1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�6.�Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="Big500users.html" title="Chapter�5.�The 500-User Office"><link rel="next" href="2000users.html" title="Chapter�7.�A Distributed 2000 User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�6.�Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter�6.�Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2551868">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2552014">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2552114">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2552267">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2552764">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2554409">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2554424">Installation Check-List</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2554594">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#id2556862">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2557579">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#ch6-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#ch6-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2561786">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2561807">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2561902">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2562154">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2562266">Assigning Domain Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2562396">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563152">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563229">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563412">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563923">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2563958">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2563992">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2564104">Questions and Answers</a></span></dt></dl></div><p> 2 It has been said, “<span class="quote"><span class="emphasis"><em>A day that is without troubles is not fulfilling. Rather, give 3 me a day of troubles well handled so that I can be content with my achievements.</em></span></span>” 4 </p><p> 5 In the world of computer networks, problems are as varied as the people who create them 6 or experience them. The design of the network implemented in the last chapter may 7 create problems for some network users. The following lists some of the problems that 8 may occur: 9 </p><a class="indexterm" name="id2551436"></a><a class="indexterm" name="id2551443"></a><a class="indexterm" name="id2551452"></a><a class="indexterm" name="id2551458"></a><a class="indexterm" name="id2551465"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p> 10Notice: A significant number of network administrators have responded to the guidance given 11below. It should be noted that there are sites that have a single PDC for many hundreds of 12concurrent network clients. Network bandwidth, network bandwidth utilization, and server load 13are among the factors that will determine the maximum number of Windows clients that 14can be served by a single domain controller (PDC or BDC) on a network segment. It is possible 15to operate with only a single PDC over a routed network. What is possible is not necessarily 16<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with 17the message that the domain controller can not be found, or that the user account can not 18be found (when you know it exists), that may be an indication that the DC is overloaded or 19network bandwidth is overloaded. The guidance given in respect of PDC/BDC ratio to Windows 20clients is conservative and if followed will minimize problems - but it is not absolute. 21</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p> 22 <a class="indexterm" name="id2551508"></a> 23 When a Windows client logs onto the network, many data packets are exchanged 24 between the client and the server that is providing the network logon services. 25 Each request between the client and the server must complete within a specific 26 time limit. This is one of the primary factors that govern the installation of 27 <a class="indexterm" name="id2551526"></a> 28 multiple domain controllers (usually called secondary or backup controllers). 29 As a rough rule, there should be one such backup controller for every 30 30 to 150 clients. The actual limits are determined by network operational 31 characteristics. 32 </p><p> 33 If the domain controller provides only network logon services 34 and all file and print activity is handled by Domain Member servers, one Domain 35 Controller per 150 clients on a single network segment may suffice. In any 36 case, it is highly recommended to have a minimum of one Domain Controller (PDC or BDC) 37 per network segment. It is better to have at least one BDC on the network 38 segment that has a PDC. If the Domain Controller is also used as a file and 39 print server, the number of clients it can service reliably is reduced 40 and a common rule is not to exceed 30 machines (Windows workstations plus 41 Domain Member servers) per Domain Controller. 42 </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p> 43 <a class="indexterm" name="id2551576"></a> 44 Slow logons and log-offs may be caused by many factors that include: 45 46 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2551590"></a><a class="indexterm" name="id2551606"></a> 47 Excessive delays in the resolution of a NetBIOS name to its IP 48 address. This may be observed when an overloaded domain controller 49 is also the WINS server. Another cause may be the failure to use 50 a WINS server (this assumes that there is a single network segment). 51 </p></li><li><p><a class="indexterm" name="id2551626"></a><a class="indexterm" name="id2551634"></a><a class="indexterm" name="id2551642"></a> 52 Network traffic collisions due to overloading of the network 53 segment one short-term workaround to this may be to replace 54 network HUBs with Ether-switches. 55 </p></li><li><p><a class="indexterm" name="id2551660"></a> 56 Defective networking hardware. Over the past few years, we have seen 57 on the Samba mailing list a significant increase in the number of 58 problems that were traced to a defective network interface controller, 59 a defective HUB or Etherswitch, or defective cabling. In most cases, 60 it was the erratic nature of the problem that ultimately pointed to 61 the cause of the problem. 62 </p></li><li><p><a class="indexterm" name="id2551682"></a><a class="indexterm" name="id2551693"></a> 63 Excessively large roaming profiles. This type of problem is typically 64 the result of poor user eduction, as well as poor network management. 65 It can be avoided by users not storing huge quantities of email in 66 MS Outlook PST files, as well as by not storing files on the desktop. 67 These are old bad habits that require much discipline and vigilance 68 on the part of network management. 69 </p></li></ul></div><p> 70 71 <font color="red"><listitem><p><a class="indexterm" name="id2551717"></a> 72 You should verify that the Windows XP WebClient service is not running. 73 The use of the WebClient service has been implicated in many Windows 74 networking related problems. 75 </p></listitem></font> 76 77 </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p> 78 Loss of access to network resources during client operation may be caused by a number 79 of factors including: 80 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2551748"></a> 81 Network overload (typically indicated by a high network collision rate) 82 </p></li><li><p> 83 Server overload 84 </p></li><li><p><a class="indexterm" name="id2551770"></a> 85 Timeout causing the client to close a connection that is in use, but has 86 been latent (no traffic) for some time (5 minutes or more) 87 </p></li><li><p><a class="indexterm" name="id2551788"></a> 88 Defective networking hardware 89 </p></li></ul></div><p><a class="indexterm" name="id2551805"></a> 90 No matter what the cause, a sudden operational loss of access to network resources can 91 result in BSOD (blue screen of death) situations that necessitate rebooting of the client 92 workstation. In the case of a mild problem, retrying to access the network drive of printer 93 may restore operations, but in any case this is a serious problem as it may lead to the next 94 problem, data corruption. 95 </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p><a class="indexterm" name="id2551833"></a> 96 Data corruption is one of the most serious problems. It leads to uncertainty, anger, and 97 frustration, and generally precipitates immediate corrective demands. Management response 98 to this type of problem may be rational, as well as highly irrational. There have been 99 cases where management has fired network staff for permitting this situation to occur without 100 immediate correction. There have been situations where perfectly functional hardware was thrown 101 out and replaced, only to find the problem caused by a low-cost network hardware item. There 102 have been cases where server operating systems were replaced, or where Samba was updated, 103 only to later isolate the problem due to defective client software. 104 </p></dd></dl></div><p> 105 In this chapter, you can work through a number of measures that significantly arm you to 106 anticipate and to combat network performance issues. You can work through complex and thorny 107 methods to improve the reliability of your network environment, but be warned that all such steps 108 demand the price of complexity. 109 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551868"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p> 110 <a class="indexterm" name="id2551877"></a> 111 Computer (machine) accounts can be placed where ever you like in an LDAP directory subject to some 112 constraints that are described in this section. 113 </p><p> 114 <a class="indexterm" name="id2551892"></a> 115 <a class="indexterm" name="id2551899"></a> 116 <a class="indexterm" name="id2551906"></a> 117 <a class="indexterm" name="id2551913"></a> 118 The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba. 119 i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats 120 them. A user account and a machine account are indistinquishable from each other, except that 121 the machine account ends in a '$' character, as do trust accounts. 122 </p><p> 123 <a class="indexterm" name="id2551929"></a> 124 <a class="indexterm" name="id2551936"></a> 125 The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX UID 126 is a design decision that was made a long way back in the history of Samba development. It is 127 unlikely that this decision will be reversed of changed during the remaining life of the 128 Samba-3.x series. 129 </p><p> 130 <a class="indexterm" name="id2551951"></a> 131 <a class="indexterm" name="id2551957"></a> 132 The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that 133 must refer back to the host operating system on which Samba is running. The Name Service 134 Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the 135 need to know everything about every host OS it runs on. 136 </p><p> 137 Samba asks the host OS to provide a UID via the “<span class="quote"><span class="emphasis"><em>passwd</em></span></span>”, “<span class="quote"><span class="emphasis"><em>shadow</em></span></span>” 138 and “<span class="quote"><span class="emphasis"><em>group</em></span></span>” facilities in the NSS control (configuration) file. The best tool 139 for achieving this is left up to the UNIX administrator to determine. It is not imposed by 140 Samba. Samba provides winbindd together with its support libraries as one method. It is 141 possible to do this via LDAP - and for that Samba provides the appropriate hooks so that 142 all account entities can be located in an LDAP directory. 143 </p><p> 144 <a class="indexterm" name="id2551998"></a> 145 For many the weapon of choice is to use the PADL nss_ldap utility. This utility must 146 be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That 147 is fundamentally an LDAP design question. The information provided on the Samba list and 148 in the documentation is directed at providing working examples only. The design 149 of an LDAP directory is a complex subject that is beyond the scope of this documentation. 150 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2552014"></a>Introduction</h2></div></div></div><p> 151 Mr. Bob Jordan just opened an email from Christine that reads: 152 </p><p> 153 Bob, 154 </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top">�</td><td width="80%" valign="top"><p> 155 A few months ago we sat down to design the network. We discussed the challenges ahead and we all 156 agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated 157 that we would have some time to resolve any issues that might be encountered. 158 </p><p> 159 As you now know we started off on the wrong foot. We have a lot of unhappy users. One of them 160 resigned yesterday afternoon because she was under duress to complete some critical projects. She 161 suffered a blue screen of death situation just as she was finishing four hours of intensive work, all 162 of which was lost. She has a unique requirement that involves storing large files on her desktop. 163 Mary's desktop profile is nearly 1 Gigabyte in size. As a result of her desktop configuration, it 164 takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all 165 network logon traffic passes over the network links between our buildings, logging on may take 166 three or four attempts due to blue screen problems associated with network timeouts. 167 </p><p> 168 A few of us worked to help her out of trouble. We convinced her to stay and promised to fully 169 resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard 170 limits on what our users can do with their desktops. If we do not do this, we face staff losses 171 that can surely do harm to our growth, as well as to staff morale. I am sure we can better deal 172 with the consequences of what we know we must do than we can with the unrest we have now. 173 </p><p> 174 Stan and I have discussed the current situation. We are resolved to help our users and protect 175 the well being of Abmas. Please acknowledge this advice with consent to proceed as required to 176 regain control of our vital IT operations. 177 </p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p> 178 </p><p><a class="indexterm" name="id2552075"></a><a class="indexterm" name="id2552083"></a> 179 Every compromise has consequences. Having a large routed (i.e., multi-segment) network with only a 180 single domain controller is a poor design that has obvious operational effects that may 181 frustrate users. Here is Bob's reply: 182 </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top">�</td><td width="80%" valign="top"><p> 183 Christine, Your diligence and attention to detail are much valued. Stan and I fully support your 184 proposals to resolve the issues. I am confident that your plans fully realized will significantly 185 boost staff morale. Please go ahead with your plans. If you have any problems, please let me know. 186 Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait 187 for approval; I appreciate the urgency. 188 </p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><p> 189 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552114"></a>Assignment Tasks</h3></div></div></div><p> 190 The priority of assigned tasks in this chapter is: 191 </p><div class="orderedlist"><ol type="1"><li><p><a class="indexterm" name="id2552133"></a><a class="indexterm" name="id2552144"></a><a class="indexterm" name="id2552152"></a><a class="indexterm" name="id2552160"></a><a class="indexterm" name="id2552168"></a> 192 Implement Backup Domain Controllers (BDCs) in each building. This involves 193 a change from use of a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous 194 chapter, to use an LDAP-based backend. 195 </p><p> 196 You can implement a single central LDAP server for this purpose. 197 </p></li><li><p><a class="indexterm" name="id2552191"></a><a class="indexterm" name="id2552199"></a><a class="indexterm" name="id2552207"></a><a class="indexterm" name="id2552215"></a> 198 Rectify the problem of excessive logon times. This involves redirection of 199 folders to network shares as well as modification of all user desktops to 200 exclude the redirected folders from being loaded at login time. You can also 201 create a new default profile that can be used for all new users. 202 </p></li></ol></div><p><a class="indexterm" name="id2552236"></a> 203 You configure a new MS Windows XP Professional Workstation disk image that you 204 roll out to all desktop users. The instructions you have created are followed on a 205 staging machine from which all changes can be carefully tested before inflicting them on 206 your network users. 207 </p><p><a class="indexterm" name="id2552252"></a> 208 This is the last network example in which specific mention of printing is made. The example 209 again makes use of the CUPS printing system. 210 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2552267"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2552274"></a><a class="indexterm" name="id2552281"></a><a class="indexterm" name="id2552289"></a> 211 The implementation of Samba BDCs necessitates the installation and configuration of LDAP. 212 For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial 213 LDAP servers in current use with Samba-3 include: 214 </p><div class="itemizedlist"><a class="indexterm" name="id2552304"></a><ul type="disc"><li><p>Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory.</a> 215 eDirectory is being successfully used by some sites. Information on how to use eDirectory can be 216 obtained from the Samba mailing lists or from Novell.</p></li><li><p><a class="indexterm" name="id2552329"></a>IBM 217 <a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli Directory Server,</a> 218 can be used to provide the Samba LDAP backend. Example schema files are provided in the Samba 219 source code tarball under the directory <tt class="filename">~samba/example/LDAP.</tt></p></li><li><p><a class="indexterm" name="id2552356"></a>Sun 220 <a href="http://www.sun.com/software/sunone/identity/index.html" target="_top">ONE Identity Server.</a> 221 This product suite provides an LDAP server that can be used for Samba. Example schema files are 222 provided in the Samba source code tarball under the directory 223 <tt class="filename">~samba/example/LDAP. 224 </tt></p></li></ul></div><p> 225 A word of caution is fully in order. OpenLDAP is purely an LDAP server and unlike commercial 226 offerings, it requires that you manually edit the server configuration files and manually 227 initialize the LDAP directory database. OpenLDAP itself has only command line tools to 228 help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges. 229 </p><p><a class="indexterm" name="id2552399"></a> 230 For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite 231 adequate. If you are migrating from Microsoft Active Directory, be 232 warned that OpenLDAP does not include 233 GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database 234 requires an understanding of what you are doing, why you are doing it, and the tools that you must use. 235 </p><p><a class="indexterm" name="id2552418"></a><a class="indexterm" name="id2552426"></a><a class="indexterm" name="id2552434"></a><a class="indexterm" name="id2552445"></a><a class="indexterm" name="id2552456"></a><a class="indexterm" name="id2552464"></a><a class="indexterm" name="id2552476"></a> 236 When installed and configured, an OpenLDAP Identity Management backend for Samba functions well. 237 High availability operation may be obtained through directory replication/synchronization and 238 master/slave server configurations. OpenLDAP is a mature platform to host the organizational 239 directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more. 240 The price paid through learning how to design an LDAP directory schema in implementation and configuration 241 of management tools is well rewarded by performance and flexibility, and the freedom to manage directory 242 contents with greater ability to back up, restore, and modify the directory than is generally possible 243 with Microsoft Active Directory. 244 </p><p><a class="indexterm" name="id2552503"></a><a class="indexterm" name="id2552515"></a><a class="indexterm" name="id2552523"></a><a class="indexterm" name="id2552531"></a> 245 A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory 246 tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely pre-configured 247 for a specific task orientation. It comes with a set of administrative tools that is entirely customized 248 for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange 249 server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator 250 who wants to built a custom directory solution. Microsoft Active Directory is a generic LDAP server that has 251 been pre-configured for a specific task. Microsoft provides an application called 252 <a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top"> 253 MS ADAM</a> that provides more-generic LDAP services, yet it does not have the vanilla-like services 254 of OpenLDAP. 255 </p><p><a class="indexterm" name="id2552563"></a><a class="indexterm" name="id2552574"></a> 256 You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly 257 if you find the challenge of learning about LDAP directories, schemas, configuration, and management 258 tools, and the creation of shell and Perl scripts a bit 259 challenging. OpenLDAP can be easily customized, though it includes 260 many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file 261 that is required for use as a passdb backend. 262 </p><p> 263 <a class="indexterm" name="id2552594"></a> 264 For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability, 265 there are a few nice Web-based tools that may help you to manage your users and groups more effectively. 266 The Web-based tools you might like to consider include: The 267 <a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM), as well as the 268 <a href="http://www.webmin.com" target="_top">Webmin</a>-based Idealx 269 <a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools.</a> 270 </p><p> 271 Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of 272 these so it may be useful to include passing reference to them. 273 The first is <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-ased LDAP browser; 274 LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor,</a> 275 <a href="http://www.jxplorer.org/" target="_top">JXplorer</a> (by Computer Associates), 276 and the last is called <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin.</a> 277 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 278 The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal 279 security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided 280 is considered to consist of the barest essentials only. You are strongly encouraged to learn more about 281 LDAP before attempting to deploy it in a business-critical environment. 282 </p></div><p> 283 Information to help you get started with OpenLDAP is available from the 284 <a href="http://www.openldap.org/pub/" target="_top">OpenLDAP Web Site.</a> Many people have found the book 285 <a href="http://www.booksense.com/product/info.jsp?isbn=1565924916" target="_top">LDAP System Administration,</a> 286 written by Jerry Carter, quite useful. 287 </p><p><a class="indexterm" name="id2552691"></a><a class="indexterm" name="id2552698"></a><a class="indexterm" name="id2552710"></a><a class="indexterm" name="id2552717"></a> 288 Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the 289 main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must 290 be loaded over the wide-area network connection. This addition of BDCs on each network segment significantly 291 improves overall network performance for most users, but this is not enough. You must gain control over 292 user desktops, and this must be done in a way that wins their support and does not cause further loss of 293 staff morale. The following procedures solve this problem. 294 </p><p><a class="indexterm" name="id2552742"></a> 295 There is also an opportunity to implement smart printing features. You add this to the Samba configuration 296 so that future printer changes can be managed without need to change desktop configurations. 297 </p><p> 298 You add the ability to automatically download new printer drivers, even if they are not installed 299 in the default desktop profile. Only one example of printing configuration is given. It is assumed that 300 you can extrapolate the principles and use this to install all printers that may be needed. 301 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552764"></a>Technical Issues</h3></div></div></div><p><a class="indexterm" name="id2552771"></a><a class="indexterm" name="id2552782"></a><a class="indexterm" name="id2552794"></a> 302 The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory 303 server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system 304 accounts are stored Posix schema extensions. Samba provides its own schema to permit storage of account 305 attributes Samba needs. Samba-3 can use the LDAP backend to store: 306 </p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p><a class="indexterm" name="id2552835"></a><a class="indexterm" name="id2552843"></a><a class="indexterm" name="id2552851"></a><a class="indexterm" name="id2552859"></a><a class="indexterm" name="id2552867"></a><a class="indexterm" name="id2552875"></a><a class="indexterm" name="id2552886"></a><a class="indexterm" name="id2552894"></a><a class="indexterm" name="id2552902"></a> 307 The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking 308 accounts in the LDAP backend. This implies the need to use the 309 <a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools.</a> The resolution 310 of the UNIX group name to its GID must be enabled from either the 311 <tt class="filename">/etc/group</tt> 312 or from the LDAP backend. This requires the use of the PADL <tt class="filename">nss_ldap</tt> toolset 313 that integrates with the name service switcher (NSS). The same requirements exist for resolution 314 of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#ch6-LDAPdiag" title="Figure�6.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>. 315 </p><div class="figure"><a name="ch6-LDAPdiag"></a><p class="title"><b>Figure�6.1.�The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div><p><a class="indexterm" name="id2552991"></a><a class="indexterm" name="id2552999"></a> 316 You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really 317 ought to learn how to configure secure communications over LDAP so that sites security is not 318 at risk. This is not covered in the following guidance. 319 </p><p><a class="indexterm" name="id2553018"></a><a class="indexterm" name="id2553025"></a><a class="indexterm" name="id2553037"></a><a class="indexterm" name="id2553045"></a> 320 When OpenLDAP has been made operative, you configure the Primary Domain Controller (PDC) 321 called <tt class="constant">MASSIVE</tt>. You initialize the Samba 322 <tt class="filename">secrets.tdb<sub></sub></tt> 323 file. Then you create the LDAP Interchange Format (LDIF) file from which the LDAP database 324 can be initialized. You need to decide how best to create user and group accounts. A few 325 hints are, of course, provided. You can also find on the enclosed 326 CD-ROM, in the <tt class="filename">Chap06</tt> 327 directory, a few tools that help to manage user and group configuration. 328 </p><p><a class="indexterm" name="id2553080"></a><a class="indexterm" name="id2553088"></a><a class="indexterm" name="id2553096"></a> 329 In order to effect folder redirection and to add robustness to the implementation, 330 create a network Default Profile. All network users workstations are configured to use 331 the new profile. Roaming profiles will automatically be deleted from the workstation 332 when the user logs off. 333 </p><p><a class="indexterm" name="id2553112"></a> 334 The profile is configured so that users cannot change the appearance 335 of their desktop. This is known as a mandatory profile. You make certain that users 336 are able to use their computers efficiently. 337 </p><p><a class="indexterm" name="id2553127"></a> 338 A network logon script is used to deliver flexible but consistent network drive 339 connections. 340 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553139"></a>Addition of Machines to the Domain</h4></div></div></div><p> 341 <a class="indexterm" name="id2553147"></a> 342 <a class="indexterm" name="id2553152"></a> 343 <a class="indexterm" name="id2553158"></a> 344 <a class="indexterm" name="id2553163"></a> 345 Samba versions prior to 3.0.11 necessitated the use of a domain administrator account 346 that maps to the UNIX UID=0. The UNIX operating system permits only the <tt class="constant">root</tt> 347 user to add user and group accounts. Samba 3.0.11 introduced a new facility known as 348 <tt class="constant">Privilieges</tt>. This new facility introduced four new privileges that 349 can be assigned to users and/or groups: 350 </p><div class="table"><a name="ch6-privs"></a><p class="title"><b>Table�6.1.�Current Privilege Capabilities</b></p><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div><p> 351 In this network example use will be made of one of the supported privileges purely to demonstrate 352 how any user can now be given the ability to add machines to the domain using a normal user account 353 that has been given the appropriate privileges. 354 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553301"></a>Roaming Profile Background</h4></div></div></div><p> 355 As XP roaming profiles grow, so does the amount of time it takes to log in and out. 356 </p><p><a class="indexterm" name="id2553313"></a><a class="indexterm" name="id2553321"></a><a class="indexterm" name="id2553329"></a><a class="indexterm" name="id2553337"></a> 357 An XP Roaming Profile consists of the <tt class="constant">HKEY_CURRENT_USER</tt> hive file 358 <tt class="filename">NTUSER.DAT</tt> and a number of folders (My Documents, Application Data, 359 Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the 360 network with the default configuration of MS Windows NT/200x/XPP, all this data is 361 copied to the local machine. By default it is copied to the local machine, under the 362 <tt class="filename">C:\Documents and Settings\%USERNAME%</tt> directory. While the user is logged in, 363 any changes made to any of these folders or to the <tt class="constant">HKEY_CURRENT_USER</tt> 364 branch of the registry are made to the local copy of the profile. At logout the profile 365 data is copied back to the server. This behavior can be changed through appropriate 366 registry changes and/or through changes to the Default User profile. In the latter case, 367 it updates the registry with the values that are set in the 368 profile <tt class="filename">NTUSER.DAT</tt> 369 file. 370 </p><p> 371 The first challenge is to reduce the amount of data that must be transferred to and 372 from the profile server as roaming profiles are processed. This includes removing 373 all the shortcuts in the Recent directory, making sure the cache used by the web browser 374 is not being dumped into the <tt class="filename">Application Data</tt> folder, removing the 375 Java plug-in's cache (the .jpi_cache directory in the profile), as well as training the 376 user to not place large files on the Desktop and to use his mapped home directory for 377 saving documents instead of the <tt class="filename">My Documents</tt> folder. 378 </p><p><a class="indexterm" name="id2553412"></a> 379 Using a folder other than <tt class="filename">My Documents</tt> is a nuisance for 380 some users since many applications use it by default. 381 </p><p><a class="indexterm" name="id2553431"></a><a class="indexterm" name="id2553439"></a><a class="indexterm" name="id2553447"></a> 382 The secret to rapid loading of roaming profiles is to prevent unnecessary data from 383 being copied back and forth, without losing any functionality. This is not difficult; 384 it can be done by making changes to the Local Group Policy on each client as well 385 as changing some paths in each user's <tt class="filename">NTUSER.DAT</tt> hive. 386 </p><p><a class="indexterm" name="id2553470"></a><a class="indexterm" name="id2553478"></a> 387 Every user profile has their own <tt class="filename">NTUSER.DAT</tt> file. This means 388 you need to edit every user's profile, unless a better method can be 389 followed. Fortunately, with the right preparations, this is not difficult. 390 It is possible to remove the <tt class="filename">NTUSER.DAT</tt> file from each 391 user's profile. Then just create a Network Default Profile. Of course, it is 392 necessary to copy all files from redirected folders to the network share to which 393 they are redirected. 394 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="ch6-locgrppol"></a>The Local Group Policy</h4></div></div></div><p><a class="indexterm" name="id2553519"></a><a class="indexterm" name="id2553527"></a><a class="indexterm" name="id2553535"></a><a class="indexterm" name="id2553543"></a> 395 Without an Active Directory PDC, you cannot take full advantage of Group Policy 396 Objects. However, you can still make changes to the Local Group Policy by using 397 the Group Policy editor (<span><b class="command">gpedit.msc</b></span>). 398 </p><p> 399 The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can 400 be found under 401 <span class="guimenu">User Configuration</span>-><span class="guimenuitem">Administrative Templates</span>-><span class="guimenuitem">System</span>-><span class="guimenuitem">User Profiles</span>. 402 By default this setting contains: 403 “<span class="quote"><span class="emphasis"><em>Local Settings;Temporary Internet Files;History;Temp</em></span></span>”. 404 </p><p> 405 Simply add the folders you do not wish to be copied back and forth to this 406 semi-colon separated list. Note that this change must be made on all clients 407 that are using roaming profiles. 408 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553613"></a>Profile Changes</h4></div></div></div><p><a class="indexterm" name="id2553620"></a><a class="indexterm" name="id2553628"></a> 409 There are two changes that should be done to each user's profile. Move each of 410 the directories that you have excluded from being copied back and forth out of 411 the usual profile path. Modify each user's <tt class="filename">NTUSER.DAT</tt> file 412 to point to the new paths that are shared over the network, instead of the default 413 path (<tt class="filename">C:\Documents and Settings\%USERNAME%</tt>). 414 </p><p><a class="indexterm" name="id2553657"></a><a class="indexterm" name="id2553665"></a> 415 The above modifies existing user profiles. So that newly created profiles have 416 these settings, you will need to modify the <tt class="filename">NTUSER.DAT</tt> in 417 the <tt class="filename">C:\Documents and Settings\Default User</tt> folder on each 418 client machine, changing the same registry keys. You could do this by copying 419 <tt class="filename">NTUSER.DAT</tt> to a Linux box and using 420 <span><b class="command">regedt32</b></span>. 421 The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>. 422 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553712"></a>Using a Network Default User Profile</h4></div></div></div><p><a class="indexterm" name="id2553719"></a><a class="indexterm" name="id2553727"></a> 423 If you are using Samba as your PDC, you should create a file-share called 424 <tt class="constant">NETLOGON</tt> and within that create a directory called 425 <tt class="filename">Default User</tt>, which is a copy of the desired default user 426 configuration (including a copy of <tt class="filename">NTUSER.DAT</tt>. 427 If this share exists and the <tt class="filename">Default User</tt> folder exists, 428 the first login from a new account pulls its configuration from it. 429 See also: <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top"> 430 the Real Men Don't Click</a> Web site. 431 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553773"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p><a class="indexterm" name="id2553780"></a><a class="indexterm" name="id2553791"></a><a class="indexterm" name="id2553799"></a> 432 The subject of printing is quite topical. Printing problems run second place to name 433 resolution issues today. So far in this book, you have experienced only what is generally 434 known as “<span class="quote"><span class="emphasis"><em>dumb</em></span></span>” printing. Dumb printing is the arrangement where all drivers 435 are manually installed on each client and the printing subsystems perform no filtering 436 or intelligent processing. Dumb printing is easily understood. It usually works without 437 many problems, but it has its limitations also. Dumb printing is better known as 438 <span><b class="command">Raw Print Through</b></span> printing. 439 </p><p><a class="indexterm" name="id2553830"></a><a class="indexterm" name="id2553842"></a> 440 Samba permits the configuration of <span><b class="command">Smart</b></span> printing using the Microsoft 441 Windows point-and-click (also called drag-and-drop) printing. What this provides is 442 essentially the ability to print to any printer. If the local client does not yet have a 443 driver installed, the driver is automatically downloaded from the Samba server and 444 installed on the client. Drag-and-drop printing is neat; it means the user never needs 445 to fuss with driver installation, and that is a <span class="trademark">Good Thing</span>™, 446 isn't it? 447 </p><p> 448 There is a further layer of print job processing that is known as <span><b class="command">Intelligent</b></span> 449 printing that automatically senses the file format of data submitted for printing and 450 then invokes a suitable print filter to convert the incoming data stream into a format 451 suited to the printer to which the job is dispatched. 452 </p><p><a class="indexterm" name="id2553891"></a><a class="indexterm" name="id2553899"></a> 453 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to 454 detect the data format and apply a print filter. This means that it is feasible to install 455 on all Windows clients a single printer driver for use with all printers that are routed 456 through CUPS. The most sensible driver to use is one for a Postscript printer. Fortunately, 457 <a href="http://www.easysw.com" target="_top">Easy Software Products,</a> the authors of CUPS have 458 released a Postscript printing driver for Windows. It can be installed into the Samba 459 printing backend so that it automatically downloads to the client when needed. 460 </p><p> 461 This means that so long as there is a CUPS driver for the printer, all printing from Windows 462 software can use Postscript, no matter what the actual printer language for the physical 463 device is. It also means that the administrator can swap out a printer with a totally 464 different type of device without ever needing to change a client workstation driver. 465 </p><p> 466 This book is about Samba-3, so you can confine the printing style to just the smart 467 style of installation. Those interested in further information regarding intelligent 468 printing should review documentation on the Easy Software Products Web site. 469 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2553943"></a>Avoiding Failures Solving Problems Before the Happen</h4></div></div></div><p> 470 It has often been said that there are three types of people in the world: Those who 471 have sharp minds and those that forget things. Please do not ask what the third group 472 are like! Well, it seems that many of us have company in the second group. There must 473 be a good explanation why so many network administrators fail to solve apparently 474 simple problems efficiently and effectively. 475 </p><p> 476 Here are some diagnostic guidelines that can be referred to when things go wrong: 477 </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2553966"></a>Preliminary Advice Dangers Can be Avoided</h5></div></div></div><p> 478 The best advice regarding how best to mend a broken leg was “<span class="quote"><span class="emphasis"><em>never break a leg!</em></span></span>” 479 </p><p> 480 New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice 481 regarding the best way to remedy LDAP and Samba problems: “<span class="quote"><span class="emphasis"><em>Avoid them like the plague!</em></span></span>” 482 </p><p> 483 If you are now asking yourself how can problems be avoided? The best advice is to start 484 out your learning experience with an <span class="emphasis"><em>known-to-work</em></span> solution. After 485 you have seen a fully working solution, a good way to learn is to make slow and progressive 486 changes that cause things to break, then observe carefully how and why things ceased to work. 487 </p><p> 488 The examples in this chapter (also in the book as a whole) are known to work. That means 489 that they could serve as the kick-off point for your journey through fields of knowledge. 490 Use this resource carefully; we hope it serves you well. 491 </p><p> 492 Warning: Do not be lulled into thinking that you can easily adopt the examples in this 493 book and adapt them without first working through the working examples provided. A little 494 thing over-looked can cause untold pain and may permanently tarnish your experience. 495 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554024"></a>Debugging LDAP</h5></div></div></div><p> 496 In the example <tt class="filename">/etc/openldap/slapd.conf</tt> control file 497 (see <a href="happy.html#ch6-dbconf" title="Example�6.1.�LDAP DB_CONFIG File">???</a>) there is an entry for <tt class="constant">loglevel 256</tt>. 498 To enable logging via the syslog infrastructure it is necessary to uncomment this parameter 499 and restart <span><b class="command">slapd</b></span>. 500 </p><p> 501 LDAP log information can be directed into a file that is separate from the normal system 502 log files by changing the <tt class="filename">/etc/syslog.conf</tt> file so it has the following 503 contents: 504</p><pre class="screen"> 505# Some foreign boot scripts require local7 506# 507local0,local1.* -/var/log/localmessages 508local2,local3.* -/var/log/localmessages 509local5.* -/var/log/localmessages 510local6,local7.* -/var/log/localmessages 511local4.* -/var/log/ldaplogs 512</pre><p> 513 In the above case, all LDAP related logs will be directed to the file 514 <tt class="filename">/var/log/ldaplogs</tt>. This makes it easy to track LDAP errors. 515 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554091"></a>Debugging NSS_LDAP</h5></div></div></div><p> 516 The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the 517 <tt class="filename">/etc/ldap.conf</tt> file the following parameters: 518</p><pre class="screen"> 519debug 256 520logdir /data/logs 521</pre><p> 522 Create the log directory as follows: 523</p><pre class="screen"> 524<tt class="prompt">root# </tt> mkdir /data/logs 525</pre><p> 526 </p><p> 527 The diagnostic process should follow the following steps: 528 </p><div class="procedure"><ol type="1"><li><p> 529 Verify the <tt class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</tt> entries 530 in the <tt class="filename">/etc/ldap.conf</tt> file and compare them closely with the directory 531 tree location that was chosen in when the directory was first created. 532 </p><p> 533 One was this can be done is by executing: 534</p><pre class="screen"> 535<tt class="prompt">root# </tt> slapcat | grep Group | grep dn 536dn: ou=Groups,dc=abmas,dc=biz 537dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz 538dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz 539dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz 540dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 541dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz 542dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz 543dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz 544dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz 545</pre><p> 546 The first line is the DIT entry point for the container for POSIX groups. The correct entry 547 for the <tt class="filename">/etc/ldap.conf</tt> for the <tt class="constant">nss_base_group</tt> 548 parameter therefore is the distinquished name (dn) as applied here: 549</p><pre class="screen"> 550nss_base_group ou=Groups,dc=abmas,dc=biz?one 551</pre><p> 552 The same process may be followed to determine the appropriate dn for user accounts. 