If you have a rather busy
system, you could get overwhelmed by system logs eating up disk space. Log
files are important records of system behavior, system resource usage,
application usage, and user access. Every such log file is worth a scan for
the unusual and may need to be archived for purposes of accounting.
One of the big questions you
would have while partitioning your hard disk is about the sizes of the
partitions. You know how to estimate the swap, the home area and the /usr
area. However, when it comes to estimating the /var partition, you don’t
know for sure how much space you’ll exactly need. Well, this is exactly
why the partition is tagged as /var(iable). The usage of this partition
changes with time. And, when you actually start monitoring the disk usage on
this partition, you’ll find that it grows faster than it shrinks. In any
case, how does one manage the huge amounts of log information that are
generated by applications? It’s imperative that sysadmins archive logs for
a specified period of time, especially from the security perspective.
The /var partition contains a
directory called logs, which records various information from applications
that run on the system as well as the kernel (see the article "System
Administration in Linux", page128 PC Quest November 1999).
This partition, by default, also contains the mail boxes of all users in the
directory /var/spool/mail/ or in /var/mail/, as the case may be. The moment
I mentioned mailboxes, you would have understood how fast the need for disk
space can grow. I’ll focus on the directory /var/log that contains all the
log information and tends to grow at a very fast rate, depending on how busy
a given system is. What we’re going to tackle here is how to manage the
space, given that we need to retain the log information for a while.
Linux provides you with a
utility called logrotate, which allows you to implement a log archiving
policy for your system. In my opinion, you can’t get anything more simple
and concise than what logrotate offers you–use it!
logrotate rotates and
compresses system logs. This is typically found under the directory subtree
/var/log/. It also allows you to specify when a log file has to be removed.
You can customize logrotate to your liking by editing its configuration
files, /etc/logrotate.conf and /etc/logrotate.d. The former is the global
configuration file and the latter is a directory that contains specific
instructions for various applications. This organization allows selective
control over how you might want to handle logs from different applications.
The only files for which specific instructions should be present in the
global configuration file are /var/log/wtmp and /var/log/lastlog.
To understand what logrotate
can do, first ask yourself what you want to do with your log files. The
table "Planning for a log processing and archiving policy" might
help you to start. The first row lists the processing and reporting to be
done, while the first column lists the files on which the processing is to
be done. Put down the different log files in column 1, tick out the log
processing of your choice, and you can come up with a policy for using
logrotate.
You might ask
yourself why adding Win NT or 2000 machines should be any different from
adding Win 9x machines. However, there are significant differences in the
SMB implementations between versions of Microsoft’s own operating systems.
Even the password algorithms used by the two operating systems are
different. Win 9x machines don’t actually participate in a Win NT domain
the way NT does. The domain controller in this case is used purely for
authentication.
If you want to use Win 2000
machines in a Samba domain, you’ll need to upgrade to Samba 2.0.7 (Zoot
ships with 2.0.6, so you’ll have to download the updated RPMs). There are
a few subtle changes in 2000, most of which have been addressed in this
release. There are a few outstanding bugs though, but no show-stoppers. Note
that Win 2000 is currently only supported in the backwards compatibility
(with NT PDC) mode, and not in its native domain controller mode.
Adding a Samba server to a
Win NT domain
To get a
Samba server to join a Win NT domain, you must first create a machine
account for the server in the PDC’s SAM (Security Accounting Manager)
database. You can do this using the "Server Manager for Domains"
utility on the PDC. The machine account is created using the netbios name of
the Samba server, which is usually, but not necessarily, its host name.
Once you’ve created the
machine account, you need to configure the smb.conf file. Apart from the
standard configuration, you need to make the following changes:
workgroup = NTDOM (Assume
that the domain name is NTDOM)
security = domain
password server = NTDOMPDC
NTDOMBDC1 NTDOMBDC2
where NTDOMPDC is the name of
the domain controller, NTDOMBDC<1,2> are the names of the backup domain
controllers, and SAMBA is the netbios name of the samba server.
Now, before restarting the
smbd daemons, give the command
# smbpasswd -j NTDOM -r
NTDOMPDC
This command will create a
file called SAMBA.NTDOM.mac in your /etc/ directory, containing the machine
account password for the Samba server.
Assuming all goes well, you
should get a message saying
smbpasswd :
Joined domain NTDOM
To add
a Win NT machine to a Samba domain, you need to create a user entry
for it in the password file. This is the Samba equivalent of creating a
machine account in the SAM database. The username should be the name of the
machine, appended with a "$". Set no password, and set the home
directory to /dev/null, and shell to /bin/false. (You might have to escape
the "$" on the command line with a "\", if required)
# useradd ntserver$ -s /bin/false -d /dev/null
The next step
is to go to the NT machine, and set the domain name to SAMBADOM (where
SAMBADOM is the domain name). Take care not to check the "create a
machine account" check box. This feature is not yet supported. You
should get a message saying "Welcome
to the SAMBADOM domain".
Understanding server
configuration options
If you look
at the man page for the smb.conf file (man 5 smb.conf), you’ll find a
number of configuration options that you can use to tweak the performance
and customize your Samba configuration further. Due to the lack of space
here, I’ll take a look at only a few configuration options.
One of the more misunderstood
configuration parameters is the "security=" option. We’ll take a
brief look at what the various options mean.
security=share
This is the conventional, and
most brain-dead option available. Shares exported will be available to any
machine in the workgroup without further authentication. This is commonly
used for machines sharing public shares, CD-ROMs, etc. Use this only when
you have no security concerns whatsoever.
security=server
Server level security is used
when you want the Samba server to authenticate users against another Samba
or Windows NT machine acting as a domain controller. This is a good idea
when you have a number of machines on your network, with users needing to
logon to the domain to be able to access the shares. In this case, you’ll
have to configure the "password server" parameter to specify the
names of the authentication servers (normally the PDC and BDC).
security=user
In this scheme, the Samba
server actually acts as a workgroup controller, authenticating Windows NT
and Win 9x clients. A separate user list has to be maintained, and users are
added using the "smbpasswd" command. In this case, the Samba
server maintains its equivalent of an NT SAM database.
security=domain
Domain level security is used
in the case described above, when adding a Samba server to a Win NT domain.
Here too, you’ll need to specify the "password server"
parameter. So how’s this different to the "security=server"
configuration? For one, when using server level security, the Samba server
will open and maintain a network connection to the domain controller during
the entire session. This can be a significant drain on network resources. In
domain level security, a connection is established for exchanging
authentication information only.
There are some new parameters
in Samba 2.0.7 as well. Most of these deal with the new utmp and wtmp
support (experimental, I might add) included in this version. This will
enable users logged in via Samba to be seen using the "who"
command, and all login information to be recorded in the system logs, not
just the samba logs. You’ll need to specifically compile support for this
using the
"–with-utmp" flag to "configure".
Samba
development is progressing at an extremely hectic pace. There are currently
four trees under active development (For those new to the open source style
of development, a "tree" consists of all the latest source code of
the software, to which developers have access. Developers "check
in" portions of code they are working on, and then "check
out" the new code for others to test and debug when they have
finished).
There is the SAMBA_STABLE
branch, which has the regularly released "stable code", for you
and me to use. New features are not introduced into this tree until they’ve
been thoroughly tested in unstable versions. The stable Samba tree at this
time doesn’t have the ability to be a domain controller for Win NT
machines.
The second branch is the
SAMBA_TNG branch, which is where the main thrust of development is going on
at the moment. TNG stands for "The Next Generation", and includes
all the "cool code", such as domain controller for NT and Win 2000
machines, support for NT- specific administrative tools such as "User
Manager for Domains", and trust relationships, etc.
The Third branch is the
SAMBA_HEAD branch, which is the successor to the current 2.0.x series. It
contains improved file and print sharing services and NT file permissions
support. However, it contains no NT PDC support.
The last and final branch is
the HEAD_WITH_TNG branch, which is exactly what you might imagine from its
name.
The most interesting of these
branches is the SAMBA_TNG branch, which focuses on Win NT PDC controller
code. It currently suffers from poor file serving ability, but code mergers
with the SAMBA_HEAD branch will take care of this problem in the near
future.
So if you’re a hacker, or
kid with a network and time to spare, download the TNG or HEAD branch and
play with the code. Finding bugs or contributing documentation is the
easiest way to help the development effort, if you’re not a developer
yourself.
Babu Kalakrishnan, a Director at Sankya System & Objects, Bangalore www://www.sankya.com