Section 5.9. Questions and Answers


5.9. Questions and Answers

Well, here we are at the end of this chapter and we have only ten questions to help you to remember so much. There are bound to be some sticky issues here.

F.A.Q.

1. Q:

Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions?

A:

Let's get this right. This is a book about Samba, not about OpenLDAP and secure communication protocols for subjects other than Samba. Earlier on, you note, that the dynamic DNS and DHCP solutions also used no protective secure communications protocols. The reason for this is simple: There are so many ways of implementing secure protocols that this book would have been even larger and more complex.

The solutions presented here all work (at least they did for me). Network administrators have the interest and the need to be better trained and instructed in secure networking practices and ought to implement safe systems. I made the decision, right or wrong, to keep this material as simple as possible. The intent of this book is to demonstrate a working solution and not to discuss too many peripheral issues.

This book makes little mention of backup techniques. Does that mean that I am recommending that you should implement a network without provision for data recovery and for disaster management? Back to our focus: The deployment of Samba has been clearly demonstrated.

2. Q:

You have focused much on SUSE Linux and little on the market leader, Red Hat. Do you have a problem with Red Hat Linux? Doesn't that make your guidance irrelevant to the Linux I might be using?

A:

Both Red Hat Linux and SUSE Linux comply with the Linux Standards Base specifications for a standard Linux distribution. The differences are marginal. Surely you know your Linux platform, and you do have access to administration manuals for it. This book is not a Linux tutorial; it is a Samba tutorial. Let's keep the focus on the Samba part of the book; all the other bits are peripheral (but important) to creation of a total network solution.

What I find interesting is the attention reviewers give to Linux installation and to the look and feel of the desktop, but does that make for a great server? In this book, I have paid particular attention to the details of creating a whole solution framework. I have not tightened every nut and bolt, but I have touched on all the issues you need to be familiar with. Over the years many people have approached me wanting to know the details of exactly how to implement a DHCP and dynamic DNS server with Samba and WINS. In this chapter, it is plain to see what needs to be configured to provide transparent interoperability. Likewise for CUPS and Samba interoperation. These are key stumbling areas for many people.

At every critical junction, I have provided comparative guidance for both SUSE and Red Hat Linux. Both manufacturers have done a great job in furthering the cause of open source software. I favor neither and respect both. I like particular features of both products (companies also). No bias in presentation is intended. Oh, before I forget, I particularly like Debian Linux; that is my favorite playground.

3. Q:

You did not use SWAT to configure Samba. Is there something wrong with it?

A:

That is a good question. As it is, the smb.conf file configurations are presented in as direct a format as possible. Adding SWAT into the equation would have complicated matters. I sought simplicity of implementation. The fact is that I did use SWAT to create the files in the first place.

There are people in the Linux and open source community who feel that SWAT is dangerous and insecure. Many will not touch it with a barge-pole. By not introducing SWAT, I hope to have brought their interests on board. SWAT is well covered is TOSHARG2.

4. Q:

You have exposed a well-used password not24get. Is that not irresponsible?

A:

Well, I had to use a password of some sort. At least this one has been consistently used throughout. I guess you can figure out that in a real deployment it would make sense to use a more secure and original password.

5. Q:

The Idealx smbldap-tools create many domain group accounts that are not used. Is that a good thing?

A:

I took this up with Idealx and found them most willing to change that in the next version. Let's give Idealx some credit for the contribution they have made. I appreciate their work and, besides, it does no harm to create accounts that are not now used at some time Samba may well use them.

6. Q:

Can I use LDAP just for Samba accounts and not for UNIX system accounts?

A:

Yes, you can do that for user accounts only. Samba requires there to be a POSIX (UNIX) group account for every Windows domain group account. But if you put your users into the system password account, how do you plan to keep all domain controller system password files in sync? I think that having everything in LDAP makes a lot of sense for the UNIX administrator who is still learning the craft and is migrating from MS Windows.

7. Q:

Why are the Windows domain RID portions not the same as the UNIX UID?

A:

Samba uses a well-known public algorithm for assigning RIDs from UIDs and GIDs. This algorithm ought to ensure that there will be no clashes with well-known RIDs. Well-known RIDs have special significance to MS Windows clients. The automatic assignment used the calculation: RID = UID x 2 + 1000. Of course, Samba does permit you to override that to some extent. See the smb.conf man page entry for algorithmic rid base.

8. Q:

Printer configuration examples all show printing to the HP port 9100. Does this mean that I must have HP printers for these solutions to work?

A:

No. You can use any type of printer and must use the interfacing protocol supported by the printer. Many networks use LPR/LPD print servers to which are attached PCL printers, inkjet printers, plotters, and so on. At home I use a USB-attached inkjet printer. Use the appropriate device URI (Universal Resource Interface) argument to the lpadmin -v option that is right for your printer.

9. Q:

Is folder redirection dangerous? I've heard that you can lose your data that way.

A:

The only loss of data I know of that involved folder redirection was caused by manual misuse of the redirection tool. The administrator redirected a folder to a network drive and said he wanted to migrate (move) the data over. Then he changed his mind, so he moved the folder back to the roaming profile. This time, he declined to move the data because he thought it was still in the local profile folder. That was not the case, so by declining to move the data back, he wiped out the data. You cannot hold the tool responsible for that. Caveat emptor still applies.

10. Q:

Is it really necessary to set a local Group Policy to exclude the redirected folders from the roaming profile?

A:

Yes. If you do not do this, the data will still be copied from the network folder (share) to the local cached copy of the profile.

Example 5.4.2. LDAP Master Configuration File /etc/openldap/slapd.conf Part A
include     /etc/openldap/schema/core.schema include     /etc/openldap/schema/cosine.schema include     /etc/openldap/schema/inetorgperson.schema include     /etc/openldap/schema/nis.schema include     /etc/openldap/schema/samba3.schema pidfile     /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args access to dn.base=""       by self write       by * auth access to attr=userPassword       by self write       by * auth access to attr=shadowLastChange       by self write       by * read access to *                 by * read                 by anonymous auth #loglevel   256 schemacheck     on idletimeout 30 backend     bdb database bdb checkpoint       1024 5 cachesize        10000 suffix       "dc=abmas,dc=biz" rootdn       "cn=Manager,dc=abmas,dc=biz" # rootpw = not24get rootpw          {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV directory    /data/ldap 

Example 5.4.3. LDAP Master Configuration File /etc/openldap/slapd.conf Part B
# Indices to maintain index objectClass           eq index cn                    pres,sub,eq index sn                    pres,sub,eq index uid                   pres,sub,eq index displayName           pres,sub,eq index uidNumber             eq index gidNumber             eq index memberUID             eq index sambaSID              eq index sambaPrimaryGroupSID  eq index sambaDomainName       eq index default               sub 

Example 5.4.4. Configuration File for NSS LDAP Support /etc/ldap.conf
host 127.0.0.1 base dc=abmas,dc=biz binddn cn=Manager,dc=abmas,dc=biz bindpw not24get timelimit 50 bind_timelimit 50 bind_policy hard idle_timelimit 3600 pam_password exop nss_base_passwd ou=People,dc=abmas,dc=biz?one nss_base_shadow ou=People,dc=abmas,dc=biz?one nss_base_group  ou=Groups,dc=abmas,dc=biz?one ssl off 

Example 5.4.5. Configuration File for NSS LDAP Clients Support /etc/ldap.conf
host 172.16.0.1 base dc=abmas,dc=biz binddn cn=Manager,dc=abmas,dc=biz bindpw not24get timelimit 50 bind_timelimit 50 bind_policy hard idle_timelimit 3600 pam_password exop nss_base_passwd ou=People,dc=abmas,dc=biz?one nss_base_shadow ou=People,dc=abmas,dc=biz?one nss_base_group  ou=Groups,dc=abmas,dc=biz?one ssl off 

Example 5.4.6. LDAP Based smb.conf File, Server: MASSIVE global Section: Part A
# Global parameters  [global]         unix charset = LOCALE         workgroup = MEGANET2         netbios name = MASSIVE         interfaces = eth1, lo         bind interfaces only = Yes         passdb backend = ldapsam : ldap : //massive.abmas.biz         enable privileges = Yes         username map = /etc/samba/smbusers         log level = 1         syslog = 0         log file = /var/log/samba/%m         max log size = 50         smb ports = 139         name resolve order = wins bcast hosts         time server = Yes         printcap name = CUPS         show add printer wizard = No         add user script = /opt/IDEALX/sbin/smbldapuseradd m "%u"         delete user script = /opt/IDEALX/sbin/smbldapuserdel "%u"         add group script = /opt/IDEALX/sbin/smbldapgroupadd p "%g"         delete group script = /opt/IDEALX/sbin/smbldapgroupdel "%g"         add user to group script = /opt/IDEALX/sbin/smbldapgroupmod m "%u" "%g"         delete user from group script = /opt/IDEALX/sbin/smbldapgroupmod x "%u" "%g"         set primary group script = /opt/IDEALX/sbin/smbldapusermod g "%g" "%u"         add machine script = /opt/IDEALX/sbin/smbldapuseradd w "%u" 

