Context Navigation

← Previous Revision
Next Revision →
Normal
Revision Log

source: branches/samba-3.3.x/docs-xml/Samba3-ByExample/SBE-SimpleOfficeServer.xml

Visit:

Last change on this file was 217, checked in by Herwig Bauernfeind, 16 years ago
Import Samba 3.3 branch at 3.3.0 level docs-xml (psmedley's port)
File size: 61.8 KB

Rev	Line
[217]	1	<?xml version="1.0" encoding="iso-8859-1"?>
	2	<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
	3	<chapter id="simple">
	4	<title>No-Frills Samba Servers</title>
	5
	6	<para>
	7	This is the start of the real journey toward the successful deployment of Samba. For some this chapter
	8	is the end of the road because their needs will have been adequately met. For others, this chapter is
	9	the beginning of a journey that will take them well past the contents of this book. This book provides
	10	example configurations of, for the greater part, complete networking solutions. The intent of this book
	11	is to help you to get your Samba installation working with the least amount of pain and aggravation.
	12	</para>
	13
	14	<sect1>
	15	<title>Introduction</title>
	16
	17	<para>
	18	This chapter lays the groundwork for understanding the basics of Samba operation.
	19	Instead of a bland technical discussion, each principle is demonstrated by way of a
	20	real-world scenario for which a working solution<footnote><para>The examples given mirror those documented
	21	in The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 2, Section 2.3.1. You may gain additional
	22	insight from the standalone server configurations covered in TOSHARG2, sections 2.3.1.2 through 2.3.1.4.
	23	</para></footnote> is fully described.
	24	</para>
	25
	26	<para>
	27	The practical exercises take you on a journey through a drafting office, a charity administration
	28	office, and an accounting office. You may choose to apply any or all of these exercises to your own environment.
	29	</para>
	30
	31	<para>
	32	Every assignment case can be implemented far more creatively, but remember that the solutions you
	33	create are designed to demonstrate a particular solution possibility. With experience, you should
	34	find much improved solutions compared with those presented here. By the time you complete this book,
	35	you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your
	36	way through the examples.
	37	</para>
	38
	39	</sect1>
	40	<sect1>
	41	<title>Assignment Tasks</title>
	42
	43	<para>
	44	Each case presented highlights different aspects of Windows networking for which a simple
	45	Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases.
	46	The cases are briefly reviewed to cover important points. Instructions are based
	47	on the assumption that the official Samba Team RPM package has been installed.
	48	</para>
	49
	50	<para>
	51	This chapter has three assignments built around fictitious companies:
	52	</para>
	53
	54	<para>
	55	<itemizedlist>
	56	<listitem><para>A drafting office</para></listitem>
	57	<listitem><para>A charity administration office</para></listitem>
	58	<listitem><para>An accounting office</para></listitem>
	59	</itemizedlist>
	60	</para>
	61
	62	<para>
	63	Let's get started.
	64	</para>
	65
	66	<sect2>
	67	<title>Drafting Office</title>
	68
	69	<para>
	70	Our fictitious company is called <emphasis>Abmas Design, Inc.</emphasis> This is a three-person
	71	computer-aided design (CAD) business that often has more work than can be handled. The
	72	business owner hires contract draftspeople from wherever he can. They bring their own
	73	notebook computers into the office. There are four permanent drafting machines. Abmas has a
	74	collection of over 10 years of plans that must be available for all draftsmen to reference.
	75	Abmas hires the services of an experienced network engineer to update the
	76	plans that are stored on a central server one day per month. She knows how to upload
	77	plans from each machine. The files available from the server must remain read-only.
	78	Anyone should be able to access the plans at any time and without barriers or difficulty.
	79	</para>
	80
	81	<para><indexterm><primary>Red Hat</primary></indexterm>
	82	<indexterm><primary>Fedora</primary></indexterm>
	83	Mr. Bob Jordan has asked you to install the new server as economically as possible. The central
	84	server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk
	85	to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora CoreX and
	86	have upgraded Samba to version 3.0.20 using the RPM package that is provided from the Samba
	87	<ulink url="http://www.samba.org">FTP</ulink> sites. (Note: Fedora CoreX indicates your favorite
	88	version.)
	89	</para>
	90
	91	<para><indexterm>
	92	<primary>consultant</primary>
	93	</indexterm>
	94	The four permanent drafting machines (Microsoft Windows workstations) have attached printers
	95	and plotters that are shared on a peer-to-peer basis by any and all network users. The intent
	96	is to continue to share printers in this manner. The three permanent staff work together with
	97	all contractors to store all new work on one PC. A daily copy is made of the work storage
	98	area to another PC for safekeeping. When the network consultant arrives, the weekly work
	99	area is copied to the central server and the files are removed from the main weekly storage
	100	machine. The office works best with this arrangement and does not want to change anything.
	101	Old habits are too ingrained.
	102	</para>
	103
	104	<sect3>
	105	<title>Dissection and Discussion</title>
	106
	107	<para>
	108	<indexterm><primary>file server</primary><secondary>read-only</secondary></indexterm>
	109	The requirements for this server installation demand simplicity. An anonymous read-only
	110	file server adequately meets all needs. The network consultant determines how
	111	to upload all files from the weekly storage area to the server. This installation should
	112	focus only on critical aspects of the installation.
	113	</para>
	114
	115	<para>
	116	It is not necessary to have specific users on the server. The site has a method for storing
	117	all design files (plans). Each plan is stored in a directory that is named YYYYWW,<footnote><para>
	118	This information is given purely as an example of how data may be stored in such a way that it
	119	will be easy to locate records at a later date. The example is not meant to imply any instructions
	120	that may be construed as essential to the design of the solution; this is something you will almost
	121	certainly want to determine for yourself.</para></footnote> where
	122	YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored
	123	by week of year to preserve the filing technique the site is familiar with.
	124	There is also a customer directory that is alphabetically listed. At the top level are 26
	125	directories (A-Z), in each is a second-level of directory for the first plus second letters of the name
	126	(A-Z); inside each is a directory by the customers' name. Inside each directory is a symbolic
	127	link to each design drawing or plan. This way of storing customer data files permits all
	128	plans to be located both by customer name and by the date the work was performed, without
	129	demanding the disk space that would be needed if a duplicate file copy were to be stored.
	130	The share containing the plans is called <emphasis>Plans</emphasis>.
	131	</para>
	132
	133	</sect3>
	134
	135	<sect3>
	136	<title>Implementation</title>
	137
	138	<para>
	139	It is assumed that the server is fully installed and ready for installation and
	140	configuration of Samba 3.0.20 and any support files needed. All TCP/IP addresses
	141	have been hard-coded. In our case the IP address of the Samba server is
	142	<constant>192.168.1.1</constant> and the netmask is <constant>255.255.255.0</constant>.
	143	The hostname of the server used is <constant>server</constant>.
	144	</para>
	145
	146	<procedure>
	147	<title>Samba Server Configuration</title>
	148
	149	<step><para>
	150	Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba
	151	<ulink url="http://www.samba.org">FTP servers.</ulink>
	152	</para></step>
	153
	154	<step><para>
	155	<indexterm><primary>RPM</primary><secondary>install</secondary></indexterm>
	156	<indexterm><primary>package</primary></indexterm>
	157	Install the RPM package using either the Red Hat Linux preferred GUI
	158	tool or the <command>rpm</command>:
	159	<screen>
	160	&rootprompt; rpm -Uvh samba-3.0.20-1.i386.rpm
	161	</screen>
	162	</para></step>
	163
	164	<step><para>
	165	Create a mount point for the file system that will be used to store all data files.
	166	You can create a directory called <filename>/plans</filename>:
	167	<screen>
	168	&rootprompt; mkdir /plans
	169	&rootprompt; chmod 755 /plans
	170	</screen>
	171	The 755 permissions on this directory (mount point) permit the owner to read, write,
	172	and execute, and the group and everyone else to read and execute only.
	173	</para>
	174
	175	<para>
	176	<indexterm><primary>file system</primary><secondary>Ext3</secondary></indexterm>
	177	Use Red Hat Linux system tools (refer to Red Hat instructions)
	178	to format the 160GB hard drive with a suitable file system. An Ext3 file system
	179	is suitable. Configure this drive to automatically mount using the <filename>/plans</filename>
	180	directory as the mount point.
