xref: /netgear-WNDR4500-V1.0.1.40_1.0.68/ap/gpl/samba-3.0.13/docs/htmldocs/Samba-Guide/happy.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�6.�Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="Big500users.html" title="Chapter�5.�The 500-User Office"><link rel="next" href="2000users.html" title="Chapter�7.�A Distributed 2000 User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�6.�Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter�6.�Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2551868">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2552014">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2552114">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2552267">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2552764">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2554409">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2554424">Installation Check-List</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2554594">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#id2556862">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2557579">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#ch6-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2561786">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2561807">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2561902">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2562154">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2562266">Assigning Domain Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2562396">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563152">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563229">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563412">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563923">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563958">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2563992">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2564104">Questions and Answers</a></span></dt></dl></div><p>
	It has been said, &#8220;<span class="quote"><span class="emphasis"><em>A day that is without troubles is not fulfilling.  Rather, give 
	me a day of troubles well handled so that I can be content with my achievements.</em></span></span>&#8221;
	</p><p>
	In the world of computer networks, problems are as varied as the people who create them
	or experience them. The design of the network implemented in the last chapter may 
	create problems for some network users. The following lists some of the problems that
	may occur:
	</p><a class="indexterm" name="id2551436"></a><a class="indexterm" name="id2551443"></a><a class="indexterm" name="id2551452"></a><a class="indexterm" name="id2551458"></a><a class="indexterm" name="id2551465"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
Notice: A significant number of network administrators have responded to the guidance given
below. It should be noted that there are sites that have a single PDC for many hundreds of
concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
are among the factors that will determine the maximum number of Windows clients that
can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
to operate with only a single PDC over a routed network. What is possible is not necessarily
<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with
the message that the domain controller can not be found, or that the user account can not
be found (when you know it exists), that may be an indication that the DC is overloaded or
network bandwidth is overloaded. The guidance given in respect of PDC/BDC ratio to Windows
clients is conservative and if followed will minimize problems - but it is not absolute.
</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>
	    <a class="indexterm" name="id2551508"></a>
		When a Windows client logs onto the network, many data packets are exchanged
		between the client and the server that is providing the network logon services.
		Each request between the client and the server must complete within a specific
		time limit. This is one of the primary factors that govern the installation of
	    <a class="indexterm" name="id2551526"></a>
		multiple domain controllers (usually called secondary or backup controllers).
		As a rough rule, there should be one such backup controller for every
		30 to 150 clients. The actual limits are determined by network operational
		characteristics. 
		</p><p>
		If the domain controller provides only network logon services
		and all file and print activity is handled by Domain Member servers, one Domain	
		Controller per 150 clients on a single network segment may suffice. In any
		case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC)
		per network segment. It is better to have at least one BDC on the network
		segment that has a PDC. If the Domain Controller is also used as a file and
		print server, the number of clients it can service reliably is reduced
		and a common rule is not to exceed 30 machines (Windows workstations plus
		Domain Member servers) per Domain Controller.
		</p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
	    <a class="indexterm" name="id2551576"></a>
		Slow logons and log-offs may be caused by many factors that include:

			</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2551590"></a><a class="indexterm" name="id2551606"></a>
				Excessive delays in the resolution of a NetBIOS name to its IP
				address. This may be observed when an overloaded domain controller 
				is also the WINS server. Another cause may be the failure to use
				a WINS server (this assumes that there is a single network segment).
				</p></li><li><p><a class="indexterm" name="id2551626"></a><a class="indexterm" name="id2551634"></a><a class="indexterm" name="id2551642"></a>
				Network traffic collisions due to overloading of the network
				segment  one short-term workaround to this may be to replace
				network HUBs with Ether-switches.
				</p></li><li><p><a class="indexterm" name="id2551660"></a>
				Defective networking hardware. Over the past few years, we have seen
				on the Samba mailing list a significant increase in the number of
				problems that were traced to a defective network interface controller,
				a defective HUB or Etherswitch, or defective cabling. In most cases,
				it was the erratic nature of the problem that ultimately pointed to
				the cause of the problem.
				</p></li><li><p><a class="indexterm" name="id2551682"></a><a class="indexterm" name="id2551693"></a>
				Excessively large roaming profiles. This type of problem is typically
				the result of poor user eduction, as well as poor network management.
				It can be avoided by users not storing huge quantities of email in
				MS Outlook PST files, as well as by not storing files on the desktop.
				These are old bad habits that require much discipline and vigilance
				on the part of network management.
				</p></li></ul></div><p>

		<font color="red">&lt;listitem&gt;<p><a class="indexterm" name="id2551717"></a>
				You should verify that the Windows XP WebClient service is not running.
				The use of the WebClient service has been implicated in many Windows
				networking related problems.
				</p>&lt;/listitem&gt;</font>

