source: vendor/3.5.7/docs/htmldocs/Samba3-ByExample/net2000users.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 6. A Distributed 2000-User Network</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="ExNetworks.html" title="Part I. Example Network Configurations"><link rel="prev" href="happy.html" title="Chapter 5. Making Happy Users"><link rel="next" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A Distributed 2000-User Network</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><th width="60%" align="center">Part I. Example Network Configurations</th><td width="20%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="net2000users"></a>Chapter 6. A Distributed 2000-User Network</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="net2000users.html#id2583726">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id2583756">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id2583824">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id2584098">Technical Issues</a></span></dt><dt><span class="sect2"><a href="net2000users.html#id2585046">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id2585064">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="net2000users.html#id2588223">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="net2000users.html#id2588370">Questions and Answers</a></span></dt></dl></div><p>
There is something indeed mystical about things that are
big. Large networks exhibit a certain magnetism and exude a sense of
importance that obscures reality. You and I know that it is no more
difficult to secure a large network than it is a small one. We all
know that over and above a particular number of network clients, the
rules no longer change; the only real dynamic is the size of the domain
(much like a kingdom) over which the network ruler (oops, administrator)
has control. The real dynamic then transforms from the technical to the
political. Then again, that point is often reached well before the
kingdom (or queendom) grows large.
</p><p>
If you have systematically worked your way to this chapter, hopefully you
have found some gems and techniques that are applicable in your
world. The network designs you have worked with in this book have their
strong points as well as weak ones. That is to be expected given that
they are based on real business environments, the specifics of which are
molded to serve the purposes of this book.
</p><p>
This chapter is intent on wrapping up issues that are central to
implementation and design of progressively larger networks. Are you ready
for this chapter? Good, it is time to move on.
</p><p>
In previous chapters, you made the assumption that your network
administration staff need detailed instruction right down to the
nuts and bolts of implementing the solution. That is still the case,
but they have graduated now. You decide to document only those issues,
methods, and techniques that are new or complex. Routine tasks such as
implementing a DNS or a DHCP server are under control. Even the basics of
Samba are largely under control. So in this section you focus on the
specifics of implementing LDAP changes, Samba changes, and approach and
design of the solution and its deployment.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583726"></a>Introduction</h2></div></div></div><p>
Abmas is a miracle company. Most businesses would have collapsed under
the weight of rapid expansion that this company has experienced. Samba 
is flexible, so there is no need to reinstall the whole operating 
system just because you need to implement a new network design. In fact, 
you can keep an old server running right up to the moment of cutover 
and then do a near-live conversion. There is no need to reinstall a 
Samba server just to change the way your network should function.
</p><p>
<a class="indexterm" name="id2583745"></a>
Network growth is common to all organizations. In this exercise,
your preoccupation is with the mechanics of implementing Samba and
LDAP so that network users on each network segment can work
without impediment.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583756"></a>Assignment Tasks</h3></div></div></div><p>
        Starting with the configuration files for the server called
        <code class="constant">MASSIVE</code> in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you now deal with the
        issues that are particular to large distributed networks. Your task
        is simple  identify the challenges, consider the 
        alternatives, and then design and implement a solution.
        </p><p>
        <a class="indexterm" name="id2583784"></a>
        Remember, you have users based in London (UK), Los Angeles,
        Washington. DC, and, three buildings in New York. A significant portion
        of your workforce have notebook computers and roam all over the
        world. Some dial into the office, others use VPN connections over the
        Internet, and others just move between buildings.i
        </p><p>
        What do you say to an employee who normally uses a desktop
        system but must spend six weeks on the road with a notebook computer?
        She is concerned about email access and how to keep coworkers current
        with changing documents.
        </p><p>
        To top it all off, you have one network support person and one 
        help desk person based in London, a single person dedicated to all 
        network operations in Los Angeles, five staff for user administration 
        and help desk in New York, plus one <span class="emphasis"><em>floater</em></span> for 
        Washington.
        </p><p>
        You have outsourced all desktop deployment and management to
        DirectPointe. Your concern is server maintenance and third-level
        support. Build a plan and show what must be done.
        </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2583824"></a>Dissection and Discussion</h2></div></div></div><p>
<a class="indexterm" name="id2583832"></a>
<a class="indexterm" name="id2583839"></a>
In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you implemented an LDAP server that provided the
<em class="parameter"><code>passdb backend</code></em> for the Samba servers. You
explored ways to accelerate Windows desktop profile handling and you
took control of network performance.
</p><p>
<a class="indexterm" name="id2583864"></a>
<a class="indexterm" name="id2583871"></a>
<a class="indexterm" name="id2583878"></a>
<a class="indexterm" name="id2583884"></a>
The implementation of an LDAP-based passdb backend (known as
<span class="emphasis"><em>ldapsam</em></span> in Samba parlance), or some form of database
that can be distributed, is essential to permit the deployment of Samba
Primary and Backup Domain Controllers (PDC/BDCs). You see, the problem
is that the <span class="emphasis"><em>tdbsam</em></span>-style passdb backend does not
lend itself to being replicated. The older plain-text-based
<span class="emphasis"><em>smbpasswd</em></span>-style passdb backend can be replicated
using a tool such as <code class="literal">rsync</code>, but
<span class="emphasis"><em>smbpasswd</em></span> suffers the drawback that it does not
support the range of account facilities demanded by modern network
managers.
</p><p>
<a class="indexterm" name="id2583924"></a>
<a class="indexterm" name="id2583931"></a>
The new <span class="emphasis"><em>tdbsam</em></span> facility supports functionality
that is similar to an <span class="emphasis"><em>ldapsam</em></span>, but the lack of
distributed infrastructure sorely limits the scope for its
deployment. This raises the following questions: Why can't I just use
an XML-based backend, or for that matter, why not use an SQL-based
backend? Is support for these tools broken? Answers to these
questions require a bit of background.</p><p>
<a class="indexterm" name="id2583954"></a>
<a class="indexterm" name="id2583961"></a>
<a class="indexterm" name="id2583968"></a>
<a class="indexterm" name="id2583975"></a>
<span class="emphasis"><em>What is a directory?</em></span> A directory is a
collection of information regarding objects that can be accessed to
rapidly find information that is relevant in a particular and
consistent manner. A directory differs from a database in that it is
generally more often searched (read) than updated. As a consequence, the
information is organized to facilitate read access rather than to
support transaction processing.</p><p>
<a class="indexterm" name="id2583995"></a>
<a class="indexterm" name="id2584005"></a>
<a class="indexterm" name="id2584012"></a>
<a class="indexterm" name="id2584019"></a>
The Lightweight Directory Access Protocol (LDAP) differs
considerably from a traditional database. It has a simple search
facility that uniquely makes a highly preferred mechanism for managing
user identities. LDAP provides a scalable mechanism for distributing
the data repository and for keeping all copies (slaves) in sync with
the master repository.</p><p>
<a class="indexterm" name="id2584035"></a>
<a class="indexterm" name="id2584042"></a>
<a class="indexterm" name="id2584049"></a>
Samba is a flexible and powerful file and print sharing
technology. It can use many external authentication sources and can be
part of a total authentication and identity management
infrastructure. The two most important external sources for large sites
are Microsoft Active Directory and LDAP. Sites that specifically wish to
avoid the proprietary implications of Microsoft Active Directory
naturally gravitate toward OpenLDAP.</p><p>
<a class="indexterm" name="id2584066"></a>
In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you had to deal with a locally routed
network. All deployment concerns focused around making users happy,
and that simply means taking control over all network practices and
usage so that no one user is disadvantaged by any other. The real
lesson is one of understanding that no matter how much network
