Linux optimize

Administering Samba using SWAT for Windows admins

Here is a detailed tutorial that shows how to set up and use the SWAT interface for administering Samba.

For a Windows Server administrator, being asked to start administering Linux servers can be a frightening experience. For the most part, Linux would be considered a completely foreign environment. What you may not realize, though, is that by installing Samba on your Linux servers, you can actually make a Linux server emulate a Windows file and print server. In fact, some distributions of Samba can even emulate a Windows domain controller.

Using a Linux server to emulate a Windows server is a great way for your company to save money. After all, if you only need a file and print server, why shell out $4,000 for a copy of Windows Server 2003 when Linux will get the job done at a fraction of the cost? Of course, the cost savings alone are of little comfort to the would-be administrator who has worked only with Windows until now. The good news is that there's a utility for Samba called SWAT that allows you to manage Samba in an easy-to-use GUI environment.

The SWAT utility
SWAT stands for Samba Web Administration Tool. As the name implies, SWAT is a Web-based interface for a Samba server. You can use a Web browser to add and remove shares, manage print queues, and take care of a slew of other tasks.

Activating SWAT
Although some implementations of Samba are starting to enable SWAT by default, many do not. Before you can use SWAT, you may have to activate it. The procedure for enabling or disabling SWAT depends on the version of Linux you're using. For the purposes of this article, I'll use Red Hat 9.0. In this version, you can enable SWAT by modifying the /etc/xinetd.d/swat file. Locate the line that says Disable=Yes and change it to Disable=No.

Another change that you may want to make involves the machine that can access SWAT. There's a line in the configuration file that reads only_from= This line tells Linux to load SWAT only from the local host. If you plan to access SWAT remotely, you must remove this line. For security reasons, SWAT is disabled and confined to the local machine by default. If you choose to allow SWAT access from a remote machine, the remote user must know your root password to gain access to SWAT. After enabling SWAT, you must either tell the Internet Meta Daemon (INTED) to reload its databases or reboot the system.

Configuring SWAT
After you've activated SWAT, it’s time to begin configuring it. The steps that I'm about to show you will write configuration changes to the /etcf file. This file will have some default settings that you can change. Keep in mind, though, that depending on what changes you make, you could really confuse SWAT, or SWAT could end up overwriting your changes. Therefore, it’s very important to back up the /etcf file before making any changes to the SWAT configuration.

With that said, the easiest way to access the SWAT configuration is through your Web browser. You must supply your Web browser with a URL that will allow it to connect to the local host through port 901. To do so, you might enter a URL such as http://localhost:901/. Your Web browser will prompt you to enter the computer’s root user and password. This should be perfectly safe if you're accessing SWAT locally, but think twice before inputting this information from a remote machine. If you access SWAT from a remote machine, simply replace the localhost portion of the URL with the remote machine’s IP address or Fully Qualified Domain Name (FQDN).

After entering the login credentials, you'll arrive at the main SWAT configuration screen. This screen’s primary purpose is to allow you to configure the Global, Printer, and Share options. There are also options for viewing the smb.conf file in text format, and an option for modifying passwords.

As you might expect, the Globals section includes configuration options, such as Base, Security, Logging, and Tuning, that apply globally to all the shares on the server. I'll discuss these options in the sections that follow.

The Base options are basically a set of configuration options related to the server’s identity and TCP/IP configuration. In most cases, you can get away without configuring anything in this section, but there are four configuration options you can set if you want (see Figure A).

Figure A
The Base options are related to your server's network identity and TCP/IP configuration.

First, you can set a workgroup name. If you're running a Windows workgroup, the workgroup name should match that used by Windows. Your next option is NetBIOS Name. Remember that the server has already been assigned a FQDN. Since the server is accessible via its FQDN, you really don’t have to set a NetBIOS name unless you want a shorter name by which to access the server.

The third field, Server String, is basically a comment field that you can use to type something related to the server’s identity or purpose. This field is set to Samba Server by default.

The last Base option is the Interfaces field, which specifies the network interface Samba should use. Normally, you would configure this option only if the server were acting as a router or if it had multiple NICs. You would enter the IP address and the subnet mask of the desired adapter using one of two formats. The usual format is; the other format is147.100.100.1/16. In this format, the 16 tells Samba that the first 16 bits of the 32-bit subnet mask designate the network address.

The first two Security options deal with password encryption. The first option lets you choose whether to encrypt passwords; the next asks whether you want to update encrypted passwords.

When you tell Samba to encrypt the passwords, Linux creates an encrypted hash of the passwords. The Update Encrypted option allows the hashes to be saved to a database. Once all of the accounts have had their passwords encrypted, you can turn off the Update Encrypted option if you want.

The next configuration option is Guest Account. This option illustrates one of the key differences between Linux and Windows. Suppose you have a share point on a Linux machine that you’d like anyone to be able to access. Even though you aren’t requiring authentication for access to the share, Linux must still use an account to gain access to the share. Whichever account you designate as the guest account is the one that is used.

The last two fields are Hosts Allow and Hosts Deny. Hosts Deny is used to build a list of those who are not allowed access to the server, while Hosts Allow lets you build a list of those who are allowed access. You can specify an entry by using either a computer’s IP address or FQDN. You can also block an entire domain by IP range or FQDN.

This is another area where Samba differs from Windows. In Windows, if there's a conflict between two access control lists, an explicit denial always overrides an explicit permission. In a conflict situation in Samba, however, it’s the approval that always wins out.

