<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE preface PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<preface id="preface">
    <title>Preface</title>

    <para>
    Network administrators live busy lives. We face distractions and pressures
    that drive us to seek proven, working case scenarios that can be easily
    implemented. Often this approach lands us in trouble. There is a
    saying that, geometrically speaking, the shortest distance between two
    points is a straight line, but practically we find that the quickest
    route to a stable network solution is the long way around.
    </para>

    <para>
    This book is your means to the straight path. It provides step-by-step,
    proven, working examples of Samba deployments. If you want to deploy
    Samba-3 with the least effort, or if you want to become an expert at deploying
    Samba-3 without having to search through lots of documentation, this
    book is the ticket to your destination.
    </para>

    <para>
    Samba is software that can be run on a platform other than Microsoft Windows,
    for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
    Samba uses the TCP/IP protocol that is installed on the host server. When
    correctly configured, it allows that host to interact with a Microsoft Windows
    client or server as if it is a Windows file and print server. This book
    will help you to implement Windows-compatible file and print services.
    </para>

    <para>
    The examples presented in this book are typical of various businesses and
    reflect the problems and challenges they face. Care has been taken to preserve
    attitudes, perceptions, practices, and demands from real network case studies.
    The maximum benefit may be obtained from this book by working carefully through
    each exercise. You may be in a hurry to satisfy a specific need, so feel
    free to locate the example that most closely matches your need, copy it, and
    innovate as much as you like. Above all, enjoy the process of learning the
    secrets of MS Windows networking that is truly liberated by Samba.
    </para>

    <para>
    The focus of attention in this book is Samba-3. Specific notes are made in
    respect of how Samba may be made secure. This book does not attempt to provide
    detailed information regarding secure operation and configuration of peripheral
    services and applications such as OpenLDAP, DNS and DHCP, the need for which
    can be met from other resources that are dedicated to the subject.
    </para>

    <sect1>
    <title>Why Is This Book Necessary?</title>

    <para>
    This book is the result of observations and feedback. The feedback from
    the Samba-HOWTO-Collection has been positive and complimentary. There
    have been requests for far more worked examples, a
    <quote>Samba Cookbook,</quote> and for training materials to
    help kick-start the process of mastering Samba.
    </para>

    <para>
    The Samba mailing list users have asked for sample configuration files
    that work. It is natural to question one's own ability to correctly
    configure a complex tool such as Samba until a minimum necessary
    knowledge level has been attained.
    </para>

    <para>
    The Samba-HOWTO-Collection &smbmdash; as does <emphasis>The Official Samba-3 HOWTO and
    Reference Guide</emphasis> &smbmdash; documents Samba features and functionality in
    a topical context. This book takes a completely different approach. It
    walks through Samba network configurations that are working within particular
    environmental contexts, providing documented step-by-step implementations.
    All example case configuration files, scripts, and other tools are provided
    on the CD-ROM. This book is descriptive, provides detailed diagrams, and
    makes deployment of Samba-3 a breeze.
    </para>

    <sect2>
    <title>Samba 3.0.20 Update Edition</title>

    <para>
    The Samba 3.0.x series has been remarkably popular. At the time this book first
    went to print samba-3.0.2 was being released. There have been significant modifications
    and enhancements between samba-3.0.2 and samba-3.0.14 (the current release) that
    necessitate this documentation update. This update has the specific intent to
    refocus this book so that its guidance can be followed for samba-3.0.20
    and beyond. Further changes are expected as Samba-3 matures further and will
    be reflected in future updates.
    </para>

    <para>
    The changes shown in <link linkend="pref-new"/> are incorporated in this update.
    </para>

