Linux in a Windows Workstation Environment, Part II: Local Network Support
This article series covers the development of a Linux-based server
that supports a number of workstations running the Microsoft Windows
operating system in the computer laboratory of a 55+ RV Resort in
Mesa, Arizona. Part I covered the background of our organization, the
establishment of our Linux system and the rules for our iptables
firewall. This article covers network functions such as IP address
serving, a cache-only name server, an intranet Web server and print and
file services using the Server Message Block (SMB) protocol.
DHCP Server
As noted in the previous article, our computer lab is connected to the
Internet by way of a T1 line, which is shared with the business and sales
offices and the Wi-Fi connections of the RV resort, all of which share
a single IP address. An upstream router handles the necessary network
address translation (NAT) to and from non-routable addresses in the
10.10.x.0 networks. Before installation of our firewall, all machines
in the computer lab were assigned addresses on the 10.10.4.0 net. Now,
only the external interface of the firewall belongs to that network. The
internal address of the firewall, the printers, all of the computers in
the lab and any laptops temporarily connected to the network are assigned
addresses of the form 10.10.10.x. The firewall/server interface has a
fixed address of 10.10.10.1, and the printers are fixed at 10.10.10.253 and
10.10.10.254. All other machines get their IP addresses from the DHCP server
running on the Linux system. For ease of maintenance, I prefer to control
the addresses of the desktop computers. Thus, our DHCP control file
assigns fixed addresses based on the MAC address of the client.
The DHCP server in the SuSE distribution is controlled by the file
/etc/dhcpd.conf. An annotated listing of part of our file is shown
below. The first statement defines the domain name for the network. The
name is a registered one, but no external DNS entry points to this
system, so its use here is purely internal.
option domain-name "mesaregalcc.org";
The next entry enumerates the name servers for this network, starting with
the IP address of our server, which caches DNS entries. The configuration
of this facility is described later in this article. dhcpd reads each
statement up to its terminating semicolon, so a long option such as this
one may simply be continued on the next line of the file.
option domain-name-servers 10.10.10.1, 198.6.1.4, 198.6.1.5, 198.6.1.195;
Next we define the gateway/router for the network.
option routers 10.10.10.1;
The next stanza defines the network and the range of dynamic addresses
to be used. As shown, the range 10.10.10.50 through 10.10.10.199 (150
addresses) is assigned dynamically, with leases of at most one hour.
These addresses are issued to notebook computers that are brought into
the computer room and temporarily attached to the wired network.
subnet 10.10.10.0 netmask 255.255.255.0 {
option broadcast-address 10.10.10.255;
range 10.10.10.50 10.10.10.199;
max-lease-time 3600;
}
The next stanza keeps the DHCP server from issuing any addresses on the
external interface. The upstream router handles this function.
subnet 10.10.4.0 netmask 255.255.255.0 {
}
The final group of statements defines the fixed addresses for the
workstations: the instructor's computer receives 10.10.10.200, the
computer named MRLAB1 receives 10.10.10.201, and so on. These fixed
addresses lie outside the dynamic range above, so a notebook can never
be handed a workstation's address. Note that matching on the MAC address
is a convenience for maintenance, not an access control: a MAC address
can be set freely on most adapters, so nothing here stops a visiting
laptop from claiming a workstation's address. The # character starts a
comment.
group {
option subnet-mask 255.255.255.0;
option broadcast-address 10.10.10.255;
max-lease-time 100000;
#
host MRLAB1 {
hardware ethernet 00:0F:FE:02:C2:12;
fixed-address 10.10.10.201;
}
...
}
Cache-Only Name Server
As noted above, the workstation clients contact the Linux computer
first when they attempt to resolve a host name. Our name server does not
walk the DNS tree itself; it forwards queries it cannot answer from its
cache to the external name servers listed below and caches their
answers. This facility is used for two reasons. First, it speeds name
resolution for the external machines that are accessed frequently.
Second, the SuSE distribution configures this functionality with
essentially no changes. One caveat: a caching server answers anyone who
can reach port 53 on it, so either the firewall rules from Part I must
block DNS on the external interface or named itself should be confined
to the internal network with its listen-on and allow-query (or
allow-recursion) options. The only line of the configuration file,
/etc/named.conf, that needed to be changed is presented below:
# The forwarders record contains a list of servers to which unsatisfied queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.
# ******* This next line is the only one changed at Mesa Regal.
forwarders { 198.6.1.4, 198.6.1.5, 198.6.1.195; };
Intranet Web Server
The computer club's Web site is used to publish scheduling information
for classes, meetings and presentations. The navigation bar of this site
also contains links to some popular sites, including the Web mail sites
for AOL, Juno, Hotmail and Yahoo, as well as the search sites for Google
and HotBot. Because this site is the home page for all computers in the
lab, it is accessed many times per day. To reduce traffic on the
external line, a Web server has been configured to serve a local copy of
the site. The effort has been minimal, as we use no CGI scripting and
need no logging.
By storing the Web content locally, our webmaster can edit changing
content without connecting to the external site. Each evening cron, the
Linux task scheduler, starts a script that produces a list of the Web
site files altered within the past 24 hours and transfers them to the
external site using the wput command, a command-line FTP client. Bear in
mind that wput speaks plain FTP, so the hosting account's password
crosses the Internet in the clear, and a password placed on the command
line is also visible to every local user through ps. To ensure
controlled write access to the Web material, it is stored in a
password-protected Samba share, discussed later.
I use the Apache Web server as the server for our intranet. Although
the latest version, 2.0, implements a number of new security features,
my initial attempts to use the newest software failed. We use only
simple Web pages and have no security issues, as the server is
accessed only from the internal network. Therefore, I am using the older
V1.3 release.
The control file, httpd.conf, can include a large number of parameters;
however, only a small number needed to be tailored for my system. The
first of these is the server type. Under Linux, the daemon can be
triggered by the Internet super daemon, inetd, or it can be started as
a standalone program. I chose the latter option.
ServerType standalone
The next parameter to be configured is the root directory for the
configuration, error and log files.
ServerRoot "/usr/local/apache"
We also specify the IP address and port. If this parameter were not
specified, the program would listen on all interfaces. I explicitly
wish to exclude the external interface while keeping the standard port.
Listen 10.10.10.1:80
We also need to specify the directory in which our Web pages are stored,
as well as a Directory stanza to allow everyone to access that material.
DocumentRoot "/home/web"
<Directory "/home/web">
Order allow,deny
Allow from all
</Directory>
The combination of local home page serving and the cache-only name server
greatly decreases workstation response time and cuts traffic on the
external line. The benefit of each far outweighs the minimal effort
required to set it up.
File and Print Services
To supply file and print services for the Windows workstations, we use
Samba. To quote samba.org, "Samba is an Open Source/Free Software suite
that provides seamless file and print services to SMB/CIFS clients. Samba
is freely available, unlike other SMB/CIFS implementations, and allows
for interoperability between Linux/Unix servers and Windows-based
clients." Using this package, our Linux computer offers printer shares
for both printers and three distinct file shares.
The Samba configuration file, which normally is /etc/samba/smb.conf,
contains definitions for global parameters in a section named [global].
The parameters defined on our system are annotated below. Note that
smb.conf has no end-of-line comments: a line is a comment only when it
begins with # or ;, and everything after the first = is taken as the
value. The annotations therefore sit on their own lines above the
parameter they describe; written after the value, they would silently
become part of it.
[global]
# one server process for each workstation
max smbd processes = 40
# name reported to network browser
workgroup = MRLAB
# NetBIOS name reported by server
netbios name = server
# needed for guest services to work
security = share
# limit to our network
hosts allow = 10.10.10.0/24
# the guest has the privileges of this user
guest account = nobody
log file = /usr/local/samba/var/log
smb passwd file = /usr/local/samba/lib/smbpasswd
# size in kB
max log size = 500
# this machine is master for net
preferred master = yes
# we have no other domain servers
domain master = yes
# no. of minutes till connection expires
deadtime = 5
# name in printer comment box on Windows
server string = Samba
# serve only our internal network
interfaces = 10.10.10.1/24
# no WINS name resolution
wins support = no
# Wizard is shown on NT/XP/2K clients
show add printer wizard = yes
# number of simultaneous print jobs
max print jobs = 20
# only the superuser can manipulate printers
printer admin = root
# we want to have no password for some users
null passwords = yes
# do not create shares automatically
load printers = no
# BSD-type printing
printing = bsd
Two of these settings deserve a second look. The interfaces line by
itself only tells Samba which networks exist; smbd still accepts
connections on every interface unless bind interfaces only = yes is also
set, so it is the hosts allow line that actually keeps outside hosts off
this server. Share-level security (security = share) and null passwords
= yes suited a lab with guest shares, but share-level security was
removed in the Samba 4 series; current releases use user-level security
with map to guest for guest access.
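The following lint reads an smb.conf the way Samba does and reports the pitfalls discussed above. It is an added example for this article, not Samba's own checker (testparm should still be run), and the two sample configurations it carries are constructed for the purpose: the first writes the article's settings with trailing "# ..." annotations, the second is the same [global] section with the points addressed.

```python
"""Lint for smb.conf settings.  Added example, not part of Samba or of
the club's setup.  It parses the file by Samba's rules, so it catches
"param = value # note" (the note becomes part of the value), and it
flags 'interfaces' without 'bind interfaces only', share-level
security, null passwords and guest-writable shares.
"""

# Constructed: the article's settings written with trailing annotations.
WEAK = """\
[global]
workgroup = MRLAB # name reported to network browser
security = share
hosts allow = 10.10.10.0/24
interfaces = 10.10.10.1/24
null passwords = yes

[guest]
path = /home/samba
public = yes
writable = yes
"""

# Constructed: the same [global] section with the findings addressed.
FIXED = """\
[global]
# name reported to network browser
workgroup = MRLAB
security = user
hosts allow = 10.10.10.0/24
interfaces = 10.10.10.1/24
bind interfaces only = yes
"""

YES = ("yes", "true", "1")


def parse_smbconf(text):
    """{section: {parameter: value}} following Samba's rules: a line is a
    comment only when it starts with '#' or ';', everything after the
    first '=' is the value, and whitespace in parameter names is not
    significant (collapsed to single spaces here)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint(sections):
    """Return a list of human-readable findings (empty when clean)."""
    findings = []
    g = sections.get("global", {})
    for name, params in sections.items():
        for key, value in params.items():
            if "#" in value or ";" in value:
                findings.append(f"[{name}] {key} = '{value}': smb.conf has no "
                                "inline comments, the note is part of the value")
        if name not in ("global", "printers", "print$"):
            guest = params.get("public", params.get("guest ok", "no")).lower() in YES
            writable = (params.get("writable", params.get("writeable", "no")).lower() in YES
                        or params.get("read only", "yes").lower() not in YES)
            if guest and writable:
                findings.append(f"[{name}]: guest-writable share; anyone on the "
                                "network can add or alter files here")
    if "interfaces" in g and g.get("bind interfaces only", "no").lower() not in YES:
        findings.append("[global] interfaces set without 'bind interfaces only = yes': "
                        "smbd still accepts connections on every interface")
    if g.get("security", "").lower() == "share":
        findings.append("[global] security = share: share-level security was "
                        "removed in the Samba 4 series; use security = user")
    if g.get("null passwords", "no").lower() in YES:
        findings.append("[global] null passwords = yes: accounts with an empty "
                        "password can log in")
    return findings
```

Run on WEAK, the lint reports five findings, the first of them that workgroup has become "MRLAB # name reported to network browser"; on FIXED it reports none. The guest-writable finding is informational: the club's public S: drive is meant to be writable by everyone, which is exactly why the article warns users not to keep anything sensitive there. Moving from share-level to user-level security changes how guest access is granted (map to guest), so consult the smb.conf manual page before changing that line on a live server.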
Print Shares
The next section defines the parameters for a printer driver download
area. If this section is properly defined, it is possible to install the
printer drivers on a Windows client without needing to have any other
source for the driver files.
[print$]
# the root location for the driver tree
path = /usr/local/samba/drivers
browseable = yes
# accessed without password
public = yes
# cannot be written
read only = yes
# except by the superuser
write list = root
The [printers] section defines parameters that are common to all printers.
[printers]
comment = All Printers
# spool directory
path = /var/spool/samba
# the administrator account
printer admin = root
# no authentication needed
public = yes
# spool files OK for this share
printable = yes
use client driver = no
# can be browsed
browsable = yes
read only = yes
Each of our printers available to Windows clients is defined
by a separate stanza. The name inside the brackets, bw_laser, is the
name reported. The print command is the command spawned when
a print job has been received. In most cases, this would be a simple
call to the lpr command. Our system, however, does additional processing
before calling the printer spooler, as explained below. In this
line, the %s macro expands to the name of the spool file, and %I
expands to the IP address of the client.
[bw_laser]
# minimum spool space in kB
min print space = 1000
# spool files OK for this share
printable = yes
print command = /usr/local/samba/lib/process_bw %s %I
Resort rules allow any resident of the RV resort to use the
computers; however, only members of the computer club are allowed to
print. Their membership dues are used to purchase paper and printer
supplies. Previously, we had no way to control the number of pages
that any user could print. As a result, printing costs were out of
control. This season, each member was issued a user number and password
when he or she joined. When a print job is received, the command-line script
defined for that printer performs the following steps:
- The number of pages is counted by inspecting the appropriate lines
in the PostScript file.
- The number of pages in the job and the IP number of the submitting
computer are passed to a program that attempts a TCP connection to a
special server program running on the Windows workstation. If the
connection is refused, the print job is discarded immediately;
otherwise, a request for a user number and password is sent.
- Once the user data has been entered or the timeout period has expired,
the result is passed back to the Linux machine. If the password does not
match the accounting-file entry for that user, the program asks again.
After three tries, a suitable message is sent to the user and the print
job is aborted.
- Once a valid password has been received, we verify that the number of
pages in the job and the total pages for the season are within limits.
If either test fails, the job is aborted.
- When all tests have passed, the print job is sent to the print spooler
and the totals for the season are updated.
Even though our season limits of 100 color and 1000 black/white pages
are generous, the authentication step and the psychological effect of a
seasonal ceiling have halved our print costs.
During the authentication process described above, user numbers and
passwords are transmitted in the clear. The security risk is acceptable,
as these passwords are not used with any login account. Many of the users
have written their number and password on the back of their name badge,
which is a more severe security risk.
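The core of the procedure above, page counting and limit enforcement, can be shown in a few dozen lines. The block below is an added example written for this article; it is not the club's process_bw script. The accounting table and its field names, the member number and password, and the sample PostScript job are constructed for illustration, and the TCP exchange with the helper program on the Windows workstation is left out (the password attempts are simply passed in as a list).

```python
"""Print-accounting steps from the article, as an added example: count
the pages of a PostScript job from its DSC comments, check the member's
password with at most three tries, and enforce the per-season limits.
Not the club's process_bw script; ACCOUNTS and SAMPLE_JOB are made up.
"""
import hmac

SEASON_LIMITS = {"bw": 1000, "color": 100}   # limits quoted in the article
MAX_TRIES = 3                                # password attempts per job

# Constructed accounting table: member number -> record, with pages
# used this season kept per printer class.
ACCOUNTS = {
    "1042": {"password": "tulip7", "bw": 998, "color": 12},
}

# Constructed DSC-conformant job whose header defers the page count to
# the trailer ("(atend)"), as many Windows drivers emit it.
SAMPLE_JOB = (b"%!PS-Adobe-3.0\n"
              b"%%Title: newsletter.doc\n"
              b"%%Pages: (atend)\n"
              b"%%EndComments\n"
              b"%%Page: 1 1\nshowpage\n"
              b"%%Page: 2 2\nshowpage\n"
              b"%%Page: 3 3\nshowpage\n"
              b"%%Trailer\n"
              b"%%Pages: 3\n"
              b"%%EOF\n")


def count_pages(ps):
    """Page count from the DSC comments of a PostScript job.

    A numeric '%%Pages: N' line wins, and a later one (the trailer)
    overrides an earlier one; if no numeric count is declared, the
    '%%Page:' markers are counted.  A job that declares no pages at all
    is refused rather than passed through, since an uncounted job would
    slip past the quota.
    """
    declared, markers = None, 0
    for raw in ps.splitlines():
        line = raw.strip()
        if line.startswith(b"%%Pages:"):
            fields = line[len(b"%%Pages:"):].split()
            if fields and fields[0].isdigit():
                declared = int(fields[0])
        elif line.startswith(b"%%Page:"):
            markers += 1
    pages = markers if declared is None else declared
    if pages <= 0:
        raise ValueError("job declares no pages; refusing to print it uncounted")
    return pages


def authenticate(member, attempts):
    """True if one of the first MAX_TRIES attempts matches the stored
    password.  compare_digest avoids a timing side channel, cheap
    insurance even though, as the article notes, the password itself
    crosses the wire in the clear."""
    record = ACCOUNTS.get(member)
    if record is None:
        return False
    expected = record["password"].encode()
    for attempt in list(attempts)[:MAX_TRIES]:
        if hmac.compare_digest(expected, attempt.encode()):
            return True
    return False


def authorize(member, pages, kind):
    """The two limit tests: the job alone must fit under the season
    limit, and the season total after it must too.  The running total
    is updated only when the job is accepted."""
    limit, record = SEASON_LIMITS[kind], ACCOUNTS[member]
    if pages > limit:
        return False, f"{pages}-page job exceeds the {limit}-page season limit"
    left = limit - record[kind]
    if pages > left:
        return False, f"only {left} {kind} pages left this season"
    record[kind] += pages
    return True, f"accepted; {record[kind]} of {limit} {kind} pages used"


def process_job(ps, member, attempts, kind):
    """The steps in the article's order: count, authenticate, check the
    limits.  Returns (accepted, message for the user)."""
    try:
        pages = count_pages(ps)
    except ValueError as err:
        return False, str(err)
    if not authenticate(member, attempts):
        return False, "authentication failed after %d tries" % MAX_TRIES
    return authorize(member, pages, kind)
```

With the constructed record, a three-page black/white job for member 1042 is refused because only two pages remain in the season, the same job on the color printer is accepted and brings the color total to 15, and a fourth password attempt is never considered. Counting from the trailer matters: a script that reads only the first %%Pages: line sees "(atend)" and, unless it falls back as above, either rejects every such job or lets it through uncounted.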
File Shares
Club rules prohibit a user from storing any files or installing any new
programs on the Windows workstations. These rules are enforced through
the usage of a program called GoBack, operated in auto-revert mode. Whenever the
computer is rebooted, any files that have been deleted are restored and
any files that have been added are deleted.
As the users have legitimate
needs to store files, a number of Samba file shares are defined. The
first of these is a public share that is mounted as disk drive S on
all of the workstations. Files on this share can be accessed from all
computers without any authentication. Of course, the users are warned
not to store any sensitive information in this location. The section
of smb.conf that describes this share is shown below:
[guest]
# path to this share
path = /home/samba
# no password needed
public = yes
# read/write
writable = yes
# not a printer share
printable = no
# can be browsed with Windows Explorer, etc.
browsable = yes
To store some files that need to be accessed without a password but that
should be kept separate, another share is defined but not mounted on any
workstation. These files may be accessed by browsing My Network Places,
but they require enough effort to reach them that they will not be accidentally
destroyed.
[xphone]
# path to this share
path = /home/xphone
# no password needed
public = yes
# read/write
writable = yes
# not a printer share
printable = no
# can be browsed with Windows Explorer, etc.
browsable = yes
To store our membership database and our Web site files, a
password-protected share has also been defined. It differs from the
others by setting public to no and naming a valid user. Note: web is not
a login account on the Linux side; it is authenticated against the Samba
password file, which is maintained with the separate smbpasswd program.
Once a workstation has logged in to this share, the connection is
dropped after it has been dormant for five minutes, the deadtime set in
the global section above. Authentication for this share is encrypted.
[web]
# path to this share
path = /home/web
# password needed
public = no
# read/write
writable = yes
# not a print share
printable = no
# can be browsed
browsable = yes
# the only user allowed on this share
valid users = web
None of these Samba shares has a quota attached. To prevent a user from
filling the disk with large numbers of huge files and starving the rest
of the system, /home, the root of all the Samba file shares, lives on a
separate partition. In our case that partition is even on a separate
disk, but that may not be necessary for other installations.
Preview of the Next Article
The next and last article in this series will describe how we use our
server to provide VPN tunnels that secure the transmissions of our users
over a Wi-Fi network, which is required to be unsecured.
Resources
"Linux in a Windows Workstation Environment: Part 1"
Home Page for SMB/CIFS Server Software
Home Page for Apache Web Server Software
wput, a command-line FTP client useful for script-driven updates of an external site
Mesa Regal Computer Club Home Page
Larry Finger is retired from the Carnegie Institution of Washington,
Washington DC, and currently is the volunteer technical advisor for the
computer club of the Mesa Regal RV Resort, Mesa, Arizona. Besides
maintaining the system described in this article series, he also
collaborates in the development of a program to display models of
crystal structures.
Comments
hello my name is josh and i was wondering how you put out comment
wput link is down .... :(
It works now - must have been temporary.