1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="StandAloneServer">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Standalone Servers</title>
<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>not domain members</primary></indexterm>
<indexterm><primary>minimum security control</primary></indexterm>
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>
<sect1>
<title>Features and Benefits</title>
<para>
<indexterm><primary>secure</primary></indexterm>
<indexterm><primary>insecure</primary></indexterm>
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
domain security, they remain a common installation.
</para>
<para>
<indexterm><primary>read-only files</primary></indexterm>
<indexterm><primary>share-mode</primary></indexterm>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>standalone server</primary></indexterm>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example, a drafting office needs to store old drawings and reference
standards. Nobody can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>
<para>
<indexterm><primary>simplicity</primary></indexterm>
<indexterm><primary>printers</primary></indexterm>
<indexterm><primary>share-mode server</primary></indexterm>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>
<sect1>
<title>Background</title>
<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>local authentication</primary></indexterm>
<indexterm><primary>access control</primary></indexterm>
The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access
control for all resources that are available from it. In general this means that there will be a local user
database. In more technical terms, it means resources on the machine will be made available in either
<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode.
</para>
<para>
<indexterm><primary>create user accounts</primary></indexterm>
<indexterm><primary>no network logon service</primary></indexterm>
<indexterm><primary>independent</primary></indexterm>
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>
<para>
<indexterm><primary>local authentication database</primary></indexterm>
<indexterm><primary>SMB</primary></indexterm>
<indexterm><primary>not domain member</primary></indexterm>
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>
<para>
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>UNIX-user database</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/shadow</primary></indexterm>
<indexterm><primary>local smbpasswd file</primary></indexterm>
<indexterm><primary>LDAP backend</primary></indexterm>
<indexterm><primary>Winbind</primary></indexterm>
Through the use of Pluggable Authentication Modules (PAM) (see <link linkend="pam">the chapter on PAM</link>)
and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may
reside on another server. We would be inclined to call this the authentication server. This means that the
Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or
<filename>/etc/shadow</filename>), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM
and Winbind another CIFS/SMB server for authentication.
</para>
</sect1>
<sect1>
<title>Example Configuration</title>
<para>
<indexterm><primary>inspire simplicity</primary></indexterm>
<indexterm><primary>complexity</primary></indexterm>
<link linkend="simplynice">The example Reference Documentation Server</link> and <link
linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in server and network design.
</para>
<sect2 id="RefDocServer">
<title>Reference Documentation Server</title>
<para>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>reference documents</primary></indexterm>
<indexterm><primary>/export</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
Configuration of a read-only data server that everyone can access is very simple. By default, all shares are
read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example - Reference
Documentation Server</link> is the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX
system database. This is a simple system to administer.
</para>
<example id="simplynice">
<title>smb.conf for Reference Documentation Server</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="wins server">192.168.1.1</smbconfoption>
<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="guest only">Yes</smbconfoption>
</smbconfblock>
</example>
<blockquote>
<attribution>Mark Twain</attribution>
<para>
I would have spoken more briefly, if I'd had more time to prepare.
</para>
</blockquote>
<para>
<indexterm><primary>password backend</primary></indexterm>
<indexterm><primary>guest</primary></indexterm>
<indexterm><primary>unprivileged account names</primary></indexterm>
<indexterm><primary>WINS</primary></indexterm>
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the
workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together
with systems with which users are familiar. The only password backend required is the <quote>guest</quote>
backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we
of course make use of it.
</para>
<para>
A US Air Force Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often
sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately,
many network administrators still need to learn the art of doing just enough to keep out of trouble.
</para>
</sect2>
<sect2 id="SimplePrintServer">
<title>Central Print Serving</title>
<para>
<indexterm><primary>simple print server</primary></indexterm>
<indexterm><primary>tools</primary></indexterm>
Configuration of a simple print server is easy if you have all the right tools on your system.
</para>
<orderedlist>
<title> Assumptions</title>
<listitem><para>
The print server must require no administration.
</para></listitem>
<listitem><para>
The print spooling and processing system on our print server will be CUPS.
(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information).
</para></listitem>
<listitem><para>
The print server will service only network printers. The network administrator
will correctly configure the CUPS environment to support the printers.
</para></listitem>
<listitem><para>
All workstations will use only PostScript drivers. The printer driver
of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
</para></listitem>
</orderedlist>
<para>
<indexterm><primary>print server</primary></indexterm>
<indexterm><primary>/var/spool/samba</primary></indexterm>
<indexterm><primary>anonymous</primary></indexterm>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>
<itemizedlist>
<title>Enabling Anonymous Printing</title>
<listitem><para>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>nobody</primary></indexterm>
<indexterm><primary>testparm</primary></indexterm>
The UNIX/Linux system must have a <command>guest</command> account.
The default for this is usually the account <command>nobody</command>.
To find the correct name to use for your version of Samba, do the
following:
<screen>
&prompt;<userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
<indexterm><primary>/etc/passwd</primary></indexterm>
Make sure that this account exists in your system password
database (<filename>/etc/passwd</filename>).
</para>
<para>
<indexterm><primary>set a password</primary></indexterm>
<indexterm><primary>lock password</primary></indexterm>
<indexterm><primary>passwd</primary></indexterm>
It is a good idea either to set a password on this account, or else to lock it
from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>,
it can be locked by executing:
<screen>
&rootprompt; passwd -l pcguest
</screen>
The exact command may vary depending on your UNIX/Linux distribution.
</para></listitem>
<listitem><para>
<indexterm><primary>directory</primary></indexterm>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>available</primary></indexterm>
<indexterm><primary>mkdir</primary></indexterm>
<indexterm><primary>chown</primary></indexterm>
<indexterm><primary>chmod</primary></indexterm>
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
</para></listitem>
</itemizedlist>
<para>
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>.
</para>
<example id="AnonPtrSvr">
<title>&smb.conf; for Anonymous Printing</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>
<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
<indexterm><primary>/etc/mime.conv</primary></indexterm>
<indexterm><primary>/etc/mime.types</primary></indexterm>
<indexterm><primary>CUPS print filters</primary></indexterm>
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate
processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to
configure a raw printing device. It is also necessary to enable the raw mime handler in the
<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link
linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing
for application/octet-stream</link>.
</para></note>
<para>
<indexterm><primary>CUPS libarary API</primary></indexterm>
<indexterm><primary>no printcap file</primary></indexterm>
<indexterm><primary>PDF filter</primary></indexterm>
<indexterm><primary>printcap name</primary></indexterm>
The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing
via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to
configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special
type of printer (for example, a PDF filter) the <parameter>printcap name = cups</parameter> can be replaced
with the entry <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified
should contain a list of the printer names that should be exposed to Windows network users.
</para>
</sect2>
</sect1>
<sect1>
<title>Common Errors</title>
<para>
<indexterm><primary>greatest mistake</primary></indexterm>
<indexterm><primary>configuration too complex</primary></indexterm>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</para>
</sect1>
</chapter>
|
