Samba
To get samba:
apt-get install samba samba-doc smbclient
To get the Samba Web Administration Tool:
apt-get install swat netkit-inetd
The configuration is in /etc/samba:
- One [global] section with the general settings
- One section per share
One could use swat at http://localhost:901/ but it does not work easily on Ubuntu.
To see what is shared:
smbclient -L localhost
To access a share:
smbclient //localhost/name-of-the-share
To add a new user:
sudo smbpasswd -a username
To change the password of a user:
sudo smbpasswd username
To test accessing a share as a user:
smbclient //localhost/web -U yared
Documentation:
man smb.conf
To force the user or group used to access a share:
force user = enrico
force group = www-data
To set the unix permissions for every created file:
# For files
create mask = 0664
# For directories
directory mask = 0775
Example share configuration for a webspace:
mkdir /var/www/public
chgrp www-data /var/www/public
chmod 0775 /var/www/public
Then, in /etc/samba/smb.conf:
[web]
comment = Webspace
path = /var/www
writable = yes
public = no
force group = www-data
create mask = 0664
directory mask = 0775
Example share configuration for a read only directory where only a limited group of people can write:
[documents]
comment = Documents
path = /home/enrico/Desktop/documents
force user = enrico
public = yes
writable = no
write list = enrico, yared
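To review shares like the two above for guest access and write exposure, the script below prints one summary line per share. It is an added example, not part of the original notes: the function names, the report format and the [scratch] share are made up here, and it only understands yes/no values and the parameter spellings used on this page plus the `guest ok` and `read only` synonyms.

```sh
# Added example: per share, print <name> guest= write= mask= and an optional REVIEW flag.

audit_shares() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit() {
        if (share == "" || share == "global") return
        w = (writable == "yes") ? "yes" : (wl ? "list" : "no")
        flag = (guest == "yes" && w == "yes") ? " REVIEW" : ""
        printf "%s guest=%s write=%s mask=%s%s\n", share, guest, w, mask, flag
    }
    /^[ \t]*[#;]/ { next }                  # skip comment lines
    /^[ \t]*\[/ {                           # a new [section] starts
        emit()
        share = trim($0); gsub(/^\[|\].*$/, "", share)
        guest = "no"; writable = "no"; wl = 0; mask = "0744"   # 0744: smb.conf(5) default
        next
    }
    /=/ {
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = trim(substr($0, index($0, "=") + 1))
        if (key == "public" || key == "guest ok") guest = tolower(val)
        else if (key == "writable")    writable = tolower(val)
        else if (key == "read only")   writable = (tolower(val) == "yes") ? "no" : "yes"
        else if (key == "write list")  wl = (val != "")
        else if (key == "create mask") mask = val
    }
    END { emit() }
    ' "$@"
}

# Constructed sample: the two shares from this page plus a made-up [scratch].
sample_conf() {
    cat <<'EOF'
[global]
[web]
writable = yes
public = no
create mask = 0664
[documents]
public = yes
writable = no
write list = enrico, yared
[scratch]
public = yes
writable = yes
EOF
}

sample_conf | audit_shares
```

To check a real configuration, run `audit_shares /etc/samba/smb.conf`; a REVIEW flag marks a share that guests can write to.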
Print server (CUPS)
Installation:
apt-get install cupsys
Configuration:
- On the web (not enabled in Ubuntu): http://localhost:631/
- On the desktop: System/Administration/Printing
Example IPP URIs:
ipp://server[:port]/printers/queue
http://server:631/printers/queue
ipp://server[:port]/...
For example:
ipp://server/printers/laserjet
"This printer uri scheme can be used to contact local or remote print services to address a particular queue on the named host in the uri. The "ipp" uri scheme is specified in the Internet Print Protocol specifications and is actually much more free form that listed above. All Solaris and CUPS based print queues will be accessed using the formats listed above. Access to print queues on other IPP based print servers requires use of the server supported ipp uri format. Generally, it will be one of the formats listed above."
LDAP (Lightweight Directory Access Protocol)
Installation:
apt-get install ldap-utils slapd
The configuration is in /etc/ldap.
To access an LDAP server:
apt-get install gq
Various LDAP HOWTOs:
- http://bachue.com/svnwiki/ldap-intro
- http://minkirri.apana.org.au/~abo/projects/ldap-auth/LdapAuthentication.txt
- http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html
- http://www.mami.net/univr/tng-ldap/howto/
- http://www.ofb.net/~jheiss/krbldap/howto.html
- http://bachue.com/svnwiki/linux%20ldap%20howto
GRUB
The configuration file is in /boot/grub/menu.lst.
The documentation can be accessed as info grub after installing the package grub-doc.
Quick list of keys for info:
- arrows: move around
- enter: enters a section
- l: goes back
- u: goes up one node
- q: quit
- /: search
Grub trick to have a memory checker:
- apt-get install memtest86+
- Add this to /boot/grub/menu.lst:
title Memory test
root (hd0,5)
kernel /boot/memtest86+.bin
Firewall
With iptables:
man iptables
# Only accept incoming packets
# that are going to the web server
iptables -P INPUT DROP
iptables -A INPUT --protocol tcp --destination-port 80 -j ACCEPT
# To reset the input chain as the default
iptables -F INPUT
iptables -P INPUT ACCEPT
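A ruleset with the same DROP policy that also keeps loopback traffic, replies to established connections and SSH reachable, written in iptables-restore format so it is loaded in one step rather than rule by rule. This is an added example, not part of the original notes; the function names and the SSH port 22 are assumptions, and FORWARD and OUTPUT are assumed to stay at ACCEPT.

```sh
# Added example: emit an INPUT-chain ruleset in iptables-restore format.
# Usage: build_input_rules <ssh-port> [tcp-port...]

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_input_rules() {
    [ $# -ge 1 ] || { echo "usage: build_input_rules <ssh-port> [port...]" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    ssh_port=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # same default policy as on the page
    echo ':FORWARD ACCEPT [0:0]'   # assumption: the other chains stay at ACCEPT
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'                                       # local services
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'  # replies
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"                    # remote admin
    for p in "$@"; do
        # skip a duplicate of the SSH rule
        [ "$p" = "$ssh_port" ] || echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for SSH on 22 (assumed) and the web server on 80.
build_input_rules 22 80
```

Check the output with `build_input_rules 22 80 | sudo iptables-restore --test` before loading it for real; loading it replaces the existing rules of the filter table. On Debian and Ubuntu, `iptables-apply` loads a saved rules file and rolls it back unless you confirm within a timeout.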
Some links:
- http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html
- NAT (Network Address Translation): http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
Squid
Installation:
apt-get install squid
The configuration is in /etc/squid/squid.conf.
To allow the local network to use the proxy:
# Add this before "http_access deny all"
acl our_networks src 10.4.15.0/24
http_access allow our_networks
To use a parent proxy:
cache_peer proxy.aau.edu.et parent 8080 0 proxy-only no-query
Pay attention because /var/spool/squid will grow as the cache is used. The maximum cache size is set in the directive cache_dir.
Information about squid access control is at http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
To check that the configuration has no syntactic errors: squid -k parse.
To match urls:
acl forbiddensites url_regex [-i] regexp
For info about regular expressions:
man regex
Example filtering by regular expression:
acl skype url_regex -i [^A-Za-z]skype[^A-Za-z]
http_access deny skype
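Before deploying a pattern like the one above, it helps to run it over sample request URLs and see what it catches. This is an added example, not part of the original notes; it assumes `grep -E -i` behaves like Squid's case-insensitive url_regex, and the URLs, the function names and the second, edge-aware pattern are constructed for illustration.

```sh
# Added example: check which request URLs a url_regex pattern would catch.

PAGE_RE='[^A-Za-z]skype[^A-Za-z]'            # pattern from the page
EDGE_RE='(^|[^A-Za-z])skype([^A-Za-z]|$)'    # constructed: also matches at string edges

# url_matches <regex> <url>: succeed if the regex matches, ignoring case
url_matches() {
    printf '%s\n' "$2" | grep -E -i -q -- "$1"
}

# Constructed sample requests, one per line. The fourth is in host:port
# form, as used in a CONNECT request line.
sample_urls() {
    cat <<'EOF'
http://www.skype.com/download
http://example.org/get-Skype.exe
http://example.org/skype
skype.example:443
http://example.org/skyperformance
EOF
}

# report <regex>: print "deny" or "allow" in front of each sample URL
report() {
    sample_urls | while IFS= read -r url; do
        if url_matches "$1" "$url"; then echo "deny  $url"; else echo "allow $url"; fi
    done
}

report "$PAGE_RE"
echo ---
report "$EDGE_RE"
```

The page's pattern needs a non-letter on both sides of "skype", so it does not match when the word sits at the very start or end of the URL; the second pattern covers those cases and still leaves "skyperformance" alone.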
Transparent proxy setup: http://www.tldp.org/HOWTO/TransparentProxy.html
Problems found today
Hiccups of the day:
- swat does not run on Ubuntu because Ubuntu does not have inetd
- swat does not allow root login on Ubuntu because root does not have a password
- smbpasswd -a does not seem to update the timestamp of /var/lib/samba/passwd.tdb
- cups web admin does not work on Ubuntu
- LDAP is still not so intuitive to set up
Update: Marius Gedminas writes:
I think it would be a good idea to mention that running iptables -P INPUT DROP in the shell is a Bad Idea if you're logged in remotely via SSH.