--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 15. A Collection of Useful Tidbits</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2590459">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2590879">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2591228">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2591240">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2591288">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2591392">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2591451">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id2592021">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id2593010">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id2593485">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2593632">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id2593716">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p>
+ <a class="indexterm" name="id2589880"></a>
+ <a class="indexterm" name="id2589886"></a>
+ Information presented here is considered to be either basic or well-known material that is informative
+ yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
+ the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
+ different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
+ as shown in the example given below.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p>
+ <a class="indexterm" name="id2589917"></a>
+ Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
+ This section steps through the process for making a Windows 200x/XP Professional machine a
+ member of a Domain Security environment. It should be noted that this process is identical
+ when joining a domain that is controlled by Windows NT4/200x as well as a Samba PDC.
+ </p><div class="procedure"><a name="id2589931"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span>.
+ </p></li><li><p>
+ Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>.
+ </p></li><li><p>
+ The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel.
+ See <a href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">???</a>.
+ </p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div><p>
+ </p></li><li><p>
+ Click the <span class="guimenu">Computer Name</span> tab.
+ This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>,
+ and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>.
+ </p><p>
+ Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with
+ Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button.
+ See <a href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">???</a>.
+ </p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div><p>
+ </p></li><li><p>
+ Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
+ We join the domain called MIDEARTH. See <a href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">???</a>.
+ </p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. The Computer Name Changes Panel</b></p><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div><p>
+ </p></li><li><p>
+ Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button.
+ </p><p>
+ This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a>.
+ </p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div><p>
+ </p></li><li><p>
+ Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password)
+ of a domain administrative account that has the rights to add machines to the domain.
+ </p><p>
+ Enter the name “<span class="quote">root</span>” and the root password from your Samba-3 server. See <a href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">???</a>.
+ </p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div><p>
+ </p></li><li><p>
+ Click <span class="guimenu">OK</span>.
+ </p><p>
+ The “<span class="quote">Welcome to the MIDEARTH domain</span>” dialog box should appear. At this point, the machine must be rebooted.
+ Joining the domain is now complete.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id2590349"></a>
+ <a class="indexterm" name="id2590356"></a>
+ The screen capture shown in <a href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">???</a> has a button labeled <span class="guimenu">More...</span>. This button opens a
+ panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
+ of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
+ </p><p>
+ <a class="indexterm" name="id2590382"></a>
+ <a class="indexterm" name="id2590389"></a>
+ Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
+ register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
+ to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
+ </p><p>
+ <a class="indexterm" name="id2590407"></a>
+ The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
+ this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
+ a valid IP address.
+ </p><p>
+ The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
+ Where the client is a member of a Samba domain, it is preferable to leave this field blank.
+ </p><p>
+ <a class="indexterm" name="id2590431"></a>
+ According to Microsoft documentation, “<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code>
+ enabled on <span><strong class="command">Primary DNS suffice of this computer</strong></span>, the string specified in the Group Policy is used
+ as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
+ used only if Group Policy is disabled or unspecified.</span>”
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590459"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id2590466"></a><a class="indexterm" name="id2590474"></a><a class="indexterm" name="id2590482"></a>
+ One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
+ build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
+ in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other
+ Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories.
+ </p><p>
+ Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
+ default.
+ </p><p><a class="indexterm" name="id2590518"></a><a class="indexterm" name="id2590529"></a><a class="indexterm" name="id2590537"></a><a class="indexterm" name="id2590548"></a><a class="indexterm" name="id2590556"></a><a class="indexterm" name="id2590567"></a><a class="indexterm" name="id2590575"></a><a class="indexterm" name="id2590583"></a><a class="indexterm" name="id2590591"></a><a class="indexterm" name="id2590598"></a><a class="indexterm" name="id2590606"></a><a class="indexterm" name="id2590614"></a><a class="indexterm" name="id2590622"></a><a class="indexterm" name="id2590630"></a><a class="indexterm" name="id2590638"></a><a class="indexterm" name="id2590646"></a>
+ Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
+ System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary
+ files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the
+ <code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
+ <code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in
+ <code class="filename">/usr/share/swat</code>. There are additional support files for <span><strong class="command">smbd</strong></span> in the
+ <code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the
+ passdb backend as well as for the VFS modules.
+ </p><p><a class="indexterm" name="id2590715"></a><a class="indexterm" name="id2590723"></a><a class="indexterm" name="id2590731"></a>
+ Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
+ the <code class="filename">/var/lib/samba</code> directory. Log files are created in <code class="filename">/var/log/samba.</code>
+ </p><p>
+ When Samba is built and installed using the default Samba Team process, all files are located under the
+ <code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns.
+ </p><p><a class="indexterm" name="id2590770"></a>
+ One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
+ of all files called <span><strong class="command">smbd</strong></span>. Here is an example:
+</p><pre class="screen">
+<code class="prompt">root# </code> find / -name smbd -print
+</pre><p>
+ You can find the location of the configuration files by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more
+...
