9.8. The Windows Computers on My Network Don't Show Up
When you make Linux and Microsoft Windows work together through Samba, you're configuring a Linux system on a Microsoft network. If you're having trouble finding Windows computers on a network, you may need to use Microsoft tools. And that can be supremely annoying to a Linux administrator.
This annoyance is essentially a skeletal troubleshooting primer on Samba. For more information on Samba, see Using Samba by Jay Ts et al. (O'Reilly).
When you're responsible for a network of Linux and Microsoft Windows computers, you're at the mercy of the vagaries of NetBIOS broadcasts. For example, Microsoft computers may not show up on a Samba network until they have a chance to broadcast their presence on the network. So after you bring up a system, wait about 15 minutes before you worry about hosts that fail to show up when you browse the network (or worry that your new host fails to show up in the browse lists of other hosts).
Samba does not fulfill all of the functions of the latest Microsoft servers. The developers do their best to clone Microsoft features after they are brought to market. For example, Samba does not yet support Linux as a Windows 2003 Active Directory Domain Controller.
As of this writing, you can configure a Linux computer with the Samba service as:
If you have problems, read the following sections. If you're running Samba 3.x, you may be able to use the net commands described at the end of this annoyance to help troubleshoot your systems.
9.8.1. Sharing from a Microsoft Computer
Naturally, before you can connect to a Microsoft computer, you need to authorize sharing from that computer. While details vary, sharing from a Microsoft computer requires that you authorize "File and Print Sharing" in the properties associated with the network device, and then actually share a directory or a printer from that computer.
The authorized username and password database depends on whether you're in a peer-to-peer workgroup or a domain. For more information on these topics, see the Windows Annoyances series by David A. Karp (O'Reilly) (consult the edition appropriate to the Windows OS version you're running).
If you don't see a computer on a Samba network, you may not have authorized sharing. On a Linux computer, other than network connections, there are several things you should check, as described in the following subsections.
188.8.131.52. Is the Samba service running?
To share printers or directories on a Windows network, you need a running Samba server on the computer that you want to share. The following command checks to see whether the Samba service is running:
ps aux | grep smbd
Another way to check on some distributions is with the service script (the Debian Linux version of this script does not have this capability; some distributions may have a slightly different name for this script, such as samba):
184.108.40.206. Does the Samba configuration make sense?
Samba includes a configuration checker in the testparm command. Try it out for yourself. It will identify syntax errors in your Samba configuration file, which is generally smb.conf in the /etc/samba directory.
However, the problem is often in the details. For example, does the workgroup directive specified in the Linux configuration file match the workgroup or domain on each of the Windows systems? Do the shared directories have appropriate permissions? The details are as extensive as the directives available to the Samba configuration file; see the smb.conf file or the Windows Annoyances series by David A. Karp (O'Reilly) for more information.
220.127.116.11. Do you have an account on a domain?
Most larger Windows networks are configured in domains, with dedicated servers acting as controllers. You need to make sure each computer in a Windows network has an account on that domain. You can use the net join or net ads join commands described later in this annoyance to join an available domain.
18.104.22.168. Have you consolidated account databases?
Joining a Microsoft domain implies a single database of usernames and passwords. However, joining a domain is not enough. You need the winbind service to associate the Samba database with the Windows database. Once it's installed, you'll need to add appropriate mapping commands to your Samba configuration file.
One example of this from Debian Linux includes the following directives:
idmap uid = 1000020000 idmap gid = 1000020000 template shell = /bin/bash
These directives assign user and group ID numbers to those mapped from a domain authentication database. The template shell directive assigns a shell to users who log in to this system.
22.214.171.124. Is there a problem with the browse master?
Lists of computers on a Windows network, whether they be on a workgroup or a domain, are maintained by a computer known on the network as the browse master. In a Microsoft network, the browse master is chosen by "election," based on browse master values, which can range from 1255. By default, Domain Controllers have a value of 32; you can configure your system as a master browser by setting the os level directive to a higher value.
Generally, you'll want to set up at least one Samba workstation as a browse master. There are three key directives associated with this system:
If you administer more than one network, you may have more than one browse list. You can synchronize browse lists with the remote browse sync directive. For example, when I ran the following command on the computers on my networks:
nmblookup -M workgroup
I found two different master browsers, 192.168.0.15 and 192.168.1.2. To make sure their browse lists were synchronized, I added the following directive to each computer's /etc/samba/smb.conf configuration file:
remote browse sync 192.168.0.15 192.168.1.2
9.8.2. Finding Microsoft-Networked Computers
As I just noted, Microsoft networks work on the concept of a browse list. If you can find a computer on a browse list, you can find the resources that it's sharing. Once you find a shared resource, you can connect to it from a remote computer.
The command-line method for finding a browse list uses the following command:
smbclient -L computername
This produces the browse list, which comprises the directories and printers shared from the given computer. For example, I see the following, with NetBIOS names of each computer, in the output:
Server Connent -------- ------- DEBIAN debian server (Samba 3.0.14a-Debian) ENTERPRISE4A Samba Server SUSE1 Samba 3.0.13-1.1-SUSE WINXP Other PC
If you don't see the computer NetBIOS names that you expect, you may or may not have a connection problem. There is often a delay of several minutes between a change in connection status and its appearance on (or disappearance from) the browse list. If the browse list does not reflect the status of actual connections in a few minutes, you may have other problems, such as different master browsers.
You might notice that the output is identical to what you might see on a Microsoft computer, in the output to the net view command.
If you're browsing computers across networks, check your firewall. If it's blocking access to ports 137, 138, 139, and 445, you won't be able to access Samba across the network. Naturally, a firewall on a computer within a LAN can also prevent access to a computer via Samba.
9.8.3. Authorized Sharing
If you have trouble connecting to a shared directory with Samba, you may be having trouble with authentication. To isolate the problem, you need to know the five basic ways you can share directories and printers on a Microsoft network. (Much of this discussion is focused on networks with Microsoft Windows NT, 2000, and XP systems.) These methods are expressed as the directives that you'd see in the appropriate Samba configuration file:
9.8.4. The net Commands
Samba 3.x has introduced a set of net commands, which can help you troubleshoot and manage the Samba service for your network. They are somewhat different from the net commands that you might use on a Microsoft system.
If you're having trouble with connections on your network, you might check how Samba translates NetBIOS names to IP addresses with a command such as:
net lookup debian
If you need to join the local member server to a Microsoft domain named patio, you could use a command such as:
net join -S patio -U administrator
If you want to join an Active Directory domain, the command is slightly different:
net ads join -U administrator realm
In either case, you're prompted for the administrator's password on the applicable PDC or DC.
If you need to know who is connected to your shared directories, the following commands can help. The first identifies the user and client IP address; the second identifies the shared directory and connection time:
net status sessions net status shares
If you're working with an Active Directory (AD) service, you'll be interested in the net ads series of commands. For example, if you want to recheck your status on an AD domain, the following command can check:
net ads testjoin
If you're working with regular PDC or BDC, you may be interested in the net rpc series of commands. Many of the commands described for AD domains work in a similar fashion for PDCs and BDCs. For example, you may be able to join a domain administered by a PDC with the following command:
net rpc testjoin
If you want authentication information, the following command performs a raw search of the PDC database, creating a "dump" of users and groups from the domain controller:
net rpc samdump
One interesting option that can help you maintain a BDC is the following command, which synchronizes a PDC's users and groups into the local database:
net rpc vampires