Beyond Linux From Scratch - Version 6.2.0

Chapter 21. Major Servers

Samba-3.0.23d

Introduction to Samba

The Samba package provides file and print services to SMB/CIFS clients and Windows networking to Linux clients. Samba can also be configured as a Windows NT 4.0 Domain Controller replacement (with caveats working with NT PDC's and BDC's), a file/print server acting as a member of a Windows NT 4.0 or Active Directory domain and a NetBIOS (rfc1001/1002) nameserver (which amongst other things provides LAN browsing support).

Package Information

Samba Dependencies

Optional

popt-1.10.4, Linux-PAM-0.99.4.0, CUPS-1.2.7, OpenLDAP-2.3.27, Gamin-0.1.7, Heimdal-0.7.2 or MIT Kerberos V5-1.6, Python-2.4.4 (to build Samba API bindings for the Python installation), libacl (requires libattr), and Valgrind (optionally used by the test suite)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/samba3

Installation of Samba

Install Samba by running the following commands:

[Note]

Note

If you wish to run the test suite after the binaries are built, you must add the --enable-socket-wrapper parameter to the configure script below. You may want to run configure with the --help parameter first. There may be other parameters needed to take advantage of optional dependencies. 

cd source &&
./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --with-piddir=/var/run \
    --with-fhs \
    --with-smbmount &&
make

You must become the root user to run the test framework. To run the tests, issue: make test. If you have Linux-PAM installed and built the PAM library modules, you can perform a dlopen test by issuing: make test_pam_modules.

Now, as the root user: 

make install &&
mv -v /usr/lib/samba/libsmbclient.so /usr/lib &&
ln -v -sf ../libsmbclient.so /usr/lib/samba &&
ln -v -sf libsmbclient.so /usr/lib/libsmbclient.so.0 &&

chmod -v 644 /usr/include/lib{smbclient,msrpc}.h &&

install -v -m755 nsswitch/libnss_win{s,bind}.so /lib &&
ln -v -sf libnss_winbind.so /lib/libnss_winbind.so.2 &&
ln -v -sf libnss_wins.so /lib/libnss_wins.so.2 &&

install -v -m644 ../examples/smb.conf.default /etc/samba &&

install -v -m755 -d /usr/share/doc/samba-3.0.23d &&
install -v -m644 ../docs/*.pdf /usr/share/doc/samba-3.0.23d &&
ln -v -s ../../samba/swat  /usr/share/doc/samba-3.0.23d

If you passed the --with-python option to the configure script, issue the following command as the root user to install the Python extensions: 

make python_install

Command Explanations

--sysconfdir=/etc: Sets the configuration file directory to avoid the default of /usr/etc.

--localstatedir=/var: Sets the variable data directory to avoid the default of /usr/var.

--with-fhs: Assigns all other file paths in a manner compliant with the Filesystem Hierarchy Standard (FHS).

--with-smbmount: Orders the creation of an extra binary for use by the mount command so that mounting remote SMB (Windows) shares becomes no more complex than mounting remote NFS shares.

--with-pam: Use this parameter to link Linux-PAM into the build. This also builds the pam_winbind.so and pam_smbpass.so PAM modules. You can find instructions on how to configure and use the pam_winbind.somodule by running man winbindd.

mv -v /usr/lib/samba/libsmbclient.so ...; ln -v -sf ../libsmbclient.so ...: The libsmbclient.so library is needed by other packages. This command moves it to a location where other packages can find it.

install -v -m755 nsswitch/libnss_win{s,bind}.so /lib: The nss libraries are not installed by default. If you intend to use winbindd for domain auth, and/or WINS name resolution, you need these libraries.

ln -v -sf libnss_winbind.so /lib/libnss_winbind.so.2 and ln -v -sf libnss_wins.so /lib/libnss_wins.so.2: These symlinks are required by glibc to use the NSS libraries.

install -v -m644 ../examples/smb.conf.default /etc/samba: This copies a default smb.conf file into /etc/samba. This sample configuration will not work until you copy it to /etc/samba/smb.conf and make the appropriate changes for your installation. See the configuration section for minimum values which must be set.

Configuring Samba

Config Files

/etc/samba/smb.conf

Mounting Shares by Unprivileged Users

If it is desired for unprivileged users to directly mount (and unmount) SMB and CIFS shares, the smbmnt, smbumount, mount.cifs and umount.cifs commands must be setuid root. Note that users can only mount SMB/CIFS shares on a mount point owned by that user (requires write access also). If desired, change these programs to setuid root by issuing the following command as the root user: 

chmod -v 4755 /usr/bin/smb{mnt,umount}
              /usr/sbin/{,u}mount.cifs

Printing to SMB Clients

If you use CUPS for print services, and you wish to print to a printer attached to an SMB client, you need to create an SMB backend device. To create the device, issue the following command as the root user: 

ln -v -sf /usr/bin/smbspool /usr/lib/cups/backend/smb

Configuration Information

Due to the complexity and the many various uses for Samba, complete configuration for all the package's capabilities is well beyond the scope of the BLFS book. This section provides instructions to configure the /etc/samba/smb.conf file for two common scenarios. The complete contents of /etc/samba/smb.conf will depend on the purpose of Samba installation.

[Note]

Note

You may find it easier to copy the configuration parameters shown below into an empty /etc/samba/smb.conf file instead of copying and editing the default file as mentioned in the “Command Explanations” section. How you create/edit the /etc/samba/smb.conf file will be left up to you. Do ensure the file is only writeable by the root user (mode 644).

Scenario 1: Minimal Standalone Client-Only Installation

Choose this variant if you only want to transfer files using smbclient, mount Windows shares and print to Windows printers, and don't want to share your files and printers to Windows machines.

A /etc/samba/smb.conf file with the following three parameters is sufficient: 

[global]
    workgroup = MYGROUP
    dos charset = cp850
    unix charset = ISO-8859-1

The values in this example specify that the computer belongs to a Windows workgroup named “MYGROUP”, uses the “cp850” character set on the wire when talking to MS-DOS and MS Windows 9x, and that the filenames are stored in the “ISO-8859-1” encoding on the disk. Adjust these values appropriately for your installation. The “unix charset” value must be the same as the output of locale charmap when executed with the LANG variable set to your preferred locale, otherwise the ls command may not display correct filenames of downloaded files.

There is no need to run any Samba servers in this scenario, thus you don't need to install the provided bootscripts.

Scenario 2: Standalone File/Print Server

Choose this variant if you want to share your files and printers to Windows machines in your workgroup in addition to the capabilities described in Scenario 1.

In this case, the /etc/samba/smb.conf.default file may be a good template to start from. Also add “dos charset” and “unix charset” parameters to the “[global]” section as described in Scenario 1 in order to prevent filename corruption.

The following configuration file creates a separate share for each user's home directory and also makes all printers available to Windows machines: 

[global]
    workgroup = MYGROUP
    dos charset = cp850
    unix charset = ISO-8859-1

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    printable = yes

Other parameters you may wish to customize in the “[global]” section include: 

    server string =
    security =
    hosts allow =
    load printers =
    log file =
    max log size =
    socket options =
    local master =

Reference the comments in the /etc/samba/smb.conf.default file for information regarding these parameters.

Since the smbd and nmbd daemons are needed in this case, install the samba bootscript. Be sure to run smbpasswd (with the -a option to add users) to enable and set passwords for all accounts that need Samba access, or use the SWAT web interface (see below) to do the same. Using the default Samba passdb backend, any user you attempt to add will also be required to exist in the /etc/passwd file.

Advanced Requirements

More complex scenarios involving domain control or membership are possible if the right flags are passed to the ./configure script when the package is built. Such setups are advanced topics and cannot be adequately covered in BLFS. Many complete books have been written on these topics alone. It should be noted, however, that a Samba BDC cannot be used as a fallback for a Windows PDC, and conversely, a Windows BDC cannot be used as a fallback for a Samba PDC. Also in some domain membership scenarios, the winbindd daemon and the corresponding bootscript are needed.

There is quite a bit of documentation available which covers many of these advanced configurations. Point your web browser to the links below to view some of the documentation included with the Samba package:

Configuring SWAT

The built in SWAT (Samba Web Administration Tool) utility can be used for basic configuration of the Samba installation, but because it may be inconvenient, undesirable or perhaps even impossible to gain access to the console, BLFS recommends setting up access to SWAT using Stunnel. Without Stunnel, the root password is transmitted in clear text over the wire, and is considered an unacceptable security risk. After considering the security implications of using SWAT without Stunnel, and you still wish to implement SWAT without it, instructions are provided at this end of this section.

Setting up SWAT using Stunnel

First install, or ensure you have already installed, the Stunnel-4.15 package.

Next you must add entries to /etc/services and modify the inetd/xinetd configuration.

Add swat and swat_tunnel entries to /etc/services with the following commands issued as the root user: 

echo "swat            904/tcp" >> /etc/services &&
echo "swat_tunnel     905/tcp" >> /etc/services

If inetd is used, the following command will add the swat_tunnel entry to /etc/inetd.conf (as user root): 

echo "swat_tunnel stream tcp nowait.400 root /usr/sbin/swat swat" \
    >> /etc/inetd.conf

Issue a killall -HUP inetd to reread the changed inetd.conf file.

If you use xinetd, the following command will create the Samba file as /etc/xinetd.d/swat_tunnel (you may need to modify or remove the “only_from” line to include the desired host[s]): 

cat >> /etc/xinetd.d/swat_tunnel << "EOF"
# Begin /etc/xinetd.d/swat_tunnel

service swat_tunnel
{
    port            = 905
    socket_type     = stream
    wait            = no
    only_from       = 127.0.0.1
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
}

# End /etc/xinetd.d/swat_tunnel
EOF

Issue a killall -HUP xinetd to read the new /etc/xinetd.d/swat_tunnel file.

Next, you must add an entry for the swat service to the /etc/stunnel/stunnel.conf file (as user root): 

cat >> /etc/stunnel/stunnel.conf << "EOF"
[swat]
accept  = 904
connect = 905
TIMEOUTclose = 1

EOF

Restart the stunnel daemon using the following command as the root user: 

/etc/rc.d/init.d/stunnel restart

SWAT can be launched by pointing your web browser to https://<CA_DN_field>:904. Substitute the hostname listed in the DN field of the CA certificate used with Stunnel for <CA_DN_field>.

Setting up SWAT without Stunnel
[Warning]

Warning

BLFS does not recommend using these procedures because of the security risk involved. However, in a home network environment and disclosure of the root password is an acceptable risk, the following instructions are provided for your convenience.

Add a swat entry to /etc/services with the following command issued as the root user: 

echo "swat            904/tcp" >> /etc/services

If inetd is used, the following command issued as the root user will add a swat entry to the /etc/inetd.conf file: 

echo "swat stream tcp nowait.400 root /usr/sbin/swat swat" \
    >> /etc/inetd.conf

Issue a killall -HUP inetd to reread the changed inetd.conf file.

If xinetd is used, the following command issued as the root user will create an /etc/xinetd.d/swat file: 

cat >> /etc/xinetd.d/swat << "EOF"
# Begin /etc/xinetd.d/swat

service swat
{
    port            = 904
    socket_type     = stream
    wait            = no
    only_from       = 127.0.0.1
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
}

# End /etc/xinetd.d/swat
EOF

Issue a killall -HUP xinetd to read the new /etc/xinetd.d/swat file.

SWAT can be launched by pointing your web browser to http://localhost:904.

[Note]

Note

If you linked Linux-PAM into the Samba build, you'll need to create an /etc/pam.d/samba file.

Boot Script

For your convenience, boot scripts have been provided for Samba. There are two included in the blfs-bootscripts-20060910 package. The first, samba, will start the smbd and nmbd daemons needed to provide SMB/CIFS services. The second script, winbind, starts the winbindd daemon, used for providing Windows domain services to Linux clients.

The default Samba installation uses the nobody user for guest access to the server. This can be overridden by setting the guest account = parameter in the /etc/samba/smb.conf file. If you utilize the guest account = parameter, ensure this user exists in the /etc/passwd file. To use the default user, issue the following commands as the root user: 

groupadd -g 99 nogroup &&
useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \
    -s /bin/false -u 99 nobody

Install the samba script with the following command issued as the root user: 

make install-samba

If you also need the winbind script: 

make install-winbind

Contents

Installed Programs: eventlogadm, findsmb, mount.cifs, mount.smbfs, net, nmbd, nmblookup, ntlm_auth, pdbedit, profiles, rpcclient, smbcacls, smbclient, smbcontrol, smbcquotas, smbd, smbget, smbmnt, smbmount, smbpasswd, smbspool, smbstatus, smbtar, smbtree, smbumount, swat, tdbbackup, tdbdump, tdbtool, testparm, unmount.cifs, wbinfo and winbindd
Installed Libraries: libnss_winbind.so, libnss_wins.so, libsmbclient.so, libmsrpc.so, the pam_winbind.so and pam_smbpass.so PAM libraries, and assorted character set, filesystem and support modules.
Installed Directories: /etc/samba, /usr/lib/python2.4/site-packages/samba, /usr/lib/samba, /usr/share/doc/samba-3.0.23d, /usr/share/samba, /var/lib/samba and /var/log/samba

Short Descriptions

eventlogadm

is used to write records to eventlogs from STDIN, add the specified source and DLL eventlog registry entries and display the active eventlog names (from smb.conf).

findsmb

lists information about machines that respond to SMB name queries on a subnet.

mount.cifs

mounts a Linux CIFS filesystem. It is usually invoked indirectly by the mount command when using the -t cifs option.

mount.smbfs

is a symlink to smbmount which provides /bin/mount with a way to mount remote Windows (or Samba) fileshares.

net

is a tool for administration of Samba and remote CIFS servers, similar to the net utility for DOS/Windows.

nmbd

is the Samba NetBIOS name server.

nmblookup

is used to query NetBIOS names and map them to IP addresses.

ntlm_auth

is a tool to allow external access to Winbind's NTLM authentication function.

pdbedit

is a tool used to manage the SAM database.

profiles

is a utility that reports and changes SIDs in Windows registry files. It currently only supports Windows NT.

rpcclient

is used to execute MS-RPC client side functions.

smbcacls

is used to manipulate Windows NT access control lists.

smbclient

is a SMB/CIFS access utility, similar to FTP.

smbcontrol

is used to control running smbd, nmbd and winbindd daemons.

smbcquotas

is used to manipulate Windows NT quotas on SMB file shares.

smbd

is the main Samba daemon which provides SMB/CIFS services to clients.

smbget

is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.

smbmnt

is a helper application used by the smbmount program to do the actual mounting of SMB shares. It can be installed setuid root if you want unprivileged users to be able to mount their SMB shares.

smbmount

is usually invoked as mount.smbfs by the mount command when using the -t smbfs option, mounts a Linux SMB filesystem.

smbpasswd

changes a user's Samba password.

smbspool

sends a print job to an SMB printer.

smbstatus

reports current Samba connections.

smbtar

is a shell script used for backing up SMB/CIFS shares directly to Linux tape drives or a file.

smbtree

is a text-based SMB network browser.

smbumount

is used by unprivileged users to unmount SMB filesystems, provided that it is setuid root.

swat

is the Samba Web Administration Tool.

tdbbackup

is a tool for backing up or validating the integrity of Samba .tdb files.

tdbdump

is a tool used to print the contents of a Samba .tdb file.

tdbtool

is a tool which allows simple database manipulation from the command line.

testparm

checks an smb.conf file for proper syntax.

umount.cifs

is used by normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts.

wbinfo

queries a running winbindd daemon.

winbindd

resolves names from Windows NT servers.

Last updated on 2007-01-15 18:08:14 -0600