Red Hat Linux 7 Unleashed

By William Ball

Configuring Samba

Samba has hundreds of configuration options. This chapter discusses those options most likely to be useful.

The [global] Section

The [global] section controls parameters for the entire SMB server. It also provides default values for the other sections:

[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

workgroup= specifies the workgroup. Try to keep it all uppercase, fewer than nine characters, and without spaces.

# server string is the equivalent of the NT Description field
   server string = Samba Server

server string= specifies a human-readable string used to identify the server in the client's user interface. server string= goes in the [global] section. Note the similarity to the comment= option, which identifies individual shares in the client's user interface.

;   hosts allow = 192.168.1. 192.168.2. 127.

If uncommented, the hosts allow= line restricts Samba access to certain subnets: a handy security measure. Multiple subnets are separated by spaces. Class C subnets have three numbers and three dots, class B two numbers and two dots, and class A one number and one dot.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

The preceding enables printing without fuss, and is uncommented by default.

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

It should not be necessary to uncomment the preceding code on a Red Hat Linux server.

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

The preceding, if uncommented, defines a guest account for clients logged in as a user not known to the Samba server.

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

Uncomment these to help troubleshoot connection problems with Windows clients. Set them to the length of the longest likely password and username, respectively. As you learned earlier in the chapter, they control case-insensitive matching. For instance, a value of 8 means the first eight characters of the password will be compared without case sensitivity to the entered password. If the problem goes away, there may be a problem with case sensitivity. Once problems have been corrected, it's best to re-comment these two lines because case-insensitive authentication is slow.

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

Passwords are encrypted by default for Windows 95 OSR2 and beyond, but are clear text for earlier versions. To allow Windows-encrypted passwords to work with Samba, the encrypt passwords=yes line must be uncommented, and SMB-encrypted passwords must be added on the server with the smbpasswd -a command. Here is an example:


   # smbpasswd -a valerie

The preceding command adds SMB user valerie (who should already have a Linux user ID) to the smb-encrypted password file, and allows you to give Valerie a password.

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

The preceding deals with giving users individual login scripts and making Samba a domain server for Windows 9x clients. Windows NT and 2000 clients can also log in to Samba servers if the Samba server is set up as a PDC (Primary Domain Controller). Note, however, that the version of Samba included with Red Hat 7 cannot be effectively set up as a PDC, so a different version would need to be downloaded. Samba Unleashed offers the complete procedures to set up a Samba server as a PDC.

The [homes] Section

The [homes] section allows network clients to connect to a user's home directory on your server without having an explicit entry in the smb.conf file. When a service request is made, the Samba server searches the smb.conf file for the specific section corresponding to the service request. If the service is not found, Samba checks whether there is a [homes] section. If the [homes] section exists, the password file is searched to find the home directory for the user making the request. Once this directory is found, the system shares it with the network:

[homes]
   browseable = no
   writable = yes

The preceding is the simplest usable [homes] share. The browseable=no entry instructs the SMB client not to list the share in a browser (such as Windows Explorer). However, [homes] is a special case. The user share it represents will be visible in the client browse list even if [homes] contains browseable=no. If [homes] were to contain browseable=yes, a share called homes would actually appear in the client browse list. The writable=yes entry enables the user to write to the directory, which is typically the desired situation in home directories.

In general, Samba has excellent defaults, making the preceding [homes] configuration practical. The following [homes] share contains additional parameters:

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   path = %H/smbtree
   create mode = 0750

The comment entry is a human-readable share identification string to be displayed by the client user interface. Note that comment= is similar to server string=, but the latter is only valid in the [global] section. The read only= parameter is an inverse synonym of writable=, and was explained previously. Also explained previously was the browseable= parameter.

Note the path= entry. Because Samba is primarily a file server, it's probably undesirable to have the user access config files in his home directory (.bash_profile, for instance). %H is a macro indicating the user's home directory, while smbtree is a directory under the user's home directory. To implement this as a policy, the system administrator must, of course, create a script to create the subdirectory upon addition of each new user. The directory can also be created by a root preexec=script parameter, which is explained in the smb.conf man page.

The final entry sets the file permissions for any files created on the shared directory.

The [printers] Section

There are two ways Samba can make printers available. One is to create a specific share section with a print ok=yes line, a specific printcap printer specified by a printer name= line, and possibly a list of valid users. The other way is to let the [printers] section do most of the work, and list all printcap-defined printers to the client.

The following two lines are sufficient to allow use of all printcap-defined printers on SMB clients:

[printers]
path = /var/spool/samba

The simplest case of a dedicated print share follows:

[vals_lp]
print ok = yes
printer name = lp_mine
path = /home/everyone

In the dedicated print share, print ok=yes (or the printable=yes synonym) is necessary. It's also necessary to name the printer with the printer name= line. The intent of [printers] is accessibility to all users with valid IDs. The intent of a special printer is typically to restrict access to a user or group, implying that it would be a good idea to add a valid users= line to the dedicated printer share. Beyond that, the [printers] section and dedicated print shares function pretty much the same.

The [printers] section defines how printing services are controlled if no specific entries are found in the smb.conf file. As with the [homes] section, if no specific entry is found for a printing service, Samba uses the [printers] section (if it's present) to allow a user to connect to any printer defined in /etc/printcap:

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   printable = yes
# Set public = yes to allow user 'guest account' to print
   public = no
   writable = no
   create mode = 0700

The comment, browseable, and create mode entries mean the same as those discussed earlier in the [homes] section. Note that browseable=no applies to the [printers] section, not to the printcap printers, which are listed in the SMB client's front end as a consequence of the [printers] section. If browseable= were yes, a share called printers would be listed on the client. That's clearly not what's needed.

The path entry indicates the location of the spool directory to be used when servicing a print request via SMB. Print files are stored there prior to transfer to the printcap-defined printer's spool directory.

The printable value, if yes, indicates that this printer resource can be used to print. It must be set to yes in any printer share, including [printers]. The public entry controls whether the guest account can print. The writable=no entry assures that the only things written to the spool directory are spool files handled by printing functions.

The create mode=0700 specifies that all files are created with all rights for the user, and not for anyone else. This prevents different print jobs having the same filename from inadvertently overwriting each other.

Samba Printer Troubleshooting Tips

Samba printer shares (including [printers]) usually work the first time. When they don't, it's important to remember a printer share won't work without a working Samba [global] section and a working printcap printer, and Samba won't work without a working network.

Therefore, before troubleshooting any printer share including [printers], make sure the client and server machines can ping each other's IP address. If not, troubleshoot the network.

Next, make sure you can see the [global] defined workgroup in the client listing (Network Neighborhood or smbclient -NL Ipaddress). If not, troubleshoot Samba as a whole before working on the printer. Use testparm (discussed later in this chapter) to verify that smb.conf is internally consistent.

Next, make sure the printcap printer works properly. The printcap name can be deduced from the share's printer name= option. If there's no printer name= in the share, it can be deduced from the client request. Perform the following:


   # lpr -P printcap_printer_name /etc/fstab

This should print /etc/fstab to the physical printer defined as printcap_printer_name in /etc/printcap. /etc/fstab is an ideal test file because it's short and exists on all Red Hat Linux machines. Once the machines can ping each other, the client can see the workgroup defined in the [global] section, and you can print to the printcap printer, you're ready to troubleshoot the Samba printer share.

Many Samba printer problems occur because the default printer command doesn't work. This is especially true if the printcap printer is a network printer instead of a local printer. First try putting the following line in the printer share:


   print command = lpr -P %p %s; rm %s

The command will print the file %s (the spool file passed from the client) to printer %p (the printer name passed from the client). You'll notice this is the same command done in the printcap printer test described previously, so it should work.

If it still doesn't work, verify that the path= entry points to a directory to which the user has read and write access. Make sure that any printer name= entry points to a working printer defined in /etc/printcap. Make sure the entry has a printable=yes or print ok=yes entry; otherwise, it's not a Samba printer share. If the printer share has a valid users= entry, make sure the user in question is one of those users.

If it still isn't working, it's time to install your own test point. Temporarily create directory /home/freeall with mode 777 (all can read, write, and execute), comment out any print command= line in smb.conf, and add the following line:


   print command = cp %s /home/freeall/%p.tst;rm %s

This copies the file to be printed to a file in /home/freeall with the same filename as the printcap printer with the extension .tst. This gives several pieces of information. First, the filename tells you what printer it's trying to print to. You can check /etc/printcap or printtool for the existence of that printer. You can print that file and see if it comes out properly.

If the file does not exist, you know something's wrong on the client side of the print command. Be sure to check the queue on the client to see if it's getting stuck. Sometimes a single failure on the server can jam the client queue. Also be sure that all users can read, write, and execute directory /home/freeall; the print will otherwise bomb on permissions. Once the problem is resolved, be sure, for security reasons, to remove the /home/freeall test directory you created.

Another handy troubleshooting tool is checking the Samba logs. They usually contain useful error messages. If the log file is not defined in the [global] section of smb.conf, look in the /var/log/samba directory.

Beyond these tips, remember that troubleshooting is simply a matter of keeping a cool head and narrowing the scope of the problem.
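Once troubleshooting is finished, a quick review of smb.conf confirms that the access controls discussed in this chapter are in place and that the temporary test point is gone. The following is an added example, not part of the original chapter or of Samba itself: the function names, the sample file, and the choice of checks are assumptions made for illustration.

```python
YES = ("yes", "true", "1")

# Constructed sample smb.conf, modelled on the snippets in this chapter.
SAMPLE = """\
[global]
   workgroup = MYGROUP
;   hosts allow = 192.168.1. 192.168.2. 127.
;  encrypt passwords = yes

[printers]
   path = /var/spool/samba
   printable = yes
   public = yes
   print command = cp %s /home/freeall/%p.tst;rm %s
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; '#' and ';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in option names.
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Flag the security-relevant settings this chapter touches on."""
    findings = []
    glob = conf.get("global", {})
    if "hostsallow" not in glob:
        findings.append("[global] no hosts allow= line: access is not restricted by subnet")
    if glob.get("encryptpasswords", "no").lower() not in YES:
        findings.append("[global] encrypt passwords= is not set to yes")
    for name, opts in conf.items():
        if opts.get("public", opts.get("guestok", "no")).lower() in YES:
            findings.append(f"[{name}] guest account may use this share")
        if "/home/freeall" in opts.get("printcommand", ""):
            findings.append(f"[{name}] test print command still in place")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_smb_conf(SAMPLE))))
```

This does not replace testparm, which validates the syntax of smb.conf; it only reports the settings listed in audit().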
