From 951fa9619c10959654b4f7d69c08722f1e76db71 Mon Sep 17 00:00:00 2001
From: vorlon
Date: Wed, 21 Nov 2007 17:44:34 +0000
Subject: merge upstream 3.0.27a into svn

git-svn-id: svn://svn.debian.org/svn/pkg-samba/trunk/samba@1586 fc4039ab-9d04-0410-8cac-899223bdd6b0
---
 docs/htmldocs/using_samba/appf.html | 780 ++++++++++++++++++++++++++++++++++++
 1 file changed, 780 insertions(+)
 create mode 100644 docs/htmldocs/using_samba/appf.html

(limited to 'docs/htmldocs/using_samba/appf.html')

diff --git a/docs/htmldocs/using_samba/appf.html b/docs/htmldocs/using_samba/appf.html
new file mode 100644
index 0000000000..c3eb7d4d81
--- /dev/null
+++ b/docs/htmldocs/using_samba/appf.html
@@ -0,0 +1,780 @@ + + + + + +

Appendix F. Running Samba on Mac OS X Server

+ + + +

Mac OS X Server is an Apple +operating-system product based on Mac OS X, with the addition of +administrative tools and server software. One area in which it +differs from Mac OS X is in the configuration of Samba-based +services. In this appendix, we'll tell you how to +set up SMB file and printer shares, enable client user access, and +monitor activity. Our specific focus is on Mac OS X Server 10.2.

+ + + +
+ +

Setup Procedures

+ +

The first thing to note is that the procedure described in Chapter 2 using System Preferences to enable Samba does +not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of +System Preferences does not include an option to turn on Windows File +Sharing. Instead, there is a set of applications to configure, +activate, and monitor services: Workgroup Manager, Server Settings, +Server Status, and Open Directory Assistant, all located in the +directory /Applications/Utilities.

+ +

NOTE

+

In addition to being installed with Mac OS X Server, these and other +administrative applications are included on a separate installation +CD-ROM sold with the operating system. They can be used to manage Mac +OS X Server systems remotely from any Mac OS X machine.

+ +

For more information, refer to the Mac OS X Server +Administrator's +Guide, included as a PDF +file in the /Library/Documentation/MacOSXServer +directory, and also downloadable from Apple +Computer's web site at http://www.apple.com/server/.

+
+ +

Briefly, the procedure for setting up SMB file and printer shares is +as follows:

+ +
  1. +

    Designate share points in Workgroup Manager for file sharing.

    +
  2. +

    Set up print queues in Server Settings for printer sharing, and +activate Printer Service.

    +
  3. +

    Configure and activate Windows Services in Server Settings.

    +
  4. +

    Activate Password Server and enable SMB authentication in Open +Directory Assistant.

    +
  5. +

    Enable Password Server authentication for user accounts in Workgroup +Manager.

    +
  6. +

    Monitor file and print services with Server Status.

    +
+ +
+ +

Sharing Files

+ +

The +first step to enable SMB file sharing is to designate one or more +share points. Share points are folders that +form the root of shared volumes for any of the protocols supported by +Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem +(NFS), File Transfer Protocol (FTP), and SMB.

+ +

To designate a share point, launch Workgroup Manager. You will be +prompted for the local or remote server's hostname +or IP address, as well as for a username and password; this process +is required by all the Mac OS X Server administrative applications. +Once Workgroup Manager is open, click the Sharing button in the +toolbar. The list on the left, under the Share Points tab, displays +currently defined share points. To add a new one, click the All tab, +and navigate to the folder you want to share.

+ +

On the right, under the General tab, check the box labeled Share this +item and its contents, change the ownership and permissions if +desired, then click the Save button. Next, under the Protocols tab, +select Windows File Settings from the pop-up menu, and ensure that +the box labeled Share this item using SMB is checked. At this point, +you can also decide whether to allow guest access to the share, +change the name of the share displayed to SMB clients, or set +permissions for files and folders created by SMB clients. Click the +Save button when you're finished making changes. See +Figure F-1.

+ +

Figure F-1. Workgroup Manager: Share Points and Windows File Settings

+ + +
+ + + + + +
+ +

Configuring and Activating Services

+ +

At this point, neither +the file shares nor the printer shares are available to SMB clients. +To activate them, click the Windows icon in Server Settings, and +click Configure Windows Services.... Under the General tab, you can +set the server's NetBIOS hostname, the workgroup or +Windows NT domain in which the server resides, and the description +that gets displayed in a browse list. You can also specify the code +page for an alternate character set. Finally, you can enable +boot-time startup of Samba. See Figure F-3.

+ +

Figure F-3. Server Settings: Windows Services

+ +

The Windows Services Access tab offers options to enable guest access +and limit the number of simultaneous client connections; under the +Logging tab, you can specify the verbosity of your logging. With +options under the Neighborhood tab, you can configure your machine as +a WINS client or server or have it provide browser services locally +or across subnets.

+ +
+

Password Server

+ +

Password Server is a feature +introduced with Mac OS X Server 10.2. In prior versions of Mac OS X +Server, Windows authentication was handled with Authentication +Manager, which stored a user's Windows password in +the tim_password property of the +user's NetInfo record. This can still be done in +Version 10.2, although it's strongly discouraged +because the encrypted password is visible to other users with access +to the NetInfo domain and can potentially be decrypted.

+ +

If you need to use Authentication Manager, use the following +procedure to enable it:

+ +
  1. +

    On every machine hosting a domain that will bind into the NetInfo +hierarchy, execute the command tim -init -auto +tag for each domain, where +tag is the name of the +domain's database.

    +
  2. +
  3. +

    When prompted, provide a password to be used as the encryption key +for the domain. This key is used to decrypt the Windows passwords and +is stored in an encrypted file readable only by root, +/var/db/netinfo/.tag.tim.

    +
  4. +
  5. +

    Set AUTHSERVER=-YES- in +/etc/hostconfig.

    +
  6. +
  7. +

    Start Authentication Manager by invoking tim. +This is also executed during the boot sequence by the AuthServer +startup item.

    +
  8. +
  9. +

    Reset the password of each user requiring SMB client access. In Mac +OS X Server 10.2 or later, make sure the user is set up for Basic +authentication, not Password Server authentication.

    +
+ +

When you've finished configuring Windows Services, +click the Save button, then click the Windows icon in Server +Settings, and select Start Windows Services. This starts the Samba +daemons, enabling access from SMB clients.

+ + +
+ + + + + + + + + + + +
+ + + +
+ +

Configuration Details

+ +

Underneath the GUI, a lot of activity +takes place to offer Windows Services. In the non-Server version of +Mac OS X, selecting Windows File Sharing sets the +SMBSERVER parameter in +/etc/hostconfig and triggers the Samba startup +item. In Mac OS X Server, under normal circumstances the Samba +startup item and the SMBSERVER parameter are never +used.

+ +

Instead, a process named sambadmind generates +/etc/smb.conf from the configuration specified +in Server Settings and Workgroup Manager and handles starting and +restarting the Samba daemons as necessary. The +sambadmind process is in turn monitored by +watchdog, which keeps an eye on certain +processes and restarts those which fail. The +watchdog utility is configured in +/etc/watchdog.conf, a file similar to a System V +inittab, which specifies how the services under +watchdog's purview are to be +treated. For example, the line for sambadmind +looks like this:

+ +
sambadmin:respawn:/usr/sbin/sambadmind -d     # SMB Admin daemon
+ +

Using a watchdog-monitored process such as +sambadmind to start the Samba daemons, instead +of a one-time execution of a startup item, results in more reliable +service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it +is quickly restarted. (Examples of other services monitored by +watchdog are Password Server, Print Service, and +the Server Settings daemon that allows remote management.)

+ +

There's another wrinkle in Mac OS X Server: the +Samba configuration settings are not written directly to +/etc/smb.conf, as they are in the non-Server +version of Mac OS X. Instead, they're stored in the +server's local Open Directory domain,[1] from which sambadmind retrieves them +and regenerates smb.conf. For example, the Samba +global parameters are stored in +/config/SMBServer (see Figure F-7). Share point information is also kept in Open +Directory, under /config/SharePoints, while CUPS +takes responsibility for printer configuration in +/etc/cups/printers.conf (also creating stub +entries used by Samba in /etc/printcap).

+ +

Figure F-7. NetInfo Manager: SMBServer properties

+ +

Table F-1 summarizes the association of Windows +Services settings in the Server Settings application, properties +stored in Open Directory, and parameters in +/etc/smb.conf.

+ +

Table F-1. Samba configuration settings in Mac OS X Server

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Server Settings graphical element in Windows Services

+
+

Open Directory property in /config/SMBServer

+
+

Samba global parameter in/etc/smb.conf

+
+

General → Server Name

+
+

netbios_name

+
+

netbios name

+
+

General → Workgroup

+
+

workgroup

+
+

workgroup

+
+

General → Description

+
+

description

+
+

server string

+
+

General → Code Page

+
+

code_page

+
+

client code page

+
+

General → Start Windows Services on system startup

+
+

auto_start

+
+

N/A

+
+

Access → Allow Guest Access

+
+

guest_access, map_to_guest

+
+

map to guest

+
+

N/A

+
+

guest_account

+
+

guest account

+
+

Access → Maximum client connections

+
+

max_connections

+
+

max smbd processes

+
+

Logging → Detail Level

+
+

logging

+
+

log level

+
+

Neighborhood → WINS Registration → +Off

+
+

WINS_enabled, WINS_register

+
+

wins support

+
+

Neighborhood → WINS Registration → +Enable WINS server

+
+

WINS_enabled

+
+

wins support

+
+

Neighborhood → WINS Registration → +Register with WINS server

+
+

WINS_register, WINS_address

+
+

wins server

+
+

Neighborhood → Workgroup/Domain Services +→ Master Browser

+
+

Local_Master

+
+

local master

+
+

Neighborhood → Workgroup/Domain Services +→ Domain Master Browser

+
+

Domain_Master

+
+

domain master

+
+

Print → Start Print Service

+
+

printing

+
+

N/A

+
+

N/A

+
+

lprm_command

+
+

lprm command

+
+

N/A

+
+

lppause_command

+
+

lppause command

+
+

N/A

+
+

lpresume_command

+
+

lpresume command

+
+

N/A

+
+

printer_admin

+
+

printer admin

+
+

N/A

+
+

encryption

+
+

encrypt passwords

+
+

N/A

+
+

coding_system

+
+

coding system

+
+

N/A

+
+

log_dir

+
+

N/A

+
+

N/A

+
+

smb_log

+
+

log file

+
+

N/A

+
+

nmb_log

+
+

N/A

+
+

N/A

+
+

samba_sbindir

+
+

N/A

+
+

N/A

+
+

samba_bindir

+
+

N/A

+
+

N/A

+
+

samba_libdir

+
+

N/A

+
+

N/A

+
+

samba_lockdir

+
+

N/A

+
+

N/A

+
+

samba_vardir

+
+

N/A

+
+

N/A

+
+

stop_time

+
+

N/A

+
+ + +
+ + + +
+ +

Rolling Your Own

+ +

When making manual changes to the Samba +configuration file, take care to block changes initiated from +graphical applications by invoking this command:

+ +
# chflags uchg /etc/smb.conf
+ +

From that point on, the GUI will be useful only for starting, +stopping, and monitoring the service—not for configuring it.

+ +

If you install your own version of Samba, you can still manage it +from Server Settings by changing some of the Open Directory +properties in /config/SMBServer.

+ +

To do this, open NetInfo Manager and modify the +samba_sbindir and samba_bindir +properties to match the location of your Samba installation. +Optionally, you can modify samba_libdir, +samba_vardir, and +samba_lockdir. Assuming a default Samba +installation, you can also change these at the command line with the +following commands:

+ +
# nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin
+# nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin
+# nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib
+# nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var
+# nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks
+ +

You can check your settings with this command:

+ +
# nicl . -read /config/SMBServer
+ +

In Server Settings, select Stop Windows Services, then run this +command:

+ +
# killall sambadmind
+ +

The watchdog utility restarts +sambadmind within seconds. Finally, go back to +Server Settings, and select Start Windows Services.

+ +

If you don't modify Open Directory properties to +match your active Samba installation (because you wish to manage your +configuration another way), be sure never to activate Windows +Services from the Server Settings application, or +you'll wind up with two sets of Samba daemons +running concurrently.

+ + +
+ +

Footnotes

+

[1] In versions of Mac OS X prior to 10.2, Open Directory domains +were called NetInfo domains. NetInfo Manager (located in +/Applications/Utilities) provides a graphical +interface to view and modify the contents of Open Directory +databases. For more information, see the Mac OS X Server +Administrator's Guide, as well as +Understanding and Using NetInfo, downloadable +from the Mac OS X Server resources web page at http://www.apple.com/server/resources.html.

+
+ + +

TOC

+ -- cgit v1.2.3
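
Review bot: In the "Rolling Your Own" commands, samba_sbindir is created with the same value as samba_bindir (`/usr/local/samba/bin`), so for a build that installs the daemons in a separate sbin directory the property would not match the installation. The text should either say that the value must be the directory that actually holds the daemons, or confirm that bin is intended for the default layout it assumes. The same section applies `chflags uchg /etc/smb.conf` without saying how to clear the flag again (`chflags nouchg`) if GUI-driven configuration is wanted later. In the Authentication Manager procedure the list renders with empty items (2, 4, 6 and 8 carry no text), which points to stray list elements in the added HTML, and the Table F-1 column header "Samba global parameter in/etc/smb.conf" is missing a space.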