Наши партнеры








Книги по Linux (с отзывами читателей)

Библиотека сайта rus-linux.net

Appendix F. Running Samba on Mac OS X Server

Mac OS X Server is an Apple operating-system product based on Mac OS X, with the addition of administrative tools and server software. One area in which it differs from Mac OS X is in the configuration of Samba-based services. In this appendix, we'll tell you how to set up SMB file and printer shares, enable client user access, and monitor activity. Our specific focus is on Mac OS X Server 10.2.

Setup Procedures

The first thing to note is that the procedure described in Chapter 2 using System Preferences to enable Samba does not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of System Preferences does not include an option to turn on Windows File Sharing. Instead, there is a set of applications to configure, activate, and monitor services: Workgroup Manager, Server Settings, Server Status, and Open Directory Assistant, all located in the directory /Applications/Utilities.

NOTE

In addition to being installed with Mac OS X Server, these and other administrative applications are included on a separate installation CD-ROM sold with the operating system. They can be used to manage Mac OS X Server systems remotely from any Mac OS X machine.

For more information, refer to the Mac OS X Server Administrator's Guide, included as a PDF file in the /Library/Documentation/MacOSXServer directory, and also downloadable from Apple Computer's web site at http://www.apple.com/server/.

Briefly, the procedure for setting up SMB file and printer shares is as follows:

  1. Designate share points in Workgroup Manager for file sharing.

  2. Set up print queues in Server Settings for printer sharing, and activate Printer Service.

  3. Configure and activate Windows Services in Server Settings.

  4. Activate Password Server and enable SMB authentication in Open Directory Assistant.

  5. Enable Password Server authentication for user accounts in Workgroup Manager.

  6. Monitor file and print services with Server Status.

Configuring and Activating Services

At this point, neither the file shares nor the printer shares are available to SMB clients. To activate them, click the Windows icon in Server Settings, and click Configure Windows Services.... Under the General tab, you can set the server's NetBIOS hostname, the workgroup or Windows NT domain in which the server resides, and the description that gets displayed in a browse list. You can also specify the code page for an alternate character set. Finally, you can enable boot-time startup of Samba. See Figure F-3.

Figure F-3. Server Settings: Windows Services

The Windows Services Access tab offers options to enable guest access and limit the number of simultaneous client connections; under the Logging tab, you can specify the verbosity of your logging. With options under the Neighborhood tab, you can configure your machine as a WINS client or server or have it provide browser services locally or across subnets.

Password Server

Password Server is a feature introduced with Mac OS X Server 10.2. In prior versions of Mac OS X Server, Windows authentication was handled with Authentication Manager, which stored a user's Windows password in the tim_password property of the user's NetInfo record. This can still be done in Version 10.2, although it's strongly discouraged because the encrypted password is visible to other users with access to the NetInfo domain and can potentially be decrypted.

If you need to use Authentication Manager, use the following procedure to enable it:

  1. On every machine hosting a domain that will bind into the NetInfo hierarchy, execute the command tim -init -auto tag for each domain, where tag is the name of the domain's database.

  2. When prompted, provide a password to be used as the encryption key for the domain. This key is used to decrypt the Windows passwords and is stored in an encrypted file readable only by root, /var/db/netinfo/.tag.tim.

  3. Set AUTHSERVER=-YES- in /etc/hostconfig.

  4. Start Authentication Manager by invoking tim. This is also executed during the boot sequence by the AuthServer startup item.

  5. Reset the password of each user requiring SMB client access. In Mac OS X Server 10.2 or later, make sure the user is set up for Basic authentication, not Password Server authentication.

When you've finished configuring Windows Services, click the Save button, then click the Windows icon in Server Settings, and select Start Windows Services. This starts the Samba daemons, enabling access from SMB clients.

Configuration Details

Underneath the GUI, a lot of activity takes place to offer Windows Services. In the non-Server version of Mac OS X, selecting Windows File Sharing sets the SMBSERVER parameter in /etc/hostconfig and triggers the Samba startup item. In Mac OS X Server, under normal circumstances the Samba startup item and the SMBSERVER parameter are never used.

Instead, a process named sambadmind generates /etc/smb.conf from the configuration specified in Server Settings and Workgroup Manager and handles starting and restarting the Samba daemons as necessary. The sambadmind process is in turn monitored by watchdog, which keeps an eye on certain processes and restarts those which fail. The watchdog utility is configured in /etc/watchdog.conf, a file similar to a System V inittab, which specifies how the services under watchdog's purview are to be treated. For example, the line for sambadmind looks like this:

sambadmin:respawn:/usr/sbin/sambadmind -d     # SMB Admin daemon

Using a watchdog-monitored process such as sambadmind to start the Samba daemons, instead of a one-time execution of a startup item, results in more reliable service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it is quickly restarted. (Examples of other services monitored by watchdog are Password Server, Print Service, and the Server Settings daemon that allows remote management.)

There's another wrinkle in Mac OS X Server: the Samba configuration settings are not written directly to /etc/smb.conf, as they are in the non-Server version of Mac OS X. Instead, they're stored in the server's local Open Directory domain,[1] from which sambadmind retrieves them and regenerates smb.conf. For example, the Samba global parameters are stored in /config/SMBServer (see Figure F-7). Share point information is also kept in Open Directory, under /config/SharePoints, while CUPS takes responsibility for printer configuration in /etc/cups/printers.conf (also creating stub entries used by Samba in /etc/printcap).

Figure F-7. NetInfo Manager: SMBServer properties

Table F-1 summarizes the association of Windows Services settings in the Server Settings application, properties stored in Open Directory, and parameters in /etc/smb.conf.

Table F-1. Samba configuration settings in Mac OS X Server

Server Settings graphical element in Windows Services

Open Directory property in /config/SMBServer

Samba global parameter in/etc/smb.conf

General → Server Name

netbios_name

netbios name

General → Workgroup

workgroup

workgroup

General → Description

description

server string

General → Code Page

code_page

client code page

General → Start Windows Services on system startup

auto_start

N/A

Access → Allow Guest Access

guest_access, map_to_guest

map to guest

N/A

guest_account

guest account

Access → Maximum client connections

max_connections

max smbd processes

Logging → Detail Level

logging

log level

Neighborhood → WINS Registration → Off

WINS_enabled, WINS_register

wins support

Neighborhood → WINS Registration → Enable WINS server

WINS_enabled

wins support

Neighborhood → WINS Registration → Register with WINS server

WINS_register, WINS_address

wins server

Neighborhood → Workgroup/Domain Services → Master Browser

Local_Master

local master

Neighborhood → Workgroup/Domain Services → Domain Master Browser

Domain_Master

domain master

Print → Start Print Service

printing

N/A

N/A

lprm_command

lprm command

N/A

lppause_command

lppause command

N/A

lpresume_command

lpresume command

N/A

printer_admin

printer admin

N/A

encryption

encrypt passwords

N/A

coding_system

coding system

N/A

log_dir

N/A

N/A

smb_log

log file

N/A

nmb_log

N/A

N/A

samba_sbindir

N/A

N/A

samba_bindir

N/A

N/A

samba_libdir

N/A

N/A

samba_lockdir

N/A

N/A

samba_vardir

N/A

N/A

stop_time

N/A

Rolling Your Own

When making manual changes to the Samba configuration file, take care to block changes initiated from graphical applications by invoking this command:

# chflags uchg /etc/smb.conf

From that point on, the GUI will be useful only for starting, stopping, and monitoring the service—not for configuring it.

If you install your own version of Samba, you can still manage it from Server Settings by changing some of the Open Directory properties in /config/SMBServer.

To do this, open NetInfo Manager and modify the samba_sbindir and samba_bindir properties to match the location of your Samba installation. Optionally, you can modify samba_libdir, samba_vardir, and samba_lockdir. Assuming a default Samba installation, you can also change these at the command line with the following commands:

# nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin
# nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin
# nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib
# nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var
# nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks

You can check your settings with this command:

# nicl . -read /config/SMBServer

In Server Settings, select Stop Windows Services, then run this command:

# killall sambadmind

The watchdog utility restarts sambadmind within seconds. Finally, go back to Server Settings, and select Start Windows Services.

If you don't modify Open Directory properties to match your active Samba installation (because you wish to manage your configuration another way), be sure never to activate Windows Services from the Server Settings application, or you'll wind up with two sets of Samba daemons running concurrently.


Footnotes

[1] In versions of Mac OS X prior to 10.2, Open Directory domains were called NetInfo domains. NetInfo Manager (located in /Applications/Utilities) provides a graphical interface to view and modify the contents of Open Directory databases. For more information, see the Mac OS X Server Administrator's Guide, as well as Understanding and Using NetInfo, downloadable from the Mac OS X Server resources web page at http://www.apple.com/server/resources.html.


TOC