--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="2000users"></a>Chapter 6. A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="2000users.html#id2551552">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2551583">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2551650">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2551923">Technical Issues</a></span></dt><dt><span class="sect2"><a href="2000users.html#id2552878">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2552896">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="2000users.html#id2556208">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="2000users.html#id2556356">Questions and Answers</a></span></dt></dl></div><p>
+There is something indeed mystical about things that are
+big. Large networks exhibit a certain magnetism and exude a sense of
+importance that obscures reality. You and I know that it is no more
+difficult to secure a large network than it is a small one. We all
+know that over and above a particular number of network clients, the
+rules no longer change; the only real dynamic is the size of the domain
+(much like a kingdom) over which the network ruler (oops, administrator)
+has control. The real dynamic then transforms from the technical to the
+political. Then again, that point is often reached well before the
+kingdom (or queendom) grows large.
+</p><p>
+If you have systematically worked your way to this chapter, hopefully you
+have found some gems and techniques that are applicable in your
+world. The network designs you have worked with in this book have their
+strong points as well as weak ones. That is to be expected given that
+they are based on real business environments, the specifics of which are
+molded to serve the purposes of this book.
+</p><p>
+This chapter is intent on wrapping up issues that are central to
+implementation and design of progressively larger networks. Are you ready
+for this chapter? Good, it is time to move on.
+</p><p>
+In previous chapters, you made the assumption that your network
+administration staff need detailed instruction right down to the
+nuts and bolts of implementing the solution. That is still the case,
+but they have graduated now. You decide to document only those issues,
+methods, and techniques that are new or complex. Routine tasks such as
+implementing a DNS or a DHCP server are under control. Even the basics of
+Samba are largely under control. So in this section you focus on the
+specifics of implementing LDAP changes, Samba changes, and approach and
+design of the solution and its deployment.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551552"></a>Introduction</h2></div></div></div><p>
+Abmas is a miracle company. Most businesses would have collapsed under
+the weight of rapid expansion that this company has experienced. Samba
+is flexible, so there is no need to reinstall the whole operating
+system just because you need to implement a new network design. In fact,
+you can keep an old server running right up to the moment of cutover
+and then do a near-live conversion. There is no need to reinstall a
+Samba server just to change the way your network should function.
+</p><p>
+<a class="indexterm" name="id2551571"></a>
+Network growth is common to all organizations. In this exercise,
+your preoccupation is with the mechanics of implementing Samba and
+LDAP so that network users on each network segment can work
+without impediment.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2551583"></a>Assignment Tasks</h3></div></div></div><p>
+ Starting with the configuration files for the server called
+ <code class="constant">MASSIVE</code> in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you now deal with the
+ issues that are particular to large distributed networks. Your task
+ is simple identify the challenges, consider the
+ alternatives, and then design and implement a solution.
+ </p><p>
+ <a class="indexterm" name="id2551611"></a>
+ Remember, you have users based in London (UK), Los Angeles,
+ Washington. DC, and, three buildings in New York. A significant portion
+ of your workforce have notebook computers and roam all over the
+ world. Some dial into the office, others use VPN connections over the
+ Internet, and others just move between buildings.i
+ </p><p>
+ What do you say to an employee who normally uses a desktop
+ system but must spend six weeks on the road with a notebook computer?
+ She is concerned about email access and how to keep coworkers current
+ with changing documents.
+ </p><p>
+ To top it all off, you have one network support person and one
+ help desk person based in London, a single person dedicated to all
+ network operations in Los Angeles, five staff for user administration
+ and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for
+ Washington.
+ </p><p>
+ You have outsourced all desktop deployment and management to
+ DirectPointe. Your concern is server maintenance and third-level
+ support. Build a plan and show what must be done.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551650"></a>Dissection and Discussion</h2></div></div></div><p>
+<a class="indexterm" name="id2551658"></a>
+<a class="indexterm" name="id2551665"></a>
+In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented an LDAP server that provided the
+<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You
+explored ways to accelerate Windows desktop profile handling and you
+took control of network performance.
+</p><p>
+<a class="indexterm" name="id2551690"></a>
+<a class="indexterm" name="id2551697"></a>
+<a class="indexterm" name="id2551704"></a>
+<a class="indexterm" name="id2551711"></a>
+The implementation of an LDAP-based passdb backend (known as
+<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database
+that can be distributed, is essential to permit the deployment of Samba
+Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
+is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not
+lend itself to being replicated. The older plain-text-based
+<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated
+using a tool such as <span><strong class="command">rsync</strong></span>, but
+<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not
+support the range of account facilities demanded by modern network
+managers.
