Section 3.3. Implementation

3.3. Implementation

Figure 3.1 demonstrates the overall design of the network that you will implement.

Figure 3.1. Abmas Network Topology 130 Users

The information presented here assumes that you are already familiar with many basic steps. As this stands, the details provided already extend well beyond just the necessities of Samba configuration. This decision is deliberate to ensure that key determinants of a successful installation are not overlooked. This is the last case that documents the finite minutiae of DHCP and DNS server configuration. Beyond the information provided here, there are many other good reference books on these subjects.

The smb.conf file has the following noteworthy features:

  • The NetBIOS name of the Samba server is set to DIAMOND.

  • The Domain name is set to PROMISES.

  • Ethernet interface eth0 is attached to the Internet connection and is externally exposed. This interface is explicitly not available for Samba to use. Samba listens on this interface for broadcast messages but does not broadcast any information on eth0, nor does it accept any connections from it. This is achieved by way of the interfaces parameter and the bind interfaces only entry.

  • The passdb backend parameter specifies the creation and use of the TDbsam password backend. This is a binary database that has excellent scalability for a large number of user account entries.

  • WINS serving is enabled by the wins support = Yes, and name resolution is set to use it by means of the name resolve order = wins bcast hosts entry.

  • The Samba server is configured for use by Windows clients as a time server.

  • Samba is configured to directly interface with CUPS via the direct internal interface that is provided by CUPS libraries. This is achieved with the printing = CUPS as well as the printcap name = CUPS entries.

  • External interface scripts are provided to enable Samba to interface smoothly to essential operating system functions for user and group management. This is important to enable workstations to join the Domain and is also important so that you can use the Windows NT4 Domain User Manager as well as the Domain Server Manager. These tools are provided as part of the SRVTOOLS.EXE toolkit that can be downloaded from the Microsoft FTP site[1].

    [1] <>

  • The smb.conf file specifies that the Samba server will operate in (default) security = user mode[2] (User Mode).

    [2] See TOSHARG2, Chapter 3. This is necessary so that Samba can act as a Domain Controller (PDC); see TOSHARG2, Chapter 4, for additional information.

  • Domain logon services as well as a Domain logon script are specified. The logon script will be used to add robustness to the overall network configuration.

  • Roaming profiles are enabled through the specification of the parameter, logon path = \\%L\profiles\%U. The value of this parameter translates the %L to the name by which the Samba server is called by the client (for this configuration, it translates to the name DIAMOND), and the %U will translate to the name of the user within the context of the connection made to the profile share. It is the administrator's responsibility to ensure there is a directory in the root of the profile share for each user. This directory must be owned by the user also. An exception to this requirement is when a profile is created for group use.

  • Precautionary veto is effected for particular Windows file names that have been targeted by virus-related activity. Additionally, Microsoft Office files are vetoed from opportunistic locking controls. This should help to prevent lock contention-related file access problems.

  • Every user has a private home directory on the UNIX/Linux host. This is mapped to a network drive that is the same for all users.

The configuration of the server is the most complex so far. The following steps are used:


Basic System Configuration


Samba Configuration


DHCP and DNS Server Configuration


Printer Configuration


Process Start-up Configuration




Application Share Configuration


Windows Client Configuration

The following sections cover each step in logical and defined detail.

3.3.1. Basic System Configuration

The preparation in this section assumes that your SUSE Enterprise Linux Server 8.0 system has been freshly installed. It prepares basic files so that the system is ready for comprehensive operation in line with the network diagram shown in Figure 3.1.



Using the UNIX/Linux system tools, name the server Verify that your hostname is correctly set by running:

root#  uname -n server 

An alternate method to verify the hostname is:

root#  hostname -f 


Edit your /etc/hosts file to include the primary names and addresses of all network interfaces that are on the host server. This is necessary so that during startup the system can resolve all its own names to the IP address prior to startup of the DNS server. An example of entries that should be in the /etc/hosts file is:      localhost sleeth1 diamond sleeth2 server 

You should check the startup order of your system. If the CUPS print server is started before the DNS server (named), you should also include an entry for the printers in the /etc/hosts file, as follows: qmsa hplj6a qmsf hplj6f 

The printer entries are not necessary if named is started prior to startup of cupsd, the CUPS daemon.


The host server is acting as a router between the two internal network segments as well as for all Internet access. This necessitates that IP forwarding be enabled. This can be achieved by adding to the /etc/rc.d/boot.local an entry as follows:

echo 1 > /proc/sys/net/ipv4/ip_forward 

To ensure that your kernel is capable of IP forwarding during configuration, you may wish to execute that command manually also. This setting permits the Linux system to act as a router.[3]

[3] You may want to do the echo command last and include "0" in the init scripts, since it opens up your network for a short time.


