sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code
samba-mirror/docs/Samba-Guide/SBE-SimpleOfficeServer.xml
John Terpstra 281ce2e337 More updates in the reorg. 
(This used to be commit 63a5f698ed546f35e48d366ffc71a4a8b5cd831a)
2008-04-23 08:46:25 -05:00

1600 lines
60 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="simple">
<title>No Frills Samba Servers</title>
<?latex \pagenumbering{arabic} ?>
<para>
This is the start of the real journey toward the successful deployment of Samba. For some this is chapter
is the end of the road bacause their needs will have been adequately met. For others, this chapter is
the beginning of a journey that will take them well past the contents of this book. This book provides
example configurations of, for the greater part, complete networking solutions. The intent of this book
is to help you to get your Samba installation working with least pain and agony.
</para>
<sect1>
<title>Introduction</title>
<para>
This chapter lays the groundwork for understanding the basics of Samba operation.
Instead of a bland technical discussion, each principle is demonstrated by way of a
real-world scenario for which a working solution<footnote><para>The examples given mirror those documented
in TOSHARG Chapter 2, Section 2.3.1. You may gain additional insight from the Stand-alone server
configurations covered in TOSHARG sections 2.3.1.2 through 2.3.1.4.
</para></footnote> is fully described.
</para>
<para>
The practical exercises take you on a journey through a drafting office, a charity administration
office, and an accounting office. You may choose to apply any or all of these to your own environment.
</para>
<para>
Every assignment case can be implemented far more creatively, but remember that the solutions you
create are designed to demonstrate a particular solution possibility. With experience, you should
find much improved solutions compared with those presented here. By the time you complete this book,
you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your
way through the examples.
</para>
</sect1>
<sect1>
<title>Assignment Tasks</title>
<para>
Each case presented highlights different aspects of Windows networking for which a simple
Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases.
Each is briefly reviewed to cover points of highlight. In each example, instructions are based
on the assumption that the official Samba Team RPM package has been installed.
</para>
<para>
This chapter has three assignments built around ficticious companies:
</para>
<para>
<itemizedlist>
<listitem><para>A drafting office</para></listitem>
<listitem><para>A charity administration office</para></listitem>
<listitem><para>An accounting office</para></listitem>
</itemizedlist>
</para>
<para>
Let's get started.
</para>
<sect2>
<title>Drafting Office</title>
<para>
Our fictitious company is called <emphasis>Abmas Design Inc.</emphasis> This is a three-person
computer-aided design (CAD) business that often has more work than can be handled. The
business owner hires contract draftspeople from wherever he can. They bring their own
notebook computers into the office. There are four permanent drafting machines. Abmas has a
collection of over 10 years of plans that must be available for all draftsmen to reference.
Abmas hires the services of an experienced network engineer to update the
plans that are stored on a central server one day per month. She knows how to upload
plans from each machine. The files available from the server must remain read-only.
Anyone should be able to access the plans at any time and without barriers or difficulty.
</para>
<para><indexterm><primary>Red Hat</primary></indexterm>
<indexterm><primary>Fedora</primary></indexterm>
Mr. Bob Jordan has asked you to install the new server as economically as possible. The central
server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk
to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora Core2 and
have upgraded Samba to version 3.0.15 using the RPM package that is provided from the Samba
<ulink url="http://www.samba.org">FTP</ulink> sites.
</para>
<para><indexterm>
<primary>consultant</primary>
</indexterm>
The four permanent drafting machines (Microsoft Windows workstations) have attached printers
and plotters that are shared on a peer-to-peer basis by any/all network users. The intent
is to continue to share printers in this manner. The three permanent staff work together with
all contractors to store all new work on one PC. A daily copy is made of the work storage
area to another PC for safekeeping. When the network consultant arrives, the weekly work
area is copied to the central server and the files are removed from the main weekly storage
machine. The office works best with this arrangement and does not want to change anything.
Old habits are too ingrained.
</para>
<sect3>
<title>Dissection and Discussion</title>
<para><indexterm>
<primary>file server</primary>
<secondary>read-only</secondary>
</indexterm>
The requirements for this server installation demand simplicity. An anonymous read-only
file server adequately meets all needs. The network consultant determines how
to upload all files from the weekly storage area to the server. This installation should
focus only on critical aspects of the installation.
</para>
<para>
It is not necessary to have specific users on the server. The site has a method for storing
all design files (plans). Each plan is stored in a directory that is named YYYYWW<footnote><para>
This information is given purely as an example of how data may be stored in such a way that it
will be easy to locate records at a later date. The example is not meant to imply any instructions
that may be construed as essential to the design of the solution, this is something you will almost
certainly want to determine for yourself.</para></footnote>, where
YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored
by week of year to preserve the filing technique the site is familiar with.
There is another customer directory that is alphabetically listed. At the top level are 26
directories (A-Z), in each is a second level of directory for the first plus second letter of the name
(A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic
link to each design drawing/plan. This way of storing customer data files permits all
plans to be located both by customer name, as well as by the date the work was performed, without
demanding the disk space that would be needed if a duplicate file copy were to be stored.
The share containing the plans is called <emphasis>Plans</emphasis>.
</para>
</sect3>
<sect3>
<title>Implementation</title>
<para>
It is assumed that the server is fully installed and ready for installation and
configuration of Samba 3.0.15 and any support files needed. All TCP/IP addresses
have been hard coded. In our case the IP address of the Samba server is
<constant>192.168.1.1</constant> and the netmask is <constant>255.255.255.0</constant>.
The host name of the server used was <constant>server</constant>.
