11.5. Setting Up Windows Shares with Samba

Samba is a suite of tools handling the SMB protocol (also known as “CIFS”) on Linux. This protocol is used by Windows for network shares and shared printers.

Samba can also act as an Windows domain controller. This is an outstanding tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows.

11.5.1. Samba Server

The samba package contains the main two servers of Samba 3, smbd and nmbd.

TOOL Administrating Samba with SWAT

SWAT (Samba Web Administration Tool) is a web interface that allows configuring the Samba service. Since the swat package does not enable its configuration interface by default, it must be enabled manually with update-inetd --enable swat.

SWAT then becomes available at the http://localhost:901 URL. Accessing it means using the root account (and its usual password). Note that SWAT rewrites the smb.conf in its own idiom, so it makes sense to make a backup copy beforehand if you're only interested in testing this tool.

SWAT is very user-friendly; its interface includes an assistant that allows defining the server's role in three questions. All global options can still be configured, as well as those for all the existing shares, and of course new shares can be added. Each option comes with a link to the relevant documentation.

Unfortunately SWAT is no longer actively maintained and will be dropped from the next version of Debian, known as Jessie.

DOCUMENTATION Going further

The Samba server is extremely configurable and versatile, and can address a great many different use cases matching very different requirements and network architectures. This book only focuses on the use case where Samba is used as main domain controller, but it can also be a simple server on the domain and delegate authentication to the main controller (which could be a Windows server).

The documentation available in the samba-doc package is very well written. In particular, the Samba 3 By Example document (available as /usr/share/doc/samba-doc/htmldocs/Samba3-ByExample/index.html) deals with a concrete use case that evolves alongside the growing company.

11.5.1.1. Configuring with `debconf`

The package sets up a minimal configuration based on the answers to a few Debconf questions asked during the initial installation; this configuration step can be replayed later with dpkg-reconfigure samba-common samba.

The first piece of required information is the name of the workgroup where the Samba server will belong (the answer is FALCOTNET in our case). Another question asks whether passwords should be encrypted. The answer is that they should, because it's a requirement for the most recent Windows clients; besides, this increases security. The counterpart is that this required managing Samba passwords separately from the Unix passwords.

The package also proposes identifying the WINS server from the information provided by the DHCP daemon. The Falcot Corp administrators rejected this option, since they intend to use the Samba server itself as the WINS server.

The last question is about whether servers should be started by inetd or as stand-alone daemons. Using inetd is only interesting when Samba is rarely used; the Falcot administrators therefore picked stand-alone daemons.

11.5.1.2. Configuring Manually

11.5.1.2.1. Changes to `smb.conf`

The requirements at Falcot require other options to be modified in the /etc/samba/smb.conf configuration file. The following excerpts summarize the changes that were effected in the [global] section.

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = FALCOTNET

# server string is the equivalent of the NT Description field
   server string = %h server (Samba %v)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes 

[...]

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html 
# in the samba-doc package for details.
   security = user 

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
   passdb backend = tdbsam

[...]

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes 

# lpr(ng) printing. You may wish to override the location of the
# printcap file
;   printing = bsd
;   printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cups-client package.
   printing = cups 
   printcap name = cups

	Indicates that Samba should act as a Netbios name server (WINS) for the local network.
	This is the default value for this parameter; however, since it is central to the Samba configuration, filling it explicitly is recommended. Each user must authenticate before accessing any share.
	Tells Samba to automatically share all local printers that exist in the CUPS configuration. Restricting access to these printers is still possible, by adding appropriate sections.
	Specifies the printing system in use; in our case, CUPS.

11.5.1.2.2. Adding Users

Each Samba user needs an account on the server; the Unix accounts must be created first, then the user needs to be registered in Samba's database. The Unix step is done quite normally (using adduser for instance).

Adding an existing user to the Samba database is a matter of running the smbpasswd -a user command; this command asks for the password interactively.

A user can be deleted with the smbpasswd -x user command. A Samba account can also be temporarily disabled (with smbpasswd -d user) and re-enabled later (with smbpasswd -e user).

11.5.1.2.3. Switching to Domain Controller

This section documents how the Falcot administrators went even further, by turning the Samba server into a domain controller providing roaming profiles (which allow users to find their desktop no matter what machine they connect to).

They first added a few extra directives in the [global] section of the configuration file:

domain logons = yes              
preferred master = yes           
logon path = \\%L\profiles\%U    
logon script = scripts/logon.bat

	Enables the domain controller functionality.
	Specifies the location of the users' home directories. These are stored on a dedicated share, which allows enabling specific options (in particular, `profile acls`, a requirement for compatibility with Windows 2000, XP and Vista).
	Specifies the batch (non-interactive) script that is to be run on the client Windows machine every time a session is opened. In this case, `/var/lib/samba/netlogon/scripts/logon.bat`. The script needs to be in DOS format, where the lines are separated by a carriage-return character and a line-feed character; if the file was created on Linux, running `unix2dos` will convert it. The commands used most widely in these scripts allow the automatic creation of network drives and synchronizing the system time. Example 11.27. The `logon.bat` file net time \\ARRAKIS /set /yes net use H: /home net use U: \\ARRAKIS\utils

Two extra shares, and their associated directories, were also created:

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

The home directories for all users must also be created (as /var/lib/samba/profiles/user), and each of them must be owned by the matching user.

11.5.2. Samba Client

The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the cifs-utils and smbclient packages.

11.5.2.1. The `smbclient` Program

The smbclient program queries SMB servers. It accepts a -U user option, for connecting to the server under a specific identity. smbclient //server/share accesses the share in an interactive way similar to the command-line FTP client. smbclient -L server lists all available (and visible) shares on a server.

11.5.2.2. Mounting Windows Shares

The mount command allows mounting a Windows share into the Linux filesystem hierarchy (with the help of mount.cifs provided by cifs-utils).

Example 11.28. Mounting a Windows share

mount -t cifs //arrakis/shared /shared \
      -o credentials=/etc/smb-credentials

The /etc/smb-credentials file (which must not be readable by users) has the following format:

username = user
password = password

Other options can be specified on the command-line; their full list is available in the mount.cifs(1) manual page. Two options in particular can be interesting: uid and gid allow forcing the owner and group of files available on the mount, so as not to restrict access to root.

A mount of a Windows share can also be configured in /etc/fstab:

//server/shared /shared cifs credentials=/etc/smb-credentials

Unmounting a SMB/CIFS share is done with the standard umount command.

11.5.2.3. Printing on a Shared Printer

CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the smbclient is installed, CUPS allows installing Windows shared printers automatically.

Here are the required steps:

Enter the CUPS configuration interface: http://localhost:631/admin
Click on “Add Printer”.
Choose the printer device, pick “Windows Printer via SAMBA”.
Enter the connection URI for the network printer. It should look like the following:
smb://user:password@server/printer.
Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).

Voilà, the printer is operational!