[Chapter 10] 10.3 Samba

10.3 Samba

Available since version 3.11 of Microsoft Windows, printer and file sharing are two of Window's most useful features. For example, outfitting each computer in a large office with a laser printer would be quite expensive. But printer sharing lets you reduce the cost of providing every user with printing capability; with printer sharing, each computer system in the office can print to a single printer.

Just as printer sharing lets your computer access a printer attached to another computer, file sharing lets your computer access files stored on another computer. File sharing makes it quick and easy to transfer data from one system to another and avoids the confusion that results when everyone has their own - possibly out of date or inconsistent - copy of important data files they could not otherwise access.

To provide printer and file sharing, Microsoft Windows uses a facility known as SMB (Server Message Block). This same facility is sometimes known as NetBIOS or LanManager. Thanks to Andrew Tridgell and others, Linux systems provide support for SMB via a package known as Samba. Like SMB, Samba lets you:

Share printers and files among Microsoft Windows, OS/2, Netware, and Unix systems
Establish a simple nameserver for identifying systems on your local area network
Backup PC files to a Linux system and restore them
Administer users and passwords

Samba has proven its reliability and high performance in many organizations. According to the online survey at http://www.samba.org/pub/samba/survey/ssstats.html, Bank of America is using Samba in a configuration that includes about 15,000 clients, and Hewlett-Packard is using Samba in a configuration that includes about 7,000 clients.

10.3.1 Samba Server Installation

If you've never installed and configured a network server, Samba's a good place to begin; its installation and configuration are generally simple and straightforward.

Samba includes the smbd program, which runs as a daemon, several utility programs, man pages and other documentation, and the configuration file: /etc/smb.conf. You'll learn how to configure the /etc/smb.conf file in the next subsection.

NOTE: The pending unstable version of Samba places its configuration files in /etc/samba, rather than /etc. If you install a recent version of Samba, you should look in /etc/samba for the Samba configuration files.

10.3.2 Configuring Samba

The /etc/smb.conf file lets you specify a variety of options that control Samba's operation. The install script for Samba establishes a simple /etc/sbm.conf that may meet your requirements.

You can edit the /etc/sbm.conf file to suit your special needs by using your favorite text editor. However, Samba includes a tool called swat that lets you view and change options by using your Web browser, which is generally much easier than using a text editor. The swat tool verifies the values of parameters you enter and provides online help. To access swat, point your browser to port 901 of your system. For example, you can use the URL http://localhost:901/. Your web browser will prompt you for a userid and password; specify root as the userid and give the appropriate password. Figure 10.1 shows swat's main menu, accessed by using the system's IP address in place of its hostname.

Figure 10.1: The Samba main menu

To configure your Samba server, you click on simulated tool bar entries:

Globals lets you configure global Samba variables (options)
Shares lets you configure file shares
Printers lets you configure shared printers
Status lets you view the status of the Samba server
View lets you view the smb.conf file
Password lets you add and delete users and change user passwords

The main menu also provides convenient access to Samba documentation.

10.3.2.1 Configuring global variables

To configure global options, click on the Globals button on the tool bar. Figure 10.2 shows the Global Variables page and Table 10.2 describes the most important options. You can access additional options by clicking on Advanced View. To change an option, select or type the desired value. When you've changed all the options you want to change, click on Commit Changes, which causes the changes to take effect.

