 @@ Samba-2.x could be compiled with LDAP support.
</screen>
<indexterm><primary>stripped</primary></indexterm>
The resulting &smb.conf; file will be stripped of all comments
and will be stripped of all non-conforming configuration settings.
and of all nonconforming configuration settings.
</para></step>
<step><para>
<indexterm><primary>winbindd</primary></indexterm>
It is now safe to start Samba using the appropriate system tool.
Alternately, it is possible to just execute <command>nmbd, smbd</command>
and <command>winbindd</command> for the command line while logged in
as the 'root' user.
Alternately, it is possible to just execute <command>nmbd</command>,
<command>smbd</command>, and <command>winbindd</command> for the command
line while logged in as the root user.
</para></step>
</procedure>
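Review bot: The step "The resulting &smb.conf; file will be stripped of all comments and of all nonconforming configuration settings" should tell the reader to diff the stripped file against the backed-up original before starting Samba: a parameter that Samba-3 no longer recognizes is omitted from the written file (the warnings about unknown parameters are easy to miss among the output), and if it was an access-control setting the new server comes up more permissive than the old one without any further error. Separately, the rewritten last step reads "for the command line while logged in as the root user"; that should be "from the command line".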
@ -643,7 +644,7 @@ Samba-2.x could be compiled with LDAP support.
</sect2>
<sect2>
<title>Applicable to all Samba 2.x to Samba-3 Upgrades</title>
<title>Applicable to All Samba 2.x to Samba-3 Upgrades</title>
<para>
<indexterm><primary>PDC</primary></indexterm>
@ -651,15 +652,15 @@ Samba-2.x could be compiled with LDAP support.
<indexterm><primary>inter-domain</primary></indexterm>
Samba 2.x servers that were running as a domain controller (PDC)
require changes to the configuration of the scripting interface
tools that Samba uses to perform operating system updates for
users, groups and trust accounts (machines and inter-domain).
tools that Samba uses to perform OS updates for
users, groups, and trust accounts (machines and interdomain).
</para>
<para>
<indexterm><primary>parameters</primary></indexterm>
The following parameters are new to Samba-3 and should be correctly
configured. Please refer to Chapters 3-6 in this book for examples
of use of the new parameters shown here:
The following parameters are new to Samba-3 and should be correctly configured.
Please refer to <link linkend="secure"/> through <link linkend="2000users"/>
in this book for examples of use of the new parameters shown here:
<indexterm><primary>add group script</primary></indexterm>
<indexterm><primary>add machine script</primary></indexterm>
<indexterm><primary>add user to group script</primary></indexterm>
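Review bot: The shortening "perform OS updates for users, groups, and trust accounts" is easy to misread as operating-system patching; the original "operating system updates" was already ambiguous, and what is meant is updating the operating system's user and group databases when Samba adds or removes accounts. Suggest "to add, modify, and delete users, groups, and trust accounts (machines and interdomain) in the operating system" so that the purpose of the add/delete scripts listed below is clear.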
@ -700,31 +701,32 @@ Samba-2.x could be compiled with LDAP support.
<indexterm><primary>groupmod</primary></indexterm>
<indexterm><primary>groupdel</primary></indexterm>
Where the <parameter>passdb backend</parameter> used is either <constant>smbpasswd</constant>
(the default), or the new <constant>tdbsam</constant>, the system interface scripts
are typically used. These involve use of operating system tools such as
<command>useradd, usermod, userdel, groupadd, groupmod, groupdel</command>, etc.
(the default) or the new <constant>tdbsam</constant>, the system interface scripts
are typically used. These involve use of OS tools such as <command>useradd</command>,
<command>usermod</command>, <command>userdel</command>, <command>groupadd</command>,
<command>groupmod</command>, <command>groupdel</command>, and so on.
</para>
<para>
<indexterm><primary>passdb backend</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>Idealx</primary></indexterm>
Where the <parameter>passdb backend</parameter> makes use of an LDAP directory
it will be necessary either to use the <constant>smbldap-tools</constant> provided
by Idealx, or else to use an alternate tool-set either provided by another third
party, or else home crafted tools to manage the LDAP directory accounts.
Where the <parameter>passdb backend</parameter> makes use of an LDAP directory,
it is necessary either to use the <constant>smbldap-tools</constant> provided
by Idealx or to use an alternate toolset provided by a third
party or else home-crafted to manage the LDAP directory accounts.
</para>
</sect2>
<sect2>
<title>Samba-2.x with LDAP support</title>
<title>Samba-2.x with LDAP Support</title>
<para>
Samba version 2.x could be compiled for use either with, or without, LDAP.
Samba version 2.x could be compiled for use either with or without LDAP.
The LDAP control settings in the &smb.conf; file in this old version are
completely different (and less complete) than they are with Samba-3. This
means that after migrating the control files it will be necessary to reconfigure
means that after migrating the control files, it is necessary to reconfigure
the LDAP settings entirely.
</para>
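Review bot: The unchanged line "completely different (and less complete) than they are with Samba-3" should use "different from"; suggest "are completely different from (and less complete than) those in Samba-3". Otherwise the comma and tense fixes in this hunk read well.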
@ -737,7 +739,7 @@ Samba-2.x could be compiled with LDAP support.
<indexterm><primary>schema</primary></indexterm>
<indexterm><primary>WHATSNEW.txt</primary></indexterm>
The Samba SAM schema required for Samba-3 is significantly different from that
used with Samba 2.x. This means that the LDAP directory will need to be updated
used with Samba 2.x. This means that the LDAP directory must be updated
using the procedure outlined in the Samba WHATSNEW.txt file that accompanies
all releases of Samba-3. This information is repeated here directly from this
file:
@ -901,7 +903,7 @@ the DN's with quotation marks.
<para>
The key concern in this section is to deal with the changes that have been
affected in Samba-3 between the samba-3.0.0 release and the current update.
affected in Samba-3 between the Samba-3.0.0 release and the current update.
Network administrators have expressed concerns over the steps that should be
taken to update Samba-3 versions.
</para>
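Review bot: "the changes that have been affected in Samba-3" is wrong in both versions of the line; changes are effected (brought about), so this should be "the changes that have been effected in Samba-3 between the Samba-3.0.0 release and the current update". Capitalizing Samba-3.0.0 is correct.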
@ -911,19 +913,19 @@ taken to update Samba-3 versions.
The information in <link linkend="sbeug1"/> would not be necessary if every
person who has ever produced Samba executable (binary) files could agree on
the preferred location of the &smb.conf; file and other Samba control files.
Clearly, such agreement is further away than a pipe-dream.
Clearly, such agreement is further away than a pipedream.
</para>
<para>
<indexterm><primary>vendors</primary></indexterm>
Vendors and packagers who produce Samba binary install-able packages do not,
Vendors and packagers who produce Samba binary installable packages do not,
as a rule, use the default paths used by the Samba-Team for the location of
the binary files, the &smb.conf; file, and the Samba control files (tdb's
as well as files such as <filename>secrets.tdb</filename>. This means that
as well as files such as <filename>secrets.tdb</filename>). This means that
the network or UNIX administrator who sets out to build the Samba executable
files from the Samba tarball must take particular care. Failure to take care
will result in both the original vendors' version of Samba remaining installed
as well as the new version that will be installed in the default location used
will result in both the original vendor's version of Samba remaining installed
and the new version being installed in the default location used
by the Samba-Team. This can lead to confusion and to much lost time as the
uninformed administrator deals with apparent failure of the update to take
effect.
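Review bot: "the Samba control files (tdb's" on the unchanged line uses an apostrophe to form a plural; together with the closing parenthesis added in this hunk, suggest "the Samba control files (tdb files as well as files such as <filename>secrets.tdb</filename>)". The rest of the paragraph, in particular the warning that a self-built Samba can coexist with the vendor package in a different path, is clear as rewritten.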
@ -934,21 +936,21 @@ effect.
The best advice for those lacking in code compilation experience is to use
only vendor (or Samba-Team) provided binary packages. The Samba packages
that are provided by the Samba-Team are generally built to use file paths
that are compatible with the original operating system vendors' practices.
that are compatible with the original OS vendor's practices.
</para>
<para>
<indexterm><primary>binary package</primary></indexterm>
<indexterm><primary>binary files</primary></indexterm>
If you are not sure whether or a binary package complies with the operating
system vendors' practices it is better to ask the package maintainer via
email to be certain than to waste much time dealing with the nuances.
If you are not sure whether or a binary package complies with the OS
vendor's practices, it is better to ask the package maintainer via
email than to waste much time dealing with the nuances.
Alternately, just diagnose the paths specified by the binary files following
the procedure outlined above.
</para>
<sect2>
<title>Samba-3 to Samba-3 updates on the Same Server</title>
<title>Samba-3 to Samba-3 Updates on the Same Server</title>
<para>
The guidance in this section deals with updates to an existing
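Review bot: "If you are not sure whether or a binary package complies" is missing a word in both the old and the new line; either drop "or" or complete it as "whether or not a binary package complies with the OS vendor's practices". The rest of the sentence reads well after the edit.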
@ -975,7 +977,7 @@ the procedure outlined above.
<para>
<indexterm><primary>schema</primary></indexterm>
<indexterm><primary>LDAP</primary><secondary>schema</secondary></indexterm>
When updating versions of Samba-3 prior to 3.0.6 to 3.0.6-3.0.10
When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10,
it is necessary only to update the LDAP schema (where LDAP is used).
Always use the LDAP schema file that is shipped with the latest Samba-3
update.
@ -985,7 +987,7 @@ the procedure outlined above.
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>tdbsam</primary></indexterm>
<indexterm><primary>passdb backend</primary></indexterm>
Samba-3.0.6 introduced the ability to remember the last 'n' number
Samba-3.0.6 introduced the ability to remember the last <emphasis>n</emphasis> number
of passwords a user has used. This information will work only with
the <constant>tdbsam</constant> and <constant>ldapsam</constant>
<parameter>passdb backend</parameter> facilities.
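Review bot: "remember the last <emphasis>n</emphasis> number of passwords" is redundant; "remember the last <emphasis>n</emphasis> passwords a user has used" says the same thing. On the following unchanged line, "This information will work only with" describes a feature, not information; suggest "Password history works only with the tdbsam and ldapsam passdb backend facilities."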
@ -1018,9 +1020,10 @@ the procedure outlined above.
</para>
<para>
In Samba-3.0.11 there were some functional changes to the <parameter>ldap user suffix</parameter>
and to the <parameter>ldap machine suffix</parameter> behaviors. The following
information has been extracted from the WHATSNEW.txt file from this release:
In Samba-3.0.11 there were some functional changes to the <parameter>ldap user
suffix</parameter> and to the <parameter>ldap machine suffix</parameter> behaviors.
The following information has been extracted from the WHATSNEW.txt file from this
release:
<screen>
============
LDAP Changes
@ -1051,15 +1054,15 @@ back to searching the 'ldap suffix' in some cases.
<para>
<indexterm><primary>DMS</primary></indexterm>
Replacement of a domain member server (DMS) should be done
Replacement of a domain member server should be done
using the same procedure as outlined in <link linkend="unixclients"/>.
</para>
<para>
Usually the new server will be introduced with a temporary name. After
the old server data has been migrated to the new server it is customary
that the new server will be renamed to that of the old server. This will
change its SID and will necessitate re-joining to the domain.
the old server data has been migrated to the new server, it is customary
that the new server be renamed to that of the old server. This will
change its SID and will necessitate rejoining to the domain.
</para>
<para>
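Review bot: "will necessitate rejoining to the domain" should be "will necessitate rejoining the domain". It would also help the reader to say why: since the SID changes with the rename, the existing machine trust account no longer matches and a fresh domain join is required, which is what the paragraph is getting at.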
@ -1069,14 +1072,14 @@ back to searching the 'ldap suffix' in some cases.
<indexterm><primary>wins.dat</primary></indexterm>
<indexterm><primary>browse.dat</primary></indexterm>
<indexterm><primary>resolution</primary></indexterm>
Following a change of hostname (netbios name) it is a good idea on all servers to
shutdown the Samba <command>smbd, nmbd</command> and <command>winbindd</command>
services, delete the <filename>wins.dat</filename> and <filename>browse.dat</filename>
files, then restart Samba. This will ensure that the old name and IP address
information is no longer able to interfere with name to IP address resolution.
If this is not done, there can be temporary name resolution problems. These
problems usually clear within 45 minutes of a name change, but can persist for
a longer period of time.
Following a change of hostname (NetBIOS name) it is a good idea on all servers
to shut down the Samba <command>smbd</command>, <command>nmbd</command>, and
<command>winbindd</command> services, delete the <filename>wins.dat</filename>
and <filename>browse.dat</filename> files, then restart Samba. This will ensure
that the old name and IP address information is no longer able to interfere with
name to IP address resolution. If this is not done, there can be temporary name
resolution problems. These problems usually clear within 45 minutes of a name
change, but can persist for a longer period of time.
</para>
<para>
@ -1084,12 +1087,13 @@ back to searching the 'ldap suffix' in some cases.
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/shadow</primary></indexterm>
<indexterm><primary>/etc/group</primary></indexterm>
If the old DMS had local accounts, it is necessary to create on the new DMS
the same accounts with the same UID and GID for each account. Where the
<parameter>passdb backend</parameter> database is stored in the <constant>smbpasswd</constant>
or in the <constant>tdbsam</constant> format the user and group account
information for UNIX accounts, that match the Samba accounts, will reside in
the system <filename>/etc/passwd, /etc/shadow</filename> and
If the old domain member server had local accounts, it is necessary to create
on the new domain member server the same accounts with the same UID and GID
for each account. Where the <parameter>passdb backend</parameter> database
is stored in the <constant>smbpasswd</constant> or in the
<constant>tdbsam</constant> format, the user and group account information
for UNIX accounts that match the Samba accounts will reside in the system
<filename>/etc/passwd, /etc/shadow</filename>, and
<filename>/etc/group</filename> files. In this case be sure to copy these
account entries to the new target server.
</para>
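Review bot: The markup for the system files puts two paths in one element, "<filename>/etc/passwd, /etc/shadow</filename>, and"; for consistency with the earlier hunk that split the command list into one <command> per tool, use one element per file: "<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and <filename>/etc/group</filename>". The added comma after "format" and the long-form "domain member server" are fine.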
@ -1098,7 +1102,7 @@ back to searching the 'ldap suffix' in some cases.
<indexterm><primary>nss_ldap</primary></indexterm>
Where the user accounts for both UNIX and Samba are stored in LDAP, the new
target server must be configured to use the <command>nss_ldap</command> tool set.
This will then automatically ensure that the appropriate user entities are
This will automatically ensure that the appropriate user entities are
available on the new server.
</para>
@ -1109,8 +1113,8 @@ back to searching the 'ldap suffix' in some cases.
<para>
<indexterm><primary>domain</primary><secondary>controller</secondary></indexterm>
In the past, people who replaced a Windows NT4 domain controller would typically
install a new server, create printers and file shares on it, then migrate across
In the past, people who replaced a Windows NT4 domain controller typically
installed a new server, created printers and file shares on it, then migrate across
all data that was destined to reside on it. The same can of course be done with
Samba.
</para>
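Review bot: The tense change is incomplete: "installed a new server, created printers and file shares on it, then migrate across" mixes past and present. Suggest "then migrated across all data that was destined to reside on it."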
@ -1119,22 +1123,22 @@ back to searching the 'ldap suffix' in some cases.
From recent mailing list postings it would seem that some administrators
have the intent to just replace the old Samba server with a new one with
the same name as the old one. In this case, simply follow the same process
as upgrading a Samba 2.x system in respect of the following:
as for upgrading a Samba 2.x system and do the following:
</para>
<itemizedlist>
<listitem><para>
Where UNIX (POSIX) user and group accounts are stored in the system
<filename>/etc/passwd, /etc/shadow</filename> and
<filename>/etc/group</filename> files be sure to add the same accounts
<filename>/etc/passwd, /etc/shadow</filename>, and
<filename>/etc/group</filename> files, be sure to add the same accounts
with identical UID and GID values for each user.
</para>
<para>
Where LDAP is used, if the new system is intended to be the LDAP server
Where LDAP is used, if the new system is intended to be the LDAP server,
migrate it across by configuring the LDAP server
(<filename>/etc/openldap/slapd.conf</filename>). The directory can either
be populated initially by setting this LDAP server up as a slave, or else
(<filename>/etc/openldap/slapd.conf</filename>). The directory can
be populated either initially by setting this LDAP server up as a slave or
by dumping the data from the old LDAP server using the <command>slapcat</command>
command and then reloading the same data into the new LDAP server using the
<command>slapadd</command> command. Do not forget to install and configure
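Review bot: The slapcat/slapadd step lacks a note that the dump is a full copy of the directory, including the Samba and POSIX account entries this paragraph is about, so the text should tell the reader to create the LDIF with restrictive permissions and remove it once slapadd has loaded it on the new server. Two wording points on the same lines: "The directory can be populated either initially by setting this LDAP server up as a slave or by dumping" reads better as "The directory can be populated initially either by setting this LDAP server up as a slave or by dumping", and "<filename>/etc/passwd, /etc/shadow</filename>, and" should be split into one <filename> element per path, as was done for the command list earlier in this patch.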
@ -1156,7 +1160,7 @@ back to searching the 'ldap suffix' in some cases.
<listitem><para>
Before starting the Samba daemons, verify that the hostname of the new server
is identical with that of the old one. Note: The IP address can be different
is identical to that of the old one. Note: The IP address can be different
from that of the old server.
</para></listitem>
@ -1175,11 +1179,11 @@ back to searching the 'ldap suffix' in some cases.
</para>
<para>
All Samba servers, other than one that uses LDAP, depend on the tdb files, and in
particular the <filename>secrets.tdb</filename> file. So long as the tdb files are
All Samba servers, other than one that uses LDAP, depend on the tdb files, and
particularly on the <filename>secrets.tdb</filename> file. So long as the tdb files are
all in place, the &smb.conf; file is preserved, and either the hostname is identical
or the <parameter>netbios name</parameter> is set to the original server name, Samba
should correctly pick up the original SID, and preserve all other settings. It is
should correctly pick up the original SID and preserve all other settings. It is
sound advice to validate this before turning the system over to users.
</para>
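Review bot: "It is sound advice to validate this before turning the system over to users" does not say how to validate it; since the paragraph states that the original SID is picked up from secrets.tdb, suggest naming the check, for example comparing the output of "net getlocalsid" on the new server with that recorded from the old one, and noting that secrets.tdb must be copied with its original root-only permissions because it also holds the machine trust account secret. "particularly on the secrets.tdb file" is a good rewording of the old line.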
@ -1208,7 +1212,7 @@ back to searching the 'ldap suffix' in some cases.
<step><para>
In the Advanced/DNS section of the TCP/IP settings on your Windows
workstations, make sure <parameter>DNS suffix for this
workstations, make sure the <parameter>DNS suffix for this
connection</parameter> field is blank.
</para></step>
@ -1234,7 +1238,7 @@ back to searching the 'ldap suffix' in some cases.
and satisfy all errors before committing the migration. Note that the
test will always fail, because the machine will not have been actually
migrated. You'll need to interpret the errors to know whether the
failure was due to a problem, or simply due to the fact that it was just
failure was due to a problem or simply to the fact that it was just
a test.
</para></step>
@ -1249,7 +1253,7 @@ back to searching the 'ldap suffix' in some cases.
<itemizedlist>
<listitem><para>
You can also migrate workstations remotely. You can specify that SIDs
You can migrate workstations remotely. You can specify that SIDs
be simply added instead of replaced, giving you the option of joining a
workstation back to the old domain if something goes awry. The
workstations will be joined to the new domain.
@ -1271,7 +1275,7 @@ back to searching the 'ldap suffix' in some cases.
The ADMT lets you test all operations before actually performing the
migration. Accounts and workstations can be migrated individually or in
batches. User accounts can be safely migrated all at once (since no
changes are made on the original domain); It is recommended to migrate only one
changes are made on the original domain). It is recommended to migrate only one
or two workstations as a test before committing them all.
</para></listitem>

View File

@ -41,7 +41,7 @@
<acronym>CUPS</acronym>
<glossdef><para>
A recent implementation of a high-capability printing system for UNIX developed by
<ulink url="http://www.easysw.com/">Easy Software Inc.</ulink> The design objective
<ulink url="http://www.easysw.com/">Easy Software Inc.</ulink>. The design objective
of CUPS was to provide a rich print processing system that has built-in intelligence
that is capable of correctly rendering (processing) a file that is submitted for
printing even if it was formatted for an entirely different printer.
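Review bot: Adding a period after "</ulink>" produces "Easy Software Inc.." in the rendered text, because the link text already ends with "Inc.". Either drop the added period or move it inside the link text so that only one full stop appears; the old line had the opposite problem (no sentence break at all), so a single period is the fix.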
@ -65,7 +65,7 @@
A protocol by which computer hostnames may be resolved to the matching IP address/es.
DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version
of DNS that allows dynamic name registration by network clients or by a DHCP server.
This recent protocol is known as Dynamic DNS (DDNS).
This recent protocol is known as dynamic DNS (DDNS).
</para></glossdef>
</glossentry>
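Review bot: The unchanged line "DNS is implemented by the Berkeley Internet Name Daemon" overstates it; BIND is one implementation of DNS, not the protocol itself. Suggest "DNS is most commonly implemented by the Berkeley Internet Name Daemon (BIND)". Also "IP address/es" would read better as "IP address or addresses". The lowercase "dynamic DNS" is consistent with the DHCP entry below.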
@ -76,7 +76,7 @@
A protocol that was based on the BOOTP protocol that may be used to dynamically assign
an IP address, from a reserved pool of addresses, to a network client or device.
Additionally, DHCP may assign all network configuration settings and may be used to
register a computer name and its address with a Dynamic DNS server.
register a computer name and its address with a dynamic DNS server.
</para></glossdef>
</glossentry>
@ -84,9 +84,9 @@
<glossterm>Ethereal</glossterm>
<acronym>ethereal</acronym>
<glossdef><para>
A network analyzer, also known as: a network sniffer or a protocol analyzer. Ethereal is
A network analyzer, also known as a network sniffer or a protocol analyzer. Ethereal is
freely available for UNIX/Linux and Microsoft Windows systems from
<ulink url="http://www.ethereal.com">the Ethereal Web site.</ulink>
<ulink url="http://www.ethereal.com">the Ethereal Web site</ulink>.
</para></glossdef>
</glossentry>
@ -94,9 +94,9 @@
<glossterm>Group IDentifier</glossterm>
<acronym>GID</acronym>
<glossdef><para>
The UNIX system Group Identifier; on older systems, a 32-bit unsigned integer, and on
The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on
newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems
for all group level access control.
for all group-level access control.
</para></glossdef>
</glossentry>
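Review bot: The unchanged claim that newer systems use "an unsigned 64-bit integer" for the GID does not match common platforms: gid_t is a 32-bit unsigned integer on Linux (glibc) and the BSDs, while it is older systems that used 16 bits. Unless a specific platform is meant (in which case name it), suggest "on older systems, a 16-bit unsigned integer, and on newer systems, a 32-bit unsigned integer". The same wording appears in the UID entry and should be changed together with it.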
@ -111,24 +111,24 @@
</glossentry>
<glossentry>
<glossterm>Light Weight Directory Access Protocol</glossterm>
<glossterm>Lightweight Directory Access Protocol</glossterm>
<acronym>LDAP</acronym>
<glossdef>
<para>
The Light Weight Directory Access Protocol is a technology that
The Lightweight Directory Access Protocol is a technology that
originated from the development of X.500 protocol specifications and
implementations. LDAP was designed as a means of rapidly searching
through X.500 information. Later LDAP was adapted as an engine that
could drive its own directory database. LDAP is not a database per
se; rather it is a technology that enables high volume search and
se; rather it is a technology that enables high-volume search and
locate activity from clients that wish to obtain simply defined
information about a sub-set of records that are stored in a
information about a subset of records that are stored in a
database. LDAP does not have a particularly efficient mechanism for
storing records in the database, and it has no concept of transaction
processing nor of mechanisms for preserving data consistency. LDAP is
premised around the notion that the search and read activity far
outweigh any need to add, delete, or modify records. LDAP does
provide a means for replication of the database so as to keep slave
provide a means for replication of the database to keep slave
servers up to date with a master. It also has built-in capability to
handle external references and deferral.
</para></glossdef>
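Review bot: Subject and verb disagree on the unchanged line "the search and read activity far outweigh any need"; "activity" is singular, so "far outweighs". On the preceding lines, "it has no concept of transaction processing nor of mechanisms for preserving data consistency" reads better as "it has no concept of transaction processing and no mechanism for preserving data consistency". The "high-volume" and "subset" fixes are correct.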
@ -147,7 +147,7 @@
<glossterm>Media Access Control</glossterm>
<acronym>MAC</acronym>
<glossdef><para>
The hard-coded address of the physical layer device that is attached to the network.
The hard-coded address of the physical-layer device that is attached to the network.
All network interface controllers must have a hard-coded and unique MAC address. The
MAC address is 48 bits long.
</para></glossdef>
@ -158,7 +158,7 @@
<acronym>NetBEUI</acronym>
<glossdef><para>
Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS
over ethernet with low overhead. NetBEUI is a non-routable protocol.
over Ethernet with low overhead. NetBEUI is a non-routable protocol.
</para></glossdef>
</glossentry>
@ -180,7 +180,7 @@
NetBIOS is a simple application programming interface (API) invented in the 1980s
that allows programs to send data to certain network names. NetBIOS is always run over
another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC).
NetBIOS run over LLC is best known as NetBEUI (The NetBIOS Extended User Interface
NetBIOS run over LLC is best known as NetBEUI (the NetBIOS Extended User Interface
&smbmdash; a complete misnomer!).
</para></glossdef>
</glossentry>
@ -231,7 +231,7 @@
<acronym>TOSHARG</acronym>
<glossdef><para>
This book makes repeated reference to <quote>The Official Samba-3 HOWTO and Reference Guide</quote>
by John H. Terpstra (Author) and Jelmer R. Vernooij (Author). This publication is available from
by John H. Terpstra and Jelmer R. Vernooij. This publication is available from
Amazon.com. Publisher: Prentice Hall PTR (October 2003),
ISBN: 0131453556.
</para></glossdef>
@ -241,8 +241,8 @@
<glossterm>User IDentifier</glossterm>
<acronym>UID</acronym>
<glossdef><para>
The UNIX system User Identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user level access
The UNIX system user identifier; on older systems, a 32-bit unsigned integer, and on newer systems,
an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access
control.
</para></glossdef>
</glossentry>
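Review bot: As with the GID entry, "on newer systems, an unsigned 64-bit integer" is not what common UNIX-like systems use for the UID; uid_t is 32 bits on Linux and the BSDs, and 16 bits on older systems. Suggest "on older systems, a 16-bit unsigned integer, and on newer systems, a 32-bit unsigned integer", or name the platform the 64-bit figure refers to. The hyphenation of "user-level" is correct.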