UNIX and NT Interoperability Made Easy

On the surface, Windows NT and UNIX seem so completely different. Even if you've seen a hot rod UNIX system running X-Windows, it still looks incredibly foreign compared to NT. Well, the truth is that they are different--but that difference doesn't mean they can't exist in harmony on the same network. In this article, I'll show you just how easy and cost effective integrating these two systems for common file and print services can be. I tried this integration on my network, and it works beautifully.

A popular form of sharing services in mixed environments today is the Web--whether the Web is internal or external. But, the Web aside, perhaps the most desired form of interoperability today is for simple file and print services. Certainly UNIX systems make excellent file and print servers, as do NT systems. And any shop, large or small, might need to integrate these two different operating systems for file and print interoperability. You can accomplish this task with one of several methods, but one of the most cost-effective and easy-to-use ways is a product called Samba.

Samba, written by Andrew Tridgell from Australia, builds a multilane expressway between NT and UNIX systems. The name Samba is a play on the acronym SMB, which stands for Server Message Block. By no coincidence, SMB is the standard protocol NT uses for sharing file and print services. Samba runs on UNIX, enables a UNIX host to establish shares that Windows clients can map, and enables UNIX clients to map shares on Windows hosts (Windows for Workgroups--WFW, Windows 95, and NT). This tool is handy to have around in a mixed networking environment.

Samba is available for most common UNIX platforms, including Linux, FreeBSD, BSDI, SunOS, Solaris, AIX, IRIX, OSF1, and HP-UX. Samba is also available for Novell and VMS networks. You can download this freeware software package from the Internet. Samba is in release version 1.9.16p9, and you'll find links to common download sites right on the Samba home page at http://lake.canberra.edu.au/pub/samba/samba.html.

I'll walk you through the integration process. Once you complete this exercise, you'll have a lot more functionality on your network.

Assumptions
Now before I get started, I'll make a few assumptions known, so you know how to proceed. I'll assume that you already have a supported UNIX system installed and working correctly, complete with TCP/IP networking enabled. In this example, I'm installing Samba on one of my Linux servers--Linux is also free on the net--so pay attention to the details, and set parameters correctly for your particular UNIX operating system. Next, I'll assume that you have a C compiler installed on your UNIX system and that you are vaguely familiar with using it. And, I'll assume you know your way around your UNIX system to some extent, so I'll omit details such as commands to change directories.

Finally, I'll point out that on UNIX systems, network server-based services are daemons, and on NT, they're services--just so you know what I'm talking about later in this article. With that said, off you go!

Make It So
Create a directory for the software source code. I used /usr/src/samba. Don't forget to set the file permissions correctly to keep unwanted users out of the source code. If you don't want to compile source code, you can download the binary executables for certain UNIX systems (not all). But, I recommend you get the source code in case you run into problems with the software or want to make enhancements.

Go to the new directory, FTP the Samba package from ftp://samba.anu.edu.au/pub/samba down to your UNIX system, and place the archived file in your new directory. If you have trouble with the first ftp site, try one of the mirror sites.

Decompress the archived file with the tar command. On my Linux system, I used

tar xvfz samba-1.9.16p9.tar.gz

to decompress the file. This command unpacks everything, re-creating the original subdirectories in the archive as necessary.

Move to the newly created /usr/src/samba/samba-1.9.16p9 directory, and with your favorite UNIX text editor (joe or vi will do just fine), open the file Makefile for editing. This file contains several switch settings and, most important, sets up the software to compile on your UNIX system--all basic C programming stuff.

Make sure the settings in the top half of Makefile are set the way you want them, per your operating system and compiler. Comments in Makefile define the switches, so look at the switches closely and check each one carefully. Next, scroll down until you see your operating system, and enable only that section, making sure no other operating systems are enabled. For Linux, the Makefile section is incredibly simple (but others are more extensive):

# Use this for Linux without shadow passwords
# contributed by Andrew.Tridgell@anu.edu.au
FLAGSM = -DLINUX
LIBSM =

After you've completed the necessary changes for your UNIX system, save Makefile to disk, and exit the editor. Now you must compile the software, so issue the make command to get the ball rolling. In typical compiler fashion, you'll see tons of messages fly by on the screen as the compiler builds the necessary files to create the two Samba executables (daemons).

Now you must install the compiled software. Issue the command

make install

This command places the correct files in the appropriate places on your file system and also installs the man pages (manual pages). Once you've installed the man pages, you can read any of them with the man command, followed by a topic. For example, enter

man smbd

to display the portions of the manual that deal with the smbd daemon. You can install the binary executables and man pages separately with the make installbin and make installman commands, respectively.

A Bit More Configuration
Now that you've installed the software, you must decide how you'll run it. But, you need to do a bit more configuration before you start it up and test it.

You establish shared UNIX resources with Samba through a standard text configuration file, smb.conf. This file contains a list of each directory and printer that you want to share with the Windows user community. It also establishes user access permissions for those shares, and user rights, such as read and write privileges. In fact, this file controls almost every aspect of Samba operation. Once you've compiled and installed the software, the file will be in the /usr/local/samba/lib directory, and you can easily modify it with any text editor.

Open the file and look around. Notice that this configuration file isn't complicated. First, examine the [global] section at the top of the file. You'll see several entries, so make sure you set them to your liking. The default entries are self-explanatory, and you can find additional switches with the man smb.conf command.

With Samba, you can add some really cool functionality: Samba can authenticate users by passing the request on to another SMB server, such as an NT system. Without this function, you have to add an account to the UNIX system for each user connecting to the UNIX shares. Adding accounts can be time consuming and tedious. Simply insert the following two lines in the [global] section:

security = server
password server = NTBOX

The security parameter tells Samba that you want to use an external server to authenticate, and the password server parameter defines the NetBIOS name of the SMB server to use for authentication (NTBOX in this example).

After you make these entries in the [global] section, be sure to add a line to your /etc/hosts file on your UNIX system that points to the Windows NetBIOS name (NTBOX in this example). You add this line so the Samba server can find the matching IP address, which it needs to locate the SMB server on the network. Here is an example entry for the /etc/hosts file:

251.249.101.204    NTBOX

Be sure to use your SMB server's IP address and NetBIOS machine name instead of the sample entry shown here.

Now, let's look at an example directory share. Examine the following extract, located at the bottom of the smb.conf file and modified for my network:

[new-share]
comment = Mark's Test Share
path = /usr/local
valid users = mark
public = no
writable = yes
printable = no
create mask = 0765
browseable = yes
hosts allow = 247.252.251.0/255.255.255.0

This small block of instructions defines a shared directory on the UNIX system called new-share (this is the share name that appears when you browse the network), with access granted only to the user named mark. Although you can add quite a few parameters here (detailed in the smb.conf man pages), I used the field definitions shown in Table 1.

Next, set up a printer share, assuming that you have a printer installed on your UNIX system. The example below defines a printer share for my HP DeskJet printer, granting access only to user mark:

[printer1]
comment = Office DeskJet
valid users = mark
path = /home/mark
printer = HPDJ_printer
public = no
writable = no
printable = yes

The parameters that define this UNIX-based printer share are identical to the parameters that define the directory share. Therefore, I'll explain only the single additional parameter, printer, which specifies the name of the printer that spooled jobs will be sent to. Keep in mind that the printer name used here is the name given to the printer on the UNIX system and that you'll need to manually load the corresponding printer drivers on your Windows systems in order to use the printer successfully. Also keep in mind that when you print from a PC to a Samba server, Samba does not handle the printing; it merely acts as an intermediary, passing the information along to your UNIX print command. Therefore, you'll need to make sure you've configured the print command, the lpq command, and lprm command in the top part of the smb.conf file. Set these commands exactly the same way as you would to print on your UNIX system. On my system, I use the following settings (yours may differ), and you can reference the Printing.txt file for further information if you need it:

print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j

Now that you've modified the entries in the smb.conf file to your liking, use the Samba tool testparm (included with the distribution media) to test these entries for any errors. Enter

testparm

and check the ensuing report for any errors. If all is well, testparm will list the loadable shares as you've defined them.

Samba Server
Now let's crank up the Samba server and try it out! To start the server, simply enter

smbd -D

and then

nmbd -D

This sequence starts the Samba daemon (smbd) and the supporting daemon (nmbd), which answers NetBIOS name service requests and acts just like a Windows Internet Name Service (WINS) server running on NT. In fact, you can use nmbd as an additional WINS server for your network if you configure your Windows clients with the Samba server's IP address in the WINS parameter of the TCP/IP properties (nmbd does not support all the WINS functionality, such as Push-Pull Partners and Static Mappings; if your network doesn't need this type of functionality, nmbd will work just fine for you).

The -D switch tells Samba to run as a network daemon. In other words, Samba won't stop running once you log off the UNIX system, unless your UNIX system is configured to kill all user processes on logoff.

You can also run the Samba daemons either by placing them in your inetd.conf file, which causes the inetd daemon to start the Samba daemons on demand, or by placing them in your /etc/rc.local file. This placement causes them to start during the system boot process. For more information about using either of these methods to run Samba, refer to the Samba installation tips (INSTALL.txt file).

As soon as the daemons are running--verifiable with the UNIX ps ax command--go to your Windows machine and browse the Network Neighborhood. You will see the host name of your UNIX system, and you will be able to list the newly established shares (new-share and printer1) under your UNIX system host name. If you see the shares, Samba is working. Of course, you might be prompted for a password to connect to a share if the account name you're using doesn't match the password on the password server specified in the share definition (e.g., you're logged on to an NT domain other than the NT domain of the server specified in the password server definition). So if you've used the [global] settings (security and password server) that I recommend, you'll need to enter the corresponding NT password (used on that password server) for proper authentication. If you're not using the security and password server options, use the password for your UNIX user account. Once the system authenticates you, you'll have complete access to the resource.

UNIX to PC Printing
Now before I continue, I'll point out that printing from the UNIX system to a Windows-based shared printer is slightly different and a little more complex to configure. You'll need some experience setting up printers on UNIX, and you can read the examples/printing/smbprint document included with Samba to learn all the details. In a nutshell, here's what you'll do:

1. Make sure you have a filter established in your UNIX /etc/printcap file. Here's an example entry:

smb:lp=/dev/null:sd=/usr/spool/smb:sh:if=/usr/local/samba/smbprint

This entry establishes a printer named smb on your UNIX system. You'll also need to create the spool directory /usr/spool/smb with the appropriate permissions and ownership for your system. The permissions are unique to your particular network and control who can access the print spool.

2. Define the printer in the printcap file. Here's an example for an IBM Color Jetprinter:

# For this to work, the /etc/printcap entry must include an accounting file (af=...) entry
#
cdcolour:\
    :cm=CD IBM Color Jetprinter on 10th floor:\
    :sd=/var/spool/lpd/cdcolour:\
    :af=/var/spool/lpd/cdcolour/acct:\
    :if=/usr/local/etc/smbprint:\
    :mx=0:\
    :lp=/dev/null:

3. Establish a configuration file (.config) for the printer in the /usr/spool/lpd/PRINTNAME directory, with the following entries:

server=MARKS_PC
service=CJET_10
password=""

In the preceding example .config file, the server= entry is the NetBIOS name of the Windows machine; the service= entry is the Windows printer share name, and the password= entry is the password required to access the shared printer. As I said, this process can be rather complex as a whole if you don't know what you're doing, so be sure to refer to the examples/printing/smbprint document for help.

Smbclient
Now that the UNIX system shares resources with Windows clients, have you considered using UNIX to mount Windows-based shares as well? Smbclient, an easy-to-use program in the Samba package, maps Windows shares so that a UNIX system can access them. You'll use two basic commands quite a bit. The first one lists available shares, as follows:

smbclient -L -I host.domain.com

This command lists the shareable resources on the machine located at the address represented by host.domain.com. In other words, if you're looking at an NT system with the fully qualified TCP/IP domain name srv1.ntshop.net, enter that name in place of host.domain.com:

smbclient -L -I srv1.ntshop.net

Table 2 is an example of the output you can expect. If you add your Windows system's IP addresses to the UNIX /etc/hosts file, you can omit the -I parameter and type your Windows host's NetBIOS name instead. Otherwise you'll have to use the -I parameter so Samba can resolve the Windows NetBIOS name to an IP address. Take note here that if your network doesn't use at least one DNS server, you'll have to add your systems to the /etc/hosts file anyway.

The next command you'll use frequently is the command to mount a Windows shared resource. Here's the proper syntax:

smbclient '\\servername\sharename' -I host.domain.com -U username

Suppose you're trying to mount a share, DOCS, on a Windows host, SERVER1. The fully qualified domain name is srv1.ntshop.net, and your Windows username is RobHill. Enter the following command:

smbclient '\\server1\docs' -I srv1.ntshop.net -U RobHill

Pay attention to the single quotes around the \\server1\docs parameter; they are a required part of the command. Also, remember that you can be prompted for a password. If the share is on a WFW machine, you must enter the share password as defined on that system. And likewise, if the share is on an NT Server or NT Workstation machine, or a Win95 system with user-level access configured, use your matching NT user password. In this example, it is the password assigned to user RobHill.

Remembering Smbclient syntax is no more difficult than remembering the Microsoft NET USE command syntax. By now, you're probably thinking, "Samba can't be this simple. What's the catch?" Read on.

Gotchas
As you can guess, Samba has its downsides. A few gotchas can lead to problems and frustration if you don't pay attention ahead of time.

First, Samba opens up your UNIX system to SMB attacks from the Internet, so if you can, make sure you block UDP ports 137 and 138 and TCP port 139 on your routers or firewalls that serve your Internet connections. This block stops intruders on the Internet from mounting your shared resources using smbclient or a Windows client. Also, use the hosts allow tag to your advantage because it limits which IP addresses connections can originate from.
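The hosts allow and public settings named above can be checked mechanically before the daemons are started. The following Python script is an added example, not part of the original article or of the Samba distribution: it parses smb.conf text and flags shares that need no password or that have no hosts allow restriction. The function names and the [scratch] share are constructed for illustration; guest ok, allow hosts, writeable, write ok and read only are alternate spellings Samba accepts for the parameters used in this article.

```python
"""Audit smb.conf text for the share-exposure settings discussed in the article."""
import re

TRUE = {"yes", "true", "1"}
# Alternate spellings Samba accepts for parameters used in the article.
SYNONYMS = {"guest ok": "public", "allow hosts": "hosts allow",
            "writeable": "writable", "write ok": "writable"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names normalised to lower case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key == "read only":               # inverse of writable
                key, value = "writable", "no" if value.lower() in TRUE else "yes"
            current[SYNONYMS.get(key, key)] = value
    return sections

def audit(text):
    """Return sorted (share, finding) tuples; [global] values act as defaults."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        effective = {**defaults, **params}
        public = effective.get("public", "no").lower() in TRUE
        writable = effective.get("writable", "no").lower() in TRUE
        if public:
            findings.append((name, "public = yes: no password required"))
        if public and writable:
            findings.append((name, "unauthenticated users can write"))
        if not effective.get("hosts allow", ""):
            findings.append((name, "no hosts allow: any source address accepted"))
    return sorted(findings)

# Constructed sample: the article's two shares plus a deliberately weak one.
SAMPLE = """\
[global]
security = server
password server = NTBOX
[new-share]
valid users = mark
public = no
writable = yes
hosts allow = 247.252.251.0/255.255.255.0
[printer1]
public = no
printable = yes
; constructed weak share, not from the article
[scratch]
guest ok = yes
read only = no
"""

if __name__ == "__main__":
    for share, finding in audit(SAMPLE):
        print(f"[{share}] {finding}")
```

Run against the sample, the script reports nothing for new-share, one finding for printer1 (no hosts allow) and three for the constructed scratch share.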

Also, Samba can easily mount shares on Windows 3.x and Win95 machines--especially those that are not password protected. Always use passwords on your Windows 3.x-based shares, and when possible, establish user-level access for Win95 shares.

WFW and Win95 both have a problem securing shares properly when you use these OSs with Samba connections. When these systems share a folder, bugs in Microsoft's SMB implementation over any networking protocol allow access to the entire drive, using the same permissions granted to the share. These shares are advertised on the network browse lists and available to any client on the local network. They are also available to anyone on the Internet who can determine the machine's correct IP address or fully qualified domain name.

Microsoft has released patches for this problem. The Win95 patch is on the Win95 Product Updates page at http://www.microsoft.com/windows/common/contentw95uga.com, and the WFW patch is on the Microsoft FTP site at ftp://ftp.microsoft.com/softlib/mslfiles/wfwvsrvr.exe. When I wrote this article, the Win95 patch worked only on the US/English version, and all non-English versions of Win95 were still vulnerable to the problem. You can find more information about securing Microsoft systems at http://www.ntshop.net.

If you use Samba from a Windows client, filename case sensitivity can be a big problem. UNIX systems pay attention to character case. In other words, test.txt and Test.txt are entirely different files. Case sensitivity can be a problem when you're using some applications, such as text editors and decompression programs from a Windows client, to write data to a UNIX server. Some client packages don't pay attention to case sensitivity in filenames, and others do. Typically, software "Designed for Windows 95 and NT" works best. As people say on the Internet, YMMV (your mileage may vary), depending on the client OS and software you use. Be sure to test carefully.

UNIX and NT Integrated
So you see, integrating UNIX and NT for simple file and print services isn't very difficult. Keep in mind that you can do lots of other functional things with Samba--I've only scratched the surface here. So make sure you read all the manual pages and text files, and be aware of the pitfalls I pointed out. One final note, you can locate information on where to get help using Samba in the included Support.txt file. So, now that you've gotten UNIX and NT integrated to some extent, perhaps it's a good time to tackle that Novell or VMS server.


TABLE 1: Field Definitions

Field: Definition

comment: Appears in the network browse list next to the share name.

path: Directory to be shared.

valid users: List of users allowed to access this share. If this field is defined and blank, anyone can connect to the share. If you omit the field, no one can connect to this share.

public: Determines whether a password is required to access the share. Yes means anyone can connect without a password, and no means users are authenticated (validated) before being granted access.

writable: Determines whether users can create files and directories in this share.

printable: Determines whether a user can open and write print spool files to the directory.

create mask: Sets file permissions used for converting from DOS mode to UNIX mode. Leave this field set as is, unless you know what you're doing. UNIX administrators know how to set this field correctly for their environment. Use the man chmod UNIX command for further information on file permissions.

hosts allow: Lists host IP addresses used to control where users may connect from. For example, an IP address pool defined by the IP network address 247.252.251.0 with the subnet mask 255.255.255.0 includes all addresses from 247.252.251.0 through 247.252.251.254--thus allowing access from a pool of 255 addresses.

browseable: Determines whether the new-share is visible in a network browse list (Network Neighborhood on Win95 and NT). The default is yes, so you don't necessarily have to add this line.

TABLE 2: Shares on a Windows Host

Sharename   Type      Comment
ADMIN$      Disk      Remote Admin
C$          Disk      Default Share
D$          Disk      Default Share
HP660C      Printer   HP Deskjet 660C
IPC$        IPC       Remote IPC
NETLOGON    Disk      Logon Server Share
print$      Disk      Printer Drivers

Samba
Author: Andrew Tridgell
Email: andrew.tridgell@anu.edu.au
Web: http://lake.canberra.edu.au/pub/samba/samba.html
Price: Download for free at Samba's Web site
System Requirements: Runs on most UNIX varieties, and supports Microsoft, Novell, and VMS networks.