bandwidth you provide, bandwidth remains a precious resource.</p><p>In this chapter, you must now consider how the overall network must
function. In particular, you must be concerned with users who move
between offices. You must take into account the way users need to
access information globally. And you must make the network robust
enough so that it can sustain partial breakdown without causing loss of
productivity.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2584098"></a>Technical Issues</h3></div></div></div><p>
        There are at least three areas that need to be addressed as you
        approach the challenge of designing a network solution for the newly
        expanded business:
        </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2584114"></a>
                User needs such as mobility and data access</p></li><li><p>The nature of Windows networking protocols</p></li><li><p>Identity management infrastructure needs</p></li></ul></div><p>Let's look at each in turn.</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584137"></a>User Needs</h4></div></div></div><p>
        The new company has three divisions. Staff for each division are spread across
        the company. Some staff are office-bound and some are mobile users. Mobile
        users travel globally. Some spend considerable periods working in other offices.
        Everyone wants to be able to work without constraint of productivity.
        </p><p>
        The challenge is not insignificant. In some parts of the world, even dial-up
        connectivity is poor, while in other regions political encumbrances severely
        curtail user needs. Parts of the global Internet infrastructure remain shielded
        off for reasons outside the scope of this discussion.
        </p><p>
        <a class="indexterm" name="id2584162"></a>
        Decisions must be made regarding where data is to be stored, how it will be
        replicated (if at all), and what the network bandwidth implications are. For
        example, one decision that can be made is to give each office its own master
        file storage area that can be synchronized to a central repository in New
        York. This would permit global data to be backed up from a single location.
        The synchronization tool could be <code class="literal">rsync,</code> run via a cron
        job. Mobile users may use off-line file storage under Windows XP Professional.
        This way, they can synchronize all files that have changed since each logon
        to the network.
        </p><p>
        <a class="indexterm" name="id2584188"></a>
        <a class="indexterm" name="id2584198"></a>
        No matter which way you look at this, the bandwidth requirements
        for acceptable performance are substantial even if only 10 percent of
        staff are global data users. A company with 3,500 employees,
        280 of whom are mobile users who use a similarly distributed
        network, found they needed at least 2 Mb/sec connectivity
        between the UK and US offices. Even over 2 Mb/sec bandwidth, this
        company abandoned any attempt to run roaming profile usage for
        mobile users. At that time, the average roaming profile took 480
        KB, while today the minimum Windows XP Professional roaming
        profile involves a transfer of over 750 KB from the profile
        server to and from the client.
        </p><p>
        <a class="indexterm" name="id2584219"></a>
        Obviously then, user needs and wide-area practicalities dictate the economic and
        technical aspects of your network design as well as for standard operating procedures.
        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584231"></a>The Nature of Windows Networking Protocols</h4></div></div></div><p>
        <a class="indexterm" name="id2584239"></a>
        Network logons that include roaming profile handling requires from 140 KB to 2 MB.
        The inclusion of support for a minimal set of common desktop applications can push
        the size of a complete profile to over 15 MB. This has substantial implications
        for location of user profiles. Additionally, it is a significant factor in
        determining the nature and style of mandatory profiles that may be enforced as
        part of a total service-level assurance program that might be implemented.
        </p><p>
        <a class="indexterm" name="id2584260"></a>
        <a class="indexterm" name="id2584267"></a>
        One way to reduce the network bandwidth impact of user logon
        traffic is through folder redirection. In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you
        implemented this in the new Windows XP Professional standard
        desktop configuration. When desktop folders such as <span class="guimenu">My
        Documents</span> are redirected to a network drive, they should
        also be excluded from synchronization to and from the server on
        logon or logout. Redirected folders are analogous to network drive
        connections.
        </p><p><a class="indexterm" name="id2584294"></a>
        Of course, network applications should only be run off
        local application servers. As a general rule, even with 2 Mb/sec
        network bandwidth, it would not make sense at all for someone who
        is working out of the London office to run applications off a
        server that is located in New York.
        </p><p>
        <a class="indexterm" name="id2584310"></a>
        When network bandwidth becomes a precious commodity (that is most
        of the time), there is a significant demand to understand network
        processes and to mold the limits of acceptability around the
        constraints of affordability.
        </p><p>
        When a Windows NT4/200x/XP Professional client user logs onto
        the network, several important things must happen.
        </p><div class="itemizedlist"><ul type="disc"><li><p>
                <a class="indexterm" name="id2584332"></a>
                The client obtains an IP address via DHCP. (DHCP is
                necessary so that users can roam between offices.)
                </p></li><li><p>
                <a class="indexterm" name="id2584345"></a>
                <a class="indexterm" name="id2584352"></a>
                The client must register itself with the WINS and/or DNS server.
                </p></li><li><p>
                <a class="indexterm" name="id2584364"></a>
                The client must locate the closest domain controller.
                </p></li><li><p>
                The client must log onto a domain controller and obtain as part of
                that process the location of the user's profile, load it, connect to
                redirected folders, and establish all network drive and printer connections.
                </p></li><li><p>
                The domain controller must be able to resolve the user's
                credentials before the logon process is fully implemented.
                </p></li></ul></div><p>
        Given that this book is about Samba and that it implements the Windows
        NT4-style domain semantics, it makes little sense to compare Samba with
        Microsoft Active Directory insofar as the logon protocols and principles
        of operation are concerned. The following information pertains exclusively
        to the interaction between a Windows XP Professional workstation and a
        Samba-3.0.20 server. In the discussion that follows, use is made of DHCP and WINS.
        </p><p>
        As soon as the Windows workstation starts up, it obtains an
        IP address. This is immediately followed by registration of its
        name both by broadcast and Unicast registration that is directed
        at the WINS server.
        </p><p>
        <a class="indexterm" name="id2584411"></a>
        <a class="indexterm" name="id2584418"></a><a class="indexterm" name="id2584427"></a>
        Given that the client is already a domain member, it then sends
        a directed (Unicast) request to the WINS server seeking the list of
        IP addresses for domain controllers (NetBIOS name type 0x1C). The
        WINS server replies with the information requested.</p><p>
        <a class="indexterm" name="id2584442"></a>
        <a class="indexterm" name="id2584451"></a>
        <a class="indexterm" name="id2584458"></a>
        The client sends two netlogon mailslot broadcast requests
        to the local network and to each of the IP addresses returned by
        the WINS server. Whichever answers this request first appears to
        be the machine that the Windows XP client attempts to use to
        process the network logon. The mailslot messages use UDP broadcast
        to the local network and UDP Unicast directed at each machine that
        was listed in the WINS server response to a request for the list of
        domain controllers.
        </p><p>
        <a class="indexterm" name="id2584476"></a>
        <a class="indexterm" name="id2584485"></a>
        <a class="indexterm" name="id2584492"></a>
        The logon process begins with negotiation of the SMB/CIFS
        protocols that are to be used; this is followed by an exchange of
        information that ultimately includes the client sending the
        credentials with which the user is attempting to logon. The logon
        server must now approve the further establishment of the
        connection, but that is a good point to halt for now. The priority
        here must center around identification of network infrastructure
        needs. A secondary fact we need to know is, what happens when
        local domain controllers fail or break?
        </p><p>
        <a class="indexterm" name="id2584511"></a>
        <a class="indexterm" name="id2584518"></a>
        <a class="indexterm" name="id2584525"></a>
        <a class="indexterm" name="id2584531"></a>
        Under most circumstances, the nearest domain controller
