--- /dev/null
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="StandAloneServer">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+<title>Standalone Servers</title>
+
+<para>
+<indexterm><primary>standalone server</primary></indexterm>
+<indexterm><primary>not domain members</primary></indexterm>
+<indexterm><primary>minimum security control</primary></indexterm>
+Standalone servers are independent of domain controllers on the network.
+They are not domain members and function more like workgroup servers. In many
+cases a standalone server is configured with a minimum of security control
+with the intent that all data served will be readily accessible to all users.
+</para>
+
+<sect1>
+<title>Features and Benefits</title>
+
+<para>
+<indexterm><primary>secure</primary></indexterm>
+<indexterm><primary>insecure</primary></indexterm>
+Standalone servers can be as secure or as insecure as needs dictate. They can
+have simple or complex configurations. Above all, despite the hoopla about
+domain security, they remain a common installation.
+</para>
+
+<para>
+<indexterm><primary>read-only files</primary></indexterm>
+<indexterm><primary>share-mode</primary></indexterm>
+<indexterm><primary>read-only</primary></indexterm>
+<indexterm><primary>standalone server</primary></indexterm>
+If all that is needed is a server for read-only files, or for
+printers alone, it may not make sense to effect a complex installation.
+For example, a drafting office needs to store old drawings and reference
+standards. Noone can write files to the server because it is legislatively
+important that all documents remain unaltered. A share-mode read-only standalone
+server is an ideal solution.
+</para>
+
+<para>
+<indexterm><primary>simplicity</primary></indexterm>
+<indexterm><primary>printers</primary></indexterm>
+<indexterm><primary>share-mode server</primary></indexterm>
+Another situation that warrants simplicity is an office that has many printers
+that are queued off a single central server. Everyone needs to be able to print
+to the printers, there is no need to effect any access controls, and no files will
+be served from the print server. Again, a share-mode standalone server makes
+a great solution.
+</para>
+</sect1>
+
+<sect1>
+<title>Background</title>
+
+<para>
+<indexterm><primary>standalone server</primary></indexterm>
+<indexterm><primary>local authentication</primary></indexterm>
+<indexterm><primary>access control</primary></indexterm>
+The term <emphasis>standalone server</emphasis> means that it will provide local authentication and access
+control for all resources that are available from it. In general this means that there will be a local user
+database. In more technical terms, it means resources on the machine will be made available in either
+<emphasis>share</emphasis> mode or in <emphasis>user</emphasis> mode.
+</para>
+
+<para>
+<indexterm><primary>create user accounts</primary></indexterm>
+<indexterm><primary>no network logon service</primary></indexterm>
+<indexterm><primary>independent</primary></indexterm>
+No special action is needed other than to create user accounts. Standalone
+servers do not provide network logon services. This means that machines that
+use this server do not perform a domain logon to it. Whatever logon facility
+the workstations are subject to is independent of this machine. It is, however,
+necessary to accommodate any network user so the logon name he or she uses will
+be translated (mapped) locally on the standalone server to a locally known
+user name. There are several ways this can be done.
+</para>
+
+<para>
+<indexterm><primary>local authentication database</primary></indexterm>
+<indexterm><primary>SMB</primary></indexterm>
+<indexterm><primary>not domain member</primary></indexterm>
+Samba tends to blur the distinction a little in defining
+a standalone server. This is because the authentication database may be
+local or on a remote server, even if from the SMB protocol perspective
+the Samba server is not a member of a domain security context.
+</para>
+
+<para>
+<indexterm><primary>PAM</primary></indexterm>
+<indexterm><primary>NSS</primary></indexterm>
+<indexterm><primary>UNIX-user database</primary></indexterm>
+<indexterm><primary>/etc/passwd</primary></indexterm>
+<indexterm><primary>/etc/shadow</primary></indexterm>
+<indexterm><primary>local smbpasswd file</primary></indexterm>
+<indexterm><primary>LDAP backend</primary></indexterm>
+<indexterm><primary>Winbind</primary></indexterm>
+Through the use of Pluggable Authentication Modules (PAM) (see <link linkend="pam">the chapter on PAM</link>)
+and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may
+reside on another server. We would be inclined to call this the authentication server. This means that the
+Samba server may use the local UNIX/Linux system password database (<filename>/etc/passwd</filename> or
+<filename>/etc/shadow</filename>), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM
+and Winbind another CIFS/SMB server for authentication.
+</para>
+
+</sect1>
+
+<sect1>
+<title>Example Configuration</title>
+
+<para>
+<indexterm><primary>inspire simplicity</primary></indexterm>
+<indexterm><primary>complexity</primary></indexterm>
+<link linkend="simplynice">The example Reference Documentation Server</link> and <link
+linkend="SimplePrintServer">Central Print Serving</link> are designed to inspire simplicity. It is too easy to
+attempt a high level of creativity and to introduce too much complexity in server and network design.
+</para>
+
+<sect2 id="RefDocServer">
+<title>Reference Documentation Server</title>
+
+<para>
+<indexterm><primary>read-only</primary></indexterm>
+<indexterm><primary>reference documents</primary></indexterm>
+<indexterm><primary>/export</primary></indexterm>
+<indexterm><primary>/etc/passwd</primary></indexterm>
+Configuration of a read-only data server that everyone can access is very simple. By default, all shares are
+read-only, unless set otherwise in the &smb.conf; file. <link linkend="simplynice">The example - Reference
+Documentation Server</link> is the &smb.conf; file that will do this. Assume that all the reference documents
+are stored in the directory <filename>/export</filename>, and the documents are owned by a user other than
+nobody. No home directories are shared, and there are no users in the <filename>/etc/passwd</filename> UNIX
+system database. This is a simple system to administer.
+</para>
+
+<example id="simplynice">
+<title>smb.conf for Reference Documentation Server</title>
+<smbconfblock>
+<smbconfcomment> Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
+<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
+<smbconfoption name="security">SHARE</smbconfoption>
+<smbconfoption name="passdb backend">guest</smbconfoption>
+<smbconfoption name="wins server">192.168.1.1</smbconfoption>
+<smbconfsection name="[data]"/>
+<smbconfoption name="comment">Data</smbconfoption>
+<smbconfoption name="path">/export</smbconfoption>
+<smbconfoption name="guest only">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
+<blockquote>
+<attribution>Mark Twain</attribution>
+<para>
+I would have spoken more briefly, if I'd had more time to prepare.
+</para>
+</blockquote>
+
+<para>
+<indexterm><primary>password backend</primary></indexterm>
+<indexterm><primary>guest</primary></indexterm>
+<indexterm><primary>unprivileged account names</primary></indexterm>
+<indexterm><primary>WINS</primary></indexterm>
+In <link linkend="simplynice">this example</link>, the machine name is set to &example.server.samba;, and the
+workgroup is set to the name of the local workgroup (&example.workgroup;) so the machine will appear together
+with systems with which users are familiar. The only password backend required is the <quote>guest</quote>
+backend to allow default unprivileged account names to be used. As there is a WINS server on this network, we
+of course make use of it.
+</para>
+
+<para>
+A US Air Force Colonel was renowned for saying: <quote>Better is the enemy of good enough!</quote> There are often
+sound reasons for avoiding complexity as well as for avoiding a technically perfect solution. Unfortunately,
+many network administrators still need to learn the art of doing just enough to keep out of trouble.
+</para>
+
+</sect2>
+
+<sect2 id="SimplePrintServer">
+<title>Central Print Serving</title>
+
+<para>
+<indexterm><primary>simple print server</primary></indexterm>
+<indexterm><primary>tools</primary></indexterm>
+Configuration of a simple print server is easy if you have all the right tools on your system.
+</para>
+
+<orderedlist>
+<title> Assumptions</title>
+ <listitem><para>
+ The print server must require no administration.
+ </para></listitem>
+
+ <listitem><para>
+ The print spooling and processing system on our print server will be CUPS.
+ (Please refer to <link linkend="CUPS-printing">CUPS Printing Support</link>, for more information).
+ </para></listitem>
+
+ <listitem><para>
+ The print server will service only network printers. The network administrator
+ will correctly configure the CUPS environment to support the printers.
+ </para></listitem>
+
+ <listitem><para>
+ All workstations will use only PostScript drivers. The printer driver
+ of choice is the one shipped with the Windows OS for the Apple Color LaserWriter.
+ </para></listitem>
+</orderedlist>
+
+<para>
+<indexterm><primary>print server</primary></indexterm>
+<indexterm><primary>/var/spool/samba</primary></indexterm>
+<indexterm><primary>anonymous</primary></indexterm>
+In this example our print server will spool all incoming print jobs to
+<filename>/var/spool/samba</filename> until the job is ready to be submitted by
+Samba to the CUPS print processor. Since all incoming connections will be as
+the anonymous (guest) user, two things will be required to enable anonymous printing.
+</para>
+
+<itemizedlist>
+<title>Enabling Anonymous Printing</title>
+ <listitem><para>
+<indexterm><primary>guest account</primary></indexterm>
+<indexterm><primary>nobody</primary></indexterm>
+<indexterm><primary>testparm</primary></indexterm>
+ The UNIX/Linux system must have a <command>guest</command> account.
+ The default for this is usually the account <command>nobody</command>.
