What is SAMBA? Samba: installation, configuration, optimization of work Configuring samba server under Linux.

Now it is quite common to find computers running Linux and Windows on the same local network. The reasons for this symbiosis can be different: for example, the owners of Internet cafes did not have enough funds to purchase a licensed OS for all computers, or the system administrator was simply attracted by the positive aspects of Linux. The popularity of Microsoft operating systems is largely determined by the client software for Windows. It's no secret that this software sector is highly developed. Many companies have made serious efforts to this and have created really good, and most importantly, easy-to-use programs that even an ordinary user can easily master. But as a server, the position of Windows is no longer so unambiguous. A server running Unix is ​​traditionally distinguished by reliability, stability in operation, security and often lower requirements for system resources. But in any case, simply by connecting computers with different software platforms to the network, we will not get the expected result. The whole problem is that these two systems use different principles of organizing network resources, which are incompatible with each other.
Since there is no need to wait for Microsoft's grace, and Windows is unlikely to learn how to work with the Unix Network File System (NFS) by standard means, and to be honest, I don’t know third-party programs, the most popular way is to try to teach Unix to "pretend" it would be Windows NT.

Interaction in a network of computers running Windows is based on the use of the protocol SMB (Server Message Block)- blocks of server messages. It provides the performance of all the tasks necessary in these cases for opening and closing, reading and writing, searching for files, creating and deleting directories, setting a print job and deleting it from there. All the actions necessary for this are implemented in Unix-like operating systems using the package SAMBA... Its capabilities can be conditionally divided into two categories: provision of resources (which means access to the printer system and files) for Windows clients and access to client resources. That is, a Linux computer can act as both a server and a client. To begin with, let's consider the SAMBA server option.

What should SAMBA provide for normal operation in a network of Windows machines? First, access control, which can be implemented either at the share level, when a password is assigned to any resource on the network and the corresponding rules of use (for example, "read-only"), while the username does not have absolutely no value; or a more perfect and flexible organization at the user level, when an account is created for each user, which, in addition to the name and password, contains all the necessary information about the access rights to the resource. Before accessing the required resource, each user is authenticated, after which he is granted the rights according to the accounts. Secondly, it is necessary to emulate the access rights defined by the file system. The thing is that the systems under consideration have different access rights to files and directories on the disk. Traditionally, Unix has three categories of file users: owner, group and rest (other)... Each of these subjects can be provided with read permissions, write and execute... In Windows NT, the access system is somewhat more flexible, access is granted to several groups or users, and the corresponding access rights are determined separately for each subject. Therefore, it is impossible to fully emulate NTFS access rights using SAMBA.

With clients running Windows 9x, the situation is different. Since the days of DOS's grandfather, due to the fact that the system is single-user and there could be no question of any users, let alone groups, only four attributes have been defined for the FAT file system - read only, system, archive and hidden... Plus, in Windows, unlike Unix, the file extension has a special meaning - those that are intended to be executed have the extensions .exe, .com, or .bat. When copying files from Unix machines to computers running Windows, the attributes are set as follows:

only for reading- reading, writing for the owner;

archival- execution for the owner;

systemic- execution for the group;

hidden - execution for the group.

A network of Windows machines can be organized as a workgroup, when computers are independent from each other and each has its own database of passwords and logins with its own security policy, as well as an NT domain. The entire base for user and computer authentication is managed Primary Domain Controler (PDC), i.e. centralized. Samba allows you to restrict access at all of these levels and acts as a "master browser" in the context of a workgroup or domain controller.

