Context Navigation

source: branches/samba-3.0/docs/htmldocs/Samba3-ByExample/happy.html

Visit:

Last change on this file was 286, checked in by Herwig Bauernfeind, 16 years ago
Update 3.0 to 3.0.35
File size: 214.9 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Making Happy Users</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="Big500users.html" title="Chapter 4. The 500-User Office"><link rel="next" href="2000users.html" title="Chapter 6. A Distributed 2000-User Network"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Making Happy Users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="happy"></a>Chapter 5. Making Happy Users</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="happy.html#id2571048">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt><dt><span class="sect1"><a href="happy.html#id2571190">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571288">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2571425">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2571882">Technical Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573760">Political Issues</a></span></dt><dt><span class="sect2"><a href="happy.html#id2573776">Installation Checklist</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2573956">Samba Server Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#ldapsetup">OpenLDAP Server Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-PAM-NSS">PAM and NSS Client Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-massive">Samba-3 PDC Configuration</a></span></dt><dt><span class="sect2"><a href="happy.html#sbeidealx">Install and Configure Idealx smbldap-tools Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2576854">LDAP Initialization and Creation of User and Group Accounts</a></span></dt><dt><span class="sect2"><a href="happy.html#sbehap-ptrcfg">Printer Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#sbehap-bldg1">Samba-3 BDC Configuration</a></span></dt><dt><span class="sect1"><a href="happy.html#id2580803">Miscellaneous Server Preparation Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#id2580823">Configuring Directory Share Point Roots</a></span></dt><dt><span class="sect2"><a href="happy.html#id2580918">Configuring Profile Directories</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581163">Preparation of Logon Scripts</a></span></dt><dt><span class="sect2"><a href="happy.html#id2581274">Assigning User Rights and Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2581407">Windows Client Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="happy.html#redirfold">Configuration of Default Profile with Folder Redirection</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582162">Configuration of MS Outlook to Relocate PST File</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582477">Configure Delete Cached Profiles on Logout</a></span></dt><dt><span class="sect2"><a href="happy.html#id2582657">Uploading Printer Drivers to Samba Servers</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583160">Software Installation</a></span></dt><dt><span class="sect2"><a href="happy.html#id2583195">Roll-out Image Creation</a></span></dt></dl></dd><dt><span class="sect1"><a href="happy.html#id2583229">Key Points Learned</a></span></dt><dt><span class="sect1"><a href="happy.html#id2583345">Questions and Answers</a></span></dt></dl></div><p>
2	It is said that “<span class="quote">a day that is without troubles is not fulfilling. Rather, give
3	me a day of troubles well handled so that I can be content with my achievements.</span>”
4	</p><p>
5	In the world of computer networks, problems are as varied as the people who create them
6	or experience them. The design of the network implemented in <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>
7	may create problems for some network users. The following lists some of the problems that
8	may occur:
9	</p><a class="indexterm" name="id2570626"></a><a class="indexterm" name="id2570632"></a><a class="indexterm" name="id2570642"></a><a class="indexterm" name="id2570648"></a><a class="indexterm" name="id2570655"></a><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>
10	A significant number of network administrators have responded to the guidance given
11	here. It should be noted that there are sites that have a single PDC for many hundreds of
12	concurrent network clients. Network bandwidth, network bandwidth utilization, and server load
13	are among the factors that determine the maximum number of Windows clients that
14	can be served by a single domain controller (PDC or BDC) on a network segment. It is possible
15	to operate with only a single PDC over a routed network. What is possible is not necessarily
16	<span class="emphasis"><em>best practice</em></span>. When Windows client network logons begin to fail with
17	the message that the domain controller cannot be found or that the user account cannot
18	be found (when you know it exists), that may be an indication that the domain controller is
19	overloaded or network bandwidth is overloaded. The guidance given for PDC/BDC ratio to Windows
20	clients is conservative and if followed will minimize problems but it is not absolute.
21	</p></div><div class="variablelist"><dl><dt><span class="term">Users experiencing difficulty logging onto the network</span></dt><dd><p>
22	<a class="indexterm" name="id2570700"></a>
23	<a class="indexterm" name="id2570710"></a>
24	When a Windows client logs onto the network, many data packets are exchanged
25	between the client and the server that is providing the network logon services.
26	Each request between the client and the server must complete within a specific
27	time limit. This is one of the primary factors that govern the installation of
28	multiple domain controllers (usually called secondary or backup controllers).
29	As a rough rule, there should be one such backup controller for every
30	30 to 150 clients. The actual limits are determined by network operational
31	characteristics.
32	</p><p>
33	<a class="indexterm" name="id2570730"></a>
34	<a class="indexterm" name="id2570736"></a>
35	<a class="indexterm" name="id2570743"></a>
36	If the domain controller provides only network logon services
37	and all file and print activity is handled by domain member servers, one domain
38	controller per 150 clients on a single network segment may suffice. In any
39	case, it is highly recommended to have a minimum of one domain controller (PDC or BDC)
40	per network segment. It is better to have at least one BDC on the network
41	segment that has a PDC. If the domain controller is also used as a file and
42	print server, the number of clients it can service reliably is reduced,
43	and generally for low powered hardware should not exceed 30 machines (Windows
44	workstations plus domain member servers) per domain controller. Many sites are
45	able to operate with more clients per domain controller, the number of clients
46	that can be supported is limited by the CPU speed, memory and the workload on
47	the Samba server as well as network bandwidth utilization.
48	</p></dd><dt><span class="term">Slow logons and log-offs</span></dt><dd><p>
49	<a class="indexterm" name="id2570776"></a>
50	Slow logons and log-offs may be caused by many factors that include:
51
52	</p><div class="itemizedlist"><ul type="disc"><li><p>
53	<a class="indexterm" name="id2570790"></a>
54	<a class="indexterm" name="id2570802"></a>
55	Excessive delays in the resolution of a NetBIOS name to its IP
56	address. This may be observed when an overloaded domain controller
57	is also the WINS server. Another cause may be the failure to use
58	a WINS server (this assumes that there is a single network segment).
59	</p></li><li><p>
60	<a class="indexterm" name="id2570820"></a>
61	<a class="indexterm" name="id2570827"></a>
62	<a class="indexterm" name="id2570834"></a>
63	Network traffic collisions due to overloading of the network
64	segment. One short-term workaround to this may be to replace
65	network HUBs with Ethernet switches.
66	</p></li><li><p>
67	<a class="indexterm" name="id2570848"></a>
68	Defective networking hardware. Over the past few years, we have seen
69	on the Samba mailing list a significant increase in the number of
70	problems that were traced to a defective network interface controller,
71	a defective HUB or Ethernet switch, or defective cabling. In most cases,
72	it was the erratic nature of the problem that ultimately pointed to
73	the cause of the problem.
74	</p></li><li><p>
75	<a class="indexterm" name="id2570869"></a>
76	<a class="indexterm" name="id2570878"></a>
77	Excessively large roaming profiles. This type of problem is typically
78	the result of poor user education as well as poor network management.
79	It can be avoided by users not storing huge quantities of email in
80	MS Outlook PST files as well as by not storing files on the desktop.
81	These are old bad habits that require much discipline and vigilance
82	on the part of network management.
83	</p></li><li><p>
84	<a class="indexterm" name="id2570898"></a>
85	You should verify that the Windows XP WebClient service is not running.
86	The use of the WebClient service has been implicated in many Windows
87	networking-related problems.
88	</p></li></ul></div><p>
89	</p></dd><dt><span class="term">Loss of access to network drives and printer resources</span></dt><dd><p>
90	Loss of access to network resources during client operation may be caused by a number
91	of factors, including:
92	</p><div class="itemizedlist"><ul type="disc"><li><p>
93	<a class="indexterm" name="id2570931"></a>
94	Network overload (typically indicated by a high network collision rate)
95	</p></li><li><p>
96	Server overload
97	</p></li><li><p>
98	<a class="indexterm" name="id2570950"></a>
99	Timeout causing the client to close a connection that is in use but has
100	been latent (no traffic) for some time (5 minutes or more)
101	</p></li><li><p>
102	<a class="indexterm" name="id2570966"></a>
103	Defective networking hardware
104	</p></li></ul></div><p>
105	<a class="indexterm" name="id2570981"></a>
106	No matter what the cause, a sudden loss of access to network resources can
107	result in BSOD (blue screen of death) situations that necessitate rebooting of the client
108	workstation. In the case of a mild problem, retrying to access the network drive of the printer
109	may restore operations, but in any case this is a serious problem that may lead to the next
110	problem, data corruption.
111	</p></dd><dt><span class="term">Potential data corruption</span></dt><dd><p>
112	<a class="indexterm" name="id2571014"></a>
113	Data corruption is one of the most serious problems. It leads to uncertainty, anger, and
114	frustration, and generally precipitates immediate corrective demands. Management response
115	to this type of problem may be rational, as well as highly irrational. There have been
116	cases where management has fired network staff for permitting this situation to occur without
117	immediate correction. There have been situations where perfectly functional hardware was thrown
118	out and replaced, only to find the problem caused by a low-cost network hardware item. There
119	have been cases where server operating systems were replaced, or where Samba was updated,
120	only to later isolate the problem due to defective client software.
121	</p></dd></dl></div><p>
122	In this chapter, you can work through a number of measures that significantly arm you to
123	anticipate and combat network performance issues. You can work through complex and thorny
124	methods to improve the reliability of your network environment, but be warned that all such steps
125	demand the price of complexity.
126	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571048"></a>Regarding LDAP Directories and Windows Computer Accounts</h2></div></div></div><p>
127	<a class="indexterm" name="id2571056"></a>
128	Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some
129	constraints that are described in this section.
130	</p><p>
131	<a class="indexterm" name="id2571071"></a>
132	<a class="indexterm" name="id2571078"></a>
133	<a class="indexterm" name="id2571085"></a>
134	<a class="indexterm" name="id2571092"></a>
135	The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
136	That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
137	them. A user account and a machine account are indistinguishable from each other, except that
138	the machine account ends in a $ character, as do trust accounts.
139	</p><p>
140	<a class="indexterm" name="id2571108"></a>
141	<a class="indexterm" name="id2571115"></a>
142	The need for Windows user, group, machine, trust, and other such accounts to be tied to a valid UNIX UID
143	is a design decision that was made a long way back in the history of Samba development. It is
144	unlikely that this decision will be reversed or changed during the remaining life of the
145	Samba-3.x series.
146	</p><p>
147	<a class="indexterm" name="id2571130"></a>
148	<a class="indexterm" name="id2571136"></a>
149	The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
150	must refer back to the host operating system on which Samba is running. The name service
151	switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
152	need to know everything about every host OS it runs on.
153	</p><p>
154	Samba asks the host OS to provide a UID via the “<span class="quote">passwd</span>”, “<span class="quote">shadow</span>”
155	and “<span class="quote">group</span>” facilities in the NSS control (configuration) file. The best tool
156	for achieving this is left up to the UNIX administrator to determine. It is not imposed by
157	Samba. Samba provides winbindd together with its support libraries as one method. It is
158	possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
159	all account entities can be located in an LDAP directory.
160	</p><p>
161	<a class="indexterm" name="id2571174"></a>
162	For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
163	be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
164	is fundamentally an LDAP design question. The information provided on the Samba list and
165	in the documentation is directed at providing working examples only. The design
166	of an LDAP directory is a complex subject that is beyond the scope of this documentation.
167	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571190"></a>Introduction</h2></div></div></div><p>
168	You just opened an email from Christine that reads:
169	</p><p>
170	Good morning,
171	</p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
172	A few months ago we sat down to design the network. We discussed the challenges ahead and we all
173	agreed to compromise our design to keep it simple. We knew there would be problems, but anticipated
174	that we would have some time to resolve any issues that might be encountered.
175	</p><p>
176	As you now know, we started off on the wrong foot. We have a lot of unhappy users. One of them
177	resigned yesterday afternoon because she was under duress to complete some critical projects. She
178	suffered a blue screen of death situation just as she was finishing four hours of intensive work, all
179	of which was lost. She has a unique requirement that involves storing large files on her desktop.
180	Mary's desktop profile is nearly 1 GB in size. As a result of her desktop configuration, it
181	takes her nearly 15 minutes just to log onto her workstation. But that is not enough. Because all
182	network logon traffic passes over the network links between our buildings, logging on may take
183	three or four attempts due to blue screen problems associated with network timeouts.
184	</p><p>
185	A few of us worked to help her out of trouble. We convinced her to stay and promised to fully
186	resolve the difficulties she is facing. We have no choice. We must implement LDAP and set hard
187	limits on what our users can do with their desktops. Otherwise, we face staff losses
188	that can surely do harm to our growth as well as to staff morale. I am sure we can better deal
189	with the consequences of what we know we must do than we can with the unrest we have now.
190	</p><p>
191	Stan and I have discussed the current situation. We are resolved to help our users and protect
192	the well being of Abmas. Please acknowledge this advice with consent to proceed as required to
193	regain control of our vital IT operations.
194	</p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Christine</span></td></tr></table></div><p>
195	</p><p>
196	<a class="indexterm" name="id2571252"></a>
197	<a class="indexterm" name="id2571259"></a>
198	Every compromise has consequences. Having a large routed (i.e., multisegment) network with only a
199	single domain controller is a poor design that has obvious operational effects that may
200	frustrate users. Here is your reply:
201	</p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
202	Christine, Your diligence and attention to detail are much valued. Stan and I fully support your
203	proposals to resolve the issues. I am confident that your plans fully realized will significantly
204	boost staff morale. Please go ahead with your plans. If you have any problems, please let me know.
205	Please let Stan know what the estimated cost will be so I can approve the expense. Do not wait
206	for approval; I appreciate the urgency.
207	</p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Bob</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571288"></a>Assignment Tasks</h3></div></div></div><p>
208	The priority of assigned tasks in this chapter is:
209	</p><div class="orderedlist"><ol type="1"><li><p>
210	<a class="indexterm" name="id2571308"></a>
211	<a class="indexterm" name="id2571317"></a>
212	<a class="indexterm" name="id2571323"></a>
213	<a class="indexterm" name="id2571330"></a><a class="indexterm" name="id2571336"></a>
214	Implement Backup Domain Controllers (BDCs) in each building. This involves
215	a change from a <span class="emphasis"><em>tdbsam</em></span> backend that was used in the previous
216	chapter to an LDAP-based backend.
217	</p><p>
218	You can implement a single central LDAP server for this purpose.
219	</p></li><li><p>
220	<a class="indexterm" name="id2571358"></a>
221	<a class="indexterm" name="id2571365"></a>
222	<a class="indexterm" name="id2571372"></a>
223	<a class="indexterm" name="id2571379"></a>
224	Rectify the problem of excessive logon times. This involves redirection of
225	folders to network shares as well as modification of all user desktops to
226	exclude the redirected folders from being loaded at login time. You can also
227	create a new default profile that can be used for all new users.
228	</p></li></ol></div><p>
229	<a class="indexterm" name="id2571398"></a>
230	You configure a new MS Windows XP Professional workstation disk image that you roll out
231	to all desktop users. The instructions you have created are followed on a staging machine
232	from which all changes can be carefully tested before inflicting them on your network users.
233	</p><p>
234	<a class="indexterm" name="id2571412"></a>
235	This is the last network example in which specific mention of printing is made. The example
236	again makes use of the CUPS printing system.
237	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571425"></a>Dissection and Discussion</h2></div></div></div><p>
238	<a class="indexterm" name="id2571433"></a>
239	<a class="indexterm" name="id2571439"></a>
240	<a class="indexterm" name="id2571446"></a>
241	The implementation of Samba BDCs necessitates the installation and configuration of LDAP.
242	For this site, you use OpenLDAP, the open source software LDAP server platform. Commercial
243	LDAP servers in current use with Samba-3 include:
244	</p><div class="itemizedlist"><ul type="disc"><li><p>
245	<a class="indexterm" name="id2571464"></a>
246	Novell <a class="ulink" href="http://www.novell.com/products/edirectory/" target="_top">eDirectory</a>
247	is being successfully used by some sites. Information on how to use eDirectory can be
248	obtained from the Samba mailing lists or from Novell.
249	</p></li><li><p>
250	<a class="indexterm" name="id2571484"></a>
251	IBM <a class="ulink" href="http://www-306.ibm.com/software/tivoli/products/directory-server/" target="_top">Tivoli
252	Directory Server</a> can be used to provide the Samba LDAP backend. Example schema
253	files are provided in the Samba source code tarball under the directory
254	<code class="filename">~samba/example/LDAP.</code>
255	</p></li><li><p>
256	<a class="indexterm" name="id2571511"></a>
257	Sun <a class="ulink" href="http://www.sun.com/software/software/products/identity_srvr/home_identity.xml" target="_top">ONE Identity
258	Server product suite</a> provides an LDAP server that can be used for Samba.
259	Example schema files are provided in the Samba source code tarball under the directory
260	<code class="filename">~samba/example/LDAP.</code>
261	</p></li></ul></div><p>
262	A word of caution is fully in order. OpenLDAP is purely an LDAP server, and unlike commercial
263	offerings, it requires that you manually edit the server configuration files and manually
264	initialize the LDAP directory database. OpenLDAP itself has only command-line tools to
265	help you to get OpenLDAP and Samba-3 running as required, albeit with some learning curve challenges.
266	</p><p>
267	<a class="indexterm" name="id2571548"></a>
268	For most sites, the deployment of Microsoft Active Directory from the shrink-wrapped installation is quite
269	adequate. If you are migrating from Microsoft Active Directory, be warned that OpenLDAP does not include
270	GUI-based directory management tools. Even a simple task such as adding users to the OpenLDAP database
271	requires an understanding of what you are doing, why you are doing it, and the tools that you must use.
272	</p><p>
273	<a class="indexterm" name="id2571566"></a>
274	<a class="indexterm" name="id2571573"></a>
275	<a class="indexterm" name="id2571580"></a>
276	<a class="indexterm" name="id2571589"></a>
277	<a class="indexterm" name="id2571598"></a>
278	<a class="indexterm" name="id2571605"></a>
279	<a class="indexterm" name="id2571614"></a>
280	When installed and configured, an OpenLDAP Identity Management backend for Samba functions well.
281	High availability operation may be obtained through directory replication/synchronization and
282	master/slave server configurations. OpenLDAP is a mature platform to host the organizational
283	directory infrastructure that can include all UNIX accounts, directories for electronic mail, and much more.
284	The price paid through learning how to design an LDAP directory schema in implementation and configuration
285	of management tools is well rewarded by performance and flexibility and the freedom to manage directory
286	contents with greater ability to back up, restore, and modify the directory than is generally possible
287	with Microsoft Active Directory.
288	</p><p>
289	<a class="indexterm" name="id2571639"></a>
290	<a class="indexterm" name="id2571649"></a>
291	<a class="indexterm" name="id2571656"></a>
292	<a class="indexterm" name="id2571663"></a>
293	A comparison of OpenLDAP with Microsoft Active Directory does not do justice to either. OpenLDAP is an LDAP directory
294	tool-set. Microsoft Active Directory Server is an implementation of an LDAP server that is largely preconfigured
295	for a specific task orientation. It comes with a set of administrative tools that is entirely customized
296	for the purpose of running MS Windows applications that include file and print services, Microsoft Exchange
297	server, Microsoft SQL server, and more. The complexity of OpenLDAP is highly valued by the UNIX administrator
298	who wants to build a custom directory solution. Microsoft provides an application called
299	<a class="ulink" href="http://www.microsoft.com/windowsserver2003/adam/default.mspx" target="_top">
300	MS ADAM</a> that provides more generic LDAP services, yet it does not have the vanilla-like services
301	of OpenLDAP.
302	</p><p>
303	<a class="indexterm" name="id2571692"></a>
304	<a class="indexterm" name="id2571701"></a>
305	You may wish to consider outsourcing the development of your OpenLDAP directory to an expert, particularly
306	if you find the challenge of learning about LDAP directories, schemas, configuration, and management
307	tools and the creation of shell and Perl scripts a bit
308	challenging. OpenLDAP can be easily customized, though it includes
309	many ready-to-use schemas. Samba-3 provides an OpenLDAP schema file
310	that is required for use as a passdb backend.
311	</p><p>
312	<a class="indexterm" name="id2571719"></a>
313	For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
314	there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
315	The Web-based tools you might like to consider include the
316	<a class="ulink" href="http://lam.sourceforge.net/" target="_top">LDAP Account Manager</a> (LAM) and the Webmin-based
317	<a class="ulink" href="http://www.webmin.com" target="_top">Webmin</a> Idealx
318	<a class="ulink" href="http://webmin.idealx.org/index.en.html" target="_top">CGI tools</a>.
319	</p><p>
320	Some additional LDAP tools should be mentioned. Every so often a Samba user reports using one of
321	these, so it may be useful to them:
322	<a class="ulink" href="http://biot.com/gq" target="_top">GQ</a>, a GTK-based LDAP browser;
323	LDAP <a class="ulink" href="http://www.iit.edu/~gawojar/ldap/" target="_top">Browser/Editor</a>
324	<a class="ulink" href="http://www.jxplorer.org/" target="_top">; JXplorer</a> (by Computer Associates);
325	and <a class="ulink" href="http://phpldapadmin.sourceforge.net/" target="_top">phpLDAPadmin</a>.
326	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
327	The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
328	security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
329	is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
330	LDAP before attempting to deploy it in a business-critical environment.
331	</p></div><p>
332	Information to help you get started with OpenLDAP is available from the
333	<a class="ulink" href="http://www.openldap.org/pub/" target="_top">OpenLDAP web site</a>. Many people have found the book
334	<a class="ulink" href="http://www.oreilly.com/catalog/ldapsa/index.html" target="_top"><span class="emphasis"><em>LDAP System Administration</em></span>,</a>
335	by Jerry Carter quite useful.
336	</p><p>
337	<a class="indexterm" name="id2571817"></a>
338	<a class="indexterm" name="id2571824"></a>
339	<a class="indexterm" name="id2571833"></a>
340	<a class="indexterm" name="id2571840"></a>
341	Mary's problems are due to two factors. First, the absence of a domain controller on the local network is the
342	main cause of the errors that result in blue screen crashes. Second, Mary has a large profile that must
343	be loaded over the WAN connection. The addition of BDCs on each network segment significantly
344	improves overall network performance for most users, but it is not enough. You must gain control over
345	user desktops, and this must be done in a way that wins their support and does not cause further loss of
346	staff morale. The following procedures solve this problem.
347	</p><p>
348	<a class="indexterm" name="id2571862"></a>
349	There is also an opportunity to implement smart printing features. You add this to the Samba configuration
350	so that future printer changes can be managed without need to change desktop configurations.
351	</p><p>
352	You add the ability to automatically download new printer drivers, even if they are not installed
353	in the default desktop profile. Only one example of printing configuration is given. It is assumed that
354	you can extrapolate the principles and use them to install all printers that may be needed.
355	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571882"></a>Technical Issues</h3></div></div></div><p>
356	<a class="indexterm" name="id2571890"></a>
357	<a class="indexterm" name="id2571899"></a>
358	<a class="indexterm" name="id2571908"></a>
359	The solution provided is a minimal approach to getting OpenLDAP running as an identity management directory
360	server for UNIX system accounts as well as for Samba. From the OpenLDAP perspective, UNIX system
361	accounts are stored POSIX schema extensions. Samba provides its own schema to permit storage of account
362	attributes Samba needs. Samba-3 can use the LDAP backend to store:
363	</p><div class="itemizedlist"><ul type="disc"><li><p>Windows Networking User Accounts</p></li><li><p>Windows NT Group Accounts</p></li><li><p>Mapping Information between UNIX Groups and Windows NT Groups</p></li><li><p>ID Mappings for SIDs to UIDs (also for foreign Domain SIDs)</p></li></ul></div><p>
364	<a class="indexterm" name="id2571949"></a>
365	<a class="indexterm" name="id2571956"></a>
366	<a class="indexterm" name="id2571963"></a>
367	<a class="indexterm" name="id2571970"></a>
368	<a class="indexterm" name="id2571977"></a>
369	<a class="indexterm" name="id2571984"></a>
370	<a class="indexterm" name="id2571993"></a>
371	<a class="indexterm" name="id2571999"></a>
372	<a class="indexterm" name="id2572006"></a>
373	The use of LDAP with Samba-3 makes it necessary to store UNIX accounts as well as Windows Networking
374	accounts in the LDAP backend. This implies the need to use the
375	<a class="ulink" href="http://www.padl.com/Contents/OpenSourceSoftware.html" target="_top">PADL LDAP tools</a>. The resolution
376	of the UNIX group name to its GID must be enabled from either the <code class="filename">/etc/group</code>
377	or from the LDAP backend. This requires the use of the PADL <code class="filename">nss_ldap</code> tool-set
378	that integrates with the NSS. The same requirements exist for resolution
379	of the UNIX username to the UID. The relationships are demonstrated in <a class="link" href="happy.html#sbehap-LDAPdiag" title="Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts">“The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts”</a>.
380	</p><div class="figure"><a name="sbehap-LDAPdiag"></a><p class="title"><b>Figure 5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UNIX-Samba-and-LDAP.png" width="270" alt="The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts"></div></div></div><br class="figure-break"><p>
381	<a class="indexterm" name="id2572091"></a>
382	<a class="indexterm" name="id2572098"></a>
383	You configure OpenLDAP so that it is operational. Before deploying the OpenLDAP, you really
384	ought to learn how to configure secure communications over LDAP so that site security is not
385	at risk. This is not covered in the following guidance.
386	</p><p>
387	<a class="indexterm" name="id2572115"></a>
388	<a class="indexterm" name="id2572121"></a>
389	<a class="indexterm" name="id2572131"></a>
390	<a class="indexterm" name="id2572138"></a>
391	When OpenLDAP has been made operative, you configure the PDC called <code class="constant">MASSIVE</code>.
392	You initialize the Samba <code class="filename">secrets.tdb<sub></sub></code> file. Then you
393	create the LDAP Interchange Format (LDIF) file from which the LDAP database can be initialized.
394	You need to decide how best to create user and group accounts. A few hints are, of course, provided.
395	You can also find on the enclosed CD-ROM, in the <code class="filename">Chap06</code> directory, a few tools
396	that help to manage user and group configuration.
397	</p><p>
398	<a class="indexterm" name="id2572172"></a>
399	<a class="indexterm" name="id2572178"></a>
400	<a class="indexterm" name="id2572185"></a>
401	In order to effect folder redirection and to add robustness to the implementation,
402	create a network default profile. All network users workstations are configured to use
403	the new profile. Roaming profiles will automatically be deleted from the workstation
404	when the user logs off.
405	</p><p>
406	<a class="indexterm" name="id2572205"></a>
407	The profile is configured so that users cannot change the appearance
408	of their desktop. This is known as a mandatory profile. You make certain that users
409	are able to use their computers efficiently.
410	</p><p>
411	<a class="indexterm" name="id2572218"></a>
412	A network logon script is used to deliver flexible but consistent network drive
413	connections.
414	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-ppc"></a>Addition of Machines to the Domain</h4></div></div></div><p>
415	<a class="indexterm" name="id2572240"></a>
416	<a class="indexterm" name="id2572245"></a>
417	<a class="indexterm" name="id2572251"></a>
418	<a class="indexterm" name="id2572256"></a>
419	Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
420	that maps to the UNIX UID=0. The UNIX operating system permits only the <code class="constant">root</code>
421	user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
422	<code class="constant">Privileges</code>, which provides five new privileges that
423	can be assigned to users and/or groups; see Table 5.1.
424	</p><div class="table"><a name="sbehap-privs"></a><p class="title"><b>Table 5.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="left"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="left"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="left"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="left"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div></div><br class="table-break"><p>
425	In this network example use is made of one of the supported privileges purely to demonstrate
426	how any user can now be given the ability to add machines to the domain using a normal user account
427	that has been given the appropriate privileges.
428	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572394"></a>Roaming Profile Background</h4></div></div></div><p>
429	As XP roaming profiles grow, so does the amount of time it takes to log in and out.
430	</p><p>
431	<a class="indexterm" name="id2572407"></a>
432	<a class="indexterm" name="id2572414"></a>
433	<a class="indexterm" name="id2572420"></a>
434	<a class="indexterm" name="id2572427"></a>
435	An XP roaming profile consists of the <code class="constant">HKEY_CURRENT_USER</code> hive file
436	<code class="filename">NTUSER.DAT</code> and a number of folders (My Documents, Application Data,
437	Desktop, Start Menu, Templates, NetHood, Favorites, and so on). When a user logs onto the
438	network with the default configuration of MS Windows NT/200x/XPP, all this data is
439	copied to the local machine under the <code class="filename">C:\Documents and Settings\%USERNAME%</code>
440	directory. While the user is logged in, any changes made to any of these folders or to the
441	<code class="constant">HKEY_CURRENT_USER</code> branch of the registry are made to the local copy
442	of the profile. At logout the profile data is copied back to the server. This behavior
443	can be changed through appropriate registry changes and/or through changes to the default
444	user profile. In the latter case, it updates the registry with the values that are set in the
445	profile <code class="filename">NTUSER.DAT</code>
446	file.
447	</p><p>
448	The first challenge is to reduce the amount of data that must be transferred to and
449	from the profile server as roaming profiles are processed. This includes removing
450	all the shortcuts in the Recent directory, making sure the cache used by the Web browser
451	is not being dumped into the <code class="filename">Application Data</code> folder, removing the
452	Java plug-ins cache (the .jpi_cache directory in the profile), as well as training the
453	user to not place large files on the desktop and to use his or her mapped home directory
454	instead of the <code class="filename">My Documents</code> folder for saving documents.
455	</p><p>
456	<a class="indexterm" name="id2572506"></a>
457	Using a folder other than <code class="filename">My Documents</code> is a nuisance for
458	some users, since many applications use it by default.
459	</p><p>
460	<a class="indexterm" name="id2572524"></a>
461	<a class="indexterm" name="id2572531"></a>
462	<a class="indexterm" name="id2572538"></a>
463	The secret to rapid loading of roaming profiles is to prevent unnecessary data from
464	being copied back and forth, without losing any functionality. This is not difficult;
465	it can be done by making changes to the Local Group Policy on each client as well
466	as changing some paths in each user's <code class="filename">NTUSER.DAT</code> hive.
467	</p><p>
468	<a class="indexterm" name="id2572559"></a>
469	<a class="indexterm" name="id2572566"></a>
470	Every user profile has its own <code class="filename">NTUSER.DAT</code> file. This means
471	you need to edit every user's profile, unless a better method can be
472	followed. Fortunately, with the right preparations, this is not difficult.
473	It is possible to remove the <code class="filename">NTUSER.DAT</code> file from each
474	user's profile. Then just create a Network Default Profile. Of course, it is
475	necessary to copy all files from redirected folders to the network share to which
476	they are redirected.
477	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbehap-locgrppol"></a>The Local Group Policy</h4></div></div></div><p>
478	<a class="indexterm" name="id2572607"></a>
479	<a class="indexterm" name="id2572614"></a>
480	<a class="indexterm" name="id2572620"></a>
481	<a class="indexterm" name="id2572627"></a>
482	Without an Active Directory PDC, you cannot take full advantage of Group Policy
483	Objects. However, you can still make changes to the Local Group Policy by using
484	the Group Policy editor (<code class="literal">gpedit.msc</code>).
485	</p><p>
486	The <span class="emphasis"><em>Exclude directories in roaming profile</em></span> settings can
487	be found under
488	<span class="guimenu">User Configuration</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>.
489	By default this setting contains
490	“<span class="quote">Local Settings; Temporary Internet Files; History; Temp</span>”.
491	</p><p>
492	Simply add the folders you do not wish to be copied back and forth to this
493	semicolon-separated list. Note that this change must be made on all clients
494	that are using roaming profiles.
495	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572694"></a>Profile Changes</h4></div></div></div><p>
496	<a class="indexterm" name="id2572702"></a>
497	<a class="indexterm" name="id2572709"></a>
498	There are two changes that should be done to each user's profile. Move each of
499	the directories that you have excluded from being copied back and forth out of
500	the usual profile path. Modify each user's <code class="filename">NTUSER.DAT</code> file
501	to point to the new paths that are shared over the network instead of to the default
502	path (<code class="filename">C:\Documents and Settings\%USERNAME%</code>).
503	</p><p>
504	<a class="indexterm" name="id2572737"></a>
505	<a class="indexterm" name="id2572744"></a>
506	The above modifies existing user profiles. So that newly created profiles have
507	these settings, you need to modify the <code class="filename">NTUSER.DAT</code> in
508	the <code class="filename">C:\Documents and Settings\Default User</code> folder on each
509	client machine, changing the same registry keys. You could do this by copying
510	<code class="filename">NTUSER.DAT</code> to a Linux box and using <code class="literal">regedt32</code>.
511	The basic method is described under <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">“Configuration of Default Profile with Folder Redirection”</a>.
512	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572788"></a>Using a Network Default User Profile</h4></div></div></div><p>
513	<a class="indexterm" name="id2572797"></a>
514	<a class="indexterm" name="id2572804"></a>
515	If you are using Samba as your PDC, you should create a file share called
516	<code class="constant">NETLOGON</code> and within that create a directory called
517	<code class="filename">Default User</code>, which is a copy of the desired default user
518	configuration (including a copy of <code class="filename">NTUSER.DAT</code>).
519	If this share exists and the <code class="filename">Default User</code> folder exists,
520	the first login from a new account pulls its configuration from it.
521	See also <a class="ulink" href="http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html" target="_top">
522	the Real Men Don't Click</a> Web site.
523	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2572847"></a>Installation of Printer Driver Auto-Download</h4></div></div></div><p>
524	<a class="indexterm" name="id2572855"></a>
525	<a class="indexterm" name="id2572865"></a>
526	<a class="indexterm" name="id2572872"></a>
527	The subject of printing is quite topical. Printing problems run second place to name
528	resolution issues today. So far in this book, you have experienced only what is generally
529	known as “<span class="quote">dumb</span>” printing. Dumb printing is the arrangement by which all drivers
530	are manually installed on each client and the printing subsystems perform no filtering
531	or intelligent processing. Dumb printing is easily understood. It usually works without
532	many problems, but it has its limitations also. Dumb printing is better known as
533	<code class="literal">Raw-Print-Through</code> printing.
534	</p><p>
535	<a class="indexterm" name="id2572900"></a>
536	<a class="indexterm" name="id2572910"></a>
537	Samba permits the configuration of <code class="literal">smart</code> printing using the Microsoft
538	Windows point-and-click (also called drag-and-drop) printing. What this provides is
539	essentially the ability to print to any printer. If the local client does not yet have a
540	driver installed, the driver is automatically downloaded from the Samba server and
541	installed on the client. Drag-and-drop printing is neat; it means the user never needs
542	to fuss with driver installation, and that is a <span class="trademark">Good Thing,</span>™
543	isn't it?
544	</p><p>
545	There is a further layer of print job processing that is known as <code class="literal">intelligent</code>
546	printing that automatically senses the file format of data submitted for printing and
547	then invokes a suitable print filter to convert the incoming data stream into a format
548	suited to the printer to which the job is dispatched.
549	</p><p>
550	<a class="indexterm" name="id2572957"></a>
551	<a class="indexterm" name="id2572963"></a>
552	<a class="indexterm" name="id2572970"></a>
553	The CUPS printing subsystem is capable of intelligent printing. It has the capacity to
554	detect the data format and apply a print filter. This means that it is feasible to install
555	on all Windows clients a single printer driver for use with all printers that are routed
556	through CUPS. The most sensible driver to use is one for a PostScript printer. Fortunately,
557	<a class="ulink" href="http://www.easysw.com" target="_top">Easy Software Products</a>, the authors of CUPS, have
558	released a PostScript printing driver for Windows. It can be installed into the Samba
559	printing backend so that it automatically downloads to the client when needed.
560	</p><p>
561	This means that so long as there is a CUPS driver for the printer, all printing from Windows
562	software can use PostScript, no matter what the actual printer language for the physical
563	device is. It also means that the administrator can swap out a printer with a totally
564	different type of device without ever needing to change a client workstation driver.
565	</p><p>
566	This book is about Samba-3, so you can confine the printing style to just the smart
567	style of installation. Those interested in further information regarding intelligent
568	printing should review documentation on the Easy Software Products Web site.
569	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbeavoid"></a>Avoiding Failures: Solving Problems Before They Happen</h4></div></div></div><p>
570	It has often been said that there are three types of people in the world: those who
571	have sharp minds and those who forget things. Please do not ask what the third group
572	is like! Well, it seems that many of us have company in the second group. There must
573	be a good explanation why so many network administrators fail to solve apparently
574	simple problems efficiently and effectively.
575	</p><p>
576	Here are some diagnostic guidelines that can be referred to when things go wrong:
577	</p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573037"></a>Preliminary Advice: Dangers Can Be Avoided</h5></div></div></div><p>
578	The best advice regarding how to mend a broken leg is “<span class="quote">Never break a leg!</span>”
579	</p><p>
580	<a class="indexterm" name="id2573053"></a>
581	Newcomers to Samba and LDAP seem to struggle a great deal at first. If you want advice
582	regarding the best way to remedy LDAP and Samba problems: “<span class="quote">Avoid them like the plague!</span>”
583	</p><p>
584	If you are now asking yourself how problems can be avoided, the best advice is to start
585	out your learning experience with a <span class="emphasis"><em>known-good configuration.</em></span> After
586	you have seen a fully working solution, a good way to learn is to make slow and progressive
587	changes that cause things to break, then observe carefully how and why things ceased to work.
588	</p><p>
589	The examples in this chapter (also in the book as a whole) are known to work. That means
590	that they could serve as the kick-off point for your journey through fields of knowledge.
591	Use this resource carefully; we hope it serves you well.
592	</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
593	Do not be lulled into thinking that you can easily adopt the examples in this
594	book and adapt them without first working through the examples provided. A little
595	thing overlooked can cause untold pain and may permanently tarnish your experience.
596	</p></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573097"></a>The Name Service Caching Daemon</h5></div></div></div><p>
597	The name service caching daemon (nscd) is a primary cause of difficulties with name
598	resolution, particularly where <code class="literal">winbind</code> is used. Winbind does its
599	own caching, thus nscd causes double caching which can lead to peculiar problems during
600	debugging. As a rule, it is a good idea to turn off the name service caching daemon.
601	</p><p>
602	Operation of the name service caching daemon is controlled by the
603	<code class="filename">/etc/nscd.conf</code> file. Typical contents of this file are as follows:
604	</p><pre class="screen">
605	# /etc/nscd.conf
606	# An example Name Service Cache config file. This file is needed by nscd.
607	# Legal entries are:
608	# logfile <file>
609	# debug-level <level>
610	# threads <threads to use>
611	# server-user <user to run server as instead of root>
612	# server-user is ignored if nscd is started with -S parameters
613	# stat-user <user who is allowed to request statistics>
614	# reload-count unlimited\|<number>
615	#
616	# enable-cache <service> <yes\|no>
617	# positive-time-to-live <service> <time in seconds>
618	# negative-time-to-live <service> <time in seconds>
619	# suggested-size <service> <prime number>
620	# check-files <service> <yes\|no>
621	# persistent <service> <yes\|no>
622	# shared <service> <yes\|no>
623	# Currently supported cache names (services): passwd, group, hosts
624	# logfile /var/log/nscd.log
625	# threads 6
626	# server-user nobody
627	# stat-user somebody
628	debug-level 0
629	# reload-count 5
630	enable-cache passwd yes
631	positive-time-to-live passwd 600
632	negative-time-to-live passwd 20
633	suggested-size passwd 211
634	check-files passwd yes
635	persistent passwd yes
636	shared passwd yes
637	enable-cache group yes
638	positive-time-to-live group 3600
639	negative-time-to-live group 60
640	suggested-size group 211
641	check-files group yes
642	persistent group yes
643	shared group yes
644	# !!!!!WARNING!!!!! Host cache is insecure!!! The mechanism in nscd to
645	# cache hosts will cause your local system to not be able to trust
646	# forward/reverse lookup checks. DO NOT USE THIS if your system relies on
647	# this sort of security mechanism. Use a caching DNS server instead.
648	enable-cache hosts no
649	positive-time-to-live hosts 3600
650	negative-time-to-live hosts 20
651	suggested-size hosts 211
652	check-files hosts yes
653	persistent hosts yes
654	shared hosts yes
655	</pre><p>
656	It is feasible to comment out the <code class="constant">passwd</code> and <code class="constant">group</code>
657	entries so they will not be cached. Alternatively, it is often simpler to just disable the
658	<code class="literal">nscd</code> service by executing (on Novell SUSE Linux):
659	</p><pre class="screen">
660	<code class="prompt">root# </code> chkconfig nscd off
661	<code class="prompt">root# </code> rcnscd off
662	</pre><p>
663	</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573271"></a>Debugging LDAP</h5></div></div></div><p>
664	<a class="indexterm" name="id2573279"></a>
665	<a class="indexterm" name="id2573286"></a>
666	<a class="indexterm" name="id2573293"></a>
667	In the example <code class="filename">/etc/openldap/slapd.conf</code> control file
668	(see <a class="link" href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a>) there is an entry for <code class="constant">loglevel 256</code>.
669	To enable logging via the syslog infrastructure, it is necessary to uncomment this parameter
670	and restart <code class="literal">slapd</code>.
671	</p><p>
672	<a class="indexterm" name="id2573328"></a>
673	<a class="indexterm" name="id2573335"></a>
674	LDAP log information can be directed into a file that is separate from the normal system
675	log files by changing the <code class="filename">/etc/syslog.conf</code> file so it has the following
676	contents:
677	</p><pre class="screen">
678	# Some foreign boot scripts require local7
679	#
680	local0,local1.* -/var/log/localmessages
681	local2,local3.* -/var/log/localmessages
682	local5.* -/var/log/localmessages
683	local6,local7.* -/var/log/localmessages
684	local4.* -/var/log/ldaplogs
685	</pre><p>
686	In this case, all LDAP-related logs will be directed to the file
687	<code class="filename">/var/log/ldaplogs</code>. This makes it easy to track LDAP errors.
688	The snippet provides a simple example of usage that can be modified to suit
689	local site needs. The configuration used later in this chapter reflects such
690	customization with the intent that LDAP log files will be stored at a location
691	that meets local site needs and wishes more fully.
692	</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573377"></a>Debugging NSS_LDAP</h5></div></div></div><p>
693	The basic mechanism for diagnosing problems with the nss_ldap utility involves adding to the
694	<code class="filename">/etc/ldap.conf</code> file the following parameters:
695	</p><pre class="screen">
696	debug 256
697	logdir /data/logs
698	</pre><p>
699	Create the log directory as follows:
700	</p><pre class="screen">
701	<code class="prompt">root# </code> mkdir /data/logs
702	</pre><p>
703	</p><p>
704	The diagnostic process should follow these steps:
705	</p><div class="procedure"><a name="id2573421"></a><p class="title"><b>Procedure 5.1. NSS_LDAP Diagnostic Steps</b></p><ol type="1"><li><p>
706	Verify the <code class="constant">nss_base_passwd, nss_base_shadow, nss_base_group</code> entries
707	in the <code class="filename">/etc/ldap.conf</code> file and compare them closely with the directory
708	tree location that was chosen when the directory was first created.
