Section 3.4. Questions and Answers | Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)

3.4. Questions and Answers

F.A.Q.

1. Q:	What is the maximum number of account entries that the `tdbsam` passdb backend can handle?
A:	The tdb data structure and support system can handle more entries than the number of accounts that are possible on most UNIX systems. A practical limit would come into play long before a performance boundary would be anticipated. That practical limit is controlled by the nature of Windows networking. There are few Windows file and print servers that can handle more than a few hundred concurrent client connections. The key limiting factors that predicate offloading of services to additional servers are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation of the network (distributing network load across multiple networks). As the network grows, it becomes necessary to provide additional authentication servers (domain controllers). The tdbsam is limited to a single machine and cannot be reliably replicated. This means that practical limits on network design dictate the point at which a distributed passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP). The guideline provided in TOSHARG2, Chapter 10, Section 10.1.2, is to limit the number of accounts in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication, not on the limits^[6] of the tdbsam backend itself. ^[6] Bench tests have shown that tdbsam is a very effective database technology. There is surprisingly little performance loss even with over 4000 users.
2. Q:	Would Samba operate any better if the OS level is set to a value higher than 35?
A:	No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value of 35 already assures Samba of precedence over MS Windows products in browser elections. There is no gain to be had from setting this higher.
3. Q:	Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?
A:	At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.
4. Q:	Why has a path been specified in the `IPC$` share?
A:	This is done so that in the event that a software bug may permit a client connection to the IPC$ share to obtain access to the file system, it does so at a location that presents least risk. Under normal operation this type of paranoid step should not be necessary. The use of this parameter should not be necessary.
5. Q:	Why does the `smb.conf` file in this exercise include an entry for smb ports?
A:	The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain member, the default behavior is highly beneficial and should not be changed.
6. Q:	What is the difference between a print queue and a printer?
A:	A printer is a physical device that is connected either directly to the network or to a computer via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a single print data stream and block all secondary attempts to dispatch jobs concurrently to the same device. If many clients were to concurrently print directly via TCP/IP to the same printer, it would result in a huge amount of network traffic through continually failing connection attempts. A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or print requests. When the data stream has been fully received, the input stream is closed, and the job is then submitted to a sequential print queue where the job is stored until the printer is ready to receive the job.
7. Q:	Can all MS Windows application software be installed onto an application server share?
A:	Much older Windows software is not compatible with installation to and execution from an application server. Enterprise versions of Microsoft Office XP Professional can be installed to an application server. Retail consumer versions of Microsoft Office XP Professional do not permit installation to an application server share and can be installed and used only to/from a local workstation hard disk.
8. Q:	Why use dynamic DNS (DDNS)?
A:	When DDNS records are updated directly from the DHCP server, it is possible for network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate Windows clients via DNS.
9. Q:	Why would you use WINS as well as DNS-based name resolution?
A:	WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is a name like "myhost.mydomain.tld" where `tld` means `top-level domain`. A FQDN is a longhand but easy-to-remember expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long. The 16^th character is a name type indicator. A specific name type is registered^[7] for each type of service that is provided by the Windows server or client and that may be registered where a WINS server is in use. ^[7] See TOSHARG2, Chapter 9, for more information. WINS is a mechanism by which a client may locate the IP Address that corresponds to a NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name that includes a particular registered NetBIOS name type. DNS does not provide a mechanism that permits handling of the NetBIOS name type information. DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular hostname or service name that has been registered in the DNS database for a particular domain. A DNS server has limited scope of control and is said to be authoritative for the zone over which it has control. Windows 200x Active Directory requires the registration in the DNS zone for the domain it controls of service locator^[8] records that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also requires the registration of special records that are called global catalog (GC) entries and site entries by which domain controllers and other essential ADS servers may be located. ^[8] See TOSHARG2, Chapter 9, Section 9.3.3.
10. Q:	What are the major benefits of using an application server?
A:	The use of an application server can significantly reduce application update maintenance. By providing a centralized application share, software updates need be applied to only one location for all major applications used. This results in faster update roll-outs and significantly better application usage control.

Example 3.3.1. NAT Firewall Configuration Script

#!/bin/sh echo -e "\n\nLoading NAT firewall.\n" IPTABLES=/usr/sbin/iptables EXTIF="eth0" INTIFA="eth1" INTIFB="eth2" /sbin/depmod -a /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe iptable_nat /sbin/modprobe ip_nat_ftp $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i $INTIFA -j ACCEPT $IPTABLES -A INPUT -i $INTIFB -j ACCEPT $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS for i in 22 25 53 80 443 do         $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT done # Allow DNS(udp) $IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT echo "Allow all connections OUT and only existing and specified ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \                                   --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \                                   --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo "1" > /proc/sys/net/ipv4/ip_forward echo -e "\nNAT firewall done.\n"

Example 3.3.2. 130 User Network with tdbsam [globals] Section

[View full width]
# Global parameters [global]        workgroup = PROMISES        netbios name = DIAMOND        interfaces = eth1, eth2, lo        bind interfaces only = Yes        passdb backend = tdbsam        pam password change = Yes        passwd program = /usr /bin /passwd %u        passwd chat = *New* Password * %n\n *Reenter *new* password*%n  n * Password *  changed *        username map = /etc/samba/smbusers        unix password sync = Yes        log level = 1        syslog = 0        log file = /var/log/samba/%m        max log size = 50        smb ports = 139        name resolve order = wins bcast hosts        time server = Yes        printcap name = CUPS        show add printer wizard = No        add user script = /usr /sbin /useradd m '%u'        delete user script = /usr/sbin/userdel r '%u '        add group script = /usr/sbin/groupadd '%g '        delete group script = /usr/sbin/groupdel '%g '        add user to group script = /usr/sbin/usermod G '%g' '%u'        add machine script = /usr/sbin/useradd s /bin/false d /tmp '%u '        shutdown script = /var/lib/samba/scripts/shutdown .sh        abort shutdown script = /sbin/shutdown c        logon script = scripts \ logon.bat        logon path = \\%L\ profiles \%U        logon drive = X:        logon home = \\%L\%U        domain logons = Yes        preferred master = Yes        wins support = Yes        utmp = Yes        map acl inherit = Yes        printing = cups        cups options = Raw        veto files = /* .eml/* .nws/*.{*} /        veto oplock files = /* .doc/*.xls /* .mdb/

Example 3.3.3. 130 User Network with tdbsam Services Section Part A

[homes]         comment = Home Directories         valid users = %S         read only = No         browseable = No  [printers]         comment = SMB Print Spool         path = /var/spool/samba         guest ok = Yes         printable = Yes         use client driver = Yes         default devmode = Yes         browseable = No  [netlogon]         comment = Network Logon Service         path = /var/lib/samba/netlogon         guest ok = Yes         locking = No  [profiles]         comment = Profile Share         path = /var/lib/samba/profiles         read only = No         profile acls = Yes  [accounts]         comment = Accounting files         path = /data/accounts         read only = No

Example 3.3.4. 130 User Network with tdbsam Services Section Part B

[service]         comment = Financial Services Files         path = /data/service         read only = No  [pidata]         comment = Property Insurance Files         path = /data/pidata         read only = No  [apps]         comment = Application Files         path = /apps         read only = Yes         admin users = bjordan

Example 3.3.5. Script to Map Windows NT Groups to UNIX Groups

#!/bin/bash # # initGrps.sh # # Create UNIX groups groupadd acctsdep groupadd finsrvcs # Map Windows Domain Groups to UNIX groups net groupmap modify ntgroup="Domain Admins"   unixgroup=root net groupmap modify ntgroup="Domain Users"    unixgroup=users net groupmap modify ntgroup="Domain Guests"   unixgroup=nobody # Add Functional Domain Groups net groupmap add ntgroup="Accounts Dept"  unixgroup=acctsdep type=d net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d net groupmap add ntgroup="Insurance Group"     unixgroup=piops type=d # Map Windows NT machine local groups to local UNIX groups # Mapping of local groups is not necessary and not functional # for this installation.

Example 3.3.6. DHCP Server Configuration File /etc/dhcpd.conf

# Abmas Accounting Inc. default-lease-time 86400; max-lease-time 172800; default-lease-time 86400; option ntp-servers 192.168.1.1; option domain-name "abmas.biz"; option domain-name-servers 192.168.1.1, 192.168.2.1; option netbios-name-servers 192.168.1.1, 192.168.2.1; option netbios-node-type 8;       ### Node type = Hybrid ### ddns-updates on;                  ### Dynamic DNS enabled ### ddns-update-style interim; subnet 192.168.1.0 netmask 255.255.255.0 {         range dynamic-bootp 192.168.1.128 192.168.1.254;         option subnet-mask 255.255.255.0;         option routers 192.168.1.1;         allow unknown-clients;         host qmsa {                 hardware ethernet 08:00:46:7a:35:e4;                 fixed-address 192.168.1.20;                 }         host hplj6a {                 hardware ethernet 00:03:47:cb:81:e0;                 fixed-address 192.168.1.30;                 }         } subnet 192.168.2.0 netmask 255.255.255.0 {         range dynamic-bootp 192.168.2.128 192.168.2.254;         option subnet-mask 255.255.255.0;         option routers 192.168.2.1;         allow unknown-clients;         host qmsf {                 hardware ethernet 01:04:31:db:e1:c0;                 fixed-address 192.168.1.20;          }         host hplj6f {                 hardware ethernet 00:03:47:cf:83:e2;                 fixed-address 192.168.2.30;                 }    } subnet 127.0.0.0 netmask 255.0.0.0 {         } subnet 123.45.67.64 netmask 255.255.255.252 {         }

