15.9. Shared Data Integrity

The integrity of shared data is often viewed as a particularly emotional issue, especially where there are concurrent problems with multiuser data access. Contrary to the assertions of some who have experienced problems in either area, the cause has nothing to do with the phases of the moons of Jupiter. The solution to concurrent multiuser data access problems must consider three separate areas from which the problem may stem:
Many database applications use some form of application-level access control. An example of one well-known application that uses application-level locking is Microsoft Access. Detailed guidance is provided here because this is the most common application for which problems have been reported. Common applications that are affected by client- and server-side locking controls include MS Excel and Act!. Important locking guidance is provided here.

15.9.1. Microsoft Access

The best advice that can be given is to carefully read the Microsoft knowledgebase articles that cover this area. Examples of relevant documents include:
Make sure that your MS Access database file is configured for multiuser access (not set for exclusive open). Open MS Access on each client workstation, then set the following: (Menu bar) Tools+Options+[tab] General. Set network path to Default database folder: \\server\share\folder. You can configure MS Access file sharing behavior as follows: click [tab] Advanced. Set:
You must now commit the changes so that they will take effect. To do so, click Apply, then Ok. At this point, you should exit MS Access, restart it, and then validate that these settings have not changed.

15.9.2. Act! Database Sharing

Where the server sharing the Act! database(s) is running Samba, or Windows NT, 200x, or XP, you must disable opportunistic locking on the server and all workstations. Failure to do so results in data corruption. This information is available from the Act! Web site knowledgebase articles 1998223162925[6] as well as from article 200110485036[7].
These documents clearly state that opportunistic locking must be disabled on the server (Samba in the case we are interested in here) as well as on every workstation from which the centrally shared Act! database will be accessed. Act! provides a tool called Act!Diag that may be used to disable all workstation registry settings that may otherwise interfere with the operation of Act!. Registered Act! users may download this utility from the Act! Web site.[8]
15.9.3. Opportunistic Locking Controls

Third-party Windows applications may not be compatible with the use of opportunistic file and record locking. For applications that are known not to be compatible,[9] oplock support may need to be disabled both on the Samba server and on the Windows workstations.
Oplocks enable a Windows client to cache parts of a file that are being edited. Another Windows client may then request to open the file with the ability to write to it. The server will then ask the original workstation that had the file open with a write lock to release its lock. Before doing so, that workstation must flush the file from cache memory to the disk or network drive.

Disabling of oplocks usage may require server and client changes. Oplocks may be disabled by file, by file pattern, on the share, or on the Samba server.

The following are examples showing how oplock support may be managed using Samba smb.conf file settings:

By file:

    veto oplock files = myfile.mdb

By pattern:

    veto oplock files = /*.mdb/

On the share:

    oplocks = No
    level2 oplocks = No

On the server (in [global]):

    oplocks = No
    level2 oplocks = No

The following registry entries on Microsoft Windows XP Professional, 2000 Professional, and Windows NT4 workstation clients must be configured as shown here:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "EnableOplocks"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
    "UseOpportunisticLocking"=dword:00000000

Comprehensive coverage of file and record-locking controls is provided in TOSHARG2, Chapter 13. The information in that chapter was obtained from a wide variety of sources.

Example 15.3.2. A Sample Samba Control Script for Red Hat Linux

    #!/bin/sh
    #
    # chkconfig: 345 81 35
    # description: Starts and stops the Samba smbd and nmbd daemons \
    #              used to provide SMB network services.

    # Source function library.
    . /etc/rc.d/init.d/functions
    # Source networking configuration.
    . /etc/sysconfig/network
    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0
    CONFIG=/etc/samba/smb.conf
    # Check that smb.conf exists.
    [ -f "$CONFIG" ] || exit 0
    # See how we were called.
    case "$1" in
    start)
        echo -n "Starting SMB services: "
        daemon smbd -D; daemon nmbd -D; echo;
        touch /var/lock/subsys/smb
        ;;
    stop)
        echo -n "Shutting down SMB services: "
        smbdpids=`ps guax | grep smbd | grep -v grep | awk '{print $2}'`
        for pid in $smbdpids; do
            kill -TERM $pid
        done
        killproc nmbd -TERM; rm -f /var/lock/subsys/smb
        echo ""
        ;;
    status)
        status smbd; status nmbd;
        ;;
    restart)
        echo -n "Restarting SMB services: "
        $0 stop; $0 start;
        echo "done."
        ;;
    *)
        echo "Usage: smb {start|stop|restart|status}"
        exit 1
    esac

Example 15.4.1. DNS Localhost Forward Zone File: /var/lib/named/localhost.zone

    $TTL 1W
    @       IN SOA  @ root (
                    42      ; serial
                    2D      ; refresh
                    4H      ; retry
                    6W      ; expiry
                    1W )    ; minimum

            IN NS   @
            IN A    127.0.0.1

Example 15.4.2. DNS Localhost Reverse Zone File: /var/lib/named/127.0.0.zone

    $TTL 1W
    @       IN SOA  localhost. root.localhost. (
                    42      ; serial
                    2D      ; refresh
                    4H      ; retry
                    6W      ; expiry
                    1W )    ; minimum

            IN NS   localhost.
    1       IN PTR  localhost.

Example 15.4.3. DNS Root Name Server Hint File: /var/lib/named/root.hint

    ; This file is made available by InterNIC under anonymous FTP as
    ;   file        /domain/named.root
    ;   on server   FTP.INTERNIC.NET
    ; last update: Nov 5, 2002. Related version of root zone: 2002110501
    ; formerly NS.INTERNIC.NET
    .                    3600000 IN NS A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.  3600000    A  198.41.0.4
    ; formerly NS1.ISI.EDU
    .                    3600000    NS B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.  3600000    A  128.9.0.107
    ; formerly C.PSI.NET
    .                    3600000    NS C.ROOT-SERVERS.NET.
    C.ROOT-SERVERS.NET.  3600000    A  192.33.4.12
    ; formerly TERP.UMD.EDU
    .                    3600000    NS D.ROOT-SERVERS.NET.
    D.ROOT-SERVERS.NET.  3600000    A  128.8.10.90
    ; formerly NS.NASA.GOV
    .                    3600000    NS E.ROOT-SERVERS.NET.
    E.ROOT-SERVERS.NET.  3600000    A  192.203.230.10
    ; formerly NS.ISC.ORG
    .                    3600000    NS F.ROOT-SERVERS.NET.
    F.ROOT-SERVERS.NET.  3600000    A  192.5.5.241
    ; formerly NS.NIC.DDN.MIL
    .                    3600000    NS G.ROOT-SERVERS.NET.
    G.ROOT-SERVERS.NET.  3600000    A  192.112.36.4
    ; formerly AOS.ARL.ARMY.MIL
    .                    3600000    NS H.ROOT-SERVERS.NET.
    H.ROOT-SERVERS.NET.  3600000    A  128.63.2.53
    ; formerly NIC.NORDU.NET
    .                    3600000    NS I.ROOT-SERVERS.NET.
    I.ROOT-SERVERS.NET.  3600000    A  192.36.148.17
    ; operated by VeriSign, Inc.
    .                    3600000    NS J.ROOT-SERVERS.NET.
    J.ROOT-SERVERS.NET.  3600000    A  192.58.128.30
    ; housed in LINX, operated by RIPE NCC
    .                    3600000    NS K.ROOT-SERVERS.NET.
    K.ROOT-SERVERS.NET.  3600000    A  193.0.14.129
    ; operated by IANA
    .                    3600000    NS L.ROOT-SERVERS.NET.
    L.ROOT-SERVERS.NET.  3600000    A  198.32.64.12
    ; housed in Japan, operated by WIDE
    .                    3600000    NS M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.  3600000    A  202.12.27.33
    ; End of File

Example 15.5.1. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part A

    #!/bin/bash
    #
    # This script prepares the ldif LDAP load file only
    #

    # Pattern File Name
    file=init-ldif.pat

    # The name of my organization
    ORGNAME="My Organization"

    # My Internet domain. ie: if my domain is: buckets.org, INETDOMAIN="buckets"
    INETDOMAIN="my-domain"

    # In the above case, my domain is: buckets.org, TLDORG="org"
    TLDORG="org"

    # This is the Samba Domain/Workgroup Name
    DOMNAME="MYWORKGROUP"

    #
    # Here We Go ...
    #

    cat <<EOF

    How do you wish to refer to your organization?

    Suggestions:
        Black Tire Company, Inc.
        Cat With Hat Ltd.

    How would you like your organization name to appear?

    EOF

    echo "Your organization name is: $ORGNAME"
    echo
    echo "Enter a new name or, press Enter to Continue."
    echo

Example 15.5.2. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part B

    echo -e -n "Name [$ORGNAME]: "
    read name

    if [ ! -z "$name" ]; then
        ORGNAME=${name}
    fi
    echo
    sed "s/ORGNAME/${ORGNAME}/g" < $file > $file.tmp1

    # Try to find smb.conf
    if [ -e /usr/local/samba/lib/smb.conf ]; then
        CONF=/usr/local/samba/lib/smb.conf
    elif [ -e /etc/samba/smb.conf ]; then
        CONF=/etc/samba/smb.conf
    fi

    echo "Samba Config File Location [$CONF]: "
    echo
    echo "Enter a new full path or press Enter to continue."
    echo
    echo -n "Samba Config File Location [$CONF]: "
    read name
    if [ ! -z "$name" ]; then
        CONF=$name
    fi
    echo

    # Find the name of our Domain/Workgroup
    DOMNAME=`grep -i workgroup ${CONF} | sed "s/ //g" | cut -f2 -d=`
    echo Domain Name: $DOMNAME
    echo

    sed "s/DOMNAME/${DOMNAME}/g" < $file.tmp1 > $file.tmp2

    DOMSID=`net getlocalsid ${DOMNAME} | cut -f2 -d: | sed "s/ //g"`
    echo Domain SID: $DOMSID

    sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1

Example 15.5.3. LDAP Pre-configuration Script: SMBLDAP-ldif-preconfig.sh Part C

    cat <<EOL
    The name of your Internet domain is now needed in a special format
    as follows, if your domain name is mydomain.org, what we need is
    the information in the form of:
        Domain ID: mydomain
        Top level: org

    If your fully qualified hostname is: snoopy.bazaar.garagesale.net
    where "snoopy" is the name of the machine,
    Then the information needed is:
        Domain ID: garagesale
        Top Level: net

    EOL
    INETDOMAIN=`hostname -d | cut -f1 -d.`
    echo Found the following domain name: `hostname -d`
    echo "I think the bit we are looking for might be: $INETDOMAIN"
    echo
    echo -n "Enter the domain name or press Enter to continue: "
    read domnam
    if [ ! -z "$domnam" ]; then
        INETDOMAIN=$domnam
    fi
    echo
    sed "s/INETDOMAIN/${INETDOMAIN}/g" < $file.tmp1 > $file.tmp2
    TLDORG=`hostname -d | sed "s/${INETDOMAIN}.//g"`
    echo "The top level organization name I will use is: ${TLDORG}"
    echo
    echo -n "Enter the top level org name or press Enter to continue: "
    read domnam
    if [ ! -z "$domnam" ]; then
        TLDORG=$domnam
    fi
    sed "s/TLDORG/${TLDORG}/g" < $file.tmp2 > $DOMNAME.ldif
    rm $file.tmp*
    exit 0

Example 15.5.4. LDIF Pattern File Used to Pre-configure LDAP Part A

    dn: dc=INETDOMAIN,dc=TLDORG
    objectClass: dcObject
    objectClass: organization
    dc: INETDOMAIN
    o: ORGNAME
    description: Posix and Samba LDAP Identity Database

    dn: cn=Manager,dc=INETDOMAIN,dc=TLDORG
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    dn: ou=People,dc=INETDOMAIN,dc=TLDORG
    objectClass: top
    objectClass: organizationalUnit
    ou: People

    dn: ou=Computers,dc=INETDOMAIN,dc=TLDORG
    objectClass: top
    objectClass: organizationalUnit
    ou: Computers

    dn: ou=Groups,dc=INETDOMAIN,dc=TLDORG
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups

    dn: ou=Idmap,dc=INETDOMAIN,dc=TLDORG
    objectClass: top
    objectClass: organizationalUnit
    ou: Idmap

    dn: sambaDomainName=DOMNAME,ou=Domains,dc=INETDOMAIN,dc=TLDORG
    objectClass: sambaDomain
    sambaDomainName: DOMNAME
    sambaSID: DOMSID
    sambaAlgorithmicRidBase: 1000
    structuralObjectClass: sambaDomain

Example 15.5.5. LDIF Pattern File Used to Pre-configure LDAP Part B

    dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 512
    cn: domadmins
    sambaSID: DOMSID-512
    sambaGroupType: 2
    displayName: Domain Admins
    description: Domain Administrators

    dn: cn=domguests,ou=Groups,dc=INETDOMAIN,dc=TLDORG
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 514
    cn: domguests
    sambaSID: DOMSID-514
    sambaGroupType: 2
    displayName: Domain Guests
    description: Domain Guests Users

    dn: cn=domusers,ou=Groups,dc=INETDOMAIN,dc=TLDORG
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 513
    cn: domusers
    sambaSID: DOMSID-513
    sambaGroupType: 2
    displayName: Domain Users
    description: Domain Users

Example 15.6.1. Example LAM Configuration File config.cfg

    # password to add/delete/rename configuration profiles
    password: not24get

    # default profile, without ".conf"
    default: lam

Example 15.6.2. LAM Profile Control File lam.conf

    ServerURL: ldap://massive.abmas.org:389
    Admins: cn=Manager,dc=abmas,dc=biz
    Passwd: not24get
    usersuffix: ou=People,dc=abmas,dc=biz
    groupsuffix: ou=Groups,dc=abmas,dc=biz
    hostsuffix: ou=Computers,dc=abmas,dc=biz
    domainsuffix: ou=Domains,dc=abmas,dc=biz
    MinUID: 0
    MaxUID: 65535
    MinGID: 0
    MaxGID: 65535
    MinMachine: 20000
    MaxMachine: 25000
    userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
    grouplistAttributes: #cn;#gidNumber;#memberUID;#description
    hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
    maxlistentries: 30
    defaultLanguage: en_GB:ISO-8859-1:English (Great Britain)
    scriptPath:
    scriptServer:
    samba3: yes
    cachetimeout: 5
    pwdhash: SSHA
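Returning to the oplock controls of Section 15.9.3: the smb.conf settings shown there (oplocks and level2 oplocks on the share or in [global], plus veto oplock files) can be checked mechanically before a shared database goes live. The following Python sketch is an added example, not part of the original text or of Samba; the sample configuration, share names, and function names are constructed for illustration, and on a live server the output of testparm remains the authoritative view of the effective settings.

```python
import fnmatch

# Constructed smb.conf for illustration; share names and paths are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYWORKGROUP
   oplocks = Yes
   level2 oplocks = Yes
[accounts]
   path = /data/accounts
   veto oplock files = /*.mdb/
[actdata]
   path = /data/act
   oplocks = No
   level2 oplocks = No
[scratch]
   path = /data/scratch
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: sections and 'name = value' lines only
    (no backslash continuations or include files)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Parameter names ignore case and whitespace.
            current["".join(name.lower().split())] = value.strip()
    return sections

def oplocks_possible(conf_text, share, filename):
    """True unless the share follows the guidance above for this file:
    both oplock parameters set to No, or the file vetoed by pattern."""
    sections = parse_smb_conf(conf_text)
    eff = {**sections.get("global", {}), **sections.get(share.lower(), {})}
    # Both parameters default to yes when they are not set anywhere.
    on = lambda name: eff.get(name, "yes").lower() in ("yes", "true", "1")
    if not (on("oplocks") or on("level2oplocks")):
        return False
    patterns = [p for p in eff.get("vetooplockfiles", "").split("/") if p]
    # Case-insensitive matching is an assumption of this sketch.
    return not any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in patterns)

def exposed_shares(conf_text, filename):
    """Shares on which `filename` could still be opened with an oplock."""
    shares = [s for s in parse_smb_conf(conf_text) if s != "global"]
    return sorted(s for s in shares if oplocks_possible(conf_text, s, filename))
```

With the constructed configuration, an .mdb file is protected on the accounts share by the veto pattern and on actdata by the share-level settings, while scratch inherits the [global] defaults and is reported.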