diff options
Diffstat (limited to 'docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml')
| -rw-r--r-- | docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml | 2694 |
1 files changed, 0 insertions, 2694 deletions
diff --git a/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml b/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml deleted file mode 100644 index 63c934e3feb..00000000000 --- a/docs-xml/Samba3-ByExample/SBE-SecureOfficeServer.xml +++ /dev/null @@ -1,2694 +0,0 @@ -<?xml version="1.0" encoding="iso-8859-1"?> -<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> -<chapter id="secure"> - <title>Secure Office Networking</title> - - <para> - Congratulations, your Samba networking skills are developing nicely. You started out - with three simple networks in <link linkend="simple"/>, and then in <link linkend="small"/> - you designed and built a network that provides a high degree of flexibility, integrity, - and dependability. It was enough for the basic needs each was designed to fulfill. In - this chapter you address a more complex set of needs. The solution you explore - introduces you to basic features that are specific to Samba. - </para> - - <para> - You should note that a working and secure solution could be implemented using Samba-2.2.x. - In the exercises presented here, you are gradually using more Samba-specific features, - so caution is advised for anyone who tries to use Samba-2.2.x with the guidance here given. - To avoid confusion, this book is all about Samba. Let's get the exercises in this - chapter underway. - </para> - -<sect1> - <title>Introduction</title> - - <para> - You have made Mr. Meany a very happy man. Recently he paid you a fat bonus for work - well done. It is one year since the last network upgrade. You have been quite busy. - Two months ago Mr. Meany gave approval to hire Christine Roberson, who has taken over - general network management. Soon she will provide primary user support. You have - demonstrated that you can delegate responsibility and can plan and execute according - to that plan. Above all, you have shown Mr. Meany that you are a responsible person. - Today is a big day. Mr. Meany called you to his office at 9 a.m. for news you never - expected: You are going to take charge of business operations. Mr. Meany - is retiring and has entrusted the business to your capable hands. - </para> - - <para> - Mr. Meany may be retiring from this company, but not from work. He is taking the - opportunity to develop Abmas Accounting into a larger and more substantial company. - He says that it took him many years to learn that there is no future in just running - a business. He now realizes there is great personal satisfaction in the creation of - career opportunities for people in the local community. He wants to do more for others, - as he is doing for you. Today he spent a lot of time talking about his grand plan - for growth, which you will deal with in the chapters ahead. - </para> - - <para> - Over the past year, the growth projections were exceeded. The network has grown to - meet the needs of 130 users. Along with growth, the demand for improved services - and better functionality has also developed. You are about to make an interim - improvement and then hand over all Help desk and network maintenance to Christine. - Christine has professional certifications in Microsoft Windows as well as in Linux; - she is a hard worker and quite likable. Christine does not want to manage the department - (although she manages well). She gains job satisfaction when left to sort things out. - Occasionally she wants to work with you on a challenging problem. When you told her - about your move, she almost resigned, although she was reassured that a new manager would - be hired to run Information Technology, and she would be responsible only for operations. - </para> - - <sect2> - <title>Assignment Tasks</title> - - <para> - You promised the staff Internet services including Web browsing, electronic mail, virus - protection, and a company Web site. Christine is eager to help turn the vision into - reality. Let's see how close you can get to the promises made. - </para> - - <para> - The network you are about to deliver will service 130 users today. Within a year, - Abmas will aquire another company. Mr. Meany claims that within 2 years there will be - well over 500 users on the network. You have bought into the big picture, so prepare - for growth. You have purchased a new server and will implement a new network infrastructure. - </para> - - <para> - You have decided to not recycle old network components. The only items that will be - carried forward are notebook computers. You offered staff new notebooks, but not - one person wanted the disruption for what was perceived as a marginal update. - You decided to give everyone, even the notebook user, a new desktop computer. - </para> - - <para> - You procured a DSL Internet connection that provides 1.5 Mb/sec (bidirectional) - and a 10 Mb/sec ethernet port. You registered the domain - <constant>abmas.us</constant>, and the Internet Service Provider (ISP) is supplying - secondary DNS. Information furnished by your ISP is shown in <link linkend="chap4netid"/>. - </para> - - <para> - It is of paramount priority that under no circumstances will Samba offer - service access from an Internet connection. You are paying an ISP to - give, as part of its value-added services, full firewall protection for your - connection to the outside world. The only services allowed in from - the Internet side are the following destination ports: <constant>http/https (ports - 80 and 443), email (port 25), DNS (port 53)</constant>. All Internet traffic - will be allowed out after network address translation (NAT). No internal IP addresses - are permitted through the NAT filter because complete privacy of internal network - operations must be assured. - </para> - - <table id="chap4netid"> - <title>Abmas.US ISP Information</title> - <tgroup cols="2"> - <colspec align="left"/> - <colspec align="center"/> - <thead> - <row> - <entry>Parameter</entry> - <entry>Value</entry> - </row> - </thead> - <tbody> - <row> - <entry>Server IP Address</entry> - <entry>123.45.67.66</entry> - </row> - <row> - <entry>DSL Device IP Address</entry> - <entry>123.45.67.65</entry> - </row> - <row> - <entry>Network Address</entry> - <entry>123.45.67.64/30</entry> - </row> - <row> - <entry>Gateway Address</entry> - <entry>123.45.54.65</entry> - </row> - <row> - <entry>Primary DNS Server</entry> - <entry>123.45.54.65</entry> - </row> - <row> - <entry>Secondary DNS Server</entry> - <entry>123.45.54.32</entry> - </row> - <row> - <entry>Forwarding DNS Server</entry> - <entry>123.45.12.23</entry> - </row> - </tbody> - </tgroup> - </table> - - <figure id="ch04net"> - <title>Abmas Network Topology &smbmdash; 130 Users</title> - <imagefile scale="65">chap4-net</imagefile> - </figure> - - <para> - Christine recommended that desktop systems should be installed from a single cloned - master system that has a minimum of locally installed software and loads all software - off a central application server. The benefit of having the central application server - is that it allows single-point maintenance of all business applications, a more - efficient way to manage software. She further recommended installation of antivirus - software on workstations as well as on the Samba server. Christine knows the dangers - of potential virus infection and insists on a comprehensive approach to detective - as well as corrective action to protect network operations. - </para> - - <para> - A significant concern is the problem of managing company growth. Recently, a number - of users had to share a PC while waiting for new machines to arrive. This presented - some problems with desktop computers and software installation into the new users' - desktop profiles. - </para> - - </sect2> -</sect1> - -<sect1> - <title>Dissection and Discussion</title> - - <para> - Many of the conclusions you draw here are obvious. Some requirements are not very clear - or may simply be your means of drawing the most out of Samba. Much can be done more simply - than you will demonstrate here, but keep in mind that the network must scale to at least 500 - users. This means that some functionality will be overdesigned for the current 130-user - environment. - </para> - - <sect2> - <title>Technical Issues</title> - - <para> - In this exercise we use a 24-bit subnet mask for the two local networks. This, - of course, limits our network to a maximum of 253 usable IP addresses. The network - address range chosen is one assigned by RFC1918 for private networks. - When the number of users on the network begins to approach the limit of usable - addresses, it is a good idea to switch to a network address specified in RFC1918 - in the 172.16.0.0/16 range. This is done in subsequent chapters. - </para> - - <para> - <indexterm><primary>tdbsam</primary></indexterm> - <indexterm><primary>smbpasswd</primary></indexterm> - The high growth rates projected are a good reason to use the <constant>tdbsam</constant> - passdb backend. The use of <constant>smbpasswd</constant> for the backend may result in - performance problems. The <constant>tdbsam</constant> passdb backend offers features that - are not available with the older, flat ASCII-based <constant>smbpasswd</constant> database. - </para> - - <para> - <indexterm><primary>risk</primary></indexterm> - The proposed network design uses a single server to act as an Internet services host for - electronic mail, Web serving, remote administrative access via SSH, - Samba-based file and print services. This design is often chosen by sites that feel - they cannot afford or justify the cost or overhead of having separate servers. It must - be realized that if security of this type of server should ever be violated (compromised), - the whole network and all data is at risk. Many sites continue to choose this type - of solution; therefore, this chapter provides detailed coverage of key implementation - aspects. - </para> - - <para> - Samba will be configured to specifically not operate on the Ethernet interface that is - directly connected to the Internet. - </para> - - <para> - <indexterm><primary>iptables</primary></indexterm> - <indexterm><primary>NAT</primary></indexterm> - <indexterm><primary>Network Address Translation</primary><see>NAT</see></indexterm> - <indexterm><primary>firewall</primary></indexterm> - You know that your ISP is providing full firewall services, but you cannot rely on that. - Always assume that human error will occur, so be prepared by using Linux firewall facilities - based on <command>iptables</command> to effect NAT. Block all - incoming traffic except to permitted well-known ports. You must also allow incoming packets - to establish outgoing connections. You will permit all internal outgoing requests. - </para> - - <para> - The configuration of Web serving, Web proxy services, electronic mail, and the details of - generic antivirus handling are beyond the scope of this book and therefore are not - covered except insofar as this affects Samba. - </para> - - <para> - <indexterm><primary>login</primary></indexterm> - Notebook computers are configured to use a network login when in the office and a - local account to log in while away from the office. Users store all work done in - transit (away from the office) by using a local share for work files. Standard procedures - dictate that on completion of the work that necessitates mobile file access, all - work files are moved back to secure storage on the office server. Staff is instructed - to not carry on any company notebook computer any files that are not absolutely required. - This is a preventative measure to protect client information as well as private business - records. - </para> - - <para> - <indexterm><primary>application server</primary></indexterm> - All applications are served from the central server from a share called <constant>apps</constant>. - Microsoft Office XP Professional and OpenOffice 1.1.0 will be installed using a network - (or administrative) installation. Accounting and financial management software can also - be run only from the central application server. Notebook users are provided with - locally installed applications on a need-to-have basis only. - </para> - - <para> - <indexterm><primary>roaming profiles</primary></indexterm> - The introduction of roaming profiles support means that users can move between - desktop computer systems without constraint while retaining full access to their data. - The desktop travels with them as they move. - </para> - - <para> - <indexterm><primary>DNS</primary></indexterm> - The DNS server implementation must now address both internal and external - needs. You forward DNS lookups to your ISP-provided server as well as the - <constant>abmas.us</constant> external secondary DNS server. - </para> - - <para> - <indexterm><primary>dynamic DNS</primary></indexterm> - <indexterm><primary>DDNS</primary><see>dynamic DNS</see></indexterm> - <indexterm><primary>DHCP server</primary></indexterm> - Compared with the DHCP server configuration in <link linkend="small"/>, <link linkend="dhcp01"/>, the - configuration used in this example has to deal with the presence of an Internet connection. - The scope set for it ensures that no DHCP services will be offered on the external - connection. All printers are configured as DHCP clients so that the DHCP server assigns - the printer a fixed IP address by way of the Ethernet interface (MAC) address. One additional - feature of this DHCP server configuration file is the inclusion of parameters to allow dynamic - DNS (DDNS) operation. - </para> - - <para> - This is the first implementation that depends on a correctly functioning DNS server. - Comprehensive steps are included to provide for a fully functioning DNS server that also - is enabled for DDNS operation. This means that DHCP clients can be autoregistered - with the DNS server. - </para> - - <para> - You are taking the opportunity to manually set the netbios name of the Samba server to - a name other than what will be automatically resolved. You are doing this to ensure that - the machine has the same NetBIOS name on both network segments. - </para> - - <para> - As in the previous network configuration, printing in this network configuration uses - direct raw printing (i.e., no smart printing and no print driver autodownload to Windows - clients). Printer drivers are installed on the Windows client manually. This is not - a problem because Christine is to install and configure one single workstation and - then clone that configuration, using Norton Ghost, to all workstations. Each machine is - identical, so this should pose no problem. - </para> - - <sect3> - <title>Hardware Requirements</title> - - <para> - <indexterm><primary>memory requirements</primary></indexterm> - This server runs a considerable number of services. From similarly configured Linux - installations, the approximate calculated memory requirements are as shown in - <link linkend="ch4memoryest"/>. - -<example id="ch4memoryest"> -<title>Estimation of Memory Requirements</title> -<screen> -Application Memory per User 130 Users 500 Users - Name (MBytes) Total MBytes Total MBytes ------------ --------------- ------------ ------------ -DHCP 2.5 3 3 -DNS 16.0 16 16 -Samba (nmbd) 16.0 16 16 -Samba (winbind) 16.0 16 16 -Samba (smbd) 4.0 520 2000 -Apache 10.0 (20 User) 200 200 -CUPS 3.5 16 32 -Basic OS 256.0 256 256 - -------------- -------------- - Total: 1043 MBytes 2539 MBytes - -------------- -------------- -</screen> -</example> - You should add a safety margin of at least 50% to these estimates. The minimum - system memory recommended for initial startup 1 GB, but to permit the system - to scale to 500 users, it makes sense to provision the machine with 4 GB memory. - An initial configuration with only 1 GB memory would lead to early performance complaints - as the system load builds up. Given the low cost of memory, it does not make sense to - compromise in this area. - </para> - - <para> - <indexterm><primary>bandwidth calculations</primary></indexterm> - Aggregate input/output loads should be considered for sizing network configuration as - well as disk subsystems. For network bandwidth calculations, one would typically use an - estimate of 0.1 MB/sec per user. This suggests that 100-Base-T (approx. 10 MB/sec) - would deliver below acceptable capacity for the initial user load. It is therefore a good - idea to begin with 1 Gb Ethernet cards for the two internal networks, each attached - to a 1 Gb Ethernet switch that provides connectivity to an expandable array of 100-Base-T - switched ports. - </para> - - <para> - <indexterm><primary>network segments</primary></indexterm> - <indexterm><primary>RAID</primary></indexterm> - Considering the choice of 1 Gb Ethernet interfaces for the two local network segments, - the aggregate network I/O capacity will be 2100 Mb/sec (about 230 MB/sec), an I/O - demand that would require a fast disk storage I/O capability. Peak disk throughput is - limited by the disk subsystem chosen. It is desirable to provide the maximum - I/O bandwidth affordable. If a low-cost solution must be chosen, - 3Ware IDE RAID Controllers are a good choice. These controllers can be fitted into a - 64-bit, 66 MHz PCI-X slot. They appear to the operating system as a high-speed SCSI - controller that can operate at the peak of the PCI-X bandwidth (approximately 450 MB/sec). - Alternative SCSI-based hardware RAID controllers should also be considered. Alternately, - it makes sense to purchase well-known, branded hardware that has appropriate performance - specifications. As a minimum, one should attempt to provide a disk subsystem that can - deliver I/O rates of at least 100 MB/sec. - </para> - - <para> - Disk storage requirements may be calculated as shown in <link linkend="ch4diskest"/>. - -<example id="ch4diskest"> -<title>Estimation of Disk Storage Requirements</title> -<screen> -Corporate Data: 100 MBytes/user per year -Email Storage: 500 MBytes/user per year -Applications: 5000 MBytes -Safety Buffer: At least 50% - -Given 500 Users and 2 years: ------------------------------ - Corporate Data: 2 x 100 x 500 = 100000 MBytes = 100 GBytes - Email Storage: 2 x 500 x 500 = 500000 MBytes = 500 GBytes - Applications: 5000 MBytes = 5 GBytes - ---------------------------- - Total: 605 GBytes - Add 50% buffer 303 GBytes - Recommended Storage: 908 GBytes -</screen> -</example> - <indexterm><primary>storage capacity</primary></indexterm> - The preferred storage capacity should be approximately 1 Terabyte. Use of RAID level 5 - with two hot spare drives would require an 8-drive by 200 GB capacity per drive array. - </para> - - </sect3> - - </sect2> - - - <sect2> - <title>Political Issues</title> - - <para> - Your industry is coming under increasing accountability pressures. Increased paranoia - is necessary so you can demonstrate that you have acted with due diligence. You must - not trust your Internet connection. - </para> - - <para> - Apart from permitting more efficient management of business applications through use of - an application server, your primary reason for the decision to implement this is that it - gives you greater control over software licensing. - </para> - - <para> - <indexterm><primary>Outlook Express</primary></indexterm> - You are well aware that the current configuration results in some performance issues - as the size of the desktop profile grows. Given that users use Microsoft Outlook - Express, you know that the storage implications of the <constant>.PST</constant> file - is something that needs to be addressed later. - </para> - - </sect2> - -</sect1> - -<sect1> - <title>Implementation</title> - - <para> - <link linkend="ch04net"/> demonstrates the overall design of the network that you will implement. - </para> - - <para> - The information presented here assumes that you are already familiar with many basic steps. - As this stands, the details provided already extend well beyond just the necessities of - Samba configuration. This decision is deliberate to ensure that key determinants - of a successful installation are not overlooked. This is the last case that documents - the finite minutiae of DHCP and DNS server configuration. Beyond the information provided - here, there are many other good reference books on these subjects. - </para> - - <para> - The &smb.conf; file has the following noteworthy features: - </para> - - <itemizedlist> - <listitem><para> - The NetBIOS name of the Samba server is set to <constant>DIAMOND</constant>. - </para></listitem> - - <listitem><para> - The Domain name is set to <constant>PROMISES</constant>. - </para></listitem> - - <listitem><para> - <indexterm><primary>broadcast messages</primary></indexterm> - <indexterm><primary>interfaces</primary></indexterm> - <indexterm><primary>bind interfaces only</primary></indexterm> - Ethernet interface <constant>eth0</constant> is attached to the Internet connection - and is externally exposed. This interface is explicitly not available for Samba to use. - Samba listens on this interface for broadcast messages but does not broadcast any - information on <constant>eth0</constant>, nor does it accept any connections from it. - This is achieved by way of the <parameter>interfaces</parameter> parameter and the - <parameter>bind interfaces only</parameter> entry. - </para></listitem> - - <listitem><para> - <indexterm><primary>passdb backend</primary></indexterm> - <indexterm><primary>tdbsam</primary></indexterm> - <indexterm><primary>binary database</primary></indexterm> - The <parameter>passdb backend</parameter> parameter specifies the creation and use - of the <constant>tdbsam</constant> password backend. This is a binary database that - has excellent scalability for a large number of user account entries. - </para></listitem> - - <listitem><para> - <indexterm><primary>WINS serving</primary></indexterm> - <indexterm><primary>wins support</primary></indexterm> - <indexterm><primary>name resolve order</primary></indexterm> - WINS serving is enabled by the <smbconfoption name="wins support">Yes</smbconfoption>, - and name resolution is set to use it by means of the - <smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> entry. - </para></listitem> - - <listitem><para> - <indexterm><primary>time server</primary></indexterm> - The Samba server is configured for use by Windows clients as a time server. - </para></listitem> - - <listitem><para> - <indexterm><primary>CUPS</primary></indexterm> - <indexterm><primary>printing</primary></indexterm> - <indexterm><primary>printcap name</primary></indexterm> - Samba is configured to directly interface with CUPS via the direct internal interface - that is provided by CUPS libraries. This is achieved with the - <smbconfoption name="printing">CUPS</smbconfoption> as well as the - <smbconfoption name="printcap name">CUPS</smbconfoption> entries. - </para></listitem> - - <listitem><para> - <indexterm><primary>user management</primary></indexterm> - <indexterm><primary>group management</primary></indexterm> - <indexterm><primary>SRVTOOLS.EXE</primary></indexterm> - External interface scripts are provided to enable Samba to interface smoothly to - essential operating system functions for user and group management. This is important - to enable workstations to join the Domain and is also important so that you can use - the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools - are provided as part of the <filename>SRVTOOLS.EXE</filename> toolkit that can be - downloaded from the Microsoft FTP - <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">site</ulink>. - </para></listitem> - - <listitem><para> - <indexterm><primary>User Mode</primary></indexterm> - The &smb.conf; file specifies that the Samba server will operate in (default) <parameter> - security = user</parameter> mode<footnote><para>See <emphasis>TOSHARG2</emphasis>, Chapter 3. - This is necessary so that Samba can act as a Domain Controller (PDC); see - <emphasis>TOSHARG2</emphasis>, Chapter 4, for additional information.