This method of conflict resolution isn’t necessarily bad. It allows you to do some interesting things. For example, suppose you had a class B network where all IP addresses started with 147.100. You could block the entire network by entering 147.100 in the Hosts Deny list. If there were a single machine out of the IP address range that you wanted to give access to, you could enter that machine’s IP address into the Hosts Allow list and the machine would be allowed, despite the fact that you denied access to the entire address range.

The next configuration section is Logging, shown in Figure B. By default, the logging level is set to 0, which disables logging completely. If you want to enable logging, set this number to 1, the lowest logging level in which data is actually logged. As you increase this number, the logging becomes more verbose.

Figure B
The Logging Options section controls the amount of detail in the Samba logs.

Each Samba server maintains and stores its own logs. The logs are stored in the /var/log/samba folder. The name of the log file is based on the server’s name. For example, if the server’s name were snake, you would find the Samba logs in the /var/log/samba folder in a file named log.snake.

The Logging options also allow you to limit the size of the log file. By default, this limit is set to 50 KB. If the log file exceeds the allowed size, the file receives an .old extension and a new log file is created. If you'd rather not have size limitations to your log files, set the maximum log file size to zero.

Tuning and printing
The Tuning and printing section lets you set tuning options related to the TCP/IP protocol. You can change the location of the PRINTCAP file. Normally, you shouldn’t have to change anything in this section. The PRINTCAP file should point to the correct location by default. Likewise, TCP/IP is set to use TCP_NODELAY, which is usually perfect for coexisting with a Windows environment.

If you're in the habit of using Windows clients, you're probably used to being able to open Network Neighborhood or My Network Places and see a list of all the computers on the network. This list of computers isn’t usually compiled at the time you open Network Neighborhood, but is pulled from a browser.

In Windows, a browser is a computer that maintains the browse list for a network. Like Windows, Samba also makes use of a browse list. When the machines on the network come online, they have a browser election to determine which machine will act as the master browser. A lot of elaborate rules dictate which machine wins the master browser election, but in a pure Samba environment, the RMB (the machine running the NetBIOS name Daemon) will always win the browser election.

In Samba, you can set two options for dealing with browser elections. The first option, which is shown in Figure B, is the OS level. In Windows, the operating system level is one of the criteria for determining which machine wins a browser election. Windows browser elections are complicated, but generally speaking, the higher the OS level, the better the chance the machine has of winning a browser election (although a lot of other factors are considered). Samba allows you to set an OS level ranging from 0 to 255 and has a default OS level of 20.

The other option lets you configure the machine’s preferred status as a browser. You can make the machine a preferred master browser, which will give it a slight advantage over other machines in a browser election. You can also set the Local Master option, which will cause Samba to look at the OS level when deciding the outcome of a browser election. The Domain Master option is used to designate the machine as the master browser for the entire domain. This option should not be used if there is a Windows PDC (or PDC emulator) for the domain.

If you're coming from a Windows administrative background, you should feel right at home in the WINS Options section. WINS is a mechanism that uses a database to link NetBIOS names to IP addresses. In Linux, the RMB program can act as the WINS server for a subnet. Unlike Windows, which can have multiple WINS servers in a subnet, Linux allows only one WINS (RMB) server per subnet. Any more than that will cause some messy network problems.

The Shares section, shown in Figure C, allows you to create and manage network shares. When you initially install Samba, the installation program will automatically create a share called Homes. It's likely that you'll want to create additional network share points on the server.

Figure C
The Shares section allows you to create and manage network shares.

To create a new share, enter its name in the text box next to the Create Share button and then click the button. Deleting a share point is just as easy. On the Share Parameters screen, select the desired share from the drop-down list, click the Choose Share button, and click the Delete Share button.

When you create or edit a share, you'll see a screen that asks lots of questions designed to help you configure the share point. These questions are divided into Base Options, Security Options, Browse Options, and Miscellaneous Options (see Figure D).

Figure D
When you create a new share, SWAT displays this screen.

The Base Options section is pretty self-explanatory. It allows you to enter the path that the share will connect to and lets you enter a comment about the share’s purpose. The Security Options section gives you control of who can and can’t access the share point. This portion is completely different from a Windows access control list. Initially, you must specify the name of the account that will be used as the guest account. Supplying an account name is mandatory, but it doesn’t mean that you're granting guest access to the share.

Below the Guest Account field are two drop-down lists you can use to control whether the share is read-only and whether guests have access to the share. At the end of the Security Options section is Hosts Allow and Hosts Deny. This works like the Hosts Allow and Hosts Deny options that I discussed earlier but controls access only to the share, not to the server as a whole.

The last two sections are Browse and Miscellaneous. Browsable allows you to control whether users can browse the share point. Miscellaneous contains an option you can use to control whether the share is active (Available).

Setting up printers in Samba is easy. The general rule is that if a printer is available to Linux, it's also available to Samba. The only catch is that you must be careful when selecting which types of printers you want to use with the server. Some of the more sophisticated printer drivers require direct access to the printer, which simply won’t work in this situation. As long as you can communicate with a printer using either PCL or PostScript, the printer should be fine for use with Samba. You can see the Printer Parameters screen in Figure E.

Figure E
Samba helps you work with shared printers.

See? It's not that bad
Having to go from supporting Windows servers to suddenly supporting Linux servers can be scary. However, SWAT makes administering a Samba server a lot easier for administrators with a purely Windows background.