1<?xml version="1.0" encoding="iso-8859-1"?> 2<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> 3<chapter id="happy"> 4 <title>Making Happy Users</title> 5 6 <para> 7 It is said that <quote>a day that is without troubles is not fulfilling. Rather, give 8 me a day of troubles well handled so that I can be content with my achievements.</quote> 9 </para> 10 11 <para> 12 In the world of computer networks, problems are as varied as the people who create them 13 or experience them. The design of the network implemented in <link linkend="Big500users"/> 14 may create problems for some network users. The following lists some of the problems that 15 may occur: 16 </para> 17 18 <indexterm><primary>PDC</primary></indexterm> 19 <indexterm><primary>network bandwidth</primary><secondary>utilization</secondary></indexterm> 20 <indexterm><primary>BDC</primary></indexterm> 21 <indexterm><primary>user account</primary></indexterm> 22 <indexterm><primary>PDC/BDC ratio</primary></indexterm> 23<caution><para> 24A significant number of network administrators have responded to the guidance given 25here. It should be noted that there are sites that have a single PDC for many hundreds of 26concurrent network clients. Network bandwidth, network bandwidth utilization, and server load 27are among the factors that determine the maximum number of Windows clients that 28can be served by a single domain controller (PDC or BDC) on a network segment. It is possible 29to operate with only a single PDC over a routed network. What is possible is not necessarily 30<emphasis>best practice</emphasis>. When Windows client network logons begin to fail with 31the message that the domain controller cannot be found or that the user account cannot 32be found (when you know it exists), that may be an indication that the domain controller is 33overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows 34clients is conservative and if followed will minimize problems &smbmdash; but it is not absolute. 35</para></caution> 36 37 <variablelist> 38 <varlistentry> 39 <term>Users experiencing difficulty logging onto the network</term> 40 <listitem><para> 41 <indexterm><primary>network</primary><secondary>logon</secondary></indexterm> 42 <indexterm><primary>multiple domain controllers</primary></indexterm> 43 When a Windows client logs onto the network, many data packets are exchanged 44 between the client and the server that is providing the network logon services. 45 Each request between the client and the server must complete within a specific 46 time limit. This is one of the primary factors that govern the installation of 47 multiple domain controllers (usually called secondary or backup controllers). 48 As a rough rule, there should be one such backup controller for every 49 30 to 150 clients. The actual limits are determined by network operational 50 characteristics. 51 </para> 52 53 <para> 54 <indexterm><primary>PDC</primary></indexterm> 55 <indexterm><primary>BDC</primary></indexterm> 56 <indexterm><primary>clients per DC</primary></indexterm> 57 If the domain controller provides only network logon services 58 and all file and print activity is handled by domain member servers, one domain 59 controller per 150 clients on a single network segment may suffice. In any 60 case, it is highly recommended to have a minimum of one domain controller (PDC or BDC) 61 per network segment. It is better to have at least one BDC on the network 62 segment that has a PDC. If the domain controller is also used as a file and 63 print server, the number of clients it can service reliably is reduced, 64 and generally for low powered hardware should not exceed 30 machines (Windows 65 workstations plus domain member servers) per domain controller. Many sites are 66 able to operate with more clients per domain controller, the number of clients 67 that can be supported is limited by the CPU speed, memory and the workload on 68 the Samba server as well as network bandwidth utilization. 69 </para></listitem> 70 </varlistentry> 71 72 <varlistentry> 73 <term>Slow logons and log-offs</term> 74 <listitem><para> 75 <indexterm><primary>slow logon</primary></indexterm> 76 Slow logons and log-offs may be caused by many factors that include: 77 78 <itemizedlist> 79 <listitem><para> 80 <indexterm><primary>NetBIOS</primary><secondary>name resolution</secondary><tertiary>delays</tertiary></indexterm> 81 <indexterm><primary>WINS</primary><secondary>server</secondary></indexterm> 82 Excessive delays in the resolution of a NetBIOS name to its IP 83 address. This may be observed when an overloaded domain controller 84 is also the WINS server. Another cause may be the failure to use 85 a WINS server (this assumes that there is a single network segment). 86 </para></listitem> 87 88 <listitem><para> 89 <indexterm><primary>traffic collisions</primary></indexterm> 90 <indexterm><primary>HUB</primary></indexterm> 91 <indexterm><primary>ethernet switch</primary></indexterm> 92 Network traffic collisions due to overloading of the network 93 segment. One short-term workaround to this may be to replace 94 network HUBs with Ethernet switches. 95 </para></listitem> 96 97 <listitem><para> 98 <indexterm><primary>networking hardware</primary><secondary>defective</secondary></indexterm> 99 Defective networking hardware. Over the past few years, we have seen 100 on the Samba mailing list a significant increase in the number of 101 problems that were traced to a defective network interface controller, 102 a defective HUB or Ethernet switch, or defective cabling. In most cases, 103 it was the erratic nature of the problem that ultimately pointed to 104 the cause of the problem. 105 </para></listitem> 106 107 <listitem><para> 108 <indexterm><primary>profile</primary><secondary>roaming</secondary></indexterm> 109 <indexterm><primary>MS Outlook</primary><secondary>PST file</secondary></indexterm> 110 Excessively large roaming profiles. This type of problem is typically 111 the result of poor user education as well as poor network management. 112 It can be avoided by users not storing huge quantities of email in 113 MS Outlook PST files as well as by not storing files on the desktop. 114 These are old bad habits that require much discipline and vigilance 115 on the part of network management. 116 </para></listitem> 117 118 <listitem><para> 119 <indexterm><primary>WebClient</primary></indexterm> 120 You should verify that the Windows XP WebClient service is not running. 121 The use of the WebClient service has been implicated in many Windows 122 networking-related problems. 123 </para></listitem> 124 </itemizedlist> 125 </para></listitem> 126 </varlistentry> 127 128 <varlistentry> 129 <term>Loss of access to network drives and printer resources</term> 130 <listitem><para> 131 Loss of access to network resources during client operation may be caused by a number 132 of factors, including: 133 </para> 134 135 <itemizedlist> 136 <listitem><para> 137 <indexterm><primary>network</primary><secondary>overload</secondary></indexterm> 138 Network overload (typically indicated by a high network collision rate) 139 </para></listitem> 140 141 <listitem><para> 142 Server overload 143 </para></listitem> 144 145 <listitem><para> 146 <indexterm><primary>network</primary><secondary>timeout</secondary></indexterm> 147 Timeout causing the client to close a connection that is in use but has 148 been latent (no traffic) for some time (5 minutes or more) 149 </para></listitem> 150 151 <listitem><para> 152 <indexterm><primary>network hardware</primary><secondary>defective</secondary></indexterm> 153 Defective networking hardware 154 </para></listitem> 155 </itemizedlist> 156 157 <para> 158 <indexterm><primary>data</primary><secondary>corruption</secondary></indexterm> 159 No matter what the cause, a sudden loss of access to network resources can 160 result in BSOD (blue screen of death) situations that necessitate rebooting of the client 161 workstation. In the case of a mild problem, retrying to access the network drive of the printer 162 may restore operations, but in any case this is a serious problem that may lead to the next 163 problem, data corruption. 164 </para></listitem> 165 </varlistentry> 166 167 <varlistentry> 168 <term>Potential data corruption</term> 169 <listitem><para> 170 <indexterm><primary>data</primary><secondary>corruption</secondary></indexterm> 171 Data corruption is one of the most serious problems. It leads to uncertainty, anger, and 172 frustration, and generally precipitates immediate corrective demands. Management response 173 to this type of problem may be rational, as well as highly irrational. There have been 174 cases where management has fired network staff for permitting this situation to occur without 175 immediate correction. There have been situations where perfectly functional hardware was thrown 176 out and replaced, only to find the problem caused by a low-cost network hardware item. There 177 have been cases where server operating systems were replaced, or where Samba was updated, 178 only to later isolate the problem due to defective client software. 179 </para></listitem> 180 </varlistentry> 181 </variablelist> 182 183 <para> 184 In this chapter, you can work through a number of measures that significantly arm you to 185 anticipate and combat network performance issues. You can work through complex and thorny 186 methods to improve the reliability of your network environment, but be warned that all such steps 187 demand the price of complexity. 188 </para> 189 190<sect1> 191<title>Regarding LDAP Directories and Windows Computer Accounts</title> 192 193 <para> 194 <indexterm><primary>LDAP</primary><secondary>directory</secondary></indexterm> 195 Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some 196 constraints that are described in this section. 197 </para> 198 199 <para> 200 <indexterm><primary>POSIX</primary></indexterm> 201 <indexterm><primary>SambaSAMAccount</primary></indexterm> 202 <indexterm><primary>machine account</primary></indexterm> 203 <indexterm><primary>trust account</primary></indexterm> 204 The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. 205 That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats 206 them. A user account and a machine account are indistinguishable from each other, except that 207 the machine account ends in a $ character, as do trust accounts. 208 </para> 209 210 <para> 211 <indexterm><primary>account</primary></indexterm> 212 <indexterm><primary>UID</primary></indexterm> 213 The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID 214 is a design decision that was made a long way back in the history of Samba development. It is 215 unlikely that this decision will be reversed or changed during the remaining life of the 216 Samba-3.x series. 217 </para> 218 219 <para> 220 <indexterm><primary>SID</primary></indexterm> 221 <indexterm><primary>NSS</primary></indexterm> 222 The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that 223 must refer back to the host operating system on which Samba is running. The name service 224 switch (NSS) is the preferred mechanism that shields applications (like Samba) from the 225 need to know everything about every host OS it runs on. 226 </para> 227 228 <para> 229 Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote> 230 and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool 231 for achieving this is left up to the UNIX administrator to determine. It is not imposed by 232 Samba. Samba provides winbindd together with its support libraries as one method. It is 233 possible to do this via LDAP, and for that Samba provides the appropriate hooks so that 234 all account entities can be located in an LDAP directory. 235 </para> 236 237 <para> 238 <indexterm><primary>nss_ldap</primary></indexterm> 239 For many the weapon of choice is to use the PADL nss_ldap utility. This utility must 240 be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That 241 is fundamentally an LDAP design question. The information provided on the Samba list and 242 in the documentation is directed at providing working examples only. The design 243 of an LDAP directory is a complex subject that is beyond the scope of this documentation. 244 </para> 245 246</sect1> 247 248 249<sect1> 250 <title>Introduction</title> 251 252 <para> 253 You just opened an email from Christine that reads: 254 </para> 255 256 <para> 257 Good morning, 258 <blockquote><attribution>Christine</attribution><para> 259 A few months ago we sat down to design the network. We discussed the challenges ahead and we all 260 agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated 261 that we would have some time to resolve any issues that might be encountered. 262 </para> 263 264 <para> 265 As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them 266 resigned yesterday afternoon because she was under duress to complete some critical projects. She 267 suffered a blue screen of death situation just as she was finishing four hours of intensive work, all 268 of which was lost. She has a unique requirement that involves storing large files on her desktop. 269 Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it 270 takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all 271 network logon traffic passes over the network links between our buildings, logging on may take 272 three or four attempts due to blue screen problems associated with network timeouts. 273 </para> 274 275 <para> 276 A few of us worked to help her out of trouble. We convinced her to stay and promised to fully 277 resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard 278 limits on what our users can do with their desktops. Otherwise, we face staff losses 279 that can surely do harm to our growth as well as to staff morale. I am sure we can better deal 280 with the consequences of what we know we must do than we can with the unrest we have now. 281 </para> 282 283 <para> 284 Stan and I have discussed the current situation. We are resolved to help our users and protect 285 the well being of Abmas. Please acknowledge this advice with consent to proceed as required to 286 regain control of our vital IT operations. 287 </para></blockquote> 288 </para> 289 290 <para> 291 <indexterm><primary>compromise</primary></indexterm> 292 <indexterm><primary>network</primary><secondary>multi-segment</secondary></indexterm> 293 Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a 294 single domain controller is a poor design that has obvious operational effects that may 295 frustrate users. Here is your reply: 296 </para> 297 298 <blockquote><attribution>Bob</attribution><para> 299 Christine, Your diligence and attention to detail are much valued. Stan and I fully support your 300 proposals to resolve the issues. I am confident that your plans fully realized will significantly 301 boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. 302 Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait 303 for approval; I appreciate the urgency. 304 </para></blockquote> 305 306 <sect2> 307 <title>Assignment Tasks</title> 308 309 <para> 310 The priority of assigned tasks in this chapter is: 311 </para> 312 313 <orderedlist> 314 <listitem><para> 315 <indexterm><primary>Backup Domain Controller</primary><see>BDC</see></indexterm> 316 <indexterm><primary>BDC</primary></indexterm> 317 <indexterm><primary>tdbsam</primary></indexterm> 318 <indexterm><primary>LDAP</primary></indexterm><indexterm><primary>migration</primary></indexterm> 319 Implement Backup Domain Controllers (BDCs) in each building. This involves 320 a change from a <emphasis>tdbsam</emphasis> backend that was used in the previous 321 chapter to an LDAP-based backend. 322 </para> 323 324 <para> 325 You can implement a single central LDAP server for this purpose. 326 </para></listitem> 327 328 <listitem><para> 329 <indexterm><primary>logon time</primary></indexterm> 330 <indexterm><primary>network share</primary></indexterm> 331 <indexterm><primary>default profile</primary></indexterm> 332 <indexterm><primary>profile</primary><secondary>default</secondary></indexterm> 333 Rectify the problem of excessive logon times. This involves redirection of 334 folders to network shares as well as modification of all user desktops to 335 exclude the redirected folders from being loaded at login time. You can also 336 create a new default profile that can be used for all new users. 337 </para></listitem> 338 </orderedlist> 339 340 <para> 341 <indexterm><primary>disk image</primary></indexterm> 342 You configure a new MS Windows XP Professional workstation disk image that you roll out 343 to all desktop users. The instructions you have created are followed on a staging machine 344 from which all changes can be carefully tested before inflicting them on your network users. 345 </para> 346 347 <para> 348 <indexterm><primary>CUPS</primary></indexterm> 349 This is the last network example in which specific mention of printing is made. The example 350 again makes use of the CUPS printing system. 351 </para> 352 353 </sect2> 354 355</sect1> 356 357<sect1> 358 <title>Dissection and Discussion</title> 359 360 <para> 361 <indexterm><primary>BDC</primary></indexterm> 362 <indexterm><primary>LDAP</primary></indexterm> 363 <indexterm><primary>OpenLDAP</primary></indexterm> 364 The implementation of Samba BDCs necessitates the installation and configuration of LDAP. 365 For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial 366 LDAP servers in current use with Samba-3 include: 367 </para> 368 369 <itemizedlist> 370 <listitem><para> 371 <indexterm><primary>eDirectory</primary></indexterm> 372 Novell <ulink url="http://www.novell.com/products/edirectory/">eDirectory</ulink> 373 is being successfully used by some sites. Information on how to use eDirectory can be 374 obtained from the Samba mailing lists or from Novell. 375 </para></listitem> 376 377 <listitem><para> 378 <indexterm><primary>Tivoli Directory Server</primary></indexterm> 379 IBM <ulink url="http://www-306.ibm.com/software/tivoli/products/directory-server/">Tivoli 380 Directory Server</ulink> can be used to provide the Samba LDAP backend. Example schema 381 files are provided in the Samba source code tarball under the directory 382 <filename>~samba/example/LDAP.</filename> 383 </para></listitem> 384 385 <listitem><para> 386 <indexterm><primary>Sun ONE Identity Server</primary></indexterm> 387 Sun <ulink url="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml">ONE Identity 388 Server product suite</ulink> provides an LDAP server that can be used for Samba. 389 Example schema files are provided in the Samba source code tarball under the directory 390 <filename>~samba/example/LDAP.</filename> 391 </para></listitem> 392 </itemizedlist> 393 394 <para> 395 A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial 396 offerings, it requires that you manually edit the server configuration files and manually 397 initialize the LDAP directory database. OpenLDAP itself has only command-line tools to 398 help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. 399 </para> 400 401 <para> 402 <indexterm><primary>Active Directory</primary></indexterm> 403 For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite 404 adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include 405 GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database 406 requires an understanding of what you are doing, why you are doing it, and the tools that you must use. 407 </para> 408 409 <para> 410 <indexterm><primary>Identity Management</primary></indexterm> 411 <indexterm><primary>high availability</primary></indexterm> 412 <indexterm><primary>directory</primary><secondary>replication</secondary></indexterm> 413 <indexterm><primary>directory</primary><secondary>synchronization</secondary></indexterm> 414 <indexterm><primary>performance</primary></indexterm> 415 <indexterm><primary>directory</primary><secondary>management</secondary></indexterm> 416 <indexterm><primary>directory</primary><secondary>schema</secondary></indexterm> 417 When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. 418 High availability operation may be obtained through directory replication/synchronization and 419 master/slave server configurations. OpenLDAP is a mature platform to host the organizational 420 directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. 421 The price paid through learning how to design an LDAP directory schema in implementation and configuration 422 of management tools is well rewarded by performance and flexibility and the freedom to manage directory 423 contents with greater ability to back up, restore, and modify the directory than is generally possible 424 with Microsoft Active Directory. 425 </para> 426 427 <para> 428 <indexterm><primary>comparison</primary><secondary>Active Directory & OpenLDAP</secondary></indexterm> 429 <indexterm><primary>ADAM</primary></indexterm> 430 <indexterm><primary>Active Directory</primary></indexterm> 431 <indexterm><primary>OpenLDAP</primary></indexterm> 432 A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory 433 tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured 434 for a specific task orientation. It comes with a set of administrative tools that is entirely customized 435 for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange 436 server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator 437 who wants to build a custom directory solution. Microsoft provides an application called 438 <ulink url="http://www.microsoft.com/windowsserver2003/adam/default.mspx"> 439 MS ADAM</ulink> that provides more generic LDAP services, yet it does not have the vanilla-like services 440 of OpenLDAP. 441 </para> 442 443 <para> 444 <indexterm><primary>directory</primary><secondary>schema</secondary></indexterm> 445 <indexterm><primary>passdb backend</primary></indexterm> 446 You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly 447 if you find the challenge of learning about LDAP directories, schemas, configuration, and management 448 tools and the creation of shell and Perl scripts a bit 449 challenging. OpenLDAP can be easily customized, though it includes 450 many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file 451 that is required for use as a passdb backend. 452 </para> 453 454 <para> 455 <indexterm><primary>interoperability</primary></indexterm> 456 For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, 457 there are a few nice Web-based tools that may help you to manage your users and groups more effectively. 458 The Web-based tools you might like to consider include the 459 <ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM) and the Webmin-based 460 <ulink url="http://www.webmin.com">Webmin</ulink> Idealx 461 <ulink url="http://webmin.idealx.org/index.en.html">CGI tools</ulink>. 462 </para> 463 464 <para> 465 Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of 466 these, so it may be useful to them: 467 <ulink url="http://biot.com/gq">GQ</ulink>, a GTK-based LDAP browser; 468 LDAP <ulink url="http://www.iit.edu/~gawojar/ldap/">Browser/Editor</ulink> 469 <ulink url="http://www.jxplorer.org/">; JXplorer</ulink> (by Computer Associates); 470 and <ulink url="http://phpldapadmin.sourceforge.net/">phpLDAPadmin</ulink>. 471 </para> 472 473 <note><para> 474 The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal 475 security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided 476 is considered to consist of the barest essentials only. You are strongly encouraged to learn more about 477 LDAP before attempting to deploy it in a business-critical environment. 