Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)

5.9. Questions and Answers

Well, here we are at the end of this chapter, and we have only ten questions to help you remember so much. There are bound to be some sticky issues here.

F.A.Q.

1. Q:

Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions?

A:

Let's get this right. This is a book about Samba, not about OpenLDAP or about secure communication protocols for subjects other than Samba. Earlier on, you will note that the dynamic DNS and DHCP solutions also used no protective secure communications protocols. The reason for this is simple: there are so many ways of implementing secure protocols that this book would have been even larger and more complex.

The solutions presented here all work (at least they did for me). Network administrators have the interest and the need to be better trained and instructed in secure networking practices and ought to implement safe systems. I made the decision, right or wrong, to keep this material as simple as possible. The intent of this book is to demonstrate a working solution and not to discuss too many peripheral issues.

This book makes little mention of backup techniques. Does that mean that I am recommending that you should implement a network without provision for data recovery and for disaster management? Back to our focus: The deployment of Samba has been clearly demonstrated.

2. Q:

You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using?

A:

Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications for a standard Linux distribution. The differences are marginal. Surely you know your Linux platform, and you do have access to administration manuals for it. This book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on the Samba part of the book; all the other bits are peripheral (but important) to creation of a total network solution.

What I find interesting is the attention reviewers give to Linux installation and to the look and feel of the desktop, but does that make for a great server? In this book, I have paid particular attention to the details of creating a whole solution framework. I have not tightened every nut and bolt, but I have touched on all the issues you need to be familiar with. Over the years many people have approached me wanting to know the details of exactly how to implement a DHCP and dynamic DNS server with Samba and WINS. In this chapter, it is plain to see what needs to be configured to provide transparent interoperability. Likewise for CUPS and Samba interoperation. These are key stumbling areas for many people.

At every critical junction, I have provided comparative guidance for both SUSE and Red Hat Linux. Both manufacturers have done a great job in furthering the cause of open source software. I favor neither and respect both. I like particular features of both products (companies also). No bias in presentation is intended. Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.

3. Q:

You did not use SWAT to configure Samba. Is there something wrong with it?

A:

That is a good question. As it is, the smb.conf file configurations are presented in as direct a format as possible. Adding SWAT into the equation would have complicated matters. I sought simplicity of implementation. The fact is that I did use SWAT to create the files in the first place.

There are people in the Linux and open source community who feel that SWAT is dangerous and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I hope to have brought their interests on board. SWAT is well covered in TOSHARG2.

4. Q:

You have exposed a well-used password not24get. Is that not irresponsible?

A:

Well, I had to use a password of some sort. At least this one has been consistently used throughout. I guess you can figure out that in a real deployment it would make sense to use a more secure and original password.

5. Q:

The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing?

A:

I took this up with Idealx and found them most willing to change that in the next version. Let's give Idealx some credit for the contribution they have made. I appreciate their work, and besides, it does no harm to create accounts that are not used now; at some time Samba may well use them.

6. Q:

Can I use LDAP just for Samba accounts and not for UNIX system accounts?

A:

Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) group account for every Windows domain group account. But if you put your users into the system password file, how do you plan to keep the system password files on all domain controllers in sync? I think that having everything in LDAP makes a lot of sense for the UNIX administrator who is still learning the craft and is migrating from MS Windows.

7. Q:

Why are the Windows domain RID portions not the same as the UNIX UID?

A:

Samba uses a well-known, public algorithm for assigning RIDs from UIDs and GIDs. The algorithm is designed to ensure that there are no clashes with well-known RIDs, which have special significance to MS Windows clients. The automatic assignment uses the calculation RID = UID x 2 + 1000 for users; group RIDs use the same stride offset by one (RID = GID x 2 + 1001), so a user and a group never share a RID. Samba does permit you to override the base to some extent. See the smb.conf man page entry for algorithmic rid base.
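As an added illustration (not code from the book), the mapping in both directions, written in Python and assuming the default algorithmic rid base of 1000. The well-known RID table, the stride of 2 and the requirement that the base be even and at least 1000 are Samba's; the function names are mine.

```python
# Added example (not from the book): Samba's algorithmic RID mapping
# behind "RID = UID x 2 + 1000", with the reverse mapping and a check
# that no algorithmic RID can collide with a well-known RID.
# Assumed: the default "algorithmic rid base" of 1000.

RID_MULTIPLIER = 2          # Samba's constant: one RID stride per UID/GID
DEFAULT_RID_BASE = 1000     # smb.conf "algorithmic rid base" default

# Well-known RIDs that Windows clients treat specially; all lie below 1000.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}


def check_rid_base(base):
    """Samba refuses a base below 1000 (it would overlap well-known RIDs)
    and requires an even base, because the low bit separates users from groups."""
    if base < 1000:
        raise ValueError("algorithmic rid base must be >= 1000")
    if base % 2:
        raise ValueError("algorithmic rid base must be even")
    return base


def uid_to_rid(uid, base=DEFAULT_RID_BASE):
    """User RID: even offset from the base."""
    check_rid_base(base)
    if uid < 0:
        raise ValueError("negative uid")
    return uid * RID_MULTIPLIER + base


def gid_to_rid(gid, base=DEFAULT_RID_BASE):
    """Group RID: same stride, shifted by one so users and groups never collide."""
    check_rid_base(base)
    if gid < 0:
        raise ValueError("negative gid")
    return gid * RID_MULTIPLIER + base + 1


def rid_to_id(rid, base=DEFAULT_RID_BASE):
    """Reverse mapping: returns ("user", uid) or ("group", gid).
    RIDs below the base are well-known or otherwise non-algorithmic."""
    check_rid_base(base)
    if rid < base:
        name = WELL_KNOWN_RIDS.get(rid, "non-algorithmic")
        raise ValueError(f"RID {rid} is not algorithmic ({name})")
    offset = rid - base
    if offset % RID_MULTIPLIER == 0:
        return ("user", offset // RID_MULTIPLIER)
    return ("group", (offset - 1) // RID_MULTIPLIER)


def clashes_with_well_known(base=DEFAULT_RID_BASE):
    """Well-known RIDs that some UID or GID could map onto; empty for any valid base."""
    check_rid_base(base)
    return sorted(r for r in WELL_KNOWN_RIDS if r >= base)


if __name__ == "__main__":
    for uid in (0, 500, 1000, 1001):
        print(f"uid {uid:>5} -> user RID  {uid_to_rid(uid)}")
    for gid in (0, 512, 1000):
        print(f"gid {gid:>5} -> group RID {gid_to_rid(gid)}")
    print("round trip:", rid_to_id(uid_to_rid(1001)), rid_to_id(gid_to_rid(1001)))
    print("well-known clashes:", clashes_with_well_known() or "none")
```

Because every algorithmic RID is at least the base and the base cannot be set below 1000, UID 500 maps to RID 2000 rather than to the Administrator RID, and no UID or GID can ever land on 512 (Domain Admins) or 513 (Domain Users). Changing the base only shifts the whole range; it never changes the parity rule that tells users from groups.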

8. Q:

Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work?

A:

No. You can use any type of printer, but you must use the interfacing protocol the printer supports. Many networks use LPR/LPD print servers to which are attached PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached inkjet printer. Use the device URI (Uniform Resource Identifier) argument to the lpadmin -v option that is right for your printer.

9. Q:

Is folder redirection dangerous? I've heard that you can lose your data that way.

A:

The only loss of data I know of that involved folder redirection was caused by manual misuse of the redirection tool. The administrator redirected a folder to a network drive and said he wanted to migrate (move) the data over. Then he changed his mind, so he moved the folder back to the roaming profile. This time, he declined to move the data because he thought it was still in the local profile folder. That was not the case, so by declining to move the data back, he wiped out the data. You cannot hold the tool responsible for that. Caveat emptor still applies.

10. Q:

Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile?

A:

Yes. If you do not do this, the data will still be copied from the network folder (share) to the local cached copy of the profile.

Example 5.4.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

access to dn.base=""
        by self write
        by * auth

access to attr=userPassword
        by self write
        by * auth

access to attr=shadowLastChange
        by self write
        by * read

access to *
        by * read
        by anonymous auth

#loglevel       256

schemacheck     on
idletimeout     30
backend         bdb
database        bdb
checkpoint      1024 5
cachesize       10000

suffix          "dc=abmas,dc=biz"
rootdn          "cn=Manager,dc=abmas,dc=biz"

# rootpw = not24get
rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV

directory       /data/ldap

Example 5.4.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

Example 5.4.4. Configuration File for NSS LDAP Support /etc/ldap.conf

host 127.0.0.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl off

Example 5.4.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf

host 172.16.0.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl off
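The two ldap.conf files above (Examples 5.4.4 and 5.4.5) carry the directory manager's DN and clear-text password to every client and set ssl off, the trade-off the author acknowledges in Question 1. As an added check (not from the book), this Python script parses an nss_ldap ldap.conf and flags those three settings. The rootdn it compares against is the one from Example 5.4.2 and the first sample is the client file as printed; the hardened sample's reader DN, server name and CA path are hypothetical.

```python
# Added check (not from the book): parse an nss_ldap /etc/ldap.conf of the
# kind shown in Examples 5.4.4 and 5.4.5 and flag the settings that make
# the file a liability once it is copied to every client.
# Assumptions: the directory rootdn from Example 5.4.2, and nss_ldap's
# "keyword value" line syntax ('#' comments, keywords case-insensitive).
import re

ROOTDN = "cn=Manager,dc=abmas,dc=biz"   # rootdn from Example 5.4.2

# Constructed sample: the client file of Example 5.4.5 as printed in the book.
BOOK_CLIENT_CONF = """\
host 172.16.0.1
base dc=abmas,dc=biz
binddn cn=Manager,dc=abmas,dc=biz
bindpw not24get
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
ssl off
"""

# Constructed sample: the same file with the three weaknesses removed.
# The reader DN, server name and CA path are hypothetical, not from the book.
HARDENED_CLIENT_CONF = """\
host ldap.abmas.biz
base dc=abmas,dc=biz
# ordinary NSS lookups bind anonymously; the privileged bind uses rootbinddn
# with its password kept in /etc/ldap.secret (mode 0600, root only)
rootbinddn cn=nss-reader,ou=People,dc=abmas,dc=biz
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_shadow ou=People,dc=abmas,dc=biz?one
nss_base_group ou=Groups,dc=abmas,dc=biz?one
"""


def parse_ldap_conf(text):
    """Return {keyword: value}; later lines win, as nss_ldap reads the file top to bottom."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def normalize_dn(dn):
    """Compare DNs loosely: drop whitespace around commas, ignore case."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def audit_ldap_conf(text, rootdn=ROOTDN):
    """Return finding codes in a fixed order; an empty list means none of the three checks fired."""
    conf = parse_ldap_conf(text)
    findings = []
    # nss_ldap defaults to "ssl off"; "on" (ldaps) and "start_tls" protect the bind.
    if conf.get("ssl", "off").lower() not in ("on", "yes", "start_tls"):
        findings.append("ssl_off")              # bind password and directory data cross the wire in clear
    binddn = conf.get("binddn")
    if binddn and normalize_dn(binddn) == normalize_dn(rootdn):
        findings.append("binddn_is_rootdn")     # every client file holds a full-write directory credential
    if "bindpw" in conf:
        findings.append("cleartext_bindpw")     # NSS reads this file as every user, so every local user can read it
    return findings


if __name__ == "__main__":
    print("book client file:", audit_ldap_conf(BOOK_CLIENT_CONF))
    print("hardened file:   ", audit_ldap_conf(HARDENED_CLIENT_CONF) or "no findings")
```

nss_ldap reads ldap.conf in every process that resolves a name, so the file has to stay world-readable and any bindpw in it is visible to every local user. The usual remedy, shown in the hardened sample, is anonymous or read-only lookups for NSS, rootbinddn with the password in /etc/ldap.secret (mode 0600) for the privileged bind, and ssl start_tls with tls_checkpeer so the bind is not sent in clear over the LAN.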

Example 5.4.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A

# Global parameters
[global]
        unix charset = LOCALE
        workgroup = MEGANET2
        netbios name = MASSIVE
        interfaces = eth1, lo
        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://massive.abmas.biz
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

Example 5.4.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B

        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        ldap suffix = dc=abmas,dc=biz
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=abmas,dc=biz
        idmap backend = ldap:ldap://massive.abmas.biz
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        map acl inherit = Yes
        printing = cups
        printer admin = root, chrisr

Example 5.5.1. LDAP Based smb.conf File, Server: BLDG1

# Global parameters
[global]
        unix charset = LOCALE
        workgroup = MEGANET2
        netbios name = BLDG1
        passdb backend = ldapsam:ldap://massive.abmas.biz
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        printcap name = CUPS
        show add printer wizard = No
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        domain logons = Yes
        domain master = No
        wins server = 172.16.0.1
        ldap suffix = dc=abmas,dc=biz
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=abmas,dc=biz
        idmap backend = ldap:ldap://massive.abmas.biz
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        printing = cups
        printer admin = root, chrisr

Example 5.5.2. LDAP Based smb.conf File, Server: BLDG2

# Global parameters
[global]
        unix charset = LOCALE
        workgroup = MEGANET2
        netbios name = BLDG2
        passdb backend = ldapsam:ldap://massive.abmas.biz
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        printcap name = CUPS
        show add printer wizard = No
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        domain logons = Yes
        domain master = No
        wins server = 172.16.0.1
        ldap suffix = dc=abmas,dc=biz
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=abmas,dc=biz
        idmap backend = ldap:ldap://massive.abmas.biz
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        printing = cups
        printer admin = root, chrisr

Example 5.5.3. LDAP Based smb.conf File, Shares Section Part A

[accounts]
        comment = Accounting files
        path = /data/accounts
        read only = No

[service]
        comment = Financial Services files
        path = /data/service
        read only = No

[pidata]
        comment = Property Insurance files
        path = /data/pidata
        read only = No

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

Example 5.5.4. LDAP Based smb.conf File, Shares Section Part B

[apps]
        comment = Application files
        path = /apps
        admin users = bjordan
        read only = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No

[profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes

[profdata]
        comment = Profile Data Share
        path = /var/lib/samba/profdata
        read only = No
        profile acls = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        browseable = yes
        guest ok = no
        read only = yes
        write list = root, chrisr

Example 5.5.5. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF

dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit