Section 9.8. The Windows Computers on My Network Don t Show Up

9.8. The Windows Computers on My Network Don't Show Up

When you make Linux and Microsoft Windows work together through Samba, you're configuring a Linux system on a Microsoft network. If you're having trouble finding Windows computers on a network, you may need to use Microsoft tools. And that can be supremely annoying to a Linux administrator.

This annoyance is essentially a skeletal troubleshooting primer on Samba. For more information on Samba, see Using Samba by Jay Ts et al. (O'Reilly).

When diagnosing a problem on a Microsoft/Samba network, the first thing to check is the network, which may lead to a different set of annoyances, described in "I'm Having Trouble Connecting to an Existing Network" in Chapter 7.

When you're responsible for a network of Linux and Microsoft Windows computers, you're at the mercy of the vagaries of NetBIOS broadcasts. For example, Microsoft computers may not show up on a Samba network until they have a chance to broadcast their presence on the network. So after you bring up a system, wait about 15 minutes before you worry about hosts that fail to show up when you browse the network (or worry that your new host fails to show up in the browse lists of other hosts).

One key point about Microsoft networks is that they can be organized into workgroups or domains. Workgroups are peer-to-peer networks, where sharing can be authorized by passwords alone or by usernames and passwords from the sharing server. Domains are hierarchical networks, where sharing can be authorized from the Domain Controller.

Samba does not fulfill all of the functions of the latest Microsoft servers. The developers do their best to clone Microsoft features after they are brought to market. For example, Samba does not yet support Linux as a Windows 2003 Active Directory Domain Controller.

As of this writing, you can configure a Linux computer with the Samba service as:

  • A member of a Microsoft workgroup

  • A member server of a Microsoft domain, with or without an Active Directory server

  • A Primary Domain Controller (PDC)

  • A Backup Domain Controller (BDC)

  • A browse master, which maintains the list of computers on the workgroup or domain

If you have problems, read the following sections. If you're running Samba 3.x, you may be able to use the net commands described at the end of this annoyance to help troubleshoot your systems.

9.8.1. Sharing from a Microsoft Computer

Naturally, before you can connect to a Microsoft computer, you need to authorize sharing from that computer. While details vary, sharing from a Microsoft computer requires that you authorize "File and Print Sharing" in the properties associated with the network device, and then actually share a directory or a printer from that computer.

The authorized username and password database depends on whether you're in a peer-to-peer workgroup or a domain. For more information on these topics, see the Windows Annoyances series by David A. Karp (O'Reilly) (consult the edition appropriate to the Windows OS version you're running).

If you don't see a computer on a Samba network, you may not have authorized sharing. On a Linux computer, other than network connections, there are several things you should check, as described in the following subsections. Is the Samba service running?

To share printers or directories on a Windows network, you need a running Samba server on the computer that you want to share. The following command checks to see whether the Samba service is running:

 ps aux | grep smbd 

Another way to check on some distributions is with the service script (the Debian Linux version of this script does not have this capability; some distributions may have a slightly different name for this script, such as samba):

 /etc/init.d/smb status Does the Samba configuration make sense?

Samba includes a configuration checker in the testparm command. Try it out for yourself. It will identify syntax errors in your Samba configuration file, which is generally smb.conf in the /etc/samba directory.

However, the problem is often in the details. For example, does the workgroup directive specified in the Linux configuration file match the workgroup or domain on each of the Windows systems? Do the shared directories have appropriate permissions? The details are as extensive as the directives available to the Samba configuration file; see the smb.conf file or the Windows Annoyances series by David A. Karp (O'Reilly) for more information. Do you have an account on a domain?

Most larger Windows networks are configured in domains, with dedicated servers acting as controllers. You need to make sure each computer in a Windows network has an account on that domain. You can use the net join or net ads join commands described later in this annoyance to join an available domain. Have you consolidated account databases?

Joining a Microsoft domain implies a single database of usernames and passwords. However, joining a domain is not enough. You need the winbind service to associate the Samba database with the Windows database. Once it's installed, you'll need to add appropriate mapping commands to your Samba configuration file.

One example of this from Debian Linux includes the following directives:

 idmap uid = 1000020000 idmap gid = 1000020000 template shell = /bin/bash 

These directives assign user and group ID numbers to those mapped from a domain authentication database. The template shell directive assigns a shell to users who log in to this system. Is there a problem with the browse master?

Lists of computers on a Windows network, whether they be on a workgroup or a domain, are maintained by a computer known on the network as the browse master. In a Microsoft network, the browse master is chosen by "election," based on browse master values, which can range from 1255. By default, Domain Controllers have a value of 32; you can configure your system as a master browser by setting the os level directive to a higher value.

Generally, you'll want to set up at least one Samba workstation as a browse master. There are three key directives associated with this system:

local master

Specifies whether the system will participate in browse master elections; this directive can be local master = yes or local master = no.

os level

Specifies the value associated with this system in a browser election; it may range from 1 to 255. Unless defaults have been changed on other systems, a value of 33 or higher is sufficient to establish the current system as the master browser.

preferred master

You should set no more than one computer with the preferred master = yes directive; otherwise, browser elections may take some time, and browse lists may be delayed.

If you administer more than one network, you may have more than one browse list. You can synchronize browse lists with the remote browse sync directive. For example, when I ran the following command on the computers on my networks:

 nmblookup -M workgroup 

I found two different master browsers, and To make sure their browse lists were synchronized, I added the following directive to each computer's /etc/samba/smb.conf configuration file:

 remote browse sync 

9.8.2. Finding Microsoft-Networked Computers

As I just noted, Microsoft networks work on the concept of a browse list. If you can find a computer on a browse list, you can find the resources that it's sharing. Once you find a shared resource, you can connect to it from a remote computer.

The command-line method for finding a browse list uses the following command:

 smbclient -L computername 

This produces the browse list, which comprises the directories and printers shared from the given computer. For example, I see the following, with NetBIOS names of each computer, in the output:

 Server          Connent --------        ------- DEBIAN          debian server (Samba 3.0.14a-Debian) ENTERPRISE4A    Samba Server SUSE1           Samba 3.0.13-1.1-SUSE WINXP           Other PC 

If you don't see the computer NetBIOS names that you expect, you may or may not have a connection problem. There is often a delay of several minutes between a change in connection status and its appearance on (or disappearance from) the browse list. If the browse list does not reflect the status of actual connections in a few minutes, you may have other problems, such as different master browsers.

You might notice that the output is identical to what you might see on a Microsoft computer, in the output to the net view command.

If you're browsing computers across networks, check your firewall. If it's blocking access to ports 137, 138, 139, and 445, you won't be able to access Samba across the network. Naturally, a firewall on a computer within a LAN can also prevent access to a computer via Samba.

9.8.3. Authorized Sharing

If you have trouble connecting to a shared directory with Samba, you may be having trouble with authentication. To isolate the problem, you need to know the five basic ways you can share directories and printers on a Microsoft network. (Much of this discussion is focused on networks with Microsoft Windows NT, 2000, and XP systems.) These methods are expressed as the directives that you'd see in the appropriate Samba configuration file:

security = share

Share-level security requires only a password for access to a shared directory. This is typical for workgroups of Windows 95/98/ME computers.

security = user

User-level security is the standard and is what you'll see on a Linux computer configured as a Domain Controller. This directive performs lookups in the local authentication database.

security = server

This directive passes authentication requests to another server. Requires that you include the Authentication Server directive to identify the computer with the authentication database.

security = domain

Domain-level security, contrary to expectation, is what you would see on a Samba server configured as a member server on a Microsoft domain. Requires that you include the Authentication Server directive to identify the PDC, BDC, or DC for the authentication database.

An account is also required on the PDC, BDC, or DC. If you're using Samba 2.x and are connecting to a PDC or BDC, use the smbpasswd -j domainame -r computername command. This should automatically create an account on the PDC or BDC. If you're connecting with a Samba 3.x system, use the net rpc join command described in the next section.

security = ads

Similar to security = domain, this directive allows a Samba 2.x or 3.x server to become a member server on an active directory network. You'll also need a directive to identify the password and Kerberos servers for this domain. For example, if the password and Kerberos server are the same as, you'd include the following directives in your Samba configuration file:

 realm = kerberos.example.REALM password server = 

9.8.4. The net Commands

Samba 3.x has introduced a set of net commands, which can help you troubleshoot and manage the Samba service for your network. They are somewhat different from the net commands that you might use on a Microsoft system.

If you're having trouble with connections on your network, you might check how Samba translates NetBIOS names to IP addresses with a command such as:

 net lookup debian 

If you need to join the local member server to a Microsoft domain named patio, you could use a command such as:

 net join -S patio -U administrator 

If you want to join an Active Directory domain, the command is slightly different:

 net ads join -U administrator realm 

In either case, you're prompted for the administrator's password on the applicable PDC or DC.

If you need to know who is connected to your shared directories, the following commands can help. The first identifies the user and client IP address; the second identifies the shared directory and connection time:

 net status sessions net status shares 

If you're working with an Active Directory (AD) service, you'll be interested in the net ads series of commands. For example, if you want to recheck your status on an AD domain, the following command can check:

 net ads testjoin 

If you're working with regular PDC or BDC, you may be interested in the net rpc series of commands. Many of the commands described for AD domains work in a similar fashion for PDCs and BDCs. For example, you may be able to join a domain administered by a PDC with the following command:

 net rpc testjoin 

If you want authentication information, the following command performs a raw search of the PDC database, creating a "dump" of users and groups from the domain controller:

 net rpc samdump 

One interesting option that can help you maintain a BDC is the following command, which synchronizes a PDC's users and groups into the local database:

 net rpc vampires 

Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: