Originally Published: Monday, 6 November 2000 Author: Alex Pearsall

Learning Samba: Part II

You've finished installing Samba, but now you've got to configure it so it's ready to rock! Let Alex Pearsall lead the way in Learning Samba, Part II. Get Linux online with legacy Windows networks, and share away!

Welcome to Learning Samba, part 2. If you remember from last time, we learned how to set up and install Samba. Unless you really know your kung fu, you don't have a clue what to do to get it working! Now, fire up a terminal, warm up a pot of coffee, and make yourself comfortable, because we're going to get this baby running.

I'm going to assume that you have Samba installed, that everything went smoothly during install, and that all you need to know is how to configure it. I've gotten many e-mails from people who decided to use the GUI tools, which make it look all pretty and simple. This isn't the way you should go. Some day, you might need to set up Samba on a box that doesn't have X-windows, or where you can't get a remote X session running! We don't want to leave you hanging like that! We're going to do this the old-fashioned way.

Now, Samba has one main config file. In a sense, it's the heart of Samba: almost every setting is read and loaded from it, and all your directory and printer shares exist there. Almost everything you will need to share is right here. This config file is "smb.conf" and should be located at "/etc/smb.conf".

If you open up smb.conf with your favorite free-software text editor like jed or emacs, you'll see all the configuration options for Samba (with comments) on how to set up work-groups, server names and other stuff. We'll go through these one by one later on. Just look through it briefly, so you get an idea of what kind of beast you're working with.

I'll quickly explain the other files that Samba references. The main one (as you now know) is /etc/smb.conf. The second file is /etc/smbusers. This is a list of all the valid users in the system that have Samba accounts as well. For example, look below at my /etc/smbusers:

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

Now, as the comment indicates, one GNU/Linux name can map to multiple Win9x names. If you made a user on your GNU/Linux system named "mp3" and you wanted to only share MP3's, you could add a line like:

mp3 = music audio tunes

and anyone could log in with the login name "music", "audio" or "tunes" (entering the same password of course) and access all the files available for the user "mp3". Pretty neat, eh?

There is one more main file: "/etc/smbpasswd". This is where the passwords for the Samba users are kept. And yes, all you paranoid admins, if you take a look at it the password is scrambled, so nobody can get your superuser account and swipe your private stash of MP3's on that 60 gig Raid Array!

Enough with the technical jargon, enough with the explanation. Let's get this up before your supervisor comes a-running, or wife starts yelling about printer sharing. Put on your sunglasses, crack your knuckles. It's go time.

Open up /etc/smb.conf. The very first configurable line should look something like this:

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = Pearsall-Home

As you can see from what I have, my work-group is set to "Pearsall-Home". Depending on what your workgroup is, you might want to change that.

The next line you should have should be something looking like this:

# server string is the equivalent of the NT Description field
server string = MP3's For all

Also, this is what your computer will come up as in the server-description field. If someone wants to see what your server is for, you might want to put it there so they know. Obviously, my Samba server is used for sharing MP3's with the rest of my family.

Now we get into the more tricky stuff. The next configurable line should look something like this:

; hosts allow = 192.168.1. 192.168.2. 127.

If you are familiar with networks and such, you will notice that this restricts access to only certain networks, so any computer on 192.168.1. can access your Samba server, and any computer on 192.168.2. can as well. Anyone else won't be allowed. This is a good option for people setting up Samba in a business setting where they need to restrict resources to certain networks. But for home users, you really can just leave the ";" in front of it and it'll stay commented out.

After that you should have some stuff on printers. For these, it's best just to leave them alone. If you read the comments (highlighted in light blue in the jed text editor) you'll see what each printer option does. The next thing is the guest account. This represents which user can be used (if any) for guest. If you want a guest user, your line might look like this:

guest account = smbguest

Which would mean that the user "smbguest" on your GNU/Linux system would also be a guest account for any Win9x/NT client that wants to gain access to your files. Remember to remove the ";" in front of it. The log file is self-explanatory, as is the max log size. One important option you might want to look at is the security setting. You can read security_level.txt in the Samba documentation. I have my settings on "share", but the "user" level security will work fine.

The next line (this is all security stuff as you might have guessed) allows you to specify a NT Password server to verify usernames and logins on. The line should look like this:

; password server =

I have never had to use this option, as I run a GNU/Linux network, and my computer IS the password server. But if you needed to enable this, just get rid of the ";" and substitute the name of your NT Password Server.

The next option is another security feature. It is called "password level". There are two, a user password level, and a username level. This allows only a certain number of the same characters to appear in a username or a password. You can increase or lower the number of characters, depending on the need for security. Mine looks like this:

password level = 4
username level = 4

This means that if I had the login name of "aaaalex" and the password of "xxxxxxxllllll", the password would be rejected because there are too many repeating occurrences of the characters "x" and "l" in the password.

The next option deals with encrypting passwords to be sent over the network. And it looks like this:

; encrypt passwords = yes
; smb passwd file = /etc/smbpasswd

Now, a normal geek like you and me would say "Hell, yes! I want encrypted passwords; I don't want cleartext passwords going through MY network!" But if you're unfortunate enough to have to use outdated Windows 95 computers, you HAVE to have it send plaintext passwords. However, with Windows 98/2000, you can indeed enable encrypted passwords. The smb passwd file is just where all the encrypted passwords are stored for reading.

The next section deals with GNU/Linux password syncing. Password syncing means that when I change my system password (telnet or ssh) on my GNU/Linux server, it also updates my password in /etc/smbpasswd. It works the other way too: if I change my smb password, it changes my GNU/Linux telnet or ssh password for me as well.

Below that is where you can map different SMB usernames to different GNU/Linux system accounts, using /etc/smbusers. This part of the config file looks like this:

; username map = /etc/smbusers

After username mapping come the machine-specific configuration files. This is useful if you need to have a separate smb.conf file. Say you have that Win95 computer that needs cleartext passwords, but you don't want ALL the smb authentication to be in cleartext. This allows you to specify a machine name and have it reference a different smb.conf. It would work like this: if you had a Win95 machine named "gorewin" and you wanted it to load a different smb.conf file so that it could access the shares using non-encrypted passwords, you could do this:

# %m expands to the NetBIOS name of the connecting machine
include = /etc/smb.conf.%m

In this, when a machine with the NetBIOS name of "gorewin" tries to access the resources, it references the /etc/smb.conf.gorewin file instead of the /etc/smb.conf file.

Much of what you will see are advanced things that most normal users won't need. And if you think you do, you can read the comments, or e-mail me for help on a certain part of it. There are so many options and parts though, that I couldn't explain them in less than a 50-page article.

Next we come to the share definitions. Share definitions define (duhh) the shares that your system or systems will offer to SMB clients. You can define printers, home directories, folders on your system and other goodies. For example, here is a share definition of what I use to share MP3's with my GNU/Linux and Win9x/NT clients:

[mp3]

comment = Loads of music
available = yes
browseable = yes
path = /mnt/MP3/
public = yes
guest only = no
writable = no
user = /etc/smbusers
only user = no
admin users = root

This will allow any valid user (guest included) to browse my MP3's located in /mnt/MP3. The "comment" field is the description that the share is listed under.

The "browseable" feature allows people to point and click and browse their way through it with no problem. This means they're not locked into a single directory or folder. This can be a good and a bad thing, but in my case, a good thing.

The "path" field gives the path to the actual file(s) that you want to share. The "public" field allows guest users and others to view the files. Setting "guest only" to "no" means that people BESIDES guest users can browse it as well. Setting "writable" to "no" means that nobody can write anything to it, or write OVER anything.

The "user" field shows where a list of valid smb-style users is. As discussed above, /etc/smbusers works well for this. The "admin users" field is exactly that. It specifies which local users (on the system) are considered administrators and can change, add to, or modify the exported directory.
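
As an added example (not part of the original article and not a Samba tool), this Python script parses an smb.conf and flags the access-control choices walked through above: a commented-out "hosts allow", share-level security, password encryption left off, and shares open to guests. The function names and the sample file are constructed for illustration, and a missing "encrypt passwords" line is assumed to mean "no".

```python
import re

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines starting with ';' or '#' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return findings for the access-control settings the article covers."""
    g, out = conf.get("global", {}), []
    if "hostsallow" not in g and "allowhosts" not in g:
        out.append("global: hosts allow unset, any address may connect")
    if g.get("security", "").lower() == "share":
        out.append("global: security = share, passwords are per share, not per user")
    # Assumption: an absent 'encrypt passwords' is treated as 'no'.
    if g.get("encryptpasswords", "no").lower() not in TRUE:
        out.append("global: encrypt passwords off, cleartext logins on the wire")
    for name, share in conf.items():
        guest = share.get("guestok", share.get("public", "no")).lower() in TRUE
        if name != "global" and guest:
            out.append(f"{name}: guest access allowed")
    return out

# Constructed sample mirroring the settings shown in the article.
ARTICLE_CONF = """
[global]
   security = share
;  hosts allow = 192.168.1. 192.168.2. 127.
;  encrypt passwords = yes
[mp3]
   public = yes
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_smb_conf(ARTICLE_CONF))))
```

Run against the sample, it reports four findings; removing the ";" from the two commented lines, switching to "security = user" and setting "public = no" clears them all.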

Next, after we are done editing the /etc/smb.conf file, we want to add Samba users to the system with a nice little tool called "smbadduser". If you just run smbadduser at the root prompt, you should see something like this:

----------------------------------------------------------

Written: Mike Zakharoff email: michael.j.zakharoff@boeing.com

1) Updates /etc/smbpasswd
2) Updates /etc/smbusers
3) Executes smbpasswd for each new user

smbadduser unixid:ntid unixid:ntid ...

Example: smbadduser zak:zakharoffm johns:smithj
----------------------------------------------------------

Wow! It's like documentation from the command. As you can plainly see, adding a Samba user is easy. For example, if you had a user "Darwin" on your GNU/Linux system, and you wanted to add him as a Samba user named "darw1n", you would simply issue this command without the quotes:

"smbadduser Darwin:darw1n"

And then it would add the username to /etc/smbpasswd and /etc/smbusers and then ask you for a new SMB password for the SMB user darw1n! Sound pretty easy, no? Well it is!

If you've set everything as you wish to, then it's time to test this configured Samba beast out! Switch to a root (#) prompt, and type "service smb restart" (if you're in Linux-Mandrake or Red Hat anyways). Otherwise, you'll have to kill the old smb daemon and start it up again.

Flip up your sunglasses, slurp down another cup of coffee, and wheel over to your Win9x machine. Log in through the network with a valid username and password you put into your system, and fire open Network Neighborhood. If all goes well, you should see your GNU/Linux Samba server and be able to browse whatever file shares you have open!

Now when your boss demands to know where his files are, you can tell him to check his home directory, and when he sees that he has his own home directory on his GNU/Linux machine, and he sees that his files are all there, displayed perfectly, he pats you on the back, and gives you a $30,000 raise! Or.. well.. something like that.


E-mail Alex at rebelpacket@linux.com with any questions or ideas.