709	</p><p>
710	One way this can be done is by executing:
711	</p><pre class="screen">
712	<code class="prompt">root# </code> slapcat \| grep Group \| grep dn
713	dn: ou=Groups,dc=abmas,dc=biz
714	dn: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
715	dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
716	dn: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
717	dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
718	dn: cn=Administrators,ou=Groups,dc=abmas,dc=biz
719	dn: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
720	dn: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
721	dn: cn=Replicators,ou=Groups,dc=abmas,dc=biz
722	</pre><p>
723	The first line is the DIT entry point for the container for POSIX groups. The correct entry
724	for the <code class="filename">/etc/ldap.conf</code> for the <code class="constant">nss_base_group</code>
725	parameter therefore is the distinguished name (dn) as applied here:
726	</p><pre class="screen">
727	nss_base_group ou=Groups,dc=abmas,dc=biz?one
728	</pre><p>
729	The same process may be followed to determine the appropriate dn for user accounts.
730	If the container for computer accounts is not the same as that for users (see the <code class="filename">smb.conf</code>
731	file entry for <code class="constant">ldap machine suffix</code>), it may be necessary to set the
732	following DIT dn in the <code class="filename">/etc/ldap.conf</code> file:
733	</p><pre class="screen">
734	nss_base_passwd dc=abmas,dc=biz?sub
735	</pre><p>
736	This instructs LDAP to search for machine as well as user entries from the top of the DIT
737	down. This is inefficient, but at least should work. Note: It is possible to specify multiple
738	<code class="constant">nss_base_passwd</code> entries in the <code class="filename">/etc/ldap.conf</code> file; they
739	will be evaluated sequentially. Let us consider an example of use where the following DIT
740	has been implemented:
741	</p><p>
742	</p><div class="itemizedlist"><ul type="disc"><li><p>User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz</p></li><li><p>User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, dc=biz</p></li><li><p>Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, dc=biz</p></li></ul></div><p>
743	</p><p>
744	The appropriate multiple entry for the <code class="constant">nss_base_passwd</code> directive
745	in the <code class="filename">/etc/ldap.conf</code> file may be:
746	</p><pre class="screen">
747	nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
748	nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
749	</pre><p>
750	</p></li><li><p>
751	Perform lookups such as:
752	</p><pre class="screen">
753	<code class="prompt">root# </code> getent passwd
754	</pre><p>
755	Each such lookup will create an entry in the <code class="filename">/data/log</code> directory
756	for each such process executed. The contents of each file created in this directory
757	may provide a hint as to the cause of the a problem that is under investigation.
758	</p></li><li><p>
759	For additional diagnostic information, check the contents of the <code class="filename">/var/log/messages</code>
760	to see what error messages are being generated as a result of the LDAP lookups. Here is an example of
761	a successful lookup:
762	</p><pre class="screen">
763	slapd[12164]: conn=0 fd=10 ACCEPT from IP=127.0.0.1:33539
764	(IP=0.0.0.0:389)
765	slapd[12164]: conn=0 op=0 BIND dn="" method=128
766	slapd[12164]: conn=0 op=0 RESULT tag=97 err=0 text=
767	slapd[12164]: conn=0 op=1 SRCH base="" scope=0 deref=0
768	filter="(objectClass=*)"
769	slapd[12164]: conn=0 op=1 SEARCH RESULT tag=101 err=0
770	nentries=1 text=
771	slapd[12164]: conn=0 op=2 UNBIND
772	slapd[12164]: conn=0 fd=10 closed
773	slapd[12164]: conn=1 fd=10 ACCEPT from
774	IP=127.0.0.1:33540 (IP=0.0.0.0:389)
775	slapd[12164]: conn=1 op=0 BIND
776	dn="cn=Manager,dc=abmas,dc=biz" method=128
777	slapd[12164]: conn=1 op=0 BIND
778	dn="cn=Manager,dc=abmas,dc=biz" mech=SIMPLE ssf=0
779	slapd[12164]: conn=1 op=0 RESULT tag=97 err=0 text=
780	slapd[12164]: conn=1 op=1 SRCH
781	base="ou=People,dc=abmas,dc=biz" scope=1 deref=0
782	filter="(objectClass=posixAccount)"
783	slapd[12164]: conn=1 op=1 SRCH attr=uid userPassword
784	uidNumber gidNumber cn
785	homeDirectory loginShell gecos description objectClass
786	slapd[12164]: conn=1 op=1 SEARCH RESULT tag=101 err=0
787	nentries=2 text=
788	slapd[12164]: conn=1 fd=10 closed
789
790	</pre><p>
791	</p></li><li><p>
792	Check that the bindpw entry in the <code class="filename">/etc/ldap.conf</code> or in the
793	<code class="filename">/etc/ldap.secrets</code> file is correct, as specified in the
794	<code class="filename">/etc/openldap/slapd.conf</code> file.
795	</p></li></ol></div></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573672"></a>Debugging Samba</h5></div></div></div><p>
796	The following parameters in the <code class="filename">smb.conf</code> file can be useful in tracking down Samba-related problems:
797	</p><pre class="screen">
798	[global]
799	...
800	log level = 5
801	log file = /var/log/samba/%m.log
802	max log size = 0
803	...
804	</pre><p>
805	This will result in the creation of a separate log file for every client from which connections
806	are made. The log file will be quite verbose and will grow continually. Do not forget to
807	change these lines to the following when debugging has been completed:
808	</p><pre class="screen">
809	[global]
810	...
811	log level = 1
812	log file = /var/log/samba/%m.log
813	max log size = 50
814	...
815	</pre><p>
816	</p><p>
817	The log file can be analyzed by executing:
818	</p><pre class="screen">
819	<code class="prompt">root# </code> cd /var/log/samba
820	<code class="prompt">root# </code> grep -v "^\[200" machine_name.log
821	</pre><p>
822	</p><p>
823	Search for hints of what may have failed by looking for the words <span class="emphasis"><em>fail</em></span>
824	and <span class="emphasis"><em>error</em></span>.
825	</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2573743"></a>Debugging on the Windows Client</h5></div></div></div><p>
826	MS Windows 2000 Professional and Windows XP Professional clients can be configured
827	to create a netlogon.log file that can be very helpful in diagnosing network logon problems. Search
828	the Microsoft knowledge base for detailed instructions. The techniques vary a little with each
829	version of MS Windows.
830	</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573760"></a>Political Issues</h3></div></div></div><p>
831	MS Windows network users are generally very sensitive to limits that may be imposed when
832	confronted with locked-down workstation configurations. The challenge you face must
833	be promoted as a choice between reliable, fast network operation and a constant flux
834	of problems that result in user irritation.
835	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573776"></a>Installation Checklist</h3></div></div></div><p>
836	You are starting a complex project. Even though you went through the installation of a complex
837	network in <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>, this network is a bigger challenge because of the
838	large number of complex applications that must be configured before the first few steps
839	can be validated. Take stock of what you are about to undertake, prepare yourself, and
840	frequently review the steps ahead while making at least a mental note of what has already
841	been completed. The following task list may help you to keep track of the task items
842	that are covered:
843	</p><div class="itemizedlist"><ul type="disc"><li><p>Samba-3 PDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>OpenLDAP server</p></li><li><p>PAM and NSS client tools</p></li><li><p>Samba-3 PDC</p></li><li><p>Idealx smbldap scripts</p></li><li><p>LDAP initialization</p></li><li><p>Create user and group accounts</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profile directories</p></li><li><p>Logon scripts</p></li><li><p>Configuration of user rights and privileges</p></li></ol></div></li><li><p>Samba-3 BDC Server Configuration</p><div class="orderedlist"><ol type="1"><li><p>DHCP and DNS servers</p></li><li><p>PAM and NSS client tools</p></li><li><p>Printers</p></li><li><p>Share point directory roots</p></li><li><p>Profiles directories</p></li></ol></div></li><li><p>Windows XP Client Configuration</p><div class="orderedlist"><ol type="1"><li><p>Default profile folder redirection</p></li><li><p>MS Outlook PST file relocation</p></li><li><p>Delete roaming profile on logout</p></li><li><p>Upload printer drivers to Samba servers</p></li><li><p>Install software</p></li><li><p>Creation of roll-out images</p></li></ol></div></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573956"></a>Samba Server Implementation</h2></div></div></div><p>
844	<a class="indexterm" name="id2573964"></a>
845	<a class="indexterm" name="id2573971"></a>
846	The network design shown in <a class="link" href="happy.html#chap6net" title="Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend">“Network Topology 500 User Network Using ldapsam passdb backend”</a> is not comprehensive. It is assumed
847	that you will install additional file servers and possibly additional BDCs.
848	</p><div class="figure"><a name="chap6net"></a><p class="title"><b>Figure 5.2. Network Topology 500 User Network Using ldapsam passdb backend</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap6-net.png" width="270" alt="Network Topology 500 User Network Using ldapsam passdb backend"></div></div></div><br class="figure-break"><p>
849	<a class="indexterm" name="id2574034"></a>
850	<a class="indexterm" name="id2574041"></a>
851	All configuration files and locations are shown for SUSE Linux 9.2 and are equally valid for SUSE
852	Linux Enterprise Server 9. The file locations for Red Hat Linux are similar. You may need to
853	adjust the locations for your particular Linux system distribution/implementation.
854	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
855	The following information applies to Samba-3.0.20 when used with the Idealx smbldap-tools
856	scripts version 0.9.1. If using a different version of Samba or of the smbldap-tools tarball,
857	please verify that the versions you are about to use are matching. The smbldap-tools package
858	uses counter-entries in the LDAP directory to avoid duplication of the UIDs and GIDs that are
859	issued for POSIX accounts. The LDAP rdn under which this information is stored are called
860	<code class="constant">uidNumber</code> and <code class="constant">gidNumber</code> respectively. These may be
861	located in any convenient part of the directory information tree (DIT). In the examples that
862	follow they have been located under <code class="constant">dn=sambaDomainName=MEGANET2,dc=abmas,dc=org</code>.
863	They could just as well be located under the rdn <code class="constant">cn=NextFreeUnixId</code>.
864	</p></div><p>
865	The steps in the process involve changes from the network configuration shown in
866	<a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>. Before implementing the following steps, you must
867	have completed the network implementation shown in that chapter. If you are starting
868	with newly installed Linux servers, you must complete the steps shown in
869	<a class="link" href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">“Installation of DHCP, DNS, and Samba Control Files”</a> before commencing at <a class="link" href="happy.html#ldapsetup" title="OpenLDAP Server Configuration">“OpenLDAP Server Configuration”</a>.
870	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ldapsetup"></a>OpenLDAP Server Configuration</h3></div></div></div><p>
871	<a class="indexterm" name="id2574122"></a>
872	<a class="indexterm" name="id2574129"></a>
873	<a class="indexterm" name="id2574136"></a>
874	Confirm that the packages shown in <a class="link" href="happy.html#oldapreq" title="Table 5.2. Required OpenLDAP Linux Packages">“Required OpenLDAP Linux Packages”</a> are installed on your system.
875	</p><div class="table"><a name="oldapreq"></a><p class="title"><b>Table 5.2. Required OpenLDAP Linux Packages</b></p><div class="table-contents"><table summary="Required OpenLDAP Linux Packages" border="1"><colgroup><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">SUSE Linux 8.x</th><th align="center">SUSE Linux 9.x</th><th align="center">Red Hat Linux</th></tr></thead><tbody><tr><td align="left">nss_ldap</td><td align="left">nss_ldap</td><td align="left">nss_ldap</td></tr><tr><td align="left">pam_ldap</td><td align="left">pam_ldap</td><td align="left">pam_ldap</td></tr><tr><td align="left">openldap2</td><td align="left">openldap2</td><td align="left">openldap</td></tr><tr><td align="left">openldap2-client</td><td align="left">openldap2-client</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><p>
876	Samba-3 and OpenLDAP will have a degree of interdependence that is unavoidable. The method
877	for bootstrapping the LDAP and Samba-3 configuration is relatively straightforward. If you
878	follow these guidelines, the resulting system should work fine.
879	</p><div class="procedure"><a name="id2574268"></a><p class="title"><b>Procedure 5.2. OpenLDAP Server Configuration Steps</b></p><ol type="1"><li><p>
880	<a class="indexterm" name="id2574279"></a>
881	Install the file shown in <a class="link" href="happy.html#sbehap-slapdconf" title="Example 5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A">“LDAP Master Configuration File /etc/openldap/slapd.conf Part A”</a> in the directory
882	<code class="filename">/etc/openldap</code>.
883	</p></li><li><p>
884	<a class="indexterm" name="id2574307"></a>
885	<a class="indexterm" name="id2574314"></a>
886	<a class="indexterm" name="id2574321"></a>
887	Remove all files from the directory <code class="filename">/data/ldap</code>, making certain that
888	the directory exists with permissions:
889	</p><pre class="screen">
890	<code class="prompt">root# </code> ls -al /data \| grep ldap
891	drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
892	</pre><p>
893	This may require you to add a user and a group account for LDAP if they do not exist.
894	</p></li><li><p>
895	<a class="indexterm" name="id2574357"></a>
896	Install the file shown in <a class="link" href="happy.html#sbehap-dbconf" title="Example 5.1. LDAP DB_CONFIG File">“LDAP DB_CONFIG File”</a> in the directory
897	<code class="filename">/data/ldap</code>. In the event that this file is added after <code class="constant">ldap</code>
898	has been started, it is possible to cause the new settings to take effect by shutting down
899	the <code class="constant">LDAP</code> server, executing the <code class="literal">db_recover</code> command inside the
900	<code class="filename">/data/ldap</code> directory, and then restarting the <code class="constant">LDAP</code> server.
901	</p></li><li><p>
902	<a class="indexterm" name="id2574410"></a>
903	Performance logging can be enabled and should preferably be sent to a file on
904	a file system that is large enough to handle significantly sized logs. To enable
905	the logging at a verbose level to permit detailed analysis, uncomment the entry in
906	the <code class="filename">/etc/openldap/slapd.conf</code> shown as “<span class="quote">loglevel 256</span>”.
907	</p><p>
908	Edit the <code class="filename">/etc/syslog.conf</code> file to add the following at the end
909	of the file:
910	</p><pre class="screen">
911	local4.* -/data/ldap/log/openldap.log
912	</pre><p>
913	Note: The path <code class="filename">/data/ldap/log</code> should be set at a location
914	that is convenient and that can store a large volume of data.
915	</p></li></ol></div><div class="example"><a name="sbehap-dbconf"></a><p class="title"><b>Example 5.1. LDAP DB_CONFIG File</b></p><div class="example-contents"><pre class="screen">
916	set_cachesize 0 150000000 1
917	set_lg_regionmax 262144
918	set_lg_bsize 2097152
919	#set_lg_dir /var/log/bdb
920	set_flags DB_LOG_AUTOREMOVE
921	</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf"></a><p class="title"><b>Example 5.2. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">
922	include /etc/openldap/schema/core.schema
923	include /etc/openldap/schema/cosine.schema
924	include /etc/openldap/schema/inetorgperson.schema
925	include /etc/openldap/schema/nis.schema
926	include /etc/openldap/schema/samba3.schema
927
928	pidfile /var/run/slapd/slapd.pid
929	argsfile /var/run/slapd/slapd.args
930
931	access to dn.base=""
932	by self write
933	by * auth
934
935	access to attr=userPassword
936	by self write
937	by * auth
938
939	access to attr=shadowLastChange
940	by self write
941	by * read
942
943	access to *
944	by * read
945	by anonymous auth
946
947	#loglevel 256
948
949	schemacheck on
950	idletimeout 30
951	backend bdb
952	database bdb
953	checkpoint 1024 5
954	cachesize 10000
955
956	suffix "dc=abmas,dc=biz"
957	rootdn "cn=Manager,dc=abmas,dc=biz"
958
959	# rootpw = not24get
960	rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
961
962	directory /data/ldap
963	</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-slapdconf2"></a><p class="title"><b>Example 5.3. LDAP Master Configuration File <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><div class="example-contents"><pre class="screen">
964	# Indices to maintain
965	index objectClass eq
966	index cn pres,sub,eq
967	index sn pres,sub,eq
968	index uid pres,sub,eq
969	index displayName pres,sub,eq
970	index uidNumber eq
971	index gidNumber eq
972	index memberUID eq
973	index sambaSID eq
974	index sambaPrimaryGroupSID eq
975	index sambaDomainName eq
976	index default sub
977	</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-PAM-NSS"></a>PAM and NSS Client Configuration</h3></div></div></div><p>
978	<a class="indexterm" name="id2574568"></a>
979	<a class="indexterm" name="id2574575"></a>
980	<a class="indexterm" name="id2574582"></a>
981	The steps that follow involve configuration of LDAP, NSS LDAP-based resolution of users and
982	groups. Also, so that LDAP-based accounts can log onto the system, the steps ahead configure
983	the Pluggable Authentication Modules (PAM) to permit LDAP-based authentication.
984	</p><p>
985	<a class="indexterm" name="id2574596"></a>
986	<a class="indexterm" name="id2574606"></a>
987	Since you have chosen to put UNIX user and group accounts into the LDAP database, it is likely
988	that you may want to use them for UNIX system (Linux) local machine logons. This necessitates
989	correct configuration of PAM. The <code class="literal">pam_ldap</code> open source package provides the
990	PAM modules that most people would use. On SUSE Linux systems, the <code class="literal">pam_unix2.so</code>
991	module also has the ability to redirect authentication requests through LDAP.
992	</p><p>
993	<a class="indexterm" name="id2574634"></a>
994	<a class="indexterm" name="id2574641"></a>
995	<a class="indexterm" name="id2574648"></a>
996	<a class="indexterm" name="id2574655"></a>
997	You have chosen to configure these services by directly editing the system files, but of course, you
998	know that this configuration can be done using system tools provided by the Linux system vendor.
999	SUSE Linux has a facility in YaST (the system admin tool) through <span class="guimenu">yast</span> → <span class="guimenuitem">system</span> → <span class="guimenuitem">ldap-client</span> that permits
1000	configuration of SUSE Linux as an LDAP client. Red Hat Linux provides the <code class="literal">authconfig</code>
1001	tool for this.
1002	</p><div class="procedure"><a name="id2574694"></a><p class="title"><b>Procedure 5.3. PAM and NSS Client Configuration Steps</b></p><div class="example"><a name="sbehap-nss01"></a><p class="title"><b>Example 5.4. Configuration File for NSS LDAP Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
1003	host 127.0.0.1
1004
1005	base dc=abmas,dc=biz
1006
1007	binddn cn=Manager,dc=abmas,dc=biz
1008	bindpw not24get
1009
1010	timelimit 50
1011	bind_timelimit 50
1012	bind_policy hard
1013
1014	idle_timelimit 3600
1015
1016	pam_password exop
1017
1018	nss_base_passwd ou=People,dc=abmas,dc=biz?one
1019	nss_base_shadow ou=People,dc=abmas,dc=biz?one
1020	nss_base_group ou=Groups,dc=abmas,dc=biz?one
1021
1022	ssl off
1023	</pre></div></div><br class="example-break"><div class="example"><a name="sbehap-nss02"></a><p class="title"><b>Example 5.5. Configuration File for NSS LDAP Clients Support <code class="filename">/etc/ldap.conf</code></b></p><div class="example-contents"><pre class="screen">
1024	host 172.16.0.1
1025
1026	base dc=abmas,dc=biz
1027
1028	binddn cn=Manager,dc=abmas,dc=biz
1029	bindpw not24get
1030
1031	timelimit 50
1032	bind_timelimit 50
1033	bind_policy hard
1034
1035	idle_timelimit 3600
1036
1037	pam_password exop
1038
1039	nss_base_passwd ou=People,dc=abmas,dc=biz?one
1040	nss_base_shadow ou=People,dc=abmas,dc=biz?one
1041	nss_base_group ou=Groups,dc=abmas,dc=biz?one
1042
1043	ssl off
1044	</pre></div></div><br class="example-break"><ol type="1"><li><p>
1045	<a class="indexterm" name="id2574706"></a>
1046	<a class="indexterm" name="id2574713"></a>
1047	<a class="indexterm" name="id2574720"></a>
1048	Execute the following command to find where the <code class="filename">nss_ldap</code> module
1049	expects to find its control file:
1050	</p><pre class="screen">
1051	<code class="prompt">root# </code> strings /lib/libnss_ldap.so.2 \| grep conf
1052	</pre><p>
1053	The preferred and usual location is <code class="filename">/etc/ldap.conf</code>.
1054	</p></li><li><p>
1055	On the server <code class="constant">MASSIVE</code>, install the file shown in
1056	<a class="link" href="happy.html#sbehap-nss01" title="Example 5.4. Configuration File for NSS LDAP Support /etc/ldap.conf">“Configuration File for NSS LDAP Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
1057	On the servers called <code class="constant">BLDG1</code> and <code class="constant">BLDG2</code>, install the file shown in
1058	<a class="link" href="happy.html#sbehap-nss02" title="Example 5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf">“Configuration File for NSS LDAP Clients Support /etc/ldap.conf”</a> into the path that was obtained from the step above.
1059	</p></li><li><p>
1060	<a class="indexterm" name="id2574854"></a>
1061	Edit the NSS control file (<code class="filename">/etc/nsswitch.conf</code>) so that the lines that
1062	control user and group resolution will obtain information from the normal system files as
1063	well as from <code class="literal">ldap</code>:
1064	</p><pre class="screen">
1065	passwd: files ldap
1066	shadow: files ldap
1067	group: files ldap
1068	hosts: files dns wins
1069	</pre><p>
1070	Later, when the LDAP database has been initialized and user and group accounts have been
1071	added, you can validate resolution of the LDAP resolver process. The inclusion of
1072	WINS-based hostname resolution is deliberate so that all MS Windows client hostnames can be
1073	resolved to their IP addresses, whether or not they are DHCP clients.
1074	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1075	Some Linux systems (Novell SUSE Linux in particular) add entries to the <code class="filename">nsswitch.conf</code>
1076	file that may cause operational problems with the configuration methods adopted in this book. It is
1077	advisable to comment out the entries <code class="constant">passwd_compat</code> and <code class="constant">group_compat</code>
1078	where they are found in this file.
1079	</p></div><p>
1080	Even at the risk of overstating the issue, incorrect and inappropriate configuration of the
1081	<code class="filename">nsswitch.conf</code> file is a significant cause of operational problems with LDAP.
1082	</p></li><li><p>
1083	<a class="indexterm" name="id2574929"></a>
1084	For PAM LDAP configuration on this SUSE Linux 9.0 system, the simplest solution is to edit the following
1085	files in the <code class="filename">/etc/pam.d</code> directory: <code class="literal">login</code>, <code class="literal">password</code>,
1086	<code class="literal">samba</code>, <code class="literal">sshd</code>. In each file, locate every entry that has the
1087	<code class="literal">pam_unix2.so</code> entry and add to the line the entry <code class="literal">use_ldap</code> as shown
1088	for the <code class="literal">login</code> module in this example:
1089	</p><pre class="screen">
1090	#%PAM-1.0
1091	auth requisite pam_unix2.so nullok use_ldap #set_secrpc
1092	auth required pam_securetty.so
1093	auth required pam_nologin.so
1094	#auth required pam_homecheck.so
1095	auth required pam_env.so
1096	auth required pam_mail.so
1097	account required pam_unix2.so use_ldap
1098	password required pam_pwcheck.s nullok
1099	password required pam_unix2.so nullok use_first_pass \
1100	use_authtok use_ldap
1101	session required pam_unix2.so none use_ldap # debug or trace
1102	session required pam_limits.so
1103	</pre><p>
1104	</p><p>
1105	<a class="indexterm" name="id2575008"></a>
1106	On other Linux systems that do not have an LDAP-enabled <code class="literal">pam_unix2.so</code> module,
1107	you must edit these files by adding the <code class="literal">pam_ldap.so</code> modules as shown here:
1108	</p><pre class="screen">
1109	#%PAM-1.0
1110	auth required pam_securetty.so
1111	auth required pam_nologin.so
1112	auth sufficient pam_ldap.so
1113	auth required pam_unix2.so nullok try_first_pass #set_secrpc
1114	account sufficient pam_ldap.so
1115	account required pam_unix2.so
1116	password required pam_pwcheck.so nullok
1117	password required pam_ldap.so use_first_pass use_authtok
1118	password required pam_unix2.so nullok use_first_pass use_authtok
1119	session required pam_unix2.so none # debug or trace
1120	session required pam_limits.so
1121	session required pam_env.so
1122	session optional pam_mail.so
1123	</pre><p>
1124	This example does have the LDAP-enabled <code class="literal">pam_unix2.so</code>, but simply
1125	demonstrates the use of the <code class="literal">pam_ldap.so</code> module. You can use either
1126	implementation, but if the <code class="literal">pam_unix2.so</code> on your system supports
1127	LDAP, you probably want to use it rather than add an additional module.
1128	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-massive"></a>Samba-3 PDC Configuration</h3></div></div></div><p>
1129	<a class="indexterm" name="id2575091"></a>
1130	Verify that the Samba-3.0.20 (or later) packages are installed on each SUSE Linux server
1131	before following the steps below. If Samba-3.0.20 (or later) is not installed, you have the
1132	choice to either build your own or obtain the packages from a dependable source.
1133	Packages for SUSE Linux 8.x, 9.x, and SUSE Linux Enterprise Server 9, as well as for
1134	Red Hat Fedora Core and Red Hat Enterprise Linux Server 3 and 4, are included on the CD-ROM that
1135	is included with this book.
1136	</p><div class="procedure"><a name="id2575107"></a><p class="title"><b>Procedure 5.4. Configuration of PDC Called <code class="constant">MASSIVE</code></b></p><ol type="1"><li><p>
1137	Install the files in <a class="link" href="happy.html#sbehap-massive-smbconfa" title="Example 5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part A”</a>,
1138	<a class="link" href="happy.html#sbehap-massive-smbconfb" title="Example 5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B">“LDAP Based smb.conf File, Server: MASSIVE global Section: Part B”</a>, <a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>,
1139	and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a> into the <code class="filename">/etc/samba/</code>
1140	directory. The three files should be added together to form the <code class="filename">smb.conf</code>
1141	master file. It is a good practice to call this file something like
1142	<code class="filename">smb.conf.master</code> and then to perform all file edits
1143	on the master file. The operational <code class="filename">smb.conf</code> is then generated as shown in
1144	the next step.
1145	</p></li><li><p>
1146	<a class="indexterm" name="id2575184"></a>
1147	Create and verify the contents of the <code class="filename">smb.conf</code> file that is generated by:
1148	</p><pre class="screen">
1149	<code class="prompt">root# </code> testparm -s smb.conf.master > smb.conf
1150	</pre><p>
1151	Immediately follow this with the following:
1152	</p><pre class="screen">
1153	<code class="prompt">root# </code> testparm
1154	</pre><p>
1155	The output that is created should be free from errors, as shown here:
1156
1157	</p><pre class="screen">
1158	Load smb config files from /etc/samba/smb.conf
1159	Processing section "[accounts]"
1160	Processing section "[service]"
1161	Processing section "[pidata]"
1162	Processing section "[homes]"
1163	Processing section "[printers]"
1164	Processing section "[apps]"
1165	Processing section "[netlogon]"
1166	Processing section "[profiles]"
1167	Processing section "[profdata]"
1168	Processing section "[print$]"
1169	Loaded services file OK.
1170	Server role: ROLE_DOMAIN_PDC
1171	Press enter to see a dump of your service definitions
1172	</pre><p>
1173	</p></li><li><p>
1174	Delete all runtime files from prior Samba operation by executing (for SUSE
1175	Linux):
1176	</p><pre class="screen">
1177	<code class="prompt">root# </code> rm /etc/samba/*tdb
1178	<code class="prompt">root# </code> rm /var/lib/samba/*tdb
1179	<code class="prompt">root# </code> rm /var/lib/samba/*dat
1180	<code class="prompt">root# </code> rm /var/log/samba/*
1181	</pre><p>
1182	</p></li><li><p>
1183	<a class="indexterm" name="id2575283"></a>
1184	<a class="indexterm" name="id2575290"></a>
1185	Samba-3 communicates with the LDAP server. The password that it uses to
1186	authenticate to the LDAP server must be stored in the <code class="filename">secrets.tdb</code>
1187	file. Execute the following to create the new <code class="filename">secrets.tdb</code> files
1188	and store the password for the LDAP Manager:
1189	</p><pre class="screen">
1190	<code class="prompt">root# </code> smbpasswd -w not24get
1191	</pre><p>
1192	The expected output from this command is:
1193	</p><pre class="screen">
1194	Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
1195	</pre><p>
1196	</p></li><li><p>
1197	<a class="indexterm" name="id2575339"></a>
1198	<a class="indexterm" name="id2575345"></a>
1199	Samba-3 generates a Windows Security Identifier (SID) only when <code class="literal">smbd</code>
1200	has been started. For this reason, you start Samba. After a few seconds delay,
1201	execute:
1202	</p><pre class="screen">
1203	<code class="prompt">root# </code> smbclient -L localhost -U%
1204	<code class="prompt">root# </code> net getlocalsid
1205	</pre><p>
1206	A report such as the following means that the domain SID has not yet
1207	been written to the <code class="filename">secrets.tdb</code> or to the LDAP backend:
1208	</p><pre class="screen">
1209	[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
1210	failed to bind to server ldap://massive.abmas.biz
1211	with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
1212	(unknown)
1213	[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
1214	smbldap_search_suffix: Problem during the LDAP search:
1215	(unknown) (Timed out)
1216	</pre><p>
1217	The attempt to read the SID will cause and attempted bind to the LDAP server. Because the LDAP server
1218	is not running, this operation will fail by way of a timeout, as shown previously. This is
1219	normal output; do not worry about this error message. When the domain has been created and
1220	written to the <code class="filename">secrets.tdb</code> file, the output should look like this:
1221	</p><pre class="screen">
1222	SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
1223	</pre><p>
1224	If, after a short delay (a few seconds), the domain SID has still not been written to
1225	the <code class="filename">secrets.tdb</code> file, it is necessary to investigate what
1226	may be misconfigured. In this case, carefully check the <code class="filename">smb.conf</code> file for typographical
1227	errors (the most common problem). The use of the <code class="literal">testparm</code> is highly
1228	recommended to validate the contents of this file.
1229	</p></li><li><p>
1230	When a positive domain SID has been reported, stop Samba.
1231	</p></li><li><p>
1232	<a class="indexterm" name="id2575457"></a>
1233	<a class="indexterm" name="id2575464"></a>
1234	<a class="indexterm" name="id2575471"></a>
1235	<a class="indexterm" name="id2575478"></a>
1236	Configure the NFS server for your Linux system. So you can complete the steps that
1237	follow, enter into the <code class="filename">/etc/exports</code> the following entry:
1238	</p><pre class="screen">
1239	/home *(rw,root_squash,sync)
1240	</pre><p>
1241	This permits the user home directories to be used on the BDC servers for testing
1242	purposes. You, of course, decide what is the best way for your site to distribute
1243	data drives, and you create suitable backup and restore procedures for Abmas
1244	I'd strongly recommend that for normal operation the BDC is completely independent
1245	of the PDC. rsync is a useful tool here, as it resembles the NT replication service quite
1246	closely. If you do use NFS, do not forget to start the NFS server as follows:
1247	</p><pre class="screen">
1248	<code class="prompt">root# </code> rcnfsserver start
1249	</pre><p>
1250	</p></li></ol></div><p>
1251	Your Samba-3 PDC is now ready to communicate with the LDAP password backend. Let's get on with
1252	configuration of the LDAP server.
1253	</p><div class="example"><a name="sbehap-massive-smbconfa"></a><p class="title"><b>Example 5.6. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2575564"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2575576"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2575588"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2575600"></a><em class="parameter"><code>interfaces = eth1, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2575611"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575623"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575636"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575648"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2575660"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2575671"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2575683"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2575694"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2575706"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2575718"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2575730"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575742"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2575753"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2575766"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575778"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575790"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575803"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575815"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575828"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2575841"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2575854"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-massive-smbconfb"></a><p class="title"><b>Example 5.7. LDAP Based <code class="filename">smb.conf</code> File, Server: MASSIVE global Section: Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2575892"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2575904"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2575916"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2575927"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575939"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575951"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2575962"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2575974"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575986"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2575998"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2576010"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2576022"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576034"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2576047"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576058"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2576070"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2576082"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2576094"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeidealx"></a>Install and Configure Idealx smbldap-tools Scripts</h3></div></div></div><p>
1254	<a class="indexterm" name="id2576120"></a>
1255	The Idealx scripts, or equivalent, are necessary to permit Samba-3 to manage accounts
1256	on the LDAP server. You have chosen the Idealx scripts because they are the best-known
1257	LDAP configuration scripts. The use of these scripts will help avoid the necessity
1258	to create custom scripts. It is easy to download them from the Idealx
1259	<a class="ulink" href="http://samba.idealx.org/index.en.html" target="_top">Web site</a>. The tarball may
1260	be directly <a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1.tgz" target="_top">downloaded</a>
1261	from this site also. Alternatively, you may obtain the
1262	<a class="ulink" href="http://samba.idealx.org/dist/smbldap-tools-0.9.1-1.src.rpm" target="_top">smbldap-tools-0.9.1-1.src.rpm</a>
1263	file that may be used to build an installable RPM package for your Linux system.
1264	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1265	The smbldap-tools scripts can be installed in any convenient directory of your choice, in which case you must
1266	change the path to them in your <code class="filename">smb.conf</code> file on the PDC (<code class="constant">MASSIVE</code>).
1267	</p></div><p>
1268	The smbldap-tools are located in <code class="filename">/opt/IDEALX/sbin</code>.
1269	The scripts are not needed on BDC machines because all LDAP updates are handled by
1270	the PDC alone.
1271	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576187"></a>Installation of smbldap-tools from the Tarball</h4></div></div></div><p>
1272	To perform a manual installation of the smbldap-tools scripts, the following procedure may be used:
1273	</p><div class="procedure"><a name="idealxscript"></a><p class="title"><b>Procedure 5.5. Unpacking and Installation Steps for the <code class="constant">smbldap-tools</code> Tarball</b></p><ol type="1"><li><p>
1274	Create the <code class="filename">/opt/IDEALX/sbin</code> directory, and set its permissions
1275	and ownership as shown here:
1276	</p><pre class="screen">
1277	<code class="prompt">root# </code> mkdir -p /opt/IDEALX/sbin
1278	<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin
1279	<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin
1280	<code class="prompt">root# </code> mkdir -p /etc/smbldap-tools
1281	<code class="prompt">root# </code> chown root:root /etc/smbldap-tools
1282	<code class="prompt">root# </code> chmod 755 /etc/smbldap-tools
1283	</pre><p>
1284	</p></li><li><p>
1285	If you wish to use the downloaded tarball, unpack the smbldap-tools in a suitable temporary location.
1286	Change into either the directory extracted from the tarball or the smbldap-tools
1287	directory in your <code class="filename">/usr/share/doc/packages</code> directory tree.
1288	</p></li><li><p>
1289	Copy all the <code class="filename">smbldap-*</code> and the <code class="filename">configure.pl</code> files into the
1290	<code class="filename">/opt/IDEALX/sbin</code> directory, as shown here:
1291	</p><pre class="screen">
1292	<code class="prompt">root# </code> cd smbldap-tools-0.9.1/
1293	<code class="prompt">root# </code> cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/
1294	<code class="prompt">root# </code> cp smbldap*conf /etc/smbldap-tools/
1295	<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/smbldap-*
1296	<code class="prompt">root# </code> chmod 750 /opt/IDEALX/sbin/configure.pl
1297	<code class="prompt">root# </code> chmod 640 /etc/smbldap-tools/smbldap.conf
1298	<code class="prompt">root# </code> chmod 600 /etc/smbldap-tools/smbldap_bind.conf
1299	</pre><p>
1300	</p></li><li><p>
1301	The smbldap-tools scripts master control file must now be configured.
1302	Change to the <code class="filename">/opt/IDEALX/sbin</code> directory, then edit the
1303	<code class="filename">smbldap_tools.pm</code> to affect the changes
1304	shown here:
1305	</p><pre class="screen">
1306	...
1307	# ugly funcs using global variables and spawning openldap clients
1308
1309	my $smbldap_conf="/etc/smbldap-tools/smbldap.conf";
1310	my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf";
1311	...
1312	</pre><p>
1313	</p></li><li><p>
1314	To complete the configuration of the smbldap-tools, set the permissions and ownership
1315	by executing the following commands:
1316	</p><pre class="screen">
1317	<code class="prompt">root# </code> chown root:root /opt/IDEALX/sbin/*
1318	<code class="prompt">root# </code> chmod 755 /opt/IDEALX/sbin/smbldap-*
1319	<code class="prompt">root# </code> chmod 640 /opt/IDEALX/sbin/smb*pm
1320	</pre><p>
1321	The smbldap-tools scripts are now ready for the configuration step outlined in
1322	<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">“Configuration of smbldap-tools”</a>.
1323	</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2576439"></a>Installing smbldap-tools from the RPM Package</h4></div></div></div><p>
1324	In the event that you have elected to use the RPM package provided by Idealx, download the
1325	source RPM <code class="filename">smbldap-tools-0.9.1-1.src.rpm</code>, then follow this procedure:
1326	</p><div class="procedure"><a name="id2576457"></a><p class="title"><b>Procedure 5.6. Installation Steps for <code class="constant">smbldap-tools</code> RPM's</b></p><ol type="1"><li><p>
1327	Install the source RPM that has been downloaded as follows:
1328	</p><pre class="screen">
1329	<code class="prompt">root# </code> rpm -i smbldap-tools-0.9.1-1.src.rpm
1330	</pre><p>
1331	</p></li><li><p>
1332	Change into the directory in which the SPEC files are located. On SUSE Linux:
1333	</p><pre class="screen">
1334	<code class="prompt">root# </code> cd /usr/src/packages/SPECS
1335	</pre><p>
1336	On Red Hat Linux systems:
1337	</p><pre class="screen">
1338	<code class="prompt">root# </code> cd /usr/src/redhat/SPECS
1339	</pre><p>
1340	</p></li><li><p>
1341	Edit the <code class="filename">smbldap-tools.spec</code> file to change the value of the
1342	<code class="constant">_sysconfig</code> macro as shown here:
1343	</p><pre class="screen">
1344	%define _prefix /opt/IDEALX
1345	%define _sysconfdir /etc
1346	</pre><p>
1347	Note: Any suitable directory can be specified.
1348	</p></li><li><p>
1349	Build the package by executing:
1350	</p><pre class="screen">
1351	<code class="prompt">root# </code> rpmbuild -ba -v smbldap-tools.spec
1352	</pre><p>
1353	A build process that has completed without error will place the installable binary
1354	files in the directory <code class="filename">../RPMS/noarch</code>.
1355	</p></li><li><p>
1356	Install the binary package by executing:
1357	</p><pre class="screen">
1358	<code class="prompt">root# </code> rpm -Uvh ../RPMS/noarch/smbldap-tools-0.9.1-1.noarch.rpm
1359	</pre><p>
1360	</p></li></ol></div><p>
1361	The Idealx scripts should now be ready for configuration using the steps outlined in
1362	<a class="link" href="happy.html#smbldap-init" title="Configuration of smbldap-tools">Configuration of smbldap-tools</a>.
1363	</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="smbldap-init"></a>Configuration of smbldap-tools</h4></div></div></div><p>
1364	Prior to use, the smbldap-tools must be configured to match the settings in the <code class="filename">smb.conf</code> file
1365	and to match the settings in the <code class="filename">/etc/openldap/slapd.conf</code> file. The assumption
1366	is made that the <code class="filename">smb.conf</code> file has correct contents. The following procedure ensures that
1367	this is completed correctly:
1368	</p><p>
1369	The smbldap-tools require that the NetBIOS name (machine name) of the Samba server be included
1370	in the <code class="filename">smb.conf</code> file.
1371	</p><div class="procedure"><a name="id2576652"></a><p class="title"><b>Procedure 5.7. Configuration Steps for <code class="constant">smbldap-tools</code> to Enable Use</b></p><ol type="1"><li><p>
1372	Change into the directory that contains the <code class="filename">configure.pl</code> script.
1373	</p><pre class="screen">
1374	<code class="prompt">root# </code> cd /opt/IDEALX/sbin
1375	</pre><p>
1376	</p></li><li><p>
1377	Execute the <code class="filename">configure.pl</code> script as follows:
1378	</p><pre class="screen">
1379	<code class="prompt">root# </code> ./configure.pl
1380	</pre><p>
1381	The interactive use of this script for the PDC is demonstrated here:
1382	</p><pre class="screen">
1383	<code class="prompt">root# </code> /opt/IDEALX/sbin/configure.pl
1384	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1385	smbldap-tools script configuration
1386	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1387	Before starting, check
1388	. if your samba controller is up and running.
1389	. if the domain SID is defined (you can get it with the
1390	'net getlocalsid')
1391
1392	. you can leave the configuration using the Crtl-c key combination
1393	. empty value can be set with the "." character
1394	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1395	Looking for configuration files...
1396
1397	Samba Config File Location [/etc/samba/smb.conf] >
1398	smbldap-tools configuration file Location (global parameters)
1399	[/etc/opt/IDEALX/smbldap-tools/smbldap.conf] >
1400	smbldap Config file Location (bind parameters)
1401	[/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf] >
1402	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1403	Let's start configuring the smbldap-tools scripts ...
1404
1405	. workgroup name: name of the domain Samba act as a PDC
1406	workgroup name [MEGANET2] >
1407	. netbios name: netbios name of the samba controler
1408	netbios name [MASSIVE] >
1409	. logon drive: local path to which the home directory
1410	will be connected (for NT Workstations). Ex: 'H:'
1411	logon drive [H:] >
1412	. logon home: home directory location (for Win95/98 or NT Workstation)
1413	(use %U as username) Ex:'\\MASSIVE\%U'
1414	logon home (press the "." character if you don't want homeDirectory)
1415	[\\MASSIVE\%U] >
1416	. logon path: directory where roaming profiles are stored.
1417	Ex:'\\MASSIVE\profiles\%U'
1418	logon path (press the "." character
1419	if you don't want roaming profile) [\\%L\profiles\%U] >
1420	. home directory prefix (use %U as username)
1421	[/home/%U] > /data/users/%U
1422	. default users' homeDirectory mode [700] >
1423	. default user netlogon script (use %U as username)
1424	[scripts\logon.bat] >
1425	default password validation time (time in days) [45] > 900
1426	. ldap suffix [dc=abmas,dc=biz] >
1427	. ldap group suffix [ou=Groups] >
1428	. ldap user suffix [ou=People,ou=Users] >
1429	. ldap machine suffix [ou=Computers,ou=Users] >
1430	. Idmap suffix [ou=Idmap] >
1431	. sambaUnixIdPooldn: object where you want to store the next uidNumber
1432	and gidNumber available for new users and groups
1433	sambaUnixIdPooldn object (relative to ${suffix})
1434	[sambaDomainName=MEGANET2] >
1435	. ldap master server: IP adress or DNS name of the master
1436	(writable) ldap server
1437	ldap master server [massive.abmas.biz] >
1438	. ldap master port [389] >
1439	. ldap master bind dn [cn=Manager,dc=abmas,dc=biz] >
1440	. ldap master bind password [] >
1441	. ldap slave server: IP adress or DNS name of the slave ldap server:
1442	can also be the master one
1443	ldap slave server [massive.abmas.biz] >
1444	. ldap slave port [389] >
1445	. ldap slave bind dn [cn=Manager,dc=abmas,dc=biz] >
1446	. ldap slave bind password [] >
1447	. ldap tls support (1/0) [0] >
1448	. SID for domain MEGANET2: SID of the domain
1449	(can be obtained with 'net getlocalsid MASSIVE')
1450	SID for domain MEGANET2
1451	[S-1-5-21-3504140859-1010554828-2431957765]] >
1452	. unix password encryption: encryption used for unix passwords
1453	unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
1454	. default user gidNumber [513] >
1455	. default computer gidNumber [515] >
1456	. default login shell [/bin/bash] >
1457	. default skeleton directory [/etc/skel] >
1458	. default domain name to append to mail adress [] > abmas.biz
1459	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1460	backup old configuration files:
1461	/etc/opt/IDEALX/smbldap-tools/smbldap.conf->
1462	/etc/opt/IDEALX/smbldap-tools/smbldap.conf.old
1463	/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf->
1464	/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf.old
1465	writing new configuration file:
1466	/etc/opt/IDEALX/smbldap-tools/smbldap.conf done.
1467	/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf done.
1468	</pre><p>
1469	Since a slave LDAP server has not been configured, it is necessary to specify the IP
1470	address of the master LDAP server for both the master and the slave configuration
1471	prompts.
1472	</p></li><li><p>
1473	Change to the directory that contains the <code class="filename">smbldap.conf</code> file,
1474	then verify its contents.
1475	</p></li></ol></div><p>
1476	The smbldap-tools are now ready for use.
1477	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2576854"></a>LDAP Initialization and Creation of User and Group Accounts</h3></div></div></div><p>
1478	The LDAP database must be populated with well-known Windows domain user accounts and domain group
1479	accounts before Samba can be used. The following procedures step you through the process.
1480	</p><p>
1481	At this time, Samba-3 requires that on a PDC all UNIX (POSIX) group accounts that are
1482	mapped (linked) to Windows domain group accounts must be in the LDAP database. It does not
1483	hurt to have UNIX user and group accounts in both the system files as well as in the LDAP
1484	database. From a UNIX system perspective, the NSS resolver checks system files before
1485	referring to LDAP. If the UNIX system can resolve (find) an account in the system file, it
1486	does not need to ask LDAP.
1487	</p><p>
1488	Addition of an account to the LDAP backend can be done in two ways:
1489	</p><div class="itemizedlist"><ul type="disc"><li><p>
1490	<a class="indexterm" name="id2576888"></a>
1491	<a class="indexterm" name="id2576894"></a>
1492	<a class="indexterm" name="id2576901"></a>
1493	<a class="indexterm" name="id2576908"></a>
1494	<a class="indexterm" name="id2576915"></a>
1495	<a class="indexterm" name="id2576922"></a>
1496	If you always have a user account in the <code class="filename">/etc/passwd</code> on every
1497	server or in a NIS(+) backend, it is not necessary to add POSIX accounts for them in
1498	LDAP. In this case, you can add Windows domain user accounts using the
1499	<code class="literal">pdbedit</code> utility. Use of this tool from the command line adds the
1500	SambaSamAccount entry for the user, but does not add the PosixAccount entry for the user.
1501	</p><p>
1502	This is the least desirable method because when LDAP is used as the passwd backend Samba
1503	expects the POSIX account to be in LDAP also. It is possible to use the PADL account
1504	migration tool to migrate all system accounts from either the <code class="filename">/etc/passwd</code>
1505	files, or from NIS, to LDAP.
1506	</p></li><li><p>
1507	If you decide that it is probably a good idea to add both the PosixAccount attributes
1508	as well as the SambaSamAccount attributes for each user, then a suitable script is needed.
1509	In the example system you are installing in this exercise, you are making use of the
1510	Idealx smbldap-tools scripts. A copy of these tools, preconfigured for this system,
1511	is included on the enclosed CD-ROM under <code class="filename">Chap06/Tools.</code>
1512	</p></li></ul></div><p>
1513	<a class="indexterm" name="id2576982"></a>
1514	If you wish to have more control over how the LDAP database is initialized or
1515	if you don't want to use the Idealx smbldap-tools, you should refer to
1516	<a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#altldapcfg" title="Alternative LDAP Database Initialization">“Alternative LDAP Database Initialization”</a>.
1517	</p><p>
1518	<a class="indexterm" name="id2577009"></a>
1519	The following steps initialize the LDAP database, and then you can add user and group
1520	accounts that Samba can use. You use the <code class="literal">smbldap-populate</code> to
1521	seed the LDAP database. You then manually add the accounts shown in <a class="link" href="happy.html#sbehap-bigacct" title="Table 5.3. Abmas Network Users and Groups">“Abmas Network Users and Groups”</a>.
1522	The list of users does not cover all 500 network users; it provides examples only.
1523	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
1524	<a class="indexterm" name="id2577038"></a>
1525	<a class="indexterm" name="id2577047"></a>
1526	<a class="indexterm" name="id2577056"></a>
1527	In the following examples, as the LDAP database is initialized, we do create a container
1528	for Computer (machine) accounts. In the Samba-3 <code class="filename">smb.conf</code> files, specific use is made
1529	of the People container, not the Computers container, for domain member accounts. This is not a
1530	mistake; it is a deliberate action that is necessitated by the fact that the resolution of
1531	a machine (computer) account to a UID is done via NSS. The only way this can be handled is
1532	using the NSS (<code class="filename">/etc/nsswitch.conf</code>) entry for <code class="constant">passwd</code>,
1533	which is resolved using the <code class="filename">nss_ldap</code> library. The configuration file for
1534	the <code class="filename">nss_ldap</code> library is the file <code class="filename">/etc/ldap.conf</code> that
1535	provides only one possible LDAP search command that is specified by the entry called
1536	<code class="constant">nss_base_passwd</code>. This means that the search path must take into account
1537	the directory structure so that the LDAP search will commence at a level that is above
1538	both the Computers container and the Users (or People) container. If this is done, it is
1539	necessary to use a search that will descend the directory tree so that the machine account
1540	can be found. Alternatively, by placing all machine accounts in the People container, we
1541	are able to sidestep this limitation. This is the simpler solution that has been adopted
1542	in this chapter.
1543	</p></div><div class="table"><a name="sbehap-bigacct"></a><p class="title"><b>Table 5.3. Abmas Network Users and Groups</b></p><div class="table-contents"><table summary="Abmas Network Users and Groups" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="center">Account Name</th><th align="center">Type</th><th align="center">ID</th><th align="center">Password</th></tr></thead><tbody><tr><td align="left">Robert Jordan</td><td align="left">User</td><td align="left">bobj</td><td align="left">n3v3r2l8</td></tr><tr><td align="left">Stanley Soroka</td><td align="left">User</td><td align="left">stans</td><td align="left">impl13dst4r</td></tr><tr><td align="left">Christine Roberson</td><td align="left">User</td><td align="left">chrisr</td><td align="left">S9n0nw4ll</td></tr><tr><td align="left">Mary Vortexis</td><td align="left">User</td><td align="left">maryv</td><td align="left">kw13t0n3</td></tr><tr><td align="left">Accounts</td><td align="left">Group</td><td align="left">Accounts</td><td align="left"> </td></tr><tr><td align="left">Finances</td><td align="left">Group</td><td align="left">Finances</td><td align="left"> </td></tr><tr><td align="left">Insurance</td><td align="left">Group</td><td align="left">PIOps</td><td align="left"> </td></tr></tbody></table></div></div><br class="table-break"><div class="procedure"><a name="creatacc"></a><p class="title"><b>Procedure 5.8. LDAP Directory Initialization Steps</b></p><ol type="1"><li><p>
1544	Start the LDAP server by executing:
1545	</p><pre class="screen">
1546	<code class="prompt">root# </code> rcldap start
1547	Starting ldap-server done
1548	</pre><p>
1549	</p></li><li><p>
1550	Change to the <code class="filename">/opt/IDEALX/sbin</code> directory.
1551	</p></li><li><p>
1552	Execute the script that will populate the LDAP database as shown here:
1553	</p><pre class="screen">
1554	<code class="prompt">root# </code> ./smbldap-populate -a root -k 0 -m 0
1555	</pre><p>
1556	The expected output from this is:
1557	</p><pre class="screen">
1558	Using workgroup name from smb.conf: sambaDomainName=MEGANET2
1559	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1560	=> Warning: you must update smbldap.conf configuration file to :
1561	=> sambaUnixIdPooldn parameter must be set
1562	to "sambaDomainName=MEGANET2,dc=abmas,dc=biz"
1563	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
1564	Using builtin directory structure
1565	adding new entry: dc=abmas,dc=biz
1566	adding new entry: ou=People,dc=abmas,dc=biz
1567	adding new entry: ou=Groups,dc=abmas,dc=biz
1568	entry ou=People,dc=abmas,dc=biz already exist.
1569	adding new entry: ou=Idmap,dc=abmas,dc=biz
1570	adding new entry: sambaDomainName=MEGANET2,dc=abmas,dc=biz
1571	adding new entry: uid=root,ou=People,dc=abmas,dc=biz
1572	adding new entry: uid=nobody,ou=People,dc=abmas,dc=biz
1573	adding new entry: cn=Domain Admins,ou=Groups,dc=abmas,dc=biz
1574	adding new entry: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
1575	adding new entry: cn=Domain Guests,ou=Groups,dc=abmas,dc=biz
1576	adding new entry: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1577	adding new entry: cn=Administrators,ou=Groups,dc=abmas,dc=biz
1578	adding new entry: cn=Print Operators,ou=Groups,dc=abmas,dc=biz
1579	adding new entry: cn=Backup Operators,ou=Groups,dc=abmas,dc=biz
1580	adding new entry: cn=Replicators,ou=Groups,dc=abmas,dc=biz
1581	</pre><p>
1582	</p></li><li><p>
1583	Edit the <code class="filename">/etc/smbldap-tools/smbldap.conf</code> file so that the following
1584	information is changed from:
1585	</p><pre class="screen">
1586	# Where to store next uidNumber and gidNumber available
1587	sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1588	</pre><p>
1589	to read, after modification:
1590	</p><pre class="screen">
1591	# Where to store next uidNumber and gidNumber available
1592	#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1593	sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
1594	</pre><p>
1595	</p></li><li><p>
1596	It is necessary to restart the LDAP server as shown here:
1597	</p><pre class="screen">
1598	<code class="prompt">root# </code> rcldap restart
1599	Shutting down ldap-server done
1600	Starting ldap-server done
1601	</pre><p>
1602	</p></li><li><p>
1603	<a class="indexterm" name="id2577476"></a>
1604	So that we can use a global IDMAP repository, the LDAP directory must have a container object for IDMAP data.
1605	There are several ways you can check that your LDAP database is able to receive IDMAP information. One of
1606	the simplest is to execute:
1607	</p><pre class="screen">
1608	<code class="prompt">root# </code> slapcat \| grep -i idmap
1609	dn: ou=Idmap,dc=abmas,dc=biz
1610	ou: idmap
1611	</pre><p>
1612	<a class="indexterm" name="id2577500"></a>
1613	If the execution of this command does not return IDMAP entries, you need to create an LDIF
1614	template file (see <a class="link" href="happy.html#sbehap-ldifadd" title="Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF">“LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF”</a>). You can add the required entries using
1615	the following command:
1616	</p><pre class="screen">
1617	<code class="prompt">root# </code> ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \
1618	-w not24get < /etc/openldap/idmap.LDIF
1619	</pre><p>
1620	Samba automatically populates this LDAP directory container when it needs to.
1621	</p></li><li><p>
1622	<a class="indexterm" name="id2577540"></a>
1623	It looks like all has gone well, as expected. Let's confirm that this is the case
1624	by running a few tests. First we check the contents of the database directly
1625	by running <code class="literal">slapcat</code> as follows (the output has been cut down):
1626	</p><pre class="screen">
1627	<code class="prompt">root# </code> slapcat
1628	dn: dc=abmas,dc=biz
1629	objectClass: dcObject
1630	objectClass: organization
1631	dc: abmas
1632	o: abmas
1633	structuralObjectClass: organization
1634	entryUUID: 5ab02bf6-c536-1027-9d29-b1f32350fb43
1635	creatorsName: cn=Manager,dc=abmas,dc=biz
1636	createTimestamp: 20031217234200Z
1637	entryCSN: 2003121723:42:00Z#0x0001#0#0000
1638	modifiersName: cn=Manager,dc=abmas,dc=biz
1639	modifyTimestamp: 20031217234200Z
1640	...
1641	dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1642	objectClass: posixGroup
1643	objectClass: sambaGroupMapping
1644	gidNumber: 553
1645	cn: Domain Computers
1646	description: Netbios Domain Computers accounts
1647	sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1648	sambaGroupType: 2
1649	displayName: Domain Computers
1650	structuralObjectClass: posixGroup
1651	entryUUID: 5e0a41d8-c536-1027-9d3b-b1f32350fb43
1652	creatorsName: cn=Manager,dc=abmas,dc=biz
1653	createTimestamp: 20031217234206Z
1654	entryCSN: 2003121723:42:06Z#0x0002#0#0000
1655	modifiersName: cn=Manager,dc=abmas,dc=biz
1656	modifyTimestamp: 20031217234206Z
1657	</pre><p>
1658	This looks good so far.
1659	</p></li><li><p>
1660	<a class="indexterm" name="id2577591"></a>
1661	The next step is to prove that the LDAP server is running and responds to a
1662	search request. Execute the following as shown (output has been cut to save space):
1663	</p><pre class="screen">
1664	<code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)"
1665	# extended LDIF
1666	#
1667	# LDAPv3
1668	# base <dc=abmas,dc=biz> with scope sub
1669	# filter: (ObjectClass=*)
1670	# requesting: ALL
1671	#
1672
1673	# abmas.biz
1674	dn: dc=abmas,dc=biz
1675	objectClass: dcObject
1676	objectClass: organization
1677	dc: abmas
1678	o: abmas
1679
1680	# People, abmas.biz
1681	dn: ou=People,dc=abmas,dc=biz
1682	objectClass: organizationalUnit
1683	ou: People
1684	...
1685	# Domain Computers, Groups, abmas.biz
1686	dn: cn=Domain Computers,ou=Groups,dc=abmas,dc=biz
1687	objectClass: posixGroup
1688	objectClass: sambaGroupMapping
1689	gidNumber: 553
1690	cn: Domain Computers
1691	description: Netbios Domain Computers accounts
1692	sambaSID: S-1-5-21-3504140859-1010554828-2431957765-553
1693	sambaGroupType: 2
1694	displayName: Domain Computers
1695
1696	# search result
1697	search: 2
1698	result: 0 Success
1699
1700	# numResponses: 20
1701	# numEntries: 19
1702	</pre><p>
1703	Good. It is all working just fine.
1704	</p></li><li><p>
1705	<a class="indexterm" name="id2577648"></a>
1706	You must now make certain that the NSS resolver can interrogate LDAP also.
1707	Execute the following commands:
1708	</p><pre class="screen">
1709	<code class="prompt">root# </code> getent passwd \| grep root
1710	root:x:998:512:Netbios Domain Administrator:/home:/bin/false
1711
1712	<code class="prompt">root# </code> getent group \| grep Domain
1713	Domain Admins:x:512:root
1714	Domain Users:x:513:
1715	Domain Guests:x:514:
1716	Domain Computers:x:553:
1717	</pre><p>
1718	<a class="indexterm" name="id2577677"></a>
1719	This demonstrates that the <code class="literal">nss_ldap</code> library is functioning
1720	as it should. If these two steps fail to produce this information, refer to
1721	<a class="link" href="happy.html#sbeavoid" title="Avoiding Failures: Solving Problems Before They Happen">“Avoiding Failures: Solving Problems Before They Happen”</a> for diagnostic procedures that can be followed to
1722	isolate the cause of the problem. Proceed to the next step only when the previous steps
1723	have been successfully completed.
1724	</p></li><li><p>
1725	<a class="indexterm" name="id2577708"></a>
1726	<a class="indexterm" name="id2577715"></a>
1727	<a class="indexterm" name="id2577722"></a>
1728	Our database is now ready for the addition of network users. For each user for
1729	whom an account must be created, execute the following:
1730	</p><pre class="screen">
1731	<code class="prompt">root# </code> ./smbldap-useradd -m -a <code class="constant">username</code>
1732	<code class="prompt">root# </code> ./smbldap-passwd <code class="constant">username</code>
1733	Changing password for <code class="constant">username</code>
1734	New password : XXXXXXXX
1735	Retype new password : XXXXXXXX
1736
1737	<code class="prompt">root# </code> smbpasswd <code class="constant">username</code>
1738	New SMB password: XXXXXXXX
1739	Retype new SMB password: XXXXXXXX
1740	</pre><p>
1741	where <code class="constant">username</code> is the login ID for each user.
1742	</p></li><li><p>
1743	<a class="indexterm" name="id2577783"></a>
1744	Now verify that the UNIX (POSIX) accounts can be resolved via NSS by executing the
1745	following:
1746	</p><pre class="screen">
1747	<code class="prompt">root# </code> getent passwd
1748	root:x:0:0:root:/root:/bin/bash
1749	bin:x:1:1:bin:/bin:/bin/bash
1750	...
1751	root:x:0:512:Netbios Domain Administrator:/home:/bin/false
1752	nobody:x:999:514:nobody:/dev/null:/bin/false
1753	bobj:x:1000:513:System User:/home/bobj:/bin/bash
1754	stans:x:1001:513:System User:/home/stans:/bin/bash
1755	chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
1756	maryv:x:1003:513:System User:/home/maryv:/bin/bash
1757	</pre><p>
1758	This demonstrates that user account resolution via LDAP is working.
1759	</p></li><li><p>
1760	This step will determine whether or not identity resolution is working correctly.
1761	Do not procede is this step fails, rather find the cause of the failure. The
1762	<code class="literal">id</code> command may be used to validate your configuration so far,
1763	as shown here:
1764	</p><pre class="screen">
1765	<code class="prompt">root# </code> id chrisr
1766	uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
1767	</pre><p>
1768	This confirms that the UNIX (POSIX) user account information can be resolved from LDAP
1769	by system tools that make a getentpw() system call.
1770	</p></li><li><p>
1771	<a class="indexterm" name="id2577849"></a>
1772	The root account must have UID=0; if not, this means that operations conducted from
1773	a Windows client using tools such as the Domain User Manager fails under UNIX because
1774	the management of user and group accounts requires that the UID=0. Additionally, it is
1775	a good idea to make certain that no matter how root account credentials are resolved,
1776	the home directory and shell are valid. You decide to effect this immediately
1777	as demonstrated here:
1778	</p><pre class="screen">
1779	<code class="prompt">root# </code> cd /opt/IDEALX/sbin
1780	<code class="prompt">root# </code> ./smbldap-usermod -u 0 -d /root -s /bin/bash root
1781	</pre><p>
1782	</p></li><li><p>
1783	Verify that the changes just made to the <code class="constant">root</code> account were
1784	accepted by executing:
1785	</p><pre class="screen">
1786	<code class="prompt">root# </code> getent passwd \| grep root
1787	root:x:0:0:root:/root:/bin/bash
1788	root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
1789	</pre><p>
1790	This demonstrates that the changes were accepted.
1791	</p></li><li><p>
1792	Make certain that a home directory has been created for every user by listing the
1793	directories in <code class="filename">/home</code> as follows:
1794	</p><pre class="screen">
1795	<code class="prompt">root# </code> ls -al /home
1796	drwxr-xr-x 8 root root 176 Dec 17 18:50 ./
1797	drwxr-xr-x 21 root root 560 Dec 15 22:19 ../
1798	drwx------ 7 bobj Domain Users 568 Dec 17 01:16 bobj/
1799	drwx------ 7 chrisr Domain Users 568 Dec 17 01:19 chrisr/
1800	drwx------ 7 maryv Domain Users 568 Dec 17 01:27 maryv/
1801	drwx------ 7 stans Domain Users 568 Dec 17 01:43 stans/
1802	</pre><p>
1803	This is precisely what we want to see.
1804	</p></li><li><p>
1805	<a class="indexterm" name="id2577948"></a>
1806	<a class="indexterm" name="id2577955"></a>
1807	The final validation step involves making certain that Samba-3 can obtain the user
1808	accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
1809	</p><pre class="screen">
1810	<code class="prompt">root# </code> pdbedit -Lv chrisr
1811	Unix username: chrisr
1812	NT username: chrisr
1813	Account Flags: [U ]
1814	User SID: S-1-5-21-3504140859-1010554828-2431957765-3004
1815	Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
1816	Full Name: System User
1817	Home Directory: \\MASSIVE\homes
1818	HomeDir Drive: H:
1819	Logon Script: scripts\login.cmd
1820	Profile Path: \\MASSIVE\profiles\chrisr
1821	Domain: MEGANET2
1822	Account desc: System User
1823	Workstations:
1824	Munged dial:
1825	Logon time: 0
1826	Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
1827	Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
1828	Password last set: Wed, 17 Dec 2003 17:17:40 GMT
1829	Password can change: Wed, 17 Dec 2003 17:17:40 GMT
1830	Password must change: Mon, 18 Jan 2038 20:14:07 GMT
1831	Last bad password : 0
1832	Bad password count : 0
1833	Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
1834	</pre><p>
1835	This looks good. Of course, you fully expected that it would all work, didn't you?
1836	</p></li><li><p>
1837	<a class="indexterm" name="id2578000"></a>
1838	Now you add the group accounts that are used on the Abmas network. Execute
1839	the following exactly as shown:
1840	</p><pre class="screen">
1841	<code class="prompt">root# </code> ./smbldap-groupadd -a Accounts
1842	<code class="prompt">root# </code> ./smbldap-groupadd -a Finances
1843	<code class="prompt">root# </code> ./smbldap-groupadd -a PIOps
1844	</pre><p>
1845	The addition of groups does not involve keyboard interaction, so the lack of console
1846	output is of no concern.
