diff options
author | John Terpstra <jht@samba.org> | 2005-06-20 22:16:43 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:51 -0500 |
commit | ffa2020e049b621d6d5e0850a1dd34ec7d519498 (patch) | |
tree | 65d202044b4eea7f5c259e42accc4960f52c991a | |
parent | 08d364c5169f48a4b1e88296ba6628ffec9217a4 (diff) | |
download | samba-ffa2020e049b621d6d5e0850a1dd34ec7d519498.tar.gz samba-ffa2020e049b621d6d5e0850a1dd34ec7d519498.tar.bz2 samba-ffa2020e049b621d6d5e0850a1dd34ec7d519498.zip |
Another update.
(This used to be commit 92c45d0294a92af67c21b94e1b2b2bb9d75e2a7c)
-rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml | 153 |
1 files changed, 125 insertions, 28 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml b/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml index d2c981c427..ae658e28ea 100644 --- a/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml +++ b/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml @@ -7,6 +7,9 @@ <title>Standalone Servers</title> <para> +<indexterm><primary>standalone server</primary></indexterm> +<indexterm><primary>not domain members</primary></indexterm> +<indexterm><primary>minimum security control</primary></indexterm> Standalone servers are independent of domain controllers on the network. They are not domain members and function more like workgroup servers. In many cases a standalone server is configured with a minimum of security control @@ -17,12 +20,18 @@ with the intent that all data served will be readily accessible to all users. <title>Features and Benefits</title> <para> +<indexterm><primary>secure</primary></indexterm> +<indexterm><primary>insecure</primary></indexterm> Standalone servers can be as secure or as insecure as needs dictate. They can have simple or complex configurations. Above all, despite the hoopla about domain security, they remain a common installation. </para> <para> +<indexterm><primary>read-only files</primary></indexterm> +<indexterm><primary>share-mode</primary></indexterm> +<indexterm><primary>read-only</primary></indexterm> +<indexterm><primary>standalone server</primary></indexterm> If all that is needed is a server for read-only files, or for printers alone, it may not make sense to effect a complex installation. For example, a drafting office needs to store old drawings and reference @@ -32,6 +41,9 @@ server is an ideal solution. </para> <para> +<indexterm><primary>simplicity</primary></indexterm> +<indexterm><primary>printers</primary></indexterm> +<indexterm><primary>share-mode server</primary></indexterm> Another situation that warrants simplicity is an office that has many printers that are queued off a single central server. Everyone needs to be able to print to the printers, there is no need to effect any access controls, and no files will @@ -44,15 +56,19 @@ a great solution. <title>Background</title> <para> -The term <emphasis>standalone server</emphasis> means that it -will provide local authentication and access control for all resources -that are available from it. In general this means that there will be a -local user database. In more technical terms, it means resources -on the machine will be made available in either <emphasis>share</emphasis> mode or in -<emphasis>user</emphasis> mode. +<indexterm><primary>standalone server</primary></indexterm> +<indexterm><primary>local authentication</primary></indexterm> +<indexterm><primary>access control</primary></indexterm> +The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access +control for all resources that are available from it. In general this means that there will be a local user +database. In more technical terms, it means resources on the machine will be made available in either +<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode. </para> <para> +<indexterm><primary>create user accounts</primary></indexterm> +<indexterm><primary>no network logon service</primary></indexterm> +<indexterm><primary>independent</primary></indexterm> No special action is needed other than to create user accounts. Standalone servers do not provide network logon services. This means that machines that use this server do not perform a domain logon to it. Whatever logon facility @@ -63,6 +79,9 @@ user name. There are several ways this can be done. </para> <para> +<indexterm><primary>local authentication database</primary></indexterm> +<indexterm><primary>SMB</primary></indexterm> +<indexterm><primary>not domain member</primary></indexterm> Samba tends to blur the distinction a little in defining a standalone server. This is because the authentication database may be local or on a remote server, even if from the SMB protocol perspective @@ -70,8 +89,16 @@ the Samba server is not a member of a domain security context. </para> <para> -Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH, -which maintains the UNIX-user database), the source of authentication may reside on +<indexterm><primary>PAM</primary></indexterm> +<indexterm><primary>NSS</primary></indexterm> +<indexterm><primary>UNIX-user database</primary></indexterm> +<indexterm><primary>/etc/passwd</primary></indexterm> +<indexterm><primary>/etc/shadow</primary></indexterm> +<indexterm><primary>local smbpasswd file</primary></indexterm> +<indexterm><primary>LDAP backend</primary></indexterm> +<indexterm><primary>Winbind</primary></indexterm> +Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSS), +which maintains the UNIX-user database, the source of authentication may reside on another server. We would be inclined to call this the authentication server. This means that the Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a @@ -85,20 +112,27 @@ for authentication. <title>Example Configuration</title> <para> -Examples 7.3.1 and 7.3.2 -are designed to inspire simplicity. It is too easy to attempt a high level of creativity -and to introduce too much complexity in server and network design. +<indexterm><primary>inspire simplicity</primary></indexterm> +<indexterm><primary>complexity</primary></indexterm> +<link linkend="simplynice">The example Reference Documentation Server</link> and <link +linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to +attempt a high level of creativity and to introduce too much complexity in server and network design. </para> <sect2 id="RefDocServer"> <title>Reference Documentation Server</title> <para> -Configuration of a read-only data server that everyone can access is very simple. -<link linkend="simplynice">The following example (7.3.1)</link> is the &smb.conf; file that will do this. Assume that all the reference documents +<indexterm><primary>read-only</primary></indexterm> +<indexterm><primary>reference documents</primary></indexterm> +<indexterm><primary>/export</primary></indexterm> +<indexterm><primary>/etc/passwd</primary></indexterm> +Configuration of a read-only data server that everyone can access is very simple. By default all shares are +read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example - Reference +Documentation Server</link> is the &smb.conf; file that will do this. Assume that all the reference documents are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than -nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> -UNIX