source: branches/samba-3.3.x/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml@ 374

Last change on this file since 374 was 217, checked in by Herwig Bauernfeind, 16 years ago

Import Samba 3.3 branch at 3.3.0 level docs-xml (psmedley's port)

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="StandAloneServer">
<chapterinfo>
 &author.jht;
</chapterinfo>
<title>Standalone Servers</title>

<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>not domain members</primary></indexterm>
<indexterm><primary>minimum security control</primary></indexterm>
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
<indexterm><primary>secure</primary></indexterm>
<indexterm><primary>insecure</primary></indexterm>
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
domain security, they remain a common installation.
</para>

<para>
<indexterm><primary>read-only files</primary></indexterm>
<indexterm><primary>share-mode</primary></indexterm>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>standalone server</primary></indexterm>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example, a drafting office needs to store old drawings and reference
standards. No one can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>

<para>
<indexterm><primary>simplicity</primary></indexterm>
<indexterm><primary>printers</primary></indexterm>
<indexterm><primary>share-mode server</primary></indexterm>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>

<sect1>
<title>Background</title>

<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>local authentication</primary></indexterm>
<indexterm><primary>access control</primary></indexterm>
The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access
control for all resources that are available from it. In general this means that there will be a local user
database. In more technical terms, it means resources on the machine will be made available in either
<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode.
</para>

<para>
<indexterm><primary>create user accounts</primary></indexterm>
<indexterm><primary>no network logon service</primary></indexterm>
<indexterm><primary>independent</primary></indexterm>
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so that the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>

<para>
<indexterm><primary>local authentication database</primary></indexterm>
<indexterm><primary>SMB</primary></indexterm>
<indexterm><primary>not domain member</primary></indexterm>
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>

<para>
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>UNIX-user database</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/shadow</primary></indexterm>
<indexterm><primary>local smbpasswd file</primary></indexterm>
<indexterm><primary>LDAP backend</primary></indexterm>
<indexterm><primary>Winbind</primary></indexterm>
Through the use of Pluggable Authentication Modules (PAM) (see <link linkend="pam">the chapter on PAM</link>)
and the Name Service Switch (NSS), which maintains the UNIX-user database, the source of authentication may
reside on another server. We would be inclined to call this the authentication server. This means that the
Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or
<filename>/etc/shadow</filename>), may use a local smbpasswd file, may use an LDAP backend, or, via PAM
and Winbind, may even use another CIFS/SMB server for authentication.
</para>

</sect1>

<sect1>
<title>Example Configuration</title>

<para>
<indexterm><primary>inspire simplicity</primary></indexterm>
<indexterm><primary>complexity</primary></indexterm>
<link linkend="simplynice">The example Reference Documentation Server</link> and <link
linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in server and network design.
</para>

<sect2 id="RefDocServer">
<title>Reference Documentation Server</title>

<para>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>reference documents</primary></indexterm>
<indexterm><primary>/export</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
Configuration of a read-only data server that everyone can access is very simple. By default, all shares are
read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example Reference
Documentation Server</link> shows the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX
system database. This is a simple system to administer.
</para>

<example id="simplynice">
<title>smb.conf for Reference Documentation Server</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="wins server">192.168.1.1</smbconfoption>
<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="guest only">Yes</smbconfoption>
</smbconfblock>
</example>

<blockquote>
<attribution>Mark Twain</attribution>
<para>
I would have spoken more briefly, if I'd had more time to prepare.
</para>
</blockquote>

<para>
<indexterm><primary>password backend</primary></indexterm>
<indexterm><primary>guest</primary></indexterm>
<indexterm><primary>unprivileged account names</primary></indexterm>
<indexterm><primary>WINS</primary></indexterm>
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the
workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together
with systems with which users are familiar. The only password backend required is the <quote>guest</quote>
backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we
of course make use of it.
</para>

<para>
A US Air Force Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often
sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately,
many network administrators still need to learn the art of doing just enough to keep out of trouble.
</para>

</sect2>

<sect2 id="SimplePrintServer">
<title>Central Print Serving</title>

<para>
<indexterm><primary>simple print server</primary></indexterm>
<indexterm><primary>tools</primary></indexterm>
Configuration of a simple print server is easy if you have all the right tools on your system.
</para>

<orderedlist>
<title>Assumptions</title>
 <listitem><para>
 The print server must require no administration.
 </para></listitem>

 <listitem><para>
 The print spooling and processing system on our print server will be CUPS.
 (Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link> for more information.)
 </para></listitem>

 <listitem><para>
 The print server will service only network printers. The network administrator
 will correctly configure the CUPS environment to support the printers.
 </para></listitem>

 <listitem><para>
 All workstations will use only PostScript drivers. The printer driver
 of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
 </para></listitem>
</orderedlist>

<para>
<indexterm><primary>print server</primary></indexterm>
<indexterm><primary>/var/spool/samba</primary></indexterm>
<indexterm><primary>anonymous</primary></indexterm>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>

<itemizedlist>
<title>Enabling Anonymous Printing</title>
 <listitem><para>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>nobody</primary></indexterm>
<indexterm><primary>testparm</primary></indexterm>
 The UNIX/Linux system must have a <command>guest</command> account.
 The default for this is usually the account <command>nobody</command>.
 To find the correct name to use for your version of Samba, do the
 following:
<screen>
&prompt;<userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
<indexterm><primary>/etc/passwd</primary></indexterm>
 Make sure that this account exists in your system password
 database (<filename>/etc/passwd</filename>).
 </para>

 <para>
<indexterm><primary>set a password</primary></indexterm>
<indexterm><primary>lock password</primary></indexterm>
<indexterm><primary>passwd</primary></indexterm>
 It is a good idea either to set a password on this account, or else to lock it
 from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>,
 it can be locked by executing:
<screen>
&rootprompt;<userinput>passwd -l pcguest</userinput>
</screen>
 The exact command may vary depending on your UNIX/Linux distribution.
 </para></listitem>

 <listitem><para>
<indexterm><primary>directory</primary></indexterm>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>available</primary></indexterm>
<indexterm><primary>mkdir</primary></indexterm>
<indexterm><primary>chown</primary></indexterm>
<indexterm><primary>chmod</primary></indexterm>
 The directory into which Samba will spool the file must have write
 access for the guest account. The following commands will ensure that
 this directory is available for use:
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody:nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
 </para></listitem>
</itemizedlist>
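<para>
The following POSIX shell functions are an added example, not part of the HOWTO or of Samba itself: they perform the three checks above offline (guest account name from &smb.conf;, account present and locked or password-protected, spool directory world-writable with the sticky bit) against constructed smb.conf, passwd and shadow files and a temporary spool directory. The account name <literal>pcguest</literal>, the hash and the file contents are constructed for the demonstration.
</para>

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: offline pre-flight checks for
# the anonymous print server. Every input file used here is constructed.

# guest_account_name SMBCONF -> the "guest account" value, or "nobody" when
# the parameter is unset. On a real host "testparm -s -v" is authoritative,
# because it also reports the compiled-in default.
guest_account_name() {
    n=$(sed -n 's/^[[:space:]]*guest account[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    echo "${n:-nobody}"
}

# account_state PASSWD SHADOW NAME -> missing | locked | password | empty
# "locked" is what "passwd -l" leaves behind ('!' prefix); "empty" is the
# unsafe case: the account could be used from UNIX without any password.
account_state() {
    grep -q "^$3:" "$1" || { echo missing; return 0; }
    f=$(awk -F: -v u="$3" '$1 == u { print $2 }' "$2")
    case "$f" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo password ;;
    esac
}

# spool_dir_ok DIR -> 0 when DIR exists, is world-writable and carries the
# sticky bit (the mode "chmod a+rwt" sets), so guests can spool jobs but
# cannot remove each other's files.
spool_dir_ok() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???????w[tT]) return 0 ;;
        *)             return 1 ;;
    esac
}

# make_sample_env -> prints a temp dir holding constructed smb.conf, passwd
# and shadow files plus a spool directory prepared the way the HOWTO shows.
make_sample_env() {
    d=$(mktemp -d)
    printf '[global]\n   security = SHARE\n   guest account = pcguest\n' > "$d/smb.conf"
    printf '%s\n' 'nobody:x:65534:65534::/nonexistent:/bin/false' \
        'pcguest:x:1001:1001::/nonexistent:/bin/false' > "$d/passwd"
    printf '%s\n' 'nobody::19000:0:99999:7:::' \
        'pcguest:!$6$examplehash:19000:0:99999:7:::' > "$d/shadow"
    mkdir "$d/spool" && chmod a+rwt "$d/spool"   # chown to the guest needs root
    echo "$d"
}
```

On a real server, point the functions at <filename>/etc/samba/smb.conf</filename>, <filename>/etc/passwd</filename>, <filename>/etc/shadow</filename> and <filename>/var/spool/samba</filename> instead of the sample environment.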

<para>
The contents of the &smb.conf; file are shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>.
</para>

<example id="AnonPtrSvr">
<title>&smb.conf; for Anonymous Printing</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printer admin">root</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
<indexterm><primary>/etc/mime.conv</primary></indexterm>
<indexterm><primary>/etc/mime.types</primary></indexterm>
<indexterm><primary>CUPS print filters</primary></indexterm>
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate
processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to
configure a raw printing device. It is also necessary to enable the raw MIME handler in the
<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link
linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing
for application/octet-stream</link>.
</para></note>

<para>
<indexterm><primary>CUPS library API</primary></indexterm>
<indexterm><primary>no printcap file</primary></indexterm>
<indexterm><primary>PDF filter</primary></indexterm>
<indexterm><primary>printcap name</primary></indexterm>
The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing
via the CUPS library API. This means that all printers will be exposed to Windows users without the need to
configure a printcap file. If it is necessary to expose only a subset of printers, or to define a special
type of printer (for example, a PDF filter), the <parameter>printcap name = cups</parameter> entry can be replaced
with <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified
should contain a list of the printer names that should be exposed to Windows network users.
</para>

</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
<indexterm><primary>greatest mistake</primary></indexterm>
<indexterm><primary>configuration too complex</primary></indexterm>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</para>

</sect1>
</chapter>