<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="StandAloneServer">
<chapterinfo>
	&author.jht;
</chapterinfo>
<title>Standalone Servers</title>

<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>not domain members</primary></indexterm>
<indexterm><primary>minimum security control</primary></indexterm>
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
<indexterm><primary>secure</primary></indexterm>
<indexterm><primary>insecure</primary></indexterm>
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
domain security, they remain a common installation.
</para>

<para>
<indexterm><primary>read-only files</primary></indexterm>
<indexterm><primary>share-mode</primary></indexterm>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>standalone server</primary></indexterm>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example, a drafting office needs to store old drawings and reference
standards. Nobody can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>

<para>
<indexterm><primary>simplicity</primary></indexterm>
<indexterm><primary>printers</primary></indexterm>
<indexterm><primary>share-mode server</primary></indexterm>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers; there is no need to enforce any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>

<sect1>
<title>Background</title>

<para>
<indexterm><primary>standalone server</primary></indexterm>
<indexterm><primary>local authentication</primary></indexterm>
<indexterm><primary>access control</primary></indexterm>
The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access
control for all resources that are available from it. In general this means that there will be a local user
database. In more technical terms, it means resources on the machine will be made available in either
<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode.
</para>

<para>
<indexterm><primary>create user accounts</primary></indexterm>
<indexterm><primary>no network logon service</primary></indexterm>
<indexterm><primary>independent</primary></indexterm>
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so that the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>

<para>
<indexterm><primary>local authentication database</primary></indexterm>
<indexterm><primary>SMB</primary></indexterm>
<indexterm><primary>not domain member</primary></indexterm>
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>

<para>
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
<indexterm><primary>UNIX-user database</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/shadow</primary></indexterm>
<indexterm><primary>local smbpasswd file</primary></indexterm>
<indexterm><primary>LDAP backend</primary></indexterm>
<indexterm><primary>Winbind</primary></indexterm>
Through the use of Pluggable Authentication Modules (PAM) (see <link linkend="pam">the chapter on PAM</link>)
and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may
reside on another server. We would be inclined to call this the authentication server. This means that the
Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or
<filename>/etc/shadow</filename>), may use a local smbpasswd file, may use an LDAP backend, or may even, via PAM
and Winbind, use another CIFS/SMB server for authentication.
</para>

</sect1>

<sect1>
<title>Example Configuration</title>

<para>
<indexterm><primary>inspire simplicity</primary></indexterm>
<indexterm><primary>complexity</primary></indexterm>
<link linkend="simplynice">The example Reference Documentation Server</link> and <link
linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to
attempt a high level of creativity and to introduce too much complexity in server and network design.
</para>

<sect2 id="RefDocServer">
<title>Reference Documentation Server</title>

<para>
<indexterm><primary>read-only</primary></indexterm>
<indexterm><primary>reference documents</primary></indexterm>
<indexterm><primary>/export</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
Configuration of a read-only data server that everyone can access is very simple. By default, all shares are
read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example - Reference
Documentation Server</link> is the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX
system database. This is a simple system to administer.
</para>

<example id="simplynice">
<title>smb.conf for Reference Documentation Server</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="wins server">192.168.1.1</smbconfoption>
<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="guest only">Yes</smbconfoption>
</smbconfblock>
</example>

<blockquote>
<attribution>Mark Twain</attribution>
<para>
I would have spoken more briefly, if I'd had more time to prepare.
</para>
</blockquote>

<para>
<indexterm><primary>password backend</primary></indexterm>
<indexterm><primary>guest</primary></indexterm>
<indexterm><primary>unprivileged account names</primary></indexterm>
<indexterm><primary>WINS</primary></indexterm>
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the
workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together
with systems with which users are familiar. The only password backend required is the <quote>guest</quote>
backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we
of course make use of it.
</para>

<para>
A US Air Force Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often
sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately,
many network administrators still need to learn the art of doing just enough to keep out of trouble.
</para>

