Chapter 19

Samba - The Server Message Block Protocol (SMB)
 

 
 
In this chapter:
 
 
* Setting up SAMBA as the SMB server for the local network
* An overview of SuSE's default configuration
* Pointers to more detailed information on SAMBA
 
 
 
Samba is a free SMB (Server Message Block) and CIFS (Common Internet Filesystem) client and server for Unix, as well as other operating systems. SMB is the protocol by which a lot of PC-related machines share files, printers, and network information such as lists of available files and printers. Operating systems that natively support SMB include Windows 95, Windows 98, Windows NT, and OS/2. Packages that achieve the same result are available for DOS, other versions of Windows, VMS, Unix of all flavors, MVS, and more. The Apple Macintosh, as well as some Web browsers, can also speak this protocol. CIFS is the name of the new SMB initiative.
 
You can use Samba to integrate your Microsoft or IBM-style desktop machines with your Linux machines. This works in both ways. You can access file systems located on Windows machines from your Linux boxes and mount file systems exported by a Linux server on your Windows workstation. In addition to the file systems service, Samba allows you to share printers between these machines.
 
Samba provides a fairly complete replacement for Windows NT, Warp, NFS or Netware servers. It implements an SMB server to provide Windows NT and LAN Manager-style file and print services to SMB clients such as Windows 95, Warp Server, smbfs, and others. You get a NetBIOS (RFC1001/1002) nameserver. Among other things, it offers browsing support. Samba can be the master browser on your LAN if you wish. Samba includes an ftp-like SMB client so you can access PC resources (disks and printers) from Linux.
 
This is only a short excerpt of the things you can do with Samba. For a much better overview, have a look at the web site at http://samba.org/samba, and browse the user survey.
 
SuSE Linux ships with everything you need to set up an SMB server, client, or both. The configuration file for the Samba server is /etc/smb.conf. The server will be started at boot time by the rc-script /sbin/init.d/smb, if the variable START_SMB in /etc/rc.config is set to yes.
 
Samba is very powerful, and has a wide range of configuration options. In this chapter, we will discuss the standard configuration SuSE provides in its default /etc/smb.conf.
 
For more complex configurations I will refer you to either the man pages, the online documentation (http://www.samba.org), or one of the books published on Samba, such as SAMBA: Integrating Unix and Windows by John D. Blair and the Samba team, ISBN 1-57831-006-7.
 
For most cases, the online documentation should be enough to set up Samba to fit your needs. Here is the /etc/smb.conf file just as you'll find it on your system after installing the Samba package:
 
 
[global]  
workgroup     = arbeitsgruppe  
guest account = nobody  
keep alive    = 30  
os level      = 2  
security      = user  
printing      = bsd  
printcap name = /etc/printcap  
load printers = yes  

 
; Please uncomment the following entry and replace the  
; ip number and netmask with the correct numbers for  
; your ethernet interface.  
; interfaces = 192.168.1.1/255.255.255.0  

; If you want Samba to act as a wins server, please set  
; 'wins support = yes'  
wins support = no  

; If you want Samba to use an existing wins server,  
; please uncomment the following line and replace  
; the dummy with the wins server's ip number.  
; wins server = 192.168.1.1  

[homes]  
comment     = Heimatverzeichnis  
browseable  = no  
read only   = no  
create mode = 0750  

; The following share gives all users access to the Server's CD drive,  
; assuming it is mounted under /cdrom.  

[cdrom]  
comment   = Linux CD-ROM  
path      = /cdrom  
read only = yes  
locking   = no  

[printers]  
comment     = All Printers  
browseable  = no  
printable   = yes  
public      = no  
read only   = yes  
create mode = 0700  
directory   = /tmp  
 
 
The file consists of sections and parameters. A section begins with the section name in square brackets and continues with information related to it until the next section begins. Sections contain parameters of the form name = value. The file is line-based - that is, each newline-terminated line represents either a comment, a section name, or a parameter. Section and parameter names are not case sensitive.
 
Only the first equal sign in a parameter is significant. White space before or after the first equal sign is discarded. Leading, trailing, and internal white space in section and parameter names are irrelevant. Leading and trailing white space in a parameter value are discarded. Internal white space within a parameter value is retained verbatim.
 
Any line beginning with a semicolon (;) is ignored, as are lines containing only white space. Any line ending in a backslash is continued on the next line in the customary Unix fashion.
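
The syntax rules above are enough to write a small reader for the file, which is handy when you want to review a configuration with a script instead of by eye. The following is an added example, not code from Samba or SuSE; the function names and the sample text are made up for the illustration, and lines starting with # are also skipped because Samba treats them as comments too.

```python
# Constructed sample that exercises each rule (not the SuSE file).
SAMPLE = r"""
; a comment line
[ GLOBAL ]
  Work Group   =   arbeitsgruppe
WINS Support=no

[cdrom]
comment = Linux   CD-ROM, \
    mounted = yes
PATH = /cdrom
"""


def normalize(name):
    # Section and parameter names: case and all white space are irrelevant.
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf-style text."""
    services, current, pending = {}, None, ""
    for number, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":    # white space only, or a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(normalize(line[1:-1]), {})
            continue
        # Only the first equal sign separates the name from the value.
        name, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"line {number}: expected comment, section or parameter")
        # Leading/trailing white space is dropped, internal white space kept.
        current[normalize(name)] = value.strip()
    return services


if __name__ == "__main__":
    for section, params in parse_smb_conf(SAMPLE).items():
        print(section, params)
```
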
 
There are four sections in the sample configurations: global, homes, cdrom and printers. The cdrom section is commented out in the file provided by SuSE. If you want to activate it, simply remove the semicolons.
 
Each section in the configuration file describes a service. The section name is the service name and the parameters within the section define the service's attributes. However, the three predefined sections are so-called special sections. The global section specifies parameters which apply to the server as a whole, or are defaults for services which do not specifically define certain items. The homes and printers sections generate services on the fly, which we'll see later in this chapter.
 
A service consists of a directory to which access is being granted, plus a description of the access rights bestowed on the user of the service. Services are either file space services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server). Services may be guest services, in which case no password is required to access them. In this case, a previously specified guest account is used to define access privileges.
 
Services other than guest services will require a password to access them. The client provides the username. Since many clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the user= option in the service definition.
 
NOTE Note that the access rights granted by the server are masked by the access rights granted to the specified or guest user by the host system. The server does not grant more access than the host system grants.
 
 
The section cdrom in the example shown defines a file space service. The user has read-only access to the path /cdrom. The service is accessed via the service name cdrom. The printers section defines printable services. The services are read-only, but printable. That means that the only write-access permitted is via calls to open, write to, and close a spool file. Earlier, I mentioned that this section was special. For the printers section, this means that it not only defines one single service, but it also allows users to connect to any printer specified in the local host's printcap file.
 
When a connection request is made, the existing services are scanned. If a match is found, it is used. Otherwise, the requested service name is treated as a printer name and the appropriate printcap file is scanned to see if the requested service name is a valid printer name. If a match is found, a new service is created by cloning the printer's section. Note that the printers service must be printable - if you specify otherwise, the server will refuse to load the configuration file.
 
The homes section allows services that connect clients to their home directories to be created on the fly by the server, a feature similar to the printers section. When the connection request is made, the existing services are scanned. If a match is found, it is used. If no match is found, the requested service name is treated as a user name and searched for in the /etc/passwd file. If the name exists and the correct password has been given, a service is created by cloning the homes section so that it exports the home directory of the user making the request.
 
CAUTION This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss. An important point to remember is that if guest access is specified in this section, all home directories will be accessible to all clients without a password. In the very unlikely event that this is desirable, it would be wise to also specify read-only access.
 
 
NOTE Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the homes browseable flag. This is useful because setting browseable=no in the homes section will hide the homes service itself but will still make any auto home directories visible.
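
The lookup order, the guest-access CAUTION and the browseable NOTE above can be modelled in a few lines, which makes it easy to check what a given homes section would expose before you put it on the network. This is an added example, not Samba's own code: the function names, user list and printer names are constructed, parameter names are assumed to be lower-case with white space removed, and homes is tried before printers as smb.conf(5) specifies.

```python
SPECIAL = ("global", "homes", "printers")


def as_bool(value):
    # Booleans may be written yes/no, 1/0 or true/false, in any case.
    return str(value).strip().lower() in ("yes", "1", "true")


def resolve(name, conf, users, printcap):
    """Return the service a connection request for `name` ends up using.

    conf: {section: {parameter: value}}, users: {login: home directory},
    printcap: set of printer names. Simplified model of the lookup.
    """
    if name in conf and name not in SPECIAL:
        return dict(conf[name], origin="explicit")
    if "homes" in conf and name in users:
        svc = dict(conf["homes"], path=users[name], origin="homes")
        # Auto home shares take browseable from [global], not from [homes].
        svc["browseable"] = conf.get("global", {}).get("browseable", "yes")
        return svc
    if "printers" in conf and name in printcap:
        return dict(conf["printers"], printer=name, origin="printers")
    return None


def passwordless_homes(conf, users):
    """Home directories reachable without a password (the CAUTION above)."""
    findings = []
    for login in sorted(users):
        svc = resolve(login, conf, users, printcap=set())
        if svc and svc["origin"] == "homes" and as_bool(svc.get("public", "no")):
            read_only = as_bool(svc.get("readonly", "yes"))
            findings.append((svc["path"], "read-only" if read_only else "read-write"))
    return findings


# Constructed inputs modelled on the sample configuration.
CONF = {
    "global": {"guestaccount": "nobody"},
    "homes": {"browseable": "no", "readonly": "no"},
    "cdrom": {"path": "/cdrom", "readonly": "yes"},
    "printers": {"printable": "yes", "public": "no", "directory": "/tmp"},
}
USERS = {"alice": "/home/alice", "bob": "/home/bob"}
PRINTCAP = {"lp", "ascii"}

if __name__ == "__main__":
    print(resolve("alice", CONF, USERS, PRINTCAP))
    print(passwordless_homes(CONF, USERS))
```

With the sample settings the audit returns an empty list; adding public = yes to the homes section makes every home directory show up as reachable without a password, and read-write at that.
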
 
 
Let's go over the parameters (like browseable). Like section names, parameter names are not case sensitive. Only the first equal sign in a parameter is significant. White space before or after the first equal sign is discarded. Leading, trailing and internal white space in section and parameter names are irrelevant. Leading and trailing white space in a parameter value are discarded. Internal white space within a parameter value is retained verbatim. The values following the equal sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items, such as create modes, are numeric.
 
Samba supports far too many parameters to list here. I'll explain those used in the sample configuration. For a complete list, refer to the man page smb.conf(5).
 
First let's look at parameters used in the global section:
 
 
* workgroup = arbeitsgruppe
This controls which workgroup your server will appear to be in when queried by clients. SuSE sets it to 'arbeitsgruppe', which is the German word for workgroup.
* guest account = nobody
This is a username which will be used for access to services which are specified as "guest ok". The user nobody, as defined in SuSE systems, has very few permissions, and is a common setting. Note that as of version 1.9 of Samba, this option may be set differently for each service.
* os level = 2
This integer value controls the level that Samba can "nominate" itself in the system's browser elections. These elections determine which program becomes the master browser. By default, Samba uses a very low value, and so loses elections to just about every other browser application. If you want Samba to be selected, just set the os level to a higher number.
An os level of 2 allows it to beat Windows for Workgroups (WfWg) and Win 95, but not NTAS. A NTAS domain controller uses level 32. The maximum os level is 255.
* security = user
This option affects how clients respond to Samba. The option sets the "security mode bit" in replies to protocol negotiations to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server. The alternatives are user, server and share.
If your PCs have usernames that are the same as the usernames on your Linux machine, you'll want to use user. If you mostly have usernames that don't exist on the Linux box, use share.
There is a bug in WfWg that may affect your decision. When in user level security, a WfWg client will completely ignore the password you type in the connect drive dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone other than the user that you are logged into WfWg as.
If you use server, Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails, it will revert to user. Note that if encrypted passwords have been negotiated, Samba cannot switch gears and resort to checking the Linux password file. It must have a valid smb-passwd file to check users against.
See the documentation /usr/doc/packages/samba/ENCRYPTION.txt for details on how to set this up.
* printing = bsd
This parameter controls how printer status information is interpreted on your system, and also affects the default values for the print command, the lpq command, and the lprm command. Currently, six printing styles are supported. They are bsd, sysv, hpux, aix, qnx and plp. The default printing system installed with SuSE Linux is the lprold package, which supports BSD-style printing. You may choose to install the plp package, which is also included on the SuSE CDs. If you do this, you will have to change this setting to plp.
* printcap name = /etc/printcap
The name of the printer definition file.
* load printers = yes
A boolean variable that controls whether all printers in the named printcap will be loaded for browsing by default.
 
 
You can set far more options in the global section. In most cases, this should be sufficient and require little customization. In the service sections we will find more options. Definitions for each follow:
 
 
* comment
This is a text field that is seen next to a share when a client performs a net view to list what shares are available. If you want to set the string that is displayed next to the machine name, see the server string command.
* browseable
This controls whether this share is seen in the list of available shares in a net view and in the browse list.
* read only
If this parameter is yes, users of a service may not create or modify files in the service's directory. Note that a printable service (printable = yes) will always allow writing to the directory (user privileges permitting), but only via spooling operations.
* create mode
When a file is created, the necessary permissions are calculated according to the mapping concerning DOS modes to Linux permissions, and the resulting Linux mode is then bit-wise anded with this parameter. This parameter may be thought of as a bit-wise MASK for the Linux modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.
The default value for this parameter removes the group and other write and execute bits from the Linux modes. A value of 0750 will affect group-execute permissions. Subsequently Samba will bit-wise 'OR' the Unix mode created from this parameter with the value of the force create mode parameter, which by default is set to 000.
This parameter doesn't affect directory modes. This is handled by the parameter directory mode.
* path
This parameter specifies the directory that the user will be given access to. With printable services, this is where print data will spool prior to being submitted to the host for printing.
For a printable service offering guest access, the service should be read-only and the path should be world-writable and have the sticky bit set. This is not mandatory, but if you do otherwise, you probably won't get the results you expect.
Any occurrences of %u in the path will be replaced with the username that the client is using to connect to the service. Any occurrences of %m will be replaced by the name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.
* locking
This controls whether or not locking will be performed by the server in response to lock requests from the client.
If locking = no, all lock and unlock requests will appear to succeed and all lock queries will indicate that the queried lock is clear. If locking = yes, real locking will be performed by the server. This option may be particularly useful for read-only filesystems which do not need locking (such as cdrom drives).
Be careful about disabling locking, whether globally or in a specific service: not locking may result in data corruption. Undesirable situations may arise, such as two people writing to the file at the same time.
* printable
If this parameter is set to yes, then clients may open, write to, and submit spool files on the directory specified for the service. Note that a printable service will always allow writing to the service path (user privileges permitting) via the spooling of print data. The read-only parameter controls only non-printing access to the resource.
* public
If this parameter is set to "yes" for a service, then no password is required to connect to the service. Privileges will be those of the guest account (nobody for SuSE Linux).
* directory
A synonym for path. See the description above.
 
 
Plenty of other options can be found in the man page smb.conf(5). If you want to act as a fileserver in a Windows environment, the few options I've listed will apply to some common situations. To see another example, I will add a section that allows you to share data between Linux and Windows clients in a common directory, and mountable by all systems in the network, given the client has a valid user login at the server:
 
 
[shared]  
comment    = Windows Shared  
browseable = yes  
read only  = no  
path       = /Windows-Shared  
 
 
Nothing here we haven't seen before. The service is shared, and exports the directory /Windows-Shared with read and write permissions to clients.
 
 
Summary:
  Samba is a free implementation of the Server Message Block (SMB) protocol suite. It can be used to provide file and print services to a wide range of workstations, and runs on a wide variety of operating systems.
 
Samba's default setup is a reasonable configuration and can be applied in most cases. More detailed information on Samba can be found at the Samba home page http://samba.org or in a book dedicated to this service.
 

Copyright (c) 1999 by Terrehon Bowden and Bodo Bauer
To contact the author please send mail to bb@bb-zone.com