Figure 10.2: Samba global variables

Table 10.2: Samba Global Variables
Option group	Option	Description
Base	workgroup	The workgroup name displayed when the server is queried by a client.
	netbios name	The name by which the server is known to the NetBIOS nameserver.
	server string	The text string displayed to describe the server.
Base (cont.)	interfaces	The IP address of the interface or the IP addresses of the interfaces through which Samba should listen. Each IP address is followed by a forward slash and a number that specifies the number of bits that pertain to the network portion of the IP address (usually 24). If this option is not set, Samba attempts to locate and automatically configure a primary interface.
Security	security	Specifies how Samba authenticates requests for access to shared resources. The default value, `user`, is helpful when the Samba server and its clients have many common userids. The value `share` can be useful when few common userids exist. The value `system` lets another SMB server perform authentication on behalf of the server. You should generally use the default value; see the Samba documentation for details.
	encrypt passwords	Specifies whether Samba will negotiate encrypted passwords, which are expected by Windows NT 4.0 SP3 and Windows 98.
	update encrypted	Allows automatic updating of an encrypted password when a user logs on using a non-encrypted password. This option is useful when migrating to encrypted passwords and should otherwise be set `off`.
	map to guest	Specifies Samba's action when a user attempts to log on using an invalid password. The `Bad User` option is generally appropriate.
	guest account	The Linux account used to provide services for guest users.
	hosts allow	A list of hosts that can access the server. If not specified, all hosts are permitted access.
	hosts deny	A list of hosts that cannot access the server.
Logging	log level	An integer that specifies the verbosity of log messages. A low value (such as 0) specifies that few messages are written to the log.
	log file	Specifies the name of Samba's log file.
	max log size	The maximum size of the log file in kilobytes (kb). When the specified size is exceeded, Samba begins a new log file. A value of zero lets the log file grow indefinitely large.
Tuning	read prediction	Specifies whether Samba will attempt to pre-read data from files, in order to speed data transfer. This code is disabled in Samba 2.0.
	socket options	Specifies TCP options that can improve performance. See the Samba documentation for details.
Printing	printcap name	Specifies the name of the printcap file used by the server.
	printing	Specifies how Samba interprets printer status information. Generally, `SYSV` is an appropriate choice for a Linux system.
Logon	logon script	Specifies the path of a BAT file that is downloaded from the server and run when a user logs on to Samba.
	domain logons	Specifies whether Samba will serve Windows 9x domain logons for its workgroup. Note: Samba cannot yet serve Windows NT domain logons, which require a Primary Domain Controller (PDC).
Browse	os level	Specifies the level at which Samba advertises itself for browse elections. A high number makes it more likely that Samba will be selected as the browser. The value 65 will cause clients to prefer Samba to a Windows NT server.
	preferred master	Specifies whether the NetBIOS name server is the preferred master browser for its workgroup.
	local master	Specifies whether the NetBIOS name server will bid to become the local master browser on a subnet.
	domain master	Specifies collation of browse lists across a wide-area network (WAN). May result in strange behavior when a workgroup includes a Windows NT Primary Domain Controller (PDC).
WINS	wins server	Specifies the IP address of the WINS server with which the NetBIOS nameserver should register itself, if any.
	wins support	Specifies that the NetBIOS nameserver should act as a WINS server. Useful when the network includes several subnets. Do not specify this option for multiple systems of a single network.
Locking	strict locking	Specifies whether the server will automatically lock files and check locks when files are accessed. Enabling this option may slow performance.

You probably won't need to make many changes to Samba's global variables. Setting the workgroup and netbios name is sufficient for most users. If your system has more than one network adapter card, you'll also need to set the interfaces variable.

WARNING: If your system is attached to a cable modem or other interface that makes it available to other network users, you should consider specifying security options that prevent unauthorized users from accessing your files or printer. Like other Samba users, the author has had a rogue system (in Pakistan) repeatedly attempt to access his shared files. To ensure that such attempts are unsuccessful, you might (for example) use the hosts allow option to restrict the hosts allowed to access your Samba server.

10.3.2.2 Configuring file share parameters

To establish and maintain file shares, you use the Shares button on the tool bar. Figure 10.3 shows the Share Parameters page.

Figure 10.3: Samba file share parameters

You can create a new share by typing its name and clicking on Create Share. To delete a share, choose it from the drop-down list, and click on Delete Share. To work with an existing share, choose it from the drop-down list, and click on Choose Share. When you click on Choose Share, the page shown in Figure 10.4 appears. This page lets you view and change a variety of share options. Table 10.3 describes the available share options. You can access additional options by clicking on Advanced View. As with the global options, you may not need to change many (if any) share options. Likely candidates for change are the comment, path, read only, and create mask options.

Figure 10.4: Samba file share parameters

Table 10.3: Samba File Share Options
Option Group	Option	Description
Base	comment	The description displayed when the file share is queried by a client.
	path	The path (directory or file) that is shared by the server.
Security	guest account	The Linux account used to provide services for guest users.
	read only	Specifies whether access to the share is read-only.
	create mask	The default mode assigned to a newly created file within a shared directory.
	guest ok	Specifies whether guest access (access without a password) is allowed.
	hosts allow	A list of hosts that can access the file share. If not specified, all hosts are permitted access.
	hosts deny	A list of hosts that cannot access the file share.
Browse	browseable	Specifies whether the file share is visible in the list of shares made available by the server.
Locking	strict locking	Specifies whether the server will automatically lock files and check locks when files are accessed. Enabling this option may slow performance.
Miscellaneous	available	Specifies whether the share is available; by setting this option to "no" you can prevent access to the share.
	volume	The volume label returned for the share.

10.3.2.3 Configuring printer share parameters

You configure printer share parameters in much the same way you configure file shares. Begin by clicking on the Printers tool bar button. The page shown in Figure 10.5 appears. You can use the page to create a new printer share, delete a printer share, or modify an existing printer share.

Figure 10.5: Samba printer parameters

If you select a printer from the drop-down list and click on Choose Printer, the page shown in Figure 10.6 appears. Table 10.4 describes the available print share options. You can access additional options by clicking on Advanced View. As with the global options and file share options, you may not need to change many (if any) printer share options. Likely candidates for change are the comment, path, read only, and create mask options.

Figure 10.6: Samba printer parameters

Table 10.4: Samba Print Share Options
Option Group	Option	Description
Base	comment	The description displayed when the printer share is queried by a client.
	path	The print spooling directory.
Security	guest account	The Linux account used to provide services for guest users.
	guest ok	Specifies whether guest access (access without a password) is allowed.
	hosts allow	A list of hosts that can access the printer share. If not specified, all hosts are permitted access.
	hosts deny	A list of hosts that cannot access the printer share.
Printing	print ok	Specifies whether printing is permitted. If this option is set to "no," clients may still be able to browse the printer share.
Printing (cont.)	printing	Specifies the type of printer interface used, which determines what commands Samba issues to control the printer. "BSD" is generally a good choice.
	printer name	Specifies the name of the printer to which the printer share corresponds; "lp" is generally a good choice.
Browse	browseable	Specifies whether the printer share is visible in the list of shares made available by the server.
Miscellaneous	available	Specifies whether the printer share is available; by setting this option to "no" you can prevent access to the printer share.

10.3.3 Viewing Samba Server Status

The Status button on swat's tool bar lets you view the status of the Samba server. Figure 10.7 shows the page that appears when you click on Status. The page shows:

the status of the server daemons ( smbd and nmbd) and the version of Samba
active connections
active file and printer shares
open files

Using the controls on the page, you can refresh the page contents, set the auto refresh interval, start and stop either daemon, or kill an active connection.

Figure 10.7: Samba status page

10.3.4 Viewing Samba Server Configuration

The View button on swat's tool bar lets you view the Samba server's main configuration file, /etc/smb.conf. Figure 10.8 shows the page that appears when you click on View. By default, the page shows only the basic configuration options; clicking on Full View causes swat to display every configuration option.

Figure 10.8: The Samba /etc/smb.conf file

10.3.5 Managing Users and Passwords

You can create userids for accessing Samba resources by clicking on swat's Password tool bar button. Figure 10.9 shows the Password page that appears.

Figure 10.9: The password page

The top part of the page, titled Server Password Management, lets you:

Create a new userid
Delete a userid
Change the password associated with a userid
Enable or disable a userid

The userids you specify using Server Password Management are those that your Samba server recognizes as authorized to access its resources.

The bottom part of the page, titled Client/Server Password Management, lets you change the password associated with a userid on a remote system running Samba or SMB. Changing a password by using Client/Server Password Management is often more convenient than logging in to the remote host and using its password change facility.

10.3.6 Troubleshooting Samba

Like any network server, Samba provides a wealth of options and facilities. If you thoroughly explore these facilities, you're likely to break your server. To avoid problems, you should keep a backup copy of your /etc/smb.conf file. Doing so can be as easy as issuing the following command after Samba is up and running:

 cp /etc/smb.conf /etc/smb.conf.SAVE

Then, if your server ceases to work, you can restore your old configuration by issuing the command:

 cp /etc/smb.conf.SAVE /etc/smb.conf

You'll also need to restart your system (or at least the Samba daemons).

On the other hand, you may have difficulty in getting Samba to operate correctly in the first place. Or, you may need to change Samba's configuration and therefore be unwilling to simply restore its previous status.

In such cases, you can consult the documentation that accompanies Samba. In particular, peruse the file DIAGNOSIS.txt, which should be in the /usr/doc/ Samba-2.0.3/docs/textdocs directory, or its equivalent on your system. This file includes a step-by-step procedure for verifying the operation of your Samba server. When a step fails, you can consult the file to determine the likely causes and how to go about fixing the problem. Chances are, you'll be able to administer Samba without outside help; but, if you can't, you'll find the participants of the comp.protocols.smb newsgroup to be helpful.

NOTE: Some versions of the Samba package do not include the file DIAGNOSIS.txt. If your system lacks the file, you can obtain it from the Samba web site, http://www.samba.org/.