mirror of
https://github.com/samba-team/samba.git
synced 2024-12-28 07:21:54 +03:00
e42e87d544
Part of a fix for bug #7938. Based on a patch provided by John Bradshaw <john@johnbradshaw.org>. Karolin Autobuild-User: Karolin Seeger <kseeger@samba.org> Autobuild-Date: Tue May 8 13:56:32 CEST 2012 on sn-devel-104
4519 lines
181 KiB
XML
4519 lines
181 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<chapter id="happy">
|
|
<title>Making Happy Users</title>
|
|
|
|
<para>
|
|
It is said that <quote>a day that is without troubles is not fulfilling. Rather, give
|
|
me a day of troubles well handled so that I can be content with my achievements.</quote>
|
|
</para>
|
|
|
|
<para>
|
|
In the world of computer networks, problems are as varied as the people who create them
|
|
or experience them. The design of the network implemented in <link linkend="Big500users"/>
|
|
may create problems for some network users. The following lists some of the problems that
|
|
may occur:
|
|
</para>
|
|
|
|
<indexterm><primary>PDC</primary></indexterm>
|
|
<indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>user account</primary></indexterm>
|
|
<indexterm><primary>PDC/BDC ratio</primary></indexterm>
|
|
<caution><para>
|
|
A significant number of network administrators have responded to the guidance given
|
|
here. It should be noted that there are sites that have a single PDC for many hundreds of
|
|
concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
|
|
are among the factors that determine the maximum number of Windows clients that
|
|
can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
|
|
to operate with only a single PDC over a routed network. What is possible is not necessarily
|
|
<emphasis>best practice</emphasis>. When Windows client network logons begin to fail with
|
|
the message that the domain controller cannot be found or that the user account cannot
|
|
be found (when you know it exists), that may be an indication that the domain controller is
|
|
overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
|
|
clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute.
|
|
</para></caution>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Users experiencing difficulty logging onto the network</term>
|
|
<listitem><para>
|
|
<indexterm><primary>network</primary><secondary>logon</secondary></indexterm>
|
|
<indexterm><primary>multiple domain controllers</primary></indexterm>
|
|
When a Windows client logs onto the network, many data packets are exchanged
|
|
between the client and the server that is providing the network logon services.
|
|
Each request between the client and the server must complete within a specific
|
|
time limit. This is one of the primary factors that govern the installation of
|
|
multiple domain controllers (usually called secondary or backup controllers).
|
|
As a rough rule, there should be one such backup controller for every
|
|
30 to 150 clients. The actual limits are determined by network operational
|
|
characteristics.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>PDC</primary></indexterm>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>clients per DC</primary></indexterm>
|
|
If the domain controller provides only network logon services
|
|
and all file and print activity is handled by domain member servers, one domain
|
|
controller per 150 clients on a single network segment may suffice. In any
|
|
case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
|
|
per network segment. It is better to have at least one BDC on the network
|
|
segment that has a PDC. If the domain controller is also used as a file and
|
|
print server, the number of clients it can service reliably is reduced,
|
|
and generally for low powered hardware should not exceed 30 machines (Windows
|
|
workstations plus domain member servers) per domain controller. Many sites are
|
|
able to operate with more clients per domain controller, the number of clients
|
|
that can be supported is limited by the CPU speed, memory and the workload on
|
|
the Samba server as well as network bandwidth utilization.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Slow logons and log-offs</term>
|
|
<listitem><para>
|
|
<indexterm><primary>slow logon</primary></indexterm>
|
|
Slow logons and log-offs may be caused by many factors that include:
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
<indexterm><primary>NetBIOS</primary><secondary>name resolution</secondary><tertiary>delays</tertiary></indexterm>
|
|
<indexterm><primary>WINS</primary><secondary>server</secondary></indexterm>
|
|
Excessive delays in the resolution of a NetBIOS name to its IP
|
|
address. This may be observed when an overloaded domain controller
|
|
is also the WINS server. Another cause may be the failure to use
|
|
a WINS server (this assumes that there is a single network segment).
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>traffic collisions</primary></indexterm>
|
|
<indexterm><primary>HUB</primary></indexterm>
|
|
<indexterm><primary>ethernet switch</primary></indexterm>
|
|
Network traffic collisions due to overloading of the network
|
|
segment. One short-term workaround to this may be to replace
|
|
network HUBs with Ethernet switches.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>networking hardware</primary><secondary>defective</secondary></indexterm>
|
|
Defective networking hardware. Over the past few years, we have seen
|
|
on the Samba mailing list a significant increase in the number of
|
|
problems that were traced to a defective network interface controller,
|
|
a defective HUB or Ethernet switch, or defective cabling. In most cases,
|
|
it was the erratic nature of the problem that ultimately pointed to
|
|
the cause of the problem.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>profile</primary><secondary>roaming</secondary></indexterm>
|
|
<indexterm><primary>MS Outlook</primary><secondary>PST file</secondary></indexterm>
|
|
Excessively large roaming profiles. This type of problem is typically
|
|
the result of poor user education as well as poor network management.
|
|
It can be avoided by users not storing huge quantities of email in
|
|
MS Outlook PST files as well as by not storing files on the desktop.
|
|
These are old bad habits that require much discipline and vigilance
|
|
on the part of network management.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>WebClient</primary></indexterm>
|
|
You should verify that the Windows XP WebClient service is not running.
|
|
The use of the WebClient service has been implicated in many Windows
|
|
networking-related problems.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Loss of access to network drives and printer resources</term>
|
|
<listitem><para>
|
|
Loss of access to network resources during client operation may be caused by a number
|
|
of factors, including:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
<indexterm><primary>network</primary><secondary>overload</secondary></indexterm>
|
|
Network overload (typically indicated by a high network collision rate)
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Server overload
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>network</primary><secondary>timeout</secondary></indexterm>
|
|
Timeout causing the client to close a connection that is in use but has
|
|
been latent (no traffic) for some time (5 minutes or more)
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>network hardware</primary><secondary>defective</secondary></indexterm>
|
|
Defective networking hardware
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
|
|
No matter what the cause, a sudden loss of access to network resources can
|
|
result in BSOD (blue screen of death) situations that necessitate rebooting of the client
|
|
workstation. In the case of a mild problem, retrying to access the network drive of the printer
|
|
may restore operations, but in any case this is a serious problem that may lead to the next
|
|
problem, data corruption.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Potential data corruption</term>
|
|
<listitem><para>
|
|
<indexterm><primary>data</primary><secondary>corruption</secondary></indexterm>
|
|
Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
|
|
frustration, and generally precipitates immediate corrective demands. Management response
|
|
to this type of problem may be rational, as well as highly irrational. There have been
|
|
cases where management has fired network staff for permitting this situation to occur without
|
|
immediate correction. There have been situations where perfectly functional hardware was thrown
|
|
out and replaced, only to find the problem caused by a low-cost network hardware item. There
|
|
have been cases where server operating systems were replaced, or where Samba was updated,
|
|
only to later isolate the problem due to defective client software.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
In this chapter, you can work through a number of measures that significantly arm you to
|
|
anticipate and combat network performance issues. You can work through complex and thorny
|
|
methods to improve the reliability of your network environment, but be warned that all such steps
|
|
demand the price of complexity.
|
|
</para>
|
|
|
|
<sect1>
|
|
<title>Regarding LDAP Directories and Windows Computer Accounts</title>
|
|
|
|
<para>
|
|
<indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm>
|
|
Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
|
|
constraints that are described in this section.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>POSIX</primary></indexterm>
|
|
<indexterm><primary>SambaSAMAccount</primary></indexterm>
|
|
<indexterm><primary>machine account</primary></indexterm>
|
|
<indexterm><primary>trust account</primary></indexterm>
|
|
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
|
|
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
|
|
them. A user account and a machine account are indistinguishable from each other, except that
|
|
the machine account ends in a $ character, as do trust accounts.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>account</primary></indexterm>
|
|
<indexterm><primary>UID</primary></indexterm>
|
|
The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
|
|
is a design decision that was made a long way back in the history of Samba development. It is
|
|
unlikely that this decision will be reversed or changed during the remaining life of the
|
|
Samba-3.x series.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>SID</primary></indexterm>
|
|
<indexterm><primary>NSS</primary></indexterm>
|
|
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
|
|
must refer back to the host operating system on which Samba is running. The name service
|
|
switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
|
|
need to know everything about every host OS it runs on.
|
|
</para>
|
|
|
|
<para>
|
|
Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
|
|
and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
|
|
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
|
|
Samba. Samba provides winbindd together with its support libraries as one method. It is
|
|
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
|
|
all account entities can be located in an LDAP directory.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
|
|
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
|
|
is fundamentally an LDAP design question. The information provided on the Samba list and
|
|
in the documentation is directed at providing working examples only. The design
|
|
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
|
|
<sect1>
|
|
<title>Introduction</title>
|
|
|
|
<para>
|
|
You just opened an email from Christine that reads:
|
|
</para>
|
|
|
|
<para>
|
|
Good morning,
|
|
<blockquote><attribution>Christine</attribution><para>
|
|
A few months ago we sat down to design the network. We discussed the challenges ahead and we all
|
|
agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
|
|
that we would have some time to resolve any issues that might be encountered.
|
|
</para>
|
|
|
|
<para>
|
|
As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
|
|
resigned yesterday afternoon because she was under duress to complete some critical projects. She
|
|
suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
|
|
of which was lost. She has a unique requirement that involves storing large files on her desktop.
|
|
Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
|
|
takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
|
|
network logon traffic passes over the network links between our buildings, logging on may take
|
|
three or four attempts due to blue screen problems associated with network timeouts.
|
|
</para>
|
|
|
|
<para>
|
|
A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
|
|
resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
|
|
limits on what our users can do with their desktops. Otherwise, we face staff losses
|
|
that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
|
|
with the consequences of what we know we must do than we can with the unrest we have now.
|
|
</para>
|
|
|
|
<para>
|
|
Stan and I have discussed the current situation. We are resolved to help our users and protect
|
|
the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
|
|
regain control of our vital IT operations.
|
|
</para></blockquote>
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>compromise</primary></indexterm>
|
|
<indexterm><primary>network</primary><secondary>multi-segment</secondary></indexterm>
|
|
Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
|
|
single domain controller is a poor design that has obvious operational effects that may
|
|
frustrate users. Here is your reply:
|
|
</para>
|
|
|
|
<blockquote><attribution>Bob</attribution><para>
|
|
Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
|
|
proposals to resolve the issues. I am confident that your plans fully realized will significantly
|
|
boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
|
|
Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
|
|
for approval; I appreciate the urgency.
|
|
</para></blockquote>
|
|
|
|
<sect2>
|
|
<title>Assignment Tasks</title>
|
|
|
|
<para>
|
|
The priority of assigned tasks in this chapter is:
|
|
</para>
|
|
|
|
<orderedlist>
|
|
<listitem><para>
|
|
<indexterm><primary>Backup Domain Controller</primary><see>BDC</see></indexterm>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>tdbsam</primary></indexterm>
|
|
<indexterm><primary>LDAP</primary></indexterm><indexterm><primary>migration</primary></indexterm>
|
|
Implement Backup Domain Controllers (BDCs) in each building. This involves
|
|
a change from a <emphasis>tdbsam</emphasis> backend that was used in the previous
|
|
chapter to an LDAP-based backend.
|
|
</para>
|
|
|
|
<para>
|
|
You can implement a single central LDAP server for this purpose.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>logon time</primary></indexterm>
|
|
<indexterm><primary>network share</primary></indexterm>
|
|
<indexterm><primary>default profile</primary></indexterm>
|
|
<indexterm><primary>profile</primary><secondary>default</secondary></indexterm>
|
|
Rectify the problem of excessive logon times. This involves redirection of
|
|
folders to network shares as well as modification of all user desktops to
|
|
exclude the redirected folders from being loaded at login time. You can also
|
|
create a new default profile that can be used for all new users.
|
|
</para></listitem>
|
|
</orderedlist>
|
|
|
|
<para>
|
|
<indexterm><primary>disk image</primary></indexterm>
|
|
You configure a new MS Windows XP Professional workstation disk image that you roll out
|
|
to all desktop users. The instructions you have created are followed on a staging machine
|
|
from which all changes can be carefully tested before inflicting them on your network users.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>CUPS</primary></indexterm>
|
|
This is the last network example in which specific mention of printing is made. The example
|
|
again makes use of the CUPS printing system.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Dissection and Discussion</title>
|
|
|
|
<para>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>LDAP</primary></indexterm>
|
|
<indexterm><primary>OpenLDAP</primary></indexterm>
|
|
The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
|
|
For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
|
|
LDAP servers in current use with Samba-3 include:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
<indexterm><primary>eDirectory</primary></indexterm>
|
|
Novell <ulink url="http://www.novell.com/products/edirectory/">eDirectory</ulink>
|
|
is being successfully used by some sites. Information on how to use eDirectory can be
|
|
obtained from the Samba mailing lists or from Novell.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>Tivoli Directory Server</primary></indexterm>
|
|
IBM <ulink url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli
|
|
Directory Server</ulink> can be used to provide the Samba LDAP backend. Example schema
|
|
files are provided in the Samba source code tarball under the directory
|
|
<filename>~samba/example/LDAP.</filename>
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>Sun ONE Identity Server</primary></indexterm>
|
|
Sun <ulink url="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml">ONE Identity
|
|
Server product suite</ulink> provides an LDAP server that can be used for Samba.
|
|
Example schema files are provided in the Samba source code tarball under the directory
|
|
<filename>~samba/example/LDAP.</filename>
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
|
|
offerings, it requires that you manually edit the server configuration files and manually
|
|
initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
|
|
help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Active Directory</primary></indexterm>
|
|
For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
|
|
adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
|
|
GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
|
|
requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Identity Management</primary></indexterm>
|
|
<indexterm><primary>high availability</primary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>replication</secondary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>synchronization</secondary></indexterm>
|
|
<indexterm><primary>performance</primary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>management</secondary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
|
|
When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
|
|
High availability operation may be obtained through directory replication/synchronization and
|
|
master/slave server configurations. OpenLDAP is a mature platform to host the organizational
|
|
directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
|
|
The price paid through learning how to design an LDAP directory schema in implementation and configuration
|
|
of management tools is well rewarded by performance and flexibility and the freedom to manage directory
|
|
contents with greater ability to back up, restore, and modify the directory than is generally possible
|
|
with Microsoft Active Directory.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>comparison</primary><secondary>Active Directory & OpenLDAP</secondary></indexterm>
|
|
<indexterm><primary>ADAM</primary></indexterm>
|
|
<indexterm><primary>Active Directory</primary></indexterm>
|
|
<indexterm><primary>OpenLDAP</primary></indexterm>
|
|
A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
|
|
tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
|
|
for a specific task orientation. It comes with a set of administrative tools that is entirely customized
|
|
for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
|
|
server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
|
|
who wants to build a custom directory solution. Microsoft provides an application called
|
|
<ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx">
|
|
MS ADAM</ulink> that provides more generic LDAP services, yet it does not have the vanilla-like services
|
|
of OpenLDAP.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>directory</primary><secondary>schema</secondary></indexterm>
|
|
<indexterm><primary>passdb backend</primary></indexterm>
|
|
You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
|
|
if you find the challenge of learning about LDAP directories, schemas, configuration, and management
|
|
tools and the creation of shell and Perl scripts a bit
|
|
challenging. OpenLDAP can be easily customized, though it includes
|
|
many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
|
|
that is required for use as a passdb backend.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>interoperability</primary></indexterm>
|
|
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
|
|
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
|
|
The Web-based tools you might like to consider include the
|
|
<ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM) and the Webmin-based
|
|
<ulink url="http://www.webmin.com">Webmin</ulink> Idealx
|
|
<ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>.
|
|
</para>
|
|
|
|
<para>
|
|
Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
|
|
these, so it may be useful to them:
|
|
<ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser;
|
|
LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink>
|
|
<ulink url="http://www.jxplorer.org/">; JXplorer</ulink> (by Computer Associates);
|
|
and <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>.
|
|
</para>
|
|
|
|
<note><para>
|
|
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
|
|
security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
|
|
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
|
|
LDAP before attempting to deploy it in a business-critical environment.
|
|
</para></note>
|
|
|
|
<para>
|
|
Information to help you get started with OpenLDAP is available from the
|
|
<ulink url="http://www.openldap.org/pub/">OpenLDAP web site</ulink>. Many people have found the book
|
|
<ulink url="http://www.oreilly.com/catalog/ldapsa/index.html"><emphasis>LDAP System Administration</emphasis>,</ulink>
|
|
by Jerry Carter quite useful.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>network</primary><secondary>segment</secondary></indexterm>
|
|
<indexterm><primary>performance</primary></indexterm>
|
|
<indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm>
|
|
Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
|
|
main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
|
|
be loaded over the WAN connection. The addition of BDCs on each network segment significantly
|
|
improves overall network performance for most users, but it is not enough. You must gain control over
|
|
user desktops, and this must be done in a way that wins their support and does not cause further loss of
|
|
staff morale. The following procedures solve this problem.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>smart printing</primary></indexterm>
|
|
There is also an opportunity to implement smart printing features. You add this to the Samba configuration
|
|
so that future printer changes can be managed without need to change desktop configurations.
