sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-31 17:18:04 +03:00
Code

Incorporating feedback from reviewers.

Browse Source
This commit is contained in:
John Terpstra 2005-04-16 19:17:42 +00:00 committed by Gerald W. Carter
parent cbd7c8f779
commit 2105913b8b
5 changed files with 320 additions and 299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
docs/Samba-Guide/SBE-Appendix1.xml
View File

@ -615,14 +615,14 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
</para></step>
<step><para>
Install the files shown in <link linkend="ch6-ldapreconfa"/>, <link linkend="ch6-ldapreconfb"/>,
and <link linkend="ch6-ldapreconfc"/> into the directory
Install the files shown in <link linkend="sbehap-ldapreconfa"/>, <link linkend="sbehap-ldapreconfb"/>,
and <link linkend="sbehap-ldapreconfc"/> into the directory
<filename>/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</filename> These three files are,
respectively, Part A, B, and C of the <filename>SMBLDAP-ldif-preconfig.sh</filename> file.
</para></step>
<step><para>
Install the files shown in <link linkend="ch6-ldifpata"/> and <link linkend="ch6-ldifpatb"/> into the directory
Install the files shown in <link linkend="sbehap-ldifpata"/> and <link linkend="sbehap-ldifpatb"/> into the directory
<filename>/etc/openldap/SambaInit/nit-ldif.pat.</filename> These two files are
Part A and B, respectively, of the <filename>init-ldif.pat</filename> file.
</para></step>
@ -776,7 +776,7 @@ result: 0 Success
</sect2>
<example id="ch6-ldapreconfa">
<example id="sbehap-ldapreconfa">
<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part A</title>
<screen>
#!/bin/bash
@ -822,7 +822,7 @@ echo
</screen>
</example>
<example id="ch6-ldapreconfb">
<example id="sbehap-ldapreconfb">
<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part B</title>
<screen>
echo -e -n "Name [$ORGNAME]: "
@ -867,7 +867,7 @@ sed "s/DOMSID/${DOMSID}/g" &lt; $file.tmp2 &gt; $file.tmp1
</screen>
</example>
<example id="ch6-ldapreconfc">
<example id="sbehap-ldapreconfc">
<title>LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part C</title>
<screen>
cat &gt;&gt;EOL
@ -909,7 +909,7 @@ exit 0
</screen>
</example>
<example id="ch6-ldifpata">
<example id="sbehap-ldifpata">
<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part A</title>
<screen>
dn: dc=INETDOMAIN,dc=TLDORG
@ -953,7 +953,7 @@ structuralObjectClass: sambaDomain
</screen>
</example>
<example id="ch6-ldifpatb">
<example id="sbehap-ldifpatb">
<title>LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part B</title>
<screen>
dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
@ -1087,7 +1087,7 @@ want secure connections, you must configure your Apache Web server to permit con
to LAM using only SSL.
</para>
<procedure id="ch6-laminst">
<procedure id="sbehap-laminst">
<step><para>
Extract the LAM package with:
<screen>

161
docs/Samba-Guide/SBE-MakingHappyUsers.xml
View File

@ -636,10 +636,10 @@ clients is conservative and if followed will minimize problems - but it is not a
<filename>/etc/group</filename>
or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> toolset
that integrates with the name service switcher (NSS). The same requirements exist for resolution
of the UNIX username to the UID. The relationships are demonstrated in <link linkend="ch6-LDAPdiag"/>.
of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
</para>
<image id="ch6-LDAPdiag">
<image id="sbehap-LDAPdiag">
<imagedescription>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</imagedescription>
<imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
</image>
@ -703,7 +703,7 @@ clients is conservative and if followed will minimize problems - but it is not a
connections.
</para>
<sect3 id="ch6-ppc">
<sect3 id="sbehap-ppc">
<title>Addition of Machines to the Domain</title>
<para>
@ -719,7 +719,7 @@ clients is conservative and if followed will minimize problems - but it is not a
</para>
<table id="ch6-privs">
<table id="sbehap-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="left"/>
@ -840,7 +840,7 @@ clients is conservative and if followed will minimize problems - but it is not a
</sect3>
<sect3 id="ch6-locgrppol">
<sect3 id="sbehap-locgrppol">
<title>The Local Group Policy</title>
<para><indexterm>
<primary>Group Policy Objects</primary>
@ -971,11 +971,10 @@ clients is conservative and if followed will minimize problems - but it is not a
suited to the printer to which the job is dispatched.
</para>
<para><indexterm>
<primary>CUPS</primary>
</indexterm><indexterm>
<primary>Postscript</primary>
</indexterm>
<para>
<indexterm><primary>CUPS</primary></indexterm>
<indexterm><primary>Easy Software Products</primary></indexterm>
<indexterm><primary>Postscript</primary></indexterm>
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
detect the data format and apply a print filter. This means that it is feasible to install
on all Windows clients a single printer driver for use with all printers that are routed
@ -1000,7 +999,7 @@ clients is conservative and if followed will minimize problems - but it is not a
</sect3>
<sect3>
<sect3 id="sbeavoid">
<title>Avoiding Failures &smbmdash; Solving Problems Before the Happen</title>
<para>
@ -1023,6 +1022,7 @@ clients is conservative and if followed will minimize problems - but it is not a
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice
regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
</para>
@ -1040,11 +1040,11 @@ clients is conservative and if followed will minimize problems - but it is not a
Use this resource carefully; we hope it serves you well.
</para>
<para>
Warning: Do not be lulled into thinking that you can easily adopt the examples in this
<warning><para>
Do not be lulled into thinking that you can easily adopt the examples in this
book and adapt them without first working through the working examples provided. A little
thing over-looked can cause untold pain and may permanently tarnish your experience.
</para>
</para></warning>
</sect4>
@ -1052,13 +1052,18 @@ clients is conservative and if followed will minimize problems - but it is not a
<title>Debugging LDAP</title>
<para>
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
<indexterm><primary>loglevel</primary></indexterm>
<indexterm><primary>slapd</primary></indexterm>
In the example <filename>/etc/openldap/slapd.conf</filename> control file
(see <link linkend="ch6-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
(see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
To enable logging via the syslog infrastructure it is necessary to uncomment this parameter
and restart <command>slapd</command>.
</para>
<para>
<indexterm><primary>/etc/syslog.conf</primary></indexterm>
<indexterm><primary>/var/log/ldaplogs</primary></indexterm>
LDAP log information can be directed into a file that is separate from the normal system
log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
contents:
@ -1073,6 +1078,10 @@ local4.* -/var/log/ldaplogs
</screen>
In the above case, all LDAP related logs will be directed to the file
<filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
The above provides a simple example of usage that can be modified to suit
local site needs. The configuration used later in this chapter reflects such
customization with the intent that LDAP log files will be stored at a location
that meets local site needs and wishes more fully.
</para>
</sect4>
@ -1106,7 +1115,7 @@ logdir /data/logs
</para>
<para>
One was this can be done is by executing:
One way this can be done is by executing:
<screen>
&rootprompt; slapcat | grep Group | grep dn
dn: ou=Groups,dc=abmas,dc=biz
@ -1128,12 +1137,32 @@ nss_base_group ou=Groups,dc=abmas,dc=biz?one
The same process may be followed to determine the appropriate dn for user accounts.
If the container for computer accounts is not the same as that for users (see the &smb.conf;
file entry for <constant>ldap machine suffix</constant>, it may be necessary to set the
following DIT dn in the <filename>/etc/ldap.conf</filename>:
following DIT dn in the <filename>/etc/ldap.conf</filename> file:
<screen>
nss_base_passwd dc=abmas,dc=biz?sub
</screen>
This instructs LDAP to search for machine as well as user entries from the top of the DIT
down. This is inefficient, but at least should work.
down. This is inefficient, but at least should work. Note: It is possible to specify mulitple
<constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file, they
will be evaluated sequentially. Let us consider an example of use where the following DIT
has been implemented:
</para>
<para>
<simplelist>
<member><para>All user accounts are stored under the DIT: ou=Users,dc=abmas,dc=biz</para></member>
<member><para>All user login accounts are under the DIT: ou=People,ou-Users,dc=abmas,dc=biz</para></member>
<member><para>All computer accounts are under the DIT: ou=Computers,ou=Users,dc=abmas,dc=biz</para></member>
</simplelist>
</para>
<para>
The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
in the <filename>/etc/ldap.conf</filename> file may be:
<screen>
nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
</screen>
</para></step>
<step><para>
@ -1287,6 +1316,7 @@ slapd[12164]: conn=1 fd=10 closed
<listitem><para>Printers</para></listitem>
<listitem><para>Share Point Directory Roots</para></listitem>
<listitem><para>Profile Directories</para></listitem>
<listitem><para>Logon Scripts</para></listitem>
<listitem><para>Configuration of User Rights and Privileges</para></listitem>
</orderedlist>
</listitem>
@ -1345,7 +1375,7 @@ slapd[12164]: conn=1 fd=10 closed
<note><para>
The following information applies to Samba-3.0.15 when used with the Idealx smbldap-tools scripts
version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please
version 0.8.8. If using a different version of Samba, or of the smbldap-tools tarball, please
verify that the versions you are about to use are matching.
</para></note>
@ -1419,7 +1449,7 @@ verify that the versions you are about to use are matching.
<step><para><indexterm>
<primary>/etc/openldap/slapd.conf</primary>
</indexterm>
Install the file shown in <link linkend="ch6-slapdconf"/> in the directory
Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
<filename>/etc/openldap</filename>.
</para></step>
@ -1440,7 +1470,7 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
</para></step>
<step><para><indexterm><primary>DB_CONFIG</primary></indexterm>
Install the file shown in <link linkend="ch6-dbconf"/> in the directory
Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
<filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
has been started, it is possible to cause the new settings to take effect by shutting down
the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
@ -1466,7 +1496,7 @@ local4.* -/data/ldap/log/openldap.log
</procedure>
<example id="ch6-dbconf">
<example id="sbehap-dbconf">
<title>LDAP DB_CONFIG File</title>
<screen>
set_cachesize 0 150000000 1
@ -1477,7 +1507,7 @@ set_flags DB_LOG_AUTOREMOVE
</screen>
</example>
<example id="ch6-slapdconf">
<example id="sbehap-slapdconf">
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
<screen>
include /etc/openldap/schema/core.schema
@ -1524,7 +1554,7 @@ directory /data/ldap
</screen>
</example>
<example id="ch6-slapdconf2">
<example id="sbehap-slapdconf2">
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
<screen>
# Indices to maintain
@ -1545,7 +1575,7 @@ index default sub
</sect2>
<sect2 id="ch6-PAM-NSS">
<sect2 id="sbehap-PAM-NSS">
<title>PAM and NSS Client Configuration</title>
<para><indexterm>
@ -1612,12 +1642,12 @@ index default sub
<step><para>
On the server <constant>MASSIVE</constant>, install the file shown in
<link linkend="ch6-nss01"/> into the path that was obtained from the step above.
<link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
<link linkend="ch6-nss02"/> into the path that was obtained from the step above.
<link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
</para></step>
<example id="ch6-nss01">
<example id="sbehap-nss01">
<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
<screen>
host 127.0.0.1
@ -1643,7 +1673,7 @@ ssl off
</screen>
</example>
<example id="ch6-nss02">
<example id="sbehap-nss02">
<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
<screen>
host 172.16.0.1
@ -1745,7 +1775,7 @@ session optional pam_mail.so
</sect2>
<sect2 id="ch6-massive">
<sect2 id="sbehap-massive">
<title>Samba-3 PDC Configuration</title>
<para><indexterm>
@ -1762,9 +1792,9 @@ session optional pam_mail.so
<procedure>
<title>Configuration of PDC Called: <constant>MASSIVE</constant></title>
<step><para>
Install the files in <link linkend="ch6-massive-smbconfa"/>,
<link linkend="ch6-massive-smbconfb"/>, <link linkend="ch6-shareconfa"/>,
and <link linkend="ch6-shareconfb"/> into the <filename>/etc/samba/</filename>
Install the files in <link linkend="sbehap-massive-smbconfa"/>,
<link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>,
and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename>
directory. The three files should be added together to form the &smb.conf;
master file. It is a good practice to call this file something like
<filename>smb.conf.master</filename>, and then to perform all file edits
@ -1908,7 +1938,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
configuration of the LDAP server.
</para>
<smbconfexample id="ch6-massive-smbconfa">
<smbconfexample id="sbehap-massive-smbconfa">
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
@ -1942,7 +1972,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
</smbconfexample>
<smbconfexample id="ch6-massive-smbconfb">
<smbconfexample id="sbehap-massive-smbconfb">
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
@ -1967,7 +1997,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
</sect2>
<sect2>
<sect2 id="sbeidealx">
<title>Install and Configure Idealx smbldap-tools Scripts</title>
<para><indexterm>
@ -1979,9 +2009,9 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
LDAP configuration scripts. The use of these scripts will help avoid the necessity
to create custom scripts. It is easy to download them from the Idealx
<ulink url="http://samba.idealx.org/index.en.html">Web Site.</ulink> The tarball may
be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.7.tgz">downloaded</ulink>
be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.8.tgz">downloaded</ulink>
for this site, also. Alternately, you may obtain the
<ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.7-3.src.rpm">smbldap-tools-0.8.7-3.src.rpm</ulink>
<ulink url="http://samba.idealx.org/dist/smbldap-tools-0.8.8-3.src.rpm">smbldap-tools-0.8.8-3.src.rpm</ulink>
file that may be used to build an installable RPM package for your Linux system.
</para>
@ -2027,7 +2057,7 @@ change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</c
Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the
<filename>/opt/IDEALX/sbin</filename> directory, as shown here:
<screen>
&rootprompt; cd smbldap-tools-0.8.7/
&rootprompt; cd smbldap-tools-0.8.8/
&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
&rootprompt; cp smbldap*conf /etc/smbldap-tools/
&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
@ -2072,7 +2102,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
<para>
In the event that you have elected to use the RPM package provided by Idealx, download the
source RPM <filename>smbldap-tools-0.8.7-3.src.rpm</filename>, then follow the following procedure:
source RPM <filename>smbldap-tools-0.8.8-3.src.rpm</filename>, then follow the following procedure:
</para>
<procedure>
@ -2080,7 +2110,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
<step><para>
Install the source RPM that has been downloaded as follows:
<screen>
&rootprompt; rpm -i smbldap-tools-0.8.7-5.src.rpm
&rootprompt; rpm -i smbldap-tools-0.8.8-3.src.rpm
</screen>
</para></step>
@ -2117,7 +2147,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
<step><para>
Install the binary package by executing:
<screen>
&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-5.noarch.rpm
&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.8-3.noarch.rpm
</screen>
</para></step>
@ -2343,7 +2373,7 @@ writing new configuration file:
</indexterm>
The following steps initialize the LDAP database, and then you can add user and group
accounts that Samba can use. You use the <command>smbldap-populate</command> to
seed the LDAP database. You then manually add the accounts shown in <link linkend="ch6-bigacct"/>.
seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>.
The list of users does not cover all 500 network users; it provides examples only.
</para>
@ -2376,7 +2406,7 @@ writing new configuration file:
</para></note>
<table id="ch6-bigacct">
<table id="sbehap-bigacct">
<title>Abmas Network Users and Groups</title>
<tgroup cols="4">
<colspec align="left"/>
@ -2523,7 +2553,7 @@ ou: idmap
<primary>ldapadd</primary>
</indexterm>
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see <link linkend="ch6-ldifadd"/>). You can add the required entries using
template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using
the following command:
<screen>
&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
@ -2639,7 +2669,10 @@ Domain Computers:x:553:
<primary>nss_ldap</primary>
</indexterm>
This demonstrates that the <command>nss_ldap</command> library is functioning
as it should.
as it should. If these two steps fail to produce this information refer to
<link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
isolate the cause of the problem. Procede to the next step only when the steps
above have been successfully completed.
</para></step>
<step><para><indexterm>
@ -2928,7 +2961,7 @@ smb: \> q
</sect2>
<sect2 id="ch6-ptrcfg">
<sect2 id="sbehap-ptrcfg">
<title>Printer Configuration</title>
<para><indexterm>
@ -3040,25 +3073,25 @@ application/octet-stream
</sect1>
<sect1 id="ch6-bldg1">
<sect1 id="sbehap-bldg1">
<title>Samba-3 BDC Configuration</title>
<procedure>
<title>Configuration of BDC Called: <constant>BLDG1</constant></title>
<step><para>
Install the files in <link linkend="ch6-bldg1-smbconf"/>,
<link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
into the <filename>/etc/samba/</filename> directory. The three files
should be added together to form the &smb.conf; file.
</para></step>
<step><para>
Verify the &smb.conf; file as in step 2 of <link
linkend="ch6-massive"/>.
linkend="sbehap-massive"/>.
</para></step>
<step><para>
Carefully follow the steps outlined in <link linkend="ch6-PAM-NSS"/>, taking
Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
particular note to install the correct <filename>ldap.conf</filename>.
</para></step>
@ -3259,22 +3292,22 @@ smb: \> q
</procedure>
<procedure id="ch6-bldg2">
<procedure id="sbehap-bldg2">
<title>Configuration of BDC Called: <constant>BLDG2</constant></title>
<step><para>
Install the files in <link linkend="ch6-bldg2-smbconf"/>,
<link linkend="ch6-shareconfa"/>, and <link linkend="ch6-shareconfb"/>
Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
into the <filename>/etc/samba/</filename> directory. The three files
should be added together to form the &smb.conf; file.
</para></step>
<step><para>
Follow carefully the steps shown in <link linkend="ch6-bldg1"/>, starting at step 2.
Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
</para></step>
</procedure>
<smbconfexample id="ch6-bldg1-smbconf">
<smbconfexample id="sbehap-bldg1-smbconf">
<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
@ -3312,7 +3345,7 @@ smb: \> q
</smbconfexample>
<smbconfexample id="ch6-bldg2-smbconf">
<smbconfexample id="sbehap-bldg2-smbconf">
<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
@ -3350,7 +3383,7 @@ smb: \> q
</smbconfexample>
<smbconfexample id="ch6-shareconfa">
<smbconfexample id="sbehap-shareconfa">
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
<smbconfsection name="[accounts]"/>
<smbconfoption name="comment">Accounting Files</smbconfoption>
@ -3381,7 +3414,7 @@ smb: \> q
<smbconfoption name="browseable">No</smbconfoption>
</smbconfexample>
<smbconfexample id="ch6-shareconfb">
<smbconfexample id="sbehap-shareconfb">
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
<smbconfsection name="[apps]"/>
<smbconfoption name="comment">Application Files</smbconfoption>
@ -3416,7 +3449,7 @@ smb: \> q
<smbconfoption name="write list">root, chrisr</smbconfoption>
</smbconfexample>
<example id="ch6-ldifadd">
<example id="sbehap-ldifadd">
<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
<screen>
dn: ou=Idmap,dc=abmas,dc=biz
@ -3589,7 +3622,7 @@ structuralObjectClass: organizationalUnit
</sect2>
<sect2>
<title>Assigning Domain Privileges</title>
<title>Assigning User Rights and Privileges</title>
<para>
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
@ -3748,7 +3781,7 @@ SeDiskOperatorPrivilege
<para>
</para>
<procedure id="ch6-rdrfldr">
<procedure id="sbehap-rdrfldr">
<title>Redirect Folders in Default System User Profile</title>
<step><para><indexterm>
@ -3818,7 +3851,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
</para></step>
<step><para>
Now follow the procedure given in <link linkend="ch6-locgrppol"/>. Make sure that each folder you
Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
have redirected is in the exclusion list.
