TechProGuild held an online chat on October 17, 2000, in which Jacob Wilkins discussed Samba. Here’s the edited transcript from that chat.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
MODERATOR: Greetings and welcome to today’s meeting. Tonight we have Jacob Wilkins speaking on “Doing the Samba.”
JACOB WILKINS: Well, what a crowd we have gathered here.
MODERATOR: Unfortunately, with turnout like this, we’ve had to decide to cancel future guild meetings, and Thursday’s will be our last. However, I’m sure more people will show up later. After all, what can be more interesting than Samba, eh?
ARGENT: To be blunt, I can understand canceling the meetings, but that sucks. I really enjoyed these.
JACOB WILKINS: The Linux meetings usually have a good turnout.
MODERATOR: If nothing else, we’ll have a nice transcript, and I know I’ll learn something about Samba, so educate us, Jacob.
Samba heads in two directions
JACOB WILKINS: I don’t suppose either of you have heard that Samba is forking?
ARGENT: I caught a little of that, but I don’t know the particulars.
MODERATOR: Well, tell us then.
JACOB WILKINS: There are now two Samba projects, “Samba” and “Samba-TNG.” The project known as “Samba” will continue to be the stable, smooth running file/print server we all know and love. Samba-TNG is “The Next Generation.”
ARGENT: Samba-TNG will be more Windows-like and SEG fault all the time?
JACOB WILKINS: It has lofty goals in implementing a whole slew of NT services. The reason for the split is that the Samba-TNG folks need to gut out core chunks of Samba that have been stable for more than five years. TNG is going to get things like LDAP integration and some Active Directory type features.
ARGENT: It’s going to have Active Directory?
JACOB WILKINS: It’s also going to try to implement a complete Windows RPC system.
MODERATOR: Let’s see, that’s Remote Procedure Call for remote administration?
Limiting shares
ARGENT: In the Samba.conf file, where do I limit shares to a specific IP range?
JACOB WILKINS: There are two interesting directives: hosts allow and hosts deny. If you wanted only the 192.168.1.0 subnet to access your server, you’d say:
hosts deny = all
hosts allow = 192.168.1.0/24,local
Setting up Samba
JACOB WILKINS: If you are going to set up Samba, the SWAT utility really is the best way to do it. SWAT is the Samba Web Administration Tool.
MODERATOR: Just type SWAT in the console?
JACOB WILKINS: No, actually you run SWAT from inetd. Most distributions should add the line, even if it’s commented out. Just look for “swat” in /etc/inetd.conf.
MODERATOR: What’s inetd?
JACOB WILKINS: Inetd is the “Internet Superserver.” It’s where things like telnet and the r* utilities are run from.
ARGENT: You can hit that through a Web browser, can’t you?
JACOB WILKINS: Yes, once it’s running, it’s a Web interface.
MODERATOR: If you’ll excuse the ignorance, you type inetd in the console to start the Web manager?
JACOB WILKINS: No, to load SWAT on your local host, you go to http://localhost:901. In order to enable SWAT, you might have to edit your inetd configuration. I’m not sure how Redhat handles SWAT, but when Debian installs it, it adds the line in /etc/inetd.conf but comments it out.
MODERATOR: Many thanks! I’ll try that tomorrow.
ARGENT: Does SWAT run in its own http server, or does it piggyback on apache?
JACOB WILKINS: SWAT is just a little program that talks http via STDIN and STDOUT, and it uses inetd for the network connectivity.
ARGENT: Thanks.
Using Samba as a PDC
MODERATOR: So as I understand it, the basic Samba (not TNG) lets you connect to Win NT computers on the network and do file and print sharing?
JACOB WILKINS: Yes, that is correct.
ARGENT: Can’t Samba pretend to be a Win NT PDC as well?
JACOB WILKINS: Samba makes a better server than it does a client.
MODERATOR: What is a PDC?
ARGENT: Primary Domain Controller.
JACOB WILKINS: You won’t find PDC functionality in the stock release of Samba, but there is fairly stable code for doing that. But the catch is it is pretty much an isolated PDC; it can’t talk to Windows BDCs. It’s hard to do SAM database replication when you don’t actually have a SAM database. Samba servers will play nicely with domains though.
MODERATOR: BDC would be backup domain controllers, right?
ARGENT: Hmm. Okay then, so I could do it, but the main question is “why would I want to?” That is, other than the NT box at work dying and my setting up a Linux box in its place and not telling anyone?
JACOB WILKINS: You would want to use Samba as a PDC to get rid of all your NT servers. And use Linux to support your Win9x clients.
ARGENT: Actually, it’s predominately a Novell network, I was joking.
MODERATOR: Doesn’t the PDC hand out IP addresses as well as do security and logons?
Tuning Samba
MODERATOR: Linux guru Jack Allen helped me set up Samba on a previous machine, but I could not browse computers on the network. Do I need something else to do that?
JACOB WILKINS: Samba can be fairly complex to set up, and tuning it properly is nearly an art.
ARGENT: All of Linux configuring is an art.
MODERATOR: Argent, it sounds like you’ve set up Samba before.
ARGENT: A little. I got it working, but not much else.
MODERATOR: Also, I wanted to know if the fact that I couldn’t browse the NT domains in Linux was because of the way I set up Samba or because I needed another tool?
JACOB WILKINS: Browsing is not something that Samba does, but I think there are tools out there for that. I don’t know; I make servers.
MODERATOR: You make servers? That’s great. Are you part of the SAMBA TNG project? Maybe I should have asked you to introduce yourself in detail.
JACOB WILKINS: I work for a Louisville-based consulting company called n + 1. We do Linux solutions. We integrate Samba into NT networks, build firewalls, set up Web servers, and even do some Web programming.
MODERATOR: Well, let’s talk about the art of tuning Samba. What are the steps?
JACOB WILKINS: Eeek, tuning. Well, first, make sure you have plenty of file descriptors available. The max default is 1024.
ARGENT: What are file descriptors?
JACOB WILKINS: The number of files/sockets that can be open at once. Each incoming connection takes one. Each file accessed takes one.
MODERATOR: Is that like the old DOS batch file files=?
JACOB WILKINS: Yeah, I think it’s mostly the same thing. You increase the file descriptors with the ulimit command. You’d put something like this in /etc/profile and then use ulimit -n 2048 or however many you need.
ARGENT: Ah, that will take care of it? OK.
MODERATOR: What’s a good rule of thumb for how many you need?
JACOB WILKINS: It depends on how many users you have and how many files there are. 2048 is probably good for 200-500 users on a heavy to mildly used box.
ARGENT: What would be a good ULIMIT value for about 50 to 100 users?
JACOB WILKINS: For 50 to 100 you probably don’t have to tune too much. Tuning becomes a big issue in high volume servers.
ARGENT: We’re relatively small. About 100 users total, about 30 percent remote.
JACOB WILKINS: What amount of data? How many gigs?
ARGENT: Hmmm, probably about 50 or so.
JACOB WILKINS: On a server of that volume, just make sure you don’t have any IO bottlenecks. If it’s a dedicated file server, with a good SCSI card and drives, everything should be fine.
ARGENT: That does it. I’m ditching Gnomba in favor of Lin-neighborhood. I’m noticing that Gnomba likes to hang a bit too much for my tastes.
Setting Samba’s security
PILU21_RO: I have a small network with two computers: RedHat 6.2 and Windows 98. When I try to connect from Win98 to the Samba server from the other computer, it tells me that I need a password. I shared /tmp on RH6.2 and in smb.conf passwd=share.
ARGENT: That’s a good question: Do the Windows boxes need accounts on the Linux Samba box?
JACOB WILKINS: On the Samba machine you are connecting to, what security model are you using? Samba has four options: User, Share, Server, and Domain.
PILU21_RO: I’m using Share.
JACOB WILKINS: It sounds like Share level access is what you want. Make sure you have guest ok = yes.
ARGENT: Share level would require all users to have an account set up on the Linux box, correct?
JACOB WILKINS: Not necessarily. If you wanted to give anonymous access to the share you could. With /tmp, I would assume anonymous access would be what you are looking for.
