Building Tablet PC Applications (Pro-Developer)

There are three default Samba configuration files, all located in the /etc/samba directory. Two of them, lmhosts and smbusers, are fairly simple. The third, smb.conf, is the main Samba configuration file and the one we'll focus on in this section.

Note  

You may also find a secrets.tdb file in this directory, which normally includes the security identifier (SID) used on a Microsoft Windows network.

If you're going to follow along with this book, we suggest that you back up these files in another directory. That way, if you lose track of your changes, you can restore these files without reinstalling the applicable packages.

The smb.conf file especially includes a substantial number of useful comments that help you learn to configure Samba. If you're just learning Samba, you should back up smb.conf for three reasons:

Samba Daemons

There are two basic Samba daemons: smbd and nmbd. After changing any configuration file, you should at least reload Samba. When you edit the main Samba configuration file, /etc/samba/smb.conf, you need to make Samba read your changes with the service smb reload command. However, if you've made any major changes, it's useful to restart both daemons. Restarting the smbd daemon with the following command stops and starts both smbd and nmbd automatically:

# service smb restart

Other Samba Configuration Files

The other files in the /etc/samba directory are lmhosts and smbusers. As we mentioned earlier, they are fairly simple files. Other files may be added during the Samba configuration process.

lmhosts

Similar to /etc/hosts, the lmhosts file is a database of IP addresses and NetBIOS names. A NetBIOS name is the name of a Microsoft Windows computer, typically limited to 15 alphanumeric characters. The default lmhosts file includes one line; Microsoft operating systems also use the localhost name to refer to the local computer:

127.0.0.1 localhost

smbusers

The smbusers file is a database of Linux and Microsoft Windows usernames. By default, it includes two lines:

root = administrator admin
nobody = guest pcguest smbguest

In other words, the Linux root user is mapped to the Microsoft accounts administrator and admin; the Linux nobody user is mapped to the Microsoft accounts guest, pcguest, and smbguest.

You can add to this file by using the smbadduser command. For example, say you have a Linux user jp and a Windows user Jean-Paul on your network. The commands shown in Figure 29.5 allow your Linux user jp to access user Jean-Paul's files on a Microsoft computer on your LAN.

Figure 29.5: Adding a Samba user

The commands shown in Figure 29.5 add a simple line to /etc/samba/smbusers:

jp = Jean-Paul

This database won't work until you activate the following line in smb.conf:

; username map = /etc/samba/smbusers

In Samba configuration, the hash mark (#) and the semicolon (;) are both used to start comment lines. To activate this line, open /etc/samba/smb.conf in a text editor and delete the semicolon from the front of this line. A number of other lines in smb.conf include the semicolon; the rest of this chapter explains what happens if you delete various semicolons to activate specific commands.
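As an added example (not from the book or the Samba project), the following POSIX shell helpers automate the "delete the semicolon" step and let you confirm the result: activate_param strips the leading ; or # from one commented-out parameter line, and param_value prints the active value of a parameter inside a given [section], skipping any line that is still a comment. The smb.conf fragment written by write_demo_conf is constructed for the demo, and the function names are this example's own.

```sh
#!/bin/sh
# write_demo_conf PATH: writes a constructed smb.conf fragment for the demo.
write_demo_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = MYGROUP
;  username map = /etc/samba/smbusers
#  hosts allow = 192.168.1. 127.

[homes]
   browseable = no
EOF
}

# activate_param FILE PARAM: remove the ";" or "#" in front of "PARAM = ...".
# Only a line that is a commented-out assignment of PARAM changes; the marker
# and the spaces after it go, everything else on the line stays as it was.
activate_param() {
    tmp=$(mktemp) || return 1
    sed "s/^[[:space:]]*[;#][[:space:]]*\($2[[:space:]]*=\)/\1/" "$1" > "$tmp" \
        && cat "$tmp" > "$1"      # cat keeps the original file's owner and mode
    rm -f "$tmp"
}

# param_value FILE SECTION PARAM: print the active value of PARAM inside
# [SECTION]; prints nothing if it is absent or still commented out.
param_value() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*[;#]/ { next }          # comment line: never a live setting
        /^[[:space:]]*\[/ {                   # section header: remember its name
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == want && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Demo: activate the username map line in a scratch copy and read it back.
demo_conf=$(mktemp)
write_demo_conf "$demo_conf"
activate_param "$demo_conf" 'username map'
echo "username map is now: $(param_value "$demo_conf" global 'username map')"
rm -f "$demo_conf"
```

Run testparm on the real file after every activate_param call; these helpers only edit and read text, they do not know which parameter names Samba accepts.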

Once you begin adding Samba users, Linux adds an smbpasswd file to the /etc/samba directory. It includes the Microsoft Windows passwords that you've added, in encrypted format.
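The default smbusers file maps the Windows names administrator and admin onto the Linux root account, so it is worth being able to answer "which Windows names end up as root?" from the map file itself. The following added example (not from the book) resolves a Windows username through an smbusers-style file of the form "linuxuser = winname1 winname2 ..." and lists every Windows name that lands on root. The map content in write_demo_smbusers is constructed for the demo, and the case-insensitive comparison is this example's assumption about how Windows names are matched.

```sh
#!/bin/sh
# write_demo_smbusers PATH: a constructed smbusers file (default two lines plus jp).
write_demo_smbusers() {
    cat > "$1" <<'EOF'
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
jp = Jean-Paul
EOF
}

# resolve_windows_user WINNAME MAPFILE: print the Linux account the Windows
# name maps to, or nothing if the name is not in the file.
resolve_windows_user() {
    awk -v win="$1" '
        /^[[:space:]]*[;#]/ || !index($0, "=") { next }   # comments and non-map lines
        {
            linux = $0; sub(/[[:space:]]*=.*$/, "", linux); sub(/^[[:space:]]+/, "", linux)
            rhs = $0; sub(/^[^=]*=/, "", rhs)
            n = split(rhs, names, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "" && tolower(names[i]) == tolower(win)) { print linux; exit }
        }' "$2"
}

# root_mapped_names MAPFILE: print every Windows name mapped onto Linux root,
# one per line. An empty result means no Windows logon name becomes root.
root_mapped_names() {
    awk '
        /^[[:space:]]*[;#]/ || !index($0, "=") { next }
        {
            linux = $0; sub(/[[:space:]]*=.*$/, "", linux); sub(/^[[:space:]]+/, "", linux)
            if (linux != "root") next
            rhs = $0; sub(/^[^=]*=/, "", rhs)
            n = split(rhs, names, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }' "$1"
}

# Demo on the constructed file.
demo_map=$(mktemp)
write_demo_smbusers "$demo_map"
echo "Jean-Paul -> $(resolve_windows_user Jean-Paul "$demo_map")"
echo "Windows names that become root: $(root_mapped_names "$demo_map" | tr '\n' ' ')"
rm -f "$demo_map"
```

Point root_mapped_names at /etc/samba/smbusers on a live server to see whether the username map hands root to any Windows logon name; the map is only consulted once the username map line in smb.conf is active.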

The Main Samba File: smb.conf

The default Samba configuration file, /etc/samba/smb.conf, includes a number of comments that make it a rich source of information. However, the comments may be cryptic to those of you who are less familiar with the Samba service. If you haven't already done so, save a copy of this file in another directory.

Note  

If you've already configured Samba, you may not have the original smb.conf file with comments. You can get another copy by backing up and then removing your current Samba configuration files from /etc/samba, then reinstalling the samba-common-* package with the rpm -Uvh --force samba-common-* command. Don't forget to restore your original Samba configuration files when you're done.

The smb.conf file includes global settings for connecting to a desired Microsoft Windows-based network. It also includes share definitions for any directories and printers that you might want to share with other computers on your LAN. Different groups of settings help you work in a LAN that's configured as a Microsoft workgroup, as a member server, or even as a primary or backup domain controller.

The following sections include a basic analysis of the standard settings in /etc/samba/smb.conf, in order. Later in this chapter, you'll use SWAT and redhat-config-samba to configure smb.conf.

The following section analyzes the smb.conf file from the Red Hat samba-* RPM package. Many of the settings in this version of smb.conf vary from the Samba defaults.

Samba Global Settings

The smb.conf file contains a substantial number of [global] variables. If you don't use a variable, Samba will assume the default for that variable.

With different global variables, you can:

Linux is case sensitive and Windows is not; Samba helps you bridge the difference.

Basic Network Type

The first global variable describes the type of network that you're trying to join. While the name of the variable is workgroup, you can set it to the name of your Microsoft network's workgroup or domain. For example, if your network's domain is named bignet, substitute the following line in smb.conf:

workgroup=BIGNET

Samba also can include a description of your computer; Figure 29.6 reflects the following command for the computer named RH9test:

server string = Mikes Samba Server

Figure 29.6: A Microsoft Windows view of a shared Samba server

IP Address Limits

You can limit access to Samba through the iptables commands described in Chapter 22. You can further limit access with the hosts allow command. For example, either of the following commands limits access to the local computer and the 10.122.33.0 network:

hosts allow = 10.122.33. 127.
hosts allow = 10.122.33.0/255.255.255.0 127.
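To see what the two spellings above actually admit, here is an added example (not from the book or Samba's own code) that matches a client address against a hosts allow list written in either form: a trailing-dot prefix such as "10.122.33." or "127.", a network/netmask pair such as "10.122.33.0/255.255.255.0", a CIDR length such as "10.122.33.0/24", or a bare address. The function names and the sample addresses are this example's own.

```sh
#!/bin/sh
# ip4_to_int A.B.C.D: dotted quad as a 32-bit integer (for mask arithmetic).
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# host_allowed IP "ENTRY ENTRY ...": return 0 if IP matches any entry of a
# hosts allow list, 1 otherwise. An empty list denies, which differs from
# Samba, where an absent hosts allow means every host is allowed.
host_allowed() {
    local ip="$1" list="$2" entry ipn net mask bits
    ipn=$(ip4_to_int "$ip")
    for entry in $list; do
        case $entry in
            */*)    # network/mask form: 10.122.33.0/255.255.255.0 or 10.122.33.0/24
                net=${entry%/*}; bits=${entry#*/}
                case $bits in
                    *.*) mask=$(ip4_to_int "$bits") ;;
                    *)   mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) )) ;;
                esac
                [ $(( ipn & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ] && return 0 ;;
            *.)     # trailing-dot prefix form: "10.122.33." or "127."
                case $ip in "$entry"*) return 0 ;; esac ;;
            *)      # bare address: exact match only
                [ "$ip" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Demo with the two lists from the text and a few constructed client addresses.
for client in 10.122.33.7 127.0.0.1 10.122.34.7 192.168.1.5; do
    if host_allowed "$client" "10.122.33. 127."; then verdict=allowed; else verdict=denied; fi
    echo "$client: $verdict"
done
```

Both lists admit the 10.122.33.0/24 network and loopback and deny everything else; the prefix form is shorter but only works for networks that end on a dotted-quad boundary, which is why the netmask form exists.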

Samba and Printers

By default, printers are included in the list of shared, browsable items. The following commands load the list of printers from /etc/printcap for a standard CUPS-based system:

printcap name = /etc/printcap
load printers = yes
printing = cups

Note  

There are a number of parameters in Samba that look like they are misspelled. They may still be good. For example, browsable works as well as browseable and writable works as well as writeable.

Alternatively, if you're using LPD (see Chapter 25), substitute the following values:

printcap name = /etc/printcap
load printers = yes
printing = lprng

Guest Accounts

Samba lets you create a standard guest account. For example, if you're setting up a workstation for people in a lobby, you may want them to access your advertising but nothing else. If you activate the standard line below, make sure that pcguest is a real user on your Linux system:

; guest account = pcguest

Log Files

The following option configures different log files for each computer that connects to your Samba server. For example, if you have a Windows computer named Havel, the following line means that you can find debugging information in havel.log in the noted directory. A max log size of 0 means that there is no limit on the size of these log files; other limits are in kilobytes.

log file = /var/log/samba/%m.log
max log size = 0

Note  

Any expression in smb.conf that starts with a % can vary. For example, %m represents the name of the client computer, and thus changes depending on the client.

Security Modes

There are several basic security modes on Microsoft Windows networks. Generally, what you select is based on the conditions for the shared directory and the type of shared network. The options are described in Table 29.4.

security = share
security = user
security = server
security = domain

Table 29.4: Samba Security Modes

Mode     Description
share    For systems where shared directories do not require anything more than a password for access; most common for workgroups of peer-to-peer computers without any dedicated servers.
user     For systems where shared directories are limited by usernames and passwords; common to server-level computers such as Windows 2000, Windows XP, and yes, Linux, on a peer-to-peer workgroup network.
server   For systems where usernames and passwords are kept in a centralized database on another server; if such a database cannot be found, this reverts to security = user.
domain   For systems that are connecting to a Windows-style domain; requires smbusers and smbpasswd database files in /etc/samba.

Password Settings

Several password settings are available in Samba. If you re configuring a central server for Microsoft Windows usernames and passwords, you can specify it here. The PDC can even be located on a Samba-enabled Linux computer.

If you have set security = share or security = domain , you should also specify the password servers for the network. For example, if you know that the names of your PDC and BDC are ntserv1 and ntserv2, you could insert the following command:

password server = ntserv1 ntserv2

Or, if you don't know the names of your PDC or BDC, the following command sets your Samba server on a search for domain controllers:

password server = *

Several Microsoft Windows operating systems don't work very well with passwords containing mixed upper- and lowercase characters. The following commands, if active, try all combinations of upper- and lowercase characters on an eight-character password and username:

; password level = 8
; username level = 8

Normally, Samba is configured to send encrypted passwords from the standard Samba passwords file. Remember, this password file includes Microsoft Windows usernames and passwords that you added with the smbadduser command. However, not all Microsoft Windows computers can handle encrypted passwords.

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

Without these commands, Samba would revert to the default, sending passwords over the network in clear text. That's still required for the first versions of Microsoft Windows 95 and earlier Microsoft operating systems.

If you ve configured Samba with Secure Socket Layer (SSL) libraries, activate the following command:

; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

If users change their passwords on a Microsoft Windows computer, the following commands synchronize the corresponding Linux password:

unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd: ? *all*authentication*tokens*updated*successfully*

Finally, you can use Pluggable Authentication Modules (PAM) to help secure your passwords (see Chapter 22); a PAM command supersedes the password program variable:

pam password change = yes

There's one more PAM command a few lines away. If you do set up clear-text passwords, the following command uses PAM to control access to your system:

obey pam restrictions = yes

Mapping Linux and Windows Users

As described earlier, you can match your Linux and Windows users with different usernames. When you use the smbadduser command, the result is stored in a database in /etc/samba/smbusers . You can also edit this file directly. If you plan to use this database, activate the following command:

; username map = /etc/samba/smbusers

Customizing Samba by Computer

You can configure Samba servers on remote computers. If you activate the following command, each computer will look for a specific configuration file. For example, if your Windows computer name is Chirac, the %m variable makes it look for the /etc/samba/smb.conf.Chirac configuration file when it connects.

; include = /etc/samba/smb.conf.%m

Performance Management

When you're more comfortable with Samba, you'll learn to optimize network performance. What you do depends on the size and traffic on your network. In the following command, TCP_NODELAY often doubles Samba performance. The SO_RCVBUF and SO_SNDBUF variables are buffers for data coming in and out of Samba. Optimal settings vary with the load on your Samba server. If you want to experiment, adjust each by 1KB (e.g., SO_RCVBUF=7168 or SO_RCVBUF=9216):

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Network Interfaces

Servers can be configured with multiple network interface cards. You can limit Samba access to one network card, or you can set a Samba server to work with a specific remote network. For example, the following line sets Samba to work with the eth1 network interface card and the 172.168.33.0 IP network address:

interfaces = eth1 172.168.33.0/24

Browsing

On a Microsoft Windows-based network, browsing is the ability of computers to see available shared directories and printers. One computer is selected as a browse master; other computers with shares send their information to that computer.

You can even set your Samba server to send its shares to a remote network. If you don't know the IP address of the master browser on that network, just use the broadcast address. For example, the following command synchronizes browse lists between your LAN and the 192.168.1.0 network:

remote browse sync = 192.168.1.255

This command just sends your Samba server's browse information to that network (alternatively, you can specify the IP address of the browse master computer):

remote announce = 192.168.1.255

One computer on a Microsoft network keeps the browse list. An election is held to determine that computer; even a Samba server can be elected to maintain the browse list. However, the following command keeps the Samba server out of the election:

; local master = no

If you want your Samba server to participate in a browse election, you can fix its chances with the following command. At this level, Samba will normally win a browse election against any computer but a domain controller or a Microsoft Windows NT server:

; os level = 33

If you don t want to leave anything to chance, you can set Samba to be the master browser for your domain:

; domain master = yes

If your Samba server is underworked, you may want to set it to be the preferred master browser with the following command:

; preferred master = yes

Logon Management

If you have a Linux computer and Microsoft Windows computers on your network, you can set Samba to control the username and password database as a PDC for that network by activating the following command:

; domain logons = yes

Note  

This also requires user level security and a [netlogon] directory, which are described in other parts of this file.

A Microsoft network lets you configure logons by user or by computer. Each is configured by a logon script, which you can store on your Samba server. %m corresponds to each computer (machine) and %U corresponds to each user:

; logon script = %m.bat
; logon script = %U.bat

With a centralized profile, logons by user can provide a consistent look and feel for that user on any Microsoft computer on that network. You can store the profiles on your Samba server, in the logon path. %L represents the name of the server, while %U is the username:

; logon path = \\%L\Profiles\%U

WINS and DNS

The Windows Internet Name Service (WINS) is similar to DNS, except that it is a database of NetBIOS names and IP addresses. If Samba isn't able to find the name of a computer in /etc/hosts, WINS and DNS provide two alternative databases.

The following command sets up WINS on the local Samba server:

; wins support = yes

Alternatively, you can look to a different WINS server on a specific IP address (the address shown is arbitrary; substitute appropriately). In this case, your Samba server becomes a WINS client:

; wins server = 192.168.0.22

If your Microsoft-based network includes older computers, you may want to activate this command to allow all computers access to the WINS database:

; wins proxy = yes

Or, if the computer is not in the WINS database, you can set up your DNS server as an alternate database by activating this command:

; dns proxy = yes

Case Management

Linux is a case-sensitive operating system; Microsoft operating systems are not. Normally, Samba preserves the case of transferred files. You can force everything into lower case; the following commands affect long filenames and filenames that follow the old Microsoft 8.3 filename format (e.g., abcdefgh.123):

; preserve case = no
; short preserve case = no

In contrast, you can set all files to default to uppercase with the following command:

; default case = upper

If all of your users are disciplined about case-sensitive filenames on all computers on your network, you may be able to make your Samba server case-sensitive too with this command:

; case sensitive = yes

Remember, Microsoft Windows is not a case-sensitive operating system; if you activate case-sensitivity, any mistakes in the case of various filenames can cause problems.

Note  

Configuring Samba as a PDC is a rich and complex topic, which itself could fill a book this size. For more information, review the latest Samba HOWTO, available online at us1.samba.org/samba/docs/Samba-HOWTO-Collection.html .

Default Global Settings

Default settings for global variables are listed in Table 29.5. Remember, if you use a default parameter, you don't even need to include it in smb.conf; tools such as SWAT and redhat-config-samba will delete it when you use them to update smb.conf.

Table 29.5: Default smb.conf Global Settings

Variable               Default
case sensitive         no
default case           lower
dns proxy              yes
domain logons          no
encrypt passwords      no
guest account          nobody
hosts allow            All hosts allowed access
include                No default
interfaces             All active interfaces except 127.0.0.1 (if you can send a broadcast message to that address)
load printers          yes
local master           yes
log file               No default
logon path             \\%N\%U\profile, where %N is the NIS server and %U is the username
logon script           No default
max log size           5000 (KB)
obey pam restrictions  no
pam password change    no
passwd chat            *new*password* %n\n *new*password* %n\n* changed
passwd program         /bin/passwd
password server        No default
password level
preferred master       auto
preserve case          yes
printcap name          /etc/printcap
printing               No default
remote announce        No default
remote browse sync     No default
security               user
server string          Samba %v, where %v = version number
short preserve case    yes
smb passwd file        No default
socket options         TCP_NODELAY
ssl CA certFile        /usr/local/ssl/certs/trustedCAs.pem
unix password sync     no
username level
username map           No default
wins proxy             no
wins server            Not enabled
wins support           no
workgroup              WORKGROUP

Configuring a Share

Now it's time to analyze the way directories are shared from the packaged smb.conf configuration file. There are seven examples of shared directories in the standard smb.conf file; once we examine each of these examples, you'll have a much better idea of how to configure your own shared directories.

The [homes] Share

Microsoft Windows users with accounts on your Linux computer can get read and write access to their own home directories. All you need are the following standard commands in smb.conf:

[homes]
    comment = Home Directories
    browseable = no
    writeable = yes
    valid users = %S
    create mode = 0664
    directory mode = 0775

These commands are explained in Table 29.6.

Table 29.6: Typical Samba Home Directory Share Commands

Command                      Description
[homes]                      This is a standard special section in smb.conf.
comment = Home Directories   This command describes the share for Windows Network Neighborhood, My Network Places, or smbclient -L \\hostname.
browseable = no              Normally, browseable = no keeps the shared directory from being shown in Network Neighborhood or My Network Places; this does not apply to users' own home directories.
writeable = yes              This command allows users to write to that directory; you can also use read only = no.
valid users = %S             The %S is the name of the service, which in this case is associated with the user.
create mode = 0644           This command sets rw-r--r-- permissions on new files. It does not override permissions set on Windows NT/2000/XP computers. It's also known as create mask.
directory mode = 0775        This command sets rwxr-xr-x permissions on new directories. It does not override permissions set on Windows NT/2000/XP computers. It's also known as directory mask.

To get to their directory from a Microsoft Windows computer, users simply must enter their Linux username and password in the Connect To Computername window, shown in Figure 29.7.

Figure 29.7: Connecting to a shared Samba home directory

The [tmp] Share

You can set up the /tmp directory as a common place for users on your network to share files. The following commands set it up as accessible for any user:

[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes

These commands are straightforward; the comment is added to the Windows Network Neighborhood or My Network Places view of /tmp; any valid user can write to this directory. The public = yes command is new and is synonymous with guest ok = yes . In other words, a password is not even required.

The [public] Share

You don't need to share directories with everyone. Similar to the User Private Group scheme described in Chapter 09, you can set up a directory that's readable to all, but writeable only by users in the group named staff:

[public]
    comment = Public Stuff
    path = /home/samba
    public = yes
    writable = yes
    printable = no
    write list = @staff

Before you set up this particular share, you need to make sure there is a /home/samba directory, as well as a staff group, in /etc/groups .

Another [public] Share

One variation may be useful for more public situations; the commands that follow configure a directory where all files are readable and writeable by all users. However, the only guest = yes command means that any user who connects to this directory has only the privileges of the guest user. Of course, you need to make sure that the path directory (in this case, /usr/somewhere/else/public) actually exists.

[public]
    path = /usr/somewhere/else/public
    public = yes
    only guest = yes
    writable = yes
    printable = no

A Share for Two

One more variation configures a share with just two valid users, in this case Mary and Fred. While it isn't a public share, you'll see later that browseable = yes by default. In other words, other users can see Mary and Fred's share, but they can't access their shared directory unless they have one of their usernames and passwords:

[myshare]
    comment = Marys and Freds stuff
    path = /usr/somewhere/shared
    valid users = mary fred
    public = no
    writable = yes
    printable = no
    create mask = 0765

Remember, the items noted have to exist on the Samba server. In this case, that includes the /usr/somewhere/shared directory and the users named mary and fred.

A Private Directory

You can configure a private directory other than their home directory for individual users. For example, the following commands set up a private directory, /usr/somewhere/private, for the Linux user named fred. Since public = no, guest users are not allowed to access this directory.

[fredsdir]
    comment = Freds Service
    path = /usr/somewhere/private
    valid users = fred
    public = no
    writable = yes
    printable = no

A Shared Directory for a Computer

You can configure a directory just for a specific computer. This can be quite useful for different users on the same computer. For example, it's a good place for someone in a factory to leave information for his or her counterpart on a different shift:

[pchome]
    comment = PC Directories
    path = /usr/local/pc/%m
    public = no
    writable = yes

You just need to create the directory listed as the path . Remember, %m represents the name of the computer. For example, if a computer named factory1 is trying to connect, the previous path command means that you need to create a /usr/local/pc/factory1 directory.

Sharing a Printer

If you've configured CUPS printers, you still need to configure the basic share. Even though the standard smb.conf file suggests the BSD-style print system, the following commands work with CUPS printers as well:

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

If you have a single LPD printer you want to share, a different preconfigured share is available in the standard smb.conf file to provide exclusive use, in this case to the user named fred:

[fredsprn]
    comment = Freds Printer
    valid users = fred
    path = /home/fred
    printer = freds_printer
    public = no
    writable = no
    printable = yes

The limit implied by writable = no does not affect print spool directories; your computer can still send print spool files to the print server.

Configuring Logon Directories

When you use Samba to configure your Linux computer as a domain controller (PDC or BDC) on a Microsoft network, you need to configure logon and profile paths for each user. As before, the directories shown must already exist.

The following commands can configure logons to a Microsoft Windows-style domain, based on the directory specified by path:

[netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/lib/netlogon
    guest ok = yes
    writable = no
    share modes = no

This is one directory where you want share modes = no; otherwise, a cracker might figure out how to get every user's logon information.

The following commands can configure profiles locally for users who log in to your Samba server as if it were a Microsoft Windows server:

[Profiles]
    path = /usr/local/samba/profiles
    browseable = no
    guest ok = yes

Default Share Settings

Default settings for shared directories and printers are listed in Table 29.7. Remember, if you use a default parameter, you don't even need to include it in smb.conf; tools such as SWAT and redhat-config-samba delete default settings in smb.conf.

Table 29.7: Default smb.conf Share Settings

Variable         Default
browseable       yes
comment          No default
create mode      a.k.a. create mask = 0744
directory mode   a.k.a. directory mask = 0755
guest ok         no
path             No default
printable        no
public           a.k.a. guest ok = no
read only        yes
writable         no (the true default is read only = yes)
write list       No default
valid users      No default (any standard user can log in)

A Samba Troubleshooting Checklist

Samba configuration files, especially smb.conf, can be quite large. Small errors can throw a monkey wrench into your service. It's easy to spend a few hours revising your configuration when the problem is as simple as an extra firewall.

When troubleshooting, the first thing you should do is check the syntax of the smb.conf file. Pay particular attention to comments; it's common to accidentally delete a comment code such as ; or #. Next, you should check the browse list from the local Samba server. If the local browse list is good, take a careful look at your network. And there are a number of valid smb.conf settings that can cause problems.

Testing smb.conf

Once you've configured smb.conf, it's easy to test. The testparm command acts as a syntax checker for your Samba configuration file. If you don't specify the location, testparm automatically checks the smb.conf file in the /etc/samba directory.

Before restarting or reloading the smb daemon, run testparm. If you've made a small mistake in editing, it can point you right to the source of the problem in smb.conf, which can save you a lot of grief.

Checking the Local Samba Browse List

Once you've restarted Samba, check the list of what you're sharing by using the smbclient command. If you see the right list on the Samba server, you should be able to see the same list on Microsoft Windows computers on your network, barring a network- or firewall-related problem. For example, the following command checks the list on the computer named RH9test; mj is a user on that computer:

# smbclient -L \\RH9test -U mj

You're prompted for mj's password, then you should see the browse list for the RH9test computer. In the example shown in Figure 29.8, you can also see the members of the workgroups named WORKGROUP and MYGROUP.

Figure 29.8: Checking a local Samba server

Note  

Don t forget that the samba user should be in the /etc/samba/smbusers file; we did this earlier with the smbadduser command.

Checking Your Network

As discussed in Chapter 21, most network problems are physical; you may have a problem with a loose cable, no power on a hub, or a similar issue. We examined a number of commands in Chapter 21, such as ping and netstat, that help you check the status of a network.

One problem I often run into is firewalls. If there's a firewall on the Samba server, it can block communication with clients. If your Samba server can't see clients, you won't be able to log onto a shared Samba directory or printer.

Other Samba Issues

I've encountered other problems with Samba, mostly related to mistakes that I've made in the smb.conf configuration file. Some mistakes are valid options, as they'll pass a testparm syntax check, but they won't represent your Samba server properly on your LAN. Sometimes you can get clues from the applicable log file. As described earlier, there are default log files specific to each Samba client. For example, Figure 29.9 lists connections from the computer named laptop2.

Figure 29.9: Samba log file problems for a specific client

Common mistakes you can make in smb.conf fall into the following areas:

The wrong workgroup: The Samba workgroup specified in the default smb.conf file is MYGROUP. This differs from the default value of workgroup, which is WORKGROUP. The problems get worse if you're setting up this computer on a domain and don't enter the right domain name for this variable.

browsable = no: If you set browsable = no, users normally will not be able to see your shared directory or printer in their Windows Network Neighborhood or My Network Places.

Improperly configured sharing: As you've seen in previous sections, there are a number of ways to share, with users, guests, groups, or everyone. If sharing is not properly configured, your users may not be able to get to the directories or printers that they need.

writable = no: Samba shared directories are read-only by default. If you don't specify otherwise, your users won't be able to write to appropriate shared directories.

Improperly configured firewalls: Standard Red Hat Linux firewalls block Samba communication. If you have a hosts allow variable, computers not on the list can't get to your Samba server.
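Because these mistakes are all syntactically valid, testparm cannot catch them. The following added example (not from the book or the Samba project) is a single-pass awk review that reads an smb.conf and flags the settings discussed in this chapter that deserve a second look: an unset workgroup, security = share, encrypt passwords left off (clear-text passwords, as described under Password Settings), no hosts allow at all, any share that is both guest-accessible (public or guest ok) and writable, and shares hidden with browseable = no. The rule set and severity labels are this script's own choice, and the smb.conf written by write_audit_sample is constructed for the demo.

```sh
#!/bin/sh
# write_audit_sample PATH: a constructed smb.conf with several of the mistakes above.
write_audit_sample() {
    cat > "$1" <<'EOF'
[global]
   workgroup = MYGROUP
   security = share
;  encrypt passwords = yes
;  hosts allow = 10.122.33. 127.

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes
EOF
}

# audit_smb_conf FILE: print one finding per line; the exit status is the
# number of findings (0 means nothing was flagged). Keys and values are
# lowercased and trimmed so "Writable = Yes" and "writable = yes" compare equal.
audit_smb_conf() {
    awk '
        function norm(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return tolower(s) }
        function flag(msg) { print msg; found++ }
        function check_section(   guest, writable) {
            if (sec == "") return
            if (sec == "global") {
                if (!("workgroup" in kv))
                    flag("WARN [global]: workgroup not set, default WORKGROUP applies")
                if (kv["security"] == "share")
                    flag("WARN [global]: security = share (password-only access, no per-user accountability)")
                if (kv["encrypt passwords"] != "yes")
                    flag("WARN [global]: encrypt passwords is not yes, passwords cross the wire in clear text")
                if (!("hosts allow" in kv))
                    flag("INFO [global]: no hosts allow, every host may connect (the firewall must filter)")
            } else {
                guest = (kv["guest ok"] == "yes" || kv["public"] == "yes")
                writable = (kv["writable"] == "yes" || kv["writeable"] == "yes" || kv["read only"] == "no")
                if (guest && writable)
                    flag("WARN [" sec "]: guest-accessible and writable")
                if (kv["browseable"] == "no" || kv["browsable"] == "no")
                    flag("INFO [" sec "]: browseable = no, share is hidden from Network Neighborhood")
            }
        }
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /^[[:space:]]*\[/ {                                  # new section: judge the previous one
            check_section()
            split("", kv)
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
            next
        }
        index($0, "=") {                                     # "key = value" inside the current section
            k = $0; sub(/=.*$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
            kv[norm(k)] = norm(v)
        }
        END { check_section(); exit found }
    ' "$1"
}

# Demo on the constructed file; on a real server run: audit_smb_conf /etc/samba/smb.conf
sample=$(mktemp)
write_audit_sample "$sample"
audit_smb_conf "$sample"
echo "findings: $?"
rm -f "$sample"
```

The sample produces five findings: three in [global] (share-level security, clear-text passwords, no hosts allow), the hidden [homes] share, and the guest-writable [tmp] share. Run it after testparm, since this script only judges settings it can parse and says nothing about syntax errors.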
