SAMBA
1. Overview
Samba is a suite of UNIX applications that
communicate via the Server Message Block (SMB) protocol. Many operating
systems, including Microsoft (MS) Windows and Macintosh OS/2, use SMB to
perform client-server networking. By supporting this protocol, Samba allows
UNIX servers to communicate with the same networking protocol as MS Windows
products. A Samba-enabled UNIX machine can masquerade as a server on your MS
network, and offer the following services:
| Role | Can Perform |
|---|---|
| File Server | Yes |
| Printer Server | Yes |
| Primary Domain Controller | Yes |
| Back-up Domain Controller | Yes |
| Windows 2000/95/98 Authentication | Yes |
| Local Master Browser | Yes |
| Local Back-up Browser | No |
| Domain Master Browser | Yes |
| Primary WINS Server | Yes |
| Secondary WINS Server | No |
The Samba suite revolves around a pair of
UNIX daemons that provide shared resources. These daemons are:
- smbd: The smbd daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print, and browser services to SMB clients across one or more networks. smbd handles all the notifications between the Samba server and the network clients. It is also responsible for user authentication, resource locking, and data sharing through the SMB protocol.
- nmbd: The nmbd daemon is a nameserver that mimics the WINS and NetBIOS name server functionality, as you might expect to encounter with a LAN Manager package. This daemon listens for nameserver requests, and, when called upon, provides the appropriate information. It also provides browsing lists for the Network Neighborhood, and participates in browsing elections.
Samba also comes with a small set of UNIX
command-line tools:
- nmblookup: A program that provides NetBIOS over TCP/IP name look-ups
- smbclient: An FTP-like UNIX client that can be used to connect to Samba shares
- smbpasswd: A program that allows an administrator to change the encrypted passwords used by Samba
- smbstatus: A program for reporting the current network connections to the shares on a Samba server
- smbtar: A program for backing up the data in the shares, similar to the UNIX tar command
- testparm: A program to validate the Samba configuration file
- testprns: A program that tests whether various printers are recognized by the smbd daemon
2. Configuring Samba
smb.conf is at the heart of the Samba server. When the Samba package is installed, a default configuration file is installed in /etc/samba/smb.conf.
The smb.conf file is divided into two main sections:
1. Global Settings – Defines connection parameters.
2. Share Definitions – Defines shares.
A share is a directory on the server that is accessible over the network, and which is shared among users. This section has three sub-sections:
1. Homes - Defines the users' home directories
2. Printers - Defines the available printers
3. Shares - Have an entry for each share you would like to define
2.1. Setting the NetBIOS parameters
The smb.conf file
begins with the global settings for setting up the NetBIOS parameters of the
Samba server:
    #=================== Global Settings =====================
    [global]
    netbios name = NF5000
    workgroup = LINUX
    server string = Samba Server
The parameters are described in Table 2.
Table 2. NetBIOS parameters
| Parameter | Description |
|---|---|
| netbios name | This is the name by which the Samba server is known on the network. This parameter has the same meaning as a Windows NT computer’s name. If you do not specify its name, it defaults to the server’s hostname. |
| workgroup | This parameter specifies in which Windows NT workgroup the Samba server will participate. It is equivalent to the Windows NT domain or workgroup’s name. |
| server string | This is the description string of the Samba server. It performs the same role as the Windows NT description field. |
2.2. Global printing settings
The global printing
parameters are given below:
    load printers = yes
    printcap name = /etc/printcap
    printing = lprng
The parameters are described in Table 3.
Table 3. Printing parameters
| Parameter | Description |
|---|---|
| load printers | This parameter controls if Samba loads all the printers in the printcap file for browsing. |
| printcap name | This parameter tells Samba the location of the printcap file. The default value is /etc/printcap. |
| printing | This parameter tells Samba which printing style to use on your server. Samba uses the LPRNG printing style by default. |
2.3. Global security settings
The global security
parameters are given below:
    security = user
    ; password server = <NT-Server-Name>
    encrypt passwords = yes
    smb passwd file = /etc/samba.d/smbpasswd
Table 4. Security parameters
| Parameter | Description |
|---|---|
| security | This parameter has four possible values: domain, server, share, and user. |
| password server | This server is used for authorization at the server or domain security level. Use the server’s NetBIOS name for the parameter value. |
| encrypt passwords | Setting this parameter to “Yes” will enable Samba to use an encrypted password protocol. This is used in the MS Windows NT Service Pack 3, and in MS Windows 98, and is required in order to communicate with these clients. |
| smb passwd file | This parameter tells Samba the location of the encrypted password file. |
2.4. Global name resolution settings
The global name
resolution parameters are given below:
    name resolve order = wins lmhosts bcast
    wins support = yes
    ; wins server = w.x.y.z
These parameters are described in Table 5.
Table 5. Name resolution parameters
| Parameter | Description |
|---|---|
| name resolve order | This parameter specifies how the Samba server will resolve NetBIOS names into IP addresses. The preferred value is wins lmhosts bcast. |
| wins support | If this option is enabled, the Samba server will also act as a WINS server. |
| wins server | This parameter tells Samba which WINS server to use. |
Note: Samba can be either a
WINS server or a WINS client, but not both. Only one of the WINS support and
WINS server parameters can be set at a time. If you specify the IP address of a
WINS server, then the WINS support must be set to “No”.
2.5. Creating shares
A share can be
defined in the smb.conf file as given below:
    [redbook]
    comment = Redbook files
    path = /redbook
    browseable = yes
    printable = no
    writable = yes
    write list = @users
Table 6 explains some of the parameters used for creating shares.
Table 6. Share parameters
| Parameter | Description |
|---|---|
| comment | This parameter describes the function of a share. |
| admin users | This parameter is used to specify the users who have administrative privileges to the share. When they access the share, they perform all operations as root. |
| path | Defines the full path to the directory you are sharing. |
| browseable | If this parameter is set to “Yes”, you can see the share when you are browsing the resources on the Samba server. The value can be “Yes” or “No”. |
| printable | This parameter is used to specify if the share is a print share. The value can be “Yes” or “No”. |
| write list | Users specified in this list have write access to the share. If the name begins with @, it indicates a group name. |
| writable | This parameter specifies if the share is writable. The value can be “Yes” or “No”. |
| read list | Users specified in this list have read access to the share. If the name begins with @, it indicates a group name. |
| read only | If this parameter is set to “Yes”, the share is read-only. The value can be “Yes” or “No”. |
| valid users | This parameter specifies which users can access the share. |
2.6. Share permissions
Although you can
control the share permissions with share parameters, UNIX permissions are
applied before share permissions. Ensure that the UNIX permissions let the
users access the share directory in the UNIX environment. When a user creates a
new file on the shared directory, the default create mask used is 0744. For
directory creation, the default create mask is 0755. You can force a different
creation mask by using the parameters explained in Table 7:
Table 7. Create mask parameters
| Parameter | Description |
|---|---|
| create mask | This is used for file creation to mask against the UNIX mask calculated from the DOS mode. |
| directory mask | This is used for directory creation to mask against the UNIX mask calculated from the DOS mode. |
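How the two masks act on a new file or directory, as an added example that is not part of the original page. It follows the calculation described in smb.conf(5) and assumes Samba's defaults of map archive = yes, map hidden = no and map system = no; the function and constant names are made up for the illustration.

```python
# DOS attribute bits carried in SMB file attributes.
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20

def unix_mode(dos_attrs, is_dir=False, mask=None, force=0o000,
              map_archive=True, map_hidden=False, map_system=False):
    """Permission bits Samba gives a newly created file or directory.

    mask  : 'create mask' (files) or 'directory mask' (directories);
            None selects the defaults quoted in section 2.6.
    force : 'force create mode' / 'force directory mode', OR-ed in last.
    """
    mode = 0o666                      # start from rw for user, group, other
    if dos_attrs & READONLY:
        mode &= ~0o222                # DOS read-only removes every write bit
    if is_dir:
        mode |= 0o200 | 0o111         # owner can always write; all may traverse
        mask = 0o755 if mask is None else mask
    else:
        if map_archive and dos_attrs & ARCHIVE:
            mode |= 0o100             # archive bit is stored as user execute
        if map_hidden and dos_attrs & HIDDEN:
            mode |= 0o010             # hidden bit is stored as group execute
        if map_system and dos_attrs & SYSTEM:
            mode |= 0o001             # system bit is stored as other execute
        mask = 0o744 if mask is None else mask
    return (mode & mask) | force      # the mask is AND-ed, force is OR-ed

def world_readable(mode):
    """True if users outside the owner and group can read the object."""
    return bool(mode & 0o004)

if __name__ == "__main__":
    for label, kwargs in [("default file", {}),
                          ("default directory", {"is_dir": True}),
                          ("[homes] file, mask 0700", {"mask": 0o700})]:
        m = unix_mode(ARCHIVE, **kwargs)
        print(f"{label:26} {m:04o} world-readable={world_readable(m)}")
```

With the default masks every new file is readable by all local users on the server, which is why the [homes] definition in section 2.7 narrows both masks to 0700.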
2.7. Creating shares for home directories
smb.conf has a special share section called [homes] for handling home directories. This share definition is used for all home directories, so you do not need to create separate shares for each user. When a client requests a connection to a share, the existing shares are scanned. If a match is found, that share is used. If no match is found, the requested share is treated as the username, and is validated by security. If the name exists and the password is correct, a share with that name is created by cloning the [homes] section. Home share definitions use the same parameters as normal shares. The following is an example of a [homes] share definition in the smb.conf file:
    [homes]
    comment = Home Directories
    path = %H
    valid users = %S
    browseable = no
    writable = yes
    create mode = 0700
    directory mode = 0700
Table 8 explains the use of certain variables in the [homes] share definition:
Table 8. Variable description
| Parameter | Description |
|---|---|
| %H | This variable represents the user’s home directory. |
| %S | The name of the current service, which is, in the case of [homes] shares, equal to the username. |
2.8. Creating a printer share
A Samba server follows the same procedure for [printers] shares that applies to [homes] shares. The share definitions and user names are tested against the requested share name. If a match is found in the [printers] share section, a share with that name is cloned with the name of the requested service. The following is an example of a [printers] definition in the smb.conf file:
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = no
    writable = no
    printable = yes
    create mask = 0700
The [printers]
section is just like the other share definitions. When a user prints, Samba
copies the data into the spool directory, after which it is handled by the
local printing system. The only major difference between a printer share and
other share definitions is that the printable parameter is set to “Yes”. This
means that a user can write a spool file to the directory specified under the
share definition. If the share is printable, then it is also writable by
default.
3. Starting and stopping the Samba server
Start the Samba
server by executing the following command:
    /etc/rc.d/init.d/smb start
You will see:
    Starting SMB services:
    Starting NMB services:
Two daemons have been
started: smbd and nmbd. smbd is the Samba server, and nmbd is the WINS server.
The Samba server can
be stopped by executing the command:
    /etc/rc.d/init.d/smb stop
Restart the Samba
server whenever you modify the smb.conf configuration file.
4. Step-by-step Configuration Guide
4.1. Samba as Primary Domain Controller
Add the following lines to the global section of the smb.conf file:
    # The domain you want to be a PDC for
    workgroup = osrc
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    # Tell Samba to use domain logons
    domain logons = yes
    # User-level security. Users must authenticate themselves with
    # valid username and password
    security = user
    # Set to yes so that nmbd participates in local master browser
    # elections
    local master = yes
    # Set Os level value to make sure nmbd wins local browse master
    # elections. 65 should beat everyone according to the man page
    os level = 65
    # Give nmbd an advantage in local master browser elections
    preferred master = yes
    # Set so that nmbd claims a unique NetBIOS name identifying it as
    # a domain master
    domain master = yes
    # run a specific logon batch file per username
    logon script = %U.bat

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

    # The following share is required to support domain logons.
    # The directory may be created anywhere on your system. Make
    # sure the share is non-writeable and also not a public share.
    [netlogon]
    comment = The domain logon service
    path = /usr/local/samba/netlogon
    public = no
    writeable = no
Add a Samba password for the user root:
    # smbpasswd -a root
Create an MS Windows machine account. In this example, the Windows workstation that is to join this domain is named “ws01”.
    # groupadd machines
    # useradd -g machines -d /dev/null -s /bin/false ws01$
    # smbpasswd -a -m ws01
Note: Domain users are created in two steps:
- Add a Linux user
    # useradd bakar
- Add this user to smbpasswd
    # smbpasswd -a bakar
4.2. Join Domain
Log in to MS Windows as an administrator and right-click “My Computer”. Go to “Properties” -> “Computer Name” -> “Change”. In “Domain”, type the domain name you want to join (in this example, osrc) and press the “Enter” key. When asked for authentication, enter root and the password you set for it with the smbpasswd command. A message window, “Welcome to osrc”, will pop up. Click “OK”, and restart the machine.
On the login screen, select the domain, osrc, from the drop-down menu, and log in with the domain user.
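A small check that can be run over smb.conf before restarting the server, added here as an example (it is not code from the page or from the Samba project). It flags the points this guide itself raises: wins support set together with wins server, admin users on a share, a [netlogon] share that is public or writable, and a [homes] section without the valid users = %S line shown in section 2.7. The sample configuration and all function names are constructed for the illustration.

```python
# Constructed smb.conf sample for this example (not taken from the page).
SAMPLE = """\
[global]
wins support = yes
wins server = 192.0.2.10
[homes]
writeable = yes
[netlogon]
public = yes
[redbook]
writable = yes
admin users = bakar
"""
YES, NO = ("yes", "true", "1"), ("no", "false", "0")

def parse(text):
    # Returns {section: {parameter: value}}; names lower-cased, inner spaces collapsed.
    conf, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return conf

def on(sec, *names):
    # True if any of the synonymous boolean parameters is switched on.
    return any(sec.get(n, "").lower() in YES for n in names)

def audit(text):
    conf, out = parse(text), []
    g = conf.pop("global", {})
    if on(g, "wins support") and g.get("wins server"):
        out.append(("global", "wins support and wins server are both set"))
    for name, sec in conf.items():
        guest = on(sec, "guest ok", "public")
        write = on(sec, "writable", "writeable", "write ok") or sec.get("read only", "").lower() in NO
        if sec.get("admin users"):
            out.append((name, "admin users operate as root on this share"))
        if name == "netlogon" and (guest or write):
            out.append((name, "netlogon must be neither public nor writable"))
        elif guest and write:
            out.append((name, "guest-accessible share is writable"))
        if name == "homes" and sec.get("valid users") != "%S":
            out.append((name, "valid users = %S missing; only UNIX permissions separate users"))
    return out
```

testparm validates the syntax of the file; audit(open("/etc/samba/smb.conf").read()) returns a list of (section, finding) pairs for the settings above.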