Section 6.4. Questions and Answers | Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)

6.4. Questions and Answers

There is much rumor and misinformation regarding the use of MS Windows networking protocols. These questions are just a few of those frequently asked.

F.A.Q.

1. Q:	Is it true that DHCP uses lots of WAN bandwidth?
A:	It is a smart practice to localize DHCP servers on each network segment. As a rule, there should be two DHCP servers per network segment. This means that if one server fails, there is always another to service user needs. DHCP requests use only UDP broadcast protocols. It is possible to run a DHCP Relay Agent on network routers. This makes it possible to run fewer DHCP servers. A DHCP network address request and confirmation usually results in about six UDP packets. The packets are from 60 to 568 bytes in length. Let us consider a site that has 300 DHCP clients and that uses a 24-hour IP address lease. This means that all clients renew their IP address lease every 24 hours. If we assume an average packet length equal to the maximum (just to be on the safe side), and we have a 128 Kb/sec wide-area connection, how significant would the DHCP traffic be if all of it were to use DHCP Relay? I must stress that this is a bad design, but here is the calculation: Daily Network Capacity: 128,000 (Kbits/s) / 8 (bits/byte) x 3600 (sec/hr) x 24 (hrs/day)= 2288 Mbytes/day. DHCP traffic: 300 (clients) x 6 (packets) x 512 (bytes/packet) = 0.9 Mbytes/day. From this can be seen that the traffic impact would be minimal. Even when DHCP is configured to do DNS update (dynamic DNS) over a wide-area link, the impact of the update is no more than the DHCP IP address renewal traffic and thus still insignificant for most practical purposes.
2. Q:	How much background communication takes place between a master LDAP server and its slave LDAP servers?
A:	The process that controls the replication of data from the master LDAP server to the slave LDAP servers is called slurpd. The slurpd remains nascent (quiet) until an update must be propagated. The propagation traffic per LDAP slave to update (add/modify/delete) two user accounts requires less than 10KB traffic.
3. Q:	LDAP has a database. Is LDAP not just a fancy database front end?
A:	LDAP does store its data in a database of sorts. In fact, the LDAP backend is an application-specific data storage system. This type of database is indexed so that records can be rapidly located, but the database is not generic and can be used only in particular preprogrammed ways. General external applications do not gain access to the data. This type of database is used also by SQL servers. Both an SQL server and an LDAP server provide ways to access the data. An SQL server has a transactional orientation and typically allows external programs to perform ad hoc queries, even across data tables. An LDAP front end is a purpose-built tool that has a search orientation that is designed around specific simple queries. The term `database` is heavily overloaded and thus much misunderstood.
4. Q:	Can Active Directory obtain account information from an OpenLDAP server?
A:	No, at least not directly. It is possible to provision Active Directory from and/or to an OpenLDAP database through use of a metadirectory server. Microsoft MMS (now called MIIS) can interface to OpenLDAP using standard LDAP queries and updates.
5. Q:	What are the parts of a roaming profile? How large is each part?
A:	A roaming profile consists of Desktop folders such as `Desktop, My Documents, My Pictures, My Music, Internet Files, Cookies, Application Data, Local Settings`, and more. See Chapter 5, "Making Happy Users", Figure 5.3. Each of these can be anywhere from a few bytes to gigabytes in capacity. Fortunately, all such folders can be redirected to network drive resources. See Section 5.7.1 for more information regarding folder redirection. A static or rewritable portion that is typically only a few files (2-5 KB of information). The registry load file that modifies the `HKEY_LOCAL_USER` hive. This is the `NTUSER.DAT` file. It can be from 0.4 to 1.5 MB. Microsoft Outlook PST files may be stored in the `Local Settings\Application Data` folder. It can be up to 2 GB in size per PST file.
6. Q:	Can the `My Documents` folder be stored on a network drive?
A:	Yes. More correctly, such folders can be redirected to network shares. No specific network drive connection is required. Registry settings permit this to be redirected directly to a UNC (Universal Naming Convention) resource, though it is possible to specify a network drive letter instead of a UNC name. See Section 5.7.1.
7. Q:	How much WAN bandwidth does WINS consume?
A:	MS Windows clients cache information obtained from WINS lookups in a local NetBIOS name cache. This keeps WINS lookups to a minimum. On a network with 3500 MS Windows clients and a central WINS server, the total bandwidth demand measured at the WINS server, averaged over an 8-hour working day, was less than 30 KB/sec. Analysis of network traffic over a 6-week period showed that the total of all background traffic consumed about 11 percent of available bandwidth over 64 Kb/sec links. Background traffic consisted of domain replication, WINS queries, DNS lookups, and authentication traffic. Each of 11 branch offices had a 64 Kb/sec wide-area link, with a 1.5 Mb/sec main connection that aggregated the branch office connections plus an Internet connection. In conclusion, the total load afforded through WINS traffic is again marginal to total operational usage as it should be.
8. Q:	How many BDCs should I have? What is the right number of Windows clients per server?
A:	It is recommended to have at least one BDC per network segment, including the segment served by the PDC. Actual requirements vary depending on the working load on each of the BDCs and the load demand pattern of client usage. I have seen sites that function without problem with 200 clients served by one BDC, and yet other sites that had one BDC per 20 clients. In one particular company, there was a drafting office that had 30 CAD/CAM operators served by one server, a print server; and an application server. While all three were BDCs, typically only the print server would service network logon requests after the first 10 users had started to use the network. This was a reflection of the service load placed on both the application server and the data server. As unsatisfactory as the answer might sound, it all depends on network and server load characteristics.
9. Q:	I've heard that you can store NIS accounts in LDAP. Is LDAP not just a smarter way to run an NIS server?
A:	The correct answer to both questions is yes. But do understand that an LDAP server has a configurable schema that can store far more information for many more purposes than just NIS.
10. Q:	Can I use NIS in place of LDAP?
A:	No. The NIS database does not have provision to store Microsoft encrypted passwords and does not deal with the types of data necessary for interoperability with Microsoft Windows networking. The use of LDAP with Samba requires the use of a number of schemas, one of which is the NIS schema, but also a Samba-specific schema extension.

Example 6.3.1. LDAP Master Server Configuration File /etc/openldap/slapd.conf

include     /etc/openldap/schema/core.schema include     /etc/openldap/schema/cosine.schema include     /etc/openldap/schema/inetorgperson.schema include     /etc/openldap/schema/nis.schema include     /etc/openldap/schema/samba.schema pidfile     /var/run/slapd/slapd.pid argsfile    /var/run/slapd/slapd.args database    bdb suffix      "dc=abmas,dc=biz" rootdn      "cn=Manager,dc=abmas,dc=biz" # rootpw = not24get rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV replica     host=lapdc.abmas.biz:389             suffix="dc=abmas,dc=biz"             binddn="cn=updateuser,dc=abmas,dc=biz"             bindmethod=simple credentials=not24get access to attrs=sambaLMPassword,sambaNTPassword           by dn="cn=sambaadmin,dc=abmas,dc=biz" write           by * none replogfile  /var/lib/ldap/replogfile directory   /var/lib/ldap # Indices to maintain index objectClass           eq index cn                    pres,sub,eq index sn                    pres,sub,eq index uid                   pres,sub,eq index displayName           pres,sub,eq index uidNumber             eq index gidNumber             eq index memberUID             eq index sambaSID              eq index sambaPrimaryGroupSID  eq index sambaDomainName       eq index default               sub

Example 6.3.2. LDAP Slave Configuration File /etc/openldap/slapd.conf

include     /etc/openldap/schema/core.schema include     /etc/openldap/schema/cosine.schema include     /etc/openldap/schema/inetorgperson.schema include     /etc/openldap/schema/nis.schema include     /etc/openldap/schema/samba.schema pidfile     /var/run/slapd/slapd.pid argsfile    /var/run/slapd/slapd.args database    bdb suffix      "dc=abmas,dc=biz" rootdn      "cn=Manager,dc=abmas,dc=biz" # rootpw = not24get rootpw      {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV access to *             by dn=cn=updateuser,dc=abmas,dc=biz write             by * read updatedn    cn=updateuser,dc=abmas,dc=biz updateref   ldap://massive.abmas.biz directory   /var/lib/ldap # Indices to maintain index objectClass            eq index cn                     pres,sub,eq index sn                     pres,sub,eq index uid                    pres,sub,eq index displayName            pres,sub,eq index uidNumber              eq index gidNumber              eq index memberUID              eq index sambaSID               eq index sambaPrimaryGroupSID   eq index sambaDomainName        eq index default                sub

Example 6.3.3. Primary Domain Controller smb.conf File Part A

# Global parameters  [global]         unix charset = LOCALE         workgroup = MEGANET2         passdb backend = ldapsam : ldap : //massive.abmas.biz         username map = /etc/samba/smbusers         log level = 1         syslog = 0         log file = /var/log/samba/%m         max log size = 0         smb ports = 139         name resolve order = wins bcast hosts         time server = Yes         printcap name = CUPS         add user script = /opt /IDEALX/sbin /smbldapuseradd m '%u '         delete user script = /opt /IDEALX/sbin /smbldapuserdel '%u '         add group script = /opt /IDEALX/sbin /smbldapgroupadd p '%g '         delete group script = /opt /IDEALX/sbin /smbldapgroupdel '%g '         add user to group script = /opt /IDEALX/sbin /smbldapgroupmod  m '%g' '%u'         delete user from group script = /opt /IDEALX/sbin /smbldapgroupmod x '%g ' '%u '         set primary group script = /opt /IDEALX/sbin /smbldapusermod g '%g ' '%u '         add machine script = /opt /IDEALX/sbin /smbldapuseradd w '%u '         shutdown script = /var /lib/samba/scripts /shutdown.sh         abort shutdown script = /sbin /shutdown c         logon script = scripts \ logon.bat         logon path = \\%L\ profiles \%U         logon drive = X:         domain logons = Yes         domain master = Yes         wins support = Yes         ldap suffix = dc=abmas, dc=biz         ldap machine suffix = ou=People         ldap user suffix = ou=People         ldap group suffix = ou=Groups         ldap idmap suffix = ou=Idmap         ldap admin dn = cn=sambaadmin, dc=abmas, dc=biz         idmap backend = ldap : //massive.abmas.biz         idmap uid = 1000020000         idmap gid = 1000020000         printer admin = root         printing = cups

Example 6.3.4. Primary Domain Controller smb.conf File Part B

[IPC$]         path = /tmp  [accounts]         comment = Accounting Files         path = /data/accounts         read only = No  [service]         comment = Financial Services Files         path = /data /service         read only = No  [pidata]         comment = Property Insurance Files         path = /data /pidata         read only = No  [homes]         comment = Home Directories         valid users = %S         read only = No         browseable = No  [printers]         comment = SMB Print Spool         path = /var/spool/samba         guest ok = Yes         printable = Yes         browseable = No

Example 6.3.5. Primary Domain Controller smb.conf File Part C

[apps]         comment = Application Files         path = /apps         admin users = bjones         read only = No  [netlogon]         comment = Network Logon Service         path = /var/lib/samba/netlogon         admin users = root, Administrator         guest ok = Yes         locking = No  [profiles]         comment = Profile Share         path = /var/lib/samba/profiles         read only = No         profile acls = Yes  [profdata]         comment = Profile Data Share         path = /var/lib/samba/profdata         read only = No         profile acls = Yes  [print$]         comment = Printer Drivers         path = /var /lib/samba/drivers         write list = root         admin users = root, Administrator

Example 6.3.6. Backup Domain Controller smb.conf File Part A

# \# Global parameters  [global]         unix charset = LOCALE         workgroup = MEGANET2         netbios name = BLDG1         passdb backend = ldapsam : ldap : //lapdc.abmas.biz         username map = /etc/samba/smbusers         log level = 1         syslog = 0         log file = /var/log/samba/%m         max log size = 50         smb ports = 139         name resolve order = wins bcast hosts         printcap name = CUPS         show add printer wizard = No         logon script = scripts\logon.bat         logon path = \\%L\profiles\%U         logon drive = X:         domain logons = Yes         os level = 63         domain master = No         wins server = 192.168.2.1         ldap suffix = dc=abmas, dc=biz         ldap machine suffix = ou=People         ldap user suffix = ou=People         ldap group suffix = ou=Groups         ldap idmap suffix = ou=Idmap         ldap admin dn = cn=sambaadmin, dc=abmas, dc=biz         utmp = Yes         idmap backend = ldap : //massive.abmas.biz         idmap uid = 10000 20000         idmap gid = 10000 20000         printing = cups  [accounts]         comment = Accounting Files         path = /data/accounts         read only = No  [service]         comment = Financial Services Files         path = /data/service         read only = No

Example 6.3.7. Backup Domain Controller smb.conf File Part B

[pidata]         comment = Property Insurance Files         path = /data /pidata         read only = No  [homes]         comment = Home Directories         valid users = %S         read only = No         browseable = No  [printers]         comment = SMB Print Spool         path = /var/spool/samba         guest ok = Yes         printable = Yes         browseable = No  [apps]         comment = Application Files         path = /apps         admin users = bjones         read only = No  [netlogon]         comment = Network Logon Service         path = /var/lib/samba/netlogon         guest ok = Yes         locking = No  [profiles]         comment = Profile Share         path = /var/lib/samba/profiles         read only = No         profile acls = Yes  [profdata]         comment = Profile Data Share         path = /var/lib/samba/profdata         read only = No         profile acls = Yes