+Paths:
+ SBINDIR: /usr/sbin
+ BINDIR: /usr/bin
+ SWATDIR: /usr/share/samba/swat
+ CONFIGFILE: /etc/samba/smb.conf
+ LOGFILEBASE: /var/log/samba
+ LMHOSTSFILE: /etc/samba/lmhosts
+ LIBDIR: /usr/lib/samba
+ SHLIBEXT: so
+ LOCKDIR: /var/lib/samba
+ PIDDIR: /var/run/samba
+ SMB_PASSWD_FILE: /etc/samba/smbpasswd
+ PRIVATE_DIR: /etc/samba
+...
+</pre><p>
+ If you wish to locate the Samba version, just run:
+</p><pre class="screen">
+<code class="prompt">root# </code> /path-to-binary-file/smbd -V
+Version 3.0.20-SUSE
+</pre><p>
+ </p><p>
+ Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
+ by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
+ executing:<a class="indexterm" name="id2590843"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -qa | grep samba
+samba3-pdb-3.0.20-1
+samba3-vscan-0.3.6-0
+samba3-winbind-3.0.20-1
+samba3-3.0.20-1
+samba3-python-3.0.20-1
+samba3-utils-3.0.20-1
+samba3-doc-3.0.20-1
+samba3-client-3.0.20-1
+samba3-cifsmount-3.0.20-1
+ </pre><p><a class="indexterm" name="id2590866"></a>
+ The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590879"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id2590886"></a>
+ Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
+ An example of a service is the Apache Web server for which the daemon is called <span><strong class="command">httpd</strong></span>. In the case of Samba, there
+ are three daemons, two of which are needed as a minimum.
+ </p><p>
+ The Samba server is made up of the following daemons:
+ </p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><pre class="screen">
+#!/bin/bash
+#
+# Script to start/stop samba
+# Locate this in /sbin as a file called 'samba'
+
+RCD=/etc/rc.d
+
+if [ z$1 == 'z' ]; then
+ echo $0 - No arguments given; must be start or stop.
+ exit
+fi
+
+if [ $1 == 'start' ]; then
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+
+fi
+if [ $1 == 'stop' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+fi
+if [ $1 == 'restart' ]; then
+ ${RCD}/smb stop
+ ${RCD}/winbind stop
+ ${RCD}/nmb stop
+ sleep 5
+ ${RCD}/nmb start
+ ${RCD}/smb start
+ ${RCD}/winbind start
+fi
+exit 0
+</pre></div><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
+ <a class="indexterm" name="id2590948"></a>
+ <a class="indexterm" name="id2590955"></a>
+ This daemon handles all name registration and resolution requests. It is the primary vehicle involved
+ in network browsing. It handles all UDP-based protocols. The <span><strong class="command">nmbd</strong></span> daemon should
+ be the first command started as part of the Samba startup process.
+ </p></dd><dt><span class="term">smbd</span></dt><dd><p>
+ <a class="indexterm" name="id2590985"></a>
+ <a class="indexterm" name="id2590991"></a>
+ This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
+ manages local authentication. It should be started immediately following the startup of <span><strong class="command">nmbd</strong></span>.
+ </p></dd><dt><span class="term">winbindd</span></dt><dd><p>
+ <a class="indexterm" name="id2591020"></a>
+ <a class="indexterm" name="id2591027"></a>
+ This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
+ Samba has trust relationships with another domain. The <span><strong class="command">winbindd</strong></span> daemon will check the
+ <code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em>
+ parameters. If they are not found, <span><strong class="command">winbindd</strong></span> bails out and refuses to start.
+ </p></dd></dl></div><p>
+ When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
+ integration into the platform as a whole. Please refer to your operating system platform administration manuals for
+ specific information pertaining to correct management of Samba startup.
+ </p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><pre class="screen">
+#!/bin/sh
+#
+# chkconfig: 345 81 35
+# description: Starts and stops the Samba smbd and nmbd daemons \
+# used to provide SMB network services.
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+# Source networking configuration.
+. /etc/sysconfig/network
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 0
+CONFIG=/etc/samba/smb.conf
+# Check that smb.conf exists.
+[ -f $CONFIG ] || exit 0
+
+# See how we were called.
+case "$1" in
+ start)
+ echo -n "Starting SMB services: "
+ daemon smbd -D; daemon nmbd -D; echo;
+ touch /var/lock/subsys/smb
+ ;;
+ stop)
+ echo -n "Shutting down SMB services: "
+ smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
+ for pid in $smbdpids; do
+ kill -TERM $pid
+ done
+ killproc nmbd -TERM; rm -f /var/lock/subsys/smb
+ echo ""
+ ;;
+ status)
+ status smbd; status nmbd;
+ ;;
+ restart)
+ echo -n "Restarting SMB services: "
+ $0 stop; $0 start;
+ echo "done."
+ ;;
+ *)
+ echo "Usage: smb {start|stop|restart|status}"
+ exit 1
+esac
+</pre></div><p><a class="indexterm" name="id2591149"></a>
+ SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
+ executed from the command line is shown in <a href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">???</a>. This can be located in the directory
+ <code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be
+ owned by user root and group root, and set so that only root can execute it.
+ </p><p><a class="indexterm" name="id2591185"></a>
+ A sample startup script for a Red Hat Linux system is shown in <a href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">???</a>.
+ This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called
+ <code class="filename">samba</code>. A similar startup script is required to control <span><strong class="command">winbind</strong></span>.
+ If you want to find more information regarding startup scripts please refer to the packaging section of
+ the Samba source code distribution tarball. The packaging files for each platform include a
+ startup control file.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2591228"></a>DNS Configuration Files</h2></div></div></div><p>
+ The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
+ are presented here for general reference.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591240"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p>
+ The forward zone file for the loopback address never changes. An example file is shown
+ in <a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a>. All traffic destined for an IP address that is hosted on a
+ physical interface on the machine itself is routed to the loopback adaptor. This is
+ a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
+ is called <code class="constant">localhost</code>.
+ </p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><pre class="screen">
+$TTL 1W
+@ IN SOA @ root (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS @
+ IN A 127.0.0.1
+</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591288"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p>
+ The reverse zone file for the loopback address as shown in <a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a>
+ is necessary so that references to the address <code class="constant">127.0.0.1</code> can be
+ resolved to the correct name of the interface.
+ </p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><pre class="screen">
+$TTL 1W
+@ IN SOA localhost. root.localhost. (
+ 42 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+
+ IN NS localhost.
+1 IN PTR localhost.
+</pre></div><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><pre class="screen">
+; This file is made available by InterNIC under anonymous FTP as
+; file /domain/named.root
+; on server FTP.INTERNIC.NET
+; last update: Nov 5, 2002. Related version of root zone: 2002110501
+; formerly NS.INTERNIC.NET
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+; formerly NS1.ISI.EDU
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
+; formerly C.PSI.NET
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+; formerly TERP.UMD.EDU
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
+; formerly NS.NASA.GOV
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+; formerly NS.ISC.ORG
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+; formerly NS.NIC.DDN.MIL
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+; formerly AOS.ARL.ARMY.MIL
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+; formerly NIC.NORDU.NET
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+; operated by VeriSign, Inc.
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+; housed in LINX, operated by RIPE NCC
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+; operated by IANA
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
+; housed in Japan, operated by WIDE
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+; End of File
+</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591392"></a>DNS Root Server Hint File</h3></div></div></div><p>
+ The content of the root hints file as shown in <a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a> changes slowly over time.
+ Periodically this file should be updated from the source shown. Because
+ of its size, this file is located at the end of this chapter.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id2591423"></a><a class="indexterm" name="id2591434"></a>
+ The following procedure may be used as an alternative means of configuring
+ the initial LDAP database. Many administrators prefer to have greater control
+ over how system files get configured.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591451"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id2591458"></a><a class="indexterm" name="id2591466"></a><a class="indexterm" name="id2591478"></a>
+ The first step to get the LDAP server ready for action is to create the LDIF file from
+ which the LDAP database will be preloaded. This is necessary to create the containers
+ into which the user, group, and other accounts are written. It is also necessary to
+ preload the well-known Windows NT Domain Groups, as they must have the correct SID so
+ that they can be recognized as special NT Groups by the MS Windows clients.
+ </p><div class="procedure"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol type="1"><li><p>
+ Create a directory in which to store the files you use to generate
+ the LDAP LDIF file for your system. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /etc/openldap/SambaInit
+<code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit
+<code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit
+</pre><p>
+ </p></li><li><p>
+ Install the files shown in <a href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">???</a>, <a href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">???</a>,
+ and <a href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">???</a> into the directory
+ <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh.</code> These three files are,
+ respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file.
+ </p></li><li><p>
+ Install the files shown in <a href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">???</a> and <a href="appendix.html#sbehap-ldifpatb" title="Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B">???</a> into the directory
+ <code class="filename">/etc/openldap/SambaInit/.</code> These two files are
+ parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file.
+ </p></li><li><p>
+ Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh
+
+How do you wish to refer to your organization?
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+How would you like your organization name to appear?
+Your organization name is: My Organization
+Enter a new name is this is not what you want, press Enter to Continue.
+Name [My Organization]: Abmas Inc.
+
+Samba Config File Location [/etc/samba/smb.conf]:
+Enter a new full path or press Enter to continue.
