diff options
author | Gerald W. Carter <jerry@samba.org> | 2008-04-22 10:09:40 -0500 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:47:48 -0500 |
commit | 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d (patch) | |
tree | 90c6b720ad3a7bc815245c0ef28820424f89d658 /docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml | |
parent | 197238246389c40edc60c6630d18d6913086e630 (diff) | |
download | samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.gz samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.bz2 samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.zip |
Moving docs tree to docs-xml to make room for generated docs in the release tarball.
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
Diffstat (limited to 'docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml')
-rw-r--r-- | docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml | 341 |
1 files changed, 341 insertions, 0 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml new file mode 100644 index 0000000000..895544ed22 --- /dev/null +++ b/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml @@ -0,0 +1,341 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="StandAloneServer"> +<chapterinfo> + &author.jht; +</chapterinfo> +<title>Standalone Servers</title> + +<para> +<indexterm><primary>standalone server</primary></indexterm> +<indexterm><primary>not domain members</primary></indexterm> +<indexterm><primary>minimum security control</primary></indexterm> +Standalone servers are independent of domain controllers on the network. +They are not domain members and function more like workgroup servers. In many +cases a standalone server is configured with a minimum of security control +with the intent that all data served will be readily accessible to all users. +</para> + +<sect1> +<title>Features and Benefits</title> + +<para> +<indexterm><primary>secure</primary></indexterm> +<indexterm><primary>insecure</primary></indexterm> +Standalone servers can be as secure or as insecure as needs dictate. They can +have simple or complex configurations. Above all, despite the hoopla about +domain security, they remain a common installation. +</para> + +<para> +<indexterm><primary>read-only files</primary></indexterm> +<indexterm><primary>share-mode</primary></indexterm> +<indexterm><primary>read-only</primary></indexterm> +<indexterm><primary>standalone server</primary></indexterm> +If all that is needed is a server for read-only files, or for +printers alone, it may not make sense to effect a complex installation. +For example, a drafting office needs to store old drawings and reference +standards. Noone can write files to the server because it is legislatively +important that all documents remain unaltered. A share-mode read-only standalone +server is an ideal solution. +</para> + +<para> +<indexterm><primary>simplicity</primary></indexterm> +<indexterm><primary>printers</primary></indexterm> +<indexterm><primary>share-mode server</primary></indexterm> +Another situation that warrants simplicity is an office that has many printers +that are queued off a single central server. Everyone needs to be able to print +to the printers, there is no need to effect any access controls, and no files will +be served from the print server. Again, a share-mode standalone server makes +a great solution. +</para> +</sect1> + +<sect1> +<title>Background</title> + +<para> +<indexterm><primary>standalone server</primary></indexterm> +<indexterm><primary>local authentication</primary></indexterm> +<indexterm><primary>access control</primary></indexterm> +The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access +control for all resources that are available from it. In general this means that there will be a local user +database. In more technical terms, it means resources on the machine will be made available in either +<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode. +</para> + +<para> +<indexterm><primary>create user accounts</primary></indexterm> +<indexterm><primary>no network logon service</primary></indexterm> +<indexterm><primary>independent</primary></indexterm> +No special action is needed other than to create user accounts. Standalone +servers do not provide network logon services. This means that machines that +use this server do not perform a domain logon to it. Whatever logon facility +the workstations are subject to is independent of this machine. It is, however, +necessary to accommodate any network user so the logon name he or she uses will +be translated (mapped) locally on the standalone server to a locally known +user name. There are several ways this can be done. +</para> + +<para> +<indexterm><primary>local authentication database</primary></indexterm> +<indexterm><primary>SMB</primary></indexterm> +<indexterm><primary>not domain member</primary></indexterm> +Samba tends to blur the distinction a little in defining +a standalone server. This is because the authentication database may be +local or on a remote