Administration Guide Draft/Samba

Introduction
Samba is an open source implementation of the  (Server Message Block) protocol. Samba provides the means for resource sharing between networked computers that run different operating systems. As a client, Samba allows Linux/UNIX machines to access resources on Windows or Samba servers. As a server, Samba provides shared resources to Windows or other Samba clients. Historically, Samba provided access to shared resources through the  - SMB File System. More recently,  has been replaced by the more advanced   (Common Internet File System), an SMB-compliant virtual file system. It utilizes advanced network file system features such as locking, Unicode and hard link support. With , all network functions, including authentication, are provided in the kernel.

Fedora includes version 3.x of Samba. This version is capable of the following:


 * Acts as a Windows NT-style  (Primary Domain Controller)
 * Provides authentication for Windows domain logins
 * Acts as a  (Backup Domain Controller) for Samba
 * Joins Windows NT, Windows 2000/2003 and Samba domains as a member server
 * Provides  (Windows Internet Name Service) name resolution with the   component
 * Enhances network browsing services
 * Joins Windows AD (Active Directory) domain by utilizing  and Kerberos services
 * Acts as a Windows Workgroup server, providing directory trees, files and printers to Windows and Linux/UNIX clients
 * Contains built-in Unicode support for internationalization

The current development version (4.x) will address existing limitations of Samba, the most important being the ability of Samba to act as a Windows Active Directory domain controller.

How Samba Works
Samba is composed of multiple applications, each of which provides a part of Samba's functionality. Three daemons, ,  , and  , are the main components of Samba. Some of the most commonly used command line Samba tools are ,  ,  ,  ,  ,  ,  , and .

Samba Daemons
smbd:: The  daemon is responsible for the management of all shared resources on the Samba server. It provides file, print and browse services for  clients including authentication and resource locking.

nmbd:: The  daemon is the naming service component. provides WINS functionality to Windows clients, browse lists in the Network Neighborhood and participates in browser elections on the network.

winbindd:: Together with, the   service provides access to user and group information stored on the Windows server and is capable of passing a Samba client's authentication requests to the Windows server.

Commonly Used Command Line Utilities
smbstatus:: Reports current connections to shares on a Samba server.

smbpasswd:: Used to set or modify passwords for Samba users.

findsmb:: Used to provide information about SMB/CIFS enabled computers on the network.

nmblookup:: Uses NetBIOS over TCP/IP to translate computer names to IP addresses.

net:: Used for remote administration of Samba servers.

smbclient:: Used by UNIX/Linux client computers to connect to Samba or Windows shared resources.

smbtar:: Utility used to back up data that resides on Samba shares.

testparm:: Utility used to check the syntax of the Samba configuration file (smb.conf).

Installing Samba Server
The default Fedora installation does not include the Samba server. To install Samba, run:

su -c "yum install samba"

and enter the  password when prompted. This command will install the two packages needed to run a Samba server:


 * samba-common
 * samba

The  package installs the actual Samba server, while the   package includes additional files needed by the Samba server and Samba client. There are two additional optional packages that can also be installed:


 * samba-client
 * system-config-samba

The  package provides client-side Samba functionality to a Fedora machine. The package allows connectivity to remote Samba or Windows shares with the  command line utility. The  package provides a graphical interface to aid with Samba server configuration. This utility is capable of configuring a very limited set of Samba server options and is not covered in this document.

smb.conf
The main configuration file is. It includes a sensible set of configuration options which should be able to cover most, if not all, scenarios. The  file accepts two types of comments:


 * a hash symbol (#) is usually used to denote actual comments
 * a semicolon (;) is usually used to denote unused configuration options

Configuration options are in the format:

name = value

Lines that contain only whitespace are ignored.

The file is divided into sections. Each section begins with the section name in brackets and continues until the beginning of the next section. There are three special sections:

[global] section:: Contains configuration parameters for the entire Samba server.

[homes] section:: When defined in the configuration file, this section allows clients to quickly access their home directories.

[printers] section:: When defined, this section allows users to connect to printers specified in the Samba server's local printcap file.

Samba Configuration
Samba configuration can be customized based on network requirements. This section provides some sample configurations for various Samba implementations, including:


 * Standalone workgroup server
 * Domain member server (Windows NT-style)
 * Primary Domain Controller (Windows NT-style)
 * Domain member server in the Windows AD domain

Samba Security Modes
A good understanding of how Samba implements security is essential for the proper deployment of a Samba server. Windows NT/2000/2003 SMB (CIFS) implements only two security levels, user-level and share-level security; Samba provides more flexibility by extending Windows-based SMB/CIFS security through its security modes. Samba security modes are configured through the smb.conf parameter:

security =

The available modes are:

share:: In this mode, the client must authenticate against each share. In the Windows world, the share password is set on the share itself, which means that the client does not have to pass a username along with the connection request. Samba always uses a username/password combination, provided through the underlying Linux authentication method (/etc/passwd or /etc/nsswitch.conf). For this mode the smb.conf entry is:

security = share

user:: This is Samba's default security mode. In this mode, authentication is based on the username/password combination. When a client makes a request for a shared resource, the Samba server doesn't "know" which share an authenticating client is allowed to access. For this mode the smb.conf entry is:

security = user

server:: Although still valid, the server security mode is a "legacy" mode, a leftover from the time when Samba was not able to become a domain member server. This mode allows a Samba server to authenticate connecting clients against a Windows NT-style PDC. It has many shortcomings: the possibility of "account lockout" on the Windows PDC, no assurance that the PDC is the actual machine specified, no support for winbindd or remote user profiles, and so on. In this mode, Samba appears to clients to be in user security mode, while actually passing all authentication to the PDC. For server security mode to work, two additional parameters must be specified in the smb.conf file:

encrypt passwords = yes
security = server
password server = PDC-NetBIOS-name

domain:: Domain security mode provides a central database for all user, group and machine account information. This database is stored on the machines that participate in a domain as Domain Controllers. The PDC is responsible for maintaining the integrity of the database and sending regular updates to the servers that act as Backup Domain Controllers. The  is used for performing account authentication, thus offloading a significant amount of work from the Primary Domain Controller. This is very important for redundancy in large environments, particularly those where a single domain spreads across different physical locations. Having a  allows for uninterrupted logins even if the network link to the PDC is down. Samba participates in domain security mode by virtue of a machine trust account stored in the domain accounts database. This allows a Samba server configured as a  to authenticate clients, or to pass the authentication to the Domain Controller if it is configured as a Domain Member Server. A Samba server must join a Windows-based domain before it can be configured for domain security mode. To configure Samba for domain security mode:

To /etc/samba/smb.conf add:

security = domain
workgroup = 

On a Windows PDC, use Server Manager to add the Samba server's machine account to the domain database. On the Samba server run:

net rpc join -U administrator%password

It is not necessary to specify the actual domain name with the previous command; this information is retrieved from the smb.conf file.

ADS:: ADS security mode requires that the Samba server join a Windows Active Directory domain. To join the ADS domain, create the Samba server's account in ADS:

net ads join -U Administrator

Samba can join an AD domain either as an NT-style domain member using NT-style security (if AD is running in native mode) or as a native AD domain member, which requires Kerberos-based authentication services. The latter may be required for domains where the security policy prohibits RPC-based (NT-style) authentication. The smb.conf entry is:

security = ADS
realm = 
encrypt passwords = yes

Samba is sometimes not able to identify the authentication server from its Kerberos realm name. This often happens on networks with Linux/UNIX style DNS servers if they are not configured to handle the non-standard DNS requirements of the Windows AD DNS implementation. In this case, add the following parameter to the smb.conf:

password server = 

Important Notes For Systems With SELinux Enabled
To achieve proper operation of Samba on SELinux enabled systems follow these few rules:


 * If you create a directory that you want to share, label it with the  context:

chcon -R -t samba_share_t /home/newdir

To check what context a system directory has, use:

ls -lZd /path-to-systemdir


 * To share a system directory, use one of the following:

setsebool -P samba_export_all_ro on

... to provide read-only shares or ...

setsebool -P samba_export_all_rw on

... to provide read-write access to shares.


 * By default, SELinux disables sharing of home directories. To enable sharing of home directories, run:

setsebool -P samba_enable_home_dirs on


 * To enable the correct operation of Fedora user account command line utilities such as , which allow Samba to run as a domain controller, run:

setsebool -P samba_domain_controller on

Security Considerations
There are several ways to address the security of a Samba server:


 * Interface protection
 * Host based protection
 * User based protection
 * Firewall protection

Interface Protection
Add the following parameters to the smb.conf to define which interfaces the Samba services listen on:

interfaces = eth0 lo
bind interfaces only = yes

In the example above, Samba will only listen on the loopback interface and the first Ethernet NIC and ignores all other network interfaces that might be present on the system.

Host Based Protection
By default, Samba accepts connections from all hosts. To restrict access to a Samba server to only the desired hosts or subnets, configure the following parameters:

hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0

This will allow access to the Samba server only from localhost and hosts on the 192.168.1.0/24 subnet.

User Based Protection
To restrict user access to Samba shares globally, use the following parameter in the [global] section of the smb.conf file:

valid users = user1, otheruser, @smballowed

The above configuration allows access to the Samba server only for the users user1 and otheruser, and for users who are members of the smballowed group.

Firewall Protection
A good practice for securing a Samba server is to use firewall protection combined with Samba-specific protection as described in the previous section. To configure  firewall access to a Samba server from the 192.168.1.0/24 subnet, add the following rules:

iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT

Samba communicates through:


 * 137/UDP port - used by nmbd for NetBIOS name resolution
 * 138/UDP port - used by nmbd for NetBIOS network browsing
 * 139/TCP port - used by smbd for NetBIOS session service
 * 445/TCP port - used by smbd for Microsoft Active Directory services

Inbound traffic on high-order ports [1024:65535] should be denied except for established connections.
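As an added example that is not part of the Fedora guide, the following shell script checks an smb.conf against the protections described in this section: the legacy share/server security modes, a missing "bind interfaces only" or "hosts allow", guest-writable shares, and share paths that do not exist on the server. The smb.conf parameter names are real; the sample configuration written by write_sample_conf is constructed for the demonstration.

```shell
# Added example, not part of the Fedora guide: audit an smb.conf against the
# protections described above. The sample configuration is constructed.

# smb_params FILE -> "section<TAB>name<TAB>value" per parameter (name lowercased);
# '#' and ';' comment lines and blank lines are skipped, as smbd does.
smb_params() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec); next }
        /=/ {
            name = $0; sub(/=.*/, "", name); gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            val = $0;  sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            printf "%s\t%s\t%s\n", sec, tolower(name), val
        }' "$1"
}
# smb_get FILE SECTION NAME -> value (last occurrence wins), empty if unset.
smb_get() {
    smb_params "$1" | awk -F'\t' -v s="$2" -v n="$3" '$1 == s && $2 == n { v = $3 } END { print v }'
}
# smb_bool FILE SECTION NAME -> "yes" for yes/true/1, otherwise "no" (also when unset).
smb_bool() {
    case "$(smb_get "$1" "$2" "$3" | tr 'A-Z' 'a-z')" in yes|true|1) echo yes ;; *) echo no ;; esac
}
# share_writable FILE SECTION -> 0 if clients may write ('read only = no' or 'writable = yes').
# 'read only' defaults to yes in smb.conf, so an unset value counts as read-only.
share_writable() {
    case "$(smb_get "$1" "$2" 'read only' | tr 'A-Z' 'a-z')" in no|false|0) return 0 ;; esac
    [ "$(smb_bool "$1" "$2" writable)" = yes ]
}
# audit_smb_conf FILE -> one "FINDING ..." line per problem; exit status 0 only if none.
audit_smb_conf() {
    f=$1; n=0
    case "$(smb_get "$f" global security | tr 'A-Z' 'a-z')" in
        share|server) echo "FINDING [global]: security = share/server is legacy; use user, domain or ADS"; n=$((n + 1)) ;;
    esac
    [ "$(smb_bool "$f" global 'bind interfaces only')" = yes ] ||
        { echo "FINDING [global]: bind interfaces only = yes not set; Samba listens on every interface"; n=$((n + 1)); }
    [ -n "$(smb_get "$f" global 'hosts allow')" ] ||
        { echo "FINDING [global]: no hosts allow; connections are accepted from all hosts"; n=$((n + 1)); }
    secs=$(mktemp); smb_params "$f" | cut -f1 | sort -u > "$secs"
    while IFS= read -r sec; do
        [ "$sec" = global ] && continue
        if [ "$(smb_bool "$f" "$sec" 'guest ok')" = yes ] && share_writable "$f" "$sec"; then
            echo "FINDING [$sec]: guest-writable share"; n=$((n + 1))
        fi
        p=$(smb_get "$f" "$sec" path)
        if [ -n "$p" ] && [ ! -d "$p" ]; then
            echo "FINDING [$sec]: path $p does not exist on this server"; n=$((n + 1))
        fi
    done < "$secs"
    rm -f "$secs"
    echo "$n finding(s) in $f"
    [ "$n" -eq 0 ]
}
# write_sample_conf DIR -> writes a constructed smb.conf under DIR and prints its path.
write_sample_conf() {
    mkdir -p "$1/policies"
    cat > "$1/smb.conf" <<EOF
[global]
    workgroup = EXAMPLE
    security = share
;   bind interfaces only = yes
[policies]
    path = $1/policies
    read only = yes
    guest ok = yes
[dropbox]
    path = $1
    read only = no
    guest ok = yes
[documents]
    path = $1/missing
    read only = no
EOF
    echo "$1/smb.conf"
}

d=$(mktemp -d)
if audit_smb_conf "$(write_sample_conf "$d")"; then echo "clean"; else echo "review the findings above"; fi
rm -rf "$d"
```

The [policies] share is deliberately guest-readable but read-only, so it produces no finding; [dropbox] is flagged because guests may write to it.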

Samba And CUPS (Common Unix Printing System)
For detailed CUPS printing instructions, see Using the Common UNIX Printing System. This section covers some capabilities of the CUPS printing system related to Samba.

Basic Features
Samba is pre-compiled with support for CUPS printing. This integration simplifies print serving to SMB/CIFS clients. In a simple scenario, Samba presents CUPS printer queues to the SMB/CIFS clients and passes received print jobs directly to CUPS for printing. This scenario assumes that the SMB/CIFS clients have the appropriate printer drivers installed and can produce print jobs in a format that the printer device understands. In this scenario, the [global] section of the smb.conf file requires only two parameters:

printing = cups
printcap = cups

Printer devices are configured in the [printers] section. For small environments with few printer devices and no specific printing requirements, the default [printers] section should be sufficient. Samba and CUPS provide a lot of flexibility, and each individual printer can be configured through its own section, which overrides the settings in the [global] section. One common example is the need to allow only a set of users or user groups in the organization to print to a device:

[global]
printing = cups
printcap = cups

[printers]
comment = all printers
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes

[restricted_printer]
comment = color laser
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @marketing, boss
use client driver = yes

In the above example, only the user boss and members of the marketing group are allowed to print to the color laser printer.

Advanced Features
Integration of Samba and CUPS printing allows for advanced configurations that provide robust printing solutions, suitable for enterprise environments. For detailed guides and tutorials about the advanced features, refer to the Additional Information section at the bottom of the page.

Samba Linux Client Utilities
To view the list of SMB/CIFS shares on a particular host, run:

smbclient -L

To connect to the Samba share on a particular host, run:

smbclient // /

...and enter the Samba password when prompted. To connect to the Samba share as a different user, specify the user name as an argument to the -U command option:

smbclient -U  // /

...and enter userX's Samba password when prompted. To mount the Samba share on a local directory, as root run:

mount -t cifs // / / -o user=userX

...and enter userX's Samba password when prompted. When mounting a Samba share in this fashion, userX will likely encounter various issues with file permissions on the mounted / . To avoid these issues, pass additional options to the  command:

mount -t cifs // / / -o user=userX,uid=,file_mode=0644

...where  is the numeric user ID of userX's local account on the client machine. It is also possible to pass userX's Samba password as an option to the  command:

mount -t cifs // / / -o user=userX,password= ,uid=,file_mode=0644

...and avoid the password prompt on every  attempt. However, this is not recommended, since the actual password might be visible to other users. The recommended way is to use the credentials option:

mount -t cifs // / / -o credentials=,uid=,file_mode=0644

The credentials file is an ASCII text file of the format:

username=
password=
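Because this file holds a password in clear text, the following added example (not part of the Fedora guide) creates it with owner-only permissions, checks it before use, and prints the matching /etc/fstab entry for the mount options shown above. The server, share, mount point, user and uid values are constructed placeholders.

```shell
# Added example, not part of the Fedora guide. All sample values are constructed.

# write_cifs_credentials FILE USER PASSWORD
# Creates FILE in the username=/password= format that mount.cifs expects.
# The umask is set in a subshell so a new file is created mode 0600 without
# changing the caller's umask.
write_cifs_credentials() {
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

# check_cifs_credentials FILE
# Returns 0 only if FILE is a regular file, is unreadable by group and others,
# and contains nothing but username=/password=/domain= lines, so a relaxed
# permission or a stray line is caught before the share is mounted.
check_cifs_credentials() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in
        600|400) ;;
        *) echo "$1: mode $mode lets other users read the password" >&2; return 1 ;;
    esac
    if grep -qvE '^(username|password|domain)=' "$1"; then
        echo "$1: contains lines other than username=/password=/domain=" >&2
        return 1
    fi
    grep -q '^username=' "$1" && grep -q '^password=' "$1"
}

# cifs_fstab_line SERVER SHARE MOUNTPOINT CREDFILE UID
# Prints the /etc/fstab entry equivalent to the credentials-based mount command above.
cifs_fstab_line() {
    printf '//%s/%s %s cifs credentials=%s,uid=%s,file_mode=0644 0 0\n' "$1" "$2" "$3" "$4" "$5"
}

# Demonstration with constructed values (the file is removed again afterwards).
d=$(mktemp -d)
write_cifs_credentials "$d/creds" userX 'S3cret-example'
check_cifs_credentials "$d/creds" && echo "credentials file OK"
cifs_fstab_line fileserver documents /mnt/documents /etc/samba/creds 1000
rm -rf "$d"
```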

root is the only user with permission to run the  utility. To enable non-privileged users to mount and unmount Samba shares, set the SUID bit on  and . As root, run:

chmod u+s /sbin/mount.cifs /sbin/umount.cifs

Once set, a user can use  to mount Samba shares:

/sbin/mount.cifs // / / -o credentials=,uid=,file_mode=0644

...or  to unmount the share:

/sbin/umount.cifs /

To mount Samba shares at boot time, edit the /etc/fstab file and add the line:

// / / cifs, ,..., 0 0

Read-only shared directory
Requirement: Allow all users to view the company's policies on Internet and email usage, without the ability to alter the files.

Solution:


1. Create the directory /home/common/policies
2. Copy all related documents to /home/common/policies
3. Create a [policies] section in smb.conf that allows anonymous access

Use the following smb.conf to achieve this:

[global]
workgroup = BIGBROTHER
security = share

[policies]
path = /home/common/policies
read only = yes
guest ok = yes

Small Office Network
Environment: A translation services office with three client PCs (Windows XP) networked in the OFFICESPACE workgroup. MS Word documents and MS Excel spreadsheets are shared from each PC. A network-capable laser printer accepts direct printing from the workstations.

Requirements: Provide central storage for documents, writable for all users, and a centrally managed raw print queue, with print drivers installed locally on each workstation.

Solution:

1. Install Fedora and the Samba server on a new server.

2. Create the group officespace on the server:

groupadd officespace

3. Create the user milton on the server:

useradd milton
passwd milton
Changing password for user milton.
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.

4. Create the directory structure that will contain the documentation and be shared via Samba:

mkdir -p /data/documents/{translations,spreadsheets}
chown -R milton.officespace /data/documents
chmod -R ug+rwxs,o+rx,o-w /data/documents

5. Create accounts for the three users in the office and add all of them to the officespace group.

6. Create the CUPS print queue on the server:

lpadmin -p prn1 -v socket://192.168.1.11:9100 -E

...and enable the CUPS queue for raw printing by uncommenting the line:

application/octet-stream    application/vnd.cups-raw      0     -

...in the /etc/cups/mime.convs file, and uncommenting the line:

application/octet-stream

...in the /etc/cups/mime.types file.

7. Create the following /etc/samba/smb.conf file:

[global]
workgroup = OFFICESPACE
netbios name = Stapler
server string = Office Samba Server
security = share
load printers = yes
printing = CUPS
printcap name = CUPS

[documents]
comment = Office Documentation
path = /data/documents
read only = no
force user = milton
force group = officespace

[printers]
comment = Laser Print Spool
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes

8. Enable the Samba and print daemons at boot time:

chkconfig smb on
chkconfig cups on

...and start both services:

service smb start
service cups start

9. Reconfigure the workstations to become members of the OFFICESPACE workgroup and to use the Samba-shared printer.

NT-style Domain
Environment: Corporate headquarters with 50 users and 60 Windows XP and Fedora client computers, used in the Sales and Marketing, Finance, Information Services and Management departments. Several HP LaserJet printers and a color laser printer. The subnet address is 192.168.1.0/24. IP addresses 192.168.1.2 - 192.168.1.10 are reserved for various servers, .10 for the Samba server. IP addresses 192.168.1.11 - 192.168.1.20 are reserved for network printers. The DHCP server assigns host addresses from the pool 192.168.1.101 - 192.168.1.200 to client computers.

Requirements:
 * NT Domain-like logon services, using encrypted passwords
 * Each department has its own file storage area, writable only by users from that department and accessible read-only by Management
 * Each user has their own home drive, accessible only by that user and not visible to anybody else
 * A common file storage area, writable for all users
 * Server-based user profiles for Windows users, providing the ability to use any Windows PC on the network while retaining access to their own settings and data
 * Dedicated printers for Management and Finance, not accessible to other departments
 * A dedicated color printer for Marketing

Solution:

1. Install Fedora and the Samba server on a dedicated server computer.

2. Configure the network interface eth0 with the IP address 192.168.1.10/24.

3. Configure the  firewall to deny access to all services, except for ports 137, 138 (UDP) and 139, 445 (TCP).

4. Create the following directories for Samba shares:

mkdir /home/{management,finance,technical,sales,general}

...and the directory for storing user profiles:

mkdir -p /home/samba/profiles

5. Create the user groups management, sales, finance, technical and general:

for i in management sales finance technical general
do
    groupadd $i
done

...and the corresponding user accounts, needed for simplified management of file permissions on the shared directories:

for i in management sales finance technical general
do
    useradd -g $i $i
done

6. Create Linux accounts for the users, so that each user's primary group is the user's department group and the secondary group is general. Windows users do not need a shell environment on the Samba server, while IS team members all use Fedora clients and often require access to the Samba server through terminal-based SSH sessions, and thus need a full shell environment on the server. Examples:

useradd -g finance -G general -d /home/users/payroll_guy -s /bin/false payroll_guy
useradd -g technical -G general -d /home/users/stickster -s /bin/bash stickster

7. Set Linux passwords for each user:

passwd 

8. Set the appropriate file and directory permissions on the shared directories:

chown -R finance.finance /home/finance
chmod -R ug+rwxs,o+rx,o-w /home/finance
chown -R management.management /home/management
chmod -R ug+rwxs,o-rwx /home/management
chown -R sales.sales /home/sales
chmod -R ug+rwxs,o+rx,o-w /home/sales
chown -R technical.technical /home/technical
chmod -R ug+rwxs,o+rx,o-w /home/technical
chown -R general.general /home/general
chmod -R ug+rwxs,o+rx,o-w /home/general
chmod o+rwt /home/samba/profiles

9. Create the appropriate CUPS print queues:

lpadmin -p prn1 -v socket://192.168.1.11:9100 -E
lpadmin -p prn2 -v socket://192.168.1.12:9100 -E
lpadmin -p prn3 -v socket://192.168.1.13:9100 -E
lpadmin -p prn4 -v socket://192.168.1.14:9100 -E

for i in prn{1,2,3,4}
do
    cupsenable $i
done

for i in prn{1,2,3,4}
do
    cupsaccept $i
done

10. Configure SELinux to allow the Samba shares. Allow sharing of the previously created directories:

for dir in management finance technical sales general; do chcon -R -t samba_share_t /home/$dir; done

Enable sharing of home directories:

setsebool -P samba_enable_home_dirs on

Enable Samba domain operations:

setsebool -P samba_domain_controller on

11. Move the default smb.conf file aside and keep it as a reference:

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

12. Create the new /etc/samba/smb.conf file:

[global]
workgroup = CORPHQ
netbios name = WEREWOLF
server string = Corporate Samba Domain Controller
admin users = root, stickster
hosts allow = 127.0.0.1 192.168.1.0/24
printing = cups
printcap name = cups
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
passdb backend = tdbsam
domain logons = yes
domain master = yes
logon path = \\%L\Profiles\%U
logon drive = H:
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
hide dot files = yes

[homes]
comment = Home Directories
browseable = no
writable = yes

[Profiles]
path = /home/samba/profiles
read only = No
create mask = 0700
directory mask = 0700

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
printable = yes
use client driver = yes

[management]
comment = Management Share
browseable = yes
writable = yes
path = /home/management
valid users = @management
force user = management
force group = management
create mask = 0770
directory mask = 0770

[finance]
comment = Finance Share
browseable = yes
writable = yes
path = /home/finance
valid users = @finance
read list = @management
force user = finance
force group = finance
create mask = 0770
directory mask = 0770

[general]
comment = General Share
browseable = yes
writable = yes
path = /home/general
valid users = @general
read list = @management
force user = general
force group = general
create mask = 0770
directory mask = 0770

[technical]
comment = Technical Share
browseable = yes
writable = yes
path = /home/technical
valid users = @technical
read list = @management
write list = @technical
force user = technical
force group = technical
create mask = 0775
directory mask = 0775

[Sales]
comment = Sales And Marketing Share
browseable = yes
writable = yes
path = /home/sales
valid users = @sales
read list = @management
force user = sales
force group = sales
create mask = 0770
directory mask = 0770

[prn1]
comment = Management Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @management
use client driver = yes

[prn2]
comment = Finance Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @finance
use client driver = yes

[prn3]
comment = Sales Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @sales
use client driver = yes

13. Create Samba accounts for all users:

smbpasswd -a 

Enter the user's password when prompted.

14. Enable the Samba and print daemons at boot time:

chkconfig smb on
chkconfig cups on

...and start both services:

service smb start
service cups start

Additional Information
Detailed Samba documentation, tutorials and FAQs are located at:

Related Web Sites

 * The official Samba web site
 * The Official Samba HOWTO
 * Samba and CUPS

Related Manuals
Find out more about the specific Samba daemons and client-side utilities from the man pages included with the Samba installation:


 * smbd(8)
 * nmbd(8)
 * winbindd(8)
 * samba_selinux(8)
 * smb.conf(5)
 * smbclient(1)
 * smbstatus(1)
 * smbpasswd(8)
 * findsmb(1)
 * nmblookup(1)
 * net(8)
 * smbtar(1)
 * testparm(1)