<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="AdvancedNetworkManagement">
<chapterinfo>
	&author.jht;
	<pubdate>June 15 2005</pubdate>
</chapterinfo>

<title>Advanced Network Management</title>

<para>
<indexterm><primary>access control</primary></indexterm>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Often the difference between a working network environment and a well-appreciated one can
best be measured by the <emphasis>little things</emphasis> that make everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, remotely access the Samba server, provide customized
logon scripts, as well as other housekeeping activities that help to sustain more reliable
network operations.
</para>

<para>
This chapter presents information on each of these areas. They are placed here, and not in
other chapters, for ease of reference.
</para>

</sect1>

<sect1>
<title>Remote Server Administration</title>


<para><quote>How do I get User Manager and Server Manager?</quote></para>

<para>
<indexterm><primary>User Manager</primary></indexterm>
<indexterm><primary>Server Manager</primary></indexterm>
<indexterm><primary>Event Viewer</primary></indexterm>
Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
and the Server Manager?
</para>

<para>
<indexterm><primary>Nexus.exe</primary></indexterm>
<indexterm><primary>Windows 9x/Me</primary></indexterm>
Microsoft distributes a version of these tools called <filename>Nexus.exe</filename> for installation
on <application>Windows 9x/Me</application> systems. The tool set includes:
</para>

<itemizedlist>
	<listitem><para>Server Manager</para></listitem>
	<listitem><para>User Manager for Domains</para></listitem>
	<listitem><para>Event Viewer</para></listitem>
</itemizedlist>

<para>
Download the archived file at the Microsoft <ulink noescape="1"
url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
</para>

<para>
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
<indexterm><primary>User Manager for Domains</primary></indexterm>
<indexterm><primary>Server Manager</primary></indexterm>
The <application>Windows NT 4.0</application> versions of the User Manager for
Domains and Server Manager are available from Microsoft
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
</para>

</sect1>

<sect1>
<title>Remote Desktop Management</title>

<para>
<indexterm><primary>remote desktop management</primary></indexterm>
<indexterm><primary>network environment</primary></indexterm>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solution is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</para>

	<sect2>
	<title>Remote Management from NoMachine.Com</title>

	<para>
	<indexterm><primary>NoMachine.Com</primary></indexterm>
	The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
	It is presented in slightly edited form (with author details omitted for privacy reasons).
	The entire answer is reproduced below with some comments removed.
	</para>

	<para><quote>
<indexterm><primary>remote desktop capabilities</primary></indexterm>
	I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
	desktop capabilities so users outside could log in to the system and get their desktop up from home or
	another country.
	</quote></para>

	<para><quote>
<indexterm><primary>Windows Terminal server</primary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>remote login</primary></indexterm>
	Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
	it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
	even if the computer is in a domain?
	</quote></para>

	<para>
	Answer provided: Check out the new offer of <quote>NX</quote> software from
	<ulink noescape="1" url="http://www.nomachine.com/">NoMachine</ulink>.
	</para>

	<para>
<indexterm><primary>Remote X protocol</primary></indexterm>
<indexterm><primary>VNC/RFB</primary></indexterm>
<indexterm><primary>rdesktop/RDP</primary></indexterm>
	It implements an easy-to-use interface to the Remote X protocol as
	well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
	much better than anything you may have ever seen.
	</para>

	<para>
<indexterm><primary>modem/ISDN</primary></indexterm>
	Remote X is not new at all, but what they did achieve successfully is
	a new way of compression and caching technologies that makes the thing
	fast enough to run even over slow modem/ISDN connections.
	</para>

	<para>
<indexterm><primary>KDE konqueror</primary></indexterm>
<indexterm><primary>mouse-over</primary></indexterm>
<indexterm><primary>rdesktop</primary></indexterm>
	I test drove their (public) Red Hat machine in Italy, over a loaded
	Internet connection, with enabled thumbnail previews in KDE konqueror,
	which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
	session I started an rdesktop session on another machine, a Windows XP box.
	To test the performance, I played Pinball. I am proud to announce
	that my score was 631,750 points at first try.
	</para>

	<para>
<indexterm><primary>NX</primary></indexterm>
<indexterm><primary>TightVNC</primary></indexterm>
<indexterm><primary>rdesktop</primary></indexterm>
<indexterm><primary>Remote X</primary></indexterm>
	NX performs better on my local LAN than any of the other <quote>pure</quote>
	connection methods I use from time to time: TightVNC, rdesktop or
	Remote X. It is even faster than a direct crosslink connection between
	two nodes.
	</para>

	<para>
<indexterm><primary>Remote X</primary></indexterm>
<indexterm><primary>KDE session</primary></indexterm>
<indexterm><primary>copy'n'paste</primary></indexterm>
	I even got sound playing from the Remote X app to my local boxes, and
	had a working <quote>copy'n'paste</quote> from an NX window (running a KDE session
	in Italy) to my Mozilla mailing agent. These guys are certainly doing
	something right!
	</para>

	<para>
	I recommend test driving NX to anybody with even a passing interest in remote computing:
	the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> test drive.
	</para>

	<para>
	Just download the free-of-charge client software (available for Red Hat,
	SuSE, Debian and Windows) and be up and running within 5 minutes (they
	need to send you your account data, though, because you are assigned
	a real UNIX account on their testdrive.nomachine.com box).
	</para>

	<para>
	They plan to get to the point where you can have NX application servers
	running as a cluster of nodes, and users simply start an NX session locally
	and can select applications to run transparently (apps may even run on
	another NX node, but pretend to be on the same one as used for the initial login,
	because it displays in the same window. You also can run it
	full-screen, and after a short time you forget that it is a remote session
	at all).
	</para>

	<para>
<indexterm><primary>GPL</primary></indexterm>
	Now the best thing for last: All the core compression and caching
	technologies are released under the GPL and available as source code
	to anybody who wants to build on it! These technologies are working,
	albeit started from the command line only (and very inconvenient to
	use in order to get a fully running remote X session up and running).
	</para>

	<para>
	To answer your questions:
	</para>

	<itemizedlist>
	<listitem><para>
	You do not need to install a terminal server; XP has RDP support built in.
	</para></listitem>

	<listitem><para>
	NX is much cheaper than Citrix &smbmdash; and comparable in performance, probably faster.
	</para></listitem>

	<listitem><para>
	You do not need to hack XP &smbmdash; it just works.
	</para></listitem>

	<listitem><para>
	You log into the XP box from remote transparently (and I think there is no
	need to change anything to get a connection, even if authentication is against a domain).
	</para></listitem>

	<listitem><para>
	The NX core technologies are all Open Source and released under the GPL &smbmdash;
	you can now use a (very inconvenient) command line at no cost,
	but you can buy a comfortable (proprietary) NX GUI front end for money.
	</para></listitem>

	<listitem><para>
<indexterm><primary>OSS/Free Software</primary></indexterm>
<indexterm><primary>LTSP</primary></indexterm>
<indexterm><primary>KDE</primary></indexterm>
<indexterm><primary>GNOME</primary></indexterm>
<indexterm><primary>NoMachine</primary></indexterm>
	NoMachine is encouraging and offering help to OSS/Free Software implementations
	for such a front-end too, even if it means competition to them (they have written
	to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
	</para></listitem>
	</itemizedlist>

	</sect2>
	<sect2>
	<title>Remote Management with ThinLinc</title>
	<para>
	Another alternative for remote access is <emphasis>ThinLinc</emphasis> from Cendio.
	</para>

	<para>
<indexterm><primary>ThinLinc</primary></indexterm>
<indexterm><primary>terminal server</primary></indexterm>
<indexterm><primary>Linux</primary></indexterm>
<indexterm><primary>Solaris</primary></indexterm>
<indexterm><primary>TightVNC</primary></indexterm>
<indexterm><primary>SSH</primary></indexterm>
<indexterm><primary>NFS</primary></indexterm>
<indexterm><primary>PulseAudio</primary></indexterm>
	ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard
	protocols such as SSH, TightVNC, NFS and PulseAudio.
	</para>

	<para>
<indexterm><primary>LAN</primary></indexterm>
<indexterm><primary>thin client</primary></indexterm>
	ThinLinc can be used both in the LAN environment to implement a thin client strategy for an organization, and as
	a secure remote access solution for people working from remote locations, even over low-bandwidth connections.
	ThinLinc is free to use for a single concurrent user.
	</para>

	<para>
<indexterm><primary>Citrix</primary></indexterm>
<indexterm><primary>Windows Terminal Server</primary></indexterm>
<indexterm><primary>Java</primary></indexterm>
	The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows
	XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting
	all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also
	available.
	</para>

	<para>
	ThinLinc may be evaluated by connecting to Cendio's demo system; see the
	<ulink noescape="1" url="http://www.cendio.com/testdrive">testdrive</ulink> center on
	<ulink noescape="1" url="http://www.cendio.com">Cendio's</ulink> web site.
	</para>

	<para>
	Cendio is a major contributor to several open source projects including
	<ulink noescape="1" url="http://www.tightvnc.com">TightVNC</ulink>,
	<ulink noescape="1" url="http://pulseaudio.org">PulseAudio</ulink>, unfsd,
	<ulink noescape="1" url="http://www.python.org">Python</ulink> and
	<ulink noescape="1" url="http://www.rdesktop.org">rdesktop</ulink>.
	</para>

	</sect2>
</sect1>

<sect1>
<title>Network Logon Script Magic</title>

<para>
There are several opportunities for creating a custom network startup configuration environment.
</para>

<itemizedlist>
	<listitem><para>No Logon Script.</para></listitem>
	<listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
	<listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
	<listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
	a custom logon script and then execute it.</para></listitem>
	<listitem><para>Use of a tool such as KiXtart.</para></listitem>
</itemizedlist>

<para>
The Samba source code tree includes two logon script generation/execution tools.
See the <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories
of the <filename>examples</filename> directory.
</para>

<para>
The following listing is from the genlogon directory.
</para>


<para>
<indexterm><primary>genlogon.pl</primary></indexterm>
This is the <filename>genlogon.pl</filename> file:

<programlisting>
#!/usr/bin/perl
#
# genlogon.pl
#
# Perl script to generate user logon scripts on the fly, when users
# connect from a Windows client. This script should be called from
# smb.conf with the %U, %G and %L parameters, i.e.:
#
#   root preexec = genlogon.pl %U %G %L
#
# The script generated will perform
# the following:
#
# 1. Log the user connection to /var/log/samba/netlogon.log
# 2. Set the PC's time to the Linux server time (which is synchronized
#    daily with the National Institute of Standards atomic clock on the
#    Internet).
# 3. Connect the user's home drive to H: (H for Home).
# 4. Connect common drives that everyone uses.
# 5. Connect group-specific drives for certain user groups.
# 6. Connect user-specific drives for certain users.
# 7. Connect network printers.

# Log client connection
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
# localtime() returns a zero-based month and years since 1900; adjust both
open LOG, ">>/var/log/samba/netlogon.log" or die "netlogon.log: $!";
printf LOG "%02d/%02d/%04d %02d:%02d:%02d", $mon+1, $mday, $year+1900, $hour, $min, $sec;
print LOG " - User $ARGV[0] logged into $ARGV[1]\n";
close LOG;

# Start generating logon script
open LOGON, ">/shared/netlogon/$ARGV[0].bat" or die "$ARGV[0].bat: $!";
print LOGON "\@ECHO OFF\r\n";

# Connect shares used only by the Software Development group
if ($ARGV[1] eq "SOFTDEV" || $ARGV[0] eq "softdev")
{
	print LOGON "NET USE M: \\\\$ARGV[2]\\SOURCE\r\n";
}

# Connect shares used only by Technical Support staff
if ($ARGV[1] eq "SUPPORT" || $ARGV[0] eq "support")
{
	print LOGON "NET USE S: \\\\$ARGV[2]\\SUPPORT\r\n";
}

# Connect shares used only by Administration staff
if ($ARGV[1] eq "ADMIN" || $ARGV[0] eq "admin")
{
	print LOGON "NET USE L: \\\\$ARGV[2]\\ADMIN\r\n";
	print LOGON "NET USE K: \\\\$ARGV[2]\\MKTING\r\n";
}

# Now connect printers. We handle just two or three users a little
# differently, because they are the exceptions that have desktop
# printers on LPT1: - all other users go to the LaserJet on the
# server.
if ($ARGV[0] eq 'jim'
	|| $ARGV[0] eq 'yvonne')
{
	print LOGON "NET USE LPT2: \\\\$ARGV[2]\\LJET3\r\n";
	print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
}
else
{
	print LOGON "NET USE LPT1: \\\\$ARGV[2]\\LJET3\r\n";
	print LOGON "NET USE LPT3: \\\\$ARGV[2]\\FAXQ\r\n";
}

# All done! Close the output file.
close LOGON;
</programlisting>
</para>

<para>
Those wishing to use a more elaborate or capable logon processing system should check out these sites:
</para>

<itemizedlist>
	<listitem><para><ulink noescape="1" url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></para></listitem>
	<listitem><para><ulink noescape="1" url="http://www.kixtart.org">http://www.kixtart.org</ulink></para></listitem>
</itemizedlist>

<sect2>
<title>Adding Printers without User Intervention</title>


<para>
<indexterm><primary>rundll32</primary></indexterm>
Printers may be added automatically during logon script processing through the use of:
<screen>
&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
</screen>

See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
</para>
</sect2>

<sect2>
	<title>Limiting Logon Connections</title>

	<para>
	Sometimes it is necessary to limit the number of concurrent connections to a
	Samba shared resource. For example, a site may wish to permit only one network
	logon per user.
	</para>

	<para>
	The Samba <parameter>preexec</parameter> parameter can be used to permit only one
	connection per user. Though this method is not foolproof and may have side effects,
	the following contributed method may inspire someone to provide a better solution.
	</para>

	<para>
	This is not a perfect solution because Windows clients can drop idle connections
	with an auto-reconnect capability that could result in the appearance that a share
	is no longer in use, while actually it is. Even so, it demonstrates the principle
	of use of the <parameter>preexec</parameter> parameter.
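	The same single-logon principle as the contributed PermitSingleLogon.sh script in this section, as an added example that is not from the HOWTO or the Samba project: the decision logic takes the text of smbstatus -S -u USER as an argument, so it can be exercised offline against a constructed sample, and it ignores connections from the client machine that is logging on, so the auto-reconnect just described does not lock the user out. The %U %m %S argument order, the function names and the smbstatus column layout are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the HOWTO's PermitSingleLogon.sh: the single-logon
# check written as functions that take the smbstatus text as an argument.
#
# Assumed wiring in smb.conf (argument order is this example's choice):
#   preexec = /sbin/permit_single_logon.sh %U %m %S
#   preexec close = Yes
# The live script would fetch the status with  smbstatus -S -u "$1"  and
# exit non-zero to refuse the connection. The column layout assumed below
# is: Service, pid, Machine, Connected at.

# Constructed sample status for user alice: she already holds "homes" from ws01.
SAMPLE_STATUS='Service      pid     Machine       Connected at
-------------------------------------------------------
netlogon     2345    ws01          Mon Jun 13 09:01:12 2005
homes        2345    ws01          Mon Jun 13 09:01:13 2005
netlogon     2399    ws07          Mon Jun 13 09:05:44 2005'

# other_machines STATUS SHARE MACHINE
# Prints, sorted and unique, the client machines other than MACHINE that
# hold SHARE open. Header, separator and blank lines have fewer than four
# fields and are skipped.
other_machines() {
	printf '%s\n' "$1" | awk -v share="$2" -v me="$3" \
		'NF >= 4 && $1 == share && $3 != me { print $3 }' | sort -u
}

# permit_single_logon STATUS SHARE MACHINE
# Returns 0 (allow) when no other machine holds SHARE, 1 (deny) otherwise.
# Ignoring MACHINE itself lets a Windows auto-reconnect after an idle drop
# succeed, and makes the check independent of whether the connection being
# set up is already listed by smbstatus when preexec runs.
permit_single_logon() {
	local others
	others=$(other_machines "$1" "$2" "$3")
	[ -z "$others" ]
}

# Live use under the assumed wiring above (not executed here):
#   permit_single_logon "$(smbstatus -S -u "$1" 2>/dev/null)" "$3" "$2"
```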
	</para>

	<para>
	The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
	The script needs the connecting user name, so it is passed <literal>%U</literal> as its only argument,
	and <parameter>preexec close</parameter> makes a non-zero exit status refuse the connection.
<programlisting>
[myshare]
	...
	preexec = /sbin/PermitSingleLogon.sh %U
	preexec close = Yes
	...
</programlisting>
	</para>

<example id="Tpees">
<title>Script to Enforce Single Resource Logon</title>
<screen>
#!/bin/bash

# Called with the connecting user name (%U). List the shares that user has
# open; a share name listed more than once means the user already holds it
# from more than one session, so refuse the new connection.
IFS="-"
RESULT=$(smbstatus -S -u "$1" 2> /dev/null | awk 'NF > 6 {print $1}' | sort | uniq -d)

if [ -z "${RESULT}" ]; then
	exit 0
else
	exit 1
fi
</screen>
</example>

</sect2>

</sect1>

</chapter>