        responds to the netlogon mailslot broadcast. The exception to this
        norm occurs when the nearest domain controller is too busy or is out
        of service. Herein lies an important fact. This means it is
        important that every network segment should have at least two
        domain controllers. Since there can be only one PDC, all additional
        domain controllers are by definition BDCs.
        </p><p>
        <a class="indexterm" name="id2584549"></a>
        <a class="indexterm" name="id2584556"></a>
        The provision of sufficient servers that are BDCs is an
        important design factor. The second important design factor
        involves how each of the BDCs obtains user authentication
        data. That is the subject of the next section, which involves key
        decisions regarding Identity Management facilities.
        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2584570"></a>Identity Management Needs</h4></div></div></div><p>
        <a class="indexterm" name="id2584578"></a>
        <a class="indexterm" name="id2584584"></a>
        <a class="indexterm" name="id2584591"></a>
        <a class="indexterm" name="id2584598"></a>
        Network managers recognize that in large organizations users
        generally need to be given resource access based on needs, while
        being excluded from other resources for reasons of privacy. It is
        therefore essential that all users identify themselves at the
        point of network access. The network logon is the principal means
        by which user credentials are validated and filtered and appropriate
        rights and privileges are allocated.
        </p><p>
        <a class="indexterm" name="id2584616"></a>
        <a class="indexterm" name="id2584622"></a>
        <a class="indexterm" name="id2584629"></a>
        Unfortunately, network resources tend to have their own Identity 
        Management facilities, the quality and manageability of which varies 
        from quite poor to exceptionally good. Corporations that use a mixture 
        of systems soon discover that until recently, few systems were 
        designed to interoperate. For example, UNIX systems each have an 
        independent user database. Sun Microsystems developed a facility that 
        was originally called <code class="constant">Yellow Pages</code>, and was renamed 
        when a telephone company objected to the use of its trademark. 
        What was once called <code class="constant">Yellow Pages</code> is today known 
        as <code class="constant">Network Information System</code> (NIS).
        </p><p>
        <a class="indexterm" name="id2584660"></a>
        NIS gained a strong following throughout the UNIX/VMS space in a short
        period of time and retained that appeal and use for over a decade.
        Security concerns and inherent limitations have caused it to enter its
        twilight. NIS did not gain widespread appeal outside of the UNIX world
        and was not universally adopted. Sun updated this to a more secure
        implementation called NIS+, but even it has fallen victim to changing
        demands as the demand for directory services that can be coupled with
        other information systems is catching on.
        </p><p>
        <a class="indexterm" name="id2584679"></a>
        <a class="indexterm" name="id2584686"></a>
        <a class="indexterm" name="id2584693"></a>
        Nevertheless, both NIS and NIS+ continue to hold ground in
        business areas where UNIX still has major sway. Examples of
        organizations that remain firmly attached to the use of NIS and
        NIS+ include large government departments, education institutions,
        and large corporations that have a scientific or engineering
        focus.
        </p><p>
        <a class="indexterm" name="id2584708"></a>
        <a class="indexterm" name="id2584715"></a>
        Today's networking world needs a scalable, distributed Identity 
        Management infrastructure, commonly called a directory. The most 
        popular technologies today are Microsoft Active Directory service 
        and a number of LDAP implementations.
        </p><p>
        <a class="indexterm" name="id2584729"></a>
        The problem of managing multiple directories has become a focal
        point over the past decade, creating a large market for
        metadirectory products and services that allow organizations that
        have multiple directories and multiple management and control
        centers to provision information from one directory into
        another. The attendant benefit to end users is the promise of
        having to remember and deal with fewer login identities and
        passwords.</p><p>
        <a class="indexterm" name="id2584747"></a>
        The challenge of every large network is to find the optimum
        balance of internal systems and facilities for Identity
        Management resources. How well the solution is chosen and
        implemented has potentially significant impact on network bandwidth
        and systems response needs.</p><p>
        <a class="indexterm" name="id2584764"></a>
        <a class="indexterm" name="id2584771"></a>
        <a class="indexterm" name="id2584780"></a>
        In <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, you implemented a single LDAP server for the
        entire network. This may work for smaller networks, but almost
        certainly fails to meet the needs of large and complex networks. The
        following section documents how you may implement a single
        master LDAP server with multiple slave servers.</p><p>
        What is the best method for implementing master/slave LDAP
        servers within the context of a distributed 2,000-user network is a
        question that remains to be answered.</p><p>
        <a class="indexterm" name="id2584809"></a>
        <a class="indexterm" name="id2584816"></a>
        One possibility that has great appeal is to create a single,
        large distributed domain. The practical implications of this
        design (see <a class="link" href="net2000users.html#chap7net" title="Figure 6.6. Network Topology 2000 User Complex Design A">&#8220;Network Topology  2000 User Complex Design A&#8221;</a>) demands the placement of
        sufficient BDCs in each location. Additionally, network
        administrators must make sure that profiles are not transferred
        over the wide-area links, except as a totally unavoidable
        measure. Network design must balance the risk of loss of user
        productivity against the cost of network management and
        maintenance.
        </p><p>
        <a class="indexterm" name="id2584847"></a>
        The network design in <a class="link" href="net2000users.html#chap7net2" title="Figure 6.7. Network Topology 2000 User Complex Design B">&#8220;Network Topology  2000 User Complex Design B&#8221;</a> takes the approach
        that management of networks that are too remote to be managed
        effectively from New York ought to be given a certain degree of
        autonomy. With this rationale, the Los Angeles and London networks,
        though fully integrated with those on the East Coast, each have their
        own domain name space and can be independently managed and controlled.
        One of the key drawbacks of this design is that it flies in the face of
        the ability for network users to roam globally without some compromise
        in how they may access global resources.
        </p><p>
        <a class="indexterm" name="id2584873"></a>
        Desk-bound users need not be negatively affected by this design, since
        the use of interdomain trusts can be used to satisfy the need for global
        data sharing.
        </p><p>
        <a class="indexterm" name="id2584886"></a>
        <a class="indexterm" name="id2584892"></a>
        <a class="indexterm" name="id2584902"></a>
        When Samba-3 is configured to use an LDAP backend, it stores the domain
        account information in a directory entry. This account entry contains the
        domain SID. An unintended but exploitable side effect is that this makes it
        possible to operate with more than one PDC on a distributed network.
        </p><p>
        <a class="indexterm" name="id2584916"></a>
        <a class="indexterm" name="id2584923"></a>
        <a class="indexterm" name="id2584930"></a>
        How might this peculiar feature be exploited? The answer is simple. It is
        imperative that each network segment have its own WINS server. Major
        servers on remote network segments can be given a static WINS entry in
        the <code class="filename">wins.dat</code> file on each WINS server. This allows
        all essential data to be visible from all locations. Each location would,
        however, function as if it is an independent domain, while all sharing the
        same domain SID. Since all domain account information can be stored in a
        single LDAP backend, users have unfettered ability to roam.
        </p><p>
        <a class="indexterm" name="id2584955"></a>
        <a class="indexterm" name="id2584964"></a>
        This concept has not been exhaustively validated, though we can see no reason
        why this should not work. The important facets are the following: The name of
        the domain must be identical in all locations. Each network segment must have
        its own WINS server. The name of the PDC must be the same in all locations; this
        necessitates the use of NetBIOS name aliases for each PDC so that they can be
        accessed globally using the alias and not the PDC's primary name. A single master
        LDAP server can be based in New York, with multiple LDAP slave servers located
        on every network segment. Finally, the BDCs should each use failover LDAP servers
        that are in fact slave LDAP servers on the local segments.
