Samba - An Introduction

Volker Lendecke, Stefan Wintermeyer, Frank Lemser, Edith Parzefall

With the program package Samba you can convert any UNIX machine into a powerful file and print server for DOS, Windows and OS/2 machines. The Samba-Project is run by the SAMBA TEAM and was originally developed by the Australian ANDREW TRIDGELL. Since its beginnings in 1991, Samba has proven to be a stable and reliable product which has made its way into the business environment, serving as a supplement to, or even a replacement for Windows NT servers.

Samba has now become a fully-fledged and rather complex product. We cannot cover all the details here, but just present an overview. In /usr/share/doc/packages/samba you can find many documents that will help you build complex network solutions with Samba. Samba's configuration file /etc/smb.conf has its own manpage (man smb.conf).

Samba uses the SMB protocol (Server Message Block) from the company Microsoft, which is based on the NetBIOS services. Due to pressure from the company IBM, Microsoft released the protocol so that other software manufacturers could establish connections to a Microsoft domain network. Samba runs the SMB protocol on top of the TCP/IP protocol, so the TCP/IP protocol must also be installed on all clients.

Please note: No Installation Support can be provided for a Samba connection but we would be pleased to help in the context of our Business Support.

Clients

All standard operating systems, such as DOS, Windows and OS/2, support the SMB protocol. The TCP/IP protocol must be installed on all computers. Samba can also be used with all the various UNIX "flavours". SMB servers provide disk space to their clients by means of so-called "shares". Here, a share includes a directory and its subdirectories. It is exported under a name and can be accessed by that name. The share name can be chosen freely; it does not have to be the name of the exported directory. A printer is also assigned a name. Clients can access the printer by its name.

Installation and Configuration of the Server

First the package samba from series n should be installed. By setting the variable <START_SMB> to the value yes in the file /etc/rc.config, the SMB services are started when the computer is booted. The services can be started manually with rcsmb start, and with rcsmb stop the services can be stopped. The main configuration file of Samba is /etc/smb.conf. Here the entire service is configured. It is divided into two separate sections. In the so-called [global] section the central and general settings are made. The second section is the [share] section. Here the directories are released on a user-dependent basis and the file and directory permissions are set. If a specific value from the [share] section is to be made valid for all shares, this can be taken over into the [global] section, which thus makes it valid for all shares system-wide. This saves some work for the over-strained system administrator.

To demonstrate, there is an smb.conf. It will be explained below.

Annotation

workgroup = arbeitsgruppe
Like any Windows machine, Samba is assigned to a work group, under which it can be seen in the "network environment". workgroup is the default work group for Windows for Workgroups.
guest account = nobody
Samba needs a user name that is listed in /etc/passwd and that only has limited permissions for certain tasks. If public shares (parameter public = yes) are defined, all operations are executed with this user ID. Even if no public share is defined, the guest account parameter has to be defined in order for the Samba machine to appear in the networking environment.
keep alive = 30
Windows machines tend to crash from time to time. If they leave open connections behind, the server may notice this only much later. If you do not want Samba to waste resources, you can tell it to check whether the client is still alive by setting keep alive = 30.
os level = 2
The parameter os level = 2 specifies that Samba provides browser services to WfW and Windows 95. If there is an NT machine on the network, Samba will not provide these services itself, but use the NT machine.
kernel oplocks = false
Unfortunately, since Linux currently does not support so-called opportunistic locking via the kernel, the value kernel oplocks = false has to be set.
security = user
See section on security levels.

The entry [cdrom] is the directory name which can be seen from outside. With this name the directory is exported to the network environment. It can be reached by all users in the network, since guest ok = yes.

The so-called [home] share is of special importance here. If the user has a valid account and password for the Linux file server as well as his own home directory, then he can be connected to this.

path = /cdrom
The directory /cdrom is exported by means of path.
comment = Linux CD-ROM
Every share with SMB servers can be provided with a comment describing the share.
browsable = yes
This setting enables the share cdrom to be visible in the network environment.
read only = yes
By default, Samba prohibits write access on exported shares. Users logged in should have permission to write in their home directories, so read only = no has to be set.
create mode = 750
Windows machines do not understand the concept of UNIX permissions. Thus they cannot assign permissions when creating a file. The parameter create mode assigns what permissions are to be used when a new file is created. This, of course, only applies to shares with write-permissions.
public = yes
Guest users have access to this share. It does not request a password! The user simply appears as user nobody.

Security Levels

The SMB protocol comes from the DOS/Windows world and directly takes into consideration the problem of security. Each share access can be protected with a password. SMB has three possible ways of achieving this:

Share Level Security:
In Share Level Security a password is firmly allocated to a share. Everyone who knows this password has access to that share.
User Level Security:
This variation introduces the concept of the user in the SMB. Each user must register with the server, with his own password. After registering, the server can grant access to individual exported shares independently of user names.
Server Level Security:
Samba insists that its clients work in User Level Mode. However, it passes on all password queries to another User Level Mode Server, which takes care of authentication. This setting expects a further parameter (password server =).

The differentiation between share, user and server level security must be made for the entire server. It is not possible to export some shares by Share Level Security and others by User Level Security. For further information on this subject, please read the file /usr/share/doc/packages/samba/textdocs/security_level.txt.
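
An added example, not part of the original article: a small Python audit that reads an smb.conf and reports the guest-access and security-level settings described above. The [scratch] share, its path and the finding texts are hypothetical; the sample file is constructed from the parameters annotated on this page, and the read only = yes default follows the page's statement that Samba prohibits write access by default.

```python
import re

# Constructed sample: the page's annotated parameters plus a hypothetical
# writable guest share ([scratch], /srv/scratch) so the audit has a finding.
SAMPLE = """\
[global]
   guest account = nobody
   security = user
[cdrom]
   path = /cdrom
   read only = yes
   public = yes
[scratch]
   path = /srv/scratch
   guest ok = yes
   read only = no
   create mode = 777
"""
TRUE = {"yes", "true", "1"}
SYNONYM = {"public": "guest ok", "create mode": "create mask"}  # Samba synonyms

def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lowercased."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())  # collapse inner whitespace
            section[SYNONYM.get(key, key)] = value
    return conf

def audit(text):
    """Return (section, finding) pairs for guest access and security level."""
    conf, findings = parse(text), []
    glob = conf.pop("global", {})  # [global] values act as share defaults
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "share-level security: one password per share"))
    for name, share in conf.items():
        opt = lambda key, default: share.get(key, glob.get(key, default)).lower()
        if opt("guest ok", "no") in TRUE:
            writable = opt("read only", "yes") not in TRUE
            findings.append((name, "guest access, writable" if writable else "guest access, read-only"))
        if int(opt("create mask", "0"), 8) & 0o002:
            findings.append((name, "create mask makes new files world-writable"))
    return findings
```

Calling audit(open("/etc/smb.conf").read()) applies the same checks to a real configuration file.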

For simple administration tasks with the Samba server there is also the program swat. It provides a simple web interface with which you can conveniently configure the Samba server. In a Web browser, call up http://localhost:901 and log in as user root. Please note that swat is also activated in the files /etc/inetd.conf and /etc/services. Further information on swat can be found in the manpage for swat (man swat).

Samba as Registration Server

In networks where predominantly Windows clients are to be found, it is often preferable that users may only register with a valid account and password. This can be brought about with the help of a Samba server. In a pure Windows network, a Windows NT server takes on this task. This is configured as a so-called Primary Domain Controller (PDC). The following entries must be made in the [global] section of the smb.conf.

[global]
  workgroup = TUI-NET
  domain logons = yes
  domain master = yes

If encrypted passwords are used for verification purposes, then the Samba server must be configured so that it can handle these. For this, you have to make the entry encrypt passwords = yes in the [global] section. In addition it is necessary to prepare user accounts and passwords in a Windows-conform encryption format. This is done with the command smbpasswd -a name. Since, in accordance with the Windows NT domain concept, the computers themselves need a domain account, this is created with the following commands:

  useradd -m machinename\$
  smbpasswd -a -m machinename

With the useradd command a dollar sign, masked by a backslash, is added. The command smbpasswd includes this automatically when the -m parameter is used.

Installation of Clients

First it should be mentioned that clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS via IPX are not available at the moment. Since TCP/IP is becoming more and more popular, even with Novell and Microsoft, it is not certain whether this is going to change in the near future.

Windows 95/98

Windows 95/98 already has built-in support for TCP/IP. As with Windows for Workgroups, however, this is not installed as the default. To add TCP/IP, go to `Control Panel', `System' and choose `Add', `Protocols' `TCP/IP from Microsoft'. Be sure to enter your network address and network mask correctly (see Section 5 page 149)! After re-booting your Windows machine you will find the properly configured samba server in networks (double-click on the network icon on your desktop).

To use a printer on the samba server, you should install the standard, or Apple-PostScript printer driver from the corresponding Windows version; it is best to link this to the Linux printer queue, which includes an automatic apsfilter recognition.

Detailed instructions about the installation of Windows 95/98 clients will be described in the next sequel on the samba topic.

Optimization

It should first be pointed out here that Samba, in its default version, is prepared for handling a Windows NT server. It is therefore actually not necessary to carry out optimizations, since the many tuning options only result in a minimal difference in terms of speed. The standard configuration in /etc/smb.conf is of course not tuned to every network and the way the network is used, so that this can also be optimized. Since this fine-tuning is dependent on many factors, no universal solution can be provided. You should therefore look at the help files and the many tips on optimization in the files /usr/share/doc/packages/samba/textdocs/Speed.txt and /usr/share/doc/packages/samba/textdocs/Speed2.txt.

Linux is a registered trademark of Linus Torvalds.
Last changed: 18.09.2003 14:54 MET DST by webmaster@suse.de