Basic samba server configuration

From Notes_Wiki
Revision as of 10:22, 7 November 2012 by Saurabh

On Windows XP

  1. Either disable Windows Firewall or create an exception for file and printer sharing in Windows Firewall.
  2. Disable all virtual network interfaces created by VMware, VirtualBox, Hyper-V, OpenVPN etc.
  3. Change computer name by choosing properties window from My Computer. Change workgroup to something other than "Workgroup" so that machines with default workgroup do not show up in the created workgroup. Restart computer.
  4. It takes four / five minutes for computer to search for workgroups and computers in that workgroup. Hence wait for some time after rebooting machine before testing new settings.
  5. Go to "My Network Places" directly, or go to "Network Connections" and from there to "My Network Places". In "My Network Places" use the option "View workgroup computers". The computers that are part of your workgroup should be visible in 5 to 10 seconds if things are fine. Note that even if one computer in the workgroup has a bad firewall configuration, "View workgroup computers" would work slowly on all machines. Hence it is important to use some other custom workgroup name and not the default name "workgroup", to avoid problems from machines which are not under our control in heterogeneous environments.
    There is also option titled "Microsoft Windows Network" that allows you to see names of other workgroups that exist in same LAN in "View Workgroup Computers" window.
  6. Open Windows Explorer and go to "Tools" -> "Folder Options". In the View tab, disable "Simple file sharing" if you want to access the drive shares C$, D$ etc. using the administrator username and password. This way one does not need to share any folder explicitly; all drives are shared and require the administrator username / password for access.
  7. Try to open other computers from Run using the IP address, as "\\<other computer IP>". If prompted for a username / password, enter the Windows administrator username / password. You can then type the names C$, D$, etc. in the address bar and open the desired drives. Share names that end with $ are hidden and will not show up automatically while browsing. One needs to enter these names manually in the address bar to use these shares.
    Within same LAN one can also use "\\<computer_name>" instead of IP address to browse other computer. But if other computer is not in same LAN then a WINS server is required to use names to access computer.
  8. To see the folders shared on a given computer, how many users are connected to the various shares and which files they are currently accessing, right-click on "My Computer" and choose "Manage". In the "Computer Management" window see the sub-options "Shares", "Sessions" and "Open Files" under the "Shared Folders" option. One can see whether someone is using files/folders shared on the current computer and also which user's credentials the other person has logged in with. There is also an option to close a session from here.




Linux - CentOS 5.5

Disable SELinux

To configure samba server on Linux machine first disable SELinux. Configuration of Samba with SELinux will be explored later.


Ensure samba packages have been installed

  • Use command "rpm -qa | grep samba" to see which packages related to Samba are installed on current machine. At least samba-client and samba-common should be installed if you want to connect to Samba shares of Windows XP machines. For Windows 7 or Windows server 2008 one needs to upgrade to samba3x packages. Again if you also want to share files then 'samba3x' package is also required along with 'samba3x-client' client package. It makes sense to download 'samba3x-doc' package so that one can refer to samba documentation as and when required.



Using smbclient command line samba client

  • To obtain list of shares shared by particular server use:
    smbclient -U <username> -L <IP_address>
    For example, to see the list of shares offered by the machine with IP 10.3.3.145 use 'smbclient -U saurabh -L 10.3.3.145'
  • To access files shared on a Windows machine use the command:
    smbclient -U <administrator_username> //<IP>/<sharename>
    For example, to access the drive share named 'C$' on the machine with IP 10.3.3.145 using the administrator username 'saurabh', use 'smbclient -U saurabh //10.3.3.145/C$'. Note that Windows usernames are case-insensitive, so any case is fine for typing the username.
  • Once you are connected you will get prompt like 'smb>'. On this prompt you can use "help" command to see what commands are available.
  • To download directories first go to parent directory using cd commands. Then use 'ls' command to see proper full name of directory you want to download. Then use commands:
    prompt
    recurse
    mget "<Directory to download>"
    to download the complete directory along with its sub-folders and files without any prompting. Then run 'recurse' again as soon as the download is finished to switch it back off. This is because recurse applies to all commands and not just to mget. Hence if you forget to switch off recurse and then run 'ls' on any parent directory, you would end up seeing all sub-directories and the files inside them.
  • We can use command
    smbclient -L localhost -U%
    to check that local samba server is running and that it is allowing users to connect without supplying any username or password.



Using nmblookup

  • To find IP address of computer given its computer name we can use nmblookup. Normally large windows networks have WINS (Windows Name Server) to resolve name to IP addresses and vice-versa. But within same LAN we can resolve name to IP addresses without using WINS server. To find IP address of computer in same LAN, using its computer name use:
    nmblookup '<computer name>'
  • To also find group to which this computer belongs and its MAC address use:
    nmblookup -S '<computer name>'
  • In the "nmblookup -S" output look for lines that contain code '<00>'. For example
    CR0100017 <00> - B <ACTIVE>
    LAB320 <00> - <GROUP> B <ACTIVE>
    In this case the computer name is 'CR0100017' and it belongs to workgroup named 'lab320'.
  • To find IPs of all computers in a workgroup we can use:
    nmblookup '<workgroup name>'
    For example to find all computers in workgroup named lab320 we can use nmblookup 'lab320'
  • If we want computer names along with IP addresses then we can use:
    nmblookup -S 'lab320'
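
The reading of the '<00>' rows described above, as a small Python parser for "nmblookup -S" output. This is an added example, not part of the original notes: the function names are hypothetical, and the sample output is constructed (10.3.3.146, PC2 and both MAC addresses are made up).

```python
import re

# Node-status row as shown on this page: NAME <suffix> - [<GROUP>] B <ACTIVE>
ROW = re.compile(r"\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
                 r"(?P<group><GROUP>\s+)?\S+\s+<ACTIVE>")

def parse_node_status(output):
    """Map each queried IP to its computer name, workgroup and MAC address."""
    hosts, host = {}, None
    for line in output.splitlines():
        start = re.match(r"Looking up status of (\S+)", line)
        row = ROW.match(line)
        mac = re.search(r"MAC Address = ([0-9A-Fa-f-]{17})", line)
        if start:
            host = hosts.setdefault(start.group(1), dict(name=None, workgroup=None, mac=None))
        elif host is not None and row and row["suffix"] == "00":
            # <00> with <GROUP> is the workgroup, without it the computer name
            host["workgroup" if row["group"] else "name"] = row["name"]
        elif host is not None and mac:
            host["mac"] = mac.group(1)
    return hosts

def by_workgroup(hosts):
    """Group (ip, name) pairs by lower-cased workgroup, e.g. to spot default names."""
    groups = {}
    for ip, info in hosts.items():
        groups.setdefault((info["workgroup"] or "").lower(), []).append((ip, info["name"]))
    return groups

# Constructed sample in nmblookup's node-status layout; 10.3.3.146, PC2 and both
# MAC addresses are made up. Rows other than <00> (here <20>) are ignored.
SAMPLE = """Looking up status of 10.3.3.145
    CR0100017       <00> -         B <ACTIVE>
    LAB320          <00> - <GROUP> B <ACTIVE>
    CR0100017       <20> -         B <ACTIVE>

    MAC Address = 00-11-22-33-44-55

Looking up status of 10.3.3.146
    PC2             <00> -         B <ACTIVE>
    WORKGROUP       <00> - <GROUP> B <ACTIVE>

    MAC Address = 00-11-22-33-44-66
"""

if __name__ == "__main__":
    print(by_workgroup(parse_node_status(SAMPLE)))
```

Grouping by workgroup makes it easy to see which machines are still in the default workgroup that the Windows XP section advises against.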



Samba server configuration

  • In order to share files using "Samba server" on linux edit file '/etc/samba/smb.conf' and enter values for following parameters:
    workgroup = <workgroup to join>
    server string = <description of computer>
    netbios name = <name for computer>
  • You can optionally comment out 'server string' using ';' or '#' if you do not want to provide any description. Comment out everything else in the [global] section except the parameters
    log file
    max log size
    security
    Set security to 'share' and use the default values for the log file and its size.
  • Create a folder which would be shared using samba. Do not create this folder in /home or in /root. You can create something like /samba_shared. Use 'chmod 755 <folder_path>'.
  • Add following lines at end of smb.conf file:
    [<share_name>]
    path=<full_path_to_folder>
    read only = yes
    guest ok = yes
  • For example:
    [samba_shared]
    path=/samba_shared
    read only = yes
    guest ok = yes
  • Then use "service smb start" to start samba service.
  • To test setup from Windows machine, go to windows machine and type "\\<IP address>" in run window. You should be able to see share with name you have specified in configuration file. You can go inside that folder without entering any username / password. But you would not be able to create any file or folder inside that share.
  • To make a writable folder first use 'chmod 777 <folder_path>' and then edit 'smb.conf' to set
    read only = no
    Then use 'service smb restart'. Now you should be able to create files in the shared folder.
  • You can enable samba service to automatically run on start-up using 'chkconfig smb on'.
  • Note that all this alone is not enough to make the samba server appear when someone uses 'View Workgroup Computers' or tries 'nmblookup domain_name'. To make the samba server respond to nmb queries we need to start the nmb service.
    Note that there are two services 'smb' and 'nmb'. 'smb' listens on TCP port 139 and 445 and 'nmb' listens on UDP port 137 and 138. 'smb' service is required for sharing folders and 'nmb' is required to list server along with other workgroup computers and to be able to open computer using '\\<netbios_name>' instead of IP address.
    Hence you can also use 'service nmb start' and 'chkconfig nmb on'.
  • Note that by default guest account has value nobody. That is by default samba guest users are mapped to Linux user nobody. If for some reason you want to change this then you can use configuration parameter
    guest account = <linux_user_name_to_use_for_guest_account>
    The 'guest ok' parameter is the same as the 'public' parameter, and both are significant only when the 'security' parameter is set to the value 'share'.
  • We can use command
    testparm /etc/samba/smb.conf
    to check samba configuration file for syntax errors after modifying it and before restarting smb service.
  • We can also install package named 'samba3x-swat' which provides GUI interface for configuring samba server. After installing 'samba3x-swat' we need to change 'disable' to 'no' in file '/etc/xinetd.d/swat'. We also need to start xinetd service and enable it on start-up using 'service xinetd start' and 'chkconfig xinetd on' respectively.
    Then we can open http://localhost:901/ in web browser and enter Linux root username and password to change samba configuration using samba swat interface from network.
  • Requiring username and password for file access: for authentication the 'security' parameter in the global section should have the value 'user' and not 'share'. 'user' is also the default value for the 'security' parameter in the smb.conf configuration file. The password file is specified using the 'passdb backend' parameter, for which the default value is 'smbpasswd'. If one wants, these two default values can be defined explicitly in the smb.conf file using:
    security = user
    passdb backend = smbpasswd
  • To restrict access to a share to a particular user we can use the 'valid users' configuration parameter. In this we can specify the names of the samba users who are allowed to access a particular share. Note that these names are of 'samba' users and not of Linux users. The samba user to Linux user mapping is defined in the file 'smbusers' in the format
    unix_user_name = smb_username1 smb_username2 smb_username3 ...
  • For example to restrict access to share named 'samba_shared' using samba username 'root' we can use
    valid users = root
    to specify that only 'root' Linux user is allowed to access this share. Then we need to set password for samba usernames linked with Linux user named root using 'smbpasswd -a root' command.
  • Note that '-a' option is required when setting password for first time to add user to smbpasswd database. In subsequent calls we can just use 'smbpasswd root' to change root password. Now use 'testparm' command to test configuration and if everything is fine then use 'service smb restart' to make new settings take effect.
  • Now test from a windows machine using username 'root' and password that you have set using 'smbpasswd' command.
  • Now if we want a Samba user named test then we can create first Linux user named test using
    useradd test
  • Change shell of user test to /sbin/nologin for security
    usermod -s /sbin/nologin test
  • Then add user test to smbpasswd database using
    smbpasswd -a test
  • Then we can specify 'valid users=test' for shares that we want only to be accessible from user test.
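
The share settings used above (security = share, guest ok = yes, read only = no) can be checked for mechanically before restarting the service. The following Python is an added example, not part of the original notes: the function names and finding labels are hypothetical, the sample configuration is constructed, and unset parameters are assumed to take Samba's defaults (security = user, guest ok = no, read only = yes).

```python
import re

# Parameter names ignore case and spacing; "writ*" forms are inverted "read only".
SYNONYMS = {"public": "guest ok", "writable": "read only",
            "writeable": "read only", "write ok": "read only"}
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {canonical_param: value}}; continuation lines not handled."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in ";#":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if SYNONYMS.get(key) == "read only":  # writable = yes -> read only = no
                value = "no" if value.lower() in TRUE else "yes"
            current[SYNONYMS.get(key, key)] = value
    return sections

def audit(text):
    """Return (section, finding) pairs for the open settings used on this page."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "user").lower() == "share":
        findings.append(("global", "security-share"))
    for name, params in conf.items():
        merged = {**glob, **params}  # [global] values act as share defaults
        guest = merged.get("guest ok", "no").lower() in TRUE
        read_only = merged.get("read only", "yes").lower() in TRUE
        if name != "global" and guest:
            findings.append((name, "guest-read" if read_only else "guest-writable"))
    return findings

# Constructed sample: the page's writable guest share and a hypothetical [private].
SAMPLE = """[global]
security = share
[samba_shared]
path=/samba_shared
read only = no
guest ok = yes
[private]
writable = yes
valid users = test
"""

print(audit(SAMPLE))
```

A share reported as guest-writable combined with 'chmod 777' on its folder means anyone who can reach TCP ports 139/445 can write there; moving to 'security = user' with 'valid users', as in the last steps above, clears both findings.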


These are very basic samba configuration tools. Samba can be connected to Windows domains or LDAP servers. It can be used to share printers and can support very complex authentication / security settings. More can be explored by reading the man pages and the samba3x documentation available in the /usr/share/doc/samba3x-doc-<version> folder.