Installation of a basic firewall and NAT facility is necessary. The following script can be installed in the /usr/local/sbin directory. It is executed from the /etc/rc.d/boot.local startup script. In your case, this script is called The script contents are shown in Example 3.3.1.


Execute the following to make the script executable:

root#  chmod 755 /usr/local/sbin/ 

You must now edit /etc/rc.d/boot.local to add an entry that runs your script. The following entry works for you:

#! /bin/sh # # Copyright (c) 2002 SUSE Linux AG Nuernberg, Germany. # All rights reserved. # # Author: Werner Fink, 1996 #         Burchard Steinbild, 1996 # # /etc/init.d/boot.local # # script with local commands to be executed from init on system startup # # Here you should add things that should happen directly after booting # before we're going to the first run level. # /usr/local/sbin/ 

The server is now ready for Samba configuration. During the validation step, you remove the entry for the Samba server diamond from the /etc/hosts file. This is done after you are satisfied that DNS-based name resolution is functioning correctly.

3.3.2. Samba Configuration

When you have completed this section, the Samba server is ready for testing and validation; however, testing and validation have to wait until DHCP, DNS, and printing (CUPS) services have been configured.



Install the Samba-3 binary RPM from the Samba-Team FTP site. Assuming that the binary RPM file is called samba-3.0.20-1.i386.rpm, one way to install this file is as follows:

root#  rpm -Uvh samba-3.0.20-1.i386.rpm 

This operation must be performed while logged in as the root user. Successful operation is clearly indicated. If this installation should fail for any reason, refer to the operating system manufacturer's documentation for guidance.


Install the smb.conf file shown in Example 3.3.2, Example 3.3.3, and Example 3.3.4. Concatenate (join) all three files to make a single smb.conf file. The final, fully qualified path for this file should be /etc/samba/smb.conf.


Add the root user to the password backend as follows:

root#  smbpasswd -a root New SMB password: XXXXXXXX Retype new SMB password: XXXXXXXX root# 

The root account is the UNIX equivalent of the Windows Domain Administrator. This account is essential in the regular maintenance of your Samba server. It must never be deleted. If for any reason the account is deleted, you may not be able to recreate this account without considerable trouble.


Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents:

#### # User mapping file #### # File Format # ----------- # Unix_ID = Windows_ID # # Examples: # root = Administrator # janes = "Jane Smith" # jimbo = Jim Bones # # Note: If the name contains a space it must be double quoted. #       In the example above the name 'jimbo' will be mapped to Windows #       user names 'Jim' and 'Bones' because the space was not quoted. ####################################################################### root = Administrator #### # End of File #### 


Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Chapter 2, "Small Office Networking", Example 2.3.1. Create a file containing this script. We called ours /etc/samba/ Set this file so it can be executed, and then execute the script. Sample output should be as follows:

root#  chmod 755 root#  /etc/samba # ./ Updated mapping entry for Domain Admins Updated mapping entry for Domain Users Updated mapping entry for Domain Guests No rid or sid specified, choosing algorithmic mapping Successfully added group Accounts Dept to the mapping db No rid or sid specified, choosing algorithmic mapping Successfully added group Domain Guests to the mapping db root#  /etc/samba # net groupmap list | sort Account Operators (S-1-5-32-548) -> -1 Accounts Dept (S-1-5-21-179504-2437109-488451-2003) -> acctsdep Administrators (S-1-5-32-544) -> -1 Backup Operators (S-1-5-32-551) -> -1 Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody Domain Users (S-1-5-21-179504-2437109-488451-513) -> users Financial Services (S-1-5-21-179504-2437109-488451-2005) -> finsrvcs Guests (S-1-5-32-546) -> -1 Power Users (S-1-5-32-547) -> -1 Print Operators (S-1-5-32-550) -> -1 Replicators (S-1-5-32-552) -> -1 System Operators (S-1-5-32-549) -> -1 Users (S-1-5-32-545) -> -1 


There is one preparatory step without which you will not have a working Samba network environment. You must add an account for each network user. For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system account, and use the Samba smbpasswd to create a Domain user account. There are a number of tools for user management under UNIX, such as useradd, and adduser, as well as a plethora of custom tools. You also want to create a home directory for each user. You can do this by executing the following steps for each user:

root#  useradd -m username root#  passwd username Changing password for username. New password: XXXXXXXX Re-enter new password: XXXXXXXX Password changed root#  smbpasswd -a username New SMB password: XXXXXXXX Retype new SMB password: XXXXXXXX Added user username. 

