1 |
<?xml version='1.0' encoding='UTF-8'?> |
2 |
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/quick-samba-howto.xml,v 1.10 2004/08/11 14:34:34 swift Exp $ --> |
3 |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
4 |
<guide link="quick-samba-howto.xml"> |
5 |
<title>Gentoo Samba3/CUPS/Clam AV HOWTO</title> |
6 |
<author title="Author"> |
7 |
<mail link="daff at dword dot org">Andreas "daff" Ntaflos</mail> |
8 |
</author> |
9 |
<author title="Author"> |
10 |
<mail link="joshua@sungentoo.homeunix.com">Joshua Preston</mail> |
11 |
</author> |
12 |
|
13 |
<abstract> |
14 |
Setup, install and configure a Samba Server under Gentoo that shares |
15 |
files, printers without the need to install drivers and provides |
16 |
automatic virus scanning. |
17 |
</abstract> |
18 |
|
19 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
20 |
<!-- See http://creativecommons.org/licenses/by-sa/1.0 --> |
21 |
<license/> |
22 |
|
23 |
<version>1.8</version> |
24 |
<date>August 20, 2004</date> |
25 |
|
26 |
<chapter> |
27 |
<title>Introduction to this HOWTO</title> |
28 |
<section> |
29 |
<title>Purpose</title> |
30 |
<body> |
31 |
|
32 |
<p> |
33 |
This HOWTO is designed to help you move a network from many different |
34 |
clients speaking different languages, to many different machines that |
35 |
speak a common language. The ultimate goal is to help differing |
36 |
architectures and technologies, come together in a productive, |
37 |
happily coexisting environment. |
38 |
</p> |
39 |
|
40 |
<p> |
41 |
Following the directions outlined in this HOWTO should give you an |
42 |
excellent step towards a peaceful cohabitation between Windows, and |
43 |
virtually all known variations of *nix. |
44 |
</p> |
45 |
|
46 |
<p> |
47 |
This HOWTO originally started not as a HOWTO, but as a FAQ. It was |
48 |
intended to explore the functionality and power of the Gentoo system, |
49 |
portage and the flexibility of USE flags. Like so many other projects, |
50 |
it was quickly discovered what was missing in the Gentoo realm: there |
51 |
weren't any Samba HOWTO's catered for Gentoo users. These users are |
52 |
more demanding than most; they require performance, flexibility and |
53 |
customization. This does not however imply that this HOWTO was not |
54 |
intended for other distributions; rather that it was designed to work |
55 |
with a highly customized version of Samba. |
56 |
</p> |
57 |
|
58 |
<p> |
59 |
This HOWTO will describe how to share files and printers between Windows |
60 |
PCs and *nix PCs. It will also demonstrate the use of the VFS (Virtual |
61 |
File System) feature of Samba to incorporate automatic virus protection. |
62 |
As a finale, it will show you how to mount and manipulate shares. |
63 |
</p> |
64 |
|
65 |
<p> |
66 |
There are a few topics that will be mentioned, but are out of the |
67 |
scope of this HOWTO. These will be noted as they are presented. |
68 |
</p> |
69 |
|
70 |
<p> |
71 |
This HOWTO is based on a compilation and merge of an excellent HOWTO |
72 |
provided in the <uri link="http://forums.gentoo.org">Gentoo forums</uri> |
73 |
by Andreas "daff" Ntaflos and the collected knowledge of Joshua Preston. |
74 |
The link to this discussion is provided below for your reference: |
75 |
</p> |
76 |
|
77 |
<ul> |
78 |
<li> |
79 |
<uri link="http://forums.gentoo.org/viewtopic.php?t=110931">HOWTO |
80 |
CUPS+Samba: printing from Windows & Linux</uri> |
81 |
</li> |
82 |
</ul> |
83 |
|
84 |
</body> |
85 |
</section> |
86 |
<section> |
87 |
<title>Before you use this guide</title> |
88 |
<body> |
89 |
|
90 |
<p> |
91 |
There are a several other guides for setting up CUPS and/or Samba, please read |
92 |
them as well, as they may tell you things left out of this HOWTO (intentional |
93 |
or otherwise). One such document is the very useful and well written <uri |
94 |
link="/doc/en/printing-howto.xml">Gentoo Printing Guide</uri>, as configuration |
95 |
issues and specific printer setup is not discussed here. |
96 |
</p> |
97 |
|
98 |
</body> |
99 |
</section> |
100 |
<section> |
101 |
<title>Brief Overview</title> |
102 |
<body> |
103 |
|
104 |
<p> |
105 |
After presenting the various USE flags, the following list will outline |
106 |
all of the topics covered as they are presented: |
107 |
</p> |
108 |
|
109 |
<ul> |
110 |
<li>On the Samba server: |
111 |
<ul> |
112 |
<li>Install and configure CLAM-AV</li> |
113 |
<li>Install and configure Samba</li> |
114 |
<li>Install and configure CUPS</li> |
115 |
<li>Adding the printer to CUPS</li> |
116 |
<li>Adding the PS drivers for the Windows clients</li> |
117 |
</ul> |
118 |
</li> |
119 |
<li>On the Unix clients: |
120 |
<ul> |
121 |
<li>Install and configure CUPS</li> |
122 |
<li>Configuring a default printer</li> |
123 |
<li>Mounting a Windows or Samba share</li> |
124 |
</ul> |
125 |
</li> |
126 |
<li>On the Windows Clients: |
127 |
<ul> |
128 |
<li>Configuring the printer</li> |
129 |
<li>Accessing Samba shares</li> |
130 |
</ul> |
131 |
</li> |
132 |
</ul> |
133 |
|
134 |
</body> |
135 |
</section> |
136 |
<section> |
137 |
<title>Requirements</title> |
138 |
<body> |
139 |
|
140 |
<p> |
141 |
We will need the following: |
142 |
</p> |
143 |
|
144 |
<ul> |
145 |
<li>net-fs/samba</li> |
146 |
<li>app-antivirus/clamav</li> |
147 |
<li>net-print/cups</li> |
148 |
<li>net-print/foomatic</li> |
149 |
<li>net-print/hpijs (if you have an HP printer)</li> |
150 |
<li>A kernel of sorts (preferably 2.4.24+ or 2.6.x)</li> |
151 |
<li>A printer (PS or non-PS, maybe not TOO new or fancy)</li> |
152 |
<li> |
153 |
A working network (home/office/etc) consisting of more than one machine) |
154 |
</li> |
155 |
</ul> |
156 |
|
157 |
<p> |
158 |
The main package we use here is net-fs/samba, however, you will need |
159 |
a kernel with smbfs support enabled in order to mount a samba or windows |
160 |
share from another computer. CUPS will be emerged if it is not already. |
161 |
app-antivirus/clamav will be used also, but others should be easily adapted |
162 |
to work with Samba. |
163 |
</p> |
164 |
|
165 |
</body> |
166 |
</section> |
167 |
</chapter> |
168 |
|
169 |
<chapter> |
170 |
<title>Getting acquainted with Samba</title> |
171 |
<section> |
172 |
<title>The USE Flags</title> |
173 |
<body> |
174 |
|
175 |
<p> |
176 |
Before emerging anything, take a look at the various USE flags |
177 |
available to Samba. |
178 |
</p> |
179 |
|
180 |
<pre caption="Samba uses the following USE Variables:"> |
181 |
kerberos mysql xml acl cups ldap pam readline python oav |
182 |
</pre> |
183 |
|
184 |
<p> |
185 |
Depending on the network topology and the specific requirements of |
186 |
the server, the USE flags outlined below will define what to include or |
187 |
exclude from the emerging of Samba. |
188 |
</p> |
189 |
|
190 |
<table> |
191 |
<tr> |
192 |
<th><b>USE flag</b></th> |
193 |
<th>Description</th> |
194 |
</tr> |
195 |
<tr> |
196 |
<th><b>kerberos</b></th> |
197 |
<ti> |
198 |
Include support for Kerberos. The server will need this if it is |
199 |
intended to join an existing domain or Active Directory. See the note |
200 |
below for more information. |
201 |
</ti> |
202 |
</tr> |
203 |
<tr> |
204 |
<th><b>mysql</b></th> |
205 |
<ti> |
206 |
This will allow Samba to use MySQL in order to do password authentication. |
207 |
It will store ACLs, usernames, passwords, etc in a database versus a |
208 |
flat file. If Samba is needed to do password authentication, such as |
209 |
acting as a password validation server or a Primary Domain Controller |
210 |
(PDC). |
211 |
</ti> |
212 |
</tr> |
213 |
<tr> |
214 |
<th><b>xml</b></th> |
215 |
<ti> |
216 |
The xml USE option for Samba provides a password database backend allowing |
217 |
Samba to store account details in XML files, for the same reasons listed in |
218 |
the mysql USE flag description. |
219 |
</ti> |
220 |
</tr> |
221 |
<tr> |
222 |
<th><b>acl</b></th> |
223 |
<ti> |
224 |
Enables Access Control Lists. The ACL support in Samba uses a patched |
225 |
ext2/ext3, or SGI's XFS in order to function properly as it extends more |
226 |
detailed access to files or directories; much more so than typical *nix |
227 |
GID/UID schemas. |
228 |
</ti> |
229 |
</tr> |
230 |
<tr> |
231 |
<th><b>cups</b></th> |
232 |
<ti> |
233 |
This enables support for the Common Unix Printing System. This |
234 |
provides an interface allowing local CUPS printers to be shared to |
235 |
other systems in the network. |
236 |
</ti> |
237 |
</tr> |
238 |
<tr> |
239 |
<th><b>ldap</b></th> |
240 |
<ti> |
241 |
Enables the Lightweight Directory Access Protocol (LDAP). If Samba is |
242 |
expected to use Active Directory, this option must be used. This would |
243 |
be used in the event Samba needs to login to or provide login to |
244 |
a Domain/Active Directory Server. The kerberos USE flag is needed for |
245 |
proper functioning of this option. |
246 |
</ti> |
247 |
</tr> |
248 |
<tr> |
249 |
<th><b>pam</b></th> |
250 |
<ti> |
251 |
Include support for pluggable authentication modules (PAM). This |
252 |
provides the ability to authenticate users on the Samba Server, which is |
253 |
required if users have to login to your server. The kerberos USE flag |
254 |
is recommended along with this option. |
255 |
</ti> |
256 |
</tr> |
257 |
<tr> |
258 |
<th><b>readline</b></th> |
259 |
<ti> |
260 |
Link Samba again libreadline. This is highly recommended and should |
261 |
probably not be disabled |
262 |
</ti> |
263 |
</tr> |
264 |
<tr> |
265 |
<th><b>python</b></th> |
266 |
<ti> |
267 |
Python bindings API. Provides an API that will allow Python to |
268 |
interface with Samba. |
269 |
</ti> |
270 |
</tr> |
271 |
<tr> |
272 |
<th><b>oav</b></th> |
273 |
<ti> |
274 |
Provides on-access scanning of Samba shares with FRISK F-Prot |
275 |
Daemon, Kaspersky AntiVirus, OpenAntiVirus.org ScannerDaemon, Sophos Sweep |
276 |
(SAVI), Symantec CarrierScan, and Trend Micro (VSAPI). |
277 |
</ti> |
278 |
</tr> |
279 |
</table> |
280 |
|
281 |
<p> |
282 |
A couple of things worth mentioning about the USE flags and different |
283 |
Samba functions include: |
284 |
</p> |
285 |
|
286 |
<ul> |
287 |
<li> |
288 |
ACLs on ext2/3 are implemented through extended attributes (EAs). EA and |
289 |
ACL kernel options for ext2 and/or ext3 will need to be enabled |
290 |
(depending on which file system is being used - both can be enabled). |
291 |
</li> |
292 |
<li> |
293 |
While Active Directory, ACL, and PDC functions are out of the intended |
294 |
scope of this HOWTO, you may find these links as helpful to your cause: |
295 |
<ul> |
296 |
<li><uri>http://www.bluelightning.org/linux/samba_acl_howto/</uri></li> |
297 |
<li><uri>http://open-projects.linuxcare.com/research-papers/winbind-08162000.html</uri></li> |
298 |
<li><uri>http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory</uri></li> |
299 |
</ul> |
300 |
</li> |
301 |
</ul> |
302 |
|
303 |
</body> |
304 |
</section> |
305 |
</chapter> |
306 |
|
307 |
<chapter> |
308 |
<title>Server Software Installation</title> |
309 |
<section> |
310 |
<title>Emerging Samba</title> |
311 |
<body> |
312 |
|
313 |
<p> |
314 |
First of all: be sure that all your hostnames resolve correctly. |
315 |
Either have a working domain name system running on your network |
316 |
or appropriate entries in your <path>/etc/hosts</path> file. |
317 |
<c>cupsaddsmb</c> often borks if hostnames don't point to the correct |
318 |
machines. |
319 |
</p> |
320 |
|
321 |
<p> |
322 |
Hopefully now you can make an assessment of what you'll actually need in |
323 |
order to use Samba with your particular setup. The setup used for this |
324 |
HOWTO is: |
325 |
</p> |
326 |
|
327 |
<ul> |
328 |
<li>oav</li> |
329 |
<li>cups</li> |
330 |
<li>readline</li> |
331 |
<li>pam</li> |
332 |
</ul> |
333 |
|
334 |
<p> |
335 |
To optimize performance, size and the time of the build, the |
336 |
USE flags are specifically included or excluded. |
337 |
</p> |
338 |
|
339 |
<pre caption="Emerge Samba"> |
340 |
<comment>(Note the USE flags!)</comment> |
341 |
# <i>USE="oav readline cups pam -python -ldap -kerberos -xml -acl -mysql" emerge net-fs/samba</i> |
342 |
</pre> |
343 |
|
344 |
<note> |
345 |
The following archs will need to add <e>~</e> to their <e>KEYWORDS</e>: x86, |
346 |
ppc, sparc, hppa, ia64 and alpha |
347 |
</note> |
348 |
|
349 |
<p> |
350 |
This will emerge Samba and CUPS (if CUPS is not already emerged). |
351 |
</p> |
352 |
|
353 |
</body> |
354 |
</section> |
355 |
<section> |
356 |
<title>Emerging Clam AV</title> |
357 |
<body> |
358 |
|
359 |
<p> |
360 |
Because the <e>oav</e> USE flag only provides an interface to allow on access |
361 |
virus scanning, the actual virus scanner must be emerged. The scanner |
362 |
used in this HOWTO is Clam AV. |
363 |
</p> |
364 |
|
365 |
<pre caption="Emerge clam-av"> |
366 |
# <i>emerge app-antivirus/clamav</i> |
367 |
</pre> |
368 |
|
369 |
</body> |
370 |
</section> |
371 |
<section> |
372 |
<title>Emerging foomatic</title> |
373 |
<body> |
374 |
|
375 |
<pre caption="Emerge foomatic"> |
376 |
# <i>emerge net-print/foomatic</i> |
377 |
</pre> |
378 |
|
379 |
</body> |
380 |
</section> |
381 |
<section> |
382 |
<title>Emerging net-print/hpijs</title> |
383 |
<body> |
384 |
|
385 |
<p> |
386 |
You only need to emerge this if you use an HP printer. |
387 |
</p> |
388 |
|
389 |
<pre caption="Emerge hpijs"> |
390 |
# <i>emerge net-print/hpijs</i> |
391 |
</pre> |
392 |
|
393 |
</body> |
394 |
</section> |
395 |
</chapter> |
396 |
|
397 |
<chapter> |
398 |
<title>Server Configuration</title> |
399 |
<section> |
400 |
<title>Configuring Samba</title> |
401 |
<body> |
402 |
|
403 |
<p> |
404 |
The main Samba configuration file is <path>/etc/samba/smb.conf</path>. |
405 |
It is divided in sections indicated by [sectionname]. Comments are either |
406 |
# or ;. A sample <path>smb.conf</path> is included below with comments and |
407 |
suggestions for modifications. If more details are required, see the |
408 |
man page for <path>smb.conf</path>, the installed |
409 |
<path>smb.conf.example</path>, the Samba Web site or any of the |
410 |
numerous Samba books available. |
411 |
</p> |
412 |
|
413 |
<pre caption="A Sample /etc/samba/smb.conf"> |
414 |
[global] |
415 |
<comment># Replace MYWORKGROUPNAME with your workgroup/domain</comment> |
416 |
workgroup = <comment>MYWORKGROUPNAME</comment> |
417 |
<comment># Of course this has no REAL purpose other than letting |
418 |
# everyone know its not Windows! |
419 |
# %v prints the version of Samba we are using.</comment> |
420 |
server string = Samba Server %v |
421 |
<comment># We are going to use cups, so we are going to put it in here ;-)</comment> |
422 |
printcap name = cups |
423 |
printing = cups |
424 |
load printers = yes |
425 |
<comment># We want a log file and we do not want it to get bigger than 50kb.</comment> |
426 |
log file = /var/log/samba/log.%m |
427 |
max log size = 50 |
428 |
<comment># We are going to set some options for our interfaces...</comment> |
429 |
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 |
430 |
<comment># This is a good idea, what we are doing is binding the |
431 |
# samba server to our local network. |
432 |
# For example, if eth0 is our local network device</comment> |
433 |
interfaces = lo <i>eth0</i> |
434 |
bind interfaces only = yes |
435 |
<comment># Now we are going to specify who we allow, we are afterall |
436 |
# very security conscience, since this configuration does |
437 |
# not use passwords!</comment> |
438 |
hosts allow = 127.0.0.1 <i>192.168.1.0/24</i> |
439 |
hosts deny = 0.0.0.0/0 |
440 |
<comment># Other options for this are USER, DOMAIN, ADS, and SERVER |
441 |
# The default is user</comment> |
442 |
security = share |
443 |
<comment># No passwords, so we're going to use a guest account!</comment> |
444 |
guest account = samba |
445 |
guest ok = yes |
446 |
<comment># We now will implement the on access virus scanner. |
447 |
# NOTE: By putting this in our [Global] section, we enable |
448 |
# scanning of ALL shares, you could optionally move |
449 |
# these to a specific share and only scan it.</comment> |
450 |
|
451 |
<comment># For Samba 3.x</comment> |
452 |
vfs object = vscan-clamav |
453 |
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf |
454 |
|
455 |
<comment># For Samba 2.2.x</comment> |
456 |
vfs object = /usr/lib/samba/vfs/vscan-clamav.so |
457 |
vfs options = config-file = /etc/samba/vscan-clamav.conf |
458 |
|
459 |
<comment># Now we setup our print drivers information!</comment> |
460 |
[print$] |
461 |
comment = Printer Drivers |
462 |
path = /etc/samba/printer <comment># this path holds the driver structure</comment> |
463 |
guest ok = yes |
464 |
browseable = yes |
465 |
read only = yes |
466 |
<comment># Modify this to "username,root" if you don't want root to |
467 |
# be the only printer admin)</comment> |
468 |
write list = <i>root</i> |
469 |
|
470 |
<comment># Now we'll setup a printer to share, while the name is arbitrary |
471 |
# it should be consistent throughout Samba and CUPS!</comment> |
472 |
[HPDeskJet930C] |
473 |
comment = HP DeskJet 930C Network Printer |
474 |
printable = yes |
475 |
path = /var/spool/samba |
476 |
public = yes |
477 |
guest ok = yes |
478 |
<comment># Modify this to "username,root" if you don't want root to |
479 |
# be the only printer admin)</comment> |
480 |
printer admin = <i>root</i> |
481 |
|
482 |
<comment># Now we setup our printers share. This should be |
483 |
# browseable, printable, public.</comment> |
484 |
[printers] |
485 |
comment = All Printers |
486 |
browseable = no |
487 |
printable = yes |
488 |
writable = no |
489 |
public = yes |
490 |
guest ok = yes |
491 |
path = /var/spool/samba |
492 |
<comment># Modify this to "username,root" if you don't want root to |
493 |
# be the only printer admin)</comment> |
494 |
printer admin = <i>root</i> |
495 |
|
496 |
<comment># We create a new share that we can read/write to from anywhere |
497 |
# This is kind of like a public temp share, anyone can do what |
498 |
# they want here.</comment> |
499 |
[public] |
500 |
comment = Public Files |
501 |
browseable = yes |
502 |
public = yes |
503 |
create mode = 0766 |
504 |
guest ok = yes |
505 |
path = /home/samba/public |
506 |
</pre> |
507 |
|
508 |
<warn> |
509 |
If you like to use Samba's guest account to do anything concerning |
510 |
printing from Windows clients: don't set <c>guest only = yes</c> in |
511 |
the <c>[global]</c> section. The guest account seems to cause |
512 |
problems when running <c>cupsaddsmb</c> sometimes when trying to |
513 |
connect from Windows machines. See below, too, when we talk about |
514 |
<c>cupsaddsmb</c> and the problems that can arise. Use a dedicated |
515 |
printer user, like <c>printeruser</c> or <c>printer</c> or |
516 |
<c>printme</c> or whatever. It doesn't hurt and it will certainly |
517 |
protect you from a lot of problems. |
518 |
</warn> |
519 |
|
520 |
<p> |
521 |
Now create the directories required for the minimum configuration of |
522 |
Samba to share the installed printer throughout the network. |
523 |
</p> |
524 |
|
525 |
<pre caption="Create the directories"> |
526 |
# <i>mkdir /etc/samba/printer</i> |
527 |
# <i>mkdir /var/spool/samba</i> |
528 |
# <i>mkdir /home/samba/public</i> |
529 |
</pre> |
530 |
|
531 |
<p> |
532 |
At least one Samba user is required in order to install the printer |
533 |
drivers and to allow users to connect to the printer. Users must |
534 |
exist in the system's <path>/etc/passwd</path> file. |
535 |
</p> |
536 |
|
537 |
<pre caption="Creating the users"> |
538 |
# <i>smbpasswd -a root</i> |
539 |
|
540 |
<comment>(If another user is to be a printer admin)</comment> |
541 |
# <i>smbpasswd -a username</i> |
542 |
</pre> |
543 |
|
544 |
<p> |
545 |
The Samba passwords need not be the same as the system passwords |
546 |
in <path>/etc/passwd</path>. |
547 |
</p> |
548 |
|
549 |
<p> |
550 |
You will also need to update <path>/etc/nsswitch.conf</path> so that Windows |
551 |
systems can be found easily using NetBIOS: |
552 |
</p> |
553 |
|
554 |
<pre caption="Editing /etc/nsswitch.conf"> |
555 |
# <i>nano -w /etc/nsswitch.conf</i> |
556 |
<comment>(Edit the hosts: line)</comment> |
557 |
hosts: files dns <i>wins</i> |
558 |
</pre> |
559 |
|
560 |
</body> |
561 |
</section> |
562 |
<section> |
563 |
<title>Configuring Clam AV</title> |
564 |
<body> |
565 |
|
566 |
<p> |
567 |
The configuration file specified to be used in <path>smb.conf</path> is |
568 |
<path>/etc/samba/vscan-clamav.conf</path>. While these options are set |
569 |
to the defaults, the infected file action may need to be changed. |
570 |
</p> |
571 |
|
572 |
<pre caption="/etc/samba/vscan-clamav.conf"> |
573 |
[samba-vscan] |
574 |
<comment>; run-time configuration for vscan-samba using |
575 |
; clamd |
576 |
; all options are set to default values</comment> |
577 |
|
578 |
<comment>; do not scan files larger than X bytes. If set to 0 (default), |
579 |
; this feature is disable (i.e. all files are scanned)</comment> |
580 |
max file size = 0 |
581 |
|
582 |
<comment>; log all file access (yes/no). If set to yes, every access will |
583 |
; be logged. If set to no (default), only access to infected files |
584 |
; will be logged</comment> |
585 |
verbose file logging = no |
586 |
|
587 |
<comment>; if set to yes (default), a file will be scanned while opening</comment> |
588 |
scan on open = yes |
589 |
<comment>; if set to yes, a file will be scanned while closing (default is yes)</comment> |
590 |
scan on close = yes |
591 |
|
592 |
<comment>; if communication to clamd fails, should access to file denied? |
593 |
; (default: yes)</comment> |
594 |
deny access on error = yes |
595 |
|
596 |
<comment>; if daemon fails with a minor error (corruption, etc.), |
597 |
; should access to file denied? |
598 |
; (default: yes)</comment> |
599 |
deny access on minor error = yes |
600 |
|
601 |
<comment>; send a warning message via Windows Messenger service |
602 |
; when virus is found? |
603 |
; (default: yes)</comment> |
604 |
send warning message = yes |
605 |
|
606 |
<comment>; what to do with an infected file |
607 |
; quarantine: try to move to quantine directory; delete it if moving fails |
608 |
; delete: delete infected file |
609 |
; nothing: do nothing</comment> |
610 |
infected file action = <comment>delete</comment> |
611 |
|
612 |
<comment>; where to put infected files - you really want to change this! |
613 |
; it has to be on the same physical device as the share!</comment> |
614 |
quarantine directory = /tmp |
615 |
<comment>; prefix for files in quarantine</comment> |
616 |
quarantine prefix = vir- |
617 |
|
618 |
<comment>; as Windows tries to open a file multiple time in a (very) short time |
619 |
; of period, samba-vscan use a last recently used file mechanism to avoid |
620 |
; multiple scans of a file. This setting specified the maximum number of |
621 |
; elements of the last recently used file list. (default: 100)</comment> |
622 |
max lru files entries = 100 |
623 |
|
624 |
<comment>; an entry is invalidated after lru file entry lifetime (in seconds). |
625 |
; (Default: 5)</comment> |
626 |
lru file entry lifetime = 5 |
627 |
|
628 |
<comment>; socket name of clamd (default: /var/run/clamd)</comment> |
629 |
clamd socket name = /var/run/clamd |
630 |
</pre> |
631 |
|
632 |
<p> |
633 |
It is generally a good idea to start the virus scanner immediately. Add |
634 |
it to the <e>default</e> runlevel and then start the <c>clamd</c> service immediately. |
635 |
</p> |
636 |
|
637 |
<pre caption="Add clamd to bootup and start it"> |
638 |
# <i>rc-update add clamd default</i> |
639 |
# <i>/etc/init.d/clamd start</i> |
640 |
</pre> |
641 |
|
642 |
</body> |
643 |
</section> |
644 |
<section> |
645 |
<title>Configuring CUPS</title> |
646 |
<body> |
647 |
|
648 |
<p> |
649 |
This is a little more complicated. CUPS' main config file is |
650 |
<path>/etc/cups/cupsd.conf</path>. It's structure is similar to Apache's |
651 |
<path>httpd.conf</path> file, so many you may find it familiar. Outlined |
652 |
in the example are the directives that need to be changed: |
653 |
</p> |
654 |
|
655 |
<pre caption="/etc/cups/cupsd.conf"> |
656 |
ServerName <i>PrintServer</i> <comment># your printserver name</comment> |
657 |
ServerAdmin <i>root@PrintServer</i> <comment># the person for printer-related hate-mail, eg you</comment> |
658 |
|
659 |
AccessLog /var/log/cups/access_log <comment># probably doesn't need changing</comment> |
660 |
ErrorLog /var/log/cups/error_log <comment># doesn't really need changing either</comment> |
661 |
|
662 |
LogLevel debug <comment># only while isntalling and testing, should later be |
663 |
# changed to 'info'</comment> |
664 |
|
665 |
MaxClients 100 <comment># I've had to set this to 1000000000 or so because some time back, |
666 |
# there seemed to be a bug in CUPS' controlling of the web interface, |
667 |
# making CUPS think a denial of service attack was in progress when |
668 |
# I tried to configure a printer with the web interface. weird.</comment> |
669 |
|
670 |
BrowseAddress @IF(<i>eth0</i>) <comment># Change this to your internal net interface</comment> |
671 |
|
672 |
<Location /> |
673 |
Order Deny,Allow |
674 |
Deny From All |
675 |
Allow From <i>192.168.1.*</i> <comment># the addresses of your internel network |
676 |
# eg 192.168.1.* will allow connections from any host on |
677 |
# the 192.168.1.0 network. change to whatever suits you</comment> |
678 |
</Location> |
679 |
|
680 |
<Location /admin> |
681 |
AuthType Basic |
682 |
AuthClass System |
683 |
Allow From <i>192.168.1.*</i> <comment># same as above, allow any host on the |
684 |
# 192.168.1.0 network to connect and do |
685 |
# administrative tasks after authenticating</comment> |
686 |
Order Deny,Allow |
687 |
Deny From All |
688 |
</Location> |
689 |
</pre> |
690 |
|
691 |
<p> |
692 |
Edit <path>/etc/cups/mime.convs</path> to uncomment some lines. |
693 |
The changes to <path>mime.convs</path> and <path>mime.types</path> are |
694 |
needed to make CUPS print Microsoft Office document files. |
695 |
</p> |
696 |
|
697 |
<pre caption="/etc/cups/mime.convs"> |
698 |
<comment>(The following line is found near the end of the file. Uncomment it)</comment> |
699 |
application/octet-stream application/vnd.cups-raw 0 |
700 |
</pre> |
701 |
|
702 |
<p> |
703 |
Edit <path>/etc/cups/mime.convs</path> to uncomment some lines. |
704 |
</p> |
705 |
|
706 |
<pre caption="/etc/cups/mime.types"> |
707 |
<comment>(The following line is found near the end of the file. Uncomment it)</comment> |
708 |
application/octet-stream |
709 |
</pre> |
710 |
|
711 |
<p> |
712 |
CUPS needs to be started on boot, and started immediately. |
713 |
</p> |
714 |
|
715 |
<pre caption="Setting up the CUPS service" > |
716 |
<comment>(To start CUPS on boot)</comment> |
717 |
# <i>rc-update add cupsd default</i> |
718 |
<comment>(To start CUPS if it isn't started)</comment> |
719 |
# <i>/etc/init.d/cupsd start</i> |
720 |
<comment>(If CUPS is already started we'll need to restart it!)</comment> |
721 |
# <i>/etc/init.d/cupsd restart</i> |
722 |
</pre> |
723 |
|
724 |
</body> |
725 |
</section> |
726 |
<section> |
727 |
<title>Installing a printer for and with CUPS</title> |
728 |
<body> |
729 |
|
730 |
<p> |
731 |
First, go to <uri link="http://linuxprinting.org">LinuxPrinting.Org</uri> to |
732 |
find and download the correct PPD file for your printer and CUPS. To do so, |
733 |
click the link Printer Listings to the left. Select your printers manufacturer |
734 |
and the model in the pulldown menu, eg HP and DeskJet 930C. Click "Show". On |
735 |
the page coming up click the "recommended driver" link after reading the |
736 |
various notes and information. Then fetch the PPD file from the next page, |
737 |
again after reading the notes and introductions there. You may have to select |
738 |
your printers manufacturer and model again. Reading the <uri |
739 |
link="http://www.linuxprinting.org/cups-doc.html">CUPS quickstart guide</uri> |
740 |
is also very helpful when working with CUPS. |
741 |
</p> |
742 |
|
743 |
<p> |
744 |
Now you have a PPD file for your printer to work with CUPS. Place it in |
745 |
<path>/usr/share/cups/model</path>. The PPD for the HP DeskJet 930C was |
746 |
named <path>HP-DeskJet_930C-hpijs.ppd</path>. You should now install the printer. |
747 |
This can be done via the CUPS web interface or via command line. The web |
748 |
interface is found at <path>http://PrintServer:631</path> once CUPS is running. |
749 |
</p> |
750 |
|
751 |
<pre caption="Install the printer via command line"> |
752 |
# <i>lpadmin -p HPDeskJet930C -E -v usb:/dev/ultp0 -m HP-DeskJet_930C-hpijs.ppd</i> |
753 |
</pre> |
754 |
|
755 |
<p> |
756 |
Remember to adjust to what you have. Be sure to have the name |
757 |
(<c>-p</c> argument) right (the name you set above during the Samba |
758 |
configuration!) and to put in the correct <c>usb:/dev/usb/blah</c>, |
759 |
<c>parallel:/dev/blah</c> or whatever device you are using for your |
760 |
printer. |
761 |
</p> |
762 |
|
763 |
<p> |
764 |
You should now be able to access the printer from the web interface |
765 |
and be able to print a test page. |
766 |
</p> |
767 |
|
768 |
</body> |
769 |
</section> |
770 |
<section> |
771 |
<title>Installing the Windows printer drivers</title> |
772 |
<body> |
773 |
|
774 |
<p> |
775 |
Now that the printer should be working it is time to install the drivers |
776 |
for the Windows clients to work. Samba 2.2 introduced this functionality. |
777 |
Browsing to the print server in the Network Neighbourhood, right-clicking |
778 |
on the printershare and selecting "connect" downloads the appropriate |
779 |
drivers automagically to the connecting client, avoiding the hassle of |
780 |
manually installing printer drivers locally. |
781 |
</p> |
782 |
|
783 |
<p> |
784 |
There are two sets of printer drivers for this. First, the Adobe PS |
785 |
drivers which can be obtained from <uri |
786 |
link="http://www.adobe.com/support/downloads/main.html">Adobe</uri> |
787 |
(PostScript printer drivers). Second, there are the CUPS PS drivers, |
788 |
to be obtained from <uri link="http://www.cups.org/software.php">the |
789 |
CUPS homepage</uri> and selecting "CUPS Driver for Windows" from the |
790 |
pull down menu. There doesn't seem to be a difference between the |
791 |
functionality of the two, but the Adobe PS drivers need to be extracted |
792 |
on a Windows System since it's a Windows binary. Also the whole procedure |
793 |
of finding and copying the correct files is a bit more hassle. The CUPS |
794 |
drivers seem to support some options the Adobe drivers don't. |
795 |
</p> |
796 |
|
797 |
<p> |
798 |
This HOWTO uses the CUPS drivers for Windows. The downloaded file is |
799 |
called <path>cups-samba-5.0rc2.tar.gz</path>. Extract the files |
800 |
contained into a directory. |
801 |
</p> |
802 |
|
803 |
<pre caption="Extract the drivers and run the install"> |
804 |
# <i>tar -xzf cups-samba-5.0rc2.tar.gz</i> |
805 |
# <i>cd cups-samba-5.0rc2</i> |
806 |
<comment>(Only use this script if CUPS resides in /usr/share/cups)</comment> |
807 |
# <i>./cups-samba.install</i> |
808 |
</pre> |
809 |
|
810 |
<p> |
811 |
<path>cups-samba.ss</path> is a TAR archive containing three files: |
812 |
<path>cups5.hlp</path>, <path>cupsdrvr5.dll</path> and |
813 |
<path>cupsui5.dll</path>. These are the actual driver files. |
814 |
</p> |
815 |
|
816 |
<warn> |
817 |
The script <c>cups-samba.install</c> may not work for all *nixes (ie FreeBSD) |
818 |
because almost everything which is not part of the base system is |
819 |
installed somewhere under the prefix <path>/usr/local/</path>. This |
820 |
seems not to be the case for most things you install under GNU/Linux. |
821 |
However, if your CUPS installation is somewhere other than |
822 |
<path>/usr/share/cups/</path> see the example below. |
823 |
</warn> |
824 |
|
825 |
<p> |
826 |
Suppose your CUPS installation resides under |
827 |
<path>/usr/local/share/cups/</path>, and you want to install the drivers there. |
828 |
Do the following: |
829 |
</p> |
830 |
|
831 |
<pre caption="Manually installing the drivers"> |
832 |
# <i>cd /path/you/extracted/the/CUPS-driver/tarball/into</i> |
833 |
# <i>tar -xf cups-samba.ss</i> |
834 |
<comment>(This extracts the files to usr/share/cups/drivers under the CURRENT WORKING DIRECTORY)</comment> |
835 |
# <i>cd usr/share/cups/drivers</i> |
836 |
<comment>(no leading / !)</comment> |
837 |
# <i>cp cups* /usr/local/share/cups/drivers</i> |
838 |
</pre> |
839 |
|
840 |
<p> |
841 |
Now we'll use the script <c>cupsaddsmb</c> provided by the CUPS |
842 |
distribution. It's man page is an interesting read. |
843 |
</p> |
844 |
|
845 |
<pre caption="Run cupsaddsmb"> |
846 |
# <i>cupsaddsmb -H PrintServer -U root -h PrintServer -v HPDeskJet930C</i> |
847 |
<comment>(Instead of HPDeskJet930C you could also specify "-a", which will |
848 |
"export all known printers".)</comment> |
849 |
# <i>cupsaddsmb -H PrintServer -U root -h PrintServer -a</i> |
850 |
</pre> |
851 |
|
852 |
<warn> |
853 |
The execution of this command often causes the most trouble. |
854 |
Reading through the <uri |
855 |
link="http://forums.gentoo.org/viewtopic.php?t=110931">posts in this |
856 |
thread</uri>. |
857 |
</warn> |
858 |
|
859 |
<p> |
860 |
Here are common errors that may happen: |
861 |
</p> |
862 |
|
863 |
<ul> |
864 |
<li> |
865 |
The hostname given as a parameter for <c>-h</c> and <c>-H</c> |
866 |
(<c>PrintServer</c>) often does not resolve correctly and doesn't |
867 |
identify the print server for CUPS/Samba interaction. If an error |
868 |
like: <b>Warning: No PPD file for printer "CUPS_PRINTER_NAME" - |
869 |
skipping!</b> occurs, the first thing you should do is substitute |
870 |
<c>PrintServer</c> with <c>localhost</c> and try it again. |
871 |
</li> |
872 |
<li> |
873 |
The command fails with an <b>NT_STATUS_UNSUCCESSFUL</b>. This error message |
874 |
is quite common, but can be triggered by many problems. It's unfortunately |
875 |
not very helpful. One thing to try is to temporarily set <c>security = |
876 |
user</c> in your <path>smb.conf</path>. After/if the installation completes |
877 |
successfully, you should set it back to share, or whatever it was set to |
878 |
before. |
879 |
</li> |
880 |
</ul> |
881 |
|
882 |
<p> |
883 |
This should install the correct driver directory structure under |
884 |
<path>/etc/samba/printer</path>. That would be |
885 |
<path>/etc/samba/printer/W32X86/2/</path>. The files contained should |
886 |
be the 3 driver files and the PPD file, renamed to YourPrinterName.ppd |
887 |
(the name which you gave the printer when installing it (see above). |
888 |
</p> |
889 |
|
890 |
<p> |
891 |
Pending no errors or other complications, your drivers are now |
892 |
installed. |
893 |
</p> |
894 |
|
895 |
</body> |
896 |
</section> |
897 |
<section> |
898 |
<title>Finalizing our setup</title> |
899 |
<body> |
900 |
|
901 |
<p> |
902 |
Lastly, setup our directories. |
903 |
</p> |
904 |
|
905 |
<pre caption="Final changes needed"> |
906 |
# <i>mkdir /home/samba</i> |
907 |
# <i>mkdir /home/samba/public</i> |
908 |
# <i>chmod 755 /home/samba</i> |
909 |
# <i>chmod 755 /home/samba/public</i> |
910 |
</pre> |
911 |
|
912 |
</body> |
913 |
</section> |
914 |
<section> |
915 |
<title>Testing our Samba configuration</title> |
916 |
<body> |
917 |
|
918 |
<p> |
919 |
We will want to test our configuration file to ensure that it is formatted |
920 |
properly and all of our options have at least the correct syntax. To do |
921 |
this we run <c>testparm</c>. |
922 |
</p> |
923 |
|
924 |
<pre caption="Running the testparm"> |
925 |
<comment>(By default, testparm checks /etc/samba/smb.conf)</comment> |
926 |
# <i>/usr/bin/testparm</i> |
927 |
Load smb config files from /etc/samba/smb.conf |
928 |
Processing section "[printers]" |
929 |
Global parameter guest account found in service section! |
930 |
Processing section "[public]" |
931 |
Global parameter guest account found in service section! |
932 |
Loaded services file OK. |
933 |
Server role: ROLE_STANDALONE |
934 |
Press enter to see a dump of your service definitions |
935 |
... |
936 |
... |
937 |
</pre> |
938 |
|
939 |
</body> |
940 |
</section> |
941 |
<section> |
942 |
<title>Starting the Samba service</title> |
943 |
<body> |
944 |
|
945 |
<p> |
946 |
Now configure Samba to start at bootup; then go ahead and start it. |
947 |
</p> |
948 |
|
949 |
<pre caption="Setting up the Samba service"> |
950 |
# <i>rc-update add samba default</i> |
951 |
# <i>/etc/init.d/samba start</i> |
952 |
</pre> |
953 |
|
954 |
</body> |
955 |
</section> |
956 |
<section> |
957 |
<title>Checking our services</title> |
958 |
<body> |
959 |
|
960 |
<p> |
961 |
It would probably be prudent to check our logs at this time also. |
962 |
We will also want to take a peak at our Samba shares using |
963 |
<c>smbclient</c>. |
964 |
</p> |
965 |
|
966 |
<pre caption="Checking the shares with smbclient"> |
967 |
# <i>smbclient -L localhost</i> |
968 |
Password: |
969 |
<comment>(You should see a BIG list of services here.)</comment> |
970 |
</pre> |
971 |
|
972 |
</body> |
973 |
</section> |
974 |
</chapter> |
975 |
|
976 |
<chapter> |
977 |
<title>Configuration of the Clients</title> |
978 |
<section> |
979 |
<title>Printer configuration of *nix based clients</title> |
980 |
<body> |
981 |
|
982 |
<p> |
983 |
Despite the variation or distribution, the only thing needed is CUPS. Do the |
984 |
equivalent on any other UNIX/Linux/BSD client. |
985 |
</p> |
986 |
|
987 |
<pre caption="Configuring a Gentoo system"> |
988 |
# <i>emerge cups</i> |
989 |
# <i>nano -w /etc/cups/client.conf</i> |
990 |
ServerName <i>PrintServer</i> <comment># your printserver name</comment> |
991 |
</pre> |
992 |
|
993 |
<p> |
994 |
That should be it. Nothing else will be needed. |
995 |
</p> |
996 |
|
997 |
<p> |
998 |
If you use only one printer, it will be your default printer. If your print |
999 |
server manages several printers, your administrator will have defined a default |
1000 |
printer on the server. If you want to define a different default printer for |
1001 |
yourself, use the <c>lpoptions</c> command. |
1002 |
</p> |
1003 |
|
1004 |
<pre caption="Setting your default printer"> |
1005 |
<comment>(List available printers)</comment> |
1006 |
# <i>lpstat -a</i> |
1007 |
<comment>(Sample output, yours will differ)</comment> |
1008 |
HPDeskJet930C accepting requests since Jan 01 00:00 |
1009 |
laser accepting requests since Jan 01 00:00 |
1010 |
<comment>(Define HPDeskJet930C as your default printer)</comment> |
1011 |
# <i>lpoptions -d HPDeskJet930C</i> |
1012 |
</pre> |
1013 |
|
1014 |
<pre caption="Printing in *nix"> |
1015 |
<comment>(Specify the printer to be used)</comment> |
1016 |
# <i>lp -d HPDeskJet930C anything.txt</i> |
1017 |
<comment>(Use your default printer)</comment> |
1018 |
# <i>lp foobar.whatever.ps</i> |
1019 |
</pre> |
1020 |
|
1021 |
<p> |
1022 |
Just point your web browser to <c>http://printserver:631</c> on the client if |
1023 |
you want to manage your printers and their jobs with a nice web interface. |
1024 |
Replace <c>printserver</c> with the name of the <e>machine</e> that acts as |
1025 |
your print server, not the name you gave to the cups print server if you used |
1026 |
different names. |
1027 |
</p> |
1028 |
|
1029 |
</body> |
1030 |
</section> |
1031 |
<section> |
1032 |
<title>Mounting a Windows or Samba share in GNU/Linux</title> |
1033 |
<body> |
1034 |
|
1035 |
<p> |
1036 |
Now is time to configure our kernel to support smbfs. Since I'm assumming we've |
1037 |
all compiled at least one kernel, we'll need to make sure we have all the right |
1038 |
options selected in our kernel. For simplicity sake, make it a module for ease |
1039 |
of use. It is the author's opinion that kernel modules are a good thing and |
1040 |
should be used whenever possible. |
1041 |
</p> |
1042 |
|
1043 |
<pre caption="Relevant kernel options" > |
1044 |
CONFIG_SMB_FS=m |
1045 |
CONFIG_SMB_UNIX=y |
1046 |
</pre> |
1047 |
|
1048 |
<p> |
1049 |
Then make the module/install it; insert them with: |
1050 |
</p> |
1051 |
|
1052 |
<pre caption="Loading the kernel module"> |
1053 |
# <i>modprobe smbfs</i> |
1054 |
</pre> |
1055 |
|
1056 |
<p> |
1057 |
Once the modules is loaded, mounting a Windows or Samba share is |
1058 |
possible. Use <c>mount</c> to accomplish this, as detailed below: |
1059 |
</p> |
1060 |
|
1061 |
<pre caption="Mounting a Windows/Samba share"> |
1062 |
<comment>(The syntax for mounting a Windows/Samba share is: |
1063 |
mount -t smbfs [-o username=xxx,password=xxx] //server/share /mnt/point |
1064 |
If we are not using passwords or a password is not needed)</comment> |
1065 |
|
1066 |
# <i>mount -t smbfs //PrintServer/public /mnt/public</i> |
1067 |
|
1068 |
<comment>(If a password is needed)</comment> |
1069 |
# <i>mount -t smbfs -o username=USERNAME,password=PASSWORD //PrintServer/public /mnt/public</i> |
1070 |
</pre> |
1071 |
|
1072 |
<p> |
1073 |
After you mount the share, you would access it as if it were a local |
1074 |
drive. |
1075 |
</p> |
1076 |
|
1077 |
</body> |
1078 |
</section> |
1079 |
<section> |
1080 |
<title>Printer Configuration for Windows NT/2000/XP clients</title> |
1081 |
<body> |
1082 |
|
1083 |
<p> |
1084 |
That's just a bit of point-and-click. Browse to |
1085 |
<path>\\PrintServer</path> and right click on the printer |
1086 |
(HPDeskJet930C) and click connect. This will download the drivers to |
1087 |
the Windows client and now every application (such as Word or Acrobat) |
1088 |
will offer HPDeskJet930C as an available printer to print to. :-) |
1089 |
</p> |
1090 |
|
1091 |
</body> |
1092 |
</section> |
1093 |
</chapter> |
1094 |
|
1095 |
<chapter> |
1096 |
<title>Final Notes</title> |
1097 |
<section> |
1098 |
<title>A Fond Farewell</title> |
1099 |
<body> |
1100 |
|
1101 |
<p> |
1102 |
Well that should be it. You should now have a successful printing enviroment |
1103 |
that is friendly to both Windows and *nix as well as a fully virus-free working |
1104 |
share! |
1105 |
</p> |
1106 |
|
1107 |
</body> |
1108 |
</section> |
1109 |
</chapter> |
1110 |
|
1111 |
<chapter> |
1112 |
<title>Links and Resources</title> |
1113 |
<section> |
1114 |
<title>Links</title> |
1115 |
<body> |
1116 |
|
1117 |
<p> |
1118 |
These are some links that may help you in setting up, configuration and |
1119 |
troubleshooting your installation: |
1120 |
</p> |
1121 |
|
1122 |
<ul> |
1123 |
<li><uri link="http://www.cups.org/">CUPS Homepage</uri></li> |
1124 |
<li><uri link="http://www.samba.org/">Samba Homepage</uri></li> |
1125 |
<li><uri link="http://linuxprinting.org/">LinuxPrinting dot Org</uri></li> |
1126 |
<li> |
1127 |
<uri link="http://www.linuxprinting.org/kpfeifle/SambaPrintHOWTO/">Kurt |
1128 |
Pfeifle's Samba Print HOWTO</uri> ( |
1129 |
This HOWTO really covers <e>ANYTHING</e> and <e>EVERYTHING</e> |
1130 |
I've written here, plus a LOT more concerning CUPS and Samba, and |
1131 |
generally printing support on networks. A really interesting read, |
1132 |
with lots and lots of details) |
1133 |
</li> |
1134 |
<li><uri link="http://www.freebsddiary.org/cups.php">FreeBSD Diary's CUPS Topic</uri></li> |
1135 |
</ul> |
1136 |
|
1137 |
</body> |
1138 |
</section> |
1139 |
<section> |
1140 |
<title>Troubleshooting</title> |
1141 |
<body> |
1142 |
|
1143 |
<p> |
1144 |
See <uri link="http://www.linuxprinting.org/kpfeifle/SambaPrintHOWTO/Samba-HOWTO-Collection-3.0-PrintingChapter-11th-draft.html#37">this |
1145 |
page</uri> from Kurt Pfeifle's "Printing Support in Samba 3.0" |
1146 |
manual. Lots of useful tips there! Be sure to look this one up |
1147 |
first, before posting questions and problems! Maybe the solution |
1148 |
you're looking for is right there. |
1149 |
</p> |
1150 |
|
1151 |
</body> |
1152 |
</section> |
1153 |
</chapter> |
1154 |
</guide> |