+ To find the correct name to use for your version of Samba, do the
+ following:
+<screen>
+&prompt;<userinput>testparm -s -v | grep "guest account"</userinput>
+</screen>
+<indexterm><primary>/etc/passwd</primary></indexterm>
+ Make sure that this account exists in your system password
+ database (<filename>/etc/passwd</filename>).
+ </para>
+
+ <para>
+<indexterm><primary>set a password</primary></indexterm>
+<indexterm><primary>lock password</primary></indexterm>
+<indexterm><primary>passwd</primary></indexterm>
+ It is a good idea either to set a password on this account, or else to lock it
+ from UNIX use. Assuming that the guest account is called <literal>pcguest</literal>,
+ it can be locked by executing:
+<screen>
+&rootprompt; passwd -l pcguest
+</screen>
+ The exact command may vary depending on your UNIX/Linux distribution.
+ </para></listitem>
+
+ <listitem><para>
+<indexterm><primary>directory</primary></indexterm>
+<indexterm><primary>guest account</primary></indexterm>
+<indexterm><primary>available</primary></indexterm>
+<indexterm><primary>mkdir</primary></indexterm>
+<indexterm><primary>chown</primary></indexterm>
+<indexterm><primary>chmod</primary></indexterm>
+ The directory into which Samba will spool the file must have write
+ access for the guest account. The following commands will ensure that
+ this directory is available for use:
+<screen>
+&rootprompt;<userinput>mkdir /var/spool/samba</userinput>
+&rootprompt;<userinput>chown nobody.nobody /var/spool/samba</userinput>
+&rootprompt;<userinput>chmod a+rwt /var/spool/samba</userinput>
+</screen>
+ </para></listitem>
+</itemizedlist>
+
+<para>
+The contents of the &smb.conf; file is shown in <link linkend="AnonPtrSvr">the Anonymous Printing example</link>.
+</para>
+
+<example id="AnonPtrSvr">
+<title>&smb.conf; for Anonymous Printing</title>
+<smbconfblock>
+<smbconfcomment> Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">&example.workgroup;</smbconfoption>
+<smbconfoption name="netbios name">&example.server.samba;</smbconfoption>
+<smbconfoption name="security">SHARE</smbconfoption>
+<smbconfoption name="passdb backend">guest</smbconfoption>
+<smbconfoption name="printing">cups</smbconfoption>
+<smbconfoption name="printcap name">cups</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">All Printers</smbconfoption>
+<smbconfoption name="path">/var/spool/samba</smbconfoption>
+<smbconfoption name="printer admin">root</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+</smbconfblock>
+</example>
+
+
+<note><para>
+<indexterm><primary>MIME</primary><secondary>raw</secondary></indexterm>
+<indexterm><primary>raw printing</primary></indexterm>
+<indexterm><primary>/etc/mime.conv</primary></indexterm>
+<indexterm><primary>/etc/mime.types</primary></indexterm>
+<indexterm><primary>CUPS print filters</primary></indexterm>
+On CUPS-enabled systems there is a facility to pass raw data directly to the printer without intermediate
+processing via CUPS print filters. Where use of this mode of operation is desired, it is necessary to
+configure a raw printing device. It is also necessary to enable the raw mime handler in the
+<filename>/etc/mime.conv</filename> and <filename>/etc/mime.types</filename> files. Refer to <link
+linkend="CUPS-printing">CUPS Printing Support</link>, <link linkend="cups-raw">Explicitly Enable raw Printing
+for application/octet-stream</link>.
+</para></note>
+
+<para>
+<indexterm><primary>CUPS libarary API</primary></indexterm>
+<indexterm><primary>no printcap file</primary></indexterm>
+<indexterm><primary>PDF filter</primary></indexterm>
+<indexterm><primary>printcap name</primary></indexterm>
+The example in <link linkend="AnonPtrSvr">the Anonymous Printing example</link> uses CUPS for direct printing
+via the CUPS libarary API. This means that all printers will be exposed to Windows users without need to
+configure a printcap file. If there is necessity to expose only a sub-set of printers, or to define a special
+type of printer (for example, a PDF filter) the <parameter>printcap name = cups</parameter> can be replaced
+with the entry <parameter>printcap name = /etc/samba/myprintcap</parameter>. In this case the file specified
+should contain a list of the printer names that should be exposed to Windows network users.
+</para>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>Common Errors</title>
+
+<para>
+<indexterm><primary>greatest mistake</primary></indexterm>
+<indexterm><primary>configuration too complex</primary></indexterm>
+The greatest mistake so often made is to make a network configuration too complex.
+It pays to use the simplest solution that will meet the needs of the moment.
+</para>
+
+</sect1>
+</chapter>
git.samba.org / jra / samba / .git / blobdiff