</para></footnote> - (User Mode). - </para></listitem> - - <listitem><para> - <indexterm><primary>logon services</primary></indexterm> - <indexterm><primary>logon script</primary></indexterm> - Domain logon services as well as a Domain logon script are specified. The logon script - will be used to add robustness to the overall network configuration. - </para></listitem> - - <listitem><para> - <indexterm><primary>roaming profiles</primary></indexterm> - <indexterm><primary>logon path</primary></indexterm> - <indexterm><primary>profile share</primary></indexterm> - Roaming profiles are enabled through the specification of the parameter, - <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>. The value of this parameter translates the - <constant>%L</constant> to the name by which the Samba server is called by the client (for this - configuration, it translates to the name <constant>DIAMOND</constant>), and the <constant>%U</constant> - will translate to the name of the user within the context of the connection made to the profile share. - It is the administrator's responsibility to ensure there is a directory in the root of the - profile share for each user. This directory must be owned by the user also. An exception to this - requirement is when a profile is created for group use. - </para></listitem> - - <listitem><para> - <indexterm><primary>virus</primary></indexterm> - <indexterm><primary>opportunistic locking</primary></indexterm> - Precautionary veto is effected for particular Windows file names that have been targeted by - virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking - controls. This should help to prevent lock contention-related file access problems. - </para></listitem> - - <listitem><para> - Every user has a private home directory on the UNIX/Linux host. This is mapped to - a network drive that is the same for all users. - </para></listitem> - - </itemizedlist> - - <para> - The configuration of the server is the most complex so far. The following steps are used: - </para> - - <orderedlist numeration="arabic"> - <listitem><para> - Basic System Configuration - </para></listitem> - - <listitem><para> - Samba Configuration - </para></listitem> - - <listitem><para> - DHCP and DNS Server Configuration - </para></listitem> - - <listitem><para> - Printer Configuration - </para></listitem> - - <listitem><para> - Process Start-up Configuration - </para></listitem> - - <listitem><para> - Validation - </para></listitem> - - <listitem><para> - Application Share Configuration - </para></listitem> - - <listitem><para> - Windows Client Configuration - </para></listitem> - </orderedlist> - - <para> - The following sections cover each step in logical and defined detail. - </para> - - <sect2 id="ch4bsc"> - <title>Basic System Configuration</title> - - <para> - <indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm> - The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been - freshly installed. It prepares basic files so that the system is ready for comprehensive - operation in line with the network diagram shown in <link linkend="ch04net"/>. - </para> - - <procedure> - <title>Server Configuration Steps</title> - - <step><para> - <indexterm><primary>hostname</primary></indexterm> - Using the UNIX/Linux system tools, name the server <constant>server.abmas.us</constant>. - Verify that your hostname is correctly set by running: -<screen> -&rootprompt; uname -n -server -</screen> - An alternate method to verify the hostname is: -<screen> -&rootprompt; hostname -f -server.abmas.us -</screen> - </para></step> - - <step><para> - <indexterm><primary>/etc/hosts</primary></indexterm> - <indexterm><primary>localhost</primary></indexterm> - Edit your <filename>/etc/hosts</filename> file to include the primary names and addresses - of all network interfaces that are on the host server. This is necessary so that during - startup the system can resolve all its own names to the IP address prior to - startup of the DNS server. An example of entries that should be in the - <filename>/etc/hosts</filename> file is: -<screen> -127.0.0.1 localhost -192.168.1.1 sleeth1.abmas.biz sleeth1 diamond -192.168.2.1 sleeth2.abmas.biz sleeth2 -123.45.67.66 server.abmas.us server -</screen> - You should check the startup order of your system. If the CUPS print server is started before - the DNS server (<command>named</command>), you should also include an entry for the printers - in the <filename>/etc/hosts</filename> file, as follows: -<screen> -192.168.1.20 qmsa.abmas.biz qmsa -192.168.1.30 hplj6a.abmas.biz hplj6a -192.168.2.20 qmsf.abmas.biz qmsf -192.168.2.30 hplj6f.abmas.biz hplj6f -</screen> - <indexterm><primary>named</primary></indexterm> - <indexterm><primary>cupsd</primary></indexterm> - <indexterm><primary>daemon</primary></indexterm> - The printer entries are not necessary if <command>named</command> is started prior to - startup of <command>cupsd</command>, the CUPS daemon. - </para></step> - - <step><para> - <indexterm><primary>/etc/rc.d/boot.local</primary></indexterm> - <indexterm><primary>IP forwarding</primary></indexterm> - <indexterm><primary>/proc/sys/net/ipv4/ip_forward</primary></indexterm> - The host server is acting as a router between the two internal network segments as well - as for all Internet access. This necessitates that IP forwarding be enabled. This can be - achieved by adding to the <filename>/etc/rc.d/boot.local</filename> an entry as follows: -<screen> -echo 1 > /proc/sys/net/ipv4/ip_forward -</screen> - To ensure that your kernel is capable of IP forwarding during configuration, you may - wish to execute that command manually also. This setting permits the Linux system to - act as a router.<footnote><para>You may want to do the echo command last and include - "0" in the init scripts, since it opens up your network for a short time.</para></footnote> - </para></step> - - <step><para> - <indexterm><primary>firewall</primary></indexterm> - <indexterm><primary>abmas-netfw.sh</primary></indexterm> - Installation of a basic firewall and NAT facility is necessary. - The following script can be installed in the <filename>/usr/local/sbin</filename> - directory. It is executed from the <filename>/etc/rc.d/boot.local</filename> startup - script. In your case, this script is called <filename>abmas-netfw.sh</filename>. The - script contents are shown in <link linkend="ch4natfw"/>. - -<example id="ch4natfw"> -<title>NAT Firewall Configuration Script</title> -<screen> -#!/bin/sh -echo -e "\n\nLoading NAT firewall.\n" -IPTABLES=/usr/sbin/iptables -EXTIF="eth0" -INTIFA="eth1" -INTIFB="eth2" - -/sbin/depmod -a -/sbin/modprobe ip_tables -/sbin/modprobe ip_conntrack -/sbin/modprobe ip_conntrack_ftp -/sbin/modprobe iptable_nat -/sbin/modprobe ip_nat_ftp -$IPTABLES -P INPUT DROP -$IPTABLES -F INPUT -$IPTABLES -P OUTPUT ACCEPT -$IPTABLES -F OUTPUT -$IPTABLES -P FORWARD DROP -$IPTABLES -F FORWARD - -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A INPUT -i $INTIFA -j ACCEPT -$IPTABLES -A INPUT -i $INTIFB -j ACCEPT -$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT -# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS -for i in 22 25 53 80 443 -do - $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT -done -# Allow DNS(udp) -$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT -echo "Allow all connections OUT and only existing and specified ones IN" -$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \ - --state ESTABLISHED,RELATED -j ACCEPT -$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \ - --state ESTABLISHED,RELATED -j ACCEPT -$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT -$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT -$IPTABLES -A FORWARD -j LOG -echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" -$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE -echo "1" > /proc/sys/net/ipv4/ip_forward -echo -e "\nNAT firewall done.\n" -</screen> -</example> - </para></step> - - <step><para> - Execute the following to make the script executable: -<screen> -&rootprompt; chmod 755 /usr/local/sbin/abmas-natfw.sh -</screen> - You must now edit <filename>/etc/rc.d/boot.local</filename> to add an entry - that runs your <command>abmas-natfw.sh</command> script. The following - entry works for you: -<screen> -#! /bin/sh -# -# Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. -# All rights reserved. -# -# Author: Werner Fink, 1996 -# Burchard Steinbild, 1996 -# -# /etc/init.d/boot.local -# -# script with local commands to be executed from init on system startup -# -# Here you should add things that should happen directly after booting -# before we're going to the first run level. -# -/usr/local/sbin/abmas-natfw.sh -</screen> - </para></step> - </procedure> - - <para> - <indexterm><primary>/etc/hosts</primary></indexterm> - The server is now ready for Samba configuration. During the validation step, you remove - the entry for the Samba server <constant>diamond</constant> from the <filename>/etc/hosts</filename> - file. This is done after you are satisfied that DNS-based name resolution is functioning correctly. - </para> - - </sect2> - - <sect2> - <title>Samba Configuration</title> - - <para> - When you have completed this section, the Samba server is ready for testing and validation; - however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have - been configured. - </para> - - <procedure> - <title>Samba Configuration Steps</title> - - <step><para> - Install the Samba binary RPM from the Samba-Team FTP site. Assuming that the binary - RPM file is called <filename>samba-3.0.20-1.i386.rpm</filename>, one way to install this - file is as follows: -<screen> -&rootprompt; rpm -Uvh samba-3.0.20-1.i386.rpm -</screen> - This operation must be performed while logged in as the <command>root</command> user. - Successful operation is clearly indicated. If this installation should fail for any reason, - refer to the operating system manufacturer's documentation for guidance. - </para></step> - - <step><para> - Install the &smb.conf; file shown in <link linkend="promisnet"/>, <link linkend="promisnetsvca"/>, - and <link linkend="promisnetsvcb"/>. Concatenate (join) all three files to make a single &smb.conf; - file. The final, fully qualified path for this file should be <filename>/etc/samba/smb.conf</filename>. - -<example id="promisnet"> -<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; [globals] Section</title> -<smbconfblock> -<smbconfcomment>Global parameters</smbconfcomment> -<smbconfsection name="[global]"/> -<smbconfoption name="workgroup">PROMISES</smbconfoption> -<smbconfoption name="netbios name">DIAMOND</smbconfoption> -<smbconfoption name="interfaces">eth1, eth2, lo</smbconfoption> -<smbconfoption name="bind interfaces only">Yes</smbconfoption> -<smbconfoption name="passdb backend">tdbsam</smbconfoption> -<smbconfoption name="pam password change">Yes</smbconfoption> -<smbconfoption name="passwd program">/usr/bin/passwd %u</smbconfoption> -<smbconfoption name="passwd chat">*New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*</smbconfoption> -<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> -<smbconfoption name="unix password sync">Yes</smbconfoption> -<smbconfoption name="log level">1</smbconfoption> -<smbconfoption name="syslog">0</smbconfoption> -<smbconfoption name="log file">/var/log/samba/%m</smbconfoption> -<smbconfoption name="max log size">50</smbconfoption> -<smbconfoption name="smb ports">139</smbconfoption> -<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption> -<smbconfoption name="time server">Yes</smbconfoption> -<smbconfoption name="printcap name">CUPS</smbconfoption> -<smbconfoption name="show add printer wizard">No</smbconfoption> -<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption> -<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption> -<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption> -<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption> -<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption> -<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /tmp '%u'</smbconfoption> -<smbconfoption name="shutdown script">/var/lib/samba/scripts/shutdown.sh</smbconfoption> -<smbconfoption name="abort shutdown script">/sbin/shutdown -c</smbconfoption> -<smbconfoption name="logon script">scripts\logon.bat</smbconfoption> -<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> -<smbconfoption name="logon drive">X:</smbconfoption> -<smbconfoption name="logon home">\\%L\%U</smbconfoption> -<smbconfoption name="domain logons">Yes</smbconfoption> -<smbconfoption name="preferred master">Yes</smbconfoption> -<smbconfoption name="wins support">Yes</smbconfoption> -<smbconfoption name="utmp">Yes</smbconfoption> -<smbconfoption name="map acl inherit">Yes</smbconfoption> -<smbconfoption name="printing">cups</smbconfoption> -<smbconfoption name="cups options">Raw</smbconfoption> -<smbconfoption name="veto files">/*.eml/*.nws/*.