Windows, Linux, and Samba

Windows Networking (A Brief History):

Microsoft LAN networking started with LAN Manager under DOS (originally from 3COM). It provided the ability to “share” printers and hard drives from a standalone PC over the network. Share names were of the format \\servername\sharename. LAN Manager drivers were installed as extensions of the BIOS over the network, hence the term NETBIOS. Because Local Area Networks were in their infancy, Microsoft created its own Ethernet frame type for NETBIOS, called the NETBIOS Extended User Interface (NETBEUI), also known as the NetBIOS Frame type (NBF), a non-routable LAN protocol.

NETBIOS was first integrated into Windows in Windows for Workgroups (WFW) 3.11, a server flavor of the ubiquitous Windows 3.1 workstation. Password security, and later user ID and password security, for network shares was added. The server and its associated user workstations were called a Workgroup and shared a common Workgroup name.

This security was integrated into the server follow-on to WFW 3.11, Windows NT 3.1, in a file called the Security Account Manager (SAM) database. This security was called NT LAN Manager, or NTLM. Microsoft later extended this security from a standalone server to groups of servers called Domains. The servers containing the SAM database were called Domain Controllers. There are two types of Domain Controllers: one Primary (PDC) with a read/write copy of the SAM, and Backup (BDC) controllers with read-only copies of the SAM. The domain construct remained through Windows NT 4.0.

TCP/IP protocol stacks were first integrated into WFW 3.11 and later into Windows 95 and Windows NT Server and Workstation, with NETBIOS support running over IP using TCP/UDP ports 135, 137 and 139.

Windows 2000 introduced an additional layer on top of the NETBIOS/Domain construct called Active Directory. Active Directory is an LDAP-compliant network directory structure that uses Dynamic DNS instead of NETBIOS broadcasts for server name resolution. Domains are grouped under Active Directory “trees” within AD “forests”. Though Domain Controllers still exist under AD, they all contain R/W copies of their Domain information and synchronize among themselves. Security no longer relies on NTLM, but instead uses a certificate based security called Kerberos. Note that AD still supports NETBIOS Domains and Workgroups in backward-compatible form using NTLM.

TCP/IP became the default protocol for Windows 2000, with Active Directory using TCP/UDP port 445 and LDAP using port 389. Native Windows file and print sharing over IP without NETBIOS is referred to as SMB (Server Message Block, the native server language) over IP, or as the Common Internet File System (CIFS); both use port 445.

LDAP is a directory interface protocol derived from the old (and obsolete) CCITT X.400 and X.500 e-mail interface standards and uses a naming structure of the form CN=Donna_James,OU=Sales,DC=MYCOMPANY,DC=COM. CN means Common Name, OU means Organizational Unit, DC means Domain Component. LDAP names map to DNS names of the form ; in NETBIOS form this is usually user Donna_James in the NETBIOS domain Sales with the tree name mycompany.com.

Samba Introduction:

Samba is a suite of utilities that allows your Linux box to share files and other resources, such as printers, using Windows networking, acting as either a workstation or a server. Linux can be made into a Windows Primary Domain Controller (PDC) for an NT domain or a server for a standalone Workgroup, and either configuration gives everyone at home access to data on the Linux box. Linux can also be configured to act as a Windows client (workstation) to a Windows server. Note that although Linux can participate in Domains as a PDC or relay security requests to an AD Domain Controller, it cannot currently participate directly in an AD network as an AD-aware Domain Controller. This capability is under development by the Samba Working Group.

This chapter describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either configuration will allow everyone at home to have:

  • their own logins on all the home Windows boxes while having their files on the Linux box appear to be located on a new Windows drive
  • shared access to printers on the Linux box
  • shared files accessible only to members of their Linux user group.

What's the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter, but this simple explanation should be enough:

  • A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.
  • In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.

This chapter will only cover the much more popular PDC methodology used at home. By default, Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba domains and Linux share the same usernames, so you can log into the Samba-based Windows domain using your Linux password and immediately gain access to files in your Linux user's home directory. For added security you can make your Samba and Linux passwords different.

When it starts up, and with every client request, the Samba daemon reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor, the Web-based SWAT, or the Samba configuration utility, which is easier. Keep in mind, however, that if you create /etc/samba/smb.conf with a text editor and subsequently use SWAT or the Samba configuration utility to edit the file, you will lose all the comments you inserted with the text editor.

Download and Install Packages

Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard.

Samba is comprised of a suite of RPMs that come on the Fedora CDs. The files are named:

  • samba
  • samba-common
  • samba-client
  • samba-swat (Samba Web interface, obsolete under Fedora)
  • samba-config

When searching for the file, remember that the RPM's filename usually starts with the RPM name followed by a version number as in samba-client-3.0.0-15.i386.

How to Get Samba Started

  • You can configure Samba to start at boot time using the chkconfig command:

[root@bigboy tmp]# chkconfig smb on

  • You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:

[root@bigboy tmp]# service smb start

[root@bigboy tmp]# service smb stop

[root@bigboy tmp]# service smb restart

Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.

  • You can test whether the smb process is running with the pgrep command; you should get a response of plain old process ID numbers:

[root@bigboy tmp]# pgrep smb

The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections, which Table 10-1 outlines:

Table 10-1: File Format - smb.conf

Section / Description
[global] / General Samba configuration parameters
[printers] / Used for configuring printers
[homes] / Defines treatment of user logins
[netlogon] / A share for storing logon scripts. (Not created by default.)
[profiles] / A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)

You can edit this file by hand, through the Samba web interface (SWAT, no longer supported under Fedora), or with the Samba configuration utility.

Creating A Starter Configuration

I'll now illustrate how to configure a Samba server to be the PDC for a small network using the GUI. Under GNOME the GUI is under System/Administration/Servers/Samba. You'll need to edit the various sections of the smb.conf file, so I'll walk you through what you'll find in each.

The [Global] Section

The [global] section governs the general Samba settings. Table 10-2 explains the parameters you need to set in order to create a PDC.

Table 10-2: smb.conf Minimum Settings, "Global" Section

Parameter / Value / Description
domain logons / Yes / Tells Samba to become the PDC
preferred master / Yes / Makes the PDC act as the central store for the names of all Windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser.
domain master / Yes / Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks.
os level / 65 / Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win.
wins support / Yes / Allows the Samba server to provide name services for the network; in other words, it keeps track of the IP addresses of all the domain's servers and clients.
time server / Yes / Lets the Samba server provide time updates for the domain's clients.
workgroup / "homenet" / The name of the Windows domain we'll create. The name you select is your choice; I've decided to use "homenet".
security / user / Makes domain logins query the Samba password database located on the Samba server itself.

  1. To set the values, edit the [global] section of /etc/samba/smb.conf as follows:

[global]
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes

Note: security = user and wins support = yes are default settings for Samba, so they may not show up in your smb.conf file.
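As an added check that is not part of the original chapter, the shell functions below read the [global] section of an smb.conf and compare it against the Table 10-2 values. Samba ignores case and whitespace in section and parameter names and splits each line at the first equals sign only, so the parser normalises names the same way before comparing. The check requires every one of the seven parameters to be written explicitly, including the two the note says may be absent, so that the file documents the PDC settings instead of relying on defaults. The sample smb.conf, the function names and the temporary file paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original chapter: verify the Table 10-2 PDC
# settings in the [global] section of an smb.conf.  Function names and the
# sample configuration below are constructed for this demonstration.

# Print the value of one [global] parameter (nothing if it is not set).
# Samba treats section and parameter names case- and whitespace-insensitively
# and splits each line at the first "=", so the same rules are applied here.
# Usage: smb_global_param <smb.conf path> <parameter name>
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want); insec = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            c = substr(line, 1, 1)
            if (c == "" || c == "#" || c == ";") next       # blank or comment
            if (c == "[") {                                  # section header
                sec = substr(line, 2, index(line, "]") - 2)
                insec = (norm(sec) == "global"); next
            }
            eq = index(line, "=")
            if (insec && eq > 0) {
                name = substr(line, 1, eq - 1)
                val  = substr(line, eq + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                if (norm(name) == want) { print val; exit }
            }
        }' "$1"
}

# Report [global] parameters that differ from the Table 10-2 PDC values.
# Prints one line per problem; returns 0 if everything matches, 1 otherwise.
# Usage: smb_check_pdc <smb.conf path>
smb_check_pdc() {
    chk_rc=0
    while IFS='|' read -r chk_name chk_want; do
        chk_have=$(smb_global_param "$1" "$chk_name" | tr 'A-Z' 'a-z')
        case "$chk_have" in             # Samba accepts yes/true/1 and no/false/0
            yes|true|1) chk_have=yes ;;
            no|false|0) chk_have=no ;;
        esac
        if [ "$chk_have" != "$chk_want" ]; then
            printf '[global] %s = %s (expected %s)\n' \
                "$chk_name" "${chk_have:-<unset>}" "$chk_want"
            chk_rc=1
        fi
    done <<EOF
domain logons|yes
preferred master|yes
domain master|yes
os level|65
wins support|yes
time server|yes
security|user
EOF
    return $chk_rc
}

# Constructed sample smb.conf (mixed case and spacing on purpose); prints its path.
smb_sample_conf() {
    smb_tmp=$(mktemp)
    cat > "$smb_tmp" <<'EOF'
# constructed sample, not a real server's file
[Global]
   WorkGroup = HOMENET
   Time Server = yes
   DomainLogons = true
   os level = 65
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   security = user
[homes]
   read only = No
   browseable = No
EOF
    printf '%s\n' "$smb_tmp"
}

# Stand-alone demonstration: the full sample passes; a copy with
# "domain master" removed is reported.
SMB_CONF=$(smb_sample_conf)
smb_check_pdc "$SMB_CONF" && echo "$SMB_CONF: all Table 10-2 settings present"
grep -v 'domain master' "$SMB_CONF" > "$SMB_CONF.partial"
smb_check_pdc "$SMB_CONF.partial" || echo "$SMB_CONF.partial: fix the lines above"
```

On a real server, run smb_check_pdc /etc/samba/smb.conf; a non-zero exit with no output means the file could not be read, while each printed line names one parameter to add or correct.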

The [homes] Section

Part of the process of adding a user to a Samba domain requires you to create a Linux user on the Samba PDC itself. When you log into the Samba PDC, you'll see a new drive, usually named Z:, added to your PC. This is actually a virtual drive that maps to the corresponding Linux user's home directory on the Linux PDC.

Samba considers all directories to be shares that can be configured with varying degrees of security. The [homes] section governs how Samba handles default login directories.

Table 10-3 explains the minimum settings you need to create a functional [homes] section.

Table 10-3: smb.conf Minimum Settings, "Home" Section

Parameter / Value / Description
browseable / No / Doesn't allow others to browse the contents of the directory
read only / No / Allows the Samba user to also write to their Samba Linux directory
create mask / 0664 / Gives new files created by the user "644" permissions. You want to change this to "0600" so that only the login user has access to the files.
directory mask / 0775 / Gives new sub-directories created by the user "775" permissions. You want to change this to "0700" so that only the login user has access to the directories.

  1. Set the values in /etc/samba/smb.conf as follows:

[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755
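Table 10-3 recommends 0600 and 0700 so that only the login user can reach files in the home share. The shell functions below, an added example rather than text from the chapter, model the rule Samba documents for turning create mask and directory mask into Unix permissions: a new file starts from 0666 and a directory from 0777, the mask is ANDed in, force create mode or force directory mode is ORed in, and with Samba's default map archive = yes the DOS archive bit (which Windows sets on every new file) becomes the owner execute bit. This lets a candidate mask be checked before it goes into smb.conf. The function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original chapter: model how Samba derives the
# Unix mode of a new file or directory from "create mask" / "directory mask",
# following the rule in the smb.conf documentation:
#   file:      (0666, plus owner-execute when the DOS archive bit is set and
#               "map archive = yes", Samba's default) AND create mask, OR force create mode
#   directory: 0777 AND directory mask, OR force directory mode
# Both "force ..." parameters default to 0000.  Function names are constructed.

# Usage: samba_file_mode <create mask> [force create mode] [archive yes|no]
# Prints the mode a new file would receive, in four-digit octal.
samba_file_mode() {
    sfm_mask=$1; sfm_force=${2:-0000}; sfm_archive=${3:-no}
    sfm_base=0666
    # Windows sets the archive bit on every new file, so with map archive = yes
    # the owner execute bit is requested and only the mask can strip it.
    [ "$sfm_archive" = yes ] && sfm_base=0766
    printf '%04o\n' $(( (sfm_base & sfm_mask) | sfm_force ))
}

# Usage: samba_dir_mode <directory mask> [force directory mode]
# Prints the mode a new directory would receive, in four-digit octal.
samba_dir_mode() {
    printf '%04o\n' $(( (0777 & $1) | ${2:-0000} ))
}

# Return 0 (true) when the group or other bits of a mode grant any access,
# i.e. other local users of the Linux box can reach the file or directory.
samba_mode_shared() {
    [ $(( $1 & 0077 )) -ne 0 ]
}

# Stand-alone demonstration covering the Table 10-3 values and the
# recommended 0600 / 0700 replacements.
for m in 0664 0644 0600; do
    printf 'create mask %s    -> new file %s' "$m" "$(samba_file_mode "$m")"
    samba_mode_shared "$(samba_file_mode "$m")" && printf ' (reachable by other local users)'
    printf '\n'
done
for m in 0775 0755 0700; do
    printf 'directory mask %s -> new dir  %s\n' "$m" "$(samba_dir_mode "$m")"
done
```

Two consequences worth noticing: a create mask such as 0775 never yields an executable file unless the archive bit is mapped (0666 AND 0775 is 0664), and a force create mode ORs bits back in regardless of how tight the mask is, so the two parameters have to be reviewed together.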

The [netlogon] and [profiles] Share Sections

The [netlogon] share section contains scripts that the Windows clients may use when they log into the domain. The [profiles] share section stores settings related to the look and feel of Windows, such as favorites and desktop icons, so that the user has the same settings no matter which Windows PC they log into.

Your smb.conf file should look like this when you're finished:

[netlogon]
path = /home/samba/netlogon
guest ok = Yes

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700

Remember to create these share directories from the command line afterwards.

[root@bigboy tmp]# mkdir -p /home/samba/netlogon
[root@bigboy tmp]# mkdir -p /home/samba/profiles
[root@bigboy tmp]# chmod -R 0755 /home/samba

The [printers] Share Section

Samba has special shares just for printers, and these are configured in the [printers] section. There is also a share under [printers], called printers, which governs common printer settings. Print shares always have the printable parameter set to yes. The default smb.conf [printers] share section looks like this:

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Shares For Specific Groups Of Users

The default Samba Version 3 smb.conf file you saved at the beginning of this exercise has many varied examples that you may use and apply to your particular environment.

You can find the steps for creating a simple shared directory below.

Samba Passwords

You should be aware that your Linux password and Samba password are stored in two different locations. This gives the Samba administrator the flexibility of allowing only some of the Linux users to have Samba accounts.

Use the passwd command to change Linux passwords, which are stored in the /etc/shadow file. Samba passwords are stored in the /etc/samba/smbpasswd file and are changed with the smbpasswd command.

This difference is important, as you will see throughout the chapter.

How To Create A Samba PDC Administrator User

To do user administration with Samba you'll need to create administrator accounts on the Samba PDC Linux server.

Home Environment

By default, the root user is the Samba administrator, which would require the Linux root password to be used. Fortunately, you can add workstations to the Windows domain with a Samba-specific root password instead. This is created using the smbpasswd command.

[root@bigboy tmp]# /usr/bin/smbpasswd -a root password

Note: Remember that regular Linux logins via the console, Telnet or SSH use the Linux password, which is set with the passwd command. Samba domain logins use the password set with smbpasswd. Samba passwords are stored in the /etc/samba/smbpasswd file.

Corporate Environment

In a corporate environment, you may want more than one person to administer Samba, each with their own usernames. Here are the steps to do this:

1. Create a Linux user group, such as sysadmin with the groupadd command.

2. Update your smb.conf file so that the sysadmin group is listed in the [global] parameter settings.

domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin

3. Create individual Linux users that are part of this group.

4. Use the smbpasswd command to create Samba passwords for Domain logins for this group. For security reasons this password may be different from the Linux password used to log into the Linux system from the console, via telnet or ssh. (Remember that Linux passwords are changed with the passwd command.)

How To Add Workstations To Your Samba Domain

Adding workstations to a Samba domain is a two-step process: first create workstation trust accounts on the Samba server, then log into each workstation to add it to the domain.

Create Samba Trust Accounts For Each Workstation

A PDC will accept user logins only from trusted PCs that have been placed in its PC client database. Samba can create these machine trust accounts in two ways, either manually or automatically.

Manual Creation Of Machine Trust Accounts (NT Only)

The commands in this example create a special Linux group for Samba clients and then add a special machine user that is a member of the group. The password for this user is then disabled, and the machine is added to the smbpasswd file to help keep track of which devices are members of the domain. In summary, a machine trust account needs entries in both the /etc/passwd and /etc/samba/smbpasswd files. Pay careful attention to the dollar sign ($) at the end and replace machine_name with the name of the Windows client machine.

[root@bigboy tmp]# groupadd samba-clients
[root@bigboy tmp]# /usr/sbin/useradd -g samba-clients \
    -d /dev/null -s /bin/false machine_name$
[root@bigboy tmp]# passwd -l machine_name$
[root@bigboy tmp]# smbpasswd -a -m machine_name

This is the only way to configure machine trusts using Windows NT.
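Two things the chapter states are easy to check mechanically: Samba and Linux passwords live in different files, so a Linux user may have no Samba account and a Samba entry may outlive its Linux user, and a machine trust account must exist in both /etc/passwd and /etc/samba/smbpasswd. The following audit, an added example that is not part of the chapter, cross-checks the two files and reports entries present in only one of them, uid disagreements, Samba accounts flagged as requiring no password, and machine accounts whose Linux login shell was not disabled as the commands above require. The two sample files, the hash placeholders and the function names are constructed for the example; on a real server point it at /etc/passwd and /etc/samba/smbpasswd.

```shell
#!/bin/sh
# Added example, not from the original chapter: cross-check /etc/passwd against
# the smbpasswd file.  smbpasswd lines have the form
#   name:uid:LM hash:NT hash:[flags]:LCT-<hex>:
# where the flags field holds U (user), W (workstation trust), D (disabled)
# and N (no password required).  The file contents below are constructed samples.

# Usage: samba_account_audit <passwd file> <smbpasswd file>
# Prints one finding per line, tagged with a category; prints nothing if clean.
samba_account_audit() {
    awk -F: '
        FNR == NR { uid[$1] = $3; shell[$1] = $7; next }    # first file: passwd
        /^[#;]/ || NF < 5 { next }                           # second file: smbpasswd
        {
            name = $1; suid = $2; flags = $5; seen[name] = 1
            if (!(name in uid)) {
                printf "ORPHAN      %s: in smbpasswd but not in passwd\n", name; next
            }
            if (uid[name] != suid)
                printf "UIDMISMATCH %s: smbpasswd uid %s, passwd uid %s\n", name, suid, uid[name]
            if (flags ~ /N/)
                printf "NOPASS      %s: flagged [N], no password required\n", name
            if ((name ~ /\$$/ || flags ~ /W/) && shell[name] !~ /\/(false|nologin)$/)
                printf "SHELL       %s: machine trust account keeps login shell %s\n", name, shell[name]
        }
        END {
            for (u in uid) {
                if (u in seen) continue
                if (u ~ /\$$/)
                    printf "NOTRUST     %s: machine account in passwd but not in smbpasswd\n", u
                else if (uid[u] + 0 >= 1000)
                    printf "NOSAMBA     %s: Linux user without a Samba account\n", u
            }
        }' "$1" "$2"
}

# Constructed sample passwd and smbpasswd files; prints the directory holding them.
samba_audit_sample() {
    sa_dir=$(mktemp -d)
    cat > "$sa_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
erin:x:1003:1003:Erin:/home/erin:/bin/bash
pc1$:x:1100:1050:PC1 trust:/dev/null:/bin/false
pc2$:x:1101:1050:PC2 trust:/dev/null:/bin/bash
pc4$:x:1103:1050:PC4 trust:/dev/null:/bin/false
EOF
    # placeholder hashes, not real password hashes
    sa_h=0123456789ABCDEF0123456789ABCDEF
    sa_x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    cat > "$sa_dir/smbpasswd" <<EOF
root:0:$sa_x:$sa_h:[U          ]:LCT-00000000:
alice:1000:$sa_x:$sa_h:[U          ]:LCT-00000000:
bob:1001:$sa_x:$sa_x:[NU         ]:LCT-00000000:
dave:1004:$sa_x:$sa_h:[U          ]:LCT-00000000:
erin:1009:$sa_x:$sa_h:[U          ]:LCT-00000000:
pc1\$:1100:$sa_x:$sa_h:[W          ]:LCT-00000000:
pc2\$:1101:$sa_x:$sa_h:[W          ]:LCT-00000000:
pc3\$:1102:$sa_x:$sa_h:[W          ]:LCT-00000000:
EOF
    printf '%s\n' "$sa_dir"
}

# Stand-alone demonstration on the constructed files.
SAMBA_AUDIT_DIR=$(samba_audit_sample)
samba_account_audit "$SAMBA_AUDIT_DIR/passwd" "$SAMBA_AUDIT_DIR/smbpasswd"
```

The NOSAMBA line is informational, since the chapter notes that only some Linux users need Samba accounts; ORPHAN, NOTRUST, UIDMISMATCH, NOPASS and SHELL lines each point at an account that should be repaired or removed with the useradd, passwd -l and smbpasswd commands shown above.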

Dynamic Creation of Machine Trust Accounts

Although you can use the manual method, the recommended way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the Windows clients join the domain, which is known as creating a machine account on the fly. You can set this up by editing the /etc/samba/smb.conf file to automatically add the required users.