</sect2>

<sect2 id="SimplePrintServer">
<title>Central Print Serving</title>

<para>
<indexterm><primary>simple print server</primary></indexterm>
<indexterm><primary>tools</primary></indexterm>
Configuration of a simple print server is easy if you have all the right tools on your system.
</para>

<orderedlist>
<title>Assumptions</title>
	<listitem><para>
	The print server must require no administration.
	</para></listitem>

	<listitem><para>
	The print spooling and processing system on our print server will be CUPS.
	(Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link> for more information.)
	</para></listitem>

	<listitem><para>
	The print server will service only network printers. The network administrator
	will correctly configure the CUPS environment to support the printers.
	</para></listitem>

	<listitem><para>
	All workstations will use only PostScript drivers. The printer driver
	of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
	</para></listitem>
</orderedlist>

<para>
<indexterm><primary>print server</primary></indexterm>
<indexterm><primary>/var/spool/samba</primary></indexterm>
<indexterm><primary>anonymous</primary></indexterm>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>

<itemizedlist>
<title>Enabling Anonymous Printing</title>
	<listitem><para>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>nobody</primary></indexterm>
<indexterm><primary>testparm</primary></indexterm>
	The UNIX/Linux system must have a <command>guest</command> account.
	The default for this is usually the account <command>nobody</command>.
	To find the correct name to use for your version of Samba, do the
	following:
<screen>
&prompt;<userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
<indexterm><primary>/etc/passwd</primary></indexterm>
	Make sure that this account exists in your system password
	database (<filename>/etc/passwd</filename>).
	</para>

	<para>
<indexterm><primary>set a password</primary></indexterm>
<indexterm><primary>lock password</primary></indexterm>
<indexterm><primary>passwd</primary></indexterm>
	It is a good idea either to set a password on this account, or else to lock it
	from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>,
	it can be locked by executing:
<screen>
&rootprompt;<userinput>passwd -l pcguest</userinput>
</screen>
	The exact command may vary depending on your UNIX/Linux distribution.
	</para></listitem>

	<listitem><para>
<indexterm><primary>directory</primary></indexterm>
<indexterm><primary>guest account</primary></indexterm>
<indexterm><primary>available</primary></indexterm>
<indexterm><primary>mkdir</primary></indexterm>
<indexterm><primary>chown</primary></indexterm>
<indexterm><primary>chmod</primary></indexterm>
	The directory into which Samba will spool the file must have write
	access for the guest account. The following commands will ensure that
	this directory is available for use:
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
	</para></listitem>
</itemizedlist>

<para>
The contents of the &smb.conf; file are shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>.
</para>

<example id="AnonPtrSvr">
<title>&smb.conf; for Anonymous Printing</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printer admin">root</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
<indexterm><primary>/etc/mime.conv</primary></indexterm>
<indexterm><primary>/etc/mime.types</primary></indexterm>
<indexterm><primary>CUPS print filters</primary></indexterm>
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate
processing via CUPS print filters. Where this mode of operation is desired, it is necessary to
configure a raw printing device. It is also necessary to enable the raw MIME handler in the
<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link
linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing
for application/octet-stream</link>.
</para></note>

<para>
<indexterm><primary>CUPS library API</primary></indexterm>
<indexterm><primary>no printcap file</primary></indexterm>
<indexterm><primary>PDF filter</primary></indexterm>
<indexterm><primary>printcap name</primary></indexterm>
The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing
via the CUPS library API. This means that all printers will be exposed to Windows users without any need to
configure a printcap file. If it is necessary to expose only a subset of printers, or to define a special
type of printer (for example, a PDF filter), the <parameter>printcap name = cups</parameter> entry can be replaced
with the entry <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified
should contain a list of the printer names that should be exposed to Windows network users.
</para>

</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
<indexterm><primary>greatest mistake</primary></indexterm>
<indexterm><primary>configuration too complex</primary></indexterm>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</para>

</sect1>
</chapter>