</para></step>

428
docs/Samba-Guide/SBE-MigrateNT4Samba3.xml
View File

@ -28,28 +28,19 @@
failure, and much more.
</para>
<para><indexterm>
<primary>group policies</primary>
</indexterm><indexterm>
<primary>accounts</primary>
<secondary>user</secondary>
</indexterm><indexterm>
<primary>accounts</primary>
<secondary>group</secondary>
</indexterm><indexterm>
<primary>accounts</primary>
<secondary>machine</secondary>
</indexterm>
<para>
<indexterm><primary>group policies</primary></indexterm>
<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
The migration from NT4 to Samba-3 can involve a number of factors, including:
migration of data to another server, migration of network environment controls
such as group policies, and finally migration of the users, groups, and machine
accounts.
</para>
<para><indexterm>
<primary>accounts</primary>
<secondary>Domain</secondary>
</indexterm>
<para>
<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
It should be pointed out now that it is possible to migrate some systems from
Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly
not possible in every case. It is possible to just migrate the Domain accounts
@ -60,26 +51,23 @@
</para>
<sect2>
<title>Assignment Tasks</title>
<title>Assignment Tasks</title>
<para><indexterm>
<primary>LDAP</primary>
</indexterm><indexterm>
<primary>ldapsam</primary>
</indexterm><indexterm>
<primary>passdb backend</primary>
</indexterm>
You are about to migrate an MS Windows NT4 Domain accounts database to
a Samba-3 server. The Samba-3 server is using a
<parameter>passdb backend</parameter> based on LDAP. The
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
for use with BDCs &smbmdash; generally essential for larger networks.
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>passdb backend</primary></indexterm>
You are about to migrate an MS Windows NT4 Domain accounts database to
a Samba-3 server. The Samba-3 server is using a
<parameter>passdb backend</parameter> based on LDAP. The
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
for use with BDCs &smbmdash; generally essential for larger networks.
</para>
<para>
Your objective is to document the process of migrating user and group accounts
from several NT4 Domains into a single Samba-3 LDAP backend database.
</para>
<para>
Your objective is to document the process of migrating user and group accounts
from several NT4 Domains into a single Samba-3 LDAP backend database.
</para>
</sect2>
</sect1>
@ -87,69 +75,49 @@
<sect1>
<title>Dissection and Discussion</title>
<para><indexterm>
<primary>snap-shot</primary>
</indexterm><indexterm>
<primary>NT4 registry</primary>
</indexterm><indexterm>
<primary>registry</primary>
<secondary>keys</secondary>
<tertiary>SAM</tertiary>
</indexterm><indexterm>
<primary>registry</primary>
<secondary>keys</secondary>
<tertiary>SECURITY</tertiary>
</indexterm><indexterm>
<primary>SAM</primary>
</indexterm><indexterm>
<primary>Security Account Manager</primary>
<see>SAM</see>
</indexterm>
<para>
<indexterm><primary>snap-shot</primary></indexterm>
<indexterm><primary>NT4 registry</primary></indexterm>
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SAM</tertiary></indexterm>
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
<indexterm><primary>SAM</primary></indexterm>
<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
The migration process takes a snap-shot of information that is stored in the
Windows NT4 registry based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 Registry under keys called
<constant>SAM</constant> and <constant>SECURITY</constant>.
</para>
<warning><para><indexterm>
<primary>crippled</primary>
</indexterm><indexterm>
<primary>inoperative</primary>
</indexterm>
<warning><para>
<indexterm><primary>crippled</primary></indexterm>
<indexterm><primary>inoperative</primary></indexterm>
The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
are protected so that you cannot view the contents. If you change the security setting
to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not
do this unless you are willing to render your domain controller inoperative.
