In addition to connecting to other Linux systems, Linux is
also able to connect to Windows and Macintosh computers and
communicate over Novell networks. This chapter shows the requirements
for and configuration of heterogeneous networks.
With the program Samba, convert a UNIX machine into a file and print server for DOS, Windows, and OS/2 machines. The Samba Project is run by the Samba Team and was originally developed by the Australian Andrew Tridgell.
Samba has now become a fully-fledged and rather complex product. This section presents an overview of its basic functionality. Samba offers plenty of online documentation. Enter apropos samba at the command line to list the relevant manual pages or, if Samba is installed, browse the /usr/share/doc/packages/samba directory for more online documentation and examples. A commented example configuration (smb.conf.SuSE) can be found in the examples subdirectory.
Samba uses the SMB protocol (Server Message Block) that is based on the NetBIOS services. Due to pressure from IBM, Microsoft released the protocol so other software manufacturers could establish connections to a Microsoft domain network. Samba sets the SMB protocol on top of the TCP/IP protocol, so the TCP/IP protocol must also be installed on all clients.
NetBIOS is a software interface (API) designed for communication between machines. Here, a name service is provided. It enables machines connected to the net to reserve names for themselves. After reservation, these machines can be addressed by name. There is no central process that checks names. Any machine on the network can reserve as many names as it wants, if the names are not already in use. The NetBIOS interface can now be implemented for different network architectures. An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP.
The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS. NetBIOS uses its own, completely independent naming convention. However, it is recommended to use names that correspond to DNS host names to make administration easier. This is the default used by Samba.
All common operating systems, such as Mac OS X, Windows, and OS/2, support the SMB protocol. The TCP/IP protocol must be installed on all computers. Samba provides a client for the UNIX versions.
For Linux, there is a file-system kernel module for SMB that allows the integration of SMB resources on the Linux system level.
SMB servers provide storage space to their clients by means of shares. A share includes a directory and its subdirectories on the server. It is exported under a name and is accessed by that name. The share name can be set to any name -- it does not have to be the name of the exported directory. A printer is also assigned a name. Clients access the printer by its name.
If you intend to use Samba as a server, install the package samba. The services required for Samba can be started with rcnmb start && rcsmb start and stopped with rcsmb stop && rcnmb stop.
The main configuration file of Samba is /etc/samba/smb.conf. This file can be divided into two logical parts. The [global] section contains the central and global settings. The [share] sections contain the individual file and printer shares. By means of this approach, details regarding the shares can be set differently or globally in the [global] section, which enhances the structural transparency of the configuration file.
The following parameters of the [global] section need some adjustment to match the requirements of your network setup so other machines can access your Samba server via SMB in a Windows environment.
If the DNS name is not available, set the server name using netbios name = MYNAME. See man smb.conf for more details about this parameter.
As long as there is no other SMB server present in your network, such as a Windows NT or 2000 server, and the Samba server should keep a list of all systems present in the local environment, set the os level to a higher value (for example, 65). Your Samba server will thus be chosen as LMB (Local Master Browser) for your local network.
When changing this setting, consider carefully how this could affect an existing Windows network environment. A misconfigured Samba server can cause serious problems when trying to become LMB for its work group. Contact your administrator and subject your configuration to some heavy testing either in an isolated network or at a noncritical time of day.
The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients.
To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive via Samba.
By means of a very restrictive default configuration, this kind of share is only made available to the users present on this system. If this share should be made available to everybody, add a line guest ok = yes to the configuration. This setting gives read permissions to anyone on the network. It is recommended to handle this parameter with great care. This applies even more to the use of this parameter in the [global] section.
The SMB protocol comes from the DOS and Windows world and directly takes into consideration the problem of security. Each share access can be protected with a password. SMB has three possible ways of checking the permissions:
The distinction between share, user, and server level security applies to the entire server. It is not possible to offer individual shares of a server configuration with Share Level Security and others with User Level Security. However, you can run a separate Samba server for each configured IP address on a system.
More information on this subject can be found in the file textdocs/security_level.txt. For multiple servers on one system, pay attention to the parameters interfaces and bind interfaces only.
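The two settings the preceding paragraphs warn about, guest ok = yes on a share and share-level security for the whole server, are easy to miss in a long smb.conf. The following shell script is an added example, not code from the SuSE manual or from the Samba project: it reads an smb.conf on standard input, strips comments, tracks the current [section], and reports those two settings. The function names (audit_smb_conf, sample_smb_conf) and the sample configuration it feeds itself are constructed for this illustration; the parameter names (security, guest ok and its synonym public, netbios name, valid users) are real smb.conf parameters.

```shell
#!/bin/sh
# Added example (not from the SuSE manual or the Samba project): flag
# "guest ok = yes" on any share and "security = share" in [global].

audit_smb_conf() {
    # Reads an smb.conf on stdin. Prints one line per finding and
    # returns 1 if anything was flagged, 0 otherwise.
    awk '
        # drop comments (# or ;) and surrounding whitespace
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^\[.*\]$/ { section = tolower(substr($0, 2, length($0) - 2)); next }
        index($0, "=") > 0 {
            n = index($0, "=")
            key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, n + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "global" && key == "security" && val == "share") {
                print "global: security = share (share-level security; see textdocs/security_level.txt)"
                bad = 1
            }
            # "public" is the smb.conf synonym for "guest ok"
            if ((key == "guestok" || key == "public") && (val == "yes" || val == "true" || val == "1")) {
                if (section == "global")
                    print "global: guest ok = yes applies to every share that does not override it"
                else
                    print section ": guest ok = yes gives read access to anyone on the network"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

sample_smb_conf() {
    # Constructed sample configuration for this example, not a real site config.
    # $1 is "weak" (share-level security, guest CD-ROM) or "hardened".
    if [ "$1" = weak ]; then level=share; guest=yes; else level=user; guest=no; fi
    cat <<EOF
[global]
   workgroup = TUX-NET
   netbios name = MYNAME
   security = $level
   encrypt passwords = yes

[homes]
   comment = Home Directories
   valid users = %S
   browseable = no
   read only = no

[cdrom]
   comment = CD-ROM drive
   path = /media/cdrom
   read only = yes
   guest ok = $guest
EOF
}

echo "--- weak configuration ---"
if sample_smb_conf weak | audit_smb_conf; then echo "nothing flagged"; fi
echo "--- hardened configuration ---"
if sample_smb_conf hardened | audit_smb_conf; then echo "nothing flagged"; fi
```

Run it against a real file with audit_smb_conf < /etc/samba/smb.conf. The weak sample produces two findings (the global security level and the cdrom share); the hardened sample, with security = user and guest ok = no, produces none and exits 0.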
In networks where predominantly Windows clients are found, it is often preferable that users may only register with a valid account and password. This can be brought about with the help of a Samba server. In a Windows-based network, this task is handled by a Windows NT server configured as a Primary Domain Controller (PDC). The entries that must be made in the [global] section of smb.conf are shown in File 47.
Global Section in smb.conf
[global]
workgroup = TUX-NET
domain logons = Yes
domain master = Yes
If encrypted passwords are used for verification purposes -- this is the default setting in maintained MS Windows 9x versions, MS Windows NT 4.0 from service pack 3, and all later products -- the Samba server must be able to handle these. The entry encrypt passwords = yes in the [global] section enables this functionality. In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. This is done with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands:
$
With the useradd command, a dollar sign is added. The command smbpasswd inserts this automatically when the parameter -m is used. The commented configuration example (/usr/share/doc/packages/Samba/examples/smb.conf.SuSE) contains settings that automate this task.
$
For the authentication method selected in this example, all user data is stored in /etc/samba/smbpasswd. To store your user data on an LDAP server, go to `YaST' -> `System' -> `/etc/sysconfig Editor' -> `Network Services' -> `Samba' then modify the parameter SAMBA_SAM to ldap. Finally, execute SuSEconfig -module samba.
Clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS via IPX cannot be used with Samba.
Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default. To add TCP/IP, go to `Control Panel' -> `System' and choose `Add' -> `Protocols' -> `TCP/IP from Microsoft'. After rebooting your Windows machine, find the Samba server by double-clicking the desktop icon for the network environment.
The parameter socket options is one possible optimization provided with the sample configuration that ships with your Samba version. Its default configuration refers to a local ethernet network. For additional information about socket options, refer to the section ``socket options'' in smb.conf and to the socket(7) manual page. Additional information is provided in textdocs/Speed.txt and textdocs/Speed2.txt.
The standard configuration in /etc/samba/smb.conf is designed to provide useful settings based on the default settings of the Samba team. However, a ready-to-use configuration is not possible, especially in view of the network configuration and the work group name. The commented sample configuration examples/smb.conf.SuSE contains information that will be helpful for the adaptation to local requirements.
Tip
The Samba team offers textdocs/DIAGNOSIS.txt,
which is a step-by-step guide to check your configuration.
With the package netatalk, obtain a high-performance file and print server for MacOS clients. With it, access data on a Linux machine from a Macintosh or print to a connected printer. Netatalk is a suite of Unix programs that run on kernel-based DDP (Datagram Delivery Protocol) and implement the AppleTalk protocol family (ADSP, ATP, ASP, RTMP, NBP, ZIP, AEP, and PAP).
AppleTalk is, in effect, an equivalent to the more familiar TCP (Transmission Control Protocol). It has counterparts to many TCP/IP-based services, including services for resolving host names and time synchronization. For example, the command aecho (AEP, AppleTalk Echo Protocol) is used instead of ping (ICMP ECHO_REQUEST, Internet Control Message Protocol).
The three daemons described below are normally started on the server:
Of course, you can export server directories not only via Netatalk, but also, at the same time, via Samba for Windows clients (see 16) and via NFS (see 13), which is very useful in heterogeneous network environments. This centralizes the management of data backup and user permissions on the Linux server.
There are some important details to consider when using Netatalk:
All configuration files are pure text files. Text that follows a hash mark `#' (comments) and empty lines can be disregarded. The various services (printing, Appletalk broadcast, Appletalk via TCP/IP, time server) can be activated through the file /etc/netatalk/netatalk.conf:
ATALKD_RUN=yes
PAPD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
eth0 -phase 2 -net 0-65534 -addr 65280.57
at the end of the file. For more complex configurations, refer to examples in the configuration file. Find documentation about additional options in the manual page of afpd.
If you do not change anything here, the default server will simply be started and displayed with the host name in the `Chooser'. Therefore, you do not necessarily need to enter anything. However, you can give additional file servers a variety of names and options here, for instance, to provide a specific ``guest server'' where everybody can save files as ``guest''.
"Guest server" -uamlist uams_guest.so
Define a server that denies guests access, but which is only accessible for users who already exist in the Linux system with:
"Font server" -uamlist uams_clrtxt.so,uams_dhx.so
This behavior is controlled by the option uamlist, followed by a list of authentication modules to use, separated by commas. If you do not provide this option, all procedures are active by default.
An AppleShare server not only provides its services by default via AppleTalk, but also (``encapsulated'') via TCP/IP. The default port is 548. Assign dedicated ports to additional AppleShare servers (on the same machine) if these should also run via TCP. The availability of the service via TCP/IP enables access to the server even over non-AppleTalk networks, such as the Internet.
In this case, the syntax would read:
"Font server" -uamlist uams_clrtxt.so,uams_dhx.so -port 12000
The AppleShare server, set to the port 12000, then appears in the network with the name ``Font server'' and will not allow guest access. In this way, it is also accessible via TCP/IP routers.
The file AppleVolumes.default (described in detail below) defines which directories located on the server are made available by each AppleShare server as network volumes. Define other files containing unique descriptions for each AppleShare server using the option -defaultvol, such as with (in one line):
"Guest server" -uamlist uams_guest.so -defaultvol /etc/netatalk/AppleVolumes.guest
Further options are explained in the afpd.conf file itself.
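The afpd.conf lines above pack three access-relevant decisions into one line each: which authentication modules (-uamlist) a server accepts, hence whether guests get in, which TCP port it listens on (548 unless -port is given) and which volume file it uses (-defaultvol). The following shell script is an added example, not code from the SuSE manual or from the Netatalk project: it reads an afpd.conf on standard input, prints one summary line per server and reports any TCP port that two servers on the same machine would have to share, which the text says must not happen. The function names (afpd_conf_summary, afpd_port_conflicts, sample_afpd_conf) and the sample file are constructed for this illustration; the default port 548 and the default volume file /etc/netatalk/AppleVolumes.default are taken from the text, and a server without -uamlist is reported as allowing guests because the text says all modules are active in that case.

```shell
#!/bin/sh
# Added example (not from the SuSE manual or Netatalk): summarise the servers
# in an afpd.conf and spot guest access and TCP port collisions.

afpd_conf_summary() {
    # Reads afpd.conf on stdin; prints name|port|guest|uamlist|defaultvol per server.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            name = "(host name)"; rest = $0
            if (match($0, /^[ \t]*"[^"]*"/)) {
                # quoted server name, possibly containing spaces
                name = substr($0, RSTART, RLENGTH); rest = substr($0, RSTART + RLENGTH)
                sub(/^[ \t]*"/, "", name); sub(/"$/, "", name)
            } else if ($1 == "-") {
                # "-" means: use the host name
                rest = substr($0, index($0, "-") + 1)
            }
            # defaults stated in the text: port 548, AppleVolumes.default, all UAMs active
            port = 548; uams = "(all modules)"; vol = "/etc/netatalk/AppleVolumes.default"
            n = split(rest, f, " ")
            for (i = 1; i < n; i++) {
                if (f[i] == "-port") port = f[i + 1]
                if (f[i] == "-uamlist") uams = f[i + 1]
                if (f[i] == "-defaultvol") vol = f[i + 1]
            }
            guest = (uams == "(all modules)" || index(uams, "uams_guest.so") > 0) ? "yes" : "no"
            printf "%s|%s|%s|%s|%s\n", name, port, guest, uams, vol
        }
    '
}

afpd_port_conflicts() {
    # Reads the summary on stdin; prints each TCP port used by more than one server.
    cut -d '|' -f 2 | sort | uniq -d
}

sample_afpd_conf() {
    # Constructed afpd.conf for this example (the first two lines follow the text).
    cat <<'EOF'
# constructed sample, not a real configuration
"Guest server" -uamlist uams_guest.so -defaultvol /etc/netatalk/AppleVolumes.guest
"Font server" -uamlist uams_clrtxt.so,uams_dhx.so -port 12000
"Archive" -uamlist uams_dhx.so
EOF
}

sample_afpd_conf | afpd_conf_summary
conflicts=$(sample_afpd_conf | afpd_conf_summary | afpd_port_conflicts)
[ -z "$conflicts" ] || echo "TCP port(s) used by more than one server: $conflicts"
```

In the constructed sample, ``Archive'' was given no -port and therefore collides with ``Guest server'' on 548; the summary shows that ``Font server'' on 12000 denies guests because uams_guest.so is absent from its list. Run it on a real file with afpd_conf_summary < /etc/netatalk/afpd.conf.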
Note
Here, the syntax has partially changed. Take this into consideration if you are updating this version from a previous one. For example, it is now allow: instead of access= (a typical symptom would be if, instead of the drive descriptions, you were to see a display of the drive options on the Mac clients in the `Chooser'). Because the new files are created with the .rpmnew endings during an update, it is possible that your previous settings may no longer function as a result of the modified syntax. Create backups of your configuration files, copy your old configurations from them into your new files, then rename these files to the proper names. This way, you will benefit from the current comments contained in the configuration files, which provide a detailed explanation of the diverse options.
The syntax
/usr/local/psfonts "PostScript Fonts"
indicates that the Linux directory /usr/local/psfonts located in the root directory is available as an AppleShare volume with the name ``PostScript Fonts''.
Options are separated by a space and attached to the end of a line. A very useful option is the access restriction:
/usr/local/psfonts "PostScript Fonts" allow:User1,@group0
which restricts access to the volume ``PostScript Fonts'' to the user ``User1'' and all members of the group ``group0''. The users and groups entered here must be known to the Linux system. Likewise, explicitly deny users access with deny:User2.
These restrictions only apply to access via AppleTalk and not to the normal access rights users have if they can log in to the server itself.
Netatalk maps the customary Resource Fork of MacOS files to .AppleDouble directories in the Linux file system. Using the noadouble option, set these directories to be created only when they are actually needed. Syntax:
/usr/local/guests "Guests" options:noadouble
Additional options and features can be found in the explanations included in the file itself.
The tilde (`~') in this configuration file stands for the home directory of each and every user on the server. This way, every user can easily access his home directory without each one being defined explicitly here. The example file installed already includes a tilde, which is why Netatalk makes the home directory available by default as long as you do not modify anything in this file.
afpd also searches for a file Applevolumes or .Applevolumes in the home directory of a user logged on to the system. Entries in this file supplement the entries in the server files AppleVolumes.system and AppleVolumes.default to enable individual type and creator file specifications and to access specific directories. These entries are extensions and do not allow access for the user for whom access permission is denied from the server side.
The netatalk.pamd file is used, via PAM (pluggable authentication modules), for authentication purposes. Using PAM is, however, irrelevant in this context.
A laserwriter service is made available by configuring the papd.conf file. The printer must be already functioning locally via lpd, so configure a printer as described in Chapter 6. If you can print a text file locally using the command lpr file.txt, the first step has been successfully completed.
You do not necessarily need to enter anything in papd.conf if a local printer is configured in Linux, because print jobs can simply be forwarded to the print daemon lpd without additional specifications. The printer registers itself in the AppleTalk network as Laserwriter. You can, however, extend your printer entries by referring to File 50.
This causes the printer named Printer_Reception to appear as a `Chooser' item. The corresponding printer description file is usually provided by the vendor. Otherwise, refer to the file Laserwriter located in the `System Extensions' folder. However, when using this file you often cannot use all of the printer's features.
The server can be started at system boot time via its ``init script'' or manually with rcatalk start. The init script is located at /etc/init.d/netatalk.
The actual starting of the server takes place in the background. It takes about a minute until the AppleTalk interfaces are set up and responsive. Check for the status as shown in the following (all servers are running if OK is reported three times):
From a Mac running MacOS, check for AppleTalk activation, choose `Filesharing', then double-click `AppleShare'. The names of the servers should then appear in the window. Double-click a server and log in. It should then be possible to access a shared volume.
The procedure is a bit different for AppleShare servers configured to use TCP only (and no DDP). To connect, press the `Server IP address' button and enter the respective IP address. If necessary, append the port number, separated by a colon (`:').
To take full advantage of all the options netatalk offers, read the corresponding manual pages. Find them by entering the command rpm -qd netatalk. The /etc/netatalk/netatalk.conf file is not used in our netatalk version, so disregard it.
Helpful URLs:
We do not currently recommend trying to access an AppleShare file system hosted on a Macintosh from a Linux machine. Software is available, but it is in early development stages. For more information, refer to http://www.panix.com/~dfoster/afpfs/.
The Netware emulator MARSNWE can easily replace the file and print services of a Novell Netware 2.2 or 3.11 server. It can also be used in this manner as an IPX router. However, it does not offer the features of newer Netware versions, such as NDS (Netware Directory Services). Workstations running DOS or Windows already configured to access a Netware 2.2, 3.11, or 3.12 server can use the Linux server with the Netware emulator MARSNWE as a server without having to change the configuration much. Administration is best taken care of in Linux, because Novell system administration applications can only be utilized under certain conditions and have licensing issues as well.
After modifying the configuration, MARSNWE must be restarted with the command rcnwe restart.
The configuration options in detail:
1 SYS /usr/local/nwe/SYS/ kt 711 600
Here, the volumes to export are defined. Every line begins with the section number (here 1), followed by the volume name and the server directory path. In addition, various options can be specified represented by specific letters and a UMASK for the generation of both directories and files. If a UMASK is not specified, the default value from Section 9 is used. The volume for SYS is already entered. To avoid problems with uppercase and lowercase letters in the file names, it is recommended to use the k option, so all the file names will be converted to lowercase letters.
2 MARS
This specification is optional. The host name will be used by default.
3 auto
The internal network number is generated from the network card's MAC address if auto is specified here. This setting is usually retained.
4 0x0 * AUTO 1
4 0x22 eth0 ethernet_ii 1
Here, the Netware network number is specified as well as to which network interface using which protocol the bind should be made. The first example sets up everything automatically, while the second binds the network number 0x22 to the network card eth0 with the frame type Ethernet-II. If you have several network cards and enter all these with different network numbers, IPX will be routed between them.
9 0751 0640
Enters the default permission with which directories and files are created.
10 65534
11 65534
Group ID and user ID for users not logged in. Here nogroup and nobody.
12 SUPERVISOR root
The supervisor is mapped to the user root.
13 LINUX linux
Netware users are assigned to Linux users. A static password can optionally be entered here.
15 0 top-secret
If 1 is specified here instead of 0, Linux logins will automatically be made available as Netware logins. In this case, the password is ``top-secret''.
21 LP - lpr -
The first parameter LP is the name of the Netware printer. Second, the name of the spool directory can be given. The print command is listed last.
22 PS_NWE LP_PS 1
Printers can be defined here that are accessed over the pserver by the package ncpfs.
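Several of the numbered sections just described decide who can log in to the emulated Netware server and as whom: section 12 maps SUPERVISOR to a Linux user, section 13 maps Netware users to Linux users and may carry a static password, and section 15 with 1 turns every Linux login into a Netware login with one fixed password. The following shell script is an added example, not code from the SuSE manual or from MARSNWE: it reads an nwserv.conf-style file on standard input and prints the effective settings of those sections, flagging static passwords in section 13 and the automatic-login switch in section 15 so they can be reviewed after a change. The function names (nwserv_conf_audit, sample_nwserv_conf) and the sample file are constructed for this illustration; the section numbers and their meaning follow the text.

```shell
#!/bin/sh
# Added example (not from the SuSE manual or MARSNWE): list the login-related
# sections of an nwserv.conf and flag static or shared passwords.

nwserv_conf_audit() {
    # Reads nwserv.conf on stdin. Prints one line per relevant section and
    # returns 1 if a static (13) or shared automatic-login (15) password is set.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "1"  { print "section 1: volume " $2 " exported from " $3 }
        $1 == "9"  { print "section 9: default permissions dirs=" $2 " files=" $3 }
        $1 == "12" { print "section 12: " $2 " is mapped to Linux user " $3 }
        $1 == "13" && NF >= 4 {
            print "section 13: static password set for Netware user " $2 " (Linux user " $3 ")"
            bad = 1
        }
        $1 == "13" && NF < 4 { print "section 13: Netware user " $2 " -> Linux user " $3 }
        $1 == "15" && $2 == "1" {
            print "section 15: every Linux login becomes a Netware login with the fixed password \"" $3 "\""
            bad = 1
        }
        $1 == "15" && $2 != "1" { print "section 15: automatic Netware logins for Linux users are off" }
        END { exit (bad ? 1 : 0) }
    '
}

sample_nwserv_conf() {
    # Constructed nwserv.conf for this example; values follow the text where it gives them.
    cat <<'EOF'
1 SYS /usr/local/nwe/SYS/ kt 711 600
2 MARS
3 auto
4 0x0 * AUTO 1
9 0751 0640
10 65534
11 65534
12 SUPERVISOR root
13 LINUX linux
13 GUEST nobody guest123
15 1 top-secret
21 LP - lpr -
EOF
}

if sample_nwserv_conf | nwserv_conf_audit; then
    echo "no static or shared passwords configured"
else
    echo "review the flagged sections before restarting with rcnwe restart"
fi
```

On a real server run it as nwserv_conf_audit < /etc/nwserv.conf (the path of your configuration file may differ). In the constructed sample the GUEST mapping carries a static password and section 15 is set to 1, so both lines are flagged and the script exits with status 1; with 15 0 and no fourth field in section 13 it exits 0.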
The package ncpfs is a collection of small programs that can be used to administer a Netware 2.2 or 3.11 server from Linux, mount Netware volumes, or manage printers. To access Netware servers newer than version 4, the bindery emulation and IPX must be enabled on them.
The following programs are available. Refer to the man pages for their functions:
nwmsg ncopy ncpmount ncpumount
nprint nsend nwauth nwbocreate
nwbols nwboprops nwborm nwbpadd
nwbpcreate nwbprm nwbpset nwbpvalues
nwdir nwdpvalues nwfsctrl nwfsinfo
nwfstime nwgrant nwpasswd nwpurge
nwrevoke nwrights nwsfind nwtrustee
nwtrustee2 nwuserlist nwvolinfo pqlist
pqrm pqstat pserver slist
ncpmount, for example, is an essential program used to mount volumes from a Netware server in Linux. In turn, ncpumount is used to unmount them. The package ncpfs also contains tools for configuring the IPX protocol and IPX routing:
ipx_cmd ipx_configure ipx_interface ipx_internal_net ipx_route
With ipx_configure and ipx_interface, configure the network card's IPX. If you already have MARSNWE running, however, it will take care of this configuration automatically.
Another package for converting Linux into an IPX router is the package ipxrip. Usually, it is not needed, because an IPX router can be configured with MARSNWE or the tools from the package ncpfs.