1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2538755">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2538898">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2539002">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2539140">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2539596">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2541446">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2541462">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2541642">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2544570">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2548614">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2548635">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2548730">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2548974">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2549085">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2549223">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2549977">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2550292">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2550472">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2550975">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2551010">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2551044">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2551151">Questions and Answers</a></span></dt></dl></div><p>
2 It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give
3 me a day of troubles well handled so that I can be content with my achievements.</span>”
5 In the world of computer networks, problems are as varied as the people who create them
6 or experience them. The design of the network implemented in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>
7 may create problems for some network users. The following lists some of the problems that
9 </p><a class="indexterm" name="id2538334"></a><a class="indexterm" name="id2538340"></a><a class="indexterm" name="id2538349"></a><a class="indexterm" name="id2538356"></a><a class="indexterm" name="id2538363"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
10 A significant number of network administrators have responded to the guidance given
11 here. It should be noted that there are sites that have a single PDC for many hundreds of
12 concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
13 are among the factors that determine the maximum number of Windows clients that
14 can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
15 to operate with only a single PDC over a routed network. What is possible is not necessarily
16 <span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with
17 the message that the domain controller cannot be found or that the user account cannot
18 be found (when you know it exists), that may be an indication that the domain controller is
19 overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
20 clients is conservative and if followed will minimize problems but it is not absolute.
21 </p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>
22 <a class="indexterm" name="id2538408"></a>
23 <a class="indexterm" name="id2538417"></a>
24 When a Windows client logs onto the network, many data packets are exchanged
25 between the client and the server that is providing the network logon services.
26 Each request between the client and the server must complete within a specific
27 time limit. This is one of the primary factors that govern the installation of
28 multiple domain controllers (usually called secondary or backup controllers).
29 As a rough rule, there should be one such backup controller for every
30 30 to 150 clients. The actual limits are determined by network operational
33 <a class="indexterm" name="id2538437"></a>
34 <a class="indexterm" name="id2538444"></a>
35 <a class="indexterm" name="id2538450"></a>
36 If the domain controller provides only network logon services
37 and all file and print activity is handled by domain member servers, one domain
38 controller per 150 clients on a single network segment may suffice. In any
39 case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
40 per network segment. It is better to have at least one BDC on the network
41 segment that has a PDC. If the domain controller is also used as a file and
42 print server, the number of clients it can service reliably is reduced,
43 and generally for low powered hardware should not exceed 30 machines (Windows
44 workstations plus domain member servers) per domain controller. Many sites are
45 able to operate with more clients per domain controller, the number of clients
46 that can be supported is limited by the CPU speed, memory and the workload on
47 the Samba server as well as network bandwidth utilization.
48 </p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
49 <a class="indexterm" name="id2538484"></a>
50 Slow logons and log-offs may be caused by many factors that include:
52 </p><div class="itemizedlist"><ul type="disc"><li><p>
53 <a class="indexterm" name="id2538498"></a>
54 <a class="indexterm" name="id2538509"></a>
55 Excessive delays in the resolution of a NetBIOS name to its IP
56 address. This may be observed when an overloaded domain controller
57 is also the WINS server. Another cause may be the failure to use
58 a WINS server (this assumes that there is a single network segment).
60 <a class="indexterm" name="id2538528"></a>
61 <a class="indexterm" name="id2538535"></a>
62 <a class="indexterm" name="id2538541"></a>
63 Network traffic collisions due to overloading of the network
64 segment. One short-term workaround to this may be to replace
65 network HUBs with Ethernet switches.
67 <a class="indexterm" name="id2538556"></a>
68 Defective networking hardware. Over the past few years, we have seen
69 on the Samba mailing list a significant increase in the number of
70 problems that were traced to a defective network interface controller,
71 a defective HUB or Ethernet switch, or defective cabling. In most cases,
72 it was the erratic nature of the problem that ultimately pointed to
73 the cause of the problem.
75 <a class="indexterm" name="id2538576"></a>
76 <a class="indexterm" name="id2538585"></a>
77 Excessively large roaming profiles. This type of problem is typically
78 the result of poor user education as well as poor network management.
79 It can be avoided by users not storing huge quantities of email in
80 MS Outlook PST files as well as by not storing files on the desktop.
81 These are old bad habits that require much discipline and vigilance
82 on the part of network management.
84 <a class="indexterm" name="id2538612"></a>
85 You should verify that the Windows XP WebClient service is not running.
86 The use of the WebClient service has been implicated in many Windows
87 networking-related problems.
88 </p></li></ul></div><p>
89 </p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
90 Loss of access to network resources during client operation may be caused by a number
91 of factors, including:
92 </p><div class="itemizedlist"><ul type="disc"><li><p>
93 <a class="indexterm" name="id2538645"></a>
94 Network overload (typically indicated by a high network collision rate)
98 <a class="indexterm" name="id2538664"></a>
99 Timeout causing the client to close a connection that is in use but has
100 been latent (no traffic) for some time (5 minutes or more)
102 <a class="indexterm" name="id2538680"></a>
103 Defective networking hardware
104 </p></li></ul></div><p>
105 <a class="indexterm" name="id2538695"></a>
106 No matter what the cause, a sudden loss of access to network resources can
107 result in BSOD (blue screen of death) situations that necessitate rebooting of the client
108 workstation. In the case of a mild problem, retrying to access the network drive of the printer
109 may restore operations, but in any case this is a serious problem that may lead to the next
110 problem, data corruption.
111 </p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>
112 <a class="indexterm" name="id2538722"></a>
113 Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
114 frustration, and generally precipitates immediate corrective demands. Management response
115 to this type of problem may be rational, as well as highly irrational. There have been
116 cases where management has fired network staff for permitting this situation to occur without
117 immediate correction. There have been situations where perfectly functional hardware was thrown
118 out and replaced, only to find the problem caused by a low-cost network hardware item. There
119 have been cases where server operating systems were replaced, or where Samba was updated,
120 only to later isolate the problem due to defective client software.
121 </p></dd></dl></div><p>
122 In this chapter, you can work through a number of measures that significantly arm you to
123 anticipate and combat network performance issues. You can work through complex and thorny
124 methods to improve the reliability of your network environment, but be warned that all such steps
125 demand the price of complexity.
126 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2538755"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
127 <a class="indexterm" name="id2538764"></a>
128 Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
129 constraints that are described in this section.
131 <a class="indexterm" name="id2538779"></a>
132 <a class="indexterm" name="id2538786"></a>
133 <a class="indexterm" name="id2538792"></a>
134 <a class="indexterm" name="id2538799"></a>
135 The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
136 That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
137 them. A user account and a machine account are indistinguishable from each other, except that
138 the machine account ends in a $ character, as do trust accounts.
140 <a class="indexterm" name="id2538816"></a>
141 <a class="indexterm" name="id2538822"></a>
142 The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
143 is a design decision that was made a long way back in the history of Samba development. It is
144 unlikely that this decision will be reversed or changed during the remaining life of the
147 <a class="indexterm" name="id2538838"></a>
148 <a class="indexterm" name="id2538844"></a>
149 The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
150 must refer back to the host operating system on which Samba is running. The name service
151 switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
152 need to know everything about every host OS it runs on.
154 Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>”
155 and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool
156 for achieving this is left up to the UNIX administrator to determine. It is not imposed by
157 Samba. Samba provides winbindd together with its support libraries as one method. It is
158 possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
159 all account entities can be located in an LDAP directory.
161 <a class="indexterm" name="id2538881"></a>
162 For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
163 be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
164 is fundamentally an LDAP design question. The information provided on the Samba list and
165 in the documentation is directed at providing working examples only. The design
166 of an LDAP directory is a complex subject that is beyond the scope of this documentation.
167 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2538898"></a>Introduction</h2></div></div></div><p>
168 You just opened an email from Christine that reads:
171 </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
172 A few months ago we sat down to design the network. We discussed the challenges ahead and we all
173 agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
174 that we would have some time to resolve any issues that might be encountered.
176 As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
177 resigned yesterday afternoon because she was under duress to complete some critical projects. She
178 suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
179 of which was lost. She has a unique requirement that involves storing large files on her desktop.
180 Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
181 takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
182 network logon traffic passes over the network links between our buildings, logging on may take
183 three or four attempts due to blue screen problems associated with network timeouts.
185 A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
186 resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
187 limits on what our users can do with their desktops. Otherwise, we face staff losses
188 that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
189 with the consequences of what we know we must do than we can with the unrest we have now.
191 Stan and I have discussed the current situation. We are resolved to help our users and protect
192 the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
193 regain control of our vital IT operations.
194 </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p>
196 <a class="indexterm" name="id2538967"></a>
197 <a class="indexterm" name="id2538974"></a>
198 Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
199 single domain controller is a poor design that has obvious operational effects that may
200 frustrate users. Here is your reply:
201 </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
202 Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
203 proposals to resolve the issues. I am confident that your plans fully realized will significantly
204 boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
205 Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
206 for approval; I appreciate the urgency.
207 </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2539002"></a>Assignment Tasks</h3></div></div></div><p>
208 The priority of assigned tasks in this chapter is:
209 </p><div class="orderedlist"><ol type="1"><li><p>
210 <a class="indexterm" name="id2539022"></a>
211 <a class="indexterm" name="id2539032"></a>
212 <a class="indexterm" name="id2539038"></a>
213 <a class="indexterm" name="id2539045"></a><a class="indexterm" name="id2539051"></a>
214 Implement Backup Domain Controllers (BDCs) in each building. This involves
215 a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
216 chapter to an LDAP-based backend.
218 You can implement a single central LDAP server for this purpose.
220 <a class="indexterm" name="id2539073"></a>
221 <a class="indexterm" name="id2539080"></a>
222 <a class="indexterm" name="id2539087"></a>
223 <a class="indexterm" name="id2539094"></a>
224 Rectify the problem of excessive logon times. This involves redirection of
225 folders to network shares as well as modification of all user desktops to
226 exclude the redirected folders from being loaded at login time. You can also
227 create a new default profile that can be used for all new users.
228 </p></li></ol></div><p>
229 <a class="indexterm" name="id2539112"></a>
230 You configure a new MS Windows XP Professional workstation disk image that you roll out
231 to all desktop users. The instructions you have created are followed on a staging machine
232 from which all changes can be carefully tested before inflicting them on your network users.
234 <a class="indexterm" name="id2539127"></a>
235 This is the last network example in which specific mention of printing is made. The example
236 again makes use of the CUPS printing system.
237 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2539140"></a>Dissection and Discussion</h2></div></div></div><p>
238 <a class="indexterm" name="id2539148"></a>
239 <a class="indexterm" name="id2539154"></a>
240 <a class="indexterm" name="id2539161"></a>
241 The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
242 For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
243 LDAP servers in current use with Samba-3 include:
244 </p><div class="itemizedlist"><ul type="disc"><li><p>
245 <a class="indexterm" name="id2539178"></a>
246 Novell <a href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>
247 is being successfully used by some sites. Information on how to use eDirectory can be
248 obtained from the Samba mailing lists or from Novell.
250 <a class="indexterm" name="id2539198"></a>
251 IBM <a href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli
252 Directory Server</a> can be used to provide the Samba LDAP backend. Example schema
253 files are provided in the Samba source code tarball under the directory
254 <code class="filename">~samba/example/LDAP.</code>
256 <a class="indexterm" name="id2539225"></a>
257 Sun <a href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity
258 Server product suite</a> provides an LDAP server that can be used for Samba.
259 Example schema files are provided in the Samba source code tarball under the directory
260 <code class="filename">~samba/example/LDAP.</code>
261 </p></li></ul></div><p>
262 A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
263 offerings, it requires that you manually edit the server configuration files and manually
264 initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
265 help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
267 <a class="indexterm" name="id2539263"></a>
268 For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
269 adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
270 GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
271 requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
273 <a class="indexterm" name="id2539280"></a>
274 <a class="indexterm" name="id2539287"></a>
275 <a class="indexterm" name="id2539294"></a>
276 <a class="indexterm" name="id2539303"></a>
277 <a class="indexterm" name="id2539312"></a>
278 <a class="indexterm" name="id2539319"></a>
279 <a class="indexterm" name="id2539328"></a>
280 When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
281 High availability operation may be obtained through directory replication/synchronization and
282 master/slave server configurations. OpenLDAP is a mature platform to host the organizational
283 directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
284 The price paid through learning how to design an LDAP directory schema in implementation and configuration
285 of management tools is well rewarded by performance and flexibility and the freedom to manage directory
286 contents with greater ability to back up, restore, and modify the directory than is generally possible
287 with Microsoft Active Directory.
289 <a class="indexterm" name="id2539353"></a>
290 <a class="indexterm" name="id2539363"></a>
291 <a class="indexterm" name="id2539370"></a>
292 <a class="indexterm" name="id2539377"></a>
293 A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
294 tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
295 for a specific task orientation. It comes with a set of administrative tools that is entirely customized
296 for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
297 server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
298 who wants to build a custom directory solution. Microsoft provides an application called
299 <a href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top">
300 MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services
303 <a class="indexterm" name="id2539406"></a>
304 <a class="indexterm" name="id2539416"></a>
305 You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
306 if you find the challenge of learning about LDAP directories, schemas, configuration, and management
307 tools and the creation of shell and Perl scripts a bit
308 challenging. OpenLDAP can be easily customized, though it includes
309 many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
310 that is required for use as a passdb backend.
312 <a class="indexterm" name="id2539434"></a>
313 For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
314 there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
315 The Web-based tools you might like to consider include the
316 <a href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based
317 <a href="http://www.webmin.com" target="_top">Webmin</a> Idealx
318 <a href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>.
320 Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
321 these, so it may be useful to them:
322 <a href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser;
323 LDAP <a href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a>
324 <a href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates);
325 and <a href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>.
326 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
327 The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
328 security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
329 is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
330 LDAP before attempting to deploy it in a business-critical environment.
332 Information to help you get started with OpenLDAP is available from the
333 <a href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book
334 <a href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a>
335 by Jerry Carter quite useful.
