Share files and control your domains in a heterogeneous network with Samba 2.2.2

Follow these steps for installing and configuring Samba, and learn how to set it up as a domain controller.


Almost every networked environment contains Windows servers and workstations. Many organizations are also actively using Linux, or at least considering it for inclusion in their enterprise. Connecting these seemingly opposite operating systems can look like a difficult task. You could use NFS for your file sharing, but you would lose a great deal of control and flexibility, as well as security. NFS clients notwithstanding, what can you do?

In this Daily Drill Down, I’ll go over the installation of the Samba software and walk you through a sample configuration. Once that’s complete, I’ll test the installation and go over configuring a Samba server to act as a domain controller.

Install Samba
Samba is a set of utilities that provides access between Windows machines and a variety of other operating systems, including Linux. It allows a Windows workstation to transparently access a Linux server and the resources attached to it as if it were a Windows server. Likewise, some of the tools within the Samba distribution (smbmount, for instance) allow you to do the reverse and share Windows files and resources with Linux machines. These resources can include files, folders, and printers.

To use Samba, you need to download it from the Samba Web site and install it. The latest release of the software is samba-latest.tar.gz and, as of this writing, that was version 2.2.2. Once it’s downloaded, installed, and configured, you’ll have a server message block (SMB) server all set up and running that can be used by your Windows clients to share files, printers, and serial ports.

For this Daily Drill Down, I installed Samba on the following:
  • A VMware 3.0 partition running under Windows 2000
  • Red Hat Linux 7.1
  • 192 MB of RAM
  • 4 GB of allocated drive space (via VMware)

Before you begin the installation, make sure of a couple of things so that you don't run into trouble. First, since this is a sample Samba installation, I suggest that you do this work on a lab server rather than a production server. Second, either log in as root or become root before continuing. Finally, copy the samba-latest.tar.gz file to the /usr/local directory so that all of the instructions I’ll be giving you in this Daily Drill Down will work properly.

The first step in the installation of Samba is to expand the distribution you downloaded from the Samba Web site. First, change to the /usr/local directory by typing cd /usr/local at the command line. Then, type gunzip -dc ./samba-latest.tar.gz | tar xvf - and press [Enter]. (That is a dash at the end of the command.) This will expand the distribution and place it in the /usr/local/samba-2.2.2 directory on your server. Next, switch to the source directory under this directory, which is where the Samba installation files are located. Type cd /usr/local/samba-2.2.2/source.

Now you need to configure your installation to suit your needs. For most people, a standard configuration will suffice. However, I suggest providing the prefix parameter to the configure command to make sure that Samba is installed to /usr/local/samba, which is where you’ll want it for this example. Additionally, you’ll enable support for the smbwrapper feature, which allows you to use SMB/CIFS shares on Windows machines like UNIX mounts.

Smbwrapper
If you’re interested in learning more about smbwrapper, take a look at this Linux Magazine article on the subject.

To begin this process, type ./configure --prefix=/usr/local/samba --with-smbwrapper and then press [Enter]. You’ll see the configuration files building for your configuration. Once this is done, you’ll be back at a prompt.

The next step is to make the binaries out of the files that you created in the configuration step. To do this, simply type make at the command line and then press [Enter]. This step will take some time.

Now you need to install these binaries so that they can run properly. Type make install and press [Enter]. This step installs the man pages for Samba and also takes quite some time to complete. When it’s finished, you should be back at your command prompt with Samba installed.

Configuring Samba for real use
Once Samba is installed, only the files to make it run are present. It’s then up to you to build configuration files that actually make Samba do what it was designed to do: make your Linux server understand SMB requests from the network and share its resources with Windows machines.

The first file that needs to be created is the SMB configuration file, smb.conf. To start, create the /usr/local/samba/lib/smb.conf file using your favorite text editor. (I use pico, for example.) Place the following lines in this file, save it, and then exit back to the command prompt:
[global]
 security = user
 encrypt passwords = yes
 smb passwd file = /usr/local/samba/private/smbpasswd
 workgroup = SWG

[homes]
 guest ok = no
 read only = no


This configuration file will provide you with a very simple Samba setup that allows a user to attach to the server and view the contents of his or her home directory. It uses Windows user-based security, which provides for username/password authentication. Passwords sent from the Windows workstations are likely to be encrypted—this is the default since Windows NT 4.0 Service Pack 3 and later—so you need to tell Samba to expect this. Next, you’ll provide the location for the Samba password file. Samba passwords are kept separate from the UNIX passwords. Next, you’ll provide the name of the Windows workgroup that this Samba server will join. Finally, in the homes section, you tell Samba to disallow guests and to provide read/write access to shares.

You now need to create a locking directory (where Samba’s lock files will be stored) for the Samba service to use. Type mkdir /usr/local/samba/var/locks and give it the appropriate permissions for Samba by issuing a chmod 0755 /usr/local/samba/var/locks command.

At this point, Samba is installed and you have a basic configuration. Now you need to start the Samba services and create an initial Samba user. It would be useful to have matching Windows and UNIX logins and passwords to make things work a little more smoothly.

I’ll show you how to create a quick script to start Samba. I put this script in my home directory (remember, this is a development/test server) and called it startsamba. Once you’ve added this script to your installation, and it tests correctly, you should move the script to an appropriate location, such as /usr/local/ or /etc/rc.d/.

In this script, put the following lines:
#!/bin/sh
/usr/local/samba/sbin/smbd -D
/usr/local/samba/sbin/nmbd -D


Once you’re finished with this script, use chmod +x startsamba to add the execute privilege to it.

Your script is now executable, so execute it. For my installation, I type /home/slowe/startsamba to do this. If everything starts normally, you’ll be brought immediately back to a system prompt. If there are errors, you'll find out here. An error such as /usr/local/samba/sbin/smbd command not found means that your distribution has located the smbd executable in a different location.

There’s one last step in this section: Make sure that you’ve created an SMB user account. Type /usr/local/samba/bin/smbpasswd -a username (where username will be replaced with a real username) and then follow the instructions on the screen. For simplicity in this example, you should use an ID that is common to both your Windows machine and your UNIX machine.

Testing, testing
Testing is always important, and with Samba, you can test your installation in a couple of ways to make sure that it's properly configured. For Samba to be declared as working, it must be able to accept an SMB connection from a Windows machine as well as initiate one to a Windows machine.

For starters, make sure that you can locally connect to the Samba server. Type /usr/local/samba/bin/smbclient //localhost/slowe at your command line (where slowe is replaced with the name of a user account that you created). If all goes well, you’ll be presented with a password prompt and end up at an SMB prompt where you can get directory listings, etc.

Next, connect from your Windows machine to your Linux/Samba machine. My machine name is pear, so from my Windows 2000 Professional machine, I click Start | Run and type \\pear\slowe.

As a final test for this step, try to connect from your Linux/Samba server to your Windows machine. At the command prompt on your Linux machine, type /usr/local/samba/bin/smbclient -L slowe-nb (where slowe-nb is the name of your Windows machine). If everything is successful, you’ll get a password prompt and then a list of details about your Windows machine.

In this output, you can see the two workgroups, SWG and WORKGROUP, and details about the SMB server you connected to. The -L parameter in the smbclient utility lists the available shares. You now have a working, tested Samba system that can be used to share files with Windows machines.

Authentication, anyone?
One of the best new features in recent versions of Samba is its ability to act as an authentication mechanism, or basically as a domain controller. It's not quite as easy to use Samba as a domain controller as it is with a Windows box, but it’s much less expensive.

The type of clients you serve dictates the steps you must take in Samba to properly set it up for domain authentication. I’m going to focus on Windows NT and Windows 2000 Professional clients as opposed to Windows 95/98 and Me clients. I’ll also go through the steps required to authenticate Windows NT and 2000 Pro machines; these steps will also work for Windows XP.

The first step is to create a computer account on the Samba machine, known in Samba as a trust account, before users from a machine can log on. Once a computer has logged in to the Samba domain controller using this account, Samba then trusts all user connections from that computer.

Adding root
Before I started configuring Samba for domain control, I added my Linux root user as a Samba user by typing /usr/local/samba/bin/smbpasswd root at the command line and providing my root password when prompted. You’ll want to use the root user with caution because it could open up a wealth of security issues.

My Windows 2000 Server machine name is scott-2ks, so that is the name that I’d use to create the computer account, with a dollar sign ($) appended to it. The rule of thumb is this: account name = machine name$. To create the account, I typed this line on my Linux server. In your environment, you’ll replace "scott-2ks" with your client's machine name.

Next, I added this account's encrypted password to the smbpasswd database by typing the following:
/usr/local/samba/bin/smbpasswd -a -m slowe-2ks

The -m parameter specifies a machine trust account. Once you’ve completed this step, you’ll get a response from Samba that the user has been added. Notice that I didn’t put a dollar sign character on the machine name; Samba handles this when it adds the machine name.

Next, you need to provide a proper smb.conf file. Here’s a copy of the smb.conf file, which typically resides in /etc/samba/, that I used for a successful installation of a Samba domain controller:
[global]
 netbios name = pear
 netbios aliases = pear
 server string = Samba process on Pear
 domain logons = yes
 security = user
 encrypt passwords = yes
 smb passwd file = /usr/local/samba/private/smbpasswd
 workgroup = SWG
 os level = 34
 local master = yes
 preferred master = yes
 domain master = yes

[netlogon]
 comment = Domain logon
 path = /usr/local/samba/netlogon
 public = no
 writeable = no
 browsable = no

[homes]
 guest ok = no
 read only = no

[samba-dist]
 comment = Samba distribution files
 path = /usr/local/samba-2.2.2
 guest ok = no
 read only = no
 browseable = yes

[samba]
 comment = Samba installation
 path = /usr/local/samba
 guest ok = no
 read only = no
 browseable = yes


That's it. Now you need to create the /usr/local/samba/netlogon directory as specified in this configuration file. The netlogon share is used by Windows clients but has no files.
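
One thing worth checking in the configuration above: the [samba] share is writable and its path, /usr/local/samba, contains the file named by smb passwd file. The following Python check is an added example, not part of the original article and not a Samba tool; it parses an smb.conf and reports every share whose path contains the password file. The function names are hypothetical and the sample text is a constructed excerpt of the configuration above.

```python
import posixpath

# Constructed sample: the relevant lines of the domain-controller smb.conf above.
SAMPLE_CONF = """\
[global]
 smb passwd file = /usr/local/samba/private/smbpasswd
[netlogon]
 path = /usr/local/samba/netlogon
 writeable = no
[samba-dist]
 path = /usr/local/samba-2.2.2
 read only = no
[samba]
 path = /usr/local/samba
 read only = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are lowercased, spaces in param names dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def is_writable(share):
    """Shares are read-only by default; 'writeable' and its synonyms invert 'read only'."""
    yes = ("yes", "true", "1")
    if "readonly" in share:  # simplification: an explicit 'read only' wins over synonyms
        return share["readonly"].lower() not in yes
    return any(share.get(k, "").lower() in yes for k in ("writeable", "writable", "writeok"))

def shares_exposing_passwd_file(text):
    """Return [(share, writable)] for shares whose path contains the smb passwd file.
    Paths are compared by whole components, so /usr/local/samba-2.2.2 does not match."""
    conf = parse_smb_conf(text)
    target = posixpath.normpath(conf.get("global", {}).get("smbpasswdfile", ""))
    hits = []
    for name, share in conf.items():
        root = posixpath.normpath(share.get("path", ""))
        if (name != "global" and root.startswith("/") and target.startswith("/")
                and posixpath.commonpath([root, target]) == root):
            hits.append((name, is_writable(share)))
    return hits

print(shares_exposing_passwd_file(SAMPLE_CONF))  # [('samba', True)]
```

A share reported here should be narrowed to a subdirectory that excludes private/, or made read only, before the server leaves the lab.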

Once all of this is done, switch to your Windows NT, 2000, or XP machine and join it to the domain that’s specified in the workgroup line of your smb.conf file. When prompted for a password, type in your root user and password combination. If everything is set up correctly, you’ll be greeted with a message welcoming you to the domain.

Conclusion
It’s impossible to go over the plethora of features available with Samba here. This Daily Drill Down provides you with a basic Samba installation in both a standalone fashion and as a domain controller, along with a few sample configurations.

Samba is bridging the divide between Windows and Linux users and is a must-have utility for anyone supporting both environments or for smaller workgroups that need some of the functionality of a Windows domain controller but can't afford the cost of yet another Win2K server license and the larger hardware requirements needed for the Win2K server operating system.
