The word is out. Using Samba to set up a Linux file server in a Windows NT domain offers network administrators some great options. Linux Samba brings excellent stability, performance, integration, and significant cost savings over a Windows NT server doing the same tasks. However, a successful Samba implementation in an NT domain depends upon using the best Samba settings for NT integration and avoiding common configuration errors.
Mastering the basics
In this article, I’ll go step-by-step through the process of setting up a Samba file server on Linux and optimizing it for security and performance in a Windows NT domain. I’ll also explain how to avoid common configuration errors and show you how to set up shares. Although Samba can also be used as an excellent print server, this article will focus primarily on configuring a file server. Nevertheless, once you set up your Samba configuration, you can easily add printing services by learning the Linux method of setting up network printers.
This article assumes that you have a solid understanding of Windows NT domains but are a beginning to intermediate Linux user. The only assumptions from the Linux side are that you have a Linux distribution installed on your target machine and that you have a basic understanding of the Linux file system and know how to use a text editor.
Preliminary Linux configuration
Samba comes preinstalled on many Linux distributions, and it’s available as an installation option on all the major distributions. If you’re running an older distribution, I would recommend that you go to Samba’s Web site, download the latest version of Samba, and install it on your Linux machine.
Once you have Samba installed, log in to your Linux system as the root user. Before you begin configuration, you will need to stop the Samba daemons (services) if they are currently running. You can issue the following command to display all of the currently running daemons:
ps aux | more
Look for smbd -D and nmbd -D. (These are the two Samba daemons.) Locate the PID numbers for these two daemons in the second column from the left. Issue the following command (replace 1010 with the smbd PID number):
kill -9 1010
Next, issue this command (again replacing 0101 with the nmbd PID number):
kill -9 0101
Before digging into the Samba configuration itself, you’ll need to set up users and groups on the Linux machine to correspond to the users and groups in your Windows NT domain. To set up groups in Linux, issue the following command for each group:
Then, set up users by issuing the following command for each user:
adduser username -g groupname
For an enterprise environment with a large number of users, I would recommend using a product such as Microsoft’s NT Services for UNIX or MKS Toolkit to set up username/password synchronization between Linux and Windows NT. Both solutions work well, but Microsoft’s product is more economical, and MKS Toolkit is more robust.
You also need to set up the main directory that you’ll share to the Windows NT network. Issue the following commands:
followed by this command:
chmod 777 winshare
This creates the share /winshare and provides read/write/execute ability to anyone who gains permission to mount the share.
Down to business
Now you’re ready to tackle Samba itself. Like most configuration activities in Linux, Samba is configured using a text file, smb.conf, in the /etc directory. However, before you begin editing this file to meet your needs, let’s make a copy of it. Issue the following command:
cp smb.conf /usr/doc/samba-2.x
Replace x with your version of Samba.
The second command above copied your smb.conf file into the directory that contains the documentation files included with Samba. Now you can dig in to smb.conf. From the /etc directory, you’ll use a text editor to open the file by issuing the following command:
For this article, I’ll use the text editor pico for the examples because I feel it is the best one for beginners; however, you can use any text editor for these tasks.
Once you open smb.conf, you’ll notice several types of text lines in this file. The lines with a # preceding them contain comments on the configuration options. Lines that are preceded by a semicolon (;) indicate configuration variables that have been “turned off.” Both symbols do the same thing: They keep the information that follows them from being parsed for configuration data.
To simplify the Samba configuration and make smb.conf easier to work with, use your text editor to delete all the lines that begin with a #. In pico, you can do this by using the arrows to place the cursor at the beginning of the line and then pressing [Ctrl]K to delete the entire line. Do this for each of the commented lines in the smb.conf file. Remember that if you want to go back and refer to these comments, you can look at the copy of smb.conf that we copied to the /usr/doc/samba-2.x directory.
Optimizing Samba for Linux-NT integration
Now that you’ve cleaned up the smb.conf file, you’ll notice numerous bracketed fields such as [global] and [printers] and lines such as workgroup = MYDOMAIN underneath them. The bracketed fields represent share and printer names, with a few exceptions, and the variable = value lines are the configuration options for those shares and printers.
The crux of a good Samba configuration centers on properly setting the [global] variables. While most other bracketed fields refer to one share, this one manages the settings that govern all the shares. It can be a little intimidating at first because of the number of variables; however, I’ll walk you through the settings of the most important variables, and we’ll delete the nonessential ones.
The following is an example of a file with [global] settings that are optimized for basic integration of a Linux Samba file server in a Windows NT domain:
[global]
security = domain
password server = NTServer, NTServer2
workgroup = AAC
netbios name = LINUX1
server string = Testing Samba
nt acl support = yes
wins server = 10.1.10.5
dns proxy = no
name resolve order = wins lmhosts bcast
encrypt passwords = yes
log file = /var/log/samba/log.%m
max log size = 50
remote announce = 10.1.10.255
remote browse sync = 10.1.10.255 10.1.20.255
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
load printers = yes
Of all the setting variables listed above, the most important is security = domain. This setting tells Samba how to authenticate users. There are four available options:
You’ll often see administrators use the security setting server when setting up Samba in a Windows NT domain. But since Samba version 2.x, the domain option has been available.
Domain security makes Samba authenticate users like an NT machine, while server security makes Samba authenticate like a Windows 95/98 machine. Domain security gives Samba the advantage of participating in NT domain trusts in an enterprise environment. It also cuts down on PDC/BDC connection resources because, unlike server security, which always keeps an RPC connection open with the PDC or BDC as long as the daemon is running, domain security connects to the PDC or BDC only when authenticating a user. This conserves valuable resources on the NT domain controllers.
As far as the other smb.conf variables go, the workgroup variable lets you specify the name of your NT domain (in CAPS). The netbios name is just that (also in CAPS). The server string is the comment you see in Network Neighborhood. The nt acl support setting maps UNIX permissions to NT access control lists. The wins server setting is the WINS server that Samba will use. The dns proxy setting tells Samba whether or not to attempt to resolve NetBIOS names with DNS lookups. Set it to no. The default name resolve order listed above is the standard and the best to use in almost all cases.
The encrypt passwords setting must be set to yes if you have clients running Windows 95 with SR2 or later, Windows 98, or Windows NT with Service Pack 3 or later. If your clients don’t meet these standards, I recommend upgrading them because encrypted passwords are very important for network security. The log file and max log size settings can simply be left at the defaults.
In the remote announce variable, put the IP broadcast address of the local network this server is on. In the remote browse sync setting, put the IP broadcast addresses of the subnets that connect with this server so that you can have browse list synchronization. You can leave the socket options setting at the default value for best performance. The printcap name and load printers settings are left at default values and included in active settings so that you can easily add print servers to Samba in the future if you choose.
Avoiding common errors
The settings local master, domain master, and preferred master should all be set to no or deleted, along with their partner os level. These settings involve making the Samba server the master browser on the NT network. You don’t want to let this happen because it can cause numerous errors on your NT machines. At best, it will cause some annoying Event Viewer messages. At worst, it will bring down your domain controller.
You also want to delete the domain logons setting. If this is set to yes, Samba will try to act like a domain controller, and it could bring down your real PDC. While theoretically, a Samba server can be set up as a PDC in an NT domain, in practice, it still has a number of problems using the current release of Samba. However, it does hold great potential in future Samba releases.
As a rule, you can safely delete any of the global settings that are not listed above. Settings can always be added back in as you learn more about Samba and want to tweak it according to your needs and specifications. You can also delete [homes], [netlogon], [tmp], [profiles], [public], and any other sample shares. But save the [printers] share, because it’s for general printer functionality.
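The checks from this section and from the [global] walkthrough above, as an added sketch (not code from the article or from the Samba project): it parses smb.conf text and reports settings that contradict the article's advice. The function names and the sample file are constructed for illustration, and a parameter is flagged only when it is explicitly enabled, following the article's rule rather than Samba's built-in defaults.

```python
import configparser

# Parameters the article says to set to "no" or delete from [global].
MUST_BE_OFF = ("local master", "domain master", "preferred master",
               "domain logons", "dns proxy")
TRUE_WORDS = {"yes", "true", "1", "on"}

def _norm(name):
    # Samba ignores case and embedded spaces in parameter names.
    return name.replace(" ", "").lower()

def audit_global(conf_text):
    """Return findings for the [global] section of an smb.conf text."""
    # smb.conf lines are usually indented; configparser would treat deeper
    # indentation as a continuation line, so strip every line first.
    text = "\n".join(line.strip() for line in conf_text.splitlines())
    # interpolation=None: values such as log.%m are not templates.
    cp = configparser.ConfigParser(
        interpolation=None, strict=False,
        delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    cp.read_string(text)
    name = next((s for s in cp.sections() if s.lower() == "global"), None)
    if name is None:
        return ["no [global] section"]
    g = cp[name]
    findings = []
    if g.get("security", "").lower() != "domain":
        findings.append("security is not 'domain'")
    if g.get("encrypt passwords", "no").lower() not in TRUE_WORDS:
        findings.append("encrypt passwords is not enabled")
    for param in MUST_BE_OFF:
        if g.get(param, "no").lower() in TRUE_WORDS:
            findings.append(f"{param} is enabled")
    if g.get("os level") is not None:
        findings.append("os level is set")
    return findings

# Constructed sample, not taken from a real server.
SAMPLE = """
[global]
    security = server
    log file = /var/log/samba/log.%m
    Local Master = yes
      os level = 65
; encrypt passwords = yes
"""

if __name__ == "__main__":
    print("\n".join(audit_global(SAMPLE)))
```

Run it against the text of /etc/smb.conf before testing and restarting the daemons; an empty list means none of the conflicts named in this section were found.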
Also, remember that you’ve set up Samba to authenticate users through the NT domain controller. This means that Linux looks to NT to see who is allowed to mount and access Samba shares. However, the read/write/execute permissions for working with files on those shares are still managed on the Linux machine using the standard Linux methods for setting file and directory permissions. By default, when we set up the /winshare, we set the directory and all of its files to have read/write/execute access for anyone that can mount the share. Nevertheless, you must learn Linux file and directory permissions in order to properly manage the security on your Samba file server. Once you have a share mounted, problems accessing, reading, and copying files to and from a Samba server are usually the result of improper configuration of permissions.
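How the Linux-side permission check described above plays out for the 777 mode used on /winshare, next to a group-restricted mode (2770, an assumption that is not taken from the article). This is an added illustration, not the article's code; the uid and gid values are hypothetical, and it works on a scratch directory rather than the real share.

```python
import os
import stat
import tempfile


def unix_access(st, uid, gids):
    """Return the 'rwx' string granted to uid/gids for a stat result.

    Only the first matching class (owner, group, other) is consulted;
    root and ACLs are ignored in this sketch.
    """
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        bits = (mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & b else "-"
                   for c, b in (("r", 4), ("w", 2), ("x", 1)))


def compare_modes(modes=(0o777, 0o2770)):
    """chmod a scratch directory to each mode and report access per class."""
    results = {}
    with tempfile.TemporaryDirectory() as share:
        base = os.stat(share)
        # Hypothetical accounts: one in the directory's group, one not.
        member = (base.st_uid + 1, {base.st_gid})
        outsider = (base.st_uid + 2, {base.st_gid + 1})
        for mode in modes:
            os.chmod(share, mode)
            st = os.stat(share)
            results[oct(mode)] = {
                "member": unix_access(st, *member),
                "outsider": unix_access(st, *outsider),
            }
    return results


if __name__ == "__main__":
    for mode, access in compare_modes().items():
        print(mode, access)
```

With 777, an account outside the share's group still gets rwx once it can mount the share; with 2770, only the owner and members of the directory's group do, which is why the Linux group assigned with adduser earlier decides who can actually use the files.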
Setting up shares
Now you’re ready to set up a directory for sharing files with clients on the network. Set up a share that looks like the following:
[WinShare]
comment = Windows Share
path = /winshare
browseable = yes
The name in brackets is the name of the share as you’ll see it from Windows. The comment is just that—a comment for net admins to see. The path is the Linux file path to the directory you want to share. Setting the share as browseable means that it can be viewed using the net view command and the browse list.
As we mentioned, you should leave the [printers] share in the smb.conf file so that Samba will be prepared to act as a print server as well. The [printers] share should look like this:
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
At this point, you’re finished with the smb.conf file. Press [Ctrl]X to close the file (assuming that you’re using pico), press Y to save it, and keep the name of the file smb.conf by pressing [Enter]. Once you get back to the command prompt, issue this command:
This will test the smb.conf file for configuration errors and tell you if you have any bad parameters in the file. If you get something that says unknown parameter, you need to check it out. If it returns a line at the bottom that says Loaded services file OK, you should be ready to go.
Pull it all together
It’s time to bring Samba online. To do this, you need to join Samba to the Windows NT domain. First, go to the PDC, call up the Server Manager, and add the Samba server as a Windows NT Workstation or Server using the netbios name specified in the smb.conf file. Then, at the Linux command prompt, type
smbpasswd -j DOMAIN -r PDCSERVER
Insert the name of your domain and PDC for DOMAIN and PDCSERVER, respectively. This should return the message smbpasswd: Joined domain DOMAIN.
Now, restart the Samba daemons by typing these commands:
To make sure that the Samba daemons automatically start when the computer boots, issue this command:
ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc3.d/S91smb
You can now go to a Windows computer and pull up Network Neighborhood, and you should see your Linux machine in there. If you double-click on it, you should see the WinShare that you created. It’s magic!
Since Linux will be acting as a file server, you’ll need a way to run reliable backups. If the Linux box will be serving a large number of files in an enterprise environment, I would recommend putting a tape drive in the Linux server itself. The other option is to use some shell scripting to create a compressed archive of all the files on the Linux file server, ship those files over to one of your NT servers each night using the cron daemon, and back up this archive with the rest of the mission-critical files in your daily Windows NT backup.
While I do not advocate moving a whole NT network to Linux, using Linux Samba for file and print services in an NT network offers many advantages, especially cost. A basic Windows NT Server costs $800 for one machine, and the hardware is usually a minimum of $2,000. Linux server software costs a maximum of $200, and you can load it on as many machines as you want. Because Linux requires fewer hardware resources, that cost is lower as well.
With these cost savings, an administrator can more easily place a Samba file and print server in each departmental domain and/or subnet in order to keep resources local to the users. This move, coupled with the speed gain from an optimized Samba server, will improve file and printer access times and thus employee productivity. Also, a Samba server on Linux is stable enough that you’ll rarely have to look at it once it’s configured correctly, let alone reboot it!