ARGENT: That’s what I’m aiming for, but actually it was Pilu who was asking the question originally. He’s left, but go on.
JACOB WILKINS: For something like that, you’d probably want to set guest only = yes.
Getting along with Win2K
CLAUDE FERLAND: Has anyone had the chance to try Samba with Win2K yet? Are there any major differences from NT4?
JACOB WILKINS: Samba and Win2K work pretty well together in our lab. We haven’t had to go to production with it yet. So I can’t say for sure. One nice thing about Microsoft is backward compatibility.
CLAUDE FERLAND: What hardware were you using for your testing?
JACOB WILKINS: We use commodity “cream” boxes for testing. We also used laptops.
CLAUDE FERLAND: You’ll have to spell that last one out for me: commodity “cream”?
JACOB WILKINS: A “cream” box is just the standard cream-colored piece of junk you get from your local computer vendor. If you can make stuff work on those, you can make it fly anywhere.
ARGENT: Wow, that actually made them sound pretty nice. I’ll have to remember that one.
I think the latest release of Samba takes care of some issues with Win2K. I’ve managed to use Samba to mount shares off an AS400 that had some SMB shares. Pretty slick.
I set up an old desktop to use SMB to do network backups. I pulled files off an AS400, two NT boxes, and a Novell server.
JACOB WILKINS: What would be slicker is running Linux/Samba on an S/390 mainframe and having Windows map shares off of it.
ARGENT: I’m working on it. I have to get our microcode updated on our 390 first though. I’m the only Linux bigot in our shop.
Mounting SMB shares
ARGENT: Which do you prefer to mount SMB shares with? Mount -t smb or smbmount?
JACOB WILKINS: I usually use smbmount. That’s not a piece of technology we usually take into production. I’ve found it to be rather flaky at times.
ARGENT: That’s what I see most programs use, although it seems that the Samba folk would like for you to use mount -t smb.
JACOB WILKINS: We set up lots of Linux file servers that people can access from their Windows clients. Technically, it should do the same thing. It depends on your distribution.
ARGENT: I agree, but I thought the default build of Samba didn’t have it in. You had to modify the make file or something.
JACOB WILKINS: I just checked mine. On Debian, ‘smbmount’ is a shell script that wraps the real command and does some sanity checks.
ARGENT: Ah, I hadn’t looked at that. Thanks.
Closing up shop
MODERATOR: Thanks for coming. You can keep talking for a minute while I close up shop. First of all, I think our speaker, Jacob Wilkins, did a fabulous job.
JACOB WILKINS: It’s been a good meeting. I hope everyone’s questions got answered. I just want to remind you guys to get into SWAT. It has a great “teach-as-you-go” interface. There is a link next to every option that takes you to the help on that parameter. It’s very useful.
My shameless plug for the evening is for you to visit http://nplus1.net. Go there if you need any commercial support for Samba.
MODERATOR: Second, I have to say, Argent, it wasn’t a tough decision: you win tonight’s chat!
ARGENT: Thanks, but give the meeting to Claude.
MODERATOR: Well, Claude did well too. Claude, if you send me your real name and address with your handle, I’ll send you a nice TechRepublic consolation prize! Send me your t-shirt size as well. Send it to mjackman@techrepublic.com.
JACOB WILKINS: Looks like you missed Claude.
MODERATOR: Well, that’s the breaks. One disadvantage is that I can’t see members from the speaker room!
Good night all. Argent, I have your info, I think.
JACOB WILKINS: Good night to all, and to all a good night!
MODERATOR: Our meetings are drawing to a close, but maybe one day we’ll “meet” again.
ARGENT: Hopefully. Are there going to be other ones? Bi-monthly even?
MODERATOR: Right now, Thursday is the last one, but we’ll keep the feature active in case we have occasional ones. I can’t tell what the great spirit of TechProGuild will decide to do in the future. I’ve tried reading tea leaves, entrails, and other forms of oracular prediction, but I failed.
ARGENT: Sigh, too bad. Well, I’ll talk to you later. Good night, Mike.
MODERATOR: Good night, and thanks for the feedback.