Product SiteDocumentation Site

Chapter 17. File and Print Servers

17.1. Samba
17.1.1. Introduction to Samba
17.1.2. Samba Daemons and Related Services
17.1.3. Connecting to a Samba Share
17.1.4. Configuring a Samba Server
17.1.5. Starting and Stopping Samba
17.1.6. Samba Server Types and the smb.conf File
17.1.7. Samba Security Modes
17.1.8. Samba Account Information Databases
17.1.9. Samba Network Browsing
17.1.10. Samba with CUPS Printing Support
17.1.11. Samba Distribution Programs
17.1.12. Additional Resources
17.2. FTP
17.2.1. The File Transfer Protocol
17.2.2. FTP Servers
17.2.3. Files Installed with vsftpd
17.2.4. Starting and Stopping vsftpd
17.2.5. vsftpd Configuration Options
17.2.6. Additional Resources
17.3. Printer Configuration
17.3.1. Starting the Printer Configuration Tool
17.3.2. Starting Printer Setup
17.3.3. Adding a Local Printer
17.3.4. Adding an AppSocket/HP JetDirect printer
17.3.5. Adding an IPP Printer
17.3.6. Adding an LPD/LPR Host or Printer
17.3.7. Adding a Samba (SMB) printer
17.3.8. Selecting the Printer Model and Finishing
17.3.9. Printing a test page
17.3.10. Modifying Existing Printers
17.3.11. Additional Resources
This chapter guides you through the installation and configuration of Samba, an open source implementation of the Server Message Block (SMB) protocol, and vsftpd, the primary FTP server shipped with Fedora. Additionally, it explains how to use the Printer Configuration tool to configure printers.

17.1. Samba

Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.

Installing the samba package

In order to use Samba, first ensure the samba package is installed on your system by running, as root:
yum install samba
For more information on installing packages with Yum, refer to Section 5.2.4, “Installing Packages”.

17.1.1. Introduction to Samba

The third major release of Samba, version 3.0.0, introduced numerous improvements from prior versions, including:
  • The ability to join an Active Directory domain by means of the Lightweight Directory Access Protocol (LDAP) and Kerberos
  • Built in Unicode support for internationalization
  • Support for all recent Microsoft Windows server and client versions to connect to Samba servers without needing local registry hacking
  • Two new documents developed by the Samba.org team, which include a 400+ page reference manual, and a 300+ page implementation and integration manual. For more information about these published titles, refer to Section 17.1.12.2, “Related Books”.

17.1.1.1. Samba Features

Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration.
What Samba can do:
  • Serve directory trees and printers to Linux, UNIX, and Windows clients
  • Assist in network browsing (with or without NetBIOS)
  • Authenticate Windows domain logins
  • Provide Windows Internet Name Service (WINS) name server resolution
  • Act as a Windows NT®-style Primary Domain Controller (PDC)
  • Act as a Backup Domain Controller (BDC) for a Samba-based PDC
  • Act as an Active Directory domain member server
  • Join a Windows NT/2000/2003/2008 PDC
What Samba cannot do:
  • Act as a BDC for a Windows PDC (and vice versa)
  • Act as an Active Directory domain controller

17.1.2. Samba Daemons and Related Services

The following is a brief introduction to the individual Samba daemons and services.

17.1.2.1. Samba Daemons

Samba is comprised of three daemons (smbd, nmbd, and winbindd). Three services (smb, nmb, and winbind) control how the daemons are started, stopped, and other service-related features. These services act as different init scripts. Each daemon is listed in detail below, as well as which specific service has control over it.
smbd
The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
The smbd daemon is controlled by the smb service.
nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/Common Internet File System (CIFS) in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137.
The nmbd daemon is controlled by the nmb service.
winbindd
The winbind service resolves user and group information on a server running Windows NT, 2000, 2003 or Windows Server 2008. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this chapter.

Obtaining a list of utilities that are shipped with Samba

You may refer to Section 17.1.11, “Samba Distribution Programs” for a list of utilities included in the Samba distribution.

