Ubuntu 15.04 Server with systemd: Administration and Reference (2015)

Part III. Shared Resources

Chapter 12. Samba

With Samba, you can connect your Windows clients on a Microsoft Windows network to services such as shared files, systems, and printers controlled by the Linux Samba server and, at the same time, allow Linux systems to access shared files and printers on Windows systems. Samba is a collection of Linux tools that allow you to communicate with Windows systems over a Windows network. In effect, Samba allows a Linux system or network to act as if it were a Windows server, using the same protocols as used in a Windows network. Whereas most UNIX and Linux systems use the TCP/IP protocol for networking, Microsoft networking with Windows uses a different protocol, called the Server Message Block (SMB) protocol that implements a local area network (LAN) of PCs running Windows. SMB makes use of a network interface called Network Basic Input Output System (NetBIOS) that allows Windows PCs to share resources, such as printers and disk space. One Windows PC on such a network can access a folder on another Windows PC’s disk drive as if the folder were its own. SMB was originally designed for small LANs. To connect it to larger networks, including those with UNIX systems, Microsoft developed the Common Internet File System (CIFS), which still uses SMB and NetBIOS for Windows networking.

Wanting to connect his Linux system to a Windows PC, Andrew Tridgell wrote an SMB client and server that he called Samba. Samba allows UNIX and Linux systems to connect to a Windows network as if they were Windows PCs. UNIX systems can share resources on Windows systems as if they were just another Windows PC. Windows PCs can also access resources on UNIX systems as if they were Windows systems. Samba, in effect, has become a professional-level, open source, and free version of CIFS. It also runs much faster than CIFS. Samba lets you use a Linux or UNIX server as a network server for a group of Windows machines operating on a Windows network. You can also use it to share files on your Linux system with other Windows PCs, or to access files on a Windows PC from your Linux system, as well as between Windows PCs. On Linux systems, the cifs file system type enables you, in effect, to mount a remote SMB-shared directory on your own file system. You can then access it as if it were a directory on your local system.

Package name             Description
samba                    The Samba server
samba-common             Samba Ubuntu configuration files and support tools
samba-doc                Documentation for Samba, including examples
samba-doc-pdf            PDF versions for Samba documentation
smbclient                Samba clients for accessing Windows shares
smbfs                    Mount and unmount tools for Samba shares
system-config-samba      Samba desktop configuration tool from Red Hat
kdenetwork-filesharing   Samba sharing configuration on KDE
gnome-system-tools       shares-admin Samba sharing configuration on GNOME (deprecated)
nautilus-share           Quick sharing configuration using the GNOME Nautilus file manager

Table 12-1: Samba packages on Ubuntu

You can obtain extensive documentation from the Samba Web and FTP sites at http://www.samba.org. Samba HOW-TO documentation is also available at http://www.tldp.org. Extensive documentation is provided with the software package and installed on your system in the /usr/share/doc/samba-doc directory. Be sure to install the samba-doc package. The htmldocs subdirectory holds various documentation resources. All are in Web page format. Documentation includes the HOWTO, By Example, Using Samba, and Developers Guide. The examples include sample smb.conf files for different kinds of configuration. For PDF versions install the samba-doc-pdf package, which will be located at /usr/share/doc/samba-doc-pdf.

On Ubuntu, Samba software is organized into several packages, with configuration tools such as system-config-samba in separate packages (see Table 12-1). By selecting the samba server package, necessary supporting packages such as smbclient and samba-common will be automatically selected. Documentation and configuration tools have to be selected manually. Samba software packages can be obtained from the Ubuntu repositories using apt-get or the Synaptic Package Manager.

Check the Ubuntu Server Guide | Windows Networking for basic configuration and management.

https://help.ubuntu.com/stable/serverguide/windows-networking.html

Samba Applications

The Samba software package consists of two server daemons and several utility programs (see Table 12-2). The smbd daemon provides file and printer services to SMB clients and other systems, such as Windows, that support SMB. The nmbd daemon provides NetBIOS name resolution and service browser support. Additional packages provide support tools, like smbclient, which provides FTP-like access by Linux clients to Samba services. The mount.cifs and umount.cifs commands enable Linux clients to mount and unmount Samba shared directories (used by the mount command with the -t cifs option). The smbstatus utility displays the current status of the SMB server and who is using it. You use testparm to test your Samba configuration. smbtar is a shell script that backs up SMB/CIFS-shared resources directly to a Unix tape drive. The nmblookup command will map the NetBIOS name of a Windows PC to its IP address.

Basic Samba configuration support is already provided by nautilus-share and shares-admin (GNOME). For a more complex configuration, you can use system-config-samba, a GNOME desktop tool with which you can set up secure access to Samba shares. Configuration files are kept in the /etc/samba directory.

Samba provides four main services: file and printer services, authentication and authorization, name resolution, and service announcement. The SMB daemon, smbd, provides the file and printer services, as well as authentication and authorization for those services. This means users on the network can share files and printers. You can control access to these services by requiring that users provide a password. When users try to access a shared directory, they are prompted for the password (user mode). The user mode provides a different password for each user. Samba maintains its own password file for this purpose: /etc/samba/smbpasswd.

Name resolution and service announcements are handled by the nmbd server. Name resolution essentially resolves NetBIOS names with IP addresses. Service announcements, also known as browsing, are the way a list of services available on the network is made known to the connected Windows PCs (and Linux PCs connected through Samba).

Samba also includes the winbind daemon, which allows Samba servers to use authentication services provided by a Windows domain. Instead of a Samba server maintaining its own set of users to allow access, it can make use of a Windows domain authentication service to authenticate users.

Application           Description
nautilus-share        Basic file sharing configuration built in to the GNOME Nautilus file manager
system-config-samba   Samba configuration tool (provided by Red Hat) for configuring smb.conf with a GNOME desktop interface
shares-admin          Older GNOME Samba configuration tool (deprecated), enter shares-admin in a terminal window
smbd                  Samba server daemon that provides file and printer services to SMB clients
nmbd                  Samba daemon that provides NetBIOS name resolution and service browser support
winbind               Uses authentication services provided by Windows domain
mount.cifs            Mounts Samba share directories on Linux clients (used by the mount command with the -t cifs option)
smbpasswd             Changes SMB-encrypted passwords on Samba servers
pdbedit               Edit the Samba users database file. This is a Secure Accounts Manager (SAM) database.
tdbbackup             Backup the Samba .tdb database files.
smbcontrol            Send the Samba servers administrative messages, like shutdown or close-share.
smbstatus             Displays the current status of the SMB network connections
testparm              Tests the Samba configuration file, smb.conf
nmblookup             Maps the NetBIOS name of a Windows PC to its IP address
/etc/default/samba    Samba startup options

Table 12-2: Samba Server Applications

Starting up and accessing Samba

Once installed, Samba is normally configured to start up automatically. You can turn this option on or off using rcconf. For a simple Samba configuration, you can use Ubuntu system-config-samba to configure your /etc/samba/smb.conf file. If you make changes, you must restart the Samba server for them to take effect. To restart Samba with your new configuration, use the service command. The start, stop, and restart options will start, stop, and restart the server. Run the following command from a terminal window to restart Samba.

sudo service smbd restart
sudo service nmbd restart

The Samba server consists of two daemons: smb and nmb. You may have to first enable and then start these daemons as the root user. At the prompt (on the desktop, open a terminal window), access the root user with the sudo command, and then enter a systemctl command with the enable command for each of the smb and nmb servers to enable them. Then use the service command with the start command to start them. Once enabled, the servers should start automatically whenever your system starts up. Samba is managed by systemd.

sudo systemctl enable nmb
sudo systemctl enable smb
sudo service nmb start
sudo service smb start

In Ubuntu 15.04, Samba is managed by systemd using the smb.service and nmb.service unit files in the /run/systemd/generator.late directory. These files are generated for systemd by the systemd-sysv-generator tool, which generates the unit files from the sysv init files for samba in the /etc/init.d directory. The smb.service file is shown here. Samba is started after networking, file system mounts, and the Cups service (After). It is started before the multi-user.target (the runlevel 2, 3, 4 targets are links to the multi-user target) (Before). On the desktop the graphical.target is added (runlevel5.target). The service is started using the smbd script in the /etc/init.d directory (ExecStart).

smb.service

# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/smbd
Description=LSB: start Samba SMB/CIFS daemon (smbd)
Before=runlevel2.target runlevel3.target runlevel4.target runlevel5.target shutdown.target
After=network-online.target local-fs.target remote-fs.target slapd.service cups.service
Wants=network-online.target
Conflicts=shutdown.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/etc/init.d/smbd start
ExecStop=/etc/init.d/smbd stop
ExecReload=/etc/init.d/smbd reload

The NMB daemon is started after networking (After). It starts the nmbd server using the /etc/init.d/nmbd script.

nmb.service

# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/nmbd
Description=LSB: start Samba NetBIOS nameserver (nmbd)
Before=runlevel2.target runlevel3.target runlevel4.target runlevel5.target shutdown.target smbd.service
After=network-online.target local-fs.target remote-fs.target
Wants=network-online.target
Conflicts=shutdown.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/etc/init.d/nmbd start
ExecStop=/etc/init.d/nmbd stop

Firewall access

The IPtables firewall prevents browsing Samba and Windows shares from your Linux desktop. To work around this restriction, you need to make sure your firewall treats Samba as a trusted service. To allow firewall access to the Samba ports you should enable access using a firewall configuration tool like ufw. The Samba ports are 125/TCP, 137/UDP, and 138/UDP. In addition, Samba uses the Microsoft Service Discovery service which uses port 445/TCP.

On the command line interface, using the UFW default firewall, you would use the following ufw commands. The UFW firewall maintains its IPtables files in /etc/ufw.

ufw allow 135/tcp
ufw allow 137:138/udp
ufw allow 445/tcp

If you are working from a desktop interface, you can use the Gufw tool to set the Samba ports for the UFW firewall. You will have to add the ports as simple rules (see Chapter 17). On the desktop, the UFW firewall blocks remote file browsing from the desktop for Samba (the Places | Network window), because browsing uses additional broadcast packets that have not been allowed. You have to add a rule to allow access to anywhere from port 137/udp or enter the following command. The rule restricts broadcasts to the local network. Most private networks use the network address 192.168.0.0/24, as specified in this example (see Chapter 17).

sudo ufw allow from 192.168.0.0/24 port 137 proto udp

If you are managing your IPtables firewall directly, you could manage access by adding the following IPtables rules. This accepts input on ports 137, 138, and 139 for TCP/IP protocol packets.

iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
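
The rules above accept Samba traffic from any source address, while the earlier ufw example limits port 137 to the local network. The following is an added example, not code from the book or from Samba: it reads iptables commands written in the form shown above, reports the INPUT ACCEPT rules that open a Samba port without a source restriction, and builds the subnet-scoped ufw command for each. The function names and the sample rules are constructed for this illustration, and the 192.168.0.0/24 default is the network address used in this chapter.

```python
import ipaddress
import shlex

# Ports taken from this chapter's firewall section (139 appears in its text only).
SAMBA_PORTS = {"tcp": {135, 139, 445}, "udp": {137, 138}}

# Constructed sample rules, written in the same form as the chapter's commands.
SAMPLE_RULES = """\
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""


def port_set(spec):
    """Expand an iptables --dport value: '445', '137:138', ':1023' or '1024:'."""
    lo, sep, hi = spec.partition(":")
    first = int(lo) if lo else 0
    last = int(hi) if hi else (65535 if sep else first)
    return set(range(first, last + 1))


def parse_rule(line):
    """Pick out the fields of one 'iptables -A ...' command that matter here."""
    rule = {"chain": None, "proto": None, "source": None,
            "ports": set(), "target": None}
    flags = {"-A": "chain", "--append": "chain",
             "-p": "proto", "--protocol": "proto",
             "-s": "source", "--source": "source",
             "-j": "target", "--jump": "target"}
    tokens = iter(shlex.split(line))
    for tok in tokens:
        if tok in flags:
            rule[flags[tok]] = next(tokens, None)
        elif tok in ("--dport", "--destination-port"):
            rule["ports"] = port_set(next(tokens, ""))
    return rule


def any_source(source):
    """True when the rule has no -s, or its -s covers every address."""
    if source is None:
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def open_samba_rules(text):
    """Return (proto, ports) for INPUT ACCEPT rules exposing Samba to any source."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
            continue
        exposed = rule["ports"] & SAMBA_PORTS.get(rule["proto"], set())
        if exposed and any_source(rule["source"]):
            hits.append((rule["proto"], sorted(exposed)))
    return hits


def scoped_ufw_rule(proto, ports, lan="192.168.0.0/24"):
    """Build the ufw command that admits the same ports from one subnet only."""
    ipaddress.ip_network(lan)  # raises ValueError on a malformed subnet
    port_list = ",".join(str(p) for p in ports)
    return f"ufw allow from {lan} to any port {port_list} proto {proto}"


if __name__ == "__main__":
    for proto, ports in open_samba_rules(SAMPLE_RULES):
        print(f"open to any source: {proto} {ports}")
        print("  replace with:", scoped_ufw_rule(proto, ports))
```
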

Setting Up Samba with system-config-samba (desktop)

On the Ubuntu desktop, directory shares can be set up easily using the folder sharing capability of the GNOME file manager (nautilus-share), see Chapter 3. For more complex configuration you can either edit the /etc/samba/smb.conf file or use a desktop configuration tool like system-config-samba. On Ubuntu, the system-config-samba tool (see Figure 12-1) provides a basic configuration. The system-config-samba tool is not directly supported by Ubuntu, but is available on the Universe repository. Install the system-config-samba package using the Synaptic Package Manager or from the Ubuntu Software Center | System Tools | Samba.

Figure 12-1: Samba server configuration with system-config-samba

Note: If you have already set up file sharing for Windows systems using the Nautilus sharing capability, the configuration information for those Samba shares will be displayed by system-config-samba.

Once installed, on Unity you can open system-config-samba from the Applications | Customization or System dashes as Samba.

Samba Server Configuration

You will first have to configure the Samba server, designating users that can have access to shared resources like directories and printers. On the Samba Preferences menu, select Server Settings to open the Server Settings dialog.

On the Basic tab, enter the name of your Windows network workgroup (see Figure 12-2). The default names given by Windows are MSHOME or WORKGROUP. Use the workgroup name already given to your Windows network. For home networks, you can decide on your own. Just make sure all your computers use the same workgroup name. On a Windows system, the Control Panel’s System application will show you the Windows workgroup name. The description is the name you want displayed for your Samba server on your Windows systems. Windows 7 home networks will work with Samba without any special configuration.

Figure 12-2: Samba Server Settings, Basic tab

On the Security tab you can select the kind of authentication you want to use (see Figure 12-3). The authentication mode specifies the access level, which can be user, server (separate authentication server), ADS (Kerberos realm), or domain (Windows domain controller). User-level access restricts access by user password. Normally, you would elect to encrypt passwords, rather than have them passed over your network in plain text. The Guest user is the name of the account used to allow access to shares or printers that you want open to any user, without having to provide a password. The pop-up menu will list all your current users, with "No Guest Account" as the selected default. Unless you want to provide access by everyone to a share, you would not have a Guest account.

Figure 12-3: Samba Server Settings, Security tab

Samba Users

For user authentication, you will want to associate a Windows user with a particular Linux account. Select Samba Users in the Preferences menu to open the Samba Users dialog (see Figure 12-4). Ubuntu users who were set up on your system when you installed Samba are listed already, using their user names and password for access by Windows users. If you want to add a new Samba user, click Add User to open the Create New Samba User window. There you can select the Unix Username from a pop-up menu, and then enter the Windows Username and the Samba password to be used for that user (see Figure 12-5). The Unix Username menu lists all the users on your Samba server. Samba maintains its own set of passwords that users on other computers will need to access a Samba share. When a Windows user wants to access a Samba share, they will have to provide their Samba password. If you use a Windows user name with spaces, enclose it within quotes.

Figure 12-4: Samba Users

Once you create a Samba user, its name will appear in the list of Samba users on the Samba Users window. To later modify or delete a Samba user, use the same Samba Users window, select the user from the list, and click the Edit User button to change entries like the password, or click the Delete User button to remove the Samba user.

Note: If a password prompt prevents you from accessing a Windows share on Windows 7 from your Ubuntu system, you may have to uninstall the "Windows Live Sign In Assistant" on your Windows 7 system.

Figure 12-5: Create a new samba user

Figure 12-6: New Samba Share, Basic tab

Samba Shares

To set up a simple share, click Add Share in the Samba Server Configuration window, which opens a Create Samba Share window (see Figure 12-6).

Figure 12-7: Samba share, Access tab

On the Basic tab, select the Linux directory to share (click Browse to find it), and then specify whether it will be writable and visible.

On the Access tab you can choose to open the share to everyone, or just for specific users (see Figure 12-7). All Samba users on your system are listed with check boxes where you can select those you want to give access.

Figure 12-8: Samba with shares

Your new share will be displayed in the Samba Server Configuration window (see Figure 12-8). The share's directory, share name, its visibility, read/write permissions, and description are shown. To modify a share later, click on its entry and then click on the Properties button (or double-click). This opens an Edit samba share window with the same Basic and Access tabs you used to create the share.

Configuring Samba Access from Windows

To set up a connection for a Windows client, you need to specify the Windows workgroup name and configure the password. The workgroup name is the name that appears in the My Network Places on Windows 2000, NT, and XP (or in the Entire Network window in the Network Neighborhood on earlier Windows versions). On Vista and Windows 7, this is simply called Network. To set the workgroup name on Windows XP, open System on the Control Panel, and on the Computer Name panel, click the Change button for the Rename Or Change Domain Entry. This opens a dialog with a setting for the Workgroup, where you can enter the workgroup name. The default may be WORKGROUP or MSHOME. You can set up your own workgroup name, but all your computers would have to be configured to use that name.

On your Ubuntu Samba server, you will specify the network name in the Server Settings window on system-config-samba. Alternatively, you can manually enter the network name in the smb.conf file, specifying the workgroup name in the workgroup= entry in the global section. The workgroup name should be uppercase and contain no spaces. The default name used on Windows XP systems is a simple WORKGROUP. The smb.conf workgroup entry would then look like this:

workgroup = WORKGROUP

Accessing Samba Shares from Windows

On a Windows client, you will see the Samba server listed when you select View Workgroups Computers from My Network Places (network on Vista). The Samba server will have, as a name, the description you gave it in your Samba configuration. Opening the icon will display a window with all the configured shares and printers on that Samba server.

When Windows users want to access a new share on the Linux system, they open their My Network Places (network on Vista) and then "Add a network place" to add a network place entry for the share, or View workgroup computers to see computers on your Windows network. Selecting the Linux Samba server will display your Samba shares. To access the share, the user will be required to enter in the user name and the Samba password. You have the option of having the username and password remembered for automatic access.

You will also need to make sure that your Windows system has enabled TCP/IP networking. This may already be the case if your Windows client is connected to a Microsoft network. If you need to connect a Windows system directly to a TCP/IP network that your Linux Samba server is running on, you should check that TCP/IP networking is enabled on that Windows system. This involves making sure that the Microsoft Network client and the TCP/IP protocol are installed, and that your network interface card (NIC adapter) is configured to use TCP/IP. The procedures differ slightly on Windows 7, Vista, 2000 and XP.

Sharing Windows Directories and Printers with Samba Clients

To manage directory shares, open the Computer Management tool in the Administrative window in the Control Panel. Click Shared Folders and there you can see the Shares, Sessions, and Open folders. To add a new share, click the Shares folder and then click the Action menu and select New File Share. The Sessions and Open folders’ Action menus let you disconnect active sessions and folders.

Sharing Windows Directories

To share a directory, right-click the directory and select Sharing from the pop-up menu (Sharing And Security on Windows XP). Click Share This Folder and then enter the share name, the name by which the directory will be known by Samba. You can specify whether you want to allow others to change files on the share. You can also specify a user limit (maximum allowed is the default). You can further click the Permissions button to control access by users. Here, you can specify which users will have access, as well as the type of access. For example, you could allow only read access to the directory.

Sharing Windows Printers

To share a printer, locate the printer in the Printers window and right-click it, selecting the Sharing As option. This opens the Sharing panel, where you can click the Shared As button and enter the name under which the printer will be known by other hosts. For example, on the Windows client named lizard, to have a printer called Epson Stylus Color shared as myepson, the Sharing panel for this printer would have the Shared As button selected and the name myepson entered. Then when the user double-clicks the lizard icon in the Computers Near Me window, the printer icon labeled myepson will appear.

For a Linux system to use this printer, it will first have to be configured as a remote Windows printer on that Linux system. You can do this easily with the system-config-printer tool (see Chapter 10).

User-Level Security

For stand alone servers, Samba provides primarily user-level security, requiring users on remote systems to log in using Samba-registered passwords. User-level security requires the use of Windows encrypted passwords. Windows uses its own methods of encryption. For Samba to handle such passwords, it has to maintain its own Windows-compatible password database. It cannot use the Linux password databases. Windows also uses additional information for the login process like where the user logged in.

User-level security requires that each user who wants to log in to a Samba share from a Windows system have a corresponding user account on the Samba server. These are the users listed in the system-config-samba Samba Users window (see Figure 12-4). In addition, this account has to have a separate Samba password with which to log in to the Samba share. In effect, the user becomes a Samba user.

The account on the Samba server does not need to use the same username as that used on the Windows system. A Windows username can be specified for a Samba user. On system-config-samba, the Create New Samba User window lets you enter a Windows username in the Windows Username entry (see Figure 12-5). This mapping of Windows users to Samba (Linux) users is listed in the /etc/smbusers file. The following maps the Windows user rpetersen to the Samba (Linux) user richard.

richard = rpetersen

When the Windows user tries to access the Samba share, the user will be prompted to log in. The Windows user would then enter rpetersen as the user name and the Samba password that was set up for richard. On system-config-samba, this is the Samba password entered in the Samba Password entries in the Create New Samba Users window (see Figure 12-5).

User-level security is managed by password back-end databases. By default, the tdbsam back-end database is used. This is a tdb database file (trivial data base) that stores Samba passwords along with Windows extended information. The tdbsam database is designed for small networks. For systems using LDAP to manage users, you can use the LDAP-enabled back-end, ldbsam. The ldbsam database is designed for larger networks. The smbpasswd file previously used is still available, but it is included only for backward compatibility. The default configuration entries for user access in the smb.conf file are shown here, though, for a standalone server, user security is used and assumed. The security option will not be listed in the smb.conf file.

security = user
passdb backend = tdbsam

The username map option specifies the file used to associate Windows and Linux users. Windows users can use the Windows user name to login as the associated user. The username map file is usually /etc/samba/smbusers.

username map = /etc/samba/smbusers

If you are using an LDAP-enabled Samba database, ldbsam, you would use special LDAP Samba tools to manage users. These are provided in the smbldap-tools package. They are prefixed with the term smbldap. There are tools for adding, modifying, and deleting users and groups like smbldap-useradd, smbldap-userdelete, and smbldap-groupmod. You use the smbldap-passwd command to manage Samba passwords with LDAP. The smbldap-userinfo command is used to obtain information about a user. You configure your LDAP Samba tools support using the /etc/smbldap-tools/smbldap.conf file.

Samba also provides its own Samba password Pluggable Authentication Module (PAM) module, pam_smbpass.so. With this module, you provide PAM authentication support for Samba passwords, enabling the use of Windows hosts on a PAM-controlled network. The module could be used for authentication and password management configured in your PAM samba file. The following entries in the PAM samba file would implement PAM authentication and passwords using the Samba password database:

auth required pam_smbpass.so nodelay
password required pam_smbpass.so nodelay

Be sure to enable PAM in the smb.conf file:

obey pam restrictions = yes

Samba Passwords: smbpasswd

With user-level security, access to Samba server resources by a Windows client is allowed only to users on that client. The username and Samba password used to access the Samba server must be registered in the Samba password database.

Note: If you are using the older smbpasswd file, you can use the mksmbpasswd.sh script to generate a smbpasswd file made up of all the users listed in your /etc/passwd file. You pipe the contents of the passwd file to mksmbpasswd.sh and then use redirection (>) to create the file.

You can use either system-config-samba or the smbpasswd tool to manage Samba passwords. On system-config-samba you use the Samba Users window (Preferences | Samba Users) to add or edit passwords (see Figure 12-4). Alternatively, you can use the smbpasswd command in a terminal window to add, or later change, passwords. To add or change a password for a particular user, you use the smbpasswd command with the username:

$ smbpasswd dylan
New SMB Password: new-password
Repeat New SMB Password: new-password

Users can use smbpasswd to change their own passwords. The following example shows how you would use smbpasswd to change your Samba password. If you have no Samba password, you can press the ENTER key.

$ smbpasswd
Old SMB password: old-password
New SMB Password: new-password
Repeat New SMB Password: new-password

Should you want to use no passwords, you can use smbpasswd with the -n option. The smb.conf file will need to have the null passwords option set to yes.

If you are using the older smb passwords file, be sure that Samba is configured to use encrypted passwords. Set the encrypt passwords option to yes and specify the SMB password file.

Managing Samba Users: smbpasswd and pdbedit

To manage users you can use the smbpasswd command, the pdbedit tool, or system-config-samba. The smbpasswd command with the -a option will add a user and with the -x option will remove one. To enable or disable users you would use the -e and -d options.

smbpasswd -a aleina

The smbpasswd command will operate on either the older smbpasswd file or the newer tdbsam backend database files. For the tdbsam backend database files you can use pdbedit. To add a user you would use the -a option and to remove a user you use the -x option.

pdbedit -a larisa

This is a command line tool with options for adding and removing users, as well as features like changing passwords and setting the home directory. You can also import or export the user entries to or from other back-end databases.

The pdbedit command lets you display more information about users. To display users from the back-end database you could use the -L option. Add the -v option for detailed information. For a particular user, add the user name.

pdbedit -Lv richard

For domain policies such as minimum password lengths or retries, you use the -P option.

pdbedit -P

You use the -i and -e options to import and export database entries. The following will import entries from the old smbpasswd file to the new tdbsam back-end database.

pdbedit -i smbpasswd -e tdbsam

If your system is using an LDAP-enabled Samba database, use the smbldap tools to manage users and groups.

The Samba smb.conf Configuration File

Samba configuration is held in the smb.conf file located in the /etc/samba directory. Samba configuration tools, such as system-config-samba, will maintain this file for you. Alternatively, you can manually edit the file directly, creating your own Samba configuration. You may have to do this if your Samba configuration proves to be very complex. Direct editing can provide more refined control over your shares.

You use the testparm command in a terminal window to check the syntax of any changes you have made to the /etc/samba/smb.conf file.

testparm

The file is separated into two basic parts: one for global options and the other for shared services. Shared services, also known as shares, can either be file space services (used by clients as an extension of their native file systems) or printable services (used by clients to access print services on the host running the server). The file space service is a directory to which clients are given access; they can use the space in it as an extension of their local file system. A printable service provides access by clients to print services, such as printers managed by the Samba server.

The /etc/samba/smb.conf file holds the configuration for the various shared resources, as well as global options that apply to all resources. Linux installs an smb.conf file in your /etc/samba directory. The file contains default settings used for Ubuntu. You can edit the file to customize your configuration to suit your needs. Comments begin with a # sign, and directives that have been commented out to deactivate them begin with a semicolon (;). You can remove a directive's initial semicolon to make it effective. For a complete listing of the Samba configuration parameters, check the Man page for smb.conf. An extensive set of sample smb.conf files is located in the /usr/share/doc/samba-doc directory in the examples subdirectory (install the samba-doc package).

The smb.conf file is organized into two main groups, Global Settings and Share Definitions, each labeled by a comment. The Global Settings section has several subsections for different settings: Browsing/Identification, Networking, Debugging/Accounting, Authentication, Domains, Printing, and Misc. They use shorter comment lines.

In the smb.conf file, global options are set first, followed by each shared resource’s configuration. The basic organizing component of the smb.conf file is called a section. Each resource has its own section that holds its service name and definitions of its attributes. Even global options are placed in a section of their own, labeled global. For example, each section for a file space share consists of the directory and the access rights allowed to users of the file space. The section of each share is labeled with the name of the shared resource. Special sections, called printers and homes, provide default descriptions for user directories and printers accessible on the Samba server. Following the special sections, other sections are entered for specific services, namely access to specific directories or printers.

A section begins with a section label, consisting of the name of the shared resource encased in brackets. Other than the special sections, the section label can be any name you choose. Following the section label, on separate lines, different parameters for this service are entered. The parameters define the access rights to be granted to the user of the service. For example, for a directory, you may want it to be browseable, but read-only, and use a certain printer. Parameters are entered in the format parameter name = value. You can enter a comment by placing a semicolon at the beginning of the comment line.

A simple example of a section configuration follows. The section label is encased in brackets and followed by two parameter entries. The path parameter specifies the directory to which access is allowed. The writeable parameter specifies whether the user has write access to this directory and its file space.

[mysection]
path = /home/chris
writeable = true

A printer service has the same format but requires certain other parameters. The path parameter specifies the location of the printer spool directory. The read-only and printable parameters are set to true, indicating the service is read-only and printable. public indicates anyone can access the service.

[myprinter]
path = /var/spool/samba
read only = true
printable = true
public = true

Some parameters have synonyms: different entries that carry the same meaning. For example, readonly = no, writeable = yes, and writeok = yes all mean the same thing, providing write access to the user.

Tip: The writeable option is an alias for the inverse of the read only option. The writeable = yes entry is the same as read only = no entry.

Variable Substitutions

For string values assigned to parameters, you can incorporate substitution operators. This provides greater flexibility in designating values that may be context-dependent, like usernames.

Variable    Description
%S          Name of the current service
%P          Root directory of the current service
%u          Username of the current service
%H          Home directory of the user
%h          Internet hostname on which Samba is running
%m          NetBIOS name of the client machine
%L          NetBIOS name of the server
%M          Internet name of the client machine
%I          IP address of the client machine

Table 12-3: Samba Substitution Variables

For example, suppose a service needs to use a separate directory for each user who logs in. The path for such directories could be specified using the %u variable that substitutes in the name of the current user. The string path = /tmp/%u would become path = /tmp/justin for the justin user and /tmp/dylan for the dylan user. Table 12-3 lists several of the more common substitution variables.

Global Settings

The Global Settings section determines configuration for the entire server, as well as specifying default entries to be used in the home and directory segments. In this section, you will find entries for the workgroup name, password configuration, and directory settings. Several of the more important entries are discussed here.

Browsing/Identification

The Workgroup entry specifies the workgroup name you want to give to your network. This is the workgroup name that appears on the Windows client’s Network window. The default Workgroup entry in the smb.conf file is shown here:

[global]

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP

The workgroup name has to be the same for each Windows client that the Samba server supports. On a Windows client, the workgroup name is usually found on the Network Identification or General tab in the System tool located in the Control Panel. On many clients, this is defaulted to WORKGROUP. This is also the default name specified in the smb.conf file. If you want to use another name, you have to change the workgroup entry in the smb.conf file accordingly. The workgroup entry in the smb.conf file and the workgroup name on each Windows client have to be the same. In this example the workgroup name is mygroup.

workgroup = mygroup

The server string entry holds the descriptive name you want displayed for the server on the client systems. On Windows systems, this is the name displayed on the Samba server icon. The default is Samba Server, but you can change this to any name you want.

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

Note: You can also configure Samba to be a Primary Domain Controller (PDC) for Windows NT networks. As a PDC, Samba sets up the Windows domain that other systems will use, instead of participating in an already established workgroup.

Name service resolution is normally provided by the WINS server (Windows NetBIOS Name Service, nmbd). If your local network already has a WINS server, you can specify that instead. The commented default entry is shown here. Replace w.x.y.z with your network's WINS server name.

; wins server = w.x.y.z

WINS server support by your Samba nmbd server would have to be turned off to avoid conflicts, turning your Samba name resolution server into just a client. The commented entry to turn off WINS support is shown here.

# wins support = no

If your network also has its own Domain Name Service (DNS) server that it wants to use for name resolution, you can enable that instead. By default, this is turned off, as shown next. Change the no to yes to allow use of your network's DNS server for Windows name resolution. Also, WINS server support would have to be turned off.

dns proxy = no

Networking

This subsection has interface directives for assigning a network interface device to a particular network to use for your server. The entries are commented out by default. The commented default entry is shown here for localhost on the first Ethernet device.

; interfaces = 127.0.0.0/8 eth0

If the system your Samba server runs on is not protected by a firewall, or the firewall is running on the same system, you should also enable the following.

; bind interfaces only = yes

Debugging/Accounting

This section has directives for setting up logging for the Samba server. The log file directive is configured with the %m substitution symbol so that a separate log file is set up for each machine that connects to the server.

log file = /var/log/samba/log.%m

The maximum size of a log file is set to 1000 lines.

max log size = 1000

To have Samba log only through syslog, set the syslog only option to yes.

syslog only = yes

The syslog directive is set to 0 to just log brief information to the system logs. Detailed logging is handled by the Samba server instead.

syslog = 0

The panic action directive notifies the administrator in case of a crash.

panic action = /usr/share/samba/panic-action %d

Authentication

The server role for the Samba server can be standalone, a member server, or a domain controller (primary, backup, or active directory). Usually the server is a standalone server. The server role determines the security. For standalone server the security is user, which requires a password logon.

server role = standalone server

Windows clients use encrypted passwords for the login process. Passwords are encrypted by default and managed by the password database. In the following entries, the security is set to the user-level (user), and the password database file uses tdbsam.

passdb backend = tdbsam

You can use the security option to specify the security: user (user password), domain (Windows domain), or ads (Kerberos) security. The auto setting is the default, which derives the security from the server role. If the server role is standalone server, then the security is user and is not specified in the smb.conf file.

Support for Pluggable Authentication Modules (PAM) security is then turned on.

obey pam restrictions = yes

Sync unix password with smb password changes.

unix password sync = yes

When Samba passwords are changed, they need to be synced with UNIX passwords. The unix password sync directive turns on syncing, and the passwd program and passwd chat directives use the passwd command and specified prompts to change the password.

unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

PAM is also used for password changes by Samba clients.

pam password change = yes

As a security measure, you can restrict access to SMB services to certain specified local networks. In the hosts allow entry, list the network addresses of the local networks for which you want to permit access. To deny access to everyone in a network except a few particular hosts, you can use the EXCEPT option after the network address with the IP addresses of those hosts. The localhost (127) is always automatically included. The next example allows access to two local networks:

hosts allow = 192.168.1. 192.168.2.
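How such a list admits or rejects a client address, as an added Python sketch (not Samba's code and not from the original page). It follows the smb.conf man page semantics: a token ending in a dot is a network prefix, addresses after EXCEPT are carved out of the allowed networks, and localhost always passes. The function names are hypothetical; hostnames, netgroups and hosts deny are not modelled.

```python
import ipaddress


def token_matches(token, client):
    """True if one hosts allow token covers the client address."""
    if token.endswith("."):
        # "192.168.1." is a prefix; the trailing dot keeps it from
        # also matching 192.168.10.x or 192.168.100.x.
        return str(client).startswith(token)
    if "/" in token:
        # network/netmask pair such as 10.0.0.0/255.255.255.0
        return client in ipaddress.ip_network(token, strict=False)
    # Anything else is treated as a single host address.
    return str(client) == token


def hosts_allow_permits(hosts_allow, client_ip):
    """Model of a hosts allow decision for one client IP (hypothetical helper)."""
    client = ipaddress.ip_address(client_ip)
    if client.is_loopback:
        return True                      # localhost is always included
    tokens = hosts_allow.replace(",", " ").split()
    if not tokens:
        return True                      # no list set: no restriction
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    allowed, excepted = tokens[:cut], tokens[cut + 1:]
    if any(token_matches(t, client) for t in excepted):
        return False                     # carved out of the allowed networks
    return any(token_matches(t, client) for t in allowed)


if __name__ == "__main__":
    rule = "192.168.1. 192.168.2."       # the entry shown above
    # Constructed client addresses.
    for ip in ("192.168.1.20", "192.168.10.5", "127.0.0.1", "10.0.0.9"):
        print(ip, "allowed" if hosts_allow_permits(rule, ip) else "denied")
```

A prefix written without its trailing dot (192.168.1) is compared as a single host address in this model and so admits no client, which is a common reason a seemingly correct entry locks everyone out.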

The map to guest directive is set to bad user. This will allow any unknown users to log in as guests. Samba users who fail to log in, though, will not be allowed access, even as guests.

map to guest = bad user

Domains

The Domains subsection configures your Samba server as a Microsoft Public Domain Controller (PDC). All of these directives are commented out by default. See the section later in this chapter on Public Domain Controller on how to set up your Samba server as a PDC on a Microsoft network.

Printing

The load printers directive will automatically load your printer list.

load printers = yes

The printing directive specifies the printing server (CUPS is the default), and the printcap name directive designates the name of the printer configuration file.

printing = cups
printcap name = cups

There is a separate set of entries for LPRng and CUPS printing, with a printing and printcap name directive for each. Most systems now use CUPS, but some other systems may still use LPRng.

Misc

The Misc subsection has entries used to customize your server. Most are commented out, except for the usershare directive that allows users to create public shares. An include directive lets you set up configuration files for particular machines in the /home/samba/etc directory, that are then read when the machine connects.

; include = /home/samba/etc/smb.conf.%m

The domain master directive is only used if your server operates as a PDC.

# domain master = auto

There are also entries for those using the Winbind server, specifying the user and group id ranges, and the shell to use.

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

The usershare directives allow non-root users to share folders. A commented entry for usershare max shares can be used to limit the number of shares a user can set up.

; usershare max shares = 100

The usershare allow guests directive permits users to create public shares, allowing guests to access the shares.

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes

You can use a guest user login to make resources available to anyone without requiring a password. A guest user login would handle any users who log in without a specific account. Samba is usually set up to use the nobody user as the guest user. Alternatively, you can set up and designate a specific user to use as the guest user. You can designate the guest user with the guest ok and guest account entries in the smb.conf file. Be sure to add the guest user to the password file (you can also set up the guest user on the system-config-samba Server Settings dialog, Security tab, Guest Account menu).

guest ok = yes
guest account = nobody

In addition, this section provides several performance tweaks, such as setting socket options for Linux systems.

Share Definitions

The Share Definitions part will hold sections for the definition of commonly used shares, as well as any shares you have set up yourself, like shared directories or printers. There are three special sections: homes, netlogon, and profiles that are used for special purposes.

Homes Section

The Homes section specifies default controls for accessing a user home directory through the SMB protocols by remote users. Setting the browseable entry to no prevents the client from listing the files in a file browser. The read only entry specifies whether users have read access to files in their home directories. The create mask and directory mask entries set default permissions for new files and directories. The permission is 0700, which allows owner read/write/execute permission. The valid users entry uses the %S macro to map to the current service. You can add the writeable directive to allow write access.

writeable = yes

All these entries are commented out, disabling access to user home directories by default. To enable access to home directories, remove the semi-colon comment in front of each entry in the smb.conf file.

If you are setting up a PDC and chose to save user profiles in the user home directories, then the homes section and its entries have to be un-commented.

[homes]
comment = Home Directories
browseable = no
read only = yes
valid users = %S
create mask = 0700
directory mask = 0700

The printers and print$ Sections

The printers section specifies the default controls for accessing printers. These are used for printers for which no specific sections exist. Setting browseable to no simply hides the Printers section from the client, not the printers. The path entry specifies the location of the spool directory Samba will use for printer files. To enable printing at all, the printable entry must be set to yes. To allow guest users to print, set the guest ok entry to yes. The standard implementation of the Printers section is shown here:

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
guest ok = no
printable = yes
read only = yes
create mask = 0700

The print$ section, shown next, specifies where a Windows client can find a print driver on your Samba server. The printer drivers are located in the /var/lib/samba/printers directory and are read-only. The browseable, read-only, and guest directives are commented out. They can be enabled to allow browsing of the drivers. The write list directive would allow you to remotely administer the Windows print drivers. lpadmin is the name of your administrator group.

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
; write list = root, @lpadmin

Shares

Sections for specific shared resources, such as directories on your system, are placed after the Homes and Printers sections. For a section defining a shared directory, enter a label for the share. Then, on separate lines, enter options for its pathname and the different permissions you want to set. In the path = option, specify the full pathname for the directory. The comment = option holds the label to be given the share. You can make a directory writeable, public, or read-only. You can control access to the directory with the valid users entry, which you can use to list those users permitted access. For those options not set, the defaults entered in the Global, Homes, and Printers segments are used.

The following example is the myprojects share. Here the /myprojects directory is defined as a share resource that is open to any user with guest access.

[myprojects]
comment = Great Project Ideas
path = /myprojects
read only = no
guest ok = yes

To limit access to certain users, you can list a set of valid users. Setting the guest ok option to no closes it off from access by others.

[mynewmusic]
comment = New Music
path = /home/specialprojects
valid users = mark, richard
guest ok = no
read only = no

The following example makes the Documents folder accessible and writeable to the georgep and richard users.

[Documents]
path = /home/richard/Documents
writeable = yes
browseable = yes
valid users = georgep, richard

To allow complete public access, set the guest ok entry to yes, with no valid users entry.

[newdocs]
comment = New Documents
path = /home/newdocs
guest ok = yes
read only = no

To set up a directory that can be shared by more than one user, where each user has control of the files he or she creates, simply list the users in the Valid Users entry. Permissions for any created files are specified in the Advanced mode by the Create Mask entry (same as create mode). In this example, the permissions are set to 765, which provides read/write/execute access to owners, read/write access to members of the group, and only read/execute access to all others (the default is 744, read-only for group and other permission):

[myshare]
comment = Writer’s projects
path = /usr/local/drafts
valid users = Justin, chris, dylan
guest ok = no
read only = no
create mask = 0765
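An added example (not from the original page or the Samba project): a small Python audit that parses smb.conf text, folds the synonyms described earlier (writeable, write ok, public) into read only and guest ok, and reports which shares guests can reach. The sample file is constructed from this chapter's share examples, and the function names are hypothetical.

```python
import re

# Constructed sample assembled from this chapter's share examples.
SAMPLE_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = bad user
; bind interfaces only = yes
# a plain comment line

[homes]
browseable = no
read only = yes
valid users = %S

[myprojects]
path = /myprojects
read only = no
guest ok = yes

[mynewmusic]
path = /home/specialprojects
valid users = mark, richard
guest ok = no
read only = no

[newdocs]
path = /home/newdocs
public = yes
writeable = yes

[printers]
path = /var/spool/samba
guest ok = no
printable = yes
"""

TRUE_WORDS = {"yes", "true", "1"}


def key(name):
    """Parameter names ignore case and whitespace (smb.conf man page)."""
    return "".join(name.lower().split())


# synonym -> (canonical key, inverted?)
SYNONYMS = {key(s): (key(c), inv) for s, c, inv in [
    ("writeable", "read only", True), ("writable", "read only", True),
    ("write ok", "read only", True), ("public", "guest ok", False)]}
# Samba's built-in defaults for the parameters audited here.
DEFAULTS = {key("read only"): "yes", key("guest ok"): "no", key("printable"): "no"}


def parse_smb_conf(text):
    """Return {section: {canonical key: value}}; skips # and ; lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        canonical, inverted = SYNONYMS.get(key(name), (key(name), False))
        value = value.strip()
        if inverted:   # writeable = yes is stored as read only = no
            value = "no" if value.lower() in TRUE_WORDS else "yes"
        current[canonical] = value
    return sections


def is_true(sections, share, name):
    """Share value, else the [global] value, else the built-in default."""
    k = key(name)
    value = sections[share].get(k, sections.get("global", {}).get(k, DEFAULTS[k]))
    return value.lower() in TRUE_WORDS


def audit_shares(sections):
    """Return sorted (share, finding) pairs for guest-reachable shares."""
    findings = []
    for share in sections:
        if share == "global" or not is_true(sections, share, "guest ok"):
            continue
        if is_true(sections, share, "printable"):
            findings.append((share, "guest printing allowed"))
        elif not is_true(sections, share, "read only"):
            findings.append((share, "guest-writable file share"))
        else:
            findings.append((share, "guest-readable file share"))
    mapping = sections.get("global", {}).get(key("map to guest"), "").lower()
    if findings and mapping == "bad user":
        findings.append(("global", "map to guest = bad user: unknown usernames reach guest shares"))
    return sorted(findings)


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{share}] {finding}")
```

On the sample, [myprojects] and [newdocs] are reported as guest-writable even though [newdocs] never uses the words guest ok or read only, which is why synonyms have to be normalised before any such check.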

Printer shares

Access to specific printers is defined in the Printers section of the smb.conf file. For a printer, you need to include the Printer and Printable entries, as well as specify the type of Printing server used. With the Printer entry, you name the printer, and by setting the Printable entry to yes, you allow it to print. You can control access to specific users with the valid users entry and by setting the Public entry to no. For public access, set the public entry to yes. For the CUPS server, set the printing option to cups.

The following example sets up a printer accessible to guest users. This opens the printer to use by any user on the network. Users need to have write-access to the printer’s spool directory, located in /var/spool/samba. Keep in mind that any printer has to first be installed on your system. The following printer was already installed as myhp. You use the CUPS administrative tool to set up printers for the CUPS server. The Printing option can be inherited from the Printers share.

[myhp]
path = /var/spool/samba
read only = no
guest ok = yes
printable = yes
printer = myhp
oplocks = no
share modes = no
printing = cups

As with shares, you can restrict printer use to certain users, denying it to public access. The following example sets up a printer accessible only by the users larisa and aleina (you could add other users if you want). Users need to have write access to the printer’s spool directory.

[larisalaser]
path = /var/spool/samba
read only = no
valid users = larisa aleina
guest ok = no
printable = yes
printing = cups
printer = larisalaser
oplocks = no
share modes = no

Testing the Samba Configuration

After you make your changes to the smb.conf file, you can then use the testparm program to see if the entries are correctly entered. testparm checks the syntax and validity of Samba entries. By default, testparm checks the /etc/samba/smb.conf file. If you are using a different file as your configuration file, you can specify it as an argument to testparm. You can also have testparm check to see if a particular host has access to the service set up by the configuration file.

To check the real-time operation of your Samba server, you can log in to a user account on the Linux system running the Samba server and connect to the server.

Samba Public Domain Controller: Samba PDC

Samba can also operate as a Public Domain Controller (PDC). The domain controller will be registered and advertised on the network as the domain controller. The PDC provides a much more centralized way to control access to Samba shares. It provides the netlogon service and a NETLOGON share. The PDC will set up machine trust accounts for each Windows and Samba client. Though you can do this manually, Samba will do it for you automatically. Keep in mind that Samba cannot emulate a Microsoft Active PDC, but can emulate a Windows NT4 PDC. You can find out more about Samba PDC at:

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html

For basic configuration check the Ubuntu Server Guide | Windows Networking | Samba as a Domain Controller.

https://help.ubuntu.com/stable/serverguide/samba-dc.html

You will, of course, have to have the Samba server installed. Also make sure that libpam-smbpass is installed.

Microsoft Domain Security

As noted in the Samba documentation, the primary benefit of Microsoft domain security is single-sign-on (SSO). In effect, logging into your user account also logs you into your entire network's shared resources. Instead of having to be separately authenticated any time you try to access a shared network resource, you are already authenticated. Authentication is managed using Security IDs (SID) that consist of a network ID (NID) and a relative ID (RID). The RID references your personal account. A separate RID is assigned to every account, even those for groups or system services. The SID is used to set up access control lists (ACL) for the different shared resources on your network, allowing a resource to automatically identify you.

Essential Samba PDC configuration options

To configure your PDC, edit the Domains section in the smb.conf file. Here you will find entries for configuring your Samba PDC options. Certain other entries are found elsewhere. The domain master entry is located in the Misc section.

The essential PDC options are shown here.

workgroup = myworkgroup
domain logons = yes
domain master = yes
security = user

If the netbios name is different from the host name on which the server is run, you can add a netbios name option to specify it.

netbios name = myserver

Basic configuration

Like most Samba configurations, the PDC requires a Samba back-end. The tdbsam is already configured for you. The security level should be user. This is normally the default and should already be set. The smb.conf entries are shown here:

security = user
passdb backend = tdbsam

The PDC must also be designated the domain master. This entry is located in the Misc section, and is set to auto by default. For a PDC, set it to yes, and for a BDC (backup domain controller) set it to no.

domain master = yes

The PDC has browser functionality, with which it locates systems and shares on your network. These features are not present in the Ubuntu smb.conf file, but you can add them if needed. The local master option is used only if you already have another PDC that you want to operate as the local master. You could have several domain controllers operating on your network. Your Microsoft network holds an election to choose which should be the master. The os level sets the precedence for this PDC. It should be higher than 32 to gain preference over other domain controllers on your network, ensuring this PDC's election as the primary master controller. The preferred master option starts the browser election on startup.

; local master = no
os level = 33
preferred master = yes

Domain Logon configuration

Samba PDC uses the domain logons service whereby a user can log on to the network. The domain logon service is called the netlogon service by Microsoft. The Samba share it uses is also called netlogon. To configure the domain logon service, set the domain logons option to yes, or set the server role option to "primary classic domain controller" or to "backup domain controller."

domain logons = yes

The logon path references the profile used for a user. The %N will be the server name, and the %U references the user name. Profiles can be set up either in a separate profiles share or in the user home directories. The following would reference user profiles in the profiles share. You would also have to define the profiles share by un-commenting the profiles share entries in the smb.conf file.

logon path = \\%N\Profiles\%U

If the profile is stored in the user's home directory instead of the Profiles share, you would uncomment the following entry instead. You will also have to allow access to user home directories, un-commenting the homes share entries.

logon path = \\%N\%U\profile

The logon drive and logon home specify the location of the user's home directory. The logon drive is set as the H: drive. The %N evaluates to the server name and %U to the user.

logon drive = H:
logon home = \\%N\%U

The login script can be one set by the system or by users.

# the login script name depends on the machine name
logon script = logon.cmd

You can then enable user add operations for adding users, groups, and machines to the PDC. The add machine entry allows Samba to automatically add trusted machine accounts for Windows systems when they first join the PDC controlled network.

add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
add group script = /usr/sbin/addgroup --force-badname %g

You then need to set up a netlogon share in the smb.conf file. This share holds the netlogon scripts—in this case, the /var/lib/samba/netlogon directory—which should not be writable, but should be accessible by all users (Guest OK). In the share definitions section of the smb.conf file you will find the [netlogon] section commented. Remove the semi-colon comments from the entry, as shown here.

# Un-comment the following and create the netlogon directory for Domain Logon
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes

If you choose to use a profiles share to store user profiles in, then you should enable the profiles share. Un-comment the following to define a profiles share. The entries are located just after the netlogon shares.

[profiles]
comment = Users profiles
path = /home/samba/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700

The profile share is where user netlogon profiles are stored. If, instead, you are using the user's home directories to store their profiles, you will not need to define and use a profiles share. If you choose to store user profiles in the user home directories, you would un-comment the homes share entries instead.

Accessing Samba Services with Clients

Client systems connected to the SMB network can access the shared services provided by the Samba server. Windows clients should be able to access shared directories and services automatically through the My Network Places or Network on a Windows desktop. For Linux systems connected to the same network, Samba services can be accessed using the GNOME Nautilus file manager and KDE file manager, as well as special Samba client programs.

With the Samba smbclient, a command line client, a local Linux system can connect to a shared directory on the Samba server and transfer files and run shell programs. Using the mount command with the -t cifs option, directories on the Samba server can be mounted to local directories on the Linux client. The cifs option invokes mount.cifs to mount the directory.

Accessing Windows Samba Shares from GNOME

You can use Nautilus (the GNOME file manager) to access your Samba shares. Select Places | Network to open the Network window, which displays the icons for your network. In this window, open the Windows Network folder to list folders for your Windows network groups, such as WORKGROUP. Opening up a Windows group folder will list the hosts in that group. These will show host icons for your shared Windows hosts. Clicking a host icon will list all the shared resources on it.

Alternatively, you can start Nautilus in browser mode and enter the smb: protocol in the Location box to display all the Samba and Windows networks, from which you can access the Samba and Windows shares.

smbclient

The smbclient utility operates like FTP to access systems using the SMB protocols. With smbclient you can access SMB-shared services, either on the Samba server or on Windows systems. Many smbclient commands are similar to those of FTP, such as mget to transfer a file or del to delete a file. The smbclient program has several options for querying a remote system, as well as connecting to it. See the smbclient Man page for a complete list of options and commands. The smbclient program takes as its argument a server name and the service you want to access on that server. A double slash precedes the server name, and a single slash denotes the service. The service can be any shared resource, such as a directory or a printer. The server name is its NetBIOS name, which may or may not be the same as its IP name. For example, to specify the myreports shared directory on the server named turtle.mytrek.com, use //turtle.mytrek.com/myreports. If you must specify a pathname, use backslashes for Windows files and forward slashes for Unix/Linux files:

//server-name/service

You can also supply the password for accessing the service. Enter it as an argument following the service name. If you do not supply the password, you are prompted to enter it.

You can then add several options to access shares, such as the remote username or the list of services available. With the -I option, you can specify the system using its IP address. You use the -U option and a login name for the remote login name you want to use on the remote system. Attach % with the password if a password is required. With the -L option, you can obtain a list of the services provided on a server, such as shared directories or printers. The following command will list the shares available on the host turtle.mytrek.com:

smbclient -L turtle.mytrek.com

To access a particular directory on a remote system, enter the directory as an argument to the smbclient command, followed by any options. For Windows files, you use backslashes for the pathnames, and for Unix/Linux files, you use forward slashes. Once connected, an SMB prompt is displayed and you can use smbclient commands such as get and put to transfer files. The quit and exit commands quit the smbclient program. In the following example, smbclient accesses the directory myreports on the turtle.mytrek.com system, using the dylan login name:

smbclient //turtle.mytrek.com/myreports -I 192.168.0.1 -U dylan

In most cases, you can simply use the server name to reference the server, as shown here:

smbclient //turtle.mytrek.com/myreports -U dylan

If you are accessing the home directory of a particular account on the Samba server, you can simply specify the homes service. In the next example, the user accesses the home directory of the aleina account on the Samba server, after being prompted to enter that account’s password:

smbclient //turtle.mytrek.com/homes -U aleina

You can also use smbclient to access shared resources located on Windows clients. Specify the computer name of the Windows client along with its shared folder. In the next example, the user accesses the windata folder on the Windows client named lizard. The folder is configured to allow access by anyone, so the user just presses the ENTER key at the password prompt.

$ smbclient //lizard/windata

Once logged in, you can execute smbclient commands to manage files and change directories. Shell commands can be executed with the ! operator. To transfer files, you can use the mget and mput commands, much as they are used in the FTP program. The recurse command enables you to turn on recursion to copy whole subdirectories at a time. You can use file-matching operators, referred to here as masks, to select a certain collection of files. The file-matching (mask) operators are *, [], and ? (see Chapter 19). The default mask is *, which matches everything. The following example uses mget to copy all files with a .c suffix, as in myprog.c:

smb> mget *.c

mount.cifs: mount -t cifs

Using the mount command with the -t cifs option, a Linux client can mount a shared directory onto its local system. The cifs option invokes the mount.cifs command to perform the mount operation. The syntax for the mount.cifs command is similar to that for the smbclient command, with many corresponding options. The mount.cifs command takes as its arguments the Samba server and shared directory, followed by the local directory where you want to mount the directory. Instead of using mount.cifs explicitly, you use the mount command with the file system type cifs. The mount command will then run the /sbin/mount.cifs command, which will invoke smbclient to mount the file system. The following example mounts the myreports directory onto the /mnt/myreps directory on the local system:

mount -t cifs //turtle.mytrek.com/myreports /mnt/myreps -o username=dylan

To unmount the directory, use the umount command with the -t cifs option and the directory name. This will invoke the umount.cifs command which performs the unmount operation.

umount -t cifs /mnt/myreps

To mount the home directory of a particular user on the server, specify the homes service and the user’s login name. The following example mounts the home directory of the user larisa to the /home/chris/larisastuff directory on the local system:

mount -t cifs //turtle.mytrek.com/homes /home/chris/larisastuff -o username=larisa

You can also mount shared folders on Windows clients. Specify the computer name of the Windows client along with its folder. If the folder name contains spaces, enclose it in single quotes. In the following example, the user mounts the windata folder on lizard as the /mylinux directory. For a folder that allows access by anyone, just press ENTER at the password prompt:

$ mount -t cifs //lizard/windata /mylinux
Password:
$ ls /mylinux
hi  mynewdoc.doc  myreport.txt

To unmount the shared folder when you are finished with it, use the umount command and the -t cifs option.

umount -t cifs /mylinux

You could also specify a username and password as options, if user-level access is required:

mount -t cifs -o user=chris,passwd=mypass //lizard/windata /mylinux

You can also use the cifs type in an /etc/fstab entry to have a Samba file system mounted automatically:

//lizard/windata /mylinux cifs defaults 0 0
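
A password given as passwd=mypass on the mount command line ends up in shell history and the process list, and /etc/fstab is world-readable, so user-level access is better handled with the credentials= option of mount.cifs. The following shell sketch is an added example, not from the book: it writes an owner-only credentials file, prints the matching fstab entry, and audits an fstab for cifs entries that embed a password; the /etc/samba/cred-* paths and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: keep CIFS passwords off command lines and out of /etc/fstab.
# Paths and account names below are constructed for illustration.

# write_cifs_credentials FILE USER PASSWORD
# Writes FILE in the format mount.cifs reads via its credentials= option,
# readable only by its owner.
write_cifs_credentials() {
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"   # also tightens a file that already existed
}

# credentials_are_private FILE: succeeds only if group and other have no access.
credentials_are_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE: prints an fstab entry that
# points at the credentials file.
cifs_fstab_line() {
    printf '%s %s cifs credentials=%s 0 0\n' "$1" "$2" "$3"
}

# audit_cifs_fstab FSTAB: prints "file:line: share" for each cifs entry whose
# options embed a password (pass=, passwd=, password=); returns 1 if any exist.
audit_cifs_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^pass[a-z0-9]*=/) {
                    print FILENAME ":" FNR ": " $1; bad = 1; break
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo on constructed data in a scratch directory; nothing is mounted.
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
# constructed sample entries
//lizard/windata /mylinux cifs user=chris,passwd=mypass 0 0
//turtle.mytrek.com/myreports /mnt/myreps cifs credentials=/etc/samba/cred-dylan 0 0
EOF
write_cifs_credentials "$demo_dir/cred-chris" chris mypass
audit_cifs_fstab "$demo_dir/fstab" || echo "inline password found; use instead:"
cifs_fstab_line //lizard/windata /mylinux /etc/samba/cred-chris
```

On the command line the same file is used as mount -t cifs -o credentials=FILE, so the password is never typed as an argument.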