+</p><p>
+<a class="indexterm" name="id2551750"></a>
+<a class="indexterm" name="id2551757"></a>
+The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality
+that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of
+distributed infrastructure sorely limits the scope for its
+deployment. This raises the following questions: Why can't I just use
+an XML-based backend, or for that matter, why not use an SQL-based
+backend? Is support for these tools broken? Answers to these
+questions require a bit of background.</p><p>
+<a class="indexterm" name="id2551780"></a>
+<a class="indexterm" name="id2551787"></a>
+<a class="indexterm" name="id2551794"></a>
+<a class="indexterm" name="id2551801"></a>
+<span class="emphasis"><em>What is a directory?</em></span> A directory is a
+collection of information regarding objects that can be accessed to
+rapidly find information that is relevant in a particular and
+consistent manner. A directory differs from a database in that it is
+generally more often searched (read) than updated. As a consequence, the
+information is organized to facilitate read access rather than to
+support transaction processing.</p><p>
+<a class="indexterm" name="id2551821"></a>
+<a class="indexterm" name="id2551831"></a>
+<a class="indexterm" name="id2551838"></a>
+<a class="indexterm" name="id2551845"></a>
+The Lightweight Directory Access Protocol (LDAP) differs
+considerably from a traditional database. It has a simple search
+facility that uniquely makes a highly preferred mechanism for managing
+user identities. LDAP provides a scalable mechanism for distributing
+the data repository and for keeping all copies (slaves) in sync with
+the master repository.</p><p>
+<a class="indexterm" name="id2551861"></a>
+<a class="indexterm" name="id2551868"></a>
+<a class="indexterm" name="id2551874"></a>
+Samba is a flexible and powerful file and print sharing
+technology. It can use many external authentication sources and can be
+part of a total authentication and identity management
+infrastructure. The two most important external sources for large sites
+are Microsoft Active Directory and LDAP. Sites that specifically wish to
+avoid the proprietary implications of Microsoft Active Directory
+naturally gravitate toward OpenLDAP.</p><p>
+<a class="indexterm" name="id2551892"></a>
+In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you had to deal with a locally routed
+network. All deployment concerns focused around making users happy,
+and that simply means taking control over all network practices and
+usage so that no one user is disadvantaged by any other. The real
+lesson is one of understanding that no matter how much network
+bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must
+function. In particular, you must be concerned with users who move
+between offices. You must take into account the way users need to
+access information globally. And you must make the network robust
+enough so that it can sustain partial breakdown without causing loss of
+productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2551923"></a>Technical Issues</h3></div></div></div><p>
+ There are at least three areas that need to be addressed as you
+ approach the challenge of designing a network solution for the newly
+ expanded business:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2551939"></a>
+ User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2551963"></a>User Needs</h4></div></div></div><p>
+ The new company has three divisions. Staff for each division are spread across
+ the company. Some staff are office-bound and some are mobile users. Mobile
+ users travel globally. Some spend considerable periods working in other offices.
+ Everyone wants to be able to work without constraint of productivity.
+ </p><p>
+ The challenge is not insignificant. In some parts of the world, even dial-up
+ connectivity is poor, while in other regions political encumbrances severely
+ curtail user needs. Parts of the global Internet infrastructure remain shielded
+ off for reasons outside the scope of this discussion.
+ </p><p>
+ <a class="indexterm" name="id2551987"></a>
+ Decisions must be made regarding where data is to be stored, how it will be
+ replicated (if at all), and what the network bandwidth implications are. For
+ example, one decision that can be made is to give each office its own master
+ file storage area that can be synchronized to a central repository in New
+ York. This would permit global data to be backed up from a single location.
+ The synchronization tool could be <span><strong class="command">rsync,</strong></span> run via a cron
+ job. Mobile users may use off-line file storage under Windows XP Professional.
+ This way, they can synchronize all files that have changed since each logon
+ to the network.
+ </p><p>
+ <a class="indexterm" name="id2552014"></a>
+ <a class="indexterm" name="id2552023"></a>
+ No matter which way you look at this, the bandwidth requirements
+ for acceptable performance are substantial even if only 10 percent of
+ staff are global data users. A company with 3,500 employees,
+ 280 of whom are mobile users who use a similarly distributed
+ network, found they needed at least 2 Mb/sec connectivity
+ between the UK and US offices. Even over 2 Mb/sec bandwidth, this
+ company abandoned any attempt to run roaming profile usage for
+ mobile users. At that time, the average roaming profile took 480
+ KB, while today the minimum Windows XP Professional roaming
+ profile involves a transfer of over 750 KB from the profile
+ server to and from the client.
+ </p><p>
+ <a class="indexterm" name="id2552056"></a>
+ Obviously then, user needs and wide-area practicalities dictate the economic and
+ technical aspects of your network design as well as for standard operating procedures.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2552068"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p>
+ <a class="indexterm" name="id2552076"></a>
+ Network logons that include roaming profile handling requires from 140 KB to 2 MB.
+ The inclusion of support for a minimal set of common desktop applications can push
+ the size of a complete profile to over 15 MB. This has substantial implications
+ for location of user profiles. Additionally, it is a significant factor in
+ determining the nature and style of mandatory profiles that may be enforced as
+ part of a total service-level assurance program that might be implemented.
+ </p><p>
+ <a class="indexterm" name="id2552096"></a>
+ <a class="indexterm" name="id2552103"></a>
+ One way to reduce the network bandwidth impact of user logon
+ traffic is through folder redirection. In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you
+ implemented this in the new Windows XP Professional standard
+ desktop configuration. When desktop folders such as <span class="guimenu">My
+ Documents</span> are redirected to a network drive, they should
+ also be excluded from synchronization to and from the server on
+ logon or logout. Redirected folders are analogous to network drive
+ connections.
+ </p><p><a class="indexterm" name="id2552131"></a>
+ Of course, network applications should only be run off
+ local application servers. As a general rule, even with 2 Mb/sec
+ network bandwidth, it would not make sense at all for someone who
+ is working out of the London office to run applications off a
+ server that is located in New York.