		</p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
		Loss of access to network resources during client operation may be caused by a number
		of factors including:
		</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2551748"></a>
				Network overload (typically indicated by a high network collision rate)
				</p></li><li><p>
				Server overload
				</p></li><li><p><a class="indexterm" name="id2551770"></a>
				Timeout causing the client to close a connection that is in use, but has
				been latent (no traffic) for some time (5 minutes or more)
				</p></li><li><p><a class="indexterm" name="id2551788"></a>
				Defective networking hardware
				</p></li></ul></div><p><a class="indexterm" name="id2551805"></a>
		No matter what the cause, a sudden operational loss of access to network resources can
		result in BSOD (blue screen of death) situations that necessitate rebooting of the client
		workstation. In the case of a mild problem, retrying to access the network drive of printer
		may restore operations, but in any case this is a serious problem as it may lead to the next
		problem, data corruption.
		</p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p><a class="indexterm" name="id2551833"></a>
		Data corruption is one of the most serious problems. It leads to uncertainty, anger, and 
		frustration, and generally precipitates immediate corrective demands. Management response
		to this type of problem may be rational, as well as highly irrational. There have been
		cases where management has fired network staff for permitting this situation to occur without 
		immediate correction. There have been situations where perfectly functional hardware was thrown 
		out and replaced, only to find the problem caused by a low-cost network hardware item. There 
		have been cases where server operating systems were replaced, or where Samba was updated, 
		only to later isolate the problem due to defective client software.
		</p></dd></dl></div><p>
	In this chapter, you can work through a number of measures that significantly arm you to
	anticipate and to combat network performance issues. You can work through complex and thorny
	methods to improve the reliability of your network environment, but be warned that all such steps
	demand the price of complexity.
	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551868"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
	<a class="indexterm" name="id2551877"></a>
	Computer (machine) accounts can be placed where ever you like in an LDAP directory subject to some 
	constraints that are described in this section.
	</p><p>
	<a class="indexterm" name="id2551892"></a>
	<a class="indexterm" name="id2551899"></a>
	<a class="indexterm" name="id2551906"></a>
	<a class="indexterm" name="id2551913"></a>
	The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. 
	i.e.: Machine  accounts are treated inside Samba in the same way that Windows NT4/200X treats 
	them. A user account and a machine account are indistinquishable from each other, except that
	the machine account ends in a '$' character, as do trust accounts.
	</p><p>
	<a class="indexterm" name="id2551929"></a>
	<a class="indexterm" name="id2551936"></a>
	The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX UID
	is a design decision that was made a long way back in the history of Samba development. It is 
	unlikely that this decision will be reversed of changed during the remaining life of the 
	Samba-3.x series. 
	</p><p>
	<a class="indexterm" name="id2551951"></a>
	<a class="indexterm" name="id2551957"></a>
	The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
	must refer back to the host operating system on which Samba is running. The Name Service
	Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
	need to know everything about every host OS it runs on.
	</p><p>
	Samba asks the host OS to provide a UID via the &#8220;<span class="quote"><span class="emphasis"><em>passwd</em></span></span>&#8221;, &#8220;<span class="quote"><span class="emphasis"><em>shadow</em></span></span>&#8221;
	and &#8220;<span class="quote"><span class="emphasis"><em>group</em></span></span>&#8221; facilities in the NSS control (configuration) file. The best tool
	for achieving this is left up to the UNIX administrator to determine. It is not imposed by
	Samba. Samba provides winbindd together with its support libraries as one method. It is
	possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
	all account entities can be located in an LDAP directory.
	</p><p>
	<a class="indexterm" name="id2551998"></a>
	For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
	be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
	is fundamentally an LDAP design question.  The information provided on the Samba list and
	in the documentation is directed at providing working examples only. The design
	of an LDAP directory is a complex subject that is beyond the scope of this documentation.
	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2552014"></a>Introduction</h2></div></div></div><p>
	Mr. Bob Jordan just opened an email from Christine that reads:
	</p><p>
	Bob,
	</p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top">�</td><td width="80%" valign="top"><p>
	A few months ago we sat down to design the network. We discussed the challenges ahead and we all
	agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
	that we would have some time to resolve any issues that might be encountered.
	</p><p>
	As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them
	resigned yesterday afternoon because she was under duress to complete some critical projects. She
	suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
	of which was lost. She has a unique requirement that involves storing large files on her desktop.
	Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it
	takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
	network logon traffic passes over the network links between our buildings, logging on may take
	three or four attempts due to blue screen problems associated with network timeouts.
	</p><p>
	A few of us worked to help her out of trouble. We convinced her to stay and promised to fully 
	resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard 
	limits on what our users can do with their desktops. If we do not do this, we face staff losses 
	that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal 
	with the consequences of what we know we must do than we can with the unrest we have now.
	</p><p>
	Stan and I have discussed the current situation. We are resolved to help our users and protect
	the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
	regain control of our vital IT operations.
	</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p>
	</p><p><a class="indexterm" name="id2552075"></a><a class="indexterm" name="id2552083"></a>
	Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a
	single domain controller is a poor design that has obvious operational effects that may
	frustrate users. Here is Bob's reply:
	</p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top">�</td><td width="80%" valign="top"><p>
	Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
	proposals to resolve the issues. I am confident that your plans fully realized will significantly
	boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
	Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
	for approval; I appreciate the urgency.
	</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><p>
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552114"></a>Assignment Tasks</h3></div></div></div><p>
		The priority of assigned tasks in this chapter is:
		</p><div class="orderedlist"><ol type="1"><li><p><a class="indexterm" name="id2552133"></a><a class="indexterm" name="id2552144"></a><a class="indexterm" name="id2552152"></a><a class="indexterm" name="id2552160"></a><a class="indexterm" name="id2552168"></a>
	      Implement Backup Domain Controllers (BDCs) in each building. This involves
		a change from use of a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
		chapter, to use an LDAP-based backend.
			</p><p>
			You can implement a single central LDAP server for this purpose.
			</p></li><li><p><a class="indexterm" name="id2552191"></a><a class="indexterm" name="id2552199"></a><a class="indexterm" name="id2552207"></a><a class="indexterm" name="id2552215"></a>
			Rectify the problem of excessive logon times. This involves redirection of
			folders to network shares as well as modification of all user desktops to
			exclude the redirected folders from being loaded at login time. You can also
			create a new default profile that can be used for all new users.
			</p></li></ol></div><p><a class="indexterm" name="id2552236"></a>
		You configure a new MS Windows XP Professional Workstation disk image that you
		roll out to all desktop users. The instructions you have created are followed on a
		staging machine from which all changes can be carefully tested before inflicting them on
		your network users.
		</p><p><a class="indexterm" name="id2552252"></a>
		This is the last network example in which specific mention of printing is made. The example
		again makes use of the CUPS printing system.
		</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2552267"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2552274"></a><a class="indexterm" name="id2552281"></a><a class="indexterm" name="id2552289"></a>
	The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
	For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
	LDAP servers in current use with Samba-3 include:
	</p><div class="itemizedlist"><a class="indexterm" name="id2552304"></a><ul type="disc"><li><p>Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory.</a>
		eDirectory is being successfully used by some sites. Information on how to use eDirectory can be
		obtained from the Samba mailing lists or from Novell.</p></li><li><p><a class="indexterm" name="id2552329"></a>IBM 
		<a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli Directory Server,</a>
		can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba 
		source code tarball under the directory <tt class="filename">~samba/example/LDAP.</tt></p></li><li><p><a class="indexterm" name="id2552356"></a>Sun 
		<a href="http://www.sun.com/software/sunone/identity/index.html" target="_top">ONE Identity Server.</a>
		This product suite provides an LDAP server that can be used for Samba. Example schema files are 
		provided in the Samba source code tarball under the directory
	    <tt class="filename">~samba/example/LDAP.
		</tt></p></li></ul></div><p>
	A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial
	offerings, it requires that you manually edit the server configuration files and manually
	initialize the LDAP directory database. OpenLDAP itself has only command line tools to
	help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
	</p><p><a class="indexterm" name="id2552399"></a>
	For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
	adequate. If you are migrating from Microsoft Active Directory, be
	warned that OpenLDAP does not include
	GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database 
	requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
	</p><p><a class="indexterm" name="id2552418"></a><a class="indexterm" name="id2552426"></a><a class="indexterm" name="id2552434"></a><a class="indexterm" name="id2552445"></a><a class="indexterm" name="id2552456"></a><a class="indexterm" name="id2552464"></a><a class="indexterm" name="id2552476"></a>
	When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. 
	High availability operation may be obtained through directory replication/synchronization and 
	master/slave server configurations. OpenLDAP is a mature platform to host the organizational 
	directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. 
	The price paid through learning how to design an LDAP directory schema in implementation and configuration 
	of management tools is well rewarded by performance and flexibility, and the freedom to manage directory
	contents with greater ability to back up, restore, and modify the directory than is generally possible
	with Microsoft Active Directory.
	</p><p><a class="indexterm" name="id2552503"></a><a class="indexterm" name="id2552515"></a><a class="indexterm" name="id2552523"></a><a class="indexterm" name="id2552531"></a>
	A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
	tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured
	for a specific task orientation. It comes with a set of administrative tools that is entirely customized
	for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
	server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
	who wants to built a custom directory solution. Microsoft Active Directory is a generic LDAP server that has
	been pre-configured for a specific task. Microsoft provides an application called 
	<a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top">
	MS ADAM</a> that provides more-generic LDAP services, yet it does not have the vanilla-like services
	of OpenLDAP.
	</p><p><a class="indexterm" name="id2552563"></a><a class="indexterm" name="id2552574"></a>
	You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
	if you find the challenge of learning about LDAP directories, schemas, configuration, and management
	tools, and the creation of shell and Perl scripts a bit
	challenging. OpenLDAP can be easily customized, though it includes
	many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
	that is required for use as a passdb backend.
	</p><p>
	<a class="indexterm" name="id2552594"></a>
	For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
	there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
	The Web-based tools you might like to consider include: The
	<a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM), as well as the
	<a href="http://www.webmin.com" target="_top">Webmin</a>-based Idealx
	<a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools.</a>
	</p><p>
	Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of 
	these so it may be useful to include passing reference to them. 
	The first is <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-ased LDAP browser; 
	LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor,</a> 
	<a href="http://www.jxplorer.org/" target="_top">JXplorer</a> (by Computer Associates),
	and the last is called <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin.</a>
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
	The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
	security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
	is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
	LDAP before attempting to deploy it in a business-critical environment.
	</p></div><p>
	Information to help you get started with OpenLDAP is available from the
	<a href="http://www.openldap.org/pub/" target="_top">OpenLDAP Web Site.</a> Many people have found the book
	<a href="http://www.booksense.com/product/info.jsp?isbn=1565924916" target="_top">LDAP System Administration,</a>
	written by Jerry Carter, quite useful.
	</p><p><a class="indexterm" name="id2552691"></a><a class="indexterm" name="id2552698"></a><a class="indexterm" name="id2552710"></a><a class="indexterm" name="id2552717"></a>
	Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
	main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
	be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly
	improves overall network performance for most users, but this is not enough. You must gain control over
	user desktops, and this must be done in a way that wins their support and does not cause further loss of
	staff morale. The following procedures solve this problem.
	</p><p><a class="indexterm" name="id2552742"></a>
	There is also an opportunity to implement smart printing features. You add this to the Samba configuration
	so that future printer changes can be managed without need to change desktop configurations.
	</p><p>
	You add the ability to automatically download new printer drivers, even if they are not installed 
	in the default desktop profile. Only one example of printing configuration is given. It is assumed that
	you can extrapolate the principles and use this to install all printers that may be needed.
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552764"></a>Technical Issues</h3></div></div></div><p><a class="indexterm" name="id2552771"></a><a class="indexterm" name="id2552782"></a><a class="indexterm" name="id2552794"></a>
	The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
	server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
	accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account 
	attributes Samba needs. Samba-3 can use the LDAP backend to store:
	</p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p><a class="indexterm" name="id2552835"></a><a class="indexterm" name="id2552843"></a><a class="indexterm" name="id2552851"></a><a class="indexterm" name="id2552859"></a><a class="indexterm" name="id2552867"></a><a class="indexterm" name="id2552875"></a><a class="indexterm" name="id2552886"></a><a class="indexterm" name="id2552894"></a><a class="indexterm" name="id2552902"></a>
	The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
	accounts in the LDAP backend. This implies the need to use the 
	<a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools.</a> The resolution 
	of the UNIX group name to its GID must be enabled from either the
	  <tt class="filename">/etc/group</tt> 
	or from the LDAP backend. This requires the use of the PADL <tt class="filename">nss_ldap</tt> toolset
	that integrates with the name service switcher (NSS). The same requirements exist for resolution
	of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#ch6-LDAPdiag" title="Figure�6.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>.
	</p><div class="figure"><a name="ch6-LDAPdiag"></a><p class="title"><b>Figure�6.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div><p><a class="indexterm" name="id2552991"></a><a class="indexterm" name="id2552999"></a>
	You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
	ought to learn how to configure secure communications over LDAP so that sites security is not
	at risk. This is not covered in the following guidance.
	</p><p><a class="indexterm" name="id2553018"></a><a class="indexterm" name="id2553025"></a><a class="indexterm" name="id2553037"></a><a class="indexterm" name="id2553045"></a>
	When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC)
	called <tt class="constant">MASSIVE</tt>. You initialize the Samba
	  <tt class="filename">secrets.tdb<sub></sub></tt>
	file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database
	can be initialized. You need to decide how best to create user and group accounts. A few
	hints are, of course, provided. You can also find on the enclosed
	  CD-ROM, in the <tt class="filename">Chap06</tt>
	directory, a few tools that help to manage user and group configuration.
	</p><p><a class="indexterm" name="id2553080"></a><a class="indexterm" name="id2553088"></a><a class="indexterm" name="id2553096"></a>
	In order to effect folder redirection and to add robustness to the implementation,
	create a network Default Profile. All network users workstations are configured to use
	the new profile. Roaming profiles will automatically be deleted from the workstation
	when the user logs off.
	</p><p><a class="indexterm" name="id2553112"></a>
	The profile is configured so that users cannot change the appearance
	of their desktop. This is known as a mandatory profile. You make certain that users
	are able to use their computers efficiently.
	</p><p><a class="indexterm" name="id2553127"></a>
	A network logon script is used to deliver flexible but consistent network drive
	connections.
	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553139"></a>Addition of Machines to the Domain</h4></div></div></div><p>
		<a class="indexterm" name="id2553147"></a>
		<a class="indexterm" name="id2553152"></a>
		<a class="indexterm" name="id2553158"></a>
		<a class="indexterm" name="id2553163"></a>
		Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
		that maps to the UNIX UID=0. The UNIX operating system permits only the <tt class="constant">root</tt>
		user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
		<tt class="constant">Privilieges</tt>. This new facility introduced four new privileges that
		can be assigned to users and/or groups:
		</p><div class="table"><a name="ch6-privs"></a><p class="title"><b>Table�6.1.�Current Privilege Capabilities</b></p><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div><p>
		In this network example use will be made of one of the supported privileges purely to demonstrate
		how any user can now be given the ability to add machines to the domain using a normal user account
		that has been given the appropriate privileges.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553301"></a>Roaming Profile Background</h4></div></div></div><p>
		As XP roaming profiles grow, so does the amount of time it takes to log in and out.
		</p><p><a class="indexterm" name="id2553313"></a><a class="indexterm" name="id2553321"></a><a class="indexterm" name="id2553329"></a><a class="indexterm" name="id2553337"></a>
		An XP Roaming Profile consists of the <tt class="constant">HKEY_CURRENT_USER</tt> hive file
		<tt class="filename">NTUSER.DAT</tt> and a number of folders (My Documents, Application Data,
		Desktop, Start Menu, Templates, NetHood, Favorites, and so on).  When a user logs onto the 
		network with the default configuration of MS Windows NT/200x/XPP, all this data is 
		copied to the local machine. By default it is copied to the local machine, under the
		<tt class="filename">C:\Documents and Settings\%USERNAME%</tt> directory. While the user is logged in, 
		any changes made to any of these folders or to the <tt class="constant">HKEY_CURRENT_USER</tt> 
		branch of the registry are made to the local copy of the profile.  At logout the profile 
		data is copied back to the server. This behavior can be changed through appropriate
		registry changes and/or through changes to the Default User profile. In the latter case,
		it updates the registry with the values that are set in the
	    profile <tt class="filename">NTUSER.DAT</tt>
		file.
		</p><p>
		The first challenge is to reduce the amount of data that must be transferred to and 
		from the profile server as roaming profiles are processed.  This includes removing 
		all the shortcuts in the Recent directory, making sure the cache used by the web browser 
		is not being dumped into the <tt class="filename">Application Data</tt> folder, removing the 
		Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the 
		user to not place large files on the Desktop and to use his mapped home directory for
		saving documents instead of the <tt class="filename">My Documents</tt> folder.
		</p><p><a class="indexterm" name="id2553412"></a>
		Using a folder other than <tt class="filename">My Documents</tt> is a nuisance for 
		some users since many applications use it by default.
		</p><p><a class="indexterm" name="id2553431"></a><a class="indexterm" name="id2553439"></a><a class="indexterm" name="id2553447"></a>
	    The secret to rapid loading of roaming profiles is to prevent unnecessary data from 
		being copied back and forth, without losing any functionality. This is not difficult; 
		it can be done by making changes to the Local Group Policy on each client as well 
		as changing some paths in each user's <tt class="filename">NTUSER.DAT</tt> hive.
		</p><p><a class="indexterm" name="id2553470"></a><a class="indexterm" name="id2553478"></a>
		Every user profile has their own <tt class="filename">NTUSER.DAT</tt> file. This means
		you need to edit every user's profile, unless a better method can be
		followed. Fortunately, with the right preparations, this is not difficult.
		It is possible to remove the <tt class="filename">NTUSER.DAT</tt> file from each
		user's profile. Then just create a Network Default Profile. Of course, it is
		necessary to copy all files from redirected folders to the network share to which
		they are redirected.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch6-locgrppol"></a>The Local Group Policy</h4></div></div></div><p><a class="indexterm" name="id2553519"></a><a class="indexterm" name="id2553527"></a><a class="indexterm" name="id2553535"></a><a class="indexterm" name="id2553543"></a>
		Without an Active Directory PDC, you cannot take full advantage of Group Policy 
		Objects. However, you can still make changes to the Local Group Policy by using 
		the Group Policy editor (<span><b class="command">gpedit.msc</b></span>).
		</p><p>
		The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can 
		be found under 
		<span class="guimenu">User Configuration</span>-&gt;<span class="guimenuitem">Administrative Templates</span>-&gt;<span class="guimenuitem">System</span>-&gt;<span class="guimenuitem">User Profiles</span>. 
		By default this setting contains:
		&#8220;<span class="quote"><span class="emphasis"><em>Local Settings;Temporary Internet Files;History;Temp</em></span></span>&#8221;.
		</p><p>
		Simply add the folders you do not wish to be copied back and forth to this 
		semi-colon separated list. Note that this change must be made on all clients 
		that are using roaming profiles.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553613"></a>Profile Changes</h4></div></div></div><p><a class="indexterm" name="id2553620"></a><a class="indexterm" name="id2553628"></a>
		There are two changes that should be done to each user's profile. Move each of 
		the directories that you have excluded from being copied back and forth out of 
		the usual profile path. Modify each user's <tt class="filename">NTUSER.DAT</tt> file 
		to point to the new paths that are shared over the network, instead of the default
		path (<tt class="filename">C:\Documents and Settings\%USERNAME%</tt>).
		</p><p><a class="indexterm" name="id2553657"></a><a class="indexterm" name="id2553665"></a>
		The above modifies existing user profiles. So that newly created profiles have 
		these settings, you will need to modify the <tt class="filename">NTUSER.DAT</tt> in 
		the <tt class="filename">C:\Documents and Settings\Default User</tt> folder on each 
		client machine, changing the same registry keys.  You could do this by copying 
		<tt class="filename">NTUSER.DAT</tt> to a Linux box and using
	    <span><b class="command">regedt32</b></span>.
		The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553712"></a>Using a Network Default User Profile</h4></div></div></div><p><a class="indexterm" name="id2553719"></a><a class="indexterm" name="id2553727"></a>
		If you are using Samba as your PDC, you should create a file-share called 
		<tt class="constant">NETLOGON</tt> and within that create a directory called 
		<tt class="filename">Default User</tt>, which is a copy of the desired default user 
		configuration (including a copy of <tt class="filename">NTUSER.DAT</tt>.
		If this share exists and the <tt class="filename">Default User</tt> folder exists, 
		the first login from a new account pulls its configuration from it.
		See also: <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
		the Real Men Don't Click</a> Web site.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553773"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p><a class="indexterm" name="id2553780"></a><a class="indexterm" name="id2553791"></a><a class="indexterm" name="id2553799"></a>
		The subject of printing is quite topical. Printing problems run second place to name
		resolution issues today. So far in this book, you have experienced only what is generally
		known as &#8220;<span class="quote"><span class="emphasis"><em>dumb</em></span></span>&#8221; printing. Dumb printing is the arrangement where all drivers
		are manually installed on each client and the printing subsystems perform no filtering
		or intelligent processing. Dumb printing is easily understood. It usually works without
		many problems, but it has its limitations also. Dumb printing is better known as
		<span><b class="command">Raw Print Through</b></span> printing.
		</p><p><a class="indexterm" name="id2553830"></a><a class="indexterm" name="id2553842"></a>
		Samba permits the configuration of <span><b class="command">Smart</b></span> printing using the Microsoft
		Windows point-and-click (also called drag-and-drop) printing. What this provides is
		essentially the ability to print to any printer. If the local client does not yet have a
		driver installed, the driver is automatically downloaded from the Samba server and
		installed on the client. Drag-and-drop printing is neat; it means the user never needs
		to fuss with driver installation, and that is a <span class="trademark">Good Thing</span>&#8482;,
		isn't it?
		</p><p>
		There is a further layer of print job processing that is known as <span><b class="command">Intelligent</b></span>
		printing that automatically senses the file format of data submitted for printing and
		then invokes a suitable print filter to convert the incoming data stream into a format
		suited to the printer to which the job is dispatched.
		</p><p><a class="indexterm" name="id2553891"></a><a class="indexterm" name="id2553899"></a>
		The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
		detect the data format and apply a print filter. This means that it is feasible to install
		on all Windows clients a single printer driver for use with all printers that are routed
		through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately,
		<a href="http://www.easysw.com" target="_top">Easy Software Products,</a> the authors of CUPS have
		released a Postscript printing driver for Windows. It can be installed into the Samba
		printing backend so that it automatically downloads to the client when needed. 
		</p><p>
		This means that so long as there is a CUPS driver for the printer, all printing from Windows 
		software can use Postscript, no matter what the actual printer language for the physical 
		device is. It also means that the administrator can swap out a printer with a totally 
		different type of device without ever needing to change a client workstation driver.
		</p><p>
		This book is about Samba-3, so you can confine the printing style to just the smart
		style of installation. Those interested in further information regarding intelligent
		printing should review documentation on the Easy Software Products Web site.
		</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553943"></a>Avoiding Failures  Solving Problems Before the Happen</h4></div></div></div><p>
		It has often been said that there are three types of people in the world: Those who
		have sharp minds and those that forget things. Please do not ask what the third group
		are like! Well, it seems that many of us have company in the second group. There must
		be a good explanation why so many network administrators fail to solve apparently
		simple problems efficiently and effectively.
		</p><p>
		Here are some diagnostic guidelines that can be referred to when things go wrong:
		</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2553966"></a>Preliminary Advice  Dangers Can be Avoided</h5></div></div></div><p>
		The best advice regarding how best to mend a broken leg was &#8220;<span class="quote"><span class="emphasis"><em>never break a leg!</em></span></span>&#8221;
		</p><p>
		New comers to Samba and LDAP seem to struggle a great deal at first.  If you want advice
		regarding the best way to remedy LDAP and Samba problems: &#8220;<span class="quote"><span class="emphasis"><em>Avoid them like the plague!</em></span></span>&#8221;
		</p><p>
		If you are now asking yourself how can problems be avoided? The best advice is to start
		out your learning experience with an <span class="emphasis"><em>known-to-work</em></span> solution. After
		you have seen a fully working solution, a good way to learn is to make slow and progressive
		changes that cause things to break, then observe carefully how and why things ceased to work.
		</p><p>
		The examples in this chapter (also in the book as a whole) are known to work. That means
		that they could serve as the kick-off point for your journey through fields of knowledge.
		Use this resource carefully; we hope it serves you well.
		</p><p>
		Warning: Do not be lulled into thinking that you can easily adopt the examples in this
		book and adapt them without first working through the working examples provided. A little
		thing over-looked can cause untold pain and may permanently tarnish your experience.
		</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554024"></a>Debugging LDAP</h5></div></div></div><p>
		In the example <tt class="filename">/etc/openldap/slapd.conf</tt> control file
		(see <a href="happy.html#ch6-dbconf" title="Example�6.1.�LDAP DB_CONFIG File">???</a>) there is an entry for <tt class="constant">loglevel	256</tt>.
		To enable logging via the syslog infrastructure it is necessary to uncomment this parameter
		and restart <span><b class="command">slapd</b></span>.
		</p><p>
		LDAP log information can be directed into a file that is separate from the normal system
		log files by changing the <tt class="filename">/etc/syslog.conf</tt> file so it has the following
		contents:
</p><pre class="screen">
# Some foreign boot scripts require local7
#
local0,local1.*                 -/var/log/localmessages
local2,local3.*                 -/var/log/localmessages
local5.*                        -/var/log/localmessages
local6,local7.*                 -/var/log/localmessages
local4.*                        -/var/log/ldaplogs
</pre><p>
		In the above case, all LDAP related logs will be directed to the file
		<tt class="filename">/var/log/ldaplogs</tt>. This makes it easy to track LDAP errors.
		</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554091"></a>Debugging NSS_LDAP</h5></div></div></div><p>
		The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
		<tt class="filename">/etc/ldap.conf</tt> file the following parameters:
</p><pre class="screen">
debug 256
logdir /data/logs
</pre><p>
		Create the log directory as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir /data/logs
</pre><p>
		</p><p>
		The diagnostic process should follow the following steps:
		</p><div class="procedure"><ol type="1"><li><p>
			Verify the <tt class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</tt> entries
			in the <tt class="filename">/etc/ldap.conf</tt> file and compare them closely with the directory
			tree location that was chosen in when the directory was first created.
			</p><p>
			One was this can be done is by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapcat | grep Group | grep dn
dn: ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
</pre><p>
			The first line is the DIT entry point for the container for POSIX groups. The correct entry
			for the <tt class="filename">/etc/ldap.conf</tt> for the <tt class="constant">nss_base_group</tt>
			parameter therefore is the distinquished name (dn) as applied here:
</p><pre class="screen">
nss_base_group ou=Groups,dc=abmas,dc=biz?one
</pre><p>
			The same process may be followed to determine the appropriate dn for user accounts.
			If the container for computer accounts is not the same as that for users (see the <tt class="filename">smb.conf</tt>
			file entry for <tt class="constant">ldap machine suffix</tt>, it may be necessary to set the 
			following DIT dn in the <tt class="filename">/etc/ldap.conf</tt>:
</p><pre class="screen">
nss_base_passwd dc=abmas,dc=biz?sub
</pre><p>
			This instructs LDAP to search for machine as well as user entries from the top of the DIT
			down. This is inefficient, but at least should work.
			</p></li><li><p>
			Perform lookups such as:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd
</pre><p>
			Each such lookup will create an entry in the <tt class="filename">/data/log</tt> directory
			for each such process executed. The contents of that file may provide a hint as to
			the cause of the failure that is being investigated.
			</p></li><li><p>
			Check the contents of the <tt class="filename">/var/log/messages</tt> to see what error messages are being
			generated as a result of the LDAP lookups. Here is an example of a successful lookup:
</p><pre class="screen">
slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
(IP=0.0.0.0:389)
slapd[12164]: conn=0 op=0 BIND dn="" method=128
slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
slapd[12164]: conn=0 op=2 UNBIND
slapd[12164]: conn=0 fd=10 closed
slapd[12164]: conn=1 fd=10 ACCEPT from
IP=127.0.0.1:33540 (IP=0.0.0.0:389)
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" method=128
slapd[12164]: conn=1 op=0 BIND
dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
slapd[12164]: conn=1 op=1 SRCH
base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
filter="(objectClass=posixAccount)"
slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
nentries=2 text=
slapd[12164]: conn=1 fd=10 closed

</pre><p>
			</p></li><li><p>
			Check that the bindpw entry in the <tt class="filename">/etc/ldap.conf</tt> or in the
			<tt class="filename">/etc/ldap.secrets</tt> file is correct. i.e.: As specified in the
			<tt class="filename">/etc/openldap/slapd.conf</tt> file.
			</p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554320"></a>Debugging Samba</h5></div></div></div><p>
		The following parameters in the <tt class="filename">smb.conf</tt> file can be useful in tracking down Samba related problems:
</p><pre class="screen">
[global]
	...
	log level = 5
	log file = /var/log/samba/%m.log
	max log size = 0
	...
</pre><p>
		This will result in the creation of a separate log file for every client from which connections
		are made. The log file will be quite verbose and will grow continually. Do not forget to
		change these lines to the following when debugging has been completed:
</p><pre class="screen">
[global]
	...
	log level = 1
	log file = /var/log/samba/%m.log
	max log size = 50
	...
</pre><p>
		</p><p>
		The log file can be analyzed by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /var/log/samba
<tt class="prompt">root# </tt> grep -v "^\[200" machine_name.log
</pre><p>
		</p><p>
		Search for hints of what may have failed by lokking for the words <span class="emphasis"><em>fail</em></span>
		and <span class="emphasis"><em>error</em></span>.
		</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554391"></a>Debugging on the Windows Client</h5></div></div></div><p>
		MS Windows 2000 Professional and Windows  XP Professional clients are capable of being configured
		to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
		the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
		version of MS Windows.
		</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2554409"></a>Political Issues</h3></div></div></div><p>
		MS Windows network users are generally very sensitive to limits that may be imposed when 
		confronted with locked-down workstation configurations. The challenge you face must 
		be promoted as a choice between reliable and fast network operation, and a constant flux 	
		of problems that result in user irritation.
		</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2554424"></a>Installation Check-List</h3></div></div></div><p>
	You are starting a complex project. Even though you have gone through the installation
	of a complex network in chapter 5, this network is a bigger challenge because of the
	large number of complex applications that must be configured before the first few steps
	can be validated. Take stock of what you are about to undertake, prepare yourself, and
	frequently review the steps ahead while making at least a mental note of what has already
	been completed. The following task list may help you to keep track of the task items
	that are covered:
	</p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS Servers</p></li><li><p>OpenLDAP Server</p></li><li><p>PAM and NSS Client Tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx SMB-LDAP Scripts</p></li><li><p>LDAP Initialization</p></li><li><p>Create User and Group Accounts</p></li><li><p>Printers</p></li><li><p>Share Point Directory Roots</p></li><li><p>Profile Directories</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS Servers</p></li><li><p>PAM and NSS Client Tools</p></li><li><p>Printers</p></li><li><p>Share Point Directory Roots</p></li><li><p>Profiles Directories</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default Profile Folder Redirection</p></li><li><p>MS Outlook PST File Relocation</p></li><li><p>Delete Roaming Profile on Logout</p></li><li><p>Upload Printer Drivers to Samba Servers</p></li><li><p>Install Software</p></li><li><p>Creation of Roll-out Images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2554594"></a>Samba Server Implementation</h2></div></div></div><p><a class="indexterm" name="id2554601"></a><a class="indexterm" name="id2554609"></a>
	The network design shown in <a href="happy.html#chap6net" title="Figure�6.2.�Network Topology  500 User Network Using ldapsam passdb backend.">???</a> is not comprehensive. It is assumed
	that you will install additional file servers, and possibly additional BDCs.
	</p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure�6.2.�Network Topology  500 User Network Using ldapsam passdb backend.</b></p><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend."></div></div><p><a class="indexterm" name="id2554672"></a><a class="indexterm" name="id2554680"></a>
	All configuration files and locations are shown for SUSE Linux 9.2 and are equaly valid for SUSE
	Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
	adjust the locations for your particular Linux system distribution/implementation.
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The following information applies to Samba-3.0.12 when used with the Idealx smbldap-tools scripts
version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please 
verify that the versions you are about to use are matching.
</p></div><p>
	The steps in the process involve changes from the network configuration
	shown in <a href="Big500users.html" title="Chapter�5.�The 500-User Office">???</a>.
	Before implementing the following steps, you must have completed the network implementation shown
	in that chapter. If you are starting with newly installed Linux servers, you must complete
	the steps shown in <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing
	at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>:
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p><a class="indexterm" name="id2554742"></a><a class="indexterm" name="id2554750"></a><a class="indexterm" name="id2554757"></a>
	Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table�6.2.�Required OpenLDAP Linux Packages">???</a> are installed on your system.
	</p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table�6.2.�Required OpenLDAP Linux Packages</b></p><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left">�</td></tr></tbody></table></div><p>
	Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method
	for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you
	follow these guidelines, the resulting system should work fine.
	</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2554899"></a>
		Install the file shown in <a href="happy.html#ch6-slapdconf" title="Example�6.2.�LDAP Master Configuration File  /etc/openldap/slapd.conf Part A">???</a> in the directory
		<tt class="filename">/etc/openldap</tt>.
		</p></li><li><p><a class="indexterm" name="id2554928"></a><a class="indexterm" name="id2554935"></a><a class="indexterm" name="id2554943"></a>
		Remove all files from the directory <tt class="filename">/data/ldap</tt>, making certain that
		the directory exists with permissions:
</p><pre class="screen">
<tt class="prompt">root# </tt> ls -al /data | grep ldap
drwx------   2 ldap    ldap       48 Dec 15 22:11 ldap
</pre><p>
		This may require you to add a user and a group account for LDAP if they do not exist.
		</p></li><li><p><a class="indexterm" name="id2554980"></a>
		Install the file shown in <a href="happy.html#ch6-dbconf" title="Example�6.1.�LDAP DB_CONFIG File">???</a> in the directory
		<tt class="filename">/data/ldap</tt>. In the event that this file is added after <tt class="constant">ldap</tt>
		has been started, it is possible to cause the new settings to take effect by shutting down
		the <tt class="constant">LDAP</tt> server, executing the <span><b class="command">db_recover</b></span> command inside the
		<tt class="filename">/data/ldap</tt> directory, and then restarting the <tt class="constant">LDAP</tt> server.
		</p></li><li><p><a class="indexterm" name="id2555031"></a>
		Performance logging can be enabled and should preferrably be sent to a file on
		a file system that is large enough to handle significantly sized logs. To enable
		the logging at a verbose level to permit detailed analysis uncomment the entry in
		the <tt class="filename">/etc/openldap/slapd.conf</tt> shown as &#8220;<span class="quote"><span class="emphasis"><em>loglevel 256</em></span></span>&#8221;.
		</p><p>
		Edit the <tt class="filename">/etc/syslog.conf</tt> file to add the following at the end
		of the file:
</p><pre class="screen">
local4.*        -/data/ldap/log/openldap.log
</pre><p>
		Note: The path <tt class="filename">/data/ldap/log</tt> should be set a a location
		that is convenient and that can store a large volume of data.
		</p></li></ol></div><div class="example"><a name="ch6-dbconf"></a><p class="title"><b>Example�6.1.�LDAP DB_CONFIG File</b></p><pre class="screen">
set_cachesize           0 150000000 1
set_lg_regionmax        262144
set_lg_bsize            2097152
#set_lg_dir             /var/log/bdb
set_flags               DB_LOG_AUTOREMOVE
</pre></div><div class="example"><a name="ch6-slapdconf"></a><p class="title"><b>Example�6.2.�LDAP Master Configuration File  <tt class="filename">/etc/openldap/slapd.conf</tt> Part A</b></p><pre class="screen">
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/samba3.schema

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

access to dn.base=""
		by self write
		by * auth

access to attr=userPassword
		by self write
		by * auth

access to attr=shadowLastChange
		by self write
		by * read

access to *
                by * read
                by anonymous auth

#loglevel	256

schemacheck 	on
idletimeout	30
backend		bdb
database	bdb
checkpoint      1024 5
cachesize       10000

suffix		"dc=abmas,dc=biz"
rootdn		"cn=Manager,dc=abmas,dc=biz"

# rootpw = not24get
rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

directory	/data/ldap
</pre></div><div class="example"><a name="ch6-slapdconf2"></a><p class="title"><b>Example�6.3.�LDAP Master Configuration File  <tt class="filename">/etc/openldap/slapd.conf</tt> Part B</b></p><pre class="screen">
# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p><a class="indexterm" name="id2555184"></a><a class="indexterm" name="id2555191"></a><a class="indexterm" name="id2555199"></a>
	The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution
	of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead
	configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
	</p><p>
	Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
	that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
	  correct configuration of the Pluggable Authentication
	  Modules<a class="indexterm" name="id2555225"></a><a class="indexterm" name="id2555236"></a>
	  (PAM). The <span><b class="command">pam_ldap</b></span>
	open source package provides the PAM modules that most people would use. On SUSE Linux systems,
	the <span><b class="command">pam_unix2.so</b></span> module also has the ability to redirect authentication requests
	through LDAP.
	</p><p><a class="indexterm" name="id2555263"></a><a class="indexterm" name="id2555271"></a><a class="indexterm" name="id2555279"></a><a class="indexterm" name="id2555287"></a>
	You have chosen to configure these services by directly editing the system files but, of course, you
	know that this configuration can be done using system tools provided by the Linux system vendor.
	  SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span>-&gt;<span class="guimenuitem">system</span>-&gt;<span class="guimenuitem">ldap-client</span> that permits
	configuration of SUSE Linux as an LDAP client. Red Hat Linux provides
	  the <span><b class="command">authconfig</b></span>
	tool for this.
	</p><div class="procedure"><div class="example"><a name="ch6-nss01"></a><p class="title"><b>Example�6.4.�Configuration File for NSS LDAP Support  <tt class="filename">/etc/ldap.conf</tt></b></p><pre class="screen">
host 127.0.0.1

base dc=abmas,dc=biz

binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get

timelimit 50
bind_timelimit 50
bind_policy hard

idle_timelimit 3600

pam_password exop

nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group  ou=Groups,dc=abmas,dc=biz?one

ssl off
</pre></div><div class="example"><a name="ch6-nss02"></a><p class="title"><b>Example�6.5.�Configuration File for NSS LDAP Clients Support  <tt class="filename">/etc/ldap.conf</tt></b></p><pre class="screen">
host 172.16.0.1

base dc=abmas,dc=biz

binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get

timelimit 50
bind_timelimit 50
bind_policy hard

idle_timelimit 3600

pam_password exop

nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group  ou=Groups,dc=abmas,dc=biz?one

ssl off
</pre></div><ol type="1"><li><p><a class="indexterm" name="id2555335"></a><a class="indexterm" name="id2555343"></a><a class="indexterm" name="id2555351"></a>
		Execute the following command to find where the <tt class="filename">nss_ldap</tt> module
		expects to find its control file:
</p><pre class="screen">
<tt class="prompt">root# </tt> strings /lib/libnss_ldap.so.2 | grep conf
</pre><p>
		The preferred and usual location is <tt class="filename">/etc/ldap.conf</tt>.
		</p></li><li><p>
		On the server <tt class="constant">MASSIVE</tt>, install the file shown in 
		<a href="happy.html#ch6-nss01" title="Example�6.4.�Configuration File for NSS LDAP Support  /etc/ldap.conf">???</a> into the path that was obtained from the step above.
		On the servers called <tt class="constant">BLDG1</tt> and <tt class="constant">BLDG2</tt>, install the file shown in
		<a href="happy.html#ch6-nss02" title="Example�6.5.�Configuration File for NSS LDAP Clients Support  /etc/ldap.conf">???</a> into the path that was obtained from the step above.
		</p></li><li><p><a class="indexterm" name="id2555486"></a>
		Edit the NSS control file (<tt class="filename">/etc/nsswitch.conf</tt>) so that the lines that
		control user and group resolution will obtain information from the normal system files as
		well as from <span><b class="command">ldap</b></span> as follows:
</p><pre class="screen">
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns wins
</pre><p>
		Later, when the LDAP database has been initialized and user and group accounts have been
		added, you can validate resolution of the LDAP resolver process. The inclusion of 
		WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be 
		resolved to their IP addresses, whether or not they are DHCP clients.
		</p></li><li><p><a class="indexterm" name="id2555528"></a>
		For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
		files in the <tt class="filename">/etc/pam.d</tt> directory:
	      <span><b class="command">login, password, samba, sshd</b></span>.
		In each file, locate every entry that has the <span><b class="command">pam_unix2.so</b></span> entry and add to the
		line the entry <span><b class="command">use_ldap</b></span> as shown for the
	      <span><b class="command">login</b></span> module in
		this example:
</p><pre class="screen">
#%PAM-1.0
auth      requisite  pam_unix2.so   nullok use_ldap #set_secrpc
auth      required   pam_securetty.so
auth      required   pam_nologin.so
#auth     required   pam_homecheck.so
auth      required   pam_env.so
auth      required   pam_mail.so
account   required   pam_unix2.so   use_ldap
password  required   pam_pwcheck.s  nullok
password  required   pam_unix2.so   nullok use_first_pass \
                                    use_authtok use_ldap
session   required   pam_unix2.so   none use_ldap # debug or trace
session   required   pam_limits.so
</pre><p>
		</p><p><a class="indexterm" name="id2555593"></a>
		On other Linux systems that do not have an LDAP-enabled <span><b class="command">pam_unix2.so</b></span> module,
		you must edit these files by adding the <span><b class="command">pam_ldap.so</b></span> modules as shown here:
</p><pre class="screen">
#%PAM-1.0
auth     required    pam_securetty.so
auth     required    pam_nologin.so
auth     sufficient  pam_ldap.so
auth     required    pam_unix2.so   nullok try_first_pass #set_secrpc
account  sufficient  pam_ldap.so
account  required    pam_unix2.so
password required    pam_pwcheck.so nullok
password required    pam_ldap.so    use_first_pass use_authtok
password required    pam_unix2.so   nullok use_first_pass use_authtok
session  required    pam_unix2.so   none # debug or trace
session  required    pam_limits.so
session  required    pam_env.so
session  optional    pam_mail.so
</pre><p>
		This example does have the LDAP-enabled <span><b class="command">pam_unix2.so</b></span>, but simply
		demonstrates the use of the <span><b class="command">pam_ldap.so</b></span> module. You can use either
		implementation, but if the <span><b class="command">pam_unix2.so</b></span> on your system supports
		LDAP, you probably want to use it, rather than add an additional module.
		</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p><a class="indexterm" name="id2555667"></a>
	Verify that the Samba-3.0.12 (or later) packages are installed on each SUSE Linux server 
	before following the steps below. If Samba-3.0.12 (or later) is not installed, you have the
	choice to either build your own or to obtain the packages from a dependable source.
	Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for 
	Red Hat Fedora Core and Red Hat Enteprise Linux Server 3 and 4 are included on the CD-ROM that
	is included at the back of this book.
	</p><div class="procedure"><a name="id2555685"></a><p class="title"><b>Procedure�6.4.�Configuration of PDC Called: <tt class="constant">MASSIVE</tt></b></p><ol type="1"><li><p>
		Install the files in <a href="happy.html#ch6-massive-smbconfa" title="Example�6.6.�LDAP Based smb.conf File, Server: MASSIVE  global Section: Part A">???</a>, 
		<a href="happy.html#ch6-massive-smbconfb" title="Example�6.7.�LDAP Based smb.conf File, Server: MASSIVE  global Section: Part B">???</a>, <a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section  Part A">???</a>, 
		and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section  Part B">???</a> into the <tt class="filename">/etc/samba/</tt> 
		directory. The three files should be added together to form the <tt class="filename">smb.conf</tt> 
		master file. It is a good practice to call this file something like
		<tt class="filename">smb.conf.master</tt>, and then to perform all file edits
		on the master file. The operational <tt class="filename">smb.conf</tt> is then generated as shown in
		the next step.
		</p></li><li><p><a class="indexterm" name="id2555761"></a>
		Create and verify the contents of the <tt class="filename">smb.conf</tt> file that is generated by:
</p><pre class="screen">
<tt class="prompt">root# </tt> testparm -s smb.conf.master &gt; smb.conf
</pre><p>
		Immediately follow this with the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> testparm
</pre><p>
		The output that is created should be free from errors, as shown here:

