Samba is the UNIX service for Microsoft Windows File and Print serving. The funny thing is, a well tuned Linux Samba server is a FASTER NT server than a well tuned NT server itself! As of Samba 2.0, it doesn't yet offer full PDC/BDC support, but it's coming in version 3.x.
* Please note that these installation docs are for Samba 1.9.x and might be somewhat different for a Samba 2.x distribution.
You should be running Samba 2.2.8a, as all previous versions of Samba have serious security vulnerabilities in dealing with issues like encrypted passwords, buffer overflows, etc. It is HIGHLY recommended that you make sure you are running 2.2.8a or better.
To find out what version you are running, do the following:
whereis smbd
/usr/sbin/smbd -V
Download the newest Samba source code /and/ the PGP signatures of the Samba archives from the URL given in Section 5. I recommend putting them into a directory such as /usr/src/archive/samba.
NOTE: These compiling installation instructions assume that you are running a Linux OS with a SHADOW password system. You really should be!
gpg --import samba-pubkey.asc
cd /usr/src/archive/samba
bzip2 -d samba-x.y.z.tar.bz2
gpg --verify samba-x.y.z.tar.asc
Make sure it says "Good Signature" at the top. There might be some trust warnings but don't worry about that.
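A trust warning only means the signing key is not certified in your own keyring, so what actually ties a good signature to the Samba team is the key's fingerprint. As an added example (not part of the original TrinityOS text or of the Samba distribution), the script below wraps the "gpg --verify" step so that it fails unless gpg reports a valid signature made by one expected key. EXPECTED_FPR is a placeholder and the function names are hypothetical; take the real fingerprint from a source you trust.

```shell
#!/bin/sh
# Added example: accept a tarball only if gpg reports a valid signature made by
# one specific key. EXPECTED_FPR is a placeholder, not the real Samba key.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Reads the output of "gpg --status-fd 1 --verify ..." on stdin.
# $1 = expected 40-hex-digit key fingerprint.
# Succeeds only if a VALIDSIG line names that fingerprint (as signing key or
# as primary key) and no failure status appears anywhere in the output.
check_gpg_status() {
    awk -v want="$1" '
    BEGIN { want = toupper(want) }
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
    END { exit !(ok && !bad) }'
}

# $1 = detached signature (samba-x.y.z.tar.asc), $2 = signed file (samba-x.y.z.tar)
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}

# When called with the two file names, verify and stop before unpacking on failure.
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2" || { echo "signature check FAILED: do not unpack" >&2; exit 1; }
    echo "signature OK for $2"
fi
```

With the placeholder fingerprint left in place the check always fails, so nothing is unpacked until a real fingerprint has been filled in.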
tar -xvf samba-x.y.z.tar
cd samba-x.y.z
cd source
./configure --help
Run the above if you want to mess with any of the configure options. Basically, Samba offers a LOT of features now. It can be a WINS BDC (soon a full PDC), it supports client printer driver installation, database locking mechanisms, etc.
- Please note that various Linux distributions (even different versions of the SAME distro) put the Samba binaries in different places. Samba does support the use of the emerging Linux file layout standard (FHS) but few comply today.
- I recommend the use of the following tags until distros fully support FHS (good for Mandrake 7.2):
./configure --prefix=/usr --with-privatedir=/etc --with-lockdir=/var/lock/samba \
    --with-configdir=/etc --with-smbmount --with-msdfs --with-smbwrapper
make; make install
Some of you might have received the following compile error:

    Compiling smbwrapper/wrapped.c with -fPIC
    smbwrapper/wrapped.c:473: conflicting types for `utimes'
    /usr/include/sys/time.h:112: previous declaration of `utimes'

This issue is due to the Samba code not properly recognizing that this code is conflicting with Linux's libraries. To fix this specific problem, disable the Samba version of the "utimes" code. To do this, edit the "src/smbwrapper/wrapped.c" file, go to line 472, and change the code from:

    #ifdef HAVE_SYS_TIME_H
    #include <sys/time.h>
    #else
    #include <time.h>
    #endif
    int utimes(const char *name, const struct timeval *tvp)
    {
            if (smbw_path(name)) {
                    return smbw_utimes(name, tvp);
            }

            return real_utimes(name, tvp);
    }
    #endif

to the following:

    #ifdef HAVE_SYS_TIME_H
    #include <sys/time.h>
    #else
    #include <time.h>
    #endif
    /*
    int utimes(const char *name, const struct timeval *tvp)
    {
            if (smbw_path(name)) {
                    return smbw_utimes(name, tvp);
            }

            return real_utimes(name, tvp);
    }
    */
    #endif

Once this change is complete, run a "make clean" and re-run the "make".
For other Samba source code users:
- cd into the Samba directory and then "cd sources"
- Edit the "Makefile"
- Find the lines:

    # The permissions to give the executables
    INSTALLPERMS = 0755

and change the permissions to 0750.
- Redhat users: find the following lines and uncomment the last two lines:

    # This is for PAM authentication. RedHat Linux uses PAM.
    # If you use PAM, then uncomment the following lines:
    # PAM_FLAGS = -DUSE_PAM
    # PAM_LIBS = -ldl -lpam
Ditto here:

    # FLAGSM = -DLINUX -DAXPROC -DFAST_SHARE_MODES
    # FLAGSM = -DLINUX -DFAST_SHARE_MODES
    # LIBSM =
Same here:

    # FLAGSM = -DLINUX -DNETGROUP -DALLOW_CHANGE_PASSWORD -DFAST_SHARE_MODES -DNO_ASMSIGNALH -DGLIBC2
    # LIBSM = -lnsl -lcrypt
- Save the changes and then run "make all; make install"
- Security: per a post from the Samba team on 11/20/98, you should do the following:
rm /usr/sbin/wsmbconf
chmod +t /var/spool/samba
The /etc/smb.conf file is the master file for Samba to both act as a server and as a client (connecting to remote SMB servers). So, edit the /etc/smb.conf file. If you need more information, run "man smb.conf" to read an exceptionally well written and detailed MAN page (it's much better than what you're probably thinking). For TrinityOS, this example shows how to create a few file shares and printer shares as well.
- Under the [Global] Section:
- Edit the "WORKGROUP" line to reflect the name of the workgroup you want
WORKGROUP = ACME123
- Edit the "server string" line to reflect the name of the machine
server string = TrinityOS Roadrunner Samba Server
- Edit the "hosts allow" line to ONLY reflect:
hosts allow = 192.168.0. 127.
- Make sure that printing is enabled:
printcap name = /etc/printcap
load printers = no
printing = bsd
- Make sure the GUEST account is disabled by having a ";" in the front of:
"; guest account = pcguest"
- For Windows 95/98/NT viewing, turn on "user level" security
"security = user"
- Windows XP, NT, Windows98, and patched Windows95 require ENCRYPTED SMB passwords. So, make sure you have the following lines in your smb.conf file (or remove the ";"s if the lines are already there):
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
- Since the Samba server and all clients are on the same LAN segment, add the following:
"socket options = IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192"
- Since we have multiple Ethernet cards in the Roadrunner server, set the following:
"interfaces = 192.168.0.1/24 127.0.0.0/8"
- Add the line:
"bind interfaces only = true"
- Also set the following:
"remote announce = 192.168.0.255 "
- Allow Samba to be a subnet master browser
"local master = yes"
- Enable Samba to always win the Subnet Master Browser election
"preferred master = yes"
- Enable full Win95 login support:
"domain logons = yes"
- Fix Samba permissions so when you create a file/directory, the UNIX permissions are correct too!
"create mask = 0770"
"directory mask = 0750"
- **OPTIONAL / POSSIBLY an OLD config** Since my Samba server is only used by me, I can essentially disable file write locking on all shares. If you are going to have a lot of users editing the same file, you should NOT enable this option.
"fake oplocks = yes"
- **OPTIONAL** Since I have a CD-ROM changer on my machine, I don't need to enable file write locking on those file systems so I'll disable it here.
"veto oplock files = /home/hpe/CDROMs/Cdrom*"
- Set or verify the settings of the following shares for each user's home DIR and a central Hp Laserjet IIp printer.
* NOTE: The printer name CANNOT be any longer than -8 characters-!
    [homes]
       comment = Home Directories
       # Making this NON-BROWSABLE gets rid of the duplicated "username" and
       # "homes" shares
       browseable = no
       writable = yes
       # Allows only the current Samba user into their home directory
       user = %S

    [Hp_Lj2p]
       printer = raw
       comment = Hp LaserJet IIp on RoadRunner
       path = /var/spool/samba
       browseable = yes
       # Set public = yes to allow user 'guest account' to print
       guest ok = no
       writable = no
       printable = yes
       print command = /usr/bin/lpr -b -r -PHp_Lj2p %s
       lpq command = lpq -PHp_Lj2p
       lprm command = lprm -PHp_Lj2p %j

    [Epson_S]
       printer = raw
       comment = Epson Stylus 500 Color on RoadRunner
       path = /var/spool/samba
       browseable = yes
       # Set public = yes to allow user 'guest account' to print
       guest ok = no
       writable = no
       printable = yes
       print command = /usr/bin/lpr -b -r -PEpson_S %s
       lpq command = lpq -PEpson_S
       lprm command = lprm -PEpson_S %j
- The /home/hpe directory is a common directory and SMB share for ALL users. Since ALL the files in this dir should be readable by all other users, I want all files/dirs to be created with the WHEEL group.
    [hpe]
       comment = Hpe
       path = /home/hpe
       read only = no
       public = no
       force group = wheel
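As an added example (not part of the original TrinityOS text or of Samba), the script below reads an smb.conf and warns when the access-control settings from the list above are missing: "hosts allow", a disabled guest account, "security = user", encrypted passwords and interface binding, plus any share that allows guests. The function names and the sample file are constructed for illustration, and the checks cover only the parameter spellings used in this section, not their synonyms.

```shell
#!/bin/sh
# Added example: audit an smb.conf for the access-control settings this section sets.
# Prints one WARN line per finding and returns non-zero if there is any.
audit_smbconf() {
    awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function truthy(v) { return v ~ /^(yes|true|1)$/ }
    function warn(m)   { print "WARN: " m; n++ }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[/ {                                 # section header such as [global]
        sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (sec == "global") g[key] = val
        else if ((key == "guest ok" || key == "public") && truthy(val))
            warn("share [" sec "] allows guest access (" key " = " val ")")
    }
    END {
        if (g["hosts allow"] == "")  warn("[global] has no \"hosts allow\" restriction")
        if ("guest account" in g)    warn("guest account is enabled: " g["guest account"])
        if (g["security"] != "user") warn("\"security = user\" is not set")
        if (!truthy(g["encrypt passwords"])) warn("\"encrypt passwords = yes\" is not set")
        if (g["interfaces"] == "" || !truthy(g["bind interfaces only"]))
            warn("smbd is not restricted to named interfaces")
        exit (n > 0)
    }' "$@"
}

# Constructed sample (not taken from a real server): guest enabled, nothing restricted.
sample_weak_conf() {
    cat <<'EOF'
[global]
   workgroup = ACME123
   guest account = pcguest
   security = share
[hpe]
   path = /home/hpe
   public = yes
EOF
}

# With a file argument, audit that file; otherwise show the findings for the sample.
if [ "$#" -ge 1 ]; then audit_smbconf "$1"; else sample_weak_conf | audit_smbconf || true; fi
```

Run it as "sh audit.sh /etc/smb.conf" (the script name is arbitrary); a file that follows the settings in this section produces no output and exit status 0.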
- Next, you need to test that your /etc/smb.conf file is correct. To do this, simply run the "testparm" program without any additional command line arguments and it will check the file for you and tell you everything it understands. Browse over this real quick but don't expect to understand much of it! Hehehe..
- Now start up Samba. Run:
- Redhat:
/etc/rc.d/init.d/smb start
- Slackware:
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
- Lastly, we need to add your login to the Samba username file. Yes, it's separate from the normal /etc/passwd file. Though this is initially a pain, you can have it auto-synchronise with the UNIX password file (not covered in the TrinityOS doc.. yet), though it is covered in the Samba documentation.
--- All of this is covered in /usr/doc/samba-*/ENCRYPTION.txt file ---
- Ok, to create the /etc/smbpasswd file: run the following command:
cat /etc/passwd | mksmbpasswd.sh >/etc/smbpasswd
- Next, fix the permissions of the file:
chmod 500 /etc/smbpasswd
- With this command, all users defined in the /etc/passwd file will have a SMB entry put into the /etc/smbpasswd file. Please note that if desired, users can log in via a different SMB username/passwd than their Unix username/password. Please be aware that though the user is now defined in the smbpasswd file, the user will be LOCKED out until they actually CHANGE their SMB password. To do this, run the following command PER user:
smbpasswd johndoe
smbpasswd metarzan
. . .
- A few things to do on your Windows 95/NT box:
- One thing that you might not be used to doing is actually logging into your Windows box. You absolutely NEED to create a username AND a password on your Windows box to correspond to a username/password in the /etc/smbpasswd file on the Linux machine.
- You need to re-configure your Windows95 or WindowsNT servers to use the correct WORKGROUP (ACME123).
Windows 95 and NT: Set the Windows machine(s) to use a WORKGROUP of "acme123" (not a DOMAIN) and use "Share Level" protection.
NOTE: Verify that your Windows95/NT machine does NOT have the NetBEUI protocol installed. If it does, DELETE that protocol.
- Whew! Ok, the home stretch. Reboot your Windows boxes with the new WORKGROUP setting from the smb.conf file and when prompted, login with the configured Windows username and password from the above smbpasswd file. Once logged into the Windows machine, go to the "Network Neighborhood" and see if you see the ROADRUNNER server listed. If everything goes well, you should see your home UNIX directory!
So go for it and see if you can create, delete, move files, etc from File Explorer on your Windows machine. Cool huh?
If you want to do printing, check out Section 47
** If you cannot get Samba to run right, please read the Samba Diagnostic docs:
/usr/doc/samba-*/docs/DIAGNOSIS.txt
- If everything went ok... Excellent! Congratulations! Now make sure that Samba or SMB is enabled to load upon boot.
- To do this, UN-DO all edits for SMB lines in Section 8 - Specifically, run the command:
On the flip side, you can mount your Windows95/NT shares onto your Linux box too. Cool huh!
- Assuming that everything worked above, you should be able to get a list of shares from your Windows XP/2k/NT/Me/98/95 box. To do so, run:
"smbclient -L //your-windows-boxs-name -U johndoe"
When prompted for a password, enter in the same password that you use to log into your Windows95/NT machine. You should then see something like:
    Added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
    Server time is Tue Jan 12 17:22:36 1999
    Timezone is UTC-8.0
    Password: <enter in the password of the Windows file share>
    Domain=[ACME123] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
    security=user

    Server=[your-nt-boxs-name] User=[] Workgroup=[ACME123] Domain=[]

            Sharename      Type      Comment
            ---------      ----      -------
            C$             Disk
            IPC$           IPC       Remote IPC
- If the above step worked ok, you should be able to mount your Windows95/NT share directly onto your linux box. To do this, run the following:
mkdir /mnt/smb-c
/usr/sbin/smbmount //your-nt-box-name/c$ /mnt/smb-c \
    -o username=johndoe