	181	</para></step>
	182
	183	<step><para>
	184	Install the &smb.conf; file shown in <link linkend="draft-smbconf"/> in the
	185	<filename>/etc/samba</filename> directory.
	186
	187	<example id="draft-smbconf">
	188	<title>Drafting Office &smb.conf; File</title>
	189	<smbconfblock>
	190	<smbconfcomment>Global Parameters</smbconfcomment>
	191	<smbconfsection name="[global]"/>
	192	<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
	193	<smbconfoption name="security">SHARE</smbconfoption>
	194
	195	<smbconfsection name="[Plans]"/>
	196	<smbconfoption name="path">/plans</smbconfoption>
	197	<smbconfoption name="read only">Yes</smbconfoption>
	198	<smbconfoption name="guest ok">Yes</smbconfoption>
	199	</smbconfblock>
	200	</example>
	201	</para></step>
	202
	203	<step><para>
	204	<indexterm><primary>/etc/hosts</primary></indexterm>
	205	Verify that the <filename>/etc/hosts</filename> file contains the following entry:
	206	<screen>
	207	192.168.1.1 server
	208	</screen>
	209
	210	</para></step>
	211
	212	<step><para>
	213	<indexterm><primary>samba</primary><secondary>starting samba</secondary></indexterm>
	214	<indexterm><primary>chkconfig</primary></indexterm>
	215	<indexterm><primary>starting samba</primary></indexterm>
	216	Use the standard system tool to start Samba and to configure it to restart
	217	automatically at every system reboot. For example,
	218	<screen>
	219	&rootprompt; chkconfig smb on
	220	&rootprompt; /etc/rc.d/init.d/smb restart
	221	</screen>
	222	</para></step>
	223
	224	</procedure>
	225
	226	<procedure>
	227	<title>Windows Client Configuration</title>
	228
	229	<step><para>
	230	Make certain that all clients are set to the same network address range as
	231	used for the Samba server. For example, one client might have an IP
	232	address 192.168.1.10.
	233	</para></step>
	234
	235	<step><para>
	236	<indexterm><primary>netmask</primary></indexterm>
	237	Ensure that the netmask used on the Windows clients matches that used
	238	for the Samba server. All clients must have the same netmask, such as
	239	255.255.255.0.
	240	</para></step>
	241
	242	<step><para>
	243	<indexterm><primary>workgroup</primary></indexterm>
	244	Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
	245	</para></step>
	246
	247	<step><para>
	248	Verify on each client that the machine called <constant>SERVER</constant>
	249	is visible in the <guimenu>Network Neighborhood</guimenu>, that it is
	250	possible to connect to it and see the share <guimenuitem>Plans</guimenuitem>,
	251	and that it is possible to open that share to reveal its contents.
	252	</para></step>
	253
	254	</procedure>
	255
	256	</sect3>
	257
	258	<sect3 id="validate1">
	259	<title>Validation</title>
	260
	261	<para>
	262	<indexterm><primary>validation</primary></indexterm>
	263	The first priority in validating the new Samba configuration should be to check
	264	that Samba answers on the loop-back interface. Then it is time to check that Samba
	265	answers its own name correctly. Last, check that a client can connect to the Samba
	266	server.
	267	</para>
	268
	269	<procedure>
	270	<step><para>
	271	<indexterm><primary>smbd</primary></indexterm>
	272	<indexterm><primary>daemon</primary></indexterm>
	273	<indexterm><primary>smbclient</primary></indexterm>
	274	To check the ability to access the <command>smbd</command> daemon
	275	services, execute the following:
	276	<screen>
	277	&rootprompt; smbclient -L localhost -U%
	278	Sharename Type Comment
	279	--------- ---- -------
	280	Plans Disk
	281	IPC$ IPC IPC Service (Samba 3.0.20)
	282	ADMIN$ IPC IPC Service (Samba 3.0.20)
	283
	284	Server Comment
	285	--------- -------
	286	SERVER Samba 3.0.20
	287
	288	Workgroup Master
	289	--------- --------
	290	MIDEARTH SERVER
	291	</screen>
	292	<indexterm><primary>loopback</primary></indexterm>
	293	<indexterm><primary>NULL connection</primary></indexterm>
	294	This indicates that Samba is able to respond on the loopback interface to
	295	a NULL connection. The <parameter>-U%</parameter> means send an empty
	296	username and an empty password. This command should be repeated after
	297	Samba has been running for 15 minutes.
	298	</para></step>
	299
	300	<step><para>
	301	Now verify that Samba correctly handles being passed a username
	302	and password, and that it answers its own name. Execute the following:
	303	<screen>
	304	&rootprompt; smbclient -L server -Uroot%password
	305	</screen>
	306	The output should be identical to the previous response. Samba has been
	307	configured to ignore all usernames given; instead it uses the
	308	<parameter>guest account</parameter> for all connections.
	309	</para></step>
	310
	311	<step><para>
	312	<indexterm><primary>Windows Explorer</primary></indexterm>
	313	<indexterm><primary>Network Neighborhood</primary></indexterm>
	314	From the Windows 9x/Me client, launch Windows Explorer:
	315	<menuchoice>
	316	<guiicon>[Desktop: right-click] Network Neighborhood</guiicon>
	317	<guimenu>Explore</guimenu>
	318	<guimenuitem>[Left Panel] [+] Entire Network</guimenuitem>
	319	<guimenuitem>[Left Panel] [+] Server</guimenuitem>
	320	<guimenuitem>[Left Panel] [+] Plans</guimenuitem>
	321	</menuchoice>. In the right panel you should see the files and directories
	322	(folders) that are in the <guiicon>Plans</guiicon> share.
	323	</para></step>
	324	</procedure>
	325
	326	</sect3>
	327
	328	</sect2>
	329
	330	<sect2>
	331	<title>Charity Administration Office</title>
	332
	333	<para>
	334	The fictitious charity organization is called <emphasis>Abmas Vision NL</emphasis>. This office
	335	has five networked computers. Staff are all volunteers, staff changes are frequent.
	336	Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to
	337	use any PC. Only two Windows applications are used: a custom funds tracking and management package
	338	that stores all files on the central server and Microsoft Word. The office prepares mail-out
	339	letters, invitations, and thank-you notes. All files must be stored in perpetuity.
	340	The custom funds tracking and management (FTM) software is configured to use a server named
	341	<constant>SERVER</constant>, a share named <constant>FTMFILES</constant>, and a printer queue
	342	named <constant>PRINTQ</constant> that uses preprinted stationery, thus demanding a
	343	dedicated printer. This printer does not need to be mapped to a local printer on the workstations.
	344	</para>
	345
	346	<para>
	347	The FTM software has been in use since the days of Windows 3.11. The software was configured
	348	by the vendor who has since gone out of business. The identities of the file
	349	server and the printer are hard-coded in a configuration file that was created using a
	350	setup tool that the vendor did not provide to Abmas Vision NL or to its predecessors. The
	351	company that produced the software is no longer in business. In order to avoid risk of
	352	any incompatibilities, the share name and the name of the target print queue must be set
	353	precisely as the application expects. In fact, share names and print queue names
	354	should be treated as case insensitive (i.e., case does not matter), but Abmas Vision advises
	355	that if the share name is not in lowercase, the application claims it cannot find the
	356	file share.
	357	</para>
	358
	359	<para>
	360	<indexterm><primary>print queue</primary></indexterm>
	361	<indexterm><primary>print spooler</primary></indexterm>
	362	Printer handling in Samba results in a significant level of confusion. Samba presents to the
	363	MS Windows client only a print queue. The Samba <command>smbd</command> process passes a
	364	print job sent to it from the Windows client to the native UNIX printing system. The native
	365	UNIX printing system (spooler) places the job in a print queue from which it is
	366	delivered to the printer. In this book, network diagrams refer to a printer by the name
	367	of the print queue that services that printer. It does not matter what the fully qualified
	368	name (or the hostname) of a network-attached printer is. The UNIX print spooler is configured
	369	to correctly deliver all jobs to the printer.
	370	</para>
	371
	372	<para>
	373	This organization has a policy forbidding use of privately owned computers on site as a measure
	374	to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are
	375	used on this network.
	376	</para>
	377
	378	<para>
	379	<indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
	380	The central server was donated by a local computer store. It is a dual processor Pentium-III
	381	server, has 1GB RAM, a 3-Ware IDE RAID Controller that has four 200GB IDE hard drives, and a
	382	100-base-T network card. The office has 100-base-T permanent network connections that go to
	383	a central hub, and all equipment is new. The five network computers all are equipped with Microsoft
	384	Windows Me. Funding is limited, so the server has no operating system on it. You have approval
	385	to install Samba on Linux, provided it works without problems. There are two HP LaserJet
	386	5 PS printers that are network connected. The second printer is to be used for general
	387	office and letter printing. Your recommendation to allow only the Linux server to print directly
	388	to the printers was accepted. You have supplied SUSE Enterprise Linux Server 9 and
	389	have upgraded Samba to version 3.0.20.
	390	</para>
	391
	392	<sect3>
	393	<title>Dissection and Discussion</title>
	394
	395	<para>
	396	<indexterm><primary>force user</primary></indexterm>
	397	<indexterm><primary>nt acl support</primary></indexterm>
	398	<indexterm><primary>UID</primary></indexterm>
	399	<indexterm><primary>Posix</primary></indexterm>
	400	This installation demands simplicity. Frequent turnover of volunteer staff indicates that
	401	a network environment that requires users to logon might be problematic. It is suggested that the
	402	best solution for this office would be one where the user can log onto any PC with any username
	403	and password. Samba can accommodate an office like this by using the <parameter>force user</parameter>
	404	parameter in share and printer definitions. Using the <parameter>force user</parameter>
	405	parameter ensures that all files are owned by same user identifier (UID) and thus that there
	406	will never be a problem with file access due to file access permissions. Additionally, you elect
	407	to use the <parameter>nt acl support = No</parameter> option to ensure that
	408	access control lists (Posix type) cannot be written to any file or directory. This prevents
	409	an inadvertent ACL from overriding actual file permissions.
	410	</para>
	411
	412	<para>
	413	<indexterm><primary>SUID</primary></indexterm>
	414	<indexterm><primary>SGID</primary></indexterm>
	415	<indexterm><primary>security</primary><secondary>share mode</secondary></indexterm>
	416	This organization is a prime candidate for Share Mode security. The <parameter>force user</parameter>
	417	allows all files to be owned by the same user and group. In addition, it would not hurt to
	418	set SUID and set SGID shared directories. This means that all new files that are created, no matter
	419	who creates it, are owned by the owner or group of the directory in which they are created.
	420	For further information regarding the significance of the SUID/SGID settings, see <link
	421	linkend="appendix"/>, <link linkend="ch12-SUIDSGID"/>.
	422	</para>
	423
	424	<para>
	425	<indexterm><primary>CUPS</primary></indexterm>
	426	<indexterm><primary>printing</primary><secondary>raw</secondary></indexterm>
	427	<indexterm><primary>Red Hat Linux</primary></indexterm>
	428	<indexterm><primary>SUSE Linux</primary></indexterm>
	429	All client workstations print to a print queue on the server. This ensures that print jobs
	430	continue to print in the event that a user shuts down the workstation immediately after
	431	sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing.
	432	Older Linux systems offered a choice between the LPRng printing system or CUPS. It appears, however,
	433	that CUPS has become the leading UNIX printing technology.
	434	</para>
	435
	436	<para>
	437	<indexterm><primary>print queue</primary></indexterm>
	438	The print queues are set up as <constant>Raw</constant> devices, which means that CUPS will
	439	not do intelligent print processing, and vendor-supplied drivers must be installed locally on the
	440	Windows clients.
	441	</para>
	442
	443	<para>
	444	The hypothetical software, FTM, is representative of
	445	custom-built software that directly uses a NetBIOS interface. Most such software originated in
	446	the days of MS/PC DOS. NetBIOS names are uppercase (and functionally are case insensitive),
	447	so some old software applications would permit only uppercase names to be entered.
	448	Some such applications were later ported to MS Windows but retain the uppercase network
	449	resource naming conventions because customers are familiar with that. We made the decision
	450	to name shares and print queues for this application in uppercase for the same reason.
	451	Nothing would break if we were to use lowercase names, but that decision might create a need
	452	to retrain staff &smbmdash; something well avoided at this time.
	453	</para>
	454
	455	<para>
	456	NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
	457	print queue. The print spooling system is responsible for communicating with the physical
	458	printer. In this example, therefore, the resource called <constant>PRINTQ</constant>
	459	really is just a print queue. The name of the print queue is representative of
	460	the device to which the print spooler delivers print jobs.
	461	</para>
	462
	463	</sect3>
	464
	465	<sect3>
	466	<title>Implementation</title>
	467
	468	<para>
	469	It is assumed that the server is fully installed and ready for configuration of
	470	Samba 3.0.20 and for necessary support files. All TCP/IP addresses should be hard-coded.
	471	In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is
	472	255.255.255.0. The hostname of the server used is <constant>server</constant>.
	473	The office network is built as shown in <link linkend="charitynet"/>.
	474	</para>
	475
	476	<figure id="charitynet">
	477	<title>Charity Administration Office Network</title>
	478	<imagefile scale="80">Charity-Network</imagefile>
	479	</figure>
	480
	481	<procedure>
	482	<title>Samba Server Configuration</title>
	483
	484	<step><para>
	485	<indexterm><primary>groupadd</primary></indexterm>
	486	Create a group account for office file storage:
	487	<screen>
	488	&rootprompt; groupadd office
	489	</screen>
	490	</para></step>
	491
	492	<step><para>
	493	<indexterm><primary>useradd</primary></indexterm>
	494	<indexterm><primary>passwd</primary></indexterm>
	495	Create a user account for office file storage:
	496	<screen>
	497	&rootprompt; useradd -m abmas
	498	&rootprompt; passwd abmas
	499	Changing password for abmas.
	500	New password: XXXXXXXX
	501	Re-enter new password: XXXXXXXX
	502	Password changed
	503	</screen>
	504	where XXXXXXXX is a secret password.
	505	</para></step>
	506
	507	<step><para>
	508	Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
	509	drives as a single RAID level 5 drive, with one drive set aside as the hot spare.
	510	(Refer to the 3-Ware RAID Controller Manual for the manufacturer's preferred procedure.)
	511	The resulting drive has a capacity of approximately 500GB of usable space.
	512	</para></step>
	513
	514	<step><para>
	515	<indexterm><primary>permissions</primary></indexterm>
	516	Create a mount point for the file system that can be used to store all data files.
	517	Create a directory called <filename>/data</filename>:
	518	<screen>
	519	&rootprompt; mkdir /data
	520	&rootprompt; chmod 755 /data
	521	</screen>
	522	The 755 permissions on this directory (mount point) permit the owner to read, write, and execute,
	523	and the group and everyone else to read and execute only.
	524	</para></step>
	525
	526	<step><para>
	527	Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
	528	procedures) to format the partition with a suitable file system. The reiserfs file system
	529	is suitable. Configure this drive to automount using the <filename>/data</filename>
	530	directory as the mount point. It must be mounted before proceeding.
	531	</para></step>
	532
	533	<step><para>
	534	Under the directory called <filename>/data</filename>, create two directories
	535	named <filename>ftmfiles</filename> and <filename>officefiles</filename>, and set
	536	ownership and permissions:
	537	<screen>
	538	&rootprompt; mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
	539	&rootprompt; chown -R abmas:office /data
	540	&rootprompt; chmod -R ug+rwxs,o-w,o+rx /data
	541	</screen>
	542	These demonstrate compound operations. The <command>mkdir</command> command
	543	creates in one step these directories:
	544	<programlisting>
	545	/data/fmtfiles
	546	/data/officefiles
	547	/data/officefiles/letters
	548	/data/officefiles/invitations
	549	/data/officefiles/misc
	550	</programlisting>
	551	<indexterm><primary>TOSHARG2</primary></indexterm>
	552	The <command>chown</command> operation sets the owner to the user <constant>abmas</constant>
	553	and the group to <constant>office</constant> on all directories just created. It recursively
	554	sets the permissions so that the owner and group have SUID/SGID with read, write, and execute
	555	permission, and everyone else has read and execute permission. This means that all files and
	556	directories are created with the same owner and group as the directory in which they are
	557	created. Any new directories created still have the same owner, group, and permissions as the
	558	directory they are in. This should eliminate all permissions-based file access problems. For
	559	more information on this subject, refer to TOSHARG2<footnote>The Official Samba-3 HOWTO and
	560	Reference Guide, Chapter 15, File, Directory and Share Access Controls.</footnote> or refer
	561	to the UNIX man page for the <command>chmod</command> and the <command>chown</command> commands.