    <table id="pref-new">
    <title>Samba Changes &smbmdash; 3.0.2 to 3.0.20</title>
    <tgroup cols="2">
        <colspec align="left"/>
        <colspec align="justify"/>
        <thead>
            <row>
                <entry align="left">
                <para>
                New Feature
                </para>
                </entry>
                <entry align="left">
                <para>
                Description
                </para>
                </entry>
            </row>
        </thead>
        <tbody>
            <row>
                <entry>
                <para>
                Winbind Case Handling
                </para>
                </entry>
                <entry>
                <para>
                User and group names returned by <command>winbindd</command> are now converted to lower case
                for better consistency. Samba implementations that depend on the case of information returned
                by winbind (such as %u and %U) must now convert the dependency to expecting lower case values.
                This affects mail spool files, home directories, valid user lines in the &smb.conf; file, etc.
                </para>
                </entry>
            </row>
            <row>
                <entry>
                <para>
                Schema Changes
                </para>
                </entry>
                <entry>
                <para>
                The addition of code to handle password aging, password uniqueness controls, and bad
                password instances at logon time has made necessary extensions to the SambaSAM
                schema. This change affects all sites that use LDAP and means that the directory
                schema must be updated.
                </para>
                </entry>
            </row>
            <row>
                <entry>
                <para>
                Username Map Handling
                </para>
                </entry>
                <entry>
                <para>
                Samba-3.0.8 redefined the behavior: Local authentication results in a username map file
                lookup before authenticating the connection. All authentication via an external domain
                controller will result in the use of the fully qualified name (i.e.: DOMAIN\username)
                after the user has been successfully authenticated.
                </para>
                </entry>
            </row>
            <row>
                <entry>
                <para>
                UNIX Extension Handling
                </para>
                </entry>
                <entry>
                <para>
                Symbolic links on the UNIX host that point to absolute paths of files and directories will
                now be followed. This can be turned off using <quote>wide links = No</quote> in
                the share stanza in the &smb.conf; file. Turning off <quote>wide links</quote>
                support will degrade server performance because each path must be checked.
                </para>
                </entry>
            </row>
            <row>
                <entry>
                <para>
                Privileges Support
                </para>
                </entry>
                <entry>
                <para>
                Versions of Samba prior to samba-3.0.11 required the use of the UNIX <constant>root</constant>
                account from network Windows clients. The new <quote>enable privileges = Yes</quote> capability
                means that functions such as adding machines to the domain, managing printers, etc. can now
                be delegated to normal user accounts or to groups of users.
                </para>
                </entry>
            </row>
        </tbody>
    </tgroup>
    </table>
    </sect2>

    </sect1>

    <sect1>
    <title>Prerequisites</title>

    <para>
    This book is not a tutorial on UNIX or Linux administration. UNIX and Linux
    training is best obtained from books dedicated to the subject. This book
    assumes that you have at least the basic skill necessary to use these operating
    systems, and that you can use a basic system editor to edit and configure files.
    It has been written with the assumption that you have experience with Samba,
    have read <emphasis>The Official Samba-3 HOWTO and Reference Guide</emphasis> and
    the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows.
    </para>

    <para>
    If you do not have this experience, you can follow the examples in this book but may
    find yourself at times intimidated by assumptions made. In this situation, you
    may need to refer to administrative guides or manuals for your operating system
    platform to find what is the best method to achieve what the text of this book describes.
    </para>

    </sect1>

    <sect1>
    <title>Approach</title>

    <para>
    The first chapter deals with some rather thorny network analysis issues. Do not be
    put off by this. The information you glean, even without a detailed understanding
    of network protocol analysis, can help you understand how Windows networking functions.
    </para>

    <para>
    Each following chapter of this book opens with the description of a networking solution
    sought by a hypothetical site. Bob Jordan is a hypothetical decision maker
    for an imaginary company, <constant>Abmas Biz NL</constant>. We will use the
    non-existent domain name <constant>abmas.biz</constant>. All <emphasis>facts</emphasis>
    presented regarding this company are fictitious and have been drawn from a variety of real
    business scenarios over many years. Not one of these reveals the identity of the
    real-world company from which the scenario originated.
    </para>

    <para>
    In any case, Mr. Jordan likes to give all his staff nasty little assignments.
    Stanley Saroka is one of his protégés; Christine Roberson is the network administrator
    Bob trusts. Jordan is inclined to treat other departments well because they finance
    Abmas IT operations.
    </para>

