< Day Day Up > 


Over the past few years, Windows-only shops have been slowly adding Unix and Unix-like systems to their server arsenal. The reason for this is a piece of software called Samba. Samba provides the Windows sharing services that you've already seen in Tiger, but is capable of much more than just sharing your home directory. It is also capable of replacing Windows NT and 200x servers on your network. Samba offers comparable performance, features, and a price that can't be beat (free, of course). To quote eWEEK:

Samba is capable, flexible, mature, and fairly well-documented; runs on several Unix operating systems; offers web-based configuration and administration; and is free.

Samba is now a viable option as a file and print server for many more Windows shops than before and earns an eWEEK Labs Analyst's Choice award for this remarkable technical accomplishment.

To add this functionality, Samba Team developers (including those who are part of the Samba: The Next Generation project) had to reverse-engineer the proprietary protocols Microsoft Corp. uses to authenticate users and systems over the network, using, in many cases, nothing but a packet sniffer.

Samba offers web-based configuration and administration. Even if you've never used a Windows computer and don't know the first thing about Windows file sharing, you'll be able to get a basic server up and running in only a few minutes.

Samba supports several advanced features, including file and printer sharing, user and share security, WINS, and emulation of a Windows domain. Best of all, it runs natively on Mac OS X. Now Windows users can come to the Mac, rather than vice versa.

Samba is a large piece of software approaching Apache in terms of complexity and number of configuration options. In this chapter, the focus is on setting up solid, general-purpose servers. High-end needs are best served by other sources, such as Sams Teach Yourself Samba in 24 Hours (ISBN: 0672316099). The Samba website is also a great source for information (


Apple has been reasonably good about including a new version of Samba with Mac OS X and keeping up with security patches. If you prefer to install from scratch and have about 30 minutes, you can easily compile and install Samba on your own. Download the latest Samba source from

Let's get down to business.

Activating the SWAT Web Interface

Although Samba can be activated and used with Apple's default configuration (stored in /etc/smb.conf), you'll be missing 99% of the functionality. Samba offers many advanced features that can be accessed only when you manually edit the setup. In its early days, Samba was configured entirely by hand by editing the smb.conf file. It worked, but wasn't really useful to anyone but the most die-hard Unix users. Today, however, configuration is handled entirely through a web-based GUI called SWAT.


Although Samba can be configured by hand (which you're welcome to do), it is recommended that SWAT be used at all times. Some small changes are easy enough to accomplish with a text editor, but the Samba configuration file is extremely sensitive to invalid settings.

If at any point in time you want to return to the original Mac OS X Samba configuration, just copy the file /etc/smb.conf.template over /etc/smb.conf, and all the changes you've made will be replaced.

SWAT is included with your system but not ready for use you must configure how launchd will start SWAT. Edit the file /System/Library/LaunchDaemons/swat.plist to include -a as one of the program arguments. This will allow any local user to make changes to the Samba configuration via SWAT. Unfortunately, this is necessary as it is currently not possible to authenticate with the SWAT process. Notice, however, that the SWAT service is Disabled in the plist file. SWAT will not launch at boot and can be used only when an administrator explicitly starts it.

The resulting file should look like this:

 <plist version="1.0"> <dict>         <key>Disabled</key>         <true/>         <key>GID</key>         <integer>0</integer>         <key>Label</key>         <string>org.samba.swat</string>         <key>ProgramArguments</key>         <array>                 <string>/usr/sbin/swat</string>                 <string>-a -d 10</string>         </array>         <key>Sockets</key>         <dict>                 <key>Listeners</key>                 <dict>                         <key>SockNodeName</key>                         <string>localhost</string>                         <key>SockServiceName</key>                         <integer>901</integer>                 </dict>         </dict>         <key>inetdCompatibility</key>         <dict>                 <key>Wait</key>                 <false/>         </dict> </dict> </plist> 

That's it; SWAT is ready to run. Type sudo /sbin/service swat start to begin using SWAT. When you've finished, you should stop SWAT by typing sudo /sbin/service swat stop.


SWAT is not related, in any way, to the Apache process. Even if Apache is not activated, you'll still be able to use a web browser to configure the Samba server. The launchd process listens on port 901 for an incoming TCP connection, and then launches /usr/sbin/swat to service the request.

