Basic network access: servers
The [global] section
As the name suggests, the [global] section defines parameters that either apply to the server as a whole, or that are defaults for the other services. The interesting ones for us are:
- The workgroup parameter defines the Microsoft workgroup to which this server belongs. Set it to match the Microsoft environment. In these examples, we'll assume:
workgroup = EXAMPLE
- The printing entry specifies what kind of printer support Samba provides. Current versions of Samba support CUPS. If you are using CUPS (not described in this book), you don't need to do anything. Otherwise set:
    printcap name = /etc/printcap
    printing = bsd
- guest account is the account (in UNIX terms: user ID) to use if no password is supplied. You probably want to define a guest account, since many Microsoft clients don't use user IDs. Ensure that the privileges are set appropriately. Alternatively, alter the parameter to point to an existing user.
- Modern versions of Microsoft use a simple form of password encryption; older versions used none. Currently, Samba defaults to no encryption. Set encrypt passwords to yes.
- Microsoft uses its own version of host name resolution, which doesn't involve DNS. Optionally, Samba will map Microsoft names to DNS. To enable this option, set dns proxy to yes.
- By default, the log file is specified as /var/log/log.%m. The text %m is replaced by the name of the remote machine, so you get one log file per machine. Unfortunately, the name doesn't make it clear that this is a Samba log file. It's better to change this entry to:
log file = /var/log/samba.log.%m
- socket options is hardly mentioned in the documentation, but it's very important: many Microsoft implementations of TCP/IP are inefficient and establish a new TCP connection more often than necessary. Select the socket options TCP_NODELAY and IPTOS_LOWDELAY, which can speed up the response time of such applications by over 95%.
The [homes] section
The [homes] section allows clients to connect to their home directories without needing an entry in the configuration file. If this section is present, and an incoming request specifies a service that is not defined in the configuration file, Samba checks if it matches a user ID. If it does, and if the specified password is correct, Samba creates a service that supplies the user's home directory.
The following options are of interest in the [homes] section:
- writeable can be yes or no, and specifies whether the user is allowed to write to the directory.
- create mode specifies the permission bits (in octal) to set for files that are created.
- public specifies whether other users are allowed access to this directory. In combination with a guest user, this can be a serious security liability.
The [printers] section
The [printers] section describes printing services. It doesn't need the names of the printers: if it doesn't find the specified service, either in the configuration file or in the [homes] section, if it exists, it looks for them in the /etc/printcap file.
The Samba documentation claims that Samba can recognize the BSD printing system automatically, but this is not always correct. Ensure that you have the following entries:
    printing = bsd                        (in the [global] section)
    print command = lpr -r -P'%p' '%s'    (in the [printers] section)
Note the printable option in the [printers] section: this is the option that distinguishes between printers ("yes") and file shares ("no").
Other sections: service descriptions
Samba takes any section name except for [global], [homes] or [printers] as the definition of a service. A typical example might be:
    [ftp]
        comment = ftp server file area
        path = /var/spool/ftp/pub
        read only = yes
        public = yes
        write list = grog
This entry defines access to the anonymous ftp section. Anybody can read it, but only user grog can write to it.
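The warning above about public combined with a guest account can be checked mechanically. The following Python is an added example, not part of the original text or of Samba: it parses smb.conf text, folds the synonyms (public for guest ok; writeable, writable and write ok as inverses of read only), and lists every share that admits guests. The sample configuration is constructed, and its guest account = nobody line and weak [homes] section are assumptions.

```python
# Added example: list the shares in smb.conf text that a guest can reach.
TRUE = {"yes", "true", "1"}
WRITE_SYNONYMS = {"writeable", "writable", "write ok"}  # inverses of "read only"

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with synonyms made canonical."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key == "public":
                key = "guest ok"
            elif key in WRITE_SYNONYMS:
                key, value = "read only", ("no" if value.lower() in TRUE else "yes")
            current[key] = value  # a later line overrides an earlier one
    return sections

def audit(text):
    """Return {share: finding} for each share usable without a password."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})  # [global] supplies defaults for the rest
    account = glob.get("guest account", "the compiled-in default")
    findings = {}
    for name, params in conf.items():
        merged = {**glob, **params}
        if merged.get("guest ok", "no").lower() in TRUE:
            read_only = merged.get("read only", "yes").lower() in TRUE
            findings[name] = f"guest {'read-only' if read_only else 'read-write'} as {account}"
    return findings

# Constructed sample: [ftp] follows the page, [homes] is deliberately weak.
SAMPLE = """
[global]
   guest account = nobody
[homes]
   writeable = yes
   public = yes
[ftp]
   read only = yes
   public = yes
[grog]
   read only = no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A read-write guest finding on [homes] is the combination the text calls a serious security liability; the read-only finding on [ftp] is the intended anonymous access.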
Setting passwords
Samba uses a separate password file, /usr/local/private/secrets.tdb. To set up users, use the smbpasswd command, which copies the information from the system password file:
    # smbpasswd -a grog
    New SMB password:
    Retype new SMB password:          (as usual, no echo)
    Password changed for user grog.
Testing the installation
Once you have performed the steps described above, you can proceed to test the installation. First, run testparm to check the correctness of the configuration file:
    $ testparm
    Load smb config files from /usr/local/etc/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[ftp]"
    Processing section "[src]"
    Processing section "[grog]"
    Loaded services file OK.
    Press enter to see a dump of your service definitions     (Press Enter)
    Global parameters:
      (lots of information which could be of use in debugging)
    [homes]
            comment = Home Directories
            read only = No
    [printers]
            comment = All Printers
            path = /var/spool/samba
            guest ok = Yes
            printable = Yes
            browseable = No
    [ftp]
            comment = ftp server file area
            path = /var/spool/ftp/pub
            write list = grog
            guest ok = Yes
    [grog]
            path = /home/grog
            valid users = grog
            read only = No
As you see, testparm spells out all the parameters that have been created, whether explicitly or by default. If you run into problems, this is the first place to which to return.
Next, check that you can log in with smbclient. If you're running the servers as daemons, start them now. If you're starting them from inetd, you don't need to do anything.
    $ smbclient -L freebie -U grog
    added interface ip=223.147.37.1 bcast=223.147.37.255 nmask=255.255.255.0
    Password:                         (as usual, no echo)
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.7a]

            Sharename      Type      Comment
            ---------      ----      -------
            homes          Disk      Home Directories
            ftp            Disk      ftp server file area
            grog           Disk
            IPC$           IPC       IPC Service (Samba Server)
            ADMIN$         Disk      IPC Service (Samba Server)

            Server               Comment
            ------               -------
            FREEBIE              Samba Server
            PRESTO               Samba Server

            Workgroup            Master
            ---------            ------
            EXAMPLE              PRESTO
If you get this far, your password authentication is working. Finally, try to access the shares. Samba services are specified in Microsoft format: \\system\service. To make matters worse, UNIX interprets the \ character specially, so you would need to repeat the character. For example, to access the ftp service on freebie, you would have to enter \\\\freebie\\ftp. Fortunately, smbclient understands UNIX-like names, so you can write //freebie/ftp instead.
To test, start smbclient from another system:
    $ smbclient //freebie/ftp -U grog
    added interface ip=223.147.37.1 bcast=223.147.37.255 nmask=255.255.255.0
    Password:                         (as usual, no echo)
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.7a]
    smb: \> ls
      .                                  DR        0  Wed Jan 29 12:06:29 2003
      ..                                  D        0  Sat Oct 26 10:36:29 2002
      instant-workstation-1.0.tar.gz           9952  Mon Mar 19 11:49:01 2001
      xtset-1.0.tar.gz                         4239  Mon Aug  5 16:44:14 2002
      gpart-0.1h.tbz.tgz                      27112  Tue Aug 27 10:07:59 2002
If you get this far, Samba is working. The next step is to attach to the services from the Microsoft machines. That's not a topic for this book. Note, however, that Samba only works with TCP/IP transport, not with NetBEUI.
Displaying Samba status
You can display the status of Samba connections with smbstatus. For example:
    $ smbstatus

    Samba version 2.2.7a
    Service      uid      gid      pid     machine
    --------------------------------------
    ftp          grog     example  37390   freebie  (223.147.37.1) Mon Mar 31 13:48:13 2003

    No locked files