Samba offers web-based configuration and administration. Even if you've never used a Windows computer and don't know the first thing about Windows file sharing, you'll be able to get a basic server up and running in only a few minutes.
Samba is a large piece of software—approaching Apache in terms of complexity and number of configuration options. In this chapter, the focus is on setting up solid, general-purpose servers. High-end needs are best served by other sources, such as Sams Teach Yourself Samba in 24 Hours (ISBN: 0672316099). The Samba website is also a great source for information (http://www.samba.org).
Let's get down to business.
Activating the SWAT Web Interface
Although Samba can be activated and used with Apple's default configuration (stored in /etc/smb.conf), you'll be missing 99% of the functionality. Samba offers many advanced features that can be accessed only when you manually edit the setup. In its early days, Samba was configured entirely by hand by editing the smb.conf file. It worked, but wasn't really useful to anyone but the most die-hard Unix users. Today, however, configuration is handled entirely through a web-based GUI called SWAT.
> Although Samba can be configured by hand (which you're welcome to do), it is recommended that SWAT be used at all times. Some small changes are easy enough to accomplish with a text editor, but the Samba configuration file is extremely sensitive to invalid settings.
>
> If at any point in time you want to return to the original Mac OS X Samba configuration, just copy the file /etc/smb.conf.template over /etc/smb.conf, and all the changes you've made will be overwritten.
SWAT is included with your system but not ready for use—you must configure how launchd will start SWAT. Edit the file /System/Library/LaunchDaemons/swat.plist to include -a as one of the program arguments. This will allow any local user to make changes to the Samba configuration via SWAT. Unfortunately, this is necessary as it is currently not possible to authenticate with the SWAT process. Notice, however, that the SWAT service is Disabled in the plist file. SWAT will not launch at boot and can be used only when an administrator explicitly starts it.

The resulting file should look like this:
```xml
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>GID</key>
    <integer>0</integer>
    <key>Label</key>
    <string>org.samba.swat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/swat</string>
        <!-- launchd passes each <string> as one argv element, so the
             options must be listed separately, not as "-a -d 10" -->
        <string>-a</string>
        <string>-d</string>
        <string>10</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <!-- bound to localhost: with -a there is no authentication,
                 so SWAT must not be reachable from other hosts -->
            <key>SockNodeName</key>
            <string>localhost</string>
            <key>SockServiceName</key>
            <integer>901</integer>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
```
That's it; SWAT is ready to run. Type sudo /sbin/service swat start to begin using SWAT. When you've finished, you should stop SWAT by typing sudo /sbin/service swat stop.
> SWAT is not related, in any way, to the Apache process. Even if Apache is not activated, you'll still be able to use a web browser to configure the Samba server. The launchd process listens on port 901 for an incoming TCP connection, and then launches /usr/sbin/swat to service the request.
Configuring Samba Sharing
To configure Samba, start a web browser and point it at port 901 of the Samba server (http://localhost:901). Because authentication is disabled, you will have full access to the SWAT controls. Figure 27.9 shows the SWAT home screen.

The top of the SWAT display includes eight buttons to control the operation of the server:

- Home — Provides links to Samba documentation and supplemental material.
- Globals — Settings that affect the entire server, such as its name and security model.
- Shares — Shared file resources. If you used the sample configuration file that comes with Apple's Samba distribution, a single home directory share already should be configured.
- Printers — Shared printers. To share a printer, it must first be set up so that it can be accessed from Mac OS X. By default, all configured printers are shared.
- Wizard — A quick-start for configuring Samba to be a standalone server, domain controller, or domain member. Because Mac OS X already includes a standalone configuration with setup specific to Mac OS X, starting over isn't recommended.
- Status — Monitor and view the status of the server. If you're logged in as root, you can restart or stop the server process.
- View — View a copy of the text configuration file.
- Password — Set and edit Samba user passwords. Samba authenticates against Mac OS X passwords by default, so it is unlikely you'll need these settings.
Let's step through these configuration screens to see the options used in a typical sharing environment.
> Samba has so many configuration options that additional resources, such as Sams Teach Yourself Samba in 24 Hours, are recommended for complex configurations.
Globals
The Global Variables page, shown in Figure 27.10, is the starting point for setting up your Samba server. Many people jump the gun and immediately start setting up file shares. Failure to properly configure the global options might make it impossible to mount or browse shared resources.
Two buttons can save server settings (Commit Changes) and reset changes (Reset Values). Choosing the Basic or Advanced button shows additional options—a number of which are listed in Table 27.4. If you don't see the setting you're looking for, move to the Advanced mode.
Table 27.4. Common Global Options and Their Purpose

| Option | Purpose |
|---|---|
| workgroup | Sets the workgroup or domain that the server belongs to. Set this to the same value as the workgroup/domain of local Windows clients; otherwise, they cannot browse the server. This is the same value that can be set in the Directory Access application. |
| netbios name | The Windows (NetBIOS) name of the server. |
| netbios aliases | A list of additional NetBIOS names to which the Samba server responds. |
| server string | A string used to describe the server. This is entirely arbitrary. |
| interfaces | The network interfaces that Samba broadcasts over. For example, Mac OS X's primary interface is en0. By default, all active interfaces are used. To limit the interfaces, enter the interface names to use or the network address followed by a subnet mask (that is, 192.168.0.0/255.255.255.0). |
| password level | The number of case changes checked between the client login and the server password. Because client operating systems might transmit passwords in uppercase, they have to be altered to authenticate with the server. (Advanced) |
| username level | The same as the password level but alters the username in a similar manner. For example, if I have a Mac OS X username of jray and a Windows login of JRAY, I must set this value to 4 for it to be successfully permuted into the lowercase version. (Advanced) |
| security | The type of security model to use. User security bases access on a user login. Share password-protects individual shared resources. Domain and server security pass authentication duties to other Windows or Samba servers, respectively. You'll probably want user- or share-level security. |
| encrypt passwords | Sets encrypted password negotiation with the client. Encrypted passwords are required to access Samba from Windows 98 and later. |
| guest account | The local user that should be used for guest access and resource browsing. Mac OS X should use unknown. |
| hosts allow | A list of hostnames, IP addresses, IP addresses with subnet masks (192.168.0.0/255.255.255.0), or partial addresses (192.168.0.) that can access the server. The except keyword can create an exception to a rule. For example, 192.168.0.0/255.255.255.0 except 192.168.0.5 would allow any host in the 192.168.0.0 subnet, except 192.168.0.5, to access the server. If left blank, all remote hosts can access the server. |
| hosts deny | Like hosts allow but used to list hosts that should not have access to the server. Configure using the same method as hosts allow. |
| log file | The log file to store server accesses in. The %m in the default path appends the name of the remote machine to the log file name. |
| max log size | The maximum size in kilobytes that a log file should be allowed to reach before rolling over. |
| domain logon | Accept domain logins. This allows Windows clients to recognize the Samba server as a PDC (primary domain controller). (Advanced) |
| preferred master | If set to Yes, the Samba server attempts to force an election for master browser. Do not use on networks with multiple servers that want to be masters. |
| local master | Enables Samba to try to become the master browser for the local area network. If set to No, it does not attempt to assume this role. |
| domain master | Enables Samba's nmbd component to become a domain master browser that collects browse lists from remote subnets. |
| os level | A number used to determine the ranking of Samba when a master browser is being elected on a Windows network. If Samba is the only server on the network, use the default 20. If NT/2000/XP machines are on the network and you want Samba to be the master browser, set this to a value greater than 32. |
| dns proxy | Attempts to resolve WINS queries through DNS if they cannot be resolved from locally registered machines. |
| wins server | A remote WINS server that Samba should register with. |
| wins support | Enables Samba's WINS service. Only a single machine should act as a WINS server on a given subnet. |
The default settings should be sufficient for most small networks, with the exception of the base and security options (such as hosts allow and hosts deny). The best rule for Samba is that if you aren't sure what something does or whether you even need it, don't touch it.
Shares
The Share Parameters page sets up file shares that can be mounted on networked Windows-based computers. To create a new share, type a share name in the Create Share field and then click the Create Share button. To edit an existing share, choose its name from the pop-up list and then click Choose Share—or click Delete Share to remove it completely.
With the default Tiger Samba configuration file, a single homes share should already be available. homes is unique because it is equivalent to each user sharing his home directory. Figure 27.11 shows this share loaded.
The basic share parameters are listed in Table 27.5. A few advanced options are also included.
Table 27.5. File-Sharing Options and Values

| Option | Purpose |
|---|---|
| comment | A comment to help identify the shared resource. |
| path | The pathname of the directory to share. Be aware that in user-level security, you must make sure that the corresponding Mac OS X user accounts have access to this directory. When using share-level security, a single user account is used—usually the guest account. In that case, the next setting becomes very important. |
| guest account | The account used to access the share if the remote client is logged in as a guest. The default is unknown, but, if set to another username, the guest user will have the read/write permissions of that local user account. If you want to use share-level access control, you can set this value to the account whose permissions should be used when accessing the share. |
| force user | If entered, the force user username is used for all accesses (read/write) to the file share, regardless of the username used to log in. (Advanced) |
| force group | Similar to force user but forces a group rather than a user. (Advanced) |
| read only | When set to Yes, users cannot write to the share, regardless of the Mac OS X file permissions. |
| read list | A list of users that should only have read access to the volume, regardless of any other settings. |
| write list | A list of users that should have read/write access regardless of any other settings. |
| create mask | A set of permissions that newly created files will have. By default, the mask is set to 0744. (Advanced) |
| guest ok | If set to Yes, guests can log in to the server without a password. |
| hosts allow | A list of hostnames, IP addresses, IP addresses with subnet masks (192.168.0.0/255.255.255.0), or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, 192.168.0.0/255.255.255.0 except 192.168.0.5 would allow any host in the 192.168.0.0 subnet, except 192.168.0.5, to access the server. If left blank, all remote hosts can access the server. |
| hosts deny | Like hosts allow but used to list hosts that should not have access to the server. Configure using the same method as hosts allow. |
| max connections | Restricts the number of simultaneous users who can access the share. (Advanced) |
| browseable | When set to Yes, the share shows up in the Windows network browser. If No, the share still exists, but remote users cannot see its name. |
| available | If set to Yes, the share is made available over the network. Setting to No disables access to the share. |
The trickiest part of setting up a share is figuring out user access rights. Regardless of whether Samba is using user-level or share-level access, a Unix user must be mapped to the incoming connection.
The easiest security model is user level (the default), which requires Windows users to log in to their computers using the same username and password set up on the Mac OS X machine. When using user-level access, Windows users are mapped directly to Samba users. The Mac OS X file permissions apply directly to the permissions of the connected user.

Assume, for example, that the Mac OS X user jray has read/write permissions to the folder /Stuff, which is also set to be a Samba share. If jray logs in to a Windows computer using the same username as on Mac OS X, he can access the Stuff share and have read/write access. The SWAT Password page can be used to map Unix users to the passwords that they will use on the remote Windows client if the Windows password doesn't match their default OS X password.
> Apple's Samba implementation takes advantage of Open Directory for authentication. If, for example, a Tiger computer is bound to an Active Directory domain, AD users may authenticate with the Samba process using their Windows credentials. Users that have authenticated with the domain that the Tiger machine is part of should also be able to automatically access shares to which they have permission without needing to supply an additional login or password.
Things are a bit different with share-level access. In such cases, a single password is needed to access the share for all users, and no matter who is logged in, a single account is used by Samba when interacting with the Mac OS X filesystem. To simplify share-level security, create a new Mac OS X user to use for logging in to your shares and then set the guest account for the share equal to the Mac OS X username. You should disable other login access (set the shell to /dev/null) if you do distribute a password among multiple people for the purpose of file sharing.
Wizard
The Samba Wizard options configure a Samba server to act as a standalone server, domain member, or domain controller. Use the radio buttons to choose your basic server settings, how WINS will be used (as either a client, server, or not at all), and whether home directories should be enabled. Click Commit to save the changes.
> Samba maintains the basic share settings and parameters configured before the wizard is used. The wizard feature tweaks a handful of global options to make the server more quickly adaptable to a given role.
Printers
Samba can act as a full print server for a Windows network. By default, all configured printers are shared through a share called printers that operates much like the homes share does for home directories. Refer to Chapter 6, "Printer, Fax, and Font Management," for information about setting up Mac OS X printers.

There are a few options for setting up printer sharing. You can go with the default of sharing every printer available through the printers share. You can also modify the settings of the printers share or any specific shared printer to control its use. A final option is to delete the printers share and configure each device manually. Because Mac OS X normally does most of the work for you automatically, this last option really just makes life more difficult. Shared printers can be configured using the options in Table 27.6.
Table 27.6. Printer Sharing Options

| Option | Purpose |
|---|---|
| comment | A comment used to identify the printer share. |
| path | A directory where print spool files are saved before printing. The directory must be configured to be world-writable and have the sticky bit set. |
| guest ok | If set to Yes, guests may access the printer. This is not a wise idea on a publicly networked device. |
| hosts allow | A list of hostnames, IP addresses, IP addresses with subnet masks (192.168.0.0/255.255.255.0), or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, 192.168.0.0/255.255.255.0 except 192.168.0.5 would allow any host in the 192.168.0.0 subnet, except 192.168.0.5, to access the server. If left blank, all remote hosts can access the server. |
| hosts deny | Like hosts allow but used to list hosts that should not have access to the server. Configure using the same method as hosts allow. |
| printable | Allows authenticated clients to write to the print spool directory. |
| printer name | The CUPS (Common Unix Printing System) name for the printer; used if configuring the printer manually. You must switch to Advanced view to see this option. To view a list of the CUPS-recognized printers on your system, type lpstat -p. Any available printer can be shared. |
| max print jobs | The maximum number of print jobs that can be submitted to the print queue at one time. |
| browseable | When set to Yes, the printer shows up in the Windows network browser. If set to No, the printer share still exists but remote users cannot see its name. |
| available | If set to Yes, the printer is made available over the network. Setting to No disables access to the printer. |
Enter the options needed to create the printer share and then click Commit Changes. Windows clients should be able to browse and print the device (with an appropriate driver) immediately.
> An alternative means of sharing printers with Windows clients is by way of the Mac OS X CUPS subsystem. This can be helpful for printing across subnets or where IP-based printing is the only acceptable solution. An excellent tutorial on using CUPS in this manner is provided at http://stocksy.is-a-geek.com/information/pantherprint/pantherprintxp.php. You should be able to disregard the information on fixing CUPS because it is (at the time of this writing) working correctly in Tiger.
Status
The SWAT Server Status page gives a quick overview of the server's current conditions, including active connections, shares, and files. Normally, the administrator can use this screen to restart the server or disable any active connections. Unfortunately, in Tiger, Apple has chosen to use launchd to start smbd and nmbd on demand—meaning that they will not show up as active in the display regardless of whether they truly are.

- Stop/Start/Restart smbd — Stops, starts, or restarts smbd—the Samba SMB file/print server. All active connections are terminated.
- Stop/Start/Restart nmbd — Stops, starts, or restarts nmbd—the Samba NetBIOS name server. Does not affect active connections.
- Stop/Start/Restart winbindd — Stops, starts, or restarts winbindd—a process that binds to a Windows domain to retrieve account information. Does not affect active connections.

The remaining two settings are still useful, regardless of how the daemon processes themselves are handled:

- Auto Refresh — Sets the SWAT status page to autorefresh based on the Refresh Interval field. This is useful for monitoring server activity.
- Kill — The Kill button (an X) appears to the right of every listed connection. Clicking the button immediately terminates the link.
> Terminating an active connection might result in data loss for the remote user. Although certainly a tempting prank, it isn't a nice thing to do.
View
View offers a glimpse at the configuration file behind SWAT's GUI. Sometimes it's easier to scan through a text file to locate a problem than to work with the web interface. The View page has two modes. The Normal view (default) shows the minimum configuration file needed to implement your settings.
Switching to the Full view displays all the settings, including default options, for the Samba configuration. Each option is explicitly listed, regardless of its necessity.
Password
The Password page is used to set up Samba passwords for existing Mac OS X users, or change remote user passwords if using domain-level security and a remote host for user authentication.
If you've enabled a Mac OS X user so that she can log in to her account from Windows, you've effectively already used this feature. Because Apple has tied Samba to the Mac OS X authentication system, there is no need to touch these settings; use the Tiger Sharing preferences pane instead.
If Samba uses domain-level security, another server (such as a Windows primary domain controller) is the source for all authentication information. To change a user's password on the remote server, use the Client/Server Password Management features of the password screen:
- User Name — The remote user to change.
- Old Password — The user's existing password.
- New Password — The new password to set on the remote server.
- Re-type New Password — The same as the New Password option; used to verify typing.
- Remote Machine — The remote server that contains the username/password mappings.
Click the Change Password button to send the password changes to the remote server.
Creating a Simple Samba Share by Hand
Now let's go through the process of accessing a shared volume from a Windows computer. This example uses Windows XP. By the time you read this, five or six new variations of Windows will probably be available, so I apologize if the instructions don't match up entirely.
First, set up the server defaults. For my machine, POINTY, I've created a bare global configuration. Rather than including a screenshot for the share, I'm including the configuration from the /etc/smb.conf file. Each resource has its own block in the config file. Within that block, the options we've covered are listed along with their associated value. This is the global configuration block for my simple Samba server:

```ini
[global]
auth methods = guest opendirectory
passdb backend = opendirectorysam guest
guest account = unknown
workgroup = POISONTOOTH
netbios name = POINTY
server string = Poisontooth SAMBA Server
encrypt passwords = Yes
preferred master = Yes
dns proxy = No
wins support = Yes
```
The workgroup, NetBIOS name, and server string are personalized for my server and local area network. I've also chosen to have the server act as a WINS server and register as the preferred master browser on the network. It's important to note that encrypted passwords are enabled; otherwise, newer Windows clients (such as Windows 2000/XP) wouldn't be able to connect.

Next, the file share. I've created a folder /filestorage/mp3s on my computer to hold my library of iTunes MP3 files. My user account (jray) owns the folder and has read/write permission to it. This simple share, named MyMP3s, is defined as

```ini
[MyMP3s]
path = /filestorage/mp3s
read only = No
```
Now, with only a few clicks of the mouse (barring Windows lockups), I'll be happily listening to my iTunes music on a Windows computer.
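A hand-written smb.conf is easy to get subtly wrong, and SWAT's View page only shows you the text. The script below is an added example, not part of the book or of Samba, that parses smb.conf (it is INI-like, so Python's configparser handles it) and flags the settings this chapter singles out as risky: encrypt passwords turned off, share-level security, a guest-accessible writable share, guest access on a printer share, and a share with no hosts allow at either level. The first embedded sample is the chapter's own [global] and [MyMP3s] blocks; the second is a constructed configuration that trips every check. The defaults assumed for absent options (read only = yes, security = user) follow Samba's documented defaults.

```python
import configparser

# Constructed sample, built from the chapter's [global] and [MyMP3s] blocks
SAMPLE_SMB_CONF = """\
[global]
auth methods = guest opendirectory
passdb backend = opendirectorysam guest
guest account = unknown
workgroup = POISONTOOTH
netbios name = POINTY
server string = Poisontooth SAMBA Server
encrypt passwords = Yes
preferred master = Yes
dns proxy = No
wins support = Yes

[MyMP3s]
path = /filestorage/mp3s
read only = No
"""

# Constructed sample that shows the settings the audit is meant to catch
RISKY_SMB_CONF = """\
[global]
security = share
encrypt passwords = No

[dropbox]
path = /tmp/dropbox
guest ok = Yes
read only = No

[printers]
path = /var/spool/samba
printable = Yes
guest ok = Yes
"""


def load_smb_conf(text):
    """Parse smb.conf text; keys are case-insensitive and may contain spaces."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def share_is_writable(section):
    """Samba defaults to read only = yes; writable/writeable are synonyms."""
    if "read only" in section:
        return not is_yes(section["read only"])
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return is_yes(section[key])
    return False


def audit_smb_conf(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    conf = load_smb_conf(text)
    findings = []
    glob = conf["global"] if conf.has_section("global") else {}

    if not is_yes(glob.get("encrypt passwords", "no")):
        findings.append("[global] encrypt passwords is not Yes: passwords cross the wire in the clear and newer Windows clients cannot connect")
    if glob.get("security", "user").strip().lower() == "share":
        findings.append("[global] security = share: one password per resource, so there is no per-user accountability")

    for name in conf.sections():
        if name == "global":
            continue
        share = conf[name]
        guest = is_yes(share.get("guest ok", "no"))
        if guest and share_is_writable(share):
            findings.append(f"[{name}] guest ok with write access: anyone who can reach the server can modify files")
        if guest and is_yes(share.get("printable", "no")):
            findings.append(f"[{name}] guest ok on a printer share: anyone who can reach the server can submit jobs")
        if not share.get("hosts allow", "").strip() and not glob.get("hosts allow", "").strip():
            findings.append(f"[{name}] no hosts allow at share or global level: every remote host may connect")
    return findings


if __name__ == "__main__":
    for label, text in (("chapter sample", SAMPLE_SMB_CONF), ("risky sample", RISKY_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(text) or ["no findings"]:
            print(" ", finding)
```

Run against the chapter's own configuration the only finding is the missing hosts allow on MyMP3s, which is exactly the option the Globals section tells you not to leave at its default on anything but a trusted network.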
Mounting a Samba Share in Windows
There are a number of different ways to mount a network drive under Windows. If your Windows XP computer is set up with the same workgroup name as the Samba server, double-click My Network Places and then View Workgroup Computers. The Samba server should appear using the NetBIOS name you specified in the Global configuration.
Right-clicking My Network Places (or My Computer) and choosing Map Network Drive from the pop-up menu is the fastest mounting method. The screen shown in Figure 27.12 is displayed.

Choose a drive letter to use for the mounted volume and then enter the share path in the Folder field. The share path is entered as \\<NetBIOS name>\<share name>. For the sample share I've set up, the path is \\pointy\MyMP3s\. Click the Reconnect at Logon button to automatically mount the shared resource when you log in to the Windows computer. The Tiger folder, shared through Samba, becomes usable like any other network drive on Windows.
Monitoring Samba Connections with smbstatus

Although the SWAT interface is fully capable of telling you who is accessing your server, sometimes a web browser isn't convenient. In that case, the smbstatus utility provides information about the active connections and users. For example:

```text
brezup:root root # smbstatus
NOTE: Service printers is flagged unavailable.
Samba version 3.0.0beta3

PID     Username  Group   Machine
-------------------------------------------------------------------
951     jray      jray    client19     (10.0.1.119)
965     jray      jray    painful      (10.0.1.107)

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         965   painful       Sat Mar 12 13:11:05 2005
jray         951   client19      Sat Mar 12 13:11:05 2005
jray         965   painful       Sat Mar 12 13:11:05 2005

No locked files
```
In this example, two client computers (client19 and painful) are connected using the process IDs 951 and 965, respectively. The painful client is using the default IPC$ and jray shares, whereas client19 is just using jray. You can force a connection to close by killing the associated process ID.

Table 27.7 shows the most useful smbstatus options.

Table 27.7. smbstatus Options
| Option | Purpose |
|---|---|
| -b | Summary of connected users. |
| -d | Detailed connection listing. This is the default mode. |
| -L | Lists locked files only. |
| -p | Lists the smbd process IDs and exits. |
| -S | Lists connected shares only. |
| -s <config file> | Chooses the smb.conf file to use. |
| -u <username> | Displays only information relevant to a given username. |
| -v | Verbose output. |
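Because each connection in the smbstatus listing is tied to an smbd process ID, the output is a natural input for a monitoring check. The parser below is an added example, not code from the book or from Samba, that reads the Samba 3.0 layout shown above (the embedded sample is a copy of that output), groups the connected services under each session's PID, and reports the PIDs whose client address falls outside a network you consider trusted; those are the sessions an administrator would review before deciding whether to terminate them. The column layout and the network argument are assumptions for this example; later Samba releases print a different status format.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the smbstatus output shown in this section
SAMPLE_SMBSTATUS = """\
NOTE: Service printers is flagged unavailable.
Samba version 3.0.0beta3

PID     Username  Group   Machine
-------------------------------------------------------------------
951     jray      jray    client19     (10.0.1.119)
965     jray      jray    painful      (10.0.1.107)

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         965   painful       Sat Mar 12 13:11:05 2005
jray         951   client19      Sat Mar 12 13:11:05 2005
jray         965   painful       Sat Mar 12 13:11:05 2005

No locked files
"""

# "PID Username Group Machine (ip)" rows of the first table
SESSION_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# "Service pid machine Connected at" rows of the second table
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class Session:
    pid: int
    user: str
    group: str
    machine: str
    ip: str
    services: list = field(default_factory=list)


def parse_smbstatus(text):
    """Build {pid: Session} from smbstatus output in the Samba 3.0 layout."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            pid = int(m.group(1))
            sessions[pid] = Session(pid, m.group(2), m.group(3), m.group(4), m.group(5))
            continue
        m = SERVICE_RE.match(line)
        # Service rows reference a PID already seen in the session table;
        # header and banner lines never have digits in the second column.
        if m and int(m.group(2)) in sessions:
            sessions[int(m.group(2))].services.append(m.group(1))
    return sessions


def sessions_outside(text, allowed_network):
    """PIDs of sessions whose client address is not inside allowed_network.

    allowed_network takes CIDR or the address/mask form used in hosts allow.
    """
    net = ipaddress.ip_network(allowed_network, strict=False)
    return sorted(
        s.pid for s in parse_smbstatus(text).values()
        if ipaddress.ip_address(s.ip) not in net
    )


if __name__ == "__main__":
    for session in parse_smbstatus(SAMPLE_SMBSTATUS).values():
        print(f"pid {session.pid}: {session.user}@{session.machine} ({session.ip}) "
              f"-> {', '.join(session.services)}")
    # Constructed trusted range; the PIDs printed are the ones to review
    print("outside 10.0.1.96/28:", sessions_outside(SAMPLE_SMBSTATUS, "10.0.1.96/28"))
```

In practice you would feed the function the live output (for example the result of running smbstatus from a cron job) rather than the embedded sample, and log or alert on the returned PIDs instead of killing them automatically, since the note above about data loss for the remote user still applies.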