|
|
Mac OS X Server is an Apple operating-system product based on Mac OS X, with the addition of administrative tools and server software. One area in which it differs from Mac OS X is in the configuration of Samba-based services. In this appendix, we'll tell you how to set up SMB file and printer shares, enable client user access, and monitor activity. Our specific focus is on Mac OS X Server 10.2.
The first thing to note is that the procedure described in Chapter 2 using System Preferences to enable Samba does not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of System Preferences does not include an option to turn on Windows File Sharing. Instead, there is a set of applications to configure, activate, and monitor services: Workgroup Manager, Server Settings, Server Status, and Open Directory Assistant, all located in the directory /Applications/Utilities.
NOTE
In addition to being installed with Mac OS X Server, these and other administrative applications are included on a separate installation CD-ROM sold with the operating system. They can be used to manage Mac OS X Server systems remotely from any Mac OS X machine.
For more information, refer to the Mac OS X Server Administrator's Guide, included as a PDF file in the /Library/Documentation/MacOSXServer directory, and also downloadable from Apple Computer's web site at http://www.apple.com/server/.
Briefly, the procedure for setting up SMB file and printer shares is as follows:
Designate share points in Workgroup Manager for file sharing.
Set up print queues in Server Settings for printer sharing, and activate Printer Service.
Configure and activate Windows Services in Server Settings.
Activate Password Server and enable SMB authentication in Open Directory Assistant.
Enable Password Server authentication for user accounts in Workgroup Manager.
Monitor file and print services with Server Status.
The first step to enable SMB file sharing is to designate one or more share points. Share points are folders that form the root of shared volumes for any of the protocols supported by Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem (NFS), File Transfer Protocol (FTP), and SMB.
To designate a share point, launch Workgroup Manager. You will be prompted for the local or remote server's hostname or IP address, as well as for a username and password; this process is required by all the Mac OS X Server administrative applications. Once Workgroup Manager is open, click the Sharing button in the toolbar. The list on the left, under the Share Points tab, displays currently defined share points. To add a new one, click the All tab, and navigate to the folder you want to share.
On the right, under the General tab, check the box labeled Share this item and its contents, change the ownership and permissions if desired, then click the Save button. Next, under the Protocols tab, select Windows File Settings from the pop-up menu, and ensure that the box labeled Share this item using SMB is checked. At this point, you can also decide whether to allow guest access to the share, change the name of the share displayed to SMB clients, or set permissions for files and folders created by SMB clients. Click the Save button when you're finished making changes. See Figure F-1.
Printer shares are set up differently. First, launch Server Settings; under the File & Print tab, select Print, then Configure Print Service.... Check the box labeled Automatically share new queues for Windows printing. Next, click the Print icon again and then Show Print Monitor. Make sure the printers you want to share are listed. Printers directly attached to the server should have queues created automatically, but remote printers you wish to reshare must be added by clicking New Queue and discovering or specifying the printers. When you're finished, click Save, select the Print icon one more time, and select Start Print Service. See Figure F-2.
TIP
Server Settings will make local printers available for sharing only if they're PostScript compatible. Unfortunately, many printers, including consumer-grade USB inkjet printers, aren't. If you want to make one of these printers available to SMB clients, you can still add the share to /etc/smb.conf yourself with a text editor. See "Rolling Your Own" later in this chapter for instructions and caveats related to making manual changes to smb.conf.
At this point, neither the file shares nor the printer shares are available to SMB clients. To activate them, click the Windows icon in Server Settings, and click Configure Windows Services.... Under the General tab, you can set the server's NetBIOS hostname, the workgroup or Windows NT domain in which the server resides, and the description that gets displayed in a browse list. You can also specify the code page for an alternate character set. Finally, you can enable boot-time startup of Samba. See Figure F-3.
The Windows Services Access tab offers options to enable guest access and limit the number of simultaneous client connections; under the Logging tab, you can specify the verbosity of your logging. With options under the Neighborhood tab, you can configure your machine as a WINS client or server or have it provide browser services locally or across subnets.
When you've finished configuring Windows Services, click the Save button, then click the Windows icon in Server Settings, and select Start Windows Services. This starts the Samba daemons, enabling access from SMB clients.
Now that you've set up file and printer shares, you need to make sure users can properly authenticate to access them. In Mac OS X Server, this is accomplished with the Open Directory Password Server, a service based on the Simple Authentication and Security Layer (SASL) standard and usable with many different authentication protocols, including the LAN Manager and Windows NT LAN Manager (NTLM) protocols. This section describes how to support SMB client authentication, but for more information on what Password Server does and how it works, see the Mac OS X Server Administrator's Guide.
To enable Password Server or merely check its settings, start the Open Directory Assistant. Unless you wish to change any of the settings, just click the right arrow button in the lower-right corner of the window until you get to the first Security step. At this point, activate Password Server by selecting the option marked Password and authentication information will be provided to other systems. The next step displays the main administrative account, and the one after that gives you a choice of authentication protocols to enable (see Figure F-4). Make sure that SMB-NT is checked, and check SMB-Lan Manager if you have Windows 95/98/Me or older clients. The final step saves the Password Server configuration and prompts you to reboot.
To enable the use of Password Server for a user account, launch Workgroup Manager, and click the Accounts button in the toolbar. Under the Users tab on the far left (with the silhouette of a single person), select the account, and under the Advanced tab on the right, select Password Server for the User Password Type (see Figure F-5). You are prompted to enter a new user password to be stored in the Password Server database. After saving the account configuration, the user can authenticate and access shares from an SMB client.
Once you've got everything working, you'll want to keep an eye on things. The Server Status application gives you views into the various services provided by Mac OS X Server. For Windows Services, you can see the current state of the service, browse the logs (located in the directory /Library/Logs/WindowsServices), display and terminate individual connections, and view a graph of connections over time (see Figure F-6). Similar information is provided for Print Service.
Underneath the GUI, a lot of activity takes place to offer Windows Services. In the non-Server version of Mac OS X, selecting Windows File Sharing sets the SMBSERVER parameter in /etc/hostconfig and triggers the Samba startup item. In Mac OS X Server, under normal circumstances the Samba startup item and the SMBSERVER parameter are never used.
Instead, a process named sambadmind generates /etc/smb.conf from the configuration specified in Server Settings and Workgroup Manager and handles starting and restarting the Samba daemons as necessary. The sambadmind process is in turn monitored by watchdog, which keeps an eye on certain processes and restarts those which fail. The watchdog utility is configured in /etc/watchdog.conf, a file similar to a System V inittab, which specifies how the services under watchdog's purview are to be treated. For example, the line for sambadmind looks like this:
sambadmin:respawn:/usr/sbin/sambadmind -d # SMB Admin daemon
Using a watchdog-monitored process such as sambadmind to start the Samba daemons, instead of a one-time execution of a startup item, results in more reliable service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it is quickly restarted. (Examples of other services monitored by watchdog are Password Server, Print Service, and the Server Settings daemon that allows remote management.)
There's another wrinkle in Mac OS X Server: the Samba configuration settings are not written directly to /etc/smb.conf, as they are in the non-Server version of Mac OS X. Instead, they're stored in the server's local Open Directory domain,[1] from which sambadmind retrieves them and regenerates smb.conf. For example, the Samba global parameters are stored in /config/SMBServer (see Figure F-7). Share point information is also kept in Open Directory, under /config/SharePoints, while CUPS takes responsibility for printer configuration in /etc/cups/printers.conf (also creating stub entries used by Samba in /etc/printcap).
Table F-1 summarizes the association of Windows Services settings in the Server Settings application, properties stored in Open Directory, and parameters in /etc/smb.conf.
Server Settings graphical element in Windows Services |
Open Directory property in /config/SMBServer |
Samba global parameter in/etc/smb.conf |
---|---|---|
General → Server Name |
netbios_name |
netbios name |
General → Workgroup |
workgroup |
workgroup |
General → Description |
description |
server string |
General → Code Page |
code_page |
client code page |
General → Start Windows Services on system startup |
auto_start |
N/A |
Access → Allow Guest Access |
guest_access, map_to_guest |
map to guest |
N/A |
guest_account |
guest account |
Access → Maximum client connections |
max_connections |
max smbd processes |
Logging → Detail Level |
logging |
log level |
Neighborhood → WINS Registration → Off |
WINS_enabled, WINS_register |
wins support |
Neighborhood → WINS Registration → Enable WINS server |
WINS_enabled |
wins support |
Neighborhood → WINS Registration → Register with WINS server |
WINS_register, WINS_address |
wins server |
Neighborhood → Workgroup/Domain Services → Master Browser |
Local_Master |
local master |
Neighborhood → Workgroup/Domain Services → Domain Master Browser |
Domain_Master |
domain master |
Print → Start Print Service |
printing |
N/A |
N/A |
lprm_command |
lprm command |
N/A |
lppause_command |
lppause command |
N/A |
lpresume_command |
lpresume command |
N/A |
printer_admin |
printer admin |
N/A |
encryption |
encrypt passwords |
N/A |
coding_system |
coding system |
N/A |
log_dir |
N/A |
N/A |
smb_log |
log file |
N/A |
nmb_log |
N/A |
N/A |
samba_sbindir |
N/A |
N/A |
samba_bindir |
N/A |
N/A |
samba_libdir |
N/A |
N/A |
samba_lockdir |
N/A |
N/A |
samba_vardir |
N/A |
N/A |
stop_time |
When making manual changes to the Samba configuration file, take care to block changes initiated from graphical applications by invoking this command:
# chflags uchg /etc/smb.conf
From that point on, the GUI will be useful only for starting, stopping, and monitoring the service—not for configuring it.
If you install your own version of Samba, you can still manage it from Server Settings by changing some of the Open Directory properties in /config/SMBServer.
To do this, open NetInfo Manager and modify the samba_sbindir and samba_bindir properties to match the location of your Samba installation. Optionally, you can modify samba_libdir, samba_vardir, and samba_lockdir. Assuming a default Samba installation, you can also change these at the command line with the following commands:
# nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin # nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin # nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib # nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var # nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks
You can check your settings with this command:
# nicl . -read /config/SMBServer
In Server Settings, select Stop Windows Services, then run this command:
# killall sambadmind
The watchdog utility restarts sambadmind within seconds. Finally, go back to Server Settings, and select Start Windows Services.
If you don't modify Open Directory properties to match your active Samba installation (because you wish to manage your configuration another way), be sure never to activate Windows Services from the Server Settings application, or you'll wind up with two sets of Samba daemons running concurrently.
[1] In versions of Mac OS X prior to 10.2, Open Directory domains were called NetInfo domains. NetInfo Manager (located in /Applications/Utilities) provides a graphical interface to view and modify the contents of Open Directory databases. For more information, see the Mac OS X Server Administrator's Guide, as well as Understanding and Using NetInfo, downloadable from the Mac OS X Server resources web page at http://www.apple.com/server/resources.html.