Section 2.4. Questions and Answers


2.4. Questions and Answers

Your new Domain Controller is ready to serve you. What does it mean? Here are some questions and answers that may help.

F.A.Q.

1. Q:

What is the key benefit of using DHCP to configure Windows client TCP/IP stacks?

A:

First and foremost, portability. It means that notebook users can move between the Abmas office and client offices (so long as they, too, use DHCP) without having to manually reconfigure their machines. It also means that when they work from their home environments either using DHCP assigned addressing or when using dial-up networking, settings such as default routes and DNS server addresses that apply only to the Abmas office environment do not interfere with remote operations. This is an extremely important feature of DHCP.

2. Q:

Are there any DHCP server configuration parameters in the /etc/dhcpd.conf that should be noted in particular?

A:

Yes. The configuration you created automatically provides each client with the IP address of your WINS server. It also configures the client to preferentially register NetBIOS names with the WINS server, and then instructs the client to first query the WINS server when a NetBIOS machine name needs to be resolved to an IP Address. This configuration results in far lower UDP broadcast traffic than would be the case if WINS was not used.

3. Q:

Is it possible to create a Windows Domain account that is specifically called Administrator?

A:

You can surely create a Windows Domain account called Administrator. It is also possible to map that account so that it has the effective UNIX UID of 0. This way it isn't necessary to use the username map facility to map this account to the UNIX account called root.

4. Q:

Why is it necessary to give the Windows Domain Administrator a UNIX UID of 0?

A:

The Windows Domain Administrator account is the most privileged account that exists on the Windows platform. This user can change any setting, add, delete, or modify user accounts, and completely reconfigure the system. The equivalent to this account in the UNIX environment is the root account. If you want to permit the Windows Domain Administrator to manage accounts as well as permissions, privileges, and security settings within the Domain and on the Samba server, equivalent rights must be assigned. This is achieved with the root UID equal to 0.

5. Q:

One of my junior staff needs the ability to add machines to the Domain, but I do not want to give him root access. How can we do this?

A:

Users who are members of the Domain Admins group can add machines to the Domain. This group is mapped to the UNIX group account called root (or the equivalent wheel on some UNIX systems) that has a GID of 0. This must be the primary GID of the account of the user who is a member of the Windows Domain Admins account.

6. Q:

Why must I map Windows Domain Groups to UNIX groups?

A:

Samba-3 does not permit a Domain Group to become visible to Domain network clients unless the account has a UNIX group account equivalent. The Domain groups that should be given UNIX equivalents are Domain Guests, Domain Users, and Domain Admins.

7. Q:

I deleted my root account and now I cannot add it back! What can I do?

A:

This is a nasty problem. Fortunately, there is a solution.

  1. Back up your existing configuration files in case you need to restore them.

  2. Rename the group_mapping.tdb file.

  3. Use the smbpasswd to add the root account.

  4. Restore the group_mapping.tdb file.

8. Q:

When I run net groupmap list, it reports a group called Administrators as well as Domain Admins. What is the difference between them?

A:

The group called Administrators is representative of the same account that would be present as the Local Group account on a Domain Member server or workstation. Samba uses only Domain Groups at this time. A Workstation or Server Local Group has no meaning in a Samba context. This may change at some later date. These accounts are provided only so that security objects are correctly shown.

9. Q:

What is the effect of changing the name of a Samba server or of changing the Domain name?

A:

If you elect to change the name of the Samba server, on restarting smbd, Windows security identifiers are changed. In the case of a standalone server or a Domain Member server, the machine SID is changed. This may break Domain membership. In the case of a change of the Domain name (Workgroup name), the Domain SID is changed. This affects all Domain memberships.

If it becomes necessary to change either the server name or the Domain name, be sure to back up the respective SID before the change is made. You can back up the SID using the net getlocalsid (Samba-3) or the smbpasswd (Samba-2.2.x). To change the SID, you use the same tool. Be sure to check the man page for this command for detailed instructions regarding the steps involved.

10. Q:

How can I manage user accounts from my Windows XP Professional workstation?

A:

Samba-3 implements a Windows NT4-style security domain architecture. This type of Domain cannot be managed using tools present on a Windows XP Professional installation. You may download from the Microsoft Web site the SRVTOOLS.EXE package. Extract it into the directory from which you wish to use it. This package extracts the tools: User Manager for Domains, Server Manager, and Event Viewer. You may use the User Manager for Domains to manage your Samba-3 Domain user and group accounts. Of course, you do need to be logged on as the Administrator for the Samba-3 Domain. It may help to log on as the root account.

Example 2.3.2. Abmas Accounting DHCP Server Configuration File /etc/dhcpd.conf
default-lease-time 86400; max-lease-time 172800; default-lease-time 86400; option ntp-servers 192.168.1.1; option domain-name "abmas.biz"; option domain-name-servers 192.168.1.1, 192.168.2.1; option netbios-name-servers 192.168.1.1, 192.168.2.1; option netbios-node-type 8; ### NOTE ### # netbios-node-type=8 means set clients to Hybrid Mode #   so they will use Unicast communication with the WINS #   server and thus reduce the level of UDP broadcast #   traffic by up to 90%. ############ subnet 192.168.1.0 netmask 255.255.255.0 {    range dynamic-bootp 192.168.1.128 192.168.1.254;    option subnet-mask 255.255.255.0;    option routers 192.168.1.1;    allow unknown-clients;    host hplj4 {       hardware ethernet 08:00:46:7a:35:e4;       fixed-address 192.168.1.10;       }    host hplj6 {       hardware ethernet 00:03:47:cb:81:e0;       fixed-address 192.168.1.11;       }    } subnet 192.168.2.0 netmask 255.255.255.0 {    range dynamic-bootp 192.168.2.128 192.168.2.254;    option subnet-mask 255.255.255.0;    option routers 192.168.2.1;    allow unknown-clients;    host qms {       hardware ethernet 01:04:31:db:e1:c0;       fixed-address 192.168.1.10;       }    } subnet 127.0.0.0 netmask 255.0.0.0 {    } 

Example 2.3.3. Accounting Office Network smb.conf File [globals] Section

[View full width]

# Global parameters [global] workgroup = BILLMORE passwd chat = *New*Password * %n\n*Reenter *new* password * %n\n * Password * changed * username map = /etc/samba/smbusers syslog = 0 name resolve order = wins bcast hosts printcap name = CUPS show add printer wizard = No add user script = /usr/sbin/useradd m '%u' delete user script = /usr/sbin/userdel r '%u' add group script = /usr/sbin/groupadd '%g' delete group script = /usr/sbin/groupdel '%g' add user to group script = /usr/sbin/usermod G '%g' '%u' add machine script = /usr/sbin/useradd s /bin/false d /var/lib/nobody '%u' logon script = scripts\login.bat logon path = logon drive = X: domain logons = Yes preferred master = Yes wins support = Yes printing = CUPS

Example 2.3.4. Accounting Office Network smb.conf File Services and Shares Section
[homes]        comment = Home Directories        valid users = %S        read only = No        browseable = No [printers]        comment = SMB Print Spool        path = /var/spool/samba        printable = Yes        guest ok = Yes        use client driver = Yes        browseable = No [netlogon]        comment = Network Logon Service        path = /data/%U        valid users = %S        read only = No [accounts]        comment = Accounting Files        path = /data/accounts        valid users = %G        read only = No [finsvcs]        comment = Financial Service Files        path = /data/finsvcs        valid users = %G        read only = No 



    Samba-3 by Example. Practical Exercises to Successful Deployment
    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net