Samba Guide


Samba-3 by Example
Practical Exercises in Successful Samba Deployment
John H. Terpstra
23rd March 2005
ABOUT THE COVER ARTWORK

The cover artwork of this book continues a theme chosen for the book, The Official Samba-3 HOWTO and Reference Guide, the cover of which features a Confederate scene. Samba has had a major impact on the network deployment of Microsoft Windows desktop systems. The cover artwork of the two official Samba books tells of events that likewise had a major impact on the future.

Samba-3 by Example Cover Artwork: King Alfred the Great (born 849, ruled 871-899) was one of the most amazing kings ever to rule England. He defended Anglo-Saxon England from Viking raids, formulated a code of laws, and fostered a rebirth of religious and scholarly activity. His reign exhibits military skill and innovation, sound governance and the ability to inspire men to plan for the future. Alfred liberated England at a time when all resistance seemed futile.

Samba is a network interoperability solution that provides real choice for network administrators. It is an adjunct to Microsoft Windows networks that provides interoperability of UNIX systems with Microsoft Windows desktop and server systems. You may use Samba to realize the freedom it provides for your network environment thanks to a dedicated team who work behind the scenes to give you a better choice. The efforts of these few dedicated developers continue to shape the future of the Windows interoperability landscape. Enjoy!
ACKNOWLEDGMENTS

Samba-3 by Example would not have been written except as a result of feedback provided by reviewers of the book The Official Samba-3 HOWTO and Reference Guide. I hope this book more than answers the challenge and fills the void that was brought to my attention.

I am deeply indebted to a large group of diligent people. Space prevents me from listing all of them, but a few stand out as worthy of mention. Jelmer Vernooij made the notable contribution of building the XML production environment and thereby made possible the typesetting of this book.

Samba would not have come into existence if Andrew Tridgell had not taken the first steps. He continues to lead the project. Under the shadow of his mantle are some great guys who never give up and are always ready to help. Thank you to: Jeremy Allison, Jerry Carter, Andrew Bartlett, Jelmer Vernooij, Alexander Bokovoy, Volker Lendecke, and other team members who answered my continuous stream of questions — all of which resulted in improved content in this book.

My heartfelt thanks go out also to a small set of reviewers (alphabetically listed) who gave substantial feedback and significant suggestions for improvement: Roland Gruber, Luke Howard, Jon Johnston, Alan Munter, Tarjei Huse, Mike MacIsaac, Scott Mann, Ed Riddle, Santos Soler, Mark Taylor, and Jérôme Tournier.

My appreciation is extended to a team of over 30 additional reviewers who helped me to find my way around dark corners.

Particular mention is due to Lyndell, Amos and Melissa who gave me the latitude necessary to spend nearly an entire year writing Samba documentation.
FOREWORD

By Dan Kusnetzky, IDC

IDC’s software research group has been conducting research on the market for software, including operating environments, for over twenty years. In 1994, the system software research team started to field questions from its subscribers on Linux. We had very little empirical data to offer when these queries first were heard, so IDC added Linux to its operating environment research agenda. The first demand and supply side research containing IDC’s findings on Linux started to appear in early 1995.

IDC has watched as Linux marched from being software for computer hobbyists to being a mainstream choice in many markets worldwide. This march is very similar to the adoption cycle UNIX experienced in the 1970s and 1980s. Windows repeated this pattern of adoption during the 1980s and 1990s. IDC has long projected that Linux would be a mainstream choice in nearly all markets by the end of 2005. The software is well down that path now and just might beat IDC’s projections.

As of the end of 2002, Linux was the number three desktop or client operating environment, responsible for nearly 3% of the worldwide shipments of client operating environment software. Linux was the number two server operating environment, responsible for nearly 25% of the worldwide shipments of server operating environment software. This is an amazing level of growth from its rather humble beginnings of holding less than 1% share of either client or server operating environment market when IDC first started publishing its findings on Linux.

IDC’s demand-side studies have indicated that Linux is most often utilized as a platform for basic infrastructure services, such as supporting access to shared files and printers or supporting basic networking functions. IDC’s most recent survey, conducted in late 2003, indicated that supporting file and print services was the most common use of Linux. Samba and NFS are the most commonly mentioned approaches to offering file and print services on Linux.

Nearly all of IDC’s operating environment studies have shown that Linux is being added into organizational networks that already include Windows, UNIX, and mainframe operating environments. This, of course, means that interoperability with these operating environments is a crucial success factor for Linux.

All of this leads to the book in hand, Samba-3 By Example, by John H. Terpstra. It addresses the most commonly heard questions about bringing Linux and Samba into a Windows or UNIX focused environment. Namely, organizations voice concerns about staff having sufficient levels of expertise to facilitate development, administration, operations and support activities around the adoption of Linux and Samba. I expect Samba-3 by Example will be of enormous help to Windows or UNIX administrators hoping to gain a level of comfort and familiarity with both Linux and Samba.

Samba is a mature open source software product that is well established as a leading Windows file and print technology in use on large-scale UNIX systems. Its stability and scalability appear to be well respected. This book demonstrates easy approaches to implementing Samba-3 no matter whether your network is large or small. It is a book that would make a fine addition to the network administrators’ library!

—Dan Kusnetzky, Vice President System Software Research, International Data Corporation
By Andrew Tridgell, Samba Team

I’ve always been the sort of computer user that learns best by example. Seeing a complete example matching a real-world use of a piece of software gives me an understanding of that software far better than reading detailed manuals. If, like me, you are the sort of computer user that learns best by example then this book is for you.

I was also delighted to see the use of ethereal to illustrate the network protocols used by Samba. Ethereal has developed into a very sophisticated network analysis tool, and familiarity with using ethereal is a very useful skill for any system administrator.

Enjoy this book, and make the most of Samba!

—Andrew Tridgell, President, Samba Team
PREFACE

Network administrators live busy lives. We face distractions and pressures that drive us to seek proven, working case scenarios that can be easily implemented. Often this approach lands us in trouble. There is a saying that, geometrically speaking, the shortest distance between two points is a straight line, but practically we find that the quickest route to a stable network solution is the long way around.

This book is your means to the straight path. It provides step-by-step, proven, working examples of Samba deployments. If you want to deploy Samba-3 with the least effort, or if you want to become an expert at deploying Samba-3 without having to search through lots of documentation, this book is the ticket to your destination.

Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server. This book will help you to implement Windows-compatible file and print services.

The examples presented in this book are typical of various businesses and reflect the problems and challenges they face. Care has been taken to preserve attitudes, perceptions, practices, and demands from real network case studies. The maximum benefit may be obtained from this book by working carefully through each exercise. You may be in a hurry to satisfy a specific need, so feel free to locate the example that most closely matches your need, copy it, and innovate as much as you like. Above all, enjoy the process of learning the secrets of MS Windows networking that is truly liberated by Samba.

The focus of attention in this book is Samba-3. Specific notes are made in respect of how Samba may be made secure. This book does not attempt to provide detailed information regarding secure operation and configuration of peripheral services and applications such as OpenLDAP, DNS and DHCP, the need for which can be met from other resources that are dedicated to the subject.
Why Is This Book Necessary?

This book is the result of observations and feedback. The feedback from the Samba-HOWTO-Collection has been positive and complimentary. There have been requests for far more worked examples, a “Samba Cookbook,” and for training materials to help kick-start the process of mastering Samba.

The Samba mailing list’s users have asked for sample configuration files that work. It is natural to question one’s own ability to correctly configure a complex tool such as Samba until a minimum necessary knowledge level has been attained.

The Samba-HOWTO-Collection, as does The Official Samba-3 HOWTO and Reference Guide, documents Samba features and functionality in a topical context. This book takes a completely different approach. It walks through Samba network configurations that are working within particular environmental contexts, providing documented step-by-step implementations. All example case configuration files, scripts, and other tools are provided on the CD-ROM. This book is descriptive, provides detailed diagrams, and makes deployment of Samba-3 a breeze.
Samba 3.0.12 Update Edition

The Samba 3.0.x series has been remarkably popular. At the time this book first went to print samba-3.0.2 was being released. There have been significant modifications and enhancements between samba-3.0.2 and samba-3.0.11 (the current release) that necessitate this documentation update. This update has the specific intent to refocus this book so that its guidance can be followed for samba-3.0.12 and beyond. Further changes are expected as Samba-3 matures further and will be reflected in future updates.

The changes shown in Table 1 are incorporated in this update.
Prerequisites

This book is not a tutorial on UNIX or Linux administration. UNIX and Linux training is best obtained from books dedicated to the subject. This book assumes that you have at least the basic skill necessary to use these operating systems, and that you can use a basic system editor to edit and configure files. It has been written with the assumption that you have experience with Samba, have read The Official Samba-3 HOWTO and Reference Guide and the Samba-HOWTO-Collection, or that you have familiarity with Microsoft Windows. If you do not have this experience, you can follow the examples in this book but may find yourself at times intimidated by assumptions made. In this situation, you may need to refer to administrative guides or manuals for your operating system platform to find what is the best method to achieve what the text of this book describes.
Approach

The first chapter deals with some rather thorny network analysis issues. Do not be put off by this. The information you glean, even without a detailed understanding of network protocol analysis, can help you understand how Windows networking functions.

Each following chapter of this book opens with the description of a networking solution sought by a hypothetical site. Bob Jordan is a hypothetical decision maker for an imaginary company, Abmas Biz NL. We will use the non-existent domain name abmas.biz. All facts presented regarding this company are fictitious and have been drawn from a variety of real business scenarios over many years. Not one of these reveals the identity of the real-world company from which the scenario originated.
Table 1. Samba Changes — 3.0.2 to 3.0.12

Winbind Case Handling: User and group names returned by winbindd are now converted to lower case for better consistency. Samba implementations that depend on the case of information returned by winbind (such as %u and %U) must now convert the dependency to expecting lower case values. This affects mail spool files, home directories, valid users lines in the smb.conf file, etc.

Schema Changes: Addition of code to handle password aging, password uniqueness controls, and bad password instances at logon time has made necessary extensions to the SambaSAM schema. This change affects all sites that use LDAP and means that the directory schema must be updated.

Username Map Handling: Samba-3.0.8 redefined the behavior: local authentication results in a username map file lookup before authenticating the connection. All authentication via an external domain controller will result in the use of the fully qualified name (i.e., DOMAIN\username) after the user has been successfully authenticated.

UNIX Extension Handling: Symbolic links on the UNIX host that point to absolute paths will now be followed. This can be turned off using “wide links = No” in the share stanza in the smb.conf file. Turning off “wide links” support will degrade server performance because each path must be checked.

Privileges Support: Versions of Samba prior to samba-3.0.11 required the use of the UNIX root account from network Windows clients. The new “enable privileges = Yes” capability means that functions such as adding machines to the domain, managing printers, etc. can now be delegated to normal user accounts or to groups of users.
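Three of the Table 1 changes (lower-case names from winbind, “wide links”, and “enable privileges”) are all felt in smb.conf. The fragment below is an added illustration written for this edition of the text, not a configuration file from the book or from the Samba project; the workgroup name ABMAS, the share names, paths and the group name “engineering” are assumptions chosen to show the three settings side by side.

```ini
# Added example (not from the book): smb.conf fragment showing the
# Table 1 settings. Workgroup, share, path and group names are constructed.
[global]
    workgroup = ABMAS
    security = user
    # Samba 3.0.11 and later: rights such as joining machines to the domain
    # or managing printers can be delegated to ordinary accounts or groups
    # instead of requiring the UNIX root account. Enable the mechanism here,
    # then grant a right with, for example:
    #   net rpc rights grant 'ABMAS\Domain Admins' SeMachineAccountPrivilege
    enable privileges = Yes

[homes]
    comment = Home directories
    # %U expands to the session user name. Because winbindd now returns
    # names in lower case, the directory tree under /data/home must use
    # lower-case names or the path will not resolve.
    path = /data/home/%U
    valid users = %S
    browseable = No

[engineering]
    comment = Engineering work area
    path = /data/engineering
    # A group name resolved through winbind is also returned in lower case,
    # so write it in lower case in valid users / write list.
    valid users = @engineering
    writeable = Yes
    # Default (wide links = Yes) follows symbolic links that point to
    # absolute paths, so a link created inside the share can expose any
    # path the connected user may read on the host. Setting No confines
    # clients to the share root at the cost of a path check per access.
    wide links = No
```

The trade-off named in Table 1 applies per share: leave “wide links” at its default only on shares whose content is trusted, and set it to No on shares to which users can write, since that is where a stray or deliberate symbolic link would otherwise reach outside the share.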
In any case, Mr. Jordan likes to give all his staff nasty little assignments. Stanley Saroka is one of his proteges; Christine Roberson is the network administrator Bob trusts. Jordan is inclined to treat other departments well because they finance Abmas IT operations.

Each chapter presents a summary of the network solution we have chosen to demonstrate together with a rationale to help you to understand the thought process that drove that solution. The chapter then documents in precise detail all configuration files and steps that must be taken to implement the example solution. Anyone wishing to gain serious value from this book will do well to take note of the implications of points made, so watch out for the “this means that” notations.

Each chapter has a set of questions and answers to help you to understand and digest key attributes of the solutions presented.
Summary of Topics

Our first assignment is to understand how Microsoft Windows products function in the network environment. That is where we start. Let’s take just a few moments to get a bird’s eye view of this book. Remember that this is a book about file and print technology deployment; there are great examples of printing solutions. Here we go.
Chapter 1 — Windows Networking Primer
Here we cover practical exercises to help us to understand how MS Windows network protocols function. A network protocol analyzer helps you to appreciate the fact that Windows networking is highly dependent on broadcast messaging. Additionally, you can look into network packets that a Windows client sends to a network server to set up a network connection. On completion, you should have a basic understanding of how network browsing functions and have seen some of the information a Windows client sends to a file and print server to create a connection over which file and print operations may take place.

Chapter 2 — No Frills Samba Servers
Here you design a solution for three different business scenarios, each for a company called Abmas. There are two simple networking problems and one slightly more complex networking challenge. In the first two cases, Abmas has a small simple office, and they want to replace a Windows 9x peer-to-peer network. The third example business uses Windows 2000 Professional. This must be simple, so let’s see how far we can get. If successful, Abmas grows quickly and soon needs to replace all servers and workstations.

TechInfo — This chapter demands:

Case 1: The simplest smb.conf file that may reasonably be used. Works with Samba-2.x also. This configuration uses Share Mode security. Encrypted passwords are not used, so there is no smbpasswd file.

Case 2: Another simple smb.conf file that adds WINS support and printing support. This case deals with a special requirement that demonstrates how to deal with purpose-built software that has a particular requirement for certain share names and printing demands. This configuration uses Share Mode security and also works with Samba-2.x. Encrypted passwords are not used, so there is no smbpasswd file.

Case 3: This smb.conf configuration uses User Mode security. The file share configuration demonstrates the ability to provide master access to an administrator while restricting all staff to their own work areas. Encrypted passwords are used, so there is an implicit smbpasswd file.
Chapter 3 — Small Office Networking
Abmas is a successful company now. They have 50 network users and want a little more varoom from the network. This is a typical small office and they want better systems to help them to grow. This is your chance to really give advanced users a bit more functionality and usefulness.

TechInfo — This smb.conf file makes use of encrypted passwords, so there is an smbpasswd file. It also demonstrates use of the valid users and valid groups to restrict share access. The Windows clients access the server as Domain members. Mobile users log onto the Domain while in the office, but use a local machine account while on the road. The result is an environment that answers mobile computing user needs.

Chapter 4 — Secure Office Networking
Abmas is growing rapidly now. Money is a little tight, but with 130 network users, security has become a concern. They have many new machines to install and the old equipment will be retired. This time they want the new network to scale and grow for at least two years. Start with a sufficient system and allow room for growth. You are now implementing an Internet connection and have a few reservations about user expectations.

TechInfo — This smb.conf file makes use of encrypted passwords, and you can use a tdbsam password backend. Domain logons are introduced. Applications are served from the central server. Roaming profiles are mandated. Access to the server is tightened up so that only domain members can access server resources. Mobile computing needs still are catered to.
Chapter 5 — The 500 User Office
The two-year projections were met. Congratulations, you are a star. Now Abmas needs to replace the network. Into the existing user base, they need to merge a 280-user company they just acquired. It is time to build a serious network. There are now three buildings on one campus and your assignment is to keep everyone working while a new network is rolled out. Oh, isn’t it nice to roll out brand new clients and servers! Money is no longer tight, you get to buy and install what you ask for. You will install routers and a firewall. This is exciting!

TechInfo — This smb.conf file makes use of encrypted passwords, and a tdbsam password backend is used. You are not ready to launch into LDAP yet, so you accept the limitation of having one central Domain Controller with a Domain Member server in two buildings on your campus. A number of clever techniques are used to demonstrate some of the smart options built into Samba.

Chapter 6 — Making Users Happy
Congratulations again. Abmas is happy with your services and you have been given another raise. Your users are becoming much more capable and are complaining about little things that need to be fixed. Are you up to the task? Mary says it takes her 20 minutes to log onto the network and it is killing her productivity. Email is a bit unreliable — have you been sleeping on the job? We do not discuss the technology of email but when the use of mail clients breaks because of networking problems, you had better get on top of it. It’s time for a change.

TechInfo — This smb.conf file makes use of encrypted passwords; a distributed ldapsam password backend is used. Roaming profiles are enabled. Desktop profile controls are introduced. Check out the techniques that can improve the user experience of network performance. As a special bonus, this chapter documents how to configure smart downloading of printer drivers for drag-and-drop printing support. And, yes, the secret of configuring CUPS is clearly documented. Go for it; this one will tease you, too.
Chapter 7 — A Distributed 2000-User Network
Only eight months have passed, and Abmas has acquired another company. You now need to expand the network further. You have to deal with a network that spans several countries. There are three new networks in addition to the original three buildings at the head-office campus. The head office is in New York and you have branch offices in Washington, Los Angeles, and London. Your desktop standard is Windows XP Professional. In many ways, everything has changed and yet it must remain the same. Your team is primed for another roll-out. You know there are further challenges ahead.

TechInfo — Slave LDAP servers are introduced. Samba is configured to use multiple LDAP backends. This is a brief chapter; it assumes that the technology has been mastered and gets right down to concepts and how to deploy them.

Chapter 8 — Migrating NT4 Domain to Samba-3
Another six months have passed. Abmas has acquired yet another company. You will find a way to migrate all users off the old network onto the existing network without loss of passwords and will effect the change-over during one weekend. May the force (and caffeine) be with you, may you keep your back to the wind and may the sun shine on your face.

TechInfo — This chapter demonstrates the use of the net rpc migrate facility using an LDAP ldapsam backend, and also using a tdbsam passdb backend. Both are much-asked-for examples of NT4 Domain migration.
Chapter 9 — Migrating NetWare 4.11 Server to Samba
Misty Stanley-Jones has contributed information that summarizes her experience at migration from a NetWare server to Samba-3.

TechInfo — The documentation provided demonstrates how one site migrated from NetWare to Samba. Some alternative tools are mentioned. These could be used to provide another pathway to a successful migration.

Chapter 10 — Adding UNIX/Linux Servers and Clients
Well done, Bob, your team has achieved much. Now help Abmas integrate the entire network. You want central control and central support and you need to cut costs. How can you reduce administrative overheads and yet get better control of the network?

This chapter has been contributed by Mark Taylor (mark.taylor@siriusit.co.uk) and is based on a live site. For further information regarding this example case, please contact Mark directly.

TechInfo — It is time to consider how to add Samba servers and UNIX and Linux network clients. Users who convert to Linux want to be able to log on using Windows network accounts. You explore nss ldap, pam ldap, winbind, and a few neat techniques for taking control. Are you ready for this?
Chapter 11 — Active Directory, Kerberos and Security
Abmas has acquired another company that has just migrated to running Windows Server 2003 and Active Directory. One of your staff makes offhand comments that land you in hot water. A network security auditor is hired by the head of the new business and files a damning report, and you must address the defects reported. You have hired new network engineers who want to replace Microsoft Active Directory with a pure Kerberos solution. How will you handle this?

TechInfo — This chapter is your answer. Learn about share access controls, proper use of UNIX/Linux file system access controls, and Windows 200x Access Control Lists. Follow these steps to beat the critics.

Chapter 12 — Integrating Additional Services
The battle is almost over; Samba-3 has won the day. Your team are delighted and now you find yourself at yet another cross-roads. Abmas has acquired a snack food business, and you made promises you must keep. IT costs must be reduced, you have new resistance, but you will win again. This time you choose to install the Squid proxy server to validate the fact that Samba is far more than just a file and print server. SPNEGO authentication support means that your Microsoft Windows clients gain transparent proxy access.

TechInfo — Samba provides the ntlm auth module that makes it possible for MS Windows Internet Explorer to connect via the Squid Web and FTP proxy server. You will configure Samba-3 as well as Squid to deliver authenticated access control using the Active Directory Domain user security credentials.
Chapter 13 — Performance, Reliability and Availability
Bob, are you sure the new Samba server is up to the load? Your network is serving many users who risk becoming unproductive. What can you do to keep ahead of demand? Can you keep the cost under control also? What can go wrong?

TechInfo — Hot tips that put chili into your network. Avoid name resolution problems, identify potential causes of network collisions, avoid Samba configuration options that will weigh the server down. MS distributed file services to make your network fly and much more. This chapter contains a good deal of “Did I tell you about this...?” type of hints to help keep your name on the top performers list.
Conventions Used

The following notation conventions are used throughout this book:

TOSHARG is used as an abbreviation for the book, “The Official Samba-3 HOWTO and Reference Guide,” Editors: John H. Terpstra and Jelmer R. Vernooij, Publisher: Prentice Hall, ISBN: 0131453556.
Directories and filenames appear in mono-font. For example, /etc/pam.conf.
Executable names are bolded. For example, smbd.
Menu items and buttons appear in bold. For example, click Next.
Selecting a menu item is indicated as: Start → Control Panel → Administrative Tools → Active Directory Users and Computers.
CONTENTS
ABOUT THE COVER ARTWORK ii
ACKNOWLEDGMENTS iii
FOREWORD iv
PREFACE vi
LIST OF EXAMPLES xxi
LIST OF FIGURES xxv
LIST OF TABLES xxvii
Chapter 1 NETWORKING PRIMER 1
1.1 Requirements and Notes 1
1.2 Introduction 2
1.2.1 Assignment Tasks 3
1.3 Exercises 3
1.3.1 Single Machine Broadcast Activity 4
1.3.1.1 Findings 4
1.3.2 Second Machine Startup Broadcast Interaction 5
1.3.2.1 Findings 7
1.3.3 Simple Windows Client Connection Characteristics 8
1.3.3.1 Findings and Comments 10
1.3.4 Windows 200x/XP Client Interaction with Samba-3 11
1.3.4.1 Discussion 13
1.3.5 Conclusions to Exercises 14
1.4 Dissection and Discussion 15
1.4.1 Technical Issues 15
1.5 Questions and Answers 15
Chapter 2 NO FRILLS SAMBA SERVERS 19
2.1 Introduction 19
2.2 Assignment Tasks 19
2.2.1 Drafting Office 20
2.2.1.1 Dissection and Discussion 20
2.2.1.2 Implementation 21
2.2.1.3 Validation 22
2.2.2 Charity Administration Office 23
2.2.2.1 Dissection and Discussion 24
2.2.2.2 Implementation 25
2.2.2.3 Validation 30
2.2.3 Accounting Office 30
2.2.3.1 Dissection and Discussion 31
2.2.3.2 Implementation 31
2.3 Questions and Answers 34
Chapter 3 SMALL OFFICE NETWORKING 38
3.1 Introduction 38
3.1.1 Assignment Tasks 39
3.2 Dissection and Discussion 39
3.2.1 Technical Issues 40
3.2.2 Political Issues 41
3.3 Implementation 41
3.3.1 Validation 46
3.3.2 Notebook Computers: A Special Case 49
3.3.3 Key Points Learned 49
3.4 Questions and Answers 50
Chapter 4 SECURE OFFICE NETWORKING 56
4.1 Introduction 56
4.1.1 Assignment Tasks 57
4.2 Dissection and Discussion 58
4.2.1 Technical Issues 58
4.2.1.1 Hardware Requirements 60
4.2.2 Political Issues 62
4.3 Implementation 62
4.3.1 Basic System Configuration 64
4.3.2 Samba Configuration 65
4.3.3 Configuration of DHCP and DNS Servers 69
4.3.4 Printer Configuration 70
4.3.5 Process Startup Configuration 71
4.3.6 Validation 72
4.3.7 Application Share Configuration 79
4.3.7.1 Comments Regarding Software Terms of Use 80
4.3.8 Windows Client Configuration 81
4.3.9 Key Points Learned 82
4.4 Questions and Answers 83
Chapter 5 THE 500-USER OFFICE 98
5.1 Introduction 99
5.1.1 Assignment Tasks 99
5.2 Dissection and Discussion 100
5.2.1 Technical Issues 100
5.2.2 Political Issues 101
5.3 Implementation 102
5.3.1 Installation of DHCP, DNS, and Samba Control Files 102
5.3.2 Server Preparation — All Servers 102
5.3.3 Server Specific Preparation 106
5.3.3.1 Configuration for Server: MASSIVE 106
5.3.3.2 Configuration Specific to Domain Member Servers: BLDG1, BLDG2 109
5.3.4 Process Startup Configuration 109
5.3.5 Windows Client Configuration 113
5.3.6 Key Points Learned 117
5.4 Questions and Answers 117
Chapter 6 MAKING HAPPY USERS 127
6.1 Regarding LDAP Directories and Windows Computer Accounts 129
6.2 Introduction 130
6.2.1 Assignment Tasks 130
6.3 Dissection and Discussion 131
6.3.1 Technical Issues 133
6.3.1.1 Addition of Machines to the Domain 134
6.3.1.2 Roaming Profile Background 135
6.3.1.3 The Local Group Policy 136
6.3.1.4 Profile Changes 136
6.3.1.5 Using a Network Default User Profile 136
6.3.1.6 Installation of Printer Driver Auto-Download 136
6.3.1.7 Avoiding Failures — Solving Problems Before They Happen 137
6.3.2 Political Issues 141
6.3.3 Installation Check-List 141
6.4 Samba Server Implementation 142
6.4.1 OpenLDAP Server Configuration 143
6.4.2 PAM and NSS Client Configuration 144
6.4.3 Samba-3 PDC Configuration 146
6.4.4 Install and Configure Idealx smbldap-tools Scripts 148
6.4.4.1 Installation of smbldap-tools from the tarball 149
6.4.4.2 Installing smbldap-tools from the RPM Package 150
6.4.4.3 Configuration of smbldap-tools 151
6.4.5 LDAP Initialization and Creation of User and Group Accounts 153
6.4.6 Printer Configuration 163
6.5 Samba-3 BDC Configuration 165
6.6 Miscellaneous Server Preparation Tasks 169
6.6.1 Configuring Directory Share Point Roots 169
6.6.2 Configuring Profile Directories 169
6.6.3 Preparation of Logon Scripts 170
6.6.4 Assigning Domain Privileges 171
6.7 Windows Client Configuration 172
6.7.1 Configuration of Default Profile with Folder Redirection 173
6.7.2 Configuration of MS Outlook to Relocate PST File 174
6.7.3 Configure Delete Cached Profiles on Logout 175
6.7.4 Uploading Printer Drivers to Samba Servers 176
6.7.5 Software Installation 177
6.7.6 Roll-out Image Creation 177
6.8 Key Points Learned 177
6.9 Questions and Answers 178
Chapter 7 A DISTRIBUTED 2000 USER NETWORK 191
7.1 Introduction 191
7.1.1 Assignment Tasks 192
7.2 Dissection and Discussion 192
7.2.1 Technical Issues 193
7.2.1.1 User Needs 193
7.2.1.2 The Nature of Windows Networking Protocols 194
7.2.1.3 Identity Management Needs 196
7.2.2 Political Issues 198
7.3 Implementation 199
7.3.1 Key Points Learned 205
7.4 Questions and Answers 205
Chapter 8 MIGRATING NT4 DOMAIN TO SAMBA-3 216
8.1 Introduction 216
8.1.1 Assignment Tasks 216
8.2 Dissection and Discussion 217
8.2.1 Technical Issues 217
8.2.2 Political Issues 219
8.3 Implementation 219
8.3.1 NT4 Migration Using LDAP Backend 220
8.3.2 NT4 Migration Using tdbsam Backend 223
8.3.3 Key Points Learned 227
8.4 Questions and Answers 227
Chapter 9 MIGRATING NETWARE 4.11 SERVER TO SAMBA-3 231
9.1 Introduction 232
9.1.1 Assignment Tasks 232
9.2 Dissection and Discussion 233
9.2.1 Technical Issues 233
9.3 Implementation 233
9.3.1 NetWare Migration Using LDAP Backend 233
9.3.1.1 LDAP Server Configuration 234
Chapter 10 ADDING UNIX/LINUX SERVERS AND CLIENTS 260
10.1 Introduction 261
10.1.1 Assignment Tasks 261
10.2 Dissection and Discussion 261
10.2.1 Technical Issues 261
10.2.2 Political Issues 263
10.3 Implementation 264
10.3.1 Samba Domain with Samba Domain Member Server — Using LDAP 264
10.3.2 NT4/Samba Domain with Samba Domain Member Server — Using Winbind 267
10.3.3 Active Directory Domain with Samba Domain Member Server 270
10.3.4 UNIX/Linux Client Domain Member 280
10.3.4.1 NT4 Domain Member 281
10.3.4.2 ADS Domain Member 281
10.3.5 Key Points Learned 282
10.4 Questions and Answers 282
Chapter 11 ACTIVE DIRECTORY, KERBEROS, AND SECURITY 293
11.1 Introduction 293
11.1.1 Assignment Tasks 296
11.2 Dissection and Discussion 296
11.2.1 Technical Issues 297
11.2.1.1 Kerberos Exposed 300
11.3 Implementation 301
11.3.1 Share Access Controls 301
11.3.2 Share Definition Controls 302
11.3.2.1 Check-point Controls 302
11.3.2.2 Override Controls 304
11.3.3 Share Point Directory and File Permissions 305
11.3.4 Managing Windows 200x ACLs 306
11.3.4.1 Using the MMC Computer Management Interface 307
11.3.4.2 Using MS Windows Explorer (File Manager) 307
11.3.4.3 Setting Posix ACLs in UNIX/Linux 308
11.3.5 Key Points Learned 309
11.4 Questions and Answers 310
Chapter 12 INTEGRATING ADDITIONAL SERVICES 312
12.1 Introduction 312
12.1.1 Assignment Tasks 312
12.2 Dissection and Discussion 313
12.2.1 Technical Issues 313
12.2.2 Political Issues 314
12.3 Implementation 314
12.3.1 Removal of Pre-existing Conflicting RPMs 315
12.3.2 Kerberos Configuration 315
12.3.2.1 Samba Configuration 317
12.3.2.2 NSS Configuration 319
12.3.2.3 Squid Configuration 319
12.3.3 Configuration 319
12.3.4 Key Points Learned 321
12.4 Questions and Answers 321
Chapter 13 PERFORMANCE, RELIABILITY, AND AVAILABILITY 323
13.1 Introduction 323
13.2 Dissection and Discussion 324
13.3 Guidelines for Reliable Samba Operation 325
13.3.1 Name Resolution 325
13.3.1.1 Bad Hostnames 325
13.3.1.2 Routed Networks 326
13.3.1.3 Network Collisions 326
13.3.2 Samba Configuration 327
13.3.3 Use and Location of BDCs 328
13.3.4 Use One Consistent Version of MS Windows Client 328
13.3.5 For Scalability, Use SAN Based Storage on Samba Servers 328
13.3.6 Distribute Network Load with MSDFS 329
13.3.7 Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth 329
13.3.8 Hardware Problems 329
13.3.9 Key Points Learned 330
Chapter A APPENDIX: A COLLECTION OF USEFUL TID-BITS 331
A.1 Joining a Domain: Windows 200x/XP Professional 331
A.2 Samba System File Location 333
A.3 Starting Samba 336
A.4 DNS Configuration Files 338
A.4.1 The Forward Zone File for the Loopback Adaptor 338
A.4.2 The Reverse Zone File for the Loopback Adaptor 338
A.4.3 DNS Root Server Hint File 338
A.5 Alternative LDAP Database Initialization 338
A.5.1 Initialization of the LDAP Database 338
A.6 The LDAP Account Manager 342
A.7 Effect of Setting File and Directory SUID/SGID Permissions Explained 346
A.8 Shared Data Integrity 349
A.8.1 Microsoft Access 350
A.8.2 Act! Database Sharing 350
A.8.3 Opportunistic Locking Controls 351
Chapter B GNU GENERAL PUBLIC LICENSE 362
B.1 Preamble 362
B.2 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 363
B.2.1 Section 0 363
B.2.2 Section 1 363
B.2.3 Section 2 363
B.2.4 Section 3 364
B.2.5 Section 4 365
B.2.6 Section 5 365
B.2.7 Section 6 365
B.2.8 Section 7 366
B.2.9 Section 8 366
B.2.10 Section 9 366
B.2.11 Section 10 367
B.2.12 NO WARRANTY Section 11 367
B.2.13 Section 12 367
B.3 How to Apply These Terms to Your New Programs 367
GLOSSARY 369
Glossary 371
SUBJECT INDEX 373
Index 387
LIST OF EXAMPLES
Chapter 1
Chapter 2
2.2.1 Drafting Office smb.conf File 21
2.2.2 Charity Administration Office smb.conf File 28
2.2.3 Windows Me — Registry Edit File: Disable Password Caching 29
2.2.4 Accounting Office Network smb.conf File 35
Chapter 3
3.3.1 Script to Map Windows NT Groups to UNIX Groups 43
3.3.2 Abmas Accounting DHCP Server Configuration File — /etc/dhcpd.conf 53
3.3.3 Accounting Office Network smb.conf File [globals] Section 54
3.3.4 Accounting Office Network smb.conf File Services and Shares Section 55
Chapter 4
4.2.1 Estimation of Memory Requirements 60
4.2.2 Estimation of Disk Storage Requirements 61
4.3.1 NAT Firewall Configuration Script 86
4.3.2 130 User Network with tdbsam [globals] Section 87
4.3.3 130 User Network with tdbsam Services Section Part A 88
4.3.4 130 User Network with tdbsam Services Section Part B 89
4.3.5 Script to Map Windows NT Groups to UNIX Groups 90
4.3.6 DHCP Server Configuration File — /etc/dhcpd.conf 91
4.3.7 DNS Master Configuration File — /etc/named.conf Master Section 92
4.3.8 DNS Master Configuration File — /etc/named.conf Forward Lookup Definition Section 93
4.3.9 DNS Master Configuration File — /etc/named.conf Reverse Lookup Definition Section 94
4.3.10 DNS 192.168.1 Reverse Zone File 95
4.3.11 DNS 192.168.2 Reverse Zone File 95
4.3.12 DNS Abmas.biz Forward Zone File 96
4.3.13 DNS Abmas.us Forward Zone File 97
Chapter 5
5.3.1 Server: MASSIVE (PDC), File: /etc/samba/smb.conf 110
5.3.2 Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf 111
5.3.3 Common Samba Configuration File: /etc/samba/common.conf 112
xxii List of Examples
5.3.4 Server: BLDG1 (Member), File: smb.conf 113
5.3.5 Server: BLDG2 (Member), File: smb.conf 113
5.3.6 Common Domain Member Include File: dom-mem.conf 113
5.3.7 Server: MASSIVE, File: dhcpd.conf 114
5.3.8 Server: BLDG1, File: dhcpd.conf 115
5.3.9 Server: BLDG2, File: dhcpd.conf 116
5.3.10 Server: MASSIVE, File: named.conf, Part: A 120
5.3.11 Server: MASSIVE, File: named.conf, Part: B 121
5.3.12 Server: MASSIVE, File: named.conf, Part: C 122
5.3.13 Forward Zone File: abmas.biz.hosts 123
5.3.14 Forward Zone File: abmas.biz.hosts 123
5.3.15 Servers: BLDG1/BLDG2, File: named.conf, Part: A 124
5.3.16 Servers: BLDG1/BLDG2, File: named.conf, Part: B 125
5.3.17 Initialize Groups Script, File: /etc/samba/initGrps.sh 126
Chapter 6
6.4.1 LDAP DB CONFIG File 144
6.4.2 LDAP Master Configuration File — /etc/openldap/slapd.conf Part A 182
6.4.3 LDAP Master Configuration File — /etc/openldap/slapd.conf Part B 183
6.4.4 Configuration File for NSS LDAP Support — /etc/ldap.conf 183
6.4.5 Configuration File for NSS LDAP Clients Support — /etc/ldap.conf 184
6.4.6 LDAP Based smb.conf File, Server: MASSIVE global Section: Part A 185
6.4.7 LDAP Based smb.conf File, Server: MASSIVE global Section: Part B 186
6.5.1 LDAP Based smb.conf File, Server: BLDG1 187
6.5.2 LDAP Based smb.conf File, Server: BLDG2 188
6.5.3 LDAP Based smb.conf File, Shares Section Part A 189
6.5.4 LDAP Based smb.conf File, Shares Section Part B 190
6.5.5 LDIF IDMAP Add-On Load File — File: /etc/openldap/idmap.LDIF 190
Chapter 7
7.3.1 LDAP Master Server Configuration File — /etc/openldap/slapd.conf 209
7.3.2 LDAP Slave Configuration File — /etc/openldap/slapd.conf 210
7.3.3 Primary Domain Controller smb.conf File Part A 211
7.3.4 Primary Domain Controller smb.conf File Part B 212
7.3.5 Primary Domain Controller smb.conf File Part C 213
7.3.6 Backup Domain Controller smb.conf File Part A 214
7.3.7 Backup Domain Controller smb.conf File Part B 215
Chapter 8
8.3.1 LDAP Preload LDIF file — preload.LDIF 224
Chapter 9
9.3.1 OpenLDAP Control File — slapd.conf Part A 242
9.3.2 OpenLDAP Control File — slapd.conf Part B 243
9.3.3 OpenLDAP Control File — slapd.conf Part C 244
9.3.4 NSS LDAP Control File — /etc/ldap.conf 245
9.3.5 Samba Configuration File smb.conf Part A 246
9.3.6 Samba Configuration File smb.conf Part B 247
9.3.7 Samba Configuration File smb.conf Part C 248
9.3.8 Samba Configuration File smb.conf Part D 249
9.3.9 Samba Configuration File smb.conf Part E 250
9.3.10 Idealx smbldap-tools Control File — Part A 251
9.3.11 Idealx smbldap-tools Control File — Part B 252
9.3.12 Idealx smbldap-tools Control File — Part C 253
9.3.13 Idealx smbldap-tools Control File — Part D 254
9.3.14 Kixstart Control File — File: logon.kix 255
9.3.15 Kixstart Control File — File: main.kix 256
9.3.16 Kixstart Control File — File: setup.kix, Part A 257
9.3.17 Kixstart Control File — File: setup.kix, Part B 258
9.3.18 Kixstart Control File — File: acct.kix 259
Chapter 10
10.3.1 Samba Domain Member in Samba Domain Control Context smb.conf File 286
10.3.2 LDIF IDMAP Add-On Load File — File: /etc/openldap/idmap.LDIF 287
10.3.3 Configuration File for NSS LDAP Support — /etc/ldap.conf 287
10.3.4 NSS using LDAP for Identity Resolution — File: /etc/nsswitch.conf 287
10.3.5 Samba Domain Member Server smb.conf File for NT4 Domain 288
10.3.6 Name Service Switch Control File: /etc/nsswitch.conf 289
10.3.7 Samba Domain Member smb.conf File for Active Directory Membership 290
10.3.8 SUSE: PAM login Module Using Winbind 291
10.3.9 SUSE: PAM xdm Module Using Winbind 291
10.3.10 Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind 292
Chapter 11
Chapter 12
12.3.1 Kerberos Configuration — File: /etc/krb5.conf 316
12.3.2 Samba Configuration File: /etc/samba/smb.conf 319
12.3.3 NSS Configuration File Extract — File: /etc/nsswitch.conf 319
12.3.4 Squid Configuration File Extract — /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section] 320
12.3.5 Squid Configuration File extract — File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section] 321
Chapter 13
A.3.1 A Useful Samba Control Script for SuSE Linux 337
A.3.2 353
A.4.1 DNS Localhost Forward Zone File: /var/lib/named/localhost.zone 354
A.4.2 DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone 354
A.4.3 DNS Root Name Server Hint File: /var/lib/named/root.hint 355
A.5.1 LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh — Part A 356
A.5.2 LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh — Part B 357
A.5.3 LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh — Part C 358
A.5.4 LDIF Pattern File Used to Pre-configure LDAP — Part A 359
A.5.5 LDIF Pattern File Used to Pre-configure LDAP — Part B 360
A.6.1 Example LAM Configuration File — config.cfg 360
A.6.2 LAM Profile Control File — lam.conf 361
List of Figures
1 Networking Primer
1.1 Windows Me Broadcasts The First 10 Minutes 5
1.2 Windows Me Later Broadcast Sample 6
1.3 Typical Windows 9x/Me Host Announcement 9
1.4 Typical Windows 9x/Me NULL SessionSetUp AndX Request 10
1.5 Typical Windows 9x/Me User SessionSetUp AndX Request 11
1.6 Typical Windows XP NULL Session Setup AndX Request 13
1.7 Typical Windows XP User Session Setup AndX Request 14
2 No Frills Samba Servers
2.1 Charity Administration Office Network 25
2.2 Accounting Office Network Topology 31
3 Small Office Networking
3.1 Abmas Accounting 52 User Network Topology 41
4 Secure Office Networking
4.1 Abmas Network Topology 130 Users 58
5 The 500-User Office
5.1 Network Topology 500 User Network Using tdbsam passdb backend. 102
6 Making Happy Users
6.1 The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts 134
6.2 Network Topology 500 User Network Using ldapsam passdb backend. 142
6.3 Windows XP Professional User Shared Folders 174
7 A Distributed 2000 User Network
7.1 Network Topology 2000 User Complex Design A 198
7.2 Network Topology 2000 User Complex Design B 199
7.3 Samba and Authentication Backend Search Pathways 200
7.4 Samba Configuration to Use a Single LDAP Server 200
7.5 Samba Configuration to Use a Dual (Fail-over) LDAP Server 201
7.6 Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use! 201
7.7 Samba Configuration to Use Two LDAP Databases - The result is additive. 201
xxvi LIST OF FIGURES
8 Migrating NT4 Domain to Samba-3
8.1 Schematic Explaining the net rpc vampire Process 218
8.2 View of Accounts in NT4 Domain User Manager 219
10 Adding UNIX/LINUX Servers and Clients
10.1 Open Magazine Samba Survey 260
10.2 Samba Domain: Samba Member Server 265
10.3 Active Directory Domain: Samba Member Server 271
A Appendix: A Collection of Useful Tid-bits
A.1 The General Panel. 332
A.2 The Computer Name Panel. 333
A.3 The Computer Name Changes Panel. 334
A.4 The Computer Name Changes Panel Domain MIDEARTH. 334
A.5 Computer Name Changes User name and Password Panel. 335
A.6 The LDAP Account Manager Login Screen 344
A.7 The LDAP Account Manager Configuration Screen 345
A.8 The LDAP Account Manager User Edit Screen 346
A.9 The LDAP Account Manager Group Edit Screen 347
A.10 The LDAP Account Manager Group Membership Edit Screen 348
A.11 The LDAP Account Manager Host Edit Screen 349
List of Tables
1 Samba Changes — 3.0.2 to 3.0.12 viii
1 Networking Primer
1.1 Windows Me — Startup Broadcast Capture Statistics 7
1.2 Second Machine (Windows 98) — Capture Statistics 8
2 No Frills Samba Servers
2.1 Accounting Office Network Information 32
4 Secure Office Networking
4.1 Abmas.US ISP Information 58
4.2 DNS (named) Resource Files 70
5 The 500-User Office
5.1 Domain: MEGANET, File Locations for Servers 103
6 Making Happy Users
6.1 Current Privilege Capabilities 135
6.2 Required OpenLDAP Linux Packages 143
6.3 Abmas Network Users and Groups 155
6.4 Default Profile Redirections 175
8 Migrating NT4 Domain to Samba-3
8.1 Samba smb.conf Scripts Essential to Migration 220
13 Performance, Reliability, and Availability
13.1 Effect of Common Problems 324
Chapter 1
NETWORKING PRIMER
You are about to use the equivalent of a microscope to look at the information that runs
through the veins of a Windows network. We do more to observe the information than to
interrogate it. When you are done with this chapter, you should have a good understanding
of the types of information that flow over the network. Do not worry, this is not a biology
lesson. We won’t lose you in unnecessary detail. Think to yourself, “This is easy,” then
tackle each exercise without fear.
Samba can be configured with a minimum of complexity. Simplicity should be mastered
before you get too deeply into complexities. Let’s get moving, we have work to do.
1.1 Requirements and Notes
Successful completion of this chapter requires two Microsoft Windows 9x/Me Workstations,
as well as two Microsoft Windows XP Professional Workstations, each equipped with an
Ethernet card connected using a hub. Also required is one additional server (either Windows
NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
sniffer and analysis application (ethereal is a good choice). All work should be undertaken
on a quiet network where there is no other traffic. It is best to use a dedicated hub with
only the machines under test connected at the time of the exercises.
Ethereal (since renamed Wireshark) has become the network protocol analyzer of choice for
many network administrators. You may find more information regarding this tool from the
Ethereal Web site <http://www.ethereal.com>. Ethereal installation files for Windows may
be obtained from the same site. Ethereal is provided with SUSE and Red Hat Linux distributions,
as well as many other Linux distributions, but it may not be installed on your system by
default. If it is not installed, you may also need to install the libpcap software before you
can install or use Ethereal. Please refer to the instructions for your operating system or to
the Ethereal Web site for information regarding the installation and operation of Ethereal.
To obtain Ethereal for your system, visit the Ethereal download site
<http://www.ethereal.com/download.html#binaries>.
2 Networking Primer Chapter 1
Note
The successful completion of this chapter requires that you capture
network traffic using ethereal. It is recommended that you use a hub,
not an Ethernet switch. The device used must act as a repeater, not as
a filter: a switch forwards a unicast frame only to the port that owns
the destination MAC address, so the monitoring machine would see the
broadcasts but not the unicast session traffic exchanged between the
Windows machines, and you would not be able to complete the projects.
Do not worry too much if you do not have access to all this equipment; network captures
from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive
directly into the analytical part of the exercises if you so desire.
Please do not be alarmed at the use of a high-powered analysis tool (ethereal) in this first
chapter. We expose you only to a minimum of detail necessary to complete the exercises
in this chapter. If you choose to use any other network sniffer and protocol analysis tool,
be advised that it may not allow you to examine the contents of recently added security
protocols used by Windows 200x/XP.
You could just skim through the exercises and try to absorb the key points made. The
exercises provide all the information necessary to convince the die-hard network engineer.
You possibly do not require so much convincing and may just want to move on, in which
case you should at least read Section 1.4.
Section 1.5 also provides useful information that may help you to avoid significantly time-
consuming networking problems.
1.2 Introduction
The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
network computing. If you want a solid technical grounding, do not gloss over these exercises.
The points covered are recurrent issues on the Samba mailing lists.
You can see from these exercises that Windows networking involves quite a lot of network
broadcast traffic. You can look into the contents of some packets, but only to see some
particular information that the Windows client sends to a server in the course of establishing
a network connection.
To many people, browsing is everything that happens when one uses Microsoft Internet
Explorer. It is only when you start looking at network traffic and noting the protocols
and types of information that are used that you can begin to appreciate the complexities
of Windows networking and, more importantly, what needs to be configured so that it can
work. Detailed information regarding browsing is provided in the recommended preparatory
reading.
Recommended preparatory reading: The Official Samba-3 HOWTO and Reference Guide
(TOSHARG) Chapter 9, “Network Browsing,” and Chapter 3, “Server Types and Security
Modes.”
Section 1.3. Exercises 3
1.2.1 Assignment Tasks
You are about to witness how Microsoft Windows computer networking functions. The
exercises step through identification of how a client machine establishes a connection to a
remote Windows server. You observe how Windows machines find each other (i.e., how
browsing works), and how the two key types of user identification (share mode security and
user mode security) are affected.
The networking protocols used by MS Windows networking when working with Samba use
TCP/IP as the transport protocol. The protocols that are specific to Windows networking
are encapsulated in TCP/IP. The network analyzer we use (ethereal) is able to show you
the contents of the TCP/IP packets (or messages).
Chapter 1 Tasks
1. Examine network traces to witness SMB broadcasts, host announcements, and name
resolution processes.
2. Examine network traces to witness how share mode security functions.
3. Examine network traces to witness the use of user mode security.
4. Review traces of network logons for a Windows 9x/Me client as well as a Domain
logon for a Windows XP Professional client.
1.3 Exercises
You are embarking on a course of discovery. The first part of the exercise requires two MS
Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98.
Each needs an IP address; we used 10.1.1.10 and 10.1.1.11. The test machines need
to be networked via a hub. A UNIX/Linux machine is required to run ethereal to enable
the network activity to be captured. It is important that the machine from which network
activity is captured must not interfere with the operation of the Windows workstations. It is
helpful for this machine to be passive (does not send broadcast information) to the network.
For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux
Workstation running VMWare 4.5. The following VMWare images were prepared:
Windows 98 — name: MILGATE98.
Windows Me — name: WINEPRESSME.
Windows XP Professional — name: LightrayXP.
Samba-3.0.12 running on a SUSE Enterprise Linux 9.
Choose a workgroup name (MIDEARTH) for each exercise.
The network captures provided on the CD-ROM at the back of this book were captured
using ethereal version 0.10.6. A later version suffices without problems, but an earlier
version may not expose all the information needed. Each capture file has been decoded
and listed as a trace file. A summary of all packets has also been included. This makes
it possible for you to do all the studying you like without the need to perform the
time-consuming equipment configuration and test work. This is a good time to point out
that the value that can be derived from this book really does warrant your taking sufficient
time to practice each exercise with care and attention to detail.
1.3.1 Single Machine Broadcast Activity
In this section, we start a single Windows 9x/Me machine, then monitor network activity
for 30 minutes.
1. Start the machine from which network activity will be monitored (using ethereal).
Launch ethereal, click Capture Start. Click the following:
(a) Update list of packets in real time
(b) Automatic scrolling in live capture
(c) Enable MAC name resolution
(d) Enable network name resolution
(e) Enable transport name resolution
Click OK.
2. Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes.
While monitoring, do not press any keyboard keys, do not click any on-screen icons
or menus; and do not answer any dialog boxes.
3. At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you
can go back to it later. Leave this machine running in preparation for the task in
Section 1.3.2.
4. Analyze the capture. Identify each discrete message type that was captured. Note
what transport protocol was used. Identify the timing between messages of identical
types.
1.3.1.1 Findings
The summary of the first 10 minutes of the packet capture should look like Figure 1.1. A
screenshot of a later stage of the same capture is shown in Figure 1.2.
Broadcast messages observed are shown in Table 1.1. Actual observations vary a little, but
not by much. Early in the startup process, the Windows Me machine broadcasts its name
for two reasons; first to ensure that its name would not result in a name clash, and second
to establish its presence with the Local Master Browser (LMB).
From the packet trace, it should be noted that none of these messages used TCP; all of
them are UDP broadcasts, the name registrations and queries on the NetBIOS Name Service
port (UDP 137) and the announcements on the NetBIOS Datagram Service port (UDP 138).
When steady state operation has been achieved, there is a cycle of various announcements,
re-election of a browse master, and name queries. These create the symphony of
announcements by which network browsing is made possible.
For detailed information regarding the precise behavior of the CIFS/SMB protocols, the
reader is referred to the book “Implementing CIFS: The Common Internet File System,”
by Christopher Hertel, Publisher: Prentice Hall PTR, ISBN: 013047116X.
Figure 1.1. Windows Me Broadcasts The First 10 Minutes
1.3.2 Second Machine Startup Broadcast Interaction
At this time, the machine you used to capture the single system startup trace should still be
running. The objective of this task is to identify the interaction of two machines in respect
to broadcast activity.
Figure 1.2. Windows Me Later Broadcast Sample
1. On the machine from which network activity will be monitored (using ethereal),
launch ethereal and click Capture Start. Click:
(a) Update list of packets in real time
(b) Automatic scrolling in live capture
(c) Enable MAC name resolution
(d) Enable network name resolution
(e) Enable transport name resolution
Click OK.
2. Start the second Windows 9x/Me machine. Let it run for 15-20 minutes. While
monitoring, do not press any keyboard keys, do not click any on-screen icons or menus,
and do not answer any dialog boxes.
3. At the conclusion of the capture time, stop the capture. Be sure to save the captured
data so you can examine the network data capture again at a later date should that
be necessary.
4. Analyze the capture trace, taking note of the transport protocols used, the types of
messages observed, and what interaction took place between the two machines. Leave
both machines running for the next task.

Table 1.1. Windows Me — Startup Broadcast Capture Statistics

Message                                 Type  Num  Notes
WINEPRESSME<00>                         Reg   8    4 lots of 2, 0.6 sec apart.
WINEPRESSME<03>                         Reg   8    4 lots of 2, 0.6 sec apart.
WINEPRESSME<20>                         Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<00>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1d>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1e>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1b>                            Qry   84   300 sec apart at stable operation.
MSBROWSE                                Reg   8    Registered after winning election to Browse Master.
JHT<03>                                 Reg   8    4 x 2. This is the name of the user that logged onto Windows.
Host Announcement WINEPRESSME           Ann   2    Observed at 10 sec.
Domain/Workgroup Announcement MIDEARTH  Ann   18   300 sec apart at stable operation.
Local Master Announcement WINEPRESSME   Ann   18   300 sec apart at stable operation.
Get Backup List Request                 Qry   12   6 x 2 early in startup, 0.5 sec apart.
Browser Election Request                Ann   10   5 x 2 early in startup.
Request Announcement WINEPRESSME        Ann   4    Early in startup.
1.3.2.1 Findings
Table 1.2 summarizes capture statistics observed. As in the previous case, all announcements
used UDP/IP broadcasts. Also, as was observed with the last example, the second Windows
9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
(i.e., the name is already registered by another machine) on the network segment. Those
wishing to explore the inner details of the precise mechanism of how this functions should
refer to the book “Implementing CIFS: The Common Internet File System,” referred to
previously.
Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
and Local Master Announcements is instructive. These messages convey a significant level
of detail regarding the nature of each machine that is on the network. An example dissection
of a Host Announcement is given in Figure 1.3.
Table 1.2. Second Machine (Windows 98) — Capture Statistics

Message                                 Type  Num  Notes
MILGATE98<00>                           Reg   8    4 lots of 2, 0.6 sec apart.
MILGATE98<03>                           Reg   8    4 lots of 2, 0.6 sec apart.
MILGATE98<20>                           Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<00>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1d>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1e>                            Reg   8    4 lots of 2, 0.75 sec apart.
MIDEARTH<1b>                            Qry   18   900 sec apart at stable operation.
JHT<03>                                 Reg   2    This is the name of the user that logged onto Windows.
Host Announcement MILGATE98             Ann   14   Every 120 sec.
Domain/Workgroup Announcement MIDEARTH  Ann   6    900 sec apart at stable operation.
Local Master Announcement WINEPRESSME   Ann   6    Insufficient detail to determine frequency.
1.3.3 Simple Windows Client Connection Characteristics
The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
connections with remote servers. The methodology involves analysis of a key aspect of how
Windows clients access remote servers: the session setup protocol.
1. Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. Cre-
ate a Full Access control password on this share.
2. Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make
sure that it exports no shared resources.
3. Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log
on to both machines using a user name (JHT) of your choice. Wait approximately
two minutes before proceeding.
4. Start ethereal (or the network sniffer of your choice).
5. From the WINEPRESSME machine, right-click Network Neighborhood, select Explore,
then select My Network Places → Entire Network → MIDEARTH → MILGATE98 → Stuff.
Enter the password you set for Full Access on the Stuff share.
6. When the share called Stuff is being displayed, stop the capture. Save the captured
data in case it is needed for later analysis.
7. From the top of the packets captured, scan down to locate the first packet that
has been interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX,
Path: \\MILGATE98\IPC$.
8. In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request,
and Tree Connect AndX Request. Examine both operations. Identify the name of
the user Account and what password was used. The Account name should be empty.
This is a NULL session setup packet.
Figure 1.3. Typical Windows 9x/Me Host Announcement
9. Return to the packet capture sequence. There will be a number of packets that have
been decoded of the type Session Setup AndX. Locate the last such packet that was
targeted at the \\MILGATE98\IPC$ service.
10. Dissect this packet as per the one above. This packet should have a password length
of 24 (bytes) and a password field whose contents is a long hexadecimal number.
Observe the name in the Account field. This is a User Mode session setup packet.
1.3.3.1 Findings and Comments
The IPC$ share serves a vital purpose [1] in SMB/CIFS based networking. A Windows client
connects to this resource to obtain the list of resources that are available on the server. The
server responds with the shares and print queues that are available. In most but not all
cases, the connection is made with a NULL username and a NULL password.
The two packets examined are material evidence with respect to how Windows clients may
interoperate with Samba. Samba requires every connection setup to be authenticated using
valid UNIX account credentials (UID/GID). This means that even a NULL session setup can
be established only by automatically mapping it to a valid UNIX account.
Samba has a special name for the NULL, or empty, user account. It calls that the guest
account. The default value of this parameter is nobody; however, this can be changed to map
the function of the guest account to any other UNIX identity. Some UNIX administrators
prefer to map this account to the system default anonymous FTP account. A sample NULL
Session Setup AndX packet dissection is shown in Figure 1.4.
Figure 1.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
[1] TOSHARG, Sect 4.5.1
When a UNIX/Linux system does not have a nobody user account (/etc/passwd), the
operation of the NULL account cannot validate and thus connections that utilize the guest
account fail. This breaks all ability to browse the Samba server and is a common problem
reported on the Samba mailing list. A sample User Mode Session Setup AndX is shown in
Figure 1.5.
Figure 1.5. Typical Windows 9x/Me User SessionSetUp AndX Request
The User Mode connection packet contains the account name and the domain name. The
password itself is never sent. The 24-byte field is the LM/NTLM challenge-response: the
8-byte challenge the server issued during protocol negotiation, encrypted with keys derived
from the hash of the user's password. That response is always 24 bytes long, which is why
the trace shows a password length of 24.
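Steps 7 through 10 above, and the discussion of the guest account, can be checked against real bytes. The following Python script is an added example and is not code from this book or from Samba: it builds the two Session Setup AndX requests the exercise asks you to find (the NULL session and the user-mode session), parses the 32-byte SMB header and the 13-word NT LM 0.12 parameter block that Windows clients send, and then applies the mapping rule the text describes: a NULL session can proceed only if the configured guest account resolves to a real UNIX account, while a user-mode session carries a 24-byte challenge-response rather than the password. The packets, the 24 placeholder response bytes and the small password table are constructed here for illustration; the account JHT and the domain MIDEARTH are those used in the exercise, and `resolve` defaults to the real pwd database so the same check can be run on a server. Lower-casing the account name before the lookup is a simplification of Samba's own case-insensitive lookup and username map.

```python
import pwd
import struct
from types import SimpleNamespace

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_NONE = 0xFF                     # "no further AndX command" marker
HEADER_FMT = "<BIBHH8sHHHHH"            # SMB1 header after the 0xFF 'S' 'M' 'B' magic
SETUP_WORDS_FMT = "<BBHHHHIHHII"        # the 13 parameter words (26 bytes)


def build_session_setup_andx(account: str, domain: str, oem_password: bytes) -> bytes:
    """SMB1 Session Setup AndX request, NT LM 0.12 form with OEM (8-bit) strings.
    A NULL session sends an empty account and a single NUL byte as the password."""
    header = b"\xffSMB" + struct.pack(
        HEADER_FMT,
        SMB_COM_SESSION_SETUP_ANDX,  # Command
        0,                           # NT status
        0x18,                        # Flags: canonical paths, case-insensitive
        0x0001,                      # Flags2: long names allowed, Unicode bit clear
        0,                           # PIDHigh
        b"\x00" * 8,                 # SecurityFeatures
        0, 0,                        # Reserved, TID
        0x1234,                      # PIDLow
        0, 1,                        # UID (none assigned yet), MID
    )
    words = struct.pack(
        SETUP_WORDS_FMT,
        SMB_COM_NONE, 0, 0,          # AndXCommand, AndXReserved, AndXOffset
        0xFFFF, 2, 0,                # MaxBufferSize, MaxMpxCount, VcNumber
        0,                           # SessionKey
        len(oem_password),           # OEMPasswordLen (24 for an LM/NTLM response)
        0,                           # UnicodePasswordLen
        0, 0,                        # Reserved, Capabilities
    )
    data = (oem_password
            + account.encode("ascii") + b"\x00"
            + domain.encode("ascii") + b"\x00"
            + b"Windows 4.0\x00" + b"Windows 4.0\x00")   # NativeOS, NativeLanMan (constructed)
    return header + bytes([13]) + words + struct.pack("<H", len(data)) + data


def parse_session_setup_andx(pkt: bytes) -> dict:
    """Dissect the request the way steps 7-10 ask you to read it in ethereal."""
    if pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 Session Setup AndX request")
    if pkt[32] != 13:
        raise ValueError("only the 13-word NT LM 0.12 request form is handled")
    (_andx, _res, _off, _maxbuf, _mpx, _vc, _key,
     oem_len, uni_len, _rsvd, _caps) = struct.unpack_from(SETUP_WORDS_FMT, pkt, 33)
    byte_count, = struct.unpack_from("<H", pkt, 59)
    data = pkt[61:61 + byte_count]
    oem_pw = data[:oem_len]
    strings = data[oem_len + uni_len:].split(b"\x00")
    account, domain, native_os, native_lm = (s.decode("ascii", "replace") for s in strings[:4])
    null_session = account == "" and uni_len == 0 and oem_pw.strip(b"\x00") == b""
    return {
        "account": account,
        "domain": domain,
        "native_os": native_os,
        "oem_password_len": oem_len,
        "unicode_password_len": uni_len,
        "null_session": null_session,
        # For a user-mode session this is the LM/NTLM challenge-response, never the password.
        "challenge_response": "" if null_session else oem_pw.hex(),
    }


# Constructed stand-in for /etc/passwd so the mapping can be demonstrated offline.
DEMO_PASSWD = {"nobody": (65534, 65534), "ftp": (40, 49), "jht": (1000, 100)}


def demo_resolve(name: str):
    if name not in DEMO_PASSWD:
        raise KeyError(name)
    uid, gid = DEMO_PASSWD[name]
    return SimpleNamespace(pw_name=name, pw_uid=uid, pw_gid=gid)


def unix_identity(session: dict, guest_account: str = "nobody", resolve=pwd.getpwnam) -> dict:
    """Samba's rule: every session must map to a UNIX account. A NULL session maps
    to the 'guest account' parameter; if that account does not exist the session
    fails, which is what breaks browsing on a server without a 'nobody' user."""
    name = guest_account if session["null_session"] else session["account"].lower()
    try:
        entry = resolve(name)
    except KeyError:
        return {"ok": False, "mapped_to": name, "reason": f"UNIX account {name!r} does not exist"}
    return {"ok": True, "mapped_to": entry.pw_name, "uid": entry.pw_uid, "gid": entry.pw_gid}


if __name__ == "__main__":
    null_pkt = build_session_setup_andx("", "", b"\x00")
    user_pkt = build_session_setup_andx("JHT", "MIDEARTH", bytes(range(24)))  # placeholder response
    for pkt in (null_pkt, user_pkt):
        session = parse_session_setup_andx(pkt)
        print(session, unix_identity(session, resolve=demo_resolve))
    # A guest account that is not in the password database: the NULL session cannot be mapped.
    print(unix_identity(parse_session_setup_andx(null_pkt), "smbguest", demo_resolve))
```

Running unix_identity against the real pwd database with the value of `guest account` from your smb.conf is the quickest way to confirm the failure mode described in the next paragraph before any Windows client is involved.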
1.3.4 Windows 200x/XP Client Interaction with Samba-3
By now you may be asking, “Why did you choose to work with Windows 9x/Me?”
First, we want to demonstrate the simple case. This book is not intended to be a detailed
treatise on the Windows networking protocols, but rather to provide prescriptive guidance
for deployment of Samba. Second, by starting out with the simple protocol, it can be
demonstrated that the more complex case mostly follows the same principles.
The following exercise demonstrates the case that even MS Windows XP Professional with
up-to-date service updates also uses the NULL account, as well as user accounts. Simply
follow the procedure to complete this exercise.
To complete this exercise, you need a Windows XP Professional client that has been
configured as a Domain Member of either a Samba controlled domain or a Windows NT4 or
200x Active Directory domain. Here we do not provide details for how to configure this, as
full coverage is provided later in this book.
1. Start your Domain Controller. Also, start the ethereal monitoring machine, launch
ethereal, and then wait for the next step to complete.
2. Start the Windows XP Client and wait five minutes before proceeding.
3. On the machine from which network activity will be monitored (using ethereal),
launch ethereal and click Capture Start. Click:
(a) Update list of packets in real time
(b) Automatic scrolling in live capture
(c) Enable MAC name resolution
(d) Enable network name resolution
(e) Enable transport name resolution
Click OK.
4. On the Windows XP Professional client: Press Ctrl-Alt-Delete to bring up the domain
logon screen. Log in using valid credentials for a domain user account.
5. Now proceed to connect to the Domain Controller as follows: Start (right-click)
My Network Places Explore → {Left Panel}[+] Entire Network → {Left Panel}
[+] Microsoft Windows Network → {Left Panel}[+] Midearth → {Left Panel}[+]
Frodo → {Left Panel}[+] data. Close the explorer window. In this step, our domain
name is Midearth, the domain controller is called Frodo, and we have connected to a
share called data.
6. Stop the capture on the ethereal monitoring machine. Be sure to save the captured
data to a file so that you can refer to it again later.
7. If desired, the Windows XP Professional client and the Domain Controller are no
longer needed for exercises in this chapter.
8. From the top of the packets captured, scan down to locate the first packet that has
been interpreted as Session Setup AndX Request, NTLMSSP AUTH.
9. In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request.
Expand the packet decode information, beginning at the Security Blob: entry. Ex-
pand the GSS-API ->SPNEGO ->netTokenTarg ->responseToken ->NTLMSSP
keys. This should reveal that this is a NULL session setup packet. The User name:
NULL indicates this. An example decode is shown in Figure 1.6.
10. Return to the packet capture sequence. There will be a number of packets that have
been decoded of the type Session Setup AndX Request. Click the last such packet
that has been decoded as Session Setup AndX Request, NTLMSSP AUTH.
11. In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request.
Expand the packet decode information, beginning at the Security Blob: entry. Expand
the GSS-API ->SPNEGO ->netTokenTarg ->responseToken ->NTLMSSP
keys. This should reveal that this is a User Mode session setup packet. The User
name: jht indicates this. An example decode is shown in Figure 1.7. In this case the
user name was jht. This packet decode includes the Lan Manager Response: and the
NTLM Response:. The value of these two parameters is the Microsoft encrypted pass-
word hashes, respectively, the LanMan password and then the NT (case-preserving)
password hash.
12. The password responses are 24 characters long and are shown as hexadecimal numbers.
This packet confirms that this is a User Mode session setup packet.
Figure 1.6. Typical Windows XP NULL Session Setup AndX Request
1.3.4.1 Discussion
This exercise demonstrates that, while the specific protocol for the Session Setup AndX is
handled in a more sophisticated manner by recent MS Windows clients, the underlying rules
or principles remain the same. Thus it is demonstrated that MS Windows XP Professional
clients still use a NULL-Session connection to query and locate resources on an advanced
network technology server (one using Windows NT4/200x or Samba). It also demonstrates
that an authenticated connection must be made before resources can be used.
Figure 1.7. Typical Windows XP User Session Setup AndX Request
1.3.5 Conclusions to Exercises
In summary, the following points have been established in this chapter:
When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs
broadcast oriented messaging protocols to provide knowledge of network services.
Network browsing protocols query information stored on Browse Masters that manage
information provided by NetBIOS Name Registrations and by way of on-going Host
Announcements and Workgroup Announcements.
All Samba servers must be configured with a mechanism for mapping the NULL-Session
to a valid but non-privileged UNIX system account.
The use of Microsoft encrypted passwords is built right into the fabric of Windows
networking operations. Such passwords cannot be provided from the UNIX /etc/passwd
database and thus must be stored elsewhere on the UNIX system in a manner
that Samba can use. Samba-2.x permitted such encrypted passwords to be stored
in the smbpasswd file or in an LDAP database. Samba-3 permits the use of multiple
different passdb backend databases in concurrent deployment. Refer to TOSHARG,
Chapter 10, “Account Information Databases.”
1.4 Dissection and Discussion
The exercises demonstrate the use of the guest account, the way that MS Windows clients
and servers resolve computer names to a TCP/IP address, and how connections between a
client and a server are established.
Those wishing background information regarding NetBIOS name types should refer to the
Microsoft Knowledge Base Article Q102878. <http://support.microsoft.com/support/kb/articles/Q102/78/8.asp>
1.4.1 Technical Issues
Network browsing involves SMB broadcast announcements, SMB enumeration requests,
connections to the IPC$ share, share enumerations, and SMB connection setup processes.
The use of anonymous connections to a Samba server involves the use of the guest account,
which must map to a valid UNIX UID.
1.5 Questions and Answers
The questions and answers given in this section are designed to highlight important aspects
of Microsoft Windows networking.
F.A.Q.
1. Q: What is the significance of the MIDEARTH<1b> type query?
A: This is a broadcast announcement by which the Windows machine is attempting to
locate a Domain Master Browser (DMB) in the event that it might exist on the network.
Refer to TOSHARG Chapter 9, Section 9.7, “Technical Overview of Browsing” for details
regarding the function of the DMB and its role in network browsing.
2. Q: What is the significance of the MIDEARTH<1d> type name registration?
A: This name registration records the machine IP addresses of the Local Master Browsers
(LMBs). Network clients can query this name type to obtain a list of browser servers from
the Master Browser.
The LMB is responsible for monitoring all host announcements on the local network and
for collating the information contained within them. Using this information, it can provide
answers to other Windows network clients that request information such as:
The list of machines known to the LMB (i.e., the browse list)
The IP addresses of all Domain Controllers known for the Domain
The IP addresses of LMBs
The IP address of the DMB (if one exists)
The IP address of the LMB on the local segment
3. Q: What is the role and significance of the <01><02>__MSBROWSE__<02><01> name
registration?
A: This name is registered by the Browse Master to broadcast and receive domain an-
nouncements. Its scope is limited to the local network segment, or subnet. By querying this
name type, Master Browsers on networks that have multiple domains can find the names of
Master Browsers for each domain.
4. Q: What is the significance of the MIDEARTH<1e> type name registration?
A: This name is registered by all Browse Masters in a domain or workgroup. The reg-
istration name type is known as the Browser Election Service. Master Browsers register
themselves with this name type so that Domain Master Browsers can locate them to per-
form cross-subnet browse list updates. This name type is also used to initiate elections for
Master Browsers.
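The name types in questions 1 through 4 are the 16th byte of a NetBIOS name, which a packet dissector shows as the <1b>, <1d> or <1e> suffix. The following is an added example, not code from the book: it goes one step beyond the text and implements the RFC 1001 first-level encoding that puts such names on the wire, so that a captured name can be decoded back to the MIDEARTH<1b> form used above. The suffix table is assumed from the Q&A plus the well-known 0x00, 0x1c and 0x20 types.

```python
# Added example (not from the book): encode/decode NetBIOS names with their
# type suffix, as seen in ethereal/Wireshark NetBIOS name service packets.

# Suffix (16th byte) meanings: the ones discussed in this chapter's Q&A,
# plus three common ones (0x00, 0x1c, 0x20) that the book does not cover here.
NAME_TYPES = {
    0x00: "Workstation Service",
    0x1b: "Domain Master Browser",
    0x1c: "Domain Controllers (group name)",
    0x1d: "Local Master Browser",
    0x1e: "Browser Election Service",
    0x20: "File Server Service",
}

# The special browse-announcement name; the control bytes are part of the name.
MSBROWSE = b"\x01\x02__MSBROWSE__\x02\x01"


def first_level_encode(raw16):
    """RFC 1001 first-level encoding: each of the 16 raw bytes becomes two
    letters 'A'..'P' (high nibble first), giving the 32-letter wire form."""
    if len(raw16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes before encoding")
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw16)


def encode_netbios_name(name, suffix):
    """Encode a human name such as 'MIDEARTH' with a type suffix such as 0x1b:
    the name is upper-cased and space-padded to 15 bytes, the suffix is byte 16."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return first_level_encode(raw.ljust(15, b" ") + bytes([suffix]))


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (15-byte padded name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15], raw[15]


def describe_netbios_name(encoded):
    """Render a wire name the way the Q&A refers to it, e.g. 'MIDEARTH<1b>'."""
    name, suffix = decode_netbios_name(encoded)
    if name + bytes([suffix]) == MSBROWSE:
        return "<01><02>__MSBROWSE__<02><01> (browse announcements, local subnet only)"
    role = NAME_TYPES.get(suffix, "unknown name type")
    return f"{name.rstrip(b' ').decode('ascii')}<{suffix:02x}> {role}"


if __name__ == "__main__":
    for wire in (encode_netbios_name("MIDEARTH", 0x1b),
                 encode_netbios_name("MIDEARTH", 0x1d),
                 encode_netbios_name("MIDEARTH", 0x1e),
                 first_level_encode(MSBROWSE)):
        print(wire, "->", describe_netbios_name(wire))
```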
5. Q: What is the significance of the guest account in smb.conf?
A: This parameter specifies the default UNIX account to which MS Windows networking
NULL session connections are mapped. The default UNIX account used for this mapping
is nobody. If the UNIX/Linux system that is hosting Samba does not have a nobody
account and an alternate mapping has not been specified, network browsing will not work
at all.
It should be noted that the guest account is essential to Samba operation. Either the
operating system must have an account called nobody or there must be an entry in the
smb.conf file with a valid UNIX account. For example, guest account = ftp.
6. Q: Is it possible to reduce network broadcast activity with Samba-3?
A: Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG,
Chapter 9, Section 9.5, “WINS — The Windows Inter-networking Name Server”), the
alternate method involves disabling the use of NetBIOS over TCP/IP. This second method
requires a correctly configured DNS server (see TOSHARG, Chapter 9, Section 9.3,
“Discussion”).
The use of WINS reduces network broadcast traffic. The reduction is greatest when all
network clients are configured to operate in Hybrid Mode. This can be effected through use
of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
beneficial to configure Samba to use name resolve order = wins host bcast.
Note
Use of SMB without NetBIOS is possible only on Windows 200x/XP
Professional clients and servers, as well as with Samba-3.
7. Q: Can I just use plain-text passwords with Samba?
A: Yes, you can configure Samba to use plain-text passwords, though this does create a
few problems.
First, the use of /etc/passwd based plain-text passwords requires that registry modifica-
tions be made on all MS Windows client machines to enable plain-text passwords support.
This significantly diminishes the security of MS Windows client operation. Many network
administrators are bitterly opposed to doing this.
Second, Microsoft has not maintained plain-text password support since the default setting
was made disabling this. When network connections are dropped by the client, it is not
possible to re-establish the connection automatically. Users need to log off and then log on
again. Plain-text password support may interfere with recent enhancements that are part
of the Microsoft move toward a more secure computing environment.
Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text
password handling. Just create user accounts by running: smbpasswd -a 'username'
It is not possible to add a user to the passdb backend database unless there is a UNIX sys-
tem account for that user. On systems that run winbindd to access the Samba PDC/BDC
to provide Windows user and group accounts, the idmap uid, idmap gid ranges set in the
smb.conf file provide the local UID/GIDs needed for local identity management purposes.
8. Q: What parameter in the smb.conf file is used to enable the use of encrypted passwords?
A: The parameter in the smb.conf file that controls this behavior is known as encrypt
passwords. The default setting for this in Samba-3 is Yes (Enabled).
9. Q: Is it necessary to specify encrypt passwords = Yes when Samba-3 is configured as a
Domain Member?
A: No. This is the default behavior.
10. Q: Is it necessary to specify a guest account when Samba-3 is configured as a Domain
Member server?
A: Yes. This is a local function on the server. The default setting is to use the UNIX
account nobody. If this account does not exist on the UNIX server, then it is necessary to
provide a guest account = account entry in smb.conf, where account is a valid local UNIX
user account.
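Questions 5, 7, 8 and 10 come down to two checks an administrator can run against smb.conf before a client ever connects: does the guest account (default nobody) exist in /etc/passwd, and has encrypt passwords been switched off. The following is an added example, not code from the book: a small smb.conf parser that applies those checks and also notes any share that combines guest ok with write access. The sample smb.conf is the drafting-office file from Chapter 2 and the passwd excerpts are constructed.

```python
# Added example (not from the book): static checks on an smb.conf file for the
# guest-account and encrypted-password points raised in this chapter's Q&A.
import re

# Samba-3 defaults for the two parameters the Q&A turns on.
SAMBA_DEFAULTS = {"guestaccount": "nobody", "encryptpasswords": "yes"}

# Constructed sample inputs: the drafting-office smb.conf from this book and
# two /etc/passwd excerpts, one with and one without a nobody account.
DRAFTING_CONF = """# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
[Plans]
path = /plans
read only = Yes
guest ok = Yes
"""
PASSWD_WITH_NOBODY = ("root:x:0:0:root:/root:/bin/bash\n"
                      "nobody:x:65534:65534:nobody:/:/sbin/nologin\n")
PASSWD_WITHOUT_NOBODY = ("root:x:0:0:root:/root:/bin/bash\n"
                         "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.
    Samba compares parameter names case-insensitively and ignores
    whitespace inside them ('Guest Account' == 'guestaccount'), and
    treats lines beginning with '#' or ';' as comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def passwd_users(passwd_text):
    """Login names present in /etc/passwd-style text."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines()
            if ln and not ln.startswith("#")}


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """'read only' defaults to Yes; writable/writeable/write ok invert it."""
    for key in ("writable", "writeable", "writeok"):
        if key in params:
            return is_yes(params[key])
    return not is_yes(params.get("readonly", "yes"))


def check_smb_conf(conf_text, passwd_text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_smb_conf(conf_text)
    glob = conf.get("global", {})
    users = passwd_users(passwd_text)
    findings = []
    guest = glob.get("guestaccount", SAMBA_DEFAULTS["guestaccount"])
    if guest not in users:
        findings.append(f"guest account '{guest}' has no UNIX account: NULL "
                        "sessions cannot be mapped and browsing will fail")
    if not is_yes(glob.get("encryptpasswords", SAMBA_DEFAULTS["encryptpasswords"])):
        findings.append("encrypt passwords = No: clients would need registry "
                        "changes to send plain-text passwords")
    for name, params in conf.items():
        if name == "global":
            continue
        guest_ok = params.get("guestok", params.get("public", "no"))
        if is_yes(guest_ok) and share_is_writable(params):
            findings.append(f"share [{name}] allows anonymous (guest) write access")
    return findings


if __name__ == "__main__":
    for label, passwd in (("with nobody", PASSWD_WITH_NOBODY),
                          ("without nobody", PASSWD_WITHOUT_NOBODY)):
        print(label, "->", check_smb_conf(DRAFTING_CONF, passwd) or "OK")
```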
Chapter 2
NO FRILLS SAMBA SERVERS
Congratulations, you managed to get past the opening chapter. To some, this is where
the interesting exercises begin. This is the start of the real journey toward the Samba
deployment of a lifetime.
2.1 Introduction
This chapter lays the groundwork for understanding the basics of Samba operation. Instead
of a bland technical discussion, each principle is demonstrated by way of a real-world scenario
for which a working solution[1] is fully described.
The practical exercises take you on a journey through a drafting office, a charity
administration office, and an accounting office. You may choose to apply any or all of these to your
own environment.
Every assignment case can be implemented far more creatively, but remember that the
solutions you create are designed to demonstrate a particular solution possibility. With
experience, you should find much improved solutions compared with those presented here.
By the time you complete this book, you should aim to be a Samba expert, so do attempt
to find better solutions and try them as you work your way through the examples.
2.2 Assignment Tasks
Each case presented highlights different aspects of Windows networking for which a simple
Samba-based solution can be provided. Each has subtly different requirements taken from
real-world cases. Each is briefly reviewed to cover points of highlight. In each example,
instructions are based on the assumption that the official Samba Team RPM package has
been installed.
This chapter has three assignments built around fictitious companies:
A drafting office
A charity administration office
An accounting office
Let’s get started.
[1] The examples given mirror those documented in TOSHARG Chapter 2, Section 2.3.1. You may gain
additional insight from the Stand-alone server configurations covered in TOSHARG sections 2.3.1.2 through
2.3.1.4.
2.2.1 Drafting Office
Our fictitious company is called Abmas Design Inc. This is a three-person computer-aided
design (CAD) business that often has more work than can be handled. The business owner
hires contract draftspeople from wherever he can. They bring their own notebook computers
into the office. There are four permanent drafting machines. Abmas has a collection of over
10 years of plans that must be available for all draftsmen to reference. Abmas hires the
services of an experienced network engineer to update the plans that are stored on a central
server one day per month. She knows how to upload plans from each machine. The files
available from the server must remain read-only. Anyone should be able to access the plans
at any time and without barriers or difficulty.
Mr. Bob Jordan has asked you to install the new server as economically as possible. The
central server has a Pentium-IV 1.6GHz CPU, 768MB RAM, a 20GB IDE boot drive, a
160GB IDE second disk to store plans, and a 100-base-T Ethernet card. You have already
installed Red Hat Fedora Core2 and have upgraded Samba to version 3.0.12 using the RPM
package that is provided from the Samba FTP sites <http://www.samba.org>.
The four permanent drafting machines (Microsoft Windows workstations) have attached
printers and plotters that are shared on a peer-to-peer basis by any/all network users. The
intent is to continue to share printers in this manner. The three permanent staff work
together with all contractors to store all new work on one PC. A daily copy is made of the
work storage area to another PC for safekeeping. When the network consultant arrives, the
weekly work area is copied to the central server and the files are removed from the main
weekly storage machine. The office works best with this arrangement and does not want to
change anything. Old habits are too ingrained.
2.2.1.1 Dissection and Discussion
The requirements for this server installation demand simplicity. An anonymous read-only
file server adequately meets all needs. The network consultant determines how to upload
all files from the weekly storage area to the server. This installation should focus only on
critical aspects of the installation.
It is not necessary to have specific users on the server. The site has a method for storing all
design files (plans). Each plan is stored in a directory that is named YYYYWW[2], where
YYYY is the year, and WW is the week of the year. This arrangement allows work to be
stored by week of year to preserve the filing technique the site is familiar with. There is
another customer directory that is alphabetically listed. At the top level are 26 directories
(A-Z), in each is a second level of directory for the first plus second letter of the name (A-Z);
inside each is a directory by the customers’ name. Inside each directory is a symbolic link
to each design drawing/plan. This way of storing customer data files permits all plans to
be located both by customer name, as well as by the date the work was performed, without
demanding the disk space that would be needed if a duplicate file copy were to be stored.
The share containing the plans is called Plans.
[2] This information is given purely as an example of how data may be stored in such a way that it will
be easy to locate records at a later date. The example is not meant to imply any instructions that may
be construed as essential to the design of the solution; this is something you will almost certainly want to
determine for yourself.
2.2.1.2 Implementation
It is assumed that the server is fully installed and ready for installation and configuration of
Samba 3.0.12 and any support files needed. All TCP/IP addresses have been hard coded.
In our case the IP address of the Samba server is 192.168.1.1 and the netmask is
255.255.255.0. The host name of the server used was server.
Samba Server Configuration
1. Download the Samba-3 RPM packages for Red Hat Fedora Core2 from the Samba
FTP servers. <http://www.samba.org>
2. Install the RPM package using either the Red Hat Linux preferred GUI tool or the rpm
command, as follows:
root# rpm -Uvh samba-3.0.12-1.i386.rpm
3. Create a mount point for the file system that will be used to store all data files. You
can create a directory called /plans as follows:
root# mkdir /plans
root# chmod 755 /plans
The 755 permissions on this directory (mount point) permit the owner to read, write,
and execute, and the group and everyone else to read and execute only. Use Red Hat
Linux system tools (refer to the Red Hat documentation for instructions) to format the 160GB
hard drive with a suitable file system. An Ext3 file system is suitable. Configure this
drive to automatically mount using the /plans directory as the mount point.
4. Install the smb.conf file shown in Example 2.2.1 in the /etc/samba directory.
Example 2.2.1. Drafting Office smb.conf File
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
[Plans]
path = /plans
read only = Yes
guest ok = Yes
5. Verify that the /etc/hosts file contains the following entry:
192.168.1.1 server
6. Use the standard system tool to start Samba and to configure it to restart automati-
cally at every system reboot. For example:
root# chkconfig smb on
root# /etc/rc.d/init.d/smb restart
Windows Client Configuration
1. Make certain that all clients are set to the same network address range as has been used
for the Samba server. For example, one client might have an IP address 192.168.1.10.
2. Ensure that the netmask used on the Windows clients matches that used for the Samba
server. All clients must have the same netmask. For example, 255.255.255.0.
3. Set the workgroup name on all clients to MIDEARTH.
4. Verify on each client that the machine called SERVER is visible in the Network Neigh-
borhood, that it is possible to connect to it and see the share Plans, and that it is
possible to open that share to reveal its contents.
2.2.1.3 Validation
The first priority in validating the new Samba configuration should be to check that Samba
answers on the loop-back interface. Then it is time to check that Samba answers its own
name correctly. Last, check that a client can connect to the Samba server.
1. To check the ability to access the smbd daemon services, execute the following:
root# smbclient -L localhost -U%
        Sharename       Type      Comment
        ---------       ----      -------
        Plans           Disk
        IPC$            IPC       IPC Service (Samba 3.0.12)
        ADMIN$          IPC       IPC Service (Samba 3.0.12)

        Server               Comment
        ---------            -------
        SERVER               Samba 3.0.12

        Workgroup            Master
        ---------            -------
        MIDEARTH             SERVER
This indicates that Samba is able to respond on the loopback interface to a NULL
connection. The -U% means send an empty username and an empty password. This
command should be repeated after Samba has been running for 15 minutes.
2. Now verify that Samba correctly handles being passed a username and password, and
that it answers its own name. Execute the following:
root# smbclient -L server -Uroot%password
The output should be identical to the previous response. Samba has been configured
to ignore all usernames given; instead it uses the guest account for all connections.
3. From the Windows 9x/Me client, launch Windows Explorer, [Desktop: right-click]
Network Neighborhood+Explore [Left Panel] [+] Entire Network [Left Panel]
[+] Server [Left Panel] [+] Plans. In the right panel you should see the files and
directories (folders) that are in the Plans share.
2.2.2 Charity Administration Office
The fictitious charity organization is called Abmas Vision NL. This is an office that has five
networked computers. Staff are all volunteers with frequent staff changes. Ms. Amy May,
the director of operations, wants a no-hassle network. Anyone should be able to use any PC.
Only two Windows applications are used: a custom funds tracking and management package
that stores all files on the central server and Microsoft Word. The office prepares mail-out
letters, letters of invitation, and thank-you notes. All files must be stored in perpetuity.
The custom funds tracking and management (FTM) software has been configured to use a
server named SERVER, a share named FTMFILES, and a printer queue named PRINTQ that
uses preprinted stationery, thus demanding a dedicated printer. This printer does not need
to be mapped to a local printer on the workstations.
The FTM software has been in use since the days of Windows 3.11. The software was
configured by the vendor, who has since gone out of business. The names of the file server
and the printer are hard coded in a configuration file that was created using a setup tool
that the vendor did not provide to Abmas Vision NL or to its predecessors. The company
that produced the software is no longer in business. In order to avoid risk of any
incompatibilities, the share name and the name of the target print queue are being set
precisely as the application expects. In actual fact, share names and print queue names
should be treated as case insensitive (i.e., case does not matter), but Abmas Vision claim
that if the share name is not in lower case the application claims it cannot find the file
share.
Printer handling in Samba results in a significant level of confusion. Samba presents to
the MS Windows client only a print queue. The Samba smbd process passes a print job
sent to it from the Windows client to the native UNIX printing system. The native UNIX
printing system (spooler) places the job in a print queue from which it is delivered to the
printer. In this book, network diagrams refer to a printer by the name of the print queue
that services that printer. It does not matter what the fully qualified name (or the host
name) of a network attached printer is. The UNIX print spooler is configured to correctly
deliver all jobs to the printer.
This organization has a policy forbidding use of privately owned computers on site as a
measure to prevent leakage of confidential information. Only the five PCs owned by Abmas
Vision NL are used on this network.
The central server was donated by a local computer store. It is a dual processor Pentium-III
server, has 1GB RAM, a 3-Ware IDE RAID Controller that has 4 x 200GB IDE hard drives,
and a 100-base-T network card. The office has 100-base-T permanent network connections
that go to a central hub and all equipment is new. The five network computers all are
equipped with Microsoft Windows Me. Funding is limited, so the server has no operating
system on it. You have approval to install Samba on Linux, but just make sure it works
without problems. There are two HP LaserJet 5 PS printers that are network connected.
The second printer is to be used for general office and letter printing. Your recommendation
to allow only the Linux server to print directly to the printers was accepted. You have
supplied SUSE Enterprise Linux Server 9 and have upgraded Samba to version 3.0.12.
2.2.2.1 Dissection and Discussion
This installation demands simplicity. Frequent turn-over of volunteer staff would indicate
that a network environment that requires users to log on might be problematic. It is
suggested that the best solution for this office would be one where the user can log onto any PC
with any username and password. Samba can accommodate an office like this by using the
force user parameter in share and printer definitions. The use of force user ensures
that all files are owned by the same user identifier (UID) and thus ensures that there will never
be a problem with file access due to file access permissions. Additionally, you elect to use
the nt acl support = No option to ensure that no attempts can be made to write access
control lists (POSIX type) to any file or directory. This prevents an inadvertent ACL from
overriding actual file permissions.
This organization is a prime candidate for Share Mode security. The force user allows all
files to be owned by the same user and group. In addition to this, it would not hurt to set
SUID and SGID on the shared directories. This means that all new files that are created, no
matter who creates them, are owned by the owner or group of the directory in which they are
created. For further information regarding the significance of the SUID/SGID settings, see
Section A.7.
All client workstations print to a print queue on the server. This ensures that print jobs
continue to print in the event that a user may shut down the workstation immediately after
sending a job to the printer. Today, both Red Hat Linux and SUSE Linux use CUPS-based
printing. Older Linux systems offered a choice to use either the LPRng printing system,
or CUPS. It appears, however, that CUPS has now become the leading UNIX printing
technology.
The print queues are set up as Raw devices, which means that CUPS will not do intelligent
print processing, and vendor-supplied drivers must be installed locally on the Windows clients.
The hypothetical software (Funds Tracking and Management) referred to is representative of
custom-built software that directly uses a NetBIOS interface. Most such software originated
in the days of MS/PC DOS. NetBIOS names are upper-case (and functionally are case
insensitive), thus some old software applications would permit only upper-case names to be
entered. Some such applications were later ported to MS Windows but retain the upper-case
network resource naming conventions because customers are familiar with that. We made
the decision to name shares and print queues for this application in upper-case also for the
same reason. Nothing would break if you were to use lower-case names, but that decision
might create a need to re-educate staff — something well avoided at this time.
NetBIOS networking does not print directly to a printer. Instead, all printing is done to a
print queue. The print spooling system is responsible for communicating with the physical
printer. In this example, therefore, the resource that is referred to as PRINTQ really is just
a print queue. The name of the print queue is held to be representative of the device to
which the print spooler delivers print jobs.
2.2.2.2 Implementation
It is assumed that the server is fully installed and ready for configuration of Samba 3.0.12
and for necessary support files. All TCP/IP addresses should be hard coded. In our case,
the IP address of the Samba server is 192.168.1.1 and the netmask is 255.255.255.0. The
host name of the server used was server. The office network is built as shown in Figure 2.1.
Figure 2.1. Charity Administration Office Network
Samba Server Configuration
1. Create a group account for office file storage as follows:
root# groupadd office
2. Create a user account for office file storage as follows:
root# useradd -m abmas
root# passwd abmas
Changing password for abmas.
New password: XXXXXXXX
Re-enter new password: XXXXXXXX
Password changed
where XXXXXXXX is a secret password.
3. Use the 3-Ware IDE RAID Controller firmware utilities to configure the four 200GB
drives as a single RAID level 5 drive, with one drive set aside as the hot spare. (Refer
to the 3-Ware RAID Controller Manual for the manufacturers’ preferred procedure.)
The resulting drive has a capacity of approximately 500GB of usable space.
4. Create a mount point for the file system that can be used to store all data files. Create
a directory called /data as follows:
root# mkdir /data
root# chmod 755 /data
The 755 permissions on this directory (mount point) permit the owner to read, write
and execute, and the group and everyone else to read and execute only.
5. Use SUSE Linux system tools (refer to the SUSE Administrators Guide for correct
procedures) to format the partition with a suitable file system. The reiserfs file system
is suitable. Configure this drive to automount using the /data directory as the mount
point. It must be mounted before proceeding.
6. Under the directory called /data create two directories named ftmfiles and officefiles,
and set ownership and permissions as follows:
root# mkdir -p /data/{ftmfiles,officefiles/{letters,invitations,misc}}
root# chown -R abmas.office /data
root# chmod -R ug+rwxs,o-w,o+rx /data
These demonstrate compound operations. The mkdir command creates in one step
these directories:
/data/ftmfiles
/data/officefiles
/data/officefiles/letters
/data/officefiles/invitations
/data/officefiles/misc
The chown operation sets the owner to the user abmas and the group to office on all
directories just created. And the chmod operation recursively sets the permissions so
that the owner and group have SUID/SGID with read/write/execute permission, and
everyone else has read and execute permission. This means that all files and directories
are created with the same owner and group as the directory in which they are created.
Any new directories created still have the same owner, group, and permissions as the
directory they are in. This should eliminate all permissions-based file access problems.
For more information on this subject, refer to TOSHARG, Chapter 13, File, Directory
and Share Access Controls, or refer to the UNIX man page for the chmod and the
chown commands.
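The chmod argument ug+rwxs,o-w,o+rx in step 6, and the SUID/SGID reasoning in the dissection above, are easy to get wrong by hand. The following is an added example, not code from the book: it evaluates that symbolic mode the way chmod does (0o755 becomes 0o6775), recreates the directory tree under a throwaway directory, and audits the result for the two properties the setup relies on: every directory carries SGID, and nothing is world-writable. The chown to abmas:office is deliberately left out because it needs root and those accounts; the audit function can be pointed at a real /data tree.

```python
# Added example (not from the book): evaluate the book's chmod symbolic mode,
# rebuild the /data tree in a temporary directory and audit its permissions.
import os
import stat
import tempfile

# Directories the book's mkdir -p command creates under /data
SHARE_DIRS = ["ftmfiles", "officefiles", "officefiles/letters",
              "officefiles/invitations", "officefiles/misc"]
SHARE_MODE_SPEC = "ug+rwxs,o-w,o+rx"   # the book's chmod -R argument

_WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic_mode(mode, spec):
    """Evaluate a chmod symbolic mode such as 'ug+rwxs,o-w,o+rx' against an
    existing permission mode and return the resulting mode. Supports the
    subset used here: who in u/g/o/a, operators + and -, perms r/w/x/s."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in _WHO:
            i += 1
        if i >= len(clause) or clause[i] not in "+-":
            raise ValueError(f"unsupported clause {clause!r}")
        who = clause[:i] or "a"
        op, perms = clause[i], clause[i + 1:]
        who_mask = 0
        for w in who:
            who_mask |= _WHO[w]
        bits = 0
        for p in perms:
            if p in _PERM:
                bits |= _PERM[p] & who_mask
            elif p == "s":          # SUID applies to u, SGID to g
                if "u" in who or "a" in who:
                    bits |= stat.S_ISUID
                if "g" in who or "a" in who:
                    bits |= stat.S_ISGID
            else:
                raise ValueError(f"unsupported permission {p!r}")
        if op == "+":
            mode |= bits
        else:
            mode &= ~bits
    return mode


def build_share_tree(base):
    """Recreate the book's mkdir -p and chmod -R steps under base.
    chown to abmas:office is omitted: it needs root and those identities."""
    for rel in SHARE_DIRS:
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    for root, _dirs, files in os.walk(base):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            current = stat.S_IMODE(os.stat(entry).st_mode)
            os.chmod(entry, apply_symbolic_mode(current, SHARE_MODE_SPEC))


def audit_share_tree(base):
    """Check the policy the setup relies on: every directory carries SGID so
    new files inherit its group, and nothing is world-writable."""
    problems = []
    for root, _dirs, files in os.walk(base):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH:
                problems.append(f"{entry}: world-writable")
            if stat.S_ISDIR(mode) and not mode & stat.S_ISGID:
                problems.append(f"{entry}: directory lacks SGID")
    return problems


def demo():
    """Build the tree in a throwaway directory, audit it, then plant a
    world-writable file to show the audit catching a violation.
    Returns (problems_when_clean, mode_of_letters_dir, problems_after)."""
    base = tempfile.mkdtemp(prefix="abmas-")
    build_share_tree(base)
    clean = audit_share_tree(base)
    letters = os.path.join(base, "officefiles", "letters")
    letters_mode = stat.S_IMODE(os.stat(letters).st_mode)
    stray = os.path.join(letters, "stray.txt")
    with open(stray, "w") as fh:
        fh.write("constructed test file\n")
    os.chmod(stray, 0o666)   # deliberately violates the policy
    return clean, letters_mode, audit_share_tree(base)


if __name__ == "__main__":
    print("0o755 ->", oct(apply_symbolic_mode(0o755, SHARE_MODE_SPEC)))
    print(demo())
```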
7. Install the smb.conf file shown in Example 2.2.2 in the /etc/samba directory.
8. We must ensure that the smbd can resolve the name of the Samba server to its IP
address. Verify that the /etc/hosts file contains the following entry:
192.168.1.1 server
9. Configure the printers with the IP address as shown in Figure 2.1. Follow the instruc-
tions in the manufacturers’ manual to permit printing to port 9100, so that the CUPS
spooler can print using raw mode protocols.
10. Configure the CUPS Print Queues as follows:
root# lpadmin -p PRINTQ -v socket://192.168.1.20:9100 -E
root# lpadmin -p hplj5 -v socket://192.168.1.30:9100 -E
This creates the necessary print queues with no assigned print filter.
11. Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
12. Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
13. Use the standard system tool to start Samba and CUPS and to configure them to restart
automatically at every system reboot. For example:
root# chkconfig smb on
root# chkconfig cups on
root# /etc/rc.d/init.d/smb restart
root# /etc/rc.d/init.d/cups restart
Windows Client Configuration
1. Configure clients to the network settings shown in Figure 2.1.
2. Ensure that the netmask used on the Windows clients matches that used for the Samba
server. All clients must have the same netmask. For example, 255.255.255.0.
3. On all Windows clients, set the WINS Server address to 192.168.1.1, the IP address
of the server.
4. Set the workgroup name on all clients to MIDEARTH.
Example 2.2.2. Charity Administration Office smb.conf File
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
printing = CUPS
printcap name = CUPS
disable spoolss = Yes
show add printer wizard = No
wins support = yes
[FTMFILES]
comment = Funds Tracking & Management Files
path = /data/ftmfiles
read only = No
force user = abmas
force group = office
guest ok = Yes
nt acl support = No
[office]
comment = General Office Files
path = /data/officefiles
read only = No
force user = abmas
force group = office
guest ok = Yes
nt acl support = No
[printers]
comment = Print Temporary Spool Configuration
path = /var/spool/samba
printable = Yes
guest ok = Yes
use client driver = Yes
browseable = No
5. Install the “Client for Microsoft Networks”. Ensure that the only option enabled in
its properties is the option “Logon and restore network connections”.
6. Click OK when you are prompted to reboot the system. Reboot the system, then
logon using any user name and password you choose.
7. Verify on each client that the machine called SERVER is visible in My Network Places,
that it is possible to connect to it and see the share office, and that it is possible to
open that share to reveal its contents.
8. Disable password caching on all Windows 9x/Me machines using the registry change
file shown in Example 2.2.3. Be sure to remove all files that have the PWL extension
that are in the C:\WINDOWS directory.
Example 2.2.3. Windows Me — Registry Edit File: Disable Password Caching
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
The best way to apply this is to save the patch in a file called ME-dpwc.reg and then
execute:
C:\WINDOWS: regedit ME-dpwc.reg
9. Instruct all users to log onto the workstation using a name of their own choosing, with
a password of their own choosing. The Samba server has been configured to ignore
the username and password given.
10. On each Windows Me workstation, configure a network drive mapping to drive G:
that redirects to the uniform naming convention (UNC) resource \\server\office.
Make this a permanent drive connection as follows:
(a) (Right-click) My Network Places → Map Network Drive...
(b) In the box labeled “Drive:”, type G.
(c) In the box labeled “Path:”, enter \\server\officefiles.
(d) Click Reconnect at logon. Click OK.
11. On each workstation, install the Funds Tracking and Management software following
the manufacturer’s instructions.
(a) During installation, you are prompted for the name of the Windows 98 server.
Enter the name SERVER.
(b) You are prompted for the name of the data share. The prompt defaults to
FTMFILES. Press enter to accept the default value.
(c) You are now prompted for the print queue name. The default prompt is the
name of the server you entered (SERVER as follows: \\SERVER\PRINTQ). Simply
accept the default and press enter to continue. The software now completes the
installation.
12. Install an office automation software package of the customer’s choice. Either Microsoft
Office 2003 Standard or OpenOffice 1.1.0 suffices for any functions the office may need
to perform. Repeat this on each workstation.
13. Install a printer on each using the following steps:
(a) Click Start → Settings → Printers → Add Printer → Next. Do not click Network
printer. Ensure that Local printer is selected.
(b) Click Next. In the panel labeled Manufacturer:, select HP. In the Printers: panel,
select the printer called HP LaserJet 5/5M Postscript. Click Next.
(c) In the panel labeled Available ports:, select FILE:. Accept the default printer
name by clicking Next. When asked, “Would you like to print a test page?”, click
No. Click Finish.
(d) You may be prompted for the name of a file to print to. If so, close the dialog
panel. Right-click HP LaserJet 5/5M Postscript → Properties → Details (Tab) →
Add Port.
(e) In the panel labeled Network, enter the name of the print queue on the Samba
server as follows: \\SERVER\hplj5. Click OK+OK to complete the installation.
(f) It is a good idea to test the functionality of the complete installation before
handing the newly configured network over to the Charity Administration Office
for production use.
2.2.2.3 Validation
Use the same validation process as was followed in Section 2.2.1.3.
2.2.3 Accounting Office
The office of Abmas Accounting Inc. is a 40-year-old family-run business. There are nine
permanent computer users. The network clients were upgraded two years ago. All computers
run Windows 2000 Professional. This year the server will be upgraded from an old Windows
NT4 server (actually running Windows NT4 Workstation, which worked fine as there were
fewer than 10 users) that has run in workgroup (Stand-Alone) mode, to a new Linux server
running Samba.
The office does not want a Domain Server. Mr. Alan Meany wants to keep the Windows
2000 Professional clients running as workgroup machines so that any staff member can take
a machine home and keep working. It has worked well so far and your task is to replace
the old server. All users have their own workstation logon (you configured it that way when
the machines were installed). Mr. Meany wants the new system to operate the same way
as the old Windows NT4 server — users cannot access each others’ files, but he can access
everyone’s files. Each person’s work files are in a separate share on the server. Users logon
to their Windows workstation with their username and enter an assigned password; they do
not need to enter a password when accessing their files on the server.
The new server will run Red Hat Fedora Core2. You should install Samba-3.0.12 and
copy all files off the old system to the new one. The existing Windows NT4 server has a
parallel port HP LaserJet 4 printer that is shared by all. The printer driver is installed on
each workstation. You must not change anything on the workstations. Mr. Meany gave
instructions to replace the server “but leave everything else alone to avoid staff unrest.”
You have tried to educate Mr. Meany and found that he has no interest to understand
networking. He believes that Windows for Workgroups 3.11 was “the best server Microsoft
ever sold” and that Windows NT and 2000 are “too fang-dangled complex!”
2.2.3.1 Dissection and Discussion
The requirements of this network installation are not unusual. The staff are not interested
in the details of networking. Passwords are never changed. In this example solution, we
demonstrate the use of User Mode security in a simple context. Directories should be set
SGID to ensure that members of a common group can access the contents. Each user has
his or her own share to which only they can connect. Mr. Meany’s share will be a top level
directory above the share point for each employee. Mr. Meany is a member of the same
group as his staff and is able to access their work files. The well used HP LaserJet 4 is
available as a service called hplj.
You have finished configuring the new hardware and have just completed installation of Red
Hat Fedora Core2. Roll up your sleeves and let’s get to work.
2.2.3.2 Implementation
The workstations have fixed IP addresses. The old server runs Windows NT4 Workstation,
so it cannot be running as a WINS server. It is best that the new configuration preserves
the same configuration. The office does not use Internet access, so security really is not an
issue.
The core information regarding the users, their passwords, the directory share point, and
the share name is given in Table 2.1. The overall network topology is shown in Figure 2.2.
All machines have been configured as indicated prior to the start of Samba configuration.
The following prescriptive steps may now commence.
Figure 2.2. Accounting Office Network Topology
Table 2.1. Accounting Office Network Information
User                 Login-ID  Password  Share Name  Directory      Wkst
Alan Meany           alan      alm1961   alan        /data          PC1
James Meany          james     jimm1962  james       /data/james    PC2
Jeannie Meany        jeannie   jema1965  jeannie     /data/jeannie  PC3
Suzy Millicent       suzy      suzy1967  suzy        /data/suzy     PC4
Ursula Jenning       ujen      ujen1974  ursula      /data/ursula   PC5
Peter Pan            peter     pete1984  peter       /data/peter    PC6
Dale Roland          dale      dale1986  dale        /data/dale     PC7
Bertrand E Paoletti  eric      eric1993  eric        /data/eric     PC8
Russell Lewis        russ      russ2001  russell     /data/russell  PC9
Migration from Windows NT4 Workstation System to Samba-3
1. Rename the old server from CASHPOOL to STABLE by logging onto the console as the
Administrator. Restart the machine following system prompts.
2. Name the new server CASHPOOL using the standard configuration method. Restart the
machine following system prompts.
3. Install the latest Samba-3 binary Red Hat Linux RPM that is available from the Samba
FTP site.
4. Add a group account for the office to use. Execute the following:
root# groupadd accts
5. Install the smb.conf file shown in Example 2.2.4. (This example makes use of the
smbpasswd file. It does so in an obtuse way, since the passdb backend has not been
specified in the smb.conf file. This means that you are depending on correct default
behavior.)
6. For each user who uses this system (see Table 2.1), execute the following:
root# useradd -m -G accts -c "Name of User" "LoginID"
root# passwd "LoginID"
Changing password for user "LoginID"
New Password: XXXXXXXXX <-- the password from the table
Retype new password: XXXXXXXXX
root# smbpasswd -a "LoginID"
New SMB password: XXXXXXXXX <-- the password from the table
Retype new SMB password: XXXXXXXXX
Added user "LoginID"
7. Create the directory structure for the file shares by executing the following:
root# mkdir -p /data
root# chown alan /data
root# for i in james suzy ursula peter dale eric jeannie russell
> do
> mkdir -p /data/$i
> chown $i /data/$i
> done
root# chgrp -R accts /data
root# chmod -R ug+rwxs,o-r+x /data
The data storage structure is now prepared for use.
8. Configure the CUPS Print Queues as follows:
root# lpadmin -p hplj -v parallel:/dev/lp0 -E
This creates the necessary print queues with no assigned print filter.
9. Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
10. Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
11. Use the standard system tool to start Samba and CUPS and to configure them to restart
automatically at every system reboot. For example:
root# chkconfig smb on
root# chkconfig cups on
root# /etc/rc.d/init.d/smb restart
root# /etc/rc.d/init.d/cups restart
12. On Alan’s workstation, use Windows explorer to migrate the files from the old server
to the new server. The new server should appear in the Network Neighborhood with
the name of the old server (CASHPOOL).
(a) Logon to Alan’s workstation as the user alan.
(b) Launch a second instance of Windows explorer and navigate to the share called
files on the server called STABLE.
(c) Click in the right panel, and press Ctrl-A to select all files and directories. Press
Ctrl-C to instruct Windows that you wish to copy all selected items.
(d) Launch the Windows explorer, and navigate to the share called files on the server
called CASHPOOL. Click in the right panel, and then press Ctrl-V to commence
the copying process.
13. Verify that the files are being copied correctly from the Windows NT4 machine to the
Samba-3 server. This is best done on the Samba-3 server. Check the contents of the
directory tree under /data. This can be done by executing the following command:
root# ls -aR /data
Make certain to check the ownership and permissions on all files. If in doubt, execute
the following:
root# chown alan /data
root# for i in james suzy ursula peter dale eric jeannie russell
> do
> chown $i /data/$i
> done
root# chgrp -R accts /data
root# chmod -R ug+rwxs,o-r+x /data
14. The migration of all data should now be complete. It is time to validate the installa-
tion. For this, you should make sure all applications, including printing, work before
asking the customer to test drive the new network.
Example 2.2.4. Accounting Office Network smb.conf File
# Global parameters
[global]
workgroup = BILLMORE
printing = CUPS
printcap name = CUPS
disable spoolss = Yes
show add printer wizard = No
[files]
comment = Work area files
path = /data/%U
valid users = %S
read only = No
[master]
comment = Master work area files
path = /data
valid users = alan
read only = No
[printers]
comment = Print Temporary Spool Configuration
path = /var/spool/samba
printable = Yes
guest ok = Yes
use client driver = Yes
browseable = No
2.3 Questions and Answers
The following questions and answers draw from the examples in this chapter. Many design
decisions are impacted by the configurations chosen. The intent is to expose some of the
hidden implications.
F.A.Q.
1. Q: What makes an anonymous Samba server more simple than a non-anonymous Samba
server?
A: In the anonymous server, the only account used is the guest account. In a non-
anonymous configuration, it is necessary to add real user accounts to both the UNIX system
and to the Samba configuration. Non-anonymous servers require additional administration.
2. Q: How is the operation of the parameter force user different from setting the root
directory of the share SUID?
A: The parameter force user causes all operations on the share to assume the UID of
the forced user. The new default GID that applies is the primary GID of the forced user.
This gives all users of this resource the actual privilege of the forced user.
When a directory is set SUID, the operating system forces files that are written within it to
be owned by the owner of the directory. While this happens, the user who is using the share
has only the level of privilege he or she is assigned within the operating system context.
The parameter force user has potential security implications that go beyond the actual
share root directory. Be careful and wary of using this parameter.
3. Q: When would you use both the per share parameter force user as well as setting the
share root directory SUID?
A: You would use both parameters when it is necessary to guarantee that all share handling
operations are conducted as the forced user, while all file and directory creation are done as
the SUID directory owner.
4. Q: What is better about CUPS printing than LPRng printing?
A: CUPS is a print spooling system that has integrated remote management facilities,
provides completely automated print processing/preprocessing, and has the potential to
be configured to automatically apply print preprocessing filters to ensure that a print job
submitted is correctly rendered for the target printer. CUPS includes an image file RIP
that supports printing of image files to non-PostScript printers. CUPS has lots of bells
and whistles and is more like a super-charged MS Windows NT/200x print monitor and
processor. Its complexity can be eliminated or turbo-charged to suit any fancy.
The LPRng software is an enhanced, extended, and portable implementation of the Berke-
ley LPR print spooler functionality. It provides the same interface and meets RFC1179
requirements. LPRng is capable of being configured to act like CUPS, but it is in principle
a replacement for the old Berkeley lpr/lpd spooler. LPRng is generally preferred by those
who are familiar with Berkeley lpr/lpd.
Which is better is a matter of personal taste. It depends on what you want to do and
how you want to do it and manage it. Most modern Linux systems ship with CUPS as the
default print management system.
5. Q: When should Windows client IP addresses be hard coded?
A: When there are few MS Windows clients, little client change, no mobile users, and
users are not inclined to tamper with network settings, it is a safe and convenient matter
to hard-code Windows client TCP/IP settings. Given that it is possible to lock down the
Windows desktop and remove user ability to access network configuration controls, fixed
configuration eliminates the need for a DHCP server. This reduces maintenance overheads
and eliminates a possible point of network failure.
6. Q: Under what circumstances would it be best to use a DHCP server?
A: In network configurations where there are mobile users, or where Windows client PCs
move around (particularly between offices or between subnets), it makes complete sense to
control all Windows client configurations using a DHCP server. Additionally, when users
do tamper with the network settings, the use of DHCP can be used to normalize all client
settings.
One of the least appreciated benefits of using a DHCP server to assign all network client
device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP
settings, change network addressing, or enhance the ability of client devices to benefit from
new network services.
Another benefit of modern DHCP servers is the ability of the DHCP server to register
dynamically assigned IP addresses with the DNS server. The benefits of Dynamic DNS
(DDNS) are considerable in a large Windows network environment.
7. Q: What is the purpose of setting the parameter guest ok on a share?
A: If this parameter is yes for a service, then no password is required to connect to the
service. Privileges are those of the guest account.
8. Q: When would you set the global parameter disable spoolss?
A: Setting this parameter to Yes disables Samba’s support for the SPOOLSS set of MS-
RPC’s and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can down-
grade to using LanMan style printing commands. Windows 9x/ME are unaffected by the
parameter. However, this disables the ability to upload printer drivers to a Samba server
via the Windows NT/200x Add Printer Wizard or by using the NT printer properties dia-
log window. It also disables the capability of Windows NT/200x clients to download print
drivers from the Samba host on demand. Be extremely careful about setting this parameter.
The alternate parameter use client driver applies only to Windows NT/200x clients. It
has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/200x
clients without first installing a valid printer driver on the Samba host, the client is required
to install a local printer driver. From this point on, the client treats the printer as a local
printer and not a network printer connection. This is much the same behavior that occurs
when disable spoolss = yes.
Under normal circumstances, the NT/200x client attempts to open the network printer
using MS-RPC. Because the client considers the printer to be local, it attempts to issue
the OpenPrinterEx() call requesting access rights associated with the logged on user. If the
user possesses local administrator rights but not root privilege on the Samba host (often the
case), the OpenPrinterEx() call fails. The result is that the client now displays an “Access
Denied; Unable to connect” message in the printer queue window (even though jobs may
be printed successfully). This parameter MUST not be enabled on a print share that has a
valid print driver installed on the Samba server.
9. Q: Why would you disable password caching on Windows 9x/Me clients?
A: Windows 9x/Me workstations that are set at default (password caching enabled) store
the username and password in files located in the Windows master directory. Such files
can be scavenged (read off a client machine) and decrypted, thus revealing the user’s access
credentials for all systems the user may have accessed. It is most insecure to allow any
Windows 9x/Me client to operate with password caching enabled.
10. Q: The example of Abmas Accounting Inc. uses User Mode security. How does this
provide anonymous access?
A: The example used does not provide anonymous access. Since the clients are all Windows
2000 Professional, and given that users are logging onto their machines, by default the
client attempts to connect to a remote server using currently logged in user credentials. By
ensuring that the user’s login ID and password is the same as those set on the Samba server,
access is transparent and does not require separate user authentication.
Chapter 3
SMALL OFFICE NETWORKING
So far, this book has focused on the basics of simple yet effective network solutions. Network
administrators who take pride in their work (that’s most of us, right?) take care to deliver
what our users want, but not too much more. If we make things too complex, we confound
our users and increase costs of network ownership. A professional network manager avoids
the temptation to put too much pizazz into the way that the network operates. Some
creativity is helpful, but do keep it under control.
Five years ago there were two companies from which a lesson can be learned. In one case
the network administrator spent three months building a new network to replace an old
Netware server. What he delivered had all the bells and whistles he could muster. There
were a few teething problems during the change-over, nothing serious but a little disruptive
all the same. Users were exposed to many changes at once. The network administrator was
asked to resign two months after implementing the new system. This was necessary because
so many staff had complained they had lost time and were not happy with the new network.
Everything was automated and he delivered more features than any advanced user could
think of. He was just too smart for his own good.
In the case of the other company, a new network manager was appointed to oversee the
replacement of a LanTastic network with an MS Windows NT 4.0 network. He had the
replacement installed and operational within two weeks. Before installation and change-
over, he called a meeting to explain to all users what was going to happen, how it would
affect them and that he would be available 24 hours a day to help them transition. One
week after conversion, he held another meeting asking for cooperation in the introduction
of a few new features that would help to make life easier. Network users were thrilled with
what he was doing to help them. The network he implemented was nowhere near as complex
as the first example, had fewer features, and yet he had happy users. Months later he was
still adding new innovations. He always asked the users if a particular feature was what
they wanted. He asked his boss for a raise and got it. He often told me, “Always keep a few
new tricks up your sleeves for when you need them.” Was he smart? You decide. Let’s get
on with our next exercise.
3.1 Introduction
Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you were the
right person for the job. That’s why he asked you to install the new server. The past few
months have been hard work. You advised Mr. Meany that it is time for a change. Abmas
now has 52 users, having acquired an investment consulting business recently. The new
users were added to the network without any problems.
Some of the Windows clients are getting to be past their use-by date. You have found
damaged and unusable software on some of the workstations that came with the acquired
business and found some machines that are in need of both hardware and software mainte-
nance.
3.1.1 Assignment Tasks
Mr. Meany has decided to retire in 12 months. He wants you to help him make the business
run better. Many of the new staff want notebook computers. They visit customer business
premises with the need to use local network facilities; these users are technically competent.
The company uses a business application that requires Windows XP Professional. In short,
a complete client upgrade is about to happen. Mr. Meany told you that he is working on
another business acquisition and that by the time he retires there will be 80 to 100 users.
Mr. Meany is not concerned about security. He wants to make it easier for staff to do their
work. He has hired you to help him appoint a full-time network manager before he retires.
Above all, he says he is investing in the ability to grow. He is determined to live his lifelong
dream and hand the business over to a bright and capable executive who can make things
happen. This means your network design must cope well with growth.
In a few months, Abmas will require an Internet connection for email and so staff easily
obtain software updates. Mr. Meany is warming up to the installation of anti-virus software,
but is not yet ready to approve this expense. He told you to spend the money a virus scanner
costs on better quality notebook computers for mobile users.
One of Mr. Meany’s golfing partners sold him on the idea to buy new laser printers. One
black only, the other a color laser printer. Staff support the need for a color printer so they
can present more attractive proposals and reports.
Mr. Meany also asked if it would be possible for one of the staff to manage user accounts
from the Windows desktop. That person will be responsible for basic operations.
3.2 Dissection and Discussion
What are the key requirements in this business example? A quick review indicates a need
for:
Scalability — from 52 to over 100 users in 12 months
Mobile computing capability
Improved reliability and usability
Easier administration
In this instance the installed Linux system is assumed to be a Red Hat Linux Fedora Core2
server (as in Section 2.2.3).
3.2.1 Technical Issues
It is time to implement a domain security environment. You will use the smbpasswd (default)
backend. You should implement a DHCP server. There is no need to run DNS at this time,
but the system will use WINS. The Domain name will be BILLMORE. This time, the name
of the server will be SLEETH.
All printers will be configured as DHCP clients. The DHCP server will assign the printer a
fixed IP address by way of its Ethernet interface (MAC) address. See Example 3.3.2.
Note
The smb.conf file you are creating in this exercise can be used with
equal effectiveness with Samba-2.2.x series releases. This is deliberate
so that in the next chapter it is possible to start with the installation
that you have created here, migrate it to a Samba-3 configuration and
then secure the system further. Configurations following this one will
utilize features that may not be supported in Samba-2.2.x releases.
However, you should note that the examples in each chapter start with
the assumption that a fresh new installation is being effected.
Later on, when the Internet connection is implemented, you will add DNS as well as other
enhancements. It is important that you plan accordingly.
You have split the network into two separate areas. Each has its own ether-switch. There
are 20 users on the accounting network and 32 users on the financial services network. The
server has two network interfaces, one serving each network. The network printers will be
located in a central area. You plan to install the new printers and keep the old printer in
use also.
You will provide separate file storage areas for each business entity. The old system will
go away, accounting files will be handled under a single directory, and files will be stored
under customer name, not under a personal work area. Staff will be made responsible for
file location, so maintain the old share point.
Given that DNS will not be used, you will configure WINS name resolution for UNIX
hostname name resolution.
It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is
advisable to also map Windows Local Groups to UNIX groups. Additionally, the two key
staff groups in the firm are Accounting Staff and Financial Services Staff. For these, it is
necessary to create UNIX groups as well as Windows Domain Groups.
In the sample smb.conf file, you have configured Samba to call the UNIX groupadd to
add group entries. This utility does not permit the addition of group names that contain
upper-case characters or spaces. This is considered a bug. The groupadd is part of the
shadow-utils Open Source Software package. A later release of this package may have
been patched to resolve this bug. If your operating platform has this bug, it means that
attempts to add a Windows Domain Group that has either a space or upper-case characters
in it will fail. See TOSHARG, Section 11.3.1, Example 11.1, for more information.
Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler on
the UNIX host will be operated in raw mode.
3.2.2 Political Issues
Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. He is
willing to spend money on things he believes are of value. You need more time to convince
him of real priorities.
Go ahead, buy better notebooks. Wouldn’t it be neat if they happened to be supplied with
anti-virus software? Above all, demonstrate good purchase value and remember to make
your users happy.
3.3 Implementation
In this example, the assumption is made that this server is being configured from a clean
start. The alternate approach could be to demonstrate the migration of the system that
is documented in Section 2.2.3.2 to meet the new requirements. The decision to treat this
case, as with future examples, as a new installation is based on the premise that you can
determine the migration steps from the information provided in the separate chapter on this
subject. Additionally, a fresh installation makes the example easier to follow.
Each user will be given a home directory on the UNIX system, which will be available as
a private share. Two additional shares will be created, one for the Accounting Department
and the other for the Financial Services Department. Network users will be given access to
these shares by way of group membership.
UNIX group membership is the primary mechanism by which Windows Domain users will
be granted rights and privileges within the Windows environment.
The user alanm will be made the owner of all files. This will be preserved by setting the
sticky bit (set UID/GID) on the top-level directories.
Figure 3.1. Abmas Accounting 52 User Network Topology
1. Using UNIX/Linux system tools, name the server sleeth.
2. Place an entry for the machine sleeth in the /etc/hosts. The printers are network
attached, so it is desirable that there should be entries for the network printers also.
An example /etc/hosts file is shown here:
192.168.1.1 sleeth sleeth1
192.168.2.1 sleeth2
192.168.1.10 hplj6
192.168.1.11 hplj4
192.168.2.10 qms
3. Install the Samba-3 binary RPM from the Samba-Team FTP site.
4. Install the ISC DHCP server using the UNIX/Linux system tools available to you.
5. Given that Samba will be operating over two network interfaces and clients on each
side may want to be able to reach clients on the other side, IP forwarding must be
enabled. Use the system tool of your choice to enable IP forwarding. In the absence of
such a tool on the Linux system, add to the /etc/rc.d/rc.local file an entry as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
This causes the Linux kernel to forward IP packets so that it acts as a router.
6. Install the smb.conf file as shown in Example 3.3.3 and Example 3.3.4. Combine
these two examples to form a single /etc/samba/smb.conf file.
7. Add the user root to the Samba password backend:
root# smbpasswd -a root
New SMB password: XXXXXXX
Retype new SMB password: XXXXXXX
root#
This is the Windows Domain Administrator password. Never delete this account from
the password backend after Windows Domain Groups have been initialized. If you
delete this account, your system is crippled. You cannot restore this account and your
Samba server is no longer capable of being administered.
8. Create the username map file to permit the root account to be called Administrator
from the Windows network environment. To do this, create the file /etc/samba/smbusers
with the following contents:
####
# User mapping file
####
# File Format
# -----------
# Unix_ID = Windows_ID
#
# Examples:
# root = Administrator
# janes = "Jane Smith"
# jimbo = Jim Bones
#
# Note: If the name contains a space it must be double quoted.
# In the example above the name 'jimbo' will be mapped to Windows
# user names 'Jim' and 'Bones' because the space was not quoted.
#######################################################################
root = Administrator
####
# End of File
####
9. Create and map Windows Domain Groups to UNIX groups. A sample script is provided
in Example 3.3.1. Create a file containing this script. We called ours
/etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script.
Sample output should be as follows:
Example 3.3.1. Script to Map Windows NT Groups to UNIX Groups
#!/bin/bash
#
# initGrps.sh
#
# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs
# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
root# chmod 755 initGrps.sh
root# cd /etc/samba
root# ./initGrps.sh
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
Successfully added group Accounts Dept to the mapping db
No rid or sid specified, choosing algorithmic mapping
Successfully added group Financial Services to the mapping db
root# cd /etc/samba
root# net groupmap list | sort
Account Operators (S-1-5-32-548) -> -1
Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
10. For each user who needs to be given a Windows Domain account, make an entry in
the /etc/passwd file as well as in the Samba password backend. Use the system tool
of your choice to create the UNIX system accounts and use the Samba smbpasswd
program to create the Domain user accounts. There are a number of tools for user
management under UNIX. Commonly known ones include useradd and adduser. In
addition to these, there are a plethora of custom tools. With the tool of your choice,
create a home directory for each user.
11. Using the preferred tool for your UNIX system, add each user to the UNIX groups
created previously as necessary. File system access control will be based on UNIX
group membership.
12. Create the directory mount point for the disk sub-system that is mounted to provide
data storage for company files. In this case the mount point indicated in the smb.conf
file is /data. Format the file system as required, mount the formatted file system
partition using mount, and make the appropriate changes in /etc/fstab.
13. Create the top-level file storage directories as follows, using the UNIX groups created
in step 9:
root# mkdir -p /data/{accounts,finsvcs}
root# chown -R root:root /data
root# chown -R alanm:acctsdep /data/accounts
root# chown -R alanm:finsrvcs /data/finsvcs
root# chmod -R ug+rwx,o+rx-w /data
Each department is responsible for creating its own directory structure within its share.
The directory root of the accounts share is /data/accounts. The directory root of
the finsvcs share is /data/finsvcs.
14. Configure the printers with the IP addresses as shown in Figure 3.1. Follow the
instructions in the manufacturers' manuals to permit printing to port 9100. This
allows the CUPS spooler to print using raw mode protocols.
15. Configure the CUPS Print Queues as follows:
root# lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
root# lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
root# lpadmin -p qms -v socket://192.168.2.10:9100 -E
This creates the necessary print queues with no assigned print filter.
16. Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
17. Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
18. Using your favorite system editor, create an /etc/dhcpd.conf with the contents as
shown in Example 3.3.2.
19. Use the standard system tool to start the DHCP server, Samba, and CUPS, and configure
them to start automatically at every system reboot. For example:
root# chkconfig dhcp on
root# chkconfig smb on
root# chkconfig cups on
root# /etc/rc.d/init.d/dhcp restart
root# /etc/rc.d/init.d/smb restart
root# /etc/rc.d/init.d/cups restart
20. Configure the Name Service Switch (NSS) to handle WINS-based name resolution.
Since this system does not use a DNS server, it is safe to remove the dns option from the
NSS hosts entry. Edit the /etc/nsswitch.conf file so that the hosts: entry looks
like this:
hosts: files wins
3.3.1 Validation
Does everything function as it ought? That is the key question at this point. Here are some
simple steps to validate your Samba server configuration.
1. If your smb.conf file has bogus options or parameters, this may cause Samba to refuse
to start. The first step should always be to validate the contents of this file by running:
root# testparm -s
Load smb config files from smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[accounts]"
Processing section "[service]"
Loaded services file OK.
# Global parameters
[global]
workgroup = BILLMORE
passwd chat = *New*Password* \
%n\n *Re-enter*new*password* %n\n *Password*changed*
username map = /etc/samba/smbusers
syslog = 0
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts\logon.bat
logon path =
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
printing = cups
...
### Remainder cut to save space ###
The inclusion of an invalid parameter (say one called dogbert) would generate an error
as follows:
Unknown parameter encountered: "dogbert"
Ignoring unknown parameter "dogbert"
Clear away all errors before proceeding, and start or restart Samba as necessary.
2. Check that the Samba server is running:
root# ps ax | grep mbd
14244 ? S 0:00 /usr/sbin/nmbd -D
14245 ? S 0:00 /usr/sbin/nmbd -D
14290 ? S 0:00 /usr/sbin/smbd -D
root# ps ax | grep winbind
14293 ? S 0:00 /usr/sbin/winbindd -B
14295 ? S 0:00 /usr/sbin/winbindd -B
The winbindd daemon is running in split mode (normal) so there are also two instances
of it. For more information regarding winbindd, see TOSHARG, Chapter 22,
Section 22.3. The single instance of smbd is normal.
3. Check that an anonymous connection can be made to the Samba server:
root# smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
accounts Disk Accounting Files
finsvcs Disk Financial Service Files
IPC$ IPC IPC Service (Samba3)
ADMIN$ IPC IPC Service (Samba3)
hplj4 Printer Hewlett-Packard LaserJet 4
hplj6 Printer Hewlett-Packard LaserJet 6
qms Printer QMS Magicolor Laser Printer XXXX
Server Comment
--------- -------
SLEETH Samba 3.0.12
Workgroup Master
--------- -------
BILLMORE SLEETH
This demonstrates that an anonymous listing of shares can be obtained. This is the
equivalent of browsing the server from a Windows client to obtain a list of shares on
the server. The -U% argument means, send a "NULL username and a NULL password."
4. Verify that the printers have the IP addresses assigned in the DHCP server configuration
file. The easiest way to do this is to ping the printer name. Immediately
after the ping response has been received, execute arp -a to find the MAC address of
the printer that has responded. Now you can compare the IP address and the MAC
address of the printer with the configuration information in the /etc/dhcpd.conf file.
They should, of course, match. For example:
root# ping hplj4
PING hplj4 (192.168.1.11) 56(84) bytes of data.
64 bytes from hplj4 (192.168.1.11): icmp_seq=1 ttl=64 time=0.113 ms
root# arp -a
hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
The MAC address 08:00:46:7A:35:E4 matches that specified for the IP address from
which the printer has responded and with the entry for it in the /etc/dhcpd.conf
file.
5. Make an authenticated connection to the server using the smbclient tool:
root# smbclient //sleeth/accounts -U alanm
Password: XXXXXXX
smb: \> dir
. D 0 Sun Nov 9 01:28:34 2003
.. D 0 Sat Aug 16 17:24:26 2003
.mc DH 0 Sat Nov 8 21:57:38 2003
.qt DH 0 Fri Sep 5 00:48:25 2003
SMB D 0 Sun Oct 19 23:04:30 2003
Documents D 0 Sat Nov 1 00:31:51 2003
xpsp1a_en_x86.exe 131170400 Sun Nov 2 01:25:44 2003
65387 blocks of size 65536. 28590 blocks available
smb: \> q
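Validation step 4 above compares the ping and arp -a results with the host declarations in /etc/dhcpd.conf by eye. The following script is an added example (not part of the book and not Samba or ISC DHCP code) that performs the same comparison, and additionally checks that every fixed-address lies inside the subnet block that declares it. The dhcpd.conf fragment and the arp -a lines are constructed: the printer names, MAC addresses and IP addresses follow this chapter, while the badprn host and the qms ARP line are invented so that the failure cases are visible.

```python
"""Cross-check dhcpd.conf printer reservations against `arp -a` (added example)."""
import ipaddress
import re

# Constructed dhcpd.conf fragment (only the directives this check needs).
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.128 192.168.1.254;
    host hplj4 {
        hardware ethernet 08:00:46:7a:35:e4;
        fixed-address 192.168.1.11;
    }
    host hplj6 {
        hardware ethernet 00:03:47:cb:81:e0;
        fixed-address 192.168.1.10;
    }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.2.128 192.168.2.254;
    host qms {
        hardware ethernet 01:04:31:db:e1:c0;
        fixed-address 192.168.2.10;
    }
    host badprn {                       # constructed: address outside its subnet
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.1.99;
    }
}
"""

# Constructed `arp -a` output: hplj4 is the line shown in validation step 4,
# hplj6 agrees with its reservation, and qms answers from a different MAC.
ARP_OUTPUT = """\
hplj4 (192.168.1.11) at 08:00:46:7A:35:E4 [ether] on eth0
hplj6 (192.168.1.10) at 00:03:47:CB:81:E0 [ether] on eth0
qms (192.168.2.10) at 00:04:31:DB:E1:C0 [ether] on eth1
"""


def parse_dhcpd_hosts(text):
    """Return {name: {'mac', 'ip', 'subnet'}} for every host block in the text."""
    hosts, subnet, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", line)
        if m:
            subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"host\s+(\S+)\s*\{", line)
        if m:
            current = {"mac": None, "ip": None, "subnet": subnet, "name": m.group(1)}
            continue
        m = re.match(r"hardware\s+ethernet\s+([0-9a-fA-F:]+);", line)
        if m and current is not None:
            current["mac"] = m.group(1).lower()
            continue
        m = re.match(r"fixed-address\s+(\S+);", line)
        if m and current is not None:
            current["ip"] = ipaddress.ip_address(m.group(1))
            continue
        if line.startswith("}"):
            if current is not None:          # closing a host block
                hosts[current.pop("name")] = current
                current = None
            else:                            # closing a subnet block
                subnet = None
    return hosts


def parse_arp(text):
    """Parse `arp -a` lines 'name (ip) at mac [ether] on iface' into {name: (ip, mac)}."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+\(([\d.]+)\)\s+at\s+([0-9a-fA-F:]+)", line)
        if m:
            seen[m.group(1)] = (ipaddress.ip_address(m.group(2)), m.group(3).lower())
    return seen


def check_reservations(conf_text, arp_text):
    """Return {hostname: [problem, ...]}; an empty list means the reservation checks out."""
    report = {}
    seen = parse_arp(arp_text)
    for name, h in parse_dhcpd_hosts(conf_text).items():
        problems = []
        if h["subnet"] is not None and h["ip"] not in h["subnet"]:
            problems.append(f"fixed-address {h['ip']} is outside subnet {h['subnet']}")
        if name not in seen:
            problems.append("no ARP entry (did the printer answer a ping?)")
        else:
            ip, mac = seen[name]
            if ip != h["ip"]:
                problems.append(f"answered from {ip}, reservation says {h['ip']}")
            if mac != h["mac"]:
                problems.append(f"MAC {mac} differs from reserved {h['mac']}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_reservations(DHCPD_CONF, ARP_OUTPUT).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a live server the two constants would be replaced by the contents of /etc/dhcpd.conf and the output of arp -a taken immediately after pinging each printer, as the step describes. A MAC mismatch is worth chasing: it means the address the DHCP server reserved for a printer is currently answered by a different interface.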
Windows XP Professional Client Configuration
1. Configure clients to the network settings shown in Figure 3.1. All clients use DHCP
for TCP/IP protocol stack configuration. DHCP configures all Windows clients to
use the WINS Server address 192.168.1.1.
2. Join the Windows Domain called BILLMORE. Use the Domain Administrator user name
root and the SMB password you assigned to this account. A detailed step-by-step
procedure for joining a Windows 200x/XP Professional client to a Windows Domain
is given in Section A.1. Reboot the machine as prompted and then logon using a
Domain User account.
3. Verify on each client that the machine called SLEETH is visible in My Network Places,
that it is possible to connect to it and see the shares accounts and finsvcs, and that
it is possible to open that share to reveal its contents.
4. Instruct all users to log onto the workstation using their assigned user name and
password.
5. Install a printer on each client using the following steps:
(a) Click Start Settings Printers+Add Printer+Next. Do not click Network
printer. Ensure that Local printer is selected.
(b) Click Next. In the panel labeled Manufacturer:, select HP. In the Printers: panel,
select the printer called HP LaserJet 4. Click Next.
(c) In the panel labeled Available ports:, select FILE:. Accept the default printer
name by clicking Next. When asked, “Would you like to print a test page?”, click
No. Click Finish.
(d) You may be prompted for the name of a file to print to. If so, close the dialog
panel. Right-click HP LaserJet 4 Properties Details (Tab) Add Port.
(e) In the panel labeled Network, enter the name of the print queue on the Samba
server as follows: \\SERVER\hplj4. Click OK+OK to complete the installation.
(f) Repeat the printer installation steps above for the HP LaserJet 6 printer as well
as for the QMS Magicolor XXXX laser printer.
3.3.2 Notebook Computers: A Special Case
As a network administrator, you already know how to create local machine accounts for
Windows 200x/XP Professional systems. This is the preferred solution to provide continuity
of work for notebook users so that absence from the office network environment does not
become a barrier to productivity.
By creating a local machine account that has the same user name and password as you create
for that user in the Windows Domain environment, the user can log onto the machine locally
and still transparently access network resources as if logged onto the domain itself. There are
some trade-offs that mean that as the network is more tightly secured it becomes necessary
to modify Windows client configuration somewhat.
3.3.3 Key Points Learned
In this network design and implementation exercise, you have created a Windows NT4 style
Domain Controller using Samba-3.0.12. Following these guidelines meant that you
experienced and implemented several important aspects of Windows networking. In
the next chapter of this book, you build on the experience gained. These are the highlights
from this chapter:
You implemented a DHCP Server and Microsoft Windows clients were able to obtain
all necessary network configuration settings from this server.
You created a Windows Domain Controller. You were able to use the network logon
service and successfully joined Windows 200x/XP Professional clients to the Domain.
You created raw print queues in the CUPS printing system. You maintained a simple
printing system so that all users can share centrally managed printers. You installed
native printer drivers on the Windows clients.
You experienced the benefits of centrally managed user accounts on the server.
You offered Mobile notebook users a solution that allows them to continue to work
while away from the office and not connected to the corporate network.
3.4 Questions and Answers
Your new Domain Controller is ready to serve you. What does it mean? Here are some
questions and answers that may help.
F.A.Q.
1. Q: What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?
A: First and foremost, portability. It means that notebook users can move between the
Abmas office and client offices (so long as they, too, use DHCP) without having to manually
reconfigure their machines. It also means that when they work from their home environments
either using DHCP assigned addressing or when using dial-up networking, settings such as
default routes and DNS server addresses that apply only to the Abmas office environment
do not interfere with remote operations. This is an extremely important feature of DHCP.
2. Q: Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that
should be noted in particular?
A: Yes. The configuration you created automatically provides each client with the IP
address of your WINS server. It also configures the client to preferentially register NetBIOS
names with the WINS server, and then instructs the client to first query the WINS server
when a NetBIOS machine name needs to be resolved to an IP Address. This means that
this configuration results in far lower UDP broadcast traffic than would be the case if WINS
was not used.
3. Q: Is it possible to create a Windows Domain account that is specifically called
Administrator?
A: You can surely create a Windows Domain Account called Administrator. It is also
possible to map that account so that it has the effective UNIX UID of 0. This way it isn't
necessary to use the username map facility to map this account to the UNIX account called
root.
4. Q: Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?
A: The Windows Domain Administrator account is the most privileged account that
exists on the Windows platform. This user can change any setting, add/delete or modify
user accounts, and completely reconfigure the system. The equivalent to this account in
the UNIX environment is the root account. If you want to permit the Windows Domain
Administrator to manage accounts, as well as permissions, privileges, and security settings
within the Domain and on the Samba server, equivalent rights must be assigned. This is
achieved with the root UID equal to 0.
5. Q: One of my junior staff needs the ability to add machines to the Domain, but I do not
want to give him root access. How can we do this?
A: Users who are members of the Domain Admins group can add machines to the Domain.
This group is mapped to the UNIX group called root (or the equivalent wheel group on
some UNIX systems), which has a GID of 0. This must be the primary GID of the account of
the user who is a member of the Windows Domain Admins group.
6. Q: Why must I map Windows Domain Groups to UNIX groups?
A: Samba-3 does not permit a Domain Group to become visible to Domain network clients
unless the account has a UNIX group account equivalent. The Domain groups that should
be given UNIX equivalents are: Domain Guests, Domain Users, Domain Admins.
7. Q: I deleted my root account and now I cannot add it back! What can I do?
A: This is a nasty problem. Fortunately, here is a solution.
1. Back up your existing configuration files in case you need to restore them.
2. Rename the group_mapping.tdb file.
3. Use smbpasswd to add the root account.
4. Restore the group_mapping.tdb file.
8. Q: When I run net groupmap list, it reports a group called Administrators as well as
Domain Admins. What is the difference between them?
A: The group called Administrators is representative of the same account that would be
present as the Local Group account on a Domain Member server or workstation. Samba uses
only Domain Groups at this time. A Workstation or Server Local Group has no meaning in
a Samba context. This may change at some later date. These accounts are provided only
so that security objects are correctly shown.
9. Q: What is the effect of changing the name of a Samba server, or of changing the Domain
name?
A: In the event that you elect to change the name of the Samba server, on restarting smbd,
Windows security identifiers are changed. In the case of a Stand-Alone server or a Domain
Member server, the machine SID is changed. This may break Domain Membership. In the
case of a change of the Domain name (Workgroup name), the Domain SID is changed. This
affects all Domain Memberships.
If it becomes necessary to change either the Server name or the Domain name, be sure
to back up the respective SID before the change is made. You can back up the SID using
net getlocalsid (Samba-3), or by way of smbpasswd (Samba-2.2.x). To
change the SID, you use the same tool. Be sure to check the man page for this command
for detailed instructions regarding the steps involved.
10. Q: How can I manage user accounts from my Windows XP Professional workstation?
A: Samba-3 implements a Windows NT4 style security domain architecture. This type of
Domain cannot be managed using tools present on a Windows XP Professional installation.
You may download from the Microsoft Web site the SRVTOOLS.EXE package. Extract it
into the directory from which you wish to use it. This package extracts the tools known
as: User Manager for Domains, Server Manager, Event Viewer. You may use the
User Manager for Domains to manage your Samba-3 Domain user and group accounts. Of
course, you do need to be logged on as the Administrator for the Samba-3 Domain. It may
help to log on as the root account.
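Step 9 of the implementation maps Windows Domain Groups to UNIX groups, and questions 5, 6 and 8 above explain why the mapping matters: a domain group without a UNIX equivalent is invisible to clients, Domain Admins must carry GID 0, and the BUILTIN entries (S-1-5-32-*) are local groups that need no mapping. The script below is an added example, not part of the book or of Samba, that audits net groupmap list output against /etc/group using those rules. It also decodes the "algorithmic mapping" announced by initGrps.sh: with Samba's default algorithmic rid base of 1000, a group with GID g receives RID 2*g + 1001, so the RIDs 2003 and 2005 in the chapter's output imply GIDs 501 and 502. Both inputs are constructed: the groupmap lines are a subset of the chapter's output plus an invented Engineering entry whose UNIX group does not exist, and the /etc/group excerpt holds the GIDs the RIDs imply.

```python
"""Audit Samba-3 group mappings against /etc/group (added example)."""
import re

# Constructed `net groupmap list` output: the chapter's entries plus 'Engineering'.
GROUPMAP_OUTPUT = """\
Account Operators (S-1-5-32-548) -> -1
Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
Engineering (S-1-5-21-194350-25496802-3394589-2007) -> engdept
Users (S-1-5-32-545) -> -1
"""

# Constructed /etc/group excerpt; 501 and 502 are the GIDs the RIDs above imply.
ETC_GROUP = """\
root:x:0:
users:x:100:
nobody:x:65534:
acctsdep:x:501:alanm
finsrvcs:x:502:alanm
"""

DOMAIN_SID = "S-1-5-21-194350-25496802-3394589"   # from the chapter's output
BUILTIN_SID = "S-1-5-32"
RID_BASE = 1000                                   # Samba's default 'algorithmic rid base'
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def algorithmic_group_rid(gid):
    """Samba-3 algorithmic mapping: groups get odd RIDs, 2*gid + base + 1."""
    return 2 * gid + RID_BASE + 1


def gid_from_group_rid(rid):
    """Invert algorithmic_group_rid; None if the RID cannot be an algorithmic group RID."""
    if rid <= RID_BASE or (rid - RID_BASE) % 2 == 0:
        return None
    return (rid - RID_BASE - 1) // 2


def parse_groupmap(text):
    """Yield (ntgroup, sid, unixgroup) triples from `net groupmap list` output."""
    for line in text.splitlines():
        m = re.match(r"^(.+?) \((S-1-5-[\d-]+)\) -> (\S+)$", line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def parse_etc_group(text):
    """Return {groupname: gid} from text in /etc/group format."""
    gids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            gids[fields[0]] = int(fields[2])
    return gids


def audit_groupmap(groupmap_text, etc_group_text, domain_sid=DOMAIN_SID):
    """Return {ntgroup: (status, detail)} with status 'ok', 'warn' or 'error'."""
    gids = parse_etc_group(etc_group_text)
    verdicts = {}
    for ntgroup, sid, unixgroup in parse_groupmap(groupmap_text):
        authority, _, rid_text = sid.rpartition("-")
        rid = int(rid_text)
        if authority == BUILTIN_SID:
            # Local (workstation) groups: listed only so security objects display correctly.
            verdicts[ntgroup] = ("ok", "BUILTIN local group, no UNIX mapping required")
        elif authority != domain_sid:
            verdicts[ntgroup] = ("error", f"SID belongs to a foreign domain ({authority})")
        elif unixgroup == "-1":
            verdicts[ntgroup] = ("warn", "domain group without UNIX group: invisible to clients")
        elif unixgroup not in gids:
            verdicts[ntgroup] = ("error", f"UNIX group '{unixgroup}' does not exist")
        elif rid == 512 and gids[unixgroup] != 0:
            # Domain Admins must carry GID 0 so that its members can administer the server.
            verdicts[ntgroup] = ("warn", f"Domain Admins maps to GID {gids[unixgroup]}, expected 0")
        elif rid in WELL_KNOWN_RIDS:
            verdicts[ntgroup] = ("ok", f"well-known RID {rid} -> {unixgroup} (GID {gids[unixgroup]})")
        elif gid_from_group_rid(rid) == gids[unixgroup]:
            verdicts[ntgroup] = ("ok", f"algorithmic RID {rid} matches GID {gids[unixgroup]}")
        else:
            verdicts[ntgroup] = ("warn", f"RID {rid} is not algorithmic for GID {gids[unixgroup]}")
    return verdicts


if __name__ == "__main__":
    for ntgroup, (status, detail) in audit_groupmap(GROUPMAP_OUTPUT, ETC_GROUP).items():
        print(f"{status:5} {ntgroup}: {detail}")
```

A RID that is neither well-known nor algorithmic is reported as a warning rather than an error, because net groupmap add accepts an explicit rid= and such mappings are legitimate when intended; the point of the check is to surface mappings that nobody meant to create.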
Example 3.3.2. Abmas Accounting DHCP Server Configuration File — /etc/dhcpd.conf
default-lease-time 86400;
max-lease-time 172800;
option ntp-servers 192.168.1.1;
option domain-name "abmas.biz";
option domain-name-servers 192.168.1.1, 192.168.2.1;
option netbios-name-servers 192.168.1.1, 192.168.2.1;
option netbios-node-type 8;
### NOTE ###
# netbios-node-type=8 means set clients to Hybrid Mode
# so they will use Unicast communication with the WINS
# server and thus reduce the level of UDP broadcast
# traffic by up to 90%.
############
subnet 192.168.1.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.1.128 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    allow unknown-clients;
    # Printer reservations; addresses match /etc/hosts and the CUPS queues
    host hplj4 {
        hardware ethernet 08:00:46:7a:35:e4;
        fixed-address 192.168.1.11;
    }
    host hplj6 {
        hardware ethernet 00:03:47:cb:81:e0;
        fixed-address 192.168.1.10;
    }
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.2.128 192.168.2.254;
    option subnet-mask 255.255.255.0;
    option routers 192.168.2.1;
    allow unknown-clients;
    host qms {
        hardware ethernet 01:04:31:db:e1:c0;
        fixed-address 192.168.2.10;
    }
}
subnet 127.0.0.0 netmask 255.0.0.0 {
}
Example 3.3.3. Accounting Office Network smb.conf File [globals] Section
# Global parameters
[global]
workgroup = BILLMORE
passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*
username map = /etc/samba/smbusers
syslog = 0
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts\login.bat
logon path =
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
printing = CUPS
Example 3.3.4. Accounting Office Network smb.conf File Services and Shares Section
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
printable = Yes
guest ok = Yes
use client driver = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /data/%U
valid users = %S
read only = No
[accounts]
comment = Accounting Files
path = /data/accounts
valid users = %G
read only = No
[finsvcs]
comment = Financial Service Files
path = /data/finsvcs
valid users = %G
read only = No
Chapter 4
SECURE OFFICE NETWORKING
Congratulations, your Samba networking skills are developing nicely. You started out with
three simple networks in Chapter 2, and then in Chapter 3 you designed and built a network
that provides a high degree of flexibility, integrity, and dependability. It was enough for the
basic needs each was designed to fulfill. In this chapter you address a more complex set
of needs. The solution you explore is designed to introduce you to basic features that are
specific to Samba-3.
You should note that a working and secure solution could be implemented using Samba-2.2.x.
In the exercises presented here, you are gradually using more Samba-3 specific features
so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given.
To avoid confusion, this book is all about Samba-3. Let's get the exercises in this chapter
under way.
4.1 Introduction
You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work
well done. It is one year since the last network upgrade. You have been quite busy. Two
months ago Mr. Meany gave approval to hire Christine Roberson who has taken over general
network management. Soon she will provide primary user support. You have demonstrated
you can delegate responsibility, and plan and execute to that plan. Above all, you have
shown Mr. Meany that you are a responsible person. Today is a big day. Mr. Meany called
you to his office at 9 a.m. for news you never expected. You are Mr. Bob Jordan and will
take charge of business operations. Mr. Meany is retiring and has entrusted the business to
your capable hands.
Mr. Meany may be retiring from this company, but not from work. He is taking the
opportunity to develop Abmas Inc. into a larger and more substantial company. He says
that it took him many years to wake up to the fact that there is no future in just running
a business. He now realizes there is great personal reward and satisfaction in creation of
career opportunities for people in the local community. He wants to do more for others as
he is doing for you, Bob Jordan. Today he spent a lot of time talking about the grand plan.
He has plans for growth that you will deal with in the chapters ahead.
Over the past year, the growth projections were exceeded. The network has grown to meet
the needs of 130 users. Along with growth, the demand for improved services and better
functionality has also developed. You are about to make an interim improvement and then
hand over all Help desk and network maintenance to Christine. Christine has professional
certifications in Microsoft Windows as well as in Linux; she is a hard worker and quite likable.
Christine does not want to manage the department (although she manages well). She gains
job satisfaction when left to sort things out. Occasionally she wants to work with you on
a challenging problem. When you told her about your move, she almost resigned, although
she was reassured that a new manager would be hired to run Information Technology and
she would be responsible only for operations.
4.1.1 Assignment Tasks
You promised the staff Internet services including web browsing, electronic mail, virus
protection, and a company Web site. Christine is keen to help turn the vision into reality. Let's
see how close you can get to the promises made.
The network you are about to deliver will service 130 users today. Within 12 months, Abmas
will acquire another company. Mr. Meany claims that within two years there will be well
over 500 users on the network. You have bought into the big picture, so prepare for growth.
You have purchased a new server, will implement a new network infrastructure, and reward
all staff with a new computer. Notebook computers will not be replaced at this time.
You have decided to not recycle old network components. The only items that will be
carried forward are notebook computers. You offered staff new notebooks, but not one
person wanted the disruption for what was perceived as a marginal update. You have made
the decision to give everyone a new desktop computer, even to those who have a notebook
computer.
You have procured a DSL Internet connection that provides 1.5 Megabit/sec (bidirectional)
and a 10 MBit/sec ethernet port. You have registered the domain abmas.us, and the
Internet Service Provider (ISP) is supplying secondary DNS. Information furnished by your
ISP is shown in Table 4.1.
It is of paramount priority that under no circumstances will Samba offer service access from
an Internet connection. You are paying an ISP to give, as part of their value-added services,
full firewall protection for your connection to the outside world. The only services allowed
in from the Internet side are the following destination ports: http/https (ports 80 and
443), email (port 25), DNS (port 53). All Internet traffic will be allowed out after
network address translation (NAT). No internal IP addresses are permitted through the
NAT filter as complete privacy of internal network operations must be assured.
Christine has recommended that desktop systems should be installed from a single cloned
master system that has a minimum of locally installed software and loads all software off
a central application server. The benefit of having the central application server is that
it allows single point maintenance of all business applications, something Christine is keen
to pursue. She further recommended installation of anti-virus software on workstations as
well as on the Samba server. Christine is paranoid about potential virus infection and insists
on a comprehensive approach to detective as well as corrective action to protect network
operations.
Table 4.1. Abmas.US ISP Information
Parameter Value
Server IP Address 123.45.67.66
DSL Device IP Address 123.45.67.65
Network Address 123.45.67.64/30
Gateway Address 123.45.54.65
Primary DNS Server 123.45.54.65
Secondary DNS Server 123.45.54.32
Forwarding DNS Server 123.45.12.23
Figure 4.1. Abmas Network Topology 130 Users
A significant concern is the problem of managing company growth. Recently, a number of
users had to share a PC while waiting for new machines to arrive. This presented some
problems with desktop computers and software installation into the new users’ desktop
profile.
4.2 Dissection and Discussion
Many of the conclusions you draw here are obvious. Some requirements are not very clear
or may simply be your means of drawing the most out of Samba-3. Much can be done more
simply than you will demonstrate here, but keep in mind that the network must scale to at
least 500 users. This means that some functionality will be over-designed for the current
130 user environment.
4.2.1 Technical Issues
In this exercise we are using a 24-bit subnet mask for the two local networks. This, of course,
limits our network to a maximum of 253 usable IP addresses. The network address range
chosen is one of the ranges assigned by RFC1918 for private networks. When the number
of users on the network begins to approach the limit of usable addresses, it would be a good
idea to switch to a network address specified in RFC1918 in the 172.16.0.0/16 range. This
is done in the following chapters.
The high growth rates projected are a good reason to use the tdbsam passdb backend. The
use of smbpasswd for the backend may result in performance problems. The tdbsam passdb
backend offers features that are not available with the older flat ASCII-based smbpasswd
database.
The proposed network design uses a single server to act as an Internet services host for
electronic mail, Web serving, remote administrative access via SSH, as well as for Samba-
based file and print services. This design is often chosen by sites that feel they cannot afford
or justify the cost or overhead of having separate servers. It must be realized that if the security
of this type of server should ever be violated (compromised), the whole network and all
data is at risk. Many sites continue to choose this type of solution; therefore, this chapter
provides detailed coverage of key implementation aspects.
Samba will be configured to specifically not operate on the ethernet interface that is directly
connected to the Internet.
You know that your ISP is providing full firewall services, but you cannot rely on that.
Always assume that human error will occur, so be prepared by using Linux firewall facilities
based on iptables to effect Network Address Translation (NAT). Block all incoming traffic
except to permitted well-known ports. You must also allow incoming packets to established
outgoing connections. You will permit all internal outgoing requests.
The configuration of Web serving, Web proxy services, electronic mail, and the details of
generic anti-virus handling are beyond the scope of this book and therefore are not covered,
except insofar as this affects Samba-3.
Notebook computers are configured to use a network login when in the office and a local
account to log in while away from the office. Users store all work done in transit (away from
the office) in a local share for work files. Standard procedures dictate that on
completion of the work that necessitates mobile file access, all work files are moved back to
secure storage on the office server. Staff are instructed not to keep on any company notebook
computer any files that are not absolutely required. This is a preventative measure to protect
client information as well as private business records.
All applications are served from the central server from a share called apps. Microsoft Office
XP Professional and OpenOffice 1.1.0 will be installed using a network (or administrative)
installation. Accounting and financial management software can also be run only from the
central application server. Notebook users are provided with locally installed applications
on a need-to-have basis only.
The introduction of roaming profiles support means that users can move between desktop
computer systems without constraint while retaining full access to their data. The desktop
travels with them as they move.
The DNS server implementation must now address both internal needs as well as external
needs. You forward DNS lookups to your ISP provided server as well as the abmas.us
external secondary DNS server.
Compared with the DHCP server configuration in Example 3.3.2, the configuration used in
this example has to deal with the presence of an Internet connection. The scope set for it
ensures that no DHCP services will be offered on the external connection. All printers are
configured as DHCP clients, so that the DHCP server assigns the printer a fixed IP address
by way of the ethernet interface (MAC) address. One additional feature of this DHCP server
configuration file is the inclusion of parameters to allow dynamic DNS (DDNS) operation.
This is the first implementation that depends on a correctly functioning DNS server. Comprehensive steps are included to provide for a fully functioning DNS server that also is enabled for dynamic DNS operation. This means that DHCP clients can be auto-registered with the DNS server.
You are taking the opportunity to manually set the netbios name of the Samba server to a
name other than what will be automatically resolved. You are doing this to ensure that the
machine has the same NetBIOS name on both network segments.
As in the previous network configuration, printing in this network configuration uses direct raw printing (i.e., no smart printing and no print driver auto-download to Windows clients). Printer drivers are installed on the Windows client manually. This is not a problem given that Christine is to install and configure one single workstation and then clone that configuration, using Norton Ghost, to all workstations. Each machine is identical, so this should pose no problem.
4.2.1.1 Hardware Requirements
This server runs a considerable number of services. From similarly configured Linux installations, the approximate calculated memory requirements will be as shown in Example 4.2.1.
Example 4.2.1. Estimation of Memory Requirements

Application         Memory per Process   130 Users        500 Users
Name                (MBytes)             Total MBytes     Total MBytes
------------------  -------------------  ---------------  ---------------
DHCP                2.5                  3                3
DNS                 16.0                 16               16
Samba (nmbd)        16.0                 16               16
Samba (winbind)     16.0                 16               16
Samba (smbd)        4.0                  520              2000
Apache              10.0 (20 User)       200              200
CUPS                3.5                  16               32
Basic OS            256.0                256              256
                                         ---------------  ---------------
Total:                                   1043 MBytes      2539 MBytes
                                         ---------------  ---------------
You would choose to add a safety margin of at least 50% to these estimates. The minimum system memory recommended for initial startup would be 1 GByte, but to permit the system to scale to 500 users, it would make sense to provision the machine with 4 GBytes memory. An initial configuration with only 1 GByte memory would lead to early performance complaints as the system load builds up. Given the low cost of memory, it would not make sense to compromise in this area.
Aggregate Input/Output loads should be considered for sizing network configuration as well
as disk subsystems. For network bandwidth calculations, one would typically use an estimate
of 0.1 MBytes/sec per user. This would suggest that 100-Base-T (approx. 10 MBytes/sec)
would deliver below acceptable capacity for the initial user load. It is, therefore, a good
idea to begin with 1 Gigabit ethernet cards for the two internal networks, each attached to
a 1 Gigabit Etherswitch that provides connectivity to an expandable array of 100-Base-T
switched ports.
Considering the choice of 1 Gigabit ethernet interfaces for the two local network segments,
the aggregate network I/O capacity will be 2100 MBit/sec (about 230 MBytes/sec), an I/O
demand that would require a fast disk storage I/O capability. Peak disk throughput is
limited by the disk sub-system chosen. It would be desirable to provide the maximum I/O
bandwidth that can be afforded. If a low-cost solution must be chosen, the use of 3Ware IDE
RAID Controllers makes a good choice. These controllers can be fitted into a 64 bit, 66 MHz
PCI-X slot. They appear to the operating system as a high speed SCSI controller that can
operate at the peak of the PCI-X bandwidth (approximately 450 MByte/sec). Alternative
SCSI-based hardware RAID controllers should also be considered. Alternately, it would
make sense to purchase well-known branded hardware that has appropriate performance
specifications. As a minimum, one should attempt to provide a disk sub-system that can
deliver I/O rates of at least 100 MBytes/sec.
Disk storage requirements may be calculated as shown in Example 4.2.2.
Example 4.2.2. Estimation of Disk Storage Requirements
Corporate Data: 100 MBytes/user per year
Email Storage: 500 MBytes/user per year
Applications: 5000 MBytes
Safety Buffer: At least 50%
Given 500 Users and 2 years:
-----------------------------
Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes
Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes
Applications: 5000 MBytes = 5 GBytes
----------------------------
Total: 605 GBytes
Add 50% buffer 303 GBytes
Recommended Storage: 908 GBytes
The preferred storage capacity should be approximately 1 TeraByte. Use of RAID level 5
with two hot spare drives would require an 8 drive by 200 GByte capacity per drive array.
4.2.2 Political Issues
Your industry is coming under increasing accountability pressures. Increased paranoia is
necessary so you can demonstrate that you have acted with due diligence. You must not
trust your Internet connection.
Apart from permitting more efficient management of business applications through use of
an application server, your primary reason for the decision to implement this is that it gives
you greater control over software licensing.
You are well aware that the current configuration results in some performance issues as the size of the desktop profile grows. Given that users use Microsoft Outlook Express, you know that the storage implications of the .PST file are something that needs to be addressed later on.
4.3 Implementation
Figure 4.1 demonstrates the overall design of the network that you will implement.
The information presented here assumes that you are already familiar with many basic
steps. As this stands, the details provided already extend well beyond just the necessities
of Samba configuration. This decision is deliberate to ensure that key determinants of a
successful installation are not overlooked. This is the last case that documents the finite
minutiae of DHCP and DNS server configuration. Beyond the information provided here,
there are many other good reference books on these subjects.
The smb.conf file has the following noteworthy features:
The NetBIOS name of the Samba server is set to DIAMOND.
The Domain name is set to PROMISES.
Ethernet interface eth0 is attached to the Internet connection and is externally exposed. This interface is explicitly not available for Samba to use. Samba listens on this interface for broadcast messages, but does not broadcast any information on eth0, nor does it accept any connections from it. This is achieved by way of the interfaces parameter and the bind interfaces only entry.
The passdb backend parameter specifies the creation and use of the tdbsam password backend. This is a binary database that has excellent scalability for a large number of user account entries.
WINS serving is enabled by the wins support = Yes, and name resolution is set to use it by means of the name resolve order = wins bcast hosts entry.
The Samba server is configured for use by Windows clients as a time server.
Samba is configured to directly interface with CUPS via the direct internal interface that is provided by CUPS libraries. This is achieved with the printing = CUPS as well as the printcap name = CUPS entries.
External interface scripts are provided to enable Samba to interface smoothly to essential operating system functions for user and group management. This is important to enable workstations to join the Domain, and is also important so that you can use the Windows NT4 Domain User Manager, as well as the Domain Server Manager. These tools are provided as part of the SRVTOOLS.EXE toolkit that can be downloaded from the Microsoft FTP site. <ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE>
The smb.conf file specifies that the Samba server will operate in (default) security = user mode (User Mode).[1]
Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration.
Roaming profiles are enabled through the specification of the parameter, logon path = \\%L\profiles\%U. The value of this parameter translates the %L to the name by which the Samba server is called by the client (for this configuration, it translates to the name DIAMOND), and the %U will translate to the name of the user within the context of the connection made to the profile share. It is the administrator's responsibility to ensure there is a directory in the root of the profile share for each user. This directory must be owned by the user also. An exception to this requirement is when a profile is created for group use.
Precautionary veto is effected for particular Windows file names that have been targeted by virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking controls. This should help to prevent lock contention related file access problems.
Explicit controls are effected to restrict access to the IPC$ share to local networks only. The IPC$ share plays an important role in network browsing and in establishment of network connections.
Every user has a private home directory on the UNIX/Linux host. This is mapped to a network drive that is the same for all users.
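The interfaces and bind interfaces only settings above are what keep smbd and nmbd off the exposed eth0. The following added check (not code from the book; the function names are the editor's) reads the text that testparm -s prints and confirms those two settings plus the tdbsam backend choice. The sample testparm output in the block is constructed from the parameters this chapter lists; the external interface name (eth0) is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the book: confirm from `testparm -s` output that Samba
# is bound only to the internal interfaces. Usage on the live server:
#   testparm -s 2>/dev/null > /tmp/smb.dump && check_smb_exposure /tmp/smb.dump eth0

# global_param FILE NAME: value of "NAME = value" inside [global] only, so a
# per-share parameter with the same name cannot mask a missing global one.
global_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { ing = ($0 ~ /^[ \t]*\[global\]/); next }
        ing && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_smb_exposure FILE EXT_IF: returns 0 only when every check passes.
check_smb_exposure() {
    file=$1; ext_if=$2; rc=0
    bio=$(global_param "$file" "bind interfaces only")
    ifaces=$(global_param "$file" "interfaces")
    backend=$(global_param "$file" "passdb backend")

    case "$bio" in
        [Yy]es|[Tt]rue|1) ;;
        *) echo "FAIL: bind interfaces only = ${bio:-unset}; smbd/nmbd would answer on every interface"; rc=1 ;;
    esac
    if [ -z "$ifaces" ]; then
        echo "FAIL: interfaces is unset, so $ext_if is not excluded"; rc=1
    else
        # testparm prints the list comma separated: "eth1, eth2, lo"
        for i in $(echo "$ifaces" | tr ',' ' '); do
            [ "$i" = "$ext_if" ] && { echo "FAIL: $ext_if appears in interfaces"; rc=1; }
        done
    fi
    case "$backend" in
        tdbsam*) ;;
        *) echo "WARN: passdb backend = ${backend:-unset}; this design calls for tdbsam"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: Samba bound only to: $ifaces"
    return $rc
}

# Constructed sample of what testparm -s prints for this chapter's smb.conf
# (only the parameters the check needs, plus one share section).
sample_testparm() {
    cat <<'EOF'
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
# Global parameters
[global]
        workgroup = PROMISES
        netbios name = DIAMOND
        interfaces = eth1, eth2, lo
        bind interfaces only = Yes
        passdb backend = tdbsam
        smb ports = 139 445
[homes]
        path = /home/%U
        read only = No
EOF
}
```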
The configuration of the server is the most complex so far. The following steps are used:
1 Basic System Configuration
2 Samba Configuration
3 DHCP and DNS Server Configuration
4 Printer Configuration
5 Process Start-up Configuration
6 Validation
7 Application Share Configuration
8 Windows Client Configuration
The following sections cover each step in logical and defined detail.
[1] See TOSHARG, Chapter 3. This is necessary so that Samba can act as a Domain Controller (PDC); see TOSHARG, Chapter 4 for additional information.
4.3.1 Basic System Configuration
The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been freshly installed. It prepares basic files so that the system is ready for comprehensive operation in line with the network diagram shown in Figure 4.1.
1. Using the UNIX/Linux system tools, name the server server.abmas.us. Verify that
your hostname is correctly set by running:
root# uname -n
server
An alternate method to verify the hostname is:
root# hostname -f
server.abmas.us
2. Edit your /etc/hosts file to include the primary names and addresses of all network
interfaces that are on the host server. This is necessary so that during startup the
system can resolve all its own names to the IP address prior to startup of the DNS
server. An example of entries that should be in the /etc/hosts file is:
127.0.0.1 localhost
192.168.1.1 sleeth1.abmas.biz sleeth1 diamond
192.168.2.1 sleeth2.abmas.biz sleeth2
123.45.67.66 server.abmas.us server
You should check the startup order of your system. If the CUPS print server is started
before the DNS server (named), you should also include an entry for the printers in
the /etc/hosts file, as follows:
192.168.1.20 qmsa.abmas.biz qmsa
192.168.1.30 hplj6a.abmas.biz hplj6a
192.168.2.20 qmsf.abmas.biz qmsf
192.168.2.30 hplj6f.abmas.biz hplj6f
The printer entries are not necessary if named is started prior to startup of cupsd,
the CUPS daemon.
3. The host server is acting as a router between the two internal network segments as
well as for all Internet access. This necessitates that IP forwarding must be enabled.
This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to act as a router.[2]
4. Installation of a basic firewall and network address translation facility is necessary. The following script can be installed in the /usr/local/sbin directory. It is executed from the /etc/rc.d/boot.local startup script. In your case, this script is called abmas-natfw.sh. The script contents are shown in Example 4.3.1.
5. Execute the following to make the script executable:
root# chmod 755 /usr/local/sbin/abmas-natfw.sh
You must now edit /etc/rc.d/boot.local to add an entry that runs your abmas-natfw.sh script. The following entry works for you:
#! /bin/sh
#
# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany.
# All rights reserved.
#
# Author: Werner Fink, 1996
# Burchard Steinbild, 1996
#
# /etc/init.d/boot.local
#
# script with local commands to be executed from init on system startup
#
# Here you should add things that should happen directly after booting
# before we're going to the first run level.
#
/usr/local/sbin/abmas-natfw.sh
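The book's Example 4.3.1 is not reproduced here, so the following is an added script (the editor's, not the book's) implementing the firewall policy described in Section 4.2: default-deny on the Internet side, replies to established connections allowed, a short list of well-known TCP ports accepted, NAT for the two internal segments, and IP forwarding switched on only after the rules are loaded, as the editor's note on step 3 recommends. The accepted ports (22, 25, 80 for SSH, mail and Web) and the eth1/eth2 internal interface names are assumptions; DRY_RUN=1 prints the rules instead of installing them.

```shell
#!/bin/sh
# abmas-natfw.sh (added example; not the book's Example 4.3.1)
# Assumptions: eth0 faces the Internet; eth1 and eth2 serve 192.168.1.0/24 and
# 192.168.2.0/24; inbound TCP 22, 25 and 80 are the permitted well-known ports.
# With DRY_RUN=1 the iptables commands are printed instead of executed.

EXT_IF="${EXT_IF:-eth0}"
INT_IFS="${INT_IFS:-eth1 eth2}"
INT_NETS="${INT_NETS:-192.168.1.0/24 192.168.2.0/24}"
ALLOW_TCP="${ALLOW_TCP:-22 25 80}"

# Every rule goes through this wrapper so the whole policy can be reviewed
# (DRY_RUN=1) before it is installed on a live machine.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Start from empty tables with a closed default policy on INPUT and FORWARD.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and the internal segments are trusted.
    ipt -A INPUT -i lo -j ACCEPT
    for iface in $INT_IFS; do
        ipt -A INPUT -i "$iface" -j ACCEPT
    done

    # Packets belonging to connections the server itself opened.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SMB/NetBIOS never from the Internet, whatever ALLOW_TCP is set to later;
    # this backs up "bind interfaces only = Yes" in smb.conf.
    ipt -A INPUT -i "$EXT_IF" -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
    ipt -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 135,137,138,139,445 -j DROP

    # Only the listed well-known ports are reachable from the Internet.
    for port in $ALLOW_TCP; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # The host routes between the two internal segments.
    for in_if in $INT_IFS; do
        for out_if in $INT_IFS; do
            [ "$in_if" = "$out_if" ] || ipt -A FORWARD -i "$in_if" -o "$out_if" -j ACCEPT
        done
    done

    # Internal hosts may reach the Internet (masqueraded); only replies come
    # back; nothing else is routed between the outside and the inside.
    for net in $INT_NETS; do
        ipt -A FORWARD -s "$net" -o "$EXT_IF" -j ACCEPT
        ipt -t nat -A POSTROUTING -s "$net" -o "$EXT_IF" -j MASQUERADE
    done
    ipt -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding() {
    # Deliberately last: the FORWARD chain already drops by default, so the
    # kernel never routes packets before the policy is in place.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply the policy only when invoked as the installed script, so the functions
# can also be sourced for review.
case "$0" in
    */abmas-natfw.sh|abmas-natfw.sh) apply_firewall && enable_forwarding ;;
esac
```

With this script in place, the `echo 1 > /proc/sys/net/ipv4/ip_forward` line in boot.local becomes redundant, since the script performs it after the rules are loaded.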
The server is now ready for Samba configuration. During the validation step, you remove
the entry for the Samba server diamond from the /etc/hosts file. This is done after you
are satisfied that DNS-based name resolution is functioning correctly.
4.3.2 Samba Configuration
When you have completed this section, the Samba server is ready for testing and validation; however, testing and validation have to wait until DHCP, DNS, and Printing (CUPS) services have been configured.
[2] ED NOTE: You may want to do the echo command last and include "0" in the init scripts since it opens up your network for a short time.
1. Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the
binary RPM file is called samba-3.0.12-1.i386.rpm, one way to install this file is as
follows:
root# rpm -Uvh samba-3.0.12-1.i386.rpm
This operation must be performed while logged in as the root user. Successful operation is clearly indicated. If this installation should fail for any reason, refer to the operating system manufacturer's documentation for guidance.
2. Install the smb.conf file shown in Example 4.3.2, Example 4.3.3, and Example 4.3.4.
Concatenate (join) all three files to make a single smb.conf file. The final, fully
qualified path for this file should be /etc/samba/smb.conf.
3. Add the root user to the password backend as follows:
root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
root#
The root account is the UNIX equivalent of the Windows Domain Administrator.
This account is essential in the regular maintenance of your Samba server. It must
never be deleted. If for any reason the account is deleted, you may not be able to
recreate this account without considerable trouble.
4. Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents:
####
# User mapping file
####
# File Format
# -----------
# Unix_ID = Windows_ID
#
# Examples:
# root = Administrator
# janes = "Jane Smith"
# jimbo = Jim Bones
#
# Note: If the name contains a space it must be double quoted.
# In the example above the name 'jimbo' will be mapped to Windows
# user names 'Jim' and 'Bones' because the space was not quoted.
#######################################################################
root = Administrator
####
# End of File
####
5. Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Example 3.3.1. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows:
root# chmod 755 initGrps.sh
root# /etc/samba # ./initGrps.sh
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
Successfully added group Accounts Dept to the mapping db
No rid or sid specified, choosing algorithmic mapping
Successfully added group Domain Guests to the mapping db
root# /etc/samba # net groupmap list | sort
Account Operators (S-1-5-32-548) -> -1
Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
6. There is one preparatory step without which you will not have a working Samba network environment. You must add an account for each network user. For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file, as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a Domain user account. There are a number of tools for user management under UNIX. Commonly known ones include: useradd, adduser. In addition to these, there are a plethora of custom tools. You also want to create a home directory for each user. You can do this by executing the following steps for each user:
root# useradd -m username
root# passwd username
Changing password for username.
New password: XXXXXXXX
Re-enter new password: XXXXXXXX
Password changed
root# smbpasswd -a username
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
Added user username.
You do of course use a valid user login ID in place of username.
7. Using the preferred tool for your UNIX system, add each user to the UNIX groups
created previously as necessary. File system access control will be based on UNIX
group membership.
8. Create the directory mount point for the disk sub-system that can be mounted to
provide data storage for company files. In this case the mount point indicated in the
smb.conf file is /data. Format the file system as required, and mount the formatted
file system partition using appropriate system tools.
9. Create the top-level file storage directories for data and applications as follows:
root# mkdir -p /data/{accounts,finsvcs}
root# mkdir -p /apps
root# chown -R root.root /data
root# chown -R root.root /apps
root# chown -R bjordan.accounts /data/accounts
root# chown -R bjordan.finsvcs /data/finsvcs
root# chmod -R ug+rwxs,o-rwx /data
root# chmod -R ug+rwx,o+rx-w /apps
Each department is responsible for creating its own directory structure within the
departmental share. The directory root of the accounts share is /data/accounts.
The directory root of the finsvcs share is /data/finsvcs. The /apps directory is the
root of the apps share that provides the application server infrastructure.
10. The smb.conf file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the locations on disk that these services require. Adequate planning is essential since desktop profiles can grow to be quite large. For planning purposes, a minimum of 200 Megabytes of storage should be allowed per user for profile storage. The following commands create the directory infrastructure needed:
root# mkdir -p /var/spool/samba
root# mkdir -p /var/lib/samba/{netlogon/scripts,profiles}
root# chown -R root.root /var/spool/samba
root# chown -R root.root /var/lib/samba
root# chmod a+rwxt /var/spool/samba
For each user account that is created on the system, the following commands should
be executed:
root# mkdir /var/lib/samba/profiles/'username'
root# chown 'username'.users /var/lib/samba/profiles/'username'
root# chmod ug+rwx,o+rx-w /var/lib/samba/profiles/'username'
11. Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unix2dos and dos2unix) are installed. First, create a file called /var/lib/samba/netlogon/scripts/logon.bat.unix with the following contents:
net time \\diamond /set /yes
net use h: /home
net use p: \\diamond\apps
Convert the UNIX file to a DOS file using the unix2dos as shown here:
root# unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \
> /var/lib/samba/netlogon/scripts/logon.bat
4.3.3 Configuration of DHCP and DNS Servers
DHCP services are a basic component of the entire network client installation. DNS operation is foundational to Internet access as well as to trouble-free operation of local networking. When you have completed this section, the server should be ready for solid duty operation.
1. Create a file called /etc/dhcpd.conf with the contents as shown in Example 4.3.6.
2. Create a file called /etc/named.conf that has the combined contents of the Example 4.3.7, Example 4.3.8, and Example 4.3.9 files, concatenated (merged) in this specific order.
3. Create the files shown in their directories as follows:
Table 4.2. DNS (named) Resource Files
Reference          File Location
Example A.4.1      /var/lib/named/localhost.zone
Example A.4.2      /var/lib/named/127.0.0.zone
Example A.4.3      /var/lib/named/root.hint
Example 4.3.12     /var/lib/named/master/abmas.biz.hosts
Example 4.3.13     /var/lib/named/abmas.us.hosts
Example 4.3.10     /var/lib/named/192.168.1.0.rev
Example 4.3.11     /var/lib/named/192.168.2.0.rev
4. All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf to have the following content:
search abmas.us abmas.biz
nameserver 127.0.0.1
nameserver 123.45.54.23
This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses. In the event that the local name server is not available, ask the name server provided by the ISP. The latter, of course, does not resolve purely local names to IP addresses.
5. The final step is to edit the /etc/nsswitch.conf file. This file controls the operation
of the various resolver libraries that are part of the Linux Glibc libraries. Edit this
file so that it contains the following entries:
hosts: files dns wins
The basic DHCP and DNS services are now ready for validation testing. Before you can
proceed, there are a few more steps along the road. First, configure the print spooling
and print processing system. Then you can configure the server so that all services start
automatically on reboot. You must also manually start all services prior to validation
testing.
4.3.4 Printer Configuration
1. Configure each printer to be a DHCP client carefully following the manufacturer’s
guidelines.
2. Follow the instructions in the printer manufacturers’ manuals to permit printing to
port 9100. Use any other port the manufacturer specifies for direct mode, raw printing
and adjust the port as necessary in the following example commands. This allows the
CUPS spooler to print using raw mode protocols.
3. Configure the CUPS Print Queues as follows:
root# lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E
root# lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E
root# lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E
root# lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E
This has created the necessary print queues with no assigned print filter.
4. Print queues may not be enabled at creation. Use lpc stat to check the status of the
print queues and if necessary make certain that the queues you have just created are
enabled by executing the following:
root# /usr/bin/enable qmsa
root# /usr/bin/enable hplj6a
root# /usr/bin/enable qmsf
root# /usr/bin/enable hplj6f
5. Even though your print queues may be enabled, it is still possible that they are not
accepting print jobs. A print queue services incoming printing requests only when
configured to do so. Ensure that your print queues are set to accept incoming jobs by
executing the following commands:
root# /usr/bin/accept qmsa
root# /usr/bin/accept hplj6a
root# /usr/bin/accept qmsf
root# /usr/bin/accept hplj6f
6. Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
7. Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
8. Printing drivers are installed on each network client workstation.
The UNIX system print queues have been configured and are ready for validation testing.
4.3.5 Process Startup Configuration
There are two essential steps to process startup configuration. First, the process must be configured so that it automatically restarts each time the server is rebooted. This step involves use of the chkconfig tool that creates the appropriate symbolic links from the master daemon control file that is located in the /etc/rc.d directory, to the /etc/rc'x'.d directories. Links are created so that when the system run-level is changed, the necessary start or kill script is run.
In the event that a service is not run as a daemon, but via the inter-networking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory and sends a hang-up (HUP) signal to the super daemon, thus forcing it to re-read its control files.
Last, each service must be started to permit system validation to proceed.
1. Use the standard system tool to configure each service to restart automatically at
every system reboot. For example:
root# chkconfig dhcp on
root# chkconfig named on
root# chkconfig cups on
root# chkconfig smb on
2. Now start each service to permit the system to be validated. Execute each of the
following in the sequence shown:
root# /etc/rc.d/init.d/dhcp restart
root# /etc/rc.d/init.d/named restart
root# /etc/rc.d/init.d/cups restart
root# /etc/rc.d/init.d/smb restart
4.3.6 Validation
Complex networking problems are most often caused by simple things that are poorly or
incorrectly configured. The validation process adopted here should be followed carefully; it
is the result of the experience gained from years of making and correcting the most common
mistakes. Shortcuts often lead to basic errors. You should refrain from taking shortcuts, from making basic assumptions, and from not exercising due process and diligence in network validation. By thoroughly testing and validating every step in the process of network installation and configuration, you can save yourself from sleepless nights and restless days. A well debugged network is a foundation for happy network users and network administrators. Later in this book you learn how to make users happier. For now, it is enough to learn to validate. Let's get on with it.
1. One of the most important facets of Samba configuration is to ensure that name
resolution functions correctly. You can test name resolution with a few simple tests.
The most basic name resolution is provided from the /etc/hosts file. To test its
operation, make a temporary edit to the /etc/nsswitch.conf file. Using your favorite
editor, change the entry for hosts to read:
hosts: files
When you have saved this file, execute the following command:
root# ping diamond
PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms
64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms
64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms
64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms
--- sleeth1.abmas.biz ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3016ms
rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms
This proves that name resolution via the /etc/hosts file is working.
2. So far, your installation is going particularly well. In this step we validate DNS server
and name resolution operation. Using your favorite UNIX system editor, change the
/etc/nsswitch.conf file so that the hosts entry reads:
hosts: dns
3. Before you test DNS operation, it is a good idea to verify that the DNS server is
running by executing the following:
root# ps ax | grep named
437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log
524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named
2552 pts/2 S 0:00 grep named
This means that we are ready to check DNS operation. Do so by executing:
root# ping diamond
PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data.
64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms
64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms
--- sleeth1.abmas.biz ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms
You should take a few more steps to validate DNS server operation, as follows:
root# host -f diamond.abmas.biz
sleeth1.abmas.biz has address 192.168.1.1
You may now remove the entry called diamond from the /etc/hosts file. It does not
hurt to leave it there, but its removal reduces the number of administrative steps for
this name.
4. WINS is a great way to resolve NetBIOS names to their IP address. You can test
the operation of WINS by starting nmbd (manually, or by way of the Samba startup
method shown in Section 4.3.5). You must edit the /etc/nsswitch.conf file so that
the hosts entry is as follows:
hosts: wins
The next step is to make certain that Samba is running using ps ax|grep mbd, and
then execute the following:
root# ping diamond
PING diamond (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms
Now that you can relax with the knowledge that all three major forms of name to IP address resolution are working, edit the /etc/nsswitch.conf again. This time you add all three forms of name resolution to this file. Your edited entry for hosts should now look like this:
hosts: files dns wins
The system is looking good. Let’s move on.
5. It would give peace of mind to know that the DHCP server is running and available
for service. You can validate DHCP services by running:
root# ps ax | grep dhcp
2618 ? S 0:00 /usr/sbin/dhcpd ...
8180 pts/2 S 0:00 grep dhcp
This shows that the server is running. The proof of whether or not it is working comes
when you try to add the first DHCP client to the network.
6. This is a good point at which to start validating Samba operation. You are content that name resolution is working for basic TCP/IP needs. Let's move on. If your smb.conf file has bogus options or parameters, this may cause Samba to refuse to start. The first step should always be to validate the contents of this file by running:
root# testparm -s
Load smb config files from /etc/samba/smb.conf
Section 4.3. Implementation 75
Processing section "[IPC$]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[accounts]"
Processing section "[service]"
Processing section "[apps]"
Loaded services file OK.
# Global parameters
[global]
workgroup = PROMISES
netbios name = DIAMOND
interfaces = eth1, eth2, lo
bind interfaces only = Yes
passdb backend = tdbsam
pam password change = Yes
passwd chat = *New*Password* %n\n \
*Re-enter*new*password* %n\n *Password*changed*
username map = /etc/samba/smbusers
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd \
-s /bin/false -d /var/lib/nobody %u
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
preferred master = Yes
wins support = Yes
utmp = Yes
winbind use default domain = Yes
map acl inherit = Yes
printing = cups
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
[IPC$]
path = /tmp
hosts allow = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.1
hosts deny = 0.0.0.0/0
...
### Remainder cut to save space ###
Clear away all errors before proceeding.
7. Check that the Samba server is running:
root# ps ax | grep mbd
14244 ? S 0:00 /usr/sbin/nmbd -D
14245 ? S 0:00 /usr/sbin/nmbd -D
14290 ? S 0:00 /usr/sbin/smbd -D
root# ps ax | grep winbind
14293 ? S 0:00 /usr/sbin/winbindd -B
14295 ? S 0:00 /usr/sbin/winbindd -B
The winbindd daemon is running in split mode (normal), so there are also two instances of it (see footnote 3).
8. Check that an anonymous connection can be made to the Samba server:
root# smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 3.0.12)
netlogon Disk Network Logon Service
profiles Disk Profile Share
accounts Disk Accounting Files
service Disk Financial Services Files
apps Disk Application Files
ADMIN$ IPC IPC Service (Samba 3.0.12)
hplj6a Printer hplj6a
hplj6f Printer hplj6f
qmsa Printer qmsa
qmsf Printer qmsf
Footnote 3: For more information regarding winbindd, see TOSHARG, Chapter 22, Section 22.3. The single instance of smbd is normal. One additional smbd slave process is spawned for each SMB/CIFS client connection.
Server Comment
--------- -------
DIAMOND Samba CVS 3.0.12
Workgroup Master
--------- -------
PROMISES DIAMOND
This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent of browsing the server from a Windows client to obtain a list of shares on the server. The -U% argument means "send a NULL username and a NULL password."
9. Verify that each printer has the IP address assigned in the DHCP server configuration
file. The easiest way to do this is to ping the printer name. Immediately after the ping
response has been received, execute arp -a to find the MAC address of the printer
that has responded. Now you can compare the IP address and the MAC address of the
printer with the configuration information in the /etc/dhcpd.conf file. They should,
of course, match. For example:
root# ping hplj6
PING hplj6a (192.168.1.30) 56(84) bytes of data.
64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms
root# arp -a
hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
The MAC address 00:03:47:CB:81:E0 matches that specified for the IP address from
which the printer has responded and with the entry for it in the /etc/dhcpd.conf
file. Repeat this for each printer configured.
10. Make an authenticated connection to the server using the smbclient tool:
root# smbclient //diamond/accounts -U gholmes
Password: XXXXXXX
smb: \> dir
. D 0 Thu Nov 27 15:07:09 2003
.. D 0 Sat Nov 15 17:40:50 2003
zakadmin.exe 161424 Thu Nov 27 15:06:52 2003
zak.exe 6066384 Thu Nov 27 15:06:52 2003
dhcpd.conf 1256 Thu Nov 27 15:06:52 2003
smb.conf 2131 Thu Nov 27 15:06:52 2003
initGrps.sh A 1089 Thu Nov 27 15:06:52 2003
POLICY.EXE 86542 Thu Nov 27 15:06:52 2003
55974 blocks of size 65536. 33968 blocks available
smb: \> q
11. Your new server is connected to an Internet accessible connection. Before you start your firewall, you should run a port scanner against your system. You should repeat that after the firewall has been started. This helps you understand to what extent the server may be vulnerable to external attack. One way you can do this is by using an external service such as the DSL Reports <http://www.dslreports.com/scan> tools. Alternately, if you can gain root-level access to a remote UNIX/Linux system that has the nmap tool, you can run this as follows:
root# nmap -v -sT server.abmas.us
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host server.abmas.us (123.45.67.66) appears to be up ... good.
Initiating Connect() Scan against server.abmas.us (123.45.67.66)
Adding open port 6000/tcp
Adding open port 873/tcp
Adding open port 445/tcp
Adding open port 10000/tcp
Adding open port 901/tcp
Adding open port 631/tcp
Adding open port 25/tcp
Adding open port 111/tcp
Adding open port 32770/tcp
Adding open port 3128/tcp
Adding open port 53/tcp
Adding open port 80/tcp
Adding open port 443/tcp
Adding open port 139/tcp
Adding open port 22/tcp
The Connect() Scan took 0 seconds to scan 1601 ports.
Interesting ports on server.abmas.us (123.45.67.66):
(The 1587 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
873/tcp open rsync
901/tcp open samba-swat
3128/tcp open squid-http
6000/tcp open X11
10000/tcp open snet-sensor-mgmt
32770/tcp open sometimes-rpc3
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
The above scan was run before the external interface was locked down with the NAT-firewall script you created above. The following results are obtained after the firewall rules have been put into place:
root# nmap -v -sT server.abmas.us
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host server.abmas.us (123.45.67.66) appears to be up ... good.
Initiating Connect() Scan against server.abmas.us (123.45.67.66)
Adding open port 53/tcp
Adding open port 22/tcp
The Connect() Scan took 168 seconds to scan 1601 ports.
Interesting ports on server.abmas.us (123.45.67.66):
(The 1593 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
80/tcp closed http
443/tcp closed https
Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds
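Step 9 above compares each printer's IP address and MAC address by eye. The following script is an added example, not part of the book, that automates that cross-check: it parses ISC dhcpd "host" declarations out of a dhcpd.conf excerpt and the lines printed by arp -a, then reports for each configured printer whether the two agree. Both inputs are constructed here so the script runs offline; the hplj6a entry reuses the values shown in the text, while the qmsa entry and its MAC addresses are made up for the example and deliberately disagree so that the failure path is visible.

```shell
#!/bin/sh
# Added example (not from the book): automate the step 9 check by comparing
# the fixed-address host entries of dhcpd.conf with what "arp -a" reports
# once each printer has answered a ping.

# Constructed excerpt of /etc/dhcpd.conf (ISC dhcpd "host" declarations).
# hplj6a uses the values from the text; qmsa is made up for this example.
DHCPD_CONF='host hplj6a {
    hardware ethernet 00:03:47:CB:81:E0;
    fixed-address 192.168.1.30;
}
host qmsa {
    hardware ethernet 00:03:47:CB:81:E1;
    fixed-address 192.168.1.31;
}'

# Constructed "arp -a" output as seen after pinging both printers.
# qmsa answers from a MAC that differs from dhcpd.conf on purpose.
ARP_OUTPUT='hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0
qmsa (192.168.1.31) at 00:03:47:CB:81:FF [ether] on eth0'

# dhcp_pairs: read dhcpd.conf text on stdin and print "ip mac" (MAC in lower
# case) for every host block that has both a hardware ethernet line and a
# fixed-address line.
dhcp_pairs() {
    awk '
        /^host / { in_host = 1; ip = ""; mac = "" }
        in_host && /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        in_host && /fixed-address/     { ip = $2;  sub(/;$/, "", ip) }
        in_host && index($0, "}") > 0  {
            if (ip != "" && mac != "") print ip, tolower(mac)
            in_host = 0
        }'
}

# arp_pairs: read "arp -a" lines on stdin and print "ip mac" (MAC in lower case).
arp_pairs() {
    awk '{ ip = $2; gsub(/[()]/, "", ip); print ip, tolower($4) }'
}

# check_printers: print one line per configured printer, in dhcpd.conf order:
#   "OK <ip>"                         dhcpd.conf and arp agree
#   "MISMATCH <ip> dhcp=<mac> arp=<mac>" the responding device has another MAC
#   "MISSING <ip>"                    no arp entry, the printer never answered
# Exit status is 1 if any printer is not OK, so it can gate a deployment script.
check_printers() {
    {
        printf '%s\n' "$DHCPD_CONF" | dhcp_pairs | sed 's/^/dhcp /'
        printf '%s\n' "$ARP_OUTPUT" | arp_pairs | sed 's/^/arp /'
    } | awk '
        $1 == "dhcp" { expect[$2] = $3; order[++n] = $2 }
        $1 == "arp"  { seen[$2] = $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                ip = order[i]
                if (!(ip in seen)) { print "MISSING " ip; bad = 1; continue }
                if (seen[ip] != expect[ip]) {
                    print "MISMATCH " ip " dhcp=" expect[ip] " arp=" seen[ip]
                    bad = 1
                    continue
                }
                print "OK " ip
            }
            exit bad
        }'
}

# Usage: ping each printer first so the ARP cache is populated, then
#   check_printers || echo "printer configuration needs attention"
```

On a live server the two constructed strings would be replaced by the real /etc/dhcpd.conf and the output of arp -a; the parsing functions read whatever text is on their standard input, so the rest of the script stays the same.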
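The two nmap listings above are meant to be read side by side: which ports the firewall now filters, and which ones are still reachable from the Internet. The script below is an added example, not part of the book, that does that comparison mechanically so it can be repeated after every firewall change. The two port tables are the ones printed above, embedded here (trimmed to the table rows) so the script runs offline; treating 22 and 53 as the only ports intended to stay reachable is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not from the book): compare two "nmap -sT" port tables to
# verify that only the intended ports remain open after the firewall starts.

# Port table from the scan taken before the firewall rules were loaded
# (copied from the listing above).
SCAN_BEFORE='Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
873/tcp open rsync
901/tcp open samba-swat
3128/tcp open squid-http
6000/tcp open X11
10000/tcp open snet-sensor-mgmt
32770/tcp open sometimes-rpc3'

# Port table from the scan taken after the firewall rules were loaded.
SCAN_AFTER='Port State Service
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
80/tcp closed http
443/tcp closed https'

# open_ports SCAN: print the TCP port numbers reported "open", one per line,
# in ascending numeric order. Only "<port>/tcp open <service>" rows match, so
# the "Adding open port" progress lines of a verbose scan are ignored.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); print p[1]
    }' | sort -n
}

# unexpected_open SCAN "ALLOWED PORTS": print open ports that are not in the
# space-separated allow list. Empty output means exposure matches intent.
unexpected_open() {
    allowed=" $2 "
    for port in $(open_ports "$1"); do
        case "$allowed" in
            *" $port "*) ;;          # intended to be reachable
            *) echo "$port" ;;       # exposed but not on the allow list
        esac
    done
}

# newly_blocked BEFORE AFTER: print ports that were open before the firewall
# was started and are no longer reported open afterwards.
newly_blocked() {
    after=" $(open_ports "$2" | tr '\n' ' ')"
    for port in $(open_ports "$1"); do
        case "$after" in
            *" $port "*) ;;          # still open
            *) echo "$port" ;;       # now filtered or closed
        esac
    done
}

# Usage (unexpected_open prints nothing when only the allowed ports remain):
#   unexpected_open "$SCAN_AFTER" "22 53"
#   newly_blocked "$SCAN_BEFORE" "$SCAN_AFTER"
```

Run against the two scans above, unexpected_open reports thirteen ports before the firewall and none after it, which is the result you want to see before declaring the external interface locked down.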
4.3.7 Application Share Configuration
The use of an application server is a key mechanism by which desktop administration overheads can be reduced. Check the application manual for your software to identify how best to create an administrative installation.
Some Windows software will only run locally on the desktop computer. Such software
is typically not suited for administrative installation. Administratively installed software
permits one or more of the following installation choices:
Install software fully onto a workstation, storing data files on the same workstation.
Install software fully onto a workstation with central network data file storage.
Install software to run off a central application server with data files stored on the
local workstation. This is often called a minimum installation, or a network client
installation.
Install software to run off a central application server with data files stored on a central
network share. This type of installation often prevents storage of work files on the
local workstation.
A common application deployed in this environment is an office suite. Enterprise editions of Microsoft Office XP Professional can be administratively installed by launching the installation from a command shell. The command that achieves this is: setup /a. It results in a set of prompts through which various installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource Kit for more information regarding this mode of installation of MS Office XP Professional. The full administrative installation of MS Office XP Professional requires approximately 650 MB of disk space.
When the MS Office XP Professional product has been installed to the administrative network share, the product can be installed onto a workstation by executing the normal setup program. The installation process now provides a choice to either perform a minimum installation or a full local installation. A full local installation takes over 100 MB of disk space. A network workstation (minimum) installation typically requires 10-15 MB of local disk space. In the latter case, when the applications are used, they load over the network.
Microsoft Office Service Packs can be unpacked to update an administrative share. This
makes it possible to update MS Office XP Professional for all users from a single installation
of the service pack and generally circumvents the need to run updates on each network
Windows client.
The default location for MS Office XP Professional data files can be set through registry
editing or by way of configuration options inside each Office XP Professional application.
OpenOffice.Org OpenOffice Version 1.1.0 is capable of being installed locally. It can also be
installed to run off a network share. The latter is a most desirable solution for office-bound
network users and for administrative staff alike. It permits quick and easy updates to be
rolled out to all users with a minimum of disruption and with maximum flexibility.
The process for installation of administrative shared OpenOffice involves download of the
distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area.
When fully extracted using the un-zipping tool of your choosing, change into the Windows
installation files directory then execute setup -net. You are prompted on screen for the
target installation location. This is the administrative share point. The full administrative
OpenOffice share takes approximately 150 MB of disk space.
4.3.7.1 Comments Regarding Software Terms of Use
Many single-user products can be installed into an administrative share, but personal versions of products such as Microsoft Office XP Professional do not permit this. Many people do not like terms of use typical with commercial products, so a few comments regarding software licensing seem important and thus are included below.
Please do not use an administrative installation of proprietary and commercially licensed software products to violate the copyright holders' property. All software is licensed, particularly software that is licensed for use free of charge. All software is the property of the copyright holder, unless the author and/or copyright holder has explicitly disavowed ownership and has placed the software into the public domain.
Software that is under the GNU General Public License, like proprietary software, is licensed
in a way that restricts use. For example, if you modify GPL software and then distribute
the binary version of your modifications, you must offer to provide the source code as well.
This is a form of restriction that is designed to maintain the momentum of the diffusion of
technology and to protect against the withholding of innovations.
Commercial and proprietary software generally restrict use to those who have paid the
license fees and who comply with the licensee’s terms of use. Software that is released
under the GNU General Public License is restricted to particular terms and conditions also.
Whatever the licensing terms may be, if you do not approve of the terms of use, please do
not use the software.
Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided
with the source code.
4.3.8 Windows Client Configuration
Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs
to reinstall many of the notebook computers that will be recycled for use with the new
network configuration. The smartest way to handle the challenge of the roll-out program is
to build a staged system for each type of target machine, and then use an image replication
tool such as Norton Ghost (enterprise edition) to replicate the staged machine to its target
desktops. The same can be done with notebook computers as long as they are identical or
sufficiently similar.
1. Install MS Windows XP Professional. During installation, configure the client to use
DHCP for TCP/IP protocol configuration. DHCP configures all Windows clients to
use the WINS Server address that has been defined for the local subnet.
2. Join the Windows Domain PROMISES. Use the Domain Administrator user name root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to a Windows Domain is given in Section A.1. Reboot the machine as prompted and then logon using the Domain Administrator account (root).
3. Verify DIAMOND is visible in My Network Places, that it is possible to connect to it and see the shares accounts, apps, and finsvcs, and that it is possible to open each share to reveal its contents.
4. Create a drive mapping to the apps share on the server DIAMOND.
5. Perform an administrative installation of each application to be used. Select the
options that you wish to use. Of course, you can choose to run applications over the
network, correct?
6. Now install all applications to be installed locally. Typical tools include: Adobe Acrobat, NTP-based time synchronization software, drivers for specific local devices such as finger-print scanners, and the like. Probably the most significant application for local installation is anti-virus software.
7. Now install all four printers onto the staging system. The printers you install include the Accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will also configure identical printers that are located in the financial services department. Install printers on each machine using the following steps:
(a) Click Start Settings Printers+Add Printer+Next. Do not click Network
printer. Ensure that Local printer is selected.
(b) Click Next. In the panel labeled Manufacturer:, select HP. In the Printers: panel,
select the printer called HP LaserJet 6. Click Next.
(c) In the panel labeled Available ports:, select FILE:. Accept the default printer
name by clicking Next. When asked, “Would you like to print a test page?,” click
No. Click Finish.
(d) You may be prompted for the name of a file to print to. If so, close the dialog
panel. Right-click HP LaserJet 6 Properties Details (Tab) Add Port.
(e) In the panel labeled Network, enter the name of the print queue on the Samba server as follows: \\DIAMOND\hplj6a. Click OK+OK to complete the installation.
(f) Repeat the printer installation steps above for both HP LaserJet 6 printers as
well as for both QMS Magicolor laser printers.
8. When you are satisfied that the staging systems are complete, use the appropriate
procedure to remove the client from the domain. Reboot the system and then log
on as the local administrator and clean out all temporary files stored on the system.
Before shutting down, use the disk defragmentation tool so that the file system is in
an optimal condition before replication.
9. Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM)
and image the machine to a network share on the server.
10. You may now replicate the image to the target machines using the appropriate Norton
Ghost procedure. Make sure to use the procedure that ensures each machine has a
unique Windows security identifier (SID). When the installation of the disk image has
completed, boot the PC.
11. Log onto the machine as the local Administrator (the only option), and join the
machine to the Domain following the procedure set out in Section A.1. The system is
now ready for the user to logon, providing you have created a network logon account
for that user, of course.
12. Instruct all users to log onto the workstation using their assigned user name and
password.
4.3.9 Key Points Learned
How do you feel, Bob? You have built a capable network, a truly ambitious project. Just
as well, you have Christine to help you. Future network updates can be handled by your
staff. You must be a satisfied manager. Let’s review the achievements.
A simple firewall has been configured to protect the server in the event that the ISP
firewall service should fail.
The Samba configuration uses measures to ensure that only local network users can
connect to SMB/CIFS services.
Samba uses the new tdbsam passdb backend facility. Considerable complexity was
added to Samba functionality.
A DHCP server was configured to implement dynamic DNS (DDNS) updates to the
DNS server.
The DNS server was configured to permit DDNS only for local network clients. This
server also provides primary DNS services for the company Internet presence.
You introduced an application server, as well as the concept of cloning a Windows
client in order to effect improved standardization of desktops and to reduce the costs
of network management.
4.4 Questions and Answers
F.A.Q.
1. Q: What is the maximum number of account entries that the tdbsam passdb backend can
handle?
A: The tdb data structure and support system can handle more entries than the number
of accounts that are possible on most UNIX systems. There is a practical limit that would
come into play long before a performance boundary would be anticipated. That practical
limit is controlled by the nature of Windows networking. There are few Windows file and
print servers that can handle more than a few hundred concurrent client connections. The
key limiting factors that predicate off-loading of services to additional servers are memory
capacity, the number of CPUs, network bandwidth, and disk I/O limitations. All of these
are readily exhausted by just a few hundred concurrent active users. Such bottlenecks can
best be removed by segmentation of the network (distributing network load across multiple
networks).
As the network grows, it becomes necessary to provide additional authentication servers
(domain controllers). The tdbsam is limited to a single machine and cannot be reliably
replicated. This means that practical limits on network design dictate the point at which a
distributed passdb backend is required; at this time, there is no real alternative other than
ldapsam (LDAP).
The guideline provided in TOSHARG, Chapter 10, Section 10.1.2, is to limit the number
of accounts in the tdbsam backend to 250. This is the point at which most networks tend
to want backup domain controllers (BDCs). Samba-3 does not provide a mechanism for
replicating tdbsam data so it can be used by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication, not on the limits of the tdbsam backend itself (see footnote 4).
Footnote 4: Bench tests have shown that tdbsam is a very effective database technology. There is surprisingly little performance loss even with over 4000 users.
2. Q: Would Samba operate any better if the OS Level is set to a value higher than 35?
A: No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value of 35 already assures Samba of precedence over MS Windows products in browser elections. There is no gain to be had from setting this higher.
3. Q: Why in this example have you provided UNIX group to Windows Group mappings for
only Domain Groups?
A: At this time, Samba has the capacity to use only Domain Groups mappings. It is
possible that at a later date Samba may make use of Windows Local Groups, as well as
of the Active Directory special Groups. Proper operation requires Domain Groups to be
mapped to valid UNIX groups.
4. Q: Why has a path been specified in the IPC$ share?
A: This is done so that, in the event that a software bug permits a client connection to the IPC$ share to obtain access to the file system, it does so at a location that presents the least risk. Under normal operation this type of paranoid step, and therefore this parameter, should not be necessary.
5. Q: Why does the smb.conf file in this exercise include an entry for smb ports?
A: The default order by which Samba-3 attempts to communicate with MS Windows
clients is via port 445 (the TCP port used by Windows clients when NetBIOS-less SMB over
TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS over TCP/IP. In this
configuration Windows network operations are predicated around NetBIOS over TCP/IP.
By specifying the use of port 139 before port 445, the intent is to reduce unsuccessful service
connection attempts. The result of this is improved network performance. Where Samba-3
is installed as an Active Directory Domain member, the default behavior is highly beneficial
and should not be changed.
6. Q: What is the difference between a print queue and a printer?
A: A printer is a physical device that is connected either directly to the network or to a
computer via a serial, parallel, or USB connection so that print jobs can be submitted to it
to create a hard copy printout. Network attached printers that use TCP/IP-based printing
generally accept a single print data stream and block all secondary attempts to dispatch
jobs concurrently to the same device. If many clients were to concurrently print directly via
TCP/IP to the same printer, it would result in a huge amount of network traffic through
continually failing connection attempts.
A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or print
requests. When the data stream has been fully received the input stream is closed, the job
is then submitted to a sequential print queue where the job is stored until the printer is
ready to receive the job.
7. Q: Can all MS Windows application software be installed onto an application server
share?
A: Much older Windows software is not compatible with installation to and execution off an application server. Enterprise versions of Microsoft Office XP Professional can be installed to an application server. Retail consumer versions of Microsoft Office XP Professional do not permit installation to an application server share and can be installed and used only to/from a local workstation hard disk.
8. Q: Why use dynamic DNS (DDNS)?
A: When DDNS records are updated directly from the DHCP server, it is possible for network clients that are not NetBIOS enabled, and thus cannot use WINS, to locate Windows clients via DNS.
9. Q: Why would you use WINS as well as DNS-based name resolution?
A: WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is a name like "myhost.mydomain.tld", where tld means top level domain. A FQDN is a long hand but easy to remember expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long.
The 16