Configuring Samba Sharing

To configure Samba, start a web browser and point it at port 901 of the Samba server (http://localhost:901). Because authentication is disabled, you will have full access to the SWAT controls. Figure 27.9 shows the SWAT home screen.

Figure 27.9. SWAT opens with a page providing easy access to Samba documentation.

The top of the SWAT display includes eight buttons to control the operation of the server:

  • Home Provides links to Samba documentation and supplemental material.

  • Globals Settings that affect the entire server, such as its name and security model.

  • Shares Shared file resources. If you used the sample configuration file that comes with the Apache distribution, a single home directory share already should be configured.

  • Printers Shared printers. To share a printer, it must first be set up so that it can be accessed from Mac OS X. By default, all configured printers are shared.

  • Wizard A quick-start for configuring Samba to be a standalone server, domain controller, or domain member. Because Mac OS X already includes a standalone configuration with setup specific to Mac OS X, starting over isn't recommended.

  • Status Monitor and view the status of the server. If you're logged in as root, you can restart or stop the server process.

  • View View a copy of the text configuration file.

  • Password Set and edit Samba user passwords. Samba authenticates against Mac OS X passwords by default, so it is unlikely you'll need these settings.

Let's step through these configuration screens to see the options used in a typical sharing environment.


Samba has so many configuration options that additional resources, such as Sams Teach Yourself Samba in 24 Hours, are recommended for complex configurations.


The Global Variables page, shown in Figure 27.10, is the starting point for setting up your Samba server. Many people jump the gun and immediately start setting up file shares. Failure to properly configure the global options might make it impossible to mount or browse shared resources.

Figure 27.10. Global options set the operating parameters for the Samba server.

Two buttons can save server settings (Commit Changes) and reset changes (Reset Values). Choosing the Basic or Advanced button shows additional options a number of which are listed in Table 27.4. If you don't see the setting you're looking for, move to the Advanced mode.

Table 27.4. Common Global Options and Their Purpose




Sets the workgroup or domain that the server belongs to. Set this to the same value as the workgroup/domain of local Windows clients; otherwise, they cannot browse the server. This is the same value that can be set in the Directory Access application.

netbios name

The Windows (NetBIOS) name of the server.

netbios aliases

A list of additional NetBIOS names to which the Samba server responds.

server string

A string used to describe the server. This is entirely arbitrary.


The network interfaces that Samba broadcasts over. For example, Mac OS X's primary interface is en0. By default, all active interfaces are used. To limit the interfaces, enter the interface names to use or the network address followed by a subnet mask (that is,

password level

The number of case-changes checked between the client login and the server password. Because client operating systems might transmit passwords in uppercase, they have to be altered to authenticate with the server. (Advanced)

username level

The same as the password level but alters the username in a similar manner. For example, if I have a Mac OS X username of jray and a Windows login of JRAY, I must set this value to 4 for it to be successfully permuted into the lowercase version. (Advanced)


The type of security model to use. User security bases access on a user login. Share password-protects individual shared resources. Domain and server security passes authentication duties to other Windows or Samba servers, respectively. You'll probably want user- or share-level security.

encrypt passwords

Sets encrypted password negotiation with the client. Encrypted passwords are required to access Samba from Windows 98 and later.

guest account

The local user that should be used for guest access and resource browsing. Mac OS X should use unknown.

hosts allow

A list of hostnames, IP addresses, IP addresses with subnet masks (, or partial addresses (192.168.0.) that can access the server. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.

hosts deny

Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as hosts allow.

log file

The log file to store server accesses in. The %m in the default path appends the name of the remote machine to the log file name.

max log size

The maximum size in kilobytes that a log file should be allowed to reach before rolling over.

domain logon

Accept domain logins. This allows Windows clients to recognize the Samba server as a PDC (primary domain controller). (Advanced)

preferred master

If set to Yes, the Samba server attempts to force an election for master browser. Do not use on networks with multiple servers that want to be masters.

local master

Enables Samba to try to become the master browser for the local area network. If set to No, it does not attempt to assume this role.

domain master

Enables Samba's nmbd component to become a domain master browser that collects browse lists from remote subnets.

os level

A number used to determine the ranking of Samba when a master browser is being elected on a Windows network. If Samba is the only server on the network, use the default 20. If NT/2000/XP machines are on the network and you want Samba to be the master browser, set this to a value greater than 32.

dns proxy

Attempts to resolve WINS queries through DNS if they cannot be resolved from locally registered machines.

wins server

A remote WINS server that Samba should register with.

wins support

Enables Samba's WINS service. Only a single machine should act as a WINS server on a given subnet.

The default settings should be sufficient for most small networks, with the exception of the base and security options (such as hosts allow and hosts deny). The best rule for Samba is that if you aren't sure what something does or whether you even need it, don't touch it.


The Share Parameters page sets up file shares that can be mounted on networked Windows-based computers. To create a new share, type a share name in the Create Share field and then click the Create Share button. To edit an existing share, choose its name from the pop-up list and then click Choose Share or click Delete Share to remove it completely.

With the default Tiger Samba configuration file, a single homes share should already be available. homes is unique because it is equivalent to each user sharing his home directory. Figure 27.11 shows this share loaded.

Figure 27.11. Use the Share Parameters page to set up your Windows SMB file shares.

The basic share parameters are listed in Table 27.5. A few advanced options are also included.

Table 27.5. File-Sharing Options and Values




A comment to help identify the shared resource.


The pathname of the directory to share. Be aware that in user-level security, you must make sure that the corresponding Mac OS X user accounts have access to this directory. When using share-level security, a single-user account is used usually the guest account. In that case, the next setting becomes very important.

guest account

The account used to access the share if the remote client is logged in as a guest. The default is unknown, but, if set to another username, the guest user will have the read/write permissions of that local user account. If you want to use share-level access control, you can set this value to the account whose permissions should be used when accessing the share.

force user

If entered, the force user username is used for all accesses (read/write) to the file share, regardless of the username used to log in. (Advanced)

force group

Similar to force user but forces a group rather than a user. (Advanced)

read only

When set to Yes, users cannot write to the share, regardless of the Mac OS X file permissions.

read list

A list of users that should only have read-access to the volume, regardless of any other settings.

write list

A list of users that should have read/write access regardless of any other settings.

create mask

A set of permissions that newly created files will have. By default, the mask is set to 0744. (Advanced)

guest ok

If set to Yes, guests can log in to the server without a password.

hosts allow

A list of hostnames, IP addresses, IP addresses with subnet masks (, or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.

hosts deny

Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as allow.

max connections

Restricts the number of simultaneous users who can access the share. (Advanced)


When set to Yes, the share shows up in the Windows network browser. If no, the share still exists, but remote users cannot see its name.


If set to Yes, the share is made available over the network. Setting to No disables access to the share.

The trickiest part of setting up a share is figuring out user access rights. Regardless of whether Samba is using user-level or share-level access, a Unix user must be mapped to the incoming connection.

The easiest security model is user level (the default), which requires Windows users to log in to their computers using the same username and password set up on the Mac OS X machine. When using user-level access, Windows users are mapped directly to Samba users. The Mac OS X file permissions apply directly to the permissions of the connected user.

Assume, for example, that the Mac OS X user jray has read/write permissions to the folder /Stuff, which is also set to be a Samba share. If jray logs in to a Windows computer using the same username as on Mac OS X, he can access the Stuff share and have read/write access. The SWAT Password page can be used to map Unix users to the passwords that they will use on the remote Windows client if the Windows password doesn't match their default OS X password.


Apple's Samba implementation takes advantage of Open Directory for authentication. If, for example, a Tiger computer is bound to an active directory, AD users may authenticate with the Samba process using their windows credentials. Users that have authenticated with the domain that the Tiger machine is part of should also be able to automatically access shares to which they have permission without needing to supply an additional login or password.

Things are a bit different with share-level access. In such cases, a single password is needed to access the share for all users, and no matter who is logged in, a single account is used by Samba when interacting with the Mac OS X filesystem. To simplify share-level security, create a new Mac OS X user to use for logging in to your shares and then set the guest account for the share equal to the Mac OS X username. You should disable other login access (set the shell to /dev/null) if you do distribute a password among multiple people for the purpose of file sharing.


The Samba Wizard options configure a Samba server to act as a standalone server, domain member, or domain controller. Use the radio buttons to choose your basic server settings, how WINS will be used (as either a client, server, or not at all), and whether home directories should be enabled. Click Commit to save the changes.


Samba maintains the basic share settings and parameters configured before the wizard is used. The wizard feature tweaks a handful of global options to make the server more quickly adaptable to a given role.


Samba can act as a full print server for a Windows network. By default, all configured printers are shared through a share called printers that operates much like the homes share does for home directories. Refer to Chapter 6, "Printer, Fax, and Font Management," for information about setting up Mac OS X printers.

There are a few options for setting up printer sharing. You can go with the default of sharing every printer available through the printers share. You can also modify the settings of the printers share or any specific shared printer to control its use. A final option is to delete the printers share and configure each device manually. Because Mac OS X normally does most of the work for you automatically, this last option really just makes life more difficult. Shared printers can be configured using the options in Table 27.6.

Table 27.6. Printer Sharing Options




A comment used to identify the printer share.


A directory where print spool files are saved before printing. The directory must be configured to be world-writable and have the sticky bit set.

guest ok

If set to Yes, guests may access the printer. This is not a wise idea on a publicly networked device.

hosts allow

A list of hostnames, IP addresses, IP addresses with subnet masks (, or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.

hosts deny

Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as allow.


Allows authenticated clients to write to the print spool directory.

printer name

The CUPS (Common Unix Printing System) name for the printer; used if configuring the printer manually. You must switch to Advanced view to see this option. To view a list of the CUPS-recognized printers on your system, type lpstat -p. Any available printer can be shared.

max print jobs

The maximum number of print jobs that can be submitted to the print queue at one time.


When set to Yes, the printer shows up in the Windows network browser. If set to No, the printer share still exists but remote users cannot see its name.


If set to Yes, the printer is made available over the network. Setting to No disables access to the printer.

Enter the options needed to create the printer share and then click Commit Changes. Windows clients should be able to browse and print the device (with an appropriate driver) immediately.


An alternative means of sharing printers with Windows clients is by way of the Mac OS X CUPS subsystem. This can be helpful for printing across subnets or where IP-based printing is the only acceptable solution. An excellent tutorial on using CUPS in this manner is provided at You should be able to disregard the information on fixing CUPS because it is (at the time of this writing) working correctly in Tiger.


The SWAT Server Status page gives a quick overview of the server's current conditions, including active connections, shares, and files. Normally, the administrator can use this screen to restart the server or disable any active connections. Unfortunately, in Tiger, Apple has chosen to use launchd to start smbd and nmbd on demand meaning that they will not show up as active in the display regardless of whether they truly are.

  • Stop/Start/Restart smbd Stops, starts, or restarts smbd the Samba SMB file/print server. All active connections are terminated.

  • Stop/Start/Restart nmbd Stops, starts, or restarts nmbd the Samba NetBIOS name server. Does not affect active connections.

  • Stop/Start/Restart winbindd Stops, starts, or restarts winbindd A process that binds to a Windows domain to retrieve account information. Does not affect active connections.

The remaining two settings are still useful, regardless of how the daemon processes themselves are handled:

  • Auto Refresh Sets the SWAT status page to autorefresh based on the Refresh Interval field. This is useful for monitoring server activity.

  • Kill The Kill button (an X) appears to the right of every listed connection. Clicking the button immediately terminates the link.


Terminating an active connection might result in data loss for the remote user. Although certainly a tempting prank, it isn't a nice thing to do.


View offers a glimpse at the configuration file behind SWAT's GUI. Sometimes it's easier to scan through a text file to locate a problem than to work with the web interface. The View page has two modes. The Normal view (default) shows the minimum configuration file needed to implement your settings.

Switching to the Full view displays all the settings, including default options, for the Samba configuration. Each option is explicitly listed, regardless of its necessity.


The Password page is used to set up Samba passwords for existing Mac OS X users, or change remote user passwords if using domain-level security and a remote host for user authentication.

If you've enabled a Mac OS X user so that she can log in to her account from Windows, you've effectively already used this feature. Because Apple has tied Samba to the Mac OS X authentication system, there is no need to touch these settings; use the Tiger Sharing preferences pane instead.

If Samba uses domain-level security, another server (such as a Windows primary domain controller) is the source for all authentication information. To change a user's password on the remote server, use the Client/Server Password Management features of the password screen:

  • User Name The remote user to change.

  • Old Password The user's existing password.

  • New Password The new password to set on the remote server.

  • Re-type New Password The same as the New Password option; used to verify typing.

  • Remote Machine The remote server that contains the username/password mappings.

Click the Change Password button to send the password changes to the remote server.

Creating a Simple Samba Share by Hand

Now let's go through the process of accessing a shared volume from a Windows computer. This example uses Windows XP. By the time you read this, five or six new variations of Windows will probably be available, so I apologize if the instructions don't match up entirely.

First, set up the server defaults. For my machine, POINTY, I've created a bare global configuration. Rather than including a screenshot for the share, I'm including the configuration from the /etc/smb.conf file. Each resource has its own block in the config file. Within that block, the options we've covered are listed along with their associated value. This is the global configuration block for my simple Samba server:

 [global]     auth methods = guest opendirectory     passdb backend = opendirectorysam guest     guest account = unknown     workgroup = POISONTOOTH     netbios name = POINTY     server string = Poisontooth SAMBA Server     encrypt passwords = Yes     preferred master = Yes     dns proxy = No     wins support = Yes 

The workgroup, NetBIOS name, and server string are personalized for my server and local area network. I've also chosen to have the server act as a WINS server and register as the preferred master browser on the network. It's important to note that encrypted passwords are enabled; otherwise, newer Windows clients (such as Windows 2000/XP) wouldn't be able to connect.

Next, the file share. I've created a folder /filestorage/mp3s on my computer to hold my library of iTunes MP3 files. My user account (jray) owns the folder and has read/write permission to it. This simple share, named MyMP3s, is defined as

 [MyMP3s]       path = /filestorage/mp3       read only = No 

Now, with only a few clicks of the mouse (barring Windows lockups), I'll be happily listening to my iTunes music on a Windows computer.

Mounting a Samba Share in Windows

There are a number of different ways to mount a network drive under Windows. If your Windows XP computer is set up with the same workgroup name as the Samba server, double-click My Network Places and then View Workgroup Computers. The Samba server should appear using the NetBIOS name you specified in the Global configuration.

Right-clicking My Network Places (or My Computer) and choosing Map Network Drive from the pop-up menu is the fastest mounting method. The screen shown in Figure 27.12 is displayed.

Figure 27.12. Map the shared folder in one simple step.

Choose a drive letter to use for the mounted volume and then enter the share path in the Folder field. The share path is entered as \\<NetBIOS name>\<share name>. For the sample share I've set up, the path is \\pointy\MyMP3s\. Click the Reconnect at Logon button to automatically mount the shared resource when you log in to the Windows computer. The Tiger Folder, shared through Samba, becomes usable like any other network drive on Windows.

Monitoring Samba Connections with smbstatus

Although the SWAT interface is fully capable of telling you who is accessing your server, sometimes a web browser isn't convenient. In that case, the smbstatus utility provides information about the active connections and users. For example:

 brezup:root root # smbstatus NOTE: Service printers is flagged unavailable. Samba version 3.0.0beta3 PID   Username   Group     Machine -------------------------------------------------------------------  951  jray     jray     client19   (  965  jray     jray     painful    ( Service   pid   machine    Connected at ------------------------------------------------------- IPC$      965  painful    Sat Mar 12 13:11:05 2005 jray      951  client19   Sat Mar 12 13:11:05 2005 jray      965  painful    Sat Mar 12 13:11:05 2005 No locked files 

In this example, two client computers (client19 and painful) are connected using the process IDs 951 and 965, respectively. The painful client is using the default IPC$ and jray shares, whereas client19 is just using jray. You can force a connection to close by killing the associated process ID.

Table 27.7 shows the most useful smbstatus options.

Table 27.7. smbstatus Options




Summary of connected users.


Detailed connection listing. This is the default mode.


Lists locked files only.


Lists the smbd process IDs and exit.


Lists connected shares only.

-s <config file>

Chooses the smb.conf file to use.

-u <username>

Displays only information relevant to a given username.


Verbose output.

     < Day Day Up > 

    Mac OS X Tiger Unleashed
    Mac OS X Tiger Unleashed
    ISBN: 0672327465
    EAN: 2147483647
    Year: 2005
    Pages: 251 © 2008-2017.
    If you may any questions please contact us: