Samba-3.6.1

Introduction to Samba

The Samba package provides file and print services to SMB/CIFS clients and Windows networking to Linux clients. Samba can also be configured as a Windows NT 4.0 Domain Controller replacement (with caveats when working with NT PDCs and BDCs), a file/print server acting as a member of a Windows NT 4.0 or Active Directory domain, and a NetBIOS (RFC 1001/1002) nameserver (which, amongst other things, provides LAN browsing support).

This package is known to build and work properly using an LFS-7.0 platform.

Package Information

Samba Dependencies

Optional

popt-1.16, Linux-PAM-1.1.5, Cups-1.5.0, OpenLDAP-2.4.23, Gamin-0.1.10, acl-2.2.51, XFS-2.9.7, Heimdal-1.4 or MIT Kerberos V5-1.6, Python-2.7.2 (used only in parts of the test suite), tdb (version 1.2.1), libcap2-2.22, libunwind, avahi-0.6.25, OpenAFS, and Valgrind (optionally used by the test suite)

You will need to install one of the Kerberos packages if you plan on using your system to join a Windows NT domain.

Optional for Samba4 Support

GnuTLS-3.0.7 (recommended), Python-2.7.2, and SQLite-3.7.8

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/samba3

Installation of Samba

Note

If you wish to run the test suite after the binaries are built, you must add the --enable-socket-wrapper parameter to the configure script below. You may want to run configure with the --help parameter first. There may be other parameters needed to take advantage of optional dependencies.

Install Samba by running the following commands:

cd source3 &&

./configure                            \
    --prefix=/usr                      \
    --sysconfdir=/etc                  \
    --localstatedir=/var               \
    --with-piddir=/run                 \
    --with-pammodulesdir=/lib/security \
    --with-fhs                         \
    --enable-nss-wrapper               \
    --enable-socket-wrapper            &&
make

To test the results, issue: make test. If you have Linux-PAM installed and built the PAM library modules, you can perform a dlopen test by issuing: make test_pam_modules.

Now, as the root user:

make install &&

install -v -m755 ../nsswitch/libnss_win{s,bind}.so /lib   &&
ln -v -sf libnss_winbind.so /lib/libnss_winbind.so.2      &&
ln -v -sf libnss_wins.so    /lib/libnss_wins.so.2         &&

install -v -m644 ../examples/smb.conf.default /etc/samba  &&

if [ -d /etc/openldap/schema ]; then
    install -v -m644    ../examples/LDAP/README              \
                        /etc/openldap/schema/README.LDAP     &&
    install -v -m644    ../examples/LDAP/samba*              \
                        /etc/openldap/schema                 &&
    install -v -m755    ../examples/LDAP/{convert*,get*,ol*} \
                        /etc/openldap/schema
fi &&

install -v -m755 -d /usr/share/doc/samba-3.6.1 &&
install -v -m644    ../docs/*.pdf \
                    /usr/share/doc/samba-3.6.1 &&
ln -v -s ../../samba/swat  /usr/share/doc/samba-3.6.1

Command Explanations

--enable-merged-build: Use this parameter to build the (alpha) Samba4 components (GnuTLS is recommended).

--sysconfdir=/etc: Sets the configuration file directory to avoid the default of /usr/etc.

--localstatedir=/var: Sets the variable data directory to avoid the default of /usr/var.

--with-fhs: Assigns all other file paths in a manner compliant with the Filesystem Hierarchy Standard (FHS).

--enable-nss-wrapper: Builds the nss-wrapper library.

--enable-socket-wrapper: This option is required to run the test suite.

install -v -m755 ../nsswitch/libnss_win{s,bind}.so /lib: The NSS libraries are not installed by default. If you intend to use winbindd for Windows NT domain authentication and/or WINS name resolution, you need these libraries.

ln -v -sf libnss_winbind.so /lib/libnss_winbind.so.2 and ln -v -sf libnss_wins.so /lib/libnss_wins.so.2: These symlinks are required by Glibc to use the NSS libraries.

if [ -d /etc/openldap/schema ]; then ...; fi: These commands are used to see if you have an OpenLDAP installation, and if so, they copy sample Samba schemas to the OpenLDAP schema directory.

install -v -m644 ../examples/smb.conf.default /etc/samba: This copies a default smb.conf file into /etc/samba. This sample configuration will not work until you copy it to /etc/samba/smb.conf and make the appropriate changes for your installation. See the configuration section for minimum values which must be set.

Configuring Samba

Config Files

/etc/samba/smb.conf

Printing to SMB Clients

If you use CUPS for print services, and you wish to print to a printer attached to an SMB client, you need to create an SMB backend device. To create the device, issue the following command as the root user:

ln -v -sf /usr/bin/smbspool /usr/lib/cups/backend/smb

Configuration Information

Due to the complexity of Samba and its many uses, complete configuration for all the package's capabilities is well beyond the scope of the BLFS book. This section provides instructions to configure the /etc/samba/smb.conf file for two common scenarios. The complete contents of /etc/samba/smb.conf will depend on the purpose of the Samba installation.

Note

You may find it easier to copy the configuration parameters shown below into an empty /etc/samba/smb.conf file instead of copying and editing the default file as mentioned in the “Command Explanations” section. How you create/edit the /etc/samba/smb.conf file will be left up to you. Do ensure the file is only writeable by the root user (mode 644).

Scenario 1: Minimal Standalone Client-Only Installation

Choose this variant if you only want to transfer files using smbclient, mount Windows shares and print to Windows printers, and don't want to share your files and printers to Windows machines.

A /etc/samba/smb.conf file with the following three parameters is sufficient:

[global]
    workgroup = MYGROUP
    dos charset = cp850
    unix charset = ISO-8859-1

The values in this example specify that the computer belongs to a Windows workgroup named “MYGROUP”, uses the “cp850” character set on the wire when talking to MS-DOS and MS Windows 9x, and that the filenames are stored in the “ISO-8859-1” encoding on the disk. Adjust these values appropriately for your installation. The “unix charset” value must be the same as the output of locale charmap when executed with the LANG variable set to your preferred locale, otherwise the ls command may not display correct filenames of downloaded files.

There is no need to run any Samba servers in this scenario, thus you don't need to install the provided bootscripts.

Scenario 2: Standalone File/Print Server

Choose this variant if you want to share your files and printers to Windows machines in your workgroup in addition to the capabilities described in Scenario 1.

In this case, the /etc/samba/smb.conf.default file may be a good template to start from. Also add “dos charset” and “unix charset” parameters to the “[global]” section as described in Scenario 1 in order to prevent filename corruption.

The following configuration file creates a separate share for each user's home directory and also makes all printers available to Windows machines:

[global]
    workgroup = MYGROUP
    dos charset = cp850
    unix charset = ISO-8859-1

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    printable = yes

Other parameters you may wish to customize in the “[global]” section include:

    server string =
    security =
    hosts allow =
    load printers =
    log file =
    max log size =
    socket options =
    local master =

Reference the comments in the /etc/samba/smb.conf.default file for information regarding these parameters.

Since the smbd and nmbd daemons are needed in this case, install the samba bootscript. Be sure to run smbpasswd (with the -a option to add users) to enable and set passwords for all accounts that need Samba access, or use the SWAT web interface (see below) to do the same. Using the default Samba passdb backend, any user you attempt to add will also be required to exist in the /etc/passwd file.
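A check to run after editing /etc/samba/smb.conf, given here as an added example that is not part of the BLFS book: it tests the file mode the Note above asks for and reports shares that admit guests. The function name smbconf_audit and the sample file are constructed for illustration; file ownership is not checked.

```shell
#!/bin/sh
# Added example, not part of the BLFS book: audit an smb.conf for the
# mode the Note asks for (no group/other write) and for guest shares.
# WARN lines make smbconf_audit return 1; INFO lines are advisory.
smbconf_audit() {
    out=$(
        case $(ls -ld "$1" | cut -c1-10) in
            (?????w????|????????w?) echo "WARN mode: writable by group or other" ;;
        esac
        awk '
            /^[ \t]*[#;]/ { next }                     # comment lines
            /^[ \t]*\[/ {                              # [section] header
                sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec); next
            }
            (i = index($0, "=")) {
                k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
                v = tolower(substr($0, i + 1));    gsub(/^[ \t]+|[ \t]+$/, "", v)
                # "public" is a synonym of "guest ok"
                if ((k == "guestok" || k == "public") && v ~ /^(yes|true|1)$/)
                    print "WARN [" sec "]: guest access enabled"
                if (sec == "global" && (k == "hostsallow" || k == "allowhosts") && v != "")
                    restricted = 1
            }
            END { if (!restricted) print "INFO [global]: no hosts allow, all source addresses accepted" }
        ' "$1"
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    case $out in *WARN*) return 1 ;; esac
    return 0
}

# Constructed sample: a cut-down Scenario 2 file with guests let into [printers].
conf=$(mktemp)
cat > "$conf" << "EOF"
[global]
    workgroup = MYGROUP
[printers]
    path = /var/spool/samba
    guest ok = yes
    printable = yes
EOF
chmod 664 "$conf"
smbconf_audit "${1:-$conf}" || echo "audit failed"
rm -f "$conf"
```

Pass a path as the first argument to audit a real file instead of the constructed sample.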

Advanced Requirements

More complex scenarios involving domain control or membership are possible if the right flags are passed to the ./configure script when the package is built. Such setups are advanced topics and cannot be adequately covered in BLFS. Many complete books have been written on these topics alone. It should be noted, however, that a Samba BDC cannot be used as a fallback for a Windows PDC, and conversely, a Windows BDC cannot be used as a fallback for a Samba PDC. Also in some domain membership scenarios, the winbindd daemon and the corresponding bootscript are needed.

There is quite a bit of documentation available which covers many of these advanced configurations. Point your web browser to the links below to view some of the documentation included with the Samba package:

Boot Script

For your convenience, boot scripts have been provided for Samba. There are two included in the blfs-bootscripts-20111226 package. The first, samba, will start the smbd and nmbd daemons needed to provide SMB/CIFS services. The second script, winbind, starts the winbindd daemon, used for providing Windows domain services to Linux clients.

The default Samba installation uses the nobody user for guest access to the server. This can be overridden by setting the guest account = parameter in the /etc/samba/smb.conf file. If you utilize the guest account = parameter, ensure this user exists in the /etc/passwd file. To use the default user, issue the following commands as the root user:

groupadd -g 99 nogroup &&
useradd -c "Unprivileged Nobody" -d /dev/null -g nogroup \
    -s /bin/false -u 99 nobody

Install the samba script with the following command issued as the root user:

make install-samba

If you also need the winbind script:

make install-winbind

Configuring SWAT

The SWAT (Samba Web Administration Tool) utility can be used for configuration of the Samba installation.

Setting up SWAT using inetd

Warning

BLFS does not recommend using these procedures because of the security risk involved. However, for a home network environment where disclosure of the root password is an acceptable risk, the following instructions are provided for your convenience.

First you must add an entry to /etc/services and modify the inetd configuration. Add this entry with the following command issued as the root user:

echo "swat            905/tcp" >> /etc/services

Now add this entry to the /etc/inetd.conf file, again as the root user:

echo "swat stream tcp nowait.5 root /usr/sbin/swat swat" >> /etc/inetd.conf

Issue a killall -HUP inetd to reread the changed inetd.conf file.

SWAT can be launched by pointing your web browser to http://localhost:905.

Setting up SWAT using xinetd

If not already done, add an entry to /etc/services file as the root user:

echo "swat            905/tcp" >> /etc/services

Create the Samba xinetd-2.3.14 file as /etc/xinetd.d/swat.

Warning

You may modify or remove the “only_from” line below to include other host(s). BLFS does not recommend doing this because of the security risk involved. However, in a home network environment, disclosure of the root password may be an acceptable risk.

cat >> /etc/xinetd.d/swat << "EOF"
# Begin /etc/xinetd.d/swat

service swat
{
    port            = 905
    socket_type     = stream
    wait            = no
    instances       = 5
    only_from       = 127.0.0.1
    user            = root
    server          = /usr/sbin/swat
    log_on_failure += USERID
}

# End /etc/xinetd.d/swat
EOF

Issue a killall -HUP xinetd to read the new /etc/xinetd.d/swat file.

Note

If you linked Linux-PAM into the Samba build, you'll need to create an /etc/pam.d/samba file.

SWAT can now be launched by pointing your web browser to http://localhost:905.
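To confirm that the “only_from” restriction from the warning above is still in place, the following added example (not part of the BLFS book) parses the service file and fails when the line is missing or lists anything beyond loopback. The function names and the 192.168.1.0/24 range in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the BLFS book: check that the xinetd SWAT
# service is still limited to loopback. Function names are hypothetical.

# Print each address listed on only_from lines of the "service swat" block.
swat_only_from() {
    awk '
        /^[ \t]*#/ { next }                                   # comment lines
        $1 == "service" { want = ($2 == "swat" || $2 == "swat{") }
        want && index($0, "{") { inblk = 1 }
        inblk && $1 == "only_from" {                          # only_from = a b ...
            for (i = 3; i <= NF; i++) print $i
        }
        inblk && index($0, "}") { inblk = 0; want = 0 }
    ' "$1"
}

# Returns 0 = loopback only, 1 = no only_from line, 2 = wider than loopback.
swat_xinetd_audit() {
    addrs=$(swat_only_from "$1")
    if [ -z "$addrs" ]; then
        echo "FAIL: $1 has no only_from; this file puts no limit on who can reach SWAT"
        return 1
    fi
    for a in $addrs; do
        case $a in
            127.0.0.1|127.0.0.0/8|::1) ;;
            *) echo "FAIL: only_from admits $a"; return 2 ;;
        esac
    done
    echo "OK: only_from = $(echo $addrs)"
}

# Constructed sample: the page's service block with a LAN range added.
sample=$(mktemp)
cat > "$sample" << "EOF"
service swat
{
    port            = 905
    only_from       = 127.0.0.1 192.168.1.0/24
    user            = root
    server          = /usr/sbin/swat
}
EOF
swat_xinetd_audit "${1:-$sample}" || echo "exit status $?"
rm -f "$sample"
```

Run it with /etc/xinetd.d/swat as the first argument to audit the installed file; an only_from set in an xinetd defaults block elsewhere is outside what this check reads.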

Setting up SWAT using stunnel

A better way to set up SWAT for network access is through Stunnel-4.46. For convenience, a boot script has been provided for SWAT via stunnel. First, create the stunnel configuration file:

cat >> /etc/stunnel/swat.conf << "EOF"
; File: /etc/stunnel/swat.conf

pid    = /run/stunnel-swat.pid
setuid = root
setgid = root
cert   = /etc/stunnel/stunnel.pem

[swat]
accept = swat
exec   = /usr/sbin/swat

EOF

Next, install the swat bootscript:

make install-swat

After starting the SWAT boot script the tool can be accessed by pointing your web browser to https://localhost:905. Note: https. If access to the tool needs to be further restricted, then iptables-1.4.12 can be used.

Contents

Installed Programs: cifs.upcall, eventlogadm, findsmb, ldbadd, ldbdel, ldbedit, ldbmodify, ldbrename, ldbsearch, net, nmbd, nmblookup, ntlm_auth, pdbedit, profiles, rpcclient, sharesec, smbcacls, smbclient, smbcontrol, smbcquotas, smbd, smbget, smbpasswd, smbspool, smbstatus, smbtar, smbtree, swat, testparm, wbinfo, winbindd, and (if not using system TDB) tdbbackup, tdbdump, and tdbtool
Installed Libraries: libnss_winbind.so, libnss_wins.so, libnetapi.so, libsmbclient.so, libsmbsharemodes.so, libtalloc.so, libwbclient.so, the pam_winbind.so and pam_smbpass.so PAM libraries, and assorted character set, filesystem and support modules.
Installed Directories: /etc/samba, /usr/lib/samba, /usr/share/doc/samba-3.6.1, /usr/share/samba, /var/lib/samba and (if configured) /var/log/samba

Short Descriptions

cifs.upcall

is a userspace upcall helper for Common Internet File Systems (CIFS).

eventlogadm

is used to write records to eventlogs from STDIN, add the specified source and DLL eventlog registry entries and display the active eventlog names (from smb.conf).

findsmb

lists information about machines that respond to SMB name queries on a subnet.

ldbadd

is a command-line utility for adding records to an LDB database.

ldbdel

is a command-line program for deleting LDB database records.

ldbedit

allows you to edit LDB databases using your preferred editor.

ldbmodify

allows you to modify records in an LDB database.

ldbrename

allows you to edit LDB databases using your preferred editor.

ldbsearch

searches an LDB database for records matching a specified expression.

net

is a tool for administration of Samba and remote CIFS servers, similar to the net utility for DOS/Windows.

nmbd

is the Samba NetBIOS name server.

nmblookup

is used to query NetBIOS names and map them to IP addresses.

ntlm_auth

is a tool to allow external access to Winbind's NTLM authentication function.

pdbedit

is a tool used to manage the SAM database.

profiles

is a utility that reports and changes SIDs in Windows registry files. It currently only supports Windows NT.

rpcclient

is used to execute MS-RPC client side functions.

sharesec

manipulates share ACL permissions on SMB file shares.

smbcacls

is used to manipulate Windows NT access control lists.

smbclient

is a SMB/CIFS access utility, similar to FTP.

smbcontrol

is used to control running smbd, nmbd and winbindd daemons.

smbcquotas

is used to manipulate Windows NT quotas on SMB file shares.

smbd

is the main Samba daemon which provides SMB/CIFS services to clients.

smbget

is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.

smbpasswd

changes a user's Samba password.

smbspool

sends a print job to an SMB printer.

smbstatus

reports current Samba connections.

smbtar

is a shell script used for backing up SMB/CIFS shares directly to Linux tape drives or a file.

smbtree

is a text-based SMB network browser.

swat

is the Samba Web Administration Tool.

tdbbackup

is a tool for backing up or validating the integrity of Samba .tdb files.

tdbdump

is a tool used to print the contents of a Samba .tdb file.

tdbtool

is a tool which allows simple database manipulation from the command line.

testparm

checks an smb.conf file for proper syntax.

wbinfo

queries a running winbindd daemon.

winbindd

resolves names from Windows NT servers.

libnss_winbind.so

provides Name Service Switch API functions for resolving names from NT servers.

libnss_wins.so

provides API functions for Samba's implementation of the Windows Internet Naming Service.

libnetapi.so

provides the API functions for the administration tools used for Samba and remote CIFS servers.

libsmbclient.so

provides the API functions for the Samba SMB client tools.

libsmbsharemodes.so

provides API functions for accessing SMB share modes (locks etc.).

libwbclient.so

provides API functions for Windows domain client services.

Last updated on 2011-11-13 02:22:21 +0000