Chapter 7 Let's Dance the Samba . . .

By using Samba (developed by Andrew Tridgell from Australia), you can convert any UNIX machine into a powerful file and print server for DOS and Windows machines. Since its beginnings in 1991, Samba has proven to be a stable and reliable product which has made its way into companies, serving as a supplement to, or even a replacement for, NetWare and Windows NT servers.

7.1 Introduction

Samba has now become a fully-fledged, and rather complex, product. We cannot cover all the details in this book, but only present an overview. In /usr/doc/packages/samba you can find many documents that will help you build complex network solutions with Samba. Samba's configuration file /etc/smb.conf has its own manpage (man smb.conf).

Samba uses the SMB (Server Message Block) protocol from Microsoft. All clients, however (e.g. Windows 95/98 or NT machines), must have the TCP/IP protocol activated. Samba places the SMB protocol on top of the TCP/IP protocol. TCP/IP is installed by default on all Windows machines which have Internet access.

The SMB protocol (Server Message Block) makes file and print services in Windows and LAN Manager available. The SMB protocol is based on NetBIOS services, and is comparable to NFS. Here, there is no difference from other protocols, such as the NetWare Core Protocol. In contrast to Novell, Microsoft has released the specifications of the SMB protocol so that others may now support SMB as well.

The extent of Installation Support does not include Samba configuration (see Section H.1.2 page 493); we will be pleased to help you, however, within the framework of our cost-effective Professional Services (see Section H.3 page 497).

NetBIOS

NetBIOS is a software interface (API) which has been designed for communication between machines. Here a so-called name service is provided. This enables machines connected to the net to reserve names for themselves. After reservation, these machines can be addressed by their names. There is no
central process that checks names. Any machine on the network can reserve as many names as it wants, provided the name is not already in use.

The NetBIOS interface can be implemented for different network architectures. An implementation that works relatively closely with the network hardware is called NetBEUI, but this is often referred to as NetBIOS. When addressing single packets, NetBEUI works with the hardware address of the adapter. In contrast to IPX or IP addresses, you cannot get routing information from it. It is not possible to transfer NetBEUI packets via routers. A network running NetBEUI is reduced to the range that can be reached by repeaters and bridges.

Network protocols that have been implemented with NetBIOS are IPX from Novell and TCP/IP. The protocol which layers NetBIOS onto TCP/IP is described in RFCs 1001 and 1002. RFC 1001 contains a good and understandable introduction to NetBIOS concepts, which is of much help when trying to understand services such as WINS.[1]

The NetBIOS names that are sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS. NetBIOS uses its own, completely independent naming convention. It is recommended, however, that you use names that correspond to DNS hostnames to make administration easier. This is the default used by Samba.

Clients

Except for DOS and Windows 3.1, every current PC operating system supports the SMB protocol for importing and exporting. Windows for Workgroups supports SMB in its standard installation only via IPX and NetBEUI. In order to use Samba, which can only provide SMB via TCP/IP, additional software has to be installed, which (if needed) may be obtained from ftp://ftp.microsoft.com/bussys/Clients.

SMB servers provide disk space to their clients by means of so-called shares.
Here, a share includes a directory and its subdirectories. It is exported under a name and can be accessed by that name. Of course, the share name can be set to any name; it does not have to be the name of the exported directory. A printer is also assigned a name, and clients can access the printer by that name.

[1] WINS is nothing more than an extended NetBIOS name server and not an idea of Microsoft - only the name is new!

Permissions

An NFS server is configured via /etc/exports. Access restrictions are only possible at a machine level. In NFS, this makes sense, since it was designed for UNIX workstations that themselves check permissions and authentication. But on Windows, where any user can get "root" permission, the NFS protocol is no longer suitable. NFS clients for DOS must be regarded as immense security holes!

The SMB protocol comes from within the DOS world and directly covers the security issues. Any access to a share can be protected by a password. SMB now has two alternatives for providing this:

* Share Level Security
  A password is directly assigned to any share. Anybody who knows this password can access the share.

* User Level Security
  This variation introduces the user concept in SMB. Every user has to log in on the server, using his login and password. After a successful login, the server can now grant access, depending on the user's permissions.

The distinction between share-level and user-level security has to be set for the server as a whole. It is not possible to export some shares with share-level security and others with user-level security.

By default, Samba is set to share-level security. Here, the home directories of the users are protected by the normal user password. For other shares, a user has to be entered by giving the user option, which is protected by the user password. The parameter security may be given as security = user in smb.conf.
Then users are validated as normal in UNIX, using /etc/passwd and /etc/group. Samba also offers a third possibility by providing security = server. If this option is activated, Samba validates the user on another (NT) server, which has to be set by the option password server.

7.2 Installation of the Server

To start the SMB services, set the variable to the value yes in /etc/rc.config (cf. Section 3.6.11 page 101).

Almost anything that can be configured is done in smb.conf. This file resembles a Windows .INI file. It is separated into different sections which each contain specific parameters. Generally, one share is described per section, and is defined by the section name. There are three special sections as well. These are [global], [homes] and [printers]. In [global], parameters are set that are not specific to a certain share. If the section [homes] is present, any user on the server can access their home directory without having to define a home share for each user. The same applies to printers: all printers in /etc/printcap are accessible, without having to be set up separately.

smb.conf

A simple example file can be seen in File contents 7.2.1 below. This /etc/smb.conf provides access to the home directories of the users as well as all printers listed in /etc/printcap.

* workgroup = workgroup
  On any Windows machine, Samba is assigned to a work group, just like a Windows machine, where it can be seen in the "network environment". workgroup is the default work group for Windows for Workgroups.
  [global]
     workgroup = workgroup
     guest account = nobody
     keep alive = 30
     os level = 2
     security = share
     printing = bsd
     printcap name = /etc/printcap
     load printers = yes

  [sample]
     path = /home/sample
     comment = sample directory
     read only = no
     browseable = yes
     public = yes
     create mode = 0750

  [cdrom]
     path = /cdrom
     comment = cdrom
     volume = "CD_ROM_label"
     read only = yes
     available = yes
     share modes = no
     browseable = yes
     public = yes

  [printers]
     comment = All Printers
     browseable = no
     printable = yes
     public = no
     read only = yes
     create mode = 0700
     directory = /tmp

File contents 7.2.1: Example for /etc/smb.conf

* guest account = nobody
  Samba needs a user name that is listed in /etc/passwd and that has only limited permissions for certain tasks. If public shares (parameter public = yes) are defined, all operations on them are executed with this user ID. Even if no public share is defined, the guest account has to be defined in order for the Samba machine to appear in the network environment.

* keep alive = 30
  Windows machines tend to crash from time to time. If they leave open connections behind, it could happen that the server recognizes this only much later. If you do not want Samba to waste resources, you can tell it to check whether the client is still alive by setting keep alive = 30.

* os level = 2
  The parameter os level = 2 specifies that Samba provides browser services to WfW and Windows 95. If there is an NT machine on the network, Samba will not provide these services to it, but will use the NT machine itself.

* security = share
  See the section on permissions.

The section [sample] defines parameters for the directory to be exported. This directory is accessible to all users in the network, because public = yes. The same is true for the exported /cdrom (in this way, for example, a low-cost jukebox can be set up).

The following three parameters serve to read /etc/printcap and to export any printer specified.
The section [homes] assigns parameters for the home directories. These directories can be reached via the user's name.

* path = /home/sample
  The directory /home/sample is exported by means of path.

* comment = Sample
  Every share on an SMB server can be provided with a comment describing the share.

* browseable = yes
  This setting makes the share sample visible in the network environment.

* read only = no
  By default, Samba prohibits write access on exported shares. Users logged in should have permission to write in their home directories, so read only = no has to be set.

* create mode = 750
  Windows machines do not understand the concept of UNIX permissions. Thus they cannot assign permissions when creating a file. The parameter create mode assigns which permissions should be used when creating a new file.

There is also the program swat for the administration of the Samba server. It provides a simple web interface with which you can configure the Samba server comfortably. Information on the program can be found in /usr/doc/packages/samba/htmldocs/swat.8.html or in the manpage for swat (man swat).

7.3 Installation of Clients

DOS, Windows for Workgroups and Windows 95 are important clients. Clients can access Samba only via TCP/IP. NetBEUI and NetBIOS via IPX are not available at the moment. Since TCP/IP is becoming more and more popular, even with Novell and Microsoft, it is not certain whether this is going to change in the near future.

Windows 95/98

Windows 95/98 already has built-in support for TCP/IP. As with Windows for Workgroups, however, this is not installed by default. To add TCP/IP, go to `Control Panel', `System' and choose `Add', `Protocols', `TCP/IP from Microsoft'. Be sure to enter your network address and network mask correctly (see Section 5 page 133)! After re-booting your Windows machine you will find the properly configured Samba server in the network environment (double-click on the network icon on your desktop).
To use a printer on the Samba server, you should install the standard or Apple PostScript printer driver from the corresponding Windows version; it is best to link this to the Linux printer queue, which includes automatic apsfilter recognition.

7.4 Optimization

At this point we would like to point out once again that the configuration outlined here is suitable for a private user, but not for business solutions. Our Professional Services will be pleased to help you with questions on this subject (see Section H.3 page 497).

The standard configuration in /etc/smb.conf is very slow. Here are a few suggestions to improve it.

* socket options = TCP_NODELAY
  The TCP/IP protocol always tries to combine a number of small data blocks before sending. Because Samba operates on these small data blocks, in practice it is useful to switch off this behavior with the option socket options = TCP_NODELAY.

* oplocks = yes
  With this option, write accesses to modified files are only carried out when another client wants to read the same file. In this way, it behaves like a write cache.

* write raw = yes
  Raw write allows 65535 bytes to be sent in each packet and can, under certain circumstances, provide a significant boost in performance. With cheaper network cards, however, it is probably better to set this option to write raw = no.

* read raw = yes
  Has the same effect as write raw = yes but is only responsible for reading files.

Further help and many tips on optimizing can be found in the files /usr/doc/packages/samba/textdocs/Speed.txt and /usr/doc/packages/samba/textdocs/Speed2.txt.
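As an added example (not code from this manual or from the Samba project), the following Python script parses an smb.conf in the Windows .INI-like layout described in Section 7.2 and reports the settings this chapter singles out as security-relevant: share-level security (Section 7.1, Permissions), shares that are public and writable (every operation on them runs as the guest account), and create mode values that would give new files group or world write permission. The embedded configuration is the chapter's File contents 7.2.1. The finding codes and helper names are my own; treating guest ok and writable/writeable as synonyms for public and read only = no is also my assumption for this example, since the chapter does not mention those synonyms.

```python
import re
from typing import Dict, List, Tuple

# Added example; not code from this manual or the Samba project. The sample
# reproduces the chapter's File contents 7.2.1 inline so the script runs offline.
SAMPLE_SMB_CONF = """
[global]
   workgroup = workgroup
   guest account = nobody
   keep alive = 30
   os level = 2
   security = share
   printing = bsd
   printcap name = /etc/printcap
   load printers = yes
[sample]
   path = /home/sample
   comment = sample directory
   read only = no
   browseable = yes
   public = yes
   create mode = 0750
[cdrom]
   path = /cdrom
   comment = cdrom
   volume = "CD_ROM_label"
   read only = yes
   available = yes
   share modes = no
   browseable = yes
   public = yes
[printers]
   comment = All Printers
   browseable = no
   printable = yes
   public = no
   read only = yes
   create mode = 0700
   directory = /tmp
"""

Config = Dict[str, Dict[str, str]]
Finding = Tuple[str, str]  # (section, finding code); the codes are my own labels

def parse_smb_conf(text: str) -> Config:
    """Parse the .INI-like layout of Section 7.2: [section] headers and 'key = value'
    lines; ';' or '#' starts a comment; keys are case- and whitespace-insensitive."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section is ignored
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def _share_writable(params: Dict[str, str]) -> bool:
    """Section 7.2: writes are prohibited unless 'read only = no'; Samba's synonyms
    'writable'/'writeable = yes' are honoured as well (assumption, see lead-in)."""
    if "read only" in params:
        return not _yes(params["read only"])
    return any(_yes(params[k]) for k in ("writable", "writeable") if k in params)

def audit(conf: Config) -> List[Finding]:
    """Report the settings this chapter singles out as security-relevant."""
    findings: List[Finding] = []
    # Section 7.1: share-level security is the default; user-level validates each
    # user against /etc/passwd and /etc/group instead.
    if conf.get("global", {}).get("security", "share").strip().lower() == "share":
        findings.append(("global", "share-level-security"))
    for name, params in conf.items():
        if name == "global":
            continue
        # 'public = yes' runs every operation as the guest account ('guest ok' is
        # Samba's synonym for 'public').
        if _yes(params.get("public", params.get("guest ok", "no"))):
            writable = _share_writable(params)
            findings.append((name, "public-writable" if writable else "public-read-only"))
        mode = params.get("create mode")
        if mode is not None and not re.fullmatch(r"[0-7]+", mode):
            findings.append((name, "unparseable-create-mode"))
        elif mode is not None and int(mode, 8) & 0o022:  # group- or world-writable
            findings.append((name, "permissive-create-mode"))
    return findings

if __name__ == "__main__":
    for section, code in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {code}")
```

Run as-is, the script reports the chapter's example: the server uses share-level security, [sample] is a public writable share, and [cdrom] is a public read-only share, while [printers] (public = no) and both create mode values pass. To check a real server, read /etc/smb.conf into parse_smb_conf instead of the embedded sample.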