Linux in a Windows Workstation Environment, Part II: Local Network Support
This article series covers the development of a Linux-based server that supports a number of workstations running the Microsoft Windows operating system in the computer laboratory of a 55+ RV Resort in Mesa, Arizona. Part I covered the background of our organization, the establishment of our Linux system and the rules for our iptables firewall. This article covers network functions such as IP address serving, a cache-only name server, an intranet Web server and print and file services using the service message block (SMB) protocol.
As noted in the previous article, our computer lab is connected to the Internet by way of a T1 line, which is shared with the business and sales offices and the Wi-Fi connections of the RV resort, all of which share a single IP address. An upstream router handles the necessary network address translation (NAT) to and from non-routable addresses in the 10.10.x.0 networks. Before installation of our firewall, all machines in the computer lab were assigned addresses on the 10.10.4.0 net. Now, only the external interface of the firewall belongs to that network. The internal address of the firewall, the printers, all of the computers in the lab and any laptops temporarily connected to the network are assigned addresses of the form 10.10.10.x. The firewall/server interface has a fixed address of 10.10.10.1, and the printers are fixed at 10.10.10.253 and 10.10.10.254. All other machines get their IP addresses from the DHCP server running on the Linux system. For ease of maintenance, I prefer to control the addresses of the desktop computers. Thus, our DHCP control file assigns fixed addresses based on the MAC address of the client.
The DHCP server in the SuSE distribution is controlled by the file etc/dhcpd.conf. An annotated listing of part of our file is shown below. The first statement defines the name for the network. This name is registered; however, no external DNS entries point to this system. Its use here, therefore, is fictitious.
option domain-name "mesaregalcc.org";
The next entry enumerates the name servers for this network, starting with the IP address of our server, which caches DNS entries. The configuration of this facility is described later in this article. The backslash (\) indicates that the command is continued on the next line.
option domain-name-servers 10.10.10.1, 198.6.1.4, 198.6.1.5, \ 198.6.1.195;
Next we define the gateway/router for the network.
option routers 10.10.10.1;
The next stanza defines the network and the range of dynamic addresses to be used. As shown, we have 50 IP numbers that are dynamically assigned. These addresses are issued to notebook computers that are brought into the computer room and temporarily attached to the wired network.
subnet 10.10.10.0 netmask 255.255.255.0 { option broadcast-address 10.10.10.255; range 10.10.10.50 10.10.10.199; max-lease-time 3600; }
The next stanza keeps the DHCP server from issuing any addresses on the external interface. The upstream router handles this function.
subnet 10.10.4.0 netmask 255.255.255.0 { }
The final group of statements defines the fixed addresses for the workstations, which are assigned as follows: the instructor's computer has an IP address equal to 10.10.10.200; the computer named mrlab1.mesaregalcc.net has an IP address of 10.10.10.201; and so on. The # character starts a comment.
group { option subnet-mask 255.255.255.0; option broadcast-address 10.10.10.255; max-lease-time 100000; # host MRLAB1 { hardware ethernet 00:0F:FE:02:C2:12; fixed-address 10.10.10.201; } ... }
As noted above, the workstation clients first contact the Linux computer when they attempt to resolve a network address. Our name server does not attempt to resolve any unknown addresses, but caches the addresses resolved by the external name servers. This facility is used for two reason. First, it speeds name serving for the external machines frequently accessed. Second, the SuSE distribution configures this functionality with essentially no changes. The only line of the configuration file, /etc/named.conf, that needed to be changed is presented below:
# The forwarders record contains a list of servers to which unsatisfied queries # should be forwarded. Enable this line and modify the IP address to # your provider's name server. Up to three servers may be listed. # ******* This next line is the only one changed at Mesa Regal. forwarders { 198.6.1.4, 198.6.1.5, 198.6.1.195; };
The computer club's Web site is used to publish scheduling information for classes, meetings and presentations. The navigation bar of this site also contains links to some popular sites, including the Web mail sites for AOL, Juno, Hotmail and Yahoo, as well as the search sites for Google and Hotbot. Because this site is used as the home page for all computers in the lab, it is accessed many, many times per day. To reduce bandwidth on the external line, a Web server has been configured to serve a local copy of this site. The effort has been minimal, as we do not use any CGI scripting nor do we need any logging.