553 If the container for computer accounts is not the same as that for users (see the <tt class="filename">smb.conf</tt> 554 file entry for <tt class="constant">ldap machine suffix</tt>, it may be necessary to set the 555 following DIT dn in the <tt class="filename">/etc/ldap.conf</tt>: 556</p><pre class="screen"> 557nss_base_passwd dc=abmas,dc=biz?sub 558</pre><p> 559 This instructs LDAP to search for machine as well as user entries from the top of the DIT 560 down. This is inefficient, but at least should work. 561 </p></li><li><p> 562 Perform lookups such as: 563</p><pre class="screen"> 564<tt class="prompt">root# </tt> getent passwd 565</pre><p> 566 Each such lookup will create an entry in the <tt class="filename">/data/log</tt> directory 567 for each such process executed. The contents of that file may provide a hint as to 568 the cause of the failure that is being investigated. 569 </p></li><li><p> 570 Check the contents of the <tt class="filename">/var/log/messages</tt> to see what error messages are being 571 generated as a result of the LDAP lookups. Here is an example of a successful lookup: 572</p><pre class="screen"> 573slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539 574(IP=0.0.0.0:389) 575slapd[12164]: conn=0 op=0 BIND dn="" method=128 576slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text= 577slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0 578filter="(objectClass=*)" 579slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0 580nentries=1 text= 581slapd[12164]: conn=0 op=2 UNBIND 582slapd[12164]: conn=0 fd=10 closed 583slapd[12164]: conn=1 fd=10 ACCEPT from 584IP=127.0.0.1:33540 (IP=0.0.0.0:389) 585slapd[12164]: conn=1 op=0 BIND 586dn="cn=Manager,dc=abmas,dc=biz" method=128 587slapd[12164]: conn=1 op=0 BIND 588dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0 589slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text= 590slapd[12164]: conn=1 op=1 SRCH 591base="ou=People,dc=abmas,dc=biz" scope=1 deref=0 592filter="(objectClass=posixAccount)" 593slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword 594uidNumber gidNumber cn 595homeDirectory loginShell gecos description objectClass 596slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0 597nentries=2 text= 598slapd[12164]: conn=1 fd=10 closed 599 600</pre><p> 601 </p></li><li><p> 602 Check that the bindpw entry in the <tt class="filename">/etc/ldap.conf</tt> or in the 603 <tt class="filename">/etc/ldap.secrets</tt> file is correct. i.e.: As specified in the 604 <tt class="filename">/etc/openldap/slapd.conf</tt> file. 605 </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554320"></a>Debugging Samba</h5></div></div></div><p> 606 The following parameters in the <tt class="filename">smb.conf</tt> file can be useful in tracking down Samba related problems: 607</p><pre class="screen"> 608[global] 609 ... 610 log level = 5 611 log file = /var/log/samba/%m.log 612 max log size = 0 613 ... 614</pre><p> 615 This will result in the creation of a separate log file for every client from which connections 616 are made. The log file will be quite verbose and will grow continually. Do not forget to 617 change these lines to the following when debugging has been completed: 618</p><pre class="screen"> 619[global] 620 ... 621 log level = 1 622 log file = /var/log/samba/%m.log 623 max log size = 50 624 ... 625</pre><p> 626 </p><p> 627 The log file can be analyzed by executing: 628</p><pre class="screen"> 629<tt class="prompt">root# </tt> cd /var/log/samba 630<tt class="prompt">root# </tt> grep -v "^\[200" machine_name.log 631</pre><p> 632 </p><p> 633 Search for hints of what may have failed by lokking for the words <span class="emphasis"><em>fail</em></span> 634 and <span class="emphasis"><em>error</em></span>. 635 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2554391"></a>Debugging on the Windows Client</h5></div></div></div><p> 636 MS Windows 2000 Professional and Windows XP Professional clients are capable of being configured 637 to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search 638 the Microsoft knowledge base for detailed instructions. The techniques vary a little with each 639 version of MS Windows. 640 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2554409"></a>Political Issues</h3></div></div></div><p> 641 MS Windows network users are generally very sensitive to limits that may be imposed when 642 confronted with locked-down workstation configurations. The challenge you face must 643 be promoted as a choice between reliable and fast network operation, and a constant flux 644 of problems that result in user irritation. 645 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2554424"></a>Installation Check-List</h3></div></div></div><p> 646 You are starting a complex project. Even though you have gone through the installation 647 of a complex network in chapter 5, this network is a bigger challenge because of the 648 large number of complex applications that must be configured before the first few steps 649 can be validated. Take stock of what you are about to undertake, prepare yourself, and 650 frequently review the steps ahead while making at least a mental note of what has already 651 been completed. The following task list may help you to keep track of the task items 652 that are covered: 653 </p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS Servers</p></li><li><p>OpenLDAP Server</p></li><li><p>PAM and NSS Client Tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx SMB-LDAP Scripts</p></li><li><p>LDAP Initialization</p></li><li><p>Create User and Group Accounts</p></li><li><p>Printers</p></li><li><p>Share Point Directory Roots</p></li><li><p>Profile Directories</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS Servers</p></li><li><p>PAM and NSS Client Tools</p></li><li><p>Printers</p></li><li><p>Share Point Directory Roots</p></li><li><p>Profiles Directories</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default Profile Folder Redirection</p></li><li><p>MS Outlook PST File Relocation</p></li><li><p>Delete Roaming Profile on Logout</p></li><li><p>Upload Printer Drivers to Samba Servers</p></li><li><p>Install Software</p></li><li><p>Creation of Roll-out Images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2554594"></a>Samba Server Implementation</h2></div></div></div><p><a class="indexterm" name="id2554601"></a><a class="indexterm" name="id2554609"></a> 654 The network design shown in <a href="happy.html#chap6net" title="Figure�6.2.�Network Topology 500 User Network Using ldapsam passdb backend.">???</a> is not comprehensive. It is assumed 655 that you will install additional file servers, and possibly additional BDCs. 656 </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure�6.2.�Network Topology 500 User Network Using ldapsam passdb backend.</b></p><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend."></div></div><p><a class="indexterm" name="id2554672"></a><a class="indexterm" name="id2554680"></a> 657 All configuration files and locations are shown for SUSE Linux 9.2 and are equaly valid for SUSE 658 Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to 659 adjust the locations for your particular Linux system distribution/implementation. 660 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 661The following information applies to Samba-3.0.12 when used with the Idealx smbldap-tools scripts 662version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please 663verify that the versions you are about to use are matching. 664</p></div><p> 665 The steps in the process involve changes from the network configuration 666 shown in <a href="Big500users.html" title="Chapter�5.�The 500-User Office">???</a>. 667 Before implementing the following steps, you must have completed the network implementation shown 668 in that chapter. If you are starting with newly installed Linux servers, you must complete 669 the steps shown in <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing 670 at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>: 671 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p><a class="indexterm" name="id2554742"></a><a class="indexterm" name="id2554750"></a><a class="indexterm" name="id2554757"></a> 672 Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table�6.2.�Required OpenLDAP Linux Packages">???</a> are installed on your system. 673 </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table�6.2.�Required OpenLDAP Linux Packages</b></p><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left">�</td></tr></tbody></table></div><p> 674 Samba-3 and OpenLDAP will have a degree of inter-dependence that is unavoidable. The method 675 for boot-strapping the LDAP and Samba-3 configuration is relatively straight forward. If you 676 follow these guidelines, the resulting system should work fine. 677 </p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2554899"></a> 678 Install the file shown in <a href="happy.html#ch6-slapdconf" title="Example�6.2.�LDAP Master Configuration File /etc/openldap/slapd.conf Part A">???</a> in the directory 679 <tt class="filename">/etc/openldap</tt>. 680 </p></li><li><p><a class="indexterm" name="id2554928"></a><a class="indexterm" name="id2554935"></a><a class="indexterm" name="id2554943"></a> 681 Remove all files from the directory <tt class="filename">/data/ldap</tt>, making certain that 682 the directory exists with permissions: 683</p><pre class="screen"> 684<tt class="prompt">root# </tt> ls -al /data | grep ldap 685drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap 686</pre><p> 687 This may require you to add a user and a group account for LDAP if they do not exist. 688 </p></li><li><p><a class="indexterm" name="id2554980"></a> 689 Install the file shown in <a href="happy.html#ch6-dbconf" title="Example�6.1.�LDAP DB_CONFIG File">???</a> in the directory 690 <tt class="filename">/data/ldap</tt>. In the event that this file is added after <tt class="constant">ldap</tt> 691 has been started, it is possible to cause the new settings to take effect by shutting down 692 the <tt class="constant">LDAP</tt> server, executing the <span><b class="command">db_recover</b></span> command inside the 693 <tt class="filename">/data/ldap</tt> directory, and then restarting the <tt class="constant">LDAP</tt> server. 694 </p></li><li><p><a class="indexterm" name="id2555031"></a> 695 Performance logging can be enabled and should preferrably be sent to a file on 696 a file system that is large enough to handle significantly sized logs. To enable 697 the logging at a verbose level to permit detailed analysis uncomment the entry in 698 the <tt class="filename">/etc/openldap/slapd.conf</tt> shown as “<span class="quote"><span class="emphasis"><em>loglevel 256</em></span></span>”. 699 </p><p> 700 Edit the <tt class="filename">/etc/syslog.conf</tt> file to add the following at the end 701 of the file: 702</p><pre class="screen"> 703local4.* -/data/ldap/log/openldap.log 704</pre><p> 705 Note: The path <tt class="filename">/data/ldap/log</tt> should be set a a location 706 that is convenient and that can store a large volume of data. 707 </p></li></ol></div><div class="example"><a name="ch6-dbconf"></a><p class="title"><b>Example�6.1.�LDAP DB_CONFIG File</b></p><pre class="screen"> 708set_cachesize 0 150000000 1 709set_lg_regionmax 262144 710set_lg_bsize 2097152 711#set_lg_dir /var/log/bdb 712set_flags DB_LOG_AUTOREMOVE 713</pre></div><div class="example"><a name="ch6-slapdconf"></a><p class="title"><b>Example�6.2.�LDAP Master Configuration File <tt class="filename">/etc/openldap/slapd.conf</tt> Part A</b></p><pre class="screen"> 714include /etc/openldap/schema/core.schema 715include /etc/openldap/schema/cosine.schema 716include /etc/openldap/schema/inetorgperson.schema 717include /etc/openldap/schema/nis.schema 718include /etc/openldap/schema/samba3.schema 719 720pidfile /var/run/slapd/slapd.pid 721argsfile /var/run/slapd/slapd.args 722 723access to dn.base="" 724 by self write 725 by * auth 726 727access to attr=userPassword 728 by self write 729 by * auth 730 731access to attr=shadowLastChange 732 by self write 733 by * read 734 735access to * 736 by * read 737 by anonymous auth 738 739#loglevel 256 740 741schemacheck on 742idletimeout 30 743backend bdb 744database bdb 745checkpoint 1024 5 746cachesize 10000 747 748suffix "dc=abmas,dc=biz" 749rootdn "cn=Manager,dc=abmas,dc=biz" 750 751# rootpw = not24get 752rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV 753 754directory /data/ldap 755</pre></div><div class="example"><a name="ch6-slapdconf2"></a><p class="title"><b>Example�6.3.�LDAP Master Configuration File <tt class="filename">/etc/openldap/slapd.conf</tt> Part B</b></p><pre class="screen"> 756# Indices to maintain 757index objectClass eq 758index cn pres,sub,eq 759index sn pres,sub,eq 760index uid pres,sub,eq 761index displayName pres,sub,eq 762index uidNumber eq 763index gidNumber eq 764index memberUID eq 765index sambaSID eq 766index sambaPrimaryGroupSID eq 767index sambaDomainName eq 768index default sub 769</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p><a class="indexterm" name="id2555184"></a><a class="indexterm" name="id2555191"></a><a class="indexterm" name="id2555199"></a> 770 The steps that follow involve configuration of LDAP, Name Service Switch (NSS) LDAP-based resolution 771 of users and groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead 772 configure the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication. 773 </p><p> 774 Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely 775 that you may want to use them for UNIX system (Linux) local machine logons. This necessitates 776 correct configuration of the Pluggable Authentication 777 Modules<a class="indexterm" name="id2555225"></a><a class="indexterm" name="id2555236"></a> 778 (PAM). The <span><b class="command">pam_ldap</b></span> 779 open source package provides the PAM modules that most people would use. On SUSE Linux systems, 780 the <span><b class="command">pam_unix2.so</b></span> module also has the ability to redirect authentication requests 781 through LDAP. 782 </p><p><a class="indexterm" name="id2555263"></a><a class="indexterm" name="id2555271"></a><a class="indexterm" name="id2555279"></a><a class="indexterm" name="id2555287"></a> 783 You have chosen to configure these services by directly editing the system files but, of course, you 784 know that this configuration can be done using system tools provided by the Linux system vendor. 785 SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span>-><span class="guimenuitem">system</span>-><span class="guimenuitem">ldap-client</span> that permits 786 configuration of SUSE Linux as an LDAP client. Red Hat Linux provides 787 the <span><b class="command">authconfig</b></span> 788 tool for this. 789 </p><div class="procedure"><div class="example"><a name="ch6-nss01"></a><p class="title"><b>Example�6.4.�Configuration File for NSS LDAP Support <tt class="filename">/etc/ldap.conf</tt></b></p><pre class="screen"> 790host 127.0.0.1 791 792base dc=abmas,dc=biz 793 794binddn cn=Manager,dc=abmas,dc=biz 795bindpw not24get 796 797timelimit 50 798bind_timelimit 50 799bind_policy hard 800 801idle_timelimit 3600 802 803pam_password exop 804 805nss_base_passwd ou=People,dc=abmas,dc=biz?one 806nss_base_shadow ou=People,dc=abmas,dc=biz?one 807nss_base_group ou=Groups,dc=abmas,dc=biz?one 808 809ssl off 810</pre></div><div class="example"><a name="ch6-nss02"></a><p class="title"><b>Example�6.5.�Configuration File for NSS LDAP Clients Support <tt class="filename">/etc/ldap.conf</tt></b></p><pre class="screen"> 811host 172.16.0.1 812 813base dc=abmas,dc=biz 814 815binddn cn=Manager,dc=abmas,dc=biz 816bindpw not24get 817 818timelimit 50 819bind_timelimit 50 820bind_policy hard 821 822idle_timelimit 3600 823 824pam_password exop 825 826nss_base_passwd ou=People,dc=abmas,dc=biz?one 827nss_base_shadow ou=People,dc=abmas,dc=biz?one 828nss_base_group ou=Groups,dc=abmas,dc=biz?one 829 830ssl off 831</pre></div><ol type="1"><li><p><a class="indexterm" name="id2555335"></a><a class="indexterm" name="id2555343"></a><a class="indexterm" name="id2555351"></a> 832 Execute the following command to find where the <tt class="filename">nss_ldap</tt> module 833 expects to find its control file: 834</p><pre class="screen"> 835<tt class="prompt">root# </tt> strings /lib/libnss_ldap.so.2 | grep conf 836</pre><p> 837 The preferred and usual location is <tt class="filename">/etc/ldap.conf</tt>. 838 </p></li><li><p> 839 On the server <tt class="constant">MASSIVE</tt>, install the file shown in 840 <a href="happy.html#ch6-nss01" title="Example�6.4.�Configuration File for NSS LDAP Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. 841 On the servers called <tt class="constant">BLDG1</tt> and <tt class="constant">BLDG2</tt>, install the file shown in 842 <a href="happy.html#ch6-nss02" title="Example�6.5.�Configuration File for NSS LDAP Clients Support /etc/ldap.conf">???</a> into the path that was obtained from the step above. 843 </p></li><li><p><a class="indexterm" name="id2555486"></a> 844 Edit the NSS control file (<tt class="filename">/etc/nsswitch.conf</tt>) so that the lines that 845 control user and group resolution will obtain information from the normal system files as 846 well as from <span><b class="command">ldap</b></span> as follows: 847</p><pre class="screen"> 848passwd: files ldap 849shadow: files ldap 850group: files ldap 851hosts: files dns wins 852</pre><p> 853 Later, when the LDAP database has been initialized and user and group accounts have been 854 added, you can validate resolution of the LDAP resolver process. The inclusion of 855 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be 856 resolved to their IP addresses, whether or not they are DHCP clients. 857 </p></li><li><p><a class="indexterm" name="id2555528"></a> 858 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following 859 files in the <tt class="filename">/etc/pam.d</tt> directory: 860 <span><b class="command">login, password, samba, sshd</b></span>. 861 In each file, locate every entry that has the <span><b class="command">pam_unix2.so</b></span> entry and add to the 862 line the entry <span><b class="command">use_ldap</b></span> as shown for the 863 <span><b class="command">login</b></span> module in 864 this example: 865</p><pre class="screen"> 866#%PAM-1.0 867auth requisite pam_unix2.so nullok use_ldap #set_secrpc 868auth required pam_securetty.so 869auth required pam_nologin.so 870#auth required pam_homecheck.so 871auth required pam_env.so 872auth required pam_mail.so 873account required pam_unix2.so use_ldap 874password required pam_pwcheck.s nullok 875password required pam_unix2.so nullok use_first_pass \ 876 use_authtok use_ldap 877session required pam_unix2.so none use_ldap # debug or trace 878session required pam_limits.so 879</pre><p> 880 </p><p><a class="indexterm" name="id2555593"></a> 881 On other Linux systems that do not have an LDAP-enabled <span><b class="command">pam_unix2.so</b></span> module, 882 you must edit these files by adding the <span><b class="command">pam_ldap.so</b></span> modules as shown here: 883</p><pre class="screen"> 884#%PAM-1.0 885auth required pam_securetty.so 886auth required pam_nologin.so 887auth sufficient pam_ldap.so 888auth required pam_unix2.so nullok try_first_pass #set_secrpc 889account sufficient pam_ldap.so 890account required pam_unix2.so 891password required pam_pwcheck.so nullok 892password required pam_ldap.so use_first_pass use_authtok 893password required pam_unix2.so nullok use_first_pass use_authtok 894session required pam_unix2.so none # debug or trace 895session required pam_limits.so 896session required pam_env.so 897session optional pam_mail.so 898</pre><p> 899 This example does have the LDAP-enabled <span><b class="command">pam_unix2.so</b></span>, but simply 900 demonstrates the use of the <span><b class="command">pam_ldap.so</b></span> module. You can use either 901 implementation, but if the <span><b class="command">pam_unix2.so</b></span> on your system supports 902 LDAP, you probably want to use it, rather than add an additional module. 903 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p><a class="indexterm" name="id2555667"></a> 904 Verify that the Samba-3.0.12 (or later) packages are installed on each SUSE Linux server 905 before following the steps below. If Samba-3.0.12 (or later) is not installed, you have the 906 choice to either build your own or to obtain the packages from a dependable source. 907 Packages for SUSE Linux 8.x, 9.x and SUSE Linux Enterprise Server 9, as well as for 908 Red Hat Fedora Core and Red Hat Enteprise Linux Server 3 and 4 are included on the CD-ROM that 909 is included at the back of this book. 910 </p><div class="procedure"><a name="id2555685"></a><p class="title"><b>Procedure�6.4.�Configuration of PDC Called: <tt class="constant">MASSIVE</tt></b></p><ol type="1"><li><p> 911 Install the files in <a href="happy.html#ch6-massive-smbconfa" title="Example�6.6.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">???</a>, 912 <a href="happy.html#ch6-massive-smbconfb" title="Example�6.7.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">???</a>, <a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section Part A">???</a>, 913 and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section Part B">???