|
|
</para>
|
|
|
|
<para>
|
|
You add the ability to automatically download new printer drivers, even if they are not installed
|
|
in the default desktop profile. Only one example of printing configuration is given. It is assumed that
|
|
you can extrapolate the principles and use them to install all printers that may be needed.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Technical Issues</title>
|
|
|
|
<para>
|
|
<indexterm><primary>identity</primary><secondary>management</secondary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>server</secondary></indexterm>
|
|
<indexterm><primary>Posix</primary></indexterm>
|
|
The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
|
|
server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
|
|
accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
|
|
attributes Samba needs. Samba-3 can use the LDAP backend to store:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>Windows Networking User Accounts</para></listitem>
|
|
<listitem><para>Windows NT Group Accounts</para></listitem>
|
|
<listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem>
|
|
<listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
<indexterm><primary>UNIX accounts</primary></indexterm>
|
|
<indexterm><primary>Windows accounts</primary></indexterm>
|
|
<indexterm><primary>PADL LDAP tools</primary></indexterm>
|
|
<indexterm><primary>/etc/group</primary></indexterm>
|
|
<indexterm><primary>LDAP</primary></indexterm>
|
|
<indexterm><primary>name service switch</primary><see>NSS</see></indexterm>
|
|
<indexterm><primary>NSS</primary></indexterm>
|
|
<indexterm><primary>UID</primary></indexterm>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
|
|
accounts in the LDAP backend. This implies the need to use the
|
|
<ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution
|
|
of the UNIX group name to its GID must be enabled from either the <filename>/etc/group</filename>
|
|
or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> tool-set
|
|
that integrates with the NSS. The same requirements exist for resolution
|
|
of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>.
|
|
</para>
|
|
|
|
<figure id="sbehap-LDAPdiag">
|
|
<title>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</title>
|
|
<imagefile scale="50">UNIX-Samba-and-LDAP</imagefile>
|
|
</figure>
|
|
|
|
<para>
|
|
<indexterm><primary>security</primary></indexterm>
|
|
<indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm>
|
|
You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
|
|
ought to learn how to configure secure communications over LDAP so that site security is not
|
|
at risk. This is not covered in the following guidance.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>PDC</primary></indexterm>
|
|
<indexterm><primary>LDAP Interchange Format</primary><see>LDIF</see></indexterm>
|
|
<indexterm><primary>LDIF</primary></indexterm>
|
|
<indexterm><primary>secrets.tdb</primary></indexterm>
|
|
When OpenLDAP has been made operative, you configure the PDC called <constant>MASSIVE</constant>.
|
|
You initialize the Samba <filename>secrets.tdb<subscript></subscript></filename> file. Then you
|
|
create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
|
|
You need to decide how best to create user and group accounts. A few hints are, of course, provided.
|
|
You can also find on the enclosed CD-ROM, in the <filename>Chap06</filename> directory, a few tools
|
|
that help to manage user and group configuration.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>folder redirection</primary></indexterm>
|
|
<indexterm><primary>default profile</primary></indexterm>
|
|
<indexterm><primary>roaming profile</primary></indexterm>
|
|
In order to effect folder redirection and to add robustness to the implementation,
|
|
create a network default profile. All network users workstations are configured to use
|
|
the new profile. Roaming profiles will automatically be deleted from the workstation
|
|
when the user logs off.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>mandatory profile</primary></indexterm>
|
|
The profile is configured so that users cannot change the appearance
|
|
of their desktop. This is known as a mandatory profile. You make certain that users
|
|
are able to use their computers efficiently.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>logon script</primary></indexterm>
|
|
A network logon script is used to deliver flexible but consistent network drive
|
|
connections.
|
|
</para>
|
|
|
|
<sect3 id="sbehap-ppc">
|
|
<title>Addition of Machines to the Domain</title>
|
|
|
|
<para>
|
|
<indexterm><primary></primary></indexterm>
|
|
<indexterm><primary></primary></indexterm>
|
|
<indexterm><primary></primary></indexterm>
|
|
<indexterm><primary></primary></indexterm>
|
|
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
|
|
that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
|
|
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
|
|
<constant>Privileges</constant>, which provides five new privileges that
|
|
can be assigned to users and/or groups; see Table 5.1.
|
|
</para>
|
|
|
|
|
|
<table id="sbehap-privs">
|
|
<title>Current Privilege Capabilities</title>
|
|
<tgroup cols="2">
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<thead>
|
|
<row>
|
|
<entry align="left">Privilege</entry>
|
|
<entry align="left">Description</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry><para>SeMachineAccountPrivilege</para></entry>
|
|
<entry><para>Add machines to domain</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SePrintOperatorPrivilege</para></entry>
|
|
<entry><para>Manage printers</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeAddUsersPrivilege</para></entry>
|
|
<entry><para>Add users and groups to the domain</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeRemoteShutdownPrivilege</para></entry>
|
|
<entry><para>Force shutdown from a remote system</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeDiskOperatorPrivilege</para></entry>
|
|
<entry><para>Manage disk share</para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>
|
|
In this network example use is made of one of the supported privileges purely to demonstrate
|
|
how any user can now be given the ability to add machines to the domain using a normal user account
|
|
that has been given the appropriate privileges.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Roaming Profile Background</title>
|
|
|
|
<para>
|
|
As XP roaming profiles grow, so does the amount of time it takes to log in and out.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>roaming profile</primary></indexterm>
|
|
<indexterm><primary>HKEY_CURRENT_USER</primary></indexterm>
|
|
<indexterm><primary>NTUSER.DAT</primary></indexterm>
|
|
<indexterm><primary>%USERNAME%</primary></indexterm>
|
|
An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file
|
|
<filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data,
|
|
Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
|
|
network with the default configuration of MS Windows NT/200x/XPP, all this data is
|
|
copied to the local machine under the <filename>C:\Documents and Settings\%USERNAME%</filename>
|
|
directory. While the user is logged in, any changes made to any of these folders or to the
|
|
<constant>HKEY_CURRENT_USER</constant> branch of the registry are made to the local copy
|
|
of the profile. At logout the profile data is copied back to the server. This behavior
|
|
can be changed through appropriate registry changes and/or through changes to the default
|
|
user profile. In the latter case, it updates the registry with the values that are set in the
|
|
profile <filename>NTUSER.DAT</filename>
|
|
file.
|
|
</para>
|
|
|
|
<para>
|
|
The first challenge is to reduce the amount of data that must be transferred to and
|
|
from the profile server as roaming profiles are processed. This includes removing
|
|
all the shortcuts in the Recent directory, making sure the cache used by the Web browser
|
|
is not being dumped into the <filename>Application Data</filename> folder, removing the
|
|
Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
|
|
user to not place large files on the desktop and to use his or her mapped home directory
|
|
instead of the <filename>My Documents</filename> folder for saving documents.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>My Documents</primary></indexterm>
|
|
Using a folder other than <filename>My Documents</filename> is a nuisance for
|
|
some users, since many applications use it by default.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>roaming profiles</primary></indexterm>
|
|
<indexterm><primary>Local Group Policy</primary></indexterm>
|
|
<indexterm><primary>NTUSER.DAT</primary></indexterm>
|
|
The secret to rapid loading of roaming profiles is to prevent unnecessary data from
|
|
being copied back and forth, without losing any functionality. This is not difficult;
|
|
it can be done by making changes to the Local Group Policy on each client as well
|
|
as changing some paths in each user's <filename>NTUSER.DAT</filename> hive.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Network Default Profile</primary></indexterm>
|
|
<indexterm><primary>redirected folders</primary></indexterm>
|
|
Every user profile has its own <filename>NTUSER.DAT</filename> file. This means
|
|
you need to edit every user's profile, unless a better method can be
|
|
followed. Fortunately, with the right preparations, this is not difficult.
|
|
It is possible to remove the <filename>NTUSER.DAT</filename> file from each
|
|
user's profile. Then just create a Network Default Profile. Of course, it is
|
|
necessary to copy all files from redirected folders to the network share to which
|
|
they are redirected.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3 id="sbehap-locgrppol">
|
|
<title>The Local Group Policy</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Group Policy Objects</primary></indexterm>
|
|
<indexterm><primary>Active Directory</primary></indexterm>
|
|
<indexterm><primary>PDC</primary></indexterm>
|
|
<indexterm><primary>Group Policy editor</primary></indexterm>
|
|
Without an Active Directory PDC, you cannot take full advantage of Group Policy
|
|
Objects. However, you can still make changes to the Local Group Policy by using
|
|
the Group Policy editor (<command>gpedit.msc</command>).
|
|
</para>
|
|
|
|
<para>
|
|
The <emphasis>Exclude directories in roaming profile</emphasis> settings can
|
|
be found under
|
|
<menuchoice>
|
|
<guimenu>User Configuration</guimenu>
|
|
<guimenuitem>Administrative Templates</guimenuitem>
|
|
<guimenuitem>System</guimenuitem>
|
|
<guimenuitem>User Profiles</guimenuitem>
|
|
</menuchoice>.
|
|
By default this setting contains
|
|
<quote>Local Settings; Temporary Internet Files; History; Temp</quote>.
|
|
</para>
|
|
|
|
<para>
|
|
Simply add the folders you do not wish to be copied back and forth to this
|
|
semicolon-separated list. Note that this change must be made on all clients
|
|
that are using roaming profiles.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Profile Changes</title>
|
|
|
|
<para>
|
|
<indexterm><primary>NTUSER.DAT</primary></indexterm>
|
|
<indexterm><primary>%USERNAME%</primary></indexterm>
|
|
There are two changes that should be done to each user's profile. Move each of
|
|
the directories that you have excluded from being copied back and forth out of
|
|
the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file
|
|
to point to the new paths that are shared over the network instead of to the default
|
|
path (<filename>C:\Documents and Settings\%USERNAME%</filename>).
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Default User</primary></indexterm>
|
|
<indexterm><primary>regedt32</primary></indexterm>
|
|
The above modifies existing user profiles. So that newly created profiles have
|
|
these settings, you need to modify the <filename>NTUSER.DAT</filename> in
|
|
the <filename>C:\Documents and Settings\Default User</filename> folder on each
|
|
client machine, changing the same registry keys. You could do this by copying
|
|
<filename>NTUSER.DAT</filename> to a Linux box and using <command>regedt32</command>.
|
|
The basic method is described under <link linkend="redirfold"/>.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Using a Network Default User Profile</title>
|
|
|
|
<para>
|
|
<indexterm><primary>NETLOGON</primary></indexterm>
|
|
<indexterm><primary>NTUSER.DAT</primary></indexterm>
|
|
If you are using Samba as your PDC, you should create a file share called
|
|
<constant>NETLOGON</constant> and within that create a directory called
|
|
<filename>Default User</filename>, which is a copy of the desired default user
|
|
configuration (including a copy of <filename>NTUSER.DAT</filename>).
|
|
If this share exists and the <filename>Default User</filename> folder exists,
|
|
the first login from a new account pulls its configuration from it.
|
|
See also <ulink url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html">
|
|
the Real Men Don't Click</ulink> Web site.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Installation of Printer Driver Auto-Download</title>
|
|
|
|
<para>
|
|
<indexterm><primary>printing</primary><secondary>dumb</secondary></indexterm>
|
|
<indexterm><primary>dumb printing</primary></indexterm>
|
|
<indexterm><primary>Raw Print Through</primary></indexterm>
|
|
The subject of printing is quite topical. Printing problems run second place to name
|
|
resolution issues today. So far in this book, you have experienced only what is generally
|
|
known as <quote>dumb</quote> printing. Dumb printing is the arrangement by which all drivers
|
|
are manually installed on each client and the printing subsystems perform no filtering
|
|
or intelligent processing. Dumb printing is easily understood. It usually works without
|
|
many problems, but it has its limitations also. Dumb printing is better known as
|
|
<command>Raw-Print-Through</command> printing.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
|
|
<indexterm><primary>printing</primary><secondary>point-n-click</secondary></indexterm>
|
|
Samba permits the configuration of <command>smart</command> printing using the Microsoft
|
|
Windows point-and-click (also called drag-and-drop) printing. What this provides is
|
|
essentially the ability to print to any printer. If the local client does not yet have a
|
|
driver installed, the driver is automatically downloaded from the Samba server and
|
|
installed on the client. Drag-and-drop printing is neat; it means the user never needs
|
|
to fuss with driver installation, and that is a <trademark>Good Thing,</trademark>
|
|
isn't it?
|
|
</para>
|
|
|
|
<para>
|
|
There is a further layer of print job processing that is known as <command>intelligent</command>
|
|
printing that automatically senses the file format of data submitted for printing and
|
|
then invokes a suitable print filter to convert the incoming data stream into a format
|
|
suited to the printer to which the job is dispatched.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>CUPS</primary></indexterm>
|
|
<indexterm><primary>Easy Software Products</primary></indexterm>
|
|
<indexterm><primary>Postscript</primary></indexterm>
|
|
The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
|
|
detect the data format and apply a print filter. This means that it is feasible to install
|
|
on all Windows clients a single printer driver for use with all printers that are routed
|
|
through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
|
|
<ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have
|
|
released a PostScript printing driver for Windows. It can be installed into the Samba
|
|
printing backend so that it automatically downloads to the client when needed.
|
|
</para>
|
|
|
|
<para>
|
|
This means that so long as there is a CUPS driver for the printer, all printing from Windows
|
|
software can use PostScript, no matter what the actual printer language for the physical
|
|
device is. It also means that the administrator can swap out a printer with a totally
|
|
different type of device without ever needing to change a client workstation driver.
|
|
</para>
|
|
|
|
<para>
|
|
This book is about Samba-3, so you can confine the printing style to just the smart
|
|
style of installation. Those interested in further information regarding intelligent
|
|
printing should review documentation on the Easy Software Products Web site.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3 id="sbeavoid">
|
|
<title>Avoiding Failures: Solving Problems Before They Happen</title>
|
|
|
|
<para>
|
|
It has often been said that there are three types of people in the world: those who
|
|
have sharp minds and those who forget things. Please do not ask what the third group
|
|
is like! Well, it seems that many of us have company in the second group. There must
|
|
be a good explanation why so many network administrators fail to solve apparently
|
|
simple problems efficiently and effectively.
|
|
</para>
|
|
|
|
<para>
|
|
Here are some diagnostic guidelines that can be referred to when things go wrong:
|
|
</para>
|
|
|
|
<sect4>
|
|
<title>Preliminary Advice: Dangers Can Be Avoided</title>
|
|
|
|
<para>
|
|
The best advice regarding how to mend a broken leg is <quote>Never break a leg!</quote>
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>LDAP</primary></indexterm>
|
|
Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
|
|
regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote>
|
|
</para>
|
|
|
|
<para>
|
|
If you are now asking yourself how problems can be avoided, the best advice is to start
|
|
out your learning experience with a <emphasis>known-good configuration.</emphasis> After
|
|
you have seen a fully working solution, a good way to learn is to make slow and progressive
|
|
changes that cause things to break, then observe carefully how and why things ceased to work.
|
|
</para>
|
|
|
|
<para>
|
|
The examples in this chapter (also in the book as a whole) are known to work. That means
|
|
that they could serve as the kick-off point for your journey through fields of knowledge.
|
|
Use this resource carefully; we hope it serves you well.
|
|
</para>
|
|
|
|
<warning><para>
|
|
Do not be lulled into thinking that you can easily adopt the examples in this
|
|
book and adapt them without first working through the examples provided. A little
|
|
thing overlooked can cause untold pain and may permanently tarnish your experience.
|
|
</para></warning>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>The Name Service Caching Daemon</title>
|
|
|
|
<para>
|
|
The name service caching daemon (nscd) is a primary cause of difficulties with name
|
|
resolution, particularly where <command>winbind</command> is used. Winbind does its
|
|
own caching, thus nscd causes double caching which can lead to peculiar problems during
|
|
debugging. As a rule, it is a good idea to turn off the name service caching daemon.
|
|
</para>
|
|
|
|
<para>
|
|
Operation of the name service caching daemon is controlled by the
|
|
<filename>/etc/nscd.conf</filename> file. Typical contents of this file are as follows:
|
|
<screen>
|
|
# /etc/nscd.conf
|
|
# An example Name Service Cache config file. This file is needed by nscd.
|
|
# Legal entries are:
|
|
# logfile <file>
|
|
# debug-level <level>
|
|
# threads <threads to use>
|
|
# server-user <user to run server as instead of root>
|
|
# server-user is ignored if nscd is started with -S parameters
|
|
# stat-user <user who is allowed to request statistics>
|
|
# reload-count unlimited|<number>
|
|
#
|
|
# enable-cache <service> <yes|no>
|
|
# positive-time-to-live <service> <time in seconds>
|
|
# negative-time-to-live <service> <time in seconds>
|
|
# suggested-size <service> <prime number>
|
|
# check-files <service> <yes|no>
|
|
# persistent <service> <yes|no>
|
|
# shared <service> <yes|no>
|
|
# Currently supported cache names (services): passwd, group, hosts
|
|
# logfile /var/log/nscd.log
|
|
# threads 6
|
|
# server-user nobody
|
|
# stat-user somebody
|
|
debug-level 0
|
|
# reload-count 5
|
|
enable-cache passwd yes
|
|
positive-time-to-live passwd 600
|
|
negative-time-to-live passwd 20
|
|
suggested-size passwd 211
|
|
check-files passwd yes
|
|
persistent passwd yes
|
|
shared passwd yes
|
|
enable-cache group yes
|
|
positive-time-to-live group 3600
|
|
negative-time-to-live group 60
|
|
suggested-size group 211
|
|
check-files group yes
|
|
persistent group yes
|
|
shared group yes
|
|
# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
|
|
# cache hosts will cause your local system to not be able to trust
|
|
# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
|
|
# this sort of security mechanism. Use a caching DNS server instead.
|
|
enable-cache hosts no
|
|
positive-time-to-live hosts 3600
|
|
negative-time-to-live hosts 20
|
|
suggested-size hosts 211
|
|
check-files hosts yes
|
|
persistent hosts yes
|
|
shared hosts yes
|
|
</screen>
|
|
It is feasible to comment out the <constant>passwd</constant> and <constant>group</constant>
|
|
entries so they will not be cached. Alternatively, it is often simpler to just disable the
|
|
<command>nscd</command> service by executing (on Novell SUSE Linux):
|
|
<screen>
|
|
&rootprompt; chkconfig nscd off
|
|
&rootprompt; rcnscd off
|
|
</screen>
|
|
</para>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Debugging LDAP</title>
|
|
|
|
<para>
|
|
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
|
|
<indexterm><primary>loglevel</primary></indexterm>
|
|
<indexterm><primary>slapd</primary></indexterm>
|
|
In the example <filename>/etc/openldap/slapd.conf</filename> control file
|
|
(see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>.
|
|
To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
|
|
and restart <command>slapd</command>.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>/etc/syslog.conf</primary></indexterm>
|
|
<indexterm><primary>/var/log/ldaplogs</primary></indexterm>
|
|
LDAP log information can be directed into a file that is separate from the normal system
|
|
log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following
|
|
contents:
|
|
<screen>
|
|
# Some foreign boot scripts require local7
|
|
#
|
|
local0,local1.* -/var/log/localmessages
|
|
local2,local3.* -/var/log/localmessages
|
|
local5.* -/var/log/localmessages
|
|
local6,local7.* -/var/log/localmessages
|
|
local4.* -/var/log/ldaplogs
|
|
</screen>
|
|
In this case, all LDAP-related logs will be directed to the file
|
|
<filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors.
|
|
The snippet provides a simple example of usage that can be modified to suit
|
|
local site needs. The configuration used later in this chapter reflects such
|
|
customization with the intent that LDAP log files will be stored at a location
|
|
that meets local site needs and wishes more fully.
|
|
</para>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Debugging NSS_LDAP</title>
|
|
|
|
<para>
|
|
The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
|
|
<filename>/etc/ldap.conf</filename> file the following parameters:
|
|
<screen>
|
|
debug 256
|
|
logdir /data/logs
|
|
</screen>
|
|
Create the log directory as follows:
|
|
<screen>
|
|
&rootprompt; mkdir /data/logs
|
|
</screen>
|
|
</para>
|
|
|
|
<?latex \newpage ?>
|
|
|
|
<para>
|
|
The diagnostic process should follow these steps:
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>NSS_LDAP Diagnostic Steps</title>
|
|
|
|
<step><para>
|
|
Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries
|
|
in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory
|
|
tree location that was chosen when the directory was first created.
|
|
</para>
|
|
|
|
<para>
|
|
One way this can be done is by executing:
|
|
<screen>
|
|
&rootprompt; slapcat | grep Group | grep dn
|
|
dn: ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
|
|
dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
|
|
</screen>
|
|
The first line is the DIT entry point for the container for POSIX groups. The correct entry
|
|
for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant>
|
|
parameter therefore is the distinguished name (dn) as applied here:
|
|
<screen>
|
|
nss_base_group ou=Groups,dc=abmas,dc=biz?one
|
|
</screen>
|
|
The same process may be followed to determine the appropriate dn for user accounts.
|
|
If the container for computer accounts is not the same as that for users (see the &smb.conf;
|
|
file entry for <constant>ldap machine suffix</constant>), it may be necessary to set the
|
|
following DIT dn in the <filename>/etc/ldap.conf</filename> file:
|
|
<screen>
|
|
nss_base_passwd dc=abmas,dc=biz?sub
|
|
</screen>
|
|
This instructs LDAP to search for machine as well as user entries from the top of the DIT
|
|
down. This is inefficient, but at least should work. Note: It is possible to specify multiple
|
|
<constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file; they
|
|
will be evaluated sequentially. Let us consider an example of use where the following DIT
|
|
has been implemented:
|
|
</para>
|
|
|
|
<para>
|
|
<itemizedlist>
|
|
<listitem><para>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</para></listitem>
|
|
<listitem><para>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</para></listitem>
|
|
<listitem><para>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para>
|
|
The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive
|
|
in the <filename>/etc/ldap.conf</filename> file may be:
|
|
<screen>
|
|
nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
|
|
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Perform lookups such as:
|
|
<screen>
|
|
&rootprompt; getent passwd
|
|
</screen>
|
|
Each such lookup will create an entry in the <filename>/data/log</filename> directory
|
|
for each such process executed. The contents of each file created in this directory
|
|
may provide a hint as to the cause of the a problem that is under investigation.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
For additional diagnostic information, check the contents of the <filename>/var/log/messages</filename>
|
|
to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
|
|
a successful lookup:
|
|
<screen>
|
|
slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
|
|
(IP=0.0.0.0:389)
|
|
slapd[12164]: conn=0 op=0 BIND dn="" method=128
|
|
slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
|
|
slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
|
|
filter="(objectClass=*)"
|
|
slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
|
|
nentries=1 text=
|
|
slapd[12164]: conn=0 op=2 UNBIND
|
|
slapd[12164]: conn=0 fd=10 closed
|
|
slapd[12164]: conn=1 fd=10 ACCEPT from
|
|
IP=127.0.0.1:33540 (IP=0.0.0.0:389)
|
|
slapd[12164]: conn=1 op=0 BIND
|
|
dn="cn=Manager,dc=abmas,dc=biz" method=128
|
|
slapd[12164]: conn=1 op=0 BIND
|
|
dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
|
|
slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
|
|
slapd[12164]: conn=1 op=1 SRCH
|
|
base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
|
|
filter="(objectClass=posixAccount)"
|
|
slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
|
|
uidNumber gidNumber cn
|
|
homeDirectory loginShell gecos description objectClass
|
|
slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
|
|
nentries=2 text=
|
|
slapd[12164]: conn=1 fd=10 closed
|
|
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the
|
|
<filename>/etc/ldap.secrets</filename> file is correct, as specified in the
|
|
<filename>/etc/openldap/slapd.conf</filename> file.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Debugging Samba</title>
|
|
|
|
<para>
|
|
The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems:
|
|
<screen>
|
|
[global]
|
|
...
|
|
log level = 5
|
|
log file = /var/log/samba/%m.log
|
|
max log size = 0
|
|
...
|
|
</screen>
|
|
This will result in the creation of a separate log file for every client from which connections
|
|
are made. The log file will be quite verbose and will grow continually. Do not forget to
|
|
change these lines to the following when debugging has been completed:
|
|
<screen>
|
|
[global]
|
|
...
|
|
log level = 1
|
|
log file = /var/log/samba/%m.log
|
|
max log size = 50
|
|
...
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
The log file can be analyzed by executing:
|
|
<screen>
|
|
&rootprompt; cd /var/log/samba
|
|
&rootprompt; grep -v "^\[200" machine_name.log
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
Search for hints of what may have failed by looking for the words <emphasis>fail</emphasis>
|
|
and <emphasis>error</emphasis>.
|
|
</para>
|
|
|
|
</sect4>
|
|
|
|
<sect4>
|
|
<title>Debugging on the Windows Client</title>
|
|
|
|
<para>
|
|
MS Windows 2000 Professional and Windows XP Professional clients can be configured
|
|
to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
|
|
the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
|
|
version of MS Windows.
|
|
</para>
|
|
|
|
</sect4>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
|
|
<sect2>
|
|
<title>Political Issues</title>
|
|
|
|
<para>
|
|
MS Windows network users are generally very sensitive to limits that may be imposed when
|
|
confronted with locked-down workstation configurations. The challenge you face must
|
|
be promoted as a choice between reliable, fast network operation and a constant flux
|
|
of problems that result in user irritation.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Installation Checklist</title>
|
|
|
|
<para>
|
|
You are starting a complex project. Even though you went through the installation of a complex
|
|
network in <link linkend="Big500users"/>, this network is a bigger challenge because of the
|
|
large number of complex applications that must be configured before the first few steps
|
|
can be validated. Take stock of what you are about to undertake, prepare yourself, and
|
|
frequently review the steps ahead while making at least a mental note of what has already
|
|
been completed. The following task list may help you to keep track of the task items
|
|
that are covered:
|
|
</para>
|
|
|
|
|
|
<itemizedlist>
|
|
<listitem><para>Samba-3 PDC Server Configuration</para>
|
|
<orderedlist>
|
|
<listitem><para>DHCP and DNS servers</para></listitem>
|
|
<listitem><para>OpenLDAP server</para></listitem>
|
|
<listitem><para>PAM and NSS client tools</para></listitem>
|
|
<listitem><para>Samba-3 PDC</para></listitem>
|
|
<listitem><para>Idealx smbldap scripts</para></listitem>
|
|
<listitem><para>LDAP initialization</para></listitem>
|
|
<listitem><para>Create user and group accounts</para></listitem>
|
|
<listitem><para>Printers</para></listitem>
|
|
<listitem><para>Share point directory roots</para></listitem>
|
|
<listitem><para>Profile directories</para></listitem>
|
|
<listitem><para>Logon scripts</para></listitem>
|
|
<listitem><para>Configuration of user rights and privileges</para></listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
<listitem><para>Samba-3 BDC Server Configuration</para>
|
|
<orderedlist>
|
|
<listitem><para>DHCP and DNS servers</para></listitem>
|
|
<listitem><para>PAM and NSS client tools</para></listitem>
|
|
<listitem><para>Printers</para></listitem>
|
|
<listitem><para>Share point directory roots</para></listitem>
|
|
<listitem><para>Profiles directories</para></listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
<listitem><para>Windows XP Client Configuration</para>
|
|
<orderedlist>
|
|
<listitem><para>Default profile folder redirection</para></listitem>
|
|
<listitem><para>MS Outlook PST file relocation</para></listitem>
|
|
<listitem><para>Delete roaming profile on logout</para></listitem>
|
|
<listitem><para>Upload printer drivers to Samba servers</para></listitem>
|
|
<listitem><para>Install software</para></listitem>
|
|
<listitem><para>Creation of roll-out images</para></listitem>
|
|
</orderedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Samba Server Implementation</title>
|
|
|
|
<para>
|
|
<indexterm><primary>file servers</primary></indexterm>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed
|
|
that you will install additional file servers and possibly additional BDCs.
|
|
</para>
|
|
|
|
<figure id="chap6net">
|
|
<title>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend</title>
|
|
<imagefile scale="50">chap6-net</imagefile>
|
|
</figure>
|
|
|
|
<para>
|
|
<indexterm><primary>SUSE Linux</primary></indexterm>
|
|
<indexterm><primary>Red Hat Linux</primary></indexterm>
|
|
All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
|
|
Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
|
|
adjust the locations for your particular Linux system distribution/implementation.
|
|
</para>
|
|
|
|
<note><para>
|
|
The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
|
|
scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
|
|
please verify that the versions you are about to use are matching. The smbldap-tools package
|
|
uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
|
|
issued for POSIX accounts. The LDAP rdn under which this information is stored are called
|
|
<constant>uidNumber</constant> and <constant>gidNumber</constant> respectively. These may be
|
|
located in any convenient part of the directory information tree (DIT). In the examples that
|
|
follow they have been located under <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>.
|
|
They could just as well be located under the rdn <constant>cn=NextFreeUnixId</constant>.
|
|
</para></note>
|
|
|
|
<para>
|
|
The steps in the process involve changes from the network configuration shown in
|
|
<link linkend="Big500users"/>. Before implementing the following steps, you must
|
|
have completed the network implementation shown in that chapter. If you are starting
|
|
with newly installed Linux servers, you must complete the steps shown in
|
|
<link linkend="ch5-dnshcp-setup"/> before commencing at <link linkend="ldapsetup"/>.
|
|
</para>
|
|
|
|
<sect2 id="ldapsetup">
|
|
<title>OpenLDAP Server Configuration</title>
|
|
|
|
<para>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
<indexterm><primary>pam_ldap</primary></indexterm>
|
|
<indexterm><primary>openldap</primary></indexterm>
|
|
Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system.
|
|
</para>
|
|
|
|
<table id="oldapreq">
|
|
<title>Required OpenLDAP Linux Packages</title>
|
|
<tgroup cols="3">
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<thead>
|
|
<row>
|
|
<entry align="center">SUSE Linux 8.x</entry>
|
|
<entry align="center">SUSE Linux 9.x</entry>
|
|
<entry align="center">Red Hat Linux</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry>nss_ldap</entry>
|
|
<entry>nss_ldap</entry>
|
|
<entry>nss_ldap</entry>
|
|
</row>
|
|
<row>
|
|
<entry>pam_ldap</entry>
|
|
<entry>pam_ldap</entry>
|
|
<entry>pam_ldap</entry>
|
|
</row>
|
|
<row>
|
|
<entry>openldap2</entry>
|
|
<entry>openldap2</entry>
|
|
<entry>openldap</entry>
|
|
</row>
|
|
<row>
|
|
<entry>openldap2-client</entry>
|
|
<entry>openldap2-client</entry>
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<para>
|
|
Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
|
|
for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
|
|
follow these guidelines, the resulting system should work fine.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>OpenLDAP Server Configuration Steps</title>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm>
|
|
Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory
|
|
<filename>/etc/openldap</filename>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/data/ldap</primary></indexterm>
|
|
<indexterm><primary>group account</primary></indexterm>
|
|
<indexterm><primary>user account</primary></indexterm>
|
|
Remove all files from the directory <filename>/data/ldap</filename>, making certain that
|
|
the directory exists with permissions:
|
|
<screen>
|
|
&rootprompt; ls -al /data | grep ldap
|
|
drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
|
|
</screen>
|
|
This may require you to add a user and a group account for LDAP if they do not exist.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>DB_CONFIG</primary></indexterm>
|
|
Install the file shown in <link linkend="sbehap-dbconf"/> in the directory
|
|
<filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant>
|
|
has been started, it is possible to cause the new settings to take effect by shutting down
|
|
the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the
|
|
<filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>syslog</primary></indexterm>
|
|
Performance logging can be enabled and should preferably be sent to a file on
|
|
a file system that is large enough to handle significantly sized logs. To enable
|
|
the logging at a verbose level to permit detailed analysis, uncomment the entry in
|
|
the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>.
|
|
</para>
|
|
|
|
<para>
|
|
Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end
|
|
of the file:
|
|
<screen>
|
|
local4.* -/data/ldap/log/openldap.log
|
|
</screen>
|
|
Note: The path <filename>/data/ldap/log</filename> should be set at a location
|
|
that is convenient and that can store a large volume of data.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<example id="sbehap-dbconf">
|
|
<title>LDAP DB_CONFIG File</title>
|
|
<screen>
|
|
set_cachesize 0 150000000 1
|
|
set_lg_regionmax 262144
|
|
set_lg_bsize 2097152
|
|
#set_lg_dir /var/log/bdb
|
|
set_flags DB_LOG_AUTOREMOVE
|
|
</screen>
|
|
</example>
|
|
|
|
<example id="sbehap-slapdconf">
|
|
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title>
|
|
<screen>
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/nis.schema
|
|
include /etc/openldap/schema/samba3.schema
|
|
|
|
pidfile /var/run/slapd/slapd.pid
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
access to dn.base=""
|
|
by self write
|
|
by * auth
|
|
|
|
access to attr=userPassword
|
|
by self write
|
|
by * auth
|
|
|
|
access to attr=shadowLastChange
|
|
by self write
|
|
by * read
|
|
|
|
access to *
|
|
by * read
|
|
by anonymous auth
|
|
|
|
#loglevel 256
|
|
|
|
schemacheck on
|
|
idletimeout 30
|
|
backend bdb
|
|
database bdb
|
|
checkpoint 1024 5
|
|
cachesize 10000
|
|
|
|
suffix "dc=abmas,dc=biz"
|
|
rootdn "cn=Manager,dc=abmas,dc=biz"
|
|
|
|
# rootpw = not24get
|
|
rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
|
|
|
|
directory /data/ldap
|
|
</screen>
|
|
</example>
|
|
|
|
<example id="sbehap-slapdconf2">
|
|
<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title>
|
|
<screen>
|
|
# Indices to maintain
|
|
index objectClass eq
|
|
index cn pres,sub,eq
|
|
index sn pres,sub,eq
|
|
index uid pres,sub,eq
|
|
index displayName pres,sub,eq
|
|
index uidNumber eq
|
|
index gidNumber eq
|
|
index memberUID eq
|
|
index sambaSID eq
|
|
index sambaPrimaryGroupSID eq
|
|
index sambaDomainName eq
|
|
index default sub
|
|
</screen>
|
|
</example>
|
|
|
|
</sect2>
|
|
|
|
<sect2 id="sbehap-PAM-NSS">
|
|
<title>PAM and NSS Client Configuration</title>
|
|
|
|
<para>
|
|
<indexterm><primary>LDAP</primary></indexterm>
|
|
<indexterm><primary>NSS</primary></indexterm>
|
|
<indexterm><primary>PAM</primary></indexterm>
|
|
The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
|
|
groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
|
|
the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm>
|
|
<indexterm><primary>pam_unix2.so</primary></indexterm>
|
|
Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
|
|
that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
|
|
correct configuration of PAM. The <command>pam_ldap</command> open source package provides the
|
|
PAM modules that most people would use. On SUSE Linux systems, the <command>pam_unix2.so</command>
|
|
module also has the ability to redirect authentication requests through LDAP.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>YaST</primary></indexterm>
|
|
<indexterm><primary>SUSE Linux</primary></indexterm>
|
|
<indexterm><primary>Red Hat Linux</primary></indexterm>
|
|
<indexterm><primary>authconfig</primary></indexterm>
|
|
You have chosen to configure these services by directly editing the system files, but of course, you
|
|
know that this configuration can be done using system tools provided by the Linux system vendor.
|
|
SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu>
|
|
<guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits
|
|
configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <command>authconfig</command>
|
|
tool for this.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>PAM and NSS Client Configuration Steps</title>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/lib/libnss_ldap.so.2</primary></indexterm>
|
|
<indexterm><primary>/etc/ldap.conf</primary></indexterm>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
Execute the following command to find where the <filename>nss_ldap</filename> module
|
|
expects to find its control file:
|
|
<screen>
|
|
&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf
|
|
</screen>
|
|
The preferred and usual location is <filename>/etc/ldap.conf</filename>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
On the server <constant>MASSIVE</constant>, install the file shown in
|
|
<link linkend="sbehap-nss01"/> into the path that was obtained from the step above.
