sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-11 16:58:40 +03:00
Code
samba-mirror/docs/htmldocs/advancednetworkmanagement.html
Jelmer Vernooij ee88b8214e Regenerate docs 
(This used to be commit 4f1865f7c234f3f4a7f5dba19db4a5d139db5a48)
2003-04-19 14:59:58 +00:00

555 lines
12 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML
><HEAD
><TITLE
>Advanced Network Manangement</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
REL="UP"
TITLE="Advanced Configuration"
HREF="optional.html"><LINK
REL="PREVIOUS"
TITLE="Unified Logons between Windows NT and UNIX using Winbind"
HREF="winbind.html"><LINK
REL="NEXT"
TITLE="System and Account Policies"
HREF="policymgmt.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>SAMBA Project Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="policymgmt.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ADVANCEDNETWORKMANAGEMENT"
></A
>Chapter 16. Advanced Network Manangement</H1
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>16.1. <A
HREF="advancednetworkmanagement.html#AEN2869"
>Configuring Samba Share Access Controls</A
></DT
><DT
>16.2. <A
HREF="advancednetworkmanagement.html#AEN2907"
>Remote Server Administration</A
></DT
><DT
>16.3. <A
HREF="advancednetworkmanagement.html#AEN2924"
>Network Logon Script Magic</A
></DT
></DL
></DIV
><P
>This section attempts to document peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.</P
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2869"
>16.1. Configuring Samba Share Access Controls</A
></H1
><P
>This section deals with how to configure Samba per share access control restrictions.
By default samba sets no restrictions on the share itself. Restrictions on the share itself
can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can
connect to a share. In the absence of specific restrictions the default setting is to allow
the global user <SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Everyone</I
></SPAN
> Full Control (ie: Full control, Change and Read).</P
><P
>At this time Samba does NOT provide a tool for configuring access control setting on the Share
itself. Samba does have the capacity to store and act on access control settings, but the only
way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for
Computer Management.</P
><P
>Samba stores the per share access control settings in a file called <TT
CLASS="FILENAME"
>share_info.tdb</TT
>.
The location of this file on your system will depend on how samba was compiled. The default location
for samba's tdb files is under <TT
CLASS="FILENAME"
>/usr/local/samba/var</TT
>. If the <TT
CLASS="FILENAME"
>tdbdump</TT
>
utility has been compiled and installed on your system then you can examine the contents of this file
by: <KBD
CLASS="USERINPUT"
>tdbdump share_info.tdb</KBD
>.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2879"
>16.1.1. Share Permissions Management</A
></H2
><P
>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P
><DIV
CLASS="SECT3"
><H3
CLASS="SECT3"
><A
NAME="AEN2882"
>16.1.1.1. Windows NT4 Workstation/Server</A
></H3
><P
>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager.
Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation.
You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P
><DIV
CLASS="PROCEDURE"
><P
><B
>Instructions</B
></P
><OL
TYPE="1"
><LI
><P
>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu
select Computer, then click on the Shared Directories entry.</P
></LI
><LI
><P
> Now click on the share that you wish to manage, then click on the Properties tab, next click on
the Permissions tab. Now you can Add or change access control settings as you wish.</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="SECT3"
><H3
CLASS="SECT3"
><A
NAME="AEN2891"
>16.1.1.2. Windows 200x/XP</A
></H3
><P
>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native
tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder,
then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows
<SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Everyone</I
></SPAN
> Full Control on the Share.</P
><P
>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the
Microsoft Management Console (MMC). This tool is located by clicking on <TT
CLASS="FILENAME"
>Control Panel -&#62;
Administrative Tools -&#62; Computer Management</TT
>.</P
><DIV
CLASS="PROCEDURE"
><P
><B
>Instructions</B
></P
><OL
TYPE="1"
><LI
><P
> After launching the MMC with the Computer Management snap-in, click on the menu item 'Action',
select 'Connect to another computer'. If you are not logged onto a domain you will be prompted
to enter a domain login user identifier and a password. This will authenticate you to the domain.
If you where already logged in with administrative privilidge this step is not offered.</P
></LI
><LI
><P
>If the Samba server is not shown in the Select Computer box, then type in the name of the target
Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+]
next to 'Shared Folders' in the left panel.</P
></LI
><LI
><P
>Now in the right panel, double-click on the share you wish to set access control permissions on.
Then click on the tab 'Share Permissions'. It is now possible to add access control entities
to the shared folder. Do NOT forget to set what type of access (full control, change, read) you
wish to assign for each entry.</P
></LI
></OL
></DIV
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
HSPACE="5"
ALT="Warning"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Be careful. If you take away all permissions from the Everyone user without removing this user
then effectively no user will be able to access the share. This is a result of what is known as
ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone
will have no access even if this user is given explicit full control access.</P
></TD
></TR
></TABLE
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2907"
>16.2. Remote Server Administration</A
></H1
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>How do I get 'User Manager' and 'Server Manager'?</I
></SPAN
></P
><P
>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains',
the 'Server Manager'?</P
><P
>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me
systems. The tools set includes:</P
><P
></P
><UL
><LI
><P
>Server Manager</P
></LI
><LI
><P
>User Manager for Domains</P
></LI
><LI
><P
>Event Viewer</P
></LI
></UL
><P
>Click here to download the archived file <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
></P
><P
>The Windows NT 4.0 version of the 'User Manager for
Domains' and 'Server Manager' are available from Microsoft via ftp
from <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
></P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN2924"
>16.3. Network Logon Script Magic</A
></H1
><P
>This section needs work. Volunteer contributions most welcome. Please send your patches or updates
to <A
HREF="mailto:jht@samba.org"
TARGET="_top"
>John Terpstra</A
>.</P
><P
>There are several opportunities for creating a custom network startup configuration environment.</P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>No Logon Script</TD
></TR
><TR
><TD
>Simple universal Logon Script that applies to all users</TD
></TR
><TR
><TD
>Use of a conditional Logon Script that applies per user or per group attirbutes</TD
></TR
><TR
><TD
>Use of Samba's Preexec and Postexec functions on access to the NETLOGON share to create
a custom Logon Script and then execute it.</TD
></TR
><TR
><TD
>User of a tool such as KixStart</TD
></TR
></TBODY
></TABLE
><P
></P
><P
>The Samba source code tree includes two logon script generation/execution tools. See <TT
CLASS="FILENAME"
>examples</TT
> directory <TT
CLASS="FILENAME"
>genlogon</TT
> and <TT
CLASS="FILENAME"
>ntlogon</TT
> subdirectories.</P
><P
>The following listings are from the genlogon directory.</P
><P
>This is the genlogon.pl file:
<PRE
CLASS="PROGRAMLISTING"
> #!/usr/bin/perl
#
# genlogon.pl
#
# Perl script to generate user logon scripts on the fly, when users
# connect from a Windows client. This script should be called from smb.conf
# with the %U, %G and %L parameters. I.e:
#
# root preexec = genlogon.pl %U %G %L
#
# The script generated will perform
# the following:
#
# 1. Log the user connection to /var/log/samba/netlogon.log
# 2. Set the PC's time to the Linux server time (which is maintained
# daily to the National Institute of Standard's Atomic clock on the
# internet.
# 3. Connect the user's home drive to H: (H for Home).
# 4. Connect common drives that everyone uses.
# 5. Connect group-specific drives for certain user groups.
# 6. Connect user-specific drives for certain users.
# 7. Connect network printers.
# Log client connection
#($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
open LOG, "&#62;&#62;/var/log/samba/netlogon.log";
print LOG "$mon/$mday/$year $hour:$min:$sec - User $ARGV[0] logged into $ARGV[1]\n";
close LOG;
# Start generating logon script
open LOGON, "&#62;/shared/netlogon/$ARGV[0].bat";
print LOGON "\@ECHO OFF\r\n";
# Connect shares just use by Software Development group
if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
{
print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
}
# Connect shares just use by Technical Support staff
if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
{
print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
}
# Connect shares just used by Administration staff
If ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
{
print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
}
# Now connect Printers. We handle just two or three users a little
# differently, because they are the exceptions that have desktop
# printers on LPT1: - all other user's go to the LaserJet on the
# server.
if ($ARGV[0] eq 'jim'
|| $ARGV[0] eq 'yvonne')
{
print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
}
else
{
print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
}
# All done! Close the output file.
close LOGON;</PRE
></P
><P
>Those wishing to use more elaborate or capable logon processing system should check out the following sites:</P
><P
></P
><TABLE
BORDER="0"
><TBODY
><TR
><TD
>http://www.craigelachie.org/rhacer/ntlogon</TD
></TR
><TR
><TD
>http://www.kixtart.org</TD
></TR
></TBODY
></TABLE
><P
></P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="winbind.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="samba-howto-collection.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="policymgmt.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Unified Logons between Windows NT and UNIX using Winbind</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="optional.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>System and Account Policies</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
View Git Blame Copy Permalink