+ </p><p>
+ <a class="indexterm" name="id2552146"></a>
+ When network bandwidth becomes a precious commodity (that is most
+ of the time), there is a significant demand to understand network
+ processes and to mold the limits of acceptability around the
+ constraints of affordability.
+ </p><p>
+ When a Windows NT4/200x/XP Professional client user logs onto
+ the network, several important things must happen.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2552169"></a>
+ The client obtains an IP address via DHCP. (DHCP is
+ necessary so that users can roam between offices.)
+ </p></li><li><p>
+ <a class="indexterm" name="id2552182"></a>
+ <a class="indexterm" name="id2552189"></a>
+ The client must register itself with the WINS and/or DNS server.
+ </p></li><li><p>
+ <a class="indexterm" name="id2552201"></a>
+ The client must locate the closest domain controller.
+ </p></li><li><p>
+ The client must log onto a domain controller and obtain as part of
+ that process the location of the user's profile, load it, connect to
+ redirected folders, and establish all network drive and printer connections.
+ </p></li><li><p>
+ The domain controller must be able to resolve the user's
+ credentials before the logon process is fully implemented.
+ </p></li></ul></div><p>
+ Given that this book is about Samba and that it implements the Windows
+ NT4-style domain semantics, it makes little sense to compare Samba with
+ Microsoft Active Directory insofar as the logon protocols and principles
+ of operation are concerned. The following information pertains exclusively
+ to the interaction between a Windows XP Professional workstation and a
+ Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS.
+ </p><p>
+ As soon as the Windows workstation starts up, it obtains an
+ IP address. This is immediately followed by registration of its
+ name both by broadcast and Unicast registration that is directed
+ at the WINS server.
+ </p><p>
+ <a class="indexterm" name="id2552255"></a>
+ <a class="indexterm" name="id2552262"></a><a class="indexterm" name="id2552271"></a>
+ Given that the client is already a domain member, it then sends
+ a directed (Unicast) request to the WINS server seeking the list of
+ IP addresses for domain controllers (NetBIOS name type 0x1C). The
+ WINS server replies with the information requested.</p><p>
+ <a class="indexterm" name="id2552286"></a>
+ <a class="indexterm" name="id2552295"></a>
+ <a class="indexterm" name="id2552302"></a>
+ The client sends two netlogon mailslot broadcast requests
+ to the local network and to each of the IP addresses returned by
+ the WINS server. Whichever answers this request first appears to
+ be the machine that the Windows XP client attempts to use to
+ process the network logon. The mailslot messages use UDP broadcast
+ to the local network and UDP Unicast directed at each machine that
+ was listed in the WINS server response to a request for the list of
+ domain controllers.
+ </p><p>
+ <a class="indexterm" name="id2552320"></a>
+ <a class="indexterm" name="id2552329"></a>
+ <a class="indexterm" name="id2552336"></a>
+ The logon process begins with negotiation of the SMB/CIFS
+ protocols that are to be used; this is followed by an exchange of
+ information that ultimately includes the client sending the
+ credentials with which the user is attempting to logon. The logon
+ server must now approve the further establishment of the
+ connection, but that is a good point to halt for now. The priority
+ here must center around identification of network infrastructure
+ needs. A secondary fact we need to know is, what happens when
+ local domain controllers fail or break?
+ </p><p>
+ <a class="indexterm" name="id2552355"></a>
+ <a class="indexterm" name="id2552362"></a>
+ <a class="indexterm" name="id2552369"></a>
+ <a class="indexterm" name="id2552375"></a>
+ Under most circumstances, the nearest domain controller
+ responds to the netlogon mailslot broadcast. The exception to this
+ norm occurs when the nearest domain controller is too busy or is out
+ of service. Herein lies an important fact. This means it is
+ important that every network segment should have at least two
+ domain controllers. Since there can be only one PDC, all additional
+ domain controllers are by definition BDCs.
+ </p><p>
+ <a class="indexterm" name="id2552393"></a>
+ <a class="indexterm" name="id2552400"></a>
+ The provision of sufficient servers that are BDCs is an
+ important design factor. The second important design factor
+ involves how each of the BDCs obtains user authentication
+ data. That is the subject of the next section, which involves key
+ decisions regarding Identity Management facilities.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2552414"></a>Identity Management Needs</h4></div></div></div><p>
+ <a class="indexterm" name="id2552422"></a>
+ <a class="indexterm" name="id2552429"></a>
+ <a class="indexterm" name="id2552436"></a>
+ <a class="indexterm" name="id2552442"></a>
+ Network managers recognize that in large organizations users
+ generally need to be given resource access based on needs, while
+ being excluded from other resources for reasons of privacy. It is
+ therefore essential that all users identify themselves at the
+ point of network access. The network logon is the principal means
+ by which user credentials are validated and filtered and appropriate
+ rights and privileges are allocated.
+ </p><p>
+ <a class="indexterm" name="id2552460"></a>
+ <a class="indexterm" name="id2552467"></a>
+ <a class="indexterm" name="id2552474"></a>
+ Unfortunately, network resources tend to have their own Identity
+ Management facilities, the quality and manageability of which varies
+ from quite poor to exceptionally good. Corporations that use a mixture
+ of systems soon discover that until recently, few systems were
+ designed to interoperate. For example, UNIX systems each have an
+ independent user database. Sun Microsystems developed a facility that
+ was originally called <code class="constant">Yellow Pages</code>, and was renamed
+ when a telephone company objected to the use of its trademark.