    <para>
    Each chapter presents a summary of the network solution we have chosen to
    demonstrate together with a rationale to help you to understand the
    thought process that drove that solution. The chapter then documents in precise
    detail all configuration files and steps that must be taken to implement the
    example solution. Anyone wishing to gain serious value from this book will
    do well to take note of the implications of points made, so watch out for the
    <emphasis>this means that</emphasis> notations.
    </para>

    <para>
    Each chapter has a set of questions and answers to help you
    to understand and digest key attributes of the solutions presented.
    </para>

    </sect1>

    <sect1>
    <title>Summary of Topics</title>

    <para>
    The contents of this second edition of <emphasis>Samba-3 by Example</emphasis>
    have been rearranged based on feedback from purchasers of the first edition.
    </para>

    <para>
    Clearly the first edition contained most of what was needed and that was missing
    from other books that cover this difficult subject. The new arrangement adds
    additional material to meet consumer requests and includes changes that originated
    as suggestions for improvement.
    </para>

    <para>
    Chapter 1 now dives directly into the implementation of Windows
    file and print server networks that have Samba at their heart.
    </para>

    <variablelist>
        <varlistentry>
        <term>Chapter 1 &smbmdash; No Frills Samba Servers.</term><listitem>
        <para>
        Here you design a solution for three different business scenarios, each for a
        company called Abmas. There are two simple networking problems and one slightly
        more complex networking challenge. In the first two cases, Abmas has a small
        simple office, and they want to replace a Windows 9x peer-to-peer network. The
        third example business uses Windows 2000 Professional. This must be simple,
        so let's see how far we can get. If successful, Abmas grows quickly and
        soon needs to replace all servers and workstations.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demands:
        <itemizedlist>
            <listitem><para>Case 1: The simplest &smb.conf; file that may
            reasonably be used. Works with Samba-2.x also. This
            configuration uses Share Mode security. Encrypted
            passwords are not used, so there is no
            <filename>smbpasswd</filename> file.
            </para></listitem>

            <listitem><para>Case 2: Another simple &smb.conf; file that adds
            WINS support and printing support. This case deals with
            a special requirement that demonstrates how to deal with
            purpose-built software that has a particular requirement
            for certain share names and printing demands. This
            configuration uses Share Mode security and also works with
            Samba-2.x. Encrypted passwords are not used, so there is no
            <filename>smbpasswd</filename> file.
            </para></listitem>

            <listitem><para>Case 3: This &smb.conf; configuration uses User Mode
            security. The file share configuration demonstrates
            the ability to provide master access to an administrator
            while restricting all staff to their own work areas.
            Encrypted passwords are used, so there is an implicit
            <filename>smbpasswd</filename> file.
            </para></listitem>
        </itemizedlist>
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 2 &smbmdash; Small Office Networking.</term><listitem>
        <para>
        Abmas is a successful company now. They have 50 network users
        and want a little more varoom from the network. This is a typical
        small office and they want better systems to help them to grow. This is
        your chance to really give advanced users a bit more functionality and usefulness.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
        makes use of encrypted passwords, so there is an <filename>smbpasswd</filename>
        file. It also demonstrates use of the <parameter>valid users</parameter> and
        <parameter>valid groups</parameter> to restrict share access. The Windows
        clients access the server as Domain members. Mobile users log onto
        the Domain while in the office, but use a local machine account while on the
        road. The result is an environment that answers mobile computing user needs.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 3 &smbmdash; Secure Office Networking.</term><listitem>
        <para>
        Abmas is growing rapidly now. Money is a little tight, but with 130
        network users, security has become a concern. They have many new machines
        to install and the old equipment will be retired. This time they want the
        new network to scale and grow for at least two years. Start with a sufficient
        system and allow room for growth. You are now implementing an Internet
        connection and have a few reservations about user expectations.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
        makes use of encrypted passwords, and you can use a <filename>tdbsam</filename>
        password backend. Domain logons are introduced. Applications are served from the central
        server. Roaming profiles are mandated. Access to the server is tightened up
        so that only domain members can access server resources. Mobile computing
        needs are still catered to.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 4 &smbmdash; The 500 User Office.</term><listitem>
        <para>
        The two-year projections were met. Congratulations, you are a star.
        Now Abmas needs to replace the network. Into the existing user base, they
        need to merge a 280-user company they just acquired. It is time to build a serious
        network. There are now three buildings on one campus and your assignment is
        to keep everyone working while a new network is rolled out. Oh, isn't it nice
        to roll out brand new clients and servers! Money is no longer tight; you get
        to buy and install what you ask for. You will install routers and a firewall.
        This is exciting!
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
        makes use of encrypted passwords, and a <filename>tdbsam</filename>
        password backend is used. You are not ready to launch into LDAP yet, so you
        accept the limitation of having one central Domain Controller with a Domain
        Member server in two buildings on your campus. A number of clever techniques
        are used to demonstrate some of the smart options built into Samba.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 5 &smbmdash; Making Happy Users.</term><listitem>
        <para>
        Congratulations again. Abmas is happy with your services and you have been given another raise.
        Your users are becoming much more capable and are complaining about little
        things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes
        to log onto the network and it is killing her productivity. Email is a bit <emphasis>
        unreliable</emphasis> &smbmdash; have you been sleeping on the job? We do not discuss the
        technology of email, but when the use of mail clients breaks because of networking
        problems, you had better get on top of it. It's time for a change.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This &smb.conf; file
        makes use of encrypted passwords; a distributed <filename>ldapsam</filename>
        password backend is used. Roaming profiles are enabled. Desktop profile controls
        are introduced. Check out the techniques that can improve the user experience
        of network performance. As a special bonus, this chapter documents how to configure
        smart downloading of printer drivers for drag-and-drop printing support. And, yes,
        the secret of configuring CUPS is clearly documented. Go for it; this one will
        tease you, too.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 6 &smbmdash; A Distributed 2000 User Network.</term><listitem>
        <para>
        Only eight months have passed, and Abmas has acquired another company. You now need to expand
        the network further. You have to deal with a network that spans several countries.
        There are three new networks in addition to the original three buildings at the head-office
        campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and
        London. Your desktop standard is Windows XP Professional. In many ways, everything has changed
        and yet it must remain the same. Your team is primed for another roll-out. You know there are
        further challenges ahead.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; Slave LDAP servers are introduced. Samba is
        configured to use multiple LDAP backends. This is a brief chapter; it assumes that the
        technology has been mastered and gets right down to concepts and how to deploy them.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 7 &smbmdash; Adding UNIX/Linux Servers and Clients.</term><listitem>
        <para>
        Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network.
        You want central control and central support and you need to cut costs. How can you reduce administrative
        overheads and yet get better control of the network?
        </para>

        <para>
        This chapter has been contributed by Mark Taylor <email>mark.taylor@siriusit.co.uk</email>
        and is based on a live site. For further information regarding this example case,
        please contact Mark directly.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; It is time to consider how to add Samba servers
        and UNIX and Linux network clients. Users who convert to Linux want to be able to log on
        using Windows network accounts. You explore nss_ldap, pam_ldap, winbind, and a few neat
        techniques for taking control. Are you ready for this?
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 8 &smbmdash; Updating Samba-3.</term><listitem>
        <para>
        This chapter is the result of repeated requests for better documentation of the steps
        that must be followed when updating or upgrading a Samba server. It attempts to cover
        the entire subject in broad-brush but at the same time provides detailed background
        information that is not covered elsewhere in the Samba documentation.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; Samba stores a lot of essential network
        information in a large and growing collection of files. This chapter documents the
        essentials of where those files may be located and how to find them. It also provides
        an insight into inter-related matters that affect a Samba installation.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 9 &smbmdash; Migrating NT4 Domain to Samba-3.</term><listitem>
        <para>
        Another six months have passed. Abmas has acquired yet another company. You will find a
        way to migrate all users off the old network onto the existing network without loss
        of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with
        you, may you keep your back to the wind and may the sun shine on your face.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter demonstrates the use of
        the <command>net rpc migrate</command> facility using an LDAP ldapsam backend, and also
        using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 10 &smbmdash; Migrating NetWare 4.11 Server to Samba.</term><listitem>
        <para>
        Misty Stanley-Jones has contributed information that summarizes her experience at migration
        from a NetWare server to Samba-3.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; The documentation provided demonstrates
        how one site migrated from NetWare to Samba. Some alternative tools are mentioned. These
        could be used to provide another pathway to a successful migration.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 11 &smbmdash; Active Directory, Kerberos and Security.</term><listitem>
        <para>
        Abmas has acquired another company that has just migrated to running Windows Server 2003 and
        Active Directory. One of your staff makes offhand comments that land you in hot water.
        A network security auditor is hired by the head of the new business and files a damning
        report, and you must address the <emphasis>defects</emphasis> reported. You have hired new
        network engineers who want to replace Microsoft Active Directory with a pure Kerberos
        solution. How will you handle this?
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; This chapter is your answer. Learn about
        share access controls, proper use of UNIX/Linux file system access controls, and Windows
        200x Access Control Lists. Follow these steps to beat the critics.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 12 &smbmdash; Integrating Additional Services.</term><listitem>
        <para>
        The battle is almost over; Samba-3 has won the day. Your team is delighted and now you
        find yourself at yet another cross-roads. Abmas has acquired a snack food business, and you
        made promises you must keep. IT costs must be reduced and you face new resistance, but you
        will win again. This time you choose to install the Squid proxy server to validate the
        fact that Samba is far more than just a file and print server. SPNEGO authentication
        support means that your Microsoft Windows clients gain transparent proxy access.
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; Samba provides the <command>ntlm_auth</command>
        module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web
        and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated
        access control using the Active Directory Domain user security credentials.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 13 &smbmdash; Performance, Reliability and Availability.</term><listitem>
        <para>
        Bob, are you sure the new Samba server is up to the load? Your network is serving many
        users who risk becoming unproductive. What can you do to keep ahead of demand? Can you
        keep the cost under control also? What can go wrong?
        </para>

        <para><emphasis>TechInfo</emphasis> &smbmdash; Hot tips that put chili into your
        network. Avoid name resolution problems, identify potential causes of network collisions,
        and avoid Samba configuration options that will weigh the server down. Use MS distributed file
        services to make your network fly, and much more. This chapter contains a good deal of
        <quote>Did I tell you about this...?</quote> type of hints to help keep your name on the top
        performers list.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 14 &smbmdash; Samba Support.</term><listitem>
        <para>
        This chapter has been added specifically to help those who are seeking professional
        paid support for Samba. The critics of Open Source Software often assert that
        there is no support for free software. Some critics argue that free software
        undermines the service that proprietary commercial software vendors depend on.
        This chapter explains what the support options for Samba are and the fact that
        a growing number of businesses make money by providing commercial paid-for
        Samba support.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 15 &smbmdash; A Collection of Useful Tid-bits.</term><listitem>
        <para>
        Sometimes it seems that there is not a good place for certain odds and ends that
        impact Samba deployment. Some readers would argue that everyone can be expected
        to know this information, or at least be able to find it easily. So to avoid
        offending a reader's sensitivities, the tid-bits have been placed in this chapter.
        Do check out the contents; you may find something of value among the loose ends.
        </para>
        </listitem>
        </varlistentry>

        <varlistentry>
        <term>Chapter 16 &smbmdash; Windows Networking Primer.</term><listitem>
        <para>
        Here we cover practical exercises to help us to understand how MS Windows
        network protocols function. A network protocol analyzer helps you to
        appreciate the fact that Windows networking is highly dependent on broadcast
        messaging. Additionally, you can look into network packets that a Windows
        client sends to a network server to set up a network connection. On completion,
        you should have a basic understanding of how network browsing functions and
        have seen some of the information a Windows client sends to
        a file and print server to create a connection over which file and print
        operations may take place.
        </para>
        </listitem>
        </varlistentry>

    </variablelist>

    </sect1>

    <!-- the conventions used in this book -->
    <xi:include href="conventions.xml" xmlns:xi="http://www.w3.org/2003/XInclude" />

</preface>