mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

Put Johns' changes back in again.

(This used to be commit d5a730fc09)
Jelmer Vernooij 2005-06-13 15:29:53 +00:00 committed by Gerald W. Carter
parent 789fda4de0
commit 2757cde29e
14 changed files with 301 additions and 350 deletions

View File

@ -642,10 +642,10 @@ root = Administrator
<indexterm><primary>/etc/mime.convs</primary></indexterm>
<indexterm><primary>application/octet-stream</primary></indexterm>
This step, as well as the next one, may be omitted where CUPS version 1.1.18
or later is in use. Although it does no harm to follow it anyhow, and may
help to avoid later time spent trying to figure out why print jobs may be
disappearing without trace. Look at these two steps as <emphasis>insurance</emphasis>
against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to
or later is in use. Although it does no harm to follow it anyway, and may
help to avoid time spent later trying to figure out why print jobs may be
disappearing without a trace. Look at these two steps as <emphasis>insurance</emphasis>
against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to
uncomment the line:
<screen>
application/octet-stream application/vnd.cups-raw 0 -
@ -694,7 +694,7 @@ application/octet-stream
<para>
There are some steps that apply to particular server functionality only. Each step is critical
to correct server operation. The following step-by-step installation guidance will assist you
to work through the process of configuring the PDC and then both BDC's.
in working through the process of configuring the PDC and then both BDC's.
</para>
<sect3>
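Review bot: the new line "in working through the process of configuring the PDC and then both BDC's." keeps the apostrophe in "BDC's", while the -893 hunk in this same file corrects "BDC's" to "BDCs"; use "BDCs" here as well so the plural is spelled consistently within the chapter.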
@ -893,7 +893,7 @@ Added user <parameter>username</parameter>.
<title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
<para>
The following steps will guide you trough the nuances of imlplementing BDC's for the broadcast
The following steps will guide you through the nuances of implementing BDCs for the broadcast
isolated network segments. Remember that if the target installation platform is not Linux, it may
be necessary to adapt some commands to the equivalent on the target platform.
</para>

View File

@ -113,7 +113,7 @@
<indexterm><primary>accounts</primary><secondary>authoritative</secondary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain.
A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
to the same values that the PDC resolved them to.
</para></listitem>
@ -190,41 +190,32 @@
casual user.
</para></listitem>
<listitem><para><indexterm>
<primary>winbind enable local accounts</primary>
</indexterm><indexterm>
<primary>Domain Member</primary>
<secondary>servers</secondary>
</indexterm><indexterm>
<primary>Domain Controllers</primary>
</indexterm>
<listitem><para>
<indexterm><primary>winbind trusted domains only</primary></indexterm>
<indexterm><primary>domain member</primary><secondary>servers</secondary></indexterm>
<indexterm><primary>domain controllers</primary></indexterm>
If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
of being resolved using) the NSS facility, it is imperative to use the
<smbconfoption name="winbind enable local accounts">Yes</smbconfoption>
in the &smb.conf; file. This parameter specifically applies only to domain controllers,
not to domain member servers.
of being resolved using) the NSS facility, it is possible to use the
<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
in the &smb.conf; file. This parameter specifically applies to domain controllers,
and to domain member servers.
</para></listitem>
</itemizedlist>
<para><indexterm>
<primary>Posix accounts</primary>
</indexterm><indexterm>
<primary>Samba accounts</primary>
</indexterm><indexterm>
<primary>LDAP</primary>
</indexterm>
<para>
<indexterm><primary>Posix accounts</primary></indexterm>
<indexterm><primary>Samba accounts</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
For many administrators, it should be plain that the use of an LDAP-based repository for all network
accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
controllable facility. You eventually appreciate the decision to use LDAP.
</para>
<para><indexterm>
<primary>nss_ldap</primary>
</indexterm><indexterm>
<primary>identifiers</primary>
</indexterm><indexterm>
<primary>resolve</primary>
</indexterm>
<para>
<indexterm><primary>nss_ldap</primary></indexterm>
<indexterm><primary>identifiers</primary></indexterm>
<indexterm><primary>resolve</primary></indexterm>
If your network account information resides in an LDAP repository, you should use it ahead of any
alternative method. This means that if it is humanly possible to use the <command>nss_ldap</command>
tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
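Review bot: the rewritten closing sentence "This parameter specifically applies to domain controllers, and to domain member servers." no longer works: "specifically" carried meaning when the old text restricted the parameter to domain controllers, but says nothing once both roles are listed, and the comma before "and" is stray. Suggest "This parameter applies to both domain controllers and domain member servers." Worth a second look as well: "it is imperative to use" became "it is possible to use", whereas the -254 hunk below describes the same parameter, winbind trusted domains only, as "the only effective way" to use UNIX accounts held on the member server; the two passages should agree on whether the setting is optional or required.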
@ -232,20 +223,13 @@
throughout the network.
</para>
<para><indexterm>
<primary>Domain Member</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>winbind trusted domains only</primary>
</indexterm><indexterm>
<primary>getpwnam</primary>
</indexterm><indexterm>
<primary>smbd</primary>
</indexterm><indexterm>
<primary>Trusted Domains</primary>
</indexterm><indexterm>
<primary>External Domains</primary>
</indexterm>
<para>
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
<indexterm><primary>winbind trusted domains only</primary></indexterm>
<indexterm><primary>getpwnam</primary></indexterm>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>Trusted Domains</primary></indexterm>
<indexterm><primary>External Domains</primary></indexterm>
In the situation where UNIX accounts are held on the domain member server itself, the only effective
way to use them involves the &smb.conf; entry
<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>. This forces
@ -254,17 +238,12 @@
disables the use of Samba with trusted domains (i.e., external domains).
</para>
<para><indexterm>
<primary>appliance mode</primary>
</indexterm><indexterm>
<primary>Domain Member</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>winbindd</primary>
</indexterm><indexterm>
<primary>automatically allocate</primary>
</indexterm>
Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
<para>
<indexterm><primary>appliance mode</primary></indexterm>
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>automatically allocate</primary></indexterm>
Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation
is made for all accounts that connect to that domain member server, whether within its own domain or from
trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
@ -273,9 +252,8 @@
is stored in the <filename>winbindd_idmap.tdb</filename> and <filename>winbindd_cache.tdb</filename> files.
</para>
<para><indexterm>
<primary>mapping</primary>
</indexterm>
<para>
<indexterm><primary>mapping</primary></indexterm>
The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
servers so configured. This solves one of the major headaches for network administrators who need to copy
@ -287,16 +265,11 @@
<sect2>
<title>Political Issues</title>
<para><indexterm>
<primary>OpenLDAP</primary>
</indexterm><indexterm>
<primary>NIS</primary>
</indexterm><indexterm>
<primary>yellow pages</primary>
<see>NIS</see>
</indexterm><indexterm>
<primary>identity management</primary>
</indexterm>
<para>
<indexterm><primary>OpenLDAP</primary></indexterm>
<indexterm><primary>NIS</primary></indexterm>
<indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
<indexterm><primary>identity management</primary></indexterm>
One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
is different and requires a new approach to the need for a better identity management solution. The more
@ -311,11 +284,9 @@
commercial integration products. But it's not what Active Directory was designed for.
</para>
<para><indexterm>
<primary>directory</primary>
</indexterm><indexterm>
<primary>management</primary>
</indexterm>
<para>
<indexterm><primary>directory</primary></indexterm>
<indexterm><primary>management</primary></indexterm>
A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
is the first application group to almost force network administrators to use LDAP. It should be pointed
out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
@ -330,25 +301,18 @@
<sect1>
<title>Implementation</title>
<para><indexterm>
<primary>Domain Member</primary>
<secondary>server</secondary>
</indexterm><indexterm>
<primary>Domain Member</primary>
<secondary>client</secondary>
</indexterm><indexterm>
<primary>Domain Controller</primary>
</indexterm>
The domain Member server and the domain member client are at the center of focus in this chapter.
<para>
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
<indexterm><primary>Domain Member</primary><secondary>client</secondary></indexterm>
<indexterm><primary>Domain Controller</primary></indexterm>
The domain member server and the domain member client are at the center of focus in this chapter.
Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
interest is in domain controller configuration, you will not find that here. You will find good
oil that helps you to add domain member servers and clients.
</para>
<para><indexterm>
<primary>Domain Member</primary>
<secondary>workstations</secondary>
</indexterm>
<para>
<indexterm><primary>Domain Member</primary><secondary>workstations</secondary></indexterm>
In practice, domain member servers and domain member workstations are very different entities, but in
terms of technology they share similar core infrastructure. A technologist would argue that servers
and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
@ -357,22 +321,18 @@
but a server is viewed as a core component of the business.
</para>
<para><indexterm>
<primary>workstation</primary>
</indexterm>
<para>
<indexterm><primary>workstation</primary></indexterm>
We can look at this another way. If a workstation breaks down, one user is affected, but if a
server breaks down, hundreds of users may not be able to work. The services that a workstation
must provide are document- and file-production oriented; a server provides information storage
and is distribution oriented.
</para>
<para><indexterm>
<primary>authentication process</primary>
</indexterm><indexterm>
<primary>logon process</primary>
</indexterm><indexterm>
<primary>user identities</primary>
</indexterm>
<para>
<indexterm><primary>authentication process</primary></indexterm>
<indexterm><primary>logon process</primary></indexterm>
<indexterm><primary>user identities</primary></indexterm>
<emphasis>Why is this important?</emphasis> For starters, we must identify what
components of the operating system and its environment must be configured. Also, it is necessary
to recognize where the interdependencies between the various services to be used are.
@ -388,52 +348,52 @@
</para>
<sect2 id="sdcsdmldap">
<title>Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP</title>
<title>Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP</title>
<para><indexterm>
<primary>ldapsam</primary>
</indexterm><indexterm>
<primary>ldapsam backend</primary>
</indexterm><indexterm>
<primary>IDMAP</primary>
</indexterm><indexterm>
<primary>mapping</primary>
<secondary>consistent</secondary>
</indexterm><indexterm>
<primary>winbindd</primary>
</indexterm><indexterm>
<primary>foreign SID</primary>
</indexterm>
<para>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>ldapsam backend</primary></indexterm>
<indexterm><primary>IDMAP</primary></indexterm>
<indexterm><primary>mapping</primary><secondary>consistent</secondary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>foreign SID</primary></indexterm>
In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
containers for use by the IDMAP facility. This makes it possible to have globally consistent
mapping of SIDs to and from UIDs and GIDs. This means that you are running <command>winbindd</command>
as part of your configuration. The primary purpose of running <command>winbindd</command> (within
this operational context) is to permit mapping of foreign SIDs (those not originating from our
own domain). Foreign SIDs can come from any external domain or from Windows clients that do not
belong to a domain.
mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run
<command>winbindd</command> as part of your configuration. The primary purpose of running
<command>winbindd</command> (within this operational context) is to permit mapping of foreign
SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
domain member client or server, or from Windows clients that do not belong to a domain. Another
way to explain the necessity to run <command>winbindd</command> is that Samba can locally
resolve only accounts that belong to the security context of its own machine SID. Winbind
handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
from the parameter values set in the &smb.conf; file for the <parameter>idmap uid</parameter> and
<parameter>idmap gid</parameter> ranges. Where LDAP is used, the mappings can be stored in LDAP
so that all domain member servers can use a consistent mapping.
</para>
<para><indexterm>
<primary>winbindd</primary>
</indexterm><indexterm>
<primary>getpwnam</primary>
</indexterm><indexterm>
<primary>NSS</primary>
</indexterm>
If your installation is accessed only from clients that are members of your own domain, then
it is not necessary to run <command>winbindd</command> as long as all users can be resolved
locally via the <command>getpwnam()</command> system call. On NSS-enabled systems, this condition
is met by having
<para>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>getpwnam</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
If your installation is accessed only from clients that are members of your own domain, and all
user accounts are present in a local passdb backend then it is not necessary to run
<command>winbindd</command>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
</para>
<para>
It is possible to use a local passdb backend with any convenient means of resolving the POSIX
user and group account information. The POSIX information is usually obtained using the
<command>getpwnam()</command> system call. On NSS-enabled systems, the actual POSIX account
source can be provided from
</para>
<itemizedlist>
<listitem><para><indexterm>
<primary>/etc/passwd</primary>
</indexterm><indexterm>
<primary>/etc/group</primary>
</indexterm>
All accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
<listitem><para>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/group</primary></indexterm>
Accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
</para></listitem>
<listitem><para>
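Review bot: typo in the added text "those not originating from the the local Samba server" (doubled "the"). In "If your installation is accessed only from clients that are members of your own domain, and all user accounts are present in a local passdb backend then it is not necessary to run winbindd", a comma is needed before "then", and "can be in smbpasswd, tdbsam, or in ldapsam" should either drop the second "in" or repeat it for every item. The new paragraph ending "the actual POSIX account source can be provided from" runs straight into the itemizedlist; a colon at the end of that sentence would make the lead-in explicit.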
@ -455,6 +415,12 @@
</para></listitem>
</itemizedlist>
<note><para>
To advoid confusion the use of the term <literal>local passdb backend</literal> means that
the user account backend is not shared by any other Samba server &smbmdash; instead, it is
used only locally on the Samba domain member server under discussion.
</para></note>
<para>
<indexterm><primary>Identity resolution</primary></indexterm>
The diagram in <link linkend="ch9-sambadc"/> demonstrates the relationship of Samba and system
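Review bot: typo in the new note: "To advoid confusion" should read "To avoid confusion", followed by a comma. The rest of the sentence would also read more cleanly as "the term local passdb backend means that the account backend is not shared by any other Samba server; it is used only locally on the Samba domain member server under discussion."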
@ -467,11 +433,9 @@
<imagefile scale="60">chap9-SambaDC</imagefile>
</figure>
<para><indexterm>
<primary>IDMAP</primary>
</indexterm><indexterm>
<primary>foreign</primary>
</indexterm>
<para>
<indexterm><primary>IDMAP</primary></indexterm>
<indexterm><primary>foreign</primary></indexterm>
In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
backend so that it can be shared by all domain member servers so that every user will have a
@ -487,25 +451,30 @@
</para>
<procedure>
<title>Configuration of LDAP-Based Identity Resolution</title>
<title>Configuration of NSS_LDAP-Based Identity Resolution</title>
<step><para>
Create the &smb.conf; file as shown in <link linkend="ch9-sdmsdc"/>. Locate
this file in the directory <filename>/etc/samba</filename>.
</para></step>
<step><para><indexterm>
<primary>ldap.conf</primary>
</indexterm>
<step><para>
<indexterm><primary>ldap.conf</primary></indexterm>
Configure the file that will be used by <constant>nss_ldap</constant> to
locate and communicate with the LDAP server. This file is called <filename>ldap.conf</filename>.
If your implementation of <constant>nss_ldap</constant> is consistent with
the defaults suggested by PADL (the authors), it will be located in the
<filename>/etc</filename> directory. On some systems, the default location is
the <filename>/etc/openldap</filename> directory. Change the parameters inside
the file that is located on your OS so it matches <link linkend="ch9-sdmlcnf"/>.
To find the correct location of this file, you can obtain this from the
library that will be used by executing the following:
the <filename>/etc/openldap</filename> directory, however this file is intended
for use by the OpenLDAP utilities and should not really be used by the nss_ldap
utility since its content and structure serves the specific purpose of enabling
the resolution of user and group IDs via NSS.
</para>
<para>
Change the parameters inside the file that is located on your OS so it matches
<link linkend="ch9-sdmlcnf"/>. To find the correct location of this file, you
can obtain this from the library that will be used by executing the following:
<screen>
&rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
/etc/ldap.conf
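Review bot: the added sentence about /etc/openldap is a run-on with an ambiguous pronoun: "On some systems, the default location is the /etc/openldap directory, however this file is intended for use by the OpenLDAP utilities and should not really be used by the nss_ldap utility since its content and structure serves the specific purpose of enabling the resolution of user and group IDs via NSS." As written, "its" attaches to the OpenLDAP file, which states the opposite of what is meant (the NSS-specific file is the nss_ldap one). Suggest splitting it: "On some systems an ldap.conf also exists in the /etc/openldap directory. That file belongs to the OpenLDAP client utilities and must not be confused with the nss_ldap file, whose content and structure serve the specific purpose of resolving user and group IDs via NSS." The new title "Configuration of NSS_LDAP-Based Identity Resolution" should also use the spelling the step text uses two lines later, nss_ldap in lowercase.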
@ -513,15 +482,13 @@
</para></step>
<step><para>
Configure the NSS control file so it matches the one shown
in <link linkend="ch9-sdmnss"/>.
Configure the NSS control file so it matches the one shown in
<link linkend="ch9-sdmnss"/>.
</para></step>
<step><para><indexterm>
<primary>Identity resolution</primary>
</indexterm><indexterm>
<primary>getent</primary>
</indexterm>
<step><para>
<indexterm><primary>Identity resolution</primary></indexterm>
<indexterm><primary>getent</primary></indexterm>
Before proceeding to configure Samba, validate the operation of the NSS identity
resolution via LDAP by executing:
<screen>
@ -556,24 +523,21 @@ Finances:x:1001:
PIOps:x:1002:
sammy:x:4321:
</screen>
<indexterm>
<primary>secondary group</primary>
</indexterm><indexterm>
<primary>primary group</primary>
</indexterm><indexterm>
<primary>group membership</primary>
</indexterm>
<indexterm><primary>secondary group</primary></indexterm>
<indexterm><primary>primary group</primary></indexterm>
<indexterm><primary>group membership</primary></indexterm>
This shows that all is working as it should be. Notice that in the LDAP database
the users' primary and secondary group memberships are identical. It is not
necessary to add secondary group memberships (in the group database) if the
user is already a member via primary group membership in the password database.
When using winbind, it is in fact undesirable to do this because it results in
doubling up of group memberships and may break winbind under certain conditions.
doubling up of group memberships and may cause problems with winbind under certain
conditions. It is intended that these limitations with winbind will be resolved soon
after Samba-3.0.20 has been released.
</para></step>
<step><para><indexterm>
<primary>slapcat</primary>
</indexterm>
<step><para>
<indexterm><primary>slapcat</primary></indexterm>
The LDAP directory must have a container object for IDMAP data. There are several ways you can
check that your LDAP database is able to receive IDMAP information. One of the simplest is to
execute:
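Review bot: the added sentence "It is intended that these limitations with winbind will be resolved soon after Samba-3.0.20 has been released." is a forward-looking promise that will read as stale in a printed book once that release is out; either name the version in which the behaviour actually changes or drop the sentence and keep only the description of the current limitation. The softening of "may break winbind" to "may cause problems with winbind" is fine.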
@ -582,25 +546,28 @@ sammy:x:4321:
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
</screen>
<indexterm>
<primary>ldapadd</primary>
</indexterm>
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using the following command:
<indexterm><primary>ldapadd</primary></indexterm>
If the execution of this command does not return IDMAP entries, you need to create an LDIF
template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using
the following command:
<screen>
&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
-w not24get &lt; /etc/openldap/idmap.LDIF
</screen>
Samba automatically populates this LDAP directory container when it needs to.
</para></step>
<step><para><indexterm>
<primary>net</primary>
<secondary>rpc</secondary>
<tertiary>join</tertiary>
</indexterm><indexterm>
<primary>Domain join</primary>
</indexterm>
<step><para>
Samba automatically populates the LDAP directory container when it needs to. To permit Samba
write access to the LDAP directory it is necessary to set the LDAP administrative password
in the <filename>secrets.tdb</filename> file as shown here:
<screen>
&rootprompt; smbpasswd -w not24get
</screen>
</para></step>
<step><para>
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
<indexterm><primary>Domain join</primary></indexterm>
The system is ready to join the domain. Execute the following:
<screen>
&rootprompt; net rpc join -U root%not24get
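Review bot: "Samba automatically populates this LDAP directory container when it needs to." is now said twice, once as the kept last line of the ldapadd step and again as the opening of the new smbpasswd -w step; keep it in one place, preferably the new step, where it motivates giving Samba write access to the directory. The new step itself is a useful addition, since the following net rpc join and the IDMAP writes depend on the LDAP administrative password being present in secrets.tdb; consider adding that the password given to smbpasswd -w must be the one for the directory account Samba binds as, which in this example is the cn=Manager,dc=abmas,dc=biz DN used with ldapadd -D in the previous step (both use not24get here).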
@ -632,9 +599,9 @@ Joined domain MEGANET2.
<indexterm><primary>failed join</primary></indexterm>
<indexterm><primary>rejected</primary></indexterm>
<indexterm><primary>restrict anonymous</primary></indexterm>
Note: Use "root" for UNIX/Linux and Samba, use "Administrator"for Windows NT4/200X. If the cause of
Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that
says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
<constant>restrict anonymous</constant> setting. Set this to the value 0 so that an anonymous connection
can be sustained, then try again.
</para>
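Review bot: the paragraph tells the reader to set restrict anonymous to 0 and "then try again" but never says to restore the previous value once the join succeeds; since this is a hardening setting on the Windows side, add a sentence instructing that it be set back after the join has completed. Separately, the pair of lines "says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the" is a whitespace-only change (both versions read identically here); a comma after NT_STATUS_ACCESS_DENIED would at least justify touching the line.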
@ -665,12 +632,12 @@ Join to 'MEGANET2' failed.
<step><para>
<indexterm><primary>wbinfo</primary></indexterm>
Just joining the domain is not quite enough; you must now provide a privileged set
of credentials through which <command>winbindd</command> can interact with the ADS
of credentials through which <command>winbindd</command> can interact with the
domain servers. Execute the following to implant the necessary credentials:
<screen>
&rootprompt; wbinfo --set-auth-user=Administrator%not24get
</screen>
The configuration is now ready to obtain ADS domain user and group information.
The configuration is now ready to obtain the Samba domain user and group information.
</para></step>
<step><para>
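Review bot: the credentials are inconsistent with the Note in the -632 hunk above, which says to use "root" for UNIX/Linux and Samba and "Administrator" only for Windows NT4/200X. Now that this step has been corrected from "ADS" to "the Samba domain", the command "wbinfo --set-auth-user=Administrator%not24get" should probably use root%not24get to match the preceding "net rpc join -U root%not24get", or the text should explain why Administrator is the right account here.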
@ -786,7 +753,7 @@ aliases: files
</sect2>
<sect2 id="wdcsdm">
<title>NT4/Samba Domain with Samba Domain Member Server: Using Winbind</title>
<title>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</title>
<para>
You need to use this method for creating a Samba domain member server if any of the following conditions
@ -803,32 +770,27 @@ aliases: files
</para></listitem>
<listitem><para>
The Samba domain member server must be part of a Windows NT4 Domain.
The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
</para></listitem>
</itemizedlist>
<para><indexterm>
<primary>Windows ADS Domain</primary>
</indexterm><indexterm>
<primary>Samba Domain</primary>
</indexterm><indexterm>
<primary>LDAP</primary>
</indexterm>
<para>
<indexterm><primary>Windows ADS Domain</primary></indexterm>
<indexterm><primary>Samba Domain</primary></indexterm>
<indexterm><primary>LDAP</primary></indexterm>
Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
domain and/or does not use LDAP.
</para>
<note><para><indexterm>
<primary>duplicate accounts</primary>
</indexterm>
<note><para>
<indexterm><primary>duplicate accounts</primary></indexterm>
If you use <command>winbind</command> for identity resolution, make sure that there are no
duplicate accounts.
</para>
<para><indexterm>
<primary>/etc/passwd</primary>
</indexterm>
<para>
<indexterm><primary>/etc/passwd</primary></indexterm>
For example, do not have more than one account that has UID=0 in the password database. If there
is an account called <constant>root</constant> in the <filename>/etc/passwd</filename> database,
it is okay to have an account called <constant>root</constant> in the LDAP ldapsam or in the
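Review bot: "The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain." needs no comma before "or", and the capitalised "Domain" conflicts with the lower-casing applied in the -113 hunk of this file ("authoritative for all accounts in its domain"). Suggest "must be a member of a Windows NT4 domain or a Samba domain."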
@ -837,29 +799,20 @@ aliases: files
<constant>root</constant>.
</para>
<para><indexterm>
<primary>/etc/passwd</primary>
</indexterm><indexterm>
<primary>ldapsam</primary>
</indexterm><indexterm>
<primary>tdbsam</primary>
</indexterm>
<para>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>ldapsam</primary></indexterm>
<indexterm><primary>tdbsam</primary></indexterm>
Winbind will break if there is an account in <filename>/etc/passwd</filename> that has
the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
</para></note>
<para><indexterm>
<primary>credentials</primary>
</indexterm><indexterm>
<primary>traverse</primary>
</indexterm><indexterm>
<primary>wide-area</primary>
</indexterm><indexterm>
<primary>network</primary>
<secondary>wide-area</secondary>
</indexterm><indexterm>
<primary>tdbdump</primary>
</indexterm>
<para>
<indexterm><primary>credentials</primary></indexterm>
<indexterm><primary>traverse</primary></indexterm>
<indexterm><primary>wide-area</primary></indexterm>
<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
<indexterm><primary>tdbdump</primary></indexterm>
The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
The winbind information is locally cached in the <filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>
files. This provides considerable performance benefits compared with the LDAP solution, particularly
@ -876,32 +829,26 @@ aliases: files
shown in <link linkend="ch0-NT4DSDM"/>.
</para></step>
<step><para><indexterm>
<primary>/etc/nsswitch.conf</primary>
</indexterm>
<step><para>
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
Edit the <filename>/etc/nsswitch.conf</filename> so it has the entries shown in
<link linkend="ch9-sdmnss"/>.
</para></step>
<step><para><indexterm>
<primary>net</primary>
<secondary>rpc</secondary>
<tertiary>join</tertiary>
</indexterm>
<step><para>
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
The system is ready to join the domain. Execute the following:
<screen>
net rpc join -U root%not2g4et
Joined domain MEGANET2.
</screen>
This indicates that the domain join succeed.
This indicates that the domain join succeed.
</para></step>
<step><para><indexterm>
<primary>winbind</primary>
</indexterm><indexterm>
<primary>wbinfo</primary>
</indexterm>
<step><para>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>wbinfo</primary></indexterm>
Validate operation of <command>winbind</command> using the <command>wbinfo</command>
tool as follows:
<screen>
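Review bot: the password in the new command "net rpc join -U root%not2g4et" looks like a typo; every other join and ldapadd example in this chapter uses not24get (for instance "net rpc join -U root%not24get" in the -1063 hunk below). Also, the pair "This indicates that the domain join succeed." is a whitespace-only change that leaves the grammar error in place; it should read "This indicates that the domain join succeeded."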
@ -929,13 +876,10 @@ MEGANET2+PIOps
This shows that domain groups have been correctly obtained also.
</para></step>
<step><para><indexterm>
<primary>NSS</primary>
</indexterm><indexterm>
<primary>getent</primary>
</indexterm><indexterm>
<primary>winbind</primary>
</indexterm>
<step><para>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>getent</primary></indexterm>
<indexterm><primary>winbind</primary></indexterm>
The next step verifies that NSS is able to obtain this information
correctly from <command>winbind</command> also.
<screen>
@ -979,6 +923,7 @@ MEGANET2+PIOps:x:10005:
<step><para>
The Samba member server of a Windows NT4 domain is ready for use.
</para></step>
</procedure>
<example id="ch0-NT4DSDM">
@ -1063,7 +1008,7 @@ MEGANET2+PIOps:x:10005:
net rpc join -U root%not24get
Joined domain MEGANET2.
</screen>
This indicates that the domain join succeed.
This indicates that the domain join succeed.
</para></step>
<step><para>
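Review bot: same whitespace-only touch as in the -876 hunk: "This indicates that the domain join succeed." is changed without being corrected; "succeed" should be "succeeded".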
@ -1180,9 +1125,8 @@ Joined domain MEGANET2.
<procedure>
<title>Joining a Samba Server as an ADS Domain Member</title>
<step><para><indexterm>
<primary>smbd</primary>
</indexterm>
<step><para>
<indexterm><primary>smbd</primary></indexterm>
Before you try to use Samba-3, you want to know for certain that your executables have
support for Kerberos and for LDAP. Execute the following to identify whether or
not this build is perhaps suitable for use:
@ -1498,11 +1442,8 @@ Server time offset: 2
In any case, the output we obtained confirms that all systems are operational.
</para></step>
<step><para><indexterm>
<primary>net</primary>
<secondary>ads</secondary>
<tertiary>status</tertiary>
</indexterm>
<step><para>
<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>status</tertiary></indexterm>
There is one more action you elect to take, just because you are paranoid and disbelieving,
so you execute the following command:
<programlisting>
@ -1583,6 +1524,7 @@ Permissions:
called <constant>FRAN</constant> is able to communicate fully with the ADS
domain controllers.
</para></step>
</procedure>
@ -2023,7 +1965,7 @@ ssl no
</para></step>
<step><para>
Configure an LDAP server and initialize the directory with the top level entries needed by IDMAP
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
as shown in the following LDIF file:
<screen>
dn: dc=snowshow,dc=com
@ -2237,8 +2179,8 @@ hosts: files wins
</itemizedlist>
<para>
The following guidelines are pertinent the deployment of winbind-based authentication
and identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops
The following guidelines are pertinent to the deployment of winbind-based authentication
and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
using Windows network domain user credentials (username and password).
</para>
@ -2261,7 +2203,7 @@ hosts: files wins
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>Identity resolution</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
To permit users to log onto a Linux system using Windows network credentials, you need to
To permit users to log on to a Linux system using Windows network credentials, you need to
configure identity resolution (NSS) and PAM. This means that the basic steps include those
outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
usually do not need to provide file and print services to a group of users, the configuration
@ -2443,7 +2385,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
learned how to integrate such servers so that the UID/GID mappings they use can be consistent
across all domain member servers. You also discovered how to implement the ability to use Samba
or Windows domain account credentials to log onto a UNIX/Linux client.
or Windows domain account credentials to log on to a UNIX/Linux client.
</para>
<para>
@ -2624,7 +2566,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
<question>
<para>
Are you suggesting that users should not log onto a domain member server? If so, why?
Are you suggesting that users should not log on to a domain member server? If so, why?
</para>
</question>

View File

@ -1224,10 +1224,10 @@ to LAM using only SSL.
</para>
<para>
The next major release, LAM 0.5, will have less restrictions and support the latest Samba features
(e.g. logon hours). The new plugin based architecture also allows to manage much more different
account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another
important point is the tree view which allows to browse and edit LDAP objects directly.
The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
(e.g., logon hours). The new plugin-based architecture also allows management of much more different
account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
important point is the tree view which allows browsing and editing LDAP objects directly.
</para>
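Review bot: "allows management of much more different account types" still reads awkwardly after the rewrite; suggest "allows management of many more account types, such as plain UNIX accounts". In the last line, "the tree view which allows browsing" needs a comma before "which", since the clause is non-restrictive: "the tree view, which allows browsing and editing LDAP objects directly".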
<example id="lamcfg">
@ -1419,7 +1419,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
<title>Microsoft Access</title>
<para>
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
cover this area. Examples of relevant documents include:
</para>
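Review bot: merging "knowledge base" into "knowledgebase" goes against the name of the resource being referred to; Microsoft styles it as the Microsoft Knowledge Base (two words), so the original wording was the correct one and this line should be reverted.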

View File

@ -36,7 +36,7 @@
With this acquisition comes new challenges for you and your team. Abmas Snack
Foods is a well-developed business with a huge and heterogeneous network. It
already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
The network is mature and well established, and there is no question of its chosen
The network is mature and well-established, and there is no question of its chosen
user authentication scheme being changed for now. You need to take a wise new
approach.
</para>
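Review bot: "well-established" is used predicatively here ("The network is mature and well established"), and predicate compounds of this kind are not hyphenated; the hyphen belongs only in attributive use ("a well-established network"). The same point applies to "well-advised" in the next hunk of this file ("You would be well advised to recognize").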
@ -792,7 +792,7 @@ group: files winbind
</para></blockquote>
<para>
You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
</para>

View File

@ -253,10 +253,10 @@
<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
<indexterm><primary>resolve</primary></indexterm>
A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
in a network environment that is part of the fully qualified Internet domain namespace known
as <constant>parrots.com</constant> results in DNS name lookups for <constant>fred.parrots.com</constant>
in a network environment that is part of the fully-qualified Internet domain namespace known
as <constant>parrots.com</constant>, results in DNS name lookups for <constant>fred.parrots.com</constant>
and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
(workgroup) <constant>collision.parrots.com,</constant> since this results in DNS lookup
(workgroup) <constant>collision.parrots.com</constant>, since this results in DNS lookup
attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
fails given that you probably do not have this in your DNS namespace.
</para>
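Review bot: the new comma in "as parrots.com, results in DNS name lookups" separates the sentence's subject ("A Samba server called FRED ...") from its verb ("results") and should be dropped. "fully-qualified" should not be hyphenated either, because "fully" is an -ly adverb: "fully qualified Internet domain namespace". Moving the comma outside `<constant>collision.parrots.com</constant>` is a correct fix.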
@ -375,7 +375,7 @@
</para>
<para>
As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also.
As the size of the &smb.conf; file grows, the risk of introducing parsing errors also increases.
It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
with an optimized file.
</para>
@ -479,7 +479,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<indexterm><primary>Domain Controller</primary></indexterm>
As a general guide, instead of adding domain member servers to a network, you would be better advised
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
domain member servers. This practice ensures that there is always sufficient domain controllers
domain member servers. This practice ensures that there are always sufficient domain controllers
to handle logon requests and authentication traffic.
</para>
@ -617,33 +617,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
<para>
There exist applications that create or manage directories containing many thousands of files. Such
applications typically generate many small files (less than 100 KB). At the best of times under UNIX
listing of the files in a directory that contains many files is slow. By default Windows NT, 200x,
applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x,
and XP Pro cause network file system directory lookups on a Samba server to be performed for both
the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead
on the Samba server that may slow down the system dramatically.
</para>
<para>
In an extreme case the performance impact was dramatic. File transfer from the Samba server to a Windows
In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows
XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately
30 MB/sec. But when tranfering a directory containng 120,000 files, all from 50KB to 60KB in size, the
30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the
transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was
of the order of a factor of 20-fold slower.
on the order of a factor of 20-fold slower.
</para>
<para>
The symptoms that will be observed on the Samba server when a large directory is accessed will be that
aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredably
aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly
long while at the same time the read queue is large. Close observation will show that the hard drive
that the file system is on will be thrashing wildly.
</para>
<para>
Samba-3.0.12, and later, includes new code that radically improves Samba perfomance. The secret to this is
Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
really in the <smbconfoption name="case sensitive">True</smbconfoption> line. This tells smbd never to scan
for case-insensitive versions of names. So if an application asks for a file called <filename>FOO</filename>,
and it can not be found by a simple stat call, then smbd will return file not found immediately without
and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
scanning the containing directory for a version of a different case.
</para>
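Review bot: two misspellings survive this hunk's rewrite: "tranferring" should be "transferring", and "perfomance" should be "performance". The edited line "Samba-3.0.12 and later, includes new code" now has an unbalanced comma; use either "Samba-3.0.12, and later, includes" or "Samba-3.0.12 and later includes". "on the order of a factor of 20-fold slower" says the same thing three times; "on the order of 20 times slower" is enough. Finally, "can not be found" should be "cannot be found".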

View File

@ -292,7 +292,7 @@
<para>
You agreed with Stan's recommendations and hired a consultant to help defuse the powder
keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
to support his or her claims, keep emotions to a side, and answer technically.
to support his or her claims, keep emotions to the side, and answer technically.
</para>
</sect2>
@ -464,7 +464,7 @@
</indexterm>
Windows network administrators may be dismayed to find that <command>winbind</command>
exposes all domain users so that they may use their domain account credentials to
log onto a UNIX/Linux system. The fact that all users in the domain can see the
log on to a UNIX/Linux system. The fact that all users in the domain can see the
UNIX/Linux server in their Network Neighborhood and can browse the shares on the
server seems to excite them further.
</para>
@ -676,9 +676,9 @@
</indexterm>
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
complete rewrite to permit extensive modularization and to prepare Samba for new
functionality planned for addition during the next-generation series. The Samba Team
functionality planned for addition during the next-generation series. The Samba Team
is responsible and can be depended upon; the history to date suggests a high
degree of dependability as well on charter development consistent with published
degree of dependability and on charter development consistent with published
roadmap projections.
</para>
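Review bot: the two "functionality planned for addition during the next-generation series" lines appear identical apart from whitespace, so this part of the hunk is whitespace-only churn; trimming trailing spaces is fine, but it is better done in a separate cleanup commit so the wording changes in this one stay easy to review.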
@ -877,7 +877,7 @@
</indexterm>
Kerberos is a network authentication protocol that provides secure authentication for
client-server applications by using secret-key cryptography. Firewalls are an insufficient
barrier mechanism in todays networking world; at best they only restrict incoming network
barrier mechanism in today's networking world; at best they only restrict incoming network
traffic but cannot prevent network traffic that comes from authorized locations from
performing unauthorized activities.
</para>
@ -924,7 +924,7 @@
</indexterm>
Kerberos was, until recently, a technology that was restricted from being exported from the United States.
For many years that hindered global adoption of more secure networking technologies both within the United States
and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
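Review bot: the unchanged context line "available from the University of Paderborn, Sweden" looks wrong and is worth fixing while this paragraph is being edited: Paderborn is a city in Germany, not Sweden, so the location, the institution, or both are off. Please verify where the Heimdal Kerberos project actually originates before attributing it; the "an" to "and" fix alone leaves a factual slip in the same paragraph.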
@ -966,7 +966,7 @@
</indexterm>
It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability
particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
@ -1027,7 +1027,7 @@
</indexterm><indexterm>
<primary>account</primary>
</indexterm>
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <constant>root</constant>).
</para></step>
@ -1142,7 +1142,7 @@
</indexterm><indexterm>
<primary>hierarchy of control</primary>
</indexterm>
It must be emphasized that the controls here discussed can act as a filter or give rights of passage
It must be emphasized that the controls discussed here can act as a filter or give rights of passage
that act as a superstructure over normal directory and file access controls. However, share-level
ACLs act at a higher level than do share definition controls because the user must filter through the
share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
@ -1525,7 +1525,7 @@
<procedure>
<step><para>
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <constant>root</constant>).
</para></step>
@ -1728,7 +1728,7 @@ other::r-x
</indexterm><indexterm>
<primary>inheritance</primary>
</indexterm>
It is highly recommend that you read the online manual page for the <command>setfacl</command>
It is highly recommended that you read the online manual page for the <command>setfacl</command>
and <command>getfacl</command> commands. This provides information regarding how to set/read the default
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
of setting <constant>inheritance</constant> properties.
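Review bot: in the unchanged context, "In Windows ACLs terms" should be "In Windows ACL terms" (a noun used attributively stays singular); since the paragraph is being touched for "recommend" to "recommended", it is worth correcting in the same change.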

View File

@ -2132,7 +2132,7 @@ Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [MEGANET2] >
. netbios name: netbios name of the samba controler
. netbios name: netbios name of the samba controller
netbios name [MASSIVE] >
. logon drive: local path to which the home directory will
be connected (for NT Workstations). Ex: 'H:'
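Review bot: this listing reproduces the interactive prompts of the smbldap-tools configure.pl script, so "controler" is the tool's own prompt text rather than a typo introduced by the book. Correcting it only in the documentation means the printed session no longer matches what the reader sees on screen, which is confusing in a step-by-step guide; either keep the output verbatim, or fix the spelling in the script upstream and regenerate the listing from the corrected version. The same applies to "name of the domain Samba act as a PDC" two lines above, which was left untouched.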
@ -3739,8 +3739,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
</procedure>
<para>
Before puching out new desktop images for the client workstations, it is perhaps a good idea that
desktop behavior should be returned to the original Microsoft settings. The followin steps achieve
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
that ojective:
</para>
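Review bot: "punching out new desktop images" is almost certainly not what the original "puching" was meant to be; the sentence is about deploying images to client workstations, so "pushing out new desktop images" is the likelier intent. Also, "ojective" in the unchanged last line of the paragraph should be "objective".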

View File

@ -120,7 +120,7 @@
Do not forget to validate the security descriptors in the profiles share as well as network logon
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
as a good time to update desktop systems also. In all, the extra effort should constitute no
real disruption to users, but rather, with due diligence and care should make their network experience
real disruption to users, but rather, with due diligence and care, should make their network experience
a much happier one.
</para>
@ -683,7 +683,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
Install the Idealx <command>smbldap-tools</command> software package, following
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
Change into that location, or whereever the scripts have been installed. Execute the
Change into that location, or wherever the scripts have been installed. Execute the
<filename>configure.pl</filename> script to configure the Idealx package for use.
Note: Use the domain SID obtained from the step above. The following is
an example configuration session:
@ -1525,7 +1525,7 @@ Users Ordinary users
<para>
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
UID of each account is taken together with the account information in the
<filename>/etc/passwd,</filename> and both sets of data are used to create the account
<filename>/etc/passwd</filename>, and both sets of data are used to create the account
entry in the LDAP database.
</para>

View File

@ -29,7 +29,7 @@
<indexterm><primary>migration</primary></indexterm>
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly now helps other administrators to solve thorny Samba migration questions.
regularly helps other administrators to solve thorny Samba migration questions.
</para>
<para>
@ -52,7 +52,7 @@
<para>
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba-ased Windows file and print server. This chapter does not pretend
server and onto a Samba-based Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server. Its focus is on migration of data files.
</para>
@ -232,7 +232,7 @@
entering everything from the printed company directory. This used only the inetOrgPerson
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
files on our mail server and create a LDIF file from which the information could be
files on our mail server and create an LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
</para>
@ -971,7 +971,7 @@ The Idealx smbldap-tools package can be configured using a script called
<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
for an example of its use. Many administrators, like Misty, choose to do this manually
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
undesirable actions from occurring un-noticed.
undesirable actions from occurring unnoticed.
</para></note>
<para>
@ -1203,7 +1203,7 @@ masterPw="verysecret"
The next step was to run the <command>smbldap-populate</command> command, which populates
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
It creates a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine because you can still log on a root to a Windows system,
Domain Admins group. This is fine because you can still log on as root to a Windows system,
but it will break cached credentials if you need to log on as the administrator
to a system that is not on the network.
</para>
@ -1384,7 +1384,7 @@ sambaAcctFlags: [W ]
<para>
<indexterm><primary>netlogon</primary></indexterm>
So now I could log on with a test user from the machine w2kengrspare. It was all fine and
So now I could log on with a test user from the machine w2kengrspare. It was all well and
good, but that user was in no groups yet and so had pretty boring access. I fixed that
by writing the login script! To write the login script, I used
<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
@ -1619,7 +1619,7 @@ ENDIF
One option is to check the OS as part of the Kixtart script, and if it
is Win9x and is the first login, copy a premade
<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
have onlythree such machines, and one is going away in the very near future,
have only three such machines, and one is going away in the very near future,
so it was easier to do it by hand.
</para>

View File

@ -1516,9 +1516,9 @@ hosts: files dns wins
<title>Printer Configuration</title>
<para>
Network administrators who are new to CUPS based printing typically experience some difficulty mastering
Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
its powerful features. The steps outlined in this section are designed to navigate around the distractions
of learning CUPS. Instead of implementing smart features and capabilties our approach is to use it as a
of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
transparent print queue that performs no filtering, and only minimal handling of each print job that is
submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
the correct printer driver must be installed on all clients.
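Review bot: "CUPS based-printing" hyphenates the wrong pair of words; the compound modifier is "CUPS-based printing" (hyphen between "CUPS" and "based", none before "printing").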
@ -1609,7 +1609,7 @@ application/octet-stream
<para>
Note: If the parameter <parameter>cups options = Raw</parameter> is specified in the &smb.conf; file,
the last two steps can be omitted where CUPS version 1.1.18, or later.
the last two steps can be omitted with CUPS version 1.1.18, or later.
</para>
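Review bot: the comma in "CUPS version 1.1.18, or later" is stray; "with CUPS version 1.1.18 or later" reads correctly. It would also help the reader to say which two steps are meant ("the preceding two steps"), since "the last two steps" is ambiguous once this note is read out of sequence.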
<para>
@ -1826,7 +1826,7 @@ hosts: files dns wins
<screen>
&rootprompt; testparm -s
Load smb config files from smb.conf
rocessing section "[homes]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
@ -2298,14 +2298,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
</para></step>
<step><para>
Log onto the machine as the local Administrator (the only option), and join the machine to
Log on to the machine as the local Administrator (the only option), and join the machine to
the Domain, following the procedure set out in Appendix A, <link linkend="domjoin"/>. The system is now
ready for the user to log on, provided you have created a network logon account for that
user, of course.
</para></step>
<step><para>
Instruct all users to log onto the workstation using their assigned username and password.
Instruct all users to log on to the workstation using their assigned username and password.
</para></step>
</procedure>

View File

@ -10,7 +10,7 @@
is the end of the road because their needs will have been adequately met. For others, this chapter is
the beginning of a journey that will take them well past the contents of this book. This book provides
example configurations of, for the greater part, complete networking solutions. The intent of this book
is to help you to get your Samba installation working with least amount of pain and aggravation.
is to help you to get your Samba installation working with the least amount of pain and aggravation.
</para>
<sect1>
@ -570,12 +570,12 @@ Password changed
<step><para>
Install the &smb.conf; file shown in <link linkend="charity-smbconfnew"/> in the
<filename>/etc/samba</filename> directory. This newer &smb.conf; file uses user-mode security
and is more suited to the mode of operation of Samba-3 that the older share-mode security
and is more suited to the mode of operation of Samba-3 than the older share-mode security
configuration that was shown in the first edition of this book.
</para>
<para>
Note: If you want to use the older style configuration that uses share-mode security, you
Note: If you want to use the older-style configuration that uses share-mode security, you
can install the file shown in <link linkend="charity-smbconf"/> in the
<filename>/etc/samba</filename> directory.
</para></step>

View File

@ -83,7 +83,7 @@ to perform a major upgrade. Many administrators have experienced the consequence
of failure to take adequate precautions. So what is adequate? That is simple!
If data is lost during an upgrade or update and it can not be restored,
the precautions taken were inadequate. If a backup was not needed, but was available,
precaution was on the side of the victor.
caution was on the side of the victor.
</para>
<sect2>
@ -127,7 +127,7 @@ precaution was on the side of the victor.
There is an old axiom that says, <quote>The greater the volume of the documentation,
the greater the risk that noone will read it, but where there is no documentation,
noone can read it!</quote> While true, some documentation is an evil necessity.
It is to be hoped that this update to the documentation will avoid both extremes.
It is hoped that this update to the documentation will avoid both extremes.
</para>
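Review bot: "noone" appears twice in the unchanged context lines of this hunk and should be "no one" in both places; since the paragraph is being edited anyway, fix both occurrences in the same change.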
<sect3>
@ -965,7 +965,7 @@ that are compatible with the original OS vendor's practices.
<para>
<indexterm><primary>binary package</primary></indexterm>
<indexterm><primary>binary files</primary></indexterm>
If you are not sure whether or a binary package complies with the OS
If you are not sure whether a binary package complies with the OS
vendor's practices, it is better to ask the package maintainer via
email than to waste much time dealing with the nuances.
Alternately, just diagnose the paths specified by the binary files following
@ -1116,8 +1116,8 @@ back to searching the 'ldap suffix' in some cases.
is stored in the <constant>smbpasswd</constant> or in the
<constant>tdbsam</constant> format, the user and group account information
for UNIX accounts that match the Samba accounts will reside in the system
<filename>/etc/passwd, /etc/shadow</filename>, and
<filename>/etc/group</filename> files. In this case be sure to copy these
<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and
<filename>/etc/group</filename> files. In this case, be sure to copy these
account entries to the new target server.
</para>
@ -1152,7 +1152,7 @@ back to searching the 'ldap suffix' in some cases.
<itemizedlist>
<listitem><para>
Where UNIX (POSIX) user and group accounts are stored in the system
<filename>/etc/passwd, /etc/shadow</filename>, and
<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and
<filename>/etc/group</filename> files, be sure to add the same accounts
with identical UID and GID values for each user.
</para>

View File

@ -19,14 +19,14 @@ of open-source software solutions globally, and in particular within the United
<para>
The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the
Open Source Consortium. Both the OSSI and the OSC share a common objective to expand the use of open-source
software in federal, state and municipal government agencies and in academic institutions. We represent
software in federal, state, and municipal government agencies; and in academic institutions. We represent
businesses that provide professional support services that answer the needs of our target organizational
information technology consumers in an effective and cost efficient manner.
information technology consumers in an effective and cost-efficient manner.
</para>
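Review bot: the new semicolon in "federal, state, and municipal government agencies; and in academic institutions" is incorrect; a semicolon separates list items only when the items themselves contain commas, and here the list is a simple one. A plain comma, or no punctuation at all, before "and in academic institutions" is right.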
<para>
Open source software has matured greatly over the past 5 years with the result that an increasing number of
people who hold key influential decision-making positions want to know how the business model works. They
people who hold key decision-making positions want to know how the business model works. They
want to understand how problems get resolved, how questions get answered, and how the development model
is sustained. Information and Communications Technology directors in defense organizations, and in other
government agencies that deal with sensitive information, want to become familiar with development road-maps
@ -36,38 +36,38 @@ and, in particular, seek to evaluate the track record of the main-stream open-so
<para>
Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the
benchmark against which open-source software solutions are measured. Two open-source software projects
are key to our ability to present a structured, and convincing, proposition that there are alternatives
to the incumbent proprietary means of meeting information technology needs. They are the Apache Web server
are key to our ability to present a structured and convincing proposition that there are alternatives
to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server
and Samba.
</para>
<para>
Just as the Apache web server is the standard in web serving technology, Samba is the definitive standard
for providing inter-operability with UNIX systems and other non-Microsoft operating system platforms. Both
Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard
for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both
open-source applications have a truly remarkable track record that extends well over a decade. Both have
demonstrated unique capacity to innovate and to maintain a level of development that has not only kept
pace with demands, but in many areas each project has also proven to be an industry leader.
demonstrated the unique capacity to innovate and maintain a level of development that has not only kept
pace with demands, but, in many areas, each project has also proven to be an industry leader.
</para>
<para>
One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI
was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly well
written books to help Samba software users to deploy, maintain and trouble-shoot Windows networking
was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly
well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking
installations. We were concerned that, given the large volume of documentation, the challenge to maintain
it and keep it current might prove difficult.
</para>
<para>
This second edition of the book, <quote>Samba-3 by Example</quote> barely one year following the release
of the first edition has removed all concerns and is proof that open-source solutions are a compelling choice.
This second edition of the book, <quote>Samba-3 by Example</quote>, barely one year following the release
of the first edition, has removed all concerns and is proof that open-source solutions are a compelling choice.
The first edition was released shortly following the release of Samba version 3.0 itself, and has become
the authoritative instrument for training and for guiding deployment.
</para>
<para>
I am personally aware how much effort has gone into this second edition. John Terpstra has worked with
I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with
government bodies and with large organizations that have deployed Samba-3 since it was released. He also
worked to ensure that this book gained community following. He asked those who have worked at the coal-face
worked to ensure that this book gained community following. He asked those who have worked at the coalface
of large and small organizations alike, to contribute their experiences. He has captured that in this book
and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people
who use Samba.
@ -77,7 +77,7 @@ who use Samba.
This book is the first source you should turn to before you deploy Samba and as you are mastering its
deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has
reached maturity that is demonstrated by reiteration that every step in deployment must be validated.
This book makes it easy to succeed, and difficulty to fail to gain a stable network environment.
This book makes it easy to succeed, and difficult to fail, to gain a stable network environment.
</para>
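Review bot: "easy to succeed, and difficult to fail, to gain a stable network environment" is still awkward after the added commas, because "to fail to gain" and "to succeed to gain" do not parallel well. Suggest "makes it easy to succeed, and difficult to fail, in gaining a stable network environment", or simply "makes it easy to gain a stable network environment".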
<para>

View File

@ -4,32 +4,41 @@
<title>About the Cover Artwork</title>
<para>
The cover artwork of this book continues a theme chosen for the book,
<emphasis>The Official Samba-3 HOWTO and Reference Guide,</emphasis>
the cover of which features a Confederate scene. Samba has had a major
impact on the network deployment of Microsoft Windows desktop systems.
The cover artwork of the two official Samba books tells of events that
likewise had a major impact on the future.
The cover artwork of this book continues the freedom theme of the first
edition of <quote>Samba-3 by Example</quote>. The history of civilization
demonstrates the fragile nature of freedom. It can be lost in a moment,
and once lost, the cost of recovering liberty can be incredible. The last
edition cover featured Alfred the Great who liberated England from the
constant assault of Vikings and Norsemen. Events in England that
that finally liberated the common people came about in small steps, but
the result should not be under-estimated. Today, as always, freedom and
liberty are seldom appreciated until they are lost. If we can not quantify
what is the value of freedom, we shall be little motivated to protect it.
</para>
<para>
<emphasis>Samba-3 by Example Cover Artwork:</emphasis> King Alfred the Great
(born 849, ruled 871-899) was one of the most amazing kings ever to
rule England. He defended Anglo-Saxon England from Viking raids, formulated
a code of laws, and fostered a rebirth of religious and scholarly activity.
His reign exhibits military skill and innovation, sound governance and the
ability to inspire men to plan for the future. Alfred liberated England
at a time when all resistence seemed futile.
<emphasis>Samba-3 by Example Cover Artwork:</emphasis> The British houses
of parliament are a symbol of the Westminster system of government. This form
of government permits the people to govern themselves at the lowest level, yet
it provides for courts of appeal that are designed to protect freedom and to
hold back all forces of tyranny. The clock is a pertinent symbol of the
importance of time and place.
</para>
<para>
Samba is a network interoperability solution that provides real choice for network
administrators. It is an adjunct to Microsoft Windows networks that provides
interoperability of UNIX systems with Microsoft Windows desktop and server systems.
You may use Samba to realize the freedom it provides for your network environment
thanks to a dedicated team who work behind the scenes to give you a better choice.
The efforts of these few dedicated developers continues to shape the future of
the Windows interoperability landscape. Enjoy!
The information technology industry is being challenged by the imposition of
new laws, hostile litigation, and the imposition of significant constraint
of practice that threatens to remove the freedom to develop and deploy open
source software solutions. Samba is a software solution that epitomizes freedom
of choice in network interoperability for Microsoft Windows clients.
</para>
<para>
I hope you will take the time needed to deploy it well, and that you may realize
the greatest benefits may be obtained. You are free to use it in ways never
considered, but in doing so there may be some obstacles. Every obstacle that is
overcome adds to the freedom you can enjoy. Use Samba well, and it will serve
you well.
</para>
</preface>
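Review bot: the added first paragraph repeats a word across a line break, "Events in England that / that finally liberated the common people"; drop one "that". Elsewhere in the added text: "If we can not quantify" should be "If we cannot quantify", "under-estimated" is normally "underestimated", "The British houses of parliament" should be capitalized "Houses of Parliament", the phrase "the imposition of new laws, hostile litigation, and the imposition of significant constraint of practice" repeats "imposition" (suggest "the imposition of new laws, hostile litigation, and significant constraints of practice"), and the closing "that you may realize the greatest benefits may be obtained" should read either "that you may realize the greatest benefits" or "that the greatest benefits may be obtained".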