Upload: ali-abdo

Post on 16-Apr-2017

LPIC-302

Mixed Environment: Using Samba

Topic 310: Concepts, Architecture and Design

310.1 Concepts

310.2 Samba Roles

310.3 Trivial Database Files

Topic 311: Compile and Install Samba

311.1 Configure and Build From Source

311.2 Install and Upgrade Samba


Topic 312: Samba Configuration and Usage

312.1 Configure Samba

312.2 File Services

312.3 Print Services

312.4 Domain Control

312.5 SWAT Configuration

312.6 Internationalization


Topic 313: User and Group Management

313.1 Managing User Accounts and Groups

313.2 Authentication and Authorization

313.3 Winbind

Topic 314: Working with CIFS, NetBIOS, and Active Directory

314.1 CIFS Integration

314.2 NetBIOS and WINS

314.3 Integrating with Active Directory

314.4 Working with Windows Clients


Topic 315: Security and Performance

315.1 Linux File System and Share/Service Permissions

315.2 Samba Security

315.3 Performance Tuning


310.1 Concepts

Weight: 1

Description: Candidates should be familiar with the fundamental concepts surrounding SMB/CIFS, file sharing and print services in a mixed environment.

Topic 310
Concepts, Architecture and Design

Key Knowledge Areas:

Understand Server Message Block (SMB)/Common Internet File System (CIFS).

Understand file sharing concepts.

Understand print services concepts.


File and print sharing

The goal of file and print sharing is to let computers use disks and printers on other computers. This functionality allows more people to use the same expensive resources and to access those resources from anywhere. As central resources, files and printers can be more tightly controlled and audited.


Desirable attributes of a file and print sharing solution are:

The solution should be network independent, indifferent to the type of network (Ethernet, token ring) on which it is run.

Applications should not need to know whether they are accessing a file on a local disk or a remote one or whether they are printing to an attached or remote printer.

There should be some way to mediate simultaneous requests for the same resource, such as two people trying to print to a printer at the same time.

The solution should implement some type of authentication system to understand who is asking for a resource and an authorization system to decide whether the access should be granted.

There are several different ways to share files and printers. Many UNIX utilities, such as the Berkeley printing system, have been network aware since the early 1980s. Sun Microsystems introduced the Network File System (NFS) in 1984, which let UNIX computers mount file systems over the network. IBM and Microsoft came up with the SMB protocol to perform many network-sharing tasks, including sharing files and printers. File and print sharing can be performed by dedicated servers, by individual workstations, or by a combination of both.

File sharing

Even if a file is being shared from a workstation, the device that has the disk resource to share is called the server, and the devices accessing the disk are called clients. The server is said to either export the file system (in UNIX terms) or to share the disk or directory (in Windows terms). Clients then mount the file system as a local disk or connect to the share.

The nature of the sharing relationship can be temporary or long term.

Another feature related to file sharing is the concept of browsing. Browsing allows a client to find a server on the network, usually from a dynamically populated list.

Print sharing

A printer may not be attached directly to a server, so multiple levels of sharing could be occurring. When multiple clients have the same printer configured, they generally do so through a service called a spooler. The job of the spooler is to manage the list of print jobs, otherwise known as the print queue. As multiple people submit print jobs, the spooler stores the job to disk. Once the printer is unused, the spooler can send the job to the printer. Even though printers can be attached to the network, a server is usually used as the spooler, which in turn prints to the printer over the network. This is done for three reasons: first, the server is likely to have a larger spooling area than the printer. Second, the server can take care of access control. And third, the server can handle printer drivers.

SMB and CIFS

SMB is a protocol, not an implementation. The protocol has been implemented in many different operating systems, from Windows to UNIX and even to mainframe environments.

History

Andrew Tridgell developed the first version of Samba for Unix in December 1991. The protocol it implements dates from the early days of the PC, when IBM and Sytek co-developed a simple networking system designed for building small LANs. The system included something called NetBIOS, or Network Basic Input Output System. NetBIOS was a chunk of software that was loaded into memory to provide an interface between programs and the network hardware. It included an addressing scheme that was used to identify workstations and network-enabled applications. Next, Microsoft added features to DOS that allowed disk I/O to be redirected to the NetBIOS interface, which made disk space sharable over the LAN. The file-sharing protocol that they used eventually became known as SMB, and now CIFS.

SMB vs. CIFS

CIFS is technically a dialect of SMB. The SMB protocol has been modified over the years; CIFS is an enhanced version of the Server Message Block (SMB) protocol.

SMB protocol overview

NetBIOS (Network Basic Input/Output System) provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network.

As a client-server protocol, the client makes contact with the server. SMB started out requiring an application programming interface (API) layer called NetBIOS. This API provided several services that SMB used, as well as several services relating to name resolution and network browsing.

When used in conjunction with SMB, NetBIOS provides three key services to a Microsoft network:

Name services for finding hosts on the network

Session services for the reliable communication and transfers between a client and a server

Datagram distribution services for small messages and network broadcasts


SMB in the OSI stack

Figure 1 shows the Open Systems Interconnection (OSI) model, which is used to explain the interactions between network protocols. The OSI model describes the features necessary to have an application work over a network and breaks down the features into a series of layers. Each layer uses the services provided by the layers below it and provides services to the layers above it.



Uniform Naming Convention

Compare universal resource identifiers (URIs) such as http://ibm.com/developerworks. A URI identifies where you can find particular content. In the example URI, the host to ask for the content is ibm.com, and /developerworks refers to the resource on that host.

Uniform Naming Convention (UNC) paths identify Windows network resources. A UNC path looks like \\shorty\documents\public\photo.jpg. The UNC path starts with two backslashes (\\) followed by the name of the server, another backslash, and the name of the shared folder. After that is a path relative to the shared folder that specifies a path to the resource.
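As an added example (my code, not from the original slides), a small parser that splits a UNC path into its server, share and relative parts, rejects malformed or share-escaping paths, and produces the //server/share form that mount.cifs takes as its source argument. The names UncPath, parse_unc, cifs_source, relative_posix and local_path are my own, and the rejection of "." and ".." components is my validation rule, not something the slides state.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class UncPath:
    server: str
    share: str
    components: Tuple[str, ...]  # path below the share; empty for the share root


def parse_unc(path: str) -> UncPath:
    """Split \\\\server\\share\\dir\\file into its parts.

    Accepts the Windows backslash form and the //server/share form that
    mount.cifs and smbclient take. Rejects a path without both a server and
    a share name, empty components, and '.' or '..' components, so a path
    taken from user input cannot name something above the share it claims.
    """
    if not (path.startswith("\\\\") or path.startswith("//")):
        raise ValueError("UNC path must start with two separators: %r" % path)
    parts = path[2:].replace("/", "\\").split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC path needs a server and a share: %r" % path)
    server, share, rest = parts[0], parts[1], parts[2:]
    if rest and rest[-1] == "":
        rest = rest[:-1]  # tolerate one trailing separator on a directory
    for comp in rest:
        if comp in ("", ".", ".."):
            raise ValueError("bad path component %r in %r" % (comp, path))
    return UncPath(server, share, tuple(rest))


def is_valid_unc(path: str) -> bool:
    """True when parse_unc accepts the path."""
    try:
        parse_unc(path)
        return True
    except ValueError:
        return False


def cifs_source(u: UncPath) -> str:
    """The //server/share string mount.cifs expects as its source argument."""
    return "//%s/%s" % (u.server, u.share)


def relative_posix(u: UncPath) -> str:
    """The part below the share, as a POSIX-style relative path."""
    return "/".join(u.components)


def local_path(u: UncPath, mountpoint: str) -> str:
    """Where the resource appears once the share is mounted at mountpoint."""
    rel = relative_posix(u)
    base = mountpoint.rstrip("/") or "/"
    return base.rstrip("/") + "/" + rel if rel else base
```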

Samba

Samba consists of several daemons meant to run in the background and provide services, as well as several command-line tools. Some of the more notable binaries are:

smbd. This daemon acts as the SMB file and print server.

nmbd. This daemon provides the NetBIOS naming services.

mount.cifs. This utility mounts an SMB file system onto the local UNIX file system.

smbclient. This utility provides command-line access to SMB resources.

smb.conf. This is not a utility but rather the configuration file for all the tools, and therefore worth mentioning in the same context as the other binaries.

Samba Concepts

Samba, like other open source software, can be compiled from the source code or downloaded as part of your distribution. It is managed through system-initialization scripts and configuration files.

Moving forward

The next exam objective, 310.2, discusses the roles that the different Samba daemons play and the different security modes under which these daemons operate.

310.2 Samba Roles

Weight: 1

Description: Candidates should be aware of Samba's security modes and the key roles of the Samba daemons.

Key Knowledge Areas:

Understand Samba security modes

Identify roles of core Samba daemons

Manage Samba daemons


Samba isn't a single program; rather, it's a series of interrelated servers and utilities, each of which has its own specific purpose. Understanding the differences between these servers and utilities will help you manage your Samba system. Furthermore, Samba implements a number of different security models.


Identifying Samba daemons

Linux servers are often implemented as daemons. A Linux daemon runs in the background to perform some helpful task. The Samba server suite consists of several daemons, including smbd, nmbd, and winbindd.


Understanding smbd

The smbd program provides most of the core functionality of Samba, including:

Providing file and printer shares. This is the most important Samba feature.

Authenticating users. smbd authenticates users against a local database or passes authentication requests on to another computer.

Providing time services. Samba can tell other computers what the current time is.


By default, the smbd daemon binds to TCP ports 139 and 445. The SMB protocol uses port 139 through NetBIOS over TCP, which is the way many older clients use SMB/CIFS. Port 445 provides plain SMB over TCP services, which is how many newer clients access the Samba server. smbd can be considered the core of Samba. In fact, it's possible to connect to a computer that runs smbd alone by using a program such as Samba's own smbclient to perform file transfers.


Understanding nmbd

The second key Samba daemon is nmbd. This server's main duty is handling name-related tasks. You can think of it as Samba's own version of the Domain Name System (DNS), although it's both simpler to configure and much less sophisticated than DNS. Specific tasks that nmbd performs include:


Responding to name broadcasts. Clients broadcast name queries to an entire network segment. The nmbd server listens for such broadcasts and, when Samba is configured to use the name being queried, responds. It also responds when it's configured to function as a proxy for another computer or network.

Registering a NetBIOS name. For NetBIOS name resolution to work, computers must register their names, either with a centralized NetBIOS name server or by broadcasting the name and negotiating rights for it with the network as a whole. nmbd is responsible for doing this and also for negotiating with other computers that register their names.

Functioning as an NBNS server. Samba can be configured as an NBNS (NetBIOS name server) system.


Functioning as a master browser. Part of the user experience of an SMB/CIFS network is browsing: the ability to browse through the servers on a network much as you would browse through the directories on your hard disk.

As this list demonstrates, nmbd does a lot of work. Although they don't involve serving files or printers, many of these tasks are critical parts of any SMB/CIFS server, so nmbd should be considered a critical part of Samba. It's typically run along with smbd by a distribution's startup scripts. Most of nmbd's functions require it to bind to TCP port 137, but master browser duties involve User Datagram Protocol port 138.


Understanding winbindd

A third Samba daemon is the Winbind daemon, winbindd. Unlike smbd and nmbd, winbindd doesn't provide services for remote computers; it serves as an interface between a Samba domain controller and the local computer's own Pluggable Authentication Modules tools, enabling a domain controller to host Linux account information.


Controlling Samba

Controlling Samba involves at least two tasks: adjusting its configuration options using its configuration file, and changing its options on a temporary, on-the-fly basis. You accomplish the first task through Samba's configuration file, while the second can be done through the smbcontrol tool.


Adjusting configuration file options

The main Samba configuration file is called smb.conf and typically resides in /etc/samba, although it could be found in other locations. (If you build Samba from source, /usr/local/samba/lib is one common location.) The smb.conf file is composed of sections, each of which begins with a name in square brackets ([]), such as [global] or [documents]. Most sections define file or printer shares; the [global] section holds options that affect the server as a whole or that set default values used in subsequent share definitions. Lines in smb.conf can be comment lines that begin with a hash mark (#) or a semicolon (;). Other lines take the form:

parameter = Value

The parameter is a keyword, such as security or create mask. Parameter names are case-insensitive.


Controlling Samba with smbcontrol

You can use the smbcontrol program to control Samba as it runs. For example, you can tell Samba to shut down a specific share, force a master browser election, reload the configuration file, and so on. The basic syntax for this command is:

smbcontrol [-i] [-s configfile]
smbcontrol [destination] [message-type] [parameter]

When used with the -i option, smbcontrol enters an interactive mode in which you can pass a series of commands in sequence.


The destination is the server name or a process ID number. The message-type is a command, as summarized in Table 1. The parameter is an optional parameter that some commands may require.


Setting your security mode

Samba provides a number of options related to how users are authenticated. The most important of these is the security option, which takes five possible values:

Share. This mode attempts to emulate the authentication method that the Microsoft operating systems use.

User. This mode, which is the default, uses a user name and password for authentication, similar to the way Linux typically works.

Server. If you want Samba to relay to another server for authentication, use this authentication method. To a client, this method looks just like user-level authentication.


Domain. You can fully join a Windows domain using this method, which looks just like user-level authentication to clients. Unlike server-level authentication, domain authentication involves a more secure domain-level password exchange.

ADS. This authentication method works much like domain authentication; however, it requires an Active Directory Domain Services domain controller.


As a general rule, user-level authentication is the best choice if your Samba server is a member of a Windows workgroup, which is the basic form of an SMB/CIFS network. A workgroup differs from a domain mainly in that a domain provides a domain controller, which is a server that provides authentication services to the domain. To use a domain controller, you must use server, domain, or ADS-level security. Server-level security is the easiest to configure but the least secure, whereas ADS-level security is the most difficult to configure but the most secure.


To fully join a domain for domain- or ADS-level security, you must set several options in the [global] section of the smb.conf file:

password server = DOMCONT

domain logons = No

encrypt passwords = Yes

The DOMCONT system is the domain controller. You must also type the following command on the Samba server that should join the domain:

# net join member -U adminuser
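An added example, my own code rather than the slides' or Samba's, that parses an smb.conf in the form described under "Adjusting configuration file options" (bracketed sections, # or ; comment lines, case-insensitive parameter names, [global] supplying defaults to shares) and flags the security settings this section ranks as weakest or as inconsistent with joining a domain. The two sample configurations are constructed for the example, and the names parse_smb_conf, effective and security_findings are mine.

```python
import re
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

# Constructed sample: a server relaying authentication the way the slides rank
# as least secure, with password encryption switched off (not a real file).
WEAK_CONF = """\
# comment line: ignored
; so is this one
[global]
   workgroup = EXAMPLE
   Security = server
   password server = DOMCONT
   encrypt passwords = No
   create mask = 0644

[documents]
   path = /srv/samba/documents
   read only = no
"""

# The same member configured as the slides describe for domain-level security.
FIXED_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain
   password server = DOMCONT
   domain logons = No
   encrypt passwords = Yes
   create mask = 0644

[documents]
   path = /srv/samba/documents
   create mask = 0600
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
YES = ("yes", "true", "1")
NO = ("no", "false", "0")


def normalize_param(name: str) -> str:
    """Parameter names are case-insensitive; also collapse internal whitespace
    so 'Create  Mask' and 'create mask' map to the same key."""
    return " ".join(name.lower().split())


def parse_smb_conf(text: str) -> Conf:
    """Return {section: {parameter: value}} following the rules on the slides:
    a section starts with a bracketed name, whole lines starting with '#' or
    ';' are comments, everything else is 'parameter = value'."""
    conf: Conf = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            conf.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text before any section, or a malformed line
        name, value = line.split("=", 1)
        conf[current][normalize_param(name)] = value.strip()
    return conf


def effective(conf: Conf, share: str, param: str,
              default: Optional[str] = None) -> Optional[str]:
    """A share's value for a parameter, falling back to [global], which the
    slides describe as holding defaults for subsequent share definitions."""
    param = normalize_param(param)
    if param in conf.get(share, {}):
        return conf[share][param]
    return conf.get("global", {}).get(param, default)


def security_findings(conf: Conf) -> List[str]:
    """Flag [global] settings the slides rank as weak or as inconsistent with
    joining a domain. An empty list means nothing was flagged."""
    g = conf.get("global", {})
    findings: List[str] = []
    mode = g.get("security", "user").lower()  # user-level is the default
    if mode == "share":
        findings.append("security = share emulates per-share passwords "
                        "instead of user-level authentication")
    elif mode == "server":
        findings.append("security = server relays authentication to another "
                        "server; the least secure way to use a domain controller")
    if mode in ("domain", "ads"):
        if "password server" not in g:
            findings.append("security = %s without a password server naming "
                            "the domain controller" % mode)
        if g.get("domain logons", "no").lower() in YES:
            findings.append("domain logons = Yes on a domain member; the "
                            "join procedure sets it to No")
    if g.get("encrypt passwords", "yes").lower() in NO:
        findings.append("encrypt passwords = No: domain- and ADS-level "
                        "security require Yes")
    return findings
```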


310.3 Trivial Database Files

Weight: 2

Description: Candidates should understand the structure of trivial database files and know how to troubleshoot problems.

Key Knowledge Areas:

* Backup TDB files

* Restore TDB files

* Identify TDB file corruption

* Edit / list TDB file content

Topic 310
Concepts, Architecture and Design
Samba's Trivial Database files


Trivial Database (TDB)

Samba uses Trivial Database files to store both persistent and temporary data as part of its job integrating file and print sharing between Linux and Windows.


Overview

Backing up Samba Trivial Database (TDB) files

Restoring TDB files

Identifying TDB file corruption

Editing/listing TDB file content


Understanding TDB files

Samba stores a lot of information at run time, from local passwords to a list of clients it is expecting to hear from. Some of this data is short lived and can be discarded when Samba is restarted, but some of it is permanent and should not be lost. The data can either be too large or infrequently accessed to keep in memory, or it should persist across restarts. TDB is effectively a key-value store, meaning that data is stored and retrieved by means of a unique key and there is no joining of tables as in a relational database. Key-value stores, and TDB in particular, are designed to be fast ways to store data to disk and get it back.


Key-value stores

There are many alternatives to TDB, such as the GNU Database Manager (GDBM), but the Samba project had a special need for multiple processes writing to the database at the same time as well as support for locking internal pieces of data. Therefore, the team built their own database manager and called it the Trivial Database Manager. TDB has been extended to support clustered operation through the Clustered TDB (CTDB) project and is available for use by other projects.


TDB files used in Samba

Samba stores its TDB files in a few different places. The way to find these directories is to run smbd -b, which prints the paths Samba was built with:

# smbd -b
SBINDIR: /usr/sbin
BINDIR: /usr/bin
SWATDIR: /usr/share/swat
CONFIGFILE: /etc/samba/smb.conf
LOGFILEBASE: /var/log/samba
LMHOSTSFILE: /etc/samba/lmhosts
LIBDIR: /usr/lib
MODULESDIR: /usr/lib/samba
SHLIBEXT: so
LOCKDIR: /var/lib/samba
STATEDIR: /var/lib/samba
CACHEDIR: /var/lib/samba
PIDDIR: /var/run
SMB_PASSWD_FILE: /var/lib/samba/private/smbpasswd
PRIVATE_DIR: /var/lib/samba/private


Using TDB files

Samba comes with three tools for manipulating TDB files:

tdbdump: Print the contents of a TDB file.

tdbbackup: Back up and validate TDB files.

tdbtool: Create, view, and modify TDB files.


Using tdbdump on a TDB file

tdbdump /var/lib/samba/ntprinters.tdb

From the output of Listing 2, you can see that there are three keys in the database. The first key is 21 bytes long (the byte length is shown in parentheses [()]) and is called GLOBALS/c_setprinter followed by a NULL, which is ASCII zero. Non-printable characters are shown in hexadecimal format, which is a backslash followed by two hexadecimal characters. The value for the first key is 4 bytes long and it is entirely NULLs. The next two keys are called SECDESC/test and SECDESC/cups-pdf and are both NULL terminated. The data is entirely binary and unprintable, so it has been printed out with the non-printable characters in hexadecimal format.
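Since Listing 2 is not reproduced above, the following added example (my code, not Samba's or the slides') reconstructs a dump in the layout tdbdump prints that matches the description of the three keys, with the SECDESC values as constructed placeholder bytes, and parses it back into keys and values while checking that every declared byte length matches the decoded data. That length check is a quick way to spot a truncated or mangled dump; the names parse_tdbdump, unescape, is_consistent and key_name are mine.

```python
import re
from typing import List, Optional, Tuple

# Constructed dump in the layout tdbdump prints: each record sits between
# braces, key(N) and data(N) carry the byte length, printable characters
# appear literally and everything else as a backslash plus two hex digits.
# Backslashes are doubled only because this is a Python string literal.
# The SECDESC values are placeholder bytes, not real security descriptors.
SAMPLE_DUMP = """\
{
key(21) = "GLOBALS/c_setprinter\\00"
data(4) = "\\00\\00\\00\\00"
}
{
key(13) = "SECDESC/test\\00"
data(8) = "\\01\\00\\04\\80\\14\\00\\00\\00"
}
{
key(17) = "SECDESC/cups-pdf\\00"
data(8) = "\\01\\00\\04\\80\\14\\00\\00\\00"
}
"""

# Constructed dump whose declared lengths do not match the bytes shown, as a
# truncated or hand-edited dump might look.
BAD_DUMP = """\
{
key(21) = "GLOBALS/c_setprinter"
data(4) = "\\00\\00"
}
"""

ENTRY_RE = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')
HEXDIGITS = "0123456789abcdefABCDEF"


def unescape(field: str) -> bytes:
    """Turn one quoted tdbdump field back into raw bytes. A backslash always
    starts a \\XX escape (tdbdump writes a literal backslash as \\5C)."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\":
            pair = field[i + 1:i + 3]
            if len(pair) != 2 or any(c not in HEXDIGITS for c in pair):
                raise ValueError("bad escape %r at offset %d" % (field[i:i + 3], i))
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_tdbdump(text: str) -> List[Tuple[bytes, bytes]]:
    """Return [(key, data), ...]. Raises ValueError when a record is
    incomplete or a declared length disagrees with the decoded bytes."""
    records: List[Tuple[bytes, bytes]] = []
    key: Optional[bytes] = None
    data: Optional[bytes] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "{":
            key = data = None
            continue
        if line == "}":
            if key is None or data is None:
                raise ValueError("line %d: record closed without key and data" % lineno)
            records.append((key, data))
            key = data = None
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("line %d: unrecognised line %r" % (lineno, line))
        kind, declared, body = m.group(1), int(m.group(2)), m.group(3)
        decoded = unescape(body)
        if len(decoded) != declared:
            raise ValueError("line %d: %s declares %d bytes but holds %d"
                             % (lineno, kind, declared, len(decoded)))
        if kind == "key":
            key = decoded
        else:
            data = decoded
    return records


def is_consistent(text: str) -> bool:
    """True when every record parses and every length matches."""
    try:
        parse_tdbdump(text)
        return True
    except ValueError:
        return False


def key_name(key: bytes) -> str:
    """Key as text, without the trailing NUL the slides describe."""
    return key.rstrip(b"\x00").decode("ascii", errors="replace")
```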


Backing up and restoring TDB files

Like most databases, you can't just copy the file, because the copy might be corrupted. Backup corruption happens when you copy a file as it is being written, so that you have a backup that is in an inconsistent state. One alternative would be to shut down the Samba daemon and then copy the files. The other is the tdbbackup utility that comes with Samba. This utility safely copies a TDB file even if it is actively being written:

tdbbackup account_policy.tdb


Verifying and restoring a TDB file

tdbbackup -v account_policy.tdb

The tdbbackup command is run again but with the -v flag, which verifies a TDB file. If the file is corrupted, you will see a summary of the errors followed by a note that the file has been restored.


Changing TDB files

The tdbtool utility lets you make changes to the data inside a TDB file. This utility also inspects the individual keys and values within the file rather than having to dump the entire file and sort through the output.

tdbtool can accept commands on the command line, or you can open an interactive console. To accomplish your task on the command line, run tdbtool example.tdb command options, where example.tdb is the name of your file, command is the command, and the options to the command go at the end. To use the tdb shell, just run tdbtool by itself or pass the name of the file on the command line.


Using transactions

The transaction is first started with the transaction_start command. Next, a key is inserted. If another process were to be reading the database, it would not see this key, because it is not committed. The process with the transaction open does see the key. The transaction is then canceled with transaction_cancel. The key no longer appears. The process is then re-run, but the transaction is committed with transaction_commit. The key then exists for all readers. Other readers may be blocked if you are in a transaction, which means that they will hang until the transaction is finished. So be careful when using transactions on production databases! They are a great safety feature but can potentially hurt performance if overused.


Beyond TDB

User accounts can be stored in a variety of places depending on your configuration, and two tools, smbpasswd and pdbedit, give you a command-line interface while taking care of the back-end communication. For example, you can use the same commands even if your user data is stored in LDAP instead of TDB files.


Using smbpasswd

The smbpasswd utility can add and delete user or machine accounts and change passwords. It is most commonly used to perform the latter task, either to change the current user's password or by root to change another user's password.

Microsoft clients pass passwords around the network as a Microsoft-specific hash rather than plain text or a UNIX password hash. This means that it is not possible to take a Microsoft password hash and determine whether the password is the same as the password stored in the UNIX password database. Therefore, Samba must keep a separate password database for the Microsoft hashes; this is referred to as the password back end.


Using pdbedit

pdbedit manages the Samba user database and the account policies. It can do anything that smbpasswd can, plus manage policies and migrate accounts between different back ends.

To show all the users in the database, run pdbedit -L. You can get even more details about your users by passing the -v flag.


Moving forward

This is the end of the Concepts, Architecture, and Design topic. In the next article, you will begin Topic 311 by learning how to download the Samba source code and compile it.

Topic 311: Compile and Install Samba

311.1 Configure and Build From Source

Assembling Samba from scratch

Weight: 1

Description: Candidates should be able to compile Samba from source and resolve dependencies.

Key Knowledge Areas:

* Identify key Samba packages and content

* Identify and resolve dependencies

* Describe Samba software structure

* Knowledge of common Samba compilation options


Like most Linux software, Samba is open source, so you can obtain the original source code files used by its programmers and then compile a binary package for your own system. Doing so enables you to run newer software than your distribution maintainers provide, adjust compile-time options, set compiler features for optimum performance, and even modify the source code.

We will learn about these concepts:

Identify important Samba packages and their content.

Locate and install depended-upon software.

Describe the structure of the Samba software.

Identify important Samba compilation options.


Obtaining Samba source code

Samba source code is readily available from the Samba Web site, http://www.samba.org/samba/download/. If you're familiar with compiling and installing software from source code, you should have little trouble with Samba; however, because of the critical nature of Samba to many installations, you may want to take extra care to ensure that your software is what you believe it to be. You can download the Samba source code from the main Samba Web page. A link to the latest stable version appears on the main page. A download link for the next generation of Samba, version 4, also appears on the main page; however, Samba version 4 is in alpha testing and has been for years. Use it only if you must have its features or if you want to contribute to Samba development.


Verifying the software's authenticity

It's possible to decompress, compile, install, and use Samba without verifying the software's authenticity. However, given the server's critical importance, running the handful of commands required to verify its authenticity is generally a good idea. To do so, perform the following steps:

1. Ensure that you've downloaded the samba-version.tar.asc and samba-pubkey.asc files.

2. Type gunzip samba-version.tar.gz to decompress (not untar) the package file.

3. Type gpg --import samba-pubkey.asc to import the Samba public key into your GPG key ring.

4. Type gpg --verify samba-version.tar.asc to verify the signature. The program should respond with a message indicating whether the signature is good.


The output is likely to continue with a message to the effect that the key is not certified with a trusted signature. This message highlights a limitation of the verification procedure just described: if the main Samba Web site were compromised, the attacker could have replaced the Samba package and both keys with fake versions, which could fool you into accepting the bogus keys. You can protect yourself to some extent by using the --keyserver wwwkeys.pgp.net option to gpg in step 4. This option causes gpg to retrieve a key from wwwkeys.pgp.net as part of the verification process. Somebody distributing a fake Samba package would then need to compromise this key server in addition to the Samba server.


Unpacking the tarball

Assuming that your package has passed its verification step (or if you don't want to bother with that step), you can unpack your source code tarball. Do so in your home directory or in a directory such as /usr/src/, which is intended to hold source code for locally installed software. If you unpack the source code in /usr/src/, you may need to acquire root privileges to do so or change the permissions on /usr/src/ to enable an ordinary user to write to that directory. However you do it, change to the base of the directory in which you want to untar the source code. Then, type one of the following commands, depending on whether you already decompressed the tarball during verification:

$ tar xvf ~/samba-version.tar
$ tar xvzf ~/samba-version.tar.gz


Compiling Samba

With the source code now available, you can begin the compilation process. Before you jump in, though, check that you have the necessary prerequisite software on your system. You must then configure the software before performing the actual compilation. You may run into problems that you'll have to resolve, as well.


Installing prerequisite software

To compile Samba, a number of other software packages must be available, the most notable of which is GCC. The Samba code also relies on several other libraries, software packages that provide support functions for other programs' use. These libraries are probably already installed on your computer, but to compile a program you need the libraries' header files, which are often installed in separate packages with names that end in -dev or -devel. Ensure that the libc or libc6 development libraries are installed.


Configuring Samba

To configure Samba, first change to the source3 subdirectory of the main Samba source code directory. This directory holds the source code for the main Samba package.

Note: Other subdirectories off of the main Samba source code directory hold the source code for ancillary programs, support programs, documentation, and so on. For instance, the client subdirectory holds files related to Linux's ability to mount SMB/CIFS shares as a client; the swat subdirectory holds source code for the Samba Web Administration Tool (SWAT). Building the main Samba package also compiles some of these programs, but you may need to compile others manually. Compiling the main body of Samba, in the source3 subdirectory, builds the critical smbd and nmbd server programs along with support libraries and many related tools.


Compiling the software

./configure --without-ldap
make
make install


Resolving problems

Unfortunately, configuration and compilation sometimes fail. The most common cause of such problems is a missing library. If the configure step fails, you're likely to see a message near the end of the output that specifies what's missing; for instance, the message may indicate that it can't find Pluggable Authentication Module libraries. You should then use your system's package management tools, such as Synaptic or Yumex, to search for and install the relevant software. Remember that you may need to install the development libraries separately from the main library package.

Topic 311: Compile and Install Samba

Moving forward

The LPIC-3 311.2 objective, and the next article in this series, describe how to install Samba from source and from binary packages. This task necessarily includes launching the Samba server programs, smbd and nmbd. (Additional servers handle ancillary tasks, such as SWAT for Web-based configuration.)

Topic 311: Compile and Install Samba

Install and upgrade Samba

Like most software, Samba must be installed before it can be used. Several methods of doing this exist, but they fall into two broad categories: compiling and installing from source code and installing pre-built binary packages. The former is the more difficult but also more flexible option, while the latter is quite easy on most Linux distributions but locks you into the decisions your distribution maintainer has made concerning supported versions, patches applied, compile-time options enabled, and so on.

We will learn about these concepts:

Install Samba packages.
Install Samba binaries you've compiled yourself.
Upgrade an existing Samba installation.

Topic 311: Compile and Install Samba

Choosing an installation method

The method you use to install Samba depends on your Linux distribution, the tools available to you, and your needs. Although RPM and Debian (Deb) packages are usually the best and easiest choice, only installation from source code is possible on all Linux systems. The easiest way to install Samba is invariably to install a Samba binary package provided by the distribution maintainer, and the installation process usually finishes in a few seconds.

In most cases, you should install Samba from an RPM, Debian package, or other distribution-specific binary package. Source code installation makes sense mainly if this isn't possible or if you have special needs that require unusual customization during the build process.

Topic 311: Compile and Install Samba

Upgrading to a new version using source code

If you've previously installed Samba from source code, following the procedure just described renames the old program files with the .old extension. Typing make revert reverts to the old versions, should you decide the new version isn't working properly. If you want to completely remove an old version of Samba that was installed from source code, you should change into that version's source code directory and type make uninstall. This command removes the installed software. You can then install a new version (from source code or from a binary package) without fear of conflict between the two versions.

Topic 311: Compile and Install Samba

Installing an RPM

RPM is a popular and powerful package management system. You can install software by downloading RPM files and using the rpm command to install them, or you can use a meta-packaging system, such as the Yellowdog Updater, Modified (YUM), to handle some details. To install a package using YUM, you use the yum command as root:

yum install samba

Note: Samba package names vary from one distribution to another. It's possible you'll need to install the package using a name other than samba, such as samba-server. The name samba works with Fedora Linux.

Topic 311: Compile and Install Samba

Installing a Debian package

Debian packages are similar to RPM packages, but the details of the utilities used to manipulate the packages differ. Debian and Ubuntu are the major distributions that use Debian packages, although several others also use this package type.

Installing using APT

The Advanced Package Tool (APT) is similar to the YUM suite used by many RPM-based distributions. (APT is also available for many RPM-based distributions, and at least one, PCLinuxOS, uses APT by default.) Before installing Samba, it's best to force APT to obtain the latest package lists. You can do this using apt-get and its update subcommand, and then install the package:

# apt-get update
# apt-get install samba

Topic 311: Compile and Install Samba

Launching Samba

If you install Samba using a binary package, it will include a startup script to launch Samba when you reboot. You should use your local startup management tools, such as chkconfig (common on Fedora and related distributions) or rc-update

Note: Although it's possible to run Samba via a super server such as inetd or xinetd, if you've installed Samba from source code you will have to create your own startup script or launch the server via an entry in a local startup script, such as /etc/rc.d/rc.local or /etc/init.d/rc.local. Typically, you'll want to launch both the smbd and nmbd servers and pass them both the -D option, which causes the servers to run as daemons. A minimal configuration looks like this:

/usr/local/sbin/nmbd -D
/usr/local/sbin/smbd -D

Topic 302 : Configure Samba

Samba uses a human-readable file to manage and store its configuration parameters, so the most sophisticated tool you'll need to configure Samba is a text editor. Learn how the configuration file is structured, how Samba interacts with the network, how to configure logging, and how to debug problems with Samba.

We will learn to:

Navigate the Samba server configuration file structure
Use Samba variables and configuration parameters
Identify key TCP/User Datagram Protocol (UDP) ports used with Server Message Block (SMB)/Common Internet File System (CIFS)
Configure Samba logging
Troubleshoot and debug problems with Samba

Topic 302 : Configure Samba

The Samba configuration file

Samba, like most UNIX daemons, is configured through text files that are human readable, rather than through a graphical tool for binary file editing. The most important configuration file is called smb.conf, which contains all the parameters that Samba needs to run in your environment.

Note: Although smb.conf was designed to be edited with a text editor, the Samba team has come up with a web-based tool called the Samba Web Administration Tool. Alternatives, such as webmin, also exist. It is important to remember that you can still edit smb.conf before or after these tools have been run, because you're operating on a text file.

Topic 302 : Configure Samba

Samba's configuration file has a fairly simple format that uses three different constructs:

Sections. Sections group the configuration into independent areas. For example, a file share has its own section.

Parameters. Parameters are key-value pairs. The keys are well-known attributes such as "read only."

Comments. Comments let you make annotations to the configuration file that don't affect the configuration, such as to indicate the help desk ticket that documents the share.

Topic 302 : Configure Samba

Sections

Sections group the configuration file into different areas. You start a section by enclosing the name of the section in square brackets ([]). The section continues until the next section is defined or the end of the file is reached. Three section names have special meaning:

global. Anything in this section applies to the whole server. Configuration items in the global section can be overridden at the share level, if needed.

homes. The homes section serves as a template for all user shares, and Samba takes care of mapping a user name to the configuration in this section, virtually eliminating the need to configure a separate share each time you want to let a user into his or her home directory.

printers. Similar to homes, except that it's used for printers.

If the section name used is not one of the above, it is considered a file or printer share.

Topic 302 : Configure Samba


When a connection request comes in to Samba for a particular share name, the daemon looks for a section with that name that would define the properties of that share. If the section is not found, Samba looks through the list of users on the system to see whether the connection refers to a user. If not, Samba consults the list of system printers to see if a printer by that name exists. If the connection matched a user, the configuration for the homes section is used. If the printer was matched, the printers section is used. In all cases, the section-level configuration overrides the global configuration section. If none of the above cases is matched, there is one final check. If a default service is configured, that service is used. If not, an error is passed back to the client. By default, the default service is not configured, so incorrect share names will result in an error.

Topic 302 : Configure Samba

Parameters

Parameters take the form key = value, which assigns the value to the key. The keys are all documented in the smb.conf man page. Samba configuration is largely an exercise in understanding which keys are needed to achieve the behavior you want and determining the appropriate value to use.

Parameters generally take strings as values. Samba does support macros, which allow you to vary the value of the parameter according to items like the share name or input from the user. For example, the homes section defaults to the user's UNIX home directory, but you can use macros to make this parameter use any location and substitute the user name into the file path at the time of connection. Macros start with the % character and will be discussed as they are required. If a parameter's value must extend over two or more lines, all lines except the last must end in a backslash (\), just like a UNIX shell.

Topic 302 : Configure Samba

Comments

Comments begin with a semicolon (;) or octothorpe (hash, or #). Comments can be used to explain the reason for items, to track changes, or to indicate section boundaries.

Topic 302 : Configure Samba

An example configuration

See Page 4 lpic-312-1

Some special things to note about this example configuration are:

Two different styles of comments are used. One begins with a hash, the other begins with a semicolon.
This file defines one share called projecta. Any other shares will be automatically created from the users and printers defined on the system.
The server string parameter uses the %v macro for part of its value. At run time, %v will be replaced with the version of Samba.
hide dot files is set to yes at the global level but set to no inside the projecta share. Home directories use the configuration from the homes section and so will have their dot files (such as .profile) hidden. Files in projecta will have their dot files visible.
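As an added example (not part of the original slides or Samba's own code), here is a small Python parser for the three smb.conf constructs described above, sections, key = value parameters with backslash continuation, and ; or # comments, together with the share lookup order the slides give: explicit section, then [homes] for a UNIX user, then [printers] for a system printer, then default service, with share-level keys overriding [global]. The sample configuration, the version string "4.x", the host name phoenix, and the user and printer lists are constructed; only the %S, %v and %h macros are handled.

```python
import re

# Constructed sample smb.conf modelled on the configuration the slides describe:
# a projecta share, %v in 'server string', and 'hide dot files' overridden per share.
SAMPLE_SMB_CONF = """\
# Global settings
[global]
   workgroup = EXAMPLE
   server string = Samba %v on %h
   hide dot files = yes
   ; a long value continued with a trailing backslash, as in a UNIX shell
   hosts allow = 192.168.1. \\
                 127.
[homes]
   comment = Home Directories
   writable = yes
   valid users = %S
[printers]
   path = /var/spool/samba
   printable = yes
[projecta]
   path = /srv/projecta
   hide dot files = no
   writable = yes
"""

# Constructed values for the macros used above (a real server fills these in itself).
SAMBA_VERSION = "4.x"
SERVER_NAME = "phoenix"
RESERVED = {"global", "homes", "printers"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Section names and keys are case-insensitive in Samba, so both are
    lower-cased; lines starting with ';' or '#' are comments; a trailing
    backslash joins a value with the following line.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def expand_macros(value, share):
    """Substitute %S (share name), %v (Samba version) and %h (host name)."""
    return value.replace("%S", share).replace("%v", SAMBA_VERSION).replace("%h", SERVER_NAME)


def _find_template(conf, name, unix_users, printers):
    """Explicit section first, then a UNIX user served from [homes], then a
    system printer served from [printers]; None if nothing matches."""
    if name in conf and name not in RESERVED:
        return dict(conf[name])
    if name in (u.lower() for u in unix_users) and "homes" in conf:
        tmpl = dict(conf["homes"])
        tmpl.setdefault("path", f"/home/{name}")  # stands in for the passwd home directory
        return tmpl
    if name in (p.lower() for p in printers) and "printers" in conf:
        return dict(conf["printers"])
    return None


def resolve_share(conf, requested, unix_users=(), printers=()):
    """Return the effective parameters for a connection to `requested`, or
    None where Samba would pass an error back to the client."""
    name = requested.lower()
    tmpl = _find_template(conf, name, unix_users, printers)
    if tmpl is None:
        fallback = conf.get("global", {}).get("default service")
        if fallback:                     # a mistyped share name lands here
            name = fallback.lower()
            tmpl = _find_template(conf, name, unix_users, printers)
    if tmpl is None:
        return None
    effective = dict(conf.get("global", {}))  # share-level keys override [global]
    effective.update(tmpl)
    return {k: expand_macros(v, name) for k, v in effective.items()}
```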

Topic 302 : Configure Samba

Samba network interaction

Samba is a network service that runs over IP, which allows it to communicate with other hosts on the network that are also using IP. As a Samba administrator, you need to understand how the Samba services behave on the network to troubleshoot connectivity problems. At a high level, you can look at Samba as offering three different kinds of network services:

File and print sharing. Offering files and printers to other network devices and using those services on other machines

Name services. Name resolution services necessary to participate in a Microsoft network

Domain services. Samba can replace various Microsoft server roles, such as a legacy domain controller, and integrates with newer Active Directory Domain Services (AD DS) servers

Topic 302 : Configure Samba

File and print sharing

File and print sharing are implemented within smbd, which is one of the Samba daemons. Microsoft file sharing used network basic input/output system (NetBIOS) over TCP when it first moved into the IP world. This method encapsulated NetBIOS content inside a TCP session using TCP port 139. The NetBIOS protocol encompasses several features. TCP port 139 is used only for the session services, which are file transfer and message passing. The name lookup services are not handled on this port. NetBIOS over TCP works, but there is overlap between the session and reliability features provided by NetBIOS and those provided by TCP. With some subtle changes, it became possible to run SMB/CIFS right on top of TCP. This method is known as direct hosting and is used to simplify the protocol. Direct hosting occurs on TCP port 445.

Topic 302 : Configure Samba

Name services

NetBIOS provides a name services layer responsible for network browsing and name lookups. For example, the host SERVER1 is resolved to an IP address by using NetBIOS name service requests on UDP port 137. Support for browsing and election of support roles such as the master browser happens on UDP port 138, otherwise known as the datagram services port. Name services are implemented within the nmbd daemon. It is important to note that the name services use UDP instead of TCP. UDP packets are connectionless and can be broadcast to all hosts instead of a single unicast stream. With UDP's broadcast functionality, NetBIOS name services can be made easier to process on the network. Samba version 3 does not have any parameters to control which ports nmbd listens on, but Samba version 4 implements the nbt port and dgram port global parameters, which control the name service and datagram services ports, respectively.

Topic 302 : Configure Samba

Domain services

The Samba team is constantly updating the software to make it integrate more closely with Microsoft networks and to replace Microsoft infrastructure. To do so, Samba must emulate these infrastructure services on the network. Most of these services involve Kerberos and the Lightweight Directory Access Protocol (LDAP) in some way. These are advanced topics and will be covered in more depth in later articles. For the moment, just be aware that Samba can do more than just file sharing.

Summary of the ports that Samba uses: see page 8 of 312-1

Topic 302 : Configure Samba

Troubleshooting Samba problems

Samba is not immune to problems. Sometimes, these problems are caused by the system administrator; sometimes they're caused by the user. Your job as the system administrator is to figure out where the problem lies, then how to solve it.

Testing the configuration file

If Samba won't start or you want to check your configuration file for correctness, then the testparm utility will help:

testparm /etc/samba/smb.conf

see page 8 312-1

Topic 302 : Configure Samba

Connecting as a client

The first and easiest test is to make sure that you can connect to the Samba port. The easiest way to do this is with the telnet command.

telnet 10.10.5.30 139

Performing a NetBIOS name query for bob

nmblookup master

Checking access with testparm

testparm /etc/samba/smb.conf

see page 11 312-1

Topic 302 : Configure Samba

Showing a machine's shares

smbclient -L '\\bob'

see page 12 312-1

Connecting to a share with a different user name and domain

see page 12 312-1

Logging and debugging

see page 13-14-15 312-1

Topic 302 : Configure Samba

Learn how to create and configure file shares in a mixed environment

We will learn to:

Create and configure file sharing.
Plan a file service migration.
Hide the administrative share.
Create scripts for user and group handling of file shares.
Use command-line tools relating to file shares.

Topic 302 : Configure Samba

Creating file shares

Recall from the previous article that Samba understands any section inside smb.conf other than homes, printers, and global to be a share name. Besides the name of the share, mapping the share name to a location on disk is the other important piece of information. Here is the simplest useful share:

[tmpdir]
path = /var/tmp

This code defines a share called tmpdir that maps to /var/tmp on the Samba server. For example, if the server were named phoenix, then users would be able to access that file share with the Universal Naming Convention (UNC) path \\phoenix\tmpdir. This sparse configuration is not useful, however: The default setting for a share is to be read-only, so the share above would not be writable.

Topic 302 : Configure Samba

Using security parameters

Samba has many security-related parameters that control access. Many of these parameters affect the interaction between Samba and the underlying UNIX file permissions and are not discussed in this article. However, a few more general parameters are discussed here. Server Message Block (SMB) servers, including native Microsoft implementations, have a share called IPC$, which is the interprocess communication share and is used to execute software functions over a network. A share ending in a dollar sign ($) is considered hidden and not shown in Microsoft clients, even though the server will advertise the existence of the share. Samba creates the IPC$ share even though it may not exist in smb.conf. If you create the share, you can control access to it. Here is an example of a restricted IPC$ share:

[IPC$]
hosts allow = 192.168.1.0/255.255.255.0
browsable = no

Topic 302 : Configure Samba

Home shares

It is common to give users a home directory for their personal files. Each user in the UNIX password file has a home directory assigned. You can easily export any number of home directories through Samba without having to type a separate configuration section by using the [homes] section. When someone requests a share called joe, Samba looks for a configured share called joe; if Samba doesn't find that share, it looks for a user by the same name. If the user is found, Samba then uses the configuration in the [homes] section as a template for this share.

[homes]
comment = Home Directories
writable = yes
browsable = yes
valid users = %S

Topic 302 : Configure Samba

The configuration in Listing 1 performs these tasks:

Begins the configuration of the homes section
Assigns a comment, which is shown to people looking at the details of available file shares on that server
Marks the share as writable so that users can make changes to their home directory
Indicates that the share can be seen when users browse for a list of shares; they will see both homes and a share with their user name
Limits the users who can connect to this share to the user who owns the share

Note the use of the %S macro in Listing 1: This macro expands to the name of the share. Because the user name is the same as the share, the valid users

Topic 302 : Configure Samba

Dealing with mixed case

The case of a file or directory name does not matter in the Microsoft realm. That is, FILE, file, and FiLe all refer to the same file. In Linux, however, case is important, so those three files would all be different. Samba needs to know how to map between these two worlds to resolve any conflicts. This case-mapping process is part of a larger process called name mangling. A few parameters affect mangling of file name case. The most important parameter is case sensitive, which can be yes, no, or auto. If case sensitive is enabled, Samba uses whatever case the client requests. If this setting is disabled, Samba looks through the directory for a case-insensitive match. One problem with case sensitivity is that, set incorrectly, you might not be able to access some files. Consider a directory with two files, one called test and the other called TEST. If Samba doesn't use case-sensitive access, then it is unable to differentiate between the two files. The default for this setting is auto,

Topic 302 : Configure Samba

The default case and preserve case parameters work with each other. If preserve case is set to yes, then whatever the client sets is used. If preserve case is set to no, then the value of default case is used to determine the case of the newly created file.

Topic 302 : Configure Samba

Enabling Usershare

Users can create their own shares without having to modify smb.conf by using a feature called Usershare. After the administrator enables the Usershare feature, regular users use a command-line tool to export directories of their choosing. Users can also delete their shares when they are done. The first step to using Usershare is to enable the feature at the global level.

[global]
usershare path = /var/lib/samba/usershares
usershare max shares = 5
usershare prefix allow list = /home
usershare prefix deny list = /var, /usr

Topic 302 : Configure Samba

in the [global] section. First, the usershare path defines a directory that Samba uses for the configuration related to the user share. There are several restrictions on this directory that will be explained later. Next, a limit on the number of user shares is imposed. The last two parameters show how to restrict the directories that can be shared. usershare prefix allow list restricts all the shares to the given directories; in this case, the shares must come from under /home. usershare prefix deny list takes the opposite approach and allows anything except the given directories. Samba imposes two other restrictions on user shares. First, the usershare path must be writable by the user creating the share, and the directory must have the sticky bit set (1000 or +t). Second, the user must own the directory being shared unless usershare owner only is set to false.

Topic 302 : Configure Samba

# mkdir -p /var/lib/samba/usershares
# chown root:usershares /var/lib/samba/usershares
# chmod 1770 /var/lib/samba/usershares

The first command creates the directory and any required parent directories. The next command sets the user and group ownership of the directory to root and usershares, respectively. The final command sets the owner and group permissions of the directory to Read/Write/Execute, denies access to everyone else, and sets the sticky bit. Thus, only root and members of the usershares group can use this directory; by virtue of the sticky bit, only the owner of a file can delete the file.

Topic 302 : Configure Samba

Setting up the share is perhaps the most difficult part of the exercise. A user can run:

The above command exports /home/me/Documents as a share called docs with FullControl for everyone. Other commands allowed are:

net usershare list lists the user shares the user has created.
net usershare info docs shows the configuration of the docs share.
net usershare delete docs removes the docs share.
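The Usershare restrictions described above (a writable, sticky-bit usershare path; the exported directory owned by the user unless usershare owner only is false) are easy to get wrong and silently leave shares unusable or, if the directory is left world-writable, let any local user drop in share definitions. The following is an added Python check, not code from the slides or from Samba, that verifies those prerequisites against a directory; the demo recreates the mkdir/chmod 1770 steps in a temporary directory and assumes the tests run as an ordinary POSIX user or root.

```python
import os
import stat
import tempfile


def check_usershare_path(path, uid, gids):
    """Return the problems found with a 'usershare path' directory (an empty
    list means it is acceptable): it must exist, be a directory, be writable
    by the user who will create shares (uid and group set gids), and carry
    the sticky bit so users cannot delete each other's share definitions."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit (chmod 1000 / +t) is not set")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local user could add share definitions")
    owner_ok = st.st_uid == uid and mode & stat.S_IWUSR
    group_ok = st.st_gid in gids and mode & stat.S_IWGRP
    if not (owner_ok or group_ok):
        problems.append("not writable by the user who will create shares")
    return problems


def check_share_target(directory, uid, owner_only=True):
    """Apply the 'usershare owner only' rule: unless that parameter is set to
    false, the user must own the directory being exported."""
    st = os.stat(directory)
    if not stat.S_ISDIR(st.st_mode):
        return False
    return (not owner_only) or st.st_uid == uid


def demo():
    """Constructed scenario in a temporary directory: mirror the mkdir/chmod
    steps from the slides, then drop the sticky bit to show the check fail."""
    me = os.getuid()
    my_groups = set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as tmp:
        ushare = os.path.join(tmp, "usershares")
        os.mkdir(ushare)
        os.chmod(ushare, 0o1770)          # same bits as 'chmod 1770' in the slides
        with_sticky = check_usershare_path(ushare, me, my_groups)
        os.chmod(ushare, 0o770)           # sticky bit removed: should be reported
        without_sticky = check_usershare_path(ushare, me, my_groups)
        target_ok = check_share_target(tmp, me)          # owned by the caller
        target_other = check_share_target(tmp, me + 1)   # some other uid
        return with_sticky, without_sticky, target_ok, target_other


if __name__ == "__main__":
    for label, result in zip(("1770", "0770", "own dir", "other uid"), demo()):
        print(f"{label}: {result}")
```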

Topic 302 : Configure Samba

Command-line tools

Samba comes with several command-line tools. Through the libsmbclient that Samba provides, other people have made SMB/Common Internet File System (CIFS) utilities that are in common use. One striking difference between UNIX and Windows is that UNIX has one big file system, where Windows has a series of drive letters. The smbclient utility lets you browse a remote Windows share in a File Transfer Protocol (FTP)-like interface, but to be transparent to applications, a remote Windows share should be mountable like any other file system. Samba comes with a utility called smbmount, which is sometimes repackaged as mount.cifs. You can call this command directly or through the mount command. Listing 3 shows a Linux system mounting a remote CIFS share onto the regular file system.

Topic 302 : Configure Samba

Mounting a remote CIFS share

# mount -t cifs '\\192.168.1.134\docs' /mnt -o user=myuser
Password:
# mount

The first command mounts a CIFS file system on the given UNC path and places it on /mnt. Other than the UNC path, this looks like a standard mount invocation. Options are passed with the -o option. The only option needed here is the user name. The mount.cifs man page outlines all the other options, which can include a password and a domain. If you don't specify a password, you will be prompted for one. Finally, the mount command shows the mounted file system.

Topic 302 : Configure Samba

Migrating file shares

When you move file services from one server to another, users may forget to access the new server. Samba allows you to have your server respond to another name. For example, if you move file shares from a server called phoenix to a server called fs2, you can have fs2 respond to requests for phoenix. You will, of course, have to make sure that phoenix doesn't respond, either by turning it off or renaming it. To add an alias to a server, use the netbios aliases global parameter. If you want to change the name of a Samba server to something other than the UNIX name of the server, use the netbios name parameter. The commands you have learned so far about mounting file systems will also be helpful in copying files from one server to another in preparation for a migration. You may also wish to use UNIX utilities like rsync to help out.

Topic 312: Samba Configuration and Usage

312.3 Print Services

Weight: 2

Description: able to create and manage print shares in a mixed environment.

Key Knowledge Areas:

Create and configure printer sharing.

Configure integration between Samba and CUPS.

Manage Windows print drivers and configure downloading of print drivers.

Configure [print$]

Understand security concerns with printer sharing

Setup and manage print accounting

Topic 312: Samba Configuration and Usage

Print Services

File serving is considered by most to be Samba's bread and butter. However, pulling up a close second in justifications for deploying Samba is its capability to centrally manage printers and to make them available across a network to Windows clients. We will focus on the steps necessary to add print services to Samba's configuration as well as the details for sending print jobs from Unix and Linux clients to remote SMB/CIFS printers via smbclient. Because Samba relies on a functioning, underlying print system, we will concentrate on sharing printers that have previously been configured on the server.

Topic 312: Samba Configuration and Usage

Print Shares

Samba at heart is not a printing system, but rather a spooling system. Its mantra is, "If Unix can print to it, so can I." To implement this philosophy, it must define a mechanism (an external command or software library) to use when performing operations such as printing spooled jobs, retrieving a list of jobs in a queue, or pausing a printer.

Topic 312: Samba Configuration and Usage

The process of sending a print job to a Samba printer.

The client opens the spool file on the server, writes the file in its entirety, and then closes the file, indicating that the job is ready to be printed.

This series of events has some important implications:

The smbd daemon can hand the spooled job over to the server's printing system only after the entire file has been transmitted.

The spooled job must be in a format that can be sent directly to the Unix print queue. Generally, this means no special Windows meta formats.

Topic 312: Samba Configuration and Usage

312.4 Domain Control

Weight: 4

Description: able to set up and maintain primary and backup domain controllers, and manage Windows/Linux clients' access to the domain

Key Knowledge Areas:
* Understand domain membership
* Create and maintain a primary domain controller
* Create and maintain a backup domain controller
* Add computers to an existing domain
* Configure logon scripts, configure roaming profiles, configure system policies

Topic 312: Samba Configuration and Usage

Our discussion of Samba up to this point has focused on file and print servers that authenticate users against a local set of accounts; these accounts had to previously be added to the system hosting Samba using either pdbedit or smbpasswd. Standalone servers (also called workgroup servers) have the advantages of being easy to set up and possessing no dependencies on external services. However, managing user accounts on more than two or three of these servers quickly becomes onerous. Our systems administration mantra is, "Reduce redundancy through consolidation." Creating a Samba domain removes duplicate users and groups from each standalone server by consolidating these accounts onto a small set of domain controllers that can process authentication requests on behalf of domain member servers. Coupled with Microsoft's networking facility that allows a user to log in to her local workstation via a domain account, a Samba domain provides a means to centrally manage all authentication, not just access to file and print services.

Topic 312: Samba Configuration and Usage

We show you how to configure Samba as a Primary Domain Controller (PDC) with one or more Samba Backup Domain Controllers (BDC), and how to join Windows clients to this domain. Domains by themselves have little relevance without users and groups, so we also explore the mechanisms to manage and store user and group accounts. After you have a solid understanding of how to configure Samba's domain controller functionality, we explain how to migrate a Windows NT 4.0 domain to a Samba domain and retain the complete list of accounts and user settings. We conclude with a discussion of remotely monitoring and managing Samba hosts using tools such as the Windows Event Viewer, the Service Control Manager, and the Performance Monitor.

Topic 312: Samba Configuration and Usage


Topic 313: User and Group Management

313.1 Managing User Accounts and Groups

Weight: 4

Description: manage user and group accounts in a mixed environment

Key Knowledge Areas:
* Manage user and group accounts
* Understand user and group mapping
* Knowledge of user account management tools
* Use of the smbpasswd program
* Force ownership of file and directory objects

Topic 313: User and Group Management

Authentication is proving that you are who you say you are. You do this every day, during such activities as printing a document or saving a file to a network drive. When things are working correctly, the steps taken by a server to authenticate a request are often taken for granted. You enter a password, and it is used whenever the client machine needs to access a network resource on your behalf. Authentication is a prerequisite to authorization. Authorization is what the server does to verify that the authenticated user should (or should not) gain access to the requested resource (such as the printer or file share).

Topic 313: User and Group Management

Security Modes

The SMB/CIFS protocol has two security levels: user and share. Samba implements these levels across five security modes defined by the global security parameter in smb.conf. Only three of these values are relevant to modern Samba servers:

user [default]
ads
domain
share (deprecated)
server (deprecated)

Topic 313: User and Group Management

smbpasswd file format

The format of the smbpasswd file used by Samba 2.2 is very similar to the familiar Unix passwd(5) file. It is an ASCII file containing one line for each user. Each field within each line is separated from the next by a colon. Any entry beginning with '#' is ignored. The smbpasswd file contains the following information for each user:

Name: This is the user name. It must be a name that already exists in the standard UNIX passwd file.

Uid: This is the UNIX uid. It must match the uid field for the same user entry in the standard UNIX passwd file. If this does not match, then Samba will refuse to recognize this smbpasswd file entry as being valid for a user.

Topic 313: User and Group Management

Lanman Password Hash: This is the LANMAN hash of the user's password.

NT Password Hash: This is the Windows NT hash of the user's password, encoded as 32 hex digits. The Windows NT hash is created by taking the user's password as represented in 16-bit, little-endian UNICODE and then applying the MD4 (internet rfc1321) hashing algorithm to it.

Account Flags: This section contains flags that describe the attributes of the user's account. U means this is a "User" account, i.e., an ordinary user. N means the account has no password.

Last Change Time: This field consists of the time the account was last modified.
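As an added example (not from the slides or from Samba), the Python below parses smbpasswd entries in the colon-separated format just described and audits them the way an administrator reviewing the file would: entries whose name or uid do not match the UNIX passwd file (Samba treats those as invalid), accounts carrying the N flag (no password), and entries that still store a LanMan hash. It also computes the NT hash exactly as the slides define it, MD4 over the UTF-16LE password, using a pure-Python MD4 because hashlib's md4 depends on OpenSSL's legacy provider and is often unavailable. The smbpasswd lines, the passwd mapping and the LCT values are constructed; the hashes shown are the well-known NT hashes of "password" and of the empty password and the LM hash of the empty password.

```python
import re
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320): little-endian 32-bit words, three rounds of
    16 steps, 64-bit bit-length trailer. Used only because hashlib's md4 is
    frequently missing on OpenSSL 3 systems."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, word order, shifts, additive constant)
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as the slides describe it: MD4 over the password in 16-bit
    little-endian Unicode, written as 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed sample smbpasswd file (not real accounts). Fields are
# name:uid:LM hash:NT hash:[flags]:LCT-<last change time, hex>:
SAMPLE_SMBPASSWD = """\
# comment entries are ignored
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-5F3E1B20:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[NU         ]:LCT-5F3E1B20:
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-5F3E1B20:
"""

# Constructed view of /etc/passwd (user name -> uid); carol's uid deliberately differs.
SAMPLE_PASSWD = {"alice": 1001, "bob": 1002, "carol": 1004}

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def parse_smbpasswd(text):
    """Parse smbpasswd lines into dicts; blank lines and '#' entries are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed smbpasswd entry: {line!r}")
        name, uid, lm, nt, flags = fields[:5]
        entries.append({"name": name, "uid": int(uid), "lm": lm, "nt": nt,
                        "flags": flags.strip("[] "),
                        "lct": fields[5] if len(fields) > 5 else ""})
    return entries


def audit(entries, passwd):
    """Checks derived from the field rules on the slides; returns (name, finding) pairs."""
    findings = []
    for e in entries:
        if e["name"] not in passwd:
            findings.append((e["name"], "no matching entry in the UNIX passwd file"))
        elif passwd[e["name"]] != e["uid"]:
            findings.append((e["name"], "uid does not match passwd; Samba treats the entry as invalid"))
        if "N" in e["flags"]:
            findings.append((e["name"], "flag N: account has no password"))
        if HEX32.fullmatch(e["lm"]):
            findings.append((e["name"], "LanMan hash stored; LM is a weak legacy format"))
    return findings
```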

Topic 313: User and Group Management

Synchronizing Passwords

The complaint with Samba in regard to user accounts is that its user passwords must be maintained separately from the Unix or Linux system passwords. To help alleviate the pain of managing multiple passwords for each user, Samba provides a mechanism to synchronize the user's Unix password entry when a CIFS client requests that the LanMan and NT password hashes be changed. Of course, this solution does not help when the user changes the password by means other than the SMB/CIFS protocol, such as using the passwd command or writing to the passdb storage directly using pdbedit. The only prerequisite of using this feature is for the root user to be able to reset a user's password without knowing the old password. The reason for this requirement is that the client encrypts the new password with the old password hash as the key. The clear text of the old password is never sent. Password hashes are one-way, so there is no way to derive the clear text of the password from the old password hash.

Topic 313: User and Group Management

The smbd daemon currently supports three mechanisms for changing a user's Unix password:

Communicating with an external password program
Utilizing the PAM password change API
Requesting that the LDAP directory service do the work on its behalf

The simplest option of the three, the ldap password sync option (sometimes called ldap passwd sync), instructs smbd to send a ModifyPassword extended request to the directory service, which then updates the userPassword attribute on behalf of the user. This option currently works only when Samba is using the ldapsam passdb module and when the LDAP directory service is running a recent version of OpenLDAP. To enable password synchronization with all these prerequisites in place, add ldap password sync = yes to the [global] section of smb.conf.
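As an added example (not code from the slides or from Samba), the following check reads the [global] section of an smb.conf and reports when the prerequisites described above are not met: the external-program mechanism needs a passwd program, and ldap passwd sync only takes effect with the ldapsam passdb backend. The three configurations are constructed samples; the passwd chat line is illustrative and has to match the prompts of the passwd binary actually in use.

```python
"""Lint the password-synchronisation settings in an smb.conf [global] section.

Added example; not code from the page or from Samba. The configurations
below are constructed samples.
"""
import configparser
from typing import Dict, List


def load_global(text: str) -> Dict[str, str]:
    """Return the [global] section as a dict. configparser lower-cases keys,
    which matches smb.conf's case-insensitive parameter names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def is_yes(value: str) -> bool:
    """smb.conf boolean: yes/true/1 count as enabled."""
    return value.strip().lower() in ("yes", "true", "1")


def check_password_sync(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the setup is coherent."""
    g = load_global(text)
    problems: List[str] = []
    unix_sync = is_yes(g.get("unix password sync", "no"))
    # 'ldap passwd sync' and 'ldap password sync' name the same parameter;
    # the value 'only' also enables the LDAP mechanism.
    ldap_value = g.get("ldap passwd sync", g.get("ldap password sync", "no"))
    ldap_sync = is_yes(ldap_value) or ldap_value.strip().lower() == "only"
    backend = g.get("passdb backend", "").strip().lower()

    if unix_sync and not g.get("passwd program", "").strip():
        problems.append("unix password sync = yes but no passwd program is set")
    if ldap_sync and not backend.startswith("ldapsam"):
        problems.append("ldap passwd sync = yes requires passdb backend = ldapsam "
                        "(found %r)" % (backend or "<unset>"))
    if not unix_sync and not ldap_sync:
        problems.append("no synchronisation enabled; UNIX and Samba passwords "
                        "must be maintained separately")
    return problems


# Constructed sample 1: asks LDAP to sync but keeps accounts in a TDB.
INCONSISTENT = """
[global]
workgroup = EXAMPLE
passdb backend = tdbsam
ldap passwd sync = yes
"""

# Constructed sample 2: external-program method. The chat script is
# illustrative; adapt it to the prompts of your passwd binary.
EXTERNAL_PROGRAM = r"""
[global]
workgroup = EXAMPLE
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*
"""

# Constructed sample 3: LDAP method with the required ldapsam backend.
LDAP_METHOD = """
[global]
workgroup = EXAMPLE
passdb backend = ldapsam:ldap://ldap.example.com
ldap passwd sync = yes
"""

if __name__ == "__main__":
    for label, conf in (("inconsistent", INCONSISTENT),
                        ("external program", EXTERNAL_PROGRAM),
                        ("ldap", LDAP_METHOD)):
        print(label, check_password_sync(conf) or "ok")
```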

Topic 313: User and Group Management

Alternative backend storage for passwords

Samba can store account data in a TDB. Using TDB does not require any additional configuration. This backend is recommended for new installations that do not require LDAP. The TDB backend is not recommended for sites that have 250 or more users, and TDB is not capable of scaling for use in sites that require replication of the account database. The high growth rates projected are a good reason to use the tdbsam passdb backend. Using smbpasswd as the backend may result in performance problems. The tdbsam passdb backend offers features that are not available with the older, flat ASCII-based smbpasswd database.

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-samba-account-info-dbs.html

Topic 313: User and Group Management

Integrate Samba with LDAP

Samba exposes Unix objects (files, printers, users and groups) in a way that Windows clients understand. Samba must, however, store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user's SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend. This storage facility can currently take one of three forms:

A flat text file
A trivial database (tdb) file
An LDAP directory service

http://www.howtoforge.com/samba_active_directory

Topic 313: User and Group Management

313.3 Winbind
Weight: 2
Description: Candidates should be able to install and configure the Winbind service.
Key Knowledge Areas:
* Install Winbind
* Configure Winbind

Topic 313: User and Group Management

winbindd is a daemon that provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM, and to Samba itself. Even if winbind is not used for nsswitch, it still provides a service to smbd and the pam_winbind.so PAM module by managing connections to domain controllers. The Name Service Switch allows user and system information to be obtained from different database services such as NIS or DNS; the exact behaviour is configured through the /etc/nsswitch.conf file. Users and groups are allocated, as they are resolved, to a range of user and group ids specified by the administrator of the Samba system. The service provided by winbindd is called `winbind' and can be used to resolve user and group information from a Windows NT server. The service can also provide authentication services via an associated PAM module.

Topic 313: User and Group Management

Install and configure Winbind on CentOS

http://wiki.centos.org/TipsAndTricks/WinbindADS

Topic 314: Working with CIFS, NetBIOS, and Active Directory

314.1 CIFS Integration
Weight: 3
Description: Candidates should be comfortable working with CIFS in a mixed environment.
Key Knowledge Areas:
* Understand SMB/CIFS concepts
* Mount remote CIFS shares from a Linux client
* Understand features and benefits of CIFS

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Samba's popularity comes from its ability to serve Microsoft Windows clients, but SMB/CIFS clients are also available on a wide variety of platforms running Windows, Linux, Mac OS X, or other operating systems. By providing SMB/CIFS support, you can standardize your local area network so that everybody uses it: files can be shared by saving them to the SMB/CIFS share just as if it were a local hard disk. This method can also be part of a migration strategy for moving users from one operating system to another. The most transparent means of accessing SMB/CIFS file shares is to provide a filesystem that understands the protocol. Here we explore the native SMB/CIFS filesystem support available on Linux, OS X, and FreeBSD systems.

Samba also provides tools that help you perform remote administration tasks from Unix clients. One example is the net tool, which can perform common tasks such as managing users and groups, restarting services, and rebooting servers.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

The Linux CIFS Filesystem

A CIFS filesystem is included in the Linux 2.6 kernel; a patch for 2.4 kernels is available. Linux's original SMB/CIFS filesystem client, named smbfs, was written by Volker Lendecke, an active Samba developer. The smbfs kernel module and user space tools (smbmount, smbumount, and smbmnt) will likely continue to be included in Linux and Samba for some time, but if you have Linux systems that are currently set up to use smbfs, now is a good time to begin thinking about migrating them to the cifs module instead.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Mounting a SMB/CIFS File Share

This section shows how to mount a SMB/CIFS share as part of your local filesystem. Mounting filesystems is normally restricted to the root account; we'll show you shortly how to allow users to mount and unmount SMB/CIFS shares. For the moment, make sure to run the mount and umount commands as root. The general syntax for accessing a SMB/CIFS file share is:

$ mount -t cifs //server/share mount_point [-o options]

The -t option specifies the filesystem type (cifs). The mount_point is the path to a local directory where the share will be mounted. Numerous options can be specified with the -o flag; for example, the account used to connect to the remote server is given as user=name.
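The following is an added example, not code from the slides or from the Samba project. It assembles the mount command shown above while keeping the password out of the command line: the password is read from a credentials file (the credentials= option of mount.cifs) that must be readable by its owner only, and a -o password= option is refused. The credentials file written here is a constructed sample in a temporary directory, and the server, share and mount point are placeholders.

```python
"""Assemble a CIFS mount command that keeps the password off the command line.

Added example; not from the page or the Samba project. Assumes a root-owned,
mode 0600 credentials file in the mount.cifs format (username=, password=,
domain= lines). Everything written below is constructed sample data.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional


def parse_credentials(path: str) -> Dict[str, str]:
    """Read a mount.cifs credentials file.

    Refuses files that are group- or world-accessible: the file holds a
    clear-text password, so only its owner may read it.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; use chmod 600" % path)
    creds: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip().lower()] = value.strip()
    if "username" not in creds:
        raise ValueError("credentials file has no username= line")
    return creds


def build_mount_argv(server: str, share: str, mount_point: str,
                     credentials: str, extra: Optional[List[str]] = None) -> List[str]:
    """Return argv for 'mount -t cifs //server/share mount_point -o <options>'.

    Only the credentials file path goes into -o, so the password never shows
    up in 'ps' output or in the shell history.
    """
    parse_credentials(credentials)            # fail early on a bad file
    options = ["credentials=%s" % credentials] + list(extra or [])
    for opt in options:
        if opt.split("=", 1)[0] in ("password", "pass"):
            raise ValueError("%s belongs in the credentials file, not in -o" % opt)
    return ["mount", "-t", "cifs", "//%s/%s" % (server, share), mount_point,
            "-o", ",".join(options)]


def _write_sample(directory: str, mode: int) -> str:
    """Write a constructed credentials file with the given permission bits."""
    path = os.path.join(directory, "cifs-creds")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not a real secret\n"
                 "username=alice\npassword=not-a-real-secret\ndomain=EXAMPLE\n")
    os.chmod(path, mode)
    return path


def credentials_check(mode: int) -> str:
    """Report whether parse_credentials accepts a file with this mode ('ok')
    or which error class it raises."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            parse_credentials(_write_sample(tmp, mode))
            return "ok"
        except (PermissionError, ValueError) as exc:
            return type(exc).__name__


def demo_argv() -> List[str]:
    """Build the argv for a read-only mount of //fileserver/projects (placeholders)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = _write_sample(tmp, 0o600)
        return build_mount_argv("fileserver", "projects", "/mnt/projects",
                                path, ["ro", "uid=1001"])


if __name__ == "__main__":
    print("mode 0600:", credentials_check(0o600))
    print("mode 0644:", credentials_check(0o644))
    print(" ".join(demo_argv()))
```

The same credentials= option can be used in an /etc/fstab entry, which is the usual way to avoid embedding a password in a file that every local user can read.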


Topic 314: Working with CIFS, NetBIOS, and Active Directory

314.2 NetBIOS and WINS
Weight: 7
Description: Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing.
Key Knowledge Areas:
* Understand WINS concepts
* Understand NetBIOS concepts
* Understand the role of a local master browser and the role of a domain master browser
* Understand the role of Samba as a WINS server
* Understand name resolution
* Configure Samba as a WINS server and WINS replication
* Understand NetBIOS browsing, service announcements and elections

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand WINS concepts

Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and was designed to solve the problems arising from NetBIOS name resolution in routed environments. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP.

http://technet.microsoft.com/en-us/library/cc784707%28WS.10%29.aspx

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand NetBIOS concepts

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

http://www.nwo.net/osall/Methodology/Novice/NetBios/netbios.html

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand the role of a local master browser

Master Browser: Maintains the main or master list of computers and shared resources. Every workgroup or domain has one master browser. A new resource list is sent to the backup browsers every 15 minutes. A client is not removed from the resource list for three 12-minute periods. A domain master browser waits three 15-minute periods without a response from another domain master browser before removing that domain's resources from its list. A client first goes to the master browser, which gives it a list of backup browsers.

Domain Master Browser: The master browser for a domain; this is the primary domain controller (PDC) in a domain network.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand the role of a domain master browser

The Primary Domain Controller (PDC) acts as the domain master browser (DMB), which ties subnets together and allows browse lists to be shared between master and backup browsers on separate subnets. This is how browsing is extended to function beyond the local subnet. Each subnet functions as a separate browsing entity, and the domain master browser synchronizes the master browsers of each subnet. In a Windows-only network, browsing cannot function across subnets unless a PDC exists on the network. By default, each computer that participates in a browse election is considered a potential browser. It can be ordered by the browse master to become a backup browser, or it can identify itself as a backup browser and accept the role on its own.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand the role of Samba as a WINS server

You can set up Samba as a WINS server by setting two global options in the configuration file, as shown below:

[global]
wins support = yes
name resolve order = wins lmhosts hosts bcast

The wins support option turns Samba into a WINS server; Samba handles the rest of the details behind the scenes.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

If Samba is acting as a WINS server, you should get familiar with the name resolve order option mentioned earlier. This option tells Samba the order of methods in which it tries to resolve a NetBIOS name. It can take up to four values:

lmhosts: Uses a LAN Manager LMHOSTS file
hosts: Uses the standard name resolution methods of the Unix system: /etc/hosts, DNS, NIS, or a combination (as configured for the system)
wins: Uses the WINS server
bcast: Uses a broadcast method
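The following added example (not code from the slides or from Samba) checks the two WINS settings discussed above in an smb.conf [global] section: it rejects an unknown name resolve order method, flags a host that both claims to be the WINS server (wins support = yes) and points at a wins server, a combination Samba's testparm reports as an error, and warns when wins is listed as a method although no WINS server is configured. The configurations are constructed samples; the resolver spelling host is the one used in smb.conf(5), and hosts as used on the slide is accepted as a synonym.

```python
"""Lint the WINS-related settings in an smb.conf [global] section.

Added example; not the page's or Samba's own code. The configurations are
constructed samples and 192.0.2.10 is a documentation address.
"""
import configparser
from typing import Dict, List

# Methods accepted in 'name resolve order'; 'host' and 'hosts' are synonyms.
VALID_METHODS = {"lmhosts", "host", "hosts", "wins", "bcast"}


def load_global(text: str) -> Dict[str, str]:
    """Return the [global] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def check_wins(text: str) -> List[str]:
    """Return the problems found; an empty list means the WINS setup is consistent."""
    g = load_global(text)
    problems: List[str] = []
    is_server = g.get("wins support", "no").strip().lower() in ("yes", "true", "1")
    upstream = g.get("wins server", "").strip()
    order = [t.lower() for t in g.get("name resolve order", "").split()]

    if is_server and upstream:
        problems.append("wins support = yes and wins server are both set; "
                        "a WINS server must not point at another WINS server")
    unknown = [t for t in order if t not in VALID_METHODS]
    if unknown:
        problems.append("unknown name resolve order method(s): " + ", ".join(unknown))
    if order and "wins" in order and not (is_server or upstream):
        problems.append("name resolve order uses wins, but no WINS server is configured "
                        "or provided by this host")
    if order and is_server and "wins" not in order:
        problems.append("this host is a WINS server but does not consult wins "
                        "in name resolve order")
    return problems


# Constructed sample 1: serves WINS and points at another WINS server, plus a typo.
CONTRADICTORY = """
[global]
wins support = yes
wins server = 192.0.2.10
name resolve order = wins lmhosts hosts bcst
"""

# Constructed sample 2: the WINS server configuration shown above.
WINS_SERVER = """
[global]
wins support = yes
name resolve order = wins lmhosts hosts bcast
"""

# Constructed sample 3: an ordinary member host that queries the WINS server.
WINS_CLIENT = """
[global]
wins server = 192.0.2.10
name resolve order = wins lmhosts hosts bcast
"""

if __name__ == "__main__":
    for label, conf in (("contradictory", CONTRADICTORY),
                        ("wins server", WINS_SERVER),
                        ("wins client", WINS_CLIENT)):
        print(label, check_wins(conf) or "ok")
```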

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand name resolution

Name resolution is critical to Samba's operation because names are used to find the servers that share files or printers. Browsing takes the task of finding servers to a new level of sophistication by allowing a user to delve down into a hierarchy of networks, domains, hosts, and services offered by each server. While name resolution and browsing are not difficult to configure, some complexity is introduced by the variety of available name-resolution systems. Historically, Unix and other TCP/IP users have moved from a flat hosts file to the Domain Name System, with the Network Information System being another popular choice. Meanwhile, Microsoft has moved from a broadcasting system to a simple, LAN-only name server called WINS and ultimately to DNS.

http://www.samba.org/samba/docs/using_samba/ch07.html

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Configure Samba as a WINS server

Either a Samba server or a Windows NT server machine may be set up as a WINS server. To configure a Samba server to be a WINS server, add the following line to the [global] section of the smb.conf file on the selected server:

wins support = yes

Topic 314: Working with CIFS, NetBIOS, and Active Directory

WINS replication

Samba-3 does not support native WINS replication. There was an attempt to implement it, called wrepld, but it was never ready for production use and its development has been discontinued. Meanwhile, there is a project named samba4WINS, which makes it possible to run the Samba-4 WINS server in parallel with Samba-3 since version 3.0.21.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

Understand NetBIOS browsing, service announcements and elections

Each server on the network announces itself to the network to allow the master and backup browsers to build their browse lists. When first joining the network, a host sends server announcements every minute, but the interval is gradually stretched out to every 12 minutes. When a server is shut down gracefully, it sends an announcement that it is going offline to allow the master and backup browsers to remove it from the browse list. However, when a server goes offline by crashing or by some other failure, the master browser notices its disappearance only because it stops receiving server announcements. The master browser waits for three of the server's announcement periods before deciding that it is offline, which can take up to 36 minutes. Because backup browsers have their browse lists updated from the master browser once every 15 minutes, it can take up to 51 minutes for clients to be informed of a failed server.

Topic 314: Working with CIFS, NetBIOS, and Active Directory

314.3 Integrating with Active Directory
Weight: 2
Description: Candidates should be able to integrate Linux servers into an environment where Active Directory is present.
Key Knowledge Areas:
* List remove Active Directory / LDAP users
* Configure Samba in ADS security mode
* Knowledge of the DNS requirements for Active Directory

8/3/11
