Samba-3 by Example

Practical Exercises in Successful Samba Deployment

John H. Terpstra

Samba Team

July, 2006


Table of Contents

About the Cover Artwork
Acknowledgments
Foreword
By John M. Weathersby, Executive Director, OSSI
Preface
Why Is This Book Necessary?
Samba 3.0.20 Update Edition
Prerequisites
Approach
Summary of Topics
Conventions Used
I. Example Network Configurations
1. No-Frills Samba Servers
Introduction
Assignment Tasks
Drafting Office
Charity Administration Office
Accounting Office
Questions and Answers
2. Small Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Validation
Notebook Computers: A Special Case
Key Points Learned
Questions and Answers
3. Secure Office Networking
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Basic System Configuration
Samba Configuration
Configuration of DHCP and DNS Servers
Printer Configuration
Process Startup Configuration
Validation
Application Share Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
4. The 500-User Office
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Installation of DHCP, DNS, and Samba Control Files
Server Preparation: All Servers
Server-Specific Preparation
Process Startup Configuration
Windows Client Configuration
Key Points Learned
Questions and Answers
5. Making Happy Users
Regarding LDAP Directories and Windows Computer Accounts
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Installation Checklist
Samba Server Implementation
OpenLDAP Server Configuration
PAM and NSS Client Configuration
Samba-3 PDC Configuration
Install and Configure Idealx smbldap-tools Scripts
LDAP Initialization and Creation of User and Group Accounts
Printer Configuration
Samba-3 BDC Configuration
Miscellaneous Server Preparation Tasks
Configuring Directory Share Point Roots
Configuring Profile Directories
Preparation of Logon Scripts
Assigning User Rights and Privileges
Windows Client Configuration
Configuration of Default Profile with Folder Redirection
Configuration of MS Outlook to Relocate PST File
Configure Delete Cached Profiles on Logout
Uploading Printer Drivers to Samba Servers
Software Installation
Roll-out Image Creation
Key Points Learned
Questions and Answers
6. A Distributed 2000-User Network
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Key Points Learned
Questions and Answers
II. Domain Members, Updating Samba and Migration
7. Adding Domain Member Servers and Clients
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Samba Domain with Samba Domain Member Server Using NSS LDAP
NT4/Samba Domain with Samba Domain Member Server: Using NSS and Winbind
NT4/Samba Domain with Samba Domain Member Server without NSS Support
Active Directory Domain with Samba Domain Member Server
UNIX/Linux Client Domain Member
Key Points Learned
Questions and Answers
8. Updating Samba-3
Introduction
Cautions and Notes
Upgrading from Samba 1.x and 2.x to Samba-3
Samba 1.9.x and 2.x Versions Without LDAP
Applicable to All Samba 2.x to Samba-3 Upgrades
Samba-2.x with LDAP Support
Updating a Samba-3 Installation
Samba-3 to Samba-3 Updates on the Same Server
Migrating Samba-3 to a New Server
Migration of Samba Accounts to Active Directory
9. Migrating NT4 Domain to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
NT4 Migration Using LDAP Backend
NT4 Migration Using tdbsam Backend
Key Points Learned
Questions and Answers
10. Migrating NetWare Server to Samba-3
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
NetWare Migration Using LDAP Backend
III. Reference Section
11. Active Directory, Kerberos, and Security
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Implementation
Share Access Controls
Share Definition Controls
Share Point Directory and File Permissions
Managing Windows 200x ACLs
Key Points Learned
Questions and Answers
12. Integrating Additional Services
Introduction
Assignment Tasks
Dissection and Discussion
Technical Issues
Political Issues
Implementation
Removal of Pre-Existing Conflicting RPMs
Key Points Learned
Questions and Answers
13. Performance, Reliability, and Availability
Introduction
Dissection and Discussion
Guidelines for Reliable Samba Operation
Name Resolution
Samba Configuration
Use and Location of BDCs
Use One Consistent Version of MS Windows Client
For Scalability, Use SAN-Based Storage on Samba Servers
Distribute Network Load with MSDFS
Replicate Data to Conserve Peak-Demand Wide-Area Bandwidth
Hardware Problems
Large Directories
Key Points Learned
14. Samba Support
Free Support
Commercial Support
15. A Collection of Useful Tidbits
Joining a Domain: Windows 200x/XP Professional
Samba System File Location
Starting Samba
DNS Configuration Files
The Forward Zone File for the Loopback Adaptor
The Reverse Zone File for the Loopback Adaptor
DNS Root Server Hint File
Alternative LDAP Database Initialization
Initialization of the LDAP Database
The LDAP Account Manager
IDEALX Management Console
Effect of Setting File and Directory SUID/SGID Permissions Explained
Shared Data Integrity
Microsoft Access
Act! Database Sharing
Opportunistic Locking Controls
16. Networking Primer
Requirements and Notes
Introduction
Assignment Tasks
Exercises
Single-Machine Broadcast Activity
Second Machine Startup Broadcast Interaction
Simple Windows Client Connection Characteristics
Windows 200x/XP Client Interaction with Samba-3
Conclusions to Exercises
Dissection and Discussion
Technical Issues
Questions and Answers
A. GNU General Public License version 3
Preamble
TERMS AND CONDITIONS
0. Definitions.
1. Source Code.
2. Basic Permissions.
3. Protecting Users’ Legal Rights From Anti-Circumvention Law.
4. Conveying Verbatim Copies.
5. Conveying Modified Source Versions.
6. Conveying Non-Source Forms.
7. Additional Terms.
8. Termination.
9. Acceptance Not Required for Having Copies.
10. Automatic Licensing of Downstream Recipients.
11. Patents.
12. No Surrender of Others’ Freedom.
13. Use with the GNU Affero General Public License.
14. Revised Versions of this License.
15. Disclaimer of Warranty.
16. Limitation of Liability.
17. Interpretation of Sections 15 and 16.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
Glossary
Index

