What is Samba?
- Samba is an open-source application suite that enables SMB/CIFS based services on Unix servers
- SMB (Server Message Block) is the underlying protocol for Windows File & Print Sharing
- Licensed under the GPL
- Maintained by the Samba Team (12-20 people)
- Web site for resources: www.samba.org

Business Benefits of Samba
- Samba allows you to merge the resources of your Windows & Unix networks
- Provides seamless access to Unix based files from Windows clients
- Provides a secure & stable file server
- Provides an upgrade path from Windows to "big iron"
- Eliminates the need for Windows servers in organizations that don't require Windows Server based applications

Samba 3 Installation
OSR6 - Installing from Media
- Insert the OpenServer 6 CD
- Start scoadmin
- Select Software Manager, Software, Install New
- Select "From Servername"
- Select the media device CDROM 0
- Expand SCO OpenServer Release 6.0.0
- Expand Connectivity
- Highlight SAMBA and click on Install
- N.B. If Heimdal Kerberos was not installed, install it in the same manner.
- Run mkdev samba

OSR6 - Installing from Downloads
- Download the CPIO file from the SCO site to /tmp
- Extract the VOL files:
    cat *.cpio | cpio -ivcd "*.*"
- Start scoadmin
- Select Software Manager, Software, Install New
- Select "From Servername"
- Select the media images option and directory /tmp
- Highlight samba and click Install
- Run mkdev samba

mkdev samba
- Run the command mkdev samba
- Choose 1 - Configure and Activate Samba
- Enter your Windows Domain or Workgroup name
- Accept the default machine name provided
- If your network has a WINS server, select yes and provide its IP address
- If there is no WINS server on Windows, this server can be set as a WINS server
- Select whether you want to participate in an MS Domain
- Provide the NetBIOS name of the PDC

mkdev samba command - Workgroup

mkdev samba command - Workgroup Defaults

mkdev samba command - Workgroup
- Changes made to /etc/samba/smb.conf:
    workgroup = WORKGROUP
    netbios name = FANGORN
    security = user
    wins server = 192.168.0.2

State of Server after this mkdev samba
- nmbd and smbd are running
- The server is a member of the workgroup named WORKGROUP
- No shares are created and only root can connect

mkdev samba - Domain Member

mkdev samba - Domain Member
- Changes to /etc/samba/smb.conf:
    workgroup = ME
    netbios name = FANGORN
    security = domain
    password server = RIVENDELL
    wins server = 192.168.0.2

State of Server after this mkdev samba
- nmbd and smbd are running
- The server is a member of the domain ME
- The only user is root/administrator
- Shares aren't set up
- Password backend is smbpasswd
- Passwords are encrypted

Introduction to SWAT
What is SWAT?
- SWAT = Samba Web Administration Tool
- Included and configured by default with SCO Samba implementations
- SWAT will allow you to perform most Samba administration functions from any browser that can contact the server
- Alternative to command line interfaces or hand-editing smb.conf
- Available on port 901 by default
- Controlled by inetd and an entry in the services file

Issues & Concerns with SWAT
- Completely replaces smb.conf on each use
- Only stores non-default settings in an intermediate file
- Doesn't retain set-up comments
- Can be viewed as a security risk
  - Never run in demo mode
  - Never run outside firewalls
- Doesn't like some passwords

SWAT Connection & Login
- Use your browser to connect to http://192.168.0.4:901

SWAT HomePage
- Primary use of the home page is to access the docs

SWAT Screens - Globals
- Allows you to set all global variables that control the server's behaviour:
  - Server type
  - Security settings
  - Master browser status & participation
  - WINS options

SWAT Screens - Shares
- Allows you to configure file shares on the server, including the specific permissions and performance modifiers for the shares.

SWAT Screens - Printers
- Allows you to set up the Unix printers to be shared by the server and to configure the printing and security options for those printers

SWAT Screens - Wizard
- This screen allows you to rewrite the smb.conf file and easily reset the server type, WINS status and basic security access.
- Probably the first screen you'll use, but this is very dangerous as it can undo much configuration work.

SWAT Screens - Status
- Displays the current status of the Samba server, including active connections.
- Can be used to shut down or restart the server.

SWAT Screens - View
- View the current smb.conf file. Note: you cannot change the file here.
- By default shows only the non-default entries you've created for the file. The Full View option shows the entire smb.conf file.

SWAT Screens - Password
- Add, enable and disable users, as well as resetting passwords for users.

Files & Directories
Files & Directories
- /etc/samba
  - smb.conf: primary Samba configuration file
  - lmhosts: file of NetBIOS host names & IP addresses
  - secrets.tdb: holds SID information
  - smbusers: maps Unix to Windows account names
  - smbpasswd: equivalent to the Unix password file
  - smbstab: info about file & print shares
- /usr/sbin: daemons smbd and nmbd
- /usr/bin: executables, testparm, smbnet etc.

smb.conf file
- The smb.conf file contains all non-default entries you make to configure the Samba server
- Other entries are automatically set to defaults by Samba
- Re-read on each new connection and every 60 seconds
- Rebuilt dynamically if you use SWAT

S99smbd & S99nmbd
- Located in /etc/rc2.d, linked to smb & nmb in /etc/init.d
- Created by mkdev samba, or you can manually create the links:
    /etc/init.d/smb enable
    /etc/init.d/nmb enable
- Starts and stops the daemons
- Syntax:
    /etc/rc2.d/S99smbd start|stop|restart|enable|disable
    /etc/rc2.d/S99nmbd start|stop|restart|enable|disable
- Can be modified to change the location of Samba files
- Attempts to delete the PID files and starts smbd and nmbd

Daemons
- Located in /usr/sbin
- smbd
  - TCP/IP daemon
  - Handles all file and print requests as well as authentication and security
- nmbd
  - Handles name look-up and resolution and manages network browsing
  - Handles all UDP traffic
- smbd will not work without nmbd

Using testparm
- Utility to test the syntax of the smb.conf file
- Located in /usr/lib/samba/bin
- Usage: testparm [-v] [smb.conf file location]
- By default only lists the changes you've made
- The -v option will show all defaults added by Samba
- Giving the smb.conf file location lets you test multiple files
- Besides displaying data, it does a very simple syntax check. Note: this doesn't guarantee your server will work

Configuring Your Server
Configuring the Samba Server
- Decisions to be made:
  - Do you have an existing Windows network? Is it a Workgroup or Domain? If a Domain, what security profile?
  - What type of server will this be?
  - What security mode do you want?
  - Will you join an existing Workgroup or Domain?
  - Do you have a Windows Domain? Do you use Active Directory?
  - Is the Samba server to be a Domain Controller?
  - Are Unix userids and network ids to be the same?
  - What type of clients will you have, Win95, Win2K?

Prerequisites
- You need to have a running network interface
- DNS should be configured
  - Optionally use /etc/hosts
  - Test with ping & nslookup
- If joining an AD domain, DNS should probably be running from the Win2K server, i.e.
  - nslookup fangorn.me.local returns 192.168.0.4
  - nslookup 192.168.0.4 should return fangorn.me.local
- Apache is necessary for SWAT to function
- Other SMB services must not be operating (AFPS VFS)
- Ports 137, 139, and 901 must be available

Windows Networking Issues
- Existing Win2K+ Domains with AD need to be configured with a Domain Functional Level of:
  - Windows 2000 Mixed: this allows servers using NT4 style Domain functionality to participate in the Domain
  - Or Native: this allows for native AD authentication using Kerberos; this will require the Heimdal modules

Server Types
- Stand-alone Server: a stand-alone server is a Workgroup member, but does not participate in Domain security. Domain members may access it using local authentication.
- Domain Member Server: a Domain Member Server participates in a Domain and provides for a Single Sign-on environment
- Domain Controller: acts as either a Primary or Back-up Domain Controller

Security Levels
- User Security (security = user)
  - Client sends a session request as username/password
  - Server checks user and hostname only, since no share info is available
  - Once authenticated, the client "expects" to be able to mount shares with a tree connection without further authentication
  - Client can send multiple session requests and gets a separate UID for each
- Share Security (security = share)
  - Each tree connection request has a password submitted
  - Unlike NT, Unix needs a username/password combo; Samba will try to resolve a username by checking the password against possible users
  - Not recommended; may create problems with newer Windows clients
  - Primarily to support legacy implementations (Win9x)

Security Levels
- Domain Security (NT4 Domains)
  - security = domain
  - workgroup = ME
  - encrypt passwords = yes
  - Server has a trust account on the domain server (gotcha!)
  - Authentication requests are passed to the domain server to be resolved
  - You must join a domain after Samba is started (you only need to do this once). As root execute:
    /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
  - You must have a standard Unix user account for each user of the server, or define acceptable users by share
  - Populate /etc/passwd with:
    /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw

Security Levels
- Domain Security (Native AD Domains)
  - security = domain
  - workgroup = ME
  - encrypt passwords = yes
  - Server has a trust account on the domain server (gotcha!)
  - Authentication requests are passed to the domain server to be resolved
  - You must join a domain after Samba is started (you only need to do this once). As root execute:
    /usr/lib/samba/bin/smbnet rpc join -U Administrator%adminpw
  - You must have a standard Unix user account for each user of the server, or define acceptable users by share
  - Populate /etc/passwd with:
    /usr/lib/samba/bin/smbnet rpc vampire -S pdcnbname -U administrator%pw

Security Levels
- Server Security
  - smb.conf entries needed:
    security = server
    encrypt passwords = yes
    password server = nbnameofserver
  - Variation of user level security: the client "thinks" this is user level
  - When the server gets a session setup request it uses the username/password combo to try to log in to the password server
  - Requires a standard Unix user account on the Samba server
  - You may want to block shell connections for this account
  - May cause account lockouts on servers for failed authentications
  - If the password server shuts down, Samba won't work

Setting Up a Standalone Server
Setting up a Stand-alone Server - In the Globals Screen:
- Define your Workgroup name
- Define the NetBIOS name
- Set the security level
- Set Encrypted Passwords to Yes
- Set Password Backend to smbpasswd
- Commit changes

Setting up a Stand-alone Server - In the Wizard Screen:
- Select Stand-alone Server
- Configure WINS Server
- Expose Home Dirs?
- Commit changes

Create Machine Accounts for Workstations
- You need to create machine accounts for workstations running W2K or above
- Create a Unix group machines:
    groupadd machines
- Add an account for each machine:
    useradd -g machines -d /var/nobody -c "Kirks Workstation" -s /bin/false bilbo$
- Note the $ at the end of the machine name

Add Users - In the Password Screen
- Add users
- Set passwords to match the Windows password
- Click Add New User for each user
- Click Enable User

Setting up a Stand-alone Server - In the Status screen:
- Click on Restart All to shut down and restart the server
- From a Windows workstation go to My Network Places, and select Entire Network, Microsoft Windows Network, Your Domain, Your Samba Server to display the current shares.

Setting up a Domain Member - In the Globals screen:
- Add the Domain name in the Workgroup field
- Add the server's name in the NetBIOS name field
- Set Security to DOMAIN
- Commit changes

Setting up a Domain Member - In the Wizard screen:
- Jump to Parameter Edit
- Configure the Server Type as Domain Member
- Configure WINS as Client of another Server
- Set security = Domain
- Set the IP address of your primary WINS Server
- Expose Home Dirs?
- Commit changes

Setting up a Domain Member - In the Status screen:
- Click on Restart All to shut down and restart the server
- At a Unix prompt as root run the command:
    /usr/bin/smbnet rpc join -U administrator%password
- From a Windows workstation go to My Network Places, and select Entire Network, Microsoft Windows Network, Your Domain, Your Samba Server to display the current shares.

smb.conf Entries
    [global]
    workgroup = ME
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = DOMAIN
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [printers]
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes
    browseable = No

ADS Authentication - Globals Screen
- Essentially the same as a domain member, but:
  - Add realm
  - Set Security to ADS

ADS Authentication - Wizard Screen
- The wizard should pick up the correct changes from the Globals commit
- Note the addition of realm

Changes to the Globals section of smb.conf
    [global]
    workgroup = ME
    realm = ME.LOCAL
    server string = Fangorn Samba 3 Server
    interfaces = net0, lo0
    bind interfaces only = Yes
    security = ADS
    password server = rivendell
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = 192.168.0.2

Getting Kerberos to Work
- To authenticate natively to AD you need Kerberos services to work
- In the smb.conf Globals section we need:
    security = ADS                (use AD for authentication)
    realm = ME.LOCAL              (the realm is your local DNS domain name)
    password server = RIVENDELL   (NetBIOS name of the Windows PDC)
- The SID must be correct. If errors show in the SID use:
    smbnet getlocalsid domainname
    smbnet setlocalsid S-1-5-21-x-y-z
- Run smbnet ads status -U administrator (you should get a big dump of data)
- Re-run smbnet ads join -U administrator

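The following is an added check, not code from the slides or from Samba: it reads a [global] section and reports settings that contradict the requirements the deck gives for each security mode (share is legacy; domain, ADS and server need encrypted passwords and a password server; ADS needs a realm; server mode depends on the password server) plus the "interfaces needs bind interfaces only" caveat from the securing section. The two sample [global] sections are constructed from the deck's values.

```python
# Constructed example; not code from the slides or the Samba project.  It checks a
# [global] section against the deck's own rules for each security mode: share mode
# is legacy, domain/ads/server need encrypt passwords = yes and a password server,
# ads also needs realm, server mode depends on the password server being up, and
# interfaces only takes effect with bind interfaces only = yes.
import configparser

# Constructed [global] sections: the deck's ADS settings and a weakened stand-alone one.
ADS_CONF = """\
[global]
workgroup = ME
realm = ME.LOCAL
security = ADS
encrypt passwords = yes
password server = rivendell
interfaces = net0, lo0
bind interfaces only = Yes
log file = /var/log/samba/log.%m
"""
WEAK_CONF = """\
[global]
workgroup = WORKGROUP
security = share
encrypt passwords = no
interfaces = net0, lo0
"""

NEEDS_PASSWORD_SERVER = {"domain", "ads", "server"}


def load_globals(text):
    """Parse the [global] section; %m-style macros must not be interpolated, and
    configparser lower-cases parameter names the way Samba does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k: v.strip() for k, v in cp["global"].items()}


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_security_mode(g):
    """Return findings for the [global] dict g; an empty list means consistent."""
    findings = []
    mode = g.get("security", "user").lower()          # Samba's default is user
    if mode == "share":
        findings.append("security = share is for Win9x-era clients and breaks newer ones")
    if mode in NEEDS_PASSWORD_SERVER:
        if not is_yes(g.get("encrypt passwords", "yes")):
            findings.append(f"security = {mode} requires encrypt passwords = yes")
        if not g.get("password server"):
            findings.append(f"security = {mode} needs password server = <PDC NetBIOS name>")
    if mode == "ads" and not g.get("realm"):
        findings.append("security = ads needs realm = <your DNS domain name>")
    if mode == "server":
        findings.append("security = server replays every logon to the password server: "
                        "an outage stops Samba and failed logons can lock accounts")
    if g.get("interfaces") and not is_yes(g.get("bind interfaces only", "no")):
        findings.append("interfaces is set but bind interfaces only is not yes")
    return findings
```

testparm only checks syntax, so a run of audit_security_mode over the real file is the place to catch a missing realm or an ineffective interfaces list before restarting the daemons.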
Sharing Directories
- In the SWAT Shares screen, enter a new share name & click on Create Share

Sharing Directories
- Fill in the options for this share
  - Optionally add special user conditions
  - Turn on/off Guest Access
  - Control host access
  - Set Browseable
- NB: a blank entry for valid users means anyone can access the share
- If hosts are allowed, then only those hosts are allowed
- Click on Commit Changes when done

smb.conf Entries
- This will create a section in smb.conf for this share:
    [U Filesystem]
    path = /u
    valid users = kirk, @Administrators
    hosts deny = 192.168.0.5

Sharing Unix Printers
Configuring the Print Server
- By default Samba will load all of the printers in the /etc/printcap file
- This is done by the Global option load printers = yes
- Printing mode is sysv
- Optionally on Legend you can use CUPS
- In the Globals screen / Advanced View you can set print spooler options (the defaults work well)

Sharing all printers
- In the Printers tab, choose "printers"
- Note the Browseable option
- Set Hosts to allow & deny

Adding a Specific Printer
- Enter the Printer Name
- Click on Create Printer
- Make printer-specific settings
- Set Browseable to Yes
- Commit changes

Accessing the Printer from Windows
- To use this printer from Windows: Start, Printers, Add a Printer
- Choose a Network Printer
- Choose connect to this Printer (leave the name blank)
- Drill down to the printer

Setting Up Windows Clients
Configuring the Windows Clients
- From the Control Panel select Networking - Local Area Connection
- Select Properties
- Ensure File & Print Sharing for Microsoft Networks is installed
- Select Internet Protocol (TCP/IP) and then Properties

Configuring the Windows Clients
- Select Control Panel - System
- Choose the Network Identification Wizard (Network ID button) and enter your machine name and Domain Name or Workgroup
- You will be prompted for an admin user name and password on the domain controller

Configuring the Windows Clients
- If using DHCP select "Obtain Address Automatically"
- Otherwise populate all fields
- Select the Advanced tab

Configuring the Windows Clients
- If not using DHCP you must add the IP Address and Gateway
- Likewise, DHCP will automatically add DNS & WINS information

Configuring the Windows Clients
- If not using DHCP, populate the DNS & WINS screens

Configuring Windows Clients
- From the Desktop: My Network Places, Microsoft Windows Network
- Choose your Domain (ME)
- The Samba server should be displayed (FANGORN)
- Expand the server and the shares should appear
- Double-click on the server's name to see the shares
- Alt-click on a share to consume it
- Double-click on it to browse

Using Windows Resources
Using smbclient
- smbclient is a CIFS client that allows the Samba system to consume resources from other CIFS servers
- Usage: smbclient [-?EgVNkP] [--usage] [-R NAME-RESOLVE-ORDER] [-M HOST] [-I IP] [-L HOST] [-t CODE] [-m LEVEL] [-T IXFqgbNan] [-D DIR] [-c ARG] [-b BYTES] [-p PORT] [-d DEBUGLEVEL] [-s CONFIGFILE] [-l LOGFILEBASE] [-O SOCKETOPTIONS] [-n NETBIOSNAME] [-W WORKGROUP] [-i SCOPE] [-U USERNAME] [-A FILE] [-S on|off|required] service

smbclient -L
- Use to list the shared resources on a server:

    rohan:~$ smbclient -L bilbo
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
            E$              Disk      Default share
            IPC$            IPC       Remote IPC
            D$              Disk      Default share
            downloads       Disk
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
            ExchangeData    Disk
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------
    rohan:~$

Accessing Windows Files
- Use smbclient to connect to a file share and get an FTP-like interface:

    rohan:~$ smbclient //bilbo/downloads -Ukirk
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \>

- At the smb prompt you can use commands similar to FTP: cd, dir, get, mget etc.

Listing Files
    rohan:~$ smbclient //bilbo/downloads -Ukirk
    Password:
    Domain=[ME] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \> dir
      .                                  D          0  Mon May 30 14:46:16 2005
      ..                                 D          0  Mon May 30 14:46:16 2005
      AdbeRdr60_enu_full.exe             A   16706160  Wed Apr 13 16:40:49 2005
      bilbo01_1024x768.jpg               A     317087  Tue Jul  6 12:59:22 2004
      casedge                            D          0  Tue Nov 30 16:20:08 2004
      genica                             D          0  Tue Nov 30 14:26:54 2004
      gn788.zip                          A     565618  Thu Oct 14 14:58:33 2004
      ISA2004Enterprise.iso              A  114960384  Sun Apr 24 18:50:35 2005
      iTunesSetup.exe                    A   21904216  Mon May 30 14:46:16 2005
      ppviewer.exe                       A    1951432  Wed Apr 13 16:26:26 2005
      Product_Training_April_v_4.ppt     A    4551680  Wed Apr 13 16:30:37 2005
      RealPlayer10-5GOLD.exe             A   10827296  Thu Apr 21 23:25:11 2005
      RiskFilter_403.ISO                 A  376932352  Mon Jan 10 15:21:51 2005
      threatdetector.exe                 A   17345027  Mon May 16 16:02:34 2005
      W2KSP2.exe                         A  106278016  Tue Nov 30 16:33:23 2004
      W2Ksp3.exe                         A   32913953  Tue Dec 14 14:42:37 2004

                    51740 blocks of size 524288. 44090 blocks available
    smb: \>

Getting a file
    smb: \> cd casedge
    smb: \casedge\> dir
      .                  D          0  Tue Nov 30 16:20:08 2004
      ..                 D          0  Tue Nov 30 16:20:08 2004
      audio              D          0  Tue Nov 30 16:23:03 2004
      audio_0050.exe     A   19342431  Tue Nov 30 16:22:32 2004
      lan                D          0  Tue Nov 30 14:19:29 2004
      usb                D          0  Tue Nov 30 14:21:29 2004
      video              D          0  Tue Nov 30 14:20:39 2004

                    51740 blocks of size 524288. 44090 blocks available
    smb: \casedge\> cd video
    smb: \casedge\video\> dir
      .                  D          0  Tue Nov 30 14:20:39 2004
      ..                 D          0  Tue Nov 30 14:20:39 2004
      autorun.inf        A         34  Thu Jul 11 16:07:42 2002
      Graphics           D          0  Tue Nov 30 14:20:39 2004
      ReadMe.txt         A      27090  Thu Jul 11 18:02:00 2002

                    51740 blocks of size 524288. 44090 blocks available
    smb: \casedge\video\> get ReadMe.txt
    getting file \casedge\video\ReadMe.txt of size 27090 as ReadMe.txt (464.1 kb/s) (average 464.1 kb/s)
    smb: \casedge\video\>

Using a Printer
- Configure CUPS printing on the Unix server
- Use smbclient -L servername to identify the share name of the available printers
- Create a PPD file for the Windows printer
- Install the printer to CUPS:
    root# lpadmin -p winprinter -v smb://frodo/psc2200 -P /path/to/PPDfile

Special Considerations
- Real-time updates of smb.conf
  - The smb.conf file is reread on each new connection and every 60 seconds
  - Manually changing smb.conf can interrupt existing connections
- Sharing data files with Windows & Unix apps
  - By default Samba enables opportunistic locking for local data caching
  - This should only be used where shares are used exclusively
  - In Globals - Advanced View - Locking, set oplocks and level2 oplocks to No
  - You can also disable oplocks on a per-share basis in Shares - Share Properties - Advanced - Locking

Securing your Samba Server
- If possible, Samba servers should be behind the firewall
- Host-based protection
  - You can restrict access to certain systems in the Globals - Host Allow/Deny options; create entries such as:
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0.0.0/0
  - These entries allow only local connections and those from the 192.168.0 net, and deny everyone else
- User-based protection
  - You can restrict access to certain users or groups with the Globals - (in)valid users option

Securing your Samba Server
- You can control access by interface with Globals - Interfaces
  - "eth0 lo" as an example will only listen on the loopback and eth0, but not on eth1, eth2 etc.
  - You must set Bind Interfaces Only in the Advanced screen for this to work
  - Useful on dual-homed systems
- Blocking IPC$ shares
  - Cannot be done from SWAT
  - Add lines to smb.conf:
    [IPC$]
    hosts allow = 127.0.0.1, 192.168.0.0/24
    hosts deny = 0.0.0.0/0
  - NB: this will be overwritten if you use SWAT to rebuild smb.conf

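As an added example (not from the slides or the Samba project), the following Python models how Samba decides a connection against hosts allow and hosts deny for the [U Filesystem] and [IPC$] entries above, using the smb.conf(5) rules: [global] lists are the default for every share, a share's own lists replace them, no lists admits everyone, and where both lists are present the allow list wins. It matches only IP and CIDR/netmask entries; host names, ALL, EXCEPT and Samba's loopback special case are deliberately left out, and the smb.conf text is constructed from the deck's fragments.

```python
# Constructed example; not code from the slides or the Samba project.  It models the
# smb.conf(5) hosts allow / hosts deny rules: [global] lists are the default for every
# share, a share's own lists replace them, no lists means everyone is admitted, and
# where both lists exist the allow list wins.  Only IP and CIDR/netmask entries are
# matched; host names, ALL, EXCEPT and Samba's loopback special case are left out.
import ipaddress

# Constructed smb.conf combining the deck's [global], [homes], [U Filesystem] and [IPC$].
SMB_CONF = """\
[global]
workgroup = ME
security = DOMAIN
interfaces = net0, lo0
bind interfaces only = Yes
[homes]
comment = Home Directories
[U Filesystem]
path = /u
hosts deny = 192.168.0.5
[IPC$]
Hosts Allow = 127.0.0.1, 192.168.0.0/24
Hosts Deny = 0.0.0.0/0
"""


def parse_smb_conf(text):
    """{section: {parameter: value}}; parameter names are case- and space-folded as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _listed(host_list, client_ip):
    """True if client_ip matches any IP or network entry in a hosts list."""
    addr = ipaddress.ip_address(client_ip)
    for entry in host_list.replace(",", " ").split():
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # host name or keyword: not handled in this model
            continue
    return False


def host_allowed(conf, share, client_ip):
    """Decide whether client_ip may connect to share under this smb.conf."""
    params = dict(conf.get("global", {}))  # [global] values are the defaults...
    params.update(conf.get(share, {}))     # ...and the share's own lists replace them
    allow, deny = params.get("hosts allow", ""), params.get("hosts deny", "")
    if not allow and not deny:
        return True                        # no lists at all: everyone gets in
    if _listed(allow, client_ip):
        return True                        # the allow list wins over the deny list
    if _listed(deny, client_ip):
        return False
    # Allow-only list: unlisted hosts are refused.  With a deny list present, unlisted
    # hosts get in, which is why the deck pairs its allow list with hosts deny = 0.0.0.0/0.
    return bool(deny)
```

Because the allow list wins, a hosts allow set in [global] is inherited by [U Filesystem] and re-admits 192.168.0.5 despite that share's hosts deny; a host excluded on one share needs an allow list for that share that does not cover it (Samba's EXCEPT keyword exists for this and is not modelled here).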
Resources
- http://www.samba.org
- http://us1.samba.org/samba/docs/man/samba.7.html
- The Official Samba-3 HOWTO and Reference Guide by John Terpstra and Jelmer R. Vernooij

Samba - Installation & Configuration