Setting up File and Print Services Using Samba with OpenLinux™ Server Release 3.1.1

by Robert Borchert

Version 1.0

Objectives
Introduction
Requirements
Installing Samba
Configuring Samba

Understanding Windows Domains
Configuring Disk Shares
Configuring Printer Shares
Configuring Users

Configuring Windows Clients to connect to Samba

Authenticating against Samba
Mapping Drives to shares
Adding Printers

Advanced Topics

Domain Controllers
WINS Services
Using SWAT
Samba Files

References and Further Reading

Samba Web Pages
Samba Documentation
O'Reilly's Samba Book

Feedback

Objectives

When you have finished reading this cookbook you should:

Know how to configure Samba to share OpenLinux resources
Understand the various roles Samba can play in a Windows Network
Be able to configure Windows clients to access Samba resources

Introduction

Samba is the open source package used by OpenLinux™ 3.1.1 to provide File and Print services to Windows clients. This Cookbook will give basic guidelines on how to configure Samba to share OpenLinux files and printer resources using Webmin™.

Requirements

In this Cookbook we assume that you have a configured and working network.

Previous knowledge helpful:

Your existing Windows Network configuration
Windows Networking, Workgroups, and Domains
TCP/IP Networking Concepts, DNS, subnets, routing

Prior configurations should include:

Apache Webserver
Webmin Administration Tool
CUPS printing

Installing Samba

Samba should be installed by default on OpenLinux 3.1.1 Server in the "File and Print" and "All Packages" installation personalities.

To verify that Samba is installed:


     [root@smblab3 samba.d]# rpm -qa|grep samba



     samba-2.2.2-4



     samba-doc-2.2.2-4







     [root@smblab3 samba.d]# rpm -V `rpm -qa|grep samba`



     S.5....T c /etc/samba.d/smb.conf



     S.5....T c /etc/samba.d/smbusers

(configuration files might be reported as being changed, this is expected)

To (re)install Samba, you can either use the RPMs on your OL311 Server media, or download them from:

ftp://ftp.caldera.com/pub/OpenLinux3.1.1/Server/RPMS/

The Samba RPMs that are shipped with OpenLinux3.1.1 Server are:

samba-2.2.2-4.i386.rpm
samba-doc-2.2.2-4.i386.rpm
smbfs-2.2.2-4.i386.rpm
swat-2.2.2-4.i386.rpm
libsmbclient-2.2.2-4.i386.rpm

Use the rpm command to install any missing packages:


     [root@smblab3 samba.d]# rpm -i samba-2.2.2-4.i386.rpm

To start Samba, either use the KDE Kontrol Center, or use the samba command:


     [root@smblab3 samba.d]# samba start

To check that Samba is running, you can check the process table for the Samba daemons nmbd and smbd:


     [root@smblab3 samba.d]# ps -ef|grep mbd



     root     10000     1  0 09:27 ?        00:00:00 smbd -D



     root     10003     1  0 09:27 ?        00:00:00 nmbd -D



     root     10005 10003  0 09:27 ?        00:00:00 nmbd -D

You can also check the status of these services with the samba command:


     [root@smblab3 samba.d]# samba status



     Checking status of samba service: nmbd smbd.

There are several ways to configure Samba, including command line configuration, SWAT - Samba Web Administration Tool and Webmin - The Web Administration Tool. For the Cookbook we will discuss how to configure Samba with Webmin (where possible).
(See the Using SWAT and Samba Files sections under Advanced Topics for more information.)

Using your browser, follow this key to find the main configuration page for Samba in Webmin:

     https://localhost:1000  



       -or-



     https://remote.samba.server.com:1000 (with webmin configured for remote use)







     Login with root or admin account







     Choose Servers->Samba Windows File Sharing

     Scroll down to Global Configuration section







     Choose Windows Networking

Understanding Windows Domains

There are 3 different roles Samba can play in a Windows network:

Member of a Workgroup(stand-alone)

Member of a Domain

Domain Controller

no login authentication (NOT recommended)

joining an NT Domain

replacement for an NT Domain Controller

Member of a Workgroup(stand-alone) Member of a Domain Domain Controller	no login authentication (NOT recommended) joining an NT Domain replacement for an NT Domain Controller

Which role Samba should play will depend upon your existing Windows network configuration, if you have an NT Domain to join, an NT server to replace or want to be part of an existing Workgroup. If you are setting up a new Windows network you may want Samba to be the Domain Controller.

We will discuss how to configure each role, for more information on Domains, see Advanced Topics.

In all roles it is important that the server name used by Samba is unique within the Windows network. Be aware that the term Workgroup is used to refer to either the Workgroup Name or the Domain Name. The difference between Workgroup and Domain is only the security model used within the group of machines in the Windows network. This name should be common on all machines in the same group.

In Webmin on the Windows Networking page for Samba there are only a few key items that need to be configured, while the defaults for the other parameters will work for most networks. Here is a table to help you configure Samba for the 3 common roles.

Samba Role Samba configuration in Webmin

Stand-alone
(NOT recommended)

Workgroup = Common Workgroup Name

Security = User-Level

additionally, for Windows 95/98/ME clients,
configure the smb.conf parameter
domain logons = No

Domain Member

Workgroup = NT Domain Name to join

Security = Domain

Master Browser? = No

WINS Mode = WINS server IP address

Password server = *

Machine account in that NT domain

(see Advanced Topics ) for more information
about WINS and Domains

Domain Controller

Workgroup = Domain Name to control

Security = User-Level

Master Browser? = Yes

WINS Mode = Be a WINS server

additionally, for Windows 95/98/ME clients,
configure the smb.conf parameter
domain logons = Yes

After making changes on the Windows Networking page you will need to click "Save" to write the changes to the Samba configuration file.
Additionally, it is recommended that you require encrypted passwords:

Samba Role	Samba configuration in Webmin
Stand-alone (NOT recommended)	Workgroup = Common Workgroup Name Security = User-Level additionally, for Windows 95/98/ME clients, configure the smb.conf parameter domain logons = No
Domain Member	Workgroup = NT Domain Name to join Security = Domain Master Browser? = No WINS Mode = WINS server IP address Password server = * Machine account in that NT domain (see Advanced Topics ) for more information about WINS and Domains
Domain Controller	Workgroup = Domain Name to control Security = User-Level Master Browser? = Yes WINS Mode = Be a WINS server additionally, for Windows 95/98/ME clients, configure the smb.conf parameter domain logons = Yes

Choose "Authentication" within the Global Configuration Section
Use encrypted passwords? = Yes
Allow null passwords? = No
Scroll down and click on "Save", again.

Domain Logons for Windows 95/98/ME clients
This parameter cannot be controlled through Webmin. You must add this parameter to the "[global]" section of the file /etc/samba.d/smb.conf

     domain logons = [Yes|No]

Or you can use SWAT to control this parameter:

     GLOBALS->Advanced View->Logon Options    (Commit Changes)

Configuring Disk Shares

To share files on the local disk to others in your workgroup using Webmin:

Choose the "Servers" tab and "Samba Windows File Sharing", again
Under the share list find the link "Create a new file share",
Fill in the form, associating a sharename with the directory you want to share
Click on "Create"

The sharename you choose will be used by clients to access the files in the directory you specify here.

