Linux and Samba – A Basic How To

By Dan Evans, LCSNW
begun 4/23/2002
rev. 7/18/2002
rev. 11/4/2002
rev. 5/1/2003
Samba can be used with Linux to provide transparent access between machines running Linux
and machines running Windows. The basic architecture of Samba is that Samba itself runs on a Linux
machine and makes shared files and printers available to Windows machines: the Windows machines
see the shares on the Linux machine in the same way they see shares on other Windows
machines or Windows servers.
Thus, Samba has several practical applications which can generally be categorized as follows:
1. Using a Linux server as a simple peer-to-peer server (i.e., there is no user authentication
involved, no need for passwords, etc.)
2. Using a Linux server as a member server on an existing Windows NT domain that has an
existing domain controller (and relying upon the NT authentication tools to control file
permissions and access)
3. Using a Linux server as a primary domain controller (meaning that no Windows server is
required but full user authentication is provided to control permissions)
Which of these three applications of Samba is used is determined through how Samba is
configured on the Linux machine. This document presents details on configurations for all three
applications.
In all cases you must have Samba installed on the Linux server (use one of the install routines
freely available such as the RPM for a Red Hat distribution). This will install some basic scripts for
controlling Samba as well as the binary daemons smbd and nmbd. On a Red Hat machine, these are
usually installed as the script “smb” in /etc/init.d. In addition, on Red Hat a number of configuration
files are created and stored in the /etc/samba directory. You can then start/stop/restart the Samba
daemons as follows (on Red Hat):
# /etc/init.d/smb [start | stop | restart ]
The Samba logs are normally stored in /var/log/samba as log.smbd and log.nmbd.
The following sections describe how to configure Samba on the Linux server. They do not
describe detailed configuration of Windows machines used as workstations since that configuration is
the same as for a normal Windows network.
These are just samples. It is important to recognize that there are a lot of different ways to
configure and use Samba. There are undoubtedly other configuration files that would accomplish the
same things as the ones listed here, and these might not work in all similar situations. Tweak and test
if at all possible.
Linux and Samba How To
rev. 5/1/03
1
Settings/Issues Common to All Configurations
• The permissions on any shared Linux directory must be set appropriately to provide access. In
general the world-writable attribute should be set for general, public access. This can be done using
the following Linux command (as root):
chmod 0777 <directoryname>
• If using Linux kernel 2.4+, be sure that ipchains/iptables is configured to permit access to ports
137-139 on the Linux server. To modify the firewall settings to allow Samba access using ipchains:
# ipchains -A input -p tcp -s 0/0 -d 0/0 137:139 -j ACCEPT
# ipchains -A input -p udp -s 0/0 -d 0/0 137:139 -j ACCEPT
The above commands can be added in the proper sequence to the ipchains file on the Linux
server (for Red Hat usually at /etc/sysconfig). (??? How to change if using iptables?)
• Install Samba on the Linux machine and turn off the Samba daemons (on Red Hat this is usually done
via /etc/init.d/smb stop).
• Basic configuration of Samba is done in the smb.conf file which (under Red Hat) is located in
/etc/samba. Edit this file with vi or your favorite text editor to make the necessary changes.
• After making changes to smb.conf, test its integrity using testparm and if it is OK, restart Samba:
/etc/init.d/smb restart
• If you want to prevent certain users or groups of users from accessing a Samba share, add something
like the following to the [share] portion of the smb.conf:
invalid users = user1 user2 @group
Adding Users/Setting Passwords
The peer-to-peer configuration does not require the creation of user accounts under Linux but
both of the two other configurations do. For Samba this is basically a two-step process: 1) add a user
to the basic Linux system (with their password), and 2) add the new Linux user to the Samba password
system. Note that if you have any Windows NT or later machines on your network, you must not only
add users but also machines to the Linux and Samba password systems.
Users wanting to access Samba shares on a Linux server usually must have a Linux account in
some fashion. One exception to this is when the Samba share allows for guests (guest ok = yes in
smb.conf). In this case, the user “nobody” will be used by default as the Linux user accessing the files
in the share. Otherwise Samba will try to use the userid active on the accessing Windows machine for
authentication/permissions. Samba actually consults the smbpasswd file (usually in /etc/samba for a
Red Hat installation) to authenticate a user.
Linux users are maintained in the passwd file which is usually stored in /etc. Whenever a user is
added to the Linux system, their userid and various other information about the account are stored in the
/etc/passwd file. Samba does not use /etc/passwd but instead uses /etc/samba/smbpasswd. The
smbpasswd file often is simply a copy of the passwd file but with the passwords encrypted. To create
the smbpasswd file from an existing passwd file, use the following command (as root):
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
Once a user has been added to the /etc/samba/smbpasswd file, their encrypted password can be added to
the file by simply using the command:
# smbpasswd <username>
You will be prompted to enter and then confirm the new password for the user via the above command.
Users can be added manually to the smbpasswd file (instead of using the mksmbpasswd.sh script
listed above) with this command:
# smbpasswd -a <username>
If the Samba share created in smb.conf does not permit guests (e.g., guest ok = no), only
authenticated users will be allowed to access the share. If the Samba server is part of a regular NT
domain, authenticated users must have a regular NT domain account plus they must have an identical
userid on the Linux box and the user must have been added to the smbpasswd file on Linux:
a) Setup the user on the NT domain as normal.
b) Add the user to Linux using the same userid as was used on NT (via the # adduser <userid>
command). DO NOT add/create a password on the Linux machine-- just press <ENTER>
when prompted. (The user will not be able to directly log on to the Linux machine.)
c) Add the user to the Linux/Samba smbpasswd file:
# smbpasswd -a <username>
That's it. Now the user will be able to browse and access Samba shares on the Linux server from a
Windows machine from which they've logged on to the NT domain. As described later, Samba has been
configured to rely upon the domain for authentication (security) and it has been told which machines on
the network contain password data (are domain controllers).
(??? Don’t know what happens, if anything, when the password is changed on the NT server.)
If the Samba server is being set up as a domain controller (a PDC), all of the authentication is
handled on the Linux server itself. In this case, the user is added as a regular Linux user with a
password and then added to the smbpasswd file:
a) Add the user to Linux using the following command:
# adduser -G users -d /path/to/home -c 'First Lastname' -p <password> <username>
The above command adds the user to the Linux security system with the specified username
and password. It also adds them to the group 'users' and creates their home directory.
b) Next add the user to the smbpasswd file using the following command:
# smbpasswd -a <username> <password>
This will add the user to the smbpasswd file along with an encrypted version of their Linux
password.
The two steps above can be handled via a simple script file something along the lines of:
# $1 = username, $2 = password, $3 = full name (quoted, since it contains a space)
useradd -G users -d "/public/$1" -c "$3" -p "$2" "$1"
smbpasswd -a "$1" "$2"
Put the above in a text file and name it something like 'lcsaddme'. Then make 'lcsaddme' executable
(# chmod 0777 lcsaddme) and run it as follows:
# lcsaddme <username> <password> <'First Lastname'>
Note the quotes around the user's full name (because it has a space in it).
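The same two steps, as an added Python example that is not the document's lcsaddme script: it validates the account name before anything is passed to useradd, sets the Linux password through chpasswd (which reads "user:password" on standard input) instead of useradd -p, and hands the Samba password to smbpasswd -s on standard input, so the password never appears on a command line where ps or the root shell history could record it. It also covers the machine accounts that the PDC section later requires (NetBIOS name upper-cased with a trailing "$", lowercase name as the initial password). Assumptions of this example: it runs as root with useradd, chpasswd and smbpasswd on PATH; the /public home directory root, the users group, the /bin/false shell for machine accounts and the -m option that makes useradd create the home directory are choices made here, not settings from the document.

```python
"""Provision a Samba user or machine account without putting the password on
the command line.  Added example, not this document's lcsaddme script."""

from __future__ import annotations

import re
import subprocess

# Constructed naming rule: a POSIX-style login name, optionally ending in "$"
# for a machine (trust) account.  Rejects spaces, slashes and shell
# metacharacters before anything reaches useradd.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,30}\$?$")


def valid_account_name(name: str) -> bool:
    """True if name is safe to hand to useradd/smbpasswd."""
    return bool(_NAME_RE.match(name))


def machine_account(netbios_name: str) -> tuple[str, str]:
    """Derive (account name, initial password) for a Windows workstation,
    following this document's convention: uppercase name plus "$", and the
    lowercase name as the password."""
    base = netbios_name.rstrip("$")
    return base.upper() + "$", base.lower()


def user_plan(username: str, password: str, full_name: str,
              home_root: str = "/public") -> list[tuple[list[str], str | None]]:
    """Commands (argv, stdin text) that add a domain user.

    The password only ever travels over stdin, so it does not show up in
    ps output or the root shell's history as it does with lcsaddme."""
    if not valid_account_name(username) or username.endswith("$"):
        raise ValueError(f"invalid user name: {username!r}")
    if "\n" in password:
        raise ValueError("password may not contain a newline (chpasswd format)")
    return [
        # -m creates the home directory; -c stores the full name (an assumption).
        (["useradd", "-G", "users", "-m", "-d", f"{home_root}/{username}",
          "-c", full_name, username], None),
        (["chpasswd"], f"{username}:{password}\n"),
        # smbpasswd asks for the new password twice; -s reads both from stdin.
        (["smbpasswd", "-a", "-s", username], f"{password}\n{password}\n"),
    ]


def machine_plan(netbios_name: str) -> list[tuple[list[str], str | None]]:
    """Commands that add a workstation's machine account (PDC setup)."""
    account, password = machine_account(netbios_name)
    if not valid_account_name(account):
        raise ValueError(f"invalid machine name: {netbios_name!r}")
    return [
        # No home directory and no login shell: this is only a trust account.
        (["useradd", "-d", "/dev/null", "-s", "/bin/false", account], None),
        (["chpasswd"], f"{account}:{password}\n"),
        (["smbpasswd", "-a", "-m", account], None),
    ]


def run_plan(plan: list[tuple[list[str], str | None]]) -> None:
    """Execute a plan in order; stops at the first failing command."""
    for argv, stdin_text in plan:
        subprocess.run(argv, input=stdin_text, text=True, check=True)


if __name__ == "__main__":
    import getpass
    import sys

    if len(sys.argv) == 4 and sys.argv[1] == "user":
        run_plan(user_plan(sys.argv[2], getpass.getpass("Password: "), sys.argv[3]))
    elif len(sys.argv) == 3 and sys.argv[1] == "machine":
        run_plan(machine_plan(sys.argv[2]))
    else:
        sys.exit("usage: addsmb.py user <name> <'First Lastname'> | machine <netbios-name>")
```

Invoke it as addsmb.py user <username> <'First Lastname'> (the password is prompted for rather than given as an argument) or addsmb.py machine <netbios-name>; the script name is a placeholder.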
(??? There is some discussion on the Web about being able to run NT's “User Manager for Domains” on
a Windows desktop machine attached to a Linux server configured as a PDC. I have not tried this, but
it suggests that you might be able to use “User Manager for Domains” from a Windows machine to
manage the user accounts on the Linux/Samba server.???)
Linux as Peer-to-Peer Server
In this configuration, every Windows machine on the same network as the Linux server will be
able to access and use the Samba shares created on the Linux server, as long as the Windows machine
has the same workgroup name. With this configuration, any SMB-capable machine on the same
network should be able to see (browse to) the Linux+Samba server and see and use the shares. There is
no need to mess with adding users, groups, etc. You won't be able to easily restrict access to
subdirectories under this scenario, but it does provide a quick and easy-to-manage file server
configuration.
Here is a basic smb.conf for this configuration:
[global]
workgroup = myworkgroup    (use whatever name you want)
security = share
keep alive = 30
os level = 34
encrypt passwords = yes
local master = yes
preferred master = yes
netbios name = linuxservername    (use this machine's name)
wins support = yes
name resolve order = wins lmhosts hosts bcast
[netlogon]
path = /opt/local/netlogon    (be sure this directory exists)
guest ok = yes
public = no
writeable = no
browseable = no
[public]
path = /public    (be sure this directory exists)
browseable = yes
guest ok = yes
read only = no
guest only = yes
As described earlier, once the above version of smb.conf has been created, test it with testparm and if
OK, start (or restart) samba (via # /etc/init.d/smb [re]start). If it starts OK, you should now be
able to go to a Windows machine on the local network and browse the network and see the Samba
server with its publicly available shares.
Linux as Member Server
To setup a Linux server running Samba as a member server to an NT domain, the smb.conf should be
similar to:
[global]
workgroup = LSSCE    (this is the NT domain name)
security = domain
password server = CEPDC BUSERVER    (the NT PDC and BDC)
keep alive = 30
encrypt passwords = yes
os level = 2    (keep it low to avoid battles with NT)
local master = no
preferred master = no
netbios name = linuxserver    (name of the Linux machine)
wins support = no
[homes]
comment = home directory
browseable = no
read only = no
create mode = 0750
[test]    (this is for any shares on Linux)
comment = test share on linux server
path = /opt/shares/testshare
browseable = yes
guest ok = no
read only = no
1. Setup lmhosts and hosts on the Linux server to include the NT servers (PDC, BDC). The hosts
file will be in /etc and the lmhosts file will be in /etc/samba under Linux. On the NT servers be
sure to include the Linux server in both files (on an NT server these files will both be in
\winnt\system32\drivers\etc).
2. Add users to the Linux box and create the smbpasswd file and add the Linux users (as
described earlier).
3. Be sure to stop Samba before proceeding (# /etc/init.d/smb stop).
4. On the domain's PDC, add the Linux server via Computer Manager.
5. On the Linux server, join the NT domain via smbpasswd:
# smbpasswd -j <domain> -r <PDC>
6. Start Samba (# /etc/init.d/smb start).
You should now be able to see the Samba server from a Windows machine logged on to the NT domain
and you should be able to access any shares. The Linux machine will now be treated as a full member
server on the NT domain and will rely on the NT domain controllers to handle authentication.
Linux as Primary Domain Controller
Configuring Samba on Linux as the Primary Domain Controller is little different from
configuring it as a member server. The biggest change is in what is contained in the smb.conf file:
[global]
workgroup = lcsrh    (domain name you want to use)
domain logons = yes
security = user
keep alive = 30
encrypt passwords = yes
os level = 34    (or some other high level, > 30)
local master = yes
preferred master = yes
domain master = yes
netbios name = linuxserver    (name of server machine)
wins support = yes
name resolve order = wins lmhosts hosts bcast
logon script = login.bat    (or whatever the file is)
[homes]
comment = home directory
browseable = no
read only = no
create mode = 0750
[test]    (and other shares as desired)
comment = test share on linux server
path = /opt/shares/testshare
browseable = yes
guest ok = no
read only = no
[netlogon]
comment = the domain logon service
path = /opt/samba/logon    (or wherever you want it)
guest ok = yes
public = no
writeable = no
browsable = no
1. Setup lmhosts and hosts on the Linux server to include the Linux server itself. (The hosts file
will be in /etc and the lmhosts file will be in /etc/samba.) In lmhosts be sure to set the
#DOM:<domain> entry on the Linux entry.
2. Add users to the Linux box and create the smbpasswd file and add the Linux users.
3. For every Windows machine running Win NT WS or later (i.e., 2000 or XP) on the network,
you must create a “machine” account on the Linux server. Add the machine by adding it as a
user with a name of the NetBIOS name plus a “$”. For example, if the Windows machine
(NetBIOS) name is “itdirector,” create a user account on the Linux machine with the user
name of “ITDIRECTOR$” and a password of “itdirector”. NOTE: It seems that the case of
these two entries is significant: make the machine name all uppercase and the password all
lowercase. Remember the addition of the “$” at the end of the machine's user name. Here's the
command to do this:
# adduser -d /dev/null -p <machinenamealllowercase> <MACHINENAMEUPPERCASE$>
Next, set up the machine in smbpasswd (all uppercase with the “$”):
# smbpasswd -a -m <machinename>
4. Start Samba (# /etc/init.d/smb start).
You should now be able to go to a Windows machine and configure it for the domain controlled by the
Linux/Samba server. To join the machine to the domain, Windows will require you to provide a
username and password that is authorized on the Linux machine to add another machine: you must use
the username 'root' for this (and the correct password for root). Once the machine has joined the
domain, you will have to reboot it and upon restart it should present a logon prompt for the domain.
Once logged on, the Windows machine should be able to access any shares on the Linux/Samba server.
If a logon script was specified (e.g., to coordinate time, to map shares to drives), it will run during logon.
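A small checker for the three smb.conf variants in this document, as an added example (not part of the original how-to, and not Samba's own testparm): it parses the INI-style file, reports which of the three roles the [global] section selects (security = share for peer-to-peer, security = domain for a member server, security = user with domain logons = yes for the PDC) and lists shares that combine guest ok = yes with write access, which the peer-to-peer [public] share does deliberately and a member or PDC share normally should not. The sample configurations inside it are constructed to mirror the ones above; the parameter synonyms that appear in this document (public/guest ok, writable/writeable, browsable/browseable) are folded together because Samba treats each pair as one parameter.

```python
"""Report which Samba role an smb.conf selects and which shares let guests
write.  Added example, not part of the original how-to and not testparm: it
understands only the INI-style syntax and the parameters used in this document."""

from __future__ import annotations

# smb.conf accepts alternative spellings; map the ones used here to a single
# canonical name so "public" and "guest ok" are recognised as the same setting.
_SYNONYMS = {"public": "guest ok", "writable": "writeable", "browsable": "browseable"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf text into {section name: {parameter: value}}.

    Section and parameter names are lower-cased, whitespace inside parameter
    names is collapsed, and lines starting with ';' or '#' are comments.  When
    a parameter (or a synonym of it) is repeated, the last value wins, which is
    also how Samba reads the file."""
    conf: dict[str, dict[str, str]] = {}
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][_SYNONYMS.get(key, key)] = value.strip()
    return conf


def _flag(value: str | None, default: bool) -> bool:
    """Interpret Samba's yes/true/1 and no/false/0 boolean spellings."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def classify_role(conf: dict[str, dict[str, str]]) -> str:
    """Name the setup [global] describes, using the parameters this document
    varies between its three configurations."""
    g = conf.get("global", {})
    security = g.get("security", "user").strip().lower()
    if security == "share":
        return "peer-to-peer"
    if security == "domain":
        return "member server"
    if security == "user" and _flag(g.get("domain logons"), False):
        return "primary domain controller"
    return "standalone user-level server"


def guest_writable_shares(conf: dict[str, dict[str, str]]) -> list[str]:
    """Shares where guest ok = yes and writing is allowed.

    "writeable" takes precedence when present; otherwise the share is writable
    only if "read only = no".  Samba's default is read only.  [global] is not
    a share and is skipped."""
    hits = []
    for name, p in conf.items():
        if name == "global":
            continue
        writable = _flag(p.get("writeable"), not _flag(p.get("read only"), True))
        if _flag(p.get("guest ok"), False) and writable:
            hits.append(name)
    return hits


# Constructed samples that mirror the three [global] sections in this document.
PEER_TO_PEER = """
[global]
   workgroup = myworkgroup
   security = share
   encrypt passwords = yes
[netlogon]
   path = /opt/local/netlogon
   guest ok = yes
   ; "public" is a synonym of "guest ok", so this later line wins
   public = no
   writeable = no
[public]
   path = /public
   guest ok = yes
   read only = no
   guest only = yes
"""
MEMBER = "[global]\n security = domain\n password server = CEPDC BUSERVER\n[test]\n guest ok = no\n read only = no\n"
PDC = "[global]\n security = user\n domain logons = yes\n[netlogon]\n guest ok = yes\n writeable = no\n[homes]\n read only = no\n"

if __name__ == "__main__":
    for label, text in (("peer-to-peer", PEER_TO_PEER), ("member", MEMBER), ("PDC", PDC)):
        conf = parse_smb_conf(text)
        print(f"{label} sample: role = {classify_role(conf)}, "
              f"guest-writable shares = {guest_writable_shares(conf)}")
```

Run it on /etc/samba/smb.conf after editing and before restarting Samba, alongside testparm. One thing it makes visible: because public is a synonym of guest ok and the last assignment wins, a [netlogon] section that sets guest ok = yes and then public = no ends up with guests disabled, so the checker reports what smbd will actually enforce rather than the first line it sees.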
Printers and Samba
To make a printer available to network users through Samba is fairly straightforward. The first
step is to get the printer installed and working from the Linux machine itself. This can be accomplished
in a number of ways including using GUI tools for adding printers, or using something like HP's
WebAdmin for JetDirect devices/cards, or adding the printer to the Linux /etc/printcap file.
Here's a sample entry in a Red Hat 7.2 /etc/printcap file for an HP LaserJet 4000 with an internal
JetDirect card with the IP address of 10.0.3.11:
hplj4|lj4000:\
    :sh:\
    :sd=/var/spool/lpd/hplj4:\
    :rm=10.0.3.11:\
    :rw:\
    :rp=raw:\
    :lf=/var/log/hplj4-errors:
The above settings require that the folder /var/spool/lpd/hplj4 exist and be owned by user “lp”
but inaccessible to anyone else (chmod 0700). Test the above from the Linux machine using
something similar to the following:
lpr -Phplj4 /etc/samba/smb.conf
If things are configured correctly, the above command should print the /etc/samba/smb.conf file contents
on the HP LaserJet printer at 10.0.3.11.
Once the printer is installed and configured correctly under Linux, it can be added to the Samba
configuration file by adding a section like the following to /etc/samba/smb.conf:
[HPLJ4000]    (whatever name you want it to show)
path=/var/spool/lpd/hplj4    (or whatever path you use for the spool)
printable=yes
print command=/usr/bin/lpr %s
printer=hplj4    (as specified above)
read only=yes
guest ok=yes
printing=lprng    (this is Red Hat 7.2 with lprng)
Once the above entry is made, restart the Samba daemon (/etc/init.d/smb restart) and machines
on the local network should be able to browse and see (and use) the Linux printer.
Printer configuration can get much more complicated and include provisions for loading printer
drivers on the Linux server for automatic installation for any new workstation attaching to the printer.
But the above should provide enough information to at least get a printer attached and working.