20.3 About Samba

20.3.1 Configuring a Samba Server
20.3.2 About Samba Configuration for Windows Workgroups and Domains
20.3.3 Accessing Samba Shares from a Windows Client
20.3.4 Accessing Samba Shares from an Oracle Linux Client

Samba is an open-source implementation of the Server Message Block (SMB) protocol that allows Oracle Linux to interoperate with Windows systems as both a server and a client. Samba can share Oracle Linux files and printers with Windows systems, and it enables Oracle Linux users to access files on Windows systems. Samba uses the NetBIOS over TCP/IP protocol that allows computer applications that depend on the NetBIOS API to work on TCP/IP networks.

20.3.1 Configuring a Samba Server

To configure a Samba server:

  1. Install the samba and samba-winbind packages:

    # yum install samba samba-winbind
  2. Edit /etc/samba/smb.conf and configure the sections to support the required services, for example:

    [global]
    security = ADS
    realm = MYDOM.REALM
    password server = krbsvr.mydom.com
    load printers = yes
    printing = cups
    printcap name = cups
    
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm
    
    [homes]
    comment = User home directories
    valid users = @smbusers
    browsable = no
    writable = yes
    guest ok = no
    
    [apps]
    comment = Shared /usr/local/apps directory
    path = /usr/local/apps
    browsable = yes
    writable = no
    guest ok = yes

    The [global] section contains settings for the Samba server. In this example, the server is assumed to be a member of an Active Directory (AD) domain that is running in native mode. Samba relies on tickets issued by the Kerberos server to authenticate clients who want to access local services.

    For more information, see Section 20.3.2, “About Samba Configuration for Windows Workgroups and Domains”.

    The [printers] section specifies support for print services. The path parameter specifies the location of a spooling directory that receives print jobs from Windows clients before submitting them to the local print spooler. Samba advertises all locally configured printers on the server.

    The [homes] section provide a personal share for each user in the smbusers group. The settings for browsable and writable prevent other users from browsing home directories, while allowing full access to valid users.

    The [apps] section specifies a share named apps, which grants Windows users browsing and read-only permission to the /usr/local/apps directory.

  3. Allow incoming TCP connections to ports 139 and 445, and incoming UDP datagrams on ports 137 and 138 from the local network:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp –-dport 139 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp –-dport 445 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp –-dport 137 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp –-dport 138 -j ACCEPT
    # service iptables save

    where subnet_addr/prefix_length specifies the network address, for example 192.168.2.0/24.

    Add similar rules for other networks from which Samba clients can connect.

    The nmdb daemon services NetBIOS Name Service requests on UDP port 137 and NetBIOS Datagram Service requests on UDP port 138.

    The smbd daemon services NetBIOS Session Service requests on TCP port 139 and Microsoft Directory Service requests on TCP port 445.

  4. Start the smb service, and configure the service to start following a system reboot:

    # service smb start
    # chkconfig smb on

If you change the /etc/samba/smb.conf file and any files that it references, the smb service will reload its configuration automatically after a delay of up to one minute. You can force smb to reload its configuration by sending a SIGHUP signal to the service daemon:

# killall -SIGHUP smbd

Making smb reload its configuration has no effect on established connections. You must restart the smb service or the existing users of the service must disconnect and then reconnect.

To restart the smb service, use the following command:

# service smb restart

For more information, see the smb.conf(5) and smbd(8) manual pages and http://www.samba.org/samba/docs/.

20.3.2 About Samba Configuration for Windows Workgroups and Domains

Windows systems on an enterprise network usually belong either to a workgroup or to a domain.

Workgroups are usually only configured on networks that connect a small number of computers. A workgroup environment is a peer-to-peer network where systems do not rely on each other for services and there is no centralized management. User accounts, access control, and system resources are configured independently on each system. Such systems can share resources only if configured to do so.

A Samba server can act as a standalone server within a workgroup.

More typically, corporate networks configure domains to allow large numbers of networked systems to be administered centrally. A domain is a group of trusted computers that share security and access control. Systems known as domain controllers provides centralized management and security. Windows domains are usually configured to use Active Directory (AD), which uses the Lightweight Directory Access Protocol (LDAP) to implement versions of Kerberos and DNS providing authentication, access control to domain resources, and name service. Some Windows domains use Windows NT4 security, which does not use Kerberos to perform authentication.

A Samba server can be a member of an AD or NT4 security domain, but it cannot operate as a domain controller. As domain member Samba server must authenticate itself with a domain controller and so is controlled by the security rules of the domain. The domain controller authenticates clients, and the Samba server controls access to printers and network shares.

20.3.2.1 Configuring Samba as a Standalone Server

A standalone Samba server can be a member of a workgroup. The following [global] section from /etc/samba/smb.conf shows an example of how to configure a standalone server using share-level security:

[global]
security = share
workgroup = workgroup_name
netbios name = netbios_name

The client provides only a password and not a user name to the server. Typically, each share is associated with a valid users parameter and the server validates the password against the hashed passwords stored in /etc/passwd, /etc/shadow, NIS, or LDAP for the listed users. Using share-level security is discouraged in favor of user-level security, for example:

[global]
security = user
workgroup = workgroup_name
netbios name = netbios_name

In the user security model, a client must supply a valid user name and password. This model supports encrypted passwords. If the server successfully validates the client's user name and password, the client can mount multiple shares without being required to specify a password. Use the smbpasswd command to create an entry for a user in the Samba password file, for example:

# smbpasswd –a guest
New SMB password: password
Retype new SMB password: password
Added user guest.

The user must already exist as a user on the system. If a user is permitted to log into the server, he or she can use the smbpasswd command to change his or her password.