337 <a class="indexterm" name="id2539532"></a>
338 <a class="indexterm" name="id2539538"></a>
339 <a class="indexterm" name="id2539547"></a>
340 <a class="indexterm" name="id2539554"></a>
341 Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
342 main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
343 be loaded over the WAN connection. The addition of BDCs on each network segment significantly
344 improves overall network performance for most users, but it is not enough. You must gain control over
345 user desktops, and this must be done in a way that wins their support and does not cause further loss of
346 staff morale. The following procedures solve this problem.
348 <a class="indexterm" name="id2539576"></a>
349 There is also an opportunity to implement smart printing features. You add this to the Samba configuration
350 so that future printer changes can be managed without need to change desktop configurations.
352 You add the ability to automatically download new printer drivers, even if they are not installed
353 in the default desktop profile. Only one example of printing configuration is given. It is assumed that
354 you can extrapolate the principles and use them to install all printers that may be needed.
355 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2539596"></a>Technical Issues</h3></div></div></div><p>
356 <a class="indexterm" name="id2539604"></a>
357 <a class="indexterm" name="id2539614"></a>
358 <a class="indexterm" name="id2539623"></a>
359 The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
360 server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
361 accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
362 attributes Samba needs. Samba-3 can use the LDAP backend to store:
363 </p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
364 <a class="indexterm" name="id2539663"></a>
365 <a class="indexterm" name="id2539670"></a>
366 <a class="indexterm" name="id2539677"></a>
367 <a class="indexterm" name="id2539684"></a>
368 <a class="indexterm" name="id2539691"></a>
369 <a class="indexterm" name="id2539698"></a>
370 <a class="indexterm" name="id2539707"></a>
371 <a class="indexterm" name="id2539713"></a>
372 <a class="indexterm" name="id2539720"></a>
373 The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
374 accounts in the LDAP backend. This implies the need to use the
375 <a href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution
376 of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code>
377 or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set
378 that integrates with the NSS. The same requirements exist for resolution
379 of the UNIX username to the UID. The relationships are demonstrated in <a href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">???</a>.
380 </p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div><p>
381 <a class="indexterm" name="id2539806"></a>
382 <a class="indexterm" name="id2539812"></a>
383 You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
384 ought to learn how to configure secure communications over LDAP so that site security is not
385 at risk. This is not covered in the following guidance.
387 <a class="indexterm" name="id2539829"></a>
388 <a class="indexterm" name="id2539836"></a>
389 <a class="indexterm" name="id2539845"></a>
390 <a class="indexterm" name="id2539852"></a>
391 When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.
392 You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you
393 create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
394 You need to decide how best to create user and group accounts. A few hints are, of course, provided.
395 You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools
396 that help to manage user and group configuration.
398 <a class="indexterm" name="id2539886"></a>
399 <a class="indexterm" name="id2539892"></a>
400 <a class="indexterm" name="id2539899"></a>
401 In order to effect folder redirection and to add robustness to the implementation,
402 create a network default profile. All network users workstations are configured to use
403 the new profile. Roaming profiles will automatically be deleted from the workstation
404 when the user logs off.
406 <a class="indexterm" name="id2539914"></a>
407 The profile is configured so that users cannot change the appearance
408 of their desktop. This is known as a mandatory profile. You make certain that users
409 are able to use their computers efficiently.
411 <a class="indexterm" name="id2539928"></a>
412 A network logon script is used to deliver flexible but consistent network drive
414 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
415 <a class="indexterm" name="id2539950"></a>
416 <a class="indexterm" name="id2539955"></a>
417 <a class="indexterm" name="id2539960"></a>
418 <a class="indexterm" name="id2539966"></a>
419 Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
420 that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>
421 user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
422 <code class="constant">Privileges</code>, which provides five new privileges that
423 can be assigned to users and/or groups; see Table 5.1.
424 </p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. Current Privilege Capabilities</b></p><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div><p>
425 In this network example use is made of one of the supported privileges purely to demonstrate
426 how any user can now be given the ability to add machines to the domain using a normal user account
427 that has been given the appropriate privileges.
428 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2540104"></a>Roaming Profile Background</h4></div></div></div><p>
429 As XP roaming profiles grow, so does the amount of time it takes to log in and out.
431 <a class="indexterm" name="id2540117"></a>
432 <a class="indexterm" name="id2540124"></a>
433 <a class="indexterm" name="id2540130"></a>
434 <a class="indexterm" name="id2540137"></a>
435 An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file
436 <code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data,
437 Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
438 network with the default configuration of MS Windows NT/200x/XPP, all this data is
439 copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code>
440 directory. While the user is logged in, any changes made to any of these folders or to the
441 <code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy
442 of the profile. At logout the profile data is copied back to the server. This behavior
443 can be changed through appropriate registry changes and/or through changes to the default
444 user profile. In the latter case, it updates the registry with the values that are set in the
445 profile <code class="filename">NTUSER.DAT</code>
448 The first challenge is to reduce the amount of data that must be transferred to and
449 from the profile server as roaming profiles are processed. This includes removing
450 all the shortcuts in the Recent directory, making sure the cache used by the Web browser
451 is not being dumped into the <code class="filename">Application Data</code> folder, removing the
452 Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
453 user to not place large files on the desktop and to use his or her mapped home directory
454 instead of the <code class="filename">My Documents</code> folder for saving documents.
456 <a class="indexterm" name="id2540210"></a>
457 Using a folder other than <code class="filename">My Documents</code> is a nuisance for
458 some users, since many applications use it by default.
460 <a class="indexterm" name="id2540229"></a>
461 <a class="indexterm" name="id2540236"></a>
462 <a class="indexterm" name="id2540242"></a>
463 The secret to rapid loading of roaming profiles is to prevent unnecessary data from
464 being copied back and forth, without losing any functionality. This is not difficult;
465 it can be done by making changes to the Local Group Policy on each client as well
466 as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.
468 <a class="indexterm" name="id2540264"></a>
469 <a class="indexterm" name="id2540271"></a>
470 Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means
471 you need to edit every user's profile, unless a better method can be
472 followed. Fortunately, with the right preparations, this is not difficult.
473 It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each
474 user's profile. Then just create a Network Default Profile. Of course, it is
475 necessary to copy all files from redirected folders to the network share to which
477 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>
478 <a class="indexterm" name="id2540311"></a>
479 <a class="indexterm" name="id2540318"></a>
480 <a class="indexterm" name="id2540325"></a>
481 <a class="indexterm" name="id2540331"></a>
482 Without an Active Directory PDC, you cannot take full advantage of Group Policy
483 Objects. However, you can still make changes to the Local Group Policy by using
484 the Group Policy editor (<span><strong class="command">gpedit.msc</strong></span>).
486 The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can
488 <span class="guimenu">User Configuration</span>-><span class="guimenuitem">Administrative Templates</span>-><span class="guimenuitem">System</span>-><span class="guimenuitem">User Profiles</span>.
489 By default this setting contains
490 “<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”.
492 Simply add the folders you do not wish to be copied back and forth to this
493 semicolon-separated list. Note that this change must be made on all clients
494 that are using roaming profiles.
495 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2540399"></a>Profile Changes</h4></div></div></div><p>
496 <a class="indexterm" name="id2540406"></a>
497 <a class="indexterm" name="id2540413"></a>
498 There are two changes that should be done to each user's profile. Move each of
499 the directories that you have excluded from being copied back and forth out of
500 the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file
501 to point to the new paths that are shared over the network instead of to the default
502 path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).
504 <a class="indexterm" name="id2540441"></a>
505 <a class="indexterm" name="id2540448"></a>
506 The above modifies existing user profiles. So that newly created profiles have
507 these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in
508 the <code class="filename">C:\Documents and Settings\Default User</code> folder on each
509 client machine, changing the same registry keys. You could do this by copying
510 <code class="filename">NTUSER.DAT</code> to a Linux box and using <span><strong class="command">regedt32</strong></span>.
511 The basic method is described under <a href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">???</a>.
512 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2540493"></a>Using a Network Default User Profile</h4></div></div></div><p>
513 <a class="indexterm" name="id2540501"></a>
514 <a class="indexterm" name="id2540508"></a>
515 If you are using Samba as your PDC, you should create a file share called
516 <code class="constant">NETLOGON</code> and within that create a directory called
517 <code class="filename">Default User</code>, which is a copy of the desired default user
518 configuration (including a copy of <code class="filename">NTUSER.DAT</code>).
519 If this share exists and the <code class="filename">Default User</code> folder exists,
520 the first login from a new account pulls its configuration from it.
521 See also <a href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
522 the Real Men Don't Click</a> Web site.
523 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2540552"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524 <a class="indexterm" name="id2540560"></a>
525 <a class="indexterm" name="id2540569"></a>
526 <a class="indexterm" name="id2540576"></a>
527 The subject of printing is quite topical. Printing problems run second place to name
528 resolution issues today. So far in this book, you have experienced only what is generally
529 known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers
530 are manually installed on each client and the printing subsystems perform no filtering
531 or intelligent processing. Dumb printing is easily understood. It usually works without
532 many problems, but it has its limitations also. Dumb printing is better known as
533 <span><strong class="command">Raw-Print-Through</strong></span> printing.
535 <a class="indexterm" name="id2540605"></a>
536 <a class="indexterm" name="id2540614"></a>
537 Samba permits the configuration of <span><strong class="command">smart</strong></span> printing using the Microsoft
538 Windows point-and-click (also called drag-and-drop) printing. What this provides is
539 essentially the ability to print to any printer. If the local client does not yet have a
540 driver installed, the driver is automatically downloaded from the Samba server and
541 installed on the client. Drag-and-drop printing is neat; it means the user never needs
542 to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™
545 There is a further layer of print job processing that is known as <span><strong class="command">intelligent</strong></span>
546 printing that automatically senses the file format of data submitted for printing and
547 then invokes a suitable print filter to convert the incoming data stream into a format
548 suited to the printer to which the job is dispatched.
550 <a class="indexterm" name="id2540661"></a>
551 <a class="indexterm" name="id2540668"></a>
552 <a class="indexterm" name="id2540675"></a>
553 The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
554 detect the data format and apply a print filter. This means that it is feasible to install
555 on all Windows clients a single printer driver for use with all printers that are routed
556 through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
557 <a href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have
558 released a PostScript printing driver for Windows. It can be installed into the Samba
559 printing backend so that it automatically downloads to the client when needed.
561 This means that so long as there is a CUPS driver for the printer, all printing from Windows
562 software can use PostScript, no matter what the actual printer language for the physical
563 device is. It also means that the administrator can swap out a printer with a totally
564 different type of device without ever needing to change a client workstation driver.
566 This book is about Samba-3, so you can confine the printing style to just the smart
567 style of installation. Those interested in further information regarding intelligent
568 printing should review documentation on the Easy Software Products Web site.
569 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>
570 It has often been said that there are three types of people in the world: those who
571 have sharp minds and those who forget things. Please do not ask what the third group
572 is like! Well, it seems that many of us have company in the second group. There must
573 be a good explanation why so many network administrators fail to solve apparently
574 simple problems efficiently and effectively.
576 Here are some diagnostic guidelines that can be referred to when things go wrong:
577 </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2540742"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>
578 The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>”
580 <a class="indexterm" name="id2540758"></a>
581 Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
582 regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>”
584 If you are now asking yourself how problems can be avoided, the best advice is to start
585 out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After
586 you have seen a fully working solution, a good way to learn is to make slow and progressive
587 changes that cause things to break, then observe carefully how and why things ceased to work.
589 The examples in this chapter (also in the book as a whole) are known to work. That means
590 that they could serve as the kick-off point for your journey through fields of knowledge.
591 Use this resource carefully; we hope it serves you well.
592 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
593 Do not be lulled into thinking that you can easily adopt the examples in this
594 book and adapt them without first working through the examples provided. A little
595 thing overlooked can cause untold pain and may permanently tarnish your experience.
596 </p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2540802"></a>The Name Service Caching Daemon</h5></div></div></div><p>
597 The name service caching daemon (nscd) is a primary cause of difficulties with name
598 resolution, particularly where <span><strong class="command">winbind</strong></span> is used. Winbind does its
599 own caching, thus nscd causes double caching which can lead to peculiar problems during
600 debugging. As a rule, it is a good idea to turn off the name service caching daemon.
602 Operation of the name service caching daemon is controlled by the
603 <code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows:
604 </p><pre class="screen">
606 # An example Name Service Cache config file. This file is needed by nscd.
608 # logfile <file>
609 # debug-level <level>
610 # threads <threads to use>
611 # server-user <user to run server as instead of root>
612 # server-user is ignored if nscd is started with -S parameters
613 # stat-user <user who is allowed to request statistics>
614 # reload-count unlimited|<number>
616 # enable-cache <service> <yes|no>
617 # positive-time-to-live <service> <time in seconds>
618 # negative-time-to-live <service> <time in seconds>
619 # suggested-size <service> <prime number>
620 # check-files <service> <yes|no>
621 # persistent <service> <yes|no>
622 # shared <service> <yes|no>
623 # Currently supported cache names (services): passwd, group, hosts
624 # logfile /var/log/nscd.log
630 enable-cache passwd yes
631 positive-time-to-live passwd 600
632 negative-time-to-live passwd 20
633 suggested-size passwd 211
634 check-files passwd yes
635 persistent passwd yes
637 enable-cache group yes
638 positive-time-to-live group 3600
639 negative-time-to-live group 60
640 suggested-size group 211
641 check-files group yes
644 # !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
645 # cache hosts will cause your local system to not be able to trust
646 # forward/reverse lookup checks. DO NOT USE THIS if your system relies on
647 # this sort of security mechanism. Use a caching DNS server instead.
648 enable-cache hosts no
649 positive-time-to-live hosts 3600
650 negative-time-to-live hosts 20
651 suggested-size hosts 211
652 check-files hosts yes
656 It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code>
657 entries so they will not be cached. Alternatively, it is often simpler to just disable the
658 <span><strong class="command">nscd</strong></span> service by executing (on Novell SUSE Linux):
659 </p><pre class="screen">
660 <code class="prompt">root# </code> chkconfig nscd off
661 <code class="prompt">root# </code> rcnscd off
663 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2540940"></a>Debugging LDAP</h5></div></div></div><p>
664 <a class="indexterm" name="id2540948"></a>
665 <a class="indexterm" name="id2540955"></a>
666 <a class="indexterm" name="id2540962"></a>
667 In the example <code class="filename">/etc/openldap/slapd.conf</code> control file
668 (see <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a>) there is an entry for <code class="constant">loglevel 256</code>.
