USENIX Feature

 

the Samba file and print server

by Jeremy Allison
<jallison@whistle.com>

Jeremy Allison works at Whistle Communications where he extends and maintains Samba full-time. He has over ten years experience writing UNIX code, and has been working with Windows NT since the first public Win32 Beta.

Samba is an implementation of Microsoft's SMB file and print server protocol implemented on UNIX systems. SMB stands for "Server Message Block," newly renamed CIFS or "Common Internet File System" as part of Microsoft's attempt to make Windows "Internet friendly." Samba allows your UNIX disk and printer resources to appear as share and printer names on a Microsoft network so that users can select them as the icons that appear in the Microsoft "Network Neighborhood" window on their desktop systems.

Samba can also take over much of the functionality of a Windows NT Domain system when serving Windows 95 clients and has many other interesting features.

Samba is software available under the GNU General Public License (GPL) and so can always be obtained as source code for UNIX systems.

History of Samba

The original author of Samba was Andrew Tridgell, a PhD student at the Australian National University, in Canberra, Australia. In December 1991, with no documentation available for a protocol in use in his laboratory (DEC Pathworks), Andrew examined the packets on the wire and from the packet dumps wrote an implementation of the protocol for his UNIX systems (he called it Server 0.1). The protocol he examined turned out to be the same protocol that Microsoft LanManager systems use. Eventually, after he made his code publicly available, there was enough interest for him to start the "Netbios for UNIX" project (in December of 1993). So he created a mailing list containing all the people who had asked him about his code in the intervening time.

Samba is now a mature product at version 1.9.17 with support from over 100 commercial vendors worldwide. Many hundreds of people have contributed code to the project, which is still being developed at a very rapid pace. The code is now developed by a distributed team of people known as the Samba Team, who work in a manner similar to the Linux kernel developers.

Getting and Compiling Samba

The best way to get Samba is to go to the official Samba Web pages, <http://samba.anu.edu.au/samba>, and look at the "Sources" part of the Web page. The official Web pages are a very good place to bookmark if you will be doing much work with Samba, because announcements of new versions and current issues are made here. Binary versions of Samba are available for some systems (notably Linux) as well, so you may not have to compile Samba yourself.

The latest sources are available as a link to <ftp://samba.anu.edu.au/pub/samba/samba-latest.tar.gz>, which always points to the current released stable version, which at the time of writing is 1.9.17p3.

Download the file into a directory you will use to build the software, and then extract it (it is a tar file compressed with the GNU gzip program) by typing

gzip -d -c samba-latest.tar.gz | tar xvf -

If you don't have gzip on your system, you will need to download this useful utility. Try a Web search for a precompiled binary for your system, or, to compile gzip from source code, you can find it in the main source repository for GNU code at <ftp://prep.au.mit.edu.au/pub/gnu/>

After extracting Samba you will find a directory called samba-<release-version>, which for the current version will be samba-1.9.17p3. Change to this directory and read the documentation.

Samba ships with pages and pages of documentation, and most problems that people have had with it are documented within the docs/ directory. Because we are doing a quick tour here, I'll omit my advice and plough straight into compiling the package.

The main source for Samba is found in a directory called source/ in the tree, and the Makefile within needs to be hand configured for your system. The safest way to do this is to copy the Makefile to a safe place so that you can get back to your original if things don't work. Now edit the Makefile using your favorite text editor and configure it to match your system. Examples for almost all different kinds of UNIX systems, from AIX to SCO, are included. If you are happy to install Samba into the default place (/usr/local/samba), then all you need to do is uncomment the lines containing the FLAGSM and LIBSM definitions for your system (by removing the leading "#" from the line), and you should be ready to compile.

Samba should then just compile without warnings when you type make, and then install itself and all its binaries when you type make install. Note that you should install Samba as root.

There are many different compile options for Samba, all of which are tunable by editing the Makefile. To understand what they all do you need to read the documentation in the docs/ directory. I cover some of the common changes you might make.

Configuring Samba

So you have Samba installed on your system. Now what? I'm assuming you installed Samba into the default place of /usr/local/samba, so the examples will all use this path.

Samba consists of two main daemons and a client access program. The daemons are smbd (for Server Message Block daemon), which provides the main file service from the UNIX machine, and nmbd (NetBIOS name daemon), which provides the NetBIOS naming services over TCP that Microsoft networking depends on. You might think they just used DNS like everyone else, but you'd be wrong. The client program, called smbclient, allows an ftp command-line-like access to Microsoft network servers. This can be used to access Windows 95 and Windows NT servers as well as Samba servers. Some people use a variation of this program, smbtar (also provided with Samba), to back up their Windows servers to a UNIX tape drive. All these programs are found in /usr/local/samba/bin (I will assume this directory is on your path for future commands).

Both smbd and nmbd are configured in one file : /usr/local/samba/lib/smb.conf.

It is vitally important that this file be writable only by root. Setting it otherwise could compromise your system security.

The contents of this file are based on a Windows ".INI" syntax style, for example:

; comments
[section]
parameter1 = value
parameter2 = value

The file is separated into sections that are surrounded by [] characters, and these are followed by a list of parameter=values pairs, one parameter per line. Comments may be entered on a line starting with a ";" character.

The main section that controls the behaviors of both smbd and nmbd is the [global] section. This is followed by sections that define how the resources of the UNIX machine are to be exported to the Windows client machines. To examine this in detail I'll show a sample smb.conf file and go through it line by line to explain what each parameter means.

[global]
workgroup = PCGROUP
security = user
guest account = pcguest
;
; These next three options set case processing to emulate an
; NT server.
;
preserve case = yes
short preserve case = yes
case sensitive = no
;
; Uncomment the next line and set the correct IP address
; if you wish nmbd to register this UNIX machine with a
; WINS server.
;
;wins server = 207.76.206.250
;
; Uncomment the next line if you wish this UNIX server to *be*
; a WINS server. Remember there should only be *one* Samba WINS
; server in your network because nmbd does not yet support
; WINS replication.
;
;wins support = true
;
; Misc options.
;
mangled map = (*.html *.htm)
client code page = 850
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
[homes]
guest ok = False
read only = no
create mask = 744
[public]
path = /tmp
read only = no
guest ok = True
[printers]
path = /var/spool/public
public = yes
read only = true
printable = yes
browsable = no

The first three lines in the [global] section

workgroup = PCGROUP
security = user
guest account = pcguest

are probably the most important. The workgroup = parameter tells nmbd what Windows workgroup the UNIX machine should announce itself as being in. If you have a Windows NT Domain you wish the UNIX machine to appear in, then you should use that name here. This must be the same as the Workgroup/Domain that the Windows machines are in, or they may be unable to see the Samba server in their network neighborhood.

security=user tells smbd that all Windows users connecting to your Samba server must do so with a valid username and password. By default this is sent over the network in clear text, so you should allow this only on local networks known to be safe. Few networks can be categorized as that these days, so Samba can be compiled to support the Microsoft encrypted password negotiation which is based on a "challenge-response" protocol. In fact with Windows NT Service pack 3 Microsoft has disabled the clear text password option on NT by default, although it can still be enabled by changing the registry.

To learn how to compile Samba for encrypted password support, read ENCRYPTION.txt in the Samba docs/ directory. Doing this requires access to a DES (Data Encryption Standard) library, which is not legal to export from the USA at present. This is why Samba does not use encrypted passwords by default. A DES library (in source code form) is available at the Samba ftp site.

guest account = pcguest tells smbd what username to use if a Windows client doesn't present a valid username to the server. By default, such a connection is refused access, but for some services, you may wish to allow it (for public information). The account name used here must exist in the UNIX /etc/passwd file but almost certainly should not be allowed an interactive login (use a new dummy account modelled after accounts such as backup or bin, but use a high uid number).

The next three options :

preserve case = yes
short preserve case = yes
case sensitive = no

set Samba up to present a case-insensitive but case-preserving view of the filesystem. This is exactly the same as the NTFS or FAT filesystems that Windows NT supports, and many Windows client programs expect such a filesystem. It is possible to set Samba up to be case sensitive or to map all filenames into upper- or lowercase, but the options presented previously are the most common.

For NetBIOS name resolution on Microsoft networks that span TCP/IP subnets, there must be a server known as a WINS (Windows Internet Name Server) server somewhere on the network. This allows Microsoft networking clients, which originally used only broadcasts to map NetBIOS names to IP addresses, to find remote servers. Samba has the capability to act as a WINS server and can also register itself with a Microsoft WINS server. The next few commented out lines allow you to choose which you require, but you must uncomment only one of the two possible options. If you have a small, unsubnetted network, you can leave them both commented out.

The options commented as ; Misc options show some of the flexibility of Samba configuration.

mangled map = (*.html *.htm)

shows how UNIX filenames can be translated on the fly by Samba for Windows clients (to map .html files to .htm for standards-challenged Microsoft HTML programs).

client code page = 850

is an internationalization option allowing the administrator to define the current code page of the Windows clients. This allows filenames containing the high bit set to be mapped correctly in case-insensitivity cases and to be correctly converted in the UNIX filesystem.

veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

is a list of filenames, separated by "/" characters, that Windows clients will never be allowed to see. The given example is how you would prevent Windows clients from seeing the Macintosh metafiles used by the Netatalk AppleTalk fileserver program, afpd, popular at many UNIX sites containing Mac clients.

The following two sections, [homes] and [public], are examples of disk resource shares. These are similar to lines in an /etc/exports file for NFS sharing, although they can be considerably more complicated. I'll consider the [homes] share first.

The [homes] share is a "magic" share. If a Windows client tries to mount (or "net use" in Windows parlance) this share, Samba automatically connects the user to their home directory. This saves a lot of time, in that you don't have to define share points for all your users or make them connect to the directory just above the users' home directories in order to get to their files. Windows clients who connect with an invalid username are denied access to the file system (as the first parameter explicitly denies guest access; this is the default but is placed here to make it clear to the administrator in this example).

The line read only = no allows the users to write to the share (by default share points are read only). The final line create mask = 744 causes all files that are created by smbd on behalf of the user to have these octal permissions applied to the permissions of the file as a mask. In other words, files created by the users in this share will have write and execute permissions removed for group and other.

The [public] share is an example of a publicly writable directory. The path=/tmp parameter tells smbd what part of the UNIX file system to use for this share. As previously, the read only = no parameter allows users to write into this directory, and the guest ok = True parameter tells smbd to map unknown users into the pcguest user mentioned above in the [global] section.

The [printers] section specifies how Windows clients access UNIX printers (defined in /etc/printcap, but System V printing is also supported). This section is a "magic" section like [homes]. When a Windows client connects to a printer, the name is looked up in the /etc/printcap (or equivalent for System V), and the Windows client is connected to that printer. The first parameter tells Samba where to spool the printer files. The following two parameters (public, read only) we already know, but the last two are new. The printable=yes just tells smbd this is a printer share (thus denying regular file access), and the browsable=no tells smbd not to list this share when a Windows machine requests a list of available resources on a machine.

All these options (and many, many more) are described in the Samba man pages that are installed into /usr/local/samba/man when you install the package. Set your MANPATH environment variable to point there, type

man smb.conf

and away you go (for over 30 pages of options, I'm afraid).
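
As an added example (not part of the original article or of Samba itself), the following Python sketch parses the smb.conf syntax described above and reports the two risks the walkthrough raises: shares that guests can write to, and an smb.conf that someone other than root can modify. The function names are hypothetical and the embedded sample is constructed from the article's configuration.

```python
import os
import stat

# Constructed sample: the share sections of the article's smb.conf.
SAMPLE = """\
; comments
[global]
security = user
guest account = pcguest
[homes]
guest ok = False
read only = no
create mask = 744
[public]
path = /tmp
read only = no
guest ok = True
[printers]
path = /var/spool/public
public = yes
read only = true
printable = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} for the [section] / name = value syntax."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # ';' as in the article; Samba also accepts '#'
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing so "Guest OK" and "guest ok" match.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in {"yes", "true", "1"}

def guest_writable_shares(sections):
    """Shares that unauthenticated (guest) users can write to."""
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        # "public" is used as a synonym for "guest ok" in the [printers] section.
        guest = is_true(params.get("guest ok", params.get("public", "no")))
        # Shares are read only by default, as the article notes.
        writable = not is_true(params.get("read only", "yes"))
        if guest and writable and not is_true(params.get("printable", "no")):
            findings.append((name, params.get("path", "")))
    return findings

def writable_by_non_root(path):
    """True if smb.conf is owned by a non-root user or is group/other writable."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
```

Run against the sample, guest_writable_shares reports only the [public] share on /tmp; on a real installation, writable_by_non_root would be pointed at /usr/local/samba/lib/smb.conf.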

Enough of the explanations; let's start up Samba and access some files!

Starting Samba

Samba services can be started in two ways, either as standalone daemons (the normal case) or via inetd. I'll leave the explanation of using inetd to the Samba documentation and show starting as standalone daemons. Starting Samba is as simple as typing (as root) :

/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D

Note that smbd should be started first. To make Samba available on system boot up, just put those two commands into a script, and run them from your local system startup scripts.

Now go to a Windows client machine in the same workgroup and type (in a DOS command prompt window) :

net view \\UNIX_MACHINE_NAME

where UNIX_MACHINE_NAME is the first component of your machine's DNS name. For example, for testme.whistle.com you would type :

net view \\TESTME

If all is well you should see a list of the shared resources you have defined in the smb.conf file. If you get the dreaded

System Error 53 has occurred.
The network path was not found.

you have some debugging to do. Check the file DIAGNOSIS.txt in the Samba docs/ directory.

Assuming everything went well, your Samba server should show up in your network neighborhood within a minute or two (if not, check out the BROWSING.txt file in the docs/ directory). Try logging on to a Windows PC with a UNIX username and password (assuming that that user has been correctly set up with that password in an NT Domain if you are using NT Domains at your site); you should be able to use the Windows explorer or network neighborhood to browse right into the shared directories on the UNIX system.

Using the smbclient program

The smbclient program is a command line program (shell-like) that allows a UNIX user to navigate an SMB shared filesystem. Currently, only Linux allows SMB shares to be mounted directly into the filesystem via the smbmount command. All other UNIXs must use this command line to allow their users to manipulate files on an SMB share.

Using smbclient is fairly simple (in 1.9.17). Just type :

smbclient //server_name/resource_name

You will be prompted for a password (the connection is made as the currently logged in user). Type in the correct password for your username on the remote server, and you will be given a

smb: \>

prompt (where \ represents the path of the directory tree being shared). For example, to connect to the public share on the Samba server we previously set up, we would type :

smbclient //server_name/public

Note that smbclient uses the DNS name of the server, not the NetBIOS name. So you can use a full Internet domain name to get access to a SMB server over the Internet.

Typing a ? at the smbclient command prompt gives a list of commands, currently :

ls          dir         lcd         cd          pwd
get         mget        put         mput        rename
more        mask        del         rm          mkdir
md          rmdir       rd          pq          prompt
recurse     translate   lowercase   print       printmode
queue       qinfo       cancel      stat        quit
q           exit        newer       archive     tar
blocksize   tarmode     setmode     help        ?

These are rather similar to ftp commands, with a few additions. As usual, the smbclient man page will list all of them in gory detail.

Using these commands, you can manipulate files quite nicely on a Windows NT or Windows 95 server, as well as a Samba server. This is handy for remote administration when you don't have a Windows machine on your desk (as in my office).

Support for Samba

Samba has an active mailing list, <samba@samba.anu.edu.au>. To subscribe, check out the Web page for details. Also the newsgroup comp.protocols.smb has active Samba discussions and support.

In the Samba docs/ directory there is a file Support.txt that lists over 100 commercial companies that provide paid support for Samba. Note that the Samba Team cannot guarantee the level of support provided by any of these providers. You must negotiate with the individual companies as to service and rates.

Conclusion

I hope this lightning tour of using Samba has whetted your appetite for more information. Currently, Samba is being extended and developed in more directions than you can imagine. To keep up with the latest developments, check out the Samba Web site. All previous versions are kept there in archive form, and even the CVS (version control system) log of the development is available online, so you get to see the developers' check-in comments.

Also on the Web site is a survey form Samba users can fill out to tell the world (and other Samba users) how they are using the software. Currently, there are over 1,400 survey entries and many of the USA Fortune 100 companies (and many others from all over the world) are listed there. I hope your company will be listed there soon!

 

First posted: 3rd December 1997 efc
Last changed: 3rd December 1997 efc