--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Secure Office Networking</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="small.html" title="Chapter 2. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 4. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Secure Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 3. Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id2525841">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2525894">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2526143">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2526158">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id2526600">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2526641">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2527554">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2532278">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2532340">Questions and Answers</a></span></dt></dl></div><p>
+ Congratulations, your Samba networking skills are developing nicely. You started out
+ with three simple networks in <a href="simple.html" title="Chapter 1. No-Frills Samba Servers">???</a>, and then in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>
+ you designed and built a network that provides a high degree of flexibility, integrity,
+ and dependability. It was enough for the basic needs each was designed to fulfill. In
+ this chapter you address a more complex set of needs. The solution you explore
+ introduces you to basic features that are specific to Samba-3.
+ </p><p>
+ You should note that a working and secure solution could be implemented using Samba-2.2.x.
+ In the exercises presented here, you are gradually using more Samba-3-specific features,
+ so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
+ To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
+ chapter underway.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2525841"></a>Introduction</h2></div></div></div><p>
+ You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
+ well done. It is one year since the last network upgrade. You have been quite busy.
+ Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over
+ general network management. Soon she will provide primary user support. You have
+ demonstrated that you can delegate responsibility and can plan and execute according
+ to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
+ Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
+ expected: You are going to take charge of business operations. Mr. Meany
+ is retiring and has entrusted the business to your capable hands.
+ </p><p>
+ Mr. Meany may be retiring from this company, but not from work. He is taking the
+ opportunity to develop Abmas Accounting into a larger and more substantial company.
+ He says that it took him many years to learn that there is no future in just running
+ a business. He now realizes there is great personal satisfaction in the creation of
+ career opportunities for people in the local community. He wants to do more for others,
+ as he is doing for you. Today he spent a lot of time talking about his grand plan
+ for growth, which you will deal with in the chapters ahead.
+ </p><p>
+ Over the past year, the growth projections were exceeded. The network has grown to
+ meet the needs of 130 users. Along with growth, the demand for improved services
+ and better functionality has also developed. You are about to make an interim
+ improvement and then hand over all Help desk and network maintenance to Christine.
+ Christine has professional certifications in Microsoft Windows as well as in Linux;
+ she is a hard worker and quite likable. Christine does not want to manage the department
+ (although she manages well). She gains job satisfaction when left to sort things out.
+ Occasionally she wants to work with you on a challenging problem. When you told her
+ about your move, she almost resigned, although she was reassured that a new manager would
+ be hired to run Information Technology, and she would be responsible only for operations.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2525894"></a>Assignment Tasks</h3></div></div></div><p>
+ You promised the staff Internet services including Web browsing, electronic mail, virus
+ protection, and a company Web site. Christine is eager to help turn the vision into
+ reality. Let's see how close you can get to the promises made.
+ </p><p>
+ The network you are about to deliver will service 130 users today. Within a year,
+ Abmas will aquire another company. Mr. Meany claims that within 2 years there will be
+ well over 500 users on the network. You have bought into the big picture, so prepare
+ for growth. You have purchased a new server and will implement a new network infrastructure.
+ </p><p>
+ You have decided to not recycle old network components. The only items that will be
+ carried forward are notebook computers. You offered staff new notebooks, but not
+ one person wanted the disruption for what was perceived as a marginal update.
+ You decided to give everyone, even the notebook user, a new desktop computer.
+ </p><p>
+ You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional)
+ and a 10 Mb/sec ethernet port. You registered the domain
+ <code class="constant">abmas.us</code>, and the Internet Service Provider (ISP) is supplying
+ secondary DNS. Information furnished by your ISP is shown in <a href="secure.html#chap4netid" title="Table 3.1. Abmas.US ISP Information">???</a>.
+ </p><p>
+ It is of paramount priority that under no circumstances will Samba offer
+ service access from an Internet connection. You are paying an ISP to
+ give, as part of its value-added services, full firewall protection for your
+ connection to the outside world. The only services allowed in from
+ the Internet side are the following destination ports: <code class="constant">http/https (ports
+ 80 and 443), email (port 25), DNS (port 53)</code>. All Internet traffic
+ will be allowed out after network address translation (NAT). No internal IP addresses
+ are permitted through the NAT filter because complete privacy of internal network
+ operations must be assured.
+ </p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 3.1. Abmas.US ISP Information</b></p><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 3.1. Abmas Network Topology 130 Users</b></p><div class="mediaobject"><img src="images/chap4-net.png" width="351" alt="Abmas Network Topology 130 Users"></div></div><p>
+ Christine recommended that desktop systems should be installed from a single cloned
+ master system that has a minimum of locally installed software and loads all software
+ off a central application server. The benefit of having the central application server
+ is that it allows single-point maintenance of all business applications, a more
+ efficient way to manage software. She further recommended installation of antivirus
+ software on workstations as well as on the Samba server. Christine knows the dangers
+ of potential virus infection and insists on a comprehensive approach to detective
+ as well as corrective action to protect network operations.
+ </p><p>
+ A significant concern is the problem of managing company growth. Recently, a number
+ of users had to share a PC while waiting for new machines to arrive. This presented
+ some problems with desktop computers and software installation into the new users'
+ desktop profiles.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2526143"></a>Dissection and Discussion</h2></div></div></div><p>
+ Many of the conclusions you draw here are obvious. Some requirements are not very clear
+ or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
+ than you will demonstrate here, but keep in mind that the network must scale to at least 500
+ users. This means that some functionality will be overdesigned for the current 130-user
+ environment.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2526158"></a>Technical Issues</h3></div></div></div><p>
+ In this exercise we use a 24-bit subnet mask for the two local networks. This,
+ of course, limits our network to a maximum of 253 usable IP addresses. The network
+ address range chosen is one assigned by RFC1918 for private networks.
+ When the number of users on the network begins to approach the limit of usable
+ addresses, it is a good idea to switch to a network address specified in RFC1918
+ in the 172.16.0.0/16 range. This is done in subsequent chapters.
+ </p><p>
+ <a class="indexterm" name="id2526178"></a>
+ <a class="indexterm" name="id2526184"></a>
+ The high growth rates projected are a good reason to use the <code class="constant">tdbsam</code>
+ passdb backend. The use of <code class="constant">smbpasswd</code> for the backend may result in
+ performance problems. The <code class="constant">tdbsam</code> passdb backend offers features that
+ are not available with the older, flat ASCII-based <code class="constant">smbpasswd</code> database.
+ </p><p>
+ <a class="indexterm" name="id2526213"></a>
+ The proposed network design uses a single server to act as an Internet services host for
+ electronic mail, Web serving, remote administrative access via SSH,
+ Samba-based file and print services. This design is often chosen by sites that feel
+ they cannot afford or justify the cost or overhead of having separate servers. It must
+ be realized that if security of this type of server should ever be violated (compromised),
+ the whole network and all data is at risk. Many sites continue to choose this type
+ of solution; therefore, this chapter provides detailed coverage of key implementation
+ aspects.
+ </p><p>
+ Samba will be configured to specifically not operate on the Ethernet interface that is
+ directly connected to the Internet.
+ </p><p>
+ <a class="indexterm" name="id2526239"></a>
+ <a class="indexterm" name="id2526246"></a>
+ <a class="indexterm" name="id2526252"></a>
+ <a class="indexterm" name="id2526262"></a>
+ You know that your ISP is providing full firewall services, but you cannot rely on that.
+ Always assume that human error will occur, so be prepared by using Linux firewall facilities
+ based on <span><strong class="command">iptables</strong></span> to effect NAT. Block all
+ incoming traffic except to permitted well-known ports. You must also allow incoming packets
+ to establish outgoing connections. You will permit all internal outgoing requests.
+ </p><p>
+ The configuration of Web serving, Web proxy services, electronic mail, and the details of
+ generic antivirus handling are beyond the scope of this book and therefore are not
+ covered except insofar as this affects Samba-3.
+ </p><p>
+ <a class="indexterm" name="id2526292"></a>
+ Notebook computers are configured to use a network login when in the office and a
+ local account to log in while away from the office. Users store all work done in
+ transit (away from the office) by using a local share for work files. Standard procedures
+ dictate that on completion of the work that necessitates mobile file access, all
+ work files are moved back to secure storage on the office server. Staff is instructed
+ to not carry on any company notebook computer any files that are not absolutely required.
+ This is a preventative measure to protect client information as well as private business
+ records.
+ </p><p>
+ <a class="indexterm" name="id2526312"></a>
+ All applications are served from the central server from a share called <code class="constant">apps</code>.
+ Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
+ (or administrative) installation. Accounting and financial management software can also
+ be run only from the central application server. Notebook users are provided with
+ locally installed applications on a need-to-have basis only.
+ </p><p>
+ <a class="indexterm" name="id2526333"></a>
+ The introduction of roaming profiles support means that users can move between
+ desktop computer systems without constraint while retaining full access to their data.
+ The desktop travels with them as they move.
+ </p><p>
+ <a class="indexterm" name="id2526347"></a>
+ The DNS server implementation must now address both internal and external
+ needs. You forward DNS lookups to your ISP-provided server as well as the
+ <code class="constant">abmas.us</code> external secondary DNS server.
+ </p><p>
+ <a class="indexterm" name="id2526363"></a>
+ <a class="indexterm" name="id2526370"></a>
+ <a class="indexterm" name="id2526379"></a>
+ Compared with the DHCP server configuration in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>, <a href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">???</a>, the
+ configuration used in this example has to deal with the presence of an Internet connection.
+ The scope set for it ensures that no DHCP services will be offered on the external
+ connection. All printers are configured as DHCP clients so that the DHCP server assigns
+ the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional
+ feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic
+ DNS (DDNS) operation.
+ </p><p>
+ This is the first implementation that depends on a correctly functioning DNS server.
+ Comprehensive steps are included to provide for a fully functioning DNS server that also
+ is enabled for DDNS operation. This means that DHCP clients can be autoregistered
+ with the DNS server.
+ </p><p>
+ You are taking the opportunity to manually set the netbios name of the Samba server to
+ a name other than what will be automatically resolved. You are doing this to ensure that
+ the machine has the same NetBIOS name on both network segments.
+ </p><p>
+ As in the previous network configuration, printing in this network configuration uses
+ direct raw printing (i.e., no smart printing and no print driver autodownload to Windows
+ clients). Printer drivers are installed on the Windows client manually. This is not
+ a problem because Christine is to install and configure one single workstation and
+ then clone that configuration, using Norton Ghost, to all workstations. Each machine is
+ identical, so this should pose no problem.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2526435"></a>Hardware Requirements</h4></div></div></div><p>
+ <a class="indexterm" name="id2526443"></a>
+ This server runs a considerable number of services. From similarly configured Linux
+ installations, the approximate calculated memory requirements are as shown in
+ <a href="secure.html#ch4memoryest" title="Example 3.1. Estimation of Memory Requirements">???</a>.
+
+</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 3.1. Estimation of Memory Requirements</b></p><pre class="screen">
+Application Memory per User 130 Users 500 Users
+ Name (MBytes) Total MBytes Total MBytes
+----------- --------------- ------------ ------------
+DHCP 2.5 3 3
+DNS 16.0 16 16
+Samba (nmbd) 16.0 16 16
+Samba (winbind) 16.0 16 16
+Samba (smbd) 4.0 520 2000
+Apache 10.0 (20 User) 200 200
+CUPS 3.5 16 32
+Basic OS 256.0 256 256
+ -------------- --------------
+ Total: 1043 MBytes 2539 MBytes
+ -------------- --------------
+</pre></div><p>
+ You should add a safety margin of at least 50% to these estimates. The minimum
+ system memory recommended for initial startup 1 GB, but to permit the system
+ to scale to 500 users, it makes sense to provision the machine with 4 GB memory.
+ An initial configuration with only 1 GB memory would lead to early performance complaints
+ as the system load builds up. Given the low cost of memory, it does not make sense to
+ compromise in this area.
+ </p><p>
+ <a class="indexterm" name="id2526499"></a>
+ Aggregate input/output loads should be considered for sizing network configuration as
+ well as disk subsystems. For network bandwidth calculations, one would typically use an
+ estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec)
+ would deliver below acceptable capacity for the initial user load. It is therefore a good
+ idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached
+ to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T
+ switched ports.
+ </p><p>
+ <a class="indexterm" name="id2526518"></a>
+ <a class="indexterm" name="id2526525"></a>
+ Considering the choice of 1 Gb Ethernet interfaces for the two local network segments,
+ the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O
+ demand that would require a fast disk storage I/O capability. Peak disk throughput is
+ limited by the disk subsystem chosen. It is desirable to provide the maximum
+ I/O bandwidth affordable. If a low-cost solution must be chosen,
+ 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a
+ 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI
+ controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec).
+ Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
+ it makes sense to purchase well-known, branded hardware that has appropriate performance
+ specifications. As a minimum, one should attempt to provide a disk subsystem that can
+ deliver I/O rates of at least 100 MB/sec.
+ </p><p>
+ Disk storage requirements may be calculated as shown in <a href="secure.html#ch4diskest" title="Example 3.2. Estimation of Disk Storage Requirements">???</a>.
+
+</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 3.2. Estimation of Disk Storage Requirements</b></p><pre class="screen">
+Corporate Data: 100 MBytes/user per year
+Email Storage: 500 MBytes/user per year
+Applications: 5000 MBytes
+Safety Buffer: At least 50%
+
+Given 500 Users and 2 years:
+-----------------------------
+ Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
+ Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
+ Applications: 5000 MBytes = 5 GBytes
+ ----------------------------
+ Total: 605 GBytes
+ Add 50% buffer 303 GBytes
+ Recommended Storage: 908 GBytes
+</pre></div><p>
+ <a class="indexterm" name="id2526587"></a>
+ The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5
+ with two hot spare drives would require an 8-drive by 200 GB capacity per drive array.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2526600"></a>Political Issues</h3></div></div></div><p>
+ Your industry is coming under increasing accountability pressures. Increased paranoia
+ is necessary so you can demonstrate that you have acted with due diligence. You must
+ not trust your Internet connection.
+ </p><p>
+ Apart from permitting more efficient management of business applications through use of
+ an application server, your primary reason for the decision to implement this is that it
+ gives you greater control over software licensing.
+ </p><p>
+ <a class="indexterm" name="id2526622"></a>
+ You are well aware that the current configuration results in some performance issues
+ as the size of the desktop profile grows. Given that users use Microsoft Outlook
+ Express, you know that the storage implications of the <code class="constant">.PST</code> file
+ is something that needs to be addressed later.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2526641"></a>Implementation</h2></div></div></div><p>
+ <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a> demonstrates the overall design of the network that you will implement.
+ </p><p>
+ The information presented here assumes that you are already familiar with many basic steps.
+ As this stands, the details provided already extend well beyond just the necessities of
+ Samba configuration. This decision is deliberate to ensure that key determinants
+ of a successful installation are not overlooked. This is the last case that documents
+ the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
+ here, there are many other good reference books on these subjects.
+ </p><p>
+ The <code class="filename">smb.conf</code> file has the following noteworthy features:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The NetBIOS name of the Samba server is set to <code class="constant">DIAMOND</code>.
+ </p></li><li><p>
+ The Domain name is set to <code class="constant">PROMISES</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526702"></a>
+ <a class="indexterm" name="id2526709"></a>
+ <a class="indexterm" name="id2526716"></a>
+ Ethernet interface <code class="constant">eth0</code> is attached to the Internet connection
+ and is externally exposed. This interface is explicitly not available for Samba to use.
+ Samba listens on this interface for broadcast messages but does not broadcast any
+ information on <code class="constant">eth0</code>, nor does it accept any connections from it.
+ This is achieved by way of the <em class="parameter"><code>interfaces</code></em> parameter and the
+ <em class="parameter"><code>bind interfaces only</code></em> entry.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526752"></a>
+ <a class="indexterm" name="id2526759"></a>
+ <a class="indexterm" name="id2526766"></a>
+ The <em class="parameter"><code>passdb backend</code></em> parameter specifies the creation and use
+ of the <code class="constant">tdbsam</code> password backend. This is a binary database that
+ has excellent scalability for a large number of user account entries.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526790"></a>
+ <a class="indexterm" name="id2526797"></a>
+ <a class="indexterm" name="id2526804"></a>
+ WINS serving is enabled by the <a class="indexterm" name="id2526812"></a>wins support = Yes,
+ and name resolution is set to use it by means of the
+ <a class="indexterm" name="id2526820"></a>name resolve order = wins bcast hosts entry.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526832"></a>
+ The Samba server is configured for use by Windows clients as a time server.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526845"></a>
+ <a class="indexterm" name="id2526852"></a>
+ <a class="indexterm" name="id2526858"></a>
+ Samba is configured to directly interface with CUPS via the direct internal interface
+ that is provided by CUPS libraries. This is achieved with the
+ <a class="indexterm" name="id2526868"></a>printing = CUPS as well as the
+ <a class="indexterm" name="id2526876"></a>printcap name = CUPS entries.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526887"></a>
+ <a class="indexterm" name="id2526894"></a>
+ <a class="indexterm" name="id2526901"></a>
+ External interface scripts are provided to enable Samba to interface smoothly to
+ essential operating system functions for user and group management. This is important
+ to enable workstations to join the Domain and is also important so that you can use
+ the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools
+ are provided as part of the <code class="filename">SRVTOOLS.EXE</code> toolkit that can be
+ downloaded from the Microsoft FTP
+ <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526933"></a>
+ The <code class="filename">smb.conf</code> file specifies that the Samba server will operate in (default) <em class="parameter"><code>
+ security = user</code></em> mode<sup>[<a name="id2526953" href="#ftn.id2526953">5</a>]</sup>
+ (User Mode).
+ </p></li><li><p>
+ <a class="indexterm" name="id2526971"></a>
+ <a class="indexterm" name="id2526978"></a>
+ Domain logon services as well as a Domain logon script are specified. The logon script
+ will be used to add robustness to the overall network configuration.
+ </p></li><li><p>
+ <a class="indexterm" name="id2526992"></a>
+ <a class="indexterm" name="id2526999"></a>
+ <a class="indexterm" name="id2527006"></a>
+ Roaming profiles are enabled through the specification of the parameter,
+ <a class="indexterm" name="id2527014"></a>logon path = \\%L\profiles\%U. The value of this parameter translates the
+ <code class="constant">%L</code> to the name by which the Samba server is called by the client (for this
+ configuration, it translates to the name <code class="constant">DIAMOND</code>), and the <code class="constant">%U</code>
+ will translate to the name of the user within the context of the connection made to the profile share.
+ It is the administrator's responsibility to ensure there is a directory in the root of the
+ profile share for each user. This directory must be owned by the user also. An exception to this
+ requirement is when a profile is created for group use.
+ </p></li><li><p>
+ <a class="indexterm" name="id2527045"></a>
+ <a class="indexterm" name="id2527052"></a>
+ Precautionary veto is effected for particular Windows file names that have been targeted by
+ virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
+ controls. This should help to prevent lock contention-related file access problems.
+ </p></li><li><p>
+ Every user has a private home directory on the UNIX/Linux host. This is mapped to
+ a network drive that is the same for all users.
+ </p></li></ul></div><p>
+ The configuration of the server is the most complex so far. The following steps are used:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Basic System Configuration
+ </p></li><li><p>
+ Samba Configuration
+ </p></li><li><p>
+ DHCP and DNS Server Configuration
+ </p></li><li><p>
+ Printer Configuration
+ </p></li><li><p>
+ Process Start-up Configuration
+ </p></li><li><p>
+ Validation
+ </p></li><li><p>
+ Application Share Configuration
+ </p></li><li><p>
+ Windows Client Configuration
+ </p></li></ol></div><p>
+ The following sections cover each step in logical and defined detail.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id2527144"></a>
+ The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
+ freshly installed. It prepares basic files so that the system is ready for comprehensive
+ operation in line with the network diagram shown in <a href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">???</a>.