669 To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
670 and restart <span><strong class="command">slapd</strong></span>.
672 <a class="indexterm" name="id2540997"></a>
673 <a class="indexterm" name="id2541004"></a>
674 LDAP log information can be directed into a file that is separate from the normal system
675 log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following
677 </p><pre class="screen">
678 # Some foreign boot scripts require local7
680 local0,local1.* -/var/log/localmessages
681 local2,local3.* -/var/log/localmessages
682 local5.* -/var/log/localmessages
683 local6,local7.* -/var/log/localmessages
684 local4.* -/var/log/ldaplogs
686 In this case, all LDAP-related logs will be directed to the file
687 <code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors.
688 The snippet provides a simple example of usage that can be modified to suit
689 local site needs. The configuration used later in this chapter reflects such
690 customization with the intent that LDAP log files will be stored at a location
691 that meets local site needs and wishes more fully.
692 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2541046"></a>Debugging NSS_LDAP</h5></div></div></div><p>
693 The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
694 <code class="filename">/etc/ldap.conf</code> file the following parameters:
695 </p><pre class="screen">
699 Create the log directory as follows:
700 </p><pre class="screen">
701 <code class="prompt">root# </code> mkdir /data/logs
704 The diagnostic process should follow these steps:
705 </p><div class="procedure"><a name="id2541089"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p>
706 Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries
707 in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory
708 tree location that was chosen when the directory was first created.
710 One way this can be done is by executing:
711 </p><pre class="screen">
712 <code class="prompt">root# </code> slapcat | grep Group | grep dn
713 dn: ou=Groups,dc=abmas,dc=biz
714 dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
715 dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
716 dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
717 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
718 dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
719 dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
720 dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
721 dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
723 The first line is the DIT entry point for the container for POSIX groups. The correct entry
724 for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code>
725 parameter therefore is the distinguished name (dn) as applied here:
726 </p><pre class="screen">
727 nss_base_group ou=Groups,dc=abmas,dc=biz?one
729 The same process may be followed to determine the appropriate dn for user accounts.
730 If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code>
731 file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the
732 following DIT dn in the <code class="filename">/etc/ldap.conf</code> file:
733 </p><pre class="screen">
734 nss_base_passwd dc=abmas,dc=biz?sub
736 This instructs LDAP to search for machine as well as user entries from the top of the DIT
737 down. This is inefficient, but at least should work. Note: It is possible to specify multiple
738 <code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they
739 will be evaluated sequentially. Let us consider an example of use where the following DIT
740 has been implemented:
742 </p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>
744 The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive
745 in the <code class="filename">/etc/ldap.conf</code> file may be:
746 </p><pre class="screen">
747 nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
748 nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
751 Perform lookups such as:
752 </p><pre class="screen">
753 <code class="prompt">root# </code> getent passwd
755 Each such lookup will create an entry in the <code class="filename">/data/log</code> directory
756 for each such process executed. The contents of each file created in this directory
757 may provide a hint as to the cause of the a problem that is under investigation.
759 For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code>
760 to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
762 </p><pre class="screen">
763 slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
765 slapd[12164]: conn=0 op=0 BIND dn="" method=128
766 slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
767 slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
768 filter="(objectClass=*)"
769 slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
771 slapd[12164]: conn=0 op=2 UNBIND
772 slapd[12164]: conn=0 fd=10 closed
773 slapd[12164]: conn=1 fd=10 ACCEPT from
774 IP=127.0.0.1:33540 (IP=0.0.0.0:389)
775 slapd[12164]: conn=1 op=0 BIND
776 dn="cn=Manager,dc=abmas,dc=biz" method=128
777 slapd[12164]: conn=1 op=0 BIND
778 dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
779 slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
780 slapd[12164]: conn=1 op=1 SRCH
781 base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
782 filter="(objectClass=posixAccount)"
783 slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
784 uidNumber gidNumber cn
785 homeDirectory loginShell gecos description objectClass
786 slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
788 slapd[12164]: conn=1 fd=10 closed
792 Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the
793 <code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the
794 <code class="filename">/etc/openldap/slapd.conf</code> file.
795 </p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2541358"></a>Debugging Samba</h5></div></div></div><p>
796 The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems:
797 </p><pre class="screen">
801 log file = /var/log/samba/%m.log
805 This will result in the creation of a separate log file for every client from which connections
806 are made. The log file will be quite verbose and will grow continually. Do not forget to
807 change these lines to the following when debugging has been completed:
808 </p><pre class="screen">
812 log file = /var/log/samba/%m.log
817 The log file can be analyzed by executing:
818 </p><pre class="screen">
819 <code class="prompt">root# </code> cd /var/log/samba
820 <code class="prompt">root# </code> grep -v "^\[200" machine_name.log
823 Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span>
824 and <span class="emphasis"><em>error</em></span>.
825 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2541429"></a>Debugging on the Windows Client</h5></div></div></div><p>
826 MS Windows 2000 Professional and Windows XP Professional clients can be configured
827 to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
828 the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
829 version of MS Windows.
830 </p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2541446"></a>Political Issues</h3></div></div></div><p>
831 MS Windows network users are generally very sensitive to limits that may be imposed when
832 confronted with locked-down workstation configurations. The challenge you face must
833 be promoted as a choice between reliable, fast network operation and a constant flux
834 of problems that result in user irritation.
835 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2541462"></a>Installation Checklist</h3></div></div></div><p>
836 You are starting a complex project. Even though you went through the installation of a complex
837 network in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>, this network is a bigger challenge because of the
838 large number of complex applications that must be configured before the first few steps
839 can be validated. Take stock of what you are about to undertake, prepare yourself, and
840 frequently review the steps ahead while making at least a mental note of what has already
841 been completed. The following task list may help you to keep track of the task items
843 </p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2541642"></a>Samba Server Implementation</h2></div></div></div><p>
844 <a class="indexterm" name="id2541650"></a>
845 <a class="indexterm" name="id2541657"></a>
846 The network design shown in <a href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">???</a> is not comprehensive. It is assumed
847 that you will install additional file servers and possibly additional BDCs.
848 </p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div><p>
849 <a class="indexterm" name="id2541720"></a>
850 <a class="indexterm" name="id2541726"></a>
851 All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
852 Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
853 adjust the locations for your particular Linux system distribution/implementation.
854 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
855 The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
856 scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
857 please verify that the versions you are about to use are matching. The smbldap-tools package
858 uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
859 issued for POSIX accounts. The LDAP rdn under which this information is stored are called
860 <code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be
861 located in any convenient part of the directory information tree (DIT). In the examples that
862 follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>.
863 They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>.
865 The steps in the process involve changes from the network configuration shown in
866 <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>. Before implementing the following steps, you must
867 have completed the network implementation shown in that chapter. If you are starting
868 with newly installed Linux servers, you must complete the steps shown in
869 <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> before commencing at <a href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">???</a>.
870 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
871 <a class="indexterm" name="id2541808"></a>
872 <a class="indexterm" name="id2541815"></a>
873 <a class="indexterm" name="id2541822"></a>
874 Confirm that the packages shown in <a href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">???</a> are installed on your system.
875 </p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div><p>
876 Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
877 for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
878 follow these guidelines, the resulting system should work fine.
879 </p><div class="procedure"><a name="id2541954"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p>
880 <a class="indexterm" name="id2541965"></a>
881 Install the file shown in <a href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">???</a> in the directory
882 <code class="filename">/etc/openldap</code>.
884 <a class="indexterm" name="id2541993"></a>
885 <a class="indexterm" name="id2542000"></a>
886 <a class="indexterm" name="id2542007"></a>
887 Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that
888 the directory exists with permissions:
889 </p><pre class="screen">
890 <code class="prompt">root# </code> ls -al /data | grep ldap
891 drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
893 This may require you to add a user and a group account for LDAP if they do not exist.
895 <a class="indexterm" name="id2542042"></a>
896 Install the file shown in <a href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">???</a> in the directory
897 <code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code>
898 has been started, it is possible to cause the new settings to take effect by shutting down
899 the <code class="constant">LDAP</code> server, executing the <span><strong class="command">db_recover</strong></span> command inside the
900 <code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server.
902 <a class="indexterm" name="id2542096"></a>
903 Performance logging can be enabled and should preferably be sent to a file on
904 a file system that is large enough to handle significantly sized logs. To enable
905 the logging at a verbose level to permit detailed analysis, uncomment the entry in
906 the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”.
908 Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end
910 </p><pre class="screen">
911 local4.* -/data/ldap/log/openldap.log
913 Note: The path <code class="filename">/data/ldap/log</code> should be set at a location
914 that is convenient and that can store a large volume of data.
915 </p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><pre class="screen">
916 set_cachesize 0 150000000 1
917 set_lg_regionmax 262144
919 #set_lg_dir /var/log/bdb
920 set_flags DB_LOG_AUTOREMOVE
921 </pre></div><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><pre class="screen">
922 include /etc/openldap/schema/core.schema
923 include /etc/openldap/schema/cosine.schema
924 include /etc/openldap/schema/inetorgperson.schema
925 include /etc/openldap/schema/nis.schema
926 include /etc/openldap/schema/samba3.schema
928 pidfile /var/run/slapd/slapd.pid
929 argsfile /var/run/slapd/slapd.args
935 access to attr=userPassword
939 access to attr=shadowLastChange
956 suffix "dc=abmas,dc=biz"
957 rootdn "cn=Manager,dc=abmas,dc=biz"
960 rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
963 </pre></div><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><pre class="screen">
964 # Indices to maintain
968 index uid pres,sub,eq
969 index displayName pres,sub,eq
974 index sambaPrimaryGroupSID eq
975 index sambaDomainName eq
977 </pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
978 <a class="indexterm" name="id2542248"></a>
979 <a class="indexterm" name="id2542254"></a>
980 <a class="indexterm" name="id2542261"></a>
981 The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
982 groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
983 the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
985 <a class="indexterm" name="id2542275"></a>
986 <a class="indexterm" name="id2542285"></a>
987 Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
988 that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
989 correct configuration of PAM. The <span><strong class="command">pam_ldap</strong></span> open source package provides the
990 PAM modules that most people would use. On SUSE Linux systems, the <span><strong class="command">pam_unix2.so</strong></span>
991 module also has the ability to redirect authentication requests through LDAP.
993 <a class="indexterm" name="id2542313"></a>
994 <a class="indexterm" name="id2542320"></a>
995 <a class="indexterm" name="id2542327"></a>
996 <a class="indexterm" name="id2542334"></a>
997 You have chosen to configure these services by directly editing the system files, but of course, you
998 know that this configuration can be done using system tools provided by the Linux system vendor.
999 SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span>-><span class="guimenuitem">system</span>-><span class="guimenuitem">ldap-client</span> that permits
1000 configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <span><strong class="command">authconfig</strong></span>
1002 </p><div class="procedure"><a name="id2542373"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><pre class="screen">
1005 base dc=abmas,dc=biz
1007 binddn cn=Manager,dc=abmas,dc=biz
1018 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1019 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1020 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1023 </pre></div><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><pre class="screen">
1026 base dc=abmas,dc=biz
1028 binddn cn=Manager,dc=abmas,dc=biz
1039 nss_base_passwd ou=People,dc=abmas,dc=biz?one
1040 nss_base_shadow ou=People,dc=abmas,dc=biz?one
1041 nss_base_group ou=Groups,dc=abmas,dc=biz?one
1044 </pre></div><ol type="1"><li><p>
1045 <a class="indexterm" name="id2542385"></a>
1046 <a class="indexterm" name="id2542392"></a>
1047 <a class="indexterm" name="id2542399"></a>
1048 Execute the following command to find where the <code class="filename">nss_ldap</code> module
1049 expects to find its control file:
1050 </p><pre class="screen">
1051 <code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 | grep conf
1053 The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.
1055 On the server <code class="constant">MASSIVE</code>, install the file shown in
1056 <a href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">???</a> into the path that was obtained from the step above.
1057 On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in
1058 <a href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">???</a> into the path that was obtained from the step above.
1060 <a class="indexterm" name="id2542533"></a>
1061 Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that
1062 control user and group resolution will obtain information from the normal system files as
1063 well as from <span><strong class="command">ldap</strong></span>:
1064 </p><pre class="screen">
1068 hosts: files dns wins
1070 Later, when the LDAP database has been initialized and user and group accounts have been
1071 added, you can validate resolution of the LDAP resolver process. The inclusion of
1072 WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
1073 resolved to their IP addresses, whether or not they are DHCP clients.
1074 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1075 Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code>
1076 file that may cause operational problems with the configuration methods adopted in this book. It is
1077 advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code>
1078 where they are found in this file.
1080 Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
1081 <code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP.