+ What was once called <code class="constant">Yellow Pages</code> is today known
+ as <code class="constant">Network Information System</code> (NIS).
+ </p><p>
+ <a class="indexterm" name="id2552504"></a>
+ NIS gained a strong following throughout the UNIX/VMS space in a short
+ period of time and retained that appeal and use for over a decade.
+ Security concerns and inherent limitations have caused it to enter its
+ twilight. NIS did not gain widespread appeal outside of the UNIX world
+ and was not universally adopted. Sun updated this to a more secure
+ implementation called NIS+, but even it has fallen victim to changing
+ demands as the demand for directory services that can be coupled with
+ other information systems is catching on.
+ </p><p>
+ <a class="indexterm" name="id2552523"></a>
+ <a class="indexterm" name="id2552530"></a>
+ <a class="indexterm" name="id2552537"></a>
+ Nevertheless, both NIS and NIS+ continue to hold ground in
+ business areas where UNIX still has major sway. Examples of
+ organizations that remain firmly attached to the use of NIS and
+ NIS+ include large government departments, education institutions,
+ and large corporations that have a scientific or engineering
+ focus.
+ </p><p>
+ <a class="indexterm" name="id2552552"></a>
+ <a class="indexterm" name="id2552559"></a>
+ Today's networking world needs a scalable, distributed Identity
+ Management infrastructure, commonly called a directory. The most
+ popular technologies today are Microsoft Active Directory service
+ and a number of LDAP implementations.
+ </p><p>
+ <a class="indexterm" name="id2552573"></a>
+ The problem of managing multiple directories has become a focal
+ point over the past decade, creating a large market for
+ metadirectory products and services that allow organizations that
+ have multiple directories and multiple management and control
+ centers to provision information from one directory into
+ another. The attendant benefit to end users is the promise of
+ having to remember and deal with fewer login identities and
+ passwords.</p><p>
+ <a class="indexterm" name="id2552591"></a>
+ The challenge of every large network is to find the optimum
+ balance of internal systems and facilities for Identity
+ Management resources. How well the solution is chosen and
+ implemented has potentially significant impact on network bandwidth
+ and systems response needs.</p><p>
+ <a class="indexterm" name="id2552608"></a>
+ <a class="indexterm" name="id2552615"></a>
+ <a class="indexterm" name="id2552624"></a>
+ In <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, you implemented a single LDAP server for the
+ entire network. This may work for smaller networks, but almost
+ certainly fails to meet the needs of large and complex networks. The
+ following section documents how you may implement a single
+ master LDAP server with multiple slave servers.</p><p>
+ What is the best method for implementing master/slave LDAP
+ servers within the context of a distributed 2,000-user network is a
+ question that remains to be answered.</p><p>
+ <a class="indexterm" name="id2552654"></a>
+ <a class="indexterm" name="id2552660"></a>
+ One possibility that has great appeal is to create a single,
+ large distributed domain. The practical implications of this
+ design (see <a href="2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">???</a>) demands the placement of
+ sufficient BDCs in each location. Additionally, network
+ administrators must make sure that profiles are not transferred
+ over the wide-area links, except as a totally unavoidable
+ measure. Network design must balance the risk of loss of user
+ productivity against the cost of network management and
+ maintenance.
+ </p><p>
+ <a class="indexterm" name="id2552685"></a>
+ The network design in <a href="2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">???</a> takes the approach
+ that management of networks that are too remote to be managed
+ effectively from New York ought to be given a certain degree of
+ autonomy. With this rationale, the Los Angeles and London networks,
+ though fully integrated with those on the East Coast, each have their
+ own domain name space and can be independently managed and controlled.
+ One of the key drawbacks of this design is that it flies in the face of
+ the ability for network users to roam globally without some compromise
+ in how they may access global resources.
+ </p><p>
+ <a class="indexterm" name="id2552711"></a>
+ Desk-bound users need not be negatively affected by this design, since
+ the use of interdomain trusts can be used to satisfy the need for global
+ data sharing.
+ </p><p>
+ <a class="indexterm" name="id2552724"></a>
+ <a class="indexterm" name="id2552730"></a>
+ <a class="indexterm" name="id2552740"></a>
+ When Samba-3 is configured to use an LDAP backend, it stores the domain
+ account information in a directory entry. This account entry contains the
+ domain SID. An unintended but exploitable side effect is that this makes it
+ possible to operate with more than one PDC on a distributed network.
+ </p><p>
+ <a class="indexterm" name="id2552754"></a>
+ <a class="indexterm" name="id2552761"></a>
+ <a class="indexterm" name="id2552768"></a>
+ How might this peculiar feature be exploited? The answer is simple. It is
+ imperative that each network segment have its own WINS server. Major
+ servers on remote network segments can be given a static WINS entry in
+ the <code class="filename">wins.dat</code> file on each WINS server. This allows
+ all essential data to be visible from all locations. Each location would,
+ however, function as if it is an independent domain, while all sharing the
+ same domain SID. Since all domain account information can be stored in a
+ single LDAP backend, users have unfettered ability to roam.