|
|
On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in
|
|
<link linkend="sbehap-nss02"/> into the path that was obtained from the step above.
|
|
</para></step>
|
|
|
|
<example id="sbehap-nss01">
|
|
<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
|
|
<screen>
|
|
host 127.0.0.1
|
|
|
|
base dc=abmas,dc=biz
|
|
|
|
binddn cn=Manager,dc=abmas,dc=biz
|
|
bindpw not24get
|
|
|
|
timelimit 50
|
|
bind_timelimit 50
|
|
bind_policy hard
|
|
|
|
idle_timelimit 3600
|
|
|
|
pam_password exop
|
|
|
|
nss_base_passwd ou=People,dc=abmas,dc=biz?one
|
|
nss_base_shadow ou=People,dc=abmas,dc=biz?one
|
|
nss_base_group ou=Groups,dc=abmas,dc=biz?one
|
|
|
|
ssl off
|
|
</screen>
|
|
</example>
|
|
|
|
<example id="sbehap-nss02">
|
|
<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title>
|
|
<screen>
|
|
host 172.16.0.1
|
|
|
|
base dc=abmas,dc=biz
|
|
|
|
binddn cn=Manager,dc=abmas,dc=biz
|
|
bindpw not24get
|
|
|
|
timelimit 50
|
|
bind_timelimit 50
|
|
bind_policy hard
|
|
|
|
idle_timelimit 3600
|
|
|
|
pam_password exop
|
|
|
|
nss_base_passwd ou=People,dc=abmas,dc=biz?one
|
|
nss_base_shadow ou=People,dc=abmas,dc=biz?one
|
|
nss_base_group ou=Groups,dc=abmas,dc=biz?one
|
|
|
|
ssl off
|
|
</screen>
|
|
</example>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
|
|
Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that
|
|
control user and group resolution will obtain information from the normal system files as
|
|
well as from <command>ldap</command>:
|
|
<screen>
|
|
passwd: files ldap
|
|
shadow: files ldap
|
|
group: files ldap
|
|
hosts: files dns wins
|
|
</screen>
|
|
Later, when the LDAP database has been initialized and user and group accounts have been
|
|
added, you can validate resolution of the LDAP resolver process. The inclusion of
|
|
WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
|
|
resolved to their IP addresses, whether or not they are DHCP clients.
|
|
</para>
|
|
|
|
<note><para>
|
|
Some Linux systems (Novell SUSE Linux in particular) add entries to the <filename>nsswitch.conf</filename>
|
|
file that may cause operational problems with the configuration methods adopted in this book. It is
|
|
advisable to comment out the entries <constant>passwd_compat</constant> and <constant>group_compat</constant>
|
|
where they are found in this file.
|
|
</para></note>
|
|
|
|
<para>
|
|
Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
|
|
<filename>nsswitch.conf</filename> file is a significant cause of operational problems with LDAP.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>pam_unix2.so</primary><secondary>use_ldap</secondary></indexterm>
|
|
For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
|
|
files in the <filename>/etc/pam.d</filename> directory: <command>login</command>, <command>password</command>,
|
|
<command>samba</command>, <command>sshd</command>. In each file, locate every entry that has the
|
|
<command>pam_unix2.so</command> entry and add to the line the entry <command>use_ldap</command> as shown
|
|
for the <command>login</command> module in this example:
|
|
<screen>
|
|
#%PAM-1.0
|
|
auth requisite pam_unix2.so nullok use_ldap #set_secrpc
|
|
auth required pam_securetty.so
|
|
auth required pam_nologin.so
|
|
#auth required pam_homecheck.so
|
|
auth required pam_env.so
|
|
auth required pam_mail.so
|
|
account required pam_unix2.so use_ldap
|
|
password required pam_pwcheck.s nullok
|
|
password required pam_unix2.so nullok use_first_pass \
|
|
use_authtok use_ldap
|
|
session required pam_unix2.so none use_ldap # debug or trace
|
|
session required pam_limits.so
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>pam_ldap.so</primary></indexterm>
|
|
On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module,
|
|
you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here:
|
|
<screen>
|
|
#%PAM-1.0
|
|
auth required pam_securetty.so
|
|
auth required pam_nologin.so
|
|
auth sufficient pam_ldap.so
|
|
auth required pam_unix2.so nullok try_first_pass #set_secrpc
|
|
account sufficient pam_ldap.so
|
|
account required pam_unix2.so
|
|
password required pam_pwcheck.so nullok
|
|
password required pam_ldap.so use_first_pass use_authtok
|
|
password required pam_unix2.so nullok use_first_pass use_authtok
|
|
session required pam_unix2.so none # debug or trace
|
|
session required pam_limits.so
|
|
session required pam_env.so
|
|
session optional pam_mail.so
|
|
</screen>
|
|
This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply
|
|
demonstrates the use of the <command>pam_ldap.so</command> module. You can use either
|
|
implementation, but if the <command>pam_unix2.so</command> on your system supports
|
|
LDAP, you probably want to use it rather than add an additional module.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
|
|
<sect2 id="sbehap-massive">
|
|
<title>Samba-3 PDC Configuration</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Samba RPM Packages</primary></indexterm>
|
|
Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
|
|
before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
|
|
choice to either build your own or obtain the packages from a dependable source.
|
|
Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
|
|
Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
|
|
is included with this book.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Configuration of PDC Called <constant>MASSIVE</constant></title>
|
|
|
|
<step><para>
|
|
Install the files in <link linkend="sbehap-massive-smbconfa"/>,
|
|
<link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>,
|
|
and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename>
|
|
directory. The three files should be added together to form the &smb.conf;
|
|
master file. It is a good practice to call this file something like
|
|
<filename>smb.conf.master</filename> and then to perform all file edits
|
|
on the master file. The operational &smb.conf; is then generated as shown in
|
|
the next step.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>testparm</primary></indexterm>
|
|
Create and verify the contents of the &smb.conf; file that is generated by:
|
|
<screen>
|
|
&rootprompt; testparm -s smb.conf.master > smb.conf
|
|
</screen>
|
|
Immediately follow this with the following:
|
|
<screen>
|
|
&rootprompt; testparm
|
|
</screen>
|
|
The output that is created should be free from errors, as shown here:
|
|
|
|
<screen>
|
|
Load smb config files from /etc/samba/smb.conf
|
|
Processing section "[accounts]"
|
|
Processing section "[service]"
|
|
Processing section "[pidata]"
|
|
Processing section "[homes]"
|
|
Processing section "[printers]"
|
|
Processing section "[apps]"
|
|
Processing section "[netlogon]"
|
|
Processing section "[profiles]"
|
|
Processing section "[profdata]"
|
|
Processing section "[print$]"
|
|
Loaded services file OK.
|
|
Server role: ROLE_DOMAIN_PDC
|
|
Press enter to see a dump of your service definitions
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Delete all runtime files from prior Samba operation by executing (for SUSE
|
|
Linux):
|
|
<screen>
|
|
&rootprompt; rm /etc/samba/*tdb
|
|
&rootprompt; rm /var/lib/samba/*tdb
|
|
&rootprompt; rm /var/lib/samba/*dat
|
|
&rootprompt; rm /var/log/samba/*
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>secrets.tdb</primary></indexterm>
|
|
<indexterm><primary>smbpasswd</primary></indexterm>
|
|
Samba-3 communicates with the LDAP server. The password that it uses to
|
|
authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename>
|
|
file. Execute the following to create the new <filename>secrets.tdb</filename> files
|
|
and store the password for the LDAP Manager:
|
|
<screen>
|
|
&rootprompt; smbpasswd -w not24get
|
|
</screen>
|
|
The expected output from this command is:
|
|
<screen>
|
|
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbd</primary></indexterm>
|
|
<indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm>
|
|
Samba-3 generates a Windows Security Identifier (SID) only when <command>smbd</command>
|
|
has been started. For this reason, you start Samba. After a few seconds delay,
|
|
execute:
|
|
<screen>
|
|
&rootprompt; smbclient -L localhost -U%
|
|
&rootprompt; net getlocalsid
|
|
</screen>
|
|
A report such as the following means that the domain SID has not yet
|
|
been written to the <filename>secrets.tdb</filename> or to the LDAP backend:
|
|
<screen>
|
|
[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
|
|
failed to bind to server ldap://massive.abmas.biz
|
|
with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
|
|
(unknown)
|
|
[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
|
|
smbldap_search_suffix: Problem during the LDAP search:
|
|
(unknown) (Timed out)
|
|
</screen>
|
|
The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
|
|
is not running, this operation will fail by way of a timeout, as shown previously. This is
|
|
normal output; do not worry about this error message. When the domain has been created and
|
|
written to the <filename>secrets.tdb</filename> file, the output should look like this:
|
|
<screen>
|
|
SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
|
|
</screen>
|
|
If, after a short delay (a few seconds), the domain SID has still not been written to
|
|
the <filename>secrets.tdb</filename> file, it is necessary to investigate what
|
|
may be misconfigured. In this case, carefully check the &smb.conf; file for typographical
|
|
errors (the most common problem). The use of the <command>testparm</command> is highly
|
|
recommended to validate the contents of this file.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
When a positive domain SID has been reported, stop Samba.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>NFS server</primary></indexterm>
|
|
<indexterm><primary>/etc/exports</primary></indexterm>
|
|
<indexterm><primary>BDC</primary></indexterm>
|
|
<indexterm><primary>rsync</primary></indexterm>
|
|
Configure the NFS server for your Linux system. So you can complete the steps that
|
|
follow, enter into the <filename>/etc/exports</filename> the following entry:
|
|
<screen>
|
|
/home *(rw,root_squash,sync)
|
|
</screen>
|
|
This permits the user home directories to be used on the BDC servers for testing
|
|
purposes. You, of course, decide what is the best way for your site to distribute
|
|
data drives, and you create suitable backup and restore procedures for Abmas
|
|
I'd strongly recommend that for normal operation the BDC is completely independent
|
|
of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
|
|
closely. If you do use NFS, do not forget to start the NFS server as follows:
|
|
<screen>
|
|
&rootprompt; rcnfsserver start
|
|
</screen>
|
|
</para></step>
|
|
</procedure>
|
|
|
|
<para>
|
|
Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
|
|
configuration of the LDAP server.
|
|
</para>
|
|
|
|
<example id="sbehap-massive-smbconfa">
|
|
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="unix charset">LOCALE</smbconfoption>
|
|
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
|
|
<smbconfoption name="netbios name">MASSIVE</smbconfoption>
|
|
<smbconfoption name="interfaces">eth1, lo</smbconfoption>
|
|
<smbconfoption name="bind interfaces only">Yes</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="enable privileges">Yes</smbconfoption>
|
|
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
|
|
<smbconfoption name="log level">1</smbconfoption>
|
|
<smbconfoption name="syslog">0</smbconfoption>
|
|
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
|
|
<smbconfoption name="max log size">50</smbconfoption>
|
|
<smbconfoption name="smb ports">139</smbconfoption>
|
|
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
|
|
<smbconfoption name="time server">Yes</smbconfoption>
|
|
<smbconfoption name="printcap name">CUPS</smbconfoption>
|
|
<smbconfoption name="show add printer wizard">No</smbconfoption>
|
|
<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
|
|
<smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption>
|
|
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
|
|
<smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption>
|
|
<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
|
|
<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
|
|
<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
|
|
<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<example id="sbehap-massive-smbconfb">
|
|
<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title>
|
|
<smbconfblock>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">X:</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="preferred master">Yes</smbconfoption>
|
|
<smbconfoption name="wins support">Yes</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
|
|
<smbconfoption name="map acl inherit">Yes</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
</sect2>
|
|
|
|
|
|
<sect2 id="sbeidealx">
|
|
<title>Install and Configure Idealx smbldap-tools Scripts</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
|
|
The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
|
|
on the LDAP server. You have chosen the Idealx scripts because they are the best-known
|
|
LDAP configuration scripts. The use of these scripts will help avoid the necessity
|
|
to create custom scripts. It is easy to download them from the Idealx
|
|
<ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may
|
|
be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz">downloaded</ulink>
|
|
from this site also. Alternatively, you may obtain the
|
|
<ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm">smbldap-tools-0.9.1-1.src.rpm</ulink>
|
|
file that may be used to build an installable RPM package for your Linux system.
|
|
</para>
|
|
|
|
<note><para>
|
|
The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
|
|
change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>).
|
|
</para></note>
|
|
|
|
<para>
|
|
The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>.
|
|
The scripts are not needed on BDC machines because all LDAP updates are handled by
|
|
the PDC alone.
|
|
</para>
|
|
|
|
<sect3>
|
|
<title>Installation of smbldap-tools from the Tarball</title>
|
|
|
|
<para>
|
|
To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
|
|
</para>
|
|
|
|
<procedure id="idealxscript">
|
|
<title>Unpacking and Installation Steps for the <constant>smbldap-tools</constant> Tarball</title>
|
|
|
|
<step><para>
|
|
Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions
|
|
and ownership as shown here:
|
|
<screen>
|
|
&rootprompt; mkdir -p /opt/IDEALX/sbin
|
|
&rootprompt; chown root:root /opt/IDEALX/sbin
|
|
&rootprompt; chmod 755 /opt/IDEALX/sbin
|
|
&rootprompt; mkdir -p /etc/smbldap-tools
|
|
&rootprompt; chown root:root /etc/smbldap-tools
|
|
&rootprompt; chmod 755 /etc/smbldap-tools
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
|
|
Change into either the directory extracted from the tarball or the smbldap-tools
|
|
directory in your <filename>/usr/share/doc/packages</filename> directory tree.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the
|
|
<filename>/opt/IDEALX/sbin</filename> directory, as shown here:
|
|
<screen>
|
|
&rootprompt; cd smbldap-tools-0.9.1/
|
|
&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
|
|
&rootprompt; cp smbldap*conf /etc/smbldap-tools/
|
|
&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-*
|
|
&rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl
|
|
&rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf
|
|
&rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The smbldap-tools scripts master control file must now be configured.
|
|
Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the
|
|
<filename>smbldap_tools.pm</filename> to affect the changes
|
|
shown here:
|
|
<screen>
|
|
...
|
|
# ugly funcs using global variables and spawning openldap clients
|
|
|
|
my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
|
|
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
|
|
...
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
To complete the configuration of the smbldap-tools, set the permissions and ownership
|
|
by executing the following commands:
|
|
<screen>
|
|
&rootprompt; chown root:root /opt/IDEALX/sbin/*
|
|
&rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-*
|
|
&rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm
|
|
</screen>
|
|
The smbldap-tools scripts are now ready for the configuration step outlined in
|
|
<link linkend="smbldap-init"/>.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>Installing smbldap-tools from the RPM Package</title>
|
|
|
|
<para>
|
|
In the event that you have elected to use the RPM package provided by Idealx, download the
|
|
source RPM <filename>smbldap-tools-0.9.1-1.src.rpm</filename>, then follow this procedure:
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Installation Steps for <constant>smbldap-tools</constant> RPM's</title>
|
|
|
|
<step><para>
|
|
Install the source RPM that has been downloaded as follows:
|
|
<screen>
|
|
&rootprompt; rpm -i smbldap-tools-0.9.1-1.src.rpm
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Change into the directory in which the SPEC files are located. On SUSE Linux:
|
|
<screen>
|
|
&rootprompt; cd /usr/src/packages/SPECS
|
|
</screen>
|
|
On Red Hat Linux systems:
|
|
<screen>
|
|
&rootprompt; cd /usr/src/redhat/SPECS
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Edit the <filename>smbldap-tools.spec</filename> file to change the value of the
|
|
<constant>_sysconfig</constant> macro as shown here:
|
|
<screen>
|
|
%define _prefix /opt/IDEALX
|
|
%define _sysconfdir /etc
|
|
</screen>
|
|
Note: Any suitable directory can be specified.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Build the package by executing:
|
|
<screen>
|
|
&rootprompt; rpmbuild -ba -v smbldap-tools.spec
|
|
</screen>
|
|
A build process that has completed without error will place the installable binary
|
|
files in the directory <filename>../RPMS/noarch</filename>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Install the binary package by executing:
|
|
<screen>
|
|
&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
|
|
</screen>
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
The Idealx scripts should now be ready for configuration using the steps outlined in
|
|
<link linkend="smbldap-init">Configuration of smbldap-tools</link>.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
<sect3 id="smbldap-init">
|
|
<title>Configuration of smbldap-tools</title>
|
|
|
|
<para>
|
|
Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file
|
|
and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption
|
|
is made that the &smb.conf; file has correct contents. The following procedure ensures that
|
|
this is completed correctly:
|
|
</para>
|
|
|
|
<para>
|
|
The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
|
|
in the &smb.conf; file.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Configuration Steps for <constant>smbldap-tools</constant> to Enable Use</title>
|
|
|
|
<step><para>
|
|
Change into the directory that contains the <filename>configure.pl</filename> script.
|
|
<screen>
|
|
&rootprompt; cd /opt/IDEALX/sbin
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Execute the <filename>configure.pl</filename> script as follows:
|
|
<screen>
|
|
&rootprompt; ./configure.pl
|
|
</screen>
|
|
The interactive use of this script for the PDC is demonstrated here:
|
|
<screen>
|
|
&rootprompt; /opt/IDEALX/sbin/configure.pl
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
smbldap-tools script configuration
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Before starting, check
|
|
. if your samba controller is up and running.
|
|
. if the domain SID is defined (you can get it with the
|
|
'net getlocalsid')
|
|
|
|
. you can leave the configuration using the Crtl-c key combination
|
|
. empty value can be set with the "." character
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Looking for configuration files...
|
|
|
|
Samba Config File Location [/etc/samba/smb.conf] >
|
|
smbldap-tools configuration file Location (global parameters)
|
|
[/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >
|
|
smbldap Config file Location (bind parameters)
|
|
[/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Let's start configuring the smbldap-tools scripts ...
