Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: vendor/3.5.0/docs/htmldocs/Samba3-ByExample/secure.html

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 125.8 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 3. Secure Office Networking</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="small.html" title="Chapter 2. Small Office Networking"><link rel="next" href="Big500users.html" title="Chapter 4. The 500-User Office"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Secure Office Networking</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="secure"></a>Chapter 3. Secure Office Networking</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="secure.html#id2558563">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2558614">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2558848">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#id2558863">Technical Issues</a></span></dt><dt><span class="sect2"><a href="secure.html#id2559289">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2559329">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="secure.html#ch4bsc">Basic System Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2560183">Samba Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4dhcpdns">Configuration of DHCP and DNS Servers</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4ptrcfg">Printer Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#procstart">Process Startup Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4valid">Validation</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4appscfg">Application Share Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#ch4wincfg">Windows Client Configuration</a></span></dt><dt><span class="sect2"><a href="secure.html#id2564645">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="secure.html#id2564707">Questions and Answers</a></span></dt></dl></div><p>
2	Congratulations, your Samba networking skills are developing nicely. You started out
3	with three simple networks in <a class="link" href="simple.html" title="Chapter 1. No-Frills Samba Servers">“No-Frills Samba Servers”</a>, and then in <a class="link" href="small.html" title="Chapter 2. Small Office Networking">“Small Office Networking”</a>
4	you designed and built a network that provides a high degree of flexibility, integrity,
5	and dependability. It was enough for the basic needs each was designed to fulfill. In
6	this chapter you address a more complex set of needs. The solution you explore
7	introduces you to basic features that are specific to Samba-3.
8	</p><p>
9	You should note that a working and secure solution could be implemented using Samba-2.2.x.
10	In the exercises presented here, you are gradually using more Samba-3-specific features,
11	so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
12	To avoid confusion, this book is all about Samba-3. Let's get the exercises in this
13	chapter underway.
14	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2558563"></a>Introduction</h2></div></div></div><p>
15	You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
16	well done. It is one year since the last network upgrade. You have been quite busy.
17	Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over
18	general network management. Soon she will provide primary user support. You have
19	demonstrated that you can delegate responsibility and can plan and execute according
20	to that plan. Above all, you have shown Mr. Meany that you are a responsible person.
21	Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never
22	expected: You are going to take charge of business operations. Mr. Meany
23	is retiring and has entrusted the business to your capable hands.
24	</p><p>
25	Mr. Meany may be retiring from this company, but not from work. He is taking the
26	opportunity to develop Abmas Accounting into a larger and more substantial company.
27	He says that it took him many years to learn that there is no future in just running
28	a business. He now realizes there is great personal satisfaction in the creation of
29	career opportunities for people in the local community. He wants to do more for others,
30	as he is doing for you. Today he spent a lot of time talking about his grand plan
31	for growth, which you will deal with in the chapters ahead.
32	</p><p>
33	Over the past year, the growth projections were exceeded. The network has grown to
34	meet the needs of 130 users. Along with growth, the demand for improved services
35	and better functionality has also developed. You are about to make an interim
36	improvement and then hand over all Help desk and network maintenance to Christine.
37	Christine has professional certifications in Microsoft Windows as well as in Linux;
38	she is a hard worker and quite likable. Christine does not want to manage the department
39	(although she manages well). She gains job satisfaction when left to sort things out.
40	Occasionally she wants to work with you on a challenging problem. When you told her
41	about your move, she almost resigned, although she was reassured that a new manager would
42	be hired to run Information Technology, and she would be responsible only for operations.
43	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2558614"></a>Assignment Tasks</h3></div></div></div><p>
44	You promised the staff Internet services including Web browsing, electronic mail, virus
45	protection, and a company Web site. Christine is eager to help turn the vision into
46	reality. Let's see how close you can get to the promises made.
47	</p><p>
48	The network you are about to deliver will service 130 users today. Within a year,
49	Abmas will aquire another company. Mr. Meany claims that within 2 years there will be
50	well over 500 users on the network. You have bought into the big picture, so prepare
51	for growth. You have purchased a new server and will implement a new network infrastructure.
52	</p><p>
53	You have decided to not recycle old network components. The only items that will be
54	carried forward are notebook computers. You offered staff new notebooks, but not
55	one person wanted the disruption for what was perceived as a marginal update.
56	You decided to give everyone, even the notebook user, a new desktop computer.
57	</p><p>
58	You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional)
59	and a 10 Mb/sec ethernet port. You registered the domain
60	<code class="constant">abmas.us</code>, and the Internet Service Provider (ISP) is supplying
61	secondary DNS. Information furnished by your ISP is shown in <a class="link" href="secure.html#chap4netid" title="Table 3.1. Abmas.US ISP Information">“Abmas.US ISP Information”</a>.
62	</p><p>
63	It is of paramount priority that under no circumstances will Samba offer
64	service access from an Internet connection. You are paying an ISP to
65	give, as part of its value-added services, full firewall protection for your
66	connection to the outside world. The only services allowed in from
67	the Internet side are the following destination ports: <code class="constant">http/https (ports
68	80 and 443), email (port 25), DNS (port 53)</code>. All Internet traffic
69	will be allowed out after network address translation (NAT). No internal IP addresses
70	are permitted through the NAT filter because complete privacy of internal network
71	operations must be assured.
72	</p><div class="table"><a name="chap4netid"></a><p class="title"><b>Table 3.1. Abmas.US ISP Information</b></p><div class="table-contents"><table summary="Abmas.US ISP Information" border="1"><colgroup><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Parameter</th><th align="center">Value</th></tr></thead><tbody><tr><td align="left">Server IP Address</td><td align="center">123.45.67.66</td></tr><tr><td align="left">DSL Device IP Address</td><td align="center">123.45.67.65</td></tr><tr><td align="left">Network Address</td><td align="center">123.45.67.64/30</td></tr><tr><td align="left">Gateway Address</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Primary DNS Server</td><td align="center">123.45.54.65</td></tr><tr><td align="left">Secondary DNS Server</td><td align="center">123.45.54.32</td></tr><tr><td align="left">Forwarding DNS Server</td><td align="center">123.45.12.23</td></tr></tbody></table></div></div><br class="table-break"><div class="figure"><a name="ch04net"></a><p class="title"><b>Figure 3.1. Abmas Network Topology 130 Users</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap4-net.png" width="351" alt="Abmas Network Topology 130 Users"></div></div></div><br class="figure-break"><p>
73	Christine recommended that desktop systems should be installed from a single cloned
74	master system that has a minimum of locally installed software and loads all software
75	off a central application server. The benefit of having the central application server
76	is that it allows single-point maintenance of all business applications, a more
77	efficient way to manage software. She further recommended installation of antivirus
78	software on workstations as well as on the Samba server. Christine knows the dangers
79	of potential virus infection and insists on a comprehensive approach to detective
80	as well as corrective action to protect network operations.
81	</p><p>
82	A significant concern is the problem of managing company growth. Recently, a number
83	of users had to share a PC while waiting for new machines to arrive. This presented
84	some problems with desktop computers and software installation into the new users'
85	desktop profiles.
86	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2558848"></a>Dissection and Discussion</h2></div></div></div><p>
87	Many of the conclusions you draw here are obvious. Some requirements are not very clear
88	or may simply be your means of drawing the most out of Samba-3. Much can be done more simply
89	than you will demonstrate here, but keep in mind that the network must scale to at least 500
90	users. This means that some functionality will be overdesigned for the current 130-user
91	environment.
92	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2558863"></a>Technical Issues</h3></div></div></div><p>
93	In this exercise we use a 24-bit subnet mask for the two local networks. This,
94	of course, limits our network to a maximum of 253 usable IP addresses. The network
95	address range chosen is one assigned by RFC1918 for private networks.
96	When the number of users on the network begins to approach the limit of usable
97	addresses, it is a good idea to switch to a network address specified in RFC1918
98	in the 172.16.0.0/16 range. This is done in subsequent chapters.
99	</p><p>
100	<a class="indexterm" name="id2558881"></a>
101	<a class="indexterm" name="id2558888"></a>
102	The high growth rates projected are a good reason to use the <code class="constant">tdbsam</code>
103	passdb backend. The use of <code class="constant">smbpasswd</code> for the backend may result in
104	performance problems. The <code class="constant">tdbsam</code> passdb backend offers features that
105	are not available with the older, flat ASCII-based <code class="constant">smbpasswd</code> database.
106	</p><p>
107	<a class="indexterm" name="id2558914"></a>
108	The proposed network design uses a single server to act as an Internet services host for
109	electronic mail, Web serving, remote administrative access via SSH,
110	Samba-based file and print services. This design is often chosen by sites that feel
111	they cannot afford or justify the cost or overhead of having separate servers. It must
112	be realized that if security of this type of server should ever be violated (compromised),
113	the whole network and all data is at risk. Many sites continue to choose this type
114	of solution; therefore, this chapter provides detailed coverage of key implementation
115	aspects.
116	</p><p>
117	Samba will be configured to specifically not operate on the Ethernet interface that is
118	directly connected to the Internet.
119	</p><p>
120	<a class="indexterm" name="id2558939"></a>
121	<a class="indexterm" name="id2558945"></a>
122	<a class="indexterm" name="id2558952"></a>
123	<a class="indexterm" name="id2558960"></a>
124	You know that your ISP is providing full firewall services, but you cannot rely on that.
125	Always assume that human error will occur, so be prepared by using Linux firewall facilities
126	based on <code class="literal">iptables</code> to effect NAT. Block all
127	incoming traffic except to permitted well-known ports. You must also allow incoming packets
128	to establish outgoing connections. You will permit all internal outgoing requests.
129	</p><p>
130	The configuration of Web serving, Web proxy services, electronic mail, and the details of
131	generic antivirus handling are beyond the scope of this book and therefore are not
132	covered except insofar as this affects Samba-3.
133	</p><p>
134	<a class="indexterm" name="id2558989"></a>
135	Notebook computers are configured to use a network login when in the office and a
136	local account to log in while away from the office. Users store all work done in
137	transit (away from the office) by using a local share for work files. Standard procedures
138	dictate that on completion of the work that necessitates mobile file access, all
139	work files are moved back to secure storage on the office server. Staff is instructed
140	to not carry on any company notebook computer any files that are not absolutely required.
141	This is a preventative measure to protect client information as well as private business
142	records.
143	</p><p>
144	<a class="indexterm" name="id2559020"></a>
145	All applications are served from the central server from a share called <code class="constant">apps</code>.
146	Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network
147	(or administrative) installation. Accounting and financial management software can also
148	be run only from the central application server. Notebook users are provided with
149	locally installed applications on a need-to-have basis only.
150	</p><p>
151	<a class="indexterm" name="id2559039"></a>
152	The introduction of roaming profiles support means that users can move between
153	desktop computer systems without constraint while retaining full access to their data.
154	The desktop travels with them as they move.
155	</p><p>
156	<a class="indexterm" name="id2559052"></a>
157	The DNS server implementation must now address both internal and external
158	needs. You forward DNS lookups to your ISP-provided server as well as the
159	<code class="constant">abmas.us</code> external secondary DNS server.
160	</p><p>
161	<a class="indexterm" name="id2559069"></a>
162	<a class="indexterm" name="id2559075"></a>
163	<a class="indexterm" name="id2559083"></a>
164	Compared with the DHCP server configuration in <a class="link" href="small.html" title="Chapter 2. Small Office Networking">“Small Office Networking”</a>, <a class="link" href="small.html#dhcp01" title="Example 2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf">“Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf”</a>, the
165	configuration used in this example has to deal with the presence of an Internet connection.
166	The scope set for it ensures that no DHCP services will be offered on the external
167	connection. All printers are configured as DHCP clients so that the DHCP server assigns
168	the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional
169	feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic
170	DNS (DDNS) operation.
171	</p><p>
172	This is the first implementation that depends on a correctly functioning DNS server.
173	Comprehensive steps are included to provide for a fully functioning DNS server that also
174	is enabled for DDNS operation. This means that DHCP clients can be autoregistered
175	with the DNS server.
176	</p><p>
177	You are taking the opportunity to manually set the netbios name of the Samba server to
178	a name other than what will be automatically resolved. You are doing this to ensure that
179	the machine has the same NetBIOS name on both network segments.
180	</p><p>
181	As in the previous network configuration, printing in this network configuration uses
182	direct raw printing (i.e., no smart printing and no print driver autodownload to Windows
183	clients). Printer drivers are installed on the Windows client manually. This is not
184	a problem because Christine is to install and configure one single workstation and
185	then clone that configuration, using Norton Ghost, to all workstations. Each machine is
186	identical, so this should pose no problem.
187	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2559135"></a>Hardware Requirements</h4></div></div></div><p>
188	<a class="indexterm" name="id2559143"></a>
189	This server runs a considerable number of services. From similarly configured Linux
190	installations, the approximate calculated memory requirements are as shown in
191	<a class="link" href="secure.html#ch4memoryest" title="Example 3.1. Estimation of Memory Requirements">“Estimation of Memory Requirements”</a>.
192
193	</p><div class="example"><a name="ch4memoryest"></a><p class="title"><b>Example 3.1. Estimation of Memory Requirements</b></p><div class="example-contents"><pre class="screen">
194	Application Memory per User 130 Users 500 Users
195	Name (MBytes) Total MBytes Total MBytes
196	----------- --------------- ------------ ------------
197	DHCP 2.5 3 3
198	DNS 16.0 16 16
199	Samba (nmbd) 16.0 16 16
200	Samba (winbind) 16.0 16 16
201	Samba (smbd) 4.0 520 2000
202	Apache 10.0 (20 User) 200 200
203	CUPS 3.5 16 32
204	Basic OS 256.0 256 256
205	-------------- --------------
206	Total: 1043 MBytes 2539 MBytes
207	-------------- --------------
208	</pre></div></div><p><br class="example-break">
209	You should add a safety margin of at least 50% to these estimates. The minimum
210	system memory recommended for initial startup 1 GB, but to permit the system
211	to scale to 500 users, it makes sense to provision the machine with 4 GB memory.
212	An initial configuration with only 1 GB memory would lead to early performance complaints
213	as the system load builds up. Given the low cost of memory, it does not make sense to
214	compromise in this area.
215	</p><p>
216	<a class="indexterm" name="id2559194"></a>
217	Aggregate input/output loads should be considered for sizing network configuration as
218	well as disk subsystems. For network bandwidth calculations, one would typically use an
219	estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec)
220	would deliver below acceptable capacity for the initial user load. It is therefore a good
221	idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached
222	to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T
223	switched ports.
224	</p><p>
225	<a class="indexterm" name="id2559213"></a>
226	<a class="indexterm" name="id2559219"></a>
227	Considering the choice of 1 Gb Ethernet interfaces for the two local network segments,
228	the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O
229	demand that would require a fast disk storage I/O capability. Peak disk throughput is
230	limited by the disk subsystem chosen. It is desirable to provide the maximum
231	I/O bandwidth affordable. If a low-cost solution must be chosen,
232	3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a
233	64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI
234	controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec).
235	Alternative SCSI-based hardware RAID controllers should also be considered. Alternately,
236	it makes sense to purchase well-known, branded hardware that has appropriate performance
237	specifications. As a minimum, one should attempt to provide a disk subsystem that can
238	deliver I/O rates of at least 100 MB/sec.
239	</p><p>
240	Disk storage requirements may be calculated as shown in <a class="link" href="secure.html#ch4diskest" title="Example 3.2. Estimation of Disk Storage Requirements">“Estimation of Disk Storage Requirements”</a>.
241
242	</p><div class="example"><a name="ch4diskest"></a><p class="title"><b>Example 3.2. Estimation of Disk Storage Requirements</b></p><div class="example-contents"><pre class="screen">
243	Corporate Data: 100 MBytes/user per year
244	Email Storage: 500 MBytes/user per year
245	Applications: 5000 MBytes
246	Safety Buffer: At least 50%
247
248	Given 500 Users and 2 years:
249	-----------------------------
250	Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
251	Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
252	Applications: 5000 MBytes = 5 GBytes
253	----------------------------
254	Total: 605 GBytes
255	Add 50% buffer 303 GBytes
256	Recommended Storage: 908 GBytes
257	</pre></div></div><p><br class="example-break">
258	<a class="indexterm" name="id2559277"></a>
259	The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5
260	with two hot spare drives would require an 8-drive by 200 GB capacity per drive array.
261	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2559289"></a>Political Issues</h3></div></div></div><p>
262	Your industry is coming under increasing accountability pressures. Increased paranoia
263	is necessary so you can demonstrate that you have acted with due diligence. You must
264	not trust your Internet connection.
265	</p><p>
266	Apart from permitting more efficient management of business applications through use of
267	an application server, your primary reason for the decision to implement this is that it
268	gives you greater control over software licensing.
269	</p><p>
270	<a class="indexterm" name="id2559311"></a>
271	You are well aware that the current configuration results in some performance issues
272	as the size of the desktop profile grows. Given that users use Microsoft Outlook
273	Express, you know that the storage implications of the <code class="constant">.PST</code> file
274	is something that needs to be addressed later.
275	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2559329"></a>Implementation</h2></div></div></div><p>
276	<a class="link" href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">“Abmas Network Topology 130 Users”</a> demonstrates the overall design of the network that you will implement.
277	</p><p>
278	The information presented here assumes that you are already familiar with many basic steps.
279	As this stands, the details provided already extend well beyond just the necessities of
280	Samba configuration. This decision is deliberate to ensure that key determinants
281	of a successful installation are not overlooked. This is the last case that documents
282	the finite minutiae of DHCP and DNS server configuration. Beyond the information provided
283	here, there are many other good reference books on these subjects.
284	</p><p>
285	The <code class="filename">smb.conf</code> file has the following noteworthy features:
286	</p><div class="itemizedlist"><ul type="disc"><li><p>
287	The NetBIOS name of the Samba server is set to <code class="constant">DIAMOND</code>.
288	</p></li><li><p>
289	The Domain name is set to <code class="constant">PROMISES</code>.
290	</p></li><li><p>
291	<a class="indexterm" name="id2559386"></a>
292	<a class="indexterm" name="id2559392"></a>
293	<a class="indexterm" name="id2559398"></a>
294	Ethernet interface <code class="constant">eth0</code> is attached to the Internet connection
295	and is externally exposed. This interface is explicitly not available for Samba to use.
296	Samba listens on this interface for broadcast messages but does not broadcast any
297	information on <code class="constant">eth0</code>, nor does it accept any connections from it.
298	This is achieved by way of the <em class="parameter"><code>interfaces</code></em> parameter and the
299	<em class="parameter"><code>bind interfaces only</code></em> entry.
300	</p></li><li><p>
301	<a class="indexterm" name="id2559431"></a>
302	<a class="indexterm" name="id2559438"></a>
303	<a class="indexterm" name="id2559444"></a>
304	The <em class="parameter"><code>passdb backend</code></em> parameter specifies the creation and use
305	of the <code class="constant">tdbsam</code> password backend. This is a binary database that
306	has excellent scalability for a large number of user account entries.
307	</p></li><li><p>
308	<a class="indexterm" name="id2559466"></a>
309	<a class="indexterm" name="id2559472"></a>
310	<a class="indexterm" name="id2559478"></a>
311	WINS serving is enabled by the <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = Yes</a>,
312	and name resolution is set to use it by means of the
313	<a class="link" href="smb.conf.5.html#NAMERESOLVEORDER" target="_top">name resolve order = wins bcast hosts</a> entry.
314	</p></li><li><p>
315	<a class="indexterm" name="id2559508"></a>
316	The Samba server is configured for use by Windows clients as a time server.
317	</p></li><li><p>
318	<a class="indexterm" name="id2559520"></a>
319	<a class="indexterm" name="id2559526"></a>
320	<a class="indexterm" name="id2559532"></a>
321	Samba is configured to directly interface with CUPS via the direct internal interface
322	that is provided by CUPS libraries. This is achieved with the
323	<a class="link" href="smb.conf.5.html#PRINTING" target="_top">printing = CUPS</a> as well as the
324	<a class="link" href="smb.conf.5.html#PRINTCAPNAME" target="_top">printcap name = CUPS</a> entries.
325	</p></li><li><p>
326	<a class="indexterm" name="id2559563"></a>
327	<a class="indexterm" name="id2559569"></a>
328	<a class="indexterm" name="id2559576"></a>
329	External interface scripts are provided to enable Samba to interface smoothly to
330	essential operating system functions for user and group management. This is important
331	to enable workstations to join the Domain and is also important so that you can use
332	the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools
333	are provided as part of the <code class="filename">SRVTOOLS.EXE</code> toolkit that can be
334	downloaded from the Microsoft FTP
335	<a class="ulink" href="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" target="_top">site</a>.
336	</p></li><li><p>
337	<a class="indexterm" name="id2559605"></a>
338	The <code class="filename">smb.conf</code> file specifies that the Samba server will operate in (default) <em class="parameter"><code>
339	security = user</code></em> mode<sup>[<a name="id2559623" href="#ftn.id2559623" class="footnote">5</a>]</sup>
340	(User Mode).
341	</p></li><li><p>
342	<a class="indexterm" name="id2559640"></a>
343	<a class="indexterm" name="id2559646"></a>
344	Domain logon services as well as a Domain logon script are specified. The logon script
345	will be used to add robustness to the overall network configuration.
346	</p></li><li><p>
347	<a class="indexterm" name="id2559659"></a>
348	<a class="indexterm" name="id2559665"></a>
349	<a class="indexterm" name="id2559672"></a>
350	Roaming profiles are enabled through the specification of the parameter,
351	<a class="link" href="smb.conf.5.html#LOGONPATH" target="_top">logon path = \\%L\profiles\%U</a>. The value of this parameter translates the
352	<code class="constant">%L</code> to the name by which the Samba server is called by the client (for this
353	configuration, it translates to the name <code class="constant">DIAMOND</code>), and the <code class="constant">%U</code>
354	will translate to the name of the user within the context of the connection made to the profile share.
355	It is the administrator's responsibility to ensure there is a directory in the root of the
356	profile share for each user. This directory must be owned by the user also. An exception to this
357	requirement is when a profile is created for group use.
358	</p></li><li><p>
359	<a class="indexterm" name="id2559712"></a>
360	<a class="indexterm" name="id2559718"></a>
361	Precautionary veto is effected for particular Windows file names that have been targeted by
362	virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking
363	controls. This should help to prevent lock contention-related file access problems.
364	</p></li><li><p>
365	Every user has a private home directory on the UNIX/Linux host. This is mapped to
366	a network drive that is the same for all users.
367	</p></li></ul></div><p>
368	The configuration of the server is the most complex so far. The following steps are used:
369	</p><div class="orderedlist"><ol type="1"><li><p>
370	Basic System Configuration
371	</p></li><li><p>
372	Samba Configuration
373	</p></li><li><p>
374	DHCP and DNS Server Configuration
375	</p></li><li><p>
376	Printer Configuration
377	</p></li><li><p>
378	Process Start-up Configuration
379	</p></li><li><p>
380	Validation
381	</p></li><li><p>
382	Application Share Configuration
383	</p></li><li><p>
384	Windows Client Configuration
385	</p></li></ol></div><p>
386	The following sections cover each step in logical and defined detail.
387	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4bsc"></a>Basic System Configuration</h3></div></div></div><p>
388	<a class="indexterm" name="id2559803"></a>
389	The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been
390	freshly installed. It prepares basic files so that the system is ready for comprehensive
391	operation in line with the network diagram shown in <a class="link" href="secure.html#ch04net" title="Figure 3.1. Abmas Network Topology 130 Users">“Abmas Network Topology 130 Users”</a>.
392	</p><div class="procedure"><a name="id2559820"></a><p class="title"><b>Procedure 3.1. Server Configuration Steps</b></p><ol type="1"><li><p>
393	<a class="indexterm" name="id2559830"></a>
394	Using the UNIX/Linux system tools, name the server <code class="constant">server.abmas.us</code>.
395	Verify that your hostname is correctly set by running:
396	</p><pre class="screen">
397	<code class="prompt">root# </code> uname -n
398	server
399	</pre><p>
400	An alternate method to verify the hostname is:
401	</p><pre class="screen">
402	<code class="prompt">root# </code> hostname -f
403	server.abmas.us
404	</pre><p>
405	</p></li><li><p>
406	<a class="indexterm" name="id2559870"></a>
407	<a class="indexterm" name="id2559877"></a>
408	Edit your <code class="filename">/etc/hosts</code> file to include the primary names and addresses
409	of all network interfaces that are on the host server. This is necessary so that during
410	startup the system can resolve all its own names to the IP address prior to
411	startup of the DNS server. An example of entries that should be in the
412	<code class="filename">/etc/hosts</code> file is:
413	</p><pre class="screen">
414	127.0.0.1 localhost
415	192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
416	192.168.2.1 sleeth2.abmas.biz sleeth2
417	123.45.67.66 server.abmas.us server
418	</pre><p>
419	You should check the startup order of your system. If the CUPS print server is started before
420	the DNS server (<code class="literal">named</code>), you should also include an entry for the printers
421	in the <code class="filename">/etc/hosts</code> file, as follows:
422	</p><pre class="screen">
423	192.168.1.20 qmsa.abmas.biz qmsa
424	192.168.1.30 hplj6a.abmas.biz hplj6a
425	192.168.2.20 qmsf.abmas.biz qmsf
426	192.168.2.30 hplj6f.abmas.biz hplj6f
427	</pre><p>
428	<a class="indexterm" name="id2559928"></a>
429	<a class="indexterm" name="id2559934"></a>
430	<a class="indexterm" name="id2559940"></a>
431	The printer entries are not necessary if <code class="literal">named</code> is started prior to
432	startup of <code class="literal">cupsd</code>, the CUPS daemon.