</para></warning>
<para><indexterm>
<primary>migration</primary>
<secondary>objectives</secondary>
</indexterm><indexterm>
<primary>disruptive</primary>
</indexterm>
<para>
<indexterm><primary>migration</primary><secondary>objectives</secondary></indexterm>
<indexterm><primary>disruptive</primary></indexterm>
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
that may not be a good idea from an administration perspective. Since you are going through a
certain amount of disruptive activity anyhow, why not take this as an opportunity to review
the structure of the network, how Windows clients are controlled and how they
that may not be a good idea from an administration perspective. Since the process involves going
through a certain amount of disruptive activity anyhow, why not take this as an opportunity to
review the structure of the network, how Windows clients are controlled and how they
interact with the network environment.
</para>
<para><indexterm>
<primary>network</primary>
<secondary>logon scripts</secondary>
</indexterm><indexterm>
<primary>profiles share</primary>
</indexterm><indexterm>
<primary>security descriptors</primary>
</indexterm>
<para>
<indexterm><primary>network</primary><secondary>logon scripts</secondary></indexterm>
<indexterm><primary>profiles share</primary></indexterm>
<indexterm><primary>security descriptors</primary></indexterm>
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
have done little to keep the NT4 server environment up-to-date with more recent Windows releases,
particularly Windows XP Professional. The migration provides opportunity to revise and update
roaming profile deployment as well as folder redirection. Given that you must port the
greater network configuration of this from the old NT4 server to the new Samba-3 server, you
also must validate the security descriptors in the profiles share as well as network logon
greater network configuration of this from the old NT4 server to the new Samba-3 server.
Do not forget to validate the security descriptors in the profiles share as well as network logon
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
as a good time to update desktop systems also. In all, the extra effort should constitute no
real disruption to users, rather with due diligence and care should make their network experience
@ -157,157 +125,103 @@
</para>
<sect2>
<title>Technical Issues</title>
<title>Technical Issues</title>
<para>
<indexterm><primary>strategic</primary></indexterm>
<indexterm><primary>active directory</primary></indexterm>
Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic
element. Many sites have asked for instructions regarding merging of multiple different NT4
Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant
added value compared with the alternative of migration to Windows Server 200x and Active
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
from a Windows NT4 Domain to a Samba Domain.
</para>
<para>
<indexterm><primary>strategic</primary></indexterm>
<indexterm><primary>active directory</primary></indexterm>
Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic
element. Many sites have asked for instructions regarding merging of multiple different NT4
Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant
added value compared with the alternative of migration to Windows Server 200x and Active
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
from a Windows NT4 Domain to a Samba Domain.
</para>
<image id="ch8-migration">
<imagedescription>Schematic Explaining the <command>net rpc vampire</command> Process</imagedescription>
<imagefile scale="55">ch8-migration</imagefile>
</image>
<image id="ch8-migration">
<imagedescription>Schematic Explaining the <command>net rpc vampire</command> Process</imagedescription>
<imagefile scale="55">ch8-migration</imagefile>
</image>
<para>
In any case, the migration process involves the following steps:
</para>
<itemizedlist>
<listitem><para>
Prepare the target Samba-3 server. This involves configuring Samba-3 for
migration to either a tdbsam or an ldapsam backend.
</para></listitem>
<listitem><para><indexterm>
<primary>uppercase</primary>
</indexterm><indexterm>
<primary>Posix</primary>
</indexterm><indexterm>
<primary>lower-case</primary>
</indexterm>
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
Delete all files that should not be migrated. Where possible, change NT Group
names so there are no spaces or uppercase characters. This is important if
the target UNIX host insists on Posix compliant all lower-case user and group
names.
</para></listitem>
<listitem><para>
Step through the migration process.
</para></listitem>
<listitem><para><indexterm>
<primary>PDC</primary>
</indexterm>
Remove the NT4 PDC from the network.
</para></listitem>
<listitem><para>
Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
information.
</para></listitem>
</itemizedlist>
<para>
<indexterm><primary>merge</primary></indexterm>
<indexterm><primary>passdb.tdb</primary></indexterm>
If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain,
you must now dump the contents of the first migration and edit it as appropriate. Now clean
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database
files. You must start each migration with a new database into which you merge your NT4
domains.
</para>
<para><indexterm>
<primary>merge</primary>
</indexterm><indexterm>
<primary>passdb.tdb</primary>
</indexterm>
If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain,
you must now dump the contents of the first migration and edit it as appropriate. Now clean
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database
files. You must start each migration with a new database into which you merge your NT4
domains.
</para>
<primary>dump</primary>
</indexterm>
At this point, you are ready to perform the second migration following the same steps as
for the first. In other words, dump the database, edit it, and then you may merge the
dump for the first and second migrations.
</para>
<para><indexterm>
<primary>dump</primary>
</indexterm>
At this point, you are ready to perform the second migration following the same steps as
for the first. In other words, dump the database, edit it, and then you may merge the
dump for the first and second migrations.