</a> into the <tt class="filename">/etc/samba/</tt> 914 directory. The three files should be added together to form the <tt class="filename">smb.conf</tt> 915 master file. It is a good practice to call this file something like 916 <tt class="filename">smb.conf.master</tt>, and then to perform all file edits 917 on the master file. The operational <tt class="filename">smb.conf</tt> is then generated as shown in 918 the next step. 919 </p></li><li><p><a class="indexterm" name="id2555761"></a> 920 Create and verify the contents of the <tt class="filename">smb.conf</tt> file that is generated by: 921</p><pre class="screen"> 922<tt class="prompt">root# </tt> testparm -s smb.conf.master > smb.conf 923</pre><p> 924 Immediately follow this with the following: 925</p><pre class="screen"> 926<tt class="prompt">root# </tt> testparm 927</pre><p> 928 The output that is created should be free from errors, as shown here: 929 930</p><pre class="screen"> 931Load smb config files from /etc/samba/smb.conf 932Processing section "[accounts]" 933Processing section "[service]" 934Processing section "[pidata]" 935Processing section "[homes]" 936Processing section "[printers]" 937Processing section "[apps]" 938Processing section "[netlogon]" 939Processing section "[profiles]" 940Processing section "[profdata]" 941Processing section "[print$]" 942Loaded services file OK. 943Server role: ROLE_DOMAIN_PDC 944Press enter to see a dump of your service definitions 945</pre><p> 946 </p></li><li><p> 947 Delete all run-time files from prior Samba operation by executing (for SUSE 948 Linux): 949</p><pre class="screen"> 950<tt class="prompt">root# </tt> rm /etc/samba/*tdb 951<tt class="prompt">root# </tt> rm /var/lib/samba/*tdb 952<tt class="prompt">root# </tt> rm /var/lib/samba/*dat 953<tt class="prompt">root# </tt> rm /var/log/samba/* 954</pre><p> 955 </p></li><li><p><a class="indexterm" name="id2555862"></a><a class="indexterm" name="id2555870"></a> 956 Samba-3 communicates with the LDAP server. The password that it uses to 957 authenticate to the LDAP server must be stored in the <tt class="filename">secrets.tdb</tt> 958 file. Execute the following to create the new <tt class="filename">secrets.tdb</tt> files 959 and store the password for the LDAP Manager: 960</p><pre class="screen"> 961<tt class="prompt">root# </tt> smbpasswd -w not24get 962</pre><p> 963 The expected output from this command is: 964</p><pre class="screen"> 965Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb 966</pre><p> 967 </p></li><li><p><a class="indexterm" name="id2555919"></a><a class="indexterm" name="id2555927"></a> 968 Samba-3 generates a Windows Security Identifier only when <span><b class="command">smbd</b></span> 969 has been started. For this reason, you start Samba. After a few seconds delay, 970 execute: 971</p><pre class="screen"> 972<tt class="prompt">root# </tt> smbclient -L localhost -U% 973<tt class="prompt">root# </tt> net getlocalsid 974</pre><p> 975 A report such as the following means that the Domain Security Identifier (SID) has not yet 976 been written to the <tt class="filename">secrets.tdb</tt> or to the LDAP backend: 977</p><pre class="screen"> 978[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852) 979 failed to bind to server ldap://massive.abmas.biz 980with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server 981 (unknown) 982[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169) 983 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out) 984</pre><p> 985 The attempt to read the SID will attempt to bind to the LDAP server. Because the LDAP server 986 is not running this operation will fail by way of a time out, as shown above. This is 987 normal output, do not worry about this error message. When the Domain has been created and 988 written to the <tt class="filename">secrets.tdb</tt> file, the output should look like this: 989</p><pre class="screen"> 990SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 991</pre><p> 992 If, after a short delay (a few seconds), the Domain SID has still not been written to 993 the <tt class="filename">secrets.tdb</tt> file, it is necessary to investigate what 994 may be mis-configured. In this case, carefully check the <tt class="filename">smb.conf</tt> file for typographical 995 errors (the most common problem). The use of the <span><b class="command">testparm</b></span> is highly 996 recommended to validate the contents of this file. 997 </p></li><li><p> 998 When a positive Domain SID has been reported, stop Samba. 999 </p></li><li><p> 1000 <a class="indexterm" name="id2556042"></a> 1001 <a class="indexterm" name="id2556051"></a> 1002 <a class="indexterm" name="id2556060"></a> 1003 <a class="indexterm" name="id2556069"></a> 1004 Configure the NFS server for your Linux system. So you can complete the steps that 1005 follow, enter into the <tt class="filename">/etc/exports</tt> the following entry: 1006</p><pre class="screen"> 1007/home *(rw,root_squash,sync) 1008</pre><p> 1009 This permits the user home directories to be used on the BDC servers for testing 1010 purposes. You, of course, decide what is the best way for your site to distribute 1011 data drives, as well as creating suitable backup and restore procedures for Abmas Inc. 1012 I'd strongly recommend that for normal operation the BDC is completely independent 1013 of the PDC. rsync is a useful tool here as it resembles the NT replication service quite 1014 closely. If you do use NFS, do not forget to start the NFS server as follows: 1015</p><pre class="screen"> 1016<tt class="prompt">root# </tt> rcnfsserver start 1017</pre><p> 1018 </p></li></ol></div><p> 1019 Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with 1020 configuration of the LDAP server. 1021 </p><div class="example"><a name="ch6-massive-smbconfa"></a><p class="title"><b>Example�6.6.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2556150"></a><i class="parameter"><tt> 1022 1023 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2556166"></a><i class="parameter"><tt> 1024 1025 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2556181"></a><i class="parameter"><tt> 1026 1027 netbios name = MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2556197"></a><i class="parameter"><tt> 1028 1029 interfaces = eth1, lo</tt></i></td></tr><tr><td><a class="indexterm" name="id2556212"></a><i class="parameter"><tt> 1030 1031 bind interfaces only = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556228"></a><i class="parameter"><tt> 1032 1033 passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556244"></a><i class="parameter"><tt> 1034 1035 enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556259"></a><i class="parameter"><tt> 1036 1037 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2556276"></a><i class="parameter"><tt> 1038 1039 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2556291"></a><i class="parameter"><tt> 1040 1041 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2556306"></a><i class="parameter"><tt> 1042 1043 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2556321"></a><i class="parameter"><tt> 1044 1045 max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2556337"></a><i class="parameter"><tt> 1046 1047 smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2556352"></a><i class="parameter"><tt> 1048 1049 name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2556369"></a><i class="parameter"><tt> 1050 1051 time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556384"></a><i class="parameter"><tt> 1052 1053 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2556399"></a><i class="parameter"><tt> 1054 1055 show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2556415"></a><i class="parameter"><tt> 1056 1057 add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556432"></a><i class="parameter"><tt> 1058 1059 delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556448"></a><i class="parameter"><tt> 1060 1061 add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556464"></a><i class="parameter"><tt> 1062 1063 delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556480"></a><i class="parameter"><tt> 1064 1065 add user to group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod -m "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556503"></a><i class="parameter"><tt> 1066 1067 delete user from group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-groupmod -x "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556527"></a><i class="parameter"><tt> 1068 1069 set primary group script = /opt/IDEALX/sbin/</tt></i></td></tr><tr><td><i class="parameter"><tt>smbldap-usermod -g "%g" "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2556550"></a><i class="parameter"><tt> 1070 1071 add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</tt></i></td></tr></table></div><div class="example"><a name="ch6-massive-smbconfb"></a><p class="title"><b>Example�6.7.�LDAP Based smb.conf File, Server: MASSIVE global Section: Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2556581"></a><i class="parameter"><tt> 1072 1073 logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2556597"></a><i class="parameter"><tt> 1074 1075 logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2556612"></a><i class="parameter"><tt> 1076 1077 logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2556627"></a><i class="parameter"><tt> 1078 1079 domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556642"></a><i class="parameter"><tt> 1080 1081 preferred master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556658"></a><i class="parameter"><tt> 1082 1083 wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556674"></a><i class="parameter"><tt> 1084 1085 ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556689"></a><i class="parameter"><tt> 1086 1087 ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2556705"></a><i class="parameter"><tt> 1088 1089 ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2556720"></a><i class="parameter"><tt> 1090 1091 ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2556736"></a><i class="parameter"><tt> 1092 1093 ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2556752"></a><i class="parameter"><tt> 1094 1095 ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556768"></a><i class="parameter"><tt> 1096 1097 idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2556784"></a><i class="parameter"><tt> 1098 1099 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2556799"></a><i class="parameter"><tt> 1100 1101 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2556814"></a><i class="parameter"><tt> 1102 1103 map acl inherit = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2556830"></a><i class="parameter"><tt> 1104 1105 printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2556845"></a><i class="parameter"><tt> 1106 1107 printer admin = root, chrisr</tt></i></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2556862"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p><a class="indexterm" name="id2556869"></a> 1108 The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts 1109 on the LDAP server. You have chosen the Idealx scripts since they are the best known 1110 LDAP configuration scripts. The use of these scripts will help avoid the necessity 1111 to create custom scripts. It is easy to download them from the Idealx 1112 <a href="http://samba.idealx.org/index.en.html" target="_top">Web Site.</a> The tarball may 1113 be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.8.7.tgz" target="_top">downloaded</a> 1114 for this site, also. Alternately, you may obtain the 1115 <a href="http://samba.idealx.org/dist/smbldap-tools-0.8.7-3.src.rpm" target="_top">smbldap-tools-0.8.7-3.src.rpm</a> 1116 file that may be used to build an installable RPM package for your Linux system. 1117 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 1118The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must 1119change the path to them in your <tt class="filename">smb.conf</tt> file on the PDC (<tt class="constant">MASSIVE</tt>). 1120</p></div><p> 1121 The smbldap-tools are located in <tt class="filename">/opt/IDEALX/sbin</tt>. 1122 The scripts are not needed on BDC machines because all LDAP updates are handled by 1123 the PDC alone. 1124 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2556940"></a>Installation of smbldap-tools from the tarball</h4></div></div></div><p> 1125 To perform a manual installation of the smbldap-tools scripts the following procedure may be used: 1126 </p><div class="procedure"><a name="idealxscript"></a><ol type="1"><li><p> 1127 Create the <tt class="filename">/opt/IDEALX/sbin</tt> directory, and set its permissions 1128 and ownership as shown here: 1129</p><pre class="screen"> 1130<tt class="prompt">root# </tt> mkdir -p /opt/IDEALX/sbin 1131<tt class="prompt">root# </tt> chown root.root /opt/IDEALX/sbin 1132<tt class="prompt">root# </tt> chmod 755 /opt/IDEALX/sbin 1133<tt class="prompt">root# </tt> mkdir -p /etc/smbldap-tools 1134<tt class="prompt">root# </tt> chown root.root /etc/smbldap-tools 1135<tt class="prompt">root# </tt> chmod 755 /etc/smbldap-tools 1136</pre><p> 1137 </p></li><li><p> 1138 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location. 1139 Change into either the directory extracted from the tarball, or else into the smbldap-tools 1140 directory in your <tt class="filename">/usr/share/doc/packages</tt> directory tree. 1141 </p></li><li><p> 1142 Copy all the <tt class="filename">smbldap-*</tt> and the <tt class="filename">configure.pl</tt> files into the 1143 <tt class="filename">/opt/IDEALX/sbin</tt> directory, as shown here: 1144</p><pre class="screen"> 1145<tt class="prompt">root# </tt> cd smbldap-tools-0.8.7/ 1146<tt class="prompt">root# </tt> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ 1147<tt class="prompt">root# </tt> cp smbldap*conf /etc/smbldap-tools/ 1148<tt class="prompt">root# </tt> chmod 750 /opt/IDEALX/sbin/smbldap-* 1149<tt class="prompt">root# </tt> chmod 750 /opt/IDEALX/sbin/configure.pl 1150<tt class="prompt">root# </tt> chmod 640 /etc/smbldap-tools/smbldap.conf 1151<tt class="prompt">root# </tt> chmod 600 /etc/smbldap-tools/smbldap_bind.conf 1152</pre><p> 1153 </p></li><li><p> 1154 The smbldap-tools scripts master control file must now be configured. 1155 Change to the <tt class="filename">/opt/IDEALX/sbin</tt> directory, then edit the 1156 <tt class="filename">smbldap_tools.pm</tt> to affect the changes 1157 shown here: 1158</p><pre class="screen"> 1159... 1160# ugly funcs using global variables and spawning openldap clients 1161 1162my $smbldap_conf="/etc/smbldap-tools/smbldap.conf"; 1163my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; 1164... 1165</pre><p> 1166 </p></li><li><p> 1167 To complete the configuration of the smbldap-tools, set the permissions and ownership 1168 by executing the following commands: 1169</p><pre class="screen"> 1170<tt class="prompt">root# </tt> chown root.root /opt/IDEALX/sbin/* 1171<tt class="prompt">root# </tt> chmod 755 /opt/IDEALX/sbin/smbldap-* 1172<tt class="prompt">root# </tt> chmod 640 /opt/IDEALX/sbin/smb*pm 1173</pre><p> 1174 The smbldap-tools scripts are now ready for the configuration step outlined in 1175 <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>. 1176 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2557186"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p> 1177 In the event that you have elected to use the RPM package provided by Idealx, download the 1178 source RPM <tt class="filename">smbldap-tools-0.8.7-3.src.rpm</tt>, then follow the following procedure: 1179 </p><div class="procedure"><ol type="1"><li><p> 1180 Install the source RPM that has been downloaded as follows: 1181</p><pre class="screen"> 1182<tt class="prompt">root# </tt> rpm -i smbldap-tools-0.8.7-5.src.rpm 1183</pre><p> 1184 </p></li><li><p> 1185 Change into the directory in which the SPEC files are located. On SUSE Linux: 1186</p><pre class="screen"> 1187<tt class="prompt">root# </tt> cd /usr/src/packages/SPECS 1188</pre><p> 1189 On Red Hat Linux systems: 1190</p><pre class="screen"> 1191<tt class="prompt">root# </tt> cd /usr/src/redhat/SPECS 1192</pre><p> 1193 </p></li><li><p> 1194 Edit the <tt class="filename">smbldap-tools.spec</tt> file to change the value of the 1195 <tt class="constant">_sysconfig</tt> macro as shown here: 1196</p><pre class="screen"> 1197%define _prefix /opt/IDEALX 1198%define _sysconfdir /etc 1199</pre><p> 1200 Note: Any suitable directory can be specified. 1201 </p></li><li><p> 1202 Build the package by executing: 1203</p><pre class="screen"> 1204<tt class="prompt">root# </tt> rpmbuild -ba -v smbldap-tools.spec 1205</pre><p> 1206 A build process that has completed without error will place the installable binary 1207 files in the directory <tt class="filename">../RPMS/noarch</tt>. 1208 </p></li><li><p> 1209 Install the binary package by executing: 1210</p><pre class="screen"> 1211<tt class="prompt">root# </tt> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-5.noarch.rpm 1212</pre><p> 1213 </p></li></ol></div><p> 1214 The Idealx scripts should now be ready for configuration using the steps outlined in 1215 <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>. 1216 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p> 1217 Prior to use the smbldap-tools must be configured to match the settings in the <tt class="filename">smb.conf</tt> file 1218 and to match the settings in the <tt class="filename">/etc/openldap/slapd.conf</tt> file. The assumption 1219 is made that the <tt class="filename">smb.conf</tt> file has correct contents. The following procedure will ensure that 1220 this is completed correctly: 1221 </p><p> 1222 The smbldap-tools require that the netbios name (machine name) of the Samba server be included 1223 in the <tt class="filename">smb.conf</tt> file. 1224 </p><div class="procedure"><ol type="1"><li><p> 1225 Change into the directory that contains the <tt class="filename">configure.pl</tt> script. 1226</p><pre class="screen"> 1227<tt class="prompt">root# </tt> cd /opt/IDEALX/sbin 1228</pre><p> 1229 </p></li><li><p> 1230 Execute the <tt class="filename">configure.pl</tt> script as follows: 1231</p><pre class="screen"> 1232<tt class="prompt">root# </tt> ./configure.pl 1233</pre><p> 1234 The interactive use of this script for the PDC is demonstrated here: 1235</p><pre class="screen"> 1236Unrecognized escape \p passed through at ./configure.pl line 194. 1237-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 1238 smbldap-tools script configuration 1239 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 1240Before starting, check 1241 . if your samba controller is up and running. 1242 . if the domain SID is defined (you can get it with the 'net getlocalsid') 1243 1244 . you can leave the configuration using the Crtl-c key combination 1245 . empty value can be set with the "." caracter 1246-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 1247Looking for configuration files... 1248 1249Samba Config File Location [/etc/samba/smb.conf] > 1250smbldap Config file Location (global parameters) 1251 [/etc/smbldap-tools/smbldap.conf] > 1252smbldap Config file Location (bind parameters) 1253 [/etc/smbldap-tools/smbldap_bind.conf] > 1254-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 1255Let's start configuring the smbldap-tools scripts ... 1256 1257. workgroup name: name of the domain Samba act as a PDC 1258 workgroup name [MEGANET2] > 1259. netbios name: netbios name of the samba controler 1260 netbios name [MASSIVE] > 1261. logon drive: local path to which the home directory 1262 will be connected (for NT Workstations). Ex: 'H:' 1263 logon drive [X:] > 1264. logon home: home directory location (for Win95/98 or NT Workstation). 1265 (use %U as username) Ex:'\\MASSIVE\home\%U' 1266 logon home (leave blank if you don't want homeDirectory) 1267 [\\MASSIVE\home\%U] > \\MASSIVE\%U 1268. logon path: directory where roaming profiles are stored. 1269 Ex:'\\MASSIVE\profiles\%U' 1270 logon path (leave blank if you don't want roaming profile) 1271 [\\MASSIVE\profiles\%U] > 1272. home directory prefix (use %U as username) 1273 [/home/%U] > /home/users/%U 1274. default user netlogon script (use %U as username) 1275 [%U.cmd] > scripts\login.cmd 1276 default password validation time (time in days) [45] > 0 1277. ldap suffix [dc=abmas,dc=biz] > 1278. ldap group suffix [ou=Groups] > 1279. ldap user suffix [ou=People] > 1280. ldap machine suffix [ou=People] > 1281. Idmap suffix [ou=Idmap] > 1282. sambaUnixIdPooldn: object where you want to store the next uidNumber 1283 and gidNumber available for new users and groups 1284 sambaUnixIdPooldn object (relative to ${suffix}) [cn=NextFreeUnixId] > 1285. ldap master server: IP adress or DNS name 1286 of the master (writable) ldap server 1287Use of uninitialized value in scalar chomp at ./configure.pl 1288 line 138, <STDIN> line 17. 1289Use of uninitialized value in hash element at ./configure.pl 1290 line 140, <STDIN> line 17. 1291Use of uninitialized value in concatenation (.) or string at 1292 ./configure.pl line 144, <STDIN> line 17. 1293Use of uninitialized value in string at ./configure.pl 1294 line 145, <STDIN> line 17. 1295 ldap master server [] > 127.0.0.1 1296. ldap master port [389] > 1297. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] > 1298. ldap master bind password [] > 1299. ldap slave server: IP adress or DNS name of the slave 1300 ldap server: can also be the master one 1301Use of uninitialized value in scalar chomp at ./configure.pl 1302 line 138, <STDIN> line 21. 1303Use of uninitialized value in hash element at ./configure.pl 1304 line 140, <STDIN> line 21. 1305Use of uninitialized value in concatenation (.) or string at 1306 ./configure.pl line 144, <STDIN> line 21. 1307Use of uninitialized value in string at ./configure.pl line 145, 1308 <STDIN> line 21. 1309 ldap slave server [] > 127.0.0.1 1310. ldap slave port [389] > 1311. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] > 1312. ldap slave bind password [] > 1313. ldap tls support (1/0) [0] > 1314. SID for domain MEGANET2: SID of the domain 1315 (can be obtained with 'net getlocalsid MASSIVE') 1316 SID for domain MEGANET2 1317 [S-1-5-21-3504140859-1010554828-2431957765] > 1318. unix password encryption: encryption used for unix passwords 1319 unix password encryption 1320 (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 1321. default user gidNumber [513] > 1322. default computer gidNumber [515] > 1323. default login shell [/bin/bash] > 1324. default domain name to append to mail adress [] > abmas.biz 1325-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 1326backup old configuration files: 1327 /etc/smbldap-tools/smbldap.conf-> 1328 etc/smbldap-tools/smbldap.conf.old 1329 /etc/smbldap-tools/smbldap_bind.conf-> 1330 etc/smbldap-tools/smbldap_bind.conf.old 1331writing new configuration file: 1332 /etc/smbldap-tools/smbldap.conf done. 1333 /etc/smbldap-tools/smbldap_bind.conf done. 1334</pre><p> 1335 Since a slave LDAP server has not been configured it is necessary to specify the IP 1336 address of the master LDAP server for both the master and the slave configuration 1337 prompts. 1338 </p></li><li><p> 1339 Change to the directory that contains the <tt class="filename">smbldap.conf</tt> file 1340 then verify its contents. 1341 </p></li></ol></div><p> 1342 The smbldap-tools are now ready for use. 1343 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2557579"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p> 1344 The LDAP database must be populated with well-known Windows Domain user accounts and Domain Group 1345 accounts before Samba can be used. The following procedures step you through the process. 