Chapter 37. Samba

Chapter 37. Samba¶

Contents

37.1. Terminology
37.2. Starting and Stopping Samba
37.3. Configuring a Samba Server
37.4. Configuring Clients
37.5. Samba as Login Server
37.6. Samba Server in the Network with Active Directorysles
37.7. Migrating a Windows NT Server to Sambasles
37.8. For More Information

Abstract

Using Samba, a Unix machine can be configured as a file and print server for DOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or the configuration file.

37.1. Terminology¶

The following are some terms used in Samba documentation and in the YaST module.

SMB protocol

Samba uses the SMB (server message block) protocol that is based on the NetBIOS services. Due to pressure from IBM, Microsoft released the protocol so other software manufacturers could establish connections to a Microsoft domain network. With Samba, the SMB protocol works on top of the TCP/IP protocol, so the TCP/IP protocol must be installed on all clients.

	IBM System z: NetBIOS Support
IBM System z merely support SMB over TCP/IP. NetBIOS support is not available on these systems.

CIFS protocol

CIFS (common Internet file system) protocol is another protocol supported by Samba. CIFS defines a standard remote file system access protocol for use over the network, enabling groups of users to work together and share documents across the network.

NetBIOS

NetBIOS is a software interface (API) designed for communication between machines. Here, a name service is provided. It enables machines connected to the network to reserve names for themselves. After reservation, these machines can be addressed by name. There is no central process that checks names. Any machine on the network can reserve as many names as it wants as long as the names are not already in use. The NetBIOS interface can now be implemented for different network architectures. An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP.

The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS. NetBIOS uses its own, completely independent naming convention. However, it is recommended to use names that correspond to DNS hostnames to make administration easier. This is the default used by Samba.

Samba server

Samba server is a server that provides SMB/CIFS services and NetBIOS over IP naming services to clients. For Linux, there are two daemons for Samba server: smnd for SMB/CIFS services and nmbd for naming services.

Samba client

Samba client is a system that uses Samba services from a Samba server over the SMB protocol. All common operating systems, such as Mac OS X, Windows, and OS/2, support the SMB protocol. The TCP/IP protocol must be installed on all computers. Samba provides a client for the different UNIX flavors. For Linux, there is a kernel module for SMB that allows the integration of SMB resources on the Linux system level. You do not need run any daemon for Samba client.

Shares

SMB servers provide hardware space to their clients by means of shares. Shares are printers and directories with their subdirectories on the server. It is exported by means of a name and can be accessed by its name. The share name can be set to any name—it does not have to be the name of the export directory. A printer is also assigned a name. Clients can access the printer by its name.

37.2. Starting and Stopping Samba¶

You can start or stop the Samba server automatically during boot or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 37.3.1, “Configuring a Samba Server with YaST”.

To stop or start running Samba services with YaST, use System+System Services (Runlevel). From a command line, stop services required for Samba with rcsmb stop && rcnmb stop and start them with rcnmb start && rcsmb start.

37.3. Configuring a Samba Server¶

A samba server in SUSE Linux Enterprise® can be configured in two different ways: with YaST or manually. Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.

37.3.1. Configuring a Samba Server with YaST¶

To configure a Samba server, start YaST and select Network Services+Samba Server. When starting the module for the first time, the Samba Server Installation dialog starts, prompting you to make just a few basic decisions concerning administration of the server then at the end of the configuration prompts for the password of Samba root. For later starts, the Samba Server Configuration dialog appears.

The Samba Server Installation dialog consists of two steps:

Workgroup or Domain Name: Select an existing name from Workgroup or Domain Name or enter a new one and click Next.
Samba Server Type: In the next step, specify whether your server should act as PDC and click Next.

You can change all settings from Samba Server Installation later in the Samba Server Configuration dialog with the Identity tab.

37.3.1.1. Advanced Samba Configuration with YaST¶

During first start of Samba server module the Samba Server Configuration dialog appears directly after Samba Server Installation dialog. Use it to adjust your Samba server configuration.

After editing your configuration, click Finish to close the configuration.

37.3.1.1.1. Starting the Server¶

In the Start Up tab, configure the start of the Samba server. To start the service every time your system boots, select During Boot. To activate manual start, choose Manually. More information about starting a Samba server is provided in Section 37.2, “Starting and Stopping Samba”.

In this tab, you can also open ports in your firewall. To do so, select Open Port in Firewall. If you have multiple network interfaces, select the network interface for Samba services by clicking Firewall Details, selecting the interfaces, and clicking OK.

37.3.1.1.2. Shares¶

In the Shares tab, determine the Samba shares to activate. There are some predefined shares, like homes and printers. Use Toggle Status to switch between Active and Inactive. Click Add to add new shares and Delete to delete the selected share.

37.3.1.1.3. Identity¶

In the Identity tab, you can determine the domain with which the host is associated (Base Settings) and whether to use an alternative hostname in the network (NetBIOS Host Name). To set expert global settings or set user authentication, for example LDAP, click Advanced Settings.

37.3.1.1.4. Users from Other Domains¶

To enable users from other domains to access your domain, make the appropriate settings in the Trusted Domains tab. To add a new domain, click Add. To remove the selected domain, click Delete.

37.3.1.1.5. Using LDAP¶

In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings.

Find more information about LDAP configuration in Chapter 36, LDAP—A Directory Service.

37.3.2. Web Administration with SWAT¶

An alternative tool for Samba server administration is SWAT (Samba Web Administration Tool). It provides a simple Web interface with which to configure the Samba server. To use SWAT, open http://localhost:901 in a Web browser and log in as user root. If you do not have a special Samba root account, use the system root account.

	Activating SWAT
After Samba server installation, SWAT is not activated. To activate it, open Network Services+Network Services (xinetd) in YaST, enable the network services configuration, select swat from the table, and click Toggle Status (On or Off).

37.3.3. Configuring the Server Manually¶

If you intend to use Samba as a server, install samba. The main configuration file of Samba is /etc/samba/smb.conf. This file can be divided into two logical parts. The [global] section contains the central and global settings. The [share] sections contain the individual file and printer shares. By means of this approach, details regarding the shares can be set differently or globally in the [global] section, which enhances the structural transparency of the configuration file.

37.3.3.1. The global Section¶

The following parameters of the [global] section need some adjustment to match the requirements of your network setup so other machines can access your Samba server via SMB in a Windows environment.

workgroup = TUX-NET

This line assigns the Samba server to a workgroup. Replace TUX-NET with an appropriate workgroup of your networking environment. Your Samba server appears under its DNS name unless this name has been assigned to any other machine in the network. If the DNS name is not available, set the server name using netbiosname=MYNAME. See mansmb.conf for more details about this parameter.

os level = 2

This parameter triggers whether your Samba server tries to become LMB (local master browser) for its workgroup. Choose a very low value to spare the existing Windows network from any disturbances caused by a misconfigured Samba server. More information about this important topic can be found in the files BROWSING.txt and BROWSING-Config.txt under the textdocs subdirectory of the package documentation.

If no other SMB server is present in your network (such as a Windows NT or 2000 server) and you want the Samba server to keep a list of all systems present in the local environment, set the os level to a higher value (for example, 65). Your Samba server is then chosen as LMB for your local network.

When changing this setting, consider carefully how this could affect an existing Windows network environment. First test the changes in an isolated network or at a noncritical time of day.

wins support and wins server

To integrate your Samba server into an existing Windows network with an active WINS server, enable the wins server option and set its value to the IP address of that WINS server.

If your Windows machines are connected to separate subnets and should still be aware of each other, you need to set up a WINS server. To turn a Samba server into such a WINS server, set the option wins support = Yes. Make sure that only one Samba server of the network has this setting enabled. The options wins server and wins support must never be enabled at the same time in your smb.conf file.

37.3.3.2. Shares¶

The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients.

[cdrom]

To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.

Example 37.1. A CD-ROM Share¶

;[cdrom]
;       comment = Linux CD-ROM
;       path = /media/cdrom
;       locking = No

[cdrom] and comment: The entry [cdrom] is the name of the share that can be seen by all SMB clients on the network. An additional comment can be added to further describe the share.
path = /media/cdrom: path exports the directory /media/cdrom.

By means of a very restrictive default configuration, this kind of share is only made available to the users present on this system. If this share should be made available to everybody, add a line guest ok = yes to the configuration. This setting gives read permissions to anyone on the network. It is recommended to handle this parameter with great care. This applies even more to the use of this parameter in the [global] section.

[homes]

The [home] share is of special importance here. If the user has a valid account and password for the Linux file server and his own home directory, he can be connected to it.

Example 37.2. homes Share¶

[homes]
	comment = Home Directories
	valid users = %S
	browseable = No
	read only = No
	create mask = 0640
	directory mask = 0750

[homes]: As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives. The resulting name of the share is the username.
valid users = %S: %S is replaced with the concrete name of the share as soon as a connection has been successfully established. For a [homes] share, this is always the username. As a consequence, access rights to a user's share are restricted exclusively to the user.
browseable = No: This setting makes the share invisible in the network environment.
read only = No: By default, Samba prohibits write access to any exported share by means of the read only = Yes parameter. To make a share writable, set the value read only = No, which is synonymous with writable = Yes.
create mask = 0640: Systems that are not based on MS Windows NT do not understand the concept of UNIX permissions, so they cannot assign permissions when creating a file. The parameter create mask defines the access permissions assigned to newly created files. This only applies to writable shares. In effect, this setting means the owner has read and write permissions and the members of the owner's primary group have read permissions. valid users = %S prevents read access even if the group has read permissions. For the group to have read or write access, deactivate the line valid users = %S.

37.3.3.3. Security Levels¶

To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions:

Share Level Security (security = share): A password is firmly assigned to a share. Everyone who knows this password has access to that share.
User Level Security (security = user): This variation introduces the concept of the user to SMB. Each user must register with the server with his own password. After registration, the server can grant access to individual exported shares dependent on usernames.
Server Level Security (security = server):: To its clients, Samba pretends to be working in user level mode. However, it passes all password queries to another user level mode server, which takes care of authentication. This setting expects an additional parameter (password server).

The selection of share, user, or server level security applies to the entire server. It is not possible to offer individual shares of a server configuration with share level security and others with user level security. However, you can run a separate Samba server for each configured IP address on a system.

More information about this subject can be found in the Samba HOWTO Collection. For multiple servers on one system, pay attention to the options interfaces and bind interfaces only.

37.4. Configuring Clients¶

Clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS via IPX cannot be used with Samba.

37.4.1. Configuring a Samba Client with YaST¶

Configure a Samba client to access resources (files or printers) on the Samba server. Enter the domain or workgroup in the dialog Network Services+Windows Domain Membership. Click Browse to display all available groups and domains, which can be selected with the mouse. If you activate Also Use SMB Information for Linux Authentication, the user authentication runs over the Samba server. After completing all settings, click Finish to finish the configuration.

37.4.2. Windows 9x and ME¶

Windows 9x and ME already have built-in support for TCP/IP. However, this is not installed as the default. To add TCP/IP, go to Control Panel+System and choose Add+Protocols+TCP/IP from Microsoft. After rebooting your Windows machine, find the Samba server by double-clicking the desktop icon for the network environment.


To use a printer on the Samba server, install the standard or Apple-PostScript printer driver from the corresponding Windows version. It is best to link this to the Linux printer queue, which accepts Postscript as an input format.

To use a printer on the Samba server, install the standard or Apple-PostScript printer driver from the corresponding Windows version. It is best to link this to the Linux printer queue, which accepts Postscript as an input format.

37.5. Samba as Login Server¶

In networks where predominantly Windows clients are found, it is often preferable that users may only register with a valid account and password. In a Windows-based network, this task is handled by a primary domain controller (PDC). You can use a Windows NT server configured as PDC, but this task can also be done with the help of a Samba server. The entries that must be made in the [global] section of smb.conf are shown in Example 37.3, “Global Section in smb.conf”.

Example 37.3. Global Section in smb.conf¶

       [global]
       workgroup = TUX-NET
       domain logons = Yes
       domain master = Yes

If encrypted passwords are used for verification purposes—this is the default setting with well-maintained MS Windows 9x installations, MS Windows NT 4.0 from service pack 3, and all later products—the Samba server must be able to handle these. The entry encrypt passwords = yes in the [global] section enables this (with Samba version 3, this is now the default). In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands:

Example 37.4. Setting Up a Machine Account¶

useradd hostname\$
smbpasswd -a -m hostname

With the useradd command, a dollar sign is added. The command smbpasswd inserts this automatically when the parameter -m is used. The commented configuration example (/usr/share/doc/packages/Samba/examples/smb.conf.SuSE) contains settings that automate this task.

Example 37.5. Automated Setup of a Machine Account¶

add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \
-s /bin/false %m\$

To make sure that Samba can execute this script correctly, choose a Samba user with the required administrator permissions. To do so, select one user and add it to the ntadmin group. After that, all users belonging to this Linux group can be assigned Domain Admin status with the command:

     net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin

More information about this topic is provided in Chapter 12 of the Samba HOWTO Collection, found in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf.

37.6. Samba Server in the Network with Active Directory¶

If you run Linux servers and Windows servers together, you can build two independent authentication systems and networks or connect servers to one network with one central authentication system. Because Samba can cooperate with an active directory domain, you can join your SUSE Linux Enterprise Server to Active Directory (AD).

Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. Domain join during installation is covered in Section 3.14.7, “Users”.

To join an AD domain in a running system, proceed as follows:

Log in as root and start YaST.
Start Network Services+Windows Domain Membership.
Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen. Alternately, use Browse to get a list of all available domains and select one.
Figure 37.1. Determining Windows Domain Membership
Check Also Use SMB Information for Linux Authentication to use the SMB source for Linux authentication on your SUSE Linux Enterprise Server.
Click Finish and confirm the domain join when prompted for it.
Provide the password for the Windows Administrator on the AD server and click OK.
Figure 37.2. Providing Administrator Credentials

Your server is now set up to pull in all authentication data from the Active Directory domain controller.

37.7. Migrating a Windows NT Server to Samba¶

Apart from the Samba and LDAP configuration, the migration of a Windows NT server to a SUSE Linux Enterprise Server Samba server consists of two basic steps. First, migrate profiles then migrate accounts.

37.7.1. Preparing the LDAP Server¶

The first step of your migration should be the configuration of the LDAP server. You need to add base DN information and entries for accounts of your software clients with passwords. Detailed information about LDAP configuration is provided in Chapter 36, LDAP—A Directory Service.

It is not necessary to configure it all manually. You can use scripts from smbldap-tools. These scripts are part of the package samba-doc and, after installation of the package, are available in /usr/share/doc/packages/samba/examples/LDAP.

	LDAP and Security
The LDAP administration DN should be an account other than Root DN. To make the network more secure, you can also use a secure connection with TSL.

37.7.2. Preparing the Samba Server¶

Before you start migration, configure your Samba server. Find configuration of profile, netlogon, and home shares in the Shares tab of the YaST Samba Server module. To do the default value, select the share and click Edit.

To add LDAP configuration for your Samba server and the credentials of the LDAP administrator, use the LDAP Settings tab of the YaST Samba Server module. The LDAP administration DN (label Administration DN) and password are essential to add or modify accounts stored in the LDAP directory.

37.7.3. Migrating the Windows Profiles¶

For every profile to migrate, complete these steps:

Procedure 37.1. Migrating a Profile

On your NT4 domain controller, right-click My Computer then select Properties. Select the User Profiles tab.
Select a user profile you to migrate and click it.
Click Copy To.
In Copy Profile, add your new path, for example, c:\temp\profiles.
Click Change in Permitted.
Click Everyone. To close the box, click OK.
To finish saving the profile, click OK.
Copy saved profiles to the appropriate profile directories on your Samba server.

37.7.4. Migrating the Windows Accounts¶

Procedure 37.2. The Account Migration Process

Create a BDC account in the old NT4 domain for the Samba server using NT Server Manager. Samba must not be running.

      net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd net \
        rpc vampire
      -S NT4PDC -U administrator%passwd pdbedit -L

Assign each of the UNIX groups to NT groups:

Example 37.6. Example Script initGroups.sh

 #!/bin/bash #### Keep this as a shell script for future re-use #
       Known domain global groups net groupmap modify ntgroup="Domain Admins"
       unixgroup=root net groupmap modify ntgroup="Domain Users"
       unixgroup=users net groupmap modify ntgroup="Domain Guests"
       unixgroup=nobody # Our domain global groups net groupmap add
       ntgroup="Operation" unixgroup=operation type=d net groupmap add
       ntgroup="Shipping" unixgroup=shipping type=d

Check that all groups are recognized:
```
net groupmap list
```

37.8. For More Information¶

Detailed Samba information is available in the digital documentation. Enter apropos samba at the command line to display some manual pages or just browse the /usr/share/doc/packages/samba directory if Samba documentation is installed for more online documentation and examples. Find a commented example configuration (smb.conf.SuSE) in the examples subdirectory.

The Samba HOWTO Collection provided by the Samba team includes a section about troubleshooting. In addition to that, Part V of the document provides a step-by-step guide to checking your configuration. You can find Samba HOWTO Collection in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf after installing the package samba-doc.

Find detailed information about LDAP and migration from Windows NT or 2000 in /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-*/doc, where * is your smbldap-tools version.