mirror of
https://github.com/samba-team/samba.git
synced 2025-01-20 14:03:59 +03:00
cc841dde2f
(This used to be commit 85434d3144656e6fe587637276d6a2667df1857f)
228 lines
7.2 KiB
XML
<chapter id="StandAloneServer">
<chapterinfo>
&author.jht;
</chapterinfo>

<title>Stand-Alone Servers</title>

<para>
Stand-Alone servers are independent of Domain Controllers on the network.
They are NOT domain members and function more like workgroup servers. In many
cases a stand-alone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Stand-Alone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
Domain security, they remain a very common installation.
</para>

<para>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example: a drafting office needs to store old drawings and reference
standards. No one can write files to the server, as it is legislatively
important that all documents remain unaltered. A share mode read-only stand-alone
server is an ideal solution.
</para>

<para>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share mode stand-alone server makes
a great solution.
</para>
</sect1>

<sect1>
<title>Background</title>

<para>
The term <emphasis>stand-alone server</emphasis> means that the server
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means that resources
on the machine will be made available in either SHARE mode or in
USER mode.
</para>

<para>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services. This means that machines that
use this server do NOT perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so that the logon name they use will
be translated (mapped) locally on the stand-alone server to a locally known
user name. There are several ways this can be done.
</para>

<para>
Samba tends to blur the distinction a little in respect of what is
a stand-alone server. This is because the authentication database may be
local or on a remote server, even if from the Samba protocol perspective
the Samba server is NOT a member of a domain security context.
</para>

<para>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the Samba server may use the local Unix/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, may use an LDAP back end, or may even, via PAM and Winbind,
use another CIFS/SMB server for authentication.
</para>

</sect1>

<sect1>
<title>Example Configuration</title>

<para>
The following examples are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in
server and network design.
</para>

<sect2>
<title>Reference Documentation Server</title>

<para>
Configuration of a read-only data server that EVERYONE can access is very simple.
Here is the smb.conf file that will do this. Assume that all the reference documents
are stored in the directory /export, and that the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename>
Unix system database. This is a very simple system to administer.
</para>

<programlisting>
# Global parameters
[global]
	workgroup = MYGROUP
	netbios name = REFDOCS
	security = SHARE
	passdb backend = guest
	wins server = 192.168.1.1

[data]
	comment = Data
	path = /export
	guest only = Yes
</programlisting>

<para>
In the above example the machine name is set to REFDOCS, and the workgroup is set to the name
of the local workgroup so that the machine will appear alongside the systems users are familiar
with. The only password backend required is the "guest" backend, so as to allow default
unprivileged account names to be used. Since there is a WINS server on this network,
we use it.
</para>

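As an added example (not part of the Samba documentation or of the Samba project's code), the following Python script parses an smb.conf and reports, for each share, whether anonymous (guest) clients are admitted and whether they can write, applying the smb.conf(5) defaults (read only = yes, guest ok = no, guest only = no) and Samba's rule that a share parameter set in [global] acts as the default for every share. It runs over a constructed copy of the REFDOCS listing and over a constructed variant in which the share was later made writable, the kind of drift that turns a read-only archive into an anonymous drop box. It also flags guest only set without guest ok, which smb.conf(5) documents as having no effect under user-level security; share-level security (security = SHARE, as used in the listing) was removed in Samba 4.0, so on current releases the share needs guest ok = Yes to be reachable by everyone.

```python
"""Audit smb.conf shares for anonymous (guest) exposure.

Added example, not part of the Samba documentation. The parser follows the way
Samba reads smb.conf: section and parameter names are case-insensitive, internal
whitespace in parameter names is ignored, and '#' or ';' start a comment line.
"""

# Constructed copy of the REFDOCS listing from the chapter, used as sample input.
REFDOCS_CONF = """
# Global parameters
[global]
    workgroup = MYGROUP
    netbios name = REFDOCS
    security = SHARE
    passdb backend = guest
    wins server = 192.168.1.1

[data]
    comment = Data
    path = /export
    guest only = Yes
"""

# Constructed variant: someone later opened the archive for anonymous writes.
WRITABLE_CONF = REFDOCS_CONF + "    writable = Yes\n    guest ok = Yes\n"

TRUE_WORDS = {"yes", "true", "1"}


def norm(name):
    """Normalise a parameter name as Samba does: lower-case, whitespace removed."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {param: value}} for an smb.conf string."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sections[current][norm(name)] = value.strip()
    return sections


def as_bool(value):
    """Samba boolean syntax: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in TRUE_WORDS


def share_param(conf, share, name, default):
    """Share value, else the [global] value (Samba's per-share default), else default."""
    key = norm(name)
    for section in (share, "global"):
        if key in conf.get(section, {}):
            return conf[section][key]
    return default


def audit_shares(text):
    """Return {share: {"guest_access": bool, "writable": bool, "warnings": [...]}}."""
    conf = parse_smb_conf(text)
    report = {}
    for share in conf:
        if share == "global":
            continue
        # 'public' is a documented synonym for 'guest ok'.
        guest_ok = (as_bool(share_param(conf, share, "guest ok", "no"))
                    or as_bool(share_param(conf, share, "public", "no")))
        guest_only = as_bool(share_param(conf, share, "guest only", "no"))
        # 'writable'/'writeable' are the inverse of 'read only', which defaults to yes.
        if "writable" in conf[share] or "writeable" in conf[share]:
            writable = as_bool(conf[share].get("writable", conf[share].get("writeable")))
        else:
            writable = not as_bool(share_param(conf, share, "read only", "yes"))
        warnings = []
        if guest_only and not guest_ok:
            warnings.append("guest only is set without guest ok; under user-level "
                            "security smb.conf(5) says it then has no effect")
        if (guest_ok or guest_only) and writable:
            warnings.append("anonymous clients can write to this share")
        report[share] = {"guest_access": guest_ok or guest_only,
                         "writable": writable, "warnings": warnings}
    return report


if __name__ == "__main__":
    for label, text in (("REFDOCS", REFDOCS_CONF), ("REFDOCS-writable", WRITABLE_CONF)):
        print(label)
        for share, info in audit_shares(text).items():
            print(f"  [{share}] guest_access={info['guest_access']} writable={info['writable']}")
            for warning in info["warnings"]:
                print("    warning:", warning)
```

Run against a real file with audit_shares(open("/etc/samba/smb.conf").read()); any share reported with guest_access and writable both true deserves a second look before it goes live.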
</sect2>

<sect2>
<title>Central Print Serving</title>

<para>
Configuration of a simple print server is straightforward if you have all the right tools
on your system.
</para>

<orderedlist>
<title>Assumptions:</title>
<listitem><para>
The print server must require no administration.
</para></listitem>

<listitem><para>
The print spooling and processing system on our print server will be CUPS
(please refer to the chapter on printing for more information).
</para></listitem>

<listitem><para>
All printers that the print server will service will be network
printers. They will be correctly configured, by the administrator,
in the CUPS environment.
</para></listitem>

<listitem><para>
All workstations will be installed using PostScript drivers. The printer
of choice is the Apple Color LaserWriter.
</para></listitem>
</orderedlist>

<para>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required:
</para>

<itemizedlist>
<title>Enablement for Anonymous Printing</title>
<listitem><para>
The Unix/Linux system must have a <command>guest</command> account.
The default for this is usually the account <command>nobody</command>.
To find the correct name to use for your version of Samba do the
following:
<screen>
<prompt>$ </prompt><userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
Then make sure that this account exists in your system password
database (<filename>/etc/passwd</filename>).
</para></listitem>

<listitem><para>
The directory into which Samba will spool the file must have write
access for the guest account. The following commands will ensure that
this directory is available for use:
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody:nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
</para></listitem>
</itemizedlist>

<para>
<programlisting>
# Global parameters
[global]
	workgroup = MYGROUP
	netbios name = PTRSVR1
	security = SHARE
	passdb backend = guest
	wins server = 192.168.1.1

[printers]
	comment = All Printers
	path = /var/spool/samba
	printer admin = root
	guest ok = Yes
	printable = Yes
	printing = cups
	use client driver = Yes
	browseable = No
</programlisting>
</para>

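As an added example (not the Samba project's code and not part of this chapter), the Python script below checks the two prerequisites listed above before the print server is put into service: that the guest account (the name testparm reports, nobody by default) exists in the system password database, and that the spool directory is owned by that account and carries the bits chmod a+rwt sets (read and write for everyone plus the sticky bit, which stops one client from deleting another client's spool files). The function names and the demo() helper are this example's own; demo() exercises the checks on a temporary directory so it runs without root, while on a real server the call is check_spool_dir("/var/spool/samba", guest_account_uid("nobody")).

```python
"""Verify the prerequisites for anonymous printing through Samba.

Added example, not part of the Samba documentation. Checks the guest account
and the spool directory ownership/permissions the chapter sets up by hand.
"""
import os
import pwd
import shutil
import stat
import tempfile

# Bits 'chmod a+rwt' guarantees for the owner and for everyone else, plus the sticky bit.
REQUIRED_RW = stat.S_IRUSR | stat.S_IWUSR | stat.S_IROTH | stat.S_IWOTH
STICKY = stat.S_ISVTX


def guest_account_uid(name="nobody"):
    """uid of the account Samba maps anonymous clients to, or None if it is missing."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def check_spool_dir(path, owner_uid):
    """Return a list of problems; an empty list means the directory is ready."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (mkdir it first)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    # A required bit is missing exactly when OR-ing the bits in changes the mode.
    if (mode | REQUIRED_RW) != mode:
        problems.append(f"mode is {oct(mode)}; guest needs read/write (chmod a+rw)")
    if (mode | STICKY) != mode:
        problems.append("sticky bit not set; clients could remove each other's "
                        "spool files (chmod +t)")
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {owner_uid} (chown)")
    return problems


def demo():
    """Run the checks on a temporary directory, before and after fixing its mode.

    Returns (problems_after_fix, problems_before_fix). Uses the current uid as the
    'guest' account so no privileges are needed.
    """
    me = os.getuid()
    tmp = tempfile.mkdtemp()
    try:
        os.chmod(tmp, 0o755)            # typical fresh mkdir result
        before = check_spool_dir(tmp, me)
        os.chmod(tmp, 0o1777)           # what 'chmod a+rwt' yields on that directory
        after = check_spool_dir(tmp, me)
    finally:
        shutil.rmtree(tmp)
    return after, before


if __name__ == "__main__":
    fixed, broken = demo()
    print("before chmod a+rwt:", broken)
    print("after chmod a+rwt: ", fixed)
    uid = guest_account_uid("nobody")
    if uid is None:
        print("guest account 'nobody' is missing from the password database")
    else:
        print("/var/spool/samba:", check_spool_dir("/var/spool/samba", uid) or "ok")
```

The same owner and mode checks apply to any directory a Samba share hands to anonymous clients, so the check is worth running again after package upgrades or restores that may have reset permissions.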
</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</para>

</sect1>

</chapter>