</para>
<primary>LDAP</primary>
</indexterm><indexterm>
<primary>migrate</primary>
</indexterm><indexterm>
<primary>Domain SID</primary>
</indexterm>
You must be careful. If you choose to migrate to an LDAP backend, your dump file
now contains the full account information, including the Domain SID. The Domain SID for each
of the two NT4 Domains will be different. You must choose one, and change the Domain
portion of the account SIDs so that all are the same.
</para>
<para><indexterm>
<primary>LDAP</primary>
</indexterm><indexterm>
<primary>migrate</primary>
</indexterm><indexterm>
<primary>Domain SID</primary>
</indexterm>
You must be careful. If you choose to migrate to an LDAP backend, your dump file
now contains the full account information, including the Domain SID. The Domain SID for each
of the two NT4 Domains will be different. You must choose one, and change the Domain
portion of the account SIDs so that all are the same.
</para>
<para>
<indexterm><primary>passdb.tdb</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>merged</primary></indexterm>
<indexterm><primary>logon script</primary></indexterm>
<indexterm><primary>logon hours</primary></indexterm>
<indexterm><primary>logon machines</primary></indexterm>
<indexterm><primary>profile path</primary></indexterm>
<indexterm><primary>smbpasswd</primary></indexterm>
<indexterm><primary>tdbsam</primary></indexterm>
<indexterm><primary>LDAP backend</primary></indexterm>
<indexterm><primary>export</primary></indexterm>
<indexterm><primary>import</primary></indexterm>
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
smbpasswd data file. This automatically strips out all Domain specific information,
such as logon hours, logon machines, logon script, profile path, as well as the Domain SID.
The resulting file can be easily merged with other migration attempts (each of which must start
with a clean file). It should also be noted that all users that end up in the merged smbpasswd
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into
an LDAP backend.
</para>
<para><indexterm>
<primary>passdb.tdb</primary>
</indexterm><indexterm>
<primary>/etc/passwd</primary>
</indexterm><indexterm>
<primary>merged</primary>
</indexterm><indexterm>
<primary>logon script</primary>
</indexterm><indexterm>
<primary>logon hours</primary>
</indexterm><indexterm>
<primary>logon machines</primary>
</indexterm><indexterm>
<primary>profile path</primary>
</indexterm><indexterm>
<primary>smbpasswd</primary>
</indexterm><indexterm>
<primary>tdbsam</primary>
</indexterm><indexterm>
<primary>LDAP backend</primary>
</indexterm><indexterm>
<primary>export</primary>
</indexterm><indexterm>
<primary>import</primary>
</indexterm>
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
smbpasswd data file. This automatically strips out all Domain specific information,
such as logon hours, logon machines, logon script, profile path, as well as the Domain SID.
The resulting file can be easily merged with other migration attempts (each of which must start
with a clean file). It should also be noted that all users that end up in the merged smbpasswd
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into
an LDAP backend.
</para>
<image id="NT4DUM">
<imagedescription>View of Accounts in NT4 Domain User Manager</imagedescription>
<imagefile scale="50">UserMgrNT4</imagefile>
</image>
<image id="NT4DUM">
<imagedescription>View of Accounts in NT4 Domain User Manager</imagedescription>
<imagefile scale="50">UserMgrNT4</imagefile>
</image>
</sect2>
</sect2>
<sect2>
<title>Political Issues</title>
<sect2>
<title>Political Issues</title>
<para>
The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3
Domain may be seen by those who had power over them as a loss of prestige or a loss of
power. The imposition of a single Domain may even be seen as a threat. So in migrating and
merging account databases, be consciously aware of the political fall-out in which you
may find yourself entangled when key staff feel a loss of prestige.
</para>
<para>
The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3
Domain may be seen by those who had power over them as a loss of prestige or a loss of
power. The imposition of a single Domain may even be seen as a threat. So in migrating and
merging account databases, be consciously aware of the political fall-out in which you
may find yourself entangled when key staff feel a loss of prestige.
</para>
<para>
The best advice that can be given to those who set out to merge NT4 Domains into one single
Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers
greater network interoperability and manageability.
</para>
<para>
The best advice that can be given to those who set out to merge NT4 Domains into one single
Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers
greater network interoperability and manageability.
</para>
</sect2>
@ -316,6 +230,15 @@
<sect1>
<title>Implementation</title>
<para>
From feedback on the Samba mailing lists it would appear that most Windows NT4 migrations
to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
server. If you contemplate doing this also, please note that the steps that follow in this
chapter assume familiarity with the information that has been previously covered in this
book. The reader is particularly encouraged to be familiar with <link linkend="secure"/>,
<link linkend="Big500users"/> and <link linkend="happy"/>.
</para>
<para>
You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The
first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
@ -323,6 +246,52 @@
collection of parameters are used to effect the addition of accounts into the passdb backend.
