Certification Objective 10.04-Samba Services


Microsoft's CIFS was built on the Server Message Block (SMB) protocol. SMB was developed in the 1980s by IBM, Microsoft, and Intel as a way to share files and printers over a network.

As Microsoft has developed SMB into CIFS, the Samba developers have upgraded Samba accordingly. Samba services provide a stable, reliable, fast, and highly compatible file and print sharing service that allows your computer to act as a client, a member server, or even a Primary Domain Controller (PDC) or a member of an Active Directory (AD) service on Microsoft-based networks. While Samba does not include every feature built into the latest Microsoft networks, I have confidence that it will in the near future.

On the Job 

I look forward to the release of Samba 4.0, which will make it possible for Linux to act as an AD controller on a Microsoft-based network. However, I don't believe you will see Samba 4.0 in Red Hat distributions until RHEL 6 is released.

SMB network communication over a Microsoft-based network is also known as NetBIOS over TCP/IP. Through the collective works of Andrew Tridgell and the Samba team, Linux systems provide transparent and reliable SMB support over TCP/IP via a package known as Samba. You can do four basic things with Samba:

  • Share a Linux directory tree with Windows and Linux/Unix computers

  • Share a Windows directory with Linux/Unix computers

  • Share a Linux printer with Windows and Linux/Unix computers

  • Share a Windows printer with Linux/Unix computers

Samba emulates many of the advanced network features and functions associated with the Win9x/Me and NT/2000/XP/2003/Vista operating systems through the SMB protocol. Complete information can be found at the official Samba Web site at www.samba.org. It is easy to configure Samba to do a number of things on a Microsoft-based network. Here are some examples:

  • Participate in a Microsoft Windows 9x-style workgroup or an NT/2000/XP/2003 domain as a client, member server, or even a PDC.

  • Share user home directories.

  • Act as a WINS (Windows Internet Name Service) client or server.

  • Link to or manage a workgroup browse service.

  • Act as a master browser.

  • Provide user/password and share security databases locally, from another Samba server or from a Microsoft NT 4 PDC.

  • Configure local directories as shared SMB filesystems.

  • Synchronize passwords between Windows and Linux systems.

  • Support Microsoft Access Control Lists.

Samba can do more, but you get the idea. Samba features are configured through one very big file, smb.conf, in the /etc/samba directory. As this file may intimidate some users, Red Hat's Samba Server Configuration tool (system-config-samba) provides an easier interface. RHEL 5 does not include the Samba Web Administration Tool, so don't expect it to be available on the Red Hat exams.

Exam Watch

I believe that Red Hat's Samba Server Configuration utility is an effective tool. But if you know how to edit the /etc/samba/smb.conf configuration file in a text editor, you're more likely to have time to configure the other elements you need to pass the exam. But don't be afraid to use the method that is fastest for you.


Installing Samba Services

If you selected the Windows File Server package group when you installed RHEL 5, the Samba RPM packages should already be installed. These are the four Samba RPM packages that you need:

  • The samba RPM package includes the basic SMB server software for sharing files and printers.

  • The samba-client RPM package provides the utilities needed to connect to shares from Microsoft computers.

  • The system-config-samba package installs the Red Hat Samba Server Configuration utility.

  • The samba-common RPM package contains common Samba configuration files.

It's easy to start the Samba Server Configuration tool. You can do so from a command line interface in the GUI with the system-config-samba command. Alternatively, you can choose System (or KDE Main Menu) | Administration | Server Settings | Samba. Either method opens the utility shown in Figure 10-3.

Figure 10-3: Samba Server Configuration utility

Configuring SELinux Support for Samba

There are four directives associated with making a Samba server work with SELinux in targeted mode:

  • allow_smb_anon_write supports the writing of files to directories configured with the public_content_rw_t SELinux setting.

  • samba_enable_home_dirs allows Samba to share users' home directories.

  • samba_share_nfs allows Samba to share directories already shared via NFS.

  • use_samba_home_dirs supports remote access to local home directories using Samba.

To set these directives, use the setsebool command. For example, to allow Samba to share local home directories with others on the network, run the following command:

 # setsebool -P samba_enable_home_dirs 1 

Configuring Samba to Start

Configuring Samba to start when Linux boots is a straightforward process. Configure Samba to start in at least runlevels 3 and 5, and then start the Samba server. The following two commands activate Samba in runlevels 2, 3, 4, and 5, and start the service:

 # chkconfig smb on
 # service smb start

Some Samba Background

Samba services provide interoperability between Microsoft Windows and Linux/Unix computers. Before you begin configuring Samba, you need a basic understanding of how Microsoft Windows networking works with TCP/IP.

The original Microsoft Windows networks were configured with computer host names, known as NetBIOS names, limited to 15 characters. These unique host names provided a simple, flat host name system for the computers on a LAN. All computer identification requests were made through broadcasts. This overall network transport system is known as NetBEUI, which is not "routable." In other words, it does not allow communication between two different LANs. As a result, the original Microsoft-based PC networks were limited in size to 255 nodes.

While Microsoft networks could use the Novell IPX/SPX protocol stack to route messages between networks, that was not enough. As the Internet grew, so did the dominance of TCP/IP. Microsoft adapted its NetBIOS system to TCP/IP with SMB. Since Microsoft published SMB as an industry-wide standard, anyone could set up their own service to work with SMB. As Microsoft has moved toward CIFS, Samba developers have adapted well. But some fairly recent changes have affected the configuration file as well as the main command line client mount command.

One of the nice features of Windows networks is the browser service. All computers register their NetBIOS names with one "elected" master browser, the keeper of the database of network-wide services. In fact, a browse database is maintained by some elected host for every protocol running on the network. For instance, if the NetBEUI, IPX/SPX, and TCP/IP protocols were installed on a host, then three duplicate browse databases were required, one per protocol, as the services available may differ between protocols.

Name Resolution: WINS

WINS was designed as a dynamic, centralized, and robust service. It was supposed to become a viable alternative to DNS. Each WINS server maintained a central database with multiple records for all machines. On a large network, this was a big datafile.

WINS needs about three to ten data records for each computer. Naturally, this is cumbersome for larger networks. This is another reason why Microsoft is phasing out WINS.

What About Samba?

This is where Samba fits in. Samba on Linux provides all the Windows networking services available on any Windows TCP/IP client or server. To configure Samba, you simply need to know the name of your NT/2000/XP/2003/Vista domain or workgroup and configure the parameters accordingly for your Linux workstation or server to match the settings on the local Microsoft network.

Fortunately, Samba comes with extensive online documentation (with examples) available in the smb.conf configuration file. The following lists some of the key Samba commands and files:

 /usr/sbin/smbd       - main SMB service daemon
 /usr/sbin/nmbd       - NetBIOS name service daemon
 /etc/samba/smb.conf  - SAMBA's primary configuration file
 /usr/bin/smbclient   - connects to SMB shares, ftp-like syntax
 /sbin/mount.cifs     - mounts SMB shares on a designated directory
 /sbin/umount.cifs    - unmounts a SMB shared directory
 /usr/bin/testparm    - tests validity of /etc/samba/smb.conf file
 /etc/init.d/smb      - daemon start and stop control script
 cifs                 - file system extension to mount SMB shares on
                        directories; use with the mount -t command.
 /usr/bin/smbprint    - a script to print to a printer on an SMB host
 /usr/bin/smbstatus   - lists current SMB connections for the local host

Samba Has Two Daemons

You need two daemons to run Samba: smbd and nmbd, both located in /usr/sbin. Both are configured through the /etc/samba/smb.conf configuration file. It's easy to check the syntax of this large configuration file with the testparm command. If problems arise, this program produces error messages to help you correct them.

Configuring Samba as a Client

You can configure two types of clients through Samba. One connects to directories shared from Microsoft Windows servers or Samba servers on Linux/Unix. The second connects to shared printers from one of the same two types of servers.

When you have installed the samba-client RPM package, you've installed the Samba client commands that you need to find browse lists and mount shared directories locally.

Checking Samba File and Print Services

If you want to browse shared directories from a Linux computer, you should know how to use smbclient. This can help you test connectivity to any SMB host on a Windows- or Samba-based Linux/Unix computer. You can use smbclient to check the shared directories and printers from remote computers on your network. For example, the smbclient command shown in Figure 10-4 checks shared directories and printers from a remote Linux-based Samba PDC.

Figure 10-4: List of shared directories and printers from a remote PDC

As you can see in the figure, I've specified two arguments with the smbclient command: -L allows you to specify the name of the Samba server, and -U allows you to specify a username on the remote computer. When the command reaches the Samba server, you're prompted for the appropriate password.

Alternatively, you can browse shared Samba directories using the graphical Nautilus client. In the GNOME desktop, choose Places | Home Folder. This opens the Nautilus file manager with a list of files in your home directory. Press CTRL-L and then, in the Location text box, enter smb:///.

If you're connected to a network with Windows and/or Samba-enabled Linux computers, you'll see an icon associated with connected workgroups and/or domains. Click the workgroup or domain of your choice. You should see a list of Windows and Samba-enabled Linux computers on that workgroup or domain.

Select the computer of your choice. You'll be prompted for a username and password on the remote computer. Once entered, you'll see a list of shared directories, as shown in Figure 10-5.

Figure 10-5: Browsing remote shared directories

Mounting Shared Samba Directories During Login

You can also configure automated mounting during the login process. Earlier in this chapter, you saw how to configure connections to shared NFS directories. You can use the same process with shared Samba directories.

There's one drawback: unless you're willing to add the shared directory to your /etc/fstab file, or you're limiting yourself to the root user, you can't use the mount command. There are other options: the mount.cifs and umount.cifs commands. Once you've set them up to be executable with the following commands, you can add them to each individual user's .bashrc and .bash_logout files:

 # chmod u+s /sbin/mount.cifs
 # chmod u+s /sbin/umount.cifs

On the Job 

The smbmount and smbumount commands are not available for RHEL 5; they have been replaced by mount.cifs and umount.cifs.

These commands set the SUID bit, which is described briefly in Chapter 1 and used in Chapter 4. Once the SUID bit is set, regular users can mount shared Samba directories. For example, if you want to mount and unmount a share named tmp from a computer named enterprise5a on the test directory, you can do so with the following commands:

 $ /sbin/mount.cifs //enterprise5a/tmp test -o username=michael
 $ /sbin/umount.cifs test

With the first command, you're prompted for a password for user michael on the computer named enterprise5a. Alternatively, if user michael's password is a2b3c4d5, you could use the following command:

 $ /sbin/mount.cifs //enterprise5a/tmp  test -o username=michael%a2b3c4d5 

Once you've verified that the selected mount.cifs and umount.cifs commands work, you can add these commands to the user's .bashrc and .bash_logout files.

Alternatively, if your users log in through GNOME, you can set up the same mount command through the Sessions utility. As discussed in Chapter 14, you can start this utility by choosing System | Preferences | More Preferences | Sessions. Figure 10-6 illustrates the preceding command, with a password, added to the graphical startup programs list for the root user. Obviously, clear text passwords are not secure.

Figure 10-6: Using Startup Programs to connect to a shared Samba directory
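
An added example, not from the book: mount.cifs also accepts a credentials=<file> option, so the password does not have to appear in the command line, in .bashrc, or in the Sessions startup list. The helper function names and the ~/.smbcred path are assumptions made for this sketch; the share and mount point are the ones used above.

```shell
#!/bin/sh
# Added example: keep the CIFS password in an owner-only credentials file
# instead of passing username=michael%<password> on the command line.

# write_cifs_credentials FILE USER
# Reads the password from standard input (so it never becomes a command
# argument) and writes FILE in the username=/password= format that the
# mount.cifs credentials= option reads.
write_cifs_credentials() {
    cred_file=$1 cred_user=$2
    IFS= read -r cred_pass || return 1
    (
        umask 077                  # the new file is created with mode 0600
        rm -f "$cred_file"         # do not inherit looser permissions from an old file
        printf 'username=%s\npassword=%s\n' "$cred_user" "$cred_pass" > "$cred_file"
    )
}

# credentials_file_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink) with no
# permission bits set for group or other.
credentials_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits of "-rw-------"
    [ "$perms" = "------" ]
}

# cifs_mount_command SHARE MOUNTPOINT FILE
# Prints the mount.cifs command line to place in .bashrc; refuses when
# FILE is missing or readable by anyone but its owner.
cifs_mount_command() {
    credentials_file_is_private "$3" || {
        echo "refusing: $3 is missing or accessible to group/other" >&2
        return 1
    }
    printf '/sbin/mount.cifs %s %s -o credentials=%s\n' "$1" "$2" "$3"
}

# Typical use (hypothetical path):
#   write_cifs_credentials "$HOME/.smbcred" michael    # then type the password
#   cifs_mount_command //enterprise5a/tmp test "$HOME/.smbcred"
```
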

Client Configuration for Print Services

There is a simple option line in the /etc/samba/smb.conf file that shares all local printer systems as if this were another Windows host.

In /etc/samba/smb.conf, printer configurations start with the section heading [printers]. Using the same share options used for directories, Samba can create a shared print service for each installed print queue. These print shares are available to Microsoft clients when users install network printers. (For more information on the [printers] share, see the next section.)

Once the printers are shared, you can use a service such as CUPS to connect to them. In fact, you learned how this was done with the Red Hat Printer Configuration utility in Chapter 7.

Configuring a Samba Server

If you want to configure a Samba server, you'll need to edit the main Samba configuration file, /etc/samba/smb.conf. This file is long and includes a number of commands that require a good understanding of Microsoft Windows networking. Fortunately, the default version of this file also includes helpful documentation with suggestions and example configurations that you can use.

You can edit this file directly, or create directory shares using Red Hat's Samba Server Configuration utility. It's useful to study the original /etc/samba/smb.conf file. Once you see how the file is structured, back it up. Try editing the file directly. Try changing the file with the Samba Server Configuration utility (described in the next section). Test the result by restarting the Samba server with the following command:

 # service smb restart 

To help you with this process, I'll analyze the RHEL 5 version of this file. The code shown next is essentially a complete view of this file. I've replaced the comments in the file with my own explanations. You might want to browse your own /etc/samba/smb.conf file as well.

The smb.conf file includes two types of comment lines. The hash symbol (#) is used for a general text comment. This is typically verbiage that describes a feature. The second comment symbol is the semicolon (;), used to comment out Samba directives (which you may later wish to uncomment to enable the disabled feature).

(Note that the physical dimensions of this book limit the lengths of lines of code. In a few cases, I've modified the code lines slightly to meet this limitation, without changing the intent of any command in this configuration file. Some comments I've left out with a <comments deleted> label.)

 # This is the main Samba configuration file. You should read the
 # smb.conf(5) manual page in order to understand the options listed
 # here. Samba has a huge number of configurable options (perhaps
 # too many!) most of which are not shown in this example.
 #
 # <comments deleted>
 # NOTE: Whenever you modify this file you should run the command
 # "testparm" to check that you have not made any basic syntactic
 # errors.

Exam Watch

As stated in the Red Hat Exam Prep guide, RHCEs must be able to configure various services, including Samba, for basic operation. I go into detail on the smb.conf file that, in my opinion, goes beyond basic operation.


Global Settings

While you should be aware of what you can do with all the different global settings, you should change as little as possible. The less you change, the less can go wrong. Perfect configuration files are not required. Configuration files that meet the specific requirements of your exam are.

In smb.conf, the global settings, which define the overall attributes of your server, follow the first set of comments. This section starts with the following two lines:

 #======================= Global Settings ============================
 [global]

Now examine the critical global settings. First, with respect to the workgroup variable, this Samba server will become a member of that Microsoft workgroup or domain. The default Samba workgroup is WORKGROUP. If you know Microsoft Windows, you'll recognize it as the old name of the default peer-to-peer workgroup. The same variable is used if you're joining this computer to a Microsoft-style domain.

 # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
    workgroup = MYGROUP

While not included in the default version of smb.conf, it's a good idea to add a NetBIOS name for your computer to this file. This becomes what other clients see in network browse lists such as those shown from Network Neighborhood/My Network Places and the smbclient command. The command that follows becomes the comment shown with the browse list:

 # local computer NetBIOS name
    netbios name = enterprise5a
 # server string is the equivalent of the NT Description field
    server string = Samba Server

The security command may be a bit confusing. This command means that connections check the local password database. It is appropriate if you're configuring this computer as a Domain Controller (DC), specifically a PDC.

     security = user 

If you want to configure this computer as a member server on a domain, use a password database from a DC. Strangely enough, in that case, you would substitute the following command:

     security = domain 

On the Job 

If you want to set up this computer as a workstation that happens to share directories on a Microsoft domain, you'll need to set up the computer as a member server on that domain.

If you're configuring this system as a member server on an Active Directory domain, you'd substitute the following command:

     security = ads 

Alternatively, if you just want to use a database from another computer that is not a DC, you'd substitute the following command:

     security = server 

Finally, if you're configuring this computer on a peer-to-peer workgroup, you want to substitute the following command:

     security = share 

To summarize, there are five basic authentication options: share, user, server, domain, and ads.

Now, refocus this directive on the authentication database. The default is security = user; in this case, make sure the Samba usernames and passwords that you create match those on individual Windows NT/2000/XP/Vista systems on your network.

If you use the server authentication option, you can name another Samba server to carry the database of usernames and passwords.

If you use the domain authentication option, you can name an NT/2000/2003/Vista domain controller. You can set up a Samba server as a domain controller as well, emulating the functionality of a Windows domain controller.

On the Job 

With Samba version 3.x, you can configure a Samba-enabled Linux computer as a member server on an Active Directory network. If that's what you want, set up security = ads.

If you activate the hosts allow directive, you can limit access to the specified network. The following default would limit access to the networks with the 192.168.1.0 and 192.168.2.0 network IP addresses, as well as the local computer (127.):

 ;   hosts allow = 192.168.1. 192.168.2. 127. 

These default printer settings are required to share printers from this Samba server, loading printers as defined by printcap name = /etc/printcap. If you've configured an LPD-based print server, consider the printcap name = lpstat directive. You shouldn't need to activate the printing = cups directive. The cups options = raw directive means that print jobs are already processed by the CUPS service.

    load printers = yes
    printcap name = /etc/printcap
 ;   printing = cups
    cups options = raw

If you want to configure a special guest account, you can activate this command, as long as you add a pcguest user with the useradd command described in Chapter 6.

 ;  guest account = pcguest 

The next command sets up separate log files for every computer that connects to this Samba server. For example, if a computer named allaccess connects to this Samba server, you can find a log of its access problems in /var/log/samba/allaccess.log. By default, the log file is limited to 50Kb.

    log file = /var/log/samba/%m.log
    max log size = 50

If you've set up security = domain or share, you'll also want to activate the following directive and add the name of the password server (replace with a * to have Samba search for the password server):

 ;   password server = <NT-Server-Name> 

If you've set up security = ads, you'll also want to activate the following directive to specify the Active Directory (AD) realm, substituting your actual AD realm for MY_REALM:

 ;   realm = MY_REALM 

For a local password database, there are three options for the passdb backend directive. The default is still the smbpasswd file in /etc/samba, which is discussed later in this section, and is what Samba looks for unless you activate the following directive. Options include the so-called Trivial Database (tdbsam), and a LDAP database (ldapsam).

 ; passdb backend = tdbsam 

You can customize the local Samba configuration for each client computer (machine) that connects by activating the following command. Configuring these computer-specific command files is complex and I suspect beyond configuring "the service for basic operation." The file suggested in the comment does not exist; I suggest /etc/samba/smb.conf.%m instead.

 ;   include = /usr/local/samba/lib/smb.conf.%m 

If your computer is connected to more than one network, you can specify the networks served by your Samba server here:

 ;   interfaces = 192.168.12.2/24 192.168.13.2/24 

Unless you specifically designate this computer to be a local browse master, Samba participates in browser elections like any other Microsoft Windows computer, using the os level that you designate. Alternatively, if you don't already have a Domain Controller acting as a browse master, you can give the responsibility to the Samba server. Or, if you just want to make it easier for the local computer to win the browser election, activate the preferred master command:

 ;   local master = no
 ;   os level = 33
 ;   domain master = yes
 ;   preferred master = yes

If you have Windows 95 computers on your network, activate the following command, as many Windows 95 computers (pre-OSR2) can't handle encryption:

 ;   domain logons = yes 

The following commands set up Microsoft command line batch files by computer and user. The command afterward stores Microsoft user profiles on the local Samba server. That means these commands can't be tested on the Red Hat exams unless you have access to a Microsoft Windows computer. Since I can't tell you what's on the Red Hat exams, I can only ask you whether Red Hat would want separate Microsoft Windows computers available during their exams.

 ;   logon script = %m.bat
 ;   logon script = %U.bat
 ;   logon path = \\%L\Profiles\%U

If you activate the following command, Samba activates a WINS server on the local computer:

 ;   wins support = yes 

Alternatively, you can point the local computer to a remote WINS server on the network; of course, you'd have to substitute the IP address for w.x.y.z.

 ;   wins server = w.x.y.z 

If non-WINS-capable computers are on the network, such as Linux computers without the Samba server software, you can activate this command:

 ;   wins proxy = yes 

On the Job 

Adding Linux to a Microsoft Windows NT/2000/2003/Vista network can be made easier by configuring the Samba service to look like another Windows host on the network. You can configure the Samba server to act as a WINS client of the WINS server, share files and printers just like all the other Windows hosts, and participate in the browser service.

If you change this setting to yes, name searches can go through available DNS databases:

    dns proxy = no 

The remaining commands are fairly self-explanatory, as scripts which add and delete users, groups, and machine accounts.

 ;  add user script = /usr/sbin/useradd %u
 ;  add group script = /usr/sbin/groupadd %g
 ;  add machine script = /usr/sbin/adduser -n -g \
      machines -c Machine -d /dev/null -s /bin/false %u
 ;  delete user script = /usr/sbin/userdel %u
 ;  delete user from group script = /usr/sbin/deluser %u %g
 ;  delete group script = /usr/sbin/groupdel %g

On the Job 

If you want to set up a Samba server to use a Microsoft Windows database of usernames and passwords, you'll need to activate the winbindd daemon. With the appropriate commands in smb.conf, you can also set up Microsoft users and groups with the UIDs and GIDs of your choice on your Linux system.

Share Settings

Share settings are organized into stanzas, which are groups of commands associated with a share name. (Stanza doesn't seem like a technical term, but some believe that well-constructed configuration code is like good poetry.) The first four lines in this section define the [homes] share, which automatically shares the home directory of the logged-in user. Every user gets access to their own home directory; the browseable = no command keeps users away from each other's home directory.

There is no default /homes directory. It's just a label. You don't need to supply a home directory, because Samba will read the user's account record in /etc/passwd to determine the directory to be shared.

By default, this does not allow access to unknown users (guest ok = no). If you prefer, you can limit the systems that can use this share (hosts allow = ?, and hosts deny = ?). The effects of the hosts allow and hosts deny directives are as described earlier but are limited to the stanza where they are used.

 #============================ Share Definitions =============
 [homes]
    comment = Home Directories
    browseable = no
    writable = yes

If you activate the commands in the following stanza, you can set up a [netlogon] share for Microsoft Windows workstations. As there are no [netlogon] shares even for Samba-enabled Linux workstations, this section requires a Microsoft Windows computer to verify functionality. If you believe that you'll have access to a Microsoft Windows computer during the Red Hat exams, you should study this section carefully.

Exam Watch

If you forget the meaning of a specific Samba variable, you can find information in the Samba man page; just run the man smb.conf command.


 # Un-comment the following and create the netlogon directory for
 # Domain Logons
 ; [netlogon]
 ;   comment = Network Logon Service
 ;   path = /usr/local/samba/lib/netlogon
 ;   guest ok = yes
 ;   writable = no
 ;   share modes = no

This next stanza configures profiles for Microsoft Windows workstations. As these profiles become a part of a Microsoft Windows registry when you log on to one of those workstations, you're unlikely to configure this section in a network of Linux-only computers. Make your own judgment on whether you might have to configure this section during the RHCE exam.

 # Un-comment the following to provide a specific roving profile
 # share; the default is to use the user's home directory
 ;[Profiles]
 ;    path = /usr/local/samba/profiles
 ;    browseable = no
 ;    guest ok = yes

The [printers] stanza normally works as is, to allow access by all users with accounts on your computer or domain. If you want to limit access to specific users, review the [fredsprn] stanza later in this default file. While the spool directory (/usr/spool/samba) is not browsable, the associated printers are browsable by their NetBIOS names. In fact, the spool directory doesn't even exist; you should change it to /var/spool/samba. When you configure a printer later in this chapter, the name you designate automatically becomes the NetBIOS name.

 # NOTE: If you have a BSD-style print system there is no need to
 # specifically define each individual printer
 [printers]
    comment = All Printers
    path = /usr/spool/samba
    browseable = no
 # Set public = yes to allow user 'guest account' to print
    guest ok = no
    writable = no
    printable = yes

If you activate the [tmp] share, it's a standard location for people to download and share files; all users get write access to this share.

 # This one is useful for people to share files
 ;[tmp]
 ;   comment = Temporary file space
 ;   path = /tmp
 ;   read only = no
 ;   public = yes

The following stanza, as suggested by the comment, configures the /home/samba directory to be shared by the group named staff. You can configure this group in /etc/group or through the Network Information Service (Chapter 6). And you need to configure special ownership and permissions for /home/samba, as described in the User Private Group model, also in Chapter 6.

 # A publicly accessible directory, but read only, except for
 # people in the "staff" group
 ;[public]
 ;   comment = Public Stuff
 ;   path = /home/samba
 ;   public = yes
 ;   writable = yes
 ;   printable = no
 ;   write list = @staff

If you activate the following stanza, it would configure a printer exclusively for one user. The default smb.conf file has an error; it lists the path to Fred's home directory as /homes/fred. (Of course, it should be /home/fred.)

 # A private printer, usable only by fred. Spool data will be
 # placed in fred's home directory. Note that fred must have
 # write access to the spool directory,
 # wherever it is.
 ;[fredsprn]
 ;   comment = Fred's Printer
 ;   valid users = fred
 ;   path = /homes/fred
 ;   printer = freds_printer
 ;   public = no
 ;   writable = no
 ;   printable = yes

This stanza configures a directory for Fred's exclusive use. If you need to limit printer use to specific users, these directives can help. A better location for the path, which you need to create, is within the /home directory.

 # A private directory, usable only by fred. Note that fred
 # requires write access to the directory.
 ;[fredsdir]
 ;   comment = Fred's Service
 ;   path = /usr/somewhere/private
 ;   valid users = fred
 ;   public = no
 ;   writable = yes
 ;   printable = no

You can also set up directories by workstation; the %m variable is replaced by the name of the computer (machine) that connects to the Samba server. In my opinion, a better location for the path is the /home/pc/%m directory.

 # The %m gets replaced with the machine name that is connecting.
 ;[pchome]
 ;  comment = PC Directories
 ;  path = /usr/pc/%m
 ;  public = no
 ;  writable = yes

The following stanza is slightly different from the [tmp] share. Once connected, the only user that connects is a guest. Unless you've configured a guest user, this defaults to the user named nobody.

 # A publicly accessible directory, read/write to all users. Note
 # that all files created in the directory by users will be owned
 # by the default user, so any user with access can delete any
 # other user's files. Obviously this directory must be writable
 # by the default user. Another user could of course be specified,
 # in which case all files would be owned by that user instead.
 ;[public]
 ;   path = /usr/somewhere/else/public
 ;   public = yes
 ;   only guest = yes
 ;   writable = yes
 ;   printable = no

Finally, this is another variation on the User Private Group scheme, which creates a group directory. Unlike the [public] stanza, this share is private.

 # The following two entries demonstrate how to share a directory so
 # that two users can place files there that will be owned by the
 # specific users. In this setup, the directory should be writable
 # by both users and should have the sticky bit set on it to prevent
 # abuse. Obviously this could be extended to as many users as required.
 ;[myshare]
 ;   comment = Mary's and Fred's stuff
 ;   path = /usr/somewhere/shared
 ;   valid users = mary fred
 ;   public = no
 ;   writable = yes
 ;   printable = no
 ;   create mask = 0765

To summarize, the settings for each shared directory start with a section name, such as [tmp]. This section name contains the name that will be seen by Microsoft clients only if the service is set to be browsable (browseable = yes).
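The stanzas above are easy to activate without noticing what they grant together. The following audit is an added example, not part of the book or of Samba: it parses active smb.conf stanzas and flags shares that guests can write to, and `write list` entries that restrict nothing because the share is already writable (per smb.conf(5), `write list` grants write access regardless of `read only`). The sample stanzas are constructed from the defaults quoted above with the `;` removed; `[public_fixed]` and the function names are hypothetical.

```python
# Constructed sample: default-file stanzas with the leading ';' removed.
# [public_fixed] is a hypothetical corrected variant, not from the book.
SAMPLE = """\
[public]
   path = /home/samba
   public = yes
   writable = yes
   write list = @staff
[public_fixed]
   public = yes
   read only = yes
   write list = @staff
;[pchome]
;   writable = yes
[myshare]
   valid users = mary fred
   public = no
   writable = yes
"""
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_shares(text):
    """Return [(section, params)]; lines starting with # or ; are inactive."""
    shares, params = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            params = {}
            shares.append((line[1:-1].strip().lower(), params))
        elif "=" in line and line[0] not in "#;" and params is not None:
            key, value = line.split("=", 1)
            # Parameter names ignore case and spaces ("guest ok" == "guestok").
            params["".join(key.split()).lower()] = value.strip()
    return shares

def flag(params, *names, want=YES):
    return any(params.get(n, "").lower() in want for n in names)

def audit(text):
    """Flag guest-writable shares and write lists that restrict nothing."""
    findings = []
    for name, p in parse_shares(text):
        if name == "global":
            continue
        guest = flag(p, "public", "guestok")
        writable = flag(p, "writable", "writeable") or flag(p, "readonly", want=NO)
        if guest and writable:
            findings.append((name, "guest-writable"))
        if writable and "writelist" in p:
            findings.append((name, "write list has no effect"))
    return findings
```

File system ownership and permissions on the shared path still apply on top of these settings, so a finding here describes what Samba allows, not what the directory allows.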

On the Job 

There are a number of variables in smb.conf that are not spelled correctly, such as browseable. In many cases, the correct spelling (browsable) also works. They are still accepted Samba variables and generally should be spelled per the Samba defaults, not standard written English.

Joining a Domain

If you've configured a Samba server, and it's not the DC for your network, you'll need to set it to join the domain. Essentially, you're configuring an account on the DC for the network. As long as there's one domain on this network, it's easy to do with the following command:

 # net rpc join -U root 

(If you have more than one domain, substitute the name of the controller for DC in the net rpc join -S DC -U root command.) This assumes that root is the administrative user on the DC; if you're joining a domain governed by a Microsoft Windows computer, the administrative user is administrator. If successful, you're prompted for the root password on the remote DC. An account for the local computer is added to the DC's user database in /etc/passwd.

Configuring Samba Users

You could set up identical usernames and passwords for your Microsoft Windows and Samba-enabled Linux computers. However, this is not always possible, especially when there are preexisting databases. In that case, set up a database of Samba users and passwords that correspond to current Microsoft usernames and passwords on your network. A template is available in /etc/samba/smbusers.

If you're comfortable with the command line interface, the quickest way to set up Samba users is with the smbpasswd command. Remember that you can create a new Samba user only from valid accounts on your Linux computer.

Managing Samba Users

You can set up Samba users on a list independent from your Linux users who have accounts on your Linux system. The Samba development team chose to do this for the following reasons:

  • There is no reason to grant Samba access to all Linux users.

  • You may wish to manage user access via some form of Microsoft Windows, so Linux wouldn't necessarily even know about your Samba users.

  • Samba user authentication may involve clear text passwords (for compatibility with Windows 95 and Windows 3.1). This could potentially compromise your Linux system.

To support these features, you can set up separate user accounts in the /etc/samba directory, in the smbusers and smbpasswd files. Two steps are required to make and enable a new Samba user:

  1. Create a Samba user entry by name and add a password for the user. Samba users can be created only from the current users on your Linux system.

  2. Enable Samba access for the new user.

If the username that you want does not yet exist, create it with the useradd username command. Then you can set that user up as a Samba user with the smbpasswd command. Use the following command; you're prompted to enter a password. That password can be different from the password used to log in directly to that Linux computer.

 # smbpasswd -a newUser
 New SMB password:
 Retype SMB password:
 #

Changes made by smbpasswd are passed to the Samba server to be copied to the system with the username and password database for your network.

If you've configured Samba as a DC for your network, the /etc/passwd file should govern the basic usernames and passwords for your system. You can use the mksmbpasswd.sh script in the /usr/bin/ directory to add all passwords to the /etc/samba/smbpasswd configuration file.

The smbpasswd command is powerful; it includes a number of switches that you should learn, as described in Table 10-4.

Table 10-4: Various smbpasswd Commands

smbpasswd Switch    Description
-a username         Adds the specified username to /etc/samba/smbpasswd.
-d username         Disables the specified username; thus disables that password from Microsoft networking.
-e username         Enables the specified username; opposite of -d.
-r computername     Allows you to change your Windows or Samba password on a remote computer. Normally goes with -U.
-U username         Normally changes the username on a remote computer, if specified with the -r switch.
-x username         Deletes the specified username from /etc/samba/smbpasswd.

If you need to configure different usernames and passwords for your Linux and Microsoft computers, you'll need to edit them directly into the /etc/samba/smbusers file, or you can use the Samba Server Configuration utility.

Exercise 10-4: Using Home Directories


In this exercise, you'll learn about the basic home directory share. You'll need at least two computers, one of which should be a Samba server. The other can be a Linux or Microsoft Windows workstation. You'll connect to the Samba server from the workstation and access the files in your home directory on the Samba server.

  1. Install and configure Samba to start using the methods described earlier in this chapter.

  2. Open the /etc/samba/smb.conf configuration file. Look for the current value of workgroup.

  3. Make sure that the computers on your network have the same value for workgroup. If your computer is on a domain, set workgroup to the name of the domain. If you don't already have a WINS server on this network, you'll also want to activate the wins support = yes command.

  4. Test the syntax of your Samba configuration file with the testparm command (I'll describe how this works shortly).

  5. Read and address any problems that you might see in the output from the testparm command. Fix any syntax problems with your smb.conf configuration file.

  6. Set up the root user on the server in the Samba database with the following command (enter an appropriate password when prompted):

     # smbpasswd -a root 

  7. Make Samba reread the smb.conf file with the following command:

     # service smb reload 

  8. Now go to a remote Linux or Microsoft Windows workstation on the same domain or workgroup.

  9. If you can browse the list of computers from the Samba server with the following command, browsing and probably WINS is working properly. (Alternatively, from a Microsoft Windows computer, you should see a list of computers in the Network Neighborhood or My Network Places window.) Substitute the name of the configured computer for sambaserver.

     # smbclient -L sambaserver -U root 

  10. Enter the root username on the remote Samba server.

  11. If you're on a Linux computer, use the /sbin/mount.cifs or mount command (depending on whether you're regular or a root user) to configure the remote [homes] directory share on an empty local directory. For example, as the root user, you could mount on the local /share directory (create it if required) with the following command:

     # mount -o username=root "//sambaserver/homes" /share 

  12. Test the result. Can you browse your home directory on the remote computer?

Think about this a bit. Do you really want to allow access to the administrative account over the network via Samba? What happens when you disable the administrative password in /etc/samba/smbpasswd? Look up the invalid users directive in the man page for smb.conf; could that help?
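The account state these questions ask about can be read from the smbpasswd file itself, where `smbpasswd -d` records a `D` in the account flags. The following check is an added example, not from the book: it parses entries in the smbpasswd(5) text layout and reports administrative or passwordless accounts that are still enabled. The sample entries are constructed, the hash fields are placeholders, and the function names and the `kiosk` account are assumptions.

```python
# Constructed sample in the smbpasswd(5) text layout:
#   name:uid:LANMAN hash:NT hash:[account flags]:LCT-last change time:
# The hash fields are placeholders, not real password hashes.
PLACEHOLDER = "0123456789ABCDEF" * 2

def entry(name, uid, flags):
    """Build one constructed line; the flags field is padded to 11 characters."""
    return f"{name}:{uid}:{'X' * 32}:{PLACEHOLDER}:[{flags.ljust(11)}]:LCT-00000000:"

SAMPLE = "\n".join([
    entry("root", 0, "U"),       # state after `smbpasswd -a root`
    entry("mary", 501, "U"),
    entry("fred", 502, "DU"),    # state after `smbpasswd -d fred`
    entry("kiosk", 503, "NU"),   # N flag: account has no password set
])

def parse_smbpasswd(text):
    """Return [(name, uid, flags)] for each well-formed entry."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 5 or not fields[1].isdigit():
            continue  # comment, blank or malformed line
        accounts.append((fields[0], int(fields[1]), set(fields[4]) - set("[] ")))
    return accounts

def audit(text, admin_names=("root", "administrator")):
    """Report enabled accounts that are administrative or have no password."""
    findings = []
    for name, uid, flags in parse_smbpasswd(text):
        if "D" in flags:
            continue  # disabled with smbpasswd -d: not usable over SMB
        if uid == 0 or name.lower() in admin_names:
            findings.append((name, "administrative account enabled"))
        if "N" in flags:
            findings.append((name, "no password set"))
    return findings

if __name__ == "__main__":
    for account, issue in audit(SAMPLE):
        print(f"{account}: {issue}")
```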




RHCE Red Hat Certified Engineer Linux Study Guide (Exam RH302)
Linux Patch Management: Keeping Linux Systems Up To Date
ISBN: 0132366754
EAN: 2147483647
Year: 2004
Pages: 227
Authors: Michael Jang
