book

Using Samba, Second Edition

by Jay Ts, Robert Eckstein, David Collier-Brown

February 2003

Intermediate to advanced

560 pages

23h 11m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Using Samba, 2nd Edition
Preface
Audience for This Book
Organization
Conventions Used in This Book
How to Contact Us
Acknowledgments
Jay TsRobert EcksteinDavid Collier-BrownAll
1. Learning the Samba
What Is Samba?
What Can Samba Do for Me?
Sharing a Disk ServiceSharing a PrinterSeeing things from the Unix side
Getting Familiar with an SMB Network
Understanding NetBIOSGetting a NameNode TypesWhat’s in a Name?Resource names and typesGroup names and typesScope IDDatagrams and Sessions
An Introduction to the SMB Protocol
SMB FormatSMB header formatSMB command formatSMB variationsSMB Clients and ServersA Simple SMB ConnectionEstablishing a NetBIOS SessionNegotiating the Protocol VariantSet Session and Login Parameters

Windows Workgroups and Domains
Windows WorkgroupsBrowsingBrowsing electionsWindows 95/98/Me authenticationWindows NT DomainsDomain controllersPrimary and backup domain controllersAuthenticationName service with WINS and DNSTrust relationshipsActive Directory DomainsCan a Windows Workgroup Span Multiple Subnets?
What’s New in Samba 2.2?
PDC Support for Windows 2000/XP ClientsMicrosoft Dfs SupportWindows NT/2000/XP Printing SupportACLsSupport for Windows Client Administration ToolsIntegration with WinbindUnix CIFS ExtensionsAnd More...
What’s New in Samba 3.0?
What Can Samba Do?
An Overview of the Samba Distribution
How Can I Get Samba?
2. Installing Samba on a Unix System
Bundled VersionsBinary or Source?
Downloading the Samba Distribution
Read the Documentation
Configuring Samba
Compiling and Installing Samba
Upgrading Your InstallationReconfiguring SambaSetting Search Paths
Enabling SWAT
A Basic Samba Configuration File
Encrypted PasswordsUsing SWATDisabling OplocksTesting the Configuration File
Firewall Configuration
Starting the Samba Daemons
Starting the Daemons ManuallyAutomatic StartupBSD UnixSystem V UnixDarwin and Mac OS XTesting automatic startupStarting from inetd
Testing the Samba Daemons
3. Configuring Windows Clients
Windows Networking ConceptsComponentsBindingsIP AddressName ResolutionBroadcast name resolutionWINSLMHOSTSDNSHOSTSPasswords
Setting Up Windows 95/98/Me Computers
Setting Up the NetworkAdding TCP/IPConfiguring TCP/IPIP Address tabWINS Configuration tabDNS Configuration tabLMHOSTS fileNetBIOS tabBindings tabSetting the Computer Name and WorkgroupUsername and PasswordLogging in for the first timeAccessing the Samba Server from Windows 95/98Accessing the Samba Server from Windows Me
Setting Up Windows NT 4.0 Computers
Basic ConfigurationInstalling the TCP/IP protocolInstalling the Workstation serviceConfiguring TCP/IPIP Address tabWINS Address tabDNS tabThe LMHOSTS fileBindingsComputer Name and WorkgroupAdding a UserConnecting to the Samba Server
Setting Up Windows 2000 Computers
Networking ComponentsBindingsConfiguring TCP/IPIP addressDNS serverWINS serverThe LMHOSTS fileComputer and Workgroup NamesAdding a Samba-Enabled UserConnecting to the Samba Server
Setting Up Windows XP Computers
Networking ComponentsBindingsConfiguring TCP/IPIP addressDNS serverWINS serverThe LMHOSTS fileComputer and Workgroup NamesAdding a Samba-Enabled UserConnecting to the Samba Server
4. Windows NT Domains
Samba as the Primary Domain ControllerModifying smb.confCreating Directories on the Samba ServerRestarting the Samba Server
Adding Computer Accounts
Configuring Windows Clients for Domain Logons
Windows 95/98/MeUser-Level Security for Windows 95/98/MeWindows NT 4.0Windows 2000Windows XP HomeWindows XP Professional
Logon Scripts
Creating a Logon Script
Roaming Profiles
How Roaming Profiles workConfiguring Samba for Roaming ProfilesConfiguring Windows 95/98/Me for Roaming ProfilesConfiguring Windows NT/2000/XP for Roaming ProfilesMandatory ProfilesLogon Script and Roaming-Profile Optionslogon scriptlogon pathlogon drivelogon home
System Policies
Samba as a Domain Member Server
Windows NT Domain Options
domain logonsdomain masteradd user scriptdelete user scriptdomain admin grouppassword servermachine password timeout
5. Unix Clients
Sharing Files on Windows 95/98/Me
Sharing Files on Windows NT/2000/XP
smbclient
Listing ServicesAuthenticating with smbclientAn Interactive smbclient SessionProgramming with smbclientBackups with smbclient
smbfs
Mounting an smbfs FilesystemMounting smbfs Filesystems AutomaticallyCommon smbmount Options
smbsh
An Interactive Session with smbsh
smbutil and mount_smbfs
smbutilmount_smbfsMac OS X
6. The Samba Configuration File
The Samba Configuration FileConfiguration File StructureWhitespace, quotes, and commasCapitalizationLine continuationCommentsChanges at runtimeVariables
Special Sections
The [ global] SectionThe [ homes] SectionThe [printers] Section
Configuration Options
Configuration File Optionsconfig fileincludecopy
Server Configuration
Server Configuration Optionsnetbios nameworkgroupserver string
Disk Share Configuration
Disk Share Configuration Optionspathcommentvolumeread only, writable
Networking Options with Samba
Networking Optionshosts allowhosts denyinterfacesbind interfaces only
Virtual Servers
Virtual Server Configuration Optionsnetbios aliases
Logging Configuration Options
Using syslogLogging Configuration Optionslog filelog levelmax log sizedebug timestamp or timestamp logssyslogsyslog only
7. Name Resolution and Browsing
Name ResolutionWINS Clients and Server InteractionThe lmhosts FileConfiguring Name Resolution for the Samba SuiteSetting Up Samba as a WINS ServerConfiguring a DNS proxySetting Up Samba to Use Another WINS ServerConfiguring a WINS proxyName-Resolution Configuration Optionswins supportwins serverwins proxywins hookdns proxyname resolve ordermax ttlmax wins ttlmin wins ttl
Browsing
Browsing in a Windows NetworkBrowser ElectionsServer AnnouncementsConfiguring Samba for BrowsingSamba as the Domain Master BrowserMultiple subnetsMaking a Share InvisibleBrowsing Optionsannounce asannounce versionbrowsablebrowse listauto servicesdefault servicelocal masterlm announcelm intervalpreferred masterdomain masteros levelremote browse syncremote announce
8. Advanced Disk Shares
Filesystem DifferencesHiding and Vetoing FilesLinksFilesystem Optionsdont descendfollow symlinksgetwd cachewide linkshide dot fileshide filesveto filesdelete veto files
File Permissions and Attributes on MS-DOS and Unix
Creation MasksFile and Directory Permission Optionscreate maskdirectory maskforce create modeforce directory modeforce groupforce userdelete readonlymap archivemap systemmap hiddeninherit permissions
Windows NT/2000/XP ACLs
Unix ACLsConfiguration Options for ACLsnt acl supportsecurity maskforce security modedirectory security maskforce directory security mode
Name Mangling and Case
The Samba Mangling OperationRepresenting and resolving filenames with SambaMangling Optionscase sensitivedefault casepreserve caseshort preserve casemangled namesmangle casemangling charmangled stackmangled map
Locks and Oplocks
Opportunistic LockingUnix and OplocksLocks and Oplocks Configuration Optionslockingstrict lockingposix lockingoplockskernel oplockslevel2 oplocksfake oplocksblocking locksveto oplock fileslock directory
Connection Scripts
Connection Script Optionsroot preexecroot preexec closepreexecpreexec closepostexecroot postexec
Microsoft Distributed Filesystems
Windows Dfs ClientsConfiguring Samba for DfsSetting up the Dfs rootLoad balancing
Working with NIS
NIS Configuration Optionsnis homedir, homedir map
9. Users and Security
Users and GroupsHandling Multiple Individual Users
Controlling Access to Shares
Guest AccessAccess Control Optionsadmin usersvalid users, invalid usersread list, write listmax connectionsguest onlyguest accountUsername Optionsusername mapusername level
Authentication of Clients
Share-Level SecurityShare-Level Security Optionsonly userusernameUser-Level SecurityServer-Level SecurityDomain-Level Security
Passwords
Disabling Encrypted Passwords on the ClientThe smbpasswd FilePassword SynchronizationPassword Configuration Optionsencrypt passwordsunix password syncpasswd chatpasswd chat debugpasswd programpassword levelupdate encryptednull passwordssmb passwd filehosts equivuse rhosts
Authentication with winbind
Installing winbindConfiguring nsswitchModifying smb.confConfiguring PAMwinbind Configuration Optionswinbind separatorwinbind uidwinbind gidwinbind cache timetemplate homedirtemplate shell
10. Printing
Sending Print Jobs to SambaPrint CommandsA Minimal Printing SetupThe [printers] ShareTesting the ConfigurationEnabling SMB Printer Sharing in Mac OS XSetting Up and Testing a Windows Client
Printing to Windows Printers
Sharing Windows PrintersAdding a Unix PrinterBSD printersSystem V printersCUPS printersSamba Printing Optionsprintingprintableprinterlpq cache timepostscriptload printersprint command, lpq command, lprm command,lppause command, lpresume commandprintcap namemin print spacequeuepause commandqueueresume command
11. Additional Samba Information
Time SynchronizationTime-Synchronization Optionstime servertime offsetdos filetimesdos filetime resolutionfake directory create times
Magic Scripts
Magic Script Optionsmagic scriptmagic output
Internationalization
Internationalization Optionsclient code pagecharacter setcoding systemvalid chars
Windows Messenger Service
Windows Messenger Service Configuration Optionmessage command
Miscellaneous Options
deadtimedfree commandfstypekeepalivemax disk sizemax muxmax open filesmax xmitnt pipe supportnt smb supportole locking compatibilitypanic actionset directorystatusstrict syncsync alwaysstrip dotchange notify timeoutstat cachestat cache size
12. Troubleshooting Samba
The Tool BoxSamba LogsLog levelsActivating and deactivating loggingLogging by individual client systems or usersSamba Test UtilitiesUnix UtilitiesUsing traceUsing tcpdumpUsing Ethereal
The Fault Tree