You do of course use a valid user login ID in place of username.


Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control will be based on UNIX group membership.


Create the directory mount point for the disk subsystem that can be mounted to provide data storage for company files. In this case the mount point is indicated in the smb.conf file is /data. Format the file system as required, and mount the formatted file system partition using appropriate system tools.


Create the top-level file storage directories for data and applications as follows:

root#  mkdir -p /data/{accounts,finsvcs} root#  mkdir -p /apps root#  chown -R root:root /data root#  chown -R root:root /apps root#  chown -R bjordan:accounts /data/accounts root#  chown -R bjordan:finsvcs /data/finsvcs root#  chmod -R ug+rwxs,o-rwx /data root#  chmod -R ug+rwx,o+rx-w /apps 

Each department is responsible for creating its own directory structure within the departmental share. The directory root of the accounts share is /data/accounts. The directory root of the finsvcs share is /data/finsvcs. The /apps directory is the root of the apps share that provides the application server infrastructure.


The smb.conf file specifies an infrastructure to support roaming profiles and network logon services. You can now create the file system infrastructure to provide the locations on disk that these services require. Adequate planning is essential, since desktop profiles can grow to be quite large. For planning purposes, a minimum of 200 MB of storage should be allowed per user for profile storage. The following commands create the directory infrastructure needed:

root#  mkdir -p /var/spool/samba root#  mkdir -p /var/lib/samba/{netlogon/scripts,profiles} root#  chown -R root:root /var/spool/samba root#  chown -R root:root /var/lib/samba root#  chmod a+rwxt /var/spool/samba 

For each user account that is created on the system, the following commands should be executed:

root#  mkdir /var/lib/samba/profiles/'username' root#  chown 'username':users /var/lib/samba/profiles/'username' root#  chmod ug+wrx,o+rx,-w /var/lib/samba/profiles/'username' 


Create a logon script. It is important that each line is correctly terminated with a carriage return and line-feed combination (i.e., DOS encoding). The following procedure works if the right tools (unix2dos and dos2unix) are installed. First, create a file called /var/lib/samba/netlogon/scripts/logon.bat.unix with the following contents:

net time \\diamond /set /yes net use h: /home net use p: \\diamond\apps 

Convert the UNIX file to a DOS file using the unix2dos as shown here:

root#  unix2dos < /var/lib/samba/netlogon/scripts/logon.bat.unix \    > /var/lib/samba/netlogon/scripts/logon.bat 

3.3.3. Configuration of DHCP and DNS Servers

DHCP services are a basic component of the entire network client installation. DNS operation is foundational to Internet access as well as to trouble-free operation of local networking. When you have completed this section, the server should be ready for solid duty operation.



Create a file called /etc/dhcpd.conf with the contents as shown in Example 3.3.6.


Create a file called /etc/named.conf that has the combined contents of the Example 3.3.7, Example 3.3.8, and Example 3.3.9 files that are concatenated (merged) in this specific order.


Create the files shown in their respective directories as shown in Table 3.2.

Table 3.2. DNS (named) Resource Files


File Location

Example 15.4.1


Example 15.4.2


Example 15.4.3


Example 3.3.12


Example 3.3.13


Example 3.3.10


Example 3.3.11



All DNS name resolution should be handled locally. To ensure that the server is configured correctly to handle this, edit /etc/resolv.conf to have the following content:

search nameserver nameserver 

This instructs the name resolver function (when configured correctly) to ask the DNS server that is running locally to resolve names to addresses. In the event that the local name server is not available, ask the name server provided by the ISP. The latter, of course, does not resolve purely local names to IP addresses.


The final step is to edit the /etc/nsswitch.conf file. This file controls the operation of the various resolver libraries that are part of the Linux Glibc libraries. Edit this file so that it contains the following entries:

hosts:    files dns wins 

The basic DHCP and DNS services are now ready for validation testing. Before you can proceed, there are a few more steps along the road. First, configure the print spooling and print processing system. Then you can configure the server so that all services start automatically on reboot. You must also manually start all services prior to validation testing.

3.3.4. Printer Configuration

Network administrators who are new to CUPS based-printing typically experience some difficulty mastering its powerful features. The steps outlined in this section are designed to navigate around the distractions of learning CUPS. Instead of implementing smart features and capabilities, our approach is to use it as a transparent print queue that performs no filtering, and only minimal handling of each print job that is submitted to it. In other words, our configuration turns CUPS into a raw-mode print queue. This means that the correct printer driver must be installed on all clients.



Configure each printer to be a DHCP client, carefully following the manufacturer's guidelines.


Follow the instructions in the printer manufacturer's manuals to permit printing to port 9100. Use any other port the manufacturer specifies for direct-mode raw printing, and adjust the port as necessary in the following example commands. This allows the CUPS spooler to print using raw mode protocols.


Configure the CUPS Print Queues as follows:

root#  lpadmin -p qmsa -v socket:// -E root#  lpadmin -p hplj6a -v socket:// -E root#  lpadmin -p qmsf -v socket:// -E root#  lpadmin -p hplj6f -v socket:// -E 

This creates the necessary print queues with no assigned print filter.


Print queues may not be enabled at creation. Use lpc stat to check the status of the print queues and, if necessary, make certain that the queues you have just created are enabled by executing the following:

root#  /usr/bin/enable qmsa root#  /usr/bin/enable hplj6a root#  /usr/bin/enable qmsf root#  /usr/bin/enable hplj6f 


Even though your print queues may be enabled, it is still possible that they are not accepting print jobs. A print queue services incoming printing requests only when configured to do so. Ensure that your print queues are set to accept incoming jobs by executing the following commands:

root#  /usr/bin/accept qmsa root#  /usr/bin/accept hplj6a root#  /usr/bin/accept qmsf root#  /usr/bin/accept hplj6f 


Edit the file /etc/cups/mime.convs to uncomment the line:

application/octet-stream     application/vnd.cups-raw      0     - 


Edit the file /etc/cups/mime.types to uncomment the line:



Printing drivers are installed on each network client workstation.

Note: If the parameter cups options = Raw is specified in the smb.conf file, the last two steps can be omitted with CUPS version 1.1.18, or later.

The UNIX system print queues have been configured and are ready for validation testing.

3.3.5. Process Startup Configuration

There are two essential steps to process startup configuration. First, the process must be configured so that it automatically restarts each time the server is rebooted. This step involves use of the chkconfig tool that creates the appropriate symbolic links from the master daemon control file that is located in the /etc/rc.d directory, to the /etc/rc'x'.d directories. Links are created so that when the system run level is changed, the necessary start or kill script is run.

In the event that a service is not run as a daemon, but via the internetworking super daemon (inetd or xinetd), then the chkconfig tool makes the necessary entries in the /etc/xinetd.d directory and sends a hang-up (HUP) signal to the the super daemon, thus forcing it to re-read its control files.

Last, each service must be started to permit system validation to proceed.


Use the standard system tool to configure each service to restart automatically at every system reboot. For example,

root#  chkconfig dhpc on root#  chkconfig named on root#  chkconfig cups on root#  chkconfig smb on 


Now start each service to permit the system to be validated. Execute each of the following in the sequence shown:

root#  /etc/rc.d/init.d/dhcp restart root#  /etc/rc.d/init.d/named restart root#  /etc/rc.d/init.d/cups restart root#  /etc/rc.d/init.d/smb restart 

3.3.6. Validation

Complex networking problems are most often caused by simple things that are poorly or incorrectly configured. The validation process adopted here should be followed carefully; it is the result of the experience gained from years of making and correcting the most common mistakes. Shortcuts often lead to basic errors. You should refrain from taking shortcuts, from making basic assumptions, and from not exercising due process and diligence in network validation. By thoroughly testing and validating every step in the process of network installation and configuration, you can save yourself from sleepless nights and restless days. A well debugged network is a foundation for happy network users and network administrators. Later in this book you learn how to make users happier. For now, it is enough to learn to validate. Let's get on with it.



One of the most important facets of Samba configuration is to ensure that name resolution functions correctly. You can check name resolution with a few simple tests. The most basic name resolution is provided from the /etc/hosts file. To test its operation, make a temporary edit to the /etc/nsswitch.conf file. Using your favorite editor, change the entry for hosts to read:

hosts:     files 

When you have saved this file, execute the following command:

root#  ping diamond PING ( 56(84) bytes of data. 64 bytes from sleeth1 ( icmp_seq=1 ttl=64 time=0.131 ms 64 bytes from sleeth1 ( icmp_seq=2 ttl=64 time=0.179 ms 64 bytes from sleeth1 ( icmp_seq=3 ttl=64 time=0.192 ms 64 bytes from sleeth1 ( icmp_seq=4 ttl=64 time=0.191 ms --- ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3016ms rtt min/avg/max/mdev = 0.131/0.173/0.192/0.026 ms 

This proves that name resolution via the /etc/hosts file is working.


