Home

Linux in a Windows Workstation Environment, Part II: Local Network Support

Mar 15, 2005  By Larry Finger
 in
Setting up local network support for file shares, print serving and intranet services.
Print Shares

The next section defines the parameters for a printer driver download area. If this section is properly defined, it is possible to install the printer drivers on a Windows client without needing to have any other source for the driver files. 


[print$]
   path = /usr/local/samba/drivers # the root location for the driver tree
   browseable = yes 
   public = yes                    # accessed without password
   read only = yes                 # cannot be written
   write list = root               #   except by the superuser

The [printers] section defines parameters that are common to all printers. 


[printers]
   comment = All Printers
   path = /var/spool/samba         # spool directory
   printer admin = root            # the administrator account
   public = yes                    # no authentication needed
   printable = yes                 # spool files OK for this share
   use client driver = no          # 
   browsable = yes                 # can be browsed 
   read only = yes

Each of our printers available to Windows clients is defined by a separate stanza. The name inside the brackets, bw_laser, is the name reported. The print command is the command spawned when a print job has been received. In most cases, this would be a simple call to the lpr command. Our system, however, does additional processing before calling the printer spooler, as explained below. In this line, the %s macro expands to the name of the spool file, and %I expands to the IP address of the client. 


[bw_laser]
   min print space = 1000          # minimum spool space in kB
   printable = yes                 # spool files OK for this share
   print command = /usr/local/samba/lib/process_bw %s %I

Resort rules allow any resident of the RV resort to use the computers; however, only members of the computer club are allowed to print. Their membership dues are used to purchase paper and printer supplies. Previously, we had no way to control the number of pages that any user could print. As a result, printing costs were out of control. This season, each member was issued a user number and password when he or she joined. When a print job is received, the command-line script defined for that printer performs the following steps:

  1. The number of pages is counted by inspecting the appropriate lines in the Postscript file.

  2. The number of pages in the job and the IP number of the submitting computer are passed to a program that attempts a TCP connection with a special server program running on the Windows workstation. If the connection is rejected, the print job immediately is discarded; otherwise, a request for a user number and password is sent.

  3. Once the user data is entered or a timeout period is exceeded, the results are passed back to the Linux machine. If the password does not match the accounting-file entry for that user, the program tries again. After three tries, a suitable message is sent to the user and the print job is aborted.

  4. Once a valid password has been received, we then verify that the number of pages in the job and the total pages for the season are within limits. If either test fails, the job is aborted.

  5. When all tests are passed, the print job is sent to the print spooler, and the totals for the season are updated. Even though our season limits of 100 color and 1000 black/white pages are generous, the authentication process and the psychological factors associated with the upper limit for the season have cut our print costs by a factor of 2.

During the authentication process described above, user numbers and passwords are transmitted in the clear. The security risk is acceptable, as these passwords are not used with any login account. Many of the users have written their number and password on the back of their name badge, which is a more severe security risk.

File Shares

Club rules prohibit a user from storing any files or installing any new programs on the Windows workstations. These rules are enforced through the usage of a program called GoBack, operated in auto-revert mode. Whenever the computer is rebooted, any files that have been deleted are restored and any files that have been added are deleted.

As the users have legitimate needs to store files, a number of Samba file shares are defined. The first of these is a public share that is mounted as disk drive S on all of the workstations. Files on this share can be accessed from all computers without any authentication. Of course, the users are warned not to store any sensitive information in this location. The section of smb.conf that describes this share is shown below: 


[guest]                            # share name
   path = /home/samba              # path to this share
   public = yes                    # no password needed
   writable = yes                  # read/write
   printable = no                  #  but not a printer share
   browsable = yes                 # can be browsed with Windows Explorer, etc.

To store some files that need to be accessed without a password but that should be kept separate, another share is defined but not mounted on any workstation. These files may be accessed by browsing My Network Places, but they require enough effort to reach them that they will not be accidentally destroyed. 


[xphone]                           # share name
   path = /home/xphone             # path
   public = yes                    # no password needed
   writable = yes                  # read/write
   printable = no                  #  but not a printer share
   browsable = yes                 # can be browsed with Windows Explorer, etc.

To store our membership database and our Web site files, a password-protected share also has been defined. It differs from the others by setting the public keyword to no and setting the name of a valid user. Note: There is no web account in the Linux-user database; it exists only in the Samba password system, which is maintained by a separate program. Once a given workstation has logged into this share, the connection is disconnected when it has been dormant for five minutes. This time was defined in the global section above. Authentication for this share is encrypted. 


[web]                              # share name
   path = /home/web                # path
   public = no                     # password needed
   writable = yes                  # read/write
   printable = no                  # not a print share
   browsable = yes                 # can be browsed
   valid users = web               # the user for this share

None of these Samba shares have any quotas attached to them. To prevent the possibility of some user creating large numbers of huge files and depriving the Linux kernel of working room, a separate partition has been established for /home, which is the root of all the Samba file shares. In our case, this separate partition is even on a separate disk, but that may not be necessary for other installations.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

hello my name is josh and i w

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 04/19/2005 - 07:43.

hello my name is josh and i was wandering how you put out comment

wput link is down .... :(

Anonymous's picture
Submitted by Anonymous (not verified) on Fri, 03/25/2005 - 13:09.

wput link is down .... :(

It works now - must have been

Larry's picture
Submitted by Larry (not verified) on Wed, 03/30/2005 - 00:19.

It works now - must have been temporary.

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState