<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Appendix&nbsp;A.&nbsp;Appendix: A Collection of Useful Tid-bits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="HA.html" title="Chapter&nbsp;13.&nbsp;Performance, Reliability, and Availability"><link rel="next" href="gpl.html" title="Appendix&nbsp;B.&nbsp;GNU General Public License"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="appendix" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Appendix&nbsp;A.&nbsp;Appendix: A Collection of Useful Tid-bits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2596437">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2596857">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2597202">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2597214">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2597263">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2597403">DNS Root
Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2597463">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id2598029">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2599439">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2599586">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2599670">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p><a class="indexterm" name="id2595828"></a><a class="indexterm" name="id2595835"></a>
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows Domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS Domain. Be assured that the steps are identical,
as shown in the example given below.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p><a class="indexterm" name="id2595868"></a>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment.
It should be noted that this process is identical
when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
</p><div class="procedure"><ol type="1"><li><p>
Click <span class="guimenu">Start</span>.
</p></li><li><p>
Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>.
</p></li><li><p>
The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel.
See <a href="appendix.html#wxpp001" title="Figure&nbsp;A.1.&nbsp;The General Panel.">Figure A.1</a>.
</p><div class="figure"><a name="wxpp001"></a><p class="title"><b>Figure&nbsp;A.1.&nbsp;The General Panel.</b></p><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div><p>
</p></li><li><p>
Click the <span class="guimenu">Computer Name</span> tab.
This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>,
and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>.
</p><p>
Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with
Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button.
See <a href="appendix.html#wxpp004" title="Figure&nbsp;A.2.&nbsp;The Computer Name Panel.">Figure A.2</a>.
</p><div class="figure"><a name="wxpp004"></a><p class="title"><b>Figure&nbsp;A.2.&nbsp;The Computer Name Panel.</b></p><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div><p>
</p></li><li><p>
Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
We join the domain called MIDEARTH. See <a href="appendix.html#wxpp006" title="Figure&nbsp;A.3.&nbsp;The Computer Name Changes Panel.">Figure A.3</a>.
</p><div class="figure"><a name="wxpp006"></a><p class="title"><b>Figure&nbsp;A.3.&nbsp;The Computer Name Changes Panel.</b></p><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel."></div></div><p>
</p></li><li><p>
Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button.
</p><p>
This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="appendix.html#wxpp007" title="Figure&nbsp;A.4.&nbsp;The Computer Name Changes Panel Domain MIDEARTH.">Figure A.4</a>.
</p><div class="figure"><a name="wxpp007"></a><p class="title"><b>Figure&nbsp;A.4.&nbsp;The Computer Name Changes Panel Domain MIDEARTH.</b></p><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH."></div></div><p>
</p></li><li><p>
Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a Domain administrative account that has the rights to add machines to the Domain.
</p><p>
Enter the name “<span class="quote"><span class="emphasis"><em>root</em></span></span>” and the root password from your Samba-3 server. See <a href="appendix.html#wxpp008" title="Figure&nbsp;A.5.&nbsp;Computer Name Changes User name and Password Panel.">Figure A.5</a>.
</p><div class="figure"><a name="wxpp008"></a><p class="title"><b>Figure&nbsp;A.5.&nbsp;Computer Name Changes User name and Password Panel.</b></p><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel."></div></div><p>
</p></li><li><p>
Click <span class="guimenu">OK</span>.
</p><p>
The “<span class="quote"><span class="emphasis"><em>Welcome to the MIDEARTH domain</em></span></span>” dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
</p></li></ol></div><p><a class="indexterm" name="id2596317"></a><a class="indexterm" name="id2596325"></a>
The screen capture shown in <a href="appendix.html#wxpp007" title="Figure&nbsp;A.4.&nbsp;The Computer Name Changes Panel Domain MIDEARTH.">Figure A.4</a> has a button labeled <span class="guimenu">More...</span>. This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS name space.
</p><p><a class="indexterm" name="id2596353"></a><a class="indexterm" name="id2596361"></a>
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are Domain Controllers or which machines have the Netlogon service running).
</p><p><a class="indexterm" name="id2596380"></a>
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect Domain Membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
</p><p>
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba Domain, it is preferable to leave this field blank.
</p><p><a class="indexterm" name="id2596406"></a>
According to Microsoft documentation, “<span class="quote"><span class="emphasis"><em>If this computer belongs to a group with <tt class="constant">Group Policy</tt>
enabled on <span><b class="command">Primary DNS suffix of this computer</b></span>, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.</em></span></span>”
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596437"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id2596444"></a><a class="indexterm" name="id2596452"></a><a class="indexterm" name="id2596460"></a>
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the <tt class="filename">/usr/local/samba</tt> directory. This is a perfectly reasonable location, particularly given all the other
Open Source software that installs into the <tt class="filename">/usr/local</tt> subdirectories.
</p><p>
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
default.
</p><p><a class="indexterm" name="id2596496"></a><a class="indexterm" name="id2596507"></a><a class="indexterm" name="id2596515"></a><a class="indexterm" name="id2596526"></a><a class="indexterm" name="id2596534"></a><a class="indexterm" name="id2596545"></a><a class="indexterm" name="id2596553"></a><a class="indexterm" name="id2596561"></a><a class="indexterm" name="id2596569"></a><a class="indexterm" name="id2596576"></a><a class="indexterm" name="id2596584"></a><a class="indexterm" name="id2596592"></a><a class="indexterm" name="id2596600"></a><a class="indexterm" name="id2596608"></a><a class="indexterm" name="id2596616"></a><a class="indexterm" name="id2596624"></a>
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the <tt class="filename">/etc/samba</tt> directory, common binary
files (those used by users) in the <tt class="filename">/usr/bin</tt> directory, and the administrative files (daemons) in the
<tt class="filename">/usr/sbin</tt> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
<tt class="filename">/usr/share</tt> directory, either in <tt class="filename">/usr/share/samba/swat</tt> or in
<tt class="filename">/usr/share/swat</tt>. There are additional support files for <span><b class="command">smbd</b></span> in the
<tt class="filename">/usr/lib/samba</tt> directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
</p><p><a class="indexterm" name="id2596693"></a><a class="indexterm" name="id2596701"></a><a class="indexterm" name="id2596709"></a>
Samba creates run-time control files and generates log files. The run-time control files (tdb and dat files) are stored in
the <tt class="filename">/var/lib/samba</tt> directory.
Log files are created in <tt class="filename">/var/log/samba</tt>.
</p><p>
When Samba is built and installed using the default Samba Team process, all files are located under the
<tt class="filename">/usr/local/samba</tt> directory tree. This makes it simple to find the files that Samba owns.
</p><p><a class="indexterm" name="id2596748"></a>
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called <span><b class="command">smbd</b></span>. Here is an example:
</p><pre class="screen">
<tt class="prompt">root# </tt> find / -name smbd -print
</pre><p>
You can find the location of the configuration files by running:
</p><pre class="screen">
<tt class="prompt">root# </tt> /path-to-binary-file/smbd -b | more
...
Paths:
   SBINDIR: /usr/sbin
   BINDIR: /usr/bin
   SWATDIR: /usr/share/samba/swat
   CONFIGFILE: /etc/samba/smb.conf
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   LIBDIR: /usr/lib/samba
   SHLIBEXT: so
   LOCKDIR: /var/lib/samba
   PIDDIR: /var/run/samba
   SMB_PASSWD_FILE: /etc/samba/smbpasswd
   PRIVATE_DIR: /etc/samba
...
</pre><p>
If you wish to locate the Samba version, just run:
</p><pre class="screen">
<tt class="prompt">root# </tt> /path-to-binary-file/smbd -V
Version 3.0.12-SUSE
</pre><p>
</p><p>
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method.
If your platform uses RPM format packages, you can check to see if Samba is installed by
executing:<a class="indexterm" name="id2596821"></a>
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -qa | grep samba
samba3-pdb-3.0.12-1
samba3-vscan-0.3.5-0
samba3-winbind-3.0.12-1
samba3-3.0.12-1
samba3-python-3.0.12-1
samba3-utils-3.0.12-1
samba3-doc-3.0.12-1
samba3-client-3.0.12-1
samba3-cifsmount-3.0.12-1
</pre><p><a class="indexterm" name="id2596844"></a>
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596857"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id2596864"></a>
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server for which the daemon is called <span><b class="command">httpd</b></span>. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
</p><p>
The Samba server is made up of the following daemons:
</p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example&nbsp;A.1.&nbsp;A Useful Samba Control Script for SuSE Linux</b></p><pre class="screen">
#!/bin/bash
#
# Script to start/stop samba
# Locate this in /sbin as a file called 'samba'

RCD=/etc/rc.d

# Refuse to run without an action argument (the message must be quoted,
# otherwise the shell treats the text after ';' as a second command).
if [ -z "$1" ]; then
    echo "$0 - No arguments given; must be start, stop or restart."
    exit 1
fi

if [ "$1" == 'start' ]; then
    ${RCD}/nmb start
    ${RCD}/smb start
    ${RCD}/winbind start
fi
if [ "$1" == 'stop' ]; then
    ${RCD}/smb stop
    ${RCD}/winbind stop
    ${RCD}/nmb stop
fi
if [ "$1" == 'restart' ]; then
    ${RCD}/smb stop
    ${RCD}/winbind stop
    ${RCD}/nmb stop
    sleep 5
    ${RCD}/nmb start
    ${RCD}/smb start
    ${RCD}/winbind start
fi
exit 0
</pre></div><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
<a class="indexterm" name="id2596926"></a>
<a class="indexterm" name="id2596933"></a>
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The <span><b class="command">nmbd</b></span> daemon should
be the first command started as part of the Samba startup process.
</p></dd><dt><span class="term">smbd</span></dt><dd><p>
<a class="indexterm" name="id2596962"></a>
<a class="indexterm" name="id2596969"></a>
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of <span><b class="command">nmbd</b></span>.
</p></dd><dt><span class="term">winbindd</span></dt><dd><p>
<a class="indexterm" name="id2596998"></a>
<a class="indexterm" name="id2597005"></a>
This daemon should be started when Samba is a member of a Windows NT4 or ADS Domain. It is also needed when
Samba has trust relationships with another Domain. The <span><b class="command">winbindd</b></span> daemon will check the
<tt class="filename">smb.conf</tt> file for the presence of the <i class="parameter"><tt>idmap uid</tt></i> and <i class="parameter"><tt>idmap gid</tt></i>
parameters. If they are not found, <span><b class="command">winbindd</b></span> bails out and refuses to start.
</p></dd></dl></div><p>
When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
integration into the platform as a whole. Please refer to your operating system platform administration manuals for
specific information pertaining to correct management of Samba startup.
</p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example&nbsp;A.2.&nbsp;</b></p><pre class="screen">
#!/bin/sh
#
# chkconfig: 345 81 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.

# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up (quoted so the test also works when unset).
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0
CONFIG=/etc/samba/smb.conf
# Check that smb.conf exists.
[ -f "$CONFIG" ] || exit 0

# See how we were called.
case "$1" in
  start)
    echo -n "Starting SMB services: "
    daemon smbd -D; daemon nmbd -D; echo;
    touch /var/lock/subsys/smb
    ;;
  stop)
    echo -n "Shutting down SMB services: "
    smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
    for pid in $smbdpids; do
        kill -TERM $pid
    done
    killproc nmbd -TERM; rm -f /var/lock/subsys/smb
    echo ""
    ;;
  status)
    status smbd; status nmbd;
    ;;
  restart)
    echo -n "Restarting SMB services: "
    $0 stop; $0 start;
    echo "done."
    ;;
  *)
    echo "Usage: smb {start|stop|restart|status}"
    exit 1
esac
</pre></div><p><a class="indexterm" name="id2597123"></a>
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example&nbsp;A.1.&nbsp;A Useful Samba Control Script for SuSE Linux">Example A.1</a>.
This can be located in the directory
<tt class="filename">/sbin</tt> in a file called <tt class="filename">samba</tt>. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
</p><p><a class="indexterm" name="id2597159"></a>
A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example&nbsp;A.2.&nbsp;">Example A.2</a>.
This file could be located in the directory <tt class="filename">/etc/rc.d</tt> and can be called
<tt class="filename">samba</tt>. A similar startup script is required to control <span><b class="command">winbind</b></span>.
If you want to find more information regarding startup scripts, please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2597202"></a>DNS Configuration Files</h2></div></div></div><p>
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2597214"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p>
The forward zone file for the loopback address never changes. An example file is shown
in <a href="appendix.html#loopback" title="Example&nbsp;A.3.&nbsp;DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">Example A.3</a>. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
is called <tt class="constant">localhost</tt>.
</p><div class="example"><a name="loopback"></a><p class="title"><b>Example&nbsp;A.3.&nbsp;DNS Localhost Forward Zone File: <tt class="filename">/var/lib/named/localhost.zone</tt></b></p><pre class="screen">
$TTL 1W
@               IN SOA  @   root (
                        42              ; serial
                        2D              ; refresh
                        4H              ; retry
                        6W              ; expiry
                        1W )            ; minimum

                IN NS           @
                IN A            127.0.0.1
</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2597263"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p>
The reverse zone file for the loopback address as shown in <a href="appendix.html#dnsloopy" title="Example&nbsp;A.4.&nbsp;DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">Example A.4</a>
is necessary so that references to the address <tt class="constant">127.0.0.1</tt> can be
resolved to the correct name of the interface.
</p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example&nbsp;A.4.&nbsp;DNS Localhost Reverse Zone File: <tt class="filename">/var/lib/named/127.0.0.zone</tt></b></p><pre class="screen">
$TTL 1W
@               IN SOA  localhost.   root.localhost. (
                        42              ; serial
                        2D              ; refresh
                        4H              ; retry
                        6W              ; expiry
                        1W )            ; minimum

                IN NS           localhost.
1               IN PTR          localhost.
</pre></div><div class="example"><a name="roothint"></a><p class="title"><b>Example&nbsp;A.5.&nbsp;DNS Root Name Server Hint File: <tt class="filename">/var/lib/named/root.hint</tt></b></p><pre class="screen">
; This file is made available by InterNIC under anonymous FTP as
;       file            /domain/named.root
;       on server       FTP.INTERNIC.NET
; last update: Nov 5, 2002. Related version of root zone: 2002110501
; formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
; formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
; formerly C.PSI.NET
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
; formerly TERP.UMD.EDU
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
; formerly NS.NASA.GOV
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
; formerly NS.ISC.ORG
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
; formerly NS.NIC.DDN.MIL
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
; formerly AOS.ARL.ARMY.MIL
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
; formerly NIC.NORDU.NET
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
; operated by VeriSign, Inc.
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
; housed in LINX, operated by RIPE NCC
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
; operated by IANA
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
; housed in Japan, operated by WIDE
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File
</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2597403"></a>DNS Root Server Hint File</h3></div></div></div><p>
The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example&nbsp;A.5.&nbsp;DNS Root Name Server Hint File: /var/lib/named/root.hint">Example A.5</a> changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size this file is located at the end of this appendix.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id2597434"></a><a class="indexterm" name="id2597446"></a>
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2597463"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id2597470"></a><a class="indexterm" name="id2597478"></a><a class="indexterm" name="id2597489"></a>
The first step to get the LDAP server ready for action is to create the LDIF file from
which the LDAP database will be preloaded. This is necessary to create the containers
into which the user, group, and other accounts are written. It is also necessary to
preload the well-known Windows NT Domain Groups, as they must have the correct SID so
that they can be recognized as special NT Groups by the MS Windows clients.
</p><div class="procedure"><a name="ldapinit"></a><ol type="1"><li><p>
Create a directory in which to store the files you use to generate
the LDAP LDIF file for your system.
Execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir /etc/openldap/SambaInit
<tt class="prompt">root# </tt> chown root.root /etc/openldap/SambaInit
<tt class="prompt">root# </tt> chmod 700 /etc/openldap/SambaInit
</pre><p>
</p></li><li><p>
Install the files shown in <a href="appendix.html#ch6-ldapreconfa" title="Example&nbsp;A.6.&nbsp;LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">Example A.6</a>, <a href="appendix.html#ch6-ldapreconfb" title="Example&nbsp;A.7.&nbsp;LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">Example A.7</a>,
and <a href="appendix.html#ch6-ldapreconfc" title="Example&nbsp;A.8.&nbsp;LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">Example A.8</a> as the file
<tt class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh</tt>. These three files are,
respectively, Part A, B, and C of the <tt class="filename">SMBLDAP-ldif-preconfig.sh</tt> file.
</p></li><li><p>
Install the files shown in <a href="appendix.html#ch6-ldifpata" title="Example&nbsp;A.9.&nbsp;LDIF Pattern File Used to Pre-configure LDAP Part A">Example A.9</a> and <a href="appendix.html#ch6-ldifpatb" title="Example&nbsp;A.10.&nbsp;LDIF Pattern File Used to Pre-configure LDAP Part B">Example A.10</a> as the file
<tt class="filename">/etc/openldap/SambaInit/init-ldif.pat</tt>. These two files are
Part A and B, respectively, of the <tt class="filename">init-ldif.pat</tt> file.
</p></li><li><p>
Change to the <tt class="filename">/etc/openldap/SambaInit</tt> directory. Execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> ./SMBLDAP-ldif-preconfig.sh

How do you wish to refer to your organization?
Suggestions:
    Black Tire Company, Inc.
    Cat With Hat Ltd.
How would you like your organization name to appear?
Your organization name is: My Organization
Enter a new name is this is not what you want, press Enter to Continue.
Name [My Organization]: Abmas Inc.

Samba Config File Location [/etc/samba/smb.conf]:
Enter a new full path or press Enter to continue.
Samba Config File Location [/etc/samba/smb.conf]:
Domain Name: MEGANET2
Domain SID: S-1-5-21-3504140859-1010554828-2431957765

The name of your Internet domain is now needed in a special format
as follows, if your domain name is mydomain.org, what we need is
the information in the form of:
    Domain ID: mydomain
    Top level: org
If your fully qualified hostname is: snoopy.bazaar.garagesale.net
where "snoopy" is the name of the machine,
Then the information needed is:
    Domain ID: garagesale
    Top Level: net

Found the following domain name: abmas.biz
I think the bit we are looking for might be: abmas
Enter the domain name or press Enter to continue:

The top level organization name I will use is: biz
Enter the top level org name or press Enter to continue:
<tt class="prompt">root# </tt>
</pre><p>
This creates a file called <tt class="filename">MEGANET2.ldif</tt>.
</p></li><li><p>
It is now time to preload the LDAP database with the following
command:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapadd -v -l MEGANET2.ldif
added: "dc=abmas,dc=biz" (00000001)
added: "cn=Manager,dc=abmas,dc=biz" (00000002)
added: "ou=People,dc=abmas,dc=biz" (00000003)
added: "ou=Computers,dc=abmas,dc=biz" (00000004)
added: "ou=Groups,dc=abmas,dc=biz" (00000005)
added: "ou=Domains,dc=abmas,dc=biz" (00000006)
added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
</pre><p>
You should verify that the account information was correctly loaded by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapcat
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: Abmas Inc.
description: Posix and Samba LDAP Identity Database
structuralObjectClass: organization
entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
creatorsName: cn=manager,dc=abmas,dc=biz
modifiersName: cn=manager,dc=abmas,dc=biz
createTimestamp: 20031217055747Z
modifyTimestamp: 20031217055747Z
entryCSN: 2003121705:57:47Z#0x0001#0#0000
...

dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: domusers
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users
structuralObjectClass: posixGroup
entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
creatorsName: cn=manager,dc=abmas,dc=biz
modifiersName: cn=manager,dc=abmas,dc=biz
createTimestamp: 20031217055747Z
modifyTimestamp: 20031217055747Z
entryCSN: 2003121705:57:47Z#0x000a#0#0000
</pre><p>
</p></li><li><p>
Your LDAP database is ready for testing. You can now start the LDAP server
using the system tool for your Linux operating system. For SUSE Linux, you can
do this as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap start
</pre><p>
</p></li><li><p>
It is now a good idea to validate that the LDAP server is running correctly.
Execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
# extended LDIF
#
# LDAPv3
# base &lt;dc=abmas,dc=biz&gt; with scope sub
# filter: (ObjectClass=*)
# requesting: ALL
#

# abmas.biz
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: Abmas Inc.
description: Posix and Samba LDAP Identity Database
...
# domusers, Groups, abmas.biz
dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: domusers
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users

# search result
search: 2
result: 0 Success

# numResponses: 11
# numEntries: 10
</pre><p>
Your LDAP server is ready for creation of additional accounts.
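The steps above verify the preloaded entries by reading the slapcat and ldapsearch output by eye; the following added example (not code from the Samba book or from the SMBLDAP scripts) does the same check programmatically: it parses an LDIF dump, takes the domain SID from the sambaDomain entry, and confirms that every sambaGroupMapping entry carries a SID of that domain, that no RID is reused, and that the well-known groups with RIDs 512, 513 and 514 are present as domain groups. The sample LDIF is constructed from the entries shown above; the RID numbers are fixed by Windows NT rather than stated on this page.

```python
# Added example for this appendix, not code from the Samba book or from the
# SMBLDAP scripts: check the well-known domain groups in an LDIF dump such as
# the slapcat or "ldapsearch -x" output shown above.

# Well-known NT domain group RIDs. Windows clients recognise these groups by
# SID, so each entry must carry <domain SID>-<RID>.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
DOMAIN_GROUP_TYPE = "2"  # sambaGroupType 2 = domain (global) group, as in the slapcat output


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values]. Handles folded lines
    (a continuation starts with one space) and skips ldapsearch's '#' comment lines."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold onto the previous logical line
            continue
        if raw.strip():
            lines.append(raw)
            continue
        for line in lines:  # a blank line means the entry is complete
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
        if current:
            entries.append(current)
        current, lines = {}, []
    return entries


def check_domain_groups(ldif_text):
    """Return a list of problems; an empty list means the groups look right."""
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries if "sambaDomainName" in e]
    if len(domains) != 1:
        return ["expected exactly one sambaDomain entry, found %d" % len(domains)]
    domain_sid = domains[0]["sambaSID"][0]
    problems, seen = [], {}
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        name = e.get("cn", ["?"])[0]
        sid = e.get("sambaSID", [""])[0]
        prefix, _, rid = sid.rpartition("-")
        if prefix != domain_sid or not rid.isdigit():
            problems.append("%s: sambaSID %r does not belong to domain %s" % (name, sid, domain_sid))
            continue
        rid = int(rid)
        if rid in seen:
            problems.append("%s: RID %d is already used by %s" % (name, rid, seen[rid]))
        seen[rid] = name
        if rid in WELL_KNOWN_GROUP_RIDS and e.get("sambaGroupType", [""])[0] != DOMAIN_GROUP_TYPE:
            problems.append("%s: sambaGroupType must be %s for a domain group" % (name, DOMAIN_GROUP_TYPE))
    for rid, title in WELL_KNOWN_GROUP_RIDS.items():
        if rid not in seen:
            problems.append("missing well-known group %s (RID %d)" % (title, rid))
    return problems


# Constructed sample modelled on the slapcat output shown above; the domain SID
# is the one used throughout this appendix.
SAMPLE_LDIF = """\
dn: dc=abmas,dc=biz
objectClass: dcObject
description: Posix and Samba LDAP
  Identity Database

dn: sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz
objectClass: sambaDomain
sambaDomainName: MEGANET2
sambaSID: S-1-5-21-3504140859-1010554828-2431957765

dn: cn=domadmins,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: domadmins
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-512
sambaGroupType: 2

dn: cn=domguests,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: domguests
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-514
sambaGroupType: 2

dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: domusers
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
sambaGroupType: 2
"""
```

Run `check_domain_groups(open("dump.ldif").read())` against a real slapcat dump; a non-empty result lists which group is missing or carries a SID from the wrong domain.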
</p></li></ol></div></div><div class="example"><a name="ch6-ldapreconfa"></a><p class="title"><b>Example A.6. LDAP Pre-configuration Script: <tt class="filename">SMBLDAP-ldif-preconfig.sh</tt> Part A</b></p><pre class="screen">
#!/bin/bash
#
# This script prepares the ldif LDAP load file only
#

# Pattern File Name
file=init-ldif.pat

# The name of my organization
ORGNAME="My Organization"

# My Internet domain. i.e., if my domain is: buckets.org, INETDOMAIN="buckets"
INETDOMAIN="my-domain"

# In the above case, my domain is: buckets.org, TLDORG="org"
TLDORG="org"

# This is the Samba Domain/Workgroup Name
DOMNAME="MYWORKGROUP"

#
# Here We Go ...
#

cat &lt;&lt;EOF

How do you wish to refer to your organization?

Suggestions:
    Black Tire Company, Inc.
    Cat With Hat Ltd.

How would you like your organization name to appear?

EOF

echo "Your organization name is: $ORGNAME"
echo
echo "Enter a new name or, press Enter to Continue."
echo
</pre></div><div class="example"><a name="ch6-ldapreconfb"></a><p class="title"><b>Example A.7. LDAP Pre-configuration Script: <tt class="filename">SMBLDAP-ldif-preconfig.sh</tt> Part B</b></p><pre class="screen">
echo -e -n "Name [$ORGNAME]: "
    read name

if [ ! -z "$name" ]; then
    ORGNAME=${name}
fi
echo
sed "s/ORGNAME/${ORGNAME}/g" &lt; $file &gt; $file.tmp1

# Try to find smb.conf

if [ -e /usr/local/samba/lib/smb.conf ]; then
    CONF=/usr/local/samba/lib/smb.conf
elif [ -e /etc/samba/smb.conf ]; then
    CONF=/etc/samba/smb.conf
fi

echo "Samba Config File Location [$CONF]: "
echo
echo "Enter a new full path or press Enter to continue."
echo
echo -n "Samba Config File Location [$CONF]: "
    read name
if [ ! -z "$name" ]; then
    CONF=$name
fi
echo

# Find the name of our Domain/Workgroup
DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
echo Domain Name: $DOMNAME
echo

sed "s/DOMNAME/${DOMNAME}/g" &lt; $file.tmp1 &gt; $file.tmp2

DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
echo Domain SID: $DOMSID

sed "s/DOMSID/${DOMSID}/g" &lt; $file.tmp2 &gt; $file.tmp1
</pre></div><div class="example"><a name="ch6-ldapreconfc"></a><p class="title"><b>Example A.8. LDAP Pre-configuration Script: <tt class="filename">SMBLDAP-ldif-preconfig.sh</tt> Part C</b></p><pre class="screen">
# Here-document (cat &lt;&lt;EOL); "cat &gt;&gt;EOL" would instead wait on stdin and append to a file named EOL
cat &lt;&lt;EOL
The name of your Internet domain is now needed in a special format
as follows, if your domain name is mydomain.org, what we need is
the information in the form of:
    Domain ID: mydomain
    Top level: org

If your fully qualified hostname is: snoopy.bazaar.garagesale.net
where "snoopy" is the name of the machine,
Then the information needed is:
    Domain ID: garagesale
    Top Level: net

EOL
INETDOMAIN=`hostname -d | cut -f1 -d.`
echo Found the following domain name: `hostname -d`
echo "I think the bit we are looking for might be: $INETDOMAIN"
echo
echo -n "Enter the domain name or press Enter to continue: "
    read domnam
# Quote the variable so an empty answer does not leave "[ ! -z ]" with a missing operand
if [ ! -z "$domnam" ]; then
    INETDOMAIN=$domnam
fi
echo
sed "s/INETDOMAIN/${INETDOMAIN}/g" &lt; $file.tmp1 &gt; $file.tmp2
TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
echo "The top level organization name I will use is: ${TLDORG}"
echo
echo -n "Enter the top level org name or press Enter to continue: "
    read domnam
if [ ! -z "$domnam" ]; then
    TLDORG=$domnam
fi
sed "s/TLDORG/${TLDORG}/g" &lt; $file.tmp2 &gt; $DOMNAME.ldif
rm $file.tmp*
exit 0
</pre></div><div class="example"><a name="ch6-ldifpata"></a><p class="title"><b>Example A.9. LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><pre class="screen">
dn: dc=INETDOMAIN,dc=TLDORG
objectClass: dcObject
objectClass: organization
dc: INETDOMAIN
o: ORGNAME
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Idmap

dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG
objectClass: top
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
objectClass: sambaDomain
sambaDomainName: DOMNAME
sambaSID: DOMSID
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
</pre></div><div class="example"><a name="ch6-ldifpatb"></a><p class="title"><b>Example A.10. LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><pre class="screen">
dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: domadmins
sambaSID: DOMSID-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Administrators

dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: domguests
sambaSID: DOMSID-514
sambaGroupType: 2
displayName: Domain Guests
description: Domain Guests Users

dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: domusers
sambaSID: DOMSID-513
sambaGroupType: 2
displayName: Domain Users
description: Domain Users
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2598029"></a>The LDAP Account Manager</h2></div></div></div><p><a class="indexterm" name="id2598036"></a><a class="indexterm" name="id2598044"></a><a class="indexterm" name="id2598055"></a><a class="indexterm" name="id2598063"></a><a class="indexterm" name="id2598070"></a><a class="indexterm" name="id2598078"></a><a class="indexterm" name="id2598086"></a>
The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
server either using unencrypted connections or via SSL. LAM can be used to manage
Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
(hosts).
</p><p>
LAM is available from the <a href="http://sourceforge.net/projects/lam/" target="_top">LAM</a>
home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
The current version of LAM is 0.4.3. Release of version 0.5 is expected some time early
in 2004.
</p><p><a class="indexterm" name="id2598118"></a><a class="indexterm" name="id2598126"></a><a class="indexterm" name="id2598134"></a>
Requirements:
</p><div class="itemizedlist"><ul type="disc"><li><p>A Web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">PHP</a> home page).</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional since version 0.4.3).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p>
LAM is a useful tool that provides a simple Web-based interface for managing the
contents of the LDAP directory. It can:<a class="indexterm" name="id2598198"></a><a class="indexterm" name="id2598206"></a><a class="indexterm" name="id2598214"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Set LAM administrator accounts.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Work with both Samba-2.2.x and Samba-3.</p></li></ul></div><p>
When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
user, group, and Windows domain member machine accounts.
</p><p><a class="indexterm" name="id2598274"></a><a class="indexterm" name="id2598282"></a><a class="indexterm" name="id2598290"></a><a class="indexterm" name="id2598297"></a>
The default password is “<span class="quote"><span class="emphasis"><em>lam.</em></span></span>” It is highly recommended that you use only
an SSL connection to your Web server for all remote operations involving LAM. If you
want secure connections, you must configure your Apache Web server to permit connections
to LAM using only SSL.
</p><div class="procedure"><a name="ch6-laminst"></a><ol type="1"><li><p>
Extract the LAM package with:
</p><pre class="screen">
<tt class="prompt">root# </tt> tar xzf ldap-account-manager_0.4.3.tar.gz
</pre><p>
Alternately, install the LAM RPM for your system, for example:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -Uvh ldap-account-manager-0.4.3-1.noarch.rpm
</pre><p>
</p></li><li><p>
Copy the extracted files to the document root directory of your Web server.
For example, on SuSE Linux Enterprise Server 8, copy to the
<tt class="filename">/srv/web/htdocs</tt> directory.
</p></li><li><p><a class="indexterm" name="id2598375"></a>
Set file permissions using the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> chown -R wwwrun.www /srv/www/htdocs/lam
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/sess
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/tmp
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/config
<tt class="prompt">root# </tt> chmod 755 /srv/www/htdocs/lam/lib/*pl
</pre><p>
</p></li><li><p><a class="indexterm" name="id2598429"></a>
Using your favorite editor, create the <tt class="filename">config.cfg</tt>
LAM configuration file:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /srv/www/htdocs/lam/config
<tt class="prompt">root# </tt> cp config.cfg_sample config.cfg
<tt class="prompt">root# </tt> vi config.cfg
</pre><p><a class="indexterm" name="id2598472"></a><a class="indexterm" name="id2598483"></a>
An example file is shown in <a href="appendix.html#lamcfg" title="Example A.11. Example LAM Configuration File config.cfg">Example A.11</a>.
This is the minimum configuration that must be completed. The LAM profile
file can be created using a convenient wizard that is part of the LAM
configuration suite.
</p></li><li><p>
Start your Web server, then, using your Web browser, connect to the
<a href="http://localhost/lam" target="_top">LAM</a> URL. Click on
the <i class="parameter"><tt>Configuration Login</tt></i> link, then click on the
Configuration Wizard link to begin creation of the default profile so that
LAM can connect to your LDAP server. Alternately, copy the
<tt class="filename">lam.conf_sample</tt> file to a file called
<tt class="filename">lam.conf</tt> then, using your favorite editor,
change the settings to match local site needs.
</p></li></ol></div><p><a class="indexterm" name="id2598545"></a>
An example of a working file is shown in <a href="appendix.html#lamconf" title="Example A.12. LAM Profile Control File lam.conf">Example A.12</a>.
This file has been stripped of comments to keep the size small. The comments
and help information provided in the profile file that the wizard creates
are very useful and will help many administrators to avoid pitfalls.
Your configuration file obviously reflects the configuration options that
are preferred at your site.
</p><p><a class="indexterm" name="id2598570"></a>
It is important that your LDAP server is running at the time that LAM is
being configured. This permits you to validate correct operation.
An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure A.6. The LDAP Account Manager Login Screen">Figure A.6</a>.
</p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure A.6. The LDAP Account Manager Login Screen</b></p><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div><p><a class="indexterm" name="id2598636"></a>
The LAM configuration editor has a number of options that must be managed correctly.
An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure A.7. The LDAP Account Manager Configuration Screen">Figure A.7</a>.
It is important that you correctly set the minimum and maximum UID/GID values that are
permitted for use at your site. The default values may not be compatible with a need to
modify initial default account values for well-known Windows network users and groups.
The best work-around is to temporarily set the minimum values to zero (0) to permit
the initial settings to be made. Do not forget to reset these to sensible values before
using LAM to add additional users and groups.
</p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure A.7. The LDAP Account Manager Configuration Screen</b></p><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div><p><a class="indexterm" name="id2598711"></a>
LAM has some nice, but unusual, features. For example, one unexpected feature in most application
screens permits the generation of a PDF file that lists configuration information. This is a well
thought out facility. This option has been edited out of the following screen shots to conserve
space.
</p><p><a class="indexterm" name="id2598727"></a>
When you log onto LAM, the opening screen drops you right into the user manager, as shown in
<a href="appendix.html#lam-user" title="Figure A.8. The LDAP Account Manager User Edit Screen">Figure A.8</a>. This is a logical action, as it permits the most-needed facility
to be used immediately. The editing of an existing user, as with the addition of a new user,
is easy to follow and very clear in both layout and intent. It is a simple matter to edit
generic settings, UNIX-specific parameters, and then Samba account requirements. Each step
involves clicking a button that intuitively drives you through the process. When you have
finished editing, simply press the <span class="guimenu">Final</span> button.
</p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure A.8. The LDAP Account Manager User Edit Screen</b></p><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div><p>
The edit screen for groups is shown in <a href="appendix.html#lam-group" title="Figure A.9. The LDAP Account Manager Group Edit Screen">Figure A.9</a>. As with the edit screen
for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure A.10. The LDAP Account Manager Group Membership Edit Screen">Figure A.10</a>
shows a sub-screen from the group editor that permits users to be assigned secondary group
memberships.
</p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure A.9. The LDAP Account Manager Group Edit Screen</b></p><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure A.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div><p><a class="indexterm" name="id2598913"></a><a class="indexterm" name="id2598920"></a>
The final screen presented here is one that you should not normally need to use. Host accounts will
be automatically managed using the smbldap-tools scripts. This means that the screen shown in <a href="appendix.html#lam-host" title="Figure A.11. The LDAP Account Manager Host Edit Screen">Figure A.11</a>
will, in most cases, not be used.
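</p>
<p>
Two settings in the profile deserve a second look once the initial well-known accounts exist: the <tt class="constant">MinUID</tt>/<tt class="constant">MinGID</tt> floors that were temporarily set to zero, and the <tt class="constant">ServerURL</tt>, since LAM performs a simple bind with the <tt class="constant">Passwd</tt> value and an <tt class="constant">ldap://</tt> URL to a remote host sends that password unencrypted. The following Python is an added example, not part of the book or of LAM: it parses the <tt class="filename">config.cfg</tt> and <tt class="filename">lam.conf</tt> key/value format shown in Examples A.11 and A.12 and reports those conditions, along with an unchanged default profile password and a <tt class="constant">pwdhash</tt> of <tt class="constant">PLAIN</tt>. The sample files are constructed copies of the book's examples; the hardened variant assumes that LAM accepts an <tt class="constant">ldaps://</tt> URL for its SSL connection, and the function names are this example's own.
</p>

```python
from typing import Dict, List
from urllib.parse import urlsplit

def parse_lam_profile(text: str) -> Dict[str, str]:
    """Parse the "key: value" format of config.cfg and lam.conf (comments start with #)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # split on the first colon only: values may contain ':'
        if sep:
            settings[key.strip()] = value.strip()
    return settings

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_lam(profile: Dict[str, str], config: Dict[str, str]) -> List[str]:
    """Return findings for a LAM profile (lam.conf) plus its config.cfg; empty means clean."""
    findings: List[str] = []
    url = profile.get("ServerURL", "")
    parts = urlsplit(url)
    if parts.scheme == "ldap" and parts.hostname not in LOOPBACK_HOSTS:
        findings.append(f"ServerURL {url}: simple bind over plain ldap:// sends the Passwd value "
                        "unencrypted to a remote host; use ldaps:// (assumed supported by LAM's SSL mode)")
    elif parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"ServerURL {url!r} is not an ldap:// or ldaps:// URL")
    for key in ("MinUID", "MinGID"):
        if profile.get(key) == "0":
            findings.append(f"{key} is 0: the book sets this only temporarily for the well-known "
                            "accounts; reset it before adding ordinary users and groups")
    if profile.get("pwdhash", "").upper() == "PLAIN":
        findings.append("pwdhash is PLAIN: user passwords would be stored unhashed; the book uses SSHA")
    if config.get("password") == "lam":
        findings.append("config.cfg still uses LAM's default profile-editing password 'lam'")
    return findings

# Constructed copies of the values in Examples A.11 and A.12 (abridged).
SAMPLE_CONFIG_CFG = """\
# password to add/delete/rename configuration profiles
password: not24get

# default profile, without ".conf" (a profile name, not a password)
default: lam
"""

SAMPLE_LAM_CONF = """\
ServerURL: ldap://massive.abmas.org:389
Admins: cn=Manager,dc=abmas,dc=biz
Passwd: not24get
usersuffix: ou=People,dc=abmas,dc=biz
groupsuffix: ou=Groups,dc=abmas,dc=biz
MinUID: 0
MaxUID: 65535
MinGID: 0
MaxGID: 65535
MinMachine: 20000
MaxMachine: 25000
defaultLanguage: en_GB:ISO-8859-1:English (Britain)
samba3: yes
pwdhash: SSHA
"""

# The same profile once the initial accounts exist: SSL to the directory, sane floors (constructed).
HARDENED_LAM_CONF = (SAMPLE_LAM_CONF
                     .replace("ldap://massive.abmas.org:389", "ldaps://massive.abmas.org:636")
                     .replace("MinUID: 0", "MinUID: 1000")
                     .replace("MinGID: 0", "MinGID: 1000"))

if __name__ == "__main__":
    config = parse_lam_profile(SAMPLE_CONFIG_CFG)
    for name, conf in (("book example", SAMPLE_LAM_CONF), ("hardened", HARDENED_LAM_CONF)):
        findings = audit_lam(parse_lam_profile(conf), config)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

<p>
Run against the book's values the audit reports three findings (the plain <tt class="constant">ldap://</tt> URL and the two zero floors); the hardened profile reports none. Note that <tt class="constant">default: lam</tt> in <tt class="filename">config.cfg</tt> names the profile file, not the password; only <tt class="constant">password:</tt> is compared with the default.
</p>
<p>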
</p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure A.11. The LDAP Account Manager Host Edit Screen</b></p><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div><p>
One aspect of LAM that may annoy some users is the way it forces certain conventions on
the administrator. For example, LAM does not permit the creation of Windows user and group
accounts that contain upper-case characters or spaces, even though the underlying UNIX/Linux
operating system may exhibit no problems with them. Given the propensity for using upper-case
characters and spaces (particularly in the default Windows account names), this may cause
some annoyance. For the rest, LAM is a very useful administrative tool.
</p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example A.11. Example LAM Configuration File <tt class="filename">config.cfg</tt></b></p><pre class="screen">
# password to add/delete/rename configuration profiles
password: not24get

# default profile, without ".conf"
default: lam
</pre></div><div class="example"><a name="lamconf"></a><p class="title"><b>Example A.12. LAM Profile Control File <tt class="filename">lam.conf</tt></b></p><pre class="screen">
ServerURL: ldap://massive.abmas.org:389
Admins: cn=Manager,dc=abmas,dc=biz
Passwd: not24get
usersuffix: ou=People,dc=abmas,dc=biz
groupsuffix: ou=Groups,dc=abmas,dc=biz
hostsuffix: ou=Computers,dc=abmas,dc=biz
domainsuffix: ou=Domains,dc=abmas,dc=biz
MinUID: 0
MaxUID: 65535
MinGID: 0
MaxGID: 65535
MinMachine: 20000
MaxMachine: 25000
userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
grouplistAttributes: #cn;#gidNumber;#memberUID;#description
hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
maxlistentries: 30
defaultLanguage: en_GB:ISO-8859-1:English (Britain)
scriptPath:
scriptServer:
samba3: yes
cachetimeout: 5
pwdhash: SSHA
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id2599069"></a><a class="indexterm" name="id2599076"></a><p>
The setting of the SUID/SGID bits on the file or directory permissions flag has particular
consequences. If the file is executable and the SUID bit is set, it executes with the privilege
of (with the UID of) the owner of the file. For example, if you are logged onto a system as
a normal user (let's say as the user <tt class="constant">bobj</tt>), and you execute a file that is owned
by the user <tt class="constant">root</tt> (uid = 0), and the file has the SUID bit set, then the file is
executed as if you had logged in as the user <tt class="constant">root</tt> and then executed the file.
The SUID bit effectively gives you (as <tt class="constant">bobj</tt>) administrative privilege for the
use of that executable file.
</p><p>
The setting of the SGID bit does precisely the same as the SUID bit, except that it
applies the privilege to the UNIX group setting. In other words, the file executes with the
privileges of the group that owns it.
</p><p>
When the SUID/SGID permissions are set on a directory, all files that are created within that directory
are automatically given the ownership of the SUID user and the SGID group, as per the ownership
of the directory in which the file is created. This means that the system level <span><b class="command">create()</b></span>
function executes with the SUID user and/or SGID group of the directory in which the file is
created.
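</p>
<p>
In practice these bits are read off the mode column of <tt class="command">ls -al</tt>, as in the listings that follow. The Python below is an added example, written for this appendix and not taken from Samba or the book: it converts between the ten-character <tt class="command">ls</tt> mode string and numeric mode bits, applies symbolic <tt class="command">chmod</tt> clauses such as the <tt class="constant">u+s</tt>, <tt class="constant">g+s</tt> and <tt class="constant">ug+s</tt> forms used here (and the general who/operator/permission grammar they belong to), and explains what each special bit does. It also records two caveats the listings do not spell out: an upper-case <tt class="constant">S</tt> or <tt class="constant">T</tt> in the column means the special bit is set without the matching execute bit, and on Linux the SUID bit on a directory has no effect on who owns files created in it; only SGID makes new files take the directory's group. Function names and the sample modes are this example's own.
</p>

```python
import re
import stat
from typing import List, Tuple

# One bit per character of 'ls' "rwxrwxrwx" field, in column order.
PERM_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Execute columns that also display a special bit: (bit, letter shown when execute is set too).
SPECIAL = {2: (stat.S_ISUID, "s"), 5: (stat.S_ISGID, "s"), 8: (stat.S_ISVTX, "t")}

def parse_mode_string(text: str) -> int:
    """Turn the 10-character ls mode column (e.g. "drwsrwsr-x") into numeric mode bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit = PERM_BITS[i]
        if ch == "rwxrwxrwx"[i]:
            mode |= bit
        elif i in SPECIAL and ch.lower() == SPECIAL[i][1]:
            mode |= SPECIAL[i][0]
            if ch.islower():          # lower case: special bit AND execute; upper case: special bit only
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 1}")
    return mode

def format_mode(mode: int, is_dir: bool = False) -> str:
    """Inverse of parse_mode_string."""
    out = ["d" if is_dir else "-"]
    for i, bit in enumerate(PERM_BITS):
        if i in SPECIAL and mode & SPECIAL[i][0]:
            out.append(SPECIAL[i][1] if mode & bit else SPECIAL[i][1].upper())
        else:
            out.append("rwxrwxrwx"[i] if mode & bit else "-")
    return "".join(out)

WHO_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR, "s": stat.S_ISUID},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP, "s": stat.S_ISGID},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}

def apply_symbolic(mode: int, spec: str) -> int:
    """Apply chmod-style symbolic clauses such as "u+s", "ug+s" or "g-s,o-w" to a mode."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+-])([rwxst]+)", clause)
        if not m:
            raise ValueError(f"unsupported clause {clause!r}")
        who, op, perms = m.groups()
        who = "ugo" if not who or "a" in who else who
        bits = 0
        for w in who:
            for p in perms:
                bits |= WHO_BITS[w].get(p, 0)   # "o+s" sets nothing, as with chmod
        if "t" in perms:
            bits |= stat.S_ISVTX               # the sticky bit is not tied to a "who"
        mode = (mode | bits) if op == "+" else (mode & ~bits)
    return mode & 0o7777

def describe_special_bits(mode: int, is_dir: bool) -> List[str]:
    """Plain-language meaning of the special bits for a file or a directory."""
    notes: List[str] = []
    if mode & stat.S_ISUID:
        if is_dir:
            notes.append("SUID on a directory: Linux ignores it for file creation "
                         "(some BSDs honour it only with a special mount option)")
        elif mode & stat.S_IXUSR:
            notes.append("SUID: the program runs with the file owner's UID")
        else:
            notes.append("SUID without owner execute (shown as 'S'): no effect")
    if mode & stat.S_ISGID:
        if is_dir:
            notes.append("SGID on a directory: new files and subdirectories take the directory's group")
        elif mode & stat.S_IXGRP:
            notes.append("SGID: the program runs with the file's group")
        else:
            notes.append("SGID without group execute (shown as 'S'): confers no group privilege")
    if is_dir and mode & stat.S_ISVTX:
        notes.append("sticky directory: only a file's owner, the directory owner or root may delete or rename it")
    return notes

def predicted_new_file_owner(dir_mode: int, dir_group: str,
                             creator: str, creator_group: str) -> Tuple[str, str]:
    """Linux rule: the creator always owns a new file; SGID on the directory decides its group.
    The directory's owner and its SUID bit play no part, which is why they are not parameters."""
    return creator, (dir_group if dir_mode & stat.S_ISGID else creator_group)

if __name__ == "__main__":
    before = parse_mode_string("drwxrwxrwx")            # the listing before chmod ug+s
    after = apply_symbolic(before, "ug+s")
    print(format_mode(before, True), "becomes", format_mode(after, True), oct(after))
    for note in describe_special_bits(after, is_dir=True):
        print(" -", note)
    print(predicted_new_file_owner(after, "Domain Users", "maryv", "Accounts"))
```

<p>
With the directory modes from the listings below, <tt class="function">predicted_new_file_owner</tt> gives <tt class="constant">("maryv", "Domain Users")</tt> once SGID is set and <tt class="constant">("maryv", "Accounts")</tt> before, which is the Linux behaviour to compare against whatever your own system prints.
</p>
<p>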
</p><p>
If you want to obtain the SUID behavior, simply execute the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> chmod u+s file-or-directory
</pre><p>
To set the SGID properties on a file or a directory, execute this command:
</p><pre class="screen">
<tt class="prompt">root# </tt> chmod g+s file-or-directory
</pre><p>
And to set both SUID and SGID properties, execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> chmod ug+s file-or-directory
</pre><p>
</p><p>
Let's consider the example of a directory <tt class="filename">/data/accounts</tt>. The permissions on this
directory before setting both SUID and SGID on this directory are:
</p><pre class="screen">
<tt class="prompt">root# </tt> ls -al /data/accounts
total 1
drwxr-xr-x   10 root  root            232 Dec 18 17:08 .
drwxr-xr-x   21 root  root            600 Dec 17 23:15 ..
drwxrwxrwx    2 bobj  Domain Users     48 Dec 18 17:08 accounts/
drwx------    2 root  root             48 Jan 26  2002 lost+found
</pre><p>
In this example, if the user <tt class="constant">maryv</tt> creates a file, it would be owned by her.
If <tt class="constant">maryv</tt> has the primary group of <tt class="constant">Accounts</tt>, the file is
owned by the group <tt class="constant">Accounts</tt>, as shown in this listing:
</p><pre class="screen">
<tt class="prompt">root# </tt> ls -al /data/accounts/maryvfile.txt
drw-rw-r--    2 maryv Accounts      12346 Dec 18 17:53
</pre><p>
</p><p>
Now you set the SUID and SGID and check the result as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> chmod ug+s /data/accounts
<tt class="prompt">root# </tt> ls -al /data/accounts
total 1
drwxr-xr-x   10 root  root            232 Dec 18 17:08 .
drwxr-xr-x   21 root  root            600 Dec 17 23:15 ..
drwsrwsr-x    2 bobj  Domain Users     48 Dec 18 17:08 accounts
drwx------    2 root  root             48 Jan 26  2002 lost+found
</pre><p>
If <tt class="constant">maryv</tt> creates a file in this directory after this change has been made, the
file is owned by the user <tt class="constant">bobj</tt>, and the group is set to the group
<tt class="constant">Domain Users</tt>, as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> chmod ug+s /data/accounts
<tt class="prompt">root# </tt> ls -al /data/accounts/maryvfile.txt
total 1
drw-rw-r--    2 bobj  Domain Users  12346 Dec 18 18:11 maryvfile.txt
</pre><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id2599307"></a><a class="indexterm" name="id2599315"></a>
The integrity of shared data is often viewed as a particularly emotional issue, especially where
there are concurrent problems with multi-user data access. Contrary to the assertions of some who have
experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
</p><p>
The solution to concurrent multi-user data access problems must consider three separate areas
from which the problem may stem:<a class="indexterm" name="id2599338"></a><a class="indexterm" name="id2599350"></a><a class="indexterm" name="id2599361"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>application-level locking controls.</p></li><li><p>client-side locking controls.</p></li><li><p>server-side locking controls.</p></li></ul></div><p><a class="indexterm" name="id2599394"></a><a class="indexterm" name="id2599402"></a>
Many database applications use some form of application-level access control. An example of one
well-known application that uses application-level locking is Microsoft Access. Detailed guidance
is provided, given that this is the most common application for which problems have been reported.
</p><p><a class="indexterm" name="id2599418"></a><a class="indexterm" name="id2599426"></a>
Common applications that are affected by client- and server-side locking controls include MS
Excel and Act!. Important locking guidance is provided here.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599439"></a>Microsoft Access</h3></div></div></div><p>
The best advice that can be given is to carefully read the Microsoft knowledge base articles that
cover this area. Examples of relevant documents include:
</p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id2599466"></a><a class="indexterm" name="id2599477"></a>
Make sure that your MS Access database file is configured for multi-user access (not set for
exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set the network path to Default database folder: <tt class="filename">\\server\share\folder</tt>.
</p><p>
You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>.
Set:<a class="indexterm" name="id2599528"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record-level locking</p></li></ul></div><p><a class="indexterm" name="id2599557"></a>
You must now commit the changes so that they will take effect. To do so, click
<span class="guimenu">Apply</span>, then <span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart
it, and then validate that these settings have not changed.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599586"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id2599593"></a><a class="indexterm" name="id2599601"></a>
Where the server sharing the ACT! database(s) is running Samba, Windows NT, 200x or XP, you
must disable opportunistic locking on the server and all workstations. Failure to do so
results in data corruption. This information is available from the Act! Web site
knowledge-base articles
<a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a>
as well as from article
<a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>.
</p><p><a class="indexterm" name="id2599631"></a><a class="indexterm" name="id2599639"></a>
These documents clearly state that opportunistic locking must be disabled on both
the server (Samba in the case we are interested in here), as well as on every workstation
from which the centrally shared Act! database will be accessed. Act! provides
a tool called <span><b class="command">Act!Diag</b></span> that may be used to disable all workstation
registry settings that may otherwise interfere with the operation of Act!
Registered Act! users may download this utility from the Act! Web
<a href="http://www.act.com/support/updates/index.cfm" target="_top">site</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599670"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id2599677"></a>
Third-party Windows applications may not be compatible with the use of opportunistic file
and record locking. For applications that are known not to be compatible,<sup>[<a name="id2599689" href="#ftn.id2599689">14</a>]</sup> oplock
support may need to be disabled both on the Samba server and on the Windows workstations.
</p><p><a class="indexterm" name="id2599704"></a><a class="indexterm" name="id2599711"></a><a class="indexterm" name="id2599719"></a>
Oplocks enable a Windows client to cache parts of a file that are being
edited. Another Windows client may then request to open the file with the
ability to write to it. The server will then ask the original workstation
that had the file open with a write lock to release its lock. Before
doing so, that workstation must flush the file from cache memory to the
disk or network drive.
</p><p><a class="indexterm" name="id2599741"></a>
Disabling oplocks may require both server and client changes.
Oplocks may be disabled by file, by file pattern, on the share, or on the
Samba server.
</p><p>
The following are examples showing how oplock support may be managed using
Samba <tt class="filename">smb.conf</tt> file settings:
</p><pre class="screen">
By file:        veto oplock files = myfile.mdb

By pattern:     veto oplock files = /*.mdb/

On the share:   oplocks = No
                level2 oplocks = No

On the server:
(in [global])   oplocks = No
                level2 oplocks = No
</pre><p>
</p><p>
The following registry entries on Microsoft Windows XP Professional, 2000 Professional and Windows NT4
workstation clients must be configured as shown here:
</p><pre class="screen">
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableOplocks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"UseOpportunisticLocking"=dword:00000000
</pre><p>
</p><p>
Comprehensive coverage of file and record locking controls is provided in TOSHARG Chapter 13.
The information provided in that chapter was obtained from a wide variety of sources.
</p></div></div></div></body></html>