By storing the Web content locally, our Web master can edit changing content without connecting to the external site. Each evening cron, the Linux version of the task scheduler, starts a script that produces a list of the Web site files that have been altered within the past 24 hours. It then transfers them to the external site using using the wput command, an indirect way to use FTP. To insure controlled write access to the Web material, it is stored in a password-protected Samba share, to be discussed later.
I use the Apache Web server as the server for our intranet. Although the latest version, 2.0, implements a number of new security features, my initial attempts to use the newest software failed. We use only simple Web pages and have no security issues, as the server is accessed only from the internal network. Therefore, I am using the older V1.3 release. The control file, httpd.conf, can include a large number of parameters; however, only a small number needed to be tailored for my system. The first of these is the server type. Under Linux, the daemon can be triggered by the Internet super daemon, inetd, or it can be started as a standalone program. I chose the latter option.
ServerType standalone
The next parameter to be configured is the root directory for the configuration, error and log files.
ServerRoot "/usr/local/apache"
We also specify the IP address and port. If this parameter was not specified, the program would listen on all interfaces. However, I explicitly wish to exclude the external interface but use the standard port.
Listen 10.10.10.1:80
We also need to specify the directory in which our Web pages are stored, as well as a Directory stanza to allow everyone to access that material.
DocumentRoot "/home/web" <Directory "/home/web"> Order allow,deny Allow from all </Directory>
The combination of local home page serving and the cache-only name server greatly decrease the workstation response time and cut the traffic on the external network. The benefits of each greatly outweigh the minimal effort required to set them up.
To supply file and print services for the Windows workstations, we use Samba. To quote samba.org, "Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients." Using this package, our Linux computer offers printer shares for both printers and three distinct file shares.
The Samba configuration file, which normally is /etc/samba/smb.conf, contains definitions for global parameters in a section named [global]. In this section, I have annotated the parameters defined on our system:
[global] max smbd processes = 40 # one server process for each workstation workgroup = MRLAB # name reported to network browser netbios name = server # NetBIOS name reported by server security = share # needed for guest services to work hosts allow = 10.10.10.0/24 # limit to our network guest account = nobody # the guest has the privileges of this user log file = /usr/local/samba/var/log smb passwd file = /usr/local/samba/lib/smbpasswd max log size = 500 # size in kB preferred master = yes # this machine is master for net domain master = yes # we have no other domain servers deadtime = 5 # no. of minutes till connection expires server string = Samba # name in printer comment box on Windows interfaces = 10.10.10.1/24 # serve only our internal network wins support = No # no Wins name resolution show add printer wizard = yes # Wizard is shown on NT/XP/2K clients max print jobs = 20 # number of simultaneous print jobs printer admin = root # only the superuser can manipulate printers null passwords = yes # we want to have no password for some users load printers = no # do not create shares automatically printing = bsd # BSD-type printing
The next section defines the parameters for a printer driver download area. If this section is properly defined, it is possible to install the printer drivers on a Windows client without needing to have any other source for the driver files.
[print$] path = /usr/local/samba/drivers # the root location for the driver tree browseable = yes public = yes # accessed without password read only = yes # cannot be written write list = root # except by the superuser
The [printers] section defines parameters that are common to all printers.
[printers] comment = All Printers path = /var/spool/samba # spool directory printer admin = root # the administrator account public = yes # no authentication needed printable = yes # spool files OK for this share use client driver = no # browsable = yes # can be browsed read only = yes
Each of our printers available to Windows clients is defined by a separate stanza. The name inside the brackets, bw_laser, is the name reported. The print command is the command spawned when a print job has been received. In most cases, this would be a simple call to the lpr command. Our system, however, does additional processing before calling the printer spooler, as explained below. In this line, the %s macro expands to the name of the spool file, and %I expands to the IP address of the client.
[bw_laser] min print space = 1000 # minimum spool space in kB printable = yes # spool files OK for this share print command = /usr/local/samba/lib/process_bw %s %I
Resort rules allow any resident of the RV resort to use the computers; however, only members of the computer club are allowed to print. Their membership dues are used to purchase paper and printer supplies. Previously, we had no way to control the number of pages that any user could print. As a result, printing costs were out of control. This season, each member was issued a user number and password when he or she joined. When a print job is received, the command-line script defined for that printer performs the following steps:
The number of pages is counted by inspecting the appropriate lines in the Postscript file.
The number of pages in the job and the IP number of the submitting computer are passed to a program that attempts a TCP connection with a special server program running on the Windows workstation. If the connection is rejected, the print job immediately is discarded; otherwise, a request for a user number and password is sent.
Once the user data is entered or a timeout period is exceeded, the results are passed back to the Linux machine. If the password does not match the accounting-file entry for that user, the program tries again. After three tries, a suitable message is sent to the user and the print job is aborted.
Once a valid password has been received, we then verify that the number of pages in the job and the total pages for the season are within limits. If either test fails, the job is aborted.
When all tests are passed, the print job is sent to the print spooler, and the totals for the season are updated. Even though our season limits of 100 color and 1000 black/white pages are generous, the authentication process and the psychological factors associated with the upper limit for the season have cut our print costs by a factor of 2.
During the authentication process described above, user numbers and passwords are transmitted in the clear. The security risk is acceptable, as these passwords are not used with any login account. Many of the users have written their number and password on the back of their name badge, which is a more severe security risk.
Club rules prohibit a user from storing any files or installing any new programs on the Windows workstations. These rules are enforced through the usage of a program called GoBack, operated in auto-revert mode. Whenever the computer is rebooted, any files that have been deleted are restored and any files that have been added are deleted.
As the users have legitimate needs to store files, a number of Samba file shares are defined. The first of these is a public share that is mounted as disk drive S on all of the workstations. Files on this share can be accessed from all computers without any authentication. Of course, the users are warned not to store any sensitive information in this location. The section of smb.conf that describes this share is shown below:
[guest] # share name path = /home/samba # path to this share public = yes # no password needed writable = yes # read/write printable = no # but not a printer share browsable = yes # can be browsed with Windows Explorer, etc.
To store some files that need to be accessed without a password but that should be kept separate, another share is defined but not mounted on any workstation. These files may be accessed by browsing My Network Places, but they require enough effort to reach them that they will not be accidentally destroyed.
[xphone] # share name path = /home/xphone # path public = yes # no password needed writable = yes # read/write printable = no # but not a printer share browsable = yes # can be browsed with Windows Explorer, etc.
To store our membership database and our Web site files, a password-protected share also has been defined. It differs from the others by setting the public keyword to no and setting the name of a valid user. Note: There is no web account in the Linux-user database; it exists only in the Samba password system, which is maintained by a separate program. Once a given workstation has logged into this share, the connection is disconnected when it has been dormant for five minutes. This time was defined in the global section above. Authentication for this share is encrypted.
[web] # share name path = /home/web # path public = no # password needed writable = yes # read/write printable = no # not a print share browsable = yes # can be browsed valid users = web # the user for this share
None of these Samba shares have any quotas attached to them. To prevent the possibility of some user creating large numbers of huge files and depriving the Linux kernel of working room, a separate partition has been established for /home, which is the root of all the Samba file shares. In our case, this separate partition is even on a separate disk, but that may not be necessary for other installations.
The next and last article in this series will describe how we use our server to provide VPN tunnels that secure the transmissions of our users over a Wi-Fi network, which is required to be unsecured.
Larry Finger is retired from the Carnegie Institution of Washington, Washington DC, and currently is the volunteer technical advisor for the computer club of the Mesa Regal RV Resort, Mesa, Arizona. Besides maintaining the system described in this article series, he also collaborates in the development of a program to display models of crystal structures.