If a Windows user has a different user name from his or her user name on the Samba server, create a mapping between the names in the /etc/samba/smbusers file, for example:

root = admin administrator root
nobody = guest nobody pcguest smbguest
eddie = ejones
fiona = fchau

The first entry on each line is the user name on the Samba server. The entries after the equals sign (=) are the equivalent Windows user names.

Note

Only the user security model uses Samba passwords.

The server security model, where the Samba server relies on another server to authenticate user names and passwords, is deprecated as it has numerous security and interoperability issues.

20.3.2.2 Configuring Samba as a Member of an ADS Domain

In the Activity Directory Server (ADS) security model, Samba acts as a domain member server in an ADS realm, and clients use Kerberos tickets for Active Directory authentication. You must configure Kerberos and join the server to the domain, which creates a machine account for your server on the domain controller.

To add a Samba server to an Active Directory domain:

  1. Edit /etc/samba/smb.conf and configure the [global] section to use ADS:

    [global]
    security = ADS
    realm = KERBEROS.REALM

    It might also be necessary to specify the password server explicitly if different servers support AD services and Kerberos authentication:

    password server = kerberos_server.your_domain
  2. Install the krb5-server package:

    # yum install krb5-server
  3. Create a Kerberos ticket for the Administrator account in the Kerberos domain, for example:

    # kinit Administrator@MYDOMAIN.COM

    This command creates the Kerberos ticket that is required to join the server to the AD domain.

  4. Join the server to the AD domain:

    # net ads join -S winads.mydom.com -U Administrator%password

    In this example, the AD server is winads.mydom.com and password is the password for the Administrator account.

    The command creates a machine account in Active Directory for the Samba server and allows it to join the domain.

  5. Restart the smb service:

    # service smb restart

20.3.2.3 Configuring Samba as a Member of a Windows NT4 Security Domain

Note

If the Samba server acts as a Primary or Backup Domain Controller, do not use the domain security model. Configure the system as a standalone server that uses the user security model instead. See Section 20.3.2.1, “Configuring Samba as a Standalone Server”.

The domain security model is used with domains that implement Windows NT4 security. The Samba server must have a machine account in the domain (a domain security trust account). Samba authenticates user names and passwords with either a primary or a secondary domain controller.

To add a Samba server to an NT4 domain:

  1. On the primary domain controller, use the Server Manager to add a machine account for the Samba server.

  2. Edit /etc/samba/smb.conf and configure the [global] section to use ADS:

    [global]
    security = domain
    workgroup = DOMAIN
    netbios name = SERVERNAME 
  3. Join the server to the domain:

    # net rpc join -S winpdc.mydom.com -U Administrator%password

    In this example, the primary domain controller is winpdc.mydom.com and password is the password for the Administrator account.

  4. Restart the smb service:

    # service smb restart
  5. Create an account for each user who is allowed access to shares or printers:

    # useradd -s /sbin/nologin username
    # passwd username

    In this example, the account's login shell is set to /sbin/nologin to prevent direct logins.

20.3.3 Accessing Samba Shares from a Windows Client

To access a share on a Samba server from Windows, open Computer or Windows Explorer, and enter the host name of the Samba server and the share name using the following format:

\\server_name\share_name

If you enter \\server_name, Windows displays the directories and printers that the server is sharing. You can also use the same syntax to map a network drive to a share name.

20.3.4 Accessing Samba Shares from an Oracle Linux Client

Note

To be able to use the commands described in this section, use yum to install the samba-client and cifs-utils packages.

You can use the findsmb command to query a subnet for Samba servers. The command displays the IP address, NetBIOS name, workgroup, operating system and version for each server that it finds.

Alternatively, you can use the smbtree command, which is a text-based SMB network browser that displays the hierarchy of known domains, servers in those domains, and shares on those servers.

The GNOME and KDE desktops provide browser-based file managers that you can use to view Windows shares on the network. Enter smb: in the location bar of a file manager to browse network shares.

To connect to a Windows share from the command line, use the smbclient command:

$ smbclient //server_name/share_name [-U username]

After logging in, enter help at the smb:\> prompt to display a list of available commands.

To mount a Samba share, use a command such as the following:

# mount -t cifs //server_name/share_name mountpoint -o credentials=credfile

where the credentials file contains settings for username, password, and domain, for example:

username=eddie
password=clydenw
domain=MYDOMWKG

The argument to domain can be the name of a domain or a workgroup.

Caution

As the credentials file contains a plain-text password, use chmod to make it readable only by you, for example:

# chmod 400 credfile

If the Samba server is a domain member server in an AD domain and your current login session was authenticated by the Kerberos server in the domain, you can use your existing session credentials by specifying the sec=krb5 option instead of a credentials file:

# mount -t cifs //server_name/share_name mountpoint -o sec=krb5

For more information, see the findsmb(1), mount.cifs(8), smbclient(1), and smbtree(1) manual pages.