        </p><p>
        <a class="indexterm" name="id2584986"></a>
        <a class="indexterm" name="id2584995"></a>
        <a class="indexterm" name="id2585002"></a>
        <a class="indexterm" name="id2585011"></a>
        With a single master LDAP server, all network updates are effected on a single
        server. In the event that this should become excessively fragile or network
        bandwidth limiting, one could implement a delegated LDAP domain. This is also
        known as a partitioned (or multiple partition) LDAP database and as a distributed
        LDAP directory.
        </p><p>
        As the LDAP directory grows, it becomes increasingly important
        that its structure is implemented in a manner that mirrors
        organizational needs, so as to limit network update and
        referential traffic. It should be noted that all directory
        administrators must of necessity follow the same standard
        procedures for managing the directory, because retroactive correction of
        inconsistent directory information can be exceedingly difficult.
        </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2585046"></a>Political Issues</h3></div></div></div><p>
        As organizations grow, the number of points of control increases
        also. In a large distributed organization, it is important that the
        Identity Management system be capable of being updated from
        many locations, and it is equally important that changes made should
        become usable in a reasonable period, typically
        minutes rather than days (the old limitation of highly manual
        systems).
        </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2585064"></a>Implementation</h2></div></div></div><p>
        <a class="indexterm" name="id2585071"></a>
        <a class="indexterm" name="id2585078"></a>
        <a class="indexterm" name="id2585085"></a>
        <a class="indexterm" name="id2585092"></a>
        Samba-3 has the ability to use multiple password (authentication and
        identity resolution) backends. The diagram in <a class="link" href="net2000users.html#chap7idres" title="Figure 6.1. Samba and Authentication Backend Search Pathways">&#8220;Samba and Authentication Backend Search Pathways&#8221;</a>
        demonstrates how Samba uses winbind, LDAP, and NIS, the traditional system
        password database. The diagram only documents the mechanisms for
        authentication and identity resolution (obtaining a UNIX UID/GID)
        using the specific systems shown.
        </p><div class="figure"><a name="chap7idres"></a><p class="title"><b>Figure 6.1. Samba and Authentication Backend Search Pathways</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-idresol.png" width="297" alt="Samba and Authentication Backend Search Pathways"></div></div></div><br class="figure-break"><p>
        <a class="indexterm" name="id2585156"></a>
        <a class="indexterm" name="id2585163"></a>
        <a class="indexterm" name="id2585170"></a>
        <a class="indexterm" name="id2585177"></a>
        <a class="indexterm" name="id2585183"></a>
        <a class="indexterm" name="id2585190"></a>
        <a class="indexterm" name="id2585197"></a>
        Samba is capable of using the <code class="constant">smbpasswd</code>,
        <code class="constant">tdbsam</code>, <code class="constant">xmlsam</code>,
        and <code class="constant">mysqlsam</code> authentication databases. The SMB
        passwords can, of course, also be stored in an LDAP ldapsam
        backend. LDAP is the preferred passdb backend for distributed network
        operations.
        </p><p>
        <a class="indexterm" name="id2585225"></a>
        Additionally, it is possible to use multiple passdb backends
        concurrently as well as have multiple LDAP backends. As a result, you
        can specify a failover LDAP backend. The syntax for specifying a
        single LDAP backend in <code class="filename">smb.conf</code> is:
</p><pre class="screen">
...
passdb backend = ldapsam:ldap://master.abmas.biz
...
</pre><p>
        This configuration tells Samba to use a single LDAP server, as shown in <a class="link" href="net2000users.html#ch7singleLDAP" title="Figure 6.2. Samba Configuration to Use a Single LDAP Server">&#8220;Samba Configuration to Use a Single LDAP Server&#8221;</a>.
        </p><div class="figure"><a name="ch7singleLDAP"></a><p class="title"><b>Figure 6.2. Samba Configuration to Use a Single LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-singleLDAP.png" width="351" alt="Samba Configuration to Use a Single LDAP Server"></div></div></div><p><br class="figure-break">
        <a class="indexterm" name="id2585298"></a>
        <a class="indexterm" name="id2585308"></a>
        The addition of a failover LDAP server can simply be done by adding a
        second entry for the failover server to the single <em class="parameter"><code>ldapsam</code></em>
        entry, as shown here (note the particular use of the double quotes):
</p><pre class="screen">
...
passdb backend = ldapsam:"ldap://master.abmas.biz \
                          ldap://slave.abmas.biz"
...
</pre><p>
        This configuration tells Samba to use a master LDAP server, with failover to a slave server if necessary,
        as shown in <a class="link" href="net2000users.html#ch7dualLDAP" title="Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server">&#8220;Samba Configuration to Use a Dual (Fail-over) LDAP Server&#8221;</a>.
        </p><div class="figure"><a name="ch7dualLDAP"></a><p class="title"><b>Figure 6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-fail-overLDAP.png" width="351" alt="Samba Configuration to Use a Dual (Fail-over) LDAP Server"></div></div></div><p><br class="figure-break">
        </p><p>
        Some folks have tried to implement this without the use of double quotes. This is the type of entry they
        created:
</p><pre class="screen">
...
passdb backend = ldapsam:ldap://master.abmas.biz \
                 ldapsam:ldap://slave.abmas.biz
...
</pre><p>
        <a class="indexterm" name="id2585394"></a>
        The effect of this style of entry is that Samba lists the users
        that are in both LDAP databases. If both contain the same information,
        it results in each record being shown twice. This is, of course, not the
        solution desired for a failover implementation. The net effect of this
        configuration is shown in <a class="link" href="net2000users.html#ch7dualadd" title="Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!">&#8220;Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!&#8221;</a>
        </p><div class="figure"><a name="ch7dualadd"></a><p class="title"><b>Figure 6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP.png" width="297" alt="Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!"></div></div></div><br class="figure-break"><p>
        If, however, each LDAP database contains unique information, this may 
        well be an advantageous way to effectively integrate multiple LDAP databases 
        into one seemingly contiguous directory. Only the first database will be updated.
        An example of this configuration is shown in <a class="link" href="net2000users.html#ch7dualok" title="Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.">&#8220;Samba Configuration to Use Two LDAP Databases - The result is additive.&#8221;</a>.
        </p><div class="figure"><a name="ch7dualok"></a><p class="title"><b>Figure 6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch7-dual-additive-LDAP-Ok.png" width="297" alt="Samba Configuration to Use Two LDAP Databases - The result is additive."></div></div></div><br class="figure-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
        When the use of ldapsam is specified twice, as shown here, it is imperative
        that the two LDAP directories must be disjoint. If the entries are for a
        master LDAP server as well as its own slave server, updates to the LDAP
        database may end up being lost or corrupted. You may safely use multiple
        LDAP backends only if both are entirely separate from each other.
        </p></div><p>
        It is assumed that the network you are working with follows in a
        pattern similar to what was covered in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>. The following steps
    permit the operation of a master/slave OpenLDAP arrangement.
        </p><div class="procedure"><a name="id2585536"></a><p class="title"><b>Procedure 6.1. Implementation Steps for an LDAP Slave Server</b></p><ol type="1"><li><p>
            <a class="indexterm" name="id2585548"></a>
                <a class="indexterm" name="id2585555"></a>
                Log onto the master LDAP server as <code class="constant">root</code>.
                You are about to change the configuration of the LDAP server, so it
                makes sense to temporarily halt it. Stop OpenLDAP from running on 
                SUSE Linux by executing:
</p><pre class="screen">
<code class="prompt">root# </code> rcldap stop
</pre><p>
                On Red Hat Linux, you can do this by executing:
</p><pre class="screen">
<code class="prompt">root# </code> service ldap stop
</pre><p>
                </p></li><li><p>
                <a class="indexterm" name="id2585600"></a>
                Edit the <code class="filename">/etc/openldap/slapd.conf</code> file so it
                matches the content of <a class="link" href="net2000users.html#ch7-LDAP-master" title="Example 6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf">&#8220;LDAP Master Server Configuration File  /etc/openldap/slapd.conf&#8221;</a>.
                </p></li><li><p>
                Create a file called <code class="filename">admin-accts.ldif</code> with the following contents:
</p><pre class="screen">
dn: cn=updateuser,dc=abmas,dc=biz
objectClass: person
cn: updateuser
sn: updateuser
userPassword: not24get

