Welcome to part 2 of this two-part series on Samba, an open-source implementation of the native Windows networking protocols for Linux. To get Samba running smoothly, you need to prepare the Linux server and your Windows workstations, as I explained in “Get Samba running, part 1: Preparing Linux and Windows for Samba.” (If you haven’t read this Daily Drill Down, please do so before proceeding.) In this installment, you’ll learn how to install Samba and how to modify or create the Samba configuration file, /etc/smb.conf. You’ll also learn how to use the utilities widely distributed with Samba, smbmount and smbumount, to mount Windows shares on Linux systems.

Here’s what you’ll accomplish:

  • Windows users will be able to access their home directories on the Linux system that’s running Samba. If this system has a large hard disk, you can use this configuration as the basis of a network-based archiving and backup system, in which users’ Windows files are regularly copied to their home directories on the Linux server.
  • Linux users will be able to access shares on Windows systems.

If your network includes more than one Linux system running Samba, you can use Samba instead of NFS to implement reliable, high-speed file transfer over your network. Is there such a thing as a network with just one user? You bet, and the Samba configuration discussed in this Daily Drill Down is just the ticket for the many one-person, two-workstation (or more) networks that people are creating. For example, lots of people run Windows on a notebook computer and Linux on their desktop systems. With the Samba configuration discussed here, you can hook up your notebook to the LAN and access your Samba shares on the Linux desktop—which means you can easily transfer your documents back and forth so that your work is always up-to-date.

Obtaining and installing Samba
Before downloading Samba, make sure it’s not already running. Open a terminal window, log in as superuser, type ps aux | grep nmb,and press [Enter]. If Samba is installed, you’ll see the names of the two Samba daemons, smbd and nmbd.

No Samba? You’ll need to download it, and you need to make sure you’re getting the correct version. Here are a couple of tips:

  • Go for the binaries: To get good results with Samba, you should use a compiled (binary) version of Samba that’s designed to work with your Linux distribution. Why not compile Samba from source code? You can, but you’ll need to do a lot of configuration before you compile, and you’ll need detailed, expert knowledge of your Linux distribution’s peculiarities. You can’t just type configure, make, and make install. If you get a binary package, somebody else has already done all this work for you—and you’re much less likely to run into problems getting Samba to work.
  • Make sure you have the latest version of Samba: Each new version of Samba fixes bugs—and some of these involve serious security holes. If you’re hooking up Windows 2000 workstations to your network, you need Samba 2.0.7 or later. This is the first Samba version to work smoothly with Windows 2000. Never use a version earlier than 1.9.17p2; previous versions had a serious security flaw that enabled intruders to gain root access to the server. To get up-to-date binaries, check the Samba home page to see whether there’s a binary version of the current stable Samba distribution that’s designed to work with your Linux distribution. Currently available are packages for Slackware (version not specified), SuSE (5.1, 5.2, 5.3, 6.0, and 6.1), TurboLinux (6.0), and Red Hat (5.2, 6.0, 6.1, 6.2). If the Samba home page doesn’t have a binary that’s compatible with your Linux distribution, check your Linux distribution’s home page. Check the update or errata page to see whether there’s an updated version of Samba available for the specific version of Linux you’re running. If not, you can install Samba from your Linux distribution’s CD or download Samba from your Linux distribution’s FTP site.

Once you’ve downloaded and installed the Samba binaries, check to make sure that your system is configured to start the Samba daemons (smbd and nmbd) at system startup. Most of the binary distributions are configured to perform the necessary system modifications automatically, but you should check to make sure. On Red Hat systems, for example, you can use the text-mode setup tool (/usr/sbin/setup) to select the system services you want to start when you power up. Check your distribution’s documentation to find out how to select start-up services if you’re not sure.

Configuring Samba: An overview
To configure Samba, you’ll need to modify the default Samba configuration file, /etc/smb.conf. Most versions of Samba come with a sample configuration file that’s very well documented by means of comments placed in the file. (Samba ignores any line that begins with a semicolon or hash mark.) You can get Samba working in short order by using a text editor to make a few changes to this file. If /etc/smb.conf doesn’t exist, or is blank for some reason, you can type in the necessary information from the examples supplied in this section.

Note: Several GUI-based Samba configuration utilities are available, but I don’t recommend using them; all too often, they fail to configure Samba correctly. One of them erases the well-commented sample configuration file, so that it’s necessary to reinstall Samba to get this file back. Another inserts new lines into an existing configuration file, even if these lines conflict with existing settings. I haven’t seen one of these tools yet that I’d trust with my configuration file.

Start by taking a look at the configuration file (in a terminal window, switch to superuser, type cat /etc/smb.conf | less, and press [Enter]). The Samba configuration file is divided into two major sections, the [global] section and a subsequent portion that defines specific shares (resources made available over the network). The [global] section contains settings that affect Samba’s overall operation. The shares section defines resources on the local system, called shares, that are accessible to qualified users via network connections.

