From 118a2b639ac4ddca46b640c90e0717e5b4c7428c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 25 May 2005 21:40:55 +0000 Subject: [PATCH] Another copy edit update. (This used to be commit 7d998a020d8de890bdefc6b9312d26001f3ab7eb) --- docs/Samba-Guide/SBE-2000UserNetwork.xml | 86 ++- docs/Samba-Guide/SBE-500UserNetwork.xml | 16 +- docs/Samba-Guide/SBE-AddingUNIXClients.xml | 492 ++++++++------- docs/Samba-Guide/SBE-Appendix1.xml | 283 ++++----- docs/Samba-Guide/SBE-Appendix2.xml | 205 +++---- docs/Samba-Guide/SBE-DomainAppsSupport.xml | 649 +++++++------------- docs/Samba-Guide/SBE-HighAvailability.xml | 492 ++++++--------- docs/Samba-Guide/SBE-KerberosFastStart.xml | 260 ++++---- docs/Samba-Guide/SBE-MakingHappyUsers.xml | 6 +- docs/Samba-Guide/SBE-MigrateNT4Samba3.xml | 213 ++++--- docs/Samba-Guide/SBE-MigrateNW4Samba3.xml | 260 ++++---- docs/Samba-Guide/SBE-SecureOfficeServer.xml | 18 +- docs/Samba-Guide/SBE-TheSmallOffice.xml | 6 +- docs/Samba-Guide/SBE-UpgradingSamba.xml | 300 ++++----- docs/Samba-Guide/SBE-glossary.xml | 36 +- 15 files changed, 1493 insertions(+), 1829 deletions(-) diff --git a/docs/Samba-Guide/SBE-2000UserNetwork.xml b/docs/Samba-Guide/SBE-2000UserNetwork.xml index 6554a9fdc92..3418be75207 100644 --- a/docs/Samba-Guide/SBE-2000UserNetwork.xml +++ b/docs/Samba-Guide/SBE-2000UserNetwork.xml @@ -69,7 +69,7 @@ without impediment. Starting with the configuration files for the server called - MASSIVE in Chapter 5, you now deal with the + MASSIVE in , you now deal with the issues that are particular to large distributed networks. Your task is simple &smbmdash; identify the challenges, consider the alternatives, and then design and implement a solution. 
@@ -293,7 +293,7 @@ productivity. logon traffic redirected folders One way to reduce the network bandwidth impact of user logon - traffic is through folder redirection. In Chapter 5, you + traffic is through folder redirection. In , you implemented this in the new Windows XP Professional standard desktop configuration. When desktop folders such as My Documents are redirected to a network drive, they should 
@@ -500,46 +500,39 @@ productivity. and a number of LDAP implementations. - - multiple directories - - The problem of managing multiple directories has become a focal - point over the past decade, creating a large market for - metadirectory products and services that allow organizations that - have multiple directories and multiple management and control - centers to provision information from one directory into - another. The attendant benefit to end users is the promise of - having to remember and deal with fewer login identities and - passwords. + + multiple directories + The problem of managing multiple directories has become a focal + point over the past decade, creating a large market for + metadirectory products and services that allow organizations that + have multiple directories and multiple management and control + centers to provision information from one directory into + another. The attendant benefit to end users is the promise of + having to remember and deal with fewer login identities and + passwords. - - network - bandwidth - - The challenge of every large network is to find the optimum - balance of internal systems and facilities for Identity - Management resources. How well the solution is chosen and - implemented has potentially significant impact on network bandwidth - and systems response needs. + + networkbandwidth + The challenge of every large network is to find the optimum + balance of internal systems and facilities for Identity + Management resources. How well the solution is chosen and + implemented has potentially significant impact on network bandwidth + and systems response needs. - - LDAP server - - LDAP - master - - LDAP - slave - - In Chapter 5, you implemented a single LDAP server for the - entire network. This may work for smaller networks, but almost - certainly fails to meet the needs of large and complex networks. 
The - following section documents how you may implement a single - master LDAP server with multiple slave servers. + + LDAP server + LDAPmaster + LDAPslave + In , you implemented a single LDAP server for the + entire network. This may work for smaller networks, but almost + certainly fails to meet the needs of large and complex networks. The + following section documents how you may implement a single + master LDAP server with multiple slave servers. - What is the best method for implementing master/slave LDAP - servers within the context of a distributed 2,000-user network is a - question that remains to be answered. + + What is the best method for implementing master/slave LDAP + servers within the context of a distributed 2,000-user network is a + question that remains to be answered. distributed domain @@ -783,7 +776,7 @@ passdb backend = ldapsam:ldap://master.abmas.biz \ It is assumed that the network you are working with follows in a - pattern similar to what was covered in Chapter 5. The following steps + pattern similar to what was covered in . The following steps permit the operation of a master/slave OpenLDAP arrangement. @@ -924,7 +917,7 @@ added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013) smbldap-useradd On the master LDAP server you may now add an account to validate that replication - is working. Assuming the configuration shown in Chapter 5, execute: + is working. Assuming the configuration shown in , execute: &rootprompt; /var/lib/samba/sbin/smbldap-useradd -a fruitloop 
@@ -1454,13 +1447,14 @@ DHCP traffic: 300 (clients) x 6 (packets) - Desktop folders such as Desktop, My Documents, My Pictures, My Music, Internet Files, - Cookies, Application Data, Local Settings, and more. See Chapter 5, . + Desktop folders such as Desktop, My Documents, + My Pictures, My Music, Internet Files, + Cookies, Application Data, + Local Settings, and more. See , . - - folder redirection - + + folder redirection Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See for more information regarding folder redirection. diff --git a/docs/Samba-Guide/SBE-500UserNetwork.xml b/docs/Samba-Guide/SBE-500UserNetwork.xml index 1e8116c6443..819f6ceb0c4 100644 --- a/docs/Samba-Guide/SBE-500UserNetwork.xml +++ b/docs/Samba-Guide/SBE-500UserNetwork.xml @@ -293,7 +293,7 @@ domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in - Chapter 5. + . @@ -594,7 +594,7 @@ root = Administrator Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is - located in. Example configuration files for similar zones were presented in Chapter 3, + located in. Example configuration files for similar zones were presented in , and . @@ -867,7 +867,7 @@ Added user username. Your server is ready for validation testing. Do not proceed with the steps in until after the operation of the server has been - validated following the same methods as outlined in Chapter 3, . + validated following the same methods as outlined in , . 
@@ -1084,7 +1084,7 @@ hosts: files dns wins Server: MASSIVE, File: dhcpd.conf -# Abmas Accounting Inc. - Chapter 5/MASSIVE +# Abmas Accounting Inc. default-lease-time 86400; max-lease-time 172800; @@ -1127,7 +1127,7 @@ subnet 123.45.67.64 netmask 255.255.255.252 { Server: BLDG1, File: dhcpd.conf -# Abmas Accounting Inc. - Chapter 5/BLDG1 +# Abmas Accounting Inc. default-lease-time 86400; max-lease-time 172800; @@ -1162,7 +1162,7 @@ subnet 127.0.0.0 netmask 255.0.0.0 { Server: BLDG2, File: dhcpd.conf -# Abmas Accounting Inc. - Chapter 5/BLDG1 +# Abmas Accounting Inc. default-lease-time 86400; max-lease-time 172800; @@ -1720,8 +1720,8 @@ net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d The network you have just deployed has been a valuable exercise in forced constraint. You have deployed a network that works well, although you may soon start to see - performance problems, at which time the modifications demonstrated in - Chapter 5 bring the network to life. The following key learning points were experienced: + performance problems, at which time the modifications demonstrated in + bring the network to life. The following key learning points were experienced: diff --git a/docs/Samba-Guide/SBE-AddingUNIXClients.xml b/docs/Samba-Guide/SBE-AddingUNIXClients.xml index 8c8210f1bb6..c5a6b4349b6 100644 --- a/docs/Samba-Guide/SBE-AddingUNIXClients.xml +++ b/docs/Samba-Guide/SBE-AddingUNIXClients.xml 
@@ -8,11 +8,11 @@ survey - The most frequently discussed Samba subjects over the past two years have focused around Domain Control and printing. - It is well known that Samba is a file and print server. A recent survey conducted by Open Magazine found - that of all respondents: 97% use Samba for file and print services, and 68% use Samba for Domain Control. See the + The most frequently discussed Samba subjects over the past 2 years have focused around domain control and printing. + It is well known that Samba is a file and print server. A recent survey conducted by Open Magazine found + that of all respondents, 97 percent use Samba for file and print services, and 68 percent use Samba for Domain Control. See the Open-Mag - Web site for current information. The survey results as found on January 14, 2004, as shown in + Web site for current information. The survey results as found on January 14, 2004, are shown in . @@ -22,11 +22,11 @@ - While Domain Control is an exciting subject, basic file and print sharing remains the staple bread-and-butter + While domain control is an exciting subject, basic file and print sharing remains the staple bread-and-butter function that Samba provides. Yet this book may give the appearance of having focused too much on more exciting aspects of Samba deployment. This chapter directs your attention to provide important information on the addition of Samba servers into your present Windows network &smbmdash; whatever the controlling technology - may be. So let's get back to Abmas and our good friends Bob Jordan and company. + may be. So let's get back to our good friends at Abmas. 
@@ -38,9 +38,9 @@ Domain Member server - Bob Jordan looks back over the achievements of the past year or two. Daily events are rather straightforward - with not too many distractions or problems. Bob, your team is doing well, but a number of employees - are asking for Linux desktop systems. Your network has grown and demands additional Domain Member servers. Let's + Looking back over the achievements of the past year or two, daily events at Abmas are rather straightforward + with not too many distractions or problems. Your team is doing well, but a number of employees + are asking for Linux desktop systems. Your network has grown and demands additional domain member servers. Let's get on with this; Christine and Stan are ready to go. @@ -48,10 +48,9 @@ Domain Member desktop - Stan Soroka is firmly in control of the Department of the Future, while Christine is enjoying a stable and + Stan is firmly in control of the department of the future, while Christine is enjoying a stable and predictable network environment. It is time to add more servers and to add Linux desktops. It is - time to meet the demands of future growth and endure trial by fire. Go on, walk the steps - with Stan and Company. + time to meet the demands of future growth and endure trial by fire. 
@@ -60,14 +59,14 @@ Active Directory - You must now add UNIX/Linux Domain Member servers to your network. You have a friend who has a Windows 2003 - Active Directory Domain network who wants to add a Samba/Linux server and has asked Christine to help him + You must now add UNIX/Linux domain member servers to your network. You have a friend who has a Windows 2003 + Active Directory domain network who wants to add a Samba/Linux server and has asked Christine to help him out. Your real objective is to help Christine to see more of the way the Microsoft world lives and use her help to get validation that Samba really does live up to expectations. - Over the past six months, you have hired several new staff who want Linux on their desktops. You must integrate + Over the past 6 months, you have hired several new staff who want Linux on their desktops. You must integrate these systems to make sure that Abmas is not building islands of technology. You ask Christine to do likewise at Swodniw Biz NL (your friend's company) to help them to evaluate a Linux desktop. You want to make the right decision, don't you? @@ -82,7 +81,7 @@ winbind - Recent Samba mailing list activity is witness to how many sites are using winbind. Some have no trouble + Recent Samba mailing-list activity is witness to how many sites are using winbind. Some have no trouble at all with it, yet to others the problems seem insurmountable. Periodically there are complaints concerning an inability to achieve identical user and group IDs between Windows and UNIX environments. @@ -98,8 +97,8 @@ One of the great challenges we face when people ask us, What is the best way to solve - this problem? is to get beyond the facts so we can not only clearly comprehend - the immediate technical problem, but also understand how needs may change. + this problem? is to get beyond the facts so we not only can clearly comprehend + the immediate technical problem, but also can understand how needs may change. 
@@ -122,7 +121,7 @@ BDC - A Domain Controller (PDC or BDC) is always authoritative for all accounts in its Domain. + A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain. This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs to the same values that the PDC resolved them to. @@ -138,15 +137,15 @@ winbindd - A Domain Member can be authoritative for local accounts, but is never authoritative for - Domain accounts. If a user is accessing a Domain Member server and that user's account - is not known locally, the Domain Member server must resolve the identity of that user - from the Domain in which that user's account resides. It must then map that ID to a + A domain member can be authoritative for local accounts, but is never authoritative for + domain accounts. If a user is accessing a domain member server and that user's account + is not known locally, the domain member server must resolve the identity of that user + from the domain in which that user's account resides. It must then map that ID to a UID/GID pair that it can use locally. This is handled by winbindd. - Samba, when running on a Domain Member server, can resolve user identities from a + Samba, when running on a domain member server, can resolve user identities from a number of sources: @@ -188,7 +187,7 @@ winbindd_cache.tdb Directly by querying winbindd. The winbindd - contact a Domain Controller to attempt to resolve the identity of the user or group. It + contacts a domain controller to attempt to resolve the identity of the user or group. It receives the Windows networking security identifier (SID) for that appropriate account and then allocates a local UID or GID from the range of available IDs and creates an entry in its winbindd_idmap.tdb and 
@@ -203,19 +202,19 @@ If the parameter ldap:ldap://myserver.domain was specified and the LDAP server has been configured with a container in which it may - store the IDMAP entries, all Domain Members may share a common mapping. + store the IDMAP entries, all domain members may share a common mapping. Irrespective of how &smb.conf; is configured, winbind creates and caches a local copy of - the ID mapping database. It uses the winbindd_idmap.tdb, and + the ID mapping database. It uses the winbindd_idmap.tdb and winbindd_cache.tdb files to do this. - Which of the above resolver methods is chosen is determined by the way that Samba is configured + Which of the resolver methods is chosen is determined by the way that Samba is configured in the &smb.conf; file. Some of the configuration options are rather less than obvious to the casual user. @@ -229,10 +228,10 @@ Domain Controllers If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable - of being resolved using) the name service switch (NSS) facility, it is imperative to use the + of being resolved using) the NSS facility, it is imperative to use the Yes - in the &smb.conf; file. This parameter specifically applies only to Domain Controllers, - not to Domain Member servers. + in the &smb.conf; file. This parameter specifically applies only to domain controllers, + not to domain member servers. @@ -244,7 +243,7 @@ LDAP For many administrators, it should be plain that the use of an LDAP-based repository for all network - accounts (both for Posix accounts as well as for Samba accounts) provides the most elegant and + accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and controllable facility. You eventually appreciate the decision to use LDAP. 
@@ -257,7 +256,7 @@ If your network account information resides in an LDAP repository, you should use it ahead of any alternative method. This means that if it is humanly possible to use the nss_ldap - tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, as it provides + tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides a more readily controllable method for asserting the exact same user and group identifiers throughout the network. @@ -276,12 +275,12 @@ External Domains - In the situation where UNIX accounts are held on the Domain Member server itself, the only effective + In the situation where UNIX accounts are held on the domain member server itself, the only effective way to use them involves the &smb.conf; entry Yes. This forces Samba (smbd) to perform a getpwnam() system call that can then be controlled via /etc/nsswitch.conf file settings. The use of this parameter - disables the use of Samba with Trusted Domains (i.e., External Domains). + disables the use of Samba with trusted domains (i.e., external domains). 
@@ -294,11 +293,11 @@ automatically allocate - Winbind can be used to create an appliance mode Domain Member server. In this capacity, winbindd + Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation - is made for all accounts that connect to that Domain Member server, whether within its own Domain or from - Trusted Domains. If not stored in an LDAP backend, each Domain Member maintains its own unique mapping database. - This means that it is almost certain that a given user who accesses two Domain Member servers does not have the + is made for all accounts that connect to that domain member server, whether within its own domain or from + trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database. + This means that it is almost certain that a given user who accesses two domain member servers does not have the same UID/GID on both servers &smbmdash; however, this is transparent to the Windows network user. This data is stored in the winbindd_idmap.tdb and winbindd_cache.tdb files. @@ -306,10 +305,10 @@ mapping - The use of an LDAP backend for the Winbind IDMAP facility permits Windows Domain security identifiers (SIDs) - mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all Domain Member + The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs + mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member servers so configured. This solves one of the major headaches for network administrators who need to copy - files between/across network file servers. + files between or across network file servers. 
@@ -327,7 +326,7 @@ identity management - One of the most fierce conflicts recently being waged is one of resistance to the adoption of LDAP, in + One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP is different and requires a new approach to the need for a better identity management solution. The more you work with LDAP, the more its power and flexibility emerges from its dark, cavernous chasm. @@ -335,10 +334,10 @@ LDAP is a most suitable solution for heterogenous environments. If you need crypto, add Kerberos. - The reason these are preferable is because they are heterogenous. Windows solutions of this sort are NOT + The reason these are preferable is because they are heterogenous. Windows solutions of this sort are not heterogenous by design. This is fundamental &smbmdash; it isn't religious or political. This also doesn't say that you can't use Windows Active Directory in a heterogenous environment &smbmdash; it can be done, it just requires - commercial integration products &smbmdash; it's just not what Active Directory was designed for. + commercial integration products. But it's not what Active Directory was designed for. @@ -348,7 +347,7 @@ A number of long-term UNIX devotees have recently commented in various communications that the Samba Team is the first application group to almost force network administrators to use LDAP. It should be pointed - out that we resisted this as long as we could. It is not out of laziness or out of malice that LDAP has + out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has finally emerged as the preferred identity management backend for Samba. We recommend LDAP for your total organizational directory needs. 
@@ -369,17 +368,17 @@ Domain Controller - The Domain Member server and the Domain Member client are at the center of focus in this chapter. - Configuration of Samba-3 Domain Controller has been covered in earlier chapters, so if your - interest is in Domain Controller configuration, you will not find that here. You will find good - oil that helps you to add Domain Member servers and clients. + The domain Member server and the domain member client are at the center of focus in this chapter. + Configuration of Samba-3 domain controller is covered in earlier chapters, so if your + interest is in domain controller configuration, you will not find that here. You will find good + oil that helps you to add domain member servers and clients. Domain Member workstations - In practice, Domain Member servers and Domain Member workstations are very different entities, but in + In practice, domain member servers and domain member workstations are very different entities, but in terms of technology they share similar core infrastructure. A technologist would argue that servers and workstations are identical. Many users would argue otherwise, given that in a well-disciplined environment a workstation (client) is a device from which a user creates documents and files that @@ -390,9 +389,9 @@ workstation - One can look at this another way. If a workstation breaks down, one user is affected, but if a + We can look at this another way. If a workstation breaks down, one user is affected, but if a server breaks down, hundreds of users may not be able to work. The services that a workstation - must provide are document and file production oriented; a server provides information storage + must provide are document- and file-production oriented; a server provides information storage and is distribution oriented. 
@@ -403,7 +402,7 @@ user identities - Why is this important? &smbmdash; For starters, we must identify what + Why is this important? For starters, we must identify what components of the operating system and its environment must be configured. Also, it is necessary to recognize where the interdependencies between the various services to be used are. In particular, it is important to understand the operation of each critical part of the @@ -413,7 +412,7 @@ - So, while here we demonstrate how to implement the technology. It is done within a context of + So, in this chapter we demonstrate how to implement the technology. It is done within a context of what type of service need must be fulfilled. @@ -435,13 +434,13 @@ foreign SID In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using - an LDAP ldapsam backend. In this example, we are adding to the LDAP backend database (directory) + an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) containers for use by the IDMAP facility. This makes it possible to have globally consistent - mapping of SIDs to/from UIDs/GIDs. This means that you are running winbindd + mapping of SIDs to and from UIDs and GIDs. This means that you are running winbindd as part of your configuration. The primary purpose of running winbindd (within this operational context) is to permit mapping of foreign SIDs (those not originating from our - own Domain). Foreign SIDs can come from any external Domain or from Windows clients that do not - belong to a Domain. + own domain). Foreign SIDs can come from any external domain or from Windows clients that do not + belong to a domain. @@ -454,7 +453,7 @@ If your installation is accessed only from clients that are members of your own domain, then it is not necessary to run winbindd as long as all users can be resolved locally via the getpwnam() system call. On NSS-enabled systems, this condition - is met by having: + is met by having 
@@ -486,8 +485,8 @@ PADL Software Resolution via NSS. On NSS-enabled systems, there is usually a facility to resolve IDs - via multiple methods. The methods typically include: files, compat, db, ldap, - nis, nisplus, hesiod. When correctly installed, Samba adds to this list + via multiple methods. The methods typically include files, compat, db, ldap, + nis, nisplus, hesiod. When correctly installed, Samba adds to this list the winbindd facility. The ldap facility is frequently the nss_ldap tool provided by PADL Software. @@ -496,9 +495,9 @@ Identity resolution - The diagram in demonstrates the relationship of samba and system - components that are involved in the Identity resolution process where Samba is used as a Domain - Member server within a Samba Domain Control network. + The diagram in demonstrates the relationship of Samba and system + components that are involved in the identity resolution process where Samba is used as a domain + member server within a Samba domain control network. 
@@ -513,14 +512,14 @@ In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam to obtain authentication and user identity information. The IDMAP information is stored in the LDAP - backend so that it can be shared by all Domain Member servers so that every user will have a + backend so that it can be shared by all domain member servers so that every user will have a consistent UID and GID across all of them. The IDMAP facility will be used for all foreign - (i.e., not having the same SID as the Domain it is a member of) Domains. The configuration of - NSS will ensure that all unix processes will obtain a consistent UID/GID. + (i.e., not having the same SID as the domain it is a member of) domains. The configuration of + NSS will ensure that all UNIX processes will obtain a consistent UID/GID. - The instructions given here apply to the Samba environment as shown in Chapters 6 and 7. + The instructions given here apply to the Samba environment shown in and . If the network does not have an LDAP slave server (i.e., configuration), change the target LDAP server from lapdc to massive. @@ -552,7 +551,7 @@ - Configure the name service switch (NSS) control file so it matches the one shown + Configure the NSS control file so it matches the one shown in . @@ -561,7 +560,7 @@ getent - Before proceeding to configure Samba, validate the operation of the NSS Identity + Before proceeding to configure Samba, validate the operation of the NSS identity resolution via LDAP by executing: &rootprompt; getent passwd 
@@ -580,10 +579,10 @@ fran$:x:1008:553:fran$:/dev/null:/bin/false josephj:x:1007:513:Joseph James:/home/josephj:/bin/bash You should notice the location of the users' home directories. First, make certain that - the home directories exist on the Domain Member server; otherwise, the home directory + the home directories exist on the domain member server; otherwise, the home directory share is not available. The home directories could be mounted off a domain controller - using NFS, or by any other suitable means. Second, the absence of the Domain name in the - home directory path is indicative that Identity resolution is not being done via Winbind. + using NFS or by any other suitable means. Second, the absence of the domain name in the + home directory path is indicative that identity resolution is not being done via winbind. &rootprompt; getent group ... @@ -602,11 +601,11 @@ sammy:x:4321: group membership - This shows that all is working as it should. Notice that in the LDAP database + This shows that all is working as it should be. Notice that in the LDAP database the users' primary and secondary group memberships are identical. It is not necessary to add secondary group memberships (in the group database) if the user is already a member via primary group membership in the password database. - When using winbind, it is in fact undesirable to do this as it results in + When using winbind, it is in fact undesirable to do this because it results in doubling up of group memberships and may break winbind under certain conditions. @@ -640,12 +639,12 @@ ou: idmap Domain join - The system is ready to join the Domain. Execute the following: + The system is ready to join the domain. Execute the following: &rootprompt; net rpc join -U root%not24get Joined domain MEGANET2. - This indicates that the Domain join succeeded. + This indicates that the domain join succeeded. 
@@ -655,7 +654,7 @@ Joined domain MEGANET2. - Broken resolution of netbios names to the respective IP address. + Broken resolution of NetBIOS names to the respective IP address. Incorrect username and password credentials. The NT4 restrict anonymous is set to exclude anonymous connections. @@ -671,9 +670,9 @@ Joined domain MEGANET2. failed join rejected restrict anonymous - Note: Use 'root' for UNIX/Linux and Samba, use 'Administrator' for Windows NT4/200X. If the cause of - the failure appears to be related to a rejected or failed 'NT_SESSION_SETUP*' or an error message that - says 'NT_STATUS_ACCESS_DENIED' immediately check the Windows registry setting that controls the + Note: Use "root" for UNIX/Linux and Samba, use "Administrator"for Windows NT4/200X. If the cause of + the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that + says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the restrict anonymous setting. Set this to the value 0 so that an anonymous connection can be sustained, then try again. @@ -693,8 +692,8 @@ Num local groups: 8 &rootprompt; net rpc testjoin -S 'pdc-name' -U Administrator%not24get Join to 'MEGANET2' is OK - If for any reason the following response is obtained to the last command above it is time to - call in the Networking Super-Snooper task force (i.e.: Start debugging): + If for any reason the following response is obtained to the last command above,it is time to + call in the Networking Super-Snooper task force (i.e., start debugging): NT_STATUS_ACCESS_DENIED Join to 'MEGANET2' failed. 
@@ -703,17 +702,17 @@ Join to 'MEGANET2' failed. wbinfo - Just joining the Domain is not quite enough, you must now provide a privileged set + Just joining the domain is not quite enough; you must now provide a privileged set of credentials through which winbindd can interact with the ADS - Domain servers. Execute the following to implant the necessary credentials: + domain servers. Execute the following to implant the necessary credentials: &rootprompt; wbinfo --set-auth-user=Administrator%not24get - The configuration is now ready to obtain ADS Domain user and group information. + The configuration is now ready to obtain ADS domain user and group information. - You may now start Samba in the usual manner and your Samba Domain Member server + You may now start Samba in the usual manner, and your Samba domain member server is ready for use. Just add shares as required. @@ -823,10 +822,10 @@ aliases: files - NT4/Samba Domain with Samba Domain Member Server &smbmdash; Using Winbind + NT4/Samba Domain with Samba Domain Member Server: Using Winbind - You need to use this method for creating a Samba Domain Member server if any of the following conditions + You need to use this method for creating a Samba domain member server if any of the following conditions prevail: @@ -840,7 +839,7 @@ aliases: files - The Samba Domain Member server must be part of a Windows NT4 Domain. + The Samba domain member server must be part of a Windows NT4 Domain. 
@@ -851,15 +850,15 @@ aliases: files LDAP - Later in the chapter, you can see how to configure a Samba Domain Member server for a Windows ADS Domain. - Right now your objective is to configure a Samba server that can be a member of a Windows NT4 style - Domain and/or does not use LDAP. + Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain. + Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style + domain and/or does not use LDAP. duplicate accounts - If you use winbind for Identity resolution, do make sure that there are no + If you use winbind for identity resolution, make sure that there are no duplicate accounts. @@ -900,7 +899,7 @@ aliases: files The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. The winbind information is locally cached in the winbindd_cache.tdb winbindd_idmap.tdb files. This provides considerable performance benefits compared with the LDAP solution, particularly - where the LDAP lookups must traverse wide-area network links. You may examine the contents of these + where the LDAP lookups must traverse WAN links. You may examine the contents of these files using the tool tdbdump, though you may have to build this from the Samba source code if it has not been supplied as part of a binary package distribution that you may be using. @@ -925,12 +924,12 @@ aliases: files rpc join - The system is ready to join the Domain. Execute the following: + The system is ready to join the domain. Execute the following: net rpc join -U root%not2g4et Joined domain MEGANET2. - This indicates that the Domain join succeed. + This indicates that the domain join succeed. @@ -953,7 +952,7 @@ MEGANET2+dbrady MEGANET2+joeg MEGANET2+balap - This shows that Domain users have been listed correctly. + This shows that domain users have been listed correctly. &rootprompt; wbinfo -g MEGANET2+Domain Admins 
@@ -963,7 +962,7 @@ MEGANET2+Accounts MEGANET2+Finances MEGANET2+PIOps - This shows that Domain groups have been correctly obtained also. + This shows that domain groups have been correctly obtained also. @@ -1014,7 +1013,7 @@ MEGANET2+PIOps:x:10005: - The Samba member server of a Windows NT4 Domain is ready for use. + The Samba member server of a Windows NT4 domain is ready for use. @@ -1066,11 +1065,11 @@ MEGANET2+PIOps:x:10005: - NT4/Samba Domain with Samba Domain Member Server - Without NSS Support + NT4/Samba Domain with Samba Domain Member Server without NSS Support No matter how many UNIX/Linux administrators there may be who believe that a UNIX operating - system that does not have NSS and PAM support to be outdated and antique, the fact is there + system that does not have NSS and PAM support to be outdated, the fact is there are still many such systems in use today. Samba can be used without NSS support, but this does limit it to the use of local user and group accounts only. @@ -1078,7 +1077,7 @@ MEGANET2+PIOps:x:10005: The following steps may be followed to implement Samba with support for local accounts. In this configuration Samba is made a domain member server. All incoming connections - to the Samba server will cause the look-up of the incoming user name. If the account + to the Samba server will cause the look-up of the incoming username. If the account is found, it is used. If the account is not found, one will be automatically created on the local machine so that it can then be used for all access controls. 
@@ -1093,20 +1092,20 @@ MEGANET2+PIOps:x:10005: netrpcjoin - The system is ready to join the Domain. Execute the following: + The system is ready to join the domain. Execute the following: net rpc join -U root%not24get Joined domain MEGANET2. - This indicates that the Domain join succeed. + This indicates that the domain join succeed. - Be sure to run all three Samba daemons: smbd, nmbd, winbindd. + Be sure to run all three Samba daemons: smbd, nmbd, winbindd. - The Samba member server of a Windows NT4 Domain is ready for use. + The Samba member server of a Windows NT4 domain is ready for use. @@ -1169,11 +1168,11 @@ Joined domain MEGANET2. server One of the much-sought-after features new to Samba-3 is the ability to join an Active Directory - Domain using Kerberos protocols. This makes it possible to operate an entire Windows network + domain using Kerberos protocols. This makes it possible to operate an entire Windows network without the need to run NetBIOS over TCP/IP and permits more secure networking in general. An exhaustively complete discussion of the protocols is not possible in this book; perhaps a later book may explore the intricacies of the NetBIOS-less operation that Samba-3 can participate - in. For now, we simply focus on how a Samba-3 server can be made a Domain Member server. + in. For now, we simply focus on how a Samba-3 server can be made a domain member server. 
@@ -1187,12 +1186,12 @@ Joined domain MEGANET2. The diagram in demonstrates how Samba-3 interfaces with Microsoft Active Directory components. It should be noted that if Microsoft Windows Services - for UNIX has been installed and correctly configured, it is possible to use client LDAP - for Identity resolution just as can be done with Samba-3 when using an LDAP passdb backend. + for UNIX (SFU) has been installed and correctly configured, it is possible to use client LDAP + for identity resolution just as can be done with Samba-3 when using an LDAP passdb backend. The UNIX tool that you need for this, as in the case of LDAP on UNIX/Linux, is the PADL Software nss_ldap tool-set. Compared with use of winbind and Kerberos, the use of - LDAP-based Identity resolution is a little less secure. In view of the fact that this solution - requires additional software to be installed on the Windows 200x ADS Domain Controllers, + LDAP-based identity resolution is a little less secure. In view of the fact that this solution + requires additional software to be installed on the Windows 200x ADS domain controllers, and that means more management overhead, it is likely that most Samba-3 ADS client sites may elect to use winbind. 
@@ -1206,12 +1205,12 @@ Joined domain MEGANET2. The hypothetical domain you are using in this example assumes that the Abmas London office - decided to take their own lead (some would say this is a typical behavior in a global + decided to take its own lead (some would say this is a typical behavior in a global corporate world; besides, a little divergence and conflict makes for an interesting life). - The Windows Server 2003 ADS Domain is called london.abmas.biz and the - name of the server is W2K3S. In ADS realm terms, the Domain Controller + The Windows Server 2003 ADS domain is called london.abmas.biz and the + name of the server is W2K3S. In ADS realm terms, the domain controller is known as w2k3s.london.abmas.biz. In NetBIOS nomenclature, the - Domain Name is LONDON and the server name is W2K3S. + domain name is LONDON and the server name is W2K3S. @@ -1244,7 +1243,7 @@ Joined domain MEGANET2. HAVE_KRB5_STRING_TO_KEY_SALT HAVE_LIBKRB5 - The above output was obtained on a SUSE Linux system and shows the output for + This output was obtained on a SUSE Linux system and shows the output for Samba that has been compiled and linked with the Heimdal Kerberos libraries. The following is a typical output that will be found on a Red Hat Linux system that has been linked with the MIT Kerberos libraries: @@ -1333,8 +1332,7 @@ massive:/usr/sbin # smbd -b | grep LDAP From this point on, you are certain that the Samba-3 build you are using has the - necessary capabilities. You can now configure Samba-3 and the name service - switch (NSS). + necessary capabilities. You can now configure Samba-3 and the NSS. @@ -1350,7 +1348,7 @@ massive:/usr/sbin # smbd -b | grep LDAP /etc/samba/secrets.tdb - Delete the file /etc/samba/secrets.tdb, if it exists. Of course, you + Delete the file /etc/samba/secrets.tdb if it exists. Of course, you do keep a backup, don't you? 
@@ -1373,7 +1371,7 @@ massive:/usr/sbin # smbd -b | grep LDAP &rootprompt; testparm -s | less Now that you are satisfied that your Samba server is ready to join the Windows - ADS Domain, let's move on. + ADS domain, let's move on. @@ -1390,7 +1388,7 @@ massive:/usr/sbin # smbd -b | grep LDAP Using short domain name -- LONDON Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' - You have successfully made your Samba-3 server a member of the ADS Domain + You have successfully made your Samba-3 server a member of the ADS domain using Kerberos protocols. @@ -1400,7 +1398,7 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' failed join In the event that you receive no output messages, a silent return means that the - Domain join failed. You should use ethereal to identify what + domain join failed. You should use ethereal to identify what may be failing. Common causes of a failed join include: @@ -1408,13 +1406,13 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' name resolution Defective - Defective or mis-configured DNS name resolution. + Defective or misconfigured DNS name resolution. Restrictive security - Restrictive security settings on the Windows 200x ADS Domain controller + Restrictive security settings on the Windows 200x ADS domain controller preventing needed communications protocols. You can check this by searching the Windows Server 200x Event Viewer. @@ -1439,8 +1437,8 @@ Joined 'FRAN' to realm 'LONDON.ABMAS.BIZ' mixed mode In any case, never execute the net rpc join command in an attempt - to join the Samba server to the Domain, unless you wish not to use the Kerberos - security protocols. Use of the older RPC-based Domain join facility requires that + to join the Samba server to the domain, unless you wish not to use the Kerberos + security protocols. Use of the older RPC-based domain join facility requires that Windows Server 200x ADS has been configured appropriately for mixed mode operation. 
@@ -1486,7 +1484,7 @@ data = "E\89\F6?" wbinfo This is a good time to verify that everything is working. First, check that - winbind is able to obtain the list of users and groups from the ADS Domain Controller. + winbind is able to obtain the list of users and groups from the ADS domain controller. Execute the following: &rootprompt; wbinfo -u @@ -1515,7 +1513,7 @@ LONDON+DnsUpdateProxy getent - Now repeat this via NSS to validate that full Identity resolution is + Now repeat this via NSS to validate that full identity resolution is functional as required. Execute: &rootprompt; getent passwd @@ -1531,7 +1529,7 @@ LONDON+krbtgt:x:10003:10000:krbtgt: LONDON+jht:x:10004:10000:John H. Terpstra: /home/LONDON/jht:/bin/bash - Okay, ADS user accounts are being resolved. Now you try group resolution as follows: + Okay, ADS user accounts are being resolved. Now you try group resolution: &rootprompt; getent group ... @@ -1657,15 +1655,15 @@ Permissions: [Read All Properties] -------------- End Of Security Descriptor - And now you have conclusive proof that your Samba-3 ADS Domain Member Server - called FRAN, is able to communicate fully with the ADS - Domain Controllers. + And now you have conclusive proof that your Samba-3 ADS domain member server + called FRAN is able to communicate fully with the ADS + domain controllers. - Your Samba-3 ADS Domain Member server is ready for use. During training sessions, + Your Samba-3 ADS domain member server is ready for use. During training sessions, you may be asked what is inside the winbindd_cache.tdb and winbindd_idmap.tdb files. Since curiosity just took hold of you, execute the following: @@ -1752,7 +1750,7 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- } .... - Now all is revealed. Your curiosity, as well as that of those with you, has been put at ease. + Now all is revealed. Your curiosity, as well as that of your team, has been put at ease. May this server serve well all who happen upon it. 
@@ -1810,7 +1808,7 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs. The key benefit of this method of implementing the Samba IDMAP facility is that it eliminates the need to store the IDMAP data - in a central place. The down-side is that it can be used only within a single ADS Domain and + in a central place. The downside is that it can be used only within a single ADS domain and is not compatible with trusted domain implementations. @@ -1819,7 +1817,7 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- allow trusted domains idmap uid idmap gid - This alternate method of SID to UID/GID mapping can be achieved uses the idmap_rid + This alternate method of SID to UID/GID mapping can be achieved with the idmap_rid plug-in. This plug-in uses the RID of the user SID to derive the UID and GID by adding the RID to a base value specified. This utility requires that the parameter allow trusted domains = No must be specified, as it is not compatible @@ -1830,8 +1828,8 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- idmap_rid realm - The idmap_rid facility can be used both for NT4/Samba style domains as well as with Active Directory. - To use this with an NT4 Domain the realm is not used, additionally the + The idmap_rid facility can be used both for NT4/Samba-style domains as well as with Active Directory. + To use this with an NT4 domain, the realm is not used. Additionally the method used to join the domain uses the net rpc join process. 
@@ -1863,10 +1861,10 @@ data = "\00\00\00\00bp\00\00\06krbtgt\06krbtgt- Active Directory response getent - In a large domain with many users it is imperative to disable enumeration of users and groups. - For example, at a site that has 22,000 users in Active Directory the winbind based user and + In a large domain with many users, it is imperative to disable enumeration of users and groups. + For example, at a site that has 22,000 users in Active Directory the winbind-based user and group resolution is unavailable for nearly 12 minutes following first start-up of - winbind. Disabling of such enumeration resulted in instantaneous response. + winbind. Disabling of such enumeration results in instantaneous response. The disabling of user and group enumeration means that it will not be possible to list users or groups using the getent passwd and getent group commands. It will be possible to perform the lookup for individual users, as shown in the procedure @@ -1921,13 +1919,13 @@ BIGJOE$@'s password: ads_connect: No results returned Join to domain is not valid - The specific error message may differ from the above as it depends on the type of failure that - may have occurred. Increase the log level to 10, repeat the above test + The specific error message may differ from the above because it depends on the type of failure that + may have occurred. Increase the log level to 10, repeat the above test, and then examine the log files produced to identify the nature of the failure. - Start the nmbd, winbind, and smbd daemons in the order shown. + Start the nmbd, winbind, and smbd daemons in the order shown. 
@@ -1948,14 +1946,14 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash ADAM ADS - The storage of IDMAP information in LDAP can be used with both NT4/Samba-3 style domains as well as - with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards - complying LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using + The storage of IDMAP information in LDAP can be used with both NT4/Samba-3-style domains as well as + with ADS domains. OpenLDAP is a commonly used LDAP server for this purpose, although any standards-compliant + LDAP server can be used. It is therefore possible to deploy this IDMAP configuration using the Sun iPlanet LDAP server, Novell eDirectory, Microsoft ADS plus ADAM, and so on. - The example in is for an ADS style domain. + The example in is for an ADS-style domain. @@ -1982,17 +1980,17 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash realm - In the case of an NT4 or Samba-3 style Domain the realm is not used and the - command used to join the domain is: net rpc join. The above example also demonstrates - advanced error reporting techniques that are documented in the chapter called Reporting Bugs in the - book The Official Samba-3 HOWTO and Reference Guide (TOSHARG). + In the case of an NT4 or Samba-3-style domain the realm is not used, and the + command used to join the domain is net rpc join. The above example also demonstrates + advanced error reporting techniques that are documented in the chapter called "Reporting Bugs" in + The Official Samba-3 HOWTO and Reference Guide (TOSHARG). MIT kerberos Heimdal kerberos /etc/krb5.conf - Where MIT kerberos is installed (version 1.3.4 or later) edit the /etc/krb5.conf + Where MIT kerberos is installed (version 1.3.4 or later), edit the /etc/krb5.conf file so it has the following contents: [logging] 
@@ -2017,8 +2015,8 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash - Where Heimdal kerberos is installed edit the /etc/krb5.conf - file so it is either empty (i.e.: no contents) or it has the following contents: + Where Heimdal kerberos is installed, edit the /etc/krb5.conf + file so it is either empty (i.e., no contents) or it has the following contents: [libdefaults] default_realm = SNOWSHOW.COM @@ -2035,9 +2033,9 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash - Samba can not use the Heimdal libraries if there is no /etc/krb5.conf file. - So long as there is an empty file the Heimdal kerberos libraries will be usable. There is no - need to specify any settings as Samba using the Heimdal libraries can figure this out automatically. + Samba cannot use the Heimdal libraries if there is no /etc/krb5.conf file. + So long as there is an empty file, the Heimdal kerberos libraries will be usable. There is no + need to specify any settings because Samba, using the Heimdal libraries, can figure this out automatically. Edit the NSS control file /etc/nsswitch.conf so it has the following entries: @@ -2090,12 +2088,12 @@ ssl no - Download, build and install the PADL nss_ldap tool set. Configure the + Download, build, and install the PADL nss_ldap tool set. Configure the /etc/ldap.conf file as shown above. - Configure an LDAP server, initialize the directory with the top level entries needed by IDMAP + Configure an LDAP server and initialize the directory with the top level entries needed by IDMAP as shown in the following LDIF file: dn: dc=snowshow,dc=com @@ -2117,7 +2115,7 @@ ou: idmap - Execute the command to join the Samba Domain Member Server to the ADS domain as shown here: + Execute the command to join the Samba domain member server to the ADS domain as shown here: &rootprompt; net ads testjoin Using short domain name -- SNOWSHOW 
@@ -2133,7 +2131,7 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' - Start the nmbd, winbind, and smbd daemons in the order shown. + Start the nmbd, winbind, and smbd daemons in the order shown. @@ -2148,12 +2146,12 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' - IDMAP and NSS Using LDAP From ADS with RFC2307bis Schema Extension + IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension rfc2307bis schema - The use of this method is messy. The information provided in the following is for guidance only + The use of this method is messy. The information provided in this section is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance. @@ -2205,7 +2203,7 @@ hosts: files wins /etc/ldap.conf nss_ldap The /etc/ldap.conf file must be configured also. Refer to the PADL documentation - and source code for nss_ldap to specific instructions. + and source code for nss_ldap instructions. @@ -2214,11 +2212,11 @@ hosts: files wins - IDMAP, Active Directory and MS Services for UNIX 3.5 + IDMAP, Active Directory, and MS Services for UNIX 3.5 SFU - The Microsoft Windows Service for UNIX (SFU) version 3.5 is available for free + The Microsoft Windows Service for UNIX version 3.5 is available for free download from the Microsoft Web site. You will need to download this tool and install it following Microsoft instructions. @@ -2227,12 +2225,12 @@ hosts: files wins - IDMAP, Active Directory and AD4UNIX + IDMAP, Active Directory, and AD4UNIX Instructions for obtaining and installing the AD4UNIX tool set can be found from the - Geekcomix web site. + Geekcomix Web site. 
@@ -2249,7 +2247,7 @@ hosts: files wins user credentials So far this chapter has been mainly concerned with the provision of file and print - services for Domain Member servers. However, an increasing number of UNIX/Linux + services for domain member servers. However, an increasing number of UNIX/Linux workstations are being installed that do not act as file or print servers to anyone other than a single desktop user. The key demand for desktop systems is to be able to log onto any UNIX/Linux or Windows desktop using the same network user credentials. @@ -2260,7 +2258,7 @@ hosts: files wins SSO The ability to use a common set of user credential across a variety of network systems - is generally regarded as a Single Sign-On (SSO) solution. SSO systems are sold by a + is generally regarded as a single sign-on (SSO) solution. SSO systems are sold by a large number of vendors and include a range of technologies such as: @@ -2274,7 +2272,7 @@ hosts: files wins - Meta-directory server solutions + Metadirectory server solutions 
@@ -2286,32 +2284,32 @@ hosts: files wins Identity management There are really only three solutions that provide integrated authentication and - user Identity management facilities: + user identity management facilities: - Samba Winbind (free) + Samba winbind (free) - PADL PAM and LDAP Tools (free) + PADL PAM and LDAP tools (free) - Vintela Authentication Services (Commercial) + Vintela Authentication Services (commercial) - The following guidelines are pertinent in respect of the deployment of winbind-based authentication - and Identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops - using Windows network Domain user credentials (username and password). + The following guidelines are pertinent the deployment of winbind-based authentication + and identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops + using Windows network domain user credentials (username and password). You should note that it is possible to use LDAP-based PAM and NSS tools to permit distributed - systems logons (SSO) providing user and group accounts are stored in an LDAP directory. This + systems logons (SSO), providing user and group accounts are stored in an LDAP directory. This provides logon services for UNIX/Linux users, while Windows users obtain their sign-on support via Samba-3. 
@@ -2320,9 +2318,9 @@ hosts: files wins Windows Services for UNIX SUS - On the other hand, if the authentication and Identity resolution backend must be provided by - a Windows NT4 style Domain or from an Active Directory Domain that does not have the Microsoft - Windows Services for UNIX (SUS) installed, winbind is your best friend. Specific guidance for these + On the other hand, if the authentication and identity resolution backend must be provided by + a Windows NT4-style domain or from an Active Directory Domain that does not have the Microsoft + Windows Services for UNIX installed, winbind is your best friend. Specific guidance for these situations now follows. @@ -2334,7 +2332,7 @@ hosts: files wins NSS To permit users to log onto a Linux system using Windows network credentials, you need to - configure Identity resolution (NSS) and PAM. This means that the basic steps include those + configure identity resolution (NSS) and PAM. This means that the basic steps include those outlined above with the addition of PAM configuration. Given that most workstations (desktop/client) usually do not need to provide file and print services to a group of users, the configuration of shares and printers is generally less important. Often this allows the share specifications @@ -2346,7 +2344,7 @@ hosts: files wins The following steps provide a Linux system that users can log onto using - Windows NT4 Domain (or Samba-3) Domain network credentials: + Windows NT4 (or Samba-3) domain network credentials: @@ -2356,7 +2354,7 @@ hosts: files wins - Identify what services users must log onto. On Red Hat Linux, if it is + Identify what services users must log on to. On Red Hat Linux, if it is intended that the user shall be given access to all services, it may be most expeditious to simply configure the file /etc/pam.d/system-auth. 
@@ -2395,7 +2393,7 @@ hosts: files wins This procedure should be followed to permit a Linux network client (workstation/desktop) - to permit users to log on using Microsoft Active Directory based user credentials. + to permit users to log on using Microsoft Active Directory-based user credentials. @@ -2405,7 +2403,7 @@ hosts: files wins - Identify what services users must log onto. On Red Hat Linux, if it is + Identify what services users must log on to. On Red Hat Linux, if it is intended that the user shall be given access to all services, it may be most expeditious to simply configure the file /etc/pam.d/system-auth as shown in . 
@@ -2514,34 +2512,34 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you learned how to integrate such servers so that the UID/GID mappings they use can be consistent - across all Domain Member servers. You also discovered how to implement the ability to use Samba - or Windows Domain account credentials to log onto a UNIX/Linux client. + across all domain member servers. You also discovered how to implement the ability to use Samba + or Windows domain account credentials to log onto a UNIX/Linux client. - The following are key points noted: + The following are key points made in this chapter: - Domain Controllers are always authoritative for the Domain. + Domain controllers are always authoritative for the domain. - Domain Members may have local accounts and must be able to resolve the identity of - Domain user accounts. Domain user account identity must map to a local UID/GID. That + Domain members may have local accounts and must be able to resolve the identity of + domain user accounts. Domain user account identity must map to a local UID/GID. That local UID/GID can be stored in LDAP. This way, it is possible to share the IDMAP data - across all Domain Member machines. + across all domain member machines. - Resolution of user and group identities on Domain Member machines may be implemented + Resolution of user and group identities on domain member machines may be implemented using direct LDAP services or using winbind. - On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for Identity management - and PAM is responsible for authentication of logon credentials (user name and password). + On NSS/PAM enabled UNIX/Linux systems, NSS is responsible for identity management + and PAM is responsible for authentication of logon credentials (username and password). 
@@ -2593,7 +2591,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass getpwnam() - On a Domain Member server, you effectively map Windows Domain users to local users + On a domain member server, you effectively map Windows domain users to local users that are in your NIS database by specifying the winbind trusted domains only. This causes user and group account lookups to be routed via the getpwnam() family of systems calls. On an NIS-enabled client, @@ -2611,7 +2609,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass - Our IT management people do not like LDAP, but are looking at Microsoft Active Directory. + Our IT management people do not like LDAP but are looking at Microsoft Active Directory. Which is better? Active Directory 
@@ -2629,21 +2627,21 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass schema Microsoft Active Directory is an LDAP server that is intricately tied to a Kerberos - infrastructure. Most IT managers who object to LDAP do so because of the fact that - an LDAP server is most often supplied as a raw tool that needs to be configured, and - for which the administrator must create the schema, create the administration tools and - devise the backup and recovery facilities in a site dependent manner. LDAP servers + infrastructure. Most IT managers who object to LDAP do so because + an LDAP server is most often supplied as a raw tool that needs to be configured and + for which the administrator must create the schema, create the administration tools, and + devise the backup and recovery facilities in a site-dependent manner. LDAP servers in general are seen as a high-energy, high-risk facility. management - Microsoft Active Directory by comparison is easy to install, configure, and + Microsoft Active Directory by comparison is easy to install and configure and is supplied with all tools necessary to implement and manage the directory. For sites that lack a lot of technical competence, Active Directory is a good choice. For sites that have the technical competence to handle Active Directory well, LDAP is a good - alternative. The real issue that needs to be addressed is what type of solution does + alternative. The real issue is, What type of solution does the site want? If management wants a choice to use an alternative, they may want to consider the options. On the other hand, if management just wants a solution that works, Microsoft Active Directory is a good solution. 
@@ -2680,8 +2678,8 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass Yes, it is possible to use NIS in place of LDAP, but there may be problems with keeping the Windows (SMB) encrypted passwords database correctly synchronized across the entire - network. Workstations (Windows client machines) periodically change their Domain - Membership secure account password. How can you keep changes that are on remote BDCs + network. Workstations (Windows client machines) periodically change their domain + membership secure account password. How can you keep changes that are on remote BDCs synchronized on the PDC? @@ -2693,7 +2691,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass network Identities LDAP is a more elegant solution because it permits centralized storage and management - of all network Identities (user, group and machine accounts) together with all information + of all network identities (user, group, and machine accounts) together with all information Samba needs to provide to network clients and their users. @@ -2704,7 +2702,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass - Are you suggesting that users should not log onto a Domain Member server? If so, why? + Are you suggesting that users should not log onto a domain member server? If so, why? 
@@ -2718,8 +2716,8 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass mapped drives - Many UNIX administrators mock the model that the Personal Computer industry has adopted - as normative since the early days of Novell NetWare. One may well argue that the old + Many UNIX administrators mock the model that the personal computer industry has adopted + as normative since the early days of Novell NetWare. The old perception of the necessity to keep users off file and print servers was a result of fears concerning the security and integrity of data. It was a simple and generally effective measure to keep users away from servers, except through mapped drives. @@ -2738,10 +2736,10 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass UNIX administrators are fully correct in asserting that UNIX servers and workstations are identical in terms of the software that is installed. They correctly assert that - in a well secured environment it is safe to store files on a system that has hundreds + in a well-secured environment it is safe to store files on a system that has hundreds of users. But all network administrators must factor into the decision to allow or reject general user logins to a UNIX system that is principally a file and print - server. One must take account of the risk to operations through simple user errors. + server the risk to operations through simple user errors. Only then can one begin to appraise the best strategy and adopt a site-specific policy that best protects the needs of users and of the organization alike. 
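Review bot: the sentence produced by @@ -2738, "all network administrators must factor into the decision to allow or reject general user logins to a UNIX system that is principally a file and print server the risk to operations through simple user errors," puts twenty words between "factor" and its object "the risk", so it reads as a garble on first pass. Suggest "all network administrators must factor the risk to operations through simple user errors into the decision to allow or reject general user logins to a UNIX system that is principally a file and print server."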
@@ -2749,7 +2747,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass system level logins - From experience, it is my recommendation to keep general system level logins to a + From experience, it is my recommendation to keep general system-level logins to a practical minimum and to eliminate them if possible. This should not be taken as a hard rule, though. The better question is, what works best for the site? @@ -2772,7 +2770,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass share In my &smb.conf; file, I enabled the parameter winbind enable local accounts - on all Domain Member servers, but it does not work. The accounts I put in + on all domain member servers, but it does not work. The accounts I put in /etc/passwd do not show up in the options list when I try to set an ACL on a share. What have I done wrong? @@ -2798,12 +2796,12 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass Domain The manual page for this &smb.conf; file parameter clearly says, This parameter - controls whether or not winbindd will act as a stand in replacement for the various + controls whether or not winbindd will act as a stand-in replacement for the various account management hooks in smb.conf (for example, add user script). If enabled, winbindd will support the creation of local users and groups as another source of UNIX account - information available via getpwnam() or getgrgid(), etc... By default this + information available via getpwnam() or getgrgid(), etc.... By default this parameter is already enabled; therefore, the action you are seeing is a result of a failure - of Identity resolution in the Domain. + of identity resolution in the domain. 
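Review bot: in @@ -2798 the quoted man page text now ends "etc...." (four dots); a quotation should reproduce the original punctuation or use a single ellipsis ("etc. ..."). More important, the sentence that follows the quotation, "By default this parameter is already enabled; therefore, the action you are seeing is a result of a failure of identity resolution in the domain", states a default that the quoted excerpt does not contain, and the whole diagnosis rests on it; verify the default of "winbind enable local accounts" against the smb.conf(5) page for the Samba release the book targets, and quote that line too if it is kept.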
@@ -2821,9 +2819,9 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass GID - These are the accounts that are available for Windows network Domain logons. Providing - Identity resolution has been correctly configured on the Domain Controllers, as well as - on Domain Member servers. The Domain user and group identities automatically map + These are the accounts that are available for Windows network domain logons. Providing + identity resolution has been correctly configured on the domain controllers as well as + on domain member servers. The domain user and group identities automatically map to a valid local UID and GID pair. @@ -2867,19 +2865,19 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass /etc/passwd The manual page for this winbind trusted domains only parameter says, - This parameter is designed to allow Samba servers that are members of a Samba controlled + This parameter is designed to allow Samba servers that are members of a Samba-controlled domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users in the hosts primary domain. Therefore, the user SAMBA\user1 would be mapped to the account user1 in /etc/passwd instead - of allocating a new UID for him or her. This would clearly suggest that you are trying + of allocating a new UID for him or her. This clearly suggests that you are trying to use this parameter inappropriately. valid users - A far better solution would be to use the valid users by specifying - precisely the Domain users and groups that should be permitted access to the shares. You could, + A far better solution is to use the valid users by specifying + precisely the domain users and groups that should be permitted access to the shares. You could, for example, set the following parameters: [demoshare] 
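Review bot: @@ -2867 edits the line "This parameter is designed to allow Samba servers that are members of a Samba-controlled" but leaves the next line of the same quotation as "domain to use UNIX accounts distributed vi NIS, rsync, or LDAP as the UIDs for winbindd users in the hosts primary domain": "vi" (for "via") and "hosts" (for "host's") are still wrong. Either fix both or mark the quotation verbatim with [sic]. Later in the same hunk, "A far better solution is to use the valid users by specifying" is missing a noun after "valid users" (presumably "parameter"); check that the parameter markup was not dropped.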
@@ -2896,7 +2894,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass - What are the benefits of using LDAP for my Domain Member servers? + What are the benefits of using LDAP for my domain member servers? @@ -2922,7 +2920,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass identity The key benefit of using LDAP is that the UID of all users and the GID of all groups - are globally consistent on Domain Controllers as well as on Domain Member servers. + are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy/replicate files across servers without loss of identity. @@ -2945,12 +2943,12 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass account information - When use is made of account Identity resolution via winbind, even when an IDMAP backend - is stored in LDAP, the UID/GID on Domain Member servers is consistent, but differs - from the ID that the user/group has on Domain Controllers. The winbind allocated UID/GID + When use is made of account identity resolution via winbind, even when an IDMAP backend + is stored in LDAP, the UID/GID on domain member servers is consistent, but differs + from the ID that the user/group has on domain controllers. The winbind allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified in the - idmap uid/gid in the &smb.conf; file. On Domain Controllers, the UID/GID is - that of the Posix value assigned in the LDAP directory as part of the Posix account information. + idmap uid/gid in the &smb.conf; file. On domain controllers, the UID/GID is + that of the POSIX value assigned in the LDAP directory as part of the POSIX account information. 
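Review bot: @@ -2945 keeps "When use is made of account identity resolution via winbind" and "The winbind allocated UID/GID"; suggest "When winbind resolves account identities" and "The winbind-allocated UID/GID", the hyphenated compound modifier being the convention this patch applies elsewhere ("site-dependent", "well-secured", "Samba-controlled"). "IDMAP backend" and "idmap uid/gid" in the same paragraph should also agree in case, since the second is a configuration parameter name.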
@@ -2985,8 +2983,8 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass WINS lookup - Samba depends on correctly functioning resolution of host names to their IP address. Samba - makes no direct DNS lookup calls, but rather redirects all name to address calls via the + Samba depends on correctly functioning resolution of hostnames to their IP address. Samba + makes no direct DNS lookup calls, but rather redirects all name-to-address calls via the getXXXbyXXX() function calls. The configuration of the hosts entry in the NSS /etc/nsswitch.conf file determines how the underlying resolution process is implemented. If the hosts entry in your NSS @@ -2994,8 +2992,8 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass hosts: files dns wins - This means that a host name lookup first tries the /etc/hosts. - If this fails to resolve, it attempts a DNS lookup and if that fails, it tries a + this means that a hostname lookup first tries the /etc/hosts. + If this fails to resolve, it attempts a DNS lookup, and if that fails, it tries a WINS lookup. @@ -3009,9 +3007,9 @@ hosts: files dns wins The addition of the WINS-based name lookup makes sense only if NetBIOS over TCP/IP has been enabled on all Windows clients. Where NetBIOS over TCP/IP has been disabled, DNS is the preferred name resolution technology. This usually makes most sense when Samba - is a client of an Active Directory Domain, where NetBIOS use has been disabled. In this - case, the Windows 200x auto-registers all locator records it needs with its own DNS - server/s. + is a client of an Active Directory domain, where NetBIOS use has been disabled. In this + case, the Windows 200x autoregisters all locator records it needs with its own DNS + server or servers. 
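Review bot: the rewritten line in @@ -2994, "this means that a hostname lookup first tries the /etc/hosts.", ends on a bare path after "the"; suggest "first consults /etc/hosts" or "the /etc/hosts file". In @@ -3009, "the Windows 200x autoregisters all locator records it needs with its own DNS server or servers" has no noun after "Windows 200x"; "the Windows 200x domain controller" is what the sentence means, and it is the reader's cue that the records are registered by the DC, not by the Samba client.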
@@ -3021,7 +3019,7 @@ hosts: files dns wins - Our Windows 2003 Server Active Directory Domain runs with NetBIOS disabled. Can we + Our Windows 2003 Server Active Directory domain runs with NetBIOS disabled. Can we use Samba-3 with that configuration? @@ -3047,8 +3045,8 @@ hosts: files dns wins rpc join - When I tried to execute net ads join, I got no output. It did not work, so - I think that it failed. I then executed net rpc join and that worked fine. + When I tried to execute net ads join, I got no output. It did not work, so + I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it? @@ -3060,7 +3058,7 @@ hosts: files dns wins authentication - No. This is not okay. It means that your Samba-3 client has joined the ADS Domain as + No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication. diff --git a/docs/Samba-Guide/SBE-Appendix1.xml b/docs/Samba-Guide/SBE-Appendix1.xml index 0940f4da416..d6fded0d3c2 100644 --- a/docs/Samba-Guide/SBE-Appendix1.xml +++ b/docs/Samba-Guide/SBE-Appendix1.xml 
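Review bot: in @@ -3047 the question says "I got no output. It did not work, so I think that it failed", and the answer in @@ -3060 only says the fallback to "net rpc join" is "not okay" because the client "will not be using Kerberos-based authentication". The reader is left inferring failure from silence; the answer should state how to confirm whether the ADS join actually succeeded before falling back, since the consequence the hunk describes (an NT4-style join with no Kerberos) is exactly what the user will end up with otherwise.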
@@ -2,27 +2,23 @@ - Appendix: A Collection of Useful Tid-bits + A Collection of Useful Tidbits - - material - - domain - joining - + + material + domainjoining Information presented here is considered to be either basic or well-known material that is informative yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that - the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps - different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical, + the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps + different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical, as shown in the example given below. Joining a Domain: Windows 200x/XP Professional - - joining a domain - + + joining a domain Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a Domain Security environment. It should be noted that this process is identical @@ -76,7 +72,7 @@ Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) - of a Domain administrative account that has the rights to add machines to the Domain. + of a domain administrative account that has the rights to add machines to the domain. 
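Review bot: @@ -2,27 lowercases "Samba-controlled Windows domain" and "Windows ADS domain", and @@ -76 lowercases "domain administrative account", but the same first hunk leaves "Domain Security" and "a member of a Domain Security environment" capitalized; decide whether "Domain Security" is a proper term and apply the rule consistently. The index entries collapsed to "material" and "domainjoining" look like two terms concatenated by the tag reformat; check the indexterm markup still nests correctly.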
@@ -95,43 +91,36 @@ - - Active Directory - - DNS - + + Active Directory + DNS The screen capture shown in has a button labeled More.... This button opens a panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members - of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space. + of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace. - - Netlogon - - DNSdynamic - + + Netlogon + DNSdynamic Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server - to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running). + to find the services (like which machines are domain controllers or which machines have the Netlogon service running). - - DNS - suffix - + + DNSsuffix The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix, - this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to + this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to a valid IP address. The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain. - Where the client is a member of a Samba Domain, it is preferable to leave this field blank. + Where the client is a member of a Samba domain, it is preferable to leave this field blank. 
- - Group Policy - + + Group Policy According to Microsoft documentation, If this computer belongs to a group with Group Policy enabled on Primary DNS suffice of this computer, the string specified in the Group Policy is used as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is @@ -214,7 +203,7 @@ run-time control files - Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in + Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in the /var/lib/samba directory. Log files are created in /var/log/samba. @@ -361,8 +350,8 @@ exit 0 winbindd starting sambawinbindd - This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. IT is also needed when - Samba has trust relationships with another Domain. The winbindd daemon will check the + This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when + Samba has trust relationships with another domain. The winbindd daemon will check the &smb.conf; file for the presence of the idmap uid and idmap gid parameters. If they are not found, winbindd bails out and refuses to start. @@ -428,7 +417,7 @@ esac samba control script - SUSE Linux implements individual control over each Samba daemon. A samba control script that can be conveniently + SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently executed from the command line is shown in . This can be located in the directory /sbin in a file called samba. This type of control script should be owned by user root and group root, and set so that only root can execute it. 
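Review bot: in the tail of @@ -95 the quoted Microsoft text reads "Group Policy enabled on Primary DNS suffice of this computer"; "suffice" should be "suffix" unless the quotation is verbatim, in which case mark it [sic], because the paragraph above defines the "Primary DNS suffix" by that exact name. At @@ -428, "This type of control script should be owned by user root and group root, and set so that only root can execute it" is the right advice but leaves the mode to the reader; since the script starts and stops the Samba daemons, state the mode (0700 or 0750) explicitly.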
@@ -566,7 +555,7 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 The content of the root hints file as shown in changes slowly over time. Periodically this file should be updated from the source shown. Because - of its size this file is located at the end of this appendix. + of its size, this file is located at the end of this appendix. @@ -600,9 +589,9 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 SID The first step to get the LDAP server ready for action is to create the LDIF file from - which the LDAP database will be pre-loaded. This is necessary to create the containers - into which the user, group, and so on, accounts is written. It is also necessary to - pre-load the well-known Windows NT Domain Groups, as they must have the correct SID so + which the LDAP database will be preloaded. This is necessary to create the containers + into which the user, group, and other accounts are written. It is also necessary to + preload the well-known Windows NT Domain Groups, as they must have the correct SID so that they can be recognized as special NT Groups by the MS Windows clients. @@ -623,13 +612,13 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 Install the files shown in , , and into the directory /etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh. These three files are, - respectively, Part A, B, and C of the SMBLDAP-ldif-preconfig.sh file. + respectively, parts A, B, and C of the SMBLDAP-ldif-preconfig.sh file. Install the files shown in and into the directory /etc/openldap/SambaInit/nit-ldif.pat. These two files are - Part A and B, respectively, of the init-ldif.pat file. + parts A and B, respectively, of the init-ldif.pat file. @@ -675,7 +664,7 @@ Enter the top level org name or press Enter to continue: - It is now time to pre-load the LDAP database with the following + It is now time to preload the LDAP database with the following command: &rootprompt; slapadd -v -l MEGANET2.ldif 
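Review bot: @@ -623 fixes "parts A and B" but leaves the line above it reading "into the directory /etc/openldap/SambaInit/nit-ldif.pat" while the same sentence names the file "init-ldif.pat"; the preceding item likewise calls "/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh" a directory although it is described as a file assembled from three parts. Correct "nit-ldif.pat" to "init-ldif.pat" and say "into the file ..." (or give the directory only) in both items so the reader installs the pieces in the right place.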
@@ -998,25 +987,17 @@ description: Domain Users The LDAP Account Manager - - LAM - - LDAP Account Manager - LAM - - PHP - - unencrypted - - SSL - - Posix - - accountsmanage - + +LAM +LDAP Account ManagerLAM +PHP +unencrypted +SSL +Posix +accountsmanage The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP -server either using unencrypted connections or via SSL. LAM can be used to manage +server either using unencrypted connections or via SSL/TLS. LAM can be used to manage Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines (hosts). 
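Review bot: @@ -998 changes "via SSL" to "via SSL/TLS" in "It connects to the LDAP server either using unencrypted connections or via SSL/TLS", which is correct, but the rest of the section still says "install SSL support" and "use only an SSL connection"; make the term uniform. This sentence is also where the unencrypted mode should be qualified: the section later says remote use must go over an encrypted connection, so "unencrypted connections" deserves the words "for local testing only" here rather than a bare alternative.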
@@ -1024,52 +1005,44 @@ Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machin LAM is available from the LAM home page and from its mirror sites. LAM has been released under the GNU GPL version 2. -The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early -in 2004. +The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter +of 2005. - - PHP4 - - OpenLDAP - - Perl - + +PHP4 +OpenLDAP +Perl Requirements: A web server that will work with PHP4. - PHP4 (available from the - PHP home page.) + PHP4 (available from the PHP home page.) OpenLDAP 2.0 or later. A Web browser that supports CSS. Perl. The gettext package. - mcrypt + mhash (optional since version 0.4.3). + mcrypt + mhash (optional). It is also a good idea to install SSL support. LAM is a useful tool that provides a simple Web-based device that can be used to - manage the contents of the LDAP directory to: - organizational units - - operating profiles - - account policies - +manage the contents of the LDAP directory to: +organizational units +operating profiles +account policies Display user/group/host and Domain entries. - Manages entries (Add/Delete/Edit). + Manage entries (Add/Delete/Edit). Filter and sort entries. - Set LAM administrator accounts. Store and use multiple operating profiles. Edit organizational units (OUs). Upload accounts from a file. - Is compatible with Samba-2.2.x and Samba-3. + Is compatible with Samba-2.2.x and Samba-3. 
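Review bot: @@ -1024 drops "Set LAM administrator accounts." from the feature list and changes "mcrypt + mhash (optional since version 0.4.3)" to "mcrypt + mhash (optional)"; if the feature was removed from LAM rather than deleted by accident, the section now has no statement of how the administrator password is managed, which matters because the next hunk still says "The default password is lam". Also, "Release of version 0.5 is expected in the third quarter of 2005" replaces one dated prediction with another; pointing the reader at the LAM home page for the current release would not go stale.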
@@ -1077,15 +1050,11 @@ When correctly configured, LAM allows convenient management of UNIX (Posix) and user, group, and windows domain member machine accounts. - - default password - - secure connections - - LAM - - SSL - + +default password +secure connections +LAM +SSL The default password is lam. It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections @@ -1093,29 +1062,27 @@ to LAM using only SSL. -Apache Condiguration Steps for LAM +Apache Configuration Steps for LAM - Extract the LAM package with: + Extract the LAM package by untarring it as shown here: -&rootprompt; tar xzf ldap-account-manager_0.4.3.tar.gz +&rootprompt; tar xzf ldap-account-manager_0.4.9.tar.gz -Alternately, install the LAM RPM for your system using the following example for -example: + Alternatively, install the LAM DEB for your system using the following command: -&rootprompt; rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm +&rootprompt; dpkg -i ldap-account-manager_0.4.9.all.deb Copy the extracted files to the document root directory of your Web server. - For example, on SUSE Linux Enterprise Server 8, copy to the - /srv/web/htdocs directory. + For example, on SUSE Linux Enterprise Server 9, copy to the + /srv/www/htdocs directory. - - file permissions - + + file permissions Set file permissions using the following commands: &rootprompt; chown -R wwwrun.www /srv/www/htdocs/lam 
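Review bot: @@ -1093 replaces the RPM example with "dpkg -i ldap-account-manager_0.4.9.all.deb"; Debian package file names separate version and architecture with an underscore (package_version_arch.deb), so the file is almost certainly "ldap-account-manager_0.4.9_all.deb" and the dot before "all" is a typo. In @@ -1077, "The default password is lam. It is highly recommended that you use only an SSL connection" recommends encrypting the channel but never tells the reader to change the default password; add that instruction in the same sentence, as the default is published in this very paragraph.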
@@ -1126,23 +1093,17 @@ example: - - LAM - configuration file - + + LAMconfiguration file Using your favorite editor create the following config.cfg LAM configuration file: &rootprompt; cd /srv/www/htdocs/lam/config &rootprompt; cp config.cfg_sample config.cfg &rootprompt; vi config.cfg - - LAM - profile - - LAM - wizard - + + LAMprofile + LAMwizard An example file is shown in . This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM @@ -1161,9 +1122,8 @@ example: - - pitfalls - + + pitfalls An example of a working file is shown here in . This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates @@ -1172,10 +1132,8 @@ example: are preferred at your site. - - LAM - login screen - + + LAMlogin screen It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in . @@ -1186,10 +1144,8 @@ example: lam-login - - LAM - configuration editor - + + LAMconfiguration editor The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in . It is important that you correctly set the minimum and maximum UID/GID values that are 
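Review bot: @@ -1126 "Using your favorite editor create the following config.cfg LAM configuration file:" needs a comma after "editor". The same hunk's listing copies config.cfg into /srv/www/htdocs/lam/config, i.e. inside the web document root that @@ -1093 chowns to wwwrun, and the example file later in the patch (@@ -1304) carries a "pwdhash: SSHA" entry; the step should say that the config directory must not be served to browsers and that config.cfg must not be world-readable, since the only permission guidance given so far is the recursive chown.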
@@ -1205,19 +1161,16 @@ example: lam-config - - PDF - + + PDF LAM has some nice, but unusual features. For example, one unexpected feature in most application screens permits the generation of a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space. - - LAM - opening screen - + + LAMopening screen When you log onto LAM the opening screen drops you right into the user manager as shown in . This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, @@ -1235,7 +1188,7 @@ example: The edit screen for groups is shown in . As with the edit screen for user accounts, group accounts may be rapidly dealt with. - shown a sub-screen from the group editor that permits users to be assigned secondary group + shows a sub-screen from the group editor that permits users to be assigned secondary group memberships. @@ -1249,11 +1202,8 @@ example: lam-group-members - - smbldap-tools - - scripts - + + smbldap-toolsscripts The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen will, in most cases, not be used. 
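Review bot: @@ -1205 keeps "LAM has some nice, but unusual features" (no comma before "but" here) and "This is a well thought out facility" ("well-thought-out" as a compound modifier, to match the hyphenation rule applied throughout this patch). In @@ -1186, "It is important that you correctly set the minimum and maximum UID/GID values that are" trails into the next paragraph; confirm the sentence was not cut by the hunk boundary, because the UID/GID range is the setting that keeps LAM-created accounts out of the winbind idmap range discussed earlier in the patch.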
@@ -1267,11 +1217,18 @@ example: One aspect of LAM that may annoy some users is the way it forces certain conventions on the administrator. For example, LAM does not permit the creation of Windows user and group - accounts that contain upper-case characters or spaces even though the underlying UNIX/Linux + accounts that contain spaces even though the underlying UNIX/Linux operating system may exhibit no problems with them. Given the propensity for using upper-case characters and spaces (particularly in the default Windows account names) this may cause some annoyance. For the rest, LAM is a very useful administrative tool. + + + The next major release, LAM 0.5, will have less restrictions and support the latest Samba features + (e.g. logon hours). The new plugin based architecture also allows to manage much more different + account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another + important point is the tree view which allows to browse and edit LDAP objects directly. + Example LAM Configuration File &smbmdash; <filename>config.cfg</filename> @@ -1304,7 +1261,7 @@ userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber grouplistAttributes: #cn;#gidNumber;#memberUID;#description hostlistAttributes: #cn;#description;#uidNumber;#gidNumber maxlistentries: 30 -defaultLanguage: en_GB:ISO-8859-1:English (Britain) +defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) scriptPath: scriptServer: samba3: yes @@ -1339,7 +1296,7 @@ pwdhash: SSHA When the SUID/SGID permissions are set on a directory, all files that are created within that directory - is automatically given the ownership of the SUID user and the SGID group, as per the ownership + are automatically given the ownership of the SUID user and the SGID group, as per the ownership of the directory in which the file is created. This means that the system level create() function executes with the SUID user and/or SGID group of the directory in which the file is created. 
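Review bot: the paragraph added in @@ -1267 ("The next major release, LAM 0.5, will have less restrictions and support the latest Samba features (e.g. logon hours). The new plugin based architecture also allows to manage much more different account types like plain Unix accounts. The upload can now handle groups and hosts, too.") has not had the copy-edit the rest of the patch applies: "fewer restrictions", "plugin-based", "makes it possible to manage many more account types, such as plain Unix accounts", "e.g.," with a comma, and "Unix" versus the "UNIX" used everywhere else. The same hunk narrows the restriction sentence from "upper-case characters or spaces" to "spaces", yet the next sentence still says "Given the propensity for using upper-case characters and spaces ... this may cause some annoyance", so the upper-case remark is now orphaned. In @@ -1339, "the system level create() function executes with the SUID user and/or SGID group of the directory" should be verified on the Linux platforms the book covers: the listing at @@ -1393 shows the user owner becoming bobj after "chmod ug+s", and that depends on the filesystem honouring setuid on directories.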
@@ -1371,9 +1328,9 @@ drwxr-xr-x 21 root root 600 Dec 17 23:15 .. drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/ drwx------ 2 root root 48 Jan 26 2002 lost+found - In this example, if the user maryv creates a file, it would be owned by her. + In this example, if the user maryv creates a file, it is owned by her. If maryv has the primary group of Accounts, the file is - owned by the group Accounts as shown in this listing: + owned by the group Accounts, as shown in this listing: &rootprompt; ls -al /data/accounts/maryvfile.txt drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53 @@ -1393,7 +1350,7 @@ drwx------ 2 root root 48 Jan 26 2002 lost+found If maryv creates a file in this directory after this change has been made, the file is owned by the user bobj, and the group is set to the group - Domain Users as shown here: + Domain Users, as shown here: &rootprompt; chmod ug+s /data/accounts &rootprompt; ls -al /data/accounts/maryvfile.txt @@ -1414,12 +1371,12 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt data access The integrity of shared data is often viewed as a particularly emotional issue, especially where - there are concurrent problems with multi-user data access. Contrary to the assertions of some who have + there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. - The solution to concurrent multi-user data access problems must consider three separate areas + The solution to concurrent multiuser data access problems must consider three separate areas from which the problem may stem: locking Application level 
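Review bot: the listings in @@ -1371 and @@ -1393 show "ls -al /data/accounts/maryvfile.txt" returning "drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53" and "drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt": a regular file listed with the directory type bit ("d") and a link count of 2, and the first listing has no file name at all. If these are illustrative rather than captured, the mode string should read "-rw-rw-r--" and the link count 1, otherwise readers comparing against real output will think something is wrong with their system.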
@@ -1433,9 +1390,9 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt - application level locking controls. - client side locking controls. - server side locking controls. + application-level locking controls + client-side locking controls + server-side locking controls @@ -1445,7 +1402,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance - is provided given that this is the most common application for which problems have been reported. + is provided here because this is the most common application for which problems have been reported. @@ -1463,7 +1420,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt The best advice that can be given is to carefully read the Microsoft knowledge base articles that - cover this area. Examples of relevant documents includes: + cover this area. Examples of relevant documents include: @@ -1478,8 +1435,8 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt exclusive open - Make sure that your MS Access database file is configured for multi-user access (not set for - exclusive open). Open MS Access on each client workstation then set the following: + Make sure that your MS Access database file is configured for multiuser access (not set for + exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) ToolsOptions[tab] General . Set network path to Default database folder: \\server\share\folder. @@ -1503,7 +1460,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt You must now commit the changes so that they will take effect. To do so, click ApplyOk. At this point, you should exit MS Access, restart - it and then validate that these settings have not changed. + it, and then validate that these settings have not changed. 
@@ -1516,10 +1473,10 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt data corruption - Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you + Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site - knowledge-base articles + knowledgebase articles 1998223162925 as well as from article 200110485036. @@ -1549,7 +1506,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt Third-party Windows applications may not be compatible with the use of opportunistic file and record locking. For applications that are known not to be compatible,Refer to - the application manufacturers' installation guidelines and knowledge base for specific + the application manufacturer's installation guidelines and knowledge base for specific information regarding compatibility. It is often safe to assume that if the software manufacturer does not specifically mention incompatibilities with opportunistic file and record locking, or with Windows client file caching, the application is probably @@ -1568,7 +1525,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt Oplocks enable a Windows client to cache parts of a file that are being edited. Another windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation - that had the file open with a write lock to release it's lock. Before + that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive. 
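Review bot: @@ -1516 introduces "running Samba,or Windows NT, 200x, or XP" with no space after the first comma; suggest "running Samba, Windows NT, 200x, or XP". @@ -1549 corrects "manufacturers'" to "manufacturer's" but leaves "For applications that are known not to be compatible,Refer to" on the line directly above (missing space and stray capital). In the ACT! paragraph, "knowledgebase articles 1998223162925 as well as from article 200110485036" appears to have lost the separator between two article identifiers; check the link markup.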
@@ -1579,7 +1536,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the - samba server. + Samba server. @@ -1600,7 +1557,7 @@ On the server: - The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4 + The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 workstation clients must be configured as shown here: REGEDIT4 @@ -1616,8 +1573,8 @@ REGEDIT4 - Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13. - The information provided in that chapter was obtained from a wide variety of sources. + Comprehensive coverage of file and record-locking controls is provided in TOSHARG, Chapter 13. + The information in that chapter was obtained from a wide variety of sources. diff --git a/docs/Samba-Guide/SBE-Appendix2.xml b/docs/Samba-Guide/SBE-Appendix2.xml index d57c519fafe..c2e8f29de03 100644 --- a/docs/Samba-Guide/SBE-Appendix2.xml +++ b/docs/Samba-Guide/SBE-Appendix2.xml @@ -6,7 +6,7 @@ You are about to use the equivalent of a microscope to look at the information that runs through the veins of a Windows network. We do more to observe the information than - to interrogate it. When you are done with this chapter, you should have a good understanding + to interrogate it. When you are done with this primer, you should have a good understanding of the types of information that flow over the network. Do not worry, this is not a biology lesson. We won't lose you in unnecessary detail. Think to yourself, This is easy, then tackle each exercise without fear. 
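Review bot: @@ -1579 capitalizes "Samba server" but leaves "Disabling of Oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share" with "Oplocks" capitalized mid-sentence, while the surrounding text writes "opportunistic locking" and @@ -1568 writes "Another windows client" in lower case; suggest "oplocks" and "Windows". @@ -1600 ends at "REGEDIT4" with the registry entries the sentence promises outside the hunk; confirm they survived the edit, since the paragraph says the clients "must be configured as shown here".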
@@ -14,13 +14,13 @@ Samba can be configured with a minimum of complexity. Simplicity should be mastered - before you get too deeply into complexities. Let's get moving, we have work to do. + before you get too deeply into complexities. Let's get moving: we have work to do. Requirements and Notes - Successful completion of this chapter requires two Microsoft Windows 9x/Me Workstations, + Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet card connected using a hub. Also required is one additional server (either Windows NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network @@ -36,7 +36,7 @@ You may find more information regarding this tool from the Ethereal Web site. Ethereal installation files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with - SUSE and Red Hat Linux distributions, as well as many other Linux distributions. It may + SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may not be installed on your system by default. If it is not installed, you may also need to install the libpcap software before you can install or use Ethereal. Please refer to the instructions for your operating system or to the Ethereal Web site 
@@ -45,12 +45,12 @@ To obtain ethereal for your system, please visit the Ethereal - download site. + download site. - The successful completion of this chapter requires that you capture network traffic - using ethereal. It is recommended that you use a hub, not an + The successful completion of this appendix requires that you capture network traffic + using Ethereal. It is recommended that you use a hub, not an Ethernet switch. It is necessary for the device used to act as a repeater, not as a filter. Ethernet switches may filter out traffic that is not directed at the machine that is used to monitor traffic; this would not allow you to complete the projects. @@ -69,9 +69,9 @@ protocol analysis - Please do not be alarmed at the use of a high-powered analysis tool (ethereal) in this - first chapter. We expose you only to a minimum of detail necessary to complete - the exercises in this chapter. If you choose to use any other network sniffer and protocol + Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this + primer. We expose you only to a minimum of detail necessary to complete + the exercises. If you choose to use any other network sniffer and protocol analysis tool, be advised that it may not allow you to examine the contents of recently added security protocols used by Windows 200x/XP. @@ -93,7 +93,7 @@ Introduction - The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows + The purpose of this appendix is to create familiarity with key aspects of Microsoft Windows network computing. If you want a solid technical grounding, do not gloss over these exercises. The points covered are recurrent issues on the Samba mailing lists. 
@@ -132,7 +132,7 @@ You are about to witness how Microsoft Windows computer networking functions. The exercises step through identification of how a client machine establishes a connection to a remote Windows server. You observe how Windows machines find - each other (i.e., how browsing works), and how the two key types of user identification + each other (i.e., how browsing works) and how the two key types of user identification (share mode security and user mode security) are affected. @@ -142,7 +142,7 @@ The networking protocols used by MS Windows networking when working with Samba use TCP/IP as the transport protocol. The protocols that are specific to Windows - networking are encapsulated in TCP/IP. The network analyzer we use (ethereal) + networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal) is able to show you the contents of the TCP/IP packets (or messages). @@ -171,7 +171,7 @@ Review traces of network logons for a Windows 9x/Me client as well as - a Domain logon for a Windows XP Professional client. + a domain logon for a Windows XP Professional client. @@ -187,7 +187,7 @@ two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98. Each needs an IP address; we used 10.1.1.10 and 10.1.1.11. The test machines need to be networked via a hub. A UNIX/Linux - machine is required to run ethereal to enable the network activity to be captured. + machine is required to run Ethereal to enable the network activity to be captured. It is important that the machine from which network activity is captured must not interfere with the operation of the Windows workstations. It is helpful for this machine to be passive (does not send broadcast information) to the network. 
@@ -199,10 +199,10 @@ - Windows 98 &smbmdash; name: MILGATE98. - Windows Me &smbmdash; name: WINEPRESSME. - Windows XP Professional &smbmdash; name: LightrayXP. - Samba-3.0.20 running on a SUSE Enterprise Linux 9. + Windows 98 &smbmdash; name: MILGATE98 + Windows Me &smbmdash; name: WINEPRESSME + Windows XP Professional &smbmdash; name: LightrayXP + Samba-3.0.20 running on a SUSE Enterprise Linux 9 @@ -211,17 +211,17 @@ ethereal - The network captures provided on the CD-ROM at the back of this book were captured using ethereal + The network captures provided on the CD-ROM included with this book were captured using Ethereal version 0.10.6. A later version suffices without problems, but an earlier version may not expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all packets has also been included. This makes it possible for you to do all the studying you like without the need to - perform the time-consuming equipment configuration and test work. This is a good time to point out the value + perform the time-consuming equipment configuration and test work. This is a good time to point out that the value that can be derived from this book really does warrant your taking sufficient time to practice each exercise with care and attention to detail. - Single Machine Broadcast Activity + Single-Machine Broadcast Activity In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. @@ -253,7 +253,7 @@ Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring, - do not press any keyboard keys, do not click any on-screen icons or menus; and do not answer any dialog boxes. + do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. 
@@ -273,7 +273,7 @@ The summary of the first 10 minutes of the packet capture should look like . - A screen-shot of a later stage of the same capture is shown in . + A screenshot of a later stage of the same capture is shown in . @@ -294,7 +294,7 @@ Broadcast messages observed are shown in . Actual observations vary a little, but not by much. - Early in the startup process, the Windows Me machine broadcasts its name for two reasons; + Early in the startup process, the Windows Me machine broadcasts its name for two reasons: first to ensure that its name would not result in a name clash, and second to establish its presence with the Local Master Browser (LMB). 
@@ -319,91 +319,91 @@ WINEPRESSME<00> Reg 8 - 4 lots of 2, 0.6 sec apart. + 4 lots of 2, 0.6 sec apart WINEPRESSME<03> Reg 8 - 4 lots of 2, 0.6 sec apart. + 4 lots of 2, 0.6 sec apart WINEPRESSME<20> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<00> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1d> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1e> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1b> Qry 84 - 300 sec apart at stable operation. + 300 sec apart at stable operation __MSBROWSE__ Reg 8 - Registered after winning election to Browse Master. + Registered after winning election to Browse Master JHT<03> Reg 8 - 4 x 2. This is the name of the user that logged onto Windows. + 4 x 2. This is the name of the user that logged onto Windows Host Announcement WINEPRESSME Ann 2 - Observed at 10 sec. + Observed at 10 sec Domain/Workgroup Announcement MIDEARTH Ann 18 - 300 sec apart at stable operation. + 300 sec apart at stable operation Local Master Announcement WINEPRESSME Ann 18 - 300 sec apart at stable operation. + 300 sec apart at stable operation Get Backup List Request Qry 12 - 6 x 2 early in startup, 0.5 sec apart. + 6 x 2 early in startup, 0.5 sec apart Browser Election Request Ann 10 - 5 x 2 early in startup. + 5 x 2 early in startup Request Announcement WINEPRESSME Ann 4 - Early in startup. + Early in startup @@ -415,7 +415,7 @@ browse master From the packet trace, it should be noted that no messages were propagated over TCP/IP; - all employed UDP/IP. When steady state operation has been achieved, there is a cycle + all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle of various announcements, re-election of a browse master, and name queries. These create the symphony of announcements by which network browsing is made possible. 
@@ -423,9 +423,9 @@ CIFS - For detailed information regarding the precise behavior of the CIFS/SMB protocols, the - reader is referred to the book Implementing CIFS: The Common Internet File System, - by Christopher Hertel, Publisher: Prentice Hall PTR, ISBN: 013047116X. + For detailed information regarding the precise behavior of the CIFS/SMB protocols, + refer to the book Implementing CIFS: The Common Internet File System, + by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X). @@ -436,7 +436,7 @@ Second Machine Startup Broadcast Interaction - At this time, the machine you used to capture the single system startup trace should still be running. + At this time, the machine you used to capture the single-system startup trace should still be running. The objective of this task is to identify the interaction of two machines in respect to broadcast activity. @@ -465,7 +465,7 @@ - Start the second Windows 9x/Me machine. Let it run for 15-20 minutes. While monitoring, do not press + Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. @@ -489,7 +489,7 @@ Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash (i.e., the name is already registered by another machine) on the network segment. Those wishing to explore the inner details of the precise mechanism of how this functions should refer to - the book Implementing CIFS: The Common Internet File System, referred to previously. + Implementing CIFS: The Common Internet File System. 
@@ -512,67 +512,67 @@ MILGATE98<00>Reg8 - 4 lots of 2, 0.6 sec apart. + 4 lots of 2, 0.6 sec apart MILGATE98<03> Reg 8 - 4 lots of 2, 0.6 sec apart. + 4 lots of 2, 0.6 sec apart MILGATE98<20> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<00> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1d> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1e> Reg 8 - 4 lots of 2, 0.75 sec apart. + 4 lots of 2, 0.75 sec apart MIDEARTH<1b> Qry 18 - 900 sec apart at stable operation. + 900 sec apart at stable operation JHT<03> Reg 2 - This is the name of the user that logged onto Windows. + This is the name of the user that logged onto Windows Host Announcement MILGATE98 Ann 14 - Every 120 sec. + Every 120 sec Domain/Workgroup Announcement MIDEARTH Ann 6 - 900 sec apart at stable operation. + 900 sec apart at stable operation Local Master Announcement WINEPRESSME Ann 6 - Insufficient detail to determine frequency. + Insufficient detail to determine frequency @@ -621,7 +621,7 @@ Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both - machines using a user name (JHT) of your choice. Wait approximately two minutes before proceeding. + machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding. @@ -674,7 +674,7 @@ password length User Mode - Dissect this packet as per the one above. This packet should have a password length + Dissect this packet as per the previous one. This packet should have a password length of 24 (characters) and should have a password field, the contents of which is a long hexadecimal number. Observe the name in the Account field. This is a User Mode session setup packet. 
@@ -687,7 +687,7 @@ IPC$ The IPC$ share serves a vital purposeTOSHARG, Sect 4.5.1 - in SMB/CIFS based networking. A Windows client connects to this resource to obtain the list of + in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of resources that are available on the server. The server responds with the shares and print queues that are available. In most but not all cases, the connection is made with a NULL username and a NULL password. @@ -695,7 +695,7 @@ account credentials - The two packets examined are material evidence with respect to how Windows clients may + The two packets examined are material evidence of how Windows clients may interoperate with Samba. Samba requires every connection setup to be authenticated using valid UNIX account credentials (UID/GID). This means that even a NULL session setup can be established only by automatically mapping it to a valid UNIX @@ -707,8 +707,8 @@ guest account nobody - Samba has a special name for the NULL, or empty, user account. - It calls that the . The + Samba has a special name for the NULL, or empty, user account: + it calls it the . The default value of this parameter is nobody; however, this can be changed to map the function of the guest account to any other UNIX identity. Some UNIX administrators prefer to map this account to the system default anonymous @@ -730,7 +730,7 @@ (/etc/passwd), the operation of the NULL account cannot validate and thus connections that utilize the guest account fail. This breaks all ability to browse the Samba server and is a common - problem reported on the Samba mailing list. A sample User Mode Session Setup AndX + problem reported on the Samba mailing list. A sample User Mode session setup AndX is shown in . 
@@ -772,20 +772,20 @@ To complete this exercise, you need a Windows XP Professional client that has been configured as - a Domain Member of either a Samba controlled domain or a Windows NT4 or 200x Active Directory domain. - Here we do not provide details for how to configure this, as full coverage is provided later in this book. + a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. + Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. Steps to Explore Windows XP Pro Connection Set-up - Start your Domain Controller. Also, start the ethereal monitoring machine, launch ethereal, + Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal, and then wait for the next step to complete. - Start the Windows XP Client and wait five minutes before proceeding. + Start the Windows XP Client and wait 5 minutes before proceeding. @@ -810,12 +810,12 @@ - On the Windows XP Professional client: Press Ctrl-Alt-Delete to bring + On the Windows XP Professional client, press Ctrl-Alt-Delete to bring up the domain logon screen. Log in using valid credentials for a domain user account. - Now proceed to connect to the Domain Controller as follows: + Now proceed to connect to the domain controller as follows: Start (right-click) My Network Places @@ -839,8 +839,8 @@ - If desired, the Windows XP Professional client and the Domain Controller are no longer needed for exercises - in this chapter. + If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises + in this appendix. 
@@ -858,7 +858,7 @@ Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a NULL session setup packet. - The User name: NULL indicates this. An example decode is shown in + The User name: NULL so indicates. An example decode is shown in . @@ -874,17 +874,17 @@ Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a User Mode session setup packet. - The User name: jht indicates this. An example decode is shown in + The User name: jht so indicates. An example decode is shown in . In this case the user name was jht. This packet decode includes the Lan Manager Response: and the NTLM Response:. - The value of these two parameters is the Microsoft encrypted password hashes, respectively, the LanMan + The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash. password length User Mode - The passwords are 24 characters long hexadecimal numbers. This packet confirms that this is a User Mode + The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode session setup packet. 
@@ -922,24 +922,23 @@ Conclusions to Exercises - In summary, the following points have been established in this chapter: + In summary, the following points have been established in this appendix: - When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast - oriented messaging protocols to provide knowledge of network services. + When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. - Network browsing protocols query information stored on Browse Masters that manage - information provided by NetBIOS Name Registrations and by way of on-going Host - Announcements and Workgroup Announcements. + Network browsing protocols query information stored on browse masters that manage + information provided by NetBIOS Name Registrations and by way of ongoing host + announcements and workgroup announcements. All Samba servers must be configured with a mechanism for mapping the NULL-Session - to a valid but non-privileged UNIX system account. + to a valid but nonprivileged UNIX system account. @@ -947,8 +946,8 @@ networking operations. Such passwords cannot be provided from the UNIX /etc/passwd database and thus must be stored elsewhere on the UNIX system in a manner that Samba can use. Samba-2.x permitted such encrypted passwords to be stored in the smbpasswd - file or in an LDAP database. Samba-3 permits that use of multiple different passdb backend - databases, in concurrent deploy. Refer to TOSHARG, Chapter 10, Account Information Databases. + file or in an LDAP database. Samba-3 permits use of multiple passdb backend + databases in concurrent deployment. Refer to TOSHARG, Chapter 10, Account Information Databases. @@ -968,7 +967,7 @@ Those wishing background information regarding NetBIOS name types should refer to - the Microsoft Knowledge Base Article + the Microsoft knowledgebase article Q102878. 
@@ -1011,7 +1010,7 @@ DMB This is a broadcast announcement by which the Windows machine is attempting to locate a Domain Master Browser (DMB) in the event that it might exist on the network. - Refer to TOSHARG Chapter 9, Section 9.7, Technical Overview of Browsing + Refer to TOSHARG, Chapter 9, Section 9.7, Technical Overview of Browsing, for details regarding the function of the DMB and its role in network browsing. @@ -1031,9 +1030,9 @@ Local Master BrowserLMB LMB - This name registration records the machine IP addresses of the Local Master Browsers (LMBs). + This name registration records the machine IP addresses of the LMBs. Network clients can query this name type to obtain a list of browser servers from the - Master Browser. + master browser. @@ -1048,7 +1047,7 @@ - The IP addresses of all Domain Controllers known for the Domain + The IP addresses of all domain controllers known for the domain @@ -1080,9 +1079,9 @@ Browse Master - This name is registered by the Browse Master to broadcast and receive domain announcements. + This name is registered by the browse master to broadcast and receive domain announcements. Its scope is limited to the local network segment, or subnet. By querying this name type, - Master Browsers on networks that have multiple domains can find the names of Master Browsers + master browsers on networks that have multiple domains can find the names of master browsers for each domain. 
@@ -1101,9 +1100,9 @@ Browser Election Service - This name is registered by all Browse Masters in a domain or workgroup. The registration - name type is known as the Browser Election Service. Master Browsers register themselves - with this name type so that Domain Master Browsers can locate them to perform cross-subnet + This name is registered by all browse masters in a domain or workgroup. The registration + name type is known as the Browser Election Service. Master browsers register themselves + with this name type so that DMBs can locate them to perform cross-subnet browse list updates. This name type is also used to initiate elections for Master Browsers. @@ -1132,7 +1131,7 @@ It should be noted that the guest account is essential to Samba operation. Either the operating system must have an account called nobody - or there must be an entry in the &smb.conf; file with a valid UNIX account. For example, + or there must be an entry in the &smb.conf; file with a valid UNIX account, such as ftp. @@ -1153,7 +1152,7 @@ WINS NetBIOS Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG, Chapter 9, - Section 9.5, WINS &smbmdash; The Windows Inter-networking Name Server), the + Section 9.5, WINS &smbmdash; The Windows Inter-networking Name Server); the alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires a correctly configured DNS server (see TOSHARG, Chapter 9, Section 9.3, Discussion). @@ -1191,7 +1190,7 @@ - First, the use of /etc/passwd based plain-text passwords requires that registry + First, the use of /etc/passwd-based plain-text passwords requires that registry modifications be made on all MS Windows client machines to enable plain-text passwords support. This significantly diminishes the security of MS Windows client operation. Many network administrators are bitterly opposed to doing this. 
@@ -1199,7 +1198,7 @@ Second, Microsoft has not maintained plain-text password support since the default setting was made - disabling this. When network connections are dropped by the client it is not be possible to re-establish + disabling this. When network connections are dropped by the client, it is not possible to re-establish the connection automatically. Users need to log off and then log on again. Plain-text password support may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing environment. @@ -1207,7 +1206,7 @@ Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling. - Just create user accounts by running: smbpasswd -a 'username' + Just create user accounts by running smbpasswd -a 'username' @@ -1243,7 +1242,7 @@ Is it necessary to specify Yes - when Samba-3 is configured as a Domain Member? + when Samba-3 is configured as a domain member? @@ -1261,7 +1260,7 @@ Is it necessary to specify a guest account when Samba-3 is configured - as a Domain Member server? + as a domain member server? diff --git a/docs/Samba-Guide/SBE-DomainAppsSupport.xml b/docs/Samba-Guide/SBE-DomainAppsSupport.xml index c57f0190711..49dafda9fa6 100644 --- a/docs/Samba-Guide/SBE-DomainAppsSupport.xml +++ b/docs/Samba-Guide/SBE-DomainAppsSupport.xml 
@@ -2,22 +2,17 @@ - Integrating Additional Services +Integrating Additional Services - - authentication - - backends - - smbpasswd - - ldapsam - - Active Directory - + + authentication + backends + smbpasswd + ldapsam + Active Directory You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading - role and where authentication was required, you have used one or another of + role, and where authentication was required, you have used one or another of Samba's many authentication backends (from flat text files with smbpasswd to LDAP directory integration with ldapsam). Now you can design a solution for a new Abmas business. This business is running Windows Server @@ -39,9 +34,9 @@ With this acquisition comes new challenges for you and your team. Abmas Snack - Foods is a well-developed business with a huge and heterogeneous network. They - already have Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. - The network is mature and well established, and there is no question of their chosen + Foods is a well-developed business with a huge and heterogeneous network. It + already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. + The network is mature and well established, and there is no question of its chosen user authentication scheme being changed for now. You need to take a wise new approach. @@ -53,15 +48,11 @@ - Assignment Tasks + Assignment Tasks - - web - proxying - - web - caching - + + webproxying + webcaching You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business 
@@ -69,34 +60,29 @@ acquisition). You have chosen Web proxying and caching as your proving ground. - - bandwidth - - Microsoft ISA - - Abmas Snack Foods has several thousand users housed at their Head Office + + bandwidth + Microsoft ISA + Abmas Snack Foods has several thousand users housed at its head office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these - users is essential. All Internet access, including all of their regional offices, + users is essential. All Internet access, including for all regional offices, is funneled through the head office and is the job of the (now your) networking team. The bandwidth requirements were horrific (comparable to a small ISP), and the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA. - - Active Directory - - authenticated - - proxy - + + Active Directory + authenticated + proxy The team is not happy with ISA. Because it never lived up to its marketing promises, - it under-performed and had reliability problems. You have pounced on the opportunity + it underperformed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's integration with Active Directory. They like that their users, once logged on, are automatically authenticated against the proxy. If your alternative to ISA - can operate completely seamlessly in their Active Directory Domain, it will be + can operate completely seamlessly in their Active Directory domain, it will be approved. @@ -109,7 +95,7 @@ - Dissection and Discussion +Dissection and Discussion The key requirements in this business example are straightforward. You are not required 
@@ -133,42 +119,26 @@ Technical Issues - - browsing - - Squid proxy - - proxy - - authentication - - Internet Explorer - - winbind - - NTLM - - NTLM authentication daemon - - authentication - - daemon - - Active Directory - - domain - Active Directory - - Kerberos - - token - + + browsing + Squid proxy + proxy + authentication + Internet Explorer + winbind + NTLM + NTLM authentication daemon + authentication + daemon + Active Directory + domainActive Directory + Kerberostoken Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application called ntlm_auth. This helper is a hook into winbind, the Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate - against Microsoft Windows Domains, including Active Directory domains. As Active + against Microsoft Windows domains, including Active Directory domains. As Active Directory authentication is a modified Kerberos authentication, winbind is assisted in this by local Kerberos 5 libraries configured to check passwords with the Active Directory server. Once the token has been checked, a browsing session is established. @@ -181,7 +151,7 @@ - Preparing the necessary environment using pre-configured packages + Preparing the necessary environment using preconfigured packages @@ -204,7 +174,7 @@ Political Issues - You are a stranger in a strange land and all eyes are upon you. Some would even like to see + You are a stranger in a strange land, and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a 
@@ -218,9 +188,8 @@ Implementation - - Squid - + + Squid First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 @@ -228,18 +197,15 @@ they must be removed. - - Red Hat Linux - + + Red Hat Linux The following packages should be available on your Red Hat Linux system: - - krb5 - - Kerberos - + + krb5 + Kerberos krb5-libs @@ -260,9 +226,8 @@ - - SUSE Linux - + + SUSE Linux In the case of SUSE Linux, these packages are called: @@ -275,9 +240,8 @@ heimdal-devel - - Heimdal - + + Heimdal heimdal @@ -292,45 +256,36 @@ for your Linux system to ensure that the packages are correctly updated. - - MS Windows Server 2003 - - Kerberos - - MIT - - If the requirement is for inter-operation with MS Windows Server 2003, it + + MS Windows Server 2003 + Kerberos + MIT + If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating. - - Heimdal - - SUSE Enterprise Linux Server - + + Heimdal + SUSE Enterprise Linux Server Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. - Removal of Pre-existing Conflicting RPMs + Removal of Pre-Existing Conflicting RPMs - - Squid - + + Squid If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source. - - rpm - - samba - - squid - + + rpm + samba + squid Locating the packages to be un-installed can be achieved by running: &rootprompt; rpm -qa | grep -i samba 
@@ -345,110 +300,80 @@ Kerberos Configuration - - Kerberos - - Active Directory - server - - ADS - - KDC - + + Kerberos + Active Directoryserver + ADS + KDC The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC). - Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results, + Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers. - - MIT - - Heimdal - - Kerberos - - /etc/krb5.conf - - DNS - SRV records - - KDC - - DNS - lookup - - Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an /etc/krb5.conf + + MIT + Heimdal + Kerberos + /etc/krb5.conf + DNSSRV records + KDC + DNSlookup + Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both MIT and Heimdal, KRB5 libraries default to checking for these records, so they - automatically find the KDCs. In addition, krb5.conf only allows - specifying a single KDC, even there if there is more than one. Using the DNS lookup + automatically find the KDCs. In addition, krb5.conf allows + specifying only a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. Kerberos Configuration Steps - - krb5.conf - + + krb5.conf If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in . The final fully qualified path for this file should be /etc/krb5.conf. 
- - Kerberos - - realm - - case-sensitive - - KDC - - synchronization - - initial credentials - - Clock skew - - NTP - - DNS - lookup - - reverse DNS - - NetBIOS name - - /etc/hosts - - mapping - + + Kerberos + realm + case-sensitive + KDC + synchronization + initial credentials + Clock skew + NTP + DNSlookup + reverse DNS + NetBIOS name + /etc/hosts + mapping The following gotchas often catch people out. Kerberos is case sensitive. Your realm must be in UPPERCASE, or you will get an error: Cannot find KDC for requested realm while getting initial credentials. Kerberos is picky about time synchronization. The time - according to your participating servers must be within 5 minutes or you get an error + according to your participating servers must be within 5 minutes or you get an error: kinit(v5): Clock skew too great while getting initial credentials. Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 5 minutes). A better solution is to implement NTP throughout your server network. Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to must either be the NetBIOS name of - the KDC (i.e., the hostname with no domain attached), or it can alternately be the + the KDC (i.e., the hostname with no domain attached) or the NetBIOS name followed by the realm. If all else fails, you can add a /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm. - - kinit - + + kinit You are now ready to test your installation by issuing the command: &rootprompt; kinit [USERNAME@REALM] 
@@ -479,48 +404,40 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: klist - The command: + The command &rootprompt; klist -e - shows the Kerberos tickets cached by the system: + shows the Kerberos tickets cached by the system. Samba Configuration - - Active Directory - - Samba must be configured to correctly use Active Directory. Samba-3 must be used, as - this has the necessary components to interface with Active Directory. + + Active Directory + Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it + has the necessary components to interface with Active Directory. Securing Samba-3 With ADS Support Steps - - Red Hat Linux - - Samba Tea - - Red Hat Fedora Linux - - MIT KRB5 - - ntlm_auth - + + Red Hat Linux + Samba Tea + Red Hat Fedora Linux + MIT KRB5 + ntlm_auth Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool - needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use. + needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use. - - SerNet - - RPMs - + + SerNet + RPMs The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary @@ -533,19 +450,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: file so it has contents similar to the example shown in . - - computer account - - Active Directory - - net - ads - join - - Kerberos ticket - - ticket - + + computer account + Active Directory + netadsjoini + Kerberos ticket + ticket Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. 
@@ -556,20 +466,14 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: - - smbd - - nmbd - - winbindd - - Active Directory - - Samba - + + smbd + nmbd + winbindd + Active Directory + Samba Your new Samba binaries must be started in the standard manner as is applicable - to the platform you are running on. Alternately, start your Active Directory - enabled Samba with the following commands: + to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands: &rootprompt; smbd -D &rootprompt; nmbd -D @@ -577,19 +481,12 @@ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: - - winbind - - Active Directory - domain - - wbinfo - - enumerating - - Active Directory - tree - + + winbind + Active Directorydomain + wbinfo + enumerating + Active Directorytree We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: @@ -623,11 +520,9 @@ LONDON+DnsUpdateProxy This enumerates all the groups in your Active Directory tree. - - Squid - - ntlm_auth - + + Squid + ntlm_auth Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command: @@ -640,23 +535,15 @@ password: XXXXXXXX - - ntlm_auth - - authenticate - - winbind - - privileged pipe - - squid - - chgrp - - chmod - - failure - + + ntlm_auth + authenticate + winbind + privileged pipe + squid + chgrp + chmod + failure The ntlm_auth helper, when run from a command line as the user root, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. @@ -682,13 +569,10 @@ password: XXXXXXXX NSS Configuration - - NSS - - winbind - - authentication - + + NSS + winbind + authentication For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. 
@@ -735,12 +619,9 @@ group: files winbind Squid Configuration - - Squid - - Active Directory - authentication - + + Squid + Active Directoryauthentication Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. @@ -755,30 +636,22 @@ group: files winbind Squid Configuration Steps - - SUSE Linux - - Squid - - helper agent - + + SUSE Linux + Squid + helper agent If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You - can, therefore, omit the steps that would build the Squid binary + can therefore omit the steps that would build the Squid binary programs. - - nobody - - squid - - rpms - - /etc/passwd - - /etc/group - + + nobody + squid + rpms + /etc/passwd + /etc/group Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default @@ -787,11 +660,9 @@ group: files winbind and a squid group in /etc/group if these aren't there already. - - permissions - - chown - + + permissions + chown You now need to change the permissions on Squid's var directory. Enter the following command: @@ -799,11 +670,9 @@ group: files winbind - - logging - - Squid - + + logging + Squid Squid must also have control over its logging. Enter the following commands: &rootprompt; chown -R chown squid:squid /var/log/squid @@ -820,16 +689,14 @@ group: files winbind - - /etc/squid/squid.conf - + + /etc/squid/squid.conf The /etc/squid/squid.conf file must be edited to include the lines from and . - - cache directories - + + cache directories You must create Squid's cache directories before it may be run. Enter the following command: &rootprompt; squid -z 
@@ -876,19 +743,12 @@ group: files winbind Key Points Learned - - Web browsers - - services - - authentication protocols - - Web - proxy - access - - NTLMSSP - + + Web browsers + services + authentication protocols + Webproxyaccess + NTLMSSP Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, @@ -904,15 +764,11 @@ group: files winbind Questions and Answers - - ntlm_auth - - SambaXP conference - - Goettingen - - Italian - + + ntlm_auth + SambaXP conference + Goettingen + Italian The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the @@ -921,20 +777,20 @@ group: files winbind The largest report from a site that uses Squid with ntlm_auth-based authentication - support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000 + support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000 users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following comments were made with respect to questions regarding the performance of this installation:
- [In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The almost + [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The almost part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
- You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory. + You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. 
@@ -950,57 +806,38 @@ group: files winbind - - transparent inter-operability - - Windows clients - - network - services - - authentication - - wrapper - + + transparent inter-operability + Windows clients + networkservices + authentication + wrapper To provide transparent interoperability between Windows clients and the network services - that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit + that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project. - - plain-text - - authentication - plain-text - - Web - proxy - - FTP - proxy - - NTLMSSP - - logon credentials - - Windows explorer - - Internet Information Server - - Apache Web server - + + plain-text + authenticationplain-text + Webproxy + FTPproxy + NTLMSSP + logon credentials + Windows explorer + Internet Information Server + Apache Web server The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without - the user being interrupted via his/her Windows logon credentials. This facility is available with - MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server. + the user being interrupted via his or her Windows logon credentials. This facility is available with + MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server. There are a few open source initiatives to provide support for these protocols in the Apache Web server also. - - wrapper - + + wrapper The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. 
@@ -1018,45 +855,33 @@ group: files winbind - - winbindd - - Identity resolver - - daemon - - smbd - - file and print server - + + winbindd + Identity resolver + daemon + smbd + file and print server Samba-3 is a file and print server. The core components that provide this functionality are smbd, - nmbd, and the Identity resolver daemon, winbindd. + nmbd, and the identity resolver daemon, winbindd. - - SMB/CIFS - - smbclient - + + SMB/CIFS + smbclient Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient. - - modules - - utilities - - validation - - inter-operability - - authentication - - Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities. + + modules + utilities + validation + inter-operability + authentication + Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux - servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts + servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules - to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial + to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). 
@@ -1075,7 +900,7 @@ group: files winbind Not really. Samba's ntlm_auth module handles only authentication. It requires that - Squid make an external call to ntlm_auth and, therefore, actually incurs a + Squid make an external call to ntlm_auth and therefore actually incurs a little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide sufficient memory when using Squid. Just add a little more to accommodate ntlm_auth. diff --git a/docs/Samba-Guide/SBE-HighAvailability.xml b/docs/Samba-Guide/SBE-HighAvailability.xml index 8f60733ccbb..1f2f38aa083 100644 --- a/docs/Samba-Guide/SBE-HighAvailability.xml +++ b/docs/Samba-Guide/SBE-HighAvailability.xml @@ -2,18 +2,15 @@ - Performance, Reliability, and Availability +Performance, Reliability, and Availability - - performance - - reliability - - availability - - Well, you have reached the chapter before the Appendix. It is customary to attempt + + performance + reliability + availability + Well, you have reached the chapter before the appendix. It is customary to attempt to wrap up the theme and contents of a book in what is generally regarded as the - chapter that should draw conclusions. This book is a suspense thriller and since + chapter that should draw conclusions. This book is a suspense thriller, and since the plot of the stories told mostly lead you to bigger, better Samba-3 networking solutions, it is perhaps appropriate to close this book with a few pertinent comments regarding some of the things everyone can do to deliver a reliable Samba-3 network. @@ -26,9 +23,8 @@ Introduction - - clustering - + + clustering The sparrow is a small bird whose sounds are drowned out by the noise of the busy world it lives in. Likewise, the simple steps that can be taken to improve the reliability and availability of a Samba network are often drowned out by the volume 
@@ -38,13 +34,10 @@ custom tools and methods. Only passing comments are offered concerning these methods. - - cluster - - samba cluster - - scalability - + + cluster + samba cluster + scalability A search for samba cluster produced 71,600 hits. And a search for highly available samba and highly available windows produced an amazing number of references. @@ -52,9 +45,8 @@ availability, reliability, and scalability are of vital interest to corporate network users. - - performance - + + performance So without further background, you can review a checklist of simple steps that can be taken to ensure acceptable network performance while keeping costs of ownership well under control. @@ -65,11 +57,9 @@ Dissection and Discussion - - simple - - complexities - + + simple + complexities If it is your purpose to get the best mileage out of your Samba servers, there is one rule that must be obeyed. If you want the best, keep your implementation as simple as possible. You may well be forced to introduce some complexities, but you should do so only as a last resort. @@ -81,11 +71,9 @@ complex ones. - - broken behavior - - poor performance - + + broken behavior + poor performance Problems reported by users fall into three categories: configurations that do not work, those that have broken behavior, and poor performance. The term broken behavior means that the function of a particular Samba component appears to work sometimes, but not at 
@@ -95,39 +83,33 @@ and at other times not listing them even though the machines are in use on the network. - - smbfs - - smbmnt - - smbmount - - smbumnt - - smbumount - - front-end - + + smbfs + smbmnt + smbmount + smbumnt + smbumount + front-end A significant number of reports concern problems with the smbfs file system driver that is part of the Linux kernel, not part of Samba. Users continue to interpret that smbfs is part of Samba, simply because Samba includes the front-end tools that are used to manage smbfs-based file service connections. So, just - for the record, the tools smbmnt, smbmount, smbumount, and smbumnt are front-end + for the record, the tools smbmnt, smbmount, + smbumount, and smbumnt are front-end facilities to core drivers that are supplied as part of the Linux kernel. These tools share a common infrastructure with some Samba components, but they are not maintained as part of Samba and are really foreign to it. - - cifsfs - + + cifsfs The new project, cifsfs, is destined to replace smbfs. It, too, is not part of Samba, even though one of the Samba Team members is a prime mover in this project. - The following table lists typical causes of: + Table 13.1 lists typical causes of: @@ -154,55 +136,55 @@
- File Locking + File locking - X - - Hardware Problems + Hardware problems X X X - Incorrect Authentication + Incorrect authentication X X - - Incorrect Configuration + Incorrect configuration X X X - LDAP Problems + LDAP problems X X - - Name Resolution + Name resolution X X X - Printing Problems + Printing problems X X - - Slow File Transfer + Slow file transfer - - X - Winbind Problems + Winbind problems X X - @@ -211,9 +193,8 @@
- - network hygiene - + + network hygiene It is obvious to all that the first requirement (as a matter of network hygiene) is to eliminate problems that affect basic network operation. This book has provided sufficient working examples to help you to avoid all these problems. @@ -224,11 +205,9 @@ Guidelines for Reliable Samba Operation - - resilient - - extreme demand - + + resilient + extreme demand Your objective is to provide a network that works correctly, can grow at all times, is resilient at times of extreme demand, and can scale to meet future needs. The following subject areas provide pointers that can help you today. @@ -239,24 +218,18 @@ There are three basic current problem areas: bad hostnames, routed networks, and network collisions. - These are covered in the discussion below. + These are covered in the following discussion. Bad Hostnames - - DHCP - client - - netbios name - - localhost - - /etc/hosts - - NetBIOS - + + DHCPclient + netbios name + localhost + /etc/hosts + NetBIOS When configured as a DHCP client, a number of Linux distributions set the system hostname to localhost. If the parameter netbios name is not specified to something other than localhost, the Samba server appears 
@@ -269,37 +242,29 @@ correctly. - - digits - + + digits A few sites have tried to name Windows clients and Samba servers with a name that begins with the digits 1-9. This does not work either because it may result in the client or server attempting to use that name as an IP address. - - DNS - name lookup - - resolve - - A Samba server called FRED, in a NetBIOS Domain called COLLISION - in a network environment that is part of the fully qualified Internet domain name space known - as parrots.com, results in DNS name lookups for: fred.parrots.com - and collision.parrots.com. It is, therefore, a mistake to name the Domain - (workgroup) collision.parrots.com since this results in DNS lookup - attempts to resolve: fred.parrots.com.parrots.com, which most likely - fails given that you probably do not have this in your DNS name space. + + DNSname lookup + resolve + A Samba server called FRED in a NetBIOS domain called COLLISION + in a network environment that is part of the fully qualified Internet domain namespace known + as parrots.com results in DNS name lookups for fred.parrots.com + and collision.parrots.com. It is therefore a mistake to name the domain + (workgroup) collision.parrots.com, since this results in DNS lookup + attempts to resolve fred.parrots.com.parrots.com, which most likely + fails given that you probably do not have this in your DNS namespace. - - Active Directory - realm - - ADS - - DNS - + + Active Directoryrealm + ADS + DNS An Active Directory realm called collision.parrots.com is perfectly okay, although it too must be capable of being resolved via DNS, something that functions correctly if Windows 200x ADS has been properly installed and configured. 
@@ -310,63 +275,48 @@ Routed Networks - - NetBIOS - - UDP - broadcast - - broadcast - + + NetBIOS + UDPbroadcast + broadcast NetBIOS networks (Windows networking with NetBIOS over TCP/IP enabled) makes extensive use - of UDP-based broadcast traffic. You saw that during the exercises in Chapter 1. + of UDP-based broadcast traffic, as you saw during the exercises in . - - routers - - forwarded - - multi-subnet - + + routers + forwarded + multi-subnet UDP broadcast traffic is not forwarded by routers. This means that NetBIOS broadcast-based networking cannot function across routed networks (i.e., multi-subnet networks) unless special provisions are made: - - LMHOSTS - - remote announce - - remote browse sync - + + LMHOSTS + remote announce + remote browse sync Either install on every Windows client an LMHOSTS file (located in the directory C:\windows\system32\drivers\etc). It is also necessary to - add to the Samba server &smb.conf; file the parameters: remote announce - and remote browse sync. For more information, refer to the on-line + add to the Samba server &smb.conf; file the parameters remote announce + and remote browse sync. For more information, refer to the online manual page for the &smb.conf; file. - - WINS - server - + + WINSserver Or configure Samba as a WINS server, and configure all network clients to use that WINS server in their TCP/IP configuration. - - WINS - name resolution - - DNS - + + WINSname resolution + DNS The use of DNS is not an acceptable substitute for WINS. DNS does not store specific - information regarding NetBIOS networking particulars that does get stored in the WINS - name resolution database, and that Windows clients require and depend on. + information regarding NetBIOS networking particulars that get stored in the WINS + name resolution database and that Windows clients require and depend on. 
@@ -374,19 +324,12 @@ Network Collisions - - network - collisions - - network - timeouts - - collision rates - - network - load - - Excessive network activity causes NetBIOS network time-outs. Time-outs may result in + + networkcollisions + networktimeouts + collision rates + networkload + Excessive network activity causes NetBIOS network timeouts. Timeouts may result in blue screen of death (BSOD) experiences. High collision rates may be caused by excessive UDP broadcast activity, by defective networking hardware, or through excessive network loads (another way of saying that the network is poorly designed). @@ -394,23 +337,20 @@ The use of WINS is highly recommended to reduce network broadcast traffic, as outlined - in Chapter 1. + in . - - netbios forwarding - - broadcast storms - - performance - + + netbios forwarding + broadcast storms + performance Under no circumstances should the facility be supported by many routers, known as NetBIOS forwarding, unless you know exactly what you are doing. Inappropriate use of this facility can result in UDP broadcast storms. In one case in 1999, a university network became - unusable due to this being enabled on all routers. The problem was discovered during performance - testing of a Samba server. The maximum throughput on a 100-Base-T (100 MBit/sec) network was - less than 15 KBytes/sec. After the NetBIOS forwarding was turned off, file transfer performance - immediately returned to 11 MBytes/sec. + unusable due to NetBIOS forwarding being enabled on all routers. The problem was discovered during performance + testing of a Samba server. The maximum throughput on a 100-Base-T (100 MB/sec) network was + less than 15 KB/sec. After the NetBIOS forwarding was turned off, file transfer performance + immediately returned to 11 MB/sec. 
@@ -425,20 +365,17 @@ No parameter should be specified unless you know it is essential to operation. - - document the settings - - documented - - optimized - + + document the settings + documented + optimized Many UNIX administrators like to fully document the settings in the &smb.conf; file. This is a bad idea because it adds content to the file. The &smb.conf; file is re-read by every smbd - process every time the file time stamp changes (or, on systems where this does not work, every 20 seconds or so). + process every time the file timestamp changes (or, on systems where this does not work, every 20 seconds or so). - As the size of the &smb.conf; file grows the risk of introduction of parsing errors increases also. + As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also. It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only with an optimized file. @@ -471,9 +408,7 @@ Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions - - fatal problem - + fatal problem You now, of course, press the enter key to complete the command, or else abort it by pressing Ctrl-C. The important thing to note is the noted Server role, as well as warning messages. Noted configuration conflicts must be remedied before proceeding. For example, the following error message represents a 
@@ -484,50 +419,38 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. - - performance degradation - - socket options - - socket address - - There are two parameters that can cause severe network performance degradation, socket options + + performance degradation + socket options + socket address + There are two parameters that can cause severe network performance degradation: socket options and socket address. The socket options parameter was often necessary when Samba was used with the Linux 2.2.x kernels. Later kernels are largely self-tuning and seldom benefit from this parameter being set. Do not use either parameter unless it has been proven necessary to use them. - - strict sync - - sync always - - severely degrade - - network - performance - + + strict sync + sync always + severely degrade + networkperformance Another &smb.conf; parameter that may cause severe network performance degradation is the strict sync parameter. Do not use this at all. There is no good reason to use this with any modern Windows client. The strict sync is often - used together with the sync always parameter. This, too, can severely - degrade network performance, so do not set it or if you must, do so with caution. + used with the sync always parameter. This, too, can severely + degrade network performance, so do not set it; if you must, do so with caution. - - opportunistic locking - - file caching - - caching - - oplocks - + + opportunistic locking + file caching + caching + oplocks Finally, many network administrators deliberately disable opportunistic locking support. While this does not degrade Samba performance, it significantly degrades Windows client performance because this disables local file caching on Windows clients and forces every file read and written to invoke a network read or write call. If for any reason you must disable oplocks (opportunistic locking) - support, do so on the share on which it is required only. 
That way, all other shares can provide + support, do so only on the share on which it is required. That way, all other shares can provide oplock support for operations that are tolerant of it. See for more information. @@ -537,33 +460,26 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Use and Location of BDCs - - BDC - - PDC - - routed network - - wide-area network - - network segment - + + BDC + PDC + routed network + wide-area network + network segment On a network segment where there is a PDC and a BDC, the BDC carries the bulk of the network logon processing. If the BDC is a heavily loaded server, the PDC carries a greater proportion of authentication and logon processing. When a sole BDC on a routed network segment gets heavily loaded, it is possible that network logon requests and authentication requests may be directed - to a BDC on a distant network segment. This significantly hinders wide-area network operations + to a BDC on a distant network segment. This significantly hinders WAN operations and is undesirable. - - Domain Member - - Domain Controller - - As a general guide, instead of adding Domain Member servers to a network, you would be better advised + + Domain Member + Domain Controller + As a general guide, instead of adding domain member servers to a network, you would be better advised to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add - Domain Member servers. This practice ensures that there is always sufficient Domain Controllers + domain member servers. This practice ensures that there is always sufficient domain controllers to handle logon requests and authentication traffic. 
@@ -574,7 +490,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Every network client has its own peculiarities. From a management perspective, it is easier to deal - with one version of MS Windows that is maintained to a consistent update level, than it is to deal + with one version of MS Windows that is maintained to a consistent update level than it is to deal with a mixture of clients. @@ -587,23 +503,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. - For Scalability, Use SAN Based Storage on Samba Servers + For Scalability, Use SAN-Based Storage on Samba Servers - - SAN - - synchronization - + + SAN + synchronization Many SAN-based storage systems permit more than one server to share a common data store. Use of a shared SAN data store means that you do not need to use time- and resource-hungry data synchronization techniques. - - load distribution - - clustering - + + load distribution + clustering The use of a collection of relatively low-cost front-end Samba servers that are coupled to a shared backend SAN data store permits load distribution while containing costs below that of installing and managing a complex clustering facility. 
@@ -614,23 +526,19 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Distribute Network Load with MSDFS - - MSDFS - - distributed - + + MSDFS + distributed Microsoft DFS (distributed file system) technology has been implemented in Samba. MSDFS permits data to be accessed from a single share and yet to actually be distributed across multiple actual - servers. Refer to TOSHARG, Chapter 16, for information regarding implementation of an MSDFS installation. + servers. Refer to TOSHARG, Chapter 19, for information regarding + implementation of an MSDFS installation. - - front-end - server - - MSDFS - - The combination of multiple back end servers together with a front-end server and use of MSDFS + + front-endserver + MSDFS + The combination of multiple backend servers together with a front-end server and use of MSDFS can achieve almost the same as you would obtain with a clustered Samba server. @@ -639,16 +547,13 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth - - replicate - - rsync - - wide-area network - - Consider using rsync to replicate data across the wide-area network during times + + replicate + rsync + wide-area network + Consider using rsync to replicate data across the WAN during times of low utilization. Users can then access the replicated data store rather than needing to do so - across the wide-area network. This works best for read-only data, but with careful planning can be + across the WAN. This works best for read-only data, but with careful planning can be implemented so that modified files get replicated back to the point of origin. Be careful with your implementation if you choose to permit modification and return replication of the modified file; otherwise, you may inadvertently overwrite important data. 
@@ -659,48 +564,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Hardware Problems - - hardware prices - - hardware problems - - NICs - - defective - HUBs - - defective - switches - - defective - cables - - Networking hardware prices have fallen sharply over the past five years. A surprising number + + hardware prices + hardware problems + NICs + defectiveHUBs + defectiveswitches + defectivecables + Networking hardware prices have fallen sharply over the past 5 years. A surprising number of Samba networking problems over this time have been traced to defective network interface cards (NICs) or defective HUBs, switches, and cables. - - corrective action - + + corrective action Not surprising is the fact that network administrators do not like to be shown to have made a bad decision. Money saved in buying low-cost hardware may result in high costs incurred in corrective action. - - intermittent - - data corruption - - slow network - - low performance - - data integrity - + + intermittent + data corruption + slow network + low performance + data integrity Defective NICs, HUBs, and switches may appear as intermittent network access problems, intermittent - or persistent data corruption, slow network throughput, low performance, or even as blue-screen-of-death (BSOD) + or persistent data corruption, slow network throughput, low performance, or even as BSOD problems with MS Windows clients. In one case, a company updated several workstations with newer, faster Windows client machines that triggered problems during logon as well as data integrity problems on an older PC that was unaffected so long as the new machines were kept shut down. 
@@ -710,9 +600,8 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. Defective hardware problems may take patience and persistence before the real cause can be discovered. - - RAID controllers - + + RAID controllers Networking hardware defects can significantly impact perceived Samba performance, but defective RAID controllers as well as SCSI and IDE hard disk controllers have also been known to impair Samba server operations. One business came to this realization only after replacing a Samba installation with MS @@ -738,11 +627,10 @@ cannot be set in the smb.conf file. nmbd will abort with this setting. her an even break. - - assumptions - - Last, but not least, you should not only keep the network design simple, but it should - be well documented. This book may serve as your pattern for documenting every + + assumptions + Last, but not least, you should not only keep the network design simple, but also be sure it is + well documented. This book may serve as your pattern for documenting every aspect of your design, its implementation, and particularly the objects and assumptions that underlie it. diff --git a/docs/Samba-Guide/SBE-KerberosFastStart.xml b/docs/Samba-Guide/SBE-KerberosFastStart.xml index bcd00dbd86d..42546c1256c 100644 --- a/docs/Samba-Guide/SBE-KerberosFastStart.xml +++ b/docs/Samba-Guide/SBE-KerberosFastStart.xml 
@@ -57,17 +57,17 @@ interesting portfolio of companies that includes accounting services, financial advice, investment portfolio management, property insurance, risk assessment, and the recent addition of a a video rental business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an - interesting business growth and development plan. Abmas Video Rentals has been recently acquired. - During the time that the acquisition was closing, the Video Rentals business upgraded their Windows + interesting business growth and development plan. Abmas Video Rentals was recently acquired. + During the time that the acquisition was closing, the Video Rentals business upgraded its Windows NT4-based network to Windows 2003 Server and Active Directory. Active Directory - Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory. - The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform. - Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to + You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. + The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. + Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to operate with a solution that is viewed by Christine and her group as an island of broken technologies. This comment was made by one of Christine's staff as they were installing a new Samba-3 server at the new business. 
@@ -122,7 +122,7 @@ off-site storage - User and Group accounts, and respective privileges, have been well thought out. File system shares are + User and group accounts, and respective privileges, have been well thought out. File system shares are appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and effective off-site storage practices are considered to exceed industry norms. @@ -154,7 +154,7 @@ stored on the Linux system. We are alarmed that secure information is accessible to staff who should not even be aware that it exists. We share the concerns of your network management staff who have gone to great lengths to set fine-grained controls that limit information access to those who need access. - It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work. + It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. 
@@ -185,12 +185,12 @@ trusted computing - In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of + Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft ... what worries us regarding Samba is the need to disable essential Windows security features such as - secure channel support, digital sign'n'seal on all communication traffic, running Active Directory in + secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that - Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that + Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that with trusted computing initiatives that the Samba developers do not participate in. @@ -230,13 +230,13 @@ independent expert - This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple - discussion, but it gets further out of hand. When he returns to his office, he finds the following - email in his in-box: + This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple + discussion, but it gets further out of hand. When you return to your office, you find the following + email in your in-box: - Bob, + Good afternoon,
Stan @@ -282,7 +282,7 @@ will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce - use of any centrally proposed standards, but make all non-compliance the financial responsibility of the + use of any centrally proposed standards, but make all noncompliance the financial responsibility of the out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
@@ -290,9 +290,9 @@ Assignment Tasks - Bob agreed with Stan's recommendations and has hired your services to help defuse the powder - keg. Your task is to answer each of the issues raised with a tractable answer. You must be able - to support your claims, keep emotions to a side, and answer technically. + You agreed with Stan's recommendations and hired a consultant to help defuse the powder + keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able + to support his or her claims, keep emotions to a side, and answer technically.
@@ -316,9 +316,9 @@ employment - Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to - make or reject. It is likely that your decision to use Samba can benefit your company more than - anyone else. The Samba Team obviously believes that the Samba software is a worthy choice. + Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to + make or reject. It is likely that your decision to use Samba can greatly benefit your company. + The Samba Team obviously believes that the Samba software is a worthy choice. If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire someone to help manage your Samba installation, you can create income and employment. Alternately, money saved by not spending in the IT area can be spent elsewhere in the business. All money saved @@ -353,8 +353,8 @@ broken It would be foolish to adopt a technology that might put any data or users at risk. Security affects - everyone. The Samba Team are fully cognizant of the responsibility they have to their users. - The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything + everyone. The Samba-Team is fully cognizant of the responsibility they have to their users. + The Samba documentation clearly reveals that full responsibility is accepted to fix anything that is broken.
@@ -404,8 +404,8 @@ vendor - The real issues that a consumer (like you) needs answered is what is the way of escape from technical - problems and how long will it take? The average problem turnaround time in the Open Source community is + The real issues that a consumer (like you) needs answered are What is the way of escape from technical + problems, and how long will it take? The average problem turnaround time in the Open Source community is approximately 48 hours. What does the EULA offer? What is the track record in the commercial software industry? What happens when your commercial vendor decides to cease providing support?
@@ -426,7 +426,7 @@ problem Open Source software at least puts you in possession of the source code. This means that when - all else fails, you can hire a programmer to solve/fix the problem. + all else fails, you can hire a programmer to solve the problem.
@@ -463,8 +463,8 @@ shares Windows network administrators may be dismayed to find that winbind - exposes all Domain users so that they may use their Domain account credentials to - log onto a UNIX/Linux system. The fact that all users in the Domain can see the + exposes all domain users so that they may use their domain account credentials to + log onto a UNIX/Linux system. The fact that all users in the domain can see the UNIX/Linux server in their Network Neighborhood and can browse the shares on the server seems to excite them further.
@@ -478,10 +478,10 @@ unknown - winbind provides for the UNIX/Linux Domain Member server or + winbind provides for the UNIX/Linux domain member server or client, the same as one would obtain by adding a Microsoft Windows server or - client to the Domain. The real objection is the fact that Samba is not MS Windows - and, therefore, requires handling a little differently from the familiar Windows systems. + client to the domain. The real objection is the fact that Samba is not MS Windows + and therefore requires handling a little differently from the familiar Windows systems. One must recognize fear of the unknown.
@@ -526,7 +526,7 @@ access controls - Where Samba and the ADS Domain account information obtained through the use of + Where Samba and the ADS domain account information obtained through the use of winbind permits access, by browsing or by the drive mapping to a share, to data that should be better protected. This can only happen when security controls have not been properly implemented. Samba permits access controls to be set @@ -537,7 +537,7 @@ Shares themselves (i.e., the logical share itself) The share definition in &smb.conf; The shared directories and files using UNIX permissions - Using Windows 2000 ACLs &smbmdash; if the file system is Posix enabled + Using Windows 2000 ACLs &smbmdash; if the file system is POSIX enabled @@ -608,7 +608,7 @@ weakness The report that is critical of Samba really ought to have exercised greater due - diligence, as the real weakness is on the side of a Microsoft Windows environment. + diligence: the real weakness is on the side of a Microsoft Windows environment. @@ -617,7 +617,7 @@ defects - Samba has been designed in such a manner that weaknesses inherent in the design of + Samba is designed in such a manner that weaknesses inherent in the design of Microsoft Windows networking ought not to expose the underlying UNIX/Linux file system in any way. All software has potential defects, and Samba is no exception. What matters more is how defects that are discovered get dealt with. @@ -656,7 +656,7 @@ turn-around time The report condemns Samba for releasing updates and security fixes, yet Microsoft - on-line updates need to be applied almost weekly. The answer to the criticism made + online updates need to be applied almost weekly. The answer to the criticism lies in the fact that Samba development is continuing, documentation is improving, user needs are being increasingly met or exceeded, and security updates are issued with a short turnaround time. 
@@ -676,10 +676,10 @@ The release of Samba-4 is expected around late 2004 to early 2005 and involves a near complete rewrite to permit extensive modularization and to prepare Samba for new - functionality planned for addition during the next generation series. The Samba Team - is responsible and can be depended upon; the history to date would suggest a high - degree of dependability as well as on charter development consistent with published - road-map projections. + functionality planned for addition during the next-generation series. The Samba Team + is responsible and can be depended upon; the history to date suggests a high + degree of dependability as well on charter development consistent with published + roadmap projections. @@ -719,12 +719,12 @@ digital sign'n'seal - The report correctly mentions the fact that Samba did not support the most recent + The report correctly mentions that Samba did not support the most recent schannel and digital sign'n'seal features of Microsoft Windows NT/200x/XPPro products. This is one of the key features of the Samba-3 release. Market research reports take so long to generate that they are seldom a reflection of current practice, and in many respects reports are like a - pathology report &smbmdash; they reflect accurately (at best) status at a snap-shot in time. + pathology report &smbmdash; they reflect accurately (at best) status at a snapshot in time. Meanwhile, the world moves on. 
@@ -746,11 +746,11 @@ secure networking It should be pointed out that had clear public specifications for the protocols - been published, it would have been much easier to implement this and would have + been published, it would have been much easier to implement these features and would have taken less time to do. The sole mechanism used to find an algorithm that is compatible with the methods used by Microsoft has been based on observation of network traffic and trial-and-error implementation of potential techniques. The real value of public - and defensible standards is obvious to all, and would have enabled more secure networking + and defensible standards is obvious to all and would have enabled more secure networking for everyone.
@@ -766,8 +766,8 @@ acknowledged and for which a fix was provided. In fact, Tangent Systems - appears even todayJanuary 2004 to not be sure that the problem has been resolved. - So it is evident that some delay in release of new functionality may have + appears even todayJanuary 2004 to be unsure whether the problem has been resolved, + it is evident that some delay in release of new functionality may have fortuitous consequences.
@@ -795,7 +795,7 @@ and working together to help define open and publicly refereed standards. The development of closed source, proprietary methods that are developed in a clandestine framework of secrecy, under claims of digital rights protection, does - not favor the diffusion of safe networking protocols, and certainly does not + not favor the diffusion of safe networking protocols and certainly does not help the consumer to make a better choice.
@@ -817,7 +817,7 @@ The Microsoft networking protocols extensively make use of remote procedure call (RPC) technology. Active Directory is not a simple mixture of LDAP and Kerberos together - with file and print services, but rather is a complex intertwined implementation + with file and print services, but rather is a complex, intertwined implementation of them that uses RPCs that are not supported by any of these component technologies and yet by which they are made to interoperate in ways that the components do not support. @@ -841,7 +841,7 @@ overall support for all project maintainers to work together on the complex challenge of developing and integrating the necessary technologies. Therefore, if the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality - into the Samba project, this dream request can not become a reality. + into the Samba project, this dream request cannot become a reality.
@@ -859,7 +859,7 @@ At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the Samba development roadmap. If it is not on the published roadmap, it cannot be delivered anytime soon. Ergo, ADS server support is not a current goal for Samba development. - The Samba Team is most committed to permitting Samba to be a full ADS Domain member + The Samba Team is most committed to permitting Samba to be a full ADS domain member that is increasingly capable of being managed using Microsoft Windows MMC tools. @@ -877,8 +877,8 @@ Kerberos is a network authentication protocol that provides secure authentication for client-server applications by using secret-key cryptography. Firewalls are an insufficient - barrier mechanism in todays networking world as at best they only restrict incoming network - traffic but can not prevent network traffic that comes from authorized locations from + barrier mechanism in todays networking world; at best they only restrict incoming network + traffic but cannot prevent network traffic that comes from authorized locations from performing unauthorized activities.
@@ -911,7 +911,7 @@ Kerberos is a trusted third-party service. That means that there is a third party (the kerberos server) that is trusted by all the entities on the network (users and services, usually called principals). All principals share a secret password (or key) with the kerberos server and this - enables principals to verify that the messages from the kerberos server are authentic. Thus + enables principals to verify that the messages from the kerberos server are authentic. Therefore, trusting the kerberos server, users and services can authenticate each other.
@@ -922,12 +922,12 @@ Heimdal Kerberos - Kerberos was until recently a technology that was restricted from being exported from the United States. - For many years that hindered global adoption of more secure networking technologies both within the USA - as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe + Kerberos was, until recently, a technology that was restricted from being exported from the United States. + For many years that hindered global adoption of more secure networking technologies both within the United States + and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project. - In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos. - It is likely that there will be a significant surge forward in the development of Kerberos enabled applications + In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos. + It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications and in the general deployment and use of Kerberos across the spectrum of the information technology industry.
@@ -936,7 +936,7 @@ interoperability A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation - of it. For example, a 2002 new report by IDG + of it. For example, a 2002 report by IDG states:
@@ -965,11 +965,11 @@ RPC It so happens that Microsoft Windows clients depend on and expect the contents of the unspecified - fields in the Kerberos 5 communications data stream for their Windows interoperability, in - particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability - issue goes far deeper than this. In the Domain control protocols that are used by MS Windows XP Professional + fields in the Kerberos 5 communications data stream for their Windows interoperability, + particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability + issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional, there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment - (DCE) remote procedure calls (RPCs) that themselves are an integral part of the SMB/CIFS protocols as used by + (DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by Microsoft.
@@ -1027,8 +1027,8 @@ account - From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator - account (on Samba Domains, this is usually the account called root). + From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator + account (on Samba domains, this is usually the account called root).
@@ -1060,7 +1060,7 @@ In the left panel, the entry Computer Management (Local) should now reflect the change made. For example, if the server you are administering is called FRODO, - the Computer Management entry should now say: Computer Management (FRODO). + the Computer Management entry should now say Computer Management (FRODO). @@ -1094,7 +1094,7 @@ rejected You may now edit/add/remove access control settings. Be very careful. Many problems have been - created by people who decided that Everyone should be rejected but one particular group should + created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also belong to the group Everyone, which therefore overrules any permissions set for the permitted group. @@ -1125,10 +1125,10 @@ privileges - Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a - check-point can be used to require someone who wants to get through to meet certain requirements, so + Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a + checkpoint can be used to require someone who wants to get through to meet certain requirements, so it is possible to require the user (or group the user belongs to) to meet specified credential-related - objectives. It can be likened to a pile-driver by overriding default controls, in that having met the + objectives. It can be likened to a pile-driver by overriding default controls in that having met the credential-related objectives, the user can be granted powers and privileges that would not normally be available under default settings. 
@@ -1142,25 +1142,25 @@ hierarchy of control - It must be emphasized that the controls here discussed can act as a filter, or give rights of passage, - that act as a super-structure over normal directory and file access controls. However, share level - ACLs act at a higher level than to share definition controls because the user must filter through the - share level controls to get to the share definition controls. The proper hierarchy of controls implemented + It must be emphasized that the controls here discussed can act as a filter or give rights of passage + that act as a superstructure over normal directory and file access controls. However, share-level + ACLs act at a higher level than do share definition controls because the user must filter through the + share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented by Samba and Windows networking consists of:
- Share Level ACLs - Share Definition Controls - Directory and File Permissions - Directory and File Posix ACLs + Share-level ACLs + Share-definition controls + Directory and file permissions + Directory and file POSIX ACLs - Check-point Controls + Checkpoint Controls - Check-point Controls + Checkpoint Controls Consider the following extract from a &smb.conf; file defining the share called Apps: @@ -1186,8 +1186,8 @@ delimiter - On Domain Member servers and clients, even when the winbind use default domain has - been specified, the use of Domain accounts in security controls requires fully qualified Domain specification, + On domain member servers and clients, even when the winbind use default domain has + been specified, the use of domain accounts in security controls requires fully qualified domain specification, for example, @"MEGANET\Northern Engineers". Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a delimiter. @@ -1211,8 +1211,8 @@ share definition controls Consider another example. In this case, you want to permit all members of the group Employees - to access the Apps share, except the user patrickj. This can be - easily achieved by setting a share level ACL permitting only Employees to access the share, + except the user patrickj to access the Apps share. This can be + easily achieved by setting a share-level ACL permitting only Employees to access the share, and then in the share definition controls excluding just patrickj. Here is how that might be done: @@ -1225,7 +1225,7 @@ permissions - Let us assume that you want to permit the user gbshaw, to manage any file in the + Let us assume that you want to permit the user gbshaw to manage any file in the UNIX/Linux file system directory /data/apps, but you do not want to grant any write permissions beyond that directory tree. Here is one way this can be done: 
@@ -1243,13 +1243,13 @@ the group Doctors, excluding the user patrickj, to have read-only privilege, but the user gbshaw is granted administrative rights. The administrative rights conferred upon the user gbshaw permit operation as - if that user has logged in as the user root on the UNIX/Linux system, and thus - for access to the directory tree that has been shared (exported) permit the user to override controls + if that user has logged in as the user root on the UNIX/Linux system and thus, + for access to the directory tree that has been shared (exported), permit the user to override controls that apply to all other users on that resource. - There are additional check-point controls that may be used. For example, if for the same share we now + There are additional checkpoint controls that may be used. For example, if for the same share we now want to provide the user peters with the ability to write to one directory to which he has write privilege in the UNIX file system, you can specifically permit that with the following settings: @@ -1266,8 +1266,8 @@ check-point controls This is a particularly complex example at this point, but it begins to demonstrate the possibilities. - You should refer to the on-line manual page for the &smb.conf; file for more information regarding - the check-point controls that Samba implements. + You should refer to the online manual page for the &smb.conf; file for more information regarding + the checkpoint controls that Samba implements. @@ -1280,7 +1280,7 @@ Override controls implemented by Samba permit actions like the adoption of a different identity during file system operations, the forced overwriting of normal file and directory permissions, - and so on. You should refer to the on-line manual page for the &smb.conf; file for more information regarding + and so on. You should refer to the online manual page for the &smb.conf; file for more information regarding the override controls that Samba implements.
@@ -1305,9 +1305,9 @@ That is all there is to it. Well, it is almost that simple. The downside of this method is that users are logged onto the Windows client as themselves, and then immediately before accessing the file, Samba makes system calls to change the effective user and group to the forced settings - specified, completes the file transaction, and then reverts to the actually logged on identity. - This imposes significant overhead on Samba. The alternative way that effectively the same result - can be achieved (but with lower system CPU overheads) is described next. + specified, completes the file transaction, and then reverts to the actually logged-on identity. + This imposes significant overhead on Samba. The alternative way to effectively achieve the same result + (but with lower system CPU overheads) is described next.
@@ -1322,10 +1322,10 @@ performance degradation - The use of the force user, or the force group, may - also have a severe impact on system (and in particular Windows client) performance. If opportunistic + The use of the force user or the force group may + also have a severe impact on system (particularly on Windows client) performance. If opportunistic locking is enabled on the share (the default), it causes an oplock break to be - sent to the client, even if the client has not opened the file. On networks that have high traffic + sent to the client even if the client has not opened the file. On networks that have high traffic density, or on links that are routed to a remote network segment, oplock breaks can be lost. This results in possible retransmission of the request, or the client may time-out while waiting for the file system transaction (read or write) to complete. The result can be a profound @@ -1372,7 +1372,7 @@ A user opens a Work document from a network drive. The file was owned by user janetp - and users, and was set read/write enabled for everyone. + and users, and was set read/write-enabled for everyone. @@ -1385,19 +1385,19 @@ The file is now owned by the user billc and group doctors, - and is set read/write by billc, read only by doctors, and + and is set read/write by billc, read-only by doctors, and no access by everyone. - The original owner can not now access her own file and is justifiably upset. + The original owner cannot now access her own file and is justifiably upset. There have been many postings over the years that report the same basic problem. Frequently Samba users want to know when this bug will be fixed. The fact is, this is not a bug in Samba at all. - Here is the real sequence of what happens in the case mentioned above. + Here is the real sequence of what happens in this case. @@ -1423,7 +1423,7 @@ - The question is: How can we solve the problem? + The question is, How can we solve the problem? 
@@ -1462,7 +1462,7 @@ accessible Set the files and directory permissions to be read/write for owner and group, and not accessible - to others (everyone) using the following command: + to others (everyone), using the following command: &rootprompt; chmod ug+rwx,o-rwx /usr/data/finance @@ -1471,7 +1471,7 @@ SGID - Set the SGID (super-group) bit on all directories from the top down. This means all files + Set the SGID (supergroup) bit on all directories from the top down. This means all files can be created with the permissions of the group set on the directory. It means all users who are members of the group finance can read and write all files in the directory. The directory is not readable or writable by anyone who is not in the @@ -1509,8 +1509,8 @@ side effects - Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because - of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means + Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because + there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means that some transactions are not possible from MS Windows clients. One of these is to reset the ownership of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login. @@ -1525,8 +1525,8 @@ - From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator - account (on Samba Domains, this is usually the account called root). + From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator + account (on Samba domains, this is usually the account called root). 
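Review bot: the SGID expansion in the hunk at line 1471 is wrong in both the old and the new text: SGID is the set-group-ID bit, not a "super-group" or "supergroup" bit. Suggest `Set the SGID (set-group-ID) bit on all directories from the top down.`; the rest of the sentence already describes set-group-ID semantics correctly (new files take the group of the directory), so only the parenthetical needs to change.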
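Review bot: the command in the hunk at line 1462, `chmod ug+rwx,o-rwx /usr/data/finance`, touches only the top-level directory, while the sentence above it speaks of "the files and directory permissions" and the next step wants the SGID bit set "on all directories from the top down". Either show the recursive form (`chmod -R ug+rwx,o-rwx /usr/data/finance`) or say explicitly that this applies to the top directory only. If the recursive form is chosen, the text should warn that `+x` on regular files marks them executable, which is not what "read/write for owner and group" promises.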
@@ -1581,7 +1581,7 @@ to edit ACLs using the Advanced editing features. Click the Advanced button. This opens a panel that has four tabs. Only the functionality under the Permissions tab can be utilized with respect - to a Samba Domain server. + to a Samba domain server. @@ -1590,7 +1590,7 @@ permitted group You may now edit/add/remove access control settings. Be very careful. Many problems have been - created by people who decided that Everyone should be rejected but one particular group should + created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also belong to the group Everyone, which therefore overrules any permissions set for the permitted group. @@ -1609,7 +1609,7 @@ The following alternative method may be used from a Windows workstation. In this example we work - with a Domain called MEGANET, a server called MASSIVE, and a + with a domain called MEGANET, a server called MASSIVE, and a share called Apps. The underlying UNIX/Linux share point for this share is /data/apps. @@ -1630,7 +1630,7 @@ Security Advanced . This opens a panel that has four tabs. Only the functionality under the - Permissions tab can be utilized in respect to a Samba Domain server. + Permissions tab can be utilized for a Samba domain server. @@ -1639,7 +1639,7 @@ over-rule You may now edit/add/remove access control settings. Be very careful. Many problems have been - created by people who decided that Everyone should be rejected but one particular group should + created by people who decided that everyone should be rejected but one particular group should have full control. This is a catch-22 situation because members of that particular group also belong to the group Everyone, which therefore overrules any permissions set for the permitted group. 
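Review bot: changing "Everyone" to "everyone" in the hunks at lines 1590 and 1639 is a regression: the word is the name of the Windows well-known group, and the next sentence in the same paragraph still reads `belong to the group Everyone`. Keep the capital in both hunks (`people who decided that Everyone should be rejected`) so the name stays consistent within the paragraph and is read as the group, not the pronoun.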
@@ -1662,7 +1662,7 @@ shared resource Yet another alternative method for setting desired security settings on the shared resource files and - directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line + directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 Linux system: @@ -1678,7 +1678,7 @@ &rootprompt; cd /data - Retrieve the existing Posix ACLs entry by executing: + Retrieve the existing POSIX ACLs entry by executing: &rootprompt; getfacl apps # file: apps @@ -1714,7 +1714,7 @@ group:AppsMgrs:rwx mask::rwx other::r-x - This confirms that the change of Posix ACL permissions has been effective. + This confirms that the change of POSIX ACL permissions has been effective. @@ -1728,7 +1728,7 @@ other::r-x inheritance - It is highly recommend that you should read the on-line manual page for the setfacl + It is highly recommend that you read the online manual page for the setfacl and getfacl commands. This provides information regarding how to set/read the default ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent of setting inheritance properties. @@ -1745,7 +1745,7 @@ other::r-x The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. Looking back, this chapter could be broken into two, but it's too late now. It has been done. - The highlights covered are: + The highlights covered are as follows: 
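Review bot: the hunk at line 1728 fixes "on-line" but leaves the grammatical error in the same sentence: `It is highly recommend that you read the online manual page` should be `It is highly recommended that you read the online manual page`.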
@@ -1760,7 +1760,7 @@ other::r-x Winbind honors and does not override account controls set in Active Directory. This means that password change, logon hours, and so on, are (or soon will be) enforced - by Samba Winbind. At this time, an out-of-hours login is denied and password + by Samba winbind. At this time, an out-of-hours login is denied and password change is enforced. At this time, if logon hours expire, the user is not forcibly logged off. That may be implemented at some later date. @@ -1771,7 +1771,7 @@ other::r-x schannel Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential - problems acknowledged by Microsoft as having been fixed, but reported by some as still + problems acknowledged by Microsoft as having been fixed but reported by some as still possibly an open issue. @@ -1787,7 +1787,7 @@ other::r-x The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft Active Directory. The possibility to do this is not planned in the current Samba-3 roadmap. Samba-3 does aim to provide further improvements in interoperability so that - UNIX/Linux systems may be fully integrated into Active Directory Domains. + UNIX/Linux systems may be fully integrated into Active Directory domains.
@@ -1830,7 +1830,7 @@ other::r-x registry change No. Samba-3 fully supports Sign'n'seal as well as schannel - operation. The registry change should not be applied when Samba-3 is used as a Domain Controller. + operation. The registry change should not be applied when Samba-3 is used as a domain controller. @@ -1852,7 +1852,7 @@ other::r-x Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, - and it can function as an Active Directory Domain Member server. + and it can function as an Active Directory domain member server.
@@ -1876,7 +1876,7 @@ other::r-x No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, - as Samba-3 can join a native Windows 2003 Server ADS Domain. + because Samba-3 can join a native Windows 2003 Server ADS domain.
@@ -1888,14 +1888,14 @@ other::r-x share level access controls - Is it safe to set share level access controls in Samba? + Is it safe to set share-level access controls in Samba? - Yes. Share level access controls have been supported since early versions of Samba-2. This is + Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, neither on Windows server or with Samba servers. @@ -1928,7 +1928,7 @@ other::r-x No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the &smb.conf; file. The additional - support for share level ACLs is like frosting on the cake. It adds to security, but is not essential + support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it.
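Review bot: the hunk at line 1888 hyphenates "share-level" but leaves the broken construction in its trailing context untouched: `Not enough sites make use of this powerful capability, neither on Windows server or with Samba servers.` should be `... neither on Windows servers nor with Samba servers.` (or `... on either Windows or Samba servers.`).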
@@ -2034,7 +2034,7 @@ other::r-x Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your - Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which + Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility.
@@ -2052,14 +2052,14 @@ other::r-x Domain Member server I tried to set valid users = @Engineers, but it does not work. My Samba - server is an Active Directory Domain Member server. Has this been fixed now? + server is an Active Directory domain member server. Has this been fixed now? - The use of this parameter has always required the full specification of the Domain account, for + The use of this parameter has always required the full specification of the domain account, for example, valid users = @"MEGANET2\Domain Admins". diff --git a/docs/Samba-Guide/SBE-MakingHappyUsers.xml b/docs/Samba-Guide/SBE-MakingHappyUsers.xml index 47d5dc2bb63..51cd948a4cf 100644 --- a/docs/Samba-Guide/SBE-MakingHappyUsers.xml +++ b/docs/Samba-Guide/SBE-MakingHappyUsers.xml @@ -2875,7 +2875,7 @@ smb: \> q Create an entry in the DNS database on the server MASSIVE in both the forward lookup database for the zone abmas.biz.hosts and in the reverse lookup database for the network segment that the printer is to - be located in. Example configuration files for similar zones were presented in Chapter 3, + be located in. Example configuration files for similar zones were presented in , and in . @@ -3490,8 +3490,8 @@ structuralObjectClass: organizationalUnit - You should research the options for logon script implementation by referring to TOSHARG, Chapter 21, - Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon + You should research the options for logon script implementation by referring to TOSHARG, Chapter 24, + Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon facilities in use today is called KiXtart. diff --git a/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml index 05694d0258b..af575d4c48e 100644 --- a/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml +++ b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml 
@@ -4,8 +4,8 @@ Migrating NT4 Domain to Samba-3 - Ever since Microsoft announced that they are discontinuing support for Windows - NT4, Samba users started to ask for detailed instructions for how to migrate + Ever since Microsoft announced that it was discontinuing support for Windows + NT4, Samba users started to ask for detailed instructions on how to migrate from NT4 to Samba-3. This chapter provides background information that should meet these needs. @@ -22,7 +22,7 @@ migration Network administrators who want to migrate off a Windows NT4 environment know - one thing with certainty. They feel that NT4 has been abandoned and they want + one thing with certainty. They feel that NT4 has been abandoned, and they want to update. The desire to get off NT4 and to not adopt Windows 200x and Active Directory is driven by a mixture of concerns over complexity, cost, fear of failure, and much more. 
@@ -33,20 +33,20 @@ accountsuser accountsgroup accountsmachine - The migration from NT4 to Samba-3 can involve a number of factors, including: + The migration from NT4 to Samba-3 can involve a number of factors, including migration of data to another server, migration of network environment controls - such as group policies, and finally migration of the users, groups, and machine + such as group policies, and migration of the users, groups, and machine accounts. accountsDomain It should be pointed out now that it is possible to migrate some systems from - Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly - not possible in every case. It is possible to just migrate the Domain accounts + a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly + not possible in every case. It is possible to just migrate the domain accounts to Samba-3 and then to switch machines, but as a hands-off transition, this is more - an exception than the rule. Most systems require some tweaking and adjusting - following migration before an environment that is acceptable for immediate use + the exception than the rule. Most systems require some tweaking after + migration before an environment that is acceptable for immediate use is obtained. @@ -57,7 +57,7 @@ LDAP ldapsam passdb backend - You are about to migrate an MS Windows NT4 Domain accounts database to + You are about to migrate an MS Windows NT4 domain accounts database to a Samba-3 server. The Samba-3 server is using a passdb backend based on LDAP. The ldapsam is ideal because an LDAP backend can be distributed @@ -66,7 +66,7 @@ Your objective is to document the process of migrating user and group accounts - from several NT4 Domains into a single Samba-3 LDAP backend database. + from several NT4 domains into a single Samba-3 LDAP backend database. 
@@ -82,9 +82,9 @@ registrykeysSECURITY SAM Security Account ManagerSAM - The migration process takes a snap-shot of information that is stored in the - Windows NT4 registry based accounts database. That information resides in - the Security Account Manager (SAM) portion of the NT4 Registry under keys called + The migration process takes a snapshot of information that is stored in the + Windows NT4 registry-based accounts database. That information resides in + the Security Account Manager (SAM) portion of the NT4 registry under keys called SAM and SECURITY. @@ -93,7 +93,7 @@ inoperative The Windows NT4 registry keys called SAM and SECURITY are protected so that you cannot view the contents. If you change the security setting - to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not + to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not do this unless you are willing to render your domain controller inoperative. @@ -103,7 +103,7 @@ Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, that may not be a good idea from an administration perspective. Since the process involves going - through a certain amount of disruptive activity anyhow, why not take this as an opportunity to + through a certain amount of disruptive activity anyhow, why not take this opportunity to review the structure of the network, how Windows clients are controlled and how they interact with the network environment. 
@@ -113,14 +113,14 @@ profiles share security descriptors MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed - have done little to keep the NT4 server environment up-to-date with more recent Windows releases, + have done little to keep the NT4 server environment up to date with more recent Windows releases, particularly Windows XP Professional. The migration provides opportunity to revise and update roaming profile deployment as well as folder redirection. Given that you must port the greater network configuration of this from the old NT4 server to the new Samba-3 server. Do not forget to validate the security descriptors in the profiles share as well as network logon scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this as a good time to update desktop systems also. In all, the extra effort should constitute no - real disruption to users, rather with due diligence and care should make their network experience + real disruption to users, but rather, with due diligence and care should make their network experience a much happier one. @@ -130,12 +130,12 @@ strategic active directory - Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic - element. Many sites have asked for instructions regarding merging of multiple different NT4 - Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant + Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic + element. Many sites have asked for instructions regarding merging of multiple NT4 + domains into one Samba-3 LDAP database. It seems that this is viewed as a significant added value compared with the alternative of migration to Windows Server 200x and Active Directory. The diagram in illustrates the effect of migration - from a Windows NT4 Domain to a Samba Domain. + from a Windows NT4 domain to a Samba domain. 
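Review bot: the hunk at line 113 leaves a sentence fragment in its context: `Given that you must port the greater network configuration of this from the old NT4 server to the new Samba-3 server.` has no main clause. Suggest attaching it to the preceding sentence, e.g. `... as well as folder redirection, given that you must port the greater network configuration from the old NT4 server to the new Samba-3 server anyway.`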
@@ -146,9 +146,9 @@ merge passdb.tdb - If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain, + If you want to merge multiple NT4 domain account databases into one Samba domain, you must now dump the contents of the first migration and edit it as appropriate. Now clean - out (remove) the tdbsam backend file (passdb.tdb), or the LDAP database + out (remove) the tdbsam backend file (passdb.tdb) or the LDAP database files. You must start each migration with a new database into which you merge your NT4 domains. @@ -156,7 +156,7 @@ dump - At this point, you are ready to perform the second migration following the same steps as + At this point, you are ready to perform the second migration, following the same steps as for the first. In other words, dump the database, edit it, and then you may merge the dump for the first and second migrations. @@ -169,8 +169,8 @@ Domain SID You must be careful. If you choose to migrate to an LDAP backend, your dump file - now contains the full account information, including the Domain SID. The Domain SID for each - of the two NT4 Domains will be different. You must choose one, and change the Domain + now contains the full account information, including the domain SID. The domain SID for each + of the two NT4 domains will be different. You must choose one and change the domain portion of the account SIDs so that all are the same. 
@@ -189,12 +189,12 @@ import If you choose to use a tdbsam (passdb.tdb) backend file, your best choice is to use pdbedit to export the contents of the tdbsam file into an - smbpasswd data file. This automatically strips out all Domain specific information, - such as logon hours, logon machines, logon script, profile path, as well as the Domain SID. + smbpasswd data file. This automatically strips out all domain-specific information, + such as logon hours, logon machines, logon script, profile path, as well as the domain SID. The resulting file can be easily merged with other migration attempts (each of which must start - with a clean file). It should also be noted that all users that end up in the merged smbpasswd + with a clean file). It should also be noted that all users who end up in the merged smbpasswd file must have an account in /etc/passwd. The resulting smbpasswd file - may be exported/imported into either a tdbsam (passdb.tdb), or else into + may be exported or imported into either a tdbsam (passdb.tdb) or an LDAP backend. 
@@ -210,16 +210,16 @@ Political Issues - The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3 - Domain may be seen by those who had power over them as a loss of prestige or a loss of - power. The imposition of a single Domain may even be seen as a threat. So in migrating and + The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3 + domain may be seen by those who had power over them as a loss of prestige or a loss of + power. The imposition of a single domain may even be seen as a threat. So in migrating and merging account databases, be consciously aware of the political fall-out in which you may find yourself entangled when key staff feel a loss of prestige. - The best advice that can be given to those who set out to merge NT4 Domains into one single - Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers + The best advice that can be given to those who set out to merge NT4 domains into a single + Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers greater network interoperability and manageability. 
@@ -231,25 +231,25 @@ Implementation - From feedback on the Samba mailing lists it would appear that most Windows NT4 migrations + From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX - server. If you contemplate doing this also, please note that the steps that follow in this + server. If you contemplate doing this, please note that the steps that follow in this chapter assume familiarity with the information that has been previously covered in this - book. The reader is particularly encouraged to be familiar with , + book. You are particularly encouraged to be familiar with , and . - You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The + We present here the steps and example output for two NT4 to Samba-3 domain migrations. The first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the scripts you specify in the &smb.conf; file for the add user script collection of parameters are used to effect the addition of accounts into the passdb backend. - Before proceeding to NT4 migration using either a tdbsam or ldapsam it is most strongly recommended to + Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to review for DNS and DHCP configuration. The importance of correctly - functioning name resolution must be recognized. This applies equally for hostname as for NetBIOS names + functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names (machine names, computer names, domain names, workgroup names &smbmdash; ALL names!). 
@@ -268,9 +268,9 @@ Posix lower-case Clean up the source NT4 PDC. Delete all accounts that need not be migrated. - Delete all files that should not be migrated. Where possible, change NT Group + Delete all files that should not be migrated. Where possible, change NT group names so there are no spaces or uppercase characters. This is important if - the target UNIX host insists on Posix compliant all lower-case user and group + the target UNIX host insists on POSIX-compliant all lowercase user and group names. @@ -289,7 +289,7 @@ - It may help to use the above outline as a pre-migration check-list. + It may help to use the above outline as a pre-migration checklist. 
@@ -299,21 +299,21 @@ In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about to be migrated are shown in . In this example use is made of the smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend. - Four scripts are essential to the migration process. There are other scripts that will be required + Four scripts are essential to the migration process. Other scripts will be required for daily management, but these are not critical to migration. The critical scripts are dependant on which passdb backend is being used. Refer to to see which scripts must be provided so that the migration process can complete. - Verify that you have correctly specified in the &smb.conf; file the scripts, and arguments - that should be passed to them, before attempting to perform the account migration. Note also + Verify that you have correctly specified in the &smb.conf; file the scripts and arguments + that should be passed to them before attempting to perform the account migration. Note also that the deletion scripts must be commented out during migration. These should be uncommented following successful migration of the NT4 Domain accounts. - Under absolutely no situations should the Samba daemons be started until instructed to do so. + Under absolutely no circumstances should the Samba daemons be started until instructed to do so. Delete the /etc/samba/secrets.tdb file and all Samba control tdb files before commencing the following configuration steps. 
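Review bot: in the hunk at line 299, `The critical scripts are dependant on which passdb backend` should read `dependent on`, and the added line `following successful migration of the NT4 Domain accounts` keeps the capital D that the rest of this patch lowercases; make it `NT4 domain accounts` for consistency.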
@@ -372,7 +372,7 @@ smbldap-tools The UNIX/Linux usermod utility does not permit simple user addition to (or deletion of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this - capability you will need to create your own tool to do this. Alternately, you can search the web + capability, you must create your own tool to do this. Alternately, you can search the Web to locate a utility called groupmem (by George Kraft) that provides this functionality. The groupmem utility was contributed to the shadow package but has not surfaced in the formal commands provided by Linux distributions (March 2004). @@ -380,9 +380,8 @@ tdbdump - The tdbdump utility is a utility that you can build from the Samba source - code tree. Not all Linux binary distributions include this tool. If it is missing from your - Linux distribution you will need to build this yourself, or else for-go its use. + The tdbdump utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your + Linux distribution, you will need to build this yourself or else forgo its use. @@ -613,8 +612,8 @@ ssl off /etc/ldap.conf file has been configured, when the LDAP server is started, the process of starting the LDAP server will cause LDAP lookups. This causes the LDAP server slapd to hang because it finds port 389 - open and therefore can not gain exclusive control of it. By commenting these entries - out it is possible to avoid this grid-lock situation and thus the over-all + open and therefore cannot gain exclusive control of it. By commenting these entries + out, it is possible to avoid this gridlock situation and thus the overall installation and configuration will progress more smoothly. 
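Review bot: the hunk at line 380 folds two wrapped lines into one overlong line (`The tdbdump utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool.`) while the rest of the file wraps at roughly 100 columns; rewrap it, and drop the redundant "is a utility" while you are there: `The tdbdump utility can be built from the Samba source-code tree.`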
@@ -663,7 +662,7 @@ rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms - Pull the Domain SID from the NT4 Domain that is being migrated as follows: + Pull the domain SID from the NT4 domain that is being migrated as follows: &rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get Storing SID S-1-5-21-1385457007-882775198-1210191635 \ @@ -673,7 +672,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \ Another way to obtain the domain SID from the target NT4 domain that is being - migrated to Samba-3 by executing the following: + migrated to Samba-3 is by executing the following: &rootprompt; net rpc info -S TRANSGRESSION @@ -689,12 +688,12 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \ configure.pl /opt/IDEALX/sbin smbldap-tools - Install the Idealx smbldap-tools software package following + Install the Idealx smbldap-tools software package, following the instructions given in . The resulting perl scripts should be located in the /opt/IDEALX/sbin directory. - Change into that location, or where ever the scripts have been installed. Execute the + Change into that location, or whereever the scripts have been installed. Execute the configure.pl script to configure the Idealx package for use. - Note: Use the Domain SID obtained from the step above. The following is + Note: Use the domain SID obtained from the step above. The following is an example configuration session: merlin:/opt/IDEALX/sbin # ./configure.pl @@ -781,7 +780,7 @@ writing new configuration file: sambaDomainName Note that the NT4 domain SID that was previously obtained was entered above. Also, - the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION. This is + the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is the location into which the Idealx smbldap-tools store the next available UID/GID information. It is also where Samba stores domain specific information such as the next RID, the SID, and so on. 
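Review bot: the hunk at line 689 introduces a typo: `or whereever the scripts have been installed` should be `or wherever the scripts have been installed`.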
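Review bot: the two commands that fetch the domain SID disagree on the server name: the hunk at line 663 uses `net rpc getsid -S TRANGRESSION -U Administrator%not24get` while the hunk at line 673 uses `net rpc info -S TRANSGRESSION`; one of them is a typo and the reader cannot tell which. Separately, the `-U Administrator%not24get` form puts the administrator password on the command line, where it is visible in the process list and saved in shell history; since this is an administrator credential for the PDC being migrated, the example should use `-U Administrator` and let `net` prompt for the password, with a sentence saying why.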
@@ -906,7 +905,7 @@ Print Operators:x:550: Backup Operators:x:551: Replicators:x:552: - In both cases above the LDAP accounts follow the +::0: entry. + In both cases the LDAP accounts follow the +::0: entry. @@ -928,7 +927,7 @@ Changing password for root New password : ******** Retype new password : ******** - Note: During account migration the Windows Administrator account will not be migrated + Note: During account migration, the Windows Administrator account will not be migrated to the Samba server. @@ -959,7 +958,7 @@ Print Operators (S-1-5-32-550) -> Print Operators Backup Operators (S-1-5-32-551) -> Backup Operators Replicators (S-1-5-32-552) -> Replicators - The above are the expected results for a correctly configured system. + These are the expected results for a correctly configured system. @@ -1039,14 +1038,14 @@ Guests (S-1-5-32-546) -> Guests Server Operators (S-1-5-32-549) -> Server Operators Users (S-1-5-32-545) -> Users - It is of vital importance that the domain SID portion of all group + It is of vital importance that the domain SID portions of all group accounts are identical. The final responsibility in the migration process is to create identical shares and printing resources on the new Samba-3 server, copy all data - across, set up privileges and set share and file/directory access controls. + across, set up privileges, and set share and file/directory access controls. 
@@ -1083,14 +1082,14 @@ Press enter to see a dump of your service definitions All workstations should function as they did with the old NT4 PDC. All - inter-domain trust accounts should remain in place and fully functional. + interdomain trust accounts should remain in place and fully functional. All machine accounts and user logon accounts should also function correctly. - The configuration of Samba-3 BDC servers can be accomplished now, or at any + The configuration of Samba-3 BDC servers can be accomplished now or at any convenient time in the future. Please refer to the carefully detailed process - for doing this that has been outlined in . + for doing so is outlined in . @@ -1202,20 +1201,20 @@ Creating unix group: 'Users' NT4 Migration Using tdbsam Backend - In this example, you have chosen to change the Domain name of the NT4 server from + In this example, we change the domain name of the NT4 server from DRUGPREP to MEGANET prior to the use of the vampire (migration) tool. This migration process makes use of Linux system tools (like useradd) to add the accounts that are migrated into the - UNIX/Linux /etc/passwd, and /etc/group + UNIX/Linux /etc/passwd and /etc/group databases. These entries must therefore be present, and correct options specified, - in your &smb.conf; file or else the migration does not work as it should. + in your &smb.conf; file, or else the migration does not work as it should. Migration Steps Using tdbsam - Prepare a Samba-3 server precisely per the instructions shown in Chapter 5. + Prepare a Samba-3 server precisely per the instructions shown in . Set the workgroup name to MEGANET. 
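Review bot: the hunk at line 1083 turns a correct sentence into an ungrammatical one: `Please refer to the carefully detailed process for doing so is outlined in .` mixes an imperative with a statement. Either keep the original form (`Please refer to the carefully detailed process for doing this that has been outlined in ...`) or make it a plain statement (`The carefully detailed process for doing so is outlined in ...`), not both.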
@@ -1295,7 +1294,7 @@ SAM_DELTA_DOMAIN_INFO not handled pdbedit At this point, we can validate our migration. Let's look at the accounts - in the form as they would be seen in a smbpasswd file. This achieves that: + in the form in which they are seen in a smbpasswd file. This achieves that: &rootprompt; pdbedit -Lw Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3: @@ -1361,7 +1360,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT net group - And this command lists the long names of the groups that have been + The following command lists the long names of the groups that have been imported (vampired) from the NT4 PDC: &rootprompt; net group -l -Uroot%not24get -Smassive @@ -1408,12 +1407,12 @@ Users Ordinary users - Multiple NT4 Domains can be merged into a single Samba-3 - Domain. + Multiple NT4 domains can be merged into a single Samba-3 + domain. - The net Samba-3 Domain most likely requires some + The net Samba-3 domain most likely requires some administration and updating before going live. @@ -1444,10 +1443,10 @@ Users Ordinary users merge - This is a recommendation that permits the data from each NT4 Domain to - be kept separate until you are ready to merge them. Also, if you do not do this, - you may find errors due to users or groups from multiple Domains having the - same name, but different SIDs. It is better to permit each migration to complete + This is a recommendation that permits the data from each NT4 domain to + be kept separate until you are ready to merge them. Also, if you do not start with a clean database, + you may find errors due to users or groups from multiple domains having the + same name but different SIDs. It is better to permit each migration to complete without undue errors and then to handle the merging of vampired data under proper supervision. @@ -1461,7 +1460,7 @@ Users Ordinary users Domain SID - Is it possible to set my Domain SID to anything I like? + Is it possible to set my domain SID to anything I like? 
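Review bot: the hunk at line 1408 lowercases "domain" but leaves the typo on the same line: `The net Samba-3 domain most likely requires some administration` should be `The new Samba-3 domain most likely requires some administration`.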
@@ -1474,12 +1473,12 @@ Users Ordinary users Domain SID - Yes, so long as the SID you create has the same structure as an auto-generated SID. + Yes, so long as the SID you create has the same structure as an autogenerated SID. The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why would you really want to create your own SID? I cannot think of a good reason. You may want to set the SID to one that is already in use somewhere on your network, - but that is a little different from straight out creating your own Domain SID. + but that is a little different from straight out creating your own domain SID. @@ -1506,7 +1505,7 @@ Users Ordinary users accounts Domain - When using a tdbsam passdb backend, why must I have all Domain user and group accounts + When using a tdbsam passdb backend, why must I have all domain user and group accounts in /etc/passwd and /etc/group? @@ -1534,7 +1533,7 @@ Users Ordinary users When migrating a smbpasswd file to an LDAP backend, the UID of each account is taken together with the account information in the - /etc/passwd and both sets of data are used to create the account + /etc/passwd, and both sets of data are used to create the account entry in the LDAP database. @@ -1566,9 +1565,9 @@ Users Ordinary users - Access validation before attempting to migrate NT4 Domain accounts helps to pin-point + Access validation before attempting to migrate NT4 domain accounts helps to pinpoint potential problems that may otherwise affect or impede account migration. I am always - mindful of the 4P's of migration &smbmdash; Planning Prevents Poor Performance. + mindful of the 4 P's of migration: Planning Prevents Poor Performance. 
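Review bot: hunk @@ -1474,12 +1473,12 @@ leaves "where the XXXXXXXXXX can be any number with from 6 to 10 digits" untouched; "with from" reads awkwardly alongside the other edits in this answer. Suggest "can be any number of 6 to 10 digits".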
@@ -1607,11 +1606,11 @@ Users Ordinary users tool - If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of + If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of accounts that have the same UNIX identifier (UID/GID). This means that you almost certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd file format and then manually edit all records to ensure that each has a unique UID. Each - file can then be imported a number of ways. You can use the pdbedit tool, + file can then be imported a number of ways. You can use the pdbedit tool to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that you have migrated before handing over access to a user. After all, too many users with a bad @@ -1630,8 +1629,8 @@ Users Ordinary users accounts machine - I want to change my Domain name after I migrate all accounts from an NT4 Domain to a - Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case? + I want to change my domain name after I migrate all accounts from an NT4 domain to a + Samba-3 domain. Does it make any sense to migrate the machine accounts in that case? @@ -1646,9 +1645,9 @@ Users Ordinary users tattooing - I would recommend not. The machine accounts should still work, but there are registry entries + I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries on each Windows NT4 and upward client that have a tattoo of the old domain name. If you - un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid + unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid this tattooing effect. 
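Review bot: in hunk @@ -1607,11 +1606,11 @@ the edited line still says "You can use the pdbedit tool to affect a transfer from the smbpasswd file to LDAP"; the intended verb is "effect" (to bring about). Since the line is already being changed for the comma, correct the word at the same time: "to effect a transfer".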
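Review bot: hunk @@ -1646,9 +1645,9 @@ introduces a number mismatch: "I would recommend not to migrate the machine account. The machine accounts should still work". The question above asks about machine accounts in the plural, so make the first sentence "I would recommend not migrating the machine accounts."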
@@ -1661,7 +1660,7 @@ Users Ordinary users multiple group mappings - After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why? + After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why? @@ -1674,9 +1673,9 @@ Users Ordinary users Samba-3 currently does not implement multiple group membership internally. If you use the Windows NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group - membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend, + membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend, then multiple group membership is handled through the UNIX groups file. When you dump the user - accounts no group account information is provided. When you edit (change) UIDs and GIDs in each + accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each file to which you migrated the NT4 Domain data, do not forget to edit the UNIX /etc/passwd and /etc/group information also. That is where the multiple group information is most closely at your fingertips. 
@@ -1732,13 +1731,13 @@ Users Ordinary users A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows - groups can contain upper- and lower-case characters, as well as spaces. - Many UNIX system do not permit the use of upper-case characters, and some do not permit the - space character either. A number of systems (i.e., Linux) work fine with both upper-case + groups can contain upper- and lowercase characters, as well as spaces. + Many UNIX system do not permit the use of uppercase characters, and some do not permit the + space character either. A number of systems (i.e., Linux) work fine with both uppercase and space characters in group names, but the shadow-utils package that provides the group - control functions (groupadd, groupmod, groupdel, and so on) do not permit them. + control functions (groupadd, groupmod, groupdel, and so on) do not permit them. Also, a number of UNIX systems management tools enforce their own particular interpretation - of the Posix standards, and likewise do not permit upper-case or space characters in group + of the POSIX standards and likewise do not permit uppercase or space characters in group or user account names. You have to experiment with your system to find what its peculiarities are. 
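Review bot: two small fixes in hunk @@ -1732,13 +1731,13 @@ while these lines are open: "Many UNIX system do not permit" should be "Many UNIX systems do not permit", and "A number of systems (i.e., Linux)" should use "e.g.", since Linux is offered as one example, not as the whole set.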
@@ -1762,7 +1761,7 @@ Users Ordinary users UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs, - you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned + you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. Please check this carefully before you attempt to effect a migration using the vampire process. @@ -1771,9 +1770,9 @@ Users Ordinary users Migration speed Migration speed depends much on the processor speed, the network speed, disk I/O capability, and - LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP - to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts - per minute. Migration would obviously go much faster if LDAP mirroring is turned off during the migration. + LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP + to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts + per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration. diff --git a/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml index a56a8c8fcae..43dee10a322 100644 --- a/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml +++ b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml 
@@ -6,12 +6,12 @@ Novell SUSE - Novell is a company any seasoned IT manager has to admire. They have become increasingly - Linux-friendly and are emerging out of a deep regression that almost saw the company + Novell is a company any seasoned IT manager has to admire. It has become increasingly + Linux-friendly and is emerging out of a deep regression that almost saw the company disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the platform of choice to which many older NetWare servers are being migrated. - It will be interesting to see what will become of NetWare over time. - Meanwhile, there can be no denying the fact that Novell is a Linux company. + It will be interesting to see what becomes of NetWare over time. + Meanwhile, there can be no denying that Novell is a Linux company. @@ -20,15 +20,15 @@ Gentoo Mandrake Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, - Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with - appropriate cognizance that file locations may vary a little; even so the information + Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with + the knowledge that file locations may vary a little; even so, the information in this chapter should provide something of value. migration - This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many - years who surfaced on the Samba mailing list with a barrage of questions, and who + Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many + years who surfaced on the Samba mailing list with a barrage of questions and who regularly now helps other administrators to solve thorny Samba migration questions. 
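Review bot: hunk @@ -20,15 +20,15 @@ changes the attribution from "This chapter was contributed by Misty Stanley-Jones" to "Contributions to this chapter were made by Misty Stanley-Jones", which weakens the credit rather than merely copy editing it. If the wording change is deliberate, fine; otherwise keep the original attribution and limit the edit to the comma fixes. Separately, the same hunk now repeats "in this chapter" twice within one sentence; the second occurrence can be dropped: "even so, the information here should provide something of value."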
@@ -38,33 +38,33 @@ NetWare Mars_NWE One wonders how many NetWare servers remain in active service. Many are being migrated - to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are + to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are ideal target platforms to which a NetWare server may be migrated. The migration method - of choice is much dependant on the tools that the administrator finds most natural to use. - The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for + of choice is much dependent on the tools that the administrator finds most natural to use. + The old-hand NetWare guru will likely want to use tools like the NetWare NLM for rsync to migrate files from the NetWare server to the Samba server. The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare Emulator) open source package. The MS Windows network administrator will likely make use of the NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, - migration will be filled with joyous and challenging moments - though probably not + migration will be filled with joyous and challenging moments &smbmdash; though probably not concurrently. The priority that Misty faced was one of migration of the data files off the NetWare 4.11 - server and onto a Samba based Windows file and print server. This chapter does not pretend + server and onto a Samba-ased Windows file and print server. This chapter does not pretend to document all the different methods that could be used to migrate user and group accounts - off a NetWare server, its focus is on migration of data files. + off a NetWare server. Its focus is on migration of data files. - This chapter tells its own story, so ride along, ... maybe the information here presented + This chapter tells its own story, so ride along. 
Maybe the information presented here will help to smooth over a similar migration challenge in your favorite networking environment. File paths have been modified to permit use of RPM packages provided by Novell. In the - original documentation contributed by Misty a the Courier-IMAP package had been built + original documentation contributed by Misty, the Courier-IMAP package had been built directly from the original source tarball. @@ -73,9 +73,9 @@ Novell - Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had - not received much attention for some years and was much in need of a make-over. - As a brand-new sysadmin to this company, she inherited a very old Novell file server, + Misty Stanley-Jones was recruited by Abmas to administer a network that had + not received much attention for some years and was much in need of a makeover. + As a brand-new sysadmin to this company, she inherited a very old Novell file server and came with a determination to change things for the better. @@ -93,7 +93,7 @@ - The company had outgrown this server several years before and were dealing with + The company had outgrown this server several years before and was dealing with severe growing pains. Some of the problems experienced were: @@ -102,7 +102,7 @@ Very slow performance - Available storage hovering around the 5% range. + Available storage hovering around the 5% range Extremely slow print spooling. @@ -110,7 +110,7 @@ Users storing information on their local hard - drives, causing backup integrity problems. + drives, causing backup integrity problems 
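Review bot: hunk @@ -38,33 +38,33 @@ introduces a typo on the new line "server and onto a Samba-ased Windows file and print server"; it should read "Samba-based".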
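Review bot: hunks @@ -102,7 +102,7 @@ and @@ -110,7 +110,7 @@ strip the trailing period from two list items, but the neighbouring items left as context ("Very slow performance" has none, "Extremely slow print spooling." keeps one) are now inconsistent. Pick one convention for the whole list and apply it to every item, including the ones not in these hunks.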
@@ -119,7 +119,7 @@ payroll - At one point disk space had filled up to 100% causing the payroll database + At one point disk space had filled up to 100 percent, causing the payroll database to become corrupt. This caused the accounting department to be down for over a week and necessitated deployment of another file server. The replacement server was created with very poor security and design considerations from @@ -135,8 +135,8 @@ configuration files and background will accelerate your learning as you grapple with a similar migration challenge. Let there be no confusion, the information presented in this chapter is provided to demonstrate - how Misty dealt with a particular NetWare migration requirement and - it provides an over-all approach to the implementation of a Samba-3 + how Misty dealt with a particular NetWare migration requirement, and + it provides an overall approach to the implementation of a Samba-3 environment that is significantly divergent from that presented in . 
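Review bot: hunk @@ -119,7 +119,7 @@ changes "100%" to "100 percent", while the list a few lines earlier (hunk @@ -102,7 +102,7 @@) keeps "the 5% range". Use the same form in both places.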
@@ -144,19 +144,19 @@ The complete removal of all site-specific information in order to produce a generic migration solution would rob this chapter of its character. - It should be recognized therefore, that the examples given will require - significant adaptation to suit local needs and thus it is recognized that - there are some gaps in the example files. That is not Misty's fault, it + It should be recognized, therefore, that the examples given require + significant adaptation to suit local needs and thus + there are some gaps in the example files. That is not Misty's fault;it is the result of treatment given to her files in an attempt to make the overall information more useful to you. cost-benefit - After presenting a cost-benefit report to management, as well as an estimated + After management reviewed a cost-benefit report as well as an estimated time-to-completion, approval was given proceed with the solution proposed. The server was built from purchased components. The total project cost - was $3000. A brief description of the configuration follows: + was $3,000. A brief description of the configuration follows: @@ -184,7 +184,7 @@ - The new system has operated for six months without problems. Over the past months + The new system has operated for 6 months without problems. Over the past months much attention has been focused on cleaning up desktops and user profiles. @@ -199,8 +199,8 @@ e-Directory authentication identity management - A decision to use LDAP was made even though I know nothing about LDAP except that - I had been reading the book LDAP System Administration, by Gerald Carter. + A decision to use LDAP was made even though I knew nothing about LDAP except that + I had been reading the book LDAP System Administration, by Gerald Carter. LDAP seemed to provide some of the functionality of Novell's e-Directory Services and would provide centralized authentication and identity management. 
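Review bot: in hunk @@ -144,19 +144,19 @@ the new line "That is not Misty's fault;it" is missing the space after the semicolon. The unchanged line "approval was given proceed with the solution proposed" in the same hunk is also missing a word and should read "approval was given to proceed with the solution proposed".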
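Review bot: hunk @@ -184,7 +184,7 @@ changes "six months" to "6 months". Small whole numbers are spelled out elsewhere in this chapter ("one at a time", "two LDAP slave servers", "three such machines"), so this change works against the style being applied; suggest keeping "six months".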
@@ -209,9 +209,9 @@ database RPM tree - Building the LDAP database took a while, and a lot of trial and error. Following - the guidance I obtained from Jerry Carter's book LDAP System - Administration, I installed OpenLDAP (from RPM; later I compiled + Building the LDAP database took a while and a lot of trial and error. Following + the guidance I obtained from LDAP System + Administration, I installed OpenLDAP (from RPM; later I compiled a more current version from source) and built my initial LDAP tree. @@ -228,19 +228,19 @@ IMAP POP3 SMTP - The first challenge was to create a company white-pages, followed by manually + The first challenge was to create a company white pages, followed by manually entering everything from the printed company directory. This used only the inetOrgPerson - objectclass from the OpenLDAP schemas. The next step was to write a shell script which + object class from the OpenLDAP schemas. The next step was to write a shell script that would look at the /etc/passwd and /etc/shadow - files on our mail server, and create a LDIF file from which the information could be + files on our mail server and create a LDIF file from which the information could be imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, and SMTP. - Given that a decision had been made to use Courier-IMAP the schema authldap.schema - from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory - needs. Where the Courier-IMAP file provided by SUSE is used this file is named + Because a decision was made to use Courier-IMAP the schema authldap.schema + from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory + needs. Where the Courier-IMAP file provided by SUSE is used, this file is named courier.schema. 
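Review bot: hunk @@ -228,19 +228,19 @@ moves a comma to the wrong place: "Because a decision was made to use Courier-IMAP the schema authldap.schema from the Courier-IMAP source, tarball is necessary" splits "source tarball". It should be "Because a decision was made to use Courier-IMAP, the schema authldap.schema from the Courier-IMAP source tarball is necessary". In the same hunk, "create a LDIF file" should be "an LDIF file", matching the "an LDAP client" change made later in this patch.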
@@ -252,7 +252,7 @@ - An attempt was made to use the PADL POSIX account migration scripts but I gave up trying to + An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to make them work. Instead, even though it is most inelegant, I wrote a simple script that did what I needed. It is enclosed as a simple example to demonstrate that you do not need to be a guru to make light of otherwise painful repetition. This file is listed in . @@ -287,12 +287,12 @@ done - Editors' Note + The PADL MigrationTools are recommended for migration of the UNIX account information into the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text files (or from a name service such as NIS). This too set can be obtained from the PADL web site. + "http://www.padl.com">PADL Web site. @@ -551,7 +551,7 @@ tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem - The Name Server Switch control file /etc/nsswitch.conf has the following contents: + The NSS control file /etc/nsswitch.conf has the following contents: # /etc/nsswitch.conf # This file controls the resolve order for system databases. @@ -572,7 +572,7 @@ group: compat ldap module is shown in file. This works out of the box with the configuration files in this chapter. It enables you to have no local accounts for users (it is highly advisable - to have a local account for the root user). Traps for the unwary include: + to have a local account for the root user). Traps for the unwary include the following: 
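Review bot: hunk @@ -287,12 +287,12 @@ replaces the "Editors' Note" line with an empty line; if the note element needs a title, this leaves it blank, so confirm the removal is intended. The unchanged context in the same hunk also carries two typos worth fixing while here: "This too set can be obtained" should be "This tool set can be obtained", and "protocols, PRCs, and services" almost certainly means "RPCs".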
@@ -626,15 +626,15 @@ session: none - If fail-over is configured incorrectly weird behavior can occur. For example, - DNS failing to resolve. + If failover is configured incorrectly, weird behavior can occur. For example, + DNS can fail to resolve. I do have two LDAP slave servers configured. That subject is beyond the scope - of this document and steps for implementing it are well-documented. + of this document, and steps for implementing it are well documented. @@ -652,15 +652,15 @@ session: none white-pages Windows Address Book - Company-wide White-Pages can be searched using a LDAP client + Companywide white pages can be searched using an LDAP client such as the one in the Windows Address Book. LDAP smbldap-tools - Having gained a solid understanding of LDAP, and a relatively workable LDAP tree - thus far, it was time to configure Samba. I compiled the latest stable SAMBA and + Having gained a solid understanding of LDAP and a relatively workable LDAP tree + thus far, it was time to configure Samba. I compiled the latest stable Samba and also installed the latest smbldap-tools from Idealx. 
@@ -883,21 +883,21 @@ session: none rsyncd.conf synchronize Note: During the process of building the new server, I kept data files - up-to-date with the Novell server via use of rsync. - On a separate system (my workstation in fact) which could be rebooted + up to date with the Novell server via use of rsync. + On a separate system (my workstation in fact), which could be rebooted whenever necessary, I set up a mount point to the Novell server via ncpmount. I then created a rsyncd.conf to share that mount point out to my new server, and synchronized once an hour. The script I used to synchronize is shown in . The files exclusion list I used is shown in . The reason I had to have the - rsync daemon running on a system which could be + rsync daemon running on a system that could be rebooted frequently is because ncpfs (part of the MARS NetWare Emulation package) has a nasty habit of creating stale - mount points which cannot be recovered without a reboot. The reason for hourly + mount points that cannot be recovered without a reboot. The reason for hourly synchronization is because some part of the chain was very slow and performance-heavy (whether rsync itself, the network, - or the Novell server I am not sure probably the Novell server). + or the Novell server, I am not sure, but it was probably the Novell server). @@ -951,8 +951,8 @@ fi - After Samba had been configured, I initialized the LDAP database. So the first - thing I had to do was to store the LDAP password in the Samba configuration by + After Samba was configured, I initialized the LDAP database. The first + thing I had to do was store the LDAP password in the Samba configuration by issuing the command (as root): &rootprompt; smbpasswd -w verysecret 
@@ -964,12 +964,12 @@ fi The Idealx smbldap-tools package can be configured using a script called configure.pl that is provided as part of the tool. See for an example of its use. Many administrators, like Misty, choose to do this manually -so as to maintain greater awareness of how the tool-chain works, and possibly to avoid +so as to maintain greater awareness of how the tool-chain works and possibly to avoid undesirable actions from occurring un-noticed.
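Review bot: hunk @@ -964,12 +964,12 @@ leaves "undesirable actions from occurring un-noticed" on the following context line; the rest of this patch removes such hyphens ("unjoin", "preloaded", "makeover"), so change it to "unnoticed" for consistency.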
- Now Samba is ready for use. Now configure the smbldap-tools. There are two + Now Samba was ready for use and it was time to configure the smbldap-tools. There are two relevant files, which are usually put into the directory /etc/smbldap-tools. The main file, smbldap.conf is shown in . @@ -1164,8 +1164,8 @@ smbpasswd="/usr/bin/smbpasswd" TLS - NOTE: I chose not to take advantage of the TLS capability of this. - Eventually I may go back and tweak it. Also I chose not to take advantage + Note: I chose not to take advantage of the TLS capability of this. + Eventually I may go back and tweak it. Also, I chose not to take advantage of the master/slave configuration as I heard horror stories that it was unstable. My slave servers are replicas only. @@ -1182,7 +1182,7 @@ smbpasswd="/usr/bin/smbpasswd" ############################ # Credential Configuration # ############################ -# Notes: you can specify two different configuration if you use a +# Notes: you can specify two different configurations if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) 
@@ -1194,16 +1194,16 @@ masterPw="verysecret" - We can now run the smbldap-populate command which will populate + The next step was to run the smbldap-populate command, which populates the LDAP tree with the appropriate default users, groups, and UID and GID pools. - It will create a user called Administrator with UID=0 and GID=0 matching the - Domain Admins group. This is fine you can still log in a root to a Windows system, - but it will break cached credentials if you need to log in as the administrator - to a system that is not on the network for whatever reason. + It creates a user called Administrator with UID=0 and GID=0 matching the + Domain Admins group. This is fine because you can still log on a root to a Windows system, + but it will break cached credentials if you need to log on as the administrator + to a system that is not on the network. - After the LDAP database has been pre-loaded it is prudent to validate that the + After the LDAP database has been preloaded, it is prudent to validate that the information needed is in the LDAP directory. This can be done done by restarting the LDAP server, then performing an LDAP search by executing: @@ -1250,11 +1250,11 @@ ou: Idmap smbldap-groupadd RID sambaGroupMapping - With the LDAP directory now initialized it is time to create the Windows and POSIX + With the LDAP directory now initialized, it was time to create the Windows and POSIX (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. - The easiest way to do this is to use smbldap-groupadd command. - It will create the group with the posixGroup and sambaGroupMapping attributes, a - unique GID, and an automatically-determined RID. I learned the hard way not to + The easiest way to do this was to use smbldap-groupadd command. + It creates the group with the posixGroup and sambaGroupMapping attributes, a + unique GID, and an automatically determined RID. I learned the hard way not to try to do this by hand. 
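Review bot: in hunk @@ -1194,16 +1194,16 @@ the new line "This is fine because you can still log on a root to a Windows system" carries over a typo from the old text; it should read "log on as root". The unchanged line "This can be done done by restarting the LDAP server" in the same hunk has a duplicated word.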
@@ -1273,7 +1273,7 @@ ou: Idmap posixAccount smbldap-usermod The most monumental task of all was adding the sambaSamAccount information to each - already-existent posixAccount entry. I did it one at a time as I moved people onto + already existent posixAccount entry. I did it one at a time as I moved people onto the new server, by issuing the command: &rootprompt; smbldap-usermod -a -P username @@ -1281,8 +1281,8 @@ ou: Idmap NetWare LDIF slapcat - I completed that step for every user after asking the person what their current - NetWare password was. The wiser way to have done it would probably be to dump the + I completed that step for every user after asking the person what his or her current + NetWare password was. The wiser way to have done it would probably have been to dump the entire database to an LDIF file. This can be done by executing: &rootprompt; slapcat > somefile.ldif @@ -1307,7 +1307,7 @@ ou: Idmap - So first I added a test user, of course. The LDIF for this test user looks like + I first added a test user, of course. The LDIF for this test user looks like this, to give you an idea: # Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz @@ -1378,10 +1378,10 @@ sambaAcctFlags: [W ] netlogon - So now I can log in with a test user from the machine w2kengrspare. It's all fine and - good, but that user is in no groups yet so has pretty boring access. We can fix that + So now I could log on with a test user from the machine w2kengrspare. It was all fine and + good, but that user was in no groups yet and so had pretty boring access. I fixed that by writing the login script! To write the login script, I used - Kixtart. I used it because it will work + Kixtart because it will work with every architecture of Windows, has an active and helpful user base, and was both easier to learn and more powerful than the standard netlogon scripts I have seen. I also did not have to do a logon script per user or per group. 
@@ -1389,7 +1389,7 @@ sambaAcctFlags: [W ] Kixtart - I downloaded Kixtart and put the following files in my [netlogon] share: + I downloaded Kixtart and put the following files in my netlogon share: KIX32.EXE KX32.dll @@ -1589,16 +1589,16 @@ ENDIF - As you can see in the script, I redirect the My Documents to the user's home - share if they are not in the Laptop group. I also add printers on a - group-by-group basis, and if applicable I setthe group printer. For this to + As you can see in the script, I redirected the My Documents to the user's home + share if he or she were not in the Laptop group. I also added printers on a + group-by-group basis, and if applicable I set the group printer. For this to be effective, the print drivers must be installed on the Samba server in the [print$] share. Ample documentation exists about how to - do that so I did not cover it. + do that, so it is not covered here. - I actually call this script via the logon.bat script in the [netlogon] directory: + I call this script via the logon.bat script in the [netlogon] directory: \\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f @@ -1608,12 +1608,12 @@ ENDIF Also of note for Win9x is that the drive mappings and printer setup will not - work because they rely on RPC. One merely has to put the appropriate settings + work because they rely on RPC. You merely have to put the appropriate settings into the c:\autoexec.bat file or map the drives manually. - One option would be to check the OS as part of the Kixtart script, and if it - is Win9x and if it is the first login, copy a pre-made + One option is to check the OS as part of the Kixtart script, and if it + is Win9x and is the first login, copy a premade autoexec.bat to the C: drive. I - only have three such machines and one is going away in the very near future, + have onlythree such machines, and one is going away in the very near future, so it was easier to do it by hand. 
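Review bot: hunk @@ -1608,12 +1608,12 @@ introduces a missing space in "have onlythree such machines"; it should be "have only three such machines". In hunk @@ -1589,16 +1589,16 @@, "share if he or she were not in the Laptop group" uses the subjunctive for a plain factual condition; the past-tense narrative calls for "if he or she was not in the Laptop group".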
@@ -1622,14 +1622,14 @@ ENDIF At this point I was able to add the users. This is the part that really falls into upgrade. I moved the users over one group at a time, starting with the people who used the least amount of resources on the network. With each group - that I moved, I first logged in as a standard user in that group and took - careful note of their environment, mainly the printers they used, their PATH, - and what network resources they had access to (most importantly which ones - they actually needed access to). + that I moved, I first logged on as a standard user in that group and took + careful note of the environment, mainly the printers he or she used, the PATH, + and what network resources he or she had access to (most importantly, which ones + the user actually needed access to). - I would then add the user's SambaSamAccount information as mentioned earlier, + I then added the user's SambaSamAccount information as mentioned earlier, and join the computer to the domain. The very first thing I had to do was to copy the user's profile to the new server. This was very important, and I really struggled with the most effective way to do it. Here is the method that worked @@ -1639,7 +1639,7 @@ ENDIF Log in as the user on the domain. This creates the local copy - of the user's profile and copies it to the server as they log out. + of the user's profile and copies it to the server as he or she logs out. 
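Review bot: hunk @@ -1622,14 +1622,14 @@ changes "I would then add" to "I then added" but leaves "and join the computer to the domain", so the tenses no longer agree; make it "and joined the computer to the domain". The same line writes "SambaSamAccount", whereas the object class is written "sambaSamAccount" in hunk @@ -1273,7 +1273,7 @@ and in the LDIF listing; use the lowercase form.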
@@ -1660,17 +1660,17 @@ ENDIF In the next dialog, copy it directly to the profiles share on the Samba server (\\PDCname\profiles\user\<architecture> in my case). You will have had to make a connection to the share as that - user (e.g.: Windows Explorer type \\PDCname\profiles\username). + user (e.g., Windows Explorer type \\PDCname\profiles\username). When the copy is complete (it can take a while) log out, and log back in - as the user. All his/her settings and all contents of My Documents, + as the user. All of his or her settings and all contents of My Documents, Favorites, and the registry should have been copied successfully. - If it doesn't look right (the dead giveaway is the desktop background) + If it doesn't look right (the dead giveaway is the desktop background), shut down the computer without logging out (power cycle) and try logging in as the user again. If it still doesn't work, repeat the steps above. I only had to ever repeat it once. @@ -1679,18 +1679,18 @@ ENDIF - WORDS TO THE WISE: + Words to the Wise: - If the user was anything other than a standard user on his/her system - before, you will save yourself some headaches by giving them identical - permissions (on the local machine) as their domain account, BEFORE - copying their profile over. Do this through the User Administrator + If the user was anything other than a standard user on his or her system + before, you will save yourself some headaches by giving him or her identical + permissions (on the local machine) as his or her domain account before + copying the profile over. Do this through the User Administrator in the Control Panel, after joining the computer to the domain and - before logging as that user for the first time. Otherwise they will - have trouble with permissions on their registry keys. + before logging on as that user for the first time. Otherwise the user will + have trouble with permissions on his or her registry keys. 
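Review bot: hunks @@ -1378,10 +1378,10 @@ and @@ -1622,14 +1622,14 @@ standardize on "log on", but hunk @@ -1660,17 +1660,17 @@ still has "log out, and log back in as the user" and "try logging in as the user again" on lines being edited. Apply the same choice here, or leave "log in" everywhere, but not a mix.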
@@ -1703,53 +1703,53 @@ ENDIF After all these steps are accomplished, only cleanup details are left. Make sure user's shortcuts and Network Places point to the appropriate place on the new server, check the important applications to be sure they work as expected and troubleshoot any problems - that might arise, check to be sure the user's printers are present and working. By the - way, if there are any network printers installed as system printers (the Novell way) + that might arise, and check to be sure the user's printers are present and working. By the + way, if there are any network printers installed as system printers (the Novell way), you will need to log in as a local administrator and delete them. - For my non-laptop systems, I would then log in and out a couple times as the user, - to be sure that their registry settings were modified, then I was finished. + For my non-laptop systems, I would then log in and out a couple times as the user + to be sure that his or her registry settings were modified, and then I was finished. - Some compatibility issues that cropped up included: + Some compatibility issues that cropped up included the following: - Blackberry client &smbmdash; It did not like having its registry settings moved around, - and had to be reinstalled. Also it needed write permissions to a portion of + Blackberry client: It did not like having its registry settings moved around + and so had to be reinstalled. Also, it needed write permissions to a portion of the hard drive, and I had to give it those manually on the one system where this was an issue. - CAMedia &smbmdash; digital camera software for Canon cameras I had all kinds of trouble + CAMedia: Digital camera software for Canon cameras caused all kinds of trouble with the registry. 
I had to use the Run as service to open the registry of the local user while logged in as the domain user, and give the domain user the appropriate permissions to some registry keys, then export that portion - of the registry to a file. Then as the domain user I had to import that file + of the registry to a file. Then, as the domain user, I had to import that file into the registry. - Crystal Reports version 7 &smbmdash; More registry problems that were solved by re-copying + Crystal Reports version 7: More registry problems that were solved by recopying the user's profile. - Printing from legacy applications &smbmdash; I found out that Novell sent its jobs to - the printer in a raw format. CUPS sends them in Postscript by default. I had + Printing from legacy applications: I found out that Novell sends its jobs to + the printer in a raw format. CUPS sends them in PostScript by default. I had to make a second printer definition for one printer and tell CUPS specifically - to send raw data to the printer, and assign this printer to the LPT port with + to send raw data to the printer, then assign this printer to the LPT port with Kixtart's version of the net use command. These were all eventually solved by elbow grease, queries to the Samba mailing list and others, and diligence. The complete migration took about 5 weeks. - My userbase is relatively small, but includes multiple versions of Windows, + My userbase is relatively small but includes multiple versions of Windows, multiple Linux member servers, a mechanized saw, a pen plotter, and legacy applications written in Qbasic and R:Base, just to name a few. I actually ended up making some of these applications work better (or work again, as 
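Review bot: The unchanged context line at the top of the @@ -1703 hunk, "Make sure user's shortcuts and Network Places point to the appropriate place", is missing an article and should read "the user's shortcuts". Further down, the hunk changes the author's past tense "Novell sent its jobs to the printer in a raw format" to present tense "Novell sends", although the paragraph describes a migration that is already complete; keeping "sent" matches "CUPS sends them in PostScript by default" as a contrast between the old and the current system. The punctuation fixes in the compatibility list (colons in place of the em dash entity) are fine.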
@@ -1759,22 +1759,22 @@ ENDIF The one thing I have not been able to get working is a very old database that - we had around for reference purposes which uses Novell's Btrieve engine. + we had around for reference purposes; it uses Novell's Btrieve engine. - As the resources compare, I went from 95% disk usage to just around 10%. - I went from a very high load on the server to an average load of between 1 - and 2 runnable processes on the server. I have improved the security and + As the resources compare, I went from 95 percent disk usage to just around 10 percent. + I went from a very high load on the server to an average load of between one + and two runnable processes on the server. I have improved the security and robustness of the system. I have also implemented - ClamAV Anti-virus - which scans the entire Samba server for viruses every two hours and + ClamAV antivirus software, + which scans the entire Samba server for viruses every 2 hours and quarantines them. I have found it much less problematic than our ancient - version of Norton Anti-virus Corporate Edition, and much more up-to-date. + version of Norton Antivirus Corporate Edition, and much more up-to-date. - In short, my users are much happier now that the new server is running, that + In short, my users are much happier now that the new server is running, and that is what is important to me. diff --git a/docs/Samba-Guide/SBE-SecureOfficeServer.xml b/docs/Samba-Guide/SBE-SecureOfficeServer.xml index 3e7bc344691..3dcbba4cd39 100644 --- a/docs/Samba-Guide/SBE-SecureOfficeServer.xml +++ b/docs/Samba-Guide/SBE-SecureOfficeServer.xml 
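Review bot: Number style is inconsistent within the @@ -1759 hunk: "between one and two runnable processes" spells the numbers out, while "every 2 hours" on the next changed line uses a numeral. The copy edit elsewhere in this commit spells out small numbers ("two methods" in SBE-UpgradingSamba.xml), so "every two hours" is the consistent choice. In the same paragraph "scans the entire Samba server for viruses every 2 hours and quarantines them" leaves "them" referring back across the clause; "quarantines any it finds" is unambiguous.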
@@ -5,10 +5,10 @@ Congratulations, your Samba networking skills are developing nicely. You started out - with three simple networks in Chapter 1, and then in Chapter 2 you designed and built a - network that provides a high degree of flexibility, integrity, and dependability. It - was enough for the basic needs each was designed to fulfill. In this chapter you - address a more complex set of needs. The solution you explore + with three simple networks in , and then in + you designed and built a network that provides a high degree of flexibility, integrity, + and dependability. It was enough for the basic needs each was designed to fulfill. In + this chapter you address a more complex set of needs. The solution you explore introduces you to basic features that are specific to Samba-3. @@ -280,7 +280,7 @@ dynamic DNS DDNSdynamic DNS DHCP server - Compared with the DHCP server configuration in Chapter 2, , the + Compared with the DHCP server configuration in , , the configuration used in this example has to deal with the presence of an Internet connection. The scope set for it ensures that no DHCP services will be offered on the external connection. All printers are configured as DHCP clients so that the DHCP server assigns @@ -962,7 +962,7 @@ root = Administrator netgroupmapadd netgroupmapmodify netgroupmaplist - Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Chapter 2, + Create and map Windows Domain Groups to UNIX groups. A sample script is provided in , . Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows: @@ -1157,7 +1157,7 @@ net use p: \\diamond\apps DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename> -# Abmas Accounting Inc. - Chapter 4 +# Abmas Accounting Inc. default-lease-time 86400; max-lease-time 172800; default-lease-time 86400; 
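Review bot: In the @@ -1157 hunk of SBE-SecureOfficeServer.xml, the dhcpd.conf sample shown as context contains "default-lease-time 86400;" twice (once before and once after "max-lease-time 172800;"). Removing the stale "- Chapter 4" comment is right; while the sample is open, drop the duplicated directive, since a repeated option in a configuration file that readers are expected to copy invites confusion about which value wins. The @@ -5 and @@ -962 hunks replace hardcoded "Chapter 1"/"Chapter 2" text with cross-references, which is the point of this commit; the remaining in-book "Chapter" strings in this file should be grepped for so none are left behind.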
@@ -1890,7 +1890,7 @@ $rootprompt; ps ax | grep winbind The winbindd daemon is running in split mode (normal), so there are also two instancesFor more information regarding winbindd, see TOSHARG, - Chapter 22, Section 22.3. The single instance of smbd is normal. One additional + Chapter 23, Section 23.3. The single instance of smbd is normal. One additional smbd slave process is spawned for each SMB/CIFS client connection. of it. @@ -2608,7 +2608,7 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long. The 16th character is a name type indicator. A specific name type is registered - See TOSHARG, Chapter 9, for more information. for each + See TOSHARG, Chapter 9, for more information. for each type of service that is provided by the Windows server or client and that may be registered where a WINS server is in use. diff --git a/docs/Samba-Guide/SBE-TheSmallOffice.xml b/docs/Samba-Guide/SBE-TheSmallOffice.xml index 6ada0031591..a871d06b230 100644 --- a/docs/Samba-Guide/SBE-TheSmallOffice.xml +++ b/docs/Samba-Guide/SBE-TheSmallOffice.xml @@ -4,7 +4,7 @@ Small Office Networking - Chapter 1 focused on the basics of simple yet effective + focused on the basics of simple yet effective network solutions. Network administrators who take pride in their work (that's most of us, right?) take care to deliver what our users want, but not too much more. If we make things too complex, we confound our users 
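Review bot: The @@ -1890 hunk updates the external reference to "TOSHARG, Chapter 23, Section 23.3". This is the same kind of fragile numeric chapter reference that this commit replaces with cross-references elsewhere; since TOSHARG is a separate book a numeric reference may be unavoidable, but the identical "Chapter 22" to "Chapter 23" change also appears in SBE-TheSmallOffice.xml, so the remaining TOSHARG chapter references across the guide should be checked in one pass rather than as they are found.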
@@ -264,7 +264,7 @@ The alternate approach could be to demonstrate the migration of the system that is documented in to meet the new requirements. The decision to treat this case, as with future examples, as a new installation is based on the premise that you can determine - the migration steps from the information provided in Chapter ?????????. + the migration steps from the information provided in . Additionally, a fresh installation makes the example easier to follow. @@ -769,7 +769,7 @@ $rootprompt; ps ax | grep winbind The winbindd daemon is running in split mode (normal), so there are also two instances of it. For more information regarding winbindd, see TOSHARG, - Chapter 22, Section 22.3. The single instance of smbd is normal. + Chapter 23, Section 23.3. The single instance of smbd is normal. diff --git a/docs/Samba-Guide/SBE-UpgradingSamba.xml b/docs/Samba-Guide/SBE-UpgradingSamba.xml index 6ce1df51b7c..04a6d3bc9b6 100644 --- a/docs/Samba-Guide/SBE-UpgradingSamba.xml +++ b/docs/Samba-Guide/SBE-UpgradingSamba.xml @@ -37,8 +37,8 @@ context in either book, I could not find it. contributions So in response to the significant request for these situations to be better -documented this chapter has now been added. User contributions and documentation -of real-world experiences will be a most welcome addition to this chapter. +documented, this chapter has now been added. User contributions and documentation +of real-world experiences are a most welcome addition to this chapter. 
@@ -49,20 +49,20 @@ of real-world experiences will be a most welcome addition to this chapter. upgrade frustration A Windows network administrator explained in an email what changes he was -planning to make and and followed with the question: Anyone done this before?. -Many of us have upgraded and updated Samba without incident. Others have -experienced much pain and user frustration. So it is to be hoped that the -notes in this chapter will make a positive difference by assuring that -someone will be saved a lot of discomfort. +planning to make and followed with the question: Anyone done this +before? Many of us have upgraded and updated Samba without incident. +Others have experienced much pain and user frustration. So it is to be hoped +that the notes in this chapter will make a positive difference by assuring +that someone will be saved a lot of discomfort. -Before anyone commences an upgrade or an update of Samba the one cardinal +Before anyone commences an upgrade or an update of Samba, the one cardinal rule that must be observed is: Backup all Samba configuration files in case it is necessary to revert to the old version. Even if you do not like this precautionary step, users will punish an administrator who fails to take adequate steps to avoid situations that may inflict lost -productivity on a user. +productivity on them. 
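Review bot: The unchanged context line in the @@ -49 hunk, "rule that must be observed is: Backup all Samba configuration files", uses the noun "backup" as a verb; as part of a copy edit this should become "Back up all Samba configuration files", matching "be backed up" used later in the same file. In the changed lines, "by assuring that someone will be saved a lot of discomfort" wants "ensuring". The removal of the doubled "and and" and moving the period out of the quoted question are correct.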
@@ -81,8 +81,8 @@ in the rare event that this may be necessary. It is prudent also to backup all data files on the server before attempting to perform a major upgrade. Many administrators have experienced the consequences of failure to take adequate precautions. So what is adequate? That is simple! -If data is lost during an upgrade or and update and it can not be restored -the precautions take were inadequate. If a backup was not needed, but was available, +If data is lost during an upgrade or update and it can not be restored, +the precautions taken were inadequate. If a backup was not needed, but was available, precaution was on the side of the victor. @@ -99,16 +99,16 @@ precaution was on the side of the victor. upgrade generation This is as good a time as any to define the terms upgrade and - update. The term upgrade is used to refer to + update. The term upgrade refers to the installation of a version of Samba that is a whole generation or more ahead of that which is installed. Generations are indicated by the first digit of the version - number. So far Samba has been released in generations 1.x, 2.x, 3.x and currently 4.0 + number. So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0 is in development. generation - The term update is used to refer to a minor version number installation + The term update refers to a minor version number installation in place of one of the same generation. For example, updating from Samba 3.0.10 to 3.0.14 is an update. The move from Samba 2.0.7 to 3.0.14 is an upgrade. 
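Review bot: In the @@ -81 hunk the changed line keeps "it can not be restored" as two words, while the @@ -315 hunk later in this same file changes "can not" to "cannot"; make them consistent ("cannot"). In the @@ -99 hunk, "So far Samba has been released in generations 1.x, 2.x, 3.x, and currently 4.0 is in development" can be read as listing 4.0 among the released generations; "and generation 4.x is currently in development" separates the two clearly. The "upgrade"/"update" definitions themselves read well after the edit.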
@@ -118,15 +118,15 @@ precaution was on the side of the victor. While the use of these terms is an exercise in semantics, what needs to be realized is that there are major functional differences between a Samba 2.x release and a Samba 3.0.x release. Such differences may require a significantly different approach to - solving the same networking challenge and generally requires careful review of the + solving the same networking challenge and generally require careful review of the latest documentation to identify precisely how the new installation may need to be modified to preserve prior functionality. - There is an old axiom that says, The greater the volume of the documentation - the greater the risk that no-one will read it, but where there is no documentation - no-one can read it!. While true, some documentation is an evil necessity. + There is an old axiom that says, The greater the volume of the documentation, + the greater the risk that noone will read it, but where there is no documentation, + noone can read it! While true, some documentation is an evil necessity. It is to be hoped that this update to the documentation will avoid both extremes. @@ -140,7 +140,7 @@ precaution was on the side of the victor. SID networkingclient securityidentifier - Before the days of Windows NT and OS/2 every Windows and DOS networking client + Before the days of Windows NT and OS/2, every Windows and DOS networking client that used the SMB protocols was an entirely autonomous entity. There was no concept of a security identifier for a machine or a user outside of the username, the machine name, and the workgroup name. In actual fact, these were not security identifiers 
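Review bot: "noone" in the @@ -118 hunk is not a word; the replacement for the original "no-one" should be "no one" (two words) in both places in the quoted axiom ("the greater the risk that no one will read it, but where there is no documentation, no one can read it!"). The comma insertions in the same hunk and in @@ -140 are fine.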
@@ -155,7 +155,7 @@ precaution was on the side of the victor. SID username Windowsclient - Versions of Samba prior to 1.9 did not make use of a SID, instead they make exclusive use + Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use of the username that is embedded in the SessionSetUpAndX component of the connection setup process between a Windows client and an SMB/CIFS server. @@ -165,7 +165,7 @@ precaution was on the side of the victor. rpc security Around November 1997 support was added to Samba-1.9 to handle the Windows security - rpc based protocols that implemented support for Samba to store a machine SID. This + RPC-based protocols that implemented support for Samba to store a machine SID. This information was stored in a file called MACHINE.SID. @@ -173,9 +173,9 @@ precaution was on the side of the victor. machine SID secrets.tdb - Within the life time of the early Samba 2.x series the machine SID information was - relocated into a tdb file called secrets.tdb, which is where is - is still located in Samba 3.0.x along with other information that pertains to the + Within the lifetime of the early Samba 2.x series, the machine SID information was + relocated into a tdb file called secrets.tdb, which is where + it is still located in Samba 3.0.x along with other information that pertains to the local machine and its role within a domain security context. @@ -186,7 +186,7 @@ precaution was on the side of the victor. SAS There are two types of SID, those pertaining to the machine itself and the domain to which it may belong, and those pertaining to users and groups within the security - context of the local machine (in the case of stand-alone servers (SAS) and domain member + context of the local machine, in the case of standalone servers (SAS) and domain member servers (DMS). 
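Review bot: Tense in the @@ -155 hunk: "Versions of Samba prior to 1.9 did not make use of a SID. Instead they make exclusive use of the username" should continue in the past, "Instead they made exclusive use". Splitting the sentence is otherwise an improvement. The @@ -186 hunk correctly repairs the unbalanced parentheses ("(in the case of standalone servers (SAS) and domain member servers (DMS)." had three opening and two closing parentheses); with the comma in place of the first "(", the count now balances.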
@@ -198,24 +198,24 @@ precaution was on the side of the victor. SID secrets.tdb When the Samba smbd daemon is first started, if the secrets.tdb - file does not exist it is created at the first client connection attempt. If this file does - exist, smbd checks that there is a machine SID (if it is a domain controller + file does not exist, it is created at the first client connection attempt. If this file does + exist, smbd checks that there is a machine SID (if it is a domain controller, it searches for the domain SID). If smbd does not find one for the current - name of the machine or for the current name of the workgroup a new SID will be generated and - then written to the secrets.tdb file. The SID is generated in a non-determinative + name of the machine or for the current name of the workgroup, a new SID will be generated and + then written to the secrets.tdb file. The SID is generated in a nondeterminative manner. This means that each time it is generated for a particular combination of machine name - (hostname) and domain name (workgroup) it will be different. + (hostname) and domain name (workgroup), it will be different. ACL The SID is the key used by MS Windows networking for all networking operations. This means - that when the machine or domain SID changes all security encoded objects such as profiles + that when the machine or domain SID changes, all security-encoded objects such as profiles and ACLs may become unusable. - It is of paramount importance that the machine and domain SID must be backed up so that in + It is of paramount importance that the machine and domain SID be backed up so that in the event of a change of hostname (machine name) or domain name (workgroup) the SID can be restored to its previous value. 
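Review bot: In the @@ -198 hunk, "The SID is generated in a nondeterminative manner" uses an unusual word for a standard concept; since the hunk already rewrites that line to close up the hyphen, use "nondeterministic". The sentence that follows makes the security-relevant point of the section: a regenerated SID for the same machine name and workgroup is different from the old one, so it cannot be recomputed and must be restored from a backup. The later changed line "It is of paramount importance that the machine and domain SID be backed up" states exactly that, so no further wording is needed; only the term should be corrected.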
@@ -232,8 +232,8 @@ precaution was on the side of the victor. SAS SID In Samba-3 on a domain controller (PDC or BDC), the domain name controls the domain - SID. On all prior versions the hostname (computer name, or netbios name) controlled - the SID. On a stand-alone server (SAS) the hostname still controls the SID. + SID. On all prior versions the hostname (computer name, or NetBIOS name) controlled + the SID. On a standalone server the hostname still controls the SID. @@ -255,13 +255,13 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429 Samba 1.9.x stored the machine SID in the the file /etc/MACHINE.SID - from which it can be recovered and stored into the secrets.tdb file + from which it could be recovered and stored into the secrets.tdb file using the procedure shown above. Where the secrets.tdb file exists and a version of Samba 2.x or later - has been used there is no specific need to go through this update process. Samba-3 has the + has been used, there is no specific need to go through this update process. Samba-3 has the ability to read the older tdb file and to perform an in-situ update to the latest tdb format. This is not a reversible process &smbmdash; it is a one-way upgrade. @@ -280,7 +280,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429 &rootprompt; smbpasswd -S PDC -Uadministrator%password - From which the SID could be copied to a file and then it could be written to the Samba 2.2.x + from which the SID could be copied to a file and then written to the Samba-2.2.x secrets.tdb file by executing: &rootprompt; smbpasswd -W S-1-5-21-726309263-4128913605-1168186429 
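Review bot: Doubled word in the context line of the @@ -255 hunk: "Samba 1.9.x stored the machine SID in the the file /etc/MACHINE.SID"; drop one "the" while this hunk is open. In the @@ -280 hunk, the example "smbpasswd -S PDC -Uadministrator%password" places the administrator password on the command line, where it is visible in shell history and in process listings on the machine; a sentence recommending that the password be entered at the prompt instead (omitting the "%password" part) belongs in a section about preserving domain security. The lower-case "from which the SID could be copied" correctly continues the sentence after the command block.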
@@ -290,7 +290,7 @@ SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429 rpcclient netrpcinfo - Domain security information, that includes the domain SID, can be obtained from Samba-2.2.x + Domain security information, which includes the domain SID, can be obtained from Samba-2.2.x systems by executing: &rootprompt; rpcclient lsaquery -Uroot%password @@ -315,9 +315,9 @@ Num local groups: 0 SID Take note that the domain SID is used extensively in Samba. Where LDAP is used for the passdb backend, all user, group, and trust accounts are encoded - with the domain SID. This means that if the domain SID changes for any reason the entire - Samba environment can become broken thus requiring extensive corrective action is the - original SID can not be restored. Fortunately, it can be recovered from a dump of the + with the domain SID. This means that if the domain SID changes for any reason, the entire + Samba environment can become broken and require extensive corrective action if the + original SID cannot be restored. Fortunately, it can be recovered from a dump of the LDAP database. A dump of the LDAP directory database can be obtained by executing: &rootprompt; slapcat -v -l filename.ldif 
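Review bot: Check the command in the @@ -290 hunk, "rpcclient lsaquery -Uroot%password": rpcclient takes the server to connect to as its positional argument and the RPC command via -c, so as written "lsaquery" would be taken as the host name. If the intent is a one-shot query, the form is "rpcclient -c lsaquery -Uroot%password SERVER"; if an interactive session is meant, the text should say so. The same remark about a password on the command line as for the smbpasswd example applies here. In the @@ -315 hunk, changing "is the original SID can not be restored" to "if the original SID cannot be restored" fixes a genuine sense error, not just style.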
@@ -328,14 +328,14 @@ Num local groups: 0 SID profiles RPM - When the domain SID has changed roaming profiles will cease to be functional. The recovery - of roaming profiles will necessitate resetting of the domain portion of the user SID + When the domain SID has changed, roaming profiles cease to be functional. The recovery + of roaming profiles necessitates resetting of the domain portion of the user SID that owns the profile. This is encoded in the NTUser.DAT and can be updated using the Samba profiles utility. Please be aware that not all - Linux distributions of the Samba RPMs do include this essential utility. Please do not - complain to the Samba Team if this utility is missing, that is an issue that must be + Linux distributions of the Samba RPMs include this essential utility. Please do not + complain to the Samba Team if this utility is missing; that issue that must be addressed to the creator of the RPM package. The Samba Team do their best to make - available all the tools needed to manage a Samba based Windows networking environment. + available all the tools needed to manage a Samba-based Windows networking environment. 
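Review bot: The changed line in the @@ -328 hunk, "Please do not complain to the Samba Team if this utility is missing; that issue that must be addressed to the creator of the RPM package.", is ungrammatical; it should read "that is an issue that must be addressed to the creator of the RPM package" (or "that issue must be addressed to ..."). In the same hunk, "necessitates resetting of the domain portion of the user SID" reads better without "of": "necessitates resetting the domain portion".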
@@ -346,40 +346,40 @@ Num local groups: 0 netbiosmachine name netbios name - Samba uses two (2) methods by which the primary NetBIOS machine name (also known as a computer - name or the hostname) may be determined: If the &smb.conf; file contains an entry - netbios name entry its value will be used directly. In the absence - of such and entry the UNIX system hostname will be used. + Samba uses two methods by which the primary NetBIOS machine name (also known as a computer + name or the hostname) may be determined: If the &smb.conf; file contains a + netbios name entry, its value will be used directly. In the absence + of such an entry, the UNIX system hostname will be used. Many sites have become victims of lost Samba functionality because the UNIX system hostname was changed for one reason or another. Such a change will cause a new machine - SID to be generated. If this happens on a domain controller it will also change the - domain SID. These SIDs can be updated (restored) using the procedure outlined above. + SID to be generated. If this happens on a domain controller, it will also change the + domain SID. These SIDs can be updated (restored) using the procedure outlined previously. Do NOT change the hostname or the netbios name. If this - is changed be sure to reset the machine SID to the original setting, otherwise + is changed, be sure to reset the machine SID to the original setting. Otherwise there may be serious interoperability and/or operational problems. - Change of workgroup (domain) name + Change of Workgroup (Domain) Name workgroup - The domain name of a Samba server is identical with the workgroup name and is + The domain name of a Samba server is identical to the workgroup name and is set in the &smb.conf; file using the workgroup parameter. This has been consistent throughout the history of Samba and across all versions. SID - Be aware that when the workgroup name is changed a new SID will be generated. 
+ Be aware that when the workgroup name is changed, a new SID will be generated. The old domain SID can be reset using the procedure outlined earlier in this chapter. @@ -402,7 +402,7 @@ Num local groups: 0 - During the life of the Samba 2.x release the &smb.conf; file was relocated + During the life of the Samba 2.x release, the &smb.conf; file was relocated on Linux systems to the /etc/samba directory where it remains located also for Samba 3.0.x installations. @@ -411,14 +411,14 @@ Num local groups: 0 secrets.tdb Samba 2.x introduced the secrets.tdb file that is also stored in the /etc/samba directory, or in the /usr/local/samba/lib - directory sub-system. + directory subsystem. smbd The location at which smbd expects to find all configuration and control files is determined at the time of compilation of Samba. For versions of Samba prior to - 3.0 one way to find the expected location of these files is to execute: + 3.0, one way to find the expected location of these files is to execute: &rootprompt; strings /usr/sbin/smbd | grep conf &rootprompt; strings /usr/sbin/smbd | grep secret @@ -463,10 +463,11 @@ Paths: - It is important that both the &smb.conf; file and the secrets.tdb should - be backed up before attempting any upgrade. The secrets.tdb file is version - encoded and therefore a newer version may not work with an older version of Samba. A backup - means that it is always possible to revert a failed or problematic upgrade. + It is important that both the &smb.conf; file and the secrets.tdb + be backed up before attempting any upgrade. The secrets.tdb file + is version-encoded, and therefore a newer version may not work with an older version + of Samba. A backup means that it is always possible to revert a failed or problematic + upgrade. 
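Review bot: In the @@ -346 hunk, "Do NOT change the hostname or the netbios name" keeps all-caps emphasis, while this same commit lowers "WORDS TO THE WISE" to "Words to the Wise" in SBE-MigrateNW4Samba3.xml; for consistency use the document's emphasis markup or plain "do not". In the @@ -402 hunk, "where it remains located also for Samba 3.0.x installations" is awkward; "where it is also located for Samba 3.0.x installations" says the same thing. The @@ -463 rewrite ("is version-encoded, and therefore a newer version may not work with an older version of Samba") is clearer than the original and keeps the warning about why secrets.tdb must be backed up before any upgrade.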
@@ -479,7 +480,7 @@ Paths: character set codepage internationalization - Samba-2.x had not support for Unicode, instead all national language character set support in file names + Samba-2.x had no support for Unicode; instead, all national language character-set support in file names was done using particular locale codepage mapping techniques. Samba-3 supports Unicode in file names, thus providing true internationalization support. @@ -495,7 +496,7 @@ Paths: UTF-8 Files that are created with Samba-3 will use UTF-8 encoding. Should the file system ever end up with a - mix of codepage (unix charset) encoded file names and UTF-8 encoded file names, the mess will take some + mix of codepage (unix charset)-encoded file names and UTF-8-encoded file names, the mess will take some effort to set straight. @@ -503,7 +504,7 @@ Paths: convmv A very helpful tool is available from Bjorn Jacke's convmv work. Convmv is a tool that can be used to convert file and directory names from one encoding method to - another. The most common use for this tool is to convert locale encoded files to UTF-8 Unicode encoding. + another. The most common use for this tool is to convert locale-encoded files to UTF-8 Unicode encoding. @@ -519,7 +520,7 @@ Paths: Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3 may experience little difficulty or may require a lot of effort, depending on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will -generally be simple and straight forward, although no upgrade should be +generally be simple and straightforward, although no upgrade should be attempted without proper planning and preparation. @@ -533,7 +534,7 @@ Samba-2.x could be compiled with LDAP support. Samba 1.9.x and 2.x Versions Without LDAP - Where it is necessary to upgrade an old Samba installation to Samba-3 + Where it is necessary to upgrade an old Samba installation to Samba-3, the following procedure can be followed: 
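Review bot: In the @@ -495 hunk the new hyphenation "codepage (unix charset)-encoded file names" attaches the suffix to a closing parenthesis, which reads badly; "codepage-encoded file names (as set by unix charset)" or "file names encoded in the unix charset codepage" avoids it. The other changes in this region ("had no support for Unicode", "locale-encoded", "straightforward") are correct.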
@@ -546,22 +547,22 @@ Samba-2.x could be compiled with LDAP support. nmbd Stop Samba. This can be done using the appropriate system tool that is particular for each operating system or by executing the - kill command on smbd, nmbd - and on winbindd. + kill command on smbd, + nmbd, and winbindd. - Find the location of the Samba &smb.conf; file - back it up to a + Find the location of the Samba &smb.conf; file and back it up to a safe location. - Find the location of the smbpasswd file - + Find the location of the smbpasswd file and back it up to a safe location. - Find the location of the secrets.tdb file - + Find the location of the secrets.tdb file and back it up to a safe location. @@ -575,7 +576,7 @@ Samba-2.x could be compiled with LDAP support. location used by the Samba Team is in /usr/local/samba/var/locks directory, but on Linux systems the old location was under the - /var/cache/samba directory, however the + /var/cache/samba directory. However, the Linux Standards Base specified location is now under the /var/lib/samba directory. Copy all the tdb files to a safe location. @@ -590,13 +591,13 @@ Samba-2.x could be compiled with LDAP support. On systems that do not support a reliable package management system - it is advisable either to delete the Samba old installation , or to + it is advisable either to delete the Samba old installation or to move it out of the way by renaming the directories that contain the Samba binary files. - When the Samba upgrade has been installed the first step that should + When the Samba upgrade has been installed, the first step that should be completed is to identify the new target locations for the control files. Follow the steps shown in to locate the correct directories to which each control file must be moved. 
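Review bot: "Linux Standards Base" in the context line of the @@ -575 hunk should be "Linux Standard Base" (the LSB), and the changed line in @@ -590 keeps "delete the Samba old installation", which should be "delete the old Samba installation". In the @@ -546 hunk, the three "Find the location of ... and back it up to a safe location" steps now read as parallel items, which is an improvement; the secrets.tdb step is the one the earlier SID discussion in this file depends on, so it might deserve a short pointer back to that section.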
@@ -627,15 +628,15 @@ Samba-2.x could be compiled with LDAP support. stripped The resulting &smb.conf; file will be stripped of all comments - and will be stripped of all non-conforming configuration settings. + and of all nonconforming configuration settings. winbindd It is now safe to start Samba using the appropriate system tool. - Alternately, it is possible to just execute nmbd, smbd - and winbindd for the command line while logged in - as the 'root' user. + Alternately, it is possible to just execute nmbd, + smbd, and winbindd for the command + line while logged in as the root user. @@ -643,7 +644,7 @@ Samba-2.x could be compiled with LDAP support. - Applicable to all Samba 2.x to Samba-3 Upgrades + Applicable to All Samba 2.x to Samba-3 Upgrades PDC @@ -651,15 +652,15 @@ Samba-2.x could be compiled with LDAP support. inter-domain Samba 2.x servers that were running as a domain controller (PDC) require changes to the configuration of the scripting interface - tools that Samba uses to perform operating system updates for - users, groups and trust accounts (machines and inter-domain). + tools that Samba uses to perform OS updates for + users, groups, and trust accounts (machines and interdomain). parameters - The following parameters are new to Samba-3 and should be correctly - configured. Please refer to Chapters 3-6 in this book for examples - of use of the new parameters shown here: + The following parameters are new to Samba-3 and should be correctly configured. + Please refer to through + in this book for examples of use of the new parameters shown here: add group script add machine script add user to group script 
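Review bot: In the @@ -627 hunk, "it is possible to just execute nmbd, smbd, and winbindd for the command line" should be "from the command line"; the hunk rewrites that line anyway. In the @@ -651 hunk, shortening "operating system updates for users, groups, and trust accounts" to "OS updates for users, groups, and trust accounts" loses precision, since what the scripts update are the operating system's accounts, not the operating system; "operating system account updates" (or the original wording) is clearer.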
@@ -700,31 +701,32 @@ Samba-2.x could be compiled with LDAP support. groupmod groupdel Where the passdb backend used is either smbpasswd - (the default), or the new tdbsam, the system interface scripts - are typically used. These involve use of operating system tools such as - useradd, usermod, userdel, groupadd, groupmod, groupdel, etc. + (the default) or the new tdbsam, the system interface scripts + are typically used. These involve use of OS tools such as useradd, + usermod, userdel, groupadd, + groupmod, groupdel, and so on. passdb backend LDAP Idealx - Where the passdb backend makes use of an LDAP directory - it will be necessary either to use the smbldap-tools provided - by Idealx, or else to use an alternate tool-set either provided by another third - party, or else home crafted tools to manage the LDAP directory accounts. + Where the passdb backend makes use of an LDAP directory, + it is necessary either to use the smbldap-tools provided + by Idealx or to use an alternate toolset provided by a third + party or else home-crafted to manage the LDAP directory accounts. - Samba-2.x with LDAP support + Samba-2.x with LDAP Support - Samba version 2.x could be compiled for use either with, or without, LDAP. + Samba version 2.x could be compiled for use either with or without LDAP. The LDAP control settings in the &smb.conf; file in this old version are completely different (and less complete) than they are with Samba-3. This - means that after migrating the control files it will be necessary to reconfigure + means that after migrating the control files, it is necessary to reconfigure the LDAP settings entirely. 
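Review bot: The rewritten sentence in the @@ -700 hunk, "it is necessary either to use the smbldap-tools provided by Idealx or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts", stacks three "or" branches after an "either"; restructure to two: "it is necessary to use either the smbldap-tools provided by Idealx or an alternate toolset, whether from a third party or home-crafted, to manage the LDAP directory accounts". The list of OS tools with "and so on" in place of "etc." and the heading change to "Samba-2.x with LDAP Support" are fine.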
@@ -737,7 +739,7 @@ Samba-2.x could be compiled with LDAP support. schema WHATSNEW.txt The Samba SAM schema required for Samba-3 is significantly different from that - used with Samba 2.x. This means that the LDAP directory will need to be updated + used with Samba 2.x. This means that the LDAP directory must be updated using the procedure outlined in the Samba WHATSNEW.txt file that accompanies all releases of Samba-3. This information is repeated here directly from this file: @@ -901,7 +903,7 @@ the DN's with quotation marks. The key concern in this section is to deal with the changes that have been -affected in Samba-3 between the samba-3.0.0 release and the current update. +affected in Samba-3 between the Samba-3.0.0 release and the current update. Network administrators have expressed concerns over the steps that should be taken to update Samba-3 versions. 
@@ -911,19 +913,19 @@ taken to update Samba-3 versions. The information in would not be necessary if every person who has ever produced Samba executable (binary) files could agree on the preferred location of the &smb.conf; file and other Samba control files. -Clearly, such agreement is further away than a pipe-dream. +Clearly, such agreement is further away than a pipedream. vendors -Vendors and packagers who produce Samba binary install-able packages do not, +Vendors and packagers who produce Samba binary installable packages do not, as a rule, use the default paths used by the Samba-Team for the location of the binary files, the &smb.conf; file, and the Samba control files (tdb's -as well as files such as secrets.tdb. This means that +as well as files such as secrets.tdb). This means that the network or UNIX administrator who sets out to build the Samba executable files from the Samba tarball must take particular care. Failure to take care -will result in both the original vendors' version of Samba remaining installed -as well as the new version that will be installed in the default location used +will result in both the original vendor's version of Samba remaining installed +and the new version being installed in the default location used by the Samba-Team. This can lead to confusion and to much lost time as the uninformed administrator deals with apparent failure of the update to take effect. 
@@ -934,21 +936,21 @@ effect. The best advice for those lacking in code compilation experience is to use only vendor (or Samba-Team) provided binary packages. The Samba packages that are provided by the Samba-Team are generally built to use file paths -that are compatible with the original operating system vendors' practices. +that are compatible with the original OS vendor's practices. binary package binary files -If you are not sure whether or a binary package complies with the operating -system vendors' practices it is better to ask the package maintainer via -email to be certain than to waste much time dealing with the nuances. +If you are not sure whether or a binary package complies with the OS +vendor's practices, it is better to ask the package maintainer via +email than to waste much time dealing with the nuances. Alternately, just diagnose the paths specified by the binary files following the procedure outlined above. - Samba-3 to Samba-3 updates on the Same Server + Samba-3 to Samba-3 Updates on the Same Server The guidance in this section deals with updates to an existing @@ -975,7 +977,7 @@ the procedure outlined above. schema LDAPschema - When updating versions of Samba-3 prior to 3.0.6 to 3.0.6-3.0.10 + When updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10, it is necessary only to update the LDAP schema (where LDAP is used). Always use the LDAP schema file that is shipped with the latest Samba-3 update. @@ -985,7 +987,7 @@ the procedure outlined above. ldapsam tdbsam passdb backend - Samba-3.0.6 introduced the ability to remember the last 'n' number + Samba-3.0.6 introduced the ability to remember the last n number of passwords a user has used. This information will work only with the tdbsam and ldapsam passdb backend facilities. 
@@ -1018,9 +1020,10 @@ the procedure outlined above. - In Samba-3.0.11 there were some functional changes to the ldap user suffix - and to the ldap machine suffix behaviors. The following - information has been extracted from the WHATSNEW.txt file from this release: + In Samba-3.0.11 there were some functional changes to the ldap user + suffix and to the ldap machine suffix behaviors. + The following information has been extracted from the WHATSNEW.txt file from this + release: ============ LDAP Changes @@ -1051,15 +1054,15 @@ back to searching the 'ldap suffix' in some cases. DMS - Replacement of a domain member server (DMS) should be done + Replacement of a domain member server should be done using the same procedure as outlined in . Usually the new server will be introduced with a temporary name. After - the old server data has been migrated to the new server it is customary - that the new server will be renamed to that of the old server. This will - change its SID and will necessitate re-joining to the domain. + the old server data has been migrated to the new server, it is customary + that the new server be renamed to that of the old server. This will + change its SID and will necessitate rejoining to the domain. 
@@ -1069,14 +1072,14 @@ back to searching the 'ldap suffix' in some cases. wins.dat browse.dat resolution - Following a change of hostname (netbios name) it is a good idea on all servers to - shutdown the Samba smbd, nmbd and winbindd - services, delete the wins.dat and browse.dat - files, then restart Samba. This will ensure that the old name and IP address - information is no longer able to interfere with name to IP address resolution. - If this is not done, there can be temporary name resolution problems. These - problems usually clear within 45 minutes of a name change, but can persist for - a longer period of time. + Following a change of hostname (NetBIOS name) it is a good idea on all servers + to shut down the Samba smbd, nmbd, and + winbindd services, delete the wins.dat + and browse.dat files, then restart Samba. This will ensure + that the old name and IP address information is no longer able to interfere with + name to IP address resolution. If this is not done, there can be temporary name + resolution problems. These problems usually clear within 45 minutes of a name + change, but can persist for a longer period of time. 
@@ -1084,12 +1087,13 @@ back to searching the 'ldap suffix' in some cases. /etc/passwd /etc/shadow /etc/group - If the old DMS had local accounts, it is necessary to create on the new DMS - the same accounts with the same UID and GID for each account. Where the - passdb backend database is stored in the smbpasswd - or in the tdbsam format the user and group account - information for UNIX accounts, that match the Samba accounts, will reside in - the system /etc/passwd, /etc/shadow and + If the old domain member server had local accounts, it is necessary to create + on the new domain member server the same accounts with the same UID and GID + for each account. Where the passdb backend database + is stored in the smbpasswd or in the + tdbsam format, the user and group account information + for UNIX accounts that match the Samba accounts will reside in the system + /etc/passwd, /etc/shadow, and /etc/group files. In this case be sure to copy these account entries to the new target server. @@ -1098,7 +1102,7 @@ back to searching the 'ldap suffix' in some cases. nss_ldap Where the user accounts for both UNIX and Samba are stored in LDAP, the new target server must be configured to use the nss_ldap tool set. - This will then automatically ensure that the appropriate user entities are + This will automatically ensure that the appropriate user entities are available on the new server. @@ -1109,8 +1113,8 @@ back to searching the 'ldap suffix' in some cases. domaincontroller - In the past, people who replaced a Windows NT4 domain controller would typically - install a new server, create printers and file shares on it, then migrate across + In the past, people who replaced a Windows NT4 domain controller typically + installed a new server, created printers and file shares on it, then migrate across all data that was destined to reside on it. The same can of course be done with Samba. 
@@ -1119,22 +1123,22 @@ back to searching the 'ldap suffix' in some cases. From recent mailing list postings it would seem that some administrators have the intent to just replace the old Samba server with a new one with the same name as the old one. In this case, simply follow the same process - as upgrading a Samba 2.x system in respect of the following: + as for upgrading a Samba 2.x system and do the following: Where UNIX (POSIX) user and group accounts are stored in the system - /etc/passwd, /etc/shadow and - /etc/group files be sure to add the same accounts + /etc/passwd, /etc/shadow, and + /etc/group files, be sure to add the same accounts with identical UID and GID values for each user. - Where LDAP is used, if the new system is intended to be the LDAP server + Where LDAP is used, if the new system is intended to be the LDAP server, migrate it across by configuring the LDAP server - (/etc/openldap/slapd.conf). The directory can either - be populated initially by setting this LDAP server up as a slave, or else + (/etc/openldap/slapd.conf). The directory can + be populated either initially by setting this LDAP server up as a slave or by dumping the data from the old LDAP server using the slapcat command and then reloading the same data into the new LDAP server using the slapadd command. Do not forget to install and configure @@ -1156,7 +1160,7 @@ back to searching the 'ldap suffix' in some cases. Before starting the Samba daemons, verify that the hostname of the new server - is identical with that of the old one. Note: The IP address can be different + is identical to that of the old one. Note: The IP address can be different from that of the old server. 
@@ -1175,11 +1179,11 @@ back to searching the 'ldap suffix' in some cases. - All Samba servers, other than one that uses LDAP, depend on the tdb files, and in - particular the secrets.tdb file. So long as the tdb files are + All Samba servers, other than one that uses LDAP, depend on the tdb files, and + particularly on the secrets.tdb file. So long as the tdb files are all in place, the &smb.conf; file is preserved, and either the hostname is identical or the netbios name is set to the original server name, Samba - should correctly pick up the original SID, and preserve all other settings. It is + should correctly pick up the original SID and preserve all other settings. It is sound advice to validate this before turning the system over to users. @@ -1208,7 +1212,7 @@ back to searching the 'ldap suffix' in some cases. In the Advanced/DNS section of the TCP/IP settings on your Windows - workstations, make sure DNS suffix for this + workstations, make sure the DNS suffix for this connection field is blank. @@ -1234,7 +1238,7 @@ back to searching the 'ldap suffix' in some cases. and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually migrated. You'll need to interpret the errors to know whether the - failure was due to a problem, or simply due to the fact that it was just + failure was due to a problem or simply to the fact that it was just a test. @@ -1249,7 +1253,7 @@ back to searching the 'ldap suffix' in some cases. - You can also migrate workstations remotely. You can specify that SIDs + You can migrate workstations remotely. You can specify that SIDs be simply added instead of replaced, giving you the option of joining a workstation back to the old domain if something goes awry. The workstations will be joined to the new domain. 
@@ -1271,7 +1275,7 @@ back to searching the 'ldap suffix' in some cases. The ADMT lets you test all operations before actually performing the migration. Accounts and workstations can be migrated individually or in batches. User accounts can be safely migrated all at once (since no - changes are made on the original domain); It is recommended to migrate only one + changes are made on the original domain). It is recommended to migrate only one or two workstations as a test before committing them all. diff --git a/docs/Samba-Guide/SBE-glossary.xml b/docs/Samba-Guide/SBE-glossary.xml index 3968e24c31f..1066d253c70 100644 --- a/docs/Samba-Guide/SBE-glossary.xml +++ b/docs/Samba-Guide/SBE-glossary.xml @@ -41,7 +41,7 @@ CUPS A recent implementation of a high-capability printing system for UNIX developed by - Easy Software Inc. The design objective + Easy Software Inc.. The design objective of CUPS was to provide a rich print processing system that has built-in intelligence that is capable of correctly rendering (processing) a file that is submitted for printing even if it was formatted for an entirely different printer. @@ -65,7 +65,7 @@ A protocol by which computer hostnames may be resolved to the matching IP address/es. DNS is implemented by the Berkeley Internet Name Daemon. There exists a recent version of DNS that allows dynamic name registration by network clients or by a DHCP server. - This recent protocol is known as Dynamic DNS (DDNS). + This recent protocol is known as dynamic DNS (DDNS). @@ -76,7 +76,7 @@ A protocol that was based on the BOOTP protocol that may be used to dynamically assign an IP address, from a reserved pool of addresses, to a network client or device. Additionally, DHCP may assign all network configuration settings and may be used to - register a computer name and its address with a Dynamic DNS server. + register a computer name and its address with a dynamic DNS server. 
@@ -84,9 +84,9 @@ Ethereal ethereal - A network analyzer, also known as: a network sniffer or a protocol analyzer. Ethereal is + A network analyzer, also known as a network sniffer or a protocol analyzer. Ethereal is freely available for UNIX/Linux and Microsoft Windows systems from - the Ethereal Web site. + the Ethereal Web site. @@ -94,9 +94,9 @@ Group IDentifier GID - The UNIX system Group Identifier; on older systems, a 32-bit unsigned integer, and on + The UNIX system group identifier; on older systems, a 32-bit unsigned integer, and on newer systems, an unsigned 64-bit integer. The GID is used in UNIX-like operating systems - for all group level access control. + for all group-level access control. 
@@ -111,24 +111,24 @@ - Light Weight Directory Access Protocol + Lightweight Directory Access Protocol LDAP - The Light Weight Directory Access Protocol is a technology that + The Lightweight Directory Access Protocol is a technology that originated from the development of X.500 protocol specifications and implementations. LDAP was designed as a means of rapidly searching through X.500 information. Later LDAP was adapted as an engine that could drive its own directory database. LDAP is not a database per - se; rather it is a technology that enables high volume search and + se; rather it is a technology that enables high-volume search and locate activity from clients that wish to obtain simply defined - information about a sub-set of records that are stored in a + information about a subset of records that are stored in a database. LDAP does not have a particularly efficient mechanism for storing records in the database, and it has no concept of transaction processing nor of mechanisms for preserving data consistency. LDAP is premised around the notion that the search and read activity far outweigh any need to add, delete, or modify records. LDAP does - provide a means for replication of the database so as to keep slave + provide a means for replication of the database to keep slave servers up to date with a master. It also has built-in capability to handle external references and deferral. @@ -147,7 +147,7 @@ Media Access Control MAC - The hard-coded address of the physical layer device that is attached to the network. + The hard-coded address of the physical-layer device that is attached to the network. All network interface controllers must have a hard-coded and unique MAC address. The MAC address is 48 bits long. 
@@ -158,7 +158,7 @@ NetBEUI Very simple network protocol invented by IBM and Microsoft. It is used to do NetBIOS - over ethernet with low overhead. NetBEUI is a non-routable protocol. + over Ethernet with low overhead. NetBEUI is a non-routable protocol. @@ -180,7 +180,7 @@ NetBIOS is a simple application programming interface (API) invented in the 1980s that allows programs to send data to certain network names. NetBIOS is always run over another network protocol such as IPX/SPX, TCP/IP, or Logical Link Control (LLC). - NetBIOS run over LLC is best known as NetBEUI (The NetBIOS Extended User Interface + NetBIOS run over LLC is best known as NetBEUI (the NetBIOS Extended User Interface &smbmdash; a complete misnomer!). @@ -231,7 +231,7 @@ TOSHARG This book makes repeated reference to The Official Samba-3 HOWTO and Reference Guide - by John H. Terpstra (Author) and Jelmer R. Vernooij (Author). This publication is available from + by John H. Terpstra and Jelmer R. Vernooij. This publication is available from Amazon.com. Publisher: Prentice Hall PTR (October 2003), ISBN: 0131453556. @@ -241,8 +241,8 @@ User IDentifier UID - The UNIX system User Identifier; on older systems, a 32-bit unsigned integer, and on newer systems, - an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user level access + The UNIX system user identifier; on older systems, a 32-bit unsigned integer, and on newer systems, + an unsigned 64-bit integer. The UID is used in UNIX-like operating systems for all user-level access control.
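Review bot: "Alternately" in the @@ -627,15 +628,15 @@ hunk should be "Alternatively"; the copy edit rewrapped the daemon list (nmbd, smbd, winbindd) and fixed the quoting of root, but left the adverb, which means "by turns" rather than "as another option". The same word recurs in the @@ -934,21 +936,21 @@ hunk ("Alternately, just diagnose the paths"), so fixing both keeps the chapter consistent.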
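Review bot: "OS updates" in the @@ -651,15 +652,15 @@ hunk is ambiguous where the original said "operating system updates for users, groups, and trust accounts"; a reader will take "OS updates" to mean system patches, whereas the sentence is about the scripts Samba runs to create and modify accounts. Suggest "operating system account updates for users, groups, and trust accounts (machines and interdomain)" so the abbreviation does not change the meaning.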
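Review bot: The rewritten LDAP sentence in the @@ -700,31 +701,32 @@ hunk still has a broken "either ... or ... or else" chain: "to use the smbldap-tools provided by Idealx or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts" attaches "home-crafted" to nothing. Suggest "it is necessary to use either the smbldap-tools provided by Idealx or an alternate toolset, whether provided by a third party or home-crafted, to manage the LDAP directory accounts."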
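Review bot: "affected" in the @@ -901,7 +903,7 @@ hunk should be "effected" (or simply "made"); the hunk capitalizes "Samba-3.0.0" but keeps "the changes that have been affected in Samba-3", which says the changes were influenced rather than carried out. Suggest "the changes that have been made in Samba-3 between the Samba-3.0.0 release and the current update."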
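Review bot: "tdb's" in the @@ -911,19 +913,19 @@ hunk is an apostrophe plural and sits in a context line the hunk already touches for the parenthesis fix; since the commit is a copy edit, "tdb files" or "tdbs" would be the expected form in "the Samba control files (tdb files as well as files such as secrets.tdb)".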
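Review bot: "whether or a binary package complies" in the @@ -934,21 +936,21 @@ hunk is a leftover typo that the rewrite of this exact line did not catch; the stray "or" should be dropped ("If you are not sure whether a binary package complies with the OS vendor's practices, it is better to ask the package maintainer via email than to waste much time dealing with the nuances.").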
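Review bot: The version-range sentence in the @@ -975,7 +977,7 @@ hunk still stacks two "to" phrases ("updating versions of Samba-3 prior to 3.0.6 to 3.0.6 through 3.0.10"), so the source and target versions are hard to tell apart. Suggest "When updating from a Samba-3 version earlier than 3.0.6 to any version from 3.0.6 through 3.0.10, it is necessary only to update the LDAP schema (where LDAP is used)."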
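Review bot: "the last n number of passwords" in the @@ -985,7 +987,7 @@ hunk is redundant after the quotes are removed from n; "the last n passwords a user has used" reads cleanly and keeps the variable.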
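Review bot: "necessitate rejoining to the domain" in the @@ -1051,15 +1054,15 @@ hunk should be "necessitate rejoining the domain". Separately, this hunk drops the "(DMS)" expansion from "Replacement of a domain member server (DMS)" while the index term line directly above it still reads "DMS"; if the abbreviation is being retired in the body text, consider keeping one spelled-out definition here so the index entry has an anchor.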
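Review bot: The reflowed paragraph in the @@ -1069,14 +1072,14 @@ hunk needs a comma after the parenthetical: "Following a change of hostname (NetBIOS name), it is a good idea on all servers to shut down ...". In the same hunk "name to IP address resolution" should be hyphenated as a compound modifier ("name-to-IP-address resolution"), since the whole point of deleting wins.dat and browse.dat is that stale name and address records are what interfere with it.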
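Review bot: The tense shift in the @@ -1109,8 +1113,8 @@ hunk is incomplete: "typically installed a new server, created printers and file shares on it, then migrate across all data" moves the first two verbs to the past tense but leaves the third. Suggest "then migrated across all data that was destined to reside on it."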
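Review bot: "The directory can be populated either initially by setting this LDAP server up as a slave or by dumping the data" in the @@ -1119,22 +1123,22 @@ hunk misplaces "initially" so that it modifies only the first alternative. Suggest "The directory can be populated initially either by setting this LDAP server up as a slave or by dumping the data from the old LDAP server using the slapcat command and then reloading ...".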
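Review bot: The exception "other than one that uses LDAP" in the @@ -1175,11 +1179,11 @@ hunk sits uneasily with the next sentence, which makes recovery of the original SID depend on "the tdb files" and "the secrets.tdb file" being in place without any LDAP qualification; the copy edit only moved "particularly", so this is a good moment to either drop the exception or say what an LDAP-backed server still needs from secrets.tdb. The closing "validate this before turning the system over to users" would also be more useful if it named the check, for instance comparing the output of `net getlocalsid` on the new server with the old server's SID.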
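Review bot: The @@ -41,7 +41,7 @@ hunk in SBE-glossary.xml introduces a double period: "developed by Easy Software Inc.. The design objective". The original "Easy Software Inc. The design objective" was already correct, because the period of the abbreviation also closes the sentence; this change should be reverted.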
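Review bot: "non-routable" in the @@ -158,7 +158,7 @@ hunk of SBE-glossary.xml keeps its hyphen while this same commit closes up "nonconforming", "interdomain", "pipedream", and "subset"; since the hunk already edits this line for "Ethernet", it is the natural place to apply the same convention ("NetBEUI is a nonroutable protocol.") or to document the exception.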