1083 <a class="indexterm" name="id2542608"></a>
1084 For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1085 files in the <code class="filename">/etc/pam.d</code> directory: <span><strong class="command">login</strong></span>, <span><strong class="command">password</strong></span>,
1086 <span><strong class="command">samba</strong></span>, <span><strong class="command">sshd</strong></span>. In each file, locate every entry that has the
1087 <span><strong class="command">pam_unix2.so</strong></span> entry and add to the line the entry <span><strong class="command">use_ldap</strong></span> as shown
1088 for the <span><strong class="command">login</strong></span> module in this example:
1089 </p><pre class="screen">
1091 auth requisite pam_unix2.so nullok use_ldap #set_secrpc
1092 auth required pam_securetty.so
1093 auth required pam_nologin.so
1094 #auth required pam_homecheck.so
1095 auth required pam_env.so
1096 auth required pam_mail.so
1097 account required pam_unix2.so use_ldap
1098 password required pam_pwcheck.s nullok
1099 password required pam_unix2.so nullok use_first_pass \
1100 use_authtok use_ldap
1101 session required pam_unix2.so none use_ldap # debug or trace
1102 session required pam_limits.so
1105 <a class="indexterm" name="id2542687"></a>
1106 On other Linux systems that do not have an LDAP-enabled <span><strong class="command">pam_unix2.so</strong></span> module,
1107 you must edit these files by adding the <span><strong class="command">pam_ldap.so</strong></span> modules as shown here:
1108 </p><pre class="screen">
1110 auth required pam_securetty.so
1111 auth required pam_nologin.so
1112 auth sufficient pam_ldap.so
1113 auth required pam_unix2.so nullok try_first_pass #set_secrpc
1114 account sufficient pam_ldap.so
1115 account required pam_unix2.so
1116 password required pam_pwcheck.so nullok
1117 password required pam_ldap.so use_first_pass use_authtok
1118 password required pam_unix2.so nullok use_first_pass use_authtok
1119 session required pam_unix2.so none # debug or trace
1120 session required pam_limits.so
1121 session required pam_env.so
1122 session optional pam_mail.so
1124 This example does have the LDAP-enabled <span><strong class="command">pam_unix2.so</strong></span>, but simply
1125 demonstrates the use of the <span><strong class="command">pam_ldap.so</strong></span> module. You can use either
1126 implementation, but if the <span><strong class="command">pam_unix2.so</strong></span> on your system supports
1127 LDAP, you probably want to use it rather than add an additional module.
1128 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
1129 <a class="indexterm" name="id2542761"></a>
1130 Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
1131 before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
1132 choice to either build your own or obtain the packages from a dependable source.
1133 Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
1134 Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
1135 is included with this book.
1136 </p><div class="procedure"><a name="id2542777"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p>
1137 Install the files in <a href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">???</a>,
1138 <a href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">???</a>, <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>,
1139 and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a> into the <code class="filename">/etc/samba/</code>
1140 directory. The three files should be added together to form the <code class="filename">smb.conf</code>
1141 master file. It is a good practice to call this file something like
1142 <code class="filename">smb.conf.master</code> and then to perform all file edits
1143 on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in
1146 <a class="indexterm" name="id2542854"></a>
1147 Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by:
1148 </p><pre class="screen">
1149 <code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf
1151 Immediately follow this with the following:
1152 </p><pre class="screen">
1153 <code class="prompt">root# </code> testparm
1155 The output that is created should be free from errors, as shown here:
1157 </p><pre class="screen">
1158 Load smb config files from /etc/samba/smb.conf
1159 Processing section "[accounts]"
1160 Processing section "[service]"
1161 Processing section "[pidata]"
1162 Processing section "[homes]"
1163 Processing section "[printers]"
1164 Processing section "[apps]"
1165 Processing section "[netlogon]"
1166 Processing section "[profiles]"
1167 Processing section "[profdata]"
1168 Processing section "[print$]"
1169 Loaded services file OK.
1170 Server role: ROLE_DOMAIN_PDC
1171 Press enter to see a dump of your service definitions
1174 Delete all runtime files from prior Samba operation by executing (for SUSE
1176 </p><pre class="screen">
1177 <code class="prompt">root# </code> rm /etc/samba/*tdb
1178 <code class="prompt">root# </code> rm /var/lib/samba/*tdb
1179 <code class="prompt">root# </code> rm /var/lib/samba/*dat
1180 <code class="prompt">root# </code> rm /var/log/samba/*
1183 <a class="indexterm" name="id2542953"></a>
1184 <a class="indexterm" name="id2542960"></a>
1185 Samba-3 communicates with the LDAP server. The password that it uses to
1186 authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code>
1187 file. Execute the following to create the new <code class="filename">secrets.tdb</code> files
1188 and store the password for the LDAP Manager:
1189 </p><pre class="screen">
1190 <code class="prompt">root# </code> smbpasswd -w not24get
1192 The expected output from this command is:
1193 </p><pre class="screen">
1194 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1197 <a class="indexterm" name="id2543009"></a>
1198 <a class="indexterm" name="id2543016"></a>
1199 Samba-3 generates a Windows Security Identifier (SID) only when <span><strong class="command">smbd</strong></span>
1200 has been started. For this reason, you start Samba. After a few seconds delay,
1202 </p><pre class="screen">
1203 <code class="prompt">root# </code> smbclient -L localhost -U%
1204 <code class="prompt">root# </code> net getlocalsid
1206 A report such as the following means that the domain SID has not yet
1207 been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend:
1208 </p><pre class="screen">
1209 [2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
1210 failed to bind to server ldap://massive.abmas.biz
1211 with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
1213 [2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
1214 smbldap_search_suffix: Problem during the LDAP search:
1215 (unknown) (Timed out)
1217 The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
1218 is not running, this operation will fail by way of a timeout, as shown previously. This is
1219 normal output; do not worry about this error message. When the domain has been created and
1220 written to the <code class="filename">secrets.tdb</code> file, the output should look like this:
1221 </p><pre class="screen">
1222 SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
1224 If, after a short delay (a few seconds), the domain SID has still not been written to
1225 the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what
1226 may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical
1227 errors (the most common problem). The use of the <span><strong class="command">testparm</strong></span> is highly
1228 recommended to validate the contents of this file.
1230 When a positive domain SID has been reported, stop Samba.
1232 <a class="indexterm" name="id2543128"></a>
1233 <a class="indexterm" name="id2543135"></a>
1234 <a class="indexterm" name="id2543142"></a>
1235 <a class="indexterm" name="id2543148"></a>
1236 Configure the NFS server for your Linux system. So you can complete the steps that
1237 follow, enter into the <code class="filename">/etc/exports</code> the following entry:
1238 </p><pre class="screen">
1239 /home *(rw,root_squash,sync)
1241 This permits the user home directories to be used on the BDC servers for testing
1242 purposes. You, of course, decide what is the best way for your site to distribute
1243 data drives, and you create suitable backup and restore procedures for Abmas
1244 I'd strongly recommend that for normal operation the BDC is completely independent
1245 of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
1246 closely. If you do use NFS, do not forget to start the NFS server as follows:
1247 </p><pre class="screen">
1248 <code class="prompt">root# </code> rcnfsserver start
1250 </p></li></ol></div><p>
1251 Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1252 configuration of the LDAP server.
1253 </p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2543235"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2543248"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2543260"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2543273"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2543286"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543299"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2543312"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543325"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2543338"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2543351"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2543364"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2543377"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2543389"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2543402"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2543415"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543428"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2543441"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2543454"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2543468"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2543481"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2543495"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2543508"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2543522"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2543536"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2543550"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example 5.7. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2543589"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2543602"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2543615"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2543627"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543640"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543653"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543666"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2543679"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2543692"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2543705"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2543718"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2543731"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2543744"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2543758"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2543770"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2543783"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2543796"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2543809"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>
1254 <a class="indexterm" name="id2543836"></a>
1255 The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
1256 on the LDAP server. You have chosen the Idealx scripts because they are the best-known
1257 LDAP configuration scripts. The use of these scripts will help avoid the necessity
1258 to create custom scripts. It is easy to download them from the Idealx
1259 <a href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may
1260 be directly <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a>
1261 from this site also. Alternatively, you may obtain the
1262 <a href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a>
1263 file that may be used to build an installable RPM package for your Linux system.
1264 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1265 The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
1266 change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>).
1268 The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>.
1269 The scripts are not needed on BDC machines because all LDAP updates are handled by
1271 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2543903"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>
1272 To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
1273 </p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p>
1274 Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions
1275 and ownership as shown here:
1276 </p><pre class="screen">
1277 <code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin
1278 <code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin
1279 <code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin
1280 <code class="prompt">root# </code> mkdir -p /etc/smbldap-tools
1281 <code class="prompt">root# </code> chown root:root /etc/smbldap-tools
1282 <code class="prompt">root# </code> chmod 755 /etc/smbldap-tools
1285 If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
1286 Change into either the directory extracted from the tarball or the smbldap-tools
1287 directory in your <code class="filename">/usr/share/doc/packages</code> directory tree.
1289 Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the
1290 <code class="filename">/opt/IDEALX/sbin</code> directory, as shown here:
1291 </p><pre class="screen">
1292 <code class="prompt">root# </code> cd smbldap-tools-0.9.1/
1293 <code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
1294 <code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/
1295 <code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-*
1296 <code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl
1297 <code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf
1298 <code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf
1301 The smbldap-tools scripts master control file must now be configured.
1302 Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the
1303 <code class="filename">smbldap_tools.pm</code> to affect the changes
1305 </p><pre class="screen">
1307 # ugly funcs using global variables and spawning openldap clients
1309 my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
1310 my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
1314 To complete the configuration of the smbldap-tools, set the permissions and ownership
1315 by executing the following commands:
1316 </p><pre class="screen">
1317 <code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/*
1318 <code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-*
1319 <code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm
1321 The smbldap-tools scripts are now ready for the configuration step outlined in
1322 <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">???</a>.
1323 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2544155"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
1324 In the event that you have elected to use the RPM package provided by Idealx, download the
1325 source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure:
1326 </p><div class="procedure"><a name="id2544174"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p>
1327 Install the source RPM that has been downloaded as follows:
1328 </p><pre class="screen">
1329 <code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm
1332 Change into the directory in which the SPEC files are located. On SUSE Linux:
1333 </p><pre class="screen">
1334 <code class="prompt">root# </code> cd /usr/src/packages/SPECS
1336 On Red Hat Linux systems:
1337 </p><pre class="screen">
1338 <code class="prompt">root# </code> cd /usr/src/redhat/SPECS
1341 Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the
1342 <code class="constant">_sysconfig</code> macro as shown here:
1343 </p><pre class="screen">
1344 %define _prefix /opt/IDEALX
1345 %define _sysconfdir /etc
1347 Note: Any suitable directory can be specified.
1349 Build the package by executing:
1350 </p><pre class="screen">
1351 <code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec
1353 A build process that has completed without error will place the installable binary
1354 files in the directory <code class="filename">../RPMS/noarch</code>.
1356 Install the binary package by executing:
1357 </p><pre class="screen">
1358 <code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
1360 </p></li></ol></div><p>
1361 The Idealx scripts should now be ready for configuration using the steps outlined in
1362 <a href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
1363 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
1364 Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file
1365 and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption
1366 is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that
1367 this is completed correctly:
1369 The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
1370 in the <code class="filename">smb.conf</code> file.
1371 </p><div class="procedure"><a name="id2544368"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p>
1372 Change into the directory that contains the <code class="filename">configure.pl</code> script.
1373 </p><pre class="screen">
1374 <code class="prompt">root# </code> cd /opt/IDEALX/sbin
1377 Execute the <code class="filename">configure.pl</code> script as follows:
1378 </p><pre class="screen">
1379 <code class="prompt">root# </code> ./configure.pl
1381 The interactive use of this script for the PDC is demonstrated here:
1382 </p><pre class="screen">
1383 <code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl
1384 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1385 smbldap-tools script configuration
1386 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1387 Before starting, check
1388 . if your samba controller is up and running.
1389 . if the domain SID is defined (you can get it with the
1392 . you can leave the configuration using the Crtl-c key combination
1393 . empty value can be set with the "." character
1394 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1395 Looking for configuration files...
1397 Samba Config File Location [/etc/samba/smb.conf] >
1398 smbldap-tools configuration file Location (global parameters)
1399 [/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >
1400 smbldap Config file Location (bind parameters)
1401 [/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >
1402 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1403 Let's start configuring the smbldap-tools scripts ...
1405 . workgroup name: name of the domain Samba act as a PDC
1406 workgroup name [MEGANET2] >
1407 . netbios name: netbios name of the samba controler
1408 netbios name [MASSIVE] >
1409 . logon drive: local path to which the home directory
1410 will be connected (for NT Workstations). Ex: 'H:'
1411 logon drive [H:] >
1412 . logon home: home directory location (for Win95/98 or NT Workstation)
1413 (use %U as username) Ex:'\\MASSIVE\%U'
1414 logon home (press the "." character if you don't want homeDirectory)
1416 . logon path: directory where roaming profiles are stored.
1417 Ex:'\\MASSIVE\profiles\%U'
1418 logon path (press the "." character
1419 if you don't want roaming profile) [\\%L\profiles\%U] >
1420 . home directory prefix (use %U as username)
1421 [/home/%U] > /data/users/%U
1422 . default users' homeDirectory mode [700] >
1423 . default user netlogon script (use %U as username)
1424 [scripts\logon.bat] >
1425 default password validation time (time in days) [45] > 900
1426 . ldap suffix [dc=abmas,dc=biz] >
1427 . ldap group suffix [ou=Groups] >
1428 . ldap user suffix [ou=People,ou=Users] >
1429 . ldap machine suffix [ou=Computers,ou=Users] >
1430 . Idmap suffix [ou=Idmap] >
1431 . sambaUnixIdPooldn: object where you want to store the next uidNumber
1432 and gidNumber available for new users and groups
1433 sambaUnixIdPooldn object (relative to ${suffix})
1434 [sambaDomainName=MEGANET2] >
1435 . ldap master server: IP adress or DNS name of the master
1436 (writable) ldap server
1437 ldap master server [massive.abmas.biz] >
1438 . ldap master port [389] >
1439 . ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
1440 . ldap master bind password [] >
1441 . ldap slave server: IP adress or DNS name of the slave ldap server:
1442 can also be the master one
1443 ldap slave server [massive.abmas.biz] >
1444 . ldap slave port [389] >
1445 . ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
1446 . ldap slave bind password [] >
1447 . ldap tls support (1/0) [0] >
1448 . SID for domain MEGANET2: SID of the domain
1449 (can be obtained with 'net getlocalsid MASSIVE')
1450 SID for domain MEGANET2
1451 [S-1-5-21-3504140859-1010554828-2431957765]] >
1452 . unix password encryption: encryption used for unix passwords
1453 unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
1454 . default user gidNumber [513] >
1455 . default computer gidNumber [515] >
1456 . default login shell [/bin/bash] >
1457 . default skeleton directory [/etc/skel] >
1458 . default domain name to append to mail adress [] > abmas.biz
1459 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1460 backup old configuration files:
1461 /etc/opt/IDEALX/smbldap-tools/smbldap.conf->
1462 /etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
1463 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
1464 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
1465 writing new configuration file:
1466 /etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
1467 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
1469 Since a slave LDAP server has not been configured, it is necessary to specify the IP
1470 address of the master LDAP server for both the master and the slave configuration
1473 Change to the directory that contains the <code class="filename">smbldap.conf</code> file,
1474 then verify its contents.
1475 </p></li></ol></div><p>
1476 The smbldap-tools are now ready for use.
1477 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2544570"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
1478 The LDAP database must be populated with well-known Windows domain user accounts and domain group
1479 accounts before Samba can be used. The following procedures step you through the process.
1481 At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
1482 mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
1483 hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
1484 database. From a UNIX system perspective, the NSS resolver checks system files before
1485 referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
1486 does not need to ask LDAP.
1488 Addition of an account to the LDAP backend can be done in two ways:
1489 </p><div class="itemizedlist"><ul type="disc"><li><p>
1490 <a class="indexterm" name="id2544604"></a>
1491 <a class="indexterm" name="id2544611"></a>
1492 <a class="indexterm" name="id2544618"></a>
1493 <a class="indexterm" name="id2544625"></a>
1494 <a class="indexterm" name="id2544631"></a>
1495 <a class="indexterm" name="id2544638"></a>
1496 If you always have a user account in the <code class="filename">/etc/passwd</code> on every
1497 server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
1498 LDAP. In this case, you can add Windows domain user accounts using the
1499 <span><strong class="command">pdbedit</strong></span> utility. Use of this tool from the command line adds the
1500 SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
1502 This is the least desirable method because when LDAP is used as the passwd backend Samba
1503 expects the POSIX account to be in LDAP also. It is possible to use the PADL account
1504 migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>
1505 files, or from NIS, to LDAP.
1507 If you decide that it is probably a good idea to add both the PosixAccount attributes
1508 as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
1509 In the example system you are installing in this exercise, you are making use of the
1510 Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
1511 is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>
1512 </p></li></ul></div><p>
1513 <a class="indexterm" name="id2544698"></a>
1514 If you wish to have more control over how the LDAP database is initialized or
1515 if you don't want to use the Idealx smbldap-tools, you should refer to
1516 <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">???</a>.
1518 <a class="indexterm" name="id2544725"></a>
1519 The following steps initialize the LDAP database, and then you can add user and group
1520 accounts that Samba can use. You use the <span><strong class="command">smbldap-populate</strong></span> to
1521 seed the LDAP database. You then manually add the accounts shown in <a href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">???</a>.
1522 The list of users does not cover all 500 network users; it provides examples only.
1523 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1524 <a class="indexterm" name="id2544755"></a>
1525 <a class="indexterm" name="id2544764"></a>
1526 <a class="indexterm" name="id2544773"></a>
1527 In the following examples, as the LDAP database is initialized, we do create a container
1528 for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made
1529 of the People container, not the Computers container, for domain member accounts. This is not a
1530 mistake; it is a deliberate action that is necessitated by the fact that the resolution of
1531 a machine (computer) account to a UID is done via NSS. The only way this can be handled is
1532 using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>,
1533 which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for
1534 the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that
1535 provides only one possible LDAP search command that is specified by the entry called
1536 <code class="constant">nss_base_passwd</code>. This means that the search path must take into account
1537 the directory structure so that the LDAP search will commence at a level that is above
1538 both the Computers container and the Users (or People) container. If this is done, it is
1539 necessary to use a search that will descend the directory tree so that the machine account
1540 can be found. Alternatively, by placing all machine accounts in the People container, we
1541 are able to sidestep this limitation. This is the simpler solution that has been adopted
1543 </p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. Abmas Network Users and Groups</b></p><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol type="1"><li><p>
1544 Start the LDAP server by executing:
1545 </p><pre class="screen">
1546 <code class="prompt">root# </code> rcldap start
1547 Starting ldap-server done
1550 Change to the <code class="filename">/opt/IDEALX/sbin</code> directory.
1552 Execute the script that will populate the LDAP database as shown here:
1553 </p><pre class="screen">
1554 <code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0
1556 The expected output from this is:
1557 </p><pre class="screen">
1558 Using workgroup name from smb.conf: sambaDomainName=MEGANET2
1559 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1560 => Warning: you must update smbldap.conf configuration file to :
1561 => sambaUnixIdPooldn parameter must be set
1562 to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
1563 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1564 Using builtin directory structure
1565 adding new entry: dc=abmas,dc=biz
1566 adding new entry: ou=People,dc=abmas,dc=biz
1567 adding new entry: ou=Groups,dc=abmas,dc=biz
1568 entry ou=People,dc=abmas,dc=biz already exist.
1569 adding new entry: ou=Idmap,dc=abmas,dc=biz
1570 adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
1571 adding new entry: uid=root,ou=People,dc=abmas,dc=biz
1572 adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
1573 adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
1574 adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
1575 adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
1576 adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1577 adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
1578 adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
1579 adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1580 adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
1583 Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following
1584 information is changed from:
1585 </p><pre class="screen">
1586 # Where to store next uidNumber and gidNumber available
1587 sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1589 to read, after modification:
1590 </p><pre class="screen">
1591 # Where to store next uidNumber and gidNumber available
1592 #sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1593 sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
1596 It is necessary to restart the LDAP server as shown here:
1597 </p><pre class="screen">
1598 <code class="prompt">root# </code> rcldap restart
1599 Shutting down ldap-server done
1600 Starting ldap-server done
1603 <a class="indexterm" name="id2545193"></a>
1604 So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
1605 There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
1606 the simplest is to execute:
1607 </p><pre class="screen">
1608 <code class="prompt">root# </code> slapcat | grep -i idmap
1609 dn: ou=Idmap,dc=abmas,dc=biz
1612 <a class="indexterm" name="id2545217"></a>
1613 If the execution of this command does not return IDMAP entries, you need to create an LDIF
1614 template file (see <a href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">???</a>). You can add the required entries using
1615 the following command:
1616 </p><pre class="screen">
1617 <code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
1618 -w not24get < /etc/openldap/idmap.LDIF
1620 Samba automatically populates this LDAP directory container when it needs to.
1622 <a class="indexterm" name="id2545257"></a>
1623 It looks like all has gone well, as expected. Let's confirm that this is the case
1624 by running a few tests. First we check the contents of the database directly
1625 by running <span><strong class="command">slapcat</strong></span> as follows (the output has been cut down):
1626 </p><pre class="screen">
1627 <code class="prompt">root# </code> slapcat
1629 objectClass: dcObject
1630 objectClass: organization
1633 structuralObjectClass: organization
1634 entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
1635 creatorsName: cn=Manager,dc=abmas,dc=biz
1636 createTimestamp: 20031217234200Z
1637 entryCSN: 2003121723:42:00Z#0x0001#0#0000
1638 modifiersName: cn=Manager,dc=abmas,dc=biz
1639 modifyTimestamp: 20031217234200Z
1641 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1642 objectClass: posixGroup
1643 objectClass: sambaGroupMapping
1645 cn: Domain Computers
1646 description: Netbios Domain Computers accounts
1647 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1649 displayName: Domain Computers
1650 structuralObjectClass: posixGroup
1651 entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
1652 creatorsName: cn=Manager,dc=abmas,dc=biz
1653 createTimestamp: 20031217234206Z
1654 entryCSN: 2003121723:42:06Z#0x0002#0#0000
1655 modifiersName: cn=Manager,dc=abmas,dc=biz
1656 modifyTimestamp: 20031217234206Z
1658 This looks good so far.
1660 <a class="indexterm" name="id2545308"></a>
1661 The next step is to prove that the LDAP server is running and responds to a
1662 search request. Execute the following as shown (output has been cut to save space):
1663 </p><pre class="screen">
1664 <code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
1668 # base <dc=abmas,dc=biz> with scope sub
1669 # filter: (ObjectClass=*)
1675 objectClass: dcObject
1676 objectClass: organization
1681 dn: ou=People,dc=abmas,dc=biz
1682 objectClass: organizationalUnit
1685 # Domain Computers, Groups, abmas.biz
1686 dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1687 objectClass: posixGroup
1688 objectClass: sambaGroupMapping
1690 cn: Domain Computers
1691 description: Netbios Domain Computers accounts
1692 sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1694 displayName: Domain Computers
1703 Good. It is all working just fine.
1705 <a class="indexterm" name="id2545365"></a>
1706 You must now make certain that the NSS resolver can interrogate LDAP also.
1707 Execute the following commands:
1708 </p><pre class="screen">
1709 <code class="prompt">root# </code> getent passwd | grep root
1710 root:x:998:512:Netbios Domain Administrator:/home:/bin/false
1712 <code class="prompt">root# </code> getent group | grep Domain
1713 Domain Admins:x:512:root
1715 Domain Guests:x:514:
1716 Domain Computers:x:553:
1718 <a class="indexterm" name="id2545394"></a>
1719 This demonstrates that the <span><strong class="command">nss_ldap</strong></span> library is functioning
1720 as it should. If these two steps fail to produce this information, refer to
1721 <a href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">???</a> for diagnostic procedures that can be followed to
1722 isolate the cause of the problem. Proceed to the next step only when the previous steps
1723 have been successfully completed.
1725 <a class="indexterm" name="id2545425"></a>
1726 <a class="indexterm" name="id2545432"></a>
1727 <a class="indexterm" name="id2545439"></a>
1728 Our database is now ready for the addition of network users. For each user for
1729 whom an account must be created, execute the following:
1730 </p><pre class="screen">
1731 <code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code>
1732 <code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code>
1733 Changing password for <code class="constant">username</code>
1734 New password : XXXXXXXX
1735 Retype new password : XXXXXXXX
1737 <code class="prompt">root# </code> smbpasswd <code class="constant">username</code>
1738 New SMB password: XXXXXXXX
1739 Retype new SMB password: XXXXXXXX
1741 where <code class="constant">username</code> is the login ID for each user.
1743 <a class="indexterm" name="id2545500"></a>
1744 Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
1746 </p><pre class="screen">
1747 <code class="prompt">root# </code> getent passwd
1748 root:x:0:0:root:/root:/bin/bash
1749 bin:x:1:1:bin:/bin:/bin/bash
1751 root:x:0:512:Netbios Domain Administrator:/home:/bin/false
1752 nobody:x:999:514:nobody:/dev/null:/bin/false
1753 bobj:x:1000:513:System User:/home/bobj:/bin/bash
1754 stans:x:1001:513:System User:/home/stans:/bin/bash
1755 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
1756 maryv:x:1003:513:System User:/home/maryv:/bin/bash
1758 This demonstrates that user account resolution via LDAP is working.
1760 This step will determine whether or not identity resolution is working correctly.
1761 Do not procede is this step fails, rather find the cause of the failure. The
1762 <span><strong class="command">id</strong></span> command may be used to validate your configuration so far,
1764 </p><pre class="screen">
1765 <code class="prompt">root# </code> id chrisr
1766 uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
1768 This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
1769 by system tools that make a getentpw() system call.
1771 <a class="indexterm" name="id2545566"></a>
1772 The root account must have UID=0; if not, this means that operations conducted from
1773 a Windows client using tools such as the Domain User Manager fails under UNIX because
1774 the management of user and group accounts requires that the UID=0. Additionally, it is
1775 a good idea to make certain that no matter how root account credentials are resolved,
1776 the home directory and shell are valid. You decide to effect this immediately
1777 as demonstrated here:
1778 </p><pre class="screen">
1779 <code class="prompt">root# </code> cd /opt/IDEALX/sbin
1780 <code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root
1783 Verify that the changes just made to the <code class="constant">root</code> account were
1784 accepted by executing:
1785 </p><pre class="screen">
1786 <code class="prompt">root# </code> getent passwd | grep root
1787 root:x:0:0:root:/root:/bin/bash
1788 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
1790 This demonstrates that the changes were accepted.
1792 Make certain that a home directory has been created for every user by listing the
1793 directories in <code class="filename">/home</code> as follows:
1794 </p><pre class="screen">
1795 <code class="prompt">root# </code> ls -al /home
1796 drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
1797 drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
1798 drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
1799 drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
1800 drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
1801 drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
1803 This is precisely what we want to see.
1805 <a class="indexterm" name="id2545665"></a>
1806 <a class="indexterm" name="id2545672"></a>
1807 The final validation step involves making certain that Samba-3 can obtain the user
1808 accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
1809 </p><pre class="screen">
1810 <code class="prompt">root# </code> pdbedit -Lv chrisr
1811 Unix username: chrisr
1814 User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
1815 Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
1816 Full Name: System User
1817 Home Directory: \\MASSIVE\homes
1819 Logon Script: scripts\login.cmd
1820 Profile Path: \\MASSIVE\profiles\chrisr
1822 Account desc: System User
1826 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
1827 Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
1828 Password last set: Wed, 17 Dec 2003 17:17:40 GMT
1829 Password can change: Wed, 17 Dec 2003 17:17:40 GMT
1830 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
1831 Last bad password : 0
1832 Bad password count : 0
1833 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
1835 This looks good. Of course, you fully expected that it would all work, didn't you?
1837 <a class="indexterm" name="id2545717"></a>
1838 Now you add the group accounts that are used on the Abmas network. Execute
1839 the following exactly as shown:
1840 </p><pre class="screen">
1841 <code class="prompt">root# </code> ./smbldap-groupadd -a Accounts
1842 <code class="prompt">root# </code> ./smbldap-groupadd -a Finances
1843 <code class="prompt">root# </code> ./smbldap-groupadd -a PIOps
1845 The addition of groups does not involve keyboard interaction, so the lack of console
1846 output is of no concern.
1848 <a class="indexterm" name="id2545759"></a>
1849 You really do want to confirm that UNIX group resolution from LDAP is functioning
1850 as it should. Let's do this as shown here:
1851 </p><pre class="screen">
1852 <code class="prompt">root# </code> getent group
1854 Domain Admins:x:512:root
1855 Domain Users:x:513:bobj,stans,chrisr,maryv
1856 Domain Guests:x:514:
1862 The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
1863 as our own site-specific group accounts, are correctly listed. This is looking good.