system database. This is a simple system to administer. +nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX +system database. This is a simple system to administer. </para> <example id="simplynice"> @@ -118,11 +152,29 @@ UNIX system database. This is a simple system to administer. </smbconfblock> </example> +<blockquote> +<attribution>Mark Twain</attribution> <para> -In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the workgroup is set to the name -of the local workgroup (&example.workgroup;) so the machine will appear together with systems with -which users are familiar. The only password backend required is the <quote>guest</quote> backend to allow default -unprivileged account names to be used. As there is a WINS server on this network, we of course make use of it. +I would have spoken more briefly, if I'd had more time to prepare. +</para> +</blockquote> + +<para> +<indexterm><primary>password backend</primary></indexterm> +<indexterm><primary>guest</primary></indexterm> +<indexterm><primary>unprivileged account names</primary></indexterm> +<indexterm><primary>WINS</primary></indexterm> +In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the +workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together +with systems with which users are familiar. The only password backend required is the <quote>guest</quote> +backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we +of course make use of it. +</para> + +<para> +A USAF Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often +sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately, +many network administrators still need to learn the art of doing just enough to keep out of trouble. </para> </sect2> @@ -131,8 +183,9 @@ unprivileged account names to be used. As there is a WINS server on this network <title>Central Print Serving</title> <para> -Configuration of a simple print server is easy if you have all the right tools -on your system. +<indexterm><primary>simple print server</primary></indexterm> +<indexterm><primary>tools</primary></indexterm> +Configuration of a simple print server is easy if you have all the right tools on your system. </para> <orderedlist> @@ -158,6 +211,9 @@ on your system. </orderedlist> <para> +<indexterm><primary>print server</primary></indexterm> +<indexterm><primary>/var/spool/samba</primary></indexterm> +<indexterm><primary>anonymous</primary></indexterm> In this example our print server will spool all incoming print jobs to <filename>/var/spool/samba</filename> until the job is ready to be submitted by Samba to the CUPS print processor. Since all incoming connections will be as @@ -167,6 +223,9 @@ the anonymous (guest) user, two things will be required to enable anonymous prin <itemizedlist> <title>Enabling Anonymous Printing</title> <listitem><para> +<indexterm><primary>guest account</primary></indexterm> +<indexterm><primary>nobody</primary></indexterm> +<indexterm><primary>testparm</primary></indexterm> The UNIX/Linux system must have a <command>guest</command> account. The default for this is usually the account <command>nobody</command>. To find the correct name to use for your version of Samba, do the @@ -174,11 +233,31 @@ the anonymous (guest) user, two things will be required to enable anonymous prin <screen> &prompt;<userinput>testparm -s -v | grep "guest account"</userinput> </screen> +<indexterm><primary>/etc/passwd</primary></indexterm> Make sure that this account exists in your system password database (<filename>/etc/passwd</filename>). + </para> + + <para> +<indexterm><primary>set a password</primary></indexterm> +<indexterm><primary>lock password</primary></indexterm> +<indexterm><primary>passwd</primary></indexterm> + It is a good idea either to set a password on this account, or else to lock it + from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>, + it can be locked by excuting: +<screen> +&rootprompt; passwd -l pcguest +</screen> + The exact command may vary depending on your UNIX/Linux distribution. </para></listitem> <listitem><para> +<indexterm><primary>directory</primary></indexterm> +<indexterm><primary>guest account</primary></indexterm> +<indexterm><primary>available</primary></indexterm> +<indexterm><primary>mkdir</primary></indexterm> +<indexterm><primary>chown</primary></indexterm> +<indexterm><primary>chmod</primary></indexterm> The directory into which Samba will spool the file must have write access for the guest account. The following commands will ensure that this directory is available for use: @@ -191,7 +270,7 @@ the anonymous (guest) user, two things will be required to enable anonymous prin </itemizedlist> <para> -The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">Example 7.3.2</link>. +The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>. </para> <example id="AnonPtrSvr"> @@ -221,14 +300,30 @@ The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">Examp <note><para> <indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm> <indexterm><primary>raw printing</primary></indexterm> -On CUPS-enabled systems there is a facility to pass raw data directly to the printer without -intermediate processing via CUPS print filters. Where use of this mode of operation is desired, -it is necessary to configure a raw printing device. It is also necessary to enable the raw mime -handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> -files. Refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing for -application/octet-stream</link>. +<indexterm><primary>/etc/mime.conv</primary></indexterm> +<indexterm><primary>/etc/mime.types</primary></indexterm> +<indexterm><primary>CUPS print filters</primary></indexterm> +On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate +processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to +configure a raw printing device. It is also necessary to enable the raw mime handler in the +<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link +linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing +for application/octet-stream</link>. </para></note> +<para> +<indexterm><primary>CUPS libarary API</primary></indexterm> +<indexterm><primary>no printcap file</primary></indexterm> +<indexterm><primary>PDF filter</primary></indexterm> +<indexterm><primary>printcap name</primary></indexterm> +The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing +via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to +configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special +type of printer (for example, a PDF filter) the <parameter>printcap name = cups</parameter> can be replaced +with the entry <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified +should contain a list of the printer names that should be exposed to Windows network users. +</para> + </sect2> </sect1> @@ -237,6 +332,8 @@ application/octet-stream</link>. <title>Common Errors</title> <para> +<indexterm><primary>greatest mistake</primary></indexterm> +<indexterm><primary>configuration too complex</primary></indexterm> The greatest mistake so often made is to make a network configuration too complex. It pays to use the simplest solution that will meet the needs of the moment. </para> |