Section 9.3. Using Samba to Share Resources with Windows

NFS and lpd are file and print sharing services for Unix systems, and are both native TCP/IP applications. Microsoft Windows printer and file sharing applications are based on NetBIOS (Network Basic Input Output System). Samba bridges these two worlds, providing file and print sharing for Unix and Windows systems. Samba is the key to integrating Unix and Windows because it allows a Unix system to be a file and print server for Windows clients, or to be a client of a Windows server.

The protocol used between NetBIOS clients and servers is Server Message Block Protocol (SMB). Originally, NetBIOS was a monolithic protocol that took data all the way from the application to the physical network. Today, NetBIOS runs over TCP/IP, which allows NetBIOS applications to run on Unix systems that use TCP/IP.

Two things are needed to run NetBIOS on a TCP/IP network: a protocol to carry NetBIOS data over TCP/IP and a technique to map NetBIOS addresses to TCP/IP addresses. The protocol that transports NetBIOS is NetBIOS over TCP/IP (NBT), which is defined by RFCs 1001 and 1002. Address mapping is handled by a special NetBIOS name server. Samba provides both of these services.

Samba services are implemented as two daemons. The SMB daemon (smbd), the heart of Samba, provides the file and printer sharing services. The NetBIOS name server daemon (nmbd) provides NetBIOS-to-IP-address name service. NBT requires some method for mapping NetBIOS computer names, which are the addresses of a NetBIOS network, to the IP addresses of a TCP/IP network.

Samba is included in most Linux distributions and is installed during the initial system installation. On a Red Hat system, the /etc/rc.d/init.d/smb script runs at boot time, and starts both smbd and nmbd. Samba is not included in Solaris 8, but the software is available for download from the Internet. Go to http://www.samba.org to select your nearest download site.

9.3.1 Configuring a Samba Server

The Samba server is configured by the smb.conf file. Look in the startup script to see where smbd expects to find the configuration file. On a Red Hat system, it is /etc/samba/smb.conf. On a Caldera system, it is /etc/samba.d/smb.conf. The default used in most Samba documentation is /usr/local/samba/lib/smb.conf. Use find or check the startup script so you know where it is on your system.

The smb.conf file is divided into sections. Except for the global section, which defines configuration parameters for the entire server, the sections are named after shares. A share is a resource offered by the server to the clients. It can be either a filesystem or a shared printer.

The best way to learn about the smb.conf file is to look at one. Minus the printers share, which is covered later, the Red Hat smb.conf file contains these active lines:

[global]

   workgroup = MYGROUP

   server string = Samba Server

   printcap name = /etc/printcap

   load printers = yes

   printing = lprng

   log file = /var/log/samba/%m.log

   max log size = 0

   security = user

   encrypt passwords = yes

   smb passwd file = /etc/samba/smbpasswd

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  dns proxy = no

[homes]

   comment = Home Directories

   browseable = no

   writable = yes

   valid users = %S

   create mode = 0664

   directory mode = 0775

Two sections of the Red Hat configuration file, global and homes, are listed above. The global section defines parameters that affect the entire server:

workgroup

Defines the hierarchical grouping of hosts, called a workgroup, of which this server is a member. Replace the MYGROUP name in the example with a meaningful workgroup name of 15 characters or less. Make sure you use a meaningful name. Never use the name MYGROUP or WORKGROUP.

server string

Defines the descriptive comment for this server that is displayed by the net view command on DOS clients. Change the string in the example to something meaningful for your system.

printcap name

Defines the location of the printcap file. The printcap file is used to identify the printers that are available to share. The default path is /etc/printcap.

load printers

Specifies whether or not all the printers in the printcap file are to be shared. The default is yes, use all the printers defined in the printcap file. no means don't read the printcap file at all. If no is specified, all shared printers must be defined individually.

printing

Identifies the Unix printing system used by the server. In the example, it is LPR Next Generation (lprng), which is an implementation of the standard LPR/LPD system described earlier in this chapter.

log file

Defines the location of the log file. The example contains the %m variable,[7] which varies according to the client's NetBIOS name. This creates a different log file for each client with a file extension that is the client's NetBIOS name. If the NetBIOS name of the client is crab, the log file is named /var/log/samba/log.crab. If the client's NetBIOS name is rodent, the log file is /var/log/samba/log.rodent.

[7] Samba has about 20 different variables. See the manpage for a full list.

max log size

Defines the maximum size of a log file in kilobytes. The default is 5 MB, or 5000 KB. (If the maximum size is exceeded, smbd closes the log and renames it with the extension .old.) In the sample configuration, this is set to 0, which means that no maximum size is set for log files.

security

Defines the type of security used. There are four possible settings:

share

Requests share-level security. This is the lowest level of security. The resource is shared with everyone. It is possible to associate a password with a share, but the password is the same for everyone.

user

Requests user-level security. Every user is required to enter a username and an associated password. By default, this is the username and password defined in /etc/passwd. The default values for passwords can be changed. See the discussion of passwords later in this section.

server

Defines server-level security. This is similar to user-level security, but an external server is used to authenticate the username and password. The external server must be defined by the password server option.

domain

Defines domain-level security. In this scheme, the Linux server joins a Windows NT/2000 domain and uses the Windows NT/2000 domain controller as the server that approves usernames and passwords. Use the password server option to point to the Windows NT/2000 Primary Domain Controller (PDC). Log into the PDC and create an account for the Linux system. Finally, add these lines to the global section on the Linux system:

domain master = no

local master = no

preferred master = no

os level = 0
encrypt passwords

Setting this option to yes causes Samba to encrypt passwords before they are sent across the network. This makes the server more compatible with Windows clients from Windows 98 on, which default to encrypted passwords, and makes it harder for intruders to sniff passwords from the network. By default, Samba uses clear-text Unix passwords.

smb passwd file

This option points to the location of the smbpasswd file, where encrypted Samba passwords are stored. When encrypted passwords are used, the Samba server must maintain two password files: passwd and smbpasswd. Use the mksmbpasswd.sh script to build the initial smbpasswd file from the passwd file.

socket options

Defines performance tuning parameters. This option is not required, although setting the send and receive buffers to 8 KB may slightly increase performance. In the case of this sample Red Hat configuration, the TCP_NODELAY setting, which causes Samba to send multiple packets with each transfer, has no effect because it is the default for versions of Samba 2.0.4 or higher. See Appendix B of Using Samba, by Kelly, Eckstein, and Collier-Brown (O'Reilly) for a good discussion of Samba performance tuning.

dns proxy

Specifies whether or not nmbd should forward unresolved NBNS queries to DNS.

In addition to the options described above, several other parameters are commonly used in the global section; they are shown in Table 9-3.

Table 9-3. Other global section parameters

Option

Function

deadtime

Defines the timeout for inactive connections.

debug level

Sets the level of messages written to the log.

keepalive

Uses keepalives to check on the state of the clients.

lock directory

Defines the path of the directory where wins.dat, status files, and lock files are stored.

message command

Defines how smbd handles WinPopup messages.

name resolve order

Defines the order in which services are queried to resolve NetBIOS names. Possible values are: lmhosts, hosts, wins, and bcast.

netbios aliases

Defines other names the server will answer to.

netbios name

Defines the server's NetBIOS name.

syslog

Maps debug levels to syslog levels.

syslog only

Uses syslog instead of Samba log files.

time server

Tells the server to advertise itself as a Windows time server.

wins support

Enables the WINS name server.

As the Red Hat sample configuration demonstrates, many servers come preconfigured with reasonable global parameters to begin running a simple server system. In addition to a preconfigured global section, the Red Hat configuration comes with a preconfigured homes section.

9.3.1.1 The smb.conf homes section

The homes section is a special share section. It tells smbd to permit users to access their home directories through SMB. Unlike other share sections, which we cover later, this section does not tell smbd the specific path of the directory being shared. Instead, smbd uses the home directory from the /etc/passwd file based on the username of the user requesting the share. The configuration parameters in the Red Hat homes section are:

comment

Provides a description of the share that is displayed in the comment field of the Network Neighborhood window when this share is viewed on a Windows PC.

browseable

Specifies whether or not all users may browse the contents of this share. no means that only users with the correct user ID are allowed to browse this share. yes means all users, regardless of UID, can browse the share. This parameter controls only browsing; actual access to the contents of the share is controlled by standard Linux file permissions.

writable

Specifies whether or not files can be written to this share. If yes, the share can be written to. If no, the share is read-only. This parameter defines the actions permitted by Samba. Actual permission to write to the directory defined by the share is still controlled by standard Linux file permissions.

valid users

This option lists the users who are allowed to use this share. In this example, %S contains the name of the user allowed to access this share.

create mode

This option defines the file permissions used when a client creates a file within the homes share.

directory mode

This option defines the permissions used when a client creates a directory within the homes share.

9.3.1.2 Sharing directories through Samba

To share a directory through Samba, create a share section in smb.conf that describes the directory and the conditions under which it will be shared. To share a new directory named /usr/doc/pcdocs and the /home/research directory used in the NFS examples, add the following two share sections to the sample smb.conf file:

[pcdocs]

     comment = PC Documentation

     path = /usr/doc/pcdocs

     browseable = yes

     writable = no

     public = yes



[research]

     comment = Research Deptment Shared Directory

     path = /home/research

     browseable = no

     writable = yes

     create mode = 0750

     hosts allow = horseshoe,jerboas,crab,rodent

Each share section is labeled with a meaningful name. This name is displayed as a folder in the Network Neighborhood window on client PCs. The example contains some commands we have already covered and a few new commands. The first new command is path, which defines the path of the directory being offered by this share.

The pcdocs share also contains the command public, which grants everyone access, even if they don't have a valid username or password. These public users are granted "guest account" access to the share. On a Linux system, this means they run as user nobody and group nobody and are limited to world permissions.

Files may be written to the research share. The create mode command controls the Unix permissions used when a client writes a file to the share. In the example, the permission 0750 specifies that files will be created as read/write/execute for the owner, read/execute for the group, and no permissions for the world. A related command, directory mode, defines the permission used when a client creates a directory within a share. For example:

directory mode = 0744

This sets the permissions for new directories to read/write/execute for the owner, read/execute for the group, and read/execute for the world. This is a reasonable setting that allows cd and ls to work as expected.

The research share section also contains a hosts allow command, which defines the clients that are allowed to access this share. Even if a user has the correct username and password, that user is allowed to access this share only from the specified hosts. By default, all hosts are granted access, and specific access is controlled by the username and password.

In addition to the hosts allow command, there is a hosts deny command that defines computers that are explicitly denied access to the share. Its syntax is similar to that of the hosts allow command.

Combining these two new share sections with the section that came with the Red Hat configuration creates a server that provides access to user home directories, to public directories, and to private directories limited to members of a group. This provides the same services as NFS in a manner that is simpler for Microsoft Windows clients to use. Samba can also be used to share printers with Windows clients.

9.3.1.3 Sharing printers through Samba

Shared printers are configured through the smb.conf file. The Red Hat system comes with a smb.conf file that is preconfigured for sharing printers. The following lines occur right after the global and homes sections in the Red Hat smb.conf file:

[printers]

   comment = All Printers

   path = /var/spool/samba

   browseable = no

   guest ok = no

   writable = no

   printable = yes

The printcap and load printers lines in the global section prepare the server to share the printers defined in the printcap file. This printers section makes those printers available to the clients in a manner similar to the way the homes section makes every home directory available to the appropriate user. The Red Hat printers share section contains five parameters.

Three of the parameters, comment, browseable, and path, were explained previously. Here, however, path does not define the path of a shared file. Instead, it defines the path of the spool directory for the SMB printers.

We introduce two new parameters in this configuration, the first of which is printable, which identifies this share as a printer. The default for this option is no, meaning that by default, shares are considered to be file shares instead of printer shares. To create a printer share, set this option to yes. Setting printable = yes permits clients to write printer files to the spool directory defined by the path option. Use a create mode command to limit the permissions of the files created by clients in the spool directory. For example, create mode = 0700.

The other new line, guest ok, defines whether or not guest accounts are permitted access to the resource. This is exactly the same as the public option discussed earlier, so these two options are used interchangeably. no means that the user nobody cannot send a print job to the printer. A user must have a valid user account to use the printer. This is designed to prevent guest users from abusing the printer, but it is also useful to have a valid username for sorting out print jobs if you use banner pages and accounting on the server.

Generally, a print server offers all of its printers to all of its clients. However, individual share sections can be created for each printer in the same way that they are created for file sharing. If you don't want to share every printer, remove the printers section, set the load printers option to no, and add individual share sections for just those printers that you want to share.

An smb.conf file with a share section for a specific printer might contain:

[global]

   workgroup = BOOKS

   server string = Print Server

   load printers = no  

   security = user

[homes]

   comment = Home Directories

   browseable = no

   writable = yes

[hp5m]

   comment = PostScript Laser Printer

   path = /var/spool/samba

   browseable = no

   public = no

   create mode = 0700

   printable = yes

   printer = lp

This sample file has no printers section. Instead, a share section named hp5m is added that shares a printer named lp. The printer name must be found in the printcap file for this to work. The printcap option is allowed to default to /etc/printcap.

smbd is the component of Samba that provides file and printer sharing. The other component of Samba is nmbd.

9.3.2 NetBIOS Name Service

The NetBIOS name server daemon (nmbd) is the part of the basic Samba software distribution that turns a Unix server into a NetBIOS name server (NBNS). nmbd can handle queries from LanManager clients, and it can be configured to act as a Windows Internet Name Server (WINS).

nmbd is configured in the global section of the smb.conf file. The options that relate to running WINS are:

wins support

Set to yes or no. This option determines whether or not nmbd runs as a WINS server. no is the default, so by default, nmbd provides browsing controls but does not provide WINS service.

dns proxy

Set to yes or no. This option tells nmbd to use DNS to resolve WINS queries that it cannot resolve any other way. This is significant only if nmbd is running as a WINS server. The default is yes. DNS can help with NetBIOS name resolution only if NetBIOS names and DNS hostnames are the same.

wins server

Set to the IP address of an external WINS server. This option is useful only if you're not running a WINS server on your Linux system. This option tells Samba the address of the external WINS server to which it should send NetBIOS name queries.

wins proxy

Set to yes or no. The default is no. When set to yes, nmbd resolves broadcast NetBIOS name queries by turning them into unicast queries and sending them directly to the WINS server. If wins support = yes is set, these queries are handled by nmbd itself. If instead wins server is set, these queries are sent to the external server. The wins proxy option is needed only if clients don't know the address of the server or don't understand the WINS protocol.

The NetBIOS name server is generally started at boot time with the following command:

nmbd -D

When started with the -D option, nmbd runs continuously as a daemon listening for NetBIOS name service requests on port 137. The server answers requests using registration data collected from its clients and the NetBIOS name-to-address mappings it has learned from other servers.

The lmhosts file is used to manually map addresses when that is necessary. Most WINS servers do not need an lmhosts file because the servers learn address mappings dynamically from clients and other servers. NetBIOS names are self-registered; clients register their NetBIOS names with the server when they boot. The addresses and names are stored in the WINS database, wins.dat. The lmhosts file is only a small part of the total database.

The lmhosts file is similar to the hosts file described in Chapter 4. Each entry begins with an IP address that is followed by a hostname. However, this time, the hostname is the NetBIOS name. Here is a sample lmhosts file:

$ cat /etc/lmhosts

172.16.12.3       horseshoe

172.16.12.1       crab

172.16.12.2       rodent

172.16.12.4       jerboas

Given this lmhosts file, the NetBIOS name rodent maps to IP address 172.16.12.2. Notice that these NetBIOS names are the same as the TCP/IP hostnames assigned to these clients. Use the same hostnames for both NetBIOS and TCP/IP. Doing otherwise limits configuration choices and creates confusion.