You can also access Windows disk shares from OpenLinux. To connect the Windows share to a OpenLinux directory (mount point), use the commands:

     [root@smblab3 root]# mkdir /MOUNTPOINT



     [root@smblab3 root]# smbmount //WINDOWS_CLIENT/SHARENAME /MOUNTPOINT



     [root@smblab3 root]# cd /MOUNTPOINT



     [root@smblab3 root]# ls -l

Configuring Printer Shares

To Configure OpenLinux Printers in Webmin

It is recommended that you use CUPS to configure your OpenLinux printers

KDE->Kontrol_Center->System->Printer_Manager
Click on the "Magic Wand" for the printer wizard
Choose the type of printer and provide specific information

Choose the "Hardware" tab and click on "Printer Administration"
Find the link "Add a new printer", this will bring up a "Create Printer" page
Fill in the form, providing a printer name, destination and driver information
Click on "Create"

To Configure Samba to share a OpenLinux printer with Windows clients

By default Samba is configured to share all printers through the "All Printers" share. However, you may want more control over your printers.

To add additional printer share definitions

Choose the "Servers" tab and "Samba Windows File Sharing", again
Under the share list find the link "Create a printer share",
Fill in the form, choosing a sharename and associate it with the printer you want to share
Use the spool directory "/var/spool/samba"
Click on "Create"

To Configure OpenLinux to access a Windows shared printer

Follow the steps above to get to the "Create Printer" page in Webmin
This time choose "Remote Windows Server" as the destination, and
Provide the Windows server name, printer name and authentication info

Configuring Users

All users need both local system accounts and Samba accounts to access Samba shares.

If you have a lot of existing OpenLinux users that you wish to add to Samba, you may want to use the "Convert Unix® users to Samba users." link below Samba's Global Configuration section in Webmin to automatically add Samba accounts for those users.

User synchronization can also be configured through the link, "Configure automatic Unix and Samba user synchronisation". Here you can choose to have a Samba account automatically created when an OpenLinux user is added.

Adding users can also be done at the command line.

To add a local system account that allows OpenLinux logins:

     [root@smblab3 samba.d]# useradd -m -s /bin/sh smbuser3



     [root@smblab3 samba.d]# passwd smbuser3



     New user password:



     Retype new user password:



     [root@smblab3 samba.d]#

Or if you want to create Samba-Only Users that don't allow direct logins into OpenLinux, set the shell for the system account to /bin/false:

     [root@smblab3 samba.d]# useradd -m -s /bin/false smbuser3



     [root@smblab3 samba.d]# passwd smbuser3



     New user password:



     Retype new user password:



     [root@smblab3 samba.d]#

Set the default shell for the useradd command in the file, /etc/default/useradd.

To add the Samba account:

     [root@smblab3 samba.d]# smbpasswd -a smbuser3



     New SMB password:



     Retype new SMB password:



     Added user smbuser3.



     [root@smblab3 samba.d]#

We suggest that you use the same password for both accounts.
Samba account information is stored in the file /etc/samba.d/smbpasswd. For a list of Samba users you could use the command:

     [root@smblab3 samba.d]# cat /etc/samba.d/smbpasswd|cut -f1 -d:

Restarting Samba
After changing the configuration of Samba, you must restart the server for the changes to take effect. In Webmin, simply scroll down and click on "Restart Samba Servers". You can also restart Samba with the samba command:


     [root@smblab3 samba.d]# samba restart

KDE->Kontrol_Center->System->Startup->Services
Scroll down in the list to find Samba
Click the Samba Box and "Apply"

This will modfiy the ONBOOT parameter in the file /etc/sysconfig/daemons/samba.

Configuring Windows Clients to connect to Samba

Authenticating against Samba
Mapping Drives to shares
Adding Printers

There are several versions of Windows clients, too many to describe in detail how to configure each one for each type of Windows network. So we will assume that you know where to modify your Windows configuration data for your version. Typically this data can be changed under:

     Control Panel->Network->Indentification



     Control Panel->Network->Client for Microsoft Networks->Properties



     Network Neighborhood->Properties->Client for Microsoft Networks->Properties

As there were different roles for Samba to play in the Windows network, Windows systems can also play different roles. Windows 95/98/ME can be clients of workgroups or domains, but not domain controllers. While Windows NT/2000/XP can be, either domain members or controllers. All Windows clients need to be configured to match the network and server that they wish to connect to.

Authenticating against Samba

For the Windows client to be able to access the File and Print resources being shared by Samba, the client must first provide the appropriate credentials. Credentials define the level of authorization, authentication and access-control for requests of the Samba server. The clients' configuration must match the security level of the server.
Here is a table showing which client configuration is needed to access Samba shares in each of the three roles.


Samba Role	Windows client configuration
Stand-alone	Unique name identification Matching Workgroup Name WINS server set to the Samba server NOT configured to log on to NT domain Accounts on the Samba server *
Domain Member	Unique name identification Matching Domain Name WINS server set to the Domain's WINS server Configured to log on to that NT domain name Accounts in that NT domain
Domain Controller	Unique name identification Matching Domain Name WINS server set to the Samba server Configured to log on to that domain name Accounts on the Samba server *
* NT/2000/XP Systems also need machine accounts on the Samba server * (see Advanced Topics ) for more information about WINS and Domains

After restarting Windows and logging in you should find the Samba shares available under:

     Network Neighborhood->Entire Network->DOMAIN_NAME->SAMBA_SERVER_NAME

Mapping Drives to shares

You could access the Samba shares through Network Neighborhood, but for convenience you may want to map a drive letter to a Samba share. Use Windows Explorer (not Internet Explorer):

      Explorer->Tools->Map Network Drive.

Choose an available drive letter and associate it with the Samba share and pathname with this syntax:

     \\SAMBA_SERVER_NAME\SHARENAME\PATHNAME

Adding Printers

You can make Samba printers available to Windows clients through:

      Control Panel->Printers->Add Printers

Add a Network printer which points to the Samba shared printer with this syntax:

     \\SAMBA_SERVER_NAME\PRINTER_SHARENAME

Continue and choose the matching driver for the printer

Advanced Topics

Domain Controllers
WINS Services
Using SWAT
Samba Files

Windows networking is based around the NetBIOS and SMB protocols.

NetBIOS runs on top of TCP/IP and uses a system of name registration. This system requires that machines register with, their IP address, a unique name, and a common domain or workgroup name to communicate with each other. The NetBIOS protocol regulates that this registration happens over IP broadcast. Registration is allowed unless another machine responds to the broadcast claiming the same name.

SMB or Server Message Block protocol runs on top of NetBIOS. SMB controls the authenticating of clients when they request access to resources. In domain security networks, a database of ACLs (Access Control Lists) are stored and checked before access to a resource is allowed This database contains entries for users, machines, and specific resources that are shared within a domain
NETBEUI is another protocol that is sometimes used for Windows networking. NETBEUI (NetBIOS Enabled User Interface) is similar to NetBIOS, but without TCP/IP. Without TCP/IP, NETBEUI is not routable and not currently supported by Samba.

Domain Controllers

Domain Controllers provide the authentication and access control services that protect network resources. These services have 2 aspects:

The authentication and access control processes

Samba provides these protocols and is fully compatible with Windows 95/98/ME/NT/2000/XP. Samba can be a Domain Controller but it's most common role is to be a member of an existing Windows security domain.

The location of the authentication databases

Samba can be configured to store these locally or access a remote authentication server, hosted by either another Samba server, or more commonly by a Windows NT/2000/XP domain controllers.
Samba does not currently provide the facilities to replicate the authentication databases. This replication was the purpose for MS NT4 Primary and Backup Domain Controllers.

Samba can also be configured to provide any of these services:


Local Master Browser Domain Master Browser Netlogon Server WINS Services	Provides clients with a view of domain resources available Coordinater of views for Local Master Browsers Provides logon authentication Provides NetBIOS name resolution

Domain Controllers require Domain Members (Windows NT/2000/XP not 95/98/ME) to have machine accounts.
If Samba is acting as the Domain Controller, Domain Members need accounts in both the SMB database and the OpenLinux password database.