433	</p></li><li><p>
434	<a class="indexterm" name="id2559965"></a>
435	<a class="indexterm" name="id2559971"></a>
436	<a class="indexterm" name="id2559978"></a>
437	The host server is acting as a router between the two internal network segments as well
438	as for all Internet access. This necessitates that IP forwarding be enabled. This can be
439	achieved by adding to the <code class="filename">/etc/rc.d/boot.local</code> an entry as follows:
440	</p><pre class="screen">
441	echo 1 > /proc/sys/net/ipv4/ip_forward
442	</pre><p>
443	To ensure that your kernel is capable of IP forwarding during configuration, you may
444	wish to execute that command manually also. This setting permits the Linux system to
445	act as a router.<sup>[<a name="id2560004" href="#ftn.id2560004" class="footnote">6</a>]</sup>
446	</p></li><li><p>
447	<a class="indexterm" name="id2560016"></a>
448	<a class="indexterm" name="id2560023"></a>
449	Installation of a basic firewall and NAT facility is necessary.
450	The following script can be installed in the <code class="filename">/usr/local/sbin</code>
451	directory. It is executed from the <code class="filename">/etc/rc.d/boot.local</code> startup
452	script. In your case, this script is called <code class="filename">abmas-netfw.sh</code>. The
453	script contents are shown in <a class="link" href="secure.html#ch4natfw" title="Example 3.3. NAT Firewall Configuration Script">“NAT Firewall Configuration Script”</a>.
454
455	</p><div class="example"><a name="ch4natfw"></a><p class="title"><b>Example 3.3. NAT Firewall Configuration Script</b></p><div class="example-contents"><pre class="screen">
456	#!/bin/sh
457	echo -e "\n\nLoading NAT firewall.\n"
458	IPTABLES=/usr/sbin/iptables
459	EXTIF="eth0"
460	INTIFA="eth1"
461	INTIFB="eth2"
462
463	/sbin/depmod -a
464	/sbin/modprobe ip_tables
465	/sbin/modprobe ip_conntrack
466	/sbin/modprobe ip_conntrack_ftp
467	/sbin/modprobe iptable_nat
468	/sbin/modprobe ip_nat_ftp
469	$IPTABLES -P INPUT DROP
470	$IPTABLES -F INPUT
471	$IPTABLES -P OUTPUT ACCEPT
472	$IPTABLES -F OUTPUT
473	$IPTABLES -P FORWARD DROP
474	$IPTABLES -F FORWARD
475
476	$IPTABLES -A INPUT -i lo -j ACCEPT
477	$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
478	$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
479	$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
480	# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
481	for i in 22 25 53 80 443
482	do
483	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
484	done
485	# Allow DNS(udp)
486	$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
487	echo "Allow all connections OUT and only existing and specified ones IN"
488	$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \
489	--state ESTABLISHED,RELATED -j ACCEPT
490	$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \
491	--state ESTABLISHED,RELATED -j ACCEPT
492	$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
493	$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
494	$IPTABLES -A FORWARD -j LOG
495	echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
496	$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
497	echo "1" > /proc/sys/net/ipv4/ip_forward
498	echo -e "\nNAT firewall done.\n"
499	</pre></div></div><p><br class="example-break">
500	</p></li><li><p>
501	Execute the following to make the script executable:
502	</p><pre class="screen">
503	<code class="prompt">root# </code> chmod 755 /usr/local/sbin/abmas-natfw.sh
504	</pre><p>
505	You must now edit <code class="filename">/etc/rc.d/boot.local</code> to add an entry
506	that runs your <code class="literal">abmas-natfw.sh</code> script. The following
507	entry works for you:
508	</p><pre class="screen">
509	#! /bin/sh
510	#
511	# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
512	# All rights reserved.
513	#
514	# Author: Werner Fink, 1996
515	# Burchard Steinbild, 1996
516	#
517	# /etc/init.d/boot.local
518	#
519	# script with local commands to be executed from init on system startup
520	#
521	# Here you should add things that should happen directly after booting
522	# before we're going to the first run level.
523	#
524	/usr/local/sbin/abmas-natfw.sh
525	</pre><p>
526	</p></li></ol></div><p>
527	<a class="indexterm" name="id2560162"></a>
528	The server is now ready for Samba configuration. During the validation step, you remove
529	the entry for the Samba server <code class="constant">diamond</code> from the <code class="filename">/etc/hosts</code>
530	file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.
531	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2560183"></a>Samba Configuration</h3></div></div></div><p>
532	When you have completed this section, the Samba server is ready for testing and validation;
533	however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have
534	been configured.
535	</p><div class="procedure"><a name="id2560195"></a><p class="title"><b>Procedure 3.2. Samba Configuration Steps</b></p><ol type="1"><li><p>
536	Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary
537	RPM file is called <code class="filename">samba-3.0.20-1.i386.rpm</code>, one way to install this
538	file is as follows:
539	</p><pre class="screen">
540	<code class="prompt">root# </code> rpm -Uvh samba-3.0.20-1.i386.rpm
541	</pre><p>
542	This operation must be performed while logged in as the <code class="literal">root</code> user.
543	Successful operation is clearly indicated. If this installation should fail for any reason,
544	refer to the operating system manufacturer's documentation for guidance.
545	</p></li><li><p>
546	Install the <code class="filename">smb.conf</code> file shown in <a class="link" href="secure.html#promisnet" title="Example 3.4. 130 User Network with tdbsam [globals] Section">“130 User Network with tdbsam [globals] Section”</a>, <a class="link" href="secure.html#promisnetsvca" title="Example 3.5. 130 User Network with tdbsam Services Section Part A">“130 User Network with tdbsam Services Section Part A”</a>,
547	and <a class="link" href="secure.html#promisnetsvcb" title="Example 3.6. 130 User Network with tdbsam Services Section Part B">“130 User Network with tdbsam Services Section Part B”</a>. Concatenate (join) all three files to make a single <code class="filename">smb.conf</code>
548	file. The final, fully qualified path for this file should be <code class="filename">/etc/samba/smb.conf</code>.
549
550	</p><div class="example"><a name="promisnet"></a><p class="title"><b>Example 3.4. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> [globals] Section</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2560301"></a><em class="parameter"><code>workgroup = PROMISES</code></em></td></tr><tr><td><a class="indexterm" name="id2560311"></a><em class="parameter"><code>netbios name = DIAMOND</code></em></td></tr><tr><td><a class="indexterm" name="id2560322"></a><em class="parameter"><code>interfaces = eth1, eth2, lo</code></em></td></tr><tr><td><a class="indexterm" name="id2560332"></a><em class="parameter"><code>bind interfaces only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560342"></a><em class="parameter"><code>passdb backend = tdbsam</code></em></td></tr><tr><td><a class="indexterm" name="id2560353"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560363"></a><em class="parameter"><code>passwd program = /usr/bin/passwd %u</code></em></td></tr><tr><td><a class="indexterm" name="id2560374"></a><em class="parameter"><code>passwd chat = NewPassword* %n\n Re-enternewpassword%n\n Passwordchanged</code></em></td></tr><tr><td><a class="indexterm" name="id2560385"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2560396"></a><em class="parameter"><code>unix password sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560407"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2560417"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2560428"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2560439"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2560449"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2560460"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2560471"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560481"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2560492"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2560503"></a><em class="parameter"><code>add user script = /usr/sbin/useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2560514"></a><em class="parameter"><code>delete user script = /usr/sbin/userdel -r '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2560525"></a><em class="parameter"><code>add group script = /usr/sbin/groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2560536"></a><em class="parameter"><code>delete group script = /usr/sbin/groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2560548"></a><em class="parameter"><code>add user to group script = /usr/sbin/usermod -G '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2560559"></a><em class="parameter"><code>add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2560571"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id2560582"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id2560593"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2560604"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2560616"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2560626"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2560636"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560647"></a><em class="parameter"><code>preferred master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560657"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560668"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560678"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560688"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2560699"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a class="indexterm" name="id2560709"></a><em class="parameter"><code>veto files = /.eml/.nws/.{}/</code></em></td></tr><tr><td><a class="indexterm" name="id2560720"></a><em class="parameter"><code>veto oplock files = /.doc/.xls/.mdb/</code></em></td></tr></table></div></div><p><br class="example-break">
551
552	</p><div class="example"><a name="promisnetsvca"></a><p class="title"><b>Example 3.5. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2560759"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2560770"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2560780"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2560791"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2560809"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2560820"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2560830"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560841"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560851"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560861"></a><em class="parameter"><code>default devmode = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560872"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2560891"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2560901"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2560912"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2560922"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2560941"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2560952"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2560963"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2560973"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2560992"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2561002"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2561013"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><p><br class="example-break">
553
554	</p><div class="example"><a name="promisnetsvcb"></a><p class="title"><b>Example 3.6. 130 User Network with <span class="emphasis"><em>tdbsam</em></span> Services Section Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2561051"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2561062"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2561072"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2561091"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2561102"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2561112"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2561131"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2561141"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2561152"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2561162"></a><em class="parameter"><code>admin users = bjordan</code></em></td></tr></table></div></div><p><br class="example-break">
555	</p></li><li><p>
556	<a class="indexterm" name="id2561180"></a><a class="indexterm" name="id2561185"></a>
557	Add the <code class="constant">root</code> user to the password backend as follows:
558	</p><pre class="screen">
559	<code class="prompt">root# </code> smbpasswd -a root
560	New SMB password: XXXXXXXX
561	Retype new SMB password: XXXXXXXX
562	<code class="prompt">root# </code>
563	</pre><p>
564	The <code class="constant">root</code> account is the UNIX equivalent of the Windows Domain Administrator.
565	This account is essential in the regular maintenance of your Samba server. It must never be
566	deleted. If for any reason the account is deleted, you may not be able to recreate this account
567	without considerable trouble.
568	</p></li><li><p>
569	<a class="indexterm" name="id2561229"></a>
570	Create the username map file to permit the <code class="constant">root</code> account to be called
571	<code class="constant">Administrator</code> from the Windows network environment. To do this, create
572	the file <code class="filename">/etc/samba/smbusers</code> with the following contents:
573	</p><pre class="screen">
574	####
575	# User mapping file
576	####
577	# File Format
578	# -----------
579	# Unix_ID = Windows_ID
580	#
581	# Examples:
582	# root = Administrator
583	# janes = "Jane Smith"
584	# jimbo = Jim Bones
585	#
586	# Note: If the name contains a space it must be double quoted.
587	# In the example above the name 'jimbo' will be mapped to Windows
588	# user names 'Jim' and 'Bones' because the space was not quoted.
589	#######################################################################
590	root = Administrator
591	####
592	# End of File
593	####
594	</pre><p>
595	</p></li><li><p>
596	<a class="indexterm" name="id2561271"></a>
597	<a class="indexterm" name="id2561277"></a>
598	<a class="indexterm" name="id2561288"></a>
599	<a class="indexterm" name="id2561298"></a>
600	Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <a class="link" href="small.html" title="Chapter 2. Small Office Networking">“Small Office Networking”</a>,
601	<a class="link" href="small.html#initGrps" title="Example 2.1. Script to Map Windows NT Groups to UNIX Groups">“Script to Map Windows NT Groups to UNIX Groups”</a>. Create a file containing this script. We called ours
602	<code class="filename">/etc/samba/initGrps.sh</code>. Set this file so it can be executed,
603	and then execute the script. Sample output should be as follows:
604
605	</p><div class="example"><a name="ch4initGrps"></a><p class="title"><b>Example 3.7. Script to Map Windows NT Groups to UNIX Groups</b></p><div class="example-contents"><a class="indexterm" name="id2561336"></a><pre class="screen">
606	#!/bin/bash
607	#
608	# initGrps.sh
609	#
610
611	# Create UNIX groups
612	groupadd acctsdep
613	groupadd finsrvcs
614
615	# Map Windows Domain Groups to UNIX groups
616	net groupmap add ntgroup="Domain Admins" unixgroup=root type=d
617	net groupmap add ntgroup="Domain Users" unixgroup=users type=d
618	net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d
619
620	# Add Functional Domain Groups
621	net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
622	net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
623	net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d
624
625	# Map Windows NT machine local groups to local UNIX groups
626	# Mapping of local groups is not necessary and not functional
627	# for this installation.
628	</pre></div></div><p><br class="example-break">
629
630	</p><pre class="screen">
631	<code class="prompt">root# </code> chmod 755 initGrps.sh
632	<code class="prompt">root# </code> /etc/samba # ./initGrps.sh
633	Updated mapping entry for Domain Admins
634	Updated mapping entry for Domain Users
635	Updated mapping entry for Domain Guests
636	No rid or sid specified, choosing algorithmic mapping
637	Successfully added group Accounts Dept to the mapping db
638	No rid or sid specified, choosing algorithmic mapping
639	Successfully added group Domain Guests to the mapping db
640
641	<code class="prompt">root# </code> /etc/samba # net groupmap list \| sort
642	Account Operators (S-1-5-32-548) -> -1
643	Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
644	Administrators (S-1-5-32-544) -> -1
645	Backup Operators (S-1-5-32-551) -> -1
646	Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
647	Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
648	Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
649	Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
650	Guests (S-1-5-32-546) -> -1
651	Power Users (S-1-5-32-547) -> -1
652	Print Operators (S-1-5-32-550) -> -1
653	Replicators (S-1-5-32-552) -> -1
654	System Operators (S-1-5-32-549) -> -1
655	Users (S-1-5-32-545) -> -1
656	</pre><p>
657	</p></li><li><p>
658	<a class="indexterm" name="id2561409"></a>
659	<a class="indexterm" name="id2561415"></a>
660	<a class="indexterm" name="id2561421"></a>
661	<a class="indexterm" name="id2561427"></a>
662	<a class="indexterm" name="id2561434"></a>
663	<a class="indexterm" name="id2561440"></a>
664	<a class="indexterm" name="id2561448"></a>
665	There is one preparatory step without which you will not have a working Samba
666	network environment. You must add an account for each network user.
667	For each user who needs to be given a Windows Domain account, make an entry in the
668	<code class="filename">/etc/passwd</code> file as well as in the Samba password backend.
669	Use the system tool of your choice to create the UNIX system account, and use the Samba
670	<code class="literal">smbpasswd</code> to create a Domain user account.
671	There are a number of tools for user management under UNIX, such as
672	<code class="literal">useradd</code>, and <code class="literal">adduser</code>, as well as a plethora of custom
673	tools. You also want to create a home directory for each user.
674	You can do this by executing the following steps for each user:
675	</p><pre class="screen">
676	<code class="prompt">root# </code> useradd -m <em class="parameter"><code>username</code></em>
677	<code class="prompt">root# </code> passwd <em class="parameter"><code>username</code></em>
678	Changing password for <em class="parameter"><code>username</code></em>.
679	New password: XXXXXXXX
680	Re-enter new password: XXXXXXXX
681	Password changed
682	<code class="prompt">root# </code> smbpasswd -a <em class="parameter"><code>username</code></em>
683	New SMB password: XXXXXXXX
684	Retype new SMB password: XXXXXXXX
685	Added user <em class="parameter"><code>username</code></em>.
686	</pre><p>
687	You do of course use a valid user login ID in place of <em class="parameter"><code>username</code></em>.
688	</p></li><li><p>
689	<a class="indexterm" name="id2561553"></a>
690	<a class="indexterm" name="id2561561"></a>
691	<a class="indexterm" name="id2561569"></a>
692	Using the preferred tool for your UNIX system, add each user to the UNIX groups created
693	previously as necessary. File system access control will be based on UNIX group membership.
694	</p></li><li><p>
695	Create the directory mount point for the disk subsystem that can be mounted to provide
696	data storage for company files. In this case the mount point is indicated in the <code class="filename">smb.conf</code>
697	file is <code class="filename">/data</code>. Format the file system as required, and mount the formatted
698	file system partition using appropriate system tools.
699	</p></li><li><p>
700	<a class="indexterm" name="id2561609"></a>
701	Create the top-level file storage directories for data and applications as follows:
702	</p><pre class="screen">
703	<code class="prompt">root# </code> mkdir -p /data/{accounts,finsrvcs}
704	<code class="prompt">root# </code> mkdir -p /apps
705	<code class="prompt">root# </code> chown -R root:root /data
706	<code class="prompt">root# </code> chown -R root:root /apps
707	<code class="prompt">root# </code> chown -R bjordan:acctsdep /data/accounts
708	<code class="prompt">root# </code> chown -R bjordan:finsrvcs /data/finsrvcs
709	<code class="prompt">root# </code> chmod -R ug+rwxs,o-rwx /data
710	<code class="prompt">root# </code> chmod -R ug+rwx,o+rx-w /apps
711	</pre><p>
712	Each department is responsible for creating its own directory structure within the departmental
713	share. The directory root of the <code class="literal">accounts</code> share is <code class="filename">/data/accounts</code>.
714	The directory root of the <code class="literal">finsvcs</code> share is <code class="filename">/data/finsvcs</code>.
715	The <code class="filename">/apps</code> directory is the root of the <code class="constant">apps</code> share
716	that provides the application server infrastructure.
717	</p></li><li><p>
718	The <code class="filename">smb.conf</code> file specifies an infrastructure to support roaming profiles and network
719	logon services. You can now create the file system infrastructure to provide the
720	locations on disk that these services require. Adequate planning is essential,
721	since desktop profiles can grow to be quite large. For planning purposes, a minimum of
722	200 MB of storage should be allowed per user for profile storage. The following
723	commands create the directory infrastructure needed:
724	</p><pre class="screen">
725	<code class="prompt">root# </code> mkdir -p /var/spool/samba
726	<code class="prompt">root# </code> mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
727	<code class="prompt">root# </code> chown -R root:root /var/spool/samba
728	<code class="prompt">root# </code> chown -R root:root /var/lib/samba
729	<code class="prompt">root# </code> chmod a+rwxt /var/spool/samba
730	<code class="prompt">root# </code> chmod 2775 /var/lib/samba/profiles
731	<code class="prompt">root# </code> chgrp users /var/lib/samba/profiles
732	</pre><p>
733	For each user account that is created on the system, the following commands should be
734	executed:
735	</p><pre class="screen">
736	<code class="prompt">root# </code> mkdir /var/lib/samba/profiles/'username'
737	<code class="prompt">root# </code> chown 'username':users /var/lib/samba/profiles/'username'
738	<code class="prompt">root# </code> chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username'
739	</pre><p>
740	</p></li><li><p>
741	<a class="indexterm" name="id2561803"></a>
742	<a class="indexterm" name="id2561809"></a>
743	<a class="indexterm" name="id2561815"></a>
744	Create a logon script. It is important that each line is correctly terminated with
745	a carriage return and line-feed combination (i.e., DOS encoding). The following procedure
746	works if the right tools (<code class="constant">unix2dos</code> and <code class="constant">dos2unix</code>) are installed.
747	First, create a file called <code class="filename">/var/lib/samba/netlogon/scripts/logon.bat.unix</code>
748	with the following contents:
749	</p><pre class="screen">
750	net time \\diamond /set /yes
751	net use h: /home
752	net use p: \\diamond\apps
753	</pre><p>
754	Convert the UNIX file to a DOS file using the <code class="literal">unix2dos</code> as shown here:
755	</p><pre class="screen">
756	<code class="prompt">root# </code> unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \
757	> /var/lib/samba/netlogon/scripts/logon.bat
758	</pre><p>
759	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4dhcpdns"></a>Configuration of DHCP and DNS Servers</h3></div></div></div><p>
760	DHCP services are a basic component of the entire network client installation. DNS operation is
761	foundational to Internet access as well as to trouble-free operation of local networking. When
762	you have completed this section, the server should be ready for solid duty operation.
763	</p><div class="procedure"><a name="id2561886"></a><p class="title"><b>Procedure 3.3. DHCP and DNS Server Configuration Steps</b></p><ol type="1"><li><p>
764	<a class="indexterm" name="id2561897"></a>
765	Create a file called <code class="filename">/etc/dhcpd.conf</code> with the contents as
766	shown in <a class="link" href="secure.html#prom-dhcp" title="Example 3.8. DHCP Server Configuration File /etc/dhcpd.conf">“DHCP Server Configuration File /etc/dhcpd.conf”</a>.
767
768	</p><div class="example"><a name="prom-dhcp"></a><p class="title"><b>Example 3.8. DHCP Server Configuration File <code class="filename">/etc/dhcpd.conf</code></b></p><div class="example-contents"><pre class="screen">
769	# Abmas Accounting Inc.
770	default-lease-time 86400;
771	max-lease-time 172800;
772	default-lease-time 86400;
773	option ntp-servers 192.168.1.1;
774	option domain-name "abmas.biz";
775	option domain-name-servers 192.168.1.1, 192.168.2.1;
776	option netbios-name-servers 192.168.1.1, 192.168.2.1;
777	option netbios-node-type 8; ### Node type = Hybrid ###
778	ddns-updates on; ### Dynamic DNS enabled ###
779	ddns-update-style interim;
780
781	subnet 192.168.1.0 netmask 255.255.255.0 {
782	range dynamic-bootp 192.168.1.128 192.168.1.254;
783	option subnet-mask 255.255.255.0;
784	option routers 192.168.1.1;
785	allow unknown-clients;
786	host qmsa {
787	hardware ethernet 08:00:46:7a:35:e4;
788	fixed-address 192.168.1.20;
789	}
790	host hplj6a {
791	hardware ethernet 00:03:47:cb:81:e0;
792	fixed-address 192.168.1.30;
793	}
794	}
795	subnet 192.168.2.0 netmask 255.255.255.0 {
796	range dynamic-bootp 192.168.2.128 192.168.2.254;
797	option subnet-mask 255.255.255.0;
798	option routers 192.168.2.1;
799	allow unknown-clients;
800	host qmsf {
801	hardware ethernet 01:04:31:db:e1:c0;
802	fixed-address 192.168.1.20;
803	}
804	host hplj6f {
805	hardware ethernet 00:03:47:cf:83:e2;
806	fixed-address 192.168.2.30;
807	}
808	}
809	subnet 127.0.0.0 netmask 255.0.0.0 {
810	}
811	subnet 123.45.67.64 netmask 255.255.255.252 {
812	}
813	</pre></div></div><p><br class="example-break">
814	</p></li><li><p>
815	<a class="indexterm" name="id2561972"></a>
816	Create a file called <code class="filename">/etc/named.conf</code> that has the combined contents
817	of the <a class="link" href="secure.html#ch4namedcfg" title="Example 3.9. DNS Master Configuration File /etc/named.conf Master Section">“DNS Master Configuration File /etc/named.conf Master Section”</a>, <a class="link" href="secure.html#ch4namedvarfwd" title="Example 3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section">“DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section”</a>, and
818	<a class="link" href="secure.html#ch4namedvarrev" title="Example 3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section">“DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section”</a> files that are concatenated (merged) in this
819	specific order.
820	</p></li><li><p>
821	Create the files shown in their respective directories as shown in <a class="link" href="secure.html#namedrscfiles" title="Table 3.2. DNS (named) Resource Files">DNS
822	(named) Resource Files</a>.