+ </p><p>
+ <a class="indexterm" name="id2552793"></a>
+ <a class="indexterm" name="id2552802"></a>
+ This concept has not been exhaustively validated, though we can see no reason
+ why this should not work. The important facets are the following: The name of
+ the domain must be identical in all locations. Each network segment must have
+ its own WINS server. The name of the PDC must be the same in all locations; this
+ necessitates the use of NetBIOS name aliases for each PDC so that they can be
+ accessed globally using the alias and not the PDC's primary name. A single master
+ LDAP server can be based in New York, with multiple LDAP slave servers located
+ on every network segment. Finally, the BDCs should each use failover LDAP servers
+ that are in fact slave LDAP servers on the local segments.
+ </p><p>
+ <a class="indexterm" name="id2552824"></a>
+ <a class="indexterm" name="id2552833"></a>
+ <a class="indexterm" name="id2552840"></a>
+ <a class="indexterm" name="id2552849"></a>
+ With a single master LDAP server, all network updates are effected on a single
+ server. In the event that this should become excessively fragile or network
+ bandwidth limiting, one could implement a delegated LDAP domain. This is also
+ known as a partitioned (or multiple partition) LDAP database and as a distributed
+ LDAP directory.
+ </p><p>
+ As the LDAP directory grows, it becomes increasingly important
+ that its structure is implemented in a manner that mirrors
+ organizational needs, so as to limit network update and
+ referential traffic. It should be noted that all directory
+ administrators must of necessity follow the same standard
+ procedures for managing the directory, because retroactive correction of
+ inconsistent directory information can be exceedingly difficult.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552878"></a>Political Issues</h3></div></div></div><p>
+ As organizations grow, the number of points of control increases
+ also. In a large distributed organization, it is important that the
+ Identity Management system be capable of being updated from
+ many locations, and it is equally important that changes made should
+ become usable in a reasonable period, typically
+ minutes rather than days (the old limitation of highly manual
+ systems).
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2552896"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id2552904"></a>
+ <a class="indexterm" name="id2552910"></a>
+ <a class="indexterm" name="id2552917"></a>
+ <a class="indexterm" name="id2552924"></a>
+ Samba-3 has the ability to use multiple password (authentication and
+ identity resolution) backends. The diagram in <a href="2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">???</a>
+ demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
+ password database. The diagram only documents the mechanisms for
+ authentication and identity resolution (obtaining a UNIX UID/GID)
+ using the specific systems shown.
+ </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div><p>
+ <a class="indexterm" name="id2552988"></a>
+ <a class="indexterm" name="id2552994"></a>
+ <a class="indexterm" name="id2553001"></a>
+ <a class="indexterm" name="id2553008"></a>
+ <a class="indexterm" name="id2553015"></a>
+ <a class="indexterm" name="id2553022"></a>
+ <a class="indexterm" name="id2553028"></a>
+ Samba is capable of using the <code class="constant">smbpasswd</code>,
+ <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>,
+ and <code class="constant">mysqlsam</code> authentication databases. The SMB
+ passwords can, of course, also be stored in an LDAP ldapsam
+ backend. LDAP is the preferred passdb backend for distributed network
+ operations.
+ </p><p>
+ <a class="indexterm" name="id2553056"></a>
+ Additionally, it is possible to use multiple passdb backends
+ concurrently as well as have multiple LDAP backends. As a result, you
+ can specify a failover LDAP backend. The syntax for specifying a
+ single LDAP backend in <code class="filename">smb.conf</code> is:
+</p><pre class="screen">
+...
+passdb backend = ldapsam:ldap://master.abmas.biz
+...
+</pre><p>
+ This configuration tells Samba to use a single LDAP server, as shown in <a href="2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">???</a>.
+ </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div><p>
+ <a class="indexterm" name="id2553129"></a>
+ <a class="indexterm" name="id2553139"></a>
+ The addition of a failover LDAP server can simply be done by adding a
+ second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em>
+ entry, as shown here (note the particular use of the double quotes):
+</p><pre class="screen">
+...
+passdb backend = ldapsam:"ldap://master.abmas.biz \
+ ldap://slave.abmas.biz"
+...
+</pre><p>
+ This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary,
+ as shown in <a href="2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">???</a>.
+ </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div><p>
+ </p><p>
+ Some folks have tried to implement this without the use of double quotes. This is the type of entry they
+ created:
+</p><pre class="screen">
+...
+passdb backend = ldapsam:ldap://master.abmas.biz \
+ ldapsam:ldap://slave.abmas.biz
+...
+</pre><p>
+ <a class="indexterm" name="id2553225"></a>
+ The effect of this style of entry is that Samba lists the users
+ that are in both LDAP databases. If both contain the same information,
+ it results in each record being shown twice. This is, of course, not the
+ solution desired for a failover implementation. The net effect of this
+ configuration is shown in <a href="2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">???</a>
+ </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div><p>
+ If, however, each LDAP database contains unique information, this may
+ well be an advantageous way to effectively integrate multiple LDAP databases
+ into one seemingly contiguous directory. Only the first database will be updated.
+ An example of this configuration is shown in <a href="2000users.html#ch7dualok" title="Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.">???</a>.
+ </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ When the use of ldapsam is specified twice, as shown here, it is imperative
+ that the two LDAP directories must be disjoint. If the entries are for a
+ master LDAP server as well as its own slave server, updates to the LDAP
+ database may end up being lost or corrupted. You may safely use multiple
+ LDAP backends only if both are entirely separate from each other.
+ </p></div><p>
+ It is assumed that the network you are working with follows in a
+ pattern similar to what was covered in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>. The following steps
+ permit the operation of a master/slave OpenLDAP arrangement.