+Samba Config File Location [/etc/samba/smb.conf]:
+Domain Name: MEGANET2
+Domain SID: S-1-5-21-3504140859-1010554828-2431957765
+
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+Found the following domain name: abmas.biz
+I think the bit we are looking for might be: abmas
+Enter the domain name or press Enter to continue:
+
+The top level organization name I will use is: biz
+Enter the top level org name or press Enter to continue:
+<code class="prompt">root# </code>
+</pre><p>
+ This creates a file called <code class="filename">MEGANET2.ldif</code>.
+ </p></li><li><p>
+ It is now time to preload the LDAP database with the following
+ command:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif
+added: "dc=abmas,dc=biz" (00000001)
+added: "cn=Manager,dc=abmas,dc=biz" (00000002)
+added: "ou=People,dc=abmas,dc=biz" (00000003)
+added: "ou=Computers,dc=abmas,dc=biz" (00000004)
+added: "ou=Groups,dc=abmas,dc=biz" (00000005)
+added: "ou=Domains,dc=abmas,dc=biz" (00000006)
+added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007)
+added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008)
+added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009)
+added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a)
+</pre><p>
+ You should verify that the account information was correctly loaded by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> slapcat
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+structuralObjectClass: organization
+entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x0001#0#0000
+...
+
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+structuralObjectClass: posixGroup
+entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474
+creatorsName: cn=manager,dc=abmas,dc=biz
+modifiersName: cn=manager,dc=abmas,dc=biz
+createTimestamp: 20031217055747Z
+modifyTimestamp: 20031217055747Z
+entryCSN: 2003121705:57:47Z#0x000a#0#0000
+</pre><p>
+ </p></li><li><p>
+ Your LDAP database is ready for testing. You can now start the LDAP server
+ using the system tool for your Linux operating system. For SUSE Linux, you can
+ do this as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+</pre><p>
+ </p></li><li><p>
+ It is now a good idea to validate that the LDAP server is running correctly.
+ Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
+# extended LDIF
+#
+# LDAPv3
+# base <dc=abmas,dc=biz> with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+dc: abmas
+o: Abmas Inc.
+description: Posix and Samba LDAP Identity Database
+...
+# domusers, Groups, abmas.biz
+dn: cn=domusers,ou=Groups,dc=abmas,dc=biz
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 11
+# numEntries: 10
+</pre><p>
+ Your LDAP server is ready for creation of additional accounts.
+ </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part A</b></p><pre class="screen">
+#!/bin/bash
+#
+# This script prepares the ldif LDAP load file only
+#
+
+# Pattern File Name
+file=init-ldif.pat
+
+# The name of my organization
+ORGNAME="My Organization"
+
+# My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
+INETDOMAIN="my-domain"
+
+# In the above case, md domain is: buckets.org, TLDORG="org"
+TLDORG="org"
+
+# This is the Samba Domain/Workgroup Name
+DOMNAME="MYWORKGROUP"
+
+#
+# Here We Go ...
+#
+
+cat <<EOF
+
+How do you wish to refer to your organization?
+
+Suggestions:
+ Black Tire Company, Inc.
+ Cat With Hat Ltd.
+
+How would you like your organization name to appear?
+
+EOF
+
+echo "Your organization name is: $ORGNAME"
+echo
+echo "Enter a new name or, press Enter to Continue."
+echo
+</pre></div><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part B</b></p><pre class="screen">
+echo -e -n "Name [$ORGNAME]: "
+ read name
+
+if [ ! -z "$name" ]; then
+ ORGNAME=${name}
+fi
+echo
+sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1
+
+# Try to find smb.conf
+
+if [ -e /usr/local/samba/lib/smb.conf ]; then
+ CONF=/usr/local/samba/lib/smb.conf
+elif [ -e /etc/samba/smb.conf ]; then
+ CONF=/etc/samba/smb.conf
+fi
+
+echo "Samba Config File Location [$CONF]: "
+echo
+echo "Enter a new full path or press Enter to continue."
+echo
+echo -n "Samba Config File Location [$CONF]: "
+ read name
+if [ ! -z "$name" ]; then
+ CONF=$name
+fi
+echo
+
+# Find the name of our Domain/Workgroup
+DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
+echo Domain Name: $DOMNAME
+echo
+
+sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2
+
+DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
+echo Domain SID: $DOMSID
+
+sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1
+</pre></div><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code> Part C</b></p><pre class="screen">
+cat >>EOL
+The name of your Internet domain is now needed in a special format
+as follows, if your domain name is mydomain.org, what we need is
+the information in the form of:
+ Domain ID: mydomain
+ Top level: org
+
+If your fully qualified hostname is: snoopy.bazaar.garagesale.net
+where "snoopy" is the name of the machine,
+Then the information needed is:
+ Domain ID: garagesale
+ Top Level: net
+
+EOL
+INETDOMAIN=`hostname -d | cut -f1 -d.`
+echo Found the following domain name: `hostname -d`
+echo "I think the bit we are looking for might be: $INETDOMAIN"
+echo
+echo -n "Enter the domain name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ INETDOMAIN=$domnam
+fi
+echo
+sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2
+TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
+echo "The top level organization name I will use is: ${TLDORG}"
+echo
+echo -n "Enter the top level org name or press Enter to continue: "
+ read domnam
+if [ ! -z $domnam ]; then
+ TLDORG=$domnam
+fi
+sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif
+rm $file.tmp*
+exit 0
+</pre></div><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A</b></p><pre class="screen">
+dn: dc=INETDOMAIN,dc=TLDORG
+objectClass: dcObject
+objectClass: organization
+dc: INETDOMAIN
+o: ORGNAME
+description: Posix and Samba LDAP Identity Database
+
+dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+dn: ou=People,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Computers
+
+dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Idmap
+
+dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: top
+objectClass: organizationalUnit
+ou: Domains
+
+dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
+objectClass: sambaDomain
+sambaDomainName: DOMNAME
+sambaSID: DOMSID
+sambaAlgorithmicRidBase: 1000
+structuralObjectClass: sambaDomain
+</pre></div><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B</b></p><pre class="screen">
+dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 512
+cn: domadmins
+sambaSID: DOMSID-512
+sambaGroupType: 2
+displayName: Domain Admins
+description: Domain Administrators
+
+dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 514
+cn: domguests
+sambaSID: DOMSID-514
+sambaGroupType: 2
+displayName: Domain Guests
+description: Domain Guests Users
+
+dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
+objectClass: posixGroup
+objectClass: sambaGroupMapping
+gidNumber: 513
+cn: domusers
+sambaSID: DOMSID-513
+sambaGroupType: 2
+displayName: Domain Users
+description: Domain Users
+</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592021"></a>The LDAP Account Manager</h2></div></div></div><p>
+<a class="indexterm" name="id2592029"></a>
+<a class="indexterm" name="id2592035"></a>
+<a class="indexterm" name="id2592044"></a>
+<a class="indexterm" name="id2592051"></a>
+<a class="indexterm" name="id2592058"></a>
+<a class="indexterm" name="id2592064"></a>
+<a class="indexterm" name="id2592071"></a>
+The LDAP Account Manager (LAM) is an application suite that has been written in PHP.
+LAM can be used with any Web server that has PHP4 support. It connects to the LDAP
+server either using unencrypted connections or via SSL/TLS. LAM can be used to manage
+Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines
+(hosts).
+</p><p>
+LAM is available from the <a href="http://sourceforge.net/projects/lam/" target="_top">LAM</a>
+home page and from its mirror sites. LAM has been released under the GNU GPL version 2.
+The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter
+of 2005.
+</p><p>
+<a class="indexterm" name="id2592102"></a>
+<a class="indexterm" name="id2592109"></a>
+<a class="indexterm" name="id2592116"></a>
+Requirements:
+</p><div class="itemizedlist"><ul type="disc"><li><p>A web server that will work with PHP4.</p></li><li><p>PHP4 (available from the <a href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li><p>OpenLDAP 2.0 or later.</p></li><li><p>A Web browser that supports CSS.</p></li><li><p>Perl.</p></li><li><p>The gettext package.</p></li><li><p>mcrypt + mhash (optional).</p></li><li><p>It is also a good idea to install SSL support.</p></li></ul></div><p>
+LAM is a useful tool that provides a simple Web-based device that can be used to
+manage the contents of the LDAP directory to:
+<a class="indexterm" name="id2592177"></a>
+<a class="indexterm" name="id2592184"></a>
+<a class="indexterm" name="id2592191"></a>
+</p><div class="itemizedlist"><ul type="disc"><li><p>Display user/group/host and Domain entries.</p></li><li><p>Manage entries (Add/Delete/Edit).</p></li><li><p>Filter and sort entries.</p></li><li><p>Store and use multiple operating profiles.</p></li><li><p>Edit organizational units (OUs).</p></li><li><p>Upload accounts from a file.</p></li><li><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p>
+When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba
+user, group, and windows domain member machine accounts.
+</p><p>
+<a class="indexterm" name="id2592245"></a>
+<a class="indexterm" name="id2592252"></a>
+<a class="indexterm" name="id2592259"></a>
+<a class="indexterm" name="id2592265"></a>
+The default password is “<span class="quote">lam.</span>” It is highly recommended that you use only
+an SSL connection to your Web server for all remote operations involving LAM. If you
+want secure connections, you must configure your Apache Web server to permit connections
+to LAM using only SSL.
+</p><div class="procedure"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol type="1"><li><p>
+ Extract the LAM package by untarring it as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz
+</pre><p>
+ Alternatively, install the LAM DEB for your system using the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb
+</pre><p>
+ </p></li><li><p>
+ Copy the extracted files to the document root directory of your Web server.
