Samba is one of those things that isn't that hard to set up for the home network. Both at home and at work, I primarily use samba to store files and as a print server on a *nix box for MS clients. Therefore, most of this article is about accessing the *nix box from Windows.
Additionally, you'll see that I don't mention Swat, the graphic tool to manage Samba. I'm used to editing configuration files, and have found (not with Swat, but in other cases) that GUIs don't always work the way they're supposed to work. I guess I'm getting more traditional in my old age.
There is a good deal of documentation available at samba.org. Most distributions also install documentation. I primarily use samba 3.x on FreeBSD. I will mention a few of the changes between samba 2.x and 3.x in the course of the article. FreeBSD puts most things in /usr/local. Your system might be different. For example, in most Linux distributions, samba configuration files are in /etc or /etc/samba. It might be called smb.conf, smb.conf.sample, or something similar. The file that samba will actually use is smb.conf, so if it has some sort of other name such as sample, default or the like, make a copy and call the copy smb.conf.
Much of the file will have samples and reasonable defaults. Comments are done by prefacing the line with either a semicolon or a # sign.
We already have the /tmp directory, which is mode 777 (everyone can read and write to it) by default. Let's create a directory called samba that we can use for testing. We can do a 777 on this one too, for the moment--at this point, we're just trying to get Samba working.
mkdir /tmp/samba
chmod 777 /tmp/samba
Ok, we now have a directory called samba. For the moment, let's assume you have the user john on the Windows box. His password is password. So, the next step is to create the user john on the samba box. As root
adduser john
Depending upon your distro, you'll be asked for various things---you can usually settle for the defaults. The password can be different than his password on the MS box.
Next, we have to add john to the smbpasswd file.
This is one change between samba 2 and 3. In samba 2, the usual method was
|
The first time you add a user with smbpasswd you'll get some sort of error message that the file doesn't exist--this can safely be ignored. You'll be asked for confirmation of the password. This password has to be the same as his password on the MS box. It can be different than his usual Linux password.
The biggest change that I've noted from my own fairly simple use of samba is that smbpasswd is deprecated. In smb.conf there is an entry, passdb backend =, and the comments explain it fairly well. You can still use smbpasswd and put it there, use the default of tdbsam or use ldapsam. If using the suggested tdbsam, you can leave the line alone. To use tdbsam instead of smbpasswd -a, you would use
pdbedit -a -u john
This will add username john's MS password. There are various ways to migrate your smbpasswd database to tdbsam, but that's beyond the scope of this simple article.
As user john, place a file in the /tmp/samba directory. Open up your favorite text editor and type something profound like hello world. Save it as /tmp/samba/hello.txt
Ok, we're ready to start playing with smb.conf. Look at this line in [global]
workgroup = MYGROUP
That is Samba's default--Windows' default is WORKGROUP. You can
change smb.conf to read WORKGROUP or change MS's to read MYGROUP,
which will probably involve a restart. I usually change the MS
name--don't remember when I got into that habit, but it's my habit.
(I recently noticed that Mark Minasi, well known MS author, in his
book about Linux for the NT Admin also agrees with that.)
Gentoo, at least at one point, changed the default to the MS
default WORKGROUP. I don't know if that's still the case.
For the home network, there's a good chance that that's all you'll have to edit. I think Samba rereads smb.conf every 60 seconds or so, but have also heard that it can be problematic, so let's force it to reread it by restarting it. First, however, we type, at a command prompt
testparm
That will take a glance at smb.conf for us and make sure that we haven't committed any grievous syntax errors. Hopefully, it'll tell you that it's ok. Now to restart Samba
In FreeBSD, assuming you've enabled Samba in /etc/rc.conf
/usr/local/etc/rc.d/samba restart
You should see that both smbd and nmbd are stopping and restarting.
Next we'll try
smbstatus
Once again try smbstatus. We want to get something like
Samba version 2.2.0a
Service      uid      gid      pid     machine
----------------------------------------------

No locked files
Many default firewalls, usually chosen during installation, won't allow Samba to go over the network. To fix this, we now have to modify pf, iptables or whatever you're using. For pf, you can see my pf page.
Almost all Linux distributions now have a graphic interface for modifying iptables, but if not, this might help
Do a listing of iptables with line numbers
|
See where the first rejection is, it's usually around line 4 or 5. So, if your network is one of 192.168.1.x and the first line rejecting things is at line 5 at a command prompt type
iptables -I INPUT 5 -s 192.168.1.0/24 -p udp -d 0/0 --dport 137:139 -j ACCEPT
iptables -I INPUT 5 -s 192.168.1.0/24 -p tcp -d 0/0 --dport 137:139 -j ACCEPT
If you're going to be using Samba all the time, you'll want to make these changes permanent. In RH, it used to be (not sure if this is still the case in Fedora)
iptables-save > /etc/sysconfig/iptables
However, keep in mind that this does open port 139, used for RPC (remote procedure calls) and considered, according to grc's website, a security risk.
Another thing that sometimes becomes necessary is to go to your /etc/hosts file and add your machine's name to it. So, let's say that john's Linux box is called john.localhost. If we open /etc/hosts with a text editor we'll see something like
# $FreeBSD: src/etc/hosts,v 1.16 2003/01/28 21:29:23 dbaker Exp $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
Under that 127.0.0.1 line we add the machine's IP address. If for example, it's 192.168.1.101 we add
192.168.1.101 john.localdomain john
The entry is the IP address, the machine's full name and then the alias (which is what Windows will be using.)
Next let's try smbclient -L john -N
If a username and password are required, then the syntax would be, if the username was robert
smbclient -L john -U robert
It will then ask for robert's password.
(This might have the same effect as adding that "john" entry to /etc/hosts.) Hopefully, you'll get a message showing sharename, etc.
Now, let's go over to the Windows box. We'll start with, again assuming that the machine john is 192.168.1.101
nbtstat -a 192.168.1.101
With luck you'll get back something like:
--------------------------------------------
JOHN           <00>  UNIQUE      Registered
JOHN           <03>  UNIQUE      Registered
JOHN           <20>  UNIQUE      Registered
MYGROUP        <00>  GROUP       Registered
MYGROUP        <1E>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
If we do, that's a good sign that things are going well.
Try net view \\john
If you see
Shared resources at \\john

Samba Server

Share name   Type   Used as   Comment
-------------------------------------
tmp          Disk
The command completed successfully.
then you're in good shape.
Now, go into Network Neighborhood, or My Network Places and see if the Samba server is visible. You might see John's home directory, but it may be inaccessible. You should, however, also see one tmp on Samba Server (john) that should be accessible. Double click on it and see if you see your hello.txt. If so, see if you can open it and write to it. If so, you're done.
There used to be, in the samba docs (usually in /usr/share/doc, though this depends upon OS and distro--for example, in FreeBSD it's in /usr/local/share/doc/samba), a very helpful document called DIAGNOSIS.txt. It gave several troubleshooting tips. This seems to have been replaced by a Trouble Shooting section in the Samba-HOWTO-Collection.pdf. You'll need xpdf or another pdf reader for it. The Howto collection can also be found online at samba.org. The troubleshooting guide is here at time of writing. (March 2008)
Hopefully, your Samba is now working. Now that we've tested it successfully, we can get rid of that /tmp/samba directory that is open to all.
rm -r /tmp/samba
After doing this, I usually go back into /etc/samba/smb.conf and recomment the /tmp section, replacing the semicolons in front of the lines. Next, I uncomment the homes section. (I leave the browseable = no ). This allows user John to use the /home/john directory on the Samba box.
Running testparm will give a message that there's no /tmp path, and it is using the default /tmp, but I haven't found this to be a problem.
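A check for the cleanup step above, added here as an example (it is not part of the original article or of Samba): it reads smb.conf text and reports enabled shares whose path is world-writable, like the 777 test directory, or no longer exists. The function name and the sample configuration are constructed for illustration.

```python
import configparser
import os
import stat

def world_writable_shares(conf_text):
    """Return (share, path, finding) for enabled shares that need attention."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), strict=False)
    cp.read_string(conf_text)          # lines starting with ; or # are skipped
    findings = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        path = cp.get(name, "path", fallback=None)
        if path is None:               # e.g. [homes], which has no fixed path
            continue
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            # Share still enabled although its directory was removed
            findings.append((name, path, "missing"))
            continue
        if mode & stat.S_IWOTH:        # the "everyone can write" bit
            findings.append((name, path, oct(stat.S_IMODE(mode))))
    return findings

if __name__ == "__main__":
    # Constructed sample: the test share from this article left enabled.
    sample = """
[global]
workgroup = MYGROUP
[tmp]
path = /tmp/samba
[homes]
browseable = no
"""
    for share, path, finding in world_writable_shares(sample):
        print(f"[{share}] {path}: {finding}")
```

To check a real configuration, pass the contents of your own smb.conf to world_writable_shares() on the Samba box.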
So, first share the directory--errr, folder, on your Windows box. For this example, on the Windows box, which will be named john1, we're sharing a folder called downloads. In Win9x, right click Network Neighborhood, left click Properties, click the file and print sharing button, and you'll get a dialog box saying I want to give others access to my files. Click it, set up the password for the files, click Ok, and possibly apply. You'll have to restart.
On NT, 2K and XP you right click the folder in My Computer, click sharing and security, and the rest is pretty obvious. If you have any trouble with it, then look at the 2K or XP help files, which are far less obscure than the Linux man pages, under file sharing.
Now, on the Linux box
smbclient //john1/downloads
This can also be done with backslashes as in standard MS UNC (Universal Naming Convention) paths. However, if done that way, each backslash has to be doubled, since Unix treats it as an escape character, meaning a character that tells you to ignore the special characteristics of the following character. So, if you really want to use backslashes
smbclient \\\\john1\\downloads
You should get something back like
Unknown parameter encountered: "ssl CA certFile"
Ignoring unknown parameter "ssl CA certFile"
added interface ip=192.168.1.101 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
Password:
Domain=[MYGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
The part about the ssl CA certfile can be ignored on a home network--this has to do with security certificates.
You're now connected to the windows box. In this case, we're simply copying a file to user john's home directory. So, let's say the file is file.tar.gz.
get file.tar.gz
This will copy the file over to the directory that you were in when you started this command. So, if you logged in as user john, the file will now be in /home/john
Keep in mind that the user john must have an account on the john1 Windows box. Suppose John's friend Bob also has an account on the Linux box but no account on the Windows one. If he tries to connect to the Windows box this way, once he types in the password, even if it's the correct password, he'll still get an access denied error if he logged onto the Linux machine as bob.
The other way to do this is to mount the share. I think you can configure /etc/fstab to do this automatically, but as I have small use for it, I haven't looked into it. As long as you have support for smbfs compiled into your kernel you could first make a directory for it
mkdir /mnt/smb
Then you can mount the share
mount -t smbfs -o username=john,password=password //john1/downloads /mnt/smb
Of course, you usually have to be root to mount something, so that raises other nuisances--therefore, I've only done it this way once. I suspect that if you had a real need for it, the easiest way would be to edit /etc/fstab, which I haven't investigated. I've heard that you can get around this using smbmount instead of mount, but again, I haven't played with it.
FreeBSD has slightly different syntax. With that, I've only used it to mount shares in an NT domain. I've always found using NETBIOS names with this to be a bit iffy, so I usually use the IP address. (However, for the user name, I use the NETBIOS name as shown in the example below)
So, say I want to mount a share called common, on an NT server that has the IP address of 192.168.8.10. The server's NETBIOS name is BDC2. I have a directory in my home directory called common. My user name on the NT domain is john and my password is 1234.
mount_smbfs -I 192.168.8.10 //john@BDC2/common common
You can view the man mount_smbfs page for more information on other options, but this works for me.
In Linux, the syntax would be somewhat different. The simplest is probably
mount -t smbfs -o username=john,password=1234 //192.168.8.10/common common
If your browser broke that, it should be on one line. You can leave out the password and simply be prompted for it after typing the command, which also keeps it out of your shell history and the process list. Note that if you do include both the username and password in the -o section, it should be typed as I have it, with no space after the comma separating john and password. If the samba server is in your /etc/hosts, that is, if you can ping it by name (rather than IP), you can substitute the machine name for the IP address in the above example.
I've done very little with printing and samba. At work, we're still using NT servers, although I've set up a few folks on some FreeBSD servers that we're going to use.
In RedHat, it pretty much worked out of the box. I installed the cups RPM, added the printer (a locally connected HP Deskjet 840c) through the web interface, and I think it worked. (It was quite a while ago, so I'm not sure of the exact details.) These days, however, I just use FreeBSD as a print server. For the basic setup, I'm going to send you to the excellent Gentoo Desktop Guide. In the printing section, although it's specific to Gentoo Linux, he gives the basic configurations using cups and samba. One thing to keep in mind is that cups uses port 631, so you may have to add an iptables rule that allows it. Follow the same syntax given above for allowing ports 137:139 (although with cups, just allowing the tcp protocol should be sufficient).
I've also sometimes gotten a message on the MS box that access will be denied, though you will still be able to print. Someone who saw this article sent me a quick email. (To the person who sent it, I'm sorry I didn't follow up at the time, and therefore cannot give you proper credit.)
He pointed out that adding the line
use client driver = yes
to smb.conf gets rid of that access denied error message.
The last thing I'll mention has to do with the 840c HP Deskjet. For some reason (I never researched this thoroughly, just found out about it and found that it worked) it doesn't work with the 840c driver on Win2k. However, if you install it as a 660c everything works as it should. Recently, I had to reinstall Win2k, had forgotten about this, and spent two days examining cups and samba logs, trying to figure out what was wrong. Reinstalling it as a 660c fixed the problem immediately. This also holds for WinXP.
There are a few options in smb.conf to take care of this. They are user mask, directory mask, force create mode and force directory mode. In this case, I find that what works best for me is adding the lines
force create mode = 0770
force directory mode = 0770
This way, if jsmith creates a file or directory in the smiths directory, everyone can write to it. (In this particular situation, this is what we want, if you don't want that, you can leave things at the default and only jsmith can write to his own files and directories.)
wins support = yes
Believe it or not, if all the clients are MS clients, that's all that has to be done. In our case, the only trouble was with the other samba servers. According to the samba docs, one can add them to the wins.dat database (in FreeBSD, found in /var/db/samba) but it didn't seem to be working. Rather than research it, as all the samba boxes have all the others in their /etc/hosts, I just added the line
name resolve order = wins host
to smb.conf. This fixed it so that the MS clients were able to find the samba servers.
For example, I had a situation where I wanted a directory where two people could write, delete and alter files. There were a few other people who had to have read access. We wanted everyone else kept out.
A quick look at man(5) smb.conf showed me the read list option. In this case, suppose the directory was called accounting. I wanted the two accountants to have full control of files in the directory and I also wanted the 5 people in sales to have read access. So, I created the directory with 770 permissions, full control for owner and group. I left the owner at root. I created a group called acctsales and added the 2 accountants and 5 salespeople. Now, I add the read list option to that share's section in smb.conf. In our example, the salespeople have user names of bob, carol, ted, alice and john. We add their names, separated with commas, to the read list for the acctsales share.
read list = bob, carol, ted, alice, john
Now, even though the directory has 770 permissions, bob, carol, ted, alice and john can only read files in the directory, they can't write to them.
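How the 770 directory, the acctsales group and the read list combine, worked through as an added example (not part of the original article, and a simplified model rather than Samba's own code). The path, the writable = yes line and the accountant names amy and raj are assumptions; @group entries and the execute bit are not modelled.

```python
import configparser

# Constructed share section. Only "read list" comes from the article; the
# path and "writable = yes" are assumptions made for this example.
SMB_CONF = """
[acctsales]
path = /data/accounting
writable = yes
read list = bob, carol, ted, alice, john
"""

def parse_shares(text):
    """Parse smb.conf-style text into {share: {option: value}}."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def names(value):
    return {n.strip() for n in value.split(",") if n.strip()}

def unix_allows(user, groups, owner, group, mode):
    """(can_read, can_write) from the owner/group/other permission bits."""
    if user == owner:
        bits = mode >> 6
    elif group in groups:
        bits = mode >> 3
    else:
        bits = mode
    return bool(bits & 4), bool(bits & 2)

def share_allows_write(share, user):
    """Share-level decision: write list beats read list beats writable."""
    if user in names(share.get("write list", "")):
        return True
    if user in names(share.get("read list", "")):
        return False
    return share.get("writable", "no").lower() in ("yes", "true", "1")

def effective_access(share, user, groups, owner="root",
                     group="acctsales", mode=0o770):
    can_read, can_write = unix_allows(user, groups, owner, group, mode)
    if not can_read:
        return "none"            # 770 keeps everyone outside the group out
    return "rw" if can_write and share_allows_write(share, user) else "r"

def access_table():
    share = parse_shares(SMB_CONF)["acctsales"]
    members = {"amy": {"acctsales"}, "raj": {"acctsales"},   # accountants (hypothetical)
               "bob": {"acctsales"}, "john": {"acctsales"},  # sales, in read list
               "mallory": {"users"}}                         # not in the group
    return {u: effective_access(share, u, g) for u, g in members.items()}

if __name__ == "__main__":
    for user, access in access_table().items():
        print(f"{user:8} {access}")
```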
Well, that's about it. Hopefully, this will enable you to get your Samba network up and running. For more sophisticated uses, there is a great deal of documentation, but it is my hope that this page gets you started.