Linux in a Windows Workstation Environment, Part II: Local Network Support
The next section defines the parameters for a printer driver download area. If this section is properly defined, it is possible to install the printer drivers on a Windows client without needing to have any other source for the driver files.
[print$] path = /usr/local/samba/drivers # the root location for the driver tree browseable = yes public = yes # accessed without password read only = yes # cannot be written write list = root # except by the superuser
The [printers] section defines parameters that are common to all printers.
[printers] comment = All Printers path = /var/spool/samba # spool directory printer admin = root # the administrator account public = yes # no authentication needed printable = yes # spool files OK for this share use client driver = no # browsable = yes # can be browsed read only = yes
Each of our printers available to Windows clients is defined by a separate stanza. The name inside the brackets, bw_laser, is the name reported. The print command is the command spawned when a print job has been received. In most cases, this would be a simple call to the lpr command. Our system, however, does additional processing before calling the printer spooler, as explained below. In this line, the %s macro expands to the name of the spool file, and %I expands to the IP address of the client.
[bw_laser] min print space = 1000 # minimum spool space in kB printable = yes # spool files OK for this share print command = /usr/local/samba/lib/process_bw %s %I
Resort rules allow any resident of the RV resort to use the computers; however, only members of the computer club are allowed to print. Their membership dues are used to purchase paper and printer supplies. Previously, we had no way to control the number of pages that any user could print. As a result, printing costs were out of control. This season, each member was issued a user number and password when he or she joined. When a print job is received, the command-line script defined for that printer performs the following steps:
The number of pages is counted by inspecting the appropriate lines in the Postscript file.
The number of pages in the job and the IP number of the submitting computer are passed to a program that attempts a TCP connection with a special server program running on the Windows workstation. If the connection is rejected, the print job immediately is discarded; otherwise, a request for a user number and password is sent.
Once the user data is entered or a timeout period is exceeded, the results are passed back to the Linux machine. If the password does not match the accounting-file entry for that user, the program tries again. After three tries, a suitable message is sent to the user and the print job is aborted.
Once a valid password has been received, we then verify that the number of pages in the job and the total pages for the season are within limits. If either test fails, the job is aborted.
When all tests are passed, the print job is sent to the print spooler, and the totals for the season are updated. Even though our season limits of 100 color and 1000 black/white pages are generous, the authentication process and the psychological factors associated with the upper limit for the season have cut our print costs by a factor of 2.
During the authentication process described above, user numbers and passwords are transmitted in the clear. The security risk is acceptable, as these passwords are not used with any login account. Many of the users have written their number and password on the back of their name badge, which is a more severe security risk.
Club rules prohibit a user from storing any files or installing any new programs on the Windows workstations. These rules are enforced through the usage of a program called GoBack, operated in auto-revert mode. Whenever the computer is rebooted, any files that have been deleted are restored and any files that have been added are deleted.
As the users have legitimate needs to store files, a number of Samba file shares are defined. The first of these is a public share that is mounted as disk drive S on all of the workstations. Files on this share can be accessed from all computers without any authentication. Of course, the users are warned not to store any sensitive information in this location. The section of smb.conf that describes this share is shown below:
[guest] # share name path = /home/samba # path to this share public = yes # no password needed writable = yes # read/write printable = no # but not a printer share browsable = yes # can be browsed with Windows Explorer, etc.
To store some files that need to be accessed without a password but that should be kept separate, another share is defined but not mounted on any workstation. These files may be accessed by browsing My Network Places, but they require enough effort to reach them that they will not be accidentally destroyed.
[xphone] # share name path = /home/xphone # path public = yes # no password needed writable = yes # read/write printable = no # but not a printer share browsable = yes # can be browsed with Windows Explorer, etc.
To store our membership database and our Web site files, a password-protected share also has been defined. It differs from the others by setting the public keyword to no and setting the name of a valid user. Note: There is no web account in the Linux-user database; it exists only in the Samba password system, which is maintained by a separate program. Once a given workstation has logged into this share, the connection is disconnected when it has been dormant for five minutes. This time was defined in the global section above. Authentication for this share is encrypted.
[web] # share name path = /home/web # path public = no # password needed writable = yes # read/write printable = no # not a print share browsable = yes # can be browsed valid users = web # the user for this share
None of these Samba shares have any quotas attached to them. To prevent the possibility of some user creating large numbers of huge files and depriving the Linux kernel of working room, a separate partition has been established for /home, which is the root of all the Samba file shares. In our case, this separate partition is even on a separate disk, but that may not be necessary for other installations.
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
|Concerning Containers' Connections: on Docker Networking||Aug 26, 2015|
|My Network Go-Bag||Aug 24, 2015|
|Doing Astronomy with Python||Aug 19, 2015|
- Using tshark to Watch and Inspect Network Traffic
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- Concerning Containers' Connections: on Docker Networking
- A Project to Guarantee Better Security for Open-Source Projects
- Where's That Pesky Hidden Word?
- Firefox Security Exploit Targets Linux Users and Web Developers
- My Network Go-Bag
- Doing Astronomy with Python
- Build a “Virtual SuperComputer” with Process Virtualization
- diff -u: What's New in Kernel Development