\documentclass{ictlab}

\RCS $Revision: 1.1 $

\usepackage{alltt,key,xr}
\externaldocument[lt-]{../../linux_training-plus-config-files-ossi/build/masterfile}
\ifx\pdftexversion\undefined \else
  \usepackage[pdfpagemode=None,pdfauthor={Nick Urbanik}]{hyperref}
\fi

\renewcommand*{\subject}{Operating Systems and Systems Integration}

\newcommand*{\labTitle}{Configuring and Testing Samba PDCs}

\begin{document}

\section{Aim}
\label{sec:aim}

After completing this exercise, you will be able to install and
perform basic configuration of a Samba server as a primary domain
controller.  You will conduct a number of tests of your primary domain
controller with Windows~2000 clients.

%% \section{Background}
%% \label{sec:background}

%% I have created the final 2.2 Samba RPMs at
%% \url{http://Ictlab.tyict.vtc.edu.hk/samba/}.  We wish to test them
%% thoroughly for suitability as a primary domain controller for
%% Windows~2000 clients.

\section{Procedure}
\label{sec:procedure}

\begin{enumerate}

\item Choose a partner so that at least one of you has Windows 2000
  Prefessional or Advanced Server, that is \emph{not} either a
  primary or backup domain controller.

\item Mount the NFS drive from Ictlab, and change to the samba directory:
  \begin{verbatim}
$ sudo mount Ictlab:/var/ftp/pub /mnt
$ cd /mnt/samba
  \end{verbatim}

\item install the 2.2.3a samba packages---if you installed
  the alpha packages before, you need to upgrade them to the final
  version.

If you did not install samba 2.2 before:
\begin{verbatim}
$ sudo rpm -Uhv samba-*2.2.3a-4.i386.rpm
\end{verbatim}%$


\item Refer to the document that I have written about installing
  updates, and install the updates.  The Samba 2.2 RPMs will not work
  unless most of the OS updates are applied.
  
% \item Verify that you have installed some of the updates for Red Hat
%   7.0.  For example, check that you have a current version of the main
%   shared libraries:
% \begin{verbatim}
% $ rpm -q glibc glibc-common
% glibc-2.2-12
% glibc-common-2.2-12
% \end{verbatim}%$
% If the version of your main libraries is older than this, you need to
% apply the updates; I have found that this version of samba will not
% work with the older libraries.  See the document I have written about
% applying updates.

\item Back up your original \texttt{smb.conf} configuration file for
  Samba again:
\begin{verbatim}
$ cd /etc/samba
$ sudo cp -p smb.conf smb.conf-orig
\end{verbatim}

% \item turn on swat:
% \begin{verbatim}
% $ sudo setup
% \end{verbatim}%$
% then select services, and ensure that the \texttt{swat} entry has a
% star \texttt{[*]} next to it.  Also ensure that \texttt{nmb} is
% selected.

% \item restart \texttt{xinetd}, and \texttt{samba}:
% \begin{verbatim}
% $ sudo /etc/rc.d/init.d/xinetd restart
% $ sudo /etc/rc.d/init.d/smb restart
% \end{verbatim}

% \item Open SWAT in your web browser by clicking on
%   \url{http://localhost:901/}

%   Note: that is a \emph{colon}, not a comma; 901 is a port number, not
%   part of the DNS name.
  
%   If this doesn't work for you, then the proxy settings are wrong on
%   your browser.  Make sure that your web browser does not ask a proxy
%   server in Wan Chai, but connects directly to the SWAT server on your
%   machine.

% \item Click on the \key{\textsc{globals}} button at the top of the
%   page.


\item Copy the new configuration file from the documentation directory
  of Samba:
{\small
\begin{verbatim}
$ sudo cp -p /usr/share/doc/samba-2.2.0/smb.conf-pdc-example /etc/samba/smb.conf
\end{verbatim}}%$
  
%% \item Install my emacs fixes if you haven't done so already (and if
%%   you installed Linux yourself, not using the Ghost image) from
%%   \url{http://nicku.org/ftp/emacs/}.

\item Edit the Samba configuration file using emacs:
\begin{verbatim}
$ sudo emacs /etc/samba/smb.conf &
\end{verbatim}%$
  \begin{explanation}
    I \emph{strongly} suggest that you open this file, and \emph{keep
    it open}.  It wastes time to continually open and close the
    configuration file.
  \end{explanation}

\item Change the workgroup to a name based on your computers' DNS
  name, with a letter or digit appended.
  
  For example, if your computer's hostname is
  \texttt{sammy.tyict.vtc.edu.hk}, enter something like
  \texttt{sammyD}.  You should understand that NetBIOS domain names
  are different from DNS domain names.  DNS domain names form a
  hierarchy, whereas NetBIOS domain names are all in one big flat name
  space.


% \item for the netbios name, enter the first part of your DNS name.
%   For example, if your computer's hostname is
%   \texttt{sammy.tyict.vtc.edu.hk}, enter \texttt{sammy}
  
% \item Uncomment the line (remove the semicolon at the beginning):
% \begin{verbatim}
% ;  username map = /etc/samba/smbusers
% \end{verbatim}

% \item Add to the \texttt{[Global]} section the line:
% \begin{verbatim}
%    debug level = 1
% \end{verbatim}

\item Change the \texttt{netlogon} share to be writable by the
  administrator, by removing the \texttt{writable = no} configuration
  option and changing the configuration to look something like this:
\begin{verbatim}
[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   guest ok = no
   write list = @smbadm
   share modes = no
\end{verbatim}

\item Verify that the configuration file has no syntax errors using
  the \texttt{testparm} program:
  \begin{alltt}
$ testparm
  \end{alltt}%$

\item Start the server with:
\begin{verbatim}
$ sudo samba start
\end{verbatim}%$
Then check to see that it is running with:
\begin{verbatim}
$ samba status
\end{verbatim}%$

\item You should have already created accounts for yourself, your
  partner and for the user \texttt{root} previously.  In case you need
  to make some more accounts, here is the procedure, repeated from
  last time:
  \begin{enumerate}
  \item Create a number of samba account passwords.  Each of them must
    have an entry in the \texttt{/etc/passwd} file (i.e., perhaps you
    added the account earlier using \texttt{useradd}.  Note that
    today, we will use separate passwords for samba and for logging
    into Linux.
    
    Example of adding a user that is not in your password file
    already:
\begin{verbatim}
$ sudo useradd -c 'Nick Urbanik' nicku
$ sudo smbpasswd -a nicku
\end{verbatim}
    
    Example of adding a user that is already in your password file:
\begin{verbatim}
$ sudo smbpasswd -a nicku
\end{verbatim}%$
    
  \item Add a password for root:
\begin{verbatim}
$ sudo smbpasswd -a root
\end{verbatim}%$
    Note that this password should be different from the Linux login
    password for root, for security reasons.  You will need to give
    your partner this password.
  \end{enumerate}

\item Examine the log files while you do the following steps.  The log
  files are in \texttt{/var/log/samba}.  You need to su to root before
  you can change into that directory.  Open some windows and run
  \texttt{tail -f} on the log files.

  
\item You should already have made a Windows 2000 machine a member of
  your domain last time, but in case you have a new partner today,
  here is the procedure:
  \begin{enumerate}
  \item Log into a Windows 2000 machine locally as administrator.
    Note: this Windows machine must not already be a primary domain
    controller, since a PDC cannot be made a member of another domain.
    You can use Windows 2000 Advanced Server, as long as it is not a
    \textsc{PDC} or \textsc{BDC}\@.  If you have no Windows 2000
    Professional for which you have administrator access, you can use
    Windows 98, but this will reduce what you can test.
    \begin{enumerate}
    \item In Windows 2000, from TCP/IP settings, add 192.168.68.240 as
      the WINS server address.  Select the radio button \textsf{Enable
        NetBIOS over TCP/IP}.
    