823
824	</p><div class="table"><a name="namedrscfiles"></a><p class="title"><b>Table 3.2. DNS (named) Resource Files</b></p><div class="table-contents"><table summary="DNS (named) Resource Files" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Reference</th><th align="left">File Location</th></tr></thead><tbody><tr><td align="left"><a class="link" href="appendix.html#loopback" title="Example 15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone">“DNS Localhost Forward Zone File: /var/lib/named/localhost.zone”</a></td><td align="left">/var/lib/named/localhost.zone</td></tr><tr><td align="left"><a class="link" href="appendix.html#dnsloopy" title="Example 15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone">“DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone”</a></td><td align="left">/var/lib/named/127.0.0.zone</td></tr><tr><td align="left"><a class="link" href="appendix.html#roothint" title="Example 15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint">“DNS Root Name Server Hint File: /var/lib/named/root.hint”</a></td><td align="left">/var/lib/named/root.hint</td></tr><tr><td align="left"><a class="link" href="secure.html#abmasbiz" title="Example 3.14. DNS Abmas.biz Forward Zone File">“DNS Abmas.biz Forward Zone File”</a></td><td align="left">/var/lib/named/master/abmas.biz.hosts</td></tr><tr><td align="left"><a class="link" href="secure.html#abmasus" title="Example 3.15. DNS Abmas.us Forward Zone File">“DNS Abmas.us Forward Zone File”</a></td><td align="left">/var/lib/named/abmas.us.hosts</td></tr><tr><td align="left"><a class="link" href="secure.html#eth1zone" title="Example 3.12. DNS 192.168.1 Reverse Zone File">“DNS 192.168.1 Reverse Zone File”</a></td><td align="left">/var/lib/named/192.168.1.0.rev</td></tr><tr><td align="left"><a class="link" href="secure.html#eth2zone" title="Example 3.13. DNS 192.168.2 Reverse Zone File">“DNS 192.168.2 Reverse Zone File”</a></td><td align="left">/var/lib/named/192.168.2.0.rev</td></tr></tbody></table></div></div><p><br class="table-break">
825
826	</p><div class="example"><a name="ch4namedcfg"></a><p class="title"><b>Example 3.9. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Master Section</b></p><div class="example-contents"><a class="indexterm" name="id2562182"></a><pre class="screen">
827	###
828	# Abmas Biz DNS Control File
829	###
830	# Date: November 15, 2003
831	###
832	options {
833	directory "/var/lib/named";
834	forwarders {
835	123.45.12.23;
836	};
837	forward first;
838	listen-on {
839	mynet;
840	};
841	auth-nxdomain yes;
842	multiple-cnames yes;
843	notify no;
844	};
845
846	zone "." in {
847	type hint;
848	file "root.hint";
849	};
850
851	zone "localhost" in {
852	type master;
853	file "localhost.zone";
854	};
855
856	zone "0.0.127.in-addr.arpa" in {
857	type master;
858	file "127.0.0.zone";
859	};
860
861	acl mynet {
862	192.168.1.0/24;
863	192.168.2.0/24;
864	127.0.0.1;
865	};
866
867	acl seconddns {
868	123.45.54.32;
869	};
870
871	</pre></div></div><p><br class="example-break">
872
873	</p><div class="example"><a name="ch4namedvarfwd"></a><p class="title"><b>Example 3.10. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Forward Lookup Definition Section</b></p><div class="example-contents"><pre class="screen">
874	zone "abmas.biz" {
875	type master;
876	file "/var/lib/named/master/abmas.biz.hosts";
877	allow-query {
878	mynet;
879	};
880	allow-transfer {
881	mynet;
882	};
883	allow-update {
884	mynet;
885	};
886	};
887
888	zone "abmas.us" {
889	type master;
890	file "/var/lib/named/master/abmas.us.hosts";
891	allow-query {
892	any;
893	};
894	allow-transfer {
895	seconddns;
896	};
897	};
898	</pre></div></div><p><br class="example-break">
899
900	</p><div class="example"><a name="ch4namedvarrev"></a><p class="title"><b>Example 3.11. DNS Master Configuration File <code class="filename">/etc/named.conf</code> Reverse Lookup Definition Section</b></p><div class="example-contents"><pre class="screen">
901	zone "1.168.192.in-addr.arpa" {
902	type master;
903	file "/var/lib/named/master/192.168.1.0.rev";
904	allow-query {
905	mynet;
906	};
907	allow-transfer {
908	mynet;
909	};
910	allow-update {
911	mynet;
912	};
913	};
914
915	zone "2.168.192.in-addr.arpa" {
916	type master;
917	file "/var/lib/named/master/192.168.2.0.rev";
918	allow-query {
919	mynet;
920	};
921	allow-transfer {
922	mynet;
923	};
924	allow-update {
925	mynet;
926	};
927	};
928	</pre></div></div><p><br class="example-break">
929
930	</p><div class="example"><a name="eth1zone"></a><p class="title"><b>Example 3.12. DNS 192.168.1 Reverse Zone File</b></p><div class="example-contents"><pre class="screen">
931	$ORIGIN .
932	$TTL 38400 ; 10 hours 40 minutes
933	1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
934	2003021825 ; serial
935	10800 ; refresh (3 hours)
936	3600 ; retry (1 hour)
937	604800 ; expire (1 week)
938	38400 ; minimum (10 hours 40 minutes)
939	)
940	NS sleeth1.abmas.biz.
941	$ORIGIN 1.168.192.in-addr.arpa.
942	1 PTR sleeth1.abmas.biz.
943	20 PTR qmsa.abmas.biz.
944	30 PTR hplj6a.abmas.biz.
945	</pre></div></div><p><br class="example-break">
946
947	</p><div class="example"><a name="eth2zone"></a><p class="title"><b>Example 3.13. DNS 192.168.2 Reverse Zone File</b></p><div class="example-contents"><pre class="screen">
948	$ORIGIN .
949	$TTL 38400 ; 10 hours 40 minutes
950	2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. (
951	2003021825 ; serial
952	10800 ; refresh (3 hours)
953	3600 ; retry (1 hour)
954	604800 ; expire (1 week)
955	38400 ; minimum (10 hours 40 minutes)
956	)
957	NS sleeth2.abmas.biz.
958	$ORIGIN 2.168.192.in-addr.arpa.
959	1 PTR sleeth2.abmas.biz.
960	20 PTR qmsf.abmas.biz.
961	30 PTR hplj6f.abmas.biz.
962	</pre></div></div><p><br class="example-break">
963
964	</p><div class="example"><a name="abmasbiz"></a><p class="title"><b>Example 3.14. DNS Abmas.biz Forward Zone File</b></p><div class="example-contents"><pre class="screen">
965	$ORIGIN .
966	$TTL 38400 ; 10 hours 40 minutes
967	abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. (
968	2003021833 ; serial
969	10800 ; refresh (3 hours)
970	3600 ; retry (1 hour)
971	604800 ; expire (1 week)
972	38400 ; minimum (10 hours 40 minutes)
973	)
974	NS dns.abmas.biz.
975	MX 10 mail.abmas.biz.
976	$ORIGIN abmas.biz.
977	sleeth1 A 192.168.1.1
978	sleeth2 A 192.168.2.1
979	qmsa A 192.168.1.20
980	hplj6a A 192.168.1.30
981	qmsf A 192.168.2.20
982	hplj6f A 192.168.2.30
983	dns CNAME sleeth1
984	diamond CNAME sleeth1
985	mail CNAME sleeth1
986	</pre></div></div><p><br class="example-break">
987
988	</p><div class="example"><a name="abmasus"></a><p class="title"><b>Example 3.15. DNS Abmas.us Forward Zone File</b></p><div class="example-contents"><pre class="screen">
989	$ORIGIN .
990	$TTL 38400 ; 10 hours 40 minutes
991	abmas.us IN SOA server.abmas.us. root.abmas.us. (
992	2003021833 ; serial
993	10800 ; refresh (3 hours)
994	3600 ; retry (1 hour)
995	604800 ; expire (1 week)
996	38400 ; minimum (10 hours 40 minutes)
997	)
998	NS dns.abmas.us.
999	NS dns2.abmas.us.
1000	MX 10 mail.abmas.us.
1001	$ORIGIN abmas.us.
1002	server A 123.45.67.66
1003	dns2 A 123.45.54.32
1004	gw A 123.45.67.65
1005	www CNAME server
1006	mail CNAME server
1007	dns CNAME server
1008	</pre></div></div><p><br class="example-break">
1009
1010	</p></li><li><p>
1011	<a class="indexterm" name="id2562396"></a><a class="indexterm" name="id2562402"></a>
1012	All DNS name resolution should be handled locally. To ensure that the server is configured
1013	correctly to handle this, edit <code class="filename">/etc/resolv.conf</code> to have the following
1014	content:
1015	</p><pre class="screen">
1016	search abmas.us abmas.biz
1017	nameserver 127.0.0.1
1018	nameserver 123.45.54.23
1019	</pre><p>
1020	<a class="indexterm" name="id2562427"></a>
1021	This instructs the name resolver function (when configured correctly) to ask the DNS server
1022	that is running locally to resolve names to addresses. In the event that the local name server
1023	is not available, ask the name server provided by the ISP. The latter, of course, does not resolve
1024	purely local names to IP addresses.
1025	</p></li><li><p>
1026	<a class="indexterm" name="id2562448"></a>
1027	The final step is to edit the <code class="filename">/etc/nsswitch.conf</code> file.
1028	This file controls the operation of the various resolver libraries that are part of the Linux
1029	Glibc libraries. Edit this file so that it contains the following entries:
1030	</p><pre class="screen">
1031	hosts: files dns wins
1032	</pre><p>
1033	</p></li></ol></div><p>
1034	The basic DHCP and DNS services are now ready for validation testing. Before you can proceed,
1035	there are a few more steps along the road. First, configure the print spooling and print
1036	processing system. Then you can configure the server so that all services
1037	start automatically on reboot. You must also manually start all services prior to validation testing.
1038	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4ptrcfg"></a>Printer Configuration</h3></div></div></div><p>
1039	Network administrators who are new to CUPS based-printing typically experience some difficulty mastering
1040	its powerful features. The steps outlined in this section are designed to navigate around the distractions
1041	of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a
1042	transparent print queue that performs no filtering, and only minimal handling of each print job that is
1043	submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that
1044	the correct printer driver must be installed on all clients.
1045	</p><div class="procedure"><a name="id2562506"></a><p class="title"><b>Procedure 3.4. Printer Configuration Steps</b></p><ol type="1"><li><p>
1046	Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines.
1047	</p></li><li><p>
1048	Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100.
1049	Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the
1050	port as necessary in the following example commands.
1051	This allows the CUPS spooler to print using raw mode protocols.
1052	<a class="indexterm" name="id2562532"></a>
1053	<a class="indexterm" name="id2562539"></a>
1054	</p></li><li><p>
1055	<a class="indexterm" name="id2562552"></a><a class="indexterm" name="id2562560"></a>
1056	Configure the CUPS Print Queues as follows:
1057	</p><pre class="screen">
1058	<code class="prompt">root# </code> lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
1059	<code class="prompt">root# </code> lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
1060	<code class="prompt">root# </code> lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
1061	<code class="prompt">root# </code> lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
1062	</pre><p>
1063	<a class="indexterm" name="id2562603"></a>
1064	This creates the necessary print queues with no assigned print filter.
1065	</p></li><li><p><a class="indexterm" name="id2562618"></a>
1066	Print queues may not be enabled at creation. Use <code class="literal">lpc stat</code> to check
1067	the status of the print queues and, if necessary, make certain that the queues you have
1068	just created are enabled by executing the following:
1069	</p><pre class="screen">
1070	<code class="prompt">root# </code> /usr/bin/enable qmsa
1071	<code class="prompt">root# </code> /usr/bin/enable hplj6a
1072	<code class="prompt">root# </code> /usr/bin/enable qmsf
1073	<code class="prompt">root# </code> /usr/bin/enable hplj6f
1074	</pre><p>
1075	</p></li><li><p><a class="indexterm" name="id2562673"></a>
1076	Even though your print queues may be enabled, it is still possible that they
1077	are not accepting print jobs. A print queue services incoming printing
1078	requests only when configured to do so. Ensure that your print queues are
1079	set to accept incoming jobs by executing the following commands:
1080	</p><pre class="screen">
1081	<code class="prompt">root# </code> /usr/sbin/accept qmsa
1082	<code class="prompt">root# </code> /usr/sbin/accept hplj6a
1083	<code class="prompt">root# </code> /usr/sbin/accept qmsf
1084	<code class="prompt">root# </code> /usr/sbin/accept hplj6f
1085	</pre><p>
1086	</p></li><li><p>
1087	<a class="indexterm" name="id2562724"></a>
1088	<a class="indexterm" name="id2562731"></a>
1089	<a class="indexterm" name="id2562738"></a>
1090	Edit the file <code class="filename">/etc/cups/mime.convs</code> to uncomment the line:
1091	</p><pre class="screen">
1092	application/octet-stream application/vnd.cups-raw 0 -
1093	</pre><p>
1094	</p></li><li><p>
1095	<a class="indexterm" name="id2562765"></a>
1096	Edit the file <code class="filename">/etc/cups/mime.types</code> to uncomment the line:
1097	</p><pre class="screen">
1098	application/octet-stream
1099	</pre><p>
1100	</p></li><li><p>
1101	Printing drivers are installed on each network client workstation.
1102	</p></li></ol></div><p>
1103	Note: If the parameter <em class="parameter"><code>cups options = Raw</code></em> is specified in the <code class="filename">smb.conf</code> file,
1104	the last two steps can be omitted with CUPS version 1.1.18, or later.
1105	</p><p>
1106	The UNIX system print queues have been configured and are ready for validation testing.
1107	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="procstart"></a>Process Startup Configuration</h3></div></div></div><p>
1108	<a class="indexterm" name="id2562831"></a>
1109	There are two essential steps to process startup configuration. First, the process
1110	must be configured so that it automatically restarts each time the server
1111	is rebooted. This step involves use of the <code class="literal">chkconfig</code> tool that
1112	creates the appropriate symbolic links from the master daemon control file that is
1113	located in the <code class="filename">/etc/rc.d</code> directory, to the <code class="filename">/etc/rc'x'.d</code>
1114	directories. Links are created so that when the system run level is changed, the
1115	necessary start or kill script is run.
1116	</p><p>
1117	<a class="indexterm" name="id2562866"></a>
1118	<a class="indexterm" name="id2562873"></a>
1119	<a class="indexterm" name="id2562880"></a>
1120	<a class="indexterm" name="id2562886"></a>
1121	<a class="indexterm" name="id2562893"></a>
1122	In the event that a service is not run as a daemon, but via the internetworking
1123	super daemon (<code class="literal">inetd</code> or <code class="literal">xinetd</code>), then the <code class="literal">chkconfig</code>
1124	tool makes the necessary entries in the <code class="filename">/etc/xinetd.d</code> directory
1125	and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to
1126	re-read its control files.
1127	</p><p>
1128	Last, each service must be started to permit system validation to proceed.
1129	</p><div class="procedure"><ol type="1"><li><p>
1130	Use the standard system tool to configure each service to restart
1131	automatically at every system reboot. For example,
1132	<a class="indexterm" name="id2562945"></a>
1133	</p><pre class="screen">
1134	<code class="prompt">root# </code> chkconfig dhpcd on
1135	<code class="prompt">root# </code> chkconfig named on
1136	<code class="prompt">root# </code> chkconfig cups on
1137	<code class="prompt">root# </code> chkconfig smb on
1138	</pre><p>
1139	</p></li><li><p>
1140	<a class="indexterm" name="id2562989"></a>
1141	<a class="indexterm" name="id2562996"></a>
1142	<a class="indexterm" name="id2563002"></a>
1143	Now start each service to permit the system to be validated.
1144	Execute each of the following in the sequence shown:
1145
1146	</p><pre class="screen">
1147	<code class="prompt">root# </code> /etc/rc.d/init.d/dhcpd restart
1148	<code class="prompt">root# </code> /etc/rc.d/init.d/named restart
1149	<code class="prompt">root# </code> /etc/rc.d/init.d/cups restart
1150	<code class="prompt">root# </code> /etc/rc.d/init.d/smb restart
1151	</pre><p>
1152	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4valid"></a>Validation</h3></div></div></div><p>
1153	<a class="indexterm" name="id2563057"></a>
1154	Complex networking problems are most often caused by simple things that are poorly or incorrectly
1155	configured. The validation process adopted here should be followed carefully; it is the result of the
1156	experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should
1157	refrain from taking shortcuts, from making basic assumptions, and from not exercising due process
1158	and diligence in network validation. By thoroughly testing and validating every step in the process
1159	of network installation and configuration, you can save yourself from sleepless nights and restless
1160	days. A well debugged network is a foundation for happy network users and network administrators.
1161	Later in this book you learn how to make users happier. For now, it is enough to learn to
1162	validate. Let's get on with it.
1163	</p><div class="procedure"><a name="id2563079"></a><p class="title"><b>Procedure 3.5. Server Validation Steps</b></p><ol type="1"><li><p>
1164	<a class="indexterm" name="id2563090"></a>
1165	One of the most important facets of Samba configuration is to ensure that
1166	name resolution functions correctly. You can check name resolution
1167	with a few simple tests. The most basic name resolution is provided from the
1168	<code class="filename">/etc/hosts</code> file. To test its operation, make a
1169	temporary edit to the <code class="filename">/etc/nsswitch.conf</code> file. Using
1170	your favorite editor, change the entry for <code class="constant">hosts</code> to read:
1171	</p><pre class="screen">
1172	hosts: files
1173	</pre><p>
1174	When you have saved this file, execute the following command:
1175	</p><pre class="screen">
1176	<code class="prompt">root# </code> ping diamond
1177	PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
1178	64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
1179	64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
1180	64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
1181	64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
1182
1183	--- sleeth1.abmas.biz ping statistics ---
1184	4 packets transmitted, 4 received, 0% packet loss, time 3016ms
1185	rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
1186	</pre><p>
1187	This proves that name resolution via the <code class="filename">/etc/hosts</code> file
1188	is working.
1189	</p></li><li><p>
1190	<a class="indexterm" name="id2563160"></a>
1191	So far, your installation is going particularly well. In this step we validate
1192	DNS server and name resolution operation. Using your favorite UNIX system editor,
1193	change the <code class="filename">/etc/nsswitch.conf</code> file so that the
1194	<code class="constant">hosts</code> entry reads:
1195	</p><pre class="screen">
1196	hosts: dns
1197	</pre><p>
1198	</p></li><li><p>
1199	<a class="indexterm" name="id2563193"></a>
1200	Before you test DNS operation, it is a good idea to verify that the DNS server
1201	is running by executing the following:
1202	</p><pre class="screen">
1203	<code class="prompt">root# </code> ps ax \| grep named
1204	437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
1205	524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1206	525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1207	526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1208	529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1209	540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
1210	2552 pts/2 S 0:00 grep named
1211	</pre><p>
1212	This means that we are ready to check DNS operation. Do so by executing:
1213	<a class="indexterm" name="id2563223"></a>
1214	</p><pre class="screen">
1215	<code class="prompt">root# </code> ping diamond
1216	PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
1217	64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
1218	64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
1219
1220	--- sleeth1.abmas.biz ping statistics ---
1221	2 packets transmitted, 2 received, 0% packet loss, time 999ms
1222	rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
1223	</pre><p>
1224	You should take a few more steps to validate DNS server operation, as follows:
1225	</p><pre class="screen">
1226	<code class="prompt">root# </code> host -f diamond.abmas.biz
1227	sleeth1.abmas.biz has address 192.168.1.1
1228	</pre><p>
1229	<a class="indexterm" name="id2563261"></a>
1230	You may now remove the entry called <code class="constant">diamond</code> from the
1231	<code class="filename">/etc/hosts</code> file. It does not hurt to leave it there,
1232	but its removal reduces the number of administrative steps for this name.
1233	</p></li><li><p>
1234	<a class="indexterm" name="id2563287"></a>
1235	WINS is a great way to resolve NetBIOS names to their IP address. You can test
1236	the operation of WINS by starting <code class="literal">nmbd</code> (manually or by way
1237	of the Samba startup method shown in <a class="link" href="secure.html#procstart" title="Process Startup Configuration">“Process Startup Configuration”</a>). You must edit
1238	the <code class="filename">/etc/nsswitch.conf</code> file so that the <code class="constant">hosts</code>
1239	entry is as follows:
1240	</p><pre class="screen">
1241	hosts: wins
1242	</pre><p>
1243	The next step is to make certain that Samba is running using <code class="literal">ps ax \| grep mbd</code>.
1244	The <code class="literal">nmbd</code> daemon will provide the WINS name resolution service when the
1245	<code class="filename">smb.conf</code> file <em class="parameter"><code>global</code></em> parameter <a class="link" href="smb.conf.5.html#WINSSUPPORT" target="_top">wins support = Yes</a> has been specified. Having validated that Samba is operational,
1246	excute the following:
1247	</p><pre class="screen">
1248	<code class="prompt">root# </code> ping diamond
1249	PING diamond (192.168.1.1) 56(84) bytes of data.
1250	64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
1251	64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
1252	</pre><p>
1253	<a class="indexterm" name="id2563380"></a>
1254	Now that you can relax with the knowledge that all three major forms of name
1255	resolution to IP address resolution are working, edit the <code class="filename">/etc/nsswitch.conf</code>
1256	again. This time you add all three forms of name resolution to this file.
1257	Your edited entry for <code class="constant">hosts</code> should now look like this:
1258	</p><pre class="screen">
1259	hosts: files dns wins
1260	</pre><p>
1261	The system is looking good. Let's move on.
1262	</p></li><li><p>
1263	It would give you peace of mind to know that the DHCP server is running
1264	and available for service. You can validate DHCP services by running:
1265
1266	</p><pre class="screen">
1267	<code class="prompt">root# </code> ps ax \| grep dhcp
1268	2618 ? S 0:00 /usr/sbin/dhcpd ...
1269	8180 pts/2 S 0:00 grep dhcp
1270	</pre><p>
1271	This shows that the server is running. The proof of whether or not it is working
1272	comes when you try to add the first DHCP client to the network.
1273	</p></li><li><p>
1274	<a class="indexterm" name="id2563440"></a>
1275	This is a good point at which to start validating Samba operation. You are
1276	content that name resolution is working for basic TCP/IP needs. Let's move on.
1277	If your <code class="filename">smb.conf</code> file has bogus options or parameters, this may cause Samba
1278	to refuse to start. The first step should always be to validate the contents
1279	of this file by running:
1280	</p><pre class="screen">
1281	<code class="prompt">root# </code> testparm -s
1282	Load smb config files from smb.conf
1283	Processing section "[homes]"
1284	Processing section "[printers]"
1285	Processing section "[netlogon]"
1286	Processing section "[profiles]"
1287	Processing section "[accounts]"
1288	Processing section "[service]"
1289	Processing section "[apps]"
1290	Loaded services file OK.
1291	# Global parameters
1292	[global]
1293	workgroup = PROMISES
1294	netbios name = DIAMOND
1295	interfaces = eth1, eth2, lo
1296	bind interfaces only = Yes
1297	passdb backend = tdbsam
1298	pam password change = Yes
1299	passwd program = /usr/bin/passwd '%u'
1300	passwd chat = NewPassword* %n\n \
1301	Re-enternewpassword %n\n Passwordchanged*
1302	username map = /etc/samba/smbusers
1303	unix password sync = Yes
1304	log level = 1
1305	syslog = 0
1306	log file = /var/log/samba/%m
1307	max log size = 50
1308	smb ports = 139
1309	name resolve order = wins bcast hosts
1310	time server = Yes
1311	printcap name = CUPS
1312	show add printer wizard = No
1313	add user script = /usr/sbin/useradd -m '%u'
1314	delete user script = /usr/sbin/userdel -r '%u'
1315	add group script = /usr/sbin/groupadd '%g'
1316	delete group script = /usr/sbin/groupdel '%g'
1317	add user to group script = /usr/sbin/usermod -G '%g' '%u'
1318	add machine script = /usr/sbin/useradd \
1319	-s /bin/false -d /dev/null '%u'
1320	shutdown script = /var/lib/samba/scripts/shutdown.sh
1321	abort shutdown script = /sbin/shutdown -c
1322	logon script = scripts\logon.bat
1323	logon path = \\%L\profiles\%U
1324	logon drive = X:
1325	logon home = \\%L\%U
1326	domain logons = Yes
1327	preferred master = Yes
1328	wins support = Yes
1329	utmp = Yes
1330	winbind use default domain = Yes
1331	map acl inherit = Yes
1332	cups options = Raw
1333	veto files = /.eml/.nws/.{}/
1334	veto oplock files = /.doc/.xls/*.mdb/
1335
1336	[homes]
1337	comment = Home Directories
1338	valid users = %S
1339	read only = No
1340	browseable = No
1341	...
1342	### Remainder cut to save space ###
1343	</pre><p>
1344	Clear away all errors before proceeding.
1345	</p></li><li><p>
1346	<a class="indexterm" name="id2563541"></a>
1347	<a class="indexterm" name="id2563548"></a>
1348	<a class="indexterm" name="id2563554"></a>
1349	<a class="indexterm" name="id2563561"></a>
1350	Check that the Samba server is running:
1351	</p><pre class="screen">
1352	<code class="prompt">root# </code> ps ax \| grep mbd
1353	14244 ? S 0:00 /usr/sbin/nmbd -D
1354	14245 ? S 0:00 /usr/sbin/nmbd -D
1355	14290 ? S 0:00 /usr/sbin/smbd -D
1356
1357	$rootprompt; ps ax \| grep winbind
1358	14293 ? S 0:00 /usr/sbin/winbindd -D
1359	14295 ? S 0:00 /usr/sbin/winbindd -D
1360	</pre><p>
1361	The <code class="literal">winbindd</code> daemon is running in split mode (normal), so there are also
1362	two instances<sup>[<a name="id2563592" href="#ftn.id2563592" class="footnote">7</a>]</sup> of it.
1363	</p></li><li><p>
1364	<a class="indexterm" name="id2563623"></a>
1365	<a class="indexterm" name="id2563630"></a>
1366	Check that an anonymous connection can be made to the Samba server:
1367	</p><pre class="screen">
1368	<code class="prompt">root# </code> smbclient -L localhost -U%
1369
1370	Sharename Type Comment
1371	--------- ---- -------
1372	IPC$ IPC IPC Service (Samba 3.0.20)
1373	netlogon Disk Network Logon Service
1374	profiles Disk Profile Share
1375	accounts Disk Accounting Files
1376	service Disk Financial Services Files
1377	apps Disk Application Files
1378	ADMIN$ IPC IPC Service (Samba 3.0.20)
1379	hplj6a Printer hplj6a
1380	hplj6f Printer hplj6f
1381	qmsa Printer qmsa
1382	qmsf Printer qmsf
1383
1384	Server Comment
1385	--------- -------
1386	DIAMOND Samba 3.0.20
1387
1388	Workgroup Master
1389	--------- -------
1390	PROMISES DIAMOND
1391	</pre><p>
1392	This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent
1393	of browsing the server from a Windows client to obtain a list of shares on the server.
1394	The <code class="constant">-U%</code> argument means to send a <code class="constant">NULL</code> username and
1395	a <code class="constant">NULL</code> password.
1396	</p></li><li><p>
1397	<a class="indexterm" name="id2563688"></a>
1398	<a class="indexterm" name="id2563695"></a>
1399	<a class="indexterm" name="id2563702"></a>
1400	Verify that each printer has the IP address assigned in the DHCP server configuration file.
1401	The easiest way to do this is to ping the printer name. Immediately after the ping response
1402	has been received, execute <code class="literal">arp -a</code> to find the MAC address of the printer
1403	that has responded. Now you can compare the IP address and the MAC address of the printer
1404	with the configuration information in the <code class="filename">/etc/dhcpd.conf</code> file. They
1405	should, of course, match. For example,
1406	</p><pre class="screen">
1407	<code class="prompt">root# </code> ping hplj6
1408	PING hplj6a (192.168.1.30) 56(84) bytes of data.
1409	64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
1410
1411	<code class="prompt">root# </code> arp -a
1412	hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
1413	</pre><p>
1414	<a class="indexterm" name="id2563748"></a>
1415	The MAC address <code class="constant">00:03:47:CB:81:E0</code> matches that specified for the
1416	IP address from which the printer has responded and with the entry for it in the
1417	<code class="filename">/etc/dhcpd.conf</code> file. Repeat this for each printer configured.
1418	</p></li><li><p>
1419	<a class="indexterm" name="id2563777"></a>
1420	Make an authenticated connection to the server using the <code class="literal">smbclient</code> tool:
1421	</p><pre class="screen">
1422	<code class="prompt">root# </code> smbclient //diamond/accounts -U gholmes
1423	Password: XXXXXXX
1424	smb: \> dir
1425	. D 0 Thu Nov 27 15:07:09 2003
1426	.. D 0 Sat Nov 15 17:40:50 2003
1427	zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
1428	zak.exe 6066384 Thu Nov 27 15:06:52 2003
1429	dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
1430	smb.conf 2131 Thu Nov 27 15:06:52 2003
1431	initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
1432	POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
1433
1434	55974 blocks of size 65536. 33968 blocks available
1435	smb: \> q
1436	</pre><p>
1437	</p></li><li><p>
1438	<a class="indexterm" name="id2563834"></a>
1439	Your new server is connected to an Internet-accessible connection. Before you start
1440	your firewall, you should run a port scanner against your system. You should repeat that
1441	after the firewall has been started. This helps you understand to what extent the
1442	server may be vulnerable to external attack. One way you can do this is by using an
1443	external service, such as the <a class="ulink" href="http://www.dslreports.com/scan" target="_top">DSL Reports</a>
1444	tools. Alternately, if you can gain root-level access to a remote
1445	UNIX/Linux system that has the <code class="literal">nmap</code> tool, you can run the following:
1446	</p><pre class="screen">
1447	<code class="prompt">root# </code> nmap -v -sT server.abmas.us
1448
1449	Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
1450	Host server.abmas.us (123.45.67.66) appears to be up ... good.
1451	Initiating Connect() Scan against server.abmas.us (123.45.67.66)
1452	Adding open port 6000/tcp
1453	Adding open port 873/tcp
1454	Adding open port 445/tcp
1455	Adding open port 10000/tcp
1456	Adding open port 901/tcp
1457	Adding open port 631/tcp
1458	Adding open port 25/tcp
1459	Adding open port 111/tcp
1460	Adding open port 32770/tcp
1461	Adding open port 3128/tcp
1462	Adding open port 53/tcp
1463	Adding open port 80/tcp
1464	Adding open port 443/tcp
1465	Adding open port 139/tcp
1466	Adding open port 22/tcp
1467	The Connect() Scan took 0 seconds to scan 1601 ports.
1468	Interesting ports on server.abmas.us (123.45.67.66):
1469	(The 1587 ports scanned but not shown below are in state: closed)
1470	Port State Service
1471	22/tcp open ssh
1472	25/tcp open smtp
1473	53/tcp open domain
1474	80/tcp open http
1475	111/tcp open sunrpc
1476	139/tcp open netbios-ssn
1477	443/tcp open https
1478	445/tcp open microsoft-ds
1479	631/tcp open ipp
1480	873/tcp open rsync
1481	901/tcp open samba-swat
1482	3128/tcp open squid-http
1483	6000/tcp open X11
1484	10000/tcp open snet-sensor-mgmt
1485	32770/tcp open sometimes-rpc3
1486
1487	Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
1488	</pre><p>
1489	The above scan was run before the external interface was locked down with the NAT-firewall
1490	script you created above. The following results are obtained after the firewall rules
1491	have been put into place:
1492	</p><pre class="screen">
1493	<code class="prompt">root# </code> nmap -v -sT server.abmas.us
1494
1495	Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
1496	Host server.abmas.us (123.45.67.66) appears to be up ... good.
1497	Initiating Connect() Scan against server.abmas.us (123.45.67.66)
1498	Adding open port 53/tcp
1499	Adding open port 22/tcp
1500	The Connect() Scan took 168 seconds to scan 1601 ports.
1501	Interesting ports on server.abmas.us (123.45.67.66):
1502	(The 1593 ports scanned but not shown below are in state: filtered)
1503	Port State Service
1504	22/tcp open ssh
1505	25/tcp closed smtp
1506	53/tcp open domain
1507	80/tcp closed http
1508	443/tcp closed https
1509
1510	Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
1511	</pre><p>
1512	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4appscfg"></a>Application Share Configuration</h3></div></div></div><p>
1513	<a class="indexterm" name="id2563937"></a>
1514	<a class="indexterm" name="id2563944"></a>
1515	The use of an application server is a key mechanism by which desktop administration overheads
1516	can be reduced. Check the application manual for your software to identify how best to
1517	create an administrative installation.
1518	</p><p>
1519	Some Windows software will only run locally on the desktop computer. Such software
1520	is typically not suited for administrative installation. Administratively installed software
1521	permits one or more of the following installation choices:
1522	</p><div class="itemizedlist"><ul type="disc"><li><p>
1523	Install software fully onto a workstation, storing data files on the same workstation.
1524	</p></li><li><p>
1525	Install software fully onto a workstation with central network data file storage.
1526	</p></li><li><p>
1527	Install software to run off a central application server with data files stored
1528	on the local workstation. This is often called a minimum installation, or a
1529	network client installation.
1530	</p></li><li><p>
1531	Install software to run off a central application server with data files stored
1532	on a central network share. This type of installation often prevents storage
1533	of work files on the local workstation.
1534	</p></li></ul></div><p>
1535	<a class="indexterm" name="id2563996"></a>
1536	A common application deployed in this environment is an office suite.
1537	Enterprise editions of Microsoft Office XP Professional can be administratively installed
1538	by launching the installation from a command shell. The command that achieves this is
1539	<code class="literal">setup /a</code>. It results in a set of prompts through which various
1540	installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource
1541	Kit for more information regarding this mode of installation of MS Office XP Professional.
1542	The full administrative installation of MS Office XP Professional requires approximately
1543	650 MB of disk space.
1544	</p><p>
1545	When the MS Office XP Professional product has been installed to the administrative network
1546	share, the product can be installed onto a workstation by executing the normal setup program.
1547	The installation process now provides a choice to either perform a minimum installation
1548	or a full local installation. A full local installation takes over 100 MB of disk space.
1549	A network workstation (minimum) installation requires typically 10 MB to 15 MB of
1550	local disk space. In the latter case, when the applications are used, they load over the network.
1551	</p><p>
1552	<a class="indexterm" name="id2564033"></a>
1553	<a class="indexterm" name="id2564040"></a>
1554	Microsoft Office Service Packs can be unpacked to update an administrative share. This makes
1555	it possible to update MS Office XP Professional for all users from a single installation
1556	of the service pack and generally circumvents the need to run updates on each network
1557	Windows client.
1558	</p><p>
1559	The default location for MS Office XP Professional data files can be set through registry
1560	editing or by way of configuration options inside each Office XP Professional application.
1561	</p><p>
1562	<a class="indexterm" name="id2564062"></a>
1563	OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also
1564	be installed to run off a network share. The latter is a most desirable solution for office-bound
1565	network users and for administrative staff alike. It permits quick and easy updates
1566	to be rolled out to all users with a minimum of disruption and with maximum flexibility.
1567	</p><p>
1568	The process for installation of administrative shared OpenOffice involves download of the
1569	distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
1570	When fully extracted using the unzipping tool of your choosing, change into the Windows
1571	installation files directory then execute <code class="literal">setup -net</code>. You are
1572	prompted on screen for the target installation location. This is the administrative
1573	share point. The full administrative OpenOffice share takes approximately 150 MB of disk
1574	space.
1575	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2564093"></a>Comments Regarding Software Terms of Use</h4></div></div></div><p>
1576	Many single-user products can be installed into an administrative share, but
1577	personal versions of products such as Microsoft Office XP Professional do not permit this.
1578	Many people do not like terms of use typical with commercial products, so a few comments
1579	regarding software licensing seem important.
1580	</p><p>
1581	Please do not use an administrative installation of proprietary and commercially licensed
1582	software products to violate the copyright holders' property. All software is licensed,
1583	particularly software that is licensed for use free of charge. All software is the property
1584	of the copyright holder unless the author and/or copyright holder has explicitly disavowed
1585	ownership and has placed the software into the public domain.
1586	</p><p>
1587	Software that is under the GNU General Public License, like proprietary software, is
1588	licensed in a way that restricts use. For example, if you modify GPL software and then
1589	distribute the binary version of your modifications, you must offer to provide the source
1590	code as well. This restriction is designed to maintain the momentum
1591	of the diffusion of technology and to protect against the withholding of innovations.
1592	</p><p>
1593	Commercial and proprietary software generally restrict use to those who have paid the
1594	license fees and who comply with the licensee's terms of use. Software that is released
1595	under the GNU General Public License is restricted to particular terms and conditions
1596	also. Whatever the licensing terms may be, if you do not approve of the terms of use,
1597	please do not use the software.
1598	</p><p>
1599	<a class="indexterm" name="id2564142"></a>
1600	Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
1601	with the source code.
1602	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch4wincfg"></a>Windows Client Configuration</h3></div></div></div><p>
1603	Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
1604	to reinstall many of the notebook computers that will be recycled for use with the new network
1605	configuration. The smartest way to handle the challenge of the roll-out program is to build
1606	a staged system for each type of target machine, and then use an image replication tool such as Norton
1607	Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can
1608	be done with notebook computers as long as they are identical or sufficiently similar.
1609	</p><div class="procedure"><a name="sbewinclntprep"></a><p class="title"><b>Procedure 3.6. Windows Client Configuration Procedure</b></p><ol type="1"><li><p>
1610	<a class="indexterm" name="id2564192"></a>
1611	<a class="indexterm" name="id2564199"></a>
1612	Install MS Windows XP Professional. During installation, configure the client to use DHCP for
1613	TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server
1614	address that has been defined for the local subnet.
1615	</p></li><li><p>
1616	Join the Windows Domain <code class="constant">PROMISES</code>. Use the Domain Administrator
1617	username <code class="constant">root</code> and the SMB password you assigned to this account.
1618	A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to
1619	a Windows Domain is given in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>.
1620	Reboot the machine as prompted and then log on using the Domain Administrator account
1621	(<code class="constant">root</code>).
1622	</p></li><li><p>
1623	Verify <code class="constant">DIAMOND</code> is visible in <span class="guimenu">My Network Places</span>,
1624	that it is possible to connect to it and see the shares <span class="guimenuitem">accounts</span>,
1625	<span class="guimenuitem">apps</span>, and <span class="guimenuitem">finsvcs</span>, and that it is
1626	possible to open each share to reveal its contents.
1627	</p></li><li><p>
1628	Create a drive mapping to the <code class="constant">apps</code> share on the server <code class="constant">DIAMOND</code>.
1629	</p></li><li><p>
1630	Perform an administrative installation of each application to be used. Select the options
1631	that you wish to use. Of course, you can choose to run applications over the network, correct?
1632	</p></li><li><p>
1633	Now install all applications to be installed locally. Typical tools include Adobe Acrobat,
1634	NTP-based time synchronization software, drivers for specific local devices such as fingerprint
1635	scanners, and the like. Probably the most significant application for local installation
1636	is antivirus software.
1637	</p></li><li><p>
1638	Now install all four printers onto the staging system. The printers you install
1639	include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will
1640	also configure identical printers that are located in the financial services department.
1641	Install printers on each machine following the steps shown in the Windows client printer
1642	preparation procedure below.
1643	</p></li><li><p>
1644	<a class="indexterm" name="id2564337"></a>
1645	When you are satisfied that the staging systems are complete, use the appropriate procedure to
1646	remove the client from the domain. Reboot the system and then log on as the local administrator
1647	and clean out all temporary files stored on the system. Before shutting down, use the disk
1648	defragmentation tool so that the file system is in optimal condition before replication.
1649	</p></li><li><p>
1650	Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the
1651	machine to a network share on the server.
1652	</p></li><li><p>
1653	<a class="indexterm" name="id2564366"></a>
1654	<a class="indexterm" name="id2564375"></a>
1655	You may now replicate the image to the target machines using the appropriate Norton Ghost
1656	procedure. Make sure to use the procedure that ensures each machine has a unique
1657	Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.
1658	</p></li><li><p>
1659	Log on to the machine as the local Administrator (the only option), and join the machine to
1660	the Domain, following the procedure set out in <a class="link" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits">“A Collection of Useful Tidbits”</a>, <a class="link" href="appendix.html#domjoin" title="Joining a Domain: Windows 200x/XP Professional">“Joining a Domain: Windows 200x/XP Professional”</a>. The system is now
1661	ready for the user to log on, provided you have created a network logon account for that
1662	user, of course.
1663	</p></li><li><p>
1664	Instruct all users to log on to the workstation using their assigned username and password.
1665	</p></li></ol></div><div class="procedure"><a name="sbewinclntptrprep"></a><p class="title"><b>Procedure 3.7. Windows Client Printer Preparation Procedure</b></p><ol type="1"><li><p>
1666	Click <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Printers</span>+<span class="guiicon">Add Printer</span>+<span class="guibutton">Next</span>. Do not click <span class="guimenuitem">Network printer</span>.
1667	Ensure that <span class="guimenuitem">Local printer</span> is selected.
1668	</p></li><li><p>
1669	Click <span class="guibutton">Next</span>. In the
1670	<span class="guimenuitem">Manufacturer:</span> panel, select <code class="constant">HP</code>.
1671	In the <span class="guimenuitem">Printers:</span> panel, select the printer called
1672	<code class="constant">HP LaserJet 6</code>. Click <span class="guibutton">Next</span>.
1673	</p></li><li><p>
1674	In the <span class="guimenuitem">Available ports:</span> panel, select
1675	<code class="constant">FILE:</code>. Accept the default printer name by clicking
1676	<span class="guibutton">Next</span>. When asked, “<span class="quote">Would you like to print a
1677	test page?,</span>” click <span class="guimenuitem">No</span>. Click
1678	<span class="guibutton">Finish</span>.
1679	</p></li><li><p>
1680	You may be prompted for the name of a file to print to. If so, close the
1681	dialog panel. Right-click <span class="guiicon">HP LaserJet 6</span> → <span class="guimenuitem">Properties</span> → <span class="guisubmenu">Details (Tab)</span> → <span class="guimenuitem">Add Port</span>.
1682	</p></li><li><p>
1683	In the <span class="guimenuitem">Network</span> panel, enter the name of
1684	the print queue on the Samba server as follows: <code class="constant">\\DIAMOND\hplj6a</code>.
1685	Click <span class="guibutton">OK</span>+<span class="guibutton">OK</span> to complete the installation.
1686	</p></li><li><p>
1687	Repeat the printer installation steps above for both HP LaserJet 6 printers
1688	as well as for both QMS Magicolor laser printers.
1689	</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2564645"></a>Key Points Learned</h3></div></div></div><p>
1690	How do you feel? You have built a capable network, a truly ambitious project.
1691	Future network updates can be handled by
1692	your staff. You must be a satisfied manager. Let's review the achievements.
1693	</p><div class="itemizedlist"><ul type="disc"><li><p>
1694	A simple firewall has been configured to protect the server in the event that
1695	the ISP firewall service should fail.
1696	</p></li><li><p>
1697	The Samba configuration uses measures to ensure that only local network users
1698	can connect to SMB/CIFS services.
1699	</p></li><li><p>
1700	Samba uses the new <code class="constant">tdbsam</code> passdb backend facility.
1701	Considerable complexity was added to Samba functionality.
1702	</p></li><li><p>
1703	A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS
1704	server.
1705	</p></li><li><p>
1706	The DNS server was configured to permit DDNS only for local network clients. This
1707	server also provides primary DNS services for the company Internet presence.
1708	</p></li><li><p>
1709	You introduced an application server as well as the concept of cloning a Windows
1710	client in order to effect improved standardization of desktops and to reduce
1711	the costs of network management.
1712	</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2564707"></a>Questions and Answers</h2></div></div></div><p>
1713	</p><div class="qandaset"><dl><dt>1. <a href="secure.html#id2564723">
1714	What is the maximum number of account entries that the tdbsam
1715	passdb backend can handle?
1716	</a></dt><dt>2. <a href="secure.html#id2564792">
1717	Would Samba operate any better if the OS level is set to a value higher than 35?
1718	</a></dt><dt>3. <a href="secure.html#id2564814">
1719	Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
1720	</a></dt><dt>4. <a href="secure.html#id2564836">
1721	Why has a path been specified in the IPC$ share?
1722	</a></dt><dt>5. <a href="secure.html#id2564865">
1723	Why does the smb.conf file in this exercise include an entry for smb ports?
1724	</a></dt><dt>6. <a href="secure.html#id2564911">
1725	What is the difference between a print queue and a printer?
1726	</a></dt><dt>7. <a href="secure.html#id2564947">
1727	Can all MS Windows application software be installed onto an application server share?
1728	</a></dt><dt>8. <a href="secure.html#id2564972">
1729	Why use dynamic DNS (DDNS)?
1730	</a></dt><dt>9. <a href="secure.html#id2564992">
1731	Why would you use WINS as well as DNS-based name resolution?
1732	</a></dt><dt>10. <a href="secure.html#id2565077">
1733	What are the major benefits of using an application server?
1734	</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2564723"></a><a name="id2564725"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
1735	What is the maximum number of account entries that the <em class="parameter"><code>tdbsam</code></em>
1736	passdb backend can handle?
1737	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1738	The tdb data structure and support system can handle more entries than the number of
1739	accounts that are possible on most UNIX systems. A practical limit would come into
1740	play long before a performance boundary would be anticipated. That practical limit
1741	is controlled by the nature of Windows networking. There are few Windows file and
1742	print servers that can handle more than a few hundred concurrent client connections.
1743	The key limiting factors that predicate offloading of services to additional servers
1744	are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations.
1745	All of these are readily exhausted by just a few hundred concurrent active users.
1746	Such bottlenecks can best be removed by segmentation of the network (distributing
1747	network load across multiple networks).
1748	</p><p>
1749	As the network grows, it becomes necessary to provide additional authentication
1750	servers (domain controllers). The tdbsam is limited to a single machine and cannot
1751	be reliably replicated. This means that practical limits on network design dictate
1752	the point at which a distributed passdb backend is required; at this time, there is
1753	no real alternative other than ldapsam (LDAP).
1754	</p><p>
1755	The guideline provided in <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, Section 10.1.2,
1756	is to limit the number of accounts in the tdbsam backend to 250. This is the point
1757	at which most networks tend to want backup domain controllers (BDCs). Samba-3 does
1758	not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The
1759	limitation of 250 users per tdbsam is predicated only on the need for replication,
1760	not on the limits<sup>[<a name="id2564781" href="#ftn.id2564781" class="footnote">8</a>]</sup> of the tdbsam backend itself.
1761	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564792"></a><a name="id2564794"></a><p><b>2.</b></p></td><td align="left" valign="top"><p>
1762	Would Samba operate any better if the OS level is set to a value higher than 35?
1763	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1764	No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value
1765	of 35 already assures Samba of precedence over MS Windows products in browser elections. There is
1766	no gain to be had from setting this higher.
1767	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564814"></a><a name="id2564816"></a><p><b>3.</b></p></td><td align="left" valign="top"><p>
1768	Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
1769	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1770	At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at
1771	a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special
1772	Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
1773	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564836"></a><a name="id2564838"></a><p><b>4.</b></p></td><td align="left" valign="top"><p>
1774	Why has a path been specified in the <em class="parameter"><code>IPC$</code></em> share?
1775	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1776	This is done so that in the event that a software bug may permit a client connection to the IPC$ share to
1777	obtain access to the file system, it does so at a location that presents least risk. Under normal operation
1778	this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
1779	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564865"></a><a name="id2564867"></a><p><b>5.</b></p></td><td align="left" valign="top"><p>
1780	Why does the <code class="filename">smb.conf</code> file in this exercise include an entry for <a class="link" href="smb.conf.5.html#SMBPORTS" target="_top">smb ports</a>?
1781	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1782	The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port
1783	used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS
1784	over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By
1785	specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts.
1786	The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain
1787	member, the default behavior is highly beneficial and should not be changed.
1788	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564911"></a><a name="id2564914"></a><p><b>6.</b></p></td><td align="left" valign="top"><p>
1789	What is the difference between a print queue and a printer?
1790	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1791	A printer is a physical device that is connected either directly to the network or to a computer
1792	via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a
1793	hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a
1794	single print data stream and block all secondary attempts to dispatch jobs concurrently to the
1795	same device. If many clients were to concurrently print directly via TCP/IP to the same printer,
1796	it would result in a huge amount of network traffic through continually failing connection attempts.
1797	</p><p>
1798	A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or
1799	print requests. When the data stream has been fully received, the input stream is closed,
1800	and the job is then submitted to a sequential print queue where the job is stored until
1801	the printer is ready to receive the job.
1802	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564947"></a><a name="id2564949"></a><p><b>7.</b></p></td><td align="left" valign="top"><p>
1803	Can all MS Windows application software be installed onto an application server share?
1804	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1805	Much older Windows software is not compatible with installation to and execution from
1806	an application server. Enterprise versions of Microsoft Office XP Professional can
1807	be installed to an application server. Retail consumer versions of Microsoft Office XP
1808	Professional do not permit installation to an application server share and can be installed
1809	and used only to/from a local workstation hard disk.
1810	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564972"></a><a name="id2564974"></a><p><b>8.</b></p></td><td align="left" valign="top"><p>
1811	Why use dynamic DNS (DDNS)?
1812	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1813	When DDNS records are updated directly from the DHCP server, it is possible for
1814	network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate
1815	Windows clients via DNS.
1816	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2564992"></a><a name="id2564994"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
1817	Why would you use WINS as well as DNS-based name resolution?
1818	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1819	WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is
1820	a name like “<span class="quote">myhost.mydomain.tld</span>” where <em class="parameter"><code>tld</code></em>
1821	means <code class="constant">top-level domain</code>. A FQDN is a longhand but easy-to-remember
1822	expression that may be up to 1024 characters in length and that represents an IP address.
1823	A NetBIOS name is always 16 characters long. The 16<sup>th</sup> character
1824	is a name type indicator. A specific name type is registered<sup>[<a name="id2565029" href="#ftn.id2565029" class="footnote">9</a>]</sup> for each
1825	type of service that is provided by the Windows server or client and that may be registered
1826	where a WINS server is in use.
1827	</p><p>
1828	WINS is a mechanism by which a client may locate the IP Address that corresponds to a
1829	NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name
1830	that includes a particular registered NetBIOS name type. DNS does not provide a mechanism
1831	that permits handling of the NetBIOS name type information.
1832	</p><p>
1833	DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular
1834	hostname or service name that has been registered in the DNS database for a particular domain.
1835	A DNS server has limited scope of control and is said to be authoritative for the zone over
1836	which it has control.
1837	</p><p>
1838	Windows 200x Active Directory requires the registration in the DNS zone for the domain it
1839	controls of service locator<sup>[<a name="id2565063" href="#ftn.id2565063" class="footnote">10</a>]</sup> records
1840	that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also
1841	requires the registration of special records that are called global catalog (GC) entries
1842	and site entries by which domain controllers and other essential ADS servers may be located.
1843	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2565077"></a><a name="id2565079"></a><p><b>10.</b></p></td><td align="left" valign="top"><p>
1844	What are the major benefits of using an application server?
1845	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
1846	The use of an application server can significantly reduce application update maintenance.
1847	By providing a centralized application share, software updates need be applied to only
1848	one location for all major applications used. This results in faster update roll-outs and
1849	significantly better application usage control.
1850	</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2559623" href="#id2559623" class="para">5</a>] </sup>See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 3.
1851	This is necessary so that Samba can act as a Domain Controller (PDC); see
1852	<span class="emphasis"><em>TOSHARG2</em></span>, Chapter 4, for additional information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2560004" href="#id2560004" class="para">6</a>] </sup>You may want to do the echo command last and include
1853	"0" in the init scripts, since it opens up your network for a short time.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2563592" href="#id2563592" class="para">7</a>] </sup>For more information regarding winbindd, see <span class="emphasis"><em>TOSHARG2</em></span>,
1854	Chapter 23, Section 23.3. The single instance of <code class="literal">smbd</code> is normal. One additional
1855	<code class="literal">smbd</code> slave process is spawned for each SMB/CIFS client
1856	connection.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2564781" href="#id2564781" class="para">8</a>] </sup>Bench tests have shown that tdbsam is a very
1857	effective database technology. There is surprisingly little performance loss even
1858	with over 4000 users.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2565029" href="#id2565029" class="para">9</a>] </sup>
1859	See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, for more information.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2565063" href="#id2565063" class="para">10</a>] </sup>See TOSHARG2, Chapter 9, Section 9.3.3.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="small.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Big500users.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Small Office Networking </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The 500-User Office</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: