Chapter 8. Samba

How to let your Linux machine serve files and printers to Windows machines

SMB (Server Message Block) is the primary file and print sharing protocol for MS-Windows-based machines. Linux can provide services to and receive services from SMB-based machines.

The file and print sharing option on the Linux side is called Samba, developed mainly by some nice folks in Australia. TCP/IP and SMB work quite nicely together. In fact, they work so well together that one can piggyback a packet of SMB data onto a TCP/IP packet.[1] This relationship is what Samba uses to get Windows machines to talk to Linux. The latest version of Samba can be found at http://www.samba.org/.

Let's quickly go through a small network.

Setting Up an MS Windows Network

This is actually easy, if you have Windows 98 or Windows NT. So from here on in, we'll just say "Windows" to relate to all versions of the OS, and you'll have to do some reading to match what we tell you to your particular version of Windows.

What You'll Need

First, get the Ethernet cards and drivers loaded. Also, install your backbone. The best available networking scheme for the money is 10-BaseT, as there are fewer problems that can cause the entire network to go down. But it's more expensive; you have to buy hubs, patch cables, patch panels, run one cable to each machine, and so on. But it is certainly worth the money.

If you want a cheaper Ethernet, or you have a very small network, you can get the very affordable 10-Base2. This is also known as "thinnet." All you have to be concerned about in a 10-Base2 network is that both ends are terminated with a 50-ohm resistor. Thinnet has the disadvantage that if one section of cable goes bad, the entire network goes down.

Check the chapter on networking for more on networking concepts and how to set up a TCP/IP network.

You'll also need to make sure that each Windows user has an account on the Linux server. If you want, make the shell something like /bin/false. If you want users to be able to change their passwords, set the shell to be /bin/passwd. Also, be sure to add /bin/true or /bin/passwd to the /etc/shells file. If you have an existing NT server that has passwords for user accounts, you can have Samba authenticate passwords against the NT server.

Once you have your network and Linux box set up, get the software working. Windows will allow you to use the Windows networking option to create a simple network. Be sure to use the same workgroup name across all the machines.

What's a Workgroup?

A workgroup is a logical collection of users within the same subnet. A subnet breaks users up physically, as you need a router or bridge to get from one subnet to another. A workgroup is a more logical breakdown. For example, you can have accounting, manufacturing, and sales all on the same subnet, but all in different workgroups.

Once the software has been set up, you should be able to browse the network and see all the other machines, at least those on the same subnet as you.[2] If you can't, get the software to this point. If something's wrong, you'll usually get a somewhat cryptic explanation of the problem and how to fix it.

In a workgroup, there is typically no central server. Usernames and passwords are authenticated as needed against whichever server the user is connecting to.

What's a Domain?

A Windows NT domain has a central password server that authenticates users when they log into their Windows machines. Instead of checking a local password from the Windows login screen, the password gets sent to the PDC (Primary Domain Controller), which grants access to services on all the servers within that domain.

If you have a PDC on the network and choose to have Samba authenticate users off that, you can set up your network as a domain. Otherwise, choose a workgroup.

Install TCP/IP Stack

Windows 98 and Windows NT both come with a TCP/IP stack already in the installation. When Windows asks for a username and password, be sure to give the username that would work against whatever system you're authenticating.

We'll assume you know how to set up a TCP/IP network. If not, check the networking chapter for information on how to do this. Once you have the TCP/IP stack loaded on all the Windows machines, try having them ping each other, or ping the Linux box. The Linux box should also be able to ping the Windows machines.

Installing Samba

Now that the Windows machines are set up, let's go to the Linux machine. Samba is installed if you selected DOS/Windows Connectivity on the Red Hat installation screen, and is available from the Red Hat distribution as Samba. If you don't have it, you can install an updated RPM from http://contrib.redhat.com or www.samba.org.

You can examine a sample configuration file, /etc/smb.conf, and tune it for your network. Here's a sample copy of an smb.conf file:

[global]
   printing = bsd
   printcap name = /etc/printcap
   # The above lists the printing method. Linux has BSD printing, so we use
   #  BSD printing and /etc/printcap.
   load printers = yes
   guest account = nobody
   # If a user can connect with no authentication, the above is the username
   #  that is connected.
   log file = /var/log/samba-log.%m
   admin users = markk
   # Users that have full access to all files (root privileges on every share).
   read prediction = yes
   dead time = 15
   workgroup = WORKGROUP
   mangled map = (*.html *.htm)
   # Map pairs are separated by a space inside the parentheses.
   lock directory = /var/lock/samba
   share modes = yes
   os level = 33
   domain master = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mode = 0750
   read size = 8192
   max xmit = 8192
   # The two above try to write and read in 8kB blocks.

[printers]
   comment = All Printers
   browseable = no
   # This entry expands into each printer available; we don't want this
   #  actual entry seen in a browse list.
   printable = yes
   public = yes
   # We want anyone to be able to print, even without authentication.
   writable = no
   # Can't really store files on a printer, eh?
   create mode = 0700

[pcsoft]
   comment = PC Software
   # Comment as it shows up in a browse list
   path = /vol/repository
   # Linux directory for sharing
   public = no
   # Can users connect with no authentication? No.
   writable = yes
   printable = no
   create mode = 0666
   # The above sets what the file permissions are on the Linux side.
   #  It's set to owner, group, and world read and write.

[accounting]
   path = /home/bob/shared
   valid users = fred bob
   # Only fred and bob can access this share.
   public = no
   only guest = no
   browseable = no
   writable = yes
   create mask = 0777

Much like the Windows system.ini, the smb.conf file is broken up into sections, each starting with a word in brackets. [global], [printers], and [homes] are the only three reserved section headers. All others are assumed to be share names to be provided to SMB clients.

The [global] section sets options for the entire program. For example, the mangled map option says that all files that get to Samba that end in .htm should instead be written to the Linux server as .html. This makes writing files in Windows and sending them to a Web server easier.

Other options of note include the following.

  • log file: When smbd fires up, this is where it will write its log file. In the above case, the name of the log file is samba-log, plus the name of the machine.

  • dead time: After <dead time> minutes are up with no activity, the smb connection goes away. This is good not only to save resources on the Linux server, but it also allows Samba to recover when a Windows machine crashes. A good choice would be around 15 minutes or so.

  • admin users: These users are as good as root. In fact, they have root privileges to all the shares (this should only be you or the person who is administering Samba).

  • workgroup: The workgroup to be a part of. This should be the same name that you set earlier in Windows.

The [homes] section puts the user's Linux home directory into the Windows browse list. The user can then click on or mount that directory, and it is their home directory on Linux.
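An added example (not from the book or from Samba): a small Python parser for the smb.conf layout just described, which normalises keys the way Samba does and flags the risky settings the chapter mentions: admin users, a share that is both public and writable, and a create mask that leaves new files world-writable. The condensed sample config inside it is taken from the listing above.

```python
"""Parse an smb.conf and flag the risky settings this chapter points out.
Added example, not from the book or from Samba. It mirrors how Samba matches
parameter names (case-insensitive, whitespace ignored) and folds the synonyms
the chapter uses (public/guest ok, writable/read only, create mode/mask) into one key.
"""
import re

# (canonical name, invert value): "writable = yes" means "read only = no".
SYNONYMS = {
    "public": ("guestok", False), "guestok": ("guestok", False),
    "writable": ("readonly", True), "writeable": ("readonly", True),
    "readonly": ("readonly", False),
    "createmode": ("createmask", False), "createmask": ("createmask", False),
}
YES = {"yes", "true", "1"}

def canon(name):
    """Samba-style key normalisation: lowercase with whitespace removed."""
    return re.sub(r"\s+", "", name).lower()

def _is_yes(value):
    return value is not None and value.strip().lower() in YES

def parse_smb_conf(text):
    """Return {section: {canonical_key: value}} for an smb.conf string."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # stray line: ignore rather than guess
        key, value = (part.strip() for part in line.split("=", 1))
        key = canon(key)
        if key in SYNONYMS:
            key, invert = SYNONYMS[key]
            value = ("no" if _is_yes(value) else "yes") if invert else value
        conf[section][key] = value
    return conf

def audit(conf):
    """Return (section, problem) pairs for the risks the chapter describes."""
    findings = []
    admins = conf.get("global", {}).get("adminusers")
    if admins:
        findings.append(("global", "admin users are as good as root on every share: " + admins))
    for name, sec in conf.items():
        if name == "global":
            continue
        writable = not _is_yes(sec.get("readonly", "yes"))  # Samba default: read only
        if _is_yes(sec.get("guestok")) and writable:
            findings.append((name, "unauthenticated (guest) users can write to this share"))
        mask = sec.get("createmask")
        if mask is not None and int(mask, 8) & 0o002:
            findings.append((name, "create mask %s makes new files world-writable" % mask))
    return findings

# Condensed from the chapter's sample smb.conf above.
SAMPLE = """\
[global]
 admin users=markk
 dead time = 15
[printers]
   public = yes
   writable = no
[pcsoft]
   public = no
   writable = yes
   create mode = 0666
"""

if __name__ == "__main__":
    for section, problem in audit(parse_smb_conf(SAMPLE)):
        print("[%s] %s" % (section, problem))
```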

Once Samba is installed on the network, you can test it by starting smbd and nmbd. If you installed from an .RPM file, you can start the Samba services with /etc/rc.d/init.d/smb start. The nmbd process acts as a name server for Samba, much like named handles DNS. Once started, you can go to an SMB client and perform a network browse. You should see your Linux machine in the list of machines (see Figure 8-1).


Figure 8-1. Galaxy is a Samba server.

If not, you can check through the logs located in /var/log. Each smb and nmb process has its own log files (samba-log.nmb and samba-log.smb). In addition, each client machine that connects to smb has a log file named samba-log.machinename, where machinename is the Netbios name of the machine.

Password Authentication

Even if you see the Linux machine listed in the browse list, you still need to connect to a share. First, there are public connections that do not require a valid login. These kinds of connections are easy to make, but are very short on security, since there is no authentication. However, it is a good start for making sure you can mount shares. If you choose to do this, set the public=yes option in the configuration for the share.

Let's assume you have this working (since it's not that hard to do). Let's go into connecting to a share. To do this, you have to understand how SMB transfers passwords.

There are three methods of authenticating a user to access a share. The first is user, where a username and password are authenticated against /etc/passwd. This method of connection requires that the username under Linux and the SMB client match. When a user logs into Windows 98, the username and password given at the login screen are sent to Samba.

The second method is to forward authentication requests to another server. This is insecure, but allows Linux to handle encrypted passwords, such as those from NT 4 running Service Pack 3 and above. This is called server authentication, and you have to trust the machine to which you're forwarding requests.

The third method of authentication is called share and does not require that the usernames under Linux and the SMB client match. When a connection is made to a share, many SMB clients (like Windows 98 or NT) ask for a password each time the share is connected.

SMB allows for both encrypted and unencrypted passwords. The good news is that encrypted passwords increase security. The bad news is that passwords are encrypted with a one-way hash. Passwords in /etc/passwd and the Samba password file (smbpasswd) don't mix all that easily. NT 4 Service Pack 3 and above send encrypted passwords by default, and the only way to change this is to go into the Registry and change it. In our opinion, there are two ways to handle this. If you have an existing NT PDC (Primary Domain Controller), set the Linux box to forward passwords to the PDC. You can do this by setting the password server to point to the PDC and security=user (both these settings are under [Global]). The other option (if you don't have a PDC) is to set up the Linux box to handle encrypted passwords. Read the /usr/doc/samba*/ENCRYPTION.txt file to go over what you need to do to handle encrypted passwords.

Linux SMB Connections

So now that you have the Windows machines talking to the Linux box via Samba, how do you get access to SMB shares from Linux? Easy: by using the client side of Samba and other SMB utilities for Linux.

smbfs

Linux has a Virtual File System (VFS) that provides a generic interface for mounting filesystems. One advantage of this is that it provides for mounting an SMB share like NFS or local mounting. However, instead of using mount, we use the smbmount program, which is part of the smbfs RPM, to mount SMB shares. The umount program can be used to unmount mounted shares.

Operation of smbmount is a bit more complicated than mount, but you'll get used to it after a while:

smbmount service mount-point [options]

where service is the Netbios name of the SMB share you want, with each backslash (\) replaced by /. A sample service is //nebula/users or //auratek/market. The mount-point is the local mount point in the Linux file hierarchy. Since you have to use smbmount as root, and you probably don't have a root user on your NT server, you'll need to make use of the options. The two we run into most are -U for what user to authenticate as, and -c to list a Netbios name for your client machine; otherwise the FQDN is sent. Since markk.wayga.net isn't quite a valid Netbios name, adding -c wayga tells the server the client's name is just wayga. If the Netbios name for the client can be resolved to a hostname, you'll get asked for a password for the given username. If you want to skip this step, add -P passwd, replacing passwd with your password on the SMB server.

There are two big drawbacks to using smbmount. Since SMB doesn't transmit UID or GID information per file, you won't get any of that information in directory listings. And, due to the nature of NFS and SMB, you won't be able to mount an SMB share and then export it via NFS. Keep these in mind, and you'll be set.

smbclient

The smbclient program is part of the Samba distribution and provides an FTP-style interface to an SMB server. This is really written for use by operating systems other than Linux, or for quickly downloading a file. Since Linux already has smbfs, this program can be used in areas where multiple people may have access to a single machine. Operation of smbclient is a bit different from smbmount:

smbclient service options

where service is the Netbios name of the SMB server and its share name. Unlike smbmount, service is written as \\nebula\users or \\auratek\market. Since the backslash is an escape character under many shells, you may need to escape it, writing something like \\\\nebula\\users. Check out how your shell handles this character.

Options include -L, which lists shares available on a machine. The -M option sends text messages (remember winchat?). -U user specifies a user to connect as. If you include a percent sign (%) followed by a password, it will authenticate the user with the password, and you won't get prompted for a password.

Once connected, the commands are mostly the same as FTP. Commands like get, put, ls, cd, and del (even prom) all work the same as in FTP. Here's a description of some of the lesser known commands:

  • mget and mput: Gets or puts multiple files at once.

  • prom: Toggles prompt mode when using mget or mput.

  • cd: Changes directory on the client side.

  • ! or !command: Starts a shell or runs the given command.

SWAT (Samba Web Administration Tool)

Also part of the Samba suite is the SWAT online utility (Figure 8-2). A remote administrator with a Web browser can administer Samba configuration remotely, adding and removing shares, getting online help for configuration, and other information about the status of smb and nmb.


Figure 8-2. SWAT

In order to use SWAT on a machine, you must first activate it. SWAT is started from the Internet meta-daemon (inetd) and is disabled by default under Red Hat 6.0. You must first uncomment the line starting with swat, which is the last line in the /etc/inetd.conf file. You must tell inetd to reload its database, and you can do this with /etc/rc.d/init.d/inet restart. You can then connect to the machine at port 901, giving a URL of http://localhost:901/ to connect. You must give the root user and password (this causes obvious security issues), but upon verification, you get access to the contents of /etc/smb.conf. Note that if you start making major changes to the smb.conf file by hand, SWAT may overwrite some of them or get confused. Be sure to back up your existing configuration before continuing.

As you can see on the screen, you are able to configure the Global, Printer, and Share options. Home returns you to the previous screen, and Status shows the existing status of smb, nmb, and connections from remote locations. The View button shows the raw smb.conf after being rewritten by SWAT, and the Password section allows you to change passwords for users remotely. Note that it defaults to changing the root password, so use this option with care.

Globals

These options provide a base that affects all shares, including workgroup configuration, logging, tuning, browsing, and WINS configuration (Figure 8-3).


Figure 8-3. Global Options in SWAT

Most of the options have already been explained, but we'll go over them again...just in case. The workgroup is the SMB workgroup to join. Set this to the same as your clients, so everyone can browse your Samba server easily.

Base Options

The netbios name should be used if you want to have a shorter name that appears as the Netbios name. You probably won't need to set this, but it can be done if your Netbios name gets set to be your FQDN (see the section on smbmount for more on this). The server string sets the comment as it appears in a browse list. By default, it sets to Samba server, but you can change this to suit your needs. The interfaces field is used if your Samba server acts as a router or has multiple Ethernet interfaces on it. You can specify an IP network address and netmask as either 192.168.1.0/24, known as a bitlength since we're masking the first 24 out of 32 bits, or 192.168.1.0/255.255.255.0, known as a bitmask. Put a space between the two entries here.

Security Options

Here you list the kind of security you want to have. The security option itself we described under "Password Authentication" above. If you have chosen to use encrypted passwords on your machine (after reading /usr/doc/samba-2.0.3/docs/textdocs/ENCRYPTION.txt), set encrypt passwords to Yes. The update encrypted setting is used to assist in building an encrypted password database. As users log in, their password is encrypted using the SMB hash, and then it is stored. Once all accounts have been encrypted in this format, you can turn update encrypted off. The guest account is the account to be used when no authentication is provided. Some shares have no passwords required to access them. Even in these cases, some valid Linux user must access the file on the Samba side. In this case, that user is "guest".

The hosts deny sets up a list of hosts (space-separated) to be denied access to the server. They can be either IP addresses or FQDNs, meaning an entry could have 192.168.1 or markk.wayga.net in it. In the first case, you would block off the entire 192.168.1.0 network, and in the second, you would block off access to a single machine. The hosts allow sets up hosts to be allowed access to the server. In the event of a conflict between a deny entry and an allow entry, the allow entry wins out. Going back to the example, the hosts allow could have 192.168.1.5. You would then block the entire 192.168.1.0 network, except for 192.168.1.5, which could access the server.
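The allow/deny rule just described, together with the bitlength and bitmask netmask forms from the interfaces discussion above, as an added example that is not Samba's own code. One detail it assumes beyond this page: when only a hosts allow list is set, hosts not on it are refused, which is how Samba's smb.conf documentation describes that case.

```python
"""Model of Samba's hosts allow / hosts deny decision as this chapter describes it.

Added example, not Samba's own code. It handles the entry forms the chapter
shows (a network prefix such as 192.168.1, a FQDN such as markk.wayga.net),
the network/netmask forms from the interfaces discussion (192.168.1.0/24 and
192.168.1.0/255.255.255.0) and a leading-dot domain suffix. The EXCEPT keyword
and the real hosts_access(5) matcher are out of scope.
"""
import ipaddress
import re

def split_hosts(entries):
    """Entries may be space-, tab-, comma- or colon-separated (per the chapter)."""
    return [e for e in re.split(r"[\s,:]+", entries or "") if e]

def entry_matches(entry, ip, fqdn=""):
    """Does one list entry match a client with this address and DNS name?"""
    addr = ipaddress.ip_address(ip)
    if "/" in entry:  # 192.168.1.0/24 (bitlength) or 192.168.1.0/255.255.255.0 (bitmask)
        return addr in ipaddress.ip_network(entry, strict=False)
    if re.fullmatch(r"[\d.]+", entry):  # full address, or a prefix like 192.168.1
        prefix = entry.rstrip(".")
        if prefix.count(".") == 3:
            return str(addr) == prefix
        return str(addr).startswith(prefix + ".")
    if entry.startswith("."):  # .wayga.net matches every host in that domain
        return fqdn.lower().endswith(entry.lower())
    return fqdn.lower() == entry.lower()

def host_allowed(hosts_allow, hosts_deny, ip, fqdn=""):
    """Apply both lists the way the chapter says: an allow match beats a deny."""
    allow, deny = split_hosts(hosts_allow), split_hosts(hosts_deny)
    in_allow = any(entry_matches(e, ip, fqdn) for e in allow)
    in_deny = any(entry_matches(e, ip, fqdn) for e in deny)
    if allow and not deny:
        return in_allow  # an allow list on its own admits only the hosts named in it
    if in_allow:
        return True  # conflict: the allow entry wins
    return not in_deny  # otherwise only the deny list can shut a host out

if __name__ == "__main__":
    # The chapter's example: deny the whole 192.168.1.0 network except one host.
    for client in ("192.168.1.5", "192.168.1.20", "10.0.0.7"):
        print(client, host_allowed("192.168.1.5", "192.168.1", client))
```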

Logging Options

As the log level increases, more data is captured to the log file. Setting a log level value of 0 indicates that no logging is to be done. The logs are kept per machine, and are by default stored in /var/log/samba. If you have a host called "saturn" that uses Samba, the log file for Samba's interaction with saturn is kept in /var/log/samba/log.saturn. To keep log files from getting too large, there is a default limit of 50KB per log file. If the log file gets bigger than that, it gets backed up as an .old file and a new log file is created. A limit of 0 means that there is no upper limit on log file size.

Tuning and Printing

Here you can enter OS-specific tuning options, mostly related to the TCP/IP stack. You will probably not need to change from the default of TCP_NODELAY, which is said to be one of the biggest boosts in performance for sending data to a Windows client. You can check /usr/doc/samba-2.0.3/docs/textdocs/Speed.txt for more information on tuning Samba for high-performance environments.

The printcap name contains the location of the printcap file. There should be no need to change it from the default of /etc/printcap.

Browse and WINS Options

These two sections are somewhat related, so we'll cover them both here. When an SMB network is set up on a local network, each of the machines in that network sees the others and has an election to see who will handle browse requests from clients. That is, when you start up the Network Neighborhood, where do you get the information? In an NT-only environment, this would be your PDC. In a Samba-only environment, this would be nmb (the Netbios name daemon). In a mixed environment, it depends on the settings you have in these sections.

The os level is a number that is really a bias in the election on the local network, and can be between 0 and 255. To give you a number to pick from, Windows 95 and 98 clients have an os level of 2, and an NT server has a level of 32. Anything higher than this will win a local election, except against other Samba servers.

If the preferred master is set, Samba will force an election on startup, and give itself a slight advantage in the election process. If local master is set, then Samba will participate in elections, with the os level specified earlier. The domain master option selects whether or not Samba will try to allocate a special Netbios name to collect workgroup information across subnets. If you have a PDC, you should set this to No, as the PDC will automatically try to allocate this special name.

WINS is the Windows Internet Name Service. It is essentially a Netbios-to-DNS conversion, so it helps if all the machines on your network have the same Netbios name as DNS. The nmb program can act as a WINS server for your local subnet. However, there can be only one WINS server per subnet. More than one will cause some problems on your network.

Shares

The shares section provides configuration of the Samba shares (Figure 8-4). The default share available for configuration is the special Homes section. Entering a new share next to Create Share and clicking the Create Share button can create new shares. Once created, a share can be selected from the Choose Share list. Clicking Delete Share will remove the share.


Figure 8-4. Choosing, creating and deleting shares

Once you have a share selected, you can start to change the configuration from the defaults to what you want (Figure 8-5). The defaults are: directory is /tmp, no comment to appear in the share listing, read-only access, and guest (non-authenticated user) is denied access to the share. In addition, the share is available (authenticated users can access it) and the share will show up in browse lists.


Figure 8-5. Share options

You'll want to change these settings based on what you want your share to do. Let's say your Linux machine is a CD-ROM server to other users on the network, and the CD-ROM is mounted on /mnt/cdrom. Change the Comment to read CD-ROM service and change directory to /mnt/cdrom. Guest access depends on how secure your network is and how secure you want the data on the CD-ROM to be. If you care who accesses this share, leave the guest user as No; if it doesn't matter, set the option to Yes. Since the CD-ROM is read only to begin with, leave the read only option as is. The hosts allow and hosts deny entries are tab-, colon-, or space-separated lists of hosts to allow or deny to this share, respectively. In the case of a conflict between an allow and deny entry, the allow entry will win out. This is the same option as in the Global section, but it only applies to this share. As for the last two options, browsable means that the share shows up in browse lists of the machine. With this turned off, a user would have to manually specify the share to connect either using the net use command from Windows or smbmount on UNIX. The last option, available, indicates if a share is to be activated by Samba. If no, then the share is not available at all. If yes, the share is available to users to whom we allow access. Since we want other users to use this share, we set this to Yes.

Installing Linux Printers on Windows

Samba knows enough (via the printing = bsd and printcap name = /etc/printcap lines) to load in all the printers available in /etc/printcap and make them available to SMB clients. The Linux side does not require any changes, but you may want to make sure that the /etc/printcap file is set up correctly and that you can print. Since it uses LPD, Samba will also deal with any remote printers as well. Any printer you can get to from Linux will be available from Samba (see Figure 8-6).


Figure 8-6. Printers available from Samba

The Windows side may be a bit more complicated. More sophisticated print drivers that demand to talk directly to the printer may cause you some problems. Our advice is to get a printer that supports either PCL or PostScript. This way, you can at least send data to the printer. Be aware that more printers coming out these days may be using the "Windows Printing System," which will work only with Windows. If you have a printer that accepts PCL or PostScript, you can install generic drivers in Windows to print to the Samba printers. We have had some success with using an Apple LaserWriter as a PostScript printer, and an HP LaserJet 4 as a PCL printer.[3]

We go more into using an SMB server as a print server in the previous chapter on printing.

Once the printers and shares are configured, you can let your users loose. Be sure to keep an eye on the log files to monitor any problems if they show up.

Summary

  • Samba is an easy way to share drive space and printers with Windows 98 and NT machines.

  • SWAT allows you to easily administer your Samba configuration.



[1] Which itself is piggybacked on Ethernet, FDDI, ATM, PPP, or what-have-you.

[2] You won't be able to see outside your subnet unless your bridge forwards non-TCP/IP packets. A router usually won't forward SMB packets, since it deals with TCP/IP only. But since Samba piggybacks on TCP/IP, you can still connect to machines in other subnets.

[3] Your experience may vary. Try other print drivers under Windows and see how well they work.
