Samba administrators working with Windows XP in the enterprise will find most of their challenges arise with sharing and domains. I’ll explain how to correctly enable sharing in Windows XP so that you can attach to shares on XP boxes and join a Windows XP client to a Samba-hosted domain.
You may need an upgrade
If you’re running the Home version of Windows XP and can’t figure out why you can’t connect to a Samba server, here is the only solution: Upgrade to XP Professional. The Home version cannot attach to and use a domain and other network services.
My Samba setup
For the examples here, I’ll be using Samba 2.2.3a, configured in a couple of ways. The first configuration will be as a stand-alone server. (The Samba daemons are not initiated by parent processes.) In the second configuration, Samba will be a Domain Controller in a domain named LINUX.
I’m running on Red Hat Linux 7.2 with a NetBIOS name of YELLOW. My Windows client (named VMXP) is running Windows XP and is a member of a Workgroup not joined to any domain. I have made sure that there is an account in common between the Windows XP machine and the Samba 2.2.3a server. The XP user, SLOWE, is a member of the Administrators group, and the Linux user, SLOWE, has the same password as the XP user of the same name. The only Samba shares that I’m configuring are the [homes] share and the [samba] share. The [samba] share points to /usr/local/samba, which is where my Samba installation resides.
No connection without configuring
I recently moved to Samba 2.2.3a on a new machine and Windows XP on a new machine (with all of the latest updates applied), and I decided to test connectivity between the two boxes without having any domain functionality in place. Attaching to a share on the Samba server from the Windows XP box using the Universal Naming Convention (UNC) notation \\YELLOW was no problem, as shown in Figure A.
|A listing of the shares on the Samba server from Windows XP|
Attempting to attach to one of the administrative shares on the Windows XP box did not turn out as well.
When I issued the smbclient command, I received the following results.
Since the same command had no problems connecting to a Windows NT 4.0 server (as shown in this output), I could see that the problem was with the XP server.
Enabling sharing in Windows XP
I solved my problem by correctly enabling sharing in XP, which is not enabled by default as it was with Windows 2000 and Windows NT, even for the administrative shares. In this example, I’ll show you how to do it, step-by-step. I’ll share drive C: out as an administrative share. First, I select Start | My Computer. I right-click C: and choose Sharing And Security to get the dialog box shown in Figure B.
|Warning! Sharing the root of a drive is dangerous.|
Since I understand the risk of sharing the root drive, I click on the blue text to get the actual sharing options as shown in Figure C.
|The Windows XP Sharing tab offers local and network options.|
I don’t need to do anything on the Sharing tab except click OK to allow Windows XP to set the proper file and folder permissions. (C$ is shared automatically.)
Now it should work, right?
To test the configuration, I run this command.
This test resulted in an access denied error, as shown here.
This error doesn’t make a lot of sense. The user SLOWE is a member of the Administrators group, and there is an Administrative share named C$ on the Windows XP server. I can get around this by disabling another new Windows XP feature: Simple File Sharing (SFS), which allows less technically inclined users to share files with less risk. Directories like Windows, Program Files, and the Administrative shares are inaccessible when SFS is active. SFS also prevents granular security administration, so a share is either used by everyone or no one.
To shut down SFS, I select Start | Control Panel | Switch To Classic View | Folder Options | View, uncheck the Use Simple File Sharing option at the bottom of the list, and click Apply. Then, when I attempt to browse to the C$ Administrative share using the SLOWE account, I get this information indicating that the connection was successful.
It works! To prove it, I’ll issue a dir command, which will return a listing of the C$ share, as shown here.
Joining a Windows XP client to a Samba-hosted domain
In Windows 2000, joining a client to a domain just took a few mouse clicks. With Windows XP, the process of joining a domain is just as easy, except when the domain is hosted on a Samba server.
To join a Samba domain, browse to Start and right-click My Computer. On the Shortcut menu, choose Properties to open the System Properties dialog box, where you click the Change button, choose the Domain option, and type in the name of the Samba domain (which in my case is LINUX). From the Windows XP Logon screen, press [Ctrl][Alt][[Delete] to log on to the domain (rather than the local machine) and you’ll receive the error message shown in Figure D.
|An error occurred during logon.|
To fix this problem, you must make a change to the Windows XP registry. Windows XP expects to be joined to a Windows 2000 domain, which allows for the signing and sealing of netlogon packets across the network. Since Samba emulates a Windows NT 4.0 PDC (which is not enabled in XP by default), you must use this Registry hack. When you set the following registry value to 0 (false), signing and sealing is negotiated with the Domain Controller, which in my case is my Samba server.
After I made this change, I rebooted my Windows XP box and tried again. Then, when I attempted to log in as SLOWE to the LINUX domain, everything worked exactly as it should have, as shown in Figure E.
|User SLOWE logged in to the LINUX domain.|
TechProGuild has plenty of Samba coverage. To read more about how to configure, secure, and administer Samba, check out the following TechProGuild articles:
- · “Call SWAT or Webmin to administer your Samba 2.2.2”
- · "Share files and control your domains in a heterogeneous network with Samba 2.2.2"
- · "An intermediate lesson in better Samba security"
- · "Easy Samba user administration with winbind"