We have dealt with general organizational issues. Let's now look specifically at the implementation and configuration of a SAMBA server in Linux. For the Samba server to work, two daemons must be running: smbd which provides a print and file sharing service for Samba clients (such as Windows of all stripes), and nmbd that provides NetBIOS naming services (it can also be used to query other naming service daemons). The protocol is used to access clients TCP / IP... Typically, Samba is installed along with the Linux distribution. How to check? Just give the command:

$ whereis samba

and you should get something like this:

Samba: / usr / sbin / samba / etc / samba /usr/share/man/man7/samba.7.gz

If it is not included in the standard distribution, then welcome to ftp://ftp.samba.org/pub/samba/samba-latest.tar.gz or to almost any server with Linux programs. The package is easy to install, so to save space, we will assume that you have it installed. Now let's check if the daemon is running:

$ ps -aux | grep smbd root 1122 0.0 0.6 4440 380? S 16:36 0:00 smbd -D

As you can see, I have it already started. If you do not have it, and you want it to start when the system boots, then in Linux Mandrake, for example, check the required item in DrakConf— starting services or in Red Hat Сontrol-panel— Servise Configuration this is usually enough. Or start manually: ./etc/rc.d/init.d/smb start. The only Samba configuration file is called smb.conf and is usually found in the / etc / directory (although in AltLinux, for example, it is located in the / etc / samba directory). The SAMBA service reads it every 60 seconds, so the changes made to the configuration take effect without reboot, but do not affect the connections already established.

This is why I love Linux, because the configuration files are plain text (besides, they are well commented inside), and in order to use most of the parameters, you just need to uncomment the corresponding line. The smb.conf file is no exception. It consists of named sections starting with the section name, enclosed in square brackets. Each section contains a number of parameters in the form key = value. The configuration file contains four special sections:,, and separate resources (shares). As the name suggests, the section contains the most general characteristics that will be applied everywhere, but which, however, can then be redefined in the sections for individual resources. Several of the options in this section are relevant to configuring the Samba client.

Values ​​of typical section parameters global:

Workgroup = group_name # workgroup name on the Windows network netbios name = server name on the network server string = comment that is visible in the network view properties window guest ok = yes # guest login permission (guest ok = no - guest login is denied) guest account = nobody # the name under which the guest logon is allowed security = user # Access level. user - at the user level, security = share - username and password based authentication. When storing the password database on another SMB server, the values ​​security = server and password server = name_server_NT are used. If the server is a member of the domain, the value security = domain is used, the password for access is specified in the file specified with the smb option passwd file = / path / to / file.

In addition, when registering, you can use encrypted and plain-text passwords... The latter are used in old Windows (Windows for Workgroups, Windows 95 (OSR2), all versions of Windows NT 3.x, Windows NT 4 (up to Service Pack 3)). To enable the option to use an encrypted password, use the encrypt password = yes option. Please pay special attention to this option. Older Linux distributions that were created in the era of Windows 95 (and with an older version of Samba) have password encryption disabled by default, and samba is up to version 2.0 does not support this mode at all (by the way, this option and similar ones - those that do not relate to access to specific resources - are also used in the client).

To display Russian filenames correctly, you need the following options: client code page = 866 and character set = koi8-r. Distributions with good localization, for example, derivatives from Mandrake and Russian, already have this line, sometimes it is enough to simply uncomment it, but in most others you have to add it yourself.

The interfaces = 192.168.0.1/24 option specifies in which network (interface) the program should work if the server is connected to several networks at once. If you set the bind interfaces only = yes parameter, the server will only respond to requests from these networks.

hosts allow = 192.168.1. 192.168.2. 127. - defines clients for whom access to the service is allowed.

In the global section, it is possible to use various variables for more flexible configuration of the server operation. After the connection is established, real values ​​are substituted for them. For example, in the directive log file = /var/log/samba/%m.log, the% m parameter helps to define a separate log file for each client machine. The most common variables used in the global section are:

% a - OS architecture on the client machine (possible values ​​- Win95, Win NT, UNKNOWN, etc.);

% m is the NetBIOS name of the client computer;

% L - SAMBA server NetBIOS name;

% v - SAMBA version;

% I is the IP address of the client's computer;

% T - date and time;

% u - the name of the user working with the service;

% H is the home directory of user% u.

Also, for more flexible customization, the include directive is used using the above variables. For example: include = /etc/samba/smb.conf.%m - now, when requesting from the computer sales if the file /etc/samba/smb.conf.sales is present, the configuration will be taken from this file. If there is no separate file for some machine, then a common file is used to work with it.

