Samba-3 by Example

Practical Exercises in Successful Samba Deployment

John H. Terpstra

Samba Team

March 4, 2005


Table of Contents

About the Cover Artwork
Acknowledgments
Foreword
By Dan Kusnetzky, IDC
By Andrew Tridgell, Samba Team
Preface
Why Is This Book Necessary?
Samba 3.0.12 Update Edition
Prerequisites
Approach
Summary of Topics
Conventions Used
1. Networking Primer
Requirements and Notes
Introduction
Assignment Tasks
Exercises
Single Machine Broadcast Activity
Second Machine Startup Broadcast Interaction
Simple Windows Client Connection Characteristics
Windows 200x/XP Client Interaction with Samba-3
Conclusions to Exercises
Dissection and Discussion
Technical Issues
Questions and Answers
2. No Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
3. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
4. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
6. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Check-List
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning Domain Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
7. A Distributed 2000 User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
8. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
9. Migrating NetWare 4.11 Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
10. Adding UNIX/LINUX Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using LDAP
NT4/Samba Domain with Samba Domain Member Server Using Winbind
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
11. Active Directory, Kerberos, and Security
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
12. Integrating Additional Services
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-existing Conflicting RPMs
Key Points Learned
Questions and Answers
13. Performance, Reliability, and Availability
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Key Points Learned
A. Appendix: A Collection of Useful Tid-bits
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
B. GNU General Public License
Preamble
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
Section 0
Section 1
Section 2
Section 3
Section 4
Section 5
Section 6
Section 7
Section 8
Section 9
Section 10
NO WARRANTY Section 11
Section 12
How to Apply These Terms to Your New Programs
Glossary
Index

List of Figures

1.1. Windows Me Broadcasts The First 10 Minutes
1.2. Windows Me Later Broadcast Sample
1.3. Typical Windows 9x/Me Host Announcement
1.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
1.5. Typical Windows 9x/Me User SessionSetUp AndX Request
1.6. Typical Windows XP NULL Session Setup AndX Request
1.7. Typical Windows XP User Session Setup AndX Request
2.1. Charity Administration Office Network
2.2. Accounting Office Network Topology
3.1. Abmas Accounting 52 User Network Topology
4.1. Abmas Network Topology 130 Users
5.1. Network Topology 500 User Network Using tdbsam passdb backend.
6.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
6.2. Network Topology 500 User Network Using ldapsam passdb backend.
6.3. Windows XP Professional User Shared Folders
7.1. Network Topology 2000 User Complex Design A
7.2. Network Topology 2000 User Complex Design B
7.3. Samba and Authentication Backend Search Pathways
7.4. Samba Configuration to Use a Single LDAP Server
7.5. Samba Configuration to Use a Dual (Fail-over) LDAP Server
7.6. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
7.7. Samba Configuration to Use Two LDAP Databases - The result is additive.
8.1. Schematic Explaining the net rpc vampire Process
8.2. View of Accounts in NT4 Domain User Manager
10.1. Open Magazine Samba Survey
10.2. Samba Domain: Samba Member Server
10.3. Active Directory Domain: Samba Member Server
A.1. The General Panel.
A.2. The Computer Name Panel.
A.3. The Computer Name Changes Panel.
A.4. The Computer Name Changes Panel Domain MIDEARTH.
A.5. Computer Name Changes User name and Password Panel.
A.6. The LDAP Account Manager Login Screen
A.7. The LDAP Account Manager Configuration Screen
A.8. The LDAP Account Manager User Edit Screen
A.9. The LDAP Account Manager Group Edit Screen
A.10. The LDAP Account Manager Group Membership Edit Screen
A.11. The LDAP Account Manager Host Edit Screen

List of Tables

1. Samba Changes 3.0.2 to 3.0.12
1.1. Windows Me Startup Broadcast Capture Statistics
1.2. Second Machine (Windows 98) Capture Statistics
2.1. Accounting Office Network Information
4.1. Abmas.US ISP Information
4.2. DNS (named) Resource Files
5.1. Domain: MEGANET, File Locations for Servers
6.1. Current Privilege Capabilities
6.2. Required OpenLDAP Linux Packages
6.3. Abmas Network Users and Groups
6.4. Default Profile Redirections
8.1. Samba smb.conf Scripts Essential to Migration
13.1. Effect of Common Problems