	562	</para></step>
	563
	564	<step><para>
	565	Install the &smb.conf; file shown in <link linkend="charity-smbconfnew"/> in the
	566	<filename>/etc/samba</filename> directory. This newer &smb.conf; file uses user-mode security
	567	and is more suited to the mode of operation of Samba-3 than the older share-mode security
	568	configuration that was shown in the first edition of this book.
	569	</para>
	570
	571	<para>
	572	Note: If you want to use the older-style configuration that uses share-mode security, you
	573	can install the file shown in <link linkend="charity-smbconf"/> in the
	574	<filename>/etc/samba</filename> directory.
	575	</para></step>
	576
	577	<step><para>
	578	<indexterm><primary>smbd</primary></indexterm>
	579	We must ensure that the <command>smbd</command> can resolve the name of the Samba
	580	server to its IP address. Verify that the <filename>/etc/hosts</filename> file
	581	contains the following entry:
	582	<screen>
	583	192.168.1.1 server
	584	</screen>
	585	</para></step>
	586
	587	<step><para>
	588	Configure the printers with the IP address as shown in <link linkend="charitynet"/>.
	589	Follow the instructions in the manufacturer's manual to permit printing to port 9100
	590	so that the CUPS spooler can print using raw mode protocols.
	591	</para></step>
	592
	593	<step><para>
	594	<indexterm><primary>lpadmin</primary></indexterm>
	595	Configure the CUPS Print Queues:
	596	<screen>
	597	&rootprompt; lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
	598	&rootprompt; lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
	599	</screen>
	600	This creates the necessary print queues with no assigned print filter.
	601	</para></step>
	602
	603	<step><para>
	604	<indexterm><primary>mime type</primary></indexterm>
	605	<indexterm><primary>/etc/cups/mime.convs</primary></indexterm>
	606	<indexterm><primary>application/octet-stream</primary></indexterm>
	607	Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
	608	<screen>
	609	application/octet-stream application/vnd.cups-raw 0 -
	610	</screen>
	611	</para></step>
	612
	613	<step><para>
	614	<indexterm><primary>/etc/cups/mime.types</primary></indexterm>
	615	Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
	616	<screen>
	617	application/octet-stream
	618	</screen>
	619	</para></step>
	620
	621	<step><para>
	622	<indexterm><primary>starting samba</primary></indexterm>
	623	Use the standard system tool to start Samba and CUPS to configure them to restart
	624	automatically at every system reboot. For example,
	625	</para>
	626
	627	<para>
	628	<indexterm><primary>starting samba</primary></indexterm>
	629	<indexterm><primary>starting CUPS</primary></indexterm>
	630	<indexterm><primary>chkconfig</primary></indexterm>
	631	<screen>
	632	&rootprompt; chkconfig smb on
	633	&rootprompt; chkconfig cups on
	634	&rootprompt; /etc/rc.d/init.d/smb restart
	635	&rootprompt; /etc/rc.d/init.d/cups restart
	636	</screen>
	637	</para></step>
	638
	639	</procedure>
	640
	641	<example id="charity-smbconfnew">
	642	<title>Charity Administration Office &smb.conf; New-style File</title>
	643	<smbconfblock>
	644	<smbconfcomment>Global Parameters - Newer Configuration</smbconfcomment>
	645	<smbconfsection name="[global]"/>
	646	<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
	647	<smbconfoption name="printing">CUPS</smbconfoption>
	648	<smbconfoption name="printcap name">CUPS</smbconfoption>
	649	<smbconfoption name="map to guest">Bad User</smbconfoption>
	650	<smbconfoption name="show add printer wizard">No</smbconfoption>
	651	<smbconfoption name="wins support">yes</smbconfoption>
	652
	653	<smbconfsection name="[FTMFILES]"/>
	654	<smbconfoption name="comment">Funds Tracking & Management Files</smbconfoption>
	655	<smbconfoption name="path">/data/ftmfiles</smbconfoption>
	656	<smbconfoption name="read only">No</smbconfoption>
	657	<smbconfoption name="force user">abmas</smbconfoption>
	658	<smbconfoption name="force group">office</smbconfoption>
	659	<smbconfoption name="guest ok">Yes</smbconfoption>
	660	<smbconfoption name="nt acl support">No</smbconfoption>
	661
	662	<smbconfsection name="[office]"/>
	663	<smbconfoption name="comment">General Office Files</smbconfoption>
	664	<smbconfoption name="path">/data/officefiles</smbconfoption>
	665	<smbconfoption name="read only">No</smbconfoption>
	666	<smbconfoption name="force user">abmas</smbconfoption>
	667	<smbconfoption name="force group">office</smbconfoption>
	668	<smbconfoption name="guest ok">Yes</smbconfoption>
	669	<smbconfoption name="nt acl support">No</smbconfoption>
	670
	671	<smbconfsection name="[printers]"/>
	672	<smbconfoption name="comment">Print Temporary Spool Configuration</smbconfoption>
	673	<smbconfoption name="path">/var/spool/samba</smbconfoption>
	674	<smbconfoption name="printable">Yes</smbconfoption>
	675	<smbconfoption name="guest ok">Yes</smbconfoption>
	676	<smbconfoption name="use client driver">Yes</smbconfoption>
	677	<smbconfoption name="browseable">No</smbconfoption>
	678	</smbconfblock>
	679	</example>
	680
	681	<example id="charity-smbconf">
	682	<title>Charity Administration Office &smb.conf; Old-style File</title>
	683	<smbconfblock>
	684	<smbconfcomment>Global Parameters - Older Style Configuration</smbconfcomment>
	685	<smbconfsection name="[global]"/>
	686	<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
	687	<smbconfoption name="security">SHARE</smbconfoption>
	688	<smbconfoption name="printing">CUPS</smbconfoption>
	689	<smbconfoption name="printcap name">CUPS</smbconfoption>
	690	<smbconfoption name="disable spoolss">Yes</smbconfoption>
	691	<smbconfoption name="show add printer wizard">No</smbconfoption>
	692	<smbconfoption name="wins support">yes</smbconfoption>
	693
	694	<smbconfsection name="[FTMFILES]"/>
	695	<smbconfoption name="comment">Funds Tracking & Management Files</smbconfoption>
	696	<smbconfoption name="path">/data/ftmfiles</smbconfoption>
	697	<smbconfoption name="read only">No</smbconfoption>
	698	<smbconfoption name="force user">abmas</smbconfoption>
	699	<smbconfoption name="force group">office</smbconfoption>
	700	<smbconfoption name="guest ok">Yes</smbconfoption>
	701	<smbconfoption name="nt acl support">No</smbconfoption>
	702
	703	<smbconfsection name="[office]"/>
	704	<smbconfoption name="comment">General Office Files</smbconfoption>
	705	<smbconfoption name="path">/data/officefiles</smbconfoption>
	706	<smbconfoption name="read only">No</smbconfoption>
	707	<smbconfoption name="force user">abmas</smbconfoption>
	708	<smbconfoption name="force group">office</smbconfoption>
	709	<smbconfoption name="guest ok">Yes</smbconfoption>
	710	<smbconfoption name="nt acl support">No</smbconfoption>
	711
	712	<smbconfsection name="[printers]"/>
	713	<smbconfoption name="comment">Print Temporary Spool Configuration</smbconfoption>
	714	<smbconfoption name="path">/var/spool/samba</smbconfoption>
	715	<smbconfoption name="printable">Yes</smbconfoption>
	716	<smbconfoption name="guest ok">Yes</smbconfoption>
	717	<smbconfoption name="use client driver">Yes</smbconfoption>
	718	<smbconfoption name="browseable">No</smbconfoption>
	719	</smbconfblock>
	720	</example>
	721
	722	<procedure>
	723	<title>Windows Client Configuration</title>
	724
	725	<step><para>
	726	Configure clients to the network settings shown in <link linkend="charitynet"/>.
	727	</para></step>
	728
	729	<step><para>
	730	Ensure that the netmask used on the Windows clients matches that used
	731	for the Samba server. All clients must have the same netmask, such as
	732	<constant>255.255.255.0</constant>.