17.1.3. Connecting to a Samba Share

You can use Nautilus to view available Samba shares on your network. To view a list of Samba workgroups and domains on your network, select ApplicationsAccessoriesFiles from the Activities menu, and click Browse Network at the sidebar.
Browsing a network in Nautilus
Browsing a network in Nautilus
Figure 17.1. Browsing a network in Nautilus

An icon appears for each available SMB workgroup or domain on the network. Double-click one of the workgroup/domain icons to view a list of computers within the workgroup/domain.
Each machine within the workgroup is represented by its own icon. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.
Alternately, you can also specify the Samba server and sharename in the Location: bar for Nautilus using the following syntax (replace servername and sharename with the appropriate values):
smb://servername/sharename

17.1.3.1. Command Line

To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version.
To connect to a Samba share from a shell prompt, type the following command:
smbclient //hostname/sharename -U username
Replace hostname with the hostname or IP address of the Samba server you want to connect to, sharename with the name of the shared directory you want to browse, and username with the Samba username for the system. Enter the correct password or press Enter if no password is required for the user.
If you see the smb:\> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server.
To exit smbclient, type exit at the smb:\> prompt.

17.1.3.2. Mounting the Share

Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.
To mount a Samba share to a directory, create a directory to mount it to (if it does not already exist), and execute the following command as root:
mount -t cifs //servername/sharename /mnt/point/ -o username=username,password=password
This command mounts sharename from servername in the local directory /mnt/point/.

Installing cifs-utils package

The mount.cifs utility is a separate RPM (independent from Samba). In order to use mount.cifs, first ensure the cifs-utils package is installed on your system by running, as root:
yum install cifs-utils
For more information on installing packages with Yum, refer to Section 5.2.4, “Installing Packages”.
Note that the cifs-utils package also contains the cifs.upcall binary called by the kernel in order to perform kerberized CIFS mounts. For more information on cifs.upcall, refer to man cifs.upcall.
For more information about mounting a samba share, refer to man mount.cifs.

CIFS servers that require plain text passwords

Some CIFS servers require plain text passwords for authentication. Support for plain text password authentication can be enabled using the following command as root:
echo 0x37 > /proc/fs/cifs/SecurityFlags
WARNING: This operation can expose passwords by removing password encryption.

17.1.4. Configuring a Samba Server

The default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.

17.1.4.1. Graphical Configuration

To configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at http://www.samba.org/samba/GUI/.

17.1.4.2. Command Line Configuration

Samba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root:
systemctl restart smb.service
To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your /etc/samba/smb.conf file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the following section to your /etc/samba/smb.conf file (after modifying it to reflect your needs and your system):
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765
The above example allows the users tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.

17.1.4.3. Encrypted Passwords

Encrypted passwords are enabled by default because it is more secure to do so. To create a user with an encrypted password, use the command smbpasswd -a username .

17.1.5. Starting and Stopping Samba

To start a Samba server, type the following command in a shell prompt, as root:
systemctl start smb.service

Setting up a domain member server

To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the smb service.
To stop the server, type the following command in a shell prompt, as root:
systemctl stop smb.service
The restart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
To restart the server, type the following command in a shell prompt, as root:
systemctl restart smb.service
The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.

Applying the changes to the configuration

When the /etc/samba/smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
To conditionally restart the server, type the following command, as root:
systemctl condrestart smb.service
A manual reload of the /etc/samba/smb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root:
systemctl reload smb.service
By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, use a service manager such as systemctl. Refer to Chapter 9, Services and Daemons for more information regarding this tool.

17.1.6. Samba Server Types and the smb.conf File

Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the /etc/samba/smb.conf file for a successful configuration.

17.1.6.1. Stand-alone Server

A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to Section 17.1.7, “Samba Security Modes”.
17.1.6.1.1. Anonymous Read-Only
The following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the /etc/samba/smb.conf file.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Documentation Samba Server
path = /export
read only = Yes
guest only = Yes
17.1.6.1.2. Anonymous Read/Write
The following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.