1346 </p><p> 1347 At this time, Samba-3 requires that on a PDC all UNIX (Posix) group accounts that are 1348 mapped (linked) to Windows Domain Group accounts must be in the LDAP database. It does not 1349 hurt to have UNIX user and group accounts in both the system files as well as in the LDAP 1350 database. From a UNIX system perspective, the NSS resolver checks system files before 1351 referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it 1352 does not need to ask LDAP. 1353 </p><p> 1354 Addition of an account to the LDAP backend can be done in a number of ways: 1355 </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2557610"></a><a class="indexterm" name="id2557618"></a><a class="indexterm" name="id2557626"></a><a class="indexterm" name="id2557634"></a><a class="indexterm" name="id2557642"></a><a class="indexterm" name="id2557650"></a> 1356 If you always have a user account in the <tt class="filename">/etc/passwd</tt> on every 1357 server or in a NIS(+) backend, it is not necessary to add Posix accounts for them in 1358 LDAP. In this case, you can add Windows Domain user accounts using the 1359 <span><b class="command">pdbedit</b></span> utility. Use of this tool from the command line adds the 1360 SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user. 1361 </p><p> 1362 If you decide that it is probably a good idea to add both the PosixAccount attributes 1363 as well as the SambaSamAccount attributes for each user, then a suitable script is needed. 1364 In the example system you are installing in this exercise, you are making use of the 1365 Idealx smbldap-tools scripts. A copy of these tools, pre-configured for this system, 1366 is included on the enclosed CD-ROM under <tt class="filename">Chap06/Tools.</tt> 1367 </p></blockquote></div><p><a class="indexterm" name="id2557695"></a> 1368 If you wish to have more control over how the LDAP database is initialized or 1369 want not to use the Idealx smbldap-tools, you should refer to <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>. 1370 </p><p><a class="indexterm" name="id2557718"></a> 1371 The following steps initialize the LDAP database, and then you can add user and group 1372 accounts that Samba can use. You use the <span><b class="command">smbldap-populate</b></span> to 1373 seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#ch6-bigacct" title="Table�6.3.�Abmas Network Users and Groups">???</a>. 1374 The list of users does not cover all 500 network users; it provides examples only. 1375 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2557748"></a><a class="indexterm" name="id2557759"></a><a class="indexterm" name="id2557770"></a> 1376 In the following examples, as the LDAP database is initialized, we do create a container 1377 for Computer (machine) accounts. In the Samba-3 <tt class="filename">smb.conf</tt> files, specific use is made 1378 of the People container, not the Computers container, for domain member accounts. This is not a 1379 mistake; it is a deliberate action that is necessitated by the fact that there is a bug in Samba-3 1380 that prevents it from being able to search the LDAP database for computer accounts if they are 1381 placed in the Computers container. By placing all machine accounts in the People container, we 1382 are able to side-step this bug. It is expected that at some time in the future this problem will 1383 be resolved. At that time, it will be possible to use the Computers container in order to keep 1384 machine accounts separate from user accounts. 1385 </p></div><div class="table"><a name="ch6-bigacct"></a><p class="title"><b>Table�6.3.�Abmas Network Users and Groups</b></p><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left">�</td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left">�</td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left">�</td></tr></tbody></table></div><div class="procedure"><a name="creatacc"></a><ol type="1"><li><p> 1386 Start the LDAP server by executing: 1387</p><pre class="screen"> 1388<tt class="prompt">root# </tt> rcldap start 1389Starting ldap-server done 1390</pre><p> 1391 </p></li><li><p> 1392 Change to the <tt class="filename">/opt/IDEALX/sbin</tt> directory. 1393 </p></li><li><p> 1394 Execute the script that will populate the LDAP database as shown here: 1395</p><pre class="screen"> 1396<tt class="prompt">root# </tt> ./smbldap-populate -a root -k 0 1397</pre><p> 1398 The expected output from this is: 1399</p><pre class="screen"> 1400Using workgroup name from smb.conf: sambaDomainName=MEGANET2 1401-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 1402=> Warning: you must update smbldap.conf configuration file to : 1403=> sambaUnixIdPooldn parameter must be set 1404 to "sambaDomainName=MEGANET2,dc=abmas,dc=biz" 1405-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 1406Using builtin directory structure 1407adding new entry: dc=abmas,dc=biz 1408adding new entry: ou=People,dc=abmas,dc=biz 1409adding new entry: ou=Groups,dc=abmas,dc=biz 1410entry ou=People,dc=abmas,dc=biz already exist. 1411adding new entry: ou=Idmap,dc=abmas,dc=biz 1412adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz 1413adding new entry: uid=root,ou=People,dc=abmas,dc=biz 1414adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz 1415adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz 1416adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz 1417adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz 1418adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 1419adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz 1420adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz 1421adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz 1422adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz 1423</pre><p> 1424 </p></li><li><p> 1425 Edit the <tt class="filename">/etc/smbldap-tools/smbldap.conf</tt> file so that the following 1426 information is changed from: 1427</p><pre class="screen"> 1428# Where to store next uidNumber and gidNumber available 1429sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 1430</pre><p> 1431 to read, after modification: 1432</p><pre class="screen"> 1433# Where to store next uidNumber and gidNumber available 1434#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 1435sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" 1436</pre><p> 1437 </p></li><li><p> 1438 It is necessary to restart the LDAP server as shown here: 1439</p><pre class="screen"> 1440<tt class="prompt">root# </tt> rcldap restart 1441Shutting down ldap-server done 1442Starting ldap-server done 1443</pre><p> 1444 </p></li><li><p><a class="indexterm" name="id2558150"></a> 1445 So that we can use a global IDMAP repository the LDAP directory must have a container object for IDMAP data. 1446 There are several ways you can check that your LDAP database is able to receive IDMAP information. One of 1447 the simplest is to execute: 1448</p><pre class="screen"> 1449<tt class="prompt">root# </tt> slapcat | grep -i idmap 1450dn: ou=Idmap,dc=abmas,dc=biz 1451ou: idmap 1452</pre><p> 1453 <a class="indexterm" name="id2558176"></a> 1454 If the execution of this command does not return IDMAP entries, you need to create an LDIF 1455 template file (see <a href="happy.html#ch6-ldifadd" title="Example�6.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using 1456 the following command: 1457</p><pre class="screen"> 1458<tt class="prompt">root# </tt> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ 1459 -w not24get < /etc/openldap/idmap.LDIF 1460</pre><p> 1461 Samba automatically populates this LDAP directory container when it needs to. 1462 </p></li><li><p><a class="indexterm" name="id2558215"></a> 1463 It looks like all has gone well, as expected. Let's confirm that this is the case 1464 by running a few tests. First we check the contents of the database directly 1465 by running <span><b class="command">slapcat</b></span> as follows (the output has been cut down): 1466</p><pre class="screen"> 1467<tt class="prompt">root# </tt> slapcat 1468dn: dc=abmas,dc=biz 1469objectClass: dcObject 1470objectClass: organization 1471dc: abmas 1472o: abmas 1473structuralObjectClass: organization 1474entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43 1475creatorsName: cn=Manager,dc=abmas,dc=biz 1476createTimestamp: 20031217234200Z 1477entryCSN: 2003121723:42:00Z#0x0001#0#0000 1478modifiersName: cn=Manager,dc=abmas,dc=biz 1479modifyTimestamp: 20031217234200Z 1480... 1481dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 1482objectClass: posixGroup 1483objectClass: sambaGroupMapping 1484gidNumber: 553 1485cn: Domain Computers 1486description: Netbios Domain Computers accounts 1487sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 1488sambaGroupType: 2 1489displayName: Domain Computers 1490structuralObjectClass: posixGroup 1491entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43 1492creatorsName: cn=Manager,dc=abmas,dc=biz 1493createTimestamp: 20031217234206Z 1494entryCSN: 2003121723:42:06Z#0x0002#0#0000 1495modifiersName: cn=Manager,dc=abmas,dc=biz 1496modifyTimestamp: 20031217234206Z 1497</pre><p> 1498 This looks good so far. 1499 </p></li><li><p><a class="indexterm" name="id2558267"></a> 1500 The next step is to prove that the LDAP server is running and responds to a 1501 search request. Execute the following as shown (output has been cut to save space): 1502</p><pre class="screen"> 1503<tt class="prompt">root# </tt> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" 1504# extended LDIF 1505# 1506# LDAPv3 1507# base <dc=abmas,dc=biz> with scope sub 1508# filter: (ObjectClass=*) 1509# requesting: ALL 1510# 1511 1512# abmas.biz 1513dn: dc=abmas,dc=biz 1514objectClass: dcObject 1515objectClass: organization 1516dc: abmas 1517o: abmas 1518 1519# People, abmas.biz 1520dn: ou=People,dc=abmas,dc=biz 1521objectClass: organizationalUnit 1522ou: People 1523... 1524# Domain Computers, Groups, abmas.biz 1525dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz 1526objectClass: posixGroup 1527objectClass: sambaGroupMapping 1528gidNumber: 553 1529cn: Domain Computers 1530description: Netbios Domain Computers accounts 1531sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553 1532sambaGroupType: 2 1533displayName: Domain Computers 1534 1535# search result 1536search: 2 1537result: 0 Success 1538 1539# numResponses: 20 1540# numEntries: 19 1541</pre><p> 1542 Good. It is all working just fine. 1543 </p></li><li><p><a class="indexterm" name="id2558325"></a> 1544 You must now make certain that the NSS resolver can interrogate LDAP also. 1545 Execute the following commands: 1546</p><pre class="screen"> 1547<tt class="prompt">root# </tt> getent passwd | grep root 1548root:x:998:512:Netbios Domain Administrator:/home:/bin/false 1549 1550<tt class="prompt">root# </tt> getent group | grep Domain 1551Domain Admins:x:512:root 1552Domain Users:x:513: 1553Domain Guests:x:514: 1554Domain Computers:x:553: 1555</pre><p><a class="indexterm" name="id2558356"></a> 1556 This demonstrates that the <span><b class="command">nss_ldap</b></span> library is functioning 1557 as it should. 1558 </p></li><li><p><a class="indexterm" name="id2558378"></a><a class="indexterm" name="id2558386"></a><a class="indexterm" name="id2558394"></a> 1559 Our database is now ready for the addition of network users. For each user for 1560 whom an account must be created, execute the following: 1561</p><pre class="screen"> 1562<tt class="prompt">root# </tt> ./smbldap-useradd -m -a <tt class="constant">username</tt> 1563<tt class="prompt">root# </tt> ./smbldap-passwd <tt class="constant">username</tt> 1564Changing password for <tt class="constant">username</tt> 1565New password : XXXXXXXX 1566Retype new password : XXXXXXXX 1567 1568<tt class="prompt">root# </tt> smbpasswd <tt class="constant">username</tt> 1569New SMB password: XXXXXXXX 1570Retype new SMB password: XXXXXXXX 1571</pre><p> 1572 Where <tt class="constant">username</tt> is the login ID for each user. 1573 </p></li><li><p><a class="indexterm" name="id2558456"></a> 1574 Now verify that the UNIX (Posix) accounts can be resolved via NSS by executing the 1575 following: 1576</p><pre class="screen"> 1577<tt class="prompt">root# </tt> getent passwd 1578root:x:0:0:root:/root:/bin/bash 1579bin:x:1:1:bin:/bin:/bin/bash 1580... 1581root:x:0:512:Netbios Domain Administrator:/home:/bin/false 1582nobody:x:999:514:nobody:/dev/null:/bin/false 1583bobj:x:1000:513:System User:/home/bobj:/bin/bash 1584stans:x:1001:513:System User:/home/stans:/bin/bash 1585chrisr:x:1002:513:System User:/home/chrisr:/bin/bash 1586maryv:x:1003:513:System User:/home/maryv:/bin/bash 1587</pre><p> 1588 This demonstates that user account resolution via LDAP is working. 1589 </p></li><li><p> 1590 This step will determin 1591</p><pre class="screen"> 1592<tt class="prompt">root# </tt> id chrisr 1593uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) 1594</pre><p> 1595 This confirms that the UNIX (Posix) user account information can be resolved from LDAP 1596 by system tools that make a getentpw() system call. 1597 </p></li><li><p><a class="indexterm" name="id2558513"></a> 1598 The 'root' account must have UID=0, if not this means that operations conducted from 1599 a Windows client using tools such as the Domain User Manager fails under UNIX because 1600 the management of user and group accounts requires that the UID=0. Additionally, it is 1601 a good idea to make certain that no matter how 'root' account credentials are resolved 1602 that the home directory and shell are valid. You decide to effect this immediately 1603 as demonstrated here: 1604</p><pre class="screen"> 1605<tt class="prompt">root# </tt> cd /opt/IDEALX/sbin 1606<tt class="prompt">root# </tt> ./smbldap-usermod -u 0 -d /root -s /bin/bash root 1607</pre><p> 1608 </p></li><li><p> 1609 Verify that the changes just made to the <tt class="constant">root</tt> account were 1610 accepted by executing: 1611</p><pre class="screen"> 1612<tt class="prompt">root# </tt> getent passwd | grep root 1613root:x:0:0:root:/root:/bin/bash 1614root:x:0:512:Netbios Domain Administrator:/root:/bin/bash 1615</pre><p> 1616 This demonstrates that the changes were accepted. 1617 </p></li><li><p> 1618 Make certain that a home directory has been created for every user by listing the 1619 directories in <tt class="filename">/home</tt> as follows: 1620</p><pre class="screen"> 1621<tt class="prompt">root# </tt> ls -al /home 1622drwxr-xr-x 8 root root 176 Dec 17 18:50 ./ 1623drwxr-xr-x 21 root root 560 Dec 15 22:19 ../ 1624drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/ 1625drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/ 1626drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/ 1627drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/ 1628</pre><p> 1629 This is precisely what we want to see. 1630 </p></li><li><p><a class="indexterm" name="id2558614"></a><a class="indexterm" name="id2558622"></a> 1631 The final validation step involves making certain that Samba-3 can obtain the user 1632 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown: 1633</p><pre class="screen"> 1634<tt class="prompt">root# </tt> pdbedit -Lv chrisr 1635Unix username: chrisr 1636NT username: chrisr 1637Account Flags: [U ] 1638User SID: S-1-5-21-3504140859-1010554828-2431957765-3004 1639Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 1640Full Name: System User 1641Home Directory: \\MASSIVE\homes 1642HomeDir Drive: H: 1643Logon Script: scripts\login.cmd 1644Profile Path: \\MASSIVE\profiles\chrisr 1645Domain: MEGANET2 1646Account desc: System User 1647Workstations: 1648Munged dial: 1649Logon time: 0 1650Logoff time: Mon, 18 Jan 2038 20:14:07 GMT 1651Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT 1652Password last set: Wed, 17 Dec 2003 17:17:40 GMT 1653Password can change: Wed, 17 Dec 2003 17:17:40 GMT 1654Password must change: Mon, 18 Jan 2038 20:14:07 GMT 1655Last bad password : 0 1656Bad password count : 0 1657Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 1658</pre><p> 1659 This looks good. Of course, you fully expected that it would all work, didn't you? 1660 </p></li><li><p><a class="indexterm" name="id2558668"></a> 1661 Now you add the group accounts that are used on the Abmas network. Execute 1662 the following exactly as shown: 1663</p><pre class="screen"> 1664<tt class="prompt">root# </tt> ./smbldap-groupadd -a Accounts 1665<tt class="prompt">root# </tt> ./smbldap-groupadd -a Finances 1666<tt class="prompt">root# </tt> ./smbldap-groupadd -a PIOps 1667</pre><p> 1668 The addition of groups does not involve keyboard interaction, so the lack of console 1669 output is of no concern. 1670 </p></li><li><p><a class="indexterm" name="id2558711"></a> 1671 You really do want to confirm that UNIX group resolution from LDAP is functioning 1672 as it should. Let's do this as shown here: 1673</p><pre class="screen"> 1674<tt class="prompt">root# </tt> getent group 1675... 1676Domain Admins:x:512:root 1677Domain Users:x:513:bobj,stans,chrisr,maryv 1678Domain Guests:x:514: 1679... 1680Accounts:x:1000: 1681Finances:x:1001: 1682PIOps:x:1002: 1683</pre><p> 1684 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well 1685 as our own site-specific group accounts, are correctly listed. This is looking good. 1686 </p></li><li><p><a class="indexterm" name="id2558745"></a> 1687 The final step we need to validate is that Samba can see all the Windows Domain Groups 1688 and that they are correctly mapped to the respective UNIX group account. To do this, 1689 just execute the following command: 1690</p><pre class="screen"> 1691<tt class="prompt">root# </tt> net groupmap list 1692Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins 1693Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users 1694Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests 1695... 1696Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts 1697Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances 1698PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps 1699</pre><p> 1700 This is looking good. Congratulations it works! Note that in the above output 1701 the lines where shortened by replacing the middle value (1010554828) of the SID with the 1702 elipsis (...). 1703 </p></li><li><p> 1704 The server you have so carefully built is now ready for another important step. You 1705 start the Samba-3 server and validate its operation. Execute the following to render all 1706 the processes needed fully operative so that, on system reboot, they are automatically 1707 started: 1708</p><pre class="screen"> 1709<tt class="prompt">root# </tt> chkconfig named on 1710<tt class="prompt">root# </tt> chkconfig dhcpd on 1711<tt class="prompt">root# </tt> chkconfig ldap on 1712<tt class="prompt">root# </tt> chkconfig nmb on 1713<tt class="prompt">root# </tt> chkconfig smb on 1714<tt class="prompt">root# </tt> chkconfig winbind on 1715<tt class="prompt">root# </tt> rcnmb start 1716<tt class="prompt">root# </tt> rcsmb start 1717<tt class="prompt">root# </tt> rcwinbind start 1718</pre><p> 1719 </p></li><li><p> 1720 The next step might seem a little odd at this point, but take note that you are about to 1721 start <span><b class="command">winbindd</b></span> which must be able to authenticate to the PDC via the 1722 localhost interface with the <span><b class="command">smbd</b></span> process. This account can be 1723 easily created by joining the PDC to the Domain by executing the following command: 1724</p><pre class="screen"> 1725<tt class="prompt">root# </tt> net rpc join -S MASSIVE -U root%not24get 1726</pre><p> 1727 Note: Before executing this command on the PDC both <span><b class="command">nmbd</b></span> and 1728 <span><b class="command">smbd</b></span> must be started so that the <span><b class="command">net</b></span> command 1729 can communicate with <span><b class="command">smbd</b></span>. The expected output is: 1730</p><pre class="screen"> 1731Joined domain MEGANET2. 1732</pre><p> 1733 This indicates that the Domain security account for the PDC has been correctly created. 1734 </p></li><li><p> 1735 At this time it is necessary to restart <span><b class="command">winbindd</b></span> so that it can 1736 correctly authenticate to the PDC. The following command achieves that: 1737</p><pre class="screen"> 1738<tt class="prompt">root# </tt> rcwinbind restart 1739</pre><p> 1740 </p></li><li><p><a class="indexterm" name="id2558963"></a> 1741 You may now check Samba-3 operation as follows: 1742</p><pre class="screen"> 1743<tt class="prompt">root# </tt> smbclient -L massive -U% 1744 1745 Sharename Type Comment 1746 --------- ---- ------- 1747 IPC$ IPC IPC Service (Samba 3.0.1) 1748 accounts Disk Accounting Files 1749 service Disk Financial Services Files 1750 pidata Disk Property Insurance Files 1751 apps Disk Application Files 1752 netlogon Disk Network Logon Service 1753 profiles Disk Profile Share 1754 profdata Disk Profile Data Share 1755 ADMIN$ IPC IPC Service (Samba 3.0.1) 1756 1757 Server Comment 1758 --------- ------- 1759 MASSIVE Samba 3.0.1 1760 1761 Workgroup Master 1762 --------- ------- 1763 MEGANET2 MASSIVE 1764</pre><p> 1765 This shows that an anonymous connection is working. 1766 </p></li><li><p> 1767 For your finale, let's try an authenticated connection. Follow this as shown: 1768</p><pre class="screen"> 1769<tt class="prompt">root# </tt> smbclient //massive/bobj -Ubobj%n3v3r2l8 1770smb: \> dir 1771 . D 0 Wed Dec 17 01:16:19 2003 1772 .. D 0 Wed Dec 17 19:04:42 2003 1773 bin D 0 Tue Sep 2 04:00:57 2003 1774 Documents D 0 Sun Nov 30 07:28:20 2003 1775 public_html D 0 Sun Nov 30 07:28:20 2003 1776 .urlview H 311 Fri Jul 7 06:55:35 2000 1777 .dvipsrc H 208 Fri Nov 17 11:22:02 1995 1778 1779 57681 blocks of size 524288. 57128 blocks available 1780smb: \> q 1781</pre><p> 1782 Well done. All is working fine. 1783 </p></li></ol></div><p> 1784 The server <tt class="constant">MASSIVE</tt> is now configured, and it is time to move onto the next task. 1785 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch6-ptrcfg"></a>Printer Configuration</h3></div></div></div><p><a class="indexterm" name="id2559061"></a> 1786 The configuration for Samba-3 to enable CUPS raw-print-through printing has already been 1787 taken care of in the <tt class="filename">smb.conf</tt> file. The only preparation needed for 1788 <tt class="constant">smart</tt> 1789 printing to be possible involves creation of the directories in which Samba-3 stores 1790 Windows printing driver files. 