Samba: A Linux Server for your Windows Workstations

Many homes and small businesses have one or two old PCs lying around following upgrades. That old Pentium 166 isn't much use for running Windows XP, but it can become even more valuable to your business by running as a small network file server using Linux and Samba.

Samba is one of the great success stories of the open source movement, and has earned its original author, Andrew Tridgell, accolades such as the Bulletin Magazine's Smartest 100 in ICT award last year. Samba takes its name from the Server Message Block (SMB) protocol developed by Microsoft, IBM, Intel and 3Com to allow DOS, Xenix, OS/2 and Windows servers to share drives, files and printers. SMB, as implemented for MS-Net and the IBM PC LAN Program, was originally a mechanism for marshalling DOS function calls and their arguments, and transporting them over a network to a remote server, which would similarly send back an SMB packet containing the results. SMB needs underlying protocols to get itself moved across a network; in the early days, it used NetBIOS, but this is limited because NetBIOS is not routable, and so the latest implementations use a related protocol called "NetBIOS over TCP/IP".

Essentially, the Microsoft Windows Networking client and server don't know and don't care what the underlying layer is, as long as it looks like and behaves like NetBIOS. Similarly, they have no way of knowing just what is at the other end of a network connection as long as it behaves "correctly", and this is what Samba does - effectively it looks and feels like a Windows NT server to the connecting clients. There are some differences in management, but to the user, there's no difference.

One important difference from the TCP/IP networking in the Unix world is that NetBIOS works on machine names, rather than IP addresses. There therefore has to be some way to map NetBIOS names - which work quite differently to fully qualified domain names - to the IP addresses used under NetBIOS over TCP/IP. This can be done in several ways (see RFC 1002 if you really want to know), but the most common is called WINS, the Windows Internet Naming Service. Despite the name, this has nothing to do with The Internet - it is a dynamic name service which allows the various services found on Windows clients and servers to register themselves.

Samba includes a WINS server, and can also function as a WINS client. A typical network should have one - and only one - WINS server.
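To make the difference between NetBIOS names and DNS names concrete, here is an added example (not code from the article or from the Samba project) of the RFC 1002 "first-level" encoding that NetBIOS over TCP/IP uses on the wire: a name is at most 15 uppercase characters, space-padded, followed by a one-byte suffix that says which service is registering, and each of those 16 bytes is then spelled out as two letters. The host and workgroup names used below are taken from the article; the suffix table lists a few well-known values and is not exhaustive.

```python
# Added example (not from the article): RFC 1002 first-level encoding of
# NetBIOS names, to show how they differ from DNS host names.
NETBIOS_SUFFIXES = {
    0x00: "workstation service",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1D: "local master browser",
    0x20: "file server service",
}


def netbios_name_bytes(name: str, suffix: int = 0x20) -> bytes:
    """Build the 16-byte NetBIOS name: up to 15 uppercase characters,
    space-padded, followed by the one-byte service suffix."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """First-level encoding: every byte becomes two letters, 'A' plus the
    high nibble and 'A' plus the low nibble, so 16 bytes give 32 letters."""
    out = []
    for b in netbios_name_bytes(name, suffix):
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded: str):
    """Reverse the encoding; returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= ch <= "P" for ch in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


if __name__ == "__main__":
    # "sleipnir" and "PCUSER" are the server and workgroup names from the article.
    for host, sfx in (("sleipnir", 0x20), ("PCUSER", 0x1B)):
        enc = encode_netbios_name(host, sfx)
        print(f"{host:<10} <{sfx:02X}> {NETBIOS_SUFFIXES[sfx]:<22} {enc}")
        assert decode_netbios_name(enc) == (host.upper(), sfx)
```

The 15-character limit and the suffix byte are why the same machine can register several NetBIOS names (workstation, file server, browser roles) that all map to one IP address, and why a WINS server, rather than DNS, keeps track of them.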

Basic Setup

Samba is provided as a standard feature of most general-purpose Linux distributions, and one rarely encounters a machine that doesn't have it already installed. Red Hat Linux, for example, will install Samba as part of a server install.

Samba is completely configured by a text file called smb.conf, usually found as /etc/samba/smb.conf. This file consists of stanzas with square-bracket-enclosed headings, somewhat reminiscent of the Windows 3.1 win.ini file. Basic configuration is found in the [global] stanza, sharing of user home directories and printers is set up in [homes] and [printers] and other stanzas configure individual shares. Settings are controlled by "keyname = value" lines - one slightly unusual feature of Samba is that keynames can sometimes contain multiple words.

Samba does not check the syntax of the smb.conf file as it starts up, so bad syntax can be fatal. After manually editing smb.conf, you should run the testparm command, which checks the syntax. Once you have the correct basic configuration, you can start the Samba server and configure it to automatically restart on reboot. On systems that use SysVInit scripts, like Red Hat, Mandrake and SuSE, this can be done with commands like:

service smb start
chkconfig smb on

Once Samba is running, you should see two processes, called smbd (the SMB server) and nmbd (the WINS server).

SMB Passwords

One complication is the fact that Windows encrypts user passwords differently from Unix/Linux - it uses what's called an NTLM hash, rather than the MD5 hash commonly found in Linux. Worse still, both of these are one-way algorithms - in other words, there's no way to decrypt the NTLM hash to get back the plaintext password and then re-encrypt that with MD5 to compare against the Linux shadow password file. Instead, Samba has to have its own password file, which is called smbpasswd, and it has its own commands for managing this file. However, there are ways of avoiding having to add users twice, as you will see.

A Stand-Alone Server

Setting up a stand-alone Samba server is very simple. In fact, your distribution may already have a default smb.conf file that will work immediately, or with only minor changes. The key values to edit are:

workgroup = MSHOME
server string = A suitable comment goes here.

Here's a sample setup for a stand-alone server:

[global]
workgroup = PCUSER
server string = Test Samba Server
security = user
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = Yes
printing = cups

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

This setup should work "out of the box", with only the workgroup name and server string changed. It provides automatic sharing of all users' home directories, which users can browse to using "Network Neighborhood" or "My Network Places", as well as sharing of all the printers defined in the Linux box's /etc/printcap file.

You can add users and set their passwords with the smbpasswd command. To add a user, use smbpasswd -a username, like this:

[root@sleipnir samba]# smbpasswd -a les
New SMB password:
Retype new SMB password:
Added user les.
[root@sleipnir samba]#

Thanks to the "unix password sync", "passwd chat" and "passwd program" entries in the example above, users can now change their password from a Windows desktop, by pressing Ctrl+Alt+Del once logged on, and clicking on "Change Password...". Samba will change the password in the smbpasswd file, but it will also run the passwd command for the user, and feed it the new password, so that the Linux password is changed at the same time.

Sharing Access to Directories

As well as sharing home directories, which are only available on a user-by-user basis, you might want to have directories for shared access. You can create additional shares by name in smb.conf. For example:

[office]
       comment = Shared Office Documents
       path = /home/office
       read only = No
       browseable = Yes
# Use the next line if you want to restrict access to members of a Unix group
       valid users = +users
# Use the next line if you want created files to be owned by that group
       force group = users
# Use the next four lines if you want members of that group but not others
# to be able to write to each others' files and folders in this share
       create mask = 0770
       force create mode = 0660
       directory mask = 0770
       force directory mode = 0770

The "browseable = yes" setting controls whether shares appear in Network Neighborhood / My Network Places.

Access Control

You can restrict access to members of a group - for example, I restrict access to our accounts files to just the members of a group called accounts. When using group names in a smb.conf statement that expects a list of user names - e.g. the valid users example above - you should prefix the group name with a plus sign (e.g. +accounts).

You can force files which are created from Windows workstations to have specific Unix permissions by using the create mask, force create mode, directory mask and force directory mode options. Basically, the mask settings are AND'ed with the file permissions, so that any 0 bits in the mask will be turned off in the resultant permissions. Next the force settings are OR'ed with the permissions, so that any 1 bits in the force field will be turned on in the resultant file permissions.
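To show both the smb.conf layout described under Basic Setup (square-bracket stanzas, "keyname = value" lines with multi-word keys, comment lines) and the mask/force arithmetic just explained, here is an added example that is not part of the article or of Samba: a small parser for the file format, plus a function that works out the Unix mode a file or directory created through a share will end up with. The sample configuration is constructed and modelled on the [office] share above; the built-in defaults (create mask 0744, directory mask 0755, force modes 0) are Samba's documented ones, and the starting modes of 0666 for a file and 0777 for a directory are the assumption of an ordinary, non-read-only request from the Windows side.

```python
# Added example (not from the article): parse smb.conf stanzas and compute the
# effective Unix mode of files and directories created through each share.
import re

# Constructed sample, modelled on the [office] share in the article.
SAMPLE_SMB_CONF = """\
# comments may start with '#' ...
; ... or with ';'
[global]
   workgroup = PCUSER
   server string = Test Samba Server

[office]
   comment = Shared Office Documents
   path = /home/office
   read only = No
   valid users = +users
   force group = users
   create mask = 0770
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

[public]
   path = /home/public
   read only = No
"""

# Samba's built-in defaults for the four mode parameters (smb.conf(5)).
DEFAULTS = {
    "create mask": 0o744,
    "force create mode": 0o000,
    "directory mask": 0o755,
    "force directory mode": 0o000,
}


def _norm(key: str) -> str:
    """Samba ignores case and whitespace in parameter names."""
    return "".join(key.split()).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {stanza: {normalised key: value}}; later duplicates win."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][_norm(key)] = value.strip()
    return stanzas


def mode_param(share: dict, key: str) -> int:
    """Octal parameter value from the share, falling back to Samba's default."""
    return int(share.get(_norm(key), f"{DEFAULTS[key]:o}"), 8)


def effective_mode(share: dict, requested: int, directory: bool = False) -> int:
    """Mask bits are AND'ed with the requested mode, force bits OR'ed in after."""
    if directory:
        mask = mode_param(share, "directory mask")
        force = mode_param(share, "force directory mode")
    else:
        mask = mode_param(share, "create mask")
        force = mode_param(share, "force create mode")
    return (requested & mask) | force


def describe(conf_text: str = SAMPLE_SMB_CONF) -> dict:
    """Effective modes per share, assuming 0666/0777 as the requested modes."""
    conf = parse_smb_conf(conf_text)
    result = {}
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        result[name] = {
            "file": effective_mode(share, 0o666),
            "directory": effective_mode(share, 0o777, directory=True),
        }
    return result


if __name__ == "__main__":
    for name, modes in describe().items():
        print(f"[{name}]  file {modes['file']:04o}  directory {modes['directory']:04o}")
```

Running it shows the point of the four [office] settings: files come out 0660 and directories 0770, so group members can edit each other's work while "other" users get nothing, whereas [public], which relies on the defaults, leaves files world-readable at 0644. Checking a share's settings this way before exposing it is cheaper than discovering after the fact that a mask silently stripped group write access.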

You can also control which permissions Windows users can change from the various Windows Properties -> Security dialogs by using the security mask and directory security mask settings.

All these options are documented in the Samba man pages, of course, but you can also access them via a browser, as we shall see.

Sharing Printers

Typically, the default smb.conf file will have a [printers] section. This automatically shares all the printers that are set up in the /etc/printcap file:

[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = no
# Set guest ok = yes (public = yes is a synonym) to allow the 'guest account' user to print
  guest ok = no
  writable = no
  printable = yes

The settings are similar to a directory share, except for the "printable = yes" entry.

GUI Configuration

Synchronizing passwords between Samba and Linux is a major pain; the Unix passwd command only changes the Linux login password and smbpasswd only changes the Samba password. There are several ways around this problem; one of the most powerful is to use LDAP (Lightweight Directory Access Protocol) to store user account information, but that is overkill for simple setups like we are discussing here. A much simpler approach - and one that is particularly appropriate for the novice - is to use Webmin to manage both user accounts and the Samba server itself.

Webmin provides a browser-based administration tool for Linux systems, and has modules for all the major subsystems and server applications of the Linux world. But an extra-nice feature is its ability to simultaneously change a user's Linux and Samba passwords (and also do this for MySQL, PAP/CHAP dial-in, etc.). Once this has been turned on, as long as you manage users through Webmin, there's no need to deal with the smbpasswd command.

Webmin also provides pages to create new shares - both file and print - as well as to control global configuration options such as the workgroup/domain name, WINS server mode, default configurations for new shares, etc.

Webmin can be downloaded from http://www.webmin.com, and I often recommend it to novice administrators as a terrific set of "training wheels".

For fine-grained control, the best tool is SWAT, the Samba Web Administration Tool. This is part of the Samba project, but is often not installed as part of a Linux distribution - for example, on Red Hat 9, it can be found on CD 3, in the file samba-swat-2.2.7a-8.9.0.i386.rpm. Once installed, you should edit /etc/xinetd.d/swat and set disable = no, and comment out the only_from line (which otherwise limits which hosts may connect), then restart xinetd. SWAT runs as a specialized web server, listening on port 901, so you can connect to it from your Windows desktop browser with a URL like http://servername:901.

On the SWAT home page, you will discover a neat bonus: all the Samba man pages, plus the Samba HOWTO collection in HTML form, as well as the complete text of the book "Using Samba" from O'Reilly. Even if you never use SWAT in itself, this alone is worth the effort of installation!

But if you click on the "Globals" button at the top of the page, you'll get a form which lets you edit the global configuration options. You'll notice three buttons at the top - "Commit Changes" (use this after changing any entries), "Reset Values" (to go back to the original values) and "Advanced View", which you won't need for typical setups. Notice also the "Help" link beside each field in the form - clicking this will jump to the appropriate entry in an HTML version of the man page for smb.conf (5). Using this, you can usually sort out each entry, and learn a lot about the minutiae of Samba configuration.

The "Shares" button initially leads to an all-but-blank page. Select a share from the pull-down list, then click on the "Choose Share" button to its left or, to create a new share, enter the share name below and click on the "Create Share" button to its left. The page will reload, showing settings for the share. Again, there's an "Advanced View" button, which you will need more often to set options like the create masks and modes.

The "Printers" button leads to a similar page with a combo-box for selection of the [printers] share (auto-sharing of the printers in /etc/printcap) or of individual printers.

The "Wizard" button leads to a page which will create a new smb.conf file for either a stand-alone machine, a member of a domain or a domain controller, with or without WINS support. The "Edit Parameter Values" button allows you to configure basic global parameters such as the workgroup name.

The "Status" page shows active connections and shares, and can be set up to auto-refresh if you want to monitor a server. The "View" page displays the full text of the smb.conf file, with optional display of values which default because they are not set in the file. Finally, the "Password" page lets you change passwords, add and delete users, disable accounts, etc.

Setting Up a Domain

Once you have more than a single server, complications start to arise: each has its own password database and a user who changes his password on one but not others is going to run into trouble. Setting up a domain has several advantages:


To turn a stand-alone Samba server into a Primary Domain Controller, just add the following lines to the [global] section of the smb.conf file:

       domain logons = Yes
       os level = 64
       preferred master = Yes
       domain master = Yes
       local master = Yes

You will also need to create a [netlogon] share, like this:

[netlogon]
       path = /var/netlogon
       writable = no
       public = no

You will also need to add a machine trust account for each workstation. To do this manually, stop the Samba service, and add each machine with the following commands, and then restart the Samba service:

# Group 300 must already exist (a group reserved for machine accounts); the trailing $ marks a machine account
useradd -g 300 -d /dev/null -c "Machine Comment" -s /bin/false -M machine_name$
# Lock the Unix account so it can never be used for an interactive login
passwd -l machine_name$
# Add the matching machine (-m) entry to smbpasswd; Samba appends the $ itself
smbpasswd -a -m machine_name

You can also let the Samba server create the machine trust account automatically when a machine joins the domain, with the following setting in the [global] section of smb.conf:

add user script = /usr/sbin/useradd -g 300 -d /dev/null -c "%U" -s /bin/false -M %u

Now, you need to make sure that the root account has an entry in /etc/samba/smbpasswd:

smbpasswd -a root

Make sure that the password used here is different from root's real password for the machine! Having set this up, you will now have to join the workstations to the domain. The technique for doing this varies from version to version of Windows; with Windows NT you use Control Panel -> Network -> Identification -> Change..., then click on the "Member of Domain" radio button and enter the domain name. Check "Create a Computer Account in the Domain" and enter the name "root" and root's SMB password (the account that is used to add the computer to the domain must have uid = 0). Now click on "OK" and a few seconds later you should be welcomed to the domain.

On Windows 2000, the procedure is similar, but is found at Control Panel -> System -> Network Identification -> Properties, while on Windows XP Professional (XP Home cannot join a domain), you may have to wade through Control Panel -> Performance & Maintenance -> See basic information about your computer -> Computer Name -> Change..., etc. To work with Samba 2.2, XP Pro also requires a registry patch, which you can save as a text file on floppy disk and apply with a few mouse clicks:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000


Roaming Profiles

If you want to support roaming profiles (i.e. automatic downloading of user settings from the server when a user logs on, so that the user gets the same desktop, favorites, etc. no matter where they are), then add this:

       logon path = \\%N\profiles\%u
       logon drive = H:
       logon home = \\%N\%u

This also gives the users their home directory mounted as drive H: on the Windows workstation. Warning: using roaming profiles with a mixture of Windows NT/2K and Windows XP can be "interesting" to say the least, since on the former, the menu entry for the Windows Explorer points to c:\winnt\explorer.exe, while on the latter it is c:\windows\explorer.exe. You'll need to edit the properties of the menu shortcuts to read "%SystemRoot%\explorer.exe" - and do this for everything in Accessories and a few other places - in order for users' menus to work correctly on all versions of Windows.

Finally, if you want workstations to run a logon script as users log on, place the logon script in the [netlogon] share, then add something like this in the [global] section of smb.conf:

       logon script = logon.bat

Remember that the logon script is a DOS-style batch file. If you are going to edit it with vi, use the :set tx command before saving it, so that lines are terminated with CR/LF pairs.

Sharing Printer Drivers

New machines connecting to your domain may need to download and install printer drivers for the printers on your domain, and Samba supports "point-and-print" installation of printer drivers. The procedure for setting this up is documented in the Samba HOW-TO documents, specifically Chapter 18 (Classical Printing Support) and Chapter 19 (CUPS Printing Support). The basic technique involves setting up a [print$] share with the correct directory tree structure underneath it, and then using the "Add Printer" Wizard in Windows to install the printer driver files onto the Samba server. I've done this a few times now, but still spent a frustrating couple of hours trying to get it done recently at a client site. In the end, I got it to work correctly from an NT workstation, but never did figure it out with XP.

Other Advanced Techniques

If all of this has whetted your appetite for larger and more complex implementations, Samba has plenty to keep you interested. Version 2.2 - which I've been describing here - can be integrated with OpenLDAP, allowing for single sign-on with other LDAP-aware applications (including Linux itself). You can also have either Samba or a Windows server authenticate Linux logins, using an add-on called Winbind.

Samba Version 3 provides even more functionality. For the first time, Samba can function as both a Primary Domain Controller and as a Backup Domain Controller, and can also integrate with Microsoft's Active Directory, with Kerberos 5 authentication and other new security features.

Caveats

I started this article by suggesting that a small and old PC can be used to implement a small server. And so it can; but you would be unwise to trust your vital data and business processes to an ancient and potentially unreliable piece of hardware. At the very least, make sure you have some way of backing up the data. And if you really need reliable access to the data, then you should consider investing in new(er) hardware and possibly using techniques like RAID (Redundant Array of Independent/Inexpensive Drives) to ensure the reliability of your operations.

The good news is that while the techniques here do work on quite small and old computers, they work even better on top-of-the-range boxes. For example, IBM - which is where Andrew Tridgell now works - has replaced most of its Windows servers worldwide with Samba, and has tens of thousands of users sharing files via Linux boxes, all day every day.

References and Further Reading

Free Software Shuffles to a Different Beat: http://bulletin.ninemsn.com.au/bulletin/eddesk.nsf/All/A3D81BA516ADC523CA256DB7000A6606

Special Report: The Birth of Samba: http://www.zdnet.com.au/news/software/0,2000061733,20280072,00.htm

The Samba HOWTO Collection: http://samba.mirror.aarnet.edu.au/samba/docs/man/ within Australia or http://us1.samba.org/samba/docs/man/ outside


Page last updated: 04/Jan/2005. Copyright © 1987-2010 Les Bell and Associates Pty Ltd. All rights reserved. webmaster@lesbell.com.au
