mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
parent
789fda4de0
commit
2757cde29e
@ -642,10 +642,10 @@ root = Administrator
|
||||
<indexterm><primary>/etc/mime.convs</primary></indexterm>
|
||||
<indexterm><primary>application/octet-stream</primary></indexterm>
|
||||
This step, as well as the next one, may be omitted where CUPS version 1.1.18
|
||||
or later is in use. Although it does no harm to follow it anyhow, and may
|
||||
help to avoid later time spent trying to figure out why print jobs may be
|
||||
disappearing without trace. Look at these two steps as <emphasis>insurance</emphasis>
|
||||
against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to
|
||||
or later is in use. Although it does no harm to follow it anyway, and may
|
||||
help to avoid time spent later trying to figure out why print jobs may be
|
||||
disappearing without a trace. Look at these two steps as <emphasis>insurance</emphasis>
|
||||
against lost time. Edit file <filename>/etc/cups/mime.convs</filename> to
|
||||
uncomment the line:
|
||||
<screen>
|
||||
application/octet-stream application/vnd.cups-raw 0 -
|
||||
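Review bot: The reworded sentence starting "Although it does no harm to follow it anyway" is still a fragment with no main clause; since the line is being touched, join it to the preceding sentence or drop "Although". Separately, the context indexterm reads /etc/mime.convs while the body text names /etc/cups/mime.convs, so the index entry should be made to match.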
@ -694,7 +694,7 @@ application/octet-stream
|
||||
<para>
|
||||
There are some steps that apply to particular server functionality only. Each step is critical
|
||||
to correct server operation. The following step-by-step installation guidance will assist you
|
||||
to work through the process of configuring the PDC and then both BDC's.
|
||||
in working through the process of configuring the PDC and then both BDC's.
|
||||
</para>
|
||||
|
||||
<sect3>
|
||||
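Review bot: The replacement line keeps the apostrophe in "both BDC's", while the next hunk of this same commit changes "BDC's" to "BDCs"; use "BDCs" here as well so the plural is consistent across the chapter.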
@ -893,7 +893,7 @@ Added user <parameter>username</parameter>.
|
||||
<title>Configuration Specific to Domain Member Servers: <constant>BLDG1, BLDG2</constant></title>
|
||||
|
||||
<para>
|
||||
The following steps will guide you trough the nuances of imlplementing BDC's for the broadcast
|
||||
The following steps will guide you through the nuances of implementing BDCs for the broadcast
|
||||
isolated network segments. Remember that if the target installation platform is not Linux, it may
|
||||
be necessary to adapt some commands to the equivalent on the target platform.
|
||||
</para>
|
||||
|
@ -113,7 +113,7 @@
|
||||
<indexterm><primary>accounts</primary><secondary>authoritative</secondary></indexterm>
|
||||
<indexterm><primary>PDC</primary></indexterm>
|
||||
<indexterm><primary>BDC</primary></indexterm>
|
||||
A domain controller (PDC or BDC) is always authoritative for all accounts in its Domain.
|
||||
A domain controller (PDC or BDC) is always authoritative for all accounts in its domain.
|
||||
This means that a BDC must (of necessity) be able to resolve all account UIDs and GIDs
|
||||
to the same values that the PDC resolved them to.
|
||||
</para></listitem>
|
||||
@ -190,41 +190,32 @@
|
||||
casual user.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para><indexterm>
|
||||
<primary>winbind enable local accounts</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>servers</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain Controllers</primary>
|
||||
</indexterm>
|
||||
<listitem><para>
|
||||
<indexterm><primary>winbind trusted domains only</primary></indexterm>
|
||||
<indexterm><primary>domain member</primary><secondary>servers</secondary></indexterm>
|
||||
<indexterm><primary>domain controllers</primary></indexterm>
|
||||
If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable
|
||||
of being resolved using) the NSS facility, it is imperative to use the
|
||||
<smbconfoption name="winbind enable local accounts">Yes</smbconfoption>
|
||||
in the &smb.conf; file. This parameter specifically applies only to domain controllers,
|
||||
not to domain member servers.
|
||||
of being resolved using) the NSS facility, it is possible to use the
|
||||
<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
|
||||
in the &smb.conf; file. This parameter specifically applies to domain controllers,
|
||||
and to domain member servers.
|
||||
</para></listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Posix accounts</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Samba accounts</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>LDAP</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Posix accounts</primary></indexterm>
|
||||
<indexterm><primary>Samba accounts</primary></indexterm>
|
||||
<indexterm><primary>LDAP</primary></indexterm>
|
||||
For many administrators, it should be plain that the use of an LDAP-based repository for all network
|
||||
accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and
|
||||
controllable facility. You eventually appreciate the decision to use LDAP.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>nss_ldap</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>identifiers</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>resolve</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>nss_ldap</primary></indexterm>
|
||||
<indexterm><primary>identifiers</primary></indexterm>
|
||||
<indexterm><primary>resolve</primary></indexterm>
|
||||
If your network account information resides in an LDAP repository, you should use it ahead of any
|
||||
alternative method. This means that if it is humanly possible to use the <command>nss_ldap</command>
|
||||
tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides
|
||||
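Review bot: The rewritten list item swaps winbind enable local accounts for winbind trusted domains only and "imperative" for "possible", but it does not say what enabling the parameter costs. A later paragraph in this file states that it "disables the use of Samba with trusted domains (i.e., external domains)"; mention or cross-reference that here so the reader does not enable it blindly. "This parameter specifically applies to domain controllers, and to domain member servers" also reads oddly now that it covers both roles: drop "specifically" and the comma.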
@ -232,20 +223,13 @@
|
||||
throughout the network.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>server</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbind trusted domains only</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>getpwnam</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>smbd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Trusted Domains</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>External Domains</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
|
||||
<indexterm><primary>winbind trusted domains only</primary></indexterm>
|
||||
<indexterm><primary>getpwnam</primary></indexterm>
|
||||
<indexterm><primary>smbd</primary></indexterm>
|
||||
<indexterm><primary>Trusted Domains</primary></indexterm>
|
||||
<indexterm><primary>External Domains</primary></indexterm>
|
||||
In the situation where UNIX accounts are held on the domain member server itself, the only effective
|
||||
way to use them involves the &smb.conf; entry
|
||||
<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>. This forces
|
||||
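Review bot: The collapsed indexterm entries in this hunk keep "Domain Member", "Trusted Domains" and "External Domains" capitalised, while the previous hunk lowercases the same kind of entry to "domain member" and "domain controllers". Pick one form for the whole file, otherwise the generated index may end up with the same term under two spellings.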
@ -254,17 +238,12 @@
|
||||
disables the use of Samba with trusted domains (i.e., external domains).
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>appliance mode</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>server</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbindd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>automatically allocate</primary>
|
||||
</indexterm>
|
||||
Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
|
||||
<para>
|
||||
<indexterm><primary>appliance mode</primary></indexterm>
|
||||
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
<indexterm><primary>automatically allocate</primary></indexterm>
|
||||
Winbind can be used to create an appliance mode domain member server. In this capacity, <command>winbindd</command>
|
||||
is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation
|
||||
is made for all accounts that connect to that domain member server, whether within its own domain or from
|
||||
trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database.
|
||||
@ -273,9 +252,8 @@
|
||||
is stored in the <filename>winbindd_idmap.tdb</filename> and <filename>winbindd_cache.tdb</filename> files.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>mapping</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>mapping</primary></indexterm>
|
||||
The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs
|
||||
mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member
|
||||
servers so configured. This solves one of the major headaches for network administrators who need to copy
|
||||
@ -287,16 +265,11 @@
|
||||
<sect2>
|
||||
<title>Political Issues</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>OpenLDAP</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NIS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>yellow pages</primary>
|
||||
<see>NIS</see>
|
||||
</indexterm><indexterm>
|
||||
<primary>identity management</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>OpenLDAP</primary></indexterm>
|
||||
<indexterm><primary>NIS</primary></indexterm>
|
||||
<indexterm><primary>yellow pages</primary><see>NIS</see></indexterm>
|
||||
<indexterm><primary>identity management</primary></indexterm>
|
||||
One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in
|
||||
particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP
|
||||
is different and requires a new approach to the need for a better identity management solution. The more
|
||||
@ -311,11 +284,9 @@
|
||||
commercial integration products. But it's not what Active Directory was designed for.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>directory</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>management</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>directory</primary></indexterm>
|
||||
<indexterm><primary>management</primary></indexterm>
|
||||
A number of long-term UNIX devotees have recently commented in various communications that the Samba Team
|
||||
is the first application group to almost force network administrators to use LDAP. It should be pointed
|
||||
out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has
|
||||
@ -330,25 +301,18 @@
|
||||
<sect1>
|
||||
<title>Implementation</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>server</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>client</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain Controller</primary>
|
||||
</indexterm>
|
||||
The domain Member server and the domain member client are at the center of focus in this chapter.
|
||||
<para>
|
||||
<indexterm><primary>Domain Member</primary><secondary>server</secondary></indexterm>
|
||||
<indexterm><primary>Domain Member</primary><secondary>client</secondary></indexterm>
|
||||
<indexterm><primary>Domain Controller</primary></indexterm>
|
||||
The domain member server and the domain member client are at the center of focus in this chapter.
|
||||
Configuration of Samba-3 domain controller is covered in earlier chapters, so if your
|
||||
interest is in domain controller configuration, you will not find that here. You will find good
|
||||
oil that helps you to add domain member servers and clients.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Domain Member</primary>
|
||||
<secondary>workstations</secondary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Domain Member</primary><secondary>workstations</secondary></indexterm>
|
||||
In practice, domain member servers and domain member workstations are very different entities, but in
|
||||
terms of technology they share similar core infrastructure. A technologist would argue that servers
|
||||
and workstations are identical. Many users would argue otherwise, given that in a well-disciplined
|
||||
@ -357,22 +321,18 @@
|
||||
but a server is viewed as a core component of the business.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>workstation</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>workstation</primary></indexterm>
|
||||
We can look at this another way. If a workstation breaks down, one user is affected, but if a
|
||||
server breaks down, hundreds of users may not be able to work. The services that a workstation
|
||||
must provide are document- and file-production oriented; a server provides information storage
|
||||
and is distribution oriented.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>authentication process</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>logon process</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>user identities</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>authentication process</primary></indexterm>
|
||||
<indexterm><primary>logon process</primary></indexterm>
|
||||
<indexterm><primary>user identities</primary></indexterm>
|
||||
<emphasis>Why is this important?</emphasis> For starters, we must identify what
|
||||
components of the operating system and its environment must be configured. Also, it is necessary
|
||||
to recognize where the interdependencies between the various services to be used are.
|
||||
@ -388,52 +348,52 @@
|
||||
</para>
|
||||
|
||||
<sect2 id="sdcsdmldap">
|
||||
<title>Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP</title>
|
||||
<title>Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP</title>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>ldapsam</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ldapsam backend</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>IDMAP</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>mapping</primary>
|
||||
<secondary>consistent</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbindd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>foreign SID</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>ldapsam</primary></indexterm>
|
||||
<indexterm><primary>ldapsam backend</primary></indexterm>
|
||||
<indexterm><primary>IDMAP</primary></indexterm>
|
||||
<indexterm><primary>mapping</primary><secondary>consistent</secondary></indexterm>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
<indexterm><primary>foreign SID</primary></indexterm>
|
||||
In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using
|
||||
an LDAP ldapsam backend. We are adding to the LDAP backend database (directory)
|
||||
containers for use by the IDMAP facility. This makes it possible to have globally consistent
|
||||
mapping of SIDs to and from UIDs and GIDs. This means that you are running <command>winbindd</command>
|
||||
as part of your configuration. The primary purpose of running <command>winbindd</command> (within
|
||||
this operational context) is to permit mapping of foreign SIDs (those not originating from our
|
||||
own domain). Foreign SIDs can come from any external domain or from Windows clients that do not
|
||||
belong to a domain.
|
||||
mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run
|
||||
<command>winbindd</command> as part of your configuration. The primary purpose of running
|
||||
<command>winbindd</command> (within this operational context) is to permit mapping of foreign
|
||||
SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any
|
||||
domain member client or server, or from Windows clients that do not belong to a domain. Another
|
||||
way to explain the necessity to run <command>winbindd</command> is that Samba can locally
|
||||
resolve only accounts that belong to the security context of its own machine SID. Winbind
|
||||
handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated
|
||||
from the parameter values set in the &smb.conf; file for the <parameter>idmap uid</parameter> and
|
||||
<parameter>idmap gid</parameter> ranges. Where LDAP is used, the mappings can be stored in LDAP
|
||||
so that all domain member servers can use a consistent mapping.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>winbindd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>getpwnam</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>NSS</primary>
|
||||
</indexterm>
|
||||
If your installation is accessed only from clients that are members of your own domain, then
|
||||
it is not necessary to run <command>winbindd</command> as long as all users can be resolved
|
||||
locally via the <command>getpwnam()</command> system call. On NSS-enabled systems, this condition
|
||||
is met by having
|
||||
<para>
|
||||
<indexterm><primary>winbindd</primary></indexterm>
|
||||
<indexterm><primary>getpwnam</primary></indexterm>
|
||||
<indexterm><primary>NSS</primary></indexterm>
|
||||
If your installation is accessed only from clients that are members of your own domain, and all
|
||||
user accounts are present in a local passdb backend then it is not necessary to run
|
||||
<command>winbindd</command>. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It is possible to use a local passdb backend with any convenient means of resolving the POSIX
|
||||
user and group account information. The POSIX information is usually obtained using the
|
||||
<command>getpwnam()</command> system call. On NSS-enabled systems, the actual POSIX account
|
||||
source can be provided from
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para><indexterm>
|
||||
<primary>/etc/passwd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>/etc/group</primary>
|
||||
</indexterm>
|
||||
All accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
|
||||
<listitem><para>
|
||||
<indexterm><primary>/etc/passwd</primary></indexterm>
|
||||
<indexterm><primary>/etc/group</primary></indexterm>
|
||||
Accounts in <filename>/etc/passwd</filename> or in <filename>/etc/group</filename>.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
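Review bot: The added text has a doubled word in "those not originating from the the local Samba server". In the next new paragraph, "present in a local passdb backend then it is not necessary" needs a comma before "then", and the getpwnam and NSS indexterms now sit in a paragraph that no longer mentions either; they belong with the following paragraph, which is where getpwnam() is introduced.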
@ -455,6 +415,12 @@
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<note><para>
|
||||
To advoid confusion the use of the term <literal>local passdb backend</literal> means that
|
||||
the user account backend is not shared by any other Samba server &smbmdash; instead, it is
|
||||
used only locally on the Samba domain member server under discussion.
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
<indexterm><primary>Identity resolution</primary></indexterm>
|
||||
The diagram in <link linkend="ch9-sambadc"/> demonstrates the relationship of Samba and system
|
||||
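Review bot: Typo in the new note: "To advoid confusion" should be "To avoid confusion", followed by a comma. The note defines "local passdb backend" only after the term has already been used twice in the paragraphs above the list, so consider moving it ahead of that first use.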
@ -467,11 +433,9 @@
|
||||
<imagefile scale="60">chap9-SambaDC</imagefile>
|
||||
</figure>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>IDMAP</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>foreign</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>IDMAP</primary></indexterm>
|
||||
<indexterm><primary>foreign</primary></indexterm>
|
||||
In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam
|
||||
to obtain authentication and user identity information. The IDMAP information is stored in the LDAP
|
||||
backend so that it can be shared by all domain member servers so that every user will have a
|
||||
@ -487,25 +451,30 @@
|
||||
</para>
|
||||
|
||||
<procedure>
|
||||
<title>Configuration of LDAP-Based Identity Resolution</title>
|
||||
<title>Configuration of NSS_LDAP-Based Identity Resolution</title>
|
||||
|
||||
<step><para>
|
||||
Create the &smb.conf; file as shown in <link linkend="ch9-sdmsdc"/>. Locate
|
||||
this file in the directory <filename>/etc/samba</filename>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>ldap.conf</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>ldap.conf</primary></indexterm>
|
||||
Configure the file that will be used by <constant>nss_ldap</constant> to
|
||||
locate and communicate with the LDAP server. This file is called <filename>ldap.conf</filename>.
|
||||
If your implementation of <constant>nss_ldap</constant> is consistent with
|
||||
the defaults suggested by PADL (the authors), it will be located in the
|
||||
<filename>/etc</filename> directory. On some systems, the default location is
|
||||
the <filename>/etc/openldap</filename> directory. Change the parameters inside
|
||||
the file that is located on your OS so it matches <link linkend="ch9-sdmlcnf"/>.
|
||||
To find the correct location of this file, you can obtain this from the
|
||||
library that will be used by executing the following:
|
||||
the <filename>/etc/openldap</filename> directory, however this file is intended
|
||||
for use by the OpenLDAP utilities and should not really be used by the nss_ldap
|
||||
utility since its content and structure serves the specific purpose of enabling
|
||||
the resolution of user and group IDs via NSS.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Change the parameters inside the file that is located on your OS so it matches
|
||||
<link linkend="ch9-sdmlcnf"/>. To find the correct location of this file, you
|
||||
can obtain this from the library that will be used by executing the following:
|
||||
<screen>
|
||||
&rootprompt; strings /lib/libnss_ldap* | grep ldap.conf
|
||||
/etc/ldap.conf
|
||||
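Review bot: In the added sentence about /etc/openldap, "its content and structure serves the specific purpose of enabling the resolution of user and group IDs via NSS" has an unclear antecedent: it reads as if the OpenLDAP file serves NSS, which contradicts the first half of the sentence. State explicitly that the nss_ldap ldap.conf is a separate file with its own purpose, change "serves" to "serve", put a semicolon before "however", and mark up nss_ldap with <constant> as the earlier lines of this step do.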
@ -513,15 +482,13 @@
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Configure the NSS control file so it matches the one shown
|
||||
in <link linkend="ch9-sdmnss"/>.
|
||||
Configure the NSS control file so it matches the one shown in
|
||||
<link linkend="ch9-sdmnss"/>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>Identity resolution</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>getent</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>Identity resolution</primary></indexterm>
|
||||
<indexterm><primary>getent</primary></indexterm>
|
||||
Before proceeding to configure Samba, validate the operation of the NSS identity
|
||||
resolution via LDAP by executing:
|
||||
<screen>
|
||||
@ -556,24 +523,21 @@ Finances:x:1001:
|
||||
PIOps:x:1002:
|
||||
sammy:x:4321:
|
||||
</screen>
|
||||
<indexterm>
|
||||
<primary>secondary group</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>primary group</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>group membership</primary>
|
||||
</indexterm>
|
||||
<indexterm><primary>secondary group</primary></indexterm>
|
||||
<indexterm><primary>primary group</primary></indexterm>
|
||||
<indexterm><primary>group membership</primary></indexterm>
|
||||
This shows that all is working as it should be. Notice that in the LDAP database
|
||||
the users' primary and secondary group memberships are identical. It is not
|
||||
necessary to add secondary group memberships (in the group database) if the
|
||||
user is already a member via primary group membership in the password database.
|
||||
When using winbind, it is in fact undesirable to do this because it results in
|
||||
doubling up of group memberships and may break winbind under certain conditions.
|
||||
doubling up of group memberships and may cause problems with winbind under certain
|
||||
conditions. It is intended that these limitations with winbind will be resolved soon
|
||||
after Samba-3.0.20 has been released.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>slapcat</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>slapcat</primary></indexterm>
|
||||
The LDAP directory must have a container object for IDMAP data. There are several ways you can
|
||||
check that your LDAP database is able to receive IDMAP information. One of the simplest is to
|
||||
execute:
|
||||
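Review bot: The new closing sentence, "It is intended that these limitations with winbind will be resolved soon after Samba-3.0.20 has been released", is a forward-looking promise tied to a release number and will go stale in the published guide. Describe the current behaviour only (duplicated memberships may cause problems with winbind) and leave the roadmap to the release notes.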
@ -582,25 +546,28 @@ sammy:x:4321:
|
||||
dn: ou=Idmap,dc=abmas,dc=biz
|
||||
ou: idmap
|
||||
</screen>
|
||||
<indexterm>
|
||||
<primary>ldapadd</primary>
|
||||
</indexterm>
|
||||
If the execution of this command does not return IDMAP entries, you need to create an LDIF
|
||||
template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using the following command:
|
||||
<indexterm><primary>ldapadd</primary></indexterm>
|
||||
If the execution of this command does not return IDMAP entries, you need to create an LDIF
|
||||
template file (see <link linkend="ch9-ldifadd"/>). You can add the required entries using
|
||||
the following command:
|
||||
<screen>
|
||||
&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
|
||||
-w not24get < /etc/openldap/idmap.LDIF
|
||||
</screen>
|
||||
Samba automatically populates this LDAP directory container when it needs to.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>net</primary>
|
||||
<secondary>rpc</secondary>
|
||||
<tertiary>join</tertiary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Domain join</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
Samba automatically populates the LDAP directory container when it needs to. To permit Samba
|
||||
write access to the LDAP directory it is necessary to set the LDAP administrative password
|
||||
in the <filename>secrets.tdb</filename> file as shown here:
|
||||
<screen>
|
||||
&rootprompt; smbpasswd -w not24get
|
||||
</screen>
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
|
||||
<indexterm><primary>Domain join</primary></indexterm>
|
||||
The system is ready to join the domain. Execute the following:
|
||||
<screen>
|
||||
&rootprompt; net rpc join -U root%not24get
|
||||
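Review bot: The new step runs smbpasswd -w not24get without saying which LDAP account the password belongs to; presumably it is the cn=Manager DN passed to ldapadd in the step above, and the text should say so. It should also point out that secrets.tdb then holds the LDAP administrative password, so the file must stay readable by root only, and that typing the password as a command argument leaves it in the shell history.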
@ -632,9 +599,9 @@ Joined domain MEGANET2.
|
||||
<indexterm><primary>failed join</primary></indexterm>
|
||||
<indexterm><primary>rejected</primary></indexterm>
|
||||
<indexterm><primary>restrict anonymous</primary></indexterm>
|
||||
Note: Use "root" for UNIX/Linux and Samba, use "Administrator"for Windows NT4/200X. If the cause of
|
||||
Note: Use "root" for UNIX/Linux and Samba, use "Administrator" for Windows NT4/200X. If the cause of
|
||||
the failure appears to be related to a rejected or failed NT_SESSION_SETUP* or an error message that
|
||||
says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
|
||||
says NT_STATUS_ACCESS_DENIED immediately check the Windows registry setting that controls the
|
||||
<constant>restrict anonymous</constant> setting. Set this to the value 0 so that an anonymous connection
|
||||
can be sustained, then try again.
|
||||
</para>
|
||||
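Review bot: The note still tells the reader to set restrict anonymous to 0 without saying that this loosens anonymous access on the Windows server; since the paragraph is being edited anyway, add whether the value can be restored once the join has succeeded. The line "says NT_STATUS_ACCESS_DENIED immediately check" is touched by this change but still lacks the comma after the status code.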
@ -665,12 +632,12 @@ Join to 'MEGANET2' failed.
|
||||
<step><para>
|
||||
<indexterm><primary>wbinfo</primary></indexterm>
|
||||
Just joining the domain is not quite enough; you must now provide a privileged set
|
||||
of credentials through which <command>winbindd</command> can interact with the ADS
|
||||
of credentials through which <command>winbindd</command> can interact with the
|
||||
domain servers. Execute the following to implant the necessary credentials:
|
||||
<screen>
|
||||
&rootprompt; wbinfo --set-auth-user=Administrator%not24get
|
||||
</screen>
|
||||
The configuration is now ready to obtain ADS domain user and group information.
|
||||
The configuration is now ready to obtain the Samba domain user and group information.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
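Review bot: The prose now speaks of "the domain servers" and "the Samba domain user and group information", but the example still runs wbinfo --set-auth-user=Administrator%not24get. The join step earlier in this procedure uses root%not24get and its note says to use "root" for Samba and "Administrator" for Windows NT4/200X, so either change the example to root or state which account applies to which kind of domain.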
@ -786,7 +753,7 @@ aliases: files
|
||||
</sect2>
|
||||
|
||||
<sect2 id="wdcsdm">
|
||||
<title>NT4/Samba Domain with Samba Domain Member Server: Using Winbind</title>
|
||||
<title>NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind</title>
|
||||
|
||||
<para>
|
||||
You need to use this method for creating a Samba domain member server if any of the following conditions
|
||||
@ -803,32 +770,27 @@ aliases: files
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The Samba domain member server must be part of a Windows NT4 Domain.
|
||||
The Samba domain member server must be part of a Windows NT4 Domain, or a Samba Domain.
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>Windows ADS Domain</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>Samba Domain</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>LDAP</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>Windows ADS Domain</primary></indexterm>
|
||||
<indexterm><primary>Samba Domain</primary></indexterm>
|
||||
<indexterm><primary>LDAP</primary></indexterm>
|
||||
Later in the chapter, you can see how to configure a Samba domain member server for a Windows ADS domain.
|
||||
Right now your objective is to configure a Samba server that can be a member of a Windows NT4-style
|
||||
domain and/or does not use LDAP.
|
||||
</para>
|
||||
|
||||
<note><para><indexterm>
|
||||
<primary>duplicate accounts</primary>
|
||||
</indexterm>
|
||||
<note><para>
|
||||
<indexterm><primary>duplicate accounts</primary></indexterm>
|
||||
If you use <command>winbind</command> for identity resolution, make sure that there are no
|
||||
duplicate accounts.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>/etc/passwd</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>/etc/passwd</primary></indexterm>
|
||||
For example, do not have more than one account that has UID=0 in the password database. If there
|
||||
is an account called <constant>root</constant> in the <filename>/etc/passwd</filename> database,
|
||||
it is okay to have an account called <constant>root</constant> in the LDAP ldapsam or in the
|
||||
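Review bot: The new list item reads "a Windows NT4 Domain, or a Samba Domain" with a capital "Domain", while an earlier hunk of this commit lowercases "Domain" to "domain" in running text. Use "a Windows NT4 domain or a Samba domain" and drop the comma.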
@ -837,29 +799,20 @@ aliases: files
|
||||
<constant>root</constant>.
|
||||
</para>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>/etc/passwd</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>ldapsam</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>tdbsam</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>/etc/passwd</primary></indexterm>
|
||||
<indexterm><primary>ldapsam</primary></indexterm>
|
||||
<indexterm><primary>tdbsam</primary></indexterm>
|
||||
Winbind will break if there is an account in <filename>/etc/passwd</filename> that has
|
||||
the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only.
|
||||
</para></note>
|
||||
|
||||
<para><indexterm>
|
||||
<primary>credentials</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>traverse</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>wide-area</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>network</primary>
|
||||
<secondary>wide-area</secondary>
|
||||
</indexterm><indexterm>
|
||||
<primary>tdbdump</primary>
|
||||
</indexterm>
|
||||
<para>
|
||||
<indexterm><primary>credentials</primary></indexterm>
|
||||
<indexterm><primary>traverse</primary></indexterm>
|
||||
<indexterm><primary>wide-area</primary></indexterm>
|
||||
<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
|
||||
<indexterm><primary>tdbdump</primary></indexterm>
|
||||
The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials.
|
||||
The winbind information is locally cached in the <filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>
|
||||
files. This provides considerable performance benefits compared with the LDAP solution, particularly
|
||||
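Review bot: The context line `<filename>winbindd_cache.tdb winbindd_idmap.tdb</filename>` in this hunk still wraps two file names in one element, while a later hunk in this same commit splits `<filename>/etc/passwd, /etc/shadow</filename>` into separate elements. Since the paragraph is being reworked anyway, split it into `<filename>winbindd_cache.tdb</filename> and <filename>winbindd_idmap.tdb</filename>` so both names are marked up consistently.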
@ -876,32 +829,26 @@ aliases: files
|
||||
shown in <link linkend="ch0-NT4DSDM"/>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>/etc/nsswitch.conf</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
|
||||
Edit the <filename>/etc/nsswitch.conf</filename> so it has the entries shown in
|
||||
<link linkend="ch9-sdmnss"/>.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>net</primary>
|
||||
<secondary>rpc</secondary>
|
||||
<tertiary>join</tertiary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>join</tertiary></indexterm>
|
||||
The system is ready to join the domain. Execute the following:
|
||||
<screen>
|
||||
net rpc join -U root%not2g4et
|
||||
Joined domain MEGANET2.
|
||||
</screen>
|
||||
This indicates that the domain join succeed.
|
||||
This indicates that the domain join succeed.
|
||||
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>wbinfo</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
<indexterm><primary>wbinfo</primary></indexterm>
|
||||
Validate operation of <command>winbind</command> using the <command>wbinfo</command>
|
||||
tool as follows:
|
||||
<screen>
|
||||
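Review bot: The rewritten line after the join `<screen>` still reads "This indicates that the domain join succeed."; the change appears to be whitespace only and the verb should be "succeeded". The same step shows `root%not2g4et`, whereas the later join example in this file uses `root%not24get`, so one of the two is a typo that readers will copy. The added blank line before `</para></step>` also looks unintentional.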
@ -929,13 +876,10 @@ MEGANET2+PIOps
|
||||
This shows that domain groups have been correctly obtained also.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>NSS</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>getent</primary>
|
||||
</indexterm><indexterm>
|
||||
<primary>winbind</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>NSS</primary></indexterm>
|
||||
<indexterm><primary>getent</primary></indexterm>
|
||||
<indexterm><primary>winbind</primary></indexterm>
|
||||
The next step verifies that NSS is able to obtain this information
|
||||
correctly from <command>winbind</command> also.
|
||||
<screen>
|
||||
@ -979,6 +923,7 @@ MEGANET2+PIOps:x:10005:
|
||||
<step><para>
|
||||
The Samba member server of a Windows NT4 domain is ready for use.
|
||||
</para></step>
|
||||
|
||||
</procedure>
|
||||
|
||||
<example id="ch0-NT4DSDM">
|
||||
@ -1063,7 +1008,7 @@ MEGANET2+PIOps:x:10005:
|
||||
net rpc join -U root%not24get
|
||||
Joined domain MEGANET2.
|
||||
</screen>
|
||||
This indicates that the domain join succeed.
|
||||
This indicates that the domain join succeed.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
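Review bot: The screen listing `net rpc join -U root%not24get` teaches readers to pass the root password as a command-line argument, where it is recorded in shell history and may be exposed to other local users. Since these join steps are being touched, consider showing `net rpc join -U root` and the resulting password prompt instead, or add a sentence saying the `%password` form is shown only for brevity.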
@ -1180,9 +1125,8 @@ Joined domain MEGANET2.
|
||||
<procedure>
|
||||
<title>Joining a Samba Server as an ADS Domain Member</title>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>smbd</primary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>smbd</primary></indexterm>
|
||||
Before you try to use Samba-3, you want to know for certain that your executables have
|
||||
support for Kerberos and for LDAP. Execute the following to identify whether or
|
||||
not this build is perhaps suitable for use:
|
||||
@ -1498,11 +1442,8 @@ Server time offset: 2
|
||||
In any case, the output we obtained confirms that all systems are operational.
|
||||
</para></step>
|
||||
|
||||
<step><para><indexterm>
|
||||
<primary>net</primary>
|
||||
<secondary>ads</secondary>
|
||||
<tertiary>status</tertiary>
|
||||
</indexterm>
|
||||
<step><para>
|
||||
<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>status</tertiary></indexterm>
|
||||
There is one more action you elect to take, just because you are paranoid and disbelieving,
|
||||
so you execute the following command:
|
||||
<programlisting>
|
||||
@ -1583,6 +1524,7 @@ Permissions:
|
||||
called <constant>FRAN</constant> is able to communicate fully with the ADS
|
||||
domain controllers.
|
||||
</para></step>
|
||||
|
||||
</procedure>
|
||||
|
||||
|
||||
@ -2023,7 +1965,7 @@ ssl no
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Configure an LDAP server and initialize the directory with the top level entries needed by IDMAP
|
||||
Configure an LDAP server and initialize the directory with the top-level entries needed by IDMAP
|
||||
as shown in the following LDIF file:
|
||||
<screen>
|
||||
dn: dc=snowshow,dc=com
|
||||
@ -2237,8 +2179,8 @@ hosts: files wins
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The following guidelines are pertinent the deployment of winbind-based authentication
|
||||
and identity resolution with the express purpose of allowing users to log onto UNIX/Linux desktops
|
||||
The following guidelines are pertinent to the deployment of winbind-based authentication
|
||||
and identity resolution with the express purpose of allowing users to log on to UNIX/Linux desktops
|
||||
using Windows network domain user credentials (username and password).
|
||||
</para>
|
||||
|
||||
@ -2261,7 +2203,7 @@ hosts: files wins
|
||||
<indexterm><primary>PAM</primary></indexterm>
|
||||
<indexterm><primary>Identity resolution</primary></indexterm>
|
||||
<indexterm><primary>NSS</primary></indexterm>
|
||||
To permit users to log onto a Linux system using Windows network credentials, you need to
|
||||
To permit users to log on to a Linux system using Windows network credentials, you need to
|
||||
configure identity resolution (NSS) and PAM. This means that the basic steps include those
|
||||
outlined above with the addition of PAM configuration. Given that most workstations (desktop/client)
|
||||
usually do not need to provide file and print services to a group of users, the configuration
|
||||
@ -2443,7 +2385,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
|
||||
The addition of UNIX/Linux Samba servers and clients is a common requirement. In this chapter, you
|
||||
learned how to integrate such servers so that the UID/GID mappings they use can be consistent
|
||||
across all domain member servers. You also discovered how to implement the ability to use Samba
|
||||
or Windows domain account credentials to log onto a UNIX/Linux client.
|
||||
or Windows domain account credentials to log on to a UNIX/Linux client.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -2624,7 +2566,7 @@ session sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
|
||||
<question>
|
||||
|
||||
<para>
|
||||
Are you suggesting that users should not log onto a domain member server? If so, why?
|
||||
Are you suggesting that users should not log on to a domain member server? If so, why?
|
||||
</para>
|
||||
|
||||
</question>
|
||||
|
@ -1224,10 +1224,10 @@ to LAM using only SSL.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The next major release, LAM 0.5, will have less restrictions and support the latest Samba features
|
||||
(e.g. logon hours). The new plugin based architecture also allows to manage much more different
|
||||
account types like plain Unix accounts. The upload can now handle groups and hosts, too. Another
|
||||
important point is the tree view which allows to browse and edit LDAP objects directly.
|
||||
The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
|
||||
(e.g., logon hours). The new plugin-based architecture also allows management of much more different
|
||||
account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
|
||||
important point is the tree view which allows browsing and editing LDAP objects directly.
|
||||
</para>
|
||||
|
||||
<example id="lamcfg">
|
||||
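Review bot: The new wording "allows management of much more different account types like plain UNIX accounts" is still awkward; "much more different" does not parse. Suggest "also allows management of many more account types, such as plain UNIX accounts". The paragraph also mixes tenses ("will have fewer restrictions" followed by "The upload can now handle"), which leaves it unclear whether LAM 0.5 is released or planned.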
@ -1419,7 +1419,7 @@ drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
|
||||
<title>Microsoft Access</title>
|
||||
|
||||
<para>
|
||||
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
|
||||
The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
|
||||
cover this area. Examples of relevant documents include:
|
||||
</para>
|
||||
|
||||
|
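Review bot: Changing "knowledge base" to "knowledgebase" moves away from the vendor's own name for the resource, which is the two-word "Microsoft Knowledge Base". Suggest reverting this line, or capitalizing it as "Microsoft Knowledge Base articles" so readers can search for it.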
@ -36,7 +36,7 @@
|
||||
With this acquisition comes new challenges for you and your team. Abmas Snack
|
||||
Foods is a well-developed business with a huge and heterogeneous network. It
|
||||
already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
|
||||
The network is mature and well established, and there is no question of its chosen
|
||||
The network is mature and well-established, and there is no question of its chosen
|
||||
user authentication scheme being changed for now. You need to take a wise new
|
||||
approach.
|
||||
</para>
|
||||
@ -792,7 +792,7 @@ group: files winbind
|
||||
</para></blockquote>
|
||||
|
||||
<para>
|
||||
You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
|
||||
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
|
||||
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
|
||||
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
|
||||
</para>
|
||||
|
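Review bot: The unchanged sentence "to permit all proxy operations to run out of memory" reads as memory exhaustion, the opposite of what is meant, and this hunk is the chance to fix it. Suggest "to run entirely from memory (RAM) without incurring the overhead of swapping to disk". The hyphen added in "well-advised" is also debatable, since the phrase follows the verb rather than preceding a noun.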
@ -253,10 +253,10 @@
|
||||
<indexterm><primary>DNS</primary><secondary>name lookup</secondary></indexterm>
|
||||
<indexterm><primary>resolve</primary></indexterm>
|
||||
A Samba server called <constant>FRED</constant> in a NetBIOS domain called <constant>COLLISION</constant>
|
||||
in a network environment that is part of the fully qualified Internet domain namespace known
|
||||
as <constant>parrots.com</constant> results in DNS name lookups for <constant>fred.parrots.com</constant>
|
||||
in a network environment that is part of the fully-qualified Internet domain namespace known
|
||||
as <constant>parrots.com</constant>, results in DNS name lookups for <constant>fred.parrots.com</constant>
|
||||
and <constant>collision.parrots.com</constant>. It is therefore a mistake to name the domain
|
||||
(workgroup) <constant>collision.parrots.com,</constant> since this results in DNS lookup
|
||||
(workgroup) <constant>collision.parrots.com</constant>, since this results in DNS lookup
|
||||
attempts to resolve <constant>fred.parrots.com.parrots.com</constant>, which most likely
|
||||
fails given that you probably do not have this in your DNS namespace.
|
||||
</para>
|
||||
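Review bot: The comma added after `<constant>parrots.com</constant>` now separates the subject ("A Samba server called FRED ...") from its verb "results"; either drop it or also set off the clause with a comma after `<constant>COLLISION</constant>`. While here, please confirm the example name in the last sentence: by the pattern of the preceding sentence, naming the workgroup `collision.parrots.com` would produce a lookup for `collision.parrots.com.parrots.com`, yet the text gives `fred.parrots.com.parrots.com`.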
@ -375,7 +375,7 @@
|
||||
</para>
|
||||
|
||||
<para>
|
||||
As the size of the &smb.conf; file grows, the risk of introduction of parsing errors increases also.
|
||||
As the size of the &smb.conf; file grows, the risk of introducing parsing errors also increases.
|
||||
It is recommended to keep a fully documented &smb.conf; file on hand, and then to operate Samba only
|
||||
with an optimized file.
|
||||
</para>
|
||||
@ -479,7 +479,7 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
<indexterm><primary>Domain Controller</primary></indexterm>
|
||||
As a general guide, instead of adding domain member servers to a network, you would be better advised
|
||||
to add BDCs until there are fewer than 30 Windows clients per BDC. Beyond that ratio, you should add
|
||||
domain member servers. This practice ensures that there is always sufficient domain controllers
|
||||
domain member servers. This practice ensures that there are always sufficient domain controllers
|
||||
to handle logon requests and authentication traffic.
|
||||
</para>
|
||||
|
||||
@ -617,33 +617,33 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.
|
||||
|
||||
<para>
|
||||
There exist applications that create or manage directories containing many thousands of files. Such
|
||||
applications typically generate many small files (less than 100 KB). At the best of times under UNIX
|
||||
listing of the files in a directory that contains many files is slow. By default Windows NT, 200x,
|
||||
applications typically generate many small files (less than 100 KB). At the best of times, under UNIX,
|
||||
listing of the files in a directory that contains many files is slow. By default, Windows NT, 200x,
|
||||
and XP Pro cause network file system directory lookups on a Samba server to be performed for both
|
||||
the case preserving file name as well as for the mangled (8.3) file name. This incurs a huge overhead
|
||||
on the Samba server that may slow down the system dramatically.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
In an extreme case the performance impact was dramatic. File transfer from the Samba server to a Windows
|
||||
In an extreme case, the performance impact was dramatic. File transfer from the Samba server to a Windows
|
||||
XP Professional workstation over 1 Gigabit Ethernet for 250-500 KB files was measured at approximately
|
||||
30 MB/sec. But when tranfering a directory containng 120,000 files, all from 50KB to 60KB in size, the
|
||||
30 MB/sec. But when tranferring a directory containing 120,000 files, all from 50KB to 60KB in size, the
|
||||
transfer rate to the same workstation was measured at approximately 1.5 KB/sec. The net transfer was
|
||||
of the order of a factor of 20-fold slower.
|
||||
on the order of a factor of 20-fold slower.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The symptoms that will be observed on the Samba server when a large directory is accessed will be that
|
||||
aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredably
|
||||
aggregate I/O (typically blocks read) will be relatively low, yet the wait I/O times will be incredibly
|
||||
long while at the same time the read queue is large. Close observation will show that the hard drive
|
||||
that the file system is on will be thrashing wildly.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba-3.0.12, and later, includes new code that radically improves Samba perfomance. The secret to this is
|
||||
Samba-3.0.12 and later, includes new code that radically improves Samba perfomance. The secret to this is
|
||||
really in the <smbconfoption name="case sensitive">True</smbconfoption> line. This tells smbd never to scan
|
||||
for case-insensitive versions of names. So if an application asks for a file called <filename>FOO</filename>,
|
||||
and it can not be found by a simple stat call, then smbd will return file not found immediately without
|
||||
and it can not be found by a simple stat call, then smbd will return "file not found" immediately without
|
||||
scanning the containing directory for a version of a different case.
|
||||
</para>
|
||||
|
||||
|
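Review bot: The corrected line still contains a misspelling, "tranferring" (should be "transferring"), and the rewritten Samba-3.0.12 line keeps "perfomance" while its relocated comma ("Samba-3.0.12 and later, includes") now splits the subject from the verb. The figures in the same paragraph also do not agree: 30 MB/sec against 1.5 KB/sec is a factor of about 20,000, not "20-fold", so one of the units is presumably wrong and should be checked against the original measurement. Minor: "50KB to 60KB" lacks the space used in "100 KB", and "can not" should be "cannot".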
@ -292,7 +292,7 @@
|
||||
<para>
|
||||
You agreed with Stan's recommendations and hired a consultant to help defuse the powder
|
||||
keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
|
||||
to support his or her claims, keep emotions to a side, and answer technically.
|
||||
to support his or her claims, keep emotions to the side, and answer technically.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
@ -464,7 +464,7 @@
|
||||
</indexterm>
|
||||
Windows network administrators may be dismayed to find that <command>winbind</command>
|
||||
exposes all domain users so that they may use their domain account credentials to
|
||||
log onto a UNIX/Linux system. The fact that all users in the domain can see the
|
||||
log on to a UNIX/Linux system. The fact that all users in the domain can see the
|
||||
UNIX/Linux server in their Network Neighborhood and can browse the shares on the
|
||||
server seems to excite them further.
|
||||
</para>
|
||||
@ -676,9 +676,9 @@
|
||||
</indexterm>
|
||||
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
|
||||
complete rewrite to permit extensive modularization and to prepare Samba for new
|
||||
functionality planned for addition during the next-generation series. The Samba Team
|
||||
functionality planned for addition during the next-generation series. The Samba Team
|
||||
is responsible and can be depended upon; the history to date suggests a high
|
||||
degree of dependability as well on charter development consistent with published
|
||||
degree of dependability and on charter development consistent with published
|
||||
roadmap projections.
|
||||
</para>
|
||||
|
||||
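Review bot: The replacement "a high degree of dependability and on charter development consistent with published roadmap projections" still does not parse; "and on charter development" has nothing to attach to. Suggest rewording the whole clause, for example "the history to date suggests a high degree of dependability, with development consistent with published roadmap projections". The first changed line in this hunk appears to differ only in whitespace.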
@ -877,7 +877,7 @@
|
||||
</indexterm>
|
||||
Kerberos is a network authentication protocol that provides secure authentication for
|
||||
client-server applications by using secret-key cryptography. Firewalls are an insufficient
|
||||
barrier mechanism in todays networking world; at best they only restrict incoming network
|
||||
barrier mechanism in today's networking world; at best they only restrict incoming network
|
||||
traffic but cannot prevent network traffic that comes from authorized locations from
|
||||
performing unauthorized activities.
|
||||
</para>
|
||||
@ -924,7 +924,7 @@
|
||||
</indexterm>
|
||||
Kerberos was, until recently, a technology that was restricted from being exported from the United States.
|
||||
For many years that hindered global adoption of more secure networking technologies both within the United States
|
||||
and abroad. A free an unencumbered implementation of MIT Kerberos has been produced in Europe
|
||||
and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
|
||||
and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
|
||||
In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
|
||||
It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
|
||||
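Review bot: The corrected sentence still says the implementation "is available from the University of Paderborn, Sweden", but Paderborn is in Germany, so the location is wrong as written and should be verified against the Heimdal project's own pages. The phrase "implementation of MIT Kerberos" is also misleading for Heimdal, which the next sentence names as a separate project; "implementation of Kerberos 5" would avoid implying it is a build of the MIT code.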
@ -966,7 +966,7 @@
|
||||
</indexterm>
|
||||
It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified
|
||||
fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability,
|
||||
particularly when Samba is being expected to emulate a Windows Server 200x domain controller. But the interoperability
|
||||
particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
|
||||
issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
|
||||
there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
|
||||
(DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
|
||||
@ -1027,7 +1027,7 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>account</primary>
|
||||
</indexterm>
|
||||
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
|
||||
From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
|
||||
account (on Samba domains, this is usually the account called <constant>root</constant>).
|
||||
</para></step>
|
||||
|
||||
@ -1142,7 +1142,7 @@
|
||||
</indexterm><indexterm>
|
||||
<primary>hierarchy of control</primary>
|
||||
</indexterm>
|
||||
It must be emphasized that the controls here discussed can act as a filter or give rights of passage
|
||||
It must be emphasized that the controls discussed here can act as a filter or give rights of passage
|
||||
that act as a superstructure over normal directory and file access controls. However, share-level
|
||||
ACLs act at a higher level than do share definition controls because the user must filter through the
|
||||
share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
|
||||
@ -1525,7 +1525,7 @@
|
||||
|
||||
<procedure>
|
||||
<step><para>
|
||||
From a Windows 200x/XP Professional workstation, log onto the domain using the Domain Administrator
|
||||
From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
|
||||
account (on Samba domains, this is usually the account called <constant>root</constant>).
|
||||
</para></step>
|
||||
|
||||
@ -1728,7 +1728,7 @@ other::r-x
|
||||
</indexterm><indexterm>
|
||||
<primary>inheritance</primary>
|
||||
</indexterm>
|
||||
It is highly recommend that you read the online manual page for the <command>setfacl</command>
|
||||
It is highly recommended that you read the online manual page for the <command>setfacl</command>
|
||||
and <command>getfacl</command> commands. This provides information regarding how to set/read the default
|
||||
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
|
||||
of setting <constant>inheritance</constant> properties.
|
||||
|
@ -2132,7 +2132,7 @@ Let's start configuring the smbldap-tools scripts ...
|
||||
|
||||
. workgroup name: name of the domain Samba act as a PDC
|
||||
workgroup name [MEGANET2] >
|
||||
. netbios name: netbios name of the samba controler
|
||||
. netbios name: netbios name of the samba controller
|
||||
netbios name [MASSIVE] >
|
||||
. logon drive: local path to which the home directory will
|
||||
be connected (for NT Workstations). Ex: 'H:'
|
||||
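Review bot: The "controler" to "controller" change is inside the captured output of the smbldap-tools `configure.pl` session, not in the book's prose. If the script really prints "controler", correcting it here makes the listing differ from what readers will see on screen; please confirm against the tool's output and leave transcripts verbatim unless the upstream message has changed.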
@ -3739,8 +3739,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
|
||||
</procedure>
|
||||
|
||||
<para>
|
||||
Before puching out new desktop images for the client workstations, it is perhaps a good idea that
|
||||
desktop behavior should be returned to the original Microsoft settings. The followin steps achieve
|
||||
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
|
||||
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
|
||||
that ojective:
|
||||
</para>
|
||||
|
||||
|
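Review bot: The line directly after the two corrected ones still reads "that ojective:" and should be "that objective:". Also check whether "punching out new desktop images" is the intended phrase; the original "puching" could equally have been a typo for "pushing out".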
@ -120,7 +120,7 @@
|
||||
Do not forget to validate the security descriptors in the profiles share as well as network logon
|
||||
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
|
||||
as a good time to update desktop systems also. In all, the extra effort should constitute no
|
||||
real disruption to users, but rather, with due diligence and care should make their network experience
|
||||
real disruption to users, but rather, with due diligence and care, should make their network experience
|
||||
a much happier one.
|
||||
</para>
|
||||
|
||||
@ -683,7 +683,7 @@ Storing SID S-1-5-21-1385457007-882775198-1210191635 \
|
||||
Install the Idealx <command>smbldap-tools</command> software package, following
|
||||
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
|
||||
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
|
||||
Change into that location, or whereever the scripts have been installed. Execute the
|
||||
Change into that location, or wherever the scripts have been installed. Execute the
|
||||
<filename>configure.pl</filename> script to configure the Idealx package for use.
|
||||
Note: Use the domain SID obtained from the step above. The following is
|
||||
an example configuration session:
|
||||
@ -1525,7 +1525,7 @@ Users Ordinary users
|
||||
<para>
|
||||
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
|
||||
UID of each account is taken together with the account information in the
|
||||
<filename>/etc/passwd,</filename> and both sets of data are used to create the account
|
||||
<filename>/etc/passwd</filename>, and both sets of data are used to create the account
|
||||
entry in the LDAP database.
|
||||
</para>
|
||||
|
||||
|
@ -29,7 +29,7 @@
|
||||
<indexterm><primary>migration</primary></indexterm>
|
||||
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
|
||||
years who surfaced on the Samba mailing list with a barrage of questions and who
|
||||
regularly now helps other administrators to solve thorny Samba migration questions.
|
||||
regularly helps other administrators to solve thorny Samba migration questions.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -52,7 +52,7 @@
|
||||
|
||||
<para>
|
||||
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
|
||||
server and onto a Samba-ased Windows file and print server. This chapter does not pretend
|
||||
server and onto a Samba-based Windows file and print server. This chapter does not pretend
|
||||
to document all the different methods that could be used to migrate user and group accounts
|
||||
off a NetWare server. Its focus is on migration of data files.
|
||||
</para>
|
||||
@ -232,7 +232,7 @@
|
||||
entering everything from the printed company directory. This used only the inetOrgPerson
|
||||
object class from the OpenLDAP schemas. The next step was to write a shell script that
|
||||
would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
|
||||
files on our mail server and create a LDIF file from which the information could be
|
||||
files on our mail server and create an LDIF file from which the information could be
|
||||
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
|
||||
and SMTP.
|
||||
</para>
|
||||
@ -971,7 +971,7 @@ The Idealx smbldap-tools package can be configured using a script called
|
||||
<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
|
||||
for an example of its use. Many administrators, like Misty, choose to do this manually
|
||||
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
|
||||
undesirable actions from occurring un-noticed.
|
||||
undesirable actions from occurring unnoticed.
|
||||
</para></note>
|
||||
|
||||
<para>
|
||||
@ -1203,7 +1203,7 @@ masterPw="verysecret"
|
||||
The next step was to run the <command>smbldap-populate</command> command, which populates
|
||||
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
|
||||
It creates a user called Administrator with UID=0 and GID=0 matching the
|
||||
Domain Admins group. This is fine because you can still log on a root to a Windows system,
|
||||
Domain Admins group. This is fine because you can still log on as root to a Windows system,
|
||||
but it will break cached credentials if you need to log on as the administrator
|
||||
to a system that is not on the network.
|
||||
</para>
|
||||
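Review bot: The paragraph says creating Administrator with UID=0 "is fine", but another chapter touched by this commit warns not to have more than one account with UID=0 in the password database and states that winbind will break when `/etc/passwd` and the LDAP or tdbsam backend hold the same UID under different names. A reader who has `root` in `/etc/passwd` and then runs `smbldap-populate` ends up in exactly that state. Suggest adding a cross-reference or a sentence that says when the duplicate UID=0 is acceptable and when it is not.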
@ -1384,7 +1384,7 @@ sambaAcctFlags: [W ]
|
||||
|
||||
<para>
|
||||
<indexterm><primary>netlogon</primary></indexterm>
|
||||
So now I could log on with a test user from the machine w2kengrspare. It was all fine and
|
||||
So now I could log on with a test user from the machine w2kengrspare. It was all well and
|
||||
good, but that user was in no groups yet and so had pretty boring access. I fixed that
|
||||
by writing the login script! To write the login script, I used
|
||||
<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
|
||||
@ -1619,7 +1619,7 @@ ENDIF
|
||||
One option is to check the OS as part of the Kixtart script, and if it
|
||||
is Win9x and is the first login, copy a premade
|
||||
<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
|
||||
have onlythree such machines, and one is going away in the very near future,
|
||||
have only three such machines, and one is going away in the very near future,
|
||||
so it was easier to do it by hand.
|
||||
</para>
|
||||
|
||||
|
@ -1516,9 +1516,9 @@ hosts: files dns wins
|
||||
<title>Printer Configuration</title>
|
||||
|
||||
<para>
|
||||
Network administrators who are new to CUPS based printing typically experience some difficulty mastering
|
||||
Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
|
||||
its powerful features. The steps outlined in this section are designed to navigate around the distractions
|
||||
of learning CUPS. Instead of implementing smart features and capabilties our approach is to use it as a
|
||||
of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
|
||||
transparent print queue that performs no filtering, and only minimal handling of each print job that is
|
||||
submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
|
||||
the correct printer driver must be installed on all clients.
|
||||
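Review bot: The hyphen in the new first line is in the wrong place: "CUPS based-printing" should be "CUPS-based printing", since "CUPS-based" is the compound modifying "printing". The second changed line is fine.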
@ -1609,7 +1609,7 @@ application/octet-stream
|
||||
|
||||
<para>
|
||||
Note: If the parameter <parameter>cups options = Raw</parameter> is specified in the &smb.conf; file,
|
||||
the last two steps can be omitted where CUPS version 1.1.18, or later.
|
||||
the last two steps can be omitted with CUPS version 1.1.18, or later.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
@ -1826,7 +1826,7 @@ hosts: files dns wins
|
||||
<screen>
|
||||
&rootprompt; testparm -s
|
||||
Load smb config files from smb.conf
|
||||
rocessing section "[homes]"
|
||||
Processing section "[homes]"
|
||||
Processing section "[printers]"
|
||||
Processing section "[netlogon]"
|
||||
Processing section "[profiles]"
|
||||
@ -2298,14 +2298,14 @@ Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Log onto the machine as the local Administrator (the only option), and join the machine to
|
||||
Log on to the machine as the local Administrator (the only option), and join the machine to
|
||||
the Domain, following the procedure set out in Appendix A, <link linkend="domjoin"/>. The system is now
|
||||
ready for the user to log on, provided you have created a network logon account for that
|
||||
user, of course.
|
||||
</para></step>
|
||||
|
||||
<step><para>
|
||||
Instruct all users to log onto the workstation using their assigned username and password.
|
||||
Instruct all users to log on to the workstation using their assigned username and password.
|
||||
</para></step>
|
||||
</procedure>
|
||||
|
||||
|
@ -10,7 +10,7 @@
|
||||
is the end of the road because their needs will have been adequately met. For others, this chapter is
|
||||
the beginning of a journey that will take them well past the contents of this book. This book provides
|
||||
example configurations of, for the greater part, complete networking solutions. The intent of this book
|
||||
is to help you to get your Samba installation working with least amount of pain and aggravation.
|
||||
is to help you to get your Samba installation working with the least amount of pain and aggravation.
|
||||
</para>
|
||||
|
||||
<sect1>
|
||||
@ -570,12 +570,12 @@ Password changed
|
||||
<step><para>
|
||||
Install the &smb.conf; file shown in <link linkend="charity-smbconfnew"/> in the
|
||||
<filename>/etc/samba</filename> directory. This newer &smb.conf; file uses user-mode security
|
||||
and is more suited to the mode of operation of Samba-3 that the older share-mode security
|
||||
and is more suited to the mode of operation of Samba-3 than the older share-mode security
|
||||
configuration that was shown in the first edition of this book.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Note: If you want to use the older style configuration that uses share-mode security, you
|
||||
Note: If you want to use the older-style configuration that uses share-mode security, you
|
||||
can install the file shown in <link linkend="charity-smbconf"/> in the
|
||||
<filename>/etc/samba</filename> directory.
|
||||
</para></step>
|
||||
|
@ -83,7 +83,7 @@ to perform a major upgrade. Many administrators have experienced the consequence
|
||||
of failure to take adequate precautions. So what is adequate? That is simple!
|
||||
If data is lost during an upgrade or update and it can not be restored,
|
||||
the precautions taken were inadequate. If a backup was not needed, but was available,
|
||||
precaution was on the side of the victor.
|
||||
caution was on the side of the victor.
|
||||
</para>
|
||||
|
||||
<sect2>
|
||||
@ -127,7 +127,7 @@ precaution was on the side of the victor.
|
||||
There is an old axiom that says, <quote>The greater the volume of the documentation,
|
||||
the greater the risk that noone will read it, but where there is no documentation,
|
||||
noone can read it!</quote> While true, some documentation is an evil necessity.
|
||||
It is to be hoped that this update to the documentation will avoid both extremes.
|
||||
It is hoped that this update to the documentation will avoid both extremes.
|
||||
</para>
|
||||
|
||||
<sect3>
|
||||
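Review bot: The quoted axiom still contains "noone" twice ("noone will read it" and "noone can read it") on the two lines directly above the corrected sentence. Since this pass is a copyedit of the same paragraph, change both to "no one".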
@ -965,7 +965,7 @@ that are compatible with the original OS vendor's practices.
|
||||
<para>
|
||||
<indexterm><primary>binary package</primary></indexterm>
|
||||
<indexterm><primary>binary files</primary></indexterm>
|
||||
If you are not sure whether or a binary package complies with the OS
|
||||
If you are not sure whether a binary package complies with the OS
|
||||
vendor's practices, it is better to ask the package maintainer via
|
||||
email than to waste much time dealing with the nuances.
|
||||
Alternately, just diagnose the paths specified by the binary files following
|
||||
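Review bot: "Alternately, just diagnose the paths" on the last context line should read "Alternatively", since the sentence offers another option rather than something done by turns. It sits two lines below the "whether or a" fix and is worth correcting in the same change.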
@ -1116,8 +1116,8 @@ back to searching the 'ldap suffix' in some cases.
|
||||
is stored in the <constant>smbpasswd</constant> or in the
|
||||
<constant>tdbsam</constant> format, the user and group account information
|
||||
for UNIX accounts that match the Samba accounts will reside in the system
|
||||
<filename>/etc/passwd, /etc/shadow</filename>, and
|
||||
<filename>/etc/group</filename> files. In this case be sure to copy these
|
||||
<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and
|
||||
<filename>/etc/group</filename> files. In this case, be sure to copy these
|
||||
account entries to the new target server.
|
||||
</para>
|
||||
|
||||
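Review bot: The instruction "be sure to copy these account entries to the new target server" covers /etc/shadow, which holds the password hashes, but gives no guidance on how to move it. Suggest adding that the entries should be transferred over a protected channel and that the file's ownership and restrictive permissions must be kept on the target. The split into separate <filename> elements is correct.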
@ -1152,7 +1152,7 @@ back to searching the 'ldap suffix' in some cases.
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
Where UNIX (POSIX) user and group accounts are stored in the system
|
||||
<filename>/etc/passwd, /etc/shadow</filename>, and
|
||||
<filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, and
|
||||
<filename>/etc/group</filename> files, be sure to add the same accounts
|
||||
with identical UID and GID values for each user.
|
||||
</para>
|
||||
|
@ -19,14 +19,14 @@ of open-source software solutions globally, and in particular within the United
|
||||
<para>
|
||||
The OSSI has global affiliations with like-minded organizations. Our affiliate in the United Kingdom is the
|
||||
Open Source Consortium. Both the OSSI and the OSC share a common objective to expand the use of open-source
|
||||
software in federal, state and municipal government agencies and in academic institutions. We represent
|
||||
software in federal, state, and municipal government agencies; and in academic institutions. We represent
|
||||
businesses that provide professional support services that answer the needs of our target organizational
|
||||
information technology consumers in an effective and cost efficient manner.
|
||||
information technology consumers in an effective and cost-efficient manner.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Open source software has matured greatly over the past 5 years with the result that an increasing number of
|
||||
people who hold key influential decision-making positions want to know how the business model works. They
|
||||
people who hold key decision-making positions want to know how the business model works. They
|
||||
want to understand how problems get resolved, how questions get answered, and how the development model
|
||||
is sustained. Information and Communications Technology directors in defense organizations, and in other
|
||||
government agencies that deal with sensitive information, want to become familiar with development road-maps
|
||||
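Review bot: The semicolon introduced in "federal, state, and municipal government agencies; and in academic institutions" is wrong, because what follows it is not an independent clause. Use "federal, state, and municipal government agencies and in academic institutions" (or a comma). The first context line of the next paragraph also still reads "Open source software" while the rest of the text hyphenates "open-source", and "road-maps" is left hyphenated.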
@ -36,38 +36,38 @@ and, in particular, seek to evaluate the track record of the main-stream open-so
|
||||
<para>
|
||||
Wherever the OSSI gains entrance to new opportunities we find that Microsoft Windows technologies are the
|
||||
benchmark against which open-source software solutions are measured. Two open-source software projects
|
||||
are key to our ability to present a structured, and convincing, proposition that there are alternatives
|
||||
to the incumbent proprietary means of meeting information technology needs. They are the Apache Web server
|
||||
are key to our ability to present a structured and convincing proposition that there are alternatives
|
||||
to the incumbent proprietary means of meeting information technology needs. They are the Apache Web Server
|
||||
and Samba.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Just as the Apache web server is the standard in web serving technology, Samba is the definitive standard
|
||||
for providing inter-operability with UNIX systems and other non-Microsoft operating system platforms. Both
|
||||
Just as the Apache Web Server is the standard in web serving technology, Samba is the definitive standard
|
||||
for providing interoperability with UNIX systems and other non-Microsoft operating system platforms. Both
|
||||
open-source applications have a truly remarkable track record that extends well over a decade. Both have
|
||||
demonstrated unique capacity to innovate and to maintain a level of development that has not only kept
|
||||
pace with demands, but in many areas each project has also proven to be an industry leader.
|
||||
demonstrated the unique capacity to innovate and maintain a level of development that has not only kept
|
||||
pace with demands, but, in many areas, each project has also proven to be an industry leader.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
One of the areas in which the Samba project has demonstrated key leadership is in documentation. The OSSI
|
||||
was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly well
|
||||
written books to help Samba software users to deploy, maintain and trouble-shoot Windows networking
|
||||
was delighted when we saw the Samba Team, and John H. Terpstra in particular, release two amazingly
|
||||
well-written books to help Samba software users deploy, maintain, and troubleshoot Windows networking
|
||||
installations. We were concerned that, given the large volume of documentation, the challenge to maintain
|
||||
it and keep it current might prove difficult.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
This second edition of the book, <quote>Samba-3 by Example</quote> barely one year following the release
|
||||
of the first edition has removed all concerns and is proof that open-source solutions are a compelling choice.
|
||||
This second edition of the book, <quote>Samba-3 by Example</quote>, barely one year following the release
|
||||
of the first edition, has removed all concerns and is proof that open-source solutions are a compelling choice.
|
||||
The first edition was released shortly following the release of Samba version 3.0 itself, and has become
|
||||
the authoritative instrument for training and for guiding deployment.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
I am personally aware how much effort has gone into this second edition. John Terpstra has worked with
|
||||
I am personally aware of how much effort has gone into this second edition. John Terpstra has worked with
|
||||
government bodies and with large organizations that have deployed Samba-3 since it was released. He also
|
||||
worked to ensure that this book gained community following. He asked those who have worked at the coal-face
|
||||
worked to ensure that this book gained community following. He asked those who have worked at the coalface
|
||||
of large and small organizations alike, to contribute their experiences. He has captured that in this book
|
||||
and has succeeded yet again. His recipe is persistence, intuition, and a high level of respect for the people
|
||||
who use Samba.
|
||||
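Review bot: "worked to ensure that this book gained community following" is still missing its article on the line immediately before the coalface fix; it should read "gained a community following". The stray comma in "large and small organizations alike, to contribute their experiences" on the following line also survives this pass. Separately, "Apache Web Server" is now capitalized but is followed by lowercase "web serving technology"; pick one convention for "Web".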
@ -77,7 +77,7 @@ who use Samba.
|
||||
This book is the first source you should turn to before you deploy Samba and as you are mastering its
|
||||
deployment. I am proud and excited to be associated in a small way with such a useful tool. This book has
|
||||
reached maturity that is demonstrated by reiteration that every step in deployment must be validated.
|
||||
This book makes it easy to succeed, and difficulty to fail to gain a stable network environment.
|
||||
This book makes it easy to succeed, and difficult to fail, to gain a stable network environment.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
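Review bot: The corrected sentence "This book makes it easy to succeed, and difficult to fail, to gain a stable network environment" fixes the typo but still does not parse, because "to gain" has nothing to attach to. Suggest "This book makes it easy to succeed, and difficult to fail, in gaining a stable network environment." The preceding context line, "reached maturity that is demonstrated by reiteration", is also missing its articles ("reached a maturity that is demonstrated by the reiteration").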
@ -4,32 +4,41 @@
|
||||
<title>About the Cover Artwork</title>
|
||||
|
||||
<para>
|
||||
The cover artwork of this book continues a theme chosen for the book,
|
||||
<emphasis>The Official Samba-3 HOWTO and Reference Guide,</emphasis>
|
||||
the cover of which features a Confederate scene. Samba has had a major
|
||||
impact on the network deployment of Microsoft Windows desktop systems.
|
||||
The cover artwork of the two official Samba books tells of events that
|
||||
likewise had a major impact on the future.
|
||||
The cover artwork of this book continues the freedom theme of the first
|
||||
edition of <quote>Samba-3 by Example</quote>. The history of civilization
|
||||
demonstrates the fragile nature of freedom. It can be lost in a moment,
|
||||
and once lost, the cost of recovering liberty can be incredible. The last
|
||||
edition cover featured Alfred the Great who liberated England from the
|
||||
constant assault of Vikings and Norsemen. Events in England that
|
||||
that finally liberated the common people came about in small steps, but
|
||||
the result should not be under-estimated. Today, as always, freedom and
|
||||
liberty are seldom appreciated until they are lost. If we can not quantify
|
||||
what is the value of freedom, we shall be little motivated to protect it.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<emphasis>Samba-3 by Example Cover Artwork:</emphasis> King Alfred the Great
|
||||
(born 849, ruled 871-899) was one of the most amazing kings ever to
|
||||
rule England. He defended Anglo-Saxon England from Viking raids, formulated
|
||||
a code of laws, and fostered a rebirth of religious and scholarly activity.
|
||||
His reign exhibits military skill and innovation, sound governance and the
|
||||
ability to inspire men to plan for the future. Alfred liberated England
|
||||
at a time when all resistence seemed futile.
|
||||
<emphasis>Samba-3 by Example Cover Artwork:</emphasis> The British houses
|
||||
of parliament are a symbol of the Westminster system of government. This form
|
||||
of government permits the people to govern themselves at the lowest level, yet
|
||||
it provides for courts of appeal that are designed to protect freedom and to
|
||||
hold back all forces of tyranny. The clock is a pertinent symbol of the
|
||||
importance of time and place.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Samba is a network interoperability solution that provides real choice for network
|
||||
administrators. It is an adjunct to Microsoft Windows networks that provides
|
||||
interoperability of UNIX systems with Microsoft Windows desktop and server systems.
|
||||
You may use Samba to realize the freedom it provides for your network environment
|
||||
thanks to a dedicated team who work behind the scenes to give you a better choice.
|
||||
The efforts of these few dedicated developers continues to shape the future of
|
||||
the Windows interoperability landscape. Enjoy!
|
||||
The information technology industry is being challenged by the imposition of
|
||||
new laws, hostile litigation, and the imposition of significant constraint
|
||||
of practice that threatens to remove the freedom to develop and deploy open
|
||||
source software solutions. Samba is a software solution that epitomizes freedom
|
||||
of choice in network interoperability for Microsoft Windows clients.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
I hope you will take the time needed to deploy it well, and that you may realize
|
||||
the greatest benefits may be obtained. You are free to use it in ways never
|
||||
considered, but in doing so there may be some obstacles. Every obstacle that is
|
||||
overcome adds to the freedom you can enjoy. Use Samba well, and it will serve
|
||||
you well.
|
||||
</para>
|
||||
|
||||
</preface>
|
||||
|
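Review bot: The new first paragraph repeats a word across a line break: "Events in England that" is followed by "that finally liberated the common people". Drop one "that". In the same added text, "can not quantify" should be "cannot quantify", "under-estimated" is normally written "underestimated", and the closing sentence "that you may realize the greatest benefits may be obtained" does not parse; "so that you may realize the greatest benefits" would read correctly.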