Certification Objective 8.01: Samba Networking


Microsoft's CIFS was built on the Server Message Block (SMB) protocol. SMB was developed in the 1980s by IBM, Microsoft, and Intel as a way to share files and printers over a network.

As Microsoft has developed SMB into CIFS, the Samba developers have upgraded Samba accordingly. Samba services provide a stable, reliable, fast, and highly compatible file and print sharing service that allows your computer to act as a client, a member server, or even a Primary Domain Controller (PDC) on Microsoft-based networks. While Samba does not include every feature built into the latest Microsoft networks, I have confidence that it will in the near future.

SMB network communication over a Microsoft-based network is also known as NetBIOS over TCP/IP. Through the collective works of Andrew Tridgell and the Samba team, Linux systems provide transparent and reliable SMB support over TCP/IP via a package known as Samba. You can do four basic things with Samba:

  • Share a Linux directory tree with Windows and Linux/Unix computers

  • Share a Windows directory with Linux/Unix computers

  • Share a Linux printer with Windows and Linux/Unix computers

  • Share a Windows printer with Linux/Unix computers

Samba emulates many of the advanced network features and functions associated with the Win9x/ME and NT/2000/XP operating systems through the SMB protocol. Complete information can be found at the official Samba Web site at www.samba.org. It is easy to configure Samba to do a number of things on a Microsoft-based network, for example:

  • Participate in a Microsoft Windows 9x-style Workgroup or an NT/2000/XP Domain as a client, member server, or even a Primary Domain Controller

  • Share user home directories

  • Act as a WINS (Windows Internet Name Service) client or server

  • Link to or manage a workgroup browse service

  • Act as a Master Browser

  • Provide user/password and share security databases locally, from another Samba server, or from a Microsoft NT 4 Primary Domain Controller

  • Configure local directories as shared SMB filesystems

  • Synchronize passwords between Windows and Linux systems

  • Support Microsoft Access Control Lists

While Samba can do more, you get the idea. Samba features are configured through one very big file, smb.conf, in the /etc/samba directory. As this file may intimidate some users, Red Hat's Samba Server Configuration tool (redhat-config-samba) provides an easier interface. RHEL 3 does not include the Samba Web Administration Tool, so don't expect it to be available on the Red Hat exams.

RHEL 3 includes the newly released Samba version 3.0. This includes a number of features over and above the version of Samba included with Red Hat Linux 9 (2.2.7). Despite this change, you can use the same basic steps (for the most part) to configure a Samba client and/or a Samba server on your computer.

Exam Watch 

I believe that Red Hat's Samba Server Configuration utility is an effective tool. But remember, time is of the essence on the RHCE exam. If you know how to edit the /etc/samba/smb.conf configuration file in a text editor, you're more likely to have time to configure the other elements you need to pass the exam. But don't be afraid to use the method that is fastest for you.

Installing Samba Services

If you selected the Windows File Server package when you installed RHEL 3, then the Samba RPM packages should already be installed. These are the four Samba RPM packages that you need:

  • The samba RPM package includes the basic SMB server software for sharing files and printers.

  • The samba-client RPM package provides the utilities needed to connect to shares from Microsoft computers.

  • The redhat-config-samba package installs the Red Hat Samba Server Configuration utility.

  • The samba-common RPM package contains common Samba configuration files. While it isn't a part of the Windows File Server package group, it is installed as a dependency if you install that package group.

It's easy to start the Samba Server Configuration tool. You can do so from a command line interface in the GUI with the redhat-config-samba command. Alternatively, you could click Main Menu | System Settings | Server Settings | Samba. Either method opens the utility, as shown in Figure 8-1.

Figure 8-1: Samba Server Configuration utility

Configuring Samba to Start

Configuring Samba to start when Linux boots is a straightforward process. You'll want to configure Samba to start in runlevels 3 and 5, and then start the Samba server. You can do so with the following two commands:

# chkconfig --level 35 smb on
# service smb start

Exam Watch 

If you're using Red Hat Linux 9 to study for the exam, you'll want to use an upgraded version of Samba. You can set it up on Red Hat Linux 9 using the RHEL 3 source RPMs available online from ftp.redhat.com (or mirrors). Use the commands described in Chapter 4 to compile binary RPMs from source. You can then install the RHEL 3 version of Samba on your Red Hat Linux 9 computer.

Some Samba Background

Samba services provide interoperability between Microsoft Windows and Linux/Unix computers. Before you begin configuring Samba, you need a basic understanding of how Microsoft Windows networking works with TCP/IP.

The original Microsoft Windows networks were configured with computer hostnames, known as NetBIOS names, limited to 15 characters. These unique hostnames provided a simple, flat hostname system for the computers on a LAN. All computer identification requests were made through broadcasts. This overall network transport system is known as NetBEUI, which is not 'routable.' In other words, it does not allow communication between two different LANs. As a result, the original Microsoft-based PC networks were limited in size to 255 nodes.

While Microsoft networks could use the Novell IPX/SPX protocol stack to route messages between networks, that was not enough. As the Internet grew, so did the dominance of TCP/IP. Microsoft adapted its NetBIOS system to TCP/IP with SMB. Since Microsoft published SMB as an industry-wide standard, anyone could set up their own service to work with SMB.

One of the nice features of Windows networks is the browser service. All computers register their NetBIOS names with one 'elected' master browser, the keeper of the database of network-wide services. In fact, a browse database is maintained by some 'elected' host for every protocol running on the network. For instance, if the NetBEUI, IPX/SPX, and TCP/IP protocols were installed on a host, then three duplicate browse databases were required, one per protocol, as the services available may differ between protocols.

Name Resolution: WINS

WINS was designed as a dynamic, centralized, and robust service. It was supposed to become a viable alternative to DNS. Each WINS server maintained a central database with multiple records for all machines. On a large network, this was a big data file.

WINS needs about three to ten data records for each computer. Naturally, this is cumbersome for larger networks. This is another reason why Microsoft is phasing out WINS.

What About Samba?

This is where Samba fits in. Samba on Linux provides all the Windows networking services available on any Windows TCP/IP client or server. To configure Samba, you simply need to know the name of your NT/2000/XP/2003 Domain or Windows 9x/ME-style Workgroup, and configure the parameters accordingly for your Linux workstation or server to match the settings on the local Microsoft network.

Fortunately, Samba comes with extensive online documentation (with examples) available in the smb.conf configuration file. The following lists some of the key Samba commands and files:

/usr/sbin/smbd       - main SMB service daemon
/usr/sbin/nmbd       - NetBIOS name service daemon
/etc/samba/smb.conf  - SAMBA's primary configuration file
/usr/bin/smbclient   - connects to SMB shares, ftp-like syntax
/usr/bin/smbmnt      - mounts SMB shares on a designated directory
/usr/bin/smbumount   - unmounts a SMB shared directory
/usr/bin/testparm    - tests validity of /etc/samba/smb.conf file
/etc/rc.d/init.d/smb - daemon start and stop control script
smbfs                - file system extension to mount SMB shares on
                       directories; use with the mount -t command.
/usr/bin/smbprint    - a script to print to a printer on an SMB host
/usr/bin/smbstatus   - lists current SMB connections for the local host

Samba Has Two Daemons

You need two daemons to run Samba: smbd and nmbd, both located in /usr/sbin. Both are configured through the /etc/samba/smb.conf configuration file. It's easy to check the syntax of this large configuration file with the testparm command. If problems arise, this program produces error messages to help you correct them.

Configuring Samba as a Client

There are two types of clients that you can configure through Samba. One connects to directories shared from Microsoft Windows servers or Samba servers on Linux/Unix. The second connects to shared printers from one of the same two types of servers.

When you have installed the samba-common RPM package, you've installed the Samba client commands that you need to find browse lists and mount shared directories locally.

Checking Samba File and Print Services

If you want to browse shared directories from a Linux computer, you'll want to know how to use smbclient. This can help you test connectivity to any SMB host on a Windows- or Samba-based Linux/Unix computer. You can use smbclient to check the directories and printers that are shared from remote computers on your network. For example, the smbclient command shown in Figure 8-2 checks shared directories and printers from a remote Linux-based Samba PDC.

Figure 8-2: List of shared directories and printers from a remote PDC

As you can see, I've specified two arguments with the smbclient command: -L allows you to specify the name of the Samba server, and -U allows you to specify a username on the remote computer (or the PDC for the domain). If the command reaches the Samba server, you're then prompted for the appropriate password.

Alternatively, you can browse shared Samba directories using the graphical Nautilus client. In the Linux desktop, click Main Menu | Home Folder. This opens the Nautilus file manager with a list of files in your home directory. In the Location text box, enter

smb:///

If you're connected to a network with Windows and/or Samba-enabled Linux computers, you'll see an icon associated with connected workgroups and/or domains. Click on the workgroup or domain of your choice. You should see a list of Windows and Samba-enabled Linux computers on that workgroup or domain.

Select the computer of your choice. You'll be prompted for a username and password on the remote computer. Once entered, you'll get a list of shared directories, as shown in Figure 8-3.

Figure 8-3: Browsing remote shared directories

Mounting Shared Samba Directories During Login

You can also configure automated mounting during the login process. In the first lab of Chapter 5, you saw how to configure connections to shared NFS directories. You can use the same process with shared Samba directories.

Specifically, you can configure commands to mount a shared directory for an individual user in the .bashrc file, and set up a command to unmount that directory in the .bash_logout file. Both files are stored in each user's home directory.

There's one drawback: unless you're willing to add the shared directory to your /etc/fstab file, or you're limiting yourself to the root user, you can't use the mount command. There is an option: the smbmnt and smbumount commands. Once you've set them up to be executable for all with the following commands, you can add them to individual users' .bashrc and .bash_logout files:

# chmod u+s /usr/bin/smbmnt
# chmod u+s /usr/bin/smbumount

These commands set the SUID bit, which I described briefly in Chapter 1 and use in Chapter 11. Once the SUID bit is set, you can mount shared Samba directories as a regular user. Now when you log in as a regular (not root) user, you can mount and unmount a Samba share named inst from a computer named cosmicc on the /home/michael/shared directory with the following commands:

$ smbmnt //cosmicc/inst /home/michael/shared -o username=michael
$ smbumount /home/michael/shared

With the first command, you're prompted for a password for user michael on the cosmicc computer. In other words, user michael gets to enter two passwords: first to log into his local account, second to authorize a connection to the shared directory. Alternatively, if user michael's password is a2b3c4d5, you could use the following command:

$ smbmnt //cosmicc/inst /home/michael/shared -o username=michael%a2b3c4d5

Once you've verified that they work, you can add these commands to the user's .bashrc and .bash_logout files. If you're configuring this for the root user, you'll need to use the corresponding mount commands:

# mount -o username=michael //cosmicc/inst /root/shared
# umount /root/shared

You can add user michael's password in the same way as shown for the smbmnt command. Once you're satisfied with the result, you can add these commands to the root user's .bashrc and .bash_logout files.

Alternatively, if your users log in through GNOME, you can set up the same mount command through the Sessions utility. As discussed in Chapter 6, you can start this utility by clicking Main Menu | Preferences | More Preferences | Sessions. Figure 8-4 illustrates the previous command, with a password, added to the graphical startup programs list for the root user.

Figure 8-4: Using Startup Programs to connect to a shared Samba directory
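
The username=NAME%PASSWORD form shown above stores a cleartext password in a startup file. The following is an added example, not from the book: it finds such lines in .bashrc and .bash_logout text, notes whether the file is readable by other users, and reports each line with the password redacted. The function names and the sample file contents are constructed for illustration.

```python
import os
import re
import stat

# Option form used by the smbmnt and mount commands above: username=NAME%PASSWORD
CRED_RE = re.compile(r"username=([^%\s,'\"]+)%([^\s,'\"]+)")

# Constructed sample of a user's .bashrc, for demonstration only.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -l'
smbmnt //cosmicc/inst /home/michael/shared -o username=michael%a2b3c4d5
# smbmnt //cosmicc/inst /home/michael/old -o username=michael%a2b3c4d5
smbmnt //cosmicc/inst /home/michael/other -o username=michael
"""


def scan_text(text, file_mode=0o600, source="<text>"):
    """Return one finding per line that embeds a password after username=NAME%."""
    exposed = bool(file_mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = CRED_RE.search(raw)
        if not match:
            continue
        stripped = raw.strip()
        findings.append({
            "source": source,
            "line": lineno,
            "user": match.group(1),
            # A commented-out command no longer runs, but the password is still on disk.
            "active": not stripped.startswith("#"),
            "readable_by_others": exposed,
            # Report the line without repeating the secret.
            "redacted": CRED_RE.sub(r"username=\1%<redacted>", stripped),
        })
    return findings


def scan_home(home):
    """Scan the two per-user files named above inside one home directory."""
    findings = []
    for name in (".bashrc", ".bash_logout"):
        path = os.path.join(home, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue  # file missing or unreadable for this user
        findings.extend(scan_text(text, mode, path))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_BASHRC, 0o644, "sample .bashrc"):
        print(finding)
```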

Client Configuration for Print Services

There is a simple option line in the /etc/samba/smb.conf file that shares all local printer systems as if this were another Windows host.

In /etc/samba/smb.conf, printer configurations start with the section heading named [printers]. Using the same share options used for directories, Samba can create a shared print service for each installed print queue. These print shares are available to Microsoft clients when users install network printers. For more information on the [printers] share, please read the next section.

Once shared, you can use a service such as CUPS to connect to these shared printers. In fact, I'll show you how this is done with the Red Hat Printer Configuration utility later in this chapter.

Configuring a Samba Server

If you want to configure a Samba server, you'll need to edit the main Samba configuration file, /etc/samba/smb.conf. This file is long and includes a number of commands that require a good understanding of Microsoft Windows networking. Fortunately, the default version of this file also includes helpful documentation with suggestions and example configurations that you can use.

You can edit this file directly, or you can create directory shares using Red Hat's Samba Server Configuration utility. It's useful to study the original /etc/samba/smb.conf file. Once you see how the file is structured, back it up. Try editing the file directly. Try changing the file with the Samba Server Configuration utility (which I describe in the next section). Test the result by restarting the Samba server with the following command:

# service smb restart

To help you with this process, I've copied the RHEL 3 version of this file. The following code is essentially a complete view of this file. I've replaced the comments in the file with my own explanations. You might want to browse your own /etc/samba/smb.conf file as well.

Exam Watch 

As stated in the Red Hat exam guide, RHCEs must be able to configure various services, including Samba, for basic operation. I go into detail on the smb.conf file that, in my opinion, goes beyond basic operation.

The smb.conf file includes two types of comment lines. The hash symbol (#) is used for a general text comment. This is typically verbiage that describes a feature. The second comment symbol is the semicolon (;), used to comment out Samba directives (which you may later wish to uncomment in order to enable the disabled feature).

On The Job 

Because of the dimensions of the book, the length of code lines is limited. In a few cases, I've modified the code lines slightly to meet this limit, without changing the intent of any command in this configuration file.

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps
# too many!) most of which are not shown in this example
#
# comments deleted
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

Global Settings

Remember, time is of the essence on the RHCE exam. While you should be aware of what you can do with all of the different global settings, change as little as possible. The less you change, the less that can go wrong. Perfect configuration files are not required. Configuration files that meet the specific requirements of your exam are.

In smb.conf, the global settings, which define the overall attributes of your server, follow the first set of comments. This section starts with the following two lines:

#======================= Global Settings ============================
[global]

Now we'll examine the critical global settings. First, with respect to the workgroup variable, this Samba server will become a member of that Microsoft Workgroup or Domain. The default Samba workgroup is Workgroup. If you know Microsoft Windows, you'll recognize it as the name of the default peer-to-peer workgroup. The same variable is used if you're joining this computer to a Microsoft-style Domain.

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

Next, it's a good idea to add a NetBIOS name for your computer to this file. This becomes what other clients see in network browse lists such as those shown from Network Neighborhood/My Network Places and the smbclient command. The command that follows becomes the comment shown with the browse list:

# local computer NetBIOS name
    netbios name = cosmicc
# server string is the equivalent of the NT Description field
    server string = Samba Server

If you activate the hosts allow command, you can limit access to the specified network. The following default would limit access to the networks with the 192.168.1.0 and 192.168.2.0 network IP addresses, as well as the local computer (127.):

;   hosts allow = 192.168.1. 192.168.2. 127. 

These default printer settings are required to share printers from this Samba server. You'll want to change the printing command as shown to enable cooperation with CUPS. (CUPS is an allowed value despite the comments in the default RHEL 3 version of this file.)

   printcap name = /etc/printcap
   load printers = yes
;   printing = bsd
   printing = cups

If you want to configure a special guest account, you can activate this command, as long as you add a pcguest user with the useradd command described in Chapter 4.

;  guest account = pcguest

This command sets up log files for every computer that connects to this Samba server. For example, if a computer named allaccess connects to this Samba server, you can find a log of its access problems in /var/log/samba/allaccess.log. The log file is limited to 50KB.

   log file = /var/log/samba/%m.log
   max log size = 50

The security command may be a bit confusing. This command means that connections check the local password database. It is appropriate if you're configuring this computer as a PDC.

   security = user

If you want to configure this computer as a member server on a Domain, you'll want to use a password database from a PDC. Strangely enough, in that case, you would substitute the following command:

   security = domain

On The Job 

If you just want to set up this computer as a workstation that happens to share directories on a Microsoft Domain, you'll need to set up the computer as a member server on that Domain.

Alternatively, if you just want to use a database from another computer that is not a PDC, you'd substitute the following command:

   security = server 

Finally, if you're configuring this computer on a peer-to-peer workgroup, you want to substitute the following command:

   security = share

There are four basic authentication options: share, user, server, and domain. The default is user; in this case, you'll want to make sure the Samba usernames and passwords that you create match those on individual Windows NT/2000/XP systems on your network.

If you use the server authentication option, you can name another Samba server to carry the database of usernames and passwords.

If you use the domain authentication option, you can name an NT/2000/XP domain controller. You can set up a Samba server as a domain controller as well, emulating the functionality of a Windows domain controller.

On The Job 

With Samba version 3.0, you can now configure a Samba-enabled Linux computer as a member server on an Active Directory network. If that's what you want, set up security = ads.

If you've set up security = domain or share, you'll want to activate this command with the name of the password server:

;   password server = <NT-Server-Name>

Linux is case sensitive. If you want to disable the case sensitivity for usernames and passwords of up to eight characters, activate these commands:

;  password level = 8
;  username level = 8

Encryption is enabled by default for Microsoft Windows computers, unless you have a network with operating systems older than Windows 95 (pre-OSR2) or Windows NT 4 (before Service Pack 3). Therefore, you'll want to activate these commands. I'll describe how you can set up the Samba password file later in this chapter.

;  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

If you've configured the same usernames for your Microsoft and Linux computers, activate the following commands. They help synchronize the passwords on the different accounts.

;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n \
; *ReType*new*UNIX*password* %n\n \
 *passwd:*all*authentication*tokens*updated*successfully*

If the usernames on your Linux computers aren't identical to your Windows usernames, you'll need to activate a database of matching usernames in the following database:

;  username map = /etc/samba/smbusers

You can customize the local Samba configuration by the computer (machine) client that connects by activating the following command. Configuring these computer-specific command files is complex, and I suspect is beyond configuring 'the service for basic operation.'

;   include = /etc/samba/smb.conf.%m

Configuring socket options also takes trial and error and requires more than the 'basic operation' configuration skills specified in the Red Hat Exam Prep guide.

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

If your computer is connected to more than one network, you can specify the networks served by your Samba server here:

;   interfaces = 192.168.12.2/24 192.168.13.2/24

If you want to keep your browse list synchronized with other LANs, you can specify those computers or networks here:

;   remote browse sync = 192.168.3.25 192.168.5.255

If other computers are having trouble finding the browse list, you can tell Samba to share the list with specific computers or subnets:

;   remote announce = 192.168.1.255 192.168.2.44

Unless you specifically designate this computer to be a local master, Samba participates in browser elections like any other Microsoft Windows computer, using the os level that you designate. Alternatively, if you don't already have a Domain Controller acting as a browse master, you can give the responsibility to the Samba server. Or if you just want to make it easier for the local computer to win the browser election, activate the preferred master command.

;   local master = no
;   os level = 33
;   domain master = yes
;   preferred master = yes

If you have Windows 95 computers on your network, you'll want to activate this command. Remember, many Windows 95 computers can't handle encryption.

;   domain logons = yes

The following commands set up Microsoft command line batch files by computer and user. The command afterwards stores Microsoft user profiles on the local Samba server. That means these commands can't be tested on the Red Hat exams unless you have access to a Microsoft Windows computer. Since I can't tell you what's on the Red Hat exams, it is up to you to determine whether it's practical to have separate Microsoft Windows computers available during those exams.

;   logon script = %m.bat
;   logon script = %U.bat
;   logon path = \\%L\Profiles\%U

If you have multiple browse methods, you can set the order used by your Samba server to search for other computers. This particular command looks to the WINS (Windows Internet Name Service) server first, followed by any available lmhosts file; if both options fail, a broadcast request for names is sent to the network.

; name resolve order = wins lmhosts bcast

If you activate the following command, Samba activates a WINS server on the local computer:

;   wins support = yes

Alternatively, you can point the local computer to a remote WINS server on the network; of course, you'd have to substitute the IP address for w.x.y.z.

;   wins server = w.x.y.z

If there are non-WINS capable computers on the network, such as Linux computers without the Samba server software, you can activate this command:

;   wins proxy = yes

On The Job 

Adding Linux to a Microsoft Windows NT/2000/XP network can be made easier by configuring the Samba service to look like another Windows host on the network. You can configure the Samba server to act as a WINS client of the WINS server, share files and printers just like all the other Windows hosts, and participate in the browser service.

If you change this setting to yes, name searches can go through available DNS databases.

   dns proxy = no

The remaining commands are fairly self-explanatory; however, I've never changed these settings, as changes to these variables can cause trouble with file transfers.

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

On The Job 

If you want to set up a Samba server to use a Microsoft Windows database of usernames and passwords, you'll need to activate the winbindd daemon. With the right commands in smb.conf, you can also set up Microsoft users and groups with the UIDs and GIDs of your choice on your Linux system.

Share Settings

Share settings are organized into stanzas, which are groups of commands associated with a share name. (With respect to stanzas, some believe that well-constructed configuration code is like good poetry.) The first four lines in this section define the [homes] share, which automatically shares the home directory of the logged in user. Remember, RHEL 3 includes Samba version 3.0. Every user gets access to their own home directory; the browsable = no command keeps users away from each other's home directory.

There is no default /homes directory. It's just a label. You don't need to supply a home directory, because Samba will read the user's account record in /etc/passwd and /etc/shadow to determine the directory to be shared.

By default, this does not allow access to unknown users (guest ok = no). If you prefer, you can limit the systems that can use this share (hosts allow = ?, and hosts deny = ?).

#============================ Share Definitions =============
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

Exam Watch 

If you forget the meaning of a specific Samba variable, you can find more information with the man smb.conf command.

Those of you who are familiar with Red Hat Linux 9 may note that it supports Samba version 2.2.7. The basic [homes] directory share is the same; however, you may notice that the Samba version 2.2.7 version of this file in Red Hat Linux 9 includes three more variables:

  • valid users = %S: By default, all users with a local account can access their home directory using this share; this command adds the name of the service.

  • create mode = 664: Sets permissions when you create or copy files to your home directory through this share. The default, and thus what happens in the default RHEL 3 smb.conf file, corresponds to a create mode of 744. This gives the file owner rwx permissions, and other users on that computer read-only permissions. I explain the concept of Linux file permissions briefly in Chapter 1.

  • directory mode = 775: Similar to create mode; sets permissions when you create directories through this share. The default for RHEL 3 if you don't specify a directory mode is 755.

If you activate the commands in the following stanza, you can set up a netlogon share for Microsoft Windows workstations. As there are no netlogon shares even for Samba-enabled Linux workstations, this section requires a Microsoft Windows computer to verify functionality. If you believe that you'll have access to a Microsoft Windows computer during the Red Hat exams, you'll want to study this section carefully.

# Un-comment the following and create the netlogon directory for
# Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

This next stanza configures profiles for Microsoft Windows workstations. As these profiles become a part of a Microsoft Windows registry when you log on to one of those workstations, you're unlikely to configure this section in a network of Linux-only computers. Make your own judgment on whether you might have to configure this section during the RHCE exam.

# Un-comment the following to provide a specific roving profile
# share; the default is to use the user's home directory
;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes

The [printers] stanza normally works as is, to allow access by all users with accounts on your computer or domain. If you want to limit access to specific users, see the [fredsprn] stanza later in this default file. While the spool directory (/var/spool/samba) is not browsable, the associated printers are browsable by their NetBIOS names. When you configure a printer later in this chapter, the name you designate automatically becomes the NetBIOS name.

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

If you activate the [tmp] share, it's a standard location for people to download and share files; all users get write access to this share.

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

The following stanza, as suggested by the comment, configures the /home/samba directory to be shared by the group named staff. You can configure this group in /etc/group or through the Network Information System (Chapter 10). And you need to configure special ownership and permissions for /home/samba, as described in the User Private Group scheme in Chapter 11.

# A publicly accessible directory, but read only, except for people
# in the "staff" group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

If you activate the following stanza, it configures a printer exclusively for one user. The default RHEL 3 smb.conf file has an error in this stanza; it lists the path to Fred's home directory as /homes/fred.

# A private printer, usable only by fred. Spool data will be
# placed in fred's home directory. Note that fred must have
# write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /home/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

This stanza configures a directory for Fred's exclusive use. I'm not sure why it's included in the Samba configuration file, as the user fred would already have a home directory on this computer. A better location for the path, which you need to create, is within the /home directory.

# A private directory, usable only by fred. Note that fred
# requires write access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

You can also set up directories by workstation; the %m variable is replaced by the name of the computer (machine) that connects to the Samba server. A better location for the path is the /home/pc/%m directory.

# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

The following stanza is slightly different from the [tmp] share. Every user who connects is treated as a guest. Unless you've configured a guest user, this defaults to the user nobody.

# A publicly accessible directory, read/write to all users. Note
# that all files created in the directory by users will be owned
# by the default user, so any user with access can delete any
# other user's files. Obviously this directory must be writable
# by the default user. Another user could of course be specified,
# in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

Finally, this is another variation on the User Private Group scheme, which creates a group directory. Unlike the [public] stanza, this share is private.

# The following two entries demonstrate how to share a directory so
# that two users can place files there that will be owned by the
# specific users. In this setup, the directory should be writable
# by both users and should have the sticky bit set on it to prevent
# abuse. Obviously this could be extended to as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

To summarize, the settings for each shared directory start with a section name, such as [tmp]. This section name contains the name that will be seen by Microsoft clients only if the service is set to be browseable (browseable = yes).

On The Job 

There are a number of variables in smb.conf that are not spelled correctly, such as browseable. In some cases, the correct spelling (browsable) also works. They are still accepted Samba variables, and generally should be spelled per the Samba defaults, not standard written English.

Joining a Domain

If you've configured a Samba server, and it's not the PDC for your network, you'll need to set it to join the domain. Essentially, you're configuring an account on the Domain Controller for the network. As long as there's one domain on this network, it's easy to do with the following command:

# net rpc join -U root

This assumes that root is the administrative user on the PDC; if you're joining a domain governed by a Microsoft Windows computer, the administrative user is administrator. If successful, you're prompted for the root password on the remote PDC. An account for the local computer is added to the PDC's user database in /etc/passwd.

On The Job 

If you're using Red Hat Linux 9 with Samba 2.2.7, the net rpc command is not available. You'll either have to upgrade or use the smbpasswd -j domainname -r domaincomputer -U root command.

Configuring Samba Users

You could set up identical usernames and passwords for your Microsoft Windows and Samba-enabled Linux computers. However, this is not always possible. For example, Microsoft usernames often start with a capital letter, which is not allowed for a Linux username. In that case, you'll want to set up a database of Samba users and passwords which correspond to current Microsoft usernames and passwords on your network.

If you're comfortable with the command line interface, the quickest way to set up Samba users is with the smbadduser and smbpasswd commands. Remember, you can create a new Samba user only from valid accounts on your Linux computer.

Managing Samba Users

You can set up Samba users on a list independent from your Linux users who have accounts on your Linux system. The Samba development team chose to do this because

  • There is no reason to grant Samba access to all Linux users.

  • You may wish to manage user access via Windows NT/2000/XP, so Linux wouldn't necessarily even know about your Samba users.

  • Samba user authentication may involve clear text passwords (for compatibility with Windows 95 and Windows 3.1). This could potentially compromise your Linux system.

To support these features, you can set up separate user accounts in the /etc/samba directory, in the smbusers and smbpasswd files. Two steps are required to make and enable a new Samba user:

  1. Create a Samba user entry by name and add a password for the user. Samba users can be created only from the current users on your Linux system.

  2. Enable Samba access for the new user.

If the username that you want does not yet exist, create it with the useradd username command. Then you can set that user up as a Samba user with the smbpasswd command. Use the following command; you're prompted to enter a password. That password can be different from the password used to log in directly to that Linux computer.

# smbpasswd -a newUser
New SMB password:
Retype SMB password:
#

Next, to enable Samba access for this user, run the following command:

# smbpasswd -e newUser
Enabled user newUser
#

Changes made by smbpasswd are passed to the Samba server to be copied to the system with the username and password database for your network.

On The Job 

The smbadduser command is no longer available in Samba 3.0, which is included with RHEL 3.

If you've configured Samba as a PDC for your network, the /etc/passwd file should govern the basic usernames and passwords for your system. You can use the mksmbpasswd.sh script to add all passwords to the /etc/samba/smbpasswd configuration file.

The smbpasswd command is powerful in RHEL 3; it includes a number of switches that you should learn, as described in Table 8-1.

Table 8-1: Various smbpasswd Commands

| smbpasswd Switch | Description |
| --- | --- |
| -a username | Adds the specified username to /etc/samba/smbpasswd. |
| -d username | Disables the specified username; thus disables that password from Microsoft networking. |
| -e username | Enables the specified username; opposite of -d. |
| -r computername | Allows you to change your Windows or Samba password on a remote computer. Normally goes with -U. |
| -U username | Normally changes the username on a remote computer, if specified with the -r switch. |
| -x username | Deletes the specified username from /etc/samba/smbpasswd. |

If you need to configure different usernames and passwords for your Linux and Microsoft computers, you'll need to edit them directly into the /etc/samba/smbusers file, or you can use the Samba Server Configuration utility, which I describe shortly.

Exercise 8-1: Using Home Directories


In this exercise, you'll learn about the basic home directory share. You'll need at least two computers, one of which should be a Samba server. The other can be a Linux or Microsoft Windows workstation. You'll connect to the Samba server from the workstation, and access the files in your home directory on the Samba server.

  1. Install and configure Samba to start using the methods described earlier in this chapter.

  2. Open the /etc/samba/smb.conf configuration file. Look for the current value of workgroup.

  3. Make sure that the computers on your network have the same value of workgroup. If your computer is on a domain, set workgroup to the name of the domain. If you don't already have a WINS server on this network, you'll also want to activate the wins support = yes command.

  4. Test the syntax of your Samba configuration file with the testparm command (I'll describe how this works shortly).

  5. Read and address any problems that you might see in the output from the testparm command. Fix any syntax problems with your smb.conf configuration file.

  6. Set up the root user on the server in the Samba database with the following commands (enter an appropriate password when prompted):

    # smbpasswd -a root
    # smbpasswd -e root
  7. Make Samba reread the smb.conf file with the following command:

    # service smb reload
  8. Now go to a remote Linux or Microsoft Windows workstation on the same Domain or Workgroup.

  9. If you can browse the list of computers from the Samba server with the following command, browsing and probably WINS is working properly. (Alternatively, from a Microsoft Windows computer, you should see a list of computers in the Network Neighborhood or My Network Places window.)

    # smbclient -L sambaserver -U root
  10. Enter the root username on the remote Samba server.

  11. If you're on a Linux computer, use the smbmnt or mount command (depending on whether you're regular or a root user) to configure the remote [homes] directory share on an empty local directory. For example, as the root user, you could mount on the local /mnt/share directory with the following command:

    # mount -o username=root "//sambaserver/homes" /mnt/share
  12. Test the result. Can you browse your home directory on the remote computer?


The Red Hat Samba Server Configuration Utility

RHEL 3 includes Red Hat's graphical configuration tool for Samba, redhat-config-samba, which you can install from the RPM of the same name. Before you use this tool to modify your configuration, back up the files in your /etc/samba directory.

This tool, also known as the Samba Server Configuration utility, lets you set basic global parameters and configure shared directories. You can start it from a GUI command line with the redhat-config-samba command, or you can click Main Menu | System Settings | Server Settings | Samba. You've seen the basic tool back in Figure 8-1.


Figure 8-5: Samba Server basic settings

You will find that this tool is straightforward to use. You can configure general Samba settings such as security level and workgroup through the Preferences | Server Settings command. The Add button enables you to set up a new share. The Preferences | Samba Users command allows you to modify the smbusers and smbpasswd files in the /etc/samba directory.

You can also use this tool to configure Samba usernames and passwords. In other words, you can use this tool to configure your smb.conf file as well as Samba usernames and passwords through the smbusers and smbpasswd files. Naturally, these files are stored in the /etc/samba directory.

There are drawbacks to the Samba Server Configuration utility. For example, you can't use it to edit all global parameters or share printers. You can't use it to set a Samba member server to join a domain.

Exam Watch 

Note that the Samba Server Configuration utility may not do everything you need. To configure most global settings or special printer shares, to join a domain, or to control Samba services, your fastest option is to work from the command line interface.

Global Settings

To see what the Samba Server Configuration utility can do to the global settings in the smb.conf configuration file, click Preferences | Server Settings. As you can probably guess from Figure 8-5, the basic settings set the workgroup and server string variables. The workgroup variable can represent the name of a Workgroup or Domain; in this case, Grateful is the name of my network domain.


Figure 8-6: Samba Server security settings

When you use this utility and assign default variables, it erases the variable from your smb.conf file. For example, if you set the workgroup name to Workgroup, this utility erases the workgroup command line from smb.conf. Therefore, it's an excellent idea to back up smb.conf before using the Samba Server Configuration utility.

In contrast, the Security tab supports a few more settings, as you can see in Figure 8-6. The entries are fairly straightforward. If you want more information on these variables, refer to the discussion on smb.conf earlier in this chapter:

  • Authentication Mode sets the security value in /etc/samba/smb.conf. The default is user.

  • Authentication Server sets up the location of the password server. There is no default.

  • Encrypt Passwords is associated with the variable of the same name. The default is yes.

  • Guest Account is associated with the variable of the same name. The default in RHEL 3 is nobody.

    On The Job 

    If you've selected a default, you may still see the variable in the smb.conf file in comments. Alternatively, you may see the variable in an unexpected location relative to the default comments.

Share Settings

Click the Add button. This opens the Create Samba Share window shown in Figure 8-7. The Basic tab helps you define the basic parameters associated with the share:


Figure 8-7: Basic components of Create Samba Share

  • Directory defines the directory that you want to share, using the path variable. The share name is taken from the last part of the directory name. For example, if you're sharing the /usr/share/to/path1, Samba designates [path1] as the share name.

  • Description allows you to define the comment that users can see in the browse list.

  • Basic permissions lets you set writable as yes or no; read only (writable=no) is the default. (This is another case where two spellings for the same variable are acceptable; writeable is also an acceptable spelling in smb.conf.)

The Access tab is simpler; it allows you to limit access to specific users from the smbpasswd configuration file. In other words, you can only limit access to users from the Samba password database. Once you've clicked OK, the Samba Server Configuration tool automatically updates the smb.conf configuration file.

Samba Users

The Samba Server Configuration tool also allows you to configure Samba users, based on the users already present in your /etc/passwd configuration file. Unfortunately, it can only use local password databases as of this writing. However, that's good enough to configure Microsoft usernames on this computer. To add Samba users from the Samba Server Configuration tool, click Preferences | Samba Users. This opens the Samba Users window shown in Figure 8-8.


Figure 8-8: Current Samba users

As you can see, this window includes a list of currently configured Samba users. Click Add User. This opens the Create New Samba User window shown in Figure 8-9, where you can:


Figure 8-9: Adding another Samba user

  • Select an existing username from /etc/passwd.

  • Enter the corresponding Microsoft Windows username.

  • Set up a password for that Samba user. It can be different from that user's Linux password.

Click OK when you're done. Naturally, you can also change the Windows username and password for each Samba user, or even delete Samba users with the Edit User and Delete User buttons. Click OK to exit from the Samba Users window.

Creating a Public Share

Now let's create a public access share for use with the entire network. First, create the /home/PublicShare directory for this purpose. Click Add to open the Create Samba Share window. Enter the directory that you want to share, /home/PublicShare, in the directory text box. Enter an appropriate description and select Read/Write access. In the Access tab, select the Allow Access To Everyone option. Click OK and exit from the Samba Server Configuration tool with the File | Quit command.

Now, you'll have to finish the task directly from the text editor. The instructions so far add the following commands in the /etc/samba/smb.conf configuration file:

[PublicShare]
     comment = Shared Public Directory
     path = /home/PublicShare
     writeable = yes
     guest ok = yes

Now you want to modify these commands. The [PublicShare] should be accessible to all users with a Linux account on your computer. It should also deny access to guest users and others. You want to provide access to anyone in your domain (.myCompany.com), and you want to deny access to everyone in the suspect domain (which we'll call evil.crackers.com). Finally, your shares should be browseable to valid users.

You'll want to change the last command in this stanza. As guest ok = no is the default, you can just erase the command, or replace it as shown:

guest ok = no

To provide access to all users in the given domain, I'd add the following command:

hosts allow = .myCompany.com

If you wanted to deny access to one specific computer on that network, you could add EXCEPT guest.myCompany.com to the end of this command. Alternatively, if this domain is on the 192.168.99.0 network, you could use one of the following commands:

hosts allow = 192.168.99.
hosts allow = 192.168.99.0/255.255.255.0

Exam Watch 

The digit '1' in front of the 777 directory permission string in the chmod command is known as the 'sticky bit.' By enabling the sticky bit, you are saying that anyone can do anything in the directory (because of the 777 permission value) but only to files they make! Otherwise, any user could delete or rename any file in your PublicShare, regardless of the file's owner.

You could specifically deny access to computers with a command such as the following:

hosts deny = evil.crackers.com

Or you could substitute IP addresses in the same format as with the hosts allow command. You've defined the share attributes in the Samba smb.conf configuration file. But you need to modify the directory associated with the share with the following command, which includes the 'sticky bit':

# chmod 1777 /home/PublicShare
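
As an added example (not from the book or the Samba project), the following shell script audits an smb.conf for the two conditions this section and the default [tmp] and [public] stanzas raise: shares that allow both guest access and writes, and writable share directories that lack the sticky bit. The sample configuration, the temporary paths, and the function names list_shares, guest_writable, missing_sticky and make_sample are constructed for illustration; settings in [global] are not evaluated.

```shell
#!/bin/sh
# Added example: audit smb.conf share stanzas (constructed sample input).

# list_shares FILE -> one "name|guest|writable|hosts_allow|path" line per
# active share. Lines that start with ; or # are inactive and are skipped.
list_shares() {
    awk '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function flush() {
        if (name != "" && name != "global")
            printf "%s|%s|%s|%s|%s\n", name, guest, writable, allow, path
    }
    /^[ \t]*([;#]|$)/ { next }
    /^[ \t]*\[/ {
        flush()
        name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*/, "", name)
        guest = "no"; writable = "no"; allow = "-"; path = "-"
        next
    }
    {
        i = index($0, "="); if (i == 0) next
        # parameter names are compared without case or embedded spaces
        key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = yes(val) ? "yes" : "no"
        else if (key == "writable" || key == "writeable") writable = yes(val) ? "yes" : "no"
        else if (key == "readonly") writable = yes(val) ? "no" : "yes"
        else if (key == "hostsallow") allow = val
        else if (key == "path") path = val
    }
    END { flush() }
    ' "$1"
}

# guest_writable FILE -> names of shares that allow guest access AND writes.
guest_writable() {
    list_shares "$1" | awk -F'|' '$2 == "yes" && $3 == "yes" { print $1 }'
}

# missing_sticky FILE -> existing directories of writable shares that lack
# the sticky bit (the leading 1 in chmod 1777).
missing_sticky() {
    list_shares "$1" | awk -F'|' '$3 == "yes" { print $5 }' |
    while IFS= read -r dir; do
        if [ -d "$dir" ] && [ ! -k "$dir" ]; then printf '%s\n' "$dir"; fi
    done
}

# make_sample DIR -> constructed smb.conf plus two share directories.
make_sample() {
    mkdir -p "$1/tmpshare" "$1/PublicShare"
    chmod 0777 "$1/tmpshare"       # world-writable, no sticky bit
    chmod 1777 "$1/PublicShare"    # world-writable with sticky bit
    cat > "$1/smb.conf" <<EOF
[global]
   workgroup = MYGROUP
[tmp]
   path = $1/tmpshare
   read only = no
   public = yes
;[fredsdir]
;   writable = yes
[PublicShare]
   path = $1/PublicShare
   writeable = yes
   guest ok = no
   hosts allow = .myCompany.com
EOF
}

work=$(mktemp -d)
make_sample "$work"
echo "Guest-writable shares:";            guest_writable "$work/smb.conf"
echo "Writable dirs without sticky bit:"; missing_sticky "$work/smb.conf"
rm -rf "$work"
```

To audit a real server, call the functions with /etc/samba/smb.conf instead of the sample file.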

Testing Changes to /etc/samba/smb.conf

After making any changes to /etc/samba/smb.conf, it is always a good idea to test your system before putting it into production. You can do a simple syntax check on the Samba configuration file with the testparm test utility, as shown in Figure 8-10. This does not actually check to see if the service is running or functioning correctly; it checks only basic text syntax and command stanzas.

Figure 8-10: Testing smb.conf syntax

Exercise 8-2: Configuring Samba with Shares


In this exercise, you'll be configuring Samba to do something useful, sharing a directory and any configured printers. For this purpose, you can't do anything with the Samba Server Configuration tool; therefore, you'll need to edit the /etc/samba/smb.conf file directly in a text editor.

  1. Install the Samba RPMs or Windows File Server Package Group as described earlier in this chapter.

  2. Create a /home/ftp/public directory. Change ownership to the ftp user and group, with full permissions (770).

  3. Open the /etc/samba/smb.conf file in a text editor.

  4. Configure Samba to share all installed print queues to all users. Normally, the default [printers] stanza in smb.conf should suffice. However, as you're about to create a guest account, you'll want to add the last command shown here:

    [printers]
         comment = All printers
         path = /var/spool/samba
         browseable = no
         printable = yes
         guest ok = yes
  5. Configure Samba to share as public, in read-only mode, the /home/ftp/pub directory tree. In the Share Definitions section, you could add the following commands:

    [pub]
         comment = shared FTP directory
         path = /home/ftp/pub
  6. Allow guest access to all public shares. In smb.conf, this means adding the following line to the [pub] stanza:

         guest ok = yes
  7. Since you're about to create a guest account, you'll need to activate the following command in smb.conf:

    ; guest account = pcguest 
  8. Create a guest account for pcguest, associate it with an unused UID and GID 600. Set the password to be 'anonymous.' While you can do this with the Red Hat User Manager discussed in Chapter 4, the quickest way to do this is with the following commands:

    # useradd pcguest -u 600
    # passwd pcguest
  9. Create separate log files for each computer host that connects. This is already active by default with the following command:

    log file = /var/log/samba/%m.log
  10. If you have a WINS server configured, authorize Samba to participate as a WINS client. Use the IP of that WINS server. While you don't want to enable the wins support command, you do want to point the wins server command to the IP address of your WINS server (I've added a random IP address):

    wins server = 10.11.12.13
  11. Write and save your changes to the smb.conf file.

  12. You can see if Samba is already running with the service smb status command. If it's stopped, you can start it with the service smb start command. If it's running, you can make Samba reread your configuration file with the following command:

    # service smb reload

This final option allows you to change your Samba configuration without disconnecting users from your Samba server.







RCHE Red Hat Certified Engineer Linux Study Guide[c] Exam (Rh302)
ISBN: 71765654
EAN: N/A
Year: 2003
Pages: 194
