Samba

Revision / Modified: June 05, 2002
Author: Tom Berger

Original documents:
http://www.mandrakeuser.org/docs/connect/csamba.html
http://www.mandrakeuser.org/docs/connect/csamba2.html
http://www.mandrakeuser.org/docs/connect/csamba3.html

Introduction And Preparations

The SMB (Server Message Block) protocol is Microsoft's proprietary network resource sharing protocol, just like AppleTalk for Macs or SUN's NFS for UNIX machines.
SAMBA is a reverse-engineered implementation of that protocol: basically, its developers look at what SMB does and write code which emulates the observed behavior.
More background information on Samba can be found in Christopher R. Hertel's Understanding the Network Neighborhood Linux Magazine feature.

Basically, SAMBA allows you to

  1. access shared resources as an SMB client on MS Windows machines;
  2. provide resources as an SMB server to MS Windows machines;
  3. act as a client / server in a network of MS Windows machines.

This article will discuss each of these capabilities in this order.

I assume that your local network is up and running, i.e. you can ping any other machine on the network. If not, have a look at the article about Building A Small Mixed Network. It doesn't matter if you are using 'hosts' files or DHCP to assign dynamic IPs.

Accessing Shared Directories On MS Windows Systems

I will not elaborate on how to configure the MS Windows machines for SMB. If you need help with this topic, check out these illustrated guides for MS Windows 98 or MS Windows XP.
How to configure remote printers via SMB is explained in the article on CUPS.

Install the 'samba-client' package via the Software Manager or from a command line as 'root' with

urpmi samba-client

For demonstration purposes I assume that the SMB machine name of the MS Windows system is 'win' and that there's a shared directory on that system with the name 'export'.

Choices

You have various methods to choose from when connecting to shared directories on MS Windows:
  1. Browsing them with the KDE 'Konqueror' file manager;
  2. using applications like 'Komba2' or 'LinNeighborhood'; or
  3. configuring smb mount points in '/etc/fstab' via the 'Mandrake Control Center' or by hand.

Using 'Konqueror'

In order to access the shared directory 'export' on the machine 'win', you type

smb://win/export

into the location bar and press the 'Enter' key. If the share is password protected, you will be prompted for the password. After some seconds, the directory should appear.

Although this method is very comfortable when you are using Konqueror as your file manager, it currently has several - rather annoying - disadvantages:

  1. It's s l o w. Simple operations like copying files from the Windows machine to the Linux machine can take ages.
  2. It's tedious. Konqueror will keep asking you for your share password for every action. Although you can set a default password in Configuration - KDE - Network - Windows Shares, this is only convenient when you are always accessing the same share or if your shares are all protected by the same password.
  3. No MIME type detection.
  4. Resource waste. I'm not sure if this is a local problem, but it looks like Konqueror does not care about cleaning up started 'smbclient' processes. So, every time you access that share via Konqueror, a new 'smbclient' process is started with the old one still running. Not good.

Komba2 and LinNeighborhood

Possibly the most flexible and easy way to access a Windows share is via one of these applications. Both come with the 3 CD set of Mandrake Linux 8.2 and once installed can be started via 'Networking - Other'.

Komba2 detects and displays available shares on startup. If your share is password protected, you have to click the 'lock' icon first and enter your SMB user name and password for that share. If you don't do that, mounting the share will fail with a generic error message.

Mark the share you want to mount and click on the 'mount' icon. By default, Komba will mount shares to '~/komba/MACHINE/SHARE', in our example '~/komba/WIN/EXPORT'. It will also start up the Konqueror file manager in that directory. Both options and more can be configured.

To unmount the share (highly recommended since Linux sometimes doesn't take kindly to 'dead' Samba shares on shutdown), close the Konqueror window first and then click the 'unmount' button.

LinNeighborhood works in a similar fashion. After first startup configure the 'workgroup' setting in the 'Preferences' window. Now right-click the entry for your machine in the window below and choose 'rescan group'. This might take a while, especially if there's a Windows XP machine in the workgroup (dunno why, maybe local problem).

Once you've reached a share, double-click it and a mount preferences window will appear where you can configure - if you want - some nifty options. By default, the share will be mounted under '~/mnt/MACHINE/share', in our example '~/mnt/WIN/export'.

Which one to choose? Well, 'Komba2' is faster, whereas 'LinNeighborhood' offers more options. 'Komba2' uses Qt, the KDE widget set, whereas 'LinNeighborhood' uses 'GTK' which makes for a more uniform look in GNOME. Try for yourself ;-)

Configuring smb mount points via the Mandrake Control Center or by hand

This is the 'old-fashioned' way of configuring static mount points. If you configure shares this way, you can mount them during boot, or even use something fancy like autofs to mount and unmount those shares automatically.

Open the Mandrake Control Center and choose 'Mount Points - Samba Mount Points'. Wait, scanning can take quite a while. If no machines appear, click on the 'Search Servers' tab in the upper left corner. Once the machines appear, double click their entries to display their shares.
For some reason (local problem?) MCC won't display shares on a Windows XP machine here, but maybe you will be luckier.

Mark the share and click 'Mount point'. Specify a mount directory (if it doesn't exist, it will be created). Next click on 'Options' and on 'Advanced'.

The 'user' option might be useful when you want normal users to be able to mount the share. 'noauto' is useful when the share usually isn't available on boot time.
You can specify your SMB user name and share password in the 'advanced' options. It should be obvious that this might be a security risk, since both will appear in clear text in '/etc/fstab'. But if you're sure no one except you has access to that file or you just don't care, go ahead.

When finished, press 'OK' and 'Done'. The new entry will be written to '/etc/fstab' and you can mount that file system like every other local file system.

An 'fstab' entry for an SMB share for the shared directory 'export' on our 'win' example machine would look like this:

//win/EXPORT /mnt/vmsmb smbfs user,noauto 0 0

The scheme is:

//SMB_server/share local_mount_dir smbfs options 0 0

You see, it's not that different from entries for local mounts. 'smbfs' is the file system of the SMB protocol. This overlay file system allows you to write to file systems which have no write support in Linux, like NTFS.
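'/etc/fstab' is normally world-readable, so a password stored in the mount options is visible to every local user. The following check is an added example, not part of the original article: it scans fstab text for 'smbfs' entries that expose a password and for 'credentials=' files that other users can read. The function name, the sample user name and password, and the path '/etc/samba/win.cred' are made up for illustration; 'credentials=' is the smbmount option that reads the user name and password from a separate file.

```python
import os
import stat

# Constructed sample: the article's entry plus three variants with made-up values.
SAMPLE_FSTAB = """\
# device      mount point  type   options
//win/EXPORT  /mnt/vmsmb   smbfs  user,noauto                               0 0
//win/EXPORT  /mnt/a       smbfs  user,noauto,username=jim,password=s3cret  0 0
//win/EXPORT  /mnt/b       smbfs  noauto,username=jim%s3cret                0 0
//win/EXPORT  /mnt/c       smbfs  noauto,credentials=/etc/samba/win.cred    0 0
/dev/hda1     /            ext2   defaults                                  1 1
"""

def audit_fstab(text, check_files=True):
    """Return (mount_point, finding) tuples for smbfs entries that expose secrets."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue                        # comment line
        fields = line.split()
        if len(fields) < 4 or fields[2] != 'smbfs':
            continue                        # not an SMB mount
        mount_point = fields[1]
        for opt in fields[3].split(','):
            key, _, value = opt.partition('=')
            if key == 'password' and value:
                findings.append((mount_point, 'inline password'))
            elif key == 'username' and '%' in value:
                # smbmount also accepts the form user%password
                findings.append((mount_point, 'password embedded in username'))
            elif key == 'credentials' and check_files and os.path.exists(value):
                mode = stat.S_IMODE(os.stat(value).st_mode)
                if mode & 0o077:            # readable or writable by group/others
                    findings.append((mount_point, 'credentials file mode %o' % mode))
    return findings

if __name__ == '__main__':
    for mount_point, finding in audit_fstab(SAMPLE_FSTAB):
        print(mount_point, finding)
```

An entry that uses 'credentials=' with a file owned by 'root' and mode 600 produces no finding.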

Preparations

Install the 'samba' package, either via the Software Manager or as 'root' with

urpmi samba

If you prefer a browser based graphical configuration tool over a text editor, also install the 'samba-swat' package. To use this tool, point your browser to the address http://localhost:901.

If you are using MS Windows 9x to connect to Linux, make sure there's at least one user profile set and that 'Client for Microsoft Networks' is set as the 'Primary Network Logon' in 'Settings - Control Panel - Network'.

Notice that older versions of Mandrake Linux did not feature a separate subdirectory for the Samba configuration files in '/etc'.

Changes to Samba's configuration file usually require restarting the Samba Server to take effect.

'share' Or 'user' Level Security

Samba has two authentication models which do not rely on a third server, 'share' and 'user'. With 'share' level security, requests are authenticated per share; with 'user' level, the default, the request is authenticated before the shares are listed.

While this seems to be a minor detail, it is worth considering which level you want. The 'share' level makes it easier to set up public shares on the Linux server, whereas the 'user' level provides a bit more comfort and security for authenticated logins.

In the first incarnation of this article back in '99, I described the setup using the 'share' level. In its second incarnation in '01, I switched to 'user'. Each attempt left some people unsatisfied. So this time, I'm going to describe both, and you can choose which one you want to implement ;-).

Configuring A 'share level' Samba Server

Either use SWAT or open '/etc/samba/smb.conf' in a text editor as 'root'. Change the workgroup default value to the one you are using on your network. Change security = user to security = share. Search for the [tmp] section and remove the semicolons in front of these lines:

[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

Save and start the Samba server as 'root' with

service smb start

This allows all clients ('public = yes') in your workgroup to access the '/tmp' directory on your Linux machine and to put files there ('read only = no').

Accessing Home Directories

Example: Your account name on the Linux machine is 'jim', your profile name on the Windows machine is 'Jim Smith'. You want to use your 'Jim Smith' profile to access your 'jim' home directory.

  1. Open '/etc/samba/smb.conf' in an editor as 'root'.
  2. Remove the semicolon in front of the line username map = /etc/samba/smbusers
  3. Open '/etc/samba/smbusers' as 'root' in an editor. Add the line jim = "Jim Smith"
  4. As 'root', run the command smbpasswd -a jim using jim's account password as the new Samba password.
  5. Restart Samba as 'root' with service samba restart
  6. Go to your Windows machine and hit the 'reload' button in the 'Network Neighborhood'. A new folder ('jim') will appear. Double click on it, provide the password (not the password of the profile on the Windows machine, but the password of the 'jim' account on the Linux machine!), et voila, jim's home directory.

Explanation: In '/etc/samba/smb.conf', you'll find this entry:

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

This opens all valid home directories on the Linux machine for read / write access. In order to access a home directory, the user profile name from the Windows machine has to match the Linux account name the home directory belongs to. Otherwise the share isn't even displayed ('browseable = no').
In order to map a Windows user profile name to a Unix account name, the file '/etc/samba/smbusers' is used. Notice that you can map an arbitrary number of profile names against a Unix account name. If the profile name contains empty spaces, it has to be enclosed in quotes.
Alternatively you can create a user profile on the Windows machine with a user name which matches the Unix account name ('jim' in the given example). Then no mapping on the Linux machine has to be performed.

SMB and the Unix user account system both store passwords as one-way hashes, but in different formats. Since neither hash can be decrypted and the two therefore cannot be compared with each other, Samba needs its own password file, '/etc/samba/smbpasswd'.
Notice that accounts added to that file via the 'smbpasswd' command have to be valid accounts on the Linux system. The passwords do not have to match, though, that is you can set a Samba password different from that account's password on the Unix machine. Using the '-n' option to 'smbpasswd', you can also 'create' passwordless accounts, but then you have to add null passwords = yes to 'smb.conf' in order to allow clients to access shares under these accounts.
Changes to the '/etc/samba/smbpasswd' file require restarting the Samba server to take effect.

Configuring A 'user level' Samba Server

Open '/etc/samba/smb.conf' as 'root' in the editor of your choice:

  1. Set the 'workgroup' value to the workgroup your MS Windows machines are members of.

  2. Below that option add this line:

    map to guest = Bad User

  3. Scroll down to the line '; guest account = pcguest'. Remove the semicolon and replace 'pcguest' with 'ftp'.
  4. Scroll down to [tmp] and remove the semicolons from these lines:

    ;[tmp]
    ;   comment = Temporary file space
    ;   path = /tmp
    ;   read only = no
    ;   public = yes
    

The first step makes the Samba server a member of the Windows workgroup. The last opens the '/tmp' directory ('path = /tmp') for read / write access ('read only = no') to every member ('public = yes') of the workgroup. The second and third step need some more elaborate explaining.

In 'user' level security mode, 'Samba' relies on '/etc/samba/smbpasswd' to decide if a connection request is granted or not. That is, authentication is performed before the available shares are listed. In 'share' level security, shares appear on the browse list without authentication (unless browseable = no is set).

If you try to connect (e.g. by clicking on the machine name in the 'Network Neighborhood' window) from a Windows machine with a user profile name / password combination not listed in '/etc/samba/smbpasswd', you will be presented with the dreaded 'IPC$' share password window. This window is bogus, you can't provide a matching password.

In order to allow non-authenticated connections from the workgroup, Samba has to be configured to treat requests with 'invalid' SMB account names as 'guest' logins and to map that 'guest' login to an existing system account. That's what you are doing in steps two and three.

Now start (or restart) the Samba server with

service smb start

Open the 'Network Neighborhood' on a Windows machine and display the workgroup. Your Linux Samba server should now appear alongside the other machines. Double click on it and the 'tmp' share should be displayed. Congratulations! ;-).

Accessing Home Directories

Example: Your account name on the Linux machine is 'jim', your profile name on the Windows machine is 'Jim Smith'. You want to use your 'Jim Smith' profile to access your 'jim' home directory.

  1. Open '/etc/samba/smb.conf' in an editor as 'root'.
  2. Remove the semicolon in front of the line username map = /etc/samba/smbusers
  3. Open '/etc/samba/smbusers' as 'root' in an editor. Add the line jim = "Jim Smith"
  4. As 'root', run the command smbpasswd -a jim using the password for the 'Jim Smith' Windows user profile as the new Samba password.
  5. Restart Samba as 'root' with service samba restart
  6. Hit the 'reload' button in the 'Network Neighborhood'. A new folder ('jim') will appear. Double click on it, et voila, jim's home directory.

Notice that in contrast to 'share' level security, you will not receive a password request upon entering the home directory. This is because you have already been authenticated earlier.

Some Samba Options

man smb.conf lists several dozen available options. I've picked out a few which might be interesting even for the casual Samba user.

Displaying non-English Characters

Samba allows you to configure code pages in order to display non-English characters correctly. The options are client code page and character set. You'll find a commented example in 'smb.conf', just above the share definitions.

Restricting Access by Network

The options hosts allow = and hosts deny = allow you to specify machines or networks which are allowed (or denied) to access the server. By default, all machines and networks are allowed to connect. These options can be set per share.

Assigning a NetBIOS host name

By default, the Samba server uses the machine's DNS hostname as the NetBIOS name (i.e. the machine name which appears on the browse list). If you prefer another name, set the option netbios name =. You can specify aliases for that name with the netbios aliases = option.

Passwordless Access to All Services for Specific Users / Machines

The option hosts equiv = allows you to specify a file (usually called '/etc/hosts.equiv') which contains the profile and NetBIOS names of users allowed to use all services without having to provide a password. Quote 'man smb.conf':

I recommend that the hosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust them :-).

See man hosts.equiv for the structure of the 'hosts.equiv' file.

Restrict Maximum Number of Connections to the Server

By default no limit on the number of connections to the Samba server is set. You can change this with the max connections = option.

Instant LAN Messaging

MS Windows 9x comes with 'WinPopUp', a small tool to send and receive messages over the local network of SMB machines. You can take part in the fun, just remove the semicolon in front of the message command = option in 'smb.conf' and install 'LinPopUp' (included in Mandrake Linux 8.2). Start 'WinPopUp' on the Windows machine and 'LinPopUp' on the Linux machine and start messaging.

'WinPopUp' is a rather basic utility and not part of the NT/2k/XP line of MS Windows. You might want to consider going for a more powerful equivalent like the freeware RealPopup.

Acting as a Time Server

If the option time server = yes is set, the Samba server will act as a time server to MS Windows clients.

Restrict Share Access on per User Basis

Using the valid users = option in a share definition, you can decide which users may access this share.
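The access-related settings covered in this article (security level, 'map to guest', 'null passwords', 'hosts equiv', and public writable shares without 'hosts allow') can be reviewed mechanically before the server is restarted. The following is an added example, not part of the original article or of Samba: a small 'smb.conf' reader that reports those settings. The function names, the finding labels and the sample workgroup name are made up for illustration.

```python
TRUE = {'yes', 'true', '1'}
# Constructed sample combining settings the article enables (workgroup name is made up).
SAMPLE_CONF = """\
[global]
   workgroup = MDKGROUP
   security = user
   map to guest = Bad User
;  hosts allow = 192.168.1. 127.
   null passwords = yes
[homes]
   writable = yes
[tmp]
   path = /tmp
   read only = no
   public = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':      # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            conf[section][' '.join(key.lower().split())] = value.strip()
    return conf

def is_on(params, *names):
    """True if the first of the synonymous boolean parameters present is enabled."""
    for name in names:
        if name in params:
            return params[name].lower() in TRUE
    return False

def audit_smb_conf(text):
    """Return (section, finding) tuples for the access settings discussed above."""
    conf = parse_smb_conf(text)
    glob = conf.get('global', {})
    checks = [
        (glob.get('security', 'user').lower() == 'share', 'share-level security'),
        (glob.get('map to guest', 'never').lower() == 'bad user', 'unknown users mapped to guest'),
        (is_on(glob, 'null passwords'), 'null passwords accepted'),
        (bool(glob.get('hosts equiv')), 'hosts equiv file in use'),
    ]
    findings = [('global', msg) for hit, msg in checks if hit]
    for name, share in conf.items():
        if 'read only' in share:
            writable = not is_on(share, 'read only')
        else:  # 'writable' and its spellings are inverted synonyms of 'read only'
            writable = is_on(share, 'writable', 'writeable', 'write ok')
        limited = 'hosts allow' in share or 'hosts allow' in glob
        if name != 'global' and is_on(share, 'guest ok', 'public') and writable and not limited:
            findings.append((name, 'guest-writable, no hosts allow'))
    return findings
```

On the sample, the '[homes]' share is not reported because it is writable but not public; uncommenting the 'hosts allow' line clears the finding for '[tmp]'.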

Right-Click Sharing Directories

Once the basic setup for anonymous logins works, you can share directories you own on your Mandrake Linux 8.2 system by right-clicking on them in KDE's Konqueror or GNOME's Nautilus. First, you have to enable this feature via 'Properties - Share - Configure File Sharing'. Once you have enabled it, you can share directories via the new 'Share' field at the bottom of the directory's context menu.

By default, these directories are set 'read only'. In order to change this, open 'smb.conf' as 'root' in an editor, scroll down to the entry of the share and set writable to 'yes'. Restart Samba.

Make sure shared directories have the proper permissions (world readable for read only, world writable for read / write). You can adjust those permissions from the context menus in Konqueror or Nautilus.

Non-Windows Samba Clients

A Linux system running a Samba server can be accessed by about every other system which understands the SMB protocol. Samba runs on every Unix operating system, including Mac OS X, and ports exist for a variety of non-Unix operating systems like OS/2 or even AmigaOS.

Linux clients can employ the methods introduced on the first page. Mac OS X clients can either use the Finder or - preferably, since much more convenient - the freeware SMB Browse which works very much like its Linux equivalents.
Non-Windows clients actually enjoy an added bonus, since they can choose their login name upon connect.

Resources

Of course, this basic setup is just a start. Read the next two pages kindly provided by Mandrake Linux user Buchan Milne which introduce you to advanced topics like using Winbind or running the Samba server as a Primary Domain Controller.

If you run into trouble along the way, there's a very nice document on Troubleshooting Techniques (PDF) for Samba. This document introduces all the tools needed to diagnose Samba problems and ways to solve these problems.
Be aware that there's a somewhat confusing line on page 7:

Both POGO and WIN-CLIENT should be using a network mask of 255.255.255.0 and a broadcast address of 192.168.255.

The broadcast address actually should be 192.168.1.255. I guess that's a typo since the author later on refers to the correct address.

More information can be gathered by installing the 'samba-doc' package. This package includes a complete book on Samba ('Using Samba' by Eckstein, Collier-Brown, Kelly) as well as FAQs, HOWTOs, HTML versions of the manual pages and documents on special features.

If you prefer dead tree manuals, check out the Samba books page.


Legal: This text is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.