Windows Networking (A Brief History):
Microsoft LAN networking started with LAN Manager under DOS (originally from 3COM). It provided the ability to "share" printers and hard drives from a standalone PC over the network. The share names were of the format \\servername\sharename. LAN Manager drivers were installed as extensions of the BIOS over the network, hence the term NETBIOS. Because Local Area Networks were in their infancy, Microsoft created its own Ethernet frame type for NETBIOS, called the NETBIOS Extended User Interface (NETBEUI), sometimes called the NetBIOS Frame type (NBF), a non-routable LAN protocol.
NETBIOS was first integrated into Windows under Windows for Workgroups (WFW) 3.11, a server flavor of the ubiquitous Windows 3.1 Workstation. Password-only security for network shares was added, and later user ID and password security. The server and associated user workstations were called a Workgroup and shared a common Workgroup name.
This security was integrated into the server follow-on to WFW 3.11, Windows NT 3.1, in a file called the Security Account Management (SAM) database. This security was called NT LAN Manager, or NTLM. Microsoft later extended this security from a standalone server to groups of servers called Domains. The servers containing the SAM database were called Domain Controllers. There are two types of Domain Controllers: one Primary (PDC) with a read/write copy of the SAM, and Backup (BDC) controllers with a read-only copy of the SAM. The domain construct remained through Windows NT 4.0.
TCP/IP protocol stacks were first integrated into WFW 3.11 and later Windows 95, Windows NT Server and Workstation with NETBIOS support running over IP using TCP/UDP ports 135, 137 and 139.
Windows 2000 introduced an additional layer on top of the NETBIOS/Domain construct called Active Directory. Active Directory is an LDAP-compliant network directory structure that uses Dynamic DNS instead of NETBIOS broadcasts for server name resolution. Domains are grouped under Active Directory "trees" within AD "forests". Though Domain Controllers exist under AD, they all contain R/W copies of their Domain information and synchronize among themselves. Security no longer relies on NTLM, but instead uses a certificate-based security called Kerberos. Note that AD still supports NETBIOS Domains and Workgroups in backwards-compatible mode using NTLM.
TCP/IP became the default protocol for Windows 2000, with Active Directory using TCP/UDP port 445 and LDAP using port 389. Native Windows file and print sharing over IP without NETBIOS is referred to as SMB (Server Message Block, the native server language) over IP, or as the Common Internet File System (CIFS); both use port 445.
LDAP is a directory interface protocol derived from the old (and obsolete) CCITT X.400 and X.500 E-Mail interface standard, and it uses a naming structure of the form CN=Donna_James,OU=Sales,DC=MYCOMPANY,DC=COM. CN means Common Name, OU means Organizational Unit and DC means Domain Component. LDAP names map to DNS names of the form Donna_James@sales.mycompany.com; in NETBIOS form this is usually user Donna_James in NETBIOS domain Sales, within the tree named mycompany.com.
Samba Introduction:
Samba is a suite of utilities that allows your Linux box to share files and other resources, such as printers, using Windows Networking as either a workstation or a server. The following describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) in an NT Domain or standalone Workgroup. Either configuration will allow everyone at home to have access to data on the Linux box. Linux can also be configured to act as a Windows client (workstation) to a Windows server. Note that although Linux can participate in Domains as a PDC or relay security requests to an AD Domain Controller, it cannot currently participate directly in an AD network as an AD-aware Domain Controller. This capability is under development by the Samba Working Group.
This chapter describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either configuration will allow everyone at home to have:
their own logins on all the home windows boxes while having their files on the Linux box appear to be located on a new Windows drive
shared access to printers on the Linux box
shared files accessible only to members of their Linux user group.
What's the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter, but this simple explanation should be enough:
A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.
In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.
This chapter will only cover the much more popular PDC methodology used at home. By default, Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba Domains and Linux share the same usernames so you can log into the Samba based Windows domain using your Linux password and immediately gain access to files in your Linux user's home directory. For added security you can make your Samba and Linux passwords different.
When it starts up, and with every client request, the Samba daemon reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor, the Web-based SWAT or the Samba config utility which is easier. Keep in mind, however, that if you create /etc/samba/smb.conf with a text editor then subsequently use SWAT or samba-config to edit the file, you will lose all the comments you inserted with the text editor.
Download and Install Packages
Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard.
Samba is comprised of a suite of RPMs that come on the Fedora CDs. The files are named:
samba
samba-common
samba-client
samba-swat (Samba Web interface, obsolete under Fedora)
samba-config
When searching for the file, remember that the RPM's filename usually starts with the RPM name followed by a version number as in samba-client-3.0.0-15.i386.
How to Get Samba Started
You can configure Samba to start at boot time using the chkconfig command:
[root@bigboy tmp]# chkconfig smb on
You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:
[root@bigboy tmp]# service smb start
[root@bigboy tmp]# service smb stop
[root@bigboy tmp]# service smb restart
Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.
You can test whether the smb process is running with the pgrep command; you should get a response of plain old process ID numbers:
[root@bigboy tmp]# pgrep smb
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections, which Table 10-1 outlines:
Table 10-1 : File Format - smb.conf

Section    | Description
-----------|--------------------------------------------------------------------------------------------------------
[global]   | General Samba configuration parameters
[printers] | Used for configuring printers
[homes]    | Defines treatment of user logins
[netlogon] | A share for storing logon scripts. (Not created by default.)
[profiles] | A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
You can edit this file by hand, through the Samba web interface (called SWAT, no longer supported under Fedora) or with the Samba configuration utility.
Creating A Starter Configuration
I'll now illustrate how to configure a Samba server to be the PDC for a small network using the GUI. Under GNOME the GUI is under System/Administration/Servers/Samba. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll find in each.
The [Global] Section
The [global] section governs the general Samba settings. Table 10-2 explains the parameters you need to set in order to create a PDC.
Table 10-2 : smb.conf Minimum Settings, "Global" Section

Parameter        | Value     | Description
-----------------|-----------|------------------------------------------------------------------------------------------------------------
domain logons    | Yes       | Tells Samba to become the PDC
preferred master | Yes       | Makes the PDC act as the central store for the names of all Windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser.
domain master    | Yes       | Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks.
os level         | 65        | Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win.
wins support     | Yes       | Allows the Samba server to provide name services for the network. In other words, it keeps track of the IP addresses of all the domain's servers and clients.
time server      | Yes       | Lets the Samba server provide time updates for the domain's clients.
workgroup        | "homenet" | The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet".
security         | user      | Makes domain logins query the Samba password database located on the Samba server itself.
To set the values, edit the [global] section of /etc/samba/smb.conf as follows:
[global]
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
Note: security = user and wins support = yes are default settings for Samba, so they may not show up in your smb.conf file.
The [homes] Section
Part of the process of adding a user to a Samba domain requires you to create a Linux user on the Samba PDC itself. When you log into the Samba PDC, you'll see a new drive, usually named Z:, added to your PC. This is actually a virtual drive that maps to the corresponding Linux users' login directories on the Linux PDC.
Samba considers all directories to be shares that can be configured with varying degrees of security. The [homes] section governs how Samba handles default login directories.
Table 10-3 explains the minimum settings you need to create a functional [Homes] section.
Table 10-3 : smb.conf Minimum Settings, "Home" Section

Parameter      | Value | Description
---------------|-------|------------------------------------------------------------------------------------------------------------
browseable     | No    | Doesn't allow others to browse the contents of the directory
read only      | No    | Allows the Samba user to also write to their Samba Linux directory
create mask    | 0664  | Makes new files created by the user have "644" permissions. You want to change this to "0600" so that only the login user has access to files.
directory mask | 0775  | Makes new sub-directories created by the user have "775" permissions. You want to change this to "0700" so that only the login user has access to directories.
Set the values in /etc/samba/smb.conf as follows.
[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755
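The [global] settings in Table 10-2 and the [homes] masks in Table 10-3 are easy to get subtly wrong by hand, so here is an added example (my own script, not part of the chapter or of Samba) that parses an smb.conf and reports whether the PDC parameters are present and whether the [homes] masks still leave group or world bits on new files. The configuration it reads is constructed inline from the two sections shown above; the helper names smb_get, smb_check_pdc and smb_homes_private are my own.

```shell
#!/bin/sh
# Added example (not from the original chapter): check an smb.conf for the PDC
# settings of Table 10-2 and the [homes] masks of Table 10-3.
# The configuration below is constructed inline so the script runs offline.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: the [global] and [homes] sections shown in this chapter
[global]
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes

[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755
EOF

# smb_get CONF SECTION KEY: print the value of KEY inside [SECTION], or nothing
# if it is not set. Section and key names compare case-insensitively, as in Samba.
smb_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }                           # comment line
    /^[[:space:]]*\[/ {                                      # section header
      s = $0; gsub(/[][]/, "", s); gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
      in_sec = (tolower(s) == tolower(sec)); next
    }
    in_sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit }
    }' "$1"
}

# smb_check_pdc CONF: one PASS/FAIL line per required [global] parameter and a
# non-zero return if any is wrong. security = user and wins support = yes are
# Samba defaults, so an unset value counts as correct for those two.
smb_check_pdc() {
  rc=0
  for want in "domain logons=yes" "preferred master=yes" "domain master=yes" \
              "os level=65" "security=user" "wins support=yes"; do
    key=${want%%=*}; val=${want#*=}
    got=$(smb_get "$1" global "$key")
    case "$key" in
      security)       got=${got:-user} ;;
      "wins support") got=${got:-yes} ;;
    esac
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$val" ]; then
      echo "PASS  $key = $got"
    else
      echo "FAIL  $key = '$got' (want $val)"; rc=1
    fi
  done
  return $rc
}

# smb_homes_private CONF: succeed only when the [homes] masks grant no group or
# world bits (0600 / 0700), the tightened values Table 10-3 recommends.
smb_homes_private() {
  cm=$(smb_get "$1" homes "create mask"); dm=$(smb_get "$1" homes "directory mask")
  cm=${cm:-0744}; dm=${dm:-0755}          # Samba's defaults when the parameter is unset
  case "$cm" in *00) ;; *) return 1 ;; esac
  case "$dm" in *00) ;; *) return 1 ;; esac
  return 0
}

smb_check_pdc "$SAMPLE_CONF"
if smb_homes_private "$SAMPLE_CONF"; then
  echo "OK    [homes] masks keep home files private"
else
  echo "WARN  [homes] masks allow group/other access; use create mask = 0600, directory mask = 0700"
fi
```

Run against the sample, the PDC checks all pass and the [homes] check warns, because 0644/0755 let every other domain user read files created through the home share; that is exactly the change Table 10-3 tells you to make.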
The [netlogon] and [profiles] Share Sections
The [netlogon] share holds scripts that the Windows clients may run when they log into the domain. The [profiles] share stores settings related to the look and feel of Windows, such as favorites and desktop icons, so that a user gets the same settings no matter which Windows PC they log into.
Your smb.conf file should look like this when you're finished:
[netlogon]
path = /home/samba/netlogon
guest ok = Yes
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
Remember to create these share directories from the command line afterwards.
[root@bigboy tmp]# mkdir -p /home/samba/netlogon
[root@bigboy tmp]# mkdir -p /home/samba/profiles
[root@bigboy tmp]# chmod -R 0755 /home/samba
The [printers] Share Section
Samba has special shares just for printers, and these are configured in the [printers] section, which governs the settings common to all printers. Print shares always have the printable parameter set to yes. The default smb.conf [printers] share section looks like this:
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
Shares For Specific Groups Of Users
The default Samba Version 3 smb.conf file you saved at the beginning of this exercise has many varied examples that you may use and apply to your particular environment.
You can find the steps for creating a simple shared directory below.
Samba Passwords
You should be aware that your Linux password and Samba password are stored in two different locations. This gives the Samba administrator the flexibility of allowing only some of the Linux users to have Samba accounts.
Use the passwd command to change Linux passwords, which are stored in the /etc/shadow file. Samba passwords are stored in the /etc/samba/smbpasswd file and can be changed with the smbpasswd command.
This difference is important, as you will see throughout the chapter.
How To Create A Samba PDC Administrator User
To do user administration with Samba you'll need to create administrator accounts on the Samba PDC Linux server.
Home Environment
By default, the root user is the Samba administrator, and adding workstations requires the root password. Fortunately, you can give root a Samba-specific password, separate from the Linux root password, and use that to add workstations to the Windows domain. This is done using the smbpasswd command.
[root@bigboy tmp]# /usr/bin/smbpasswd -a root password
Note: Remember that regular Linux logins via the console, Telnet or SSH require the Linux passwd command. Samba domain logins use the smbpasswd password. Samba passwords are stored in the /etc/samba/smbpasswd file.
Corporate Environment
In a corporate environment, you may want more than one person to administer Samba, each with their own usernames. Here are the steps to do this:
1. Create a Linux user group, such as sysadmin with the groupadd command.
2. Update your smb.conf file so that the sysadmin group is listed in the [global] parameter settings.
domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin
3. Create individual Linux users that are part of this group.
4. Use the smbpasswd command to create Samba passwords for Domain logins for this group. For security reasons this password may be different from the Linux password used to log into the Linux system from the console, via telnet or ssh. (Remember that Linux passwords are changed with the passwd command.)
How To Add Workstations To Your Samba Domain
Adding workstations to a Samba domain is a two step process involving the creation of workstation trust accounts on the Samba server and then logging into each workstation to add them to the domain.
Create Samba Trust Accounts For Each Workstation
PDCs will accept user logins only from trusted PCs that have been placed in its PC client database. Samba can create these Machine Trusts in two ways, either manually or automatically.
Manual Creation Of Machine Trust Accounts (NT Only)
The commands in this example create a special Linux group for Samba clients and then add a special machine user that's a member of the group. The password for this user is then disabled and the machine is then added to the smbpasswd file to help keep track of which devices are members of the domain. In summary, a machine trust account needs to have entries in the /etc/passwd and /etc/smbpasswd files. Pay careful attention to the dollar sign ($) at the end and replace machine_name with the name of the Windows client machine.
[root@bigboy tmp]# groupadd samba-clients
[root@bigboy tmp]# /usr/sbin/useradd -g samba-clients \
-d /dev/null -s /bin/false machine_name$
[root@bigboy tmp]# passwd -l machine_name$
[root@bigboy tmp]# smbpasswd -a -m machine_name
This is the only way to configure machine trusts using Windows NT.
Dynamic Creation of Machine Trust Accounts
Although you can use the manual method, the recommended way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the Windows clients join the domain, which is known as creating a machine account on the fly. You set this up by editing the /etc/samba/smb.conf file so that it automatically adds the required users.
The easiest way to do this is to set the add machine script parameter in the [global] section.
[global]
# <...remainder of parameters...>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
When you have completed the modifications, you'll need to create the samba-clients Linux group that will be used to identify all the domain's Windows clients listed in the /etc/passwd file.
[root@bigboy tmp]# groupadd samba-clients
In Samba version 2, you also need to add the client to the smbpasswd file:
[root@bigboy tmp]# smbpasswd -a -m machine_name
Samba version 3 adds it automatically.
Make Your PC Clients Aware Of Your Samba PDC
There are many types of Windows installed on people's PCs and each version has its own procedure for joining a domain. The next sections show you how to add the most popular versions of Windows clients to your domain:
Windows 95/98/ME and Windows XP Home
Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts. Here's what you need to do:
Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network)
Select the Configuration tab
Highlight "Client for Microsoft Networks"
Click the Properties button.
Check "Log onto Windows NT Domain", and enter the domain name.
Click all the OK buttons and reboot!
Windows NT
For Windows NT, you must first create a manual Samba machine trust account as explained earlier, then follow these steps:
Navigate to the Network section of the Control Panel (Start ->Settings->Control Panel->Network )
Select the "Identification" tab
Click the "Change" button
Enter the domain name and computer name, do not check the box Create a Computer Account in the Domain. In this case, the existing machine trust account is used to join the machine to the domain.
Click "OK". You should get "Welcome to " message as confirmation that you've been added.
Reboot.
You can now log in using any account in the /etc/smbpasswd file with your domain as the domain name.
Windows 200x and Windows XP Professional
For the 200x and XP Professional varieties of Windows, create a dynamic Samba machine trust account, then go through these steps:
Press the Windows and Break keys simultaneously to access the System Properties dialogue box.
Click on the 'Network Identification' or 'Computer Name' tab on the top.
Click the "Properties" button.
Click on the "Member of Domain" button.
Also enter your domain name and computer name and then click "OK"
You will be prompted for a user account and password with rights to join a machine to the domain. Enter the information for your Samba administrator. In this home environment scenario, the user would be root with the corresponding smbpasswd password. Now, you should get a "Welcome to " message confirming that you've been added.
Reboot.
Log in using any account in the /etc/smbpasswd file with your domain as the domain name.
Note: With Samba version 2 you may also have to make a few changes to your system's registry using the regedit command and reboot before continuing.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
How To Add Users To Your Samba Domain
Adding users to a domain has three broad phases: adding a Linux user on the Samba server, creating a Samba smbpasswd entry that maps to the new Linux user, and mapping a Windows drive letter to the user's Linux home directory. Let's take a closer look:
Adding The Users In Linux
First, go through the process of adding users in Linux just as you would normally. Passwords won't be necessary unless you want the users to log in to the Samba server via telnet or ssh.
Create the user
To create the user, use the command:
[root@bigboy tmp]# useradd -g 100 peter
Give them a Linux Password
Giving them a Linux password is only necessary if the user needs to log into the Samba server directly. If the user does, use this method:
[root@bigboy tmp]# passwd peter
Changing password for user peter.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]#
Mapping The Linux Users To An smbpassword
Next, you need to create a Samba domain login password for the user:
[root@bigboy tmp]# /usr/bin/smbpasswd -a username password
The -a switch adds the user to the /etc/smbpasswd file. Use a generic password then have users change it immediately from their workstations in the usual way.
Remember the smbpasswd sets the Windows Domain login password for a user, which is different from the Linux login password to log into the Samba box.
Mapping A Private Windows Drive Share
By default, Samba automatically gives each user logged into the domain an H: drive that maps to the /home/username directory on the Linux box.
Mapping Using "My Computer"
If the auto-mapping doesn't work then try:
Let the user log into the domain.
Right-click on the "My Computer" icon on the desktop.
Click on "Map Network Drive".
Select a drive letter.
Browse to the HOMENET domain, then the Samba server, then the user's home directory.
Click on the check box "Reconnect at Logon" to make the change permanent.
Mapping from the Command Line
If you find the "My Computer" method too time consuming for dozens of users or if the PC doesn't have the feature available, then you can use the command-line method and possibly make it into a script.
1. Create a master logon batch file for all users
[root@bigboy tmp]# vi /home/samba/netlogon/login.bat
2. Add the following lines to mount the user's share as drive P: (for private).
REM Drive Mapping Script
net use P: \\bigboy\
3. Make the file world readable using:
[root@bigboy tmp]# chmod 644 /home/samba/netlogon/login.bat
4. Linux and Windows format text files slightly differ. As the file resides on a Linux box, but will be interpreted by a Windows machine, you'll have to convert the file to the Windows format. Use the unix2dos command.
[root@bigboy tmp]# unix2dos /home/samba/netlogon/login.bat
unix2dos: converting file /home/samba/netlogon/login.bat
to DOS format ...
[root@bigboy tmp]#
5. The final step is to edit your smb.conf file's [global] section so that it has a valid entry for the logon script parameter.
[global]
logon script = login.bat
Now your users will have additional disk space available on a Windows P: drive whenever they login.
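Steps 1 to 4 above come down to writing a small batch file with the right line endings and permissions. As an added example (my own script, not from the chapter), the function below produces the logon script in CRLF form with awk, which does the same job as unix2dos on systems that lack it, sets the 644 mode from step 3, and verifies both. The share path \\bigboy\%USERNAME% is an assumption: %USERNAME% is expanded by the Windows client to the logged-in user's name, which selects that user's [homes] share; the chapter's own line leaves the share name unspecified.

```shell
#!/bin/sh
# Added example (not from the original chapter): generate the netlogon batch
# file with DOS (CR LF) line endings and world-readable, root-writable permissions,
# then check both. The netlogon directory is a temporary one so this runs anywhere.

# make_logon_script OUT SERVER: write OUT as a CRLF-terminated batch file
make_logon_script() {
  out=$1; server=$2
  printf '%s\n' "REM Drive Mapping Script (constructed example)" \
                "net use P: \\\\${server}\\%USERNAME%" |
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' > "$out"   # unix2dos equivalent
  chmod 644 "$out"        # every client can read it; only the owner (root) can change it
}

# crlf_ok FILE: succeed only when every line of FILE ends in CR LF
crlf_ok() {
  awk '/\r$/ { n++ } END { exit (n != NR) }' "$1"
}

# perms_ok FILE: succeed when the mode string is exactly -rw-r--r-- (0644)
perms_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}

NETLOGON=$(mktemp -d)                 # stands in for /home/samba/netlogon
trap 'rm -rf "$NETLOGON"' EXIT
make_logon_script "$NETLOGON/login.bat" bigboy
crlf_ok  "$NETLOGON/login.bat" && echo "login.bat has DOS line endings"
perms_ok "$NETLOGON/login.bat" && echo "login.bat is world readable and root writable"
od -c "$NETLOGON/login.bat" | head -3   # shows the \r \n pairs at each line end
```

The permission check matters because any account that can write to the netlogon share can change what every client executes at logon; 644 on the file and a root-owned directory keep that to the administrator.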
Samba supports domain groups whose members have Administrator rights on each PC in the domain, which lets them add software and configure network settings. In Windows, domain groups can also join machines to the domain; Samba does not currently support this.
The domain admin group parameter specifies users who will have domain administrator rights. The argument is a space-separated list of user names or group names (group names must have an @ sign prefixed). For example:
domain admin group = USER1 USER2 @GROUP
How To Delete Users From Your Samba Domain
Deleting users from your Samba domain is a two stage process in which you have to remove the user from the Linux server and also remove the user's corresponding smbpasswd entry. Here's how:
1. Delete the users using the smbpasswd with the -x switch
[root@bigboy tmp]# smbpasswd -x john
Deleted user john.
[root@bigboy root]#
2. Delete The Linux User by following the normal deletion process. For example, to delete the user john and all john's files from the Linux server use:
[root@bigboy tmp]# userdel -r john
Sometimes you may not want to delete the user's files so that they can be accessed by other users at some other time. In this case you can just deactivate the user's account using the passwd -l username command.
How To Modify Samba Passwords
You can set your Samba server to allow users to make changes in their domain passwords and have these mirrored automatically in their Linux login passwords. Table 10-4 explains the [global] smb.conf parameters that you need to change.
Table 10-4 : smb.conf Settings, Enabling Online Password Changes

Parameter          | Value                 | Description
-------------------|-----------------------|------------------------------------------------------------------------------
unix password sync | Yes                   | Enables Samba/Linux password synchronization
passwd program     | Use the SWAT defaults | The location of the Linux password-changing program, usually /bin/passwd.
passwd chat        | Use the SWAT defaults | A short script that drives the Linux password program using the Samba password

Sharing Resources Using Samba
Adding A Printer To A Samba PDC
Sharing printers amongst all your PCs is one of the advantages of creating a home network. Here's how to connect your printer directly to your PDC. Not only does this method make your printer available to all your Windows workstations, it also makes your Samba PDC a print server! The only potential snag is that you need the Windows printer driver loaded on every client machine. This may be okay for a small home network but impractical for a huge corporate network.
Adding The Printer To Linux
By far the easiest way to add a printer in Linux is to use one of the many menu-based printer utilities available. For this example, I'll use system-config-printer (Figure 11-1), which is easy to find and can be started from the command line:
[root@bigboy tmp]# system-config-printer
Figure 11-1 Printer Configuration Screen
Note: Sometimes the graphics in system-config-printer don't work as expected due to your environment variables. You can temporarily set the required variable to correct the output with the command:
[root@bigboy tmp]# env LANG=C system-config-printer
Assuming your printer is attached locally to the parallel port, here are the steps to use:
Using the tab key, move to the New button and press the Enter key.
When the "Create a New Queue" menu appears give the printer name that's easy to remember, select "Local Printer Device" and move to the "next" button before pressing Enter.
From the resulting "Setting Up Local Printer Device" menu select /dev/lp0 assuming the printer is on the parallel port as opposed to a USB port. Click the "next" button to go to the "Queue Driver" menu.
Scroll to your manufacturer's entry and press Enter. Scroll further to your model, and press Enter again. You'll now get a choice of drivers; select the default device, which is marked with an asterisk (*). Click the "Next" button to go to the "Create a New Queue" menu.
Move to the "Finish" button and press Enter. There will be a slight delay.
At this stage, it's wise to do a test print to make sure all is okay.
Make Samba Aware of the Printer
The easiest way to let Samba know the printer is available is via the Samba SWAT web interface, the samba-config utility, or through the CUPS menu.
Configure The Printer Driver On The Workstations
With the printer ready to go on the Linux side, you now need to prepare things in Windows.
Download the appropriate Windows printer driver from the manufacturer and install it.
Go to the Add Printer menu. Click the Next button.
Select the Network Printer button to access the Local or Network Printer menu. Click the Next button, again.
You now should be on the Locate Your Printer menu. Don't enter a name, instead click Next so you can browse for your printer.
From the Browse for Printer menu, Double-click on the name of your Linux Samba server. You should see the new printer. Click on the printer name, then click Next.
You may get the message "The server on which the printer resides does not have the correct printer driver installed. If you want to install the driver on your local computer, click OK." Fortunately, you pre-installed the driver. Click the OK button.
When the "Add Printer Wizard" appears, select the manufacturer of your printer, select the printer model, and then click OK.
The "Add Printer Wizard" will ask you whether you want to use this new printer as the default printer. Select Yes or No depending on your preference. Click the Next button
From the resulting "Completing the Add Printer Wizard" menu, click the Finish button.
The new printer should now show up on the Windows Printers menu in the Control Panel. Send a test print, to be sure all is well.
Creating Group Shares in SAMBA
On occasion, subgroups of a family need a share that is fully accessible by all members of the group. For example, parents working in a home office environment may need a place where they can share, distribute, or collaboratively work on documents. Here's how it's done.
Create The Directory And User Group
As with any group activity, the first step is to get organized.
1. Create a new Linux group parents:
[root@bigboy tmp]# /usr/sbin/groupadd parents
2. Create a new directory for the group's files. If one user is designated as the leader, you might want to add a chown command to make them the owner:
[root@bigboy tmp]# mkdir /home/parent-files
[root@bigboy tmp]# chgrp parents /home/parent-files
[root@bigboy tmp]# chmod 0770 /home/parent-files
3. Add the group members to the new group. For instance, the command to add a user named father to the group is:
[root@bigboy tmp]# /usr/sbin/usermod -G parents father
All your members are in the group; now they need to share.
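The chapter goes straight from creating the directory to mapping the share, so here is an added example (my own, not from the chapter) of the smb.conf stanza that ties the two together, restricting the only-parents share to members of the Linux group, together with checks that the directory mode and group membership match the steps above. The parameter values in the stanza are my suggestion; Samba's valid users, force group, create mask and directory mask parameters are real. To run unprivileged, the directory is a temporary one and the group is the caller's own primary group rather than parents. One caveat on step 3: on current shadow-utils, usermod -G replaces a user's supplementary groups, so usermod -a -G parents father is the form that appends without removing other memberships.

```shell
#!/bin/sh
# Added example (not from the original chapter): the share definition for a
# group-only share plus checks on the directory and group membership.

# share_stanza NAME PATH GROUP: print an smb.conf share limited to GROUP's members.
# valid users refuses every other account; force group plus 0660/0770 masks let
# members edit each other's files while hiding them from everyone else.
share_stanza() {
  printf '[%s]\n' "$1"
  printf '    path = %s\n' "$2"
  printf '    valid users = @%s\n' "$3"
  printf '    force group = %s\n' "$3"
  printf '    read only = No\n'
  printf '    create mask = 0660\n'
  printf '    directory mask = 0770\n'
}

# dir_group_private DIR GROUP: succeed when DIR is group-owned by GROUP with mode
# drwxrwx--- (no access for "other"), which is what chmod 0770 above produces.
dir_group_private() {
  listing=$(ls -ld "$1")
  [ "$(printf '%s' "$listing" | cut -c1-10)" = "drwxrwx---" ] &&
    [ "$(printf '%s' "$listing" | awk '{ print $4 }')" = "$2" ]
}

# user_in_group USER GROUP: succeed when USER belongs to GROUP (primary or supplementary)
user_in_group() {
  id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

GROUP=$(id -gn)                    # stands in for the "parents" group
ME=$(id -un)                       # stands in for the user "father"
SHARE_DIR=$(mktemp -d)             # stands in for /home/parent-files
trap 'rm -rf "$SHARE_DIR"' EXIT
chgrp "$GROUP" "$SHARE_DIR"
chmod 0770 "$SHARE_DIR"

share_stanza only-parents "$SHARE_DIR" "$GROUP"
dir_group_private "$SHARE_DIR" "$GROUP" && echo "directory is group-private"
user_in_group "$ME" "$GROUP" && echo "$ME is a member of $GROUP"
```

Both layers are needed: valid users stops non-members at the Samba level, and the 0770 directory stops them at the filesystem level if they reach the files another way, such as a shell login on the server.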
Map The Directory Using "My Computer"
Finally, let the user log into the domain from a remote PC.
Right click on the "My Computer" icon on the desktop
Click on "Map Network Drive"
Select a drive letter.
Browse to the HOMENET domain, then the Samba server, then the share named only-parents.
Click on the check box "Reconnect at Logon", to make the change permanent.
Now the files located in the Linux /home/parent-files directory will be accessible to the parents only and your job is complete!
Sharing Windows Drives Using a Linux SAMBA Client
Up to this point I have focused on your Linux server being a Samba server, but it can also mimic a Windows client using Samba's client software.
For example, you can also access a CD-ROM, DVD, ZIP, floppy or hard drive installed on a Windows machine from your Linux box. In this section I'll show you how to share a CD-ROM drive.
Windows Setup
The Windows client box should be set up first as a member of a Samba domain or workgroup. The next step is to make the CD-ROM drive shared. The steps depend on which version of Windows you have.
For Windows 98/ME
Double click 'My Computer'
Right click on the CD-ROM drive and choose 'Sharing'
Set the Share Name as 'cdrom' with the appropriate access control
Restart windows
For Windows 2000
Double click 'My Computer'
Right click on the CD-ROM drive and choose 'Sharing'
Set the Share Name as 'cdrom' and the appropriate access control
Logout and login again as normal using your current login
For Windows XP
Double click 'My Computer'
Right click on the CD-ROM drive and choose 'Sharing and Properties'
Set the Share Name as 'cdrom' and the appropriate access control
Logout and login again as normal using your current login
After you have completed this task, you'll have to go to the next step of testing your configuration.
Test Your Windows Client Configuration
Use the smbclient command to test your share. You should substitute the name of your Windows client PC for "WinClient," and in place of "username" provide a valid workgroup/domain username that normally has access to the Windows client. You should get output like this when using the username's corresponding password:
[root@bigboy tmp]# smbclient -L WinClient -U username
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Got a positive name query response from 192.168.1.253 ( 192.168.1.253 )
Password:
Domain=[HOMENET] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
D$ Disk Default share
print$ Disk Printer Drivers
SharedDocs Disk
cdrom Disk
Printer2 Printer Acrobat PDFWriter
ADMIN$ Disk Remote Admin
C$ Disk Default share
Server Comment
--------- -------
Workgroup Master
--------- -------
Note: You can get the same result with
[root@bigboy tmp]# smbclient -L WinClient -U username%password
But this method is less secure, as your password is echoed on the screen.
You'll now need to create the mount point on the Linux server to mount and access the CD-ROM drive. In this case, I've named it /mnt/winclient-cdrom, and you'll use the mount command to get access to this device from the Linux server.
Password Prompt Method
The Linux mount command will try to access the CD-ROM device as user "username" by using the "username=" option. You will be prompted for a password.
[root@bigboy tmp]# mkdir /mnt/winclient-cdrom
[root@bigboy tmp]# mount -t smbfs -o username=username \
//winclient/cdrom /mnt/winclient-cdrom
No Prompt Method
Linux won't prompt you for a password if you embed the access password into the mount command string along with username as in the example below.
[root@bigboy tmp]# mkdir /mnt/winclient-cdrom
[root@bigboy tmp]# mount -t smbfs -o \
username=username,password=password \
//winclient/cdrom /mnt/winclient-cdrom
Using The smbmount Command Method
Some versions of Linux support the smbmount command to mount the remote drive. Incompatible versions will give errors like this:
[root@bigboy tmp]# smbmount //winclient/cdrom \
/mnt/winclient-cdrom -o username=username
Password:
27875: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
To be safe, stick with using the Linux mount command.
Automating Mounting With Linux SAMBA Clients
You can also automate the mounting of shares by placing entries in your /etc/fstab file. In the example below the home directory of user peter on server 192.168.1.100 will be mounted on the /mnt/smb mount point as a samba filesystem (smbfs) using the login information in the file named /etc/cred.
#
# File: /etc/fstab
#
//192.168.1.100/peter /mnt/smb smbfs credentials=/etc/cred 0 0
The /etc/cred file needs to contain the username and password for the account in this format:
#
# File: /etc/cred
#
username = peter
password = peterspassword
Once finished, you can use the mount -a command to mount the new /etc/fstab entry, after which the /mnt/smb directory will contain the contents of the share.
[root@smallfry tmp]# mount -a
[root@smallfry tmp]# ls /mnt/smb
backups profile docs data music
[root@smallfry tmp]#
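Because /etc/cred holds a cleartext password, it should be readable by root alone. The following shell function, added here as an example and not part of the original text, audits such a credentials file before it is referenced from /etc/fstab: it rejects a file whose mode grants group or other users any access, or that lacks the two keys shown above. It assumes GNU coreutils (stat -c), as found on Fedora and other Linux systems.

```shell
#!/bin/sh
# Added example (not from the original text): audit an smbfs credentials
# file such as /etc/cred before it is used from /etc/fstab.
# Assumes GNU stat (-c '%a' prints the octal permission bits).

check_smb_cred() {
    file="$1"
    # 1. must be an ordinary file
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # 2. no group/other permission bits: the file holds a cleartext
    #    password, so only its owner may read it (mode 600 or 400)
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        [0-7]00) ;;
        *)
            echo "$file: mode $mode exposes the password; run: chmod 600 $file" >&2
            return 1
            ;;
    esac
    # 3. both keys the fstab credentials= option expects must be present
    if ! grep -Eq '^[[:space:]]*username[[:space:]]*=' "$file"; then
        echo "$file: missing 'username =' line" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$file"; then
        echo "$file: missing 'password =' line" >&2
        return 1
    fi
    return 0
}

# Typical use before adding the fstab entry:
#   check_smb_cred /etc/cred && mount -a
```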
Samba Security and Troubleshooting
Configuring Samba for your office or home can provide many advantages. By encouraging users to store files on a central file server, you can simplify data backup and in some cases, software installation and maintenance.
Unfortunately, the initial configuration of Samba can be tricky. Many simple steps need to be executed in the correct order, and one small slip-up can have big repercussions. This chapter explores the ways in which you can recover from those mistakes that you couldn't avoid.
Testing The smb.conf file
Samba has a test utility called testparm that alerts you to errors in the smb.conf file:
[root@bigboy tmp]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
...
...
[root@bigboy tmp]#
A successful test only means that Samba will load the configuration file. There are other causes for Samba problems.
Note: You can use testparm to test a file that's different from the default /etc/samba/smb.conf configuration file. Simply provide the filename as the first argument like this:
[root@bigboy tmp]# testparm -s filename
Samba and Firewall Software
Firewall software installed both on your Windows PCs and on the Samba server itself may prevent Samba from functioning. Two popular firewall packages, iptables and ZoneAlarm, offer solutions.
Linux iptables
The Fedora installation process configures the iptables firewall package by default. You have two options for working with it. You can ensure that it is deactivated, which may be desirable on a secured network. Or, you can configure it to allow through such Microsoft protocols as NetBIOS (UDP ports 137 and 138, TCP port 139) and TCP port 445 for SMB file sharing without NetBIOS. Here is a sample script snippet:
#!/bin/bash
SAMBA_SERVER="192.168.1.100"   # The Samba server's own address
NETWORK="192.168.1.0/24"       # Local area network
BROADCAST="192.168.1.255"      # Broadcast address of the /24 above
# Always permit loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# NetBIOS name service (137) and datagram service (138) from the LAN only
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
-m multiport --dports 137,138 -j ACCEPT
# NetBIOS session service (139) and direct SMB without NetBIOS (445) from the LAN only
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
--dports 139,445 -j ACCEPT
# NetBIOS name queries are broadcast, so accept them to the broadcast address too
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
-j ACCEPT
# Drop the same ports from any other source
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
--dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
--dports 139,445 -j DROP
# Let replies for accepted sessions back out to the LAN
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
ESTABLISHED,RELATED -j ACCEPT
Windows-based Zone Alarm
The default installation of Zone Alarm assumes that your PC is directly connected to the Internet. This means that the software will deny all inbound connections that attempt to connect with your PC. The NetBIOS traffic that Samba uses to communicate with the PCs on the network is therefore treated as hostile traffic.
The easiest way around this is to configure Zone Alarm to consider your home network as a trusted network too. To do so click on the firewall tab and edit the settings for your home network; it will most likely have a 192.168.x.x/255.255.255.0 type entry. Make this network a trusted network, instead of an Internet network, and ZoneAlarm should cease to interfere with Samba.
The Windows XP Built In Firewall
You may also need to disable the firewall feature of Windows XP. Follow these steps:
Bring up the Control Panel
Double-click on the Network Connections icon.
Right-click on your LAN connection icon and select Properties.
Click on the Advanced tab and then on the Windows Firewall Settings button.
Turn off the Internet Connection Firewall by clearing its check box. You may also leave the firewall on, but allow Windows file sharing traffic through this connection. This can be done by clicking on the Exceptions tab of the Windows Firewall dialog box and clicking on the File and Printer Sharing check box.
After you get SAMBA to work, you may want to experiment with the firewall software settings to optimize your security, keeping in mind the need to maintain a valid relationship with the Samba server.
Testing Basic Client / Server Network Connectivity
You can perform several tests to ensure that the Samba server and all its workstations can do basic communication with each other.
From the Samba Server
Ping the server's IP address and loopback address (127.0.0.1)
Ping the client's IP address
Ping the client using its DNS name
Telnet to all the IP addresses on the server on port 139
Next, from the Samba Client
Ping the client's IP address and loopback address (127.0.0.1)
Ping the server's IP address
Ping the server using its DNS name
Telnet to all the IP addresses on the server on port 139
If any of these fail, check your cabling, routing, or the presence of a firewall running on either the server or the client.
Testing Samba Client / Server Connectivity
After configuring basic network connectivity, you need to go through a variety of tests to determine whether Samba has been configured correctly on both the server and the client. As part of a thorough troubleshooting procedure:
1. Make sure your Samba server can see all the shares available on the network with the smbclient -L samba_server command. Press the Enter key when prompted for a password.
Failure of this test may mean that Samba isn't running on the server at all and may need to be started.
[root@bigboy tmp]# smbclient -L bigboy
Password:
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]
Server Comment
--------- -------
SILENT Samba Server
Workgroup Master
--------- -------
HOMENET BIGBOY
OTHERNET SILENT
[root@bigboy tmp]#
2. Use the nmblookup -B samba-server-IP-address __SAMBA__ command on the server to determine if the Samba software is running correctly. This should return the server's IP address if it is running correctly.
[root@bigboy tmp]# nmblookup -B 192.168.1.100 __SAMBA__
querying __SAMBA__ on 192.168.1.100
192.168.1.100 __SAMBA__<00>
[root@bigboy tmp]#
3. Use the nmblookup -B client-IP-address "*" command on the server to determine whether the client is accepting Samba queries. This should return the client's IP address if it is running correctly. If the test fails, check to see whether the client is running firewall software that could prevent communication. Another source of the problem could be that the "Client for Microsoft Windows" or "File and Printer Sharing for Microsoft Networks" settings on the client's NIC haven't been selected. You also could have entered an incorrect IP address.
[root@bigboy tmp]# nmblookup -B 192.168.1.103 "*"
querying * on 192.168.1.103
192.168.1.103 *<00>
[root@bigboy tmp]#
4. Use the nmblookup -d 2 "*" command on the server to tell it to broadcast a query message to the network. This should return answers from all locally connected clients and servers. Because this test sends out a broadcast request for information, it usually fails if either your client or server has an incorrect subnet mask configured on its NIC.
[root@bigboy tmp]# nmblookup -d 2 '*'
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
querying * on 192.168.1.255
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
Got a positive name query response from 192.168.1.103 ( 192.168.1.103 )
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
192.168.1.100 *<00>
192.168.1.103 *<00>
192.168.1.100 *<00>
[root@bigboy tmp]#
5. Use the smbclient //samba-server/tmp command to attempt a command-line login to the Samba server. When prompted for a password, use the Linux password of the account with which you logged in. You can test other accounts by adding the -U accountname option at the end of the command line. This should return a message that the login was successful. If you are doing this as user root, press the Enter key when prompted for a password.
[root@bigboy tmp]# smbclient //bigboy/TMP
Password:
Anonymous login successful
Domain=[HOMENET] OS=[Unix] Server=[Samba 3.0.2-7.FC1]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
[root@bigboy tmp]#
A message that warns of an invalid or bad network name could mean that the tmp service on the Samba server isn't correctly configured.
Messages related to bad passwords could mean that the user's account doesn't exist, that their smbpasswd wasn't created, or that the password entered is incorrect.
6. Log into the Windows workstation as a Samba user. (In the example below, the username is peter). Use the net view \\samba-server command to log into the Samba server from the command line and get a listing of your shares.
If it fails, then make sure your hosts allow, hosts deny and invalid users parameters are set correctly in your smb.conf file.
This test attempts to login using the username and password with which you logged into the PC. Make sure the corresponding Samba user has been created.
A "Network name not found" message usually points to an incorrect NetBIOS configuration on the client. Add the IP address of the Samba server to the WINS server settings, and enable Windows name resolution via DNS using the advanced TCP/IP settings menu on the PC. You can get to this menu using this method:
Click on the Network Connections icon in the Windows Control Panel.
Right-click on the network connection, and select Properties.
Click on the Internet Protocol (TCP/IP) menu option and then click on the Properties button.
Click on the Advanced button and then on the WINS tab.
You may also need to add the name of the Samba server to the PC's C:\WINDOWS\system32\drivers\etc\lmhosts file.
If you're successful, you should see:
C:\>net view \\bigboy
Shared resources at \\bigboy
Samba Server
Share name Type Used as Comment
------------------------------------------------
peter Disk Home Directories
The command completed successfully.
C:\>
If there is no user account, the test will fail and you will see:
C:\> net view \\bigboy
System error 5 has occurred.
Access is denied.
C:\>
7. Log into the Windows workstation as a Samba user. Try to map a drive letter to the user's default login directory on the Samba server. This is done with the net use x: \\samba-server\share command. Here we want user peter to have a DOS drive X: map to Peter's Linux home directory on the Samba server.
C:\>net use x: \\bigboy\peter
The command completed successfully.
C:\>
Make sure your password encryption is set correctly in the smb.conf file. Newer versions of Windows send encrypted passwords only. Make sure you have correctly configured the "encrypt passwords" option in the [global] section of smb.conf.
Failure could also mean that the server's smb.conf file hasn't been configured to automatically use the PC user's user name as the Samba login name. You can do this by setting the user=username option in the [tmp] section of the smb.conf file.
8. From the Samba server issue the nmblookup -M domain command to ensure that there is a master browser for the domain. Successful attempts should list the IP address of the master browser server. If not, you'll need to make sure that the preferred master parameter is set to yes in the [global] section of smb.conf.
[root@bigboy home]# nmblookup -M homenet
querying fedora on 192.168.1.255
192.168.1.100 homenet<1d>
[root@bigboy home]#
This may fail with some Windows NT clients if the Samba server has been configured not to use encrypted passwords. You will need to set the encrypt passwords option in the [global] section of the smb.conf file to yes. Remember that doing so may make logins from Windows 95/98/ME clients fail. As you can see, it is sometimes best to make all your clients run similar versions of the Windows operating system.
Once all this has tested positively, you should be able to see your domain under Windows' "My Network Places" located in file manager or in the Start Menu. You should also be able to browse through the shares as well.
Checking the Samba Logs
Samba stores all its log files in the /var/log/samba directory. If you find yourself having difficulties, try searching the nmbd.log and smbd.log files for clues.
Samba Network Troubleshooting
It is always a good idea to use such network troubleshooting tools as tcpdump to do detailed troubleshooting, especially if you're not sure whether there is any bidirectional connectivity between the Samba server and the workstation.
Basic Samba Security
You can restrict connections to your server on both a per-interface and a per-network basis in the [global] section of the smb.conf file. Always remember to include your loopback interface lo and the loopback interface's network 127.0.0.0/8 in your configuration.
This type of security is activated by:
Setting the bind interfaces only parameter to yes.
Configuring Samba to deny all connections by default and then allowing specified hosts through with the hosts allow and hosts deny settings. In this case the 192.168.1.0/24 network has been included as a valid network. You also can include the IP addresses of individual hosts in this list.
Specifying the interfaces on which Samba will be active. Interface eth0 is on the 192.168.1.0/24 network, so we have included it here.
[global]
...
bind interfaces only = Yes
hosts deny = ALL
hosts allow = 192.168.1.0/24 127.
interfaces = eth0 lo
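As an added example that is not part of the original text, the shell functions below audit the [global] section of an smb.conf for the four restrictions just described. Samba ignores case and embedded whitespace in parameter names, so the lookup normalizes names the same way; the function names and the file path argument are my own, and the loopback check accepts either the 127. prefix used above or 127.0.0.0/8.

```shell
#!/bin/sh
# Added example (not from the original text): check that the [global]
# section of an smb.conf restricts Samba to trusted interfaces and hosts.

# Print the value of one [global] parameter. Samba treats "bind interfaces
# only", "Bind Interfaces Only" and "bindinterfacesonly" as the same name,
# so callers pass the lowercase, whitespace-free form (e.g. hostsallow).
smb_global_value() {
    awk -v want="$2" '
        /^[[:space:]]*[;#]/ { next }                 # comment lines
        /^[[:space:]]*\[/ {                          # section header
            insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next
        }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (tolower(key) == want) print val
        }' "$1"
}

# Report every missing restriction; the return value is the number found.
audit_smb_global() {
    file="$1"; problems=0
    if [ "$(smb_global_value "$file" bindinterfacesonly | tr 'A-Z' 'a-z')" != "yes" ]; then
        echo "bind interfaces only is not set to yes" >&2; problems=$((problems + 1))
    fi
    if [ "$(smb_global_value "$file" hostsdeny | tr 'A-Z' 'a-z')" != "all" ]; then
        echo "hosts deny should be ALL so that only listed hosts may connect" >&2
        problems=$((problems + 1))
    fi
    case " $(smb_global_value "$file" hostsallow) " in
        *" 127. "* | *" 127.0.0.0/8 "*) ;;
        *) echo "hosts allow does not include the loopback network" >&2
           problems=$((problems + 1)) ;;
    esac
    case " $(smb_global_value "$file" interfaces) " in
        *" lo "*) ;;
        *) echo "interfaces does not include lo" >&2; problems=$((problems + 1)) ;;
    esac
    return $problems
}

# Typical use: audit_smb_global /etc/samba/smb.conf && testparm -s
```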
Samba Command Summary
LINUX/UNIX
/etc/rc.d/init.d/smb start|stop|restart – start/stop the Samba service.
smbpasswd – define users, workstations
nmblookup – resolve Samba names
smbclient – act as a Windows workstation
smbmount – mount Windows directories (obsolete, now done under smbclient)
Windows
net use \\servername\sharename
net view
nbtstat (NETBIOS equivalent to NETSTAT under LINUX/UNIX)