Partnering a Linux server with Win2K clients

The need for reliable, secure, and cost-effective file storage has long been a prime concern of network administrators. Microsoft's provision for this need was Windows NT Server, which uses NT security domains to give administrators fine-grained control over file access. This product's sophisticated security and Windows' domination of the desktop world make using the Windows OS to meet your file-server needs a natural choice. However, Windows isn't the only choice.

Samba is an advanced suite of software that provides file- and print-sharing services and NetBIOS name-server support to clients who use the Server Message Block (SMB) protocol or the Common Internet File System (CIFS) protocol. The Free Software Foundation's GNU's Not UNIX (GNU) Public License governs this free and open-source software. Samba runs on several platforms, including MVS, UNIX, Linux, and VMS. To begin learning about Samba's remarkable capabilities, you can install and configure Samba as a simple standalone file server for your Windows 2000, NT, and Windows 9x clients.

Why would you want to run Samba instead of Windows? First, Samba will run on Linux, which means that you can run free software on a free OS. These $0 items will look good on your next budget request, especially when you consider that as your network grows, you can add users also free of charge. Another benefit of using Samba and Linux is their reliability: Uptime for Linux servers can be several years, and many application and network appliance providers already rely on Samba's stability as an integral aspect of their products.

If your clients use TCP/IP to access an NT-based file server, you can use Samba with a Linux file server to meet their file-server needs. Samba also supports domain-based authentication and authorization; however, configuring Samba to operate within the security environment of an NT domain adds a higher level of complexity to your configuration. Samba works equally well within traditional SMB/CIFS workgroups. If you don't need the security that NT domains provide, you can set up simple file services with the processes described in this article. If you do need the security, you can use this article to give you the core knowledge that you can use to configure Samba as a more complex file server.

Understanding the Linux File System
Before you proceed with Samba installation on Linux, you need to understand how the Linux file system works. The Linux file system is similar to NTFS: Both file systems have a root directory, subdirectories, and files that represent distinct units of data. However, the Linux file system doesn't use drives; Linux file systems are mounted on directories under the root directory. Permission sets and directory and file ownership determine which users have read, write, and execute privileges.

Like Windows file systems, Linux file systems use various directories for specific purposes. Some important Linux directories to know are the /etc directory, which houses most Linux service configuration files, and the /home directory, which houses users' home directories. The root user has a home directory in the /root directory. Most popular distributions of Linux use scripts that you find in the /etc/rc.d/init.d directory to start up and shut down services.

Samba Installation
I run Red Hat Linux, which comes with Samba preinstalled. If this is the case with your Red Hat-compatible Linux distribution (e.g., Caldera Systems, Turbolinux, SuSE Linux), start from a clean state by using the rpm command as the root user (i.e., the Linux administrator account) to uninstall Samba as follows:

# rpm -e --nodeps samba
# rpm -e --nodeps samba-common
# rpm -e --nodeps samba-client

You can download the latest version of Samba in the form of a Red Hat Package Manager (RPM) file at http://us2.samba.org/samba/ftp/Binary_Packages. (RPM files are binary distribution files that ease software installation and removal. They contain all the files you need to run a given program. You use the rpm command to manage these files.) As Figure 1 shows, your Linux distribution determines which Samba distribution you'll install. After you download Samba, you need to use the rpm command as the root user to install the program, as demonstrated below:

# rpm -i samba-rpm

The installed files will include /etc/smb.conf, the configuration file; /etc/rc.d/init.d/smb, the startup file; and /usr/bin and /usr/sbin files for various programs.

This Samba installation method might differ for your Linux distribution. Look for a Samba release that your Linux vendor maintains and supports, or install Samba from source code.

Samba Configuration
The /etc/smb.conf file lets you set all Samba configurations—including security settings, workgroup settings, and share definitions—from a central location. (If your Samba distribution installs a sample smb.conf file, move the example configuration file to another location or rename it to /etc/smb.conf.bak.) The configuration file's four main section types—global, printers, homes, and user-defined—each configure a specific service.

The global section defines the global characteristics of Samba, such as its NetBIOS name and associated workgroup. Administrators employ user-defined sections, which take the section name the administrator gives them, to share specific directories or printers. When you configure Samba to provide file services to Windows, you work in the global and user-defined sections. The printers and homes sections share all printers and home directories, respectively, but these sections don't allow much administrator customization.

All sections in the smb.conf file begin with a section name in brackets. In each section, you can use equate statements to set the values of the parameters:

[section name]
        parameter = value

Most Samba parameters have sensible defaults, so you need to specify only those parameters that you want to tune for your specific application of Samba.

Begin the configuration process by specifying the server's name (up to 15 characters) at the netbios name parameter and the server's workgroup at the workgroup parameter in the global section. These configurations get your Samba server running. For example,

[global]
        netbios name =
        workgroup =

Setting the netbios name parameter isn't absolutely necessary because Samba will default to the server's host name. However, you usually will want to set this parameter because NetBIOS naming conventions assume that host names are unique across subnets, and such isn't always the case for Linux host names. For testing purposes, you might want to use an unused name for the workgroup name. However, after you've configured Samba properly, you then might want to change the value of the workgroup parameter to an existing workgroup or something more appropriate for your network.

Next, you need to specify how Samba will authenticate users. Samba supports two types of authentication: share and user. Share-level authentication requires either that each user have an SMB account on the Samba server or that you set the given share to allow anonymous user access. (You use the Samba smbpasswd tool to create SMB accounts.) These requirements are the only share-level restrictions for access to shares; if users have SMB accounts, Samba, at share-level security, can't restrict these users from accessing shares. These limited restrictions differ from Win9x share-level access, which lets you assign passwords for shares.

The more powerful and secure user-level access lets administrators specify a list of users or groups that can access a share. (Share-level security grants access at the server level, whereas user-level security grants access at the share level.) Samba subdivides user-level access into user and domain for user authorization. When you specify user-level access as user, Samba refers to its account database to authorize a user. When you specify domain, Samba authorizes users against the domain's PDC. Administrators who use NT would obviously prefer user-level security to use their existing NT domain infrastructures. However, configuring user-level access with Samba is more complicated than configuring share-level access. For this article's purpose of demonstrating how easily you can create a disk share with Samba, setting security as share-level is a satisfactory configuration:

security = share

If your network uses WINS, you also need to specify the IP address of your WINS server at the wins server parameter:

wins server = <10.x.x.x>

After you configure the global section, make sure that Samba starts properly and that you can browse the server from a Windows client. When you boot your Linux server, use the following Linux command to start the init.d script that starts Samba:

# /etc/rc.d/init.d/smb start

After the init.d script reports that Samba started successfully, wait a few moments for the Samba server to register with the WINS server, then use the Net View command on a Windows client to view the Samba Server:

C:> net view \\

The command results in the following output:

Shared resources at \\
There are no entries in the list.

As you add shares, however, the output will include information about the shares Samba exports.

If the command fails, you likely have a browsing problem. Try viewing the server with the Net View command and the server's IP address. If the command with the IP address works and the command with the NetBIOS name doesn't, verify that you configured the wins and workgroup parameters correctly. If the command with the IP address also fails, double-check that Samba is running and that you've configured Linux properly.

Creating a Simple File Share
After Samba is working properly, your first task is to create the directory on your Linux server that the server will use Samba to share. Whether you're in Linux or Windows, the process is the same: Create the directory, and ensure that the appropriate user or group owns it.

As the root user, enter the following mkdir command to create the directory—which I named files—on the Linux file system:

# mkdir /home/samba/files

Notice the directory's placement under the home directory for Samba. Linux gives most services a user account and home directory. Locating directories for disk shares in the Samba home directory is a common Linux practice, although you can put your share on another disk or even a mounted network storage device. The directory's location is irrelevant if the storage medium is reliable.

You use the chown command to configure nobody (an account Linux creates automatically upon installation) to own this Linux directory. Linux administrators typically designate "nobody" as the user account for anonymous-style access.

# chown nobody /home/samba/files

Next, you configure your disk share in the user-defined section of Samba's configuration file. You first need to create a user-defined section by specifying the share name within square brackets below the global section. The name can be anything but the reserved section names—global, printers, and homes—but for simplicity's sake, name the section Files by typing

[Files]

Start with the comment parameter, which lets you apply a comment to the disk share. Apply a comment that will help users decipher the purpose of the share. For example,

comment = Network Files

Next, with the path parameter, specify which directory Samba will be sharing. For example, to locate the directory under the Samba home directory, you would set the parameter as follows:

path = /home/samba/files

You also need to specify whether the share is read-only or writeable. By default, Samba configures all disk shares as read-only. To let users write to shares, you need to use the writeable parameter to override the default:

writeable = yes

You can let Samba apply the read-only default—for disk shares that store drivers or other files that shouldn't be user-modifiable—either by not including this parameter or by entering the value no in the writeable parameter.

Finally, use the guest ok parameter to enable anonymous access to this share. Unless you allow anonymous access, any user who connects to the share needs to have an SMB account in Samba's local password database.

When you allow anonymous access, you also need to specify the Linux user account from which users can access the files on the disk share. (You can also specify this user account in the global section. This configuration would then serve as the default that you can override on a per-share basis.) This step is necessary because all access needs to satisfy the authorization requirements of both Samba and Linux. Use guest account to specify the user account nobody (the account with original ownership of the directory):

guest ok = yes
guest account = nobody

At this point, you have a complete and working disk share. If you followed the process model step-by-step, the /etc/smb.conf configuration file should mirror the following:

[global]
        netbios name =
        workgroup =
        security = share
        wins server = <10.x.x.x>
[Files]
        path = /home/samba/files
        comment = Network Files
        writeable = yes
        guest ok = yes
        guest account = nobody

Samba periodically scans the /etc/smb.conf file for changes and updates the configuration appropriately, so you don't need to restart Samba manually. However, after you've configured the Files section and the global section, restarting Samba makes the changes take effect immediately. Use the following commands to restart Samba on your Linux server:

# /etc/rc.d/init.d/smb stop
# /etc/rc.d/init.d/smb start

Avoid restarts after your server is in production; restarts break client connections, which can result in file corruption. Stopping Samba when it's hosting a disk share produces the same results from the client's perspective as unplugging the network cable to your server.

Make sure you can access the files disk share over the network. Perform the following test to browse \\ for the share files:

C:> net view \\

The command results in the following output:

Shared resources at \\
Samba 2.0.7
Share name Type   Used as  Comment
---------------------
Files       Disk            Network Files
The command completed successfully.

If the command completes successfully, the new disk share is accessible for browsing. You can also use Network Neighborhood to view the server.

You also need to determine whether you can connect to the share and whether you have write access. Use the Net Use command to verify access, then perform a write operation on the share to verify write access. In the example below, I tested access by making a directory:

C:> net use Z: \\

The command results in the following output:

The command completed successfully.

Use these commands to create the directory:

C:> Z:
C:> mkdir test
C:> dir

The commands result in the following output:

Volume in drive Z is Files
Volume Serial Number is 2EE5-053C

Directory of Z:
11/15/00 11:02a .
11/15/00 11:02a ..
11/15/00 11:02a test

If your version of this example shows that the share is accessible and writable, you now have a working file server, albeit a file server without the ability to authenticate or authorize access. For those services, you'll need to learn about Samba's user-level security mode. Excellent starting points for learning more about user-level security are the example configuration file many Samba distributions include, the Samba Web site (http://www.samba.org), or Samba newsgroups and publications.

Troubleshooting Samba
As you set up the share, run the tests I suggest for verifying your configurations. If any test fails, go back to the configuration file and double-check the configurations you were testing.

You can also check your settings by running Samba's testparm program to verify that the configuration file is syntactically correct. In addition, you can use Samba's two log files, log.smb and log.nmb, in /var/log/samba, to determine the cause of a problem. The log.smb file records print- and file-sharing activity. The log.nmb file records name-server activity, such as WINS registration.
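Beyond the syntax check, you can audit the configuration for the two access settings this article relies on: share-level security and shares that are both guest-accessible and writeable. The following is an added example, not part of the original article or of Samba itself. The function name audit_smb_conf, the sample configuration, and the Drivers share are constructed for illustration; the synonyms it recognizes (public, writable, write ok, read only) are standard smb.conf parameter names.

```shell
# Audit an smb.conf for share-level security and guest-writeable shares.
# Limits of this sketch: per-share settings only; [global] defaults for
# share parameters and "include" files are not followed.
audit_smb_conf() {
    awk '
    # Samba ignores case and embedded spaces in parameter names.
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
        if (section != "" && tolower(section) != "global" && guest && writable)
            printf "SHARE %s: guest access and writeable, path=%s\n", section, path
    }
    /^[ \t]*([#;]|$)/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                         # section header: close out the previous share
        report()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        guest = 0; writable = 0; path = "(unset)"
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = norm(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        if (tolower(section) == "global" && key == "security" && tolower(val) == "share")
            print "GLOBAL: security = share"
        else if (key == "guestok" || key == "public") guest = truthy(val)
        else if (key == "writeable" || key == "writable" || key == "writeok") writable = truthy(val)
        else if (key == "readonly") writable = !truthy(val)
        else if (key == "path") path = val
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the share built in this article plus a read-only one.
sample_conf() {
    cat <<'EOF'
[global]
        security = share
[Files]
        path = /home/samba/files
        writeable = yes
        guest ok = yes
        guest account = nobody
[Drivers]
        path = /home/samba/drivers
        guest ok = yes
EOF
}

sample_conf | audit_smb_conf
```

To check a live server, pass the file as an argument: audit_smb_conf /etc/smb.conf. Each line of output names a setting to review before the server goes into production.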

Remarkable Possibilities
How far you go beyond this simple file service depends on how deeply you want to delve into Samba and Linux. You can integrate Samba into your NT domain to offer security to your users. Another powerful feature is Samba's ability to serve as a domain's PDC. You can also use Samba to enable your Linux or other UNIX OS servers as print servers for Windows clients. Samba lets users control print jobs completely (e.g., cancel and monitor print jobs, change printers), and you can configure Samba to run outside programs to monitor and log printer usage or even send faxes. For more information about Samba's capabilities, see "Related Articles in Previous Issues."

Samba's usage possibilities are remarkable. As you explore the software, you'll discover its power and flexibility. Whether you use Samba as a limited, closet deployment or as an official move toward Linux and away from NT-based file and print servers, Samba is an obvious choice for your network.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.

MICHAEL P. DEIGNAN
JIM MOHR
"Sharing and Securing Information in Mixed NT-UNIX Environments," December 1998, InstantDoc ID 4515
MARK JOSEPH EDWARDS
"Samba-UNIX and NT Interoperability Made Easy," March 1997, InstantDoc ID 471
MARK MINASI
Inside Out, "Connecting Linux Workstations to Windows 2000 Servers," May 2000, InstantDoc ID 8490