| 1 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 1. No-Frills Samba Servers</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="next" href="small.html" title="Chapter 2. Small Office Networking"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. No-Frills Samba Servers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 1. No-Frills Samba Servers"><div class="titlepage"><div><div><h2 class="title"><a name="simple"></a>Chapter 1. No-Frills Samba Servers</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="simple.html#id323089">Introduction</a></span></dt><dt><span class="sect1"><a href="simple.html#id323120">Assignment Tasks</a></span></dt><dd><dl><dt><span class="sect2"><a href="simple.html#id323158">Drafting Office</a></span></dt><dt><span class="sect2"><a href="simple.html#id323803">Charity Administration Office</a></span></dt><dt><span class="sect2"><a href="simple.html#AccountingOffice">Accounting Office</a></span></dt></dl></dd><dt><span class="sect1"><a href="simple.html#id326925">Questions and Answers</a></span></dt></dl></div><p> | 
|---|
| 2 | This is the start of the real journey toward the successful deployment of Samba. For some this chapter | 
|---|
| 3 | is the end of the road because their needs will have been adequately met. For others, this chapter is | 
|---|
| 4 | the beginning of a journey that will take them well past the contents of this book. This book provides | 
|---|
| 5 | example configurations of, for the greater part, complete networking solutions. The intent of this book | 
|---|
| 6 | is to help you to get your Samba installation working with the least amount of pain and aggravation. | 
|---|
| 7 | </p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323089"></a>Introduction</h2></div></div></div><p> | 
|---|
| 8 | This chapter lays the groundwork for understanding the basics of Samba operation. | 
|---|
| 9 | Instead of a bland technical discussion, each principle is demonstrated by way of a | 
|---|
| 10 | real-world scenario for which a working solution<sup>[<a name="id323099" href="#ftn.id323099" class="footnote">1</a>]</sup> is fully described. | 
|---|
| 11 | </p><p> | 
|---|
| 12 | The practical exercises take you on a journey through a drafting office, a charity administration | 
|---|
| 13 | office, and an accounting office. You may choose to apply any or all of these exercises to your own environment. | 
|---|
| 14 | </p><p> | 
|---|
| 15 | Every assignment case can be implemented far more creatively, but remember that the solutions you | 
|---|
| 16 | create are designed to demonstrate a particular solution possibility. With experience, you should | 
|---|
| 17 | find much improved solutions compared with those presented here. By the time you complete this book, | 
|---|
| 18 | you should aim to be a Samba expert, so do attempt to find better solutions and try them as you work your | 
|---|
| 19 | way through the examples. | 
|---|
| 20 | </p></div><div class="sect1" title="Assignment Tasks"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id323120"></a>Assignment Tasks</h2></div></div></div><p> | 
|---|
| 21 | Each case presented highlights different aspects of Windows networking for which a simple | 
|---|
| 22 | Samba-based solution can be provided. Each has subtly different requirements taken from real-world cases. | 
|---|
| 23 | The cases are briefly reviewed to cover important points. Instructions are based | 
|---|
| 24 | on the assumption that the official Samba Team RPM package has been installed. | 
|---|
| 25 | </p><p> | 
|---|
| 26 | This chapter has three assignments built around fictitious companies: | 
|---|
| 27 | </p><p> | 
|---|
| 28 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A drafting office</p></li><li class="listitem"><p>A charity administration office</p></li><li class="listitem"><p>An accounting office</p></li></ul></div><p> | 
|---|
| 29 | </p><p> | 
|---|
| 30 | Let's get started. | 
|---|
| 31 | </p><div class="sect2" title="Drafting Office"><div class="titlepage"><div><div><h3 class="title"><a name="id323158"></a>Drafting Office</h3></div></div></div><p> | 
|---|
| 32 | Our fictitious company is called <span class="emphasis"><em>Abmas Design, Inc.</em></span> This is a three-person | 
|---|
| 33 | computer-aided design (CAD) business that often has more work than can be handled. The | 
|---|
| 34 | business owner hires contract draftspeople from wherever he can. They bring their own | 
|---|
| 35 | notebook computers into the office. There are four permanent drafting machines. Abmas has a | 
|---|
| 36 | collection of over 10 years of plans that must be available for all draftsmen to reference. | 
|---|
| 37 | Abmas hires the services of an experienced network engineer to update the | 
|---|
| 38 | plans that are stored on a central server one day per month. She knows how to upload | 
|---|
| 39 | plans from each machine. The files available from the server must remain read-only. | 
|---|
| 40 | Anyone should be able to access the plans at any time and without barriers or difficulty. | 
|---|
| 41 | </p><p><a class="indexterm" name="id323177"></a> | 
|---|
| 42 | <a class="indexterm" name="id323183"></a> | 
|---|
| 43 | Mr. Bob Jordan has asked you to install the new server as economically as possible. The central | 
|---|
| 44 | server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a 160GB IDE second disk | 
|---|
| 45 | to store plans, and a 100-base-T Ethernet card. You have already installed Red Hat Fedora CoreX and | 
|---|
| 46 | have upgraded Samba to version 3.0.20 using the RPM package that is provided from the Samba | 
|---|
| 47 | <a class="ulink" href="http://www.samba.org" target="_top">FTP</a> sites. (Note: Fedora CoreX indicates your favorite | 
|---|
| 48 | version.) | 
|---|
| 49 | </p><p><a class="indexterm" name="id323204"></a> | 
|---|
| 50 | The four permanent drafting machines (Microsoft Windows workstations) have attached printers | 
|---|
| 51 | and plotters that are shared on a peer-to-peer basis by any and all network users. The intent | 
|---|
| 52 | is to continue to share printers in this manner. The three permanent staff work together with | 
|---|
| 53 | all contractors to store all new work on one PC. A daily copy is made of the work storage | 
|---|
| 54 | area to another PC for safekeeping.  When the network consultant arrives, the weekly work | 
|---|
| 55 | area is copied to the central server and the files are removed from the main weekly storage | 
|---|
| 56 | machine. The office works best with this arrangement and does not want to change anything. | 
|---|
| 57 | Old habits are too ingrained. | 
|---|
| 58 | </p><div class="sect3" title="Dissection and Discussion"><div class="titlepage"><div><div><h4 class="title"><a name="id323219"></a>Dissection and Discussion</h4></div></div></div><p> | 
|---|
| 59 | <a class="indexterm" name="id323227"></a> | 
|---|
| 60 | The requirements for this server installation demand simplicity. An anonymous read-only | 
|---|
| 61 | file server adequately meets all needs. The network consultant determines how | 
|---|
| 62 | to upload all files from the weekly storage area to the server. The description of this installation | 
|---|
| 63 | therefore covers only its critical aspects. Note that an anonymous server makes the plans readable by every host that can reach it, so it must sit only on the office LAN. | 
|---|
| 64 | </p><p> | 
|---|
| 65 | It is not necessary to have specific users on the server. The site has a method for storing | 
|---|
| 66 | all design files (plans). Each plan is stored in a directory that is named YYYYWW,<sup>[<a name="id323243" href="#ftn.id323243" class="footnote">2</a>]</sup> where | 
|---|
| 67 | YYYY is the year, and WW is the week of the year. This arrangement allows work to be stored | 
|---|
| 68 | by week of year to preserve the filing technique the site is familiar with. | 
|---|
| 69 | There is also a customer index that is arranged alphabetically. At the top level are 26 | 
|---|
| 70 | directories (A-Z); inside each is a second level of directories named by the first two letters of the | 
|---|
| 71 | customer's name (AA-ZZ); inside each of those is a directory per customer name. Inside each customer directory is a symbolic | 
|---|
| 72 | link to each design drawing or plan. This way of storing customer data files permits all | 
|---|
| 73 | plans to be located both by customer name and by the date the work was performed, without | 
|---|
| 74 | demanding the disk space that would be needed if a duplicate file copy were to be stored. | 
|---|
| 75 | The share containing the plans is called <span class="emphasis"><em>Plans</em></span>. | 
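The filing scheme just described can be scripted. The following Python is an added example, not code from the book or from the Samba project: it builds the customer index under an assumed `customers` directory using relative symbolic links (relative so the index survives remounting the disk elsewhere), and audits every link in the tree to confirm it resolves inside the share root. The audit matters because smbd resolves symbolic links on the server side: a link under Plans that points outside /plans would expose whatever it targets to every anonymous client (current Samba refuses such links by default through wide links = no; Samba 3.0.x followed them unless wide links was set to no). The sample plan files and customer names are constructed.

```python
"""Customer index for the Plans share: YYYYWW storage plus an A/AB/Name tree.

Added example, not code from the book or from the Samba project. The
'customers' directory name, the sample plan files and the customer names
are assumptions. Links are relative so the index survives remounting the
disk elsewhere, and audit_links() rejects any link that escapes the share
root, because smbd resolves symlinks on the server side.
"""
import os
import tempfile

# Constructed sample data: (week directory YYYYWW, plan file, customer).
SAMPLE_PLANS = [
    ("200512", "warehouse-rev3.dwg", "Abacus Builders"),
    ("200601", "carpark-layout.dwg", "Abacus Builders"),
    ("200603", "loft-conversion.dwg", "Zed Homes"),
]


def customer_dir(root, customer):
    """Directory for a customer: <root>/customers/A/AB/Abacus Builders."""
    letters = [c for c in customer.upper() if c.isalpha()]
    if len(letters) < 2:
        raise ValueError("customer name needs at least two letters: %r" % customer)
    return os.path.join(root, "customers", letters[0], letters[0] + letters[1], customer)


def add_plan(root, week, filename, customer):
    """Create customers/.../<customer>/<file> -> ../../../../YYYYWW/<file>."""
    target = os.path.join(root, week, filename)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    cdir = customer_dir(root, customer)
    os.makedirs(cdir, exist_ok=True)
    link = os.path.join(cdir, filename)
    os.symlink(os.path.relpath(target, cdir), link)
    return link


def link_target(root, customer, filename):
    """The literal link text, e.g. '../../../../200512/warehouse-rev3.dwg'."""
    return os.readlink(os.path.join(customer_dir(root, customer), filename))


def read_via_index(root, customer, filename):
    """Read a plan through its customer-index link, as a client would."""
    with open(os.path.join(customer_dir(root, customer), filename)) as fh:
        return fh.read()


def audit_links(root):
    """Return [(link relative to root, resolved path)] for links escaping root."""
    real_root = os.path.realpath(root)
    escaped = []
    for dirpath, dirs, files in os.walk(real_root):
        for name in dirs + files:  # a symlink to a directory shows up in dirs
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            if os.path.commonpath([real_root, resolved]) != real_root:
                escaped.append((os.path.relpath(path, real_root), resolved))
    return escaped


def build_demo():
    """Create a throwaway share root populated from SAMPLE_PLANS; return its path."""
    root = tempfile.mkdtemp(prefix="plans-")
    for week, name, customer in SAMPLE_PLANS:
        os.makedirs(os.path.join(root, week), exist_ok=True)
        with open(os.path.join(root, week, name), "w") as fh:
            fh.write("plan data for %s\n" % customer)
        add_plan(root, week, name, customer)
    return root


def plant_escape(root):
    """Simulate a careless link to /etc/passwd in the index; return its relative path."""
    cdir = customer_dir(root, "Zed Homes")
    os.symlink("/etc/passwd", os.path.join(cdir, "passwd"))
    return os.path.relpath(os.path.join(cdir, "passwd"), root)


if __name__ == "__main__":
    demo = build_demo()
    print("clean tree:", audit_links(demo))
    print("after planting an escape:", plant_escape(demo), "->", audit_links(demo))
```

Run the audit from the monthly upload job before the new index goes live; a non-empty result means a link would hand anonymous clients a file outside the share.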
|---|
| 76 | </p></div><div class="sect3" title="Implementation"><div class="titlepage"><div><div><h4 class="title"><a name="id323262"></a>Implementation</h4></div></div></div><p> | 
|---|
| 77 | It is assumed that the server is fully installed and ready for installation and | 
|---|
| 78 | configuration of Samba 3.0.20 and any support files needed. All TCP/IP addresses | 
|---|
| 79 | have been hard-coded. In our case the IP address of the Samba server is | 
|---|
| 80 | <code class="constant">192.168.1.1</code> and the netmask is <code class="constant">255.255.255.0</code>. | 
|---|
| 81 | The hostname of the server used is <code class="constant">server</code>. | 
|---|
| 82 | </p><div class="procedure" title="Procedure 1.1. Samba Server Configuration"><a name="id323282"></a><p class="title"><b>Procedure 1.1. Samba Server Configuration</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 83 | Download the Samba-3 RPM packages for your Red Hat Fedora Core release from the Samba | 
|---|
| 84 | <a class="ulink" href="http://www.samba.org" target="_top">FTP servers.</a> | 
|---|
| 85 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 86 | <a class="indexterm" name="id323305"></a> | 
|---|
| 87 | <a class="indexterm" name="id323314"></a> | 
|---|
| 88 | Verify the package signature, then install the RPM package using either the Red Hat Linux preferred GUI | 
|---|
| 89 | tool or the <code class="literal">rpm</code> command: | 
|---|
| 90 | </p><pre class="screen"> | 
|---|
| 91 | <code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm | 
|---|
| 92 | </pre><p> | 
|---|
| 93 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 94 | Create a mount point for the file system that will be used to store all data files. | 
|---|
| 95 | You can create a directory called <code class="filename">/plans</code>: | 
|---|
| 96 | </p><pre class="screen"> | 
|---|
| 97 | <code class="prompt">root# </code> mkdir /plans | 
|---|
| 98 | <code class="prompt">root# </code> chmod 755 /plans | 
|---|
| 99 | </pre><p> | 
|---|
| 100 | The 755 permissions on this directory (mount point) permit the owner to read, write, | 
|---|
| 101 | and execute, and the group and everyone else to read and execute only. | 
|---|
| 102 | </p><p> | 
|---|
| 103 | <a class="indexterm" name="id323369"></a> | 
|---|
| 104 | Use Red Hat Linux system tools (refer to Red Hat instructions) | 
|---|
| 105 | to format the 160GB hard drive with a suitable file system. An Ext3 file system | 
|---|
| 106 | is suitable. Configure this drive to automatically mount using the <code class="filename">/plans</code> | 
|---|
| 107 | directory as the mount point. | 
|---|
| 108 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 109 | Install the <code class="filename">smb.conf</code> file shown in <a class="link" href="simple.html#draft-smbconf" title="Example 1.1. Drafting Office smb.conf File">“Drafting Office smb.conf File”</a> in the | 
|---|
| 110 | <code class="filename">/etc/samba</code> directory. | 
|---|
| 111 |  | 
|---|
| 112 | </p><div class="example"><a name="draft-smbconf"></a><p class="title"><b>Example 1.1. Drafting Office <code class="filename">smb.conf</code> File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global Parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id323435"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id323446"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[Plans]</code></em></td></tr><tr><td><a class="indexterm" name="id323464"></a><em class="parameter"><code>path = /plans</code></em></td></tr><tr><td><a class="indexterm" name="id323475"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id323485"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><p><br class="example-break"> | 
|---|
| 113 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 114 | <a class="indexterm" name="id323503"></a> | 
|---|
| 115 | Verify that the <code class="filename">/etc/hosts</code> file contains the following entry: | 
|---|
| 116 | </p><pre class="screen"> | 
|---|
| 117 | 192.168.1.1     server | 
|---|
| 118 | </pre><p> | 
|---|
| 119 |  | 
|---|
| 120 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 121 | <a class="indexterm" name="id323526"></a> | 
|---|
| 122 | <a class="indexterm" name="id323534"></a> | 
|---|
| 123 | <a class="indexterm" name="id323540"></a> | 
|---|
| 124 | Use the standard system tool to start Samba and to configure it to restart | 
|---|
| 125 | automatically at every system reboot. For example, | 
|---|
| 126 | </p><pre class="screen"> | 
|---|
| 127 | <code class="prompt">root# </code> chkconfig smb on | 
|---|
| 128 | <code class="prompt">root# </code> /etc/rc.d/init.d/smb restart | 
|---|
| 129 | </pre><p> | 
|---|
| 130 | </p></li></ol></div><div class="procedure" title="Procedure 1.2. Windows Client Configuration"><a name="id323566"></a><p class="title"><b>Procedure 1.2. Windows Client Configuration</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 131 | Make certain that all clients are set to the same network address range as | 
|---|
| 132 | used for the Samba server. For example, one client might have an IP | 
|---|
| 133 | address 192.168.1.10. | 
|---|
| 134 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 135 | <a class="indexterm" name="id323584"></a> | 
|---|
| 136 | Ensure that the netmask used on the Windows clients matches that used | 
|---|
| 137 | for the Samba server. All clients must have the same netmask, such as | 
|---|
| 138 | 255.255.255.0. | 
|---|
| 139 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 140 | <a class="indexterm" name="id323598"></a> | 
|---|
| 141 | Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>. | 
|---|
| 142 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 143 | Verify on each client that the machine called <code class="constant">SERVER</code> | 
|---|
| 144 | is visible in the <span class="guimenu">Network Neighborhood</span>, that it is | 
|---|
| 145 | possible to connect to it and see the share <span class="guimenuitem">Plans</span>, | 
|---|
| 146 | and that it is possible to open that share to reveal its contents. | 
|---|
| 147 | </p></li></ol></div></div><div class="sect3" title="Validation"><div class="titlepage"><div><div><h4 class="title"><a name="validate1"></a>Validation</h4></div></div></div><p> | 
|---|
| 148 | <a class="indexterm" name="id323642"></a> | 
|---|
| 149 | The first priority in validating the new Samba configuration should be to check | 
|---|
| 150 | that Samba answers on the loop-back interface. Then it is time to check that Samba | 
|---|
| 151 | answers its own name correctly. Last, check that a client can connect to the Samba | 
|---|
| 152 | server. | 
|---|
| 153 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 154 | <a class="indexterm" name="id323659"></a> | 
|---|
| 155 | <a class="indexterm" name="id323665"></a> | 
|---|
| 156 | <a class="indexterm" name="id323671"></a> | 
|---|
| 157 | To check the ability to access the <code class="literal">smbd</code> daemon | 
|---|
| 158 | services, execute the following: | 
|---|
| 159 | </p><pre class="screen"> | 
|---|
| 160 | <code class="prompt">root# </code> smbclient -L localhost -U% | 
|---|
| 161 | Sharename     Type     Comment | 
|---|
| 162 | ---------     ----     ------- | 
|---|
| 163 | Plans         Disk | 
|---|
| 164 | IPC$          IPC      IPC Service (Samba 3.0.20) | 
|---|
| 165 | ADMIN$        IPC      IPC Service (Samba 3.0.20) | 
|---|
| 166 |  | 
|---|
| 167 | Server             Comment | 
|---|
| 168 | ---------          ------- | 
|---|
| 169 | SERVER             Samba 3.0.20 | 
|---|
| 170 |  | 
|---|
| 171 | Workgroup          Master | 
|---|
| 172 | ---------          -------- | 
|---|
| 173 | MIDEARTH           SERVER | 
|---|
| 174 | </pre><p> | 
|---|
| 175 | <a class="indexterm" name="id323697"></a> | 
|---|
| 176 | <a class="indexterm" name="id323703"></a> | 
|---|
| 177 | This indicates that Samba is able to respond on the loopback interface to | 
|---|
| 178 | a NULL connection. The <em class="parameter"><code>-U%</code></em> means send an empty | 
|---|
| 179 | username and an empty password. This command should be repeated after | 
|---|
| 180 | Samba has been running for 15 minutes, by which time the browse list (the Workgroup and Master part of the output) has had time to populate. | 
|---|
| 181 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 182 | Now verify that Samba correctly handles being passed a username | 
|---|
| 183 | and password, and that it answers its own name. Execute the following: | 
|---|
| 184 | </p><pre class="screen"> | 
|---|
| 185 | <code class="prompt">root# </code> smbclient -L server -Uroot%password | 
|---|
| 186 | </pre><p> | 
|---|
| 187 | The output should be identical to the previous response. With <em class="parameter"><code>security = SHARE</code></em>, | 
|---|
| 188 | Samba ignores the username given and the connection succeeds regardless of the password; it uses the | 
|---|
| 189 | <em class="parameter"><code>guest account</code></em> for all connections. Because the password is never checked here (and is visible to other local users in the process list), use a throwaway string rather than the real root password. | 
|---|
| 190 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 191 | <a class="indexterm" name="id323748"></a> | 
|---|
| 192 | <a class="indexterm" name="id323754"></a> | 
|---|
| 193 | From the Windows 9x/Me client, launch Windows Explorer: | 
|---|
| 194 | <span class="guiicon">[Desktop: right-click] Network Neighborhood</span>+<span class="guimenu">Explore</span> → <span class="guimenuitem">[Left Panel]  [+] Entire Network</span> → <span class="guimenuitem">[Left Panel] [+] Server</span> → <span class="guimenuitem">[Left Panel] [+] Plans</span>. In the right panel you should see the files and directories | 
|---|
| 195 | (folders) that are in the <span class="guiicon">Plans</span> share. | 
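Procedure 1.1 and the validation steps above confirm that the share is reachable; they do not examine what else the configuration permits. The following Python is an added example, not code from the book or from the Samba project. It parses Example 1.1 the way smbd reads parameters (names are case- and whitespace-insensitive, writable is the inverse of read only, the last setting wins), flags what a reviewer would question on a guest-only server, and writes a hardened equivalent that still serves Plans anonymously: security = share was removed in Samba 4.0, so the portable form of this configuration is security = user with map to guest = Bad User, and a hosts allow line confines the anonymous share to the office LAN. The 192.168.1. prefix comes from the page; the hardening choices and the finding codes are the example's own.

```python
"""Audit and harden an smb.conf written in the anonymous read-only style.

Added example, not code from the Samba-3 by Example book or from the
Samba project. It parses [global] and share sections the way smbd reads
them (parameter names are case- and whitespace-insensitive, 'writable'
is the inverse of 'read only', last setting wins), flags what a reviewer
would question on a guest-only server, and emits a hardened equivalent.
"""
import re

# Example 1.1 from the page, embedded so the audit runs offline.
DRAFTING_SMB_CONF = """\
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE

[Plans]
path = /plans
read only = Yes
guest ok = Yes
"""


def _norm(name):
    """'ReadOnly', 'read only' and 'READ ONLY' are one parameter to smbd."""
    return " ".join(name.split()).lower()


def is_true(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {param: value}}; section names keep their case."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # parameter outside any section: smbd warns, we skip it
        key, value = (part.strip() for part in line.split("=", 1))
        key = _norm(key)
        if key in ("writable", "writeable", "write ok"):
            conf[section]["read only"] = "No" if is_true(value) else "Yes"
        else:
            conf[section][key] = value
    return conf


def _global(conf):
    return next((v for k, v in conf.items() if k.lower() == "global"), {})


def audit(text):
    """Return (section, code, message) findings for a guest-only file server."""
    conf = parse_smb_conf(text)
    g = _global(conf)
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "SECURITY_SHARE_REMOVED",
                         "security = share was removed in Samba 4.0; use "
                         "security = user with map to guest = Bad User"))
    if "hosts allow" not in g:
        findings.append(("global", "NO_HOST_RESTRICTION",
                         "no hosts allow: any host reaching TCP 139/445 may connect"))
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        if is_true(share.get("guest ok", "No")) and not is_true(share.get("read only", "Yes")):
            findings.append((name, "GUEST_WRITABLE", "anonymous users can write to this share"))
    return findings


def harden(text, lan_prefix):
    """Rewrite text for Samba 4+: user security with guest mapping, LAN-only access."""
    conf = parse_smb_conf(text)
    g = dict(_global(conf))
    g.update({
        "security": "user",
        "map to guest": "Bad User",           # unknown users become the guest account
        "hosts allow": "127. " + lan_prefix,  # loopback plus the office LAN
        "hosts deny": "ALL",
    })
    out = ["[global]"] + ["%s = %s" % kv for kv in g.items()]
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        out += ["", "[%s]" % name] + ["%s = %s" % kv for kv in share.items()]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(DRAFTING_SMB_CONF):
        print("%-7s %-23s %s" % finding)
    print(harden(DRAFTING_SMB_CONF, "192.168.1."))
```

The hardened output keeps the share read-only and guest-accessible, so the smbclient checks above still succeed; what changes is that hosts outside 192.168.1.0/24 are refused and the configuration loads on Samba 4 and later.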
|---|
| 196 | </p></li></ol></div></div></div><div class="sect2" title="Charity Administration Office"><div class="titlepage"><div><div><h3 class="title"><a name="id323803"></a>Charity Administration Office</h3></div></div></div><p> | 
|---|
| 197 | The fictitious charity organization is called <span class="emphasis"><em>Abmas Vision NL</em></span>. This office | 
|---|
| 198 | has five networked computers. Staff are all volunteers, and staff changes are frequent. | 
|---|
| 199 | Ms. Amy May, the director of operations, wants a no-hassle network. Anyone should be able to | 
|---|
| 200 | use any PC. Only two Windows applications are used: a custom funds tracking and management package | 
|---|
| 201 | that stores all files on the central server and Microsoft Word. The office prepares mail-out | 
|---|
| 202 | letters, invitations, and thank-you notes. All files must be stored in perpetuity. | 
|---|
| 203 | The custom funds tracking and management (FTM) software is configured to use a server named | 
|---|
| 204 | <code class="constant">SERVER</code>, a share named <code class="constant">FTMFILES</code>, and a printer queue | 
|---|
| 205 | named <code class="constant">PRINTQ</code> that uses preprinted stationery, thus demanding a | 
|---|
| 206 | dedicated printer. This printer does not need to be mapped to a local printer on the workstations. | 
|---|
| 207 | </p><p> | 
|---|
| 208 | The FTM software has been in use since the days of Windows 3.11. The software was configured | 
|---|
| 209 | by the vendor, who has since gone out of business. The identities of the file | 
|---|
| 210 | server and the printer are hard-coded in a configuration file that was created using a | 
|---|
| 211 | setup tool that the vendor did not provide to Abmas Vision NL or to its predecessors. In order to avoid risk of | 
|---|
| 212 | any incompatibilities, the share name and the name of the target print queue must be set | 
|---|
| 213 | precisely as the application expects. Share names and print queue names | 
|---|
| 214 | should be treated as case insensitive (i.e., case does not matter), but Abmas Vision advises | 
|---|
| 215 | that if the share name is not in uppercase, the application claims it cannot find the | 
|---|
| 216 | file share. | 
|---|
| 218 | </p><p> | 
|---|
| 219 | <a class="indexterm" name="id323847"></a> | 
|---|
| 220 | <a class="indexterm" name="id323854"></a> | 
|---|
| 221 | Printer handling in Samba is a frequent source of confusion. Samba presents to the | 
|---|
| 222 | MS Windows client only a print queue. The Samba <code class="literal">smbd</code> process passes a | 
|---|
| 223 | print job sent to it from the Windows client to the native UNIX printing system. The native | 
|---|
| 224 | UNIX printing system (spooler) places the job in a print queue from which it is | 
|---|
| 225 | delivered to the printer. In this book, network diagrams refer to a printer by the name | 
|---|
| 226 | of the print queue that services that printer. It does not matter what the fully qualified | 
|---|
| 227 | name (or the hostname) of a network-attached printer is. The UNIX print spooler is configured | 
|---|
| 228 | to correctly deliver all jobs to the printer. | 
|---|
| 229 | </p><p> | 
|---|
| 230 | This organization has a policy forbidding use of privately owned computers on site as a measure | 
|---|
| 231 | to prevent leakage of confidential information. Only the five PCs owned by Abmas Vision NL are | 
|---|
| 232 | used on this network. | 
|---|
| 233 | </p><p> | 
|---|
| 234 | <a class="indexterm" name="id323879"></a> | 
|---|
| 235 | The central server was donated by a local computer store. It is a dual processor Pentium-III | 
|---|
| 236 | server, has 1GB RAM, a 3-Ware IDE RAID Controller that has four 200GB IDE hard drives, and a | 
|---|
| 237 | 100-base-T network card. The office has 100-base-T permanent network connections that go to | 
|---|
| 238 | a central hub, and all equipment is new. The five network computers all are equipped with Microsoft | 
|---|
| 239 | Windows Me. Funding is limited, so the server has no operating system on it. You have approval | 
|---|
| 240 | to install Samba on Linux, provided it works without problems. There are two HP LaserJet | 
|---|
| 241 | 5 PS printers that are network connected.  The second printer is to be used for general | 
|---|
| 242 | office and letter printing. Your recommendation to allow only the Linux server to print directly | 
|---|
| 243 | to the printers was accepted. You have supplied SUSE Linux Enterprise Server 9 and | 
|---|
| 244 | have upgraded Samba to version 3.0.20. | 
|---|
| 245 | </p><div class="sect3" title="Dissection and Discussion"><div class="titlepage"><div><div><h4 class="title"><a name="id323894"></a>Dissection and Discussion</h4></div></div></div><p> | 
|---|
| 246 | <a class="indexterm" name="id323902"></a> | 
|---|
| 247 | <a class="indexterm" name="id323908"></a> | 
|---|
| 248 | <a class="indexterm" name="id323914"></a> | 
|---|
| 249 | <a class="indexterm" name="id323920"></a> | 
|---|
| 250 | This installation demands simplicity. Frequent turnover of volunteer staff indicates that | 
|---|
| 251 | a network environment that requires users to log on might be problematic. It is suggested that the | 
|---|
| 252 | best solution for this office would be one where the user can log onto any PC with any username | 
|---|
| 253 | and password. Samba can accommodate an office like this by using the <em class="parameter"><code>force user</code></em> | 
|---|
| 254 | parameter in share and printer definitions. Using the <em class="parameter"><code>force user</code></em> | 
|---|
| 255 | parameter ensures that all files are owned by the same user identifier (UID) and thus that there | 
|---|
| 256 | will never be a problem with file access due to file permissions. Additionally, you elect | 
|---|
| 257 | to use the <em class="parameter"><code>nt acl support = No</code></em> option so that Windows clients cannot set | 
|---|
| 258 | POSIX access control lists on any file or directory. This prevents | 
|---|
| 259 | an inadvertent ACL from overriding the intended file permissions. | 
|---|
| 260 | </p><p> | 
|---|
| 261 | <a class="indexterm" name="id323953"></a> | 
|---|
| 262 | <a class="indexterm" name="id323959"></a> | 
|---|
| 263 | <a class="indexterm" name="id323965"></a> | 
|---|
| 264 | This organization is a prime candidate for Share Mode security. The <em class="parameter"><code>force user</code></em> | 
|---|
| 265 | parameter causes all files to be owned by the same user and group. In addition, it would not hurt to | 
|---|
| 266 | set the SGID bit on the shared directories. This means that all new files and subdirectories, no matter | 
|---|
| 267 | who creates them, belong to the group of the directory in which they are created. (On Linux the kernel ignores the SUID bit on a directory, so uniform file ownership comes from <em class="parameter"><code>force user</code></em> alone.) | 
|---|
| 268 | For further information regarding the significance of the SUID/SGID settings, see <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#ch12-SUIDSGID" title="Effect of Setting File and Directory SUID/SGID Permissions Explained">“Effect of Setting File and Directory SUID/SGID Permissions Explained”</a>. | 
|---|
| 269 | </p><p> | 
|---|
| 270 | <a class="indexterm" name="id323994"></a> | 
|---|
| 271 | <a class="indexterm" name="id324000"></a> | 
|---|
| 272 | <a class="indexterm" name="id324009"></a> | 
|---|
| 273 | <a class="indexterm" name="id324015"></a> | 
|---|
| 274 | All client workstations print to a print queue on the server. This ensures that print jobs | 
|---|
| 275 | continue to print in the event that a user shuts down the workstation immediately after | 
|---|
| 276 | sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based printing. | 
|---|
| 277 | Older Linux systems offered a choice between the LPRng printing system or CUPS. It appears, however, | 
|---|
| 278 | that CUPS has become the leading UNIX printing technology. | 
|---|
| 279 | </p><p> | 
|---|
| 280 | <a class="indexterm" name="id324028"></a> | 
|---|
| 281 | The print queues are set up as <code class="constant">Raw</code> devices, which means that CUPS will | 
|---|
| 282 | not do intelligent print processing, and vendor-supplied drivers must be installed locally on the | 
|---|
| 283 | Windows clients. | 
|---|
| 284 | </p><p> | 
|---|
| 285 | The hypothetical software, FTM, is representative of | 
|---|
| 286 | custom-built software that directly uses a NetBIOS interface. Most such software originated in | 
|---|
| 287 | the days of MS/PC DOS. NetBIOS names are uppercase (and functionally are case insensitive), | 
|---|
| 288 | so some old software applications would permit only uppercase names to be entered. | 
|---|
| 289 | Some such applications were later ported to MS Windows but retain the uppercase network | 
|---|
| 290 | resource naming conventions because customers are familiar with that. We made the decision | 
|---|
| 291 | to name shares and print queues for this application in uppercase for the same reason. | 
|---|
| 292 | Samba itself would not care if we were to use lowercase names, but that decision might create a need | 
|---|
| 293 | to retrain staff, something best avoided at this time. | 
|---|
| 294 | </p><p> | 
|---|
| 295 | NetBIOS networking does not print directly to a printer. Instead, all printing is done to a | 
|---|
| 296 | print queue. The print spooling system is responsible for communicating with the physical | 
|---|
| 297 | printer. In this example, therefore, the resource called <code class="constant">PRINTQ</code> | 
|---|
| 298 | really is just a print queue. The name of the print queue is representative of | 
|---|
| 299 | the device to which the print spooler delivers print jobs. | 
|---|
| 300 | </p></div><div class="sect3" title="Implementation"><div class="titlepage"><div><div><h4 class="title"><a name="id324064"></a>Implementation</h4></div></div></div><p> | 
|---|
| 301 | It is assumed that the server is fully installed and ready for configuration of | 
|---|
| 302 | Samba 3.0.20 and for necessary support files. All TCP/IP addresses should be hard-coded. | 
|---|
| 303 | In our case, the IP address of the Samba server is 192.168.1.1 and the netmask is | 
|---|
| 304 | 255.255.255.0. The hostname of the server used is <code class="constant">server</code>. | 
|---|
| 305 | The office network is built as shown in <a class="link" href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">“Charity Administration Office Network”</a>. | 
|---|
| 306 | </p><div class="figure"><a name="charitynet"></a><p class="title"><b>Figure 1.1. Charity Administration Office Network</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/Charity-Network.png" width="432" alt="Charity Administration Office Network"></div></div></div><br class="figure-break"><div class="procedure" title="Procedure 1.3. Samba Server Configuration"><a name="id324118"></a><p class="title"><b>Procedure 1.3. Samba Server Configuration</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 307 | <a class="indexterm" name="id324129"></a> | 
|---|
| 308 | Create a group account for office file storage: | 
|---|
| 309 | </p><pre class="screen"> | 
|---|
| 310 | <code class="prompt">root# </code> groupadd office | 
|---|
| 311 | </pre><p> | 
|---|
| 312 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 313 | <a class="indexterm" name="id324152"></a> | 
|---|
| 314 | <a class="indexterm" name="id324158"></a> | 
|---|
| 315 | Create a user account for office file storage: | 
|---|
| 316 | </p><pre class="screen"> | 
|---|
| 317 | <code class="prompt">root# </code> useradd -m abmas | 
|---|
| 318 | <code class="prompt">root# </code> passwd abmas | 
|---|
| 319 | Changing password for abmas. | 
|---|
| 320 | New password: XXXXXXXX | 
|---|
| 321 | Re-enter new password: XXXXXXXX | 
|---|
| 322 | Password changed | 
|---|
| 323 | </pre><p> | 
|---|
| 324 | where XXXXXXXX is a secret password. This account exists only to own files on the server; it should not be used for interactive logins. | 
|---|
| 325 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 326 | Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB | 
|---|
| 327 | drives as a single RAID level 5 array of three drives, with the fourth drive set aside as the hot spare. | 
|---|
| 328 | (Refer to the 3-Ware RAID Controller Manual for the manufacturer's preferred procedure.) | 
|---|
| 329 | The resulting drive has a capacity of approximately 400GB of usable space (three drives, one of them holding parity). | 
|---|
| 330 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 331 | <a class="indexterm" name="id324197"></a> | 
|---|
| 332 | Create a mount point for the file system that can be used to store all data files. | 
|---|
| 333 | Create a directory called <code class="filename">/data</code>: | 
|---|
| 334 | </p><pre class="screen"> | 
|---|
| 335 | <code class="prompt">root# </code> mkdir /data | 
|---|
| 336 | <code class="prompt">root# </code> chmod 755 /data | 
|---|
| 337 | </pre><p> | 
|---|
| 338 | The 755 permissions on this directory (mount point) permit the owner to read, write, and execute, | 
|---|
| 339 | and the group and everyone else to read and execute only. | 
|---|
| 340 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 341 | Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct | 
|---|
| 342 | procedures) to format the partition with a suitable file system. The reiserfs file system | 
|---|
| 343 | is suitable. Configure this drive to automount using the <code class="filename">/data</code> | 
|---|
| 344 | directory as the mount point. It must be mounted before proceeding. | 
|---|
| 345 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 346 | Under the directory called <code class="filename">/data</code>, create two directories | 
|---|
| 347 | named <code class="filename">ftmfiles</code> and <code class="filename">officefiles</code>, and set | 
|---|
| 348 | ownership and permissions: | 
|---|
| 349 | </p><pre class="screen"> | 
|---|
| 350 | <code class="prompt">root# </code> mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}} | 
|---|
| 351 | <code class="prompt">root# </code> chown -R abmas:office /data | 
|---|
| 352 | <code class="prompt">root# </code> chmod -R ug+rwxs,o-w,o+rx /data | 
|---|
| 353 | </pre><p> | 
|---|
| 354 | These demonstrate compound operations. The <code class="literal">mkdir</code> command | 
|---|
| 355 | creates in one step these directories: | 
|---|
| 356 | </p><pre class="programlisting"> | 
|---|
| 357 | /data/ftmfiles | 
|---|
| 358 | /data/officefiles | 
|---|
| 359 | /data/officefiles/letters | 
|---|
| 360 | /data/officefiles/invitations | 
|---|
| 361 | /data/officefiles/misc | 
|---|
| 362 | </pre><p> | 
|---|
| 363 | <a class="indexterm" name="id324296"></a> | 
|---|
| 364 | The <code class="literal">chown</code> operation sets the owner to the user <code class="constant">abmas</code> | 
|---|
| 365 | and the group to <code class="constant">office</code> on all directories just created.  It recursively | 
|---|
| 366 | sets the permissions so that the owner and group have SUID/SGID with read, write, and execute | 
|---|
| 367 | permission, and everyone else has read and execute permission. This means that all files and | 
|---|
| 368 | directories are created with the same owner and group as the directory in which they are | 
|---|
| 369 | created. Any new directories created still have the same owner, group, and permissions as the | 
|---|
| 370 | directory they are in. This should eliminate all permissions-based file access problems.  For | 
|---|
| 371 | more information on this subject, refer to TOSHARG2<sup>[<a name="id324318" href="#ftn.id324318" class="footnote">3</a>]</sup> or refer | 
|---|
| 372 | to the UNIX man page for the <code class="literal">chmod</code> and the <code class="literal">chown</code> commands. | 
|---|
| 373 | </p></li><li class="step" title="Step 7"><p> | 
|---|
| 374 | Install the <code class="filename">smb.conf</code> file shown in <a class="link" href="simple.html#charity-smbconfnew" title="Example 1.2. Charity Administration Office smb.conf New-style File">“Charity Administration Office smb.conf New-style File”</a> in the | 
|---|
| 375 | <code class="filename">/etc/samba</code> directory. This newer <code class="filename">smb.conf</code> file uses user-mode security | 
|---|
| 376 | and is more suited to the mode of operation of Samba-3 than the older share-mode security | 
|---|
| 377 | configuration that was shown in the first edition of this book. | 
|---|
| 378 | </p><p> | 
|---|
| 379 | Note: If you want to use the older-style configuration that uses share-mode security, you | 
|---|
| 380 | can install the file shown in <a class="link" href="simple.html#charity-smbconf" title="Example 1.3. Charity Administration Office smb.conf Old-style File">“Charity Administration Office smb.conf Old-style File”</a> in the | 
|---|
| 381 | <code class="filename">/etc/samba</code> directory. | 
|---|
| 382 | </p></li><li class="step" title="Step 8"><p> | 
|---|
| 383 | <a class="indexterm" name="id324382"></a> | 
|---|
| 384 | We must ensure that the <code class="literal">smbd</code> can resolve the name of the Samba | 
|---|
| 385 | server to its IP address. Verify that the <code class="filename">/etc/hosts</code> file | 
|---|
| 386 | contains the following entry: | 
|---|
| 387 | </p><pre class="screen"> | 
|---|
| 388 | 192.168.1.1     server | 
|---|
| 389 | </pre><p> | 
|---|
| 390 | </p></li><li class="step" title="Step 9"><p> | 
|---|
| 391 | Configure the printers with the IP address as shown in <a class="link" href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">“Charity Administration Office Network”</a>. | 
|---|
| 392 | Follow the instructions in the manufacturer's manual to permit printing to port 9100 | 
|---|
| 393 | so that the CUPS spooler can print using raw mode protocols. | 
|---|
| 394 | </p></li><li class="step" title="Step 10"><p> | 
|---|
| 395 | <a class="indexterm" name="id324423"></a> | 
|---|
| 396 | Configure the CUPS Print Queues: | 
|---|
| 397 | </p><pre class="screen"> | 
|---|
| 398 | <code class="prompt">root# </code> lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E | 
|---|
| 399 | <code class="prompt">root# </code> lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E | 
|---|
| 400 | </pre><p> | 
|---|
| 401 | This creates the necessary print queues with no assigned print filter. | 
|---|
| 402 | </p></li><li class="step" title="Step 11"><p> | 
|---|
| 403 | <a class="indexterm" name="id324452"></a> | 
|---|
| 404 | <a class="indexterm" name="id324459"></a> | 
|---|
| 405 | <a class="indexterm" name="id324465"></a> | 
|---|
| 406 | Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: | 
|---|
| 407 | </p><pre class="screen"> | 
|---|
| 408 | application/octet-stream     application/vnd.cups-raw      0     - | 
|---|
| 409 | </pre><p> | 
|---|
| 410 | </p></li><li class="step" title="Step 12"><p> | 
|---|
| 411 | <a class="indexterm" name="id324488"></a> | 
|---|
| 412 | Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: | 
|---|
| 413 | </p><pre class="screen"> | 
|---|
| 414 | application/octet-stream | 
|---|
| 415 | </pre><p> | 
|---|
| 416 | </p></li><li class="step" title="Step 13"><p> | 
|---|
| 417 | <a class="indexterm" name="id324511"></a> | 
|---|
| 418 | Use the standard system tool to start Samba and CUPS and to configure them to restart | 
|---|
| 419 | automatically at every system reboot. For example, | 
|---|
| 420 | </p><p> | 
|---|
| 421 | <a class="indexterm" name="id324522"></a> | 
|---|
| 422 | <a class="indexterm" name="id324528"></a> | 
|---|
| 423 | <a class="indexterm" name="id324535"></a> | 
|---|
| 424 | </p><pre class="screen"> | 
|---|
| 425 | <code class="prompt">root# </code> chkconfig smb on | 
|---|
| 426 | <code class="prompt">root# </code> chkconfig cups on | 
|---|
| 427 | <code class="prompt">root# </code> /etc/rc.d/init.d/smb restart | 
|---|
| 428 | <code class="prompt">root# </code> /etc/rc.d/init.d/cups restart | 
|---|
| 429 | </pre><p> | 
|---|
| 430 | </p></li></ol></div><div class="example"><a name="charity-smbconfnew"></a><p class="title"><b>Example 1.2. Charity Administration Office <code class="filename">smb.conf</code> New-style File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global Parameters - Newer Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324598"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id324609"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id324619"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id324630"></a><em class="parameter"><code>map to guest = Bad User</code></em></td></tr><tr><td><a class="indexterm" name="id324640"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id324650"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id324669"></a><em class="parameter"><code>comment = Funds Tracking & Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id324680"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id324690"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id324700"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id324711"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id324721"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id324732"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id324750"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id324761"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id324771"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id324782"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id324792"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id324802"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324813"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id324832"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id324842"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id324852"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324863"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324873"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324884"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="charity-smbconf"></a><p class="title"><b>Example 1.3. 
Charity Administration Office <code class="filename">smb.conf</code> Old-style File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global Parameters - Older Style Configuration</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id324924"></a><em class="parameter"><code>workgroup = MIDEARTH</code></em></td></tr><tr><td><a class="indexterm" name="id324935"></a><em class="parameter"><code>security = SHARE</code></em></td></tr><tr><td><a class="indexterm" name="id324945"></a><em class="parameter"><code>printing = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id324956"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id324966"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id324976"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id324987"></a><em class="parameter"><code>wins support = yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[FTMFILES]</code></em></td></tr><tr><td><a class="indexterm" name="id325006"></a><em class="parameter"><code>comment = Funds Tracking & Management Files</code></em></td></tr><tr><td><a class="indexterm" name="id325016"></a><em class="parameter"><code>path = /data/ftmfiles</code></em></td></tr><tr><td><a class="indexterm" name="id325026"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id325037"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id325047"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id325058"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a 
class="indexterm" name="id325068"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[office]</code></em></td></tr><tr><td><a class="indexterm" name="id325087"></a><em class="parameter"><code>comment = General Office Files</code></em></td></tr><tr><td><a class="indexterm" name="id325097"></a><em class="parameter"><code>path = /data/officefiles</code></em></td></tr><tr><td><a class="indexterm" name="id325108"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id325118"></a><em class="parameter"><code>force user = abmas</code></em></td></tr><tr><td><a class="indexterm" name="id325128"></a><em class="parameter"><code>force group = office</code></em></td></tr><tr><td><a class="indexterm" name="id325139"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325149"></a><em class="parameter"><code>nt acl support = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id325168"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id325178"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id325189"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325199"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325210"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id325220"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="procedure" title="Procedure 1.4. 
Windows Client Configuration"><a name="id325232"></a><p class="title"><b>Procedure 1.4. Windows Client Configuration</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 431 | Configure clients to the network settings shown in <a class="link" href="simple.html#charitynet" title="Figure 1.1. Charity Administration Office Network">“Charity Administration Office Network”</a>. | 
|---|
| 432 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 433 | Ensure that the netmask used on the Windows clients matches that used | 
|---|
| 434 | for the Samba server. All clients must have the same netmask, such as | 
|---|
| 435 | <code class="constant">255.255.255.0</code>. | 
|---|
| 436 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 437 | <a class="indexterm" name="id325264"></a> | 
|---|
| 438 | On all Windows clients, set the WINS Server address to <code class="constant">192.168.1.1</code>, | 
|---|
| 439 | the IP address of the server. | 
|---|
| 440 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 441 | Set the workgroup name on all clients to <code class="constant">MIDEARTH</code>. | 
|---|
| 442 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 443 | <a class="indexterm" name="id325290"></a> | 
|---|
| 444 | Install the <span class="quote">“<span class="quote">Client for Microsoft Networks.</span>”</span> Ensure that the only option | 
|---|
| 445 | enabled in its properties is the option <span class="quote">“<span class="quote">Logon and restore network connections.</span>”</span> | 
|---|
| 446 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 447 | Click <span class="guibutton">OK</span> when you are prompted to reboot the system. Reboot the | 
|---|
| 448 | system, then log on using any username and password you choose. | 
|---|
| 449 | </p></li><li class="step" title="Step 7"><p> | 
|---|
| 450 | <a class="indexterm" name="id325322"></a> | 
|---|
| 451 | Verify on each client that the machine called <code class="constant">SERVER</code> | 
|---|
| 452 | is visible in <span class="guimenu">My Network Places</span>, that it is | 
|---|
| 453 | possible to connect to it and see the share <span class="guimenuitem">office</span>, | 
|---|
| 454 | and that it is possible to open that share to reveal its contents. | 
|---|
| 455 | </p></li><li class="step" title="Step 8"><p> | 
|---|
| 456 | <a class="indexterm" name="id325350"></a> | 
|---|
| 457 | <a class="indexterm" name="id325356"></a> | 
|---|
| 458 | Disable password caching on all Windows 9x/Me machines using the registry change file | 
|---|
| 459 | shown in <a class="link" href="simple.html#MEreg" title="Example 1.4. Windows Me Registry Edit File: Disable Password Caching">“Windows Me Registry Edit File: Disable Password Caching”</a>. Be sure to remove all files that have the | 
|---|
| 460 | <code class="filename">PWL</code> extension that are in the <code class="filename">C:\WINDOWS</code> | 
|---|
| 461 | directory. | 
|---|
| 462 | </p><div class="example"><a name="MEreg"></a><p class="title"><b>Example 1.4. Windows Me Registry Edit File: Disable Password Caching</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 463 | REGEDIT4 | 
|---|
| 464 |  | 
|---|
| 465 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network] | 
|---|
| 467 | "DisablePwdCaching"=dword:00000001 | 
|---|
| 468 | </pre></div></div><p><br class="example-break"> | 
|---|
| 469 | The best way to apply this change is to save the patch in a file called | 
|---|
| 470 | <code class="filename">ME-dpwc.reg</code> and then execute: | 
|---|
| 471 | </p><pre class="screen"> | 
|---|
| 472 | C:\WINDOWS&gt; regedit ME-dpwc.reg | 
|---|
| 473 | </pre><p> | 
|---|
| 474 | </p></li><li class="step" title="Step 9"><p> | 
|---|
| 475 | Instruct all users to log onto the workstation using a name and password of their own | 
|---|
| 476 | choosing. The Samba server has been | 
|---|
| 477 | configured to ignore the username and password given. | 
|---|
| 478 | </p></li><li class="step" title="Step 10"><p> | 
|---|
| 479 | On each Windows Me workstation, configure a network drive mapping to drive <code class="filename">G:</code> | 
|---|
| 480 | that redirects to the uniform naming convention (UNC) resource | 
|---|
| 481 | <code class="filename">\\server\office</code>. Make this a permanent drive connection: | 
|---|
| 482 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 10.1"><p> | 
|---|
| 483 | Right-click <span class="guimenu">My Network</span> → <span class="guimenuitem">Map Network Drive...</span> | 
|---|
| 484 | </p></li><li class="step" title="Step 10.2"><p> | 
|---|
| 485 | In the box labeled <span class="quote">“<span class="quote">Drive:</span>”</span>, type G. | 
|---|
| 486 | </p></li><li class="step" title="Step 10.3"><p> | 
|---|
| 487 | In the box labeled <span class="quote">“<span class="quote">Path:</span>”</span>, enter | 
|---|
| 488 | <code class="filename">\\server\office</code>. | 
|---|
| 489 | </p></li><li class="step" title="Step 10.4"><p> | 
|---|
| 490 | Click <span class="guimenuitem">Reconnect at logon</span>. | 
|---|
| 491 | Click <span class="guibutton">OK</span>. | 
|---|
| 492 | </p></li></ol></div></li><li class="step" title="Step 11"><p> | 
|---|
| 493 | On each workstation, install the FTM software following the | 
|---|
| 494 | manufacturer's instructions. | 
|---|
| 495 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 11.1"><p> | 
|---|
| 496 | During installation, you are prompted for the name of the Windows 98 | 
|---|
| 497 | server. Enter the name <code class="constant">SERVER</code>. | 
|---|
| 498 | </p></li><li class="step" title="Step 11.2"><p> | 
|---|
| 499 | You are prompted for the name of the data share. | 
|---|
| 500 | The prompt defaults to <code class="constant">FTMFILES</code>. Press enter to accept the default value. | 
|---|
| 501 | </p></li><li class="step" title="Step 11.3"><p> | 
|---|
| 502 | You are now prompted for the print queue name. The default is built from the | 
|---|
| 503 | server name you entered, <code class="constant">SERVER</code>, as follows: | 
|---|
| 504 | <code class="constant">\\SERVER\PRINTQ</code>. Accept the default and press Enter to | 
|---|
| 505 | continue. The software now completes the installation. | 
|---|
| 506 | </p></li></ol></div></li><li class="step" title="Step 12"><p> | 
|---|
| 507 | Install an office automation software package of the customer's choice. Either Microsoft | 
|---|
| 508 | Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may | 
|---|
| 509 | need to perform. Repeat this on each workstation. | 
|---|
| 510 | </p></li><li class="step" title="Step 13"><p> | 
|---|
| 511 | Install a printer on each workstation using the following steps: | 
|---|
| 512 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 13.1"><p> | 
|---|
| 513 | Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>. | 
|---|
| 514 | Ensure that <span class="guimenuitem">Local printer</span> is selected. | 
|---|
| 515 | </p></li><li class="step" title="Step 13.2"><p> | 
|---|
| 516 | Click <span class="guibutton">Next</span>. In the Manufacturer: panel, select | 
|---|
| 517 | <code class="constant">HP</code>. In the Printers: panel, select the printer called | 
|---|
| 518 | <code class="constant">HP LaserJet 5/5M Postscript</code>. Click <span class="guibutton">Next</span>. | 
|---|
| 519 | </p></li><li class="step" title="Step 13.3"><p> | 
|---|
| 520 | In the Available ports: panel, select <code class="constant">FILE:</code>. Accept the | 
|---|
| 521 | default printer name by clicking <span class="guibutton">Next</span>. When asked, | 
|---|
| 522 | <span class="quote">“<span class="quote">Would you like to print a test page?</span>”</span>, click | 
|---|
| 523 | <span class="guimenuitem">No</span>. Click <span class="guibutton">Finish</span>. | 
|---|
| 524 | </p></li><li class="step" title="Step 13.4"><p> | 
|---|
| 525 | You may be prompted for the name of a file to print to. If so, close the | 
|---|
| 526 | dialog panel. Right-click <span class="guiicon">HP LaserJet 5/5M Postscript</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>. | 
|---|
| 527 | </p></li><li class="step" title="Step 13.5"><p> | 
|---|
| 528 | In the Network panel, enter the name of | 
|---|
| 529 | the print queue on the Samba server as follows: <code class="constant">\\SERVER\hplj5</code>. | 
|---|
| 530 | Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation. | 
|---|
| 531 | </p></li><li class="step" title="Step 13.6"><p> | 
|---|
| 532 | It is a good idea to test the functionality of the complete installation before | 
|---|
| 533 | handing the newly configured network over to the Charity Administration Office | 
|---|
| 534 | for production use. | 
|---|
| 535 | </p></li></ol></div></li></ol></div></div><div class="sect3" title="Validation"><div class="titlepage"><div><div><h4 class="title"><a name="id325734"></a>Validation</h4></div></div></div><p> | 
|---|
| 536 | Use the same validation process as was followed in <a class="link" href="simple.html#validate1" title="Validation">“Validation”</a>. | 
|---|
| 537 | </p></div></div><div class="sect2" title="Accounting Office"><div class="titlepage"><div><div><h3 class="title"><a name="AccountingOffice"></a>Accounting Office</h3></div></div></div><p> | 
|---|
| 538 | Abmas Accounting is a 40-year-old family-run business. There are nine permanent | 
|---|
| 539 | computer users. The network clients were upgraded two years ago. All computers run Windows 2000 | 
|---|
| 540 | Professional. This year the server will be upgraded from an old Windows NT4 server (actually | 
|---|
| 541 | running Windows NT4 Workstation, which worked fine for fewer than 10 users) that has | 
|---|
| 542 | run in workgroup (standalone) mode, to a new Linux server running Samba. | 
|---|
| 543 | </p><p> | 
|---|
| 544 | The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows 2000 Professional | 
|---|
| 545 | clients running as workgroup machines so that any staff member can take a machine home and keep | 
|---|
| 546 | working.  It has worked well so far, and your task is to replace the old server. All users have | 
|---|
| 547 | their own workstation logon (you configured it that way when the machines were installed). | 
|---|
| 548 | Mr. Meany wants the new system to operate the same way as the old Windows NT4 server: users | 
|---|
| 549 | cannot access each other's files, but he can access everyone's files. Each person's work files are | 
|---|
| 550 | in a separate share on the server. Users log on to their Windows workstation with their username | 
|---|
| 551 | and enter an assigned password; they do not need to enter a password when accessing their files | 
|---|
| 552 | on the server. | 
|---|
| 553 | </p><p> | 
|---|
| 554 | <a class="indexterm" name="id325783"></a> | 
|---|
| 555 | The new server will run Red Hat Fedora Core2. You should install Samba-3.0.20 and | 
|---|
| 556 | copy all files from the old system to the new one. The existing Windows NT4 server has a parallel | 
|---|
| 557 | port HP LaserJet 4 printer that is shared by all. The printer driver is installed on each | 
|---|
| 558 | workstation. You must not change anything on the workstations. Mr. Meany gave instructions to | 
|---|
| 559 | replace the server, <span class="quote">“<span class="quote">but leave everything else alone to avoid staff unrest.</span>”</span> | 
|---|
| 560 | </p><p> | 
|---|
| 561 | You have tried to educate Mr. Meany and found that he has no desire to understand networking. | 
|---|
| 562 | He believes that Windows for Workgroups 3.11 was <span class="quote">“<span class="quote">the best server Microsoft ever sold</span>”</span> | 
|---|
| 563 | and that Windows NT and 2000 are <span class="quote">“<span class="quote">too fang-dangled complex!</span>”</span> | 
|---|
| 564 | </p><div class="sect3" title="Dissection and Discussion"><div class="titlepage"><div><div><h4 class="title"><a name="id325807"></a>Dissection and Discussion</h4></div></div></div><p> | 
|---|
| 565 | <a class="indexterm" name="id325814"></a> | 
|---|
| 566 | The requirements of this network installation are not unusual. The staff are not interested in the | 
|---|
| 567 | details of networking. Passwords are never changed. In this example solution, we demonstrate the use | 
|---|
| 568 | of User Mode security in a simple context. Directories should be set SGID to ensure that members | 
|---|
| 569 | of a common group can access the contents. Each user has his or her own share to which only they | 
|---|
| 570 | can connect. Mr. Meany's share will be a top-level directory above the share point for each employee. | 
|---|
| 571 | Mr. Meany is a member of the same group as his staff and can access their work files. | 
|---|
| 572 | The well-used HP LaserJet 4 is available as a service called <code class="constant">hplj</code>. | 
|---|
| 573 | </p><p> | 
|---|
| 574 | You have finished configuring the new hardware and have just completed installation of Red Hat | 
|---|
| 575 | Fedora Core2. Roll up your sleeves and let's get to work. | 
|---|
| 576 | </p></div><div class="sect3" title="Implementation"><div class="titlepage"><div><div><h4 class="title"><a name="AcctgNet"></a>Implementation</h4></div></div></div><p> | 
|---|
| 577 | The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation, so it | 
|---|
| 578 | cannot be running as a WINS server. It is best that the new configuration preserves the same | 
|---|
| 579 | configuration. The office does not use Internet access, so security really is not an issue. | 
|---|
| 580 | </p><p> | 
|---|
| 581 | The core information regarding the users, their passwords, the directory share point, and the | 
|---|
| 582 | share name is given in <a class="link" href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">“Accounting Office Network Information”</a>. The overall network topology is shown in | 
|---|
| 583 | <a class="link" href="simple.html#acctingnet2" title="Figure 1.2. Accounting Office Network Topology">“Accounting Office Network Topology”</a>. All machines have been configured as indicated prior to the | 
|---|
| 584 | start of Samba configuration. The following prescriptive steps may now commence. | 
|---|
| 585 | </p><div class="figure"><a name="acctingnet2"></a><p class="title"><b>Figure 1.2. Accounting Office Network Topology</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/AccountingNetwork.png" width="459" alt="Accounting Office Network Topology"></div></div></div><br class="figure-break"><div class="table"><a name="acctingnet"></a><p class="title"><b>Table 1.1. Accounting Office Network Information</b></p><div class="table-contents"><table summary="Accounting Office Network Information" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"><col align="left"></colgroup><thead><tr><th align="left">User</th><th align="left">Login-ID</th><th align="left">Password</th><th align="left">Share Name</th><th align="left">Directory</th><th align="left">Wkst</th></tr></thead><tbody><tr><td align="left">Alan Meany</td><td align="left">alan</td><td align="left">alm1961</td><td align="left">alan</td><td align="left">/data</td><td align="left">PC1</td></tr><tr><td align="left">James Meany</td><td align="left">james</td><td align="left">jimm1962</td><td align="left">james</td><td align="left">/data/james</td><td align="left">PC2</td></tr><tr><td align="left">Jeannie Meany</td><td align="left">jeannie</td><td align="left">jema1965</td><td align="left">jeannie</td><td align="left">/data/jeannie</td><td align="left">PC3</td></tr><tr><td align="left">Suzy Millicent</td><td align="left">suzy</td><td align="left">suzy1967</td><td align="left">suzy</td><td align="left">/data/suzy</td><td align="left">PC4</td></tr><tr><td align="left">Ursula Jenning</td><td align="left">ujen</td><td align="left">ujen1974</td><td align="left">ursula</td><td align="left">/data/ursula</td><td align="left">PC5</td></tr><tr><td align="left">Peter Pan</td><td align="left">peter</td><td align="left">pete1984</td><td align="left">peter</td><td align="left">/data/peter</td><td align="left">PC6</td></tr><tr><td 
align="left">Dale Roland</td><td align="left">dale</td><td align="left">dale1986</td><td align="left">dale</td><td align="left">/data/dale</td><td align="left">PC7</td></tr><tr><td align="left">Bertrand E Paoletti</td><td align="left">eric</td><td align="left">eric1993</td><td align="left">eric</td><td align="left">/data/eric</td><td align="left">PC8</td></tr><tr><td align="left">Russell Lewis</td><td align="left">russ</td><td align="left">russ2001</td><td align="left">russell</td><td align="left">/data/russ</td><td align="left">PC9</td></tr></tbody></table></div></div><br class="table-break"><div class="procedure" title="Procedure 1.5. Migration from Windows NT4 Workstation System to Samba-3"><a name="id326171"></a><p class="title"><b>Procedure 1.5. Migration from Windows NT4 Workstation System to Samba-3</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p><a class="indexterm" name="id326181"></a> | 
|---|
| 586 | Rename the old server from <code class="constant">CASHPOOL</code> to <code class="constant">STABLE</code> | 
|---|
| 587 | by logging onto the console as the <code class="constant">Administrator</code>. Restart the machine | 
|---|
| 588 | following system prompts. | 
|---|
| 589 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 590 | Name the new server <code class="constant">CASHPOOL</code> using the standard configuration method. | 
|---|
| 591 | Restart the machine following system prompts. | 
|---|
| 592 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 593 | Install the latest Samba-3 binary Red Hat Linux RPM that is available from the | 
|---|
| 594 | Samba FTP site. Check the package's signature (<code class="constant">rpm --checksig</code>, with the Samba signing key imported) before installing it. | 
|---|
| 595 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 596 | <a class="indexterm" name="id326223"></a> | 
|---|
| 597 | <a class="indexterm" name="id326230"></a> | 
|---|
| 598 | Add a group account for the office to use. Execute the following: | 
|---|
| 599 | </p><pre class="screen"> | 
|---|
| 600 | <code class="prompt">root# </code> groupadd accts | 
|---|
| 601 | </pre><p> | 
|---|
| 602 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 603 | Install the <code class="filename">smb.conf</code> file shown<sup>[<a name="id326258" href="#ftn.id326258" class="footnote">4</a>]</sup> | 
|---|
| 604 | in <a class="link" href="simple.html#acctconf" title="Example 1.5. Accounting Office Network smb.conf Old Style Configuration File">“Accounting Office Network smb.conf Old Style Configuration File”</a>. | 
|---|
| 605 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 606 | <a class="indexterm" name="id326289"></a> | 
|---|
| 607 | <a class="indexterm" name="id326296"></a> | 
|---|
| 608 | <a class="indexterm" name="id326302"></a> | 
|---|
| 609 | For each user who uses this system (see <a class="link" href="simple.html#acctingnet" title="Table 1.1. Accounting Office Network Information">“Accounting Office Network Information”</a>), | 
|---|
| 610 | execute the following: | 
|---|
| 611 | </p><pre class="screen"> | 
|---|
| 612 | <code class="prompt">root# </code> useradd -m -G accts -c "Name of User" "LoginID" | 
|---|
| 613 | <code class="prompt">root# </code> passwd "LoginID" | 
|---|
| 614 | Changing password for user "LoginID" | 
|---|
| 615 | New Password: XXXXXXXXX <-- the password from the table | 
|---|
| 616 | Retype new password: XXXXXXXXX | 
|---|
| 617 | <code class="prompt">root# </code> smbpasswd -a "LoginID" | 
|---|
| 618 | New SMB password: XXXXXXXXX <-- the password from the table | 
|---|
| 619 | Retype new SMB password: XXXXXXXXX | 
|---|
| 620 | Added user "LoginID" | 
|---|
| 621 | </pre><p> | 
|---|
| 622 | </p></li><li class="step" title="Step 7"><p> | 
|---|
| 623 | <a class="indexterm" name="id326344"></a> | 
|---|
| 624 | Create the directory structure for the file shares by executing the following: | 
|---|
| 625 | </p><pre class="screen"> | 
|---|
| 626 | <code class="prompt">root# </code> mkdir -p /data | 
|---|
| 627 | <code class="prompt">root# </code> chown alan /data | 
|---|
| 628 | <code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ | 
|---|
| 629 | > do | 
|---|
| 630 | >    mkdir -p /data/$i | 
|---|
| 631 | >    chown $i /data/$i | 
|---|
| 632 | > done | 
|---|
| 633 | <code class="prompt">root# </code> chgrp -R accts /data | 
|---|
| 634 | <code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data | 
|---|
| 635 | </pre><p> | 
|---|
| 636 | The data storage structure is now prepared for use. Note that the recursive chmod sets the setuid and setgid bits on regular files as well as on the directories. Only the setgid bit on the directories does useful work here (files created by any member of <code class="constant">accts</code> inherit that group); the setuid bit on a directory is ignored by Linux, and neither bit belongs on data files. | 
|---|
| 637 | </p></li><li class="step" title="Step 8"><p> | 
|---|
| 638 | <a class="indexterm" name="id326390"></a> | 
|---|
| 639 | Configure the CUPS Print Queues: | 
|---|
| 640 | </p><pre class="screen"> | 
|---|
| 641 | <code class="prompt">root# </code> lpadmin -p hplj -v parallel:/dev/lp0 -E | 
|---|
| 642 | </pre><p> | 
|---|
| 643 | This creates the necessary print queues with no assigned print filter. | 
|---|
| 644 | </p></li><li class="step" title="Step 9"><p> | 
|---|
| 645 | <a class="indexterm" name="id326414"></a> | 
|---|
| 646 | <a class="indexterm" name="id326420"></a> | 
|---|
| 647 | Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line: | 
|---|
| 648 | </p><pre class="screen"> | 
|---|
| 649 | application/octet-stream     application/vnd.cups-raw      0     - | 
|---|
| 650 | </pre><p> | 
|---|
| 651 | </p></li><li class="step" title="Step 10"><p> | 
|---|
| 652 | <a class="indexterm" name="id326444"></a> | 
|---|
| 653 | <a class="indexterm" name="id326450"></a> | 
|---|
| 654 | Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line: | 
|---|
| 655 | </p><pre class="screen"> | 
|---|
| 656 | application/octet-stream | 
|---|
| 657 | </pre><p> | 
|---|
| 658 | </p></li><li class="step" title="Step 11"><p> | 
|---|
| 659 | <a class="indexterm" name="id326473"></a> | 
|---|
| 660 | Use the standard system tool to start Samba and CUPS and to configure them to restart | 
|---|
| 661 | automatically at every system reboot. For example, | 
|---|
| 662 | </p><p> | 
|---|
| 663 | <a class="indexterm" name="id326484"></a> | 
|---|
| 664 | <a class="indexterm" name="id326490"></a> | 
|---|
| 665 | <a class="indexterm" name="id326497"></a> | 
|---|
| 666 | </p><pre class="screen"> | 
|---|
| 667 | <code class="prompt">root# </code> chkconfig smb on | 
|---|
| 668 | <code class="prompt">root# </code> chkconfig cups on | 
|---|
| 669 | <code class="prompt">root# </code> /etc/rc.d/init.d/smb restart | 
|---|
| 670 | <code class="prompt">root# </code> /etc/rc.d/init.d/cups restart | 
|---|
| 671 | </pre><p> | 
|---|
| 672 | </p></li><li class="step" title="Step 12"><p> | 
|---|
| 673 | On Alan's workstation, use Windows Explorer to migrate the files from the old server | 
|---|
| 674 | to the new server. The new server should appear in the <span class="guimenu">Network Neighborhood</span> | 
|---|
| 675 | with the name of the old server (<code class="constant">CASHPOOL</code>). | 
|---|
| 676 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 12.1"><p> | 
|---|
| 677 | Log on to Alan's workstation as the user <code class="constant">alan</code>. | 
|---|
| 678 | </p></li><li class="step" title="Step 12.2"><p> | 
|---|
| 679 | Launch a second instance of Windows Explorer and navigate to the share called | 
|---|
| 680 | <span class="guiicon">files</span> on the server called <span class="guimenu">STABLE</span>. | 
|---|
| 681 | </p></li><li class="step" title="Step 12.3"><p> | 
|---|
| 682 | Click in the right panel, and press <span class="guimenu">Ctrl-A</span> to select all files and | 
|---|
| 683 | directories. Press <span class="guimenu">Ctrl-C</span> to instruct Windows that you wish to | 
|---|
| 684 | copy all selected items. | 
|---|
| 685 | </p></li><li class="step" title="Step 12.4"><p> | 
|---|
| 686 | Launch the Windows Explorer, and navigate to the share called <span class="guiicon">master</span> | 
|---|
| 687 | on the server called <span class="guimenu">CASHPOOL</span>. (The <span class="guiicon">files</span> share resolves to <code class="filename">/data/%U</code>, which for <code class="constant">alan</code> is <code class="filename">/data/alan</code>, a directory that Step 7 does not create; <span class="guiicon">master</span> is the whole <code class="filename">/data</code> tree and is restricted to <code class="constant">alan</code>.) Click in the right panel, and then press | 
|---|
| 688 | <span class="guimenu">Ctrl-V</span> to commence the copying process. | 
|---|
| 689 | </p></li></ol></div></li><li class="step" title="Step 13"><p> | 
|---|
| 690 | Verify that the files are being copied correctly from the Windows NT4 machine to the Samba-3 server. | 
|---|
| 691 | This is best done on the Samba-3 server. Check the contents of the directory tree under | 
|---|
| 692 | <code class="filename">/data</code> by executing the following command: | 
|---|
| 693 | </p><pre class="screen"> | 
|---|
| 694 | <code class="prompt">root# </code> ls -aR /data | 
|---|
| 695 | </pre><p> | 
|---|
| 696 | Make certain to check the ownership and permissions on all files. If in doubt, execute the following: | 
|---|
| 697 | </p><pre class="screen"> | 
|---|
| 698 | <code class="prompt">root# </code> chown alan /data | 
|---|
| 699 | <code class="prompt">root# </code> for i in james suzy ujen peter dale eric jeannie russ | 
|---|
| 700 | > do | 
|---|
| 701 | >    chown $i /data/$i | 
|---|
| 702 | > done | 
|---|
| 703 | <code class="prompt">root# </code> chgrp -R accts /data | 
|---|
| 704 | <code class="prompt">root# </code> chmod -R ug+rwxs,o-r+x /data | 
|---|
| 705 | </pre><p> | 
|---|
| 706 | </p></li><li class="step" title="Step 14"><p> | 
|---|
| 707 | The migration of all data should now be complete. It is time to validate the installation. | 
|---|
| 708 | For this, you should make sure all applications, including printing, work before asking the | 
|---|
| 709 | customer to test drive the new network. | 
|---|
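Steps 4 through 7 as one script, added here as an example; it is not part of the book and not Samba's own tooling. It assumes the accounts of Table 1.1 with the directories Step 7 creates (since `path = /data/%U`, `ujen` gets `/data/ujen` and `russ` gets `/data/russ`), a Linux host with shadow-utils (`useradd`, `usermod`, `chpasswd`) and Samba's `smbpasswd`, and a root-only file (`/root/accts.passwd`, an assumed path) holding `login:password` lines so that the passwords from the table are fed on stdin instead of being typed on a command line, where any local user could read them from the process list. Two departures from the interactive steps are deliberate: the script is idempotent (re-running it only adds a missing account to `accts`), and it sets `2770` on directories only, so no setuid bit lands on files and nothing is opened to other local users. `PROVISION_APPLY`, `PASSWORD_FILE` and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): Steps 4 to 7 of the migration as one script.
# Assumptions: the accounts of Table 1.1 with directories as Step 7 creates them,
# a Linux host with shadow-utils (useradd, usermod, chpasswd) and Samba's smbpasswd,
# and a root-only file (default /root/accts.passwd, mode 0600, an assumed path)
# holding "login:password" lines. Dry run by default: set PROVISION_APPLY=1 and
# run as root to apply.
set -u

OFFICE_GROUP=accts
: "${PROVISION_APPLY:=0}"
: "${PASSWORD_FILE:=/root/accts.passwd}"

# Constructed from Table 1.1: login:directory:full name (alan owns /data itself).
ACCOUNTS='alan:/data:Alan Meany
james:/data/james:James Meany
jeannie:/data/jeannie:Jeannie Meany
suzy:/data/suzy:Suzy Millicent
ujen:/data/ujen:Ursula Jenning
peter:/data/peter:Peter Pan
dale:/data/dale:Dale Roland
eric:/data/eric:Bertrand E Paoletti
russ:/data/russ:Russell Lewis'

# show: print a command line, quoting arguments that contain spaces or metacharacters.
show() {
    out=
    for a; do
        case $a in
            *[!A-Za-z0-9_./:=-]*) out="$out '$a'" ;;
            *) out="$out $a" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# run: execute the command, or only print it in dry-run mode.
run() {
    if [ "$PROVISION_APPLY" = 1 ]; then "$@"; else show "$@"; fi
}

# run_stdin: like run, but the first argument is text fed to the command on stdin.
# Secrets travel this way so they never appear on a command line (visible in ps).
run_stdin() {
    input=$1; shift
    if [ "$PROVISION_APPLY" = 1 ]; then
        printf '%s\n' "$input" | "$@"
    else
        printf '%s   # secret supplied on stdin, not shown\n' "$(show "$@")"
    fi
}

# exists_in passwd|group NAME: true if the account or group is already present.
exists_in() {
    if command -v getent >/dev/null 2>&1; then getent "$1" "$2" >/dev/null 2>&1
    else grep -q "^$2:" "/etc/$1"; fi
}

# password_for LOGIN: the password from PASSWORD_FILE, or empty if none is listed.
password_for() {
    [ -r "$PASSWORD_FILE" ] || return 0
    grep "^$1:" "$PASSWORD_FILE" | head -n 1 | cut -d: -f2-
}

ensure_group() {   # Step 4
    exists_in group "$OFFICE_GROUP" || run groupadd "$OFFICE_GROUP"
}

ensure_user() {    # Step 6, account part; an existing account only joins the group
    if exists_in passwd "$1"; then run usermod -a -G "$OFFICE_GROUP" "$1"
    else run useradd -m -G "$OFFICE_GROUP" -c "$2" "$1"; fi
}

set_passwords() {  # Step 6, password part: UNIX and SMB passwords, both from stdin
    pw=$(password_for "$1")
    if [ -z "$pw" ]; then
        printf 'warning: no password for %s in %s, skipped\n' "$1" "$PASSWORD_FILE" >&2
        return 0
    fi
    run_stdin "$1:$pw" chpasswd
    run_stdin "$(printf '%s\n%s' "$pw" "$pw")" smbpasswd -s -a "$1"
}

make_dir() {       # Step 7: $1 login, $2 directory
    run mkdir -p "$2"
    run chown "$1:$OFFICE_GROUP" "$2"
    # 2770: owner and group read/write/search, setgid so new files inherit the office
    # group, nothing for others. Unlike "chmod -R ug+rwxs,o-r+x" this sets no setuid
    # bit and does not touch files already inside the directory.
    run chmod 2770 "$2"
}

provision() {
    ensure_group
    printf '%s\n' "$ACCOUNTS" | while IFS=: read -r login dir name; do
        ensure_user "$login" "$name"
        set_passwords "$login"
        make_dir "$login" "$dir"
    done
}

if [ "$PROVISION_APPLY" = 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo 'PROVISION_APPLY=1 needs root' >&2
    exit 1
fi
case ${1:-} in --run) provision ;; esac
```

`sh provision.sh --run` prints the plan without touching the system; `PROVISION_APPLY=1 sh provision.sh --run` as root applies it. Nothing in the printed plan ever contains a password.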
| 710 | </p></li></ol></div><div class="example"><a name="acctconf"></a><p class="title"><b>Example 1.5. Accounting Office Network <code class="filename">smb.conf</code> Old Style Configuration File</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id326708"></a><em class="parameter"><code>workgroup = BILLMORE</code></em></td></tr><tr><td><a class="indexterm" name="id326718"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id326729"></a><em class="parameter"><code>disable spoolss = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326739"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id326750"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[files]</code></em></td></tr><tr><td><a class="indexterm" name="id326768"></a><em class="parameter"><code>comment = Work area files</code></em></td></tr><tr><td><a class="indexterm" name="id326779"></a><em class="parameter"><code>path = /data/%U</code></em></td></tr><tr><td><a class="indexterm" name="id326789"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[master]</code></em></td></tr><tr><td><a class="indexterm" name="id326808"></a><em class="parameter"><code>comment = Master work area files</code></em></td></tr><tr><td><a class="indexterm" name="id326818"></a><em class="parameter"><code>path = /data</code></em></td></tr><tr><td><a class="indexterm" name="id326829"></a><em class="parameter"><code>valid users = alan</code></em></td></tr><tr><td><a class="indexterm" name="id326839"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id326858"></a><em class="parameter"><code>comment = Print Temporary Spool Configuration</code></em></td></tr><tr><td><a class="indexterm" name="id326868"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id326879"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326889"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326900"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id326910"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id326925"></a>Questions and Answers</h2></div></div></div><p> | 
|---|
| 711 | The following questions and answers draw from the examples in this chapter. | 
|---|
| 712 | Many design decisions are impacted by the configurations chosen. The intent | 
|---|
| 713 | is to expose some of the hidden implications. | 
|---|
| 714 | </p><div class="qandaset" title="Frequently Asked Questions"><a name="id326935"></a><dl><dt> <a href="simple.html#id326941"> | 
|---|
| 715 | What makes an anonymous Samba server more simple than a non-anonymous Samba server? | 
|---|
| 716 | </a></dt><dt> <a href="simple.html#id326964"> | 
|---|
| 717 | How is the operation of the parameter force user different from | 
|---|
| 718 | setting the root directory of the share SUID? | 
|---|
| 719 | </a></dt><dt> <a href="simple.html#id327008"> | 
|---|
| 720 | When would you both use the per share parameter force user and set | 
|---|
| 721 | the share root directory SUID? | 
|---|
| 722 | </a></dt><dt> <a href="simple.html#id327031"> | 
|---|
| 723 | What is better about CUPS printing than LPRng printing? | 
|---|
| 724 | </a></dt><dt> <a href="simple.html#id327065"> | 
|---|
| 725 | When should Windows client IP addresses be hard-coded? | 
|---|
| 726 | </a></dt><dt> <a href="simple.html#id327086"> | 
|---|
| 727 | Under what circumstances is it best to use a DHCP server? | 
|---|
| 728 | </a></dt><dt> <a href="simple.html#id327117"> | 
|---|
| 729 | What is the purpose of setting the parameter guest ok on a share? | 
|---|
| 730 | </a></dt><dt> <a href="simple.html#id327140"> | 
|---|
| 731 | When would you set the global parameter disable spoolss? | 
|---|
| 732 | </a></dt><dt> <a href="simple.html#id327209"> | 
|---|
| 733 | Why would you disable password caching on Windows 9x/Me clients? | 
|---|
| 734 | </a></dt><dt> <a href="simple.html#id327230"> | 
|---|
| 735 | The example of Abmas Accounting uses User Mode security. How does this provide anonymous access? | 
|---|
| 736 | </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id326941"></a><a name="id326943"></a></td><td align="left" valign="top"><p> | 
|---|
| 737 | What makes an anonymous Samba server more simple than a non-anonymous Samba server? | 
|---|
| 738 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 739 | In the anonymous server, the only account used is the <code class="constant">guest</code> account. | 
|---|
| 740 | In a non-anonymous configuration, it is necessary to add real user accounts to both the | 
|---|
| 741 | UNIX system and to the Samba configuration. Non-anonymous servers require additional | 
|---|
| 742 | administration. | 
|---|
| 743 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id326964"></a><a name="id326966"></a></td><td align="left" valign="top"><p> | 
|---|
| 744 | How is the operation of the parameter <em class="parameter"><code>force user</code></em> different from | 
|---|
| 745 | setting the root directory of the share SUID? | 
|---|
| 746 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 747 | The parameter <em class="parameter"><code>force user</code></em> causes all operations on the share to assume the UID | 
|---|
| 748 | of the forced user. The new default GID that applies is the primary GID of the forced user. | 
|---|
| 749 | This gives all users of this resource the actual privilege of the forced user. | 
|---|
| 750 | </p><p> | 
|---|
| 751 | When a directory is set SGID, files and subdirectories created within it inherit the directory's group instead of the creating user's primary group; that is the bit that keeps a shared tree owned by one office group. The setuid bit on a directory is ignored by Linux (a few UNIX variants can be configured to use it to force new files to be owned by the directory's owner), so where this book speaks of a SUID share directory it is the setgid behavior that does the work. | 
|---|
| 752 | While this happens, the user who is using the share | 
|---|
| 753 | has only the level of privilege he or she is assigned within the operating system context; no other identity is assumed. | 
|---|
| 754 | </p><p> | 
|---|
| 755 | The parameter <em class="parameter"><code>force user</code></em> has potential security implications that go | 
|---|
| 756 | beyond the actual share root directory. Be careful and wary of using this parameter. | 
|---|
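An audit for the bits this answer and Steps 7 and 13 are about, added here as an example (not from the book): it lists regular files carrying setuid or setgid, directories missing setgid, anything open to other local users, and anything outside the office group, and `repair_tree` applies the corrected form of Step 7's recursive chmod. It assumes one office group (`accts` by default) and the intended modes `2770` for directories and `0660` for files; the function names and report labels are this example's own, and only POSIX `find`, `chmod` and `chgrp` are used.

```shell
#!/bin/sh
# Added example, not from the book: audit a shared tree such as /data for the
# mode-bit mistakes discussed in Steps 7 and 13 and in this answer, and repair it.
# Assumptions: one office group (accts by default), the whole tree belongs to it,
# and the intended modes are 2770 on directories and 0660 on files.
# Only POSIX find, chmod and chgrp are used; the audit itself needs no privilege.

# audit_tree ROOT GROUP: one "LABEL path" line per finding, sorted; no output means clean.
audit_tree() {
    root=$1; grp=$2
    {
        # setuid/setgid on regular files: what "chmod -R ug+rwxs" leaves behind.
        # Neither bit does anything useful on a data file.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/FILE-SETID /'
        # setuid on a directory is ignored by Linux; a directory *without* setgid is the
        # real problem, because files other group members create there get their own
        # primary group instead of the office group.
        find "$root" -type d ! -perm -2000 -print | sed 's/^/DIR-NO-SETGID /'
        # Anything readable or writable by "other" is reachable by every local account.
        # (Symbolic links show up here too, since their own mode is world-readable.)
        find "$root" \( -perm -0004 -o -perm -0002 \) -print | sed 's/^/WORLD-ACCESS /'
        # Group ownership outside the office group, e.g. after a restore with tar -p.
        find "$root" ! -group "$grp" -print | sed 's/^/WRONG-GROUP /'
    } | sort
}

# audit_count ROOT GROUP: number of findings as a bare integer.
audit_count() {
    audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# repair_tree ROOT GROUP: the corrected form of Step 7's "chmod -R ug+rwxs,o-r+x":
# setgid on directories only, no setuid anywhere, nothing for "other".
repair_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

case ${1:-} in
    audit)  audit_tree "${2:-/data}" "${3:-accts}"
            [ "$(audit_count "${2:-/data}" "${3:-accts}")" -eq 0 ] ;;
    repair) repair_tree "${2:-/data}" "${3:-accts}" ;;
esac
```

`sh audit.sh audit /data accts` prints the findings and exits non-zero if there are any; `sh audit.sh repair /data accts` (as root) fixes them. Run the audit again after the Step 13 copy, since files written through the share arrive with whatever mode the Samba masks produce.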
| 757 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327008"></a><a name="id327010"></a></td><td align="left" valign="top"><p> | 
|---|
| 758 | When would you both use the per share parameter <em class="parameter"><code>force user</code></em> and set | 
|---|
| 759 | the share root directory SUID? | 
|---|
| 760 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 761 | You would use both when it is necessary to guarantee that all share handling operations | 
|---|
| 762 | are conducted as the forced user, while every file and directory created under the share takes the group of the SGID share root directory | 
|---|
| 763 | rather than the forced user's primary group (and, on systems that honor SUID on directories, its owner as well). | 
|---|
| 764 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327031"></a><a name="id327034"></a></td><td align="left" valign="top"><p> | 
|---|
| 765 | What is better about CUPS printing than LPRng printing? | 
|---|
| 766 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 767 | CUPS is a print spooling system that has integrated remote management facilities, provides completely | 
|---|
| 768 | automated print processing/preprocessing, and can be configured to automatically | 
|---|
| 769 | apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the | 
|---|
| 770 | target printer. CUPS includes an image file RIP that supports printing of image files to | 
|---|
| 771 | non-PostScript printers. CUPS has lots of bells and whistles and is more like a supercharged MS Windows | 
|---|
| 772 | NT/200x print monitor and processor. Its complexity can be eliminated or turbocharged to suit | 
|---|
| 773 | any fancy. | 
|---|
| 774 | </p><p> | 
|---|
| 775 | The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print | 
|---|
| 776 | spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng can be | 
|---|
| 777 | configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd | 
|---|
| 778 | spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd. | 
|---|
| 779 | </p><p> | 
|---|
| 780 | Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to | 
|---|
| 781 | do it and manage it. Most modern Linux systems ship with CUPS as the default print management system. | 
|---|
| 782 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327065"></a><a name="id327067"></a></td><td align="left" valign="top"><p> | 
|---|
| 783 | When should Windows client IP addresses be hard-coded? | 
|---|
| 784 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 785 | When there are few MS Windows clients, little client change, no mobile users, and users are not | 
|---|
| 786 | inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows | 
|---|
| 787 | client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove | 
|---|
| 788 | user ability to access network configuration controls, fixed configuration eliminates the need | 
|---|
| 789 | for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network | 
|---|
| 790 | failure. | 
|---|
| 791 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327086"></a><a name="id327088"></a></td><td align="left" valign="top"><p> | 
|---|
| 792 | Under what circumstances is it best to use a DHCP server? | 
|---|
| 793 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 794 | In network configurations where there are mobile users, or where Windows client PCs move around | 
|---|
| 795 | (particularly between offices or between subnets), it makes complete sense to control all Windows | 
|---|
| 796 | client configurations using a DHCP server. Additionally, when users do tamper with the network | 
|---|
| 797 | settings, DHCP can be used to normalize all client settings. | 
|---|
| 798 | </p><p> | 
|---|
| 799 | One underappreciated benefit of using a DHCP server to assign all network client | 
|---|
| 800 | device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP | 
|---|
| 801 | settings, change network addressing, or enhance the ability of client devices to | 
|---|
| 802 | benefit from new network services. | 
|---|
| 803 | </p><p> | 
|---|
| 804 | Another benefit of modern DHCP servers is their ability to register dynamically | 
|---|
| 805 | assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in | 
|---|
| 806 | a large Windows network environment. | 
|---|
| 807 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327117"></a><a name="id327119"></a></td><td align="left" valign="top"><p> | 
|---|
| 808 | What is the purpose of setting the parameter <em class="parameter"><code>guest ok</code></em> on a share? | 
|---|
| 809 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 810 | If this parameter is set to yes for a service, then no password is required to connect to the service. | 
|---|
| 811 | Privileges are those of the guest account. | 
|---|
| 812 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327140"></a><a name="id327142"></a></td><td align="left" valign="top"><p> | 
|---|
| 813 | When would you set the global parameter <em class="parameter"><code>disable spoolss</code></em>? | 
|---|
| 814 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 815 | Setting this parameter to <code class="constant">Yes</code> disables Samba's support for the SPOOLSS set of | 
|---|
| 816 | MS-RPCs and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to | 
|---|
| 817 | using LanMan style printing commands. Windows 9x/Me are unaffected by the parameter. However, this | 
|---|
| 818 | disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer | 
|---|
| 819 | Wizard or by using the NT printer properties dialog window. It also disables the capability of | 
|---|
| 820 | Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about | 
|---|
| 821 | setting this parameter. | 
|---|
| 822 | </p><p> | 
|---|
| 823 | The alternate parameter <em class="parameter"><code>use client driver</code></em> applies only to Windows NT/200x clients. It has no | 
|---|
| 824 | effect on Windows 95/98/Me clients. When serving a printer to Windows NT/200x clients without first installing a valid | 
|---|
| 825 | printer driver on the Samba host, the client is required to install a local printer driver. From this point on, | 
|---|
| 826 | the client treats the printer as a local printer and not a network printer connection. This is much the same behavior | 
|---|
| 827 | that occurs when <em class="parameter"><code>disable spoolss = yes</code></em>. | 
|---|
| 828 | </p><p> | 
|---|
| 829 | Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client | 
|---|
| 830 | considers the printer to be local, it attempts to issue the <em class="parameter"><code>OpenPrinterEx()</code></em> call requesting | 
|---|
| 831 | access rights associated with the logged on user. If the user possesses local administrator rights but not root | 
|---|
| 832 | privilege on the Samba host (often the case), the <em class="parameter"><code>OpenPrinterEx()</code></em> call fails. The result is | 
|---|
| 833 | that the client now displays an <span class="quote">“<span class="quote">Access Denied; Unable to connect</span>”</span> message in the printer queue window | 
|---|
| 834 | (even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid | 
|---|
| 835 | print driver installed on the Samba server. | 
|---|
| 836 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327209"></a><a name="id327211"></a></td><td align="left" valign="top"><p> | 
|---|
| 837 | Why would you disable password caching on Windows 9x/Me clients? | 
|---|
| 838 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 839 | Windows 9x/Me workstations that are set at default (password caching enabled) store the username and | 
|---|
| 840 | password in <code class="filename">.PWL</code> files located in the Windows directory. Such files can be scavenged (read off a client | 
|---|
| 841 | machine), and the PWL encryption is weak enough to be broken offline, thus revealing the user's access credentials for all systems the user may have accessed. | 
|---|
| 842 | It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled. | 
|---|
| 843 | </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id327230"></a><a name="id327232"></a></td><td align="left" valign="top"><p> | 
|---|
| 844 | The example of Abmas Accounting uses User Mode security. How does this provide anonymous access? | 
|---|
| 845 | </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> | 
|---|
| 846 | The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional, | 
|---|
| 847 | and given that users are logging onto their machines, by default the client attempts to connect to | 
|---|
| 848 | a remote server using the credentials of the currently logged-in user. By ensuring that the user's login ID and | 
|---|
| 849 | password are the same as those set on the Samba server, access is transparent and does not require | 
|---|
| 850 | separate user authentication. | 
|---|
| 851 | </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id323099" href="#id323099" class="para">1</a>] </sup>The examples given mirror those documented | 
|---|
| 852 | in The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 2, Section 2.3.1. You may gain additional | 
|---|
| 853 | insight from the standalone server configurations covered in TOSHARG2, sections 2.3.1.2 through 2.3.1.4. | 
|---|
| 854 | </p></div><div class="footnote"><p><sup>[<a name="ftn.id323243" href="#id323243" class="para">2</a>] </sup> | 
|---|
| 855 | This information is given purely as an example of how data may be stored in such a way that it | 
|---|
| 856 | will be easy to locate records at a later date. The example is not meant to imply any instructions | 
|---|
| 857 | that may be construed as essential to the design of the solution; this is something you will almost | 
|---|
| 858 | certainly want to determine for yourself.</p></div><div class="footnote"><p><sup>[<a name="ftn.id324318" href="#id324318" class="para">3</a>] </sup>The Official Samba-3 HOWTO and | 
|---|
| 859 | Reference Guide, Chapter 15, File, Directory and Share Access Controls.</p></div><div class="footnote"><p><sup>[<a name="ftn.id326258" href="#id326258" class="para">4</a>] </sup>This example uses the | 
|---|
| 860 | <em class="parameter"><code>smbpasswd</code></em> file in an obtuse way, since the use of | 
|---|
| 861 | the <em class="parameter"><code>passdb backend</code></em> has not been specified in the <code class="filename">smb.conf</code> | 
|---|
| 862 | file. This means that you are depending on correct default behavior.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ExNetworks.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="small.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part I. Example Network Configurations </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Small Office Networking</td></tr></table></div></body></html> | 
|---|