1847	</p></li><li><p>
1848	<a class="indexterm" name="id2578042"></a>
1849	You really do want to confirm that UNIX group resolution from LDAP is functioning
1850	as it should. Let's do this as shown here:
1851	</p><pre class="screen">
1852	<code class="prompt">root# </code> getent group
1853	...
1854	Domain Admins:x:512:root
1855	Domain Users:x:513:bobj,stans,chrisr,maryv
1856	Domain Guests:x:514:
1857	...
1858	Accounts:x:1000:
1859	Finances:x:1001:
1860	PIOps:x:1002:
1861	</pre><p>
1862	The well-known special accounts (Domain Admins, Domain Users, Domain Guests), as well
1863	as our own site-specific group accounts, are correctly listed. This is looking good.
1864	</p></li><li><p>
1865	<a class="indexterm" name="id2578075"></a>
1866	The final step we need to validate is that Samba can see all the Windows domain groups
1867	and that they are correctly mapped to the respective UNIX group account. To do this,
1868	just execute the following command:
1869	</p><pre class="screen">
1870	<code class="prompt">root# </code> net groupmap list
1871	Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
1872	Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
1873	Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
1874	...
1875	Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
1876	Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
1877	PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
1878	</pre><p>
1879	This is looking good. Congratulations it works! Note that in the above output
1880	the lines were shortened by replacing the middle value (1010554828) of the SID with the
1881	ellipsis (...).
1882	</p></li><li><p>
1883	The server you have so carefully built is now ready for another important step. You
1884	start the Samba-3 server and validate its operation. Execute the following to render all
1885	the processes needed fully operative so that, on system reboot, they are automatically
1886	started:
1887	</p><pre class="screen">
1888	<code class="prompt">root# </code> chkconfig named on
1889	<code class="prompt">root# </code> chkconfig dhcpd on
1890	<code class="prompt">root# </code> chkconfig ldap on
1891	<code class="prompt">root# </code> chkconfig nmb on
1892	<code class="prompt">root# </code> chkconfig smb on
1893	<code class="prompt">root# </code> chkconfig winbind on
1894	<code class="prompt">root# </code> rcnmb start
1895	<code class="prompt">root# </code> rcsmb start
1896	<code class="prompt">root# </code> rcwinbind start
1897	</pre><p>
1898	</p></li><li><p>
1899	The next step might seem a little odd at this point, but take note that you are about to
1900	start <code class="literal">winbindd</code>, which must be able to authenticate to the PDC via the
1901	localhost interface with the <code class="literal">smbd</code> process. This account can be
1902	easily created by joining the PDC to the domain by executing the following command:
1903	</p><pre class="screen">
1904	<code class="prompt">root# </code> net rpc join -S MASSIVE -U root%not24get
1905	</pre><p>
1906	Note: Before executing this command on the PDC, both <code class="literal">nmbd</code> and
1907	<code class="literal">smbd</code> must be started so that the <code class="literal">net</code> command
1908	can communicate with <code class="literal">smbd</code>. The expected output is as follows:
1909	</p><pre class="screen">
1910	Joined domain MEGANET2.
1911	</pre><p>
1912	This indicates that the domain security account for the PDC has been correctly created.
1913	</p></li><li><p>
1914	At this time it is necessary to restart <code class="literal">winbindd</code> so that it can
1915	correctly authenticate to the PDC. The following command achieves that:
1916	</p><pre class="screen">
1917	<code class="prompt">root# </code> rcwinbind restart
1918	</pre><p>
1919	</p></li><li><p>
1920	<a class="indexterm" name="id2578290"></a>
1921	You may now check Samba-3 operation as follows:
1922	</p><pre class="screen">
1923	<code class="prompt">root# </code> smbclient -L massive -U%
1924
1925	Sharename Type Comment
1926	--------- ---- -------
1927	IPC$ IPC IPC Service (Samba 3.0.20)
1928	accounts Disk Accounting Files
1929	service Disk Financial Services Files
1930	pidata Disk Property Insurance Files
1931	apps Disk Application Files
1932	netlogon Disk Network Logon Service
1933	profiles Disk Profile Share
1934	profdata Disk Profile Data Share
1935	ADMIN$ IPC IPC Service (Samba 3.0.20)
1936
1937	Server Comment
1938	--------- -------
1939	MASSIVE Samba 3.0.20
1940
1941	Workgroup Master
1942	--------- -------
1943	MEGANET2 MASSIVE
1944	</pre><p>
1945	This shows that an anonymous connection is working.
1946	</p></li><li><p>
1947	For your finale, let's try an authenticated connection:
1948	</p><pre class="screen">
1949	<code class="prompt">root# </code> smbclient //massive/bobj -Ubobj%n3v3r2l8
1950	smb: \> dir
1951	. D 0 Wed Dec 17 01:16:19 2003
1952	.. D 0 Wed Dec 17 19:04:42 2003
1953	bin D 0 Tue Sep 2 04:00:57 2003
1954	Documents D 0 Sun Nov 30 07:28:20 2003
1955	public_html D 0 Sun Nov 30 07:28:20 2003
1956	.urlview H 311 Fri Jul 7 06:55:35 2000
1957	.dvipsrc H 208 Fri Nov 17 11:22:02 1995
1958
1959	57681 blocks of size 524288. 57128 blocks available
1960	smb: \> q
1961	</pre><p>
1962	Well done. All is working fine.
1963	</p></li></ol></div><p>
1964	The server <code class="constant">MASSIVE</code> is now configured, and it is time to move onto the next task.
1965	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbehap-ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1966	<a class="indexterm" name="id2578401"></a>
1967	The configuration for Samba-3 to enable CUPS raw-print-through printing has already been
1968	taken care of in the <code class="filename">smb.conf</code> file. The only preparation needed for <code class="constant">smart</code>
1969	printing to be possible involves creation of the directories in which Samba-3 stores
1970	Windows printing driver files.
1971	</p><div class="procedure"><a name="id2578423"></a><p class="title"><b>Procedure 5.9. Printer Configuration Steps</b></p><ol type="1"><li><p>
1972	Configure all network-attached printers to have a fixed IP address.
1973	</p></li><li><p>
1974	Create an entry in the DNS database on the server <code class="constant">MASSIVE</code>
1975	in both the forward lookup database for the zone <code class="constant">abmas.biz.hosts</code>
1976	and in the reverse lookup database for the network segment that the printer is to
1977	be located in. Example configuration files for similar zones were presented in <a class="link" href="secure.html" title="Chapter 3. Secure Office Networking">“Secure Office Networking”</a>,
1978	<a class="link" href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a> and in <a class="link" href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a>.
1979	</p></li><li><p>
1980	Follow the instructions in the printer manufacturers' manuals to permit printing
1981	to port 9100. Use any other port the manufacturer specifies for direct mode,
1982	raw printing. This allows the CUPS spooler to print using raw mode protocols.
1983	<a class="indexterm" name="id2578484"></a>
1984	<a class="indexterm" name="id2578491"></a>
1985	</p></li><li><p>
1986	<a class="indexterm" name="id2578504"></a>
1987	<a class="indexterm" name="id2578511"></a>
1988	Only on the server to which the printer is attached, configure the CUPS Print
1989	Queues as follows:
1990	</p><pre class="screen">
1991	<code class="prompt">root# </code> lpadmin -p <em class="parameter"><code>printque</code></em>
1992	-v socket://<em class="parameter"><code>printer-name</code></em>.abmas.biz:9100 -E
1993	</pre><p>
1994	<a class="indexterm" name="id2578546"></a>
1995	This step creates the necessary print queue to use no assigned print filter. This
1996	is ideal for raw printing, that is, printing without use of filters.
1997	The name <em class="parameter"><code>printque</code></em> is the name you have assigned for
1998	the particular printer.
1999	</p></li><li><p>
2000	Print queues may not be enabled at creation. Make certain that the queues
2001	you have just created are enabled by executing the following:
2002	</p><pre class="screen">
2003	<code class="prompt">root# </code> /usr/bin/enable <em class="parameter"><code>printque</code></em>
2004	</pre><p>
2005	</p></li><li><p>
2006	Even though your print queue may be enabled, it is still possible that it
2007	may not accept print jobs. A print queue will service incoming printing
2008	requests only when configured to do so. Ensure that your print queue is
2009	set to accept incoming jobs by executing the following commands:
2010	</p><pre class="screen">
2011	<code class="prompt">root# </code> /usr/bin/accept <em class="parameter"><code>printque</code></em>
2012	</pre><p>
2013	</p></li><li><p>
2014	<a class="indexterm" name="id2578628"></a>
2015	<a class="indexterm" name="id2578635"></a>
2016	<a class="indexterm" name="id2578642"></a>
2017	Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
2018	</p><pre class="screen">
2019	application/octet-stream application/vnd.cups-raw 0 -
2020	</pre><p>
2021	</p></li><li><p>
2022	<a class="indexterm" name="id2578670"></a>
2023	Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
2024	</p><pre class="screen">
2025	application/octet-stream
2026	</pre><p>
2027	</p></li><li><p>
2028	Refer to the CUPS printing manual for instructions regarding how to configure
2029	CUPS so that print queues that reside on CUPS servers on remote networks
2030	route print jobs to the print server that owns that queue. The default setting
2031	on your CUPS server may automatically discover remotely installed printers and
2032	may permit this functionality without requiring specific configuration.
2033	</p></li><li><p>
2034	The following action creates the necessary directory subsystem. Follow these
2035	steps to printing heaven:
2036	</p><pre class="screen">
2037	<code class="prompt">root# </code> mkdir -p /var/lib/samba/drivers/{W32ALPHA,W32MIPS,W32X86,WIN40}
2038	<code class="prompt">root# </code> chown -R root:root /var/lib/samba/drivers
2039	<code class="prompt">root# </code> chmod -R ug=rwx,o=rx /var/lib/samba/drivers
2040	</pre><p>
2041	</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sbehap-bldg1"></a>Samba-3 BDC Configuration</h2></div></div></div><div class="procedure"><a name="id2578754"></a><p class="title"><b>Procedure 5.10. Configuration of BDC Called: <code class="constant">BLDG1</code></b></p><ol type="1"><li><p>
2042	Install the files in <a class="link" href="happy.html#sbehap-bldg1-smbconf" title="Example 5.8. LDAP Based smb.conf File, Server: BLDG1">“LDAP Based smb.conf File, Server: BLDG1”</a>,
2043	<a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
2044	into the <code class="filename">/etc/samba/</code> directory. The three files
2045	should be added together to form the <code class="filename">smb.conf</code> file.
2046	</p></li><li><p>
2047	Verify the <code class="filename">smb.conf</code> file as in step 2 of <a class="link" href="happy.html#sbehap-massive" title="Samba-3 PDC Configuration">“Samba-3 PDC Configuration”</a>.
2048	</p></li><li><p>
2049	Carefully follow the steps outlined in <a class="link" href="happy.html#sbehap-PAM-NSS" title="PAM and NSS Client Configuration">“PAM and NSS Client Configuration”</a>, taking
2050	particular note to install the correct <code class="filename">ldap.conf</code>.
2051	</p></li><li><p>
2052	Verify that the NSS resolver is working. You may need to cycle the run level
2053	to 1 and back to 5 before the NSS LDAP resolver functions. Follow these
2054	commands:
2055	</p><pre class="screen">
2056	<code class="prompt">root# </code> init 1
2057	</pre><p>
2058	After the run level has been achieved, you are prompted to provide the
2059	<code class="constant">root</code> password. Log on, and then execute:
2060	</p><pre class="screen">
2061	<code class="prompt">root# </code> init 5
2062	</pre><p>
2063	When the normal logon prompt appears, log into the system as <code class="constant">root</code>
2064	and then execute these commands:
2065	</p><pre class="screen">
2066	<code class="prompt">root# </code> getent passwd
2067	root:x:0:0:root:/root:/bin/bash
2068	bin:x:1:1:bin:/bin:/bin/bash
2069	daemon:x:2:2:Daemon:/sbin:/bin/bash
2070	lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
2071	mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
2072	...
2073	root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
2074	nobody:x:999:514:nobody:/dev/null:/bin/false
2075	bobj:x:1000:513:System User:/home/bobj:/bin/bash
2076	stans:x:1001:513:System User:/home/stans:/bin/bash
2077	chrisr:x:1002:513:System User:/home/chrisr:/bin/bash
2078	maryv:x:1003:513:System User:/home/maryv:/bin/bash
2079	vaioboss$:x:1005:553:vaioboss$:/dev/null:/bin/false
2080	bldg1$:x:1006:553:bldg1$:/dev/null:/bin/false
2081	</pre><p>
2082	This is the correct output. If the accounts that have UIDs above 512 are not shown, there is a problem.
2083	</p></li><li><p>
2084	<a class="indexterm" name="id2578914"></a>
2085	The next step in the verification process involves testing the operation of UNIX group
2086	resolution via the NSS LDAP resolver. Execute these commands:
2087	</p><pre class="screen">
2088	<code class="prompt">root# </code> getent group
2089	root:x:0:
2090	bin:x:1:daemon
2091	daemon:x:2:
2092	sys:x:3:
2093	...
2094	Domain Admins:x:512:root
2095	Domain Users:x:513:bobj,stans,chrisr,maryv,jht
2096	Domain Guests:x:514:
2097	Administrators:x:544:
2098	Users:x:545:
2099	Guests:x:546:nobody
2100	Power Users:x:547:
2101	Account Operators:x:548:
2102	Server Operators:x:549:
2103	Print Operators:x:550:
2104	Backup Operators:x:551:
2105	Replicator:x:552:
2106	Domain Computers:x:553:
2107	Accounts:x:1000:
2108	Finances:x:1001:
2109	PIOps:x:1002:
2110	</pre><p>
2111	This is also the correct and desired output, because it demonstrates that the LDAP client
2112	is able to communicate correctly with the LDAP server (<code class="constant">MASSIVE</code>).
2113	</p></li><li><p>
2114	<a class="indexterm" name="id2578955"></a>
2115	You must now set the LDAP administrative password into the Samba-3 <code class="filename">secrets.tdb</code>
2116	file by executing this command:
2117	</p><pre class="screen">
2118	<code class="prompt">root# </code> smbpasswd -w not24get
2119	Setting stored password for "cn=Manager,dc=abmas,dc=biz" in secrets.tdb
2120	</pre><p>
2121	</p></li><li><p>
2122	Now you must obtain the domain SID from the PDC and store it into the
2123	<code class="filename">secrets.tdb</code> file also. This step is not necessary with an LDAP
2124	passdb backend because Samba-3 obtains the domain SID from the
2125	sambaDomain object it automatically stores in the LDAP backend. It does not hurt to
2126	add the SID to the <code class="filename">secrets.tdb</code>, and if you wish to do so, this
2127	command can achieve that:
2128	</p><pre class="screen">
2129	<code class="prompt">root# </code> net rpc getsid MEGANET2
2130	Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
2131	for Domain MEGANET2 in secrets.tdb
2132	</pre><p>
2133	When configuring a Samba-3 BDC that has an LDAP backend, there is no need to take
2134	any special action to join it to the domain. However, winbind communicates with the
2135	domain controller that is running on the localhost and must be able to authenticate,
2136	thus requiring that the BDC should be joined to the domain. The process of joining
2137	the domain creates the necessary authentication accounts.
2138	</p></li><li><p>
2139	To join the Samba BDC to the domain, execute the following:
2140	</p><pre class="screen">
2141	<code class="prompt">root# </code> net rpc join -U root%not24get
2142	Joined domain MEGANET2.
2143	</pre><p>
2144	This indicates that the domain security account for the BDC has been correctly created.
2145	</p></li><li><p>
2146	<a class="indexterm" name="id2579056"></a>
2147	Verify that user and group account resolution works via Samba-3 tools as follows:
2148	</p><pre class="screen">
2149	<code class="prompt">root# </code> pdbedit -L
2150	root:0:root
2151	nobody:65534:nobody
2152	bobj:1000:System User
2153	stans:1001:System User
2154	chrisr:1002:System User
2155	maryv:1003:System User
2156	bldg1$:1006:bldg1$
2157
2158	<code class="prompt">root# </code> net groupmap list
2159	Domain Admins (S-1-5-21-3504140859-...-2431957765-512) ->
2160	Domain Admins
2161	Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
2162	Domain Guests (S-1-5-21-3504140859-...-2431957765-514) ->
2163	Domain Guests
2164	Administrators (S-1-5-21-3504140859-...-2431957765-544) ->
2165	Administrators
2166	...
2167	Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
2168	Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
2169	PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
2170	</pre><p>
2171	These results show that all things are in order.
2172	</p></li><li><p>
2173	The server you have so carefully built is now ready for another important step. Now
2174	start the Samba-3 server and validate its operation. Execute the following to render all
2175	the processes needed fully operative so that, upon system reboot, they are automatically
2176	started:
2177	</p><pre class="screen">
2178	<code class="prompt">root# </code> chkconfig named on
2179	<code class="prompt">root# </code> chkconfig dhcpd on
2180	<code class="prompt">root# </code> chkconfig nmb on
2181	<code class="prompt">root# </code> chkconfig smb on
2182	<code class="prompt">root# </code> chkconfig winbind on
2183	<code class="prompt">root# </code> rcnmb start
2184	<code class="prompt">root# </code> rcsmb start
2185	<code class="prompt">root# </code> rcwinbind start
2186	</pre><p>
2187	Samba-3 should now be running and is ready for a quick test. But not quite yet!
2188	</p></li><li><p>
2189	Your new <code class="constant">BLDG1, BLDG2</code> servers do not have home directories for users.
2190	To rectify this using the SUSE yast2 utility or by manually editing the <code class="filename">/etc/fstab</code>
2191	file, add a mount entry to mount the <code class="constant">home</code> directory that has been exported
2192	from the <code class="constant">MASSIVE</code> server. Mount this resource before proceeding. An alternate
2193	approach could be to create local home directories for users who are to use these machines.
2194	This is a choice that you, as system administrator, must make. The following entry in the
2195	<code class="filename">/etc/fstab</code> file suffices for now:
2196	</p><pre class="screen">
2197	massive.abmas.biz:/home /home nfs rw 0 0
2198	</pre><p>
2199	To mount this resource, execute:
2200	</p><pre class="screen">
2201	<code class="prompt">root# </code> mount -a
2202	</pre><p>
2203	Verify that the home directory has been mounted as follows:
2204	</p><pre class="screen">
2205	<code class="prompt">root# </code> df \| grep home
2206	massive:/home 29532988 283388 29249600 1% /home
2207	</pre><p>
2208	</p></li><li><p>
2209	Implement a quick check using one of the users that is in the LDAP database. Here you go:
2210	</p><pre class="screen">
2211	<code class="prompt">root# </code> smbclient //bldg1/bobj -Ubobj%n3v3r2l8
2212	smb: \> dir
2213	. D 0 Wed Dec 17 01:16:19 2003
2214	.. D 0 Wed Dec 17 19:04:42 2003
2215	bin D 0 Tue Sep 2 04:00:57 2003
2216	Documents D 0 Sun Nov 30 07:28:20 2003
2217	public_html D 0 Sun Nov 30 07:28:20 2003
2218	.urlview H 311 Fri Jul 7 06:55:35 2000
2219	.dvipsrc H 208 Fri Nov 17 11:22:02 1995
2220
2221	57681 blocks of size 524288. 57128 blocks available
2222	smb: \> q
2223	</pre><p>
2224	</p></li></ol></div><p>
2225	Now that the first BDC (<code class="constant">BDLG1</code>) has been configured it is time to build
2226	and configure the second BDC server (<code class="constant">BLDG2</code>) as follows:
2227	</p><div class="procedure"><a name="sbehap-bldg2"></a><p class="title"><b>Procedure 5.11. Configuration of BDC Called <code class="constant">BLDG2</code></b></p><ol type="1"><li><p>
2228	Install the files in <a class="link" href="happy.html#sbehap-bldg2-smbconf" title="Example 5.9. LDAP Based smb.conf File, Server: BLDG2">“LDAP Based smb.conf File, Server: BLDG2”</a>,
2229	<a class="link" href="happy.html#sbehap-shareconfa" title="Example 5.10. LDAP Based smb.conf File, Shares Section Part A">“LDAP Based smb.conf File, Shares Section Part A”</a>, and <a class="link" href="happy.html#sbehap-shareconfb" title="Example 5.11. LDAP Based smb.conf File, Shares Section Part B">“LDAP Based smb.conf File, Shares Section Part B”</a>
2230	into the <code class="filename">/etc/samba/</code> directory. The three files
2231	should be added together to form the <code class="filename">smb.conf</code> file.
2232	</p></li><li><p>
2233	Follow carefully the steps shown in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>, starting at step 2.
2234	</p></li></ol></div><div class="example"><a name="sbehap-bldg1-smbconf"></a><p class="title"><b>Example 5.8. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG1</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579402"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579413"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579425"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2579437"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579449"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579461"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579473"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579485"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579496"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579508"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579520"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579531"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579544"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579555"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579568"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579580"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579591"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2579603"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579615"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579626"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2579638"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579650"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579662"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2579674"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2579686"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2579698"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579710"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579722"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579734"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2579746"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2579758"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-bldg2-smbconf"></a><p class="title"><b>Example 5.9. LDAP Based <code class="filename">smb.conf</code> File, Server: BLDG2</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2579804"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2579816"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2579828"></a><em class="parameter"><code>netbios name = BLDG2</code></em></td></tr><tr><td><a class="indexterm" name="id2579840"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2579852"></a><em class="parameter"><code>enable privileges = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2579864"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2579876"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2579887"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2579899"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2579911"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2579922"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2579934"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2579946"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2579958"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2579970"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2579982"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2579994"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2580006"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580017"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580029"></a><em class="parameter"><code>wins server = 172.16.0.1</code></em></td></tr><tr><td><a class="indexterm" name="id2580041"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580053"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580065"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2580077"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2580089"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2580101"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580113"></a><em class="parameter"><code>idmap backend = ldap:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2580125"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580137"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2580148"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2580160"></a><em class="parameter"><code>printer admin = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfa"></a><p class="title"><b>Example 5.10. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2580206"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580218"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2580230"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2580250"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580262"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2580274"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580294"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580306"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2580318"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2580338"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2580350"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2580362"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580373"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2580394"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2580405"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2580417"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580429"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580440"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-shareconfb"></a><p class="title"><b>Example 5.11. LDAP Based <code class="filename">smb.conf</code> File, Shares Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2580486"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2580498"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2580509"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr><tr><td><a class="indexterm" name="id2580521"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2580542"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2580553"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2580565"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580577"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2580597"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580609"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2580621"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580633"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2580653"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2580665"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2580677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2580689"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2580709"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580721"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2580733"></a><em class="parameter"><code>browseable = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580744"></a><em class="parameter"><code>guest ok = no</code></em></td></tr><tr><td><a class="indexterm" name="id2580756"></a><em class="parameter"><code>read only = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2580768"></a><em class="parameter"><code>write list = root, chrisr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifadd"></a><p class="title"><b>Example 5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF</b></p><div class="example-contents"><pre class="screen">
2235	dn: ou=Idmap,dc=abmas,dc=biz
2236	objectClass: organizationalUnit
2237	ou: idmap
2238	structuralObjectClass: organizationalUnit
2239	</pre></div></div><br class="example-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2580803"></a>Miscellaneous Server Preparation Tasks</h2></div></div></div><p>
2240	My father would say, “<span class="quote">Dinner is not over until the dishes have been done.</span>”
2241	The makings of a great network environment take a lot of effort and attention to detail.
2242	So far, you have completed most of the complex (and to many administrators, the interesting
2243	part of server configuration) steps, but remember to tie it all together. Here are
2244	a few more steps that must be completed so that your network runs like a well-rehearsed
2245	orchestra.
2246	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580823"></a>Configuring Directory Share Point Roots</h3></div></div></div><p>
2247	In your <code class="filename">smb.conf</code> file, you have specified Windows shares. Each has a <em class="parameter"><code>path</code></em>
2248	parameter. Even though it is obvious to all, one of the common Samba networking problems is
2249	caused by forgetting to verify that every such share root directory actually exists and that it
2250	has the necessary permissions and ownership.
2251	</p><p>
2252	Here is an example, but remember to create the directory needed for every share:
2253	</p><pre class="screen">
2254	<code class="prompt">root# </code> mkdir -p /data/{accounts,finsvcs,piops}
2255	<code class="prompt">root# </code> mkdir -p /apps
2256	<code class="prompt">root# </code> chown -R root:root /data
2257	<code class="prompt">root# </code> chown -R root:root /apps
2258	<code class="prompt">root# </code> chown -R bobj:Accounts /data/accounts
2259	<code class="prompt">root# </code> chown -R bobj:Finances /data/finsvcs
2260	<code class="prompt">root# </code> chown -R bobj:PIOps /data/piops
2261	<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
2262	<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
2263	</pre><p>
2264	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2580918"></a>Configuring Profile Directories</h3></div></div></div><p>
2265	You made a conscious decision to do everything it would take to improve network client
2266	performance. One of your decisions was to implement folder redirection. This means that Windows
2267	user desktop profiles are now made up of two components: a dynamically loaded part and a set of file
2268	network folders.
2269	</p><p>
2270	For this arrangement to work, every user needs a directory structure for the network folder
2271	portion of his or her profile as shown here:
2272	</p><pre class="screen">
2273	<code class="prompt">root# </code> mkdir -p /var/lib/samba/profdata
2274	<code class="prompt">root# </code> chown root:root /var/lib/samba/profdata
2275	<code class="prompt">root# </code> chmod 755 /var/lib/samba/profdata
2276
2277	# Per user structure
2278	<code class="prompt">root# </code> cd /var/lib/samba/profdata
2279	<code class="prompt">root# </code> mkdir -p <span class="emphasis"><em>username</em></span>
2280	<code class="prompt">root# </code> for i in InternetFiles Cookies History AppData \
2281	LocalSettings MyPictures MyDocuments Recent
2282	<code class="prompt">root# </code> do
2283	<code class="prompt">root# </code> mkdir <span class="emphasis"><em>username</em></span>/$i
2284	<code class="prompt">root# </code> done
2285	<code class="prompt">root# </code> chown -R <span class="emphasis"><em>username</em></span>:Domain\ Users <span class="emphasis"><em>username</em></span>
2286	<code class="prompt">root# </code> chmod -R 750 <span class="emphasis"><em>username</em></span>
2287	</pre><p>
2288	</p><p>
2289	<a class="indexterm" name="id2581034"></a>
2290	<a class="indexterm" name="id2581041"></a>
2291	You have three options insofar as the dynamically loaded portion of the roaming profile
2292	is concerned:
2293	</p><div class="itemizedlist"><ul type="disc"><li><p>You may permit the user to obtain a default profile.</p></li><li><p>You can create a mandatory profile.</p></li><li><p>You can create a group profile (which is almost always a mandatory profile).</p></li></ul></div><p>
2294	Mandatory profiles cannot be overwritten by a user. The change from a user profile to a mandatory
2295	profile is effected by renaming the <code class="filename">NTUSER.DAT</code> to <code class="filename">NTUSER.MAN</code>,
2296	that is, just by changing the filename extension.
2297	</p><p>
2298	<a class="indexterm" name="id2581091"></a>
2299	<a class="indexterm" name="id2581098"></a>
2300	The location of the profile that a user can obtain is set in the user's account in the LDAP passdb backend.
2301	You can manage this using the Idealx smbldap-tools or using the
2302	<a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">Windows NT4 Domain User Manager</a>.
2303	</p><p>
2304	It may not be obvious that you must ensure that the root directory for the user's profile exists
2305	and has the needed permissions. Use the following commands to create this directory:
2306	</p><pre class="screen">
2307	<code class="prompt">root# </code> mkdir -p /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2308	<code class="prompt">root# </code> chown <span class="emphasis"><em>username</em></span>:Domain\ Users
2309	/var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2310	<code class="prompt">root# </code> chmod 700 /var/lib/samba/profiles/<span class="emphasis"><em>username</em></span>
2311	</pre><p>
2312	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581163"></a>Preparation of Logon Scripts</h3></div></div></div><p>
2313	<a class="indexterm" name="id2581171"></a>
2314	The use of a logon script with Windows XP Professional is an option that every site should consider.
2315	Unless you have locked down the desktop so the user cannot change anything, there is risk that
2316	a vital network drive setting may be broken or that printer connections may be lost. Logon scripts
2317	can help to restore persistent network folder (drive) and printer connections in a predictable
2318	manner. One situation in which such breakage may occur in particular is when a mobile PC (notebook)
2319	user attaches to another company's network that forces environment changes that are alien to your
2320	network.
2321	</p><p>
2322	If you decide to use network logon scripts, by reference to the <code class="filename">smb.conf</code> files for the domain
2323	controllers, you see that the path to the share point for the <code class="constant">NETLOGON</code>
2324	share defined is <code class="filename">/var/lib/samba/netlogon</code>. The path defined for the logon
2325	script inside that share is <code class="filename">scripts\logon.bat</code>. This means that as a Windows
2326	NT/200x/XP client logs onto the network, it tries to obtain the file <code class="filename">logon.bat</code>
2327	from the fully qualified path <code class="filename">/var/lib/samba/netlogon/scripts</code>. This fully
2328	qualified path should therefore exist whether you install the <code class="filename">logon.bat</code>.
2329	</p><p>
2330	You can, of course, create the fully qualified path by executing:
2331	</p><pre class="screen">
2332	<code class="prompt">root# </code> mkdir -p /var/lib/samba/netlogon/scripts
2333	</pre><p>
2334	</p><p>
2335	You should research the options for logon script implementation by referring to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 24,
2336	Section 24.4. A quick Web search will bring up a host of options. One of the most popular logon
2337	facilities in use today is called <a class="ulink" href="http://www.kixtart.org" target="_top">KiXtart</a>.
2338	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581274"></a>Assigning User Rights and Privileges</h3></div></div></div><p>
2339	The ability to perform tasks such as joining Windows clients to the domain can be assigned to
2340	normal user accounts. By default, only the domain administrator account (<code class="constant">root</code> on UNIX
2341	systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
2342	this privilege in a very limited fashion to particular accounts.
2343	</p><p>
2344	By default, even Samba-3.0.11 does not grant any rights even to the <code class="constant">Domain Admins</code>
2345	group. Here we grant this group all privileges.
2346	</p><p>
2347	Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
2348	are granted rights can be restricted to particular machines. It is left to the network administrator
2349	to determine which rights should be provided and to whom.
2350	</p><div class="procedure"><a name="id2581309"></a><p class="title"><b>Procedure 5.12. Steps for Assignment of User Rights and Privileges</b></p><ol type="1"><li><p>
2351	Log onto the PDC as the <code class="constant">root</code> account.
2352	</p></li><li><p>
2353	Execute the following command to grant the <code class="constant">Domain Admins</code> group all
2354	rights and privileges:
2355	</p><pre class="screen">
2356	<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
2357	"MEGANET2\Domain Admins" SeMachineAccountPrivilege \
2358	SePrintOperatorPrivilege SeAddUsersPrivilege \
2359	SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
2360	Successfully granted rights.
2361	</pre><p>
2362	Repeat this step on each domain controller, in each case substituting the name of the server
2363	(e.g., BLDG1, BLDG2) in place of the PDC called MASSIVE.
2364	</p></li><li><p>
2365	In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
2366	to the domain. Execute the following only on the PDC. It is not necessary to do this on
2367	BDCs or on DMS machines because machine accounts are only ever added by the PDC:
2368	</p><pre class="screen">
2369	<code class="prompt">root# </code> net -S MASSIVE -U root%not24get rpc rights grant \
2370	"MEGANET2\bobj" SeMachineAccountPrivilege
2371	Successfully granted rights.
2372	</pre><p>
2373	</p></li><li><p>
2374	Verify that privilege assignments have been correctly applied by executing:
2375	</p><pre class="screen">
2376	net rpc rights list accounts -Uroot%not24get
2377	MEGANET2\bobj
2378	SeMachineAccountPrivilege
2379
2380	S-0-0
2381	No privileges assigned
2382
2383	BUILTIN\Print Operators
2384	No privileges assigned
2385
2386	BUILTIN\Account Operators
2387	No privileges assigned
2388
2389	BUILTIN\Backup Operators
2390	No privileges assigned
2391
2392	BUILTIN\Server Operators
2393	No privileges assigned
2394
2395	BUILTIN\Administrators
2396	No privileges assigned
2397
2398	Everyone
2399	No privileges assigned
2400
2401	MEGANET2\Domain Admins
2402	SeMachineAccountPrivilege
2403	SePrintOperatorPrivilege
2404	SeAddUsersPrivilege
2405	SeRemoteShutdownPrivilege
2406	SeDiskOperatorPrivilege
2407	</pre><p>
2408	</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2581407"></a>Windows Client Configuration</h2></div></div></div><p>
2409	<a class="indexterm" name="id2581416"></a>
2410	In the next few sections, you can configure a new Windows XP Professional disk image on a staging
2411	machine. You will configure all software, printer settings, profile and policy handling, and desktop
2412	default profile settings on this system. When it is complete, you copy the contents of the
2413	<code class="filename">C:\Documents and Settings\Default User</code> directory to a directory with the same
2414	name in the <code class="constant">NETLOGON</code> share on the domain controllers.
2415	</p><p>
2416	Much can be learned from the Microsoft Support site regarding how best to set up shared profiles.
2417	One knowledge-base article in particular stands out:
2418	"<a class="ulink" href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;168475" target="_top">How to Create a
2419	Base Profile for All Users."</a>
2420
2421	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="redirfold"></a>Configuration of Default Profile with Folder Redirection</h3></div></div></div><p>
2422	<a class="indexterm" name="id2581466"></a>
2423	Log onto the Windows XP Professional workstation as the local <code class="constant">Administrator</code>.
2424	It is necessary to expose folders that are generally hidden to provide access to the
2425	<code class="constant">Default User</code> folder.
2426	</p><div class="procedure"><a name="id2581484"></a><p class="title"><b>Procedure 5.13. Expose Hidden Folders</b></p><ol type="1"><li><p>
2427	Launch the Windows Explorer by clicking
2428	<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.
2429	Select <span class="guilabel">Show hidden files and folders</span>,
2430	and click <span class="guibutton">OK</span>. Exit Windows Explorer.
2431	</p></li><li><p>
2432	<a class="indexterm" name="id2581550"></a>
2433	Launch the Registry Editor. Click
2434	<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. Key in <code class="literal">regedt32</code>, and click
2435	<span class="guibutton">OK</span>.
2436	</p></li></ol></div><p>
2437	</p><div class="procedure"><a name="sbehap-rdrfldr"></a><p class="title"><b>Procedure 5.14. Redirect Folders in Default System User Profile</b></p><ol type="1"><li><p>
2438	<a class="indexterm" name="id2581608"></a>
2439	<a class="indexterm" name="id2581615"></a>
2440	Give focus to <code class="constant">HKEY_LOCAL_MACHINE</code> hive entry in the left panel.
2441	Click <span class="guimenu">File</span> → <span class="guimenuitem">Load Hive...</span> → <span class="guimenuitem">Documents and Settings</span> → <span class="guimenuitem">Default User</span> → <span class="guimenuitem">NTUSER</span> → <span class="guimenuitem">Open</span>. In the dialog box that opens, enter the key name
2442	<code class="constant">Default</code> and click <span class="guibutton">OK</span>.
2443	</p></li><li><p>
2444	Browse inside the newly loaded Default folder to:
2445	</p><pre class="screen">
2446	HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
2447	CurrentVersion\Explorer\User Shell Folders\
2448	</pre><p>
2449	The right panel reveals the contents as shown in <a class="link" href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">“Windows XP Professional User Shared Folders”</a>.
2450	</p></li><li><p>
2451	<a class="indexterm" name="id2581708"></a>
2452	<a class="indexterm" name="id2581714"></a>
2453	You edit hive keys. Acceptable values to replace the
2454	<code class="constant">%USERPROFILE%</code> variable includes:
2455
2456	</p><div class="itemizedlist"><ul type="disc"><li><p>A drive letter such as <code class="constant">U:</code></p></li><li><p>A direct network path such as
2457	<code class="constant">\\MASSIVE\profdata</code></p></li><li><p>A network redirection (UNC name) that contains a macro such as </p><p><code class="constant">%LOGONSERVER%\profdata\</code></p></li></ul></div><p>
2458	</p></li><li><p>
2459	<a class="indexterm" name="id2581761"></a>
2460	Set the registry keys as shown in <a class="link" href="happy.html#proffold" title="Table 5.4. Default Profile Redirections">“Default Profile Redirections”</a>. Your implementation makes the assumption
2461	that users have statically located machines. Notebook computers (mobile users) need to be
2462	accommodated using local profiles. This is not an uncommon assumption.
2463	</p></li><li><p>
2464	Click back to the root of the loaded hive <code class="constant">Default</code>.
2465	Click <span class="guimenu">File</span> → <span class="guimenuitem">Unload Hive...</span> → <span class="guimenuitem">Yes</span>.
2466	</p></li><li><p>
2467	<a class="indexterm" name="id2581816"></a>
2468	Click <span class="guimenu">File</span> → <span class="guimenuitem">Exit</span>. This exits the
2469	Registry Editor.
2470	</p></li><li><p>
2471	Now follow the procedure given in <a class="link" href="happy.html#sbehap-locgrppol" title="The Local Group Policy">“The Local Group Policy”</a>. Make sure that each folder you
2472	have redirected is in the exclusion list.
2473	</p></li><li><p>
2474	You are now ready to copy<sup>[<a name="id2581860" href="#ftn.id2581860" class="footnote">11</a>]</sup>
2475	the Default User profile to the Samba domain controllers. Launch Microsoft Windows Explorer,
2476	and use it to copy the full contents of the directory <code class="filename">Default User</code> that
2477	is in the <code class="filename">C:\Documents and Settings</code> to the root directory of the
2478	<code class="constant">NETLOGON</code> share. If the <code class="constant">NETLOGON</code> share has the defined
2479	UNIX path of <code class="filename">/var/lib/samba/netlogon</code>, when the copy is complete there must
2480	be a directory in there called <code class="filename">Default User</code>.
2481	</p></li></ol></div><p>
2482	Before punching out new desktop images for the client workstations, it is perhaps a good idea that
2483	desktop behavior should be returned to the original Microsoft settings. The following steps achieve
2484	that ojective:
2485	</p><div class="procedure"><a name="id2581927"></a><p class="title"><b>Procedure 5.15. Reset Folder Display to Original Behavior</b></p><ul><li><p>
2486	To launch the Windows Explorer, click
2487	<span class="guimenu">Start</span> → <span class="guimenuitem">My Computer</span> → <span class="guimenuitem">Tools</span> → <span class="guimenuitem">Folder Options</span> → <span class="guimenuitem">View Tab</span>.
2488	Deselect <span class="guilabel">Show hidden files and folders</span>, and click <span class="guibutton">OK</span>.
2489	Exit Windows Explorer.
2490	</p></li></ul></div><div class="figure"><a name="XP-screen001"></a><p class="title"><b>Figure 5.3. Windows XP Professional User Shared Folders</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/XP-screen001.png" width="351" alt="Windows XP Professional User Shared Folders"></div></div></div><br class="figure-break"><div class="table"><a name="proffold"></a><p class="title"><b>Table 5.4. Default Profile Redirections</b></p><div class="table-contents"><table summary="Default Profile Redirections" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Registry Key</th><th align="left">Redirected Value</th></tr></thead><tbody><tr><td align="left">Cache</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\InternetFiles</td></tr><tr><td align="left">Cookies</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Cookies</td></tr><tr><td align="left">History</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\AppData</td></tr><tr><td align="left">Local Settings</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\LocalSettings</td></tr><tr><td align="left">My Pictures</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyPictures</td></tr><tr><td align="left">Personal</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\MyDocuments</td></tr><tr><td align="left">Recent</td><td align="left">%LOGONSERVER%\profdata\%USERNAME%\Recent</td></tr></tbody></table></div></div><br class="table-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582162"></a>Configuration of MS Outlook to Relocate PST File</h3></div></div></div><p>
2491	<a class="indexterm" name="id2582170"></a>
2492	<a class="indexterm" name="id2582180"></a>
2493	Microsoft Outlook can store a Personal Storage file, generally known as a PST file.
2494	It is the nature of email storage that this file grows, at times quite rapidly.
2495	So that users' email is available to them at every workstation they may log onto,
2496	it is common practice in well-controlled sites to redirect the PST folder to the
2497	users' home directory. Follow these steps for each user who wishes to do this.
2498	</p><p>
2499	To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook behave
2500	slightly differently), follow these steps:
2501	</p><div class="procedure"><a name="id2582202"></a><p class="title"><b>Procedure 5.16. Outlook PST File Relocation</b></p><ol type="1"><li><p>
2502	Close Outlook if it is open.
2503	</p></li><li><p>
2504	From the <span class="guimenu">Control Panel</span>, launch the Mail icon.
2505	</p></li><li><p>
2506	Click <span class="guimenu">Email Accounts.</span>
2507	</p></li><li><p>
2508	Make a note of the location of the PST file(s). From this location, move
2509	the files to the desired new target location. The most desired new target location
2510	may well be the users' home directory.
2511	</p></li><li><p>
2512	Add a new data file, selecting the PST file in the new desired target location.
2513	Give this entry (not the filename) a new name such as “<span class="quote">Personal Mail Folders.</span>”
2514	</p><p>
2515	Note: If MS Outlook has been configured to use an IMAP account configuration there may be problems
2516	following these instructions. Feedback from users suggests that where IMAP is used the PST
2517	file is used to store rules and filters. When the PST store is relocated it appears to break
2518	MS Outlook's Send/Receive button. If anyone has sucessfully relocated PST files where IMAP is
2519	used please email <code class="literal">jht@samba.org</code> with useful tips and suggestions so that
2520	this warning can be removed or modified.
2521	</p></li><li><p>
2522	Close the <span class="guimenu">Date Files</span> windows, then click <span class="guimenu">Email Accounts</span>.
2523	</p></li><li><p>
2524	Select <span class="guimenu">View of Change</span> exiting email accounts, click <span class="guibutton">Next.</span>
2525	</p></li><li><p>
2526	Change the <span class="guimenu">Mail Delivery Location</span> so as to use the data file in the new
2527	target location.
2528	</p></li><li><p>
2529	Go back to the <span class="guimenu">Data Files</span> window, then delete the old data file entry.
2530	</p></li></ol></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2531	<a class="indexterm" name="id2582352"></a>
2532	You may have to remove and reinstall the Outlook Address Book (Contacts) entries, otherwise
2533	the user may be not be able to retrieve contacts when addressing a new email message.
2534	</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
2535	<a class="indexterm" name="id2582366"></a>
2536	Outlook Express is not at all like MS OutLook. It stores file very differently also. Outlook
2537	Express storage files can not be redirected to network shares. The options panel will not permit
2538	this, but they can be moved to folders outside of the user's profile. They can also be excluded
2539	from folder synchronization as part of the roaming profile.
2540	</p><p>
2541	While it is possible to redirect the data stores for Outlook Express data stores by editing the
2542	registry, experience has shown that data corruption and loss of email messages will result.
2543	</p><p>
2544	<a class="indexterm" name="id2582389"></a>
2545	<a class="indexterm" name="id2582396"></a>
2546	In the same vane as MS Outlook, Outlook Express data stores can become very large. When used with
2547	roaming profiles this can result in excruciatingly long login and logout behavior will files are
2548	synchronized. For this reason, it is highly recommended not to use Outlook Express where roaming
2549	profiles are used.
2550	</p></div><p>
2551	<a class="indexterm" name="id2582412"></a>
2552	Microsoft does not support storing PST files on network shares, although the practice does appear
2553	to be rather popular. Anyone who does relocation the PST file to a network resource should refer
2554	the Microsoft <a class="ulink" href="http://support.microsoft.com/kb/297019/" target="_top">reference</a> to better
2555	understand the issues.
2556	</p><p>
2557	<a class="indexterm" name="id2582432"></a>
2558	Apart from manually moving PST files to a network share, it is possible to set the default PST
2559	location for new accounts by following the instructions at the WindowsITPro <a class="ulink" href="http://www.windowsitpro.com/Windows/Article/ArticleID/48228/48228.html" target="_top">web</a> site.
2560	</p><p>
2561	<a class="indexterm" name="id2582452"></a>
2562	User feedback suggests that disabling of oplocks on PST files will significantly improve
2563	network performance by reducing locking overheads. One way this can be done is to add to the
2564	<code class="filename">smb.conf</code> file stanza for the share the PST file the following:
2565	</p><pre class="screen">
2566	veto oplock files = /.pdf/.PST/
2567	</pre><p>
2568	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582477"></a>Configure Delete Cached Profiles on Logout</h3></div></div></div><p>
2569	Configure the Windows XP Professional client to auto-delete roaming profiles on logout:
2570	</p><p>
2571	<a class="indexterm" name="id2582490"></a>
2572	Click
2573	<span class="guimenu">Start</span> → <span class="guimenuitem">Run</span>. In the dialog box, enter <code class="literal">MMC</code> and click <span class="guibutton">OK</span>.
2574	</p><p>
2575	Follow these steps to set the default behavior of the staging machine so that all roaming
2576	profiles are deleted as network users log out of the system. Click
2577	<span class="guimenu">File</span> → <span class="guimenuitem">Add/Remove Snap-in</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Group Policy</span> → <span class="guimenuitem">Add</span> → <span class="guimenuitem">Finish</span> → <span class="guimenuitem">Close</span> → <span class="guimenuitem">OK</span>.
2578	</p><p>
2579	<a class="indexterm" name="id2582586"></a>
2580	The Microsoft Management Console now shows the <span class="guimenu">Group Policy</span>
2581	utility that enables you to set the policies needed. In the left panel, click
2582	<span class="guimenuitem">Local Computer Policy</span> → <span class="guimenuitem">Administrative Templates</span> → <span class="guimenuitem">System</span> → <span class="guimenuitem">User Profiles</span>. In the right panel, set the properties shown here by double-clicking on each
2583	item as shown:
2584	</p><div class="itemizedlist"><ul type="disc"><li><p>Do not check for user ownership of Roaming Profile Folders = Enabled</p></li><li><p>Delete cached copies of roaming profiles = Enabled</p></li></ul></div><p>
2585	Close the Microsoft Management Console. The settings take immediate effect and persist onto all image copies
2586	made of this system to deploy the new standard desktop system.
2587	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582657"></a>Uploading Printer Drivers to Samba Servers</h3></div></div></div><p>
2588	<a class="indexterm" name="id2582665"></a>
2589	Users want to be able to use network printers. You have a vested interest in making
2590	it easy for them to print. You have chosen to install the printer drivers onto the Samba
2591	servers and to enable point-and-click (drag-and-drop) printing. This process results in
2592	Samba being able to automatically provide the Windows client with the driver necessary to
2593	print to the printer chosen. The following procedure must be followed for every network
2594	printer:
2595	</p><div class="procedure"><a name="id2582684"></a><p class="title"><b>Procedure 5.17. Steps to Install Printer Drivers on the Samba Servers</b></p><ol type="1"><li><p>
2596	Join your Windows XP Professional workstation (the staging machine) to the
2597	<code class="constant">MEGANET2</code> domain. If you are not sure of the procedure,
2598	follow the guidance given in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>.
2599	</p></li><li><p>
2600	After the machine has rebooted, log onto the workstation as the domain
2601	<code class="constant">root</code> (this is the Administrator account for the
2602	operating system that is the host platform for this implementation of Samba.
2603	</p></li><li><p>
2604	Launch MS Windows Explorer. Navigate in the left panel. Click
2605	<span class="guimenu">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">Microsoft Windows Network</span> → <span class="guimenuitem">Meganet2</span> → <span class="guimenuitem">Massive</span>. Click on <span class="guimenu">Massive</span>
2606	<span class="guimenu">Printers and Faxes</span>.
2607	</p></li><li><p>
2608	Identify a printer that is shown in the right panel. Let us assume the printer is called
2609	<code class="constant">ps01-color</code>. Right-click on the <span class="guimenu">ps01-color</span> icon
2610	and select the <span class="guimenu">Properties</span> entry. This opens a dialog box that indicates
2611	that “<span class="quote">The printer driver is not installed on this computer. Some printer properties
2612	will not be accessible unless you install the printer driver. Do you want to install the
2613	driver now?</span>” It is important at this point you answer <span class="guimenu">No</span>.
2614	</p></li><li><p>
2615	The printer properties panel for the <span class="guimenu">ps01-color</span> printer on the server
2616	<code class="constant">MASSIVE</code> is displayed. Click the <span class="guimenu">Advanced</span> tab.
2617	Note that the box labeled <span class="guimenu">Driver</span> is empty. Click the <span class="guimenu">New Driver</span>
2618	button that is next to the <span class="guimenu">Driver</span> box. This launches the “<span class="quote">Add Printer Wizard</span>”.
2619	</p></li><li><p>
2620	<a class="indexterm" name="id2582873"></a>
2621	<a class="indexterm" name="id2582882"></a>
2622	The “<span class="quote">Add Printer Driver Wizard on <code class="constant">MASSIVE</code></span>” panel
2623	is now presented. Click <span class="guimenu">Next</span> to continue. From the left panel, select the
2624	printer manufacturer. In your case, you are adding a driver for a printer manufactured by
2625	Lexmark. In the right panel, select the printer (Lexmark Optra Color 40 PS). Click
2626	<span class="guimenu">Next</span>, and then <span class="guimenu">Finish</span> to commence driver upload. A
2627	progress bar appears and instructs you as each file is being uploaded and that it is being
2628	directed at the network server <code class="constant">\\massive\ps01-color</code>.
2629	</p></li><li><p>
2630	<a class="indexterm" name="id2582930"></a>
2631	<a class="indexterm" name="id2582939"></a>
2632	<a class="indexterm" name="id2582949"></a>
2633	<a class="indexterm" name="id2582958"></a>
2634	<a class="indexterm" name="id2582967"></a>
2635	<a class="indexterm" name="id2582976"></a>
2636	The driver upload completes in anywhere from a few seconds to a few minutes. When it completes,
2637	you are returned to the <span class="guimenu">Advanced</span> tab in the <span class="guimenu">Properties</span> panel.
2638	You can set the Location (under the <span class="guimenu">General</span> tab) and Security settings (under
2639	the <span class="guimenu">Security</span> tab). Under the <span class="guimenu">Sharing</span> tab it is possible to
2640	load additional printer drivers; there is also a check-box in this tab called “<span class="quote">List in the
2641	directory</span>”. When this box is checked, the printer will be published in Active Directory
2642	(Applicable to Active Directory use only.)
2643	</p></li><li><p>
2644	<a class="indexterm" name="id2583031"></a>
2645	Click <span class="guimenu">OK</span>. It will take a minute or so to upload the settings to the server.
2646	You are now returned to the <span class="guimenu">Printers and Faxes on Massive</span> monitor.
2647	Right-click on the printer, click <span class="guimenu">Properties</span> → <span class="guimenuitem">Device Settings</span>. Now change the settings to suit
2648	your requirements. BE CERTAIN TO CHANGE AT LEAST ONE SETTING and apply the changes even if
2649	you need to reverse the changes back to their original settings.
2650	</p></li><li><p>
2651	This is necessary so that the printer settings are initialized in the Samba printers
2652	database. Click <span class="guimenu">Apply</span> to commit your settings. Revert any settings you changed
2653	just to initialize the Samba printers database entry for this printer. If you need to revert a setting,
2654	click <span class="guimenu">Apply</span> again.
2655	</p></li><li><p>
2656	<a class="indexterm" name="id2583104"></a>
2657	Verify that all printer settings are at the desired configuration. When you are satisfied that they are,
2658	click the <span class="guimenu">General</span> tab. Now click the <span class="guimenu">Print Test Page</span> button.
2659	A test page should print. Verify that it has printed correctly. Then click <span class="guimenu">OK</span>
2660	in the panel that is newly presented. Click <span class="guimenu">OK</span> on the <span class="guimenu">ps01-color on
2661	massive Properties</span> panel.
2662	</p></li><li><p>
2663	You must repeat this process for all network printers (i.e., for every printer on each server).
2664	When you have finished uploading drivers to all printers, close all applications. The next task
2665	is to install software your users require to do their work.
2666	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583160"></a>Software Installation</h3></div></div></div><p>
2667	Your network has both fixed desktop workstations as well as notebook computers. As a general rule, it is
2668	a good idea to not tamper with the operating system that is provided by the notebook computer manufacturer.
2669	Notebooks require special handling that is beyond the scope of this chapter.
2670	</p><p>
2671	For desktop systems, the installation of software onto administratively centralized application servers
2672	make a lot of sense. This means that you can manage software maintenance from a central
2673	perspective and that only minimal application stubware needs to be installed onto the desktop
2674	systems. You should proceed with software installation and default configuration as far as is humanly
2675	possible and so long as it makes sense to do so. Make certain to thoroughly test and validate every aspect
2676	of software operations and configuration.
2677	</p><p>
2678	When you believe that the overall configuration is complete, be sure to create a shared group profile
2679	and migrate that to the Samba server for later reuse when creating custom mandatory profiles, just in
2680	case a user may have specific needs you had not anticipated.
2681	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583195"></a>Roll-out Image Creation</h3></div></div></div><p>
2682	The final steps before preparing the distribution Norton Ghost image file you might follow are:
2683	</p><div class="blockquote"><blockquote class="blockquote"><p>
2684	Unjoin the domain Each workstation requires a unique name and must be independently
2685	joined into domain membership.
2686	</p></blockquote></div><div class="blockquote"><blockquote class="blockquote"><p>
2687	Defragment the hard disk While not obvious to the uninitiated, defragmentation results
2688	in better performance and often significantly reduces the size of the compressed disk image. That
2689	also means it will take less time to deploy the image onto 500 workstations.
2690	</p></blockquote></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583229"></a>Key Points Learned</h2></div></div></div><p>
2691	This chapter introduced many new concepts. Is it a sad fact that the example presented deliberately
2692	avoided any consideration of security. Security does not just happen; you must design it into your total
2693	network. Security begins with a systems design and implementation that anticipates hostile behavior from
2694	users both inside and outside the organization. Hostile and malicious intruders do not respect barriers;
2695	they accept them as challenges. For that reason, if not simply from a desire to establish safe networking
2696	practices, you must not deploy the design presented in this book in an environment where there is risk
2697	of compromise.
2698	</p><p>
2699	<a class="indexterm" name="id2583251"></a>
2700	<a class="indexterm" name="id2583260"></a>
2701	As a minimum, the LDAP server must be protected by way of Access Control Lists (ACLs), and it must be
2702	configured to use secure protocols for all communications over the network. Of course, secure networking
2703	does not result just from systems design and implementation but involves constant user education
2704	training and, above all, disciplined attention to detail and constant searching for signs of unfriendly
2705	or alien activities. Security is itself a topic for a whole book. Please do consult appropriate sources.
2706	Jerry Carter's book <a class="ulink" href="http://www.booksense.com/product/info.jsp&isbn=1565924916" target="_top">
2707	<span class="emphasis"><em>LDAP System Administration</em></span></a> is a good place to start reading about OpenLDAP
2708	as well as security considerations.
2709	</p><p>
2710	The substance of this chapter that has been deserving of particular attention includes:
2711	</p><div class="itemizedlist"><ul type="disc"><li><p>
2712	Implementation of an OpenLDAP-based passwd backend, necessary to support distributed
2713	domain control.
2714	</p></li><li><p>
2715	Implementation of Samba primary and secondary domain controllers with a common LDAP backend
2716	for user and group accounts that is shared with the UNIX system through the PADL nss_ldap and
2717	pam_ldap tool-sets.
2718	</p></li><li><p>
2719	Use of the Idealx smbldap-tools scripts for UNIX (POSIX) account management as well as
2720	to manage Samba Windows user and group accounts.
2721	</p></li><li><p>
2722	The basics of implementation of Group Policy controls for Windows network clients.
2723	</p></li><li><p>
2724	Control over roaming profiles, with particular focus on folder redirection to network drives.
2725	</p></li><li><p>
2726	Use of the CUPS printing system together with Samba-based printer driver auto-download.
2727	</p></li></ul></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583345"></a>Questions and Answers</h2></div></div></div><p>
2728	Well, here we are at the end of this chapter and we have only ten questions to help you to
2729	remember so much. There are bound to be some sticky issues here.
2730	</p><div class="qandaset"><dl><dt> <a href="happy.html#id2583363">
2731	Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2732	network administrators to implement insecure solutions?
2733	</a></dt><dt> <a href="happy.html#id2583407">
2734	You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2735	you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2736	to the Linux I might be using?
2737	</a></dt><dt> <a href="happy.html#id2583468">
2738	You did not use SWAT to configure Samba. Is there something wrong with it?
2739	</a></dt><dt> <a href="happy.html#id2583508">
2740	You have exposed a well-used password not24get. Is that
2741	not irresponsible?
2742	</a></dt><dt> <a href="happy.html#id2583533">
2743	The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2744	a good thing?
2745	</a></dt><dt> <a href="happy.html#id2583559">
2746	Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2747	</a></dt><dt> <a href="happy.html#id2583584">
2748	Why are the Windows domain RID portions not the same as the UNIX UID?
2749	</a></dt><dt> <a href="happy.html#id2583620">
2750	Printer configuration examples all show printing to the HP port 9100. Does this
2751	mean that I must have HP printers for these solutions to work?
2752	</a></dt><dt> <a href="happy.html#id2583649">
2753	Is folder redirection dangerous? I've heard that you can lose your data that way.
2754	</a></dt><dt> <a href="happy.html#id2583677">
2755	Is it really necessary to set a local Group Policy to exclude the redirected
2756	folders from the roaming profile?
2757	</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2583363"></a><a name="id2583366"></a></td><td align="left" valign="top"><p>
2758	Why did you not cover secure practices? Isn't it rather irresponsible to instruct
2759	network administrators to implement insecure solutions?
2760	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2761	Let's get this right. This is a book about Samba, not about OpenLDAP and secure
2762	communication protocols for subjects other than Samba. Earlier on, you note,
2763	that the dynamic DNS and DHCP solutions also used no protective secure communications
2764	protocols. The reason for this is simple: There are so many ways of implementing
2765	secure protocols that this book would have been even larger and more complex.
2766	</p><p>
2767	The solutions presented here all work (at least they did for me). Network administrators
2768	have the interest and the need to be better trained and instructed in secure networking
2769	practices and ought to implement safe systems. I made the decision, right or wrong,
2770	to keep this material as simple as possible. The intent of this book is to demonstrate
2771	a working solution and not to discuss too many peripheral issues.
2772	</p><p>
2773	This book makes little mention of backup techniques. Does that mean that I am recommending
2774	that you should implement a network without provision for data recovery and for disaster
2775	management? Back to our focus: The deployment of Samba has been clearly demonstrated.
2776	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583407"></a><a name="id2583409"></a></td><td align="left" valign="top"><p>
2777	You have focused much on SUSE Linux and little on the market leader, Red Hat. Do
2778	you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant
2779	to the Linux I might be using?
2780	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2781	Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications
2782	for a standard Linux distribution. The differences are marginal. Surely you know
2783	your Linux platform, and you do have access to administration manuals for it. This
2784	book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on
2785	the Samba part of the book; all the other bits are peripheral (but important) to
2786	creation of a total network solution.
2787	</p><p>
2788	What I find interesting is the attention reviewers give to Linux installation and to
2789	the look and feel of the desktop, but does that make for a great server? In this book,
2790	I have paid particular attention to the details of creating a whole solution framework.
2791	I have not tightened every nut and bolt, but I have touched on all the issues you
2792	need to be familiar with. Over the years many people have approached me wanting to
2793	know the details of exactly how to implement a DHCP and dynamic DNS server with Samba
2794	and WINS. In this chapter, it is plain to see what needs to be configured to provide
2795	transparent interoperability. Likewise for CUPS and Samba interoperation. These are
2796	key stumbling areas for many people.
2797	</p><p>
2798	At every critical junction, I have provided comparative guidance for both SUSE and
2799	Red Hat Linux. Both manufacturers have done a great job in furthering the cause
2800	of open source software. I favor neither and respect both. I like particular
2801	features of both products (companies also). No bias in presentation is intended.
2802	Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.
2803	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583468"></a><a name="id2583470"></a></td><td align="left" valign="top"><p>
2804	You did not use SWAT to configure Samba. Is there something wrong with it?
2805	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2806	That is a good question. As it is, the <code class="filename">smb.conf</code> file configurations are presented
2807	in as direct a format as possible. Adding SWAT into the equation would have complicated
2808	matters. I sought simplicity of implementation. The fact is that I did use SWAT to
2809	create the files in the first place.
2810	</p><p>
2811	There are people in the Linux and open source community who feel that SWAT is dangerous
2812	and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I
2813	hope to have brought their interests on board. SWAT is well covered is <span class="emphasis"><em>TOSHARG2</em></span>.
2814	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583508"></a><a name="id2583510"></a></td><td align="left" valign="top"><p>
2815	You have exposed a well-used password <span class="emphasis"><em>not24get</em></span>. Is that
2816	not irresponsible?
2817	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2818	Well, I had to use a password of some sort. At least this one has been consistently
2819	used throughout. I guess you can figure out that in a real deployment it would make
2820	sense to use a more secure and original password.
2821	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583533"></a><a name="id2583535"></a></td><td align="left" valign="top"><p>
2822	The Idealx smbldap-tools create many domain group accounts that are not used. Is that
2823	a good thing?
2824	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2825	I took this up with Idealx and found them most willing to change that in the next version.
2826	Let's give Idealx some credit for the contribution they have made. I appreciate their work
2827	and, besides, it does no harm to create accounts that are not now used at some time
2828	Samba may well use them.
2829	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583559"></a><a name="id2583561"></a></td><td align="left" valign="top"><p>
2830	Can I use LDAP just for Samba accounts and not for UNIX system accounts?
2831	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2832	Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX)
2833	group account for every Windows domain group account. But if you put your users into
2834	the system password account, how do you plan to keep all domain controller system
2835	password files in sync? I think that having everything in LDAP makes a lot of sense
2836	for the UNIX administrator who is still learning the craft and is migrating from MS Windows.
2837	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583584"></a><a name="id2583586"></a></td><td align="left" valign="top"><p>
2838	Why are the Windows domain RID portions not the same as the UNIX UID?
2839	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2840	Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs.
2841	This algorithm ought to ensure that there will be no clashes with well-known RIDs.
2842	Well-known RIDs have special significance to MS Windows clients. The automatic
2843	assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does
2844	permit you to override that to some extent. See the <code class="filename">smb.conf</code> man page entry
2845	for <em class="parameter"><code>algorithmic rid base</code></em>.
2846	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583620"></a><a name="id2583622"></a></td><td align="left" valign="top"><p>
2847	Printer configuration examples all show printing to the HP port 9100. Does this
2848	mean that I must have HP printers for these solutions to work?
2849	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2850	No. You can use any type of printer and must use the interfacing protocol supported
2851	by the printer. Many networks use LPR/LPD print servers to which are attached
2852	PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached
2853	inkjet printer. Use the appropriate device URI (Universal Resource Interface)
2854	argument to the <code class="constant">lpadmin -v</code> option that is right for your
2855	printer.
2856	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583649"></a><a name="id2583651"></a></td><td align="left" valign="top"><p>
2857	Is folder redirection dangerous? I've heard that you can lose your data that way.
2858	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2859	The only loss of data I know of that involved folder redirection was caused by
2860	manual misuse of the redirection tool. The administrator redirected a folder to
2861	a network drive and said he wanted to migrate (move) the data over. Then he
2862	changed his mind, so he moved the folder back to the roaming profile. This time,
2863	he declined to move the data because he thought it was still in the local profile
2864	folder. That was not the case, so by declining to move the data back, he wiped out
2865	the data. You cannot hold the tool responsible for that. Caveat emptor still applies.
2866	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2583677"></a><a name="id2583679"></a></td><td align="left" valign="top"><p>
2867	Is it really necessary to set a local Group Policy to exclude the redirected
2868	folders from the roaming profile?
2869	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
2870	Yes. If you do not do this, the data will still be copied from the network folder
2871	(share) to the local cached copy of the profile.
2872	</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2581860" href="#id2581860" class="para">11</a>] </sup>
2873	There is an alternate method by which a default user profile can be added to the
2874	<code class="constant">NETLOGON</code> share. This facility in the Windows System tool
2875	permits profiles to be exported. The export target may be a particular user or
2876	group profile share point or else the <code class="constant">NETLOGON</code> share.
2877	In this case, the profile directory must be named <code class="constant">Default User</code>.
2878	</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Big500users.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="2000users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The 500-User Office </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A Distributed 2000-User Network</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: