The Unix philosophy has
always been rather simple. Each portion of the OS or each tool was meant to
do only one job and do it well. Often, you’ll find that a simple (read
understandable and clear) algorithm has been preferred over an obviously
superior but complicated solution. While such small tradeoffs may seem
unnecessary, a fine example of the resultant advantages is the wizardry that’s
possible with small programs like grep and sort and by linking these
together with pipes. Another example is the distinction between an MTA (Mail
Transport Agent) like procmail or fetchmail and an MUA (Mail User Agent)
like pine or elm. Rather than have one single mail program that does
everything, the Unix way is to have a component that deals with getting the
mail while another component deals with the creation, editing, and
manipulation of messages.
The greatest benefit in this
approach is that you can choose what components you want to use, and if the
components are programmed well, they’ll work seamlessly with each other.
This translates into more choice for the user, which is what Linux is all
about, isn’t it? Another example of a similar attempt is the commonly
known OLE (Object Linking and Embedding) or the more current COM/DCOM
(Component Object Model). These technologies strive to define the interface
between components well enough for them to work with each other. The
benefits of such an approach are immense, even in terms of development and
programming. As the old programmer saying goes, "There’s no real need
to re-invent the wheel–it’s been done before!" Rather than struggle
with creating, debugging, and testing a graphics program designed to produce
a pie-chart, it’s more prudent to use a software component that does that
right away. A target scenario (though idealistic) would be one in which all
the programming that’s done is nothing but glue code for components from
standard libraries. This trend can be seen in the Standard Template Library
(STL) and generic programming efforts of ISO C++ and the java.util libraries
in Java.
Unfortunately, the simple
abstractions of a command line and pipes rarely scale up to the requirements
of an average GUI-based environment. Most GUI environments rely on
meta-data, or data that describes how data is stored. Sounds complicated? In
terms of a file-system, meta-data may range from what application is to be
associated with a particular file extension–such as xmms with MP3–to who
and how to interact with a document. This usage of meta-data not only
improves the user friendliness of a system, but also increases user
throughput when working on it. There’s an increasing trend towards using
meta-data in GUI systems to automate many commonly performed tasks.
In today’s world, where
complicated commands and arcane command line arguments are generally frowned
upon, the Open Source community needed something to set interoperability
between objects in Linux. Bonobo is such a standard. This was pioneered by
the GNOME group (http://developer.gnome.org),
which is responsible for the popular and widespread Window Manager GNOME.
To allow such components to
communicate and execute each other, you require a communication mechanism as
well as a control mechanism. A functional solution to this problem is RPC
(Remote Procedure Call). The more recent and object-oriented solution to
this problem has been CORBA–Common Object Request Broker Architecture (www.omg.org)–which
is going to become more important as we proceed to more distributed
computing. This standard is especially suited to Linux due to its open
nature.
A fine example of the You might ask
community’s efforts can be found in the CORBA implementation being used in
Bonobo. Initially, a CORBA implementation known as MICO was planned. MICO is
a popular implementation that’s often used to teach and explain CORBA. It
is cleanly implemented, but suffers from some performance deficiencies. The
community responded by creating an implementation of CORBA called ORbit (www.labs.redhat.com/orbit/),
which is now reputed to be amongst the leanest and fastest CORBA
implementations available. Now, with ORbit, developers can look forward to
inter-process communication with a useful abstraction, a secondary benefit
that is often missed in evaluating the Bonobo component model.
yourself why adding Win NT or 2000 machines should be any different from
adding Win 9x machines. However, there are significant differences in the
SMB implementations between versions of Microsoft’s own operating systems.
Even the password algorithms used by the two operating systems are
different. Win 9x machines don’t actually participate in a Win NT domain
the way NT does. The domain controller in this case is used purely for
authentication.
If you want to use Win 2000
machines in a Samba domain, you’ll need to upgrade to Samba 2.0.7 (Zoot
ships with 2.0.6, so you’ll have to download the updated RPMs). There are
a few subtle changes in 2000, most of which have been addressed in this
release. There are a few outstanding bugs though, but no show-stoppers. Note
that Win 2000 is currently only supported in the backwards compatibility
(with NT PDC) mode, and not in its native domain controller mode.
Adding a Samba server to a
Win NT domain
To get a
Samba server to join a Win NT domain, you must first create a machine
account for the server in the PDC’s SAM (Security Accounting Manager)
database. You can do this using the "Server Manager for Domains"
utility on the PDC. The machine account is created using the netbios name of
the Samba server, which is usually, but not necessarily, its host name.
Once you’ve created the
machine account, you need to configure the smb.conf file. Apart from the
standard configuration, you need to make the following changes:
workgroup = NTDOM (Assume
that the domain name is NTDOM)
security = domain
password server = NTDOMPDC
NTDOMBDC1 NTDOMBDC2
where NTDOMPDC is the name of
the domain controller, NTDOMBDC<1,2> are the names of the backup domain
controllers, and SAMBA is the netbios name of the samba server.
Now, before restarting the
smbd daemons, give the command
# smbpasswd -j NTDOM -r
NTDOMPDC
This command will create a
file called SAMBA.NTDOM.mac in your /etc/ directory, containing the machine
account password for the Samba server.
Assuming all goes well, you
should get a message saying
smbpasswd :
Joined domain NTDOM
To add
a Win NT machine to a Samba domain, you need to create a user entry
for it in the password file. This is the Samba equivalent of creating a
machine account in the SAM database. The username should be the name of the
machine, appended with a "$". Set no password, and set the home
directory to /dev/null, and shell to /bin/false. (You might have to escape
the "$" on the command line with a "\", if required)
# useradd ntserver$ -s /bin/false -d /dev/null
The next step
is to go to the NT machine, and set the domain name to SAMBADOM (where
SAMBADOM is the domain name). Take care not to check the "create a
machine account" check box. This feature is not yet supported. You
should get a message saying "Welcome
to the SAMBADOM domain".
Understanding server
configuration options
If you look
at the man page for the smb.conf file (man 5 smb.conf), you’ll find a
number of configuration options that you can use to tweak the performance
and customize your Samba configuration further. Due to the lack of space
here, I’ll take a look at only a few configuration options.
One of the more misunderstood
configuration parameters is the "security=" option. We’ll take a
brief look at what the various options mean.
security=share
This is the conventional, and
most brain-dead option available. Shares exported will be available to any
machine in the workgroup without further authentication. This is commonly
used for machines sharing public shares, CD-ROMs, etc. Use this only when
you have no security concerns whatsoever.
security=server
Server level security is used
when you want the Samba server to authenticate users against another Samba
or Windows NT machine acting as a domain controller. This is a good idea
when you have a number of machines on your network, with users needing to
logon to the domain to be able to access the shares. In this case, you’ll
have to configure the "password server" parameter to specify the
names of the authentication servers (normally the PDC and BDC).
security=user
In this scheme, the Samba
server actually acts as a workgroup controller, authenticating Windows NT
and Win 9x clients. A separate user list has to be maintained, and users are
added using the "smbpasswd" command. In this case, the Samba
server maintains its equivalent of an NT SAM database.
security=domain
Domain level security is used
in the case described above, when adding a Samba server to a Win NT domain.
Here too, you’ll need to specify the "password server"
parameter. So how’s this different to the "security=server"
configuration? For one, when using server level security, the Samba server
will open and maintain a network connection to the domain controller during
the entire session. This can be a significant drain on network resources. In
domain level security, a connection is established for exchanging
authentication information only.
There are some new parameters
in Samba 2.0.7 as well. Most of these deal with the new utmp and wtmp
support (experimental, I might add) included in this version. This will
enable users logged in via Samba to be seen using the "who"
command, and all login information to be recorded in the system logs, not
just the samba logs. You’ll need to specifically compile support for this
using the
"–with-utmp" flag to "configure".
Samba
development is progressing at an extremely hectic pace. There are currently
four trees under active development (For those new to the open source style
of development, a "tree" consists of all the latest source code of
the software, to which developers have access. Developers "check
in" portions of code they are working on, and then "check
out" the new code for others to test and debug when they have
finished).
There is the SAMBA_STABLE
branch, which has the regularly released "stable code", for you
and me to use. New features are not introduced into this tree until they’ve
been thoroughly tested in unstable versions. The stable Samba tree at this
time doesn’t have the ability to be a domain controller for Win NT
machines.
The second branch is the
SAMBA_TNG branch, which is where the main thrust of development is going on
at the moment. TNG stands for "The Next Generation", and includes
all the "cool code", such as domain controller for NT and Win 2000
machines, support for NT- specific administrative tools such as "User
Manager for Domains", and trust relationships, etc.
The Third branch is the
SAMBA_HEAD branch, which is the successor to the current 2.0.x series. It
contains improved file and print sharing services and NT file permissions
support. However, it contains no NT PDC support.
The last and final branch is
the HEAD_WITH_TNG branch, which is exactly what you might imagine from its
name.
The most interesting of these
branches is the SAMBA_TNG branch, which focuses on Win NT PDC controller
code. It currently suffers from poor file serving ability, but code mergers
with the SAMBA_HEAD branch will take care of this problem in the near
future.
So if you’re a hacker, or
kid with a network and time to spare, download the TNG or HEAD branch and
play with the code. Finding bugs or contributing documentation is the
easiest way to help the development effort, if you’re not a developer
yourself.
Babu Kalakrishnan, a Director at Sankya System & Objects, Bangalore www://www.sankya.com