A Linux User Reference

NETWORK APPLICATIONS

Samba

  • Samba server

    Samba can run as a WINS Server or a WINS Client, but NOT both.

    There are several server types:

    Samba Server Types
      Domain Controller
        Primary Domain Controller (PDC)
        Backup Domain Controller (BDC)
        ADS Domain Controller
      Domain Member Server
        Active Directory Domain Member Server
        NT4 Style Domain Member Server
      Standalone Server

    Samba protocol   Description
    SMB              Server Message Block - the file and print sharing protocol itself (later also called CIFS)
    WINS             Windows Internet Name Service (maps Windows system names to IP addresses)

    Samba daemon       Description
    /usr/sbin/nmbd     Handles WINS (Windows Internet Name Service, maps Windows system names to IP
                       addresses) and acts as the NetBIOS name server. Handles all the UDP based
                       protocols (NetBIOS name service on 137/udp, datagram service on 138/udp).
    /usr/sbin/smbd     Handles all connection requests, print and file sharing. Started straight after
                       nmbd. Spawns a new process for each client connection made. Well-known port for
                       SMB over TCP is 139 (NetBIOS session service); Samba 3 also listens on 445/tcp
                       (SMB directly over TCP), the port modern clients try first.
    /usr/sbin/winbindd Should be started when Samba is a member of a Windows NT4 or ADS domain. One or
                       two daemons, two if running in split mode.

    Samba can function as a server in a Windows WORKGROUP as well as Primary Domain Controller.

    When Samba is running as a WINS server there will be two 'nmbd' processes, one of them dedicated to handling the WINS requests. When it is not, a single instance of 'nmbd' runs on your system.

    Key Samba files:

    File                  Description
    /etc/samba/smb.conf   Samba default configuration file
    /usr/bin/smbpasswd    Create or modify a Samba (Windows) user's password entry
    /usr/bin/testparm     Checks syntax of smb.conf
    /usr/bin/smbstatus    Lists connection information and open files
    /usr/bin/smbmount     Mounts a windows share on linux (obsolete smbfs client; current systems use mount -t cifs)
    /etc/lmhosts          Maps NetBIOS names to IP addresses
  • SMB/CIFS server daemon
    /usr/sbin/smbd

    Server to provide SMB/CIFS services to clients.

    smbd [options] 
         [-d debuglevel] [-l logfile] 
         [-p port] [-O socket options]
         [-s conffile] [-i scope]
    
    Options:
     -D             Operate as a daemon, runs in the background, fielding requests on
                    the appropriate port.  Default: server will NOT run as a daemon.
     -a             New connection log messages appended to log file. The default.
     -o             Overwrite log files when opened. Default is '-a' append.
     -P             Passive option. Causes smbd not to send any network traffic out.
     -h             Prints the help information (usage) for smbd.
     -V             Prints the version number for smbd.
     -i scope       NetBIOS scope the server uses when generating NetBIOS names,
                    rarely used. (This is the Samba 2.x meaning; in Samba 3 '-i'
                    means run interactively in the foreground, logging to stdout,
                    and the scope is set with the 'netbios scope' smb.conf parameter.)
    

    Start, Stop

    # /etc/init.d/smb [start | stop | restart | status | condrestart]
                                   (or)
    # /usr/sbin/smbd -D            (Typically run as a stand alone daemon)
    # /usr/sbin/nmbd -D            (Typically run as a stand alone daemon)
    
  • Persistent TDB files

    TDB files located in /var/lib/samba/. Not all are listed here; those that are should be backed up regularly. passdb.tdb and secrets.tdb hold password hashes and machine secrets, so keep them (and their backups) readable by root only.

    File name              Description
    group_mapping.tdb      Mapping table for Windows groups/SID to UNIX groups
    ntdrivers.tdb          Stores per-printer installed driver information
    ntforms.tdb            Stores per-printer installed forms information
    ntprinters.tdb         Stores per-printer devmode configuration settings
    private/passdb.tdb     Exists only when the tdbsam passdb backend is used, stores the Samba SAM account information
    private/secrets.tdb    Stores the Workgroup/Domain/Machine SID and the LDAP directory update password. Contains very sensitive information
    registry.tdb           Read-only db of a Windows registry skeleton that provides support for exporting various db tables via the Winreg RPC
    share_info.tdb         Stores per-share ACL information
    winbindd_idmap.tdb     Winbindd's local IDMAP database (the winbindd_privileged/ directory is winbindd's privileged pipe, not a database)

    Storage for confidential tdb files

    # smbd -b | grep PRIVATE_DIR
       PRIVATE_DIR: /var/lib/samba/private
    

    Storage for smb.conf

    # smbd -b | grep smb.conf
       CONFIGFILE: /etc/samba/smb.conf
    

    Storage for remaining control files

    # smbd -b | grep LOCKDIR
     LOCKDIR: /var/lib/samba
    

    Storage for Windows users' password hashes when the smbpasswd backend is in use (with 'passdb backend = tdbsam' they live in private/passdb.tdb instead)

    # smbd -b | grep PASSWD
      SMB_PASSWD_FILE: /var/lib/samba/private/smbpasswd
    
  • Some samba commands

    All commands are in /usr/bin/ and begin with smb.

    smbcacls            Manipulates NT Access Control Lists on SMB file shares
    smbclient           ftp-like client to access SMB/CIFS resources
    smbcontrol          Sends control messages to running smbd or nmbd daemons
    smbcquotas          Manipulates NT Quotas on SMB file shares
    smbget              Download files from SMB servers
    smbpasswd           Change user's encrypted smb password stored in the smbpasswd file
    smbprint            Print files to a specified smb-based server and service
    smbspool            Sends a print file to an SMB printer
    smbstatus           List current Samba connections
    smbtar              Back up SMB shares to UNIX tape drive. (script)
    smbtree             A smb text mode browser
    
  • Minimal server configuration
    /etc/samba/smb.conf

    The three smb.conf entries below are enough to get a basic share going. This is the minimum configuration required to use Samba. Note that smb.conf only treats lines beginning with '#' or ';' as comments; a trailing comment on a value line becomes part of the value, so comments must go on their own line. Sharing /tmp, as here, exports a world-writable system directory and is for a first test only.

    A minimal configuration example - /etc/samba/smb.conf

    [global]
    workgroup = wrkgrp
    # May wish to obfuscate this info.
    server string = samba 3.0.28-0.fc7
    
    [share1]
    path = /tmp
    
  • A Samba server example

    Scenario

    • The server will only allow access from hosts on the internal network and members of MARYWRKG workgroup.
    • Windows user mary does not have an account on the linux Samba server.
    • Mary will be able to use mark's linux account, access /share directory and use printing (CUPS).

    Set up Windows computer name to IP mapping - /etc/samba/lmhosts

    # Maps windows computer name to its IP
    127.0.0.1    localhost
    192.168.0.4  mary
    

    Map Windows user accounts to linux accounts - /etc/samba/smbusers (the 'root = administrator admin' line is the distribution default; drop it if root must not be reachable over SMB)

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest
    # Windows user mary maps to linux user mark; mary therefore logs on with mark's Samba password
    mark = mary
    

    Configure shares, printing and the Samba server - /etc/samba/smb.conf

    smb.conf only treats lines beginning with '#' or ';' as comments; a trailing comment becomes part of the value (for example 'passdb backend = tdbsam # ...' would try to load a backend named '#'), so the annotations here are kept on their own lines.

    [global]
    # Network Related Options
      netbios name = MYSERVER
    # Which interfaces to listen on.
      interfaces = lo eth0
    # Who can/cannot access; can also be set per share.
      hosts allow = 127. 192.168.0.
    
    # Filesystem Options
    # Workgroup = NT-Domain-Name or Workgroup-Name. Needs to be enabled for a win client
    # to browse its local network, using this server for NetBIOS.
      workgroup = MARYWRKG
    # Server string is the equivalent of the NT Description field.
      server string = f86local:samba3
    # Mapping of linux user names to windows users - the windows user does not have an
    # account of the same name on the linux box.
      username map = /etc/samba/smbusers
    # Standalone Server Options
      os level = 1
      preferred master = Yes
    # Security can be set to user (share or server are deprecated).
      security = user
    # Either tdbsam or ldapsam; smbpasswd only for backwards compatibility.
    # tdbsam requires no further configuration.
      passdb backend = tdbsam
    # Logging Options
    # Where to put logs. %m => a log per system/client.
      log file = /var/log/samba/log.%m
    # Max 50KB per log file, then rotate.
      max log size = 50
    
    # Name Resolution. Can be a WINS Server, or a WINS Client, but NOT both.
    # Tells the NMBD component of Samba to enable its WINS Server.
      wins support = yes
    # Tells the NMBD component of Samba to be a WINS Client.
    ; wins server = w.x.y.z
    # Act as a proxy for non WINS capable clients; there must be a WINS server on the network.
    ; wins proxy = yes
    # Whether or not to try DNS to resolve NetBIOS names.
      dns proxy = no
    
    # Printing Options
    # Load the list of printers automatically instead of setting them up individually.
    ; load printers = yes
    # Comment out cups and uncomment this to use BSD printing.
    ; printing = BSD
    # Selects a non default printing system.
      printing = cups
    # Choose cups lib options; 'raw' allows drivers on windows clients to be used.
      cups options = raw
    
    # Allows users to access their (local) home directories from remote Samba clients
    # using either their login name or 'homes' as the service name.
    [homes]
      comment = Home Directories
      guest ok = no
      read only = no
      browseable = no
    ; writable = yes
    ; valid users = %S
    ; valid users = MYDOMAIN\%S
    
    [printers]
      comment = All Printers
    # For BSD printing. Can specify an alternative printcap file.
    ; printcap name = /etc/printcap
    # Command to use.
    ; print command = /usr/bin/lpr -r %s
      path = /var/spool/samba
      browseable = no
      public = yes
      guest ok = yes
      writable = no
      printable = yes
      printer admin = root
    
    [print$]
      comment = Printer Drivers
      path = /etc/samba/drivers
      browseable = yes
      guest ok = no
      read only = yes
      write list = root
    
    # A shared resource.
    [myshare]
      comment = samba share
      path = /share
      valid users = mark
      read only = no
    

    Test changes made to smb.conf

    # testparm /etc/samba/smb.conf
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[myshare]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    

    Run after changes to smb.conf.
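    testparm only checks syntax; it will happily load a config with 'security = share', a guest-writable share or no 'hosts allow'. The script below is an added example (not part of this page or of Samba) that reads an smb.conf the way Samba does (only lines starting with '#' or ';' are comments, keys are case-insensitive, 'public'/'guest ok' and 'writable'/'read only' are synonyms) and flags the weak settings discussed in this article. The file name is taken from $1; the constructed sample config embedded in write_demo_config is invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the page: a static check of an smb.conf for the
# weak settings this article warns about. Assumes the config file is given as
# $1. Each problem is printed as "FINDING: [section] message" and the function
# exits with the number of findings, so 0 means nothing was flagged.
audit_smb_conf() {
    awk '
    function trim(s)   { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function has(s, k) { return ((s, k) in conf) }
    function val(s, k) { return has(s, k) ? conf[s, k] : "" }
    function report(s, msg) { printf "FINDING: [%s] %s\n", s, msg; findings++ }

    # smb.conf only treats lines that BEGIN with # or ; as comments.
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {                                   # [section] header
        sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        order[++nsec] = sec; next
    }
    /=/ {                                           # key = value, keys are case-insensitive
        eq = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        conf[sec, key] = trim(substr($0, eq + 1))
    }
    END {
        if (tolower(val("global", "security")) == "share")
            report("global", "security = share: no per-user authentication (deprecated, removed in Samba 4)")
        if (truthy(val("global", "null passwords")))
            report("global", "null passwords = yes: accounts with an empty password can log on")
        if (!has("global", "hosts allow"))
            report("global", "no hosts allow: any address that reaches the port may connect")
        if (has("global", "encrypt passwords") && !truthy(val("global", "encrypt passwords")))
            report("global", "encrypt passwords = no: passwords cross the wire in clear text")
        for (i = 1; i <= nsec; i++) {
            s = order[i]
            if (s == "global") continue
            # "read only" defaults to yes; "writable"/"writeable" are its inverse synonyms
            writable = has(s, "read only") ? !truthy(val(s, "read only")) : 0
            if (has(s, "writable"))  writable = truthy(val(s, "writable"))
            if (has(s, "writeable")) writable = truthy(val(s, "writeable"))
            # "public" is a synonym for "guest ok"
            guest = has(s, "guest ok") ? truthy(val(s, "guest ok")) : 0
            if (has(s, "public")) guest = truthy(val(s, "public"))
            if (guest && writable && !truthy(val(s, "printable")))
                report(s, "guest ok together with write access")
            if (val(s, "path") == "/" || val(s, "path") ~ /^\/tmp(\/|$)/)
                report(s, "path " val(s, "path") " exports a system directory")
            # [homes] is implicitly limited to the connecting user, so skip it here
            if (writable && !guest && s != "homes" && !has(s, "valid users") && !has(s, "write list"))
                report(s, "writable but neither valid users nor write list restricts who may write")
        }
        exit findings + 0
    }' "$1"
}

# Constructed sample smb.conf containing the problems the audit looks for.
write_demo_config() {
    printf '%s\n' \
        '[global]' \
        '   workgroup = MARYWRKG' \
        '   security = share' \
        '   null passwords = yes' \
        '[share1]' \
        '   path = /tmp' \
        '[drop]' \
        '   path = /srv/drop' \
        '   guest ok = yes' \
        '   read only = no' \
        '[myshare]' \
        '   path = /share' \
        '   valid users = mark' \
        '   read only = no' > "$1"
}

if [ "$#" -gt 0 ]; then
    audit_smb_conf "$1"
else
    demo=$(mktemp)
    write_demo_config "$demo"
    audit_smb_conf "$demo" || echo "$? finding(s) in the constructed sample"
    rm -f "$demo"
fi
```

    Run it as 'sh audit.sh /etc/samba/smb.conf' after testparm; on the constructed sample it reports five findings (three in [global], the /tmp path in [share1], and the guest-writable [drop] share) while [myshare], which is writable but limited to 'valid users = mark', passes.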

  • Connect to server
    smbclient

    Possible error

    # smbclient -L `hostname`
    Error connecting to 192.168.0.2 (Connection refused)
    Connection to f64local failed (Error NT_STATUS_CONNECTION_REFUSED)
    

    'Connection refused' means nothing was listening on the address the host name resolved to, i.e. smbd is not running or is not bound to that interface. Here the fix was to enable 'interfaces = lo eth0' in '/etc/samba/smb.conf' and restart smbd.

    Connect to the server configured in the previous article. Note that the share list below is obtained over an anonymous (null session) login; 'restrict anonymous = 2' in [global] can block that enumeration.

    # smbclient -L `hostname`
    Password:
    Anonymous login successful
    Domain=[MARYWRKG] OS=[Unix] Server=[Samba 3.0.28-0.fc7]
            Sharename       Type      Comment
            ---------       ----      -------
            homes           Disk
            myshare         Disk      samba share
            IPC$            IPC       IPC Service (Samba 3.0.28-0.fc7)
            Stylus_C46      Printer   Epson Stylus C46 \
                                      Foomatic/gutenprint-ijs-simplified.5.0
    Anonymous login successful
    Domain=[MARYWRKG] OS=[Unix] Server=[Samba 3.0.28-0.fc7]
            Server               Comment
            ---------            -------
            F64LOCAL             Samba 3.0.28-0.fc7
            MARY                 MARY

            Workgroup            Master
            ---------            -------
            MARYWRKG             MARY
    
  • Determine server status
    /usr/bin/smbstatus

    Display server status information

    # smbstatus
    Samba version 3.0.28-0.fc7
    PID     Username      Group         Machine
    -------------------------------------------------------------------
     5627   mark          mark          mary         (192.168.0.4)
    Service      pid     machine       Connected at
    -------------------------------------------------------------------
    IPC$         5627   mary          Mon Dec 31 18:17:31 2007
    mark         5627   mary          Mon Dec 31 18:17:34 2007
    myshare      5627   mary          Mon Dec 31 18:17:31 2007
    No locked files
    
  • Resolve a NetBIOS name to an IP address
    /usr/bin/nmblookup

    Queries NetBIOS names, by broadcast or against a WINS server, and returns the IP address registered for a NetBIOS machine name.

    Get IP address of Windows client Mary

    # nmblookup mary
    querying mary on 127.255.255.255
    querying mary on 192.168.0.7
    192.168.0.4 mary
    
  • Connect to a SMB share from linux

    Requires 'smbd' to be running on smb_server.

    /usr/bin/smbclient

    smbclient //smb_server/a_service
    

    Where 'a_service' represents a share name [a_service] in 'smb.conf'.

    $ smbclient //`hostname`/mark
    Password:
    Domain=[MYSERVER] OS=[Unix] Server=[Samba 3.0.28-0.fc7]
    smb: \> ?
    ?                altname         archive        blocksize      cancel
    case_sensitive   cd              chmod          chown          close
    del              dir             du             exit           get
    getfacl          hardlink        help           history        lcd
    link             lock            lowercase      ls             mask
    md               mget            mkdir          more           mput
    newer            open            posix          posix_open     posix_mkdir
    posix_rmdir      posix_unlink    print          prompt         put
    pwd              q               queue          quit           rd
    recurse          reget           rename         reput          rm
    rmdir            showacls        setmode        stat           symlink
    tar              tarmode         translate      unlock         volume
    vuid             wdel            logon          listconnect    showconnect
    !
    smb: \>
    

    This demonstrates that samba is working locally.

  • Connecting from a Windows remote client

    Within a few minutes, the Samba host should be listed in the Network Neighbourhood on all Windows clients on its subnet.

    C:\> net use m: \\servername\service             (Mounts a share onto drive m: of a Windows/OS2 client)
    C:\> net use lpt1: \\servername\spoolservice     ('spoolservice' - name of the printer queue on the server)
    

    To see and work with files on the shared directory from a Linux desktop, a GNOME or KDE file manager accepts a URL of the form below (Windows Explorer uses the \\server\share UNC form instead)

    smb://mary@mary/SAMBA_SHARE
    
  • Mount an SMB share as a filesystem
    /usr/bin/smbmount (obsolete) or mount.cifs
    • smbmount is usually invoked as 'mount.smbfs' by the 'mount' command when using the '-t smbfs' option.
    • It only works on Linux and needs kernel smbfs support. smbfs has since been removed from the Linux kernel and from Samba; on current systems use the cifs filesystem (mount.cifs from cifs-utils) instead.
    smbmount {service} {mount-point} [-o options]
    mount -t cifs {service} {mount-point} [-o options]
    

    Mount a windows share on Linux (options are comma separated with no spaces)

    # smbmount //server/share /mnt/directory -o username=abcd,password=????
    # mount -t cifs //server/share /mnt/directory -o username=abcd,password=????

    A password given on the command line is visible in the process list and the shell history; prefer '-o credentials=/path/to/file', with the file readable only by root, for both commands.
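    The following is an added example (not from the page, and not part of Samba or cifs-utils) of mounting a share the way a practitioner would do it today: the password goes into a mount.cifs credentials file created with mode 0600, never into argv, and the function refuses to write into a file that is already readable by others or is a symlink. It assumes cifs-utils (mount.cifs) and CIFS kernel support; the server 'f64local', share 'myshare', mount point '/mnt/myshare', user 'mark' and the password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the page: mount a share without putting the
# password on the command line. Assumes cifs-utils (mount.cifs) and CIFS
# kernel support; server, share, mount point and the account are placeholders.

# Write a mount.cifs credentials file that only its owner can read.
# Usage: write_cifs_credentials FILE USER PASSWORD [DOMAIN]
write_cifs_credentials() {
    file=$1 user=$2 pass=$3 dom=${4:-}
    if [ -L "$file" ]; then
        echo "refusing: $file is a symlink" >&2; return 1
    fi
    ( umask 077; : >> "$file" )      # create it 0600 if it does not exist yet
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != 600 ]; then      # e.g. a pre-existing 0644 file: never write a password into it
        echo "refusing: $file is mode $mode, expected 0600" >&2; return 1
    fi
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$dom" ]; then printf 'domain=%s\n' "$dom"; fi
    } > "$file"
}

# Mount //SERVER/SHARE on MOUNTPOINT using the credentials file; the password
# never appears in argv, so it is not visible in ps or the shell history.
# Set DRY_RUN=1 to print the mount command instead of running it.
mount_cifs_share() {
    server=$1 share=$2 mountpoint=$3 cred=$4
    opts="credentials=$cred,uid=$(id -u),file_mode=0640,dir_mode=0750"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'mount -t cifs //%s/%s %s -o %s\n' "$server" "$share" "$mountpoint" "$opts"
        return 0
    fi
    mount -t cifs "//$server/$share" "$mountpoint" -o "$opts"
}

# Stand-alone demo with placeholder values (DRY_RUN so nothing is mounted).
if [ "$#" -eq 0 ]; then
    cred=$(mktemp)
    write_cifs_credentials "$cred" mark 'pa55word' MARYWRKG
    DRY_RUN=1 mount_cifs_share f64local myshare /mnt/myshare "$cred"
    rm -f "$cred"
fi
```

    For a persistent mount put the same 'credentials=' option in /etc/fstab and keep the file under /root or /etc with mode 0600; 'uid=' and the mode options make the mounted files usable by the local user without making the credentials file readable.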
    
  • Windows, Linux users' passwords
    • Linux and Windows store passwords as different, incompatible hashes (crypt(3) hashes in /etc/shadow versus the LM/NT hashes used by SMB authentication), so Samba cannot check an SMB logon against /etc/shadow.
    • Windows users accessing Linux resources/services that are authenticated by user password therefore need a separate Samba password (NT hash) stored on the Linux samba server.

    Location of windows users' passwords on the Linux samba server (smbpasswd backend; with 'passdb backend = tdbsam' they are in private/passdb.tdb)

    # smbd -b | grep PASSWD
      SMB_PASSWD_FILE: /var/lib/samba/private/smbpasswd
    
    • Usually a Windows client user has a home account (same name) on the Linux samba server.
    • If this is not the case, as in the earlier configuration example where Windows user mary maps to linux user mark, mark's account will need a Samba password for /home/mark to be accessible from the Windows client.
    • Whichever store is used holds password-equivalent hashes (an NT hash can be replayed without knowing the password), so it must stay readable by root only.

    Manage samba passwords - /usr/bin/smbpasswd

    smbpasswd [options] [user]
    
    Options:
     -a [user]                   Add user account (run by root), change password (run by user). If the username
                                 following already exists in the smbpasswd file it is treated like a regular
                                 change password command. Default passdb backends require the user to already
                                 exist in /etc/passwd, else the request to add the user will fail.
     -x [user]                   Delete a user (only available to root)
     -d [user]                   Disable user account (only available to root)
     -e [user]                   Enable user account (only available to root)
     -n [user]                   User password set to null. "NO PASSWORD" is written in the smbpasswd file.
                                 To allow users to logon with no password the following variable must be set in
                                 the [global] section of smb.conf 'null passwords = yes' (this lets in anyone who
                                 knows the user name; avoid it on a server reachable from an untrusted network).
     -r [remote NetBios name]    User (currently logged in) can change their password on a remote machine.
                                 Use -U [username] to change other than the logged in user passwd. If changing a
                                 Windows NT Domain password the remote machine specified must be the Primary
                                 Domain Controller for the domain. 
    

    Add a Samba user (or change the password of an existing one)

    # smbpasswd -a mark
    New SMB password:
    Retype new SMB password:
    Added user mark.
    

    Enable a users's account

    # smbpasswd -e mark
    Enabled user mark
    
  • Samba security

    SMB, also known as CIFS (Common Internet File System), has only two types (levels) of access control

    1. user-level - the client authenticates once, with a username and password, and is then given the access that user is allowed
    2. share-level - the client supplies a password for each share and no username

    and several security modes, selected with the 'security' parameter in smb.conf.

    A level describes what the client presents; a mode describes how and where Samba validates it. Share mode implements share-level security; user, domain, ADS and server modes all implement user-level security and differ only in where the account database lives.

    Security mode - Share

    A client authenticates itself for EACH share using a password - NO username is provided, so Samba has to figure out which account the password belongs to.

    Many clients send a session setup request that includes a username even if the server is in share-level mode, and Samba keeps a record of these usernames. Attempts are made to match any subsequent passwords to those of users already in the list or named in the share's 'username' parameter in smb.conf.

    If no list exists Samba tries the password against linux user accounts, found in the order given by /etc/nsswitch.conf, e.g.

    Account lookup order used by share mode - /etc/nsswitch.conf

    passwd:      files nis ldap
    shadow:      files nis ldap
    group:       files nis ldap
    

    In /etc/samba/smb.conf

    security = share
    
    Share mode is deprecated in Samba 3 and was removed in Samba 4.0; trying one password against many accounts also makes password guessing easier. Use 'security = user' with 'guest ok = yes' on the shares that must be open instead.
    
    Security mode - User

    Server accepts/rejects request based on username/password supplied in the client connection request and the name of the client machine.

    If accepted no further authentication required for subsequent service requests/mounts within the tree.

    Configure to use user mode - /etc/samba/smb.conf

    security = user
    
    Security mode - Domain

    Domain security provides a mechanism for storing all user and group accounts in a central, shared, account repository.

    Servers that act as domain controllers provide authentication and validation services to all machines that participate in the security context for the domain. A Samba server in domain mode must first be joined to the domain (it needs a machine account, created with 'net join'); it then passes each logon to a domain controller over NT4-style RPC and keeps the machine password in private/secrets.tdb.

    Configure to use domain mode - /etc/samba/smb.conf

    security = domain
    workgroup = <WORKGROUP>
    
    Security mode - ADS

    Both Samba-2.2 and Samba-3 can join an Active Directory domain using NT4-style RPC based security ('security = domain'). This is possible if the domain is run in native mode, because Active Directory in native mode still allows NT4-style domain members. Only Samba-3 with 'security = ADS' joins as a proper AD member and can accept Kerberos tickets; it needs a working Kerberos client configuration for the realm and a join performed with 'net ads join'.

    Configure to use ADS mode - /etc/samba/smb.conf

    realm = <your.kerberos.REALM>
    security = ADS
    
    Security mode - Server

    Server security mode is a left-over from the time when Samba was not capable of acting as a domain member server. It is highly recommended not to use this feature (it was removed in Samba 4.0).

    The parameter security = server means that Samba reports to clients that it is running in user mode but actually passes off every authentication request to another user-mode server, the one named in 'password server', which Samba has to trust completely.

    Configure to use server mode - /etc/samba/smb.conf

    encrypt passwords = yes
    security = server
    password server = <name of DC>
    
  • Some SELINUX notes

    To use the useradd/groupadd family of binaries

    # setsebool -P samba_domain_controller on
    

    To share home directories via samba run

    # setsebool -P samba_enable_home_dirs on
    

    To see which context a directory has

    # ls -ldZ /path
    

    Set the context label on share directories you created so SELinux allows smbd to read/write them

    # chcon -R -t samba_share_t /path/to/share
    

    A chcon label is lost on a filesystem relabel; to make it persistent add a rule for the path with 'semanage fcontext -a -t samba_share_t' and apply it with restorecon. Do NOT relabel system directories (they already carry their own type); for those use the booleans below instead.

    Set exported shares to read only

    # setsebool -P samba_export_all_ro on
    

    Set exported shares to read write

    # setsebool -P samba_export_all_rw on
    
  • Two common errors

    When smbd is started you may get one of the following.

    One possible error

    open_oplock_ipc: Failed to get local UDP socket for \
    address 100007f. Error was Cannot assign requested
    

    Cause: loopback device isn't working correctly.

    Another possible error

    The network name cannot be found
    

    Cause(s):

    • Non-existent path for the share in 'smb.conf'
    • The user you are trying to access the share with does not have sufficient permissions to access the path for the share. Both read (r) and access (x) should be set.
    • The share you are trying to access does not exist.
  • SWAT
    Web based Samba configuration tool

    A web based configuration tool which writes to /etc/samba/smb.conf.

    Configure the swat service to run - /etc/inetd.conf

    .....
    swat stream tcp nowait.400 root /usr/sbin/swat swat
    

    Ensure port 901 is in '/etc/services' (swat 901/tcp), then point a browser at http://localhost:901 or http://server_IP:901. SWAT runs as root and uses plain HTTP with basic authentication, so the root password crosses the network in clear text; only use it via localhost (or an SSH tunnel) and restrict it in inetd/xinetd or the firewall. SWAT was removed in Samba 4.1.