Linux and Samba A Basic How To

Linux and Samba – A Basic How To
By Dan Evans, LCSNW
begun 4/23/2002, rev. 7/18/2002, rev. 11/4/2002, rev. 5/1/2003

Samba can be used with Linux to provide transparent access between machines running Linux and machines running Windows. The basic architecture of Samba is that Samba itself runs on a Linux machine and makes shared files and printers available to Windows machines; the Windows machines see the shares on the Linux machine in the same way they see shares on other Windows machines or Windows servers. Thus, Samba has several practical applications, which can generally be categorized as follows:

1. Using a Linux server as a simple peer-to-peer server (i.e., there is no user authentication involved, no need for passwords, etc.)
2. Using a Linux server as a member server on an existing Windows NT domain that has an existing domain controller (and relying upon the NT authentication tools to control file permissions and access)
3. Using a Linux server as a primary domain controller (meaning that no Windows server is required but full user authentication is provided to control permissions)

Which of these three applications of Samba is used is determined by how Samba is configured on the Linux machine. This document presents details on configurations for all three applications.

In all cases you must have Samba installed on the Linux server (use one of the install routines freely available, such as the RPM for a Red Hat distribution). This will install some basic scripts for controlling Samba as well as the binary daemons smbd and nmbd. On a Red Hat machine, these are usually installed as the script “smb” in /etc/init.d. In addition, on Red Hat a number of configuration files are created and stored in the /etc/samba directory. You can then start/stop/restart the Samba daemons as follows (on Red Hat):

    # /etc/init.d/smb [start | stop | restart]

The Samba logs are normally stored in /var/log/samba as log.smbd and log.nmbd. The following sections describe how to configure Samba on the Linux server. They do not describe detailed configuration of Windows machines used as workstations since that configuration is the same as for a normal Windows network. These are just samples. It is important to recognize that there are a lot of different ways to configure and use Samba. There are undoubtedly other configuration files that would accomplish the same things as the ones listed here, and these might not work in all similar situations. Tweak and test if at all possible.

Linux and Samba How To

rev. 5/1/03

1

Settings/Issues Common to All Configurations

- The permissions on any shared Linux directory must be set appropriately to provide access. In general the world-writable attribute should be set for general, public access (note that this grants read, write and execute access to every account on the Linux machine, so use it only for directories that are meant to be fully public). This can be done using the following Linux command (as root):

    chmod 0777

- If using Linux kernel 2.4+, be sure that ipchains/iptables is configured to permit access to ports 137-139 on the Linux server. To modify the firewall settings to allow Samba access using ipchains:

    # ipchains -A input -p tcp -s 0/0 -d 0/0 137:139 -j ACCEPT
    # ipchains -A input -p udp -s 0/0 -d 0/0 137:139 -j ACCEPT

  The above commands can be added in the proper sequence to the ipchains file on the Linux server (for Red Hat usually at /etc/sysconfig). (??? How to change if using iptables?)

- Install Samba on the Linux machine and turn off the Samba daemons (on Red Hat this is usually done via /etc/init.d/smb stop).

- Basic configuration of Samba is done in the smb.conf file, which (under Red Hat) is located in /etc/samba. Edit this file with vi or your favorite text editor to make the necessary changes.

- After making changes to smb.conf, test its integrity using testparm and, if it is OK, restart Samba:

    /etc/init.d/smb restart

- If you want to prevent certain users or groups of users from accessing a Samba share, add something like the following to the [share] portion of smb.conf:

    invalid users = user1 user2 @group
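The ipchains rules above accept SMB traffic from any source address (-s 0/0). As an added example, not from the original how-to, here is the iptables form of the same rules for 2.4 kernels, limited to an assumed LAN subnet; TCP 445 is added because Windows 2000 and later clients (and Samba 3) also carry SMB on that port, which the 137-139 range alone does not cover. LAN, IPT and samba_fw_rules are this example's own names.

```shell
#!/bin/sh
# Added example (not part of the original how-to): iptables equivalent of the
# ipchains rules, limited to one subnet instead of 0/0.
# LAN: assumed local subnet; replace it with your own.
LAN="${LAN:-192.168.1.0/24}"
# IPT defaults to a dry run that prints the rules; set IPT=iptables and run
# as root to install them.
IPT="${IPT:-echo iptables}"

samba_fw_rules() {
    lan="$1"
    # NetBIOS name, datagram and session services (the 137-139 range the
    # ipchains rules open), UDP and TCP as in those rules
    $IPT -A INPUT -p udp -s "$lan" --dport 137:139 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$lan" --dport 137:139 -j ACCEPT
    # Direct-hosted SMB over TCP 445, used by Windows 2000/XP clients
    $IPT -A INPUT -p tcp -s "$lan" --dport 445 -j ACCEPT
}

samba_fw_rules "$LAN"
```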

Adding Users/Setting Passwords

The peer-to-peer configuration does not require the creation of user accounts under Linux but both of the two other configurations do. For Samba this is basically a two-step process: 1) add a user to the basic Linux system (with their password), and 2) add the new Linux user to the Samba password system. Note that if you have any Windows NT or later machines on your network, you must not only add users but also machines to the Linux and Samba password systems.

Users wanting to access Samba shares on a Linux server usually must have a Linux account in some fashion. One exception to this is when the Samba share allows for guests (guest ok = yes in smb.conf). In this case, the user “nobody” will be used by default as the Linux user accessing the files in the share. Otherwise Samba will try to use the userid active on the accessing Windows machine for authentication/permissions. Samba actually consults the smbpasswd file (usually in /etc/samba for a Red Hat installation) to authenticate a user.


Linux users are maintained in the passwd file, which is usually stored in /etc. Whenever a user is added to the Linux system, their userid and various other information about the account are stored in the /etc/passwd file. Samba does not use /etc/passwd but instead uses /etc/samba/smbpasswd. The smbpasswd file often is simply a copy of the passwd file but with the passwords encrypted. To create the smbpasswd file from an existing passwd file, use the following command (as root):

    # cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

Once a user has been added to the /etc/samba/smbpasswd file, their encrypted password can be added to the file by simply using the command:

    # smbpasswd

You will be prompted to enter and then confirm the new password for the user via the above command. Users can be added manually to the smbpasswd file (instead of using the mksmbpasswd.sh script listed above) with this command:

    # smbpasswd -a

If the Samba share created in smb.conf does not permit guests (e.g., guest ok = no), only authenticated users will be allowed to access the share. If the Samba server is part of a regular NT domain, authenticated users must have a regular NT domain account, they must have an identical userid on the Linux box, and the user must have been added to the smbpasswd file on Linux:

a) Set up the user on the NT domain as normal.
b) Add the user to Linux using the same userid as was used on NT (via the # adduser command). DO NOT add/create a password on the Linux machine -- just press Enter when prompted. (The user will not be able to log on directly to the Linux machine.)
c) Add the user to the Linux/Samba smbpasswd file:

    # smbpasswd -a

That's it. Now the user will be able to browse and access Samba shares on the Linux server from a Windows machine from which they've logged on to the NT domain. As described later, Samba has been configured to rely upon the domain for authentication (security) and it has been told which machines on the network contain password data (are domain controllers). (??? Don’t know what happens, if anything, when the password is changed on the NT server.)

If the Samba server is being set up as a domain controller (a PDC), all of the authentication is handled on the Linux server itself. In this case, the user is added as a regular Linux user with a password and then added to the smbpasswd file:

a) Add the user to Linux using the following command:

    # adduser -G users -d /path/to/home -c 'First Lastname' -p

The above command adds the user to the Linux security system with the specified username and password. It also adds them to the group 'users' and creates their home directory.

b) Next add the user to the smbpasswd file using the following command:

    # smbpasswd -a

This will add the user to the smbpasswd file along with an encrypted version of their Linux password. The two steps above can be handled via a simple script file something along the lines of:

    # lcsaddme: usage is lcsaddme username password "First Lastname"
    # useradd -p expects a crypt(3) hash, so hash the plain password first
    useradd -G users -d "/public/$1" -c "$3" -p "$(openssl passwd -1 "$2")" "$1"
    smbpasswd -a "$1" "$2"

Put the above in a text file and name it something like 'lcsaddme'. Then make 'lcsaddme' executable (# chmod 0777 lcsaddme; 0755 is sufficient, since the script needs to be executable but not writable by everyone) and run it as follows:

    # lcsaddme

Note the quotes around the user's full name (because it has a space in it). (??? There is some discussion on the Web about being able to run NT's “User Manager for Domains” on a Windows desktop machine attached to a Linux server configured as a PDC. I have not tried this, but it suggests that you might be able to use “User Manager for Domains” from a Windows machine to manage the user accounts on the Linux/Samba server.???)

Linux as Peer-to-Peer Server

In this configuration, every Windows machine on the same network as the Linux server will be able to access and use the Samba shares created on the Linux server, as long as the Windows machine has the same workgroup name. With this configuration, any SMB-capable machine on the same network should be able to see (browse to) the Linux+Samba server and see and use the shares. There is no need to mess with adding users, groups, etc. You won't be able to easily restrict access to subdirectories under this scenario, but it does provide a quick and easy-to-manage file server configuration. Here is a basic smb.conf for this configuration:

    [global]
    ; use whatever name you want
    workgroup = myworkgroup
    security = share
    keep alive = 30
    os level = 34
    encrypt passwords = yes
    local master = yes
    preferred master = yes
    ; use this machine's name
    netbios name = linuxservername
    wins support = yes
    name resolve order = wins lmhosts hosts bcast

    [netlogon]
    ; be sure this directory exists
    path = /opt/local/netlogon
    guest ok = yes
    public = no
    writeable = no
    browseable = no

    [public]
    ; be sure this directory exists
    path = /public
    browseable = yes
    guest ok = yes
    read only = no
    guest only = yes

As described earlier, once the above version of smb.conf has been created, test it with testparm and if OK, start (or restart) samba (via # /etc/init.d/smb [re]start). If it starts OK, you should now be able to go to a Windows machine on the local network and browse the network and see the Samba server with its publicly available shares.

Linux as Member Server

To set up a Linux server running Samba as a member server to an NT domain, the smb.conf should be similar to:

    [global]
    ; this is the NT domain name
    workgroup = LSSCE
    security = domain
    ; the NT PDC and BDC
    password server = CEPDC BUSERVER
    keep alive = 30
    encrypt passwords = yes
    ; keep it low to avoid battles with NT
    os level = 2
    local master = no
    preferred master = no
    ; name of the Linux machine
    netbios name = linuxserver
    wins support = no

    [homes]
    comment = home directory
    browseable = no
    read only = no
    create mode = 0750

    ; this is for any shares on Linux
    [test]
    comment = test share on linux server
    path = /opt/shares/testshare
    browseable = yes
    guest ok = no
    read only = no

1. Set up lmhosts and hosts on the Linux server to include the NT servers (PDC, BDC). The hosts file will be in /etc and the lmhosts file will be in /etc/samba under Linux. On the NT servers be sure to include the Linux server in both files (on an NT server these files will both be in \winnt\system32\drivers\etc).
2. Add users to the Linux box and create the smbpasswd file and add the Linux users (as described earlier).
3. Be sure to stop Samba before proceeding (# /etc/init.d/smb stop).
4. On the domain's PDC, add the Linux server via Computer Manager.
5. On the Linux server, join the NT domain via smbpasswd:

       # smbpasswd -j -r

6. Start Samba (# /etc/init.d/smb start)

You should now be able to see the Samba server from a Windows machine logged on to the NT domain and you should be able to access any shares. The Linux machine will now be treated as a full member server on the NT domain and will rely on the NT domain controllers to handle authentication.

Linux as Primary Domain Controller

Configuring Samba on Linux as the Primary Domain Controller is little different from configuring it as a member server. The biggest change is in what is contained in the smb.conf file:

    [global]
    ; domain name you want to use
    workgroup = lcsrh
    domain logons = yes
    security = user
    keep alive = 30
    encrypt passwords = yes
    ; or some other high level, > 30
    os level = 34
    local master = yes
    preferred master = yes
    domain master = yes
    ; name of server machine
    netbios name = linuxserver
    wins support = yes
    name resolve order = wins lmhosts hosts bcast
    ; or whatever the file is
    logon script = login.bat

    [homes]
    comment = home directory
    browseable = no
    read only = no
    create mode = 0750

    ; and other shares as desired
    [test]
    comment = test share on linux server
    path = /opt/shares/testshare
    browseable = yes
    guest ok = no
    read only = no

    [netlogon]
    comment = the domain logon service
    ; or wherever you want it
    path = /opt/samba/logon
    guest ok = yes
    public = no
    writeable = no
    browsable = no
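The three smb.conf files in this document (peer-to-peer, member server, PDC) differ in a handful of [global] settings that have to agree with each other: security, domain logons, the master-browser settings and os level. testparm checks syntax only and will happily accept a member server that also claims to be domain master. The following is an added example, not code from the original how-to: a small POSIX shell/awk checker that reads the [global] section of an smb.conf and reports settings that contradict the role implied by security and domain logons, using the rules given for the three configurations above; smb_global, smb_get and smb_role_check are this example's own names.

```shell
#!/bin/sh
# Added example, not from the original how-to: checks that the [global]
# settings of an smb.conf agree with the role implied by "security" and
# "domain logons", using the rules this document gives for its three
# configurations. testparm checks syntax only; it accepts a member server
# that also claims to be domain master.

# Print "key=value" (lower-cased, trimmed) for every entry in [global].
smb_global() {
    awk -F'=' '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /\[global]/); next }
        g && NF >= 2  { k = $1; v = substr($0, index($0, "=") + 1)
                        gsub(/^[ \t]+|[ \t]+$/, "", k)
                        gsub(/^[ \t]+|[ \t]+$/, "", v)
                        print tolower(k) "=" tolower(v) }' "$1"
}
# Value of one [global] key, or empty if it is not set.
smb_get() { smb_global "$1" | awk -F'=' -v k="$2" '$1 == k { print $2 }'; }

# smb_role_check FILE: print one problem per line; return 1 if any were found.
smb_role_check() {
    f="$1"; n=0
    fail() { echo "$1"; n=$((n + 1)); }
    sec=$(smb_get "$f" security); logons=$(smb_get "$f" "domain logons")
    level=$(smb_get "$f" "os level")
    [ "$(smb_get "$f" "encrypt passwords")" = yes ] ||
        fail "encrypt passwords = yes is needed for NT4 SP3 and later clients"
    case "$sec" in
    share)   # peer-to-peer server: no accounts, so no domain logons
        [ "$logons" != yes ] || fail "security = share cannot serve domain logons" ;;
    domain)  # member server: the NT domain controllers authenticate
        [ -n "$(smb_get "$f" "password server")" ] ||
            fail "security = domain needs password server = <PDC> <BDC>"
        for k in "local master" "preferred master" "domain master"; do
            [ "$(smb_get "$f" "$k")" != yes ] || fail "member server should set $k = no"
        done
        [ "${level:-0}" -le 30 ] || fail "os level $level will fight the NT servers for master browser" ;;
    user)    # PDC when domain logons = yes: Samba authenticates everything
        if [ "$logons" = yes ]; then
            [ "$(smb_get "$f" "domain master")" = yes ] || fail "PDC needs domain master = yes"
            [ "${level:-0}" -gt 30 ] || fail "PDC should use os level > 30 (the how-to uses 34)"
            grep -qi '^[[:space:]]*\[netlogon]' "$f" || fail "PDC needs a [netlogon] share"
        fi ;;
    *) fail "security = '$sec' is not one of share, domain, user" ;;
    esac
    [ "$n" -eq 0 ]
}
```

Run it as `smb_role_check /etc/samba/smb.conf` before testparm; a non-zero exit means at least one problem was printed.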


1. Set up lmhosts and hosts on the Linux server to include the Linux server itself. (The hosts file will be in /etc and the lmhosts file will be in /etc/samba.) In lmhosts be sure to set the #DOM: entry on the Linux entry.
2. Add users to the Linux box and create the smbpasswd file and add the Linux users.
3. For every Windows machine running Win NT WS or later (i.e., 2000 or XP) on the network, you must create a “machine” account on the Linux server. Add the machine by adding it as a user with a name of the NetBIOS name plus a “$”. For example, if the Windows machine (NetBIOS) name is “itdirector,” create a user account on the Linux machine with the user name of “ITDIRECTOR$” and a password of “itdirector”. NOTE: It seems that the case of these two entries is significant: make the machine name all uppercase and the password all lowercase. Remember the addition of the “$” at the end of the machine's user name. Here's the command to do this:

       # adduser -d /dev/null -p

   Next, set up the machine in smbpasswd (all uppercase with the “$”):

       # smbpasswd -a -m

4. Start Samba (# /etc/init.d/smb start)

You should now be able to go to a Windows machine and configure it for the domain controlled by the Linux/Samba server. To join the machine to the domain, Windows will require you to provide a username and password that is authorized on the Linux machine to add another machine: you must use the username 'root' for this (and the correct password for root). Once the machine has joined the domain, you will have to reboot it and upon restart it should present a logon prompt for the domain. Once logged on, the Windows machine should be able to access any shares on the Linux/Samba server. If a logon script was specified (e.g., to coordinate time, to map shares to drives), it will run during logon.

Printers and Samba

To make a printer available to network users through Samba is fairly straightforward. The first step is to get the printer installed and working from the Linux machine itself. This can be accomplished in a number of ways, including using GUI tools for adding printers, using something like HP's WebAdmin for JetDirect devices/cards, or adding the printer to the Linux /etc/printcap file. Here's a sample entry in a Red Hat 7.2 /etc/printcap file for an HP LaserJet 4000 with an internal JetDirect card with the IP address of 10.0.3.11:

    hplj4|lj4000:\
        :sh:\
        :sd=/var/spool/lpd/hplj4:\
        :rm=10.0.3.11:\
        :rw:\
        :rp=raw:\
        :lf=/var/log/hplj4-errors:


The above settings require that the folder /var/spool/lpd/hplj4 exist and be owned by user “lp” but inaccessible to anyone else (chmod 0700). Test the above from the Linux machine using something similar to the following:

    lpr -Phplj4 /etc/samba/smb.conf

If things are configured correctly, the above command should print the /etc/samba/smb.conf file contents on the HP LaserJet printer at 10.0.3.11. Once the printer is installed and configured correctly under Linux, it can be added to the Samba configuration file by adding a section like the following to /etc/samba/smb.conf:

    ; whatever name you want it to show
    [HPLJ4000]
    ; or whatever path you use for the spool
    path = /var/spool/lpd/hplj4
    printable = yes
    ; this is Red Hat 7.2 with lprng
    print command = /usr/bin/lpr %s
    ; as specified above
    printer = hplj4
    read only = yes
    guest ok = yes
    printing = lprng

Once the above entry is made, restart the Samba daemon (/etc/init.d/smb restart) and machines on the local network should be able to browse and see (and use) the Linux printer. Printer configuration can get much more complicated and include provisions for loading printer drivers on the Linux server for automatic installation for any new workstation attaching to the printer. But the above should provide enough information to at least get a printer attached and working.
