11.5.1.2.3. Switching to Domain Controller
This section documents how the Falcot administrators went even further, by turning the Samba server into a domain controller providing roaming profiles (which allow users to find their desktop no matter what machine they connect to).
They first added a few extra directives in the [global] section of the configuration file:
domain logons = yes
preferred master = yes
logon path = \\%L\profiles\%U
logon script = scripts/logon.bat
Enables the domain controller functionality.
Specifies the location of the users' home directories. These are stored on a dedicated share, which allows enabling specific options (in particular, profile acls, a requirement for compatibility with Windows 2000, XP and Vista).
Specifies the batch (non-interactive) script that is to be run on the client Windows machine every time a session is opened. In this case, /var/lib/samba/netlogon/scripts/logon.bat. The script needs to be in DOS format, where the lines are separated by a carriage-return character and a line-feed character; if the file was created on Linux, running unix2dos will convert it.
The commands used most widely in these scripts allow the automatic creation of network drives and synchronizing the system time.
Example 11.28. The logon.bat file
net time \\ARRAKIS /set /yes
net use H: /home
net use U: \\ARRAKIS\utils
Two extra shares, and their associated directories, were also created:
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
The home directories for all users must also be created (as /var/lib/samba/profiles/user), and each of them must be owned by the matching user.
11.5.2. Samba Client
The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the smbfs and smbclient packages.
11.5.2.1. The smbclient Program
The smbclient program queries SMB servers. It accepts a -U user option, for connecting to the server under a specific identity. smbclient //server/share accesses the share in an interactive way similar to the command-line FTP client. smbclient -L server lists all available (and visible) shares on a server.
11.5.2.2. Mounting Windows Shares
The smbmount command allows mounting a Windows share into the Linux filesystem hierarchy.
Example 11.29. Mounting a Windows share
smbmount //arrakis/shared /shared -o credentials=/usr/local/etc/smb-credentials
The /usr/local/etc/smb-credentials file (which must not be readable by users) has the following format:
username = user
password = password
Other options can be specified on the command-line; their full list is available in the smbmount(1) manual page. Two options in particular can be interesting: uid and gid allow forcing the owner and group of files available on the mount, so as not to restrict access to root.
The smbumount command unmounts an SMB share.
ALTERNATIVE Using mount for a Windows share
The mount command itself does not handle CIFS; however, when asked to mount an unknown filesystem type, it tries delegating the task to a mount.type. Since the smbfs package does provide a mount.cifs command, it then becomes possible to mount a Windows share with the standard mount command:
mount -t cifs -o credentials=/usr/local/etc/smb-credentials //server/shared /shared
This also allows configuring an SMB mount in the standard /etc/fstab file:
//server/shared /shared cifs credentials=/usr/local/etc/smb-credentials
11.5.2.3. Printing on a Shared Printer
CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the smbclient is installed, CUPS allows installing Windows shared printers automatically.
Here are the required steps:
Enter the CUPS configuration interface:
http://localhost:631/admin.
Click on “Add Printer”, then enter the data relevant to this printer.
When choosing the printer device, pick “Windows Printer via SAMBA”.
The URI describing the printer looks like the following:
smb://user:password@server/printer.
Voilà, the printer is operational!
11.6. HTTP/FTP Proxy
An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. Its role is twofold:
Caching: recently downloaded documents are copied locally, which avoids multiple downloads.
Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted.
Falcot Corp selected Squid as their proxy server.
11.6.1. Installing
The squid Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional squidguard package. In addition, squid-cgi provides a querying and administration interface for a Squid proxy.
Prior to installing, care should be taken to check that the system can identify its own complete name: the hostname -f must return a fully-qualified name (including a domain). If it does not, then the /etc/hosts file should be edited to contain the full name of the system (for instance, arrakis.falcot.com). The official computer name should be validated with the network administrator in order to avoid potential name conflicts.
11.6.2. Configuring a Cache
Enabling the caching server feature is a simple matter of editing the /etc/squid/squid.conf configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:
Example 11.30. The /etc/squid/squid.conf file (excerpts)
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should