<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 4. Secure Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="small.html" title="Chapter 3. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 5. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 4. Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id2538580">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2538632">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2538897">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2538912">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id2539376">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2539418">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2540388">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2545191">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2545253">Questions and Answers</a></span></dt></dl></div><p>
Congratulations, your Samba networking skills are developing nicely. You started out with three simple networks in Chapter 2, and in Chapter 3 you designed and built a network that provides a high degree of flexibility, integrity, and dependability. Each was adequate for the basic needs it was designed to fulfill. In this chapter you address a more complex set of needs. The solution you explore is designed to introduce you to basic features that are specific to Samba-3.
</p><p>
A working and secure solution could also be implemented with Samba-2.2.x, but the exercises presented here make progressively more use of Samba-3 specific features, so caution is advised for anyone who tries to follow this guidance with Samba-2.2.x. To avoid confusion, this book is entirely about Samba-3. Let's get the exercises in this chapter under way.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2538580"></a>Introduction</h2></div></div></div><p>
You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work well done. It is one year since the last network upgrade, and you have been quite busy. Two months ago Mr. Meany approved the hiring of Christine Roberson, who has taken over general network management and will soon provide primary user support. You have demonstrated that you can delegate responsibility, and plan and execute to that plan. Above all, you have shown Mr. Meany that you are a responsible person. Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never expected. You are Mr. Bob Jordan, and you will take charge of business operations. Mr. Meany is retiring and has entrusted the business to your capable hands.
</p><p>
Mr. Meany may be retiring from this company, but not from work. He is taking the opportunity to develop Abmas Inc. into a larger and more substantial company. He says that it took him many years to wake up to the fact that there is no future in just running a business. He now realizes there is great personal reward and satisfaction in creating career opportunities for people in the local community. He wants to do more for others, as he is doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan. He has plans for growth that you will deal with in the chapters ahead.
</p><p>
Over the past year, the growth projections were exceeded. The network has grown to meet the needs of 130 users. Along with growth, the demand for improved services and better functionality has also developed. You are about to make an interim improvement and then hand over all help desk and network maintenance to Christine. Christine has professional certifications in Microsoft Windows as well as in Linux; she is a hard worker and quite likable. Christine does not want to manage the department (although she manages well). She gains job satisfaction when left to sort things out. Occasionally she wants to work with you on a challenging problem. When you told her about your move, she almost resigned, although she was reassured that a new manager would be hired to run Information Technology and she would be responsible only for operations.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2538632"></a>Assignment Tasks</h3></div></div></div><p>
You promised the staff Internet services including web browsing, electronic mail, virus protection, and a company Web site. Christine is keen to help turn the vision into reality. Let's see how close you can get to the promises made.
</p><p>
The network you are about to deliver will service 130 users today. Within 12 months, Abmas will acquire another company. Mr. Meany claims that within two years there will be well over 500 users on the network. You have bought into the big picture, so prepare for growth.
</p><p>
You have purchased a new server, will implement a new network infrastructure, and will reward all staff with a new computer. Notebook computers will not be replaced at this time.
</p><p>
You have decided not to recycle old network components. The only items that will be carried forward are notebook computers. You offered staff new notebooks, but not one person wanted the disruption for what was perceived as a marginal update. You have made the decision to give everyone a new desktop computer, even those who have a notebook computer.
</p><p>
You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional) and a 10 MBit/sec ethernet port. You have registered the domain <tt class="constant">abmas.us</tt>, and the Internet Service Provider (ISP) is supplying secondary DNS. The information furnished by your ISP is shown in <a href="secure.html#chap4netid" title="Table 4.1. Abmas.US ISP Information">Table 4.1</a>.
</p><p>
It is of paramount priority that under no circumstances will Samba offer service access from the Internet connection. You are paying your ISP to provide, as part of their value-added services, full firewall protection for your connection to the outside world. The only services allowed in from the Internet side are the following destination ports: <tt class="constant">http/https (ports 80 and 443), email (port 25), DNS (port 53)</tt>. All Internet traffic will be allowed out after network address translation (NAT). No internal IP addresses are permitted through the NAT filter, because complete privacy of internal network operations must be assured.
</p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 4.1. Abmas.US ISP Information</b></p><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 4.1. Abmas Network Topology, 130 Users</b></p><div class="mediaobject"><img src="images/chap4-net.png" width="324" alt="Abmas Network Topology 130 Users"></div></div><p>
Christine has recommended that desktop systems be installed from a single cloned master system that has a minimum of locally installed software and loads all software off a central application server. The benefit of having the central application server is that it allows single-point maintenance of all business applications, something Christine is keen to pursue. She further recommended installation of anti-virus software on workstations as well as on the Samba server. Christine is paranoid about potential virus infection and insists on a comprehensive approach to detective as well as corrective action to protect network operations.
</p><p>
A significant concern is the problem of managing company growth. Recently, a number of users had to share a PC while waiting for new machines to arrive. This presented some problems with desktop computers and with software installation into the new users' desktop profiles.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2538897"></a>Dissection and Discussion</h2></div></div></div><p>
Many of the conclusions you draw here are obvious. Some requirements are not very clear, or may simply be your means of drawing the most out of Samba-3. Much can be done more simply than is demonstrated here, but keep in mind that the network must scale to at least 500 users. This means that some functionality will be over-designed for the current 130-user environment.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2538912"></a>Technical Issues</h3></div></div></div><p>
In this exercise we are using a 24-bit subnet mask for the two local networks. This, of course, limits each network to 254 usable host addresses, or 253 once the server's own address is taken. The network address range chosen is one of the ranges assigned by RFC 1918 for private networks. When the number of users on the network begins to approach the limit of usable addresses, it would be a good idea to switch to a network address specified in RFC 1918 in the 172.16.0.0/12 range. This is done in the following chapters.
</p><p>
<a class="indexterm" name="id2538932"></a>
<a class="indexterm" name="id2538939"></a>
The high growth rates projected are a good reason to use the <tt class="constant">tdbsam</tt> passdb backend. Use of <tt class="constant">smbpasswd</tt> as the backend may result in performance problems, because every account lookup scans a flat ASCII file. The <tt class="constant">tdbsam</tt> passdb backend also offers features that are not available with the older flat ASCII-based <tt class="constant">smbpasswd</tt> database.
</p><p>
<a class="indexterm" name="id2538968"></a>
The proposed network design uses a single server as the Internet services host for electronic mail, Web serving, and remote administrative access via SSH, as well as for Samba-based file and print services. This design is often chosen by sites that feel they cannot afford or justify the cost or overhead of separate servers. It must be realized that if the security of this type of server is ever violated (compromised), the whole network and all data are at risk. Many sites continue to choose this type of solution; therefore, this chapter provides detailed coverage of key implementation aspects.
</p><p>
Samba will be configured to specifically not operate on the ethernet interface that is directly connected to the Internet.
</p><p>
<a class="indexterm" name="id2538994"></a>
<a class="indexterm" name="id2539001"></a>
<a class="indexterm" name="id2539007"></a>
<a class="indexterm" name="id2539016"></a>
You know that your ISP is providing full firewall services, but you cannot rely on that. Always assume that human error will occur, so be prepared by using the Linux firewall facilities based on <span><b class="command">iptables</b></span> to effect Network Address Translation (NAT). Block all incoming traffic on the Internet interface except to the permitted well-known ports. You must also allow incoming packets that belong to established outgoing connections. All outgoing requests from the internal networks will be permitted.
</p><p>
The configuration of Web serving, Web proxy services, electronic mail, and the details of generic anti-virus handling are beyond the scope of this book and therefore are not covered, except insofar as they affect Samba-3.
</p><p><a class="indexterm" name="id2539048"></a>
Notebook computers are configured to use a network login when in the office and a local account to log in while away from the office. Users store all work done in transit (away from the office) on a local share for work files. Standard procedures dictate that on completion of the work that necessitated mobile file access, all work files are moved back to secure storage on the office server. Staff are instructed not to carry on any company notebook computer any files that are not absolutely required. This is a preventive measure to protect client information as well as private business records.
</p><p><a class="indexterm" name="id2539070"></a>
All applications are served from the central server from a share called <tt class="constant">apps</tt>. Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network (or administrative) installation. Accounting and financial management software can also be run only from the central application server. Notebook users are provided with locally installed applications on a need-to-have basis only.
</p><p>
<a class="indexterm" name="id2539093"></a>
The introduction of roaming profile support means that users can move between desktop computer systems without constraint while retaining full access to their data. The desktop travels with them as they move.
</p><p>
<a class="indexterm" name="id2539106"></a>
The DNS server implementation must now address both internal and external needs. You forward DNS lookups to your ISP-provided server as well as to the <tt class="constant">abmas.us</tt> external secondary DNS server.
</p><p>
<a class="indexterm" name="id2539123"></a>
<a class="indexterm" name="id2539130"></a><a class="indexterm" name="id2539138"></a>
Compared with the DHCP server configuration in <a href="small.html#dhcp01" title="Example 3.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">Example 3.2</a>, the configuration used in this example has to deal with the presence of an Internet connection. The scope set for it ensures that no DHCP services will be offered on the external connection. All printers are configured as DHCP clients, so that the DHCP server assigns each printer a fixed IP address keyed on its ethernet interface (MAC) address. One additional feature of this DHCP server configuration file is the inclusion of parameters that allow dynamic DNS (DDNS) operation.
</p><p>
This is the first implementation that depends on a correctly functioning DNS server. Comprehensive steps are included to provide a fully functioning DNS server that is also enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered with the DNS server.
</p><p>
You are taking the opportunity to manually set the NetBIOS name of the Samba server to a name other than the one that would be derived automatically from the hostname. You are doing this to ensure that the machine has the same NetBIOS name on both network segments.
</p><p>
As in the previous network configuration, printing in this network uses direct raw printing (i.e., no smart printing and no print driver auto-download to Windows clients). Printer drivers are installed on the Windows client manually. This is not a problem given that Christine is to install and configure one single workstation and then clone that configuration, using Norton Ghost, to all workstations. Each machine is identical, so this should pose no problem.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2539191"></a>Hardware Requirements</h4></div></div></div><p><a class="indexterm" name="id2539198"></a>
This server runs a considerable number of services. From similarly configured Linux installations, the approximate calculated memory requirements are as shown in <a href="secure.html#ch4memoryest" title="Example 4.1. Estimation of Memory Requirements">Example 4.1</a>.

</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 4.1. Estimation of Memory Requirements</b></p><pre class="screen">
Application  Memory per User    130 Users      500 Users
   Name        (MBytes)       Total MBytes   Total MBytes
-----------  ---------------  ------------   ------------
DHCP              2.5               3              3
DNS              16.0              16             16
Samba (nmbd)     16.0              16             16
Samba (winbind)  16.0              16             16
Samba (smbd)      4.0             520           2000
Apache           10.0 (20 User)   200            200
CUPS              3.5              16             32
Basic OS        256.0             256            256
                              -------------- --------------
    Total:                       1043 MBytes    2539 MBytes
                              -------------- --------------
</pre></div><p>
You should add a safety margin of at least 50% to these estimates. The <tt class="constant">smbd</tt> figure scales with the number of connected users because Samba forks one <tt class="constant">smbd</tt> process per client connection; most of the other entries are fixed per-process costs. The minimum system memory recommended for initial startup would be 1 GByte, but to permit the system to scale to 500 users, it would make sense to provision the machine with 4 GBytes of memory. An initial configuration with only 1 GByte of memory would lead to early performance complaints as the system load builds up. Given the low cost of memory, it would not make sense to compromise in this area.
</p><p><a class="indexterm" name="id2539256"></a>
Aggregate input/output loads should be considered when sizing the network configuration as well as the disk subsystems. For network bandwidth calculations, one would typically use an estimate of 0.1 MBytes/sec per user. For 130 users this is about 13 MBytes/sec, which suggests that 100-Base-T (approx. 10 MBytes/sec) would deliver below acceptable capacity even for the initial user load. It is, therefore, a good idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached to a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T switched ports.
</p><p><a class="indexterm" name="id2539277"></a><a class="indexterm" name="id2539285"></a>
Given the choice of 1 Gigabit ethernet interfaces for the two local network segments, the aggregate network I/O capacity is 2 x 1000 = 2000 MBit/sec (about 250 MBytes/sec), an I/O demand that would require fast disk storage I/O capability. Peak disk throughput is limited by the disk subsystem chosen. It would be desirable to provide the maximum I/O bandwidth that can be afforded. If a low-cost solution must be chosen, 3Ware IDE RAID controllers are a good choice. These controllers can be fitted into a 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI controller and can operate at the peak of the PCI-X bandwidth (approximately 450 MBytes/sec). Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, it would make sense to purchase well-known branded hardware that has appropriate performance specifications. As a minimum, one should attempt to provide a disk subsystem that can deliver I/O rates of at least 100 MBytes/sec.
</p><p>
Disk storage requirements may be calculated as shown in <a href="secure.html#ch4diskest" title="Example 4.2. Estimation of Disk Storage Requirements">Example 4.2</a>.

</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 4.2. Estimation of Disk Storage Requirements</b></p><pre class="screen">
Corporate Data: 100 MBytes/user per year
Email Storage:  500 MBytes/user per year
Applications:   5000 MBytes
Safety Buffer:  At least 50%

Given 500 Users and 2 years:
-----------------------------
        Corporate Data:  2 x 100 x 500 = 100000 MBytes = 100 GBytes
        Email Storage:   2 x 500 x 500 = 500000 MBytes = 500 GBytes
        Applications:                      5000 MBytes =   5 GBytes
                                       ----------------------------
                             Total:                      605 GBytes
             Add 50% buffer                              303 GBytes
                       Recommended Storage:              908 GBytes
</pre></div><p>
<a class="indexterm" name="id2539361"></a>
The preferred storage capacity should be approximately 1 TeraByte. Using RAID level 5 with two hot spare drives, an array of 8 drives of 200 GBytes each provides this: 6 drives are active, of which 5 contribute usable capacity.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2539376"></a>Political Issues</h3></div></div></div><p>
Your industry is coming under increasing accountability pressures. Increased paranoia is necessary so that you can demonstrate that you have acted with due diligence. You must not trust your Internet connection.
</p><p>
Apart from permitting more efficient management of business applications through use of an application server, your primary reason for the decision to implement one is that it gives you greater control over software licensing.
</p><p><a class="indexterm" name="id2539397"></a>
You are well aware that the current configuration results in some performance issues as the size of the desktop profile grows. Given that users use Microsoft Outlook Express, you know that the storage implications of the <tt class="constant">.PST</tt> file are something that needs to be addressed later on.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2539418"></a>Implementation</h2></div></div></div><p>
<a href="secure.html#ch04net" title="Figure 4.1. Abmas Network Topology, 130 Users">Figure 4.1</a> shows the overall design of the network that you will implement.
</p><p>
The information presented here assumes that you are already familiar with many basic steps. As it stands, the detail provided already extends well beyond the bare necessities of Samba configuration. This decision is deliberate, to ensure that key determinants of a successful installation are not overlooked. This is the last case that documents the fine minutiae of DHCP and DNS server configuration. Beyond the information provided here, there are many other good reference books on these subjects.
</p><p>
The <tt class="filename">smb.conf</tt> file has the following noteworthy features:
</p><div class="itemizedlist"><ul type="disc"><li><p>
The NetBIOS name of the Samba server is set to <tt class="constant">DIAMOND</tt>.
</p></li><li><p>
The Domain name is set to <tt class="constant">PROMISES</tt>.
</p></li><li><p><a class="indexterm" name="id2539478"></a><a class="indexterm" name="id2539486"></a><a class="indexterm" name="id2539494"></a>
Ethernet interface <tt class="constant">eth0</tt> is attached to the Internet connection and is externally exposed. This interface is explicitly not available for Samba to use. Samba listens on this interface for broadcast messages, but does not broadcast any information on <tt class="constant">eth0</tt>, nor does it accept any connections from it. This is achieved by way of the <i class="parameter"><tt>interfaces</tt></i> parameter together with the <i class="parameter"><tt>bind interfaces only</tt></i> entry; either one alone is not sufficient, since without <i class="parameter"><tt>bind interfaces only</tt></i> smbd still binds to every interface.
</p></li><li><p><a class="indexterm" name="id2539532"></a><a class="indexterm" name="id2539540"></a><a class="indexterm" name="id2539548"></a>
The <i class="parameter"><tt>passdb backend</tt></i> parameter specifies the creation and use of the <tt class="constant">tdbsam</tt> password backend. This is a binary database that has excellent scalability for a large number of user account entries.
</p></li><li><p><a class="indexterm" name="id2539573"></a><a class="indexterm" name="id2539581"></a><a class="indexterm" name="id2539589"></a>
WINS serving is enabled by <a class="indexterm" name="id2539599"></a>wins support = Yes, and name resolution is set to use it by means of the <a class="indexterm" name="id2539607"></a>name resolve order = wins bcast hosts entry.
</p></li><li><p><a class="indexterm" name="id2539618"></a>
The Samba server is configured for use by Windows clients as a time server.
</p></li><li><p><a class="indexterm" name="id2539632"></a><a class="indexterm" name="id2539640"></a><a class="indexterm" name="id2539647"></a>
Samba is configured to interface directly with CUPS via the internal interface provided by the CUPS libraries. This is achieved with the <a class="indexterm" name="id2539659"></a>printing = CUPS and <a class="indexterm" name="id2539667"></a>printcap name = CUPS entries.
</p></li><li><p><a class="indexterm" name="id2539678"></a><a class="indexterm" name="id2539686"></a><a class="indexterm" name="id2539694"></a>
External interface scripts are provided to enable Samba to interface smoothly with essential operating system functions for user and group management. This is important to enable workstations to join the Domain, and also so that you can use the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools are provided as part of the <tt class="filename">SRVTOOLS.EXE</tt> toolkit that can be downloaded from the Microsoft FTP <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site.</a>
</p></li><li><p><a class="indexterm" name="id2539726"></a>
The <tt class="filename">smb.conf</tt> file specifies that the Samba server will operate in (default) <i class="parameter"><tt>security = user</tt></i> mode<sup>[<a name="id2539748" href="#ftn.id2539748">5</a>]</sup> (User Mode).
</p></li><li><p><a class="indexterm" name="id2539765"></a><a class="indexterm" name="id2539773"></a>
Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration.
</p></li><li><p><a class="indexterm" name="id2539788"></a><a class="indexterm" name="id2539796"></a><a class="indexterm" name="id2539804"></a>
Roaming profiles are enabled through the specification of the parameter <a class="indexterm" name="id2539815"></a>logon path = \\%L\profiles\%U. In the value of this parameter, <tt class="constant">%L</tt> translates to the name by which the Samba server is called by the client (for this configuration, <tt class="constant">DIAMOND</tt>), and <tt class="constant">%U</tt> translates to the name of the user within the context of the connection made to the profile share. It is the administrator's responsibility to ensure that there is a directory in the root of the profile share for each user. This directory must also be owned by that user. An exception to this requirement is when a profile is created for group use.
</p></li><li><p><a class="indexterm" name="id2539845"></a><a class="indexterm" name="id2539853"></a>
A precautionary veto is effected for particular Windows file names that have been targeted by virus-related activity. Additionally, Microsoft Office files are excluded from opportunistic locking (oplock) controls. This should help to prevent lock-contention-related file access problems.
</p></li><li><p><a class="indexterm" name="id2539870"></a>
Explicit controls are effected to restrict access to the <tt class="constant">IPC$</tt> share to the local networks only. The <tt class="constant">IPC$</tt> share plays an important role in network browsing and in the establishment of network connections.
</p></li><li><p>
Every user has a private home directory on the UNIX/Linux host. This is mapped to a network drive letter that is the same for all users.
</p></li></ul></div><p>
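The features above are the ones to verify on a host that is also Internet-facing, and they are easy to get subtly wrong (for instance, <tt class="constant">interfaces</tt> set but <tt class="constant">bind interfaces only</tt> forgotten). The following shell script is an added example, not code from the book or from the Samba project: a small awk parser extracts values from an <tt class="filename">smb.conf</tt>, honouring Samba's case- and whitespace-insensitive key matching, and the audit checks that <tt class="constant">bind interfaces only</tt> is on, that the external interface name and the public address (assumed <tt class="constant">eth0</tt> and 123.45.67.66 from Table 4.1) are absent from <tt class="constant">interfaces</tt>, that <tt class="constant">IPC$</tt> carries a non-open <tt class="constant">hosts allow</tt>, and that the backend is <tt class="constant">tdbsam</tt>. The two embedded sample configurations are constructed for the example; the book's complete <tt class="filename">smb.conf</tt> appears later in this chapter.

```shell
#!/bin/sh
# Added example, not from the book or the Samba project: audit the
# security-relevant settings of an smb.conf on an Internet-facing host.

# smb_get FILE SECTION KEY : print the value of KEY in [SECTION].
# Section and key matching is case-insensitive and ignores whitespace in
# the key, as Samba itself does ("bind interfaces only" == "BindInterfacesOnly").
smb_get() {
    awk -v ws="$2" -v wk="$3" '
        BEGIN { gsub(/[ \t]/, "", wk); wk = tolower(wk); ws = tolower(ws) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); s = tolower(s); next }
        s == ws && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == wk) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$1"
}

# audit_smbconf FILE EXTERNAL : EXTERNAL is a space-separated list of interface
# names and addresses that must never appear in "interfaces". Returns 1 on any FAIL.
audit_smbconf() {
    conf=$1; external=$2; rc=0
    case $(smb_get "$conf" global "bind interfaces only" | tr 'A-Z' 'a-z') in
        yes|true|1) ;;
        *) echo "FAIL: bind interfaces only is not yes; smbd/nmbd bind to every interface"; rc=1 ;;
    esac
    ifaces=$(smb_get "$conf" global interfaces | tr ',' ' ')
    [ -n "$ifaces" ] || { echo "FAIL: interfaces is unset"; rc=1; }
    for i in $ifaces; do
        for x in $external; do
            case $i in "$x"|"$x"/*) echo "FAIL: external $x listed in interfaces"; rc=1 ;; esac
        done
    done
    case $(smb_get "$conf" global "passdb backend") in
        tdbsam*) ;;
        *) echo "WARN: passdb backend is not tdbsam" ;;
    esac
    allow=$(smb_get "$conf" 'IPC$' "hosts allow")
    case $allow in
        "") echo "FAIL: [IPC\$] has no hosts allow"; rc=1 ;;
        *0.0.0.0/0*|*ALL*) echo "FAIL: [IPC\$] hosts allow is open to everyone"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo "OK: $conf"
    return $rc
}

# Constructed samples for the example, modelled on the feature list above.
SMB_SAMPLE_GOOD='[global]
    workgroup = PROMISES
    netbios name = DIAMOND
    interfaces = eth1, eth2, lo
    bind interfaces only = Yes
    passdb backend = tdbsam
    wins support = Yes
    name resolve order = wins bcast hosts
    logon path = \\%L\profiles\%U
    veto files = /*.eml/*.nws/*.{*}/
    veto oplock files = /*.doc/*.xls/*.mdb/

[IPC$]
    path = /tmp
    hosts allow = 192.168.1., 192.168.2., 127.
    hosts deny = 0.0.0.0/0
'
SMB_SAMPLE_WEAK='[global]
    workgroup = PROMISES
    interfaces = eth0, eth1, eth2
    passdb backend = smbpasswd

[IPC$]
    path = /tmp
'

# selftest: the good sample must pass and the weak one must fail.
selftest() {
    g=$(mktemp) && w=$(mktemp) || return 1
    printf '%s' "$SMB_SAMPLE_GOOD" > "$g"
    printf '%s' "$SMB_SAMPLE_WEAK" > "$w"
    audit_smbconf "$g" "eth0 123.45.67.66"; good_rc=$?
    audit_smbconf "$w" "eth0 123.45.67.66"; weak_rc=$?
    rm -f "$g" "$w"
    [ "$good_rc" -eq 0 ] && [ "$weak_rc" -ne 0 ]
}

case $# in
    2) audit_smbconf "$1" "$2" ;;   # e.g. audit.sh /etc/samba/smb.conf "eth0 123.45.67.66"
    *) selftest ;;
esac
```

Run it against the live file with <tt class="constant">sh audit.sh /etc/samba/smb.conf "eth0 123.45.67.66"</tt>; with no arguments it exercises the two samples. The public address is checked as well as the interface name because Samba accepts addresses and address/mask pairs in <tt class="constant">interfaces</tt>, so an entry such as <tt class="constant">123.45.67.66/30</tt> would expose the server just as surely as <tt class="constant">eth0</tt>. After any change, <tt class="constant">testparm</tt> remains the authoritative syntax check; this script only looks at the handful of settings that decide whether SMB is reachable from the Internet.
</p><p>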
The configuration of the server is the most complex so far. The following steps are used:
</p><div class="orderedlist"><ol type="1"><li><p>
Basic System Configuration
</p></li><li><p>
Samba Configuration
</p></li><li><p>
DHCP and DNS Server Configuration
</p></li><li><p>
Printer Configuration
</p></li><li><p>
Process Start-up Configuration
</p></li><li><p>
Validation
</p></li><li><p>
Application Share Configuration
</p></li><li><p>
Windows Client Configuration
</p></li></ol></div><p>
The following sections cover each step in logical and defined detail.
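</p><p>
One administrative task the profile item above leaves to you is creating the per-user directory in the root of the profile share, owned by that user and readable by nobody else. The script below is an added example, not code from the book or from Samba. It assumes the share root is <tt class="filename">/var/lib/samba/profiles</tt> (the book's actual path is in its <tt class="filename">smb.conf</tt> later in this chapter) and reads user names from standard input, so it can be fed from <tt class="constant">pdbedit -L</tt>. It refuses to silently accept a pre-existing directory with the wrong mode or owner, which is the case that would let one user read another's profile:

```shell
#!/bin/sh
# Added example, not from the book: create the per-user directories that
# "logon path = \\%L\profiles\%U" requires in the root of the profiles share.
# Assumed default share root (override with PROFILE_ROOT or the first argument).
PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"

is_root() { [ "$(id -u)" -eq 0 ]; }

# provision_profile ROOT USER [GROUP]
# Creates ROOT/USER with mode 0700. Ownership is set only when running as root
# (GROUP defaults to the user's primary group). An existing directory is
# accepted only if its mode is 0700 and, when root, it is owned by USER;
# anything else is reported and returns 1 rather than being quietly "fixed".
provision_profile() {
    root=$1; user=$2; dir="$root/$user"
    [ -d "$root" ] || mkdir -p -m 0755 "$root" || return 1
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" || return 1
        if is_root; then
            group=${3:-$(id -gn "$user")} || return 1
            chown "$user:$group" "$dir" || return 1
        fi
        echo "created $dir"
    fi
    mode=$(stat -c %a "$dir") || return 1
    if [ "$mode" != 700 ]; then
        echo "FAIL: $dir has mode $mode, expected 700"; return 1
    fi
    if is_root && [ "$(stat -c %U "$dir")" != "$user" ]; then
        echo "FAIL: $dir is not owned by $user"; return 1
    fi
    return 0
}

# provision_profiles ROOT : one user name per line on stdin; blank lines and
# '#' comments are ignored. Returns the number of users that failed.
provision_profiles() {
    root=$1; failed=0
    while IFS= read -r u; do
        case $u in ''|'#'*) continue ;; esac
        provision_profile "$root" "$u" || failed=$((failed + 1))
    done
    return $failed
}

if [ $# -ge 1 ]; then
    provision_profiles "$1"
fi
```

Typical use as root is <tt class="constant">pdbedit -L | cut -d: -f1 | sh profiles.sh /var/lib/samba/profiles</tt>. Run as an ordinary user the script skips the <tt class="constant">chown</tt>, which makes it possible to try the logic against a scratch directory first; the mode check still applies, so a directory somebody created world-readable is reported rather than handed to a user as their profile.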
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p><a class="indexterm" name="id2539968"></a>
The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been freshly installed. It prepares basic files so that the system is ready for comprehensive operation in line with the network diagram shown in <a href="secure.html#ch04net" title="Figure 4.1. Abmas Network Topology, 130 Users">Figure 4.1</a>.
</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2539995"></a>
Using the UNIX/Linux system tools, name the server <tt class="constant">server.abmas.us</tt>. Verify that your hostname is correctly set by running:
</p><pre class="screen">
<tt class="prompt">root# </tt> uname -n
server
</pre><p>
An alternate method to verify the hostname, including its domain part, is:
</p><pre class="screen">
<tt class="prompt">root# </tt> hostname -f
server.abmas.us
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id2540040"></a><a class="indexterm" name="id2540046"></a>
Edit your <tt class="filename">/etc/hosts</tt> file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system can resolve all of its own names to IP addresses before the DNS server is started. An example of the entries that should be in the <tt class="filename">/etc/hosts</tt> file is:
</p><pre class="screen">
127.0.0.1       localhost
192.168.1.1     sleeth1.abmas.biz sleeth1 diamond
192.168.2.1     sleeth2.abmas.biz sleeth2
123.45.67.66    server.abmas.us server
</pre><p>
You should check the startup order of your system. If the CUPS print server is started before the DNS server (<span><b class="command">named</b></span>), you should also include an entry for each printer in the <tt class="filename">/etc/hosts</tt> file, as follows:
</p><pre class="screen">
192.168.1.20    qmsa.abmas.biz qmsa
192.168.1.30    hplj6a.abmas.biz hplj6a
192.168.2.20    qmsf.abmas.biz qmsf
192.168.2.30    hplj6f.abmas.biz hplj6f
</pre><p>
<a class="indexterm" name="id2540104"></a><a class="indexterm" name="id2540112"></a><a class="indexterm" name="id2540120"></a>
The printer entries are not necessary if <span><b class="command">named</b></span> is started prior to startup of <span><b class="command">cupsd</b></span>, the CUPS daemon.
</p></li><li><p>
<a class="indexterm" name="id2540149"></a>
<a class="indexterm" name="id2540156"></a><a class="indexterm" name="id2540162"></a>
		The host server acts as a router between the two internal network segments and
		for all Internet access, so IP forwarding must be enabled. This can be
		achieved by adding to the <tt class="filename">/etc/rc.d/boot.local</tt> an entry as follows:
405</p><pre class="screen">
406echo 1 &gt; /proc/sys/net/ipv4/ip_forward
407</pre><p>
408		To ensure that your kernel is capable of IP forwarding during configuration, you may 
409		wish to execute that command manually also. This setting permits the Linux system to 
410		act as a router.<sup>[<a name="id2540192" href="#ftn.id2540192">6</a>]</sup>
411		</p></li><li><p><a class="indexterm" name="id2540204"></a><a class="indexterm" name="id2540212"></a>
412		Installation of a basic firewall and network address translation facility is necessary.
413		The following script can be installed in the <tt class="filename">/usr/local/sbin</tt>
414		directory. It is executed from the <tt class="filename">/etc/rc.d/boot.local</tt> startup
		script. In your case, this script is called <tt class="filename">abmas-natfw.sh</tt>. The
		script contents are shown in <a href="secure.html#ch4natfw" title="Example 4.3. NAT Firewall Configuration Script">Example 4.3, NAT Firewall Configuration Script</a>.
417
</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 4.3. NAT Firewall Configuration Script</b></p><pre class="screen">
419#!/bin/sh
420echo -e "\n\nLoading NAT firewall.\n"
421IPTABLES=/usr/sbin/iptables
422EXTIF="eth0"
423INTIFA="eth1"
424INTIFB="eth2"
425
426/sbin/depmod -a
427/sbin/insmod ip_tables
428/sbin/insmod ip_conntrack
429/sbin/insmod ip_conntrack_ftp
430/sbin/insmod iptable_nat
431/sbin/insmod ip_nat_ftp
432$IPTABLES -P INPUT DROP
433$IPTABLES -F INPUT
434$IPTABLES -P OUTPUT ACCEPT
435$IPTABLES -F OUTPUT
436$IPTABLES -P FORWARD DROP
437$IPTABLES -F FORWARD
438
439$IPTABLES -A INPUT -i lo -j ACCEPT
440$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
441$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
442$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
443# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
444for i in 22 25 53 80 443
445do
446        $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i  -j ACCEPT
447done
448# Allow DNS(udp)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53  -j ACCEPT
450echo "Allow all connections OUT and only existing and specified ones IN"
451$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \
452                                  --state ESTABLISHED,RELATED -j ACCEPT
453$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \
454                                  --state ESTABLISHED,RELATED -j ACCEPT
455$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
456$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
457$IPTABLES -A FORWARD -j LOG
458echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
459$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
460echo "1" &gt; /proc/sys/net/ipv4/ip_forward
461echo -e "\nNAT firewall done.\n"
462</pre></div><p>
463		</p></li><li><p>
464		Execute the following to make the script executable:
465</p><pre class="screen">
466<tt class="prompt">root# </tt> chmod 755 /usr/local/sbin/abmas-natfw.sh
467</pre><p>
468		You must now edit <tt class="filename">/etc/rc.d/boot.local</tt> to add an entry
469		that runs your <span><b class="command">abmas-natfw.sh</b></span> script. The following
470		entry works for you:
471</p><pre class="screen">
472#! /bin/sh
473#
474# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. 
475# All rights reserved.
476#
477# Author: Werner Fink, 1996
478#         Burchard Steinbild, 1996
479#
480# /etc/init.d/boot.local
481#
482# script with local commands to be executed from init on system startup
483#
484# Here you should add things that should happen directly after booting
485# before we're going to the first run level.
486#
487/usr/local/sbin/abmas-natfw.sh
488</pre><p>
489		</p></li></ol></div><p><a class="indexterm" name="id2540363"></a>
490	The server is now ready for Samba configuration. During the validation step, you remove
491	the entry for the Samba server <tt class="constant">diamond</tt> from the <tt class="filename">/etc/hosts</tt>
492	file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
493	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2540388"></a>Samba Configuration</h3></div></div></div><p>
494	When you have completed this section, the Samba server is ready for testing and validation;
495	however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have 
496	been configured.
497	</p><div class="procedure"><ol type="1"><li><p>
498		Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
499		RPM file is called <tt class="filename">samba-3.0.12-1.i386.rpm</tt>, one way to install this
500		file is as follows:
501</p><pre class="screen">
502<tt class="prompt">root# </tt> rpm -Uvh samba-3.0.12-1.i386.rpm
503</pre><p>
504		This operation must be performed while logged in as the <span><b class="command">root</b></span> user.
505		Successful operation is clearly indicated. If this installation should fail for any reason,
506		refer to the operating system manufacturer's documentation for guidance.
507		</p></li><li><p>
		Install the <tt class="filename">smb.conf</tt> file shown in <a href="secure.html#promisnet" title="Example 4.4. 130 User Network with tdbsam: [globals] Section">Example 4.4</a>, <a href="secure.html#promisnetsvca" title="Example 4.5. 130 User Network with tdbsam: Services Section Part A">Example 4.5</a>,
		and <a href="secure.html#promisnetsvcb" title="Example 4.6. 130 User Network with tdbsam: Services Section Part B">Example 4.6</a>. Concatenate (join) all three files to make a single <tt class="filename">smb.conf</tt>
510		file. The final, fully qualified path for this file should be <tt class="filename">/etc/samba/smb.conf</tt>.
511
</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 4.4. 130 User Network with tdbsam: [globals] Section</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2540513"></a><i class="parameter"><tt>
513					
514				workgroup = PROMISES</tt></i></td></tr><tr><td><a class="indexterm" name="id2540528"></a><i class="parameter"><tt>
515					
516				netbios name = DIAMOND</tt></i></td></tr><tr><td><a class="indexterm" name="id2540544"></a><i class="parameter"><tt>
517					
518				interfaces = eth1, eth2, lo</tt></i></td></tr><tr><td><a class="indexterm" name="id2540559"></a><i class="parameter"><tt>
519					
520				bind interfaces only = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2540575"></a><i class="parameter"><tt>
521					
522				passdb backend = tdbsam</tt></i></td></tr><tr><td><a class="indexterm" name="id2540591"></a><i class="parameter"><tt>
523					
524				pam password change = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2540606"></a><i class="parameter"><tt>
525					
526				passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</tt></i></td></tr><tr><td><a class="indexterm" name="id2540623"></a><i class="parameter"><tt>
527					
528				username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2540639"></a><i class="parameter"><tt>
529					
530				unix password sync = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2540654"></a><i class="parameter"><tt>
531					
532				log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2540670"></a><i class="parameter"><tt>
533					
534				syslog = 0</tt></i></td></tr><tr><td><a class="indexterm" name="id2540685"></a><i class="parameter"><tt>
535					
536				log file = /var/log/samba/%m</tt></i></td></tr><tr><td><a class="indexterm" name="id2540700"></a><i class="parameter"><tt>
537					
538				max log size = 50</tt></i></td></tr><tr><td><a class="indexterm" name="id2540716"></a><i class="parameter"><tt>
539					
540				smb ports = 139 445</tt></i></td></tr><tr><td><a class="indexterm" name="id2540731"></a><i class="parameter"><tt>
541					
542				name resolve order = wins bcast hosts</tt></i></td></tr><tr><td><a class="indexterm" name="id2540747"></a><i class="parameter"><tt>
543					
544				time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2540762"></a><i class="parameter"><tt>
545					
546				printcap name = CUPS</tt></i></td></tr><tr><td><a class="indexterm" name="id2540778"></a><i class="parameter"><tt>
547					
548				show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2540794"></a><i class="parameter"><tt>
549					
550				add user script = /usr/sbin/useradd -m '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540810"></a><i class="parameter"><tt>
551					
552				delete user script = /usr/sbin/userdel -r '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540826"></a><i class="parameter"><tt>
553					
554				add group script = /usr/sbin/groupadd '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540842"></a><i class="parameter"><tt>
555					
556				delete group script = /usr/sbin/groupdel '%g'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540858"></a><i class="parameter"><tt>
557					
558				add user to group script = /usr/sbin/usermod -G '%g' '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540874"></a><i class="parameter"><tt>
559					
560				add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</tt></i></td></tr><tr><td><a class="indexterm" name="id2540890"></a><i class="parameter"><tt>
561					
562				shutdown script = /var/lib/samba/scripts/shutdown.sh</tt></i></td></tr><tr><td><a class="indexterm" name="id2540906"></a><i class="parameter"><tt>
563					
564				abort shutdown script = /sbin/shutdown -c</tt></i></td></tr><tr><td><a class="indexterm" name="id2540923"></a><i class="parameter"><tt>
565					
566				logon script = scripts\logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2540938"></a><i class="parameter"><tt>
567					
568				logon path = \\%L\profiles\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2540953"></a><i class="parameter"><tt>
569					
570				logon drive = X:</tt></i></td></tr><tr><td><a class="indexterm" name="id2540969"></a><i class="parameter"><tt>
571					
572				logon home = \\%L\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2540984"></a><i class="parameter"><tt>
573					
574				domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541000"></a><i class="parameter"><tt>
575					
576				preferred master = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541015"></a><i class="parameter"><tt>
577					
578				wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541031"></a><i class="parameter"><tt>
579					
580				utmp = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541046"></a><i class="parameter"><tt>
581					
582				map acl inherit = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541062"></a><i class="parameter"><tt>
583					
584				printing = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2541077"></a><i class="parameter"><tt>
585					
586				veto files = /*.eml/*.nws/*.{*}/</tt></i></td></tr><tr><td><a class="indexterm" name="id2541094"></a><i class="parameter"><tt>
587					
588				veto oplock files = /*.doc/*.xls/*.mdb/</tt></i></td></tr></table></div><p>
589
</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 4.5. 130 User Network with tdbsam: Services Section Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[IPC$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541132"></a><i class="parameter"><tt>
591					
592				path = /tmp</tt></i></td></tr><tr><td><a class="indexterm" name="id2541147"></a><i class="parameter"><tt>
593					
594				hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1</tt></i></td></tr><tr><td><a class="indexterm" name="id2541163"></a><i class="parameter"><tt>
595					
596				hosts deny = 0.0.0.0/0</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541187"></a><i class="parameter"><tt>
597					
598				comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2541202"></a><i class="parameter"><tt>
599					
600				valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2541218"></a><i class="parameter"><tt>
601					
602				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2541233"></a><i class="parameter"><tt>
603					
604				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541257"></a><i class="parameter"><tt>
605					
606				comment = SMB Print Spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2541273"></a><i class="parameter"><tt>
607					
608				path = /var/spool/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2541288"></a><i class="parameter"><tt>
609					
610				guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541304"></a><i class="parameter"><tt>
611					
612				printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541319"></a><i class="parameter"><tt>
613					
614				use client driver = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541335"></a><i class="parameter"><tt>
615					
616				default devmode = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541350"></a><i class="parameter"><tt>
617					
618				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541375"></a><i class="parameter"><tt>
619					
620				comment = Network Logon Service</tt></i></td></tr><tr><td><a class="indexterm" name="id2541391"></a><i class="parameter"><tt>
621					
622				path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2541406"></a><i class="parameter"><tt>
623					
624				guest ok = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541421"></a><i class="parameter"><tt>
625					
626				locking = No</tt></i></td></tr></table></div><p>
627
</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 4.6. 130 User Network with tdbsam: Services Section Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541459"></a><i class="parameter"><tt>
629					
630				comment = Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2541474"></a><i class="parameter"><tt>
631					
632				path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><a class="indexterm" name="id2541490"></a><i class="parameter"><tt>
633					
634				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2541505"></a><i class="parameter"><tt>
635					
636				profile acls = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[accounts]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541529"></a><i class="parameter"><tt>
637					
638				comment = Accounting Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2541545"></a><i class="parameter"><tt>
639					
640				path = /data/accounts</tt></i></td></tr><tr><td><a class="indexterm" name="id2541560"></a><i class="parameter"><tt>
641					
642				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[service]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541584"></a><i class="parameter"><tt>
643					
644				comment = Financial Services Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2541601"></a><i class="parameter"><tt>
645					
646				path = /data/service</tt></i></td></tr><tr><td><a class="indexterm" name="id2541616"></a><i class="parameter"><tt>
647					
648				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[apps]</tt></i></td></tr><tr><td><a class="indexterm" name="id2541640"></a><i class="parameter"><tt>
649					
650				comment = Application Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2541655"></a><i class="parameter"><tt>
651					
652				path = /apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2541671"></a><i class="parameter"><tt>
653					
654				read only = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2541686"></a><i class="parameter"><tt>
655					
656				admin users = bjordan</tt></i></td></tr></table></div><p>
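As an added check (example code written for this edition, not Samba's own and not from the book), the following Python re-implements the <tt class="constant">hosts allow</tt>/<tt class="constant">hosts deny</tt> evaluation order from smb.conf(5) and exercises the <tt class="constant">[IPC$]</tt> restriction and the <tt class="constant">bind interfaces only</tt> setting above against sample client addresses; it assumes <tt class="constant">eth0</tt> is the Internet-facing interface, as in the firewall script.

```python
"""Audit the network-exposure settings of a Samba smb.conf.

Added example; not part of Samba or of the book. It re-implements the
"hosts allow"/"hosts deny" evaluation order from smb.conf(5) so that the
[IPC$] restriction can be exercised against sample client addresses without
a running smbd. Assumed: eth0 is the Internet-facing NIC.
"""
import configparser
import ipaddress

# Constructed excerpt of the chapter's smb.conf: the globals that govern where
# smbd listens, plus the [IPC$] share with its host restrictions.
SMB_CONF = """
[global]
workgroup = PROMISES
netbios name = DIAMOND
interfaces = eth1, eth2, lo
bind interfaces only = Yes
passdb backend = tdbsam
smb ports = 139 445

[IPC$]
path = /tmp
hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
hosts deny = 0.0.0.0/0
"""


def parse_smb_conf(text):
    """smb.conf is INI-like; its %-macros must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"), strict=False)
    cp.read_string(text)
    return cp


def share_param(cp, share, key):
    """Share-level value with fall-back to [global], as smbd resolves it."""
    return cp.get(share, key, fallback=cp.get("global", key, fallback=""))


def _matchers(host_list):
    """Host lists take a.b.c.d, a.b.c.d/nn, a.b.c.d/mask, the prefix form
    'a.b.c.' and the keyword ALL, separated by commas or spaces."""
    out = []
    for tok in host_list.replace(",", " ").split():
        if tok.upper() == "ALL":
            out.append(("net", ipaddress.ip_network("0.0.0.0/0")))
        elif tok.endswith("."):
            out.append(("prefix", tok))
        else:
            out.append(("net", ipaddress.ip_network(tok, strict=False)))
    return out


def _matches(client_ip, matchers):
    addr = ipaddress.ip_address(client_ip)
    return any((kind == "net" and addr in m) or
               (kind == "prefix" and str(addr).startswith(m))
               for kind, m in matchers)


def access_allowed(cp, share, client_ip):
    """smb.conf(5): only an allow list -> admit listed hosts only; only a deny
    list -> refuse listed hosts only; both -> allow list wins, then the deny
    list is applied, and a host in neither is admitted."""
    allow = _matchers(share_param(cp, share, "hosts allow"))
    deny = _matchers(share_param(cp, share, "hosts deny"))
    if not allow and not deny:
        return True
    if not deny:
        return _matches(client_ip, allow)
    if not allow:
        return not _matches(client_ip, deny)
    if _matches(client_ip, allow):
        return True
    return not _matches(client_ip, deny)


def binds_internal_only(cp, external_iface="eth0"):
    """True when smbd is pinned to named interfaces that exclude the external
    NIC, so ports 139/445 are not even offered on the Internet side."""
    flag = cp.get("global", "bind interfaces only", fallback="No").lower()
    ifaces = cp.get("global", "interfaces", fallback="").replace(",", " ").split()
    return flag in ("yes", "true", "1") and bool(ifaces) and external_iface not in ifaces


def audit(cp, external_iface="eth0", probes=("192.168.1.77", "123.45.67.70")):
    """Findings as readable strings; the probe addresses are constructed
    samples (one LAN client, one Internet host)."""
    findings = []
    if not binds_internal_only(cp, external_iface):
        findings.append(f"smbd may listen on {external_iface}")
    for ip in probes:
        verdict = "admitted" if access_allowed(cp, "IPC$", ip) else "refused"
        findings.append(f"IPC$ from {ip}: {verdict}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_smb_conf(SMB_CONF)):
        print(line)
```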
657		</p></li><li><p>
658	      <a class="indexterm" name="id2541708"></a><a class="indexterm" name="id2541714"></a>
659		Add the <tt class="constant">root</tt> user to the password backend as follows:
660</p><pre class="screen">
661<tt class="prompt">root# </tt> smbpasswd -a root
662New SMB password: XXXXXXXX
663Retype new SMB password: XXXXXXXX
664<tt class="prompt">root# </tt>
665</pre><p>
666		The <tt class="constant">root</tt> account is the UNIX equivalent of the Windows Domain Administrator.
667		This account is essential in the regular maintenance of your Samba server. It must never be
668		deleted. If for any reason the account is deleted, you may not be able to recreate this account
669		without considerable trouble.
670		</p></li><li><p>
671		<a class="indexterm" name="id2541761"></a>
672                Create the username map file to permit the <tt class="constant">root</tt> account to be called
673                <tt class="constant">Administrator</tt> from the Windows network environment. To do this, create
674                the file <tt class="filename">/etc/samba/smbusers</tt> with the following contents:
675</p><pre class="screen">
676####
677# User mapping file
678####
679# File Format
680# -----------
681# Unix_ID = Windows_ID
682#
683# Examples:
684# root = Administrator
685# janes = "Jane Smith"
686# jimbo = Jim Bones
687#
688# Note: If the name contains a space it must be double quoted.
689#       In the example above the name 'jimbo' will be mapped to Windows
690#       user names 'Jim' and 'Bones' because the space was not quoted.
691#######################################################################
692root = Administrator
693####
694# End of File
695####
696</pre><p>
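An added example, not from the book or from Samba, that applies the file format described in the comments above so the effect of an unquoted two-word name (and of the <tt class="constant">!</tt> stop marker) can be seen before the map goes live:

```python
"""Resolve Windows logon names through a Samba 'username map' file.

Added example; not Samba's own code. It applies the format described in the
chapter's /etc/samba/smbusers comments (one UNIX name on the left, a list of
Windows names on the right, names containing spaces double-quoted).
"""
import shlex

# Constructed sample: the three example lines from the chapter's smbusers
# comment block, uncommented, with the root mapping first.
SMBUSERS = """
# User mapping file: Unix_ID = Windows_ID
root = Administrator
janes = "Jane Smith"
jimbo = Jim Bones
"""


def parse_username_map(text):
    """Return [(unix_name, [windows_names], stop)] in file order.
    A leading '!' on the UNIX name tells smbd to stop after that line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, _, rhs = line.partition("=")
        unix_name = unix_name.strip()
        stop = unix_name.startswith("!")
        # shlex honours double quotes, so "Jane Smith" stays one name while
        # the unquoted Jim Bones becomes the two names Jim and Bones.
        windows_names = shlex.split(rhs)
        entries.append((unix_name.lstrip("!"), windows_names, stop))
    return entries


def map_username(entries, windows_name):
    """smbd compares names case-insensitively, lets later lines remap the
    result of earlier ones unless a '!' line matched, and treats '*' as a
    wildcard."""
    current = windows_name
    for unix_name, windows_names, stop in entries:
        if any(w == "*" or w.lower() == current.lower() for w in windows_names):
            current = unix_name
            if stop:
                break
    return current


if __name__ == "__main__":
    entries = parse_username_map(SMBUSERS)
    for name in ("Administrator", "Jane Smith", "Jim Bones", "Jim", "Bones"):
        print(f"{name!r:14} -> {map_username(entries, name)!r}")
```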
697		</p></li><li><p>
698	      <a class="indexterm" name="id2541805"></a><a class="indexterm" name="id2541811"></a><a class="indexterm" name="id2541826"></a><a class="indexterm" name="id2541840"></a>
699                Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
                <a href="secure.html#ch4initGrps" title="Example 4.7. Script to Map Windows NT Groups to UNIX Groups">Example 4.7, Script to Map Windows NT Groups to UNIX Groups</a>. Create a file containing this script. We called ours
701                <tt class="filename">/etc/samba/initGrps.sh</tt>. Set this file so it can be executed,
702                and then execute the script. Sample output should be as follows:
703
</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 4.7. Script to Map Windows NT Groups to UNIX Groups</b></p><a class="indexterm" name="id2541883"></a><pre class="screen">
705#!/bin/bash
706#
707# initGrps.sh
708#
709
710# Create UNIX groups
711groupadd acctsdep
712groupadd finsrvcs
713
714# Map Windows Domain Groups to UNIX groups
715net groupmap modify ntgroup="Domain Admins"  unixgroup=root
716net groupmap modify ntgroup="Domain Users"   unixgroup=users
717net groupmap modify ntgroup="Domain Guests"  unixgroup=nobody
718
719# Add Functional Domain Groups
720net groupmap add ntgroup="Accounts Dept"  unixgroup=acctsdep type=d
721net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
722
723# Map Windows NT machine local groups to local UNIX groups
724# Mapping of local groups is not necessary and not functional
725# for this installation.
726</pre></div><p>
727
728</p><pre class="screen">
729<tt class="prompt">root# </tt> chmod 755 initGrps.sh
730<tt class="prompt">root# </tt> /etc/samba # ./initGrps.sh
731Updated mapping entry for Domain Admins
732Updated mapping entry for Domain Users
733Updated mapping entry for Domain Guests
734No rid or sid specified, choosing algorithmic mapping
735Successfully added group Accounts Dept to the mapping db
736No rid or sid specified, choosing algorithmic mapping
Successfully added group Financial Services to the mapping db
738
739<tt class="prompt">root# </tt> /etc/samba # net groupmap list | sort
740Account Operators (S-1-5-32-548) -&gt; -1
741Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -&gt; acctsdep
742Administrators (S-1-5-32-544) -&gt; -1
743Backup Operators (S-1-5-32-551) -&gt; -1
744Domain Admins (S-1-5-21-179504-2437109-488451-512) -&gt; root
745Domain Guests (S-1-5-21-179504-2437109-488451-514) -&gt; nobody
746Domain Users (S-1-5-21-179504-2437109-488451-513) -&gt; users
747Financial Services (S-1-5-21-179504-2437109-488451-2005) -&gt; finsrvcs
748Guests (S-1-5-32-546) -&gt; -1
749Power Users (S-1-5-32-547) -&gt; -1
750Print Operators (S-1-5-32-550) -&gt; -1
751Replicators (S-1-5-32-552) -&gt; -1
752System Operators (S-1-5-32-549) -&gt; -1
753Users (S-1-5-32-545) -&gt; -1
754</pre><p>
755		</p></li><li><p>
756	  <a class="indexterm" name="id2541968"></a>
757          <a class="indexterm" name="id2541975"></a>
758	  <a class="indexterm" name="id2541982"></a>
759	  <a class="indexterm" name="id2541989"></a>
760          <a class="indexterm" name="id2541996"></a>
761          <a class="indexterm" name="id2542003"></a>
762          <a class="indexterm" name="id2542012"></a>
763		There is one preparatory step without which you will not have a working Samba 
764		network environment. You must add an account for each network user. 
765                For each user who needs to be given a Windows Domain account, make an entry in the
766                <tt class="filename">/etc/passwd</tt> file, as well as in the Samba password backend.
767                Use the system tool of your choice to create the UNIX system account, and use the Samba
768                <span><b class="command">smbpasswd</b></span> to create a Domain user account.
769                There are a number of tools for user management under UNIX. Commonly known ones include:
770                <span><b class="command">useradd, adduser</b></span>. In addition to these, there are a plethora of custom
771                tools. You also want to create a home directory for each user.
772		You can do this by executing the following steps for each user:
773</p><pre class="screen">
774<tt class="prompt">root# </tt> useradd -m <i class="parameter"><tt>username</tt></i>
775<tt class="prompt">root# </tt> passwd <i class="parameter"><tt>username</tt></i>
776Changing password for <i class="parameter"><tt>username</tt></i>.
777New password: XXXXXXXX
778Re-enter new password: XXXXXXXX
779Password changed
780<tt class="prompt">root# </tt> smbpasswd -a <i class="parameter"><tt>username</tt></i>
781New SMB password: XXXXXXXX
782Retype new SMB password: XXXXXXXX
783Added user <i class="parameter"><tt>username</tt></i>.
784</pre><p>
785		You do of course use a valid user login ID in place of <i class="parameter"><tt>username</tt></i>.
786		</p></li><li><p><a class="indexterm" name="id2542120"></a><a class="indexterm" name="id2542132"></a><a class="indexterm" name="id2542143"></a>
787                Using the preferred tool for your UNIX system, add each user to the UNIX groups created
788                previously as necessary. File system access control will be based on UNIX group membership.
789                </p></li><li><p>
790                Create the directory mount point for the disk sub-system that can be mounted to provide
791                data storage for company files. In this case the mount point indicated in the <tt class="filename">smb.conf</tt>
792                file is <tt class="filename">/data</tt>. Format the file system as required, and mount the formatted
793                file system partition using appropriate system tools.
794                </p></li><li><p>
795		<a class="indexterm" name="id2542187"></a>
796                Create the top-level file storage directories for data and applications as follows:
797</p><pre class="screen">
<tt class="prompt">root# </tt> mkdir -p /data/{accounts,service}
<tt class="prompt">root# </tt> mkdir -p /apps
<tt class="prompt">root# </tt> chown -R root.root /data
<tt class="prompt">root# </tt> chown -R root.root /apps
<tt class="prompt">root# </tt> chown -R bjordan.acctsdep /data/accounts
<tt class="prompt">root# </tt> chown -R bjordan.finsrvcs /data/service
<tt class="prompt">root# </tt> chmod -R ug+rwxs,o-rwx /data
<tt class="prompt">root# </tt> chmod -R ug+rwx,o+rx-w /apps
</pre><p>
                Each department is responsible for creating its own directory structure within the departmental
                share. The directory root of the <span><b class="command">accounts</b></span> share is <tt class="filename">/data/accounts</tt>.
                The directory root of the <span><b class="command">service</b></span> share is <tt class="filename">/data/service</tt>.
                These paths match the share definitions in <tt class="filename">smb.conf</tt>, and the group owners
                <tt class="constant">acctsdep</tt> and <tt class="constant">finsrvcs</tt> are the UNIX groups created by <tt class="filename">initGrps.sh</tt>.
810		The <tt class="filename">/apps</tt> directory is the root of the <tt class="constant">apps</tt> share
811		that provides the application server infrastructure.
812		</p></li><li><p>
813		The <tt class="filename">smb.conf</tt> file specifies an infrastructure to support roaming profiles and network
814		logon services. You can now create the file system infrastructure to provide the
815		locations on disk that these services require. Adequate planning is essential
816		since desktop profiles can grow to be quite large. For planning purposes, a minimum of
817		200 Megabytes of storage should be allowed per user for profile storage. The following
818		commands create the directory infrastructure needed:
819</p><pre class="screen">
820<tt class="prompt">root# </tt> mkdir -p /var/spool/samba 
821<tt class="prompt">root# </tt> mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
822<tt class="prompt">root# </tt> chown -R root.root /var/spool/samba
823<tt class="prompt">root# </tt> chown -R root.root /var/lib/samba
824<tt class="prompt">root# </tt> chmod a+rwxt /var/spool/samba
825</pre><p>
826		For each user account that is created on the system, the following commands should be
827		executed:
828</p><pre class="screen">
829<tt class="prompt">root# </tt> mkdir /var/lib/samba/profiles/'username'
830<tt class="prompt">root# </tt> chown 'username'.users /var/lib/samba/profiles/'username'
<tt class="prompt">root# </tt> chmod ug+rwx,o+rx-w /var/lib/samba/profiles/'username'
832</pre><p>
833		</p></li><li><p><a class="indexterm" name="id2542386"></a><a class="indexterm" name="id2542393"></a><a class="indexterm" name="id2542401"></a>
834		Create a logon script. It is important that each line is correctly terminated with
835		a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
836		works if the right tools (<tt class="constant">unix2dos</tt> and <tt class="constant">dos2unix</tt>) are installed.
837		First, create a file called <tt class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</tt>
838		with the following contents:
839</p><pre class="screen">
840net time \\diamond /set /yes
841net use h: /home
842net use p: \\diamond\apps
843</pre><p>
844		Convert the UNIX file to a DOS file using the <span><b class="command">unix2dos</b></span> as shown here:
845</p><pre class="screen">
846<tt class="prompt">root# </tt> unix2dos &lt; /var/lib/samba/netlogon/scripts/logon.bat.unix \
847	&gt; /var/lib/samba/netlogon/scripts/logon.bat
848</pre><p>
849		</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p>
850	DHCP services are a basic component of the entire network client installation. DNS operation is
851	foundational to Internet access as well as to trouble-free operation of local networking. When
852	you have completed this section, the server should be ready for solid duty operation.
853	</p><div class="procedure"><ol type="1"><li><p>
854		<a class="indexterm" name="id2542486"></a>
855		Create a file called <tt class="filename">/etc/dhcpd.conf</tt> with the contents as
		shown in <a href="secure.html#prom-dhcp" title="Example 4.8. DHCP Server Configuration File /etc/dhcpd.conf">Example 4.8, DHCP Server Configuration File /etc/dhcpd.conf</a>.
857
</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 4.8. DHCP Server Configuration File <tt class="filename">/etc/dhcpd.conf</tt></b></p><pre class="screen">
859# Abmas Accounting Inc. - Chapter 4
default-lease-time 86400;
max-lease-time 172800;
863option ntp-servers 192.168.1.1;
864option domain-name "abmas.biz";
865option domain-name-servers 192.168.1.1, 192.168.2.1;
866option netbios-name-servers 192.168.1.1, 192.168.2.1;
867option netbios-node-type 8;       ### Node type = Hybrid ###
868ddns-updates on;                  ### Dynamic DNS enabled ###
869ddns-update-style ad-hoc;
870
871subnet 192.168.1.0 netmask 255.255.255.0 {
872        range dynamic-bootp 192.168.1.128 192.168.1.254;
873        option subnet-mask 255.255.255.0;
874        option routers 192.168.1.1;
875        allow unknown-clients;
876        host qmsa {
877                hardware ethernet 08:00:46:7a:35:e4;
878                fixed-address 192.168.1.20;
879                }
880        host hplj6a {
881                hardware ethernet 00:03:47:cb:81:e0;
882                fixed-address 192.168.1.30;
883                }
884        }
885subnet 192.168.2.0 netmask 255.255.255.0 {
886        range dynamic-bootp 192.168.2.128 192.168.2.254;
887        option subnet-mask 255.255.255.0;
888        option routers 192.168.2.1;
889        allow unknown-clients;
890        host qmsf {
891                hardware ethernet 01:04:31:db:e1:c0;
892                fixed-address 192.168.1.20;
893        	}
894        host hplj6f {
895                hardware ethernet 00:03:47:cf:83:e2;
896                fixed-address 192.168.2.30;
897                }
898	}
899subnet 127.0.0.0 netmask 255.0.0.0 {
900        }
901subnet 123.45.67.64 netmask 255.255.255.252 {
902        }
903</pre></div><p>
		</p></li><li><p>
		<a class="indexterm" name="id2542561"></a>
		Create a file called <tt class="filename">/etc/named.conf</tt> that has the combined contents
		of <a href="secure.html#ch4namedcfg" title="Example 4.9. DNS Master Configuration File  /etc/named.conf Master Section">Example 4.9</a>, <a href="secure.html#ch4namedvarfwd" title="Example 4.10. DNS Master Configuration File  /etc/named.conf Forward Lookup Definition Section">Example 4.10</a>, and
		<a href="secure.html#ch4namedvarrev" title="Example 4.11. DNS Master Configuration File  /etc/named.conf Reverse Lookup Definition Section">Example 4.11</a>, concatenated (merged) in this
		specific order.
		</p></li><li><p>
		Create the files shown in their directories as follows:

			</p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 4.2. DNS (named) Resource Files</b></p><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a href="appendix.html#loopback" title="Example A.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">Example A.3</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example A.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">Example A.4</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example A.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">Example A.5</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a href="secure.html#abmasbiz" title="Example 4.14. DNS Abmas.biz Forward Zone File">Example 4.14</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a href="secure.html#abmasus" title="Example 4.15. DNS Abmas.us Forward Zone File">Example 4.15</a></td><td align="left">/var/lib/named/master/abmas.us.hosts</td></tr><tr><td align="left"><a href="secure.html#eth1zone" title="Example 4.12. DNS 192.168.1 Reverse Zone File">Example 4.12</a></td><td align="left">/var/lib/named/master/192.168.1.0.rev</td></tr><tr><td align="left"><a href="secure.html#eth2zone" title="Example 4.13. DNS 192.168.2 Reverse Zone File">Example 4.13</a></td><td align="left">/var/lib/named/master/192.168.2.0.rev</td></tr></tbody></table></div><p>

915</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example�4.9.�DNS Master Configuration File  <tt class="filename">/etc/named.conf</tt> Master Section</b></p><a class="indexterm" name="id2542764"></a><pre class="screen">
916###
917# Abmas Biz DNS Control File
918###
919# Date: November 15, 2003
920###
921options {
922	directory "/var/lib/named";
923	forwarders {
924		123.45.12.23;
925		};
926	forward first;
927	listen-on {
928		mynet;
929		};
930	auth-nxdomain yes;
931	multiple-cnames yes;
932	notify no;
933};
934
935zone "." in {
936	type hint;
937	file "root.hint";
938};
939
940zone "localhost" in {
941	type master;
942	file "localhost.zone";
943};
944
945zone "0.0.127.in-addr.arpa" in {
946	type master;
947	file "127.0.0.zone";
948};
949
950acl mynet {
951	192.168.1.0/24;
952	192.168.2.0/24;
953	127.0.0.1;
954};
955
956acl seconddns {
957	123.45.54.32;
958}
959
960</pre></div><p>

</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 4.10. DNS Master Configuration File  <tt class="filename">/etc/named.conf</tt> Forward Lookup Definition Section</b></p><pre class="screen">
zone "abmas.biz" {
	type master;
	file "/var/lib/named/master/abmas.biz.hosts";
	allow-query {
		mynet;
	};
	allow-transfer {
		mynet;
	};
	allow-update {
		mynet;
	};
};

zone "abmas.us" {
	type master;
	file "/var/lib/named/master/abmas.us.hosts";
	allow-query {
		all;
	};
	allow-transfer {
		seconddns;
	};
};
</pre></div><p>

</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 4.11. DNS Master Configuration File  <tt class="filename">/etc/named.conf</tt> Reverse Lookup Definition Section</b></p><pre class="screen">
zone "1.168.192.in-addr.arpa" {
	type master;
	file "/var/lib/named/master/192.168.1.0.rev";
	allow-query {
		mynet;
	};
	allow-transfer {
		mynet;
	};
	allow-update {
		mynet;
	};
};

zone "2.168.192.in-addr.arpa" {
	type master;
	file "/var/lib/named/master/192.168.2.0.rev";
	allow-query {
		mynet;
	};
	allow-transfer {
		mynet;
	};
	allow-update {
		mynet;
	};
};
</pre></div><p>

</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 4.12. DNS 192.168.1 Reverse Zone File</b></p><pre class="screen">
$ORIGIN .
$TTL 38400	; 10 hours 40 minutes
; The SOA MNAME must be a host that has an A record (sleeth1), since DDNS
; clients look it up to find the primary server for updates.
1.168.192.in-addr.arpa	IN SOA	sleeth1.abmas.biz. root.abmas.biz. (
				2003021825 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				38400      ; minimum (10 hours 40 minutes)
				)
			NS	sleeth1.abmas.biz.
$ORIGIN 1.168.192.in-addr.arpa.
1			PTR	sleeth1.abmas.biz.
20			PTR	qmsa.abmas.biz.
30			PTR	hplj6a.abmas.biz.
</pre></div><p>

</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 4.13. DNS 192.168.2 Reverse Zone File</b></p><pre class="screen">
$ORIGIN .
$TTL 38400	; 10 hours 40 minutes
; The SOA MNAME must be a host that has an A record (sleeth2), matching the NS below.
2.168.192.in-addr.arpa	IN SOA	sleeth2.abmas.biz. root.abmas.biz. (
				2003021825 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				38400      ; minimum (10 hours 40 minutes)
				)
			NS	sleeth2.abmas.biz.
$ORIGIN 2.168.192.in-addr.arpa.
1			PTR	sleeth2.abmas.biz.
20			PTR	qmsf.abmas.biz.
30			PTR	hplj6f.abmas.biz.
</pre></div><p>

</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 4.14. DNS Abmas.biz Forward Zone File</b></p><pre class="screen">
$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
abmas.biz       IN SOA  sleeth1.abmas.biz. root.abmas.biz. (
                                2003021833 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        ; An NS target must not be a CNAME (named refuses to load
                        ; the zone); point it at the host record, not the dns alias.
                        NS      sleeth1.abmas.biz.
                        MX      10 mail.abmas.biz.
$ORIGIN abmas.biz.
sleeth1                 A       192.168.1.1
sleeth2                 A       192.168.2.1
qmsa                    A       192.168.1.20
hplj6a                  A       192.168.1.30
qmsf                    A       192.168.2.20
hplj6f                  A       192.168.2.30
dns                     CNAME   sleeth1
diamond                 CNAME   sleeth1
mail                    CNAME   sleeth1
</pre></div><p>

</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 4.15. DNS Abmas.us Forward Zone File</b></p><pre class="screen">
$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
abmas.us        IN SOA  server.abmas.us. root.abmas.us. (
                                2003021833 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        ; NS targets must be A records, not the dns CNAME alias.
                        NS      server.abmas.us.
                        NS      dns2.abmas.us.
                        MX      10 mail.abmas.us.
$ORIGIN abmas.us.
server                  A       123.45.67.66
dns2                    A       123.45.54.32
gw                      A       123.45.67.65
www                     CNAME   server
mail                    CNAME   server
dns                     CNAME   server
</pre></div><p>

		</p></li><li><p>
	      <a class="indexterm" name="id2542979"></a><a class="indexterm" name="id2542985"></a>
		All DNS name resolution should be handled locally. To ensure that the server is configured
		correctly to handle this, edit <tt class="filename">/etc/resolv.conf</tt> to have the following
		content:
</p><pre class="screen">
search abmas.us abmas.biz
nameserver 127.0.0.1
nameserver 123.45.54.23
</pre><p>
	      <a class="indexterm" name="id2543010"></a>
		This instructs the name resolver function (when configured correctly) to ask the DNS server
		that is running locally to resolve names to addresses. In the event that the local name server
		is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
		purely local names to IP addresses.
		</p></li><li><p>
		<a class="indexterm" name="id2543031"></a>
		The final step is to edit the <tt class="filename">/etc/nsswitch.conf</tt> file.
		This file controls the operation of the various resolver libraries that are part of the Linux
		Glibc libraries. Edit this file so that it contains the following entries:
</p><pre class="screen">
hosts:      files dns wins
</pre><p>
		</p></li></ol></div><p>
	The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
	there are a few more steps along the road. First, configure the print spooling and print
	processing system.  Then you can configure the server so that all services
	start automatically on reboot. You must also manually start all services prior to validation testing.
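The printer reservations in <tt class="filename">/etc/dhcpd.conf</tt> and the A and PTR records in the zone files above have to be kept in agreement by hand. The following Python script, added here as an example and not part of the book, cross-checks the three files; its sample inputs are constructed to resemble the Abmas files, with the qmsf reservation deliberately mis-typed so the checker has something to report.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the chapter's /etc/dhcpd.conf and zone
# files (not copied from the book). The qmsf reservation is deliberately wrong:
# it reuses qmsa's address, which also lies outside 192.168.2.0/24, and its MAC
# has the multicast bit set, so the checker has something to report.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.128 192.168.1.254;
    host qmsa   { hardware ethernet 08:00:46:7a:35:e4; fixed-address 192.168.1.20; }
    host hplj6a { hardware ethernet 00:03:47:cb:81:e0; fixed-address 192.168.1.30; }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.2.128 192.168.2.254;
    host qmsf   { hardware ethernet 01:04:31:db:e1:c0; fixed-address 192.168.1.20; }
    host hplj6f { hardware ethernet 00:03:47:cf:83:e2; fixed-address 192.168.2.30; }
}
"""
FORWARD_ZONE = """\
$ORIGIN abmas.biz.
sleeth1   A      192.168.1.1
qmsa      A      192.168.1.20
hplj6a    A      192.168.1.30
qmsf      A      192.168.2.20
hplj6f    A      192.168.2.30
dns       CNAME  sleeth1
"""
REVERSE_ZONES = """\
$ORIGIN 1.168.192.in-addr.arpa.
20   PTR  qmsa.abmas.biz.
30   PTR  hplj6a.abmas.biz.
$ORIGIN 2.168.192.in-addr.arpa.
20   PTR  qmsf.abmas.biz.
30   PTR  hplj6f.abmas.biz.
"""


def parse_dhcpd(text):
    """Return {host: {"subnet", "mac", "ip"}} for every host block in dhcpd.conf."""
    toks = re.sub(r"([{};])", r" \1 ", re.sub(r"#.*", "", text)).split()
    hosts, net, host, i = {}, None, None, 0
    while i < len(toks):
        t = toks[i]
        if t == "subnet":                   # subnet A netmask M {
            net = ipaddress.ip_network(f"{toks[i+1]}/{toks[i+3]}", strict=False)
        elif t == "host":                   # host NAME {
            host = toks[i+1]
            hosts[host] = {"subnet": net, "mac": "", "ip": None}
        elif t == "hardware":               # hardware ethernet MAC ;
            hosts[host]["mac"] = toks[i+2].lower()
        elif t == "fixed-address":          # fixed-address IP ;
            hosts[host]["ip"] = ipaddress.ip_address(toks[i+1])
        elif t == "}":                      # closes the open host, else the subnet
            host, net = (None, net) if host else (None, None)
        # skip the statement just consumed; anything else advances one token
        i += {"subnet": 5, "host": 3, "hardware": 4, "fixed-address": 3}.get(t, 1)
    return hosts


def parse_zones(forward, reverse):
    """A records by short name from the forward zone; PTR targets by address."""
    a = {m[1]: ipaddress.ip_address(m[2]) for m in
         re.finditer(r"^(\S+)\s+(?:IN\s+)?A\s+(\d+(?:\.\d+){3})", forward, re.M)}
    ptr, prefix = {}, None
    for line in reverse.splitlines():
        o = re.match(r"^\$ORIGIN\s+(\S+)\.in-addr\.arpa\.", line)
        p = re.match(r"^(\d+)\s+(?:IN\s+)?PTR\s+(\S+?)\.?$", line.rstrip())
        if o:                               # "1.168.192" -> "192.168.1"
            prefix = ".".join(reversed(o[1].split(".")))
        elif p and prefix:
            ptr[ipaddress.ip_address(f"{prefix}.{p[1]}")] = p[2]
    return a, ptr


def check(dhcpd, forward, reverse, domain="abmas.biz"):
    """Return human-readable inconsistencies; an empty list means all agree."""
    a, ptr = parse_zones(forward, reverse)
    problems, owner = [], {}
    for name, h in parse_dhcpd(dhcpd).items():
        ip, net, mac = h["ip"], h["subnet"], h["mac"]
        if ip is None or net is None:
            problems.append(f"{name}: host block lacks a subnet or fixed-address")
            continue
        if ip not in net:
            problems.append(f"{name}: fixed-address {ip} is outside subnet {net}")
        if ip in owner:
            problems.append(f"{name}: fixed-address {ip} duplicates {owner[ip]}")
        owner.setdefault(ip, name)
        # Bit 0 of the first octet marks a group (multicast) address; no NIC
        # uses one as its own address, so no client could ever match this entry.
        if mac and int(mac.split(":")[0], 16) & 1:
            problems.append(f"{name}: hardware ethernet {mac} is a multicast address")
        if a.get(name) != ip:
            problems.append(f"{name}: A record says {a.get(name)}, DHCP says {ip}")
        if ptr.get(ip) != f"{name}.{domain}":
            problems.append(f"{name}: PTR for {ip} is {ptr.get(ip)}, expected {name}.{domain}")
    return problems


if __name__ == "__main__":
    for problem in check(DHCPD_CONF, FORWARD_ZONE, REVERSE_ZONES):
        print(problem)
```

To run it against the real files, read <tt class="filename">/etc/dhcpd.conf</tt>, the forward zone and the concatenated reverse zones into the three strings and call <tt class="constant">check()</tt>.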
1127	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1128	</p><div class="procedure"><ol type="1"><li><p>
1129		Configure each printer to be a DHCP client carefully following the manufacturer's guidelines.
1130		</p></li><li><p>
1131                Follow the instructions in the printer manufacturers' manuals to permit printing to port 9100.
1132		Use any other port the manufacturer specifies for direct mode, raw printing and adjust the
1133		port as necessary in the following example commands.
1134                This allows the CUPS spooler to print using raw mode protocols.
1135                <a class="indexterm" name="id2543101"></a>
1136                <a class="indexterm" name="id2543108"></a>
1137                </p></li><li><p>
1138	      <a class="indexterm" name="id2543121"></a><a class="indexterm" name="id2543129"></a>
1139                Configure the CUPS Print Queues as follows:
1140</p><pre class="screen">
1141<tt class="prompt">root# </tt> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
1142<tt class="prompt">root# </tt> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
1143<tt class="prompt">root# </tt> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
1144<tt class="prompt">root# </tt> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
1145</pre><p>
1146                <a class="indexterm" name="id2543172"></a>
1147                This has created the necessary print queues with no assigned print filter.
1148                </p></li><li><p><a class="indexterm" name="id2543186"></a>
1149		Print queues may not be enabled at creation. Use <span><b class="command">lpc stat</b></span> to check
1150		the status of the print queues and if necessary make certain that the queues you have 
1151		just created are enabled by executing the following:
1152</p><pre class="screen">
1153<tt class="prompt">root# </tt> /usr/bin/enable qmsa
1154<tt class="prompt">root# </tt> /usr/bin/enable hplj6a
1155<tt class="prompt">root# </tt> /usr/bin/enable qmsf
1156<tt class="prompt">root# </tt> /usr/bin/enable hplj6f
1157</pre><p>
1158		</p></li><li><p><a class="indexterm" name="id2543241"></a>
1159		Even though your print queues may be enabled, it is still possible that they
1160		are not accepting print jobs. A print queue services incoming printing
1161		requests only when configured to do so. Ensure that your print queues are
1162		set to accept incoming jobs by executing the following commands:
1163</p><pre class="screen">
1164<tt class="prompt">root# </tt> /usr/bin/accept qmsa
1165<tt class="prompt">root# </tt> /usr/bin/accept hplj6a
1166<tt class="prompt">root# </tt> /usr/bin/accept qmsf
1167<tt class="prompt">root# </tt> /usr/bin/accept hplj6f
1168</pre><p>
1169		</p></li><li><p>
1170                <a class="indexterm" name="id2543292"></a>
1171                <a class="indexterm" name="id2543299"></a>
1172                <a class="indexterm" name="id2543306"></a>
1173                Edit the file <tt class="filename">/etc/cups/mime.convs</tt> to uncomment the line:
1174</p><pre class="screen">
1175application/octet-stream     application/vnd.cups-raw      0     -
1176</pre><p>
1177                </p></li><li><p>
1178                <a class="indexterm" name="id2543334"></a>
1179                Edit the file <tt class="filename">/etc/cups/mime.types</tt> to uncomment the line:
1180</p><pre class="screen">
1181application/octet-stream
1182</pre><p>
1183                </p></li><li><p>
1184		Printing drivers are installed on each network client workstation.
1185		</p></li></ol></div><p>
	The UNIX system print queues have been configured and are ready for validation testing.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p>
	<a class="indexterm" name="id2543382"></a>
	There are two essential steps to process startup configuration. First, the process
	must be configured so that it automatically restarts each time the server
	is rebooted. This step involves use of the <span><b class="command">chkconfig</b></span> tool that
	creates the appropriate symbolic links from the master daemon control file that is
	located in the <tt class="filename">/etc/rc.d</tt> directory, to the <tt class="filename">/etc/rc'x'.d</tt>
	directories. Links are created so that when the system run-level is changed, the
	necessary start or kill script is run.
	</p><p>
	  <a class="indexterm" name="id2543417"></a><a class="indexterm" name="id2543423"></a><a class="indexterm" name="id2543431"></a><a class="indexterm" name="id2543438"></a><a class="indexterm" name="id2543446"></a>
	In the event that a service is not run as a daemon, but via the inter-networking
	super daemon (<span><b class="command">inetd</b></span> or <span><b class="command">xinetd</b></span>), then the <span><b class="command">chkconfig</b></span>
	tool makes the necessary entries in the <tt class="filename">/etc/xinetd.d</tt> directory
	and sends a hang-up (HUP) signal to the super daemon, thus forcing it to
	re-read its control files.
	</p><p>
	Last, each service must be started to permit system validation to proceed.
1205	</p><div class="procedure"><ol type="1"><li><p>
1206                Use the standard system tool to configure each service to restart
1207                automatically at every system reboot. For example:
1208                <a class="indexterm" name="id2543500"></a>
1209</p><pre class="screen">
1210<tt class="prompt">root# </tt> chkconfig dhpc on
1211<tt class="prompt">root# </tt> chkconfig named on
1212<tt class="prompt">root# </tt> chkconfig cups on
1213<tt class="prompt">root# </tt> chkconfig smb on
1214</pre><p>
1215		</p></li><li><p>
1216                <a class="indexterm" name="id2543544"></a>
1217                <a class="indexterm" name="id2543551"></a>
1218                <a class="indexterm" name="id2543558"></a>
1219		Now start each service to permit the system to be validated.
1220		Execute each of the following in the sequence shown:
1221
1222</p><pre class="screen">
1223<tt class="prompt">root# </tt> /etc/rc.d/init.d/dhcp restart
1224<tt class="prompt">root# </tt> /etc/rc.d/init.d/named restart
1225<tt class="prompt">root# </tt> /etc/rc.d/init.d/cups restart
1226<tt class="prompt">root# </tt> /etc/rc.d/init.d/smb restart
1227</pre><p>
                </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p><a class="indexterm" name="id2543611"></a>
	Complex networking problems are most often caused by simple things that are poorly or incorrectly
	configured. The validation process adopted here should be followed carefully; it is the result of the
	experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
	refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
	and diligence in network validation. By thoroughly testing and validating every step in the process
	of network installation and configuration, you can save yourself from sleepless nights and restless
	days. A well-debugged network is a foundation for happy network users and network administrators.
	Later in this book you learn how to make users happier. For now, it is enough to learn to
	validate. Let's get on with it.
1238	</p><div class="procedure"><ol type="1"><li><p>
1239			<a class="indexterm" name="id2543643"></a>
1240			One of the most important facets of Samba configuration is to ensure that
1241			name resolution functions correctly. You can test name resolution
1242			with a few simple tests. The most basic name resolution is provided from the
1243			<tt class="filename">/etc/hosts</tt> file. To test its operation, make a
1244			temporary edit to the <tt class="filename">/etc/nsswitch.conf</tt> file. Using
1245			your favorite editor, change the entry for <tt class="constant">hosts</tt> to read:
1246</p><pre class="screen">
1247hosts:     files
1248</pre><p>
1249			When you have saved this file, execute the following command:
1250</p><pre class="screen">
1251<tt class="prompt">root# </tt> ping diamond
1252PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
125364 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
125464 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
125564 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
125664 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
1257
1258--- sleeth1.abmas.biz ping statistics ---
12594 packets transmitted, 4 received, 0% packet loss, time 3016ms
1260rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
1261</pre><p>
1262			This proves that name resolution via the <tt class="filename">/etc/hosts</tt> file
1263			is working.
1264			</p></li><li><p>
1265			<a class="indexterm" name="id2543712"></a>
1266			So far, your installation is going particularly well. In this step we validate
1267			DNS server and name resolution operation. Using your favorite UNIX system editor,
1268			change the <tt class="filename">/etc/nsswitch.conf</tt> file so that the
1269			<tt class="constant">hosts</tt> entry reads:
1270</p><pre class="screen">
1271hosts:        dns
1272</pre><p>
1273			</p></li><li><p>
1274			<a class="indexterm" name="id2543745"></a>
1275			Before you test DNS operation, it is a good idea to verify that the DNS server
1276			is running by executing the following:
1277</p><pre class="screen">
1278<tt class="prompt">root# </tt> ps ax | grep named
1279  437 ?        S      0:00 /sbin/syslogd -a /var/lib/named/dev/log
1280  524 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named
1281  525 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named
1282  526 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named
1283  529 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named
1284  540 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named
1285 2552 pts/2    S      0:00 grep named
1286</pre><p>
1287			This means that we are ready to check DNS operation. Do so by executing:
1288			<a class="indexterm" name="id2543775"></a>
1289</p><pre class="screen">
1290<tt class="prompt">root# </tt> ping diamond
1291PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
129264 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
129364 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
1294
1295--- sleeth1.abmas.biz ping statistics ---
12962 packets transmitted, 2 received, 0% packet loss, time 999ms
1297rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
1298</pre><p>
1299			You should take a few more steps to validate DNS server operation, as follows:
1300</p><pre class="screen">
1301<tt class="prompt">root# </tt> host -f diamond.abmas.biz
1302sleeth1.abmas.biz has address 192.168.1.1
1303</pre><p>
1304			<a class="indexterm" name="id2543814"></a>
1305			You may now remove the entry called <tt class="constant">diamond</tt> from the
1306			<tt class="filename">/etc/hosts</tt> file. It does not hurt to leave it there,
1307			but its removal reduces the number of administrative steps for this name.
1308			</p></li><li><p>
1309			<a class="indexterm" name="id2543840"></a>
1310			WINS is a great way to resolve NetBIOS names to their IP address. You can test
1311			the operation of WINS by starting <span><b class="command">nmbd</b></span> (manually, or by way
1312			of the Samba startup method shown in <a href="secure.html#procstart" title="Process Startup Configuration">???</a>). You must edit
1313			the <tt class="filename">/etc/nsswitch.conf</tt> file so that the <tt class="constant">hosts</tt>
1314			entry is as follows:
1315</p><pre class="screen">
1316hosts:        wins
1317</pre><p>
1318			The next step is to make certain that Samba is running using <span><b class="command">ps ax|grep mbd</b></span>, and then execute the following:
1319</p><pre class="screen">
1320<tt class="prompt">root# </tt> ping diamond
1321PING diamond (192.168.1.1) 56(84) bytes of data.
132264 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
132364 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
1324</pre><p>
1325			<a class="indexterm" name="id2543901"></a>
1326			Now that you can relax with the knowledge that all three major forms of name
1327			resolution to IP address resolution are working, edit the <tt class="filename">/etc/nsswitch.conf</tt>
1328			again. This time you add all three forms of name resolution to this file.
1329			Your edited entry for <tt class="constant">hosts</tt> should now look like this:
1330</p><pre class="screen">
1331hosts:       files dns wins
1332</pre><p>
1333			The system is looking good. Let's move on.
1334			</p></li><li><p>
1335			It would give peace of mind to know that the DHCP server is running
1336			and available for service. You can validate DHCP services by running:
1337
1338</p><pre class="screen">
1339<tt class="prompt">root# </tt> ps ax | grep dhcp
1340 2618 ?        S      0:00 /usr/sbin/dhcpd ...
1341 8180 pts/2    S      0:00 grep dhcp
1342</pre><p>
1343			This shows that the server is running. The proof of whether or not it is working
1344			comes when you try to add the first DHCP client to the network.
1345			</p></li><li><p>
1346			<a class="indexterm" name="id2543961"></a>
1347			This is a good point at which to start validating Samba operation. You are 
1348			content that name resolution is working for basic TCP/IP needs. Let's move on.
1349			If your <tt class="filename">smb.conf</tt> file has bogus options or parameters, this may cause Samba
1350			to refuse to start. The first step should always be to validate the contents
1351			of this file by running:
1352</p><pre class="screen">
1353<tt class="prompt">root# </tt> testparm -s
1354Load smb config files from /etc/samba/smb.conf
1355Processing section "[IPC$]"
1356Processing section "[homes]"
1357Processing section "[printers]"
1358Processing section "[netlogon]"
1359Processing section "[profiles]"
1360Processing section "[accounts]"
1361Processing section "[service]"
1362Processing section "[apps]"
1363Loaded services file OK.
1364# Global parameters
1365[global]
1366        workgroup = PROMISES
1367        netbios name = DIAMOND
1368        interfaces = eth1, eth2, lo
1369        bind interfaces only = Yes
1370        passdb backend = tdbsam
1371        pam password change = Yes
1372        passwd chat = *New*Password* %n\n \
1373		*Re-enter*new*password* %n\n *Password*changed*
1374        username map = /etc/samba/smbusers
1375        unix password sync = Yes
1376        log level = 1
1377        syslog = 0
1378        log file = /var/log/samba/%m
1379        max log size = 50
1380        smb ports = 139 445
1381        name resolve order = wins bcast hosts
1382        time server = Yes
1383        printcap name = CUPS
1384        show add printer wizard = No
1385        add user script = /usr/sbin/useradd -m %u
1386        delete user script = /usr/sbin/userdel -r %u
1387        add group script = /usr/sbin/groupadd %g
1388        delete group script = /usr/sbin/groupdel %g
1389        add user to group script = /usr/sbin/usermod -G %g %u
1390        add machine script = /usr/sbin/useradd \
1391				-s /bin/false -d /var/lib/nobody %u
1392        shutdown script = /var/lib/samba/scripts/shutdown.sh
1393        abort shutdown script = /sbin/shutdown -c
1394        logon script = scripts\logon.bat
1395        logon path = \\%L\profiles\%U
1396        logon drive = X:
1397        logon home = \\%L\%U
1398        domain logons = Yes
1399        preferred master = Yes
1400        wins support = Yes
1401        utmp = Yes
1402        winbind use default domain = Yes
1403        map acl inherit = Yes
1404        printing = cups
1405        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
1406        veto oplock files = /*.doc/*.xls/*.mdb/
1407
1408[IPC$]
1409        path = /tmp
1410        hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
1411        hosts deny = 0.0.0.0/0
1412...
1413### Remainder cut to save space ###
1414</pre><p>
1415			Clear away all errors before proceeding.
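Beyond syntax, the settings that matter on a server with an Internet link are the ones shown above: <tt class="constant">interfaces</tt>, <tt class="constant">bind interfaces only</tt>, and the per-share <tt class="constant">hosts allow</tt> lists. The following Python check, added here as an example and not part of the book, parses <span><b class="command">testparm -s</b></span> output (including its backslash-continued lines) and reports any share that is not confined to the office LANs; the sample listing, the internal network list, and the assumption that eth0 is the Internet-facing interface are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the style of the chapter's `testparm -s` output (not the
# book's own listing). The [apps] share is deliberately opened to the world so
# the audit has something to report.
TESTPARM_OUTPUT = r"""
# Global parameters
[global]
        workgroup = PROMISES
        netbios name = DIAMOND
        interfaces = eth1, eth2, lo
        bind interfaces only = Yes
        passwd chat = *New*Password* %n\n \
                *Re-enter*new*password* %n\n *Password*changed*
        smb ports = 139 445
        wins support = Yes

[IPC$]
        path = /tmp
        hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
        hosts deny = 0.0.0.0/0

[accounts]
        path = /data/accounts
        hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
        hosts deny = 0.0.0.0/0

[apps]
        path = /apps
        hosts allow = 0.0.0.0/0
"""

# Assumptions for this example: the two office LANs plus loopback are the only
# networks that should reach SMB, and eth0 is the interface facing the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.1.0/24", "192.168.2.0/24", "127.0.0.0/8")]
EXTERNAL_IFACES = {"eth0"}


def parse_smbconf(text):
    """Return {section: {param: value}}, joining lines testparm wraps with a backslash."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]             # value continues on the next line
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf


def is_internal(entry):
    """True if a 'hosts allow' entry (address or CIDR) lies inside an internal net."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False    # names, "192.168.1." prefixes, EXCEPT clauses: review by hand
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def audit(conf):
    """Return findings; an empty list means SMB is confined to the internal LANs."""
    g, findings = conf.get("global", {}), []
    if g.get("bind interfaces only", "").lower() not in ("yes", "true", "1"):
        findings.append("global: 'bind interfaces only' is not Yes, so smbd listens on every interface")
    ifaces = {i for i in re.split(r"[,\s]+", g.get("interfaces", "")) if i}
    if ifaces & EXTERNAL_IFACES:
        findings.append(f"global: 'interfaces' includes the external interface {sorted(ifaces & EXTERNAL_IFACES)}")
    for section, params in conf.items():
        if section == "global":
            continue
        # A share inherits 'hosts allow' from [global] unless it sets its own.
        allow = params.get("hosts allow", g.get("hosts allow", ""))
        if not allow:
            findings.append(f"[{section}]: no 'hosts allow' in the share or in [global]")
            continue
        for entry in (e for e in re.split(r"[,\s]+", allow) if e):
            if not is_internal(entry):
                findings.append(f"[{section}]: 'hosts allow' admits {entry}, which is not an internal network")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smbconf(TESTPARM_OUTPUT)):
        print(finding)
```

Feed it the real output with <span><b class="command">testparm -s</b></span> piped into the script, or run it on the saved listing; entries in forms the script cannot parse as addresses are reported so they can be reviewed by hand.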
			</p></li><li><p>
			<a class="indexterm" name="id2544067"></a>
			<a class="indexterm" name="id2544074"></a>
			<a class="indexterm" name="id2544081"></a>
			<a class="indexterm" name="id2544088"></a>
			Check that the Samba server is running:
</p><pre class="screen">
<tt class="prompt">root# </tt> ps ax | grep mbd
14244 ?        S      0:00 /usr/sbin/nmbd -D
14245 ?        S      0:00 /usr/sbin/nmbd -D
14290 ?        S      0:00 /usr/sbin/smbd -D

<tt class="prompt">root# </tt> ps ax | grep winbind
14293 ?        S     0:00 /usr/sbin/winbindd -B
14295 ?        S     0:00 /usr/sbin/winbindd -B
</pre><p>
			The <span><b class="command">winbindd</b></span> daemon is running in split mode (normal), so there are also
			two instances<sup>[<a name="id2544119" href="#ftn.id2544119">7</a>]</sup> of it.
1435			<a class="indexterm" name="id2544149"></a>
1436	      <a class="indexterm" name="id2544156"></a>
1437			Check that an anonymous connection can be made to the Samba server:
1438</p><pre class="screen">
1439<tt class="prompt">root# </tt> smbclient -L localhost -U%
1440
1441        Sharename      Type      Comment
1442        ---------      ----      -------
1443        IPC$           IPC       IPC Service (Samba 3.0.12)
1444        netlogon       Disk      Network Logon Service
1445        profiles       Disk      Profile Share
1446        accounts       Disk      Accounting Files
1447        service        Disk      Financial Services Files
1448        apps           Disk      Application Files
1449        ADMIN$         IPC       IPC Service (Samba 3.0.12)
1450        hplj6a         Printer   hplj6a
1451        hplj6f         Printer   hplj6f
1452        qmsa           Printer   qmsa
1453        qmsf           Printer   qmsf
1454
1455        Server               Comment
1456        ---------            -------
1457        DIAMOND              Samba CVS 3.0.12
1458
1459        Workgroup            Master
1460        ---------            -------
1461        PROMISES             DIAMOND
1462</pre><p>
1463			This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
1464			of browsing the server from a Windows client to obtain a list of shares on the server.
1465			The <tt class="constant">-U%</tt> argument means "send a <tt class="constant">NULL</tt> username and
1466			a <tt class="constant">NULL</tt> password."
1467			</p></li><li><p>
1468			<a class="indexterm" name="id2544214"></a>
1469			<a class="indexterm" name="id2544221"></a>
1470			<a class="indexterm" name="id2544228"></a>
1471			Verify that each printer has the IP address assigned in the DHCP server configuration file.
1472			The easiest way to do this is to ping the printer name. Immediately after the ping response
1473			has been received, execute <span><b class="command">arp -a</b></span> to find the MAC address of the printer
1474			that has responded. Now you can compare the IP address and the MAC address of the printer
1475			with the configuration information in the <tt class="filename">/etc/dhcpd.conf</tt> file. They
1476			should, of course, match. For example:
1477</p><pre class="screen">
1478<tt class="prompt">root# </tt> ping hplj6
1479PING hplj6a (192.168.1.30) 56(84) bytes of data.
148064 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
1481
1482<tt class="prompt">root# </tt> arp -a
1483hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
1484</pre><p>
1485	      <a class="indexterm" name="id2544274"></a>
1486			The MAC address <tt class="constant">00:03:47:CB:81:E0</tt> matches that specified for the
1487			IP address from which the printer has responded and with the entry for it in the
1488			<tt class="filename">/etc/dhcpd.conf</tt> file. Repeat this for each printer configured.
1489			</p></li><li><p>
1490			<a class="indexterm" name="id2544303"></a>
1491			Make an authenticated connection to the server using the <span><b class="command">smbclient</b></span> tool:
1492</p><pre class="screen">
1493<tt class="prompt">root# </tt> smbclient //diamond/accounts -U gholmes
1494Password: XXXXXXX
1495smb: \&gt; dir
1496  .                          D        0  Thu Nov 27 15:07:09 2003
1497  ..                         D        0  Sat Nov 15 17:40:50 2003
1498  zakadmin.exe                   161424  Thu Nov 27 15:06:52 2003
1499  zak.exe                       6066384  Thu Nov 27 15:06:52 2003
1500  dhcpd.conf                       1256  Thu Nov 27 15:06:52 2003
1501  smb.conf                         2131  Thu Nov 27 15:06:52 2003
1502  initGrps.sh                A     1089  Thu Nov 27 15:06:52 2003
1503  POLICY.EXE                      86542  Thu Nov 27 15:06:52 2003
1504
1505                55974 blocks of size 65536. 33968 blocks available
1506smb: \&gt; q
1507</pre><p>
1508			</p></li><li><p>
1509			<a class="indexterm" name="id2544360"></a>
			Your new server is attached to an Internet-accessible connection. Before you start
			your firewall, you should run a port scanner against the server from a host outside your
			network, and repeat the scan after the firewall has been started. Comparing the two results
			shows which services were exposed to external attack and which the firewall now blocks; a scan
			run from inside the LAN would not exercise the rules on the external interface. One way you can
			do this is by using an external service such as the <a href="http://www.dslreports.com/scan" target="_top">DSL Reports</a> 
			tools. Alternatively, if you have access to a remote UNIX/Linux system that has the
			<span><b class="command">nmap</b></span> tool (a TCP connect scan, <tt class="constant">-sT</tt>, does not
			require root privileges on the scanning host), you can run it as follows:
1517</p><pre class="screen">
1518<tt class="prompt">root# </tt> nmap -v -sT server.abmas.us
1519
1520Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
1521Host server.abmas.us (123.45.67.66) appears to be up ... good.
1522Initiating Connect() Scan against server.abmas.us (123.45.67.66)
1523Adding open port 6000/tcp
1524Adding open port 873/tcp
1525Adding open port 445/tcp
1526Adding open port 10000/tcp
1527Adding open port 901/tcp
1528Adding open port 631/tcp
1529Adding open port 25/tcp
1530Adding open port 111/tcp
1531Adding open port 32770/tcp
1532Adding open port 3128/tcp
1533Adding open port 53/tcp
1534Adding open port 80/tcp
1535Adding open port 443/tcp
1536Adding open port 139/tcp
1537Adding open port 22/tcp
1538The Connect() Scan took 0 seconds to scan 1601 ports.
1539Interesting ports on server.abmas.us (123.45.67.66):
1540(The 1587 ports scanned but not shown below are in state: closed)
1541Port       State       Service
154222/tcp     open        ssh
154325/tcp     open        smtp
154453/tcp     open        domain
154580/tcp     open        http
1546111/tcp    open        sunrpc
1547139/tcp    open        netbios-ssn
1548443/tcp    open        https
1549445/tcp    open        microsoft-ds
1550631/tcp    open        ipp
1551873/tcp    open        rsync
1552901/tcp    open        samba-swat
15533128/tcp   open        squid-http
15546000/tcp   open        X11
155510000/tcp  open        snet-sensor-mgmt
155632770/tcp  open        sometimes-rpc3
1557
1558Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
1559</pre><p>
1560			The above scan was run before the external interface was locked down with the NAT-firewall
1561			script you created above. The following results are obtained after the firewall rules
1562			have been put into place:
1563</p><pre class="screen">
1564<tt class="prompt">root# </tt> nmap -v -sT server.abmas.us
1565
1566Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
1567Host server.abmas.us (123.45.67.66) appears to be up ... good.
1568Initiating Connect() Scan against server.abmas.us (123.45.67.66)
1569Adding open port 53/tcp
1570Adding open port 22/tcp
1571The Connect() Scan took 168 seconds to scan 1601 ports.
1572Interesting ports on server.abmas.us (123.45.67.66):
1573(The 1593 ports scanned but not shown below are in state: filtered)
1574Port       State       Service
157522/tcp     open        ssh
157625/tcp     closed      smtp
157753/tcp     open        domain
157880/tcp     closed      http
1579443/tcp    closed      https
1580
1581Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
</pre><p>
			Only <tt class="constant">ssh</tt> and <tt class="constant">domain</tt> remain reachable from the Internet.
			A port that nmap reports as <tt class="constant">filtered</tt> gave no reply at all, meaning the firewall
			dropped the probe; this is also why the second scan took 168 seconds instead of under a second, since
			the scanner has to wait for a timeout on every dropped probe. A port reported as
			<tt class="constant">closed</tt> answered with a TCP reset, so that probe was not silently dropped:
			either nothing is listening on it or the firewall rule for it rejects rather than drops.
			Keep both scan reports; re-running the external scan after every firewall change and comparing it
			against this baseline is the quickest way to notice a service that has been exposed by mistake.
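			The two checks above that lend themselves to automation, the printer MAC comparison against
			<tt class="filename">/etc/dhcpd.conf</tt> and the before/after port scan, as an added shell example
			that is not part of the book or of Samba. It assumes <span><b class="command">arp -a</b></span> output in
			the form shown above (Linux net-tools and BSD both print it that way) and nmap's classic table
			output; the dhcpd.conf fragment, ARP listing and scan tables embedded in it are constructed to
			mirror this chapter's listings (one printer is given a deliberately wrong MAC address), and the
			allowlist of ports 22 and 53 is the post-firewall result shown above.

```sh
#!/bin/sh
# Added validation helper; not part of the book or of Samba. It automates two
# of the checks above: (1) every host that dhcpd.conf pins to a fixed address
# answers from the MAC address dhcpd.conf assigns it, and (2) an external nmap
# scan shows no open TCP port outside an allowlist. Inputs are passed as text
# so the functions can be exercised offline on the constructed samples below.

# dhcp_hosts: stdin = dhcpd.conf text; stdout = "name mac ip" for each host
# block (one-line or multi-line) with both "hardware ethernet" and "fixed-address".
dhcp_hosts() {
    awk '
        /^[ \t]*host[ \t]/ { name = $2; mac = ""; ip = "" }
        match($0, /hardware[ \t]+ethernet[ \t]+[0-9A-Fa-f:]+/) {
            mac = substr($0, RSTART, RLENGTH); sub(/.*[ \t]/, "", mac)
        }
        match($0, /fixed-address[ \t]+[^; \t]+/) {
            ip = substr($0, RSTART, RLENGTH); sub(/.*[ \t]/, "", ip)
        }
        /}/ && name != "" && mac != "" && ip != "" {
            print name, tolower(mac), ip; name = ""
        }'
}

# arp_mac ARP_LISTING IP: MAC that "arp -a" recorded for IP (lower-cased),
# empty if the address never answered a ping.
arp_mac() {
    printf '%s\n' "$1" | awk -v ip="($2)" '$2 == ip && $3 == "at" { print tolower($4); exit }'
}

# check_printers DHCPD_TEXT ARP_LISTING: one OK or MISMATCH line per pinned host.
check_printers() {
    printf '%s\n' "$1" | dhcp_hosts | while read -r name mac ip; do
        seen=$(arp_mac "$2" "$ip")
        if [ "$seen" = "$mac" ]; then
            printf 'OK       %-8s %-14s %s\n' "$name" "$ip" "$mac"
        else
            printf 'MISMATCH %-8s %-14s configured %s, saw %s\n' \
                "$name" "$ip" "$mac" "${seen:-no reply}"
        fi
    done
}
printers_ok() { ! check_printers "$1" "$2" | grep -q MISMATCH; }

# open_ports NMAP_TEXT: TCP ports nmap reported "open", ascending, one per line.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' |
        sort -n
}

# unexpected_ports NMAP_TEXT ALLOWED: open ports not in the space-separated
# ALLOWED list (e.g. "22 53"); ports_ok is true when there are none.
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}
ports_ok() { [ -z "$(unexpected_ports "$1" "$2")" ]; }

# Constructed samples mirroring the listings above; hplj6b is given a wrong
# MAC on purpose, and the "before" scan is the pre-firewall result trimmed.
SAMPLE_DHCPD='host hplj6a { hardware ethernet 00:03:47:CB:81:E0; fixed-address 192.168.1.30; }
host hplj6b {
    hardware ethernet 00:03:47:CB:81:E1;
    fixed-address 192.168.1.31;
}'
SAMPLE_ARP='hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
hplj6b (192.168.1.31) at 00:03:47:CB:81:FF [ether] on eth0'
SCAN_BEFORE='Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
901/tcp    open        samba-swat
6000/tcp   open        X11
10000/tcp  open        snet-sensor-mgmt'
SCAN_AFTER='Port       State       Service
22/tcp     open        ssh
25/tcp     closed      smtp
53/tcp     open        domain
80/tcp     closed      http'

# Live use: ping each printer first so the ARP cache is fresh, run nmap from a
# host outside the firewall, then:
#   check_printers "$(cat /etc/dhcpd.conf)" "$(arp -a)"
#   ports_ok "$(nmap -sT server.abmas.us)" "22 53" || echo "unexpected ports open"
check_printers "$SAMPLE_DHCPD" "$SAMPLE_ARP"
echo "before firewall, open but not allowed: $(unexpected_ports "$SCAN_BEFORE" "22 53" | tr '\n' ' ')"
ports_ok "$SCAN_AFTER" "22 53" && echo "after firewall: only allowed ports open"
```

			The MAC comparison is case-insensitive because dhcpd.conf and the ARP cache frequently differ in
			hex case; a host that never replied shows up as a mismatch rather than being skipped, since a
			printer that does not answer at its pinned address is exactly what this step is meant to catch.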
1583			</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p><a class="indexterm" name="id2544484"></a><a class="indexterm" name="id2544492"></a>
1584	The use of an application server is a key mechanism by which desktop administration overheads
1585	can be reduced. Check the application manual for your software to identify how best to
1586	create an administrative installation.
1587	</p><p>
1588	Some Windows software will only run locally on the desktop computer. Such software
1589	is typically not suited for administrative installation. Administratively installed software
1590	permits one or more of the following installation choices:
1591	</p><div class="itemizedlist"><ul type="disc"><li><p>
1592		Install software fully onto a workstation, storing data files on the same workstation.
1593		</p></li><li><p>
1594		Install software fully onto a workstation with central network data file storage.
1595		</p></li><li><p>
1596		Install software to run off a central application server with data files stored
1597		on the local workstation. This is often called a minimum installation, or a
1598		network client installation.
1599		</p></li><li><p>
1600		Install software to run off a central application server with data files stored
1601		on a central network share. This type of installation often prevents storage
1602		of work files on the local workstation.
1603		</p></li></ul></div><p><a class="indexterm" name="id2544545"></a>
1604	A common application deployed in this environment is an office suite.
1605	Enterprise editions of Microsoft Office XP Professional can be administratively installed
1606	by launching the installation from a command shell. The command that achieves this is:
1607	<span><b class="command">setup /a</b></span>. It results in a set of prompts through which various
1608	installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
1609	Kit for more information regarding this mode of installation of MS Office XP Professional.
1610	The full administrative installation of MS Office XP Professional requires approximately
1611	650 MB of disk space.
1612	</p><p>
1613	When the MS Office XP Professional product has been installed to the administrative network
1614	share, the product can be installed onto a workstation by executing the normal setup program.
1615	The installation process now provides a choice to either perform a minimum installation
1616	or a full local installation. A full local installation takes over 100 MB of disk space.
1617	A network workstation (minimum) installation requires typically 10-15 MB of
	local disk space. In the latter case, when the applications are used, they load over the network.
1619	</p><p><a class="indexterm" name="id2544583"></a><a class="indexterm" name="id2544591"></a>
1620	Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
1621	it possible to update MS Office XP Professional for all users from a single installation
1622	of the service pack and generally circumvents the need to run updates on each network
1623	Windows client.
1624	</p><p>
1625	The default location for MS Office XP Professional data files can be set through registry
1626	editing or by way of configuration options inside each Office XP Professional application.
1627	</p><p><a class="indexterm" name="id2544614"></a>
	OpenOffice.org Version 1.1.0 can be installed locally. It can also
	be installed to run off a network share. The latter is the more desirable solution for office-bound 
	network users and for administrative staff alike. It permits quick and easy updates
	to be rolled out to all users with a minimum of disruption and with maximum flexibility.
1632	</p><p>
1633	The process for installation of administrative shared OpenOffice involves download of the
1634	distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
1635	When fully extracted using the un-zipping tool of your choosing, change into the Windows
1636	installation files directory then execute <span><b class="command">setup -net</b></span>. You are
1637	prompted on screen for the target installation location. This is the administrative
1638	share point. The full administrative OpenOffice share takes approximately 150 MB of disk
1639	space.
1640	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2544648"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p>
			Many single-user products can be installed into an administrative share, but
			personal versions of products such as Microsoft Office XP Professional do not permit this. 
			Many people do not like the terms of use typical of commercial products, so a few comments
			regarding software licensing seem important and are included below.
1645			</p><p>
1646			Please do not use an administrative installation of proprietary and commercially licensed 
1647			software products to violate the copyright holders' property. All software is licensed,
1648			particularly software that is licensed for use free of charge. All software is the property
1649			of the copyright holder, unless the author and/or copyright holder has explicitly disavowed
1650			ownership and has placed the software into the public domain.
1651			</p><p>
1652			Software that is under the GNU General Public License, like proprietary software, is 
1653			licensed in a way that restricts use. For example, if you modify GPL software and then
1654			distribute the binary version of your modifications, you must offer to provide the source
1655			code as well. This is a form of restriction that is designed to maintain the momentum
1656			of the diffusion of technology and to protect against the withholding of innovations.
1657			</p><p>
			Commercial and proprietary software generally restrict use to those who have paid the
			license fees and who comply with the licensor's terms of use. Software that is released
			under the GNU General Public License is restricted to particular terms and conditions
			also. Whatever the licensing terms may be, if you do not approve of the terms of use,
			please do not use the software.
1663			</p><p><a class="indexterm" name="id2544696"></a>
1664			Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
1665			with the source code.
1666			</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p>
1667	Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
1668	to reinstall many of the notebook computers that will be recycled for use with the new network 
1669	configuration. The smartest way to handle the challenge of the roll-out program is to build
1670	a staged system for each type of target machine, and then use an image replication tool such as Norton
1671	Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
1672	be done with notebook computers as long as they are identical or sufficiently similar.
1673	</p><div class="procedure"><ol type="1"><li><p>
1674		Install MS Windows XP Professional. During installation, configure the client to use DHCP for 
1675		TCP/IP protocol configuration.
1676		<a class="indexterm" name="id2544752"></a>
1677		<a class="indexterm" name="id2544759"></a>
1678		DHCP configures all Windows clients to use the WINS Server address that has been defined
1679		for the local subnet.
1680		</p></li><li><p>
1681		Join the Windows Domain <tt class="constant">PROMISES</tt>. Use the Domain Administrator
1682		user name <tt class="constant">root</tt> and the SMB password you assigned to this account.
		A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
		a Windows Domain is given in <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">Joining a Domain: Windows 200x/XP Professional</a>. 
		Reboot the machine as prompted and then log on using the Domain Administrator account
		(<tt class="constant">root</tt>).
1687		</p></li><li><p>
1688		Verify <tt class="constant">DIAMOND</tt> is visible in <span class="guimenu">My Network Places</span>, 
1689		that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>,
1690		<span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>,
1691		and that it is possible to open each share to reveal its contents.
1692		</p></li><li><p>
1693		Create a drive mapping to the <tt class="constant">apps</tt> share on the server <tt class="constant">DIAMOND</tt>.
1694		</p></li><li><p>
		Perform an administrative installation of each application to be used, selecting the options
		you wish to use. Where the application supports it, you can choose to have it run over the
		network from the application share.
1697		</p></li><li><p>
		Now install all applications that are to be installed locally. Typical tools include Adobe Acrobat,
		NTP-based time synchronization software, drivers for specific local devices such as fingerprint
		scanners, and the like. Probably the most significant application for local installation
		is anti-virus software.
1702		</p></li><li><p>
1703		Now install all four printers onto the staging system. The printers you install
1704		include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
1705		also configure identical printers that are located in the financial services department.
1706		Install printers on each machine using the following steps:
1707		</p><div class="procedure"><ol type="1"><li><p>
1708				Click <span class="guimenu">Start</span>-&gt;<span class="guimenuitem">Settings</span>-&gt;<span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
1709					Ensure that <span class="guimenuitem">Local printer</span> is selected.
1710				</p></li><li><p>
1711				Click <span class="guibutton">Next</span>. In the panel labeled
1712				<span class="guimenuitem">Manufacturer:</span>, select <tt class="constant">HP</tt>.
1713				In the <span class="guimenuitem">Printers:</span> panel, select the printer called
1714				<tt class="constant">HP LaserJet 6</tt>. Click <span class="guibutton">Next</span>.
1715				</p></li><li><p>
1716				In the panel labeled <span class="guimenuitem">Available ports:</span>, select
1717				<tt class="constant">FILE:</tt>. Accept the default printer name by clicking
1718				<span class="guibutton">Next</span>. When asked, &#8220;<span class="quote"><span class="emphasis"><em>Would you like to print a
1719				test page?,</em></span></span>&#8221; click <span class="guimenuitem">No</span>. Click
1720				<span class="guibutton">Finish</span>.
1721				</p></li><li><p>
1722				You may be prompted for the name of a file to print to. If so, close the
1723				dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span>-&gt;<span class="guimenuitem">Properties</span>-&gt;<span class="guisubmenu">Details (Tab)</span>-&gt;<span class="guimenuitem">Add Port</span>.
1724				</p></li><li><p>
1725				In the panel labeled <span class="guimenuitem">Network</span>, enter the name of
1726				the print queue on the Samba server as follows: <tt class="constant">\\DIAMOND\hplj6a</tt>.
1727				Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
1728				</p></li><li><p>
1729				Repeat the printer installation steps above for both HP LaserJet 6 printers
1730				as well as for both QMS Magicolor laser printers.
1731				</p></li></ol></div></li><li><p><a class="indexterm" name="id2545107"></a>
1732		When you are satisfied that the staging systems are complete, use the appropriate procedure to
1733		remove the client from the domain. Reboot the system and then log on as the local administrator
1734		and clean out all temporary files stored on the system. Before shutting down, use the disk
1735		defragmentation tool so that the file system is in an optimal condition before replication.
1736		</p></li><li><p>
1737		Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
1738		machine to a network share on the server.
1739		</p></li><li><p><a class="indexterm" name="id2545138"></a><a class="indexterm" name="id2545149"></a>
1740		You may now replicate the image to the target machines using the appropriate Norton Ghost 
1741		procedure. Make sure to use the procedure that ensures each machine has a unique
1742		Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. 
1743		</p></li><li><p>
		Log onto the machine as the local Administrator (the only option), and join the machine to
		the Domain following the procedure set out in <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">Joining a Domain: Windows 200x/XP Professional</a>. The system is now 
		ready for the user to log on, provided you have created a network logon account for that 
		user.
1748		</p></li><li><p>
1749		Instruct all users to log onto the workstation using their assigned user name and password.
1750		</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2545191"></a>Key Points Learned</h3></div></div></div><p>
1751		How do you feel, Bob? You have built a capable network, a truly ambitious project.
1752		Just as well, you have Christine to help you. Future network updates can be handled by
1753		your staff. You must be a satisfied manager. Let's review the achievements.
1754		</p><div class="itemizedlist"><ul type="disc"><li><p>
1755			A simple firewall has been configured to protect the server in the event that
1756			the ISP firewall service should fail.
1757			</p></li><li><p>
1758			The Samba configuration uses measures to ensure that only local network users
1759			can connect to SMB/CIFS services.
1760			</p></li><li><p>
1761			Samba uses the new <tt class="constant">tdbsam</tt> passdb backend facility.
1762			Considerable complexity was added to Samba functionality.
1763			</p></li><li><p>
1764			A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
1765			server.
1766			</p></li><li><p>
1767			The DNS server was configured to permit DDNS only for local network clients. This
1768			server also provides primary DNS services for the company Internet presence.
1769			</p></li><li><p>
1770			You introduced an application server, as well as the concept of cloning a Windows
1771			client in order to effect improved standardization of desktops and to reduce
1772			the costs of network management.
1773			</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2545253"></a>Questions and Answers</h2></div></div></div><p>
1774	</p><div class="qandaset"><dl><dt>1. <a href="secure.html#id2545264">
1775		What is the maximum number of account entries that the tdbsam passdb backend can handle?
1776		</a></dt><dt>2. <a href="secure.html#id2545333">
1777		Would Samba operate any better if the OS Level is set to a value higher than 35?
1778		</a></dt><dt>3. <a href="secure.html#id2545355">
1779		Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
1780		</a></dt><dt>4. <a href="secure.html#id2545378">
1781		Why has a path been specified in the IPC$ share?
1782		</a></dt><dt>5. <a href="secure.html#id2545406">
		Why does the smb.conf file in this exercise include an entry for smb ports?
1784		</a></dt><dt>6. <a href="secure.html#id2545459">
1785		What is the difference between a print queue and a printer?
1786		</a></dt><dt>7. <a href="secure.html#id2545494">
1787		Can all MS Windows application software be installed onto an application server share?
1788		</a></dt><dt>8. <a href="secure.html#id2545519">
1789		Why use dynamic DNS (DDNS)?
1790		</a></dt><dt>9. <a href="secure.html#id2545539">
1791		Why would you use WINS as well as DNS-based name resolution?
1792		</a></dt><dt>10. <a href="secure.html#id2545625">
1793		What are the major benefits of using an application server?
1794		</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2545264"></a><a name="id2545267"></a><b>1.</b></td><td align="left" valign="top"><p>
1795		What is the maximum number of account entries that the <i class="parameter"><tt>tdbsam</tt></i> passdb backend can handle?
1796		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1797		The tdb data structure and support system can handle more entries than the number of accounts
1798		that are possible on most UNIX systems. There is a practical limit that would come into play
1799		long before a performance boundary would be anticipated. That practical limit is controlled
1800		by the nature of Windows networking. There are few Windows file and print servers
1801		that can handle more than a few hundred concurrent client connections. The key limiting factors
1802		that predicate off-loading of services to additional servers are memory capacity, the number
1803		of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by
1804		just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation
1805		of the network (distributing network load across multiple networks).
1806		</p><p>
1807		As the network grows, it becomes necessary to provide additional authentication servers (domain 
1808		controllers).  The tdbsam is limited to a single machine and cannot be reliably replicated. 
1809		This means that practical limits on network design dictate the point at which a distributed 
1810		passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP).
1811		</p><p>
1812		The guideline provided in <span class="emphasis"><em>TOSHARG</em></span>, Chapter 10, Section 10.1.2, is to limit the number of accounts
1813		in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain
1814		controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used
1815		by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication
1816		not on the limits<sup>[<a name="id2545322" href="#ftn.id2545322">8</a>]</sup> of the tdbsam backend itself. 
1817		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545333"></a><a name="id2545335"></a><b>2.</b></td><td align="left" valign="top"><p>
1818		Would Samba operate any better if the OS Level is set to a value higher than 35?
1819		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1820		No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
1821		of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
1822		no gain to be had from setting this higher.
1823		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545355"></a><a name="id2545357"></a><b>3.</b></td><td align="left" valign="top"><p>
1824		Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
1825		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1826		At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
1827		a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
1828		Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
1829		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545378"></a><a name="id2545380"></a><b>4.</b></td><td align="left" valign="top"><p>
1830		Why has a path been specified in the <i class="parameter"><tt>IPC$</tt></i> share?
1831		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		This is done so that, should a software bug ever allow a client connected to the IPC$ share to reach
		the file system, it does so at a location that presents the least risk. It is a defense-in-depth
		measure: under normal operation the parameter is not needed, and Samba does not require it.
1835		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545406"></a><a name="id2545408"></a><b>5.</b></td><td align="left" valign="top"><p>
1836		Why does the <tt class="filename">smb.conf</tt> file in this exercise include an entry for <a class="indexterm" name="id2545420"></a>smb ports?
1837		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1838		The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
1839		used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
1840		over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
1841		specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service connection attempts.
1842		The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
1843		member, the default behavior is highly beneficial and should not be changed.
1844		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545459"></a><a name="id2545461"></a><b>6.</b></td><td align="left" valign="top"><p>
1845		What is the difference between a print queue and a printer?
1846		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1847		A printer is a physical device that is connected either directly to the network or to a computer 
1848		via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a 
1849		hard copy printout. Network attached printers that use TCP/IP-based printing generally accept a 
1850		single print data stream and block all secondary attempts to dispatch jobs concurrently to the 
1851		same device. If many clients were to concurrently print directly via TCP/IP to the same printer, 
1852		it would result in a huge amount of network traffic through continually failing connection attempts.
1853		</p><p>
1854		A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
1855		print requests. When the data stream has been fully received the input stream is closed,
1856		the job is then submitted to a sequential print queue where the job is stored until
1857		the printer is ready to receive the job.
1858		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545494"></a><a name="id2545497"></a><b>7.</b></td><td align="left" valign="top"><p>
1859		Can all MS Windows application software be installed onto an application server share?
1860		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1861		Much older Windows software is not compatible with installation to and execution off
1862		an application server. Enterprise versions of Microsoft Office XP Professional can
1863		be installed to an application server. Retail consumer versions of Microsoft Office XP
1864		Professional do not permit installation to an application server share and can be installed
1865		and used only to/from a local workstation hard disk.
1866		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545519"></a><a name="id2545521"></a><b>8.</b></td><td align="left" valign="top"><p>
1867		Why use dynamic DNS (DDNS)?
1868		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1869		When DDNS records are updated directly from the DHCP server, it is possible for
1870		network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate
1871		Windows clients via DNS.
1872		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545539"></a><a name="id2545542"></a><b>9.</b></td><td align="left" valign="top"><p>
1873		Why would you use WINS as well as DNS-based name resolution?
1874		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
		a name like &#8220;<span class="quote"><span class="emphasis"><em>myhost.mydomain.tld,</em></span></span>&#8221; where <i class="parameter"><tt>tld</tt></i>
		means <tt class="constant">top level domain</tt>. A FQDN is a long-hand but easy to remember
		expression of up to 255 characters (each dot-separated label at most 63) that resolves to one or more IP addresses. 
		A NetBIOS name is always 16 bytes long: the first 15 hold the name itself, padded with spaces,
		and the 16<sup>th</sup> byte is a name type indicator. A specific name type is registered<sup>[<a name="id2545578" href="#ftn.id2545578">9</a>]</sup> for each 
		type of service that is provided by the Windows server or client and that may be registered
		where a WINS server is in use.
1883		</p><p>
1884		WINS is a mechanism by which a client may locate the IP Address that corresponds to a
1885		NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name 
1886		that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
1887		that permits handling of the NetBIOS name type information.
1888		</p><p>
1889		DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular 
1890		hostname or service name that has been registered in the DNS database for a particular domain. 
1891		A DNS server has limited scope of control and is said to be authoritative for the zone over
1892		which it has control.
1893		</p><p>
1894		Windows 200x Active Directory requires the registration in the DNS zone for the domain it 
1895		controls of service locator<sup>[<a name="id2545612" href="#ftn.id2545612">10</a>]</sup> records 
1896		that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also 
1897		requires the registration of special records that are called global catalog (GC) entries 
1898		and site entries by which domain controllers and other essential ADS servers may be located. 
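		</p><p>
		As an added example of what the 16-byte name described above looks like when it is registered
		with or queried from a WINS server (this is not code from the book or from Samba), the following
		shell function builds a NetBIOS name and applies the first-level encoding defined in RFC 1001
		section 14.1: the name is upper-cased and space-padded to 15 bytes, the type byte is appended
		as byte 16, and each nibble is written as the letter <tt class="constant">A</tt> plus its value,
		giving the 32-letter string seen in name-service packets. The names DIAMOND and PROMISES are this
		chapter's server and domain, the type suffixes are the standard ones, and nothing is sent to the network.

```sh
#!/bin/sh
# Added example, not from the book or from Samba: builds the 16-byte NetBIOS
# name that a WINS client registers or queries (RFC 1001/1002 section 14.1).
# The name is upper-cased and space-padded to 15 bytes, the one-byte type is
# appended as byte 16, and the result is "first-level encoded": every nibble
# becomes the letter 'A' + nibble, giving the 32-letter string that appears
# in NetBIOS name service packets. Nothing is looked up on the network.

# netbios_name NAME TYPEHEX -> 32-character encoded name, e.g. netbios_name diamond 20
netbios_name() {
    # hex dump of the 15-byte padded, upper-cased name (od prints one "xx" per byte)
    hex=$(printf '%-15.15s' "$1" | tr 'a-z' 'A-Z' | od -An -v -tx1 | tr -d ' \n')
    # append the type byte, then map each hex digit (one nibble) to A..P
    printf '%s%s\n' "$hex" "$2" | awk 'BEGIN { digits = "0123456789abcdef" }
        { s = tolower($0); out = ""
          for (i = 1; i <= length(s); i++)
              out = out sprintf("%c", 64 + index(digits, substr(s, i, 1)))
          print out }'
}

# netbios_label NAME TYPEHEX -> the human form shown by nmblookup, e.g. DIAMOND<20>
netbios_label() {
    printf '%s<%s>\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" "$2"
}

# Suffixes the servers in this chapter register:
#   00 workstation/server name   20 file server (SMB)   1b domain master browser
#   1c domain controllers (group name)   1d local master browser
for spec in "diamond 00" "diamond 20" "promises 1b" "promises 1c"; do
    set -- $spec
    printf '%-14s %s\n' "$(netbios_label "$1" "$2")" "$(netbios_name "$1" "$2")"
done
```

		Names longer than 15 characters are silently truncated, exactly as NetBIOS does, which is
		why two hostnames that share their first 15 characters collide in WINS even though DNS tells them apart.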
1899		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2545625"></a><a name="id2545627"></a><b>10.</b></td><td align="left" valign="top"><p>
1900		What are the major benefits of using an application server?
1901		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
1902		The use of an application server can significantly reduce application update maintenance.
1903		By providing a centralized application share, software updates need be applied to only
1904		one location for all major applications used. This results in faster update roll-outs and
1905		significantly better application usage control.
1906		</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2539748" href="#id2539748">5</a>] </sup>See <span class="emphasis"><em>TOSHARG</em></span>, Chapter 3. This is necessary
1907		so that Samba can act as a Domain Controller (PDC); see <span class="emphasis"><em>TOSHARG</em></span>, Chapter 4 for 
1908		additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2540192" href="#id2540192">6</a>] </sup>ED NOTE: You may want to do the echo command last and include 
1909				"0" in the init scripts since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2544119" href="#id2544119">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG</em></span>, 
1910			Chapter 22, Section 22.3. The single instance of <span><b class="command">smbd</b></span> is normal. One additional
1911			<span><b class="command">smbd</b></span> slave process is spawned for each SMB/CIFS client 
1912			connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2545322" href="#id2545322">8</a>] </sup>Bench tests have shown that tdbsam is a very effective database technology.
1913				There is surprisingly little performance loss even with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2545578" href="#id2545578">9</a>] </sup>
1914				See <span class="emphasis"><em>TOSHARG</em></span>, Chapter 9 for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2545612" href="#id2545612">10</a>] </sup>See TOSHARG, Chapter 9, Section 9.3.3</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�3.�Small Office Networking�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�5.�The 500-User Office</td></tr></table></div></body></html>
1915