Section 3.4. Questions and Answers

1. Q: What is the maximum number of account entries that the tdbsam passdb backend can handle?

A: The tdb data structure and support system can handle more entries than the number of accounts that are possible on most UNIX systems. A practical limit would come into play long before a performance boundary would be anticipated. That practical limit is controlled by the nature of Windows networking. There are few Windows file and print servers that can handle more than a few hundred concurrent client connections. The key limiting factors that predicate offloading of services to additional servers are memory capacity, the number of CPUs, network bandwidth, and disk I/O limitations. All of these are readily exhausted by just a few hundred concurrent active users. Such bottlenecks can best be removed by segmentation of the network (distributing network load across multiple networks).

As the network grows, it becomes necessary to provide additional authentication servers (domain controllers). The tdbsam is limited to a single machine and cannot be reliably replicated. This means that practical limits on network design dictate the point at which a distributed passdb backend is required; at this time, there is no real alternative other than ldapsam (LDAP).

The guideline provided in TOSHARG2, Chapter 10, Section 10.1.2, is to limit the number of accounts in the tdbsam backend to 250. This is the point at which most networks tend to want backup domain controllers (BDCs). Samba-3 does not provide a mechanism for replicating tdbsam data so it can be used by a BDC. The limitation of 250 users per tdbsam is predicated only on the need for replication, not on the limits[6] of the tdbsam backend itself.

[6] Bench tests have shown that tdbsam is a very effective database technology. There is surprisingly little performance loss even with over 4000 users.

2. Q: Would Samba operate any better if the OS level is set to a value higher than 35?

A: No. MS Windows workstations and servers do not use a value higher than 33. Setting this to a value of 35 already assures Samba of precedence over MS Windows products in browser elections. There is no gain to be had from setting this higher.

3. Q: Why in this example have you provided UNIX group to Windows Group mappings for only Domain Groups?

A: At this time, Samba has the capacity to use only Domain Groups mappings. It is possible that at a later date Samba may make use of Windows Local Groups, as well as of the Active Directory special Groups. Proper operation requires Domain Groups to be mapped to valid UNIX groups.

4. Q: Why has a path been specified in the IPC$ share?

A: This is done so that, should a software bug ever permit a client connected to the IPC$ share to obtain access to the file system, it does so at a location that presents the least risk. Under normal operation this type of paranoid step, and therefore the parameter itself, should not be necessary.

5. Q: Why does the smb.conf file in this exercise include an entry for smb ports?

A: The default order by which Samba-3 attempts to communicate with MS Windows clients is via port 445 (the TCP port used by Windows clients when NetBIOS-less SMB over TCP/IP is in use). TCP port 139 is the primary port used for NetBIOS over TCP/IP. In this configuration Windows network operations are predicated around NetBIOS over TCP/IP. By specifying the use of only port 139, the intent is to reduce unsuccessful service connection attempts. The result of this is improved network performance. Where Samba-3 is installed as an Active Directory Domain member, the default behavior is highly beneficial and should not be changed.

6. Q: What is the difference between a print queue and a printer?

A: A printer is a physical device that is connected either directly to the network or to a computer via a serial, parallel, or USB connection so that print jobs can be submitted to it to create a hard copy printout. Network-attached printers that use TCP/IP-based printing generally accept a single print data stream and block all secondary attempts to dispatch jobs concurrently to the same device. If many clients were to concurrently print directly via TCP/IP to the same printer, it would result in a huge amount of network traffic through continually failing connection attempts.

A print server (like CUPS or LPR/LPD) accepts multiple concurrent input streams or print requests. When the data stream has been fully received, the input stream is closed, and the job is then submitted to a sequential print queue where the job is stored until the printer is ready to receive the job.

7. Q: Can all MS Windows application software be installed onto an application server share?

A: Much older Windows software is not compatible with installation to and execution from an application server. Enterprise versions of Microsoft Office XP Professional can be installed to an application server. Retail consumer versions of Microsoft Office XP Professional do not permit installation to an application server share and can be installed and used only to/from a local workstation hard disk.

8. Q: Why use dynamic DNS (DDNS)?

A: When DDNS records are updated directly from the DHCP server, it is possible for network clients that are not NetBIOS-enabled, and thus cannot use WINS, to locate Windows clients via DNS.

9. Q: Why would you use WINS as well as DNS-based name resolution?

A: WINS is to NetBIOS names as DNS is to fully qualified domain names (FQDN). The FQDN is a name like "myhost.mydomain.tld" where tld means top-level domain. An FQDN is a longhand but easy-to-remember expression that may be up to 1024 characters in length and that represents an IP address. A NetBIOS name is always 16 characters long. The 16th character is a name type indicator. A specific name type is registered[7] for each type of service that is provided by the Windows server or client and that may be registered where a WINS server is in use.

[7] See TOSHARG2, Chapter 9, for more information.

WINS is a mechanism by which a client may locate the IP Address that corresponds to a NetBIOS name. The WINS server may be queried to obtain the IP Address for a NetBIOS name that includes a particular registered NetBIOS name type. DNS does not provide a mechanism that permits handling of the NetBIOS name type information.
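The 16-character NetBIOS name with its type byte, as described above, can be made concrete with a small encoder and decoder. This is an added example, not code from the book or from Samba: it builds the 16-byte name (up to 15 characters, space-padded, type byte last) and applies the RFC 1001 "first-level" encoding that a WINS registration or query carries on the wire, so that a name seen in a packet capture can be turned back into "host<type>". The name-type table is a short extract of commonly seen types, and the host names DIAMOND and PROMISES are taken from the smb.conf example later on this page.

```python
from typing import Tuple

NETBIOS_NAME_LEN = 16

# A few well-known name-type suffixes (the 16th byte). The page's footnote points
# to TOSHARG2 Chapter 9 for the full list; this is only an illustrative extract.
NAME_TYPES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}


def netbios_name(host: str, name_type: int) -> bytes:
    """Build the 16-byte NetBIOS name: at most 15 characters, upper-cased and
    space-padded, followed by the one-byte name type."""
    if not 1 <= len(host) <= 15:
        raise ValueError("NetBIOS host part must be 1..15 characters")
    if not 0 <= name_type <= 0xFF:
        raise ValueError("name type must fit in one byte")
    return host.upper().encode("ascii").ljust(15, b" ") + bytes([name_type])


def first_level_encode(raw: bytes) -> str:
    """RFC 1001 first-level encoding as seen on the wire: each nibble of each byte
    becomes one letter in 'A'..'P', so the 16 bytes become 32 letters."""
    if len(raw) != NETBIOS_NAME_LEN:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def first_level_decode(encoded: str) -> Tuple[str, int]:
    """Inverse of first_level_encode: returns (host, name_type)."""
    if len(encoded) != 2 * NETBIOS_NAME_LEN or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 letters in the range A..P")
    nibbles = [ord(c) - ord("A") for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    # The type byte is taken explicitly from position 16 so that a type of 0x20
    # (which is also the space used for padding) is never stripped away.
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded: str) -> str:
    """Render a wire-format name the way WINS tools show it, e.g. PROMISES<1C>."""
    host, name_type = first_level_decode(encoded)
    return f"{host}<{name_type:02X}> ({NAME_TYPES.get(name_type, 'unknown type')})"


if __name__ == "__main__":
    for host, name_type in (("DIAMOND", 0x20), ("PROMISES", 0x1C)):
        wire = first_level_encode(netbios_name(host, name_type))
        print(wire, "->", describe(wire))
```

The server name DIAMOND registers, among others, a <20> (file server) name, and the domain PROMISES a <1C> (domain controllers) group name; the decoder shows why the 16th byte, not the text, tells a WINS client which service a registration refers to.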

DNS provides a mechanism by which TCP/IP clients may locate the IP address of a particular hostname or service name that has been registered in the DNS database for a particular domain. A DNS server has limited scope of control and is said to be authoritative for the zone over which it has control.

Windows 200x Active Directory requires the registration in the DNS zone for the domain it controls of service locator[8] records that Windows clients and servers will use to locate Kerberos and LDAP services. ADS also requires the registration of special records that are called global catalog (GC) entries and site entries by which domain controllers and other essential ADS servers may be located.

[8] See TOSHARG2, Chapter 9, Section 9.3.3.

10. Q: What are the major benefits of using an application server?

A: The use of an application server can significantly reduce application update maintenance. By providing a centralized application share, software updates need be applied to only one location for all major applications used. This results in faster update roll-outs and significantly better application usage control.

Example 3.3.1. NAT Firewall Configuration Script
#!/bin/sh
echo -e "\n\nLoading NAT firewall.\n"
IPTABLES=/usr/sbin/iptables
EXTIF="eth0"
INTIFA="eth1"
INTIFB="eth2"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
$IPTABLES -A INPUT -i $INTIFB -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
for i in 22 25 53 80 443
do
        $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
done

# Allow DNS(udp)
# (printed as "-dport"; iptables requires the two-dash form or rejects the rule)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

echo "Allow all connections OUT and only existing and specified ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state \
                                  --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIFB -m state \
                                  --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIFB -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\nNAT firewall done.\n"
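A script like the one above is easy to get subtly wrong: a long option typed with one dash makes iptables reject that single rule (so the port is silently never opened, or never restricted), and a port added to the loop for internal convenience ends up exposed on the external interface. The following is an added example, not code from the book: a small static checker that reads such a script, expands the simple NAME=value variables, and reports a non-DROP INPUT policy, single-dash long options, and any inbound port accepted on EXTIF that is not on an expected list. The sample script inside it is constructed, with the port loop already expanded and two deliberate mistakes planted for the checker to find; it does not run iptables and needs no privileges.

```python
import shlex
from typing import Dict, List, Set

# Long iptables options that are commonly mistyped with a single dash.
LONG_OPTIONS = {"dport", "sport", "dports", "sports", "state"}

# Constructed sample (not the book's script): the inbound rules of a NAT firewall
# like Example 3.3.1 with the port loop already expanded. It deliberately contains
# two mistakes to detect: a single-dash "-dport" and SMB (tcp/139) opened on EXTIF.
SAMPLE_SCRIPT = """\
IPTABLES=/usr/sbin/iptables
EXTIF="eth0"
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 139 -j ACCEPT   # should not be on EXTIF
$IPTABLES -A INPUT -i $EXTIF -p udp -dport 53 -j ACCEPT
"""

# What the script's comments say it intends to expose on the Internet side.
EXPECTED_EXTERNAL = {"tcp/22", "tcp/25", "tcp/53", "tcp/80", "tcp/443", "udp/53"}


def parse_rules(script: str) -> List[List[str]]:
    """Return the argv (without the binary) of every iptables invocation, with
    $VAR references expanded from simple NAME=value assignments in the script."""
    variables: Dict[str, str] = {}
    rules: List[List[str]] = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop shell comments
        if not line:
            continue
        if line.startswith("$IPTABLES") or line.startswith("iptables"):
            argv = [variables.get(tok[1:], tok) if tok.startswith("$") else tok
                    for tok in shlex.split(line)]
            rules.append(argv[1:])
        elif "=" in line and not line.startswith("$"):
            name, value = line.split("=", 1)
            variables[name.strip()] = value.strip().strip('"')
    return rules


def input_policy(rules: List[List[str]]) -> str:
    """Default policy of the INPUT chain; iptables' own default is ACCEPT."""
    for argv in rules:
        if argv[:2] == ["-P", "INPUT"]:
            return argv[2]
    return "ACCEPT"


def find_option_typos(rules: List[List[str]]) -> List[str]:
    """Rules containing a long option written with a single dash (e.g. '-dport')."""
    return [" ".join(argv) for argv in rules
            if any(tok.startswith("-") and not tok.startswith("--") and tok[1:] in LONG_OPTIONS
                   for tok in argv)]


def external_open_ports(rules: List[List[str]], extif: str) -> Set[str]:
    """proto/port pairs accepted for new inbound connections on the external interface."""
    opened: Set[str] = set()
    for argv in rules:
        if "-A" not in argv or argv[argv.index("-A") + 1] != "INPUT":
            continue
        if "-i" not in argv or argv[argv.index("-i") + 1] != extif:
            continue
        if "-j" not in argv or argv[argv.index("-j") + 1] != "ACCEPT":
            continue
        if "--dport" in argv:
            proto = argv[argv.index("-p") + 1] if "-p" in argv else "?"
            opened.add(f"{proto}/{argv[argv.index('--dport') + 1]}")
    return opened


def audit(script: str, extif: str, allowed: Set[str]) -> List[str]:
    """Human-readable findings, empty when the script matches its stated intent."""
    rules = parse_rules(script)
    findings = []
    if input_policy(rules) != "DROP":
        findings.append("INPUT policy is not DROP")
    findings.extend(f"malformed option: {rule}" for rule in find_option_typos(rules))
    findings.extend(f"unexpected port open on {extif}: {port}"
                    for port in sorted(external_open_ports(rules, extif) - allowed))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT, "eth0", EXPECTED_EXTERNAL):
        print(finding)
```

Run against the real script, the checker would need the for loop unrolled first (for example by running it through `sh -x` on a test host and feeding the traced commands in), which is also a good way to confirm that every intended rule was actually installed.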

Example 3.3.2. 130 User Network with tdbsam [globals] Section

# Global parameters
[global]
        workgroup = PROMISES
        netbios name = DIAMOND
        interfaces = eth1, eth2, lo
        bind interfaces only = Yes
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*Password* %n\n *Reenter*new*password* %n\n *Password*changed*
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 139
        name resolve order = wins bcast hosts
        time server = Yes
        printcap name = CUPS
        show add printer wizard = No
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c
        logon script = scripts\logon.bat
        logon path = \\%L\profiles\%U
        logon drive = X:
        logon home = \\%L\%U
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        utmp = Yes
        map acl inherit = Yes
        printing = cups
        cups options = Raw
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb/

Example 3.3.3. 130 User Network with tdbsam Services Section Part A
[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[printers]
        comment = SMB Print Spool
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        default devmode = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No

[profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes

[accounts]
        comment = Accounting files
        path = /data/accounts
        read only = No

Example 3.3.4. 130 User Network with tdbsam Services Section Part B
[service]
        comment = Financial Services Files
        path = /data/service
        read only = No

[pidata]
        comment = Property Insurance Files
        path = /data/pidata
        read only = No

[apps]
        comment = Application Files
        path = /apps
        read only = Yes
        admin users = bjordan

Example 3.3.5. Script to Map Windows NT Groups to UNIX Groups
#!/bin/bash
#
# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs
groupadd piops      # must exist before the "Insurance Group" mapping below

# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins"   unixgroup=root
net groupmap modify ntgroup="Domain Users"    unixgroup=users
net groupmap modify ntgroup="Domain Guests"   unixgroup=nobody

# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept"      unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
net groupmap add ntgroup="Insurance Group"    unixgroup=piops    type=d

# Map Windows NT machine local groups to local UNIX groups
# Mapping of local groups is not necessary and not functional
# for this installation.

Example 3.3.6. DHCP Server Configuration File /etc/dhcpd.conf
# Abmas Accounting Inc.
default-lease-time 86400;
max-lease-time 172800;
default-lease-time 86400;
option ntp-servers ;
option domain-name "";
option domain-name-servers , ;
option netbios-name-servers , ;
option netbios-node-type 8;       ### Node type = Hybrid ###
ddns-updates on;                  ### Dynamic DNS enabled ###
ddns-update-style interim;

subnet  netmask  {
        range dynamic-bootp ;
        option subnet-mask ;
        option routers ;
        allow unknown-clients;
        host qmsa {
                hardware ethernet 08:00:46:7a:35:e4;
                fixed-address ;
                }
        host hplj6a {
                hardware ethernet 00:03:47:cb:81:e0;
                fixed-address ;
                }
        }

subnet  netmask  {
        range dynamic-bootp ;
        option subnet-mask ;
        option routers ;
        allow unknown-clients;
        host qmsf {
                hardware ethernet 01:04:31:db:e1:c0;
                fixed-address ;
                }
        host hplj6f {
                hardware ethernet 00:03:47:cf:83:e2;
                fixed-address ;
                }
        }

subnet  netmask  {
        }

subnet  netmask  {
        }

Example 3.3.7. DNS Master Configuration File /etc/named.conf Master Section
###
# Abmas Biz DNS Control File
###
# Date: November 15, 2003
###
options {
   directory "/var/lib/named";
   forwarders {
      ;
      };
   forward first;
   listen-on {
      mynet;
      };
   auth-nxdomain yes;
   multiple-cnames yes;
   notify no;
};

zone "." in {
   type hint;
   file "root.hint";
};

zone "localhost" in {
   type master;
   file "";
};

zone "" in {
   type master;
   file "";
};

acl mynet {
   ;
   ;
   ;
};

acl seconddns {
   ;
};

Example 3.3.8. DNS Master Configuration File /etc/named.conf Forward Lookup Definition Section
zone "" {
   type master;
   file "/var/lib/named/master/";
   allow-query {
      mynet;
   };
   allow-transfer {
      mynet;
   };
   allow-update {
      mynet;
   };
};

zone "" {
   type master;
   file "/var/lib/named/master/";
   allow-query {
      all;
   };
   allow-transfer {
      seconddns;
   };
};

Example 3.3.9. DNS Master Configuration File /etc/named.conf Reverse Lookup Definition Section
zone "" {
   type master;
   file "/var/lib/named/master/";
   allow-query {
      mynet;
   };
   allow-transfer {
      mynet;
   };
   allow-update {
      mynet;
   };
};

zone "" {
   type master;
   file "/var/lib/named/master/";
   allow-query {
      mynet;
   };
   allow-transfer {
      mynet;
   };
   allow-update {
      mynet;
   };
};

Example 3.3.10. DNS 192.168.1 Reverse Zone File
$ORIGIN .
$TTL 38400  ; 10 hours 40 minutes
 IN SOA (
            2003021825 ; serial
            10800      ; refresh (3 hours)
            3600       ; retry (1 hour)
            604800     ; expire (1 week)
            38400      ; minimum (10 hours 40 minutes)
            )
         NS
$ORIGIN
1        PTR
20       PTR
30       PTR

Example 3.3.11. DNS 192.168.2 Reverse Zone File
$ORIGIN .
$TTL 38400  ; 10 hours 40 minutes
 IN SOA (
            2003021825 ; serial
            10800      ; refresh (3 hours)
            3600       ; retry (1 hour)
            604800     ; expire (1 week)
            38400      ; minimum (10 hours 40 minutes)
            )
         NS
$ORIGIN
1        PTR
20       PTR
30       PTR

Example 3.3.12. DNS Forward Zone File
$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
      IN SOA (
                                2003021833 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS
                        MX      10
$ORIGIN
sleeth1                 A
sleeth2                 A
qmsa                    A
hplj6a                  A
qmsf                    A
hplj6f                  A
dns                     CNAME   sleeth1
diamond                 CNAME   sleeth1
mail                    CNAME   sleeth1

Example 3.3.13. DNS Forward Zone File
$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
       IN SOA (
                                2003021833 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS
                        NS
                        MX      10
$ORIGIN
server                  A
dns2                    A
gw                      A
www                     CNAME   server
mail                    CNAME   server
dns                     CNAME   server
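The forward and reverse zone files above have to agree with each other, and their serials have to move forward every time they change or the secondary named in allow-transfer keeps serving stale data. The following is an added example, not code from the book: it derives the in-addr.arpa zone name for a /24, generates the relative PTR lines of a reverse zone from a set of A records, bumps a serial in the YYYYMMDDnn form the book's files use, and reports A records that have no matching PTR. The domain "example.com", the 192.168.1.x addresses and the host list are constructed placeholders, because the addresses and domain in the printed files are elided on this page; one PTR is deliberately left out so the consistency check has something to report.

```python
import datetime
from typing import Dict, List

# Constructed sample data; the zone files on this page have their domain and
# addresses elided, so "example.com" and the 192.168.1.x addresses are placeholders.
DOMAIN = "example.com"
FORWARD_A = {"sleeth1": "192.168.1.1", "qmsa": "192.168.1.20", "hplj6a": "192.168.1.30"}
# Reverse data as it might be parsed from a PTR zone (hplj6a is deliberately missing).
REVERSE_PTR = {"192.168.1.1": "sleeth1.example.com.", "192.168.1.20": "qmsa.example.com."}


def reverse_zone_name(network: str) -> str:
    """'192.168.1' -> '1.168.192.in-addr.arpa', the /24 reverse zone of Examples 3.3.10/11."""
    octets = network.split(".")
    if len(octets) != 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected the first three octets of a /24, e.g. 192.168.1")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(a_records: Dict[str, str], network: str, domain: str) -> List[str]:
    """Relative PTR lines (host octet, PTR, FQDN) for every A record inside
    network, ordered by address, in the layout the book's reverse files use."""
    inside = [(ip.rsplit(".", 1), host) for host, ip in a_records.items()
              if ip.rsplit(".", 1)[0] == network]
    inside.sort(key=lambda item: int(item[0][1]))
    return [f"{last:<8} PTR     {host}.{domain}." for (_prefix, last), host in inside]


def next_serial(current: int, today: datetime.date) -> int:
    """Next serial in the YYYYMMDDnn form (e.g. 2003021825): the first change of a
    day starts at ...01, later changes of the same day just increment, and the value
    never moves backwards, since a secondary only transfers when the serial grows."""
    today_base = int(today.strftime("%Y%m%d")) * 100 + 1
    return max(today_base, current + 1)


def check_consistency(a_records: Dict[str, str], ptr_map: Dict[str, str], domain: str) -> List[str]:
    """Report every A record whose address has no PTR, or a PTR naming a different host."""
    problems = []
    for host, ip in sorted(a_records.items()):
        expected = f"{host}.{domain}."
        actual = ptr_map.get(ip)
        if actual is None:
            problems.append(f"{ip} ({host}): no PTR record")
        elif actual != expected:
            problems.append(f"{ip}: PTR is {actual}, expected {expected}")
    return problems


if __name__ == "__main__":
    print("$ORIGIN", reverse_zone_name("192.168.1") + ".")
    for line in ptr_records(FORWARD_A, "192.168.1", DOMAIN):
        print(line)
    print("next serial:", next_serial(2003021825, datetime.date.today()))
    for problem in check_consistency(FORWARD_A, REVERSE_PTR, DOMAIN):
        print("WARNING:", problem)
```

A mismatch between forward and reverse data is worth catching because Kerberos and several mail servers use the PTR lookup as a sanity check on the peer's claimed host name.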

    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    Year: 2005
    Pages: 142