Example 3.3.7. DNS Master Configuration File /etc/named.conf Master Section

### # Abmas Biz DNS Control File ### # Date: November 15, 2003 ### options {    directory "/var/lib/named";    forwarders {       123.45.12.23;       };    forward first;    listen-on {       mynet;       };    auth-nxdomain yes;    multiple-cnames yes;    notify no; }; zone "." in {    type hint;    file "root.hint"; }; zone "localhost" in {    type master;    file "localhost.zone"; }; zone "0.0.127.in-addr.arpa" in {    type master;    file "127.0.0.zone"; }; acl mynet {    192.168.1.0/24;    192.168.2.0/24;    127.0.0.1; }; acl seconddns {    123.45.54.32; };

Example 3.3.8. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section

zone "abmas.biz" {    type master;    file "/var/lib/named/master/abmas.biz.hosts";    allow-query {       mynet;    };    allow-transfer {       mynet;    };    allow-update {       mynet;    }; }; zone "abmas.us" {    type master;    file "/var/lib/named/master/abmas.us.hosts";    allow-query {       all;    };    allow-transfer {       seconddns;    }; };

Example 3.3.9. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section

zone "1.168.192.in-addr.arpa" {    type master;    file "/var/lib/named/master/192.168.1.0.rev";    allow-query {       mynet;    };    allow-transfer {       mynet;    };    allow-update {       mynet;    }; }; zone "2.168.192.in-addr.arpa" {    type master;    file "/var/lib/named/master/192.168.2.0.rev";    allow-query {       mynet;    };    allow-transfer {       mynet;    };    allow-update {       mynet;    }; };

Example 3.3.10. DNS 192.168.1 Reverse Zone File

$ORIGIN . $TTL 38400  ; 10 hours 40 minutes 1.168.192.in-addr.arpa  IN SOA   sleeth.abmas.biz. root.abmas.biz. (             2003021825 ; serial             10800      ; refresh (3 hours)             3600       ; retry (1 hour)             604800     ; expire (1 week)             38400      ; minimum (10 hours 40 minutes)             )          NS sleeth1.abmas.biz. $ORIGIN 1.168.192.in-addr.arpa. 1        PTR   sleeth1.abmas.biz. 20       PTR   qmsa.abmas.biz. 30       PTR   hplj6a.abmas.biz.

Example 3.3.11. DNS 192.168.2 Reverse Zone File

$ORIGIN . $TTL 38400  ; 10 hours 40 minutes 2.168.192.in-addr.arpa  IN SOA   sleeth.abmas.biz. root.abmas.biz. (             2003021825 ; serial             10800      ; refresh (3 hours)             3600       ; retry (1 hour)             604800     ; expire (1 week)             38400      ; minimum (10 hours 40 minutes)             )          NS sleeth2.abmas.biz. $ORIGIN 2.168.192.in-addr.arpa. 1        PTR   sleeth2.abmas.biz. 20       PTR   qmsf.abmas.biz. 30       PTR   hplj6f.abmas.biz.

Example 3.3.12. DNS Abmas.biz Forward Zone File

$ORIGIN . $TTL 38400      ; 10 hours 40 minutes abmas.biz       IN SOA  sleeth1.abmas.biz. root.abmas.biz. (                                 2003021833 ; serial                                 10800      ; refresh (3 hours)                                 3600       ; retry (1 hour)                                 604800     ; expire (1 week)                                 38400      ; minimum (10 hours 40 minutes)                                 )                         NS      dns.abmas.biz.                         MX      10 mail.abmas.biz. $ORIGIN abmas.biz. sleeth1                 A       192.168.1.1 sleeth2                 A       192.168.2.1 qmsa                    A       192.168.1.20 hplj6a                  A       192.168.1.30 qmsf                    A       192.168.2.20 hplj6f                  A       192.168.2.30 dns                     CNAME   sleeth1 diamond                 CNAME   sleeth1 mail                    CNAME   sleeth1

Example 3.3.13. DNS Abmas.us Forward Zone File

$ORIGIN . $TTL 38400      ; 10 hours 40 minutes abmas.us        IN SOA  server.abmas.us. root.abmas.us. (                                 2003021833 ; serial                                 10800      ; refresh (3 hours)                                 3600       ; retry (1 hour)                                 604800     ; expire (1 week)                                 38400      ; minimum (10 hours 40 minutes)                                 )                         NS      dns.abmas.us.                         NS      dns2.abmas.us.                         MX      10 mail.abmas.us. $ORIGIN abmas.us. server                  A       123.45.67.66 dns2                    A       123.45.54.32 gw                      A       123.45.67.65 www                     CNAME   server mail                    CNAME   server dns                     CNAME   server