</para>
<procedure>
<title>Samba Server Configuration</title>
<step><para>
Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba
<ulink url="http://www.samba.org">FTP servers.</ulink>
</para></step>
<step><para><indexterm>
<primary>RPM</primary>
<secondary>install</secondary>
</indexterm><indexterm>
<primary>package</primary>
</indexterm>
Install the RPM package as using either the Red Hat Linux preferred GUI
tool or using the <command>rpm</command>, as follows:
<screen>
&rootprompt; rpm -Uvh samba-3.0.15-1.i386.rpm
</screen>
</para></step>
<step><para>
Create a mount point for the file system that will be used to store all data files.
You can create a directory called <filename>/plans</filename> as follows:
<screen>
&rootprompt; mkdir /plans
&rootprompt; chmod 755 /plans
</screen>
The 755 permissions on this directory (mount point) permit the owner to read, write
and execute, and the group and everyone else to read and execute only.
</para>
<para><indexterm>
<primary>file system</primary>
<secondary>Ext3</secondary>
</indexterm>
Use Red Hat Linux system tools (refer to Red Hat instructions for instructions)
to format the 160GB hard drive with a suitable file system. An Ext3 file system
is suitable. Configure this drive to automatically mount using the <filename>/plans</filename>
directory as the mount point.
</para></step>
<step><para>
Install the &smb.conf; file shown in <link linkend="draft-smbconf"/> in the
<filename>/etc/samba</filename> directory.
<smbconfexample id="draft-smbconf">
<title>Drafting Office &smb.conf; File</title>
<smbconfcomment>Global Parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfsection name="[Plans]"/>
<smbconfoption name="path">/plans</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfexample>
</para></step>
<step><para><indexterm>
<primary>/etc/hosts</primary>
</indexterm>
Verify that the <filename>/etc/hosts</filename> file contains the following entry:
<screen>
192.168.1.1 server
</screen>
</para></step>
<step><para><indexterm>
<primary>samba</primary>
<secondary>starting samba</secondary>
</indexterm><indexterm>
<primary>chkconfig</primary>
</indexterm>
<indexterm><primary>starting samba</primary></indexterm>
Use the standard system tool to start Samba and to configure it to restart
automatically at every system reboot. For example:
<screen>
&rootprompt; chkconfig smb on
&rootprompt; /etc/rc.d/init.d/smb restart
</screen>
</para></step>
</procedure>
<procedure>
<title>Windows Client Configuration</title>
<step><para>
Make certain that all clients are set to the same network address range as
has been used for the Samba server. For example, one client might have an IP
address 192.168.1.10.
</para></step>
<step><para><indexterm>
<primary>netmask</primary>
</indexterm>
Ensure that the netmask used on the Windows clients matches that used
for the Samba server. All clients must have the same netmask. For example,
255.255.255.0.
</para></step>
<step><para><indexterm>
<primary>workgroup</primary>
</indexterm>
Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
</para></step>
<step><para>
Verify on each client that the machine called <constant>SERVER</constant>
is visible in the <guimenu>Network Neighborhood</guimenu>, that it is
possible to connect to it and see the share <guimenuitem>Plans</guimenuitem>,
and that it is possible to open that share to reveal its contents.
</para></step>
</procedure>
</sect3>
<sect3 id="validate1">
<title>Validation</title>
<para><indexterm>
<primary>validation</primary>
</indexterm>
The first priority in validating the new Samba configuration should be to check
that Samba answers on the loop-back interface. Then it is time to check that Samba
answers its own name correctly. Last, check that a client can connect to the Samba
server.
</para>
<procedure>
<step><para><indexterm>
<primary>smbd</primary>
</indexterm><indexterm>
<primary>daemon</primary>
</indexterm><indexterm>
<primary>smbclient</primary>
</indexterm>
To check the ability to access the <command>smbd</command> daemon
services, execute the following:
<screen>
&rootprompt; smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
Plans Disk
IPC$ IPC IPC Service (Samba 3.0.15)
ADMIN$ IPC IPC Service (Samba 3.0.15)
Server Comment
--------- -------
SERVER Samba 3.0.15
Workgroup Master
--------- --------
MIDEARTH SERVER
</screen>
<indexterm>
<primary>loopback</primary>
</indexterm><indexterm>
<primary>NULL connection</primary>
</indexterm>
This indicates that Samba is able to respond on the loopback interface to
a NULL connection. The <parameter>-U%</parameter> means send an empty
username and an empty password. This command should be repeated after
Samba has been running for 15 minutes.
</para></step>
<step><para>
Now verify that Samba correctly handles being passed a username
and password, and that it answers its own name. Execute the following:
<screen>
&rootprompt; smbclient -L server -Uroot%password
</screen>
The output should be identical to the previous response. Samba has been
configured to ignore all usernames given; instead it uses the
<parameter>guest account</parameter> for all connections.
</para></step>
<step><para><indexterm>
<primary>Windows Explorer</primary>
</indexterm><indexterm>
<primary>Network Neighborhood</primary>
</indexterm>
From the Windows 9x/Me client, launch Windows Explorer,
<menuchoice>
<guiicon>[Desktop: right-click] Network Neighborhood</guiicon>
<guimenu>Explore</guimenu>
<guimenuitem>[Left Panel] [+] Entire Network</guimenuitem>
<guimenuitem>[Left Panel] [+] Server</guimenuitem>
<guimenuitem>[Left Panel] [+] Plans</guimenuitem>
</menuchoice>. In the right panel you should see the files and directories
(folders) that are in the <guiicon>Plans</guiicon> share.
</para></step>
</procedure>
</sect3>
</sect2>
<sect2>
<title>Charity Administration Office</title>
<para>
The fictitious charity organization is called <emphasis>Abmas Vision NL</emphasis>. This is an
office that has five networked computers. Staff are all volunteers with frequent staff changes.
Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to
use any PC. Only two Windows applications are used: a custom funds tracking and management package
that stores all files on the central server and Microsoft Word. The office prepares mail-out
letters, letters of invitation, and thank-you notes. All files must be stored in perpetuity.
The custom funds tracking and management (FTM) software has been configured to use a server named
<constant>SERVER</constant>, a share named <constant>FTMFILES</constant>, and a printer queue
named <constant>PRINTQ</constant> that uses preprinted stationery, thus demanding a
dedicated printer. This printer does not need to be mapped to a local printer on the workstations.
</para>
<para>
The FTM software has been in use since the days of Windows 3.11. The software was configured
by the vendor who has since gone out of business. The name of the identities of the file
server and the printer are hard coded in a configuration file that was created using a
setup tool that the vendor did not provide to Abmas Vision NL or to its predecessors. The
company that produced the software is no longer in business. In order to avoid risk of
any incompatibilities the share name and the name of the target print queue is being set
precisely as the application expects. In actual fact, share names and print queue names
should be treated as case insensitive (i.e.: Case does not matter) but Abmas Vision claim
that if the share name is not in lower case the application claims it can not find the
file share.
</para>
<para><indexterm>
<primary>print queue</primary>
</indexterm><indexterm>
<primary>print spooler</primary>
</indexterm>
Printer handling in Samba results in a significant level of confusion. Samba presents to the
MS Windows client only a print queue. The Samba <command>smbd</command> process passes a
print job sent to it from the Windows client to the native UNIX printing system. The native
UNIX printing system (spooler) places the job in a print queue from which it is
delivered to the printer. In this book, network diagrams refer to a printer by the name
of the print queue that services that printer. It does not matter what the fully qualified
name (or the host name) of a network attached printer is. The UNIX print spooler is configured
to correctly deliver all jobs to the printer.
</para>
<para>
This organization has a policy forbidding use of privately owned computers on site as a measure
to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are
used on this network.
</para>
<para><indexterm>
<primary>SUSE Enterprise Linux Server</primary>
</indexterm>
The central server was donated by a local computer store. It is a dual processor Pentium-III
server, has 1GB RAM, a 3-Ware IDE RAID Controller that has 4 x 200GB IDE hard drives, and a
100-base-T network card. The office has 100-base-T permanent network connections that go to
a central hub and all equipment is new. The five network computers all are equipped with Microsoft
Windows Me. Funding is limited, so the server has no operating system on it. You have approval
to install Samba on Linux, but just make sure it works without problems. There are two HP LaserJet
5 PS printers that are network connected. The second printer is to be used for general
office and letter printing. Your recommendation to allow only the Linux server to print directly
to the printers was accepted. You have supplied SUSE Enterprise Linux Server 9 and
have upgraded Samba to version 3.0.15.
</para>
<sect3>
<title>Dissection and Discussion</title>
<para>
<indexterm><primary>force user</primary></indexterm><indexterm>
<primary>nt acl support</primary>
</indexterm><indexterm>
<primary>UID</primary>
</indexterm><indexterm>
<primary>Posix</primary>
</indexterm>
This installation demands simplicity. Frequent turn-over of volunteer staff would indicate that
a network environment that requires users to logon might be problematic. It is suggested that the
best solution for this office would be one where the user can log onto any PC with any username
and password. Samba can accommodate an office like this by using the <parameter>force user</parameter>
parameter in share and printer definitions. The use of the <parameter>force user</parameter>
ensures that all files are owned by same user identifier (UID) and thus ensures that there
will never be a problem with file access due to file access permissions. Additionally, you elect
to use the <parameter>nt acl support = No</parameter> option to ensure that no attempts can be
made to write access control lists (Posix type) to any file or directory. This prevents
an inadvertent ACL from overriding actual file permissions.
</para>
<para>
<indexterm><primary>SUID</primary></indexterm>
<indexterm><primary>SGID</primary></indexterm>
<indexterm><primary>security</primary><secondary>share mode</secondary></indexterm>
This organization is a prime candidate for Share Mode security. The <parameter>force user</parameter>
allows all files to be owned by the same user and group. In addition to this, it would not hurt to
set SUID and set SGID shared directories. This means that all new files that are created, no matter
who creates it, are owned by the owner or group of the directory in which they are created.
For further information regarding the significance of the SUID/SGID settings, see
<link linkend="ch12-SUIDSGID"/>.
</para>
<para>
<indexterm><primary>CUPS</primary></indexterm>
<indexterm><primary>printing</primary><secondary>raw</secondary></indexterm><indexterm>
<primary>Red Hat Linux</primary>
</indexterm><indexterm>
<primary>SUSE Linux</primary>
</indexterm>
All client workstations print to a print queue on the server. This ensures that print jobs
continue to print in the event that a user may shut down the workstation immediately after
sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing.
Older Linux systems offered a choice to use either the LPRng printing system, or CUPS. It appears, however,
that CUPS has now become the leading UNIX printing technology.
</para>
<para>
<indexterm><primary>print queue</primary></indexterm>
The print queues are set up as <constant>Raw</constant> devices, which means that CUPS will
not do intelligent print processing, and vendor supplied drivers be installed locally on the
Windows clients.
</para>
<para>
The hypothetical software (Funds Tracking and Management) referred to is representative of
custom-built software that directly uses a NetBIOS interface. Most such software originated in
the days of MS/PC DOS. NetBIOS names are upper-case (and functionally are case insensitive),
thus some old software applications would permit only upper-case names to be entered.
Some such applications were later ported to MS Windows but retain the upper-case network
resource naming conventions because customers are familiar with that. We made the decision
to name shares and print queues for this application in upper-case also for the same reason.
Nothing would break if you were to use lower-case names, but that decision might create a need
to re-educate staff &smbmdash; something well avoided at this time.
</para>
<para>
NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
print queue. The print spooling system is responsible for communicating with the physical
printer. In this example, therefore, the resource that is referred to as <constant>PRINTQ</constant>
really is just a print queue. The name of the print queue is held to be representative of
the device to which the print spooler delivers print jobs.
</para>
</sect3>
<sect3>
<title>Implementation</title>
<para>
It is assumed that the server is fully installed and ready for configuration of
Samba 3.0.15 and for necessary support files. All TCP/IP addresses should be hard coded.
In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is
255.255.255.0. The host name of the server used was <constant>server</constant>.
The office network is built as shown in <link linkend="charitynet"/>.
</para>
<image id="charitynet">
<imagedescription>Charity Administration Office Network</imagedescription>
<imagefile scale="66">Charity-Network</imagefile>
</image>
<procedure>
<title>Samba Server Configuration</title>
<step><para><indexterm>
<primary>groupadd</primary>
</indexterm>
Create a group account for office file storage as follows:
<screen>
&rootprompt; groupadd office
</screen>
</para></step>
<step><para><indexterm>
<primary>useradd</primary>
</indexterm><indexterm>
<primary>passwd</primary>
</indexterm>
Create a user account for office file storage as follows:
<screen>
&rootprompt; useradd -m abmas
&rootprompt; passwd abmas
Changing password for abmas.
New password: XXXXXXXX
Re-enter new password: XXXXXXXX
Password changed
</screen>
where XXXXXXXX is a secret password.
</para></step>
<step><para>
Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
drives as a single RAID level 5 drive, with one drive set aside as the hot spare.
(Refer to the 3-Ware RAID Controller Manual for the manufacturers' preferred procedure.)
The resulting drive has a capacity of approximately 500GB of usable space.
</para></step>
<step><para><indexterm>
<primary>permissions</primary>
</indexterm>
Create a mount point for the file system that can be used to store all data files.
Create a directory called <filename>/data</filename> as follows:
<screen>
&rootprompt; mkdir /data
&rootprompt; chmod 755 /data
</screen>
The 755 permissions on this directory (mount point) permit the owner to read, write and execute,
and the group and everyone else to read and execute only.
</para></step>
<step><para>
Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
procedures) to format the partition with a suitable file system. The reiserfs file system
is suitable. Configure this drive to automount using the <filename>/data</filename>
directory as the mount point. It must be mounted before proceeding.
</para></step>
<step><para>
Under the directory called <filename>/data</filename> create two directories
named <filename>ftmfiles</filename> and <filename>officefiles</filename>, and set
ownership and permissions as follows:
<screen>
&rootprompt; mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
&rootprompt; chown -R abmas.office /data
&rootprompt; chmod -R ug+rwxs,o-w,o+rx /data
</screen>
These demonstrate compound operations. The <command>mkdir</command> command
creates in one step these directories:
<programlisting>
/data/fmtfiles
/data/officefiles
/data/officefiles/letters
/data/officefiles/invitations
/data/officefiles/misc
</programlisting>
The <command>chown</command> operation sets the owner to the user <constant>abmas</constant>
and the group to <constant>office</constant> on all directories just created. And
the <command>chmod</command> operation recursively sets the permissions so that
the owner and group have SUID/SGID with read/write/execute permission, and everyone else has
read and execute permission. This means that all files and directories are created
with the same owner and group as the directory in which they are created. Any new
directories created still have the same owner, group, and permissions as the
directory they are in. This should eliminate all permissions-based file access problems.
For more information on this subject, refer to <emphasis>TOSHARG</emphasis>, Chapter 13, <emphasis>File, Directory
and Share Access Controls</emphasis>, or refer to the UNIX man page for the
<command>chmod</command> and the <command>chown</command> commands.
</para></step>
<step><para>
Install the &smb.conf; file shown in <link linkend="charity-smbconf"/> in the
<filename>/etc/samba</filename> directory.
</para></step>
<step><para>
<indexterm><primary>smbd</primary></indexterm>
We must ensure that the <command>smbd</command> can resolve the name of the Samba
server to its IP address. Verify that the <filename>/etc/hosts</filename> file
contains the following entry:
<screen>
192.168.1.1 server
</screen>
</para></step>
<step><para>
Configure the printers with the IP address as shown in <link linkend="charitynet"/>.
Follow the instructions in the manufacturers' manual to permit printing to port 9100,
so that the CUPS spooler can print using raw mode protocols.
</para></step>
<step><para><indexterm>
<primary>lpadmin</primary>
</indexterm>
Configure the CUPS Print Queues as follows:
<screen>
&rootprompt; lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
&rootprompt; lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
</screen>
This creates the necessary print queues with no assigned print filter.
</para></step>
<step><para>
<indexterm><primary>mime type</primary></indexterm><indexterm>
<primary>/etc/cups/mime.convs</primary>
</indexterm><indexterm>
<primary>application/octet-stream</primary>
</indexterm>
Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
<screen>
application/octet-stream application/vnd.cups-raw 0 -
</screen>
</para></step>
<step><para><indexterm>
<primary>/etc/cups/mime.types</primary>
</indexterm>
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
<screen>
application/octet-stream
</screen>
</para></step>
<step><para>
<indexterm><primary>starting samba</primary></indexterm>
Use the standard system tool to start Samba and CUPS to configure them to restart
automatically at every system reboot. For example:
</para>
<para>
<indexterm><primary>starting samba</primary></indexterm>
<indexterm><primary>starting
CUPS</primary></indexterm><indexterm>
<primary>chkconfig</primary>
</indexterm>
<screen>
&rootprompt; chkconfig smb on
&rootprompt; chkconfig cups on
&rootprompt; /etc/rc.d/init.d/smb restart
&rootprompt; /etc/rc.d/init.d/cups restart
</screen>
</para></step>
</procedure>
<smbconfexample id="charity-smbconf">
<title>Charity Administration Office &smb.conf; File</title>
<smbconfcomment>Global Parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="printing">CUPS</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="wins support">yes</smbconfoption>
<smbconfsection name="[FTMFILES]"/>
<smbconfoption name="comment">Funds Tracking &amp; Management Files</smbconfoption>
<smbconfoption name="path">/data/ftmfiles</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="force user">abmas</smbconfoption>
<smbconfoption name="force group">office</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="nt acl support">No</smbconfoption>
<smbconfsection name="[office]"/>
<smbconfoption name="comment">General Office Files</smbconfoption>
<smbconfoption name="path">/data/officefiles</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="force user">abmas</smbconfoption>
<smbconfoption name="force group">office</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="nt acl support">No</smbconfoption>
<smbconfsection name="[printers]"/>
<smbconfoption name="comment">Print Temporary Spool Configuration</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfexample>
<procedure>
<title>Windows Client Configuration</title>
<step><para>
Configure clients to the network settings shown in <link linkend="charitynet"/>.
</para></step>
<step><para>
Ensure that the netmask used on the Windows clients matches that used
for the Samba server. All clients must have the same netmask. For example,
<constant>255.255.255.0</constant>.
</para></step>
<step><para>
<indexterm><primary>WINS</primary></indexterm>
On all Windows clients, set the WINS Server address to <constant>192.168.1.1</constant>,
the IP address of the server.
</para></step>
<step><para>
Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
</para></step>
<step><para><indexterm>
<secondary>logon</secondary>
</indexterm>
Install the <quote>Client for Microsoft Networks.</quote> Ensure that the only option
enabled in its properties is the option <quote>Logon and restore network connections.</quote>
</para></step>
<step><para>
Click <guibutton>OK</guibutton> when you are prompted to reboot the system. Reboot the
system, then logon using any user name and password you choose.
</para></step>
<step><para><indexterm>
<primary>My Network Places</primary>
</indexterm>
Verify on each client that the machine called <constant>SERVER</constant>
is visible in <guimenu>My Network Places</guimenu>, that it is
possible to connect to it and see the share <guimenuitem>office</guimenuitem>,
and that it is possible to open that share to reveal its contents.
</para></step>
<step><para><indexterm>
<primary>password caching</primary>
</indexterm><indexterm>
<primary>regedit</primary>
</indexterm>
Disable password caching on all Windows 9x/Me machines using the registry change file
shown in <link linkend="MEreg"/>. Be sure to remove all files that have the
<filename>PWL</filename> extension that are in the <filename>C:\WINDOWS</filename>
directory.
<example id="MEreg">
<title>Windows Me &smbmdash; Registry Edit File: Disable Password Caching</title>
<screen>
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
</screen>
</example>
The best way to apply this is to save the patch in a file called
<filename>ME-dpwc.reg</filename> and then execute:
<screen>
C:\WINDOWS: regedit ME-dpwc.reg
</screen>
</para></step>
<step><para>
Instruct all users to log onto the workstation using a name of their own
choosing, with a password of their own choosing. The Samba server has been
configured to ignore the username and password given.
</para></step>
<step><para>
On each Windows Me workstation, configure a network drive mapping to drive <filename>G:</filename>
that redirects to the uniform naming convention (UNC) resource
<filename>\\server\office</filename>. Make this a permanent drive connection as follows:
</para>
<procedure>
<step><para>
<menuchoice>
<guimenu>(Right-click) My Network</guimenu>
<guimenuitem>Map Network Drive...</guimenuitem>
</menuchoice>
</para></step>
<step><para>
In the box labeled <quote>Drive:</quote>, type G.
</para></step>
<step><para>
In the box labeled <quote>Path:</quote>, enter
<filename>\\server\officefiles</filename>.
</para></step>
<step><para>
Click <guimenuitem>Reconnect at logon</guimenuitem>.
Click <guibutton>OK</guibutton>.
</para></step>
</procedure>
</step>
<step><para>
On each workstation, install the Funds Tracking and Management software following the
manufacturer's instructions.
</para>
<procedure>
<step><para>
During installation, you are prompted for the name of the Windows 98
server. Enter the name <constant>SERVER</constant>.
</para></step>
<step><para>
You are prompted for the name of the data share.
The prompt defaults to <constant>FTMFILES</constant>. Press enter to accept the default value.
</para></step>
<step><para>
You are now prompted for the print queue name. The default prompt is the name of
the server you entered (<constant>SERVER</constant> as follows:
<constant>\\SERVER\PRINTQ</constant>). Simply accept the default and press enter to
continue. The software now completes the installation.
</para></step>
</procedure>
</step>
<step><para>
Install an office automation software package of the customer's choice. Either Microsoft
Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may
need to perform. Repeat this on each workstation.
</para></step>
<step><para>
Install a printer on each using the following steps:
</para>
<procedure>
<step><para>
Click <menuchoice>
<guimenu>Start</guimenu>
<guimenuitem>Settings</guimenuitem>
<guimenuitem>Printers</guimenuitem>
<guiicon>Add Printer</guiicon>
<guibutton>Next</guibutton>
</menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
</para></step>
<step><para>
Click <guibutton>Next</guibutton>. In the panel labeled
<guimenuitem>Manufacturer:</guimenuitem>, select <constant>HP</constant>.
In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called
<constant>HP LaserJet 5/5M Postscript</constant>. Click <guibutton>Next</guibutton>.
</para></step>
<step><para>
In the panel labeled <guimenuitem>Available ports:</guimenuitem>, select
<constant>FILE:</constant>. Accept the default printer name by clicking
<guibutton>Next</guibutton>. When asked, <quote>Would you like to print a
test page?</quote>, click <guimenuitem>No</guimenuitem>. Click
<guibutton>Finish</guibutton>.
</para></step>
<step><para>
You may be prompted for the name of a file to print to. If so, close the
dialog panel. Right-click <menuchoice>
<guiicon>HP LaserJet 5/5M Postscript</guiicon>
<guimenuitem>Properties</guimenuitem>
<guisubmenu>Details (Tab)</guisubmenu>
<guimenuitem>Add Port</guimenuitem>
</menuchoice>.
</para></step>
<step><para>
In the panel labeled <guimenuitem>Network</guimenuitem>, enter the name of
the print queue on the Samba server as follows: <constant>\\SERVER\hplj5</constant>.
Click <menuchoice>
<guibutton>OK</guibutton>
<guibutton>OK</guibutton>
</menuchoice> to complete the installation.
</para></step>
<step><para>
It is a good idea to test the functionality of the complete installation before
handing the newly configured network over to the Charity Administration Office
for production use.
</para></step>
</procedure>
</step>
</procedure>
</sect3>
<sect3>
<title>Validation</title>
<para>
Use the same validation process as was followed in <link linkend="validate1"/>.
</para>
</sect3>
</sect2>
<sect2 id="AccountingOffice">
<title>Accounting Office</title>
<para>
The office of Abmas Accounting Inc. is a 40-year-old family-run business. There are nine permanent
computer users. The network clients were upgraded two years ago. All computers run Windows 2000
Professional. This year the server will be upgraded from an old Windows NT4 server (actually
running Windows NT4 Workstation, which worked fine as there were fewer than 10 users) that has
run in workgroup (Stand-Alone) mode, to a new Linux server running Samba.
</para>
<para>
The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional
clients running as workgroup machines so that any staff member can take a machine home and keep
working. It has worked well so far and your task is to replace the old server. All users have
their own workstation logon (you configured it that way when the machines were installed).
Mr. Meany wants the new system to operate the same way as the old Windows NT4 server &smbmdash; users
cannot access each others' files, but he can access everyone's files. Each person's work files are
in a separate share on the server. Users logon to their Windows workstation with their username
and enter an assigned password; they do not need to enter a password when accessing their files
on the server.
</para>
<para><indexterm>
<primary>Red Hat Linux</primary>
</indexterm>
The new server will run Red Hat Fedora Core2. You should install Samba-3.0.15 and
copy all files off the old system to the new one. The existing Windows NT4 server has a parallel
port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each
workstation. You must not change anything on the workstations. Mr. Meany gave instructions to
replace the server <quote>but leave everything else alone to avoid staff unrest.</quote>
</para>
<para>
You have tried to educate Mr. Meany and found that he has no interest to understand networking.
He believes that Windows for Workgroups 3.11 was <quote>the best server Microsoft ever sold
</quote> and that Windows NT and 2000 are <quote>too fang-dangled complex!</quote>
</para>
<sect3>
<title>Dissection and Discussion</title>
<para>
<indexterm><primary>security</primary><secondary>user mode</secondary></indexterm>
The requirements of this network installation are not unusual. The staff are not interested in the
details of networking. Passwords are never changed. In this example solution, we demonstrate the use
of User Mode security in a simple context. Directories should be set SGID to ensure that members
of a common group can access the contents. Each user has his or her own share to which only they
can connect. Mr. Meany's share will be a top level directory above the share point for each employee.
Mr. Meany is a member of the same group as his staff and is able to access their work files.
The well used HP LaserJet 4 is available as a service called <constant>hplj</constant>.
</para>
<para>
You have finished configuring the new hardware and have just completed installation of Red Hat
Fedora Core2. Roll up your sleeves and let's get to work.
</para>
</sect3>
<sect3 id="AcctgNet">
<title>Implementation</title>
<para>
The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it
cannot be running as a WINS server. It is best that the new configuration preserves the same
configuration. The office does not use Internet access, so security really is not an issue.
</para>
<para>
The core information regarding the users, their passwords, the directory share point, and the
share name is given in <link linkend="acctingnet"/>. The overall network topology is shown in
<link linkend="acctingnet2"/>. All machines have been configured as indicated prior to the
start of Samba configuration. The following prescriptive steps may now commence.
</para>
<image id="acctingnet2">
<imagedescription>Accounting Office Network Topology</imagedescription>
<imagefile scale="66">AccountingNetwork</imagefile>
</image>
<table id="acctingnet">
<title>Accounting Office Network Information</title>
<tgroup cols="6">
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry>User</entry>
<entry>Login-ID</entry>
<entry>Password</entry>
<entry>Share Name</entry>
<entry>Directory</entry>
<entry>Wkst</entry>
</row>
</thead>
<tbody>
<row>
<entry>Alan Meany</entry>
<entry>alan</entry>
<entry>alm1961</entry>
<entry>alan</entry>
<entry>/data</entry>
<entry>PC1</entry>
</row>
<row>
<entry>James Meany</entry>
<entry>james</entry>
<entry>jimm1962</entry>
<entry>james</entry>
<entry>/data/james</entry>
<entry>PC2</entry>
</row>
<row>
<entry>Jeannie Meany</entry>
<entry>jeannie</entry>
<entry>jema1965</entry>
<entry>jeannie</entry>
<entry>/data/jeannie</entry>
<entry>PC3</entry>
</row>
<row>
<entry>Suzy Millicent</entry>
<entry>suzy</entry>
<entry>suzy1967</entry>
<entry>suzy</entry>
<entry>/data/suzy</entry>
<entry>PC4</entry>
</row>
<row>
<entry>Ursula Jenning</entry>
<entry>ujen</entry>
<entry>ujen1974</entry>
<entry>ursula</entry>
<entry>/data/ursula</entry>
<entry>PC5</entry>
</row>
<row>
<entry>Peter Pan</entry>
<entry>peter</entry>
<entry>pete1984</entry>
<entry>peter</entry>
<entry>/data/peter</entry>
<entry>PC6</entry>
</row>
<row>
<entry>Dale Roland</entry>
<entry>dale</entry>
<entry>dale1986</entry>
<entry>dale</entry>
<entry>/data/dale</entry>
<entry>PC7</entry>
</row>
<row>
<entry>Bertrand E Paoletti</entry>
<entry>eric</entry>
<entry>eric1993</entry>
<entry>eric</entry>
<entry>/data/eric</entry>
<entry>PC8</entry>
</row>
<row>
<entry>Russell Lewis</entry>
<entry>russ</entry>
<entry>russ2001</entry>
<entry>russell</entry>
<entry>/data/russell</entry>
<entry>PC9</entry>
</row>
</tbody>
</tgroup>
</table>
<?latex \newpage ?>
<procedure>
<title>Migration from Windows NT4 Workstation System to Samba-3</title>
<step><para><indexterm>
<primary>migration</primary>
</indexterm>
Rename the old server from <constant>CASHPOOL</constant> to <constant>STABLE</constant>
by logging onto the console as the <constant>Administrator</constant>. Restart the machine
following system prompts.
</para></step>
<step><para>
Name the new server <constant>CASHPOOL</constant> using the standard configuration method.
Restart the machine following system prompts.
</para></step>
<step><para>
Install the latest Samba-3 binary Red Hat Linux RPM that is available from the
Samba FTP site.
</para></step>
<step><para><indexterm>
<primary>group account</primary>
</indexterm><indexterm>
<primary>groupadd</primary>
</indexterm>
Add a group account for the office to use. Execute the following:
<screen>
&rootprompt; groupadd accts
</screen>
</para></step>
<step><para>
Install the &smb.conf; file shown<footnote><para>This example makes use of the
<parameter>smbpasswd</parameter> file. It does so in an obtuse way since the use of
the <parameter>passdb backend</parameter> has not been specified in the &smb.conf;
file. This means that you are depending on correct default behavior.</para></footnote>
in <link linkend="acctconf"/>.
</para></step>
<step><para><indexterm>
<primary>useradd</primary>
</indexterm><indexterm>
<primary>passwd</primary>
</indexterm><indexterm>
<primary>smbpasswd</primary>
</indexterm>
For each user who uses this system (see <link linkend="acctingnet"/>),
execute the following:
<screen>
&rootprompt; useradd -m -G accts -c "Name of User" "LoginID"
&rootprompt; passwd "LoginID"
Changing password for user "LoginID"
New Password: XXXXXXXXX &lt;-- the password from the table
Retype new password: XXXXXXXXX
&rootprompt; smbpasswd -a "LoginID"
New SMB password: XXXXXXXXX &lt;-- the password from the table
Retype new SMB password: XXXXXXXXX
Added user "LoginID"
</screen>
</para></step>
<step><para><indexterm>
<primary>data storage</primary>
</indexterm>
Create the directory structure for the file shares by executing the following:
<screen>
&rootprompt; mkdir -p /data
&rootprompt; chown alan /data
&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
> do
> mkdir -p /data/$i
> chown $i /data/$i
> done
&rootprompt; chgrp -R accts /data
&rootprompt; chmod -R ug+rwxs,o-r+x /data
</screen>
The data storage structure is now prepared for use.
</para></step>
<step><para><indexterm>
<primary>lpadmin</primary>
</indexterm>
Configure the CUPS Print Queues as follows:
<screen>
&rootprompt; lpadmin -p hplj -v parallel:/dev/lp0 -E
</screen>
This creates the necessary print queues with no assigned print filter.
</para></step>
<step><para>
<indexterm><primary>mime types</primary></indexterm><indexterm>
<primary>/etc/cups/mime.convs</primary>
</indexterm>
Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
<screen>
application/octet-stream application/vnd.cups-raw 0 -
</screen>
</para></step>
<step><para><indexterm>
<primary>/etc/cups/mime.types</primary>
</indexterm><indexterm>
<primary>application/octet-stream</primary>
</indexterm>
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
<screen>
application/octet-stream
</screen>
</para></step>
<step><para>
<indexterm><primary>starting samba</primary></indexterm>
Use the standard system tool to start Samba and CUPS to configure them to restart
automatically at every system reboot. For example:
</para>
<para>
<indexterm><primary>starting samba</primary></indexterm>
<indexterm><primary>starting
CUPS</primary></indexterm><indexterm>
<primary>chkconfig</primary>
</indexterm>
<screen>
&rootprompt; chkconfig smb on
&rootprompt; chkconfig cups on
&rootprompt; /etc/rc.d/init.d/smb restart
&rootprompt; /etc/rc.d/init.d/cups restart
</screen>
</para></step>
<step><para>
On Alan's workstation, use Windows explorer to migrate the files from the old server
to the new server. The new server should appear in the <guimenu>Network Neighborhood</guimenu>
with the name of the old server (<constant>CASHPOOL</constant>).
</para>
<procedure>
<step><para>
Logon to Alan's workstation as the user <constant>alan</constant>.
</para></step>
<step><para>
Launch a second instance of Windows explorer and navigate to the share called
<guiicon>files</guiicon> on the server called <guimenu>STABLE</guimenu>.
</para></step>
<step><para>
Click in the right panel, and press <guimenu>Ctrl-A</guimenu> to select all files and
directories. Press <guimenu>Ctrl-C</guimenu> to instruct Windows that you wish to
copy all selected items.
</para></step>
<step><para>
Launch the Windows explorer, and navigate to the share called <guiicon>files</guiicon>
on the server called <guimenu>CASHPOOL</guimenu>. Click in the right panel, and then press
<guimenu>Ctrl-V</guimenu> to commence the copying process.
</para></step>
</procedure>
</step>
<step><para>
Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server.
This is best done on the Samba-3 server. Check the contents of the directory tree under
<filename>/data</filename>. This can be done by executing the following command:
<screen>
&rootprompt; ls -aR /data
</screen>
Make certain to check the ownership and permissions on all files. If in doubt, execute the following:
<screen>
&rootprompt; chown alan /data
&rootprompt; for i in james suzy ursula peter dale eric jeannie russell
> do
> chown $i /data/$i
> done
&rootprompt; chgrp -R accts /data
&rootprompt; chmod -R ug+rwxs,o-r+x /data
</screen>
</para></step>
<step><para>
The migration of all data should now be complete. It is time to validate the installation.
For this, you should make sure all applications, including printing, work before asking the
customer to test drive the new network.
</para></step>
</procedure>
<smbconfexample id="acctconf">
<title>Accounting Office Network &smb.conf; File</title>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">BILLMORE</smbconfoption>
<smbconfoption name="printing">CUPS</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfsection name="[files]"/>
<smbconfoption name="comment">Work area files</smbconfoption>
<smbconfoption name="path">/data/%U</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[master]"/>
<smbconfoption name="comment">Master work area files</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="valid users">alan</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[printers]"/>
<smbconfoption name="comment">Print Temporary Spool Configuration</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfexample>
</sect3>
</sect2>
</sect1>
<sect1>
<title>Questions and Answers</title>
<para>
The following questions and answers draw from the examples in this chapter.
Many design decisions are impacted by the configurations chosen. The intent
is to expose some of the hidden implications.
</para>
<qandaset defaultlabel="chap02qa">
<qandaentry>
<question>
<para>
What makes an anonymous Samba server more simple than an non-anonymous Samba server?
</para>
</question>
<answer>
<para>
In the anonymous server, the only account used is the <constant>guest</constant> account.
In a non-anonymous configuration, it is necessary to add real user accounts to both the
UNIX system and to the Samba configuration. Non-anonymous servers require additional
administration.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
How is the operation of the parameter <parameter>force user</parameter> different from
setting the root directory of the share SUID?
</para>
</question>
<answer>
<para>
The parameter <parameter>force user</parameter> causes all operations on the share to assume the UID
of the forced user. The new default GID that applies is the primary GID of the forced user.
This gives all users of this resource the actual privilege of the forced user.
</para>
<para>
When a directory is set SUID, the operating system forces files that are written within it
to be owned by the owner of the directory. While this happens, the user who is using the share
has only the level of privilege he or she is assigned within the operating system context.
</para>
<para>
The parameter <parameter>force user</parameter> has potential security implications that go
beyond the actual share root directory. Be careful and wary of using this parameter.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
When would you use both the per share parameter <parameter>force user</parameter> as well
as setting the share root directory SUID?
</para>
</question>
<answer>
<para>
You would use both parameters when it is necessary to guarantee that all share handling operations
are conducted as the forced user, while all file and directory creation are done as the SUID
directory owner.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What is better about CUPS printing than LPRng printing?
</para>
</question>
<answer>
<para>
CUPS is a print spooling system that has integrated remote management facilities, provides completely
automated print processing/preprocessing, and has the potential to be configured to automatically
apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the
target printer. CUPS includes an image file RIP that supports printing of image files to
non-PostScript printers. CUPS has lots of bells and whistles and is more like a super-charged MS Windows
NT/200x print monitor and processor. Its complexity can be eliminated or turbo-charged to suit
any fancy.
</para>
<para>
The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print
spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng is capable
of being configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd
spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
</para>
<para>
Which is better is a matter of personal taste. It depends on what you want to do and how you want to
do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
When should Windows client IP addresses be hard coded?
</para>
</question>
<answer>
<para>
When there are few MS Windows clients, little client change, no mobile users, and users are not
inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows
client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove
user ability to access network configuration controls, fixed configuration eliminates the need
for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network
failure.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Under what circumstances would it be best to use a DHCP server?
</para>
</question>
<answer>
<para>
In network configurations where there are mobile users, or where Windows client PCs move around
(particularly between offices or between subnets), it makes complete sense to control all Windows
client configurations using a DHCP server. Additionally, when users do tamper with the network
settings, the use of DHCP can be used to normalize all client settings.
</para>
<para>
One of the least appreciated benefits of using a DHCP server to assign all network client
device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
settings, change network addressing, or enhance the ability of client devices to
benefit from new network services.
</para>
<para>
Another benefit of modern DHCP servers is the ability of the DHCP server to register dynamically
assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in
a large Windows network environment.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
What is the purpose of setting the parameter <parameter>guest ok</parameter> on a share?
</para>
</question>
<answer>
<para>
If this parameter is yes for a service, then no password is required to connect to the service.
Privileges are those of the guest account.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
When would you set the global parameter <parameter>disable spoolss</parameter>?
</para>
</question>
<answer>
<para>
Setting this parameter to <constant>Yes</constant> disables Samba's support for the SPOOLSS set of
MS-RPC's and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to
using LanMan style printing commands. Windows 9x/ME are unaffected by the parameter. However, this
disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer
Wizard or by using the NT printer properties dialog window. It also disables the capability of
Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about
setting this parameter.
</para>
<para>
The alternate parameter <parameter>use client driver</parameter> applies only to Windows NT/200x clients. It has no
effect on Windows 95/98/ME clients. When serving a printer to Windows NT/200x clients without first installing a valid
printer driver on the Samba host, the client is required to install a local printer driver. From this point on,
the client treats the printer as a local printer and not a network printer connection. This is much the same behavior
that occurs when <parameter>disable spoolss = yes</parameter>.
</para>
<para>
Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client
considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated
with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often
the case), the OpenPrinterEx() call fails. The result is that the client now displays an "Access Denied; Unable
to connect" message in the printer queue window (even though jobs may be printed successfully). This parameter MUST
not be enabled on a print share that has valid print driver installed on the Samba server.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Why would you disable password caching on Windows 9x/Me clients?
</para>
</question>
<answer>
<para>
Windows 9x/Me workstations that are set at default (password caching enabled) store the username and
password in files located in the Windows master directory. Such files can be scavenged (read off a client
machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed.
It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
The example of Abmas Accounting Inc. uses User Mode security. How does this provide anonymous access?
</para>
</question>
<answer>
<para>
The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional,
and given that users are logging onto their machines, by default the client attempts to connect to
a remote server using currently logged in user credentials. By ensuring that the user's login ID and
password is the same as those set on the Samba server, access is transparent and does not require
separate user authentication.
</para>
</answer>
</qandaentry>
</qandaset>
</sect1>
</chapter>
View Git Blame Copy Permalink