source: branches/samba-3.3.x/docs-xml/Samba3-HOWTO/TOSHARG-ConfigSmarts.xml@ 243

Last change on this file since 243 was 217, checked in by Herwig Bauernfeind, 16 years ago

Import Samba 3.3 branch at 3.3.0 level docs-xml (psmedley's port)

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="cfgsmarts">
<chapterinfo>
 &author.jht;
 <pubdate>June 30, 2005</pubdate>
</chapterinfo>
<title>Advanced Configuration Techniques</title>

<para>
<indexterm><primary>configuration techniques</primary></indexterm>
<indexterm><primary>include</primary></indexterm>
Since the release of the first edition of this book there have been repeated requests to better document
configuration techniques that may help a network administrator to get more out of Samba. Some users have asked
for documentation regarding the use of the <smbconfoption name="include">file-name</smbconfoption> parameter.
</para>

<para>
<indexterm><primary>multiple servers</primary></indexterm>
<indexterm><primary>multiple server personalities</primary></indexterm>
Since around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on
one machine, and also in the hosting of multiple Samba server personalities on one server.
</para>

<para>
<indexterm><primary>technical reviewers</primary></indexterm>
<indexterm><primary>reviewers</primary></indexterm>
Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an attempt to
answer the questions that have to date not been adequately addressed. Additional user input is welcome, as
it will help this chapter to mature. What is presented here is just a small beginning.
</para>

<para>
<indexterm><primary>multiple servers</primary></indexterm>
<indexterm><primary>multiple hosting</primary></indexterm>
<indexterm><primary>domain controllers</primary></indexterm>
There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server
hosting makes it possible to host multiple domain controllers on one machine. Each such server is
independent, and each can be stopped or started without affecting the others.
</para>

<para>
<indexterm><primary>multiple servers</primary></indexterm>
<indexterm><primary>DMS</primary></indexterm>
<indexterm><primary>anonymous server</primary></indexterm>
Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single
UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case,
only domain member machines and domain users can access the DMS, but even guest users can access the generic
print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server
is a CDROM server.
</para>

<para>
<indexterm><primary>separate servers</primary></indexterm>
Some environments dictate the need to have separate servers, each with its own resources, each of which is
accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba
can replace many physical Windows servers in one Samba installation.
</para>

<sect1>
<title>Implementation</title>

<sect2>
<title>Multiple Server Hosting</title>

<para>
<indexterm><primary>multiple server hosting</primary></indexterm>
<indexterm><primary>separate instances</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>winbindd</primary></indexterm>
<indexterm><primary>recompiling</primary></indexterm>
<indexterm><primary>TDB</primary></indexterm>
The use of multiple server hosting involves running multiple separate instances of Samba, each with its own
configuration file. This method is complicated by the fact that each instance of &nmbd;, &smbd; and &winbindd;
must have write access to entirely separate TDB files. The TDB files used by &nmbd;, &smbd; and &winbindd; can
be kept separate either by recompiling Samba for each server hosted so that each has its own default TDB
directories, or by configuring these in the &smb.conf; file, in which case each instance of &nmbd;, &smbd;
and &winbindd; must be told to start up with its own &smb.conf; configuration file.
</para>

<para>
<indexterm><primary>independent</primary></indexterm>
<indexterm><primary>listen own socket</primary></indexterm>
<indexterm><primary>socket</primary></indexterm>
<indexterm><primary>SID</primary></indexterm>
Each instance should operate on its own IP address (that independent IP address can be an IP alias).
Each instance of &nmbd;, &smbd; and &winbindd; should listen only on its own IP socket. This can be secured
using the <smbconfoption name="socket address"/> parameter. Each instance of the Samba server will also have
its own SID, which means that the servers are discrete and independent of each other.
</para>

<para>
<indexterm><primary>multiple server hosting</primary></indexterm>
<indexterm><primary>private dir</primary></indexterm>
<indexterm><primary>pid directory</primary></indexterm>
<indexterm><primary>lock directory</primary></indexterm>
<indexterm><primary>interfaces</primary></indexterm>
<indexterm><primary>bind interfaces only</primary></indexterm>
<indexterm><primary>netbios name</primary></indexterm>
<indexterm><primary>workgroup</primary></indexterm>
<indexterm><primary>socket address</primary></indexterm>
The use of multiple server hosting is non-trivial, and requires careful configuration of every aspect of
process management and start-up. The &smb.conf; parameters that must be carefully configured include:
<smbconfoption name="private dir"/>, <smbconfoption name="pid directory"/>, <smbconfoption name="lock
directory"/>, <smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/>, <smbconfoption
name="netbios name"/>, <smbconfoption name="workgroup"/>, <smbconfoption name="socket address"/>.
</para>

<para>
<indexterm><primary>multiple servers</primary></indexterm>
<indexterm><primary>contribute</primary></indexterm>
<indexterm><primary>comprehensive documentation</primary></indexterm>
Those who elect to create multiple Samba servers should have the ability to read and follow
the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of
this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and
if it is suitable, extend this section of this chapter. Until such documentation becomes available, the hosting
of multiple Samba servers on a single host is considered not supported for Samba-3 by the Samba Team.
</para>

</sect2>

<sect2>
<title>Multiple Virtual Server Personalities</title>

<para>
<indexterm><primary>multiple virtual servers</primary></indexterm>
<indexterm><primary>netbios alias</primary></indexterm>
<indexterm><primary>meta-services</primary></indexterm>
Samba has the ability to host multiple virtual servers, each of which has its own personality. This is
achieved by configuring an &smb.conf; file that is common to all personalities hosted. Each server
personality is hosted using its own <smbconfoption name="netbios alias"/> name, and each has its own distinct
<smbconfoption name="[global]"/> section. Each server may have its own stanzas for services and meta-services.
</para>

<para>
<indexterm><primary>workgroup</primary></indexterm>
<indexterm><primary>security</primary></indexterm>
<indexterm><primary>netbios aliases</primary></indexterm>
When hosting multiple virtual servers, each with its own personality, each can be in a different workgroup.
Only the primary server can be a domain member or a domain controller. The personality is defined by the
combination of the <smbconfoption name="security"/> mode it is operating in, the <smbconfoption name="netbios
aliases"/> it has, and the <smbconfoption name="workgroup"/> that is defined for it.
</para>

<para>
<indexterm><primary>NetBIOS name</primary></indexterm>
<indexterm><primary>NetBIOS-less SMB</primary></indexterm>
<indexterm><primary>smb ports</primary></indexterm>
<indexterm><primary>TCP port 139</primary></indexterm>
<indexterm><primary>TCP port 445</primary></indexterm>
<indexterm><primary>%L</primary></indexterm>
This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services.
If run using NetBIOS mode (the most common method) it is important that the parameter <smbconfoption name="smb
ports">139</smbconfoption> be specified in the primary &smb.conf; file. Failure to do this will result
in Samba operating over TCP port 445, which gives problematic operation at best and, at worst, only the
functionality that is specified in the primary &smb.conf; file. The use of NetBIOS over TCP/IP using only
TCP port 139 means that the use of the <literal>%L</literal> macro is fully enabled. If <smbconfoption
name="smb ports">139</smbconfoption> is not specified (the default is <parameter>445 139</parameter>), or if
the value of this parameter is set to <parameter>139 445</parameter>, then the <literal>%L</literal> macro
is not serviceable.
</para>

<para>
<indexterm><primary>host multiple servers</primary></indexterm>
<indexterm><primary>multiple personality</primary></indexterm>
<indexterm><primary>NetBIOS-less</primary></indexterm>
<indexterm><primary>%i macro</primary></indexterm>
It is possible to host multiple servers, each with its own personality, using port 445 (the NetBIOS-less SMB
port), in which case the <literal>%i</literal> macro can be used to provide separate server identities (by
IP address). Each can have its own <smbconfoption name="security"/> mode. It will be necessary to use the
<smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/> and IP aliases in addition to
the <smbconfoption name="netbios name"/> parameters to create the virtual servers. This method is considerably
more complex than using NetBIOS names alone over TCP port 139.
</para>

<para>
<indexterm><primary>anonymous file server</primary></indexterm>
Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only
Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it
is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here
are some parameters:
</para>

<para>
The Samba server is called <literal>ELASTIC</literal>, and its workgroup name is <literal>ROBINSNEST</literal>.
The CDROM server is called <literal>CDSERVER</literal> and its workgroup is <literal>ARTSDEPT</literal>. A
possible implementation is shown here:
</para>

<para>
<indexterm><primary>/etc/samba</primary></indexterm>
<indexterm><primary>nmbd</primary></indexterm>
<indexterm><primary>smbd</primary></indexterm>
<indexterm><primary>smb.conf</primary></indexterm>
The &smb.conf; file for the master server is shown in <link linkend="elastic">Elastic smb.conf File</link>.
This file is placed in the <filename>/etc/samba</filename> directory. Only the &nmbd; and the &smbd; daemons
are needed. When started, the server will appear in Windows Network Neighborhood as the machine
<literal>ELASTIC</literal> under the workgroup <literal>ROBINSNEST</literal>. It is helpful if the Windows
clients that must access this server are also in the workgroup <literal>ROBINSNEST</literal>, as this will make
browsing much more reliable.
</para>

<example id="elastic">
<title>Elastic smb.conf File</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">ROBINSNEST</smbconfoption>
<smbconfoption name="netbios name">ELASTIC</smbconfoption>
<smbconfoption name="netbios aliases">CDSERVER</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[office]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="create mask">0600</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<para>
<indexterm><primary>smb-cdserver.conf</primary></indexterm>
The configuration file for the CDROM server is listed in <link linkend="cdserver">CDROM Server
smb-cdserver.conf file</link>. This file is called <filename>smb-cdserver.conf</filename> and it should be
located in the <filename>/etc/samba</filename> directory. Machines that are in the workgroup
<literal>ARTSDEPT</literal> will be able to browse this server freely.
</para>

<example id="cdserver">
<title>CDROM Server smb-cdserver.conf file</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">ARTSDEPT</smbconfoption>
<smbconfoption name="netbios name">CDSERVER</smbconfoption>
<smbconfoption name="map to guest">Bad User</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>

<smbconfsection name="[carousel]"/>
<smbconfoption name="comment">CDROM Share</smbconfoption>
<smbconfoption name="path">/export/cddata</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfblock>
</example>

<para>
<indexterm><primary>different resources</primary></indexterm>
<indexterm><primary>separate workgroups</primary></indexterm>
<indexterm><primary>read-only access</primary></indexterm>
<indexterm><primary>nobody account</primary></indexterm>
The two servers have different resources and are in separate workgroups. The server <literal>ELASTIC</literal>
can only be accessed by users who have an appropriate account on the host server. All users will be able to
access the CDROM data that is stored in the <filename>/export/cddata</filename> directory. File system
permissions should be set so that the <literal>others</literal> class has read-only access to the directory and
its contents. The files can be owned by root (or by any user other than the nobody account).
</para>

</sect2>

<sect2>
<title>Multiple Virtual Server Hosting</title>

<para>
<indexterm><primary>primary domain controller</primary></indexterm>
<indexterm><primary>extra machine</primary></indexterm>
<indexterm><primary>same domain/workgroup</primary></indexterm>
In this example, the requirement is for a primary domain controller for the domain called
<literal>MIDEARTH</literal>. The PDC will be called <literal>MERLIN</literal>. An extra machine called
<literal>SAURON</literal> is required. Each machine will have only its own shares. Both machines belong to the
same domain/workgroup.
</para>

<para>
<indexterm><primary>master smb.conf</primary></indexterm>
<indexterm><primary>/etc/samba</primary></indexterm>
The master &smb.conf; file is shown in <link linkend="mastersmbc">the Master smb.conf File Global Section</link>.
The two files that specify the share information for each server are shown in <link linkend="merlinsmbc">the
smb-merlin.conf File Share Section</link>, and <link linkend="sauronsmbc">the smb-sauron.conf File Share
Section</link>. All three files are located in the <filename>/etc/samba</filename> directory.
</para>

<example id="mastersmbc">
<title>Master smb.conf File Global Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">MERLIN</smbconfoption>
<smbconfoption name="netbios aliases">SAURON</smbconfoption>
<smbconfoption name="passdb backend">tdbsam</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="syslog">0</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
<smbconfoption name="logon script">scripts\login.bat</smbconfoption>
<smbconfoption name="logon path"> </smbconfoption>
<smbconfoption name="logon drive">X:</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="preferred master">Yes</smbconfoption>
<smbconfoption name="wins support">Yes</smbconfoption>
<smbconfoption name="printing">CUPS</smbconfoption>
<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>
</smbconfblock>
</example>

<example id="merlinsmbc">
<title>MERLIN smb-merlin.conf File Share Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">MERLIN</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[office]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>

<smbconfsection name="[netlogon]"/>
<smbconfoption name="comment">NETLOGON</smbconfoption>
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<example id="sauronsmbc">
<title>SAURON smb-sauron.conf File Share Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">SAURON</smbconfoption>

<smbconfsection name="[www]"/>
<smbconfoption name="comment">Web Pages</smbconfoption>
<smbconfoption name="path">/srv/www/htdocs</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
</smbconfblock>
</example>
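<para>
The <literal>%L</literal> include mechanism used by both the ELASTIC/CDSERVER and the MERLIN/SAURON
configurations above, as an added example that is not part of the Samba documentation or the Samba source: a
short Python simulation of how &smbd; resolves <smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>
for the name a client called, and of what the resulting personality exposes to guest users. It assumes a
deliberately minimal smb.conf parser (no quoting, comments or continuation lines), and the two configuration
files it reads are constructed, trimmed copies of the ELASTIC and CDSERVER examples rather than files on disk.
</para>

```python
# Added example, not Samba code: how smbd resolves "include = smb-%L.conf".
FILES = {  # constructed, trimmed copies of the chapter's /etc/samba files
    "/etc/samba/smb.conf": """
[global]
workgroup = ROBINSNEST
netbios name = ELASTIC
netbios aliases = CDSERVER
smb ports = 139
include = /etc/samba/smb-%L.conf
[office]
read only = No
""",
    "/etc/samba/smb-cdserver.conf": """
[global]
workgroup = ARTSDEPT
netbios name = CDSERVER
map to guest = Bad User
guest ok = Yes
[carousel]
read only = Yes
guest ok = Yes
""",
}


def load(path, called, conf, missing):
    """Parse one file into conf ({section: {key: value}}); an include is
    read in place with %L = the lower-cased called name, as smbd does."""
    section = "global"
    for line in filter(None, map(str.strip, FILES.get(path, "").splitlines())):
        if line[0] == "[":
            section = line[1:-1].lower()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        inc = value.replace("%L", called.lower())  # only meaningful for include
        if key != "include":
            conf.setdefault(section, {})[key] = value
        elif inc in FILES:
            load(inc, called, conf, missing)
        else:
            missing.append(inc)  # smbd logs a missing include and carries on
    return conf


def personality(called):
    """Effective identity and guest exposure for the name a client called;
    a share parameter set in [global] is the default for later shares."""
    conf, missing = {}, []
    load("/etc/samba/smb.conf", called, conf, missing)
    g = conf["global"]

    def on(share, key, default):  # effective yes/no of a share parameter
        return conf[share].get(key, g.get(key, default)).lower() == "yes"
    guest = [s for s in conf if s != "global" and on(s, "guest ok", "No")]
    return {
        "netbios name": g.get("netbios name"),
        "workgroup": g.get("workgroup"),
        "guest shares": guest,
        "writable guest shares": [s for s in guest if not on(s, "read only", "Yes")],
        "missing includes": missing,
        "%L usable": g.get("smb ports") == "139",  # see the text on smb ports
    }
```

<para>
For the <literal>CDSERVER</literal> name the simulation reports <literal>office</literal> as a writable guest
share, because the <smbconfoption name="guest ok">Yes</smbconfoption> in the included file's [global] section is
also the default for the master file's share stanzas parsed after the include; compare the real files with
<literal>testparm -s</literal> before deploying this layout.
</para>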

</sect2>

</sect1>

</chapter>