Over the past few years, Windows-only shops have been slowly adding Unix and Unix-like systems to their server arsenal. The reason for this is a piece of software called Samba. Samba provides the Windows sharing services that you've already seen in Tiger, but is capable of much more than just sharing your home directory. It is also capable of replacing Windows NT and 200x servers on your network. Samba offers comparable performance, features, and a price that can't be beat (free, of course). To quote eWEEK:
Samba offers web-based configuration and administration. Even if you've never used a Windows computer and don't know the first thing about Windows file sharing, you'll be able to get a basic server up and running in only a few minutes.
Samba supports several advanced features, including file and printer sharing, user and share security, WINS, and emulation of a Windows domain. Best of all, it runs natively on Mac OS X. Now Windows users can come to the Mac, rather than vice versa.
Samba is a large piece of software approaching Apache in terms of complexity and number of configuration options. In this chapter, the focus is on setting up solid, general-purpose servers. High-end needs are best served by other sources, such as Sams Teach Yourself Samba in 24 Hours (ISBN: 0672316099). The Samba website is also a great source for information (http://www.samba.org).
Let's get down to business.
Activating the SWAT Web Interface
Although Samba can be activated and used with Apple's default configuration (stored in /etc/smb.conf), you'll be missing 99% of the functionality. Samba offers many advanced features that can be accessed only when you manually edit the setup. In its early days, Samba was configured entirely by hand by editing the smb.conf file. It worked, but wasn't really useful to anyone but the most die-hard Unix users. Today, however, configuration is handled entirely through a web-based GUI called SWAT.
SWAT is included with your system but is not ready for use; you must first configure how launchd will start it. Edit the file /System/Library/LaunchDaemons/swat.plist to include -a as one of the program arguments. This will allow any local user to make changes to the Samba configuration via SWAT. Unfortunately, this is necessary as it is currently not possible to authenticate with the SWAT process. Notice, however, that the SWAT service is Disabled in the plist file. SWAT will not launch at boot and can be used only when an administrator explicitly starts it.
The resulting file should look like this:
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>GID</key>
    <integer>0</integer>
    <key>Label</key>
    <string>org.samba.swat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/swat</string>
        <string>-a -d 10</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockNodeName</key>
            <string>localhost</string>
            <key>SockServiceName</key>
            <integer>901</integer>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
That's it; SWAT is ready to run. Type sudo /sbin/service swat start to begin using SWAT. When you've finished, you should stop SWAT by typing sudo /sbin/service swat stop.
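Because -a removes authentication, the localhost listener and the Disabled key are the only controls left on SWAT. The following check is an added example, not part of the original chapter or of Samba: it parses a swat.plist and reports which of those controls are missing. The function name and finding labels are hypothetical, and the sample is the plist shown above with an XML declaration added.

```python
import plistlib

# Constructed sample: the swat.plist from the text, with an XML declaration added.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Disabled</key><true/>
  <key>Label</key><string>org.samba.swat</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/swat</string><string>-a -d 10</string></array>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockNodeName</key><string>localhost</string>
      <key>SockServiceName</key><integer>901</integer>
    </dict>
  </dict>
</dict>
</plist>"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_swat_plist(data):
    """Return a list of findings (hypothetical labels) for a SWAT launchd job."""
    job = plistlib.loads(data)
    # Arguments may be packed into one string, as in the text, so split each entry.
    argv = [tok for arg in job.get("ProgramArguments", []) for tok in str(arg).split()]
    auth_off = "-a" in argv
    listeners = job.get("Sockets", {}).get("Listeners", {})
    if isinstance(listeners, dict):
        listeners = [listeners]
    # A listener with no SockNodeName binds to every interface.
    exposed = [l for l in listeners if l.get("SockNodeName") not in LOOPBACK]
    findings = []
    if auth_off:
        findings.append("auth-disabled")
    if exposed:
        findings.append("non-loopback-listener")
    if not job.get("Disabled", False):
        findings.append("starts-at-boot")
    if auth_off and exposed:
        findings.append("CRITICAL: unauthenticated SWAT reachable from the network")
    return findings
```

For the configuration in the text, the only finding is auth-disabled, which is the trade-off the chapter accepts.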
Configuring Samba Sharing
To configure Samba, start a web browser and point it at port 901 of the Samba server (http://localhost:901). Because authentication is disabled, you will have full access to the SWAT controls. Figure 27.9 shows the SWAT home screen.
Figure 27.9. SWAT opens with a page providing easy access to Samba documentation.
The top of the SWAT display includes eight buttons to control the operation of the server:
Let's step through these configuration screens to see the options used in a typical sharing environment.
The Global Variables page, shown in Figure 27.10, is the starting point for setting up your Samba server. Many people jump the gun and immediately start setting up file shares. Failure to properly configure the global options might make it impossible to mount or browse shared resources.
Figure 27.10. Global options set the operating parameters for the Samba server.
Two buttons can save server settings (Commit Changes) and reset changes (Reset Values). Choosing the Basic or Advanced button shows additional options, a number of which are listed in Table 27.4. If you don't see the setting you're looking for, move to the Advanced mode.
The default settings should be sufficient for most small networks, with the exception of the base and security options (such as hosts allow and hosts deny). The best rule for Samba is that if you aren't sure what something does or whether you even need it, don't touch it.
The Share Parameters page sets up file shares that can be mounted on networked Windows-based computers. To create a new share, type a share name in the Create Share field and then click the Create Share button. To edit an existing share, choose its name from the pop-up list and then click Choose Share or click Delete Share to remove it completely.
With the default Tiger Samba configuration file, a single homes share should already be available. homes is unique because it is equivalent to each user sharing his home directory. Figure 27.11 shows this share loaded.
Figure 27.11. Use the Share Parameters page to set up your Windows SMB file shares.
The basic share parameters are listed in Table 27.5. A few advanced options are also included.
The trickiest part of setting up a share is figuring out user access rights. Regardless of whether Samba is using user-level or share-level access, a Unix user must be mapped to the incoming connection.
The easiest security model is user level (the default), which requires Windows users to log in to their computers using the same username and password set up on the Mac OS X machine. When using user-level access, Windows users are mapped directly to Samba users. The Mac OS X file permissions apply directly to the permissions of the connected user.
Assume, for example, that the Mac OS X user jray has read/write permissions to the folder /Stuff, which is also set to be a Samba share. If jray logs in to a Windows computer using the same username as on Mac OS X, he can access the Stuff share and have read/write access. The SWAT Password page can be used to map Unix users to the passwords that they will use on the remote Windows client if the Windows password doesn't match their default OS X password.
Things are a bit different with share-level access. In such cases, a single password is needed to access the share for all users, and no matter who is logged in, a single account is used by Samba when interacting with the Mac OS X filesystem. To simplify share-level security, create a new Mac OS X user to use for logging in to your shares and then set the guest account for the share equal to the Mac OS X username. You should disable other login access (set the shell to /dev/null) if you do distribute a password among multiple people for the purpose of file sharing.
The Samba Wizard options configure a Samba server to act as a standalone server, domain member, or domain controller. Use the radio buttons to choose your basic server settings, how WINS will be used (as either a client, server, or not at all), and whether home directories should be enabled. Click Commit to save the changes.
Samba can act as a full print server for a Windows network. By default, all configured printers are shared through a share called printers that operates much like the homes share does for home directories. Refer to Chapter 6, "Printer, Fax, and Font Management," for information about setting up Mac OS X printers.
There are a few options for setting up printer sharing. You can go with the default of sharing every printer available through the printers share. You can also modify the settings of the printers share or any specific shared printer to control its use. A final option is to delete the printers share and configure each device manually. Because Mac OS X normally does most of the work for you automatically, this last option really just makes life more difficult. Shared printers can be configured using the options in Table 27.6.
Enter the options needed to create the printer share and then click Commit Changes. Windows clients should be able to browse and print the device (with an appropriate driver) immediately.
The SWAT Server Status page gives a quick overview of the server's current conditions, including active connections, shares, and files. Normally, the administrator can use this screen to restart the server or disable any active connections. Unfortunately, in Tiger, Apple has chosen to use launchd to start smbd and nmbd on demand, meaning that they will not show up as active in the display regardless of whether they truly are.
The remaining two settings are still useful, regardless of how the daemon processes themselves are handled:
View offers a glimpse at the configuration file behind SWAT's GUI. Sometimes it's easier to scan through a text file to locate a problem than to work with the web interface. The View page has two modes. The Normal view (default) shows the minimum configuration file needed to implement your settings.
Switching to the Full view displays all the settings, including default options, for the Samba configuration. Each option is explicitly listed, regardless of its necessity.
The Password page is used to set up Samba passwords for existing Mac OS X users, or change remote user passwords if using domain-level security and a remote host for user authentication.
If you've enabled a Mac OS X user so that she can log in to her account from Windows, you've effectively already used this feature. Because Apple has tied Samba to the Mac OS X authentication system, there is no need to touch these settings; use the Tiger Sharing preferences pane instead.
If Samba uses domain-level security, another server (such as a Windows primary domain controller) is the source for all authentication information. To change a user's password on the remote server, use the Client/Server Password Management features of the password screen:
Click the Change Password button to send the password changes to the remote server.
Creating a Simple Samba Share by Hand
Now let's go through the process of accessing a shared volume from a Windows computer. This example uses Windows XP. By the time you read this, five or six new variations of Windows will probably be available, so I apologize if the instructions don't match up entirely.
First, set up the server defaults. For my machine, POINTY, I've created a bare global configuration. Rather than including a screenshot for the share, I'm including the configuration from the /etc/smb.conf file. Each resource has its own block in the config file. Within that block, the options we've covered are listed along with their associated value. This is the global configuration block for my simple Samba server:
[global]
    auth methods = guest opendirectory
    passdb backend = opendirectorysam guest
    guest account = unknown
    workgroup = POISONTOOTH
    netbios name = POINTY
    server string = Poisontooth SAMBA Server
    encrypt passwords = Yes
    preferred master = Yes
    dns proxy = No
    wins support = Yes
The workgroup, NetBIOS name, and server string are personalized for my server and local area network. I've also chosen to have the server act as a WINS server and register as the preferred master browser on the network. It's important to note that encrypted passwords are enabled; otherwise, newer Windows clients (such as Windows 2000/XP) wouldn't be able to connect.
Next, the file share. I've created a folder /filestorage/mp3s on my computer to hold my library of iTunes MP3 files. My user account (jray) owns the folder and has read/write permission to it. This simple share, named MyMP3s, is defined as
[MyMP3s]
    path = /filestorage/mp3
    read only = No
Now, with only a few clicks of the mouse (barring Windows lockups), I'll be happily listening to my iTunes music on a Windows computer.
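The hand-built configuration above sets none of the security options (such as hosts allow) mentioned earlier in the chapter, so the writable MyMP3s share accepts connections from any host. The following check is an added example, not part of the original chapter or of Samba: it reads smb.conf text and lists writable shares that have no host restriction or that allow guest access. The function name, the finding strings, and the [Restricted] share are hypothetical.

```python
import configparser

# Constructed sample: the [global] and [MyMP3s] blocks from the text (abbreviated)
# plus a hypothetical [Restricted] share that adds a "hosts allow" line.
SAMPLE = """
[global]
auth methods = guest opendirectory
guest account = unknown
workgroup = POISONTOOTH
encrypt passwords = Yes

[MyMP3s]
path = /filestorage/mp3
read only = No

[Restricted]
path = /filestorage/docs
read only = No
guest ok = No
hosts allow = 10.0.1.
"""

YES = {"yes", "true", "1"}

def audit_shares(text):
    """Return {share: [findings]} for every non-global section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]

        def effective(key, default):
            # A share-level value overrides the [global] one.
            return share.get(key, glob.get(key, default)).strip().lower()

        writable = effective("read only", "yes") not in YES
        findings = []
        if writable and not effective("hosts allow", ""):
            findings.append("writable with no hosts allow restriction")
        if writable and effective("guest ok", "no") in YES:
            findings.append("writable by the guest account")
        report[name] = findings
    return report
```

Adding a hosts allow line to [global] clears the finding for every share that does not override it.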
Mounting a Samba Share in Windows
There are a number of different ways to mount a network drive under Windows. If your Windows XP computer is set up with the same workgroup name as the Samba server, double-click My Network Places and then View Workgroup Computers. The Samba server should appear using the NetBIOS name you specified in the Global configuration.
Right-clicking My Network Places (or My Computer) and choosing Map Network Drive from the pop-up menu is the fastest mounting method. The screen shown in Figure 27.12 is displayed.
Figure 27.12. Map the shared folder in one simple step.
Choose a drive letter to use for the mounted volume and then enter the share path in the Folder field. The share path is entered as \\<NetBIOS name>\<share name>. For the sample share I've set up, the path is \\pointy\MyMP3s\. Click the Reconnect at Logon button to automatically mount the shared resource when you log in to the Windows computer. The Tiger Folder, shared through Samba, becomes usable like any other network drive on Windows.
Monitoring Samba Connections with smbstatus
Although the SWAT interface is fully capable of telling you who is accessing your server, sometimes a web browser isn't convenient. In that case, the smbstatus utility provides information about the active connections and users. For example:
brezup:root root # smbstatus
NOTE: Service printers is flagged unavailable.

Samba version 3.0.0beta3
PID     Username      Group         Machine
-------------------------------------------------------------------
951     jray          jray          client19     (10.0.1.119)
965     jray          jray          painful      (10.0.1.107)

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         965     painful       Sat Mar 12 13:11:05 2005
jray         951     client19      Sat Mar 12 13:11:05 2005
jray         965     painful       Sat Mar 12 13:11:05 2005

No locked files
In this example, two client computers (client19 and painful) are connected using the process IDs 951 and 965, respectively. The painful client is using the default IPC$ and jray shares, whereas client19 is just using jray. You can force a connection to close by killing the associated process ID.
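Before killing a process ID, it helps to know which client and which shares that PID serves. The following parser is an added example, not part of the original chapter or of Samba: it joins the two tables of the smbstatus output shown above by PID and lists sessions whose client address falls outside an expected network. The function names and the network values are assumptions.

```python
import ipaddress
import re

# Constructed sample: the smbstatus output shown above, without the shell prompt.
SAMPLE = """\
Samba version 3.0.0beta3
PID     Username      Group         Machine
-------------------------------------------------------------------
951     jray          jray          client19     (10.0.1.119)
965     jray          jray          painful      (10.0.1.107)

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         965     painful       Sat Mar 12 13:11:05 2005
jray         951     client19      Sat Mar 12 13:11:05 2005
jray         965     painful       Sat Mar 12 13:11:05 2005

No locked files
"""

# Session table row: PID, user, group, machine, (address)
PROC = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^)]+)\)\s*$")
# Share table row: service, PID, machine, timestamp
SHARE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\w{3} \w{3}\s+\d+ [\d:]+ \d{4}\s*$")

def parse_smbstatus(text):
    """Return {pid: {user, machine, ip, shares}} from smbstatus output."""
    sessions = {}
    for line in text.splitlines():
        m = PROC.match(line)
        if m:
            pid, user, _group, machine, ip = m.groups()
            sessions[int(pid)] = {"user": user, "machine": machine,
                                  "ip": ip, "shares": []}
            continue
        m = SHARE.match(line)
        if m and int(m.group(2)) in sessions:
            sessions[int(m.group(2))]["shares"].append(m.group(1))
    return sessions

def outside_network(sessions, cidr):
    """Return the PIDs whose client address is not inside the given network."""
    net = ipaddress.ip_network(cidr)
    return sorted(pid for pid, s in sessions.items()
                  if ipaddress.ip_address(s["ip"]) not in net)
```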
Table 27.7 shows the most useful smbstatus options.