So far, your installation is going particularly well. In this step we validate DNS server and name resolution operation. Using your favorite UNIX system editor, change the /etc/nsswitch.conf file so that the hosts entry reads:

hosts:      dns 


Before you test DNS operation, it is a good idea to verify that the DNS server is running by executing the following:

root#  ps ax | grep named   437 ?        S      0:00 /sbin/syslogd -a /var/lib/named/dev/log   524 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named   525 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named   526 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named   529 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named   540 ?        S      0:00 /usr/sbin/named -t /var/lib/named -u named  2552 pts/2    S      0:00 grep named 

This means that we are ready to check DNS operation. Do so by executing:

root#  ping diamond PING ( 56(84) bytes of data. 64 bytes from sleeth1 ( icmp_seq=1 ttl=64 time=0.156 ms 64 bytes from sleeth1 ( icmp_seq=2 ttl=64 time=0.183 ms --- ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.156/0.169/0.183/0.018 ms 

You should take a few more steps to validate DNS server operation, as follows:

root#  host -f has address 

You may now remove the entry called diamond from the /etc/hosts file. It does not hurt to leave it there, but its removal reduces the number of administrative steps for this name.


WINS is a great way to resolve NetBIOS names to their IP address. You can test the operation of WINS by starting nmbd (manually or by way of the Samba startup method shown in Section 3.3.5). You must edit the /etc/nsswitch.conf file so that the hosts enTRy is as follows:

hosts:      wins 

The next step is to make certain that Samba is running using ps ax|grep mbd, and then execute the following:

root#  ping diamond PING diamond ( 56(84) bytes of data. 64 bytes from icmp_seq=1 ttl=64 time=0.094 ms 64 bytes from icmp_seq=2 ttl=64 time=0.479 ms 

Now that you can relax with the knowledge that all three major forms of name resolution to IP address resolution are working, edit the /etc/nsswitch.conf again. This time you add all three forms of name resolution to this file. Your edited entry for hosts should now look like this:

hosts:       files dns wins 

The system is looking good. Let's move on.


It would give you peace of mind to know that the DHCP server is running and available for service. You can validate DHCP services by running:

root#  ps ax | grep dhcp  2618 ?        S      0:00 /usr/sbin/dhcpd ...  8180 pts/2    S      0:00 grep dhcp 

This shows that the server is running. The proof of whether or not it is working comes when you try to add the first DHCP client to the network.


This is a good point at which to start validating Samba operation. You are content that name resolution is working for basic TCP/IP needs. Let's move on. If your smb. conf file has bogus options or parameters, this may cause Samba to refuse to start. The first step should always be to validate the contents of this file by running:

root#  testparm -s Load smb config files from smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[netlogon]" Processing section "[profiles]" Processing section "[accounts]" Processing section "[service]" Processing section "[apps]" Loaded services file OK. # Global parameters [global]     workgroup = PROMISES     netbios name = DIAMOND     interfaces = eth1, eth2, lo     bind interfaces only = Yes     passdb backend = tdbsam     pam password change = Yes     passwd program = /usr/bin/passwd '%u'     passwd chat = *New*Password* %n\n \              *Re-enter*new*password* %n\n *Password*changed*     username map = /etc/samba/smbusers     unix password sync = Yes     log level = 1     syslog = 0     log file = /var/log/samba/%m     max log size = 50     smb ports = 139     name resolve order = wins bcast hosts     time server = Yes     printcap name = CUPS     show add printer wizard = No     add user script = /usr/sbin/useradd -m '%u'     delete user script = /usr/sbin/userdel -r '%u'     add group script = /usr/sbin/groupadd '%g'     delete group script = /usr/sbin/groupdel '%g'     add user to group script = /usr/sbin/usermod -G '%g' '%u'     add machine script = /usr/sbin/useradd \                               -s /bin/false -d /dev/null '%u'     shutdown script = /var/lib/samba/scripts/     abort shutdown script = /sbin/shutdown -c     logon script = scripts\logon.bat     logon path = \\%L\profiles\%U     logon drive = X:     logon home = \\%L\%U     domain logons = Yes     preferred master = Yes     wins support = Yes     utmp = Yes     winbind use default domain = Yes     map acl inherit = Yes     cups options = Raw     veto files = /*.eml/*.nws/*.{*}/     veto oplock files = /*.doc/*.xls/*.mdb/ [homes]     comment = Home Directories     valid users = %S     read only = No     browseable = No ... ### Remainder cut to save space ### 

Clear away all errors before proceeding.


Check that the Samba server is running:

root#  ps ax | grep mbd 14244 ?        S      0:00 /usr/sbin/nmbd -D 14245 ?        S      0:00 /usr/sbin/nmbd -D 14290 ?        S      0:00 /usr/sbin/smbd -D $rootprompt; ps ax | grep winbind 14293 ?        S     0:00 /usr/sbin/winbindd -B 14295 ?        S     0:00 /usr/sbin/winbindd -B 

The winbindd daemon is running in split mode (normal), so there are also two instances[4] of it.

[4] For more information regarding winbindd, see TOSHARG2, Chapter 23, Section 23.3. The single instance of smbd is normal. One additional smbd slave process is spawned for each SMB/CIFS client connection.


Check that an anonymous connection can be made to the Samba server:

root#  smbclient -L localhost -U%         Sharename      Type      Comment         ---------      ----      -------         IPC$           IPC       IPC Service (Samba 3.0.20)         netlogon       Disk      Network Logon Service         profiles       Disk      Profile Share         accounts       Disk      Accounting Files         service        Disk      Financial Services Files         apps           Disk      Application Files         ADMIN$         IPC       IPC Service (Samba 3.0.20)         hplj6a         Printer   hplj6a         hplj6f         Printer   hplj6f         qmsa           Printer   qmsa         qmsf           Printer   qmsf         Server               Comment         ---------            -------         DIAMOND              Samba 3.0.20         Workgroup            Master         ---------            -------         PROMISES             DIAMOND 

This demonstrates that an anonymous listing of shares can be obtained. This is the equivalent of browsing the server from a Windows client to obtain a list of shares on the server. The -U% argument means to send a NULL username and a NULL password.


Verify that each printer has the IP address assigned in the DHCP server configuration file. The easiest way to do this is to ping the printer name. Immediately after the ping response has been received, execute arp -a to find the MAC address of the printer that has responded. Now you can compare the IP address and the MAC address of the printer with the configuration information in the /etc/dhcpd.conf file. They should, of course, match. For example,

root#  ping hplj6 PING hplj6a ( 56(84) bytes of data. 64 bytes from hplj6a ( icmp_seq=1 ttl=64 time=0.113 ms root#  arp -a hplj6a ( at 00:03:47:CB:81:E0 [ether] on eth0 

The MAC address 00:03:47:CB:81:E0 matches that specified for the IP address from which the printer has responded and with the entry for it in the /etc/dhcpd.conf file. Repeat this for each printer configured.


Make an authenticated connection to the server using the smbclient tool:

root#  smbclient //diamond/accounts -U gholmes Password: XXXXXXX smb: \> dir   .                          D        0  Thu Nov 27 15:07:09 2003   ..                         D        0  Sat Nov 15 17:40:50 2003   zakadmin.exe                   161424  Thu Nov 27 15:06:52 2003   zak.exe                       6066384  Thu Nov 27 15:06:52 2003   dhcpd.conf                       1256  Thu Nov 27 15:06:52 2003   smb.conf                         2131  Thu Nov 27 15:06:52 2003                A     1089  Thu Nov 27 15:06:52 2003   POLICY.EXE                      86542  Thu Nov 27 15:06:52 2003                 55974 blocks of size 65536. 33968 blocks available smb: \> q 


Your new server is connected to an Internet-accessible connection. Before you start your firewall, you should run a port scanner against your system. You should repeat that after the firewall has been started. This helps you understand to what extent the server may be vulnerable to external attack. One way you can do this is by using an external service, such as the DSL Reports[5] tools. Alternately, if you can gain rootlevel access to a remote UNIX/Linux system that has the nmap tool, you can run the following:

[5] <>

root#  nmap -v -sT Starting nmap V. 3.00 ( Host ( appears to be up ... good. Initiating Connect() Scan against ( Adding open port 6000/tcp Adding open port 873/tcp Adding open port 445/tcp Adding open port 10000/tcp Adding open port 901/tcp Adding open port 631/tcp Adding open port 25/tcp Adding open port 111/tcp Adding open port 32770/tcp Adding open port 3128/tcp Adding open port 53/tcp Adding open port 80/tcp Adding open port 443/tcp Adding open port 139/tcp Adding open port 22/tcp The Connect() Scan took 0 seconds to scan 1601 ports. Interesting ports on ( (The 1587 ports scanned but not shown below are in state: closed) Port       State       Service 22/tcp     open        ssh 25/tcp     open        smtp 53/tcp     open        domain 80/tcp     open        http 111/tcp    open        sunrpc 139/tcp    open        netbios-ssn 443/tcp    open        https 445/tcp    open        microsoft-ds 631/tcp    open        ipp 873/tcp    open        rsync 901/tcp    open        samba-swat 3128/tcp   open        squid-http 6000/tcp   open        X11 10000/tcp  open        snet-sensor-mgmt 32770/tcp  open        sometimes-rpc3 Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 