{*}/</smbconfoption> -<smbconfoption name="veto oplock files">/*.doc/*.xls/*.mdb/</smbconfoption> -</smbconfblock> -</example> - -<example id="promisnetsvca"> -<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part A</title> -<smbconfblock> -<smbconfsection name="[homes]"/> -<smbconfoption name="comment">Home Directories</smbconfoption> -<smbconfoption name="valid users">%S</smbconfoption> -<smbconfoption name="read only">No</smbconfoption> -<smbconfoption name="browseable">No</smbconfoption> - -<smbconfsection name="[printers]"/> -<smbconfoption name="comment">SMB Print Spool</smbconfoption> -<smbconfoption name="path">/var/spool/samba</smbconfoption> -<smbconfoption name="guest ok">Yes</smbconfoption> -<smbconfoption name="printable">Yes</smbconfoption> -<smbconfoption name="use client driver">Yes</smbconfoption> -<smbconfoption name="default devmode">Yes</smbconfoption> -<smbconfoption name="browseable">No</smbconfoption> - -<smbconfsection name="[netlogon]"/> -<smbconfoption name="comment">Network Logon Service</smbconfoption> -<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption> -<smbconfoption name="guest ok">Yes</smbconfoption> -<smbconfoption name="locking">No</smbconfoption> - -<smbconfsection name="[profiles]"/> -<smbconfoption name="comment">Profile Share</smbconfoption> -<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption> -<smbconfoption name="read only">No</smbconfoption> -<smbconfoption name="profile acls">Yes</smbconfoption> - -<smbconfsection name="[accounts]"/> -<smbconfoption name="comment">Accounting Files</smbconfoption> -<smbconfoption name="path">/data/accounts</smbconfoption> -<smbconfoption name="read only">No</smbconfoption> -</smbconfblock> -</example> - -<example id="promisnetsvcb"> -<title>130 User Network with <emphasis>tdbsam</emphasis> &smbmdash; Services Section Part B</title> -<smbconfblock> -<smbconfsection name="[service]"/> -<smbconfoption name="comment">Financial Services Files</smbconfoption> -<smbconfoption name="path">/data/service</smbconfoption> -<smbconfoption name="read only">No</smbconfoption> - -<smbconfsection name="[pidata]"/> -<smbconfoption name="comment">Property Insurance Files</smbconfoption> -<smbconfoption name="path">/data/pidata</smbconfoption> -<smbconfoption name="read only">No</smbconfoption> - -<smbconfsection name="[apps]"/> -<smbconfoption name="comment">Application Files</smbconfoption> -<smbconfoption name="path">/apps</smbconfoption> -<smbconfoption name="read only">Yes</smbconfoption> -<smbconfoption name="admin users">bjordan</smbconfoption> -</smbconfblock> -</example> - </para></step> - - <step><para> - <indexterm><primary>administrator</primary></indexterm><indexterm> - <primary>smbpasswd</primary> - </indexterm> - Add the <constant>root</constant> user to the password backend as follows: -<screen> -&rootprompt; smbpasswd -a root -New SMB password: XXXXXXXX -Retype new SMB password: XXXXXXXX -&rootprompt; -</screen> - The <constant>root</constant> account is the UNIX equivalent of the Windows Domain Administrator. - This account is essential in the regular maintenance of your Samba server. It must never be - deleted. If for any reason the account is deleted, you may not be able to recreate this account - without considerable trouble. - </para></step> - - <step><para> - <indexterm><primary>username map</primary></indexterm> - Create the username map file to permit the <constant>root</constant> account to be called - <constant>Administrator</constant> from the Windows network environment. To do this, create - the file <filename>/etc/samba/smbusers</filename> with the following contents: -<screen> -#### -# User mapping file -#### -# File Format -# ----------- -# Unix_ID = Windows_ID -# -# Examples: -# root = Administrator -# janes = "Jane Smith" -# jimbo = Jim Bones -# -# Note: If the name contains a space it must be double quoted. -# In the example above the name 'jimbo' will be mapped to Windows -# user names 'Jim' and 'Bones' because the space was not quoted. -####################################################################### -root = Administrator -#### -# End of File -#### -</screen> - </para></step> - - <step><para> - <indexterm><primary>initGrps.sh</primary></indexterm> - <indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>add</tertiary></indexterm> - <indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>modify</tertiary></indexterm> - <indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm> - Create and map Windows Domain Groups to UNIX groups. A sample script is provided in <link linkend="small"/>, - <link linkend="initGrps"/>. Create a file containing this script. We called ours - <filename>/etc/samba/initGrps.sh</filename>. Set this file so it can be executed, - and then execute the script. Sample output should be as follows: - -<example id="ch4initGrps"> -<title>Script to Map Windows NT Groups to UNIX Groups</title> -<indexterm><primary>initGrps.sh</primary></indexterm> -<screen> -#!/bin/bash -# -# initGrps.sh -# - -# Create UNIX groups -groupadd acctsdep -groupadd finsrvcs - -# Map Windows Domain Groups to UNIX groups -net groupmap add ntgroup="Domain Admins" unixgroup=root type=d -net groupmap add ntgroup="Domain Users" unixgroup=users type=d -net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d - -# Add Functional Domain Groups -net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d -net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d -net groupmap add ntgroup="Insurance Group" unixgroup=piops type=d - -# Map Windows NT machine local groups to local UNIX groups -# Mapping of local groups is not necessary and not functional -# for this installation. -</screen> -</example> - -<screen> -&rootprompt; chmod 755 initGrps.sh -&rootprompt; /etc/samba # ./initGrps.sh -Updated mapping entry for Domain Admins -Updated mapping entry for Domain Users -Updated mapping entry for Domain Guests -No rid or sid specified, choosing algorithmic mapping -Successfully added group Accounts Dept to the mapping db -No rid or sid specified, choosing algorithmic mapping -Successfully added group Domain Guests to the mapping db - -&rootprompt; /etc/samba # net groupmap list | sort -Account Operators (S-1-5-32-548) -> -1 -Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep -Administrators (S-1-5-32-544) -> -1 -Backup Operators (S-1-5-32-551) -> -1 -Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root -Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody -Domain Users (S-1-5-21-179504-2437109-488451-513) -> users -Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs -Guests (S-1-5-32-546) -> -1 -Power Users (S-1-5-32-547) -> -1 -Print Operators (S-1-5-32-550) -> -1 -Replicators (S-1-5-32-552) -> -1 -System Operators (S-1-5-32-549) -> -1 -Users (S-1-5-32-545) -> -1 -</screen> - </para></step> - - <step><para> - <indexterm><primary>useradd</primary></indexterm> - <indexterm><primary>adduser</primary></indexterm> - <indexterm><primary>passwd</primary></indexterm> - <indexterm><primary>smbpasswd</primary></indexterm> - <indexterm><primary>/etc/passwd</primary></indexterm> - <indexterm><primary>password</primary><secondary>backend</secondary></indexterm> - <indexterm><primary>user</primary><secondary>management</secondary></indexterm> - There is one preparatory step without which you will not have a working Samba - network environment. You must add an account for each network user. - For each user who needs to be given a Windows Domain account, make an entry in the - <filename>/etc/passwd</filename> file as well as in the Samba password backend. - Use the system tool of your choice to create the UNIX system account, and use the Samba - <command>smbpasswd</command> to create a Domain user account. - There are a number of tools for user management under UNIX, such as - <command>useradd</command>, and <command>adduser</command>, as well as a plethora of custom - tools. You also want to create a home directory for each user. - You can do this by executing the following steps for each user: -<screen> -&rootprompt; useradd -m <parameter>username</parameter> -&rootprompt; passwd <parameter>username</parameter> -Changing password for <parameter>username</parameter>. -New password: XXXXXXXX -Re-enter new password: XXXXXXXX -Password changed -&rootprompt; smbpasswd -a <parameter>username</parameter> -New SMB password: XXXXXXXX -Retype new SMB password: XXXXXXXX -Added user <parameter>username</parameter>. -</screen> - You do of course use a valid user login ID in place of <parameter>username</parameter>. - </para></step> - - <step><para> - <indexterm><primary>file system</primary><secondary>access control</secondary></indexterm> - <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm> - <indexterm><primary>group membership</primary></indexterm> - Using the preferred tool for your UNIX system, add each user to the UNIX groups created - previously as necessary. File system access control will be based on UNIX group membership. - </para></step> - - <step><para> - Create the directory mount point for the disk subsystem that can be mounted to provide - data storage for company files. In this case the mount point is indicated in the &smb.conf; - file is <filename>/data</filename>. Format the file system as required, and mount the formatted - file system partition using appropriate system tools. - </para></step> - - <step><para> - <indexterm><primary>file system</primary><secondary>permissions</secondary></indexterm> - Create the top-level file storage directories for data and applications as follows: -<screen> -&rootprompt; mkdir -p /data/{accounts,finsrvcs} -&rootprompt; mkdir -p /apps -&rootprompt; chown -R root:root /data -&rootprompt; chown -R root:root /apps -&rootprompt; chown -R bjordan:acctsdep /data/accounts -&rootprompt; chown -R bjordan:finsrvcs /data/finsrvcs -&rootprompt; chmod -R ug+rwxs,o-rwx /data -&rootprompt; chmod -R ug+rwx,o+rx-w /apps -</screen> - Each department is responsible for creating its own directory structure within the departmental - share. The directory root of the <command>accounts</command> share is <filename>/data/accounts</filename>. - The directory root of the <command>finsvcs</command> share is <filename>/data/finsvcs</filename>. - The <filename>/apps</filename> directory is the root of the <constant>apps</constant> share - that provides the application server infrastructure. - </para></step> - - <step><para> - The &smb.conf; file specifies an infrastructure to support roaming profiles and network - logon services. You can now create the file system infrastructure to provide the - locations on disk that these services require. Adequate planning is essential, - since desktop profiles can grow to be quite large. For planning purposes, a minimum of - 200 MB of storage should be allowed per user for profile storage. The following - commands create the directory infrastructure needed: -<screen> -&rootprompt; mkdir -p /var/spool/samba -&rootprompt; mkdir -p /var/lib/samba/{netlogon/scripts,profiles} -&rootprompt; chown -R root:root /var/spool/samba -&rootprompt; chown -R root:root /var/lib/samba -&rootprompt; chmod a+rwxt /var/spool/samba -&rootprompt; chmod 2775 /var/lib/samba/profiles -&rootprompt; chgrp users /var/lib/samba/profiles -</screen> - For each user account that is created on the system, the following commands should be - executed: -<screen> -&rootprompt; mkdir /var/lib/samba/profiles/'username' -&rootprompt; chown 'username':users /var/lib/samba/profiles/'username' -&rootprompt; chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' -</screen> - </para></step> - - <step><para> - <indexterm><primary>logon scrip</primary></indexterm> - <indexterm><primary>unix2dos</primary></indexterm> - <indexterm><primary>dos2unix</primary></indexterm> - Create a logon script. It is important that each line is correctly terminated with - a carriage return and line-feed combination (i.e., DOS encoding). The following procedure - works if the right tools (<constant>unix2dos</constant> and <constant>dos2unix</constant>) are installed. - First, create a file called <filename>/var/lib/samba/netlogon/scripts/logon.bat.unix</filename> - with the following contents: -<screen> -net time \\diamond /set /yes -net use h: /home -net use p: \\diamond\apps -</screen> - Convert the UNIX file to a DOS file using the <command>unix2dos</command> as shown here: -<screen> -&rootprompt; unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \ - > /var/lib/samba/netlogon/scripts/logon.bat -</screen> - </para></step> - </procedure> - - </sect2> - - <sect2 id="ch4dhcpdns"> - <title>Configuration of DHCP and DNS Servers</title> - - <para> - DHCP services are a basic component of the entire network client installation. DNS operation is - foundational to Internet access as well as to trouble-free operation of local networking. When - you have completed this section, the server should be ready for solid duty operation. - </para> - - <procedure> - <title>DHCP and DNS Server Configuration Steps</title> - - <step><para> - <indexterm><primary>/etc/dhcpd.conf</primary></indexterm> - Create a file called <filename>/etc/dhcpd.conf</filename> with the contents as - shown in <link linkend="prom-dhcp"/>. - -<example id="prom-dhcp"> -<title>DHCP Server Configuration File &smbmdash; <filename>/etc/dhcpd.conf</filename></title> -<screen> -# Abmas Accounting Inc. -default-lease-time 86400; -max-lease-time 172800; -default-lease-time 86400; -option ntp-servers 192.168.1.1; -option domain-name "abmas.biz"; -option domain-name-servers 192.168.1.1, 192.168.2.1; -option netbios-name-servers 192.168.1.1, 192.168.2.1; -option netbios-node-type 8; ### Node type = Hybrid ### -ddns-updates on; ### Dynamic DNS enabled ### -ddns-update-style interim; - -subnet 192.168.1.0 netmask 255.255.255.0 { - range dynamic-bootp 192.168.1.128 192.168.1.254; - option subnet-mask 255.255.255.0; - option routers 192.168.1.1; - allow unknown-clients; - host qmsa { - hardware ethernet 08:00:46:7a:35:e4; - fixed-address 192.168.1.20; - } - host hplj6a { - hardware ethernet 00:03:47:cb:81:e0; - fixed-address 192.168.1.30; - } - } -subnet 192.168.2.0 netmask 255.255.255.0 { - range dynamic-bootp 192.168.2.128 192.168.2.254; - option subnet-mask 