Samba for Servers

If you work in a normal company, you'll find one thing all around you in a network... bunches of windows boxes. Besides the stability problems and whatever other complaints you may have against it, windows is not too bad as a workstation system (at least NTWS is not bad), so it sort of makes sense to have that when you don't have enough time and resources to retrain your people so they can use a more robust OS. There is, then, the need to share files and printers between your linux server(s) and your windows workstation(s).

There are two ways to do this that I'd recommend: NFS and SMB.

The real beauty of NFS shines when you are sharing files between linux/unix boxes, where you'll see the proper permissions saved, fast response times and very good transfer rates. But the windows implementation (at least the last I tried) is buggy and slow as all hell, so...if windows is in the equation, NFS is not fast enough.

This leaves us with one option, SMB. SMB is the MS version of the NFS functionality, but obviously with a very MS/Windows bias. If you try to use SMB between linux/unix boxes, you'll notice that the permissions of the files get twisted all out of whack, which is bad news sometimes. But when it comes to interfacing with windows, the best option there is for linux/unix is samba, the Open Source implementation of Microsoft's SMB protocol.

* An important note. Samba is a very good password authentication server when your LAN is only made up of windows95/98 workstations, but it can NOT authenticate NT Workstation/Server boxes, so...if your LAN has NT boxes in it and you need password authentication ala windows domain, use an NT Primary Domain Controller (PDC). Samba PDC functionality will be here eventually, but MS keeps moving the target without warning, so it is slow and hard work.

Getting a samba server going is easy. First of all, you'll need to install samba (http://www.samba.org) in your box, though most distributions already come with samba in them. Check the version you have ("smbd -V" will tell you) and make sure you have the latest available stable (2.0.7 is the latest stable at the time of this writing, May/2000). If you need to upgrade, go to samba.org and grab it from one of their mirrors. Once you have it installed, it's time to get it working.

To make sure we are talking the same language, let me tell you that I use Mandrake (7.0 right now), so things may be different for you in some small details if you use a different distro (RedHat is extremely similar, so all of this should apply there).

Samba services are implemented through two daemons, smbd and nmbd, which together do all of the SMB networking stuff that you need.

Samba's main configuration file is /etc/smb.conf, which is where you tell samba how to talk to your windows network and what to offer to it, in terms of shares. If you ever fiddled with an INI file in the windows world, the smb.conf structure will look familiar to you. If you never had to deal with those, you'll find samba a bit out-of-the-norm for unix configuration files, but even so easy to work with.

The smb.conf is divided into sections, each of them with a header between square brackets like "[header]". Each section is composed of a series of variable=value options, like "encrypt passwords = yes", which tell samba what to do and how to do it.

The section that tells samba how to behave in the network is the [global] section, in which you tell it what domain/workgroup it belongs to, what name the computer should be known under, who the PDC is (if there's one), who can or can't connect to the server and other similar general things. In smb.conf everything that goes after a # sign will be thought of as a comment and won't be parsed by smbd. A pretty basic [global] section may look like this:

# This is the global section of my basic smb.conf
[global]
# This is the workgroup or domain my server belongs to.
workgroup = mygroup.com
# this is the name I want other boxes in the workgroup/domain to see my computer under
netbios name = samba207
# This is what they will see in the description of my computer when they use the Details view in NetNeigh.
server string = My samba 2.0.7 box
# This says who can connect to my samba server. The dot at the end of the incomplete IP means "whatever goes after this doesn't matter"
hosts allow = 192.168.1. 127.
# This tells samba to have a log per computer that connects, instead of lumping all logs together.
log file = /var/log/samba/log.%m
# This tells samba what's the biggest size the log file can have (in Kbytes)
max log size = 50
# This selects the security type we'll use. The options can be share, user, server or domain. The most used ones are share (for when you want to keep precise control over who can grab each share) and domain (for when you have a PDC somewhere that can authenticate users for you). Since this is a basic smb.conf, we'll go the share way.
security = share
# This is a *very* important option. Win98 and SP3 of NT (and above) use what MS calls encrypted passwords (a bit better than the silly plain text they were using before, I guess :) and samba needs to be told what to use, plain text as with windows 95 and NTpreSP3 or encrypted for the others.
encrypt passwords = yes
# This is a make-samba-faster option which I stole from the example smb.conf from samba long ago...still haven't tried to decode it...keep it there :)
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Who should I ask about who is in the LAN? This is where you tell samba who to ask...the .255 at the end of the mask means "everybody in this IP range"
remote browse sync = 192.168.1.255
# Who should I tell that I'm here? This is where you tell samba...again, the .255 at the end means "everybody in the IP range"
remote announce = 192.168.1.255
# MS gives each OS they create an OS level, which tells the rest of the pack who is the boss. NT4.0's level is 32, and since samba makes windows believe it is NT4.2, it goes up one in the level scale. The level influences some internal working of the network that you may want to be aware of.
os level = 33
# This part tells samba if it should try to resolve names in the windows way. Good bet is to use yes.
wins support = yes
# This tells samba if it should or not try to resolve NetBIOS names with DNS lookups. The smart option is no, until you know you do need it :)
dns proxy = no

As you can see, it's nothing but variable=value pairs :) This basic smb.conf file should make it so your windows boxes can see your linux box in the NetNeigh without a problem (once you change the workgroup/domain to the right one, of course :).

After you got the [global] section set, you have to setup the sections for your shares, which is what we'll see next.

The most basic share section is the [homes] section, which lets each user that has an account in the samba server have direct full access to his/her files in his/her home directory. This share looks like this:

[homes]
comment = Home Directories
browseable = no
writable = yes

The comment variable lets you add a description for the share; the browseable option tells samba if it should allow everybody to see that the share exists (in this case the no means "only show home shares to their owners"); the writable option is the one that lets you have full control over your share. If you don't want users to be able to write stuff to their home dirs unless they are sitting at the console or telnetted in, set this option to no.

Then you may want to share your printer with the windows boxes in your lan. This is the way to do it:

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

The path is the path to the spooling directory in your samba server; it can be a special samba spool or your normal general printer spool. In this case, you don't want people to be able to read into the directory, so you set browseable to no, that way nobody will be able to look at the raw spool. The guest ok option defines if an unknown user can print to that printer (can't in this case), while the writable option tells samba to allow (or not, as in this case) people to write to the directory...we don't want people copying files directly to the spool dir :) And, of course, the printable option is the one that tells samba that this is a printer and that it should allow users to print to it. If you want to allow anybody to print to your shared printer, even if they are not authenticated, use "public = yes" and "guest ok = yes" and it'll be wide open for anybody to use.

In the company I work at every computer has what we call the Open dir (we even use that as the name :) which we all use to send stuff around to other users in the company or to do backups of things or other misc things. A directory with that purpose can be shared in samba with a section that looks like this:

[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes

The read only variable is another way to tell samba if the share is writable. Since this is, in a way, a scratch directory, we set it to no, making it writable. We could use "writable = yes" and it'll work exactly the same way. The public variable tells samba that anybody can access this directory.

Now, there are times when we need to have a public directory, in which anybody can read stuff but only some people can write. I have a 'tech stuff' directory in my samba box at work, so I can tell users to grab this document, or that patch, or the other thing from it, without worrying about them borking up my stuff :) This directory is only writable by those that are in the techies group.

[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
write list = @techies

So, here we see that anybody can come in, and that the directory is not printable, but that it can be written to. The secret here is that the write list variable tells samba *who* can write to it; in this case it's only the people who belong to the group called techies. You can put usernames there, instead of the @group thing, and the result is that only the users mentioned can write to that dir, but this can become a maintenance nightmare if you have people moving in and out of the group that can/should write to that share.
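
Added example (not part of the original article, and not Samba's own code): a small Python check that reads smb.conf text in the section/variable=value format described above and lists the access-related settings worth a second look: a missing hosts allow, encrypt passwords turned off, and shares that are both public and writable. The function names and the SAMPLE text are made up for illustration; SAMPLE is built from this article's own sections.

```python
# Added example: report smb.conf settings that widen access (names are hypothetical).
SAMPLE = """\
[global]
hosts allow = 192.168.1. 127.
encrypt passwords = yes
[tmp]
read only = no
public = yes
[public]
public = yes
writable = yes
write list = @techies
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {option: value}}; lines starting with # or ; are comments."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)   # values may contain '=' themselves
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def flag(opts, name, default):
    return opts.get(name, default).lower() in YES   # default used when unset

def audit(conf):
    """Return (section, finding) pairs for settings that deserve a review."""
    out, glob = [], conf.get("global", {})
    if "hosts allow" not in glob:
        out.append(("global", "no hosts allow: any host may connect"))
    if not flag(glob, "encrypt passwords", "yes"):  # only an explicit 'no' is reported
        out.append(("global", "encrypt passwords is off: plain-text passwords"))
    for name, opts in conf.items():
        guest = flag(opts, "public", "no") or flag(opts, "guest ok", "no")
        writable = flag(opts, "writable", "no") or not flag(opts, "read only", "yes")
        if name != "global" and guest and writable:
            wl = opts.get("write list", "none")
            out.append((name, "guest access and writable, write list: " + wl))
    return out

if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(SAMPLE)):
        print(f"[{section}] {finding}")
```
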

With these basic sections, you'll have a working samba server in your LAN, with some different styles of shares, according to different needs. This is just the beginning; you can do more complex stuff, according to your needs, but that's beyond the scope of this article. I really recommend that you get The Samba book (http://samba.he.net/) either in electronic form or in the treeware version (help some starving programmers, buy the book :)

Any ideas, clarifications or bugfixes for this article, send 'em my way Vox <vox@the-vox.com> or show up at #linuxhelp in Undernet, where I hang out most of the time if you have questions about samba or any other linux problem. BTW, I do *not* answer tech support questions by email, so save yourself the time and don't write asking me to look over your logs or your smb.conf file. And thanks to Gaia, MoonFalln and Kuma for the help with my English :)


Created by Red Dragon for Red Dragon Enterprises™.
Red Dragon Enterprises™ © Dec 2001. All rights reserved.