478 </para></note> 479 480 <para> 481 Information to help you get started with OpenLDAP is available from the 482 <ulink url="http://www.openldap.org/pub/">OpenLDAP web site</ulink>. Many people have found the book 483 <ulink url="http://www.oreilly.com/catalog/ldapsa/index.html"><emphasis>LDAP System Administration</emphasis>,</ulink> 484 by Jerry Carter quite useful. 485 </para> 486 487 <para> 488 <indexterm><primary>BDC</primary></indexterm> 489 <indexterm><primary>network</primary><secondary>segment</secondary></indexterm> 490 <indexterm><primary>performance</primary></indexterm> 491 <indexterm><primary>network</primary><secondary>wide-area</secondary></indexterm> 492 Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the 493 main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must 494 be loaded over the WAN connection. The addition of BDCs on each network segment significantly 495 improves overall network performance for most users, but it is not enough. You must gain control over 496 user desktops, and this must be done in a way that wins their support and does not cause further loss of 497 staff morale. The following procedures solve this problem. 498 </para> 499 500 <para> 501 <indexterm><primary>smart printing</primary></indexterm> 502 There is also an opportunity to implement smart printing features. You add this to the Samba configuration 503 so that future printer changes can be managed without need to change desktop configurations. 504 </para> 505 506 <para> 507 You add the ability to automatically download new printer drivers, even if they are not installed 508 in the default desktop profile. Only one example of printing configuration is given. It is assumed that 509 you can extrapolate the principles and use them to install all printers that may be needed. 510 </para> 511 512 <sect2> 513 <title>Technical Issues</title> 514 515 <para> 516 <indexterm><primary>identity</primary><secondary>management</secondary></indexterm> 517 <indexterm><primary>directory</primary><secondary>server</secondary></indexterm> 518 <indexterm><primary>Posix</primary></indexterm> 519 The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory 520 server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system 521 accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account 522 attributes Samba needs. Samba-3 can use the LDAP backend to store: 523 </para> 524 525 <itemizedlist> 526 <listitem><para>Windows Networking User Accounts</para></listitem> 527 <listitem><para>Windows NT Group Accounts</para></listitem> 528 <listitem><para>Mapping Information between UNIX Groups and Windows NT Groups</para></listitem> 529 <listitem><para>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</para></listitem> 530 </itemizedlist> 531 532 <para> 533 <indexterm><primary>UNIX accounts</primary></indexterm> 534 <indexterm><primary>Windows accounts</primary></indexterm> 535 <indexterm><primary>PADL LDAP tools</primary></indexterm> 536 <indexterm><primary>/etc/group</primary></indexterm> 537 <indexterm><primary>LDAP</primary></indexterm> 538 <indexterm><primary>name service switch</primary><see>NSS</see></indexterm> 539 <indexterm><primary>NSS</primary></indexterm> 540 <indexterm><primary>UID</primary></indexterm> 541 <indexterm><primary>nss_ldap</primary></indexterm> 542 The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking 543 accounts in the LDAP backend. This implies the need to use the 544 <ulink url="http://www.padl.com/Contents/OpenSourceSoftware.html">PADL LDAP tools</ulink>. The resolution 545 of the UNIX group name to its GID must be enabled from either the <filename>/etc/group</filename> 546 or from the LDAP backend. This requires the use of the PADL <filename>nss_ldap</filename> tool-set 547 that integrates with the NSS. The same requirements exist for resolution 548 of the UNIX username to the UID. The relationships are demonstrated in <link linkend="sbehap-LDAPdiag"/>. 549 </para> 550 551 <figure id="sbehap-LDAPdiag"> 552 <title>The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</title> 553 <imagefile scale="50">UNIX-Samba-and-LDAP</imagefile> 554 </figure> 555 556 <para> 557 <indexterm><primary>security</primary></indexterm> 558 <indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm> 559 You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really 560 ought to learn how to configure secure communications over LDAP so that site security is not 561 at risk. This is not covered in the following guidance. 562 </para> 563 564 <para> 565 <indexterm><primary>PDC</primary></indexterm> 566 <indexterm><primary>LDAP Interchange Format</primary><see>LDIF</see></indexterm> 567 <indexterm><primary>LDIF</primary></indexterm> 568 <indexterm><primary>secrets.tdb</primary></indexterm> 569 When OpenLDAP has been made operative, you configure the PDC called <constant>MASSIVE</constant>. 570 You initialize the Samba <filename>secrets.tdb<subscript></subscript></filename> file. Then you 571 create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized. 572 You need to decide how best to create user and group accounts. A few hints are, of course, provided. 573 You can also find on the enclosed CD-ROM, in the <filename>Chap06</filename> directory, a few tools 574 that help to manage user and group configuration. 575 </para> 576 577 <para> 578 <indexterm><primary>folder redirection</primary></indexterm> 579 <indexterm><primary>default profile</primary></indexterm> 580 <indexterm><primary>roaming profile</primary></indexterm> 581 In order to effect folder redirection and to add robustness to the implementation, 582 create a network default profile. All network users workstations are configured to use 583 the new profile. Roaming profiles will automatically be deleted from the workstation 584 when the user logs off. 585 </para> 586 587 <para> 588 <indexterm><primary>mandatory profile</primary></indexterm> 589 The profile is configured so that users cannot change the appearance 590 of their desktop. This is known as a mandatory profile. You make certain that users 591 are able to use their computers efficiently. 592 </para> 593 594 <para> 595 <indexterm><primary>logon script</primary></indexterm> 596 A network logon script is used to deliver flexible but consistent network drive 597 connections. 598 </para> 599 600 <sect3 id="sbehap-ppc"> 601 <title>Addition of Machines to the Domain</title> 602 603 <para> 604 <indexterm><primary></primary></indexterm> 605 <indexterm><primary></primary></indexterm> 606 <indexterm><primary></primary></indexterm> 607 <indexterm><primary></primary></indexterm> 608 Samba versions prior to 3.0.11 necessitated the use of a domain administrator account 609 that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant> 610 user to add user and group accounts. Samba 3.0.11 introduced a new facility known as 611 <constant>Privileges</constant>, which provides five new privileges that 612 can be assigned to users and/or groups; see Table 5.1. 613 </para> 614 615 616 <table id="sbehap-privs"> 617 <title>Current Privilege Capabilities</title> 618 <tgroup cols="2"> 619 <colspec align="left"/> 620 <colspec align="left"/> 621 <thead> 622 <row> 623 <entry align="left">Privilege</entry> 624 <entry align="left">Description</entry> 625 </row> 626 </thead> 627 <tbody> 628 <row> 629 <entry><para>SeMachineAccountPrivilege</para></entry> 630 <entry><para>Add machines to domain</para></entry> 631 </row> 632 <row> 633 <entry><para>SePrintOperatorPrivilege</para></entry> 634 <entry><para>Manage printers</para></entry> 635 </row> 636 <row> 637 <entry><para>SeAddUsersPrivilege</para></entry> 638 <entry><para>Add users and groups to the domain</para></entry> 639 </row> 640 <row> 641 <entry><para>SeRemoteShutdownPrivilege</para></entry> 642 <entry><para>Force shutdown from a remote system</para></entry> 643 </row> 644 <row> 645 <entry><para>SeDiskOperatorPrivilege</para></entry> 646 <entry><para>Manage disk share</para></entry> 647 </row> 648 </tbody> 649 </tgroup> 650 </table> 651 652 <para> 653 In this network example use is made of one of the supported privileges purely to demonstrate 654 how any user can now be given the ability to add machines to the domain using a normal user account 655 that has been given the appropriate privileges. 656 </para> 657 658 </sect3> 659 660 <sect3> 661 <title>Roaming Profile Background</title> 662 663 <para> 664 As XP roaming profiles grow, so does the amount of time it takes to log in and out. 665 </para> 666 667 <para> 668 <indexterm><primary>roaming profile</primary></indexterm> 669 <indexterm><primary>HKEY_CURRENT_USER</primary></indexterm> 670 <indexterm><primary>NTUSER.DAT</primary></indexterm> 671 <indexterm><primary>%USERNAME%</primary></indexterm> 672 An XP roaming profile consists of the <constant>HKEY_CURRENT_USER</constant> hive file 673 <filename>NTUSER.DAT</filename> and a number of folders (My Documents, Application Data, 674 Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the 675 network with the default configuration of MS Windows NT/200x/XPP, all this data is 676 copied to the local machine under the <filename>C:\Documents and Settings\%USERNAME%</filename> 677 directory. While the user is logged in, any changes made to any of these folders or to the 678 <constant>HKEY_CURRENT_USER</constant> branch of the registry are made to the local copy 679 of the profile. At logout the profile data is copied back to the server. This behavior 680 can be changed through appropriate registry changes and/or through changes to the default 681 user profile. In the latter case, it updates the registry with the values that are set in the 682 profile <filename>NTUSER.DAT</filename> 683 file. 684 </para> 685 686 <para> 687 The first challenge is to reduce the amount of data that must be transferred to and 688 from the profile server as roaming profiles are processed. This includes removing 689 all the shortcuts in the Recent directory, making sure the cache used by the Web browser 690 is not being dumped into the <filename>Application Data</filename> folder, removing the 691 Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the 692 user to not place large files on the desktop and to use his or her mapped home directory 693 instead of the <filename>My Documents</filename> folder for saving documents. 694 </para> 695 696 <para> 697 <indexterm><primary>My Documents</primary></indexterm> 698 Using a folder other than <filename>My Documents</filename> is a nuisance for 699 some users, since many applications use it by default. 700 </para> 701 702 <para> 703 <indexterm><primary>roaming profiles</primary></indexterm> 704 <indexterm><primary>Local Group Policy</primary></indexterm> 705 <indexterm><primary>NTUSER.DAT</primary></indexterm> 706 The secret to rapid loading of roaming profiles is to prevent unnecessary data from 707 being copied back and forth, without losing any functionality. This is not difficult; 708 it can be done by making changes to the Local Group Policy on each client as well 709 as changing some paths in each user's <filename>NTUSER.DAT</filename> hive. 710 </para> 711 712 <para> 713 <indexterm><primary>Network Default Profile</primary></indexterm> 714 <indexterm><primary>redirected folders</primary></indexterm> 715 Every user profile has its own <filename>NTUSER.DAT</filename> file. This means 716 you need to edit every user's profile, unless a better method can be 717 followed. Fortunately, with the right preparations, this is not difficult. 718 It is possible to remove the <filename>NTUSER.DAT</filename> file from each 719 user's profile. Then just create a Network Default Profile. Of course, it is 720 necessary to copy all files from redirected folders to the network share to which 721 they are redirected. 722 </para> 723 724 </sect3> 725 726 <sect3 id="sbehap-locgrppol"> 727 <title>The Local Group Policy</title> 728 729 <para> 730 <indexterm><primary>Group Policy Objects</primary></indexterm> 731 <indexterm><primary>Active Directory</primary></indexterm> 732 <indexterm><primary>PDC</primary></indexterm> 733 <indexterm><primary>Group Policy editor</primary></indexterm> 734 Without an Active Directory PDC, you cannot take full advantage of Group Policy 735 Objects. However, you can still make changes to the Local Group Policy by using 736 the Group Policy editor (<command>gpedit.msc</command>). 737 </para> 738 739 <para> 740 The <emphasis>Exclude directories in roaming profile</emphasis> settings can 741 be found under 742 <menuchoice> 743 <guimenu>User Configuration</guimenu> 744 <guimenuitem>Administrative Templates</guimenuitem> 745 <guimenuitem>System</guimenuitem> 746 <guimenuitem>User Profiles</guimenuitem> 747 </menuchoice>. 748 By default this setting contains 749 <quote>Local Settings; Temporary Internet Files; History; Temp</quote>. 750 </para> 751 752 <para> 753 Simply add the folders you do not wish to be copied back and forth to this 754 semicolon-separated list. Note that this change must be made on all clients 755 that are using roaming profiles. 756 </para> 757 758 </sect3> 759 760 <sect3> 761 <title>Profile Changes</title> 762 763 <para> 764 <indexterm><primary>NTUSER.DAT</primary></indexterm> 765 <indexterm><primary>%USERNAME%</primary></indexterm> 766 There are two changes that should be done to each user's profile. Move each of 767 the directories that you have excluded from being copied back and forth out of 768 the usual profile path. Modify each user's <filename>NTUSER.DAT</filename> file 769 to point to the new paths that are shared over the network instead of to the default 770 path (<filename>C:\Documents and Settings\%USERNAME%</filename>). 771 </para> 772 773 <para> 774 <indexterm><primary>Default User</primary></indexterm> 775 <indexterm><primary>regedt32</primary></indexterm> 776 The above modifies existing user profiles. So that newly created profiles have 777 these settings, you need to modify the <filename>NTUSER.DAT</filename> in 778 the <filename>C:\Documents and Settings\Default User</filename> folder on each 779 client machine, changing the same registry keys. You could do this by copying 780 <filename>NTUSER.DAT</filename> to a Linux box and using <command>regedt32</command>. 781 The basic method is described under <link linkend="redirfold"/>. 782 </para> 783 784 </sect3> 785 786 <sect3> 787 <title>Using a Network Default User Profile</title> 788 789 <para> 790 <indexterm><primary>NETLOGON</primary></indexterm> 791 <indexterm><primary>NTUSER.DAT</primary></indexterm> 792 If you are using Samba as your PDC, you should create a file share called 793 <constant>NETLOGON</constant> and within that create a directory called 794 <filename>Default User</filename>, which is a copy of the desired default user 795 configuration (including a copy of <filename>NTUSER.DAT</filename>). 796 If this share exists and the <filename>Default User</filename> folder exists, 797 the first login from a new account pulls its configuration from it. 798 See also <ulink url="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html"> 799 the Real Men Don't Click</ulink> Web site. 800 </para> 801 802 </sect3> 803 804 <sect3> 805 <title>Installation of Printer Driver Auto-Download</title> 806 807 <para> 808 <indexterm><primary>printing</primary><secondary>dumb</secondary></indexterm> 809 <indexterm><primary>dumb printing</primary></indexterm> 810 <indexterm><primary>Raw Print Through</primary></indexterm> 811 The subject of printing is quite topical. Printing problems run second place to name 812 resolution issues today. So far in this book, you have experienced only what is generally 813 known as <quote>dumb</quote> printing. Dumb printing is the arrangement by which all drivers 814 are manually installed on each client and the printing subsystems perform no filtering 815 or intelligent processing. Dumb printing is easily understood. It usually works without 816 many problems, but it has its limitations also. Dumb printing is better known as 817 <command>Raw-Print-Through</command> printing. 818 </para> 819 820 <para> 821 <indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm> 822 <indexterm><primary>printing</primary><secondary>point-n-click</secondary></indexterm> 823 Samba permits the configuration of <command>smart</command> printing using the Microsoft 824 Windows point-and-click (also called drag-and-drop) printing. What this provides is 825 essentially the ability to print to any printer. If the local client does not yet have a 826 driver installed, the driver is automatically downloaded from the Samba server and 827 installed on the client. Drag-and-drop printing is neat; it means the user never needs 828 to fuss with driver installation, and that is a <trademark>Good Thing,</trademark> 829 isn't it? 830 </para> 831 832 <para> 833 There is a further layer of print job processing that is known as <command>intelligent</command> 834 printing that automatically senses the file format of data submitted for printing and 835 then invokes a suitable print filter to convert the incoming data stream into a format 836 suited to the printer to which the job is dispatched. 837 </para> 838 839 <para> 840 <indexterm><primary>CUPS</primary></indexterm> 841 <indexterm><primary>Easy Software Products</primary></indexterm> 842 <indexterm><primary>Postscript</primary></indexterm> 843 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to 844 detect the data format and apply a print filter. This means that it is feasible to install 845 on all Windows clients a single printer driver for use with all printers that are routed 846 through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately, 847 <ulink url="http://www.easysw.com">Easy Software Products</ulink>, the authors of CUPS, have 848 released a PostScript printing driver for Windows. It can be installed into the Samba 849 printing backend so that it automatically downloads to the client when needed. 850 </para> 851 852 <para> 853 This means that so long as there is a CUPS driver for the printer, all printing from Windows 854 software can use PostScript, no matter what the actual printer language for the physical 855 device is. It also means that the administrator can swap out a printer with a totally 856 different type of device without ever needing to change a client workstation driver. 857 </para> 858 859 <para> 860 This book is about Samba-3, so you can confine the printing style to just the smart 861 style of installation. Those interested in further information regarding intelligent 862 printing should review documentation on the Easy Software Products Web site. 863 </para> 864 865 </sect3> 866 867 <sect3 id="sbeavoid"> 868 <title>Avoiding Failures: Solving Problems Before They Happen</title> 869 870 <para> 871 It has often been said that there are three types of people in the world: those who 872 have sharp minds and those who forget things. Please do not ask what the third group 873 is like! Well, it seems that many of us have company in the second group. There must 874 be a good explanation why so many network administrators fail to solve apparently 875 simple problems efficiently and effectively. 876 </para> 877 878 <para> 879 Here are some diagnostic guidelines that can be referred to when things go wrong: 880 </para> 881 882 <sect4> 883 <title>Preliminary Advice: Dangers Can Be Avoided</title> 884 885 <para> 886 The best advice regarding how to mend a broken leg is <quote>Never break a leg!</quote> 887 </para> 888 889 <para> 890 <indexterm><primary>LDAP</primary></indexterm> 891 Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice 892 regarding the best way to remedy LDAP and Samba problems: <quote>Avoid them like the plague!</quote> 893 </para> 894 895 <para> 896 If you are now asking yourself how problems can be avoided, the best advice is to start 897 out your learning experience with a <emphasis>known-good configuration.</emphasis> After 898 you have seen a fully working solution, a good way to learn is to make slow and progressive 899 changes that cause things to break, then observe carefully how and why things ceased to work. 900 </para> 901 902 <para> 903 The examples in this chapter (also in the book as a whole) are known to work. That means 904 that they could serve as the kick-off point for your journey through fields of knowledge. 905 Use this resource carefully; we hope it serves you well. 906 </para> 907 908 <warning><para> 909 Do not be lulled into thinking that you can easily adopt the examples in this 910 book and adapt them without first working through the examples provided. A little 911 thing overlooked can cause untold pain and may permanently tarnish your experience. 912 </para></warning> 913 914 </sect4> 915 916 <sect4> 917 <title>The Name Service Caching Daemon</title> 918 919 <para> 920 The name service caching daemon (nscd) is a primary cause of difficulties with name 921 resolution, particularly where <command>winbind</command> is used. Winbind does its 922 own caching, thus nscd causes double caching which can lead to peculiar problems during 923 debugging. As a rule, it is a good idea to turn off the name service caching daemon. 924 </para> 925 926 <para> 927 Operation of the name service caching daemon is controlled by the 928 <filename>/etc/nscd.conf</filename> file. Typical contents of this file are as follows: 929<screen> 930# /etc/nscd.conf 931# An example Name Service Cache config file. This file is needed by nscd. 932# Legal entries are: 933# logfile <file> 934# debug-level <level> 935# threads <threads to use> 936# server-user <user to run server as instead of root> 937# server-user is ignored if nscd is started with -S parameters 938# stat-user <user who is allowed to request statistics> 939# reload-count unlimited|<number> 940# 941# enable-cache <service> <yes|no> 942# positive-time-to-live <service> <time in seconds> 943# negative-time-to-live <service> <time in seconds> 944# suggested-size <service> <prime number> 945# check-files <service> <yes|no> 946# persistent <service> <yes|no> 947# shared <service> <yes|no> 948# Currently supported cache names (services): passwd, group, hosts 949# logfile /var/log/nscd.log 950# threads 6 951# server-user nobody 952# stat-user somebody 953 debug-level 0 954# reload-count 5 955 enable-cache passwd yes 956 positive-time-to-live passwd 600 957 negative-time-to-live passwd 20 958 suggested-size passwd 211 959 check-files passwd yes 960 persistent passwd yes 961 shared passwd yes 962 enable-cache group yes 963 positive-time-to-live group 3600 964 negative-time-to-live group 60 965 suggested-size group 211 966 check-files group yes 967 persistent group yes 968 shared group yes 969# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to 970# cache hosts will cause your local system to not be able to trust 971# forward/reverse lookup checks. DO NOT USE THIS if your system relies on 972# this sort of security mechanism. Use a caching DNS server instead. 973 enable-cache hosts no 974 positive-time-to-live hosts 3600 975 negative-time-to-live hosts 20 976 suggested-size hosts 211 977 check-files hosts yes 978 persistent hosts yes 979 shared hosts yes 980</screen> 981 It is feasible to comment out the <constant>passwd</constant> and <constant>group</constant> 982 entries so they will not be cached. Alternatively, it is often simpler to just disable the 983 <command>nscd</command> service by executing (on Novell SUSE Linux): 984<screen> 985&rootprompt; chkconfig nscd off 986&rootprompt; rcnscd off 987</screen> 988 </para> 989 990 </sect4> 991 992 <sect4> 993 <title>Debugging LDAP</title> 994 995 <para> 996 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm> 997 <indexterm><primary>loglevel</primary></indexterm> 998 <indexterm><primary>slapd</primary></indexterm> 999 In the example <filename>/etc/openldap/slapd.conf</filename> control file 1000 (see <link linkend="sbehap-dbconf"/>) there is an entry for <constant>loglevel 256</constant>. 1001 To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter 1002 and restart <command>slapd</command>. 1003 </para> 1004 1005 <para> 1006 <indexterm><primary>/etc/syslog.conf</primary></indexterm> 1007 <indexterm><primary>/var/log/ldaplogs</primary></indexterm> 1008 LDAP log information can be directed into a file that is separate from the normal system 1009 log files by changing the <filename>/etc/syslog.conf</filename> file so it has the following 1010 contents: 1011<screen> 1012# Some foreign boot scripts require local7 1013# 1014local0,local1.* -/var/log/localmessages 1015local2,local3.* -/var/log/localmessages 1016local5.* -/var/log/localmessages 1017local6,local7.* -/var/log/localmessages 1018local4.* -/var/log/ldaplogs 1019</screen> 1020 In this case, all LDAP-related logs will be directed to the file 1021 <filename>/var/log/ldaplogs</filename>. This makes it easy to track LDAP errors. 1022 The snippet provides a simple example of usage that can be modified to suit 1023 local site needs. The configuration used later in this chapter reflects such 1024 customization with the intent that LDAP log files will be stored at a location 1025 that meets local site needs and wishes more fully. 1026 </para> 1027 1028 </sect4> 1029 1030 <sect4> 1031 <title>Debugging NSS_LDAP</title> 1032 1033 <para> 1034 The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the 1035 <filename>/etc/ldap.conf</filename> file the following parameters: 1036<screen> 1037debug 256 1038logdir /data/logs 1039</screen> 1040 Create the log directory as follows: 1041<screen> 1042&rootprompt; mkdir /data/logs 1043</screen> 1044 </para> 1045 1046<?latex \newpage ?> 1047 1048 <para> 1049 The diagnostic process should follow these steps: 1050 </para> 1051 1052 <procedure> 1053 <title>NSS_LDAP Diagnostic Steps</title> 1054 1055 <step><para> 1056 Verify the <constant>nss_base_passwd, nss_base_shadow, nss_base_group</constant> entries 1057 in the <filename>/etc/ldap.conf</filename> file and compare them closely with the directory 1058 tree location that was chosen when the directory was first created. 1059 </para> 1060 1061 <para> 1062 One way this can be done is by executing: 1063<screen> 1064&rootprompt; slapcat | grep Group | grep dn 1065dn: ou=Groups,dc=abmas,dc=biz 1066dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz 1067dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz 1068dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz 1069dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 1070dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz 1071dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz 1072dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz 1073dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz 1074</screen> 1075 The first line is the DIT entry point for the container for POSIX groups. The correct entry 1076 for the <filename>/etc/ldap.conf</filename> for the <constant>nss_base_group</constant> 1077 parameter therefore is the distinguished name (dn) as applied here: 1078<screen> 1079nss_base_group ou=Groups,dc=abmas,dc=biz?one 1080</screen> 1081 The same process may be followed to determine the appropriate dn for user accounts. 1082 If the container for computer accounts is not the same as that for users (see the &smb.conf; 1083 file entry for <constant>ldap machine suffix</constant>), it may be necessary to set the 1084 following DIT dn in the <filename>/etc/ldap.conf</filename> file: 1085<screen> 1086nss_base_passwd dc=abmas,dc=biz?sub 1087</screen> 1088 This instructs LDAP to search for machine as well as user entries from the top of the DIT 1089 down. This is inefficient, but at least should work. Note: It is possible to specify multiple 1090 <constant>nss_base_passwd</constant> entries in the <filename>/etc/ldap.conf</filename> file; they 1091 will be evaluated sequentially. Let us consider an example of use where the following DIT 1092 has been implemented: 1093 </para> 1094 1095 <para> 1096 <itemizedlist> 1097 <listitem><para>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</para></listitem> 1098 <listitem><para>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</para></listitem> 1099 <listitem><para>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</para></listitem> 1100 </itemizedlist> 1101 </para> 1102 1103 <para> 1104 The appropriate multiple entry for the <constant>nss_base_passwd</constant> directive 1105 in the <filename>/etc/ldap.conf</filename> file may be: 1106<screen> 1107nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one 1108nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one 1109</screen> 1110 </para></step> 1111 1112 <step><para> 1113 Perform lookups such as: 1114<screen> 1115&rootprompt; getent passwd 1116</screen> 1117 Each such lookup will create an entry in the <filename>/data/log</filename> directory 1118 for each such process executed. The contents of each file created in this directory 1119 may provide a hint as to the cause of the a problem that is under investigation. 1120 </para></step> 1121 1122 <step><para> 1123 For additional diagnostic information, check the contents of the <filename>/var/log/messages</filename> 1124 to see what error messages are being generated as a result of the LDAP lookups. Here is an example of 1125 a successful lookup: 1126<screen> 1127slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 1128(IP=0.0.0.0:389) 1129slapd[12164]: conn=0 op=0 BIND dn="" method=128 1130slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= 1131slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 1132filter="(objectClass=*)" 1133slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 1134nentries=1 text= 1135slapd[12164]: conn=0 op=2 UNBIND 1136slapd[12164]: conn=0 fd=10 closed 1137slapd[12164]: conn=1 fd=10 ACCEPT from 1138IP=127.0.0.1:33540 (IP=0.0.0.0:389) 1139slapd[12164]: conn=1 op=0 BIND 1140dn="cn=Manager,dc=abmas,dc=biz" method=128 1141slapd[12164]: conn=1 op=0 BIND 1142dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 1143slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= 1144slapd[12164]: conn=1 op=1 SRCH 1145base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 1146filter="(objectClass=posixAccount)" 1147slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword 1148uidNumber gidNumber cn 1149homeDirectory loginShell gecos description objectClass 1150slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 1151nentries=2 text= 1152slapd[12164]: conn=1 fd=10 closed 1153 1154</screen> 1155 </para></step> 1156 1157 <step><para> 1158 Check that the bindpw entry in the <filename>/etc/ldap.conf</filename> or in the 1159 <filename>/etc/ldap.secrets</filename> file is correct, as specified in the 1160 <filename>/etc/openldap/slapd.conf</filename> file. 1161 </para></step> 1162 1163 </procedure> 1164 1165 </sect4> 1166 1167 <sect4> 1168 <title>Debugging Samba</title> 1169 1170 <para> 1171 The following parameters in the &smb.conf; file can be useful in tracking down Samba-related problems: 1172<screen> 1173[global] 1174 ... 1175 log level = 5 1176 log file = /var/log/samba/%m.log 1177 max log size = 0 1178 ... 1179</screen> 1180 This will result in the creation of a separate log file for every client from which connections 1181 are made. The log file will be quite verbose and will grow continually. Do not forget to 1182 change these lines to the following when debugging has been completed: 1183<screen> 1184[global] 1185 ... 1186 log level = 1 1187 log file = /var/log/samba/%m.log 1188 max log size = 50 1189 ... 1190</screen> 1191 </para> 1192 1193 <para> 1194 The log file can be analyzed by executing: 1195<screen> 1196&rootprompt; cd /var/log/samba 1197&rootprompt; grep -v "^\[200" machine_name.log 1198</screen> 1199 </para> 1200 1201 <para> 1202 Search for hints of what may have failed by looking for the words <emphasis>fail</emphasis> 1203 and <emphasis>error</emphasis>. 1204 </para> 1205 1206 </sect4> 1207 1208 <sect4> 1209 <title>Debugging on the Windows Client</title> 1210 1211 <para> 1212 MS Windows 2000 Professional and Windows XP Professional clients can be configured 1213 to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search 1214 the Microsoft knowledge base for detailed instructions. The techniques vary a little with each 1215 version of MS Windows. 1216 </para> 1217 1218 </sect4> 1219 1220 </sect3> 1221 1222 </sect2> 1223 1224 1225 <sect2> 1226 <title>Political Issues</title> 1227 1228 <para> 1229 MS Windows network users are generally very sensitive to limits that may be imposed when 1230 confronted with locked-down workstation configurations. The challenge you face must 1231 be promoted as a choice between reliable, fast network operation and a constant flux 1232 of problems that result in user irritation. 1233 </para> 1234 1235 </sect2> 1236 1237 <sect2> 1238 <title>Installation Checklist</title> 1239 1240 <para> 1241 You are starting a complex project. Even though you went through the installation of a complex 1242 network in <link linkend="Big500users"/>, this network is a bigger challenge because of the 1243 large number of complex applications that must be configured before the first few steps 1244 can be validated. Take stock of what you are about to undertake, prepare yourself, and 1245 frequently review the steps ahead while making at least a mental note of what has already 1246 been completed. The following task list may help you to keep track of the task items 1247 that are covered: 1248 </para> 1249 1250 1251 <itemizedlist> 1252 <listitem><para>Samba-3 PDC Server Configuration</para> 1253 <orderedlist> 1254 <listitem><para>DHCP and DNS servers</para></listitem> 1255 <listitem><para>OpenLDAP server</para></listitem> 1256 <listitem><para>PAM and NSS client tools</para></listitem> 1257 <listitem><para>Samba-3 PDC</para></listitem> 1258 <listitem><para>Idealx smbldap scripts</para></listitem> 1259 <listitem><para>LDAP initialization</para></listitem> 1260 <listitem><para>Create user and group accounts</para></listitem> 1261 <listitem><para>Printers</para></listitem> 1262 <listitem><para>Share point directory roots</para></listitem> 1263 <listitem><para>Profile directories</para></listitem> 1264 <listitem><para>Logon scripts</para></listitem> 1265 <listitem><para>Configuration of user rights and privileges</para></listitem> 1266 </orderedlist> 1267 </listitem> 1268 <listitem><para>Samba-3 BDC Server Configuration</para> 1269 <orderedlist> 1270 <listitem><para>DHCP and DNS servers</para></listitem> 1271 <listitem><para>PAM and NSS client tools</para></listitem> 1272 <listitem><para>Printers</para></listitem> 1273 <listitem><para>Share point directory roots</para></listitem> 1274 <listitem><para>Profiles directories</para></listitem> 1275 </orderedlist> 1276 </listitem> 1277 <listitem><para>Windows XP Client Configuration</para> 1278 <orderedlist> 1279 <listitem><para>Default profile folder redirection</para></listitem> 1280 <listitem><para>MS Outlook PST file relocation</para></listitem> 1281 <listitem><para>Delete roaming profile on logout</para></listitem> 1282 <listitem><para>Upload printer drivers to Samba servers</para></listitem> 1283 <listitem><para>Install software</para></listitem> 1284 <listitem><para>Creation of roll-out images</para></listitem> 1285 </orderedlist> 1286 </listitem> 1287 </itemizedlist> 1288 1289 1290 </sect2> 1291 1292</sect1> 1293 1294<sect1> 1295 <title>Samba Server Implementation</title> 1296 1297 <para> 1298 <indexterm><primary>file servers</primary></indexterm> 1299 <indexterm><primary>BDC</primary></indexterm> 1300 The network design shown in <link linkend="chap6net"/> is not comprehensive. It is assumed 1301 that you will install additional file servers and possibly additional BDCs. 1302 </para> 1303 1304 <figure id="chap6net"> 1305 <title>Network Topology &smbmdash; 500 User Network Using ldapsam passdb backend</title> 1306 <imagefile scale="50">chap6-net</imagefile> 1307 </figure> 1308 1309 <para> 1310 <indexterm><primary>SUSE Linux</primary></indexterm> 1311 <indexterm><primary>Red Hat Linux</primary></indexterm> 1312 All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE 1313 Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to 1314 adjust the locations for your particular Linux system distribution/implementation. 1315 </para> 1316 1317<note><para> 1318The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools 1319scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball, 1320please verify that the versions you are about to use are matching. The smbldap-tools package 1321uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are 1322issued for POSIX accounts. The LDAP rdn under which this information is stored are called 1323<constant>uidNumber</constant> and <constant>gidNumber</constant> respectively. These may be 1324located in any convenient part of the directory information tree (DIT). In the examples that 1325follow they have been located under <constant>dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</constant>. 1326They could just as well be located under the rdn <constant>cn=NextFreeUnixId</constant>. 1327</para></note> 1328 1329 <para> 1330 The steps in the process involve changes from the network configuration shown in 1331 <link linkend="Big500users"/>. Before implementing the following steps, you must 1332 have completed the network implementation shown in that chapter. If you are starting 1333 with newly installed Linux servers, you must complete the steps shown in 1334 <link linkend="ch5-dnshcp-setup"/> before commencing at <link linkend="ldapsetup"/>. 1335 </para> 1336 1337 <sect2 id="ldapsetup"> 1338 <title>OpenLDAP Server Configuration</title> 1339 1340 <para> 1341 <indexterm><primary>nss_ldap</primary></indexterm> 1342 <indexterm><primary>pam_ldap</primary></indexterm> 1343 <indexterm><primary>openldap</primary></indexterm> 1344 Confirm that the packages shown in <link linkend="oldapreq"/> are installed on your system. 1345 </para> 1346 1347 <table id="oldapreq"> 1348 <title>Required OpenLDAP Linux Packages</title> 1349 <tgroup cols="3"> 1350 <colspec align="left"/> 1351 <colspec align="left"/> 1352 <colspec align="left"/> 1353 <thead> 1354 <row> 1355 <entry align="center">SUSE Linux 8.x</entry> 1356 <entry align="center">SUSE Linux 9.x</entry> 1357 <entry align="center">Red Hat Linux</entry> 1358 </row> 1359 </thead> 1360 <tbody> 1361 <row> 1362 <entry>nss_ldap</entry> 1363 <entry>nss_ldap</entry> 1364 <entry>nss_ldap</entry> 1365 </row> 1366 <row> 1367 <entry>pam_ldap</entry> 1368 <entry>pam_ldap</entry> 1369 <entry>pam_ldap</entry> 1370 </row> 1371 <row> 1372 <entry>openldap2</entry> 1373 <entry>openldap2</entry> 1374 <entry>openldap</entry> 1375 </row> 1376 <row> 1377 <entry>openldap2-client</entry> 1378 <entry>openldap2-client</entry> 1379 <entry></entry> 1380 </row> 1381 </tbody> 1382 </tgroup> 1383 </table> 1384 1385 <para> 1386 Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method 1387 for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you 1388 follow these guidelines, the resulting system should work fine. 1389 </para> 1390 1391 <procedure> 1392 <title>OpenLDAP Server Configuration Steps</title> 1393 1394 <step><para> 1395 <indexterm><primary>/etc/openldap/slapd.conf</primary></indexterm> 1396 Install the file shown in <link linkend="sbehap-slapdconf"/> in the directory 1397 <filename>/etc/openldap</filename>. 1398 </para></step> 1399 1400 <step><para> 1401 <indexterm><primary>/data/ldap</primary></indexterm> 1402 <indexterm><primary>group account</primary></indexterm> 1403 <indexterm><primary>user account</primary></indexterm> 1404 Remove all files from the directory <filename>/data/ldap</filename>, making certain that 1405 the directory exists with permissions: 1406<screen> 1407&rootprompt; ls -al /data | grep ldap 1408drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap 1409</screen> 1410 This may require you to add a user and a group account for LDAP if they do not exist. 1411 </para></step> 1412 1413 <step><para> 1414 <indexterm><primary>DB_CONFIG</primary></indexterm> 1415 Install the file shown in <link linkend="sbehap-dbconf"/> in the directory 1416 <filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant> 1417 has been started, it is possible to cause the new settings to take effect by shutting down 1418 the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the 1419 <filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server. 1420 </para></step> 1421 1422 <step><para> 1423 <indexterm><primary>syslog</primary></indexterm> 1424 Performance logging can be enabled and should preferably be sent to a file on 1425 a file system that is large enough to handle significantly sized logs. To enable 1426 the logging at a verbose level to permit detailed analysis, uncomment the entry in 1427 the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>. 1428 </para> 1429 1430 <para> 1431 Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end 1432 of the file: 1433<screen> 1434local4.* -/data/ldap/log/openldap.log 1435</screen> 1436 Note: The path <filename>/data/ldap/log</filename> should be set at a location 1437 that is convenient and that can store a large volume of data. 1438 </para></step> 1439 1440 </procedure> 1441 1442<example id="sbehap-dbconf"> 1443<title>LDAP DB_CONFIG File</title> 1444<screen> 1445set_cachesize 0 150000000 1 1446set_lg_regionmax 262144 1447set_lg_bsize 2097152 1448#set_lg_dir /var/log/bdb 1449set_flags DB_LOG_AUTOREMOVE 1450</screen> 1451</example> 1452 1453<example id="sbehap-slapdconf"> 1454<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A</title> 1455<screen> 1456include /etc/openldap/schema/core.schema 1457include /etc/openldap/schema/cosine.schema 1458include /etc/openldap/schema/inetorgperson.schema 1459include /etc/openldap/schema/nis.schema 1460include /etc/openldap/schema/samba3.schema 1461 1462pidfile /var/run/slapd/slapd.pid 1463argsfile /var/run/slapd/slapd.args 1464 1465access to dn.base="" 1466 by self write 1467 by * auth 1468 1469access to attr=userPassword 1470 by self write 1471 by * auth 1472 1473access to attr=shadowLastChange 1474 by self write 1475 by * read 1476 1477access to * 1478 by * read 1479 by anonymous auth 1480 1481#loglevel 256 1482 1483schemacheck on 1484idletimeout 30 1485backend bdb 1486database bdb 1487checkpoint 1024 5 1488cachesize 10000 1489 1490suffix "dc=abmas,dc=biz" 1491rootdn "cn=Manager,dc=abmas,dc=biz" 1492 1493# rootpw = not24get 1494rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV 1495 1496directory /data/ldap 1497</screen> 1498</example> 1499 1500<example id="sbehap-slapdconf2"> 1501<title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B</title> 1502<screen> 1503# Indices to maintain 1504index objectClass eq 1505index cn pres,sub,eq 1506index sn pres,sub,eq 1507index uid pres,sub,eq 1508index displayName pres,sub,eq 1509index uidNumber eq 1510index gidNumber eq 1511index memberUID eq 1512index sambaSID eq 1513index sambaPrimaryGroupSID eq 1514index sambaDomainName eq 1515index default sub 1516</screen> 1517</example> 1518 1519 </sect2> 1520 1521 <sect2 id="sbehap-PAM-NSS"> 1522 <title>PAM and NSS Client Configuration</title> 1523 1524 <para> 1525 <indexterm><primary>LDAP</primary></indexterm> 1526 <indexterm><primary>NSS</primary></indexterm> 1527 <indexterm><primary>PAM</primary></indexterm> 1528 The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and 1529 groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure 1530 the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. 1531 </para> 1532 1533 <para> 1534 <indexterm><primary>Pluggable Authentication Modules</primary><see>PAM</see></indexterm> 1535 <indexterm><primary>pam_unix2.so</primary></indexterm> 1536 Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely 1537 that you may want to use them for UNIX system (Linux) local machine logons. This necessitates 1538 correct configuration of PAM. The <command>pam_ldap</command> open source package provides the 1539 PAM modules that most people would use. On SUSE Linux systems, the <command>pam_unix2.so</command> 1540 module also has the ability to redirect authentication requests through LDAP. 1541 </para> 1542 1543 <para> 1544 <indexterm><primary>YaST</primary></indexterm> 1545 <indexterm><primary>SUSE Linux</primary></indexterm> 1546 <indexterm><primary>Red Hat Linux</primary></indexterm> 1547 <indexterm><primary>authconfig</primary></indexterm> 1548 You have chosen to configure these services by directly editing the system files, but of course, you 1549 know that this configuration can be done using system tools provided by the Linux system vendor. 1550 SUSE Linux has a facility in YaST (the system admin tool) through <menuchoice><guimenu>yast</guimenu> 1551 <guimenuitem>system</guimenuitem><guimenuitem>ldap-client</guimenuitem></menuchoice> that permits 1552 configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <command>authconfig</command> 1553 tool for this. 1554 </para> 1555 1556 <procedure> 1557 <title>PAM and NSS Client Configuration Steps</title> 1558 1559 <step><para> 1560 <indexterm><primary>/lib/libnss_ldap.so.2</primary></indexterm> 1561 <indexterm><primary>/etc/ldap.conf</primary></indexterm> 1562 <indexterm><primary>nss_ldap</primary></indexterm> 1563 Execute the following command to find where the <filename>nss_ldap</filename> module 1564 expects to find its control file: 1565<screen> 1566&rootprompt; strings /lib/libnss_ldap.so.2 | grep conf 1567</screen> 1568 The preferred and usual location is <filename>/etc/ldap.conf</filename>. 1569 </para></step> 1570 1571 <step><para> 1572 On the server <constant>MASSIVE</constant>, install the file shown in 1573 <link linkend="sbehap-nss01"/> into the path that was obtained from the step above. 1574 On the servers called <constant>BLDG1</constant> and <constant>BLDG2</constant>, install the file shown in 1575 <link linkend="sbehap-nss02"/> into the path that was obtained from the step above. 1576 </para></step> 1577 1578<example id="sbehap-nss01"> 1579<title>Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename></title> 1580<screen> 1581host 127.0.0.1 1582 1583base dc=abmas,dc=biz 1584 1585binddn cn=Manager,dc=abmas,dc=biz 1586bindpw not24get 1587 1588timelimit 50 1589bind_timelimit 50 1590bind_policy hard 1591 1592idle_timelimit 3600 1593 1594pam_password exop 1595 1596nss_base_passwd ou=People,dc=abmas,dc=biz?one 1597nss_base_shadow ou=People,dc=abmas,dc=biz?one 1598nss_base_group ou=Groups,dc=abmas,dc=biz?one 1599 1600ssl off 1601</screen> 1602</example> 1603 1604<example id="sbehap-nss02"> 1605<title>Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename></title> 1606<screen> 1607host 172.16.0.1 1608 1609base dc=abmas,dc=biz 1610 1611binddn cn=Manager,dc=abmas,dc=biz 1612bindpw not24get 1613 1614timelimit 50 1615bind_timelimit 50 1616bind_policy hard 1617 1618idle_timelimit 3600 1619 1620pam_password exop 1621 1622nss_base_passwd ou=People,dc=abmas,dc=biz?one 1623nss_base_shadow ou=People,dc=abmas,dc=biz?one 1624nss_base_group ou=Groups,dc=abmas,dc=biz?one 1625 1626ssl off 1627</screen> 1628</example> 1629 1630 <step><para> 1631 <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> 1632 Edit the NSS control file (<filename>/etc/nsswitch.conf</filename>) so that the lines that 1633 control user and group resolution will obtain information from the normal system files as 1634 well as from <command>ldap</command>: 1635<screen> 1636passwd: files ldap 1637shadow: files ldap 1638group: files ldap 1639hosts: files dns wins 1640</screen> 1641 Later, when the LDAP database has been initialized and user and group accounts have been 1642 added, you can validate resolution of the LDAP resolver process. The inclusion of 1643 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be 1644 resolved to their IP addresses, whether or not they are DHCP clients. 