    \item In Windows 2000, right-click Network Places and select
      \texttt{Properties}; from the \texttt{Advanced} menu, select
      \texttt{Network Identification}.  Press \texttt{Properties}.
      
    \item Choose \texttt{Domain}, enter the domain name of your samba
      server.  Click \key{OK}.
      
    \item Enter the user name \texttt{administrator} and enter the
      Samba password for \texttt{root} on your Samba server.
      
    \item Wait for confirmation and reboot when prompted.
  \end{enumerate}
\end{enumerate}

\item Now test this as a primary domain controller.  Note that it is
  an \NT4 compatible \PDC, not a Windows 2000 \PDC\@.
  
  Being a \emph{primary domain controller} means allowing other machines to
  join the domain so that when any user logs into the domain, then:
  \begin{itemize}
  \item the user can access any resources (e.g., shares, printers)
    that are 
    \begin{itemize}
    \item provided by any of the machines that are members of the
      domain and that 
    \item they have the rights to access
    \end{itemize}
  \item without entering a password again.
  \end{itemize}
  
\item Login in to the domain as \texttt{administrator} from your
  Windows 2000 box.  Browse to the \texttt{netlogon} share, and create
  some logon scripts using notepad.  For the user \texttt{nickl}, the
  script is the file \texttt{/var/\allowbreak samba/\allowbreak
    netlogon/\allowbreak scripts/\allowbreak nickl.bat}.  The logon
  script is run by the client when it logs in.  Here is an example of
  a logon script:
\begin{verbatim}
@echo off

net time \\nicksbox /set /yes
if %OS%.==Windows_NT. goto WinNT

:Win9x
net use z: \\nicksbox\nickl
net use p: \\nicksbox\ossi
net use q: \\nicksbox\notlinux
net use r: \\nicksbox\linux
goto end
:WinNT
net use z: \\nicksbox\nickl /persistent:no
net use p: \\nicksbox\ossi /persistent:no
net use q: \\nicksbox\notlinux /persistent:no
net use r: \\nicksbox\linux /persistent:no
:end
\end{verbatim}
  Note that each line must be terminated by a carriage
  return/linefeed pair.
  
\item Documentation for the new features of Samba 2.2 is in
  \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak
    samba-2.2.3a/\allowbreak docs/\allowbreak Samba\allowbreak
    -HOWTO\allowbreak -Collection\allowbreak .pdf}.  Open this up:
\begin{verbatim}
$ cd /usr/share/doc/samba-2.2.3a/docs
$ acroread Samba-HOWTO-Collection.pdf &
\end{verbatim}
and move to page 45 (by page numbering in the document itself), or
page 50 if count pages starting from beginning as page 1.  This
section is about System Policies and Profiles\@.

\item I have extracted the policy editor \texttt{poledit.exe} from the
  NT4 Service pack 6a, and put it, together with the files
  \texttt{common.adm} and \texttt{winnt.adm} into the directory
  \texttt{profile-editor-from-service-pack-6a} in the \texttt{samba}
  NFS directory from \texttt{Ictlab}\@.  Test editing policies on
  your samba server from the Windows 2000 machine.
  
\item I have also downloaded the server manager for \NT4.  You will
  find it in the \texttt{samba} \NFS directory from
  \texttt{Ictlab}\@.  Test the server manager.
  
\item Samba 2.2 supports downloadable printer drivers.  This is
  described in the \texttt{Samba\allowbreak -HOWTO\allowbreak
    -Collection\allowbreak .pdf} file on page 30(35).  Test it.
    
\item Samba 2.2 supports \DFS\@.  The \RPM package provides a directory
  that is a \DFS root.  Read the documentation about it on page 22(27)
  in the \texttt{Samba\allowbreak -HOWTO\allowbreak
    -Collection\allowbreak .pdf} file.  Also see
  \texttt{/usr/\allowbreak share/\allowbreak doc/\allowbreak
    samba-2.2.3a/\allowbreak docs/\allowbreak htmldocs/\allowbreak
    msdfs\_setup.html}.
  
\item Test your domain controller as much as you can.
\end{enumerate}
\end{document}