server, even if from the SMB protocol perspective +the Samba server is not a member of a domain security context. +</para> + +<para> +<indexterm><primary>PAM</primary></indexterm> +<indexterm><primary>NSS</primary></indexterm> +<indexterm><primary>UNIX-user database</primary></indexterm> +<indexterm><primary>/etc/passwd</primary></indexterm> +<indexterm><primary>/etc/shadow</primary></indexterm> +<indexterm><primary>local smbpasswd file</primary></indexterm> +<indexterm><primary>LDAP backend</primary></indexterm> +<indexterm><primary>Winbind</primary></indexterm> +Through the use of Pluggable Authentication Modules (PAM) (see <link linkend="pam">the chapter on PAM</link>) +and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may +reside on another server. We would be inclined to call this the authentication server. This means that the +Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or +<filename>/etc/shadow</filename>), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM +and Winbind another CIFS/SMB server for authentication. +</para> + +</sect1> + +<sect1> +<title>Example Configuration</title> + +<para> +<indexterm><primary>inspire simplicity</primary></indexterm> +<indexterm><primary>complexity</primary></indexterm> +<link linkend="simplynice">The example Reference Documentation Server</link> and <link +linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to +attempt a high level of creativity and to introduce too much complexity in server and network design. +</para> + +<sect2 id="RefDocServer"> +<title>Reference Documentation Server</title> + +<para> +<indexterm><primary>read-only</primary></indexterm> +<indexterm><primary>reference documents</primary></indexterm> +<indexterm><primary>/export</primary></indexterm> +<indexterm><primary>/etc/passwd</primary></indexterm> +Configuration of a read-only data server that everyone can access is very simple. By default, all shares are +read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example - Reference +Documentation Server</link> is the &smb.conf; file that will do this. Assume that all the reference documents +are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than +nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX +system database. This is a simple system to administer. +</para> + +<example id="simplynice"> +<title>smb.conf for Reference Documentation Server</title> +<smbconfblock> +<smbconfcomment> Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">&example.workgroup;</smbconfoption> +<smbconfoption name="netbios name">&example.server.samba;</smbconfoption> +<smbconfoption name="security">SHARE</smbconfoption> +<smbconfoption name="passdb backend">guest</smbconfoption> +<smbconfoption name="wins server">192.168.1.1</smbconfoption> +<smbconfsection name="[data]"/> +<smbconfoption name="comment">Data</smbconfoption> +<smbconfoption name="path">/export</smbconfoption> +<smbconfoption name="guest only">Yes</smbconfoption> +</smbconfblock> +</example> + +<blockquote> +<attribution>Mark Twain</attribution> +<para> +I would have spoken more briefly, if I'd had more time to prepare. +</para> +</blockquote> + +<para> +<indexterm><primary>password backend</primary></indexterm> +<indexterm><primary>guest</primary></indexterm> +<indexterm><primary>unprivileged account names</primary></indexterm> +<indexterm><primary>WINS</primary></indexterm> +In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the +workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together +with systems with which users are familiar. The only password backend required is the <quote>guest</quote> +backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we +of course make use of it. +</para> + +<para> +A US Air Force Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often +sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately, +many network administrators still need to learn the art of doing just enough to keep out of trouble. +</para> + +</sect2> + +<sect2 id="SimplePrintServer"> +<title>Central Print Serving</title> + +<para> +<indexterm><primary>simple print server</primary></indexterm> +<indexterm><primary>tools</primary></indexterm> +Configuration of a simple print server is easy if you have all the right tools on your system. +</para> + +<orderedlist> +<title> Assumptions</title> + <listitem><para> + The print server must require no administration. + </para></listitem> + + <listitem><para> + The print spooling and processing system on our print server will be CUPS. + (Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information). + </para></listitem> + + <listitem><para> + The print server will service only network printers. The network administrator + will correctly configure the CUPS environment to support the printers. + </para></listitem> + + <listitem><para> + All workstations will use only PostScript drivers. The printer driver + of choice is the one shipped with the Windows OS for the Apple Color LaserWriter. + </para></listitem> +</orderedlist> + +<para> +<indexterm><primary>print