How to Use the Fault TreeTroubleshooting Low-Level IPTesting the networking software with pingTesting local name services with pingTesting the networking hardware with pingTesting connections with pingTroubleshooting TCPTesting TCP with FTPTroubleshooting Server DaemonsTracking daemon startupLooking for daemon processes with psLooking for daemons bound to portsChecking smbd with telnetTesting daemons with testparmTroubleshooting SMB ConnectionsA minimal smb.conf fileTesting locally with smbclientTesting connections with smbclientTesting connections with net useTesting connections with Windows ExplorerTroubleshooting BrowsingTesting browsing with smbclientTesting the server with nmblookupTesting the client with nmblookupTesting the network with nmblookupTesting client browsing with net viewBrowsing the server from the clientTroubleshooting Name ServicesIdentifying what’s in useCannot look up hostnamesLong and short hostnamesUnusual delaysLocalhost issuesTroubleshooting Network AddressesNetmasksBroadcast addressesNetwork address rangesFinding your network addressTroubleshooting NetBIOS Names
Extra Resources
Documentation and FAQsSamba NewsgroupsSamba Mailing ListsFurther Reading
A. Example Configuration Files
Samba in a WorkgroupAuthentication and WINS ServerWorkgroup Server
Samba in a Windows NT Domain
Primary Domain ControllerDomain Member Server
B. Samba Configuration Option Quick Reference
Configuration File Options
abort shutdown script = command
add printer command = command
add machine script = command
add share command = command
add user script = command
admin users = user list
ads server = value
algorithmic rid base = number
allow hosts = host list
allow trusted domains = boolean
announce as = value
announce version = value
auth methods = list
auto services = service list
available = boolean
bind interfaces only = boolean
block size = number
blocking locks = boolean
browsable = boolean
browse list = boolean
browseable = boolean
case sensitive = boolean
casesignames = boolean
change notify timeout = number
change share command = command
character set = name
client code page = name
code page directory = directory
coding system = value
comment = string
config file = filename
copy = section name
create mask = value
create mode = value
csc policy = value
deadtime = number
debug hires timestamp = boolean
debug pid = boolean
debug timestamp = boolean
debug uid = boolean
debuglevel = number
default = service name
default case = value
default devmode = boolean
default service = share name
delete printer command = command
delete readonly = boolean
delete share command = command
delete user script = command
delete veto files = boolean
deny hosts = host list
dfree command = command
directory = directory
directory mask = value
directory mode = value
directory security mask = value
disable spools = boolean
dns proxy = boolean
domain admin group = user list
domain guest group = user/group list
domain logons = boolean
domain master = boolean
dont descend = list
dos filemode = boolean
dos filetime resolution = boolean
dos filetimes = boolean
encrypt passwords = boolean
enhanced browsing = boolean
enumports command = command
exec = command
fake directory create times = boolean
fake oplocks = boolean
follow symlinks = boolean
force create mode = value
force directory mode = value
force directory security mode = value
force group = value
force security mode = value
force unknown acl user = boolean
force user = value
fstype = string
getwd cache = boolean
group = value
guest account = value
guest ok = boolean
guest only = boolean
hide dot files = boolean
hide files = slash-separated list
hide local users = boolean
hide unreadable = boolean
homedir map = name
host msdfs = boolean
hosts allow = host list
hosts deny = host list
hosts equiv = filename
include = filename
inherit acls = boolean
inherit permissions = boolean
interfaces = interface list
invalid users = user list
keepalive = number
kernel oplocks = boolean
lanman auth = boolean
large readwrite = boolean
ldap admin dn = string
ldap filter = string
ldap port = number
ldap server = value
ldap ssl = value
ldap suffix = string
level2 oplocks = boolean
lm announce = value
lm interval = number
load printers = boolean
local master = boolean
lock dir = directory
lock directory = directory
lock spin count = number
lock spin time = number
locking = boolean
log file = filename
log level = number
logon drive = value
logon home = directory
logon path = directory
logon script = directory
lppause command = command
lpq cache time = number
lpq command = command
lpresume command = command
lprm command = command
machine password timeout = number
magic output = filename
magic script = filename
mangle case = boolean
mangled map = map list
mangled names = boolean
mangled stack = number
mangling char = character
mangling method = string
map archive = boolean
map hidden = boolean
map system = boolean
map to guest = value
max connections = number
max disk size = number
max log size = number
max mux = number
max open files = number
max print jobs = number
max protocol = name
max smbd processes = number
max ttl = number
max wins ttl = number
max xmit = number
message command = command
min passwd length = number
min password length = number
min print space = number
min protocol = name
min wins ttl = number
msdfs root = boolean
name resolve order = list
netbios aliases = list
netbios name = value
netbios scope = string
nis homedir = boolean
non unix account range = numeric range
nt acl support = boolean
nt pipe support = boolean
nt smb support = boolean
nt status support = boolean
null passwords = boolean
obey pam restrictions = boolean
only guest = boolean
only user = boolean
oplock break wait time = number
oplock contention limit = number
oplocks = boolean
os level = number
os2 driver map = filename
pam password change = boolean
panic action = command
passdb backend = list
passwd chat = string
passwd chat debug = boolean
passwd program = command
password level = number
password server = list
path = directory
pid directory = directory
posix locking = boolean
postexec = command
postscript = boolean
preexec = command
preexec close = boolean
preferred master = boolean
prefered master = boolean
preload = service list
preserve case = boolean
printable = boolean
printcap name = filename
print command = command
printer = name
printer admin = user list
printer driver = name
printer driver file = filename
printer driver location = directory
printer name = name
printing = value
print ok = boolean
private directory = directory
protocol = name
public = boolean
queuepause command = command
queueresume command = command
read bmpx = boolean
read list = list
read only = boolean
read raw = boolean
read size = number
realm = string
remote announce = remote list
remote browse sync = list
restrict anonymous = boolean
root = directory
root dir = directory
root directory = directory
root postexec = command
root preexec = command
root preexec close = boolean
security = value
security mask = value
server string = string
set directory = boolean
share modes = boolean
short preserve case = boolean
show add printer wizard = boolean
shutdown script = command
smb passwd file = filename
socket address = value
socket options = list
source environment = filename
ssl = boolean
ssl CA certDir = directory
ssl CA certFile = filename
ssl ciphers = list
ssl client cert = filename
ssl client key = filename
ssl compatibility = boolean
ssl hosts = host list
ssl hosts resign = host list
ssl require clientcert = boolean
ssl require servercert = boolean
ssl server cert = filename
ssl server key = filename
ssl version = string
stat cache = boolean
stat cache size = number
status = boolean
strict allocate = boolean
strict locking = boolean
strict sync = boolean
strip dot = boolean
sync always = boolean
syslog = number
syslog only = boolean
template homedir = path
template shell = filename
time offset = number
time server = boolean
timestamp logs = boolean
total print jobs = number
unix extensions = boolean
unix password sync = boolean
update encrypted = boolean
use client driver = boolean
use mmap = boolean
use rhosts = boolean
use sendfile = boolean
user = user list
username = user list
username level = number
username map = filename
users = user list
utmp = boolean
utmp directory = directory
valid chars = list
valid users = user list
veto files = slash-separated list
veto oplock files = slash-separated list
vfs object = filename
vfs options = string
volume = string
wide links = boolean
winbind cache time = number
winbind enum users = boolean
winbind enum groups = boolean
winbind gid = numeric range
winbind separator = character
winbind uid = numeric range
wins hook = command
wins proxy = boolean
wins server = value
wins support = boolean
workgroup = name
writable = boolean
writeable = boolean
write cache size = number
write list = user list
write ok = boolean
write raw = boolean
Glossary of Configuration Value Types
Configuration File Variables
C. Summary of Samba Daemons and Commands
Samba Daemons
smbd
smbd
nmbd
nmbd
winbindd
winbindd
Samba Distribution Programs
findsmb
findsmb
make_smbcodepage
make_smbcodepage
make_unicodemap
make_unicodemap
net
net
nmblookup
nmblookup
pdbedit
pdbedit
rpcclient
rpcclient
rpcclient commands
rpcclient commands
smbcacls
smbcacls
smbclient
smbclient
smbcontrol
smbcontrol
smbgroupedit
smbgroupedit
smbmnt
smbmnt
smbmount
smbmount
smbpasswd
smbpasswd
smbsh
smbsh
smbspool
smbspool
smbstatus
smbstatus
smbtar
smbtar
smbumount
smbumount
testparm
testparm
testprns
testprns
wbinfo
wbinfo
D. Downloading Samba with CVS
E. Configure Options
F. Running Samba on Mac OS X Server
Setup ProceduresSharing FilesSharing PrintersConfiguring and Activating ServicesActivating Password ServerEnabling Password ServerMonitoring Services
Configuration Details
Rolling Your Own
G. GNU Free Documentation License
GNU Free Documentation LicenseVersion 1.2, November 20020. PREAMBLE1. APPLICABILITY AND DEFINITIONS2. VERBATIM COPYING3. COPYING IN QUANTITY4. MODIFICATIONS5. COMBINING DOCUMENTS6. COLLECTIONS OF DOCUMENTS7. AGGREGATION WITH INDEPENDENT WORKS8. TRANSLATION9. TERMINATION10. FUTURE REVISIONS OF THIS LICENSE
Index
Colophon

Content preview from Using Samba, Second Edition

Authentication with winbind

In Chapter 3, we showed you how to add Windows clients to a network in which user accounts were maintained on the Samba server. We added a user account to the Windows client using the same username and password as an account on the Unix system. This method works well in many computing environments. However, if a Samba server is added to a Windows network that already has a Windows NT/2000 primary domain controller, the PDC has a preexisting database of user accounts and group information that is used for authentication. It can be a big chore to transfer that database manually to the Unix server, and later maintain and synchronize the Unix and Windows databases.

In Chapter 4, we showed you how to add a Samba server as a domain member server to a network having a Windows NT/2000 primary domain controller. We set security = domain in the Samba configuration file to have the Samba server hand off authentication to the Windows PDC. Using that method, passwords are kept only on the PDC, but it is still necessary to set up user accounts on the Unix side to make sure each client has a valid Unix UID and group ID (GID). This is necessary for maintaining the file ownerships and permissions of the Unix security model. Whenever Samba performs an operation on the Unix filesystem on behalf of the Windows client, the user must have a valid UID and GID on the local Unix system.

A facility that has recently been added to Samba, winbind, allows the Windows PDC to handle ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596002564Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Using Samba, Second Edition

by Jay Ts, Robert Eckstein, David Collier-Brown

Authentication with winbind

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Implementing Samba 4

Implementing CIFS: The Common Internet File System

Linux Server Hacks, Volume Two

Linux in a Windows World

Publisher Resources