
Linux, Unix, /etc/
$ To set up this Linux system, do I really have to type long,
cryptic, frequently inconsistent and undocumented commands with
occasional long strings of hex digits?
# Yeah. You got a problem with that?
Setting Up a Linux File & Print Server with Samba
Introduction
One might think that, with today's standard office network being a mix
of Windows 3.11, Win95 and/or NT machines, the choices for a file server
were limited to machines running NT, or at a pinch Netware. Not so.
Linux, or any other Unix, can provide file and print services, not to
mention other services (sending and receiving faxes, for example), to a
network based on the Microsoft OSes by using a remarkable program called
Samba. This article looks at setting up Samba on a Linux box, so that
this machine can act as a file and print server to the local network.
I will specifically consider Windows 95 clients, as the most common case.
About Samba
Samba is designed to provide services to any Server Message Block (SMB)
client. It is compatible with all Microsoft Networking clients including
Windows 95, Windows NT Workstation and Server, Windows for Workgroups,
IBM OS/2, and smbfs for Linux. It is notable for its scalability, speed
and flexibility.
Release 1.9.17 provides support for over 2,000 clients simultaneously
per samba server. Many Samba servers of this scale can work together.
Some sites have shown that a user database of 100 000 users shared between
20 servers works. For example, The Bank of America are using 1,200 Samba
servers with 15,000 clients. Again, Hewlett Packard R&D Labs run four of
their largest multi-processor systems with samba on. They have around
500 simultaneous clients minimum per machine, peaking at around 3,000.
Interestingly, they also use samba for print sharing. There is a bug in NT
where it can't report any more than about 190 printers without truncating
the list. Samba, needless to say, does not have this feature, so they use
Samba to provide network printer services, with over 250 printers on-line.
Samba is freely distributed with source code, and has high-quality support.
Over ninety companies worldwide offering commercial support for Samba
are listed in the Samba Consultants List. Samba is also supported
through a variety of Internet resources and a mailing list with thousands
of subscribers. See the Samba web site for details, at
http://samba.canberra.edu.au/pub/samba
Installing & Configuring Samba
Installation
Getting the Software
The official master ftp location is
ftp://samba.anu.edu.au/pub/samba/samba-latest.tar.gz
However, this site is very heavily used; so, for a faster download and to
minimise the load on the main site, try to use a Samba mirror site. The list
of mirror sites is contained in
ftp://samba.anu.edu.au/pub/samba/MIRRORS.txt
Compiling Samba
First edit the file source/Makefile. You must uncomment the appropriate
entry for linux, of which there are three: 1) with shadow passwords; 2)
without shadow passwords; 3) with shadow passwords and file system quotas.
There follow a number of user-configurable options. The comments (from
the Makefile) are clear. You may tinker with these at your wish (and at
your peril!), but the defaults are suitable.
# The base manpages directory to put the man pages in
# Note: $(MANDIR)/man1, $(MANDIR)/man5 and $(MANDIR)/man8 must exist.
MANDIR = /usr/local/man
# The directories to put things in. If you use multiple
# architectures or share the samba binaries across NFS then
# you will probably want to change this layout.
BASEDIR = /usr/local
BINDIR = $(BASEDIR)/bin
SBINDIR = $(BASEDIR)/bin
LIBDIR = $(BASEDIR)/lib
VARDIR = $(BASEDIR)/var
# The permissions to give the executables
INSTALLPERMS = 0755
# set these to where to find various files
# These can be overridden by command line switches (see smbd(8))
# or in smb.conf (see smb.conf(5))
SMBLOGFILE = $(VARDIR)/log.smb
NMBLOGFILE = $(VARDIR)/log.nmb
CONFIGFILE = $(LIBDIR)/smb.conf
LMHOSTSFILE = $(LIBDIR)/lmhosts
# the directory where lock files go
LOCKDIR = $(VARDIR)/locks
# set this to the default group you want your machine to appear in
# for browsing. This can also be set in nmbd (see nmbd(8))
WORKGROUP = WORKGROUP
# set this to the name of the default account, which is the one
# to use when no username or password is specified. This can be overridden
# in the runtime configuration file (see smb.conf(5))
# NOTE: The account "nobody" may not be a good one as
# on many unixes it may not be able to print. Thus you
# might have to create a separate guest account that can print.
GUESTACCOUNT = nobody
# where you are going to have the smbrun binary. This defaults to the
# install directory. This binary is needed for correct printing
# and magic script execution. This should be an absolute path!
# Also not that this should include the name "smbrun" on the end (the
# name of the executable)
SMBRUN = $(BINDIR)/smbrun
Once finished with any alterations you feel you need to make (though
the defaults should be fine), type "make" to compile the binaries.
Once samba is successfully compiled, su to root and type make install
to install the programs and manual pages. You can separately install the
binaries and/or man pages using make installbin and make installman.
make install will not install the configuration file, smb.conf. This must
be done manually. Also, don't forget to create the path specified in the
Makefile for the logs etc, e.g. /usr/local/samba.
Configuration
Configuration File
Samba is controlled by a configuration file, "smb.conf", the default location
being /usr/local/lib. There are samples in the examples subdirectory
in the distribution. The simplest useful configuration file would be
something like this:
workgroup = MYGROUP
[homes]
guest ok = no
read only = no
which would allow connections by anyone with an account on the server,
using either their login name or "homes" as the service name. Note that
I also set the workgroup of which this Samba is part.
Make sure you put the smb.conf file in the same place you specified in
the Makefile.
Configuration tasks can be conveniently grouped into three categories:
General, File Serving, and Print Serving.
General Configuration
First, let's take a look at the directives that are in use in an smb.conf
file from a typical working samba configuration (mine):
[global]
guest account = pcguest
hosts allow = 192.168.1.
log file = /var/local/log/samba.%m
os level = 2
password level = 1
read prediction = yes
security = user
workgroup = DUNNE
Ensure that the user specified in "guest account" exists. This should
be a user that cannot log in and has minimal privileges. Here's how
it might look in /etc/passwd:
pcguest:*:26:6:guest account:/home:/bin/sh
Note the "*" in the password field to block logins.
Use the "hosts allow" option, unless you want everyone on the internet
to be able to access your files. Here, I'm blocking everyone save those
on the local network.
Some client/server combinations have difficulty with mixed-case passwords.
One offending client is Windows for Workgroups. The "password level"
parameter defines the maximum number of characters that may be upper case
in passwords.
"read prediction" allows the server to attempt to pre-read data from the
last-accessed file that was opened read-only while waiting for packets.
This can improve performance.
The "security" option can be "user" or "server". If you use "security
= server" then Samba will try to validate the username/password by passing
it to another SMB server, such as an NT box. If this fails it will revert
to "security = USER".
Finally, the "workgroup" option specifies what workgroup this server
should belong to.
File Serving
Again, let's take a look at the directives that control file serving in
smb.conf from a typical working samba configuration (mine):
lock directory = /usr/local/samba/var/locks
share modes = yes
read only so as not to give people without an account write access.
[tmp]
comment = Temporary file space
path = /tmp
read only = yes
public = yes
A private directory, usable only by paul.
[paulhome]
comment = Pauls Home Directory
path = /home/paul
valid users = paul
public = no
writable = yes
printable = no
Make all users' home directories accessible to their owners.
[homes]
comment = Home Directories
browseable = yes
read only = no
create mode = 0750
A publicly accessible directory, but read only, except for people in
the staff group
[public]
comment = Public Stuff
path = /var/local/pub
public = yes
writable = no
printable = no
write list = @staff
A service which has a different directory for each machine that connects.
This allows you to tailor configurations to incoming machines. You could
also use the %u option to tailor it by user name. The %m is the machine
name that is connecting.
[pchome]
comment = PC Directories
path = /usr/home/pc//%m
public = no
writeable = yes
A publicly accessible directory, read/write to all users. Note that all
files created in the directory by users will be owned by the default user,
so any user with access can delete any other user's files. Obviously this
directory must be writable by the default user. Another user could of course
be specified, in which case all files would be owned by that user instead.
[public]
path = /usr/home/public
public = yes
only guest = yes
writable = yes
printable = no
The following two entries demonstrate how to share a directory so that
two users can place files there that will be owned by the creator, and
accessible to all users authorised to use this share. In this setup, the
directory should be writable by both users and should have the sticky bit
set on it to prevent abuse. Obviously this could be extended to as many
users as required.
[project]
comment = Very Important Project
path = /usr/home/projects/vip
valid users = paul fred
public = no
writable = yes
printable = no
create mask = 0765
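The following check is an added example, not part of the original article or of Samba itself. It parses smb.conf text and reports the three situations the text above warns about: no "hosts allow" in the global section, a share that guests can write to, and a writable share with no "valid users" restriction. The function names and the sample text are constructed for illustration; the parameter synonyms (public for guest ok, writable/writeable/write ok as the inverse of read only, allow hosts for hosts allow) are those listed in smb.conf(5).

```python
import re

# Alternate spellings Samba accepts for the same parameter.
SYNONYMS = {"public": "guest ok", "allow hosts": "hosts allow"}
INVERTED = {"writable", "writeable", "write ok"}  # opposites of "read only"
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines before any [header] are global."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERTED:  # store "writable = yes" as "read only = no"
                key = "read only"
                value = "no" if value.lower() in TRUE else "yes"
            sections[current][SYNONYMS.get(key, key)] = value
    return sections

def audit(text):
    """Return (section, finding) pairs for the risks the article points out."""
    sections = parse_smb_conf(text)
    glob, findings = sections["global"], []
    if "hosts allow" not in glob:
        findings.append(("global", "no 'hosts allow': any host may connect"))
    for name, params in sections.items():
        if name == "global":
            continue
        eff = {**glob, **params}  # [global] values are the share defaults
        guest = eff.get("guest ok", "no").lower() in TRUE
        writable = eff.get("read only", "yes").lower() not in TRUE
        if guest and writable:
            findings.append((name, "guests can write and delete files"))
        elif writable and name != "homes" and "valid users" not in eff:
            findings.append((name, "writable by every account on the server"))
    return findings

# Constructed sample assembled from the share definitions in this article.
SAMPLE = """\
workgroup = DUNNE
[tmp]
read only = yes
public = yes
[public]
public = yes
writable = yes
[pchome]
writeable = yes
[project]
valid users = paul fred
writable = yes
"""

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

The [homes] share is skipped by the third check because each user is connected only to their own home directory.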
File Locking
You will need a world readable lock directory and "share modes=yes" if you
want to support the file sharing modes for multiple users of the same files.
There are two types of locking which need to be performed by a SMB
server. The first is "record locking" which allows a client to lock a
range of bytes in a open file. The second is the "deny modes" that are
specified when a file is open.
By default Samba only makes locking calls when explicitly asked to by a
client, but if you set "strict locking = yes" then it will make lock
checking calls on every read and write. You can also disable byte range
locking completely using "locking = no". This is useful for those shares
that don't support locking or don't need it (such as cdroms). In this
case Samba fakes the return codes of locking calls to tell clients that
everything is OK.
The second class of locking is the "deny modes". These are set by an
application when it opens a file to determine what types of access should
be allowed simultaneously with its open. A client may ask for DENY_NONE,
DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility
modes called DENY_FCB and DENY_DOS. You can disable share modes using
"share modes = no". This may be useful on a heavily loaded server as
the share modes code is very slow.
Print Serving
Again, to start with, here are working entries for smb.conf from a typical
samba installation:
[global]
load printers = yes
printing = bsd
printcap name = /etc/printcap
[printers]
comment = All Printers
browseable = yes
printable = yes
public = no
writable = no
create mode = 0700
A private printer, usable only by fred. Spool data will be placed in
fred's home directory. Note that fred must have write access to the spool
directory, wherever it is.
[fredsprn]
comment = Freds Printer
valid users = fred
path = /homes/fred
printer = freds_printer
public = no
writable = no
printable = yes
Samba does not actually do any printing itself, it just acts as an honest
broker between the PC client and the Linux printing system. Samba receives
the file from the PC then passes the file to a external "print command".
What print command you use is up to you.
Samba sets reasonable defaults for these, so you should not have to specify
them in smb.conf. However, should you experience difficulties, add the
following settings to the global section of smb.conf.
print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j
The % directives are macros that will be dynamically replaced with variables
when used. %s is the name of the spool file that Samba creates; %p is the
name of the printer; %j is the job number as printed by the lpq command.
Make sure the "printing =" option is set correctly. The possible values
are "sysv", "bsd" or "aix". For Linux, the usual value is "bsd".
Check the path to your printcap file. The default is /etc/printcap.
Make sure the "print command" entry is correct. This command should
submit a file (%s) to a printer (%p) for printing and should REMOVE the file
after printing. The default should be fine, as long as you get "printing
=" right. It is also a good idea to use an absolute path in the print
command as there is no guarantee the search path will be set correctly.
Make sure the "lpq command" and "lprm command" entries are correct.
Those given above should work on any Linux box.
Starting the smbd and nmbd.
You may start smbd and nmbd either as daemons or from inetd, but don't
do both! Either you can put them in inetd.conf and have them started on
demand by inetd, or you can start them as daemons either from the command
line or in /etc/rc.local. The main advantage of starting smbd and nmbd
as daemons is that they will respond slightly more quickly to an initial
connection request.
Starting from inetd.conf
Look at your /etc/services. What is defined at port 139/tcp? If
nothing is defined then add a line like this:
netbios-ssn 139/tcp
If it is already defined, the relevant entry will look like this already,
so no change is required.
Similarly for 137/udp you should have an entry like:
netbios-ns 137/udp
Next edit your /etc/inetd.conf and add two entries similar to this:
netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
Make inetd reload the changed configuration file by sending it a HUP signal
(kill -HUP or kill -1).
Starting as a daemon
To start the server as a daemon you add the following lines to one of your
start-up scripts (/etc/rc.d/rc.local is a good choice) or make a new
script which will be called during boot-up.
# start samba
/usr/local/bin/smbd -D
/usr/local/bin/nmbd -D
echo -n " samba"
Testing the Configuration
It is important to test the smb.conf file using the testparm program.
If testparm finds no errors, it will list the loaded services; if not,
it will give a message with information about the error(s) it has found.
Once testparm is satisfied with your config file, there are a few basic
tests to carry out that may save you a lot of problem-solving time later on.
1 Try listing the shares available on your server:
smbclient -L yourhostname
You should get back a list of shares available on your server. If you don't
then something is rotten in the state of your setup. Note that this method
can also be used to see what shares are available on other LanManager clients
(such as WfWg). If you choose user level security then you may find that
Samba requests a password before it will list the shares. You can force
it to list the shares without a password by adding the option -U% to the
command line, though note that this will not work with non-Samba servers.
Here is some sample output from my machine:
Added interface ip=158.152.37.217 bcast=158.152.255.255 nmask=255.255.0.0
Server time is Tue Sep 9 09:35:40 1997
Timezone is UTC+1.0
Password:
Domain=[DUNNE] OS=[Unix] Server=[Samba 1.9.16p9]
Server=[wotan] User=[paul] Workgroup=[DUNNE] Domain=[DUNNE]
Sharename      Type      Comment
---------      ----      -------
dmp            Printer   lp
ibmpp          Printer   pp
IPC$           IPC       IPC Service (Samba 1.9.16p9)
paulhome       Disk      Pauls Home Directory
printers       Printer   All Printers
stylus         Printer
tmp            Disk      Temporary file space
This machine has a browse list:
Server         Comment
---------      -------
TINY1          Samba 1.9.16p9
This machine has a workgroup list:
Workgroup      Master
---------      -------
DUNNE          TINY1
2 Try connecting with the unix client:
smbclient \\yourhostname\service
Where "yourhostname" is the hostname of the machine running smbd, and
"service" is the name of any service defined in smb.conf. If there's a
[homes] section, try your user name. You will be prompted for your password,
then find yourself at the smbclient prompt. Try an ls: it should list the
contents of your home directory.
NOTE: The number of slashes to use depends on the type of shell you
use. You may need '\\\\bambi\\fred' with some shells.
3 Try connecting from a DOS/Win95/NT/OS2 client.
Try mounting disks. eg:
NET USE D: \\SERVERNAME\SERVICE
Try printing. eg:
NET USE LPT1: \\SERVERNAME\SPOOLSERVICE
PRINT FILENAME
Common Problems
There are some common problems that cause things not to work. Here's a
short list of some of the most familiar.
/dev/null is not world writeable.
Samba uses /dev/null as a place to discard output from external commands
like the "print command" so if /dev/null is not writeable then nothing
will work. Check that /dev/null is
crw-rw-rw- 1 root root 1
And if it's not, fix it (as root) with
chmod 666 /dev/null
lpr isn't in Samba's search path
Fix this by using the full path name in the "print command" e.g.
/usr/bin/lpr
Bad Permissions
Any message grumbling about permission denied or somesuch is typically
caused by the user that the PC is trying to print as not having permission
to print. Fix your lpr system!
extra blank page of output.
Fix this in your lpr system, probably by editing /etc/printcap.
It could also be caused by incorrect setting on your client. For example,
under Win95 there is an option
Printers|Printer Name|(Right Click)Properties|Postscript|Advanced|
that allows you to choose if a Ctrl-D is appended to all jobs.
raw postscript on the output.
Fix this either by using a "print command" that cleans up the file before
sending it to lpr or by using the "postscript" option in smb.conf.
Connecting Clients
File services
These work very simply. The easiest way to access them is through
Explorer, something like the following:
Explorer
Network Neighbourhood
Entire Network
[name of network]
[name of server]
list of shares
Select the share you want, and it will be mapped to the next available drive
name, and from then on will be available to other programs. Any File menu
will also do this for you, through the "Browse" option.
Print services
Again, this is simple. Just use the Add Printer wizard to add the network
printer, which can then be used as normal.
Print OR Control Panel
Add Printer
Network Printer
Network Path or Queue Name (browse..)
Driver
To support print queue reporting you may find that you have to use TCP/IP
as the default protocol under WfWg. For some reason if you leave Netbeui
as the default it may break the print queue reporting on some systems.
It is presumably a WfWg bug. This is not a problem under Win95.
A Note on Passwords
Some clients (notably WfWg) convert the password to uppercase letters before
sending it. To work around this, the server tries the password as is,
and also after changing it to lowercase. One way to avoid this is to
use the COREPLUS protocol (see below). More flexibly, the Samba server can
also be configured to try different combinations of upper/lowercase letters.
This is controlled by the global parameter "password level". A level of N
means to try all combinations up to N uppercase characters in the password.
A high value can chew a fair bit of CPU time and can lower the security
of your system, so do not use this option unless you really need it; the
time taken for password checking can become so high that clients time out.
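The cost described above can be made concrete with a small model, added here as an example; it follows the description in this section and is not taken from Samba's source. The function names are hypothetical. It lists the case variants a server would test for one received password at a given "password level", and counts how fast that list grows.

```python
from itertools import combinations
from math import comb

def candidates(received, level):
    """Passwords tested, in order, for one login attempt at this level."""
    base = received.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    seen, ordered = set(), []

    def add(password):
        if password not in seen:
            seen.add(password)
            ordered.append(password)

    add(received)  # as sent by the client (WfWg sends it uppercased)
    add(base)      # all lowercase
    for k in range(1, level + 1):
        # every way of uppercasing exactly k of the letters
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return ordered

def accepted(stored, received, level):
    """True if the stored password is among the variants the server tries."""
    return stored in candidates(received, level)

def attempts(n_letters, level):
    """Number of case variants of an n-letter password up to this level."""
    return sum(comb(n_letters, k) for k in range(min(level, n_letters) + 1))

if __name__ == "__main__":
    for level in (0, 1, 2, 4, 8):
        print(f"password level {level}: {attempts(8, level)} checks per login")
```

Each extra level both multiplies the password checks per login and widens the set of client inputs that match one stored password, which is the CPU cost and the loss of security noted above.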
A note on protocols
The SMB protocol has many dialects. Currently Samba supports 5, called CORE,
COREPLUS, LANMAN1, LANMAN2 and NT1. You can choose what maximum protocol
to support in the smb.conf file. The default is NT1 and that is the best
for the vast majority of sites. The main advantage of LANMAN2 and NT1
is support for long filenames with some clients (eg: smbclient, Windows
NT or Win95). The only advantage of COREPLUS is that for some obscure
reason WfWg preserves the case of passwords in this protocol, whereas under
LANMAN1, LANMAN2 or NT1 it uppercases all passwords before sending them.
Paul Dunne 1997