<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="AdvancedNetworkManagement">
<chapterinfo>
	&author.jht;
    <pubdate>June 15 2005</pubdate>
</chapterinfo>

<title>Advanced Network Management</title>

<para>
<indexterm><primary>access control</primary></indexterm>
This section documents peripheral issues that are of great importance to network
administrators who want to improve network resource access control, to automate the user
environment, and to make their lives a little easier.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Often the difference between a working network environment and a well-appreciated one can
best be measured by the <emphasis>little things</emphasis> that make everything work more
harmoniously. A key part of every network environment solution is the ability to remotely
manage MS Windows workstations, remotely access the Samba server, provide customized
logon scripts, as well as other housekeeping activities that help to sustain more reliable
network operations.
</para>

<para>
This chapter presents information on each of these areas. They are placed here, and not in
other chapters, for ease of reference.
</para>

</sect1>

<sect1>
<title>Remote Server Administration</title>


<para><quote>How do I get User Manager and Server Manager?</quote></para>

<para>
<indexterm><primary>User Manager</primary></indexterm>
<indexterm><primary>Server Manager</primary></indexterm>
<indexterm><primary>Event Viewer</primary></indexterm>
Since I do not need to buy an <application>NT4 server</application>, how do I get the User Manager for Domains
and the Server Manager?
</para>

<para>
<indexterm><primary>Nexus.exe</primary></indexterm>
<indexterm><primary>Windows 9x/Me</primary></indexterm>
Microsoft distributes a version of these tools called <filename>Nexus.exe</filename> for installation
on <application>Windows 9x/Me</application> systems. The tool set includes:
</para>

<itemizedlist>
	<listitem><para>Server Manager</para></listitem>
	<listitem><para>User Manager for Domains</para></listitem>
	<listitem><para>Event Viewer</para></listitem>
</itemizedlist>

<para>
Download the archived file at the Microsoft <ulink noescape="1"
url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">Nexus</ulink> link.
</para>

<para>
<indexterm><primary>SRVTOOLS.EXE</primary></indexterm>
<indexterm><primary>User Manager for Domains</primary></indexterm>
<indexterm><primary>Server Manager</primary></indexterm>
The <application>Windows NT 4.0</application> versions of the User Manager for
Domains and Server Manager are available from Microsoft
<ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">via ftp</ulink>.
</para>

</sect1>

<sect1>
<title>Remote Desktop Management</title>

<para>
<indexterm><primary>remote desktop management</primary></indexterm>
<indexterm><primary>network environment</primary></indexterm>
There are a number of possible remote desktop management solutions that range from free
through costly. Do not let that put you off. Sometimes the most costly solution is the
most cost effective. In any case, you will need to draw your own conclusions as to which
is the best tool in your network environment.
</para>

	<sect2>
	<title>Remote Management from NoMachine.Com</title>

	<para>
	<indexterm><primary>NoMachine.Com</primary></indexterm>
	The following information was posted to the Samba mailing list on Apr 3 23:33:50 GMT 2003.
	It is presented in slightly edited form (with author details omitted for privacy reasons).
	The entire answer is reproduced below with some comments removed.
	</para>

		<para><quote>
<indexterm><primary>remote desktop capabilities</primary></indexterm>
		I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote
		desktop capabilities so users outside could login to the system and get their desktop up from home or
		another country.
		</quote></para>

		<para><quote>
<indexterm><primary>Windows Terminal server</primary></indexterm>
<indexterm><primary>BDC</primary></indexterm>
<indexterm><primary>PDC</primary></indexterm>
<indexterm><primary>remote login</primary></indexterm>
		Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so
		it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login
		even if the computer is in a domain?
		</quote></para>

		<para>
		Answer provided: Check out the new offer of <quote>NX</quote> software from
		<ulink noescape="1" url="http://www.nomachine.com/">NoMachine</ulink>.
		</para>

	<para>
<indexterm><primary>Remote X protocol</primary></indexterm>
<indexterm><primary>VNC/RFB</primary></indexterm>
<indexterm><primary>rdesktop/RDP</primary></indexterm>
	It implements an easy-to-use interface to the Remote X protocol as
	well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed
	performance much better than anything you may have ever seen.
	</para>

	<para>
<indexterm><primary>modem/ISDN</primary></indexterm>
	Remote X is not new at all, but what they did achieve successfully is
	a new way of compression and caching technologies that makes the thing
	fast enough to run even over slow modem/ISDN connections.
	</para>

	<para>
<indexterm><primary>KDE konqueror</primary></indexterm>
<indexterm><primary>mouse-over</primary></indexterm>
<indexterm><primary>rdesktop</primary></indexterm>
	I test drove their (public) Red Hat machine in Italy, over a loaded
	Internet connection, with enabled thumbnail previews in KDE konqueror,
	which popped up immediately on <quote>mouse-over</quote>. From inside that (remote X)
	session I started a rdesktop session on another, a Windows XP machine.
	To test the performance, I played Pinball. I am proud to announce
	that my score was 631,750 points at first try.
	</para>

	<para>
<indexterm><primary>NX</primary></indexterm>
<indexterm><primary>TightVNC</primary></indexterm>
<indexterm><primary>rdesktop</primary></indexterm>
<indexterm><primary>Remote X</primary></indexterm>
	NX performs better on my local LAN than any of the other <quote>pure</quote>
	connection methods I use from time to time: TightVNC, rdesktop or
	Remote X. It is even faster than a direct crosslink connection between
	two nodes.
	</para>

	<para>
<indexterm><primary>Remote X</primary></indexterm>
<indexterm><primary>KDE session</primary></indexterm>
<indexterm><primary>copy'n'paste</primary></indexterm>
	I even got sound playing from the Remote X app to my local boxes, and
	had a working <quote>copy'n'paste</quote> from an NX window (running a KDE session
	in Italy) to my Mozilla mailing agent. These guys are certainly doing
	something right!
	</para>

	<para>
	I recommend test driving NX to anybody with only a passing interest in remote computing,
	using the <ulink noescape="1" url="http://www.nomachine.com/testdrive.php">NX</ulink> utility.
	</para>

	<para>
	Just download the free-of-charge client software (available for Red Hat,
	SuSE, Debian and Windows) and be up and running within 5 minutes (they
	need to send you your account data, though, because you are assigned
	a real UNIX account on their testdrive.nomachine.com box).
	</para>

	<para>
	They plan to get to the point where you can have NX application servers
	running as a cluster of nodes, and users simply start an NX session locally
	and can select applications to run transparently (apps may even run on
	another NX node, but pretend to be on the same as used for initial login,
	because it displays in the same window). You also can run it
	full-screen, and after a short time you forget that it is a remote session
	at all.
	</para>

	<para>
<indexterm><primary>GPL</primary></indexterm>
	Now the best thing for last: All the core compression and caching
	technologies are released under the GPL and available as source code
	to anybody who wants to build on it! These technologies are working,
	albeit started from the command line only (and very inconvenient to
	use in order to get a fully running remote X session up and running).
	</para>

	<para>
	To answer your questions:
	</para>

	<itemizedlist>
		<listitem><para>
		You do not need to install a terminal server; XP has RDP support built in.
		</para></listitem>

		<listitem><para>
		NX is much cheaper than Citrix &smbmdash; and comparable in performance, probably faster.
		</para></listitem>

		<listitem><para>
		You do not need to hack XP &smbmdash; it just works.
		</para></listitem>

		<listitem><para>
		You log into the XP box from remote transparently (and I think there is no
		need to change anything to get a connection, even if authentication is against a domain).
		</para></listitem>

		<listitem><para>
		The NX core technologies are all Open Source and released under the GPL &smbmdash;
		you can now use a (very inconvenient) command line at no cost,
		but you can buy a comfortable (proprietary) NX GUI front end for money.
		</para></listitem>

		<listitem><para>
<indexterm><primary>OSS/Free Software</primary></indexterm>
<indexterm><primary>LTSP</primary></indexterm>
<indexterm><primary>KDE</primary></indexterm>
<indexterm><primary>GNOME</primary></indexterm>
<indexterm><primary>NoMachine</primary></indexterm>
		NoMachine is encouraging and offering help to OSS/Free Software implementations
		for such a front-end too, even if it means competition to them (they have written
		to this effect even to the LTSP, KDE, and GNOME developer mailing lists).
		</para></listitem>
	</itemizedlist>

	</sect2>
	<sect2>
	<title>Remote Management with ThinLinc</title>
	<para>
	Another alternative for remote access is <emphasis>ThinLinc</emphasis> from Cendio.
	</para>

	<para>
<indexterm><primary>ThinLinc</primary></indexterm>
<indexterm><primary>terminal server</primary></indexterm>
<indexterm><primary>Linux</primary></indexterm>
<indexterm><primary>Solaris</primary></indexterm>
<indexterm><primary>TightVNC</primary></indexterm>
<indexterm><primary>SSH</primary></indexterm>
<indexterm><primary>NFS</primary></indexterm>
<indexterm><primary>PulseAudio</primary></indexterm>
	ThinLinc is a terminal server solution that is available for Linux and Solaris based on standard
	protocols such as SSH, TightVNC, NFS and PulseAudio.
	</para>

	<para>
<indexterm><primary>LAN</primary></indexterm>
<indexterm><primary>thin client</primary></indexterm>
	ThinLinc can be used both in the LAN environment to implement a thin client strategy for an organization, and as
	a secure remote access solution for people working from remote locations, even over low-bandwidth connections.
	ThinLinc is free to use for a single concurrent user.
	</para>

	<para>
<indexterm><primary>Citrix</primary></indexterm>
<indexterm><primary>Windows Terminal Server</primary></indexterm>
<indexterm><primary>Java</primary></indexterm>
	The product can also be used as a frontend to access Windows Terminal Server or Citrix farms, or even Windows
	XP machines, securing the connection via the ssh protocol. The client is available both for Linux (supporting
	all Linux distributions as well as numerous thin terminals) and for Windows. A Java-based Web client is also
	available.
	</para>

	<para>
	ThinLinc may be evaluated by connecting to Cendio's demo system; see the
	<ulink noescape="1" url="http://www.cendio.com/testdrive">testdrive</ulink> center on
	<ulink noescape="1" url="http://www.cendio.com">Cendio's</ulink> web site.
	</para>

	<para>
	Cendio is a major contributor to several open source projects including
	<ulink noescape="1" url="http://www.tightvnc.com">TightVNC</ulink>,
	<ulink noescape="1" url="http://pulseaudio.org">PulseAudio</ulink>, unfsd,
	<ulink noescape="1" url="http://www.python.org">Python</ulink> and
	<ulink noescape="1" url="http://www.rdesktop.org">rdesktop</ulink>.
	</para>

	</sect2>
</sect1>

<sect1>
<title>Network Logon Script Magic</title>

<para>
There are several opportunities for creating a custom network startup configuration environment.
</para>

<itemizedlist>
	<listitem><para>No Logon Script.</para></listitem>
	<listitem><para>Simple universal Logon Script that applies to all users.</para></listitem>
	<listitem><para>Use of a conditional Logon Script that applies per-user or per-group attributes.</para></listitem>
	<listitem><para>Use of Samba's preexec and postexec functions on access to the NETLOGON share to create
		a custom logon script and then execute it.</para></listitem>
	<listitem><para>Use of a tool such as KiXtart.</para></listitem>
</itemizedlist>

<para>
The Samba source code tree includes two logon script generation/execution tools.
See the <filename>genlogon</filename> and <filename>ntlogon</filename> subdirectories
of the <filename>examples</filename> directory.
</para>

<para>
The following listing is from the genlogon directory.
</para>


<para>
<indexterm><primary>genlogon.pl</primary></indexterm>
This is the <filename>genlogon.pl</filename> file:

<programlisting>
	#!/usr/bin/perl
	#
	# genlogon.pl
	#
	# Perl script to generate user logon scripts on the fly, when users
	# connect from a Windows client. This script should be called from
	# smb.conf with the %U, %G and %L parameters, i.e.:
	#
	#       root preexec = genlogon.pl %U %G %L
	#
	# The script generated will perform
	# the following:
	#
	# 1. Log the user connection to /var/log/samba/netlogon.log
	# 2. Set the PC's time to the Linux server time (which is maintained
	#    daily to the National Institute of Standards Atomic clock on the
	#    internet).
	# 3. Connect the user's home drive to H: (H for Home).
	# 4. Connect common drives that everyone uses.
	# 5. Connect group-specific drives for certain user groups.
	# 6. Connect user-specific drives for certain users.
	# 7. Connect network printers.
	#
	# Only steps 1, 5, 6 and 7 are implemented in the listing below.

	use strict;
	use warnings;

	# Arguments as passed from smb.conf: %U = user, %G = primary group, %L = server name
	my ($user, $group, $server) = @ARGV;
	die "usage: genlogon.pl user group server\n" unless defined $server;

	# Log client connection. localtime() returns a 0-based month and the
	# year as an offset from 1900, so both are adjusted before printing.
	my ($sec,$min,$hour,$mday,$mon,$year) = localtime(time);
	my $stamp = sprintf("%02d/%02d/%04d %02d:%02d:%02d",
	                    $mon + 1, $mday, $year + 1900, $hour, $min, $sec);
	open LOG, ">>/var/log/samba/netlogon.log" or die "netlogon.log: $!";
	print LOG "$stamp - User $user (group $group) logged into $server\n";
	close LOG;

	# Start generating logon script
	open LOGON, ">/shared/netlogon/$user.bat" or die "logon script: $!";
	print LOGON "\@ECHO OFF\r\n";

	# Connect shares just used by Software Development group
	if ($group eq "SOFTDEV" || $user eq "softdev")
	{
		print LOGON "NET USE M: \\\\$server\\SOURCE\r\n";
	}

	# Connect shares just used by Technical Support staff
	if ($group eq "SUPPORT" || $user eq "support")
	{
		print LOGON "NET USE S: \\\\$server\\SUPPORT\r\n";
	}

	# Connect shares just used by Administration staff
	if ($group eq "ADMIN" || $user eq "admin")
	{
		print LOGON "NET USE L: \\\\$server\\ADMIN\r\n";
		print LOGON "NET USE K: \\\\$server\\MKTING\r\n";
	}

	# Now connect Printers. We handle just two or three users a little
	# differently, because they are the exceptions that have desktop
	# printers on LPT1: - all other users go to the LaserJet on the
	# server.
	if ($user eq 'jim'
	    || $user eq 'yvonne')
	{
		print LOGON "NET USE LPT2: \\\\$server\\LJET3\r\n";
		print LOGON "NET USE LPT3: \\\\$server\\FAXQ\r\n";
	}
	else
	{
		print LOGON "NET USE LPT1: \\\\$server\\LJET3\r\n";
		print LOGON "NET USE LPT3: \\\\$server\\FAXQ\r\n";
	}

	# All done! Close the output file.
	close LOGON;
</programlisting>
</para>

<para>
Those wishing to use a more elaborate or capable logon processing system should check out these sites:
</para>

<itemizedlist>
	<listitem><para><ulink noescape="1" url="http://www.craigelachie.org/rhacer/ntlogon">http://www.craigelachie.org/rhacer/ntlogon</ulink></para></listitem>
	<listitem><para><ulink noescape="1" url="http://www.kixtart.org">http://www.kixtart.org</ulink></para></listitem>
</itemizedlist>

<sect2>
<title>Adding Printers without User Intervention</title>


<para>
<indexterm><primary>rundll32</primary></indexterm>
Printers may be added automatically during logon script processing through the use of:
<screen>
&dosprompt;<userinput>rundll32 printui.dll,PrintUIEntry /?</userinput>
</screen>

See the documentation in the <ulink url="http://support.microsoft.com/default.asp?scid=kb;en-us;189105">Microsoft Knowledge Base article 189105</ulink>.
</para>
</sect2>

<sect2>
	<title>Limiting Logon Connections</title>

	<para>
		Sometimes it is necessary to limit the number of concurrent connections to a
		Samba shared resource. For example, a site may wish to permit only one network
		logon per user.
	</para>

	<para>
		The Samba <parameter>preexec</parameter> parameter can be used to permit only one
		connection per user. Though this method is not foolproof and may have side effects,
		the following contributed method may inspire someone to provide a better solution.
	</para>

	<para>
		This is not a perfect solution because Windows clients can drop idle connections
		with an auto-reconnect capability that could result in the appearance that a share
		is no longer in use, while actually it is. Even so, it demonstrates the principle
		of use of the <parameter>preexec</parameter> parameter.
	</para>

	<para>
		The following share configuration demonstrates use of the script shown in <link linkend="Tpees"/>.
		The user name is passed to the script as <literal>%U</literal>, and
		<parameter>preexec close</parameter> makes Samba close the connection when the script exits non-zero.
<programlisting>
[myshare]
	...
	preexec = /sbin/PermitSingleLogon.sh %U
	preexec close = Yes
	...
</programlisting>
	</para>

<example id="Tpees">
<title>Script to Enforce Single Resource Logon</title>
<screen>
#!/bin/bash

# $1 is the user name passed from smb.conf as %U; it is quoted so that a name
# containing a hyphen, a space or a shell metacharacter stays one argument.
# smbstatus -S -u lists the shares this user has open, one per line. Data rows
# have more than 6 fields, so the awk filter skips the header lines. A share
# name that appears twice means the user already has another session on it.
RESULT=$(smbstatus -S -u "$1" 2> /dev/null | awk 'NF > 6 {print $1}' | sort | uniq -d)

if [ "X${RESULT}" == X ]; then
  exit 0
else
  exit 1
fi
</screen>
</example>
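<para>
The duplicate-share rule of <link linkend="Tpees"/>, as an added example that is not part of the HOWTO or of Samba itself: the check is split into a parsing step and a decision step so that the <command>smbstatus -S -u</command> listing is passed in as text and the rule can be exercised offline against constructed listings. The column layout assumed (service, pid, machine, five-field date) is that of Samba 3; confirm it against your own <command>smbstatus</command> output before relying on the field count.
</para>

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): the PermitSingleLogon.sh rule,
# split so it can be tested without a running smbd.
# Layout assumed for "smbstatus -S -u USER" (Samba 3):
#   header row   "Service pid machine Connected at"          (5 fields)
#   separator    "-----------------------------------"       (1 field)
#   data row     "homes 4011 ws-alice Mon Jun 13 09:12:01 2005" (8 fields)
# The preexec hook runs after the new connection is registered, so a second
# connection to the same share shows up as a duplicated service name.

# Print the service names that appear more than once in a status listing.
# $1: listing text in the layout above.
duplicate_services() {
    printf '%s\n' "$1" | awk 'NF > 6 { print $1 }' | sort | uniq -d
}

# Exit status as the preexec script returns it: 0 permits the connection,
# 1 makes Samba close it when "preexec close = Yes" is set.
permit_single_logon() {
    [ -z "$(duplicate_services "$1")" ]
}

# The same decision as a word, handy for logging and for tests.
single_logon_decision() {
    if permit_single_logon "$1"; then
        echo permit
    else
        echo deny
    fi
}

# Constructed sample listings (not real smbstatus output).
STATUS_SINGLE='Service      pid     machine       Connected at
-------------------------------------------------------
homes        4011    ws-alice      Mon Jun 13 09:12:01 2005
IPC$         4011    ws-alice      Mon Jun 13 09:12:01 2005'

# The same user now also connected to "homes" from a second machine.
STATUS_DOUBLE='Service      pid     machine       Connected at
-------------------------------------------------------
homes        4011    ws-alice      Mon Jun 13 09:12:01 2005
homes        4098    ws-lab07      Mon Jun 13 09:40:33 2005
IPC$         4098    ws-lab07      Mon Jun 13 09:40:33 2005'

# Stand-alone demonstration: prints "permit" then "deny".
if [ "${1:-}" = "--demo" ]; then
    single_logon_decision "$STATUS_SINGLE"
    single_logon_decision "$STATUS_DOUBLE"
fi
```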
</sect2>

</sect1>

</chapter>