Do not use anonymous read/write servers

Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the /etc/samba/smb.conf file.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
17.1.6.1.3. Anonymous Print Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
printcap name = cups
disable spools= Yes
show add printer wizard = No
printing = cups
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes
17.1.6.1.4. Secure Read/Write File and Print Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = user
printcap name = cups
disable spools = Yes
show add printer wizard = No
printing = cups
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = john, ed, @admins
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes

17.1.6.2. Domain Member Server

A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.
17.1.6.2.1. Active Directory Domain Member Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.
[global]
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
password server = kerberos.example.com
In order to join a member server to an Active Directory domain, the following steps must be completed:
  • Configuration of the /etc/samba/smb.conf file on the member server
  • Configuration of Kerberos, including the /etc/krb5.conf file, on the member server
  • Creation of the machine account on the Active Directory domain server
  • Association of the member server to the Active Directory domain
To create the machine account and join the Windows 2000/2003/2008 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain. To create an administrative Kerberos ticket, type the following command as root on the member server:
kinit administrator@EXAMPLE.COM
The kinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to the Using Kerberos section of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
To join an Active Directory server (windows1.example.com), type the following command as root on the member server:
net ads join -S windows1.example.com -U administrator%password
Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.

The security option

Since security = ads and not security = user is used, a local password back end such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.
17.1.6.2.2. Windows NT4-based Domain Member Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = domain
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the /etc/samba/smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008, the /etc/samba/smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.

Make sure you join the domain before starting Samba

After configuring the /etc/samba/smb.conf file, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password
Note that the -S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the /etc/samba/smb.conf file instead of it being stated explicitly.

17.1.6.3. Domain Controller

A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.

A mixed Samba/Windows domain controller environment

Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist.
17.1.6.3.1. Primary Domain Controller (PDC) using tdbsam
The simplest and most common implementation of a Samba PDC uses the new default tdbsam password database back end. Replacing the aging smbpasswd back end, tdbsam has numerous improvements that are explained in more detail in Section 17.1.8, “Samba Account Information Databases”. The passdb backend directive controls which back end is to be used for the PDC.
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a tdbsam password database back end.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null  -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
	comment = Home Directories
	valid users = %S
	read only = No
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon/scripts
	browseable = No
	read only = No
# For profiles to work, create a user directory under the
# path shown.
mkdir -p /var/lib/samba/profiles/john
[Profiles]
	comment = Roaming Profile Share
	path = /var/lib/samba/profiles
	read only = No
	browseable = No
	guest ok = Yes
	profile acls = Yes
# Other resource shares ... ...
To provide a functional PDC system which uses the tdbsam follow these steps:
  1. Use a configuration of the smb.conf file as shown in the example above.
  2. Add the root user to the Samba password database:
    smbpasswd -a root
  3. Start the smb service.
  4. Make sure all profile, user, and netlogon directories are created.
  5. Add groups that users can be members of:
    groupadd -f users
    groupadd -f nobody
    groupadd -f ntadmins
  6. Associate the UNIX groups with their respective Windows groups:
    net groupmap add ntgroup="Domain Users" unixgroup=users
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody
    net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
  7. Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command:
    net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users.
Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX.

Limitations of the tdbsam authentication back end

If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication back end. LDAP is recommended in these cases.
17.1.6.3.2. Primary Domain Controller (PDC) with Active Directory
Although it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller.

17.1.7. Samba Security Modes

There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels . Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes.

17.1.7.1. User-Level Security

User-level security is the default setting for Samba. Even if the security = user directive is not listed in the /etc/samba/smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
In the /etc/samba/smb.conf file, the security = user directive that sets user-level security is:
[GLOBAL]
...
security = user
...
The following sections describe other implementations of user-level security.
17.1.7.1.1. Domain Security Mode (User-Level Security)
In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf file:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...
17.1.7.1.2. Active Directory Security Mode (User-Level Security)
If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
In the /etc/samba/smb.conf file, the following directives make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...
17.1.7.1.3. Server Security Mode (User-Level Security)
Server security mode was previously used when Samba was not capable of acting as a domain member server.