+ For example, on SUSE Linux Enterprise Server 9, copy to the
+ <code class="filename">/srv/www/htdocs</code> directory.
+ </p></li><li><p>
+ <a class="indexterm" name="id2592345"></a>
+ Set file permissions using the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config
+<code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2592398"></a>
+ Using your favorite editor create the following <code class="filename">config.cfg</code>
+ LAM configuration file:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /srv/www/htdocs/lam/config
+<code class="prompt">root# </code> cp config.cfg_sample config.cfg
+<code class="prompt">root# </code> vi config.cfg
+</pre><p>
+ <a class="indexterm" name="id2592439"></a>
+ <a class="indexterm" name="id2592448"></a>
+ An example file is shown in <a href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">???</a>.
+ This is the minimum configuration that must be completed. The LAM profile
+ file can be created using a convenient wizard that is part of the LAM
+ configuration suite.
+ </p></li><li><p>
+ Start your Web server then, using your Web browser, connect to
+ <a href="http://localhost/lam" target="_top">LAM</a> URL. Click on the
+ the <em class="parameter"><code>Configuration Login</code></em> link then click on the
+ Configuration Wizard link to begin creation of the default profile so that
+ LAM can connect to your LDAP server. Alternately, copy the
+ <code class="filename">lam.conf_sample</code> file to a file called
+ <code class="filename">lam.conf</code> then, using your favorite editor,
+ change the settings to match local site needs.
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id2592508"></a>
+ An example of a working file is shown here in <a href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">???</a>.
+ This file has been stripped of comments to keep the size small. The comments
+ and help information provided in the profile file that the wizard creates
+ is very useful and will help many administrators to avoid pitfalls.
+ Your configuration file obviously reflects the configuration options that
+ are preferred at your site.
+ </p><p>
+ <a class="indexterm" name="id2592531"></a>
+ It is important that your LDAP server is running at the time that LAM is
+ being configured. This permits you to validate correct operation.
+ An example of the LAM login screen is provided in <a href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">???</a>.
+ </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div><p>
+ <a class="indexterm" name="id2592594"></a>
+ The LAM configuration editor has a number of options that must be managed correctly.
+ An example of use of the LAM configuration editor is shown in <a href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">???</a>.
+ It is important that you correctly set the minimum and maximum UID/GID values that are
+ permitted for use at your site. The default values may not be compatible with a need to
+ modify initial default account values for well-known Windows network users and groups.
+ The best work-around is to temporarily set the minimum values to zero (0) to permit
+ the initial settings to be made. Do not forget to reset these to sensible values before
+ using LAM to add additional users and groups.
+ </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div><p>
+ <a class="indexterm" name="id2592666"></a>
+ LAM has some nice, but unusual features. For example, one unexpected feature in most application
+ screens permits the generation of a PDF file that lists configuration information. This is a well
+ thought out facility. This option has been edited out of the following screen shots to conserve
+ space.
+ </p><p>
+ <a class="indexterm" name="id2592681"></a>
+ When you log onto LAM the opening screen drops you right into the user manager as shown in
+ <a href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">???</a>. This is a logical action as it permits the most-needed facility
+ to be used immediately. The editing of an existing user, as with the addition of a new user,
+ is easy to follow and very clear in both layout and intent. It is a simple matter to edit
+ generic settings, UNIX specific parameters, and then Samba account requirements. Each step
+ involves clicking a button that intuitively drives you through the process. When you have
+ finished editing simply press the <span class="guimenu">Final</span> button.
+ </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div><p>
+ The edit screen for groups is shown in <a href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">???</a>. As with the edit screen
+ for user accounts, group accounts may be rapidly dealt with. <a href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">???</a>
+ shows a sub-screen from the group editor that permits users to be assigned secondary group
+ memberships.
+ </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div><p>
+ <a class="indexterm" name="id2592861"></a><a class="indexterm" name="id2592866"></a>
+ The final screen presented here is one that you should not normally need to use. Host accounts will
+ be automatically managed using the smbldap-tools scripts. This means that the screen <a href="appendix.html#lam-host" title="Figure 15.11. The LDAP Account Manager Host Edit Screen">???</a>
+ will, in most cases, not be used.
+ </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div><p>
+ One aspect of LAM that may annoy some users is the way it forces certain conventions on
+ the administrator. For example, LAM does not permit the creation of Windows user and group
+ accounts that contain spaces even though the underlying UNIX/Linux
+ operating system may exhibit no problems with them. Given the propensity for using upper-case
+ characters and spaces (particularly in the default Windows account names) this may cause
+ some annoyance. For the rest, LAM is a very useful administrative tool.