	733	</para></step>
	734
	735	<step><para>
	736	<indexterm><primary>WINS</primary></indexterm>
	737	On all Windows clients, set the WINS Server address to <constant>192.168.1.1</constant>,
	738	the IP address of the server.
	739	</para></step>
	740
	741	<step><para>
	742	Set the workgroup name on all clients to <constant>MIDEARTH</constant>.
	743	</para></step>
	744
	745	<step><para>
	746	<indexterm><secondary>logon</secondary></indexterm>
	747	Install the <quote>Client for Microsoft Networks.</quote> Ensure that the only option
	748	enabled in its properties is the option <quote>Logon and restore network connections.</quote>
	749	</para></step>
	750
	751	<step><para>
	752	Click <guibutton>OK</guibutton> when you are prompted to reboot the system. Reboot the
	753	system, then log on using any username and password you choose.
	754	</para></step>
	755
	756	<step><para>
	757	<indexterm><primary>My Network Places</primary></indexterm>
	758	Verify on each client that the machine called <constant>SERVER</constant>
	759	is visible in <guimenu>My Network Places</guimenu>, that it is
	760	possible to connect to it and see the share <guimenuitem>office</guimenuitem>,
	761	and that it is possible to open that share to reveal its contents.
	762	</para></step>
	763
	764	<step><para>
	765	<indexterm><primary>password caching</primary></indexterm>
	766	<indexterm><primary>regedit</primary></indexterm>
	767	Disable password caching on all Windows 9x/Me machines using the registry change file
	768	shown in <link linkend="MEreg"/>. Be sure to remove all files that have the
	769	<filename>PWL</filename> extension that are in the <filename>C:\WINDOWS</filename>
	770	directory.
	771	<example id="MEreg">
	772	<title>Windows Me &smbmdash; Registry Edit File: Disable Password Caching</title>
	773	<screen>
	774	REGEDIT4
	775
	776	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
	777	Windows\CurrentVersion\Policies\Network]
	778	"DisablePwdCaching"=dword:00000001
	779	</screen>
	780	</example>
	781	The best way to apply this change is to save the patch in a file called
	782	<filename>ME-dpwc.reg</filename> and then execute:
	783	<screen>
	784	C:\WINDOWS: regedit ME-dpwc.reg
	785	</screen>
	786	</para></step>
	787
	788	<step><para>
	789	Instruct all users to log onto the workstation using a name and password of their own
	790	choosing. The Samba server has been
	791	configured to ignore the username and password given.
	792	</para></step>
	793
	794	<step><para>
	795	On each Windows Me workstation, configure a network drive mapping to drive <filename>G:</filename>
	796	that redirects to the uniform naming convention (UNC) resource
	797	<filename>\\server\office</filename>. Make this a permanent drive connection:
	798	</para>
	799	<procedure>
	800	<step><para>
	801	<menuchoice>
	802	Right-click <guimenu>My Network</guimenu>
	803	<guimenuitem>Map Network Drive...</guimenuitem>
	804	</menuchoice>
	805	</para></step>
	806
	807	<step><para>
	808	In the box labeled <quote>Drive:</quote>, type G.
	809	</para></step>
	810
	811	<step><para>
	812	In the box labeled <quote>Path:</quote>, enter
	813	<filename>\\server\officefiles</filename>.
	814	</para></step>
	815
	816	<step><para>
	817	Click <guimenuitem>Reconnect at logon</guimenuitem>.
	818	Click <guibutton>OK</guibutton>.
	819	</para></step>
	820
	821	</procedure>
	822	</step>
	823
	824	<step><para>
	825	On each workstation, install the FTM software following the
	826	manufacturer's instructions.
	827	</para>
	828	<procedure>
	829	<step><para>
	830	During installation, you are prompted for the name of the Windows 98
	831	server. Enter the name <constant>SERVER</constant>.
	832	</para></step>
	833	<step><para>
	834	You are prompted for the name of the data share.
	835	The prompt defaults to <constant>FTMFILES</constant>. Press enter to accept the default value.
	836	</para></step>
	837	<step><para>
	838	You are now prompted for the print queue name. The default prompt is the name of
	839	the server you entered (<constant>SERVER</constant> as follows:
	840	<constant>\\SERVER\PRINTQ</constant>). Simply accept the default and press enter to
	841	continue. The software now completes the installation.
	842	</para></step>
	843	</procedure>
	844	</step>
	845
	846	<step><para>
	847	Install an office automation software package of the customer's choice. Either Microsoft
	848	Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may
	849	need to perform. Repeat this on each workstation.
	850	</para></step>
	851
	852	<step><para>
	853	Install a printer on each workstation using the following steps:
	854	</para>
	855
	856	<procedure>
	857	<step><para>
	858	Click <menuchoice>
	859	<guimenu>Start</guimenu>
	860	<guimenuitem>Settings</guimenuitem>
	861	<guimenuitem>Printers</guimenuitem>
	862	<guiicon>Add Printer</guiicon>
	863	<guibutton>Next</guibutton>
	864	</menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>.
	865	Ensure that <guimenuitem>Local printer</guimenuitem> is selected.
	866	</para></step>
	867
	868	<step><para>
	869	Click <guibutton>Next</guibutton>. In the Manufacturer: panel, select
	870	<constant>HP</constant>. In the Printers: panel, select the printer called
	871	<constant>HP LaserJet 5/5M Postscript</constant>. Click <guibutton>Next</guibutton>.
	872	</para></step>
	873
	874	<step><para>
	875	In the Available ports: panel, select <constant>FILE:</constant>. Accept the
	876	default printer name by clicking <guibutton>Next</guibutton>. When asked,
	877	<quote>Would you like to print a test page?</quote>, click
	878	<guimenuitem>No</guimenuitem>. Click <guibutton>Finish</guibutton>.
	879	</para></step>
	880
	881	<step><para>
	882	You may be prompted for the name of a file to print to. If so, close the
	883	dialog panel. Right-click <menuchoice>
	884	<guiicon>HP LaserJet 5/5M Postscript</guiicon>
	885	<guimenuitem>Properties</guimenuitem>
	886	<guisubmenu>Details (Tab)</guisubmenu>
	887	<guimenuitem>Add Port</guimenuitem>
	888	</menuchoice>.
	889	</para></step>
	890
	891	<step><para>
	892	In the Network panel, enter the name of
	893	the print queue on the Samba server as follows: <constant>\\SERVER\hplj5</constant>.
	894	Click <menuchoice>
	895	<guibutton>OK</guibutton>
	896	<guibutton>OK</guibutton>
	897	</menuchoice> to complete the installation.
	898	</para></step>
	899
	900	<step><para>
	901	It is a good idea to test the functionality of the complete installation before
	902	handing the newly configured network over to the Charity Administration Office
	903	for production use.
	904	</para></step>
	905
	906	</procedure>
	907
	908	</step>
	909
	910	</procedure>
	911
	912	</sect3>
	913
	914	<sect3>
	915	<title>Validation</title>
	916
	917	<para>
	918	Use the same validation process as was followed in <link linkend="validate1"/>.
	919	</para>
	920
	921	</sect3>
	922
	923	</sect2>
	924
	925	<sect2 id="AccountingOffice">
	926	<title>Accounting Office</title>
	927
	928	<para>
	929	Abmas Accounting is a 40-year-old family-run business. There are nine permanent
	930	computer users. The network clients were upgraded two years ago. All computers run Windows 2000
	931	Professional. This year the server will be upgraded from an old Windows NT4 server (actually
	932	running Windows NT4 Workstation, which worked fine for fewer than 10 users) that has
	933	run in workgroup (standalone) mode, to a new Linux server running Samba.
	934	</para>
	935
	936	<para>
	937	The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional
	938	clients running as workgroup machines so that any staff member can take a machine home and keep
	939	working. It has worked well so far, and your task is to replace the old server. All users have
	940	their own workstation logon (you configured it that way when the machines were installed).
	941	Mr. Meany wants the new system to operate the same way as the old Windows NT4 server &smbmdash; users
	942	cannot access each others' files, but he can access everyone's files. Each person's work files are
	943	in a separate share on the server. Users log on to their Windows workstation with their username
	944	and enter an assigned password; they do not need to enter a password when accessing their files
	945	on the server.
	946	</para>
	947
	948	<para>
	949	<indexterm><primary>Red Hat Linux</primary></indexterm>
	950	The new server will run Red Hat Fedora Core2. You should install Samba-3.0.20 and
	951	copy all files from the old system to the new one. The existing Windows NT4 server has a parallel
	952	port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each
	953	workstation. You must not change anything on the workstations. Mr. Meany gave instructions to
	954	replace the server, <quote>but leave everything else alone to avoid staff unrest.</quote>
	955	</para>
	956
	957	<para>
	958	You have tried to educate Mr. Meany and found that he has no desire to understand networking.
	959	He believes that Windows for Workgroups 3.11 was <quote>the best server Microsoft ever sold
	960	</quote> and that Windows NT and 2000 are <quote>too fang-dangled complex!</quote>
	961	</para>
	962
	963	<sect3>
	964	<title>Dissection and Discussion</title>
	965
	966	<para>
	967	<indexterm><primary>security</primary><secondary>user mode</secondary></indexterm>
	968	The requirements of this network installation are not unusual. The staff are not interested in the
	969	details of networking. Passwords are never changed. In this example solution, we demonstrate the use
	970	of User Mode security in a simple context. Directories should be set SGID to ensure that members
	971	of a common group can access the contents. Each user has his or her own share to which only they
	972	can connect. Mr. Meany's share will be a top-level directory above the share point for each employee.
	973	Mr. Meany is a member of the same group as his staff and can access their work files.
	974	The well-used HP LaserJet 4 is available as a service called <constant>hplj</constant>.
	975	</para>
	976
	977	<para>
	978	You have finished configuring the new hardware and have just completed installation of Red Hat
	979	Fedora Core2. Roll up your sleeves and let's get to work.
	980	</para>
	981
	982	</sect3>
	983
	984	<sect3 id="AcctgNet">
	985	<title>Implementation</title>
	986
	987	<para>
	988	The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it
	989	cannot be running as a WINS server. It is best that the new configuration preserves the same
	990	configuration. The office does not use Internet access, so security really is not an issue.
	991	</para>
	992
	993	<para>
	994	The core information regarding the users, their passwords, the directory share point, and the
	995	share name is given in <link linkend="acctingnet"/>. The overall network topology is shown in
	996	<link linkend="acctingnet2"/>. All machines have been configured as indicated prior to the
	997	start of Samba configuration. The following prescriptive steps may now commence.
	998	</para>
	999
	1000	<figure id="acctingnet2">
	1001	<title>Accounting Office Network Topology</title>
	1002	<imagefile scale="85">AccountingNetwork</imagefile>
	1003	</figure>
	1004
	1005	<table id="acctingnet">
	1006	<title>Accounting Office Network Information</title>
	1007	<tgroup cols="6">
	1008	<colspec align="left"/>
	1009	<colspec align="left"/>
	1010	<colspec align="left"/>
	1011	<colspec align="left"/>
	1012	<colspec align="left"/>
	1013	<colspec align="left"/>
	1014	<thead>
	1015	<row>
	1016	<entry>User</entry>
	1017	<entry>Login-ID</entry>
	1018	<entry>Password</entry>
	1019	<entry>Share Name</entry>
	1020	<entry>Directory</entry>
	1021	<entry>Wkst</entry>
	1022	</row>
	1023	</thead>
	1024	<tbody>
	1025	<row>
	1026	<entry>Alan Meany</entry>
	1027	<entry>alan</entry>
	1028	<entry>alm1961</entry>
	1029	<entry>alan</entry>
	1030	<entry>/data</entry>
	1031	<entry>PC1</entry>
	1032	</row>
	1033	<row>
	1034	<entry>James Meany</entry>
	1035	<entry>james</entry>
	1036	<entry>jimm1962</entry>
	1037	<entry>james</entry>
	1038	<entry>/data/james</entry>
	1039	<entry>PC2</entry>
	1040	</row>
	1041	<row>
	1042	<entry>Jeannie Meany</entry>
	1043	<entry>jeannie</entry>
	1044	<entry>jema1965</entry>
	1045	<entry>jeannie</entry>
	1046	<entry>/data/jeannie</entry>
	1047	<entry>PC3</entry>
	1048	</row>
	1049	<row>
	1050	<entry>Suzy Millicent</entry>
	1051	<entry>suzy</entry>
	1052	<entry>suzy1967</entry>
	1053	<entry>suzy</entry>
	1054	<entry>/data/suzy</entry>
	1055	<entry>PC4</entry>
	1056	</row>
	1057	<row>
	1058	<entry>Ursula Jenning</entry>
	1059	<entry>ujen</entry>
	1060	<entry>ujen1974</entry>
	1061	<entry>ursula</entry>
	1062	<entry>/data/ursula</entry>
	1063	<entry>PC5</entry>
	1064	</row>
	1065	<row>
	1066	<entry>Peter Pan</entry>
	1067	<entry>peter</entry>
	1068	<entry>pete1984</entry>
	1069	<entry>peter</entry>
	1070	<entry>/data/peter</entry>
	1071	<entry>PC6</entry>
	1072	</row>
	1073	<row>
	1074	<entry>Dale Roland</entry>
	1075	<entry>dale</entry>
	1076	<entry>dale1986</entry>
	1077	<entry>dale</entry>
	1078	<entry>/data/dale</entry>
	1079	<entry>PC7</entry>
	1080	</row>
	1081	<row>
	1082	<entry>Bertrand E Paoletti</entry>
	1083	<entry>eric</entry>
	1084	<entry>eric1993</entry>
	1085	<entry>eric</entry>
	1086	<entry>/data/eric</entry>
	1087	<entry>PC8</entry>
	1088	</row>
	1089	<row>
	1090	<entry>Russell Lewis</entry>
	1091	<entry>russ</entry>
	1092	<entry>russ2001</entry>
	1093	<entry>russell</entry>
	1094	<entry>/data/russell</entry>
	1095	<entry>PC9</entry>
	1096	</row>
	1097	</tbody>
	1098	</tgroup>
	1099	</table>
	1100
	1101	<procedure>
	1102	<title>Migration from Windows NT4 Workstation System to Samba-3</title>
	1103
	1104	<step><para><indexterm>
	1105	<primary>migration</primary>
	1106	</indexterm>
	1107	Rename the old server from <constant>CASHPOOL</constant> to <constant>STABLE</constant>
	1108	by logging onto the console as the <constant>Administrator</constant>. Restart the machine
	1109	following system prompts.
	1110	</para></step>
	1111
	1112	<step><para>
	1113	Name the new server <constant>CASHPOOL</constant> using the standard configuration method.
	1114	Restart the machine following system prompts.
	1115	</para></step>
	1116
	1117	<step><para>
	1118	Install the latest Samba-3 binary Red Hat Linux RPM that is available from the
	1119	Samba FTP site.
	1120	</para></step>
	1121
	1122	<step><para>
	1123	<indexterm><primary>group account</primary></indexterm>
	1124	<indexterm><primary>groupadd</primary></indexterm>
	1125	Add a group account for the office to use. Execute the following:
	1126	<screen>
	1127	&rootprompt; groupadd accts
	1128	</screen>
	1129	</para></step>
	1130
	1131	<step><para>
	1132	Install the &smb.conf; file shown<footnote><para>This example uses the
	1133	<parameter>smbpasswd</parameter> file in an obtuse way, since the use of
	1134	the <parameter>passdb backend</parameter> has not been specified in the &smb.conf;
	1135	file. This means that you are depending on correct default behavior.</para></footnote>
	1136	in <link linkend="acctconf"/>.
