In this instance we consider the simplest server configuration we can get away with
to make an accounting department happy. Be warned: the users are accountants, and they
do have some nasty demands. There is a budget for only one server for this department.
The network is managed by an internal Information Services Group (ISG), to which we belong.
Internal politics are typical of a medium-sized organization; Human Resources is of the
opinion that they run the ISG because they are always adding and disabling users. Also,
departmental managers have to fight tooth and nail to gain basic network resource access for
their staff. Accounting is different, though; they get exactly what they want. So this should
set the scene.
We use the users from the last example. The accounting department
has a general printer that all departmental users may use. There is also a check printer
that may be used only by the person who has authority to print checks. The chief financial
officer (CFO) wants that printer to be completely restricted and for it to be located in the
private storage area in her office. It therefore must be a network printer.
The accounting department uses an accounting application called SpytFull
that must be run from a central application server. The software is licensed to run only off
one server; there are no workstation components, and it is run off a mapped share. The data
store is in a UNIX-based SQL backend. The UNIX gurus look after that, so this is not our
problem.
The accounting department manager (maryo) wants a general filing system as well as a separate
file storage area for form letters (nastygrams). The form letter area should be read-only to
all accounting staff except the manager. The general filing system has to have a structured
layout with a general area for all staff to store general documents as well as a separate
file area for each member of her team that is private to that person, but she wants full
access to all areas. Users must have a private home share for personal work-related files
and for materials not related to departmental operations.
The server valinor will be a member server of the company domain.
Accounting will have only a local server. User accounts will be on the domain controllers,
as will desktop profiles and all network policy files.
Example 2.5. Member Server smb.conf (Globals)

    # Global parameters
    [global]
        workgroup = MIDEARTH
        netbios name = VALINOR
        security = DOMAIN
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind use default domain = Yes
        printing = cups
Example 2.6. Member Server smb.conf (Shares and Services)

    [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

    [spytfull]
        comment = Accounting Application Only
        path = /export/spytfull
        valid users = @Accounts
        admin users = maryo
        read only = Yes

    [public]
        comment = Data
        path = /export/public
        read only = No

    [printers]
        comment = All Printers
        path = /var/spool/samba
        printer admin = root, maryo
        create mask = 0600
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        browseable = No
- Do not add users to the UNIX/Linux server; all of this will run off the
  central domain.
- Configure smb.conf according to Member server smb.conf (globals) and
  Member server smb.conf (shares and services).
- Join the domain. Note: Do not start Samba until this step has been completed!

      root# net rpc join -Uroot%'bigsecret'
      Joined domain MIDEARTH.

- Make absolutely certain that you disable (shut down) the nscd daemon on any
  system on which winbind is configured to run.
- Start Samba following the normal method for your operating system platform.
  If you wish to do this manually, execute as root:

      root# nmbd; smbd; winbindd;

- Configure the name service switch (NSS) control file on your system to resolve
  user and group names via winbind. Edit the following lines in /etc/nsswitch.conf:

      passwd: files winbind
      group: files winbind
      hosts: files dns winbind

- Set the password for wbinfo to use:

      root# wbinfo --set-auth-user=root%'bigsecret'

- Validate that domain user and group credentials can be correctly resolved by executing:

      root# wbinfo -u
      MIDEARTH\maryo
      MIDEARTH\jackb
      MIDEARTH\ameds
      ...
      MIDEARTH\root

      root# wbinfo -g
      MIDEARTH\Domain Users
      MIDEARTH\Domain Admins
      MIDEARTH\Domain Guests
      ...
      MIDEARTH\Accounts

- Check that winbind is working. The following demonstrates correct username
  resolution via the getent system utility:

      root# getent passwd maryo
      maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false

- A final test that we have this under control might be reassuring:

      root# touch /export/a_file
      root# chown maryo /export/a_file
      root# ls -al /export/a_file
      ...
      -rw-r--r-- 1 maryo users 11234 Jun 21 15:32 a_file
      ...
      root# rm /export/a_file

- Configuration is now mostly complete, so this is an opportune time to
  configure the directory structure for this site:

      root# mkdir -p /export/{spytfull,public}
      root# chmod ug=rwxS,o=x /export/{spytfull,public}
      root# chown maryo.Accounts /export/{spytfull,public}
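As an added example (not part of the HOWTO or of Samba itself), the following POSIX shell script checks two of the preconditions the steps above depend on: that nsswitch.conf routes passwd and group lookups through winbind, and that a getent passwd entry for a domain user carries a uid inside the idmap uid range declared in smb.conf, which is how you tell a winbind-mapped account from a local UNIX one. The smb.conf, nsswitch.conf and getent lines it reads are constructed samples mirroring the configuration above, so it runs without a domain.

```sh
#!/bin/sh
# Added example, not from the Samba HOWTO: sanity checks for a winbind
# member server. All inputs below are constructed samples, so this runs
# without a domain; point the functions at the real files on a live host.

# nss_uses_winbind FILE DB: does the DB line (passwd, group, hosts) in an
# nsswitch.conf list winbind as a source?
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# idmap_range SMBCONF KEY: print "low high" from a "KEY = low-high" line
idmap_range() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p" "$1"
}

# uid_in_idmap SMBCONF PASSWDLINE: the uid of a getent passwd line must fall
# inside "idmap uid" if the account really came from winbind; a local UNIX
# account (uid 0, say) fails this check, which is the point.
uid_in_idmap() {
    uid=$(printf '%s\n' "$2" | cut -d: -f3)
    range=$(idmap_range "$1" "idmap uid")
    [ -n "$range" ] || return 1
    low=${range% *}
    high=${range#* }
    [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ]
}

# Constructed inputs mirroring the HOWTO's configuration and command output.
work=$(mktemp -d)
cat > "$work/smb.conf" <<'EOF'
[global]
    workgroup = MIDEARTH
    idmap uid = 15000-20000
    idmap gid = 15000-20000
EOF
cat > "$work/nsswitch.conf" <<'EOF'
passwd: files winbind
group: files winbind
hosts: files dns winbind
EOF
MARYO='maryo:x:15000:15003:Mary Orville:/home/MIDEARTH/maryo:/bin/false'
LOCALROOT='root:x:0:0:root:/root:/bin/sh'

nss_uses_winbind "$work/nsswitch.conf" passwd && echo "passwd -> winbind: ok"
nss_uses_winbind "$work/nsswitch.conf" group && echo "group -> winbind: ok"
uid_in_idmap "$work/smb.conf" "$MARYO" && echo "maryo: uid inside idmap range"
uid_in_idmap "$work/smb.conf" "$LOCALROOT" || echo "root: local account, not winbind-mapped"
```

On a live member server, replace the constructed paths with /etc/samba/smb.conf and /etc/nsswitch.conf and feed the functions the real output of getent passwd for a domain user.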