<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
<!ENTITY % gnome-menus-C SYSTEM "../../libs/gnome-menus-C.ent">
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
<!ENTITY language "&EnglishAmerican;">
<chapter id="file-servers" status="review">
<title>File Servers</title>
If you have more than one computer on a single network, at some point you will probably
need to share files between them. In this section we cover installing and configuring
<sect1 id="ftp-server" status="review">
<title>FTP Server</title>
File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading
files between computers. FTP works on a client/server model. The server component is
called an <emphasis>FTP daemon</emphasis>. It continuously listens for FTP requests
from remote clients. When a request is received, it manages the login and sets up
the connection. For the duration of the session it executes any of the commands sent by
<para>Access to an FTP server can be managed in two ways:</para>
<itemizedlist spacing="compact">
<para>Anonymous</para>
<para>Authenticated</para>
In the Anonymous mode, remote clients can access the FTP server by using the
default user account called "anonymous" or "ftp" and
sending an email address as the password. In the Authenticated mode a user must
have an account and a password. User access to the FTP server directories and files is
dependent on the permissions defined for the account used at login. As a general
rule, the FTP daemon will hide the root directory of the FTP server and change it to
the FTP Home directory. This hides the rest of the file system from remote
<sect2 id="vsftpd-ftp-server-installation" status="review">
<title>vsftpd - FTP Server Installation</title>
vsftpd is an FTP daemon available in
Ubuntu. It is easy to install, set up, and
maintain. To install <application>vsftpd</application> you
can run the following command:
<command>sudo apt-get install vsftpd</command>
<sect2 id="vsftpd-anonymous-configuration" status="review">
<title>Anonymous FTP Configuration</title>
By default <application>vsftpd</application> is <emphasis>not</emphasis> configured to allow anonymous download.
If you wish to enable anonymous download, edit <filename>/etc/vsftpd.conf</filename>, changing:
During installation an <emphasis>ftp</emphasis> user is created with a home directory
of <filename>/srv/ftp</filename>. This is the default FTP directory.
If you wish to change this location, to <filename>/srv/files/ftp</filename>
for example, simply create a directory in another location and
change the <emphasis>ftp</emphasis> user's home directory:
<command>sudo mkdir /srv/files/ftp</command>
<command>sudo usermod -d /srv/files/ftp ftp</command>
After making the change restart <application>vsftpd</application>:
<command>sudo restart vsftpd</command>
Finally, copy any files and directories you would like to make available
through anonymous FTP to <filename>/srv/files/ftp</filename>, or <filename>/srv/ftp</filename> if you wish to
<sect2 id="vsftpd-userauth-configuration" status="review">
<title>User Authenticated FTP Configuration</title>
By default <application>vsftpd</application> is configured to authenticate
system users and allow them to download files. If you want users to be able to upload files, edit
<filename>/etc/vsftpd.conf</filename>:
Now restart <application>vsftpd</application>:
<command>sudo restart vsftpd</command>
Now when system users log in to FTP they will start in their
<emphasis>home</emphasis> directories where they can download,
upload, create directories, etc.
Similarly, by default, anonymous users are not
allowed to upload files to the FTP server. To change
this setting, you should uncomment the following
line, and restart <application>vsftpd</application>:
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable
anonymous upload on servers accessed directly from the Internet.
The configuration file consists of many
configuration parameters. The information about
each parameter is available in the configuration
file. Alternatively, you can refer to the man
page, <command>man 5 vsftpd.conf</command>, for
details of each parameter.
<sect2 id="vsftpd-security" status="review">
<title>Securing FTP</title>
There are options in <filename>/etc/vsftpd.conf</filename> to
help make <application>vsftpd</application> more secure. For
example, users can be limited to their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a <filename>/etc/vsftpd.chroot_list</filename>
containing a list of users one per line. Then restart <application>vsftpd</application>:
<command>sudo restart vsftpd</command>
Also, the <filename>/etc/ftpusers</filename> file is a list of users that
are <emphasis>disallowed</emphasis> FTP access. The default list
includes root, daemon, nobody, etc. To disable FTP access for additional
users simply add them to the list.
FTP can also be encrypted using <emphasis>FTPS</emphasis>. Unlike <emphasis>SFTP</emphasis>,
<emphasis>FTPS</emphasis> is FTP over Secure Socket Layer (SSL). <emphasis>SFTP</emphasis> is an FTP-like
session over an encrypted <emphasis>SSH</emphasis> connection. A major difference is that users
of SFTP need to have a <emphasis>shell</emphasis> account on the system, instead of a
<emphasis>nologin</emphasis> shell. Providing all users with a shell may not be ideal for some
environments, such as a shared web host.
To configure <emphasis>FTPS</emphasis>, edit <filename>/etc/vsftpd.conf</filename> and at the bottom add:
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the <application>ssl-cert</application>
package. In a production environment these should be replaced with a certificate and key generated for the specific
host. For more information on certificates see <xref linkend="certificates-and-security"/>.
Now restart <application>vsftpd</application>, and non-anonymous users will be forced to use
<emphasis>FTPS</emphasis>:
<command>sudo restart vsftpd</command>
To give users with a shell of <filename>/usr/sbin/nologin</filename> access to FTP but no shell access,
edit <filename>/etc/shells</filename>, adding the <emphasis>nologin</emphasis> shell:
# /etc/shells: valid login shells
This is necessary because, by default, <application>vsftpd</application> uses PAM for authentication, and the
<filename>/etc/pam.d/vsftpd</filename> configuration file contains:
auth required pam_shells.so
The <emphasis>shells</emphasis> PAM module restricts access to shells listed in the <filename>/etc/shells</filename>
Most popular FTP clients can be configured to connect using FTPS. The <application>lftp</application> command line FTP
client has the ability to use FTPS as well.
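The anonymous, upload, chroot and FTPS options described above interact, so it helps to check them together when reviewing a server. The Python script below is an added example, not part of the original guide or of vsftpd: the finding messages and the sample configuration are constructed, and the built-in defaults and the rule about whitespace around "=" are taken from vsftpd.conf(5).

```python
# Added example: audit vsftpd.conf text for the options this section discusses.
# Built-in defaults as documented in vsftpd.conf(5); a commented-out option
# falls back to these, which is why "uncommenting" matters.
DEFAULTS = {
    "anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO",
    "chroot_local_user": "NO", "chroot_list_enable": "NO", "ssl_enable": "NO",
}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
#chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
"""

def parse_conf(text):
    """Return (active settings, malformed lines) for vsftpd.conf text."""
    settings, malformed = dict(DEFAULTS), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # vsftpd.conf(5): no whitespace is allowed around '='.
        if not sep or key != key.strip() or value != value.strip():
            malformed.append(line)
            continue
        settings[key] = value
    return settings, malformed

def audit(text):
    """Return findings (strings worded for this example) for vsftpd.conf text."""
    s, malformed = parse_conf(text)
    on = lambda key: s.get(key, "NO").upper() in ("YES", "TRUE", "1")
    findings = [f"malformed line: {m!r}" for m in malformed]
    if on("anonymous_enable") and on("write_enable") and on("anon_upload_enable"):
        findings.append("anonymous upload is active")
    if not on("chroot_local_user") and not on("chroot_list_enable"):
        findings.append("local users are not confined to their home directories")
    if on("chroot_local_user") and on("chroot_list_enable"):
        # With both set, vsftpd treats chroot_list_file as the exemption list.
        findings.append("users in chroot_list_file are exempt from the chroot")
    if not on("ssl_enable"):
        findings.append("FTPS is off: logins and data are sent in cleartext")
    elif "snakeoil" in s.get("rsa_cert_file", ""):
        findings.append("FTPS still uses the ssl-cert snakeoil certificate")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Note the case where chroot_local_user and chroot_list_enable are both YES: the list file then names the users who are not confined.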
<sect2 id="vsftpd-references" status="review">
<title>References</title>
See the <ulink url="http://vsftpd.beasts.org/vsftpd_conf.html">vsftpd website</ulink> for more information.
For detailed <filename>/etc/vsftpd.conf</filename> options see the
<ulink url="http://manpages.ubuntu.com/manpages/&distro-short-codename;/en/man5/vsftpd.conf.5.html">vsftpd.conf man page</ulink>.
The CodeGuru article <ulink url="http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329">
FTPS vs. SFTP: What to Choose</ulink> has useful information contrasting FTPS and SFTP.
Also, for more information see the <ulink url="https://help.ubuntu.com/community/vsftpd">Ubuntu Wiki vsftpd</ulink> page.
<sect1 id="network-file-system" status="review">
<title>Network File System (NFS)</title>
NFS allows a system to share directories and files with others
over a network. By using NFS, users and programs can access
files on remote systems almost as if they were local files.
Some of the most notable benefits that NFS can provide are:
<para>Local workstations use less disk space because commonly used data
can be stored on a single machine and still remain accessible to others
over the network.</para>
<para>There is no need for users to have separate home directories on
every network machine. Home directories could be set up on the NFS
server and made available throughout the network.</para>
<para>Storage devices such as floppy disks, CDROM drives, and USB
Thumb drives can be used by other machines on the network. This may
reduce the number of removable media drives throughout the
<sect2 id="nfs-installation" status="review">
<title>Installation</title>
At a terminal prompt enter the following command to install the NFS
<command>sudo apt-get install nfs-kernel-server</command>
<sect2 id="nfs-configuration" status="review">
<title>Configuration</title>
You can configure the directories to be exported by adding them to
the <filename>/etc/exports</filename> file. For example:
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
You can replace * with one of the hostname formats. Make the
hostname declaration as specific as possible so unwanted
systems cannot access the NFS mount.
To start the NFS server, you can run the following command at a terminal prompt:
<command>sudo /etc/init.d/nfs-kernel-server start</command>
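To check how specific the host declarations in an exports file really are, the Python script below parses /etc/exports text and reports entries open to every host, wildcard host patterns, and no_root_squash. It is an added example, not from the original guide or the NFS project: the first two sample lines are the ones shown above, the other two and the finding wording are constructed, and quoted paths containing spaces are assumed not to occur.

```python
import re

# One client entry: "host(opt,opt)", "host", or a bare "(opt,opt)".
ENTRY = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

# First two lines are the page's example; the last two are constructed.
SAMPLE = """\
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
/srv/projects 192.168.10.0/24(rw,sync)
/srv/backup backup.example.com (rw,sync)   # stray space before the options
"""

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports text."""
    text = re.sub(r"\\\n", " ", text)           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries or [""]:
            match = ENTRY.match(entry)
            if match is None:
                yield path, entry, {"<unparsed>"}
                continue
            # No host name (bare options, or no entry at all) means every host.
            client = match.group("client") or "*"
            opts = {o for o in (match.group("opts") or "").split(",") if o}
            yield path, client, opts

def audit_exports(text):
    """Return (path, client, issue) tuples; issue wording is this example's own."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "<unparsed>" in opts:
            findings.append((path, client, "entry could not be parsed"))
        elif client == "*":
            findings.append((path, client, "exported to every host"))
            if "rw" in opts:
                findings.append((path, client, "writable by every host"))
        elif "*" in client or "?" in client:
            findings.append((path, client, "wildcard host pattern"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root is not squashed"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE):
        print(f"{path} {client}: {issue}")
```

The last sample line shows why a space between the host and its options matters: backup.example.com gets the default options, while "(rw,sync)" applies to every host.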
<sect2 id="nfs-client-configuration" status="review">
<title>NFS Client Configuration</title>
Use the <application>mount</application> command to mount a shared NFS directory from
another machine, by typing a command line similar to the following at a terminal prompt:
<command>sudo mount example.hostname.com:/ubuntu /local/ubuntu</command>
The mount point directory <filename>/local/ubuntu</filename> must
exist. There should be no files or subdirectories in the
<filename>/local/ubuntu</filename> directory.
An alternate way to mount an NFS share from another machine is to
add a line to the <filename>/etc/fstab</filename> file. The line must state the
hostname of the NFS server, the directory on the server being
exported, and the directory on the local machine where the NFS
share is to be mounted.
The general syntax for the line in <filename>/etc/fstab</filename>
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
If you have trouble mounting an NFS share, make sure the <application>nfs-common</application> package is
installed on your client. To install
<application>nfs-common</application> enter the following
command at the terminal
<command>sudo apt-get install nfs-common</command>
<sect2 id="nfs-references" status="review">
<title>References</title>
<para><ulink url="http://nfs.sourceforge.net/">Linux NFS FAQ</ulink></para>
<ulink url="https://help.ubuntu.com/community/NFSv4Howto">Ubuntu Wiki NFS Howto</ulink>
<sect1 id="cups" status="review">
<title>CUPS - Print Server</title>
The primary mechanism for Ubuntu printing and print services is the
<emphasis role="bold">Common UNIX Printing System</emphasis> (CUPS).
This printing system is a freely available, portable printing layer
which has become the new standard for printing in most Linux
CUPS manages print jobs and queues and provides network printing using
the standard Internet Printing Protocol (IPP), while offering support
for a very large range of printers, from dot-matrix to laser and many
in between. CUPS also supports PostScript Printer Description (PPD) and
auto-detection of network printers, and features a simple web-based
configuration and administration tool.
<sect2 id="cups-installation" status="review">
<title>Installation</title>
To install CUPS on your Ubuntu computer, simply use <application>sudo</application> with the <application>apt-get</application> command and give the packages to install as the first parameter. A complete CUPS install has many package dependencies, but they may all be specified on the same command line. Enter the following at a terminal prompt to install CUPS:
<command>sudo apt-get install cups</command>
Upon authenticating with your user password, the packages should be downloaded
and installed without error. Upon the conclusion of installation, the CUPS server
will be started automatically.
For troubleshooting purposes, you can access CUPS
server errors via the error log file at: <filename>/var/log/cups/error_log</filename>.
If the error log does not show enough information to troubleshoot any problems you
encounter, the verbosity of the CUPS log can be increased by changing the <emphasis
role="bold">LogLevel</emphasis> directive in the configuration file (discussed below)
to "debug" or even "debug2", which logs everything, from the default of "info". If
you make this change, remember to change it back once you've solved your problem, to
prevent the log file from becoming overly large.
<sect2 id="cups-configuration" status="review">
<title>Configuration</title>
The Common UNIX Printing System server's behavior is configured through the
directives contained in the file <filename>/etc/cups/cupsd.conf</filename>.
The CUPS configuration file follows the same syntax as the primary configuration
file for the Apache HTTP server, so users familiar with editing Apache's
configuration file should feel at ease when editing the CUPS configuration
file. Some examples of settings you may wish to change initially will be
<para>Prior to editing the configuration file, you should make a copy of
the original file and protect it from writing, so you will have the original
settings as a reference, and to reuse as necessary.
<para>Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it
from writing with the following commands, issued at a terminal prompt:
<command>sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original</command>
<command>sudo chmod a-w /etc/cups/cupsd.conf.original</command>
<emphasis role="bold">ServerAdmin</emphasis>: To configure the email
address of the designated administrator of the CUPS server, simply
edit the <filename>/etc/cups/cupsd.conf</filename> configuration file
with your preferred text editor, and add or modify the <emphasis
role="italics">ServerAdmin</emphasis> line accordingly. For example,
if you are the Administrator for the CUPS server, and your e-mail
address is 'bjoy@somebigco.com', then you would modify the ServerAdmin
line to appear as such:
ServerAdmin bjoy@somebigco.com
<emphasis role="bold">Listen</emphasis>: By default on Ubuntu, the CUPS
server installation listens only on the loopback interface at IP address
<emphasis>127.0.0.1</emphasis>. In order to instruct the
CUPS server to listen on an actual network adapter's IP address, you must
specify either a hostname, the IP address, or optionally, an IP
address/port pairing via the addition of a Listen directive. For example,
if your CUPS server resides on a local network at the IP address <emphasis
role="italics">192.168.10.250</emphasis> and you'd like to make it
accessible to the other systems on this subnetwork, you would edit the
<filename>/etc/cups/cupsd.conf</filename> and add a Listen
Listen 127.0.0.1:631 # existing loopback Listen
Listen /var/run/cups/cups.sock # existing socket Listen
Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 (IPP)
In the example above, you may comment out or remove the reference to the
Loopback address (127.0.0.1) if you do not wish <application>cupsd</application>
to listen on that interface, but would rather have it only
listen on the Ethernet interfaces of the Local Area Network (LAN). To enable
listening for all network interfaces for which a certain hostname is bound,
including the Loopback, you could create a Listen entry for the hostname
<emphasis>socrates</emphasis> as such:
Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'
<para>or by omitting the Listen directive and using <emphasis>Port</emphasis> instead, as in:</para>
Port 631 # Listen on port 631 on all interfaces
For more examples of configuration directives in the CUPS server
configuration file, view the associated system manual page by entering the
following command at a terminal prompt:
<command>man cupsd.conf</command>
Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> configuration file, you'll need to restart the CUPS server by typing the following command at a terminal prompt:
<command>sudo /etc/init.d/cups restart</command>
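After editing Listen and Port lines it is worth confirming which endpoints other machines can reach. The Python script below classifies each directive by exposure; it is an added example, not part of the original guide or of CUPS, the exposure labels are this example's own, and the sample reuses the Listen and Port lines shown above plus one constructed LogLevel line.

```python
import ipaddress

# The Listen/Port lines shown in this section, plus one unrelated directive.
SAMPLE = """\
Listen 127.0.0.1:631 # existing loopback Listen
Listen /var/run/cups/cups.sock # existing socket Listen
Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 (IPP)
Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'
Port 631 # Listen on port 631 on all interfaces
LogLevel info
"""

def classify_listener(line):
    """Return (endpoint, exposure) for a Listen or Port line, else None."""
    words = line.split("#", 1)[0].split()
    if len(words) != 2 or words[0].lower() not in ("listen", "port"):
        return None
    directive, target = words[0].lower(), words[1]
    if directive == "port":
        return ("*:" + target, "all-interfaces")
    if target.startswith("/"):
        return (target, "local-socket")
    host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else target
    if host == "*":
        return (target, "all-interfaces")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name: reachability depends on what it resolves to on this host.
        return (target, "loopback" if host == "localhost" else "hostname")
    if ip.is_unspecified:
        return (target, "all-interfaces")
    return (target, "loopback" if ip.is_loopback else "network")

def network_listeners(text):
    """Return the endpoints that are, or may be, reachable from other machines."""
    results = filter(None, map(classify_listener, text.splitlines()))
    return [(endpoint, exposure) for endpoint, exposure in results
            if exposure not in ("loopback", "local-socket")]

if __name__ == "__main__":
    for endpoint, exposure in network_listeners(SAMPLE):
        print(f"{endpoint}: {exposure}")
```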
<sect2 id="cups-web" status="review">
<title>Web Interface</title>
CUPS can be configured and monitored using a web interface, which by default is available at <ulink url="http://localhost:631/admin">http://localhost:631/admin</ulink>. The web interface can be used to perform all printer management tasks.
In order to perform administrative tasks via the web interface, you must either have the root account enabled on your server, or authenticate as a user in the <emphasis role="italic">lpadmin</emphasis> group. For security reasons, CUPS won't authenticate a user that doesn't have a password.
To add a user to the <emphasis role="italic">lpadmin</emphasis> group, run at the terminal prompt:
<command>sudo usermod -aG lpadmin username</command>
Further documentation is available in the <emphasis role="italic">Documentation/Help</emphasis> tab of the web interface.
<sect2 id="cups-references" status="review">
<title>References</title>
<ulink url="http://www.cups.org/">CUPS Website</ulink>
<ulink url="https://help.ubuntu.com/community/cups">Ubuntu Wiki CUPS page</ulink>