Samba-3 By Example: Practical Exercises to Successful Deployment
Last Updated 2/3/2009 3:43:01 PM
Abstract
In this chapter from "Samba-3 by Example: Practical Exercises to Successful Deployment," by John Terpstra, you'll learn about small business networking through a real-world business example. You'll find out how to confront expense, implementation, administration, scalability, and mobility issues. Plus, you'll get in-depth answers to FAQs about small business networking.
So far, this book has focused on the basics of simple yet effective network solutions. Network administrators who take pride in their work (that's most of us, right?) take care to deliver what our users want, but not too much more. If we make things too complex, we confound our users and increase costs of network ownership. A professional network manager avoids the temptation to put too much pizazz into the way that the network operates. Some creativity is helpful, but do keep it under control.
Five years ago there were two companies from which a lesson can be learned. In one case the network administrator spent three months building a new network to replace an old NetWare server. What he delivered had all the bells and whistles he could muster. There were a few teething problems during the changeover, nothing serious but a little disruptive all the same. Users were exposed to many changes at once. The network administrator was asked to resign two months after implementing the new system. This was necessary because so many staff had complained they had lost time and were not happy with the new network. Everything was automated and he delivered more features than any advanced user could think of. He was just too smart for his own good.
In the case of the other company, a new network manager was appointed to oversee the replacement of a LanTastic network with an MS Windows NT 4.0 network. He had the replacement installed and operational within two weeks. Before installation and changeover, he called a meeting to explain to all users what was going to happen, how it would affect them, and that he would be available 24 hours a day to help them through the transition. One week after conversion, he held another meeting asking for cooperation in the introduction of a few new features that would help to make life easier. Network users were thrilled with what he was doing to help them. The network he implemented was nowhere near as complex as the first example, had fewer features, and yet he had happy users. Months later he was still adding new innovations. He always asked the users if a particular feature was what they wanted. He asked his boss for a raise and got it. He often told me, "Always keep a few new tricks up your sleeves for when you need them." Was he smart? You decide. Let's get on with our next exercise.
3.1 INTRODUCTION
Abmas Accounting Inc. has grown. Mr. Meany likes you and says he knew you were the right person for the job. That's why he asked you to install the new server. The past few months have been hard work. You advised Mr. Meany that it is time for a change. Abmas now has 52 users, having acquired an investment consulting business recently. The new users were added to the network without any problems.
Some of the Windows clients are getting to be past their use-by date. You have found damaged and unusable software on some of the workstations that came with the acquired business, and some machines are in need of both hardware and software maintenance.
3.1.1 Assignment Tasks
Mr. Meany has decided to retire in 12 months. He wants you to help him make the business run better. Many of the new staff want notebook computers. They visit customer business premises and need to use the local network facilities there; these users are technically competent. The company uses a business application that requires Windows XP Professional. In short, a complete client upgrade is about to happen. Mr. Meany told you that he is working on another business acquisition and that by the time he retires there will be 80 to 100 users.
Mr. Meany is not concerned about security. He wants to make it easier for staff to do their work. He has hired you to help him appoint a fulltime network manager before he retires. Above all, he says he is investing in the ability to grow. He is determined to live his lifelong dream and hand the business over to a bright and capable executive who can make things happen. This means your network design must cope well with growth.
In a few months, Abmas will require an Internet connection for email and so that staff can easily obtain software updates. Mr. Meany is warming up to the installation of antivirus software but is not yet ready to approve this expense. He told you to spend the money a virus scanner costs on better quality notebook computers for mobile users.
One of Mr. Meany's golfing partners sold him on the idea of buying new laser printers: one black-only, the other a color laser printer. Staff support the need for a color printer so they can present more attractive proposals and reports.
Mr. Meany also asked if it would be possible for one of the staff to manage user accounts from the Windows desktop. That person will be responsible for basic operations.
3.2 DISSECTION AND DISCUSSION
What are the key requirements in this business example? A quick review indicates a need for:
- Scalability from 52 to over 100 users in 12 months
- Mobile computing capability
- Improved reliability and usability
- Easier administration
In this instance the installed Linux system is assumed to be a Red Hat Linux 9.0 server (as in Section 2.2.3).
3.2.1 Technical Issues
It is time to implement a domain security environment. You will use the smbpasswd (default) backend. You should implement a DHCP server. There is no need to run DNS at this time, but the system will use WINS. The Domain name will be BILLMORE. This time, the name of the server will be SLEETH.
All printers will be configured as DHCP clients. The DHCP server will assign the printer a fixed IP address by way of its Ethernet interface (MAC) address. See Example 3.2.
Note: The smb.conf file you are creating in this exercise can be used with equal effectiveness with Samba 2.2.x series releases. This is deliberate so that in the next chapter it is possible to start with the installation that you have created here, migrate it to a Samba-3 configuration and then secure the system further. Configurations following this one will utilize features that may not be supported in Samba 2.2.x releases. However, you should note that the examples in each chapter start with the assumption that a fresh new installation is being effected.
Later on, when the Internet connection is implemented, you will add DNS as well as other enhancements. It is important that you plan accordingly.
You have split the network into two separate areas. Each has its own ether-switch. There are 20 users on the accounting network and 32 users on the financial services network. The server has two network interfaces, one serving each network. The network printers will be located in a central area. You plan to install the new printers and keep the old printer in use also.
You will provide separate file storage areas for each business entity. The old system will go away, accounting files will be handled under a single directory, and files will be stored under customer name, not under a personal work area. Staff will be made responsible for file location, so maintain the old share point.
Given that DNS will not be used, you will configure WINS name resolution for UNIX hostname resolution.
It is necessary to map Windows Domain Groups to UNIX groups as a minimum. It is advisable to also map Windows Local Groups to UNIX groups. Additionally, the two key staff groups in the firm are Accounting Staff and Financial Services Staff. For these, it is necessary to create UNIX groups as well as Windows Domain Groups.
In the sample smb.conf file, you have configured Samba to call the UNIX groupadd utility to add group entries. This utility does not permit the addition of group names that contain uppercase characters or spaces. This is considered a bug. groupadd is part of the shadow-utils Open Source Software package. A later release of this package may have been patched to resolve this bug. If your operating platform has this bug, attempts to add a Windows Domain Group whose name contains either a space or uppercase characters will fail. See TOSHARG, Section 11.3.1, Example 11.1, for more information.
Vendor-supplied printer drivers will be installed on each client. The CUPS print spooler on the UNIX host will be operated in raw mode.
3.2.2 Political Issues
Mr. Meany is an old-school manager. He sets the rules and wants to see compliance. He is willing to spend money on things he believes are of value. You need more time to convince him of real priorities.
Go ahead, buy better notebooks. Wouldn't it be neat if they happened to be supplied with anti-virus software? Above all, demonstrate good purchase value and remember to make your users happy.
3.3 IMPLEMENTATION
In this example, the assumption is made that this server is being configured from a clean start. The alternate approach could be to demonstrate the migration of the system that is documented in Section 2.2.3.2 to meet the new requirements. The decision to treat this case, as with future examples, as a new installation is based on the premise that you can determine the migration steps from the information provided in the separate chapter on this subject. Additionally, a fresh installation makes the example easier to follow.
Each user will be given a home directory on the UNIX system, which will be available as a private share. Two additional shares will be created, one for the Accounting Department and the other for the Financial Services Department. Network users will be given access to these shares by way of group membership.
UNIX group membership is the primary mechanism by which Windows Domain users will be granted rights and privileges within the Windows environment.
The user alanm will be made the owner of all files. This will be preserved by setting the sticky bit (set UID/GID) on the top-level directories.
1. Using UNIX/Linux system tools, name the server sleeth.
2. Place an entry for the machine sleeth in the /etc/hosts file. The printers are network attached, so it is desirable that there should be entries for the network printers also. An example /etc/hosts file is shown here:
192.168.1.1 sleeth sleeth1
192.168.2.1 sleeth2
192.168.1.10 hplj6
192.168.1.11 hplj4
192.168.2.10 qms
3. Install the Samba-3 binary RPM from the Samba-Team FTP site.
4. Install the ISC DHCP server using the UNIX/Linux system tools available to you.
5. Given that Samba will be operating over two network interfaces and clients on each side may want to be able to reach clients on the other side, it is imperative that IP forwarding be enabled. Use the system tool of your choice to enable IP forwarding. In the absence of such a tool on the Linux system, add to the /etc/rc.d/rc.local file an entry as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
This causes the Linux kernel to forward IP packets so that it acts as a router.
6. Install the smb.conf file as shown in Example 3.3 and Example 3.4. Combine these two examples to form a single /etc/samba/smb.conf file.
7. Add the user root to the Samba password backend:
root# smbpasswd -a root
New SMB password: XXXXXXX
Retype new SMB password: XXXXXXX
root#
This is the Windows Domain Administrator password. Never delete this account from the password backend after Windows Domain Groups have been initialized. If you delete this account, your system is crippled. You cannot restore this account and your Samba server is no longer capable of being administered.
8. Create the username map file to permit the root account to be called Administrator from the Windows network environment. To do this, create the file /etc/samba/smbusers with the following contents:
####
# User mapping file
####
# File Format
# -----------
# Unix_ID = Windows_ID
#
# Examples:
# root = Administrator
# janes = "Jane Smith"
# jimbo = Jim Bones
#
# Note: If the name contains a space it must be double quoted.
# In the example above the name 'jimbo' will be mapped to Windows
# user names 'Jim' and 'Bones' because the space was not quoted.
#######################################################################
root = Administrator
####
# End of File
####
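As an added illustration (not code from the book or from Samba itself), the following Python models how a username map in this format is read, including the quoting rule the file's own comment warns about: an unquoted Jim Bones becomes two Windows names, while "Jane Smith" survives as one. The parser is simplified to the syntax used in this file (Samba's real reader also handles other syntax, such as the `!` stop marker and `@group` entries), Windows names are compared case-insensitively as an assumption, and the sample file content is constructed.

```python
"""Minimal reader for the /etc/samba/smbusers username map format.
Added illustration only; not Samba's own parser."""
import shlex

# Constructed sample: the step 8 file plus its own commented examples,
# uncommented so that the quoting rule can be exercised.
SMBUSERS = """\
# User mapping file
root = Administrator
janes = "Jane Smith"
jimbo = Jim Bones
"""


def parse_username_map(text):
    """Return {unix_id: [windows_name, ...]} for 'Unix_ID = Windows_ID ...' lines.

    The right-hand side is split on whitespace unless double quoted, so an
    unquoted 'Jim Bones' yields the two names 'Jim' and 'Bones' rather than one.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or malformed entry
        unix_id, rhs = (part.strip() for part in line.split("=", 1))
        mapping.setdefault(unix_id, []).extend(shlex.split(rhs))
    return mapping


def unix_user_for(windows_name, mapping):
    """Resolve a Windows logon name to its UNIX account; None if unmapped.
    Comparison is case-insensitive here (an assumption of this illustration)."""
    wanted = windows_name.lower()
    for unix_id, names in mapping.items():
        if any(name.lower() == wanted for name in names):
            return unix_id
    return None


if __name__ == "__main__":
    m = parse_username_map(SMBUSERS)
    print(m)                                  # jimbo -> ['Jim', 'Bones']
    print(unix_user_for("Administrator", m))  # root
```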
9. Create and map Windows Domain Groups to UNIX groups. A sample script is provided in Example 3.1. Create a file containing this script. We called ours /etc/samba/initGrps.sh. Set this file so it can be executed, and then execute the script. Sample output should be as follows:
root# chmod 755 initGrps.sh
root# /etc/samba # ./initGrps.sh
Updated mapping entry for Domain Admins
Updated mapping entry for Domain Users
Updated mapping entry for Domain Guests
No rid or sid specified, choosing algorithmic mapping
Successfully added group Accounts Dept to the mapping db
No rid or sid specified, choosing algorithmic mapping
Successfully added group Domain Guests to the mapping db
Updated mapping entry for Administrators
Updated mapping entry for Users
Updated mapping entry for Guests
Updated mapping entry for System Operators
Updated mapping entry for Account Operators
Updated mapping entry for Backup Operators
Updated mapping entry for Print Operators
Updated mapping entry for Replicators
Updated mapping entry for Power Users
root# /etc/samba # net groupmap list | sort
Account Operators (S-1-5-32-548) -> wheel
Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
Administrators (S-1-5-32-544) -> sys
Backup Operators (S-1-5-32-551) -> bin
Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
Guests (S-1-5-32-546) -> nobody
Power Users (S-1-5-32-547) -> ntadmin
Print Operators (S-1-5-32-550) -> lp
Replicators (S-1-5-32-552) -> kmem
System Operators (S-1-5-32-549) -> daemon
Users (S-1-5-32-545) -> public
Example 3.1. Script to Map Windows NT Groups to UNIX Groups
#!/bin/bash
#
# initGrps.sh
#
# Create UNIX groups
groupadd acctsdep
groupadd finsrvcs
# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
# Add Functional Domain Groups
net groupmap add ntgroup="Accounts Dept" unixgroup=acctsdep type=d
net groupmap add ntgroup="Financial Services" unixgroup=finsrvcs type=d
# Map Windows NT machine local groups to local UNIX groups
net groupmap modify ntgroup="Administrators" unixgroup=sys
net groupmap modify ntgroup="Users" unixgroup=public
net groupmap modify ntgroup="Guests" unixgroup=nobody
net groupmap modify ntgroup="System Operators" unixgroup=daemon
net groupmap modify ntgroup="Account Operators" unixgroup=wheel
net groupmap modify ntgroup="Backup Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Replicators" unixgroup=kmem
net groupmap modify ntgroup="Power Users" unixgroup=ntadmin
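As an added post-step-9 check (illustrative code, not from the book), this Python parses net groupmap list output in the format shown above and compares it with /etc/group, reporting domain well-known RIDs (512, 513, 514) that have no mapping and mappings that point at UNIX groups which do not exist; a UNIX group that was never created (for instance because the groupadd call in the script failed) silently defeats the group-based share access set up later. The listing and the /etc/group excerpt are constructed sample data.

```python
"""Audit 'net groupmap list' output against /etc/group.
Added illustration, not from the book or Samba; sample data is constructed."""
import re

# Constructed from the listing shown in step 9 (subset of rows).
GROUPMAP_OUTPUT = """\
Accounts Dept (S-1-5-21-194350-25496802-3394589-2003) -> acctsdep
Administrators (S-1-5-32-544) -> sys
Domain Admins (S-1-5-21-194350-25496802-3394589-512) -> root
Domain Guests (S-1-5-21-194350-25496802-3394589-514) -> nobody
Domain Users (S-1-5-21-194350-25496802-3394589-513) -> users
Financial Services (S-1-5-21-194350-25496802-3394589-2005) -> finsrvcs
"""

# Constructed /etc/group excerpt; 'finsrvcs' is deliberately absent.
ETC_GROUP = """\
root:x:0:
sys:x:3:
users:x:100:
nobody:x:99:
acctsdep:x:501:
"""

ROW_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")
# Domain (not BUILTIN S-1-5-32-*) RIDs that must always be mapped.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_groupmap(text):
    """Turn each 'Name (SID) -> unixgroup' line into a (name, sid, unix) tuple."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], m["unix"]))
    return rows


def unix_group_names(etc_group_text):
    """Set of group names from /etc/group-style 'name:x:gid:members' lines."""
    return {line.split(":", 1)[0] for line in etc_group_text.splitlines() if ":" in line}


def audit(groupmap_text, etc_group_text):
    """Return human-readable findings; an empty list means the mapping is sound."""
    rows = parse_groupmap(groupmap_text)
    existing = unix_group_names(etc_group_text)
    findings = []
    domain_rids = {int(sid.rsplit("-", 1)[1]) for _, sid, _ in rows
                   if not sid.startswith("S-1-5-32-")}
    for rid, name in sorted(WELL_KNOWN_RIDS.items()):
        if rid not in domain_rids:
            findings.append(f"missing mapping for {name} (RID {rid})")
    for name, _, unix in rows:
        if unix not in existing:
            findings.append(f"{name} -> {unix}: UNIX group does not exist")
    return findings
```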
10. For each user who needs to be given a Windows Domain account, make an entry in the /etc/passwd file as well as in the Samba password backend. Use the system tool of your choice to create the UNIX system accounts and use the Samba smbpasswd program to create the Domain-user accounts. There are a number of tools for user management under UNIX. Commonly known ones include useradd and adduser. In addition to these, there are a plethora of custom tools. With the tool of your choice, create a home directory for each user.
11. Using the preferred tool for your UNIX system, add each user to the UNIX groups created previously as necessary. File system access control will be based on UNIX group membership.
12. Create the directory mount point for the disk subsystem that is mounted to provide data storage for company files. In this case the mount point indicated in the smb.conf file is /data. Format the file system as required, mount the formatted file system partition using mount, and make the appropriate changes in /etc/fstab.
Each department is responsible for creating its own directory structure within its share. The directory root of the accounts share is /data/accounts. The directory root of the finsvcs share is /data/finsvcs.
13. Create the top-level file storage directories as follows:
root# mkdir -p /data/{accounts,finsvcs}
root# chown -R root.root /data
root# chown -R alanm.accounts /data/accounts
root# chown -R alanm.finsvcs /data/finsvcs
root# chmod -R ug+rwx,o+rx-w /data
14. Configure the printers with the IP addresses as shown in Figure 3.1. Follow the instructions in the manufacturers' manuals to permit printing to port 9100. This allows the CUPS spooler to print using raw mode protocols.
15. Configure the CUPS Print Queues as follows:
root# lpadmin -p hplj4 -v socket://192.168.1.11:9100 -E
root# lpadmin -p hplj6 -v socket://192.168.1.10:9100 -E
root# lpadmin -p qms -v socket://192.168.2.10:9100 -E
This creates the necessary print queues with no assigned print filter.
16. Edit the file /etc/cups/mime.convs to uncomment the line:
application/octet-stream application/vnd.cups-raw 0 -
17. Edit the file /etc/cups/mime.types to uncomment the line:
application/octet-stream
18. Using your favorite system editor, create an /etc/dhcpd.conf with the contents as shown in Example 3.2.
19. Use the standard system tool to start DHCP, Samba and CUPS and configure them to start automatically at every system reboot. For example:
root# chkconfig dhcp on
root# chkconfig smb on
root# chkconfig cups on
root# /etc/rc.d/init.d/dhcp restart
root# /etc/rc.d/init.d/smb restart
root# /etc/rc.d/init.d/cups restart
20. Configure the Name Service Switch (NSS) to handle WINS based name resolution. Since this system does not use a DNS server, it is safe to remove this option from the NSS configuration. Edit the /etc/nsswitch.conf file so that the hosts: entry looks like this:
hosts: files wins