Mac OS X Unleashed

By John Ray and William C. Ray


Samba is a very large piece of software—approaching Apache in terms of complexity and number of configuration options. In this chapter, the focus will be on setting up solid, general-purpose servers. High-end needs are best served by other sources, such as Sams Teach Yourself Samba in 24 Hours (ISBN: 0672316099). The Samba Web site is also a great source for information (

Let's get down to business.

Installing Samba

There are two ways to install the Samba server software. The easiest method is to download a precompiled binary, double-click it, and go! Unfortunately, Samba is rapidly developed, and the only precompiled distribution is not an official distribution, and relies on a single person to keep it up to date. If you're interested, download a Mac OS X installer binary version of Samba from

If you have about thirty minutes and aren't afraid of the command line, you can easily compile and install Samba on your own. To get started, download the latest Samba source from, and then unarchive the server:

[primal:~/samba] jray% tar zxf samba-latest.tar.gz
[primal:~/samba] jray% cd samba-2.2.0/

Next, cd into the Samba source directory and execute the configure command. You'll need to add the option --host=powerpc to configure; otherwise, the process will fail:

./configure --host=powerpc

loading cache ./config.cache
checking for gcc... (cached) cc
checking whether the C compiler (cc -O  ) works... yes
checking whether the C compiler (cc -O  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether cc accepts -g... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking for gawk... (cached) awk
checking host system type... powerpc-unknown-none

The configure process will take several minutes. When completed, use make to compile Samba:

[primal:~/samba/samba-2.2.0/source] jray% make

Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper
    -DLOGFILEBASE="/usr/local/samba/var" -DCONFIGFILE="/usr/local/samba/lib/smb.conf"
    -DLMHOSTSFILE="/usr/local/samba/lib/lmhosts" -DSWATDIR="/usr/local/samba/swat"
    -DSBINDIR="/usr/local/samba/bin" -DLOCKDIR="/usr/local/samba/var/locks"
    -DCODEPAGEDIR="/usr/local/samba/lib/codepages"
    -DDRIVERFILE="/usr/local/samba/lib/printers.def" -DBINDIR="/usr/local/samba/bin"


The compilation easily took 10 minutes on a 500MHz G4, so this might be a good time to take a nap. Finally, when the compilation finishes, install the software with make install.

[primal:~/samba/samba-2.2.0/source] jray% sudo make install

/bin/sh ./install-sh -d -m 0755 /usr/local/samba /usr/local/samba/bin /usr/local/samba/bin /usr/local/samba/lib /usr/local/samba/var /usr/local/samba/lib/codepages
Installing bin/smbd as /usr/local/samba/bin/smbd
Installing bin/nmbd as /usr/local/samba/bin/nmbd
Installing bin/swat as /usr/local/samba/bin/swat
The binaries are installed. You may restore the old binaries (if there
were any) using the command "make revert". You may uninstall the binaries
using the command "make uninstallbin" or "make uninstall" to uninstall
binaries, man pages and shell scripts.

Samba is now mostly installed. The binaries are in place, but the server is not configured to start when the computer boots. Creating a new startup item easily solves this. Follow these steps closely; otherwise, Samba might not start at boot time.

  1. Check to see whether the folder /Library/StartupItems exists; if it doesn't, create it.
  2. Create a new folder named Samba within StartupItems.
  3. Create a file called StartupParameters.plist in the StartupItems folder. The file should contain these lines:
      {
        Description     = "Samba Server";
        Provides        = ("smb");
        Requires        = ("Resolver");
        OrderPreference = "None";
        Messages =
        {
          start = "Starting Samba server";
          stop  = "Stopping Samba server";
        };
      }
  4. Create a second file named Samba (the same as the enclosing folder). This file contains a short script that will activate the SMB and WINS server:
    #!/bin/sh
    # Start the SMB file/print daemon (smbd) and the NetBIOS/WINS name daemon (nmbd)
    /usr/local/samba/bin/smbd -D
    /usr/local/samba/bin/nmbd -D

Samba is now ready to run. It is still, however, lacking one very important thing—a configuration file. In its early days, Samba was configured entirely by hand—it worked, but wasn't really useful to anyone but the most die-hard Unix users. Today, however, configuration is handled entirely through a Web-based GUI called SWAT.

Although Samba can still be configured by hand (which you're welcome to do!), it is recommended that SWAT be used at all times.

When Samba was installed with make install, it also included the SWAT application. SWAT, however, requires additional set up that will enable it to activate when a Web browser accesses port 901 on the Samba server. This involves editing /etc/inetd.conf and making some changes to the NetInfo database.

Open /etc/inetd.conf in your favorite text editor and add the following line to the end:

swat    stream  tcp     nowait.400  root    /usr/local/samba/bin/swat swat

This tells inetd (the Internet daemon) to start /usr/local/samba/bin/swat when it gets a request for the SWAT service. Unfortunately, Mac OS X does not know what SWAT is, so you'll have to define it in NetInfo.

First, open the NetInfo Manager from /Applications/Utilities/NetInfo Manager. NetInfo was discussed in depth in Chapter 23, so, if you haven't looked at the application yet, now would be a good time to do so.

Next, click the Lock icon so that changes will be permitted. A new service type must be added to the NetInfo database that defines the SWAT service.

With NetInfo running and changes enabled, navigate to the services properties using the NetInfo path of /services. Create a new service in this location by selecting an existing service such as finger and choosing Duplicate (Command+D) from the Edit menu, and then highlighting the duplicate in the listing.

To finish setting up the service type, set the service properties as seen in Table 30.1.

Table 30.1. Edit the Service Properties to Have These New Values

Property   Value
Name       swat
Port       901
Protocol   tcp

Choose Save (Command+S) from the Domain menu. The new service, as defined in NetInfo, is seen in Figure 30.1.


Figure 30.1 Add a new SWAT service to the NetInfo database.

Finally, you need to install a basic configuration file. The Samba distribution comes with smb.conf.default in the examples directory. Copy this file to /usr/local/samba/lib/smb.conf. You'll also need to update the permissions on the file. These permissions determine who will be able to administer the server. If you only want root enabled, chmod 700 should be fine. If any Mac OS X admin user should be able to control the server, use chown root:admin /usr/local/samba/lib/smb.conf, followed by chmod 775 /usr/local/samba/lib/smb.conf.

SWAT is ready to run. Rebooting Mac OS X is the easiest way to make sure that everything starts as it should. Impatient users can manually execute the /Library/StartupItems/Samba/Samba file, then kill -1 the inetd process to start Samba and prepare SWAT for execution.

Configuring Samba

To configure Samba, start a Web browser and point it at port 901 of the Samba server (http://localhost:901). If everything has gone according to plan, SWAT will prompt for an administrative username and password. All screenshots shown in this section will assume that the controlling user is root. The SWAT home screen is shown in Figure 30.2.


Figure 30.2 SWAT opens with a page providing easy access to Samba documentation.

The top of the SWAT display includes seven buttons to control the operation of the server:

  • Home— Provides links to Samba documentation and supplemental material.
  • Globals— Settings that affect the entire server, such as its name and security model.
  • Shares— Shared file resources. If you used the sample configuration file that came with the Samba distribution, there should be a single home directory share already configured.
  • Printers— Shared printers. In order to share a printer, it must first be set up so that it can be accessed from the lpr command in Unix.
  • Status— Monitor and view the status of the server. If logged in as root, you can restart or stop the server process.
  • View— View a copy of the text configuration file.
  • Password— Set and edit Samba user passwords.

Let's step through these configuration screens to see the options used in a typical sharing environment.


The Global Variables page, seen in Figure 30.3, is the starting point for setting up your Samba server. Many people jump the gun and immediately start setting up file shares. Failure to properly configure the global options might make it impossible to mount or browse shared resources.


Figure 30.3 Global options set the operating parameters for the Samba server.

Three buttons can save (Commit Changes) server settings, reset changes (Reset Values), or access advanced options (Advanced View). Choosing Advanced View shows a number of additional options that are listed in Table 30.2. If you don't see the setting you're looking for, move to the Advanced mode.

Table 30.2. Global Options and Their Purpose

Option             Purpose
workgroup          Sets the workgroup or domain that the server belongs to. Set this to the same value as the workgroup/domain of local Windows clients; otherwise, they will not be able to browse the server.
netbios name       The Windows (NetBIOS) name of the server.
netbios aliases    A list of additional NetBIOS names to which the Samba server will respond. (Advanced)
password level     The number of case-changes that will be checked between the client login and the server password. Because client operating systems might transmit passwords in uppercase, they'll have to be altered to authenticate with the server. (Advanced)
username level     The same as the password level, but alters the username in a similar manner. For example, if I have a Mac OS X username of jray and a Windows login of JRAY, I'll have to set this value to 4 for it to be successfully permuted into the lowercase version. (Advanced)
server string      The text used to identify the server.
interfaces         The network interfaces that Samba will broadcast over. For example, Mac OS X's primary interface is en0. By default, all active interfaces will be used. To limit the interfaces, enter the interface names to use, or the network address followed by a subnet mask (that is,
security           The type of security model to use. User-level security bases access upon a user login. Share-level security password-protects individual shared resources. Domain and server security pass authentication duties to other NT or Samba servers, respectively. You'll probably want user or share-level security.
encrypt passwords  Sets encrypted password negotiation with the client. If you are using Windows 98 or later, set this to Yes. Encrypted passwords also require the use of the smbpasswd file, which is configured using the SWAT Password page.
update encrypted   Used when migrating from an unencrypted password on an existing server to a local encrypted smbpasswd file. This shouldn't be needed unless in an advanced configuration.
guest account      The local user that should be used for guest access and resource browsing. Mac OS X should use nobody.
hosts allow        A list of hostnames, IP addresses, IP addresses and subnet masks (, or partial addresses (192.168.0.) that can access the server. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.
hosts deny         Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as allow.
log file           The logfile to store server accesses in. The %m in the default path appends the name of the remote machine to the logfile name.
max log size       The maximum size in kilobytes that a logfile should be allowed to reach before rolling over.
os level           A number used to determine the ranking of Samba when a master browser is being elected on a Windows network. If Samba is the only server on the network, use the default 20. If NT 4.0 or 2000 machines are on the network, and you'd like Samba to be the master browser, set this to a value greater than 32.
domain logon       Accept domain logins. This is part of the experimental domain controller code and should be activated only after becoming a Samba god. (Advanced)
preferred master   If set to yes, the Samba server will attempt to force an election for master browser. Do not use on networks with multiple servers that want to be masters.
local master       Enables Samba to try to become the master browser for the local area network. If set to no, it will not attempt to assume this role.
domain master      Enables Samba's nmbd component to become a domain master browser that collects browse lists from remote subnets.
dns proxy          Attempts to resolve WINS queries through DNS if they cannot be resolved from locally registered machines.
wins server        A remote WINS server that Samba should query to service NetBIOS name requests.
wins support       Enables Samba's WINS service. Only a single machine should act as a WINS server on a given subnet.

The default settings should be sufficient for most small networks, with the exception of the base and security options. The best rule for Samba is that if you aren't sure what something does, or whether you even need it, you shouldn't touch it!


The Share Parameters page sets up file shares that can be mounted on networked Windows-based computers. To create a new share, type a share name in the Create Share field, and then click the Create Share button. To edit an existing share, choose its name from the pop-up list, and then click Choose Share—or click Delete Share to remove it completely. With the default Samba configuration file, there should already be a single homes share available. homes is unique because it is equivalent to each user sharing his home directory with himself. This share is shown loaded in Figure 30.4.


Figure 30.4 Use the Share Parameters page to set up your Windows SMB file shares.

The basic share parameters are listed in Table 30.3. Again, a few advanced options are also included. Like the Global Variables page, there is an Advanced button to show all possible configuration features for file sharing.

Table 30.3. File-Sharing Options and Values

Option             Purpose
comment            A comment to help identify the shared resource.
path               The pathname of the directory to share. Be aware that in user-level security, you must make sure that the corresponding Mac OS X user accounts have access to this directory. When using share-level security, a single user account is used, usually the guest account. In that case, the next setting becomes very important.
guest account      The account used to access the share if the remote client is logged in as a guest. The default is nobody, but, if set to another username, the guest user will have the read/write permissions of that local user account. If you want to use share-level access control, you can set this value to the account whose permissions should be used when accessing the share.
force user         If entered, the force user username will be used for all accesses (read/write) to the file share, regardless of the username used to log in. (Advanced)
force group        Similar to force user but forces a group rather than a user. (Advanced)
read only          When set to Yes, users cannot write to the share, regardless of the Mac OS X file permissions.
create mask        A set of permissions that newly created files will have. By default, the mask is set to 0744. (Advanced)
guest ok           If set to Yes, guests can log into the server without a password.
hosts allow        A list of hostnames, IP addresses, IP addresses and subnet masks (, or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.
hosts deny         Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as allow.
max connections    Restricts the number of simultaneous users who can access the share. (Advanced)
browseable         When set to Yes, the share will show up in the Windows network browser. If no, the share still exists, but remote users cannot see its name.
available          If set to Yes, the share will be made available over the network. Setting to No will disable access to the share.

The trickiest part of setting up a share is figuring out user access rights. Regardless of whether Samba is using user-level or share-level access, a Unix user must be mapped to the incoming connection.

The easiest security model is user-level, which requires Windows users to log in to their computers using the same username set up on the Mac OS X machine and a password determined by the smbpasswd file (set using the Password SWAT screen). When using user-level access, Windows users are mapped directly to Samba users. The Mac OS X file permissions apply directly to the permissions of the connected user. Assume, for example, the Mac OS X user jray has read/write permissions to the folder /Stuff, which is also set to be a Samba share. If jray logs in to a Windows computer using the same username as on Mac OS X, he will be able to access the Stuff share and have read/write access. The SWAT Password page must be used to map Unix users to the passwords that they will use on the remote Windows client.

Things are a bit different with share-level access. In these cases, a single password is needed to access the share, but a valid user account must be used by Samba when interacting with the Mac OS X file system. To simplify share-level security, create a Mac OS X user and set a password for a user with the SWAT Password page. Then set the guest account for the share equal to the Mac OS X username.


Samba can act as a full print server for a Windows network. The one small catch is that your printers must first be accessible via lpr at the command line, which involves some NetInfo configuration. You might want to check out the NetInfo and printer chapters before setting up any printer shares. You'll also want to use the advanced features during set up; otherwise, some information will be missing.

To create a new shared printer, enter its name in the Create Printer field, and then click the Create Printer button. An existing printer can be selected from the pop-up menu and then edited by clicking Choose Printer, or removed from the Samba configuration by clicking Delete Printer. A printer configuration screen is displayed in Figure 30.5.


Figure 30.5 To use Samba's printer sharing, you must first configure the printer using NetInfo.

By default, Mac OS X users will see two printers already defined: printers and lp[*]. The printers selection operates much like homes—it automatically attempts to share out all the printers found on your system. These printers are then listed with their own separate share names appended with [*]. Unfortunately, Samba searches /etc/printcap to locate printers, whereas Mac OS X stores printer configuration in the NetInfo database. Because of this, the two initial shared resources (printers/lp) are harmless, but cannot be used for printing.

To create a new printer share, first configure it for use from the command line, and then create a new printer and set the options shown in Table 30.4.

Table 30.4. Printer Sharing Options

Option             Purpose
comment            A comment used to identify the printer share.
path               A directory where print spool files will be saved before printing. The directory must be configured to be world-writable and have the sticky bit set.
guest account      The guest account used to access the printer resource, if guest access is enabled.
guest ok           If set to Yes, guests may access the printer. This is not a wise idea on a publicly networked device.
hosts allow        A list of hostnames, IP addresses, IP addresses and subnet masks (, or partial addresses (192.168.0.) that can access the share. The except keyword can create an exception to a rule. For example, except would allow any host in the subnet, except, to access the server. If left blank, all remote hosts can access the server.
hosts deny         Like hosts allow but used to list servers that should not have access to the server. Configure using the same method as allow.
printable          Allows authenticated clients to write to the print spool directory.
printer name       The NetInfo name for the printer. You must switch to Advanced View to see this option.
browseable         When set to Yes, the printer will show up in the Windows network browser. If no, the printer share still exists, but remote users cannot see its name.
available          If set to Yes, the printer will be made available over the network. Setting to No will disable access to the printer.


The SWAT Status page is shown in Figure 30.6. This page gives a quick overview of the server's current conditions, including active connections, shares, and files. The administrator can use this screen to restart the server or disable any active connections.


Figure 30.6 Use the Status page to monitor active connections.

Each of the visible buttons effects a change on the server:

  • Auto Refresh— Sets the SWAT status page to auto-refresh based on the Refresh Interval field. This is useful for monitoring server activity.
  • Stop/Start/Restart smbd— Stops, starts, or restarts smbd—the Samba SMB file/print server. All active connections are terminated.
  • Stop/Start/Restart nmbd— Stops, starts, or restarts nmbd—the Samba NetBIOS name server. Does not affect active connections.
  • Kill— The Kill button appears to the right of every listed connection. Clicking the button immediately terminates the link.


View offers a glimpse at the configuration file behind SWAT's GUI. Sometimes it's easier to scan through a text file to locate a problem than to work with the Web interface. There are two modes in the View page. The Normal view shows the minimum configuration file needed to implement your settings. An example of this view is demonstrated in Figure 30.7.


Figure 30.7 The Normal view contains the bare configuration.

Switching to the Full View displays all the settings, including default options, for the Samba configuration. Each option is explicitly listed, regardless of its necessity.


The Password page is used to set up Samba passwords for existing Mac OS X users, or change remote user passwords if using domain-level security and a remote host for user authentication (Windows NT/2000 Server). The password page can be seen in Figure 30.8.


Figure 30.8 Set local and remote user passwords.

The Server Password portion of the screen configures local users and passwords. Be aware that these options do not affect the actual Mac OS X usernames and passwords, but must be based on a valid local username.

  • User Name— The Mac OS X username to add to the smbpasswd file.
  • New Password— The Samba password to set for that user.
  • Re-type New Password— The same as the New Password option; used to verify typing.
  • Change Password— Changes the password for the specified user.
  • Add New User— Adds the new username/password mapping to the smbpasswd file.
  • Delete User— Deletes the named user from smbpasswd. This does not affect the Mac OS X user.
  • Disable User— Disables a user's ability to access Samba. Again, Mac OS X does not alter its user account whatsoever.
  • Enable User— Enables a disabled user account.

If Samba is using domain-level security, another server (such as a Windows primary domain controller) is the source for all authentication information. To change a user's password on the remote server, use the Client/Server Password Management features of the Password screen:

  • User Name— The remote user to change.
  • Old Password— The user's existing password.
  • New Password— The new password to set on the remote server.
  • Re-type New Password— The same as the New Password option; used to verify typing.
  • Remote Machine— The remote server that contains the username/password mappings.

Click the Change Password button to send the password changes to the server.

Accessing a Share from Windows

Now let's go through the process of accessing a shared volume from a Windows computer. This example will use Windows 2000. By the time you read this, there will probably be five or six new versions of Windows available, so I apologize if the instructions don't match up entirely.

Creating a Sample Share

First, set up the server defaults. For my machine, POINTY, I've created a very bare global configuration. Rather than including a screenshot for the share, I'm including the configuration from the /usr/local/samba/lib/smb.conf file. Each resource has its own block in the config file. Within that block, the options we've covered are listed, along with their associated value. This is the global configuration block for my simple Samba server:

[global]
           workgroup = POISONTOOTH
           netbios name = POINTY
           server string = Poisontooth SAMBA Server
           encrypt passwords = Yes
           log file = /var/log/samba/log.%m
           max log size = 50
           preferred master = Yes
           dns proxy = No
           wins support = Yes

The workgroup, NetBIOS name, and server string are personalized for my server and local area network. I've also chosen to have the server act as a WINS server and register as the preferred master browser on the network. It's important to note that encrypted passwords are enabled; otherwise, new Windows clients (such as Windows 2000) wouldn't be able to connect.

Next, the file share. I've created a folder /filestorage/mp3s on my Mac OS X computer to hold my library of iTunes (Napster? never heard of it) MP3 files. My user account (jray) owns the folder and has read/write permission to it. This very simple share, named My MP3s, is defined as

[My MP3s]
           path = /filestorage/mp3s
           read only = No

As a final step, using the Password page within SWAT, I register the user jray with the password I use to log in to my Windows computer.

With only a few clicks of the mouse, I'll be happily listening to my iTunes music on a Windows computer.
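An added example, not from the book or the Samba project: a small Python audit that reads an smb.conf and reports the exposures the option tables above describe (no hosts allow or hosts deny restriction, guest-writable shares, password encryption left off). The [Scratch] share, the finding codes, and the assumed Samba 2.x defaults (encrypt passwords = No, guest ok = No, read only = Yes) are assumptions made for illustration.

```python
import re

# Constructed sample: the chapter's [global] and [My MP3s] blocks (abridged)
# plus a hypothetical guest-writable share that is NOT from the chapter.
SAMPLE_CONF = """\
[global]
    workgroup = POISONTOOTH
    netbios name = POINTY
    encrypt passwords = Yes
    wins support = Yes

[My MP3s]
    path = /filestorage/mp3s
    read only = No

; constructed share for illustration
[Scratch]
    path = /tmp/scratch
    public = yes
    writable = yes
"""

# smb.conf synonyms, mapped onto the parameter names used in the chapter's tables.
SYNONYMS = {"public": "guest ok", "allow hosts": "hosts allow",
            "deny hosts": "hosts deny", "print ok": "printable"}
# Inverted synonyms: "writable = yes" means "read only = no".
INVERTED = {"writable": "read only", "writeable": "read only", "write ok": "read only"}


def as_bool(value, default):
    """Interpret a Samba boolean; fall back to the default when unset or unknown."""
    v = (value or "").strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())      # case and spacing are not significant
        value = value.strip()
        if key in INVERTED:
            key, value = INVERTED[key], ("no" if as_bool(value, False) else "yes")
        current[SYNONYMS.get(key, key)] = value
    return sections


def audit(text):
    """Return a list of (section, finding_code) tuples, in file order."""
    sections = parse_smb_conf(text)
    glob = next((p for n, p in sections.items() if n.lower() == "global"), {})
    findings = []
    # Assumed Samba 2.x default: passwords are NOT encrypted unless asked for.
    if not as_bool(glob.get("encrypt passwords"), False):
        findings.append(("global", "cleartext-passwords"))
    for name, params in sections.items():
        if name.lower() == "global":
            continue
        effective = {**glob, **params}           # [global] values act as share defaults
        # "If left blank, all remote hosts can access the server."
        if not any(effective.get(k, "").strip() for k in ("hosts allow", "hosts deny")):
            findings.append((name, "open-hosts"))
        guest = as_bool(effective.get("guest ok"), False)
        writable = not as_bool(effective.get("read only"), True)
        printable = as_bool(effective.get("printable"), False)
        if guest and writable and not printable:  # spool shares are writable by design
            findings.append((name, "guest-writable"))
    return findings


if __name__ == "__main__":
    for section, issue in audit(SAMPLE_CONF):
        print(f"[{section}] {issue}")
```

Run against the chapter's sample configuration, the audit reports My MP3s as reachable from any host because neither the share nor [global] sets hosts allow.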

Mapping the Share in Windows

There are a number of different ways to mount a network drive under Windows. If your Windows computer is set up with the same workgroup name as the Samba server, you can simply double-click My Network Places, and then Computers Near Me. The Samba server should appear using the NetBIOS name you specified in the Global configuration.

Right-clicking My Network Places (or My Computer) and choosing Map Network Drive from the pop-up menu is the fastest mounting method. The screen shown in Figure 30.9 will be displayed.


Figure 30.9 Map the shared folder in one simple step.

Choose a drive letter to use for the mounted volume, and then enter the share path in the Folder field. The share path is entered as \\<NetBIOS name>\<share name>. For the sample share I've set up, the path is \\pointy\My MP3s\. Click Reconnect at logon to automatically mount the shared resource when you log in to the Windows computer.

The Mac OS X Folder, shared through Samba, is now accessible like any other network drive on Windows. Figure 30.10 shows the mounted drive.


Figure 30.10 Access your Mac OS X files from a Windows computer.

It's too bad that Windows doesn't play as nicely, isn't it?

Samba Command-Line Utilities

Samba comes with a few command-line utilities that you might find useful when interacting with your server. Personally, I've always found SWAT to be more than sufficient, but if you've become a guru of the terminal prompt, you might appreciate this information.


The smbstatus utility provides information about the active connections and users. This is equivalent to the Status page within the SWAT management tool. For example:

[primal:~] jray% /usr/local/samba/bin/smbstatus

Samba version 2.2.0
Service    uid    gid    pid     machine
Programs  jray jray  12746   brushedtooth ( Sat Jun 2 23:56:47 2001
My MP3s   jray jray  12746   brushedtooth ( Sat Jun 2 23:47:05 2001

No locked files

Share mode memory usage (bytes):
   1048464(99%) free + 56(0%) used + 56(0%) overhead = 1048576(100%) total

The available smbstatus options are shown in Table 30.5.

Table 30.5. smbstatus Options

Option             Purpose
-b                 Summary of connected users.
-d                 Detailed connection listing. This is the default mode.
-L                 Lists locked files only.
-p                 Lists the smbd process IDs and exits.
-S                 Lists connected shares only.
-s <config file>   Chooses the smb.conf file to use.
-u <username>      Displays only information relevant to a given username.


The smbpasswd command is used to alter user information in the /usr/local/samba/lib/smbpasswd file. This can be used to set up Samba user account passwords from the command line or shell scripts.

By default, the smbpasswd command will change the Samba password for the currently logged in Mac OS X user:

[primal:~] jray% /usr/local/samba/bin/smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user jray

As an administrative user, you can perform several additional functions with the command. The complete syntax for smbpasswd is smbpasswd <options> <username> <password>. Table 30.6 shows the available options.

Table 30.6. smbpasswd Options

Option             Purpose
-a                 Adds a new username to the local smbpasswd file.
-d                 Disables the named user.
-e                 Enables the named user.
-D <0-10>          Sets a debug level between 0 and 10 to control the verbosity of error reporting.
-n                 Sets a user's password to null.
-r <remote host>   Sets the remote host to send password changes.
-j <domain name>   Joins a domain.
-U <username>      The username to send to the remote host when using -r.
-h                 Displays a command summary.
-s                 Silent output. Accept all input from standard input. This is useful for scripting smbpasswd.