Avoid using the server security mode

It is highly recommended to not use this mode since there are numerous security drawbacks.
In the /etc/samba/smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...

17.1.7.2. Share-Level Security

With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.
In the /etc/samba/smb.conf file, the security = share directive that sets share-level security is:
[GLOBAL]
...
security = share
...

17.1.8. Samba Account Information Databases

The latest release of Samba offers many new features including new password database back ends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many back ends may not be suitable for production use.
The following is a list different back ends you can use with Samba. Other back ends not listed here may also be available.
Plain Text
Plain text back ends are nothing more than the /etc/passwd type back ends. With a plain text back end, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very unsecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
smbpasswd
A popular back end used in previous Samba packages, the smbpasswd back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
ldapsam_compat
The ldapsam_compat back end allows continued OpenLDAP support for use with upgraded versions of Samba. This option is normally used when migrating to Samba 3.0.
tdbsam
The new default tdbsam password back end provides an ideal database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam back end includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems.
The tdbsam back end is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
ldapsam
The ldapsam back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, refer to the Red Hat Directory Server 8.2 Deployment Guide. For more information on LDAP, refer to Section 16.1, “OpenLDAP”.
If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (/usr/share/doc/samba-version/LDAP/samba.schema) and the Red Hat Directory Server schema file (/usr/share/doc/samba-version/LDAP/samba-schema-FDS.ldif) have changed. These files contain the attribute syntax definitions and objectclass definitions that the ldapsam back end needs in order to function properly.
As such, if you are using the ldapsam back end for your Samba server, you will need to configure slapd to include one of these schema file. Refer to Section 16.1.3.3, “Extending Schema” for directions on how to do this.

Make sure the openldap-server package is installed

You need to have the openldap-server package installed if you want to use the ldapsam back end.

17.1.9. Samba Network Browsing

Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood. Inside the Network Neighborhood, icons are represented as servers and if opened, the server's shares and printers that are available are displayed.
Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP hostname resolution, other methods such as static files (/etc/hosts) or DNS, must be used.
A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.

17.1.9.1. Domain Browsing

By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation
For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.

17.1.9.2. WINS (Windows Internet Name Server)

Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication.
In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS.
The following is an example of the /etc/samba/smb.conf file in which the Samba server is serving as a WINS server:
[global]
wins support = Yes

Using WINS

All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts cannot be resolved for the client without WINS.

17.1.10. Samba with CUPS Printing Support

Samba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Fedora, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba.

17.1.10.1. Simple smb.conf Settings

The following example shows a very basic /etc/samba/smb.conf configuration for CUPS support:
[global]
load printers = Yes
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
public = Yes
guest ok = Yes
writable = No
printable = Yes
printer admin = @ntadmins
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = ed, john
printer admin = ed, john
Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file.
The print$ directive contains printer drivers for clients to access if not available locally. The print$ directive is optional and may not be required depending on the organization.
Setting browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.

17.1.11. Samba Distribution Programs

findsmb

findsmb subnet_broadcast_address
The findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
The following example shows the output of executing findsmb as any valid user on a system:
~]$ findsmb
IP ADDR       NETBIOS NAME  WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25    VERVE         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26    STATION22     [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45    TREK         +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94    PIXEL         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137   MOBILE001     [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141   JAWS         +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159   FRED         +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192   LEGION       *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205   NANCYN       +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]

net

net protocol function misc_options target_options
The net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The protocol option can be ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003/2008 uses rpc. If the protocol is omitted, net automatically tries to determine it.
The following example displays a list the available shares for a host named wakko:
~]$ net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name   Type     Description
----------   ----     -----------
data         Disk     Wakko data share
tmp          Disk     Wakko tmp share
IPC$         IPC      IPC Service (Samba Server)
ADMIN$       IPC      IPC Service (Samba Server)
The following example displays a list of Samba users for a host named wakko:
~]$ net -l user -S wakko
root password:
User name             Comment
-----------------------------
andriusb              Documentation
joe                   Marketing
lisa                  Sales