1865 <a class="indexterm" name="id2545792"></a>
1866 The final step we need to validate is that Samba can see all the Windows domain groups
1867 and that they are correctly mapped to the respective UNIX group account. To do this,
1868 just execute the following command:
1869 </p><pre class="screen">
1870 <code class="prompt">root# </code> net groupmap list
1871 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
1872 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
1873 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
1875 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
1876 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
1877 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
1879 This is looking good. Congratulations it works! Note that in the above output
1880 the lines were shortened by replacing the middle value (1010554828) of the SID with the
1883 The server you have so carefully built is now ready for another important step. You
1884 start the Samba-3 server and validate its operation. Execute the following to render all
1885 the processes needed fully operative so that, on system reboot, they are automatically
1887 </p><pre class="screen">
1888 <code class="prompt">root# </code> chkconfig named on
1889 <code class="prompt">root# </code> chkconfig dhcpd on
1890 <code class="prompt">root# </code> chkconfig ldap on
1891 <code class="prompt">root# </code> chkconfig nmb on
1892 <code class="prompt">root# </code> chkconfig smb on
1893 <code class="prompt">root# </code> chkconfig winbind on
1894 <code class="prompt">root# </code> rcnmb start
1895 <code class="prompt">root# </code> rcsmb start
1896 <code class="prompt">root# </code> rcwinbind start
1899 The next step might seem a little odd at this point, but take note that you are about to
1900 start <span><strong class="command">winbindd</strong></span>, which must be able to authenticate to the PDC via the
1901 localhost interface with the <span><strong class="command">smbd</strong></span> process. This account can be
1902 easily created by joining the PDC to the domain by executing the following command:
1903 </p><pre class="screen">
1904 <code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get
1906 Note: Before executing this command on the PDC, both <span><strong class="command">nmbd</strong></span> and
1907 <span><strong class="command">smbd</strong></span> must be started so that the <span><strong class="command">net</strong></span> command
1908 can communicate with <span><strong class="command">smbd</strong></span>. The expected output is as follows:
1909 </p><pre class="screen">
1910 Joined domain MEGANET2.
1912 This indicates that the domain security account for the PDC has been correctly created.
1914 At this time it is necessary to restart <span><strong class="command">winbindd</strong></span> so that it can
1915 correctly authenticate to the PDC. The following command achieves that:
1916 </p><pre class="screen">
1917 <code class="prompt">root# </code> rcwinbind restart
1920 <a class="indexterm" name="id2546007"></a>
1921 You may now check Samba-3 operation as follows:
1922 </p><pre class="screen">
1923 <code class="prompt">root# </code> smbclient -L massive -U%
1925 Sharename Type Comment
1926 --------- ---- -------
1927 IPC$ IPC IPC Service (Samba 3.0.20)
1928 accounts Disk Accounting Files
1929 service Disk Financial Services Files
1930 pidata Disk Property Insurance Files
1931 apps Disk Application Files
1932 netlogon Disk Network Logon Service
1933 profiles Disk Profile Share
1934 profdata Disk Profile Data Share
1935 ADMIN$ IPC IPC Service (Samba 3.0.20)
1939 MASSIVE Samba 3.0.20
1945 This shows that an anonymous connection is working.
1947 For your finale, let's try an authenticated connection:
1948 </p><pre class="screen">
1949 <code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8
1951 . D 0 Wed Dec 17 01:16:19 2003
1952 .. D 0 Wed Dec 17 19:04:42 2003
1953 bin D 0 Tue Sep 2 04:00:57 2003
1954 Documents D 0 Sun Nov 30 07:28:20 2003
1955 public_html D 0 Sun Nov 30 07:28:20 2003
1956 .urlview H 311 Fri Jul 7 06:55:35 2000
1957 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
1959 57681 blocks of size 524288. 57128 blocks available
1962 Well done. All is working fine.
1963 </p></li></ol></div><p>
1964 The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.
1965 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1966 <a class="indexterm" name="id2546104"></a>
1967 The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
1968 taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>
1969 printing to be possible involves creation of the directories in which Samba-3 stores
1970 Windows printing driver files.
1971 </p><div class="procedure"><a name="id2546126"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol type="1"><li><p>
1972 Configure all network-attached printers to have a fixed IP address.
1974 Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
1975 in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
1976 and in the reverse lookup database for the network segment that the printer is to
1977 be located in. Example configuration files for similar zones were presented in <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>,
1978 <a href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">???</a> and in <a href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">???</a>.
1980 Follow the instructions in the printer manufacturers' manuals to permit printing
1981 to port 9100. Use any other port the manufacturer specifies for direct mode,
1982 raw printing. This allows the CUPS spooler to print using raw mode protocols.
1983 <a class="indexterm" name="id2546187"></a>
1984 <a class="indexterm" name="id2546194"></a>
1986 <a class="indexterm" name="id2546207"></a>
1987 <a class="indexterm" name="id2546214"></a>
1988 Only on the server to which the printer is attached, configure the CUPS Print
1990 </p><pre class="screen">
1991 <code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>
1992 -v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
1994 <a class="indexterm" name="id2546250"></a>
1995 This step creates the necessary print queue to use no assigned print filter. This
1996 is ideal for raw printing, that is, printing without use of filters.
1997 The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
1998 the particular printer.
2000 Print queues may not be enabled at creation. Make certain that the queues
2001 you have just created are enabled by executing the following:
2002 </p><pre class="screen">
2003 <code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
2006 Even though your print queue may be enabled, it is still possible that it
2007 may not accept print jobs. A print queue will service incoming printing
2008 requests only when configured to do so. Ensure that your print queue is
2009 set to accept incoming jobs by executing the following commands:
2010 </p><pre class="screen">
2011 <code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>
2014 <a class="indexterm" name="id2546331"></a>
2015 <a class="indexterm" name="id2546338"></a>
2016 <a class="indexterm" name="id2546345"></a>
2017 Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
2018 </p><pre class="screen">
2019 application/octet-stream application/vnd.cups-raw 0 -
2022 <a class="indexterm" name="id2546373"></a>
2023 Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
2024 </p><pre class="screen">
2025 application/octet-stream
2028 Refer to the CUPS printing manual for instructions regarding how to configure
2029 CUPS so that print queues that reside on CUPS servers on remote networks
2030 route print jobs to the print server that owns that queue. The default setting
2031 on your CUPS server may automatically discover remotely installed printers and
2032 may permit this functionality without requiring specific configuration.
2034 The following action creates the necessary directory subsystem. Follow these
2035 steps to printing heaven:
2036 </p><pre class="screen">
2037 <code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
2038 <code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers
2039 <code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
2041 </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2546456"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p>
2042 Install the files in <a href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">???</a>,
2043 <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a>
2044 into the <code class="filename">/etc/samba/</code> directory. The three files
2045 should be added together to form the <code class="filename">smb.conf</code> file.
2047 Verify the <code class="filename">smb.conf</code> file as in step 2 of <a href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">???</a>.
2049 Carefully follow the steps outlined in <a href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">???</a>, taking
2050 particular note to install the correct <code class="filename">ldap.conf</code>.
2052 Verify that the NSS resolver is working. You may need to cycle the run level
2053 to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
2055 </p><pre class="screen">
2056 <code class="prompt">root# </code> init 1
2058 After the run level has been achieved, you are prompted to provide the
2059 <code class="constant">root</code> password. Log on, and then execute:
2060 </p><pre class="screen">
2061 <code class="prompt">root# </code> init 5
2063 When the normal logon prompt appears, log into the system as <code class="constant">root</code>
2064 and then execute these commands:
2065 </p><pre class="screen">
2066 <code class="prompt">root# </code> getent passwd
2067 root:x:0:0:root:/root:/bin/bash
2068 bin:x:1:1:bin:/bin:/bin/bash
2069 daemon:x:2:2:Daemon:/sbin:/bin/bash
2070 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
2071 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
2073 root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
2074 nobody:x:999:514:nobody:/dev/null:/bin/false
2075 bobj:x:1000:513:System User:/home/bobj:/bin/bash
2076 stans:x:1001:513:System User:/home/stans:/bin/bash
2077 chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2078 maryv:x:1003:513:System User:/home/maryv:/bin/bash
2079 vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
2080 bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
2082 This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
2084 <a class="indexterm" name="id2546616"></a>
2085 The next step in the verification process involves testing the operation of UNIX group
2086 resolution via the NSS LDAP resolver. Execute these commands:
2087 </p><pre class="screen">
2088 <code class="prompt">root# </code> getent group
2094 Domain Admins:x:512:root
2095 Domain Users:x:513:bobj,stans,chrisr,maryv,jht
2096 Domain Guests:x:514:
2097 Administrators:x:544:
2101 Account Operators:x:548:
2102 Server Operators:x:549:
2103 Print Operators:x:550:
2104 Backup Operators:x:551:
2106 Domain Computers:x:553:
2111 This is also the correct and desired output, because it demonstrates that the LDAP client
2112 is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>).
2114 <a class="indexterm" name="id2546657"></a>
2115 You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code>
2116 file by executing this command:
2117 </p><pre class="screen">
2118 <code class="prompt">root# </code> smbpasswd -w not24get
2119 Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
2122 Now you must obtain the domain SID from the PDC and store it into the
2123 <code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP
2124 passdb backend because Samba-3 obtains the domain SID from the
2125 sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
2126 add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this
2127 command can achieve that:
2128 </p><pre class="screen">
2129 <code class="prompt">root# </code> net rpc getsid MEGANET2
2130 Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
2131 for Domain MEGANET2 in secrets.tdb
2133 When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
2134 any special action to join it to the domain. However, winbind communicates with the
2135 domain controller that is running on the localhost and must be able to authenticate,
2136 thus requiring that the BDC should be joined to the domain. The process of joining
2137 the domain creates the necessary authentication accounts.
2139 To join the Samba BDC to the domain, execute the following:
2140 </p><pre class="screen">
2141 <code class="prompt">root# </code> net rpc join -U root%not24get
2142 Joined domain MEGANET2.
2144 This indicates that the domain security account for the BDC has been correctly created.
2146 <a class="indexterm" name="id2546758"></a>
2147 Verify that user and group account resolution works via Samba-3 tools as follows:
2148 </p><pre class="screen">
2149 <code class="prompt">root# </code> pdbedit -L
2152 bobj:1000:System User
2153 stans:1001:System User
2154 chrisr:1002:System User
2155 maryv:1003:System User
2158 <code class="prompt">root# </code> net groupmap list
2159 Domain Admins (S-1-5-21-3504140859-...-2431957765-512) ->
2161 Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2162 Domain Guests (S-1-5-21-3504140859-...-2431957765-514) ->
2164 Administrators (S-1-5-21-3504140859-...-2431957765-544) ->
2167 Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2168 Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2169 PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2171 These results show that all things are in order.
2173 The server you have so carefully built is now ready for another important step. Now
2174 start the Samba-3 server and validate its operation. Execute the following to render all
2175 the processes needed fully operative so that, upon system reboot, they are automatically
2177 </p><pre class="screen">
2178 <code class="prompt">root# </code> chkconfig named on
2179 <code class="prompt">root# </code> chkconfig dhcpd on
2180 <code class="prompt">root# </code> chkconfig nmb on
2181 <code class="prompt">root# </code> chkconfig smb on
2182 <code class="prompt">root# </code> chkconfig winbind on
2183 <code class="prompt">root# </code> rcnmb start
2184 <code class="prompt">root# </code> rcsmb start
2185 <code class="prompt">root# </code> rcwinbind start
2187 Samba-3 should now be running and is ready for a quick test. But not quite yet!
2189 Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users.
2190 To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code>
2191 file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported
2192 from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate
2193 approach could be to create local home directories for users who are to use these machines.
2194 This is a choice that you, as system administrator, must make. The following entry in the
2195 <code class="filename">/etc/fstab</code> file suffices for now:
2196 </p><pre class="screen">
2197 massive.abmas.biz:/home /home nfs rw 0 0
2199 To mount this resource, execute:
2200 </p><pre class="screen">
2201 <code class="prompt">root# </code> mount -a
2203 Verify that the home directory has been mounted as follows:
2204 </p><pre class="screen">
2205 <code class="prompt">root# </code> df | grep home
2206 massive:/home 29532988 283388 29249600 1% /home
2209 Implement a quick check using one of the users that is in the LDAP database. Here you go:
2210 </p><pre class="screen">
2211 <code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8
2213 . D 0 Wed Dec 17 01:16:19 2003
2214 .. D 0 Wed Dec 17 19:04:42 2003
2215 bin D 0 Tue Sep 2 04:00:57 2003
2216 Documents D 0 Sun Nov 30 07:28:20 2003
2217 public_html D 0 Sun Nov 30 07:28:20 2003
2218 .urlview H 311 Fri Jul 7 06:55:35 2000
2219 .dvipsrc H 208 Fri Nov 17 11:22:02 1995
2221 57681 blocks of size 524288. 57128 blocks available
2224 </p></li></ol></div><p>
2225 Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build
2226 and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:
2227 </p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p>
2228 Install the files in <a href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">???</a>,
2229 <a href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">???</a>, and <a href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">???</a>
2230 into the <code class="filename">/etc/samba/</code> directory. The three files
2231 should be added together to form the <code class="filename">smb.conf</code> file.
2233 Follow carefully the steps shown in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>, starting at step 2.
2234 </p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2547104"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2547117"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2547130"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2547143"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547156"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2547169"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2547182"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2547195"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2547207"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2547220"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2547233"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2547246"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2547259"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2547272"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2547285"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2547298"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2547311"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2547324"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2547336"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2547349"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2547362"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547375"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2547388"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2547401"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2547414"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2547427"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547440"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547454"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2547467"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2547479"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2547492"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2547540"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2547553"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2547565"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2547578"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547592"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2547605"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2547618"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2547630"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2547643"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2547656"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2547669"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2547681"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2547694"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2547707"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2547721"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2547734"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2547747"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2547759"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2547772"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2547785"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2547798"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547811"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2547824"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2547837"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2547850"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2547863"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547876"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2547889"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2547902"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2547915"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2547928"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2547975"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2547988"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2548001"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2548022"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2548035"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2548048"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2548069"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2548082"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2548095"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2548116"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2548129"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2548142"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2548155"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2548176"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2548189"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2548202"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2548214"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2548227"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2548274"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2548287"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2548299"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2548312"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2548334"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2548347"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2548360"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2548372"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2548394"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2548407"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2548420"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2548432"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2548454"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2548467"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2548480"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2548492"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2548514"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2548527"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2548540"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2548553"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2548565"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2548578"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><pre class="screen">
2235 dn: ou=Idmap,dc=abmas,dc=biz
2236 objectClass: organizationalUnit
2238 structuralObjectClass: organizationalUnit
2239 </pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2548614"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
2240 My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>”
2241 The makings of a great network environment take a lot of effort and attention to detail.
2242 So far, you have completed most of the complex (and to many administrators, the interesting
2243 part of server configuration) steps, but remember to tie it all together. Here are
2244 a few more steps that must be completed so that your network runs like a well-rehearsed
2246 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2548635"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
2247 In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>
2248 parameter. Even though it is obvious to all, one of the common Samba networking problems is
2249 caused by forgetting to verify that every such share root directory actually exists and that it
2250 has the necessary permissions and ownership.
2252 Here is an example, but remember to create the directory needed for every share:
2253 </p><pre class="screen">
2254 <code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops}
2255 <code class="prompt">root# </code> mkdir -p /apps
2256 <code class="prompt">root# </code> chown -R root:root /data
2257 <code class="prompt">root# </code> chown -R root:root /apps
2258 <code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts
2259 <code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs
2260 <code class="prompt">root# </code> chown -R bobj:PIOps /data/piops
2261 <code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
2262 <code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
2264 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2548730"></a>Configuring Profile Directories</h3></div></div></div><p>
2265 You made a conscious decision to do everything it would take to improve network client
2266 performance. One of your decisions was to implement folder redirection. This means that Windows
2267 user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
2270 For this arrangement to work, every user needs a directory structure for the network folder
2271 portion of his or her profile as shown here:
2272 </p><pre class="screen">
2273 <code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata
2274 <code class="prompt">root# </code> chown root:root /var/lib/samba/profdata
2275 <code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata
2277 # Per user structure
2278 <code class="prompt">root# </code> cd /var/lib/samba/profdata
2279 <code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span>
2280 <code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \
2281 LocalSettings MyPictures MyDocuments Recent
2282 <code class="prompt">root# </code> do
2283 <code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i
2284 <code class="prompt">root# </code> done
2285 <code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span>
2286 <code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span>
2289 <a class="indexterm" name="id2548846"></a>
2290 <a class="indexterm" name="id2548853"></a>
2291 You have three options insofar as the dynamically loaded portion of the roaming profile
2293 </p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
2294 Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
2295 profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>,
2296 that is, just by changing the filename extension.
2298 <a class="indexterm" name="id2548902"></a>
2299 <a class="indexterm" name="id2548909"></a>
2300 The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
2301 You can manage this using the Idealx smbldap-tools or using the
2302 <a href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>.
2304 It may not be obvious that you must ensure that the root directory for the user's profile exists
2305 and has the needed permissions. Use the following commands to create this directory:
2306 </p><pre class="screen">
2307 <code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2308 <code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users
2309 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2310 <code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2312 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2548974"></a>Preparation of Logon Scripts</h3></div></div></div><p>
2313 <a class="indexterm" name="id2548982"></a>
2314 The use of a logon script with Windows XP Professional is an option that every site should consider.
2315 Unless you have locked down the desktop so the user cannot change anything, there is risk that
2316 a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
2317 can help to restore persistent network folder (drive) and printer connections in a predictable
2318 manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
2319 user attaches to another company's network that forces environment changes that are alien to your
2322 If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain
2323 controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code>
2324 share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon
2325 script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows
2326 NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code>
2327 from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully
2328 qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>.
2330 You can, of course, create the fully qualified path by executing:
2331 </p><pre class="screen">
2332 <code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts
2335 You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24,
2336 Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
2337 facilities in use today is called <a href="http://www.kixtart.org" target="_top">KiXtart</a>.
2338 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2549085"></a>Assigning User Rights and Privileges</h3></div></div></div><p>
2339 The ability to perform tasks such as joining Windows clients to the domain can be assigned to
2340 normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX
2341 systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
2342 this privilege in a very limited fashion to particular accounts.
2344 By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code>
2345 group. Here we grant this group all privileges.
2347 Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
2348 are granted rights can be restricted to particular machines. It is left to the network administrator
2349 to determine which rights should be provided and to whom.
2350 </p><div class="procedure"><a name="id2549121"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p>
2351 Log onto the PDC as the <code class="constant">root</code> account.
2353 Execute the following command to grant the <code class="constant">Domain Admins</code> group all
2354 rights and privileges:
2355 </p><pre class="screen">
2356 <code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
2357 "MEGANET2\Domain Admins" SeMachineAccountPrivilege \
2358 SePrintOperatorPrivilege SeAddUsersPrivilege \
2359 SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
2360 Successfully granted rights.
2362 Repeat this step on each domain controller, in each case substituting the name of the server
2363 (e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
2365 In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
2366 to the domain. Execute the following only on the PDC. It is not necessary to do this on
2367 BDCs or on DMS machines because machine accounts are only ever added by the PDC:
2368 </p><pre class="screen">
2369 <code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
2370 "MEGANET2\bobj" SeMachineAccountPrivilege
2371 Successfully granted rights.
2374 Verify that privilege assignments have been correctly applied by executing:
2375 </p><pre class="screen">
2376 net rpc rights list accounts -Uroot%not24get
2378 SeMachineAccountPrivilege
2381 No privileges assigned
2383 BUILTIN\Print Operators
2384 No privileges assigned
2386 BUILTIN\Account Operators
2387 No privileges assigned
2389 BUILTIN\Backup Operators
2390 No privileges assigned
2392 BUILTIN\Server Operators
2393 No privileges assigned
2395 BUILTIN\Administrators
2396 No privileges assigned
2399 No privileges assigned
2401 MEGANET2\Domain Admins
2402 SeMachineAccountPrivilege
2403 SePrintOperatorPrivilege
2405 SeRemoteShutdownPrivilege
2406 SeDiskOperatorPrivilege
2408 </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2549223"></a>Windows Client Configuration</h2></div></div></div><p>
2409 <a class="indexterm" name="id2549231"></a>
2410 In the next few sections, you can configure a new Windows XP Professional disk image on a staging
2411 machine. You will configure all software, printer settings, profile and policy handling, and desktop
2412 default profile settings on this system. When it is complete, you copy the contents of the
2413 <code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same
2414 name in the <code class="constant">NETLOGON</code> share on the domain controllers.
2416 Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
2417 One knowledge-base article in particular stands out:
2418 "<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a
2419 Base Profile for All Users."</a>
2421 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
2422 <a class="indexterm" name="id2549281"></a>
2423 Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.
2424 It is necessary to expose folders that are generally hidden to provide access to the
2425 <code class="constant">Default User</code> folder.
2426 </p><div class="procedure"><a name="id2549299"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol type="1"><li><p>
2427 Launch the Windows Explorer by clicking
2428 <span class="guimenu">Start</span>-><span class="guimenuitem">My Computer</span>-><span class="guimenuitem">Tools</span>-><span class="guimenuitem">Folder Options</span>-><span class="guimenuitem">View Tab</span>.
2429 Select <span class="guilabel">Show hidden files and folders</span>,
2430 and click <span class="guibutton">OK</span>. Exit Windows Explorer.
2432 <a class="indexterm" name="id2549366"></a>
2433 Launch the Registry Editor. Click
2434 <span class="guimenu">Start</span>-><span class="guimenuitem">Run</span>. Key in <span><strong class="command">regedt32</strong></span>, and click
2435 <span class="guibutton">OK</span>.
2436 </p></li></ol></div><p>
2437 </p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>
2438 <a class="indexterm" name="id2549424"></a>
2439 <a class="indexterm" name="id2549430"></a>
2440 Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.
2441 Click <span class="guimenu">File</span>-><span class="guimenuitem">Load Hive...</span>-><span class="guimenuitem">Documents and Settings</span>-><span class="guimenuitem">Default User</span>-><span class="guimenuitem">NTUSER</span>-><span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name
2442 <code class="constant">Default</code> and click <span class="guibutton">OK</span>.
2444 Browse inside the newly loaded Default folder to:
2445 </p><pre class="screen">
2446 HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
2447 CurrentVersion\Explorer\User Shell Folders\
2449 The right panel reveals the contents as shown in <a href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">???</a>.
2451 <a class="indexterm" name="id2549523"></a>
2452 <a class="indexterm" name="id2549530"></a>
2453 You edit hive keys. Acceptable values to replace the
2454 <code class="constant">%USERPROFILE%</code> variable includes:
2456 </p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as
2457 <code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2459 <a class="indexterm" name="id2549576"></a>
2460 Set the registry keys as shown in <a href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">???</a>. Your implementation makes the assumption
2461 that users have statically located machines. Notebook computers (mobile users) need to be
2462 accommodated using local profiles. This is not an uncommon assumption.
2464 Click back to the root of the loaded hive <code class="constant">Default</code>.
2465 Click <span class="guimenu">File</span>-><span class="guimenuitem">Unload Hive...</span>-><span class="guimenuitem">Yes</span>.
2467 <a class="indexterm" name="id2549631"></a>
2468 Click <span class="guimenu">File</span>-><span class="guimenuitem">Exit</span>. This exits the
2471 Now follow the procedure given in <a href="happy.html#sbehap-locgrppol" title="The Local Group Policy">???</a>. Make sure that each folder you
2472 have redirected is in the exclusion list.
2474 You are now ready to copy<sup>[<a name="id2549675" href="#ftn.id2549675">11</a>]</sup>
2475 the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
2476 and use it to copy the full contents of the directory <code class="filename">Default User</code> that
2477 is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the
2478 <code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined
2479 UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must
2480 be a directory in there called <code class="filename">Default User</code>.
2481 </p></li></ol></div><p>
2482 Before punching out new desktop images for the client workstations, it is perhaps a good idea that
2483 desktop behavior should be returned to the original Microsoft settings. The following steps achieve
2485 </p><div class="procedure"><a name="id2549742"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul><li><p>
2486 To launch the Windows Explorer, click
2487 <span class="guimenu">Start</span>-><span class="guimenuitem">My Computer</span>-><span class="guimenuitem">Tools</span>-><span class="guimenuitem">Folder Options</span>-><span class="guimenuitem">View Tab</span>.
2488 Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>.
2489 Exit Windows Explorer.
2490 </p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. Default Profile Redirections</b></p><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2549977"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>
2491 <a class="indexterm" name="id2549985"></a>
2492 <a class="indexterm" name="id2549994"></a>
2493 Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
2494 It is the nature of email storage that this file grows, at times quite rapidly.
2495 So that users' email is available to them at every workstation they may log onto,
2496 it is common practice in well-controlled sites to redirect the PST folder to the
2497 users' home directory. Follow these steps for each user who wishes to do this.
2499 To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
2500 slightly differently), follow these steps:
2501 </p><div class="procedure"><a name="id2550016"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol type="1"><li><p>
2502 Close Outlook if it is open.
2504 From the <span class="guimenu">Control Panel</span>, launch the Mail icon.
2506 Click <span class="guimenu">Email Accounts.</span>
2508 Make a note of the location of the PST file(s). From this location, move
2509 the files to the desired new target location. The most desired new target location
2510 may well be the users' home directory.
2512 Add a new data file, selecting the PST file in the new desired target location.
2513 Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>”
2515 Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
2516 following these instructions. Feedback from users suggests that where IMAP is used the PST
2517 file is used to store rules and filters. When the PST store is relocated it appears to break
2518 MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is
2519 used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that
2520 this warning can be removed or modified.
2522 Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>.
2524 Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span>
2526 Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new
2529 Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.
2530 </p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2531 <a class="indexterm" name="id2550166"></a>
2532 You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
2533 the user may be not be able to retrieve contacts when addressing a new email message.
2534 </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2535 <a class="indexterm" name="id2550181"></a>
2536 Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
2537 Express storage files can not be redirected to network shares. The options panel will not permit
2538 this, but they can be moved to folders outside of the user's profile. They can also be excluded
2539 from folder synchronization as part of the roaming profile.
2541 While it is possible to redirect the data stores for Outlook Express data stores by editing the
2542 registry, experience has shown that data corruption and loss of email messages will result.
2544 <a class="indexterm" name="id2550204"></a>
2545 <a class="indexterm" name="id2550210"></a>
2546 In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
2547 roaming profiles this can result in excruciatingly long login and logout behavior will files are
2548 synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
2551 <a class="indexterm" name="id2550226"></a>
2552 Microsoft does not support storing PST files on network shares, although the practice does appear
2553 to be rather popular. Anyone who does relocation the PST file to a network resource should refer
2554 the Microsoft <a href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better
2555 understand the issues.
2557 <a class="indexterm" name="id2550247"></a>
2558 Apart from manually moving PST files to a network share, it is possible to set the default PST
2559 location for new accounts by following the instructions at the WindowsITPro <a href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.
2561 <a class="indexterm" name="id2550267"></a>
2562 User feedback suggests that disabling of oplocks on PST files will significantly improve
2563 network performance by reducing locking overheads. One way this can be done is to add to the
2564 <code class="filename">smb.conf</code> file stanza for the share the PST file the following:
2565 </p><pre class="screen">
2566 veto oplock files = /*.pdf/*.PST/
2568 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2550292"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
2569 Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
2571 <a class="indexterm" name="id2550305"></a>
2573 <span class="guimenu">Start</span>-><span class="guimenuitem">Run</span>. In the dialog box, enter <span><strong class="command">MMC</strong></span> and click <span class="guibutton">OK</span>.
