To most mortals on planet Earth, Samba is the name of a pleasant dancing rhythm of Brazilian origin. To Linuxers and other UNIX users the word has a completely different meaning: Samba is a software package, developed originally by Australian Andrew Tridgell, which adds Windows-style file and printer sharing capability to a Linux server.
It was possible even before Samba to view the contents of a Linux disk drive over the network and print to a printer connected to your Linux server. All you needed was some third-party software that was capable of communicating with NFS (Network File System) servers or printing to UNIX-style network printers. No problem... except that these packages were notoriously unreliable, slow, and expensive.
Samba approaches the problem from the other way around. Rather than teaching Windows how to talk to a UNIX server, it teaches the UNIX server to act like a Windows host sharing its resources. The result is a fast, highly reliable, commercial grade implementation that is recommended for everyone. Best of all, Samba is free! (But this really isn't news in the world of Linux, is it?)
You know the routine: You right-click on a drive or directory in Windows Explorer and make it a shared resource. This permits others to access the contents found here, with or without using a password, at your discretion.
If you're old-fashioned, or using a DOS machine, you can still do the same thing: if network drivers are installed, you use the net use and net share commands to access, or make accessible, resources on a network computer.
In either case, the magic behind the scenes is performed by SMB, the Server Message Block protocol. This protocol is used by Microsoft operating systems to implement most network functionality.
Samba is a UNIX implementation of the SMB protocol. The basic Samba package provides the tools necessary to share UNIX directories and printers for use by DOS and Windows machines across the network. It also contains utilities that allow you to access shared DOS and Windows resources from a UNIX machine.
In practical terms, Samba allows you to turn a Linux machine into a file and printer server on a Windows network.
NOTE: Samba uses TCP/IP networking. Because of this, on any DOS or Windows machine that you intend to use with Samba, TCP/IP networking must be installed, and NetBIOS over TCP/IP must be enabled. On Windows machines that also have a modem-based Internet connection, you might want to enable NetBIOS over TCP/IP on the local area network (LAN) interface. But, you should disable NetBIOS over TCP/IP on the serial (PPP) interface to improve security.
Samba is a suite of several programs. The two key program files are smbd and nmbd. The first of these, smbd, implements most of the SMB services that Samba provides. The other key component, nmbd, provides NetBIOS name service; it allows other computers to browse the resources provided by the Samba server.
The most useful supplementary component of the Samba suite is smbclient. This program provides an interface similar to that of an FTP client for accessing shared resources on other computers in an SMB network. The suite also contains other components such as monitoring and configuration tools.
By default, Samba executable files are installed in the /usr/local/samba/bin directory. However, in specific distributions, the location may be different. If Samba is installed from the CD-ROM included with this book, these executables are deposited in /usr/bin.
As usual, with software packages, the first step of Samba installation is obtaining a copy of the software.
If you're installing Linux from a CD-ROM, chances are that a copy of Samba is already available on that distribution. (This is certainly the case if you are using the CD-ROM that accompanies this book.)
If you do not have a copy of Samba, or if you want to install the latest version, the best place to look is the Web site: http://www.samba.org/. Here you'll be able to find links to an FTP download site that is near you.
Samba is usually distributed in source code form. If you obtained a copy of Samba from the Internet, it might be necessary to follow the instructions in the readme files contained within to compile and install the package.
Most Samba settings are contained in a configuration file, smb.conf. By default, this file is under /usr/local/samba/lib. However, specific distributions may place the file in other locations; most notably, the version of Caldera OpenLinux that is found on the CD-ROM attached to this book places this file in /etc/samba.d.
The general format of this file should be familiar to those of you who have edited Windows .INI files. The file is divided into sections, and each section contains one or more parameters. Sections are identified by the section name, which is in square brackets; parameters appear on separate lines, with the parameter's name and value separated by the equal sign:
[section1]
parameter1=value1
parameter2=value2
[section2]
...
Another similarity with Windows .INI files is that lines beginning with a semicolon are treated as comment lines; that is, these lines are ignored when the configuration file is parsed.
The Samba configuration file contains three special sections: global, homes, and printers. All other sections identify individual shared resources, with the section header serving as the resource's name.
The only mandatory section of the Samba configuration file is the global section. This section, as its name implies, contains general configuration parameters that govern the behavior of Samba. These settings are critical for the correct operation of Samba. They are also used to ensure that Samba operates securely, allowing access to shared resources only by authorized users.
In the rest of this section, some of the most important global parameters are described. For a more complete description, please refer to the Samba documentation (in particular, the smb.conf manual page is very informative).
The workgroup parameter specifies the name of the Windows workgroup that this computer will be a member of. The server string parameter specifies the machine's human readable name; this string will appear as the computer's name when you browse the network from other workstations.
Note that it is also possible to make a Linux Samba server a member of a Windows NT domain.
When you run a Samba server, obviously you don't want the whole world to access the files that it has. This problem was less prominent on Windows networks, which traditionally didn't use TCP/IP as the underlying network transport for SMB transactions. With Samba and TCP/IP, restricting access to your server becomes a real concern because, in principle, anybody in the world can interrogate your Samba server if it is connected to the Internet.
As a matter of course, Samba implements the password security found in Windows networks. However, the degree of security offered by this feature is weak; moreover, shared resources are often not password protected on an internal network. Let's examine Samba parameters and their roles:
Samba can log many events. The log file parameter specifies the name of the file where these log entries are placed. The size of the file can be limited using the max log size parameter.
Samba can send and receive passwords (used for logging on to Samba or to another server and access resources) in encrypted form. This feature is used in one of two cases: Either you're using Windows NT and having trouble logging in (more about this situation in a moment) or you don't want anyone equipped with the right software tools on your LAN to be able to snoop passwords.
Password encryption is turned on using the encrypt passwords parameter. Samba maintains its own password file where passwords can be set using the smbpasswd utility. The password file's name is specified using the smb passwd file parameter.
Oftentimes user identifiers differ on Windows and Linux systems. The obvious example is the root user of UNIX; the system administrator account is called Administrator on Windows NT. To resolve such differences, Samba can make use of an auxiliary file that maps usernames. The name of this file is specified through the username map parameter.
On most UNIX systems (Linux is no exception) the printers attached to the computer are enumerated in the file /etc/printcap. With the load printers parameter, Samba can be instructed to make the printers listed in this file automatically available to authorized users. The printcap name parameter specifies the name of the printcap file (if different from the default, usually /etc/printcap). Other printer-related parameters such as print command and printing specify how printers will be accessed.
On my test system, the smb.conf file is located in the /etc/samba.d directory. Its global section contains the following settings:
[global]
workgroup = VTTOTH
server string = Caldera Samba Server
hosts allow = 192.168.1. 127.
printing = bsd
printcap name = /etc/printcap
print command = /usr/bin/lpr -h -r -s -P%p %s
load printers = yes
guest account = nobody
log file = /var/log/samba.d/smb.%m
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /etc/samba.d/smbpasswd
username map = /etc/samba.d/smbusers
interfaces = 192.168.1.1/24
The workgroup name happens to be the workgroup name in use on the LAN to which the test machine is attached. The hosts allow parameter lists, in addition to the network address in use for the LAN, the loopback address as well. Also, note the format of the log file parameter; the %m part at the end instructs Samba to append the connecting machine's name to the log filename. This way, accesses from different computers are logged to different files.
I also enabled encryption, which allows me to access the Samba server from recent versions of Windows NT without difficulty. More about this in the following sections.
So how do you make shared directories available through a Samba server?
First, Samba can make users' home directories available automatically. Second, you can specify individual shared directories by adding the appropriate entries to the Samba configuration file.
Users can access their own home directories via Samba if the homes section is present in the Samba configuration file. On larger systems, this saves you the trouble of having to explicitly share each individual user's directory in the Samba configuration file.
The homes section should contain at least four parameters. The public parameter determines whether the directories can be accessed anonymously. Except for rare circumstances, you'd want to set this parameter to no; otherwise, everybody will be able to read everybody else's files on the server.
The read only parameter determines whether files can be written to. Again, set it to no unless you don't want users to be able to modify files in their Linux directory via Samba.
The create mode parameter specifies the file permissions that Samba will use on files it creates. The format is identical to the numeric format used with the chmod command (see man chmod for more). Setting this parameter to 0700 ensures that any newly created files will only be readable or writable by the file's owner.
Finally, the map archive parameter determines how Samba handles the DOS/Windows "archive" bit. DOS and Windows mark files that have been written to with this flag; the flag is usually cleared when a backup program creates a copy of the file. UNIX has no similar flag, so Samba has the capability to map it to the UNIX executable flag (which has no equivalent under DOS). The downside is that a file written to a Samba shared directory will automatically become marked as an executable program, so it's best to leave this option turned off.
To share a directory over the network, create a new section in the Samba configuration file. The section's name will be the name of the share on the network. The actual location of the shared directory is determined by the path parameter.
The type of access to the shared directory is determined by a set of parameters. These include public (when set to yes, it allows anonymous access to the share), writable (when set to no, disallows write access to the directory), printable (set to no unless the shared resource is a printer), and map archive (as described earlier).
On my test system, I allow access to users' home directories (given that I am the only user on this system, it was an easy choice to make). Additionally, I also share the test system's CD-ROM drive. To do this, I have the following sections in my Samba configuration file:
[homes]
public = no
read only = no
create mode = 0700
map archive = no

[cdrom]
path = /mount/cdrom
public = no
writable = no
printable = no
map archive = no
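The settings this chapter singles out (hosts allow, encrypt passwords, public, writable, create mode and map archive) can be checked mechanically. The following Python script is an added example, not part of the original chapter or of Samba; it parses smb.conf text and reports those settings. The [scratch] share in the sample is constructed, and parameters absent from the file are treated as unset rather than given Samba's built-in defaults.

```python
import configparser

# Constructed sample: settings from this chapter's [global], [homes] and
# [cdrom] sections, plus a deliberately weak [scratch] share for contrast.
SAMPLE_CONF = """\
[global]
workgroup = VTTOTH
hosts allow = 192.168.1. 127.
security = user
encrypt passwords = yes
log file = /var/log/samba.d/smb.%m

[homes]
public = no
read only = no
create mode = 0700
map archive = no

[cdrom]
path = /mount/cdrom
public = no
writable = no
map archive = no

; constructed weak share, not from the chapter
[scratch]
path = /tmp/scratch
public = yes
writable = yes
create mode = 0777
"""

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def load_conf(text):
    """Parse smb.conf text; ';' and '#' start comments, '=' is the only separator."""
    parser = configparser.ConfigParser(
        interpolation=None,          # keep Samba macros such as %m literal
        delimiters=("=",),
        comment_prefixes=(";", "#"),
        strict=False,                # tolerate repeated parameters
    )
    parser.read_string(text)
    return parser


def param(section, key):
    """Return the lower-cased value of a parameter, or None when it is absent."""
    value = section.get(key)
    return None if value is None else value.strip().lower()


def audit(text):
    """Return (section, parameter, message) tuples for settings the chapter warns about."""
    conf = load_conf(text)
    if not conf.has_section("global"):
        return [("global", "", "mandatory [global] section is missing")]
    findings = []
    glob = conf["global"]
    if not param(glob, "hosts allow"):
        findings.append(("global", "hosts allow",
                         "not set: no address restriction on who may connect"))
    if param(glob, "encrypt passwords") not in YES:
        findings.append(("global", "encrypt passwords",
                         "not enabled: passwords cross the LAN unencrypted"))
    for name in conf.sections():
        if name == "global":
            continue
        share = conf[name]
        public = param(share, "public") in YES
        writable = param(share, "writable") in YES or param(share, "read only") in NO
        if public:
            findings.append((name, "public", "anonymous access is allowed"))
        if public and writable:
            findings.append((name, "writable", "anonymous users can write"))
        if param(share, "map archive") in YES:
            findings.append((name, "map archive",
                             "files written via Samba become executable"))
        mode = param(share, "create mode") or param(share, "create mask")
        if mode and int(mode, 8) & 0o077:
            findings.append((name, "create mode",
                             "new files are accessible to group or others"))
    return findings


if __name__ == "__main__":
    for section, parameter, message in audit(SAMPLE_CONF):
        print(f"[{section}] {parameter}: {message}")
```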
There are two ways to share a printer on a Samba-equipped Linux server. You can instruct the server to share any printers it finds in the /etc/printcap file automatically; or, you can explicitly share individual printers by adding sections to the Samba configuration file.
Linux, like most versions of UNIX, has an advanced background printing facility. At the core of this facility is lpd, the line printer daemon. This program is usually started when the system boots and runs in the background monitoring print spool directories.
The file /etc/printcap describes all the printers attached to your Linux machine. This file can get quite complicated if advanced features are used, but for a single general-purpose printer, a single line can suffice. For instance
This entry describes a line printer attached to /dev/lp1. (What is known as LPT1 under MS-DOS appears as either lp0 or lp1 under Linux systems, depending on your actual hardware configuration.) It also assigns the spool directory /sr/spool/lp1 to this printer; when files are being printed, this directory is used for temporary storage.
NOTE: If the Linux distribution you use has a graphical configuration tool, you might want to use that tool to set up printers instead of editing /etc/printcap by hand. For instance, if you installed Caldera OpenLinux from the attached CD-ROM along with the X Window System, you may be able to use the Caldera's configuration tool for printer setup.
Once a printer is properly configured, you can send print jobs to the print spooler using the lpr command. For example, to print your /etc/inittab file you'd type
The lpq command can be used to examine the current contents of the print queue. Typing lpq will list all pending print jobs.
Typically, printers on a Samba server are shared by adding a [printers] section to the Samba configuration file. This allows any printers listed in /etc/printcap to be shared via Samba.
Settings in this section are similar to those used when sharing directories. Most importantly, make sure that you include printable = yes. The path parameter specifies the temporary location of the files being spooled to the printer.
To share printers this way, you may also need several settings in the global section of the Samba configuration file, as discussed earlier.
It is also possible to share printers by creating individual sections in the Samba configuration file. However, this method is rarely used and isn't recommended.
First a confession: My test system has no printer attached. The following example is real enough, but it is from a "production" Linux machine that I use as a server on my network. This machine uses an older version of Linux from a Slackware distribution. However, the version of Samba in use is fairly recent, and is almost identical to the version on the CD-ROM included with this book.
The printer attached to this server is an HP LaserJet 6L. I have installed the appropriate printer drivers on my Windows machines, so ideally, Samba and the Linux line printer daemon will pass through print data without any change. To make sure that this is the case, my /etc/printcap file contains the following entry:
NOTE: While on this subject, I'd like to bring to your attention a peculiarity. I've been using a shared printer via Samba for ages; ever since, I've had a problem of an extra blank page being printed at the end of each print run. This was quite annoying, and I could not find a solution. Fortunately, since I print very little, I wasn't bothered by this issue too much.
Now, as I was preparing to write this chapter, I revisited this problem. What I found was an apparent bug in the version of the line printer daemon on this server, which caused a form feed character to be added at the end of each print run even when the file was specified as one that requires no form feed. Therefore, no matter how I configured Samba, when Windows sent a print job to the server, an extra form feed was added in addition to the form feed added at the end of a print job by Windows. This caused the extra blank page to be ejected. Because I was unable to turn off the extra form feed, I had to find another solution: I set the value of the form feed string to an empty value. This is the explanation behind the last element of the printer definition line shown above (ff=).
This printer on this test system is shared on my Windows network via Samba. The global section of my Samba configuration file contains the following entry:
print command = /usr/bin/lpr -h -r -s -P%p %s
This entry differs from the default in one key aspect: The -s flag instructs the line printer daemon not to create a copy of the file being printed but to use a UNIX-style soft link instead. The -r flag tells the daemon to delete the original file when printing is finished. Together, these two settings eliminate an extra copying phase and also make it possible to have print jobs of arbitrary length.
The printers section on this system looks like this:
[printers]
path = /tmp
public = no
writable = no
printable = yes
create mask = 0700
No surprises here. Temporary files are placed in the /tmp directory, the share is marked with the printable flag, and it is only accessible to authorized users (public = no). Note that shared printers do not need to be made writable.
As mentioned earlier in this chapter, Samba supports encrypted Windows passwords. This feature becomes especially important if your network has machines running Windows NT Service Pack 3 or later from which you are trying to access a Samba server.
Starting with Windows NT Service Pack 3, Microsoft modified the behavior of Windows NT systems on a LAN. Previously, when a Windows NT system accessed a shared resource across the network, it attempted to communicate password information in encrypted form first, but if that failed, it re-sent the password without encryption. Beginning with Service Pack 3, Windows NT no longer behaves this way; instead, it reports an authentication failure if the encrypted password cannot be used to access the desired resource. The reason for this change was improved security, preventing passwords from being transmitted in cleartext form without the user's knowledge.
Unfortunately, this was bad news for Samba users. Until recently, Samba did not support encrypted passwords unless you acquired an extension module and recompiled the software yourself. In essence, this meant that it was no longer possible to access a Samba shared resource from Windows NT without reconfiguring Windows NT or going through the non-trivial process of compiling your own patched version of Samba.
As it turns out, changing the behavior of Windows NT is fairly easy; all you need to do is to set the Registry value EnablePlainTextPassword under the Registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\Rdr\Parameters to a value of 1 (a DWORD value). However, you might want to take advantage of the encrypted password facility instead. After all, it is never a bad idea to protect passwords in any way you can!
Enabling encryption is easy with newer versions of Samba. These versions support encrypted passwords "out of the box," with no need for patching or recompiling the software. All you need to do is change a few settings in the configuration file and create a Samba password file.
Here are, once again, the settings that are used to enable encrypted passwords:
encrypt passwords = yes
smb passwd file = location of password file
username map = location of user name map file
The password and username map files require a special format.
The password file contains one line for each user who can access Samba resources using a password. Although some versions of the smbpasswd utility program can create entries in the password file, most of the time it is still the case that entries must be added by hand initially. A typical blank password file entry will look like this:
user:uid:NO PASSWORD:NO PASSWORD:::
The user field contains the name that the user will use to log on to the Samba server. The uid field must correspond with a valid numeric user identifier as found in the /etc/passwd file.
Immediately after these entries are created, you should use the smbpasswd utility to set the new users' passwords to some meaningful initial value. Without this step, the new accounts will remain passwordless, allowing access by anyone. The smbpasswd utility replaces the two occurrences of the NO PASSWORD string with 32-digit numeric values that represent the password using two different forms of encryption.
WARNING: Unauthorized access to the Samba password file must not be allowed; once the password file is obtained, the encrypted passwords found within are immediately usable with the proper software tools. For this reason, always make sure that this file is readable to the root user only! (Use chmod 0700 smbpasswd and chown root.root smbpasswd to set this file's permissions.)
The username map file can be used to create aliases for any user identifier on the system. As mentioned earlier, this file can be used to resolve differences in usernames on Linux and Windows systems. The format of the file is simple: Each line contains a Linux user identifier, followed by the equal sign, and a list of Windows usernames separated by spaces:
userid = username1 username2 ...
On my test system, the Samba password file, located at /etc/samba.d/smbpasswd, contains the following:
# Samba SMB password file
vttoth:100:00000000000000000000000000000000:00000000000000000000000000000000:::
The first line, beginning with the pound sign (#), is a comment line that will be ignored by Samba. The second line contains my user identifier and password.
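A check for the two problems described above, entries left passwordless and a password file that is not restricted to root, written as an added Python example that is not part of the original chapter or of Samba. The newuser and ghost entries and the /etc/passwd excerpt are constructed samples, and the hash fields are placeholders.

```python
import os
import stat

# Constructed sample in the chapter's format: user:uid:hash:hash:::
# (hash fields are placeholders, not real password hashes).
SAMPLE_SMBPASSWD = """\
# Samba SMB password file
vttoth:100:00000000000000000000000000000000:00000000000000000000000000000000:::
newuser:101:NO PASSWORD:NO PASSWORD:::
ghost:999:00000000000000000000000000000000:00000000000000000000000000000000:::
"""

# Constructed /etc/passwd excerpt used to confirm that each uid exists.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vttoth:x:100:100::/home/vttoth:/bin/bash
newuser:x:101:100::/home/newuser:/bin/bash
"""


def unix_uids(passwd_text):
    """Collect the numeric uids found in /etc/passwd-style text."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids


def audit_entries(smbpasswd_text, passwd_text):
    """Return (user, problem) tuples for password file entries."""
    known = unix_uids(passwd_text)
    problems = []
    for line in smbpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are ignored
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            problems.append((fields[0], "malformed entry"))
            continue
        user, uid = fields[0], int(fields[1])
        # An entry still holding the NO PASSWORD marker admits anyone.
        if any(h.startswith("NO PASSWORD") for h in fields[2:4]):
            problems.append((user, "no password set"))
        if uid not in known:
            problems.append((user, "uid not found in /etc/passwd"))
    return problems


def audit_file_mode(path):
    """Return problems with the password file's owner and permission bits."""
    info = os.stat(path)
    problems = []
    if info.st_uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(info.st_mode) & 0o077:
        problems.append("accessible to group or others")
    return problems


if __name__ == "__main__":
    for user, problem in audit_entries(SAMPLE_SMBPASSWD, SAMPLE_PASSWD):
        print(f"{user}: {problem}")
    # Path as used on the chapter's test system; adjust for other layouts.
    path = "/etc/samba.d/smbpasswd"
    if os.path.exists(path):
        for problem in audit_file_mode(path):
            print(f"{path}: {problem}")
```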
The username map file, /etc/samba.d/smbusers, on this system looks like this:
# Unix_name = SMB_name1 SMB_name2 ...
vttoth = administrator admin
nobody = guest pcguest smbguest
Once again, the first line is a comment. The second line allows me to log on using my own user identifier, even when I am connecting from a Windows NT system on which I am the administrator. The third line identifies the designated guest user identifier (nobody) with guest usernames that are often used under Windows networking.
You've set up a Samba server and it functions beautifully. So how do you access it from Windows machines? What are the instructions that you need to provide to other users of the network in order to let them access your Samba shared resources?
When everything is properly configured on your Samba server, the server should show up as part of your "Network Neighborhood" on Windows systems. For instance, Figure 13.1 shows a Samba server as it appears on a Windows NT computer.
FIGURE 13.1 Browsing Samba from Windows NT.
You can also connect to Samba shares or examine the contents of a Samba server from the DOS command line. The advantage of this method is that command-line commands can also be included in DOS batch files, in case you want to automate tasks. To examine the contents of a Samba server, use the net view command; to connect to a specific share, type net use.
To access my test system from my Windows NT workstation and see the shared resources there, I use the following command:
C:\>net view \\linux
Shared resources at \\linux

Caldera Samba Server

Share name   Type         Used as  Comment
--------------------------------------------------------------------------
cdrom        Disk
homes        Disk
printers     Print
vttoth       Disk                  Home directory of vttoth
The command completed successfully.
To connect to the shared cdrom directory as drive Q: under MS-DOS, I type the following:
C:\>net use Q: \\linux\vttoth
The command completed successfully.

C:\>dir q:
 Volume in drive Q is vttoth
 Volume Serial Number is 052E-0876

 Directory of Q:\

03/08/99  06:22a        <DIR>          mail
04/12/99  10:53p        <DIR>          public_html
               2 File(s)              0 bytes
                            676,708,352 bytes free
Finally, here is how I view existing connections and delete an established network connection:
C:\>net use
New connections will be remembered.

Status       Local     Remote                    Network
--------------------------------------------------------------------------
OK           Q:        \\linux\vttoth            Microsoft Windows Network
The command completed successfully.

C:\>net use q: /del
q: was deleted successfully.
When you share a Samba printer over the network, you can add it as a Windows printer on any Windows computer that is connected to the network. What is important to keep in mind is that many advanced printer drivers that require bidirectional communication will not work with a network printer. Since most of these printers come with alternative drivers that can be used when the printer is being networked, this is not usually a problem. However, some printers exist that cannot be shared this way (or indeed, may not be usable with Linux at all!)
You can set up a shared printer on a Windows computer using the Add Printer Wizard, or alternatively, using the net use command. The latter method is also available on networked DOS machines. You can also identify the shared printer with an LPT printer port, making it possible to print from older (16-bit) DOS and Windows applications.
On my test system, the printer in use is an HP LaserJet 6L. To add support for this printer on my Windows NT workstation, it was first necessary to install HP's Windows NT drivers on this computer from floppy disks supplied with the printer. (This is the case regardless of the fact that the printer is physically connected to the Linux machine, not to the Windows NT workstation.)
When the proper driver is installed, you can add the specific printer using the Add Printer Wizard. Figure 13.2 shows a snapshot of the Add Printer Wizard under Windows NT.
FIGURE 13.2 Adding a Samba printer under Windows NT.
I was also able to add this printer from the Windows command line:
C:\>net use lpt1: \\linux\lp
The command completed successfully.

C:\>net use
New connections will be remembered.

Status       Local     Remote                    Network
--------------------------------------------------------------------------
OK           LPT1      \\LINUX\lp                Microsoft Windows Network
The command completed successfully.

C:\>
In addition to being able to provide shared resources on a Linux server, it is also possible to access shared resources found on a DOS/Windows network from a Linux server. There are two methods available for this: the smbclient tool and the SMB file system.
The smbclient utility is a command-line tool that can be used to transfer files to or from a DOS/Windows network share and perform a few other simple functions. In appearance, this utility is very similar to the ftp program.
To connect to a Samba share on my test system with smbclient and list the files there, I used the following commands:
$ smbclient \\\\192.168.1.1\\vttoth
Server time is Sat Apr 17 16:32:40 1999
Timezone is UTC-4.0
Password:
Domain=[VTTOTH] OS=[Unix] Server=[Samba 1.9.18p8]
smb: \> ls
  .kshrc              H      186  Wed Sep  2 00:39:30 1998
  .profile.ksh        H      182  Wed Sep  2 00:39:30 1998
  .bash_logout        H       49  Tue Nov 25 18:03:05 1997
  .bashrc             H      913  Mon Nov 24 06:04:32 1997
  .cshrc              H      650  Mon Nov 24 06:03:03 1997
  .inputrc            H      111  Mon Nov  3 11:29:05 1997
  .login              H      392  Wed Jan  7 10:20:15 1998
  .logout             H       51  Tue Nov 25 18:03:11 1997
  .profile            H      341  Mon Oct 13 18:08:59 1997
  .bash_history       H     1199  Fri Apr 16 16:39:10 1999
  mail                D        0  Mon Mar  8 06:22:34 1999
  .pinerc             H    11427  Mon Mar  8 06:22:34 1999
  public_html         D        0  Mon Apr 12 22:53:54 1999

  55748 blocks of size 16384. 41303 blocks available
smb: \> exit
Note the extra number of backslash characters in the smbclient command line. These are necessary because the backslash character is interpreted by the Linux shell as a special character; two backslashes, however, are passed on as a single backslash. If you find so many backslash characters confusing, you can enclose the string in quotes instead.
That said, newer versions of smbclient also accept the forward slash character in the place of a backslash. When using the forward slash, it is no longer necessary to type it twice:
While not part of the Samba suite itself, the SMB file system deserves mention here. Simply put, this extension to the Linux kernel makes it possible to mount a shared directory over a Windows network as though it was just another UNIX-compatible file system.
The SMB file system is a capability that is compiled into the Linux kernel. Many Linux distributions contain precompiled kernels that already support this option. (The modular kernel found on the CD-ROM that accompanies this book is one such example.) If your kernel does not support the SMB file system, you might need to recompile it; for more information, please refer to Appendix A, "Configuring the Kernel."
If kernel support for the SMB file system is present, remote shares can be mounted using the smbmount command. This command is usually distributed with Samba, even though it is not actually considered a part of the Samba suite.
A Windows share can be mounted as a file system using the smbmount command. To unmount, use smbumount.
To mount a Samba share as a file system on my test machine, list the files there, and then unmount the share, I used the following commands:
# smbmount //192.168.1.1/vttoth /mnt/smb
Password:
# ls /mnt/smb
mail  public_html
# smbumount /mnt/smb
Samba is a set of software tools that make it possible to share Linux directories and printers over a DOS or Windows network. The name of the package is derived from SMB, the Server Message Block protocol, which is used by Windows networking.
Samba is available as part of most Linux distributions. The package's two main components are smbd and nmbd, which implement SMB services and NetBIOS name service, respectively. The latter is used to announce a Samba server over the Windows network and handle NetBIOS name resolution requests.
Samba operates over the TCP/IP protocol. Therefore, NetBIOS over TCP/IP must be installed on Windows machines from which you intend to access Samba servers.
The most important step of configuring Samba is setting up its main configuration file, smb.conf. This file contains global setup parameters as well as sections that control individual shared resources.
Samba can be configured to automatically share users' home directories. It can also share all UNIX printers that have been configured to work with the line printer daemon, lpd.
Samba can utilize encrypted Windows passwords. This not only improves network security, but also makes Samba interoperate better with later versions of Windows NT.
It is possible to access shared Windows resources from a Linux computer using the smbclient utility, which is an FTP-like command-line tool. An alternative is the SMB file system; when compiled with the Linux kernel, it makes it possible to mount shared Windows directories as UNIX-style file systems.
For additional information on topics discussed in this chapter, please refer to the following manual pages.