</p><pre class="screen">
Load smb config files from /etc/samba/smb.conf
Processing section "[accounts]"
Processing section "[service]"
Processing section "[pidata]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[apps]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[profdata]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
</pre><p>
		</p></li><li><p>
		Delete all run-time files from prior Samba operation by executing (for SUSE
		Linux):
</p><pre class="screen">
<tt class="prompt">root# </tt> rm /etc/samba/*tdb
<tt class="prompt">root# </tt> rm /var/lib/samba/*tdb
<tt class="prompt">root# </tt> rm /var/lib/samba/*dat
<tt class="prompt">root# </tt> rm /var/log/samba/*
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2555862"></a><a class="indexterm" name="id2555870"></a>
		Samba-3 communicates with the LDAP server. The password that it uses to
		authenticate to the LDAP server must be stored in the <tt class="filename">secrets.tdb</tt>
		file. Execute the following to create the new <tt class="filename">secrets.tdb</tt> files
		and store the password for the LDAP Manager:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbpasswd -w not24get
</pre><p>
		The expected output from this command is:
</p><pre class="screen">
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2555919"></a><a class="indexterm" name="id2555927"></a>
		Samba-3 generates a Windows Security Identifier only when <span><b class="command">smbd</b></span>
		has been started. For this reason, you start Samba. After a few seconds delay,
		execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbclient -L localhost -U%
<tt class="prompt">root# </tt> net getlocalsid
</pre><p>
		A report such as the following means that the Domain Security Identifier (SID) has not yet
		been written to the <tt class="filename">secrets.tdb</tt> or to the LDAP backend:
</p><pre class="screen">
[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
  failed to bind to server ldap://massive.abmas.biz
with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
        (unknown)
[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
</pre><p>
		The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server
		is not running this operation will fail by way of a time out, as shown above. This is
		normal output, do not worry about this error message.  When the Domain has been created and
		written to the <tt class="filename">secrets.tdb</tt> file, the output should look like this:
</p><pre class="screen">
SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
</pre><p>
		If, after a short delay (a few seconds), the Domain SID has still not been written to 
		the <tt class="filename">secrets.tdb</tt> file, it is necessary to investigate what 
		may be mis-configured. In this case, carefully check the <tt class="filename">smb.conf</tt> file for typographical 
		errors (the most common problem).  The use of the <span><b class="command">testparm</b></span> is highly 
		recommended to validate the contents of this file.
		</p></li><li><p>
		When a positive Domain SID has been reported, stop Samba.
		</p></li><li><p>
		<a class="indexterm" name="id2556042"></a>
		<a class="indexterm" name="id2556051"></a>
		<a class="indexterm" name="id2556060"></a>
		<a class="indexterm" name="id2556069"></a>
		Configure the NFS server for your Linux system. So you can complete the steps that
		follow, enter into the <tt class="filename">/etc/exports</tt> the following entry:
</p><pre class="screen">
/home   *(rw,root_squash,sync)
</pre><p>
		This permits the user home directories to be used on the BDC servers for testing
		purposes. You, of course, decide what is the best way for your site to distribute
		data drives, as well as creating suitable backup and restore procedures for Abmas Inc.
		I'd strongly recommend that for normal operation the BDC is completely independent 
		of the PDC. rsync is a useful tool here as it resembles the NT replication service quite 
		closely. If you do use NFS, do not forget to start the NFS server as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcnfsserver start
</pre><p>
		</p></li></ol></div><p>
	Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
	configuration of the LDAP server.
	</p><div class="example"><a name="ch6-massive-smbconfa"></a><p class="title"><b>Example�6.6.�LDAP Based smb.conf File, Server: MASSIVE  global Section: Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2556150"></a><i class="parameter"><tt>
					
				unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2556166"></a><i class="parameter"><tt>
					
				workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2556181"></a><i class="parameter"><tt>
					
				netbios name = MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2556197"></a><i class="parameter"><tt>
					
				interfaces = eth1, lo</tt></i></td></tr><tr><td><a class="indexterm" name="id2556212"></a><i class="parameter"><tt>
					
				bind interfaces only = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556228"></a><i class="parameter"><tt>
					
				passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556244"></a><i class="parameter"><tt>
					
				enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556259"></a><i class="parameter"><tt>
					
				username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2556276"></a><i class="parameter"><tt>
					
				log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2556291"></a><i class="parameter"><tt>
					
				syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2556306"></a><i class="parameter"><tt>
					
				log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2556321"></a><i class="parameter"><tt>
					
				max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2556337"></a><i class="parameter"><tt>
					
				smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2556352"></a><i class="parameter"><tt>
					
				name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2556369"></a><i class="parameter"><tt>
					
				time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556384"></a><i class="parameter"><tt>
					
				printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2556399"></a><i class="parameter"><tt>
					
				show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2556415"></a><i class="parameter"><tt>
					
				add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556432"></a><i class="parameter"><tt>
					
				delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556448"></a><i class="parameter"><tt>
					
				add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556464"></a><i class="parameter"><tt>
					
				delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556480"></a><i class="parameter"><tt>
					
				add user to group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod -m "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556503"></a><i class="parameter"><tt>
					
				delete user from group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod -x "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556527"></a><i class="parameter"><tt>
					
				set primary group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-usermod -g "%g" "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556550"></a><i class="parameter"><tt>
					
				add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</tt></i></td></tr></table></div><div class="example"><a name="ch6-massive-smbconfb"></a><p class="title"><b>Example�6.7.�LDAP Based smb.conf File, Server: MASSIVE  global Section: Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2556581"></a><i class="parameter"><tt>
					
				logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2556597"></a><i class="parameter"><tt>
					
				logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2556612"></a><i class="parameter"><tt>
					
				logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2556627"></a><i class="parameter"><tt>
					
				domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556642"></a><i class="parameter"><tt>
					
				preferred master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556658"></a><i class="parameter"><tt>
					
				wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556674"></a><i class="parameter"><tt>
					
				ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556689"></a><i class="parameter"><tt>
					
				ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2556705"></a><i class="parameter"><tt>
					
				ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2556720"></a><i class="parameter"><tt>
					
				ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2556736"></a><i class="parameter"><tt>
					
				ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2556752"></a><i class="parameter"><tt>
					
				ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556768"></a><i class="parameter"><tt>
					
				idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556784"></a><i class="parameter"><tt>
					
				idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2556799"></a><i class="parameter"><tt>
					
				idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2556814"></a><i class="parameter"><tt>
					
				map acl inherit = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556830"></a><i class="parameter"><tt>
					
				printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2556845"></a><i class="parameter"><tt>
					
				printer admin = root, chrisr</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2556862"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p><a class="indexterm" name="id2556869"></a>
	The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
	on the LDAP server. You have chosen the Idealx scripts since they are the best known
	LDAP configuration scripts. The use of these scripts will help avoid the necessity
	to create custom scripts. It is easy to download them from the Idealx
	<a href="http://samba.idealx.org/index.en.html" target="_top">Web Site.</a> The tarball may
	be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.8.7.tgz" target="_top">downloaded</a>
	for this site, also. Alternately, you may obtain the 
	<a href="http://samba.idealx.org/dist/smbldap-tools-0.8.7-3.src.rpm" target="_top">smbldap-tools-0.8.7-3.src.rpm</a>
	file that may be used to build an installable RPM package for your Linux system.
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
change the path to them in your <tt class="filename">smb.conf</tt> file on the PDC (<tt class="constant">MASSIVE</tt>).
</p></div><p>
	The smbldap-tools are located in <tt class="filename">/opt/IDEALX/sbin</tt>.
	The scripts are not needed on BDC machines because all LDAP updates are handled by
	the PDC alone.
	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2556940"></a>Installation of smbldap-tools from the tarball</h4></div></div></div><p>
	To perform a manual installation of the smbldap-tools scripts the following procedure may be used:
	</p><div class="procedure"><a name="idealxscript"></a><ol type="1"><li><p>
		Create the <tt class="filename">/opt/IDEALX/sbin</tt> directory, and set its permissions
		and ownership as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /opt/IDEALX/sbin
<tt class="prompt">root# </tt> chown root.root /opt/IDEALX/sbin
<tt class="prompt">root# </tt> chmod 755 /opt/IDEALX/sbin
<tt class="prompt">root# </tt> mkdir -p /etc/smbldap-tools
<tt class="prompt">root# </tt> chown root.root /etc/smbldap-tools
<tt class="prompt">root# </tt> chmod 755 /etc/smbldap-tools
</pre><p>
		</p></li><li><p>
		If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
		Change into either the directory extracted from the tarball, or else into the smbldap-tools
		directory in your <tt class="filename">/usr/share/doc/packages</tt> directory tree.
		</p></li><li><p>
		Copy all the <tt class="filename">smbldap-*</tt> and the <tt class="filename">configure.pl</tt> files into the 
		<tt class="filename">/opt/IDEALX/sbin</tt> directory, as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd smbldap-tools-0.8.7/
<tt class="prompt">root# </tt> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
<tt class="prompt">root# </tt> cp smbldap*conf /etc/smbldap-tools/
<tt class="prompt">root# </tt> chmod 750 /opt/IDEALX/sbin/smbldap-*
<tt class="prompt">root# </tt> chmod 750 /opt/IDEALX/sbin/configure.pl
<tt class="prompt">root# </tt> chmod 640 /etc/smbldap-tools/smbldap.conf
<tt class="prompt">root# </tt> chmod 600 /etc/smbldap-tools/smbldap_bind.conf
</pre><p>
		</p></li><li><p>
		The smbldap-tools scripts master control file must now be configured.
		Change to the <tt class="filename">/opt/IDEALX/sbin</tt> directory, then edit the
		<tt class="filename">smbldap_tools.pm</tt> to affect the changes
		shown here:
</p><pre class="screen">
...
# ugly funcs using global variables and spawning openldap clients

my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
...
</pre><p>
		</p></li><li><p>
		To complete the configuration of the smbldap-tools, set the permissions and ownership
		by executing the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> chown root.root /opt/IDEALX/sbin/* 
<tt class="prompt">root# </tt> chmod 755 /opt/IDEALX/sbin/smbldap-*
<tt class="prompt">root# </tt> chmod 640 /opt/IDEALX/sbin/smb*pm 
</pre><p>
		The smbldap-tools scripts are now ready for the configuration step outlined in
		<a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
		</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2557186"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
	In the event that you have elected to use the RPM package provided by Idealx, download the
	source RPM <tt class="filename">smbldap-tools-0.8.7-3.src.rpm</tt>, then follow the following procedure:
	</p><div class="procedure"><ol type="1"><li><p>
		Install the source RPM that has been downloaded as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -i smbldap-tools-0.8.7-5.src.rpm
</pre><p>
		</p></li><li><p>
		Change into the directory in which the SPEC files are located. On SUSE Linux:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /usr/src/packages/SPECS
</pre><p>
		On Red Hat Linux systems:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /usr/src/redhat/SPECS
</pre><p>
		</p></li><li><p>
		Edit the <tt class="filename">smbldap-tools.spec</tt> file to change the value of the
		<tt class="constant">_sysconfig</tt> macro as shown here:
</p><pre class="screen">
%define _prefix /opt/IDEALX
%define _sysconfdir /etc
</pre><p>
		Note: Any suitable directory can be specified.
		</p></li><li><p>
		Build the package by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpmbuild -ba -v smbldap-tools.spec
</pre><p>
		A build process that has completed without error will place the installable binary
		files in the directory <tt class="filename">../RPMS/noarch</tt>.
		</p></li><li><p>
		Install the binary package by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-5.noarch.rpm
</pre><p>
		</p></li></ol></div><p>
	The Idealx scripts should now be ready for configuration using the steps outlined in
	<a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
	Prior to use the smbldap-tools must be configured to match the settings in the <tt class="filename">smb.conf</tt> file
	and to match the settings in the <tt class="filename">/etc/openldap/slapd.conf</tt> file. The assumption
	is made that the <tt class="filename">smb.conf</tt> file has correct contents. The following procedure will ensure that
	this is completed correctly:
	</p><p>
	The smbldap-tools require that the netbios name (machine name) of the Samba server be included
	in the <tt class="filename">smb.conf</tt> file.
	</p><div class="procedure"><ol type="1"><li><p>
		Change into the directory that contains the <tt class="filename">configure.pl</tt> script.
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /opt/IDEALX/sbin
</pre><p>
		</p></li><li><p>
		Execute the <tt class="filename">configure.pl</tt> script as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> ./configure.pl
</pre><p>
		The interactive use of this script for the PDC is demonstrated here:
</p><pre class="screen">
Unrecognized escape \p passed through at ./configure.pl line 194.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Crtl-c key combination
 . empty value can be set with the "." caracter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Config File Location [/etc/samba/smb.conf] &gt;
smbldap Config file Location (global parameters)
	 [/etc/smbldap-tools/smbldap.conf] &gt;
smbldap Config file Location (bind parameters)
	 [/etc/smbldap-tools/smbldap_bind.conf] &gt;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
  workgroup name [MEGANET2] &gt;
. netbios name: netbios name of the samba controler
  netbios name [MASSIVE] &gt;
. logon drive: local path to which the home directory
	 will be connected (for NT Workstations). Ex: 'H:'
  logon drive [X:] &gt;
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\MASSIVE\home\%U'
  logon home (leave blank if you don't want homeDirectory)
	 [\\MASSIVE\home\%U] &gt; \\MASSIVE\%U
. logon path: directory where roaming profiles are stored.
	 Ex:'\\MASSIVE\profiles\%U'
  logon path (leave blank if you don't want roaming profile)
	 [\\MASSIVE\profiles\%U] &gt;
. home directory prefix (use %U as username)
	 [/home/%U] &gt; /home/users/%U
. default user netlogon script (use %U as username)
	 [%U.cmd] &gt; scripts\login.cmd
  default password validation time (time in days) [45] &gt; 0
. ldap suffix [dc=abmas,dc=biz] &gt;
. ldap group suffix [ou=Groups] &gt;
. ldap user suffix [ou=People] &gt;
. ldap machine suffix [ou=People] &gt;
. Idmap suffix [ou=Idmap] &gt;
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [cn=NextFreeUnixId] &gt;
. ldap master server: IP adress or DNS name
	 of the master (writable) ldap server
Use of uninitialized value in scalar chomp at ./configure.pl
	 line 138, &lt;STDIN&gt; line 17.
Use of uninitialized value in hash element at ./configure.pl
	 line 140, &lt;STDIN&gt; line 17.
Use of uninitialized value in concatenation (.) or string at
	 ./configure.pl line 144, &lt;STDIN&gt; line 17.
Use of uninitialized value in string at ./configure.pl
	 line 145, &lt;STDIN&gt; line 17.
  ldap master server [] &gt; 127.0.0.1
. ldap master port [389] &gt;
. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] &gt;
. ldap master bind password [] &gt;
. ldap slave server: IP adress or DNS name of the slave
	 ldap server: can also be the master one
Use of uninitialized value in scalar chomp at ./configure.pl
	 line 138, &lt;STDIN&gt; line 21.
Use of uninitialized value in hash element at ./configure.pl
	 line 140, &lt;STDIN&gt; line 21.
Use of uninitialized value in concatenation (.) or string at
	 ./configure.pl line 144, &lt;STDIN&gt; line 21.
Use of uninitialized value in string at ./configure.pl line 145,
	 &lt;STDIN&gt; line 21.
  ldap slave server [] &gt; 127.0.0.1
. ldap slave port [389] &gt;
. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] &gt;
. ldap slave bind password [] &gt;
. ldap tls support (1/0) [0] &gt;
. SID for domain MEGANET2: SID of the domain
	 (can be obtained with 'net getlocalsid MASSIVE')
  SID for domain MEGANET2
	 [S-1-5-21-3504140859-1010554828-2431957765] &gt;
. unix password encryption: encryption used for unix passwords
  unix password encryption
	 (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] &gt; MD5
. default user gidNumber [513] &gt;
. default computer gidNumber [515] &gt;
. default login shell [/bin/bash] &gt;
. default domain name to append to mail adress [] &gt; abmas.biz
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf-&gt;
	etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf-&gt;
	etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
</pre><p>
		Since a slave LDAP server has not been configured it is necessary to specify the IP
		address of the master LDAP server for both the master and the slave configuration
		prompts.
		</p></li><li><p>
		Change to the directory that contains the <tt class="filename">smbldap.conf</tt> file
		then verify its contents.
		</p></li></ol></div><p>
	The smbldap-tools are now ready for use.
	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2557579"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
	The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group 
	accounts before Samba can be used. The following procedures step you through the process.
	</p><p>
	At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are
	mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not
	hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
	database. From a UNIX system perspective, the NSS resolver checks system files before
	referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
	does not need to ask LDAP.
	</p><p>
	Addition of an account to the LDAP backend can be done in a number of ways:
	</p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2557610"></a><a class="indexterm" name="id2557618"></a><a class="indexterm" name="id2557626"></a><a class="indexterm" name="id2557634"></a><a class="indexterm" name="id2557642"></a><a class="indexterm" name="id2557650"></a>
	If you always have a user account in the <tt class="filename">/etc/passwd</tt> on every 
	server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in 
	LDAP. In this case, you can add Windows Domain user accounts using the 
	<span><b class="command">pdbedit</b></span> utility. Use of this tool from the command line adds the 
	SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
	</p><p>
	If you decide that it is probably a good idea to add both the PosixAccount attributes
	as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
	In the example system you are installing in this exercise, you are making use of the
	Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system,
	is included on the enclosed CD-ROM under <tt class="filename">Chap06/Tools.</tt>
	</p></blockquote></div><p><a class="indexterm" name="id2557695"></a>
	If you wish to have more control over how the LDAP database is initialized or 
	want not to use the Idealx smbldap-tools, you should refer to <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>.
	</p><p><a class="indexterm" name="id2557718"></a>
	The following steps initialize the LDAP database, and then you can add user and group
	accounts that Samba can use. You use the <span><b class="command">smbldap-populate</b></span> to
	seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#ch6-bigacct" title="Table�6.3.�Abmas Network Users and Groups">???</a>. 
	The list of users does not cover all 500 network users; it provides examples only.
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2557748"></a><a class="indexterm" name="id2557759"></a><a class="indexterm" name="id2557770"></a>
	In the following examples, as the LDAP database is initialized, we do create a container
	for Computer (machine) accounts. In the Samba-3 <tt class="filename">smb.conf</tt> files, specific use is made
	of the People container, not the Computers container, for domain member accounts. This is not a
	mistake; it is a deliberate action that is necessitated by the fact that there is a bug in Samba-3
	that prevents it from being able to search the LDAP database for computer accounts if they are
	placed in the Computers container. By placing all machine accounts in the People container, we
	are able to side-step this bug. It is expected that at some time in the future this problem will
	be resolved. At that time, it will be possible to use the Computers container in order to keep
	machine accounts separate from user accounts.
	</p></div><div class="table"><a name="ch6-bigacct"></a><p class="title"><b>Table�6.3.�Abmas Network Users and Groups</b></p><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left">�</td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left">�</td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left">�</td></tr></tbody></table></div><div class="procedure"><a name="creatacc"></a><ol type="1"><li><p>
		Start the LDAP server by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap start
Starting ldap-server                           done
</pre><p>
		</p></li><li><p>
		Change to the <tt class="filename">/opt/IDEALX/sbin</tt> directory.
		</p></li><li><p>
		Execute the script that will populate the LDAP database as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> ./smbldap-populate -a root -k 0
</pre><p>
		The expected output from this is:
</p><pre class="screen">
Using workgroup name from smb.conf: sambaDomainName=MEGANET2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=&gt; Warning: you must update smbldap.conf configuration file to :
=&gt; sambaUnixIdPooldn parameter must be set
	to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Using builtin directory structure
adding new entry: dc=abmas,dc=biz
adding new entry: ou=People,dc=abmas,dc=biz
adding new entry: ou=Groups,dc=abmas,dc=biz
entry ou=People,dc=abmas,dc=biz already exist.
adding new entry: ou=Idmap,dc=abmas,dc=biz
adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
adding new entry: uid=root,ou=People,dc=abmas,dc=biz
adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
</pre><p>
		</p></li><li><p>
		Edit the <tt class="filename">/etc/smbldap-tools/smbldap.conf</tt> file so that the following
		information is changed from:
</p><pre class="screen">
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
</pre><p>
		to read, after modification:
</p><pre class="screen">
# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
</pre><p>
		</p></li><li><p>
		It is necessary to restart the LDAP server as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcldap restart
Shutting down ldap-server                            done
Starting ldap-server                                 done
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2558150"></a>
		So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data. 
		There are several ways you can check that your LDAP database is able to receive IDMAP information. One of 
		the simplest is to execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> slapcat | grep -i idmap
dn: ou=Idmap,dc=abmas,dc=biz
ou: idmap
</pre><p>
	      <a class="indexterm" name="id2558176"></a>
	        If the execution of this command does not return IDMAP entries, you need to create an LDIF
		template file (see <a href="happy.html#ch6-ldifadd" title="Example�6.12.�LDIF IDMAP Add-On Load File  File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using 
		the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
		-w not24get &lt; /etc/openldap/idmap.LDIF
</pre><p>
		Samba automatically populates this LDAP directory container when it needs to.
		</p></li><li><p><a class="indexterm" name="id2558215"></a>
		It looks like all has gone well, as expected. Let's confirm that this is the case
		by running a few tests. First we check the contents of the database directly
		by running <span><b class="command">slapcat</b></span> as follows (the output has been cut down):
</p><pre class="screen">
<tt class="prompt">root# </tt> slapcat
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: abmas
structuralObjectClass: organization
entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
creatorsName: cn=Manager,dc=abmas,dc=biz
createTimestamp: 20031217234200Z
entryCSN: 2003121723:42:00Z#0x0001#0#0000
modifiersName: cn=Manager,dc=abmas,dc=biz
modifyTimestamp: 20031217234200Z
...
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
creatorsName: cn=Manager,dc=abmas,dc=biz
createTimestamp: 20031217234206Z
entryCSN: 2003121723:42:06Z#0x0002#0#0000
modifiersName: cn=Manager,dc=abmas,dc=biz
modifyTimestamp: 20031217234206Z
</pre><p>
		This looks good so far.
		</p></li><li><p><a class="indexterm" name="id2558267"></a>
		The next step is to prove that the LDAP server is running and responds to a
		search request. Execute the following as shown (output has been cut to save space):
</p><pre class="screen">
<tt class="prompt">root# </tt> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
# extended LDIF
#
# LDAPv3
# base &lt;dc=abmas,dc=biz&gt; with scope sub
# filter: (ObjectClass=*)
# requesting: ALL
#

# abmas.biz
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
dc: abmas
o: abmas

# People, abmas.biz
dn: ou=People,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: People
...
# Domain Computers, Groups, abmas.biz
dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
sambaGroupType: 2
displayName: Domain Computers

# search result
search: 2
result: 0 Success

# numResponses: 20
# numEntries: 19
</pre><p>
		Good. It is all working just fine.
		</p></li><li><p><a class="indexterm" name="id2558325"></a>
		You must now make certain that the NSS resolver can interrogate LDAP also.
		Execute the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd | grep root
root:x:998:512:Netbios Domain Administrator:/home:/bin/false

<tt class="prompt">root# </tt> getent group | grep Domain
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:553:
</pre><p><a class="indexterm" name="id2558356"></a>
		This demonstrates that the <span><b class="command">nss_ldap</b></span> library is functioning
		as it should.
		</p></li><li><p><a class="indexterm" name="id2558378"></a><a class="indexterm" name="id2558386"></a><a class="indexterm" name="id2558394"></a>
		Our database is now ready for the addition of network users. For each user for
		whom an account must be created, execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> ./smbldap-useradd -m -a <tt class="constant">username</tt>
<tt class="prompt">root# </tt> ./smbldap-passwd <tt class="constant">username</tt>
Changing password for <tt class="constant">username</tt>
New password : XXXXXXXX
Retype new password : XXXXXXXX

<tt class="prompt">root# </tt> smbpasswd <tt class="constant">username</tt>
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
</pre><p>
		Where <tt class="constant">username</tt> is the login ID for each user.
		</p></li><li><p><a class="indexterm" name="id2558456"></a>
		Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the
		following:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
...
root:x:0:512:Netbios Domain Administrator:/home:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
</pre><p>
		This demonstates that user account resolution via LDAP is working.
		</p></li><li><p>
		This step will determin
</p><pre class="screen">
<tt class="prompt">root# </tt> id chrisr
uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
</pre><p>
		This confirms that the UNIX (Posix) user account information can be resolved from LDAP
		by system tools that make a getentpw() system call.
		</p></li><li><p><a class="indexterm" name="id2558513"></a>
		The 'root' account must have UID=0, if not this means that operations conducted from
		a Windows client using tools such as the Domain User Manager fails under UNIX because
		the management of user and group accounts requires that the UID=0. Additionally, it is
		a good idea to make certain that no matter how 'root' account credentials are resolved
		that the home directory and shell are valid. You decide to effect this immediately
		as demonstrated here:
</p><pre class="screen">
<tt class="prompt">root# </tt> cd /opt/IDEALX/sbin
<tt class="prompt">root# </tt> ./smbldap-usermod -u 0 -d /root -s /bin/bash root
</pre><p>
		</p></li><li><p>
		Verify that the changes just made to the <tt class="constant">root</tt> account were
		accepted by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
</pre><p>
		This demonstrates that the changes were accepted.
		</p></li><li><p>
		Make certain that a home directory has been created for every user by listing the
		directories in <tt class="filename">/home</tt> as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> ls -al /home
drwxr-xr-x   8 root   root         176 Dec 17 18:50 ./
drwxr-xr-x  21 root   root         560 Dec 15 22:19 ../
drwx------   7 bobj   Domain Users     568 Dec 17 01:16 bobj/
drwx------   7 chrisr Domain Users     568 Dec 17 01:19 chrisr/
drwx------   7 maryv  Domain Users     568 Dec 17 01:27 maryv/
drwx------   7 stans  Domain Users     568 Dec 17 01:43 stans/
</pre><p>
		This is precisely what we want to see.
		</p></li><li><p><a class="indexterm" name="id2558614"></a><a class="indexterm" name="id2558622"></a>
		The final validation step involves making certain that Samba-3 can obtain the user
		accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
</p><pre class="screen">
<tt class="prompt">root# </tt> pdbedit -Lv chrisr
Unix username:        chrisr
NT username:          chrisr
Account Flags:        [U          ]
User SID:             S-1-5-21-3504140859-1010554828-2431957765-3004
Primary Group SID:    S-1-5-21-3504140859-1010554828-2431957765-513
Full Name:            System User
Home Directory:       \\MASSIVE\homes
HomeDir Drive:        H:
Logon Script:         scripts\login.cmd
Profile Path:         \\MASSIVE\profiles\chrisr
Domain:               MEGANET2
Account desc:         System User
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
Password last set:    Wed, 17 Dec 2003 17:17:40 GMT
Password can change:  Wed, 17 Dec 2003 17:17:40 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
</pre><p>
		This looks good. Of course, you fully expected that it would all work, didn't you?
		</p></li><li><p><a class="indexterm" name="id2558668"></a>
		Now you add the group accounts that are used on the Abmas network. Execute
		the following exactly as shown:
</p><pre class="screen">
<tt class="prompt">root# </tt> ./smbldap-groupadd -a Accounts
<tt class="prompt">root# </tt> ./smbldap-groupadd -a Finances
<tt class="prompt">root# </tt> ./smbldap-groupadd -a PIOps
</pre><p>
		The addition of groups does not involve keyboard interaction, so the lack of console
		output is of no concern.
		</p></li><li><p><a class="indexterm" name="id2558711"></a>
		You really do want to confirm that UNIX group resolution from LDAP is functioning 
		as it should. Let's do this as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent group
...
Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv
Domain Guests:x:514:
...
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:
</pre><p>
		The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
		as our own site-specific group accounts, are correctly listed. This is looking good.
		</p></li><li><p><a class="indexterm" name="id2558745"></a>
		The final step we need to validate is that Samba can see all the Windows Domain Groups
		and that they are correctly mapped to the respective UNIX group account. To do this,
		just execute the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> net groupmap list
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -&gt; Domain Admins
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -&gt; Domain Users
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -&gt; Domain Guests
...
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -&gt; Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -&gt; Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -&gt; PIOps
</pre><p>
		This is looking good. Congratulations  it works! Note that in the above output
		the lines where shortened by replacing the middle value (1010554828) of the SID with the 
		elipsis (...).
		</p></li><li><p>
		The server you have so carefully built is now ready for another important step. You 
		start the Samba-3 server and validate its operation. Execute the following to render all 
		the processes needed fully operative so that, on system reboot, they are automatically 
		started:
</p><pre class="screen">
<tt class="prompt">root# </tt> chkconfig named on
<tt class="prompt">root# </tt> chkconfig dhcpd on
<tt class="prompt">root# </tt> chkconfig ldap on
<tt class="prompt">root# </tt> chkconfig nmb on
<tt class="prompt">root# </tt> chkconfig smb on
<tt class="prompt">root# </tt> chkconfig winbind on
<tt class="prompt">root# </tt> rcnmb start
<tt class="prompt">root# </tt> rcsmb start
<tt class="prompt">root# </tt> rcwinbind start
</pre><p>
		</p></li><li><p>
		The next step might seem a little odd at this point, but take note that you are about to
		start <span><b class="command">winbindd</b></span> which must be able to authenticate to the PDC via the
		localhost interface with the <span><b class="command">smbd</b></span> process. This account can be
		easily created by joining the PDC to the Domain by executing the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc join -S MASSIVE -U root%not24get
</pre><p>
		Note: Before executing this command on the PDC both <span><b class="command">nmbd</b></span> and
		<span><b class="command">smbd</b></span> must be started so that the <span><b class="command">net</b></span> command
		can communicate with <span><b class="command">smbd</b></span>. The expected output is:
</p><pre class="screen">
Joined domain MEGANET2.
</pre><p>
		This indicates that the Domain security account for the PDC has been correctly created.
		</p></li><li><p>
		At this time it is necessary to restart <span><b class="command">winbindd</b></span> so that it can
		correctly authenticate to the PDC. The following command achieves that:
</p><pre class="screen">
<tt class="prompt">root# </tt> rcwinbind restart
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2558963"></a>
		You may now check Samba-3 operation as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbclient -L massive -U%

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba 3.0.1)
        accounts       Disk      Accounting Files
        service        Disk      Financial Services Files
        pidata         Disk      Property Insurance Files
        apps           Disk      Application Files
        netlogon       Disk      Network Logon Service
        profiles       Disk      Profile Share
        profdata       Disk      Profile Data Share
        ADMIN$         IPC       IPC Service (Samba 3.0.1)

        Server               Comment
        ---------            -------
        MASSIVE              Samba 3.0.1

        Workgroup            Master
        ---------            -------
        MEGANET2             MASSIVE
</pre><p>
	This shows that an anonymous connection is working.
		</p></li><li><p>
		For your finale, let's try an authenticated connection. Follow this as shown:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbclient //massive/bobj -Ubobj%n3v3r2l8
smb: \&gt; dir
  .                    D        0  Wed Dec 17 01:16:19 2003
  ..                   D        0  Wed Dec 17 19:04:42 2003
  bin                  D        0  Tue Sep  2 04:00:57 2003
  Documents            D        0  Sun Nov 30 07:28:20 2003
  public_html          D        0  Sun Nov 30 07:28:20 2003
  .urlview             H      311  Fri Jul  7 06:55:35 2000
  .dvipsrc             H      208  Fri Nov 17 11:22:02 1995

          57681 blocks of size 524288. 57128 blocks available
smb: \&gt; q
</pre><p>
		Well done. All is working fine.
		</p></li></ol></div><p>
	The server <tt class="constant">MASSIVE</tt> is now configured, and it is time to move onto the next task.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-ptrcfg"></a>Printer Configuration</h3></div></div></div><p><a class="indexterm" name="id2559061"></a>
	The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
	taken care of in the <tt class="filename">smb.conf</tt> file. The only preparation needed for
	  <tt class="constant">smart</tt>
	printing to be possible involves creation of the directories in which Samba-3 stores
	Windows printing driver files.
	</p><div class="procedure"><ol type="1"><li><p>
                Configure all network attached printers to have a fixed IP address.
                </p></li><li><p>
                Create an entry in the DNS database on the server <tt class="constant">MASSIVE</tt>
                in both the forward lookup database for the zone <tt class="constant">abmas.biz.hosts</tt>
                and in the reverse lookup database for the network segment that the printer is to
                be located in. Example configuration files for similar zones were presented in
                <a href="secure.html#abmasbiz" title="Example�4.14.�DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example�4.13.�DNS 192.168.2 Reverse Zone File">???</a>.
                </p></li><li><p>
                Follow the instructions in the printer manufacturers' manuals to permit printing
                to port 9100.  Use any other port the manufacturer specifies for direct mode,
                raw printing.  This allows the CUPS spooler to print using raw mode protocols.
                <a class="indexterm" name="id2559137"></a>
                <a class="indexterm" name="id2559144"></a>
                </p></li><li><p><a class="indexterm" name="id2559156"></a>
                <a class="indexterm" name="id2559165"></a>
                Only on the server to which the printer is attached, configure the CUPS Print
                Queues as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> lpadmin -p <i class="parameter"><tt>printque</tt></i>
	 -v socket://<i class="parameter"><tt>printer-name</tt></i>.abmas.biz:9100 -E
</pre><p>
                <a class="indexterm" name="id2559201"></a>
                This step creates the necessary print queue to use no assigned print filter. This
                is ideal for raw printing, i.e., printing without use of filters.
                The name <i class="parameter"><tt>printque</tt></i> is the name you have assigned for
                the particular printer.
                </p></li><li><p>
                Print queues may not be enabled at creation. Make certain that the queues
                you have just created are enabled by executing the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> /usr/bin/enable <i class="parameter"><tt>printque</tt></i>
</pre><p>
                </p></li><li><p>
                Even though your print queue may be enabled, it is still possible that it
                may not accept print jobs. A print queue will service incoming printing
                requests only when configured to do so. Ensure that your print queue is
                set to accept incoming jobs by executing the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> /usr/bin/accept <i class="parameter"><tt>printque</tt></i>
</pre><p>
                </p></li><li><p>
                <a class="indexterm" name="id2559282"></a>
                <a class="indexterm" name="id2559289"></a>
                <a class="indexterm" name="id2559296"></a>
                Edit the file <tt class="filename">/etc/cups/mime.convs</tt> to uncomment the line:
</p><pre class="screen">
application/octet-stream     application/vnd.cups-raw      0     -
</pre><p>
		</p></li><li><p>
		 <a class="indexterm" name="id2559324"></a>
		 Edit the file <tt class="filename">/etc/cups/mime.types</tt> to uncomment the line:
</p><pre class="screen">
application/octet-stream
</pre><p>
	        </p></li><li><p>
	        Refer to the CUPS printing manual for instructions regarding how to configure
	        CUPS so that print queues that reside on CUPS servers on remote networks
	        route print jobs to the print server that owns that queue. The default setting
	        on your CUPS server may automatically discover remotely installed printers and
	        may permit this functionality without requiring specific configuration.
	        </p></li><li><p>
		The following action creates the necessary directory sub-system. Follow these 
		steps to printing heaven:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
<tt class="prompt">root# </tt> chown -R root.root /var/lib/samba/drivers
<tt class="prompt">root# </tt> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
</pre><p>
		</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch6-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2559406"></a><p class="title"><b>Procedure�6.10.�Configuration of BDC Called: <tt class="constant">BLDG1</tt></b></p><ol type="1"><li><p>
		Install the files in <a href="happy.html#ch6-bldg1-smbconf" title="Example�6.8.�LDAP Based smb.conf File, Server: BLDG1">???</a>,
		<a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section  Part A">???</a>, and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section  Part B">???</a>
		into the <tt class="filename">/etc/samba/</tt> directory. The three files
		should be added together to form the <tt class="filename">smb.conf</tt> file.
		</p></li><li><p>
		Verify the <tt class="filename">smb.conf</tt> file as in step 2 of <a href="happy.html#ch6-massive" title="Samba-3 PDC Configuration">???</a>.
		</p></li><li><p>
		Carefully follow the steps outlined in <a href="happy.html#ch6-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking
		particular note to install the correct <tt class="filename">ldap.conf</tt>.
		</p></li><li><p>
		Verify that the NSS resolver is working. You may need to cycle the run level
		to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
		commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> init 1
</pre><p>
		After the run level has been achieved, you are prompted to provide the
		<tt class="constant">root</tt> password. Log on, and then execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> init 5
</pre><p>
		When the normal logon prompt appears, log into the system as
	    <tt class="constant">root</tt>
		and then execute these commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
...
root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
nobody:x:999:514:nobody:/dev/null:/bin/false
bobj:x:1000:513:System User:/home/bobj:/bin/bash
stans:x:1001:513:System User:/home/stans:/bin/bash
chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
maryv:x:1003:513:System User:/home/maryv:/bin/bash
vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
</pre><p>
		This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
		</p></li><li><p><a class="indexterm" name="id2559566"></a>
		The next step in the verification process involves testing the operation of UNIX group
		resolution via the NSS LDAP resolver. Execute these commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> getent group
root:x:0:
bin:x:1:daemon
daemon:x:2:
sys:x:3:
...
Domain Admins:x:512:root
Domain Users:x:513:bobj,stans,chrisr,maryv,jht
Domain Guests:x:514:
Administrators:x:544:
Users:x:545:
Guests:x:546:nobody
Power Users:x:547:
Account Operators:x:548:
Server Operators:x:549:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Accounts:x:1000:
Finances:x:1001:
PIOps:x:1002:
</pre><p>
		This is also the correct and desired output, because it demonstrates that the LDAP client
		is able to communicate correctly with the LDAP server
	    (<tt class="constant">MASSIVE</tt>).
		</p></li><li><p><a class="indexterm" name="id2559608"></a>
		You must now set the LDAP administrative password into the
	    Samba-3 <tt class="filename">secrets.tdb</tt>
		file by executing this command:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbpasswd -w not24get
Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
</pre><p>
		</p></li><li><p>
		Now you must obtain the Domain Security Identifier from the PDC and store it into the
		<tt class="filename">secrets.tdb</tt> file also. This step is not necessary with an LDAP
		passdb backend because Samba-3 obtains the Domain SID from the 
		sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
		add the SID to the <tt class="filename">secrets.tdb</tt>, and if you wish to do so, this 
		command can achieve that:
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
                           for Domain MEGANET2 in secrets.tdb
</pre><p>
		When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
		any special action to join it to the Domain. However, winbind communicates with the
		Domain Controller that is running on the localhost and must be able to authenticate,
		thus requiring that the BDC should be joined to the Domain. The process of joining
		the Domain creates the necessary authentication accounts.
		</p></li><li><p>
		To join the Samba BDC to the Domain execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> net rpc join -U root%not24get
Joined domain MEGANET2.
</pre><p>
		This indicates that the Domain security account for the BDC has been correctly created.
		</p></li><li><p>
		<a class="indexterm" name="id2559711"></a>
		Verify that user and group account resolution works via Samba-3 tools as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> pdbedit -L
root:0:root
nobody:65534:nobody
bobj:1000:System User
stans:1001:System User
chrisr:1002:System User
maryv:1003:System User
bldg1$:1006:bldg1$

<tt class="prompt">root# </tt> net groupmap list
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -&gt; Domain Admins
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -&gt; Domain Users
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -&gt; Domain Guests
Administrators (S-1-5-21-3504140859-...-2431957765-544) -&gt; Administrators
...
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -&gt; Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -&gt; Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -&gt; PIOps
</pre><p>
		The above results show that all things are in order.
		</p></li><li><p>
                The server you have so carefully built is now ready for another important step. Now
                start the Samba-3 server and validate its operation. Execute the following to render all
                the processes needed fully operative so that, upon system reboot, they are automatically
                started:
</p><pre class="screen">
<tt class="prompt">root# </tt> chkconfig named on
<tt class="prompt">root# </tt> chkconfig dhcpd on
<tt class="prompt">root# </tt> chkconfig nmb on
<tt class="prompt">root# </tt> chkconfig smb on
<tt class="prompt">root# </tt> chkconfig winbind on
<tt class="prompt">root# </tt> rcnmb start
<tt class="prompt">root# </tt> rcsmb start
<tt class="prompt">root# </tt> rcwinbind start
</pre><p>
		Samba-3 should now be running and is ready for a quick test. But not quite yet!
                </p></li><li><p>
		Your new <tt class="constant">BLDG1, BLDG2</tt> servers do not have home directories for users.
		To rectify this using the SUSE yast2 utility or by manually editing the <tt class="filename">/etc/fstab</tt>
		file, add a mount entry to mount the <tt class="constant">home</tt> directory that has been exported
		from the <tt class="constant">MASSIVE</tt> server. Mount this resource before proceeding. An alternate
		approach could be to create local home directories for users who are to use these machines.
		This is a choice that you, as system administrator, must make. The following entry in the
		<tt class="filename">/etc/fstab</tt> file suffices for now:
</p><pre class="screen">
massive.abmas.biz:/home  /home  nfs     rw 0 0
</pre><p>
		To mount this resource, execute:
</p><pre class="screen">
<tt class="prompt">root# </tt> mount -a
</pre><p>
		Verify that the home directory has been mounted as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> df | grep home
massive:/home         29532988    283388  29249600   1% /home
</pre><p>
		</p></li><li><p>
		Implement a quick check using one of the users that is in the LDAP database. Here you go:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbclient //bldg1/bobj -Ubobj%n3v3r2l8
smb: \&gt; dir
  .                    D        0  Wed Dec 17 01:16:19 2003
  ..                   D        0  Wed Dec 17 19:04:42 2003
  bin                  D        0  Tue Sep  2 04:00:57 2003
  Documents            D        0  Sun Nov 30 07:28:20 2003
  public_html          D        0  Sun Nov 30 07:28:20 2003
  .urlview             H      311  Fri Jul  7 06:55:35 2000
  .dvipsrc             H      208  Fri Nov 17 11:22:02 1995

          57681 blocks of size 524288. 57128 blocks available
smb: \&gt; q
</pre><p>
		</p></li></ol></div><div class="procedure"><a name="ch6-bldg2"></a><p class="title"><b>Procedure�6.11.�Configuration of BDC Called: <tt class="constant">BLDG2</tt></b></p><ol type="1"><li><p>
		Install the files in <a href="happy.html#ch6-bldg2-smbconf" title="Example�6.9.�LDAP Based smb.conf File, Server: BLDG2">???</a>,
		<a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section  Part A">???</a>, and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section  Part B">???</a>
		into the <tt class="filename">/etc/samba/</tt> directory. The three files
		should be added together to form the <tt class="filename">smb.conf</tt> file.
		</p></li><li><p>
		Follow carefully the steps shown in <a href="happy.html#ch6-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2.
		</p></li></ol></div><div class="example"><a name="ch6-bldg1-smbconf"></a><p class="title"><b>Example�6.8.�LDAP Based smb.conf File, Server: BLDG1</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2560036"></a><i class="parameter"><tt>
					
				unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2560051"></a><i class="parameter"><tt>
					
				workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560067"></a><i class="parameter"><tt>
					
				netbios name = BLDG1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560082"></a><i class="parameter"><tt>
					
				passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560099"></a><i class="parameter"><tt>
					
				enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560114"></a><i class="parameter"><tt>
					
				username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2560130"></a><i class="parameter"><tt>
					
				log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560145"></a><i class="parameter"><tt>
					
				syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2560160"></a><i class="parameter"><tt>
					
				log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2560176"></a><i class="parameter"><tt>
					
				max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2560191"></a><i class="parameter"><tt>
					
				smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2560207"></a><i class="parameter"><tt>
					
				name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2560223"></a><i class="parameter"><tt>
					
				printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2560238"></a><i class="parameter"><tt>
					
				show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560254"></a><i class="parameter"><tt>
					
				logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2560270"></a><i class="parameter"><tt>
					
				logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2560285"></a><i class="parameter"><tt>
					
				logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2560301"></a><i class="parameter"><tt>
					
				domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560316"></a><i class="parameter"><tt>
					
				domain master = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560332"></a><i class="parameter"><tt>
					
				wins server = 172.16.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560347"></a><i class="parameter"><tt>
					
				ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560363"></a><i class="parameter"><tt>
					
				ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560379"></a><i class="parameter"><tt>
					
				ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560394"></a><i class="parameter"><tt>
					
				ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560410"></a><i class="parameter"><tt>
					
				ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2560425"></a><i class="parameter"><tt>
					
				ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560442"></a><i class="parameter"><tt>
					
				idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560458"></a><i class="parameter"><tt>
					
				idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560473"></a><i class="parameter"><tt>
					
				idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560488"></a><i class="parameter"><tt>
					
				printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560504"></a><i class="parameter"><tt>
					
				printer admin = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-bldg2-smbconf"></a><p class="title"><b>Example�6.9.�LDAP Based smb.conf File, Server: BLDG2</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2560547"></a><i class="parameter"><tt>
					
				unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2560563"></a><i class="parameter"><tt>
					
				workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560578"></a><i class="parameter"><tt>
					
				netbios name = BLDG2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560594"></a><i class="parameter"><tt>
					
				passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560611"></a><i class="parameter"><tt>
					
				enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560626"></a><i class="parameter"><tt>
					
				username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2560642"></a><i class="parameter"><tt>
					
				log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560657"></a><i class="parameter"><tt>
					
				syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2560672"></a><i class="parameter"><tt>
					
				log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2560687"></a><i class="parameter"><tt>
					
				max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2560703"></a><i class="parameter"><tt>
					
				smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2560718"></a><i class="parameter"><tt>
					
				name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2560735"></a><i class="parameter"><tt>
					
				printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2560750"></a><i class="parameter"><tt>
					
				show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560766"></a><i class="parameter"><tt>
					
				logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2560782"></a><i class="parameter"><tt>
					
				logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2560797"></a><i class="parameter"><tt>
					
				logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2560812"></a><i class="parameter"><tt>
					
				domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560828"></a><i class="parameter"><tt>
					
				domain master = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560844"></a><i class="parameter"><tt>
					
				wins server = 172.16.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560859"></a><i class="parameter"><tt>
					
				ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560874"></a><i class="parameter"><tt>
					
				ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560891"></a><i class="parameter"><tt>
					
				ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560906"></a><i class="parameter"><tt>
					
				ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560921"></a><i class="parameter"><tt>
					
				ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2560937"></a><i class="parameter"><tt>
					
				ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560954"></a><i class="parameter"><tt>
					
				idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560969"></a><i class="parameter"><tt>
					
				idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560984"></a><i class="parameter"><tt>
					
				idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2561000"></a><i class="parameter"><tt>
					
				printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2561015"></a><i class="parameter"><tt>
					
				printer admin = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-shareconfa"></a><p class="title"><b>Example�6.10.�LDAP Based smb.conf File, Shares Section  Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561054"></a><i class="parameter"><tt>
					
				comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561069"></a><i class="parameter"><tt>
					
				path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2561084"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[service]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561108"></a><i class="parameter"><tt>
					
				comment = Financial Services Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561124"></a><i class="parameter"><tt>
					
				path = /data/service</tt></i></td></tr><tr><td><a class="indexterm" name="id2561139"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[pidata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561164"></a><i class="parameter"><tt>
					
				comment = Property Insurance Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561180"></a><i class="parameter"><tt>
					
				path = /data/pidata</tt></i></td></tr><tr><td><a class="indexterm" name="id2561195"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561219"></a><i class="parameter"><tt>
					
				comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2561234"></a><i class="parameter"><tt>
					
				valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2561250"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561265"></a><i class="parameter"><tt>
					
				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561289"></a><i class="parameter"><tt>
					
				comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2561305"></a><i class="parameter"><tt>
					
				path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2561320"></a><i class="parameter"><tt>
					
				guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561336"></a><i class="parameter"><tt>
					
				printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561351"></a><i class="parameter"><tt>
					
				browseable = No</tt></i></td></tr></table></div><div class="example"><a name="ch6-shareconfb"></a><p class="title"><b>Example�6.11.�LDAP Based smb.conf File, Shares Section  Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[apps]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561390"></a><i class="parameter"><tt>
					
				comment = Application Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561405"></a><i class="parameter"><tt>
					
				path = /apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2561420"></a><i class="parameter"><tt>
					
				admin users = bjordan</tt></i></td></tr><tr><td><a class="indexterm" name="id2561435"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561460"></a><i class="parameter"><tt>
					
				comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2561476"></a><i class="parameter"><tt>
					
				path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2561491"></a><i class="parameter"><tt>
					
				guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561506"></a><i class="parameter"><tt>
					
				locking = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561530"></a><i class="parameter"><tt>
					
				comment = Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2561546"></a><i class="parameter"><tt>
					
				path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><a class="indexterm" name="id2561561"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561576"></a><i class="parameter"><tt>
					
				profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profdata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561601"></a><i class="parameter"><tt>
					
				comment = Profile Data Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2561616"></a><i class="parameter"><tt>
					
				path = /var/lib/samba/profdata</tt></i></td></tr><tr><td><a class="indexterm" name="id2561632"></a><i class="parameter"><tt>
					
				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561647"></a><i class="parameter"><tt>
					
				profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561671"></a><i class="parameter"><tt>
					
				comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2561687"></a><i class="parameter"><tt>
					
				path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2561702"></a><i class="parameter"><tt>
					
				browseable = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561718"></a><i class="parameter"><tt>
					
				guest ok = no</tt></i></td></tr><tr><td><a class="indexterm" name="id2561733"></a><i class="parameter"><tt>
					
				read only = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561748"></a><i class="parameter"><tt>
					
				write list = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-ldifadd"></a><p class="title"><b>Example�6.12.�LDIF IDMAP Add-On Load File  File: /etc/openldap/idmap.LDIF</b></p><pre class="screen">
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2561786"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
	My father would say, &#8220;<span class="quote"><span class="emphasis"><em>Dinner is not over until the dishes have been done.</em></span></span>&#8221;
	The makings of a great network environment take a lot of effort and attention to detail.
	So far you have completed most of the complex (and to many administrators, the interesting
	part of server configuration) steps, but remember to tie it all together. Here are
	a few more steps that must be completed so that your network runs like a well-rehearsed
	orchestra.
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2561807"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
	In your <tt class="filename">smb.conf</tt> file, you have specified Windows shares. Each has a
	  <i class="parameter"><tt>path</tt></i>
	parameter. Even though it is obvious to all, one of the common Samba networking problems is
	caused by forgetting to verify that every such share root directory actually exists and that it
	has the necessary permissions and ownership.
	</p><p>
	Here is an example, but remember to create the directory needed for every share:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /data/{accounts,finsvcs,piops}
<tt class="prompt">root# </tt> mkdir -p /apps
<tt class="prompt">root# </tt> chown -R root.root /data
<tt class="prompt">root# </tt> chown -R root.root /apps
<tt class="prompt">root# </tt> chown -R bobj.Accounts /data/accounts
<tt class="prompt">root# </tt> chown -R bobj.Finances /data/finsvcs
<tt class="prompt">root# </tt> chown -R bobj.PIOps /data/pidata
<tt class="prompt">root# </tt> chmod -R ug+rwxs,o-rwx /data
<tt class="prompt">root# </tt> chmod -R ug+rwx,o+rx-w /apps
</pre><p>
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2561902"></a>Configuring Profile Directories</h3></div></div></div><p>
	You made a conscious decision to do everything it would take to improve network client
	performance. One of your decisions was to implement folder redirection. This means that Windows
	user desktop profiles are now made up of two components  a dynamically loaded part and a set of file
	network folders.
	</p><p>
	For this arrangement to work, every user needs a directory structure for the network folder
	portion of their profile as shown here:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/profdata
<tt class="prompt">root# </tt> chown root.root /var/lib/samba/profdata
<tt class="prompt">root# </tt> chmod 755 /var/lib/samba/profdata

# Per user structure
<tt class="prompt">root# </tt> cd /var/lib/samba/profdata
<tt class="prompt">root# </tt> mkdir -p <span class="emphasis"><em>username</em></span>
<tt class="prompt">root# </tt> for i in InternetFiles Cookies History AppData \
                      LocalSettings MyPictures MyDocuments Recent
<tt class="prompt">root# </tt> do
<tt class="prompt">root# </tt> mkdir <span class="emphasis"><em>username</em></span>/$i
<tt class="prompt">root# </tt> done
<tt class="prompt">root# </tt> chown -R <span class="emphasis"><em>username</em></span>.Domain\ Users <span class="emphasis"><em>username</em></span>
<tt class="prompt">root# </tt> chmod -R 750 <span class="emphasis"><em>username</em></span>
</pre><p>
	</p><p><a class="indexterm" name="id2562020"></a><a class="indexterm" name="id2562028"></a>
	You have three options insofar as the dynamically loaded portion of the roaming profile
	is concerned: 
	</p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
	  Mandatory profiles cannot be overwritten by a user. The change from
	  a user profile to a mandatory profile is effected by renaming the
	  <tt class="filename">NTUSER.DAT</tt> to
	  <tt class="filename">NTUSER.MAN</tt>, i.e., just by changing the filename
	  extension.
	  </p><p><a class="indexterm" name="id2562079"></a><a class="indexterm" name="id2562087"></a>
	The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend.
	You can manage this using the Idealx smbldap-tools or using the 
	<a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager.</a>
	</p><p>
	It may not be obvious that you must ensure that the root directory for the user's profile exists
	and has the needed permissions. Use the following commands to create this directory:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
<tt class="prompt">root# </tt> chown <span class="emphasis"><em>username</em></span>.Domain\ Users
	    /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
<tt class="prompt">root# </tt> chmod 700  /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
</pre><p>
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2562154"></a>Preparation of Logon Scripts</h3></div></div></div><p><a class="indexterm" name="id2562161"></a>
	The use of a logon script with Windows XP Professional is an option that every site should consider.
	Unless you have locked down the desktop so the user cannot change anything, there is risk that
	a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
	can help to restore persistent network folder (drive) and printer connections in a predictable
	manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
	user attaches to another company's network that forces environment changes that are alien to your
	network.
	</p><p>
	If you decide to use network logon scripts, by reference to the <tt class="filename">smb.conf</tt> files for the Domain
	Controllers, you see that the path to the share point for the
	  <tt class="constant">NETLOGON</tt>
	share defined is <tt class="filename">/var/lib/samba/netlogon</tt>. The path defined for the logon
	script inside that share is <tt class="filename">scripts\logon.bat</tt>. This means that as a Windows
	NT/200x/XP client logs onto the network, it tries to obtain the file
	  <tt class="filename">logon.bat</tt>
	from the fully qualified path <tt class="filename">/var/lib/samba/netlogon/scripts</tt>. This fully
	qualified path should, therefore, exist whether you install the
	  <tt class="filename">logon.bat</tt>.
	</p><p>
	You can, of course, create the fully qualified path by executing:
</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/netlogon/scripts
</pre><p>
	</p><p>
	You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG</em></span>, Chapter 21,
	Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon
	facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart.</a>
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2562266"></a>Assigning Domain Privileges</h3></div></div></div><p>
	The ability to perform tasks such as joining Windows clients to the domain can be assigned to
	normal user accounts. By default, only the domain administrator account (<tt class="constant">root</tt> on UNIX
	systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
	this privilege in a very limited fashion to particular accounts.
	</p><p>
	By default, even Samba 3.0.11 does not grant any rights even to the <tt class="constant">Domain Admins</tt>
	group. Here we will grant this group all privileges.
	</p><p>
	Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
	are granted rights can be restricted to particular machines. It is left to the network administrator
	to determine which rights should be provided and to whom.
	</p><div class="procedure"><ol type="1"><li><p>
		Log onto the primary domain controller (PDC) as the <tt class="constant">root</tt> account.
		</p></li><li><p>
		Execute the following command to grant the <tt class="constant">Domain Admins</tt> group all
		rights and privileges:
</p><pre class="screen">
<tt class="prompt">root# </tt> net -S MASSIVE  -U root%not24get rpc rights grant \
        "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
	SePrintOperatorPrivilege SeAddUsersPrivilege \
	SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Successfully granted rights.
</pre><p>
		Repeat this step on each domain controller in each case substituting the name of the server
		(e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE.
		</p></li><li><p>
		In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
		to the domain. Execute the following only on the PDC. It is not necessary to do this on
		BDCs or on DMS machines because machine accounts are only ever added by the PDC:
</p><pre class="screen">
<tt class="prompt">root# </tt> net -S MASSIVE  -U root%not24get rpc rights grant \
             "MEGANET2\bobj" SeMachineAccountPrivilege
Successfully granted rights.
</pre><p>
		</p></li><li><p>
		Verify that the assignment of privileges have been correctly applied by executing:
</p><pre class="screen">
net rpc rights list accounts -Uroot%not24get
MEGANET2\bobj
SeMachineAccountPrivilege

S-0-0
No privileges assigned

BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
No privileges assigned

Everyone
No privileges assigned

MEGANET2\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</pre><p>
		</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2562396"></a>Windows Client Configuration</h2></div></div></div><p><a class="indexterm" name="id2562403"></a>
	In the next few sections, you can configure a new Windows XP Professional disk image on a staging
	machine. You will configure all software, printer settings, profile and policy handling, and desktop
	default profile settings on this system. When it is complete, you copy the contents of the
	<tt class="filename">C:\Documents and Settings\Default User</tt> directory to a directory with the same
	name in the <tt class="constant">NETLOGON</tt> share on the Domain Controllers.
	</p><p>
	Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
	One knowledge-base article in particular stands out. See:
	<a href="http://support.microsoft.com/default.aspx&scid=kb;en-us;168475" target="_top">How to Create a 
	Base Profile for All Users.</a>

	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p><a class="indexterm" name="id2562454"></a>
	Log onto the Windows XP Professional workstation as the local <tt class="constant">Administrator</tt>.
	It is necessary to expose folders that are generally hidden to provide
	  access to the <tt class="constant">Default User</tt>
	folder.
	</p><div class="procedure"><a name="id2562474"></a><p class="title"><b>Procedure�6.13.�Expose Hidden Folders</b></p><ol type="1"><li><p>
		Launch the Windows Explorer by clicking
			<span class="guimenu">Start</span>-&gt;<span class="guimenuitem">My Computer</span>-&gt;<span class="guimenuitem">Tools</span>-&gt;<span class="guimenuitem">Folder Options</span>-&gt;<span class="guimenuitem">View Tab</span>.
		Select <span class="guilabel">Show hidden files and folders</span>,
	      and click <span class="guibutton">OK</span>.
		Exit Windows Explorer.
		</p></li><li><p><a class="indexterm" name="id2562539"></a>
		Launch the Registry Editor. Click 
		<span class="guimenu">Start</span>-&gt;<span class="guimenuitem">Run</span>. Key in <span><b class="command">regedt32</b></span>, and click
	      <span class="guibutton">OK</span>.
		</p></li></ol></div><p>
	</p><div class="procedure"><a name="ch6-rdrfldr"></a><p class="title"><b>Procedure�6.14.�Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p><a class="indexterm" name="id2562598"></a><a class="indexterm" name="id2562606"></a>
		Give focus to <tt class="constant">HKEY_LOCAL_MACHINE</tt> hive entry in the left panel.
		Click <span class="guimenu">File</span>-&gt;<span class="guimenuitem">Load Hive...</span>-&gt;<span class="guimenuitem">[Panel] Documents and Settings</span>-&gt;<span class="guimenuitem">[Panel] Default User</span>-&gt;<span class="guimenuitem">NTUSER</span>-&gt;<span class="guimenuitem">Open</span>. In the dialog box that opens, enter the
	      key name <tt class="constant">Default</tt>
		and click <span class="guibutton">OK</span>.
		</p></li><li><p>
		Browse inside the newly loaded Default folder to:
</p><pre class="screen">
HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
                     CurrentVersion\Explorer\User Shell Folders\
</pre><p>
		The contents of the right panel reveals the contents as
	      shown in <a href="happy.html#XP-screen001" title="Figure�6.3.�Windows XP Professional  User Shared Folders">???</a>.
		</p></li><li><p><a class="indexterm" name="id2562700"></a><a class="indexterm" name="id2562708"></a>
		You edit hive keys. Acceptable values to replace the 
		<tt class="constant">%USERPROFILE%</tt> variable includes:

		</p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as: <tt class="constant">U:</tt></p></li><li><p>A direct network path such as:
		    <tt class="constant">\\MASSIVE\profdata</tt></p></li><li><p>A network redirection (UNC name) that contains a macro such as: </p><p><tt class="constant">\\%LOGONSERVER%\profdata\</tt></p></li></ul></div><p>
		</p></li><li><p><a class="indexterm" name="id2562756"></a>
		Set the registry keys as shown in <a href="happy.html#proffold" title="Table�6.4.�Default Profile Redirections">???</a>. Your implementation makes the assumption
		that users have statically located machines. Notebook computers (mobile users) need to be
		accommodated using local profiles. This is not an uncommon assumption.
		</p></li><li><p>
		Click back to the root of the loaded hive <tt class="constant">Default</tt>.
		Click <span class="guimenu">File</span>-&gt;<span class="guimenuitem">Unload Hive...</span>-&gt;<span class="guimenuitem">Yes</span>.
		</p></li><li><p><a class="indexterm" name="id2562811"></a>
		Click <span class="guimenu">File</span>-&gt;<span class="guimenuitem">Exit</span>. This exits the
		Registry Editor.
		</p></li><li><p>
		Now follow the procedure given in <a href="happy.html#ch6-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you
		have redirected is in the exclusion list.
		</p></li><li><p>
		You are now ready to copy<sup>[<a name="id2562858" href="#ftn.id2562858">11</a>]</sup> 
		the Default User profile to the Samba Domain Controllers. Launch Microsoft
		Windows Explorer, and use it to copy the full contents of the
	      directory <tt class="filename">Default User</tt>
		that is in the <tt class="filename">C:\Documents and Settings</tt> to the root directory of the
		<tt class="constant">NETLOGON</tt> share. If the <tt class="constant">NETLOGON</tt> share has the defined
		UNIX path of <tt class="filename">/var/lib/samba/netlogon</tt>, when the copy is complete there must be
		a directory in there called <tt class="filename">Default User</tt>.
		</p></li></ol></div><div class="procedure"><a name="id2562918"></a><p class="title"><b>Procedure�6.15.�Reset Folder Display to Original Behavior</b></p><ul><li><p>
		To launch the Windows Explorer, click
			<span class="guimenu">Start</span>-&gt;<span class="guimenuitem">My Computer</span>-&gt;<span class="guimenuitem">Tools</span>-&gt;<span class="guimenuitem">Folder Options</span>-&gt;<span class="guimenuitem">View Tab</span>.
		Deselect <span class="guilabel">Show hidden files and folders</span>,
	      and click <span class="guibutton">OK</span>.
		Exit Windows Explorer.
		</p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure�6.3.�Windows XP Professional  User Shared Folders</b></p><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div><div class="table"><a name="proffold"></a><p class="title"><b>Table�6.4.�Default Profile Redirections</b></p><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563152"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p><a class="indexterm" name="id2563159"></a>
	Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
	It is the nature of email storage that this file grows, at times quite rapidly.
	So that users' email is available to them at every workstation they may log onto,
	it is common practice in well-controlled sites to redirect the PST folder to the
	users' home directory. Follow these steps for each user who wishes to do this.
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
	It is presumed that Outlook Express has been configured for use.
	</p></div><p>
	Launch Outlook Express 6. Click
	<span class="guimenu">Tools</span>-&gt;<span class="guimenuitem">Options</span>-&gt;<span class="guimenuitem">Maintenance</span>-&gt;<span class="guimenuitem">Store Folder</span>-&gt;<span class="guimenuitem">Change</span>.
	</p><p>
	Follow the on-screen prompts to relocate the PST file to the desired location.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563229"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
	To configure the Windows XP Professional client to auto-delete roaming profiles on logout:
	</p><p><a class="indexterm" name="id2563241"></a>
	  Click 
	<span class="guimenu">Start</span>-&gt;<span class="guimenuitem">Run</span>. In the dialog box, enter: <span><b class="command">MMC</b></span>
	  and click <span class="guibutton">OK</span>.
	</p><p>
	Follow these steps to set the default behavior of the staging machine so that all roaming
	profiles are deleted as network users log out of the system. Click
	<span class="guimenu">File</span>-&gt;<span class="guimenuitem">Add/Remove Snap-in</span>-&gt;<span class="guimenuitem">Add</span>-&gt;<span class="guimenuitem">Group Policy</span>-&gt;<span class="guimenuitem">Add</span>-&gt;<span class="guimenuitem">Finish</span>-&gt;<span class="guimenuitem">Close</span>-&gt;<span class="guimenuitem">OK</span>. 
	</p><p><a class="indexterm" name="id2563338"></a>
	The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
	utility that enables you to set the policies needed. In the left panel, click
	<span class="guimenuitem">Local Computer Policy</span>-&gt;<span class="guimenuitem">Administrative Templates</span>-&gt;<span class="guimenuitem">System</span>-&gt;<span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
	item as shown:
	</p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
	Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
	made of this system to deploy the new standard desktop system.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563412"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p><a class="indexterm" name="id2563419"></a>
	Users want to be able to use network printers. You have a vested interest in making
	it easy for them to print. You have chosen to install the printer drivers onto the Samba
	servers and to enable point-and-click (drag-and-drop) printing. This process results in
	Samba being able to automatically provide the Windows client with the driver necessary to
	print to the printer chosen. The following procedure must be followed for every network
	printer:
	</p><div class="procedure"><ol type="1"><li><p>
		Join your Windows XP Professional workstation (the staging machine) to the 
		<tt class="constant">MEGANET2</tt> Domain. If you are not sure of the procedure, 
		follow the guidance given in <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
		</p></li><li><p>
		After the machine has re-booted, log onto the workstation as the domain
		<tt class="constant">root</tt> (this is the Administrator account for the 
		operating system that is the host platform for this implementation of Samba.
		</p></li><li><p>
		Launch MS Windows Explorer. Navigate in the left panel. Click
		<span class="guimenu">My Network Places</span>-&gt;<span class="guimenuitem">Entire Network</span>-&gt;<span class="guimenuitem">Microsoft Windows Network</span>-&gt;<span class="guimenuitem">Meganet2</span>-&gt;<span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
			<span class="guimenu">Printers and Faxes</span>.
		</p></li><li><p>
		Identify a printer that is shown in the right panel. Let us assume the printer is called 
		<tt class="constant">ps01-color</tt>. Right-click on the <span class="guimenu">ps01-color</span> icon
		and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
		that &#8220;<span class="quote"><span class="emphasis"><em>The printer driver is not installed on this computer. Some printer properties
		will not be accessible unless you install the printer driver. Do you want to install the
		driver now?</em></span></span>&#8221; It is important at this point you answer <span class="guimenu">No</span>.
		</p></li><li><p>
		The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server 
		<tt class="constant">MASSIVE</tt> is displayed. Click the <span class="guimenu">Advanced</span> tab.
		Note that the box labelled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
		button that is next to the <span class="guimenu">Driver</span> box. This launches the quote&#8220;<span class="quote"><span class="emphasis"><em>Add Printer Wizard</em></span></span>&#8221;.
		</p></li><li><p><a class="indexterm" name="id2563629"></a><a class="indexterm" name="id2563640"></a>
		The &#8220;<span class="quote"><span class="emphasis"><em>Add Printer Driver Wizard on <tt class="constant">MASSIVE</tt></em></span></span>&#8221; panel 
		is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the 
		Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by 
		Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click 
		<span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A 
		progress bar appears and instructs you as each file is being uploaded and that it is being 
		directed at the network server <tt class="constant">\\massive\ps01-color</tt>.
		</p></li><li><p>
		<a class="indexterm" name="id2563692"></a>
		<a class="indexterm" name="id2563701"></a>
		<a class="indexterm" name="id2563710"></a>
		<a class="indexterm" name="id2563720"></a>
		<a class="indexterm" name="id2563729"></a>
		<a class="indexterm" name="id2563738"></a>
		The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
		you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel. 
		You can set the Location (under the <span class="guimenu">General</span> tab), and Security settings (under 
		the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
		load additional printer drivers, there is also a check-box in this tab called &#8220;<span class="quote"><span class="emphasis"><em>List in the
		directory</em></span></span>&#8221;. When this box is checked the printer will be published in Active Directory
		(Applicable to Active Directory use only.)
		</p></li><li><p>
		<a class="indexterm" name="id2563794"></a>
		Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server. 
		You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
		Right-click on the printer, click <span class="guimenu">Properties</span>-&gt;<span class="guimenuitem">Device Settings</span>.  Now change the settings to suit 
		your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if 
		you need to reverse them changes back to their original settings. 
		</p></li><li><p>
		This is necessary so that the printer settings are initialized in the Samba printers
		database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
		just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
		Click <span class="guimenu">Apply</span> again.
		</p></li><li><p>
		<a class="indexterm" name="id2563867"></a>
		Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
		click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
		A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
		in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on 
		massive Properties</span> panel.
		</p></li><li><p>
		You must repeat this process for all network printers (i.e., for every printer, on each server).
		When you have finished uploading drivers to all printers, close all applications. The next task
		is to install software your users require to do their work.
		</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563923"></a>Software Installation</h3></div></div></div><p>
	Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
	a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
	Notebooks require special handling that is beyond the scope of this chapter.
	</p><p>
	For desktop systems, the installation of software onto administratively centralized application servers
	make a lot of sense. This means that you can manage software maintenance from a central
	perspective and that only minimal application stub-ware needs to be installed onto the desktop
	systems. You should proceed with software installation and default configuration as far as is humanly
	possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
	of software operations and configuration.
	</p><p>
	When you believe that the overall configuration is complete, be sure to create a shared group profile
	and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in
	case a user may have specific needs you had not anticipated.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563958"></a>Roll-out Image Creation</h3></div></div></div><p>
	The final steps before preparing the distribution Norton Ghost image file you might follow are:
	</p><div class="blockquote"><blockquote class="blockquote"><p>
	Un-join the domain  Each workstation requires a unique name and must be independently
	joined into Domain Membership.
	</p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p>
	Defragment the hard disk  While not obvious to the uninitiated, defragmentation results
	in better performance and often significantly reduces the size of the compressed disk image. That
	also means it will take less time to deploy the image onto 500 workstations.
	</p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2563992"></a>Key Points Learned</h2></div></div></div><p>
	This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately
	avoided any consideration of security. Security does not just happen; you must design it into your total
	network. Security begins with a systems design and implementation that anticipates hostile behavior from
	users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
	they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
	practices, you must not deploy the design presented in this book in an environment where there is risk
	of compromise.
	</p><p><a class="indexterm" name="id2564013"></a><a class="indexterm" name="id2564024"></a>
	As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be
	configured to use secure protocols for all communications over the network. Of course, secure networking
	does not result just from systems design and implementation but involves constant user education
	training, and above all disciplined attention to detail and constant searching for signs of unfriendly
	or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
	Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top"><span class="emphasis"><em>LDAP System 
	Administration</em></span></a> is a good place to start reading about OpenLDAP as well as security considerations.
	</p><p>
	The substance of this chapter that has been deserving of particular attention includes:
	</p><div class="itemizedlist"><ul type="disc"><li><p>
		Implementation of an OpenLDAP-based passwd backend  necessary to support distributed
		Domain Control.
		</p></li><li><p>
		Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend
		for user and group accounts that is shared with the UNIX system through the PADL nns_ldap and
		pam_ldap toolsets.
		</p></li><li><p>
		Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as
		to manage Samba Windows user and group accounts.
		</p></li><li><p>
		The basics of implementation of Group Policy controls for Windows network clients.
		</p></li><li><p>
		Control over roaming profiles, with particular focus on folder redirection to network drives.
		</p></li><li><p>
		Use of the CUPS printing system together with Samba-based printer driver auto-download.
		</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2564104"></a>Questions and Answers</h2></div></div></div><p>
	Well, here we are at the end of this chapter and we have only ten questions to help you to
	remember so much. There are bound to be some sticky issues here.
	</p><div class="qandaset"><dl><dt> <a href="happy.html#id2564120">
		Why did you not cover secure practices? Isn't it rather irresponsible to instruct
		network administrators to implement insecure solutions?
		</a></dt><dt> <a href="happy.html#id2564164">
		You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
		you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
		to the Linux I might be using?
		</a></dt><dt> <a href="happy.html#id2564217">
		You did not use SWAT to configure Samba. Is there something wrong with it?
		</a></dt><dt> <a href="happy.html#id2564256">
		You have exposed a well-used password not24get. Is that
		not irresponsible? 
		</a></dt><dt> <a href="happy.html#id2564281">
		The Idealx smbldap-tools create many domain group accounts that are not used. Is that
		a good thing?
		</a></dt><dt> <a href="happy.html#id2564304">
		Can I use LDAP just for Samba accounts and not for UNIX system accounts?
		</a></dt><dt> <a href="happy.html#id2564329">
		Why are the Windows Domain RID portions not the same as the UNIX UID?
		</a></dt><dt> <a href="happy.html#id2564366">
		Printer configuration examples all show printing to the HP port 9100. Does this
		mean that I must have HP printers for these solutions to work?
		</a></dt><dt> <a href="happy.html#id2564395">
		Is folder redirection dangerous? I've heard that you can lose your data that way.
		</a></dt><dt> <a href="happy.html#id2564422">
		Is it really necessary to set a local Group Policy to exclude the redirected
		folders from the roaming profile?
		</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2564120"></a><a name="id2564122"></a><b></b></td><td align="left" valign="top"><p>
		Why did you not cover secure practices? Isn't it rather irresponsible to instruct
		network administrators to implement insecure solutions?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Let's get this right. This is a book about Samba, not about OpenLDAP and secure
		communication protocols for subjects other than Samba. Earlier on, you note
		that the Dynamic DNS and DHCP solutions also used no protective secure communications
		protocols. The reason for this is simple: There are so many ways of implementing
		secure protocols that this book would have been even larger and more complex.
		</p><p>
		The solutions presented here all work (at least they did for me). Network administrators
		have the interest and the need to be better trained and instructed in secure networking
		practices and ought to implement safe systems. I made the decision, right or wrong,
		to keep this material as simple as possible. The intent of this book is to demonstrate
		a working solution and not to discuss too many peripheral issues.
		</p><p>
		This book makes little mention of backup techniques. Does that mean that I am recommending
		that you should implement a network without provision for data recovery and for disaster
		management? Back to our focus: The deployment of Samba has been clearly demonstrated.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564164"></a><a name="id2564166"></a><b></b></td><td align="left" valign="top"><p>
		You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
		you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
		to the Linux I might be using?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
		for a standard Linux distribution. The differences are marginal. Surely you know
		your Linux platform and you do have access to administration manuals for it. This
		book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
		the Samba part of the book; all the other bits are peripheral (but important) to
		creation of a total network solution. 
		</p><p>
		What I find interesting is the attention reviewers give to Linux installation and to
		the look and feel of the desktop, but does that make for a great server? In this book,
		I have paid particular attention to the details of creating a whole solution framework.
		I have not tightened every nut and bolt, but I have touched on all the issues you
		need to be familiar with. Over the years many people have approached me wanting to
		know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba
		and WINS. In this chapter, it is plain to see what needs to be configured to provide
		transparent interoperability. Likewise for CUPS and Samba interoperation. These are
		key stumbling areas for many people.
		</p><p>
		At every critical junction, I have provided comparative guidance for both SUSE and
		Red Hat Linux. Both manufacturers have done a great job in furthering the cause
		of open source software. I favor neither and respect both. I like particular
		features of both products (companies also). No bias in presentation is intended.
		Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564217"></a><a name="id2564219"></a><b></b></td><td align="left" valign="top"><p>
		You did not use SWAT to configure Samba. Is there something wrong with it?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		That is a good question. As it is, the <tt class="filename">smb.conf</tt> file configurations are presented
		in as direct a format as possible. Adding SWAT into the equation would have complicated
		matters. I sought simplicity of implementation. The fact is that I did use SWAT to
		create the files in the first place.
		</p><p>
		There are people in the Linux and open source community who feel that SWAT is dangerous
		and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
		hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG</em></span>.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564256"></a><a name="id2564259"></a><b></b></td><td align="left" valign="top"><p>
		You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that
		not irresponsible? 
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Well, I had to use a password of some sort. At least this one has been consistently
		used throughout. I guess you can figure out that in a real deployment it would make 
		sense to use a more secure and original password.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564281"></a><a name="id2564284"></a><b></b></td><td align="left" valign="top"><p>
		The Idealx smbldap-tools create many domain group accounts that are not used. Is that
		a good thing?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		I took this up with Idealx and found them most willing to change that in the next version.
		Let's give Idealx some credit for the contribution they have made. I appreciate their work
		and, besides, it does no harm to create accounts that are not now used as at some time 
		Samba may well use them.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564304"></a><a name="id2564307"></a><b></b></td><td align="left" valign="top"><p>
		Can I use LDAP just for Samba accounts and not for UNIX system accounts?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX)
		group account for every Windows Domain group account. But if you put your users into
		the system password account, how do you plan to keep all domain controller system
		password files in sync? I think that having everything in LDAP makes a lot of sense
		for the UNIX admin who is still learning the craft and is migrating from MS Windows.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564329"></a><a name="id2564332"></a><b></b></td><td align="left" valign="top"><p>
		Why are the Windows Domain RID portions not the same as the UNIX UID?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
		This algorithm ought to ensure that there will be no clashes with well-known RIDs.
		Well-known RIDs have special significance to MS Windows clients. The automatic
		assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
		permit you to override that to some extent. See the <tt class="filename">smb.conf</tt> man page entry
		for <i class="parameter"><tt>algorithmic rid base</tt></i>.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564366"></a><a name="id2564368"></a><b></b></td><td align="left" valign="top"><p>
		Printer configuration examples all show printing to the HP port 9100. Does this
		mean that I must have HP printers for these solutions to work?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		No. You can use any type of printer and must use the interfacing protocol supported
		by the printer. Many networks use LPR/LPD print servers to which are attached
		PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached
		Inkjet printer. Use the appropriate device URI (Universal Resource Interface)
		argument to the <tt class="constant">lpadmin -v</tt> option that is right for your
		printer.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564395"></a><a name="id2564397"></a><b></b></td><td align="left" valign="top"><p>
		Is folder redirection dangerous? I've heard that you can lose your data that way.
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		The only loss of data I know of that involved folder redirection was caused by
		manual misuse of the redirection tool. The administrator redirected a folder to
		a network drive and said he wanted to migrate (move) the data over. Then he 
		changed his mind, so he moved the folder back to the roaming profile. This time,
		he declined to move the data because he thought it was still in the local profile
		folder. That was not the case, so by declining to move the data back, he wiped out
		the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564422"></a><a name="id2564424"></a><b></b></td><td align="left" valign="top"><p>
		Is it really necessary to set a local Group Policy to exclude the redirected
		folders from the roaming profile?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Yes. If you do not do this, the data will still be copied from the network folder
		(share) to the local cached copy of the profile.
		</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2562858" href="#id2562858">11</a>] </sup>
			There is an alternate method by which a Default User profile can be added to the
			<tt class="constant">NETLOGON</tt> share. This facility in the Windows System tool 
			permits profiles to be exported. The export target may be a particular user or 
			group profile share point, or else into the <tt class="constant">NETLOGON</tt> share. 
			In this case, the profile directory must be named
		  <tt class="constant">Default User</tt>.
			</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�5.�The 500-User Office�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�7.�A Distributed 2000 User Network</td></tr></table></div></body></html>