List of Figures

1.1. Charity Administration Office Network
1.2. Accounting Office Network Topology
2.1. Abmas Accounting 52-User Network Topology
3.1. Abmas Network Topology 130 Users
4.1. Network Topology 500 User Network Using tdbsam passdb backend.
5.1. The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts
5.2. Network Topology 500 User Network Using ldapsam passdb backend
5.3. Windows XP Professional User Shared Folders
6.1. Samba and Authentication Backend Search Pathways
6.2. Samba Configuration to Use a Single LDAP Server
6.3. Samba Configuration to Use a Dual (Fail-over) LDAP Server
6.4. Samba Configuration to Use Dual LDAP Databases - Broken - Do Not Use!
6.5. Samba Configuration to Use Two LDAP Databases - The result is additive.
6.6. Network Topology 2000 User Complex Design A
6.7. Network Topology 2000 User Complex Design B
7.1. Open Magazine Samba Survey
7.2. Samba Domain: Samba Member Server
7.3. Active Directory Domain: Samba Member Server
9.1. Schematic Explaining the net rpc vampire Process
9.2. View of Accounts in NT4 Domain User Manager
15.1. The General Panel.
15.2. The Computer Name Panel.
15.3. The Computer Name Changes Panel
15.4. The Computer Name Changes Panel Domain MIDEARTH
15.5. Computer Name Changes User name and Password Panel
15.6. The LDAP Account Manager Login Screen
15.7. The LDAP Account Manager Configuration Screen
15.8. The LDAP Account Manager User Edit Screen
15.9. The LDAP Account Manager Group Edit Screen
15.10. The LDAP Account Manager Group Membership Edit Screen
15.11. The LDAP Account Manager Host Edit Screen
15.12. The IMC Samba User Account Screen
16.1. Windows Me Broadcasts The First 10 Minutes
16.2. Windows Me Later Broadcast Sample
16.3. Typical Windows 9x/Me Host Announcement
16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request
16.5. Typical Windows 9x/Me User SessionSetUp AndX Request
16.6. Typical Windows XP NULL Session Setup AndX Request
16.7. Typical Windows XP User Session Setup AndX Request

List of Tables

1. Samba Changes 3.0.2 to 3.0.20
1.1. Accounting Office Network Information
3.1. Abmas.US ISP Information
3.2. DNS (named) Resource Files
4.1. Domain: MEGANET, File Locations for Servers
5.1. Current Privilege Capabilities
5.2. Required OpenLDAP Linux Packages
5.3. Abmas Network Users and Groups
5.4. Default Profile Redirections
9.1. Samba smb.conf Scripts Essential to Samba Operation
13.1. Effect of Common Problems
16.1. Windows Me Startup Broadcast Capture Statistics
16.2. Second Machine (Windows 98) Capture Statistics

List of Examples

1.1. Drafting Office smb.conf File
1.2. Charity Administration Office smb.conf New-style File
1.3. Charity Administration Office smb.conf Old-style File
1.4. Windows Me Registry Edit File: Disable Password Caching
1.5. Accounting Office Network smb.conf Old Style Configuration File
2.1. Script to Map Windows NT Groups to UNIX Groups
2.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
2.3. Accounting Office Network smb.conf File [globals] Section
2.4. Accounting Office Network smb.conf File Services and Shares Section
3.1. Estimation of Memory Requirements
3.2. Estimation of Disk Storage Requirements
3.3. NAT Firewall Configuration Script
3.4. 130 User Network with tdbsam [globals] Section
3.5. 130 User Network with tdbsam Services Section Part A
3.6. 130 User Network with tdbsam Services Section Part B
3.7. Script to Map Windows NT Groups to UNIX Groups
3.8. DHCP Server Configuration File /etc/dhcpd.conf
3.9. DNS Master Configuration File /etc/named.conf Master Section
3.10. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
3.11. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
3.12. DNS 192.168.1 Reverse Zone File
3.13. DNS 192.168.2 Reverse Zone File
3.14. DNS Abmas.biz Forward Zone File
3.15. DNS Abmas.us Forward Zone File
4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
4.2. Server: MASSIVE (PDC), File: /etc/samba/dc-common.conf
4.3. Common Samba Configuration File: /etc/samba/common.conf
4.4. Server: BLDG1 (Member), File: smb.conf
4.5. Server: BLDG2 (Member), File: smb.conf
4.6. Common Domain Member Include File: dom-mem.conf
4.7. Server: MASSIVE, File: dhcpd.conf
4.8. Server: BLDG1, File: dhcpd.conf
4.9. Server: BLDG2, File: dhcpd.conf
4.10. Server: MASSIVE, File: named.conf, Part: A
4.11. Server: MASSIVE, File: named.conf, Part: B
4.12. Server: MASSIVE, File: named.conf, Part: C
4.13. Forward Zone File: abmas.biz.hosts
4.14. Forward Zone File: abmas.biz.hosts
4.15. Servers: BLDG1/BLDG2, File: named.conf, Part: A
4.16. Servers: BLDG1/BLDG2, File: named.conf, Part: B
4.17. Initialize Groups Script, File: /etc/samba/initGrps.sh
5.1. LDAP DB_CONFIG File
5.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
5.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
5.4. Configuration File for NSS LDAP Support /etc/ldap.conf
5.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
5.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
5.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
5.8. LDAP Based smb.conf File, Server: BLDG1
5.9. LDAP Based smb.conf File, Server: BLDG2
5.10. LDAP Based smb.conf File, Shares Section Part A
5.11. LDAP Based smb.conf File, Shares Section Part B
5.12. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
6.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf
6.2. LDAP Slave Configuration File /etc/openldap/slapd.conf
6.3. Primary Domain Controller smb.conf File Part A
6.4. Primary Domain Controller smb.conf File Part B
6.5. Primary Domain Controller smb.conf File Part C
6.6. Backup Domain Controller smb.conf File Part A
6.7. Backup Domain Controller smb.conf File Part B
7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File
7.2. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
7.3. Configuration File for NSS LDAP Support /etc/ldap.conf
7.4. NSS using LDAP for Identity Resolution File: /etc/nsswitch.conf
7.5. Samba Domain Member Server Using Winbind smb.conf File for NT4 Domain
7.6. Samba Domain Member Server Using Local Accounts smb.conf File for NT4 Domain
7.7. Samba Domain Member smb.conf File for Active Directory Membership
7.8. Example smb.conf File Using idmap_rid
7.9. Typical ADS Style Domain smb.conf File
7.10. ADS Membership Using RFC2307bis Identity Resolution smb.conf File
7.11. SUSE: PAM login Module Using Winbind
7.12. SUSE: PAM xdm Module Using Winbind
7.13. Red Hat 9: PAM System Authentication File: /etc/pam.d/system-auth Module Using Winbind
9.1. NT4 Migration Samba-3 Server smb.conf Part: A
9.2. NT4 Migration Samba-3 Server smb.conf Part: B
9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A
9.4. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part B
9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf
9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)
9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)
10.1. A Rough Tool to Create an LDIF File from the System Account Files
10.2. NSS LDAP Control File /etc/ldap.conf
10.3. The PAM Control File /etc/security/pam_unix2.conf
10.4. Samba Configuration File smb.conf Part A
10.5. Samba Configuration File smb.conf Part B
10.6. Samba Configuration File smb.conf Part C
10.7. Samba Configuration File smb.conf Part D
10.8. Samba Configuration File smb.conf Part E
10.9. Rsync Script
10.10. Rsync Files Exclusion List /root/excludes.txt
10.11. Idealx smbldap-tools Control File Part A
10.12. Idealx smbldap-tools Control File Part B
10.13. Idealx smbldap-tools Control File Part C
10.14. Idealx smbldap-tools Control File Part D
10.15. Kixtart Control File File: logon.kix
10.16. Kixtart Control File File: main.kix
10.17. Kixtart Control File File: setup.kix, Part A
10.18. Kixtart Control File File: setup.kix, Part B
10.19. Kixtart Control File File: acct.kix
12.1. Kerberos Configuration File: /etc/krb5.conf
12.2. Samba Configuration File: /etc/samba/smb.conf
12.3. NSS Configuration File Extract File: /etc/nsswitch.conf
12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]
12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]
15.1. A Useful Samba Control Script for SUSE Linux
15.2. A Sample Samba Control Script for Red Hat Linux
15.3. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone
15.4. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone
15.5. DNS Root Name Server Hint File: /var/lib/named/root.hint
15.6. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A
15.7. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B
15.8. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C
15.9. LDIF Pattern File Used to Pre-configure LDAP Part A
15.10. LDIF Pattern File Used to Pre-configure LDAP Part B
15.11. Example LAM Configuration File config.cfg
15.12. LAM Profile Control File lam.conf