2575 Follow these steps to set the default behavior of the staging machine so that all roaming
2576 profiles are deleted as network users log out of the system. Click
2577 <span class="guimenu">File</span>-><span class="guimenuitem">Add/Remove Snap-in</span>-><span class="guimenuitem">Add</span>-><span class="guimenuitem">Group Policy</span>-><span class="guimenuitem">Add</span>-><span class="guimenuitem">Finish</span>-><span class="guimenuitem">Close</span>-><span class="guimenuitem">OK</span>.
2579 <a class="indexterm" name="id2550401"></a>
2580 The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
2581 utility that enables you to set the policies needed. In the left panel, click
2582 <span class="guimenuitem">Local Computer Policy</span>-><span class="guimenuitem">Administrative Templates</span>-><span class="guimenuitem">System</span>-><span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
2584 </p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
2585 Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
2586 made of this system to deploy the new standard desktop system.
2587 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2550472"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
2588 <a class="indexterm" name="id2550480"></a>
2589 Users want to be able to use network printers. You have a vested interest in making
2590 it easy for them to print. You have chosen to install the printer drivers onto the Samba
2591 servers and to enable point-and-click (drag-and-drop) printing. This process results in
2592 Samba being able to automatically provide the Windows client with the driver necessary to
2593 print to the printer chosen. The following procedure must be followed for every network
2595 </p><div class="procedure"><a name="id2550498"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p>
2596 Join your Windows XP Professional workstation (the staging machine) to the
2597 <code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,
2598 follow the guidance given in <a href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">???</a>, <a href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">???</a>.
2600 After the machine has rebooted, log onto the workstation as the domain
2601 <code class="constant">root</code> (this is the Administrator account for the
2602 operating system that is the host platform for this implementation of Samba.
2604 Launch MS Windows Explorer. Navigate in the left panel. Click
2605 <span class="guimenu">My Network Places</span>-><span class="guimenuitem">Entire Network</span>-><span class="guimenuitem">Microsoft Windows Network</span>-><span class="guimenuitem">Meganet2</span>-><span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
2606 <span class="guimenu">Printers and Faxes</span>.
2608 Identify a printer that is shown in the right panel. Let us assume the printer is called
2609 <code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon
2610 and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
2611 that “<span class="quote">The printer driver is not installed on this computer. Some printer properties
2612 will not be accessible unless you install the printer driver. Do you want to install the
2613 driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>.
2615 The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server
2616 <code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.
2617 Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
2618 button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”.
2620 <a class="indexterm" name="id2550687"></a>
2621 <a class="indexterm" name="id2550696"></a>
2622 The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel
2623 is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the
2624 printer manufacturer. In your case, you are adding a driver for a printer manufactured by
2625 Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
2626 <span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A
2627 progress bar appears and instructs you as each file is being uploaded and that it is being
2628 directed at the network server <code class="constant">\\massive\ps01-color</code>.
2630 <a class="indexterm" name="id2550745"></a>
2631 <a class="indexterm" name="id2550754"></a>
2632 <a class="indexterm" name="id2550763"></a>
2633 <a class="indexterm" name="id2550773"></a>
2634 <a class="indexterm" name="id2550782"></a>
2635 <a class="indexterm" name="id2550791"></a>
2636 The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
2637 you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.
2638 You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under
2639 the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
2640 load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the
2641 directory</span>”. When this box is checked, the printer will be published in Active Directory
2642 (Applicable to Active Directory use only.)
2644 <a class="indexterm" name="id2550846"></a>
2645 Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.
2646 You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
2647 Right-click on the printer, click <span class="guimenu">Properties</span>-><span class="guimenuitem">Device Settings</span>. Now change the settings to suit
2648 your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
2649 you need to reverse the changes back to their original settings.
2651 This is necessary so that the printer settings are initialized in the Samba printers
2652 database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
2653 just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
2654 click <span class="guimenu">Apply</span> again.
2656 <a class="indexterm" name="id2550919"></a>
2657 Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
2658 click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
2659 A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
2660 in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on
2661 massive Properties</span> panel.
2663 You must repeat this process for all network printers (i.e., for every printer on each server).
2664 When you have finished uploading drivers to all printers, close all applications. The next task
2665 is to install software your users require to do their work.
2666 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2550975"></a>Software Installation</h3></div></div></div><p>
2667 Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
2668 a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
2669 Notebooks require special handling that is beyond the scope of this chapter.
2671 For desktop systems, the installation of software onto administratively centralized application servers
2672 make a lot of sense. This means that you can manage software maintenance from a central
2673 perspective and that only minimal application stubware needs to be installed onto the desktop
2674 systems. You should proceed with software installation and default configuration as far as is humanly
2675 possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
2676 of software operations and configuration.
2678 When you believe that the overall configuration is complete, be sure to create a shared group profile
2679 and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
2680 case a user may have specific needs you had not anticipated.
2681 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2551010"></a>Roll-out Image Creation</h3></div></div></div><p>
2682 The final steps before preparing the distribution Norton Ghost image file you might follow are:
2683 </p><div class="blockquote"><blockquote class="blockquote"><p>
2684 Unjoin the domain Each workstation requires a unique name and must be independently
2685 joined into domain membership.
2686 </p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p>
2687 Defragment the hard disk While not obvious to the uninitiated, defragmentation results
2688 in better performance and often significantly reduces the size of the compressed disk image. That
2689 also means it will take less time to deploy the image onto 500 workstations.
2690 </p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551044"></a>Key Points Learned</h2></div></div></div><p>
2691 This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
2692 avoided any consideration of security. Security does not just happen; you must design it into your total
2693 network. Security begins with a systems design and implementation that anticipates hostile behavior from
2694 users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
2695 they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
2696 practices, you must not deploy the design presented in this book in an environment where there is risk
2699 <a class="indexterm" name="id2551066"></a>
2700 <a class="indexterm" name="id2551075"></a>
2701 As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
2702 configured to use secure protocols for all communications over the network. Of course, secure networking
2703 does not result just from systems design and implementation but involves constant user education
2704 training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
2705 or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
2706 Jerry Carter's book <a href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top">
2707 <span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP
2708 as well as security considerations.
2710 The substance of this chapter that has been deserving of particular attention includes:
2711 </p><div class="itemizedlist"><ul type="disc"><li><p>
2712 Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
2715 Implementation of Samba primary and secondary domain controllers with a common LDAP backend
2716 for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
2719 Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
2720 to manage Samba Windows user and group accounts.
2722 The basics of implementation of Group Policy controls for Windows network clients.
2724 Control over roaming profiles, with particular focus on folder redirection to network drives.
2726 Use of the CUPS printing system together with Samba-based printer driver auto-download.
2727 </p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2551151"></a>Questions and Answers</h2></div></div></div><p>
2728 Well, here we are at the end of this chapter and we have only ten questions to help you to
2729 remember so much. There are bound to be some sticky issues here.
2730 </p><div class="qandaset"><dl><dt> <a href="happy.html#id2551167">
2731 Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2732 network administrators to implement insecure solutions?
2733 </a></dt><dt> <a href="happy.html#id2551211">
2734 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2735 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2736 to the Linux I might be using?
2737 </a></dt><dt> <a href="happy.html#id2551264">
2738 You did not use SWAT to configure Samba. Is there something wrong with it?
2739 </a></dt><dt> <a href="happy.html#id2551304">
2740 You have exposed a well-used password not24get. Is that
2742 </a></dt><dt> <a href="happy.html#id2551329">
2743 The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2745 </a></dt><dt> <a href="happy.html#id2551355">
2746 Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2747 </a></dt><dt> <a href="happy.html#id2551380">
2748 Why are the Windows domain RID portions not the same as the UNIX UID?
2749 </a></dt><dt> <a href="happy.html#id2551416">
2750 Printer configuration examples all show printing to the HP port 9100. Does this
2751 mean that I must have HP printers for these solutions to work?
2752 </a></dt><dt> <a href="happy.html#id2551445">
2753 Is folder redirection dangerous? I've heard that you can lose your data that way.
2754 </a></dt><dt> <a href="happy.html#id2551472">
2755 Is it really necessary to set a local Group Policy to exclude the redirected
2756 folders from the roaming profile?
2757 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2551167"></a><a name="id2551169"></a><b></b></td><td align="left" valign="top"><p>
2758 Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2759 network administrators to implement insecure solutions?
2760 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2761 Let's get this right. This is a book about Samba, not about OpenLDAP and secure
2762 communication protocols for subjects other than Samba. Earlier on, you note,
2763 that the dynamic DNS and DHCP solutions also used no protective secure communications
2764 protocols. The reason for this is simple: There are so many ways of implementing
2765 secure protocols that this book would have been even larger and more complex.
2767 The solutions presented here all work (at least they did for me). Network administrators
2768 have the interest and the need to be better trained and instructed in secure networking
2769 practices and ought to implement safe systems. I made the decision, right or wrong,
2770 to keep this material as simple as possible. The intent of this book is to demonstrate
2771 a working solution and not to discuss too many peripheral issues.
2773 This book makes little mention of backup techniques. Does that mean that I am recommending
2774 that you should implement a network without provision for data recovery and for disaster
2775 management? Back to our focus: The deployment of Samba has been clearly demonstrated.
2776 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551211"></a><a name="id2551213"></a><b></b></td><td align="left" valign="top"><p>
2777 You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2778 you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2779 to the Linux I might be using?
2780 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2781 Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
2782 for a standard Linux distribution. The differences are marginal. Surely you know
2783 your Linux platform, and you do have access to administration manuals for it. This
2784 book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
2785 the Samba part of the book; all the other bits are peripheral (but important) to
2786 creation of a total network solution.
2788 What I find interesting is the attention reviewers give to Linux installation and to
2789 the look and feel of the desktop, but does that make for a great server? In this book,
2790 I have paid particular attention to the details of creating a whole solution framework.
2791 I have not tightened every nut and bolt, but I have touched on all the issues you
2792 need to be familiar with. Over the years many people have approached me wanting to
2793 know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
2794 and WINS. In this chapter, it is plain to see what needs to be configured to provide
2795 transparent interoperability. Likewise for CUPS and Samba interoperation. These are
2796 key stumbling areas for many people.
2798 At every critical junction, I have provided comparative guidance for both SUSE and
2799 Red Hat Linux. Both manufacturers have done a great job in furthering the cause
2800 of open source software. I favor neither and respect both. I like particular
2801 features of both products (companies also). No bias in presentation is intended.
2802 Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
2803 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551264"></a><a name="id2551266"></a><b></b></td><td align="left" valign="top"><p>
2804 You did not use SWAT to configure Samba. Is there something wrong with it?
2805 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2806 That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented
2807 in as direct a format as possible. Adding SWAT into the equation would have complicated
2808 matters. I sought simplicity of implementation. The fact is that I did use SWAT to
2809 create the files in the first place.
2811 There are people in the Linux and open source community who feel that SWAT is dangerous
2812 and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
2813 hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>.
2814 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551304"></a><a name="id2551306"></a><b></b></td><td align="left" valign="top"><p>
2815 You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that
2817 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2818 Well, I had to use a password of some sort. At least this one has been consistently
2819 used throughout. I guess you can figure out that in a real deployment it would make
2820 sense to use a more secure and original password.
2821 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551329"></a><a name="id2551331"></a><b></b></td><td align="left" valign="top"><p>
2822 The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2824 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2825 I took this up with Idealx and found them most willing to change that in the next version.
2826 Let's give Idealx some credit for the contribution they have made. I appreciate their work
2827 and, besides, it does no harm to create accounts that are not now used at some time
2828 Samba may well use them.
2829 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551355"></a><a name="id2551357"></a><b></b></td><td align="left" valign="top"><p>
2830 Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2831 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2832 Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
2833 group account for every Windows domain group account. But if you put your users into
2834 the system password account, how do you plan to keep all domain controller system
2835 password files in sync? I think that having everything in LDAP makes a lot of sense
2836 for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
2837 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551380"></a><a name="id2551382"></a><b></b></td><td align="left" valign="top"><p>
2838 Why are the Windows domain RID portions not the same as the UNIX UID?
2839 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2840 Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
2841 This algorithm ought to ensure that there will be no clashes with well-known RIDs.
2842 Well-known RIDs have special significance to MS Windows clients. The automatic
2843 assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
2844 permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry
2845 for <em class="parameter"><code>algorithmic rid base</code></em>.
2846 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551416"></a><a name="id2551418"></a><b></b></td><td align="left" valign="top"><p>
2847 Printer configuration examples all show printing to the HP port 9100. Does this
2848 mean that I must have HP printers for these solutions to work?
2849 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2850 No. You can use any type of printer and must use the interfacing protocol supported
2851 by the printer. Many networks use LPR/LPD print servers to which are attached
2852 PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
2853 inkjet printer. Use the appropriate device URI (Universal Resource Interface)
2854 argument to the <code class="constant">lpadmin -v</code> option that is right for your
2856 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551445"></a><a name="id2551447"></a><b></b></td><td align="left" valign="top"><p>
2857 Is folder redirection dangerous? I've heard that you can lose your data that way.
2858 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2859 The only loss of data I know of that involved folder redirection was caused by
2860 manual misuse of the redirection tool. The administrator redirected a folder to
2861 a network drive and said he wanted to migrate (move) the data over. Then he
2862 changed his mind, so he moved the folder back to the roaming profile. This time,
2863 he declined to move the data because he thought it was still in the local profile
2864 folder. That was not the case, so by declining to move the data back, he wiped out
2865 the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
2866 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2551472"></a><a name="id2551475"></a><b></b></td><td align="left" valign="top"><p>
2867 Is it really necessary to set a local Group Policy to exclude the redirected
2868 folders from the roaming profile?
2869 </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
2870 Yes. If you do not do this, the data will still be copied from the network folder
2871 (share) to the local cached copy of the profile.
2872 </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2549675" href="#id2549675">11</a>] </sup>
2873 There is an alternate method by which a default user profile can be added to the
2874 <code class="constant">NETLOGON</code> share. This facility in the Windows System tool
2875 permits profiles to be exported. The export target may be a particular user or
2876 group profile share point or else the <code class="constant">NETLOGON</code> share.
2877 In this case, the profile directory must be named <code class="constant">Default User</code>.
2878 </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html>