nmblookup

nmblookup options netbios_name
The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
Here is an example:
~]$ nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>

pdbedit

pdbedit options
The pdbedit program manages accounts located in the SAM database. All back ends are supported including smbpasswd, LDAP, and the tdb database library.
The following are examples of adding, deleting, and listing users:
~]$ pdbedit -a kristin
new password:
retype new password:
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name: Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations: Munged
dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28
GMT Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
~]$ pdbedit -v -L kristin
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name:
Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations: Munged
dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
~]$ pdbedit -L
andriusb:505:
joe:503:
lisa:504:
kristin:506:
~]$ pdbedit -x joe
~]$ pdbedit -L
andriusb:505: lisa:504: kristin:506:

rpcclient

rpcclient server options
The rpcclient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.

smbcacls

smbcacls //server/share filename options
The smbcacls program modifies Windows ACLs on files and directories shared by a Samba server or a Windows server.

smbclient

smbclient //server/share password options
The smbclient program is a versatile UNIX client which provides functionality similar to ftp.

smbcontrol

smbcontrol -i options
smbcontrol options destination messagetype parameters
The smbcontrol program sends control messages to running smbd, nmbd, or winbindd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.

smbpasswd

smbpasswd options username password
The smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.

smbspool

smbspool job user title copies options filename
The smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.

smbstatus

smbstatus options
The smbstatus program displays the status of current connections to a Samba server.

smbtar

smbtar options
The smbtar program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible.

testparm

testparm options filename hostname IP_address
The testparm program checks the syntax of the /etc/samba/smb.conf file. If your /etc/samba/smb.conf file is in the default location (/etc/samba/smb.conf) you do not need to specify the location. Specifying the hostname and IP address to the testparm program verifies that the hosts.allow and host.deny files are configured correctly. The testparm program also displays a summary of your /etc/samba/smb.conf file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read.
For example:
~]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[html]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<enter>
# Global parameters
[global]
	workgroup = MYGROUP
	server string = Samba Server
	security = SHARE
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
[homes]
	comment = Home Directories
	read only = No
	browseable = No
[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
[tmp]
	comment = Wakko tmp
	path = /tmp
	guest only = Yes
[html]
	comment = Wakko www
	path = /var/www/html
	force user = andriusb
	force group = users
	read only = No
	guest only = Yes

wbinfo

wbinfo options
The wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work.

17.1.12. Additional Resources

The following sections give you the means to explore Samba in greater detail.

17.1.12.1. Installed Documentation

  • /usr/share/doc/samba-version-number/ — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. This directory also contains online versions of The Official Samba-3 HOWTO-Collection and Samba-3 by Example, both of which are cited below.

    Make sure you have the samba-doc package installed

    In order to use the Samba documentation, first ensure the samba-doc package is installed on your system by running, as root:
    yum install samba-doc
    For more information on installing packages with Yum, refer to Section 5.2.4, “Installing Packages”.
Refer to the following manual pages for detailed information specific Samba features:
  • smb.conf
  • samba
  • smbd
  • nmbd
  • winbind

17.1.12.2. Related Books

  • The Official Samba-3 HOWTO-Collection by John H. Terpstra and Jelmer R. Vernooij; Prentice Hall — The official Samba-3 documentation as issued by the Samba development team. This is more of a reference guide than a step-by-step guide.
  • Samba-3 by Example by John H. Terpstra; Prentice Hall — This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations.
  • Using Samba, 2nd Edition by Jay T's, Robert Eckstein, and David Collier-Brown; O'Reilly — A good resource for novice to advanced users, which includes comprehensive reference material.

17.1.12.3. Useful Websites

  • http://www.samba.org/ — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Fedora specific, some concepts may apply.
  • http://samba.org/samba/archives.html — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
  • Samba newsgroups — Samba threaded newsgroups, such as gmane.org, that use the NNTP protocol are also available. This an alternative to receiving mailing list emails.