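% Prosper slide deck: ``Samba --- Interoperating with Windows'' (OSSI).
%
% The source must keep one statement per line: `%' comments run to the end
% of the physical line, and the alltt/verbatim/listing environments print
% their line breaks literally, so a whitespace-collapsed copy of this file
% comments out the \documentclass line and destroys every transcript.
%
% NOTE(review): \SMB, \NT, \PDC, \UNIX, \LDAP, \OS, \WINS, \POSIX, \red and
% \green are used below but not defined in this file; presumably they come
% from the class or from the acro/nick packages -- confirm.
%\documentclass[colorBG,slideColor,troispoints,pdf]{prosper}
\documentclass[colorBG,total,slideColor,pdf]{prosper}
%\documentclass[colorBG,slideColor,ps]{prosper}
\usepackage{alltt,key,xr,cols,rcs,acro,nick,%
  graphicx,varioref,explanation,booktabs,multicol,moreverb}
%\usepackage[nolineno,noindent]{lgrind}
%\definecolor{green}{rgb}{0,1,0}
\RCS $Revision: 1.2 $
\renewcommand*{\bs}{\texttt{\char '134}}  % Backslash `\'
\newcommand*{\subject}{Operating Systems and Systems Integration}
\newcommand*{\emphcolour}[1]{\emph{\red#1}}

% Acronym macros.  \providecommand leaves any definition that a package
% loaded above has already made untouched.
\providecommand*{\RPM}{\acro{RPM}\xspace}
\providecommand*{\CD}{\acro{CD}\xspace}
\providecommand*{\IPC}{\acro{IPC}\xspace}
\providecommand*{\UID}{\acro{UID}\xspace}
\providecommand*{\GID}{\acro{GID}\xspace}
\providecommand*{\SMP}{\acro{SMP}\xspace}
\providecommand*{\API}{\acro{API}\xspace}
\providecommand*{\OK}{\acro{OK}\xspace}
% Was \acro{OK}: a copy-and-paste slip from the line above.
\providecommand*{\IETF}{\acro{IETF}\xspace}
\providecommand*{\MS}{\acro{MS}\xspace}
\providecommand*{\IOS}{\acro{IOS}\xspace}
\providecommand*{\NETBIOS}{Net\acro{BIOS}\xspace}
\providecommand*{\SMTP}{\acro{SMTP}\xspace}
\providecommand*{\RADIUS}{\acro{RADIUS}\xspace}
\providecommand*{\NTP}{\acro{NTP}\xspace}
\providecommand*{\NNTP}{\acro{NNTP}\xspace}
\providecommand*{\POP}{\acro{POP}\xspace}
\providecommand*{\IMAP}{\acro{IMAP}\xspace}
\providecommand*{\IPX}{\acro{IPX}\xspace}
\providecommand*{\CAT}{\acro{CAT}\xspace}
\providecommand*{\BDC}{\acro{BDC}\xspace}
\providecommand*{\ADS}{\acro{ADS}\xspace}
\providecommand*{\ACL}{\acro{ACL}\xspace}
\providecommand*{\NAS}{\acro{NAS}\xspace}

\title{Samba}
\subtitle{Interoperating with Windows}
\author{Nick Urbanik \texttt{}\\
  \footnotesize{}Copyright Conditions: GNU FDL (see
  \url{http://www.gnu.org/licenses/fdl.html})}
\institution{Department of Information and Communications Technology}
\slideCaption{OSSI --- Samba --- ver.~\RCSRevision}
\Logo{\includegraphics[width=15mm]{ict-logo-smaller}}

\begin{document}
\maketitle

\begin{slide}{Samba}
  \begin{itemize}
  \item Implements Microsoft's \SMB protocol
  \item \SMB = Server Message Block, gave project its name
  \item achieved through reverse engineering Microsoft's proprietary
    protocols (no help from \MS, but hindrance)
  \item good reputation for stability and performance, outperforming
    \MS servers in both respects
  \item Current production version supports use as a Windows \NT
    compatible server (file sharing, printing, support for network
    browsing)
  \item Runs on many platforms, including very powerful Solaris machines
    \begin{itemize}
    \item Most powerful Windows servers run Solaris, not Microsoft
      software!
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Samba 2.2.x}
  \begin{itemize}
  \item The release provided with current Linux systems
  \item Works as an \NT4 compatible \PDC
  \item \emphcolour{Winbind} (part of samba) allows Linux and \UNIX
    machines to join a Windows Domain
  \item Samba can use \LDAP to authenticate against
  \item Both samba 2.2.x and 3 have been put into commercial products,
    such as Network Attached Storage (\NAS) hardware
  \item Macintosh \OS X uses samba to provide services to Windows
    clients, and also to access Windows services.
  \end{itemize}
\end{slide}

\begin{slide}{Limitations of Samba 2.2.x --- 1}
  \begin{itemize}
  \item Does not support Active Directory in the way that a Windows 2000
    server does
  \item Samba 2.2 cannot interact with a Microsoft Backup Domain
    Controller (\BDC) but it can be a \BDC for another samba server
  \item User information stored on a Samba \PDC is not as complete as
    that stored on a Windows \PDC
  \item Samba obeys Linux group file access permissions on the \PDC, but
    it does not tell the client machine about it properly.  Group file
    permissions are hard to set from a client.
  \end{itemize}
\end{slide}

\begin{slide}{Limitations of Samba 2.2.x --- 2}
  \begin{itemize}
  \item Full support for \ACL{}s (access control lists) depends on
    applying a patch to the Linux kernel and recompiling the kernel, or
    waiting till the Linux 2.6.x kernel is released
  \item When samba is working as a \WINS server, it cannot replicate to
    other \WINS servers, whether Microsoft or samba.
  \item Support for Unicode is not very good (greatly improved in
    samba 3)
  \end{itemize}
\end{slide}

\begin{slide}{Samba Version 3 (alpha release)}
  \begin{itemize}
  \item Currently used in some commercial systems, but documentation not
    complete
  \item See {\footnotesize
      \url{http://us1.samba.org/samba/ftp/alpha/WHATSNEW.txt}}
  \item Supports Active Directory: a Samba 3 server can join an \ADS
    realm as a member server and authenticate users using
    \LDAP/Kerberos
  \item Supports migrating from a Windows \NT 4 domain
  \item Supports trust relationships with Windows \NT domain controllers
  \item \texttt{samba-3.0alpha24-1.i386.rpm} has been available since
    16 May 2003 from \url{http://www.samba.org/}
  \end{itemize}
\end{slide}

\begin{slide}{Parts of Samba}
  \begin{itemize}
  \item Samba consists of two services:
    \begin{itemize}
    \item \texttt{smbd}, which does the file sharing, provides print
      services, and handles authentication of clients, which can be any
      version of Windows or Linux;
    \item \texttt{nmbd}, which does name resolution (the ``\WINS''
      server), and provides support for browsing the network in the
      ``Network Neighbourhood''
    \end{itemize}
  \item The other parts you will work with include:
    \begin{itemize}
    \item The configuration file, \texttt{/etc/samba/smb.conf}
    \item \texttt{testparm} which checks the syntax of
      \texttt{/etc/samba/smb.conf}
    \item The \texttt{smbpasswd} program for setting and changing samba
      passwords
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Other Samba Utilities}
  \begin{itemize}
  \item \texttt{nmblookup} is useful for troubleshooting \NETBIOS name
    lookup from \WINS servers or from samba
  \item \texttt{smbclient} is useful for testing samba and Microsoft
    servers
  \item \texttt{smbmount} mounts \SMB shares from samba or Windows
    servers locally.
    \begin{itemize}
    \item Usually not necessary to call this directly, you can use
      \texttt{mount}.
    \end{itemize}
  \item \texttt{smbtar} is useful for backing up a Windows machine over
    the network to a Linux or \UNIX machine.
  \item Many others, all with \texttt{man} pages.  See
    \texttt{rpm -ql samba-client}.
  \end{itemize}
\end{slide}

% NOTE(review): the transcript below shows samba-swat installed.  SWAT logs
% in with the root password, so the service should be left disabled or
% limited to the local host unless the connection is tunnelled.
\begin{slide}{Is samba installed? --- 1}
  \begin{itemize}
  \item On an \RPM based system, such as Red Hat Linux, do:
\begin{alltt}
$ \textbf{rpm -qa | grep samba}
samba-swat-2.2.7-5.8.0
samba-2.2.7-5.8.0
samba-client-2.2.7-5.8.0
samba-common-2.2.7-5.8.0
\end{alltt}%$
    This tells us that:
    \begin{itemize}
    \item the samba server is installed, together with
    \item the \texttt{swat} web configuration system, and that
    \item samba version 2.2.7 is installed
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Is samba installed? --- 2}
  \begin{itemize}
  \item You can also check on any system that samba is installed, and
    find the version with:
\begin{alltt}
$ \textbf{smbd -V}
Version 2.2.7-security-rollup-fix
$ \textbf{nmbd -V}
Version 2.2.7-security-rollup-fix
\end{alltt}
    Note that this is an updated version, for Red Hat version 8.0.
  \end{itemize}
\end{slide}

\begin{slide}{Starting, Stopping Samba}
  \begin{itemize}
  \item Starting, stopping the samba service is the same as with any
    other service on Linux.
  \item Here we assume that \texttt{/sbin} is on your \texttt{PATH}.  If
    not, you can simply type \texttt{/sbin/service} instead of
    \texttt{service}.
  \item Is the service running?
\begin{alltt}
$ \textbf{sudo service smb status}
smbd is stopped
nmbd is stopped
\end{alltt}%$
  \end{itemize}
\end{slide}

\begin{slide}{Starting, Stopping Samba --- 2}
  \begin{itemize}
  \item To start the two samba daemons:
\begin{alltt}\tiny
$ \textbf{sudo service smb start}
Starting SMB services:          [  {\green{}OK}  ]
Starting NMB services:          [  {\green{}OK}  ]
\end{alltt}%$
  \item We can verify that they are running:
\begin{alltt}\tiny
$ \textbf{sudo service smb status}
smbd (pid 2523) is running...
nmbd (pid 2527) is running...
\end{alltt}%$
  \item We can stop the service in the same way as other services:
\begin{alltt}\tiny
$ \textbf{sudo service smb stop}
Shutting down SMB services:     [  {\green{}OK}  ]
Shutting down NMB services:     [  {\green{}OK}  ]
\end{alltt}%$
  \end{itemize}
\end{slide}

\begin{slide}{Starting Samba Automatically}
  \begin{itemize}
  \item Ensuring samba starts when the server boots is the same as for
    any other service.
  \item Is the service configured to start on boot?
\begin{alltt}\tiny
$ \textbf{chkconfig smb --list}
smb     0:off   1:off   2:off   3:off   4:off   5:off   6:off
\end{alltt}%$
    This tells us that it is not configured to start at any runlevel.
\begin{alltt}\tiny
$ \textbf{sudo chkconfig smb on}
\end{alltt}%$
  \item Now let's check to see if we turned it on:
\begin{alltt}\tiny
$ \textbf{chkconfig smb --list}
smb     0:off   1:off   2:on    3:on    4:on    5:on    6:off
\end{alltt}%$
  \item Now it will start automatically in runlevels 2, 3, 4 and 5.
  \end{itemize}
\end{slide}

\begin{slide}{Configuration: \texttt{/etc/samba/smb.conf}}
  \begin{itemize}
  \item Divided into \emphcolour{sections}
  \item Two kinds of sections:
    \begin{itemize}
    \item \emphcolour{global} section, holds information about the
      operation of the whole server
    \item \emphcolour{share} sections, hold information about each
      ``share'' or service provided by server
    \end{itemize}
  \item \emphcolour{Comments} start with either a hash `\texttt{\#}' or
    a semi-colon~`\texttt{;}'
  \item Extensive documentation in \texttt{man smb.conf}
  \end{itemize}
\end{slide}

% The two discussion slides that follow quote line numbers from this
% listing; keep one option per line and do not insert lines.
% NOTE(review): smbpasswd (line 10) holds password hashes that are as good
% as the passwords themselves for SMB authentication; the file should be
% readable by root only.
\begin{slide}{Example \texttt{/etc/samba/smb.conf} --- 1}
  \label{sld:global}%
\begin{listing}[1]{1}
[global]
    netbios name = my-name
    workgroup = my-named
    add user script = /usr/sbin/useradd \
        -n -g machines \
        -c 'Samba Machine PDC member' \
        -d /dev/null -s /bin/false -M %m$
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    username map = /etc/samba/smbusers
    os level = 65
    domain logons = yes
    logon script = scripts\%U.bat
    wins server = 192.168.68.240
\end{listing}%$
\end{slide}

\begin{slide}{Discussing Example --- 1}
  \begin{itemize}
  \item Configuration is for a Primary Domain Controller (\PDC)
  \item Slide~\pageref{sld:global} shows global options that determine
    overall behaviour of samba
    \begin{itemize}
    \item lines 2 and 3 determine the ``computer name'' and domain name
      of this \PDC
    \item lines 4--7 are executed to automatically create a special
      account for any computer that joins the domain
    \item line 8 requires a username and password for someone to access
      resources from the server
    \item line 11 tells samba to use a file that maps Windows names to
      Linux names, e.g., \texttt{administrator} $\to$ \texttt{root}
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Discussion of global section --- 2}
  \begin{itemize}
  \item line 12 increases samba's chances of winning ``browser
    elections'' with Windows machines (see the documentation about
    browsing)
  \item line 13 says that this is a \PDC
  \item line 14 tells samba where to find login scripts
  \item line 15 tells samba to act as a \WINS client of that machine
    \begin{itemize}
    \item To make samba a \WINS server, provide a line like this:
\begin{verbatim}
wins support = yes
\end{verbatim}
    \end{itemize}
  \end{itemize}
\end{slide}

% The next slide quotes line numbers from this listing; keep one option per
% line and do not insert lines.
% NOTE(review): `valid users = %S' in [homes] would restrict each home
% share to the user it is named after; it is not added to the listing so
% that the quoted line numbers stay valid.
% NOTE(review): [netlogon] does not set `writable', so it is read-only over
% SMB.  Keep the directory writable by administrators only: the logon
% scripts stored in it are run by clients at logon.
\begin{slide}{Example \texttt{/etc/samba/smb.conf} --- 2}
  \label{sld:shares}%
\begin{listing}[1]{1}
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[netlogon]
    comment = Network Logon Service
    path = /var/samba/netlogon
    guest ok = no
    share modes = no
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    printable = yes
\end{listing}
\end{slide}

\begin{slide}{Discussing slide~\pageref{sld:shares}}
  \begin{itemize}
  \item Slide~\pageref{sld:shares} shows configuration for individual
    shares and services offered by the server
  \item The \emphcolour{homes} section (lines 1--4) allows users to
    automatically access their Linux home directories from the client
    when they log into the domain.
    \begin{itemize}
    \item Will appear as a share with the same name as the Linux
      username.
    \end{itemize}
  \item The \emphcolour{netlogon} section (lines 5--9) is necessary to
    handle domain log[io]ns, which fail if this share does not exist.
    \begin{itemize}
    \item It stores log[io]n scripts and system policy files.
    \end{itemize}
  \item The \emphcolour{printers} section (lines 10--15) allows any user
    to print from a Windows client to a Linux printer.
  \end{itemize}
\end{slide}

% The profiles directory has to be writable by every user.  It was created
% with mode 777, which lets any local user rename or delete another user's
% profile directory; 1777 adds the sticky bit to prevent that.
\begin{slide}{profiles share}
\begin{verbatim}
[profiles]
    path = /var/samba/profiles
    browsable = no
    writeable = yes
    create mask = 0600
    directory mask = 0700
\end{verbatim}
  \begin{itemize}
  \item Supports roaming profiles on NT/2000/XP
  \item The directory in \texttt{path} must exist and be writable:
\begin{alltt}\footnotesize
$ \textbf{sudo mkdir -p /var/samba/\{profiles,netlogon\}}
$ \textbf{sudo chmod 775 /var/samba/netlogon}
$ \textbf{sudo chmod 1777 /var/samba/profiles}
\end{alltt}%$
    The leading \texttt{1} is the sticky bit: users cannot delete or
    rename each other's profile directories.
  \end{itemize}
\end{slide}

\begin{slide}{Samba Accounts}
  \begin{itemize}
  \item Note that each user needs to have \emphcolour{two} account
    entries:
    \begin{itemize}
    \item a \POSIX account entry (i.e., an entry in
      \texttt{/etc/passwd}, or an \LDAP \POSIX account)
    \item a Samba account entry, which for samba 2.2 is generally in
      \texttt{/etc/samba/smbpasswd}, but can also be in an \LDAP
      directory.
    \end{itemize}
  \item Unless both exist, you will not get access to the samba server
    from any client.
  \item Machines that join the domain also need an entry in the
    \texttt{/etc/passwd} file (or in the \LDAP directory).
  \item This is created automatically with the
    \texttt{add user script} entry in your \texttt{smb.conf} file.
    \begin{itemize}
    \item See lines 4--7 of slide~\pageref{sld:global}
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Documentation}
  \begin{itemize}
  \item Enormous amounts of documentation in
    \texttt{/usr/share/doc/samba-2.2.*/}
    \begin{itemize}
    \item \texttt{Samba-HOWTO-Collection.pdf} is very helpful
    \end{itemize}
  \item The manual pages are extensive and quite complete.
    \texttt{man smb.conf} is helpful.
  \item You can visit the samba website to see more documentation:
    \url{http://us1.samba.org/samba/samba.html}
  \item The printed book, \emph{Using Samba}, 2nd Edition, O'Reilly,
    2003, ISBN 0-596-00256-4 is very clear and helpful.
  \end{itemize}
\end{slide}

\end{document}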