356 lines
17 KiB
HTML
356 lines
17 KiB
HTML
<!--startcut ==========================================================-->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<title>Introducing Samba LG #36</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
|
ALINK="#FF0000">
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4>
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
<font color="navy">A <I>Linux Journal</I> Review</font>:
|
|
This article appeared first in the July 1998 issue of <I>Linux
|
|
Journal</I>.
|
|
<P> <HR> <P>
|
|
|
|
<center>
|
|
<H1><font color="maroon">Introducing Samba</font></H1>
|
|
<H4>By <a href="mailto:john.blair@brainwell.com">John Blair</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
The whole point of networking is to allow computers to easily share
|
|
information. Sharing information with other Linux boxes, or any UNIX
|
|
host, is easy--tools such as FTP and NFS are readily available and
|
|
frequently set up easily ``out of the box''. Unfortunately, even the most
|
|
die-hard Linux fanatic has to admit the operating system most of the PCs
|
|
in the world are running is one of the various types of Windows.
|
|
Unless you use your Linux box in a particularly isolated environment,
|
|
you will almost certainly need to exchange information with machines
|
|
running Windows. Assuming you're not planning on moving all of your
|
|
files using floppy disks, the tool you need is Samba.
|
|
<p>
|
|
Samba is a suite of programs that gives your Linux box the ability to speak
|
|
SMB (Server Message Block). SMB is the protocol used to implement
|
|
file sharing and printer services between computers running OS/2,
|
|
Windows NT, Windows 95 and Windows for Workgroups. The protocol is
|
|
analogous to a combination of NFS (Network File System), <b>lpd</b> (the
|
|
standard UNIX printer server) and a distributed authentication
|
|
framework such as NIS or Kerberos. If you are familiar with Netatalk,
|
|
Samba does for Windows what Netatalk does for the Macintosh. While
|
|
running the Samba server programs, your Linux box appears in the
|
|
``Network Neighborhood'' as if it were just another Windows machine.
|
|
Users of Windows machines can ``log into'' your Linux server and,
|
|
depending on the rights they are granted, copy files to and from parts
|
|
of the UNIX file system, submit print jobs and even send you WinPopup
|
|
messages. If you use your Linux box in an environment that
|
|
consists almost completely of Windows NT and Windows 95 machines,
|
|
Samba is an invaluable tool.
|
|
<p><center>
|
|
<img src="./gx/blair/2716f1.gif">
|
|
<p>
|
|
<h4>Figure 1. The Network Neighborhood, Showing the Samba Server</h4></center>
|
|
<p>
|
|
Samba also has the ability to do things that normally require the
|
|
Windows NT Server to act as a WINS server and process ``network
|
|
logons'' from Windows 95 machines. A PAM module derived from Samba
|
|
code allows you to authenticate UNIX logins using a Windows NT Server.
|
|
A current Samba project seeks to reverse engineer the proprietary
|
|
Windows NT domain-controller protocol and re-implement it as a
|
|
component of Samba. This code, while still very experimental, can already
|
|
successfully process a logon request from a Windows NT Workstation
|
|
computer. It shouldn't be long before it will act as a full-fledged
|
|
Primary Domain Controller (PDC), storing user account information and
|
|
establishing trust relationships with other NT domains. Best of all,
|
|
Samba is freely available under the GNU public license, just
|
|
as Linux is. In many environments the Windows NT Server is required
|
|
only to provide file services, printer spools and
|
|
access control to a collection of Windows 95 machines. The combination
|
|
of Linux and Samba provides a powerful low-cost alternative to the
|
|
typical Microsoft solution.
|
|
<p>
|
|
<h3>Windows Networking</h3>
|
|
<p>
|
|
Understanding how Samba does its job is easier if you know a little
|
|
about how Windows networking works. Windows clients use file and
|
|
printer resources on a server by transmitting ``Server Message
|
|
Block''
|
|
over a NetBIOS session. NetBIOS was originally developed by IBM to
|
|
define a networking interface for software running on MS-DOS or
|
|
PC-DOS. It defines a set of networking services and the software
|
|
interface for accessing those services, but does not specify the actual protocol
|
|
used to move bits on the network.
|
|
<p>
|
|
Three major flavors of
|
|
NetBIOS have emerged since it was first implemented, each differing in
|
|
the transport protocol used. The original implementation was referred
|
|
to as NetBEUI (NetBIOS Extended User Interface), which is a
|
|
low-overhead transport protocol designed for single segment networks.
|
|
NetBIOS over IPX, the protocol used by Novell, is also popular. Samba
|
|
uses NetBIOS over TCP/IP, which has multiple advantages.
|
|
<p>
|
|
TCP/IP is already implemented on every operating system worth its salt,
|
|
so it has been relatively easy to port Samba to virtually every flavor of
|
|
UNIX, as well as OS/2, VMS, AmigaOS, Apple's Rhapsody (which is really
|
|
NextSTEP) and (amazingly) mainframe operating systems like CMS. Samba
|
|
is also used in embedded systems, such as stand-alone printer servers and
|
|
Whistle's InterJet Internet appliance. Using TCP/IP also means that
|
|
Samba fits in nicely on large TCP/IP networks, such as the Internet.
|
|
Recognizing these advantages, Microsoft has renamed the combination of
|
|
SMB and NetBIOS over TCP/IP the Common Internet Filesystem (CIFS).
|
|
Microsoft is currently working to have CIFS accepted as an Internet
|
|
standard for file transfer.
|
|
<p><center>
|
|
<img src="./gx/blair/2716f2.gif">
|
|
<p>
|
|
<h4>Figure 2. SMB's Network View compared to OSI Networking
|
|
Reference Model</h4></center>
|
|
<p>
|
|
<h3>Samba's Components</h3>
|
|
<p>
|
|
A Samba server actually consists of two server programs:
|
|
<b>smbd</b> and <b>nmbd</b>. <b>smbd</b> is the core of Samba.
|
|
It establishes sessions, authenticates clients and provides access to
|
|
the file system and printers. <b>nmbd</b> implements the ``network
|
|
browser''. Its role is to advertise the services that the Samba server
|
|
has to offer. <b>nmbd</b> causes the Samba server to
|
|
appear in the ``Network Neighborhood'' of Windows NT and Windows 95
|
|
machines and allows users to browse the list of available
|
|
resources. It would be possible to run a Samba server without
|
|
nmbd, but users would need to know ahead
|
|
of time the NetBIOS name of the server and the resource on it they
|
|
wish to access. <b>nmbd</b> implements the Microsoft network
|
|
browser protocol, which means it participates in browser elections
|
|
(sometimes called ``browser wars''), and can act as a master or
|
|
back-up browser. <b>nmbd</b> can also function as a WINS (Windows Internet
|
|
Name Service) server, which is necessary if your network spans more
|
|
than one TCP/IP subnet.
|
|
<p>
|
|
Samba also includes a collection of other tools.
|
|
<b>smbclient</b> is an SMB client with a shell-based user interface,
|
|
similar to FTP, that allows you to copy files to and from other SMB
|
|
servers, as well as allowing you to access SMB printer resources and
|
|
send WinPopup messages. For users of Linux, there is also an SMB
|
|
file system that allows you to attach a directory shared from a
|
|
Windows machine into your Linux file system. <b>smbtar</b> is a
|
|
shell script that uses smbclient to store a remote Windows
|
|
file share to, or restore a Windows file share from a standard UNIX tar
|
|
file.
|
|
<p>
|
|
The <b>testparm</b> command, which parses and describes the
|
|
contents of your smb.conf file, is particularly useful since
|
|
it provides an easy way to detect configuration mistakes. Other
|
|
commands are used to administer Samba's encrypted password file,
|
|
configure alternate character sets for international use and
|
|
diagnose problems.
|
|
<p>
|
|
<h3>Configuring Samba</h3>
|
|
<p>
|
|
As usual, the best way to explain what a program can do is to show
|
|
some examples. For two reasons, these examples assume that you already
|
|
have Samba installed. First, explaining how to build and install
|
|
Samba would be enough material for an article of its own. Second, since Samba is
|
|
available as Red Hat and Debian packages shortly after each new stable
|
|
release is announced, installation under Linux is a snap. Further,
|
|
most ``base'' installations of popular distributions already
|
|
automatically install Samba.
|
|
<p>
|
|
Before Samba version 1.9.18 it was necessary to compile Samba
|
|
yourself if you wished to use encrypted password
|
|
authentication. This was true because Samba used a DES library to implement
|
|
encryption, making it technically classified as a munition by the
|
|
U.S. government. Binary versions of Samba with encrypted password
|
|
support could not be legally exported from the United States, which
|
|
led mirror sites to avoid distributing pre-compiled copies of Samba
|
|
with encryption enabled. Starting with version 1.9.18, Samba uses a
|
|
modified DES algorithm not subject to export restrictions.
