Red Hat Linux 7 Unleashed

Red Hat Linux 7 Unleashed

By William Ball

Getting a Simple Samba Setup Running

Samba can be very complex, so it's important to get the simplest possible implementation of Samba running before making major configuration changes.

CAUTION

I experienced a rare intermittent problem with Samba in which neither Linux nor Windows clients could connect to the server. The Linux clients reported the following error:

error connecting to 192.168.100.3:139 (Connection refused)
Connection to mydesk failed

After placing the following two lines in the [global] section of my smb.conf and restarting Samba, the symptom disappeared:

netbios name=mydesk
encrypt passwords=yes

Surprisingly, removing those lines and restarting Samba again did not resurrect the symptom, so with no current way to reproduce the symptom, no definitive diagnosis is possible.

If you experience a refused connection on port 139, start by verifying that the daemons are running using the following command:

$ ps ax | grep –i mbd

If the daemons are running, explicitly configure netbios name to the Samba server's hostname, and explicitly configure encrypted passwords to yes. If your clients can't use encryption, you can troubleshoot further, but getting Samba running is an important first step.

In addition, it's a good idea to check http://www.redhat.com for updates, errata, and bug fixes.

The main configuration file, smb.conf, is located in the /etc/samba directory of your Red Hat Samba server. It is used by the Samba server software (smbd) to determine directories and printers, and to determine security options for those directories and printers.

NOTE

Many changes to the smb.conf file will not be recognized until the Samba server is restarted. The command to restart the Samba server is


      $ /etc/rc.d/init.d/smb restart

The ; character at the beginning of an smb.conf line indicates that the line is a comment that is to be ignored when processed by the Samba server. The # character does the same thing. Customarily, the ; character is used to comment out option lines, whereas the # is used at the beginning of lines that are truly comments.

The smb.conf file layout consists of a series of named sections. Each section starts with its name in brackets, such as [global]. Within each section, the parameters are specified by key/value pairs, such as comment = Red Hat Samba Server.

smb.conf consists of three special sections and zero or more custom sections. The special sections are [global], [homes], and [printers]. Before I describe them in detail, let's look at getting a minimally running Samba.

CAUTION

Be sure to back up the original /etc/samba/smb.conf file before making your first modification.

First, make sure whatever username is used on the test client also exists on the Linux box. Add the user and password with the adduser and passwd commands.

NOTE

Samba works only on functioning networks. To prevent frustration, always make sure the client and server can ping each other's IP address before attempting any Samba configuration or testing. Also, attempt to ping the server's hostname from the client to determine what to expect from smbclient or smbmount commands using the hostname instead of the IP address.

Testing with a Linux Client

The default /etc/samba/smb.conf should be sufficient to run a simple Samba test with a Linux client. Run the following command:


   # smbclient '//192.168.100.1/homes'-U myuid

Note that this example uses 192.168.100.1 as the Samba server's IP address. Substitute the IP address of your Samba server. Any name resolving to that same IP address can be used in its place. The preceding example uses myuid for the username; please substitute whatever username the client is logged in under. homes represents the [homes] section of smb.conf.

You are asked for a password. Type the user's password. If the server password is different from the client password, use the server password. If all is well, you are greeted by the following prompt:

smb: \>

Type ls and press Enter. You'll get a directory listing that includes the file .bash_profile. You have proven that you have a simple Samba running.

If you get an error message that resembles the following one, it probably indicates that the smb daemon is not running on the server.

error connecting to 192.168.100.1:139 (Connection refused)

Run the daemon with this command on the Samba server:


   $ /etc/rc.d/init.d/smb restart

NOTE

For the rest of this chapter, the term "restart Samba" refers to running the preceding command, which restarts the Samba daemons.

You see a [FAILED] on smbd shutdown (it wasn't running in the first place); you'll see an [ OK ] on the subsequent smb start. Use linuxconf, choosing Control, Control Panel, Control Service Activity on the linuxconf menu to make sure the smb daemon is enabled on reboot.

Testing with a Windows Client

Samba is what makes a Linux computer show up in a Windows Network Neighborhood. What shows up in Network Neighborhood is the workgroup name attached to workgroup= in the [global] section of the Samba server's /etc/samba/smb.conf. Samba works best with workgroup names that are all capital letters, eight characters or fewer, and do not contain spaces.

Next, in the [global] section, temporarily uncomment password level and username level. Make password level equal to the longest likely password on this system, and username level equal to the longest likely username. These specify how many characters are non–case-sensitive, which is very important with non–case-sensitive SMB clients such as Windows.

NOTE

The changes to username and password levels are typically not required, and significantly slow authentication. The preceding suggestion is simply to temporarily eliminate any possible case sensitivity problems. Once the system is working perfectly, you'll want to re-comment the password and user levels.

Whenever there's a troubleshooting question involving case sensitivity for users and passwords, you can once again uncomment them and re-comment them upon resolution.

Now decide whether to use clear passwords or encrypted passwords and how to implement that decision. Early Windows SMB clients defaulted to clear text passwords. Beginning with Windows 95 OEM Service Release 2, Windows defaulted to encrypted passwords. All Windows 98 clients default to encrypted. Likewise, the default behavior changed from clear text to encrypted in Windows NT 4 Service Pack 3.

Encrypted passwords are not enabled in the Red Hat Linux 7 default smb.conf. For Windows versions 95-OSR2 and later, and Windows NT version 4 Service Pack 3, either each encrypted text client must be changed to clear-text passwords, or the server's smb.conf must be changed to enable encrypted passwords. In addition, any clear-text clients must be changed to encrypted passwords. A discussion of each technique follows.

NOTE

The documentation packaged with Red Hat 7 contains detailed discussions of plain versus encrypted passwords and their ramifications. See these documents:

/usr/share/doc/samba-2.0.7/docs/textdocs/Win95.txt

/usr/share/doc/samba-2.0.7/docs/textdocs/WinNT.txt

/usr/share/doc/samba-2.0.7/docs/textdocs/ENCRYPTION.txt

Windows NT users, please note that NT SMB clients present some additional challenges. Be sure to read these three documents carefully if you are having problems with Windows NT SMB clients.

For Windows 2000, be sure to see http://us1.samba.org/samba/ftp/docs/win2000_plainpassword.reg.

Enabling Encrypted Passwords on the Server

In the [global] section, uncomment encrypt passwords = yes. Assuming the client username is myuid, perform the following command:


   # smbpasswd -a myuid

NOTE

The preceding command fails unless the SMB password file, /etc/samba/ smbpasswd, exists. The easiest way to use the touch command is as follows:


      # touch /etc/samba/smbpasswd

Note that in other Linux distributions, or in Samba implementations compiled from source, the location of smbpasswd may be different.

Type in the password. If the password is not the same as it is on the client, the user will be prompted for the password the first time he accesses the Samba server.

You can even enable or disable password encryption on a client-by-client basis. To do so, you need to make a small include file for each client. The config file must contain the client's netbios name in the filename, and must contain an encrypt parameter in the file. For instance, if there are two clients, win98box and win95box, and win95box does not use encryption, here's the proper win95box.encrypt:

encrypt passwords=no

Likewise, win98box.encrypt looks like this:

encrypt passwords=yes

Finally, place the following statement in the [global] section of smb.conf:

include=%m.encrypt

The client's netbios name is substituted for %m. Restart Samba, and note that the win95box client doesn't use encryption, but the win98box client does.

Disabling Encrypted Passwords on the Windows Client

If your situation precludes enabling encrypted passwords on the server, they can also be disabled on the client to match the server.

CAUTION

This technique requires editing the Windows Registry, which involves significant risk, including risk of data loss and OS inoperability. If possible, it's preferable to handle this issue on the server, as explained previously.

On Windows 9x machines, in regedit, navigate to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]. If it contains an object called EnablePlainTextPassword, set that object's value to 1. If it does not contain that object, create that object as a DWORD and give it a value of 1. Exit regedit and reboot the Windows machine. For Windows NT and Windows 2000 machines, see NT4_PlainPassword.reg and Win2000_PlainPassword.reg, respectively, in the /usr/share/doc/samba-2.0.7/docs directory.

The Proof: Network Neighborhood

Restart Samba with this command:


   # /etc/rc.d/init.d/smb restart

Ideally, once you've completed configuration and rebooted, the server's workgroup (defined in [global], workgroup=) should simply appear inside the Entire Network folder of Network Neighborhood. Double-clicking the workgroup should produce an icon for the server, which, if double-clicked, produces an icon for the user directory described in the [homes] section. Files in that directory should appear when that directory's icon is double-clicked. Note that files beginning with a dot (such as .bash_profile) are considered hidden by Windows and can be viewed only if the folder's Windows Explorer view properties are set to see all files.

The preceding paragraph describes the ideal outcome. Often there are difficulties—even if you've set up everything exactly right. First, it can take Windows over a minute (sometimes several minutes) to find out that the server's Samba configuration has been changed and restarted. Sites with an NT PDC/Samba combo have been known to take upwards of an hour to recognize smb.conf Samba server changes. There are often password difficulties resulting from Windows being non–case sensitive and Linux being case sensitive. There may be problems with name resolution. Of course, there could be a basic network problem.

None of this presents a major obstacle. Take a few minutes' break to make sure Windows has gotten the word. You may want to reboot Windows. Make sure you have a network by confirming that the client and server can ping each other's IP address.

It's often helpful to use Start, Find, Computer to try to find the server's IP address. Note that the capability to find the server is not absolutely essential to complete Samba use; find is not equivalent to ping. Remember to refresh the various Network Neighborhood screens often (with F5).

It's often easier to access a Samba server from the Windows command line. Assuming server mainserv, workgroup MYGROUP, try the net view and net use commands:

N:\>net view \\mainserv
Shared resources at \\MAINSERV

Sharename    Type         Comment
------------------------------------------
slitt        Disk         Home Directories
The command was completed successfully.

N:\>

The preceding command browses the Samba server for shares, a sort of command-line equivalent to Network Neighborhood.

N:\>net use x: \\mainserv\homes
The command was completed successfully.

N:\>

The preceding command maps drive x: to the user's home share. This can be verified with a directory listing of x:.

N:\>net use x: /delete
The command was completed successfully.

N:\>

The preceding deletes the drive mapping, once again verified by a directory listing, which gives an "Invalid drive specification" error.

N:\>net view /workgroup:MYGROUP
Servers available in workgroup MYGROUP.
Server name            Remark
---------------------------------------
\\MAINSERV             Samba Server
\\MYDESK               Mydesk, Mandrake
The command was completed successfully

N:\>

The preceding browses the entire workgroup for servers. This is an important command because often it triggers a browser election. Browser elections are beyond the scope of this chapter, but if you can't see your Samba server in Network Neighborhood, issuing the preceding command can sometimes fix that problem by triggering a browser election.

If problems continue, temporarily set username level and password level to 128 (overkill) and make sure they're uncommented. Make sure your client and server agree on the use of encrypted or clear-text passwords, as described earlier this chapter. Restart Samba on the server:


   # /etc/rc.d/init.d/smb restart

In case of persistent problems, always remember you can use the smbclient utility on the server to deduce whether it's a problem on the Samba server or somewhere else (network or Windows). Remember to consider password encryption.

If problems continue, it's time to view the documentation in the /usr/share/doc/ samba-2.0.7/docs/ tree. It's important to have a simple Samba working before attempting serious configuration. Once a working Samba has been established, it's a good idea to back up /etc/samba/smb.conf (but be sure not to overwrite the backup of the original that came with Red Hat Linux 7).

Share ThisShare This

Informit Network