https://github.com/syaifulahdan/
Computer Network Administration
Samba
1. Introduction to Samba
2. Samba Daemons and Related Services
3. Connecting to a Samba Share
4. Configuring a Samba Server
5. Starting and Stopping Samba
6. Samba Server Types and the smb.conf File
7. Samba Security Modes
8. Samba Account Information Databases
9. Samba Network Browsing
10. Samba with CUPS Printing Support
11. Samba Distribution Programs
1. Introduction to Samba
https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-samba.html#samba-rgs-overview
Samba is an open source implementation of the Server
Message Block (SMB) protocol. It allows the
networking of Microsoft Windows®, Linux, UNIX,
and other operating systems together, enabling access
to Windows-based file and printer shares. Samba's use
of SMB allows it to appear as a Windows server to
Windows clients.
Samba is a powerful and versatile server
application. Even seasoned system
administrators must know its abilities and
limitations before attempting installation and
configuration.
Samba Features
What Samba can do:
• Serve directory trees and printers to Linux, UNIX, and Windows clients
• Assist in network browsing (with or without NetBIOS)
• Authenticate Windows domain logins
• Provide Windows Internet Name Service (WINS) name server
resolution
• Act as a Windows NT®-style Primary Domain Controller (PDC)
• Act as a Backup Domain Controller (BDC) for a Samba-based PDC
• Act as an Active Directory domain member server
• Join a Windows NT/2000/2003 PDC
What Samba cannot do:
• Act as a BDC for a Windows PDC (and vice versa)
• Act as an Active Directory domain controller
2. Samba Daemons and Related Services
The following is a brief introduction to the individual Samba
daemons and services.
• Samba Daemons
Samba is comprised of three daemons (smbd, nmbd, and
winbindd). Two services (smb and winbind) control how the
daemons are started, stopped, and other service-related features.
Each daemon is listed in detail, as well as which specific service
has control over it.
https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-samba-daemons.html
• smbd
The smbd server daemon provides file sharing and printing services to
Windows clients. In addition, it is responsible for user authentication, resource
locking, and data sharing through the SMB protocol. The default ports on
which the server listens for SMB traffic are TCP ports 139 and 445.
The smbd daemon is controlled by the smb service.
• nmbd
The nmbd server daemon understands and replies to NetBIOS name service
requests such as those produced by SMB/CIFS in Windows-based systems.
These systems include Windows 95/98/ME, Windows NT, Windows 2000,
Windows XP, and LanManager clients. It also participates in the browsing
protocols that make up the Windows Network Neighborhood view. The default
port that the server listens to for NMB traffic is UDP port 137.
The nmbd daemon is controlled by the smb service.
• winbindd
The winbind service resolves user and group information on a server running
Windows NT 2000 or Windows Server 2003. This makes Windows user /
group information understandable by UNIX platforms. This is achieved by
using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the
Name Service Switch (NSS). This allows Windows NT domain users to appear
and operate as UNIX users on a UNIX machine. Though bundled with the
Samba distribution, the winbind service is controlled separately from the smb
service.
The winbindd daemon is controlled by the winbind service and does not
require the smb service to be started in order to operate. Winbindd is also used
when Samba is an Active Directory member, and may also be used on a Samba
domain controller (to implement nested groups and/or interdomain trust).
Because winbind is a client-side service used to connect to Windows NT-based
servers, further discussion of winbind is beyond the scope of this manual.
3. Connecting to a Samba Share
You can use Nautilus to view available Samba shares on your
network. Select Places (on the Panel) => Network Servers to
view a list of Samba workgroups on your network. You can also
type smb: in the File => Open Location bar of Nautilus to view
the workgroups.
https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-samba-connect-share.html
As shown in Figure 1, “SMB Workgroups in Nautilus”, an icon appears for each
available SMB workgroup on the network.
Figure 2. SMB Machines in Nautilus
3.1. Command Line
To query the network for Samba servers, use the findsmb
command. For each server found, it displays its IP address,
NetBIOS name, workgroup name, operating system, and SMB
server version.
To connect to a Samba share from a shell prompt, type the
following command:
smbclient //<hostname>/<sharename> -U <username>
Replace <hostname> with the hostname or IP address of the
Samba server you want to connect to, <sharename> with the
name of the shared directory you want to browse, and
<username> with the Samba username for the system. Enter the
correct password or press Enter if no password is required for the
user.
If you see the smb:> prompt, you have successfully logged in.
Once you are logged in, type help for a list of commands. If you
wish to browse the contents of your home directory, replace
sharename with your username. If the -U switch is not used, the
username of the current user is passed to the Samba server.
To exit smbclient, type exit at the smb:> prompt.
3.2. Mounting the Share
4. Configuring a Samba Server
The default configuration file (/etc/samba/smb.conf) allows users
to view their home directories as a Samba share. It also shares all
printers configured for the system as Samba shared printers. In
other words, you can attach a printer to the system and print to it
from the Windows machines on your network.
4.1. Graphical Configuration
The Samba Server Configuration Tool is a graphical interface for
managing Samba shares, users, and basic server settings. It
modifies the configuration files in the /etc/samba/ directory. Any
changes to these files not made using the application are
preserved.
To use this application, you must be running the X Window System, have root
privileges, and have the system-config-samba RPM package installed. To start
the Samba Server Configuration Tool from the desktop, go to the System (on
the Panel) => Administration => Server Settings => Samba or type the
command system-config-samba at a shell prompt (for example, in an XTerm or
a GNOME terminal).
Figure 3. Samba Server Configuration Tool
4.1.1. Configuring Server Settings
The first step in configuring a Samba server is to configure the
basic settings for the server and a few security options. After
starting the application, select Preferences => Server Settings
from the pulldown menu. The Basic tab is displayed as shown in
Figure 4, “Configuring Basic Server Settings”.
Figure 4. Configuring Basic Server Settings
On the Basic tab, specify which workgroup the computer should
be in as well as a brief description of the computer. They
correspond to the workgroup and server string options in
smb.conf.
Figure 5. Configuring Security Server Settings
The Security tab contains the following options:
Authentication Mode — This corresponds to the security option.
Select one of the following types of authentication.
ADS — The Samba server acts as a domain member in an Active
Directory Domain (ADS) realm. For this option, Kerberos must
be installed and configured on the server, and Samba must
become a member of the ADS realm using the net utility, which is
part of the samba-client package. Refer to the net man page for
details. This option does not configure Samba to be an ADS
Controller. Specify the realm of the Kerberos server in the
Kerberos Realm field.
Domain — The Samba server relies on a Windows NT Primary
or Backup Domain Controller to verify the user. The server
passes the username and password to the Controller and waits for
it to return. Specify the NetBIOS name of the Primary or Backup
Domain Controller in the Authentication Server field.
The Encrypted Passwords option must be set to Yes if this is
selected.
4.1.2. Managing Samba Users
The Samba Server Configuration Tool requires that an existing
user account be active on the system acting as the Samba server
before a Samba user can be added. The Samba user is associated
with the existing user account.
Figure 6. Managing Samba Users
5. Starting and Stopping Samba
To start a Samba server, type the following command in a shell
prompt while logged in as root:
/sbin/service smb start
To stop the server, type the following command in a shell prompt
while logged in as root:
/sbin/service smb stop
The restart option is a quick way of stopping and then starting
Samba. This is the most reliable way to make configuration
changes take effect after editing the configuration file for Samba.
Note that the restart option starts the daemon even if it was not
running originally. To restart the server, type the following
command in a shell prompt while logged in as root:
/sbin/service smb restart
The condrestart (conditional restart) option only starts smb on the
condition that it is currently running. This option is useful for
scripts, because it does not start the daemon if it is not running.
To conditionally restart the server, type the following command
as root:
/sbin/service smb condrestart
A manual reload of the smb.conf file can be useful in case of a
failed automatic reload by the smb service. To ensure that the
Samba server configuration file is reloaded without restarting the
service, type the following command as root:
/sbin/service smb reload
By default, the smb service does not start automatically at boot
time. To configure Samba to start at boot time, use an initscript
utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services
Configuration Tool program. Refer to Chapter 15, Controlling
Access to Services for more information regarding these tools.
6. Samba Server Types and the smb.conf File
Samba configuration is straightforward. All modifications to
Samba are done in the /etc/samba/smb.conf configuration file.
Although the default smb.conf file is well documented, it does
not address complex topics such as LDAP, Active Directory, and
the numerous domain controller implementations.
The following sections describe the different ways a Samba
server can be configured. Keep in mind your needs and the
changes required to the smb.conf file for a successful
configuration.
6.1. Stand-alone Server
A stand-alone server can be a workgroup server or a member of a
workgroup environment. A stand-alone server is not a domain
controller and does not participate in a domain in any way. The
following examples include several anonymous share-level
security configurations and one user-level security configuration.
For more information on share-level and user-level security
modes, refer to Section 19.7, “Samba Security Modes”.
6.1.1. Anonymous Read-Only
The following smb.conf file shows a sample configuration
needed to implement anonymous read-only file sharing. The
security = share parameter makes a share anonymous. Note that
security levels for a single Samba server cannot be mixed. The
security directive is a global Samba parameter located in the
[global] configuration section of the smb.conf file.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Documentation Samba Server
path = /export
read only = Yes
guest only = Yes
6.1.2. Anonymous Read/Write
The following smb.conf file shows a sample configuration
needed to implement anonymous read/write file sharing. To
enable anonymous read/write file sharing, set the read only
directive to no. The force user and force group directives are also
added to enforce the ownership of any newly placed files
specified in the share.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
6.1.3. Anonymous Print Server
The following smb.conf file shows a sample configuration
needed to implement an anonymous print server. Setting
browseable to no as shown does not list the printer in Windows
Network Neighborhood. Although hidden from browsing,
configuring the printer explicitly is possible. By connecting to
DOCS_SRV using NetBIOS, the client can have access to the
printer if the client is also part of the DOCS workgroup. It is also
assumed that the client has the correct local printer driver
installed, as the use client driver directive is set to Yes. In this
case, the Samba server has no responsibility for sharing printer
drivers to the client.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
printcap name = cups
disable spools = Yes
show add printer wizard = No
printing = cups
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
6.1.4. Secure Read/Write File and Print Server
The following smb.conf file shows a sample configuration
needed to implement a secure read/write print server. Setting the
security directive to user forces Samba to authenticate client
connections. Notice the [homes] share does not have a force user
or force group directive as the [public] share does. The [homes]
share uses the authenticated user details for any files created as
opposed to the force user and force group in [public].
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = user
printcap name = cups
disable spools = Yes
show add printer wizard = No
printing = cups
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = john, ed, @admins
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes
6.2. Domain Member Server
A domain member, while similar to a stand-alone server, is
logged into a domain controller (either Windows or Samba) and
is subject to the domain's security rules. An example of a domain
member server would be a departmental server running Samba
that has a machine account on the Primary Domain Controller
(PDC). All of the department's clients still authenticate with the
PDC, and desktop profiles and all network policy files are
included. The difference is that the departmental server has the
ability to control printer and network shares.
6.3. Domain Controller
A domain controller in Windows NT is functionally similar to a
Network Information Service (NIS) server in a Linux
environment. Domain controllers and NIS servers both host
user/group information databases as well as related services.
Domain controllers are mainly used for security, including the
authentication of users accessing domain resources. The service
that maintains the user/group database integrity is called the
Security Account Manager (SAM). The SAM database is stored
differently between Windows and Linux Samba-based systems,
therefore SAM replication cannot be achieved and platforms
cannot be mixed in a PDC/BDC environment.
7. Samba Security Modes
There are only two types of security modes for Samba, share-
level and user-level, which are collectively known as security
levels. Share-level security can only be implemented in one way,
while user-level security can be implemented in one of four
different ways. The different ways of implementing a security
level are called security modes.
7.1. User-Level Security
In smb.conf, the security = user directive that sets user-level security is:
[GLOBAL]
...
security = user
...
The following sections describe other implementations of user-level security.
7.1.1. Domain Security Mode (User-Level Security)
In domain security mode, the Samba server has a machine
account (domain security trust account) and causes all
authentication requests to be passed through to the domain
controllers. The Samba server is made into a domain member
server by using the following directives in smb.conf:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...
7.1.2. Active Directory Security Mode (User-Level Security)
If you have an Active Directory environment, it is possible to
join the domain as a native Active Directory member. Even if a
security policy restricts the use of NT-compatible authentication
protocols, the Samba server can join an ADS using Kerberos.
Samba in Active Directory member mode can accept Kerberos
tickets.
In smb.conf, the following directives make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...
7.1.3. Server Security Mode (User-Level Security)
Server security mode was previously used when Samba was not
capable of acting as a domain member server.
In smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...
7.2. Share-Level Security
With share-level security, the server accepts only a password
without an explicit username from the client. The server expects a
password for each share, independent of the username. There
have been recent reports that Microsoft Windows clients have
compatibility issues with share-level security servers. Samba
developers strongly discourage use of share-level security.
In smb.conf, the security = share directive that sets share-level security is:
[GLOBAL]
...
security = share
...
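To check an existing smb.conf for the settings discussed in sections 6 and 7 (share-level or server security mode, plain text passwords, guest-writable shares), the following audit sketch parses the file and reports them. It is an added example, not part of the original slides or of Samba; the function names, finding codes and sample input are constructed here, and the parameter defaults are assumptions stated in the comments.

```python
import re

# Constructed sample: this deck's anonymous read/write example plus a
# [homes] share written with the "writeable" synonym of "read only".
SAMPLE_CONF = """\
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
[homes]
valid users = %S
writeable = yes
"""

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# smb.conf synonyms: name -> (canonical name, is the value inverted?)
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    # Names are case-insensitive and whitespace inside parameter names is
    # ignored, so "Guest OK" and "guest ok" both become "guestok".
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key, value = re.sub(r"\s+", "", name).lower(), value.strip()
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted and value.lower() in (TRUE | FALSE):
                value = "no" if value.lower() in TRUE else "yes"
        current[key] = value
    return sections


def as_bool(params, key, default):
    """Read a boolean parameter, falling back to the assumed default."""
    value = params.get(key, "").lower()
    return True if value in TRUE else False if value in FALSE else default


def audit(text):
    """Return [(section, finding_code)] in file order."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # Assumed defaults: security = user, encrypt passwords = yes,
    # read only = yes, guest ok = no, printable = no.
    mode = glob.get("security", "user").lower()
    if mode == "share":
        findings.append(("global", "share-level-security"))
    elif mode == "server":
        findings.append(("global", "server-security-mode"))
    if not as_bool(glob, "encryptpasswords", True):
        findings.append(("global", "plaintext-passwords"))
    for name, params in conf.items():
        if name == "global":
            continue
        guest = as_bool(params, "guestok", False)
        writable = not as_bool(params, "readonly", True)
        printable = as_bool(params, "printable", False)
        if guest and writable and not printable:
            findings.append((name, "anonymous-write"))
        elif guest:
            findings.append((name, "guest-access"))
    return findings


if __name__ == "__main__":
    for section, code in audit(SAMPLE_CONF):
        print(f"[{section}] {code}")
```

The [homes] share produces no finding because it is writable only for the authenticated user; the [data] share is reported because guest access and read only = No are combined.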
8. Samba Account Information Databases
The latest release of Samba offers many new features including
new password database backends not previously available. Samba
version 3.0.0 fully supports all databases used in previous
versions of Samba. However, although supported, many backends
may not be suitable for production use.
The following is a list of different backends you can use with Samba.
Other backends not listed here may also be available.
Plain Text
Plain text backends are nothing more than the /etc/passwd type
backends. With a plain text backend, all usernames and
passwords are sent unencrypted between the client and the Samba
server. This method is very insecure and is not recommended for
use by any means. It is possible that different Windows clients
connecting to the Samba server with plain text passwords cannot
support such an authentication method.
smbpasswd
A popular backend used in previous Samba packages, the
smbpasswd backend utilizes a plain ASCII text layout that
includes the MS Windows LanMan and NT account, and
encrypted password information. The smbpasswd backend lacks
the storage of the Windows NT/2000/2003 SAM extended
controls. The smbpasswd backend is not recommended because it
does not scale well or hold any Windows information, such as
RIDs for NT-based groups. The tdbsam backend solves these
issues for use in a smaller database (250 users), but is still not an
enterprise-class solution.
ldapsam_compat
The ldapsam_compat backend allows continued OpenLDAP
support for use with upgraded versions of Samba. This option
is normally used when migrating to Samba 3.0.
tdbsam
The tdbsam backend provides an ideal database backend for local
servers, servers that do not need built-in database replication, and
servers that do not require the scalability or complexity of LDAP.
The tdbsam backend includes all of the smbpasswd database
information as well as the previously-excluded SAM information.
The inclusion of the extended SAM data allows Samba to
implement the same account and system access controls as seen
with Windows NT/2000/2003-based systems.
The tdbsam backend is recommended for 250 users at most.
Larger organizations should require Active Directory or LDAP
integration due to scalability and possible network infrastructure
concerns.
ldapsam
The ldapsam backend provides an optimal distributed account
installation method for Samba. LDAP is optimal because of its
ability to replicate its database to any number of servers using the
OpenLDAP slurpd daemon. LDAP databases are light-weight and
scalable, and as such are preferred by large enterprises.
If you are upgrading from a previous version of Samba to 3.0,
note that the /usr/share/doc/samba-<version>/LDAP/samba.schema
has changed. This file contains
the attribute syntax definitions and objectclass definitions that the
ldapsam backend will need in order to function properly.
mysqlsam
The mysqlsam backend uses a MySQL-based database
backend. This is useful for sites that already implement MySQL.
At present, mysqlsam is now packed in a module separate from
Samba, and as such is not officially supported by Samba.
9. Samba Network Browsing
Network browsing enables Windows and Samba servers to
appear in the Windows Network Neighborhood. Inside the
Network Neighborhood, icons are represented as servers and if
opened, the server's shares and printers that are available are
displayed.
Network browsing capabilities require NetBIOS over TCP/IP.
NetBIOS-based networking uses broadcast (UDP) messaging to
accomplish browse list management. Without NetBIOS and
WINS as the primary method for TCP/IP hostname resolution,
other methods such as static files (/etc/hosts) or DNS, must be
used.
A domain master browser collates the browse lists from local
master browsers on all subnets so that browsing can occur
between workgroups and subnets. Also, the domain master
browser should preferably be the local master browser for its own
subnet.
9.1. Domain Browsing
By default, a Windows server PDC for a domain is also the
domain master browser for that domain. A Samba server must
not be set up as a domain master server in this type of situation.
For subnets that do not include the Windows server PDC, a
Samba server can be implemented as a local master browser.
Configuring the smb.conf for a local master browser (or no
browsing at all) in a domain controller environment is the same as
workgroup configuration.
9.2. WINS (Windows Internet Name Service)
Either a Samba server or a Windows NT server can function as a WINS server. When a
WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows
name resolution across networks. Without a WINS server, the UDP broadcast is limited
to the local subnet and therefore cannot be routed to other subnets, workgroups, or
domains. If WINS replication is necessary, do not use Samba as your primary WINS
server, as Samba does not currently support WINS replication.
In a mixed NT/2000/2003 server and Samba environment, it is recommended that you
use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended
that you use only one Samba server for WINS.
The following is an example of the smb.conf file in which the Samba server is serving
as a WINS server:
10. Samba with CUPS Printing Support
findsmb
findsmb <subnet_broadcast_address>
The findsmb program is a Perl script which reports information about SMB-
aware systems on a specific subnet. If no subnet is specified the local subnet is
used. Items displayed include IP address, NetBIOS name, workgroup or
domain name, operating system, and version.
The following example shows the output of executing findsmb as any valid
user on a system:
10.1. Simple smb.conf Settings
The following example shows a very basic smb.conf
configuration for CUPS support:
[global]
load printers = Yes
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba/print
printer = IBMInfoP
browseable = No
public = Yes
guest ok = Yes
writable = No
printable = Yes
printer admin = @ntadmins
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = ed, john
printer admin = ed, john
Other printing configurations are also possible. To add additional
security and privacy for printing confidential documents, users
can have their own print spooler not located in a public path. If a
job fails, other users would not have access to the file.
The print$ share contains printer drivers for clients to access if
not available locally. The print$ share is optional and may not be
required depending on the organization.
Setting browseable to Yes enables the printer to be viewed in the
Windows Network Neighborhood, provided the Samba server is
set up correctly in the domain/workgroup.
11. Samba Distribution Programs
net
net <protocol> <function> <misc_options> <target_options>
The net utility is similar to the net utility used for Windows and MS-DOS. The first
argument is used to specify the protocol to use when executing a command. The
<protocol> option can be ads, rap, or rpc for specifying the type of server connection.
Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc.
If the protocol is omitted, net automatically tries to determine it.
The following example displays a list of the available shares for a host named wakko:
nmblookup
nmblookup <options> <netbios_name>
The nmblookup program resolves NetBIOS names into IP addresses. The program
broadcasts its query on the local subnet until the target machine replies.
Here is an example:
Reference
• https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-samba.html

Meeting 9 samba

  • 1. https://github.com/syaifulahdan/ 1 Computer Network Administration Samba 1. Introduction to Samba 2. Samba Daemons and Related Services 3. Connecting to a Samba Share 4. Configuring a Samba Server 5. Starting and Stopping Samba 6. Samba Server Types and the smb.conf File 7. Samba Security Modes 8. Samba Account Information Databases 9. Samba Network Browsing 10. Samba with CUPS Printing Support 11. Samba Distribution Programs
  • 2. https://github.com/syaifulahdan/ 1. Introduction to Samba https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-samba.html#samba-rgs-overview Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.
  • 3. https://github.com/syaifulahdan/ Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration. Samba Features
  • 4. https://github.com/syaifulahdan/ What Samba can do: • Serve directory trees and printers to Linux, UNIX, and Windows clients • Assist in network browsing (with or without NetBIOS) • Authenticate Windows domain logins • Provide Windows Internet Name Service (WINS) name server resolution • Act as a Windows NT®-style Primary Domain Controller (PDC) • Act as a Backup Domain Controller (BDC) for a Samba-based PDC • Act as an Active Directory domain member server • Join a Windows NT/2000/2003 PDC
  • 5. https://github.com/syaifulahdan/ What Samba cannot do: • Act as a BDC for a Windows PDC (and vice versa) • Act as an Active Directory domain controller
  • 6. https://github.com/syaifulahdan/ The following is a brief introduction to the individual Samba daemons and services. 2. Samba Daemons and Related Services • Samba Daemons Samba is comprised of three daemons (smbd, nmbd, and winbindd). Two services (smb and windbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it. https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-samba-daemons.html
  • 7. https://github.com/syaifulahdan/ • smbd The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445. The smbd daemon is controlled by the smb service. • nmbd The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137. The nmbd daemon is controlled by the smb service.
  • 8. https://github.com/syaifulahdan/ • winbindd The winbind service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service. The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this manual.
  • 9. https://github.com/syaifulahdan/ 3. Connecting to a Samba Share You can use Nautilus to view available Samba shares on your network. Select Places (on the Panel) => Network Servers to view a list of Samba workgroups on your network. You can also type smb: in the File => Open Location bar of Nautilus to view the workgroups. https://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-samba-connect-share.html
  • 10. https://github.com/syaifulahdan/ Figure 1, “SMB Workgroups in Nautilus”, an icon appears for each available SMB workgroup on the network.
  • 12. https://github.com/syaifulahdan/ 3.1. Command Line To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version. To connect to a Samba share from a shell prompt, type the following command: smbclient //<hostname>/<sharename> -U <username>
  • 13. https://github.com/syaifulahdan/ Replace <hostname> with the hostname or IP address of the Samba server you want to connect to, <sharename> with the name of the shared directory you want to browse, and <username> with the Samba username for the system. Enter the correct password or press Enter if no password is required for the user. If you see the smb:> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server. To exit smbclient, type exit at the smb:> prompt.
  • 14. https://github.com/syaifulahdan/ 3.2. Mounting the Share To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version. To connect to a Samba share from a shell prompt, type the following command: smbclient //<hostname>/<sharename> -U <username>
  • 15. https://github.com/syaifulahdan/ 4. Configuring a Samba Server The default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
  • 16. https://github.com/syaifulahdan/ 4.1. Graphical Configuration The Samba Server Configuration Tool is a graphical interface for managing Samba shares, users, and basic server settings. It modifies the configuration files in the /etc/samba/ directory. Any changes to these files not made using the application are preserved. To use this application, you must be running the X Window System, have root privileges, and have the system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the System (on the Panel) => Administration => Server Settings => Samba or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).
  • 18. https://github.com/syaifulahdan/ 4.1.1. Configuring Server Settings The first step in configuring a Samba server is to configure the basic settings for the server and a few security options. After starting the application, select Preferences => Server Settings from the pulldown menu. The Basic tab is displayed as shown in Figure 4, “Configuring Basic Server Settings”.
  • 19. https://github.com/syaifulahdan/ Figure 4. Configuring Basic Server Settings On the Basic tab, specify which workgroup the computer should be in as well as a brief description of the computer. They correspond to the workgroup and server string options in smb.conf.
  • 21. https://github.com/syaifulahdan/ The Security tab contains the following options: Authentication Mode — This corresponds to the security option. Select one of the following types of authentication. ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
  • 22. https://github.com/syaifulahdan/ ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
  • 23. https://github.com/syaifulahdan/ Domain — The Samba server relies on a Windows NT Primary or Backup Domain Controller to verify the user. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the Authentication Server field. The Encrypted Passwords option must be set to Yes if this is selected.
  • 24. https://github.com/syaifulahdan/ 4.1.2. Managing Samba Users The Samba Server Configuration Tool requires that an existing user account be active on the system acting as the Samba server before a Samba user can be added. The Samba user is associated with the existing user account. Figure 6. Managing Samba Users
  • 25. https://github.com/syaifulahdan/ 5. Starting and Stopping Samba To start a Samba server, type the following command in a shell prompt while logged in as root: /sbin/service smb start To stop the server, type the following command in a shell prompt while logged in as root: /sbin/service smb stop
  • 26. https://github.com/syaifulahdan/ The restart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally. To restart the server, type the following command in a shell prompt while logged in as root: /sbin/service smb restart
  • 27. https://github.com/syaifulahdan/ The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. To conditionally restart the server, type the following command as root: /sbin/service smb condrestart
  • 28. https://github.com/syaifulahdan/ A manual reload of the smb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command as root: /sbin/service smb reload By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 15, Controlling Access to Services for more information regarding these tools.
  • 29. https://github.com/syaifulahdan/ 6. Samba Server Types and the smb.conf File Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations. The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the smb.conf file for a successful configuration.
  • 30. https://github.com/syaifulahdan/ A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to Section 19.7, “Samba Security Modes”. 6.1. Stand-alone Server
  • 31. https://github.com/syaifulahdan/ The following smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the smb.conf file. 6.1.1. Anonymous Read-Only
  • 32. https://github.com/syaifulahdan/ [global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Documentation Samba Server path = /export read only = Yes guest only = Yes a sample configuration needed to implement anonymous read-only
  • 33. https://github.com/syaifulahdan/ The following smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share. 6.1.2. Anonymous Read/Write
  • 34. https://github.com/syaifulahdan/ [global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes a sample configuration needed to implement anonymous read/write
  • 35. https://github.com/syaifulahdan/ The following smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client. 6.1.3. Anonymous Print Server
  • 36. https://github.com/syaifulahdan/ [global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools= Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes a sample configuration needed to implement anonymous print Server
  • 37. https://github.com/syaifulahdan/ The following smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public]. 6.1.4. Secure Read/Write File and Print Server
  • 38. https://github.com/syaifulahdan/ [global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] a sample configuration needed to implement Secure Read/Write File and Print server comment = Data path = /export force user = docsbot force group = users guest ok = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
  • 39. https://github.com/syaifulahdan/ A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares. 6.2. Domain Member Server
  • 40. https://github.com/syaifulahdan/ A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment. 6.3. Domain Controller
  • 41. https://github.com/syaifulahdan/ 7. Samba Security Modes There are only two types of security modes for Samba, share- level and user-level, which are collectively known as security levels. Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes.
  • 42. https://github.com/syaifulahdan/ A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment. 7.1. User-Level Security
  • 43. https://github.com/syaifulahdan/ [GLOBAL] ... security = user ... In smb.conf, the security = user directive that sets user-level security is: The following sections describe other implementations of user-level security.
  • 44. https://github.com/syaifulahdan/ In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in smb.conf: 7.1.1. Domain Security Mode (User-Level Security)
  • 45. https://github.com/syaifulahdan/ [GLOBAL] ... security = domain workgroup = MARKETING ... In smb.conf, the security = user directive that sets user-level security is: The following sections describe other implementations of user-level security.
  • 46. https://github.com/syaifulahdan/ If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets. 7.1.2. Active Directory Security Mode (User-Level Security)
  • 47. https://github.com/syaifulahdan/ [GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ... In smb.conf, the following directives make Samba an Active Directory member server:
  • 48. https://github.com/syaifulahdan/ Server security mode was previously used when Samba was not capable of acting as a domain member server. 7.1.3. Server Security Mode (User-Level Security) [GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ... In smb.conf, the following directives make Samba an Active Directory member server:
  • 49. https://github.com/syaifulahdan/ [GLOBAL] ... encrypt passwords = Yes security = server password server = "NetBIOS_of_Domain_Controller" ... In smb.conf, the following directives enable Samba to operate in server security mode:
  • 50. 7.2. Share-Level Security
    With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.
  • 51. In smb.conf, the security = share directive that sets share-level security is:
        [GLOBAL]
        ...
        security = share
        ...
  • 52. 8. Samba Account Information Databases
    The latest release of Samba offers many new features including new password database backends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many backends may not be suitable for production use. The following is a list of different backends you can use with Samba. Other backends not listed here may also be available.
  • 53. Plain Text
    Plain text backends are nothing more than the /etc/passwd type backends. With a plain text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
  • 54. smbpasswd
    A popular backend used in previous Samba packages, the smbpasswd backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd backend lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd backend is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam backend solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
  • 55. ldapsam_compat
    The ldapsam_compat backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option is normally used when migrating to Samba 3.0.
  • 56. tdbsam
    The tdbsam backend provides an ideal database backend for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam backend includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems. The tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
  • 57. ldapsam
    The ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. If you are upgrading from a previous version of Samba to 3.0, note that the /usr/share/doc/samba-<version>/LDAP/samba.schema has changed. This file contains the attribute syntax definitions and objectclass definitions that the ldapsam backend will need in order to function properly.
  • 58. mysqlsam
    The mysqlsam backend uses a MySQL-based database backend. This is useful for sites that already implement MySQL. At present, mysqlsam is packaged in a module separate from Samba, and as such is not officially supported by Samba.
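An added example (not from the original slides or the Samba project): a small Python check that parses an smb.conf and flags the [global] settings the slides above advise against, namely share-level and server security modes, unencrypted passwords, and the smbpasswd backend. The sample configuration is constructed, and parse_smb_conf and audit are hypothetical helper names.

```python
# Added example: flag smb.conf [global] settings that the slides advise against.
# SAMPLE_CONF is constructed; parse_smb_conf and audit are hypothetical helpers.
SAMPLE_CONF = """\
[GLOBAL]
    workgroup = MARKETING
    security = share
    encrypt passwords = No
    passdb backend = smbpasswd
"""

DISCOURAGED_MODES = {
    "share": "share-level security is strongly discouraged by the Samba developers",
    "server": "server mode dates from before Samba could be a domain member server",
}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with section and parameter names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # smb.conf parameter names are case-insensitive; collapse inner spaces
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return a list of (parameter, value, reason) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    mode = g.get("security", "").lower()
    if mode in DISCOURAGED_MODES:
        findings.append(("security", mode, DISCOURAGED_MODES[mode]))
    # An absent parameter is treated as not set to a weak value.
    if g.get("encrypt passwords", "yes").lower() in ("no", "false", "0"):
        findings.append(("encrypt passwords", "no", "passwords are sent unencrypted"))
    backend = g.get("passdb backend", "").lower()
    if backend.startswith("smbpasswd"):
        findings.append(("passdb backend", backend, "does not scale or store extended SAM data"))
    return findings

if __name__ == "__main__":
    for param, value, reason in audit(SAMPLE_CONF):
        print(f"{param} = {value}: {reason}")
```

On a live server, run the check against the output of testparm -s rather than the raw file, so that included files and defaults are resolved first.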
  • 59. 9. Samba Network Browsing
    Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood. Inside the Network Neighborhood, icons are represented as servers and if opened, the server's shares and printers that are available are displayed. Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP hostname resolution, other methods such as static files (/etc/hosts) or DNS must be used.
  • 60. A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.
  • 61. 9.1. Domain Browsing
    By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation. For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the smb.conf for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.
  • 62. 9.2. Domain Browsing
    Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed, which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication. In a mixed NT/2000/2003 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS. The following is an example of the smb.conf file in which the Samba server is serving as a WINS server:
  • 63. 10. Samba with CUPS Printing Support
    findsmb
        findsmb <subnet_broadcast_address>
    The findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified, the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version. The following example shows the output of executing findsmb as any valid user on a system:
  • 64. 10.1. Simple smb.conf Settings
    The following example shows a very basic smb.conf configuration for CUPS support:
  • 65. [global]
        load printers = Yes
        printing = cups
        printcap name = cups
    [printers]
        comment = All Printers
        path = /var/spool/samba/print
        printer = IBMInfoP
        browseable = No
        public = Yes
        guest ok = Yes
        writable = No
        printable = Yes
        printer admin = @ntadmins
    [print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/drivers
        write list = ed, john
        printer admin = ed, john
  • 66. Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file. The print$ share contains printer drivers for clients to access if not available locally. The print$ share is optional and may not be required depending on the organization. Setting browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.
  • 67. 11. Samba Distribution Programs
  • 69. net
        net <protocol> <function> <misc_options> <target_options>
    The net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> option can be ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc. If the protocol is omitted, net automatically tries to determine it. The following example displays a list of the available shares for a host named wakko:
  • 71. nmblookup
        nmblookup <options> <netbios_name>
    The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies. Here is an example: