<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="small">
<title>Small Office Networking</title>

<para>
<link linkend="simple"/> focused on the basics of simple yet effective
network solutions. Network administrators who take pride in their work
(that's most of us, right?) take care to deliver what our users want,
but not too much more. If we make things too complex, we confound our users
and increase costs of network ownership. A professional network manager
avoids the temptation to put too much pizazz into the way that the network
operates. Some creativity is helpful, but keep it under control &smbmdash;
good advice that the following two scenarios illustrate.
</para>

<para>
<indexterm><primary>Netware</primary></indexterm>
In one case the network administrator of a mid-sized company spent three
months building a new network to replace an old Netware server. What he
delivered had all the bells and whistles he could muster. There were a
few teething problems during the changeover, nothing serious but a little
disruptive all the same. Users were exposed to many changes at once. The
network administrator was asked to resign two months after implementing
the new system because so many staff complained they had lost time and
were not happy with the new network. Everything was automated, and he
delivered more features than any advanced user could think of. He was
just too smart for his own good.
</para>

<para>
In the case of the other company, a new network manager was appointed
to oversee the replacement of a LanTastic network with an MS Windows
NT 4.0 network. He had the replacement installed and operational within
two weeks. Before installation and changeover, he called a meeting to
explain to all users what was going to happen, how it would affect them,
and that he would be available 24 hours a day to help them transition.
One week after conversion, he held another meeting asking for cooperation
in the introduction of a few new features that would help to make life
easier. Network users were thrilled with the help he provided. The network
he implemented was nowhere near as complex as in the first example, had fewer
features, and yet he had happy users. Months later he was still adding
new innovations. He always asked the users if a
particular feature was what they wanted. He asked his boss for a raise
and got it. He often told me, <quote>Always keep a few new tricks up your
sleeves for when you need them.</quote> Was he smart? You decide. Let's
get on with our next exercise.
</para>

<sect1>
<title>Introduction</title>

<para>
Abmas Accounting has grown. Mr. Meany likes you and says he knew you
were the right person for the job. That's why he asked you to install the
new server. The past few months have been hard work. You advised Mr. Meany
that it is time for a change. Abmas now has 52 users, having acquired an
investment consulting business recently. The new users were added to the
network without any problems.
</para>

<para>
Some of the Windows clients are nearly past their use-by date. You found damaged and unusable software on
some of the workstations that came with the acquired business and found some machines in need of both
hardware and software maintenance.
</para>

<sect2>
<title>Assignment Tasks</title>

<para>
<indexterm><primary>Windows XP</primary></indexterm>
Mr. Meany is retiring in 12 months. Before he goes, he wants you to help ensure
that the business is running efficiently. Many of the new staff want notebook
computers. They visit customer business premises and need to use local network
facilities; these users are technically competent. The company uses a
business application that requires Windows XP Professional. In short, a complete
client upgrade is about to happen. Mr. Meany told you that he is working
on another business acquisition and that by the time he retires there will be
80 to 100 users.
</para>

<para>
Mr. Meany is not concerned about security. He wants to make it easier for
staff to do their work. He has hired you to help him appoint a full-time
network manager before he retires. Above all, he says he is investing in
the ability to grow. He is determined to live his lifelong dream and
hand the business over to a bright and capable executive who can make
things happen. This means your network design must cope well with
growth.
</para>

<para>
In a few months, Abmas will require an Internet connection for email and so
that staff can easily obtain software updates. Mr. Meany is warming up to
the installation of antivirus software but is not yet ready to approve
this expense. He told you to spend the money a virus scanner costs
on better quality notebook computers for mobile users.
</para>

<para>
One of Mr. Meany's golfing partners convinced him to buy new laser
printers, one black only, the other a color laser printer. Staff support
the need for a color printer so they can present more attractive proposals
and reports.
</para>

<para>
Mr. Meany also asked if it would be possible for one of the staff to manage
user accounts from the Windows desktop. That person will be responsible for
basic operations.
</para>

</sect2>
</sect1>

<sect1>
<title>Dissection and Discussion</title>

<para>
What are the key requirements in this business example? A quick review indicates
a need for
</para>

<itemizedlist>
<listitem><para>
Scalability, from 52 to over 100 users in 12 months
</para></listitem>

<listitem><para>
Mobile computing capability
<indexterm><primary>mobile computing</primary></indexterm>
</para></listitem>

<listitem><para>
Improved reliability and usability
</para></listitem>

<listitem><para>
Easier administration
</para></listitem>
</itemizedlist>

<para>
In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2 server
(as in <link linkend="AccountingOffice"/>).
</para>

<sect2>
<title>Technical Issues</title>

<para>
<indexterm><primary>smbpasswd</primary></indexterm>
<indexterm><primary>DHCP</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
<indexterm><primary>WINS</primary></indexterm>
<indexterm><primary>Domain</primary></indexterm>
It is time to implement a domain security environment. You will use the
<constant>smbpasswd</constant> (default) backend. You should implement a DHCP server. There is no need to
run DNS at this time, but the system will use WINS. The domain name will be
<constant>BILLMORE</constant>. This time, the name of the server will be <constant>SLEETH</constant>.
</para>

<para>
All printers will be configured as DHCP clients. The DHCP server will assign
the printer a fixed IP address by way of its Ethernet interface (MAC) address.
See <link linkend="dhcp01"/>.
</para>

<note><para>
The &smb.conf; file you are creating in this exercise can be used with equal effectiveness
with Samba-2.2.x series releases. This is deliberate so that in the next chapter it is
possible to start with the installation that you have created here, migrate it
to a Samba-3 configuration, and then secure the system further. Configurations following
this one utilize features that may not be supported in Samba-2.2.x releases.
However, you should note that the examples in each chapter start with the assumption
that a fresh new installation is being effected.
</para></note>

<para>
Later on, when the Internet connection is implemented, you will add DNS as well as
other enhancements. It is important that you plan accordingly.
</para>

<para>
<indexterm><primary>Ethernet switch</primary></indexterm>
You have split the network into two separate areas. Each has its own Ethernet switch.
There are 20 users on the accounting network and 32 users on the financial services
network. The server has two network interfaces, one serving each network. The
network printers will be located in a central area. You plan to install the new
printers and keep the old printer in use also.
</para>

<para>
You will provide separate file storage areas for each business entity. The old system
will go away, accounting files will be handled under a single directory, and files will
be stored under customer name, not under a personal work area. Staff will be made
responsible for file location, so the old share point must be maintained.
</para>

<para>
Given that DNS will not be used, you will configure WINS name resolution for UNIX
hostname resolution.
</para>

<para>
<indexterm><primary>Domain</primary><secondary>groups</secondary></indexterm>
<indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
It is necessary to map Windows Domain Groups to UNIX groups. It is
advisable to also map Windows Local Groups to UNIX groups. Additionally, the two
key staff groups in the firm are accounting staff and financial services staff.
For these, it is necessary to create UNIX groups as well as Windows Domain Groups.
</para>

<para>
In the sample &smb.conf; file, you have configured Samba to call the UNIX
<command>groupadd</command> to add group entries. This utility does not permit
the addition of group names that contain uppercase characters or spaces. This
is considered a bug. The <command>groupadd</command> is part of the
<command>shadow-utils</command> open source software package. A later release
of this package may have been patched to resolve this bug. If your operating
platform has this bug, it means that attempts to add a Windows Domain Group that
has either a space or uppercase characters in it will fail. See
<emphasis>TOSHARG2</emphasis>, Chapter 11, Section 11.3.1, Example 11.1, for
more information.
</para>

<para>
<indexterm><primary>CUPS</primary></indexterm>
Vendor-supplied printer drivers will be installed on each client. The CUPS print
spooler on the UNIX host will be operated in <constant>raw</constant> mode.
</para>

</sect2>

<sect2>
<title>Political Issues</title>

<para>
Mr. Meany is an old-school manager. He sets the rules and wants to see compliance.
He is willing to spend money on things he believes are of value. You need more
time to convince him of real priorities.
</para>

<para>
Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be
supplied with antivirus software? Above all, demonstrate good purchase value and remember
to make your users happy.
</para>

</sect2>

</sect1>

<sect1>
<title>Implementation</title>

<para>
<indexterm><primary>migration</primary></indexterm>
In this example, the assumption is made that this server is being configured from a clean start.
The alternate approach could be to demonstrate the migration of the system that is documented
in <link linkend="AcctgNet"/> to meet the new requirements. The decision to treat this case, as with
future examples, as a new installation is based on the premise that you can determine
the migration steps from the information provided in <link linkend="ntmigration"/>.
Additionally, a fresh installation makes the example easier to follow.
</para>

<para>
<indexterm><primary>group membership</primary></indexterm>
Each user will be given a home directory on the UNIX system, which will be available as a private
share. Two additional shares will be created, one for the accounting department and the other for
the financial services department. Network users will be given access to these shares by way
of group membership.
</para>

<para>
<indexterm><primary>UNIX</primary><secondary>groups</secondary></indexterm>
UNIX group membership is the primary mechanism by which Windows Domain users will be granted
rights and privileges within the Windows environment.
</para>

<para>
<indexterm><primary>sticky bit</primary></indexterm>
The user <command>alanm</command> will be made the owner of all files. This will be preserved
by setting the sticky bit (set UID/GID) on the top-level directories.
</para>

<para>
<figure id="acct2net">
<title>Abmas Accounting &smbmdash; 52-User Network Topology</title>
<imagefile scale="100">acct2net</imagefile>
</figure>
</para>

<procedure>
<title>Server Installation Steps</title>

<step><para>
Using UNIX/Linux system tools, name the server <constant>sleeth</constant>.
</para></step>

<step><para>
<indexterm><primary>/etc/hosts</primary></indexterm>
Place an entry for the machine <constant>sleeth</constant> in the <filename>/etc/hosts</filename> file.
The printers are network attached, so there should be entries for the
network printers also. An example <filename>/etc/hosts</filename> file is shown here:
<screen>
192.168.1.1     sleeth sleeth1
192.168.2.1     sleeth2
192.168.1.10    hplj6
192.168.1.11    hplj4
192.168.2.10    qms
</screen>
</para></step>

<step><para>
Install the Samba-3 binary RPM from the Samba-Team FTP site.
</para></step>

<step><para>
Install the ISC DHCP server using the UNIX/Linux system tools available to you.
</para></step>

<step><para>
<indexterm><primary>/etc/rc.d/rc.local</primary></indexterm>
<indexterm><primary>IP forwarding</primary></indexterm>
<indexterm><primary>router</primary></indexterm>
<indexterm><primary>/proc/sys/net/ipv4/ip_forward</primary></indexterm>
Because Samba will be operating over two network interfaces and clients on each side
may want to be able to reach clients on the other side, it is imperative that IP forwarding
is enabled. Use the system tool of your choice to enable IP forwarding. In the
absence of such a tool on the Linux system, add to the <filename>/etc/rc.d/rc.local</filename>
file an entry as follows:
<screen>
echo 1 > /proc/sys/net/ipv4/ip_forward
</screen>
This causes the Linux kernel to forward IP packets so that it acts as a router.
</para></step>

<step><para>
Install the &smb.conf; file as shown in <link linkend="acct2conf"/> and
<link linkend="acct3conf"/>. Combine these two examples to form a single
<filename>/etc/samba/smb.conf</filename> file.
</para></step>

<step><para>
<indexterm><primary>smbpasswd</primary></indexterm>
Add the user <command>root</command> to the Samba password backend:
<screen>
&rootprompt; smbpasswd -a root
New SMB password: XXXXXXX
Retype new SMB password: XXXXXXX
&rootprompt;
</screen>
<indexterm><primary>administrator</primary></indexterm>
This is the Windows Domain Administrator password. Never delete this account from
the password backend after Windows Domain Groups have been initialized. If you delete
this account, your system is crippled. You cannot restore this account,
and your Samba server can no longer be administered.
</para></step>

<step><para>
<indexterm><primary>username map</primary></indexterm>
Create the username map file to permit the <constant>root</constant> account to be called
<constant>Administrator</constant> from the Windows network environment. To do this, create
the file <filename>/etc/samba/smbusers</filename> with the following contents:
<screen>
####
# User mapping file
####
# File Format
# -----------
# Unix_ID = Windows_ID
#
# Examples:
# root = Administrator
# janes = "Jane Smith"
# jimbo = Jim Bones
#
# Note: If the name contains a space it must be double quoted.
#       In the example above the name 'jimbo' will be mapped to Windows
#       user names 'Jim' and 'Bones' because the space was not quoted.
#######################################################################
root = Administrator
####
# End of File
####
</screen>
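The quoting rule in the file's own comment block is easy to get wrong, and a wrong
map silently grants or withholds the Administrator identity. The following script is
an added example, not part of the book and not Samba's own parser: it resolves a
Windows name through a map file of the form shown above so that a map can be tested
before <command>smbd</command> is restarted. The sample map file it builds is
constructed for the demonstration; the function name <command>map_windows_user</command>
is this example's own.

```shell
#!/bin/sh
# Added example, not part of the book: resolve a Windows user name through a
# Samba username map file of the "Unix_ID = Windows_ID ..." form shown above.
# Assumption: one mapping per line, names on the right separated by blanks,
# and a name containing a space must be double quoted (as the file's own
# comment states).

# Constructed sample map (not the book's /etc/samba/smbusers). The last
# mapping reproduces the unquoted-space pitfall from the file's comment block.
SAMPLE_MAP=$(mktemp)
printf '%s\n' \
  '# User mapping file (constructed sample)' \
  'root = Administrator admin' \
  'janes = "Jane Smith"' \
  'jimbo = Jim Bones' \
  '' > "$SAMPLE_MAP"

# map_windows_user FILE NAME
# Prints the UNIX account that NAME maps to, or nothing when it is unmapped.
# Windows names are compared case-insensitively.
map_windows_user() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      unixid = substr($0, 1, eq - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", unixid)
      rest = substr($0, eq + 1)
      # Tokenise the right-hand side: a double-quoted string is one name,
      # anything else splits on blanks.
      while (length(rest) > 0) {
        sub(/^[ \t]+/, "", rest)
        if (length(rest) == 0) break
        if (substr(rest, 1, 1) == "\"") {
          cq = index(substr(rest, 2), "\"")
          if (cq == 0) { name = substr(rest, 2); rest = "" }
          else { name = substr(rest, 2, cq - 1); rest = substr(rest, cq + 2) }
        } else {
          n = match(rest, /[ \t]/)
          if (n == 0) { name = rest; rest = "" }
          else { name = substr(rest, 1, n - 1); rest = substr(rest, n) }
        }
        if (tolower(name) == want) { print unixid; exit }
      }
    }' "$1"
}

# Demonstration: prints "janes", then "jimbo" (the bare name Jim matches),
# then nothing, because "Jim Bones" was never quoted and so is not one name.
map_windows_user "$SAMPLE_MAP" "Jane Smith"
map_windows_user "$SAMPLE_MAP" Jim
map_windows_user "$SAMPLE_MAP" "Jim Bones"
```

Point the function at the real <filename>/etc/samba/smbusers</filename> and the name a
Windows client will present; an empty result for <constant>Administrator</constant>
means the map is not doing what the step above requires.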
</para></step>

<step><para>
<indexterm><primary>initGrps.sh</primary></indexterm>
Create and map Windows Domain Groups to UNIX groups. A sample script is provided in
<link linkend="initGrps"/>. Create a file containing this script. We called ours
<filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed,
and then execute the script. Sample output should be as follows:

<example id="initGrps">
<title>Script to Map Windows NT Groups to UNIX Groups</title>
<indexterm><primary>initGrps.sh</primary></indexterm>
<screen>
#!/bin/bash
#
# initGrps.sh
#

# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs

# Map Windows Domain Groups to UNIX groups
net groupmap add ntgroup="Domain Admins"  unixgroup=root type=d
net groupmap add ntgroup="Domain Users"   unixgroup=users type=d
net groupmap add ntgroup="Domain Guests"  unixgroup=nobody type=d

# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept"  unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
</screen>
</example>

<screen>
&rootprompt; chmod 755 initGrps.sh
&rootprompt; cd /etc/samba
&rootprompt; ./initGrps.sh
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
Successfully added group Accounts Dept to the mapping db
No rid or sid specified, choosing algorithmic mapping
Successfully added group Financial Services to the mapping db

&rootprompt; cd /etc/samba
&rootprompt; net groupmap list | sort
Account Operators (S-1-5-32-548) -> -1
Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
</screen>
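Two things can go wrong at this step: the <command>groupadd</command> limitation described
under Technical Issues (names with spaces or uppercase letters are refused) and a
<command>net groupmap add</command> that quietly leaves a group at <constant>-1</constant>.
Because file system access in this design rests entirely on these mappings, it is worth
checking both before any user is added. The script below is an added example, not the
book's <filename>initGrps.sh</filename> and not a Samba tool: it validates candidate UNIX
group names and parses saved <command>net groupmap list</command> output in the format
shown above. The name pattern it enforces and the sample listing it builds are this
example's own assumptions; the function names are likewise its own.

```shell
#!/bin/sh
# Added example, not the book's initGrps.sh: two checks around the group step.

# 1. UNIX group name check. Assumption: the platform's groupadd only accepts
#    names of the form [a-z_][a-z0-9_-]*, i.e. no spaces and no uppercase,
#    which is the limitation the text describes (newer shadow-utils releases
#    may accept more). Returns 0 when NAME can be created.
valid_unix_group_name() {
  case "$1" in
    '') return 1 ;;
    *[!a-z0-9_-]*) return 1 ;;   # any character outside the allowed set
    [0-9-]*) return 1 ;;          # must start with a letter or underscore
  esac
  return 0
}

# 2. Parse saved "net groupmap list" output. Constructed sample below, in the
#    format printed by the session above.
SAMPLE_GROUPMAP=$(mktemp)
printf '%s\n' \
  'Account Operators (S-1-5-32-548) -> -1' \
  'Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep' \
  'Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root' \
  'Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody' \
  'Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users' \
  'Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs' \
  'Users (S-1-5-32-545) -> -1' > "$SAMPLE_GROUPMAP"

# groupmap_unix_for FILE NTGROUP: print the UNIX group NTGROUP maps to.
groupmap_unix_for() {
  awk -v want="$2" '
    {
      p = index($0, " (S-"); a = index($0, " -> ")
      if (p == 0 || a == 0) next
      if (substr($0, 1, p - 1) == want) { print substr($0, a + 4); exit }
    }' "$1"
}

# groupmap_unmapped FILE: print NT groups still mapped to -1 (no UNIX group).
groupmap_unmapped() {
  awk '{
      p = index($0, " (S-"); a = index($0, " -> ")
      if (p == 0 || a == 0) next
      if (substr($0, a + 4) == "-1") print substr($0, 1, p - 1)
    }' "$1"
}

# missing_required_mappings FILE NTGROUP... : print how many of the named
# NT groups are absent from the list or unmapped. Run it after initGrps.sh
# to confirm the functional groups the shares depend on really exist.
missing_required_mappings() {
  file=$1; shift
  n=0
  for g in "$@"; do
    u=$(groupmap_unix_for "$file" "$g")
    if [ -z "$u" ] || [ "$u" = "-1" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Demonstration: prints 0, all three required groups are mapped.
missing_required_mappings "$SAMPLE_GROUPMAP" 'Domain Admins' 'Accounts Dept' 'Financial Services'
```

On the live server, feed <command>net groupmap list</command> output to the functions
instead of the sample file; a nonzero count from
<command>missing_required_mappings</command> means a share will be unreachable for the
group concerned.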
</para></step>

<step><para>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>password</primary><secondary>backend</secondary></indexterm>
<indexterm><primary>smbpasswd</primary></indexterm>
For each user who needs to be given a Windows Domain account, make an entry in the
<filename>/etc/passwd</filename> file as well as in the Samba password backend.
Use the system tool of your choice to create the UNIX system accounts, and use the Samba
<command>smbpasswd</command> program to create the Domain user accounts.
</para>

<para>
<indexterm><primary>useradd</primary></indexterm>
<indexterm><primary>adduser</primary></indexterm>
<indexterm><primary>user</primary><secondary>management</secondary></indexterm>
There are a number of tools for user management under UNIX, such as
<command>useradd</command> and <command>adduser</command>, as well as a plethora of custom
tools. With the tool of your choice, create a home directory for each user.
</para></step>

<step><para>
Using the preferred tool for your UNIX system, add each user to the UNIX groups created
previously, as necessary. File system access control will be based on UNIX group membership.
</para></step>

<step><para>
Create the directory mount point for the disk subsystem that is mounted to provide
data storage for company files. In this case the mount point indicated in the &smb.conf;
file is <filename>/data</filename>. Format the file system as required, mount the formatted
file system partition using <command>mount</command>,
and make the appropriate changes in <filename>/etc/fstab</filename>.
</para></step>

<step><para>
Create the top-level file storage directories as follows:
<screen>
&rootprompt; mkdir -p /data/{accounts,finsvcs}
&rootprompt; chown -R root:root /data
&rootprompt; chown -R alanm:acctsdep /data/accounts
&rootprompt; chown -R alanm:finsrvcs /data/finsvcs
&rootprompt; chmod -R ug+rwx,o+rx-w /data
</screen>
Each department is responsible for creating its own directory structure within its
share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>.
The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>.
</para></step>

<step><para>
Configure the printers with the IP addresses as shown in <link linkend="acct2net"/>.
Follow the instructions in the manufacturers' manuals to permit printing to port 9100.
This allows the CUPS spooler to print using raw mode protocols.
<indexterm><primary>CUPS</primary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
</para></step>

<step><para>
<indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm>
<indexterm><primary>lpadmin</primary></indexterm>
Configure the CUPS Print Queues as follows:
<screen>
&rootprompt; lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
&rootprompt; lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
&rootprompt; lpadmin -p qms -v socket://192.168.2.10:9100 -E
</screen>
<indexterm><primary>print filter</primary></indexterm>
This creates the necessary print queues with no assigned print filter.
</para></step>

<step><para>
<indexterm><primary>mime type</primary></indexterm>
<indexterm><primary>/etc/mime.convs</primary></indexterm>
<indexterm><primary>application/octet-stream</primary></indexterm>
Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line:
<screen>
application/octet-stream     application/vnd.cups-raw      0     -
</screen>
</para></step>

<step><para>
<indexterm><primary>/etc/mime.types</primary></indexterm>
Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line:
<screen>
application/octet-stream
</screen>
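The two edits above are the whole of what turns the queues created with
<command>lpadmin</command> into raw queues, and they are the edits most often lost when
a CUPS package update replaces the files. The script below is an added example, not
from the book or the CUPS project: it makes the edit idempotently so that it can be
rerun from a post-install script, and it provides a check that reports whether the
entry is active. It assumes the disabled entry is a single line beginning with
<constant>#application/octet-stream</constant>, which is how the stock files of the period
ship it; the excerpts it builds are constructed, not real CUPS files.

```shell
#!/bin/sh
# Added example, not from the book or CUPS: make the raw-mode edits to
# mime.convs and mime.types repeatable and verifiable. Assumption: the file
# carries the entry as one line beginning with "#application/octet-stream"
# while disabled.

# enable_raw_mime FILE: uncomment the application/octet-stream entry.
# Idempotent, so it can sit in a post-install script and run on every host.
enable_raw_mime() {
  tmp="$1.tmp.$$"
  awk '
    /^#[ \t]*application\/octet-stream/ { sub(/^#[ \t]*/, "") }
    { print }' "$1" > "$tmp"
  mv "$tmp" "$1"
}

# raw_mime_enabled FILE: succeed when an active (uncommented) entry exists.
raw_mime_enabled() {
  grep -q '^application/octet-stream' "$1"
}

# Constructed excerpts of the two CUPS files, with the entries still disabled.
SAMPLE_CONVS=$(mktemp)
printf '%s\n' \
  '# mime.convs (constructed excerpt)' \
  'application/pdf     application/postscript      33    pdftops' \
  '#application/octet-stream     application/vnd.cups-raw      0     -' > "$SAMPLE_CONVS"
SAMPLE_TYPES=$(mktemp)
printf '%s\n' \
  '# mime.types (constructed excerpt)' \
  'application/pdf        pdf' \
  '#application/octet-stream' > "$SAMPLE_TYPES"

# Demonstration: both files start disabled and end enabled; running the edit
# a second time changes nothing.
enable_raw_mime "$SAMPLE_CONVS"
enable_raw_mime "$SAMPLE_TYPES"
enable_raw_mime "$SAMPLE_TYPES"
```

Run the two functions against <filename>/etc/cups/mime.convs</filename> and
<filename>/etc/cups/mime.types</filename> on the server, then restart CUPS as in the
later step; a <constant>raw_mime_enabled</constant> check that fails after an update is
the usual reason raw jobs stop printing.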
</para></step>

<step><para>
<indexterm><primary>DHCP Server</primary></indexterm>
Using your favorite system editor, create an <filename>/etc/dhcpd.conf</filename> with the
contents as shown in <link linkend="dhcp01"/>.
<example id="dhcp01">
<title>Abmas Accounting DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title>
<indexterm><primary>/etc/dhcpd.conf</primary></indexterm>
<screen>
default-lease-time 86400;
max-lease-time 172800;

option ntp-servers 192.168.1.1;
option domain-name "abmas.biz";
option domain-name-servers 192.168.1.1, 192.168.2.1;
option netbios-name-servers 192.168.1.1, 192.168.2.1;
option netbios-node-type 8;
### NOTE ###
# netbios-node-type=8 means set clients to Hybrid Mode
#   so they will use Unicast communication with the WINS
#   server and thus reduce the level of UDP broadcast
#   traffic by up to 90%.
############

subnet 192.168.1.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.1.128 192.168.1.254;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  allow unknown-clients;
  host hplj4 {
    hardware ethernet 08:00:46:7a:35:e4;
    fixed-address 192.168.1.11;
  }
  host hplj6 {
    hardware ethernet 00:03:47:cb:81:e0;
    fixed-address 192.168.1.10;
  }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.2.128 192.168.2.254;
  option subnet-mask 255.255.255.0;
  option routers 192.168.2.1;
  allow unknown-clients;
  host qms {
    hardware ethernet 01:04:31:db:e1:c0;
    fixed-address 192.168.2.10;
  }
}
subnet 127.0.0.0 netmask 255.0.0.0 {
}
</screen>
</example>
|---|
| 592 | </para></step> | 
|---|
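Host reservations in <filename>/etc/dhcpd.conf</filename> are easy to get wrong by hand: a <constant>fixed-address</constant> that duplicates another reservation, or that does not belong to the subnet block it is written in, is a mistake the configuration syntax itself does not prevent. The following is an added example, not code from the book or from the Samba or ISC projects: a small Python checker for the subset of dhcpd syntax used in the file above (subnet blocks, ranges, host declarations). The sample configuration it embeds is a constructed copy of the chapter's subnet and host declarations with the unrelated option lines left out; run against it, the checker reports the <constant>qms</constant> reservation, whose address duplicates that of <constant>hplj4</constant> and is outside 192.168.2.0/24.

```python
"""Sanity checks for the host reservations in an ISC dhcpd.conf fragment.

Added example, not from the Samba book. Handles the subset of the syntax the
chapter uses: `subnet A netmask M { ... }` blocks, `range [dynamic-bootp] LO HI;`
and `host NAME { hardware ethernet MAC; fixed-address IP; }`. Other
statements are parsed past and ignored.
"""
import ipaddress
import re

# Constructed sample: the subnets and reservations from the chapter's
# /etc/dhcpd.conf, with the unrelated option lines left out.
SAMPLE_CONF = """
default-lease-time 86400;
max-lease-time 172800;
option netbios-node-type 8;   # Hybrid mode: WINS first, then broadcast

subnet 192.168.1.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.1.128 192.168.1.254;
  option routers 192.168.1.1;
  host hplj4 { hardware ethernet 08:00:46:7a:35:e4; fixed-address 192.168.1.10; }
  host hplj6 { hardware ethernet 00:03:47:cb:81:e0; fixed-address 192.168.1.11; }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.2.128 192.168.2.254;
  option routers 192.168.2.1;
  host qms { hardware ethernet 01:04:31:db:e1:c0; fixed-address 192.168.1.10; }
}
subnet 127.0.0.0 netmask 255.0.0.0 {
}
"""

TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")


def tokenize(text):
    """Drop # comments and split the text into '{', '}', ';' and bare words."""
    return TOKEN_RE.findall(re.sub(r"#[^\n]*", "", text))


def _record(stmt, stack):
    """Store a range / hardware / fixed-address statement in the innermost block."""
    if not stmt or not stack:
        return
    kind, block = stack[-1]
    if kind == "subnet" and stmt[0] == "range":
        lo, hi = stmt[-2], stmt[-1]          # an optional dynamic-bootp flag precedes them
        block["ranges"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    elif kind == "host" and stmt[:2] == ["hardware", "ethernet"]:
        block["mac"] = stmt[2].lower()       # compare MACs case-insensitively
    elif kind == "host" and stmt[0] == "fixed-address":
        block["ip"] = ipaddress.ip_address(stmt[1])


def parse(text):
    """Return (subnets, hosts); each host remembers the subnet block it was declared in."""
    subnets, hosts, stack, stmt = [], [], [], []
    for tok in tokenize(text):
        if tok == "{":
            if stmt[:1] == ["subnet"] and len(stmt) >= 4:
                net = ipaddress.ip_network(f"{stmt[1]}/{stmt[3]}", strict=False)
                block = {"net": net, "ranges": []}
                subnets.append(block)
                stack.append(("subnet", block))
            elif stmt[:1] == ["host"] and len(stmt) >= 2:
                enclosing = next((b for k, b in reversed(stack) if k == "subnet"), None)
                block = {"name": stmt[1], "mac": None, "ip": None,
                         "subnet": enclosing["net"] if enclosing else None}
                hosts.append(block)
                stack.append(("host", block))
            else:
                stack.append(("other", None))
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            _record(stmt, stack)
            stmt = []
        else:
            stmt.append(tok)
    return subnets, hosts


def check(text):
    """Return sorted findings: duplicate IPs/MACs, addresses outside their subnet or inside a dynamic range."""
    subnets, hosts = parse(text)
    findings, seen_ip, seen_mac = [], {}, {}
    for h in hosts:
        name, ip, mac = h["name"], h["ip"], h["mac"]
        if ip is None or mac is None:
            findings.append(f"{name}: missing hardware ethernet or fixed-address")
            continue
        if ip in seen_ip:
            findings.append(f"{name}: fixed-address {ip} already reserved for {seen_ip[ip]}")
        seen_ip.setdefault(ip, name)
        if mac in seen_mac:
            findings.append(f"{name}: MAC {mac} already used by {seen_mac[mac]}")
        seen_mac.setdefault(mac, name)
        if h["subnet"] is not None and ip not in h["subnet"]:
            findings.append(f"{name}: fixed-address {ip} is outside enclosing subnet {h['subnet']}")
        for sub in subnets:
            for lo, hi in sub["ranges"]:
                if lo <= ip <= hi:
                    findings.append(f"{name}: fixed-address {ip} lies inside dynamic range {lo}-{hi}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF) or ["no problems found"]:
        print(finding)
```

The checker only understands the statements it needs; it deliberately ignores options, lease times and anything else so that it can be pointed at a real file without choking on parameters it has not seen.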
| 593 |  | 
|---|
| 594 |  | 
|---|
| 595 | <step><para> | 
|---|
| 596 | Use the standard system tool to start Samba and CUPS and configure them to start | 
|---|
| 597 | automatically at every system reboot. For example, | 
|---|
| 598 | </para> | 
|---|
| 599 |  | 
|---|
| 600 | <para> | 
|---|
| 601 | <indexterm><primary>chkconfig</primary></indexterm> | 
|---|
| 602 | <indexterm><primary>starting dhcpd</primary></indexterm> | 
|---|
| 603 | <indexterm><primary>starting samba</primary></indexterm> | 
|---|
| 604 | <indexterm><primary>starting CUPS</primary></indexterm> | 
|---|
| 606 | <screen> | 
|---|
| 607 | &rootprompt; chkconfig dhcp on | 
|---|
| 608 | &rootprompt; chkconfig smb on | 
|---|
| 609 | &rootprompt; chkconfig cups on | 
|---|
| 610 | &rootprompt; /etc/rc.d/init.d/dhcp restart | 
|---|
| 611 | &rootprompt; /etc/rc.d/init.d/smb restart | 
|---|
| 612 | &rootprompt; /etc/rc.d/init.d/cups restart | 
|---|
| 613 | </screen> | 
|---|
| 614 | </para></step> | 
|---|
| 615 |  | 
|---|
| 616 | <step><para> | 
|---|
| 617 | <indexterm><primary>name service switch</primary></indexterm> | 
|---|
| 618 | <indexterm><primary>NSS</primary><see>name service switch</see></indexterm> | 
|---|
| 619 | <indexterm><primary>DNS</primary></indexterm> | 
|---|
| 620 | <indexterm><primary>DNS server</primary></indexterm> | 
|---|
| 621 | <indexterm><primary>WINS</primary></indexterm> | 
|---|
| 622 | <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> | 
|---|
| 623 | Configure the name service switch (NSS) to handle WINS-based name resolution. | 
|---|
| 624 | Since this system does not use a DNS server, it is safe to remove this option from | 
|---|
| 625 | the NSS configuration. Edit the <filename>/etc/nsswitch.conf</filename> file so that | 
|---|
| 626 | the <constant>hosts:</constant> entry looks like this: | 
|---|
| 627 | <screen> | 
|---|
| 628 | hosts:  files wins | 
|---|
| 629 | </screen> | 
|---|
| 630 | </para></step> | 
|---|
| 631 |  | 
|---|
| 632 | </procedure> | 
|---|
| 633 |  | 
|---|
| 634 | <example id="acct2conf"> | 
|---|
| 635 | <title>Accounting Office Network &smb.conf; File &smbmdash; [globals] Section</title> | 
|---|
| 636 | <smbconfblock> | 
|---|
| 637 | <smbconfcomment>Global parameters</smbconfcomment> | 
|---|
| 638 | <smbconfsection name="[global]"/> | 
|---|
| 639 | <smbconfoption name="workgroup">BILLMORE</smbconfoption> | 
|---|
| 640 | <smbconfoption name="passwd chat">*New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*</smbconfoption> | 
|---|
| 641 | <smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> | 
|---|
| 642 | <smbconfoption name="syslog">0</smbconfoption> | 
|---|
| 643 | <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> | 
|---|
| 644 | <smbconfoption name="printcap name">CUPS</smbconfoption> | 
|---|
| 645 | <smbconfoption name="show add printer wizard">No</smbconfoption> | 
|---|
| 646 | <smbconfoption name="add user script">/usr/sbin/useradd -m -G users '%u'</smbconfoption> | 
|---|
| 647 | <smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption> | 
|---|
| 648 | <smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption> | 
|---|
| 649 | <smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption> | 
|---|
| 650 | <smbconfoption name="add user to group script">/usr/sbin/usermod -A '%g' '%u'</smbconfoption> | 
|---|
| 651 | <smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption> | 
|---|
| 652 | <smbconfoption name="logon script">scripts\login.bat</smbconfoption> | 
|---|
| 653 | <smbconfoption name="logon path"> </smbconfoption> | 
|---|
| 654 | <smbconfoption name="logon drive">X:</smbconfoption> | 
|---|
| 655 | <smbconfoption name="domain logons">Yes</smbconfoption> | 
|---|
| 656 | <smbconfoption name="preferred master">Yes</smbconfoption> | 
|---|
| 657 | <smbconfoption name="wins support">Yes</smbconfoption> | 
|---|
| 658 | <smbconfoption name="printing">CUPS</smbconfoption> | 
|---|
| 659 | </smbconfblock> | 
|---|
| 660 | </example> | 
|---|
| 661 |  | 
|---|
| 662 | <example id="acct3conf"> | 
|---|
| 663 | <title>Accounting Office Network &smb.conf; File &smbmdash; Services and Shares Section</title> | 
|---|
| 664 | <smbconfblock> | 
|---|
| 665 | <smbconfsection name="[homes]"/> | 
|---|
| 666 | <smbconfoption name="comment">Home Directories</smbconfoption> | 
|---|
| 667 | <smbconfoption name="valid users">%S</smbconfoption> | 
|---|
| 668 | <smbconfoption name="read only">No</smbconfoption> | 
|---|
| 669 | <smbconfoption name="browseable">No</smbconfoption> | 
|---|
| 670 |  | 
|---|
| 671 | <smbconfsection name="[printers]"/> | 
|---|
| 672 | <smbconfoption name="comment">SMB Print Spool</smbconfoption> | 
|---|
| 673 | <smbconfoption name="path">/var/spool/samba</smbconfoption> | 
|---|
| 674 | <smbconfoption name="printable">Yes</smbconfoption> | 
|---|
| 675 | <smbconfoption name="guest ok">Yes</smbconfoption> | 
|---|
| 676 | <smbconfoption name="use client driver">Yes</smbconfoption> | 
|---|
| 677 | <smbconfoption name="browseable">No</smbconfoption> | 
|---|
| 678 |  | 
|---|
| 679 | <smbconfsection name="[netlogon]"/> | 
|---|
| 680 | <smbconfoption name="comment">Network Logon Service</smbconfoption> | 
|---|
| 681 | <smbconfoption name="path">/data/%U</smbconfoption> | 
|---|
| 682 | <smbconfoption name="valid users">%S</smbconfoption> | 
|---|
| 683 | <smbconfoption name="read only">No</smbconfoption> | 
|---|
| 684 |  | 
|---|
| 685 | <smbconfsection name="[accounts]"/> | 
|---|
| 686 | <smbconfoption name="comment">Accounting Files</smbconfoption> | 
|---|
| 687 | <smbconfoption name="path">/data/accounts</smbconfoption> | 
|---|
| 688 | <smbconfoption name="valid users">%G</smbconfoption> | 
|---|
| 689 | <smbconfoption name="read only">No</smbconfoption> | 
|---|
| 690 |  | 
|---|
| 691 | <smbconfsection name="[finsrvcs]"/> | 
|---|
| 692 | <smbconfoption name="comment">Financial Service Files</smbconfoption> | 
|---|
| 693 | <smbconfoption name="path">/data/finsrvcs</smbconfoption> | 
|---|
| 694 | <smbconfoption name="valid users">%G</smbconfoption> | 
|---|
| 695 | <smbconfoption name="read only">No</smbconfoption> | 
|---|
| 696 | </smbconfblock> | 
|---|
| 697 | </example> | 
|---|
| 698 |  | 
|---|
| 699 | <sect2> | 
|---|
| 700 | <title>Validation</title> | 
|---|
| 701 |  | 
|---|
| 702 | <para> | 
|---|
| 703 | Does everything function as it ought? That is the key question at this point. | 
|---|
| 704 | Here are some simple steps to validate your Samba server configuration. | 
|---|
| 705 | </para> | 
|---|
| 706 |  | 
|---|
| 707 | <procedure> | 
|---|
| 708 | <title>Validation Steps</title> | 
|---|
| 709 |  | 
|---|
| 710 | <step><para> | 
|---|
| 711 | <indexterm><primary>testparm</primary></indexterm> | 
|---|
| 712 | If your &smb.conf; file has bogus options or parameters, this may cause Samba | 
|---|
| 713 | to refuse to start. The first step should always be to validate the contents | 
|---|
| 714 | of this file by running: | 
|---|
| 715 | <screen> | 
|---|
| 716 | &rootprompt; testparm -s | 
|---|
| 717 | Load smb config files from smb.conf | 
|---|
| 718 | Processing section "[homes]" | 
|---|
| 719 | Processing section "[printers]" | 
|---|
| 720 | Processing section "[netlogon]" | 
|---|
| 721 | Processing section "[accounts]" | 
|---|
| 722 | Processing section "[service]" | 
|---|
| 723 | Loaded services file OK. | 
|---|
| 724 | # Global parameters | 
|---|
| 725 | [global] | 
|---|
| 726 | workgroup = BILLMORE | 
|---|
| 727 | passwd chat = *New*Password* \ | 
|---|
| 728 | %n\n *Re-enter*new*password* %n\n *Password*changed* | 
|---|
| 729 | username map = /etc/samba/smbusers | 
|---|
| 730 | syslog = 0 | 
|---|
| 731 | name resolve order = wins bcast hosts | 
|---|
| 732 | printcap name = CUPS | 
|---|
| 733 | show add printer wizard = No | 
|---|
| 734 | add user script = /usr/sbin/useradd -m -G users '%u' | 
|---|
| 735 | delete user script = /usr/sbin/userdel -r '%u' | 
|---|
| 736 | add group script = /usr/sbin/groupadd '%g' | 
|---|
| 737 | delete group script = /usr/sbin/groupdel '%g' | 
|---|
| 738 | add user to group script = /usr/sbin/usermod -A '%g' '%u' | 
|---|
| 739 | add machine script = /usr/sbin/useradd | 
|---|
| 740 | -s /bin/false -d /var/lib/nobody '%u' | 
|---|
| 741 | logon script = scripts\logon.bat | 
|---|
| 742 | logon path = | 
|---|
| 743 | logon drive = X: | 
|---|
| 744 | domain logons = Yes | 
|---|
| 745 | preferred master = Yes | 
|---|
| 746 | wins support = Yes | 
|---|
| 747 | ... | 
|---|
| 748 | ### Remainder cut to save space ### | 
|---|
| 749 | </screen> | 
|---|
| 750 | The inclusion of an invalid parameter (say one called dogbert) would generate an | 
|---|
| 751 | error as follows: | 
|---|
| 752 | <screen> | 
|---|
| 753 | Unknown parameter encountered: "dogbert" | 
|---|
| 754 | Ignoring unknown parameter "dogbert" | 
|---|
| 755 | </screen> | 
|---|
| 756 | Clear away all errors before proceeding, and start or restart samba as necessary. | 
|---|
| 757 | </para></step> | 
|---|
| 758 |  | 
|---|
| 759 | <step><para> | 
|---|
| 760 | <indexterm><primary>check samba daemons</primary></indexterm> | 
|---|
| 761 | <indexterm><primary>nmbd</primary></indexterm> | 
|---|
| 762 | <indexterm><primary>smbd</primary></indexterm> | 
|---|
| 763 | <indexterm><primary>winbindd</primary></indexterm> | 
|---|
| 764 | Check that the Samba server is running: | 
|---|
| 765 | <screen> | 
|---|
| 766 | &rootprompt; ps ax | grep mbd | 
|---|
| 767 | 14244 ?        S      0:00 /usr/sbin/nmbd -D | 
|---|
| 768 | 14245 ?        S      0:00 /usr/sbin/nmbd -D | 
|---|
| 769 | 14290 ?        S      0:00 /usr/sbin/smbd -D | 
|---|
| 770 |  | 
|---|
| 771 | &rootprompt; ps ax | grep winbind | 
|---|
| 772 | 14293 ?        S     0:00 /usr/sbin/winbindd -D | 
|---|
| 773 | 14295 ?        S     0:00 /usr/sbin/winbindd -D | 
|---|
| 774 | </screen> | 
|---|
| 775 | The <command>winbindd</command> daemon is running in split mode (normal), so there are also | 
|---|
| 776 | two instances of it. For more information regarding <command>winbindd</command>, see | 
|---|
| 777 | <emphasis>TOSHARG2</emphasis>, Chapter 23, Section 23.3. The single instance of | 
|---|
| 778 | <command>smbd</command> is normal. | 
|---|
| 779 | </para></step> | 
|---|
| 780 |  | 
|---|
| 781 | <step><para> | 
|---|
| 782 | <indexterm><primary>anonymous connection</primary></indexterm> | 
|---|
| 783 | Check that an anonymous connection can be made to the Samba server: | 
|---|
| 784 | <screen> | 
|---|
| 785 | &rootprompt; smbclient -L localhost -U% | 
|---|
| 786 |  | 
|---|
| 787 | Sharename      Type      Comment | 
|---|
| 788 | ---------      ----      ------- | 
|---|
| 789 | netlogon       Disk      Network Logon Service | 
|---|
| 790 | accounts       Disk      Accounting Files | 
|---|
| 791 | finsvcs        Disk      Financial Service Files | 
|---|
| 792 | IPC$           IPC       IPC Service (Samba3) | 
|---|
| 793 | ADMIN$         IPC       IPC Service (Samba3) | 
|---|
| 794 | hplj4          Printer   Hewlett-Packard LaserJet 4 | 
|---|
| 795 | hplj6          Printer   Hewlett-Packard LaserJet 6 | 
|---|
| 796 | qms            Printer   QMS Magicolor Laser Printer XXXX | 
|---|
| 797 |  | 
|---|
| 798 | Server               Comment | 
|---|
| 799 | ---------            ------- | 
|---|
| 800 | SLEETH               Samba 3.0.20 | 
|---|
| 801 |  | 
|---|
| 802 | Workgroup            Master | 
|---|
| 803 | ---------            ------- | 
|---|
| 804 | BILLMORE             SLEETH | 
|---|
| 805 | </screen> | 
|---|
| 806 | This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent | 
|---|
| 807 | of browsing the server from a Windows client to obtain a list of shares on the server. | 
|---|
| 808 | The <constant>-U%</constant> argument means to send a <constant>NULL</constant> username and | 
|---|
| 809 | a <constant>NULL</constant> password. | 
|---|
| 810 | </para></step> | 
|---|
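Every host that can reach the server receives the same anonymous listing, so it is worth comparing that listing with the set of shares you intend to advertise rather than just eyeballing it. The following is an added example, not code from the book or from the Samba project: a Python parser for the three tables that <command>smbclient -L</command> prints, plus a check against an allow-list. The embedded listing is a constructed copy of the output shown above, preceded by two constructed status lines of the kind <command>smbclient</command> prints before the tables, which the parser has to skip.

```python
"""Parse an anonymous `smbclient -L` listing and compare it with an allow-list.

Added example, not from the Samba book.
"""
import re

# Constructed sample: the chapter's listing, with a two-line preamble as
# smbclient prints it (tab-indented tables, blank line between tables).
LISTING_SAMPLE = """\
Anonymous login successful
Domain=[BILLMORE] OS=[Unix] Server=[Samba 3.0.20]

\tSharename      Type      Comment
\t---------      ----      -------
\tnetlogon       Disk      Network Logon Service
\taccounts       Disk      Accounting Files
\tfinsvcs        Disk      Financial Service Files
\tIPC$           IPC       IPC Service (Samba3)
\tADMIN$         IPC       IPC Service (Samba3)
\thplj4          Printer   Hewlett-Packard LaserJet 4
\thplj6          Printer   Hewlett-Packard LaserJet 6
\tqms            Printer   QMS Magicolor Laser Printer XXXX

\tServer               Comment
\t---------            -------
\tSLEETH               Samba 3.0.20

\tWorkgroup            Master
\t---------            -------
\tBILLMORE             SLEETH
"""

HEADER_RE = re.compile(r"^(Sharename|Server|Workgroup)\s+(Type\s+Comment|Comment|Master)$")


def parse_listing(output):
    """Return {'shares': [(name, type, comment)], 'servers': {..}, 'workgroups': {..}}."""
    result = {"shares": [], "servers": {}, "workgroups": {}}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:                     # blank line ends the current table
            section = None
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or set(line) <= set("- "):
            continue                     # preamble text or the dashed underline
        if section == "Sharename":
            parts = line.split(None, 2)  # comment may contain spaces, or be empty
            comment = parts[2] if len(parts) > 2 else ""
            result["shares"].append((parts[0], parts[1], comment))
        else:
            parts = line.split(None, 1)
            value = parts[1] if len(parts) > 1 else ""
            key = "servers" if section == "Server" else "workgroups"
            result[key][parts[0]] = value
    return result


def shares_by_type(listing):
    """Group advertised share names by the Type column (Disk, Printer, IPC)."""
    groups = {}
    for name, typ, _comment in listing["shares"]:
        groups.setdefault(typ, []).append(name)
    return groups


def unexpected_shares(listing, allowed):
    """Share names advertised anonymously that are not on the allow-list.

    IPC$ and ADMIN$ are always advertised by Samba, so IPC-type entries are ignored.
    """
    visible = {name for name, typ, _ in listing["shares"] if typ != "IPC"}
    return sorted(visible - set(allowed))


if __name__ == "__main__":
    listing = parse_listing(LISTING_SAMPLE)
    print(shares_by_type(listing))
    print("master of", list(listing["workgroups"]), "is", list(listing["workgroups"].values()))
    print("not on allow-list:", unexpected_shares(listing, ["netlogon", "accounts", "finsvcs"]))
```

Feed it the real output with something like <command>smbclient -L localhost -U% | python3 check_listing.py</command> after replacing the sample with <constant>sys.stdin.read()</constant>; the allow-list is the set of shares you deliberately expose, and printers count as shares for this purpose.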
| 811 |  | 
|---|
| 812 | <step><para> | 
|---|
| 813 | <indexterm><primary>dhcp client validation</primary></indexterm> | 
|---|
| 814 | <indexterm><primary>printer validation</primary></indexterm> | 
|---|
| 815 | <indexterm><primary>/etc/dhcpd.conf</primary></indexterm> | 
|---|
| 816 | Verify that the printers have the IP addresses assigned in the DHCP server configuration file. | 
|---|
| 817 | The easiest way to do this is to ping the printer name. Immediately after the ping response | 
|---|
| 818 | has been received, execute <command>arp -a</command> to find the MAC address of the printer | 
|---|
| 819 | that has responded. Now you can compare the IP address and the MAC address of the printer | 
|---|
| 820 | with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They | 
|---|
| 821 | should, of course, match. For example, | 
|---|
| 822 | <screen> | 
|---|
| 823 | &rootprompt; ping hplj4 | 
|---|
| 824 | PING hplj4 (192.168.1.11) 56(84) bytes of data. | 
|---|
| 825 | 64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms | 
|---|
| 826 |  | 
|---|
| 827 | &rootprompt; arp -a | 
|---|
| 828 | hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0 | 
|---|
| 829 | </screen> | 
|---|
| 830 | The MAC address <constant>08:00:46:7A:35:E4</constant> matches that specified for the | 
|---|
| 831 | IP address from which the printer has responded and the entry for it in the | 
|---|
| 832 | <filename>/etc/dhcpd.conf</filename> file. | 
|---|
| 833 | </para></step> | 
|---|
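The ping and <command>arp -a</command> comparison above can be automated so that every reservation is checked the same way. The following is an added example, not code from the book or from the Samba project: it parses Linux <command>arp -a</command> lines, normalises MAC address case (the arp output above is upper-case while the <filename>/etc/dhcpd.conf</filename> entries are lower-case), and compares each answering host against the reservations. <constant>RESERVATIONS</constant> is hand-copied from the chapter's <filename>/etc/dhcpd.conf</filename>; the arp sample is constructed from the transcript above plus an incomplete entry to show how a host that never answered is reported. On the chapter's own transcript the check reports that the MAC reserved for <constant>hplj4</constant> answered from 192.168.1.11 rather than the reserved 192.168.1.10.

```python
"""Cross-check `arp -a` output against the DHCP reservations.

Added example, not from the Samba book.
"""
import re

# Constructed: the three reservations copied from the chapter's /etc/dhcpd.conf
# as {name: (mac, fixed-address)}.
RESERVATIONS = {
    "hplj4": ("08:00:46:7a:35:e4", "192.168.1.10"),
    "hplj6": ("00:03:47:cb:81:e0", "192.168.1.11"),
    "qms": ("01:04:31:db:e1:c0", "192.168.1.10"),
}

# Constructed: the arp line from the chapter, plus an entry that never answered.
ARP_SAMPLE = """\
hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
qms (192.168.1.10) at <incomplete> on eth0
"""

# Linux `arp -a` line: NAME (IP) at MAC [ether] on IFACE, or "at <incomplete>".
ARP_RE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}|<incomplete>)"
)


def parse_arp(output):
    """Map IP -> (name, lower-case MAC); MAC is None for incomplete entries."""
    table = {}
    for line in output.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            mac = None if m["mac"] == "<incomplete>" else m["mac"].lower()
            table[m["ip"]] = (m["name"], mac)
    return table


def check_reservations(reservations, arp_output):
    """Report hosts whose observed MAC/IP pairing differs from dhcpd.conf."""
    by_mac = {mac.lower(): (name, ip) for name, (mac, ip) in reservations.items()}
    by_ip = {}
    for name, (_mac, ip) in reservations.items():
        by_ip.setdefault(ip, name)           # first reservation for an IP wins
    findings = []
    for ip, (name, mac) in parse_arp(arp_output).items():
        if mac is None:
            findings.append(f"{name} ({ip}): no ARP reply, host is down or address unused")
        elif mac not in by_mac:
            findings.append(f"{name} ({ip}): MAC {mac} has no reservation in dhcpd.conf")
        else:
            res_name, res_ip = by_mac[mac]
            if res_ip != ip:
                findings.append(
                    f"{res_name}: MAC {mac} answered from {ip} "
                    f"(reserved for {by_ip.get(ip, 'nobody')}), dhcpd.conf reserves {res_ip}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_reservations(RESERVATIONS, ARP_SAMPLE) or ["all reservations match"]:
        print(finding)
```

Ping each printer first so that the ARP cache is populated, then run the check over the full <command>arp -a</command> output; a host that answers from an address other than its reservation usually means the lease came from the dynamic pool before the reservation was added, or that the MAC in the file is wrong.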
| 834 |  | 
|---|
| 835 | <step><para> | 
|---|
| 836 | <indexterm><primary>authenticated connection</primary></indexterm> | 
|---|
| 837 | Make an authenticated connection to the server using the <command>smbclient</command> tool: | 
|---|
| 838 | <screen> | 
|---|
| 839 | &rootprompt; smbclient //sleeth/accounts -U alanm | 
|---|
| 840 | Password: XXXXXXX | 
|---|
| 841 | smb: \> dir | 
|---|
| 842 | .                          D        0  Sun Nov  9 01:28:34 2003 | 
|---|
| 843 | ..                         D        0  Sat Aug 16 17:24:26 2003 | 
|---|
| 844 | .mc                       DH        0  Sat Nov  8 21:57:38 2003 | 
|---|
| 845 | .qt                       DH        0  Fri Sep  5 00:48:25 2003 | 
|---|
| 846 | SMB                        D        0  Sun Oct 19 23:04:30 2003 | 
|---|
| 847 | Documents                  D        0  Sat Nov  1 00:31:51 2003 | 
|---|
| 848 | xpsp1a_en_x86.exe           131170400  Sun Nov  2 01:25:44 2003 | 
|---|
| 849 |  | 
|---|
| 850 | 65387 blocks of size 65536. 28590 blocks available | 
|---|
| 851 | smb: \> q | 
|---|
| 852 | </screen> | 
|---|
| 853 | </para></step> | 
|---|
| 854 |  | 
|---|
| 855 | </procedure> | 
|---|
| 856 |  | 
|---|
| 857 | </sect2> | 
|---|
| 858 |  | 
|---|
| 859 |  | 
|---|
| 860 | <procedure> | 
|---|
| 861 | <title>Windows XP Professional Client Configuration</title> | 
|---|
| 862 |  | 
|---|
| 863 | <step><para> | 
|---|
| 864 | Configure clients to the network settings shown in <link linkend="acct2net"/>. | 
|---|
| 865 | All clients use DHCP for TCP/IP protocol stack configuration. | 
|---|
| 866 | <indexterm><primary>WINS</primary></indexterm> | 
|---|
| 867 | <indexterm><primary>DHCP</primary></indexterm> | 
|---|
| 868 | DHCP configures all Windows clients to use the WINS Server address <constant>192.168.1.1</constant>. | 
|---|
| 869 | </para></step> | 
|---|
| 870 |  | 
|---|
| 871 | <step><para> | 
|---|
| 872 | Join the Windows Domain called <constant>BILLMORE</constant>. Use the Domain Administrator | 
|---|
| 873 | username <constant>root</constant> and the SMB password you assigned to this account. | 
|---|
| 874 | A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to | 
|---|
| 875 | a Windows Domain is given in <link linkend="appendix"/>, <link linkend="domjoin"/>. | 
|---|
| 876 | Reboot the machine as prompted and then log on using a Domain User account. | 
|---|
| 877 | </para></step> | 
|---|
| 878 |  | 
|---|
| 879 | <step><para> | 
|---|
| 880 | Verify on each client that the machine called <constant>SLEETH</constant> | 
|---|
| 881 | is visible in <guimenu>My Network Places</guimenu>, that it is | 
|---|
| 882 | possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem> | 
|---|
| 883 | and <guimenuitem>finsvcs</guimenuitem>, | 
|---|
| 884 | and that it is possible to open that share to reveal its contents. | 
|---|
| 885 | </para></step> | 
|---|
| 886 |  | 
|---|
| 887 | <step><para> | 
|---|
| 888 | Instruct all users to log onto the workstation using their assigned username and password. | 
|---|
| 889 | </para></step> | 
|---|
| 890 |  | 
|---|
| 891 | <step><para> | 
|---|
| 892 | Install a printer on each using the following steps: | 
|---|
| 893 | </para> | 
|---|
| 894 |  | 
|---|
| 895 | <procedure> | 
|---|
| 896 | <step><para> | 
|---|
| 897 | Click <menuchoice> | 
|---|
| 898 | <guimenu>Start</guimenu> | 
|---|
| 899 | <guimenuitem>Settings</guimenuitem> | 
|---|
| 900 | <guimenuitem>Printers</guimenuitem> | 
|---|
| 901 | <guiicon>Add Printer</guiicon> | 
|---|
| 902 | <guibutton>Next</guibutton> | 
|---|
| 903 | </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. | 
|---|
| 904 | Ensure that <guimenuitem>Local printer</guimenuitem> is selected. | 
|---|
| 905 | </para></step> | 
|---|
| 906 |  | 
|---|
| 907 | <step><para> | 
|---|
| 908 | Click <guibutton>Next</guibutton>. In the | 
|---|
| 909 | <guimenuitem>Manufacturer:</guimenuitem> panel, select <constant>HP</constant>. | 
|---|
| 910 | In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called | 
|---|
| 911 | <constant>HP LaserJet 4</constant>. Click <guibutton>Next</guibutton>. | 
|---|
| 912 | </para></step> | 
|---|
| 913 |  | 
|---|
| 914 | <step><para> | 
|---|
| 915 | In the <guimenuitem>Available ports:</guimenuitem> panel, select | 
|---|
| 916 | <constant>FILE:</constant>. Accept the default printer name by clicking | 
|---|
| 917 | <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a | 
|---|
| 918 | test page?</quote>, click <guimenuitem>No</guimenuitem>. Click | 
|---|
| 919 | <guibutton>Finish</guibutton>. | 
|---|
| 920 | </para></step> | 
|---|
| 921 |  | 
|---|
| 922 | <step><para> | 
|---|
| 923 | You may be prompted for the name of a file to print to. If so, close the | 
|---|
| 924 | dialog panel. Right-click <menuchoice> | 
|---|
| 925 | <guiicon>HP LaserJet 4</guiicon> | 
|---|
| 926 | <guimenuitem>Properties</guimenuitem> | 
|---|
| 927 | <guisubmenu>Details (Tab)</guisubmenu> | 
|---|
| 928 | <guimenuitem>Add Port</guimenuitem> | 
|---|
| 929 | </menuchoice>. | 
|---|
| 930 | </para></step> | 
|---|
| 931 |  | 
|---|
| 932 | <step><para> | 
|---|
| 933 | In the <guimenuitem>Network</guimenuitem> panel, enter the name of | 
|---|
| 934 | the print queue on the Samba server as follows: <constant>\\SERVER\hplj4</constant>. | 
|---|
| 935 | Click <menuchoice> | 
|---|
| 936 | <guibutton>OK</guibutton> | 
|---|
| 937 | <guibutton>OK</guibutton> | 
|---|
| 938 | </menuchoice> to complete the installation. | 
|---|
| 939 | </para></step> | 
|---|
| 940 |  | 
|---|
| 941 | <step><para> | 
|---|
| 942 | Repeat the printer installation steps above for the HP LaserJet 6 printer | 
|---|
| 943 | as well as for the QMS Magicolor XXXX laser printer. | 
|---|
| 944 | </para></step> | 
|---|
| 945 | </procedure> | 
|---|
| 946 | </step> | 
|---|
| 947 | </procedure> | 
|---|
| 948 |  | 
|---|
| 949 | <sect2> | 
|---|
| 950 | <title>Notebook Computers: A Special Case</title> | 
|---|
| 951 |  | 
|---|
| 952 | <para> | 
|---|
| 953 | As a network administrator, you already know how to create local machine accounts for Windows 200x/XP | 
|---|
| 954 | Professional systems. This is the preferred solution to provide continuity of work for notebook users | 
|---|
| 955 | so that absence from the office network environment does not become a barrier to productivity. | 
|---|
| 956 | </para> | 
|---|
| 957 |  | 
|---|
| 958 | <para> | 
|---|
| 959 | By creating a local machine account that has the same username and password as you create for that | 
|---|
| 960 | user in the Windows Domain environment, the user can log onto the machine locally and still | 
|---|
| 961 | transparently access network resources as if logged onto the domain itself. There are some trade-offs | 
|---|
| 962 | that mean that as the network is more tightly secured, it becomes necessary to modify Windows client | 
|---|
| 963 | configuration somewhat. | 
|---|
| 964 | </para> | 
|---|
| 965 |  | 
|---|
| 966 | </sect2> | 
|---|
| 967 |  | 
|---|
| 968 | <sect2> | 
|---|
| 969 | <title>Key Points Learned</title> | 
|---|
| 970 |  | 
|---|
| 971 | <para> | 
|---|
| 972 | In this network design and implementation exercise, you created a Windows NT4-style Domain | 
|---|
| 973 | Controller using Samba-3.0.20. Following these guidelines, you experienced | 
|---|
| 974 | and implemented several important aspects of Windows networking. In the next chapter, | 
|---|
| 975 | you build on the experience. These are the highlights from this chapter: | 
|---|
| 976 | </para> | 
|---|
| 977 |  | 
|---|
| 978 | <itemizedlist> | 
|---|
| 979 | <listitem><para> | 
|---|
| 980 | <indexterm><primary>DHCP</primary></indexterm> | 
|---|
| 981 | You implemented a DHCP server, and Microsoft Windows clients were able to obtain all necessary | 
|---|
| 982 | network configuration settings from this server. | 
|---|
| 983 | </para></listitem> | 
|---|
| 984 |  | 
|---|
| 985 | <listitem><para> | 
|---|
| 986 | <indexterm><primary>Domain Controller</primary></indexterm> | 
|---|
| 987 | You created a Windows Domain Controller. You were able to use the network logon service | 
|---|
| 988 | and successfully joined Windows 200x/XP Professional clients to the Domain. | 
|---|
| 989 | </para></listitem> | 
|---|
| 990 |  | 
|---|
| 991 | <listitem><para> | 
|---|
| 992 | <indexterm><primary>CUPS</primary></indexterm> | 
|---|
| 993 | You created raw print queues in the CUPS printing system. You maintained a simple | 
|---|
| 994 | printing system so that all users can share centrally managed printers. You installed | 
|---|
| 995 | native printer drivers on the Windows clients. | 
|---|
| 996 | </para></listitem> | 
|---|
| 997 |  | 
|---|
| 998 | <listitem><para> | 
|---|
| 999 | You experienced the benefits of centrally managed user accounts on the server. | 
|---|
| 1000 | </para></listitem> | 
|---|
| 1001 |  | 
|---|
| 1002 | <listitem><para> | 
|---|
| 1003 | You offered mobile notebook users a solution that allows them to continue to work | 
|---|
| 1004 | while away from the office and not connected to the corporate network. | 
|---|
| 1005 | </para></listitem> | 
|---|
| 1006 | </itemizedlist> | 
|---|
| 1007 |  | 
|---|
| 1008 | </sect2> | 
|---|
| 1009 |  | 
|---|
| 1010 | </sect1> | 
|---|
| 1011 |  | 
|---|
| 1012 | <sect1> | 
|---|
| 1013 | <title>Questions and Answers</title> | 
|---|
| 1014 |  | 
|---|
| 1015 | <para> | 
|---|
| 1016 | Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that | 
|---|
| 1017 | may help. | 
|---|
| 1018 | </para> | 
|---|
| 1019 |  | 
|---|
| 1020 | <qandaset> | 
|---|
| 1021 | <qandaentry> | 
|---|
| 1022 | <question> | 
|---|
| 1023 |  | 
|---|
| 1024 | <para> | 
|---|
| 1025 | What is the key benefit of using DHCP to configure Windows client TCP/IP stacks? | 
|---|
| 1026 | </para> | 
|---|
| 1027 |  | 
|---|
| 1028 | </question> | 
|---|
| 1029 | <answer> | 
|---|
| 1030 |  | 
|---|
| 1031 | <para> | 
|---|
| 1032 | First and foremost, portability. It means that notebook users can move between | 
|---|
| 1033 | the Abmas office and client offices (so long as they, too, use DHCP) without having to manually | 
|---|
| 1034 | reconfigure their machines. It also means that when they work from their home environments | 
|---|
| 1035 | either using DHCP assigned addressing or when using dial-up networking, settings such as | 
|---|
| 1036 | default routes and DNS server addresses that apply only to the Abmas office environment do | 
|---|
| 1037 | not interfere with remote operations. This is an extremely important feature of DHCP. | 
|---|
| 1038 | </para> | 
|---|
| 1039 |  | 
|---|
| 1040 | </answer> | 
|---|
| 1041 | </qandaentry> | 
|---|
| 1042 |  | 
|---|
| 1043 | <qandaentry> | 
|---|
| 1044 | <question> | 
|---|
| 1045 |  | 
|---|
| 1046 | <para> | 
|---|
| 1047 | Are there any DHCP server configuration parameters in the <filename>/etc/dhcpd.conf</filename> | 
|---|
| 1048 | that should be noted in particular? | 
|---|
| 1049 | </para> | 
|---|
| 1050 |  | 
|---|
| 1051 | </question> | 
|---|
| 1052 | <answer> | 
|---|
| 1053 |  | 
|---|
| 1054 | <para> | 
|---|
| 1055 | Yes. The configuration you created automatically provides each client with the IP address | 
|---|
| 1056 | of your WINS server. It also configures the client to preferentially register NetBIOS names | 
|---|
| 1057 | with the WINS server, and then instructs the client to first query the WINS server when a | 
|---|
| 1058 | NetBIOS machine name needs to be resolved to an IP Address. This configuration | 
|---|
| 1059 | results in far lower UDP broadcast traffic than would be the case if WINS was not used. | 
|---|
| 1060 | </para> | 
|---|
| 1061 |  | 
|---|
| 1062 | </answer> | 
|---|
| 1063 | </qandaentry> | 
|---|
| 1064 |  | 
|---|
| 1065 | <qandaentry> | 
|---|
| 1066 | <question> | 
|---|
| 1067 |  | 
|---|
| 1068 | <para> | 
|---|
| 1069 | Is it possible to create a Windows Domain account that is specifically called <constant>Administrator</constant>? | 
|---|
| 1070 | </para> | 
|---|
| 1071 |  | 
|---|
| 1072 | </question> | 
|---|
| 1073 | <answer> | 
|---|
| 1074 |  | 
|---|
| 1075 | <para> | 
|---|
| 1076 | You can surely create a Windows Domain account called <constant>Administrator</constant>. It is also | 
|---|
| 1077 | possible to map that account so that it has the effective UNIX UID of 0. This way it isn't | 
|---|
| 1078 | necessary to use the <parameter>username map</parameter> facility to map this account to the UNIX | 
|---|
| 1079 | account called <constant>root</constant>. | 
|---|
| 1080 | </para> | 
|---|
| 1081 |  | 
|---|
| 1082 | </answer> | 
|---|
| 1083 | </qandaentry> | 
|---|
| 1084 |  | 
|---|
| 1085 | <qandaentry> | 
|---|
| 1086 | <question> | 
|---|
| 1087 |  | 
|---|
| 1088 | <para> | 
|---|
| 1089 | Why is it necessary to give the Windows Domain <constant>Administrator</constant> a UNIX UID of 0? | 
|---|
| 1090 | </para> | 
|---|
| 1091 |  | 
|---|
| 1092 | </question> | 
|---|
| 1093 | <answer> | 
|---|
| 1094 |  | 
|---|
| 1095 | <para> | 
|---|
| 1096 | The Windows Domain <constant>Administrator</constant> account is the most privileged account that | 
|---|
| 1097 | exists on the Windows platform. This user can change any setting, add, delete, or modify user | 
|---|
| 1098 | accounts, and completely reconfigure the system. The equivalent to this account in the UNIX | 
|---|
| 1099 | environment is the <constant>root</constant> account. If you want to permit the Windows Domain | 
|---|
| 1100 | Administrator to manage accounts as well as permissions, privileges, and security | 
|---|
| 1101 | settings within the Domain and on the Samba server, equivalent rights must be assigned. This is | 
|---|
| 1102 | achieved with the <constant>root</constant> UID equal to 0. | 
|---|
| 1103 | </para> | 
|---|
| 1104 |  | 
|---|
| 1105 | </answer> | 
|---|
| 1106 | </qandaentry> | 
|---|
| 1107 |  | 
|---|
| 1108 | <qandaentry> | 
|---|
| 1109 | <question> | 
|---|
| 1110 |  | 
|---|
| 1111 | <para> | 
|---|
| 1112 | One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him | 
|---|
| 1113 | <constant>root</constant> access. How can we do this? | 
|---|
| 1114 | </para> | 
|---|
| 1115 |  | 
|---|
| 1116 | </question> | 
|---|
| 1117 | <answer> | 
|---|
| 1118 |  | 
|---|
| 1119 | <para> | 
|---|
| 1120 | Users who are members of the <constant>Domain Admins</constant> group can add machines to the | 
|---|
| 1121 | Domain. This group is mapped to the UNIX group account called <constant>root</constant> | 
|---|
| 1122 | (or the equivalent <constant>wheel</constant> on some UNIX systems) that has a GID of 0. | 
|---|
| 1123 | This must be the primary GID of the UNIX account of each user who is a member of the Windows | 
|---|
| 1124 | <constant>Domain Admins</constant> group. | 
|---|
| 1125 | </para> | 
|---|
| 1126 |  | 
|---|
| 1127 | </answer> | 
|---|
| 1128 | </qandaentry> | 
|---|
| 1129 |  | 
|---|
| 1130 | <qandaentry> | 
|---|
| 1131 | <question> | 
|---|
| 1132 |  | 
|---|
| 1133 | <para> | 
|---|
| 1134 | Why must I map Windows Domain Groups to UNIX groups? | 
|---|
| 1135 | </para> | 
|---|
| 1136 |  | 
|---|
| 1137 | </question> | 
|---|
| 1138 | <answer> | 
|---|
| 1139 |  | 
|---|
| 1140 | <para> | 
|---|
| 1141 | Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account | 
|---|
| 1142 | has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are | 
|---|
| 1143 | <guimenu>Domain Guests</guimenu>, <guimenu>Domain Users</guimenu>, and <guimenu>Domain Admins</guimenu>. | 
|---|
| 1144 | </para> | 
|---|
| 1145 |  | 
|---|
| 1146 | </answer> | 
|---|
| 1147 | </qandaentry> | 
|---|
| 1148 |  | 
|---|
| 1149 | <qandaentry> | 
|---|
| 1150 | <question> | 
|---|
| 1151 |  | 
|---|
| 1152 | <para> | 
|---|
| 1153 | I deleted my <constant>root</constant> account and now I cannot add it back! What can I do? | 
|---|
| 1154 | </para> | 
|---|
| 1155 |  | 
|---|
| 1156 | </question> | 
|---|
| 1157 | <answer> | 
|---|
| 1158 |  | 
|---|
| 1159 | <para> | 
|---|
| 1160 | This is a nasty problem. Fortunately, there is a solution. | 
|---|
| 1161 | </para> | 
|---|
| 1162 |  | 
|---|
| 1163 | <procedure> | 
|---|
| 1164 | <step><para> | 
|---|
| 1165 | Back up your existing configuration files in case you need to restore them. | 
|---|
| 1166 | </para></step> | 
|---|
| 1167 |  | 
|---|
| 1168 | <step><para> | 
|---|
| 1169 | Rename the <filename>group_mapping.tdb</filename> file. | 
|---|
| 1170 | </para></step> | 
|---|
| 1171 |  | 
|---|
| 1172 | <step><para> | 
|---|
| 1173 | Use the <command>smbpasswd</command> command to add the root account. | 
|---|
| 1174 | </para></step> | 
|---|
| 1175 |  | 
|---|
| 1176 | <step><para> | 
|---|
| 1177 | Restore the <filename>group_mapping.tdb</filename> file. | 
|---|
| 1178 | </para></step> | 
|---|
| 1179 | </procedure> | 
|---|
| 1180 |  | 
|---|
| 1181 | </answer> | 
|---|
| 1182 | </qandaentry> | 
|---|
| 1183 |  | 
|---|
| 1184 | <qandaentry> | 
|---|
| 1185 | <question> | 
|---|
| 1186 |  | 
|---|
| 1187 | <para> | 
|---|
| 1188 | When I run <command>net groupmap list</command>, it reports a group called <guimenu>Administrators</guimenu> | 
|---|
| 1189 | as well as <guimenu>Domain Admins</guimenu>. What is the difference between them? | 
|---|
| 1190 | </para> | 
|---|
| 1191 |  | 
|---|
| 1192 | </question> | 
|---|
| 1193 | <answer> | 
|---|
| 1194 |  | 
|---|
| 1195 | <para> | 
|---|
| 1196 | The group called <guimenu>Administrators</guimenu> represents the same account that would be | 
|---|
| 1197 | present as the Local Group (BUILTIN) account on a Domain Member server or workstation; its SID is the well-known | 
|---|
| 1198 | <constant>S-1-5-32-544</constant>, whereas <guimenu>Domain Admins</guimenu> is the Domain Group with RID 512 under the Domain SID. Samba uses only Domain | 
|---|
| 1199 | Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This may change at some later date. These accounts are provided only so that security descriptors (ACLs) are displayed correctly on Windows clients. | 
|---|
| 1200 | </para> | 
|---|
| 1201 |  | 
|---|
| 1202 | </answer> | 
|---|
| 1203 | </qandaentry> | 
|---|
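<para>
The two points above (every Domain Group needs a UNIX mapping; BUILTIN groups such as <guimenu>Administrators</guimenu> are a different kind of object from <guimenu>Domain Admins</guimenu>) can be checked mechanically against the output of <command>net groupmap list</command>. The following POSIX shell script is an added example, not part of the Samba documentation or the Samba project. It assumes the Samba-3 listing format <literal>NAME (SID) -> unixgroup</literal>, that an entry with no UNIX group is shown as <literal>-1</literal>, and uses a constructed sample listing with a made-up Domain SID; the well-known RIDs 512, 513, 514 and the <constant>S-1-5-32</constant> BUILTIN prefix are Windows constants.
</para>

```shell
#!/bin/sh
# Added example (not Samba's own code): verify that the well-known Domain Groups
# on a Samba-3 PDC carry UNIX group mappings, distinguishing Domain Groups
# (S-1-5-21-<domain>-RID) from BUILTIN aliases (S-1-5-32-RID).

# Constructed sample of "net groupmap list" output. The Domain SID is invented;
# "Domain Guests" is deliberately left unmapped (-1 is assumed to mean "no group").
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> -1
Administrators (S-1-5-32-544) -> -1'

# Classify a SID by its well-known prefix.
sid_kind() {
    case "$1" in
        S-1-5-21-*) echo domain ;;
        S-1-5-32-*) echo builtin ;;
        *)          echo other ;;
    esac
}

# Last component of a SID is the RID.
rid_of() {
    echo "${1##*-}"
}

# Human name of the well-known Domain RIDs the FAQ says must be mapped.
rid_name() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        *)   echo "RID $1" ;;
    esac
}

# mapped_group LISTING RID: print the UNIX group mapped to Domain RID, or
# nothing if the RID is absent or unmapped. BUILTIN entries are ignored even
# when their RID matches, since they are not Domain Groups.
mapped_group() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        sid=$(printf '%s\n' "$line" | sed -n 's/.*(\(S-[0-9][0-9-]*\)).*/\1/p')
        [ -n "$sid" ] || continue
        [ "$(sid_kind "$sid")" = domain ] || continue
        [ "$(rid_of "$sid")" = "$2" ] || continue
        unix=${line##*-> }
        if [ "$unix" != "-1" ]; then
            printf '%s\n' "$unix"
        fi
    done
}

# check_groupmap LISTING: 0 if RIDs 512/513/514 all have UNIX groups, else 1
# and a suggested "net groupmap add" line for each missing one on stderr.
check_groupmap() {
    status=0
    for rid in 512 513 514; do
        grp=$(mapped_group "$1" "$rid")
        if [ -z "$grp" ]; then
            name=$(rid_name "$rid")
            echo "MISSING: $name (RID $rid) has no UNIX group; e.g." >&2
            echo "  net groupmap add ntgroup=\"$name\" unixgroup=<group> rid=$rid type=d" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone use: "--live" checks the real server, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    check_groupmap "$(net groupmap list)"
else
    check_groupmap "$SAMPLE_GROUPMAP" || :
fi
```

Against the sample the script reports <guimenu>Domain Guests</guimenu> as unmapped and ignores the <guimenu>Administrators</guimenu> alias, which is exactly the distinction the answer above draws: the BUILTIN entry exists for display purposes and never needs a UNIX group.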
| 1204 |  | 
|---|
| 1205 | <qandaentry> | 
|---|
| 1206 | <question> | 
|---|
| 1207 |  | 
|---|
| 1208 | <para> | 
|---|
| 1209 | What is the effect of changing the name of a Samba server or of changing the Domain name? | 
|---|
| 1210 | </para> | 
|---|
| 1211 |  | 
|---|
| 1212 | </question> | 
|---|
| 1213 | <answer> | 
|---|
| 1214 |  | 
|---|
| 1215 | <para> | 
|---|
| 1216 | If you elect to change the name of the Samba server, the Windows security identifiers (SIDs) change when <command>smbd</command> | 
|---|
| 1217 | is restarted, because Samba stores its SID under that name. In the case of a standalone server or a Domain Member server, | 
|---|
| 1218 | the machine SID changes, which may break Domain membership. In the case of a change of the Domain name | 
|---|
| 1219 | (Workgroup name), the Domain SID changes, which invalidates every existing Domain membership and any stored ACL or profile entry that refers to the old Domain SID. | 
|---|
| 1220 | </para> | 
|---|
| 1221 |  | 
|---|
| 1222 | <para> | 
|---|
| 1223 | If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective | 
|---|
| 1224 | SID before the change is made. You can display and record the SID using <command>net getlocalsid</command> (Samba-3) | 
|---|
| 1225 | or <command>smbpasswd</command> (Samba-2.2.x). To write the saved SID back after the change, use the same tool (<command>net setlocalsid</command> in Samba-3). Be sure | 
|---|
| 1226 | to check the man page for this command for detailed instructions regarding the steps involved. | 
|---|
| 1227 | </para> | 
|---|
| 1228 |  | 
|---|
| 1229 | </answer> | 
|---|
| 1230 | </qandaentry> | 
|---|
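<para>
The save-then-restore procedure above for a Samba-3 server, as a POSIX shell script. This is an added example and is not part of the Samba documentation or the Samba project's own tooling. It assumes that <command>net getlocalsid</command> prints a line of the form <literal>SID for domain NAME is: S-1-5-21-...</literal> and that <command>net setlocalsid</command> accepts the SID as its argument; the <command>net</command> command is taken from the environment so the steps can be rehearsed against a stub. The script refuses to restore anything that does not look like a Samba/NT domain SID, and verifies after restoring that the server really reports the saved value.
</para>

```shell
#!/bin/sh
# Added example (not Samba's own code): save the local SID before renaming a
# Samba-3 server or Domain, and put it back afterwards, with validation.
# Overridable so the procedure can be rehearsed with a stub instead of the real tool.
NET=${NET:-net}

# Print just the SID from "net getlocalsid" (assumed output:
# "SID for domain NAME is: S-1-5-21-...").
current_local_sid() {
    "$NET" getlocalsid | awk '/^SID for domain/ { print $NF }'
}

# Accept only a domain/machine SID (S-1-5-21-x-y-z); refuses BUILTIN and garbage.
is_valid_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# sid_backup FILE: record the current SID before the rename.
sid_backup() {
    sid=$(current_local_sid)
    if ! is_valid_sid "$sid"; then
        echo "sid_backup: unexpected SID '$sid'" >&2
        return 1
    fi
    printf '%s\n' "$sid" > "$1"
}

# sid_restore FILE: after the rename and restart, write the saved SID back and
# confirm the server now reports it.
sid_restore() {
    sid=$(cat "$1") || return 1
    if ! is_valid_sid "$sid"; then
        echo "sid_restore: refusing to set malformed SID '$sid'" >&2
        return 1
    fi
    "$NET" setlocalsid "$sid" || return 1
    if [ "$(current_local_sid)" != "$sid" ]; then
        echo "sid_restore: server still reports a different SID" >&2
        return 1
    fi
}

# Stand-alone use:  ./sid.sh backup /root/samba.sid   (before the change)
#                   ./sid.sh restore /root/samba.sid  (after smbd is restarted)
case "${1:-}" in
    backup)  sid_backup "$2" ;;
    restore) sid_restore "$2" ;;
esac
```

Keep the saved SID file somewhere that is itself backed up; losing it after the rename means the old memberships cannot be recovered.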
| 1231 |  | 
|---|
| 1232 | <qandaentry> | 
|---|
| 1233 | <question> | 
|---|
| 1234 |  | 
|---|
| 1235 | <para> | 
|---|
| 1236 | How can I manage user accounts from my Windows XP Professional workstation? | 
|---|
| 1237 | </para> | 
|---|
| 1238 |  | 
|---|
| 1239 | </question> | 
|---|
| 1240 | <answer> | 
|---|
| 1241 |  | 
|---|
| 1242 | <para> | 
|---|
| 1243 | Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot | 
|---|
| 1244 | be managed using the tools present on a Windows XP Professional installation. You may download from the | 
|---|
| 1245 | Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use | 
|---|
| 1246 | it. This package contains the tools <command>User Manager for Domains</command>, <command>Server Manager</command>, and <command>Event | 
|---|
| 1247 | Viewer</command>. You may use the <guimenu>User Manager for Domains</guimenu> to manage your Samba-3 | 
|---|
| 1248 | Domain user and group accounts. Of course, you do need to be logged on to the Samba-3 Domain as the <constant>Administrator</constant> | 
|---|
| 1249 | (or another member of <guimenu>Domain Admins</guimenu>). It may help to log on as the <constant>root</constant> account. | 
|---|
| 1250 | </para> | 
|---|
| 1251 |  | 
|---|
| 1252 | </answer> | 
|---|
| 1253 | </qandaentry> | 
|---|
| 1254 |  | 
|---|
| 1255 | </qandaset> | 
|---|
| 1256 |  | 
|---|
| 1257 | </sect1> | 
|---|
| 1258 |  | 
|---|
| 1259 | </chapter> | 
|---|
| 1260 |  | 
|---|