There is also an interesting opportunity creating a virtual server... The netbios aliases parameter is used for this:

Netbios aliases = sales accounting admin

Now we order Samba to use its own configuration file for each virtual server:

Include = /etc/samba/smb.conf.%L

Three servers will be visible in the network browser window: sales, accounting, admin.

Enabling the preserve case and short preserve case options force the server to store all input in a case-sensitive manner (in Windows, case does not matter, in all Unixes it is vice versa).

The section allows users to connect to their working directories without explicitly describing them. When a client requests his / her directory // sambaserver / sergej, the machine looks for the corresponding description in the file and if it does not find it, then looks for the presence of this section. If the key exists, the password file is scanned to find the working directory of the requesting user and, if found, makes it available to the user.

A typical description for this section looks like this:

Comment = Home Directories # the comment that is visible in the network properties window browseable = no # determines whether to display the resource in the browse list. writable = yes # allows (no - disallows) writing to the home directory create mode = 0750 # permissions for newly created files directory mode = 0775 # also, but only for directories

After configuring the default settings, you can create network shares that can be accessed by a specific user or group of users. Such a resource is created from an existing directory, for this we write in the file:

Comment = Public Stuff path = / home / samba public = yes writable = no printable = no write list = administrator, @sales

The path parameter points to the directory where the resource is located; the public parameter indicates whether the guest can use the resource, and printable indicates whether the given resource can be used for printing. The write list parameter allows you to define the users who are allowed to write to the resource regardless of the writable value (in this example, the user administrator and the sales group). It is also possible to use the opposite list - read list. If there is a need to hide some files, then on Unix / Linux for this, the file name must start with a dot (the hide dot files parameter, which controls the display of hidden files, by default is yes). In addition, it is possible to set templates for names of hidden files, for which the hide files parameter is used. Each pattern begins and ends with a forward slash (/) and can contain characters used in regular expressions. For example: hide files = /*.log/??.tmp/. Such tricks are bypassed for Windows users just by setting the "Show hidden and system files" mode in Explorer. Use the veto files and delete veto files parameters to reliably restrict the accessibility (ability to delete) of a file (directory).

With CD drives, the situation is somewhat more complicated. The thing is that in Unix-like systems, the concept of a disk is absent as such, and in order to access the desired device, it must first be mounted in a directory tree (# mount -t iso9660 / dev / cdrom / mnt / cdrom) , and after use, so as not to destroy the file system, it must be unmounted (# umount / dev / cdrom), otherwise the device will simply not give up the disk. If you have a daemon running on your server autofs, then the problem can be solved simply. To automatically unmount a device that has not been used for some time, set the desired value for the timeout parameter in the /etc/auto.master file. For instance:

/ mnt / auto / etc / --timeout = 5

(a similar line is already there, you just need to uncomment it). Then set the options for the appropriate device in the /etc/auto.tab file:

Cdrom -fstype = auto, ro: / dev / cdrom

After all this, we write the following lines in /etc/smb.conf to make this resource available:

Path = / mnt / cdrom writable = no

The second option is to use the preexec and postexec directives, which indicate which commands should be executed when accessing a resource and after disconnecting from it (these parameters can be specified for any resource and even in the global section, which opens up great opportunities).

Path = / mnt / cdrom read only = yes root preexec = mount / mnt / cdrom # only root can mount the resource root postexec = umount / mnt / cdrom # naturally, these mount points must be described in the / etc / fstab file, otherwise you must also specify the rest of the data.

Now, when accessing a resource, the CD-ROM is automatically mounted, and sometimes unmounted. The whole problem is that the decision to close the resource must be made by the server - clients, as a rule, do not notify about this. But usually this happens because the resource is simultaneously used by several users at once or an open file is left on the same computer on this resource (Device busy). Therefore, the CD-ROM will not automatically unmount, the only acceptable way to free the resource is to look with the utility smbstatus the number of the process using this resource and kill it with the # kill pid_number command (or kill -s HUP pid_number).

With the required configuration set up, now we will create user accounts (except for the guest login with minimal privileges nobody). To identify SAMBA users, the / etc / samba / smbpasswd file is used, which contains usernames and encrypted passwords. Since the encryption mechanism in networks of Windows machines is not compatible with standard Unix mechanisms, a separate utility is used to fill in the password file - smbpasswd.

# useradd -s / bin / false -d / home / samba / sergej -g sales sergej # smbpasswd -a sergej # smbpasswd -e sergej

This example adds a new user sergej belonging to the group sales, with a dummy shell (the options are / sbin / nologin, / dev / null) and the home directory / home / samba / sergej. Then we create a password for the user sergej and, as the last step, enable access to the user. it is disabled by default. An interesting point that can be confusing at times. The fact is that when a computer with Windows NT / 2000 is connected to the SAMBA server, the user is prompted to enter, as expected, a username and password, and if a computer with Windows 9x / Me is used for access, then the user is prompted to enter only the password, and the login is generated automatically based on the registration name.

It is also possible to map multiple Windows users to a single Linux / Unix user. To do this, a mapping file /etc/smbusers.map is created, in which each mapping is set on a separate line:

Linux_user = user_win1 user_win2 user_winN

In the section add the line username map = /etc/smbusers.map. In this case, the Windows user must be logged in with the password of the user with whom he is associated.

Using SAMBA, you can organize the ability to network printing from computers running Windows (if a separate print server is planned, then a machine based on a 486 processor may be sufficient for this).

To do this, write the following lines in the section:

Printcap name = / etc / printcap # file describing printers connected to the system load printers = yes # indicates the need for automatic inclusion in the list of network resources printing = lprng # printing system (for Linux, bsd can still be used).

Path = / var / spool / samba # points to the directory where print jobs are placed browseable = yes printable = yes read only = yes

After creating the file, test it with the utility testparm... Unfortunately, with the help of this program you can detect only syntax errors, not logical ones, so there is no guarantee that the services described in the file will work correctly (during testing, all settings will be displayed, even those that are installed by default - therefore, carefully review result). But if the program does not swear, you can hope that the file will be loaded without problems at startup. The correct operation of the printers listed in the / etc / printcap file with the SAMBA server can be checked using the utility testprns... Plus, don't forget about the .log files: if you have problems, you can sometimes find a solution there.

Now a little about the good. Configuring Samba is a rather complicated procedure, but the distribution comes with a Web-based administration tool called swat(Samba Web Administration Tool,). Swat is launched as a service or using the Apache server and is intended for editing the smb.conf file, as well as for checking the status, starting and stopping Samba daemons, and changing user passwords. For it to work as a service, the swat 901 / tcp line must be present in the / etc / services file, and swat stream tcp nowait. 400 root / usr / local / samba / bin / swat swat in the /etc/inetd.conf file (this is if a network daemon is used inetd usually in older distributions; modern distributions use a more secure option - xinetd). To use swat in the /etc/xinet.d directory, create a swat file with the following content:

Service swat (disable = no port = 901 socket_type = stream wait = no only_from = 127.0.0.1 # this is a line to run only from the local machine user = root server = / usr / sbin / swat log_on_failure + = USERID)

Now to run Swat in a browser window, enter:

Http: // localhost: 901

But before that, be sure to create a user admin as described above. And never run the SAMBA service as root.

After all the changes in the smb.conf file, you sometimes need to restart the daemon:

Smb: /etc/rc.d/init.d/smb restart

If, after all the above steps, it was still not possible to organize access to SAMBA resources, then such utilities as ping(to check the availability of a node in the network), nmblookup(to query for NetBIOS names), or as a last resort tcpdump... And do not forget about the permissions, because by assigning the directory / gde / to / w / glubine to the user, you will give him the ability to read (execute permission) and the previous directories.

Now let's talk about using the Samba client, because we (Linux users) also want to work with Windows network resources. In order to find out what resources are available, you must enter the command / usr / bin / smbclient -L host_name. The program will ask for a password, in response to which in most cases it is enough to press Enter. Now, to connect to the required resource, enter the computer name and the required resource. For instance:

# / usr / bin / smbclient \\ Alex \ Sound

(here we are trying to connect to the Sound folder on Alex's computer). As a result, if the command is entered correctly and such a network resource exists, you should receive a password prompt. Enter it or press Enter if no password is required to access. In response, you will receive a samba client prompt: smb:>. In the future, work is done by a set of commands with which you can perform all the necessary operations for working with files (copying, creating, moving, etc.). For help, enter smb:> help. This mode is somewhat inconvenient, therefore, in most cases, use the module smbfs which is part of samba; but on older distributions, the kernel can be built without smbfs support, in which case it will have to be rebuilt. To mount the required resource, type something like this:

Mount -t smbfs -o username = user, password = 123456, iocharset = koi8-r, codepage = 866 // alex / sound / mnt / sound.

If you do not specify a username and password, the system itself will ask you for it. Do not forget that by looking at the ~ HOME / .bash_history file, you can use the commands that you typed to find out the password. One more subtlety: if the smbclient program correctly displays files with Russian names, then the smbfs module sometimes pays absolutely no attention to another encoding, even if you specify it explicitly. They say it can be fixed with a patch, but I haven't found one for my Red Hat yet.

If you want the SMB share to be mounted automatically at system startup, add a line like this to the / etc / fstab file:

//[email protected]/ sound / mnt / alex / sound smbfs rw, noauto 0 0.

In this example, on behalf of the user guest(if the resource supports this user and if this user has access only by password, then do not worry: they will certainly ask you) the sound network resource on the alex computer is mounted in the / mnt / alex / sound folder with the ability to write to this directory. By the way, the Samba client perfectly sees hidden network resources, i.e. those whose network name ends with a $.

As you can see, you have to work with the command line, which causes quiet horror for the modern user. And here the world of OpenSource went to meet him - many utilities have been created that allow you to work with Samba resources in a more familiar way, by clicking buttons in graphical shells. The most popular program included in the Mandrake and derivatives distributions, as well as Debian - gnomba... In any case, it can be found on most servers with software for Linux (I saw it at ftp://ftp.altlinux.ru/ for sure). This utility allows you to view the available network resources () and, if necessary, mount to the desired directory, while the option of mounting with the indication of the login and password for those resources that require this is possible. It is possible to start the file manager when mounting (by default gmc), creating directories for mounted resources, setting the option for automatic scanning at program startup (possibly using the default SMB protocol) and scanning by IP addresses (planned using the WINS protocol). For reasons I have not clarified, in some distributions when scanning using the SMB protocol, network resources were not displayed, so I always use the second method, since it works flawlessly, you just need to set a range of IP addresses for scanning (if you know). In order to display the correct Russian file names, do not forget to install the koi8-r fonts in the tab Options> Font selection and also check the lines indicating the Cyrillic encoding in the smb.conf file (see above).

If gnomba can only mount and unmount resources, then the program xsmbrowser also allows you to enter them as folders on the local computer (). True, I have not yet been able to make this program understand files with Russian names, but there are also positive aspects: when this program is running, all mount commands and various network requests are displayed on the console, which allows you to understand them well. The KDE developers have also tried: through Preferences> Information utility available Samba Status, which displays all connections to / from the local computer, at the same time is a convenient means of viewing .log files. The utility provides similar information. komba which can be found at http://linux.tucows.com/ ().

As much as I would like to tell you more, but a magazine is a magazine - you can't fit everything. Further, the ubiquitous man and info will come to your aid. Also, all the necessary help information can be obtained from the SWAT utility, in addition, in Red Hat 7.3 there was a book Using Samba Robert "a Eckstein" a(English language - bad, completely free - good: / usr / share / swat / using_samba), also available from SWAT (). Additional documentation, FAQs, and sample configuration files can be found in the / usr / share / doc / samba directory. In various forums, you can find quite conflicting opinions about the work of Samba, from extremely negative to complete enthusiasm. Personally, I am on the side of the supporters of this Windows NT emulator, besides, according to the test results with the same hardware, the Samba server shows performance about 25-30% higher than a computer running a Microsoft system. Good luck.