1645 </para> 1646 1647 <note><para> 1648 Some Linux systems (Novell SUSE Linux in particular) add entries to the <filename>nsswitch.conf</filename> 1649 file that may cause operational problems with the configuration methods adopted in this book. It is 1650 advisable to comment out the entries <constant>passwd_compat</constant> and <constant>group_compat</constant> 1651 where they are found in this file. 1652 </para></note> 1653 1654 <para> 1655 Even at the risk of overstating the issue, incorrect and inappropriate configuration of the 1656 <filename>nsswitch.conf</filename> file is a significant cause of operational problems with LDAP. 1657 </para></step> 1658 1659 <step><para> 1660 <indexterm><primary>pam_unix2.so</primary><secondary>use_ldap</secondary></indexterm> 1661 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following 1662 files in the <filename>/etc/pam.d</filename> directory: <command>login</command>, <command>password</command>, 1663 <command>samba</command>, <command>sshd</command>. In each file, locate every entry that has the 1664 <command>pam_unix2.so</command> entry and add to the line the entry <command>use_ldap</command> as shown 1665 for the <command>login</command> module in this example: 1666<screen> 1667#%PAM-1.0 1668auth requisite pam_unix2.so nullok use_ldap #set_secrpc 1669auth required pam_securetty.so 1670auth required pam_nologin.so 1671#auth required pam_homecheck.so 1672auth required pam_env.so 1673auth required pam_mail.so 1674account required pam_unix2.so use_ldap 1675password required pam_pwcheck.s nullok 1676password required pam_unix2.so nullok use_first_pass \ 1677 use_authtok use_ldap 1678session required pam_unix2.so none use_ldap # debug or trace 1679session required pam_limits.so 1680</screen> 1681 </para> 1682 1683 <para> 1684 <indexterm><primary>pam_ldap.so</primary></indexterm> 1685 On other Linux systems that do not have an LDAP-enabled <command>pam_unix2.so</command> module, 1686 you must edit these files by adding the <command>pam_ldap.so</command> modules as shown here: 1687<screen> 1688#%PAM-1.0 1689auth required pam_securetty.so 1690auth required pam_nologin.so 1691auth sufficient pam_ldap.so 1692auth required pam_unix2.so nullok try_first_pass #set_secrpc 1693account sufficient pam_ldap.so 1694account required pam_unix2.so 1695password required pam_pwcheck.so nullok 1696password required pam_ldap.so use_first_pass use_authtok 1697password required pam_unix2.so nullok use_first_pass use_authtok 1698session required pam_unix2.so none # debug or trace 1699session required pam_limits.so 1700session required pam_env.so 1701session optional pam_mail.so 1702</screen> 1703 This example does have the LDAP-enabled <command>pam_unix2.so</command>, but simply 1704 demonstrates the use of the <command>pam_ldap.so</command> module. You can use either 1705 implementation, but if the <command>pam_unix2.so</command> on your system supports 1706 LDAP, you probably want to use it rather than add an additional module. 1707 </para></step> 1708 1709 </procedure> 1710 1711 </sect2> 1712 1713 <sect2 id="sbehap-massive"> 1714 <title>Samba-3 PDC Configuration</title> 1715 1716 <para> 1717 <indexterm><primary>Samba RPM Packages</primary></indexterm> 1718 Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server 1719 before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the 1720 choice to either build your own or obtain the packages from a dependable source. 1721 Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for 1722 Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that 1723 is included with this book. 1724 </para> 1725 1726 <procedure> 1727 <title>Configuration of PDC Called <constant>MASSIVE</constant></title> 1728 1729 <step><para> 1730 Install the files in <link linkend="sbehap-massive-smbconfa"/>, 1731 <link linkend="sbehap-massive-smbconfb"/>, <link linkend="sbehap-shareconfa"/>, 1732 and <link linkend="sbehap-shareconfb"/> into the <filename>/etc/samba/</filename> 1733 directory. The three files should be added together to form the &smb.conf; 1734 master file. It is a good practice to call this file something like 1735 <filename>smb.conf.master</filename> and then to perform all file edits 1736 on the master file. The operational &smb.conf; is then generated as shown in 1737 the next step. 1738 </para></step> 1739 1740 <step><para> 1741 <indexterm><primary>testparm</primary></indexterm> 1742 Create and verify the contents of the &smb.conf; file that is generated by: 1743<screen> 1744&rootprompt; testparm -s smb.conf.master > smb.conf 1745</screen> 1746 Immediately follow this with the following: 1747<screen> 1748&rootprompt; testparm 1749</screen> 1750 The output that is created should be free from errors, as shown here: 1751 1752<screen> 1753Load smb config files from /etc/samba/smb.conf 1754Processing section "[accounts]" 1755Processing section "[service]" 1756Processing section "[pidata]" 1757Processing section "[homes]" 1758Processing section "[printers]" 1759Processing section "[apps]" 1760Processing section "[netlogon]" 1761Processing section "[profiles]" 1762Processing section "[profdata]" 1763Processing section "[print$]" 1764Loaded services file OK. 1765Server role: ROLE_DOMAIN_PDC 1766Press enter to see a dump of your service definitions 1767</screen> 1768 </para></step> 1769 1770 <step><para> 1771 Delete all runtime files from prior Samba operation by executing (for SUSE 1772 Linux): 1773<screen> 1774&rootprompt; rm /etc/samba/*tdb 1775&rootprompt; rm /var/lib/samba/*tdb 1776&rootprompt; rm /var/lib/samba/*dat 1777&rootprompt; rm /var/log/samba/* 1778</screen> 1779 </para></step> 1780 1781 <step><para> 1782 <indexterm><primary>secrets.tdb</primary></indexterm> 1783 <indexterm><primary>smbpasswd</primary></indexterm> 1784 Samba-3 communicates with the LDAP server. The password that it uses to 1785 authenticate to the LDAP server must be stored in the <filename>secrets.tdb</filename> 1786 file. Execute the following to create the new <filename>secrets.tdb</filename> files 1787 and store the password for the LDAP Manager: 1788<screen> 1789&rootprompt; smbpasswd -w not24get 1790</screen> 1791 The expected output from this command is: 1792<screen> 1793Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb 1794</screen> 1795 </para></step> 1796 1797 <step><para> 1798 <indexterm><primary>smbd</primary></indexterm> 1799 <indexterm><primary>net</primary><secondary>getlocalsid</secondary></indexterm> 1800 Samba-3 generates a Windows Security Identifier (SID) only when <command>smbd</command> 1801 has been started. For this reason, you start Samba. After a few seconds delay, 1802 execute: 1803<screen> 1804&rootprompt; smbclient -L localhost -U% 1805&rootprompt; net getlocalsid 1806</screen> 1807 A report such as the following means that the domain SID has not yet 1808 been written to the <filename>secrets.tdb</filename> or to the LDAP backend: 1809<screen> 1810[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) 1811 failed to bind to server ldap://massive.abmas.biz 1812with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server 1813 (unknown) 1814[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) 1815 smbldap_search_suffix: Problem during the LDAP search: 1816 (unknown) (Timed out) 1817</screen> 1818 The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server 1819 is not running, this operation will fail by way of a timeout, as shown previously. This is 1820 normal output; do not worry about this error message. When the domain has been created and 1821 written to the <filename>secrets.tdb</filename> file, the output should look like this: 1822<screen> 1823SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 1824</screen> 1825 If, after a short delay (a few seconds), the domain SID has still not been written to 1826 the <filename>secrets.tdb</filename> file, it is necessary to investigate what 1827 may be misconfigured. In this case, carefully check the &smb.conf; file for typographical 1828 errors (the most common problem). The use of the <command>testparm</command> is highly 1829 recommended to validate the contents of this file. 1830 </para></step> 1831 1832 <step><para> 1833 When a positive domain SID has been reported, stop Samba. 1834 </para></step> 1835 1836 <step><para> 1837 <indexterm><primary>NFS server</primary></indexterm> 1838 <indexterm><primary>/etc/exports</primary></indexterm> 1839 <indexterm><primary>BDC</primary></indexterm> 1840 <indexterm><primary>rsync</primary></indexterm> 1841 Configure the NFS server for your Linux system. So you can complete the steps that 1842 follow, enter into the <filename>/etc/exports</filename> the following entry: 1843<screen> 1844/home *(rw,root_squash,sync) 1845</screen> 1846 This permits the user home directories to be used on the BDC servers for testing 1847 purposes. You, of course, decide what is the best way for your site to distribute 1848 data drives, and you create suitable backup and restore procedures for Abmas 1849 I'd strongly recommend that for normal operation the BDC is completely independent 1850 of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite 1851 closely. If you do use NFS, do not forget to start the NFS server as follows: 1852<screen> 1853&rootprompt; rcnfsserver start 1854</screen> 1855 </para></step> 1856 </procedure> 1857 1858 <para> 1859 Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with 1860 configuration of the LDAP server. 1861 </para> 1862 1863<example id="sbehap-massive-smbconfa"> 1864<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A</title> 1865<smbconfblock> 1866<smbconfcomment>Global parameters</smbconfcomment> 1867<smbconfsection name="[global]"/> 1868 <smbconfoption name="unix charset">LOCALE</smbconfoption> 1869 <smbconfoption name="workgroup">MEGANET2</smbconfoption> 1870 <smbconfoption name="netbios name">MASSIVE</smbconfoption> 1871 <smbconfoption name="interfaces">eth1, lo</smbconfoption> 1872 <smbconfoption name="bind interfaces only">Yes</smbconfoption> 1873 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption> 1874 <smbconfoption name="enable privileges">Yes</smbconfoption> 1875 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> 1876 <smbconfoption name="log level">1</smbconfoption> 1877 <smbconfoption name="syslog">0</smbconfoption> 1878 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption> 1879 <smbconfoption name="max log size">50</smbconfoption> 1880 <smbconfoption name="smb ports">139</smbconfoption> 1881 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> 1882 <smbconfoption name="time server">Yes</smbconfoption> 1883 <smbconfoption name="printcap name">CUPS</smbconfoption> 1884 <smbconfoption name="show add printer wizard">No</smbconfoption> 1885 <smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption> 1886 <smbconfoption name="delete user script">/opt/IDEALX/sbin/smbldap-userdel "%u"</smbconfoption> 1887 <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> 1888 <smbconfoption name="delete group script">/opt/IDEALX/sbin/smbldap-groupdel "%g"</smbconfoption> 1889 <smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption> 1890 <smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption> 1891 <smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption> 1892 <smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w "%u"</smbconfoption> 1893</smbconfblock> 1894</example> 1895 1896<example id="sbehap-massive-smbconfb"> 1897<title>LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B</title> 1898<smbconfblock> 1899 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption> 1900 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> 1901 <smbconfoption name="logon drive">X:</smbconfoption> 1902 <smbconfoption name="domain logons">Yes</smbconfoption> 1903 <smbconfoption name="preferred master">Yes</smbconfoption> 1904 <smbconfoption name="wins support">Yes</smbconfoption> 1905 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption> 1906 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption> 1907 <smbconfoption name="ldap user suffix">ou=People</smbconfoption> 1908 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> 1909 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption> 1910 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> 1911 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption> 1912 <smbconfoption name="idmap uid">10000-20000</smbconfoption> 1913 <smbconfoption name="idmap gid">10000-20000</smbconfoption> 1914 <smbconfoption name="map acl inherit">Yes</smbconfoption> 1915 <smbconfoption name="printing">cups</smbconfoption> 1916 <smbconfoption name="printer admin">root, chrisr</smbconfoption> 1917</smbconfblock> 1918</example> 1919 1920 </sect2> 1921 1922 1923 <sect2 id="sbeidealx"> 1924 <title>Install and Configure Idealx smbldap-tools Scripts</title> 1925 1926 <para> 1927 <indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm> 1928 The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts 1929 on the LDAP server. You have chosen the Idealx scripts because they are the best-known 1930 LDAP configuration scripts. The use of these scripts will help avoid the necessity 1931 to create custom scripts. It is easy to download them from the Idealx 1932 <ulink url="http://samba.idealx.org/index.en.html">Web site</ulink>. The tarball may 1933 be directly <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz">downloaded</ulink> 1934 from this site also. Alternatively, you may obtain the 1935 <ulink url="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm">smbldap-tools-0.9.1-1.src.rpm</ulink> 1936 file that may be used to build an installable RPM package for your Linux system. 1937 </para> 1938 1939<note><para> 1940The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must 1941change the path to them in your &smb.conf; file on the PDC (<constant>MASSIVE</constant>). 1942</para></note> 1943 1944 <para> 1945 The smbldap-tools are located in <filename>/opt/IDEALX/sbin</filename>. 1946 The scripts are not needed on BDC machines because all LDAP updates are handled by 1947 the PDC alone. 1948 </para> 1949 1950 <sect3> 1951 <title>Installation of smbldap-tools from the Tarball</title> 1952 1953 <para> 1954 To perform a manual installation of the smbldap-tools scripts, the following procedure may be used: 1955 </para> 1956 1957 <procedure id="idealxscript"> 1958 <title>Unpacking and Installation Steps for the <constant>smbldap-tools</constant> Tarball</title> 1959 1960 <step><para> 1961 Create the <filename>/opt/IDEALX/sbin</filename> directory, and set its permissions 1962 and ownership as shown here: 1963<screen> 1964&rootprompt; mkdir -p /opt/IDEALX/sbin 1965&rootprompt; chown root:root /opt/IDEALX/sbin 1966&rootprompt; chmod 755 /opt/IDEALX/sbin 1967&rootprompt; mkdir -p /etc/smbldap-tools 1968&rootprompt; chown root:root /etc/smbldap-tools 1969&rootprompt; chmod 755 /etc/smbldap-tools 1970</screen> 1971 </para></step> 1972 1973 <step><para> 1974 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. 1975 Change into either the directory extracted from the tarball or the smbldap-tools 1976 directory in your <filename>/usr/share/doc/packages</filename> directory tree. 1977 </para></step> 1978 1979 <step><para> 1980 Copy all the <filename>smbldap-*</filename> and the <filename>configure.pl</filename> files into the 1981 <filename>/opt/IDEALX/sbin</filename> directory, as shown here: 1982<screen> 1983&rootprompt; cd smbldap-tools-0.9.1/ 1984&rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ 1985&rootprompt; cp smbldap*conf /etc/smbldap-tools/ 1986&rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-* 1987&rootprompt; chmod 750 /opt/IDEALX/sbin/configure.pl 1988&rootprompt; chmod 640 /etc/smbldap-tools/smbldap.conf 1989&rootprompt; chmod 600 /etc/smbldap-tools/smbldap_bind.conf 1990</screen> 1991 </para></step> 1992 1993 <step><para> 1994 The smbldap-tools scripts master control file must now be configured. 1995 Change to the <filename>/opt/IDEALX/sbin</filename> directory, then edit the 1996 <filename>smbldap_tools.pm</filename> to affect the changes 1997 shown here: 1998<screen> 1999... 2000# ugly funcs using global variables and spawning openldap clients 2001 2002my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; 2003my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; 2004... 2005</screen> 2006 </para></step> 2007 2008 <step><para> 2009 To complete the configuration of the smbldap-tools, set the permissions and ownership 2010 by executing the following commands: 2011<screen> 2012&rootprompt; chown root:root /opt/IDEALX/sbin/* 2013&rootprompt; chmod 755 /opt/IDEALX/sbin/smbldap-* 2014&rootprompt; chmod 640 /opt/IDEALX/sbin/smb*pm 2015</screen> 2016 The smbldap-tools scripts are now ready for the configuration step outlined in 2017 <link linkend="smbldap-init"/>. 2018 </para></step> 2019 2020 </procedure> 2021 2022 </sect3> 2023 2024 <sect3> 2025 <title>Installing smbldap-tools from the RPM Package</title> 2026 2027 <para> 2028 In the event that you have elected to use the RPM package provided by Idealx, download the 2029 source RPM <filename>smbldap-tools-0.9.1-1.src.rpm</filename>, then follow this procedure: 2030 </para> 2031 2032 <procedure> 2033 <title>Installation Steps for <constant>smbldap-tools</constant> RPM's</title> 2034 2035 <step><para> 2036 Install the source RPM that has been downloaded as follows: 2037<screen> 2038&rootprompt; rpm -i smbldap-tools-0.9.1-1.src.rpm 2039</screen> 2040 </para></step> 2041 2042 <step><para> 2043 Change into the directory in which the SPEC files are located. On SUSE Linux: 2044<screen> 2045&rootprompt; cd /usr/src/packages/SPECS 2046</screen> 2047 On Red Hat Linux systems: 2048<screen> 2049&rootprompt; cd /usr/src/redhat/SPECS 2050</screen> 2051 </para></step> 2052 2053 <step><para> 2054 Edit the <filename>smbldap-tools.spec</filename> file to change the value of the 2055 <constant>_sysconfig</constant> macro as shown here: 2056<screen> 2057%define _prefix /opt/IDEALX 2058%define _sysconfdir /etc 2059</screen> 2060 Note: Any suitable directory can be specified. 2061 </para></step> 2062 2063 <step><para> 2064 Build the package by executing: 2065<screen> 2066&rootprompt; rpmbuild -ba -v smbldap-tools.spec 2067</screen> 2068 A build process that has completed without error will place the installable binary 2069 files in the directory <filename>../RPMS/noarch</filename>. 2070 </para></step> 2071 2072 <step><para> 2073 Install the binary package by executing: 2074<screen> 2075&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm 2076</screen> 2077 </para></step> 2078 2079 </procedure> 2080 2081 <para> 2082 The Idealx scripts should now be ready for configuration using the steps outlined in 2083 <link linkend="smbldap-init">Configuration of smbldap-tools</link>. 2084 </para> 2085 2086 </sect3> 2087 2088 <sect3 id="smbldap-init"> 2089 <title>Configuration of smbldap-tools</title> 2090 2091 <para> 2092 Prior to use, the smbldap-tools must be configured to match the settings in the &smb.conf; file 2093 and to match the settings in the <filename>/etc/openldap/slapd.conf</filename> file. The assumption 2094 is made that the &smb.conf; file has correct contents. The following procedure ensures that 2095 this is completed correctly: 2096 </para> 2097 2098 <para> 2099 The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included 2100 in the &smb.conf; file. 2101 </para> 2102 2103 <procedure> 2104 <title>Configuration Steps for <constant>smbldap-tools</constant> to Enable Use</title> 2105 2106 <step><para> 2107 Change into the directory that contains the <filename>configure.pl</filename> script. 2108<screen> 2109&rootprompt; cd /opt/IDEALX/sbin 2110</screen> 2111 </para></step> 2112 2113 <step><para> 2114 Execute the <filename>configure.pl</filename> script as follows: 2115<screen> 2116&rootprompt; ./configure.pl 2117</screen> 2118 The interactive use of this script for the PDC is demonstrated here: 2119<screen> 2120&rootprompt; /opt/IDEALX/sbin/configure.pl 2121-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2122 smbldap-tools script configuration 2123 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2124Before starting, check 2125 . if your samba controller is up and running. 2126 . if the domain SID is defined (you can get it with the 2127 'net getlocalsid') 2128 2129 . you can leave the configuration using the Crtl-c key combination 2130 . empty value can be set with the "." character 2131-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2132Looking for configuration files... 2133 2134Samba Config File Location [/etc/samba/smb.conf] > 2135smbldap-tools configuration file Location (global parameters) 2136 [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] > 2137smbldap Config file Location (bind parameters) 2138 [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] > 2139-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2140Let's start configuring the smbldap-tools scripts ... 2141 2142. workgroup name: name of the domain Samba act as a PDC 2143 workgroup name [MEGANET2] > 2144. netbios name: netbios name of the samba controler 2145 netbios name [MASSIVE] > 2146. logon drive: local path to which the home directory 2147 will be connected (for NT Workstations). Ex: 'H:' 2148 logon drive [H:] > 2149. logon home: home directory location (for Win95/98 or NT Workstation) 2150 (use %U as username) Ex:'\\MASSIVE\%U' 2151 logon home (press the "." character if you don't want homeDirectory) 2152 [\\MASSIVE\%U] > 2153. logon path: directory where roaming profiles are stored. 2154 Ex:'\\MASSIVE\profiles\%U' 2155 logon path (press the "." character 2156 if you don't want roaming profile) [\\%L\profiles\%U] > 2157. home directory prefix (use %U as username) 2158 [/home/%U] > /data/users/%U 2159. default users' homeDirectory mode [700] > 2160. default user netlogon script (use %U as username) 2161 [scripts\logon.bat] > 2162 default password validation time (time in days) [45] > 900 2163. ldap suffix [dc=abmas,dc=biz] > 2164. ldap group suffix [ou=Groups] > 2165. ldap user suffix [ou=People,ou=Users] > 2166. ldap machine suffix [ou=Computers,ou=Users] > 2167. Idmap suffix [ou=Idmap] > 2168. sambaUnixIdPooldn: object where you want to store the next uidNumber 2169 and gidNumber available for new users and groups 2170 sambaUnixIdPooldn object (relative to ${suffix}) 2171 [sambaDomainName=MEGANET2] > 2172. ldap master server: IP adress or DNS name of the master 2173 (writable) ldap server 2174 ldap master server [massive.abmas.biz] > 2175. ldap master port [389] > 2176. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > 2177. ldap master bind password [] > 2178. ldap slave server: IP adress or DNS name of the slave ldap server: 2179 can also be the master one 2180 ldap slave server [massive.abmas.biz] > 2181. ldap slave port [389] > 2182. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > 2183. ldap slave bind password [] > 2184. ldap tls support (1/0) [0] > 2185. SID for domain MEGANET2: SID of the domain 2186 (can be obtained with 'net getlocalsid MASSIVE') 2187 SID for domain MEGANET2 2188 [S-1-5-21-3504140859-1010554828-2431957765]] > 2189. unix password encryption: encryption used for unix passwords 2190 unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 2191. default user gidNumber [513] > 2192. default computer gidNumber [515] > 2193. default login shell [/bin/bash] > 2194. default skeleton directory [/etc/skel] > 2195. default domain name to append to mail adress [] > abmas.biz 2196-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2197backup old configuration files: 2198 /etc/opt/IDEALX/smbldap-tools/smbldap.conf-> 2199 /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old 2200 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf-> 2201 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old 2202writing new configuration file: 2203 /etc/opt/IDEALX/smbldap-tools/smbldap.conf done. 2204 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done. 2205</screen> 2206 Since a slave LDAP server has not been configured, it is necessary to specify the IP 2207 address of the master LDAP server for both the master and the slave configuration 2208 prompts. 2209 </para></step> 2210 2211 <step><para> 2212 Change to the directory that contains the <filename>smbldap.conf</filename> file, 2213 then verify its contents. 2214 </para></step> 2215 2216 </procedure> 2217 2218 <para> 2219 The smbldap-tools are now ready for use. 2220 </para> 2221 2222 </sect3> 2223 2224 </sect2> 2225 2226 <sect2> 2227 <title>LDAP Initialization and Creation of User and Group Accounts</title> 2228 2229 <para> 2230 The LDAP database must be populated with well-known Windows domain user accounts and domain group 2231 accounts before Samba can be used. The following procedures step you through the process. 2232 </para> 2233 2234 <para> 2235 At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are 2236 mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not 2237 hurt to have UNIX user and group accounts in both the system files as well as in the LDAP 2238 database. From a UNIX system perspective, the NSS resolver checks system files before 2239 referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it 2240 does not need to ask LDAP. 2241 </para> 2242 2243 <para> 2244 Addition of an account to the LDAP backend can be done in two ways: 2245 </para> 2246 2247 <itemizedlist> 2248 <listitem><para> 2249 <indexterm><primary>NIS</primary></indexterm> 2250 <indexterm><primary>/etc/passwd</primary></indexterm> 2251 <indexterm><primary>Posix accounts</primary></indexterm> 2252 <indexterm><primary>pdbedit</primary></indexterm> 2253 <indexterm><primary>SambaSamAccount</primary></indexterm> 2254 <indexterm><primary>PosixAccount</primary></indexterm> 2255 If you always have a user account in the <filename>/etc/passwd</filename> on every 2256 server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in 2257 LDAP. In this case, you can add Windows domain user accounts using the 2258 <command>pdbedit</command> utility. Use of this tool from the command line adds the 2259 SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. 2260 </para> 2261 2262 <para> 2263 This is the least desirable method because when LDAP is used as the passwd backend Samba 2264 expects the POSIX account to be in LDAP also. It is possible to use the PADL account 2265 migration tool to migrate all system accounts from either the <filename>/etc/passwd</filename> 2266 files, or from NIS, to LDAP. 2267 </para></listitem> 2268 2269 <listitem><para> 2270 If you decide that it is probably a good idea to add both the PosixAccount attributes 2271 as well as the SambaSamAccount attributes for each user, then a suitable script is needed. 2272 In the example system you are installing in this exercise, you are making use of the 2273 Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system, 2274 is included on the enclosed CD-ROM under <filename>Chap06/Tools.</filename> 2275 </para></listitem> 2276 </itemizedlist> 2277 2278 <para> 2279 <indexterm><primary>Idealx</primary><secondary>smbldap-tools</secondary></indexterm> 2280 If you wish to have more control over how the LDAP database is initialized or 2281 if you don't want to use the Idealx smbldap-tools, you should refer to 2282 <link linkend="appendix"/>, <link linkend="altldapcfg"/>. 2283 </para> 2284 2285 <para> 2286 <indexterm><primary>smbldap-populate</primary></indexterm> 2287 The following steps initialize the LDAP database, and then you can add user and group 2288 accounts that Samba can use. You use the <command>smbldap-populate</command> to 2289 seed the LDAP database. You then manually add the accounts shown in <link linkend="sbehap-bigacct"/>. 2290 The list of users does not cover all 500 network users; it provides examples only. 2291 </para> 2292 2293 <note><para> 2294 <indexterm><primary>LDAP</primary><secondary>database</secondary></indexterm> 2295 <indexterm><primary>directory</primary><secondary>People container</secondary></indexterm> 2296 <indexterm><primary>directory</primary><secondary>Computers container</secondary></indexterm> 2297 In the following examples, as the LDAP database is initialized, we do create a container 2298 for Computer (machine) accounts. In the Samba-3 &smb.conf; files, specific use is made 2299 of the People container, not the Computers container, for domain member accounts. This is not a 2300 mistake; it is a deliberate action that is necessitated by the fact that the resolution of 2301 a machine (computer) account to a UID is done via NSS. The only way this can be handled is 2302 using the NSS (<filename>/etc/nsswitch.conf</filename>) entry for <constant>passwd</constant>, 2303 which is resolved using the <filename>nss_ldap</filename> library. The configuration file for 2304 the <filename>nss_ldap</filename> library is the file <filename>/etc/ldap.conf</filename> that 2305 provides only one possible LDAP search command that is specified by the entry called 2306 <constant>nss_base_passwd</constant>. This means that the search path must take into account 2307 the directory structure so that the LDAP search will commence at a level that is above 2308 both the Computers container and the Users (or People) container. If this is done, it is 2309 necessary to use a search that will descend the directory tree so that the machine account 2310 can be found. Alternatively, by placing all machine accounts in the People container, we 2311 are able to sidestep this limitation. This is the simpler solution that has been adopted 2312 in this chapter. 2313 </para></note> 2314 2315 2316 <table id="sbehap-bigacct"> 2317 <title>Abmas Network Users and Groups</title> 2318 <tgroup cols="4"> 2319 <colspec align="left"/> 2320 <colspec align="left"/> 2321 <colspec align="left"/> 2322 <colspec align="left"/> 2323 <thead> 2324 <row> 2325 <entry align="center">Account Name</entry> 2326 <entry align="center">Type</entry> 2327 <entry align="center">ID</entry> 2328 <entry align="center">Password</entry> 2329 </row> 2330 </thead> 2331 <tbody> 2332 <row> 2333 <entry>Robert Jordan</entry> 2334 <entry>User</entry> 2335 <entry>bobj</entry> 2336 <entry>n3v3r2l8</entry> 2337 </row> 2338 <row> 2339 <entry>Stanley Soroka</entry> 2340 <entry>User</entry> 2341 <entry>stans</entry> 2342 <entry>impl13dst4r</entry> 2343 </row> 2344 <row> 2345 <entry>Christine Roberson</entry> 2346 <entry>User</entry> 2347 <entry>chrisr</entry> 2348 <entry>S9n0nw4ll</entry> 2349 </row> 2350 <row> 2351 <entry>Mary Vortexis</entry> 2352 <entry>User</entry> 2353 <entry>maryv</entry> 2354 <entry>kw13t0n3</entry> 2355 </row> 2356 <row> 2357 <entry>Accounts</entry> 2358 <entry>Group</entry> 2359 <entry>Accounts</entry> 2360 <entry></entry> 2361 </row> 2362 <row> 2363 <entry>Finances</entry> 2364 <entry>Group</entry> 2365 <entry>Finances</entry> 2366 <entry></entry> 2367 </row> 2368 <row> 2369 <entry>Insurance</entry> 2370 <entry>Group</entry> 2371 <entry>PIOps</entry> 2372 <entry></entry> 2373 </row> 2374 </tbody> 2375 </tgroup> 2376 </table> 2377 2378 <procedure id="creatacc"> 2379 <title>LDAP Directory Initialization Steps</title> 2380 2381 <step><para> 2382 Start the LDAP server by executing: 2383<screen> 2384&rootprompt; rcldap start 2385Starting ldap-server done 2386</screen> 2387 </para></step> 2388 2389 <step><para> 2390 Change to the <filename>/opt/IDEALX/sbin</filename> directory. 2391 </para></step> 2392 2393 <step><para> 2394 Execute the script that will populate the LDAP database as shown here: 2395<screen> 2396&rootprompt; ./smbldap-populate -a root -k 0 -m 0 2397</screen> 2398 The expected output from this is: 2399<screen> 2400Using workgroup name from smb.conf: sambaDomainName=MEGANET2 2401-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2402=> Warning: you must update smbldap.conf configuration file to : 2403=> sambaUnixIdPooldn parameter must be set 2404 to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" 2405-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 2406Using builtin directory structure 2407adding new entry: dc=abmas,dc=biz 2408adding new entry: ou=People,dc=abmas,dc=biz 2409adding new entry: ou=Groups,dc=abmas,dc=biz 2410entry ou=People,dc=abmas,dc=biz already exist. 2411adding new entry: ou=Idmap,dc=abmas,dc=biz 2412adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz 2413adding new entry: uid=root,ou=People,dc=abmas,dc=biz 2414adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz 2415adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz 2416adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz 2417adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz 2418adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 2419adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz 2420adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz 2421adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz 2422adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz 2423</screen> 2424 </para></step> 2425 2426 <step><para> 2427 Edit the <filename>/etc/smbldap-tools/smbldap.conf</filename> file so that the following 2428 information is changed from: 2429<screen> 2430# Where to store next uidNumber and gidNumber available 2431sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 2432</screen> 2433 to read, after modification: 2434<screen> 2435# Where to store next uidNumber and gidNumber available 2436#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 2437sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" 2438</screen> 2439 </para></step> 2440 2441 <step><para> 2442 It is necessary to restart the LDAP server as shown here: 2443<screen> 2444&rootprompt; rcldap restart 2445Shutting down ldap-server done 2446Starting ldap-server done 2447</screen> 2448 </para></step> 2449 2450 <step><para> 2451 <indexterm><primary>slapcat</primary></indexterm> 2452 So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data. 2453 There are several ways you can check that your LDAP database is able to receive IDMAP information. One of 2454 the simplest is to execute: 2455<screen> 2456&rootprompt; slapcat | grep -i idmap 2457dn: ou=Idmap,dc=abmas,dc=biz 2458ou: idmap 2459</screen> 2460 <indexterm> <primary>ldapadd</primary></indexterm> 2461 If the execution of this command does not return IDMAP entries, you need to create an LDIF 2462 template file (see <link linkend="sbehap-ldifadd"/>). You can add the required entries using 2463 the following command: 2464<screen> 2465&rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ 2466 -w not24get < /etc/openldap/idmap.LDIF 2467</screen> 2468 Samba automatically populates this LDAP directory container when it needs to. 2469 </para></step> 2470 2471 <step><para> 2472 <indexterm><primary>slapcat</primary></indexterm> 2473 It looks like all has gone well, as expected. Let's confirm that this is the case 2474 by running a few tests. First we check the contents of the database directly 2475 by running <command>slapcat</command> as follows (the output has been cut down): 2476<screen> 2477&rootprompt; slapcat 2478dn: dc=abmas,dc=biz 2479objectClass: dcObject 2480objectClass: organization 2481dc: abmas 2482o: abmas 2483structuralObjectClass: organization 2484entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43 2485creatorsName: cn=Manager,dc=abmas,dc=biz 2486createTimestamp: 20031217234200Z 2487entryCSN: 2003121723:42:00Z#0x0001#0#0000 2488modifiersName: cn=Manager,dc=abmas,dc=biz 2489modifyTimestamp: 20031217234200Z 2490... 2491dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 2492objectClass: posixGroup 2493objectClass: sambaGroupMapping 2494gidNumber: 553 2495cn: Domain Computers 2496description: Netbios Domain Computers accounts 2497sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 2498sambaGroupType: 2 2499displayName: Domain Computers 2500structuralObjectClass: posixGroup 2501entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43 2502creatorsName: cn=Manager,dc=abmas,dc=biz 2503createTimestamp: 20031217234206Z 2504entryCSN: 2003121723:42:06Z#0x0002#0#0000 2505modifiersName: cn=Manager,dc=abmas,dc=biz 2506modifyTimestamp: 20031217234206Z 2507</screen> 2508 This looks good so far. 2509 </para></step> 2510 2511 <step><para> 2512 <indexterm><primary>ldapsearch</primary></indexterm> 2513 The next step is to prove that the LDAP server is running and responds to a 2514 search request. Execute the following as shown (output has been cut to save space): 2515<screen> 2516&rootprompt; ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" 2517# extended LDIF 2518# 2519# LDAPv3 2520# base <dc=abmas,dc=biz> with scope sub 2521# filter: (ObjectClass=*) 2522# requesting: ALL 2523# 2524 2525# abmas.biz 2526dn: dc=abmas,dc=biz 2527objectClass: dcObject 2528objectClass: organization 2529dc: abmas 2530o: abmas 2531 2532# People, abmas.biz 2533dn: ou=People,dc=abmas,dc=biz 2534objectClass: organizationalUnit 2535ou: People 2536... 2537# Domain Computers, Groups, abmas.biz 2538dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 2539objectClass: posixGroup 2540objectClass: sambaGroupMapping 2541gidNumber: 553 2542cn: Domain Computers 2543description: Netbios Domain Computers accounts 2544sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 2545sambaGroupType: 2 2546displayName: Domain Computers 2547 2548# search result 2549search: 2 2550result: 0 Success 2551 2552# numResponses: 20 2553# numEntries: 19 2554</screen> 2555 Good. It is all working just fine. 2556 </para></step> 2557 2558 <step><para> 2559 <indexterm><primary>getent</primary></indexterm> 2560 You must now make certain that the NSS resolver can interrogate LDAP also. 2561 Execute the following commands: 2562<screen> 2563&rootprompt; getent passwd | grep root 2564root:x:998:512:Netbios Domain Administrator:/home:/bin/false 2565 2566&rootprompt; getent group | grep Domain 2567Domain Admins:x:512:root 2568Domain Users:x:513: 2569Domain Guests:x:514: 2570Domain Computers:x:553: 2571</screen> 2572 <indexterm><primary>nss_ldap</primary></indexterm> 2573 This demonstrates that the <command>nss_ldap</command> library is functioning 2574 as it should. If these two steps fail to produce this information, refer to 2575 <link linkend="sbeavoid"/> for diagnostic procedures that can be followed to 2576 isolate the cause of the problem. Proceed to the next step only when the previous steps 2577 have been successfully completed. 2578 </para></step> 2579 2580 <step><para> 2581 <indexterm><primary>smbldap-useradd</primary></indexterm> 2582 <indexterm><primary>smbldap-passwd</primary></indexterm> 2583 <indexterm><primary>smbpasswd</primary></indexterm> 2584 Our database is now ready for the addition of network users. For each user for 2585 whom an account must be created, execute the following: 2586<screen> 2587&rootprompt; ./smbldap-useradd -m -a <constant>username</constant> 2588&rootprompt; ./smbldap-passwd <constant>username</constant> 2589Changing password for <constant>username</constant> 2590New password : XXXXXXXX 2591Retype new password : XXXXXXXX 2592 2593&rootprompt; smbpasswd <constant>username</constant> 2594New SMB password: XXXXXXXX 2595Retype new SMB password: XXXXXXXX 2596</screen> 2597 where <constant>username</constant> is the login ID for each user. 2598 </para></step> 2599 2600 <step><para> 2601 <indexterm><primary>getent</primary></indexterm> 2602 Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the 2603 following: 2604<screen> 2605&rootprompt; getent passwd 2606root:x:0:0:root:/root:/bin/bash 2607bin:x:1:1:bin:/bin:/bin/bash 2608... 2609root:x:0:512:Netbios Domain Administrator:/home:/bin/false 2610nobody:x:999:514:nobody:/dev/null:/bin/false 2611bobj:x:1000:513:System User:/home/bobj:/bin/bash 2612stans:x:1001:513:System User:/home/stans:/bin/bash 2613chrisr:x:1002:513:System User:/home/chrisr:/bin/bash 2614maryv:x:1003:513:System User:/home/maryv:/bin/bash 2615</screen> 2616 This demonstrates that user account resolution via LDAP is working. 2617 </para></step> 2618 2619 <step><para> 2620 This step will determine whether or not identity resolution is working correctly. 2621 Do not procede is this step fails, rather find the cause of the failure. The 2622 <command>id</command> command may be used to validate your configuration so far, 2623 as shown here: 2624<screen> 2625&rootprompt; id chrisr 2626uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) 2627</screen> 2628 This confirms that the UNIX (POSIX) user account information can be resolved from LDAP 2629 by system tools that make a getentpw() system call. 2630 </para></step> 2631 2632 <step><para> 2633 <indexterm><primary>smbldap-usermod</primary></indexterm> 2634 The root account must have UID=0; if not, this means that operations conducted from 2635 a Windows client using tools such as the Domain User Manager fails under UNIX because 2636 the management of user and group accounts requires that the UID=0. Additionally, it is 2637 a good idea to make certain that no matter how root account credentials are resolved, 2638 the home directory and shell are valid. You decide to effect this immediately 2639 as demonstrated here: 2640<screen> 2641&rootprompt; cd /opt/IDEALX/sbin 2642&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root 2643</screen> 2644 </para></step> 2645 2646 <step><para> 2647 Verify that the changes just made to the <constant>root</constant> account were 2648 accepted by executing: 2649<screen> 2650&rootprompt; getent passwd | grep root 2651root:x:0:0:root:/root:/bin/bash 2652root:x:0:512:Netbios Domain Administrator:/root:/bin/bash 2653</screen> 2654 This demonstrates that the changes were accepted. 2655 </para></step> 2656 2657 <step><para> 2658 Make certain that a home directory has been created for every user by listing the 2659 directories in <filename>/home</filename> as follows: 2660<screen> 2661&rootprompt; ls -al /home 2662drwxr-xr-x 8 root root 176 Dec 17 18:50 ./ 2663drwxr-xr-x 21 root root 560 Dec 15 22:19 ../ 2664drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/ 2665drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/ 2666drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/ 2667drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ 2668</screen> 2669 This is precisely what we want to see. 2670 </para></step> 2671 2672 <step><para> 2673 <indexterm><primary>ldapsam</primary></indexterm> 2674 <indexterm><primary>pdbedit</primary></indexterm> 2675 The final validation step involves making certain that Samba-3 can obtain the user 2676 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: 2677<screen> 2678&rootprompt; pdbedit -Lv chrisr 2679Unix username: chrisr 2680NT username: chrisr 2681Account Flags: [U ] 2682User SID: S-1-5-21-3504140859-1010554828-2431957765-3004 2683Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 2684Full Name: System User 2685Home Directory: \\MASSIVE\homes 2686HomeDir Drive: H: 2687Logon Script: scripts\login.cmd 2688Profile Path: \\MASSIVE\profiles\chrisr 2689Domain: MEGANET2 2690Account desc: System User 2691Workstations: 2692Munged dial: 2693Logon time: 0 2694Logoff time: Mon, 18 Jan 2038 20:14:07 GMT 2695Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT 2696Password last set: Wed, 17 Dec 2003 17:17:40 GMT 2697Password can change: Wed, 17 Dec 2003 17:17:40 GMT 2698Password must change: Mon, 18 Jan 2038 20:14:07 GMT 2699Last bad password : 0 2700Bad password count : 0 2701Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2702</screen> 2703 This looks good. Of course, you fully expected that it would all work, didn't you? 2704 </para></step> 2705 2706 <step><para> 2707 <indexterm><primary>smbldap-groupadd</primary></indexterm> 2708 Now you add the group accounts that are used on the Abmas network. Execute 2709 the following exactly as shown: 2710<screen> 2711&rootprompt; ./smbldap-groupadd -a Accounts 2712&rootprompt; ./smbldap-groupadd -a Finances 2713&rootprompt; ./smbldap-groupadd -a PIOps 2714</screen> 2715 The addition of groups does not involve keyboard interaction, so the lack of console 2716 output is of no concern. 2717 </para></step> 2718 2719 <step><para> 2720 <indexterm><primary>getent</primary></indexterm> 2721 You really do want to confirm that UNIX group resolution from LDAP is functioning 2722 as it should. Let's do this as shown here: 2723<screen> 2724&rootprompt; getent group 2725... 2726Domain Admins:x:512:root 2727Domain Users:x:513:bobj,stans,chrisr,maryv 2728Domain Guests:x:514: 2729... 2730Accounts:x:1000: 2731Finances:x:1001: 2732PIOps:x:1002: 2733</screen> 2734 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well 2735 as our own site-specific group accounts, are correctly listed. This is looking good. 2736 </para></step> 2737 2738 <step><para> 2739 <indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm> 2740 The final step we need to validate is that Samba can see all the Windows domain groups 2741 and that they are correctly mapped to the respective UNIX group account. To do this, 2742 just execute the following command: 2743<screen> 2744&rootprompt; net groupmap list 2745Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins 2746Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users 2747Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests 2748... 2749Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts 2750Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances 2751PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps 2752</screen> 2753 This is looking good. Congratulations &smbmdash; it works! Note that in the above output 2754 the lines were shortened by replacing the middle value (1010554828) of the SID with the 2755 ellipsis (...). 