+ </p><div class="procedure"><a name="id2527162"></a><p class="title"><b>Procedure 3.1. Server Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2527173"></a>
+ Using the UNIX/Linux system tools, name the server <code class="constant">server.abmas.us</code>.
+ Verify that your hostname is correctly set by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> uname -n
+server
+</pre><p>
+ An alternate method to verify the hostname is:
+</p><pre class="screen">
+<code class="prompt">root# </code> hostname -f
+server.abmas.us
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2527217"></a>
+ <a class="indexterm" name="id2527224"></a>
+ Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses
+ of all network interfaces that are on the host server. This is necessary so that during
+ startup the system can resolve all its own names to the IP address prior to
+ startup of the DNS server. An example of entries that should be in the
+ <code class="filename">/etc/hosts</code> file is:
+</p><pre class="screen">
+127.0.0.1 localhost
+192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
+192.168.2.1 sleeth2.abmas.biz sleeth2
+123.45.67.66 server.abmas.us server
+</pre><p>
+ You should check the startup order of your system. If the CUPS print server is started before
+ the DNS server (<span><strong class="command">named</strong></span>), you should also include an entry for the printers
+ in the <code class="filename">/etc/hosts</code> file, as follows:
+</p><pre class="screen">
+192.168.1.20 qmsa.abmas.biz qmsa
+192.168.1.30 hplj6a.abmas.biz hplj6a
+192.168.2.20 qmsf.abmas.biz qmsf
+192.168.2.30 hplj6f.abmas.biz hplj6f
+</pre><p>
+ <a class="indexterm" name="id2527279"></a>
+ <a class="indexterm" name="id2527286"></a>
+ <a class="indexterm" name="id2527293"></a>
+ The printer entries are not necessary if <span><strong class="command">named</strong></span> is started prior to
+ startup of <span><strong class="command">cupsd</strong></span>, the CUPS daemon.
+ </p></li><li><p>
+ <a class="indexterm" name="id2527320"></a>
+ <a class="indexterm" name="id2527327"></a>
+ <a class="indexterm" name="id2527334"></a>
+ The host server is acting as a router between the two internal network segments as well
+ as for all Internet access. This necessitates that IP forwarding be enabled. This can be
+ achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows:
+</p><pre class="screen">
+echo 1 > /proc/sys/net/ipv4/ip_forward
+</pre><p>
+ To ensure that your kernel is capable of IP forwarding during configuration, you may
+ wish to execute that command manually also. This setting permits the Linux system to
+ act as a router.<sup>[<a name="id2527362" href="#ftn.id2527362">6</a>]</sup>
+ </p></li><li><p>
+ <a class="indexterm" name="id2527375"></a>
+ <a class="indexterm" name="id2527382"></a>
+ Installation of a basic firewall and NAT facility is necessary.
+ The following script can be installed in the <code class="filename">/usr/local/sbin</code>
+ directory. It is executed from the <code class="filename">/etc/rc.d/boot.local</code> startup
+ script. In your case, this script is called <code class="filename">abmas-netfw.sh</code>. The
+ script contents are shown in <a href="secure.html#ch4natfw" title="Example 3.3. NAT Firewall Configuration Script">???</a>.
+
+</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 3.3. NAT Firewall Configuration Script</b></p><pre class="screen">
+#!/bin/sh
+echo -e "\n\nLoading NAT firewall.\n"
+IPTABLES=/usr/sbin/iptables
+EXTIF="eth0"
+INTIFA="eth1"
+INTIFB="eth2"
+
+/sbin/depmod -a
+/sbin/modprobe ip_tables
+/sbin/modprobe ip_conntrack
+/sbin/modprobe ip_conntrack_ftp
+/sbin/modprobe iptable_nat
+/sbin/modprobe ip_nat_ftp
+$IPTABLES -P INPUT DROP
+$IPTABLES -F INPUT
+$IPTABLES -P OUTPUT ACCEPT
+$IPTABLES -F OUTPUT
+$IPTABLES -P FORWARD DROP
+$IPTABLES -F FORWARD
+
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
+$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
+$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
+for i in 22 25 53 80 443
+do
+ $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
+done
+# Allow DNS(udp)
+$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
+echo "Allow all connections OUT and only existing and specified ones IN"
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \
+ --state ESTABLISHED,RELATED -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
+$IPTABLES -A FORWARD -j LOG
+echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
+$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+echo "1" > /proc/sys/net/ipv4/ip_forward
+echo -e "\nNAT firewall done.\n"
+</pre></div><p>
+ </p></li><li><p>
+ Execute the following to make the script executable:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod 755 /usr/local/sbin/abmas-natfw.sh
+</pre><p>
+ You must now edit <code class="filename">/etc/rc.d/boot.local</code> to add an entry
+ that runs your <span><strong class="command">abmas-natfw.sh</strong></span> script. The following
+ entry works for you:
+</p><pre class="screen">
+#! /bin/sh
+#
+# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Werner Fink, 1996
+# Burchard Steinbild, 1996
+#
+# /etc/init.d/boot.local
+#
+# script with local commands to be executed from init on system startup
+#
+# Here you should add things that should happen directly after booting
+# before we're going to the first run level.
+#
+/usr/local/sbin/abmas-natfw.sh
+</pre><p>
+ </p></li></ol></div><p>
+ <a class="indexterm" name="id2527531"></a>
+ The server is now ready for Samba configuration. During the validation step, you remove
+ the entry for the Samba server <code class="constant">diamond</code> from the <code class="filename">/etc/hosts</code>
+ file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2527554"></a>Samba Configuration</h3></div></div></div><p>
+ When you have completed this section, the Samba server is ready for testing and validation;
+ however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have
+ been configured.
+ </p><div class="procedure"><a name="id2527566"></a><p class="title"><b>Procedure 3.2. Samba Configuration Steps</b></p><ol type="1"><li><p>
+ Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
+ RPM file is called <code class="filename">samba-3.0.20-1.i386.rpm</code>, one way to install this
+ file is as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm
+</pre><p>
+ This operation must be performed while logged in as the <span><strong class="command">root</strong></span> user.
+ Successful operation is clearly indicated. If this installation should fail for any reason,
+ refer to the operating system manufacturer's documentation for guidance.
+ </p></li><li><p>
+ Install the <code class="filename">smb.conf</code> file shown in <a href="secure.html#promisnet" title="Example 3.4. 130 User Network with tdbsam [globals] Section">???</a>, <a href="secure.html#promisnetsvca" title="Example 3.5. 130 User Network with tdbsam Services Section Part A">???</a>,
+ and <a href="secure.html#promisnetsvcb" title="Example 3.6. 130 User Network with tdbsam Services Section Part B">???</a>. Concatenate (join) all three files to make a single <code class="filename">smb.conf</code>
+ file. The final, fully qualified path for this file should be <code class="filename">/etc/samba/smb.conf</code>.
+
+</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 3.4. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2527688"></a><em class="parameter"><code>workgroup = PROMISES</code></em></td></tr><tr><td><a class="indexterm" name="id2527701"></a><em class="parameter"><code>netbios name = DIAMOND</code></em></td></tr><tr><td><a class="indexterm" name="id2527714"></a><em class="parameter"><code>interfaces = eth1, eth2, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2527726"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2527740"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id2527752"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2527765"></a><em class="parameter"><code>passwd program = /usr/bin/passwd %u</code></em></td></tr><tr><td><a class="indexterm" name="id2527778"></a><em class="parameter"><code>passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</code></em></td></tr><tr><td><a class="indexterm" name="id2527792"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2527805"></a><em class="parameter"><code>unix password sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2527818"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2527831"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2527843"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2527856"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2527869"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2527882"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2527895"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2527908"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2527921"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2527934"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2527947"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2527960"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2527974"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2527987"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2528000"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2528014"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id2528028"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id2528041"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2528054"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2528067"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2528080"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2528092"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528105"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528118"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528131"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528143"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528156"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2528169"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id2528182"></a><em class="parameter"><code>veto files = /*.eml/*.nws/*.{*}/</code></em></td></tr><tr><td><a class="indexterm" name="id2528195"></a><em class="parameter"><code>veto oplock files = /*.doc/*.xls/*.mdb/</code></em></td></tr></table></div><p>
+
+</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 3.5. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2528240"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2528252"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2528265"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2528277"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2528299"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2528312"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2528324"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528337"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528350"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528363"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528376"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2528397"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2528410"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2528423"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528436"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2528457"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2528470"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2528483"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2528496"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2528518"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2528530"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2528543"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div><p>
+
+</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 3.6. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2528587"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2528600"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2528613"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2528634"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2528647"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2528660"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2528682"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2528694"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2528707"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2528720"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr></table></div><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2528740"></a><a class="indexterm" name="id2528746"></a>
+ Add the <code class="constant">root</code> user to the password backend as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -a root
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+<code class="prompt">root# </code>
+</pre><p>
+ The <code class="constant">root</code> account is the UNIX equivalent of the Windows Domain Administrator.
+ This account is essential in the regular maintenance of your Samba server. It must never be
+ deleted. If for any reason the account is deleted, you may not be able to recreate this account
+ without considerable trouble.
+ </p></li><li><p>
+ <a class="indexterm" name="id2528793"></a>
+ Create the username map file to permit the <code class="constant">root</code> account to be called
+ <code class="constant">Administrator</code> from the Windows network environment. To do this, create
+ the file <code class="filename">/etc/samba/smbusers</code> with the following contents:
+</p><pre class="screen">
+####
+# User mapping file
+####
+# File Format
+# -----------
+# Unix_ID = Windows_ID
+#
+# Examples:
+# root = Administrator
+# janes = "Jane Smith"
+# jimbo = Jim Bones
+#
+# Note: If the name contains a space it must be double quoted.
+# In the example above the name 'jimbo' will be mapped to Windows
+# user names 'Jim' and 'Bones' because the space was not quoted.
+#######################################################################
+root = Administrator
+####
+# End of File
+####
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2528846"></a>
+ <a class="indexterm" name="id2528853"></a>
+ <a class="indexterm" name="id2528864"></a>
+ <a class="indexterm" name="id2528875"></a>
+ Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <a href="small.html" title="Chapter 2. Small Office Networking">???</a>,
+ <a href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">???</a>. Create a file containing this script. We called ours
+ <code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed,
+ and then execute the script. Sample output should be as follows:
+
+</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 3.7. Script to Map Windows NT Groups to UNIX Groups</b></p><a class="indexterm" name="id2528919"></a><pre class="screen">
+#!/bin/bash
+#
+# initGrps.sh
+#
+
+# Create UNIX groups
+groupadd acctsdep
+groupadd finsrvcs
+
+# Map Windows Domain Groups to UNIX groups
+net groupmap modify ntgroup="Domain Admins" unixgroup=root
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+
+# Add Functional Domain Groups
+net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
+net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
+net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
+
+# Map Windows NT machine local groups to local UNIX groups
+# Mapping of local groups is not necessary and not functional
+# for this installation.
+</pre></div><p>
+
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod 755 initGrps.sh
+<code class="prompt">root# </code> /etc/samba # ./initGrps.sh
+Updated mapping entry for Domain Admins
+Updated mapping entry for Domain Users
+Updated mapping entry for Domain Guests
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Accounts Dept to the mapping db
+No rid or sid specified, choosing algorithmic mapping
+Successfully added group Domain Guests to the mapping db
+
+<code class="prompt">root# </code> /etc/samba # net groupmap list | sort
+Account Operators (S-1-5-32-548) -> -1
+Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
+Administrators (S-1-5-32-544) -> -1
+Backup Operators (S-1-5-32-551) -> -1
+Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
+Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
+Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
+Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
+Guests (S-1-5-32-546) -> -1
+Power Users (S-1-5-32-547) -> -1
+Print Operators (S-1-5-32-550) -> -1
+Replicators (S-1-5-32-552) -> -1
+System Operators (S-1-5-32-549) -> -1
+Users (S-1-5-32-545) -> -1
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2528995"></a>
+ <a class="indexterm" name="id2529002"></a>
+ <a class="indexterm" name="id2529009"></a>
+ <a class="indexterm" name="id2529016"></a>
+ <a class="indexterm" name="id2529022"></a>
+ <a class="indexterm" name="id2529029"></a>
+ <a class="indexterm" name="id2529038"></a>
+ There is one preparatory step without which you will not have a working Samba
+ network environment. You must add an account for each network user.
+ For each user who needs to be given a Windows Domain account, make an entry in the
+ <code class="filename">/etc/passwd</code> file as well as in the Samba password backend.
+ Use the system tool of your choice to create the UNIX system account, and use the Samba
+ <span><strong class="command">smbpasswd</strong></span> to create a Domain user account.
+ There are a number of tools for user management under UNIX, such as
+ <span><strong class="command">useradd</strong></span>, and <span><strong class="command">adduser</strong></span>, as well as a plethora of custom
+ tools. You also want to create a home directory for each user.
+ You can do this by executing the following steps for each user:
+</p><pre class="screen">
+<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em>
+<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em>
+Changing password for <em class="parameter"><code>username</code></em>.
+New password: XXXXXXXX
+Re-enter new password: XXXXXXXX
+Password changed
+<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em>
+New SMB password: XXXXXXXX
+Retype new SMB password: XXXXXXXX
+Added user <em class="parameter"><code>username</code></em>.
+</pre><p>
+ You do of course use a valid user login ID in place of <em class="parameter"><code>username</code></em>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2529153"></a>
+ <a class="indexterm" name="id2529162"></a>
+ <a class="indexterm" name="id2529172"></a>
+ Using the preferred tool for your UNIX system, add each user to the UNIX groups created
+ previously as necessary. File system access control will be based on UNIX group membership.
+ </p></li><li><p>
+ Create the directory mount point for the disk subsystem that can be mounted to provide
+ data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code>
+ file is <code class="filename">/data</code>. Format the file system as required, and mount the formatted
+ file system partition using appropriate system tools.
+ </p></li><li><p>
+ <a class="indexterm" name="id2529214"></a>
+ Create the top-level file storage directories for data and applications as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /data/{accounts,finsrvcs}
+<code class="prompt">root# </code> mkdir -p /apps
+<code class="prompt">root# </code> chown -R root:root /data
+<code class="prompt">root# </code> chown -R root:root /apps
+<code class="prompt">root# </code> chown -R bjordan:acctsdep /data/accounts
+<code class="prompt">root# </code> chown -R bjordan:finsrvcs /data/finsrvcs
+<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
+<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
+</pre><p>
+ Each department is responsible for creating its own directory structure within the departmental
+ share. The directory root of the <span><strong class="command">accounts</strong></span> share is <code class="filename">/data/accounts</code>.
+ The directory root of the <span><strong class="command">finsvcs</strong></span> share is <code class="filename">/data/finsvcs</code>.
+ The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share
+ that provides the application server infrastructure.
+ </p></li><li><p>
+ The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network
+ logon services. You can now create the file system infrastructure to provide the
+ locations on disk that these services require. Adequate planning is essential,
+ since desktop profiles can grow to be quite large. For planning purposes, a minimum of
+ 200 MB of storage should be allowed per user for profile storage. The following
+ commands create the directory infrastructure needed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir -p /var/spool/samba
+<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
+<code class="prompt">root# </code> chown -R root:root /var/spool/samba
+<code class="prompt">root# </code> chown -R root:root /var/lib/samba
+<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba
+<code class="prompt">root# </code> chmod 2775 /var/lib/samba/profiles
+<code class="prompt">root# </code> chgrp users /var/lib/samba/profiles
+</pre><p>
+ For each user account that is created on the system, the following commands should be
+ executed:
+</p><pre class="screen">
+<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username'
+<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2529426"></a>
+ <a class="indexterm" name="id2529433"></a>
+ <a class="indexterm" name="id2529440"></a>
+ Create a logon script. It is important that each line is correctly terminated with
+ a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
+ works if the right tools (<code class="constant">unix2dos</code> and <code class="constant">dos2unix</code>) are installed.
+ First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code>
+ with the following contents:
+</p><pre class="screen">
+net time \\diamond /set /yes
+net use h: /home
+net use p: \\diamond\apps
+</pre><p>
+ Convert the UNIX file to a DOS file using the <span><strong class="command">unix2dos</strong></span> as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \
+ > /var/lib/samba/netlogon/scripts/logon.bat
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p>
+ DHCP services are a basic component of the entire network client installation. DNS operation is
+ foundational to Internet access as well as to trouble-free operation of local networking. When
+ you have completed this section, the server should be ready for solid duty operation.
+ </p><div class="procedure"><a name="id2529515"></a><p class="title"><b>Procedure 3.3. DHCP and DNS Server Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2529526"></a>
+ Create a file called <code class="filename">/etc/dhcpd.conf</code> with the contents as
+ shown in <a href="secure.html#prom-dhcp" title="Example 3.8. DHCP Server Configuration File /etc/dhcpd.conf">???</a>.
+
+</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 3.8. DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><pre class="screen">
+# Abmas Accounting Inc.
+default-lease-time 86400;
+max-lease-time 172800;
+default-lease-time 86400;
+option ntp-servers 192.168.1.1;
+option domain-name "abmas.biz";
+option domain-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-name-servers 192.168.1.1, 192.168.2.1;
+option netbios-node-type 8; ### Node type = Hybrid ###
+ddns-updates on; ### Dynamic DNS enabled ###
+ddns-update-style interim;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.1.128 192.168.1.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.1.1;
+ allow unknown-clients;
+ host qmsa {
+ hardware ethernet 08:00:46:7a:35:e4;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6a {
+ hardware ethernet 00:03:47:cb:81:e0;
+ fixed-address 192.168.1.30;
+ }
+ }
+subnet 192.168.2.0 netmask 255.255.255.0 {
+ range dynamic-bootp 192.168.2.128 192.168.2.254;
+ option subnet-mask 255.255.255.0;
+ option routers 192.168.2.1;
+ allow unknown-clients;
+ host qmsf {
+ hardware ethernet 01:04:31:db:e1:c0;
+ fixed-address 192.168.1.20;
+ }
+ host hplj6f {
+ hardware ethernet 00:03:47:cf:83:e2;
+ fixed-address 192.168.2.30;
+ }
+ }
+subnet 127.0.0.0 netmask 255.0.0.0 {
+ }
+subnet 123.45.67.64 netmask 255.255.255.252 {
+ }
+</pre></div><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2529601"></a>
+ Create a file called <code class="filename">/etc/named.conf</code> that has the combined contents
+ of the <a href="secure.html#ch4namedcfg" title="Example 3.9. DNS Master Configuration File /etc/named.conf Master Section">???</a>, <a href="secure.html#ch4namedvarfwd" title="Example 3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section">???</a>, and
+ <a href="secure.html#ch4namedvarrev" title="Example 3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section">???</a> files that are concatenated (merged) in this
+ specific order.
+ </p></li><li><p>
+ Create the files shown in their respective directories as shown in <a href="secure.html#namedrscfiles" title="Table 3.2. DNS (named) Resource Files">DNS
+ (named) Resource Files</a>.
