Contents

Topics

• What is Samba?
• Configuring Samba
• Parameters
• The Global Section
• Shares
• The Homes Section
• The Printers Section
• Example
• Running Samba

Assignment

What is Samba?

The ability to do this is based on the Common Internet File System (CIFS) which is a set of protocols that Microsoft developed and originally called the Server Message Block (SMB). The Samba name can be inferred from there. It is basically a protocol stack that provides an interface between a file system and network I/O, in a manner similar to NFS, but with more capabilities. The underlying structure is SMB running over NetBIOS over TCP.

Samba is a very powerful facility and provides basic services very easily. However, it can be complicated if you want to get involved in various types of permission strategies. It does require an understanding of both Linux and Windows security and access control capabilities. permission

The basic idea is that the Microsoft interoperability protocols are based on running the Server Message Block (SMB) protocol over the NetBIOS protocol over the TCP/IP protocol. This is basically a Remote Procedure Call (RPC) mechanism supporting a distributed management environment. Recently, Microsoft has gone to Direct-hosted TCP, which does away with the NetBIOS layer.

In the SMB world, a share is simply something on one machine which is shareable with the rest of the world within certain constraints. It supports authentication of users and permission checking as well as the basic operations involved in manipulating the things that can be shared, files and printers.

Configuring Samba

The configuration information can be anywhere you want to put it, but the default is /etc/samba. There you will find a number of files:

   lmhosts       smb.conf      smbusers 
   secrets.tdb   smbpasswd
   

lmhosts

   127.0.0.1 locahost
   192.168.0.1 SAMBASERV
   

secrets.tdb

smbusers

bozo = "Bozo Clown"
spanky = "Spanky Clown" "Big Foot"

Note that you can map more than one Windows domain account to a single Linux domain account.

This file will normally contain the following lines. If you don't want to allow any of these users access, be sure and delete or comment out these lines.

root = administrator admin
nobody = guest pcguest smbguest

smbpasswd

smbpasswd		A users sets his/her password.
smbpasswd user		Root sets a users password.
smbpasswd -a user		Root adds a user and sets the password.

Normally, root adds a user and sets an initial password and then the user can change it. This can be done as part of establishing a new account if Samba is widely used, but you should avoid setting some common password for all Samba users.

smb.conf

There are three special sections:

• [global] - any parameters defined here apply to all shares.
• [homes] - connects users to their Linux home directories.
• [printers] - connects users to printers on the Linux host.

Shares always require a password for access unless they are specified as guest services. A Linux guest account is required to define access priviledges for these services.

For example:

Define a share with read only access with the given path.

   [appl]
   comment = Share for executables
   path = /usr/local/appl
   read only = yes
   

Defines a share with write access for every member of the workgroup (public = yes).

   [data]
   comment = Public data upload area
   path = /tmp/userdata
   read only = no
   public = yes
   

This defines a share that allows write access only for members of the group admin and access only for members of admin and grads. All users are mapped to the group users while accessing the share. The list of veto's shows files that will not be made visible to users accessing the share. The modes provide the file and directory permissions to be used for newly created files. browseable allows the share to be browsed by a Windows client.

   [private]
   browseable = yes
   create mode = 0660
   directory mode = 0770
   force group = +users
   path = /home/private
   read only = no
   valid users = +admin +grads
   veto files = /*.com/*.exe/*.scr/*.dll/*.{*}/
   write list = +admin
   

These are only examples and there are actually quite a few possible parameters for a Samba share.

The [global] section

The [global] section could contain any parameter you might find in a share, but it applies to all shares.

The [homes] section

The [homes] section is used to connect users to their home directories. If a request for a share is not found elsewhere in the Samba configuration, the user name is treated as a share name and looked up in the password file. If found, a share is created for that user and file system using the properties given in the [homes] section.

[printers] sections

This section works like [homes] but for printers. If a [printers] section exists, then a printer share type is automatically defined. If a request is made for a share and it is neither explicitly defined nor [homes] share, it is treated as a [printer] name and looked up in the printcap file.

The printers share must be printable and is typically a world-writeable spool directory.

Parameters

Variables

In order to make configuration fit the situation, Samaba defines a set of variables that can be used in parameters:

Variable		Meaning
%S		Name of the current service, if any.
%P		Root directory of current service, if any.
%u		User name of the current service, if any
%g		Group name of %u
%U		Session user name (what client wanted)
%G		Group name of %U.
%H		Home directory of user %u.
%h		Host name samba is running on.
%m		NetBIOS name of the client system.
%L		NetBIOS name of the server system.
%M		DNS name of the client system.
%I		IP address of the client system.
%T		The current date and time.

Name Mangling

DOS and Windows client can't always use full length filenames, so Samba will handle name mangling if desired. The parameters are:

• mangling method = [hash hash2]
  
• mangling case = [yes no]
  
• case sensitive = [yes no]
  
• default case = [upper lower]
  
• preserve case = [yes no]
  
• short preserve case = [yes no]
  

Shares

Here are some examples of shares:

A Public Share

[mypublic]

browseable = yes
public = yes
guest account = smbguest
path = /home/public
writeable = no
hide = /*.com/*.exe/*.scr/*.dll


This share is browseable and allows anonymous logins (no password required) which are logged in as smbguest, which must be a valid user. The path for the data is /home/public and the directory is readable, but not writable. Files ending in .com, .exe, .scr or .dll are not visible (but they could be accessed). If you wanted the same basic setup but with the share writable, you might use this:

A Writable Public Share

[mywrite]

browseable = yes
public = yes
guest account = smbguest
path = /home/public
writeable = yes
hide = /*.com/*.exe/*.scr/*.dll
create mode = 0666
directory mode = 0777


Files are created with permissions rw-rw-rw- and directories with permissions rwxrwxrwx.

If you want to create shares with limited access, you might create a share with these properties:

A Private Share

[privstuf]

browseable = no
public = no
path = /home/private
writeable = no
veto files = /*.com/*.exe/*.scr/*.dll
valid users = +staff bob admin

This is very private and allows only read access for the users who are part of the Linux group staff, bob and admin. veto files similar to hide, but it not only hides the files but also allows no other access (read, execute).

You might also like to create a partially writable share:

A Writable Private Share

[secrets]

browseable = no
public = no
path = /home/secrets
writeable = no
force group = spies valid users = +staff bob admin write list = joanne marshall bob create mode = 0660
directory mode = 0770


Here, the share is not writeable, but the write list gives some users write privileges. Also, the permissions are set so that the owner and the group have access, but not others.

This last point is important. When you create the secrets directory, you will specify an owner and group. When someone accesses the share and creates a file, it will have their normal user and group ownership. For example, suppose you create a user secrets and a group secrets and make that the user and group of /home/secrets. If bob logs in with user = bob and group = bob and creates a file, it will have the correct permissions (rw-rw----), so only bob can access the files. If you want to allow access to other members, you need to specify a default group for anyone logging in to the share. In this case, spies, which has to be created and anyone that logs in to the share is assigned to this group for the session. When bob creates the file, it will be have uid = bob and gid = spies. The permissions would allow read/write access to anyone able to log in.

Of course, if you wanted to allow read access only to non-owners, you can change the create permissions for files to 0640. You can also specify the force group with a + symbol (force group = +staff) so that anyone logging in that is in that group will get their group reassigned to spies, but others (bob and admin) will maintain there normal group assignment. This provides quite a bit of flexibility in providing access to the contents of the share.

There is also a method for forcing a user with the force user parameter. The use of these depends largely on the situation with regard to file access.

The Global Section

Parameter		Meaning		Example
encrypt passwords		Force password encryption		encrypt passwords = yes
guest account		User for a Samba guest		guest account = smbguest
hide unreadable		Hide files that are not readable		hide unreadable = yes
hide dotfiles		Hide files begin with a "."		hide dotfiles = yes
hosts allow		Hosts allowed to connect		hosts allow = 153.90. bug.myisp.net
hosts deny		Hosts not allowed to connect		hosts deny = 172.16.128.0/24
load printers		Automatically load printer list		load printers = yes
log level		Set the logging level (default 0)		log level = 3
log file		Set the log file path		log file = /var/log/samba
netbios name		Set the NetBIOS name which is by default the DNS hostname		netbios name = termites
printcap name		File of printer definitions		printcap name = /etc/printcap
security		Sets the type of client response authentication; this is a complex setting so see the documentation		security = user
server string		The id string displayed by print manager and net view		server string = "My Little System"
smb passwd file		The name of the Samba password file to use		smb passwd file = /etc/smbpasswd
time server		Should nmbd advertise time services		time server = yes
wins support		Should nmbd act as a WINS server; only one in a domain		wins support = no
workgroup		What workgroup your server will appear to be in		workgroup = CLOWNS

For example,

   [global]
   workgroup = MYGROUP       # Where I will be found browsing
   netbios name = MYSERVER   # My external name
   netbios aliases = bugs    # Another name that can be used
   hosts allow = isp.com     # who can connect
   hosts deny =  dog.isp.com # except for
   encrypt passwords = yes   # use encryption a la newer Windows
   log level = 3             # higher level logging
   log file = /var/log/samba # where to log
   hide dotfiles = yes       # don't show filenames beginning with "."
   

The Homes Section

As with [global] any parameter can be used, but a typical [homes] definition might be:

[homes]
comment = Home Directories
browseable = no
writable = yes     # the same as read only = no
create mode = 0640
directory mode = 0750

This simply says that the displayed name for the home directories will be Home Directories when a client queries the server. However, we don't want users to be able to browse home directories as it could be a temptation for potential trouble-makers. Users should be able to write to their directories and the default mode for files created is rw-r----- and the default mode for directories created is rwxr-x---.

If you specify public = yes or guest ok you are giving anyone access to user home directories without a password. If you have a directory for the homes that is not the same as the home directory, you will need to specify it like this:

path = /home/%S/smbshare

So each user has a specific subdirectory where their samba share is located.

The Printers Section

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = no
printable = yes
browseable = no

You need a path for the printer temporary files to be located and it must be world writable. You may or may not want to allow printing by anonymous users, printable must be true and finally, you may or may not want to allow your printers to be browsed.

If you have a BSD-style printing system (lpd, printcap, etc.), this configuration works fine. If you have some other type of printing system, you will have to define your printers explicitly. This might also apply is you want to limit the printers available to Samba to a subset of all printers.

[PublicPrinter]
comment = HP5 in Office
path = /var/spool/samba
public = yes
printable = yes
browseable = yes
printing = CUPS
print command = lpr.cups -P%p %s
lpq command = lpq.cups -P%p
lprm command = lprm.cups -P%p %j


[PrivatePrinter]

comment = Color Oki
path = /var/spool/samba
public = no
printable = yes
browseable = no
valid users = +bosses printing = CUPS
print command = lpr.cups -P%p %s
lpq command = lpq.cups -P%p
lprm command = lprm.cups -P%p %j

Example

Running Samba

netbios-ns 137/udp # NetBIOS name service
netbios-dgm 138/udp # NetBIOS datagram service
netbios-ssn 139/udp # NetBIOS session service

For the time being, direct-hosted services are experimental and probably to be avoided.

To run samba, you need to run two services, smbd and nmbd (name services). These are usually configured automatically in the init.d directory under the smb service where the run as smbd -D and nmbd -D.

So how do you use Samba? There are two major choices: connecting to your Samba shares from a Windows host; connecting to your Samba shares from a Samba server; and connecting to Windows shares from a Samba server.

If you are talking about an up-to-date Windows system (2000, NT, XP), you would access shares by Mapping a Network Drive from the My Computer -> Tools menu. When presented with the opportunity to specify the share, you give the name of the server and the name of the share. For example, if the Linux server is bebop and the share name is alula, you would enter:

\\bebop\alula

One tricky part is to remember that Windows will try to log you into that share (if not a public share) by using the name and password that you used to log into Windows. If you are using a different name or password, choose the Connect using a different user name offering and enter the user name and password you need to connect on the Samba server.

Another way to connect is through the network neighborhood. If you have browsable shares, they should show up in the browse lists. If not, you will have to connect directly using the Mapping a Network Drive from the Network Neighborhood -> Tools menu.

You can also connect directly from a command prompt or a dos window from a Microsoft OS like this:

net use M: \\bebop\alula
   or
net use M: \\bebop\alula mypassword /USER:username

where M: is replaced with the appropriate drive moniker for your situation. Windows remembers passwords unless you turn that service off, so if you connect to a share, it may connect you the next time without having to enter the password. BE CAREFUL if you connect to a share on a system that other use.

To connect to Samba share or a Windows share from a Linux system use the smbclient command. For example

smbclient //bebop/alula
   or
smbclient //bebop/alula -U buddy

Where buddy is a name different than your current login user name. You can enter the password after the share name (also called the service name) or it will ask for you to enter it and it will be unechoed.

smbfs

You can also mount a share as a file system so that all of your normal Linux commands can be used to access the files. The command to use is smbmount and has the syntax:

smbmount service mount-point [options]

For example,

smbmount //bepop/alula /mnt/bepop

Useful options include

username=username		to specify the username for the connection
ro		to make the mount read-only
uid=uid		set uid for the filesystem
gid=uid		set gid for the filesystem
guest		use guest priviledges and no password

Other commands

There are other commands that you might find useful in dealing with Samba including:

testparm		A syntax checker for smb.conf.
testprns		For testing printer names.
smbstatus		To see the current status of any smb connections
nmblookup		To perform NetBIOS queries directly
smbpasswd		To create samba users and passwords

Of particular interest is smbpasswd. Normally, no user can utilize a non-public Samba share unless they have a Samba password. So when a user is given that priviledge, you normally, from root, create an entry like this:

smbpasswd -a username

Which adds user username to the smbpasswd file and prompts for the password. Once in the smbpasswd file, the password can be changed like this:

smbpasswd username

and then entering the new password.

Passwords (users) can be disabled/enabled/deleted with:

smbpasswd -d username
smbpasswd -e username
smbpasswd -x username

and then entering the new password.

Users can also change their own password by simply entering the command as with the passwd command. There are also options to allow users to change their password on remote machines and to specify other user names where appropriate.

Finally, Samba can also be used as a domain controller for a Windows domain. This is just a bit beyond a first pass at Samba.

Assignment