</para>
<para>
Before proceeding to NT4 migration using either a tdbsam or ldapsam it is most strongly recommended to
review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
functioning name resolution must be recognized. This applies equally for hostname as for netBIOS names
(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
</para>
<para>
The migration process involves the following steps:
</para>
<itemizedlist>
<listitem><para>
Prepare the target Samba-3 server. This involves configuring Samba-3 for
migration to either a tdbsam or an ldapsam backend.
</para></listitem>
<listitem><para>
<indexterm><primary>uppercase</primary></indexterm>
<indexterm><primary>Posix</primary></indexterm>
<indexterm><primary>lower-case</primary></indexterm>
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
Delete all files that should not be migrated. Where possible, change NT Group
names so there are no spaces or uppercase characters. This is important if
the target UNIX host insists on Posix compliant all lower-case user and group
names.
</para></listitem>
<listitem><para>
Step through the migration process.
</para></listitem>
<listitem><para><indexterm><primary>PDC</primary></indexterm>
Remove the NT4 PDC from the network.
</para></listitem>
<listitem><para>
Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
information.
</para></listitem>
</itemizedlist>
<para>
It may help to use the above outline as a pre-migration check-list.
</para>
<sect2>
<title>NT4 Migration Using LDAP Backend</title>
@ -648,7 +617,14 @@ bootparams: files
automount: files nis
aliases: files
</screen>
Note that the LDAP entris
Note that the LDAP entries have been commented out. This is deliberate. If these
entries are active (not commented out), and the <filename>/ec/ldap.conf</filename>
file has been configured, when the LDAP server is started, the process
of starting the LDAP server will cause LDAP lookups. This causes the LDAP server
<command>slapd</command> to hang becasue it finds port 389 open and therefore
can not gain exclusive control of it. By commenting these entries out it is possible
to avoid this grid-lock situation and thus the over-all installation and configuration
will progress more smoothly.
</para></step>
<step><para>
@ -665,12 +641,13 @@ PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
</screen>
Do not procede to the next step if this step fails. It is imperative that the name of the PDC
Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
can be resolved to its IP address. If this is broken, fix it.
</para></step>
<step><para>
Obtain the domain SID from the target NT4 domain that is being migrated to Samba-3.
Obtain the domain SID from the target NT4 domain that is being
migrated to Samba-3 by executing the following:
<screen>
&rootprompt; net rpc info -S TRANSGRESSION
</screen>
@ -681,11 +658,12 @@ rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
<indexterm><primary>configure.pl</primary></indexterm>
<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
<indexterm><primary>smbldap-tools</primary></indexterm>
Install the Idealx <command>smbldap-tools</command> software package. The resulting
perl scripts should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
Install the Idealx <command>smbldap-tools</command> software package following
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
Change into that location, or where ever the scripts have been installed. Execute the
<filename>configure.pl</filename> script to configure the Idealx package for use.
Note: Use the Domain SID obtained from the immediately prior step. The following is
Note: Use the Domain SID obtained from the step above. The following is
an example configuration session:
<screen>
merlin:/opt/IDEALX/sbin # ./configure.pl
@ -770,8 +748,12 @@ writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
</screen>
<indexterm><primary>sambaDomainName</primary></indexterm>
Note that the NT4 domain SID that was previously obtained was entered above. Also,
the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION
the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION. This is
the location into which the Idealx smbldap-tools store the next available UID/GID
information. It is also where Samba stores domain specific information such as the
next RID, the SID, and so on.
</para></step>
<step><para>
@ -1049,6 +1031,12 @@ Users (S-1-5-32-545) -&gt; Users
All user logon accounts should also function correctly.
</para></step>
<step><para>
The configuration of Samba-3 BDC servers can be accomplised now, or at any
convenient time in the future. Please refer to the carefully detailed process
for doing this that has been outlined in <link linkend="sbehap-bldg1"/>.
</para></step>
</procedure>
<sect3 id="sbevam1">

10
docs/Samba-Guide/SBE-SecureOfficeServer.xml
View File

@ -752,11 +752,11 @@ INTIFA="eth1"
INTIFB="eth2"
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
/sbin/modprobe -i ip_tables
/sbin/modprobe -i ip_conntrack
/sbin/modprobe -i ip_conntrack_ftp
/sbin/modprobe -i iptable_nat
/sbin/modprobe -i ip_nat_ftp
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT

2
docs/Samba-Guide/SBE-UpgradingSamba.xml
View File

@ -1009,7 +1009,7 @@ the procedure outlined above.
<para>
<indexterm><primary>privileges</primary></indexterm>
In Samba-3.0.11 a new privileges interface was implemented. Please
refer to <link linkend="ch6-ppc"/> for information regarding this new
refer to <link linkend="sbehap-ppc"/> for information regarding this new
feature. It is not necessary to implement the privileges interface, but it
is one that has been requested for several years and thus may be of interest
at your site.