255.255.255.0; - option routers 192.168.2.1; - allow unknown-clients; - host qmsf { - hardware ethernet 01:04:31:db:e1:c0; - fixed-address 192.168.1.20; - } - host hplj6f { - hardware ethernet 00:03:47:cf:83:e2; - fixed-address 192.168.2.30; - } - } -subnet 127.0.0.0 netmask 255.0.0.0 { - } -subnet 123.45.67.64 netmask 255.255.255.252 { - } -</screen> -</example> - </para></step> - - <step><para> - <indexterm><primary>/etc/named.conf</primary></indexterm> - Create a file called <filename>/etc/named.conf</filename> that has the combined contents - of the <link linkend="ch4namedcfg"/>, <link linkend="ch4namedvarfwd"/>, and - <link linkend="ch4namedvarrev"/> files that are concatenated (merged) in this - specific order. - </para></step> - - <step><para> - Create the files shown in their respective directories as shown in <link linkend="namedrscfiles">DNS - (named) Resource Files</link>. - - <table id="namedrscfiles"> - <title>DNS (named) Resource Files</title> - <tgroup cols="2"> - <colspec align="left"/> - <colspec align="left"/> - <thead> - <row> - <entry>Reference</entry> - <entry>File Location</entry> - </row> - </thead> - <tbody> - <row> - <entry><link linkend="loopback"/></entry> - <entry>/var/lib/named/localhost.zone</entry> - </row> - <row> - <entry><link linkend="dnsloopy"/></entry> - <entry>/var/lib/named/127.0.0.zone</entry> - </row> - <row> - <entry><link linkend="roothint"/></entry> - <entry>/var/lib/named/root.hint</entry> - </row> - <row> - <entry><link linkend="abmasbiz"/></entry> - <entry>/var/lib/named/master/abmas.biz.hosts</entry> - </row> - <row> - <entry><link linkend="abmasus"/></entry> - <entry>/var/lib/named/abmas.us.hosts</entry> - </row> - <row> - <entry><link linkend="eth1zone"/></entry> - <entry>/var/lib/named/192.168.1.0.rev</entry> - </row> - <row> - <entry><link linkend="eth2zone"/></entry> - <entry>/var/lib/named/192.168.2.0.rev</entry> - </row> - </tbody> - </tgroup> - </table> - -<example id="ch4namedcfg"> -<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Master Section</title> -<indexterm><primary>/etc/named.conf</primary></indexterm> -<screen> -### -# Abmas Biz DNS Control File -### -# Date: November 15, 2003 -### -options { - directory "/var/lib/named"; - forwarders { - 123.45.12.23; - }; - forward first; - listen-on { - mynet; - }; - auth-nxdomain yes; - multiple-cnames yes; - notify no; -}; - -zone "." in { - type hint; - file "root.hint"; -}; - -zone "localhost" in { - type master; - file "localhost.zone"; -}; - -zone "0.0.127.in-addr.arpa" in { - type master; - file "127.0.0.zone"; -}; - -acl mynet { - 192.168.1.0/24; - 192.168.2.0/24; - 127.0.0.1; -}; - -acl seconddns { - 123.45.54.32; -}; - -</screen> -</example> - -<example id="ch4namedvarfwd"> -<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Forward Lookup Definition Section</title> -<screen> -zone "abmas.biz" { - type master; - file "/var/lib/named/master/abmas.biz.hosts"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; - -zone "abmas.us" { - type master; - file "/var/lib/named/master/abmas.us.hosts"; - allow-query { - any; - }; - allow-transfer { - seconddns; - }; -}; -</screen> -</example> - -<example id="ch4namedvarrev"> -<title>DNS Master Configuration File &smbmdash; <filename>/etc/named.conf</filename> Reverse Lookup Definition Section</title> -<screen> -zone "1.168.192.in-addr.arpa" { - type master; - file "/var/lib/named/master/192.168.1.0.rev"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; - -zone "2.168.192.in-addr.arpa" { - type master; - file "/var/lib/named/master/192.168.2.0.rev"; - allow-query { - mynet; - }; - allow-transfer { - mynet; - }; - allow-update { - mynet; - }; -}; -</screen> -</example> - -<example id="eth1zone"> -<title>DNS 192.168.1 Reverse Zone File</title> -<screen> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -1.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( - 2003021825 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS sleeth1.abmas.biz. -$ORIGIN 1.168.192.in-addr.arpa. -1 PTR sleeth1.abmas.biz. -20 PTR qmsa.abmas.biz. -30 PTR hplj6a.abmas.biz. -</screen> -</example> - -<example id="eth2zone"> -<title>DNS 192.168.2 Reverse Zone File</title> -<screen> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -2.168.192.in-addr.arpa IN SOA sleeth.abmas.biz. root.abmas.biz. ( - 2003021825 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS sleeth2.abmas.biz. -$ORIGIN 2.168.192.in-addr.arpa. -1 PTR sleeth2.abmas.biz. -20 PTR qmsf.abmas.biz. -30 PTR hplj6f.abmas.biz. -</screen> -</example> - -<example id="abmasbiz"> -<title>DNS Abmas.biz Forward Zone File</title> -<screen> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -abmas.biz IN SOA sleeth1.abmas.biz. root.abmas.biz. ( - 2003021833 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS dns.abmas.biz. - MX 10 mail.abmas.biz. -$ORIGIN abmas.biz. -sleeth1 A 192.168.1.1 -sleeth2 A 192.168.2.1 -qmsa A 192.168.1.20 -hplj6a A 192.168.1.30 -qmsf A 192.168.2.20 -hplj6f A 192.168.2.30 -dns CNAME sleeth1 -diamond CNAME sleeth1 -mail CNAME sleeth1 -</screen> -</example> - -<example id="abmasus"> -<title>DNS Abmas.us Forward Zone File</title> -<screen> -$ORIGIN . -$TTL 38400 ; 10 hours 40 minutes -abmas.us IN SOA server.abmas.us. root.abmas.us. ( - 2003021833 ; serial - 10800 ; refresh (3 hours) - 3600 ; retry (1 hour) - 604800 ; expire (1 week) - 38400 ; minimum (10 hours 40 minutes) - ) - NS dns.abmas.us. - NS dns2.abmas.us. - MX 10 mail.abmas.us. -$ORIGIN abmas.us. -server A 123.45.67.66 -dns2 A 123.45.54.32 -gw A 123.45.67.65 -www CNAME server -mail CNAME server -dns CNAME server -</screen> -</example> - - </para></step> - - <step><para> - <indexterm><primary>/etc/resolv.conf</primary></indexterm><indexterm> - <primary>name resolution</primary> - </indexterm> - All DNS name resolution should be handled locally. To ensure that the server is configured - correctly to handle this, edit <filename>/etc/resolv.conf</filename> to have the following - content: -<screen> -search abmas.us abmas.biz -nameserver 127.0.0.1 -nameserver 123.45.54.23 -</screen> - <indexterm> - <primary>DNS server</primary> - </indexterm> - This instructs the name resolver function (when configured correctly) to ask the DNS server - that is running locally to resolve names to addresses. In the event that the local name server - is not available, ask the name server provided by the ISP. The latter, of course, does not resolve - purely local names to IP addresses. - </para></step> - - <step><para> - <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> - The final step is to edit the <filename>/etc/nsswitch.conf</filename> file. - This file controls the operation of the various resolver libraries that are part of the Linux - Glibc libraries. Edit this file so that it contains the following entries: -<screen> -hosts: files dns wins -</screen> - </para></step> - </procedure> - - <para> - The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, - there are a few more steps along the road. First, configure the print spooling and print - processing system. Then you can configure the server so that all services - start automatically on reboot. You must also manually start all services prior to validation testing. - </para> - - </sect2> - - <sect2 id="ch4ptrcfg"> - <title>Printer Configuration</title> - - <para> - Network administrators who are new to CUPS based-printing typically experience some difficulty mastering - its powerful features. The steps outlined in this section are designed to navigate around the distractions - of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a - transparent print queue that performs no filtering, and only minimal handling of each print job that is - submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that - the correct printer driver must be installed on all clients. - </para> - - <procedure> - <title>Printer Configuration Steps</title> - - <step><para> - Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines. - </para></step> - - <step><para> - Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. - Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the - port as necessary in the following example commands. - This allows the CUPS spooler to print using raw mode protocols. - <indexterm><primary>CUPS</primary></indexterm> - <indexterm><primary>raw printing</primary></indexterm> - </para></step> - - <step><para> - <indexterm><primary>CUPS</primary><secondary>queue</secondary></indexterm><indexterm> - <primary>lpadmin</primary> - </indexterm> - Configure the CUPS Print Queues as follows: -<screen> -&rootprompt; lpadmin -p qmsa -v socket://qmsa.abmas.biz:9100 -E -&rootprompt; lpadmin -p hplj6a -v socket://hplj6a.abmas.biz:9100 -E -&rootprompt; lpadmin -p qmsf -v socket://qmsf.abmas.biz:9100 -E -&rootprompt; lpadmin -p hplj6f -v socket://hplj6f.abmas.biz:9100 -E -</screen> - <indexterm><primary>print filter</primary></indexterm> - This creates the necessary print queues with no assigned print filter. - </para></step> - - <step><para><indexterm> - <primary>enable</primary> - </indexterm> - Print queues may not be enabled at creation. Use <command>lpc stat</command> to check - the status of the print queues and, if necessary, make certain that the queues you have - just created are enabled by executing the following: -<screen> -&rootprompt; /usr/bin/enable qmsa -&rootprompt; /usr/bin/enable hplj6a -&rootprompt; /usr/bin/enable qmsf -&rootprompt; /usr/bin/enable hplj6f -</screen> - </para></step> - - <step><para><indexterm> - <primary>accept</primary> - </indexterm> - Even though your print queues may be enabled, it is still possible that they - are not accepting print jobs. A print queue services incoming printing - requests only when configured to do so. Ensure that your print queues are - set to accept incoming jobs by executing the following commands: -<screen> -&rootprompt; /usr/sbin/accept qmsa -&rootprompt; /usr/sbin/accept hplj6a -&rootprompt; /usr/sbin/accept qmsf -&rootprompt; /usr/sbin/accept hplj6f -</screen> - </para></step> - - <step><para> - <indexterm><primary>mime type</primary></indexterm> - <indexterm><primary>/etc/mime.convs</primary></indexterm> - <indexterm><primary>application/octet-stream</primary></indexterm> - Edit the file <filename>/etc/cups/mime.convs</filename> to uncomment the line: -<screen> -application/octet-stream application/vnd.cups-raw 0 - -</screen> - </para></step> - - <step><para> - <indexterm><primary>/etc/mime.types</primary></indexterm> - Edit the file <filename>/etc/cups/mime.types</filename> to uncomment the line: -<screen> -application/octet-stream -</screen> - </para></step> - - <step><para> - Printing drivers are installed on each network client workstation. - </para></step> - </procedure> - - <para> - Note: If the parameter <parameter>cups options = Raw</parameter> is specified in the &smb.conf; file, - the last two steps can be omitted with CUPS version 1.1.18, or later. - </para> - - <para> - The UNIX system print queues have been configured and are ready for validation testing. - </para> - - </sect2> - - <sect2 id="procstart"> - <title>Process Startup Configuration</title> - - <para> - <indexterm><primary>chkconfig</primary></indexterm> - There are two essential steps to process startup configuration. First, the process - must be configured so that it automatically restarts each time the server - is rebooted. This step involves use of the <command>chkconfig</command> tool that - creates the appropriate symbolic links from the master daemon control file that is - located in the <filename>/etc/rc.d</filename> directory, to the <filename>/etc/rc'x'.d</filename> - directories. Links are created so that when the system run level is changed, the - necessary start or kill script is run. - </para> - - <para> - <indexterm><primary>/etc/xinetd.d</primary></indexterm> - <indexterm><primary>inetd</primary></indexterm> - <indexterm><primary>xinetd</primary></indexterm> - <indexterm><primary>chkconfig</primary></indexterm> - <indexterm><primary>super daemon</primary></indexterm> - In the event that a service is not run as a daemon, but via the internetworking - super daemon (<command>inetd</command> or <command>xinetd</command>), then the <command>chkconfig</command> - tool makes the necessary entries in the <filename>/etc/xinetd.d</filename> directory - and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to - re-read its control files. - </para> - - <para> - Last, each service must be started to permit system validation to proceed. - </para> - - <procedure> - <step><para> - Use the standard system tool to configure each service to restart - automatically at every system reboot. For example, - <indexterm><primary>chkconfig</primary></indexterm> -<screen> -&rootprompt; chkconfig dhpcd on -&rootprompt; chkconfig named on -&rootprompt; chkconfig cups on -&rootprompt; chkconfig smb on -</screen> - </para></step> - - <step><para> - <indexterm><primary>starting dhcpd</primary></indexterm> - <indexterm><primary>starting samba</primary></indexterm> - <indexterm><primary>starting CUPS</primary></indexterm> - Now start each service to permit the system to be validated. - Execute each of the following in the sequence shown: - -<screen> -&rootprompt; /etc/rc.d/init.d/dhcpd restart -&rootprompt; /etc/rc.d/init.d/named restart -&rootprompt; /etc/rc.d/init.d/cups restart -&rootprompt; /etc/rc.d/init.d/smb restart -</screen> - </para></step> - </procedure> - - </sect2> - - <sect2 id="ch4valid"> - <title>Validation</title> - - <para> - <indexterm><primary>validation</primary></indexterm> - Complex networking problems are most often caused by simple things that are poorly or incorrectly - configured. The validation process adopted here should be followed carefully; it is the result of the - experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should - refrain from taking shortcuts, from making basic assumptions, and from not exercising due process - and diligence in network validation. By thoroughly testing and validating every step in the process - of network installation and configuration, you can save yourself from sleepless nights and restless - days. A well debugged network is a foundation for happy network users and network administrators. - Later in this book you learn how to make users happier. For now, it is enough to learn to - validate. Let's get on with it. - </para> - - <procedure> - <title>Server Validation Steps</title> - - <step><para> - <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> - One of the most important facets of Samba configuration is to ensure that - name resolution functions correctly. You can check name resolution - with a few simple tests. The most basic name resolution is provided from the - <filename>/etc/hosts</filename> file. To test its operation, make a - temporary edit to the <filename>/etc/nsswitch.conf</filename> file. Using - your favorite editor, change the entry for <constant>hosts</constant> to read: -<screen> -hosts: files -</screen> - When you have saved this file, execute the following command: -<screen> -&rootprompt; ping diamond -PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. -64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.131 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.179 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=3 ttl=64 time=0.192 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=4 ttl=64 time=0.191 ms - ---- sleeth1.abmas.biz ping statistics --- -4 packets transmitted, 4 received, 0% packet loss, time 3016ms -rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms -</screen> - This proves that name resolution via the <filename>/etc/hosts</filename> file - is working. - </para></step> - - <step><para> - <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> - So far, your installation is going particularly well. In this step we validate - DNS server and name resolution operation. Using your favorite UNIX system editor, - change the <filename>/etc/nsswitch.conf</filename> file so that the - <constant>hosts</constant> entry reads: -<screen> -hosts: dns -</screen> - </para></step> - - <step><para> - <indexterm><primary>named</primary></indexterm> - Before you test DNS operation, it is a good idea to verify that the DNS server - is running by executing the following: -<screen> -&rootprompt; ps ax | grep named - 437 ? S 0:00 /sbin/syslogd -a /var/lib/named/dev/log - 524 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 525 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 526 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 529 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 540 ? S 0:00 /usr/sbin/named -t /var/lib/named -u named - 2552 pts/2 S 0:00 grep named -</screen> - This means that we are ready to check DNS operation. Do so by executing: - <indexterm><primary>ping</primary></indexterm> -<screen> -&rootprompt; ping diamond -PING sleeth1.abmas.biz (192.168.1.1) 56(84) bytes of data. -64 bytes from sleeth1 (192.168.1.1): icmp_seq=1 ttl=64 time=0.156 ms -64 bytes from sleeth1 (192.168.1.1): icmp_seq=2 ttl=64 time=0.183 ms - ---- sleeth1.abmas.biz ping statistics --- -2 packets transmitted, 2 received, 0% packet loss, time 999ms -rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms -</screen> - You should take a few more steps to validate DNS server operation, as follows: -<screen> -&rootprompt; host -f diamond.abmas.biz -sleeth1.abmas.biz has address 192.168.1.1 -</screen> - <indexterm><primary>/etc/hosts</primary></indexterm> - You may now remove the entry called <constant>diamond</constant> from the - <filename>/etc/hosts</filename> file. It does not hurt to leave it there, - but its removal reduces the number of administrative steps for this name. - </para></step> - - <step><para> - <indexterm><primary>/etc/nsswitch.conf</primary></indexterm> - WINS is a great way to resolve NetBIOS names to their IP address. You can test - the operation of WINS by starting <command>nmbd</command> (manually or by way - of the Samba startup method shown in <link linkend="procstart"/>). You must edit - the <filename>/etc/nsswitch.conf</filename> file so that the <constant>hosts</constant> - entry is as follows: -<screen> -hosts: wins -</screen> - The next step is to make certain that Samba is running using <command>ps ax | grep mbd</command>. - The <command>nmbd</command> daemon will provide the WINS name resolution service when the - &smb.conf; file <smbconfsection name="global"/> parameter <smbconfoption name="wins - support">Yes</smbconfoption> has been specified. Having validated that Samba is operational, - excute the following: -<screen> -&rootprompt; ping diamond -PING diamond (192.168.1.1) 56(84) bytes of data. -64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.094 ms -64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.479 ms -</screen> - <indexterm><primary>ping</primary></indexterm> - Now that you can relax with the knowledge that all three major forms of name - resolution to IP address resolution are working, edit the <filename>/etc/nsswitch.conf</filename> - again. This time you add all three forms of name resolution to this file. - Your edited entry for <constant>hosts</constant> should now look like this: -<screen> -hosts: files dns wins -</screen> - The system is looking good. Let's move on. - </para></step> - - <step><para> - It would give you peace of mind to know that the DHCP server is running - and available for service. You can validate DHCP services by running: - -<screen> -&rootprompt; ps ax | grep dhcp - 2618 ? S 0:00 /usr/sbin/dhcpd ... - 8180 pts/2 S 0:00 grep dhcp -</screen> - This shows that the server is running. The proof of whether or not it is working - comes when you try to add the first DHCP client to the network. - </para></step> - - <step><para> - <indexterm><primary>testparm</primary></indexterm> - This is a good point at which to start validating Samba operation. You are - content that name resolution is working for basic TCP/IP needs. Let's move on. - If your &smb.conf; file has bogus options or parameters, this may cause Samba - to refuse to start. The first step should always be to validate the contents - of this file by running: -<screen> -&rootprompt; testparm -s -Load smb config files from smb.conf -Processing section "[homes]" -Processing section "[printers]" -Processing section "[netlogon]" -Processing section "[profiles]" -Processing section "[accounts]" -Processing section "[service]" -Processing section "[apps]" -Loaded services file OK. -# Global parameters -[global] - workgroup = PROMISES - netbios name = DIAMOND - interfaces = eth1, eth2, lo - bind interfaces only = Yes - passdb backend = tdbsam - pam password change = Yes - passwd program = /usr/bin/passwd '%u' - passwd chat = *New*Password* %n\n \ - *Re-enter*new*password* %n\n *Password*changed* - username map = /etc/samba/smbusers - unix password sync = Yes - log level = 1 - syslog = 0 - log file = /var/log/samba/%m - max log size = 50 - smb ports = 139 - name resolve order = wins bcast hosts - time server = Yes - printcap name = CUPS - show add printer wizard = No - add user script = /usr/sbin/useradd -m '%u' - delete user script = /usr/sbin/userdel -r '%u' - add group script = /usr/sbin/groupadd '%g' - delete group script = /usr/sbin/groupdel '%g' - add user to group script = /usr/sbin/usermod -G '%g' '%u' - add machine script = /usr/sbin/useradd \ - -s /bin/false -d /dev/null '%u' - shutdown script = /var/lib/samba/scripts/shutdown.sh - abort shutdown script = /sbin/shutdown -c - logon script = scripts\logon.bat - logon path = \\%L\profiles\%U - logon drive = X: - logon home = \\%L\%U - domain logons = Yes - preferred master = Yes - wins support = Yes - utmp = Yes - winbind use default domain = Yes - map acl inherit = Yes - cups options = Raw - veto files = /*.eml/*.nws/*.{*}/ - veto oplock files = /*.doc/*.xls/*.mdb/ - -[homes] - comment = Home Directories - valid users = %S - read only = No - browseable = No -... -### Remainder cut to save space ### -</screen> - Clear away all errors before proceeding. - </para></step> - - <step><para> - <indexterm><primary>check samba daemons</primary></indexterm> - <indexterm><primary>smbd</primary></indexterm> - <indexterm><primary>nmbd</primary></indexterm> - <indexterm><primary>winbindd</primary></indexterm> - Check that the Samba server is running: -<screen> -&rootprompt; ps ax | grep mbd -14244 ? S 0:00 /usr/sbin/nmbd -D -14245 ? S 0:00 /usr/sbin/nmbd -D -14290 ? S 0:00 /usr/sbin/smbd -D - -$rootprompt; ps ax | grep winbind -14293 ? S 0:00 /usr/sbin/winbindd -D -14295 ? S 0:00 /usr/sbin/winbindd -D -</screen> - The <command>winbindd</command> daemon is running in split mode (normal), so there are also - two instances<footnote><para>For more information regarding winbindd, see <emphasis>TOSHARG2</emphasis>, - Chapter 23, Section 23.3. The single instance of <command>smbd</command> is normal. One additional - <command>smbd</command> slave process is spawned for each SMB/CIFS client - connection.</para></footnote> of it. - </para></step> - - <step><para> - <indexterm><primary>anonymous - connection</primary></indexterm> - <indexterm> - <primary>smbclient</primary> - </indexterm> - Check that an anonymous connection can be made to the Samba server: -<screen> -&rootprompt; smbclient -L localhost -U% - - Sharename Type Comment - --------- ---- ------- - IPC$ IPC IPC Service (Samba 3.0.20) - netlogon Disk Network Logon Service - profiles Disk Profile Share - accounts Disk Accounting Files - service Disk Financial Services Files - apps Disk Application Files - ADMIN$ IPC IPC Service (Samba 3.0.20) - hplj6a Printer hplj6a - hplj6f Printer hplj6f - qmsa Printer qmsa - qmsf Printer qmsf - - Server Comment - --------- ------- - DIAMOND Samba 3.0.20 - - Workgroup Master - --------- ------- - PROMISES DIAMOND -</screen> - This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent - of browsing the server from a Windows client to obtain a list of shares on the server. - The <constant>-U%</constant> argument means to send a <constant>NULL</constant> username and - a <constant>NULL</constant> password. - </para></step> - - <step><para> - <indexterm><primary>dhcp client validation</primary></indexterm> - <indexterm><primary>printer validation</primary></indexterm> - <indexterm><primary>arp</primary></indexterm> - Verify that each printer has the IP address assigned in the DHCP server configuration file. - The easiest way to do this is to ping the printer name. Immediately after the ping response - has been received, execute <command>arp -a</command> to find the MAC address of the printer - that has responded. Now you can compare the IP address and the MAC address of the printer - with the configuration information in the <filename>/etc/dhcpd.conf</filename> file. They - should, of course, match. For example, -<screen> -&rootprompt; ping hplj6 -PING hplj6a (192.168.1.30) 56(84) bytes of data. -64 bytes from hplj6a (192.168.1.30): icmp_seq=1 ttl=64 time=0.113 ms - -&rootprompt; arp -a -hplj6a (192.168.1.30) at 00:03:47:CB:81:E0 [ether] on eth0 -</screen> - <indexterm> - <primary>/etc/dhcpd.conf</primary> - </indexterm> - The MAC address <constant>00:03:47:CB:81:E0</constant> matches that specified for the - IP address from which the printer has responded and with the entry for it in the - <filename>/etc/dhcpd.conf</filename> file. Repeat this for each printer configured. - </para></step> - - <step><para> - <indexterm><primary>authenticated connection</primary></indexterm> - Make an authenticated connection to the server using the <command>smbclient</command> tool: -<screen> -&rootprompt; smbclient //diamond/accounts -U gholmes -Password: XXXXXXX -smb: \> dir - . D 0 Thu Nov 27 15:07:09 2003 - .. D 0 Sat Nov 15 17:40:50 2003 - zakadmin.exe 161424 Thu Nov 27 15:06:52 2003 - zak.exe 6066384 Thu Nov 27 15:06:52 2003 - dhcpd.conf 1256 Thu Nov 27 15:06:52 2003 - smb.conf 2131 Thu Nov 27 15:06:52 2003 - initGrps.sh A 1089 Thu Nov 27 15:06:52 2003 - POLICY.EXE 86542 Thu Nov 27 15:06:52 2003 - - 55974 blocks of size 65536. 33968 blocks available -smb: \> q -</screen> - </para></step> - - <step><para> - <indexterm><primary>nmap</primary></indexterm> - Your new server is connected to an Internet-accessible connection. Before you start - your firewall, you should run a port scanner against your system. You should repeat that - after the firewall has been started. This helps you understand to what extent the - server may be vulnerable to external attack. One way you can do this is by using an - external service, such as the <ulink url="http://www.dslreports.com/scan">DSL Reports</ulink> - tools. Alternately, if you can gain root-level access to a remote - UNIX/Linux system that has the <command>nmap</command> tool, you can run the following: -<screen> -&rootprompt; nmap -v -sT server.abmas.us - -Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) -Host server.abmas.us (123.45.67.66) appears to be up ... good. -Initiating Connect() Scan against server.abmas.us (123.45.67.66) -Adding open port 6000/tcp -Adding open port 873/tcp -Adding open port 445/tcp -Adding open port 10000/tcp -Adding open port 901/tcp -Adding open port 631/tcp -Adding open port 25/tcp -Adding open port 111/tcp -Adding open port 32770/tcp -Adding open port 3128/tcp -Adding open port 53/tcp -Adding open port 80/tcp -Adding open port 443/tcp -Adding open port 139/tcp -Adding open port 22/tcp -The Connect() Scan took 0 seconds to scan 1601 ports. -Interesting ports on server.abmas.us (123.45.67.66): -(The 1587 ports scanned but not shown below are in state: closed) -Port State Service -22/tcp open ssh -25/tcp open smtp -53/tcp open domain -80/tcp open http -111/tcp open sunrpc -139/tcp open netbios-ssn -443/tcp open https -445/tcp open microsoft-ds -631/tcp open ipp -873/tcp open rsync -901/tcp open samba-swat -3128/tcp open squid-http -6000/tcp open X11 -10000/tcp open snet-sensor-mgmt -32770/tcp open sometimes-rpc3 - -Nmap run completed -- 1 IP address (1 host up) scanned in 1 second -</screen> - The above scan was run before the external interface was locked down with the NAT-firewall - script you created above. The following results are obtained after the firewall rules - have been put into place: -<screen> -&rootprompt; nmap -v -sT server.abmas.us - -Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) -Host server.abmas.us (123.45.67.66) appears to be up ... good. -Initiating Connect() Scan against server.abmas.us (123.45.67.66) -Adding open port 53/tcp -Adding open port 22/tcp -The Connect() Scan took 168 seconds to scan 1601 ports. -Interesting ports on server.abmas.us (123.45.67.66): -(The 1593 ports scanned but not shown below are in state: filtered) -Port State Service -22/tcp open ssh -25/tcp closed smtp -53/tcp open domain -80/tcp closed http -443/tcp closed https - -Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds -</screen> - </para></step> - - </procedure> - - </sect2> - - <sect2 id="ch4appscfg"> - <title>Application Share Configuration</title> - - <para> - <indexterm><primary>application server</primary></indexterm> - <indexterm><primary>administrative installation</primary></indexterm> - The use of an application server is a key mechanism by which desktop administration overheads - can be reduced. Check the application manual for your software to identify how best to - create an administrative installation. - </para> - - <para> - Some Windows software will only run locally on the desktop computer. Such software - is typically not suited for administrative installation. Administratively installed software - permits one or more of the following installation choices: - </para> - - <itemizedlist> - <listitem><para> - Install software fully onto a workstation, storing data files on the same workstation. - </para></listitem> - - <listitem><para> - Install software fully onto a workstation with central network data file storage. - </para></listitem> - - <listitem><para> - Install software to run off a central application server with data files stored - on the local workstation. This is often called a minimum installation, or a - network client installation. - </para></listitem> - - <listitem><para> - Install software to run off a central application server with data files stored - on a central network share. This type of installation often prevents storage - of work files on the local workstation. - </para></listitem> - </itemizedlist> - - <para> - <indexterm><primary></primary></indexterm> - A common application deployed in this environment is an office suite. - Enterprise editions of Microsoft Office XP Professional can be administratively installed - by launching the installation from a command shell. The command that achieves this is - <command>setup /a</command>. It results in a set of prompts through which various - installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource - Kit for more information regarding this mode of installation of MS Office XP Professional. - The full administrative installation of MS Office XP Professional requires approximately - 650 MB of disk space. - </para> - - <para> - When the MS Office XP Professional product has been installed to the administrative network - share, the product can be installed onto a workstation by executing the normal setup program. - The installation process now provides a choice to either perform a minimum installation - or a full local installation. A full local installation takes over 100 MB of disk space. - A network workstation (minimum) installation requires typically 10 MB to 15 MB of - local disk space. In the latter case, when the applications are used, they load over the network. - </para> - - <para> - <indexterm><primary>Service Packs</primary></indexterm> - <indexterm><primary>Microsoft Office</primary></indexterm> - Microsoft Office Service Packs can be unpacked to update an administrative share. This makes - it possible to update MS Office XP Professional for all users from a single installation - of the service pack and generally circumvents the need to run updates on each network - Windows client. - </para> - - <para> - The default location for MS Office XP Professional data files can be set through registry - editing or by way of configuration options inside each Office XP Professional application. - </para> - - <para> - <indexterm><primary>OpenOffice</primary></indexterm> - OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also - be installed to run off a network share. The latter is a most desirable solution for office-bound - network users and for administrative staff alike. It permits quick and easy updates - to be rolled out to all users with a minimum of disruption and with maximum flexibility. - </para> - - <para> - The process for installation of administrative shared OpenOffice involves download of the - distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. - When fully extracted using the unzipping tool of your choosing, change into the Windows - installation files directory then execute <command>setup -net</command>. You are - prompted on screen for the target installation location. This is the administrative - share point. The full administrative OpenOffice share takes approximately 150 MB of disk - space. - </para> - - <sect3> - <title>Comments Regarding Software Terms of Use</title> - <para> - Many single-user products can be installed into an administrative share, but - personal versions of products such as Microsoft Office XP Professional do not permit this. - Many people do not like terms of use typical with commercial products, so a few comments - regarding software licensing seem important. - </para> - - <para> - Please do not use an administrative installation of proprietary and commercially licensed - software products to violate the copyright holders' property. All software is licensed, - particularly software that is licensed for use free of charge. All software is the property - of the copyright holder unless the author and/or copyright holder has explicitly disavowed - ownership and has placed the software into the public domain. - </para> - - <para> - Software that is under the GNU General Public License, like proprietary software, is - licensed in a way that restricts use. For example, if you modify GPL software and then - distribute the binary version of your modifications, you must offer to provide the source - code as well. This restriction is designed to maintain the momentum - of the diffusion of technology and to protect against the withholding of innovations. - </para> - - <para> - Commercial and proprietary software generally restrict use to those who have paid the - license fees and who comply with the licensee's terms of use. Software that is released - under the GNU General Public License is restricted to particular terms and conditions - also. Whatever the licensing terms may be, if you do not approve of the terms of use, - please do not use the software. - </para> - - <para> - <indexterm><primary>GPL</primary></indexterm> - Samba is provided under the terms of the GNU - GPL Version 3, a copy of which is provided - with the source code. - </para> - </sect3> - - </sect2> - - <sect2 id="ch4wincfg"> - <title>Windows Client Configuration</title> - - <para> - Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs - to reinstall many of the notebook computers that will be recycled for use with the new network - configuration. The smartest way to handle the challenge of the roll-out program is to build - a staged system for each type of target machine, and then use an image replication tool such as Norton - Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can - be done with notebook computers as long as they are identical or sufficiently similar. - </para> - - <procedure id="sbewinclntprep"> - <title>Windows Client Configuration Procedure</title> - - <step><para> - <indexterm><primary>WINS</primary></indexterm> - <indexterm><primary>DHCP</primary></indexterm> - Install MS Windows XP Professional. During installation, configure the client to use DHCP for - TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server - address that has been defined for the local subnet. - </para></step> - - <step><para> - Join the Windows Domain <constant>PROMISES</constant>. Use the Domain Administrator - username <constant>root</constant> and the SMB password you assigned to this account. - A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to - a Windows Domain is given in <link linkend="appendix"/>, <link linkend="domjoin"/>. - Reboot the machine as prompted and then log on using the Domain Administrator account - (<constant>root</constant>). - </para></step> - - <step><para> - Verify <constant>DIAMOND</constant> is visible in <guimenu>My Network Places</guimenu>, - that it is possible to connect to it and see the shares <guimenuitem>accounts</guimenuitem>, - <guimenuitem>apps</guimenuitem>, and <guimenuitem>finsvcs</guimenuitem>, and that it is - possible to open each share to reveal its contents. - </para></step> - - <step><para> - Create a drive mapping to the <constant>apps</constant> share on the server <constant>DIAMOND</constant>. - </para></step> - - <step><para> - Perform an administrative installation of each application to be used. Select the options - that you wish to use. Of course, you can choose to run applications over the network, correct? - </para></step> - - <step><para> - Now install all applications to be installed locally. Typical tools include Adobe Acrobat, - NTP-based time synchronization software, drivers for specific local devices such as fingerprint - scanners, and the like. Probably the most significant application for local installation - is antivirus software. - </para></step> - - <step><para> - Now install all four printers onto the staging system. The printers you install - include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will - also configure identical printers that are located in the financial services department. - Install printers on each machine following the steps shown in the Windows client printer - preparation procedure below. - </para></step> - - <step><para> - <indexterm><primary>defragmentation</primary></indexterm> - When you are satisfied that the staging systems are complete, use the appropriate procedure to - remove the client from the domain. Reboot the system and then log on as the local administrator - and clean out all temporary files stored on the system. Before shutting down, use the disk - defragmentation tool so that the file system is in optimal condition before replication. - </para></step> - - <step><para> - Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the - machine to a network share on the server. - </para></step> - - <step><para> - <indexterm><primary>Windows security identifier</primary><see>SID</see></indexterm> - <indexterm><primary>SID</primary></indexterm> - You may now replicate the image to the target machines using the appropriate Norton Ghost - procedure. Make sure to use the procedure that ensures each machine has a unique - Windows security identifier (SID). When the installation of the disk image has completed, boot the PC. - </para></step> - - <step><para> - Log on to the machine as the local Administrator (the only option), and join the machine to - the Domain, following the procedure set out in <link linkend="appendix"/>, <link linkend="domjoin"/>. The system is now - ready for the user to log on, provided you have created a network logon account for that - user, of course. - </para></step> - - <step><para> - Instruct all users to log on to the workstation using their assigned username and password. - </para></step> - </procedure> - - <procedure id="sbewinclntptrprep"> - <title>Windows Client Printer Preparation Procedure</title> - - <step><para> - Click <menuchoice> - <guimenu>Start</guimenu> - <guimenuitem>Settings</guimenuitem> - <guimenuitem>Printers</guimenuitem> - <guiicon>Add Printer</guiicon> - <guibutton>Next</guibutton> - </menuchoice>. Do not click <guimenuitem>Network printer</guimenuitem>. - Ensure that <guimenuitem>Local printer</guimenuitem> is selected. - </para></step> - - <step><para> - Click <guibutton>Next</guibutton>. In the - <guimenuitem>Manufacturer:</guimenuitem> panel, select <constant>HP</constant>. - In the <guimenuitem>Printers:</guimenuitem> panel, select the printer called - <constant>HP LaserJet 6</constant>. Click <guibutton>Next</guibutton>. - </para></step> - - <step><para> - In the <guimenuitem>Available ports:</guimenuitem> panel, select - <constant>FILE:</constant>. Accept the default printer name by clicking - <guibutton>Next</guibutton>. When asked, <quote>Would you like to print a - test page?,</quote> click <guimenuitem>No</guimenuitem>. Click - <guibutton>Finish</guibutton>. - </para></step> - - <step><para> - You may be prompted for the name of a file to print to. If so, close the - dialog panel. Right-click <menuchoice> - <guiicon>HP LaserJet 6</guiicon> - <guimenuitem>Properties</guimenuitem> - <guisubmenu>Details (Tab)</guisubmenu> - <guimenuitem>Add Port</guimenuitem> - </menuchoice>. - </para></step> - - <step><para> - In the <guimenuitem>Network</guimenuitem> panel, enter the name of - the print queue on the Samba server as follows: <constant>\\DIAMOND\hplj6a</constant>. - Click <menuchoice> - <guibutton>OK</guibutton> - <guibutton>OK</guibutton> - </menuchoice> to complete the installation. - </para></step> - - <step><para> - Repeat the printer installation steps above for both HP LaserJet 6 printers - as well as for both QMS Magicolor laser printers. - </para></step> - </procedure> - - </sect2> - - <sect2> - <title>Key Points Learned</title> - - <para> - How do you feel? You have built a capable network, a truly ambitious project. - Future network updates can be handled by - your staff. You must be a satisfied manager. Let's review the achievements. - </para> - - <itemizedlist> - <listitem><para> - A simple firewall has been configured to protect the server in the event that - the ISP firewall service should fail. - </para></listitem> - - <listitem><para> - The Samba configuration uses measures to ensure that only local network users - can connect to SMB/CIFS services. - </para></listitem> - - <listitem><para> - Samba uses the new <constant>tdbsam</constant> passdb backend facility. - Considerable complexity was added to Samba functionality. - </para></listitem> - - <listitem><para> - A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS - server. - </para></listitem> - - <listitem><para> - The DNS server was configured to permit DDNS only for local network clients. This - server also provides primary DNS services for the company Internet presence. - </para></listitem> - - <listitem><para> - You introduced an application server as well as the concept of cloning a Windows - client in order to effect improved standardization of desktops and to reduce - the costs of network management. - </para></listitem> - </itemizedlist> - - </sect2> - -</sect1> - -<sect1> - <title>Questions and Answers</title> - - <para> - </para> - - <qandaset defaultlable="missed01" type="number"> - <qandaentry> - <question> - - <para> - What is the maximum number of account entries that the <parameter>tdbsam</parameter> - passdb backend can handle? - </para> - - </question> - <answer> - - <para> - The tdb data structure and support system can handle more entries than the number of - accounts that are possible on most UNIX systems. A practical limit would come into - play long before a performance boundary would be anticipated. That practical limit - is controlled by the nature of Windows networking. There are few Windows file and - print servers that can handle more than a few hundred concurrent client connections. - The key limiting factors that predicate offloading of services to additional servers - are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. - All of these are readily exhausted by just a few hundred concurrent active users. - Such bottlenecks can best be removed by segmentation of the network (distributing - network load across multiple networks). - </para> - - <para> - As the network grows, it becomes necessary to provide additional authentication - servers (domain controllers). The tdbsam is limited to a single machine and cannot - be reliably replicated. This means that practical limits on network design dictate - the point at which a distributed passdb backend is required; at this time, there is - no real alternative other than ldapsam (LDAP). - </para> - - <para> - The guideline provided in <emphasis>TOSHARG2</emphasis>, Chapter 10, Section 10.1.2, - is to limit the number of accounts in the tdbsam backend to 250. This is the point - at which most networks tend to want backup domain controllers (BDCs). Samba does - not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The - limitation of 250 users per tdbsam is predicated only on the need for replication, - not on the limits<footnote><para>Bench tests have shown that tdbsam is a very - effective database technology. There is surprisingly little performance loss even - with over 4000 users.</para></footnote> of the tdbsam backend itself. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Would Samba operate any better if the OS level is set to a value higher than 35? - </para> - - </question> - <answer> - - <para> - No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value - of 35 already assures Samba of precedence over MS Windows products in browser elections. There is - no gain to be had from setting this higher. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups? - </para> - - </question> - <answer> - - <para> - At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at - a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special - Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Why has a path been specified in the <parameter>IPC$</parameter> share? - </para> - - </question> - <answer> - - <para> - This is done so that in the event that a software bug may permit a client connection to the IPC$ share to - obtain access to the file system, it does so at a location that presents least risk. Under normal operation - this type of paranoid step should not be necessary. The use of this parameter should not be necessary. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Why does the &smb.conf; file in this exercise include an entry for <smbconfoption name="smb ports"/>? - </para> - - </question> - <answer> - - <para> - The default order by which Samba attempts to communicate with MS Windows clients is via port 445 (the TCP port - used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS - over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By - specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. - The result of this is improved network performance. Where Samba is installed as an Active Directory Domain - member, the default behavior is highly beneficial and should not be changed. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - What is the difference between a print queue and a printer? - </para> - - </question> - <answer> - - <para> - A printer is a physical device that is connected either directly to the network or to a computer - via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a - hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a - single print data stream and block all secondary attempts to dispatch jobs concurrently to the - same device. If many clients were to concurrently print directly via TCP/IP to the same printer, - it would result in a huge amount of network traffic through continually failing connection attempts. - </para> - - <para> - A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or - print requests. When the data stream has been fully received, the input stream is closed, - and the job is then submitted to a sequential print queue where the job is stored until - the printer is ready to receive the job. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Can all MS Windows application software be installed onto an application server share? - </para> - - </question> - <answer> - - <para> - Much older Windows software is not compatible with installation to and execution from - an application server. Enterprise versions of Microsoft Office XP Professional can - be installed to an application server. Retail consumer versions of Microsoft Office XP - Professional do not permit installation to an application server share and can be installed - and used only to/from a local workstation hard disk. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Why use dynamic DNS (DDNS)? - </para> - - </question> - <answer> - - <para> - When DDNS records are updated directly from the DHCP server, it is possible for - network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate - Windows clients via DNS. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - Why would you use WINS as well as DNS-based name resolution? - </para> - - </question> - <answer> - - <para> - WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is - a name like <quote>myhost.mydomain.tld</quote> where <parameter>tld</parameter> - means <constant>top-level domain</constant>. A FQDN is a longhand but easy-to-remember - expression that may be up to 1024 characters in length and that represents an IP address. - A NetBIOS name is always 16 characters long. The 16<superscript>th</superscript> character - is a name type indicator. A specific name type is registered<footnote><para> - See <emphasis>TOSHARG2</emphasis>, Chapter 9, for more information.</para></footnote> for each - type of service that is provided by the Windows server or client and that may be registered - where a WINS server is in use. - </para> - - <para> - WINS is a mechanism by which a client may locate the IP Address that corresponds to a - NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name - that includes a particular registered NetBIOS name type. DNS does not provide a mechanism - that permits handling of the NetBIOS name type information. - </para> - - <para> - DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular - hostname or service name that has been registered in the DNS database for a particular domain. - A DNS server has limited scope of control and is said to be authoritative for the zone over - which it has control. - </para> - - <para> - Windows 200x Active Directory requires the registration in the DNS zone for the domain it - controls of service locator<footnote><para>See TOSHARG2, Chapter 9, Section 9.3.3.</para></footnote> records - that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also - requires the registration of special records that are called global catalog (GC) entries - and site entries by which domain controllers and other essential ADS servers may be located. - </para> - - </answer> - </qandaentry> - - <qandaentry> - <question> - - <para> - What are the major benefits of using an application server? - </para> - - </question> - <answer> - - <para> - The use of an application server can significantly reduce application update maintenance. - By providing a centralized application share, software updates need be applied to only - one location for all major applications used. This results in faster update roll-outs and - significantly better application usage control. - </para> - - </answer> - </qandaentry> - - </qandaset> - -</sect1> - -</chapter> |