+ </p><div class="procedure"><a name="id2553367"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2553379"></a>
+ <a class="indexterm" name="id2553386"></a>
+ Log onto the master LDAP server as <code class="constant">root</code>.
+ You are about to change the configuration of the LDAP server, so it
+ makes sense to temporarily halt it. Stop OpenLDAP from running on
+ SUSE Linux by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap stop
+</pre><p>
+ On Red Hat Linux, you can do this by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> service ldap stop
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2553431"></a>
+ Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it
+ matches the content of <a href="2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">???</a>.
+ </p></li><li><p>
+ Create a file called <code class="filename">admin-accts.ldif</code> with the following contents:
+</p><pre class="screen">
+dn: cn=updateuser,dc=abmas,dc=biz
+objectClass: person
+cn: updateuser
+sn: updateuser
+userPassword: not24get
+
+dn: cn=sambaadmin,dc=abmas,dc=biz
+objectClass: person
+cn: sambaadmin
+sn: sambaadmin
+userPassword: buttercup
+</pre><p>
+ </p></li><li><p>
+ Add an account called “<span class="quote">updateuser</span>” to the master LDAP server as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2553505"></a>
+ <a class="indexterm" name="id2553511"></a>
+ Change directory to a suitable place to dump the contents of the
+ LDAP server. The dump file (and LDIF file) is used to preload
+ the slave LDAP server database. You can dump the database by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt
+</pre><p>
+ Each record is written to the file.
+ </p></li><li><p>
+ <a class="indexterm" name="id2553544"></a>
+ Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended
+ slave LDAP server. A good location could be in the directory
+ <code class="filename">/etc/openldap/preload</code>.
+ </p></li><li><p>
+ Log onto the slave LDAP server as <code class="constant">root</code>. You can
+ now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code>
+ file matches the content of <a href="2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">???</a>.
+ </p></li><li><p>
+ Change directory to the location in which you stored the
+ <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>).
+ While in this directory, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt
+</pre><p>
+ If all goes well, the following output confirms that the data is being loaded
+ as intended:
+</p><pre class="screen">
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
+added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
+added: "ou=People,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Computers,dc=abmas,dc=biz" (00000006)
+added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
+added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
+added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
+added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
+added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
+added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
+added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
+added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
+added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
+added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
+added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
+added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
+</pre><p>
+ </p></li><li><p>
+ Now start the LDAP server and set it to run automatically on system reboot by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ On Red Hat Linux, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> service ldap start
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2553699"></a>
+ <a class="indexterm" name="id2553706"></a>
+ <a class="indexterm" name="id2553713"></a>
+ Go back to the master LDAP server. Execute the following to start LDAP as well
+ as <span><strong class="command">slurpd</strong></span>, the synchronization daemon, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+<code class="prompt">root# </code> chkconfig ldap on
+<code class="prompt">root# </code> rcslurpd start
+<code class="prompt">root# </code> chkconfig slurpd on
+</pre><p>
+ <a class="indexterm" name="id2553758"></a>
+ On Red Hat Linux, check the equivalent command to start <span><strong class="command">slurpd</strong></span>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2553779"></a>
+ On the master LDAP server you may now add an account to validate that replication
+ is working. Assuming the configuration shown in <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, execute:
+</p><pre class="screen">
+<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop
+</pre><p>
+ </p></li><li><p>
+ On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>.
+ There should now be a file called <code class="filename">replogfile</code>. If replication worked
+ as expected, the content of this file should be:
+</p><pre class="screen">
+time: 1072486403
+dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
+changetype: modify
+replace: sambaProfilePath
+sambaProfilePath: \\MASSIVE\profiles\fruitloop
+-
+replace: sambaHomePath
+sambaHomePath: \\MASSIVE\homes
+-
+replace: entryCSN
+entryCSN: 2003122700:43:38Z#0x0005#0#0000
+-
+replace: modifiersName
+modifiersName: cn=Manager,dc=abmas,dc=biz
+-
+replace: modifyTimestamp
+modifyTimestamp: 20031227004338Z
+-
+</pre><p>
+ </p></li><li><p>
+ Given that this first slave LDAP server is now working correctly, you may now
+ implement additional slave LDAP servers as required.
+ </p></li><li><p>
+ On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in
+ <a href="2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File Part A + B + C</a> and
+ on BDCs the <a href="2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File Part A
+ + B + C</a> execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w buttercup
+</pre><p>
+ This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to
+ manage (write to) the LDAP Master server to perform account updates.