List of Examples

2.1. Drafting Office smb.conf File
2.2. Charity Administration Office smb.conf File
2.3. Windows Me Registry Edit File: Disable Password Caching
2.4. Accounting Office Network smb.conf File
3.1. Script to Map Windows NT Groups to UNIX Groups
3.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
3.3. Accounting Office Network smb.conf File [globals] Section
3.4. Accounting Office Network smb.conf File Services and Shares Section
4.1. Estimation of Memory Requirements
4.2. Estimation of Disk Storage Requirements
4.3. NAT Firewall Configuration Script
4.4. 130 User Network with tdbsam [globals] Section
4.5. 130 User Network with tdbsam Services Section Part A
4.6. 130 User Network with tdbsam Services Section Part B
4.7. Script to Map Windows NT Groups to UNIX Groups
4.8. DHCP Server Configuration File /etc/dhcpd.conf
4.9. DNS Master Configuration File /etc/named.conf Master Section
4.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
4.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
4.12. DNS 192.168.1 Reverse Zone File
4.13. DNS 192.168.2 Reverse Zone File
4.14. DNS Abmas.biz Forward Zone File
4.15. DNS Abmas.us Forward Zone File
5.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
5.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
5.3. Common Samba Configuration File: /etc/samba/common.conf
5.4. Server: BLDG1 (Member), File: smb.conf
5.5. Server: BLDG2 (Member), File: smb.conf
5.6. Common Domain Member Include File: dom-mem.conf
5.7. Server: MASSIVE, File: dhcpd.conf
5.8. Server: BLDG1, File: dhcpd.conf
5.9. Server: BLDG2, File: dhcpd.conf
5.10. Server: MASSIVE, File: named.conf, Part: A
5.11. Server: MASSIVE, File: named.conf, Part: B
5.12. Server: MASSIVE, File: named.conf, Part: C
5.13. Forward Zone File: abmas.biz.hosts
5.14. Forward Zone File: abmas.biz.hosts
5.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
5.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
5.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
6.1. LDAP DB_CONFIG File
6.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
6.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
6.4. Configuration File for NSS LDAP Support /etc/ldap.conf
6.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
6.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
6.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
6.8. LDAP Based smb.conf File, Server: BLDG1
6.9. LDAP Based smb.conf File, Server: BLDG2
6.10. LDAP Based smb.conf File, Shares Section Part A
6.11. LDAP Based smb.conf File, Shares Section Part B
6.12. LDIF IDMAP Add-On Load File, File: /etc/openldap/idmap.LDIF
7.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
7.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
7.3. Primary Domain Controller smb.conf File Part A
7.4. Primary Domain Controller smb.conf File Part B
7.5. Primary Domain Controller smb.conf File Part C
7.6. Backup Domain Controller smb.conf File Part A
7.7. Backup Domain Controller smb.conf File Part B
8.1. LDAP Preload LDIF file preload.LDIF
9.1. OpenLDAP Control File slapd.conf Part A
9.2. OpenLDAP Control File slapd.conf Part B
9.3. OpenLDAP Control File slapd.conf Part C
9.4. NSS LDAP Control File /etc/ldap.conf
9.5. Samba Configuration File smb.conf Part A
9.6. Samba Configuration File smb.conf Part B
9.7. Samba Configuration File smb.conf Part C
9.8. Samba Configuration File smb.conf Part D
9.9. Samba Configuration File smb.conf Part E
9.10. Idealx smbldap-tools Control File Part A
9.11. Idealx smbldap-tools Control File Part B
9.12. Idealx smbldap-tools Control File Part C
9.13. Idealx smbldap-tools Control File Part D
9.14. Kixstart Control File, File: logon.kix
9.15. Kixstart Control File, File: main.kix
9.16. Kixstart Control File, File: setup.kix, Part A
9.17. Kixstart Control File, File: setup.kix, Part B
9.18. Kixstart Control File, File: acct.kix
10.1. Samba Domain Member in Samba Domain Control Context smb.conf File
10.2. LDIF IDMAP Add-On Load File, File: /etc/openldap/idmap.LDIF
10.3. Configuration File for NSS LDAP Support /etc/ldap.conf
10.4. NSS using LDAP for Identity Resolution, File: /etc/nsswitch.conf
10.5. Samba Domain Member Server smb.conf File for NT4 Domain
10.6. Name Service Switch Control File: /etc/nsswitch.conf
10.7. Samba Domain Member smb.conf File for Active Directory Membership
10.8. SUSE: PAM login Module Using Winbind
10.9. SUSE: PAM xdm Module Using Winbind
10.10. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
12.1. Kerberos Configuration File: /etc/krb5.conf
12.2. Samba Configuration File: /etc/samba/smb.conf
12.3. NSS Configuration File Extract, File: /etc/nsswitch.conf
12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
12.5. Squid Configuration File Extract, File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
A.1. A Useful Samba Control Script for SuSE Linux
A.2.
A.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
A.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
A.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
A.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
A.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
A.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
A.9. LDIF Pattern File Used to Pre-configure LDAP Part A
A.10. LDIF Pattern File Used to Pre-configure LDAP Part B
A.11. Example LAM Configuration File config.cfg
A.12. LAM Profile Control File lam.conf