About the SMB protocol.
SMB (short for Server Message Block) is a protocol at the presentation level of the OSI model of TCP/IP, created in 1985 by IBM. It is sometimes also referred to as CIFS (acronym for Common Internet File System, http://samba.org/cifs/) after being renamed by Microsoft in 1998. Among other things, Microsoft added to the protocol support for symbolic and hard links, as well as support for large files. By coincidence, this happened at the same time that Sun Microsystems launched WebNFS (an extended version of NFS, http://www.sun.com/software/webnfs/overview.xml).
SMB was originally designed to work over the NetBIOS protocol, which in turn works on NetBEUI (acronym for NetBIOS Extended User Interface), IPX/SPX (an acronym for Internet Packet Exchange/Sequenced Packet Exchange) or NBT, but it can also work directly on TCP/IP.
About Samba.
SAMBA is a suite of software, originally created by Andrew Tridgell and currently maintained by The Samba Team under the GNU General Public License, that implements the SMB protocol on UNIX®-based systems. It serves as a complete replacement for Windows® NT, Warp®, NFS® and Netware® servers.
The procedures in this manual have been tested on systems with Red Hat™ Enterprise Linux 4 or equivalent or later, and with at least Samba 3.0.10 or later.
You need to have the following packages installed, which are certainly included on the installation disks of your favorite distribution:
• samba: SMB server.
• samba-client: Various clients for the SMB protocol.
• samba-common: Files needed for client and server.

```
yum -y install samba samba-client
```
Adding user accounts.
It is important to synchronize accounts between the Samba server and the Windows® stations. That is, if a user logs in to a Windows® machine as "paco" with password "elpatito16", an account with the same name and the same password must also exist on the Samba server. Since most user accounts used for access to Samba do not require access to the system's command interpreter, there is no need to assign them a password with the passwd command, and /sbin/nologin or /bin/false should be defined as the command interpreter for the user account involved.

```
useradd -s /sbin/nologin user-windows
smbpasswd -a user-windows
```

There is no need to assign a password on the system with the passwd command, since the account has no access to the command interpreter.
If the accounts also need to be used for access to other services such as Telnet, SSH, etc., that is, if access to the command interpreter must be allowed, you must specify /bin/bash as the command interpreter and also assign a password on the system with the passwd command:

```
useradd -s /bin/bash user-windows
passwd user-windows
smbpasswd -a user-windows
```
Main parameters of the smb.conf file.
Edit the file /etc/samba/smb.conf with any text editor. Inside it you will notice that the useful information is commented with a # symbol and the examples with a ; (semicolon), the latter being the ones we will use as reference.
We begin by establishing the workgroup, editing the parameter workgroup and assigning the desired workgroup:

```
workgroup = mygroup
```

Optionally, you can use the parameter netbios name to set a different name for the server if necessary, always keeping in mind that the name must match the one set in the file /etc/samba/lmhosts:

```
netbios name = maquinalinux
```

The parameter server string is descriptive. You can use a brief comment with a description of the server.

```
server string = Samba Server %v on %L
```
Useful parameters for security.
Security is important, and it can be established first by setting the access control list that defines which machines or networks will have access to the server. The parameter hosts allow is used for this. If the network consists of machines with IP addresses from 192.168.1.1 to 192.168.1.254, the IP address range defined in hosts allow is 192.168.1. so that only those machines are allowed access. Note the period at the end of each range. Modify it so that it reads as follows:

```
hosts allow = 192.168.1. 127.
```
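Why the trailing period matters, as an added example that is not part of the original guide: a simplified Python model of how a hosts allow value is matched against a client address. It covers only the trailing-period, network/mask, exact-address and EXCEPT forms; the function names are hypothetical and hostname entries are not modelled.

```python
import ipaddress

def entry_matches(entry, client_ip):
    """True if one hosts allow entry covers client_ip (address forms only)."""
    if entry.endswith("."):
        # Trailing period: string-prefix match on the dotted address, so
        # "192.168.1." covers 192.168.1.x but never 192.168.10.x.
        return client_ip.startswith(entry)
    if "/" in entry:
        # network/mask form, e.g. 192.168.1.0/255.255.255.0
        net = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # No period and no mask: treated as one exact address in this model.
    return entry == client_ip

def is_allowed(hosts_allow, client_ip):
    """Evaluate a hosts allow value, including the EXCEPT keyword."""
    tokens = hosts_allow.replace(",", " ").split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        allow, exceptions = tokens[:cut], tokens[cut + 1:]
    else:
        allow, exceptions = tokens, []
    if any(entry_matches(e, client_ip) for e in exceptions):
        return False
    return any(entry_matches(e, client_ip) for e in allow)

# The value from this guide, checked against constructed client addresses.
for ip in ("192.168.1.77", "192.168.10.5", "127.0.0.1"):
    print(ip, is_allowed("192.168.1. 127.", ip))
```

Writing the range as 192.168.1 without the period leaves the local network locked out in this model, because the entry is no longer a prefix.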
The parameter interfaces sets the network interfaces on which the system will listen for requests. Samba will not respond to requests arriving on any interface not specified. This is useful when Samba runs on a server that also serves as a gateway for the local network, preventing connections from being established from outside the local network.

```
interfaces = 192.168.1.254/24
```
Sharing directories via Samba.
For the directories or volumes to be shared, the same configuration file contains various examples for different situations. In general, the following example will work for most cases:

```
[Lo_que_sea]
    comment = comment that comes to mind
    path = /any/path/you/want/share
```

The volume can use any of the following options:
Option | Description |
---|---|
guest ok | Defines whether access as a guest user is allowed. The value can be Yes or No. |
public | Equivalent to the parameter guest ok, that is, it defines whether access as a guest user is allowed. The value can be Yes or No. |
browseable | Sets whether this resource is shown in the list of shared resources. The value can be Yes or No. |
writable | Defines whether writing is allowed. It is the opposite of the parameter read only. The value can be Yes or No. Examples: " |
valid users | Defines which users or groups can access the share. The values can be usernames separated by commas or group names preceded by an @. Example: guy, such-, @managers |
write list | Defines which users or groups can access with write permission. The values can be usernames separated by commas or group names preceded by an @. Example: guy, such-, @managers |
admin users | Defines which users or groups can access the resource with administrative permissions. That is, they can perform all operations on the resource as superuser. The values can be usernames separated by commas or group names preceded by an @. Example: guy, such-, @managers |
directory mask | The same as directory mode. Defines the permissions that subdirectories created within the resource will have. Example: 1777 |
create mask | Defines the permissions that new files created within the resource will have. Example: 0644 |
The following example shares through Samba a resource named ftp, which is located in the directory /var/ftp/pub on the hard disk. Anyone is allowed access to the resource, but it is read only, except for the users administrator and guy. Every new directory created inside it will have permissions 755, and every file placed inside it will have permissions 644.

```
[ftp]
    comment = FTP Server Directory
    path = /var/ftp/pub
    guest ok = Yes
    read only = Yes
    write list = guy, administrator
    directory mask = 0755
    create mask = 0644
```
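A way to review share definitions before starting the service, as an added example that is not part of the original guide: a small Python audit that parses smb.conf text and reports risky combinations of the options in the table above. The function names and the [scratch] share are hypothetical, and only the parameters listed in this guide are checked.

```python
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # both comment styles used in smb.conf
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return findings for the access parameters described in this guide."""
    conf, findings = parse_smb_conf(text), []
    if "hosts allow" not in conf.pop("global", {}):
        findings.append("global: hosts allow is not set")
    for name, p in conf.items():
        val = lambda k: p.get(k, "").lower()
        guest = val("guest ok") in TRUE or val("public") in TRUE
        writable = val("writable") in TRUE or val("read only") in FALSE
        if guest and writable:
            findings.append(f"{name}: guests can write")
        if "admin users" in p:
            findings.append(f"{name}: admin users act as superuser: {p['admin users']}")
        for mask in ("directory mask", "create mask"):
            if mask in p and int(p[mask], 8) & 0o002:
                findings.append(f"{name}: {mask} {p[mask]} is world-writable")
    return findings

# Constructed sample: the guide's [ftp] share plus a hypothetical [scratch] share.
SAMPLE = """
[global]
    hosts allow = 192.168.1. 127.
[ftp]
    guest ok = Yes
    read only = Yes
    directory mask = 0755
[scratch]
    public = Yes
    writable = Yes
    admin users = @managers
    directory mask = 1777
"""
print("\n".join(audit(SAMPLE)))
```

The read-only guest share from the guide produces no findings; the constructed [scratch] share is reported three times.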
Specific options for primary domain controller (PDC).
If you are going to configure Samba as a primary domain controller, you must specify all the parameters described below.
If you want the system and Windows passwords to be kept synchronized, you must uncomment the following lines:

```
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
```

The parameter local master sets the server as the local master browser of the domain; the parameter domain master defines the server as the domain master; the parameter preferred master defines the server as the preferred master if more servers are present in the same domain acting as domain controllers; the parameter time server makes the stations synchronize their time with the server when they join the domain; and the parameter domain logons defines that the server will allow stations to authenticate against Samba.

```
local master = Yes
domain master = Yes
preferred master = Yes
time server = Yes
domain logons = Yes
```

Configuring a primary domain controller also requires defining where user profiles will be stored. Windows 95, 98 and ME require the parameter logon home, while Windows NT, 2000 and XP require the parameter logon path. For practical purposes and as a precaution, use both parameters and define the drive H for this volume:

```
logon path = \\%L\Profiles\%U
logon home = \\%L\%U\.profile
logon drive = H:
```

If you are using Samba as a primary domain controller, you must set the script that Windows machines run when they connect to the server. This is done through the parameter logon script, which can define a script for each user (%U.bat), for each machine (%m.bat) or a general one for all (logon.cmd). To keep things simple, initially set a general script for all, as follows:

```
logon script = logon.cmd
```

The primary domain controller also needs the scripts that run for various tasks to be defined, such as adding machines, users and groups and removing them.

```
add user script = /usr/sbin/useradd %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -c "Machine Account" -M %u
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
set primary group script = /usr/sbin/usermod -g %g %u
```

The parameter add user script defines what is executed in the background on the system to create a new user account. The parameter add machine script is particularly important because it is the command used to create machine accounts (trust accounts) automatically. The parameter delete user script defines the equivalent for deleting users, delete group script for removing groups, add user to group script for adding users to groups and set primary group script for setting a group as the primary group of a user.
Starting the service and adding it to boot.
If you are starting Samba for the first time, run the following:

```
/sbin/service smb start
```

If you are restarting the service, run the following:

```
/sbin/service smb restart
```

To make Samba start automatically every time the server starts, just run the following command:

```
/sbin/chkconfig smb on
```
Accessing Samba.
Text mode.
Smbclient.
Undoubtedly, the most practical and safe method is the smbclient command. It allows access to any Samba or Windows® server as if using the ftp command in text mode.
To access any resource on a Windows® machine or Samba server, first determine what volumes or shares it has. Use the smbclient command as follows:

```
smbclient -U user -L alguna_maquina
```

Which will return something more or less like the following:

```
Domain=[MI-DOMAIN] OS=[Unix] Server=[Samba 3.0.7-1.3E]

    Sharename       Type      Comment
    ---------       ----      -------
    homes           Disk      Home Directories
    netlogon        Disk      Network Logon Service
    ftp             Disk      ftp
    IPC$            IPC       IPC Service (Samba Server 3.0.7-1.3E on my-server)
    ADMIN$          IPC       IPC Service (Samba Server 3.0.7-1.3E on my-server)
    epl5900         Printer   Created by redhat-config-printer 0.6.x
    hp2550bw        Printer   Created by redhat-config-printer 0.6.x
Anonymous Login successful
Domain=[MI-DOMAIN] OS=[Unix] Server=[Samba 3.0.7-1.3E]

    Server               Comment
    ---------            -------
    my-server            Samba Server 3.0.7-1.3E on my-server

    Workgroup            Master
    ---------            -------
    MI-DOMAIN            MI-SERVER
```

The following is the basic syntax for browsing the resources shared by a Windows® machine or Samba server:

```
smbclient //alguna_maquina/resource -U user
```

Example:

```
smbclient //LINUX/FTP -U jbarrios
```

After running the above, the system asks for the password of the user jbarrios on the computer named LINUX.

```
smbclient //LINUX/FTP -U jbarrios
added interface ip=192.168.1.254 bcast=192.168.1.255 nmask=255.255.255.0
Password:
Domain=[myusername] OS=[Unix] Server=[Samba 2.2.1a]
smb: \>
```

You can use virtually the same commands as in the ftp interpreter, such as get, mget, put, del, etc.
By mounting network drives.
If you need to view Windows® machines from GNU/Linux and interact with their shared directories, some additional steps are required. By default, and for security reasons, only root can use the smbmnt and smbumount commands. You must then set SUID permissions on those commands. You can do this by running the following as root:

```
chmod 4755 /usr/bin/smbmnt
chmod 4755 /usr/bin/smbumount
```

To access a Windows® machine, first determine what volumes or shares it has. Use the smbclient command as follows:

```
smbclient -N -L alguna_maquina
```

Which will return something more or less like the following:

```
Anonymous Login successful
Domain=[MI-DOMAIN] OS=[Unix] Server=[Samba 3.0.7-1.3E]

    Sharename       Type      Comment
    ---------       ----      -------
    homes           Disk      Home Directories
    netlogon        Disk      Network Logon Service
    ftp             Disk      ftp
    IPC$            IPC       IPC Service (Samba Server 3.0.7-1.3E on my-server)
    ADMIN$          IPC       IPC Service (Samba Server 3.0.7-1.3E on my-server)
    epl5900         Printer   Created by redhat-config-printer 0.6.x
    hp2550bw        Printer   Created by redhat-config-printer 0.6.x
Anonymous Login successful
Domain=[MI-DOMAIN] OS=[Unix] Server=[Samba 3.0.7-1.3E]

    Server               Comment
    ---------            -------
    my-server            Samba Server 3.0.7-1.3E on my-server

    Workgroup            Master
    ---------            -------
    MI-DOMAIN            MI-SERVER
```

In the above example there is a shared volume called algún_volumen. If we want to mount it, we must create a mount point. It can be created in any directory on which we have write permission. To mount it, use the following command line:

```
smbmount //alguna_maquina/algún_volumen /point/of/mount/
```

If the Windows® machine requires a username and password, you can add to the above the options -o username=el_necesario,password=el_requerido,workgroup=mygroup
If the GNU/Linux distribution used is recent, you can also use the familiar mount command as follows:

```
mount -t smbfs -o username=el_necesario,password=el_requerido //alguna_maquina/algún_volumen /point/of/mount/
```

If an account named pcguest is created, similar to the account nobody, we can mount SMB volumes without entering a password but with restricted privileges, or those defined for a volume accessed by a guest user. This would be the method of choice for shared volumes in a local area network. You can create a pcguest account or let the system use the user nobody. If you opt for the former, just create the account and do NOT assign it a password. Mounting remote volumes as a guest user is very simple. A real example would be:

```
mount -t smbfs -o guest //LINUX/FTP /var/ftp
```

This mounts a Samba volume from one GNU/Linux machine on another GNU/Linux machine.
You can also add an entry in /etc/fstab so that you only have to type mount /point/of/mount. The line would be similar to the following:

```
//LINUX/FTP /var/ftp smbfs user,auto,guest,ro,gid=100 0 0
```

Remember that the shared volume must be configured to allow guest users:

```
[FTP]
    comment = free software equipment (RPMS)
    path = /var/ftp/pub
    public = Yes
    guest ok = Yes
```