+ </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. LDAP Master Server Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+replica host=lapdc.abmas.biz:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=updateuser,dc=abmas,dc=biz"
+ bindmethod=simple credentials=not24get
+
+access to attrs=sambaLMPassword,sambaNTPassword
+ by dn="cn=sambaadmin,dc=abmas,dc=biz" write
+ by * none
+
+replogfile /var/lib/ldap/replogfile
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. LDAP Slave Configuration File <code class="filename">/etc/openldap/slapd.conf</code></b></p><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=Manager,dc=abmas,dc=biz"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+access to *
+ by dn=cn=updateuser,dc=abmas,dc=biz write
+ by * read
+
+updatedn cn=updateuser,dc=abmas,dc=biz
+updateref ldap://massive.abmas.biz
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. Primary Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2554061"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2554074"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2554087"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2554100"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2554113"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2554126"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2554138"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2554151"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2554164"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2554177"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2554190"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554203"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2554216"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554229"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554243"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2554256"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2554270"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554284"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554298"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554312"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2554325"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id2554339"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id2554352"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2554365"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2554378"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2554391"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554404"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554416"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554429"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2554442"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2554455"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2554468"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2554481"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2554494"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2554508"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2554521"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2554534"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2554546"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2554559"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. Primary Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id2554606"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2554627"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2554640"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2554653"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2554674"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2554687"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2554700"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2554722"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2554734"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2554747"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2554769"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2554782"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2554794"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2554807"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2554828"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2554841"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2554854"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554867"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2554879"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. Primary Domain Controller <code class="filename">smb.conf</code> File Part C</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2554926"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2554939"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2554951"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2554964"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2554986"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2554999"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2555012"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2555025"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2555037"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2555059"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2555072"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2555085"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2555097"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2555119"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2555132"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2555145"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2555158"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2555179"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2555192"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2555205"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id2555218"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. Backup Domain Controller <code class="filename">smb.conf</code> File Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2555268"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2555281"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2555294"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2555306"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2555320"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2555333"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2555346"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2555358"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2555371"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2555384"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2555396"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2555410"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2555423"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2555436"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2555449"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2555462"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2555474"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2555487"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id2555500"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2555513"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2555526"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2555538"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2555552"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2555565"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2555578"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2555591"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2555604"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2555617"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2555630"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2555643"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2555655"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2555677"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2555690"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2555703"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2555724"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2555737"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2555750"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. Backup Domain Controller <code class="filename">smb.conf</code> File Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2555797"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2555810"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2555822"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2555844"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2555856"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2555869"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2555882"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2555903"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2555916"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2555929"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2555942"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2555954"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2555976"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2555989"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2556001"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2556014"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2556036"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2556049"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2556062"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2556074"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2556096"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2556109"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2556122"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2556134"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2556156"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2556169"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2556182"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2556195"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2556208"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2556220"></a><a class="indexterm" name="id2556225"></a>
+ Where Samba-3 is used as a domain controller, the use of LDAP is an
+ essential component to permit the use of BDCs.
+ </p></li><li><p>
+ <a class="indexterm" name="id2556238"></a>
+ Replication of the LDAP master server to create a network of BDCs
+ is an important mechanism for limiting WAN traffic.
+ </p></li><li><p>
+ Network administration presents many complex challenges, most of which
+ can be satisfied by good design but that also require sound communication
+ and unification of management practices. This can be highly challenging in
+ a large, globally distributed network.
+ </p></li><li><p>
+ Roaming profiles must be contained to the local network segment. Any
+ departure from this may clog wide-area arteries and slow legitimate network
+ traffic to a crawl.
+ </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology 2000 User Complex Design A</b></p><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. Network Topology 2000 User Complex Design B</b></p><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2556356"></a>Questions and Answers</h2></div></div></div><p>
+ There is much rumor and misinformation regarding the use of MS Windows networking protocols.
+ These questions are just a few of those frequently asked.
+ </p><div class="qandaset"><dl><dt> <a href="2000users.html#id2556372">
+ DHCP
+ networkbandwidth
+ Is it true that DHCP uses lots of WAN bandwidth?
+ </a></dt><dt> <a href="2000users.html#id2556506">
+ background communication
+ LDAPmaster/slavebackground communication
+ How much background communication takes place between a master LDAP server and its slave LDAP servers?
+ </a></dt><dt> <a href="2000users.html#id2556567">
+ LDAP has a database. Is LDAP not just a fancy database front end?
+ </a></dt><dt> <a href="2000users.html#id2556631">
+ OpenLDAP
+ Can Active Directory obtain account information from an OpenLDAP server?
+ </a></dt><dt> <a href="2000users.html#id2556667">
+ What are the parts of a roaming profile? How large is each part?
+ </a></dt><dt> <a href="2000users.html#id2556815">
+ Can the My Documents folder be stored on a network drive?
+ </a></dt><dt> <a href="2000users.html#id2556863">
+ wide-area
+ networkbandwidth
+ WINS
+ How much WAN bandwidth does WINS consume?
+ </a></dt><dt> <a href="2000users.html#id2556947">
+ How many BDCs should I have? What is the right number of Windows clients per server?
+ </a></dt><dt> <a href="2000users.html#id2556983">
+ NIS serverLDAP
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
+ run an NIS server?
+ </a></dt><dt> <a href="2000users.html#id2557017">
+ Can I use NIS in place of LDAP?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2556372"></a><a name="id2556374"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556378"></a>
+ <a class="indexterm" name="id2556385"></a>
+ Is it true that DHCP uses lots of WAN bandwidth?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556402"></a>
+ <a class="indexterm" name="id2556411"></a>
+ <a class="indexterm" name="id2556418"></a>
+ It is a smart practice to localize DHCP servers on each network segment. As a
+ rule, there should be two DHCP servers per network segment. This means that if
+ one server fails, there is always another to service user needs. DHCP requests use
+ only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
+ routers. This makes it possible to run fewer DHCP servers.
+ </p><p>
+ <a class="indexterm" name="id2556437"></a>
+ <a class="indexterm" name="id2556446"></a>
+ A DHCP network address request and confirmation usually results in about six UDP packets.
+ The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
+ clients and that uses a 24-hour IP address lease. This means that all clients renew
+ their IP address lease every 24 hours. If we assume an average packet length equal to the
+ maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection,
+ how significant would the DHCP traffic be if all of it were to use DHCP Relay?
+ </p><p>
+ I must stress that this is a bad design, but here is the calculation:
+</p><pre class="screen">
+Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte)
+ x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.
+
+DHCP traffic: 300 (clients) x 6 (packets)
+ x 512 (bytes/packet) = 0.9 Mbytes/day.
+</pre><p>
+ From this can be seen that the traffic impact would be minimal.
+ </p><p>
+ <a class="indexterm" name="id2556484"></a>
+ <a class="indexterm" name="id2556492"></a>
+ Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
+ the impact of the update is no more than the DHCP IP address renewal traffic and thus
+ still insignificant for most practical purposes.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556506"></a><a name="id2556508"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556513"></a>
+ <a class="indexterm" name="id2556520"></a>
+ How much background communication takes place between a master LDAP server and its slave LDAP servers?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556540"></a>
+ The process that controls the replication of data from the master LDAP server to the slave LDAP
+ servers is called <span><strong class="command">slurpd</strong></span>. The <span><strong class="command">slurpd</strong></span> remains nascent (quiet)
+ until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
+ two user accounts requires less than 10KB traffic.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556567"></a><a name="id2556569"></a><b></b></td><td align="left" valign="top"><p>
+ LDAP has a database. Is LDAP not just a fancy database front end?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556581"></a>
+ <a class="indexterm" name="id2556588"></a>
+ <a class="indexterm" name="id2556597"></a>
+ <a class="indexterm" name="id2556604"></a>
+ LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
+ data storage system. This type of database is indexed so that records can be rapidly located, but the
+ database is not generic and can be used only in particular pre-programmed ways. General external
+ applications do not gain access to the data. This type of database is used also by SQL servers. Both
+ an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
+ orientation and typically allows external programs to perform ad hoc queries, even across data tables.
+ An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
+ simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556631"></a><a name="id2556633"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556638"></a>
+ Can Active Directory obtain account information from an OpenLDAP server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556652"></a>
+ No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
+ database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
+ to OpenLDAP using standard LDAP queries and updates.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556667"></a><a name="id2556669"></a><b></b></td><td align="left" valign="top"><p>
+ What are the parts of a roaming profile? How large is each part?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2556680"></a>
+ A roaming profile consists of
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>,
+ <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>,
+ <code class="constant">Cookies</code>, <code class="constant">Application Data</code>,
+ <code class="constant">Local Settings,</code> and more. See <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>, <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>.
+ </p><p>
+ <a class="indexterm" name="id2556741"></a>
+ Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
+ such folders can be redirected to network drive resources. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>
+ for more information regarding folder redirection.
+ </p></li><li><p>
+ A static or rewritable portion that is typically only a few files (2-5 KB of information).
+ </p></li><li><p>
+ <a class="indexterm" name="id2556767"></a>
+ <a class="indexterm" name="id2556774"></a>
+ The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is
+ the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id2556797"></a>
+ Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code>
+ folder. It can be up to 2 GB in size per PST file.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556815"></a><a name="id2556817"></a><b></b></td><td align="left" valign="top"><p>
+ Can the <code class="constant">My Documents</code> folder be stored on a network drive?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556833"></a>
+ <a class="indexterm" name="id2556839"></a>
+ Yes. More correctly, such folders can be redirected to network shares. No specific network drive
+ connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
+ Naming Convention) resource, though it is possible to specify a network drive letter instead of a
+ UNC name. See <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556863"></a><a name="id2556865"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556870"></a>
+ <a class="indexterm" name="id2556876"></a>
+ <a class="indexterm" name="id2556886"></a>
+ How much WAN bandwidth does WINS consume?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556900"></a>
+ <a class="indexterm" name="id2556909"></a>
+ <a class="indexterm" name="id2556916"></a>
+ MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
+ This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
+ server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
+ was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total
+ of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links.
+ Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
+ traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection
+ that aggregated the branch office connections plus an Internet connection.
+ </p><p>
+ In conclusion, the total load afforded through WINS traffic is again marginal to total operational
+ usage as it should be.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556947"></a><a name="id2556949"></a><b></b></td><td align="left" valign="top"><p>
+ How many BDCs should I have? What is the right number of Windows clients per server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ It is recommended to have at least one BDC per network segment, including the segment served
+ by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
+ load demand pattern of client usage. I have seen sites that function without problem with 200
+ clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
+ company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print
+ server; and an application server. While all three were BDCs, typically only the print server would
+ service network logon requests after the first 10 users had started to use the network. This was
+ a reflection of the service load placed on both the application server and the data server.
+ </p><p>
+ As unsatisfactory as the answer might sound, it all depends on network and server load
+ characteristics.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2556983"></a><a name="id2556985"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2556990"></a><a class="indexterm" name="id2556995"></a>
+ I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
+ run an NIS server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The correct answer to both questions is yes. But do understand that an LDAP server has
+ a configurable schema that can store far more information for many more purposes than
+ just NIS.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2557017"></a><a name="id2557019"></a><b></b></td><td align="left" valign="top"><p>
+ Can I use NIS in place of LDAP?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2557031"></a>
+ <a class="indexterm" name="id2557037"></a>
+ No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
+ with the types of data necessary for interoperability with Microsoft Windows networking. The use
+ of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
+ a Samba-specific schema extension.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html>
projects / samba / blobdiff