dn: cn=sambaadmin,dc=abmas,dc=biz
objectClass: person
cn: sambaadmin
sn: sambaadmin
userPassword: buttercup
</pre><p>
                </p></li><li><p>
                Add an account called &#8220;<span class="quote">updateuser</span>&#8221; to the master LDAP server as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> slapadd -v -l admin-accts.ldif
</pre><p>
                </p></li><li><p>
                <a class="indexterm" name="id2585673"></a>
                <a class="indexterm" name="id2585680"></a>
                Change directory to a suitable place to dump the contents of the
                LDAP server. The dump file (and LDIF file) is used to preload
                the slave LDAP server database. You can dump the database by executing:
</p><pre class="screen">
<code class="prompt">root# </code> slapcat -v -l LDAP-transfer-LDIF.txt
</pre><p>
                Each record is written to the file.     
                </p></li><li><p>
                <a class="indexterm" name="id2585712"></a>
                Copy the file <code class="filename">LDAP-transfer-LDIF.txt</code> to the intended
                slave LDAP server. A good location could be in the directory 
                <code class="filename">/etc/openldap/preload</code>.
                </p></li><li><p>
                Log onto the slave LDAP server as <code class="constant">root</code>. You can
                now configure this server so the <code class="filename">/etc/openldap/slapd.conf</code>
                file matches the content of <a class="link" href="net2000users.html#ch7-LDAP-slave" title="Example 6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf">&#8220;LDAP Slave Configuration File  /etc/openldap/slapd.conf&#8221;</a>.
                </p></li><li><p>
                Change directory to the location in which you stored the 
                <code class="filename">LDAP-transfer-LDIF.txt</code> file (<code class="filename">/etc/openldap/preload</code>).
                While in this directory, execute:
</p><pre class="screen">
<code class="prompt">root# </code> slapadd -v -l LDAP-transfer-LDIF.txt
</pre><p>
                If all goes well, the following output confirms that the data is being loaded
                as intended:
</p><pre class="screen">
added: "dc=abmas,dc=biz" (00000001)
added: "cn=sambaadmin,dc=abmas,dc=biz" (00000002)
added: "cn=updateuser,dc=abmas,dc=biz" (00000003)
added: "ou=People,dc=abmas,dc=biz" (00000004)
added: "ou=Groups,dc=abmas,dc=biz" (00000005)
added: "ou=Computers,dc=abmas,dc=biz" (00000006)
added: "uid=Administrator,ou=People,dc=abmas,dc=biz" (00000007)
added: "uid=nobody,ou=People,dc=abmas,dc=biz" (00000008)
added: "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz" (00000009)
added: "cn=Domain Users,ou=Groups,dc=abmas,dc=biz" (0000000a)
added: "cn=Domain Guests,ou=Groups,dc=abmas,dc=biz" (0000000b)
added: "uid=bobj,ou=People,dc=abmas,dc=biz" (0000000c)
added: "sambaDomainName=MEGANET2,dc=abmas,dc=biz" (0000000d)
added: "uid=stans,ou=People,dc=abmas,dc=biz" (0000000e)
added: "uid=chrisr,ou=People,dc=abmas,dc=biz" (0000000f)
added: "uid=maryv,ou=People,dc=abmas,dc=biz" (00000010)
added: "cn=Accounts,ou=Groups,dc=abmas,dc=biz" (00000011)
added: "cn=Finances,ou=Groups,dc=abmas,dc=biz" (00000012)
added: "cn=PIOps,ou=Groups,dc=abmas,dc=biz" (00000013)
</pre><p>
                </p></li><li><p>
                Now start the LDAP server and set it to run automatically on system reboot by executing:
</p><pre class="screen">
<code class="prompt">root# </code> rcldap start
<code class="prompt">root# </code> chkconfig ldap on
</pre><p>
                On Red Hat Linux, execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> service ldap start
<code class="prompt">root# </code> chkconfig ldap on
</pre><p>
                </p></li><li><p>
            <a class="indexterm" name="id2585885"></a>
                <a class="indexterm" name="id2585892"></a>
                <a class="indexterm" name="id2585899"></a>
                Go back to the master LDAP server. Execute the following to start LDAP as well
                as <code class="literal">slurpd</code>, the synchronization daemon, as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> rcldap start
<code class="prompt">root# </code> chkconfig ldap on
<code class="prompt">root# </code> rcslurpd start
<code class="prompt">root# </code> chkconfig slurpd on
</pre><p>
            <a class="indexterm" name="id2585944"></a>
                On Red Hat Linux, check the equivalent command to start <code class="literal">slurpd</code>.
                </p></li><li><p>
                <a class="indexterm" name="id2585965"></a>
                On the master LDAP server you may now add an account to validate that replication
                is working. Assuming the configuration shown in <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, execute:
</p><pre class="screen">
<code class="prompt">root# </code> /var/lib/samba/sbin/smbldap-useradd -a fruitloop
</pre><p>
                </p></li><li><p>
                On the slave LDAP server, change to the directory <code class="filename">/var/lib/ldap</code>.
                There should now be a file called <code class="filename">replogfile</code>. If replication worked
                as expected, the content of this file should be:
</p><pre class="screen">
time: 1072486403
dn: uid=fruitloop,ou=People,dc=abmas,dc=biz
changetype: modify
replace: sambaProfilePath
sambaProfilePath: \\MASSIVE\profiles\fruitloop
-
replace: sambaHomePath
sambaHomePath: \\MASSIVE\homes
-
replace: entryCSN
entryCSN: 2003122700:43:38Z#0x0005#0#0000
-
replace: modifiersName
modifiersName: cn=Manager,dc=abmas,dc=biz
-
replace: modifyTimestamp
modifyTimestamp: 20031227004338Z
-
</pre><p>
                </p></li><li><p>
                Given that this first slave LDAP server is now working correctly, you may now
                implement additional slave LDAP servers as required.
                </p></li><li><p>
                On each machine (PDC and BDCs) after the respective <code class="filename">smb.conf</code> files have been created as shown in
                <a class="link" href="net2000users.html#ch7-massmbconfA" title="Example 6.3. Primary Domain Controller smb.conf File Part A">Primary Domain Controller <code class="filename">smb.conf</code> File  Part A + B + C</a> and
                on BDCs the <a class="link" href="net2000users.html#ch7-slvsmbocnfA" title="Example 6.6. Backup Domain Controller smb.conf File Part A">Backup Domain Controller <code class="filename">smb.conf</code> File  Part A
                + B + C</a> execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> smbpasswd -w buttercup
</pre><p>
                This will install in the <code class="filename">secrets.tdb</code> file the password that Samba will need to
                manage (write to) the LDAP Master server to perform account updates.
                </p></li></ol></div><div class="example"><a name="ch7-LDAP-master"></a><p class="title"><b>Example 6.1. LDAP Master Server Configuration File  <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix      "dc=abmas,dc=biz"
rootdn      "cn=Manager,dc=abmas,dc=biz"

# rootpw = not24get
rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

replica     host=lapdc.abmas.biz:389
            suffix="dc=abmas,dc=biz"
            binddn="cn=updateuser,dc=abmas,dc=biz"
            bindmethod=simple credentials=not24get

access to attrs=sambaLMPassword,sambaNTPassword
           by dn="cn=sambaadmin,dc=abmas,dc=biz" write
           by * none

replogfile  /var/lib/ldap/replogfile

directory   /var/lib/ldap

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
</pre></div></div><br class="example-break"><div class="example"><a name="ch7-LDAP-slave"></a><p class="title"><b>Example 6.2. LDAP Slave Configuration File  <code class="filename">/etc/openldap/slapd.conf</code></b></p><div class="example-contents"><pre class="screen">
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

database    bdb
suffix      "dc=abmas,dc=biz"
rootdn      "cn=Manager,dc=abmas,dc=biz"

# rootpw = not24get
rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

access to *
            by dn=cn=updateuser,dc=abmas,dc=biz write
            by * read

updatedn    cn=updateuser,dc=abmas,dc=biz
updateref   ldap://massive.abmas.biz

directory   /var/lib/ldap

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
</pre></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfA"></a><p class="title"><b>Example 6.3. Primary Domain Controller <code class="filename">smb.conf</code> File  Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2586228"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2586240"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2586252"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586264"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2586276"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2586288"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2586299"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2586311"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2586323"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2586335"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2586347"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586358"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2586370"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586383"></a><em class="parameter"><code>delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586395"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2586408"></a><em class="parameter"><code>delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2586420"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586433"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586446"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586459"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2586471"></a><em class="parameter"><code>shutdown script = /var/lib/samba/scripts/shutdown.sh</code></em></td></tr><tr><td><a class="indexterm" name="id2586484"></a><em class="parameter"><code>abort shutdown script = /sbin/shutdown -c</code></em></td></tr><tr><td><a class="indexterm" name="id2586496"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2586508"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2586520"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2586531"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586543"></a><em class="parameter"><code>domain master = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586555"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586567"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586578"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586590"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2586602"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2586614"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2586626"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586639"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2586651"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586663"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2586674"></a><em class="parameter"><code>printer admin = root</code></em></td></tr><tr><td><a class="indexterm" name="id2586686"></a><em class="parameter"><code>printing = cups</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfB"></a><p class="title"><b>Example 6.4. Primary Domain Controller <code class="filename">smb.conf</code> File  Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[IPC$]</code></em></td></tr><tr><td><a class="indexterm" name="id2586732"></a><em class="parameter"><code>path = /tmp</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2586752"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586764"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2586776"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2586796"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586808"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2586820"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2586840"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2586852"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2586864"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2586884"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2586896"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2586908"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2586919"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2586940"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2586951"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2586963"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586975"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586986"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-massmbconfC"></a><p class="title"><b>Example 6.5. Primary Domain Controller <code class="filename">smb.conf</code> File  Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2587032"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587044"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2587055"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2587067"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2587087"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2587099"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2587111"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr><tr><td><a class="indexterm" name="id2587123"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587135"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2587155"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2587167"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2587179"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587190"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2587211"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2587223"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2587235"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587246"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2587267"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2587279"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2587291"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id2587302"></a><em class="parameter"><code>admin users = root, Administrator</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfA"></a><p class="title"><b>Example 6.6. Backup Domain Controller <code class="filename">smb.conf</code> File  Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># # Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2587352"></a><em class="parameter"><code>unix charset = LOCALE</code></em></td></tr><tr><td><a class="indexterm" name="id2587363"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2587375"></a><em class="parameter"><code>netbios name = BLDG1</code></em></td></tr><tr><td><a class="indexterm" name="id2587387"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://lapdc.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587399"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2587411"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2587423"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2587434"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2587446"></a><em class="parameter"><code>max log size = 50</code></em></td></tr><tr><td><a class="indexterm" name="id2587458"></a><em class="parameter"><code>smb ports = 139</code></em></td></tr><tr><td><a class="indexterm" name="id2587469"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2587481"></a><em class="parameter"><code>printcap name = CUPS</code></em></td></tr><tr><td><a class="indexterm" name="id2587493"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587505"></a><em class="parameter"><code>logon script = scripts\logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2587517"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2587529"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2587541"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587553"></a><em class="parameter"><code>os level = 63</code></em></td></tr><tr><td><a class="indexterm" name="id2587564"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587576"></a><em class="parameter"><code>wins server = 192.168.2.1</code></em></td></tr><tr><td><a class="indexterm" name="id2587588"></a><em class="parameter"><code>ldap suffix = dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587600"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2587612"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2587624"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2587636"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2587648"></a><em