summaryrefslogtreecommitdiff
path: root/docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml')
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml322
1 files changed, 322 insertions, 0 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml b/docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml
new file mode 100644
index 0000000000..7c9cfcbc04
--- /dev/null
+++ b/docs/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml
@@ -0,0 +1,322 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="cfgsmarts">
+<chapterinfo>
+ &author.jht;
+ <pubdate>June 30, 2005</pubdate>
+</chapterinfo>
+<title>Advanced Configuration Techniques</title>
+
+<para>
+Since the release of the first edition of this book there have been repeated requests to better document
+configuration techniques that may help a network administrator to get more out of Samba. Some users have asked
+for documentation regarding the use of the <smbconfoption name="include">file-name</smbconfoption> parameter.
+</para>
+
+<para>
+Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on
+one machine. There has also been an interest in the hosting of multiple Samba server personalities on one
+server.
+</para>
+
+<para>
+Feedback from technical reviewers made the inclusion of this chapter a necessity. So finally, here is an attempt
+to answer the questions that have to date not been adequately addressed. Additional user input is welcome as
+it will help this chapter to mature. What is presented here is just a small beginning.
+</para>
+
+<para>
+There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server
+hosting makes it possible to host multiple domain controllers on one machine. Each such machine is
+independent, and each can be stopped or started without affecting another.
+</para>
+
+<para>
+Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single
+UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case,
+only domain member machines and domain users can access the DMS, but even guest users can access the generic
+print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server
+is to host a CDROM server.
+</para>
+
+<para>
+Some environments dictate the need to have separate servers, each with their own resources, each of which are
+accessible only by certain users or groups. This is one of the simple, but highly effective, capabilities
+</para>
+
+<sect1>
+<title>Implementation</title>
+
+<para>
+</para>
+
+<sect2>
+<title>Multiple Server Hosting</title>
+
+<para>
+The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own
+configuration file. This method is complicated by the fact that each instance of &nmbd;, &smbd; and &winbindd;
+must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by
+&nmbd;, &smbd; and &winbindd; can be enabled either by recompiling Samba for each server hosted so each has its
+own default TDB directories, or by configuring these in the &smb.conf; file, in which case each instance of
+&nmbd;, &smbd; and &winbindd; must be told to start up with its own &smb.conf; configuration file.
+</para>
+
+<para>
+Each instance should operate on its own IP address (that independent IP address can be an IP Alias).
+Each instance of &nmbd;, &smbd; and &winbindd; should listen only on its own IP socket. This can be secured
+using the <smbconfoption name="socket address"/> parameter. Each instance of the Samba server will have its
+own SID also, this means that the servers are discrete and independent of each other.
+</para>
+
+<para>
+The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of
+process management and start up. The &smb.conf; parameters that must be carefully configured includes:
+<smbconfoption name="private dir"/>, <smbconfoption name="pid directory"/>,<smbconfoption name="lock
+directory"/>, <smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/>, <smbconfoption
+name="netbios name"/>, <smbconfoption name="workgroup"/>, <smbconfoption name="socket address"/>.
+</para>
+
+<para>
+Those who elect to use this method of creating multiple Samba servers must have the ability to read and follow
+the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of
+this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and
+if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting
+of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team.
+</para>
+
+</sect2>
+
+<sect2>
+<title>Multiple Virtual Server Personalities</title>
+
+<para>
+Samba has the ability to host multiple virtual servers, each of which have their own personality. This is
+achieved by configuring an &smb.conf; file that is common to all personalities hosted. Each server
+personality is hosted using its own <smbconfoption name="netbios alias"/> name, and each has its own distinct
+<smbconfoption name="[global]"/> section. Each server may have its own stanzas for services and meta-services.
+</para>
+
+<para>
+When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup.
+Only the primary server can be a domain member or a domain controller. The personality is defined by the
+combination of the <smbconfoption name="security"/> mode it is operating in, the <smbconfoption name="netbios
+alias"/> it has, and the <smbconfoption name="workgroup"/> that is defined for it.
+</para>
+
+<para>
+This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services.
+If run using NetBIOS mode (the most common method) it is important that the parameter <smbconfoption name="smb
+ports">139</smbconfoption> should be specified in the primary &smb.conf; file. Failure to do this will result
+in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain
+the functionality that is specified in the primary &smb.conf; file. The use of NetBIOS over TCP/IP using only
+TCP port 139 means that the use of the <literal>%L</literal> macro is fully enabled. If the <smbconfoption
+name="smb ports">139</smbconfoption> is not specified (the default is <parameter>445 139</parameter>, or if
+the value of this parameter is set at <parameter>139 445</parameter> then the <literal>%L</literal> parameter
+is not serviceable.
+</para>
+
+<para>
+It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB
+port), in which case the <literal>%i</literal> parameter can be used to provide separate server identities (by
+IP Address). Each can have its own <smbconfoption name="security"/> mode. It will be necessary to use the
+<smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/> and IP aliases in addition to
+the <smbconfoption name="netbios name"/> parameters to create the virtual servers. This method is considerably
+more complex than that using NetBIOS names only using TCP port 139.
+</para>
+
+<para>
+Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only
+Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it
+is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here
+are some parameters:
+</para>
+
+<para>
+The Samba server is called <literal>ELASTIC</literal>, its workgroup name is <literal>ROBINSNEST</literal>.
+The CDROM server is called <literal>CDSERVER</literal> and its workgroup is <literal>ARTSDEPT</literal>. A
+possible implementation is shown here:
+</para>
+
+<para>
+The &smb.conf; file for the master server is shown in <link linkend="elastic">Elastic smb.conf File</link>.
+This file is placed in the <filename>/etc/samba</filename> directory. Only the &nmbd; and the &smbd; daemons
+are needed. When started the server will appear in Windows Network Neighborhood as the machine
+<literal>ELASTIC</literal> under the workgroup <literal>ROBINSNEST</literal>. It is helpful if the Windows
+clients that must access this server are also in the workgroup <literal>ROBINSNEST</literal> as this will make
+browsing much more reliable.
+</para>
+
+<example id="elastic">
+<title>Elastic smb.conf File</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">ROBINSNEST</smbconfoption>
+<smbconfoption name="netbios name">ELASTIC</smbconfoption>
+<smbconfoption name="netbios aliases">CDSERVER</smbconfoption>
+<smbconfoption name="smb ports">139</smbconfoption>
+<smbconfoption name="printcap name">cups</smbconfoption>
+<smbconfoption name="disable spoolss">Yes</smbconfoption>
+<smbconfoption name="show add printer wizard">No</smbconfoption>
+<smbconfoption name="printing">cups</smbconfoption>
+<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>
+
+<smbconfsection name="[homes]"/>
+<smbconfoption name="comment">Home Directories</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[office]"/>
+<smbconfoption name="comment">Data</smbconfoption>
+<smbconfoption name="path">/data</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">All Printers</smbconfoption>
+<smbconfoption name="path">/var/spool/samba</smbconfoption>
+<smbconfoption name="create mask">0600</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+</smbconfblock>
+</example>
+
+<para>
+The configuration file for the CDROM server is listed in <link linkend="cdserver">CDROM Server
+smb-cdserver.conf file</link>. This file is called <filename>smb-cdserver.conf</filename> and it should be
+located in the <filename>/etc/samba</filename> directory. Machines that are in the workgroup
+<literal>ARTSDEPT</literal> will be able to browse this server freely.
+</para>
+
+<example id="cdserver">
+<title>CDROM Server smb-cdserver.conf file</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">ARTSDEPT</smbconfoption>
+<smbconfoption name="netbios name">CDSERVER</smbconfoption>
+<smbconfoption name="map to guest">Bad User</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[carousel]"/>
+<smbconfoption name="comment">CDROM Share</smbconfoption>
+<smbconfoption name="path">/export/cddata</smbconfoption>
+<smbconfoption name="read only">Yes</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
+<para>
+The two servers have different resources and are in separate workgroups. The server <literal>ELASTIC</literal>
+can only be accessed by uses who have an appropriate account on the host server. All users will be able to
+access the CDROM data that is stored in the <filename>/export/cddata</filename> directory. File system
+permissions should set so that the <literal>others</literal> user has read-only access to the directory and its
+contents. The files can be owned by root (any user other than the nobody account).
+</para>
+
+</sect2>
+
+<sect2>
+<title>Multiple Virtual Server Hosting</title>
+
+<para>
+In this example, the requirement is for a primary domain controller for the domain called
+<literal>MIDEARTH</literal>. The PDC will be called <literal>MERLIN</literal>. An extra machine called
+<literal>SAURON</literal> is required. Each machine will have only its own shares. Both machines belong to the
+same domain/workgroup.
+</para>
+
+<para>
+The master &smb.conf; file is shown in <link linkend="mastersmbc">the Master smb.conf File Global Section</link>.
+The two files that specify the share information for each server are shown in <link linkend="merlinsmbc">the
+smb-merlin.conf File Share Section</link>, and <link linkend="sauronsmbc">the smb-sauron.conf File Share
+Section</link>. All three files are locate in the <filename>/etc/samba</filename> directory.
+</para>
+
+<example id="mastersmbc">
+<title>Master smb.conf File Global Section</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
+<smbconfoption name="netbios name">MERLIN</smbconfoption>
+<smbconfoption name="netbios aliases">SAURON</smbconfoption>
+<smbconfoption name="passdb backend">tdbsam</smbconfoption>
+<smbconfoption name="smb ports">139</smbconfoption>
+<smbconfoption name="syslog">0</smbconfoption>
+<smbconfoption name="printcap name">CUPS</smbconfoption>
+<smbconfoption name="show add printer wizard">No</smbconfoption>
+<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
+<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
+<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
+<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
+<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
+<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
+<smbconfoption name="logon script">scripts\login.bat</smbconfoption>
+<smbconfoption name="logon path"> </smbconfoption>
+<smbconfoption name="logon drive">X:</smbconfoption>
+<smbconfoption name="domain logons">Yes</smbconfoption>
+<smbconfoption name="preferred master">Yes</smbconfoption>
+<smbconfoption name="wins support">Yes</smbconfoption>
+<smbconfoption name="printing">CUPS</smbconfoption>
+<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="merlinsmbc">
+<title>MERLIN smb-merlin.conf File Share Section</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
+<smbconfoption name="netbios name">MERLIN</smbconfoption>
+
+<smbconfsection name="[homes]"/>
+<smbconfoption name="comment">Home Directories</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[office]"/>
+<smbconfoption name="comment">Data</smbconfoption>
+<smbconfoption name="path">/data</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[netlogon]"/>
+<smbconfoption name="comment">NETLOGON</smbconfoption>
+<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
+<smbconfoption name="read only">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">All Printers</smbconfoption>
+<smbconfoption name="path">/var/spool/samba</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="sauronsmbc">
+<title>SAURON smb-sauron.conf File Share Section</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
+<smbconfoption name="netbios name">SAURON</smbconfoption>
+
+<smbconfsection name="[www]"/>
+<smbconfoption name="comment">Web Pages</smbconfoption>
+<smbconfoption name="path">/srv/www/htdocs</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+</smbconfblock>
+</example>
+
+</sect2>
+
+</sect1>
+
+</chapter>