+
+ </p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 3.2. DNS (named) Resource Files</b></p><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">???</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">???</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">???</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a href="secure.html#abmasus" title="Example 3.15. DNS Abmas.us Forward Zone File">???</a></td><td align="left">/var/lib/named/abmas.us.hosts</td></tr><tr><td align="left"><a href="secure.html#eth1zone" title="Example 3.12. DNS 192.168.1 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.1.0.rev</td></tr><tr><td align="left"><a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a></td><td align="left">/var/lib/named/192.168.2.0.rev</td></tr></tbody></table></div><p>
+
+</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example 3.9. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</b></p><a class="indexterm" name="id2529813"></a><pre class="screen">
+###
+# Abmas Biz DNS Control File
+###
+# Date: November 15, 2003
+###
+options {
+ directory "/var/lib/named";
+ forwarders {
+ 123.45.12.23;
+ };
+ forward first;
+ listen-on {
+ mynet;
+ };
+ auth-nxdomain yes;
+ multiple-cnames yes;
+ notify no;
+};
+
+zone "." in {
+ type hint;
+ file "root.hint";
+};
+
+zone "localhost" in {
+ type master;
+ file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+};
+
+acl mynet {
+ 192.168.1.0/24;
+ 192.168.2.0/24;
+ 127.0.0.1;
+};
+
+acl seconddns {
+ 123.45.54.32;
+};
+
+</pre></div><p>
+
+</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 3.10. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</b></p><pre class="screen">
+zone "abmas.biz" {
+ type master;
+ file "/var/lib/named/master/abmas.biz.hosts";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "abmas.us" {
+ type master;
+ file "/var/lib/named/master/abmas.us.hosts";
+ allow-query {
+ any;
+ };
+ allow-transfer {
+ seconddns;
+ };
+};
+</pre></div><p>
+
+</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 3.11. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</b></p><pre class="screen">
+zone "1.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.1.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+
+zone "2.168.192.in-addr.arpa" {
+ type master;
+ file "/var/lib/named/master/192.168.2.0.rev";
+ allow-query {
+ mynet;
+ };
+ allow-transfer {
+ mynet;
+ };
+ allow-update {
+ mynet;
+ };
+};
+</pre></div><p>
+
+</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 3.12. DNS 192.168.1 Reverse Zone File</b></p><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth1.abmas.biz.
+$ORIGIN 1.168.192.in-addr.arpa.
+1 PTR sleeth1.abmas.biz.
+20 PTR qmsa.abmas.biz.
+30 PTR hplj6a.abmas.biz.
+</pre></div><p>
+
+</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 3.13. DNS 192.168.2 Reverse Zone File</b></p><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
+ 2003021825 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS sleeth2.abmas.biz.
+$ORIGIN 2.168.192.in-addr.arpa.
+1 PTR sleeth2.abmas.biz.
+20 PTR qmsf.abmas.biz.
+30 PTR hplj6f.abmas.biz.
+</pre></div><p>
+
+</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 3.14. DNS Abmas.biz Forward Zone File</b></p><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.biz.
+ MX 10 mail.abmas.biz.
+$ORIGIN abmas.biz.
+sleeth1 A 192.168.1.1
+sleeth2 A 192.168.2.1
+qmsa A 192.168.1.20
+hplj6a A 192.168.1.30
+qmsf A 192.168.2.20
+hplj6f A 192.168.2.30
+dns CNAME sleeth1
+diamond CNAME sleeth1
+mail CNAME sleeth1
+</pre></div><p>
+
+</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 3.15. DNS Abmas.us Forward Zone File</b></p><pre class="screen">
+$ORIGIN .
+$TTL 38400 ; 10 hours 40 minutes
+abmas.us IN SOA server.abmas.us. root.abmas.us. (
+ 2003021833 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 38400 ; minimum (10 hours 40 minutes)
+ )
+ NS dns.abmas.us.
+ NS dns2.abmas.us.
+ MX 10 mail.abmas.us.
+$ORIGIN abmas.us.
+server A 123.45.67.66
+dns2 A 123.45.54.32
+gw A 123.45.67.65
+www CNAME server
+mail CNAME server
+dns CNAME server
+</pre></div><p>
+
+ </p></li><li><p>
+ <a class="indexterm" name="id2530026"></a><a class="indexterm" name="id2530032"></a>
+ All DNS name resolution should be handled locally. To ensure that the server is configured
+ correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> to have the following
+ content:
+</p><pre class="screen">
+search abmas.us abmas.biz
+nameserver 127.0.0.1
+nameserver 123.45.54.23
+</pre><p>
+ <a class="indexterm" name="id2530057"></a>
+ This instructs the name resolver function (when configured correctly) to ask the DNS server
+ that is running locally to resolve names to addresses. In the event that the local name server
+ is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
+ purely local names to IP addresses.
+ </p></li><li><p>
+ <a class="indexterm" name="id2530078"></a>
+ The final step is to edit the <code class="filename">/etc/nsswitch.conf</code> file.
+ This file controls the operation of the various resolver libraries that are part of the Linux
+ Glibc libraries. Edit this file so that it contains the following entries:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ </p></li></ol></div><p>
+ The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
+ there are a few more steps along the road. First, configure the print spooling and print
+ processing system. Then you can configure the server so that all services
+ start automatically on reboot. You must also manually start all services prior to validation testing.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
+ Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
+ its powerful features. The steps outlined in this section are designed to navigate around the distractions
+ of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
+ transparent print queue that performs no filtering, and only minimal handling of each print job that is
+ submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
+ the correct printer driver must be installed on all clients.
+ </p><div class="procedure"><a name="id2530137"></a><p class="title"><b>Procedure 3.4. Printer Configuration Steps</b></p><ol type="1"><li><p>
+ Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines.
+ </p></li><li><p>
+ Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100.
+ Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the
+ port as necessary in the following example commands.
+ This allows the CUPS spooler to print using raw mode protocols.
+ <a class="indexterm" name="id2530162"></a>
+ <a class="indexterm" name="id2530169"></a>
+ </p></li><li><p>
+ <a class="indexterm" name="id2530183"></a><a class="indexterm" name="id2530191"></a>
+ Configure the CUPS Print Queues as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
+<code class="prompt">root# </code> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
+</pre><p>
+ <a class="indexterm" name="id2530234"></a>
+ This creates the necessary print queues with no assigned print filter.
+ </p></li><li><p><a class="indexterm" name="id2530248"></a>
+ Print queues may not be enabled at creation. Use <span><strong class="command">lpc stat</strong></span> to check
+ the status of the print queues and, if necessary, make certain that the queues you have
+ just created are enabled by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/enable qmsa
+<code class="prompt">root# </code> /usr/bin/enable hplj6a
+<code class="prompt">root# </code> /usr/bin/enable qmsf
+<code class="prompt">root# </code> /usr/bin/enable hplj6f
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2530303"></a>
+ Even though your print queues may be enabled, it is still possible that they
+ are not accepting print jobs. A print queue services incoming printing
+ requests only when configured to do so. Ensure that your print queues are
+ set to accept incoming jobs by executing the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/sbin/accept qmsa
+<code class="prompt">root# </code> /usr/sbin/accept hplj6a
+<code class="prompt">root# </code> /usr/sbin/accept qmsf
+<code class="prompt">root# </code> /usr/sbin/accept hplj6f
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2530354"></a>
+ <a class="indexterm" name="id2530361"></a>
+ <a class="indexterm" name="id2530368"></a>
+ Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream application/vnd.cups-raw 0 -
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2530395"></a>
+ Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
+</p><pre class="screen">
+application/octet-stream
+</pre><p>
+ </p></li><li><p>
+ Printing drivers are installed on each network client workstation.
+ </p></li></ol></div><p>
+ Note: If the parameter <em class="parameter"><code>cups options = Raw</code></em> is specified in the <code class="filename">smb.conf</code> file,
+ the last two steps can be omitted with CUPS version 1.1.18, or later.
+ </p><p>
+ The UNIX system print queues have been configured and are ready for validation testing.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id2530461"></a>
+ There are two essential steps to process startup configuration. First, the process
+ must be configured so that it automatically restarts each time the server
+ is rebooted. This step involves use of the <span><strong class="command">chkconfig</strong></span> tool that
+ creates the appropriate symbolic links from the master daemon control file that is
+ located in the <code class="filename">/etc/rc.d</code> directory, to the <code class="filename">/etc/rc'x'.d</code>
+ directories. Links are created so that when the system run level is changed, the
+ necessary start or kill script is run.
+ </p><p>
+ <a class="indexterm" name="id2530496"></a>
+ <a class="indexterm" name="id2530503"></a>
+ <a class="indexterm" name="id2530510"></a>
+ <a class="indexterm" name="id2530516"></a>
+ <a class="indexterm" name="id2530523"></a>
+ In the event that a service is not run as a daemon, but via the internetworking
+ super daemon (<span><strong class="command">inetd</strong></span> or <span><strong class="command">xinetd</strong></span>), then the <span><strong class="command">chkconfig</strong></span>
+ tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory
+ and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
+ re-read its control files.
+ </p><p>
+ Last, each service must be started to permit system validation to proceed.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Use the standard system tool to configure each service to restart
+ automatically at every system reboot. For example,
+ <a class="indexterm" name="id2530575"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> chkconfig dhpcd on
+<code class="prompt">root# </code> chkconfig named on
+<code class="prompt">root# </code> chkconfig cups on
+<code class="prompt">root# </code> chkconfig smb on
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2530619"></a>
+ <a class="indexterm" name="id2530626"></a>
+ <a class="indexterm" name="id2530632"></a>
+ Now start each service to permit the system to be validated.
+ Execute each of the following in the sequence shown:
+
+</p><pre class="screen">
+<code class="prompt">root# </code> /etc/rc.d/init.d/dhcpd restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/named restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
+<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p>
+ <a class="indexterm" name="id2530687"></a>
+ Complex networking problems are most often caused by simple things that are poorly or incorrectly
+ configured. The validation process adopted here should be followed carefully; it is the result of the
+ experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
+ refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
+ and diligence in network validation. By thoroughly testing and validating every step in the process
+ of network installation and configuration, you can save yourself from sleepless nights and restless
+ days. A well debugged network is a foundation for happy network users and network administrators.
+ Later in this book you learn how to make users happier. For now, it is enough to learn to
+ validate. Let's get on with it.
+ </p><div class="procedure"><a name="id2530710"></a><p class="title"><b>Procedure 3.6. Server Validation Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2530721"></a>
+ One of the most important facets of Samba configuration is to ensure that
+ name resolution functions correctly. You can check name resolution
+ with a few simple tests. The most basic name resolution is provided from the
+ <code class="filename">/etc/hosts</code> file. To test its operation, make a
+ temporary edit to the <code class="filename">/etc/nsswitch.conf</code> file. Using
+ your favorite editor, change the entry for <code class="constant">hosts</code> to read:
+</p><pre class="screen">
+hosts: files
+</pre><p>
+ When you have saved this file, execute the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3016ms
+rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
+</pre><p>
+ This proves that name resolution via the <code class="filename">/etc/hosts</code> file
+ is working.
+ </p></li><li><p>
+ <a class="indexterm" name="id2530790"></a>
+ So far, your installation is going particularly well. In this step we validate
+ DNS server and name resolution operation. Using your favorite UNIX system editor,
+ change the <code class="filename">/etc/nsswitch.conf</code> file so that the
+ <code class="constant">hosts</code> entry reads:
+</p><pre class="screen">
+hosts: dns
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2530823"></a>
+ Before you test DNS operation, it is a good idea to verify that the DNS server
+ is running by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep named
+ 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
+ 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
+ 2552 pts/2 S 0:00 grep named
+</pre><p>
+ This means that we are ready to check DNS operation. Do so by executing:
+ <a class="indexterm" name="id2530853"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
+64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
+
+--- sleeth1.abmas.biz ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 999ms
+rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
+</pre><p>
+ You should take a few more steps to validate DNS server operation, as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> host -f diamond.abmas.biz
+sleeth1.abmas.biz has address 192.168.1.1
+</pre><p>
+ <a class="indexterm" name="id2530892"></a>
+ You may now remove the entry called <code class="constant">diamond</code> from the
+ <code class="filename">/etc/hosts</code> file. It does not hurt to leave it there,
+ but its removal reduces the number of administrative steps for this name.
+ </p></li><li><p>
+ <a class="indexterm" name="id2530917"></a>
+ WINS is a great way to resolve NetBIOS names to their IP address. You can test
+ the operation of WINS by starting <span><strong class="command">nmbd</strong></span> (manually or by way
+ of the Samba startup method shown in <a href="secure.html#procstart" title="Process Startup Configuration">???</a>). You must edit
+ the <code class="filename">/etc/nsswitch.conf</code> file so that the <code class="constant">hosts</code>
+ entry is as follows:
+</p><pre class="screen">
+hosts: wins
+</pre><p>
+ The next step is to make certain that Samba is running using <span><strong class="command">ps ax | grep mbd</strong></span>.
+ The <span><strong class="command">nmbd</strong></span> daemon will provide the WINS name resolution service when the
+ <code class="filename">smb.conf</code> file <em class="parameter"><code></code></em> parameter <a class="indexterm" name="id2530981"></a>wins support = Yes has been specified. Having validated that Samba is operational,
+ excute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping diamond
+PING diamond (192.168.1.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
+</pre><p>
+ <a class="indexterm" name="id2531005"></a>
+ Now that you can relax with the knowledge that all three major forms of name
+ resolution to IP address resolution are working, edit the <code class="filename">/etc/nsswitch.conf</code>
+ again. This time you add all three forms of name resolution to this file.
+ Your edited entry for <code class="constant">hosts</code> should now look like this:
+</p><pre class="screen">
+hosts: files dns wins
+</pre><p>
+ The system is looking good. Let's move on.
+ </p></li><li><p>
+ It would give you peace of mind to know that the DHCP server is running
+ and available for service. You can validate DHCP services by running:
+
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep dhcp
+ 2618 ? S 0:00 /usr/sbin/dhcpd ...
+ 8180 pts/2 S 0:00 grep dhcp
+</pre><p>
+ This shows that the server is running. The proof of whether or not it is working
+ comes when you try to add the first DHCP client to the network.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531065"></a>
+ This is a good point at which to start validating Samba operation. You are
+ content that name resolution is working for basic TCP/IP needs. Let's move on.
+ If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba
+ to refuse to start. The first step should always be to validate the contents
+ of this file by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm -s
+Load smb config files from smb.conf
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[accounts]"
+Processing section "[service]"
+Processing section "[apps]"
+Loaded services file OK.
+# Global parameters
+[global]
+ workgroup = PROMISES
+ netbios name = DIAMOND
+ interfaces = eth1, eth2, lo
+ bind interfaces only = Yes
+ passdb backend = tdbsam
+ pam password change = Yes
+ passwd program = /usr/bin/passwd '%u'
+ passwd chat = *New*Password* %n\n \
+ *Re-enter*new*password* %n\n *Password*changed*
+ username map = /etc/samba/smbusers
+ unix password sync = Yes
+ log level = 1
+ syslog = 0
+ log file = /var/log/samba/%m
+ max log size = 50
+ smb ports = 139
+ name resolve order = wins bcast hosts
+ time server = Yes
+ printcap name = CUPS
+ show add printer wizard = No
+ add user script = /usr/sbin/useradd -m '%u'
+ delete user script = /usr/sbin/userdel -r '%u'
+ add group script = /usr/sbin/groupadd '%g'
+ delete group script = /usr/sbin/groupdel '%g'
+ add user to group script = /usr/sbin/usermod -G '%g' '%u'
+ add machine script = /usr/sbin/useradd \
+ -s /bin/false -d /dev/null '%u'
+ shutdown script = /var/lib/samba/scripts/shutdown.sh
+ abort shutdown script = /sbin/shutdown -c
+ logon script = scripts\logon.bat
+ logon path = \\%L\profiles\%U
+ logon drive = X:
+ logon home = \\%L\%U
+ domain logons = Yes
+ preferred master = Yes
+ wins support = Yes
+ utmp = Yes
+ winbind use default domain = Yes
+ map acl inherit = Yes
+ cups options = Raw
+ veto files = /*.eml/*.nws/*.{*}/
+ veto oplock files = /*.doc/*.xls/*.mdb/
+
+[homes]
+ comment = Home Directories
+ valid users = %S
+ read only = No
+ browseable = No
+...
+### Remainder cut to save space ###
+</pre><p>
+ Clear away all errors before proceeding.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531166"></a>
+ <a class="indexterm" name="id2531173"></a>
+ <a class="indexterm" name="id2531180"></a>
+ <a class="indexterm" name="id2531186"></a>
+ Check that the Samba server is running:
+</p><pre class="screen">
+<code class="prompt">root# </code> ps ax | grep mbd
+14244 ? S 0:00 /usr/sbin/nmbd -D
+14245 ? S 0:00 /usr/sbin/nmbd -D
+14290 ? S 0:00 /usr/sbin/smbd -D
+
+$rootprompt; ps ax | grep winbind
+14293 ? S 0:00 /usr/sbin/winbindd -B
+14295 ? S 0:00 /usr/sbin/winbindd -B
+</pre><p>
+ The <span><strong class="command">winbindd</strong></span> daemon is running in split mode (normal), so there are also
+ two instances<sup>[<a name="id2531218" href="#ftn.id2531218">7</a>]</sup> of it.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531248"></a>
+ <a class="indexterm" name="id2531255"></a>
+ Check that an anonymous connection can be made to the Samba server:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient -L localhost -U%
+
+ Sharename Type Comment
+ --------- ---- -------
+ IPC$ IPC IPC Service (Samba 3.0.20)
+ netlogon Disk Network Logon Service
+ profiles Disk Profile Share
+ accounts Disk Accounting Files
+ service Disk Financial Services Files
+ apps Disk Application Files
+ ADMIN$ IPC IPC Service (Samba 3.0.20)
+ hplj6a Printer hplj6a
+ hplj6f Printer hplj6f
+ qmsa Printer qmsa
+ qmsf Printer qmsf
+
+ Server Comment
+ --------- -------
+ DIAMOND Samba 3.0.20
+
+ Workgroup Master
+ --------- -------
+ PROMISES DIAMOND
+</pre><p>
+ This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
+ of browsing the server from a Windows client to obtain a list of shares on the server.
+ The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and
+ a <code class="constant">NULL</code> password.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531313"></a>
+ <a class="indexterm" name="id2531320"></a>
+ <a class="indexterm" name="id2531327"></a>
+ Verify that each printer has the IP address assigned in the DHCP server configuration file.
+ The easiest way to do this is to ping the printer name. Immediately after the ping response
+ has been received, execute <span><strong class="command">arp -a</strong></span> to find the MAC address of the printer
+ that has responded. Now you can compare the IP address and the MAC address of the printer
+ with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They
+ should, of course, match. For example,
+</p><pre class="screen">
+<code class="prompt">root# </code> ping hplj6
+PING hplj6a (192.168.1.30) 56(84) bytes of data.
+64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
+
+<code class="prompt">root# </code> arp -a
+hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
+</pre><p>
+ <a class="indexterm" name="id2531373"></a>
+ The MAC address <code class="constant">00:03:47:CB:81:E0</code> matches that specified for the
+ IP address from which the printer has responded and with the entry for it in the
+ <code class="filename">/etc/dhcpd.conf</code> file. Repeat this for each printer configured.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531402"></a>
+ Make an authenticated connection to the server using the <span><strong class="command">smbclient</strong></span> tool:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbclient //diamond/accounts -U gholmes
+Password: XXXXXXX
+smb: \> dir
+ . D 0 Thu Nov 27 15:07:09 2003
+ .. D 0 Sat Nov 15 17:40:50 2003
+ zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
+ zak.exe 6066384 Thu Nov 27 15:06:52 2003
+ dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
+ smb.conf 2131 Thu Nov 27 15:06:52 2003
+ initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
+ POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
+
+ 55974 blocks of size 65536. 33968 blocks available
+smb: \> q
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2531459"></a>
+ Your new server is connected to an Internet-accessible connection. Before you start
+ your firewall, you should run a port scanner against your system. You should repeat that
+ after the firewall has been started. This helps you understand to what extent the
+ server may be vulnerable to external attack. One way you can do this is by using an
+ external service, such as the <a href="http://www.dslreports.com/scan" target="_top">DSL Reports</a>
+ tools. Alternately, if you can gain root-level access to a remote
+ UNIX/Linux system that has the <span><strong class="command">nmap</strong></span> tool, you can run the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 6000/tcp
+Adding open port 873/tcp
+Adding open port 445/tcp
+Adding open port 10000/tcp
+Adding open port 901/tcp
+Adding open port 631/tcp
+Adding open port 25/tcp
+Adding open port 111/tcp
+Adding open port 32770/tcp
+Adding open port 3128/tcp
+Adding open port 53/tcp
+Adding open port 80/tcp
+Adding open port 443/tcp
+Adding open port 139/tcp
+Adding open port 22/tcp
+The Connect() Scan took 0 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1587 ports scanned but not shown below are in state: closed)
+Port State Service
+22/tcp open ssh
+25/tcp open smtp
+53/tcp open domain
+80/tcp open http
+111/tcp open sunrpc
+139/tcp open netbios-ssn
+443/tcp open https
+445/tcp open microsoft-ds
+631/tcp open ipp
+873/tcp open rsync
+901/tcp open samba-swat
+3128/tcp open squid-http
+6000/tcp open X11
+10000/tcp open snet-sensor-mgmt
+32770/tcp open sometimes-rpc3
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
+</pre><p>
+ The above scan was run before the external interface was locked down with the NAT-firewall
+ script you created above. The following results are obtained after the firewall rules
+ have been put into place:
+</p><pre class="screen">
+<code class="prompt">root# </code> nmap -v -sT server.abmas.us
+
+Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
+Host server.abmas.us (123.45.67.66) appears to be up ... good.
+Initiating Connect() Scan against server.abmas.us (123.45.67.66)
+Adding open port 53/tcp
+Adding open port 22/tcp
+The Connect() Scan took 168 seconds to scan 1601 ports.
+Interesting ports on server.abmas.us (123.45.67.66):
+(The 1593 ports scanned but not shown below are in state: filtered)
+Port State Service
+22/tcp open ssh
+25/tcp closed smtp
+53/tcp open domain
+80/tcp closed http
+443/tcp closed https
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
+</pre><p>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id2531562"></a>
+ <a class="indexterm" name="id2531568"></a>
+ The use of an application server is a key mechanism by which desktop administration overheads
+ can be reduced. Check the application manual for your software to identify how best to
+ create an administrative installation.
+ </p><p>
+ Some Windows software will only run locally on the desktop computer. Such software
+ is typically not suited for administrative installation. Administratively installed software
+ permits one or more of the following installation choices:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Install software fully onto a workstation, storing data files on the same workstation.
+ </p></li><li><p>
+ Install software fully onto a workstation with central network data file storage.
+ </p></li><li><p>
+ Install software to run off a central application server with data files stored
+ on the local workstation. This is often called a minimum installation, or a
+ network client installation.
+ </p></li><li><p>
+ Install software to run off a central application server with data files stored
+ on a central network share. This type of installation often prevents storage
+ of work files on the local workstation.
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id2531620"></a>
+ A common application deployed in this environment is an office suite.
+ Enterprise editions of Microsoft Office XP Professional can be administratively installed
+ by launching the installation from a command shell. The command that achieves this is
+ <span><strong class="command">setup /a</strong></span>. It results in a set of prompts through which various
+ installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
+ Kit for more information regarding this mode of installation of MS Office XP Professional.
+ The full administrative installation of MS Office XP Professional requires approximately
+ 650 MB of disk space.
+ </p><p>
+ When the MS Office XP Professional product has been installed to the administrative network
+ share, the product can be installed onto a workstation by executing the normal setup program.
+ The installation process now provides a choice to either perform a minimum installation
+ or a full local installation. A full local installation takes over 100 MB of disk space.
+ A network workstation (minimum) installation requires typically 10 MB to 15 MB of
+ local disk space. In the latter case, when the applications are used, they load over the network.
+ </p><p>
+ <a class="indexterm" name="id2531658"></a>
+ <a class="indexterm" name="id2531665"></a>
+ Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
+ it possible to update MS Office XP Professional for all users from a single installation
+ of the service pack and generally circumvents the need to run updates on each network
+ Windows client.
+ </p><p>
+ The default location for MS Office XP Professional data files can be set through registry
+ editing or by way of configuration options inside each Office XP Professional application.
+ </p><p>
+ <a class="indexterm" name="id2531686"></a>
+ OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also
+ be installed to run off a network share. The latter is a most desirable solution for office-bound
+ network users and for administrative staff alike. It permits quick and easy updates
+ to be rolled out to all users with a minimum of disruption and with maximum flexibility.
+ </p><p>
+ The process for installation of administrative shared OpenOffice involves download of the
+ distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
+ When fully extracted using the unzipping tool of your choosing, change into the Windows
+ installation files directory then execute <span><strong class="command">setup -net</strong></span>. You are
+ prompted on screen for the target installation location. This is the administrative
+ share point. The full administrative OpenOffice share takes approximately 150 MB of disk
+ space.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2531718"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p>
+ Many single-user products can be installed into an administrative share, but
+ personal versions of products such as Microsoft Office XP Professional do not permit this.
+ Many people do not like terms of use typical with commercial products, so a few comments
+ regarding software licensing seem important.
+ </p><p>
+ Please do not use an administrative installation of proprietary and commercially licensed
+ software products to violate the copyright holders' property. All software is licensed,
+ particularly software that is licensed for use free of charge. All software is the property
+ of the copyright holder unless the author and/or copyright holder has explicitly disavowed
+ ownership and has placed the software into the public domain.
+ </p><p>
+ Software that is under the GNU General Public License, like proprietary software, is
+ licensed in a way that restricts use. For example, if you modify GPL software and then
+ distribute the binary version of your modifications, you must offer to provide the source
+ code as well. This restriction is designed to maintain the momentum
+ of the diffusion of technology and to protect against the withholding of innovations.
+ </p><p>
+ Commercial and proprietary software generally restrict use to those who have paid the
+ license fees and who comply with the licensee's terms of use. Software that is released
+ under the GNU General Public License is restricted to particular terms and conditions
+ also. Whatever the licensing terms may be, if you do not approve of the terms of use,
+ please do not use the software.
+ </p><p>
+ <a class="indexterm" name="id2531766"></a>
+ Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
+ with the source code.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p>
+ Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
+ to reinstall many of the notebook computers that will be recycled for use with the new network
+ configuration. The smartest way to handle the challenge of the roll-out program is to build
+ a staged system for each type of target machine, and then use an image replication tool such as Norton
+ Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
+ be done with notebook computers as long as they are identical or sufficiently similar.
+ </p><div class="procedure"><a name="sbewinclntprep"></a><p class="title"><b>Procedure 3.7. Windows Client Configuration Procedure</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2531826"></a>
+ <a class="indexterm" name="id2531833"></a>
+ Install MS Windows XP Professional. During installation, configure the client to use DHCP for
+ TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server
+ address that has been defined for the local subnet.
+ </p></li><li><p>
+ Join the Windows Domain <code class="constant">PROMISES</code>. Use the Domain Administrator
+ username <code class="constant">root</code> and the SMB password you assigned to this account.
+ A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
+ a Windows Domain is given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
+ Reboot the machine as prompted and then log on using the Domain Administrator account
+ (<code class="constant">root</code>).
+ </p></li><li><p>
+ Verify <code class="constant">DIAMOND</code> is visible in <span class="guimenu">My Network Places</span>,
+ that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>,
+ <span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, and that it is
+ possible to open each share to reveal its contents.
+ </p></li><li><p>
+ Create a drive mapping to the <code class="constant">apps</code> share on the server <code class="constant">DIAMOND</code>.
+ </p></li><li><p>
+ Perform an administrative installation of each application to be used. Select the options
+ that you wish to use. Of course, you can choose to run applications over the network, correct?
+ </p></li><li><p>
+ Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
+ NTP-based time synchronization software, drivers for specific local devices such as fingerprint
+ scanners, and the like. Probably the most significant application for local installation
+ is antivirus software.
+ </p></li><li><p>
+ Now install all four printers onto the staging system. The printers you install
+ include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
+ also configure identical printers that are located in the financial services department.
+ Install printers on each machine following the steps shown in the Windows client printer
+ preparation procedure below.
+ </p></li><li><p>
+ <a class="indexterm" name="id2531970"></a>
+ When you are satisfied that the staging systems are complete, use the appropriate procedure to
+ remove the client from the domain. Reboot the system and then log on as the local administrator
+ and clean out all temporary files stored on the system. Before shutting down, use the disk
+ defragmentation tool so that the file system is in optimal condition before replication.
+ </p></li><li><p>
+ Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
+ machine to a network share on the server.
+ </p></li><li><p>
+ <a class="indexterm" name="id2532000"></a>
+ <a class="indexterm" name="id2532009"></a>
+ You may now replicate the image to the target machines using the appropriate Norton Ghost
+ procedure. Make sure to use the procedure that ensures each machine has a unique
+ Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
+ </p></li><li><p>
+ Log on to the machine as the local Administrator (the only option), and join the machine to
+ the Domain, following the procedure set out in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>. The system is now
+ ready for the user to log on, provided you have created a network logon account for that
+ user, of course.
+ </p></li><li><p>
+ Instruct all users to log on to the workstation using their assigned username and password.
+ </p></li></ol></div><div class="procedure"><a name="sbewinclntptrprep"></a><p class="title"><b>Procedure 3.8. Windows Client Printer Preparation Procedure</b></p><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span>-><span class="guimenuitem">Settings</span>-><span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
+ Ensure that <span class="guimenuitem">Local printer</span> is selected.
+ </p></li><li><p>
+ Click <span class="guibutton">Next</span>. In the
+ <span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>.
+ In the <span class="guimenuitem">Printers:</span> panel, select the printer called
+ <code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Available ports:</span> panel, select
+ <code class="constant">FILE:</code>. Accept the default printer name by clicking
+ <span class="guibutton">Next</span>. When asked, “<span class="quote">Would you like to print a
+ test page?,</span>” click <span class="guimenuitem">No</span>. Click
+ <span class="guibutton">Finish</span>.
+ </p></li><li><p>
+ You may be prompted for the name of a file to print to. If so, close the
+ dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span>-><span class="guimenuitem">Properties</span>-><span class="guisubmenu">Details (Tab)</span>-><span class="guimenuitem">Add Port</span>.
+ </p></li><li><p>
+ In the <span class="guimenuitem">Network</span> panel, enter the name of
+ the print queue on the Samba server as follows: <code class="constant">\\DIAMOND\hplj6a</code>.
+ Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
+ </p></li><li><p>
+ Repeat the printer installation steps above for both HP LaserJet 6 printers
+ as well as for both QMS Magicolor laser printers.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2532278"></a>Key Points Learned</h3></div></div></div><p>
+ How do you feel? You have built a capable network, a truly ambitious project.
+ Future network updates can be handled by
+ your staff. You must be a satisfied manager. Let's review the achievements.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ A simple firewall has been configured to protect the server in the event that
+ the ISP firewall service should fail.
+ </p></li><li><p>
+ The Samba configuration uses measures to ensure that only local network users
+ can connect to SMB/CIFS services.
+ </p></li><li><p>
+ Samba uses the new <code class="constant">tdbsam</code> passdb backend facility.
+ Considerable complexity was added to Samba functionality.
+ </p></li><li><p>
+ A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
+ server.
+ </p></li><li><p>
+ The DNS server was configured to permit DDNS only for local network clients. This
+ server also provides primary DNS services for the company Internet presence.
+ </p></li><li><p>
+ You introduced an application server as well as the concept of cloning a Windows
+ client in order to effect improved standardization of desktops and to reduce
+ the costs of network management.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2532340"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt>1. <a href="secure.html#id2532351">
+ What is the maximum number of account entries that the tdbsam
+ passdb backend can handle?
+ </a></dt><dt>2. <a href="secure.html#id2532420">
+ Would Samba operate any better if the OS level is set to a value higher than 35?
+ </a></dt><dt>3. <a href="secure.html#id2532442">
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </a></dt><dt>4. <a href="secure.html#id2532465">
+ Why has a path been specified in the IPC$ share?
+ </a></dt><dt>5. <a href="secure.html#id2532493">
+ Why does the smb.conf file in this exercise include an entry for smb portssmb ports?
+ </a></dt><dt>6. <a href="secure.html#id2532534">
+ What is the difference between a print queue and a printer?
+ </a></dt><dt>7. <a href="secure.html#id2532570">
+ Can all MS Windows application software be installed onto an application server share?
+ </a></dt><dt>8. <a href="secure.html#id2532595">
+ Why use dynamic DNS (DDNS)?
+ </a></dt><dt>9. <a href="secure.html#id2532615">
+ Why would you use WINS as well as DNS-based name resolution?
+ </a></dt><dt>10. <a href="secure.html#id2532700">
+ What are the major benefits of using an application server?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2532351"></a><a name="id2532354"></a><b>1.</b></td><td align="left" valign="top"><p>
+ What is the maximum number of account entries that the <em class="parameter"><code>tdbsam</code></em>
+ passdb backend can handle?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The tdb data structure and support system can handle more entries than the number of
+ accounts that are possible on most UNIX systems. A practical limit would come into
+ play long before a performance boundary would be anticipated. That practical limit
+ is controlled by the nature of Windows networking. There are few Windows file and
+ print servers that can handle more than a few hundred concurrent client connections.
+ The key limiting factors that predicate offloading of services to additional servers
+ are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations.
+ All of these are readily exhausted by just a few hundred concurrent active users.
+ Such bottlenecks can best be removed by segmentation of the network (distributing
+ network load across multiple networks).
+ </p><p>
+ As the network grows, it becomes necessary to provide additional authentication
+ servers (domain controllers). The tdbsam is limited to a single machine and cannot
+ be reliably replicated. This means that practical limits on network design dictate
+ the point at which a distributed passdb backend is required; at this time, there is
+ no real alternative other than ldapsam (LDAP).
+ </p><p>
+ The guideline provided in <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, Section 10.1.2,
+ is to limit the number of accounts in the tdbsam backend to 250. This is the point
+ at which most networks tend to want backup domain controllers (BDCs). Samba-3 does
+ not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The
+ limitation of 250 users per tdbsam is predicated only on the need for replication,
+ not on the limits<sup>[<a name="id2532409" href="#ftn.id2532409">8</a>]</sup> of the tdbsam backend itself.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532420"></a><a name="id2532422"></a><b>2.</b></td><td align="left" valign="top"><p>
+ Would Samba operate any better if the OS level is set to a value higher than 35?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
+ of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
+ no gain to be had from setting this higher.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532442"></a><a name="id2532444"></a><b>3.</b></td><td align="left" valign="top"><p>
+ Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
+ a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
+ Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532465"></a><a name="id2532467"></a><b>4.</b></td><td align="left" valign="top"><p>
+ Why has a path been specified in the <em class="parameter"><code>IPC$</code></em> share?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
+ obtain access to the file system, it does so at a location that presents least risk. Under normal operation
+ this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532493"></a><a name="id2532495"></a><b>5.</b></td><td align="left" valign="top"><p>
+ Why does the <code class="filename">smb.conf</code> file in this exercise include an entry for <a class="indexterm" name="id2532507"></a>smb ports?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
+ used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
+ over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
+ specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts.
+ The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
+ member, the default behavior is highly beneficial and should not be changed.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532534"></a><a name="id2532536"></a><b>6.</b></td><td align="left" valign="top"><p>
+ What is the difference between a print queue and a printer?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ A printer is a physical device that is connected either directly to the network or to a computer
+ via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
+ hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a
+ single print data stream and block all secondary attempts to dispatch jobs concurrently to the
+ same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
+ it would result in a huge amount of network traffic through continually failing connection attempts.
+ </p><p>
+ A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
+ print requests. When the data stream has been fully received, the input stream is closed,
+ and the job is then submitted to a sequential print queue where the job is stored until
+ the printer is ready to receive the job.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532570"></a><a name="id2532572"></a><b>7.</b></td><td align="left" valign="top"><p>
+ Can all MS Windows application software be installed onto an application server share?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Much older Windows software is not compatible with installation to and execution from
+ an application server. Enterprise versions of Microsoft Office XP Professional can
+ be installed to an application server. Retail consumer versions of Microsoft Office XP
+ Professional do not permit installation to an application server share and can be installed
+ and used only to/from a local workstation hard disk.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532595"></a><a name="id2532597"></a><b>8.</b></td><td align="left" valign="top"><p>
+ Why use dynamic DNS (DDNS)?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ When DDNS records are updated directly from the DHCP server, it is possible for
+ network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate
+ Windows clients via DNS.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532615"></a><a name="id2532617"></a><b>9.</b></td><td align="left" valign="top"><p>
+ Why would you use WINS as well as DNS-based name resolution?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
+ a name like “<span class="quote">myhost.mydomain.tld</span>” where <em class="parameter"><code>tld</code></em>
+ means <code class="constant">top-level domain</code>. A FQDN is a longhand but easy-to-remember
+ expression that may be up to 1024 characters in length and that represents an IP address.
+ A NetBIOS name is always 16 characters long. The 16<sup>th</sup> character
+ is a name type indicator. A specific name type is registered<sup>[<a name="id2532652" href="#ftn.id2532652">9</a>]</sup> for each
+ type of service that is provided by the Windows server or client and that may be registered
+ where a WINS server is in use.
+ </p><p>
+ WINS is a mechanism by which a client may locate the IP Address that corresponds to a
+ NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
+ that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
+ that permits handling of the NetBIOS name type information.
+ </p><p>
+ DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
+ hostname or service name that has been registered in the DNS database for a particular domain.
+ A DNS server has limited scope of control and is said to be authoritative for the zone over
+ which it has control.
+ </p><p>
+ Windows 200x Active Directory requires the registration in the DNS zone for the domain it
+ controls of service locator<sup>[<a name="id2532686" href="#ftn.id2532686">10</a>]</sup> records
+ that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
+ requires the registration of special records that are called global catalog (GC) entries
+ and site entries by which domain controllers and other essential ADS servers may be located.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2532700"></a><a name="id2532702"></a><b>10.</b></td><td align="left" valign="top"><p>
+ What are the major benefits of using an application server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The use of an application server can significantly reduce application update maintenance.
+ By providing a centralized application share, software updates need be applied to only
+ one location for all major applications used. This results in faster update roll-outs and
+ significantly better application usage control.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2526953" href="#id2526953">5</a>] </sup>See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 3.
+ This is necessary so that Samba can act as a Domain Controller (PDC); see
+ <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 4, for additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2527362" href="#id2527362">6</a>] </sup>You may want to do the echo command last and include
+ "0" in the init scripts, since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2531218" href="#id2531218">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG2</em></span>,
+ Chapter 23, Section 23.3. The single instance of <span><strong class="command">smbd</strong></span> is normal. One additional
+ <span><strong class="command">smbd</strong></span> slave process is spawned for each SMB/CIFS client
+ connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2532409" href="#id2532409">8</a>] </sup>Bench tests have shown that tdbsam is a very
+ effective database technology. There is surprisingly little performance loss even
+ with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2532652" href="#id2532652">9</a>] </sup>
+ See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2532686" href="#id2532686">10</a>] </sup>See TOSHARG2, Chapter 9, Section 9.3.3.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Small Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The 500-User Office</td></tr></table></div></body></html>
projects / samba / blobdiff