You can add machine accounts to OpenLinux, using the commands:

     [root@smblab3 root]# useradd -d /dev/null -s /bin/false smblab4\$



     [root@smblab3 root]# passwd -l smblab4\$



     Password changed.



     [root@smblab3 root]#

NOTE: The "$" suffix is required for machine accounts.

You can add machine accounts to Samba's SMB database with the command:

     [root@smblab3 root]# smbpasswd -a -m smblab4



     Added user smblab4$.



     [root@smblab3 root]#

If Samba is playing the role of a Domain Member it requires an machine account in the Domain Controller's database

There are 2 steps to joining an existing NT Domain

On a Domain Controller, use the server manager to add a machine account for the Samba server as if it were an NT Workstation/Server
On the Samba server, BEFORE! starting Samba, issue the command:

     [root@smblab3 samba.d]# smbpasswd -r PDC_NAME -j DOMAIN_NAME







     [root@smblab3 samba.d]# samba start

WINS Services

Not only does each client, domain member and domain controller need to register it's name with NetBIOS, but each service that a machine provides must also be registered with NetBIOS names.

Because many NetBIOS names can be for the same machine, there are additional codes which identify what the name is registering. And since some names must be unique and others aren't, names are registered as either "Unique" or "Group" names.

These names are being registered, queried, and re-registered frequently. With the default behavior being to use broadcasts, it doesn't take too many machines to cause a lot of name resolution traffic on the network.

Since broadcast are not allowed to cross subnets, any Domain that spans multiple subnets, requires WINS. The Domain Master Browser needs WINS to be able to coordinate a list of available resources for the Local Master Browsers, so they can provide a consistant "Network Neighborhood" view to the clients in the domain.

Using WINS helps busy Windows networks tremendously. Since clients can ask the WINS server directly for name resolution information, the extra broadcasts traffic is eliminated.

Once a WINS server is designated, all clients should be configured to point to it. For Windows clients provide the IP address of the WINS server under the client's networking configuration section.

To configure Samba for WINS in Webmin:

Choose the "Servers" tab and "Samba Windows File Sharing", again
Scroll down to Global Configuration section
Choose Windows Networking

Be a WINS server
Use a WINS server (specify WINS server's IP address)
Neither

If the Samba server is the Domain Controller or working in Stand-Alone mode, you probably want Samba to be the WINS server also, otherwise, point to the WINS server for the Domain that Samba is joining.

Using SWAT

SWAT is the Samba Web Administration Tool. It is developed by the same team that develops Samba, while Webmin is developed separately. It is important to realize that Webmin may not be in sync with all of the options available in newer versions of Samba, while SWAT is updated in conjunction with Samba. If you update Samba you should also update SWAT and use it as a configuration tool. In OpenLinux 3.1.1, we have shipped versions that are in sync, although not all options for Samba are configurable through Webmin. While we believe that most common configurations will be satisfied through Webmin, you may want to use SWAT to see the many options available for Samba, which make it very configurable.
Both tools update the same configuration file.

There are 2 ways to get to SWAT, through Webmin use the SWAT icon in Samba's Global Configuration section or use the URL:

     http://localhost:901

Once you've logged into SWAT you will find links to documentation and icons to modify the various configuration parameters for Samba. You should recognize the parameters that we have discussed under the "GLOBALS" icon. All of these parameters may be a bit overwhelming, perhaps making SWAT a more difficult interface to use for first time administrator.
Note that there is a problem using SWAT to add users, this problem will be fixed in the next release of SWAT. Use the methods described above in the Configuring Users section of this document to add users.

Samba Files

Use the Samba man pages for detailed information on Samba's commands and files. Here's a table listing the location and description of some of the more important Samba files:


Configuration Files
/etc/samba.d/smb.conf /etc/samba.d/smb.conf.sample /etc/samba.d/smbpasswd /etc/samba.d/smbusers	Main configuration file Helpful comments and sample settings Accounts database User Mappings
Log Files
/var/log/samba.d/log.smbd /var/log/samba.d/log.nmbd /var/log/samba.d/smb.CLIENTNAME	Log file for smbd daemon Log file for nmbd daemon Log file for Client connections
Daemons
/usr/sbin/smbd /usr/sbin/nmbd	SMB Server NetBIOS Name Server
Commands
/usr/sbin/samba /usr/bin/smbpasswd /usr/bin/smbmount /usr/bin/smbstatus /usr/bin/smbclient /usr/bin/nmblookup /usr/bin/findsmb /usr/bin/testparm	Control Samba daemons Update account databases Connect Disk shares Report current connections ftp-like client to SMB shares NetBIOS Name querries SMB Machine querries Configuration file verification

/etc/samba.d/smb.conf

Sample configuration for Samba as the Domain Controller for the Cookbook Domain:

# Global parameters



[global]



        workgroup = COOKBOOK



        netbios name = SMBLAB3



        server string = Samba Server on Caldera OpenLinux



        null passwords = Yes



        username map = /etc/samba.d/smbusers



        password level = 8



        username level = 8



        log file = /var/log/samba.d/smb.%m



        max log size = 200



        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192



        logon path = \\%L\Profiles\%U



        logon home = \\%L\Profiles\%U



        domain logons = Yes



        os level = 35



        preferred master = True



        domain master = True



        dns proxy = No



        wins support = Yes



        printing = cups



        printer name = printer1







[homes]



        comment = Home Directories



        path = %H/Samba



        username = %S



        valid users = %S



        read only = No



        create mask = 0750



        only user = Yes



        browseable = No







[netlogon]



        comment = Samba Network Logon Service



        path = /srv/samba/netlogon



        guest ok = Yes







[profiles]



        path = /srv/samba/profiles



        admin users = root



        read only = No



        guest ok = Yes



        browseable = No







[printers]



        comment = All Printers



        path = /var/spool/cups



        read only = No



        create mask = 0700



        guest ok = Yes



        printable = Yes



        browseable = No







[public]



        comment = Public Stuff



        path = /srv/samba/Public



        write list = @users







[smbprt]



        comment = Samba shared cups printer smbprt



        path = /var/spool/cups



        read only = No



        create mask = 0700



        guest ok = Yes



        printable = Yes



        postscript = Yes

References and Further Reading

Samba Web Pages

Samba Documentation

Webmin
SWAT
command line (man pages)
Samba's Web Pages

O'Reilly's Samba Book

http://www.oreilly.com/catalog/samba/chapter/book/

Robert Eckstein, David Collier-Brown, Peter Kelly
1st Edition November 1999
1-56592-449-5, Order Number: 4495

Feedback

What did you find particularly helpful in this cookbook? Are there mistakes in this documentation? Could it be organized to be more useful? Did we leave out information you need, or include unnecessary material? If so, please tell us.

To help us implement your suggestions please email relevant details, such as cookbook title and section name to:

olbo@caldera.com

NOTE: We cannot provide technical support via the above alias. For answers to technical questions, please contact your Caldera Support Provider or visit http://www.caldera.com/support for details of support offerings that are available to you.

Thank you.

Copyright © 2002, Caldera International. All Rights Reserved Worldwide. Caldera International assumes no responsibility for the accuracy or completeness of the information in this document. The use of this information or the implementation of any of these techniques is a customer responsibility and depends upon the customer's ability to evaluate and integrate them into the customer's operational environment. Information in this document is subject to change without notice, and does not imply a commitment on the part of Caldera.

Caldera, the Caldera logos, OpenLinux, and Webmin are trademarks or registered trademarks of Caldera International, Inc. in the USA and other countries. Linux is a registered trademark of Linux Torvaldsl Netscape and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation. All other brand and product names are trademarks or registered marks of the respective owners.

Caldera Legal: http://www.caldera.com/company/legal/