9.3. Using Samba to Share Resources with Windows
NFS and lpd are file and print sharing services for Unix systems, and are both native TCP/IP applications. Microsoft Windows printer and file sharing applications are based on NetBIOS (Network Basic Input Output System). Samba bridges these two worlds, providing file and print sharing for Unix and Windows systems. Samba is the key to integrating Unix and Windows because it allows a Unix system to be a file and print server for Windows clients, or to be a client of a Windows server.
The protocol used between NetBIOS clients and servers is Server Message Block Protocol (SMB). Originally, NetBIOS was a monolithic protocol that took data all the way from the application to the physical network. Today, NetBIOS runs over TCP/IP, which allows NetBIOS applications to run on Unix systems that use TCP/IP.
Two things are needed to run NetBIOS on a TCP/IP network: a protocol to carry NetBIOS data over TCP/IP and a technique to map NetBIOS addresses to TCP/IP addresses. The protocol that transports NetBIOS is NetBIOS over TCP/IP (NBT), which is defined by RFCs 1001 and 1002. Address mapping is handled by a special NetBIOS name server. Samba provides both of these services.
Samba services are implemented as two daemons. The SMB daemon (smbd), the heart of Samba, provides the file and printer sharing services. The NetBIOS name server daemon (nmbd) provides NetBIOS-to-IP-address name service. NBT requires some method for mapping NetBIOS computer names, which are the addresses of a NetBIOS network, to the IP addresses of a TCP/IP network.
Samba is included in most Linux distributions and is installed during the initial system installation. On a Red Hat system, the /etc/rc.d/init.d/smb script runs at boot time, and starts both smbd and nmbd. Samba is not included in Solaris 8, but the software is available for download from the Internet. Go to http://www.samba.org to select your nearest download site.
9.3.1. Configuring a Samba Server
The Samba server is configured by the smb.conf file. Look in the startup script to see where smbd expects to find the configuration file. On a Red Hat system, it is /etc/samba/smb.conf. On a Caldera system, it is /etc/samba.d/smb.conf. The default used in most Samba documentation is /usr/local/samba/lib/smb.conf. Use find or check the startup script so you know where it is on your system.
The smb.conf file is divided into sections. Except for the global section, which defines configuration parameters for the entire server, the sections are named after shares. A share is a resource offered by the server to the clients. It can be either a filesystem or a shared printer.
The best way to learn about the smb.conf file is to look at one. Minus the printers share, which is covered later, the Red Hat smb.conf file contains these active lines:
[global]
    workgroup = MYGROUP
    server string = Samba Server
    printcap name = /etc/printcap
    load printers = yes
    printing = lprng
    log file = /var/log/samba/%m.log
    max log size = 0
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = no
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775
In addition to the options described above, several other parameters are commonly used in the global section; they are shown in Table 9-3.
Table 9-3. Other global section parameters
As the Red Hat sample configuration demonstrates, many servers come preconfigured with reasonable global parameters to begin running a simple server system. In addition to a preconfigured global section, the Red Hat configuration comes with a preconfigured homes section.
The smb.conf homes section
The homes section is a special share section. It tells smbd to permit users to access their home directories through SMB. Unlike other share sections, which we cover later, this section does not tell smbd the specific path of the directory being shared. Instead, smbd uses the home directory from the /etc/passwd file based on the username of the user requesting the share. The configuration parameters in the Red Hat homes section are:
Sharing directories through Samba
To share a directory through Samba, create a share section in smb.conf that describes the directory and the conditions under which it will be shared. To share a new directory named /usr/doc/pcdocs and the /home/research directory used in the NFS examples, add the following two share sections to the sample smb.conf file:
[pcdocs]
    comment = PC Documentation
    path = /usr/doc/pcdocs
    browseable = yes
    writable = no
    public = yes
[research]
    comment = Research Deptment Shared Directory
    path = /home/research
    browseable = no
    writable = yes
    create mode = 0750
    hosts allow = horseshoe,jerboas,crab,rodent
Each share section is labeled with a meaningful name. This name is displayed as a folder in the Network Neighborhood window on client PCs. The example contains some commands we have already covered and a few new commands. The first new command is path, which defines the path of the directory being offered by this share.
The pcdocs share also contains the command public, which grants everyone access, even if they don't have a valid username or password. These public users are granted "guest account" access to the share. On a Linux system, this means they run as user nobody and group nobody and are limited to world permissions.
Files may be written to the research share. The create mode command controls the Unix permissions used when a client writes a file to the share. In the example, the permission 0750 specifies that files will be created as read/write/execute for the owner, read/execute for the group, and no permissions for the world. A related command, directory mode, defines the permission used when a client creates a directory within a share. For example:
    directory mode = 0755
This sets the permissions for new directories to read/write/execute for the owner, read/execute for the group, and read/execute for the world. This is a reasonable setting that allows cd and ls to work as expected.
The research share section also contains a hosts allow command, which defines the clients that are allowed to access this share. Even if a user has the correct username and password, that user is allowed to access this share only from the specified hosts. By default, all hosts are granted access, and specific access is controlled by the username and password.
In addition to the hosts allow command, there is a hosts deny command that defines computers that are explicitly denied access to the share. Its syntax is similar to that of the hosts allow command.
Combining these two new share sections with the section that came with the Red Hat configuration creates a server that provides access to user home directories, to public directories, and to private directories limited to members of a group. This provides the same services as NFS in a manner that is simpler for Microsoft Windows clients to use. Samba can also be used to share printers with Windows clients.
Sharing printers through Samba
Shared printers are configured through the smb.conf file. The Red Hat system comes with a smb.conf file that is preconfigured for sharing printers. The following lines occur right after the global and homes sections in the Red Hat smb.conf file:
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
The printcap and load printers lines in the global section prepare the server to share the printers defined in the printcap file. This printers section makes those printers available to the clients in a manner similar to the way the homes section makes every home directory available to the appropriate user. The Red Hat printers share section contains five parameters.
Three of the parameters, comment, browseable, and path, were explained previously. Here, however, path does not define the path of a shared file. Instead, it defines the path of the spool directory for the SMB printers.
We introduce two new parameters in this configuration, the first of which is printable, which identifies this share as a printer. The default for this option is no, meaning that by default, shares are considered to be file shares instead of printer shares. To create a printer share, set this option to yes. Setting printable = yes permits clients to write printer files to the spool directory defined by the path option. Use a create mode command to limit the permissions of the files created by clients in the spool directory. For example, create mode = 0700.
The other new line, guest ok, defines whether or not guest accounts are permitted access to the resource. This is exactly the same as the public option discussed earlier, so these two options are used interchangeably. no means that the user nobody cannot send a print job to the printer. A user must have a valid user account to use the printer. This is designed to prevent guest users from abusing the printer, but it is also useful to have a valid username for sorting out print jobs if you use banner pages and accounting on the server.
Generally, a print server offers all of its printers to all of its clients. However, individual share sections can be created for each printer in the same way that they are created for file sharing. If you don't want to share every printer, remove the printers section, set the load printers option to no, and add individual share sections for just those printers that you want to share.
An smb.conf file with a share section for a specific printer might contain:
[global]
    workgroup = BOOKS
    server string = Print Server
    load printers = no
    security = user
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[hp5m]
    comment = PostScript Laser Printer
    path = /var/spool/samba
    browseable = no
    public = no
    create mode = 0700
    printable = yes
    printer = lp
This sample file has no printers section. Instead, a share section named hp5m is added that shares a printer named lp. The printer name must be found in the printcap file for this to work. The printcap option is allowed to default to /etc/printcap.
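The access-related share parameters covered in this section (public and its synonym guest ok, writable, hosts allow, create mode and directory mode) can be reviewed mechanically before a configuration goes live. The following Python script is an added example, not part of the original text or of Samba; its sample file is constructed from the shares shown above, and it reads only the parameter spellings used on this page.

```python
# Added example. SAMPLE is constructed from the share sections shown on this page.
SAMPLE = """\
[global]
   security = user
[homes]
   writable = yes
[pcdocs]
   public = yes
[research]
   writable = yes
   create mode = 0750
   hosts allow = horseshoe,jerboas,crab,rodent
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names lowercased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def mode_string(octal):  # "0750" -> "rwxr-x---"
    bits = int(octal, 8)
    return "".join(c if bits & (0o400 >> i) else "-" for i, c in enumerate("rwxrwxrwx"))

def audit(sections):
    """Return (share, finding) pairs for settings that widen access to a share."""
    findings = []
    for name, p in sections.items():
        if name == "global":
            continue
        guest = p.get("public", p.get("guest ok", "no")).lower() in YES
        writable = p.get("writable", "no").lower() in YES
        if guest:
            findings.append((name, "guest access: no valid account required"))
        if writable and "hosts allow" not in p:
            findings.append((name, "writable with no hosts allow restriction"))
        for key in ("create mode", "directory mode"):
            if key in p and int(p[key], 8) & 0o002:
                findings.append((name, f"{key} {p[key]} = {mode_string(p[key])}, world-writable"))
    return findings

if __name__ == "__main__":
    print(*(f"[{s}] {f}" for s, f in audit(parse_smb_conf(SAMPLE))), sep="\n")
```

Against the sample, it reports homes as writable from any host and pcdocs as open to guest users; research passes because it is limited by hosts allow and its create mode grants nothing to the world.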
9.3.2. NetBIOS Name Service
The NetBIOS name server daemon (nmbd) is the part of the basic Samba software distribution that turns a Unix server into a NetBIOS name server (NBNS). nmbd can handle queries from LanManager clients, and it can be configured to act as a Windows Internet Name Server (WINS).
The NetBIOS name server is generally started at boot time with the following command:
When started with the -D option, nmbd runs continuously as a daemon listening for NetBIOS name service requests on port 137. The server answers requests using registration data collected from its clients and the NetBIOS name-to-address mappings it has learned from other servers.
The lmhosts file is used to manually map addresses when that is necessary. Most WINS servers do not need an lmhosts file because the servers learn address mappings dynamically from clients and other servers. NetBIOS names are self-registered; clients register their NetBIOS names with the server when they boot. The addresses and names are stored in the WINS database, wins.dat. The lmhosts file is only a small part of the total database.
The lmhosts file is similar to the hosts file described in Chapter 4, "Getting Started". Each entry begins with an IP address that is followed by a hostname. However, this time, the hostname is the NetBIOS name. Here is a sample lmhosts file:
$ cat /etc/lmhosts
172.16.12.3 horseshoe
172.16.12.1 crab
172.16.12.2 rodent
172.16.12.4 jerboas
Given this lmhosts file, the NetBIOS name rodent maps to IP address 172.16.12.2. Notice that these NetBIOS names are the same as the TCP/IP hostnames assigned to these clients. Use the same hostnames for both NetBIOS and TCP/IP. Doing otherwise limits configuration choices and creates confusion.
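The advice to keep NetBIOS names identical to TCP/IP hostnames can be checked by comparing lmhosts against the hosts file. The following Python script is an added example, not part of the original text: LMHOSTS repeats the sample above, HOSTS is constructed (including the example.com domain and one deliberately wrong address), and the check also enforces the 15-character limit on NetBIOS names.

```python
# Added example. Both file bodies are constructed; LMHOSTS repeats this page's sample.
LMHOSTS = """\
172.16.12.3 horseshoe
172.16.12.1 crab
172.16.12.2 rodent
172.16.12.4 jerboas
"""
HOSTS = """\
127.0.0.1    localhost
172.16.12.1  crab.example.com crab
172.16.12.2  rodent.example.com rodent
172.16.12.3  horseshoe.example.com horseshoe
172.16.12.14 jerboas.example.com jerboas   # constructed mismatch
"""

def parse_hosts(text):
    """Map every name and alias in a hosts file to its IP address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comment
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def parse_lmhosts(text):
    """Map NetBIOS names to IP addresses, dropping any '#xx' name-type suffix."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[1].split("#", 1)[0].lower()] = fields[0]
    return table

def compare(lmhosts, hosts):
    """Return sorted (name, problem) pairs where the two name spaces disagree."""
    problems = []
    for name, ip in lmhosts.items():
        if len(name) > 15:
            problems.append((name, "longer than the 15 characters a NetBIOS name allows"))
        if name not in hosts:
            problems.append((name, "NetBIOS name has no matching TCP/IP hostname"))
        elif hosts[name] != ip:
            problems.append((name, f"lmhosts says {ip}, hosts says {hosts[name]}"))
    return sorted(problems)

if __name__ == "__main__":
    for name, problem in compare(parse_lmhosts(LMHOSTS), parse_hosts(HOSTS)):
        print(f"{name}: {problem}")
```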
Copyright © 2002 O'Reilly & Associates. All rights reserved.