11.2 Samba
Once you've configured your hostnames, you're ready to provide
services to hosts on the network. To provide printer and file sharing,
Windows uses a facility known as the Server Message Block (SMB). This
same facility is sometimes known as the Common Internet File System
(CIFS), NetBIOS, or LanManager. Thanks to Andrew Tridgell and others,
Linux systems provide support for SMB via a package known as Samba.
Like SMB, Samba lets you:
- Authorize users to access Samba resources
- Share printers and files among Windows, OS/2, Netware, and Unix systems
- Establish a simple name server for identifying systems on your LAN
- Back up PC files to a Linux system and restore them
Samba has proven its reliability and high performance in many
organizations. According to the online survey at
http://www.samba.org/pub/samba/survey/ssstats.html,
Bank of America is using Samba in a configuration that includes about
15,000 clients, and Hewlett-Packard is using Samba in a configuration
that includes about 7,000 clients.
11.2.1 Installing the Samba Server
If you've never installed and configured a network
server, Samba is a good place to begin; its installation and
configuration are generally straightforward.
The Samba server includes the nmbd and smbd programs (which run as
daemons), several utility programs, manpages and other documentation,
and three configuration files: /etc/samba/smbusers,
/etc/samba/smb.conf, and /etc/samba/lmhosts. The smbusers file
associates several user accounts that are special to Samba with Linux
user accounts; for example, it associates the Samba user IDs,
administrator and admin, with root. Generally, you don't need to
change smbusers. Likewise, you don't generally need to revise lmhosts.
You'll learn how to configure the smb.conf file shortly.
The simplest way to install Samba is to select the
Windows File Sharing package group during
system installation. However, if you failed to do so, you can install
Samba by using the Package Management Tool.
Whether or not you installed the Windows File Sharing package group
during system installation, you should ensure that the package
samba-client, associated with the System Tools package group, is also
installed. Finally, to simplify configuration of Samba, you should
install the samba-swat package. Unfortunately, this package does not
appear on the package list provided by the Package Management Tool. To
install it, mount installation CD 2, open a terminal window, and issue
the following command:
redhat-install-packages /mnt/cdrom/RedHat/RPMS/samba-swat-*.rpm
11.2.2 Configuring Samba
The /etc/samba/smb.conf file lets you specify a variety of options
that control Samba's operation. You can edit the file by using your
favorite text editor; however, the Samba Web Administration Tool
(SWAT) lets you view and change options using your web browser, which
is generally much easier than using a text editor. The SWAT tool
verifies the values of parameters you enter and provides online help.
To use SWAT, you must first configure xinetd to launch SWAT when you
request it. To do so, launch the Service Configuration Tool by
choosing Server Settings → Services from the GNOME or KDE menu.
Configure swat and xinetd to run at the current run level and save
your changes. If xinetd is not currently running, start it by
selecting the xinetd entry and clicking Start. The swat service runs
under control of xinetd, so you don't need to start swat. To access
SWAT, first log out of GNOME or KDE and log in again, so that the menu
is reloaded. Then, choose Extras → Samba Configuration from the GNOME
or KDE menu. Doing so launches Mozilla, pointing the browser to port
901 of the local host using the URL http://localhost:901/. Your web
browser will prompt you for a user account and password; specify root
as the user account and give the appropriate password. Figure 11-3
shows SWAT's main menu.
To configure your Samba server, click the following toolbar icons:
- Home: Return to the main menu (shown in Figure 11-3). The main menu
  also provides convenient access to Samba documentation via the links
  in the body of the page.
- Globals: Configure Samba global options, affecting all shares and
  printers.
- Shares: Configure shared files.
- Printers: Configure shared printers.
- Status: View the status of the Samba server.
- View: View Samba's configuration file, /etc/samba/smb.conf.
- Password: Add and delete users and change user passwords.
11.2.2.1 Configuring global variables
To configure global
options, click the Globals button on the toolbar. Figure 11-4 shows the Global Variables page, and Table 11-1 describes the most important options. You can
access additional options by clicking Advanced View. To change an
option, select or type the desired value. When
you've changed all the options you want to change,
click Commit Changes, and the changes take effect.
Table 11-1. Samba's Global Variables

| Option group | Option | Description |
|---|---|---|
| Base | workgroup | The workgroup name displayed when the server is queried by a client. |
| | netbios name | The NetBIOS name by which the server is known. |
| | server string | The text string displayed to describe the server. |
| | interfaces | The IP address(es) of the interface(s) through which Samba should listen. Each IP address is followed by a forward slash and a number that specifies the number of bits that pertain to the network portion of the IP address (usually 24), for example, 192.168.1.0/24. If this option is not set, Samba attempts to locate and automatically configure a primary interface. Samba lets you specify the interface name, rather than an IP address, if you prefer. |
| Security | security | Specifies how Samba authenticates requests for access to shared resources. The default value, user, is helpful when the Samba server and its clients have many common user accounts. The value share can be useful when few common user accounts exist, because it allows users to access shared resources without first logging in to the server. The value server lets another SMB server perform authentication on behalf of the server. The value domain specifies that the host is integrated within a Windows NT domain; it behaves similarly to the value user. You should generally use the default value. |
| | encrypt passwords | Specifies whether Samba will negotiate encrypted passwords, which are expected by Windows NT 4.0 SP3 and later, 98, Me, 2000, and XP. |
| | update encrypted | Allows automatic updating of an encrypted password when a user logs on using a nonencrypted password. This option is useful when migrating to encrypted passwords and should otherwise be set to No. It requires that Encrypt Passwords be set to No. |
| | guest account | The Linux user account used to provide services for guest users. |
| | hosts allow | A list of hosts that can access the server. If not specified, all hosts are permitted access. |
| | hosts deny | A list of hosts that cannot access the server. |
| Browse | os level | Specifies the level at which Samba advertises itself for browse elections. A high number makes it more likely that Samba will be selected as the browser. The value 65 causes clients to prefer Samba to a Windows NT server. The default value is generally acceptable; inappropriately high values may cause browsing problems and may cause NT/2000 servers, and possibly XP servers, to become unstable. |
| | preferred master | Specifies whether Samba is the preferred master browser for its workgroup. Used with domain master = yes to force acceptance of the host as the master browser for its workgroup. |
| | local master | Specifies whether Samba will bid to become the local master browser on a subnet. Generally, the default value is acceptable. |
| WINS | wins server | Specifies the IP address of the WINS server with which Samba should register itself, if any. This item should be specified whenever a network includes an existing WINS server. |
| | wins support | Specifies that Samba should act as a WINS server. Useful when the network includes several subnets. Do not specify this option for multiple systems of a single network. Generally, the default value is acceptable. |

Samba's main configuration file, /etc/samba/smb.conf, is overwritten
by SWAT. The specifications contained in the file are retained and
shown as initial values; however, any comments in the file are
deleted.

You probably won't need to make many changes to Samba's global
variables. Setting the workgroup and netbios name is sufficient for
most users. If your system has more than one network adapter card,
you'll also need to set the interfaces variable. If your network
includes Windows 98/NT/2000/XP clients, you'll need to set encrypt
passwords.

If your system is attached to the Internet—even intermittently—or
otherwise available to untrusted users, you should specify security
options that prevent unauthorized users from accessing your files or
printer. For example, use the hosts allow option to restrict the hosts
allowed to access your Samba server.
You should also place a firewall between your system and the Internet
or other networks on which untrusted users reside. The inexpensive
gateway routers described in Chapter 10 are ideal for this purpose.
11.2.2.2 Configuring file share parameters
To establish and maintain file
shares, use the Shares button on the toolbar. Figure 11-5 shows the Share Parameters page.
Red Hat Linux configures a default share, homes,
which lets Linux users access their Linux /home
directory as a Samba share. You can create a new share by typing its
name and clicking Create Share. To delete a share, choose the share
name from the drop-down list and click Delete Share. To work with an
existing share, choose it from the drop-down list and click Choose
Share. When you click Choose Share, the page shown in Figure 11-6 appears. This page lets you view and change a
variety of share options. Table 11-2 describes the
principal share options. You can access additional options by
clicking Advanced View. As with the global options, you may not need
to change many share options. Likely candidates for change are the
comment, path, and
read only options.
Table 11-2. Samba file share options

| Option group | Option | Description |
|---|---|---|
| Base | comment | The description displayed when the file share is queried by a client. |
| | path | The path that is shared by the server. |
| Security | guest account | Account under which users can connect if they are not otherwise specified. Requires that guest ok be true. |
| | valid users | Specifies users allowed to access the share. |
| | read only | Specifies whether the share can be written or is read-only. |
| | create mask | Specifies the permissions associated with created files, as an inverse value. |
| | directory mask | Specifies the permissions associated with created directories, as an inverse value. |
| | guest ok | Specifies whether guest access (access without a password) is allowed. |
| | hosts allow | A list of hosts that can access the file share. If not specified, all hosts are permitted access. |
| | hosts deny | A list of hosts that cannot access the file share. |
| Browse | browseable | Specifies whether the file share is visible in the list of shares made available by the server. |
| Miscellaneous | available | Specifies whether the share is available; by setting this option to No you can prevent access to the share. |

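
The access-control options described in Tables 11-1 and 11-2 (security, encrypt passwords, hosts allow, guest ok, and read only) can be checked mechanically after SWAT has rewritten smb.conf. The following Python code is an added example, not code from the book or from the Samba project; it parses smb.conf text and reports shares that any host may reach or that guests may use. The function names, the sample shares and addresses, and the finding texts are assumptions made for illustration, and only the option names used in the tables are recognized, not their Samba synonyms.

```python
# Constructed sample (not from the book): [public] is open to guests and
# to every host, while [homes] and [db] are restricted with hosts allow.
SAMPLE_SMB_CONF = """\
[global]
   security = share
   encrypt passwords = no

[homes]
   read only = no
   hosts allow = 192.168.1. 127.

[public]
   path = /srv/public
   guest ok = yes
   Read Only = No

[db]
   hosts allow = 192.168.1.0/24
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {option: value}} with normalised option names.

    Samba ignores case and whitespace in option names, treats lines
    starting with '#' or ';' as comments, and joins backslash-ended lines.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, finding) tuples for risky settings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: no login required"))
    encrypt = glob.get("encryptpasswords")
    if encrypt is not None and encrypt.lower() not in TRUE_VALUES:
        findings.append(("global", "encrypt passwords is off"))
    for share, opts in conf.items():
        if share == "global":
            continue
        # A share falls back to the [global] value, then to Samba's default.
        def get(name, default):
            return opts.get(name, glob.get(name, default))
        if not get("hostsallow", ""):
            findings.append((share, "no hosts allow: any host may connect"))
        if get("guestok", "no").lower() in TRUE_VALUES:
            writable = get("readonly", "yes").lower() not in TRUE_VALUES
            mode = "writable" if writable else "readable"
            findings.append((share, "guest ok: %s without a password" % mode))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SMB_CONF):
        print("[%s] %s" % (section, finding))
```

To audit a live server, pass the contents of /etc/samba/smb.conf to audit() instead of the sample text.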
11.2.2.3 Configuring printer share parameters
You configure printer share parameters in
much the same way you configure shares. Begin by clicking the
Printers toolbar button. You can use the page shown in Figure 11-7 to create a new printer share, delete a
printer share, or modify an existing printer share.
If you select a printer from the drop-down list and click Choose
Printer, the page shown in Figure 11-8 appears.
Table 11-3 describes the available print share
options. You can access additional options by clicking Advanced View.
As with the global options and file share options, you may not need
to change many printer share options. The
comment option is the most likely to be changed.
Table 11-3. Samba print share options

| Option group | Option | Description |
|---|---|---|
| Base | comment | The description displayed when the printer share is queried by a client. |
| | path | Temporary directory for storing files before they are printed. |
| Security | guest account | Account under which users can connect if they are not otherwise specified. Requires that guest ok be true. |
| | guest ok | Specifies whether guest access (access without a password) is allowed. |
| | hosts allow | A list of hosts that can access the printer share. If not specified, all hosts are permitted access. |
| | hosts deny | A list of hosts that cannot access the printer share. |
| Printing | printable | Specifies whether printing is permitted. If this option is set to No, clients may still be able to browse the printer share. |
| | printing | Specifies the type of printer interface used, which determines what commands Samba issues to control the printer; lprng is generally a good choice. |
| Browse | browseable | Specifies whether the printer share is visible in the list of shares made available by the server. |
| Miscellaneous | available | Specifies whether the printer share is available; by setting this option to No, you can prevent access to the printer share. |

11.2.3 Viewing Samba Server Status
The Status button on
SWAT's toolbar lets you view the status of the Samba
server. The page shown in Figure 11-9 shows the
following information about the status of your Samba server:
- The interval at which the page is refreshed, given in seconds
- The version of Samba and the status of the server daemons (smbd and
  nmbd)
- Any active connections
- Any active file and printer shares
- Any open files
Using the controls on the page, you can refresh the contents, set the
auto refresh interval (in seconds), start and stop either daemon, and
kill an active connection.
11.2.4 Viewing Samba Server Configuration
The View button on
SWAT's toolbar lets you view the Samba
server's main configuration file,
/etc/samba/smb.conf (shown in Figure 11-10). By default, the page shows only the basic
configuration options; clicking Full View causes SWAT to display
every configuration option.
11.2.5 Managing Users and Passwords
You can specify user accounts
authorized to access Samba resources by clicking
SWAT's Password toolbar button and accessing the
page shown in Figure 11-11.
The Server Password Management page lets you:
- Change the password associated with a user account (by clicking the
  Change Password button)
- Authorize a user account to access Samba (by clicking the Add New
  User button)
- Delete a user account (by clicking the Delete User button)
- Disable or enable a user account (by clicking the Disable User or
  Enable User buttons, respectively)
The user accounts that you specify on the Server Password Management
page are those that your Samba server recognizes as authorized to
access its resources.
The bottom part of the page, titled Client/Server Password
Management, lets you change the password associated with a user
account on a remote system running Samba or SMB. Changing a password
by using Client/Server Password Management is often more convenient
than logging in to the remote host and using its password change
facility.
11.2.6 Starting and Stopping Samba
If you've
reconfigured Samba, you should restart the smb
service so that the changes take effect. To do so, highlight the
Service Configuration Tool's entry for the
smb service and click Restart.
If you want Samba to start automatically when you boot your system,
use the Service Configuration Tool to associate the
smb service with the current runlevel.
To stop Samba, highlight the Service Configuration
Tool's entry for the smb
service and click Stop.
11.2.7 Troubleshooting Samba
To verify that Samba is working, use the Share Parameters screen to
create a publicly accessible, read-only share. Then, use the Server
Password Management screen to authorize a Linux user account to
access the share. Restart the smb service to make your changes
effective.
On the Windows host, launch the Explorer and choose Tools → Map
Network Drive. The Map Network Drive dialog box appears. Click Connect
using a different username and specify a username and password that
you configured Samba to accept. Click OK to return to the Map Network
Drive dialog box. Specify the hostname and share name in the Folder
textbox by using the Windows convention, \\server\share, where server
is the hostname of your Samba system and share is the name of a share
you created. You'll find more information on using Samba shares in the
next section.
If you can't access the share, consider the following likely reasons:
- Your host firewall is blocking access.
- You specified the wrong username or password.
- The username and password are not the same on the Samba and Windows
  hosts.
- You haven't authorized the user to access Samba.
- Networking isn't properly configured on the Samba or Windows host.
If your host firewall is blocking access, use the Security Level Tool
to customize your firewall, allowing the following ports and
protocols:
137:tcp,138:tcp,139:tcp,445:tcp,137:udp,138:udp,139:udp
If you're unable to find the problem, consult the documentation that
accompanies Samba. In particular, peruse the file DIAGNOSIS.txt, which
resides in the /usr/share/doc/samba-*/docs/textdocs directory or its
equivalent on your system. This file includes a step-by-step procedure
for verifying the operation of your Samba server. When a step fails,
you can consult the file to determine the likely causes and how to go
about fixing the problem. Chances are, you'll be able to administer
Samba without outside help, but if not, you'll find the participants
in the comp.protocols.smb newsgroup to be helpful.
Another resource is O'Reilly's Using Samba, by Robert Eckstein, David
Collier-Brown, and Peter Kelly. Since the book was published under the
Open Publication License (OPL), Using Samba is also available online
in electronic form at http://www.oreilly.com/catalog/samba/.
Like any network server, Samba provides a wealth of options and
facilities. If you thoroughly explore these facilities,
you're likely to break your server. To avoid
problems, you should keep a backup copy of your
/etc/samba/smb.conf file. Doing so can be as
easy as issuing the following command after Samba is up and running:
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
Then, if your server ceases to work, you can restore your old
configuration by issuing the command:
# cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
You'll also need to restart the
smb service.
11.2.8 Samba Client Configuration and Use
Once you've got
your Samba server up and running, you can access it via Windows and
Linux. This section shows you how to access the Samba server and also
how to use your Samba server to create backups of important datafiles
on client systems.
SMB clients are also available for most popular operating systems,
including OS/2 and Mac OS (including Mac OS X). You
shouldn't expect to have trouble getting them to
work with Samba. If your client seems not to work, simply follow the
procedure given earlier in Section 11.2.7.
11.2.8.1 Windows client
Windows
3.11, 9x, Me, and NT—including Windows
2000 and XP, which are updated releases of Windows NT—have
built-in support for the SMB protocol, so systems running these
operating systems can easily access your Samba
server's resources. Under Windows
9x/NT, you can access Samba resources by using
the Windows Explorer. Log on with a user account
that's authorized to access Samba resources, then
click Network Neighborhood, and you should see a subtree that
corresponds to your workgroup. Click that subtree, and you should see
a subtree that corresponds to your Samba server. By expanding the
subtree, you can see the browseable file and printer shares that are
available. You can easily drag and drop files to and from a shared
directory, assuming your user account is permitted the necessary
access.
To use a shared printer, click Start → Settings → Printers and then
double-click Add Printer. The
wizard will guide you through the setup procedure. Simply choose the
Network Printer option and browse to select the desired printer. If
you configured the printer share without the browseable option, you
cannot browse and therefore must type the name of the printer share.
To do so, type two backward slashes, followed by the name of your
Samba server, followed by a single backslash, followed by the name of
the printer share. For example, if you want to access a printer share
named lp on the Samba server known as
SERVER, you'd type \\SERVER\lp.
You can map a file share to a drive letter by using the Tools →
Map Network Drive menu item of the Windows
Explorer. Simply select an available drive letter and type the name
of the file share, which consists of two backward slashes, followed
by the name of your Samba server, followed by a single backslash,
followed by the name of the file share. For example, if you want to
access a file share named db on the Samba server
known as SERVER, you'd type
\\SERVER\db.
If you have difficulty connecting to your Samba server, follow the
procedure given earlier in Section 11.2.7.
11.2.8.2 Linux client
The
Samba package includes a simple SMB client that can access your Samba
server and other SMB servers accessible to your system. To
demonstrate that your client and server are working, log on using a
user account that has Samba authorization and issue the following
command:
$ smbclient -L localhost
You should see a list of the browseable shares available on your
server. To query a different SMB server, issue the following command:
$ smbclient -L server
where server is the name of the SMB server you
want to contact. Rather than logging on using an authorized user
account, you can explicitly specify a user account by using this
command form:
$ smbclient -L server -U userid
To actually access resources via SMB, use the following command form:
$ smbclient 'service' -U userid
where service specifies the name of the SMB host and share and userid
specifies the user account to be used. The name of the SMB host should
be preceded by two backward slashes and followed by one backward
slash; smbclient also accepts forward slashes in their place, which
need no quoting in the shell, for example:
$ smbclient //server/myshare -U billmccarty
If the SMB server accepts your request, the client displays a special
prompt:
smb: dir>
where dir indicates the current working
directory on the SMB server. To download a file from the server,
issue the command:
get file
where file specifies the name of the file to be
downloaded. To upload a file to the server, issue the command:
put file
where file specifies the name of the file. To
list the contents of the current directory, issue the command:
dir
To enter a subdirectory, issue the following command, where
dir specifies the name of the subdirectory:
cd dir
You can return to the parent directory by issuing the command:
cd ..
You can obtain a list of commands by issuing the command help or, to obtain help on a particular
command, by issuing the command:
help command
where command specifies the command that you
need help with. To exit the SMB client, issue the command exit.
You can use the smbprint script included in the
Samba package to print Linux files by using a printer share. However,
you'll probably have to do some tweaking of
configuration files and adjusting of shell scripts to get
smbprint to work.
11.2.8.3 Using the Linux Samba client for file backup and recovery
One of the most
practical uses of the Linux SMB client is creating backup copies of
files stored on a Windows system. To do so, simply share the drive or
directory containing the files you want to back up. Using the Windows
Explorer, right-click the drive or directory, click Properties, click
the Sharing tab, and select the desired share options. Then, access
the share from Linux using smbclient. Once you
have the SMB prompt, move to the directory you want to back up and
issue the SMB tar command:
tar c backup.tar
The syntax of the SMB tar command resembles that of the Linux tar
command, though it supports only a handful of options. When you issue
the SMB tar command with the c option, the files of the current
directory and all its subdirectories will be backed up and stored in
the file backup.tar on your Linux system. Of course, you can specify a
filename other than backup.tar if you wish (although the .tar
extension is required). Once you've created the backup file, you can
write it to a tape, a writable CD-ROM, or other media. If your backup
requirements are meager, it may be sufficient merely to have a copy
of the file on both your Windows and Linux systems.
To restore a backup, move to the directory where you want the files
restored and issue the SMB tar
command:
tar x backup.tar
The SMB client restores each file from the
backup.tar file. Of course, you must have write
access to the shared directory in order to be able to restore
files.