Example 5.4.7. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
logon script = scripts \ logon.bat logon path = \\%L\ profiles \%U logon drive = X: domain logons = Yes preferred master = Yes wins support = Yes ldap suffix = dc=abmas, dc=biz ldap machine suffix = ou=People ldap user suffix = ou=People ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=Manager, dc=abmas, dc=biz idmap backend = ldap : ldap : //massive.abmas.biz idmap uid = 1000020000 idmap gid = 1000020000 map acl inherit = Yes printing = cups printer admin = root, chrisr 

Example 5.5.1. LDAP Based smb.conf File, Server: BLDG1
# Global parameters  [global]         unix charset = LOCALE         workgroup = MEGANET2         netbios name = BLDG1         passdb backend = ldapsam : ldap : //massive.abmas.biz         enable privileges = Yes         username map = /etc/samba/smbusers         log level = 1         syslog = 0         log file = /var/log/samba/%m         max log size = 50         smb ports = 139         name resolve order = wins bcast hosts         printcap name = CUPS         show add printer wizard = No         logon script = scripts \ logon.bat         logon path = \\%L\ profiles \%U         logon drive = X:         domain logons = Yes         domain master = No         wins server = 172.16.0.1         ldap suffix = dc=abmas, dc=biz         ldap machine suffix = ou=People         ldap user suffix = ou=People         ldap group suffix = ou=Groups         ldap idmap suffix = ou=Idmap         ldap admin dn = cn=Manager, dc=abmas, dc=biz         idmap backend = ldap : ldap : //massive.abmas.biz         idmap uid = 1000020000         idmap gid = 1000020000         printing = cups         printer admin = root, chrisr 

Example 5.5.2. LDAP Based smb.conf File, Server: BLDG2
# Global parameters  [global]         unix charset = LOCALE         workgroup = MEGANET2         netbios name = BLDG2         passdb backend = ldapsam : ldap : //massive.abmas.biz         enable privileges = Yes         username map = /etc/samba/smbusers         log level = 1         syslog = 0         log file = /var/log/samba/%m         max log size = 50         smb ports = 139         name resolve order = wins bcast hosts         printcap name = CUPS         show add printer wizard = No         logon script = scripts \ logon.bat         logon path = \\%L\ profiles \%U         logon drive = X:         domain logons = Yes         domain master = No         wins server = 172.16.0.1         ldap suffix = dc=abmas, dc=biz         ldap machine suffix = ou=People         ldap user suffix = ou=People         ldap group suffix = ou=Groups         ldap idmap suffix = ou=Idmap         ldap admin dn = cn=Manager, dc=abmas, dc=biz         idmap backend = ldap : ldap : //massive.abmas.biz         idmap uid = 10000 20000         idmap gid = 10000 20000         printing = cups         printer admin = root, chrisr 

Example 5.5.3. LDAP Based smb.conf File, Shares Section Part A
[accounts]         comment = Accounting files         path = /data/accounts         read only = No  [service]         comment = Financial Services files         path = /data /service         read only = No  [pidata]         comment = Property Insurance files         path = /data /pidata         read only = No  [homes]         comment = Home Directories         valid users = %S         read only = No         browseable = No  [printers]         comment = SMB Print Spool         path = /var/spool/samba         guest ok = Yes         printable = Yes         browseable = No 

Example 5.5.4. LDAP Based smb.conf File, Shares Section Part B
[apps]         comment = Application files         path = /apps         admin users = bjordan         read only = No  [netlogon]         comment = Network Logon Service         path = /var/lib/samba/netlogon         guest ok = Yes         locking = No  [profiles]         comment = Profile Share         path = /var/lib/samba/profiles         read only = No         profile acls = Yes  [profdata]         comment = Profile Data Share         path = /var/lib/samba/profdata         read only = No         profile acls = Yes  [print$]         comment = Printer Drivers         path = /var/lib/samba/drivers         browseable = yes         guest ok = no         read only = yes         write list = root, chrisr 

Example 5.5.5. LDIF IDMAP Add-On Load File File: /etc/openldap/idmap.LDIF
dn: ou=Idmap,dc=abmas,dc=biz objectClass: organizationalUnit ou: idmap structuralObjectClass:  organizationalUnit 



    Samba-3 by Example. Practical Exercises to Successful Deployment
    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net