1791 </p><div class="procedure"><ol type="1"><li><p> 1792 Configure all network attached printers to have a fixed IP address. 1793 </p></li><li><p> 1794 Create an entry in the DNS database on the server <tt class="constant">MASSIVE</tt> 1795 in both the forward lookup database for the zone <tt class="constant">abmas.biz.hosts</tt> 1796 and in the reverse lookup database for the network segment that the printer is to 1797 be located in. Example configuration files for similar zones were presented in 1798 <a href="secure.html#abmasbiz" title="Example�4.14.�DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example�4.13.�DNS 192.168.2 Reverse Zone File">???</a>. 1799 </p></li><li><p> 1800 Follow the instructions in the printer manufacturers' manuals to permit printing 1801 to port 9100. Use any other port the manufacturer specifies for direct mode, 1802 raw printing. This allows the CUPS spooler to print using raw mode protocols. 1803 <a class="indexterm" name="id2559137"></a> 1804 <a class="indexterm" name="id2559144"></a> 1805 </p></li><li><p><a class="indexterm" name="id2559156"></a> 1806 <a class="indexterm" name="id2559165"></a> 1807 Only on the server to which the printer is attached, configure the CUPS Print 1808 Queues as follows: 1809</p><pre class="screen"> 1810<tt class="prompt">root# </tt> lpadmin -p <i class="parameter"><tt>printque</tt></i> 1811 -v socket://<i class="parameter"><tt>printer-name</tt></i>.abmas.biz:9100 -E 1812</pre><p> 1813 <a class="indexterm" name="id2559201"></a> 1814 This step creates the necessary print queue to use no assigned print filter. This 1815 is ideal for raw printing, i.e., printing without use of filters. 1816 The name <i class="parameter"><tt>printque</tt></i> is the name you have assigned for 1817 the particular printer. 1818 </p></li><li><p> 1819 Print queues may not be enabled at creation. Make certain that the queues 1820 you have just created are enabled by executing the following: 1821</p><pre class="screen"> 1822<tt class="prompt">root# </tt> /usr/bin/enable <i class="parameter"><tt>printque</tt></i> 1823</pre><p> 1824 </p></li><li><p> 1825 Even though your print queue may be enabled, it is still possible that it 1826 may not accept print jobs. A print queue will service incoming printing 1827 requests only when configured to do so. Ensure that your print queue is 1828 set to accept incoming jobs by executing the following commands: 1829</p><pre class="screen"> 1830<tt class="prompt">root# </tt> /usr/bin/accept <i class="parameter"><tt>printque</tt></i> 1831</pre><p> 1832 </p></li><li><p> 1833 <a class="indexterm" name="id2559282"></a> 1834 <a class="indexterm" name="id2559289"></a> 1835 <a class="indexterm" name="id2559296"></a> 1836 Edit the file <tt class="filename">/etc/cups/mime.convs</tt> to uncomment the line: 1837</p><pre class="screen"> 1838application/octet-stream application/vnd.cups-raw 0 - 1839</pre><p> 1840 </p></li><li><p> 1841 <a class="indexterm" name="id2559324"></a> 1842 Edit the file <tt class="filename">/etc/cups/mime.types</tt> to uncomment the line: 1843</p><pre class="screen"> 1844application/octet-stream 1845</pre><p> 1846 </p></li><li><p> 1847 Refer to the CUPS printing manual for instructions regarding how to configure 1848 CUPS so that print queues that reside on CUPS servers on remote networks 1849 route print jobs to the print server that owns that queue. The default setting 1850 on your CUPS server may automatically discover remotely installed printers and 1851 may permit this functionality without requiring specific configuration. 1852 </p></li><li><p> 1853 The following action creates the necessary directory sub-system. Follow these 1854 steps to printing heaven: 1855</p><pre class="screen"> 1856<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40} 1857<tt class="prompt">root# </tt> chown -R root.root /var/lib/samba/drivers 1858<tt class="prompt">root# </tt> chmod -R ug=rwx,o=rx /var/lib/samba/drivers 1859</pre><p> 1860 </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch6-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2559406"></a><p class="title"><b>Procedure�6.10.�Configuration of BDC Called: <tt class="constant">BLDG1</tt></b></p><ol type="1"><li><p> 1861 Install the files in <a href="happy.html#ch6-bldg1-smbconf" title="Example�6.8.�LDAP Based smb.conf File, Server: BLDG1">???</a>, 1862 <a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section Part B">???</a> 1863 into the <tt class="filename">/etc/samba/</tt> directory. The three files 1864 should be added together to form the <tt class="filename">smb.conf</tt> file. 1865 </p></li><li><p> 1866 Verify the <tt class="filename">smb.conf</tt> file as in step 2 of <a href="happy.html#ch6-massive" title="Samba-3 PDC Configuration">???</a>. 1867 </p></li><li><p> 1868 Carefully follow the steps outlined in <a href="happy.html#ch6-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking 1869 particular note to install the correct <tt class="filename">ldap.conf</tt>. 1870 </p></li><li><p> 1871 Verify that the NSS resolver is working. You may need to cycle the run level 1872 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these 1873 commands: 1874</p><pre class="screen"> 1875<tt class="prompt">root# </tt> init 1 1876</pre><p> 1877 After the run level has been achieved, you are prompted to provide the 1878 <tt class="constant">root</tt> password. Log on, and then execute: 1879</p><pre class="screen"> 1880<tt class="prompt">root# </tt> init 5 1881</pre><p> 1882 When the normal logon prompt appears, log into the system as 1883 <tt class="constant">root</tt> 1884 and then execute these commands: 1885</p><pre class="screen"> 1886<tt class="prompt">root# </tt> getent passwd 1887root:x:0:0:root:/root:/bin/bash 1888bin:x:1:1:bin:/bin:/bin/bash 1889daemon:x:2:2:Daemon:/sbin:/bin/bash 1890lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash 1891mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false 1892... 1893root:x:0:512:Netbios Domain Administrator:/root:/bin/bash 1894nobody:x:999:514:nobody:/dev/null:/bin/false 1895bobj:x:1000:513:System User:/home/bobj:/bin/bash 1896stans:x:1001:513:System User:/home/stans:/bin/bash 1897chrisr:x:1002:513:System User:/home/chrisr:/bin/bash 1898maryv:x:1003:513:System User:/home/maryv:/bin/bash 1899vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false 1900bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false 1901</pre><p> 1902 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem. 1903 </p></li><li><p><a class="indexterm" name="id2559566"></a> 1904 The next step in the verification process involves testing the operation of UNIX group 1905 resolution via the NSS LDAP resolver. Execute these commands: 1906</p><pre class="screen"> 1907<tt class="prompt">root# </tt> getent group 1908root:x:0: 1909bin:x:1:daemon 1910daemon:x:2: 1911sys:x:3: 1912... 1913Domain Admins:x:512:root 1914Domain Users:x:513:bobj,stans,chrisr,maryv,jht 1915Domain Guests:x:514: 1916Administrators:x:544: 1917Users:x:545: 1918Guests:x:546:nobody 1919Power Users:x:547: 1920Account Operators:x:548: 1921Server Operators:x:549: 1922Print Operators:x:550: 1923Backup Operators:x:551: 1924Replicator:x:552: 1925Domain Computers:x:553: 1926Accounts:x:1000: 1927Finances:x:1001: 1928PIOps:x:1002: 1929</pre><p> 1930 This is also the correct and desired output, because it demonstrates that the LDAP client 1931 is able to communicate correctly with the LDAP server 1932 (<tt class="constant">MASSIVE</tt>). 1933 </p></li><li><p><a class="indexterm" name="id2559608"></a> 1934 You must now set the LDAP administrative password into the 1935 Samba-3 <tt class="filename">secrets.tdb</tt> 1936 file by executing this command: 1937</p><pre class="screen"> 1938<tt class="prompt">root# </tt> smbpasswd -w not24get 1939Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb 1940</pre><p> 1941 </p></li><li><p> 1942 Now you must obtain the Domain Security Identifier from the PDC and store it into the 1943 <tt class="filename">secrets.tdb</tt> file also. This step is not necessary with an LDAP 1944 passdb backend because Samba-3 obtains the Domain SID from the 1945 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to 1946 add the SID to the <tt class="filename">secrets.tdb</tt>, and if you wish to do so, this 1947 command can achieve that: 1948</p><pre class="screen"> 1949<tt class="prompt">root# </tt> net rpc getsid MEGANET2 1950Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ 1951 for Domain MEGANET2 in secrets.tdb 1952</pre><p> 1953 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take 1954 any special action to join it to the Domain. However, winbind communicates with the 1955 Domain Controller that is running on the localhost and must be able to authenticate, 1956 thus requiring that the BDC should be joined to the Domain. The process of joining 1957 the Domain creates the necessary authentication accounts. 1958 </p></li><li><p> 1959 To join the Samba BDC to the Domain execute the following: 1960</p><pre class="screen"> 1961<tt class="prompt">root# </tt> net rpc join -U root%not24get 1962Joined domain MEGANET2. 1963</pre><p> 1964 This indicates that the Domain security account for the BDC has been correctly created. 1965 </p></li><li><p> 1966 <a class="indexterm" name="id2559711"></a> 1967 Verify that user and group account resolution works via Samba-3 tools as follows: 1968</p><pre class="screen"> 1969<tt class="prompt">root# </tt> pdbedit -L 1970root:0:root 1971nobody:65534:nobody 1972bobj:1000:System User 1973stans:1001:System User 1974chrisr:1002:System User 1975maryv:1003:System User 1976bldg1$:1006:bldg1$ 1977 1978<tt class="prompt">root# </tt> net groupmap list 1979Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins 1980Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users 1981Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests 1982Administrators (S-1-5-21-3504140859-...-2431957765-544) -> Administrators 1983... 1984Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts 1985Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances 1986PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps 1987</pre><p> 1988 The above results show that all things are in order. 1989 </p></li><li><p> 1990 The server you have so carefully built is now ready for another important step. Now 1991 start the Samba-3 server and validate its operation. Execute the following to render all 1992 the processes needed fully operative so that, upon system reboot, they are automatically 1993 started: 1994</p><pre class="screen"> 1995<tt class="prompt">root# </tt> chkconfig named on 1996<tt class="prompt">root# </tt> chkconfig dhcpd on 1997<tt class="prompt">root# </tt> chkconfig nmb on 1998<tt class="prompt">root# </tt> chkconfig smb on 1999<tt class="prompt">root# </tt> chkconfig winbind on 2000<tt class="prompt">root# </tt> rcnmb start 2001<tt class="prompt">root# </tt> rcsmb start 2002<tt class="prompt">root# </tt> rcwinbind start 2003</pre><p> 2004 Samba-3 should now be running and is ready for a quick test. But not quite yet! 2005 </p></li><li><p> 2006 Your new <tt class="constant">BLDG1, BLDG2</tt> servers do not have home directories for users. 2007 To rectify this using the SUSE yast2 utility or by manually editing the <tt class="filename">/etc/fstab</tt> 2008 file, add a mount entry to mount the <tt class="constant">home</tt> directory that has been exported 2009 from the <tt class="constant">MASSIVE</tt> server. Mount this resource before proceeding. An alternate 2010 approach could be to create local home directories for users who are to use these machines. 2011 This is a choice that you, as system administrator, must make. The following entry in the 2012 <tt class="filename">/etc/fstab</tt> file suffices for now: 2013</p><pre class="screen"> 2014massive.abmas.biz:/home /home nfs rw 0 0 2015</pre><p> 2016 To mount this resource, execute: 2017</p><pre class="screen"> 2018<tt class="prompt">root# </tt> mount -a 2019</pre><p> 2020 Verify that the home directory has been mounted as follows: 2021</p><pre class="screen"> 2022<tt class="prompt">root# </tt> df | grep home 2023massive:/home 29532988 283388 29249600 1% /home 2024</pre><p> 2025 </p></li><li><p> 2026 Implement a quick check using one of the users that is in the LDAP database. Here you go: 2027</p><pre class="screen"> 2028<tt class="prompt">root# </tt> smbclient //bldg1/bobj -Ubobj%n3v3r2l8 2029smb: \> dir 2030 . D 0 Wed Dec 17 01:16:19 2003 2031 .. D 0 Wed Dec 17 19:04:42 2003 2032 bin D 0 Tue Sep 2 04:00:57 2003 2033 Documents D 0 Sun Nov 30 07:28:20 2003 2034 public_html D 0 Sun Nov 30 07:28:20 2003 2035 .urlview H 311 Fri Jul 7 06:55:35 2000 2036 .dvipsrc H 208 Fri Nov 17 11:22:02 1995 2037 2038 57681 blocks of size 524288. 57128 blocks available 2039smb: \> q 2040</pre><p> 2041 </p></li></ol></div><div class="procedure"><a name="ch6-bldg2"></a><p class="title"><b>Procedure�6.11.�Configuration of BDC Called: <tt class="constant">BLDG2</tt></b></p><ol type="1"><li><p> 2042 Install the files in <a href="happy.html#ch6-bldg2-smbconf" title="Example�6.9.�LDAP Based smb.conf File, Server: BLDG2">???</a>, 2043 <a href="happy.html#ch6-shareconfa" title="Example�6.10.�LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#ch6-shareconfb" title="Example�6.11.�LDAP Based smb.conf File, Shares Section Part B">???</a> 2044 into the <tt class="filename">/etc/samba/</tt> directory. The three files 2045 should be added together to form the <tt class="filename">smb.conf</tt> file. 2046 </p></li><li><p> 2047 Follow carefully the steps shown in <a href="happy.html#ch6-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2. 2048 </p></li></ol></div><div class="example"><a name="ch6-bldg1-smbconf"></a><p class="title"><b>Example�6.8.�LDAP Based smb.conf File, Server: BLDG1</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2560036"></a><i class="parameter"><tt> 2049 2050 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2560051"></a><i class="parameter"><tt> 2051 2052 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560067"></a><i class="parameter"><tt> 2053 2054 netbios name = BLDG1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560082"></a><i class="parameter"><tt> 2055 2056 passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560099"></a><i class="parameter"><tt> 2057 2058 enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560114"></a><i class="parameter"><tt> 2059 2060 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2560130"></a><i class="parameter"><tt> 2061 2062 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560145"></a><i class="parameter"><tt> 2063 2064 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2560160"></a><i class="parameter"><tt> 2065 2066 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2560176"></a><i class="parameter"><tt> 2067 2068 max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2560191"></a><i class="parameter"><tt> 2069 2070 smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2560207"></a><i class="parameter"><tt> 2071 2072 name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2560223"></a><i class="parameter"><tt> 2073 2074 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2560238"></a><i class="parameter"><tt> 2075 2076 show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560254"></a><i class="parameter"><tt> 2077 2078 logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2560270"></a><i class="parameter"><tt> 2079 2080 logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2560285"></a><i class="parameter"><tt> 2081 2082 logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2560301"></a><i class="parameter"><tt> 2083 2084 domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560316"></a><i class="parameter"><tt> 2085 2086 domain master = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560332"></a><i class="parameter"><tt> 2087 2088 wins server = 172.16.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560347"></a><i class="parameter"><tt> 2089 2090 ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560363"></a><i class="parameter"><tt> 2091 2092 ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560379"></a><i class="parameter"><tt> 2093 2094 ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560394"></a><i class="parameter"><tt> 2095 2096 ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560410"></a><i class="parameter"><tt> 2097 2098 ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2560425"></a><i class="parameter"><tt> 2099 2100 ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560442"></a><i class="parameter"><tt> 2101 2102 idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560458"></a><i class="parameter"><tt> 2103 2104 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560473"></a><i class="parameter"><tt> 2105 2106 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560488"></a><i class="parameter"><tt> 2107 2108 printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560504"></a><i class="parameter"><tt> 2109 2110 printer admin = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-bldg2-smbconf"></a><p class="title"><b>Example�6.9.�LDAP Based smb.conf File, Server: BLDG2</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2560547"></a><i class="parameter"><tt> 2111 2112 unix charset = LOCALE</tt></i></td></tr><tr><td><a class="indexterm" name="id2560563"></a><i class="parameter"><tt> 2113 2114 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560578"></a><i class="parameter"><tt> 2115 2116 netbios name = BLDG2</tt></i></td></tr><tr><td><a class="indexterm" name="id2560594"></a><i class="parameter"><tt> 2117 2118 passdb backend = ldapsam:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560611"></a><i class="parameter"><tt> 2119 2120 enable privileges = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560626"></a><i class="parameter"><tt> 2121 2122 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2560642"></a><i class="parameter"><tt> 2123 2124 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560657"></a><i class="parameter"><tt> 2125 2126 syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2560672"></a><i class="parameter"><tt> 2127 2128 log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2560687"></a><i class="parameter"><tt> 2129 2130 max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2560703"></a><i class="parameter"><tt> 2131 2132 smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2560718"></a><i class="parameter"><tt> 2133 2134 name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2560735"></a><i class="parameter"><tt> 2135 2136 printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2560750"></a><i class="parameter"><tt> 2137 2138 show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560766"></a><i class="parameter"><tt> 2139 2140 logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2560782"></a><i class="parameter"><tt> 2141 2142 logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2560797"></a><i class="parameter"><tt> 2143 2144 logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2560812"></a><i class="parameter"><tt> 2145 2146 domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2560828"></a><i class="parameter"><tt> 2147 2148 domain master = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2560844"></a><i class="parameter"><tt> 2149 2150 wins server = 172.16.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2560859"></a><i class="parameter"><tt> 2151 2152 ldap suffix = dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560874"></a><i class="parameter"><tt> 2153 2154 ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560891"></a><i class="parameter"><tt> 2155 2156 ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2560906"></a><i class="parameter"><tt> 2157 2158 ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2560921"></a><i class="parameter"><tt> 2159 2160 ldap idmap suffix = ou=Idmap</tt></i></td></tr><tr><td><a class="indexterm" name="id2560937"></a><i class="parameter"><tt> 2161 2162 ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560954"></a><i class="parameter"><tt> 2163 2164 idmap backend = ldap:ldap://massive.abmas.biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2560969"></a><i class="parameter"><tt> 2165 2166 idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2560984"></a><i class="parameter"><tt> 2167 2168 idmap gid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2561000"></a><i class="parameter"><tt> 2169 2170 printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2561015"></a><i class="parameter"><tt> 2171 2172 printer admin = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-shareconfa"></a><p class="title"><b>Example�6.10.�LDAP Based smb.conf File, Shares Section Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561054"></a><i class="parameter"><tt> 2173 2174 comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561069"></a><i class="parameter"><tt> 2175 2176 path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2561084"></a><i class="parameter"><tt> 2177 2178 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[service]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561108"></a><i class="parameter"><tt> 2179 2180 comment = Financial Services Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561124"></a><i class="parameter"><tt> 2181 2182 path = /data/service</tt></i></td></tr><tr><td><a class="indexterm" name="id2561139"></a><i class="parameter"><tt> 2183 2184 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[pidata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561164"></a><i class="parameter"><tt> 2185 2186 comment = Property Insurance Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561180"></a><i class="parameter"><tt> 2187 2188 path = /data/pidata</tt></i></td></tr><tr><td><a class="indexterm" name="id2561195"></a><i class="parameter"><tt> 2189 2190 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561219"></a><i class="parameter"><tt> 2191 2192 comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2561234"></a><i class="parameter"><tt> 2193 2194 valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2561250"></a><i class="parameter"><tt> 2195 2196 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561265"></a><i class="parameter"><tt> 2197 2198 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561289"></a><i class="parameter"><tt> 2199 2200 comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2561305"></a><i class="parameter"><tt> 2201 2202 path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2561320"></a><i class="parameter"><tt> 2203 2204 guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561336"></a><i class="parameter"><tt> 2205 2206 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561351"></a><i class="parameter"><tt> 2207 2208 browseable = No</tt></i></td></tr></table></div><div class="example"><a name="ch6-shareconfb"></a><p class="title"><b>Example�6.11.�LDAP Based smb.conf File, Shares Section Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[apps]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561390"></a><i class="parameter"><tt> 2209 2210 comment = Application Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2561405"></a><i class="parameter"><tt> 2211 2212 path = /apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2561420"></a><i class="parameter"><tt> 2213 2214 admin users = bjordan</tt></i></td></tr><tr><td><a class="indexterm" name="id2561435"></a><i class="parameter"><tt> 2215 2216 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561460"></a><i class="parameter"><tt> 2217 2218 comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2561476"></a><i class="parameter"><tt> 2219 2220 path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2561491"></a><i class="parameter"><tt> 2221 2222 guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561506"></a><i class="parameter"><tt> 2223 2224 locking = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561530"></a><i class="parameter"><tt> 2225 2226 comment = Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2561546"></a><i class="parameter"><tt> 2227 2228 path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><a class="indexterm" name="id2561561"></a><i class="parameter"><tt> 2229 2230 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561576"></a><i class="parameter"><tt> 2231 2232 profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profdata]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561601"></a><i class="parameter"><tt> 2233 2234 comment = Profile Data Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2561616"></a><i class="parameter"><tt> 2235 2236 path = /var/lib/samba/profdata</tt></i></td></tr><tr><td><a class="indexterm" name="id2561632"></a><i class="parameter"><tt> 2237 2238 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2561647"></a><i class="parameter"><tt> 2239 2240 profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2561671"></a><i class="parameter"><tt> 2241 2242 comment = Printer Drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2561687"></a><i class="parameter"><tt> 2243 2244 path = /var/lib/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2561702"></a><i class="parameter"><tt> 2245 2246 browseable = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561718"></a><i class="parameter"><tt> 2247 2248 guest ok = no</tt></i></td></tr><tr><td><a class="indexterm" name="id2561733"></a><i class="parameter"><tt> 2249 2250 read only = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2561748"></a><i class="parameter"><tt> 2251 2252 write list = root, chrisr</tt></i></td></tr></table></div><div class="example"><a name="ch6-ldifadd"></a><p class="title"><b>Example�6.12.�LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><pre class="screen"> 2253dn: ou=Idmap,dc=abmas,dc=biz 2254objectClass: organizationalUnit 2255ou: idmap 2256structuralObjectClass: organizationalUnit 2257</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2561786"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p> 2258 My father would say, “<span class="quote"><span class="emphasis"><em>Dinner is not over until the dishes have been done.</em></span></span>” 2259 The makings of a great network environment take a lot of effort and attention to detail. 2260 So far you have completed most of the complex (and to many administrators, the interesting 2261 part of server configuration) steps, but remember to tie it all together. Here are 2262 a few more steps that must be completed so that your network runs like a well-rehearsed 2263 orchestra. 2264 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2561807"></a>Configuring Directory Share Point Roots</h3></div></div></div><p> 2265 In your <tt class="filename">smb.conf</tt> file, you have specified Windows shares. Each has a 2266 <i class="parameter"><tt>path</tt></i> 2267 parameter. Even though it is obvious to all, one of the common Samba networking problems is 2268 caused by forgetting to verify that every such share root directory actually exists and that it 2269 has the necessary permissions and ownership. 2270 </p><p> 2271 Here is an example, but remember to create the directory needed for every share: 2272</p><pre class="screen"> 2273<tt class="prompt">root# </tt> mkdir -p /data/{accounts,finsvcs,piops} 2274<tt class="prompt">root# </tt> mkdir -p /apps 2275<tt class="prompt">root# </tt> chown -R root.root /data 2276<tt class="prompt">root# </tt> chown -R root.root /apps 2277<tt class="prompt">root# </tt> chown -R bobj.Accounts /data/accounts 2278<tt class="prompt">root# </tt> chown -R bobj.Finances /data/finsvcs 2279<tt class="prompt">root# </tt> chown -R bobj.PIOps /data/pidata 2280<tt class="prompt">root# </tt> chmod -R ug+rwxs,o-rwx /data 2281<tt class="prompt">root# </tt> chmod -R ug+rwx,o+rx-w /apps 2282</pre><p> 2283 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2561902"></a>Configuring Profile Directories</h3></div></div></div><p> 2284 You made a conscious decision to do everything it would take to improve network client 2285 performance. One of your decisions was to implement folder redirection. This means that Windows 2286 user desktop profiles are now made up of two components a dynamically loaded part and a set of file 2287 network folders. 2288 </p><p> 2289 For this arrangement to work, every user needs a directory structure for the network folder 2290 portion of their profile as shown here: 2291</p><pre class="screen"> 2292<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/profdata 2293<tt class="prompt">root# </tt> chown root.root /var/lib/samba/profdata 2294<tt class="prompt">root# </tt> chmod 755 /var/lib/samba/profdata 2295 2296# Per user structure 2297<tt class="prompt">root# </tt> cd /var/lib/samba/profdata 2298<tt class="prompt">root# </tt> mkdir -p <span class="emphasis"><em>username</em></span> 2299<tt class="prompt">root# </tt> for i in InternetFiles Cookies History AppData \ 2300 LocalSettings MyPictures MyDocuments Recent 2301<tt class="prompt">root# </tt> do 2302<tt class="prompt">root# </tt> mkdir <span class="emphasis"><em>username</em></span>/$i 2303<tt class="prompt">root# </tt> done 2304<tt class="prompt">root# </tt> chown -R <span class="emphasis"><em>username</em></span>.Domain\ Users <span class="emphasis"><em>username</em></span> 2305<tt class="prompt">root# </tt> chmod -R 750 <span class="emphasis"><em>username</em></span> 2306</pre><p> 2307 </p><p><a class="indexterm" name="id2562020"></a><a class="indexterm" name="id2562028"></a> 2308 You have three options insofar as the dynamically loaded portion of the roaming profile 2309 is concerned: 2310 </p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p> 2311 Mandatory profiles cannot be overwritten by a user. The change from 2312 a user profile to a mandatory profile is effected by renaming the 2313 <tt class="filename">NTUSER.DAT</tt> to 2314 <tt class="filename">NTUSER.MAN</tt>, i.e., just by changing the filename 2315 extension. 2316 </p><p><a class="indexterm" name="id2562079"></a><a class="indexterm" name="id2562087"></a> 2317 The location of the profile that a user can obtain is set in the users' account in the LDAP passdb backend. 2318 You can manage this using the Idealx smbldap-tools or using the 2319 <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager.</a> 2320 </p><p> 2321 It may not be obvious that you must ensure that the root directory for the user's profile exists 2322 and has the needed permissions. Use the following commands to create this directory: 2323</p><pre class="screen"> 2324<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> 2325<tt class="prompt">root# </tt> chown <span class="emphasis"><em>username</em></span>.Domain\ Users 2326 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> 2327<tt class="prompt">root# </tt> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span> 2328</pre><p> 2329 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2562154"></a>Preparation of Logon Scripts</h3></div></div></div><p><a class="indexterm" name="id2562161"></a> 2330 The use of a logon script with Windows XP Professional is an option that every site should consider. 2331 Unless you have locked down the desktop so the user cannot change anything, there is risk that 2332 a vital network drive setting may be broken or that printer connections may be lost. Logon scripts 2333 can help to restore persistent network folder (drive) and printer connections in a predictable 2334 manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook) 2335 user attaches to another company's network that forces environment changes that are alien to your 2336 network. 2337 </p><p> 2338 If you decide to use network logon scripts, by reference to the <tt class="filename">smb.conf</tt> files for the Domain 2339 Controllers, you see that the path to the share point for the 2340 <tt class="constant">NETLOGON</tt> 2341 share defined is <tt class="filename">/var/lib/samba/netlogon</tt>. The path defined for the logon 2342 script inside that share is <tt class="filename">scripts\logon.bat</tt>. This means that as a Windows 2343 NT/200x/XP client logs onto the network, it tries to obtain the file 2344 <tt class="filename">logon.bat</tt> 2345 from the fully qualified path <tt class="filename">/var/lib/samba/netlogon/scripts</tt>. This fully 2346 qualified path should, therefore, exist whether you install the 2347 <tt class="filename">logon.bat</tt>. 2348 </p><p> 2349 You can, of course, create the fully qualified path by executing: 2350</p><pre class="screen"> 2351<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/netlogon/scripts 2352</pre><p> 2353 </p><p> 2354 You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG</em></span>, Chapter 21, 2355 Section 21.4. A quick Web search will bring up a host of options. One of the most popular logon 2356 facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart.</a> 2357 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2562266"></a>Assigning Domain Privileges</h3></div></div></div><p> 2358 The ability to perform tasks such as joining Windows clients to the domain can be assigned to 2359 normal user accounts. By default, only the domain administrator account (<tt class="constant">root</tt> on UNIX 2360 systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant 2361 this privilege in a very limited fashion to particular accounts. 2362 </p><p> 2363 By default, even Samba 3.0.11 does not grant any rights even to the <tt class="constant">Domain Admins</tt> 2364 group. Here we will grant this group all privileges. 2365 </p><p> 2366 Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who 2367 are granted rights can be restricted to particular machines. It is left to the network administrator 2368 to determine which rights should be provided and to whom. 2369 </p><div class="procedure"><ol type="1"><li><p> 2370 Log onto the primary domain controller (PDC) as the <tt class="constant">root</tt> account. 2371 </p></li><li><p> 2372 Execute the following command to grant the <tt class="constant">Domain Admins</tt> group all 2373 rights and privileges: 2374</p><pre class="screen"> 2375<tt class="prompt">root# </tt> net -S MASSIVE -U root%not24get rpc rights grant \ 2376 "MEGANET2\Domain Admins" SeMachineAccountPrivilege \ 2377 SePrintOperatorPrivilege SeAddUsersPrivilege \ 2378 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege 2379Successfully granted rights. 2380</pre><p> 2381 Repeat this step on each domain controller in each case substituting the name of the server 2382 (e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE. 2383 </p></li><li><p> 2384 In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations 2385 to the domain. Execute the following only on the PDC. It is not necessary to do this on 2386 BDCs or on DMS machines because machine accounts are only ever added by the PDC: 2387</p><pre class="screen"> 2388<tt class="prompt">root# </tt> net -S MASSIVE -U root%not24get rpc rights grant \ 2389 "MEGANET2\bobj" SeMachineAccountPrivilege 2390Successfully granted rights. 2391</pre><p> 2392 </p></li><li><p> 2393 Verify that the assignment of privileges have been correctly applied by executing: 2394</p><pre class="screen"> 2395net rpc rights list accounts -Uroot%not24get 2396MEGANET2\bobj 2397SeMachineAccountPrivilege 2398 2399S-0-0 2400No privileges assigned 2401 2402BUILTIN\Print Operators 2403No privileges assigned 2404 2405BUILTIN\Account Operators 2406No privileges assigned 2407 2408BUILTIN\Backup Operators 2409No privileges assigned 2410 2411BUILTIN\Server Operators 2412No privileges assigned 2413 2414BUILTIN\Administrators 2415No privileges assigned 2416 2417Everyone 2418No privileges assigned 2419 2420MEGANET2\Domain Admins 2421SeMachineAccountPrivilege 2422SePrintOperatorPrivilege 2423SeAddUsersPrivilege 2424SeRemoteShutdownPrivilege 2425SeDiskOperatorPrivilege 2426</pre><p> 2427 </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2562396"></a>Windows Client Configuration</h2></div></div></div><p><a class="indexterm" name="id2562403"></a> 2428 In the next few sections, you can configure a new Windows XP Professional disk image on a staging 2429 machine. You will configure all software, printer settings, profile and policy handling, and desktop 2430 default profile settings on this system. When it is complete, you copy the contents of the 2431 <tt class="filename">C:\Documents and Settings\Default User</tt> directory to a directory with the same 2432 name in the <tt class="constant">NETLOGON</tt> share on the Domain Controllers. 2433 </p><p> 2434 Much can be learned from the Microsoft Support site regarding how best to set up shared profiles. 2435 One knowledge-base article in particular stands out. See: 2436 <a href="http://support.microsoft.com/default.aspx&scid=kb;en-us;168475" target="_top">How to Create a 2437 Base Profile for All Users.</a> 2438 2439 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p><a class="indexterm" name="id2562454"></a> 2440 Log onto the Windows XP Professional workstation as the local <tt class="constant">Administrator</tt>. 2441 It is necessary to expose folders that are generally hidden to provide 2442 access to the <tt class="constant">Default User</tt> 2443 folder. 2444 </p><div class="procedure"><a name="id2562474"></a><p class="title"><b>Procedure�6.13.�Expose Hidden Folders</b></p><ol type="1"><li><p> 2445 Launch the Windows Explorer by clicking 2446 <span class="guimenu">Start</span>-><span class="guimenuitem">My Computer</span>-><span class="guimenuitem">Tools</span>-><span class="guimenuitem">Folder Options</span>-><span class="guimenuitem">View Tab</span>. 2447 Select <span class="guilabel">Show hidden files and folders</span>, 2448 and click <span class="guibutton">OK</span>. 2449 Exit Windows Explorer. 2450 </p></li><li><p><a class="indexterm" name="id2562539"></a> 2451 Launch the Registry Editor. Click 2452 <span class="guimenu">Start</span>-><span class="guimenuitem">Run</span>. Key in <span><b class="command">regedt32</b></span>, and click 2453 <span class="guibutton">OK</span>. 2454 </p></li></ol></div><p> 2455 </p><div class="procedure"><a name="ch6-rdrfldr"></a><p class="title"><b>Procedure�6.14.�Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p><a class="indexterm" name="id2562598"></a><a class="indexterm" name="id2562606"></a> 2456 Give focus to <tt class="constant">HKEY_LOCAL_MACHINE</tt> hive entry in the left panel. 2457 Click <span class="guimenu">File</span>-><span class="guimenuitem">Load Hive...</span>-><span class="guimenuitem">[Panel] Documents and Settings</span>-><span class="guimenuitem">[Panel] Default User</span>-><span class="guimenuitem">NTUSER</span>-><span class="guimenuitem">Open</span>. In the dialog box that opens, enter the 2458 key name <tt class="constant">Default</tt> 2459 and click <span class="guibutton">OK</span>. 2460 </p></li><li><p> 2461 Browse inside the newly loaded Default folder to: 2462</p><pre class="screen"> 2463HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ 2464 CurrentVersion\Explorer\User Shell Folders\ 2465</pre><p> 2466 The contents of the right panel reveals the contents as 2467 shown in <a href="happy.html#XP-screen001" title="Figure�6.3.�Windows XP Professional User Shared Folders">???</a>. 2468 </p></li><li><p><a class="indexterm" name="id2562700"></a><a class="indexterm" name="id2562708"></a> 2469 You edit hive keys. Acceptable values to replace the 2470 <tt class="constant">%USERPROFILE%</tt> variable includes: 2471 2472 </p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as: <tt class="constant">U:</tt></p></li><li><p>A direct network path such as: 2473 <tt class="constant">\\MASSIVE\profdata</tt></p></li><li><p>A network redirection (UNC name) that contains a macro such as: </p><p><tt class="constant">\\%LOGONSERVER%\profdata\</tt></p></li></ul></div><p> 2474 </p></li><li><p><a class="indexterm" name="id2562756"></a> 2475 Set the registry keys as shown in <a href="happy.html#proffold" title="Table�6.4.�Default Profile Redirections">???</a>. Your implementation makes the assumption 2476 that users have statically located machines. Notebook computers (mobile users) need to be 2477 accommodated using local profiles. This is not an uncommon assumption. 2478 </p></li><li><p> 2479 Click back to the root of the loaded hive <tt class="constant">Default</tt>. 2480 Click <span class="guimenu">File</span>-><span class="guimenuitem">Unload Hive...</span>-><span class="guimenuitem">Yes</span>. 2481 </p></li><li><p><a class="indexterm" name="id2562811"></a> 2482 Click <span class="guimenu">File</span>-><span class="guimenuitem">Exit</span>. This exits the 2483 Registry Editor. 2484 </p></li><li><p> 2485 Now follow the procedure given in <a href="happy.html#ch6-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you 2486 have redirected is in the exclusion list. 2487 </p></li><li><p> 2488 You are now ready to copy<sup>[<a name="id2562858" href="#ftn.id2562858">11</a>]</sup> 2489 the Default User profile to the Samba Domain Controllers. Launch Microsoft 2490 Windows Explorer, and use it to copy the full contents of the 2491 directory <tt class="filename">Default User</tt> 2492 that is in the <tt class="filename">C:\Documents and Settings</tt> to the root directory of the 2493 <tt class="constant">NETLOGON</tt> share. If the <tt class="constant">NETLOGON</tt> share has the defined 2494 UNIX path of <tt class="filename">/var/lib/samba/netlogon</tt>, when the copy is complete there must be 2495 a directory in there called <tt class="filename">Default User</tt>. 2496 </p></li></ol></div><div class="procedure"><a name="id2562918"></a><p class="title"><b>Procedure�6.15.�Reset Folder Display to Original Behavior</b></p><ul><li><p> 2497 To launch the Windows Explorer, click 2498 <span class="guimenu">Start</span>-><span class="guimenuitem">My Computer</span>-><span class="guimenuitem">Tools</span>-><span class="guimenuitem">Folder Options</span>-><span class="guimenuitem">View Tab</span>. 2499 Deselect <span class="guilabel">Show hidden files and folders</span>, 2500 and click <span class="guibutton">OK</span>. 2501 Exit Windows Explorer. 2502 </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure�6.3.�Windows XP Professional User Shared Folders</b></p><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div><div class="table"><a name="proffold"></a><p class="title"><b>Table�6.4.�Default Profile Redirections</b></p><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563152"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p><a class="indexterm" name="id2563159"></a> 2503 Microsoft Outlook can store a Personal Storage file, generally known as a PST file. 2504 It is the nature of email storage that this file grows, at times quite rapidly. 2505 So that users' email is available to them at every workstation they may log onto, 2506 it is common practice in well-controlled sites to redirect the PST folder to the 2507 users' home directory. Follow these steps for each user who wishes to do this. 2508 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 2509 It is presumed that Outlook Express has been configured for use. 2510 </p></div><p> 2511 Launch Outlook Express 6. Click 2512 <span class="guimenu">Tools</span>-><span class="guimenuitem">Options</span>-><span class="guimenuitem">Maintenance</span>-><span class="guimenuitem">Store Folder</span>-><span class="guimenuitem">Change</span>. 2513 </p><p> 2514 Follow the on-screen prompts to relocate the PST file to the desired location. 2515 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563229"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p> 2516 To configure the Windows XP Professional client to auto-delete roaming profiles on logout: 2517 </p><p><a class="indexterm" name="id2563241"></a> 2518 Click 2519 <span class="guimenu">Start</span>-><span class="guimenuitem">Run</span>. In the dialog box, enter: <span><b class="command">MMC</b></span> 2520 and click <span class="guibutton">OK</span>. 2521 </p><p> 2522 Follow these steps to set the default behavior of the staging machine so that all roaming 2523 profiles are deleted as network users log out of the system. Click 2524 <span class="guimenu">File</span>-><span class="guimenuitem">Add/Remove Snap-in</span>-><span class="guimenuitem">Add</span>-><span class="guimenuitem">Group Policy</span>-><span class="guimenuitem">Add</span>-><span class="guimenuitem">Finish</span>-><span class="guimenuitem">Close</span>-><span class="guimenuitem">OK</span>. 2525 </p><p><a class="indexterm" name="id2563338"></a> 2526 The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span> 2527 utility that enables you to set the policies needed. In the left panel, click 2528 <span class="guimenuitem">Local Computer Policy</span>-><span class="guimenuitem">Administrative Templates</span>-><span class="guimenuitem">System</span>-><span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each 2529 item as shown: 2530 </p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p> 2531 Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies 2532 made of this system to deploy the new standard desktop system. 2533 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563412"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p><a class="indexterm" name="id2563419"></a> 2534 Users want to be able to use network printers. You have a vested interest in making 2535 it easy for them to print. You have chosen to install the printer drivers onto the Samba 2536 servers and to enable point-and-click (drag-and-drop) printing. This process results in 2537 Samba being able to automatically provide the Windows client with the driver necessary to 2538 print to the printer chosen. The following procedure must be followed for every network 2539 printer: 2540 </p><div class="procedure"><ol type="1"><li><p> 2541 Join your Windows XP Professional workstation (the staging machine) to the 2542 <tt class="constant">MEGANET2</tt> Domain. If you are not sure of the procedure, 2543 follow the guidance given in <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. 2544 </p></li><li><p> 2545 After the machine has re-booted, log onto the workstation as the domain 2546 <tt class="constant">root</tt> (this is the Administrator account for the 2547 operating system that is the host platform for this implementation of Samba. 2548 </p></li><li><p> 2549 Launch MS Windows Explorer. Navigate in the left panel. Click 2550 <span class="guimenu">My Network Places</span>-><span class="guimenuitem">Entire Network</span>-><span class="guimenuitem">Microsoft Windows Network</span>-><span class="guimenuitem">Meganet2</span>-><span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span> 2551 <span class="guimenu">Printers and Faxes</span>. 2552 </p></li><li><p> 2553 Identify a printer that is shown in the right panel. Let us assume the printer is called 2554 <tt class="constant">ps01-color</tt>. Right-click on the <span class="guimenu">ps01-color</span> icon 2555 and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates 2556 that “<span class="quote"><span class="emphasis"><em>The printer driver is not installed on this computer. Some printer properties 2557 will not be accessible unless you install the printer driver. Do you want to install the 2558 driver now?</em></span></span>” It is important at this point you answer <span class="guimenu">No</span>. 2559 </p></li><li><p> 2560 The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server 2561 <tt class="constant">MASSIVE</tt> is displayed. Click the <span class="guimenu">Advanced</span> tab. 2562 Note that the box labelled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span> 2563 button that is next to the <span class="guimenu">Driver</span> box. This launches the quote“<span class="quote"><span class="emphasis"><em>Add Printer Wizard</em></span></span>”. 2564 </p></li><li><p><a class="indexterm" name="id2563629"></a><a class="indexterm" name="id2563640"></a> 2565 The “<span class="quote"><span class="emphasis"><em>Add Printer Driver Wizard on <tt class="constant">MASSIVE</tt></em></span></span>” panel 2566 is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the 2567 Printer Manufacturer. In your case, you are adding a driver for a printer manufactured by 2568 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click 2569 <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A 2570 progress bar appears and instructs you as each file is being uploaded and that it is being 2571 directed at the network server <tt class="constant">\\massive\ps01-color</tt>. 2572 </p></li><li><p> 2573 <a class="indexterm" name="id2563692"></a> 2574 <a class="indexterm" name="id2563701"></a> 2575 <a class="indexterm" name="id2563710"></a> 2576 <a class="indexterm" name="id2563720"></a> 2577 <a class="indexterm" name="id2563729"></a> 2578 <a class="indexterm" name="id2563738"></a> 2579 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes, 2580 you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel. 2581 You can set the Location (under the <span class="guimenu">General</span> tab), and Security settings (under 2582 the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to 2583 load additional printer drivers, there is also a check-box in this tab called “<span class="quote"><span class="emphasis"><em>List in the 2584 directory</em></span></span>”. When this box is checked the printer will be published in Active Directory 2585 (Applicable to Active Directory use only.) 2586 </p></li><li><p> 2587 <a class="indexterm" name="id2563794"></a> 2588 Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server. 2589 You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor. 2590 Right-click on the printer, click <span class="guimenu">Properties</span>-><span class="guimenuitem">Device Settings</span>. Now change the settings to suit 2591 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if 2592 you need to reverse them changes back to their original settings. 2593 </p></li><li><p> 2594 This is necessary so that the printer settings are initialized in the Samba printers 2595 database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed 2596 just to initialize the Samba printers database entry for this printer. If you need to revert a setting, 2597 Click <span class="guimenu">Apply</span> again. 2598 </p></li><li><p> 2599 <a class="indexterm" name="id2563867"></a> 2600 Verify that all printer settings are at the desired configuration. When you are satisfied that they are, 2601 click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button. 2602 A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span> 2603 in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on 2604 massive Properties</span> panel. 2605 </p></li><li><p> 2606 You must repeat this process for all network printers (i.e., for every printer, on each server). 2607 When you have finished uploading drivers to all printers, close all applications. The next task 2608 is to install software your users require to do their work. 2609 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563923"></a>Software Installation</h3></div></div></div><p> 2610 Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is 2611 a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer. 2612 Notebooks require special handling that is beyond the scope of this chapter. 2613 </p><p> 2614 For desktop systems, the installation of software onto administratively centralized application servers 2615 make a lot of sense. This means that you can manage software maintenance from a central 2616 perspective and that only minimal application stub-ware needs to be installed onto the desktop 2617 systems. You should proceed with software installation and default configuration as far as is humanly 2618 possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect 2619 of software operations and configuration. 2620 </p><p> 2621 When you believe that the overall configuration is complete, be sure to create a shared group profile 2622 and migrate that to the Samba server for later re-use when creating custom mandatory profiles, just in 2623 case a user may have specific needs you had not anticipated. 2624 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2563958"></a>Roll-out Image Creation</h3></div></div></div><p> 2625 The final steps before preparing the distribution Norton Ghost image file you might follow are: 2626 </p><div class="blockquote"><blockquote class="blockquote"><p> 2627 Un-join the domain Each workstation requires a unique name and must be independently 2628 joined into Domain Membership. 2629 </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p> 2630 Defragment the hard disk While not obvious to the uninitiated, defragmentation results 2631 in better performance and often significantly reduces the size of the compressed disk image. That 2632 also means it will take less time to deploy the image onto 500 workstations. 2633 </p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2563992"></a>Key Points Learned</h2></div></div></div><p> 2634 This chapter has introduced many new concepts. Is it a sad fact that the example presented deliberately 2635 avoided any consideration of security. Security does not just happen; you must design it into your total 2636 network. Security begins with a systems design and implementation that anticipates hostile behavior from 2637 users both inside and outside the organization. Hostile and malicious intruders do not respect barriers; 2638 they accept them as challenges. For that reason, if not simply from a desire to establish safe networking 2639 practices, you must not deploy the design presented in this book in an environment where there is risk 2640 of compromise. 2641 </p><p><a class="indexterm" name="id2564013"></a><a class="indexterm" name="id2564024"></a> 2642 As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs) and it must be 2643 configured to use secure protocols for all communications over the network. Of course, secure networking 2644 does not result just from systems design and implementation but involves constant user education 2645 training, and above all disciplined attention to detail and constant searching for signs of unfriendly 2646 or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources. 2647 Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top"><span class="emphasis"><em>LDAP System 2648 Administration</em></span></a> is a good place to start reading about OpenLDAP as well as security considerations. 2649 </p><p> 2650 The substance of this chapter that has been deserving of particular attention includes: 2651 </p><div class="itemizedlist"><ul type="disc"><li><p> 2652 Implementation of an OpenLDAP-based passwd backend necessary to support distributed 2653 Domain Control. 2654 </p></li><li><p> 2655 Implementation of Samba Primary and Secondary Domain Controllers with a common LDAP backend 2656 for user and group accounts that is shared with the UNIX system through the PADL nns_ldap and 2657 pam_ldap toolsets. 2658 </p></li><li><p> 2659 Use of the Idealx smbldap-tools scripts for UNIX (Posix) account management as well as 2660 to manage Samba Windows user and group accounts. 2661 </p></li><li><p> 2662 The basics of implementation of Group Policy controls for Windows network clients. 2663 </p></li><li><p> 2664 Control over roaming profiles, with particular focus on folder redirection to network drives. 2665 </p></li><li><p> 2666 Use of the CUPS printing system together with Samba-based printer driver auto-download. 2667 </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2564104"></a>Questions and Answers</h2></div></div></div><p> 2668 Well, here we are at the end of this chapter and we have only ten questions to help you to 2669 remember so much. There are bound to be some sticky issues here. 2670 </p><div class="qandaset"><dl><dt> <a href="happy.html#id2564120"> 2671 Why did you not cover secure practices? Isn't it rather irresponsible to instruct 2672 network administrators to implement insecure solutions? 2673 </a></dt><dt> <a href="happy.html#id2564164"> 2674 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do 2675 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant 2676 to the Linux I might be using? 2677 </a></dt><dt> <a href="happy.html#id2564217"> 2678 You did not use SWAT to configure Samba. Is there something wrong with it? 2679 </a></dt><dt> <a href="happy.html#id2564256"> 2680 You have exposed a well-used password not24get. Is that 2681 not irresponsible? 2682 </a></dt><dt> <a href="happy.html#id2564281"> 2683 The Idealx smbldap-tools create many domain group accounts that are not used. Is that 2684 a good thing? 2685 </a></dt><dt> <a href="happy.html#id2564304"> 2686 Can I use LDAP just for Samba accounts and not for UNIX system accounts? 2687 </a></dt><dt> <a href="happy.html#id2564329"> 2688 Why are the Windows Domain RID portions not the same as the UNIX UID? 2689 </a></dt><dt> <a href="happy.html#id2564366"> 2690 Printer configuration examples all show printing to the HP port 9100. Does this 2691 mean that I must have HP printers for these solutions to work? 2692 </a></dt><dt> <a href="happy.html#id2564395"> 2693 Is folder redirection dangerous? I've heard that you can lose your data that way. 2694 </a></dt><dt> <a href="happy.html#id2564422"> 2695 Is it really necessary to set a local Group Policy to exclude the redirected 2696 folders from the roaming profile? 2697 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2564120"></a><a name="id2564122"></a><b></b></td><td align="left" valign="top"><p> 2698 Why did you not cover secure practices? Isn't it rather irresponsible to instruct 2699 network administrators to implement insecure solutions? 2700 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2701 Let's get this right. This is a book about Samba, not about OpenLDAP and secure 2702 communication protocols for subjects other than Samba. Earlier on, you note 2703 that the Dynamic DNS and DHCP solutions also used no protective secure communications 2704 protocols. The reason for this is simple: There are so many ways of implementing 2705 secure protocols that this book would have been even larger and more complex. 2706 </p><p> 2707 The solutions presented here all work (at least they did for me). Network administrators 2708 have the interest and the need to be better trained and instructed in secure networking 2709 practices and ought to implement safe systems. I made the decision, right or wrong, 2710 to keep this material as simple as possible. The intent of this book is to demonstrate 2711 a working solution and not to discuss too many peripheral issues. 2712 </p><p> 2713 This book makes little mention of backup techniques. Does that mean that I am recommending 2714 that you should implement a network without provision for data recovery and for disaster 2715 management? Back to our focus: The deployment of Samba has been clearly demonstrated. 2716 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564164"></a><a name="id2564166"></a><b></b></td><td align="left" valign="top"><p> 2717 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do 2718 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant 2719 to the Linux I might be using? 2720 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2721 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications 2722 for a standard Linux distribution. The differences are marginal. Surely you know 2723 your Linux platform and you do have access to administration manuals for it. This 2724 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on 2725 the Samba part of the book; all the other bits are peripheral (but important) to 2726 creation of a total network solution. 2727 </p><p> 2728 What I find interesting is the attention reviewers give to Linux installation and to 2729 the look and feel of the desktop, but does that make for a great server? In this book, 2730 I have paid particular attention to the details of creating a whole solution framework. 2731 I have not tightened every nut and bolt, but I have touched on all the issues you 2732 need to be familiar with. Over the years many people have approached me wanting to 2733 know the details of exactly how to implement a DHCP and Dynamic DNS server with Samba 2734 and WINS. In this chapter, it is plain to see what needs to be configured to provide 2735 transparent interoperability. Likewise for CUPS and Samba interoperation. These are 2736 key stumbling areas for many people. 2737 </p><p> 2738 At every critical junction, I have provided comparative guidance for both SUSE and 2739 Red Hat Linux. Both manufacturers have done a great job in furthering the cause 2740 of open source software. I favor neither and respect both. I like particular 2741 features of both products (companies also). No bias in presentation is intended. 2742 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground. 2743 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564217"></a><a name="id2564219"></a><b></b></td><td align="left" valign="top"><p> 2744 You did not use SWAT to configure Samba. Is there something wrong with it? 2745 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2746 That is a good question. As it is, the <tt class="filename">smb.conf</tt> file configurations are presented 2747 in as direct a format as possible. Adding SWAT into the equation would have complicated 2748 matters. I sought simplicity of implementation. The fact is that I did use SWAT to 2749 create the files in the first place. 2750 </p><p> 2751 There are people in the Linux and open source community who feel that SWAT is dangerous 2752 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I 2753 hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG</em></span>. 2754 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564256"></a><a name="id2564259"></a><b></b></td><td align="left" valign="top"><p> 2755 You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that 2756 not irresponsible? 2757 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2758 Well, I had to use a password of some sort. At least this one has been consistently 2759 used throughout. I guess you can figure out that in a real deployment it would make 2760 sense to use a more secure and original password. 2761 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564281"></a><a name="id2564284"></a><b></b></td><td align="left" valign="top"><p> 2762 The Idealx smbldap-tools create many domain group accounts that are not used. Is that 2763 a good thing? 2764 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2765 I took this up with Idealx and found them most willing to change that in the next version. 2766 Let's give Idealx some credit for the contribution they have made. I appreciate their work 2767 and, besides, it does no harm to create accounts that are not now used as at some time 2768 Samba may well use them. 2769 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564304"></a><a name="id2564307"></a><b></b></td><td align="left" valign="top"><p> 2770 Can I use LDAP just for Samba accounts and not for UNIX system accounts? 2771 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2772 Yes, you can do that for user accounts only. Samba requires there to be a Posix (UNIX) 2773 group account for every Windows Domain group account. But if you put your users into 2774 the system password account, how do you plan to keep all domain controller system 2775 password files in sync? I think that having everything in LDAP makes a lot of sense 2776 for the UNIX admin who is still learning the craft and is migrating from MS Windows. 2777 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564329"></a><a name="id2564332"></a><b></b></td><td align="left" valign="top"><p> 2778 Why are the Windows Domain RID portions not the same as the UNIX UID? 2779 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2780 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. 2781 This algorithm ought to ensure that there will be no clashes with well-known RIDs. 2782 Well-known RIDs have special significance to MS Windows clients. The automatic 2783 assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does 2784 permit you to override that to some extent. See the <tt class="filename">smb.conf</tt> man page entry 2785 for <i class="parameter"><tt>algorithmic rid base</tt></i>. 2786 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564366"></a><a name="id2564368"></a><b></b></td><td align="left" valign="top"><p> 2787 Printer configuration examples all show printing to the HP port 9100. Does this 2788 mean that I must have HP printers for these solutions to work? 2789 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2790 No. You can use any type of printer and must use the interfacing protocol supported 2791 by the printer. Many networks use LPR/LPD print servers to which are attached 2792 PCL printers, InkJet printers, plotters, and so on. At home I use a USB attached 2793 Inkjet printer. Use the appropriate device URI (Universal Resource Interface) 2794 argument to the <tt class="constant">lpadmin -v</tt> option that is right for your 2795 printer. 2796 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564395"></a><a name="id2564397"></a><b></b></td><td align="left" valign="top"><p> 2797 Is folder redirection dangerous? I've heard that you can lose your data that way. 2798 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2799 The only loss of data I know of that involved folder redirection was caused by 2800 manual misuse of the redirection tool. The administrator redirected a folder to 2801 a network drive and said he wanted to migrate (move) the data over. Then he 2802 changed his mind, so he moved the folder back to the roaming profile. This time, 2803 he declined to move the data because he thought it was still in the local profile 2804 folder. That was not the case, so by declining to move the data back, he wiped out 2805 the data. You cannot hold the tool responsible for that. Caveat emptor still applies. 2806 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564422"></a><a name="id2564424"></a><b></b></td><td align="left" valign="top"><p> 2807 Is it really necessary to set a local Group Policy to exclude the redirected 2808 folders from the roaming profile? 2809 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 2810 Yes. If you do not do this, the data will still be copied from the network folder 2811 (share) to the local cached copy of the profile. 2812 </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2562858" href="#id2562858">11</a>] </sup> 2813 There is an alternate method by which a Default User profile can be added to the 2814 <tt class="constant">NETLOGON</tt> share. This facility in the Windows System tool 2815 permits profiles to be exported. The export target may be a particular user or 2816 group profile share point, or else into the <tt class="constant">NETLOGON</tt> share. 2817 In this case, the profile directory must be named 2818 <tt class="constant">Default User</tt>. 2819 </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�5.�The 500-User Office�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�7.�A Distributed 2000 User Network</td></tr></table></div></body></html> 2820