Stage 1 of PHPTR Edits.

[Samba/gebeck_regimport.git] / docs / Samba3-HOWTO / TOSHARG-StandAloneServer.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="StandAloneServer">
<chapterinfo>
        &author.jht;
</chapterinfo>
<title>Standalone Servers</title>

<para>
Standalone servers are independent of domain controllers on the network.
They are not domain members and function more like workgroup servers. In many
cases a standalone server is configured with a minimum of security control
with the intent that all data served will be readily accessible to all users.
</para>

<sect1>
<title>Features and Benefits</title>

<para>
Standalone servers can be as secure or as insecure as needs dictate. They can
have simple or complex configurations. Above all, despite the hoopla about
domain security, they remain a common installation.
</para>

<para>
If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example, a drafting office needs to store old drawings and reference
standards. Noone can write files to the server because it is legislatively
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
</para>

<para>
Another situation that warrants simplicity is an office that has many printers
that are queued off a single central server. Everyone needs to be able to print
to the printers, there is no need to effect any access controls, and no files will
be served from the print server. Again, a share-mode standalone server makes
a great solution.
</para>
</sect1>

<sect1>
<title>Background</title>

<para>
The term <emphasis>standalone server</emphasis> means that it
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means resources
on the machine will be made available in either <emphasis>share</emphasis> mode or in
<emphasis>user</emphasis> mode.
</para>

<para>
No special action is needed other than to create user accounts. Standalone
servers do not provide network logon services. This means that machines that
use this server do not perform a domain logon to it. Whatever logon facility
the workstations are subject to is independent of this machine. It is, however,
necessary to accommodate any network user so the logon name he or she uses will
be translated (mapped) locally on the standalone server to a locally known
user name. There are several ways this can be done.
</para>

<para>
Samba tends to blur the distinction a little in defining
a standalone server. This is because the authentication database may be
local or on a remote server, even if from the SMB protocol perspective
the Samba server is not a member of a domain security context.
</para>

<para>
Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSSWITCH,
which maintains the UNIX-user database), the source of authentication may reside on 
another server. We would be inclined to call this the authentication server.
This means that the Samba server may use the local UNIX/Linux system password database
(<filename>/etc/passwd</filename> or <filename>/etc/shadow</filename>), may use a
local smbpasswd file, or may use an LDAP backend, or even via PAM and Winbind another CIFS/SMB server
for authentication.
</para>

</sect1>

<sect1>
<title>Example Configuration</title>

<para>
Examples 7.3.1 and 7.3.2
are designed to inspire simplicity. It is too easy to attempt a high level of creativity
and to introduce too much complexity in server and network design.
</para>

<sect2 id="RefDocServer">
<title>Reference Documentation Server</title>

<para>
Configuration of a read-only data server that everyone can access is very simple.
<link linkend="simplynice">The following example (7.3.1)</link> is the &smb.conf; file that will do this. Assume that all the reference documents
are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename>
UNIX system database. This is a simple system to administer.
</para>

<example id="simplynice">
<title>smb.conf for Reference Documentation Server</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="wins server">192.168.1.1</smbconfoption>
<smbconfsection name="[data]"/>
<smbconfoption name="comment">Data</smbconfoption>
<smbconfoption name="path">/export</smbconfoption>
<smbconfoption name="guest only">Yes</smbconfoption>
</smbconfblock>
</example>

<para>
In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the workgroup is set to the name
of the local workgroup (&example.workgroup;) so the machine will appear together with systems with
which users are familiar. The only password backend required is the <quote>guest</quote> backend to allow default
unprivileged account names to be used. As there is a WINS server on this network, we of course make use of it.
</para>

</sect2>

<sect2 id="SimplePrintServer">
<title>Central Print Serving</title>

<para>
Configuration of a simple print server is easy if you have all the right tools
on your system.
</para>

<orderedlist>
<title> Assumptions</title>
        <listitem><para>
        The print server must require no administration.
        </para></listitem>

        <listitem><para>
        The print spooling and processing system on our print server will be CUPS.
        (Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information).
        </para></listitem>

        <listitem><para>
        The print server will service only network printers. The network administrator
        will correctly configure the CUPS environment to support the printers.
        </para></listitem>

        <listitem><para>
        All workstations will use only PostScript drivers. The printer driver
        of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
        </para></listitem>
</orderedlist>

<para>
In this example our print server will spool all incoming print jobs to
<filename>/var/spool/samba</filename> until the job is ready to be submitted by
Samba to the CUPS print processor. Since all incoming connections will be as
the anonymous (guest) user, two things will be required to enable anonymous printing.
</para>

<itemizedlist>
<title>Enabling Anonymous Printing</title>
        <listitem><para>
        The UNIX/Linux system must have a <command>guest</command> account.
        The default for this is usually the account <command>nobody</command>.
        To find the correct name to use for your version of Samba, do the 
        following:
<screen>
&prompt;<userinput>testparm -s -v | grep "guest account"</userinput>
</screen>
        Make sure that this account exists in your system password
        database (<filename>/etc/passwd</filename>).
        </para></listitem>

        <listitem><para>
        The directory into which Samba will spool the file must have write
        access for the guest account. The following commands will ensure that
        this directory is available for use:
<screen>
&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
</screen>
        </para></listitem>
</itemizedlist>

<para>
The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">Example 7.3.2</link>.
</para>

<example id="AnonPtrSvr">
<title>&smb.conf; for Anonymous Printing</title>
<smbconfblock>
<smbconfcomment> Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
<smbconfoption name="security">SHARE</smbconfoption>
<smbconfoption name="passdb backend">guest</smbconfoption>
<smbconfoption name="printing">cups</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>

<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/var/spool/samba</smbconfoption>
<smbconfoption name="printer admin">root</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>


<note><para>
<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
<indexterm><primary>raw printing</primary></indexterm>
On CUPS-enabled systems there is a facility to pass raw data directly to the printer without
intermediate processing via CUPS print filters. Where use of this mode of operation is desired,
it is necessary to configure a raw printing device. It is also necessary to enable the raw mime
handler in the <filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename>
files. Refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing for 
application/octet-stream</link>.
</para></note>

</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
The greatest mistake so often made is to make a network configuration too complex.
It pays to use the simplest solution that will meet the needs of the moment.
</para>

</sect1>
</chapter>