Linux Networking: Exploring Samba

By: William Wong
Monday, July 10, 2000 08:36:03 AM EST
URL: http://www.linuxplanet.com/linuxplanet/tutorials/2047/1/

The Samba Essentials

Server Message Block (SMB), also known as Common Internet File System (CIFS), is one of the most common protocols for sharing files on a network. It is used with Microsoft Windows and, through Samba, a variety of other operating systems include Linux. Samba provides a way to share the contents of Linux directories with other computers and to access shared directories on a remote computer. The type of remote computer does not matter. It could be a computer running Sun Solaris or Windows NT.

This article assumes that the Linux computer has a network adapter installed as described in the previous section and that the network adapter is assigned a unique IP address. Likewise, the Samba software is installed. With Red Hat and many other Linux distributions, this is done via an rpm package. This can be done when Linux is installed or afterwards. Installing Samba only loads the software and enables the Samba daemon. No sharing will occur until Samba is configured. This article addresses the configuration of Samba as well as issues related to the use of Samba, such as security.

Samba also supports printer sharing. This uses the same SMB protocol as the file sharing support. Samba can be used to provide either or both services.

Samba is an open source project like Apache. Most users will find Samba on their Linux distribution CD-ROM. The latest version of Samba can also be downloaded from the Samba Web site.

Samba Components
Figure 1 shows the Samba components. There are two client applications and one server application. The applications that are used depend upon the type of sharing to be done.

The Samba server application, smbd, is a daemon that runs in the background. It provides access to those directories and printers that are to be shared. Access can be controlled by user name and password.

The two client applications serve different purposes. The smbfs application allows a remote directory to be mounted just as a device like a CD-ROM or hard disk can be mounted in Linux. Any application can then access files on the remote device via this mounted directory. The smbfs application runs as a daemon like the smbd application.

The smbclient is similar in form and function to the ftp application that works with an FTP server like the ftpd daemon on Linux. The difference is that the smbclient works with any SMB server such as smbd or Windows 95 with File And Printer Sharing For Microsoft Networks loaded. The smbclient can only move files to and from an SMB server. It does not allow another application to access these files until they are transferred by smbclient.

Shares, Universal Naming Convention (UNC) And IP Addressing
SMB provides a single level hierarchy of shared resources or "shares" for each computer providing resources to other computers on the network. The computer name and share name are required to access a shared resource.

Share names are essentially the same as directory names. Computer names under Samba can be either a NetBIOS computer name, an IP address, or a domain name that resolves to an IP address. NetBIOS protocol is an underlying part of SMB. Users do not have to be concerned with the underlying details but they will need to know what a computer's name is so its shares can be accessed.

The nmblookup application provides a way to browse the network to discover the names of computers that can be accessed using Samba. The command:

nmblookup *

lists all accessible computers. The nmblookup program has a number of options but these will not be explored here. For small networks, the names of the computers will be known and nmblookup may not be needed.

The nmbd daemon is used to broadcast NetBIOS name information to other computers on the network. The nmbd program will work with a Windows Internet Naming Service (WINS) server that normally runs on a Windows NT computer. In general, small networks can forego configuration of nmbd.

UNC is a naming convention used by Microsoft. It allows a file name to specify the computer that the file is located in addition to any subdirectories. A typical Windows path name looks like \dir1\dir2\filename.txt. A UNC with a computer name and share name looks like \\computer1\share1\dir1\dir2\filename.txt. The UNC name can also be entered with the Samba tools using a slash to separate directory names as in //computer1/share1/dir1/dir2/filename.txt. This will not work on Windows but it can be used to access a Windows-based resource.

Server Configuration For Sharing Files Using smbd

The Samba server daemon, smbd, will be running in the background after Samba is installed and the system has been rebooted. The nmbd service falls into the same category. The services can also be started manually if you do not want to reboot the computer.

When the service starts, it reads the /etc/smb.conf file that specifies a variety of attributes such as the computer name in addition to a list of shared resources that include shared directories and printers. Each shared directory has a number of attributes associated with it including what local directory is to be shared, who can access the share and who can view the share. A shared printer has similar attributes although there is no directory associated with the attributes.

It is possible to edit the smb.conf file directly. Many network administrators prefer this method but the average desktop user will prefer a more interactive graphical interface. With Red Hat, and its derivatives such as Linux Mandrake, there is a configuration tool called linuxconf. The linuxconf program is used to configure all sorts of things in Linux, including the Samba server as shown in Figure 2.

There are a number of attributes that must be configured for Samba to operate properly. These include the server's NetBIOS name and the workgroup name. The workgroup name is also known as the Windows domain name, not be confused with the computer's domain name used with DNS. The type of security should also be selected--but more on security later. At this point the Samba server is configured but no shares have been created.

Disk shares can also be created using linuxconf. Each share is given a name. It also needs the path name of the directory that will be shared. The share has its own security settings, too. The share can be marked browsable, in which case it can be viewed from another computer using a network browser. Connections to a nonbrowsable share must be made using the UNC.

The smb.conf configuration is a text file that can be edited. The linuxconf program actually changes this file. The following is an excerpt from the file just in case you want to edit the file directly:

#=== Global Settings ===
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = bill-pa
# server string is the equivalent of the NT Description field
    server string = Linux

The word global in brackets is a section name. The lines with pound signs, #, are comments. The other lines are attributes with associated values. In this case the workgroup name is bill-pa.

If Samba is already running, changes made using linuxconf will be noted when linuxconf signals the daemon to recheck the configuration file. Use the Samba online help if you want to do this after editing the configuration file. The easy alternative is to reboot.

Another way to configure the Samba server is to use the Samba Web Administration Tool, or SWAT, shown in Figure 3. SWAT works with a web server such as Apache. Both run on the same computer as Samba. SWAT tends to be used with servers and is overkill for most workstation environments.

There are a number of other configuration tools available for Samba. These range from configuration scripts to graphical interfaces like SWAT. Links to many of these tools can be found on the Samba web site.

Once the Samba server or a Windows server is configured, the Samba client software can be used to access these services from another Linux computer.

Accessing Files Using Samba smbfs

The smbfs daemon is used to map remote disk shares on Samba- or Windows-based servers to a local directory. This operates in the same fashion as mapping a local device like a CD-ROM to a local directory. Typically, the /mnt directory is where mapped directories are placed although they can actually be setup anywhere in the Linux directory tree. A good convention to follow for smbfs mapped directories is to create a directory in the /mnt directory that matches the server name. Directories can then be created that match the share names so a shared disk named //wong1/public would map to /mnt/wong1/public.

Shares can be mounted, or mapped in Windows-speak, and unmounted at any time. There are two files that keep track of these operations: /etc/mtab and /etc/fstab. The mtab file contains a list of mounted devices and it is maintained by Linux. The fstab indicates how a device should be mounted. The following are examples of the files:

mtab

/dev/sda3 / ext2 rw 0 0
none      /proc proc rw 0 0
none      /dev/pts devpts rw,gid=5,mode=620 0 0
//wong1/u /mnt/wong1/u smbfs  0 0
//wong1/t /mnt/wong1/t smbfs  0 0
//123.123.123.8/s /mnt/wong1/s smbfs  0 0

fstab

/dev/sda3      /             ext2     defaults  1 1
/dev/cdrom     /mnt/cdrom    iso9660  noauto,owner,ro 0 0
/dev/fd0       /mnt/floppy   ext2     noauto,owner 0 0
none           /proc         proc     defaults  0 0
none           /dev/pts      devpts   gid=5,mode=620  0 0
/dev/sda2      swap          swap     defaults  0 0
//wong1/u      /mnt/wong1/u  smb      username=admin,password=pass 0 0
//wong1/t      /mnt/wong1/t  smb      username=admin,password=pass 0 0
//123.123.123.8/s  /mnt/wong1/s  smb  username=admin,password=pass 0 0

Normally the fstab file will be configured by the user. Each line contains six items. The first is the device description, the second is the directory where the device will be mounted, the third is the file system type. The fourth is the list of parameters given to the file system daemon. The last two are normally 0 for all but the main disk partition.

Note, in the prior examples, the server's domain name, wong1, and the server's IP address, 123.123.123.8, are used to refer to the same computer. Typically only one of these will be used.

One drawback of using fstab is that user names and passwords must be included. The alternative is to have users use the smbmount command or one of the browser programs. There are many browser programs. Two graphical ones are KWMount by Gazer Zoser for KDE and gnomba by Chris Rogers for Gnome.

The following is a sample of the smbmount program:

smbmount //wong1/u /mnt/wong1/u -o username=admin,password=pass

The arguments are very similar to the contents of the fstab file. The password can be omitted from the command line, in which case the program prompts for a password if needed. The smbmount program accepts a number of other parameters that the online help describes.

File Transfers Using smbclient

The smbclient program operates like the ftp program. The difference is the former uses a Samba-compatible server while the latter uses an ftp server. Operationally the two client applications are very similar. Both make a connection, allow files to be exchanged, and then terminate. No directories are mounted as with smbfs, so local applications can only use remote files once they are copied. Likewise, changes are only made to the local copy.

As with the ftp program, the smbclient program operates in command line mode or interactive mode. The former uses command line arguments to specify the share to use and the files to transfer. The latter prompts for commands and executes them until an exit command is encountered. A file with commands can also be executed.

The smbclient requires at least a UNC for the share to be accessed. Arguments include attributes like user name and password. These may not be required depending upon the security method used by the share. If the -c option is used then it is followed by the command to be executed, otherwise the interactive mode is entered. The following prompt is then presented:

     smb\ >

Familiar ftp commands like ls, cd, get, put, mget and mput can be used. There is no distinction between text and binary transfers. With smbclient, all transfers are binary.

The choice between using smbfs and smbclient is usually simple. Use smbfs when other programs will be used to access remote files. Use smbclient if files need to be moved from one computer to another. It is faster to use smbclient for this type of transfer than using smbmount, cp followed by umount.

Samba Printer Support
Samba print server support is part of the Samba server, smbd. The Samba print client is implemented using smbprint, a utility installed with Samba.

The linuxconf program does not do as well with printer share configuration as with disk share configuration, although this is improving with each new release of linuxconf. Editing the smb.conf file may be necessary if multiple printers are to be shared using different settings. In general, linuxconf can allow access to all or none.

The printer configuration is found in the [printers] group in the smb.conf file. Check out the online help via man smb.conf for more details. Make sure the printer to be shared is already set up before making changes to smb.conf.

Configuration under Red Hat for the smbprint program is easier. It uses the linuxconf program; a screen for accessing a Samba-compatible printer is shown in Figure 4. This does two things. First it creates an entry in /etc/printcap. Second, it creates a directory in the /var/spool/lpd directory with the name of the printer. This is true even for local printers. In this printer directory, the file .config is created. For the sample shown in the figure, the contents of the .config file are:

share='\\wong1\xerox'
hostip=
user='admin'
password=''
workgroup='bill-pa'

Having a password in this file can be a problem in some environments. The lines added to the /etc/printcap file are:

lp:\
:sd=/var/spool/lpd/lp:\
:mx#0:\
:sh:\
:af=/var/spool/lpd/lp/acct:\
:lp=/dev/null:\
:if=/usr/lib/rhs/rhs-printfilters//smbprint:

Note the smbprint program listed in the last line.

Samba Security

Samba can operate without any security or it can utilize any of a variety of security mechanisms integrated with Linux and Windows. This section presents the major options, but does not delve into all the details, as this is beyond the scope of this article. In general, a home or small business network may operate without any security. Security can be added later if necessary.

There are different ways to secure access to Samba resources. The first is with no security, so anyone can access resources. The second is to use account names. The third is to use names and passwords. In addition, the names and passwords can be maintained by Samba, Samba can use Linux names and passwords, or names and passwords from a Windows NT domain controller. It can also act as a Windows NT domain controller.

Resources can be managed at the user, share, server, or domain level. For small networks, the share level is often sufficient. In this case the shares have their own access passwords. User level management tends to be the easiest to manage.

What Else?
There are many other features within Samba not covered in this article. For example, the NETLOGON support allows scripts to be executed on clients when they log onto the server to access resources. This is a necessary feature for larger networks, but it is often unused on smaller ones.