|
|
Now the only reason to build Samba yourself is if you like to test the
|
|
latest alpha releases or you wish to build Samba with non-standard
|
|
features.
|
|
<p>
|
|
Since SMB is a large and complex protocol, configuring Samba can be
|
|
daunting. Over 170 different configuration options can
|
|
appear in the smb.conf file, Samba's configuration file. In
|
|
spite of this, have no fear. Like nearly all aspects of UNIX, it is
|
|
pretty easy to get a simple configuration up and running. You can
|
|
then refine this configuration over time as you learn the function of each
|
|
parameter. Last, the latest version of Samba, when this article
|
|
was written in late January, was 1.9.18p1. It is possible that the behavior of some of
|
|
these options will have changed by the time this is printed. As usual,
|
|
the documentation included with the Samba distribution (especially the
|
|
README file) is the definitive source of information.
|
|
<p>
|
|
The smb.conf file is stored by the Red Hat and Debian
|
|
distributions in the /etc directory. If you have built Samba
|
|
yourself and haven't modified any of the installation paths, it is
|
|
probably stored in /usr/local/samba/lib/smb.conf. All of the
|
|
programs in the Samba suite read this one file, which is structured
|
|
like a Windows *.INI file, for configuration information.
|
|
Each section in the file begins with a name surrounded by square brackets
|
|
and either the name of a service or one of the special sections:
|
|
<tt>[global]</tt>, <tt>[homes]</tt> or <tt>[printers]</tt>.
|
|
<p>
|
|
Each configuration parameter is either a global parameter, which means
|
|
it controls something that affects the entire server, or a service
|
|
parameter, which means it controls something specific to each service.
|
|
The <tt>[global]</tt> section is used to set all the global
|
|
configuration options, as well as the default service settings.
|
|
The <tt>[homes]</tt> section is a special service section
|
|
dynamically mapped to each user's home directory. The
|
|
<tt>[printers]</tt> section provides an easy way to share every
|
|
printer defined in the system's <tt>printcap</tt> file.
|
|
<p>
|
|
<h3>A Simple Configuration</h3>
|
|
<p>
|
|
The following smb.conf file describes a simple and
|
|
useful Samba configuration that makes every user's home directory on
|
|
my Linux box available over the network.
|
|
<p>
|
|
<pre>
|
|
[global]
|
|
netbios name = FRODO
|
|
workgroup = UAB-TUCC
|
|
server string = John Blair's Linux Box
|
|
security = user
|
|
printing = lprng
|
|
|
|
[homes]
|
|
comment = Home Directory
|
|
browseable = no
|
|
read only = no
|
|
</pre>
|
|
The settings in the <tt>[global]</tt> section set the name of the
|
|
host, the workgroup of the host and the string that appears
|
|
next to the host in the browse list. The security parameter
|
|
tells Samba to use ``user level'' security. SMB has two modes of
|
|
security: share, which associates passwords with specific resources,
|
|
and user, which assigns access rights to specific users. There isn't
|
|
enough space here to describe the subtleties of the two modes, but
|
|
in nearly every case you will want to use user-level security.
|
|
<p>
|
|
The printing command describes the local
|
|
printing system type, which tells Samba exactly how to submit print jobs,
|
|
display the print queue, delete print jobs and other operations.
|
|
If your printing system is one that Samba doesn't already know how
|
|
to use, you can specify the commands to invoke for each print
|
|
operation.
|
|
<p>
|
|
Since no encryption mode is specified, Samba will default to using
|
|
plaintext password authentication to verify every connection
|
|
using the standard UNIX password utilities. Remember, if your
|
|
Linux distributions uses PAM, the PAM configuration must be modified
|
|
to allow Samba to authenticate against the password database. The
|
|
Red Hat package handles this automatically. Obviously, in many
|
|
situations, using plaintext authentication is foolish. Configuring
|
|
Samba to support encrypted passwords is outside the scope of this
|
|
article, but is not difficult. See the file ENCRYPTION.txt in
|
|
the /docs directory of the Samba distribution for details.
|
|
<p>
|
|
The settings in the <tt>[homes]</tt> section control the behavior
|
|
of each user's home directory share. The comment parameter
|
|
sets the string that appears next to the resource in the browse list.
|
|
The <tt>browseable</tt> parameter controls whether or not a service
|
|
will appear in the browse list. Something non-intuitive about the
|
|
<tt>[homes]</tt> section is that setting <tt>browseable = no</tt>
|
|
still means that a user's home directory will appear as a directory
|
|
with its name set to the authenticated user's username. For example,
|
|
with <tt>browseable = no</tt>, when I browse this Samba server I will see a share called
|
|
<tt>jdblair</tt>. If <tt>browseable = yes</tt>, both a share
|
|
called <tt>homes</tt> and <tt>jdblair</tt> would appear in the browse
|
|
list. Setting <tt>read only = no</tt> means that users should be able
|
|
to write to their home directory if they are properly authenticated.
|
|
They would not, however, be able to write to their home directory if the UNIX
|
|
access rights on their home directory prevented them from doing so.
|
|
Setting <tt>read only = yes</tt> would mean that the user would not be
|
|
able to write to their home directory regardless of the actual UNIX
|
|
permissions.
|
|
<p>
|
|
The following configuration section would grant access to every
|
|
printer that appears in the printcap file to any user that
|
|
can log into the Samba server. Note that the <tt>guest ok = yes</tt>
|
|
normally doesn't grant access to every user when the server is using
|
|
user-level security. Every print service must define <tt>printable =
|
|
yes</tt>.
|
|
<p>
|
|
<pre>
|
|
[printers]
|
|
browseable = no
|
|
guest ok = yes
|
|
printable = yes
|
|
</pre>
|
|
This last configuration snippet adds a server share called
|
|
public that grants read-only access to the anonymous ftp
|
|
directory. You will have to set up the printer driver on the client
|
|
machine. You can use the <b>printer name</b> and <b>printer driver</b>
|
|
commands to automate the process of setting up the printer
|
|
client on Windows 95 and Windows NT clients.
|
|
<p>
|
|
<pre>
|
|
[public]
|
|
comment = Public FTP Directory
|
|
path = /home/ftp/pub
|
|
browseable = yes
|
|
read only = yes
|
|
guest ok = yes
|
|
</pre>
|
|
<p><center>
|
|
<img src="./gx/blair/2716f3.gif">
|
|
<p>
|
|
<h4>Figure 3. Appearance of Samba Configuration in Windows Explorer</h4></center>
|
|
<p>
|
|
Be aware that this description doesn't explain some subtle issues,
|
|
such as the difference between user and share level security and
|
|
other authentication issues. It also barely scratches the surface of
|
|
what Samba can do. On the other hand, it's a good example of how easy
|
|
it can be to create a simple but working smb.conf file.
|
|
<p>
|
|
<h3>Conclusions</h3>
|
|
<p>
|
|
Samba is the tool of choice for bridging the gap between UNIX and
|
|
Windows systems. This article discussed using Samba on Linux in
|
|
particular, but it is also an excellent tool for providing access to
|
|
more traditional UNIX systems like Sun and RS/6000 servers. Further,
|
|
Samba exemplifies the best features of free software, especially when
|
|
compared to commercial offerings. Samba is powerful, well supported
|
|
and under continuous active improvement by the Samba Team.
|
|
<p>
|
|
<h3>Resources</h3>
|
|
<p>
|
|
The Samba home page, at http://samba.anu.edu.au/samba/, is the
|
|
definitive source for news and information about Samba. The
|
|
documentation distributed with Samba is relatively
|
|
unorganized, but covers every aspect of server configuration. If you
|
|
have questions about Samba, first consult the FAQ, then try the
|
|
Samba Mailing List. The location of both can be found on the Samba
|
|
home page.
|
|
<p>
|
|
The book <i>Samba: Integrating UNIX and
|
|
Windows</i>, by John Blair and published by SSC, covers all aspects of
|
|
installation, configuration and maintenance of a Samba server.
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<center><H5>Copyright © 1999, John Blair <BR>
|
|
Published in Issue 36 of <i>Linux Gazette</i>, January 1999</H5></center>
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
|
|
ALT="[ TABLE OF CONTENTS ]"></A>
|
|
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
|
|
ALT="[ FRONT PAGE ]"></A>
|
|
<A HREF="./defurne2.html"><IMG SRC="../gx/back2.gif"
|
|
ALT=" Back "></A>
|
|
<A HREF="./jenkins5.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
|
|
<P> <hr> <P>
|
|
<!--startcut ==========================================================-->
|
|
</BODY>
|
|
</HTML>
|
|
<!--endcut ============================================================-->
|