Chapter 19
Samba - The Server Message Block Protocol (SMB)
In this chapter:

   Setting up SAMBA as the SMB server for the local network
   An overview of SuSE's default configuration
   Pointers to more detailed information on SAMBA

Samba is a free SMB (Server Message Block) and CIFS (Common Internet
Filesystem) client and server for Unix, as well as other operating
systems. SMB is the protocol by which a lot of PC-related machines
share files, printers, and network information such as lists of
available files and printers. Operating systems that natively support
SMB include Windows 95, Windows 98, Windows NT, and OS/2. Packages
that achieve the same result are available for DOS, other versions of
Windows, VMS, Unix of all flavors, MVS, and more. The Apple Macintosh,
as well as some Web browsers, can also speak this protocol. CIFS is
the name of the new SMB initiative.
You can use Samba to integrate your Microsoft or IBM-style desktop
machines with your Linux machines. This works both ways. You can
access file systems located on Windows machines from your Linux boxes
and mount file systems exported by a Linux server on your Windows
workstation. In addition to the file systems service, Samba allows you
to share printers between these machines.
Samba provides a fairly complete replacement for Windows NT, Warp, NFS
or Netware servers. It implements an SMB server to provide Windows NT
and LAN Manager-style file and print services to SMB clients such as
Windows 95, Warp Server, smbfs, and others. You get a NetBIOS
(RFC1001/1002) nameserver. Among other things, it offers browsing
support. Samba can be the master browser on your LAN if you
wish. Samba includes an ftp-like SMB client so you can access PC
resources (disks and printers) from Linux.
This is only a short excerpt of the things you can do with Samba. For
a much better overview, have a look at the web site at
http://samba.org/samba, and browse the user survey.
SuSE Linux ships with everything you need to set up an SMB server,
client, or both. The configuration file for the Samba server is
/etc/smb.conf. The server will be started at boot time by
the rc-script /sbin/init.d/smb, if the variable
START_SMB in /etc/rc.config is set to
yes.
Samba is very powerful, and has a wide range of configuration
options. In this chapter, we will discuss the standard configuration
SuSE provides in its default configuration file
/etc/smb.conf.
For more complex configurations I will refer you to either the man
pages, the online documentation (http://www.samba.org),
or one of the books published on Samba, such as SAMBA: Integrating
Unix and Windows by John D. Blair and the Samba team, ISBN
1-57831-006-7.
For most cases, the online documentation should be enough to set up
Samba to fit your needs. Here is the /etc/smb.conf file
just as you'll find it on your system after installing the Samba
package:
[global]
   workgroup = arbeitsgruppe
   guest account = nobody
   keep alive = 30
   os level = 2
   security = user
   printing = bsd
   printcap name = /etc/printcap
   load printers = yes
   ; Please uncomment the following entry and replace the
   ; ip number and netmask with the correct numbers for
   ; your ethernet interface.
   ; interfaces = 192.168.1.1/255.255.255.0
   ; If you want Samba to act as a wins server, please set
   ; 'wins support = yes'
   wins support = no
   ; If you want Samba to use an existing wins server,
   ; please uncomment the following line and replace
   ; the dummy with the wins server's ip number.
   ; wins server = 192.168.1.1

[homes]
   comment = Heimatverzeichnis
   browseable = no
   read only = no
   create mode = 0750

; The following share gives all users access to the Server's CD drive,
; assuming it is mounted under /cdrom.
[cdrom]
   comment = Linux CD-ROM
   path = /cdrom
   read only = yes
   locking = no

[printers]
   comment = All Printers
   browseable = no
   printable = yes
   public = no
   read only = yes
   create mode = 0700
   directory = /tmp

The file consists of sections and parameters. A section begins with
the section name in square brackets and continues with information
related to it until the next section begins. Sections contain
parameters of the form name = value. The file is line-based, that is, each
newline-terminated line represents either a comment, a section name,
or a parameter. Section and parameter names are not case sensitive.
Only the first equal sign in a parameter is significant. White space
before or after the first equal sign is discarded. Leading, trailing,
and internal white space in section and parameter names are
irrelevant. Leading and trailing white space in a parameter value are
discarded. Internal white space within a parameter value is retained
verbatim.
Any line beginning with a semicolon (;) is ignored, as are
lines containing only white space. Any line ending in a backslash
is continued on the next line in the customary Unix fashion.
There are four sections in the sample configuration:
global, homes, cdrom and
printers. The cdrom section is commented
out in the file provided by SuSE. If you want to activate it, simply
remove the semicolons.
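The parsing rules just described (sections in square brackets, only the first equal sign significant, case-insensitive names with white space ignored, stripped values, semicolon comments and backslash continuation) as an added example that is not code from this chapter or from Samba; the sample file is a constructed cut-down of the SuSE default and the fallback to [global] in lookup() follows the description of the global section:

```python
# Constructed sample (not the full SuSE file); it exercises every rule
# the text states, including a continuation line and a value with '='.
SAMPLE = r"""
[global]
   workgroup = arbeitsgruppe
   Guest Account=nobody
   ; interfaces = 192.168.1.1/255.255.255.0
   server string = Samba on \
       a SuSE box
[homes]
   comment = Heimatverzeichnis
   browseable = no
   create mode = 0750
[CD ROM]
   comment = Linux CD-ROM = read only
   path = /cdrom
   read only = yes
"""

def normalize_name(name):
    """Section and parameter names: case and all white space are irrelevant."""
    return "".join(name.split()).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} following the rules in the text."""
    config, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        # A trailing backslash continues the parameter on the next line.
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i].strip()
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue                      # blank line or comment
        if stripped.startswith("[") and stripped.endswith("]"):
            current = normalize_name(stripped[1:-1])
            config.setdefault(current, {})
            continue
        if "=" not in stripped or current is None:
            raise ValueError("malformed line: %r" % line)
        name, value = stripped.split("=", 1)  # only the first '=' counts
        config[current][normalize_name(name)] = value.strip()
    return config

def lookup(config, section, name, default=None):
    """A service parameter falls back to [global], then to the given default."""
    section, name = normalize_name(section), normalize_name(name)
    local = config.get(section, {})
    return local.get(name, config.get("global", {}).get(name, default))
```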
Each section in the configuration file describes a service. The
section name is the service name and the parameters within the section
define the service's attributes. However, the three predefined
sections are so-called special sections. The global section specifies
parameters which apply to the server as a whole, or are defaults for
services which do not specifically define certain items. The
homes and printers sections generate services
on the fly, as we'll see later in this chapter.
A service consists of a directory to which access is being granted,
plus a description of the access rights bestowed on the user of the
service. Services are either file space services (used by the client
as an extension of their native file systems) or printable services
(used by the client to access print services on the host running the
server). Services may be guest services, in which case no password is
required to access them. In this case, a previously specified guest
account is used to define access privileges.
Services other than guest services will require a password to access
them. The client provides the username. Since many clients only
provide passwords and not usernames, you may specify a list of
usernames to check against the password using the user=
option in the service definition.
Note that the access rights granted by the server are masked by the
access rights granted to the specified or guest user by the host
system. The server does not grant more access than the host system
grants.
The section cdrom in the example shown defines a file
space service. The user has read-only access to the path
/cdrom. The service is accessed via the service name
cdrom. The printers section defines
printable services. The services are read-only, but printable. That
means that the only write-access permitted is via calls to open, write
to, and close a spool file. Earlier, I mentioned that this section was
special. For the printers section, this means that it not
only defines one single service, but it also allows users to connect
to any printer specified in the local host's printcap file.
When a connection request is made, the existing services are
scanned. If a match is found, it is used. Otherwise, the requested
service name is treated as a printer name and the appropriate printcap
file is scanned to see if the requested service name is a valid
printer name. If a match is found, a new service is created by cloning
the printer's section. Note that the printers service
must be printable - if you specify otherwise, the server will refuse
to load the configuration file.
The homes section allows services that connect clients to
their home directories to be created on the fly by the server, a
feature similar to the printers section. When the
connection request is made, the existing services are scanned. If a
match is found, it is used. If no match is found, the requested
service name is treated as a user name and searched for in the
/etc/passwd file. If the name exists and the correct
password has been given, a service is created by cloning the
homes section so that it exports the home directory of
the user making the request.
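The connection-request lookup described for the printers and homes sections, as an added example (not Samba's own code): an explicitly defined service wins, otherwise the name is tried as a user (cloning [homes] with the user's home directory as path) and then as a printer from printcap (cloning [printers]); the order in which the two special sections are tried, the printcap and password data, and the "authenticated" flag are assumptions of this example.

```python
# Constructed configuration in the shape of the SuSE default shown above,
# as {section: {parameter: value}}.
CONFIG = {
    "global": {"workgroup": "arbeitsgruppe", "guest account": "nobody"},
    "homes": {"comment": "Heimatverzeichnis", "browseable": "no",
              "read only": "no", "create mode": "0750"},
    "cdrom": {"comment": "Linux CD-ROM", "path": "/cdrom", "read only": "yes"},
    "printers": {"comment": "All Printers", "printable": "yes",
                 "read only": "yes", "directory": "/tmp"},
}
SPECIAL = {"global", "homes", "printers"}       # never connected to by name
PRINTCAP = {"lp", "laser"}                      # constructed printcap entries
PASSWD = {"alice": "/home/alice", "bob": "/home/bob"}  # constructed user -> home

def is_true(value):
    """Booleans may be given as yes/no, 0/1 or true/false, case-insensitively."""
    return str(value).strip().lower() in ("yes", "1", "true")

def check_config(config):
    """The printers section must be printable, or the server refuses the file."""
    printers = config.get("printers")
    return printers is None or is_true(printers.get("printable", "no"))

def resolve_service(config, name, authenticated=False,
                    printcap=PRINTCAP, passwd=PASSWD):
    """Return (service name, parameters) for a connection request, or None."""
    if not check_config(config):
        raise ValueError("[printers] is not printable; configuration refused")
    key = name.lower()                          # service names are not case sensitive
    if key in config and key not in SPECIAL:
        return key, dict(config[key])           # 1. an explicitly defined service
    if key in passwd and "homes" in config and authenticated:
        svc = dict(config["homes"])             # 2. clone [homes] for this user
        svc["path"] = passwd[key]               #    and export the home directory
        return key, svc
    if key in printcap and "printers" in config:
        svc = dict(config["printers"])          # 3. clone [printers] for this printer
        svc["printer name"] = key
        return key, svc
    return None                                 # nothing matched
```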
This is a fast and simple way to give a large number of clients access
to their home directories with a minimum of fuss. An important point
to remember is that if guest access is specified in this section, all
home directories will be accessible to all clients without a
password. In the very unlikely event that this is desirable, it would
be wise to also specify read-only access.
Note that the browseable flag for auto home directories will be
inherited from the global browseable flag, not the homes browseable
flag. This is useful as browseable=no will hide the
homes service but will make any auto home directories
visible.
Let's go over the parameters (like browseable). Like
section names, parameter names are not case sensitive. Only the first
equal sign in a parameter is significant. White space before or after
the first equal sign is discarded. Leading, trailing and internal
white space in section and parameter names are irrelevant. Leading and
trailing white space in a parameter value are discarded. Internal
white space within a parameter value is retained verbatim. The values
following the equal sign in parameters are all either a string (no
quotes needed) or a boolean, which may be given as
yes/no, 0/1 or
true/false. Case is not significant in
boolean values, but is preserved in string values. Some items, such as
create modes, are numeric.
Samba supports far too many parameters to list here. I'll explain
those used in the sample configuration. For a complete list, refer to
the man page smb.conf(5).
First let's look at parameters used in the global section:
workgroup = arbeitsgruppe
This controls which workgroup your server will appear to be in when
queried by clients. SuSE sets it to 'arbeitsgruppe', which is the
German word for workgroup.
guest account = nobody
This is a username which will be used for access to services which are
specified as "guest ok". The user nobody, as defined in SuSE systems, has
very few permissions, and is a common setting. Note
that as of version 1.9 of Samba, this option may be set differently for
each service.
os level = 2
This integer value controls the level that Samba can "nominate" itself
in the system's browser elections. These elections determine which
program becomes the master browser. By default, Samba uses a very low
value, and so loses elections to just about every other browser
application. If you want Samba to be selected, just set the os level
to a higher number.
An os level of 2 allows it to beat Windows for Workgroups (WfWg) and
Win 95, but not NTAS. A NTAS domain controller uses level 32. The
maximum os level is 255.
security = user
This option affects how clients respond to Samba. The option sets the
"security mode bit" in replies to protocol negotiations to turn share
level security on or off. Clients decide based on this bit whether
(and how) to transfer user and password information to the server. The
alternatives are user, server and
share.
If your PCs have usernames that are the same as the usernames on your
Linux machine, you'll want to use user. If you mostly have
usernames that don't exist on the Linux box, use share.
There is a bug in WfWg that may affect your decision. When in user
level security, a WfWg client will completely ignore the password you type
in the connect drive dialog box. This makes it very difficult (if not
impossible) to connect to a Samba service as anyone other than the user
that you are logged into WfWg as.
If you use server, Samba will try to validate the
username/password by passing it to another SMB server, such as an NT
box. If this fails, it will revert to user. Note that if encrypted
passwords have been negotiated, Samba cannot switch gears and resort to
checking the Linux password file. It must have a valid smb-passwd file
to check users against.
See the documentation /usr/doc/packages/samba/ENCRYPTION.txt for details on how to set this
up.
printing = bsd
This parameter controls how printer status information is interpreted
on your system, and also affects the default values for the print
command, the lpq command, and the lprm
command. Currently, six printing styles are supported. They are
bsd, sysv, hpux,
aix, qnx and plp. The default
printing system installed with SuSE Linux is the lprold
package, which supports BSD-style printing. You may choose to install
the plp package, which is also included on the SuSE
CDs. If you do this, you will have to change this setting to
plp.
printcap name = /etc/printcap
The name of the printer definition file.
load printers = yes
A boolean variable that controls whether all printers in the named
printcap will be loaded for browsing by default.
You can set far more options in the global section. In most cases, this
should be sufficient and require little customization. In the service sections
we will find more options. Definitions for each follow:
comment
This is a text field that is seen next to share when a client performs a
net view to list what shares are available. If you want to set the
string that is displayed next to the machine name, see the server
string command.
browseable
This controls whether this share is seen in the list of available
shares in a net view and in the browse list.
read only
If this parameter is yes, users of a service may not create or
modify files in the service's directory. Note that a printable service
(printable = yes) will always allow writing to the directory (user
privileges permitting), but only via spooling operations.
create mode
When a file is created, the necessary permissions are calculated
according to the mapping from DOS modes to Linux permissions, and the
resulting Linux mode is then bit-wise ANDed with this parameter. This
parameter may be thought of as a bit-wise MASK for the Linux modes of
a file. Any bit not set here will be removed from the modes set on a
file when it is created.
The default value for this parameter removes the group and other write
and execute bits from the Linux modes. A value of 0750 will affect
group-execute permissions. Subsequently Samba will bit-wise 'OR' the
Unix mode created from this parameter with the value of the force
create mode parameter, which by default is set to 000.
This parameter doesn't affect directory modes. This is handled by
the parameter directory mode.
path
This parameter specifies the directory that the user will be given access to.
With printable services, this is where print data will spool prior to being
submitted to the host for printing.
For a printable service offering guest access, the service should be
read-only and the path should be world-writable and have the sticky bit
set. This is not mandatory, but if you do otherwise, you probably won't get the
results you expect.
Any occurrences of %u in the path will be replaced with the
username that the client is using to connect to the service. Any occurrences of
%m will be replaced by the name of the machine they are
connecting from. These replacements are very useful for setting up
pseudo home directories for users.
locking
This controls whether or not locking will be performed by the server
in response to lock requests from the client.
If locking = no, all lock and unlock requests will appear to succeed
and all lock queries will indicate that the queried lock is clear. If
locking = yes, real locking will be performed by the server. This
option may be particularly useful for read-only filesystems which do
not need locking (such as cdrom drives).
Be careful about disabling locking, whether globally or in a specific
service: not locking may result in data corruption. Undesirable
situations may arise, such as two people writing to the file at the
same time.
printable
If this parameter is set to yes, then clients may open, write to, and
submit spool files on the directory specified for the service. Note
that a printable service will always allow writing to the service
path (user privileges permitting) via the spooling of print data. The
read-only parameter controls only non-printing access to the resource.
public
If this parameter is set to "yes" for a service, then no password is required
to connect to the service. Privileges will be those of the guest
account (nobody for SuSE Linux).
directory
A synonym for path. See the description above.
Plenty of other options can be found in the man page
smb.conf(5). If you want to act as a fileserver in a
Windows environment, the few options I've listed will apply to some
common situations. To see another example, I will add a section that
allows you to share data between Linux and Windows clients in a common
directory, and mountable by all systems in the network, given the
client has a valid user login at the server:
[shared]
   comment = Windows Shared
   browseable = yes
   read only = no
   path = /Windows-Shared

Nothing here we haven't seen before. The service is shared, and
exports the directory /Windows-Shared with read and write
permissions to clients.
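A defender's check over a parsed configuration, as an added example (not from this chapter or from Samba), applying the warnings given in this chapter: the printers section must be printable, guest access on homes exposes every home directory, a guest printable service should be read-only, locking = no on a writable service risks corruption, and a create mode that keeps group or other write bits loosens the mask. The sample dicts are constructed copies of the SuSE default plus [shared]; the defaults assumed for parameters the sample does not set (read only = yes, locking = yes, guest ok = no) are Samba's documented defaults, and the 0744 default for create mode follows the text above.

```python
def is_true(value):
    """yes/no, 0/1 or true/false, case-insensitive, as the chapter states."""
    return str(value).strip().lower() in ("yes", "1", "true")

def lint(config):
    """Return (section, message) findings for the risks the chapter warns about."""
    findings = []
    glob = config.get("global", {})

    def param(section, name, default):
        # service value, else the [global] value, else the assumed default
        return config[section].get(name, glob.get(name, default))

    for sec in config:
        if sec == "global":
            continue
        guest = is_true(param(sec, "public", "no")) or is_true(param(sec, "guest ok", "no"))
        printable = is_true(param(sec, "printable", "no"))
        read_only = is_true(param(sec, "read only", "yes"))
        if sec == "printers" and not printable:
            findings.append((sec, "[printers] must be printable; the server refuses the file"))
        if sec == "homes" and guest and not read_only:
            findings.append((sec, "guest access exposes every home directory read-write"))
        if printable and guest and not read_only:
            findings.append((sec, "guest printable service should be read-only"))
        if not read_only and not is_true(param(sec, "locking", "yes")):
            findings.append((sec, "locking = no on a writable service risks corruption"))
        mode = param(sec, "create mode", "0744")
        if int(mode, 8) & 0o022:
            findings.append((sec, "create mode %s keeps group/other write bits" % mode))
    return findings

# Constructed copy of the SuSE default plus the [shared] service above.
DEFAULT = {
    "global": {"workgroup": "arbeitsgruppe", "guest account": "nobody"},
    "homes": {"browseable": "no", "read only": "no", "create mode": "0750"},
    "cdrom": {"path": "/cdrom", "read only": "yes", "locking": "no"},
    "printers": {"printable": "yes", "public": "no", "read only": "yes",
                 "create mode": "0700", "directory": "/tmp"},
    "shared": {"browseable": "yes", "read only": "no", "path": "/Windows-Shared"},
}

# The same file after some risky edits (constructed).
RISKY = {
    "global": DEFAULT["global"],
    "homes": {"public": "yes", "read only": "no"},
    "printers": {"printable": "no"},
    "shared": {"read only": "no", "locking": "no", "create mode": "0777"},
}
```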

Summary:

Samba is a free implementation of the Server Message Block
(SMB) protocol suite. It can be used to provide file and print
services to a wide range of workstations, and runs on a wide variety of
operating systems.
Samba's default setup is a reasonable configuration and can be applied
in most cases. More detailed information on Samba can be found at the
Samba home page http://samba.org or in a book dedicated to this
service.