In the following section, you’ll learn how to set up a simple, effective Samba configuration for peer-to-peer networking. This configuration makes a Windows user’s Linux home directory available by means of the user’s Network Neighborhood dialog box. Users can use their Linux directories for backup and archival file storage or as an extension of their system’s hard drives. (Note that this configuration won’t work unless you’ve created accounts for these users on the Samba server; you must create these accounts with the same username, and preferably the same password, as those supplied by the user in the Windows networking login. For more information, see part 1 of this series.)

Configuring Samba: A step-by-step guide
To get a basic Samba configuration running, first log in as root user or superuser, start a text editor, and open /etc/smb.conf. In the [global] section, find the workgroup setting. Change the default name (WORKGROUP), if necessary, to the setting you typed in each Windows workstation’s Identification dialog box. Here’s an example:
workgroup = MAGICAL

It’s not strictly necessary to type the workgroup name in all caps unless you’re connecting older Windows systems, such as the early versions of Windows 95 or Windows for Workgroups. Next, locate the line that begins with server string and uncomment the line, if necessary. Type the name that will identify this server in the Network Neighborhood window on Windows systems, such as
server string = Lothlorien

(Note that the name cannot exceed 15 characters.) This name need not match the system’s host name as it is defined for TCP/IP purposes.

Now, find the line that starts with hosts allow. This setting is very important for security reasons; it specifies which hosts can access the Samba resources. The alternative is to leave the machine open to anyone who manages to gain access to the network. You can type the IP address of one machine, a comma-separated list of IP addresses, or a pattern (for example, 192.168.100. matches any computer that has an IP address starting with these numbers).

Next, look for the line that starts with hosts deny. If the line exists, uncomment it, and change it so that it reads
hosts deny = all

If the line doesn’t exist, type
hosts deny = all

Now, look for the line that starts with security. Uncomment this line, if necessary, and make sure it reads as follows:
security = user

Locate the line that begins encrypt passwords. Uncomment the line, if necessary, and do one of the following: If you decided to use plain text passwords, change this line to
encrypt passwords=no

and make sure the next line (smb passwd file) is commented out. If you decided to use encrypted passwords, change this line to

and remove the comment from the next line (smb passwd file = /etc/smbpasswd). See the section “Configuring encrypted passwords” for essential information on getting encrypted passwords to work; you’ll need to follow the steps in this section to get Samba working.

At this point, locate the line that begins with [homes]. Uncomment the following options (or add them, if they’re not present):
comment = Home Directories
browseable = no
writable = yes
available = yes
public = no

These options automatically give users the ability to access their home directories on the Samba server.

Now, save /etc/smb.conf and exit the text editor. Then, restart Samba by typing /etc/init.d/rc.d/smb restart and pressing [Enter].

Now go to one of the Windows boxes, log on with the user’s Windows networking username and password, double-click Network Neighborhood, and determine whether the Samba server shows up. If so, try opening the user’s home directory.

Troubleshooting your Samba configuration
If the Samba server doesn’t show up, check the following:

  • If you configured Samba to use plain text passwords, did you alter the registry in the Windows machines so that they’ll send plain text passwords instead of encrypted passwords? If you chose to use encrypted passwords, did you configure the Samba server to work with them? If not, see the next section, “Configuring encrypted passwords.”
  • Look at the configuration file and make sure you typed everything correctly.
  • On the Samba server, type testparm /etc/smb.confand press [Enter]. This diagnostic problem will detect certain flaws in the Samba configuration file.
  • Is your network functioning? From the Samba server, try pinging the Windows box; from the Windows box, try pinging the Samba server. (On Windows, click Start, choose Run, type ping followed by the IP address of the Samba server, and press [Enter].)
  • Is Samba running? On the Samba server, type smbclient-L followed by the server name and -N, as in smbclient-L Lothlorien-N. If Samba is installed and running correctly, you’ll see a list of all the shares available on this server.

Still having problems? Chances are you installed a version of Samba that won’t work with your Linux distribution. Make sure you’re using the version of Samba that came with your Linux distribution, or an update designed for the same distribution and no other. Reinstall Samba, if necessary.

Configuring encrypted passwords
If you chose to use encrypted passwords with Samba, you’ll need to modify your Samba system to work with the encrypted passwords the Windows clients will send. The Windows password encryption format isn’t compatible with the default password encryption system used on Linux systems. As a result, you’ll need to create an additional password file for Samba users, one that conforms to the Windows format. This isn’t an attractive solution; the two password files aren’t in sync, so you’ll need to update the files if one of the passwords changes. But it works.