class="parameter"><code>ldap admin dn = cn=sambaadmin,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587660"></a><em class="parameter"><code>utmp = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587671"></a><em class="parameter"><code>idmap backend = ldap://massive.abmas.biz</code></em></td></tr><tr><td><a class="indexterm" name="id2587683"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2587695"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2587707"></a><em class="parameter"><code>printing = cups</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[accounts]</code></em></td></tr><tr><td><a class="indexterm" name="id2587727"></a><em class="parameter"><code>comment = Accounting Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587739"></a><em class="parameter"><code>path = /data/accounts</code></em></td></tr><tr><td><a class="indexterm" name="id2587751"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[service]</code></em></td></tr><tr><td><a class="indexterm" name="id2587771"></a><em class="parameter"><code>comment = Financial Services Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587783"></a><em class="parameter"><code>path = /data/service</code></em></td></tr><tr><td><a class="indexterm" name="id2587795"></a><em class="parameter"><code>read only = No</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch7-slvsmbocnfB"></a><p class="title"><b>Example 6.7. Backup Domain Controller <code class="filename">smb.conf</code> File  Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[pidata]</code></em></td></tr><tr><td><a class="indexterm" name="id2587841"></a><em class="parameter"><code>comment = Property Insurance Files</code></em></td></tr><tr><td><a class="indexterm" name="id2587853"></a><em class="parameter"><code>path = /data/pidata</code></em></td></tr><tr><td><a class="indexterm" name="id2587864"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2587884"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2587896"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2587908"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2587919"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2587940"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2587952"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2587963"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587975"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2587987"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2588007"></a><em class="parameter"><code>comment = Application Files</code></em></td></tr><tr><td><a class="indexterm" name="id2588019"></a><em class="parameter"><code>path = /apps</code></em></td></tr><tr><td><a class="indexterm" name="id2588030"></a><em class="parameter"><code>admin users = bjones</code></em></td></tr><tr><td><a class="indexterm" name="id2588042"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2588063"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2588075"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2588086"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2588098"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2588119"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2588130"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2588142"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2588154"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2588174"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2588186"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2588198"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2588210"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2588223"></a>Key Points Learned</h3></div></div></div><div class="itemizedlist"><ul type="disc"><li><p>
                        <a class="indexterm" name="id2588234"></a><a class="indexterm" name="id2588239"></a>
                        Where Samba-3 is used as a domain controller, the use of LDAP is an 
                        essential component to permit the use of BDCs.
                        </p></li><li><p>
                        <a class="indexterm" name="id2588252"></a>
                        Replication of the LDAP master server to create a network of BDCs
                        is an important mechanism for limiting WAN traffic.
                        </p></li><li><p>
                        Network administration presents many complex challenges, most of which
                        can be satisfied by good design but that also require sound communication
                        and unification of management practices. This can be highly challenging in
                        a large, globally distributed network.
                        </p></li><li><p>
                        Roaming profiles must be contained to the local network segment. Any
                        departure from this may clog wide-area arteries and slow legitimate network
                        traffic to a crawl.
                        </p></li></ul></div></div><div class="figure"><a name="chap7net"></a><p class="title"><b>Figure 6.6. Network Topology  2000 User Complex Design A</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net-Ar.png" width="432" alt="Network Topology 2000 User Complex Design A"></div></div></div><br class="figure-break"><div class="figure"><a name="chap7net2"></a><p class="title"><b>Figure 6.7. Network Topology  2000 User Complex Design B</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/chap7-net2-Br.png" width="432" alt="Network Topology 2000 User Complex Design B"></div></div></div><br class="figure-break"></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2588370"></a>Questions and Answers</h2></div></div></div><p>
        There is much rumor and misinformation regarding the use of MS Windows networking protocols.
        These questions are just a few of those frequently asked.
        </p><div class="qandaset"><dl><dt> <a href="net2000users.html#id2588388">
                
                
                Is it true that DHCP uses lots of WAN bandwidth?
                </a></dt><dt> <a href="net2000users.html#id2588523">
                
                
                How much background communication takes place between a master LDAP server and its slave LDAP servers?
                </a></dt><dt> <a href="net2000users.html#id2588584">
                LDAP has a database. Is LDAP not just a fancy database front end?
                </a></dt><dt> <a href="net2000users.html#id2588648">
                
                Can Active Directory obtain account information from an OpenLDAP server?
                </a></dt><dt> <a href="net2000users.html#id2588683">
                What are the parts of a roaming profile? How large is each part?
                </a></dt><dt> <a href="net2000users.html#id2588832">
                Can the My Documents folder be stored on a network drive?
                </a></dt><dt> <a href="net2000users.html#id2588880">
                
                
                
                How much WAN bandwidth does WINS consume?
                </a></dt><dt> <a href="net2000users.html#id2588964">
                How many BDCs should I have? What is the right number of Windows clients per server?
                </a></dt><dt> <a href="net2000users.html#id2589000">
                
                I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
                run an NIS server?
                </a></dt><dt> <a href="net2000users.html#id2589034">
                Can I use NIS in place of LDAP?
                </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2588388"></a><a name="id2588390"></a></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588395"></a>
                <a class="indexterm" name="id2588401"></a>
                Is it true that DHCP uses lots of WAN bandwidth?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588418"></a>
                <a class="indexterm" name="id2588427"></a>
                <a class="indexterm" name="id2588434"></a>
                It is a smart practice to localize DHCP servers on each network segment. As a 
                rule, there should be two DHCP servers per network segment. This means that if
                one server fails, there is always another to service user needs. DHCP requests use
                only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network
                routers. This makes it possible to run fewer DHCP servers.
                </p><p>
                <a class="indexterm" name="id2588453"></a>
                <a class="indexterm" name="id2588462"></a>
                A DHCP network address request and confirmation usually results in about six UDP packets.
                The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP
                clients and that uses a 24-hour IP address lease. This means that all clients renew
                their IP address lease every 24 hours. If we assume an average packet length equal to the
                maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, 
                how significant would the DHCP traffic be if all of it were to use DHCP Relay?
                </p><p>
                I must stress that this is a bad design, but here is the calculation:
</p><pre class="screen">
Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte) 
                             x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day.

