| Deployment GuideChapter 18. File and Print ServersSamba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients. In order to use Samba, first ensure the samba package is installed on your system by running, as root: ~]# yum install samba 18.1.1. Introduction to SambaThe third major release of Samba, version 3.0.0, introduced numerous improvements from prior versions, including: The ability to join an Active Directory domain by means of the Lightweight Directory Access Protocol (LDAP) and Kerberos Built in Unicode support for internationalization Support for all recent Microsoft Windows server and client versions to connect to Samba servers without needing local registry hacking Two new documents developed by the Samba.org team, which include a 400+ page reference manual, and a 300+ page implementation and integration manual. For more information about these published titles, refer to Section 18.1.12.2, "Related Books".
Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration. What Samba can do: Serve directory trees and printers to Linux, UNIX, and Windows clients Assist in network browsing (with or without NetBIOS) Authenticate Windows domain logins Provide Windows Internet Name Service (WINS) name server resolution Act as a Windows NT®-style Primary Domain Controller (PDC) Act as a Backup Domain Controller (BDC) for a Samba-based PDC Act as an Active Directory domain member server Join a Windows NT/2000/2003/2008 PDC
What Samba cannot do: 18.1.2. Samba Daemons and Related ServicesThe following is a brief introduction to the individual Samba daemons and services. Samba is comprised of three daemons (smbd, nmbd, and winbindd). Three services (smb, nmb, and winbind) control how the daemons are started, stopped, and other service-related features. These services act as different init scripts. Each daemon is listed in detail below, as well as which specific service has control over it. The smbd daemon is controlled by the smb service. The nmbd daemon is controlled by the nmb service. The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this chapter. 18.1.3. Connecting to a Samba ShareYou can use Nautilus to view available Samba shares on your network. To view a list of Samba workgroups and domains on your network, select ⤍ from the GNOME panel, and select your desired network. You can also type smb: in the ⤍ bar of Nautilus to view the workgroups/domains. Double-click one of the workgroup/domain icons to view a list of computers within the workgroup/domain. As you can see from Figure 18.2, "SMB Machines in Nautilus", an icon exists for each machine within the workgroup. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them. Alternately, you can also specify the Samba server and sharename in the Location: bar for Nautilus using the following syntax (replace <servername> and <sharename> with the appropriate values): smb://<servername>/<sharename>
To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version. To connect to a Samba share from a shell prompt, type the following command: ~]$ smbclient //<hostname>/<sharename> -U <username>
Replace <hostname> with the hostname or IP address of the Samba server you want to connect to, <sharename> with the name of the shared directory you want to browse, and <username> with the Samba username for the system. Enter the correct password or press Enter if no password is required for the user. If you see the smb:\> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server. To exit smbclient, type exit at the smb:\> prompt. 18.1.3.2. Mounting the ShareSometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system. To mount a Samba share to a directory, create a directory to mount it to (if it does not already exist), and execute the following command as root: ~]# mount -t cifs //<servername>/<sharename> /mnt/point/ -o username=<username>,password=<password>
This command mounts <sharename> from <servername> in the local directory /mnt/point/. The mount.cifs utility is a separate RPM (independent from Samba). In order to use mount.cifs, first ensure the cifs-utils package is installed on your system by running, as root: ~]# yum install cifs-utils Note that the cifs-utils package also contains the cifs.upcall binary called by the kernel in order to perform kerberized CIFS mounts. For more information on cifs.upcall, refer to man cifs.upcall. For more information about mounting a samba share, refer to man mount.cifs. Some CIFS servers require plain text passwords for authentication. Support for plain text password authentication can be enabled using the following command: ~]# echo 0x37 > /proc/fs/cifs/SecurityFlags WARNING: This operation can expose passwords by removing password encryption. 18.1.4. Configuring a Samba ServerThe default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network. 18.1.4.1. Graphical ConfigurationTo configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at http://www.samba.org/samba/GUI/. 18.1.4.2. Command Line ConfigurationSamba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root: ~]# service smb restart To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your /etc/samba/smb.conf file: workgroup = WORKGROUPNAMEserver string = BRIEF COMMENT ABOUT SERVER Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system. To create a Samba share directory on your Linux system, add the following section to your /etc/samba/smb.conf file (after modifying it to reflect your needs and your system): [sharename]comment = Insert a comment herepath = /home/share/valid users = tfox carolepublic = nowritable = yesprintable = nocreate mask = 0765 The above example allows the users tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client. 18.1.4.3. Encrypted PasswordsEncrypted passwords are enabled by default because it is more secure to do so. To create a user with an encrypted password, use the command smbpasswd -a <username>. 