The following procedure creates a Samba password file located in /usr/local/samba/private, which you’ll modify so that it cannot be viewed by anyone except the root user. You’ll then use a script provided with the Samba distribution, called mksmbpasswd, to extract the usernames from the default Linux password file—/etc/passwd—and write them, in the Windows encryption format, to /usr/local/samba/private/smbpasswd. Although this file contains all the usernames of the users on your system, it doesn’t contain passwords, so you’ll need to supply these using the smbpasswd utility, which is also provided with the Samba distribution.
Be sure to log in as root user or superuser.
Create a directory to store the encrypted password file by typing mkdir /usr/local/samba/private and pressing [Enter]. Change the permissions on this directory so that it is invisible to all users except root. To do so, type chmod 500 /usr/local/samba/private and press [Enter]. Now you’ll extract the Linux passwords from /etc/passwd, the default password file on Linux systems, and write them to a new file named /usr/local/samba/private/smbpasswd. You’ll do so with the mksmbpasswd.sh script, which is provided with Samba.

Find out where the script is installed by typing mksmbpasswd.sh and pressing [Enter]. If the script isn’t on the default path, be sure to include the pathname in the next step’s command.

Launch the script using the following command:
cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd

Then, open /usr/local/samba/private/smbpasswd with a text editor. As you’ll see, each user’s password is defined on a single (rather lengthy) line. Enlarge the window’s size, if necessary, so you can see the whole line. Now delete all the entries except the ones for the users to whom you’re granting access. In particular, be sure to delete root, cron, and daemon!

Finally, save the file, and exit the text editor. The file you’ve just created contains usernames, but the password fields are blank. You must now define passwords for each of your users. Be sure to use the same password that these users supply when they log into Windows using the Windows Networking dialog box, which appears when Windows starts. To use smbpasswd, type smbpasswd followed by a space and the user’s name. You’ll be prompted to type and repeat the user’s password.

Mounting shares automatically
Now that you’ve got your basic Samba installation working, you’ll want to configure the Windows systems, and possibly the Linux system, to load shares automatically.

Mapping Linux shares to a Windows network drive
On the Windows clients, you can mount the user’s Linux share automatically by opening the Network Neighborhood window, right-clicking the share you want to mount, and choosing Map To Network Drive. In the Map To Network Drive dialog box, select a drive letter and select Reconnect At Logon. Click OK to confirm the network drive.

Mounting Windows shares to a Linux directory
If you’re using the Samba server as a workstation, you may wish to access your shares on your Windows system. This is a handy configuration for a one-person, two-computer (or more) network in which you’re using Linux and Windows.

To mount and unmount your Windows shares on your Linux workstation, you can use the utilities supplied with Samba (smbmount and smbumount). You’ll want to make these utilities accessible to ordinary users by turning the SUID (set user ID) bit on for both of these utilities. Note that this procedure entails a security risk if you’re configuring a workstation on a wide-open network, such as a university network, but it shouldn’t pose unacceptable risks in a small, private network.

To modify smbmount and smbumount so that you can access these utilities from your ordinary user account, first open a terminal window and log in as superuser. Next, type chmod u+s /usr/sbin/smbmount and press [Enter]. Then, type chmod u+s /usr/sbin/smbumount and press [Enter].

For the next step, you’ll need to know the exact name of the share you want to mount. To do so, type smbclient -L followed by two slashes and the name of the computer that contains your Windows share (such as //lothlorien). You’ll be asked to supply your password. When you’ve done so successfully, you’ll see a list of the available shares. From this list, identify the share that you want to mount, such as //lothlorien/suzanne.

Before you can mount the Windows share on your Linux system, you’ll need to create a mount directory. It’s convenient to place this directory within your home directory, where it’s easily accessible.

To create the mount directory, log off the superuser account (type exit and press [Enter]). In your home directory, create a directory that you’ll use to mount the share. To create /home/suzanne/lothlorien, for example, you’d type mkdir /home/suzanne/rivendell and press [Enter].

Now that you’ve created the mount directory, you can use smbmount to mount the share to this directory. To do so, log into your ordinary user account and open a terminal window. Type smbmount followed by the share’s name (such as //lothlorien/suzanne) and the name of the mount point (such as /home/suzanne/lothlorien), and press [Enter]. Note that the mount point—a directory—must exist in order for this command to succeed. Here’s an example:
smbmount //lothlorien/suzanne /home/suzanne/lothlorien

You’ll be prompted to supply this user’s password. Do so, and press [Enter]. If you’d like to unmount the share, just type smbumount followed by the name of the mount point (for example, smbumount /home/suzanne/lothlorien). Like to mount this share automatically every time you log in? Just add the smbmount command to .bash_profile in your home directory.

In this two-part series, I’ve walked you through all the procedures you need to follow in order to configure Samba file exchange on your network.

Bryan Pfaffenberger, a UNIX user since 1985, is a University of Virginia professor, an author, and a passionate advocate of Linux and open source software. A Linux Journal columnist, his recent Linux-related books include Linux Clearly Explained (Morgan-Kaufmann) and Mastering Gnome (Sybex; in press). His hobbies include messing around with his home LAN and sailing the southern Chesapeake Bay. He lives in Charlottesville, VA. If you’d like to contact Bryan, send him an e-mail.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.