DHCP traffic:          300 (clients) x 6 (packets) 
                                       x 512 (bytes/packet) = 0.9 Mbytes/day.
</pre><p>
                From this can be seen that the traffic impact would be minimal.
                </p><p>
                <a class="indexterm" name="id2588500"></a>
                <a class="indexterm" name="id2588509"></a>
                Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link,
                the impact of the update is no more than the DHCP IP address renewal traffic and thus
                still insignificant for most practical purposes.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588523"></a><a name="id2588525"></a></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588529"></a>
                <a class="indexterm" name="id2588536"></a>
                How much background communication takes place between a master LDAP server and its slave LDAP servers?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588557"></a>
                The process that controls the replication of data from the master LDAP server to the slave LDAP
                servers is called <code class="literal">slurpd</code>. The <code class="literal">slurpd</code> remains nascent (quiet)
                until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete)
                two user accounts requires less than 10KB traffic.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588584"></a><a name="id2588586"></a></td><td align="left" valign="top"><p>
                LDAP has a database. Is LDAP not just a fancy database front end?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588598"></a>
                <a class="indexterm" name="id2588605"></a>
                <a class="indexterm" name="id2588614"></a>
                <a class="indexterm" name="id2588620"></a>
                LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific
                data storage system. This type of database is indexed so that records can be rapidly located, but the
                database is not generic and can be used only in particular pre-programmed ways. General external
                applications do not gain access to the data. This type of database is used also by SQL servers. Both
                an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional
                orientation and typically allows external programs to perform ad hoc queries, even across data tables.
                An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific
                simple queries. The term <code class="constant">database</code> is heavily overloaded and thus much misunderstood.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588648"></a><a name="id2588650"></a></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588654"></a>
                Can Active Directory obtain account information from an OpenLDAP server?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588669"></a>
                No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP
                database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface
                to OpenLDAP using standard LDAP queries and updates. 
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588683"></a><a name="id2588685"></a></td><td align="left" valign="top"><p>
                What are the parts of a roaming profile? How large is each part?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2588696"></a>
                A roaming profile consists of
                </p><div class="itemizedlist"><ul type="disc"><li><p>
                        Desktop folders such as <code class="constant">Desktop</code>, <code class="constant">My Documents</code>,
                        <code class="constant">My Pictures</code>, <code class="constant">My Music</code>, <code class="constant">Internet Files</code>,
                        <code class="constant">Cookies</code>, <code class="constant">Application Data</code>,
                        <code class="constant">Local Settings,</code> and more. See <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">&#8220;Making Happy Users&#8221;</a>, <a class="link" href="happy.html#XP-screen001" title="Figure 5.3. Windows XP Professional User Shared Folders">&#8220;Windows XP Professional  User Shared Folders&#8221;</a>.
                        </p><p>
                        <a class="indexterm" name="id2588757"></a>
                        Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all
                        such folders can be redirected to network drive resources. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">&#8220;Configuration of Default Profile with Folder Redirection&#8221;</a>
                        for more information regarding folder redirection.
                        </p></li><li><p>
                        A static or rewritable portion that is typically only a few files (2-5 KB of information).
                        </p></li><li><p>
                        <a class="indexterm" name="id2588784"></a>
                        <a class="indexterm" name="id2588790"></a>
                        The registry load file that modifies the <code class="constant">HKEY_LOCAL_USER</code> hive. This is
                        the <code class="filename">NTUSER.DAT</code> file. It can be from 0.4 to 1.5 MB.
                        </p></li></ul></div><p>
                <a class="indexterm" name="id2588813"></a>
                Microsoft Outlook PST files may be stored in the <code class="constant">Local Settings\Application Data</code>
                folder. It can be up to 2 GB in size per PST file.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588832"></a><a name="id2588834"></a></td><td align="left" valign="top"><p>
                Can the <code class="constant">My Documents</code> folder be stored on a network drive?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588849"></a>
                <a class="indexterm" name="id2588856"></a>
                Yes. More correctly, such folders can be redirected to network shares. No specific network drive
                connection is required. Registry settings permit this to be redirected directly to a UNC (Universal
                Naming Convention) resource, though it is possible to specify a network drive letter instead of a
                UNC name. See <a class="link" href="happy.html#redirfold" title="Configuration of Default Profile with Folder Redirection">&#8220;Configuration of Default Profile with Folder Redirection&#8221;</a>.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588880"></a><a name="id2588882"></a></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588886"></a>
                <a class="indexterm" name="id2588893"></a>
                <a class="indexterm" name="id2588902"></a>
                How much WAN bandwidth does WINS consume?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2588916"></a>
                <a class="indexterm" name="id2588925"></a>
                <a class="indexterm" name="id2588932"></a>
                MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache.
                This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS
                server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day,
                was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total
                of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links.
                Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication
                traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection
                that aggregated the branch office connections plus an Internet connection.
                </p><p>
                In conclusion, the total load afforded through WINS traffic is again marginal to total operational
                usage  as it should be.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2588964"></a><a name="id2588966"></a></td><td align="left" valign="top"><p>
                How many BDCs should I have? What is the right number of Windows clients per server?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                It is recommended to have at least one BDC per network segment, including the segment served
                by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the
                load demand pattern of client usage. I have seen sites that function without problem with 200
                clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular
                company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print
                server; and an application server. While all three were BDCs, typically only the print server would
                service network logon requests after the first 10 users had started to use the network. This was
                a reflection of the service load placed on both the application server and the data server.
                </p><p>
                As unsatisfactory as the answer might sound, it all depends on network and server load
                characteristics.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589000"></a><a name="id2589002"></a></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2589006"></a><a class="indexterm" name="id2589012"></a>
                I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to
                run an NIS server?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                The correct answer to both questions is yes. But do understand that an LDAP server has
                a configurable schema that can store far more information for many more purposes than
                just NIS.
                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2589034"></a><a name="id2589036"></a></td><td align="left" valign="top"><p>
                Can I use NIS in place of LDAP?
                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
                <a class="indexterm" name="id2589047"></a>
                <a class="indexterm" name="id2589054"></a>
                No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal
                with the types of data necessary for interoperability with Microsoft Windows networking. The use
                of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also
                a Samba-specific schema extension.
                </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="happy.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="ExNetworks.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DMSMig.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Making Happy Users </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part II. Domain Members, Updating Samba and Migration</td></tr></table></div></body></html>