|
|
|
|
. workgroup name: name of the domain Samba act as a PDC
|
|
workgroup name [MEGANET2] >
|
|
. netbios name: netbios name of the samba controler
|
|
netbios name [MASSIVE] >
|
|
. logon drive: local path to which the home directory
|
|
will be connected (for NT Workstations). Ex: 'H:'
|
|
logon drive [H:] >
|
|
. logon home: home directory location (for Win95/98 or NT Workstation)
|
|
(use %U as username) Ex:'\\MASSIVE\%U'
|
|
logon home (press the "." character if you don't want homeDirectory)
|
|
[\\MASSIVE\%U] >
|
|
. logon path: directory where roaming profiles are stored.
|
|
Ex:'\\MASSIVE\profiles\%U'
|
|
logon path (press the "." character
|
|
if you don't want roaming profile) [\\%L\profiles\%U] >
|
|
. home directory prefix (use %U as username)
|
|
[/home/%U] > /data/users/%U
|
|
. default users' homeDirectory mode [700] >
|
|
. default user netlogon script (use %U as username)
|
|
[scripts\logon.bat] >
|
|
default password validation time (time in days) [45] > 900
|
|
. ldap suffix [dc=abmas,dc=biz] >
|
|
. ldap group suffix [ou=Groups] >
|
|
. ldap user suffix [ou=People,ou=Users] >
|
|
. ldap machine suffix [ou=Computers,ou=Users] >
|
|
. Idmap suffix [ou=Idmap] >
|
|
. sambaUnixIdPooldn: object where you want to store the next uidNumber
|
|
and gidNumber available for new users and groups
|
|
sambaUnixIdPooldn object (relative to ${suffix})
|
|
[sambaDomainName=MEGANET2] >
|
|
. ldap master server: IP adress or DNS name of the master
|
|
(writable) ldap server
|
|
ldap master server [massive.abmas.biz] >
|
|
. ldap master port [389] >
|
|
. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
|
|
. ldap master bind password [] >
|
|
. ldap slave server: IP adress or DNS name of the slave ldap server:
|
|
can also be the master one
|
|
ldap slave server [massive.abmas.biz] >
|
|
. ldap slave port [389] >
|
|
. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
|
|
. ldap slave bind password [] >
|
|
. ldap tls support (1/0) [0] >
|
|
. SID for domain MEGANET2: SID of the domain
|
|
(can be obtained with 'net getlocalsid MASSIVE')
|
|
SID for domain MEGANET2
|
|
[S-1-5-21-3504140859-1010554828-2431957765]] >
|
|
. unix password encryption: encryption used for unix passwords
|
|
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
|
|
. default user gidNumber [513] >
|
|
. default computer gidNumber [515] >
|
|
. default login shell [/bin/bash] >
|
|
. default skeleton directory [/etc/skel] >
|
|
. default domain name to append to mail adress [] > abmas.biz
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
backup old configuration files:
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap.conf->
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
|
|
writing new configuration file:
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
|
|
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
|
|
</screen>
|
|
Since a slave LDAP server has not been configured, it is necessary to specify the IP
|
|
address of the master LDAP server for both the master and the slave configuration
|
|
prompts.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Change to the directory that contains the <filename>smbldap.conf</filename> file,
|
|
then verify its contents.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
The smbldap-tools are now ready for use.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>LDAP Initialization and Creation of User and Group Accounts</title>
|
|
|
|
<para>
|
|
The LDAP database must be populated with well-known Windows domain user accounts and domain group
|
|
accounts before Samba can be used. The following procedures step you through the process.
|
|
</para>
|
|
|
|
<para>
|
|
At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
|
|
mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
|
|
hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
|
|
database. From a UNIX system perspective, the NSS resolver checks system files before
|
|
referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
|
|
does not need to ask LDAP.
|
|
</para>
|
|
|
|
<para>
|
|
Addition of an account to the LDAP backend can be done in two ways:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
<indexterm><primary>NIS</primary></indexterm>
|
|
<indexterm><primary>/etc/passwd</primary></indexterm>
|
|
<indexterm><primary>Posix accounts</primary></indexterm>
|
|
<indexterm><primary>pdbedit</primary></indexterm>
|
|
<indexterm><primary>SambaSamAccount</primary></indexterm>
|
|
<indexterm><primary>PosixAccount</primary></indexterm>
|
|
If you always have a user account in the <filename>/etc/passwd</filename> on every
|
|
server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
|
|
LDAP. In this case, you can add Windows domain user accounts using the
|
|
<command>pdbedit</command> utility. Use of this tool from the command line adds the
|
|
SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
|
|
</para>
|
|
|
|
<para>
|
|
This is the least desirable method because when LDAP is used as the passwd backend Samba
|
|
expects the POSIX account to be in LDAP also. It is possible to use the PADL account
|
|
migration tool to migrate all system accounts from either the <filename>/etc/passwd</filename>
|
|
files, or from NIS, to LDAP.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
If you decide that it is probably a good idea to add both the PosixAccount attributes
|
|
as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
|
|
In the example system you are installing in this exercise, you are making use of the
|
|
Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
|
|
is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename>
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
<indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm>
|
|
If you wish to have more control over how the LDAP database is initialized or
|
|
if you don't want to use the Idealx smbldap-tools, you should refer to
|
|
<link linkend="appendix"/>, <link linkend="altldapcfg"/>.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>smbldap-populate</primary></indexterm>
|
|
The following steps initialize the LDAP database, and then you can add user and group
|
|
accounts that Samba can use. You use the <command>smbldap-populate</command> to
|
|
seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>.
|
|
The list of users does not cover all 500 network users; it provides examples only.
|
|
</para>
|
|
|
|
<note><para>
|
|
<indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>People container</secondary></indexterm>
|
|
<indexterm><primary>directory</primary><secondary>Computers container</secondary></indexterm>
|
|
In the following examples, as the LDAP database is initialized, we do create a container
|
|
for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made
|
|
of the People container, not the Computers container, for domain member accounts. This is not a
|
|
mistake; it is a deliberate action that is necessitated by the fact that the resolution of
|
|
a machine (computer) account to a UID is done via NSS. The only way this can be handled is
|
|
using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>,
|
|
which is resolved using the <filename>nss_ldap</filename> library. The configuration file for
|
|
the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that
|
|
provides only one possible LDAP search command that is specified by the entry called
|
|
<constant>nss_base_passwd</constant>. This means that the search path must take into account
|
|
the directory structure so that the LDAP search will commence at a level that is above
|
|
both the Computers container and the Users (or People) container. If this is done, it is
|
|
necessary to use a search that will descend the directory tree so that the machine account
|
|
can be found. Alternatively, by placing all machine accounts in the People container, we
|
|
are able to sidestep this limitation. This is the simpler solution that has been adopted
|
|
in this chapter.
|
|
</para></note>
|
|
|
|
|
|
<table id="sbehap-bigacct">
|
|
<title>Abmas Network Users and Groups</title>
|
|
<tgroup cols="4">
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<thead>
|
|
<row>
|
|
<entry align="center">Account Name</entry>
|
|
<entry align="center">Type</entry>
|
|
<entry align="center">ID</entry>
|
|
<entry align="center">Password</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry>Robert Jordan</entry>
|
|
<entry>User</entry>
|
|
<entry>bobj</entry>
|
|
<entry>n3v3r2l8</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Stanley Soroka</entry>
|
|
<entry>User</entry>
|
|
<entry>stans</entry>
|
|
<entry>impl13dst4r</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Christine Roberson</entry>
|
|
<entry>User</entry>
|
|
<entry>chrisr</entry>
|
|
<entry>S9n0nw4ll</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Mary Vortexis</entry>
|
|
<entry>User</entry>
|
|
<entry>maryv</entry>
|
|
<entry>kw13t0n3</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Accounts</entry>
|
|
<entry>Group</entry>
|
|
<entry>Accounts</entry>
|
|
<entry></entry>
|
|
</row>
|
|
<row>
|
|
<entry>Finances</entry>
|
|
<entry>Group</entry>
|
|
<entry>Finances</entry>
|
|
<entry></entry>
|
|
</row>
|
|
<row>
|
|
<entry>Insurance</entry>
|
|
<entry>Group</entry>
|
|
<entry>PIOps</entry>
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<procedure id="creatacc">
|
|
<title>LDAP Directory Initialization Steps</title>
|
|
|
|
<step><para>
|
|
Start the LDAP server by executing:
|
|
<screen>
|
|
&rootprompt; rcldap start
|
|
Starting ldap-server done
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Change to the <filename>/opt/IDEALX/sbin</filename> directory.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Execute the script that will populate the LDAP database as shown here:
|
|
<screen>
|
|
&rootprompt; ./smbldap-populate -a root -k 0 -m 0
|
|
</screen>
|
|
The expected output from this is:
|
|
<screen>
|
|
Using workgroup name from smb.conf: sambaDomainName=MEGANET2
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
=> Warning: you must update smbldap.conf configuration file to :
|
|
=> sambaUnixIdPooldn parameter must be set
|
|
to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Using builtin directory structure
|
|
adding new entry: dc=abmas,dc=biz
|
|
adding new entry: ou=People,dc=abmas,dc=biz
|
|
adding new entry: ou=Groups,dc=abmas,dc=biz
|
|
entry ou=People,dc=abmas,dc=biz already exist.
|
|
adding new entry: ou=Idmap,dc=abmas,dc=biz
|
|
adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
|
|
adding new entry: uid=root,ou=People,dc=abmas,dc=biz
|
|
adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
|
|
adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
|
|
adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following
|
|
information is changed from:
|
|
<screen>
|
|
# Where to store next uidNumber and gidNumber available
|
|
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
|
|
</screen>
|
|
to read, after modification:
|
|
<screen>
|
|
# Where to store next uidNumber and gidNumber available
|
|
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
|
|
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
It is necessary to restart the LDAP server as shown here:
|
|
<screen>
|
|
&rootprompt; rcldap restart
|
|
Shutting down ldap-server done
|
|
Starting ldap-server done
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>slapcat</primary></indexterm>
|
|
So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
|
|
There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
|
|
the simplest is to execute:
|
|
<screen>
|
|
&rootprompt; slapcat | grep -i idmap
|
|
dn: ou=Idmap,dc=abmas,dc=biz
|
|
ou: idmap
|
|
</screen>
|
|
<indexterm> <primary>ldapadd</primary></indexterm>
|
|
If the execution of this command does not return IDMAP entries, you need to create an LDIF
|
|
template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using
|
|
the following command:
|
|
<screen>
|
|
&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
|
|
-w not24get < /etc/openldap/idmap.LDIF
|
|
</screen>
|
|
Samba automatically populates this LDAP directory container when it needs to.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>slapcat</primary></indexterm>
|
|
It looks like all has gone well, as expected. Let's confirm that this is the case
|
|
by running a few tests. First we check the contents of the database directly
|
|
by running <command>slapcat</command> as follows (the output has been cut down):
|
|
<screen>
|
|
&rootprompt; slapcat
|
|
dn: dc=abmas,dc=biz
|
|
objectClass: dcObject
|
|
objectClass: organization
|
|
dc: abmas
|
|
o: abmas
|
|
structuralObjectClass: organization
|
|
entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
|
|
creatorsName: cn=Manager,dc=abmas,dc=biz
|
|
createTimestamp: 20031217234200Z
|
|
entryCSN: 2003121723:42:00Z#0x0001#0#0000
|
|
modifiersName: cn=Manager,dc=abmas,dc=biz
|
|
modifyTimestamp: 20031217234200Z
|
|
...
|
|
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
|
|
objectClass: posixGroup
|
|
objectClass: sambaGroupMapping
|
|
gidNumber: 553
|
|
cn: Domain Computers
|
|
description: Netbios Domain Computers accounts
|
|
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
|
|
sambaGroupType: 2
|
|
displayName: Domain Computers
|
|
structuralObjectClass: posixGroup
|
|
entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
|
|
creatorsName: cn=Manager,dc=abmas,dc=biz
|
|
createTimestamp: 20031217234206Z
|
|
entryCSN: 2003121723:42:06Z#0x0002#0#0000
|
|
modifiersName: cn=Manager,dc=abmas,dc=biz
|
|
modifyTimestamp: 20031217234206Z
|
|
</screen>
|
|
This looks good so far.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>ldapsearch</primary></indexterm>
|
|
The next step is to prove that the LDAP server is running and responds to a
|
|
search request. Execute the following as shown (output has been cut to save space):
|
|
<screen>
|
|
&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
|
|
# extended LDIF
|
|
#
|
|
# LDAPv3
|
|
# base <dc=abmas,dc=biz> with scope sub
|
|
# filter: (ObjectClass=*)
|
|
# requesting: ALL
|
|
#
|
|
|
|
# abmas.biz
|
|
dn: dc=abmas,dc=biz
|
|
objectClass: dcObject
|
|
objectClass: organization
|
|
dc: abmas
|
|
o: abmas
|
|
|
|
# People, abmas.biz
|
|
dn: ou=People,dc=abmas,dc=biz
|
|
objectClass: organizationalUnit
|
|
ou: People
|
|
...
|
|
# Domain Computers, Groups, abmas.biz
|
|
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
|
|
objectClass: posixGroup
|
|
objectClass: sambaGroupMapping
|
|
gidNumber: 553
|
|
cn: Domain Computers
|
|
description: Netbios Domain Computers accounts
|
|
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
|
|
sambaGroupType: 2
|
|
displayName: Domain Computers
|
|
|
|
# search result
|
|
search: 2
|
|
result: 0 Success
|
|
|
|
# numResponses: 20
|
|
# numEntries: 19
|
|
</screen>
|
|
Good. It is all working just fine.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>getent</primary></indexterm>
|
|
You must now make certain that the NSS resolver can interrogate LDAP also.
|
|
Execute the following commands:
|
|
<screen>
|
|
&rootprompt; getent passwd | grep root
|
|
root:x:998:512:Netbios Domain Administrator:/home:/bin/false
|
|
|
|
&rootprompt; getent group | grep Domain
|
|
Domain Admins:x:512:root
|
|
Domain Users:x:513:
|
|
Domain Guests:x:514:
|
|
Domain Computers:x:553:
|
|
</screen>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
This demonstrates that the <command>nss_ldap</command> library is functioning
|
|
as it should. If these two steps fail to produce this information, refer to
|
|
<link linkend="sbeavoid"/> for diagnostic procedures that can be followed to
|
|
isolate the cause of the problem. Proceed to the next step only when the previous steps
|
|
have been successfully completed.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbldap-useradd</primary></indexterm>
|
|
<indexterm><primary>smbldap-passwd</primary></indexterm>
|
|
<indexterm><primary>smbpasswd</primary></indexterm>
|
|
Our database is now ready for the addition of network users. For each user for
|
|
whom an account must be created, execute the following:
|
|
<screen>
|
|
&rootprompt; ./smbldap-useradd -m -a <constant>username</constant>
|
|
&rootprompt; ./smbldap-passwd <constant>username</constant>
|
|
Changing password for <constant>username</constant>
|
|
New password : XXXXXXXX
|
|
Retype new password : XXXXXXXX
|
|
|
|
&rootprompt; smbpasswd <constant>username</constant>
|
|
New SMB password: XXXXXXXX
|
|
Retype new SMB password: XXXXXXXX
|
|
</screen>
|
|
where <constant>username</constant> is the login ID for each user.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>getent</primary></indexterm>
|
|
Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
|
|
following:
|
|
<screen>
|
|
&rootprompt; getent passwd
|
|
root:x:0:0:root:/root:/bin/bash
|
|
bin:x:1:1:bin:/bin:/bin/bash
|
|
...
|
|
root:x:0:512:Netbios Domain Administrator:/home:/bin/false
|
|
nobody:x:999:514:nobody:/dev/null:/bin/false
|
|
bobj:x:1000:513:System User:/home/bobj:/bin/bash
|
|
stans:x:1001:513:System User:/home/stans:/bin/bash
|
|
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
|
|
maryv:x:1003:513:System User:/home/maryv:/bin/bash
|
|
</screen>
|
|
This demonstrates that user account resolution via LDAP is working.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
This step will determine whether or not identity resolution is working correctly.
|
|
Do not procede is this step fails, rather find the cause of the failure. The
|
|
<command>id</command> command may be used to validate your configuration so far,
|
|
as shown here:
|
|
<screen>
|
|
&rootprompt; id chrisr
|
|
uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
|
|
</screen>
|
|
This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
|
|
by system tools that make a getentpw() system call.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbldap-usermod</primary></indexterm>
|
|
The root account must have UID=0; if not, this means that operations conducted from
|
|
a Windows client using tools such as the Domain User Manager fails under UNIX because
|
|
the management of user and group accounts requires that the UID=0. Additionally, it is
|
|
a good idea to make certain that no matter how root account credentials are resolved,
|
|
the home directory and shell are valid. You decide to effect this immediately
|
|
as demonstrated here:
|
|
<screen>
|
|
&rootprompt; cd /opt/IDEALX/sbin
|
|
&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Verify that the changes just made to the <constant>root</constant> account were
|
|
accepted by executing:
|
|
<screen>
|
|
&rootprompt; getent passwd | grep root
|
|
root:x:0:0:root:/root:/bin/bash
|
|
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
|
|
</screen>
|
|
This demonstrates that the changes were accepted.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Make certain that a home directory has been created for every user by listing the
|
|
directories in <filename>/home</filename> as follows:
|
|
<screen>
|
|
&rootprompt; ls -al /home
|
|
drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
|
|
drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
|
|
drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
|
|
drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
|
|
drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
|
|
drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
|
|
</screen>
|
|
This is precisely what we want to see.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>ldapsam</primary></indexterm>
|
|
<indexterm><primary>pdbedit</primary></indexterm>
|
|
The final validation step involves making certain that Samba-3 can obtain the user
|
|
accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
|
|
<screen>
|
|
&rootprompt; pdbedit -Lv chrisr
|
|
Unix username: chrisr
|
|
NT username: chrisr
|
|
Account Flags: [U ]
|
|
User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
|
|
Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
|
|
Full Name: System User
|
|
Home Directory: \\MASSIVE\homes
|
|
HomeDir Drive: H:
|
|
Logon Script: scripts\login.cmd
|
|
Profile Path: \\MASSIVE\profiles\chrisr
|
|
Domain: MEGANET2
|
|
Account desc: System User
|
|
Workstations:
|
|
Munged dial:
|
|
Logon time: 0
|
|
Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
|
|
Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
|
|
Password last set: Wed, 17 Dec 2003 17:17:40 GMT
|
|
Password can change: Wed, 17 Dec 2003 17:17:40 GMT
|
|
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
|
|
Last bad password : 0
|
|
Bad password count : 0
|
|
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
|
|
</screen>
|
|
This looks good. Of course, you fully expected that it would all work, didn't you?
