Final Addition. Copy layout is next.

[Samba/gebeck_regimport.git] / docs / Samba3-HOWTO / TOSHARG-ConfigSmarts.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="cfgsmarts">
<chapterinfo>
        &author.jht;
        <pubdate>June 30, 2005</pubdate>
</chapterinfo>
<title>Advanced Configuration Techniques</title>

<para>
Since the release of the first edition of this book there have been repeated requests to better document
configuration techniques that may help a network administrator to get more out of Samba. Some users have asked
for documentation regarding the use of the <smbconfoption name="include">file-name</smbconfoption> parameter.
</para>

<para>
Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on
one machine. There has also been an interest in the hosting of multiple Samba server personalities on one
server.
</para>

<para>
Feedback from technical reviewers made the inclusion of this chapter a necessity. So finally, here is an attempt
to answer the questions that have to date not been adequately addressed. Additional user input is welcome as
it will help this chapter to mature. What is presented here is just a small beginning.
</para>

<para>
There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server
hosting makes it possible to host multiple domain controllers on one machine. Each such machine is
independent, and each can be stopped or started without affecting another.
</para>

<para>
Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single
UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case,
only domain member machines and domain users can access the DMS, but even guest users can access the generic
print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server
is to host a CDROM server.
</para>

<para>
Some environments dictate the need to have separate servers, each with their own resources, each of which are
accessible only by certain users or groups. This is one of the simple, but highly effective, capabilities
</para>

<sect1>
<title>Implementation</title>

<para>
</para>

<sect2>
<title>Multiple Server Hosting</title>

<para>
The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own
configuration file. This method is complicated by the fact that each instance of &nmbd;, &smbd; and &winbindd;
must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by
&nmbd;, &smbd; and &winbindd; can be enabled either by recompiling Samba for each server hosted so each has its
own default TDB directories, or by configuring these in the &smb.conf; file, in which case each instance of
&nmbd;, &smbd; and &winbindd; must be told to start up with its own &smb.conf; configuration file.
</para>

<para>
Each instance should operate on its own IP address (that independent IP address can be an IP Alias).
Each instance of &nmbd;, &smbd; and &winbindd; should listen only on its own IP socket. This can be secured
using the <smbconfoption name="socket address"/> parameter. Each instance of the Samba server will have its
own SID also, this means that the servers are discrete and independent of each other.
</para>

<para>
The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of
process management and start up. The &smb.conf; parameters that must be carefully configured includes:
<smbconfoption name="private dir"/>, <smbconfoption name="pid directory"/>,<smbconfoption name="lock
directory"/>, <smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/>, <smbconfoption
name="netbios name"/>, <smbconfoption name="workgroup"/>, <smbconfoption name="socket address"/>.
</para>

<para>
Those who elect to use this method of creating multiple Samba servers must have the ability to read and follow
the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of
this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and
if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting
of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team.
</para>

</sect2>

<sect2>
<title>Multiple Virtual Server Personalities</title>

<para>
Samba has the ability to host multiple virtual servers, each of which have their own personality.  This is
achieved by configuring an &smb.conf; file that is common to all personalities hosted.  Each server
personality is hosted using its own <smbconfoption name="netbios alias"/> name, and each has its own distinct
<smbconfoption name="[global]"/> section. Each server may have its own stanzas for services and meta-services.
</para>

<para>
When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup.
Only the primary server can be a domain member or a domain controller. The personality is defined by the
combination of the <smbconfoption name="security"/> mode it is operating in, the <smbconfoption name="netbios
alias"/> it has, and the <smbconfoption name="workgroup"/> that is defined for it.
</para>

<para>
This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services.
If run using NetBIOS mode (the most common method) it is important that the parameter <smbconfoption name="smb
ports">139</smbconfoption> should be specified in the primary &smb.conf; file. Failure to do this will result
in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain
the functionality that is specified in the primary &smb.conf; file. The use of NetBIOS over TCP/IP using only
TCP port 139 means that the use of the <literal>%L</literal> macro is fully enabled. If the <smbconfoption
name="smb ports">139</smbconfoption> is not specified (the default is <parameter>445 139</parameter>, or if
the value of this parameter is set at <parameter>139 445</parameter> then the <literal>%L</literal> parameter
is not serviceable.
</para>

<para>
It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB
port), in which case the <literal>%i</literal> parameter can be used to provide separate server identities (by
IP Address). Each can have its own <smbconfoption name="security"/> mode. It will be necessary to use the
<smbconfoption name="interfaces"/>, <smbconfoption name="bind interfaces only"/> and IP aliases in addition to
the <smbconfoption name="netbios name"/> parameters to create the virtual servers. This method is considerably
more complex than that using NetBIOS names only using TCP port 139.
</para>

<para>
Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only
Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it
is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here
are some parameters:
</para>

<para>
The Samba server is called <literal>ELASTIC</literal>, its workgroup name is <literal>ROBINSNEST</literal>.
The CDROM server is called <literal>CDSERVER</literal> and its workgroup is <literal>ARTSDEPT</literal>. A
possible implementation is shown here:
</para>

<para>
The &smb.conf; file for the master server is shown in <link linkend="elastic">Elastic smb.conf File</link>.
This file is placed in the <filename>/etc/samba</filename> directory. Only the &nmbd; and the &smbd; daemons
are needed. When started the server will appear in Windows Network Neighborhood as the machine
<literal>ELASTIC</literal> under the workgroup <literal>ROBINSNEST</literal>. It is helpful if the Windows
clients that must access this server are also in the workgroup <literal>ROBINSNEST</literal> as this will make
browsing much more reliable.
</para>

<example id="elastic">
<title>Elastic smb.conf File</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">ROBINSNEST</smbconfoption>
<smbconfoption name="netbios name">ELASTIC</smbconfoption>
<smbconfoption name="netbios aliases">CDSERVER</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfoption name="disable spoolss">Yes</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[office]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="create mask">0600</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<para>
The configuration file for the CDROM server is listed in <link linkend="cdserver">CDROM Server
smb-cdserver.conf file</link>. This file is called <filename>smb-cdserver.conf</filename> and it should be
located in the <filename>/etc/samba</filename> directory. Machines that are in the workgroup
<literal>ARTSDEPT</literal> will be able to browse this server freely.
</para>

<example id="cdserver">
<title>CDROM Server smb-cdserver.conf file</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">ARTSDEPT</smbconfoption>
<smbconfoption name="netbios name">CDSERVER</smbconfoption>
<smbconfoption name="map to guest">Bad User</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>

<smbconfsection name="[carousel]"/>
<smbconfoption name="comment">CDROM Share</smbconfoption>
<smbconfoption name="path">/export/cddata</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfblock>
</example>

<para>
The two servers have different resources and are in separate workgroups. The server <literal>ELASTIC</literal>
can only be accessed by uses who have an appropriate account on the host server. All users will be able to
access the CDROM data that is stored in the <filename>/export/cddata</filename> directory. File system
permissions should set so that the <literal>others</literal> user has read-only access to the directory and its
contents. The files can be owned by root (any user other than the nobody account).
</para>

</sect2>

<sect2>
<title>Multiple Virtual Server Hosting</title>

<para>
In this example, the requirement is for a primary domain controller for the domain called
<literal>MIDEARTH</literal>. The PDC will be called <literal>MERLIN</literal>. An extra machine called
<literal>SAURON</literal> is required. Each machine will have only its own shares. Both machines belong to the
same domain/workgroup.
</para>

<para>
The master &smb.conf; file is shown in <link linkend="mastersmbc">the Master smb.conf File Global Section</link>.
The two files that specify the share information for each server are shown in <link linkend="merlinsmbc">the
smb-merlin.conf File Share Section</link>, and <link linkend="sauronsmbc">the smb-sauron.conf File Share
Section</link>. All three files are locate in the <filename>/etc/samba</filename> directory.
</para>

<example id="mastersmbc">
<title>Master smb.conf File Global Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">MERLIN</smbconfoption>
<smbconfoption name="netbios aliases">SAURON</smbconfoption>
<smbconfoption name="passdb backend">tdbsam</smbconfoption>
<smbconfoption name="smb ports">139</smbconfoption>
<smbconfoption name="syslog">0</smbconfoption>
<smbconfoption name="printcap name">CUPS</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="add user script">/usr/sbin/useradd -m '%u'</smbconfoption>
<smbconfoption name="delete user script">/usr/sbin/userdel -r '%u'</smbconfoption>
<smbconfoption name="add group script">/usr/sbin/groupadd '%g'</smbconfoption>
<smbconfoption name="delete group script">/usr/sbin/groupdel '%g'</smbconfoption>
<smbconfoption name="add user to group script">/usr/sbin/usermod -G '%g' '%u'</smbconfoption>
<smbconfoption name="add machine script">/usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'</smbconfoption>
<smbconfoption name="logon script">scripts\login.bat</smbconfoption>
<smbconfoption name="logon path"> </smbconfoption>
<smbconfoption name="logon drive">X:</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="preferred master">Yes</smbconfoption>
<smbconfoption name="wins support">Yes</smbconfoption>
<smbconfoption name="printing">CUPS</smbconfoption>
<smbconfoption name="include">/etc/samba/smb-%L.conf</smbconfoption>
</smbconfblock>
</example>

<example id="merlinsmbc">
<title>MERLIN smb-merlin.conf File Share Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">MERLIN</smbconfoption>

<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[office]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>

<smbconfsection name="[netlogon]"/>
<smbconfoption name="comment">NETLOGON</smbconfoption>
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
<smbconfoption name="read only">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>

<example id="sauronsmbc">
<title>SAURON smb-sauron.conf File Share Section</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MIDEARTH</smbconfoption>
<smbconfoption name="netbios name">SAURON</smbconfoption>

<smbconfsection name="[www]"/>
<smbconfoption name="comment">Web Pages</smbconfoption>
<smbconfoption name="path">/srv/www/htdocs</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
</smbconfblock>
</example>

</sect2>

</sect1>

</chapter>