2756 </para></step> 2757 2758 <step><para> 2759 The server you have so carefully built is now ready for another important step. You 2760 start the Samba-3 server and validate its operation. Execute the following to render all 2761 the processes needed fully operative so that, on system reboot, they are automatically 2762 started: 2763<screen> 2764&rootprompt; chkconfig named on 2765&rootprompt; chkconfig dhcpd on 2766&rootprompt; chkconfig ldap on 2767&rootprompt; chkconfig nmb on 2768&rootprompt; chkconfig smb on 2769&rootprompt; chkconfig winbind on 2770&rootprompt; rcnmb start 2771&rootprompt; rcsmb start 2772&rootprompt; rcwinbind start 2773</screen> 2774 </para></step> 2775 2776 <step><para> 2777 The next step might seem a little odd at this point, but take note that you are about to 2778 start <command>winbindd</command>, which must be able to authenticate to the PDC via the 2779 localhost interface with the <command>smbd</command> process. This account can be 2780 easily created by joining the PDC to the domain by executing the following command: 2781<screen> 2782&rootprompt; net rpc join -S MASSIVE -U root%not24get 2783</screen> 2784 Note: Before executing this command on the PDC, both <command>nmbd</command> and 2785 <command>smbd</command> must be started so that the <command>net</command> command 2786 can communicate with <command>smbd</command>. The expected output is as follows: 2787<screen> 2788Joined domain MEGANET2. 2789</screen> 2790 This indicates that the domain security account for the PDC has been correctly created. 2791 </para></step> 2792 2793 <step><para> 2794 At this time it is necessary to restart <command>winbindd</command> so that it can 2795 correctly authenticate to the PDC. The following command achieves that: 2796<screen> 2797&rootprompt; rcwinbind restart 2798</screen> 2799 </para></step> 2800 2801 <step><para> 2802 <indexterm><primary>smbclient</primary></indexterm> 2803 You may now check Samba-3 operation as follows: 2804<screen> 2805&rootprompt; smbclient -L massive -U% 2806 2807 Sharename Type Comment 2808 --------- ---- ------- 2809 IPC$ IPC IPC Service (Samba 3.0.20) 2810 accounts Disk Accounting Files 2811 service Disk Financial Services Files 2812 pidata Disk Property Insurance Files 2813 apps Disk Application Files 2814 netlogon Disk Network Logon Service 2815 profiles Disk Profile Share 2816 profdata Disk Profile Data Share 2817 ADMIN$ IPC IPC Service (Samba 3.0.20) 2818 2819 Server Comment 2820 --------- ------- 2821 MASSIVE Samba 3.0.20 2822 2823 Workgroup Master 2824 --------- ------- 2825 MEGANET2 MASSIVE 2826</screen> 2827 This shows that an anonymous connection is working. 2828 </para></step> 2829 2830 <step><para> 2831 For your finale, let's try an authenticated connection: 2832<screen> 2833&rootprompt; smbclient //massive/bobj -Ubobj%n3v3r2l8 2834smb: \> dir 2835 . D 0 Wed Dec 17 01:16:19 2003 2836 .. D 0 Wed Dec 17 19:04:42 2003 2837 bin D 0 Tue Sep 2 04:00:57 2003 2838 Documents D 0 Sun Nov 30 07:28:20 2003 2839 public_html D 0 Sun Nov 30 07:28:20 2003 2840 .urlview H 311 Fri Jul 7 06:55:35 2000 2841 .dvipsrc H 208 Fri Nov 17 11:22:02 1995 2842 2843 57681 blocks of size 524288. 57128 blocks available 2844smb: \> q 2845</screen> 2846 Well done. All is working fine. 2847 </para></step> 2848 </procedure> 2849 2850 <para> 2851 The server <constant>MASSIVE</constant> is now configured, and it is time to move onto the next task. 2852 </para> 2853 2854 </sect2> 2855 2856 <sect2 id="sbehap-ptrcfg"> 2857 <title>Printer Configuration</title> 2858 2859 <para> 2860 <indexterm><primary>CUPS</primary></indexterm> 2861 The configuration for Samba-3 to enable CUPS raw-print-through printing has already been 2862 taken care of in the &smb.conf; file. The only preparation needed for <constant>smart</constant> 2863 printing to be possible involves creation of the directories in which Samba-3 stores 2864 Windows printing driver files. 2865 </para> 2866 2867 <procedure> 2868 <title>Printer Configuration Steps</title> 2869 2870 <step><para> 2871 Configure all network-attached printers to have a fixed IP address. 2872 </para></step> 2873 2874 <step><para> 2875 Create an entry in the DNS database on the server <constant>MASSIVE</constant> 2876 in both the forward lookup database for the zone <constant>abmas.biz.hosts</constant> 2877 and in the reverse lookup database for the network segment that the printer is to 2878 be located in. Example configuration files for similar zones were presented in <link linkend="secure"/>, 2879 <link linkend="abmasbiz"/> and in <link linkend="eth2zone"/>. 2880 </para></step> 2881 2882 <step><para> 2883 Follow the instructions in the printer manufacturers' manuals to permit printing 2884 to port 9100. Use any other port the manufacturer specifies for direct mode, 2885 raw printing. This allows the CUPS spooler to print using raw mode protocols. 2886 <indexterm><primary>CUPS</primary></indexterm> 2887 <indexterm><primary>raw printing</primary></indexterm> 2888 </para></step> 2889 2890 <step><para> 2891 <indexterm><primary>lpadmin</primary></indexterm> 2892 <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm> 2893 Only on the server to which the printer is attached, configure the CUPS Print 2894 Queues as follows: 2895<screen> 2896&rootprompt; lpadmin -p <parameter>printque</parameter> 2897 -v socket://<parameter>printer-name</parameter>.abmas.biz:9100 -E 2898</screen> 2899 <indexterm><primary>print filter</primary></indexterm> 2900 This step creates the necessary print queue to use no assigned print filter. This 2901 is ideal for raw printing, that is, printing without use of filters. 2902 The name <parameter>printque</parameter> is the name you have assigned for 2903 the particular printer. 2904 </para></step> 2905 2906 <step><para> 2907 Print queues may not be enabled at creation. Make certain that the queues 2908 you have just created are enabled by executing the following: 2909<screen> 2910&rootprompt; /usr/bin/enable <parameter>printque</parameter> 2911</screen> 2912 </para></step> 2913 2914 <step><para> 2915 Even though your print queue may be enabled, it is still possible that it 2916 may not accept print jobs. A print queue will service incoming printing 2917 requests only when configured to do so. Ensure that your print queue is 2918 set to accept incoming jobs by executing the following commands: 2919<screen> 2920&rootprompt; /usr/bin/accept <parameter>printque</parameter> 2921</screen> 2922 </para></step> 2923 2924 <step><para> 2925 <indexterm><primary>mime type</primary></indexterm> 2926 <indexterm><primary>/etc/mime.convs</primary></indexterm> 2927 <indexterm><primary>application/octet-stream</primary></indexterm> 2928 Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: 2929<screen> 2930application/octet-stream application/vnd.cups-raw 0 - 2931</screen> 2932 </para></step> 2933 2934 <step><para> 2935 <indexterm><primary>/etc/mime.types</primary></indexterm> 2936 Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: 2937<screen> 2938application/octet-stream 2939</screen> 2940 </para></step> 2941 2942 <step><para> 2943 Refer to the CUPS printing manual for instructions regarding how to configure 2944 CUPS so that print queues that reside on CUPS servers on remote networks 2945 route print jobs to the print server that owns that queue. The default setting 2946 on your CUPS server may automatically discover remotely installed printers and 2947 may permit this functionality without requiring specific configuration. 2948 </para></step> 2949 2950 <step><para> 2951 The following action creates the necessary directory subsystem. Follow these 2952 steps to printing heaven: 2953<screen> 2954&rootprompt; mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} 2955&rootprompt; chown -R root:root /var/lib/samba/drivers 2956&rootprompt; chmod -R ug=rwx,o=rx /var/lib/samba/drivers 2957</screen> 2958 </para></step> 2959 2960 </procedure> 2961 2962 </sect2> 2963 2964</sect1> 2965 2966<sect1 id="sbehap-bldg1"> 2967 <title>Samba-3 BDC Configuration</title> 2968 2969 <procedure> 2970 <title>Configuration of BDC Called: <constant>BLDG1</constant></title> 2971 2972 <step><para> 2973 Install the files in <link linkend="sbehap-bldg1-smbconf"/>, 2974 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/> 2975 into the <filename>/etc/samba/</filename> directory. The three files 2976 should be added together to form the &smb.conf; file. 2977 </para></step> 2978 2979 <step><para> 2980 Verify the &smb.conf; file as in step 2 of <link 2981 linkend="sbehap-massive"/>. 2982 </para></step> 2983 2984 <step><para> 2985 Carefully follow the steps outlined in <link linkend="sbehap-PAM-NSS"/>, taking 2986 particular note to install the correct <filename>ldap.conf</filename>. 2987 </para></step> 2988 2989 <step><para> 2990 Verify that the NSS resolver is working. You may need to cycle the run level 2991 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these 2992 commands: 2993<screen> 2994&rootprompt; init 1 2995</screen> 2996 After the run level has been achieved, you are prompted to provide the 2997 <constant>root</constant> password. Log on, and then execute: 2998<screen> 2999&rootprompt; init 5 3000</screen> 3001 When the normal logon prompt appears, log into the system as <constant>root</constant> 3002 and then execute these commands: 3003<screen> 3004&rootprompt; getent passwd 3005root:x:0:0:root:/root:/bin/bash 3006bin:x:1:1:bin:/bin:/bin/bash 3007daemon:x:2:2:Daemon:/sbin:/bin/bash 3008lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash 3009mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false 3010... 3011root:x:0:512:Netbios Domain Administrator:/root:/bin/bash 3012nobody:x:999:514:nobody:/dev/null:/bin/false 3013bobj:x:1000:513:System User:/home/bobj:/bin/bash 3014stans:x:1001:513:System User:/home/stans:/bin/bash 3015chrisr:x:1002:513:System User:/home/chrisr:/bin/bash 3016maryv:x:1003:513:System User:/home/maryv:/bin/bash 3017vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false 3018bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false 3019</screen> 3020 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. 3021 </para></step> 3022 3023 <step><para> 3024 <indexterm><primary>getent</primary></indexterm> 3025 The next step in the verification process involves testing the operation of UNIX group 3026 resolution via the NSS LDAP resolver. Execute these commands: 3027<screen> 3028&rootprompt; getent group 3029root:x:0: 3030bin:x:1:daemon 3031daemon:x:2: 3032sys:x:3: 3033... 3034Domain Admins:x:512:root 3035Domain Users:x:513:bobj,stans,chrisr,maryv,jht 3036Domain Guests:x:514: 3037Administrators:x:544: 3038Users:x:545: 3039Guests:x:546:nobody 3040Power Users:x:547: 3041Account Operators:x:548: 3042Server Operators:x:549: 3043Print Operators:x:550: 3044Backup Operators:x:551: 3045Replicator:x:552: 3046Domain Computers:x:553: 3047Accounts:x:1000: 3048Finances:x:1001: 3049PIOps:x:1002: 3050</screen> 3051 This is also the correct and desired output, because it demonstrates that the LDAP client 3052 is able to communicate correctly with the LDAP server (<constant>MASSIVE</constant>). 3053 </para></step> 3054 3055 <step><para> 3056 <indexterm><primary>smbpasswd</primary></indexterm> 3057 You must now set the LDAP administrative password into the Samba-3 <filename>secrets.tdb</filename> 3058 file by executing this command: 3059<screen> 3060&rootprompt; smbpasswd -w not24get 3061Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb 3062</screen> 3063 </para></step> 3064 3065 <step><para> 3066 Now you must obtain the domain SID from the PDC and store it into the 3067 <filename>secrets.tdb</filename> file also. This step is not necessary with an LDAP 3068 passdb backend because Samba-3 obtains the domain SID from the 3069 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to 3070 add the SID to the <filename>secrets.tdb</filename>, and if you wish to do so, this 3071 command can achieve that: 3072<screen> 3073&rootprompt; net rpc getsid MEGANET2 3074Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ 3075 for Domain MEGANET2 in secrets.tdb 3076</screen> 3077 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take 3078 any special action to join it to the domain. However, winbind communicates with the 3079 domain controller that is running on the localhost and must be able to authenticate, 3080 thus requiring that the BDC should be joined to the domain. The process of joining 3081 the domain creates the necessary authentication accounts. 3082 </para></step> 3083 3084 <step><para> 3085 To join the Samba BDC to the domain, execute the following: 3086<screen> 3087&rootprompt; net rpc join -U root%not24get 3088Joined domain MEGANET2. 3089</screen> 3090 This indicates that the domain security account for the BDC has been correctly created. 3091 </para></step> 3092 3093 <step><para> 3094 <indexterm> 3095 <primary>pdbedit</primary> 3096 </indexterm> 3097 Verify that user and group account resolution works via Samba-3 tools as follows: 3098<screen> 3099&rootprompt; pdbedit -L 3100root:0:root 3101nobody:65534:nobody 3102bobj:1000:System User 3103stans:1001:System User 3104chrisr:1002:System User 3105maryv:1003:System User 3106bldg1$:1006:bldg1$ 3107 3108&rootprompt; net groupmap list 3109Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> 3110 Domain Admins 3111Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users 3112Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> 3113 Domain Guests 3114Administrators (S-1-5-21-3504140859-...-2431957765-544) -> 3115 Administrators 3116... 3117Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts 3118Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances 3119PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps 3120</screen> 3121 These results show that all things are in order. 3122 </para></step> 3123 3124 <step><para> 3125 The server you have so carefully built is now ready for another important step. Now 3126 start the Samba-3 server and validate its operation. Execute the following to render all 3127 the processes needed fully operative so that, upon system reboot, they are automatically 3128 started: 3129<screen> 3130&rootprompt; chkconfig named on 3131&rootprompt; chkconfig dhcpd on 3132&rootprompt; chkconfig nmb on 3133&rootprompt; chkconfig smb on 3134&rootprompt; chkconfig winbind on 3135&rootprompt; rcnmb start 3136&rootprompt; rcsmb start 3137&rootprompt; rcwinbind start 3138</screen> 3139 Samba-3 should now be running and is ready for a quick test. But not quite yet! 3140 </para></step> 3141 3142 <step><para> 3143 Your new <constant>BLDG1, BLDG2</constant> servers do not have home directories for users. 3144 To rectify this using the SUSE yast2 utility or by manually editing the <filename>/etc/fstab</filename> 3145 file, add a mount entry to mount the <constant>home</constant> directory that has been exported 3146 from the <constant>MASSIVE</constant> server. Mount this resource before proceeding. An alternate 3147 approach could be to create local home directories for users who are to use these machines. 3148 This is a choice that you, as system administrator, must make. The following entry in the 3149 <filename>/etc/fstab</filename> file suffices for now: 3150<screen> 3151massive.abmas.biz:/home /home nfs rw 0 0 3152</screen> 3153 To mount this resource, execute: 3154<screen> 3155&rootprompt; mount -a 3156</screen> 3157 Verify that the home directory has been mounted as follows: 3158<screen> 3159&rootprompt; df | grep home 3160massive:/home 29532988 283388 29249600 1% /home 3161</screen> 3162 </para></step> 3163 3164 <step><para> 3165 Implement a quick check using one of the users that is in the LDAP database. Here you go: 3166<screen> 3167&rootprompt; smbclient //bldg1/bobj -Ubobj%n3v3r2l8 3168smb: \> dir 3169 . D 0 Wed Dec 17 01:16:19 2003 3170 .. D 0 Wed Dec 17 19:04:42 2003 3171 bin D 0 Tue Sep 2 04:00:57 2003 3172 Documents D 0 Sun Nov 30 07:28:20 2003 3173 public_html D 0 Sun Nov 30 07:28:20 2003 3174 .urlview H 311 Fri Jul 7 06:55:35 2000 3175 .dvipsrc H 208 Fri Nov 17 11:22:02 1995 3176 3177 57681 blocks of size 524288. 57128 blocks available 3178smb: \> q 3179</screen> 3180 </para></step> 3181 3182 </procedure> 3183 3184 <para> 3185 Now that the first BDC (<constant>BDLG1</constant>) has been configured it is time to build 3186 and configure the second BDC server (<constant>BLDG2</constant>) as follows: 3187 </para> 3188 3189 <procedure id="sbehap-bldg2"> 3190 <title>Configuration of BDC Called <constant>BLDG2</constant></title> 3191 3192 <step><para> 3193 Install the files in <link linkend="sbehap-bldg2-smbconf"/>, 3194 <link linkend="sbehap-shareconfa"/>, and <link linkend="sbehap-shareconfb"/> 3195 into the <filename>/etc/samba/</filename> directory. The three files 3196 should be added together to form the &smb.conf; file. 3197 </para></step> 3198 3199 <step><para> 3200 Follow carefully the steps shown in <link linkend="sbehap-bldg1"/>, starting at step 2. 3201 </para></step> 3202 3203 </procedure> 3204 3205<example id="sbehap-bldg1-smbconf"> 3206<title>LDAP Based &smb.conf; File, Server: BLDG1</title> 3207<smbconfblock> 3208<smbconfcomment>Global parameters</smbconfcomment> 3209<smbconfsection name="[global]"/> 3210 <smbconfoption name="unix charset">LOCALE</smbconfoption> 3211 <smbconfoption name="workgroup">MEGANET2</smbconfoption> 3212 <smbconfoption name="netbios name">BLDG1</smbconfoption> 3213 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption> 3214 <smbconfoption name="enable privileges">Yes</smbconfoption> 3215 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> 3216 <smbconfoption name="log level">1</smbconfoption> 3217 <smbconfoption name="syslog">0</smbconfoption> 3218 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption> 3219 <smbconfoption name="max log size">50</smbconfoption> 3220 <smbconfoption name="smb ports">139</smbconfoption> 3221 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> 3222 <smbconfoption name="printcap name">CUPS</smbconfoption> 3223 <smbconfoption name="show add printer wizard">No</smbconfoption> 3224 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption> 3225 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> 3226 <smbconfoption name="logon drive">X:</smbconfoption> 3227 <smbconfoption name="domain logons">Yes</smbconfoption> 3228 <smbconfoption name="domain master">No</smbconfoption> 3229 <smbconfoption name="wins server">172.16.0.1</smbconfoption> 3230 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption> 3231 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption> 3232 <smbconfoption name="ldap user suffix">ou=People</smbconfoption> 3233 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> 3234 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption> 3235 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> 3236 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption> 3237 <smbconfoption name="idmap uid">10000-20000</smbconfoption> 3238 <smbconfoption name="idmap gid">10000-20000</smbconfoption> 3239 <smbconfoption name="printing">cups</smbconfoption> 3240 <smbconfoption name="printer admin">root, chrisr</smbconfoption> 3241</smbconfblock> 3242</example> 3243 3244 3245<example id="sbehap-bldg2-smbconf"> 3246<title>LDAP Based &smb.conf; File, Server: BLDG2</title> 3247<smbconfblock> 3248<smbconfcomment>Global parameters</smbconfcomment> 3249<smbconfsection name="[global]"/> 3250 <smbconfoption name="unix charset">LOCALE</smbconfoption> 3251 <smbconfoption name="workgroup">MEGANET2</smbconfoption> 3252 <smbconfoption name="netbios name">BLDG2</smbconfoption> 3253 <smbconfoption name="passdb backend">ldapsam:ldap://massive.abmas.biz</smbconfoption> 3254 <smbconfoption name="enable privileges">Yes</smbconfoption> 3255 <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> 3256 <smbconfoption name="log level">1</smbconfoption> 3257 <smbconfoption name="syslog">0</smbconfoption> 3258 <smbconfoption name="log file">/var/log/samba/%m</smbconfoption> 3259 <smbconfoption name="max log size">50</smbconfoption> 3260 <smbconfoption name="smb ports">139</smbconfoption> 3261 <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> 3262 <smbconfoption name="printcap name">CUPS</smbconfoption> 3263 <smbconfoption name="show add printer wizard">No</smbconfoption> 3264 <smbconfoption name="logon script">scripts\logon.bat</smbconfoption> 3265 <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> 3266 <smbconfoption name="logon drive">X:</smbconfoption> 3267 <smbconfoption name="domain logons">Yes</smbconfoption> 3268 <smbconfoption name="domain master">No</smbconfoption> 3269 <smbconfoption name="wins server">172.16.0.1</smbconfoption> 3270 <smbconfoption name="ldap suffix">dc=abmas,dc=biz</smbconfoption> 3271 <smbconfoption name="ldap machine suffix">ou=People</smbconfoption> 3272 <smbconfoption name="ldap user suffix">ou=People</smbconfoption> 3273 <smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> 3274 <smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption> 3275 <smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> 3276 <smbconfoption name="idmap backend">ldap:ldap://massive.abmas.biz</smbconfoption> 3277 <smbconfoption name="idmap uid">10000-20000</smbconfoption> 3278 <smbconfoption name="idmap gid">10000-20000</smbconfoption> 3279 <smbconfoption name="printing">cups</smbconfoption> 3280 <smbconfoption name="printer admin">root, chrisr</smbconfoption> 3281</smbconfblock> 3282</example> 3283 3284 3285<example id="sbehap-shareconfa"> 3286<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A</title> 3287<smbconfblock> 3288<smbconfsection name="[accounts]"/> 3289 <smbconfoption name="comment">Accounting Files</smbconfoption> 3290 <smbconfoption name="path">/data/accounts</smbconfoption> 3291 <smbconfoption name="read only">No</smbconfoption> 3292 3293<smbconfsection name="[service]"/> 3294 <smbconfoption name="comment">Financial Services Files</smbconfoption> 3295 <smbconfoption name="path">/data/service</smbconfoption> 3296 <smbconfoption name="read only">No</smbconfoption> 3297 3298<smbconfsection name="[pidata]"/> 3299 <smbconfoption name="comment">Property Insurance Files</smbconfoption> 3300 <smbconfoption name="path">/data/pidata</smbconfoption> 3301 <smbconfoption name="read only">No</smbconfoption> 3302 3303<smbconfsection name="[homes]"/> 3304 <smbconfoption name="comment">Home Directories</smbconfoption> 3305 <smbconfoption name="valid users">%S</smbconfoption> 3306 <smbconfoption name="read only">No</smbconfoption> 3307 <smbconfoption name="browseable">No</smbconfoption> 3308 3309<smbconfsection name="[printers]"/> 3310 <smbconfoption name="comment">SMB Print Spool</smbconfoption> 3311 <smbconfoption name="path">/var/spool/samba</smbconfoption> 3312 <smbconfoption name="guest ok">Yes</smbconfoption> 3313 <smbconfoption name="printable">Yes</smbconfoption> 3314 <smbconfoption name="browseable">No</smbconfoption> 3315</smbconfblock> 3316</example> 3317 3318<example id="sbehap-shareconfb"> 3319<title>LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B</title> 3320<smbconfblock> 3321<smbconfsection name="[apps]"/> 3322 <smbconfoption name="comment">Application Files</smbconfoption> 3323 <smbconfoption name="path">/apps</smbconfoption> 3324 <smbconfoption name="admin users">bjordan</smbconfoption> 3325 <smbconfoption name="read only">No</smbconfoption> 3326 3327<smbconfsection name="[netlogon]"/> 3328 <smbconfoption name="comment">Network Logon Service</smbconfoption> 3329 <smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption> 3330 <smbconfoption name="guest ok">Yes</smbconfoption> 3331 <smbconfoption name="locking">No</smbconfoption> 3332 3333<smbconfsection name="[profiles]"/> 3334 <smbconfoption name="comment">Profile Share</smbconfoption> 3335 <smbconfoption name="path">/var/lib/samba/profiles</smbconfoption> 3336 <smbconfoption name="read only">No</smbconfoption> 3337 <smbconfoption name="profile acls">Yes</smbconfoption> 3338 3339<smbconfsection name="[profdata]"/> 3340 <smbconfoption name="comment">Profile Data Share</smbconfoption> 3341 <smbconfoption name="path">/var/lib/samba/profdata</smbconfoption> 3342 <smbconfoption name="read only">No</smbconfoption> 3343 <smbconfoption name="profile acls">Yes</smbconfoption> 3344 3345<smbconfsection name="[print$]"/> 3346 <smbconfoption name="comment">Printer Drivers</smbconfoption> 3347 <smbconfoption name="path">/var/lib/samba/drivers</smbconfoption> 3348 <smbconfoption name="browseable">yes</smbconfoption> 3349 <smbconfoption name="guest ok">no</smbconfoption> 3350 <smbconfoption name="read only">yes</smbconfoption> 3351 <smbconfoption name="write list">root, chrisr</smbconfoption> 3352</smbconfblock> 3353</example> 3354 3355<example id="sbehap-ldifadd"> 3356<title>LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF</title> 3357<screen> 3358dn: ou=Idmap,dc=abmas,dc=biz 3359objectClass: organizationalUnit 3360ou: idmap 3361structuralObjectClass: organizationalUnit 3362</screen> 3363</example> 3364 3365</sect1> 3366 3367<sect1> 3368 <title>Miscellaneous Server Preparation Tasks</title> 3369 3370 <para> 3371 My father would say, <quote>Dinner is not over until the dishes have been done.</quote> 3372 The makings of a great network environment take a lot of effort and attention to detail. 3373 So far, you have completed most of the complex (and to many administrators, the interesting 3374 part of server configuration) steps, but remember to tie it all together. Here are 3375 a few more steps that must be completed so that your network runs like a well-rehearsed 3376 orchestra. 3377 </para> 3378 3379 <sect2> 3380 <title>Configuring Directory Share Point Roots</title> 3381 3382 <para> 3383 In your &smb.conf; file, you have specified Windows shares. Each has a <parameter>path</parameter> 3384 parameter. Even though it is obvious to all, one of the common Samba networking problems is 3385 caused by forgetting to verify that every such share root directory actually exists and that it 3386 has the necessary permissions and ownership. 3387 </para> 3388 3389 <para> 3390 Here is an example, but remember to create the directory needed for every share: 3391<screen> 3392&rootprompt; mkdir -p /data/{accounts,finsvcs,piops} 3393&rootprompt; mkdir -p /apps 3394&rootprompt; chown -R root:root /data 3395&rootprompt; chown -R root:root /apps 3396&rootprompt; chown -R bobj:Accounts /data/accounts 3397&rootprompt; chown -R bobj:Finances /data/finsvcs 3398&rootprompt; chown -R bobj:PIOps /data/piops 3399&rootprompt; chmod -R ug+rwxs,o-rwx /data 3400&rootprompt; chmod -R ug+rwx,o+rx-w /apps 3401</screen> 3402 </para> 3403 3404 </sect2> 3405 3406 <sect2> 3407 <title>Configuring Profile Directories</title> 3408 3409 <para> 3410 You made a conscious decision to do everything it would take to improve network client 3411 performance. One of your decisions was to implement folder redirection. This means that Windows 3412 user desktop profiles are now made up of two components: a dynamically loaded part and a set of file 3413 network folders. 3414 </para> 3415 3416 <para> 3417 For this arrangement to work, every user needs a directory structure for the network folder 3418 portion of his or her profile as shown here: 3419<screen> 3420&rootprompt; mkdir -p /var/lib/samba/profdata 3421&rootprompt; chown root:root /var/lib/samba/profdata 3422&rootprompt; chmod 755 /var/lib/samba/profdata 3423 3424# Per user structure 3425&rootprompt; cd /var/lib/samba/profdata 3426&rootprompt; mkdir -p <emphasis>username</emphasis> 3427&rootprompt; for i in InternetFiles Cookies History AppData \ 3428 LocalSettings MyPictures MyDocuments Recent 3429&rootprompt; do 3430&rootprompt; mkdir <emphasis>username</emphasis>/$i 3431&rootprompt; done 3432&rootprompt; chown -R <emphasis>username</emphasis>:Domain\ Users <emphasis>username</emphasis> 3433&rootprompt; chmod -R 750 <emphasis>username</emphasis> 3434</screen> 3435 </para> 3436 3437 <para> 3438 <indexterm><primary>roaming profile</primary></indexterm> 3439 <indexterm><primary>mandatory profile</primary></indexterm> 3440 You have three options insofar as the dynamically loaded portion of the roaming profile 3441 is concerned: 3442 </para> 3443 3444 <itemizedlist> 3445 <listitem><para>You may permit the user to obtain a default profile.</para></listitem> 3446 <listitem><para>You can create a mandatory profile.</para></listitem> 3447 <listitem><para>You can create a group profile (which is almost always a mandatory profile).</para></listitem> 3448 </itemizedlist> 3449 3450 <para> 3451 Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory 3452 profile is effected by renaming the <filename>NTUSER.DAT</filename> to <filename>NTUSER.MAN</filename>, 3453 that is, just by changing the filename extension. 3454 </para> 3455 3456 <para> 3457 <indexterm><primary>SRVTOOLS.EXE</primary></indexterm> 3458 <indexterm><primary>Domain User Manager</primary></indexterm> 3459 The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend. 3460 You can manage this using the Idealx smbldap-tools or using the 3461 <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">Windows NT4 Domain User Manager</ulink>. 3462 </para> 3463 3464 <para> 3465 It may not be obvious that you must ensure that the root directory for the user's profile exists 3466 and has the needed permissions. Use the following commands to create this directory: 3467<screen> 3468&rootprompt; mkdir -p /var/lib/samba/profiles/<emphasis>username</emphasis> 3469&rootprompt; chown <emphasis>username</emphasis>:Domain\ Users 3470 /var/lib/samba/profiles/<emphasis>username</emphasis> 3471&rootprompt; chmod 700 /var/lib/samba/profiles/<emphasis>username</emphasis> 3472</screen> 3473 </para> 3474 3475 </sect2> 3476 3477 <sect2> 3478 <title>Preparation of Logon Scripts</title> 3479 3480 <para> 3481 <indexterm><primary>logon script</primary></indexterm> 3482 The use of a logon script with Windows XP Professional is an option that every site should consider. 3483 Unless you have locked down the desktop so the user cannot change anything, there is risk that 3484 a vital network drive setting may be broken or that printer connections may be lost. Logon scripts 3485 can help to restore persistent network folder (drive) and printer connections in a predictable 3486 manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook) 3487 user attaches to another company's network that forces environment changes that are alien to your 3488 network. 3489 </para> 3490 3491 <para> 3492 If you decide to use network logon scripts, by reference to the &smb.conf; files for the domain 3493 controllers, you see that the path to the share point for the <constant>NETLOGON</constant> 3494 share defined is <filename>/var/lib/samba/netlogon</filename>. The path defined for the logon 3495 script inside that share is <filename>scripts\logon.bat</filename>. This means that as a Windows 3496 NT/200x/XP client logs onto the network, it tries to obtain the file <filename>logon.bat</filename> 3497 from the fully qualified path <filename>/var/lib/samba/netlogon/scripts</filename>. This fully 3498 qualified path should therefore exist whether you install the <filename>logon.bat</filename>. 3499 </para> 3500 3501 <para> 3502 You can, of course, create the fully qualified path by executing: 3503<screen> 3504&rootprompt; mkdir -p /var/lib/samba/netlogon/scripts 3505</screen> 3506 </para> 3507 3508 <para> 3509 You should research the options for logon script implementation by referring to <emphasis>TOSHARG2</emphasis>, Chapter 24, 3510 Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon 3511 facilities in use today is called <ulink url="http://www.kixtart.org">KiXtart</ulink>. 3512 </para> 3513 3514 </sect2> 3515 3516 <sect2> 3517 <title>Assigning User Rights and Privileges</title> 3518 3519 <para> 3520 The ability to perform tasks such as joining Windows clients to the domain can be assigned to 3521 normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX 3522 systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant 3523 this privilege in a very limited fashion to particular accounts. 3524 </para> 3525 3526 <para> 3527 By default, even Samba-3.0.11 does not grant any rights even to the <constant>Domain Admins</constant> 3528 group. Here we grant this group all privileges. 3529 </para> 3530 3531 <para> 3532 Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who 3533 are granted rights can be restricted to particular machines. It is left to the network administrator 3534 to determine which rights should be provided and to whom. 3535 </para> 3536 3537 <procedure> 3538 <title>Steps for Assignment of User Rights and Privileges</title> 3539 3540 <step><para> 3541 Log onto the PDC as the <constant>root</constant> account. 3542 </para></step> 3543 3544 <step><para> 3545 Execute the following command to grant the <constant>Domain Admins</constant> group all 3546 rights and privileges: 3547<screen> 3548&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \ 3549 "MEGANET2\Domain Admins" SeMachineAccountPrivilege \ 3550 SePrintOperatorPrivilege SeAddUsersPrivilege \ 3551 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege 3552Successfully granted rights. 3553</screen> 3554 Repeat this step on each domain controller, in each case substituting the name of the server 3555 (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE. 3556 </para></step> 3557 3558 <step><para> 3559 In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations 3560 to the domain. Execute the following only on the PDC. It is not necessary to do this on 3561 BDCs or on DMS machines because machine accounts are only ever added by the PDC: 3562<screen> 3563&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \ 3564 "MEGANET2\bobj" SeMachineAccountPrivilege 3565Successfully granted rights. 3566</screen> 3567 </para></step> 3568 3569 <step><para> 3570 Verify that privilege assignments have been correctly applied by executing: 3571<screen> 3572net rpc rights list accounts -Uroot%not24get 3573MEGANET2\bobj 3574SeMachineAccountPrivilege 3575 3576S-0-0 3577No privileges assigned 3578 3579BUILTIN\Print Operators 3580No privileges assigned 3581 3582BUILTIN\Account Operators 3583No privileges assigned 3584 3585BUILTIN\Backup Operators 3586No privileges assigned 3587 3588BUILTIN\Server Operators 3589No privileges assigned 3590 3591BUILTIN\Administrators 3592No privileges assigned 3593 3594Everyone 3595No privileges assigned 3596 3597MEGANET2\Domain Admins 3598SeMachineAccountPrivilege 3599SePrintOperatorPrivilege 3600SeAddUsersPrivilege 3601SeRemoteShutdownPrivilege 3602SeDiskOperatorPrivilege 3603</screen> 3604 </para></step> 3605 3606 </procedure> 3607 3608 </sect2> 3609 3610</sect1> 3611 3612<sect1> 3613 <title>Windows Client Configuration</title> 3614 3615 <para> 3616 <indexterm><primary>NETLOGON</primary></indexterm> 3617 In the next few sections, you can configure a new Windows XP Professional disk image on a staging 3618 machine. You will configure all software, printer settings, profile and policy handling, and desktop 3619 default profile settings on this system. When it is complete, you copy the contents of the 3620 <filename>C:\Documents and Settings\Default User</filename> directory to a directory with the same 3621 name in the <constant>NETLOGON</constant> share on the domain controllers. 3622 </para> 3623 3624 <para> 3625 Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. 3626 One knowledge-base article in particular stands out: 3627 "<ulink url="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475">How to Create a 3628 Base Profile for All Users."</ulink> 3629 3630 </para> 3631 3632 <sect2 id="redirfold"> 3633 <title>Configuration of Default Profile with Folder Redirection</title> 3634 3635 <para> 3636 <indexterm><primary>folder redirection</primary></indexterm> 3637 Log onto the Windows XP Professional workstation as the local <constant>Administrator</constant>. 3638 It is necessary to expose folders that are generally hidden to provide access to the 3639 <constant>Default User</constant> folder. 3640 </para> 3641 3642 <procedure> 3643 <title>Expose Hidden Folders</title> 3644 3645 <step><para> 3646 Launch the Windows Explorer by clicking 3647 <menuchoice> 3648 <guimenu>Start</guimenu> 3649 <guimenuitem>My Computer</guimenuitem> 3650 <guimenuitem>Tools</guimenuitem> 3651 <guimenuitem>Folder Options</guimenuitem> 3652 <guimenuitem>View Tab</guimenuitem> 3653 </menuchoice>. 3654 Select <guilabel>Show hidden files and folders</guilabel>, 3655 and click <guibutton>OK</guibutton>. Exit Windows Explorer. 3656 </para></step> 3657 3658 <step><para> 3659 <indexterm><primary>regedt32</primary></indexterm> 3660 Launch the Registry Editor. Click 3661 <menuchoice> 3662 <guimenu>Start</guimenu> 3663 <guimenuitem>Run</guimenuitem> 3664 </menuchoice>. Key in <command>regedt32</command>, and click 3665 <guibutton>OK</guibutton>. 3666 </para></step> 3667 3668 </procedure> 3669 3670 <para> 3671 </para> 3672 3673 <procedure id="sbehap-rdrfldr"> 3674 <title>Redirect Folders in Default System User Profile</title> 3675 3676 <step><para> 3677 <indexterm><primary>HKEY_LOCAL_MACHINE</primary></indexterm> 3678 <indexterm><primary>Default User</primary></indexterm> 3679 Give focus to <constant>HKEY_LOCAL_MACHINE</constant> hive entry in the left panel. 3680 Click <menuchoice> 3681 <guimenu>File</guimenu> 3682 <guimenuitem>Load Hive...</guimenuitem> 3683 <guimenuitem>Documents and Settings</guimenuitem> 3684 <guimenuitem>Default User</guimenuitem> 3685 <guimenuitem>NTUSER</guimenuitem> 3686 <guimenuitem>Open</guimenuitem> 3687 </menuchoice>. In the dialog box that opens, enter the key name 3688 <constant>Default</constant> and click <guibutton>OK</guibutton>. 3689 </para></step> 3690 3691 <step><para> 3692 Browse inside the newly loaded Default folder to: 3693<screen> 3694HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ 3695 CurrentVersion\Explorer\User Shell Folders\ 3696</screen> 3697 The right panel reveals the contents as shown in <link linkend="XP-screen001"/>. 3698 </para></step> 3699 3700 <step><para> 3701 <indexterm><primary>%USERPROFILE%</primary></indexterm> 3702 <indexterm><primary>%LOGONSERVER%</primary></indexterm> 3703 You edit hive keys. Acceptable values to replace the 3704 <constant>%USERPROFILE%</constant> variable includes: 3705 3706 <itemizedlist> 3707 <listitem><para>A drive letter such as <constant>U:</constant></para></listitem> 3708 <listitem><para>A direct network path such as 3709 <constant>\\MASSIVE\profdata</constant></para></listitem> 3710 <listitem><para>A network redirection (UNC name) that contains a macro such as </para> 3711 <para><constant>%LOGONSERVER%\profdata\</constant></para></listitem> 3712 </itemizedlist> 3713 </para></step> 3714 3715 <step><para> 3716 <indexterm><primary>registry keys</primary></indexterm> 3717 Set the registry keys as shown in <link linkend="proffold"/>. Your implementation makes the assumption 3718 that users have statically located machines. Notebook computers (mobile users) need to be 3719 accommodated using local profiles. This is not an uncommon assumption. 3720 </para></step> 3721 3722 <step><para> 3723 Click back to the root of the loaded hive <constant>Default</constant>. 3724 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Unload Hive...</guimenuitem> 3725 <guimenuitem>Yes</guimenuitem></menuchoice>. 3726 </para></step> 3727 3728 <step><para> 3729 <indexterm><primary>Registry Editor</primary></indexterm> 3730 Click <menuchoice><guimenu>File</guimenu><guimenuitem>Exit</guimenuitem></menuchoice>. This exits the 3731 Registry Editor. 3732 </para></step> 3733 3734 <step><para> 3735 Now follow the procedure given in <link linkend="sbehap-locgrppol"/>. Make sure that each folder you 3736 have redirected is in the exclusion list. 3737 </para></step> 3738 3739 <step><para> 3740 You are now ready to copy<footnote><para> 3741 There is an alternate method by which a default user profile can be added to the 3742 <constant>NETLOGON</constant> share. This facility in the Windows System tool 3743 permits profiles to be exported. The export target may be a particular user or 3744 group profile share point or else the <constant>NETLOGON</constant> share. 3745 In this case, the profile directory must be named <constant>Default User</constant>. 3746 </para></footnote> 3747 the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer, 3748 and use it to copy the full contents of the directory <filename>Default User</filename> that 3749 is in the <filename>C:\Documents and Settings</filename> to the root directory of the 3750 <constant>NETLOGON</constant> share. If the <constant>NETLOGON</constant> share has the defined 3751 UNIX path of <filename>/var/lib/samba/netlogon</filename>, when the copy is complete there must 3752 be a directory in there called <filename>Default User</filename>. 3753 </para></step> 3754 3755 </procedure> 3756 3757 <para> 3758 Before punching out new desktop images for the client workstations, it is perhaps a good idea that 3759 desktop behavior should be returned to the original Microsoft settings. The following steps achieve 3760 that ojective: 3761 </para> 3762 3763 <procedure> 3764 <title>Reset Folder Display to Original Behavior</title> 3765 3766 <step><para> 3767 To launch the Windows Explorer, click 3768 <menuchoice> 3769 <guimenu>Start</guimenu> 3770 <guimenuitem>My Computer</guimenuitem> 3771 <guimenuitem>Tools</guimenuitem> 3772 <guimenuitem>Folder Options</guimenuitem> 3773 <guimenuitem>View Tab</guimenuitem> 3774 </menuchoice>. 3775 Deselect <guilabel>Show hidden files and folders</guilabel>, and click <guibutton>OK</guibutton>. 3776 Exit Windows Explorer. 3777 </para></step> 3778 3779 </procedure> 3780 3781 <figure id="XP-screen001"> 3782 <title>Windows XP Professional &smbmdash; User Shared Folders</title> 3783 <imagefile scale="65">XP-screen001</imagefile> 3784 </figure> 3785 3786<table id="proffold"> 3787 <title>Default Profile Redirections</title> 3788 <tgroup cols="2"> 3789 <colspec align="left"/> 3790 <colspec align="left"/> 3791 <thead> 3792 <row> 3793 <entry>Registry Key</entry> 3794 <entry>Redirected Value</entry> 3795 </row> 3796 </thead> 3797 <tbody> 3798 <row> 3799 <entry>Cache</entry> 3800 <entry>%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</entry> 3801 </row> 3802 <row> 3803 <entry>Cookies</entry> 3804 <entry>%LOGONSERVER%\profdata\%USERNAME%\Cookies</entry> 3805 </row> 3806 <row> 3807 <entry>History</entry> 3808 <entry>%LOGONSERVER%\profdata\%USERNAME%\History</entry> 3809 </row> 3810 <row> 3811 <entry>Local AppData</entry> 3812 <entry>%LOGONSERVER%\profdata\%USERNAME%\AppData</entry> 3813 </row> 3814 <row> 3815 <entry>Local Settings</entry> 3816 <entry>%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</entry> 3817 </row> 3818 <row> 3819 <entry>My Pictures</entry> 3820 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyPictures</entry> 3821 </row> 3822 <row> 3823 <entry>Personal</entry> 3824 <entry>%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</entry> 3825 </row> 3826 <row> 3827 <entry>Recent</entry> 3828 <entry>%LOGONSERVER%\profdata\%USERNAME%\Recent</entry> 3829 </row> 3830 </tbody> 3831 </tgroup> 3832</table> 3833 3834 </sect2> 3835 3836 <sect2> 3837 <title>Configuration of MS Outlook to Relocate PST File</title> 3838 3839 <para> 3840 <indexterm><primary>Outlook</primary><secondary>PST</secondary></indexterm> 3841 <indexterm><primary>MS Outlook</primary><secondary>PST</secondary></indexterm> 3842 Microsoft Outlook can store a Personal Storage file, generally known as a PST file. 3843 It is the nature of email storage that this file grows, at times quite rapidly. 3844 So that users' email is available to them at every workstation they may log onto, 3845 it is common practice in well-controlled sites to redirect the PST folder to the 3846 users' home directory. Follow these steps for each user who wishes to do this. 3847 </para> 3848 3849 <para> 3850 To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave 3851 slightly differently), follow these steps: 3852 </para> 3853 3854 <procedure> 3855 <title>Outlook PST File Relocation</title> 3856 3857 <step><para> 3858 Close Outlook if it is open. 3859 </para></step> 3860 3861 <step><para> 3862 From the <guimenu>Control Panel</guimenu>, launch the Mail icon. 3863 </para></step> 3864 3865 <step><para> 3866 Click <guimenu>Email Accounts.</guimenu> 3867 </para></step> 3868 3869 <step><para> 3870 Make a note of the location of the PST file(s). From this location, move 3871 the files to the desired new target location. The most desired new target location 3872 may well be the users' home directory. 3873 </para></step> 3874 3875 <step><para> 3876 Add a new data file, selecting the PST file in the new desired target location. 3877 Give this entry (not the filename) a new name such as <quote>Personal Mail Folders.</quote> 3878 </para> 3879 3880 <para> 3881 Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems 3882 following these instructions. Feedback from users suggests that where IMAP is used the PST 3883 file is used to store rules and filters. When the PST store is relocated it appears to break 3884 MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is 3885 used please email <literal>jht@samba.org</literal> with useful tips and suggestions so that 3886 this warning can be removed or modified. 3887 </para></step> 3888 3889 <step><para> 3890 Close the <guimenu>Date Files</guimenu> windows, then click <guimenu>Email Accounts</guimenu>. 3891 </para></step> 3892 3893 <step><para> 3894 Select <guimenu>View of Change</guimenu> exiting email accounts, click <guibutton>Next.</guibutton> 3895 </para></step> 3896 3897 <step><para> 3898 Change the <guimenu>Mail Delivery Location</guimenu> so as to use the data file in the new 3899 target location. 3900 </para></step> 3901 3902 <step><para> 3903 Go back to the <guimenu>Data Files</guimenu> window, then delete the old data file entry. 3904 </para></step> 3905 3906 </procedure> 3907 3908 <note><para> 3909 <indexterm><primary>Outlook Address Book</primary></indexterm> 3910 You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise 3911 the user may be not be able to retrieve contacts when addressing a new email message. 3912 </para></note> 3913 3914 <note><para> 3915 <indexterm><primary>Outlook Express</primary></indexterm> 3916 Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook 3917 Express storage files can not be redirected to network shares. The options panel will not permit 3918 this, but they can be moved to folders outside of the user's profile. They can also be excluded 3919 from folder synchronization as part of the roaming profile. 3920 </para> 3921 3922 <para> 3923 While it is possible to redirect the data stores for Outlook Express data stores by editing the 3924 registry, experience has shown that data corruption and loss of email messages will result. 3925 </para> 3926 3927 <para> 3928 <indexterm><primary>Outlook Express</primary></indexterm> 3929 <indexterm><primary>MS Outlook</primary></indexterm> 3930 In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with 3931 roaming profiles this can result in excruciatingly long login and logout behavior will files are 3932 synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming 3933 profiles are used. 3934 </para></note> 3935 3936 <para> 3937 <indexterm><primary>PST file</primary></indexterm> 3938 Microsoft does not support storing PST files on network shares, although the practice does appear 3939 to be rather popular. Anyone who does relocation the PST file to a network resource should refer 3940 the Microsoft <ulink url="http://support.microsoft.com/kb/297019/">reference</ulink> to better 3941 understand the issues. 3942 </para> 3943 3944 <para> 3945 <indexterm><primary>PST file</primary></indexterm> 3946 Apart from manually moving PST files to a network share, it is possible to set the default PST 3947 location for new accounts by following the instructions at the WindowsITPro <ulink 3948 url="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html">web</ulink> site. 3949 </para> 3950 3951 <para> 3952 <indexterm><primary>PST file</primary></indexterm> 3953 User feedback suggests that disabling of oplocks on PST files will significantly improve 3954 network performance by reducing locking overheads. One way this can be done is to add to the 3955 &smb.conf; file stanza for the share the PST file the following: 3956<screen> 3957veto oplock files = /*.pdf/*.PST/ 3958</screen> 3959 </para> 3960 3961 </sect2> 3962 3963 <sect2> 3964 <title>Configure Delete Cached Profiles on Logout</title> 3965 3966 <para> 3967 Configure the Windows XP Professional client to auto-delete roaming profiles on logout: 3968 </para> 3969 3970 <para> 3971 <indexterm><primary>MMC</primary></indexterm> 3972 Click 3973 <menuchoice> 3974 <guimenu>Start</guimenu> 3975 <guimenuitem>Run</guimenuitem> 3976 </menuchoice>. In the dialog box, enter <command>MMC</command> and click <guibutton>OK</guibutton>. 3977 </para> 3978 3979 <para> 3980 Follow these steps to set the default behavior of the staging machine so that all roaming 3981 profiles are deleted as network users log out of the system. Click 3982 <menuchoice> 3983 <guimenu>File</guimenu> 3984 <guimenuitem>Add/Remove Snap-in</guimenuitem> 3985 <guimenuitem>Add</guimenuitem> 3986 <guimenuitem>Group Policy</guimenuitem> 3987 <guimenuitem>Add</guimenuitem> 3988 <guimenuitem>Finish</guimenuitem> 3989 <guimenuitem>Close</guimenuitem> 3990 <guimenuitem>OK</guimenuitem> 3991 </menuchoice>. 3992 </para> 3993 3994 <para> 3995 <indexterm><primary>Microsoft Management Console</primary><see>MMC</see></indexterm> 3996 The Microsoft Management Console now shows the <guimenu>Group Policy</guimenu> 3997 utility that enables you to set the policies needed. In the left panel, click 3998 <menuchoice> 3999 <guimenuitem>Local Computer Policy</guimenuitem> 4000 <guimenuitem>Administrative Templates</guimenuitem> 4001 <guimenuitem>System</guimenuitem> 4002 <guimenuitem>User Profiles</guimenuitem> 4003 </menuchoice>. In the right panel, set the properties shown here by double-clicking on each 4004 item as shown: 4005 </para> 4006 4007 <itemizedlist> 4008 <listitem><para>Do not check for user ownership of Roaming Profile Folders = Enabled</para></listitem> 4009 <listitem><para>Delete cached copies of roaming profiles = Enabled</para></listitem> 4010 </itemizedlist> 4011 4012 <para> 4013 Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies 4014 made of this system to deploy the new standard desktop system. 4015 </para> 4016 4017 </sect2> 4018 4019 <sect2> 4020 <title>Uploading Printer Drivers to Samba Servers</title> 4021 4022 <para> 4023 <indexterm><primary>printing</primary><secondary>drag-and-drop</secondary></indexterm> 4024 Users want to be able to use network printers. You have a vested interest in making 4025 it easy for them to print. You have chosen to install the printer drivers onto the Samba 4026 servers and to enable point-and-click (drag-and-drop) printing. This process results in 4027 Samba being able to automatically provide the Windows client with the driver necessary to 4028 print to the printer chosen. The following procedure must be followed for every network 4029 printer: 4030 </para> 4031 4032 <procedure> 4033 <title>Steps to Install Printer Drivers on the Samba Servers</title> 4034 4035 <step><para> 4036 Join your Windows XP Professional workstation (the staging machine) to the 4037 <constant>MEGANET2</constant> domain. If you are not sure of the procedure, 4038 follow the guidance given in <link linkend="appendix"/>, <link linkend="domjoin"/>. 4039 </para></step> 4040 4041 <step><para> 4042 After the machine has rebooted, log onto the workstation as the domain 4043 <constant>root</constant> (this is the Administrator account for the 4044 operating system that is the host platform for this implementation of Samba. 4045 </para></step> 4046 4047 <step><para> 4048 Launch MS Windows Explorer. Navigate in the left panel. Click 4049 <menuchoice> 4050 <guimenu>My Network Places</guimenu> 4051 <guimenuitem>Entire Network</guimenuitem> 4052 <guimenuitem>Microsoft Windows Network</guimenuitem> 4053 <guimenuitem>Meganet2</guimenuitem> 4054 <guimenuitem>Massive</guimenuitem> 4055 </menuchoice>. Click on <guimenu>Massive</guimenu> 4056 <guimenu>Printers and Faxes</guimenu>. 4057 </para></step> 4058 4059 <step><para> 4060 Identify a printer that is shown in the right panel. Let us assume the printer is called 4061 <constant>ps01-color</constant>. Right-click on the <guimenu>ps01-color</guimenu> icon 4062 and select the <guimenu>Properties</guimenu> entry. This opens a dialog box that indicates 4063 that <quote>The printer driver is not installed on this computer. Some printer properties 4064 will not be accessible unless you install the printer driver. Do you want to install the 4065 driver now?</quote> It is important at this point you answer <guimenu>No</guimenu>. 4066 </para></step> 4067 4068 <step><para> 4069 The printer properties panel for the <guimenu>ps01-color</guimenu> printer on the server 4070 <constant>MASSIVE</constant> is displayed. Click the <guimenu>Advanced</guimenu> tab. 4071 Note that the box labeled <guimenu>Driver</guimenu> is empty. Click the <guimenu>New Driver</guimenu> 4072 button that is next to the <guimenu>Driver</guimenu> box. This launches the <quote>Add Printer Wizard</quote>. 4073 </para></step> 4074 4075 <step><para> 4076 <indexterm><primary>Add Printer Wizard</primary><secondary>APW</secondary></indexterm> 4077 <indexterm><primary>APW</primary></indexterm> 4078 The <quote>Add Printer Driver Wizard on <constant>MASSIVE</constant></quote> panel 4079 is now presented. Click <guimenu>Next</guimenu> to continue. From the left panel, select the 4080 printer manufacturer. In your case, you are adding a driver for a printer manufactured by 4081 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click 4082 <guimenu>Next</guimenu>, and then <guimenu>Finish</guimenu> to commence driver upload. A 4083 progress bar appears and instructs you as each file is being uploaded and that it is being 4084 directed at the network server <constant>\\massive\ps01-color</constant>. 4085 </para></step> 4086 4087 <step><para> 4088 <indexterm><primary>printers</primary><secondary>Advanced</secondary></indexterm> 4089 <indexterm><primary>printers</primary><secondary>Properties</secondary></indexterm> 4090 <indexterm><primary>printers</primary><secondary>Sharing</secondary></indexterm> 4091 <indexterm><primary>printers</primary><secondary>General</secondary></indexterm> 4092 <indexterm><primary>printers</primary><secondary>Security</secondary></indexterm> 4093 <indexterm><primary>AD printer publishing</primary></indexterm> 4094 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, 4095 you are returned to the <guimenu>Advanced</guimenu> tab in the <guimenu>Properties</guimenu> panel. 4096 You can set the Location (under the <guimenu>General</guimenu> tab) and Security settings (under 4097 the <guimenu>Security</guimenu> tab). Under the <guimenu>Sharing</guimenu> tab it is possible to 4098 load additional printer drivers; there is also a check-box in this tab called <quote>List in the 4099 directory</quote>. When this box is checked, the printer will be published in Active Directory 4100 (Applicable to Active Directory use only.) 4101 </para></step> 4102 4103 <step><para> 4104 <indexterm><primary>printers</primary><secondary>Default Settings</secondary></indexterm> 4105 Click <guimenu>OK</guimenu>. It will take a minute or so to upload the settings to the server. 4106 You are now returned to the <guimenu>Printers and Faxes on Massive</guimenu> monitor. 4107 Right-click on the printer, click <menuchoice><guimenu>Properties</guimenu> 4108 <guimenuitem>Device Settings</guimenuitem> </menuchoice>. Now change the settings to suit 4109 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if 4110 you need to reverse the changes back to their original settings. 4111 </para></step> 4112 4113 <step><para> 4114 This is necessary so that the printer settings are initialized in the Samba printers 4115 database. Click <guimenu>Apply</guimenu> to commit your settings. Revert any settings you changed 4116 just to initialize the Samba printers database entry for this printer. If you need to revert a setting, 4117 click <guimenu>Apply</guimenu> again. 4118 </para></step> 4119 4120 <step><para> 4121 <indexterm><primary>Print Test Page</primary></indexterm> 4122 Verify that all printer settings are at the desired configuration. When you are satisfied that they are, 4123 click the <guimenu>General</guimenu> tab. Now click the <guimenu>Print Test Page</guimenu> button. 4124 A test page should print. Verify that it has printed correctly. Then click <guimenu>OK</guimenu> 4125 in the panel that is newly presented. Click <guimenu>OK</guimenu> on the <guimenu>ps01-color on 4126 massive Properties</guimenu> panel. 4127 </para></step> 4128 4129 <step><para> 4130 You must repeat this process for all network printers (i.e., for every printer on each server). 4131 When you have finished uploading drivers to all printers, close all applications. The next task 4132 is to install software your users require to do their work. 4133 </para></step> 4134 4135 </procedure> 4136 4137 </sect2> 4138 4139 <sect2> 4140 <title>Software Installation</title> 4141 4142 <para> 4143 Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is 4144 a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. 4145 Notebooks require special handling that is beyond the scope of this chapter. 4146 </para> 4147 4148 <para> 4149 For desktop systems, the installation of software onto administratively centralized application servers 4150 make a lot of sense. This means that you can manage software maintenance from a central 4151 perspective and that only minimal application stubware needs to be installed onto the desktop 4152 systems. You should proceed with software installation and default configuration as far as is humanly 4153 possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect 4154 of software operations and configuration. 4155 </para> 4156 4157 <para> 4158 When you believe that the overall configuration is complete, be sure to create a shared group profile 4159 and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in 4160 case a user may have specific needs you had not anticipated. 4161 </para> 4162 4163 </sect2> 4164 4165 <sect2> 4166 <title>Roll-out Image Creation</title> 4167 4168 <para> 4169 The final steps before preparing the distribution Norton Ghost image file you might follow are: 4170 </para> 4171 4172 <blockquote><para> 4173 Unjoin the domain &smbmdash; Each workstation requires a unique name and must be independently 4174 joined into domain membership. 4175 </para></blockquote> 4176 4177 <blockquote><para> 4178 Defragment the hard disk &smbmdash; While not obvious to the uninitiated, defragmentation results 4179 in better performance and often significantly reduces the size of the compressed disk image. That 4180 also means it will take less time to deploy the image onto 500 workstations. 4181 </para></blockquote> 4182 4183 </sect2> 4184 4185</sect1> 4186 4187<sect1> 4188 <title>Key Points Learned</title> 4189 4190 <para> 4191 This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately 4192 avoided any consideration of security. Security does not just happen; you must design it into your total 4193 network. Security begins with a systems design and implementation that anticipates hostile behavior from 4194 users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; 4195 they accept them as challenges. For that reason, if not simply from a desire to establish safe networking 4196 practices, you must not deploy the design presented in this book in an environment where there is risk 4197 of compromise. 4198 </para> 4199 4200 <para> 4201 <indexterm><primary>Access Control Lists</primary><see>ACLs</see></indexterm> 4202 <indexterm><primary>ACLs</primary></indexterm> 4203 As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be 4204 configured to use secure protocols for all communications over the network. Of course, secure networking 4205 does not result just from systems design and implementation but involves constant user education 4206 training and, above all, disciplined attention to detail and constant searching for signs of unfriendly 4207 or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. 4208 Jerry Carter's book <ulink url="http://www.booksense.com/product/info.jsp&isbn=1565924916"> 4209 <emphasis>LDAP System Administration</emphasis></ulink> is a good place to start reading about OpenLDAP 4210 as well as security considerations. 4211 </para> 4212 4213 <para> 4214 The substance of this chapter that has been deserving of particular attention includes: 4215 </para> 4216 4217 <itemizedlist> 4218 <listitem><para> 4219 Implementation of an OpenLDAP-based passwd backend, necessary to support distributed 4220 domain control. 4221 </para></listitem> 4222 4223 <listitem><para> 4224 Implementation of Samba primary and secondary domain controllers with a common LDAP backend 4225 for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and 4226 pam_ldap tool-sets. 4227 </para></listitem> 4228 4229 <listitem><para> 4230 Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as 4231 to manage Samba Windows user and group accounts. 4232 </para></listitem> 4233 4234 <listitem><para> 4235 The basics of implementation of Group Policy controls for Windows network clients. 4236 </para></listitem> 4237 4238 <listitem><para> 4239 Control over roaming profiles, with particular focus on folder redirection to network drives. 4240 </para></listitem> 4241 4242 <listitem><para> 4243 Use of the CUPS printing system together with Samba-based printer driver auto-download. 4244 </para></listitem> 4245 </itemizedlist> 4246 4247</sect1> 4248 4249 4250<sect1> 4251 <title>Questions and Answers</title> 4252 4253 <para> 4254 Well, here we are at the end of this chapter and we have only ten questions to help you to 4255 remember so much. There are bound to be some sticky issues here. 4256 </para> 4257 4258 <qandaset defaultlabel="chap06qa" type="number"> 4259 <qandaentry> 4260 <question> 4261 4262 <para> 4263 Why did you not cover secure practices? Isn't it rather irresponsible to instruct 4264 network administrators to implement insecure solutions? 4265 </para> 4266 4267 </question> 4268 <answer> 4269 4270 <para> 4271 Let's get this right. This is a book about Samba, not about OpenLDAP and secure 4272 communication protocols for subjects other than Samba. Earlier on, you note, 4273 that the dynamic DNS and DHCP solutions also used no protective secure communications 4274 protocols. The reason for this is simple: There are so many ways of implementing 4275 secure protocols that this book would have been even larger and more complex. 4276 </para> 4277 4278 <para> 4279 The solutions presented here all work (at least they did for me). Network administrators 4280 have the interest and the need to be better trained and instructed in secure networking 4281 practices and ought to implement safe systems. I made the decision, right or wrong, 4282 to keep this material as simple as possible. The intent of this book is to demonstrate 4283 a working solution and not to discuss too many peripheral issues. 4284 </para> 4285 4286 <para> 4287 This book makes little mention of backup techniques. Does that mean that I am recommending 4288 that you should implement a network without provision for data recovery and for disaster 4289 management? Back to our focus: The deployment of Samba has been clearly demonstrated. 4290 </para> 4291 4292 </answer> 4293 </qandaentry> 4294 4295 <qandaentry> 4296 <question> 4297 4298 <para> 4299 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do 4300 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant 4301 to the Linux I might be using? 4302 </para> 4303 4304 </question> 4305 <answer> 4306 4307 <para> 4308 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications 4309 for a standard Linux distribution. The differences are marginal. Surely you know 4310 your Linux platform, and you do have access to administration manuals for it. This 4311 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on 4312 the Samba part of the book; all the other bits are peripheral (but important) to 4313 creation of a total network solution. 4314 </para> 4315 4316 <para> 4317 What I find interesting is the attention reviewers give to Linux installation and to 4318 the look and feel of the desktop, but does that make for a great server? In this book, 4319 I have paid particular attention to the details of creating a whole solution framework. 4320 I have not tightened every nut and bolt, but I have touched on all the issues you 4321 need to be familiar with. Over the years many people have approached me wanting to 4322 know the details of exactly how to implement a DHCP and dynamic DNS server with Samba 4323 and WINS. In this chapter, it is plain to see what needs to be configured to provide 4324 transparent interoperability. Likewise for CUPS and Samba interoperation. These are 4325 key stumbling areas for many people. 4326 </para> 4327 4328 <para> 4329 At every critical junction, I have provided comparative guidance for both SUSE and 4330 Red Hat Linux. Both manufacturers have done a great job in furthering the cause 4331 of open source software. I favor neither and respect both. I like particular 4332 features of both products (companies also). No bias in presentation is intended. 4333 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. 4334 </para> 4335 4336 </answer> 4337 </qandaentry> 4338 4339 <qandaentry> 4340 <question> 4341 4342 <para> 4343 You did not use SWAT to configure Samba. Is there something wrong with it? 4344 </para> 4345 4346 </question> 4347 <answer> 4348 4349 <para> 4350 That is a good question. As it is, the &smb.conf; file configurations are presented 4351 in as direct a format as possible. Adding SWAT into the equation would have complicated 4352 matters. I sought simplicity of implementation. The fact is that I did use SWAT to 4353 create the files in the first place. 4354 </para> 4355 4356 <para> 4357 There are people in the Linux and open source community who feel that SWAT is dangerous 4358 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I 4359 hope to have brought their interests on board. SWAT is well covered is <emphasis>TOSHARG2</emphasis>. 4360 </para> 4361 4362 </answer> 4363 </qandaentry> 4364 4365 <qandaentry> 4366 <question> 4367 4368 <para> 4369 You have exposed a well-used password <emphasis>not24get</emphasis>. Is that 4370 not irresponsible? 4371 </para> 4372 4373 </question> 4374 <answer> 4375 4376 <para> 4377 Well, I had to use a password of some sort. At least this one has been consistently 4378 used throughout. I guess you can figure out that in a real deployment it would make 4379 sense to use a more secure and original password. 4380 </para> 4381 4382 </answer> 4383 </qandaentry> 4384 4385 <qandaentry> 4386 <question> 4387 4388 <para> 4389 The Idealx smbldap-tools create many domain group accounts that are not used. Is that 4390 a good thing? 4391 </para> 4392 4393 </question> 4394 <answer> 4395 4396 <para> 4397 I took this up with Idealx and found them most willing to change that in the next version. 4398 Let's give Idealx some credit for the contribution they have made. I appreciate their work 4399 and, besides, it does no harm to create accounts that are not now used &smbmdash; at some time 4400 Samba may well use them. 4401 </para> 4402 4403 </answer> 4404 </qandaentry> 4405 4406 <qandaentry> 4407 <question> 4408 4409 <para> 4410 Can I use LDAP just for Samba accounts and not for UNIX system accounts? 4411 </para> 4412 4413 </question> 4414 <answer> 4415 4416 <para> 4417 Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) 4418 group account for every Windows domain group account. But if you put your users into 4419 the system password account, how do you plan to keep all domain controller system 4420 password files in sync? I think that having everything in LDAP makes a lot of sense 4421 for the UNIX administrator who is still learning the craft and is migrating from MS Windows. 4422 </para> 4423 4424 </answer> 4425 </qandaentry> 4426 4427 <qandaentry> 4428 <question> 4429 4430 <para> 4431 Why are the Windows domain RID portions not the same as the UNIX UID? 4432 </para> 4433 4434 </question> 4435 <answer> 4436 4437 <para> 4438 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. 4439 This algorithm ought to ensure that there will be no clashes with well-known RIDs. 4440 Well-known RIDs have special significance to MS Windows clients. The automatic 4441 assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does 4442 permit you to override that to some extent. See the &smb.conf; man page entry 4443 for <parameter>algorithmic rid base</parameter>. 4444 </para> 4445 4446 </answer> 4447 </qandaentry> 4448 4449 <qandaentry> 4450 <question> 4451 4452 <para> 4453 Printer configuration examples all show printing to the HP port 9100. Does this 4454 mean that I must have HP printers for these solutions to work? 4455 </para> 4456 4457 </question> 4458 <answer> 4459 4460 <para> 4461 No. You can use any type of printer and must use the interfacing protocol supported 4462 by the printer. Many networks use LPR/LPD print servers to which are attached 4463 PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached 4464 inkjet printer. Use the appropriate device URI (Universal Resource Interface) 4465 argument to the <constant>lpadmin -v</constant> option that is right for your 4466 printer. 4467 </para> 4468 4469 </answer> 4470 </qandaentry> 4471 4472 <qandaentry> 4473 <question> 4474 4475 <para> 4476 Is folder redirection dangerous? I've heard that you can lose your data that way. 4477 </para> 4478 4479 </question> 4480 <answer> 4481 4482 <para> 4483 The only loss of data I know of that involved folder redirection was caused by 4484 manual misuse of the redirection tool. The administrator redirected a folder to 4485 a network drive and said he wanted to migrate (move) the data over. Then he 4486 changed his mind, so he moved the folder back to the roaming profile. This time, 4487 he declined to move the data because he thought it was still in the local profile 4488 folder. That was not the case, so by declining to move the data back, he wiped out 4489 the data. You cannot hold the tool responsible for that. Caveat emptor still applies. 4490 </para> 4491 4492 </answer> 4493 </qandaentry> 4494 4495 <qandaentry> 4496 <question> 4497 4498 <para> 4499 Is it really necessary to set a local Group Policy to exclude the redirected 4500 folders from the roaming profile? 4501 </para> 4502 4503 </question> 4504 <answer> 4505 4506 <para> 4507 Yes. If you do not do this, the data will still be copied from the network folder 4508 (share) to the local cached copy of the profile. 4509 </para> 4510 4511 </answer> 4512 </qandaentry> 4513 4514 </qandaset> 4515 4516</sect1> 4517 4518</chapter> 4519