<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. A Collection of Useful Tidbits</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="ch14.html" title="Chapter 14. Samba Support"><link rel="next" href="primer.html" title="Chapter 16. Networking Primer"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 15. A Collection of Useful Tidbits"><div class="titlepage"><div><div><h2 class="title"><a name="appendix"></a>Chapter 15. A Collection of Useful Tidbits</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="appendix.html#domjoin">Joining a Domain: Windows 200x/XP Professional</a></span></dt><dt><span class="sect1"><a href="appendix.html#id387559">Samba System File Location</a></span></dt><dt><span class="sect1"><a href="appendix.html#id387952">Starting Samba</a></span></dt><dt><span class="sect1"><a href="appendix.html#id388254">DNS Configuration Files</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id388264">The Forward Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id388308">The Reverse Zone File for the Loopback Adaptor</a></span></dt><dt><span class="sect2"><a href="appendix.html#id388408">DNS Root Server Hint File</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#altldapcfg">Alternative LDAP Database Initialization</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id388463">Initialization of the LDAP Database</a></span></dt></dl></dd><dt><span class="sect1"><a href="appendix.html#id388919">The LDAP Account Manager</a></span></dt><dt><span class="sect1"><a href="appendix.html#id389839">IDEALX Management Console</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12-SUIDSGID">Effect of Setting File and Directory SUID/SGID Permissions Explained</a></span></dt><dt><span class="sect1"><a href="appendix.html#ch12dblck">Shared Data Integrity</a></span></dt><dd><dl><dt><span class="sect2"><a href="appendix.html#id390270">Microsoft Access</a></span></dt><dt><span class="sect2"><a href="appendix.html#id390409">Act! Database Sharing</a></span></dt><dt><span class="sect2"><a href="appendix.html#id390484">Opportunistic Locking Controls</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id387011"></a>
<a class="indexterm" name="id387018"></a>
Information presented here is considered to be either basic or well-known material that is informative
yet helpful. Over the years, I have observed an interesting behavior. There is an expectation that
the process for joining a Windows client to a Samba-controlled Windows domain may somehow involve steps
different from doing so with Windows NT4 or a Windows ADS domain. Be assured that the steps are identical,
as shown in the example given below.
</p><div class="sect1" title="Joining a Domain: Windows 200x/XP Professional"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="domjoin"></a>Joining a Domain: Windows 200x/XP Professional</h2></div></div></div><p>
<a class="indexterm" name="id387044"></a>
Microsoft Windows NT/200x/XP Professional platforms can participate in Domain Security.
This section steps through the process for making a Windows 200x/XP Professional machine a
member of a Domain Security environment. It should be noted that this process is identical
whether the domain is controlled by Windows NT4/200x or by a Samba PDC.
</p><div class="procedure" title="Procedure 15.1. Steps to Join a Domain"><a name="id387055"></a><p class="title"><b>Procedure 15.1. Steps to Join a Domain</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Click <span class="guimenu">Start</span>.
</p></li><li class="step" title="Step 2"><p>
Right-click <span class="guimenu">My Computer</span>, and then select <span class="guimenuitem">Properties</span>.
</p></li><li class="step" title="Step 3"><p>
The opening panel is the same one that can be reached by clicking <span class="guimenu">System</span> on the Control Panel.
See <a class="link" href="appendix.html#swxpp001" title="Figure 15.1. The General Panel.">“The General Panel.”</a>.
</p><div class="figure"><a name="swxpp001"></a><p class="title"><b>Figure 15.1. The General Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp001.png" alt="The General Panel."></div></div></div><p><br class="figure-break">
</p></li><li class="step" title="Step 4"><p>
Click the <span class="guimenu">Computer Name</span> tab.
This panel shows the <span class="guimenuitem">Computer Description</span>, the <span class="guimenuitem">Full computer name</span>,
and the <span class="guimenuitem">Workgroup</span> or <span class="guimenuitem">Domain name</span>.
</p><p>
Clicking the <span class="guimenu">Network ID</span> button launches the configuration wizard. Do not use this with
Samba-3. If you wish to change the computer name, or join or leave the domain, click the <span class="guimenu">Change</span> button.
See <a class="link" href="appendix.html#swxpp004" title="Figure 15.2. The Computer Name Panel.">“The Computer Name Panel.”</a>.
</p><div class="figure"><a name="swxpp004"></a><p class="title"><b>Figure 15.2. The Computer Name Panel.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp004.png" alt="The Computer Name Panel."></div></div></div><p><br class="figure-break">
</p></li><li class="step" title="Step 5"><p>
Click on <span class="guimenu">Change</span>. This panel shows that our example machine (TEMPTATION) is in a workgroup called WORKGROUP.
We join the domain called MIDEARTH. See <a class="link" href="appendix.html#swxpp006" title="Figure 15.3. The Computer Name Changes Panel">“The Computer Name Changes Panel”</a>.
</p><div class="figure"><a name="swxpp006"></a><p class="title"><b>Figure 15.3. The Computer Name Changes Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp006.png" alt="The Computer Name Changes Panel"></div></div></div><p><br class="figure-break">
</p></li><li class="step" title="Step 6"><p>
Enter the name <span class="guimenu">MIDEARTH</span> in the field below the Domain radio button.
</p><p>
This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See <a class="link" href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">“The Computer Name Changes Panel Domain MIDEARTH”</a>.
</p><div class="figure"><a name="swxpp007"></a><p class="title"><b>Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp007.png" alt="The Computer Name Changes Panel Domain MIDEARTH"></div></div></div><p><br class="figure-break">
</p></li><li class="step" title="Step 7"><p>
Now click the <span class="guimenu">OK</span> button. A dialog box should appear to allow you to provide the credentials (username and password)
of a domain administrative account that has the rights to add machines to the domain.
</p><p>
Enter the name <span class="quote">“<span class="quote">root</span>”</span> and the root password from your Samba-3 server. See <a class="link" href="appendix.html#swxpp008" title="Figure 15.5. Computer Name Changes User name and Password Panel">“Computer Name Changes User name and Password Panel”</a>.
</p><div class="figure"><a name="swxpp008"></a><p class="title"><b>Figure 15.5. Computer Name Changes User name and Password Panel</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/wxpp008.png" alt="Computer Name Changes User name and Password Panel"></div></div></div><p><br class="figure-break">
</p></li><li class="step" title="Step 8"><p>
Click <span class="guimenu">OK</span>.
</p><p>
The <span class="quote">“<span class="quote">Welcome to the MIDEARTH domain</span>”</span> dialog box should appear. At this point, the machine must be rebooted.
Joining the domain is now complete.
</p></li></ol></div><p>
<a class="indexterm" name="id387460"></a>
<a class="indexterm" name="id387466"></a>
The screen capture shown in <a class="link" href="appendix.html#swxpp007" title="Figure 15.4. The Computer Name Changes Panel Domain MIDEARTH">“The Computer Name Changes Panel Domain MIDEARTH”</a> has a button labeled <span class="guimenu">More...</span>. This button opens a
panel in which you can set (or change) the Primary DNS suffix of the computer. This is a parameter that mainly affects members
of Microsoft Active Directory. Active Directory is heavily oriented around the DNS namespace.
</p><p>
<a class="indexterm" name="id387490"></a>
<a class="indexterm" name="id387497"></a>
Where NetBIOS technology uses WINS as well as UDP broadcast as key mechanisms for name resolution, Active Directory servers
register their services with the Microsoft Dynamic DNS server. Windows clients must be able to query the correct DNS server
to find the services (like which machines are domain controllers or which machines have the Netlogon service running).
</p><p>
<a class="indexterm" name="id387512"></a>
The default setting of the Primary DNS suffix is the Active Directory domain name. When you change the Primary DNS suffix,
this does not affect domain membership, but it can break network browsing and the ability to resolve your computer name to
a valid IP address.
</p><p>
The Primary DNS suffix parameter principally affects MS Windows clients that are members of an Active Directory domain.
Where the client is a member of a Samba domain, it is preferable to leave this field blank.
</p><p>
<a class="indexterm" name="id387534"></a>
According to Microsoft documentation, <span class="quote">“<span class="quote">If this computer belongs to a group with <code class="constant">Group Policy</code>
enabled on <code class="literal">Primary DNS suffix of this computer</code>, the string specified in the Group Policy is used
as the primary DNS suffix and you might need to restart your computer to view the correct setting. The local setting is
used only if Group Policy is disabled or unspecified.</span>”</span>
</p></div><div class="sect1" title="Samba System File Location"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387559"></a>Samba System File Location</h2></div></div></div><p><a class="indexterm" name="id387566"></a><a class="indexterm" name="id387574"></a><a class="indexterm" name="id387581"></a>
One of the frustrations expressed by subscribers to the Samba mailing lists revolves around the choice of where the default Samba Team
build and installation process locates its Samba files. The location, chosen in the early 1990s, for the default installation is
in the <code class="filename">/usr/local/samba</code> directory. This is a perfectly reasonable location, particularly given all the other
Open Source software that installs into the <code class="filename">/usr/local</code> subdirectories.
</p><p>
Several UNIX vendors, and Linux vendors in particular, elected to locate the Samba files in a location other than the Samba Team
default.
</p><p><a class="indexterm" name="id387612"></a><a class="indexterm" name="id387624"></a><a class="indexterm" name="id387631"></a><a class="indexterm" name="id387643"></a><a class="indexterm" name="id387650"></a><a class="indexterm" name="id387662"></a><a class="indexterm" name="id387670"></a><a class="indexterm" name="id387677"></a><a class="indexterm" name="id387685"></a><a class="indexterm" name="id387693"></a><a class="indexterm" name="id387701"></a><a class="indexterm" name="id387709"></a><a class="indexterm" name="id387717"></a><a class="indexterm" name="id387725"></a><a class="indexterm" name="id387732"></a><a class="indexterm" name="id387740"></a>
Linux vendors, working in conjunction with the Free Standards Group (FSG), Linux Standards Base (LSB), and File Hierarchy
System (FHS), have elected to locate the configuration files under the <code class="filename">/etc/samba</code> directory, common binary
files (those used by users) in the <code class="filename">/usr/bin</code> directory, and the administrative files (daemons) in the
<code class="filename">/usr/sbin</code> directory. Support files for the Samba Web Admin Tool (SWAT) are located under the
<code class="filename">/usr/share</code> directory, either in <code class="filename">/usr/share/samba/swat</code> or in
<code class="filename">/usr/share/swat</code>. There are additional support files for <code class="literal">smbd</code> in the
<code class="filename">/usr/lib/samba</code> directory tree. The files located there include the dynamically loadable modules for the
passdb backend as well as for the VFS modules.
</p><p><a class="indexterm" name="id387804"></a><a class="indexterm" name="id387812"></a><a class="indexterm" name="id387820"></a>
Samba creates runtime control files and generates log files. The runtime control files (tdb and dat files) are stored in
the <code class="filename">/var/lib/samba</code> directory. Log files are created in <code class="filename">/var/log/samba</code>.
</p><p>
When Samba is built and installed using the default Samba Team process, all files are located under the
<code class="filename">/usr/local/samba</code> directory tree. This makes it simple to find the files that Samba owns.
</p><p><a class="indexterm" name="id387854"></a>
One way to find the Samba files that are installed on your UNIX/Linux system is to search for the location
of all files called <code class="literal">smbd</code>. Here is an example:
</p><pre class="screen">
<code class="prompt">root# </code> find / -name smbd -print
</pre><p>
You can find the location of the configuration files by running:
</p><pre class="screen">
<code class="prompt">root# </code> /path-to-binary-file/smbd -b | more
...
Paths:
SBINDIR: /usr/sbin
BINDIR: /usr/bin
SWATDIR: /usr/share/samba/swat
CONFIGFILE: /etc/samba/smb.conf
LOGFILEBASE: /var/log/samba
LMHOSTSFILE: /etc/samba/lmhosts
LIBDIR: /usr/lib/samba
SHLIBEXT: so
LOCKDIR: /var/lib/samba
PIDDIR: /var/run/samba
SMB_PASSWD_FILE: /etc/samba/smbpasswd
PRIVATE_DIR: /etc/samba
...
</pre><p>
If you wish to locate the Samba version, just run:
</p><pre class="screen">
<code class="prompt">root# </code> /path-to-binary-file/smbd -V
Version 3.0.20-SUSE
</pre><p>
Many people have been caught by installation of Samba using the default Samba Team process when it was already installed
by the platform vendor's method. If your platform uses RPM format packages, you can check to see if Samba is installed by
executing:<a class="indexterm" name="id387919"></a>
</p><pre class="screen">
<code class="prompt">root# </code> rpm -qa | grep samba
samba3-pdb-3.0.20-1
samba3-vscan-0.3.6-0
samba3-winbind-3.0.20-1
samba3-3.0.20-1
samba3-python-3.0.20-1
samba3-utils-3.0.20-1
samba3-doc-3.0.20-1
samba3-client-3.0.20-1
samba3-cifsmount-3.0.20-1
</pre><p><a class="indexterm" name="id387940"></a>
The package names, of course, vary according to how the vendor, or the binary package builder, prepared them.
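</p><p>
The script below is an added example, not part of the book: it automates the checks above by running every <code class="literal">smbd</code> it finds with <code class="literal">-V</code> and <code class="literal">-b</code>, and counts how many distinct <code class="literal">CONFIGFILE</code> values the binaries were compiled with, which is how a vendor package and a default <code class="filename">/usr/local/samba</code> build installed side by side show themselves. The directory list and the sample <code class="literal">-b</code> output are assumptions.
</p>

```shell
#!/bin/sh
# Added example (not from the book): locate every smbd binary on the host,
# report its version and compiled-in paths, and warn when more than one
# installation is present. Two smbd binaries pointing at different smb.conf
# files is the classic symptom of a source build layered over a vendor package.

# Print the value of one "KEY: value" line from `smbd -b` output read on stdin.
# Usage: build_path KEY < build-info
build_path() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Candidate locations (assumed list; adjust for your platform). Narrower and
# much faster than `find / -name smbd -print`.
SMBD_DIRS="/usr/sbin /usr/local/sbin /usr/local/samba/sbin /opt"

find_smbd_binaries() {
    # Word splitting of SMBD_DIRS is intended; missing dirs are silenced.
    find $SMBD_DIRS -type f -name smbd 2>/dev/null || true
}

# Describe one smbd binary: its version and the paths an admin needs in order
# to tell two installations apart.
report_smbd() {
    bin="$1"
    info=$("$bin" -b 2>/dev/null) || { echo "$bin: cannot run -b" >&2; return 1; }
    version=$("$bin" -V 2>/dev/null) || version="unknown"
    printf '%s\n  %-13s %s\n' "$bin" "version:" "$version"
    for key in CONFIGFILE PRIVATE_DIR LOCKDIR PIDDIR LOGFILEBASE; do
        printf '  %-13s %s\n' "$key:" "$(printf '%s\n' "$info" | build_path "$key")"
    done
}

# Given files holding `smbd -b` output (one per binary), count the distinct
# CONFIGFILE values. Anything above 1 means the installations disagree about
# which smb.conf is in force.
distinct_configs() {
    for f in "$@"; do
        build_path CONFIGFILE < "$f"
    done | sort -u | wc -l | tr -d ' '
}

main() {
    found=0
    for bin in $(find_smbd_binaries); do
        if report_smbd "$bin"; then
            found=$((found + 1))
        fi
    done
    if [ "$found" -gt 1 ]; then
        echo "WARNING: $found smbd binaries found; check which one your init script starts." >&2
    fi
    return 0
}

main "$@"
```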
|---|
</p></div><div class="sect1" title="Starting Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id387952"></a>Starting Samba</h2></div></div></div><p><a class="indexterm" name="id387958"></a>
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services.
An example of a service is the Apache Web server, for which the daemon is called <code class="literal">httpd</code>. In the case of Samba, there
are three daemons, two of which are needed as a minimum.
</p><p>
The Samba server is made up of the following daemons:
</p><div class="example"><a name="ch12SL"></a><p class="title"><b>Example 15.1. A Useful Samba Control Script for SUSE Linux</b></p><div class="example-contents"><pre class="screen">
#!/bin/bash
#
# Script to start/stop samba
# Locate this in /sbin as a file called 'samba'

RCD=/etc/rc.d

if [ -z "$1" ]; then
	echo "$0 - No arguments given; must be start, stop or restart."
	exit 1
fi

# nmbd must be running before smbd; winbindd is started last.
if [ "$1" = 'start' ]; then
	${RCD}/nmb start
	${RCD}/smb start
	${RCD}/winbind start
fi
# Stop in the reverse order.
if [ "$1" = 'stop' ]; then
	${RCD}/smb stop
	${RCD}/winbind stop
	${RCD}/nmb stop
fi
if [ "$1" = 'restart' ]; then
	${RCD}/smb stop
	${RCD}/winbind stop
	${RCD}/nmb stop
	sleep 5
	${RCD}/nmb start
	${RCD}/smb start
	${RCD}/winbind start
fi
exit 0
</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">nmbd</span></dt><dd><p>
<a class="indexterm" name="id388017"></a>
<a class="indexterm" name="id388024"></a>
This daemon handles all name registration and resolution requests. It is the primary vehicle involved
in network browsing. It handles all UDP-based protocols. The <code class="literal">nmbd</code> daemon should
be the first command started as part of the Samba startup process.
</p></dd><dt><span class="term">smbd</span></dt><dd><p>
<a class="indexterm" name="id388051"></a>
<a class="indexterm" name="id388058"></a>
This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also
manages local authentication. It should be started immediately following the startup of <code class="literal">nmbd</code>.
</p></dd><dt><span class="term">winbindd</span></dt><dd><p>
<a class="indexterm" name="id388085"></a>
<a class="indexterm" name="id388092"></a>
This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when
Samba has trust relationships with another domain. The <code class="literal">winbindd</code> daemon will check the
<code class="filename">smb.conf</code> file for the presence of the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em>
parameters. If they are not found, <code class="literal">winbindd</code> bails out and refuses to start.
</p></dd></dl></div><p>
When Samba has been packaged by an operating system vendor, the startup process is typically a custom feature of its
integration into the platform as a whole. Please refer to your operating system platform administration manuals for
specific information pertaining to correct management of Samba startup.
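</p><p>
As an added example (not from the book or the Samba project), the pre-flight check below tests an <code class="filename">smb.conf</code> for the <em class="parameter"><code>idmap uid</code></em> and <em class="parameter"><code>idmap gid</code></em> parameters that <code class="literal">winbindd</code> requires, so a control script can refuse early with a clear message rather than letting the daemon bail out. It honours the way Samba matches parameter names (case and embedded whitespace are ignored); the configuration file path is an assumption.
</p>

```shell
#!/bin/sh
# Added example: verify that winbindd's idmap prerequisites are present in an
# smb.conf before trying to start it. Samba compares parameter names ignoring
# case and whitespace, so "Idmap UID" and "idmapgid" must both be recognised.

# Return 0 when both "idmap uid" and "idmap gid" are set in the file given as $1.
winbind_prereqs_ok() {
    result=$(awk -F= '
        /^[[:space:]]*[#;]/ { next }          # skip comment lines
        NF >= 2 {
            name = tolower($1)
            gsub(/[[:space:]]/, "", name)     # "idmap uid " -> "idmapuid"
            if (name == "idmapuid") uid = 1
            if (name == "idmapgid") gid = 1
        }
        END { if (uid && gid) print "yes"; else print "no" }' "$1")
    [ "$result" = "yes" ]
}

# Wrapper for use right before "${RCD}/winbind start" in a control script
# such as the SUSE one above. Prints a diagnostic and fails instead of
# letting winbindd refuse to start without explanation in the init output.
check_winbind_start() {
    conf="${1:-/etc/samba/smb.conf}"   # assumed default location
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable; cannot verify winbindd prerequisites" >&2
        return 1
    fi
    if winbind_prereqs_ok "$conf"; then
        echo "idmap uid/gid present in $conf; winbindd may be started"
        return 0
    fi
    echo "idmap uid and idmap gid must both be set in $conf before starting winbindd" >&2
    return 1
}
```

Call <code class="literal">check_winbind_start /etc/samba/smb.conf &amp;&amp; ${RCD}/winbind start</code> from the control script to gate the daemon on the check.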
|---|
</p><div class="example"><a name="ch12RHscript"></a><p class="title"><b>Example 15.2. A Sample Samba Control Script for Red Hat Linux</b></p><div class="example-contents"><pre class="screen">
#!/bin/sh
#
# chkconfig: 345 81 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.

# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up (quoted so an unset NETWORKING cannot break the test).
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0
CONFIG=/etc/samba/smb.conf
# Check that smb.conf exists.
[ -f "$CONFIG" ] || exit 0

# See how we were called.
case "$1" in
  start)
	echo -n "Starting SMB services: "
	daemon smbd -D; daemon nmbd -D; echo;
	touch /var/lock/subsys/smb
	;;
  stop)
	echo -n "Shutting down SMB services: "
	# smbd forks one child per client, so every smbd process must be signalled.
	smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
	for pid in $smbdpids; do
		kill -TERM $pid
	done
	killproc nmbd -TERM; rm -f /var/lock/subsys/smb
	echo ""
	;;
  status)
	status smbd; status nmbd;
	;;
  restart)
	echo -n "Restarting SMB services: "
	$0 stop; $0 start;
	echo "done."
	;;
  *)
	echo "Usage: smb {start|stop|restart|status}"
	exit 1
esac
</pre></div></div><br class="example-break"><p><a class="indexterm" name="id388184"></a>
SUSE Linux implements individual control over each Samba daemon. A Samba control script that can be conveniently
executed from the command line is shown in <a class="link" href="appendix.html#ch12SL" title="Example 15.1. A Useful Samba Control Script for SUSE Linux">“A Useful Samba Control Script for SUSE Linux”</a>. This can be located in the directory
<code class="filename">/sbin</code> in a file called <code class="filename">samba</code>. This type of control script should be
owned by user root and group root, and set so that only root can execute it.
</p><p><a class="indexterm" name="id388216"></a>
A sample startup script for a Red Hat Linux system is shown in <a class="link" href="appendix.html#ch12RHscript" title="Example 15.2. A Sample Samba Control Script for Red Hat Linux">“A Sample Samba Control Script for Red Hat Linux”</a>.
This file could be located in the directory <code class="filename">/etc/rc.d</code> and can be called
<code class="filename">samba</code>. A similar startup script is required to control <code class="literal">winbind</code>.
If you want to find more information regarding startup scripts, please refer to the packaging section of
the Samba source code distribution tarball. The packaging files for each platform include a
startup control file.
</p></div><div class="sect1" title="DNS Configuration Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388254"></a>DNS Configuration Files</h2></div></div></div><p>
The following files are common to all DNS server configurations. Rather than repeat them multiple times, they
are presented here for general reference.
</p><div class="sect2" title="The Forward Zone File for the Loopback Adaptor"><div class="titlepage"><div><div><h3 class="title"><a name="id388264"></a>The Forward Zone File for the Loopback Adaptor</h3></div></div></div><p>
The forward zone file for the loopback address never changes. An example file is shown
in <a class="link" href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”</a>. All traffic destined for an IP address that is hosted on a
physical interface on the machine itself is routed to the loopback adaptor. This is
a fundamental design feature of the TCP/IP protocol implementation. The loopback adaptor
is called <code class="constant">localhost</code>.
</p><div class="example"><a name="loopback"></a><p class="title"><b>Example 15.3. DNS Localhost Forward Zone File: <code class="filename">/var/lib/named/localhost.zone</code></b></p><div class="example-contents"><pre class="screen">
$TTL 1W
@               IN SOA  @   root (
                42              ; serial
                2D              ; refresh
                4H              ; retry
                6W              ; expiry
                1W )            ; minimum

                IN NS           @
                IN A            127.0.0.1
</pre></div></div><br class="example-break"></div><div class="sect2" title="The Reverse Zone File for the Loopback Adaptor"><div class="titlepage"><div><div><h3 class="title"><a name="id388308"></a>The Reverse Zone File for the Loopback Adaptor</h3></div></div></div><p>
The reverse zone file for the loopback address, as shown in <a class="link" href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”</a>,
is necessary so that references to the address <code class="constant">127.0.0.1</code> can be
resolved to the correct name of the interface.
</p><div class="example"><a name="dnsloopy"></a><p class="title"><b>Example 15.4. DNS Localhost Reverse Zone File: <code class="filename">/var/lib/named/127.0.0.zone</code></b></p><div class="example-contents"><pre class="screen">
$TTL 1W
@               IN SOA          localhost.   root.localhost. (
                42              ; serial
                2D              ; refresh
                4H              ; retry
                6W              ; expiry
                1W )            ; minimum

                IN NS           localhost.
1               IN PTR          localhost.
</pre></div></div><br class="example-break"><div class="example"><a name="roothint"></a><p class="title"><b>Example 15.5. DNS Root Name Server Hint File: <code class="filename">/var/lib/named/root.hint</code></b></p><div class="example-contents"><pre class="screen">
; This file is made available by InterNIC under anonymous FTP as
;       file                /domain/named.root
;       on server           FTP.INTERNIC.NET
; last update: Nov 5, 2002. Related version of root zone: 2002110501
; formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
; formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
; formerly C.PSI.NET
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
; formerly TERP.UMD.EDU
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
; formerly NS.NASA.GOV
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
; formerly NS.ISC.ORG
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
; formerly NS.NIC.DDN.MIL
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
; formerly AOS.ARL.ARMY.MIL
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
; formerly NIC.NORDU.NET
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
; operated by VeriSign, Inc.
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
; housed in LINX, operated by RIPE NCC
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
; operated by IANA
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
; housed in Japan, operated by WIDE
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File
</pre></div></div><br class="example-break"></div><div class="sect2" title="DNS Root Server Hint File"><div class="titlepage"><div><div><h3 class="title"><a name="id388408"></a>DNS Root Server Hint File</h3></div></div></div><p>
The content of the root hints file as shown in <a class="link" href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">“DNS Root Name Server Hint File: /var/lib/named/root.hint”</a> changes slowly over time.
Periodically this file should be updated from the source shown. Because
of its size, this file is located at the end of this chapter.
</p></div></div><div class="sect1" title="Alternative LDAP Database Initialization"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="altldapcfg"></a>Alternative LDAP Database Initialization</h2></div></div></div><p><a class="indexterm" name="id388437"></a><a class="indexterm" name="id388448"></a>
The following procedure may be used as an alternative means of configuring
the initial LDAP database. Many administrators prefer to have greater control
over how system files get configured.
</p><div class="sect2" title="Initialization of the LDAP Database"><div class="titlepage"><div><div><h3 class="title"><a name="id388463"></a>Initialization of the LDAP Database</h3></div></div></div><p><a class="indexterm" name="id388470"></a><a class="indexterm" name="id388478"></a><a class="indexterm" name="id388489"></a>
|---|
| 356 | The first step to get the LDAP server ready for action is to create the LDIF file from | 
|---|
| 357 | which the LDAP database will be preloaded. This is necessary to create the containers | 
|---|
| 358 | into which the user, group, and other accounts are written. It is also necessary to | 
|---|
| 359 | preload the well-known Windows NT Domain Groups, as they must have the correct SID so | 
|---|
| 360 | that they can be recognized as special NT Groups by the MS Windows clients. | 
|---|
| 361 | </p><div class="procedure" title="Procedure 15.2. LDAP Directory Pre-Load Steps"><a name="ldapinit"></a><p class="title"><b>Procedure 15.2. LDAP Directory Pre-Load Steps</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 362 | Create a directory in which to store the files you use to generate | 
|---|
| 363 | the LDAP LDIF file for your system. Execute the following: | 
|---|
| 364 | </p><pre class="screen"> | 
|---|
| 365 | <code class="prompt">root# </code> mkdir /etc/openldap/SambaInit | 
|---|
| 366 | <code class="prompt">root# </code> chown root:root /etc/openldap/SambaInit | 
|---|
| 367 | <code class="prompt">root# </code> chmod 700 /etc/openldap/SambaInit | 
|---|
| 368 | </pre><p> | 
|---|
| 369 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 370 | Install the files shown in <a class="link" href="appendix.html#sbehap-ldapreconfa" title="Example 15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh  Part A”</a>, <a class="link" href="appendix.html#sbehap-ldapreconfb" title="Example 15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh  Part B”</a>, | 
|---|
| 371 | and <a class="link" href="appendix.html#sbehap-ldapreconfc" title="Example 15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C">“LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh  Part C”</a> into the file | 
|---|
| 372 | <code class="filename">/etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh</code>. These three files are, | 
|---|
| 373 | respectively, parts A, B, and C of the <code class="filename">SMBLDAP-ldif-preconfig.sh</code> file. | 
|---|
| 374 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 375 | Install the files shown in <a class="link" href="appendix.html#sbehap-ldifpata" title="Example 15.9. LDIF Pattern File Used to Pre-configure LDAP Part A">“LDIF Pattern File Used to Pre-configure LDAP  Part A”</a> and <a class="link" href="appendix.html#sbehap-ldifpatb" title="Example 15.10. LDIF Pattern File Used to Pre-configure LDAP Part B">“LDIF Pattern File Used to Pre-configure LDAP  Part B”</a> into the directory | 
|---|
| 376 | <code class="filename">/etc/openldap/SambaInit/</code>. These two files are | 
|---|
| 377 | parts A and B, respectively, of the <code class="filename">init-ldif.pat</code> file. | 
|---|
| 378 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 379 | Change to the <code class="filename">/etc/openldap/SambaInit</code> directory. Execute the following: | 
|---|
| 380 | </p><pre class="screen"> | 
|---|
| 381 | <code class="prompt">root# </code> sh SMBLDAP-ldif-preconfig.sh | 
|---|
| 382 |  | 
|---|
| 383 | How do you wish to refer to your organization? | 
|---|
| 384 | Suggestions: | 
|---|
| 385 | Black Tire Company, Inc. | 
|---|
| 386 | Cat With Hat Ltd. | 
|---|
| 387 | How would you like your organization name to appear? | 
|---|
| 388 | Your organization name is: My Organization | 
|---|
| 389 | Enter a new name is this is not what you want, press Enter to Continue. | 
|---|
| 390 | Name [My Organization]: Abmas Inc. | 
|---|
| 391 |  | 
|---|
| 392 | Samba Config File Location [/etc/samba/smb.conf]: | 
|---|
| 393 | Enter a new full path or press Enter to continue. | 
|---|
| 394 | Samba Config File Location [/etc/samba/smb.conf]: | 
|---|
| 395 | Domain Name: MEGANET2 | 
|---|
| 396 | Domain SID: S-1-5-21-3504140859-1010554828-2431957765 | 
|---|
| 397 |  | 
|---|
| 398 | The name of your Internet domain is now needed in a special format | 
|---|
| 399 | as follows, if your domain name is mydomain.org, what we need is | 
|---|
| 400 | the information in the form of: | 
|---|
| 401 | Domain ID: mydomain | 
|---|
| 402 | Top level: org | 
|---|
| 403 | If your fully qualified hostname is: snoopy.bazaar.garagesale.net | 
|---|
| 404 | where "snoopy" is the name of the machine, | 
|---|
| 405 | Then the information needed is: | 
|---|
| 406 | Domain ID: garagesale | 
|---|
| 407 | Top Level: net | 
|---|
| 408 |  | 
|---|
| 409 | Found the following domain name: abmas.biz | 
|---|
| 410 | I think the bit we are looking for might be: abmas | 
|---|
| 411 | Enter the domain name or press Enter to continue: | 
|---|
| 412 |  | 
|---|
| 413 | The top level organization name I will use is: biz | 
|---|
| 414 | Enter the top level org name or press Enter to continue: | 
|---|
| 415 | <code class="prompt">root# </code> | 
|---|
| 416 | </pre><p> | 
|---|
| 417 | This creates a file called <code class="filename">MEGANET2.ldif</code>. | 
|---|
| 418 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 419 | It is now time to preload the LDAP database with the following | 
|---|
| 420 | command: | 
|---|
| 421 | </p><pre class="screen"> | 
|---|
| 422 | <code class="prompt">root# </code> slapadd -v -l MEGANET2.ldif | 
|---|
| 423 | added: "dc=abmas,dc=biz" (00000001) | 
|---|
| 424 | added: "cn=Manager,dc=abmas,dc=biz" (00000002) | 
|---|
| 425 | added: "ou=People,dc=abmas,dc=biz" (00000003) | 
|---|
| 426 | added: "ou=Computers,dc=abmas,dc=biz" (00000004) | 
|---|
| 427 | added: "ou=Groups,dc=abmas,dc=biz" (00000005) | 
|---|
| 428 | added: "ou=Domains,dc=abmas,dc=biz" (00000006) | 
|---|
| 429 | added: "sambaDomainName=MEGANET2,ou=Domains,dc=abmas,dc=biz" (00000007) | 
|---|
| 430 | added: "cn=domadmins,ou=Groups,dc=abmas,dc=biz" (00000008) | 
|---|
| 431 | added: "cn=domguests,ou=Groups,dc=abmas,dc=biz" (00000009) | 
|---|
| 432 | added: "cn=domusers,ou=Groups,dc=abmas,dc=biz" (0000000a) | 
|---|
| 433 | </pre><p> | 
|---|
| 434 | You should verify that the account information was correctly loaded by executing: | 
|---|
| 435 | </p><pre class="screen"> | 
|---|
| 436 | <code class="prompt">root# </code> slapcat | 
|---|
| 437 | dn: dc=abmas,dc=biz | 
|---|
| 438 | objectClass: dcObject | 
|---|
| 439 | objectClass: organization | 
|---|
| 440 | dc: abmas | 
|---|
| 441 | o: Abmas Inc. | 
|---|
| 442 | description: Posix and Samba LDAP Identity Database | 
|---|
| 443 | structuralObjectClass: organization | 
|---|
| 444 | entryUUID: af552f8e-c4a1-1027-9002-9421e01bf474 | 
|---|
| 445 | creatorsName: cn=manager,dc=abmas,dc=biz | 
|---|
| 446 | modifiersName: cn=manager,dc=abmas,dc=biz | 
|---|
| 447 | createTimestamp: 20031217055747Z | 
|---|
| 448 | modifyTimestamp: 20031217055747Z | 
|---|
| 449 | entryCSN: 2003121705:57:47Z#0x0001#0#0000 | 
|---|
| 450 | ... | 
|---|
| 451 |  | 
|---|
| 452 | dn: cn=domusers,ou=Groups,dc=abmas,dc=biz | 
|---|
| 453 | objectClass: posixGroup | 
|---|
| 454 | objectClass: sambaGroupMapping | 
|---|
| 455 | gidNumber: 513 | 
|---|
| 456 | cn: domusers | 
|---|
| 457 | sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 | 
|---|
| 458 | sambaGroupType: 2 | 
|---|
| 459 | displayName: Domain Users | 
|---|
| 460 | description: Domain Users | 
|---|
| 461 | structuralObjectClass: posixGroup | 
|---|
| 462 | entryUUID: af7e98ba-c4a1-1027-900b-9421e01bf474 | 
|---|
| 463 | creatorsName: cn=manager,dc=abmas,dc=biz | 
|---|
| 464 | modifiersName: cn=manager,dc=abmas,dc=biz | 
|---|
| 465 | createTimestamp: 20031217055747Z | 
|---|
| 466 | modifyTimestamp: 20031217055747Z | 
|---|
| 467 | entryCSN: 2003121705:57:47Z#0x000a#0#0000 | 
|---|
| 468 | </pre><p> | 
|---|
| 469 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 470 | Your LDAP database is ready for testing. You can now start the LDAP server | 
|---|
| 471 | using the system tool for your Linux operating system. For SUSE Linux, you can | 
|---|
| 472 | do this as follows: | 
|---|
| 473 | </p><pre class="screen"> | 
|---|
| 474 | <code class="prompt">root# </code> rcldap start | 
|---|
| 475 | </pre><p> | 
|---|
| 476 | </p></li><li class="step" title="Step 7"><p> | 
|---|
| 477 | It is now a good idea to validate that the LDAP server is running correctly. | 
|---|
| 478 | Execute the following: | 
|---|
| 479 | </p><pre class="screen"> | 
|---|
| 480 | <code class="prompt">root# </code> ldapsearch -x -b "dc=abmas,dc=biz" "(ObjectClass=*)" | 
|---|
| 481 | # extended LDIF | 
|---|
| 482 | # | 
|---|
| 483 | # LDAPv3 | 
|---|
| 484 | # base <dc=abmas,dc=biz> with scope sub | 
|---|
| 485 | # filter: (ObjectClass=*) | 
|---|
| 486 | # requesting: ALL | 
|---|
| 487 | # | 
|---|
| 488 |  | 
|---|
| 489 | # abmas.biz | 
|---|
| 490 | dn: dc=abmas,dc=biz | 
|---|
| 491 | objectClass: dcObject | 
|---|
| 492 | objectClass: organization | 
|---|
| 493 | dc: abmas | 
|---|
| 494 | o: Abmas Inc. | 
|---|
| 495 | description: Posix and Samba LDAP Identity Database | 
|---|
| 496 | ... | 
|---|
| 497 | # domusers, Groups, abmas.biz | 
|---|
| 498 | dn: cn=domusers,ou=Groups,dc=abmas,dc=biz | 
|---|
| 499 | objectClass: posixGroup | 
|---|
| 500 | objectClass: sambaGroupMapping | 
|---|
| 501 | gidNumber: 513 | 
|---|
| 502 | cn: domusers | 
|---|
| 503 | sambaSID: S-1-5-21-3504140859-1010554828-2431957765-513 | 
|---|
| 504 | sambaGroupType: 2 | 
|---|
| 505 | displayName: Domain Users | 
|---|
| 506 | description: Domain Users | 
|---|
| 507 |  | 
|---|
| 508 | # search result | 
|---|
| 509 | search: 2 | 
|---|
| 510 | result: 0 Success | 
|---|
| 511 |  | 
|---|
| 512 | # numResponses: 11 | 
|---|
| 513 | # numEntries: 10 | 
|---|
| 514 | </pre><p> | 
|---|
| 515 | Your LDAP server is ready for creation of additional accounts. | 
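The pattern-file approach used by <code class="filename">SMBLDAP-ldif-preconfig.sh</code> (Examples 15.6 through 15.10) substitutes ORGNAME, INETDOMAIN, TLDORG, DOMNAME and DOMSID with <code class="literal">sed s///</code> and writes whatever comes out. The script below is an added example, not part of the book or of the Samba project: it renders the same kind of <code class="filename">init-ldif.pat</code> template with literal placeholder replacement, checks that the domain SID really has the <code class="literal">S-1-5-21-n-n-n</code> shape the well-known groups depend on, checks that the dc= components are DNS labels, and refuses to emit a file in which a placeholder survived. The function names, the constructed pattern excerpt and the organization name "Abmas &amp; Sons/Co" are assumptions made here; the domain SID and names are the ones shown on the page.

```shell
#!/bin/sh
# Added example, not part of Samba-3 by Example or of the book's
# SMBLDAP-ldif-preconfig.sh: render an init-ldif.pat style template into
# an LDIF file with literal placeholder replacement and input validation.
# Placeholders ORGNAME, INETDOMAIN, TLDORG, DOMNAME, DOMSID are the ones the
# page's pattern file uses; function names and sample data are constructed.

# A Samba domain SID looks like S-1-5-21-<n>-<n>-<n>. The well-known groups
# (RIDs 512, 513, 514) are only recognized by Windows clients if this prefix
# is right, so check it before anything is written.
valid_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# A dc= component must be a plain DNS label: letters, digits and hyphens,
# not starting or ending with a hyphen.
valid_dc_label() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# render_ldif PATTERN ORGNAME INETDOMAIN TLDORG DOMNAME DOMSID
# Writes the rendered LDIF to stdout. Values travel through the environment
# and are spliced in with index()/substr(), so "&", "/" or "\" in an
# organization name are copied literally instead of being interpreted the
# way they would be inside a sed s/// expression.
render_ldif() {
    LDIF_ORG="$2" LDIF_INET="$3" LDIF_TLD="$4" LDIF_DOM="$5" LDIF_SID="$6" \
    awk '
    function subst(s, key, val,    out, i) {
        out = ""
        while ((i = index(s, key)) > 0) {
            out = out substr(s, 1, i - 1) val
            s = substr(s, i + length(key))
        }
        return out s
    }
    {
        line = $0
        line = subst(line, "INETDOMAIN", ENVIRON["LDIF_INET"])
        line = subst(line, "TLDORG",     ENVIRON["LDIF_TLD"])
        line = subst(line, "DOMNAME",    ENVIRON["LDIF_DOM"])
        line = subst(line, "DOMSID",     ENVIRON["LDIF_SID"])
        # free-text ORGNAME goes last so no later pass rescans its contents
        line = subst(line, "ORGNAME",    ENVIRON["LDIF_ORG"])
        print line
    }' "$1"
}

# build_ldif PATTERN ORGNAME INETDOMAIN TLDORG DOMNAME DOMSID OUTFILE
# Validates the inputs, renders, and refuses an output that still carries a
# placeholder (a missed substitution would otherwise load a dc=TLDORG suffix).
build_ldif() {
    if ! valid_domain_sid "$6"; then
        echo "refusing to continue: '$6' is not a domain SID" >&2
        return 1
    fi
    if ! valid_dc_label "$3" || ! valid_dc_label "$4"; then
        echo "refusing to continue: '$3' / '$4' are not DNS labels" >&2
        return 1
    fi
    render_ldif "$1" "$2" "$3" "$4" "$5" "$6" > "$7" || return 1
    if grep -Eq 'INETDOMAIN|TLDORG|DOMNAME|DOMSID|ORGNAME' "$7"; then
        echo "placeholder left unreplaced in $7" >&2
        return 1
    fi
}

# Constructed excerpt in the style of init-ldif.pat, written to $1.
make_sample_pattern() {
    cat > "$1" <<'EOF'
dn: dc=INETDOMAIN,dc=TLDORG
objectClass: dcObject
objectClass: organization
dc: INETDOMAIN
o: ORGNAME

dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
objectClass: sambaDomain
sambaDomainName: DOMNAME
sambaSID: DOMSID

dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: domusers
sambaSID: DOMSID-513
EOF
}

# Render the sample with the domain SID shown on the page and print it.
demo() {
    dir=$(mktemp -d)
    make_sample_pattern "$dir/init-ldif.pat"
    build_ldif "$dir/init-ldif.pat" "Abmas & Sons/Co" abmas biz MEGANET2 \
        S-1-5-21-3504140859-1010554828-2431957765 "$dir/MEGANET2.ldif"
    cat "$dir/MEGANET2.ldif"
    rm -r "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script with <code class="literal">--demo</code> prints the rendered LDIF; in practice the output file is what Step 5 hands to <code class="literal">slapadd -v -l</code>. The validation is deliberately placed before rendering: a malformed <code class="literal">sambaSID</code> is accepted by <code class="literal">slapadd</code> without complaint, and the mistake only surfaces later when clients fail to recognize Domain Admins, Domain Users and Domain Guests as the well-known groups.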
|---|
| 516 | </p></li></ol></div></div><div class="example"><a name="sbehap-ldapreconfa"></a><p class="title"><b>Example 15.6. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code>  Part A</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 517 | #!/bin/bash | 
|---|
| 518 | # | 
|---|
| 519 | # This script prepares the ldif LDAP load file only | 
|---|
| 520 | # | 
|---|
| 521 |  | 
|---|
| 522 | # Pattern File Name | 
|---|
| 523 | file=init-ldif.pat | 
|---|
| 524 |  | 
|---|
| 525 | # The name of my organization | 
|---|
| 526 | ORGNAME="My Organization" | 
|---|
| 527 |  | 
|---|
| 528 | # My Internet domain, i.e., if my domain is buckets.org, INETDOMAIN="buckets" | 
|---|
| 529 | INETDOMAIN="my-domain" | 
|---|
| 530 |  | 
|---|
| 531 | # In the above case, my domain is buckets.org, so TLDORG="org" | 
|---|
| 532 | TLDORG="org" | 
|---|
| 533 |  | 
|---|
| 534 | # This is the Samba Domain/Workgroup Name | 
|---|
| 535 | DOMNAME="MYWORKGROUP" | 
|---|
| 536 |  | 
|---|
| 537 | # | 
|---|
| 538 | # Here We Go ... | 
|---|
| 539 | # | 
|---|
| 540 |  | 
|---|
| 541 | cat <<EOF | 
|---|
| 542 |  | 
|---|
| 543 | How do you wish to refer to your organization? | 
|---|
| 544 |  | 
|---|
| 545 | Suggestions: | 
|---|
| 546 | Black Tire Company, Inc. | 
|---|
| 547 | Cat With Hat Ltd. | 
|---|
| 548 |  | 
|---|
| 549 | How would you like your organization name to appear? | 
|---|
| 550 |  | 
|---|
| 551 | EOF | 
|---|
| 552 |  | 
|---|
| 553 | echo "Your organization name is: $ORGNAME" | 
|---|
| 554 | echo | 
|---|
| 555 | echo "Enter a new name or, press Enter to Continue." | 
|---|
| 556 | echo | 
|---|
| 557 | </pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfb"></a><p class="title"><b>Example 15.7. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code>  Part B</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 558 | echo -e -n "Name [$ORGNAME]: " | 
|---|
| 559 | read name | 
|---|
| 560 |  | 
|---|
| 561 | if [ ! -z "$name" ]; then | 
|---|
| 562 | ORGNAME=${name} | 
|---|
| 563 | fi | 
|---|
| 564 | echo | 
|---|
| 565 | sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1 | 
|---|
| 566 |  | 
|---|
| 567 | # Try to find smb.conf | 
|---|
| 568 |  | 
|---|
| 569 | if [ -e /usr/local/samba/lib/smb.conf ]; then | 
|---|
| 570 | CONF=/usr/local/samba/lib/smb.conf | 
|---|
| 571 | elif [ -e /etc/samba/smb.conf ]; then | 
|---|
| 572 | CONF=/etc/samba/smb.conf | 
|---|
| 573 | fi | 
|---|
| 574 |  | 
|---|
| 575 | echo "Samba Config File Location [$CONF]: " | 
|---|
| 576 | echo | 
|---|
| 577 | echo "Enter a new full path or press Enter to continue." | 
|---|
| 578 | echo | 
|---|
| 579 | echo -n "Samba Config File Location [$CONF]: " | 
|---|
| 580 | read name | 
|---|
| 581 | if [ ! -z "$name" ]; then | 
|---|
| 582 | CONF=$name | 
|---|
| 583 | fi | 
|---|
| 584 | echo | 
|---|
| 585 |  | 
|---|
| 586 | # Find the name of our Domain/Workgroup | 
|---|
| 587 | DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=` | 
|---|
| 588 | echo Domain Name: $DOMNAME | 
|---|
| 589 | echo | 
|---|
| 590 |  | 
|---|
| 591 | sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2 | 
|---|
| 592 |  | 
|---|
| 593 | DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"` | 
|---|
| 594 | echo Domain SID: $DOMSID | 
|---|
| 595 |  | 
|---|
| 596 | sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1 | 
|---|
| 597 | </pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldapreconfc"></a><p class="title"><b>Example 15.8. LDAP Pre-configuration Script: <code class="filename">SMBLDAP-ldif-preconfig.sh</code>  Part C</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 598 | cat <<EOL | 
|---|
| 599 | The name of your Internet domain is now needed in a special format | 
|---|
| 600 | as follows, if your domain name is mydomain.org, what we need is | 
|---|
| 601 | the information in the form of: | 
|---|
| 602 | Domain ID: mydomain | 
|---|
| 603 | Top level: org | 
|---|
| 604 |  | 
|---|
| 605 | If your fully qualified hostname is: snoopy.bazaar.garagesale.net | 
|---|
| 606 | where "snoopy" is the name of the machine, | 
|---|
| 607 | Then the information needed is: | 
|---|
| 608 | Domain ID: garagesale | 
|---|
| 609 | Top Level: net | 
|---|
| 610 |  | 
|---|
| 611 | EOL | 
|---|
| 612 | INETDOMAIN=`hostname -d | cut -f1 -d.` | 
|---|
| 613 | echo Found the following domain name: `hostname -d` | 
|---|
| 614 | echo "I think the bit we are looking for might be: $INETDOMAIN" | 
|---|
| 615 | echo | 
|---|
| 616 | echo -n "Enter the domain name or press Enter to continue: " | 
|---|
| 617 | read domnam | 
|---|
| 618 | if [ ! -z "$domnam" ]; then | 
|---|
| 619 | INETDOMAIN=$domnam | 
|---|
| 620 | fi | 
|---|
| 621 | echo | 
|---|
| 622 | sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2 | 
|---|
| 623 | TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"` | 
|---|
| 624 | echo "The top level organization name I will use is: ${TLDORG}" | 
|---|
| 625 | echo | 
|---|
| 626 | echo -n "Enter the top level org name or press Enter to continue: " | 
|---|
| 627 | read domnam | 
|---|
| 628 | if [ ! -z "$domnam" ]; then | 
|---|
| 629 | TLDORG=$domnam | 
|---|
| 630 | fi | 
|---|
| 631 | sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif | 
|---|
| 632 | rm $file.tmp* | 
|---|
| 633 | exit 0 | 
|---|
| 634 | </pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpata"></a><p class="title"><b>Example 15.9. LDIF Pattern File Used to Pre-configure LDAP  Part A</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 635 | dn: dc=INETDOMAIN,dc=TLDORG | 
|---|
| 636 | objectClass: dcObject | 
|---|
| 637 | objectClass: organization | 
|---|
| 638 | dc: INETDOMAIN | 
|---|
| 639 | o: ORGNAME | 
|---|
| 640 | description: Posix and Samba LDAP Identity Database | 
|---|
| 641 |  | 
|---|
| 642 | dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 643 | objectClass: organizationalRole | 
|---|
| 644 | cn: Manager | 
|---|
| 645 | description: Directory Manager | 
|---|
| 646 |  | 
|---|
| 647 | dn: ou=People,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 648 | objectClass: top | 
|---|
| 649 | objectClass: organizationalUnit | 
|---|
| 650 | ou: People | 
|---|
| 651 |  | 
|---|
| 652 | dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 653 | objectClass: top | 
|---|
| 654 | objectClass: organizationalUnit | 
|---|
| 655 | ou: Computers | 
|---|
| 656 |  | 
|---|
| 657 | dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 658 | objectClass: top | 
|---|
| 659 | objectClass: organizationalUnit | 
|---|
| 660 | ou: Groups | 
|---|
| 661 |  | 
|---|
| 662 | dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 663 | objectClass: top | 
|---|
| 664 | objectClass: organizationalUnit | 
|---|
| 665 | ou: Idmap | 
|---|
| 666 |  | 
|---|
| 667 | dn: ou=Domains,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 668 | objectClass: top | 
|---|
| 669 | objectClass: organizationalUnit | 
|---|
| 670 | ou: Domains | 
|---|
| 671 |  | 
|---|
| 672 | dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 673 | objectClass: sambaDomain | 
|---|
| 674 | sambaDomainName: DOMNAME | 
|---|
| 675 | sambaSID: DOMSID | 
|---|
| 676 | sambaAlgorithmicRidBase: 1000 | 
|---|
| 677 | structuralObjectClass: sambaDomain | 
|---|
| 678 | </pre></div></div><br class="example-break"><div class="example"><a name="sbehap-ldifpatb"></a><p class="title"><b>Example 15.10. LDIF Pattern File Used to Pre-configure LDAP  Part B</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 679 | dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 680 | objectClass: posixGroup | 
|---|
| 681 | objectClass: sambaGroupMapping | 
|---|
| 682 | gidNumber: 512 | 
|---|
| 683 | cn: domadmins | 
|---|
| 684 | sambaSID: DOMSID-512 | 
|---|
| 685 | sambaGroupType: 2 | 
|---|
| 686 | displayName: Domain Admins | 
|---|
| 687 | description: Domain Administrators | 
|---|
| 688 |  | 
|---|
| 689 | dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 690 | objectClass: posixGroup | 
|---|
| 691 | objectClass: sambaGroupMapping | 
|---|
| 692 | gidNumber: 514 | 
|---|
| 693 | cn: domguests | 
|---|
| 694 | sambaSID: DOMSID-514 | 
|---|
| 695 | sambaGroupType: 2 | 
|---|
| 696 | displayName: Domain Guests | 
|---|
| 697 | description: Domain Guests Users | 
|---|
| 698 |  | 
|---|
| 699 | dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG | 
|---|
| 700 | objectClass: posixGroup | 
|---|
| 701 | objectClass: sambaGroupMapping | 
|---|
| 702 | gidNumber: 513 | 
|---|
| 703 | cn: domusers | 
|---|
| 704 | sambaSID: DOMSID-513 | 
|---|
| 705 | sambaGroupType: 2 | 
|---|
| 706 | displayName: Domain Users | 
|---|
| 707 | description: Domain Users | 
|---|
| 708 | </pre></div></div><br class="example-break"></div><div class="sect1" title="The LDAP Account Manager"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id388919"></a>The LDAP Account Manager</h2></div></div></div><p> | 
|---|
| 709 | <a class="indexterm" name="id388927"></a> | 
|---|
| 710 | <a class="indexterm" name="id388934"></a> | 
|---|
| 711 | <a class="indexterm" name="id388943"></a> | 
|---|
| 712 | <a class="indexterm" name="id388949"></a> | 
|---|
| 713 | <a class="indexterm" name="id388956"></a> | 
|---|
| 714 | <a class="indexterm" name="id388963"></a> | 
|---|
| 715 | <a class="indexterm" name="id388970"></a> | 
|---|
| 716 | The LDAP Account Manager (LAM) is an application suite that has been written in PHP. | 
|---|
| 717 | LAM can be used with any Web server that has PHP4 support. It connects to the LDAP | 
|---|
| 718 | server either using unencrypted connections or via SSL/TLS. LAM can be used to manage | 
|---|
| 719 | Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines | 
|---|
| 720 | (hosts). | 
|---|
| 721 | </p><p> | 
|---|
| 722 | LAM is available from the <a class="ulink" href="http://sourceforge.net/projects/lam/" target="_top">LAM</a> | 
|---|
| 723 | home page and from its mirror sites. LAM has been released under the GNU GPL version 2. | 
|---|
| 724 | The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter | 
|---|
| 725 | of 2005. | 
|---|
| 726 | </p><p> | 
|---|
| 727 | <a class="indexterm" name="id388996"></a> | 
|---|
| 728 | <a class="indexterm" name="id389003"></a> | 
|---|
| 729 | <a class="indexterm" name="id389010"></a> | 
|---|
| 730 | Requirements: | 
|---|
| 731 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A web server that will work with PHP4.</p></li><li class="listitem"><p>PHP4 (available from the <a class="ulink" href="http://www.php.net/" target="_top">PHP</a> home page.)</p></li><li class="listitem"><p>OpenLDAP 2.0 or later.</p></li><li class="listitem"><p>A Web browser that supports CSS.</p></li><li class="listitem"><p>Perl.</p></li><li class="listitem"><p>The gettext package.</p></li><li class="listitem"><p>mcrypt + mhash (optional).</p></li><li class="listitem"><p>It is also a good idea to install SSL support.</p></li></ul></div><p> | 
|---|
| 732 | LAM is a useful tool that provides a simple Web-based interface that can be used to | 
|---|
| 733 | manage the contents of the LDAP directory. Its features include the following: | 
|---|
| 734 | <a class="indexterm" name="id389067"></a> | 
|---|
| 735 | <a class="indexterm" name="id389074"></a> | 
|---|
| 736 | <a class="indexterm" name="id389081"></a> | 
|---|
| 737 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Display user/group/host and Domain entries.</p></li><li class="listitem"><p>Manage entries (Add/Delete/Edit).</p></li><li class="listitem"><p>Filter and sort entries.</p></li><li class="listitem"><p>Store and use multiple operating profiles.</p></li><li class="listitem"><p>Edit organizational units (OUs).</p></li><li class="listitem"><p>Upload accounts from a file.</p></li><li class="listitem"><p>Is compatible with Samba-2.2.x and Samba-3.</p></li></ul></div><p> | 
|---|
| 738 | When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba | 
|---|
| 739 | user, group, and Windows domain member machine accounts. | 
|---|
| 740 | </p><p> | 
|---|
| 741 | <a class="indexterm" name="id389132"></a> | 
|---|
| 742 | <a class="indexterm" name="id389139"></a> | 
|---|
| 743 | <a class="indexterm" name="id389145"></a> | 
|---|
| 744 | <a class="indexterm" name="id389152"></a> | 
|---|
| 745 | The default password is <span class="quote">“<span class="quote">lam</span>”</span>. It is highly recommended that you use only | 
|---|
| 746 | an SSL connection to your Web server for all remote operations involving LAM. If you | 
|---|
| 747 | want secure connections, you must configure your Apache Web server to permit connections | 
|---|
| 748 | to LAM using only SSL. | 
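The text requires an SSL-only Apache configuration for LAM but does not show one. The fragment below is an added example, not taken from the book or from the LAM project. It assumes Apache 2.4 with mod_ssl and mod_alias loaded, LAM installed under <code class="filename">/srv/www/htdocs/lam</code> as in Step 2 of the procedure that follows, and the placeholder hostname <code class="literal">ldap-admin.example.com</code>; the certificate and key paths are placeholders as well. Besides forcing TLS, it keeps the <code class="filename">config</code> directory (which holds <code class="filename">config.cfg</code> and the profile file) and the PHP session directory out of reach of browsers.

```apache
# Added example (not from the book or the LAM project). Assumes Apache 2.4
# with mod_ssl and mod_alias, LAM installed under /srv/www/htdocs/lam, and
# the placeholder hostname ldap-admin.example.com.

# Plain-HTTP vhost: never serve LAM here; send every request to HTTPS.
<VirtualHost *:80>
    ServerName ldap-admin.example.com
    Redirect permanent /lam https://ldap-admin.example.com/lam
</VirtualHost>

<VirtualHost *:443>
    ServerName ldap-admin.example.com
    SSLEngine on
    # Placeholder certificate and key paths
    SSLCertificateFile    /etc/apache2/ssl.crt/ldap-admin.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/ldap-admin.key

    <Directory "/srv/www/htdocs/lam">
        # Refuse the request outright if it ever arrives without TLS
        SSLRequireSSL
        Require all granted
    </Directory>

    # config.cfg, the profile file and PHP session state are read by PHP on
    # the server; browsers have no business fetching them.
    <DirectoryMatch "^/srv/www/htdocs/lam/(config|sess)">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

After reloading Apache, confirm that a request to <code class="literal">http://ldap-admin.example.com/lam</code> is answered with a redirect to the HTTPS URL and that <code class="literal">https://ldap-admin.example.com/lam/config/config.cfg</code> is refused with a 403.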
|---|
| 749 | </p><div class="procedure" title="Procedure 15.3. Apache Configuration Steps for LAM"><a name="sbehap-laminst"></a><p class="title"><b>Procedure 15.3. Apache Configuration Steps for LAM</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 750 | Extract the LAM package by untarring it as shown here: | 
|---|
| 751 | </p><pre class="screen"> | 
|---|
| 752 | <code class="prompt">root# </code> tar xzf ldap-account-manager_0.4.9.tar.gz | 
|---|
| 753 | </pre><p> | 
|---|
| 754 | Alternatively, install the LAM DEB for your system using the following command: | 
|---|
| 755 | </p><pre class="screen"> | 
|---|
| 756 | <code class="prompt">root# </code> dpkg -i ldap-account-manager_0.4.9.all.deb | 
|---|
| 757 | </pre><p> | 
|---|
| 758 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 759 | Copy the extracted files to the document root directory of your Web server. | 
|---|
| 760 | For example, on SUSE Linux Enterprise Server 9, copy to the | 
|---|
| 761 | <code class="filename">/srv/www/htdocs</code> directory. | 
|---|
| 762 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 763 | <a class="indexterm" name="id389226"></a> | 
|---|
| 764 | Set file permissions using the following commands: | 
|---|
| 765 | </p><pre class="screen"> | 
|---|
| 766 | <code class="prompt">root# </code> chown -R wwwrun:www /srv/www/htdocs/lam | 
|---|
| 767 | <code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/sess | 
|---|
| 768 | <code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/tmp | 
|---|
| 769 | <code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/config | 
|---|
| 770 | <code class="prompt">root# </code> chmod 755 /srv/www/htdocs/lam/lib/*pl | 
|---|
| 771 | </pre><p> | 
|---|
| 772 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 773 | <a class="indexterm" name="id389276"></a> | 
|---|
| 774 | Using your favorite editor create the following <code class="filename">config.cfg</code> | 
|---|
| 775 | LAM configuration file: | 
|---|
| 776 | </p><pre class="screen"> | 
|---|
| 777 | <code class="prompt">root# </code> cd /srv/www/htdocs/lam/config | 
|---|
| 778 | <code class="prompt">root# </code> cp config.cfg_sample config.cfg | 
|---|
| 779 | <code class="prompt">root# </code> vi config.cfg | 
|---|
| 780 | </pre><p> | 
|---|
| 781 | <a class="indexterm" name="id389315"></a> | 
|---|
| 782 | <a class="indexterm" name="id389324"></a> | 
|---|
| 783 | An example file is shown in <a class="link" href="appendix.html#lamcfg" title="Example 15.11. Example LAM Configuration File config.cfg">“Example LAM Configuration File  config.cfg”</a>. | 
|---|
| 784 | This is the minimum configuration that must be completed. The LAM profile | 
|---|
| 785 | file can be created using a convenient wizard that is part of the LAM | 
|---|
| 786 | configuration suite. | 
|---|
| 787 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 788 | Start your Web server then, using your Web browser, connect to the | 
|---|
| 789 | <a class="ulink" href="http://localhost/lam" target="_top">LAM</a> URL. Click on the | 
|---|
| 790 | <em class="parameter"><code>Configuration Login</code></em> link, then click on the | 
|---|
| 791 | Configuration Wizard link to begin creation of the default profile so that | 
|---|
| 792 | LAM can connect to your LDAP server. Alternately, copy the | 
|---|
| 793 | <code class="filename">lam.conf_sample</code> file to a file called | 
|---|
| 794 | <code class="filename">lam.conf</code> then, using your favorite editor, | 
|---|
| 795 | change the settings to match local site needs. | 
|---|
| 796 | </p></li></ol></div><p> | 
|---|
| 797 | <a class="indexterm" name="id389379"></a> | 
|---|
| 798 | An example of a working file is shown here in <a class="link" href="appendix.html#lamconf" title="Example 15.12. LAM Profile Control File lam.conf">“LAM Profile Control File  lam.conf”</a>. | 
|---|
| 799 | This file has been stripped of comments to keep the size small. The comments | 
|---|
| 800 | and help information provided in the profile file that the wizard creates | 
|---|
| 801 | are very useful and will help many administrators avoid pitfalls. | 
|---|
| 802 | Your configuration file obviously reflects the configuration options that | 
|---|
| 803 | are preferred at your site. | 
|---|
| 804 | </p><p> | 
|---|
| 805 | <a class="indexterm" name="id389399"></a> | 
|---|
| 806 | It is important that your LDAP server is running at the time that LAM is | 
|---|
| 807 | being configured. This permits you to validate correct operation. | 
|---|
| 808 | An example of the LAM login screen is provided in <a class="link" href="appendix.html#lam-login" title="Figure 15.6. The LDAP Account Manager Login Screen">“The LDAP Account Manager Login Screen”</a>. | 
|---|
| 809 | </p><div class="figure"><a name="lam-login"></a><p class="title"><b>Figure 15.6. The LDAP Account Manager Login Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-login.png" width="270" alt="The LDAP Account Manager Login Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 810 | <a class="indexterm" name="id389458"></a> | 
|---|
| 811 | The LAM configuration editor has a number of options that must be managed correctly. | 
|---|
| 812 | An example of use of the LAM configuration editor is shown in <a class="link" href="appendix.html#lam-config" title="Figure 15.7. The LDAP Account Manager Configuration Screen">“The LDAP Account Manager Configuration Screen”</a>. | 
|---|
| 813 | It is important that you correctly set the minimum and maximum UID/GID values that are | 
|---|
| 814 | permitted for use at your site. The default values may not be compatible with a need to | 
|---|
| 815 | modify initial default account values for well-known Windows network users and groups. | 
|---|
| 816 | The best work-around is to temporarily set the minimum values to zero (0) to permit | 
|---|
| 817 | the initial settings to be made. Do not forget to reset these to sensible values before | 
|---|
| 818 | using LAM to add additional users and groups. | 
|---|
| 819 | </p><div class="figure"><a name="lam-config"></a><p class="title"><b>Figure 15.7. The LDAP Account Manager Configuration Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-config.png" width="270" alt="The LDAP Account Manager Configuration Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 820 | <a class="indexterm" name="id389523"></a> | 
|---|
| 821 | LAM has some nice but unusual features. For example, one unexpected feature in most application | 
|---|
| 822 | screens permits the generation of a PDF file that lists configuration information. This is a well | 
|---|
| 823 | thought out facility. This option has been edited out of the following screen shots to conserve | 
|---|
| 824 | space. | 
|---|
| 825 | </p><p> | 
|---|
| 826 | <a class="indexterm" name="id389536"></a> | 
|---|
| 827 | When you log onto LAM, the opening screen drops you right into the user manager as shown in | 
|---|
| 828 | <a class="link" href="appendix.html#lam-user" title="Figure 15.8. The LDAP Account Manager User Edit Screen">“The LDAP Account Manager User Edit Screen”</a>. This is a logical action as it permits the most-needed facility | 
|---|
| 829 | to be used immediately. The editing of an existing user, as with the addition of a new user, | 
|---|
| 830 | is easy to follow and very clear in both layout and intent. It is a simple matter to edit | 
|---|
| 831 | generic settings, UNIX specific parameters, and then Samba account requirements. Each step | 
|---|
| 832 | involves clicking a button that intuitively drives you through the process. When you have | 
|---|
| 833 | finished editing simply press the <span class="guimenu">Final</span> button. | 
|---|
| 834 | </p><div class="figure"><a name="lam-user"></a><p class="title"><b>Figure 15.8. The LDAP Account Manager User Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-users.png" width="270" alt="The LDAP Account Manager User Edit Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 835 | The edit screen for groups is shown in <a class="link" href="appendix.html#lam-group" title="Figure 15.9. The LDAP Account Manager Group Edit Screen">“The LDAP Account Manager Group Edit Screen”</a>. As with the edit screen | 
|---|
| 836 | for user accounts, group accounts may be rapidly dealt with. <a class="link" href="appendix.html#lam-group-mem" title="Figure 15.10. The LDAP Account Manager Group Membership Edit Screen">“The LDAP Account Manager Group Membership Edit Screen”</a> | 
|---|
| 837 | shows a sub-screen from the group editor that permits users to be assigned secondary group | 
|---|
| 838 | memberships. | 
|---|
| 839 | </p><div class="figure"><a name="lam-group"></a><p class="title"><b>Figure 15.9. The LDAP Account Manager Group Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-groups.png" width="270" alt="The LDAP Account Manager Group Edit Screen"></div></div></div><br class="figure-break"><div class="figure"><a name="lam-group-mem"></a><p class="title"><b>Figure 15.10. The LDAP Account Manager Group Membership Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-group-members.png" width="270" alt="The LDAP Account Manager Group Membership Edit Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 840 | <a class="indexterm" name="id389704"></a><a class="indexterm" name="id389710"></a> | 
|---|
| 841 | The final screen presented here is one that you should not normally need to use. Host accounts will | 
|---|
| 842 | be automatically managed using the smbldap-tools scripts. This means that the screen <a class="link" href="appendix.html#lam-host" title="Figure 15.11. The LDAP Account Manager Host Edit Screen">“The LDAP Account Manager Host Edit Screen”</a> | 
|---|
| 843 | will, in most cases, not be used. | 
|---|
| 844 | </p><div class="figure"><a name="lam-host"></a><p class="title"><b>Figure 15.11. The LDAP Account Manager Host Edit Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/lam-hosts.png" width="270" alt="The LDAP Account Manager Host Edit Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 845 | One aspect of LAM that may annoy some users is the way it forces certain conventions on | 
|---|
| 846 | the administrator. For example, LAM does not permit the creation of Windows user and group | 
|---|
| 847 | accounts that contain spaces even though the underlying UNIX/Linux | 
|---|
| 848 | operating system may exhibit no problems with them. Given the propensity for using upper-case | 
|---|
| 849 | characters and spaces (particularly in the default Windows account names) this may cause | 
|---|
| 850 | some annoyance. Otherwise, LAM is a very useful administrative tool. | 
|---|
| 851 | </p><p> | 
|---|
| 852 | The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features | 
|---|
| 853 | (e.g., logon hours). The new plugin-based architecture also allows management of many more | 
|---|
| 854 | account types, such as plain UNIX accounts. The upload can now handle groups and hosts, too. Another | 
|---|
| 855 | important point is the tree view which allows browsing and editing LDAP objects directly. | 
|---|
| 856 | </p><div class="example"><a name="lamcfg"></a><p class="title"><b>Example 15.11. Example LAM Configuration File  <code class="filename">config.cfg</code></b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 857 | # password to add/delete/rename configuration profiles | 
|---|
| 858 | password: not24get | 
|---|
| 859 |  | 
|---|
| 860 | # default profile, without ".conf" | 
|---|
| 861 | default: lam | 
|---|
| 862 | </pre></div></div><br class="example-break"><div class="example"><a name="lamconf"></a><p class="title"><b>Example 15.12. LAM Profile Control File  <code class="filename">lam.conf</code></b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 863 | ServerURL: ldap://massive.abmas.org:389 | 
|---|
| 864 | Admins: cn=Manager,dc=abmas,dc=biz | 
|---|
| 865 | Passwd: not24get | 
|---|
| 866 | usersuffix: ou=People,dc=abmas,dc=biz | 
|---|
| 867 | groupsuffix: ou=Groups,dc=abmas,dc=biz | 
|---|
| 868 | hostsuffix: ou=Computers,dc=abmas,dc=biz | 
|---|
| 869 | domainsuffix: ou=Domains,dc=abmas,dc=biz | 
|---|
| 870 | MinUID: 0 | 
|---|
| 871 | MaxUID: 65535 | 
|---|
| 872 | MinGID: 0 | 
|---|
| 873 | MaxGID: 65535 | 
|---|
| 874 | MinMachine: 20000 | 
|---|
| 875 | MaxMachine: 25000 | 
|---|
| 876 | userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber | 
|---|
| 877 | grouplistAttributes: #cn;#gidNumber;#memberUID;#description | 
|---|
| 878 | hostlistAttributes: #cn;#description;#uidNumber;#gidNumber | 
|---|
| 879 | maxlistentries: 30 | 
|---|
| 880 | defaultLanguage: en_GB:ISO-8859-1:English (Great Britain) | 
|---|
| 881 | scriptPath: | 
|---|
| 882 | scriptServer: | 
|---|
| 883 | samba3: yes | 
|---|
| 884 | cachetimeout: 5 | 
|---|
| 885 | pwdhash: SSHA | 
|---|
| 886 | </pre></div></div><br class="example-break"></div><div class="sect1" title="IDEALX Management Console"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id389839"></a>IDEALX Management Console</h2></div></div></div><p> | 
|---|
| 887 | IMC (the IDEALX Management Console) is a tool that can be used as the basis for a comprehensive | 
|---|
| 888 | web-based management interface for UNIX and Linux systems. | 
|---|
| 889 | </p><p> | 
|---|
| 890 | The Samba toolset is the first console developed for IMC. It offers a simple and ergonomic | 
|---|
| 891 | interface for managing a Samba domain controller. The goal is to give Linux administrators who | 
|---|
| 892 | need to manage production Samba servers an effective, intuitive and consistent management | 
|---|
| 893 | experience. An IMC screenshot of the user management tool is shown in <a class="link" href="appendix.html#imcidealx" title="Figure 15.12. The IMC Samba User Account Screen">“The IMC Samba User Account Screen”</a>. | 
|---|
| 894 | </p><div class="figure"><a name="imcidealx"></a><p class="title"><b>Figure 15.12. The IMC Samba User Account Screen</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/imc-usermanager2.png" width="216" alt="The IMC Samba User Account Screen"></div></div></div><br class="figure-break"><p> | 
|---|
| 895 | IMC is built on a set of Perl modules. Most modules are standard CPAN modules. Some are bundled with IMC, | 
|---|
| 896 | but will soon be hosted on the CPAN independently, like Struts4P, a port of Struts to the Perl language. | 
|---|
| 897 | </p><p> | 
|---|
| 898 | For further information regarding IMC refer to the web <a class="ulink" href="http://imc.sourceforge.net/" target="_top">site.</a> | 
|---|
| 899 | Prebuilt RPM packages are also <a class="ulink" href="http://imc.sourceforge.net/download.html" target="_top">available.</a> | 
|---|
| 900 | </p></div><div class="sect1" title="Effect of Setting File and Directory SUID/SGID Permissions Explained"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12-SUIDSGID"></a>Effect of Setting File and Directory SUID/SGID Permissions Explained</h2></div></div></div><a class="indexterm" name="id389935"></a><a class="indexterm" name="id389942"></a><p> | 
|---|
| 901 | The setting of the SUID/SGID bits on the file or directory permissions flag has particular | 
|---|
| 902 | consequences. If the file is executable and the SUID bit is set, it executes with the privilege | 
|---|
| 903 | of (with the UID of) the owner of the file. For example, if you are logged onto a system as | 
|---|
| 904 | a normal user (let's say as the user <code class="constant">bobj</code>), and you execute a file that is owned | 
|---|
| 905 | by the user <code class="constant">root</code> (uid = 0), and the file has the SUID bit set, then the file is | 
|---|
| 906 | executed as if you had logged in as the user <code class="constant">root</code> and then executed the file. | 
|---|
| 907 | The SUID bit effectively gives you (as <code class="constant">bobj</code>) administrative privilege for the | 
|---|
| 908 | use of that executable file. | 
|---|
| 909 | </p><p> | 
|---|
| 910 | Setting the SGID bit has precisely the same effect as the SUID bit, except that the privilege | 
|---|
| 911 | applied is that of the file's UNIX group. In other words, the file executes with the | 
|---|
| 912 | privileges of the group. | 
|---|
| 913 | </p><p> | 
|---|
| 914 | When the SUID/SGID permissions are set on a directory, all files that are created within that directory | 
|---|
| 915 | are automatically given the ownership of the SUID user and the SGID group, as per the ownership | 
|---|
| 916 | of the directory in which the file is created. This means that the system level <code class="literal">create()</code> | 
|---|
| 917 | function executes with the SUID user and/or SGID group of the directory in which the file is | 
|---|
| 918 | created. | 
|---|
| 919 | </p><p> | 
|---|
| 920 | If you want to obtain the SUID behavior, simply execute the following command: | 
|---|
| 921 | </p><pre class="screen"> | 
|---|
| 922 | <code class="prompt">root# </code> chmod u+s file-or-directory | 
|---|
| 923 | </pre><p> | 
|---|
| 924 | To set the SGID properties on a file or a directory, execute this command: | 
|---|
| 925 | </p><pre class="screen"> | 
|---|
| 926 | <code class="prompt">root# </code> chmod g+s file-or-directory | 
|---|
| 927 | </pre><p> | 
|---|
| 928 | And to set both SUID and SGID properties, execute the following: | 
|---|
| 929 | </p><pre class="screen"> | 
|---|
| 930 | <code class="prompt">root# </code> chmod ug+s file-or-directory | 
|---|
| 931 | </pre><p> | 
|---|
| 932 | </p><p> | 
|---|
| 933 | Let's consider the example of a directory <code class="filename">/data/accounts</code>. The permissions on this | 
|---|
| 934 | directory before setting both SUID and SGID on this directory are: | 
|---|
| 935 | </p><pre class="screen"> | 
|---|
| 936 | <code class="prompt">root# </code> ls -al /data/accounts | 
|---|
| 937 | total 1 | 
|---|
| 938 | drwxr-xr-x   10 root     root          232 Dec 18 17:08 . | 
|---|
| 939 | drwxr-xr-x   21 root     root          600 Dec 17 23:15 .. | 
|---|
| 940 | drwxrwxrwx    2 bobj     Domain Users  48 Dec 18 17:08 accounts/ | 
|---|
| 941 | drwx------    2 root     root           48 Jan 26  2002 lost+found | 
|---|
| 942 | </pre><p> | 
|---|
| 943 | In this example, if the user <code class="constant">maryv</code> creates a file, it is owned by her. | 
|---|
| 944 | If <code class="constant">maryv</code> has the primary group of <code class="constant">Accounts</code>, the file is | 
|---|
| 945 | owned by the group <code class="constant">Accounts</code>, as shown in this listing: | 
|---|
| 946 | </p><pre class="screen"> | 
|---|
| 947 | <code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt | 
|---|
| 948 | drw-rw-r--    2 maryv    Accounts     12346 Dec 18 17:53 | 
|---|
| 949 | </pre><p> | 
|---|
| 950 | </p><p> | 
|---|
| 951 | Now you set the SUID and SGID and check the result as follows: | 
|---|
| 952 | </p><pre class="screen"> | 
|---|
| 953 | <code class="prompt">root# </code> chmod ug+s /data/accounts | 
|---|
| 954 | <code class="prompt">root# </code> ls -al /data/accounts | 
|---|
| 955 | total 1 | 
|---|
| 956 | drwxr-xr-x   10 root     root          232 Dec 18 17:08 . | 
|---|
| 957 | drwxr-xr-x   21 root     root          600 Dec 17 23:15 .. | 
|---|
| 958 | drwsrwsr-x    2 bobj     Domain Users  48 Dec 18 17:08 accounts | 
|---|
| 959 | drwx------    2 root     root           48 Jan 26  2002 lost+found | 
|---|
| 960 | </pre><p> | 
|---|
| 961 | If <code class="constant">maryv</code> creates a file in this directory after this change has been made, the | 
|---|
| 962 | file is owned by the user <code class="constant">bobj</code>, and the group is set to the group | 
|---|
| 963 | <code class="constant">Domain Users</code>, as shown here: | 
|---|
| 964 | </p><pre class="screen"> | 
|---|
| 965 | <code class="prompt">root# </code> chmod ug+s /data/accounts | 
|---|
| 966 | <code class="prompt">root# </code> ls -al /data/accounts/maryvfile.txt | 
|---|
| 967 | total 1 | 
|---|
| 968 | drw-rw-r--    2 bobj     Domain Users  12346 Dec 18 18:11 maryvfile.txt | 
|---|
| 969 | </pre><p> | 
|---|
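The bits set by the chmod u+s and g+s commands above can be read back either from an ls -l mode column or directly from the filesystem. The following is an added example (not code from Samba-3 by Example) that does both: it decodes the symbolic mode column shown in the listings and walks a directory tree reporting every SUID/SGID entry, which is the check an administrator runs to find set-ID files that should not be there. It reports the bits only; the ownership new files receive is left to the operating system, and the temporary directory and file names are constructed for the demonstration.

```python
"""Audit a directory tree for files and directories carrying SUID/SGID bits.

Added example, not from Samba-3 by Example: it reads the permission bits the
chapter discusses (chmod u+s / g+s) back out of the filesystem and also parses
the symbolic mode column that ls -l prints (e.g. drwsrwsr-x), so the effect of
the chmod ug+s command in the text can be verified from a listing or a scan.
"""
import os
import stat
import tempfile


def parse_ls_mode(mode_str):
    """Decode the 10-character mode column of ls -l into a dict of flags.

    An 's' in the owner-execute slot means SUID together with execute, 'S'
    means SUID without execute; the group slot works the same way for SGID.
    't'/'T' in the other-execute slot is the sticky bit.
    """
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls mode string")
    owner_x, group_x, other_x = mode_str[3], mode_str[6], mode_str[9]
    return {
        "is_dir": mode_str[0] == "d",
        "setuid": owner_x in "sS",
        "setgid": group_x in "sS",
        "sticky": other_x in "tT",
    }


def find_setid_entries(root):
    """Walk root and return (path, setuid, setgid, uid, gid) for every entry
    with SUID or SGID set. lstat is used and symlinks are skipped, so a link
    pointing outside root cannot make the scan report a foreign file."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                found.append((path, setuid, setgid, st.st_uid, st.st_gid))
    return found


def demo():
    """Constructed scenario: a directory given the equivalent of chmod ug+s,
    like /data/accounts in the text, plus one plain file, then scanned.
    Returns (relative path, setuid, setgid) for each set-ID entry found."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "accounts")
        os.mkdir(shared)
        os.chmod(shared, 0o2775 | stat.S_ISUID)  # same bits as chmod ug+s
        plain = os.path.join(shared, "maryvfile.txt")
        with open(plain, "w") as fh:
            fh.write("constructed sample\n")
        hits = find_setid_entries(tmp)
        return [(os.path.relpath(p, tmp), su, sg) for p, su, sg, _, _ in hits]


if __name__ == "__main__":
    print(parse_ls_mode("drwsrwsr-x"))
    print(demo())
```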
| 970 | </p></div><div class="sect1" title="Shared Data Integrity"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch12dblck"></a>Shared Data Integrity</h2></div></div></div><p><a class="indexterm" name="id390147"></a><a class="indexterm" name="id390155"></a> | 
|---|
| 971 | The integrity of shared data is often viewed as a particularly emotional issue, especially where | 
|---|
| 972 | there are concurrent problems with multiuser data access. Contrary to the assertions of some who have | 
|---|
| 973 | experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. | 
|---|
| 974 | </p><p> | 
|---|
| 975 | The solution to concurrent multiuser data access problems must consider three separate areas | 
|---|
| 976 | from which the problem may stem:<a class="indexterm" name="id390175"></a><a class="indexterm" name="id390186"></a><a class="indexterm" name="id390197"></a> | 
|---|
| 977 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>application-level locking controls</p></li><li class="listitem"><p>client-side locking controls</p></li><li class="listitem"><p>server-side locking controls</p></li></ul></div><p><a class="indexterm" name="id390229"></a><a class="indexterm" name="id390237"></a> | 
|---|
| 978 | Many database applications use some form of application-level access control. An example of one | 
|---|
| 979 | well-known application that uses application-level locking is Microsoft Access. Detailed guidance | 
|---|
| 980 | is provided here because this is the most common application for which problems have been reported. | 
|---|
| 981 | </p><p><a class="indexterm" name="id390251"></a><a class="indexterm" name="id390259"></a> | 
|---|
| 982 | Common applications that are affected by client- and server-side locking controls include MS | 
|---|
| 983 | Excel and Act!. Important locking guidance is provided here. | 
|---|
| 984 | </p><div class="sect2" title="Microsoft Access"><div class="titlepage"><div><div><h3 class="title"><a name="id390270"></a>Microsoft Access</h3></div></div></div><p> | 
|---|
| 985 | The best advice that can be given is to carefully read the Microsoft knowledgebase articles that | 
|---|
| 986 | cover this area. Examples of relevant documents include: | 
|---|
| 987 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;208778</p></li><li class="listitem"><p>http://support.microsoft.com/default.aspx?scid=kb;en-us;299373</p></li></ul></div><p><a class="indexterm" name="id390294"></a><a class="indexterm" name="id390306"></a> | 
|---|
| 988 | Make sure that your MS Access database file is configured for multiuser access (not set for | 
|---|
| 989 | exclusive open). Open MS Access on each client workstation, then set the following: <span class="guimenu">(Menu bar) Tools</span>+<span class="guimenu">Options</span>+<span class="guimenu">[tab] General</span>.  Set network path to Default database folder: <code class="filename">\\server\share\folder</code>. | 
|---|
| 990 | </p><p> | 
|---|
| 991 | You can configure MS Access file sharing behavior as follows: click <span class="guimenu">[tab] Advanced</span>. | 
|---|
| 992 | Set:<a class="indexterm" name="id390353"></a> | 
|---|
| 993 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Default open mode: Shared</p></li><li class="listitem"><p>Default Record Locking: Edited Record</p></li><li class="listitem"><p>Open databases using record_level locking</p></li></ul></div><p><a class="indexterm" name="id390382"></a> | 
|---|
| 994 | You must now commit the changes so that they will take effect. To do so, click | 
|---|
| 995 | <span class="guimenu">Apply</span><span class="guimenu">Ok</span>. At this point, you should exit MS Access, restart | 
|---|
| 996 | it, and then validate that these settings have not changed. | 
|---|
| 997 | </p></div><div class="sect2" title="Act! Database Sharing"><div class="titlepage"><div><div><h3 class="title"><a name="id390409"></a>Act! Database Sharing</h3></div></div></div><p><a class="indexterm" name="id390415"></a><a class="indexterm" name="id390423"></a> | 
|---|
| 998 | Where the server sharing the ACT! database(s) is running Samba, or Windows NT, 200x, or XP, you | 
|---|
| 999 | must disable opportunistic locking on the server and all workstations. Failure to do so | 
|---|
| 1000 | results in data corruption. This information is available from the Act! Web site | 
|---|
| 1001 | knowledgebase articles | 
|---|
| 1002 | <a class="ulink" href="http://itdomino.saleslogix.com/act.nsf/docid/1998223162925" target="_top">1998223162925</a> | 
|---|
| 1003 | as well as from article | 
|---|
| 1004 | <a class="ulink" href="http://itdomino.saleslogix.com/act.nsf/docid/200110485036" target="_top">200110485036</a>. | 
|---|
| 1005 | </p><p><a class="indexterm" name="id390449"></a><a class="indexterm" name="id390457"></a> | 
|---|
| 1006 | These documents clearly state that opportunistic locking must be disabled on both | 
|---|
| 1007 | the server (Samba in the case we are interested in here), as well as on every workstation | 
|---|
| 1008 | from which the centrally shared Act! database will be accessed. Act! provides | 
|---|
| 1009 | a tool called <code class="literal">Act!Diag</code> that may be used to disable all workstation | 
|---|
| 1010 | registry settings that may otherwise interfere with the operation of Act! | 
|---|
| 1011 | Registered Act! users may download this utility from the Act! Web | 
|---|
| 1012 | <a class="ulink" href="http://www.act.com/support/updates/index.cfm" target="_top">site.</a> | 
|---|
| 1013 | </p></div><div class="sect2" title="Opportunistic Locking Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id390484"></a>Opportunistic Locking Controls</h3></div></div></div><p><a class="indexterm" name="id390491"></a> | 
|---|
| 1014 | Third-party Windows applications may not be compatible with the use of opportunistic file | 
|---|
| 1015 | and record locking. For applications that are known not to be compatible,<sup>[<a name="id390501" href="#ftn.id390501" class="footnote">14</a>]</sup> oplock | 
|---|
| 1016 | support may need to be disabled both on the Samba server and on the Windows workstations. | 
|---|
| 1017 | </p><p><a class="indexterm" name="id390512"></a><a class="indexterm" name="id390520"></a><a class="indexterm" name="id390528"></a> | 
|---|
| 1018 | Oplocks enable a Windows client to cache parts of a file that are being | 
|---|
| 1019 | edited. Another Windows client may then request to open the file with the | 
|---|
| 1020 | ability to write to it. The server will then ask the original workstation | 
|---|
| 1021 | that had the file open with a write lock to release its lock. Before | 
|---|
| 1022 | doing so, that workstation must flush the file from cache memory to the | 
|---|
| 1023 | disk or network drive. | 
|---|
| 1024 | </p><p><a class="indexterm" name="id390546"></a> | 
|---|
| 1025 | Disabling oplocks may require both server and client changes. | 
|---|
| 1026 | Oplocks may be disabled by file, by file pattern, on the share, or on the | 
|---|
| 1027 | Samba server. | 
|---|
| 1028 | </p><p> | 
|---|
| 1029 | The following are examples showing how Oplock support may be managed using | 
|---|
| 1030 | Samba <code class="filename">smb.conf</code> file settings: | 
|---|
| 1031 | </p><pre class="screen"> | 
|---|
| 1032 | By file:        veto oplock files = myfile.mdb | 
|---|
| 1033 |  | 
|---|
| 1034 | By Pattern:     veto oplock files = /*.mdb/ | 
|---|
| 1035 |  | 
|---|
| 1036 | On the Share:   oplocks = No | 
|---|
| 1037 | level2 oplocks = No | 
|---|
| 1038 |  | 
|---|
| 1039 | On the server: | 
|---|
| 1040 | (in [global])   oplocks = No | 
|---|
| 1041 | level2 oplocks = No | 
|---|
| 1042 | </pre><p> | 
|---|
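To see how the share-level and global settings above combine, here is an added example (not code from Samba or from this book) that reads a constructed smb.conf fragment and reports whether an oplock would be granted for a given file on a given share. The share names are invented, and matching the veto list case-insensitively against the base filename is an assumption made to mirror how Windows clients name files.

```python
"""Evaluate whether Samba would grant an oplock for a file on a share.

Added example, not Samba's own code: it parses an smb.conf-style text with the
settings shown in the chapter (oplocks, level2 oplocks, veto oplock files),
applies share-over-global precedence, and interprets the /pattern1/pattern2/
list syntax with * and ? wildcards against the base filename.
"""
import fnmatch
import re

# Constructed smb.conf fragment built from the settings in the text.
SAMPLE_SMB_CONF = """
[global]
   workgroup = ABMAS
   level2 oplocks = yes

[accounts]
   path = /data/accounts
   ; Access/Jet files must never be cached by clients on this share
   veto oplock files = /*.mdb/*.ldb/
   Oplocks = yes

[act]
   path = /data/act
   oplocks = No
   level2 oplocks = No
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}. Samba treats parameter names
    case-insensitively and ignores embedded spaces, so keys are normalised the
    same way; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.replace(" ", "").lower()] = value.strip()
    return sections


def to_bool(value, default):
    """Samba boolean syntax: yes/true/1 are true, anything else is false."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def veto_patterns(value):
    """Split Samba's '/pat1/pat2/' list syntax into individual patterns."""
    return [p for p in (value or "").split("/") if p]


def effective(conf, share, key):
    """A share-level setting wins; otherwise fall back to [global]."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key))


def oplock_granted(conf, share, filename):
    """True if an oplock can be granted for filename on share: 'oplocks = no'
    disables them for the whole share, a veto match disables them per file.
    Samba's default for oplocks is yes, so an unset parameter allows them."""
    if not to_bool(effective(conf, share, "oplocks"), default=True):
        return False
    base = filename.rsplit("/", 1)[-1].lower()
    for pat in veto_patterns(effective(conf, share, "vetooplockfiles")):
        if fnmatch.fnmatchcase(base, pat.lower()):
            return False
    return True


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, name in (("accounts", "myfile.mdb"), ("accounts", "notes.txt"),
                        ("act", "contacts.dbf")):
        print(share, name, "oplock" if oplock_granted(conf, share, name) else "no oplock")
```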
| 1043 | </p><p> | 
|---|
| 1044 | The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 | 
|---|
| 1045 | workstation clients must be configured as shown here: | 
|---|
| 1046 | </p><pre class="screen"> | 
|---|
| 1047 | REGEDIT4 | 
|---|
| 1048 |  | 
|---|
| 1049 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ | 
|---|
| 1050 | Services\LanmanServer\Parameters] | 
|---|
| 1051 | "EnableOplocks"=dword:00000000 | 
|---|
| 1052 |  | 
|---|
| 1053 | [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ | 
|---|
| 1054 | Services\LanmanWorkstation\Parameters] | 
|---|
| 1055 | "UseOpportunisticLocking"=dword:00000000 | 
|---|
| 1056 | </pre><p> | 
|---|
| 1057 | </p><p> | 
|---|
| 1058 | Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13. | 
|---|
| 1059 | The information in that chapter was obtained from a wide variety of sources. | 
|---|
| 1060 | </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id390501" href="#id390501" class="para">14</a>] </sup>Refer to | 
|---|
| 1061 | the application manufacturer's installation guidelines and knowledge base for specific | 
|---|
| 1062 | information regarding compatibility. It is often safe to assume that if the software | 
|---|
| 1063 | manufacturer does not specifically mention incompatibilities with opportunistic file | 
|---|
| 1064 | and record locking, or with Windows client file caching, the application is probably | 
|---|
| 1065 | compatible with Windows (as well as Samba) default settings.</p></div></div></div></body></html> | 
|---|