	1137	</para></step>
	1138
	1139	<step><para>
	1140	<indexterm><primary>useradd</primary></indexterm>
	1141	<indexterm><primary>passwd</primary></indexterm>
	1142	<indexterm><primary>smbpasswd</primary></indexterm>
	1143	For each user who uses this system (see <link linkend="acctingnet"/>),
	1144	execute the following:
	1145	<screen>
	1146	&rootprompt; useradd -m -G accts -c "Name of User" "LoginID"
	1147	&rootprompt; passwd "LoginID"
	1148	Changing password for user "LoginID"
	1149	New Password: XXXXXXXXX <-- the password from the table
	1150	Retype new password: XXXXXXXXX
	1151	&rootprompt; smbpasswd -a "LoginID"
	1152	New SMB password: XXXXXXXXX <-- the password from the table
	1153	Retype new SMB password: XXXXXXXXX
	1154	Added user "LoginID"
	1155	</screen>
	1156	</para></step>
	1157
	1158	<step><para>
	1159	<indexterm><primary>data storage</primary></indexterm>
	1160	Create the directory structure for the file shares by executing the following:
	1161	<screen>
	1162	&rootprompt; mkdir -p /data
	1163	&rootprompt; chown alan /data
	1164	&rootprompt; for i in james suzy ujen peter dale eric jeannie russ
	1165	> do
	1166	> mkdir -p /data/$i
	1167	> chown $i /data/$i
	1168	> done
	1169	&rootprompt; chgrp -R accts /data
	1170	&rootprompt; chmod -R ug+rwxs,o-r+x /data
	1171	</screen>
	1172	The data storage structure is now prepared for use.
	1173	</para></step>
	1174
	1175	<step><para>
	1176	<indexterm><primary>lpadmin</primary></indexterm>
	1177	Configure the CUPS Print Queues:
	1178	<screen>
	1179	&rootprompt; lpadmin -p hplj -v parallel:/dev/lp0 -E
	1180	</screen>
	1181	This creates the necessary print queues with no assigned print filter.
	1182	</para></step>
	1183
	1184	<step><para>
	1185	<indexterm><primary>mime types</primary></indexterm>
	1186	<indexterm><primary>/etc/cups/mime.convs</primary></indexterm>
	1187	Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
	1188	<screen>
	1189	application/octet-stream application/vnd.cups-raw 0 -
	1190	</screen>
	1191	</para></step>
	1192
	1193	<step><para>
	1194	<indexterm><primary>/etc/cups/mime.types</primary></indexterm>
	1195	<indexterm><primary>application/octet-stream</primary></indexterm>
	1196	Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
	1197	<screen>
	1198	application/octet-stream
	1199	</screen>
	1200	</para></step>
	1201
	1202	<step><para>
	1203	<indexterm><primary>starting samba</primary></indexterm>
	1204	Use the standard system tool to start Samba and CUPS to configure them to restart
	1205	automatically at every system reboot. For example,
	1206	</para>
	1207
	1208	<para>
	1209	<indexterm><primary>starting samba</primary></indexterm>
	1210	<indexterm><primary>startingCUPS</primary></indexterm>
	1211	<indexterm><primary>chkconfig</primary></indexterm>
	1212	<screen>
	1213	&rootprompt; chkconfig smb on
	1214	&rootprompt; chkconfig cups on
	1215	&rootprompt; /etc/rc.d/init.d/smb restart
	1216	&rootprompt; /etc/rc.d/init.d/cups restart
	1217	</screen>
	1218	</para></step>
	1219
	1220	<step><para>
	1221	On Alan's workstation, use Windows Explorer to migrate the files from the old server
	1222	to the new server. The new server should appear in the <guimenu>Network Neighborhood</guimenu>
	1223	with the name of the old server (<constant>CASHPOOL</constant>).
	1224	</para>
	1225
	1226	<procedure>
	1227
	1228	<step><para>
	1229	Log on to Alan's workstation as the user <constant>alan</constant>.
	1230	</para></step>
	1231
	1232	<step><para>
	1233	Launch a second instance of Windows Explorer and navigate to the share called
	1234	<guiicon>files</guiicon> on the server called <guimenu>STABLE</guimenu>.
	1235	</para></step>
	1236
	1237	<step><para>
	1238	Click in the right panel, and press <guimenu>Ctrl-A</guimenu> to select all files and
	1239	directories. Press <guimenu>Ctrl-C</guimenu> to instruct Windows that you wish to
	1240	copy all selected items.
	1241	</para></step>
	1242
	1243	<step><para>
	1244	Launch the Windows Explorer, and navigate to the share called <guiicon>files</guiicon>
	1245	on the server called <guimenu>CASHPOOL</guimenu>. Click in the right panel, and then press
	1246	<guimenu>Ctrl-V</guimenu> to commence the copying process.
	1247	</para></step>
	1248
	1249	</procedure>
	1250	</step>
	1251
	1252	<step><para>
	1253	Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server.
	1254	This is best done on the Samba-3 server. Check the contents of the directory tree under
	1255	<filename>/data</filename> by executing the following command:
	1256	<screen>
	1257	&rootprompt; ls -aR /data
	1258	</screen>
	1259	Make certain to check the ownership and permissions on all files. If in doubt, execute the following:
	1260	<screen>
	1261	&rootprompt; chown alan /data
	1262	&rootprompt; for i in james suzy ujen peter dale eric jeannie russ
	1263	> do
	1264	> chown $i /data/$i
	1265	> done
	1266	&rootprompt; chgrp -R accts /data
	1267	&rootprompt; chmod -R ug+rwxs,o-r+x /data
	1268	</screen>
	1269	</para></step>
	1270
	1271	<step><para>
	1272	The migration of all data should now be complete. It is time to validate the installation.
	1273	For this, you should make sure all applications, including printing, work before asking the
	1274	customer to test drive the new network.
	1275	</para></step>
	1276
	1277	</procedure>
	1278
	1279	<example id="acctconf">
	1280	<title>Accounting Office Network &smb.conf; Old Style Configuration File</title>
	1281	<smbconfblock>
	1282	<smbconfcomment>Global parameters</smbconfcomment>
	1283	<smbconfsection name="[global]"/>
	1284	<smbconfoption name="workgroup">BILLMORE</smbconfoption>
	1285	<smbconfoption name="printcap name">CUPS</smbconfoption>
	1286	<smbconfoption name="disable spoolss">Yes</smbconfoption>
	1287	<smbconfoption name="show add printer wizard">No</smbconfoption>
	1288	<smbconfoption name="printing">cups</smbconfoption>
	1289
	1290	<smbconfsection name="[files]"/>
	1291	<smbconfoption name="comment">Work area files</smbconfoption>
	1292	<smbconfoption name="path">/data/%U</smbconfoption>
	1293	<smbconfoption name="read only">No</smbconfoption>
	1294
	1295	<smbconfsection name="[master]"/>
	1296	<smbconfoption name="comment">Master work area files</smbconfoption>
	1297	<smbconfoption name="path">/data</smbconfoption>
	1298	<smbconfoption name="valid users">alan</smbconfoption>
	1299	<smbconfoption name="read only">No</smbconfoption>
	1300
	1301	<smbconfsection name="[printers]"/>
	1302	<smbconfoption name="comment">Print Temporary Spool Configuration</smbconfoption>
	1303	<smbconfoption name="path">/var/spool/samba</smbconfoption>
	1304	<smbconfoption name="printable">Yes</smbconfoption>
	1305	<smbconfoption name="guest ok">Yes</smbconfoption>
	1306	<smbconfoption name="use client driver">Yes</smbconfoption>
	1307	<smbconfoption name="browseable">No</smbconfoption>
	1308	</smbconfblock>
	1309	</example>
	1310
	1311	</sect3>
	1312	</sect2>
	1313	</sect1>
	1314
	1315	<sect1>
	1316	<title>Questions and Answers</title>
	1317
	1318	<para>
	1319	The following questions and answers draw from the examples in this chapter.
	1320	Many design decisions are impacted by the configurations chosen. The intent
	1321	is to expose some of the hidden implications.
	1322	</para>
	1323
	1324	<qandaset defaultlabel="chap02qa" type="number">
	1325	<qandaentry>
	1326	<question>
	1327
	1328	<para>
	1329	What makes an anonymous Samba server more simple than a non-anonymous Samba server?
	1330	</para>
	1331
	1332	</question>
	1333	<answer>
	1334
	1335	<para>
	1336	In the anonymous server, the only account used is the <constant>guest</constant> account.
	1337	In a non-anonymous configuration, it is necessary to add real user accounts to both the
	1338	UNIX system and to the Samba configuration. Non-anonymous servers require additional
	1339	administration.
	1340	</para>
	1341
	1342	</answer>
	1343	</qandaentry>
	1344
	1345	<qandaentry>
	1346	<question>
	1347
	1348	<para>
	1349	How is the operation of the parameter <parameter>force user</parameter> different from
	1350	setting the root directory of the share SUID?
	1351	</para>
	1352
	1353	</question>
	1354	<answer>
	1355
	1356	<para>
	1357	The parameter <parameter>force user</parameter> causes all operations on the share to assume the UID
	1358	of the forced user. The new default GID that applies is the primary GID of the forced user.
	1359	This gives all users of this resource the actual privilege of the forced user.
	1360	</para>
	1361
	1362	<para>
	1363	When a directory is set SUID, the operating system forces files that are written within it
	1364	to be owned by the owner of the directory. While this happens, the user who is using the share
	1365	has only the level of privilege he or she is assigned within the operating system context.
	1366	</para>
	1367
	1368	<para>
	1369	The parameter <parameter>force user</parameter> has potential security implications that go
	1370	beyond the actual share root directory. Be careful and wary of using this parameter.
	1371	</para>
	1372
	1373	</answer>
	1374	</qandaentry>
	1375
	1376	<qandaentry>
	1377	<question>
	1378
	1379	<para>
	1380	When would you both use the per share parameter <parameter>force user</parameter> and set
	1381	the share root directory SUID?
	1382	</para>
	1383
	1384	</question>
	1385	<answer>
	1386
	1387	<para>
	1388	You would use both parameters when it is necessary to guarantee that all share handling operations
	1389	are conducted as the forced user, while all file and directory creation are done as the SUID
	1390	directory owner.
	1391	</para>
	1392
	1393	</answer>
	1394	</qandaentry>
	1395
	1396	<qandaentry>
	1397	<question>
	1398
	1399	<para>
	1400	What is better about CUPS printing than LPRng printing?
	1401	</para>
	1402
	1403	</question>
	1404	<answer>
	1405
	1406	<para>
	1407	CUPS is a print spooling system that has integrated remote management facilities, provides completely
	1408	automated print processing/preprocessing, and can be configured to automatically
	1409	apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the
	1410	target printer. CUPS includes an image file RIP that supports printing of image files to
	1411	non-PostScript printers. CUPS has lots of bells and whistles and is more like a supercharged MS Windows
	1412	NT/200x print monitor and processor. Its complexity can be eliminated or turbocharged to suit
	1413	any fancy.
	1414	</para>
	1415
	1416	<para>
	1417	The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print
	1418	spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng can be
	1419	configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd
	1420	spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
	1421	</para>
	1422
	1423	<para>
	1424	Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to
	1425	do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
	1426	</para>
	1427
	1428	</answer>
	1429	</qandaentry>
	1430
	1431	<qandaentry>
	1432	<question>
	1433
	1434	<para>
	1435	When should Windows client IP addresses be hard-coded?
	1436	</para>
	1437
	1438	</question>
	1439	<answer>
	1440
	1441	<para>
	1442	When there are few MS Windows clients, little client change, no mobile users, and users are not
	1443	inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows
	1444	client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove
	1445	user ability to access network configuration controls, fixed configuration eliminates the need
	1446	for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network
	1447	failure.
	1448	</para>
	1449
	1450	</answer>
	1451	</qandaentry>
	1452
	1453	<qandaentry>
	1454	<question>
	1455
	1456	<para>
	1457	Under what circumstances is it best to use a DHCP server?
	1458	</para>
	1459
	1460	</question>
	1461	<answer>
	1462
	1463	<para>
	1464	In network configurations where there are mobile users, or where Windows client PCs move around
	1465	(particularly between offices or between subnets), it makes complete sense to control all Windows
	1466	client configurations using a DHCP server. Additionally, when users do tamper with the network
	1467	settings, DHCP can be used to normalize all client settings.
	1468	</para>
	1469
	1470	<para>
	1471	One underappreciated benefit of using a DHCP server to assign all network client
	1472	device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
	1473	settings, change network addressing, or enhance the ability of client devices to
	1474	benefit from new network services.
	1475	</para>
	1476
	1477	<para>
	1478	Another benefit of modern DHCP servers is their ability to register dynamically
	1479	assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in
	1480	a large Windows network environment.
	1481	</para>
	1482
	1483	</answer>
	1484	</qandaentry>
	1485
	1486	<qandaentry>
	1487	<question>
	1488
	1489	<para>
	1490	What is the purpose of setting the parameter <parameter>guest ok</parameter> on a share?
	1491	</para>
	1492
	1493	</question>
	1494	<answer>
	1495
	1496	<para>
	1497	If this parameter is set to yes for a service, then no password is required to connect to the service.
	1498	Privileges are those of the guest account.
	1499	</para>
	1500
	1501	</answer>
	1502	</qandaentry>
	1503
	1504	<qandaentry>
	1505	<question>
	1506
	1507	<para>
	1508	When would you set the global parameter <parameter>disable spoolss</parameter>?
	1509	</para>
	1510
	1511	</question>
	1512	<answer>
	1513
	1514	<para>
	1515	Setting this parameter to <constant>Yes</constant> disables Samba's support for the SPOOLSS set of
	1516	MS-RPCs and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to
	1517	using LanMan style printing commands. Windows 9x/Me are unaffected by the parameter. However, this
	1518	disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer
	1519	Wizard or by using the NT printer properties dialog window. It also disables the capability of
	1520	Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about
	1521	setting this parameter.
	1522	</para>
	1523
	1524	<para>
	1525	The alternate parameter <parameter>use client driver</parameter> applies only to Windows NT/200x clients. It has no
	1526	effect on Windows 95/98/Me clients. When serving a printer to Windows NT/200x clients without first installing a valid
	1527	printer driver on the Samba host, the client is required to install a local printer driver. From this point on,
	1528	the client treats the printer as a local printer and not a network printer connection. This is much the same behavior
	1529	that occurs when <parameter>disable spoolss = yes</parameter>.
	1530	</para>
	1531
	1532	<para>
	1533	Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client
	1534	considers the printer to be local, it attempts to issue the <parameter>OpenPrinterEx()</parameter> call requesting
	1535	access rights associated with the logged on user. If the user possesses local administrator rights but not root
	1536	privilege on the Samba host (often the case), the <parameter>OpenPrinterEx()</parameter> call fails. The result is
	1537	that the client now displays an <quote>Access Denied; Unable to connect</quote> message in the printer queue window
	1538	(even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid
	1539	print driver installed on the Samba server.
	1540	</para>
	1541
	1542	</answer>
	1543	</qandaentry>
	1544
	1545	<qandaentry>
	1546	<question>
	1547
	1548	<para>
	1549	Why would you disable password caching on Windows 9x/Me clients?
	1550	</para>
	1551
	1552	</question>
	1553	<answer>
	1554
	1555	<para>
	1556	Windows 9x/Me workstations that are set at default (password caching enabled) store the username and
	1557	password in files located in the Windows master directory. Such files can be scavenged (read off a client
	1558	machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed.
	1559	It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
	1560	</para>
	1561
	1562	</answer>
	1563	</qandaentry>
	1564
	1565	<qandaentry>
	1566	<question>
	1567
	1568	<para>
	1569	The example of Abmas Accounting uses User Mode security. How does this provide anonymous access?
	1570	</para>
	1571
	1572	</question>
	1573	<answer>
	1574
	1575	<para>
	1576	The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional,
	1577	and given that users are logging onto their machines, by default the client attempts to connect to
	1578	a remote server using currently logged in user credentials. By ensuring that the user's login ID and
	1579	password are the same as those set on the Samba server, access is transparent and does not require
	1580	separate user authentication.
	1581	</para>
	1582
	1583	</answer>
	1584	</qandaentry>
	1585
	1586	</qandaset>
	1587
	1588	</sect1>
	1589
	1590	</chapter>
	1591

Note: See TracBrowser for help on using the repository browser.

Download in other formats: