Samba - sharing Files and Printers with MS Windows

Introduction

The Samba suite of programs allows you to share Unix resources with SMB clients (in many cases MS Windows clients). This significantly simplifies client access to OpenBSD printing and file resources. Users on client machines access Samba resources as they would any other file or print resource offered by SMB servers such as Windows NT or Windows 9x.

We use OpenBSD/Samba to allow our network users to use the same tools for accessing their files on the OpenBSD/Samba box as they previously did when the same resources were on the Win NT boxes. Users can open their files from within their applications or use Windows Explorer to browse through the OpenBSD/Samba shares.

Installing the Packaged Version

[OpenBSD 3.6 snapshot(Jan 2005)]
[package: samba-3.0.11.tgz ]
[ref: Samba Book available from http://www.samba.org]

Install the package using pkg_add

# pkg_add /[path-to-package]/samba-3.0.11.tgz

The samba package will be installed and you may wish to copy one of the sample configuration files as a starter for your samba setup. For example:

# cp /usr/local/lib/samba/smb.conf.sample /etc/samba/smb.conf

The quickest way to start samba is to launch the daemons manually:

# /usr/local/libexec/smbd -D
# /usr/local/libexec/nmbd -D

Although we don't want the frustration of doing that manually every time the computer starts, it is a good way to test whether the installation files were actually installed.

Starting samba as a server service

[ref: ../ports/net/samba/files/README.OpenBSD]

There are at least three different methods for starting the samba daemons (smbd and nmbd). The two most appropriate for starting the server at each boot are a scripting addition or an inetd configuration. The BSD-style scripting approach adds instructions to the /etc/rc.local file; System V-style solutions create a separate startup script.

Edit the /etc/rc.conf.local file to include in Section 2 the following lines:

smbd=YES
nmbd=YES

Edit: /etc/rc.local.

After the 'starting local daemons' line and before the following echo '.', insert the following instructions into /etc/rc.local:

   echo -n 'starting local daemons:'
   # [ ... stuff left out ... ]

   if [ -f /etc/samba/smb.conf ]; then
       if [ X"${smbd}" = X"YES" -a -x /usr/local/libexec/smbd ]; then
           echo -n ' smbd';    /usr/local/libexec/smbd -D
       fi
       if [ X"${nmbd}" = X"YES" -a -x /usr/local/libexec/nmbd ]; then
           echo -n ' nmbd';    /usr/local/libexec/nmbd -D
       fi
   fi

   # [ ... stuff left out ... ]

   echo '.'

Now each restart of the machine will automatically check whether we have enabled samba in the configuration file (rc.conf.local) and then start the smbd and nmbd daemons. If we wish to disable samba we can simply change smbd=YES to smbd=NO and nmbd=YES to nmbd=NO.

Starting samba as an inetd service

If you choose the inetd path then two files, /etc/services and /etc/inetd.conf, need to be updated. Use either the rc.local update or this configuration, but not both, as running both may cause problems for you further down the line.

/etc/services : change this file to include the following lines

netbios-ssn    139/tcp
netbios-ns     137/udp

/etc/inetd.conf : change this file to update the lines referring to the above ports

netbios-ssn    stream tcp nowait root /usr/local/libexec/smbd smbd
netbios-ns     dgram  udp wait   root /usr/local/libexec/nmbd nmbd

Of course, one advantage of inetd is that you don't have to restart the computer to get things up and running. Just send a -HUP signal to inetd and samba will be started.

Testing the installation

[Config file: /etc/samba/smb.conf ]
[Utility: smbclient]

A quick diagnostic test to verify that the nmbd/smbd daemons are working is to use the smbclient program, one of the tools supplied with the samba suite. smbclient attempts a client connection to an SMB server, so one simple test is to attempt a connection to our own localhost SMB server.

# smbclient -U% -L localhost

The -U% option specifies the user to attempt the connection with (% expands to root, or the current login); -L specifies the hostname to connect to (localhost). The above command should show the shares available on the localhost server (IPC$ et al.) as well as other machines in the workgroup.

Sharename      Type        Comment
----------     -----       -------
IPC$           IPC         IPC Service (Samba Server)

Server               Comment
---------            -------
OPENBSDBOX           Samba Server

In the above example, the returned listing displays the server OPENBSDBOX as being in the SMB workgroup. OPENBSDBOX is the short-name for this sample localhost.

Basic configuration settings that approximate the initial part of what your samba server should look like are the following, set in the configuration file /etc/samba/smb.conf:

workgroup          = myworkgroup
encrypt passwords  = yes
smb passwd file    = /etc/samba/smbpasswd
unix password sync = yes
passwd program     = /usr/bin/passwd %u
interfaces         = ip_for_eth0 ip_for_eth1

ip_for_eth0 and ip_for_eth1 are the IP addresses of the Ethernet cards on your server through which you wish Samba to provide service. For example, if you had one Ethernet card for your LAN (eth0: 192.168.101.5) and one Ethernet card for your external connection (ISP, eth1: 202.123.44.1) then you can specify something like:

interfaces = 192.168.101.5

This would allow machines on your local LAN to access the samba server, but not machines connected through any other device.

Encrypt Passwords: All the clients I am using with my samba server will be Win98 or Win2000, and I want passwords encrypted when passed between the server and client machines in preparation for when the sites go live on the internet. Likewise, I don't want to spend the time setting up the script to modify all the clients to send clear-text passwords.

Setting up SWAT - the Samba Web Administration Tool

[Config file: /etc/services ]
[Config file: /etc/inetd.conf ]

SWAT provides a GUI-based tool for modifying samba's configuration file /etc/samba/smb.conf. Unfortunately it can also do disastrous things such as wipe the configuration file (actual experience). The following are the steps required to configure SWAT, which is installed but not enabled by the samba installation.

Edit /etc/services to include the following line

swat     901/tcp                                  # Samba Web Administration Tool

Edit /etc/inetd.conf to include the following lines

swat      stream    tcp      nowait.400             root     /usr/local/sbin/swat     swat

Restart the inetd daemon so it can re-read the changes you have made to the /etc/inetd.conf file.

# kill -HUP `cat /var/run/inetd.pid`

You should now be able to point a browser (for example Internet Explorer on Windows) at port 901 of your server (http://your_sambaserver:901) to configure samba using the SWAT GUI interface instead of having to manually edit the smb.conf file.

Security Concern: I think SWAT sends passwords in cleartext. You should be aware of this problem if you are concerned about potential security compromises from using SWAT.

Adding Users

[Config file: /etc/samba/smbusers ]
[Config file: /etc/samba/smbpasswd]
[Utility: /usr/local/bin/smbpasswd ]

To make sure that you can access the SMB shares from other clients, add the SMB users to the /etc/samba/smbusers and /etc/samba/smbpasswd files. I find this necessary because I specify the use of encrypted passwords for authentication.

smbpasswd -a login-id

For example:

# smbpasswd -a samt

More Information:

Run by root, the smbpasswd program can add a new user to the smbpasswd file with "-a". This is also a neat trick for finding out where the smbpasswd file is 'supposed' to be located.

Other useful options:

-x    delete the user information
-d    disable the user account
-e    enable a disabled account (no effect if the account is currently enabled)
-r    remote machine on which smb access is to be changed

Co-habiting with NT Server - Primary Domain Controller

As my environment is an OpenBSD/Samba server joining an existing Windows NT Primary Domain Controller (PDC), I need to maintain authentication on one server to minimise workload. For this discussion we will use DEMO_DOMAIN as the domain and PDC_SERVER as the name of the Primary Domain Controller (a Windows NT 4.0x server).

The following are the basic steps for enabling NT Domain authentication for Samba connections.

  1. On the PDC, Manually add the Samba Server netbios name as an NT Server/Workstation
  2. Join the Domain from the samba server using smbpasswd -j DEMO_DOMAIN -r PDC_SERVER
  3. Modify smb.conf to specify encrypted passwords and security=domain
  4. Restart the Samba Server

Adding the Samba Server to the Primary Domain Controller

On the Win NT (4.0) PDC server, start the Administrator -> Server Manager program. Add the OpenBSD/Samba server you have installed as a "Windows NT Workstation or Server".

On the Win2000 Advanced Server PDC, start Administrator -> Active Directory Users and Computers. Select the domain you will be adding the OpenBSD/Samba server to. Add a new computer and make sure you select the check-box "Allow pre-Windows 2000 computers to use this account".

For the name of the OpenBSD/Samba server, use the NetBIOS name you have either specified in /etc/samba/smb.conf, or use the short-name of the server (OPENBSDBOX for this example).

Joining the Samba server to the Primary Domain Controller

This only works if the OpenBSD/Samba server has been 'installed' into the domain as mentioned above, so make sure that you have followed that step and verified that the OpenBSD/Samba server is a valid 'NT Workstation or Server'.

From the OpenBSD/Samba machine, join the Primary Domain by using the smbpasswd "join" facility.

# smbpasswd -j DEMO_DOMAIN -r PDC_SERVER

Updating /etc/samba/smb.conf

To complete joining the domain, we need to make a few configuration changes: (a) we need to tell Samba to use the Primary Domain Controller for authentication, and (b) we need to use encrypted passwords. Windows NT SP3 and later default to encrypted password transmission.

File /etc/samba/smb.conf

security = domain
domain controller = PDC_SERVER
encrypt passwords = yes

Restart the samba server and user connections will now be verified through the Windows NT Domain Controller. Note that users still need a valid account on the server if user directories are expected.

Authentication for NT, Win9X Workstations

[ref: Samba-2.2.2/docs/Samba-HOWTO-Collection.pdf]

With later versions of Samba (2.2.2) we are able to use the OpenBSD/Samba combination to authenticate users for a LAN comprising Windows NT and Win9X clients. In this scenario, your OpenBSD/Samba server is the Primary Domain Controller (Windows Speak) and provides authentication for your Windows clients.

By configuring your clients to forcibly join the domain, you can ensure all workstation users must be validated from the OpenBSD/Samba server.

We may want to do this if we do not have a legitimate (Microsoft) Windows Server that can authenticate as the primary domain controller.

The Samba distribution actually comes with a HOWTO for this task (Chapter 8, How to Configure Samba 2.2 as a Primary Domain Controller).

In short, we set the configurations (in a working Samba system):

Configuration File settings

To configure your Samba server to provide user authentication you will need to include the following.

[global]
workgroup = myworkgroup

security = user
domain master = yes
local master = yes
domain logons = yes
add user script = /etc/samba/my_add_user %u
Diagram - portion of [global]

Security is set to user (not domain, as you might initially expect). The server is set to be the domain master and to service domain logons, which is where we will configure user authentication.

Machine Account Creation.

The add user script will be used by Samba to add a machine account for joining NT Workstations to the domain. This script will create an /etc/passwd entry using the client workstation's netbios name. At this writing (Samba 2.2.2) Samba requires the /etc/passwd entry before it can create a Samba account for the workstation.

Since OpenBSD's useradd does not normally allow the dollar character "$" in a user-id, we need to modify the useradd source to allow it. Of course, you can create the accounts manually instead and avoid changing the source code. Unix, including OpenBSD, readily accepts the $ sign in user-ids, but the user creation programs do not normally allow it for a number of practical reasons.
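An added example, not part of the original guide, of what the script named by "add user script = /etc/samba/my_add_user %u" above could look like. Samba runs it as root with a NetBIOS name supplied by the joining client, so the script checks that name against a strict machine-account pattern before handing it to anything; the USERADD variable is a hypothetical override, and the script assumes a useradd that accepts the trailing "$" (the patched OpenBSD useradd the guide describes).

```shell
#!/bin/sh
# my_add_user: create a locked, shell-less Unix account for a workstation so
# that Samba can then create the matching machine (trust) account.
# Added example; USERADD is assumed, as is a useradd that accepts "NAME$".

USERADD=${USERADD:-/usr/sbin/useradd}   # override for testing or another tool

# valid_machine_name NAME
# A machine account is 1 to 15 NetBIOS characters followed by "$"; the first
# character may not be "-", so the name can never be read as an option.
valid_machine_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_-]{0,14}\$$'
}

# add_machine_account NAME
# Returns 0 if the account exists afterwards, 1 if the name was refused.
add_machine_account() {
    name=$1
    if ! valid_machine_name "$name"; then
        echo "my_add_user: refusing non-machine name: $name" >&2
        return 1
    fi
    if id "$name" >/dev/null 2>&1; then
        return 0    # already present; nothing to do
    fi
    # "--" ends option parsing; no home directory and no interactive shell.
    "$USERADD" -d /nonexistent -s /sbin/nologin -- "$name"
}

# Samba invokes the script with the machine name as its only argument.
if [ $# -eq 1 ]; then
    add_machine_account "$1"
fi
```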

Using stunnel to secure SWAT password communication

package: stunnel-3.8.tgz
package: openssl (installed either as source build or ssl2?)
[ref: OpenBSD FAQ 10.6 Setting up a Secure HTTP Server with SSL]
[ref: Samba Book]

Samba can be set up to communicate exclusively through SSL, which is great but seems to be very difficult (as in really difficult) to roll out in a Windows environment. By at least forcing SWAT communications to use SSL we add one level of security. Using information available from the Samba site and the OpenBSD FAQ, I have generated this step-by-step list for using SSL with SWAT under OpenBSD (installation with 2.7).

1. install the stunnel package

# pkg_add /[location-of-packages]/stunnel-3.8.tgz

After stunnel is installed, you have to create a server certificate and put the result in /etc/ssl/private/stunnel.pem. For more information on how to create certificates, read ssl(8). For more information on stunnel, read stunnel(8).

2. Prepare the certificate for stunnel. According to the Samba docs, the stunnel documentation says that a blank line is needed between the private key and the certificate, and another blank line at the end of the file (make sure you have created the server certificates per the references above).

# echo "" > ~/blankline.txt
# cat /etc/ssl/private/server.key ~/blankline.txt /etc/ssl/server.crt \
  ~/blankline.txt > /etc/ssl/stunnel.pem

3. Move the stunnel.pem file to a standardised location

# mv /etc/ssl/stunnel.pem /etc/ssl/private

4. Set the file permissions so that only root has access to the file.

# chmod 700 /etc/ssl/private/stunnel.pem

5. Remove swat entry from inetd.conf (restart inetd)

# kill -HUP `cat /var/run/inetd.pid`

6. Start stunnel

# /usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l  /usr/local/sbin/swat -- swat

7. We now include stunnel into the configuration for SWAT

Edit the /etc/rc.conf.local file to include the following line:

stunnel_swat=YES

Edit: /etc/rc.local.

After the 'starting local daemons' line and before the following echo '.', insert the following instructions into /etc/rc.local:

   echo -n 'starting local daemons:'
   # [ ... stuff left out ... ]

   if [ -f /etc/samba/smb.conf ]; then
       if [ X"${smbd}" = X"YES" -a X"${nmbd}" = X"YES" -a X"${stunnel_swat}" = X"YES" -a -x /usr/local/sbin/stunnel ]; then
           echo -n ' stunnel_swat'
           /usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l /usr/local/sbin/swat -- swat
       fi
   fi

   # [ ... stuff left out ... ]

   echo '.'

Now each restart of the machine will automatically check whether we have enabled stunnel for SWAT in the configuration file (rc.conf.local) and then start stunnel. If we wish to disable stunnel for SWAT we can simply change stunnel_swat=YES to stunnel_swat=NO.

Connect to the SSL enabled site using https://your_sambaserver:901 and accept the certificate.
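Steps 2 to 4 above build stunnel.pem in /etc/ssl with the default umask and only lock it down after the move. The following added example (not from the guide) assembles the same key, blank line, certificate, blank line layout but creates the file directly at its final path under umask 077, so the private key is never world-readable even briefly; the file and function names are assumed, and the permission mode used is 600 because the file is data rather than a program.

```shell
#!/bin/sh
# Added example: build an stunnel PEM file (key, blank line, cert, blank line)
# without ever exposing the private key through a loosely permissioned file.

# build_stunnel_pem KEYFILE CERTFILE OUTFILE
build_stunnel_pem() {
    key=$1; crt=$2; out=$3
    [ -r "$key" ] || { echo "key not readable: $key" >&2; return 1; }
    [ -r "$crt" ] || { echo "certificate not readable: $crt" >&2; return 1; }
    # Refuse non-PEM input: a swapped or stray file would otherwise yield a
    # silently broken stunnel.pem that fails only when SWAT is first used.
    grep -q 'BEGIN.*PRIVATE KEY' "$key" \
        || { echo "no PEM private key in $key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$crt" \
        || { echo "no PEM certificate in $crt" >&2; return 1; }
    # umask 077 in a subshell: the file is created mode 0600 from the start,
    # so there is no window between creation and a later chmod.
    ( umask 077 && { cat "$key"; echo; cat "$crt"; echo; } > "$out" ) || return 1
    chmod 600 "$out"   # also fixes an existing file that had looser permissions
    return 0
}

# pem_mode FILE: the permission string (e.g. -rw-------) for a quick check.
pem_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage on the real files (run as root):
#   build_stunnel_pem /etc/ssl/private/server.key /etc/ssl/server.crt \
#       /etc/ssl/private/stunnel.pem
```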

Getting at Windows Shares

package: Sharity-light_1_2.tgz

Sometimes you want to access a Windows (e.g. Win95, Win98, Win2000, WinNT) file share from within the Unix box. Sharity-Light is similar to the Linux-only smbfs (smbmount, smbumount), which lets you mount a Windows file share onto your Unix file system.

http://www.obdev.at/Products/Sharity.html

Check out the developer's website above for more information on the "light" version and their commercial product.

Author and Copyright

Copyright (c) 2005 Samiuela LV Taufa. All Rights Reserved.

I reserve the right to be totally incorrect even at the best advice of betters. In other words, I'm probably wrong in enough places for you to call me an idiot, but don't 'cause you'll hurt my sensibilities, just tell me where I went wrong and I'll try again.

You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.

Copyright  © 2000/1/2 NoMoa.COM All rights reserved.