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbldap-groupadd</primary></indexterm>
|
|
Now you add the group accounts that are used on the Abmas network. Execute
|
|
the following exactly as shown:
|
|
<screen>
|
|
&rootprompt; ./smbldap-groupadd -a Accounts
|
|
&rootprompt; ./smbldap-groupadd -a Finances
|
|
&rootprompt; ./smbldap-groupadd -a PIOps
|
|
</screen>
|
|
The addition of groups does not involve keyboard interaction, so the lack of console
|
|
output is of no concern.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>getent</primary></indexterm>
|
|
You really do want to confirm that UNIX group resolution from LDAP is functioning
|
|
as it should. Let's do this as shown here:
|
|
<screen>
|
|
&rootprompt; getent group
|
|
...
|
|
Domain Admins:x:512:root
|
|
Domain Users:x:513:bobj,stans,chrisr,maryv
|
|
Domain Guests:x:514:
|
|
...
|
|
Accounts:x:1000:
|
|
Finances:x:1001:
|
|
PIOps:x:1002:
|
|
</screen>
|
|
The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
|
|
as our own site-specific group accounts, are correctly listed. This is looking good.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
|
|
The final step we need to validate is that Samba can see all the Windows domain groups
|
|
and that they are correctly mapped to the respective UNIX group account. To do this,
|
|
just execute the following command:
|
|
<screen>
|
|
&rootprompt; net groupmap list
|
|
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
|
|
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
|
|
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
|
|
...
|
|
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
|
|
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
|
|
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
|
|
</screen>
|
|
This is looking good. Congratulations &smbmdash; it works! Note that in the above output
|
|
the lines were shortened by replacing the middle value (1010554828) of the SID with the
|
|
ellipsis (...).
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The server you have so carefully built is now ready for another important step. You
|
|
start the Samba-3 server and validate its operation. Execute the following to render all
|
|
the processes needed fully operative so that, on system reboot, they are automatically
|
|
started:
|
|
<screen>
|
|
&rootprompt; chkconfig named on
|
|
&rootprompt; chkconfig dhcpd on
|
|
&rootprompt; chkconfig ldap on
|
|
&rootprompt; chkconfig nmb on
|
|
&rootprompt; chkconfig smb on
|
|
&rootprompt; chkconfig winbind on
|
|
&rootprompt; rcnmb start
|
|
&rootprompt; rcsmb start
|
|
&rootprompt; rcwinbind start
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The next step might seem a little odd at this point, but take note that you are about to
|
|
start <command>winbindd</command>, which must be able to authenticate to the PDC via the
|
|
localhost interface with the <command>smbd</command> process. This account can be
|
|
easily created by joining the PDC to the domain by executing the following command:
|
|
<screen>
|
|
&rootprompt; net rpc join -S MASSIVE -U root%not24get
|
|
</screen>
|
|
Note: Before executing this command on the PDC, both <command>nmbd</command> and
|
|
<command>smbd</command> must be started so that the <command>net</command> command
|
|
can communicate with <command>smbd</command>. The expected output is as follows:
|
|
<screen>
|
|
Joined domain MEGANET2.
|
|
</screen>
|
|
This indicates that the domain security account for the PDC has been correctly created.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
At this time it is necessary to restart <command>winbindd</command> so that it can
|
|
correctly authenticate to the PDC. The following command achieves that:
|
|
<screen>
|
|
&rootprompt; rcwinbind restart
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbclient</primary></indexterm>
|
|
You may now check Samba-3 operation as follows:
|
|
<screen>
|
|
&rootprompt; smbclient -L massive -U%
|
|
|
|
Sharename Type Comment
|
|
--------- ---- -------
|
|
IPC$ IPC IPC Service (Samba 3.0.20)
|
|
accounts Disk Accounting Files
|
|
service Disk Financial Services Files
|
|
pidata Disk Property Insurance Files
|
|
apps Disk Application Files
|
|
netlogon Disk Network Logon Service
|
|
profiles Disk Profile Share
|
|
profdata Disk Profile Data Share
|
|
ADMIN$ IPC IPC Service (Samba 3.0.20)
|
|
|
|
Server Comment
|
|
--------- -------
|
|
MASSIVE Samba 3.0.20
|
|
|
|
Workgroup Master
|
|
--------- -------
|
|
MEGANET2 MASSIVE
|
|
</screen>
|
|
This shows that an anonymous connection is working.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
For your finale, let's try an authenticated connection:
|
|
<screen>
|
|
&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8
|
|
smb: \> dir
|
|
. D 0 Wed Dec 17 01:16:19 2003
|
|
.. D 0 Wed Dec 17 19:04:42 2003
|
|
bin D 0 Tue Sep 2 04:00:57 2003
|
|
Documents D 0 Sun Nov 30 07:28:20 2003
|
|
public_html D 0 Sun Nov 30 07:28:20 2003
|
|
.urlview H 311 Fri Jul 7 06:55:35 2000
|
|
.dvipsrc H 208 Fri Nov 17 11:22:02 1995
|
|
|
|
57681 blocks of size 524288. 57128 blocks available
|
|
smb: \> q
|
|
</screen>
|
|
Well done. All is working fine.
|
|
</para></step>
|
|
</procedure>
|
|
|
|
<para>
|
|
The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 id="sbehap-ptrcfg">
|
|
<title>Printer Configuration</title>
|
|
|
|
<para>
|
|
<indexterm><primary>CUPS</primary></indexterm>
|
|
The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
|
|
taken care of in the &smb.conf; file. The only preparation needed for <constant>smart</constant>
|
|
printing to be possible involves creation of the directories in which Samba-3 stores
|
|
Windows printing driver files.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Printer Configuration Steps</title>
|
|
|
|
<step><para>
|
|
Configure all network-attached printers to have a fixed IP address.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Create an entry in the DNS database on the server <constant>MASSIVE</constant>
|
|
in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant>
|
|
and in the reverse lookup database for the network segment that the printer is to
|
|
be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>,
|
|
<link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Follow the instructions in the printer manufacturers' manuals to permit printing
|
|
to port 9100. Use any other port the manufacturer specifies for direct mode,
|
|
raw printing. This allows the CUPS spooler to print using raw mode protocols.
|
|
<indexterm><primary>CUPS</primary></indexterm>
|
|
<indexterm><primary>raw printing</primary></indexterm>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>lpadmin</primary></indexterm>
|
|
<indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
|
|
Only on the server to which the printer is attached, configure the CUPS Print
|
|
Queues as follows:
|
|
<screen>
|
|
&rootprompt; lpadmin -p <parameter>printque</parameter>
|
|
-v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E
|
|
</screen>
|
|
<indexterm><primary>print filter</primary></indexterm>
|
|
This step creates the necessary print queue to use no assigned print filter. This
|
|
is ideal for raw printing, that is, printing without use of filters.
|
|
The name <parameter>printque</parameter> is the name you have assigned for
|
|
the particular printer.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Print queues may not be enabled at creation. Make certain that the queues
|
|
you have just created are enabled by executing the following:
|
|
<screen>
|
|
&rootprompt; /usr/bin/enable <parameter>printque</parameter>
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Even though your print queue may be enabled, it is still possible that it
|
|
may not accept print jobs. A print queue will service incoming printing
|
|
requests only when configured to do so. Ensure that your print queue is
|
|
set to accept incoming jobs by executing the following commands:
|
|
<screen>
|
|
&rootprompt; /usr/bin/accept <parameter>printque</parameter>
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>mime type</primary></indexterm>
|
|
<indexterm><primary>/etc/mime.convs</primary></indexterm>
|
|
<indexterm><primary>application/octet-stream</primary></indexterm>
|
|
Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
|
|
<screen>
|
|
application/octet-stream application/vnd.cups-raw 0 -
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/etc/mime.types</primary></indexterm>
|
|
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
|
|
<screen>
|
|
application/octet-stream
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Refer to the CUPS printing manual for instructions regarding how to configure
|
|
CUPS so that print queues that reside on CUPS servers on remote networks
|
|
route print jobs to the print server that owns that queue. The default setting
|
|
on your CUPS server may automatically discover remotely installed printers and
|
|
may permit this functionality without requiring specific configuration.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The following action creates the necessary directory subsystem. Follow these
|
|
steps to printing heaven:
|
|
<screen>
|
|
&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
|
|
&rootprompt; chown -R root:root /var/lib/samba/drivers
|
|
&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers
|
|
</screen>
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1 id="sbehap-bldg1">
|
|
<title>Samba-3 BDC Configuration</title>
|
|
|
|
<procedure>
|
|
<title>Configuration of BDC Called: <constant>BLDG1</constant></title>
|
|
|
|
<step><para>
|
|
Install the files in <link linkend="sbehap-bldg1-smbconf"/>,
|
|
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
|
|
into the <filename>/etc/samba/</filename> directory. The three files
|
|
should be added together to form the &smb.conf; file.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Verify the &smb.conf; file as in step 2 of <link
|
|
linkend="sbehap-massive"/>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking
|
|
particular note to install the correct <filename>ldap.conf</filename>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Verify that the NSS resolver is working. You may need to cycle the run level
|
|
to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
|
|
commands:
|
|
<screen>
|
|
&rootprompt; init 1
|
|
</screen>
|
|
After the run level has been achieved, you are prompted to provide the
|
|
<constant>root</constant> password. Log on, and then execute:
|
|
<screen>
|
|
&rootprompt; init 5
|
|
</screen>
|
|
When the normal logon prompt appears, log into the system as <constant>root</constant>
|
|
and then execute these commands:
|
|
<screen>
|
|
&rootprompt; getent passwd
|
|
root:x:0:0:root:/root:/bin/bash
|
|
bin:x:1:1:bin:/bin:/bin/bash
|
|
daemon:x:2:2:Daemon:/sbin:/bin/bash
|
|
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
|
|
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
|
|
...
|
|
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
|
|
nobody:x:999:514:nobody:/dev/null:/bin/false
|
|
bobj:x:1000:513:System User:/home/bobj:/bin/bash
|
|
stans:x:1001:513:System User:/home/stans:/bin/bash
|
|
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
|
|
maryv:x:1003:513:System User:/home/maryv:/bin/bash
|
|
vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
|
|
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
|
|
</screen>
|
|
This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>getent</primary></indexterm>
|
|
The next step in the verification process involves testing the operation of UNIX group
|
|
resolution via the NSS LDAP resolver. Execute these commands:
|
|
<screen>
|
|
&rootprompt; getent group
|
|
root:x:0:
|
|
bin:x:1:daemon
|
|
daemon:x:2:
|
|
sys:x:3:
|
|
...
|
|
Domain Admins:x:512:root
|
|
Domain Users:x:513:bobj,stans,chrisr,maryv,jht
|
|
Domain Guests:x:514:
|
|
Administrators:x:544:
|
|
Users:x:545:
|
|
Guests:x:546:nobody
|
|
Power Users:x:547:
|
|
Account Operators:x:548:
|
|
Server Operators:x:549:
|
|
Print Operators:x:550:
|
|
Backup Operators:x:551:
|
|
Replicator:x:552:
|
|
Domain Computers:x:553:
|
|
Accounts:x:1000:
|
|
Finances:x:1001:
|
|
PIOps:x:1002:
|
|
</screen>
|
|
This is also the correct and desired output, because it demonstrates that the LDAP client
|
|
is able to communicate correctly with the LDAP server (<constant>MASSIVE</constant>).
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>smbpasswd</primary></indexterm>
|
|
You must now set the LDAP administrative password into the Samba-3 <filename>secrets.tdb</filename>
|
|
file by executing this command:
|
|
<screen>
|
|
&rootprompt; smbpasswd -w not24get
|
|
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now you must obtain the domain SID from the PDC and store it into the
|
|
<filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP
|
|
passdb backend because Samba-3 obtains the domain SID from the
|
|
sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
|
|
add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this
|
|
command can achieve that:
|
|
<screen>
|
|
&rootprompt; net rpc getsid MEGANET2
|
|
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
|
|
for Domain MEGANET2 in secrets.tdb
|
|
</screen>
|
|
When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
|
|
any special action to join it to the domain. However, winbind communicates with the
|
|
domain controller that is running on the localhost and must be able to authenticate,
|
|
thus requiring that the BDC should be joined to the domain. The process of joining
|
|
the domain creates the necessary authentication accounts.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
To join the Samba BDC to the domain, execute the following:
|
|
<screen>
|
|
&rootprompt; net rpc join -U root%not24get
|
|
Joined domain MEGANET2.
|
|
</screen>
|
|
This indicates that the domain security account for the BDC has been correctly created.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm>
|
|
<primary>pdbedit</primary>
|
|
</indexterm>
|
|
Verify that user and group account resolution works via Samba-3 tools as follows:
|
|
<screen>
|
|
&rootprompt; pdbedit -L
|
|
root:0:root
|
|
nobody:65534:nobody
|
|
bobj:1000:System User
|
|
stans:1001:System User
|
|
chrisr:1002:System User
|
|
maryv:1003:System User
|
|
bldg1$:1006:bldg1$
|
|
|
|
&rootprompt; net groupmap list
|
|
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) ->
|
|
Domain Admins
|
|
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
|
|
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) ->
|
|
Domain Guests
|
|
Administrators (S-1-5-21-3504140859-...-2431957765-544) ->
|
|
Administrators
|
|
...
|
|
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
|
|
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
|
|
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
|
|
</screen>
|
|
These results show that all things are in order.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The server you have so carefully built is now ready for another important step. Now
|
|
start the Samba-3 server and validate its operation. Execute the following to render all
|
|
the processes needed fully operative so that, upon system reboot, they are automatically
|
|
started:
|
|
<screen>
|
|
&rootprompt; chkconfig named on
|
|
&rootprompt; chkconfig dhcpd on
|
|
&rootprompt; chkconfig nmb on
|
|
&rootprompt; chkconfig smb on
|
|
&rootprompt; chkconfig winbind on
|
|
&rootprompt; rcnmb start
|
|
&rootprompt; rcsmb start
|
|
&rootprompt; rcwinbind start
|
|
</screen>
|
|
Samba-3 should now be running and is ready for a quick test. But not quite yet!
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users.
|
|
To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename>
|
|
file, add a mount entry to mount the <constant>home</constant> directory that has been exported
|
|
from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate
|
|
approach could be to create local home directories for users who are to use these machines.
|
|
This is a choice that you, as system administrator, must make. The following entry in the
|
|
<filename>/etc/fstab</filename> file suffices for now:
|
|
<screen>
|
|
massive.abmas.biz:/home /home nfs rw 0 0
|
|
</screen>
|
|
To mount this resource, execute:
|
|
<screen>
|
|
&rootprompt; mount -a
|
|
</screen>
|
|
Verify that the home directory has been mounted as follows:
|
|
<screen>
|
|
&rootprompt; df | grep home
|
|
massive:/home 29532988 283388 29249600 1% /home
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Implement a quick check using one of the users that is in the LDAP database. Here you go:
|
|
<screen>
|
|
&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8
|
|
smb: \> dir
|
|
. D 0 Wed Dec 17 01:16:19 2003
|
|
.. D 0 Wed Dec 17 19:04:42 2003
|
|
bin D 0 Tue Sep 2 04:00:57 2003
|
|
Documents D 0 Sun Nov 30 07:28:20 2003
|
|
public_html D 0 Sun Nov 30 07:28:20 2003
|
|
.urlview H 311 Fri Jul 7 06:55:35 2000
|
|
.dvipsrc H 208 Fri Nov 17 11:22:02 1995
|
|
|
|
57681 blocks of size 524288. 57128 blocks available
|
|
smb: \> q
|
|
</screen>
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
Now that the first BDC (<constant>BDLG1</constant>) has been configured it is time to build
|
|
and configure the second BDC server (<constant>BLDG2</constant>) as follows:
|
|
</para>
|
|
|
|
<procedure id="sbehap-bldg2">
|
|
<title>Configuration of BDC Called <constant>BLDG2</constant></title>
|
|
|
|
<step><para>
|
|
Install the files in <link linkend="sbehap-bldg2-smbconf"/>,
|
|
<link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/>
|
|
into the <filename>/etc/samba/</filename> directory. The three files
|
|
should be added together to form the &smb.conf; file.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<example id="sbehap-bldg1-smbconf">
|
|
<title>LDAP Based &smb.conf; File, Server: BLDG1</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="unix charset">LOCALE</smbconfoption>
|
|
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
|
|
<smbconfoption name="netbios name">BLDG1</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="enable privileges">Yes</smbconfoption>
|
|
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
|
|
<smbconfoption name="log level">1</smbconfoption>
|
|
<smbconfoption name="syslog">0</smbconfoption>
|
|
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
|
|
<smbconfoption name="max log size">50</smbconfoption>
|
|
<smbconfoption name="smb ports">139</smbconfoption>
|
|
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
|
|
<smbconfoption name="printcap name">CUPS</smbconfoption>
|
|
<smbconfoption name="show add printer wizard">No</smbconfoption>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">X:</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">No</smbconfoption>
|
|
<smbconfoption name="wins server">172.16.0.1</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
|
|
<example id="sbehap-bldg2-smbconf">
|
|
<title>LDAP Based &smb.conf; File, Server: BLDG2</title>
|
|
<smbconfblock>
|
|
<smbconfcomment>Global parameters</smbconfcomment>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="unix charset">LOCALE</smbconfoption>
|
|
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
|
|
<smbconfoption name="netbios name">BLDG2</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="enable privileges">Yes</smbconfoption>
|
|
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
|
|
<smbconfoption name="log level">1</smbconfoption>
|
|
<smbconfoption name="syslog">0</smbconfoption>
|
|
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
|
|
<smbconfoption name="max log size">50</smbconfoption>
|
|
<smbconfoption name="smb ports">139</smbconfoption>
|
|
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
|
|
<smbconfoption name="printcap name">CUPS</smbconfoption>
|
|
<smbconfoption name="show add printer wizard">No</smbconfoption>
|
|
<smbconfoption name="logon script">scripts\logon.bat</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">X:</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">No</smbconfoption>
|
|
<smbconfoption name="wins server">172.16.0.1</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
|
|
<smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption>
|
|
<smbconfoption name="idmap uid">10000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">10000-20000</smbconfoption>
|
|
<smbconfoption name="printing">cups</smbconfoption>
|
|
<smbconfoption name="printer admin">root, chrisr</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
|
|
<example id="sbehap-shareconfa">
|
|
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[accounts]"/>
|
|
<smbconfoption name="comment">Accounting Files</smbconfoption>
|
|
<smbconfoption name="path">/data/accounts</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[service]"/>
|
|
<smbconfoption name="comment">Financial Services Files</smbconfoption>
|
|
<smbconfoption name="path">/data/service</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[pidata]"/>
|
|
<smbconfoption name="comment">Property Insurance Files</smbconfoption>
|
|
<smbconfoption name="path">/data/pidata</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[homes]"/>
|
|
<smbconfoption name="comment">Home Directories</smbconfoption>
|
|
<smbconfoption name="valid users">%S</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
|
|
<smbconfsection name="[printers]"/>
|
|
<smbconfoption name="comment">SMB Print Spool</smbconfoption>
|
|
<smbconfoption name="path">/var/spool/samba</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="printable">Yes</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<example id="sbehap-shareconfb">
|
|
<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[apps]"/>
|
|
<smbconfoption name="comment">Application Files</smbconfoption>
|
|
<smbconfoption name="path">/apps</smbconfoption>
|
|
<smbconfoption name="admin users">bjordan</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[netlogon]"/>
|
|
<smbconfoption name="comment">Network Logon Service</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="locking">No</smbconfoption>
|
|
|
|
<smbconfsection name="[profiles]"/>
|
|
<smbconfoption name="comment">Profile Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="profile acls">Yes</smbconfoption>
|
|
|
|
<smbconfsection name="[profdata]"/>
|
|
<smbconfoption name="comment">Profile Data Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="profile acls">Yes</smbconfoption>
|
|
|
|
<smbconfsection name="[print$]"/>
|
|
<smbconfoption name="comment">Printer Drivers</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
|
|
<smbconfoption name="browseable">yes</smbconfoption>
|
|
<smbconfoption name="guest ok">no</smbconfoption>
|
|
<smbconfoption name="read only">yes</smbconfoption>
|
|
<smbconfoption name="write list">root, chrisr</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<example id="sbehap-ldifadd">
|
|
<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title>
|
|
<screen>
|
|
dn: ou=Idmap,dc=abmas,dc=biz
|
|
objectClass: organizationalUnit
|
|
ou: idmap
|
|
structuralObjectClass: organizationalUnit
|
|
</screen>
|
|
</example>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Miscellaneous Server Preparation Tasks</title>
|
|
|
|
<para>
|
|
My father would say, <quote>Dinner is not over until the dishes have been done.</quote>
|
|
The makings of a great network environment take a lot of effort and attention to detail.
|
|
So far, you have completed most of the complex (and to many administrators, the interesting
|
|
part of server configuration) steps, but remember to tie it all together. Here are
|
|
a few more steps that must be completed so that your network runs like a well-rehearsed
|
|
orchestra.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Configuring Directory Share Point Roots</title>
|
|
|
|
<para>
|
|
In your &smb.conf; file, you have specified Windows shares. Each has a <parameter>path</parameter>
|
|
parameter. Even though it is obvious to all, one of the common Samba networking problems is
|
|
caused by forgetting to verify that every such share root directory actually exists and that it
|
|
has the necessary permissions and ownership.
|
|
</para>
|
|
|
|
<para>
|
|
Here is an example, but remember to create the directory needed for every share:
|
|
<screen>
|
|
&rootprompt; mkdir -p /data/{accounts,finsvcs,piops}
|
|
&rootprompt; mkdir -p /apps
|
|
&rootprompt; chown -R root:root /data
|
|
&rootprompt; chown -R root:root /apps
|
|
&rootprompt; chown -R bobj:Accounts /data/accounts
|
|
&rootprompt; chown -R bobj:Finances /data/finsvcs
|
|
&rootprompt; chown -R bobj:PIOps /data/piops
|
|
&rootprompt; chmod -R ug+rwxs,o-rwx /data
|
|
&rootprompt; chmod -R ug+rwx,o+rx-w /apps
|
|
</screen>
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Configuring Profile Directories</title>
|
|
|
|
<para>
|
|
You made a conscious decision to do everything it would take to improve network client
|
|
performance. One of your decisions was to implement folder redirection. This means that Windows
|
|
user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
|
|
network folders.
|
|
</para>
|
|
|
|
<para>
|
|
For this arrangement to work, every user needs a directory structure for the network folder
|
|
portion of his or her profile as shown here:
|
|
<screen>
|
|
&rootprompt; mkdir -p /var/lib/samba/profdata
|
|
&rootprompt; chown root:root /var/lib/samba/profdata
|
|
&rootprompt; chmod 755 /var/lib/samba/profdata
|
|
|
|
# Per user structure
|
|
&rootprompt; cd /var/lib/samba/profdata
|
|
&rootprompt; mkdir -p <emphasis>username</emphasis>
|
|
&rootprompt; for i in InternetFiles Cookies History AppData \
|
|
LocalSettings MyPictures MyDocuments Recent
|
|
&rootprompt; do
|
|
&rootprompt; mkdir <emphasis>username</emphasis>/$i
|
|
&rootprompt; done
|
|
&rootprompt; chown -R <emphasis>username</emphasis>:Domain\ Users <emphasis>username</emphasis>
|
|
&rootprompt; chmod -R 750 <emphasis>username</emphasis>
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>roaming profile</primary></indexterm>
|
|
<indexterm><primary>mandatory profile</primary></indexterm>
|
|
You have three options insofar as the dynamically loaded portion of the roaming profile
|
|
is concerned:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>You may permit the user to obtain a default profile.</para></listitem>
|
|
<listitem><para>You can create a mandatory profile.</para></listitem>
|
|
<listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
|
|
profile is effected by renaming the <filename>NTUSER.DAT</filename> to <filename>NTUSER.MAN</filename>,
|
|
that is, just by changing the filename extension.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
|
|
<indexterm><primary>Domain User Manager</primary></indexterm>
|
|
The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
|
|
You can manage this using the Idealx smbldap-tools or using the
|
|
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager</ulink>.
|
|
</para>
|
|
|
|
<para>
|
|
It may not be obvious that you must ensure that the root directory for the user's profile exists
|
|
and has the needed permissions. Use the following commands to create this directory:
|
|
<screen>
|
|
&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis>
|
|
&rootprompt; chown <emphasis>username</emphasis>:Domain\ Users
|
|
/var/lib/samba/profiles/<emphasis>username</emphasis>
|
|
&rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis>
|
|
</screen>
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Preparation of Logon Scripts</title>
|
|
|
|
<para>
|
|
<indexterm><primary>logon script</primary></indexterm>
|
|
The use of a logon script with Windows XP Professional is an option that every site should consider.
|
|
Unless you have locked down the desktop so the user cannot change anything, there is risk that
|
|
a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
|
|
can help to restore persistent network folder (drive) and printer connections in a predictable
|
|
manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
|
|
user attaches to another company's network that forces environment changes that are alien to your
|
|
network.
|
|
</para>
|
|
|
|
<para>
|
|
If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain
|
|
controllers, you see that the path to the share point for the <constant>NETLOGON</constant>
|
|
share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon
|
|
script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows
|
|
NT/200x/XP client logs onto the network, it tries to obtain the file <filename>logon.bat</filename>
|
|
from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully
|
|
qualified path should therefore exist whether you install the <filename>logon.bat</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
You can, of course, create the fully qualified path by executing:
|
|
<screen>
|
|
&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
You should research the options for logon script implementation by referring to <emphasis>TOSHARG2</emphasis>, Chapter 24,
|
|
Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
|
|
facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Assigning User Rights and Privileges</title>
|
|
|
|
<para>
|
|
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
|
|
normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
|
|
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
|
|
this privilege in a very limited fashion to particular accounts.
|
|
</para>
|
|
|
|
<para>
|
|
By default, even Samba-3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
|
|
group. Here we grant this group all privileges.
|
|
</para>
|
|
|
|
<para>
|
|
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
|
|
are granted rights can be restricted to particular machines. It is left to the network administrator
|
|
to determine which rights should be provided and to whom.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Steps for Assignment of User Rights and Privileges</title>
|
|
|
|
<step><para>
|
|
Log onto the PDC as the <constant>root</constant> account.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Execute the following command to grant the <constant>Domain Admins</constant> group all
|
|
rights and privileges:
|
|
<screen>
|
|
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
|
|
"MEGANET2\Domain Admins" SeMachineAccountPrivilege \
|
|
SePrintOperatorPrivilege SeAddUsersPrivilege \
|
|
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
|
|
Successfully granted rights.
|
|
</screen>
|
|
Repeat this step on each domain controller, in each case substituting the name of the server
|
|
(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
|
|
to the domain. Execute the following only on the PDC. It is not necessary to do this on
|
|
BDCs or on DMS machines because machine accounts are only ever added by the PDC:
|
|
<screen>
|
|
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
|
|
"MEGANET2\bobj" SeMachineAccountPrivilege
|
|
Successfully granted rights.
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Verify that privilege assignments have been correctly applied by executing:
|
|
<screen>
|
|
net rpc rights list accounts -Uroot%not24get
|
|
MEGANET2\bobj
|
|
SeMachineAccountPrivilege
|
|
|
|
S-0-0
|
|
No privileges assigned
|
|
|
|
BUILTIN\Print Operators
|
|
No privileges assigned
|
|
|
|
BUILTIN\Account Operators
|
|
No privileges assigned
|
|
|
|
BUILTIN\Backup Operators
|
|
No privileges assigned
|
|
|
|
BUILTIN\Server Operators
|
|
No privileges assigned
|
|
|
|
BUILTIN\Administrators
|
|
No privileges assigned
|
|
|
|
Everyone
|
|
No privileges assigned
|
|
|
|
MEGANET2\Domain Admins
|
|
SeMachineAccountPrivilege
|
|
SePrintOperatorPrivilege
|
|
SeAddUsersPrivilege
|
|
SeRemoteShutdownPrivilege
|
|
SeDiskOperatorPrivilege
|
|
</screen>
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Windows Client Configuration</title>
|
|
|
|
<para>
|
|
<indexterm><primary>NETLOGON</primary></indexterm>
|
|
In the next few sections, you can configure a new Windows XP Professional disk image on a staging
|
|
machine. You will configure all software, printer settings, profile and policy handling, and desktop
|
|
default profile settings on this system. When it is complete, you copy the contents of the
|
|
<filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same
|
|
name in the <constant>NETLOGON</constant> share on the domain controllers.
|
|
</para>
|
|
|
|
<para>
|
|
Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
|
|
One knowledge-base article in particular stands out:
|
|
"<ulink url="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475">How to Create a
|
|
Base Profile for All Users."</ulink>
|
|
|
|
</para>
|
|
|
|
<sect2 id="redirfold">
|
|
<title>Configuration of Default Profile with Folder Redirection</title>
|
|
|
|
<para>
|
|
<indexterm><primary>folder redirection</primary></indexterm>
|
|
Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>.
|
|
It is necessary to expose folders that are generally hidden to provide access to the
|
|
<constant>Default User</constant> folder.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Expose Hidden Folders</title>
|
|
|
|
<step><para>
|
|
Launch the Windows Explorer by clicking
|
|
<menuchoice>
|
|
<guimenu>Start</guimenu>
|
|
<guimenuitem>My Computer</guimenuitem>
|
|
<guimenuitem>Tools</guimenuitem>
|
|
<guimenuitem>Folder Options</guimenuitem>
|
|
<guimenuitem>View Tab</guimenuitem>
|
|
</menuchoice>.
|
|
Select <guilabel>Show hidden files and folders</guilabel>,
|
|
and click <guibutton>OK</guibutton>. Exit Windows Explorer.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>regedt32</primary></indexterm>
|
|
Launch the Registry Editor. Click
|
|
<menuchoice>
|
|
<guimenu>Start</guimenu>
|
|
<guimenuitem>Run</guimenuitem>
|
|
</menuchoice>. Key in <command>regedt32</command>, and click
|
|
<guibutton>OK</guibutton>.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
</para>
|
|
|
|
<procedure id="sbehap-rdrfldr">
|
|
<title>Redirect Folders in Default System User Profile</title>
|
|
|
|
<step><para>
|
|
<indexterm><primary>HKEY_LOCAL_MACHINE</primary></indexterm>
|
|
<indexterm><primary>Default User</primary></indexterm>
|
|
Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel.
|
|
Click <menuchoice>
|
|
<guimenu>File</guimenu>
|
|
<guimenuitem>Load Hive...</guimenuitem>
|
|
<guimenuitem>Documents and Settings</guimenuitem>
|
|
<guimenuitem>Default User</guimenuitem>
|
|
<guimenuitem>NTUSER</guimenuitem>
|
|
<guimenuitem>Open</guimenuitem>
|
|
</menuchoice>. In the dialog box that opens, enter the key name
|
|
<constant>Default</constant> and click <guibutton>OK</guibutton>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Browse inside the newly loaded Default folder to:
|
|
<screen>
|
|
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
|
|
CurrentVersion\Explorer\User Shell Folders\
|
|
</screen>
|
|
The right panel reveals the contents as shown in <link linkend="XP-screen001"/>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>%USERPROFILE%</primary></indexterm>
|
|
<indexterm><primary>%LOGONSERVER%</primary></indexterm>
|
|
You edit hive keys. Acceptable values to replace the
|
|
<constant>%USERPROFILE%</constant> variable includes:
|
|
|
|
<itemizedlist>
|
|
<listitem><para>A drive letter such as <constant>U:</constant></para></listitem>
|
|
<listitem><para>A direct network path such as
|
|
<constant>\\MASSIVE\profdata</constant></para></listitem>
|
|
<listitem><para>A network redirection (UNC name) that contains a macro such as </para>
|
|
<para><constant>%LOGONSERVER%\profdata\</constant></para></listitem>
|
|
</itemizedlist>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>registry keys</primary></indexterm>
|
|
Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption
|
|
that users have statically located machines. Notebook computers (mobile users) need to be
|
|
accommodated using local profiles. This is not an uncommon assumption.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Click back to the root of the loaded hive <constant>Default</constant>.
|
|
Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem>
|
|
<guimenuitem>Yes</guimenuitem></menuchoice>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>Registry Editor</primary></indexterm>
|
|
Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the
|
|
Registry Editor.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you
|
|
have redirected is in the exclusion list.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
You are now ready to copy<footnote><para>
|
|
There is an alternate method by which a default user profile can be added to the
|
|
<constant>NETLOGON</constant> share. This facility in the Windows System tool
|
|
permits profiles to be exported. The export target may be a particular user or
|
|
group profile share point or else the <constant>NETLOGON</constant> share.
|
|
In this case, the profile directory must be named <constant>Default User</constant>.
|
|
</para></footnote>
|
|
the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
|
|
and use it to copy the full contents of the directory <filename>Default User</filename> that
|
|
is in the <filename>C:\Documents and Settings</filename> to the root directory of the
|
|
<constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined
|
|
UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must
|
|
be a directory in there called <filename>Default User</filename>.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<para>
|
|
Before punching out new desktop images for the client workstations, it is perhaps a good idea that
|
|
desktop behavior should be returned to the original Microsoft settings. The following steps achieve
|
|
that ojective:
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Reset Folder Display to Original Behavior</title>
|
|
|
|
<step><para>
|
|
To launch the Windows Explorer, click
|
|
<menuchoice>
|
|
<guimenu>Start</guimenu>
|
|
<guimenuitem>My Computer</guimenuitem>
|
|
<guimenuitem>Tools</guimenuitem>
|
|
<guimenuitem>Folder Options</guimenuitem>
|
|
<guimenuitem>View Tab</guimenuitem>
|
|
</menuchoice>.
|
|
Deselect <guilabel>Show hidden files and folders</guilabel>, and click <guibutton>OK</guibutton>.
|
|
Exit Windows Explorer.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<figure id="XP-screen001">
|
|
<title>Windows XP Professional &smbmdash; User Shared Folders</title>
|
|
<imagefile scale="65">XP-screen001</imagefile>
|
|
</figure>
|
|
|
|
<table id="proffold">
|
|
<title>Default Profile Redirections</title>
|
|
<tgroup cols="2">
|
|
<colspec align="left"/>
|
|
<colspec align="left"/>
|
|
<thead>
|
|
<row>
|
|
<entry>Registry Key</entry>
|
|
<entry>Redirected Value</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry>Cache</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Cookies</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry>
|
|
</row>
|
|
<row>
|
|
<entry>History</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Local AppData</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Local Settings</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry>
|
|
</row>
|
|
<row>
|
|
<entry>My Pictures</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Personal</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Recent</entry>
|
|
<entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Configuration of MS Outlook to Relocate PST File</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Outlook</primary><secondary>PST</secondary></indexterm>
|
|
<indexterm><primary>MS Outlook</primary><secondary>PST</secondary></indexterm>
|
|
Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
|
|
It is the nature of email storage that this file grows, at times quite rapidly.
|
|
So that users' email is available to them at every workstation they may log onto,
|
|
it is common practice in well-controlled sites to redirect the PST folder to the
|
|
users' home directory. Follow these steps for each user who wishes to do this.
|
|
</para>
|
|
|
|
<para>
|
|
To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
|
|
slightly differently), follow these steps:
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Outlook PST File Relocation</title>
|
|
|
|
<step><para>
|
|
Close Outlook if it is open.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
From the <guimenu>Control Panel</guimenu>, launch the Mail icon.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Click <guimenu>Email Accounts.</guimenu>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Make a note of the location of the PST file(s). From this location, move
|
|
the files to the desired new target location. The most desired new target location
|
|
may well be the users' home directory.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Add a new data file, selecting the PST file in the new desired target location.
|
|
Give this entry (not the filename) a new name such as <quote>Personal Mail Folders.</quote>
|
|
</para>
|
|
|
|
<para>
|
|
Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
|
|
following these instructions. Feedback from users suggests that where IMAP is used the PST
|
|
file is used to store rules and filters. When the PST store is relocated it appears to break
|
|
MS Outlook's Send/Receive button. If anyone has successfully relocated PST files where IMAP is
|
|
used please email <literal>jht@samba.org</literal> with useful tips and suggestions so that
|
|
this warning can be removed or modified.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Close the <guimenu>Date Files</guimenu> windows, then click <guimenu>Email Accounts</guimenu>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Select <guimenu>View of Change</guimenu> exiting email accounts, click <guibutton>Next.</guibutton>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Change the <guimenu>Mail Delivery Location</guimenu> so as to use the data file in the new
|
|
target location.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Go back to the <guimenu>Data Files</guimenu> window, then delete the old data file entry.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<note><para>
|
|
<indexterm><primary>Outlook Address Book</primary></indexterm>
|
|
You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
|
|
the user may be not be able to retrieve contacts when addressing a new email message.
|
|
</para></note>
|
|
|
|
<note><para>
|
|
<indexterm><primary>Outlook Express</primary></indexterm>
|
|
Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
|
|
Express storage files can not be redirected to network shares. The options panel will not permit
|
|
this, but they can be moved to folders outside of the user's profile. They can also be excluded
|
|
from folder synchronization as part of the roaming profile.
|
|
</para>
|
|
|
|
<para>
|
|
While it is possible to redirect the data stores for Outlook Express data stores by editing the
|
|
registry, experience has shown that data corruption and loss of email messages will result.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Outlook Express</primary></indexterm>
|
|
<indexterm><primary>MS Outlook</primary></indexterm>
|
|
In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
|
|
roaming profiles this can result in excruciatingly long login and logout behavior will files are
|
|
synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
|
|
profiles are used.
|
|
</para></note>
|
|
|
|
<para>
|
|
<indexterm><primary>PST file</primary></indexterm>
|
|
Microsoft does not support storing PST files on network shares, although the practice does appear
|
|
to be rather popular. Anyone who does relocation the PST file to a network resource should refer
|
|
the Microsoft <ulink url="http://support.microsoft.com/kb/297019/">reference</ulink> to better
|
|
understand the issues.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>PST file</primary></indexterm>
|
|
Apart from manually moving PST files to a network share, it is possible to set the default PST
|
|
location for new accounts by following the instructions at the WindowsITPro <ulink
|
|
url="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html">web</ulink> site.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>PST file</primary></indexterm>
|
|
User feedback suggests that disabling of oplocks on PST files will significantly improve
|
|
network performance by reducing locking overheads. One way this can be done is to add to the
|
|
&smb.conf; file stanza for the share the PST file the following:
|
|
<screen>
|
|
veto oplock files = /*.pdf/*.PST/
|
|
</screen>
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Configure Delete Cached Profiles on Logout</title>
|
|
|
|
<para>
|
|
Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>MMC</primary></indexterm>
|
|
Click
|
|
<menuchoice>
|
|
<guimenu>Start</guimenu>
|
|
<guimenuitem>Run</guimenuitem>
|
|
</menuchoice>. In the dialog box, enter <command>MMC</command> and click <guibutton>OK</guibutton>.
|
|
</para>
|
|
|
|
<para>
|
|
Follow these steps to set the default behavior of the staging machine so that all roaming
|
|
profiles are deleted as network users log out of the system. Click
|
|
<menuchoice>
|
|
<guimenu>File</guimenu>
|
|
<guimenuitem>Add/Remove Snap-in</guimenuitem>
|
|
<guimenuitem>Add</guimenuitem>
|
|
<guimenuitem>Group Policy</guimenuitem>
|
|
<guimenuitem>Add</guimenuitem>
|
|
<guimenuitem>Finish</guimenuitem>
|
|
<guimenuitem>Close</guimenuitem>
|
|
<guimenuitem>OK</guimenuitem>
|
|
</menuchoice>.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Microsoft Management Console</primary><see>MMC</see></indexterm>
|
|
The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu>
|
|
utility that enables you to set the policies needed. In the left panel, click
|
|
<menuchoice>
|
|
<guimenuitem>Local Computer Policy</guimenuitem>
|
|
<guimenuitem>Administrative Templates</guimenuitem>
|
|
<guimenuitem>System</guimenuitem>
|
|
<guimenuitem>User Profiles</guimenuitem>
|
|
</menuchoice>. In the right panel, set the properties shown here by double-clicking on each
|
|
item as shown:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem>
|
|
<listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
|
|
made of this system to deploy the new standard desktop system.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Uploading Printer Drivers to Samba Servers</title>
|
|
|
|
<para>
|
|
<indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm>
|
|
Users want to be able to use network printers. You have a vested interest in making
|
|
it easy for them to print. You have chosen to install the printer drivers onto the Samba
|
|
servers and to enable point-and-click (drag-and-drop) printing. This process results in
|
|
Samba being able to automatically provide the Windows client with the driver necessary to
|
|
print to the printer chosen. The following procedure must be followed for every network
|
|
printer:
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Steps to Install Printer Drivers on the Samba Servers</title>
|
|
|
|
<step><para>
|
|
Join your Windows XP Professional workstation (the staging machine) to the
|
|
<constant>MEGANET2</constant> domain. If you are not sure of the procedure,
|
|
follow the guidance given in <link linkend="appendix"/>, <link linkend="domjoin"/>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
After the machine has rebooted, log onto the workstation as the domain
|
|
<constant>root</constant> (this is the Administrator account for the
|
|
operating system that is the host platform for this implementation of Samba.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Launch MS Windows Explorer. Navigate in the left panel. Click
|
|
<menuchoice>
|
|
<guimenu>My Network Places</guimenu>
|
|
<guimenuitem>Entire Network</guimenuitem>
|
|
<guimenuitem>Microsoft Windows Network</guimenuitem>
|
|
<guimenuitem>Meganet2</guimenuitem>
|
|
<guimenuitem>Massive</guimenuitem>
|
|
</menuchoice>. Click on <guimenu>Massive</guimenu>
|
|
<guimenu>Printers and Faxes</guimenu>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Identify a printer that is shown in the right panel. Let us assume the printer is called
|
|
<constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon
|
|
and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates
|
|
that <quote>The printer driver is not installed on this computer. Some printer properties
|
|
will not be accessible unless you install the printer driver. Do you want to install the
|
|
driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server
|
|
<constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab.
|
|
Note that the box labeled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu>
|
|
button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>Add Printer Wizard</primary><secondary>APW</secondary></indexterm>
|
|
<indexterm><primary>APW</primary></indexterm>
|
|
The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel
|
|
is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the
|
|
printer manufacturer. In your case, you are adding a driver for a printer manufactured by
|
|
Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
|
|
<guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A
|
|
progress bar appears and instructs you as each file is being uploaded and that it is being
|
|
directed at the network server <constant>\\massive\ps01-color</constant>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm>
|
|
<indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm>
|
|
<indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm>
|
|
<indexterm><primary>printers</primary><secondary>General</secondary></indexterm>
|
|
<indexterm><primary>printers</primary><secondary>Security</secondary></indexterm>
|
|
<indexterm><primary>AD printer publishing</primary></indexterm>
|
|
The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
|
|
you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel.
|
|
You can set the Location (under the <guimenu>General</guimenu> tab) and Security settings (under
|
|
the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to
|
|
load additional printer drivers; there is also a check-box in this tab called <quote>List in the
|
|
directory</quote>. When this box is checked, the printer will be published in Active Directory
|
|
(Applicable to Active Directory use only.)
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm>
|
|
Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server.
|
|
You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor.
|
|
Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu>
|
|
<guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit
|
|
your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
|
|
you need to reverse the changes back to their original settings.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
This is necessary so that the printer settings are initialized in the Samba printers
|
|
database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed
|
|
just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
|
|
click <guimenu>Apply</guimenu> again.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>Print Test Page</primary></indexterm>
|
|
Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
|
|
click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button.
|
|
A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu>
|
|
in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on
|
|
massive Properties</guimenu> panel.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
You must repeat this process for all network printers (i.e., for every printer on each server).
|
|
When you have finished uploading drivers to all printers, close all applications. The next task
|
|
is to install software your users require to do their work.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Software Installation</title>
|
|
|
|
<para>
|
|
Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
|
|
a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
|
|
Notebooks require special handling that is beyond the scope of this chapter.
|
|
</para>
|
|
|
|
<para>
|
|
For desktop systems, the installation of software onto administratively centralized application servers
|
|
make a lot of sense. This means that you can manage software maintenance from a central
|
|
perspective and that only minimal application stubware needs to be installed onto the desktop
|
|
systems. You should proceed with software installation and default configuration as far as is humanly
|
|
possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
|
|
of software operations and configuration.
|
|
</para>
|
|
|
|
<para>
|
|
When you believe that the overall configuration is complete, be sure to create a shared group profile
|
|
and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
|
|
case a user may have specific needs you had not anticipated.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Roll-out Image Creation</title>
|
|
|
|
<para>
|
|
The final steps before preparing the distribution Norton Ghost image file you might follow are:
|
|
</para>
|
|
|
|
<blockquote><para>
|
|
Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently
|
|
joined into domain membership.
|
|
</para></blockquote>
|
|
|
|
<blockquote><para>
|
|
Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results
|
|
in better performance and often significantly reduces the size of the compressed disk image. That
|
|
also means it will take less time to deploy the image onto 500 workstations.
|
|
</para></blockquote>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Key Points Learned</title>
|
|
|
|
<para>
|
|
This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
|
|
avoided any consideration of security. Security does not just happen; you must design it into your total
|
|
network. Security begins with a systems design and implementation that anticipates hostile behavior from
|
|
users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
|
|
they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
|
|
practices, you must not deploy the design presented in this book in an environment where there is risk
|
|
of compromise.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Access Control Lists</primary><see>ACLs</see></indexterm>
|
|
<indexterm><primary>ACLs</primary></indexterm>
|
|
As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
|
|
configured to use secure protocols for all communications over the network. Of course, secure networking
|
|
does not result just from systems design and implementation but involves constant user education
|
|
training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
|
|
or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
|
|
Jerry Carter's book <ulink url="http://www.booksense.com/product/info.jsp&isbn=1565924916">
|
|
<emphasis>LDAP System Administration</emphasis></ulink> is a good place to start reading about OpenLDAP
|
|
as well as security considerations.
|
|
</para>
|
|
|
|
<para>
|
|
The substance of this chapter that has been deserving of particular attention includes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
|
|
domain control.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Implementation of Samba primary and secondary domain controllers with a common LDAP backend
|
|
for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
|
|
pam_ldap tool-sets.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
|
|
to manage Samba Windows user and group accounts.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
The basics of implementation of Group Policy controls for Windows network clients.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Control over roaming profiles, with particular focus on folder redirection to network drives.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Use of the CUPS printing system together with Samba-based printer driver auto-download.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
</sect1>
|
|
|
|
|
|
<sect1>
|
|
<title>Questions and Answers</title>
|
|
|
|
<para>
|
|
Well, here we are at the end of this chapter and we have only ten questions to help you to
|
|
remember so much. There are bound to be some sticky issues here.
|
|
</para>
|
|
|
|
<qandaset defaultlabel="chap06qa" type="number">
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Why did you not cover secure practices? Isn't it rather irresponsible to instruct
|
|
network administrators to implement insecure solutions?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Let's get this right. This is a book about Samba, not about OpenLDAP and secure
|
|
communication protocols for subjects other than Samba. Earlier on, you note,
|
|
that the dynamic DNS and DHCP solutions also used no protective secure communications
|
|
protocols. The reason for this is simple: There are so many ways of implementing
|
|
secure protocols that this book would have been even larger and more complex.
|
|
</para>
|
|
|
|
<para>
|
|
The solutions presented here all work (at least they did for me). Network administrators
|
|
have the interest and the need to be better trained and instructed in secure networking
|
|
practices and ought to implement safe systems. I made the decision, right or wrong,
|
|
to keep this material as simple as possible. The intent of this book is to demonstrate
|
|
a working solution and not to discuss too many peripheral issues.
|
|
</para>
|
|
|
|
<para>
|
|
This book makes little mention of backup techniques. Does that mean that I am recommending
|
|
that you should implement a network without provision for data recovery and for disaster
|
|
management? Back to our focus: The deployment of Samba has been clearly demonstrated.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
|
|
you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
|
|
to the Linux I might be using?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
|
|
for a standard Linux distribution. The differences are marginal. Surely you know
|
|
your Linux platform, and you do have access to administration manuals for it. This
|
|
book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
|
|
the Samba part of the book; all the other bits are peripheral (but important) to
|
|
creation of a total network solution.
|
|
</para>
|
|
|
|
<para>
|
|
What I find interesting is the attention reviewers give to Linux installation and to
|
|
the look and feel of the desktop, but does that make for a great server? In this book,
|
|
I have paid particular attention to the details of creating a whole solution framework.
|
|
I have not tightened every nut and bolt, but I have touched on all the issues you
|
|
need to be familiar with. Over the years many people have approached me wanting to
|
|
know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
|
|
and WINS. In this chapter, it is plain to see what needs to be configured to provide
|
|
transparent interoperability. Likewise for CUPS and Samba interoperation. These are
|
|
key stumbling areas for many people.
|
|
</para>
|
|
|
|
<para>
|
|
At every critical junction, I have provided comparative guidance for both SUSE and
|
|
Red Hat Linux. Both manufacturers have done a great job in furthering the cause
|
|
of open source software. I favor neither and respect both. I like particular
|
|
features of both products (companies also). No bias in presentation is intended.
|
|
Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
You did not use SWAT to configure Samba. Is there something wrong with it?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
That is a good question. As it is, the &smb.conf; file configurations are presented
|
|
in as direct a format as possible. Adding SWAT into the equation would have complicated
|
|
matters. I sought simplicity of implementation. The fact is that I did use SWAT to
|
|
create the files in the first place.
|
|
</para>
|
|
|
|
<para>
|
|
There are people in the Linux and open source community who feel that SWAT is dangerous
|
|
and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
|
|
hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG2</emphasis>.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
You have exposed a well-used password <emphasis>not24get</emphasis>. Is that
|
|
not irresponsible?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Well, I had to use a password of some sort. At least this one has been consistently
|
|
used throughout. I guess you can figure out that in a real deployment it would make
|
|
sense to use a more secure and original password.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
The Idealx smbldap-tools create many domain group accounts that are not used. Is that
|
|
a good thing?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
I took this up with Idealx and found them most willing to change that in the next version.
|
|
Let's give Idealx some credit for the contribution they have made. I appreciate their work
|
|
and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time
|
|
Samba may well use them.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Can I use LDAP just for Samba accounts and not for UNIX system accounts?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
|
|
group account for every Windows domain group account. But if you put your users into
|
|
the system password account, how do you plan to keep all domain controller system
|
|
password files in sync? I think that having everything in LDAP makes a lot of sense
|
|
for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Why are the Windows domain RID portions not the same as the UNIX UID?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
|
|
This algorithm ought to ensure that there will be no clashes with well-known RIDs.
|
|
Well-known RIDs have special significance to MS Windows clients. The automatic
|
|
assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
|
|
permit you to override that to some extent. See the &smb.conf; man page entry
|
|
for <parameter>algorithmic rid base</parameter>.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Printer configuration examples all show printing to the HP port 9100. Does this
|
|
mean that I must have HP printers for these solutions to work?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
No. You can use any type of printer and must use the interfacing protocol supported
|
|
by the printer. Many networks use LPR/LPD print servers to which are attached
|
|
PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
|
|
inkjet printer. Use the appropriate device URI (Universal Resource Interface)
|
|
argument to the <constant>lpadmin -v</constant> option that is right for your
|
|
printer.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Is folder redirection dangerous? I've heard that you can lose your data that way.
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
The only loss of data I know of that involved folder redirection was caused by
|
|
manual misuse of the redirection tool. The administrator redirected a folder to
|
|
a network drive and said he wanted to migrate (move) the data over. Then he
|
|
changed his mind, so he moved the folder back to the roaming profile. This time,
|
|
he declined to move the data because he thought it was still in the local profile
|
|
folder. That was not the case, so by declining to move the data back, he wiped out
|
|
the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
Is it really necessary to set a local Group Policy to exclude the redirected
|
|
folders from the roaming profile?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Yes. If you do not do this, the data will still be copied from the network folder
|
|
(share) to the local cached copy of the profile.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
</qandaset>
|
|
|
|
</sect1>
|
|
|
|
</chapter>
|