
Linux and Windows Integration with Samba

Introducing Samba
Many computing environments today house a variety of different operating systems, including UNIX, Windows, and System 7. In these heterogeneous environments, configuring each operating system to share files and printers can be a daunting task.

Samba, which this chapter introduces, eases the administrator's burden by allowing Windows users to access Linux files and vice versa. Emulating Windows' native file-sharing capability makes a Linux Samba server a powerful network addition.

What Samba Does
Samba is an Open Source package that provides Common Internet File System (CIFS) functionality. CIFS is the latest incarnation of the Server Message Block (SMB) protocol, which is the primary means of sharing printers and files between Windows computers.
Linux can act as an SMB/CIFS server, providing secure access to its files and printers from Windows clients. Samba has also been shown to outperform Windows NT servers in file and printer sharing, so using Samba has performance as well as ease-of-use benefits; as an administrator, these are qualities you strive for.

Samba and NetBIOS
NetBIOS, designed originally for extending the PC BIOS, provides the following services:
• Name services, allowing computers to locate others by name.
• Session services, allowing computers to connect to each other and send data.
• Datagram services, providing methods of sending small amounts of data.
NetBIOS name services
Under NetBIOS, each system has one or more NetBIOS names. A NetBIOS name service (NBNS) manages the mappings between NetBIOS names and IP addresses. You can use Samba as an NBNS server.
The NBNS allows hosts to register NetBIOS names and allows lookups that translate a NetBIOS name into an IP address. For example, after performing a Map Network Drive function, the client uses the NBNS to retrieve the selected server's IP address before connecting to the server.
NetBIOS classes
When a client registers or looks up a NetBIOS name, the action performed depends on the name's class:

Class         Description
Unique names  Only one IP address. If a system attempts to register a name that is already in use, an error occurs.
Group names   Many IP addresses. When registering a group name, the registering system's IP address is added to the list maintained for that name. When translating a group name, all the IP addresses associated with that name are returned.
Multihomed    Unique names where the system owning the name has multiple interfaces. All the multihomed host's IP addresses are associated with one name.
Domain        Associated with NT domains.
SMB Protocol Overview
The SMB protocol is a client/server protocol that allows clients to request access to a server's resources. A client is any system that requests resources from another system. The client sends requests and the server sends back responses.

[Figure: the SMB client sends SMB requests to the SMB server, which returns SMB responses]

Clients access the server's shares, which are the shared file and printer resources the server makes available. The SMB protocol handles the details of sending the share's information between the client and server.
You specify the path to a share in the form \\server\share, where:
• server is the server's NetBIOS name
• share is the share's name

Windows users refer to a share's full path as the "service name."
Security
Samba is very security conscious. Before Samba performs a client’s request, the client must be verified as a valid user. Administrators have complete control over who may access which shares by configuring security levels.

Share-level security
The server does not require a user logon; instead, a password may be required before connecting to each share. Because smbd must still perform file operations as some Linux user, a valid username and password are required behind the scenes even in this mode; Samba derives the username from sources such as the share name, a user = parameter or a configured guest account.
User-level security
The client supplies a username and password before Samba allows access to any shares. The Windows logon username and password are normally used, which causes a problem when a user's Linux and Windows logons differ.

Samba Components
Samba consists of the smbd and nmbd daemons. The /etc/smb.conf file configures both of these daemons. While only these components are necessary to actually use Samba, several other pieces make Samba a more robust server.
The table below describes Samba's components.

Component  Description
nmbd       The NetBIOS Name Service Daemon (nmbd) handles NetBIOS name lookups and WINS requests. A properly configured Samba server requires at least one nmbd process to be running. Additional copies are required if Samba is configured as a WINS server, or if Samba is translating NetBIOS names using DNS.
smbd       The Server Message Block Daemon (smbd) handles file and print access. Proper configuration requires a minimum of one smbd process, plus an additional one for every client connected to Samba.
smb.conf   The Samba configuration file contains all the configuration information for smbd and nmbd.
smbclient  The SMB client program enables Linux users to access other SMB servers, such as Windows NT and Windows 9x.
nmblookup  The NMB lookup program enables users to query servers for registered NetBIOS names.
smbstatus  Administrators use the SMB status command to discover information about the system's Samba server, including who is currently accessing which shares.
smbprint   A shell script for printing to Windows systems from Linux.
smbtar     A shell script for backing up Windows systems under Linux.

Both TCP and UDP are used when clients access Samba. TCP is used for network logons and for accessing file and print shares, by establishing a TCP connection to smbd on port 139. UDP is used for registering or translating NetBIOS names and for browsing the network; depending on the function, the UDP datagrams are sent to port 137 (name service) or 138 (datagram service). Later Samba releases also accept SMB directly over TCP port 445, without the NetBIOS session layer, so firewall rules for a current server must cover that port too.

Controlling Samba
Administrators control Samba with a special script. Red Hat Linux and TurboLinux administrators use the /etc/rc.d/init.d/smb script, while administrators of other distributions use the /usr/sbin/samba script. These scripts are identical, and consequently take the same parameters, as shown in the following table:

Parameter  Description
start      Start the Samba daemons, smbd and nmbd, if they're not already running
stop       Stop the Samba daemons if they are running
restart    Restart the Samba daemons, by executing stop and then start
status     Print status information about the Samba daemons
The following section of an administrator's session (run as root) shows how to control Samba:
# Start the Samba server
$ /etc/rc.d/init.d/smb start
Starting SMB services: smbd nmbd


# Stop the Samba server
$ /etc/rc.d/init.d/smb stop
Shutting down SMB services: smbd nmbd

# Restart the Samba server
$ /etc/rc.d/init.d/smb restart
Restarting SMB services:
Shutting down SMB services: smbd nmbd
Starting SMB services: smbd nmbd
done

# Query Samba’s status
$ /etc/rc.d/init.d/smb status
smbd (pid 10744 2935) is running . . .
nmbd (pid 2935) is running . . .

Samba Logs
The Samba log files provide information on Samba's startup procedure and operational status.
Linux distributions typically install Samba's log files in the /var/log/samba directory. Within this directory are two general log files:
• log.nmb, the NetBIOS Name Server Daemon (nmbd) log.
• log.smb, the Server Message Block Daemon (smbd) log.
After normal startup, the following entries should be in these logs:
# Display the start of the NetBIOS Name Server log (each entry spans several lines)
$ head -3 /var/log/samba/log.nmb
[2000/09/25 01:00:45, 1] nmbd/nmbd.c:main(684)
Netbios nameserver version 2.0.5a started.
copyright Andrew Tridgell 1994-1998

# Display the start of the Server Message Block log
$ head -2 /var/log/samba/log.smb
[2000/09/25 01:00:45, 1] smbd/smbd.c:main(628)
smbd version 2.0.5a started.

Samba allows a Linux network administrator to integrate Windows into the Linux environment and vice versa, creating a heterogeneous network in which Windows and Linux cooperate. An administrator can flexibly integrate Linux into a mostly Windows environment or vice versa; this flexibility lets a company grow with both operating systems, minimizing the impact of reliance on a single operating system vendor.

Samba Configuration
Samba’s configuration is very flexible and allows you to tailor it to meet your system’s needs. Samba’s entire configuration is maintained in the smb.conf file making system modification easy. Samba also incorporates the use of macros or variable substitutions that allows further customization of the system based on individual users.
Chapter Objectives
After completing this chapter, you will be able to:
• describe the smb.conf file.
• automate Samba using variable substitution, include files, and configuration files.

You configure both the smbd and nmbd daemons in /etc/smb.conf. This file houses the share definitions and the configuration parameters.
Shares
The smb.conf file is split into sections known as shares. A share begins with a descriptive name, such as myShare, enclosed in brackets: [myShare]. Once you've defined the share name, you declare configuration parameters in name = value format.
Standard shares include:
• [global], which defines the server's general operating parameters.
• [homes], which defines the properties of users' home shares.
• [printers], which defines the shared printers' attributes.
Shares that you define for your specific needs are tied to directories within your Linux filesystem. The Samba server then makes these shares available for "sharing" to Windows clients.
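To show how the structure just described is read, here is an added Python example (not Samba's own code) that parses a constructed smb.conf into its sections, joins backslash-continued lines, ignores ; and # comments, and applies [global] parameters as defaults for every share, which is how smbd treats them. The sample configuration text, the `get` helper and the share name myShare are assumptions for the example.

```python
"""A minimal smb.conf section parser (added example, not Samba's own code).

It reads the [share] sections and "name = value" parameters described above,
skips ';' and '#' comment lines, joins backslash-continued lines, and treats
[global] parameters as the defaults for every share, which is how smbd uses
them.  The configuration text is constructed for this example.
"""
import re

SAMPLE_SMB_CONF = r"""
; constructed sample smb.conf, not a real server's configuration
[global]
   workgroup = EXAMPLE
   server string = Samba %v on %h
   security = user
   create mask = 0744
   hosts allow = 192.168.1. \
                 localhost

[homes]
   comment = Home Directories
   browsable = no
   writable = yes

[myShare]
   comment = My personal shared directory
   path = /home/user06/sambashare
   browsable = no
   writable = yes
   printable = no
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def _canon(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def _logical_lines(text):
    """Yield lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        yield pending + raw
        pending = ""
    if pending:
        yield pending


def parse_smb_conf(text):
    """Return {section: {param: value}}; values keep their case and content."""
    sections, current = {}, None
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = _SECTION.match(stripped)
        if m:
            current = _canon(m.group("name"))
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            raise ValueError("bad smb.conf line: %r" % line)
        name, value = stripped.split("=", 1)
        sections[current][_canon(name)] = value.strip()
    return sections


def share_params(sections, share):
    """Effective parameters of a share: [global] first, the share's own last."""
    params = dict(sections.get("global", {}))
    params.update(sections[_canon(share)])
    return params


def get(params, name, default=None):
    """Look a parameter up by its spelled-out name, e.g. 'create mask'."""
    return params.get(_canon(name), default)
```

Calling `get(share_params(parse_smb_conf(SAMPLE_SMB_CONF), "myShare"), "create mask")` returns the 0744 inherited from [global], while `get(..., "path")` on the [homes] clone is absent, matching the later note that only the homes share needs no path.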

The table below summarizes some of the common general configuration options.

Configuration Name                         Description
workgroup = string                         Sets the SMB workgroup name. The string, like other strings in this file, does not require any quoting
server string = string                     A descriptive string for this server
hosts allow = IP address [IP address...]   Limits the machines from which a Samba or Windows client may connect to this server. You may specify single IP addresses, network numbers, or domain names
guest account = username                   The guest account, which usually has only read privileges on shares. You must add the user username to your Linux system to provide guest access
security = securitytype                    Sets the type of security used to authenticate connecting clients. See below for an explanation of the different types
interfaces = interface [interface...]      If you have more than one network interface, list the ones Samba should listen on here
wins support = yes                         Enables nmbd's WINS server support
wins server = IP address                   Enables nmbd's WINS client support
Samba server security types
There are four security types for a Samba server:

Security  Description
user      Samba acts like an NT server: clients log on with a username and password, and access can be restricted to certain users and groups
share     Samba acts like a Windows 95 server: each share has a password that allows either read-only or read-write access
server    Samba passes authentication on to another SMB server, which you specify with the configuration option password server = IP address
domain    Samba delegates authentication to an NT domain controller

Prefer user (or domain) mode. A share-level password is not tied to any identity, and server mode lets a remote SMB server answer for every logon; later Samba releases dropped both the share and server modes.
Defining Shares
Configuration blocks in /etc/smb.conf define share's attributes:
[myShare]
comment = My personal shared directory
path = /home/user06/sambashare
browsable = no
writable = yes
printable = no
Configuration blocks, which include the share name and all subsequent configuration parameters, continue until the next block's definition or the end of file.
The table below summarizes some common options:

Option                                  Description
comment = string                        Provides a comment for this share
path = pathtoshare                      Tells smbd where to find this share's files
browseable = yes                        Sets whether this share can be found by browsing available NetBIOS names
writable = no                           Sets whether users who access this share can write files to it
printable = no                          Sets whether users who access this share can print with it. Usually all shares but [printers] will not be printable
guest ok = no                           Allows or denies guest access
valid users = username [username...]    Lists the users who should have access to the share
write list = username [@groupname...]   Lists users, and members of groups named with a leading @, who may write to the share even when it is read-only
create mask = ####                      Sets the file creation mask for files written to this share. This is not a umask but an actual file mask: permission bits absent from the mask are removed from new files

Samba Automation
Samba has a very powerful set of features that help to make the smb.conf file more compact and provide great flexibility in configuring it. These include smb.conf macros, variable substitution and include files.
Samba variable substitutions
Samba maintains many variables internally, which relate to connection, services, users, and so on. Many of these are available for substitution into parameters in the smb.conf file, as long as the parameters are strings. When one or more variables appear in parameter’s string value, Samba substitutes the variable's value at that point in the string.
A percent sign (%) introduces variables, and all variables consist of a single character name. For example, the following parameter defines the share’s path:
path = /home/%U/public
The %U macro substitutes the user’s name into the string, so if the current user is jennie, then the path would be, after substitution,
/home/jennie/public.
There are three general classes of variable substitution in Samba: basic, extended, and ad hoc.
Basic substitutions
These substitutions are performed wherever they appear in the smb.conf file. They are performed regardless of whether the parameter’s value is set in the smb.conf file or by default in the source code.
The basic substitutions performed are listed in the following table.
Variable Description
%a Returns the remote architecture, when known
%d Returns the process ID of the current process
%h Returns the first component of the Samba server's hostname
%m Returns the NetBIOS name of the client
%v Returns the version number of Samba
%G Returns the group name of the user’s primary group
%I Returns the client’s IP address
%L Returns the server’s NetBIOS name
%M Returns the client’s DNS name
%N Returns the NIS home directory server for the current user
%R Returns the remote protocol
%T Returns the server’s current time
%U Returns the username for the current session

Extended substitutions
Samba applies extended substitutions after applying the basic substitutions. The extended substitution variables are:
Variable Description
%G Returns the group name of the connection or service
%U Returns the username of the connection or service
%H Returns the current user’s home directory
%P Returns the path for the current service
%S Returns the current service name
You cannot apply extended substitutions everywhere within smb.conf.
Only the parameters below allow extended substitution:
• comment
• print command
• logon script
• lpq command
• lprm command
• lppause command
• lpresume command
• path
• preexec
• postexec
• root preexec
• root postexec


Ad-hoc substitutions
Samba also does several ad-hoc substitutions that are performed as needed to support specific features in some parameters. For example, in handling the print command parameter, Samba applies the following ad-hoc substitutions:
Variable Description
%s %f Replaces the print filename
%p Replaces the printer name or the print service name if no printer name is defined
The following parameters have ad-hoc substitutions applied to them:
• add user script
• comment
• delete user script
• ldap filter
• force group
• force user
• lpq command
• lprm command
• lppause command
• lpresume command
• message command
• passwd program
• passwd chat
• print command
• read list
• valid users
• invalid users
• user, users, username
• write list

Include files
Samba allows you to include other files into smb.conf, and because the names of these included files can contain macros, Samba's behavior can be modified at runtime.
The include parameter is include = filename, where filename is any file on the system. Since the filename can contain macros, you can configure Samba's behavior depending on the client. If the file does not exist, Samba ignores it, allowing you to include parameters that might not apply in all situations without breaking Samba. Keep included files, and the directories that hold them, writable by root only: anyone who can edit an include can set parameters such as root preexec.

The include parameter can aid in troubleshooting. By adding the following to the [global] share of your smb.conf file, you can affect the behavior of Samba for individual clients, because the %m in the include file parameter is replaced with the client's NetBIOS name:
include = /var/log/samba/conf.%m
Another use is to have different include files for different client architectures or users. The following allows you to include additional parameters for some client architecture:
include = /etc/smb.conf.%a
Then, by simply creating the file /etc/smb.conf.winNT, you can include parameters that are included only for Windows NT systems.
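The following added Python example (not Samba's code) covers both the basic substitutions tabled earlier and the include behaviour just described: it expands the single-character %-variables from a per-connection dict, loads the include file that the expanded name points at, and ignores a missing file as smbd does. The connection dicts, the temporary include files and the architecture strings WinNT and Win95 are assumptions made for the example. Because %m and %U are strings the client chose, the example also refuses an expanded include path that leaves the template's directory; that guard is the example's own, not a claim about smbd.

```python
"""%-variable substitution and include-file resolution (added example).

This is not Samba's code.  It implements the single-character variables in
the basic-substitution table and the "include = filename" behaviour: the
file name is expanded per connection and a missing file is ignored.  The
connection facts are a dict built by the caller; the include files are
created in a temporary directory so the example runs offline.  As an extra
guard, an expanded include path that escapes the template's directory is
rejected, because %m and %U come from the client.
"""
import os
import re
import tempfile

_VAR = re.compile(r"%([A-Za-z])")


def substitute(value, conn):
    """Replace each %X with conn['X']; unknown variables are left untouched."""
    return _VAR.sub(lambda m: str(conn.get(m.group(1), m.group(0))), value)


def parse_params(text):
    """Enough of a name = value parser for an include file without sections."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[" ".join(name.split()).lower()] = value.strip()
    return params


def resolve_include(template, conn):
    """Return (expanded_path, params); params is {} when the file is absent."""
    path = substitute(template, conn)
    expected_dir = os.path.normpath(os.path.dirname(template))
    if os.path.normpath(os.path.dirname(path)) != expected_dir:
        return path, {}          # client-controlled value escaped the directory
    if not os.path.isfile(path):
        return path, {}          # smbd silently ignores a missing include
    with open(path) as fh:
        return path, parse_params(fh.read())


def demo():
    """Per-architecture include files, as in 'include = /etc/smb.conf.%a'."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "smb.conf.WinNT"), "w") as fh:
        fh.write("; constructed: applies to Windows NT clients only\n"
                 "   logon script = nt.bat\n")
    template = os.path.join(tmp, "smb.conf.%a")
    nt = {"a": "WinNT", "m": "WKS01", "U": "jennie", "I": "10.0.0.5"}
    w95 = {"a": "Win95", "m": "WKS02", "U": "john", "I": "10.0.0.6"}
    hostile = {"a": "../../etc/passwd", "m": "BAD", "U": "x", "I": "10.0.0.7"}
    return {
        "path": substitute("/home/%U/public", nt),
        "log": substitute("/var/log/samba/log.%m (%I)", nt),
        "unknown": substitute("%Q is not a variable", nt),
        "nt": resolve_include(template, nt)[1],
        "w95": resolve_include(template, w95)[1],
        "hostile": resolve_include(template, hostile)[1],
    }
```

Running `demo()` shows the NT client picking up logon script = nt.bat, the Windows 95 client receiving nothing because no smb.conf.Win95 exists, and the hostile architecture string being discarded before any file is opened.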
Config files
The third feature that assists with automation is the config file parameter. This parameter allows you to replace the entire configuration file with another one.
Syntax
config file = filename
Since the config file parameter accepts the basic substitutions, each client can have a different configuration file, selected for example by the client's machine name or by the name of the connecting user.
For example, the following line instructs Samba to use a configuration file named after the connecting client's NetBIOS name. If that file exists, the options specified in the original configuration file are ignored and the new file is loaded instead:
[global]
config file = /etc/smb.conf.%m
However, the config file parameter is not as flexible as the include parameter, because the config file parameter replaces the entire configuration file.

Configuring Samba is made easy by having only one file, smb.conf, to modify in order to incorporate changes. Through macros, or variable substitutions, you can create a configuration that is customized by many variables, including the user and machine names of the connecting client.
Samba provides an enormous number of configuration options, which you can use to tailor it to meet your needs. Samba's configuration man page (man smb.conf), describes most of Samba's configuration options.

Samba File Shares
Sharing files is one of the main functions of Samba, and file shares can be configured at a detailed level. A Samba administrator can create guest shares that can be accessible to all users or she can limit access to specific users or workstations.
Chapter Objectives
After completing this chapter, you will be able to:
• find and access shares.
• configure file shares.
• restrict access to shares.
• use Samba to map UNIX permissions.
• use Samba to map NT permissions.
• describe the advanced smb.conf file parameters.

Locating and Accessing Shares
There are a couple of ways a user can request share access:
• Use the net use command from a DOS window:
  net use h: \\server\share
• Use the "Map Network Drive" dialog box from Windows. Right-click either Network Neighborhood or My Computer to locate the box.
• Browse the network, find a server, then select the share.
Determining a share’s existence
Before connecting a client, Samba determines whether the requested share exists by completing the following process:
1. Look for a section corresponding to the requested share name in the smb.conf file. If found, return it; otherwise go to step 2.
2. Look for a [homes] share in the smb.conf file. If found, check whether the share name matches a username in the /etc/passwd file. If it matches, clone the [homes] share and return the new share; otherwise go to step 3.
3. Look for a [printers] share in the smb.conf file. If found, check the /etc/printcap file to determine whether the requested share is listed as a printer. If it is, clone the [printers] share and return it; otherwise go to step 4.
4. Look for a default service. If one is found, change its name to match the requested service and return it; otherwise return an invalid network name error to the client.
If Samba is unable to access the directory the share specifies, an invalid network name error is also returned to the client. The usual reasons Samba cannot find a share are a misspelled share name, a share that was never created, or missing permissions on the share's directory.
Caveats with Samba's share search order
Because of Samba's share search order, some share names might not be available. A share name in the smb.conf file has priority over any entry in /etc/passwd or /etc/printcap, even when [homes] and [printers] sections are defined. This means that john's home share will not be found if the smb.conf file contains a share named john.
Home shares have priority over printer shares. If a printer called john is defined in /etc/printcap, it will not be found if a user named john exists in /etc/passwd and the [homes] share has been defined, or if the smb.conf file contains a share named john.
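The four-step search and the two priority caveats above, as an added Python example rather than smbd's code. The parsed sections, the /etc/passwd and /etc/printcap contents, and the default service name are all constructed here. One practical consequence the function makes visible: once [homes] is defined, every account in /etc/passwd, service accounts included, becomes a connectable share name for a client that can authenticate as it, so restrict [homes] with valid users or invalid users where that matters.

```python
"""Samba's share lookup order (steps 1 to 4 above) as an added Python example.

This is not smbd's code.  It takes the parsed smb.conf sections as a dict of
{share: {param: value}}, the accounts in /etc/passwd as {name: home_dir}, the
printers in /etc/printcap as a set, and the optional "default service" name,
all constructed below, and returns the share a request resolves to, or raises
InvalidNetworkName where the client would get an invalid network name error.
"""

PASSWD = {"john": "/home/john", "jennie": "/home/jennie"}   # constructed
PRINTCAP = {"lp", "jennie"}                                  # constructed: a printer named jennie too
SECTIONS = {                                                 # constructed smb.conf
    "global": {"workgroup": "EXAMPLE"},
    "homes": {"browsable": "no", "writable": "yes"},
    "printers": {"printable": "yes", "path": "/var/spool/samba"},
    "john": {"comment": "shadows john's home share", "path": "/srv/john"},
    "default": {"path": "/srv/default"},
}
SPECIAL = ("global", "homes", "printers")


class InvalidNetworkName(Exception):
    """Raised where smbd returns an invalid network name error."""


def resolve_share(requested, sections, passwd, printcap, default_service=None):
    name = requested.lower()           # share names are case-insensitive
    # 1. an explicit section wins over any passwd or printcap entry
    if name in sections and name not in SPECIAL:
        return name, dict(sections[name])
    # 2. [homes] is cloned for a name found in /etc/passwd; the clone's path
    #    comes from the passwd entry because [homes] defines none
    if "homes" in sections and name in passwd:
        share = dict(sections["homes"])
        share["path"] = passwd[name]
        return name, share
    # 3. [printers] is cloned for a name found in /etc/printcap
    if "printers" in sections and name in printcap:
        share = dict(sections["printers"])
        share["printer name"] = name
        return name, share
    # 4. the default service, renamed to the requested name
    if default_service and default_service in sections:
        return name, dict(sections[default_service])
    raise InvalidNetworkName(requested)


def lookup_table(requests, default_service=None):
    """Resolve several names at once and report the path each one lands on."""
    out = {}
    for req in requests:
        try:
            out[req] = resolve_share(req, SECTIONS, PASSWD, PRINTCAP,
                                     default_service)[1]["path"]
        except InvalidNetworkName:
            out[req] = "invalid network name"
    return out
```

`lookup_table(["john", "jennie", "lp"])` lands john on /srv/john (the explicit section beats his home directory), jennie on /home/jennie (her home beats the printer of the same name), and lp on the printer spool.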

User verification
After Samba knows the share exists, it determines whether the user has share access. The following process determines which user is recorded as the one seeking access:
1. If the client has previously submitted a username/password pair that validated, that validated user is recorded as the user seeking access.
2. If the client has already submitted a valid username and now supplies a correct password, the validated user is recorded as the user seeking access.
3. The client's NetBIOS name and any previously used usernames are validated, using the operating system's standard mechanisms, with the supplied password. If any validate successfully, the validated user is recorded as the user seeking access.
4. If the client has previously validated a username/password pair with the server and passed the validation token in the share access request, the previously validated user is recorded as the user seeking access.
5. If a user = list has been specified on the share, the client has supplied a password, and a username from the share's list validates with that password, the validated user is recorded as the user seeking access.
After Samba determines the local user accessing the share, it checks the various parameters to determine whether that user can access the requested share. If that user is not allowed share access, Samba returns an access denied error.

However, even if Samba gives a user share access, two more sets of checks are completed before he or she can access the share’s files:
1. To write to files in the share, the share must be writable.
2. Normal Linux file permissions must be satisfied.
Configuring File Shares
To create a file share, place a share name in the smb.conf file. Enclose the share name in square brackets and then add all applicable parameters.
All smb.conf file parameters are share parameters unless specified as global in the [global] share. Placing share parameters in the global section makes them the defaults for all shares.
Basic share properties
Within the smb.conf file, several parameters defining the share’s basic properties may be specified. These include a share's write status, a share’s visibility status to other workstations, and the share’s text description that appears in browser lists.
The following table describes the basic share parameters.

Name         Default  Description
read only    true     Specifies that the share cannot be written to. Users named in the write list parameter are still given write access
writable     false    If set to true and the user has the correct permissions, the files on the share can be changed
comment               Describes the share's purpose and appears next to the share name
volume                Allows the volume label of the share to be changed. The default is the share's name
browsable    true     Appears in the visible shares list when browsing the Samba server
available    true     Allows connection to the share and access to its resources
path         /tmp     Specifies the Samba server's path to the file share
time offset  0        A global parameter: the number of minutes added to the server's time when converting timestamps for clients
Example
[tmp]
comment = temporary space
path = /tmp
browsable = true
writable = true
File selection
When creating a file share, you can limit which files and directories are visible. The hide files parameter sets the DOS hidden attribute on matching files so that clients do not list them by default, but they remain accessible; the veto files parameter makes matching files both invisible and inaccessible.
Controlling the use of symbolic links in file shares matters for security: when wide links is enabled, a user who can create a symbolic link inside a share can use it to reach files outside the share's path.
The following table lists the parameters that are available:

Name               Default  Description
hide files                  Specifies a list of files to mark as hidden
hide dot files     true     Specifies whether dot files are hidden
veto files                  Contains a list of files and directories that are invisible and inaccessible
delete veto files  false    Disallows the deletion of a directory that contains a vetoed file
dont descend                Contains a comma-separated list of directories Samba will not enter
follow symlinks    true     Follows symbolic links found in the file share
wide links         true     Follows links pointing outside the file share being accessed; set this to false so that symbolic links cannot escape the share
Example
Continue the temporary share defined above, adding some security:
[tmp]
comment = temporary space
path = /tmp
browsable = true
writable = true
follow symlinks = false

Guest shares
If you have a share you want to allow access without managing usernames and accounts, you can set up a guest share, also called an anonymous share. A guest share provides access without requiring a username and password. Access to the share will be allowed by anyone who can make a network connection to your Samba server.
The following table shows the parameters available in setting up guest access:
Name           Default  Description
guest ok       false    Specifies whether guest access to the share is allowed
guest account  nobody   Linux username used when the guest ok parameter is set to true
guest only     false    If set to true, only guest connections are allowed
Example
Again, a continuation from the previous example, making the share completely anonymous:
[tmp]
comment = temporary space
path = /tmp
browsable = true
writable = true
follow symlinks = false
guest ok = true
guest only = true
TIP:
Some older Windows clients do not send more than 8 characters for a share name. If you intend to use Samba in an environment with older clients (such as Windows 3.1), you should restrict share names to no more than 8 characters.
Restricting Access to Shares
A completely anonymous share is acceptable only if you limit who can reach it. One way to control access to a share is to restrict the hosts that may connect.
Restricting access by host
Samba uses a syntax similar to TCP Wrappers' to set share access restrictions.
The following table lists the parameters available to restrict hosts:
Name         Default  Description
hosts allow           List of hosts that are permitted share access
hosts deny            List of hosts that are denied share access
use rhosts   false    Specifies whether hosts can access without passwords using the rhosts mechanism
hosts equiv           Names a file of hosts that should be considered equivalent (in the security sense) to the Samba server
The last two grant passwordless access on the strength of the client's claimed host name, so leave them at their defaults unless you trust every host that can reach the server.
There are several rules for specifying hosts:
• Separate multiple hosts with commas or whitespace.
• Specify a host by either name or IP address.
• Specify IP address ranges in either network/netmask format or by partial IP address (for example 192.168.1.).
• If your system supports NIS netgroups, specify a group of hosts using @.
• The ALL keyword matches all IP addresses.
• The EXCEPT keyword excludes addresses from a range.

Configuring security policies
Using the hosts allow and hosts deny parameters allows two, mutually exclusive, types of access policy for file shares:
1. A "mostly open" policy leaves hosts allow unset and explicitly denies workstations by adding them to the hosts deny list. Do not set hosts allow to ALL for this: where the two lists conflict the allow list takes precedence, so an ALL entry in hosts allow would admit the very hosts named in hosts deny.
2. A "mostly closed" policy denies access to all workstations by setting hosts deny to ALL and explicitly enables access by adding workstations to the hosts allow list.
Your organization's security requirements determine the type of policy used, if any. A mostly closed policy is appropriate for a business network where confidential information is stored, whereas a mostly open policy may suit an educational environment.

The following code, which further restricts the temporary area, limits the access to only a couple workstations:
[tmp]
comment = temporary space
path = /tmp
browsable = true
writable = true
follow symlinks = false
guest ok = true
guest only = true
hosts deny = ALL
hosts allow = work01, work02
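The host-list rules and the two policies above, evaluated by an added Python example that is not Samba's code. It applies the entries (comma or whitespace separated; names or addresses; network/netmask or trailing-dot partial addresses; ALL; EXCEPT) in the order smbd uses, which mirrors TCP Wrappers: with neither list set everyone is admitted; with only hosts allow set, only its members are admitted; with only hosts deny set, everyone but its members is admitted; with both set, an allow match wins, then a deny match rejects, and anything else is admitted. NIS netgroups are left out. The client host name is passed in by the caller; smbd would get it from reverse DNS, which the client's network may control, so prefer address-based entries. The workstation names and addresses are constructed.

```python
"""hosts allow / hosts deny evaluation (added example, not Samba's own code).

Entries: ALL, network/netmask (or /bits), a trailing-dot partial address,
a full address, a leading-dot domain suffix, or a host name.  EXCEPT splits
a list into a main part and exclusions.  The decision order follows the
TCP Wrappers model smbd uses: allow list first, then deny list, then admit.
"""
import ipaddress


def _entry_matches(entry, addr, hostname):
    """Does one list entry match the client address / host name?"""
    if entry.upper() == "ALL":
        return True
    if "/" in entry:                                  # 10.0.0.0/255.0.0.0 or 10.0.0.0/8
        return ipaddress.ip_address(addr) in ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):                           # partial address: 192.168.1.
        return addr.startswith(entry)
    if entry.replace(".", "").isdigit():              # complete address
        return addr == entry
    if entry.startswith("."):                         # domain suffix: .example.com
        return bool(hostname) and hostname.lower().endswith(entry.lower())
    return bool(hostname) and hostname.lower() == entry.lower()


def _list_matches(spec, addr, hostname):
    """Match a whole list; EXCEPT splits it into a main part and exclusions."""
    tokens = spec.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        main, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        main, excluded = tokens, []
    return (any(_entry_matches(e, addr, hostname) for e in main)
            and not any(_entry_matches(e, addr, hostname) for e in excluded))


def host_allowed(hosts_allow, hosts_deny, addr, hostname=None):
    """smbd's decision for a client at addr (and its optional reverse-DNS name)."""
    allow_set, deny_set = bool(hosts_allow.split()), bool(hosts_deny.split())
    if not allow_set and not deny_set:
        return True
    if allow_set and not deny_set:
        return _list_matches(hosts_allow, addr, hostname)
    if deny_set and not allow_set:
        return not _list_matches(hosts_deny, addr, hostname)
    if _list_matches(hosts_allow, addr, hostname):    # allow list takes precedence
        return True
    if _list_matches(hosts_deny, addr, hostname):
        return False
    return True


def mostly_closed_example():
    """The [tmp] share above: hosts deny = ALL, hosts allow = work01, work02."""
    clients = (("work01", "10.1.1.1"), ("work02", "10.1.1.2"), ("laptop7", "10.1.1.77"))
    return {name: host_allowed("work01, work02", "ALL", addr, name)
            for name, addr in clients}
```

Note what `host_allowed("ALL", "10.2.3.4", "10.2.3.4")` returns: True, because the allow list is consulted first; the working mostly-open form is `host_allowed("", "10.2.3.4", "10.2.3.4")`, which is False.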

Restricting Access by User
If users do not use the same machine all the time, it might be easier to restrict share access by specifying usernames instead of workstation names.
Samba allows you to secure a share by user and group. These parameters can be combined with the host restriction parameters to provide flexible share access control.
The table below lists the user-level access restriction parameters:
Name Default Description
read list User listing of those who have read- only access
write list User listing of those allowed to write to the share's files
valid users User listing of those allowed share access
invalid users User listing of those denied share access

The valid users and invalid users parameters supersede the read list and write list. If a user is not allowed share access, then he or she will not be able to read from or write to files, even if he or she is in the read or write lists.
Linux Filesystem Permissions
Since Samba's shared files are stored on a Linux filesystem, you must manage file and directory access permissions, because they influence how the files are ultimately accessed.
The table below lists the parameters related to file creation and access:
Name                  Default  Description
create mask           0744     A mask bitwise ANDed with the permissions of each newly created file: permission bits absent from the mask are removed. It resembles a umask, but it lists the bits to keep rather than the bits to clear
directory mask        0755     The same kind of mask for newly created directories
force create mode     000      Permission bits bitwise ORed into every newly created file, after create mask has been applied
force directory mode  000      Permission bits bitwise ORed into every newly created directory, after directory mask has been applied
force user                     Forces all file operations performed on the share to be done as the specified Linux user
force group                    Forces all file operations on the share to be performed as the specified Linux group
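The mask-then-force arithmetic in the table, as an added Python example (not Samba's code). smbd starts from the mode it derives from the client's DOS attributes, 0666 for a plain file or 0777 for a directory, plus the owner execute bit when the archive attribute is mapped, as it is by default; the example applies the AND with the mask and then the OR with the force mode. The "project share" parameter set is an assumption chosen to show the two parameters pulling in opposite directions.

```python
"""create mask / force create mode arithmetic (added example, not Samba's code).

The starting mode is the one smbd derives from DOS attributes (0666 for a
file, 0777 for a directory, 0766 for a file whose archive bit is mapped).
It is ANDed with create mask or directory mask, then ORed with force create
mode or force directory mode.  Defaults are the ones in the table above.
"""
DEFAULTS = {
    "create mask": 0o744,
    "directory mask": 0o755,
    "force create mode": 0o000,
    "force directory mode": 0o000,
}


def effective_mode(requested, params=None, is_dir=False):
    """Mode a new file (or directory) ends up with under the given share params."""
    p = dict(DEFAULTS)
    p.update(params or {})
    mask = p["directory mask" if is_dir else "create mask"]
    force = p["force directory mode" if is_dir else "force create mode"]
    return (requested & mask) | force        # mask removes bits, force adds bits


def parse_mode(text):
    """smb.conf gives these values as octal strings, e.g. '0664'."""
    return int(text, 8)


def share_modes(params):
    """Resulting modes for the three typical starting modes, as octal strings."""
    cases = {
        "file, archive bit set": (0o766, False),
        "file, no DOS attributes": (0o666, False),
        "directory": (0o777, True),
    }
    return {label: format(effective_mode(mode, params, is_dir), "04o")
            for label, (mode, is_dir) in cases.items()}
```

The assertions below include the misconfiguration to watch for: a force create mode of 0002 adds world write to every file regardless of how tight the mask is.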
Using Windows to Modify Permissions
Windows 2000 and NT 4.0 users can change file and directory permissions on a Samba server through the Properties dialog box.
Linux has no archive, hidden or system attribute as such. Samba maps them onto the owner, world and group execute bits only when the map archive, map hidden and map system parameters are enabled (map archive is on by default, the other two are off), so selecting the hidden attribute has no effect unless map hidden is turned on.

Username Mapping
Sometimes, you may need to map a Windows username, such as "Administrator", to a Linux user, such as "root". You could do this by creating a Linux user named after your Windows user, but sometimes that is not feasible.
Samba allows you to map Windows' usernames to Linux usernames with a username map.
Create the map, usually /etc/username.map, and set the username map parameter to the file, as in:
username map = /etc/username.map
The username information format is a Linux username followed by an equal sign and then a list of Windows or Linux usernames. Only one entry is permitted per line. There are some additional points about username mapping including:
• Text after a # or a ; is ignored
• You can match any username with a * after the equal sign
• Specify Linux or NIS groups using the @ prefix after the equal sign
• Surround Windows usernames containing spaces with double quotes
With username mapping, you can group multiple Windows users into a single name. This allows you to preserve your Linux system's native
grouping (in /etc/group), but still have the ability to conglomerate users.
Example
The users john, mike, and rick map to the username proj:
proj = john mike rick
TIP:
If you specify a mapping that contains all users, such as with guest = *, then you need to precede all other group declarations that follow with an exclamation point (!).
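To make the mapping rules above concrete, here is an added example (not code from the page or from the Samba project) that parses a username map with the syntax just described and resolves a Windows name through it. The map text and the group table standing in for /etc/group are constructed for the example; only the proj line comes from the page. The "!" handling follows smb.conf(5): processing walks the file top to bottom, a matching line replaces the name being looked up, and a line prefixed with "!" stops processing once it matches. Group membership is looked up in the constructed dictionary rather than the real system so the script runs offline.

```python
import shlex

# Constructed username map for this example (only the "proj" line comes from
# the page). Lines prefixed with "!" stop further mapping once they match.
SAMPLE_MAP = """\
# Samba username map: unix_name = windows_name ...
!root = Administrator admin      ; stop once matched
!proj = john mike rick "Domain Users"
!ops = @wheel                    ; members of the Linux group wheel
guest = *                        ; wildcard catches everyone else
"""

# Constructed stand-in for /etc/group so the example runs offline.
SAMPLE_GROUPS = {"wheel": {"alice", "bob"}}


def parse_username_map(text):
    """Return a list of (unix_name, [patterns], stop_after_match) tuples."""
    entries = []
    for raw in text.splitlines():
        # text after # or ; is a comment
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        left, right = line.split("=", 1)
        left = left.strip()
        stop = left.startswith("!")
        unix_name = left.lstrip("!").strip()
        patterns = shlex.split(right)  # honours "names with spaces"
        if unix_name and patterns:
            entries.append((unix_name, patterns, stop))
    return entries


def pattern_matches(pattern, name, groups):
    """Match one right-hand-side token: *, @group, or a literal name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        members = groups.get(pattern[1:], set())
        return name.lower() in {m.lower() for m in members}
    return pattern.lower() == name.lower()  # Windows names are case-insensitive


def map_username(name, entries, groups=SAMPLE_GROUPS):
    """Walk the map top to bottom; a matched line replaces the name being
    looked up, so later lines (such as a wildcard) see the mapped name."""
    current = name
    for unix_name, patterns, stop in entries:
        if any(pattern_matches(p, current, groups) for p in patterns):
            current = unix_name
            if stop:
                break
    return current


if __name__ == "__main__":
    entries = parse_username_map(SAMPLE_MAP)
    for who in ("Administrator", "mike", "Domain Users", "alice", "visitor"):
        print(f"{who!r:16} -> {map_username(who, entries)}")
    # Without "!" the wildcard line swallows names mapped by earlier lines:
    naive = parse_username_map("proj = john mike rick\nguest = *\n")
    print("john without '!'  ->", map_username("john", naive))
```

The last two lines of the script show why the tip matters: with a plain "proj = john mike rick" followed by "guest = *", john is first mapped to proj and then, because the wildcard line also matches, ends up as guest.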

User Home Directories
When a user connecting to a file share has a Linux account on the Samba server, the user's home directory can be made accessible automatically with the [homes] share.
The [homes] share can use all the smb.conf file parameters that are applicable to normal file shares.
The following code listing is a sample configuration for user home directories:
[homes]
browsable = false
guest ok = false
read only = false
create mask = 0744
directory mask = 0750
No path is needed, because Samba retrieves this information from the /etc/passwd file. This is a feature available only for the homes share; for all other shares you must explicitly declare the path.

Advanced smb.conf Parameters
There are many more parameters available to configure Samba. A few of them will be discussed here. A complete listing is available in Samba's man page: man smb.conf.
Security
There are several parameters that can enhance the security of a Samba share. These include:
• determining who may have root access when connected to a file share.
• denying any anonymous logons.
• rejecting any accounts that have null passwords.
Opportunistic locks
The SMB protocol used by Samba and clients connecting to it contains a method of file locking called opportunistic locks or oplocks. This is a client-side protocol that allows SMB clients to cache file data instead of re-reading it from the server, resulting in significant performance improvement.

Unfortunately, oplocks only work correctly when all users access the share through the oplock mechanism provided by Samba. Users accessing files on a Samba share must do so through the SMB protocol or caching problems and data corruption can occur.
A Samba user may change the file's content, but when the file is accessed locally, the changes do not appear. This problem can occur if a file share refers to a directory that is accessible through NFS as well as from a Samba share. This can be especially true of Linux user home directories.
TIP:
By default oplocks are not enabled. If you do not have any outside access to the share's files (other than through Samba) or the share is completely read-only, enable oplocks with oplocks = true to reap a significant performance gain.
Magic scripts
Samba allows shell scripts and other commands to execute when certain events occur. This functionality allows for handling unusual situations such as mounting CDROM devices or performing post-processing of files copied to Samba file shares.
Internationalization
Samba supports the use of non-English characters in filenames through its internationalization features. Several of the international character sets defined by the ISO Standard 8859 are supported. This covers most Western and Eastern European languages as well as Russian Cyrillic and Japanese.

Maintaining and configuring Samba file shares is accomplished through the smb.conf file. This file lets you set which files can be accessed, who can access the files, how permissions are determined and if home directories should be mounted.
You learned about the importance of search order and how some shares might be unexpectedly available. You may restrict access to shares by host or by user. Also, remember that Windows and Linux do not have identical access permissions (such as the archive attribute).

Samba Printer Shares
Configuring and managing printers for a Samba server is necessary for a successful system. All of your users need to be able to print jobs to local printers and also may require access to special purpose printers. Samba provides quick and easy methods of configuration, management, and troubleshooting to aid you in this task.

After completing this chapter, you will be able to:
• configure printers under Samba.
• manage print jobs.
• troubleshoot printing problems.
Configuring Printers under Samba
By default, Samba uses the Linux system's /etc/printcap file to know what printers are available. Any printer you define in
/etc/printcap is immediately available to Samba through the [printers] share in smb.conf.

Globally configuring printers
All printers available to Samba follow the parameters set in the [printers] share. This allows administrators to set global parameters
across all print shares.
Example
[printers]
comment = Linux printer
path = /var/spool/samba/
printable = true
The [printers] share must, obviously, have the printable parameter set to true; otherwise, Samba will not offer any printer services.
Macro substitutions are allowed, and several related to printing are listed below:
• %s and %f are replaced with the spool file name.
• %p is replaced with the primary printer name.
• %j is replaced with the Linux job number.

Customizing individual printers
You can also set parameters that apply only to a specific printer. This may be useful for printers that need to be restricted to a certain set of users, such as a color printer or a printer in a restricted location.
To specify additional parameters for a printer, create a section in the smb.conf file using the primary printer name as the share's name, then add any additional parameters.
Example
If your /etc/printcap had entries such as:
lp|standard|bw-laser:\
:sd=/var/spool/lpd/standard:\
:mx#0:\
:sh:\
:rm=peepy:\
:rp=raw:\
:if=/var/spool/lpd/standard/filter:

color|color-laser:\
:sd=/var/spool/lpd/color:\
:mx#0:\
:sh:\
:rm=peepy:\
:rp=raw:\
:if=/var/spool/lpd/color/filter:

Then you could configure these printers individually as:
[lp]
comment = Basic black and white printer
guest ok = true
[color]
comment = Restricted color laser
guest ok = false
valid users = manager leads

Managing Print Jobs
Though print job management is the responsibility of the administrator outside of Samba, Samba administrators should be aware that Samba can also manage print jobs. Print job management includes tasks such as pausing, resuming, and removing jobs from the print queue. The table below shows the smb.conf file parameters used to implement this functionality:
Name              Default                  Description
printing          (not listed)             Sets the system's printing subsystem type. Linux will use either BSD or LPRNG
print command     lpr -r -P %p %s          Command to print a file once the Windows client has spooled the entire file to the Samba server
lpresume command  lpr -i %p -%j -H resume  Continues the printing of a previously stopped or suspended job
lprm command      (not listed)             The command used to remove a completed print job. Sometimes unnecessary when the print command removes the job

Samba is not responsible for removing printer spool files once the job completes; that is the responsibility of the print command.

Configuring and managing printers under Samba can be accomplished at either a global or individual level. This allows you to set the majority of your printers up quickly and also allows you to override the global parameters for special purpose printers. Samba may also be used to manage print jobs.

Password Management
Because Samba is used in environments with many different password management facilities, it can manage passwords in many different ways. You will find this flexibility very useful because Samba can grow with you as your use of Samba grows.
Chapter Objectives
After completing this chapter, you will be able to:
• describe how the SMB protocol provides password authentication.
• configure Samba to authenticate against the /etc/passwd file.
• configure Samba to use encrypted passwords.
• configure Samba to allow password changes from Windows clients.
• configure Samba to authenticate against another SMB server.
• configure password synchronization between Samba and Linux.
• configure your system to use the /etc/smbpasswd for all authentication.

The SMB Protocol and Passwords
When a client accesses your server, the SMB protocol transfers the client's authentication in an SMB request. This request carries the client's username and password in plain text, which is very insecure since anyone with a sniffer can capture your passwords.
The SMB protocol also supports encrypted passwords in later versions, such as found in Windows 98, NT 4.0, and 2000. Encrypted passwords use a challenge-response procedure, which Samba emulates faithfully.
In all, Windows supports four types of authentication:
Method Description
Plain- text The client sends a plain-text password
LMHash The client computes the LAN Manager hash of the user’s password and encrypts all server challenges with that hash
NTLM, NTLMv1 The client computes the NT hash of the user’s password and encrypts all server challenges with that hash
NTLMv2 The client computes the HMAC_MD4 hash of the user’s username and domain name (encrypted with the NT hash of the user’s password) and encrypts all server challenges with that hash
TIP:
Samba fully supports changing passwords from Windows clients. You can change passwords from Windows 95/98, NT, and with the newest versions of Samba, 2000. You can change your password when the Samba server is receiving plain text and encrypted passwords.

Standard Authentication
By default, Samba supports plain-text passwords. In all but the smallest networks, this is a definite security hazard.
With this method, Samba receives the user's password from the SMB protocol and encrypts it using the system's encryption scheme. The encrypted value is then compared against the value stored in /etc/passwd for authentication.
This mode is useful because all passwords are kept in the single /etc/passwd file. Unfortunately, this method also requires all users to have an account on the system, so username maps can't be used with any real benefit.
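The security parameters listed earlier (root access on a share, anonymous logons, null passwords) and the plain-text password hazard described in this section are all things an administrator can check for in smb.conf before the server goes live. The following is an added example, not code from the page or from Samba, that parses two constructed smb.conf fragments with Python's configparser and reports the weak settings: encrypt passwords not set to yes, null passwords = yes, admin users (root-equivalent on a share), and guest ok on a writable share. The parameter names are real smb.conf parameters; the share names, paths and user names are constructed for the example.

```python
import configparser

# Constructed smb.conf for this example (not from the page); every weak
# setting below is deliberate so the audit has something to report.
WEAK_SMB_CONF = """\
[global]
workgroup = EXAMPLE
security = user
encrypt passwords = no
null passwords = yes
admin users = alice

[public]
path = /srv/public
guest ok = yes
read only = no

[homes]
browsable = no
read only = no
"""

# The same shares with the settings tightened (also constructed).
HARDENED_SMB_CONF = """\
[global]
workgroup = EXAMPLE
security = user
encrypt passwords = yes
null passwords = no

[public]
path = /srv/public
guest ok = yes
read only = yes

[homes]
browsable = no
read only = no
valid users = %S
"""


def load_smb_conf(text):
    # smb.conf is INI-like ([share] sections with "name = value" lines),
    # so configparser is enough for a fragment like this.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_yes(value, default="no"):
    """Samba booleans: yes/true/1 are true; anything else is false."""
    if value is None:
        value = default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(section):
    # "writable"/"writeable" are synonyms for "read only = no"
    for key in ("writable", "writeable"):
        if section.get(key) is not None:
            return is_yes(section.get(key))
    return not is_yes(section.get("read only"), default="yes")


def audit_smb_conf(text):
    """Return a list of findings for the weak settings discussed in the text."""
    cp = load_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        g = cp["global"]
        if not is_yes(g.get("encrypt passwords")):
            findings.append("global: encrypt passwords is not yes, so clients send plain-text passwords")
        if is_yes(g.get("null passwords")):
            findings.append("global: null passwords = yes accepts accounts with empty passwords")
    for name in cp.sections():
        s = cp[name]
        admins = (s.get("admin users") or "").strip()
        if admins:
            scope = "every share" if name == "global" else "this share"
            findings.append(f"[{name}]: admin users = {admins} operate as root on {scope}")
        if name != "global" and is_yes(s.get("guest ok")) and share_is_writable(s):
            findings.append(f"[{name}]: guest ok on a writable share allows anonymous writes")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {len(audit_smb_conf(conf))} finding(s)")
        for f in audit_smb_conf(conf):
            print("  -", f)
```

Running the script reports four findings for the weak fragment and none for the hardened one. The checker only covers the parameters this chapter names; a real review would also run Samba's own testparm against the live file.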

Samba and Encrypted Passwords
Configuring Samba to use encrypted passwords is easily accomplished:
1. Add the following to the smb.conf file’s global share:
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
2. Create the /etc/smbpasswd file with the mksmbpasswd.sh script. This script translates the /etc/passwd file into the correct format for Samba to use:
$ mksmbpasswd.sh < /etc/passwd > /etc/smbpasswd
When you translate the passwords into Samba's format, you must be aware of several important factors:
• The encryption used in the Samba password file is different from that used in the system password file. Therefore, it's impossible to simply copy the encrypted password over, so you'll need to have Samba users create and update their Samba passwords.
• The script moves entries from /etc/passwd over directly, including special and non-user accounts like root, bin, and daemon. You should remove these entries.
TIP:
It might not be appropriate to migrate all your users from the /etc/passwd file and reset their passwords in one day.
This method is probably only appropriate for small systems or newly created systems.
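The second point above (system accounts such as root, bin and daemon are copied into /etc/smbpasswd and should be removed) is easy to get wrong by hand. Here is an added example, not the mksmbpasswd.sh script itself nor code from the page, that performs the same translation in Python but skips the accounts you would otherwise have to delete. The passwd lines are constructed; the output line layout is assumed to mirror what mksmbpasswd.sh writes (username, uid, 32 X's for the LM hash, 32 X's for the NT hash, the [U          ] flags field, an LCT-00000000 last-change stamp, then gecos, home and shell). The X-filled hash fields mean no password is set, so each user still has to have a real Samba password set with smbpasswd before they can log in, which is exactly what the first point above says.

```python
# Constructed /etc/passwd excerpt (not from the page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
"""

# Accounts that should never get a Samba entry (the page names root, bin
# and daemon; the rest are assumed for the example).
SYSTEM_ACCOUNTS = {"root", "bin", "daemon", "sys", "nobody"}

# 32 X's in a hash field mean "no password set" in the smbpasswd format.
NO_HASH = "X" * 32


def passwd_to_smbpasswd(passwd_text, min_uid=1000, skip=SYSTEM_ACCOUNTS):
    """Translate passwd lines into smbpasswd lines, dropping system accounts.

    Entries are skipped when the user name is in `skip` or the uid is below
    `min_uid` (both thresholds are assumptions for this example).
    """
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a user record
        user, _pw, uid, _gid, gecos, home, shell = fields[:7]
        if user in skip or int(uid) < min_uid:
            continue
        entries.append(
            f"{user}:{uid}:{NO_HASH}:{NO_HASH}:[U          ]:LCT-00000000:"
            f"{gecos}:{home}:{shell}"
        )
    return entries


if __name__ == "__main__":
    for entry in passwd_to_smbpasswd(SAMPLE_PASSWD):
        print(entry)
```

On the sample input only alice and bob survive; root, bin and daemon are filtered out by both the name list and the uid threshold.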
Extracting hashed passwords from NT
It is possible to extract NT and LM password hashes kept in the Windows NT registry with a tool called pwdump2.
After you have downloaded and extracted the file, you will need to run the command on an existing Windows NT server:
[C:\] pwdump2 pid > smbpasswd
You must replace "pid" with the process ID of the lsass.exe program running on the NT password server. Then transfer the created
smbpasswd file to your Samba server and your users will not lose their passwords.

Authentication Against Another SMB Server
Samba can be integrated into NT-based networks in two different ways. It can act as an SMB server doing pass-through authentication or it can be a domain member, with a primary or backup domain controller performing all authentication.
The following diagram shows a Samba server operating in either of these modes:

[Diagram: the client sends an authentication request to the Samba server; Samba passes it through to the SMB server (pass-through); the SMB server's response comes back to Samba, which returns an authentication response to the client.]

The following steps must be followed for both methods:
1. Your Samba server must be configured for encrypted passwords. You will need to add the following parameter to the global share of your smb.conf file: encrypt passwords = yes
2. If you are using security = domain, you must also ensure that your Samba server is in the same domain or workgroup as the server you are authenticating against. You will need to include the appropriate workgroup parameter in the global share of your smb.conf file.
workgroup = the-workgroup
3. The password server parameter must be set up, which specifies the NetBIOS names of one or more password servers your Samba server will authenticate against. For example:
password server = server1 server2

Pass-through authentication configuration
To pass authentication on to another server, you must use the security = server parameter in the global share.
Example
[global]
workgroup = myworkgroup
security = server
encrypt passwords = yes
password server = server1 server2
Domain controller configuration
In order for Samba to authenticate against domain controllers, your Samba server must be a domain member in the domain in which the controllers exist. This is a two-step process on the Samba server:
1. Use domain security, as below:
[global]
workgroup = mydomain
security = domain
encrypt passwords = yes
password server = my-pdc, my-bdc
2. Join the domain in which the domain controllers exist with the smbpasswd command:
$ smbpasswd -j mydomain
In addition, you must have added your Samba server as a domain member, by using either User Manager for Domains if your domain controllers are Windows NT servers or the following if your domain controller is a Samba server:
# note: Windows requires the ending $
$ useradd machine$
$ smbpasswd -a -m machine