The above scan was run before the external interface was locked down with the NAT-firewall script you created above. The following results are obtained after the firewall rules have been put into place:

root#  nmap -v -sT Starting nmap V. 3.00 ( Host ( appears to be up ... good. Initiating Connect() Scan against ( Adding open port 53/tcp Adding open port 22/tcp The Connect() Scan took 168 seconds to scan 1601 ports. Interesting ports on ( (The 1593 ports scanned but not shown below are in state: filtered) Port       State       Service 22/tcp     open        ssh 25/tcp     closed      smtp 53/tcp     open        domain 80/tcp     closed      http 443/tcp    closed      https Nmap run completed -- 1 IP address (1 host up) scanned in 168 seconds 

3.3.7. Application Share Configuration

The use of an application server is a key mechanism by which desktop administration overheads can be reduced. Check the application manual for your software to identify how best to create an administrative installation.

Some Windows software will only run locally on the desktop computer. Such software is typically not suited for administrative installation. Administratively installed software permits one or more of the following installation choices:

  • Install software fully onto a workstation, storing data files on the same workstation.

  • Install software fully onto a workstation with central network data file storage.

  • Install software to run off a central application server with data files stored on the local workstation. This is often called a minimum installation, or a network client installation.

  • Install software to run off a central application server with data files stored on a central network share. This type of installation often prevents storage of work files on the local workstation.

A common application deployed in this environment is an office suite. Enterprise editions of Microsoft Office XP Professional can be administratively installed by launching the installation from a command shell. The command that achieves this is setup /a. It results in a set of prompts through which various installation choices can be made. Refer to the Microsoft Office Resource SDK and Resource Kit for more information regarding this mode of installation of MS Office XP Professional. The full administrative installation of MS Office XP Professional requires approximately 650 MB of disk space.

When the MS Office XP Professional product has been installed to the administrative network share, the product can be installed onto a workstation by executing the normal setup program. The installation process now provides a choice to either perform a minimum installation or a full local installation. A full local installation takes over 100 MB of disk space. A network workstation (minimum) installation requires typically 10 MB to 15 MB of local disk space. In the latter case, when the applications are used, they load over the network.

Microsoft Office Service Packs can be unpacked to update an administrative share. This makes it possible to update MS Office XP Professional for all users from a single installation of the service pack and generally circumvents the need to run updates on each network Windows client.

The default location for MS Office XP Professional data files can be set through registry editing or by way of configuration options inside each Office XP Professional application.

OpenOffice.Org OpenOffice Version 1.1.0 can be installed locally. It can also be installed to run off a network share. The latter is a most desirable solution for office-bound network users and for administrative staff alike. It permits quick and easy updates to be rolled out to all users with a minimum of disruption and with maximum flexibility.

The process for installation of administrative shared OpenOffice involves download of the distribution ZIP file, followed by extraction of the ZIP file into a temporary disk area. When fully extracted using the unzipping tool of your choosing, change into the Windows installation files directory then execute setup -net. You are prompted on screen for the target installation location. This is the administrative share point. The full administrative OpenOffice share takes approximately 150 MB of disk space. Comments Regarding Software Terms of Use

Many single-user products can be installed into an administrative share, but personal versions of products such as Microsoft Office XP Professional do not permit this. Many people do not like terms of use typical with commercial products, so a few comments regarding software licensing seem important.

Please do not use an administrative installation of proprietary and commercially licensed software products to violate the copyright holders' property. All software is licensed, particularly software that is licensed for use free of charge. All software is the property of the copyright holder unless the author and/or copyright holder has explicitly disavowed ownership and has placed the software into the public domain.

Software that is under the GNU General Public License, like proprietary software, is licensed in a way that restricts use. For example, if you modify GPL software and then distribute the binary version of your modifications, you must offer to provide the source code as well. This restriction is designed to maintain the momentum of the diffusion of technology and to protect against the withholding of innovations.

Commercial and proprietary software generally restrict use to those who have paid the license fees and who comply with the licensee's terms of use. Software that is released under the GNU General Public License is restricted to particular terms and conditions also. Whatever the licensing terms may be, if you do not approve of the terms of use, please do not use the software.

Samba is provided under the terms of the GNU GPL Version 2, a copy of which is provided with the source code.

3.3.8. Windows Client Configuration

Christine needs to roll out 130 new desktop systems. There is no doubt that she also needs to reinstall many of the notebook computers that will be recycled for use with the new network configuration. The smartest way to handle the challenge of the roll-out program is to build a staged system for each type of target machine, and then use an image replication tool such as Norton Ghost (enterprise edition) to replicate the staged machine to its target desktops. The same can be done with notebook computers as long as they are identical or sufficiently similar.



Install MS Windows XP Professional. During installation, configure the client to use DHCP for TCP/IP protocol configuration. DHCP configures all Windows clients to use the WINS Server address that has been defined for the local subnet.


Join the Windows Domain PROMISES. Use the Domain Administrator username root and the SMB password you assigned to this account. A detailed step-by-step procedure for joining a Windows 200x/XP Professional client to a Windows Domain is given in Chapter 15, "A Collection of Useful Tidbits", Section 15.1. Reboot the machine as prompted and then log on using the Domain Administrator account (root).


Verify DIAMOND is visible in My Network Places, that it is possible to connect to it and see the shares accounts, apps, and finsvcs, and that it is possible to open each share to reveal its contents.


Create a drive mapping to the apps share on the server DIAMOND.


Perform an administrative installation of each application to be used. Select the options that you wish to use. Of course, you can choose to run applications over the network, correct?


Now install all applications to be installed locally. Typical tools include Adobe Acrobat, NTP-based time synchronization software, drivers for specific local devices such as fingerprint scanners, and the like. Probably the most significant application for local installation is antivirus software.


Now install all four printers onto the staging system. The printers you install include the accounting department HP LaserJet 6 and Minolta QMS Magicolor printers. You will also configure identical printers that are located in the financial services department. Install printers on each machine following the steps shown in the Windows client printer preparation procedure below.


When you are satisfied that the staging systems are complete, use the appropriate procedure to remove the client from the domain. Reboot the system and then log on as the local administrator and clean out all temporary files stored on the system. Before shutting down, use the disk defragmentation tool so that the file system is in optimal condition before replication.


Boot the workstation using the Norton (Symantec) Ghosting diskette (or CD-ROM) and image the machine to a network share on the server.


You may now replicate the image to the target machines using the appropriate Norton Ghost procedure. Make sure to use the procedure that ensures each machine has a unique Windows security identifier (SID). When the installation of the disk image has completed, boot the PC.


Log on to the machine as the local Administrator (the only option), and join the machine to the Domain, following the procedure set out in Chapter 15, "A Collection of Useful Tidbits", Section 15.1. The system is now ready for the user to log on, provided you have created a network logon account for that user, of course.


Instruct all users to log on to the workstation using their assigned username and password.



Click Start Add Printer+Next. Do not click Network printer. Ensure that Local printer is selected.


Click Next. In the Manufacturer: panel, select HP. In the Printers: panel, select the printer called HP LaserJet 6. Click Next.


In the Available ports: panel, select FILE:. Accept the default printer name by clicking Next. When asked, "Would you like to print a test page?," click No. Click Finish.


You may be prompted for the name of a file to print to. If so, close the dialog panel. Right-click HP LaserJet 6


In the Network panel, enter the name of the print queue on the Samba server as follows: \\DIAMOND\hplj6a. Click OK+OK to complete the installation.


Repeat the printer installation steps above for both HP LaserJet 6 printers as well as for both QMS Magicolor laser printers.

3.3.9. Key Points Learned

How do you feel? You have built a capable network, a truly ambitious project. Future network updates can be handled by your staff. You must be a satisfied manager. Let's review the achievements.

  • A simple firewall has been configured to protect the server in the event that the ISP firewall service should fail.

  • The Samba configuration uses measures to ensure that only local network users can connect to SMB/CIFS services.

  • Samba uses the new tdbsam passdb backend facility. Considerable complexity was added to Samba functionality.

  • A DHCP server was configured to implement dynamic DNS (DDNS) updates to the DNS server.

  • The DNS server was configured to permit DDNS only for local network clients. This server also provides primary DNS services for the company Internet presence.

  • You introduced an application server as well as the concept of cloning a Windows client in order to effect improved standardization of desktops and to reduce the costs of network management.

    Samba-3 by Example. Practical Exercises to Successful Deployment
    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142

    Similar book on Amazon © 2008-2017.
    If you may any questions please contact us: