MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


 
 


SAMBA Setup II (Server)

* Preparations
* 'share' Or 'user' Level Security
* Configuring A 'share level' Samba Server
* Configuring A 'user level' Samba Server

Related Resources:

ENCRYPTION.txt
security_level.txt
man smb.conf
Skirting common Samba problems

Revision / Modified: May 28, 2002
Author: Tom Berger

 

* Preparations

Install the 'samba' package, either via the Software Manager or as 'root' with

urpmi samba

If you prefer a browser based graphical configuration tool over a text editor, also install the 'samba-swat' package. To use this tool, point your browser to the address http://localhost:901.

If you are using MS Windows 9x to connect to Linux, make sure there's at least one user profile set and that 'Client for Microsoft Networks' is set as the 'Primary Network Logon' in 'Settings - Control Panel - Network'.

Notice that older versions of Mandrake Linux did not feature a separate subdirectory for Samba configuration files in '/etc'.

Changes to Samba's configuration file usually require restarting the Samba Server to take effect.


* 'share' Or 'user' Level Security

Samba has two authentication models which do not rely on a third server: 'share' and 'user'. With 'share' level security, requests are authenticated per share. With 'user' level security, the default, the request is authenticated before the shares are listed.

While this seems to be a minor detail, it is worth considering which level you want. The 'share' level makes it easier to set up public shares on the Linux server, whereas the 'user' level provides a bit more comfort and security for authenticated logins.

In the first incarnation of this article back in '99, I described the setup using the 'share' level. In its second incarnation in '01, I switched to 'user'. Each attempt left some people unsatisfied. So this time, I'm going to describe both, and you can choose which one you want to implement ;-).


* Configuring A 'share level' Samba Server

Either use SWAT or open '/etc/samba/smb.conf' in a text editor as 'root'. Change the 'workgroup' default value to the one you are using on your network. Change 'security = user' to 'security = share'. Search for the [tmp] section and remove the semicolons in front of these lines:

[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes

Save and start the Samba server as 'root' with

service smb start

This allows all clients ('public = yes') in your workgroup to access the '/tmp' directory on your Linux machine and to put files there ('read only = no').

Accessing Home Directories

Example: Your account name on the Linux machine is 'jim', your profile name on the Windows machine is 'Jim Smith'. You want to use your 'Jim Smith' profile to access your 'jim' home directory.

  1. Open '/etc/samba/smb.conf' in an editor as 'root'.
  2. Remove the semicolon in front of the line username map = /etc/samba/smbusers
  3. Open '/etc/samba/smbusers' as 'root' in an editor. Add the line jim = "Jim Smith"
  4. As 'root', run the command smbpasswd -a jim using jim's account password as the new Samba password.
  5. Restart Samba as 'root' with service samba restart
  6. Go to your Windows machine and hit the 'reload' button in the 'Network Neighborhood'. A new folder ('jim') will appear. Double click on it, provide the password (not the password of the profile on the Windows machine, but the password of the 'jim' account on the Linux machine!), et voila, jim's home directory.

Explanation: In '/etc/samba/smb.conf', you'll find this entry:

[homes]
comment = Home Directories
browseable = no
writable = yes

This opens all valid home directories on the Linux machine for read / write access. In order to access a home directory, the user profile name from the Windows machine has to match the Linux account name the home directory belongs to. Otherwise the share isn't even displayed ('browseable = no').
In order to map a Windows user profile name to a Unix account name, the file '/etc/samba/smbusers' is used. Notice that you can map an arbitrary number of profile names against a Unix account name. If the profile name contains empty spaces, it has to be enclosed in quotes.
Alternatively you can create a user profile on the Windows machine with a user name which matches the Unix account name ('jim' in the given example). Then no mapping on the Linux machine has to be performed.

SMB and the Unix user account system both store passwords in one-way encrypted form. Since neither form can be decrypted and the resulting hashes cannot be compared with each other, Samba needs its own password file, '/etc/samba/smbpasswd'.
Notice that accounts added to that file via the 'smbpasswd' command have to be valid accounts on the Linux system. The passwords do not have to match, though; that is, you can set a Samba password different from that account's password on the Unix machine. Using the '-n' option to 'smbpasswd', you can also 'create' passwordless accounts, but then you have to add 'null passwords = yes' to 'smb.conf' in order to allow clients to access shares under these accounts.
Changes to the '/etc/samba/smbpasswd' file require restarting the Samba server to take effect.


* Configuring A 'user level' Samba Server

Open '/etc/samba/smb.conf' as 'root' in the editor of your choice:

  1. Set the 'workgroup' value to the workgroup your MS Windows machines are members of.

  2. Below that option add this line:

    map to guest = Bad User

  3. Scroll down to the line '; guest account = pcguest'. Remove the semicolon and replace 'pcguest' with 'ftp'.
  4. Scroll down to [tmp] and remove the semicolons from these lines:

    ;[tmp]
    ; comment = Temporary file space
    ; path = /tmp
    ; read only = no
    ; public = yes

The first step makes the Samba server a member of the Windows workgroup. The last opens the '/tmp' directory ('path = /tmp') for read / write access ('read only = no') to every member ('public = yes') of the workgroup. The second and third steps need a more detailed explanation.

In 'user' level security mode, 'Samba' relies on '/etc/samba/smbpasswd' to decide if a connection request is granted or not. That is, authentication is performed before the available shares are listed. In 'share' level security, shares appear on the browse list without authentication (unless browseable = no is set).

If you try to connect (e.g. by clicking on the machine name in the 'Network Neighborhood' window) from a Windows machine with a user profile name / password combination not listed in '/etc/samba/smbpasswd', you will be presented with the dreaded 'IPC$' share password window. This window is bogus: you can't provide a matching password.

In order to allow non-authenticated connections from the workgroup, Samba has to be configured to treat requests with 'invalid' SMB account names as 'guest' logins and to map that 'guest' login to an existing system account. That's what you are doing in steps two and three.

Now start (or restart) the Samba server with

service smb start

Open the 'Network Neighborhood' on a Windows machine and display the workgroup. Your Linux Samba server should now appear alongside the other machines. Double click on it and the 'tmp' share should be displayed. Congratulations! ;-).

Accessing Home Directories

Example: Your account name on the Linux machine is 'jim', your profile name on the Windows machine is 'Jim Smith'. You want to use your 'Jim Smith' profile to access your 'jim' home directory.

  1. Open '/etc/samba/smb.conf' in an editor as 'root'.
  2. Remove the semicolon in front of the line username map = /etc/samba/smbusers
  3. Open '/etc/samba/smbusers' as 'root' in an editor. Add the line jim = "Jim Smith"
  4. As 'root', run the command smbpasswd -a jim using the password for the 'Jim Smith' Windows user profile as the new Samba password.
  5. Restart Samba as 'root' with service samba restart
  6. Hit the 'reload' button in the 'Network Neighborhood'. A new folder ('jim') will appear. Double click on it, et voila, jim's home directory.

Notice that in contrast to 'share' level security, you will not receive a password request upon entering the home directory. This is because you have already been authenticated earlier.
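
Both setups above leave '/tmp' writable without authentication, and the 'user' level setup also maps unknown account names to a guest login. The following check is an added example, not part of the original article or of Samba: it reads an 'smb.conf' and reports which of the guest and password settings discussed here are active. The sample file and the function names are constructed for illustration.

```python
# Constructed sample combining the settings this page enables (not a real host's file).
SAMPLE = """\
[global]
   security = user
   map to guest = Bad User
   null passwords = yes
[homes]
   writable = yes
[tmp]
   path = /tmp
   read only = no
   public = yes
"""

YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}
# smb.conf ignores case and spaces in parameter names; fold synonyms to one key.
SYNONYMS = {"public": "guestok", "writable": "writeok", "writeable": "writeok"}

def parse(text):
    """Return {section: {param: value}}, skipping ';' and '#' comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            conf[section][SYNONYMS.get(key, key)] = value.strip().lower()
    return conf

def audit(text):
    """List the guest and password settings discussed on this page that are active."""
    conf = parse(text)
    g, findings = conf.get("global", {}), []
    if g.get("security") == "share":
        findings.append("global: security = share")
    if g.get("nullpasswords") in YES:
        findings.append("global: null passwords = yes")
    if g.get("maptoguest", "never") != "never":
        findings.append("global: map to guest = " + g["maptoguest"])
    for name, s in conf.items():
        writable = s.get("writeok") in YES or s.get("readonly") in NO
        if s.get("guestok") in YES and writable:
            findings.append(name + ": guest-writable share")
    return findings
```

Lines still commented out with a semicolon are ignored, so the check reflects only what the server would actually load. Samba 4 removed 'security = share', so on a current server only the other three checks can fire.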



 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.