+ </p><p>
+ The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features
+ (e.g., logon hours). The new plugin-based architecture also allows management of much more different
+ account types like plain UNIX accounts. The upload can now handle groups and hosts, too. Another
+ important point is the tree view which allows browsing and editing LDAP objects directly.
+ </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File <code class="filename">config.cfg</code></b></p><pre class="screen">
+# password to add/delete/rename configuration profiles
+password: not24get
+
+# default profile, without ".conf"
+default: lam
+</pre></div><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. LAM Profile Control File <code class="filename">lam.conf</code></b></p><pre class="screen">
+ServerURL: ldap://massive.abmas.org:389
+Admins: cn=Manager,dc=abmas,dc=biz
+Passwd: not24get
+usersuffix: ou=People,dc=abmas,dc=biz
+groupsuffix: ou=Groups,dc=abmas,dc=biz
+hostsuffix: ou=Computers,dc=abmas,dc=biz
+domainsuffix: ou=Domains,dc=abmas,dc=biz
+MinUID: 0
+MaxUID: 65535
+MinGID: 0
+MaxGID: 65535
+MinMachine: 20000
+MaxMachine: 25000
+userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
+grouplistAttributes: #cn;#gidNumber;#memberUID;#description
+hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
+maxlistentries: 30
+defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
+scriptPath:
+scriptServer:
+samba3: yes
+cachetimeout: 5
+pwdhash: SSHA
+</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2593010"></a>IDEALX Management Console</h2></div></div></div><p>
+ IMC (the IDEALX Mamagement Console) is a tool that can be used as the basis for a comprehensive
+ web-based management interface for UNIX and Linux systems.
+ </p><p>
+ The Samba toolset is the first console developped for IMC. It offers a simple and ergonomic
+ interface for managing a Samba domain controler. The goal is to give Linux administrators who
+ need to manage production Samba servers an effective, intuitive and consistent management
+ experience. An IMC screenshot of the user management tool is shown in <a href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">???</a>.
+ </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. The IMC Samba User Account Screen</b></p><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div><p>
+ IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC,
+ but will soon to be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language.
+ </p><p>
+ For further information regarding IMC refer to the web <a href="http://imc.sourceforge.net/" target="_top">site.</a>
+ Prebuilt RPM packages are also <a href="http://imc.sourceforge.net/download.html" target="_top">available.</a>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id2593115"></a><a class="indexterm" name="id2593122"></a><p>
+ The setting of the SUID/SGID bits on the file or directory permissions flag has particular
+ consequences. If the file is executable and the SUID bit is set, it executes with the privilege
+ of (with the UID of) the owner of the file. For example, if you are logged onto a system as
+ a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned
+ by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is
+ executed as if you had logged in as the user <code class="constant">root</code> and then executed the file.
+ The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the
+ use of that executable file.
+ </p><p>
+ The setting of the SGID bit does precisely the same as the effect of the SUID bit, except that it
+ applies the privilege to the UNIX group setting. In other words, the file executes with the force
+ of capability of the group.
+ </p><p>
+ When the SUID/SGID permissions are set on a directory, all files that are created within that directory
+ are automatically given the ownership of the SUID user and the SGID group, as per the ownership
+ of the directory in which the file is created. This means that the system level <span><strong class="command">create()</strong></span>
+ function executes with the SUID user and/or SGID group of the directory in which the file is
+ created.
+ </p><p>
+ If you want to obtain the SUID behavior, simply execute the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod u+s file-or-directory
+</pre><p>
+ To set the SGID properties on a file or a directory, execute this command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod g+s file-or-directory
+</pre><p>
+ And to set both SUID and SGID properties, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s file-or-directory
+</pre><p>
+ </p><p>
+ Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this
+ directory before setting both SUID and SGID on this directory are:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwxrwxrwx 2 bobj Domain Users 48 Dec 18 17:08 accounts/
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</pre><p>
+ In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her.
+ If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is
+ owned by the group <code class="constant">Accounts</code>, as shown in this listing:
+</p><pre class="screen">
+<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt
+drw-rw-r-- 2 maryv Accounts 12346 Dec 18 17:53
+</pre><p>
+ </p><p>
+ Now you set the SUID and SGID and check the result as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s /data/accounts
+<code class="prompt">root# </code> ls -al /data/accounts
+total 1
+drwxr-xr-x 10 root root 232 Dec 18 17:08 .
+drwxr-xr-x 21 root root 600 Dec 17 23:15 ..
+drwsrwsr-x 2 bobj Domain Users 48 Dec 18 17:08 accounts
+drwx------ 2 root root 48 Jan 26 2002 lost+found
+</pre><p>
+ If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the
+ file is owned by the user <code class="constant">bobj</code>, and the group is set to the group
+ <code class="constant">Domain Users</code>, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+s /data/accounts
+<code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt
+total 1
+drw-rw-r-- 2 bobj Domain Users 12346 Dec 18 18:11 maryvfile.txt
+</pre><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id2593353"></a><a class="indexterm" name="id2593361"></a>
+ The integrity of shared data is often viewed as a particularly emotional issue, especially where
+ there are concurrent problems with multiuser data access. Contrary to the assertions of some who have
+ experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter.
+ </p><p>
+ The solution to concurrent multiuser data access problems must consider three separate areas
+ from which the problem may stem:<a class="indexterm" name="id2593384"></a><a class="indexterm" name="id2593396"></a><a class="indexterm" name="id2593407"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>application-level locking controls</p></li><li><p>client-side locking controls</p></li><li><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id2593440"></a><a class="indexterm" name="id2593448"></a>
+ Many database applications use some form of application-level access control. An example of one
+ well-known application that uses application-level locking is Microsoft Access. Detailed guidance
+ is provided here because this is the most common application for which problems have been reported.
+ </p><p><a class="indexterm" name="id2593464"></a><a class="indexterm" name="id2593472"></a>
+ Common applications that are affected by client- and server-side locking controls include MS
+ Excel and Act!. Important locking guidance is provided here.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2593485"></a>Microsoft Access</h3></div></div></div><p>
+ The best advice that can be given is to carefully read the Microsoft knowledgebase articles that
+ cover this area. Examples of relevant documents include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id2593512"></a><a class="indexterm" name="id2593523"></a>
+ Make sure that your MS Access database file is configured for multiuser access (not set for
+ exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>. Set network path to Default database folder: <code class="filename">\\server\share\folder</code>.
+ </p><p>
+ You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>.
+ Set:<a class="indexterm" name="id2593574"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Default open mode: Shared</p></li><li><p>Default Record Locking: Edited Record</p></li><li><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id2593603"></a>
+ You must now commit the changes so that they will take effect. To do so, click
+ <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart
+ it, and then validate that these settings have not changed.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2593632"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id2593639"></a><a class="indexterm" name="id2593647"></a>
+ Where the server sharing the ACT! database(s) is running Samba,or Windows NT, 200x, or XP, you
+ must disable opportunistic locking on the server and all workstations. Failure to do so
+ results in data corruption. This information is available from the Act! Web site
+ knowledgebase articles
+ <a href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a>
+ as well as from article
+ <a href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>.
+ </p><p><a class="indexterm" name="id2593677"></a><a class="indexterm" name="id2593685"></a>
+ These documents clearly state that opportunistic locking must be disabled on both
+ the server (Samba in the case we are interested in here), as well as on every workstation
+ from which the centrally shared Act! database will be accessed. Act! provides
+ a tool called <span><strong class="command">Act!Diag</strong></span> that may be used to disable all workstation
+ registry settings that may otherwise interfere with the operation of Act!
+ Registered Act! users may download this utility from the Act! Web
+ <a href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2593716"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id2593723"></a>
+ Third-party Windows applications may not be compatible with the use of opportunistic file
+ and record locking. For applications that are known not to be compatible,<sup>[<a name="id2593735" href="#ftn.id2593735">14</a>]</sup> oplock
+ support may need to be disabled both on the Samba server and on the Windows workstations.
+ </p><p><a class="indexterm" name="id2593750"></a><a class="indexterm" name="id2593757"></a><a class="indexterm" name="id2593765"></a>
+ Oplocks enable a Windows client to cache parts of a file that are being
+ edited. Another windows client may then request to open the file with the
+ ability to write to it. The server will then ask the original workstation
+ that had the file open with a write lock to release its lock. Before
+ doing so, that workstation must flush the file from cache memory to the
+ disk or network drive.
+ </p><p><a class="indexterm" name="id2593787"></a>
+ Disabling of Oplocks usage may require server and client changes.
+ Oplocks may be disabled by file, by file pattern, on the share, or on the
+ Samba server.
+ </p><p>
+ The following are examples showing how Oplock support may be managed using
+ Samba <code class="filename">smb.conf</code> file settings:
+</p><pre class="screen">
+By file: veto oplock files = myfile.mdb
+
+By Pattern: veto oplock files = /*.mdb/
+
+On the Share: oplocks = No
+ level2 oplocks = No
+
+On the server:
+(in [global]) oplocks = No
+ level2 oplocks = No
+</pre><p>
+ </p><p>
+ The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4
+ workstation clients must be configured as shown here:
+</p><pre class="screen">
+REGEDIT4
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanServer\Parameters]
+ "EnableOplocks"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+ Services\LanmanWorkstation\Parameters]
+ "UseOpportunisticLocking"=dword:00000000
+</pre><p>
+ </p><p>
+ Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13.
+ The information in that chapter was obtained from a wide variety of sources.
+ </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch14.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="primer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 14. Samba Support </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 16. Networking Primer</td></tr></table></div></body></html>
projects / samba / blobdiff