server</primary></indexterm> +<indexterm><primary>/var/spool/samba</primary></indexterm> +<indexterm><primary>anonymous</primary></indexterm> +In this example our print server will spool all incoming print jobs to +<filename>/var/spool/samba</filename> until the job is ready to be submitted by +Samba to the CUPS print processor. Since all incoming connections will be as +the anonymous (guest) user, two things will be required to enable anonymous printing. +</para> + +<itemizedlist> +<title>Enabling Anonymous Printing</title> + <listitem><para> +<indexterm><primary>guest account</primary></indexterm> +<indexterm><primary>nobody</primary></indexterm> +<indexterm><primary>testparm</primary></indexterm> + The UNIX/Linux system must have a <command>guest</command> account. + The default for this is usually the account <command>nobody</command>. + To find the correct name to use for your version of Samba, do the + following: +<screen> +&prompt;<userinput>testparm -s -v | grep "guest account"</userinput> +</screen> +<indexterm><primary>/etc/passwd</primary></indexterm> + Make sure that this account exists in your system password + database (<filename>/etc/passwd</filename>). + </para> + + <para> +<indexterm><primary>set a password</primary></indexterm> +<indexterm><primary>lock password</primary></indexterm> +<indexterm><primary>passwd</primary></indexterm> + It is a good idea either to set a password on this account, or else to lock it + from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>, + it can be locked by executing: +<screen> +&rootprompt; passwd -l pcguest +</screen> + The exact command may vary depending on your UNIX/Linux distribution. + </para></listitem> + + <listitem><para> +<indexterm><primary>directory</primary></indexterm> +<indexterm><primary>guest account</primary></indexterm> +<indexterm><primary>available</primary></indexterm> +<indexterm><primary>mkdir</primary></indexterm> +<indexterm><primary>chown</primary></indexterm> +<indexterm><primary>chmod</primary></indexterm> + The directory into which Samba will spool the file must have write + access for the guest account. The following commands will ensure that + this directory is available for use: +<screen> +&rootprompt;<userinput>mkdir /var/spool/samba</userinput> +&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput> +&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput> +</screen> + </para></listitem> +</itemizedlist> + +<para> +The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>. +</para> + +<example id="AnonPtrSvr"> +<title>&smb.conf; for Anonymous Printing</title> +<smbconfblock> +<smbconfcomment> Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">&example.workgroup;</smbconfoption> +<smbconfoption name="netbios name">&example.server.samba;</smbconfoption> +<smbconfoption name="security">SHARE</smbconfoption> +<smbconfoption name="passdb backend">guest</smbconfoption> +<smbconfoption name="printing">cups</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/var/spool/samba</smbconfoption> +<smbconfoption name="printer admin">root</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> +</smbconfblock> +</example> + + +<note><para> +<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm> +<indexterm><primary>raw printing</primary></indexterm> +<indexterm><primary>/etc/mime.conv</primary></indexterm> +<indexterm><primary>/etc/mime.types</primary></indexterm> +<indexterm><primary>CUPS print filters</primary></indexterm> +On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate +processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to +configure a raw printing device. It is also necessary to enable the raw mime handler in the +<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link +linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing +for application/octet-stream</link>. +</para></note> + +<para> +<indexterm><primary>CUPS libarary API</primary></indexterm> +<indexterm><primary>no printcap file</primary></indexterm> +<indexterm><primary>PDF filter</primary></indexterm> +<indexterm><primary>printcap name</primary></indexterm> +The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing +via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to +configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special +type of printer (for example, a PDF filter) the <parameter>printcap name = cups</parameter> can be replaced +with the entry <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified +should contain a list of the printer names that should be exposed to Windows network users. +</para> + +</sect2> + +</sect1> + +<sect1> +<title>Common Errors</title> + +<para> +<indexterm><primary>greatest mistake</primary></indexterm> +<indexterm><primary>configuration too complex</primary></indexterm> +The greatest mistake so often made is to make a network configuration too complex. +It pays to use the simplest solution that will meet the needs of the moment. +</para> + +</sect1> +</chapter> |