Setting up File and Print Services Using Samba with OpenLinux™ Server Release 3.1.1

by Robert Borchert

Version 1.0


Contents

  1. Objectives
  2. Introduction
  3. Requirements
  4. Installing Samba
  5. Configuring Samba
    1. Understanding Windows Domains
    2. Configuring Disk Shares
    3. Configuring Printer Shares
    4. Configuring Users
  6. Configuring Windows Clients to connect to Samba
    1. Authenticating against Samba
    2. Mapping Drives to shares
    3. Adding Printers
  7. Advanced Topics
    1. Domain Controllers
    2. WINS Services
    3. Using SWAT
    4. Samba Files
  8. References and Further Reading
    1. Samba Web Pages
    2. Samba Documentation
    3. O'Reilly's Samba Book
  9. Feedback

Objectives

When you have finished reading this cookbook you should:

Introduction

Samba is the open source package used by OpenLinux™ 3.1.1 to provide File and Print services to Windows clients. This Cookbook will give basic guidelines on how to configure Samba to share OpenLinux files and printer resources using Webmin™.


Requirements

In this Cookbook we assume that you have a configured and working network.

Installing Samba

Samba should be installed by default on OpenLinux 3.1.1 Server in the "File and Print" and "All Packages" installation personalities.
 

To verify that Samba is installed:


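     [root@smblab3 samba.d]# rpm -qa|grep samba
     samba-2.2.2-4
     samba-doc-2.2.2-4

     [root@smblab3 samba.d]# rpm -V `rpm -qa|grep samba`
     S.5....T c /etc/samba.d/smb.conf
     S.5....T c /etc/samba.d/smbusers

(Configuration files may be reported as changed; this is expected. In the rpm -V output, S, 5 and T mean that the file's size, MD5 checksum and modification time differ from the packaged values, and c marks a configuration file.)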

To (re)install Samba, you can either use the RPMs on your OL311 Server media, or download them from:

ftp://ftp.caldera.com/pub/OpenLinux3.1.1/Server/RPMS/

The Samba RPMs that are shipped with OpenLinux3.1.1 Server are:


Use the rpm command to install any missing packages:


     [root@smblab3 samba.d]# rpm -i samba-2.2.2-4.i386.rpm

To start Samba, either use the KDE Kontrol Center, or use the samba command:

     [root@smblab3 samba.d]# samba start

To check that Samba is running, you can check the process table for the Samba daemons nmbd and smbd:

     [root@smblab3 samba.d]# ps -ef|grep mbd
     root     10000     1  0 09:27 ?        00:00:00 smbd -D
     root     10003     1  0 09:27 ?        00:00:00 nmbd -D
     root     10005 10003  0 09:27 ?        00:00:00 nmbd -D

You can also check the status of these services with the samba command:

     [root@smblab3 samba.d]# samba status
     Checking status of samba service: nmbd smbd.

Configuring Samba with Webmin

  1. Understanding Windows Domains
  2. Configuring Disk Shares
  3. Configuring Printer Shares
  4. Configuring Users


There are several ways to configure Samba, including command line configuration, SWAT - Samba Web Administration Tool and Webmin - The Web Administration Tool. For the Cookbook we will discuss how to configure Samba with Webmin (where possible).
(See the Using SWAT and Samba Files sections under Advanced Topics for more information.)

Using your browser, follow this key to find the main configuration page for Samba in Webmin:

     https://localhost:1000
       -or-
     https://remote.samba.server.com:1000 (with webmin configured for remote use)

     Login with root or admin account
     Choose Servers->Samba Windows File Sharing
     Scroll down to Global Configuration section
     Choose Windows Networking

Understanding Windows Domains


There are 3 different roles Samba can play in a Windows network:
  1. Member of a Workgroup (stand-alone): no login authentication (NOT recommended)
  2. Member of a Domain: joining an NT Domain
  3. Domain Controller: replacement for an NT Domain Controller

Which role Samba should play depends on your existing Windows network configuration: whether you have an NT Domain to join, an NT server to replace, or an existing Workgroup to be part of. If you are setting up a new Windows network you may want Samba to be the Domain Controller.

We will discuss how to configure each role. For more information on Domains, see Advanced Topics.

In all roles it is important that the server name used by Samba is unique within the Windows network. Be aware that the term Workgroup is used to refer to either the Workgroup Name or the Domain Name. The difference between Workgroup and Domain is only the security model used within the group of machines in the Windows network. This name should be common on all machines in the same group.

In Webmin on the Windows Networking page for Samba there are only a few key items that need to be configured, while the defaults for the other parameters will work for most networks. Here is a table to help you configure Samba for the 3 common roles.

Samba Role / Samba configuration in Webmin

Stand-alone (NOT recommended)
  • Workgroup = Common Workgroup Name
  • Security = User-Level
  • additionally, for Windows 95/98/ME clients, configure the smb.conf parameter
    domain logons = No

Domain Member
  • Workgroup = NT Domain Name to join
  • Security = Domain
  • Master Browser? = No
  • WINS Mode = WINS server IP address
  • Password server = *
  • Machine account in that NT domain
  • (see Advanced Topics for more information about WINS and Domains)

Domain Controller
  • Workgroup = Domain Name to control
  • Security = User-Level
  • Master Browser? = Yes
  • WINS Mode = Be a WINS server
  • additionally, for Windows 95/98/ME clients, configure the smb.conf parameter
    domain logons = Yes

After making changes on the Windows Networking page you will need to click "Save" to write the changes to the Samba configuration file.
Additionally, it is recommended that you require encrypted passwords:



Domain Logons for Windows 95/98/ME clients


This parameter cannot be controlled through Webmin. You must add this parameter to the "[global]" section of the file /etc/samba.d/smb.conf:
     domain logons = [Yes|No]
Or you can use SWAT to control this parameter:
     GLOBALS->Advanced View->Logon Options    (Commit Changes)

Configuring Disk Shares

To share files on the local disk to others in your workgroup using Webmin: The sharename you choose will be used by clients to access the files in the directory you specify here.

You can also access Windows disk shares from OpenLinux. To connect the Windows share to an OpenLinux directory (mount point), use the commands:

     [root@smblab3 root]# mkdir /MOUNTPOINT
     [root@smblab3 root]# smbmount //WINDOWS_CLIENT/SHARENAME /MOUNTPOINT
     [root@smblab3 root]# cd /MOUNTPOINT
     [root@smblab3 root]# ls -l

Configuring Printer Shares

To configure OpenLinux printers in Webmin

To configure Samba to share an OpenLinux printer with Windows clients

To configure OpenLinux to access a Windows shared printer

Configuring Users

All users need both local system accounts and Samba accounts to access Samba shares.

If you have a lot of existing OpenLinux users that you wish to add to Samba, you may want to use the "Convert Unix® users to Samba users." link below Samba's Global Configuration section in Webmin to automatically add Samba accounts for those users.

User synchronization can also be configured through the link, "Configure automatic Unix and Samba user synchronisation". Here you can choose to have a Samba account automatically created when an OpenLinux user is added.

Adding users can also be done at the command line.

To add a local system account that allows OpenLinux logins:

     [root@smblab3 samba.d]# useradd -m -s /bin/sh smbuser3
     [root@smblab3 samba.d]# passwd smbuser3
     New user password:
     Retype new user password:
     [root@smblab3 samba.d]#
Or, to create Samba-only users that cannot log in to OpenLinux directly, set the shell for the system account to /bin/false:
     [root@smblab3 samba.d]# useradd -m -s /bin/false smbuser3
     [root@smblab3 samba.d]# passwd smbuser3
     New user password:
     Retype new user password:
     [root@smblab3 samba.d]#
Set the default shell for the useradd command in the file, /etc/default/useradd.

To add the Samba account:

     [root@smblab3 samba.d]# smbpasswd -a smbuser3
     New SMB password:
     Retype new SMB password:
     Added user smbuser3.
     [root@smblab3 samba.d]#
We suggest that you use the same password for both accounts.
Samba account information is stored in the file /etc/samba.d/smbpasswd. For a list of Samba users you could use the command:
     [root@smblab3 samba.d]# cat /etc/samba.d/smbpasswd|cut -f1 -d:

Restarting Samba
After changing the configuration of Samba, you must restart the server for the changes to take effect. In Webmin, simply scroll down and click on "Restart Samba Servers". You can also restart Samba with the samba command:

     [root@smblab3 samba.d]# samba restart

This will modify the ONBOOT parameter in the file /etc/sysconfig/daemons/samba.

Configuring Windows Clients to connect to Samba

  1. Authenticating against Samba
  2. Mapping Drives to shares
  3. Adding Printers
There are several versions of Windows clients, too many to describe in detail how to configure each one for each type of Windows network. So we will assume that you know where to modify your Windows configuration data for your version. Typically this data can be changed under:
     Control Panel->Network->Identification
     Control Panel->Network->Client for Microsoft Networks->Properties
     Network Neighborhood->Properties->Client for Microsoft Networks->Properties

As there were different roles for Samba to play in the Windows network, Windows systems can also play different roles. Windows 95/98/ME can be clients of workgroups or domains, but not domain controllers, while Windows NT/2000/XP can be either domain members or controllers. All Windows clients need to be configured to match the network and server that they wish to connect to.

Authenticating against Samba

For the Windows client to be able to access the File and Print resources being shared by Samba, the client must first provide the appropriate credentials. Credentials define the level of authorization, authentication and access-control for requests of the Samba server. The clients' configuration must match the security level of the server.
Here is a table showing which client configuration is needed to access Samba shares in each of the three roles.

Samba Role / Windows client configuration

Stand-alone
  • Unique name identification
  • Matching Workgroup Name
  • WINS server set to the Samba server
  • NOT configured to log on to NT domain
  • Accounts on the Samba server *

Domain Member
  • Unique name identification
  • Matching Domain Name
  • WINS server set to the Domain's WINS server
  • Configured to log on to that NT domain name
  • Accounts in that NT domain

Domain Controller
  • Unique name identification
  • Matching Domain Name
  • WINS server set to the Samba server
  • Configured to log on to that domain name
  • Accounts on the Samba server *

* NT/2000/XP Systems also need machine accounts on the Samba server
(See Advanced Topics for more information about WINS and Domains.)

After restarting Windows and logging in you should find the Samba shares available under:

     Network Neighborhood->Entire Network->DOMAIN_NAME->SAMBA_SERVER_NAME

Mapping Drives to shares

You could access the Samba shares through Network Neighborhood, but for convenience you may want to map a drive letter to a Samba share. Use Windows Explorer (not Internet Explorer):
      Explorer->Tools->Map Network Drive.
Choose an available drive letter and associate it with the Samba share and pathname with this syntax:
     \\SAMBA_SERVER_NAME\SHARENAME\PATHNAME

Adding Printers

You can make Samba printers available to Windows clients through:
      Control Panel->Printers->Add Printers
Add a Network printer which points to the Samba shared printer with this syntax:
     \\SAMBA_SERVER_NAME\PRINTER_SHARENAME
Continue and choose the matching driver for the printer.

Advanced Topics

  1. Domain Controllers
  2. WINS Services
  3. Using SWAT
  4. Samba Files
Windows networking is based around the NetBIOS and SMB protocols.

Domain Controllers

Domain Controllers provide the authentication and access control services that protect network resources. These services have 2 aspects:
  1. The authentication and access control processes
     Samba provides these protocols and is fully compatible with Windows 95/98/ME/NT/2000/XP. Samba can be a Domain Controller but its most common role is to be a member of an existing Windows security domain.

  2. The location of the authentication databases
     Samba can be configured to store these locally or access a remote authentication server, hosted by either another Samba server or, more commonly, a Windows NT/2000/XP domain controller.
     Samba does not currently provide the facilities to replicate the authentication databases. This replication was the purpose of MS NT4 Primary and Backup Domain Controllers.

Samba can also be configured to provide any of these services:
  • Local Master Browser: provides clients with a view of domain resources available
  • Domain Master Browser: coordinator of views for Local Master Browsers
  • Netlogon Server: provides logon authentication
  • WINS Services: provides NetBIOS name resolution

Domain Controllers require Domain Members (Windows NT/2000/XP not 95/98/ME) to have machine accounts.
If Samba is acting as the Domain Controller, Domain Members need accounts in both the SMB database and the OpenLinux password database.

You can add machine accounts to OpenLinux, using the commands:

     [root@smblab3 root]# useradd -d /dev/null -s /bin/false smblab4\$
     [root@smblab3 root]# passwd -l smblab4\$
     Password changed.
     [root@smblab3 root]#
NOTE: The "$" suffix is required for machine accounts.

You can add machine accounts to Samba's SMB database with the command:

     [root@smblab3 root]# smbpasswd -a -m smblab4
     Added user smblab4$.
     [root@smblab3 root]#
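
As an added example (not part of the original cookbook), this Python check applies the account rules from the Configuring Users section and the machine-account rules above to the two account files. It assumes the Samba 2.2 smbpasswd layout name:uid:LM hash:NT hash:[flags]:LCT-time: with the flag letters W (machine account) and N (no password); the sample file contents, placeholder hashes and function names are constructed.

```python
# Added example: cross-check Samba accounts against system accounts.
# Both samples are constructed; hash fields are placeholders, not real hashes.
PLACEHOLDER = "X" * 32

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smbuser3:x:501:100::/home/smbuser3:/bin/false
smblab4$:x:502:100::/dev/null:/bin/sh
"""

SAMPLE_SMBPASSWD = f"""\
smbuser3:501:{PLACEHOLDER}:{PLACEHOLDER}:[U          ]:LCT-00000000:
smblab4$:502:{PLACEHOLDER}:{PLACEHOLDER}:[W          ]:LCT-00000000:
smbuser9:509:{PLACEHOLDER}:{PLACEHOLDER}:[UN         ]:LCT-00000000:
"""


def parse_passwd(text):
    """Map account name -> login shell from passwd-format text."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6]
    return shells


def parse_smbpasswd(text):
    """Map account name -> set of flag letters from the [flags] field."""
    flags = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 5:
            continue
        flags[fields[0]] = set(fields[4].strip("[] "))
    return flags


def check_accounts(passwd_text, smbpasswd_text):
    """Return (account, finding) tuples for accounts that break the rules."""
    shells = parse_passwd(passwd_text)
    findings = []
    for name, flags in parse_smbpasswd(smbpasswd_text).items():
        is_machine = name.endswith("$")
        if name not in shells:
            # Every Samba account also needs a local system account.
            findings.append((name, "no matching system account"))
        elif is_machine and shells[name] != "/bin/false":
            # The cookbook creates machine accounts with -s /bin/false.
            findings.append((name, "machine account has a login shell"))
        if is_machine != ("W" in flags):
            findings.append((name, "'$' suffix and W flag disagree"))
        if "N" in flags:
            findings.append((name, "no Samba password required"))
    return findings


if __name__ == "__main__":
    for account, finding in check_accounts(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print(f"{account}: {finding}")
```

On a real server, pass the contents of /etc/passwd and /etc/samba.d/smbpasswd to check_accounts() instead of the samples.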
If Samba is playing the role of a Domain Member, it requires a machine account in the Domain Controller's database.

There are 2 steps to joining an existing NT Domain

WINS Services

Not only does each client, domain member and domain controller need to register its name with NetBIOS, but each service that a machine provides must also be registered with NetBIOS names.

Because many NetBIOS names can be for the same machine, there are additional codes which identify what the name is registering. And since some names must be unique and others aren't, names are registered as either "Unique" or "Group" names.

These names are being registered, queried, and re-registered frequently. With the default behavior being to use broadcasts, it doesn't take too many machines to cause a lot of name resolution traffic on the network.

Since broadcasts are not allowed to cross subnets, any Domain that spans multiple subnets requires WINS. The Domain Master Browser needs WINS to be able to coordinate a list of available resources for the Local Master Browsers, so they can provide a consistent "Network Neighborhood" view to the clients in the domain.

Using WINS helps busy Windows networks tremendously. Since clients can ask the WINS server directly for name resolution information, the extra broadcast traffic is eliminated.

Once a WINS server is designated, all clients should be configured to point to it. For Windows clients, provide the IP address of the WINS server under the client's networking configuration section.

To configure Samba for WINS in Webmin:

If the Samba server is the Domain Controller or working in Stand-Alone mode, you probably want Samba to be the WINS server also; otherwise, point to the WINS server for the Domain that Samba is joining.

Using SWAT

SWAT is the Samba Web Administration Tool. It is developed by the same team that develops Samba, while Webmin is developed separately. It is important to realize that Webmin may not be in sync with all of the options available in newer versions of Samba, while SWAT is updated in conjunction with Samba. If you update Samba you should also update SWAT and use it as a configuration tool. In OpenLinux 3.1.1, we have shipped versions that are in sync, although not all options for Samba are configurable through Webmin. While we believe that most common configurations will be satisfied through Webmin, you may want to use SWAT to see the many options available for Samba, which make it very configurable.
Both tools update the same configuration file.

There are 2 ways to get to SWAT: through Webmin, using the SWAT icon in Samba's Global Configuration section, or with the URL:

     http://localhost:901

Once you've logged into SWAT you will find links to documentation and icons to modify the various configuration parameters for Samba. You should recognize the parameters that we have discussed under the "GLOBALS" icon. All of these parameters may be a bit overwhelming, perhaps making SWAT a more difficult interface to use for a first-time administrator.
Note that there is a problem using SWAT to add users; this problem will be fixed in the next release of SWAT. Use the methods described above in the Configuring Users section of this document to add users.

Samba Files

Use the Samba man pages for detailed information on Samba's commands and files. Here's a table listing the location and description of some of the more important Samba files:
Configuration Files
  • /etc/samba.d/smb.conf             Main configuration file
  • /etc/samba.d/smb.conf.sample      Helpful comments and sample settings
  • /etc/samba.d/smbpasswd            Accounts database
  • /etc/samba.d/smbusers             User Mappings
Log Files
  • /var/log/samba.d/log.smbd         Log file for smbd daemon
  • /var/log/samba.d/log.nmbd         Log file for nmbd daemon
  • /var/log/samba.d/smb.CLIENTNAME   Log file for Client connections
Daemons
  • /usr/sbin/smbd                    SMB Server
  • /usr/sbin/nmbd                    NetBIOS Name Server
Commands
  • /usr/sbin/samba                   Control Samba daemons
  • /usr/bin/smbpasswd                Update account databases
  • /usr/bin/smbmount                 Connect Disk shares
  • /usr/bin/smbstatus                Report current connections
  • /usr/bin/smbclient                ftp-like client to SMB shares
  • /usr/bin/nmblookup                NetBIOS Name queries
  • /usr/bin/findsmb                  SMB Machine queries
  • /usr/bin/testparm                 Configuration file verification

Sample configuration for Samba as the Domain Controller for the Cookbook Domain:
# Global parameters
[global]
        workgroup = COOKBOOK
        netbios name = SMBLAB3
        server string = Samba Server on Caldera OpenLinux
        null passwords = Yes
        username map = /etc/samba.d/smbusers
        password level = 8
        username level = 8
        log file = /var/log/samba.d/smb.%m
        max log size = 200
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        logon path = \\%L\Profiles\%U
        logon home = \\%L\Profiles\%U
        domain logons = Yes
        os level = 35
        preferred master = True
        domain master = True
        dns proxy = No
        wins support = Yes
        printing = cups
        printer name = printer1

[homes]
        comment = Home Directories
        path = %H/Samba
        username = %S
        valid users = %S
        read only = No
        create mask = 0750
        only user = Yes
        browseable = No

[netlogon]
        comment = Samba Network Logon Service
        path = /srv/samba/netlogon
        guest ok = Yes

[profiles]
        path = /srv/samba/profiles
        admin users = root
        read only = No
        guest ok = Yes
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/cups
        read only = No
        create mask = 0700
        guest ok = Yes
        printable = Yes
        browseable = No

[public]
        comment = Public Stuff
        path = /srv/samba/Public
        write list = @users

[smbprt]
        comment = Samba shared cups printer smbprt
        path = /var/spool/cups
        read only = No
        create mask = 0700
        guest ok = Yes
        printable = Yes
        postscript = Yes
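
The sample configuration above sets null passwords = Yes and allows guest access to the writable [profiles] share, while the Windows Networking section recommends requiring encrypted passwords. The following Python check for those three conditions is an added example, not part of the original cookbook or of Samba; SAMPLE_SMB_CONF is a constructed excerpt of the configuration above, the function names are hypothetical, and an unset encrypt passwords is assumed to mean No.

```python
# Added example: flag smb.conf settings that weaken authentication.
# SAMPLE_SMB_CONF is a constructed excerpt of the sample configuration above.
SAMPLE_SMB_CONF = r"""
[global]
        null passwords = Yes
[netlogon]
        guest ok = Yes
[profiles]
        read only = No
        guest ok = Yes
[printers]
        read only = No
        guest ok = Yes
        printable = Yes
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def is_true(params, names, default=False):
    """Boolean value of the first parameter in names that is set."""
    for name in names:
        if name in params:
            return params[name].lower() in TRUE_WORDS
    return default


def audit(text):
    """Return a list of (section, finding) tuples."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if is_true(glob, ["null passwords"]):
        findings.append(("global", "accounts with empty passwords may log in"))
    # Assumption: an unset "encrypt passwords" means No (Samba 2.2 default).
    if not is_true(glob, ["encrypt passwords"]):
        findings.append(("global", "encrypted passwords are not required"))
    for section, params in conf.items():
        if section == "global":
            continue
        eff = {**glob, **params}  # share parameters in [global] act as defaults
        guest = is_true(eff, ["guest ok", "public"])
        writable = (not is_true(eff, ["read only"], default=True)
                    or is_true(eff, ["writable", "writeable", "write ok"]))
        # Print queues need a writable spool, so only file shares are flagged.
        if guest and writable and not is_true(eff, ["printable", "print ok"]):
            findings.append((section, "guests can write to this share"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run testparm first to confirm the file parses, then pass the contents of /etc/samba.d/smb.conf to audit().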



 
















References and Further Reading












Feedback

What did you find particularly helpful in this cookbook? Are there mistakes in this documentation? Could it be organized to be more useful? Did we leave out information you need, or include unnecessary material? If so, please tell us.

To help us implement your suggestions please email relevant details, such as cookbook title and section name to:

olbo@caldera.com

NOTE: We cannot provide technical support via the above alias. For answers to technical questions, please contact your Caldera Support Provider or visit http://www.caldera.com/support for details of support offerings that are available to you.

Thank you.


Copyright © 2002, Caldera International. All Rights Reserved Worldwide. Caldera International assumes no responsibility for the accuracy or completeness of the information in this document. The use of this information or the implementation of any of these techniques is a customer responsibility and depends upon the customer's ability to evaluate and integrate them into the customer's operational environment. Information in this document is subject to change without notice, and does not imply a commitment on the part of Caldera.

Caldera, the Caldera logos, OpenLinux, and Webmin are trademarks or registered trademarks of Caldera International, Inc. in the USA and other countries. Linux is a registered trademark of Linus Torvalds. Netscape and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation. All other brand and product names are trademarks or registered marks of the respective owners.

Copyright © 2002, Caldera International, Inc. All Rights Reserved Worldwide.

Caldera Legal: http://www.caldera.com/company/legal/