18.1.5. Starting and Stopping SambaTo start a Samba server, type the following command in a shell prompt, as root: ~]# service smb start To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the smb service. To stop the server, type the following command in a shell prompt, as root: ~]# service smb stop The restart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally. To restart the server, type the following command in a shell prompt, as root: ~]# service smb restart The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. When the /etc/samba/smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective. To conditionally restart the server, type the following command, as root: ~]# service smb condrestart A manual reload of the /etc/samba/smb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root: ~]# service smb reload By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 10, Services and Daemons for more information regarding these tools. 18.1.6. Samba Server Types and the smb.conf FileSamba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations. The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the /etc/samba/smb.conf file for a successful configuration. 18.1.6.1. Stand-alone ServerA stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to Section 18.1.7, "Samba Security Modes". 18.1.6.1.1. Anonymous Read-OnlyThe following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the /etc/samba/smb.conf file. [global]workgroup = DOCSnetbios name = DOCS_SRVsecurity = share[data]comment = Documentation Samba Serverpath = /exportread only = Yesguest only = Yes 18.1.6.1.2. Anonymous Read/WriteThe following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share. Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the /etc/samba/smb.conf file. [global]workgroup = DOCSnetbios name = DOCS_SRVsecurity = share[data]comment = Datapath = /exportforce user = docsbotforce group = usersread only = Noguest ok = Yes 18.1.6.1.3. Anonymous Print ServerThe following /etc/samba/smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client. [global]workgroup = DOCSnetbios name = DOCS_SRVsecurity = shareprintcap name = cupsdisable spools= Yesshow add printer wizard = Noprinting = cups[printers]comment = All Printerspath = /var/spool/sambaguest ok = Yesprintable = Yesuse client driver = Yesbrowseable = Yes 18.1.6.1.4. Secure Read/Write File and Print ServerThe following /etc/samba/smb.conf file shows a sample configuration needed to implement a secure read/write file and print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public]. [global]workgroup = DOCSnetbios name = DOCS_SRVsecurity = userprintcap name = cupsdisable spools = Yesshow add printer wizard = Noprinting = cups[homes]comment = Home Directoriesvalid users = %Sread only = Nobrowseable = No[public]comment = Datapath = /exportforce user = docsbotforce group = usersguest ok = Yes[printers]comment = All Printerspath = /var/spool/sambaprinter admin = john, ed, @adminscreate mask = 0600guest ok = Yesprintable = Yesuse client driver = Yesbrowseable = Yes 18.1.6.2. Domain Member ServerA domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares. 18.1.6.2.1. Active Directory Domain Member ServerThe following /etc/samba/smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction. [global]realm = EXAMPLE.COMsecurity = ADSencrypt passwords = yes# Optional. Use only if Samba cannot determine the Kerberos server automatically.password server = kerberos.example.com In order to join a member server to an Active Directory domain, the following steps must be completed: Configuration of the /etc/samba/smb.conf file on the member server Configuration of Kerberos, including the /etc/krb5.conf file, on the member server Creation of the machine account on the Active Directory domain server Association of the member server to the Active Directory domain
To create the machine account and join the Windows 2000/2003/2008 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain. To create an administrative Kerberos ticket, type the following command as root on the member server: kinit [email protected]
The kinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to the Using Kerberos section of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide. To join an Active Directory server (windows1.example.com), type the following command as root on the member server: net ads join -S windows1.example.com -U administrator%password
Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain. Since security = ads and not security = user is used, a local password back end such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain. 18.1.6.2.2. Windows NT4-based Domain Member ServerThe following /etc/samba/smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server. [global]workgroup = DOCSnetbios name = DOCS_SRVsecurity = domain[homes]comment = Home Directoriesvalid users = %Sread only = Nobrowseable = No[public]comment = Datapath = /exportforce user = docsbotforce group = usersguest ok = Yes Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the /etc/samba/smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008, the /etc/samba/smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed. After configuring the /etc/samba/smb.conf file, join the domain before starting Samba by typing the following command as root: net rpc join -U administrator%password
Note that the -S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the /etc/samba/smb.conf file instead of it being stated explicitly. 18.1.6.3. Domain ControllerA domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment. In a Samba environment, there can be only one PDC and zero or more BDCs. Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist. 18.1.6.3.1. Primary Domain Controller (PDC) using tdbsamThe simplest and most common implementation of a Samba PDC uses the new default tdbsam password database back end. Replacing the aging smbpasswd back end, tdbsam has numerous improvements that are explained in more detail in Section 18.1.8, "Samba Account Information Databases". The passdb backend directive controls which back end is to be used for the PDC. The following /etc/samba/smb.conf file shows a sample configuration needed to implement a tdbsam password database back end. [global]workgroup = DOCSnetbios name = DOCS_SRVpassdb backend = tdbsamsecurity = useradd user script = /usr/sbin/useradd -m "%u"delete user script = /usr/sbin/userdel -r "%u"add group script = /usr/sbin/groupadd "%g"delete group script = /usr/sbin/groupdel "%g"add user to group script = /usr/sbin/usermod -G "%g" "%u"add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"# The following specifies the default logon script# Per user logon scripts can be specified in the user# account using pdbedit logon script = logon.bat# This sets the default profile path.# Set per user paths with pdbeditlogon drive = H:domain logons = Yesos level = 35preferred master = Yesdomain master = Yes[homes]comment = Home Directoriesvalid users = %Sread only = No[netlogon]comment = Network Logon Servicepath = /var/lib/samba/netlogon/scriptsbrowseable = Noread only = No# For profiles to work, create a user directory under the# path shown.mkdir -p /var/lib/samba/profiles/john[Profiles]comment = Roaming Profile Sharepath = /var/lib/samba/profilesread only = Nobrowseable = Noguest ok = Yesprofile acls = Yes# Other resource shares ... ... To provide a functional PDC system which uses the tdbsam follow these steps: Use a configuration of the smb.conf file as shown in the example above. Add the root user to the Samba password database. ~]# smbpasswd -a rootProvide the password here.
Start the smb service. Make sure all profile, user, and netlogon directories are created. Add groups that users can be members of. ~]# groupadd -f users~]# groupadd -f nobody~]# groupadd -f ntadmins
Associate the UNIX groups with their respective Windows groups. ~]# net groupmap add ntgroup="Domain Users" unixgroup=users~]# net groupmap add ntgroup="Domain Guests" unixgroup=nobody~]# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command: ~]# net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users. Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX. If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication back end. LDAP is recommended in these cases. 18.1.6.3.2. Primary Domain Controller (PDC) with Active DirectoryAlthough it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller. 18.1.7. Samba Security ModesThere are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes. 18.1.7.1. User-Level SecurityUser-level security is the default setting for Samba. Even if the security = user directive is not listed in the /etc/samba/smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon. In the /etc/samba/smb.conf file, the security = user directive that sets user-level security is: [GLOBAL]...security = user... The following sections describe other implementations of user-level security. 18.1.7.1.1. Domain Security Mode (User-Level Security)In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf file: [GLOBAL]...security = domainworkgroup = MARKETING... 18.1.7.1.2. Active Directory Security Mode (User-Level Security)If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets. In the /etc/samba/smb.conf file, the following directives make Samba an Active Directory member server: [GLOBAL]...security = ADSrealm = EXAMPLE.COMpassword server = kerberos.example.com... 18.1.7.1.3. Server Security Mode (User-Level Security)Server security mode was previously used when Samba was not capable of acting as a domain member server. It is highly recommended to not use this mode since there are numerous security drawbacks. In the /etc/samba/smb.conf, the following directives enable Samba to operate in server security mode: [GLOBAL]...encrypt passwords = Yessecurity = serverpassword server = "NetBIOS_of_Domain_Controller"... 18.1.7.2. Share-Level SecurityWith share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security. In the /etc/samba/smb.conf file, the security = share directive that sets share-level security is: [GLOBAL]...security = share... 18.1.8. Samba Account Information DatabasesThe latest release of Samba offers many new features including new password database back ends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many back ends may not be suitable for production use. The following is a list different back ends you can use with Samba. Other back ends not listed here may also be available. - Plain Text
Plain text back ends are nothing more than the /etc/passwd type back ends. With a plain text back end, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method. -
smbpasswd A popular back end used in previous Samba packages, the smbpasswd back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution. -
ldapsam_compat The ldapsam_compat back end allows continued OpenLDAP support for use with upgraded versions of Samba. This option is normally used when migrating to Samba 3.0. -
tdbsam The new default tdbsam password back end provides an ideal database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam back end includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems. The tdbsam back end is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. -
ldapsam The ldapsam back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, refer to the Red Hat Directory Server 9.0 Deployment Guide. For more information on LDAP, refer to Section 17.1, "OpenLDAP". If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (/usr/share/doc/samba-<version>/LDAP/samba.schema) and the Red Hat Directory Server schema file (/usr/share/doc/samba-<version>/LDAP/samba-schema-FDS.ldif) have changed. These files contain the attribute syntax definitions and objectclass definitions that the ldapsam back end needs in order to function properly. As such, if you are using the ldapsam back end for your Samba server, you will need to configure slapd to include one of these schema file. Refer to Section 17.1.3.3, "Extending Schema" for directions on how to do this. You need to have the openldap-server package installed if you want to use the ldapsam back end.
18.1.9. Samba Network BrowsingNetwork browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood. Inside the Network Neighborhood, icons are represented as servers and if opened, the server's shares and printers that are available are displayed. Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP hostname resolution, other methods such as static files (/etc/hosts) or DNS, must be used. A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet. 18.1.9.1. Domain BrowsingBy default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration (see Section 18.1.4, "Configuring a Samba Server"). 18.1.9.2. WINS (Windows Internet Name Server)Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication. In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS. The following is an example of the /etc/samba/smb.conf file in which the Samba server is serving as a WINS server: [global]wins support = Yes All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts cannot be resolved for the client without WINS. 18.1.10. Samba with CUPS Printing SupportSamba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Red Hat Enterprise Linux, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba. 18.1.10.1. Simple smb.conf SettingsThe following example shows a very basic /etc/samba/smb.conf configuration for CUPS support: [global]load printers = Yesprinting = cupsprintcap name = cups[printers]comment = All Printerspath = /var/spool/sambabrowseable = Nopublic = Yesguest ok = Yeswritable = Noprintable = Yesprinter admin = @ntadmins[print$]comment = Printer Drivers Sharepath = /var/lib/samba/driverswrite list = ed, johnprinter admin = ed, john Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file. The print$ directive contains printer drivers for clients to access if not available locally. The print$ directive is optional and may not be required depending on the organization. Setting browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup. 18.1.11. Samba Distribution ProgramsThe findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version. The following example shows the output of executing findsmb as any valid user on a system: ~]$ findsmbIP ADDR NETBIOS NAME WORKGROUP/OS/VERSION------------------------------------------------------------------10.1.59.25 VERVE [MYGROUP] [Unix] [Samba 3.0.0-15]10.1.59.26 STATION22 [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]10.1.56.45 TREK +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]10.1.57.94 PIXEL [MYGROUP] [Unix] [Samba 3.0.0-15]10.1.57.137 MOBILE001 [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]10.1.57.141 JAWS +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]10.1.56.159 FRED +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]10.1.59.192 LEGION *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]10.1.56.205 NANCYN +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]
The net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003/2008 uses rpc. If the protocol is omitted, net automatically tries to determine it. The following example displays a list the available shares for a host named wakko: ~]$ net -l share -S wakkoPassword:Enumerating shared resources (exports) on remote server:Share name Type Description---------- ---- -----------data Disk Wakko data sharetmp Disk Wakko tmp shareIPC$ IPC IPC Service (Samba Server)ADMIN$ IPC IPC Service (Samba Server)
The following example displays a list of Samba users for a host named wakko: ~]$ net -l user -S wakkoroot password:User name Comment-----------------------------andriusb Documentationjoe Marketinglisa Sales
The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies. The following example displays the IP address of the NetBIOS name trek: ~]$ nmblookup trekquerying trek on 10.1.59.25510.1.56.45 trek<00>
The pdbedit program manages accounts located in the SAM database. All back ends are supported including smbpasswd, LDAP, and the tdb database library. The following are examples of adding, deleting, and listing users: ~]$ pdbedit -a kristinnew password:retype new password:Unix username: kristinNT username:Account Flags: [U ]User SID: S-1-5-21-1210235352-3804200048-1474496110-2012Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077Full Name: Home Directory: \\wakko\kristinHomeDir Drive:Logon Script:Profile Path: \\wakko\kristin\profileDomain: WAKKOAccount desc:Workstations: Mungeddial:Logon time: 0Logoff time: Mon, 18 Jan 2038 22:14:07 GMTKickoff time: Mon, 18 Jan 2038 22:14:07 GMTPassword last set: Thu, 29 Jan 2004 08:29:28GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMTPassword must change: Mon, 18 Jan 2038 22:14:07 GMT~]$ pdbedit -v -L kristinUnix username: kristinNT username:Account Flags: [U ]User SID: S-1-5-21-1210235352-3804200048-1474496110-2012Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077Full Name:Home Directory: \\wakko\kristinHomeDir Drive:Logon Script:Profile Path: \\wakko\kristin\profileDomain: WAKKOAccount desc:Workstations: Mungeddial:Logon time: 0Logoff time: Mon, 18 Jan 2038 22:14:07 GMTKickoff time: Mon, 18 Jan 2038 22:14:07 GMTPassword last set: Thu, 29 Jan 2004 08:29:28 GMTPassword can change: Thu, 29 Jan 2004 08:29:28 GMTPassword must change: Mon, 18 Jan 2038 22:14:07 GMT~]$ pdbedit -Landriusb:505:joe:503:lisa:504:kristin:506:~]$ pdbedit -x joe~]$ pdbedit -Landriusb:505: lisa:504: kristin:506:
The rpcclient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs. The smbcacls program modifies Windows ACLs on files and directories shared by a Samba server or a Windows server. The smbclient program is a versatile UNIX client which provides functionality similar to ftp. smbcontrol <options> <destination> <messagetype> <parameters>
The smbcontrol program sends control messages to running smbd, nmbd, or winbindd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered. The smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password. The smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well. The smbstatus program displays the status of current connections to a Samba server. The smbtar program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible. The testparm program checks the syntax of the /etc/samba/smb.conf file. If your /etc/samba/smb.conf file is in the default location (/etc/samba/smb.conf) you do not need to specify the location. Specifying the hostname and IP address to the testparm program verifies that the hosts.allow and host.deny files are configured correctly. The testparm program also displays a summary of your /etc/samba/smb.conf file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read. For example: ~]$ testparmLoad smb config files from /etc/samba/smb.confProcessing section "[homes]"Processing section "[printers]"Processing section "[tmp]"Processing section "[html]"Loaded services file OK.Server role: ROLE_STANDALONEPress enter to see a dump of your service definitions<enter># Global parameters[global]workgroup = MYGROUPserver string = Samba Serversecurity = SHARElog file = /var/log/samba/%m.logmax log size = 50socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192dns proxy = No[homes]comment = Home Directoriesread only = Nobrowseable = No[printers]comment = All Printerspath = /var/spool/sambaprintable = Yesbrowseable = No[tmp]comment = Wakko tmppath = /tmpguest only = Yes[html]comment = Wakko wwwpath = /var/www/htmlforce user = andriusbforce group = usersread only = Noguest only = Yes
The wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work. 18.1.12. Additional ResourcesThe following sections give you the means to explore Samba in greater detail. 18.1.12.1. Installed DocumentationIn order to use the Samba documentation, first ensure the samba-doc package is installed on your system by running, as root: ~]# yum install samba-doc /usr/share/doc/samba-<version-number>/ - All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. This directory also contains online versions of The Official Samba-3 HOWTO-Collection and Samba-3 by Example, both of which are cited below.
Refer to the following man pages for detailed information specific Samba features: smb.conf
samba
smbd
nmbd
winbind
The Official Samba-3 HOWTO-Collection by John H. Terpstra and Jelmer R. Vernooij; Prentice Hall - The official Samba-3 documentation as issued by the Samba development team. This is more of a reference guide than a step-by-step guide. Samba-3 by Example by John H. Terpstra; Prentice Hall - This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations. Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly - A good resource for novice to advanced users, which includes comprehensive reference material.
18.1.12.3. Useful Websites |
| |
