From 58b37572718ed65d1b143f44de16aa5efb512f11 Mon Sep 17 00:00:00 2001 From: vorlon Date: Wed, 21 Nov 2007 17:29:21 +0000 Subject: Load samba-3.0.27a into branches/upstream. git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/upstream@1583 fc4039ab-9d04-0410-8cac-899223bdd6b0 --- docs/htmldocs/using_samba/ch02.html | 1849 +++++++++++++++++++++++++++++++++++ 1 file changed, 1849 insertions(+) create mode 100644 docs/htmldocs/using_samba/ch02.html (limited to 'docs/htmldocs/using_samba/ch02.html') diff --git a/docs/htmldocs/using_samba/ch02.html b/docs/htmldocs/using_samba/ch02.html new file mode 100644 index 0000000000..ecefb2fb7d --- /dev/null +++ b/docs/htmldocs/using_samba/ch02.html @@ -0,0 +1,1849 @@ + + + + + +

Chapter 2. Installing Samba on a Unix System

+ +

Now +that you know what Samba can do for you and your users, +it's time to get your own network set up. +Let's start with the installation of Samba. When +dancing the samba, one learns by taking small steps. +It's just the same when installing Samba; we need to +teach it step by step. This chapter will help you start off on the +right foot.

+ +

For illustrative purposes, we will be installing the 2.2.6 version of +the Samba server on a Linux system running Version 2.4 of the kernel. +However, the installation steps are essentially the same for all the +platforms Samba supports.

+ + +
+ +

Bundled Versions

+ +

Samba is in such +popular use that many Unix distributions come with it already +installed. If you choose to use a bundled version of Samba, you can +breeze through most of this chapter, but you'll be +stuck with the Samba version and compile-time options your vendor +selected for you. That version of Samba can't be any +newer than the operating system release, so you're +likely to be pretty far behind the latest developments. On the other +hand, you can be fairly sure that a bundled version has been +installed properly, and perhaps it will take only a few simple +modifications to your smb.conf file for you to +be off and running. Samba is mature enough that you probably +don't need the latest release to meet your basic +needs, so you might be perfectly happy running a bundled version.

+ +

If you choose this option, be aware that your Samba files, including +the very important +smb.conf, might be in different places +than they would be if you were to install from a binary or source +distribution. For example, with the Red Hat, Debian, and Mandrake +Linux distributions, smb.conf and some other +Samba-related files are in the /etc/samba +directory.

+ +

If Samba is already installed on your system, you can check to see +what version you have by using the command:

+ +
$ smbd -V
+Version 2.2.6
+ +

(If this doesn't work, it might be because +smbd is not in your shell's +search path. If you have the locate or +whereis command in your Unix variant, you can +use it to locate the smbd executable.)

+ +

You might also be able to use a system-specific tool to query a +software-package maintenance utility. On Red Hat Linux, you can use +the rpm command to query the installed packages +for Samba:

+ +
$ rpm -qa | grep samba
+samba-client-2.0.8-1.7.1
+samba-2.0.8-1.7.1
+samba-common-2.0.8-1.7.1
+ +

This shows we have Samba 2.0.8, divided into three Red Hat Package +Manager (RPM) packages, bundled with Red Hat 7.1. If your version of +Samba is old, you might at the very least want to check with your +vendor for an update.

+ +

Otherwise, if you're sure you are going to install +from a binary or source distribution, you can remove the RPM packages +as follows:

+ +
# rpm -e samba
+# rpm -e samba-client
+# rpm -e samba-common
+ +

If you are not using Red Hat Linux, consult your +system's documentation to find the method that works +for you.

+ + +
+ +

Binary or Source?

+ +

Precompiled +"binary" packages are also +available for a large number of Unix platforms. These packages +contain binaries for each Samba executable, as well as the standard +Samba documentation. Note that while installing a binary distribution +can save you a fair amount of time and trouble, you should keep a +couple of issues in mind when deciding whether to use the binary or +compile the source yourself:

+ +
  • +

    The binary packages can lag behind the latest version of the software +by one or two (maybe more) minor releases, especially after a series +of small changes and for less popular platforms. Compare the release +notes for the source and binary packages to make sure there +aren't any new features that you need on your +platform.

    +
  • +

    If you use a precompiled binary that is dynamically linked, you will +need to ensure that you have the correct libraries required by the +executables. If your system does not already have the required +version of a library, you might have to install a new version. The +README file or makefile +that accompanies the binary distribution should list any special +requirements.

    + +

    Many systems with shared libraries come with a nifty tool called +ldd. This tool will tell you which libraries a +specific binary requires and which libraries on the system satisfy +that requirement. For example, checking the smbd +program on our test machine gave us:

    + +
    $ ldd smbd
+        libdl.so.2 => /lib/libdl.so.2 (0x40026000)
+        libnsl.so.1 => /lib/libnsl.so.1 (0x4002a000)
+        libpam.so.0 => /lib/libpam.so.0 (0x40041000)
+        libc.so.6 => /lib/libc.so.6 (0x40049000)
+        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    + +

    If there are any incompatibilities between Samba and specific +libraries on your machine, the distribution-specific documentation +should highlight them.

    +
  • +

    If your precompiled binary is statically linked, it is still possible +to have problems. There have been cases in which the statically +linked C library calls in Samba programs have been out of sync with +the operating-system kernel, even though this is +"not supposed to happen."

    +
  • +

    Keep in mind that each binary distribution carries preset values +about the target platform, such as default directories and +configuration option values. Again, check the documentation and the +makefile included in the source directory to see which directives and +variables were used when the binary was compiled. In some cases, +these will not be appropriate for your situation.

    + +

    A few configuration items can be reset with command-line options at +runtime rather than at compile time. For example, if your binary +tries to place any log, lock, or status files in the +"wrong" place (for example, in +/usr/local ), you can override this without +recompiling.

    +
+

One point worth mentioning is that the Samba source requires an +ANSI C +compiler. If you are on a legacy platform with a non-ANSI compiler, +such as the cc compiler on SunOS Version 4, +you'll have to install an ANSI-compliant compiler +such as gcc before you do anything else.[1] +If installing a compiler isn't something you want to +wrestle with, you can start off with a binary package. However, for +the most flexibility and compatibility on your system, we always +recommend compiling from the latest stable or production source.

+ +

A typical installation will take about an hour to complete, including +downloading the source files and compiling them, setting up the +configuration files, and testing the server.

+ +

Here is an overview of the steps:

+ +
  1. +

    Download the source or binary files.

    +
  2. +

    Read the installation documentation.

    +
  3. +

    Configure a makefile.

    +
  4. +

    Compile the server and utility programs.

    +
  5. +

    Install the server files.

    +
  6. +

    Create a Samba configuration file.

    +
  7. +

    Test the configuration file.

    +
  8. +

    Start the Samba daemons.

    +
  9. +

    Test the Samba daemons.

    +
+ +
+ + +
+ + + +
+ +

Downloading the Samba Distribution

+ +

If +you would like to download the latest version of the Samba software, +the primary web site is http://www.samba.org. Once connected to this +page, you'll see links to several Samba mirror sites +across the world, both for the standard Samba web pages and for sites +devoted exclusively to downloading Samba. For the best performance, +choose a site that is closest to your own geographic location.

+ +

The standard Samba web sites have Samba +documentation and +tutorials, +mailing-list +archives, and the latest Samba news, as well as source and binary +distributions of Samba. The download sites (sometimes called +F T P sites) have only the source and binary +distributions. Unless you specifically want an older version of the +Samba server or are going to install a binary distribution, download +the latest source distribution from the closest mirror site. This +distribution is always named:

+ +
samba-latest.tar.gz
+ +

which for the 2.2.6 release is an approximately 5MB file.

+ +

The source distribution has been archived with +tar and then compressed with the GNU +gzip program. To unpack it, move the file to the +directory in which you want the Samba source directory to be located, +then cd to that directory and run the command:

+ +
$ tar xvfz samba-latest.tar.gz
+ +

Or, if you do not have the GNU tar program +(which also handles the unzipping):

+ +
$ gunzip samba-latest.tar.gz
+$ tar xvf samba-latest.tar
+ +

In that latter case, you might need to install the GNU +gunzip program first. While the +tar command runs, it will print out a list of +the files it installs.

+ + +
+ +

Read the Documentation

+ +

This +part might seem obvious, but at one time or other you probably +uncompressed a package, blindly typed:

+ +
$ configure; make; make install
+ +

and walked away to get another cup of coffee. Do yourself a favor and +be a little more careful this time.

+ +

In the top-level directory that you just installed, there is a file +named WHATSNEW.txt, which contains the latest +news about the release. If you are upgrading, you can find important +information about bug fixes or configuration parameters that have +been added or are no longer supported.

+ +

With both source and binary packages you'll find a +large number of documents in the docs directory, +in a variety of formats. One file is especially important:

+ +
docs/htmldocs/UNIX_INSTALL.html
+ +

This is the Samba Team's official instructions on +installing Samba on a Unix system, which you might like to use as +another perspective besides what we are telling you here.

+ +

In general, we expect you'll find to be most useful +the files in the following directories:

+ +
+
docs/faq
+
+

This is the Samba Frequently Asked Questions (FAQ) files.

+
+ + + +
docs/htmldocs
+
+

This is the miscellaneous documentation in HTML format.

+
+ + + +
docs/textdocs
+
+

Here is more documentation, in simple text format.

+
+ + + +
docs/manpages
+
+

You don't need to worry about these yet; during the +installation, the files will be installed so that you can use the +man command to read them. But you can take a +look in the directory to see which manpages are available.

+
+ +
+ + +
+ + +
+ + + +
+ +

Configuring Samba

+ +

Samba automatically configures itself +prior to compilation. This reduces the likelihood of a +machine-specific problem, but you might end up wishing for an option +after Samba has been installed.

+ +

The source distribution of Samba 2.2 and above +doesn't initially have a +makefile. Instead, one is +generated through a GNU configure +script, which is located in the samba-2.2.x +/source/ directory. The configure +script takes care of the machine-specific issues of building Samba.

+ +

NOTE

+ + + +

Before running the configure script, it is +important that you become the root user on the system. Otherwise, you +might get a warning such as:

+ + +
configure: warning: running as non-root will disable some tests
+ + +

You don't want any test to be disabled when the +Samba makefile is being created; it would leave the potential for +errors down the road when compiling or running Samba on your system.

+
+ +

When the configure script is run, it prints out +messages telling what it is doing, and error messages might be mixed +in. To make sure you see those very important error messages, we +suggest you run configure with its standard +output passed through some filter to capture the output and keep it +from scrolling out of sight. One method is using the +more command:

+ +
# ./configure | more
+ +

We will show you another in a moment.

+ +

Although you can run configure as previously +with no options, you might want to add support for extra features by +passing options on the command line. For example:

+ +
# ./configure --with-winbind
+ +

will configure the Samba makefile with support for winbind +authentication. If you would like a complete list of options, type +the following:

+ +
# ./configure --help
+ +

Each option enables or disables various features. You typically +enable a feature by specifying the +--with-feature +option, which will cause the feature to be compiled and installed. +Likewise, if you specify a +--without-feature +option, the feature will be disabled. A full list of configuration +options is provided in Appendix E, but for now we +want to point out three of them, which are features we cover later in +this book:

+ +
+
--with-msdfs
+
+

Include support for Microsoft Distributed filesystem (Dfs), which +allows dispersed network resources to be clumped together into one +easy-to-navigate directory tree. See Chapter 8.

+
+ + + +
--with-smbwrapper
+
+

Include SMB wrapper support, which allows programs running on the +Unix host to access SMB shared folders as if they were Unix +filesystems. We recommend using this option. See Chapter 5.

+
+ + + +
--with-smbmount
+
+

Include smbmount support, which allows SMB +shared folders to be mounted in the Unix filesystem. At the time of +this writing, support for this feature exists only for Linux. This is +also covered in Chapter 5.

+
+ +
+ +

Each option is disabled by default, and none of the features is +essential to Samba. However, you may want to include them in your +configuration (as we will in our example) at least to be able to try +out the options in later chapters.

+ +

In addition, Table 2-1 shows some other parameters +that you can give the configure script if you +wish to store parts of the Samba distribution in different places, +perhaps to make use of multiple disks or partitions. Note that the +defaults sometimes refer to a prefix specified earlier in the table.

+ +

Table 2-1. Additional configure options

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Option

+		 +

Meaning

+		 +

Default

+
+

--prefix=directory

+		 +

Install architecture-independent files at the base directory +specified.

+		 +

/usr/local/samba

+
+

--eprefix=directory

+		 +

Install architecture-dependent files at the base directory specified.

+		 +

/usr/local/samba

+
+

--bindir=directory

+		 +

Install user executables in the directory specified.

+		 +

eprefix/bin

+
+

--sbindir=directory

+		 +

Install administrator executables in the directory specified.

+		 +

eprefix/bin

+
+

--libexecdir=directory

+		 +

Install program executables in the directory specified.

+		 +

eprefix/libexec

+
+

--datadir=directory

+		 +

Install read-only architecture-independent data in the directory +specified.

+		 +

prefix/share

+
+

--libdir=directory

+		 +

Install program libraries in the directory specified.

+		 +

eprefix/lib

+
+

--includedir=directory

+		 +

Install package-include files in the directory specified.

+		 +

prefix/include

+
+

--infodir=directory

+		 +

Install additional information files in the directory specified.

+		 +

prefix/info

+
+

--mandir=directory

+		 +

Install manual pages in the directory specified.

+		 +

prefix/man

+
+ +

Here is a sample execution of the +configure +script, which creates a Samba 2.2.6 makefile for the Linux platform. +Note that you must run the configure script in the +source directory and that we are showing you yet +another way to capture the output of the script:

+ +
$ cd samba-2.2.6/source/
+$ su
+Password:
+# ./configure --with-smbwrapper --with-smbmount \
+--with-msdfs --with-syslog --with-utmp 2>&1 | tee config.my.log
+loading cache ./config.cache
+checking for gcc... (cached) gcc
+checking whether the C compiler (gcc -O ) works... yes
+checking whether the C compiler (gcc -O ) is a cross-compiler... no
+checking whether we are using GNU C... (cached) yes
+checking whether gcc accepts -g... (cached) yes
+checking for a BSD-compatible install... (cached) /usr/bin/install -c
+
+...(content omitted)...
+
+checking configure summary
+configure OK
+creating ./config.status
+creating include/stamp-h
+creating Makefile
+creating include/config.h
+ +

In general, any message from configure that +doesn't begin with the words +checking or +creating is an +error; it often helps to redirect the +output of the configure script to a file so that you can quickly +search for errors, as we did with the tee +command earlier. If there was an error during configuration, more +detailed information about it can be found in the +config.log file, which is written to the local +directory by the configure script, as well as in +the config.my.log file, which we created by +piping through the tee command. These files are +very similar in both name and content, but be careful to check both +of them for error messages before continuing!

+ +

If the configuration works, you'll see a +checking configure +summary message followed by a +configure OK message and four +or five file-creation messages. So far, so good.

+ + +
+ + + +
+ +

Compiling and Installing Samba

+ +

At this point you should be ready to build +the Samba executables. Compiling is also easy: in the +source directory, type make +on the command line. The +make utility will produce a stream of +explanatory and success messages, beginning with:

+ +
Using FLAGS = -O -Iinclude ...
+ +

This build includes compiles for both smbd and +nmbd and ends in a linking command for +bin/nmblookup. For example, here is a sample +make of Samba Version 2.2.6 on a Linux server:

+ +
# make 2>&1 | tee make.log
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE="/usr/local/samba/va
+r" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/
+lib/lmhosts"   -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/bin
+" -DLOCKDIR="/usr/local/samba/var/locks" -DCODEPAGEDIR="/usr/local/samba/lib/cod
+epages" -DDRIVERFILE="/usr/local/samba/lib/printers.def" -DBINDIR="/usr/local/sa
+mba/bin"  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="/u
+sr/local/samba/private/smbpasswd" -DTDB_PASSWD_FILE="/usr/local/samba/private/sm
+bpasswd.tdb"
+Using FLAGS32 =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE
+64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE="/usr/local/samba/
+var" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samb
+a/lib/lmhosts"   -DSWATDIR="/usr/local/samba/swat" -DSBINDIR="/usr/local/samba/b
+in" -DLOCKDIR="/usr/local/samba/var/locks" -DCODEPAGEDIR="/usr/local/samba/lib/c
+odepages" -DDRIVERFILE="/usr/local/samba/lib/printers.def" -DBINDIR="/usr/local/
+samba/bin"  -DHAVE_INCLUDES_H -DPASSWD_PROGRAM="/bin/passwd" -DSMB_PASSWD_FILE="
+/usr/local/samba/private/smbpasswd" -DTDB_PASSWD_FILE="/usr/local/samba/private/
+smbpasswd.tdb"
+Using LIBS = -ldl -lnsl -lpam
+Compiling smbd/server.c
+Compiling smbd/files.c
+Compiling smbd/chgpasswd.c
+Compiling smbd/connection.c
+Compiling smbd/utmp.c
+Compiling smbd/session.c
+Compiling smbd/dfree.c
+Compiling smbd/dir.c
+
+...(content omitted)...
+
+Compiling rpc_server/srv_srvsvc.c
+Compiling rpc_server/srv_srvsvc_nt.c
+Compiling rpc_server/srv_util.c
+Compiling rpc_server/srv_wkssvc.c
+Compiling rpc_server/srv_wkssvc_nt.c
+Compiling rpc_server/srv_pipe.c
+Compiling rpc_server/srv_dfs.c
+Compiling rpc_server/srv_dfs_nt.c
+Compiling rpc_server/srv_spoolss.c
+Compiling rpc_server/srv_spoolss_nt.c
+Compiling lib/util_getent.c
+Compiling rpc_parse/parse_lsa.c
+Compiling rpc_parse/parse_net.c
+Compiling rpc_parse/parsen/smbmount
+Compiling client/smbmnt.c
+Linking bin/smbmnt
+Compiling client/smbumount.c
+Linking bin/smbumount
+Compiling utils/nmblookup.c
+Linking bin/nmblookup
+ +

If you encounter a problem when compiling, first check the Samba +documentation to see if it is easily fixable. Another possibility is +to search or post to the Samba mailing lists, which are given at the +end of Chapter 12 and on the Samba home page. Most +compilation issues are system-specific and almost always easy to +overcome.

+ +

Now that the files have been compiled, you can install them into the +directories you identified with the command:

+ +
# make install
+ +

If you happen to be upgrading, your old Samba files will be +saved with the extension +.old, and you can go back to that previous +version with the command +make revert. After doing a +make install, you should +copy the .old files (if they exist) to a new +location or name. Otherwise, the next time you install Samba, the +original .old will be overwritten without +warning and you could lose your earlier version. If you configured +Samba to use the default locations for files, the new files will be +installed in the directories listed in Table 2-2. +Remember that you need to perform the installation from an account +that has write privileges on these target directories; this is +typically the root account.

+ +

Table 2-2. Samba installation directories

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

Directory

+		 +

Description

+
+

/usr/local/samba

+		 +

Main tree

+
+

/usr/local/samba/bin

+		 +

Binaries

+
+

/usr/local/samba/lib

+		 +

smb.conf, lmhosts, +configuration files, etc.

+
+

/usr/local/samba/man

+		 +

Samba documentation

+
+

/usr/local/samba/private

+		 +

Samba-encrypted password file

+
+

/usr/local/samba/swat

+		 +

SWAT files

+
+

/usr/local/samba/var

+		 +

Samba log files, lock files, browse list info, shared memory files, +process ID files

+
+ +

Throughout the remainder of the book, we occasionally refer to the +location of the main tree as /usr/local/samba. +In most configurations, this is the base directory of the installed +Samba package; however, it can vary from system to system +.

+ +

TIP

+

Watch out if you've made /usr a +read-only partition. You will want to put the logs, locks, and +password files somewhere else.

+
+ +

Here is the installation that we performed on our machine. You can +see that we used /usr/local/samba as the base +directory for the distribution:

+ +
# make install 2>&1 | tee make-install.log
+Using FLAGS =  -O  -Iinclude -I./include -I./ubiqx -I./smbwrapper -D_LARGEFILE64
+_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE  -DLOGFILEBASE="/usr/local/samba/va
+r" -DCONFIGFILE="/usr/local/samba/lib/smb.conf"
+
+...(content omitted)...
+
+The binaries are installed. You can restore the old binaries (if there
+were any) using the command "make revert". You can uninstall the binaries
+using the command "make uninstallbin" or "make uninstall" to uninstall
+binaries, manpages and shell scripts.
+
+...(content omitted)...
+
+======================================================================
+The SWAT files have been installed. Remember to read the swat/README
+for information on enabling and using SWAT.
+======================================================================
+ +

If the last message is about SWAT, you've +successfully installed all the files. Congratulations! You now have +Samba on your system!

+ + +
+ +

Upgrading Your Installation

+ +

Eventually a new version of +Samba will be released, and you will want to upgrade. This is simple; +just repeat the same steps you used to install your current version. +Download the source distribution from the Samba web site and install +it, then run the ./configure, +make, and make +install commands as before. If +you've forgotten which options you used with the +configure +script, take a look at the +source/config.status file in your previous +version's source distribution. The first few lines +of this file show the options used the last time +configure was run.

+ +

When you run the make +install command to install your new +version, the files of the previous version are replaced with the new +ones, and then all you have to do is restart the Samba daemons to get +your new version running. See Section 2.8 later in this chapter for directions on how to do this.

+ + +
+ + +
+ +

Reconfiguring Samba

+ +

If you +have already compiled Samba and wish to recompile the same source +code with different configure options, you +should run the following three commands in the +source directory before rerunning the +configure script:

+ +
# autoconf
+# make clean
+# rm config.cache
+ +

This ensures that you are starting with a clean slate and that your +previous configure command does not leave any +data around that can affect your new build. From here, you can rerun +./configure and then make and +make install.

+ + +
+ + +
+ +

Setting Search Paths

+ +

You +will probably want to run commands included in the Samba distribution +without having to specify their full directory paths. For that to +work, the directory in which the Samba executables are located, +/usr/local/samba/bin by default, must be added +to your shell's PATH environment variable. This +environment variable is usually set in one or more of the +shell's startup files, which in the case of +bash are /etc/profile +(systemwide) and the .bash_profile and +.bashrc files in each user's +home directory.

+ +

To be able to read the Samba manual pages using the +man command, the directory where +Samba's manual pages reside, +/usr/local/samba/man by default, must be in your +MANPATH environment variable. On Red +Hat Linux, this can be accomplished by adding the following two lines +to /etc/man.config:

+ +
+MANPATH            /usr/local/samba/man
+MANPATH_MAP        /usr/local/samba/bin     /usr/local/samba/man
+ + +
+ + +
+ + + +
+ +

Enabling SWAT

+ +

The Samba +Web Administration Tool (SWAT) runs as a daemon under +inetd or xinetd and +provides a forms-based editor in your web browser for creating and +modifying Samba's +configuration file. For SWAT to work, entries must be added for it in +the /etc/services and +/etc/inetd.conf (or +/etc/xinetd.d/swat) configuration files. To add +the entries, follow these two steps:

+ +
  1. +

    Check your /etc/services file, and if it does +not contain the following line, add it to the end of the file:

    + +
    swat   901/tcp
    +
    2. +
  2. +

    Now for inetd or xinetd. +These are "Internet +super daemons" that handle starting daemons on +demand, instead of letting them sit around in memory consuming system +resources. Most systems use inetd, but +xinetd is also used in some versions of Unix, +notably the Red Hat Linux (Versions 7 and newer) that we use in our +examples. You can use the ps command to see +which of the two your system is running.

    +
+

For inetd, add a line to the +/etc/inetd.conf file. +(Check your inetd.conf manual page to see the +exact format of the inetd.conf file if it +differs from the following example.) Don't forget to +change the path to the SWAT binary if you installed it in a different +location from the default /usr/local/samba:

+ +
swat   stream  tcp  nowait  root  /usr/local/samba/bin/swat  swat
+ +

Then force inetd to reread its configuration +file by sending it a SIGHUP (hangup) signal:

+ +
# /bin/kill -HUP -a inetd
+ +

Notice that we are using a version of the kill +command that supports the -a option, so as to +allow us to specify the process by name. On FreeBSD and Linux, you +can use the killall command[2] as follows:

+ +
# killall -HUP inetd
+ +

If you are not running Linux or FreeBSD and your version of +kill doesn't have the +-a option, you will need to use the +ps command to find the process ID and then +supply that to kill:

+ +
# ps ax | grep inetd
+  780 ?        S      0:00 inetd
+ 1981 pts/4    S      0:00 grep inetd                                         
+# kill -HUP 780
+ +

If your system is using xinet, add a file named +swat in your /etc/xinetd.d +directory, containing the following:

+ +
# description: swat is the Samba Web Administration Tool, which
+#       allows an administrator to configure Samba using a web
+#       browser interface, with the URL http://localhost:901
+service swat.
+{
+        socket_type             = stream
+        wait                    = no
+        protocol                = tcp
+        only_from               = localhost
+        user                    = root
+        log_on_failure          += USERID
+        server                  = /usr/local/samba/bin/swat
+        port                    = 901
+        disable                 = no
+}
+ +

Then xinetd needs to be sent a signal[3] to make it reread its configuration files:

+ +
# /bin/kill -HUP -a xinetd
+ +

And that's pretty much it for the installation. +Before you can start up Samba, however, you need to create a +configuration file for it.

+ + +
+ + + +
+ +

A Basic Samba Configuration File

+ +

The +key to configuring Samba is its configuration file, +smb.conf. This configuration file can be very +simple or extremely complex, and the rest of this book is devoted to +helping you get deeply personal with this file. For now, however, +we'll show you how to set up a single file service, +which will allow you to fire up the Samba daemons and see that +everything is running as it should be. In later chapters, you will +see how to configure Samba for more complicated and interesting +tasks.

+ +

The installation process does not automatically create an +smb.conf configuration file, although several +example files are included in the Samba distribution. To test the +server software, though, we'll use the following +file, which you can create in a text editor. It should be named +smb.conf and placed in the +/usr/local/samba/lib directory:[4]

+ +
[global]
+    workgroup = METRAN 
+[test] 
+    comment = For testing only, please
+    path = /usr/local/samba/tmp
+    read only = no
+    guest ok = yes
+ +

This brief configuration file tells the Samba server to offer the +/usr/local/samba/tmp directory on the server as +an SMB share called test. The server also +becomes part of the METRAN workgroup, of which each client must also +be a part. If you have already chosen a name for your own workgroup, +use the name of your workgroup instead of METRAN in the previous +example. In case you are connecting your Samba system into an +existing network and need to know the workgroup name, you can ask +another system administrator or go to a Windows system in the +workgroup and follow these instructions:

+ + +

We'll use the [test] share in the +next chapter to set up the Windows clients. For now, you can complete +the setup by performing the following commands as root on your Unix +server:

+ +
# mkdir /usr/local/samba/tmp
+# chmod 777 /usr/local/samba/tmp
+ +

You might also want to put a file or two in the +/usr/local/samba/tmp directory so that after +your Windows systems are initially configured, you will have +something to use to check that everything works.

+ +

We should point out that in terms of system security, this is the +worst setup possible. For the moment, however, we only wish to test +Samba, so we'll leave security out of the picture. +In addition, we will encounter some encrypted password issues with +Windows clients later on, so this setup will afford us the least +amount of headaches.

+ + +
+ +

Encrypted Passwords

+ +

If your Windows clients are using Windows +98 or Windows NT 4 Service Pack 3 or above (including Windows 2000 +and Windows XP) and you are using a version of Samba earlier than +3.0, you must add the following entry to the +[global] section of the Samba configuration file:

+ +
[global]
+    encrypt passwords = yes
+ +

In addition, you must use the +smbpasswd program (typically located in the +directory /usr/local/samba/bin/ ) to enter the +username/password combinations of the Samba users into +Samba's encrypted password database. For example, if +you wanted to allow Unix user steve to access +shares from a client system, you would use this command:

+ +
# smbpasswd -a steve
+New SMB password:
+Retype new SMB password:
+Added user steve.
+ +

When the first user is added, the program will output a message +saying that the encrypted password database does not exist. +Don't worry: it will then create the database for +you. Make sure that the username/password combinations you add to the +encrypted database match the usernames and passwords you intend to +use on the Windows client side. You must run +smbpasswd for each client user.

+ +

In Samba 3.0, passwords are encrypted by default, so the +encrypt passwords += yes parameter in the +configuration file is optional. However, you will still need to run +the smbpasswd command to add users to the +encrypted password file.

+ + +
+ + +
+ +

Using SWAT

+ +

Creating +a configuration file with SWAT is even easier than writing a +configuration file by hand. To invoke SWAT, use your web browser to +connect to http://localhost:901, and log on as +root with the root password, as shown in Figure 2-1.

+ +

Figure 2-1. SWAT login

+ +

After logging in, click the GLOBALS button at the top of the screen. +You should see the Global Variables page shown in Figure 2-2.

+ +

Figure 2-2. SWAT Global Variables page

+ +

In this example, notice that SWAT retrieved the workgroup name from +the smb.conf file that you created. (If it +didn't, go back and perform that step correctly.) +Make sure that the security field is set to +USER.

+ +

If you are running Samba 2.2 and your Windows clients are at least +Windows 98 or Windows NT 4 SP 3 or later versions, find +encrypt passwords in the +Security Options section and select yes.

+ +

The only other option you need to change from the menu is one +determining which system on the LAN resolves NetBIOS addresses; this +system is called the WINS server. At the very +bottom of the page, set the wins +support field to Yes, unless +you already have a WINS server on your network. If you do, put the +WINS server's IP address in the +wins server field instead. Then +return to the top of the screen, and press the Commit Changes button +to write the changes out to the smb.conf file.

+ +

Next, click the SHARES icon. You should see a page similar to Figure 2-3. Select test (to the right +of the Choose Share button), and click the Choose Share button. You +will see the Share Parameters screen, as shown in Figure 2-3, with the comment and +path fields filled in from your +smb.conf file.

+ +

Figure 2-3. SWAT Share Parameters screen

+ +

If you specified that you want to use encrypted passwords on the +GLOBALS page, click the PASSWORD button. Near the top of the screen, +you will see the Server Password Management section. Enter your Unix +username and password in the spaces, and click the Add New User +button. This functions the same as the smbpasswd +utility and creates an entry in the +/usr/local/samba/private/smbpasswd file to allow +you to authenticate from a Windows client.

+ +

Now click the VIEW button at the top, and SWAT shows you the +following smb.conf file:

+ +
# Samba config file created using SWAT
+# from localhost (127.0.0.1)
+# Date: 2002/09/05 04:56:43
+
+# Global parameters
+        workgroup = METRAN
+        encrypt passwords = Yes
+        wins support = Yes
+
+[test]
+        comment = For testing only!
+        path = /usr/local/samba/tmp
+        read only = No
+ +

Once this configuration file is completed, you can skip the next step +because the output of SWAT is guaranteed to be syntactically correct. +

+ + +
+ + +
+ +

Disabling Oplocks

+ +

The smb.conf +file you have just created is certainly good enough for the purpose +of initial setup and testing, and you can use it as a starting point +from which to develop the configuration of your production Samba +server. But before you get too far with that, we want to bring one +thing to your attention.

+ +

If you are the type of administrator who is highly concerned about +data integrity, you might want to make the following modification to +your smb.conf file before continuing:

+ +
[global]
+    oplocks = no
+ +

That is, use a text editor to add the line oplocks += no to the +[global] section of your +smb.conf file. With this example, as with other +examples we will present throughout this book, you do not need to +enter the [global] line again in your +configuration file. We include it only to indicate in which section +the parameter belongs.

+ +

The oplocks = +no parameter disables opportunistic locking by +clients. This will result in significantly poorer performance, but +will help ensure that flaky Windows clients and/or unreliable network +hardware will not lead to corrupted files on the Samba server.

+ +

We will cover opportunistic locking (oplocks) in more detail in the +section "Locks and Oplocks" in +Chapter 8, and recommend that you understand the +ideas presented there before implementing a production Samba server +that serves database files or other valuable data.

+ + +
+ + +
+ +

Testing the Configuration File

+ +

If you +didn't use SWAT to create your configuration file, +you should probably test it to ensure that it is syntactically +correct. It might seem silly to run a test program against an +eight-line configuration file, but it's good +practice for the real ones that we'll be writing +later on.

+ +

The test parser, +testparm, examines an +smb.conf file for syntax errors and reports any +it finds along with a list of the services enabled on your machine. +An example follows; you'll notice that in our haste +to get the server running we mistyped workgroup as +workgrp (the output is often lengthy, so we +recommend capturing it with the tee command):

+ +
Load smb config files from smb.conf
+Unknown parameter encountered: "workgrp"
+Ignoring unknown parameter "workgrp"
+Processing section "[test]"
+Loaded services file OK.
+Press Enter to see a dump of your service definitions
+# Global parameters
+[global]
+    workgroup = WORKGROUP
+    netbios name = 
+    netbios aliases = 
+    server string = Samba 2.2.6
+    interfaces = 
+    bind interfaces only = No
+
+...(content omitted)...
+
+[test]
+    comment = For testing only!
+    path = /usr/local/samba/tmp
+    read only = No
+ +

The interesting parts are at the top and bottom. The top of the +output will flag any syntax errors that you might have made, and the +bottom lists the services that the server thinks it should offer. A +word of advice: make sure you and the server have the same +expectations.

+ + +
+ + +
+ + + +
+ +

Firewall Configuration

+ +

As +with any services that run on TCP/IP, the SMB networking services +offered by Samba can be accessed from across the Internet unless your +organization's firewall is properly configured. The +following ports are used by Samba for SMB networking and SWAT:

+ +
+
Port 137
+
+

Used for NetBIOS network browsing

+
+ + + +
Port 138
+
+

Used for NetBIOS name service

+
+ + + +
Port 139
+
+

Used for file and printer sharing and other operations

+
+ + + +
Port 445
+
+

Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled

+
+ + + +
Port 901
+
+

Used by SWAT

+
+ +
+ +

At the minimum, your organization's Internet +firewall should shut down all the ports in the list to traffic in +both directions. Do not assume that preventing incoming connections +is sufficient; there are cracks that trick Windows clients into +sending data out of the local area network and into the Internet by +SMB protocol, even from a local network that uses private IP +addresses not forwarded by routers. If you want SMB traffic to travel +across the Internet to remote sites, the best way is to use a virtual +private network (VPN). See the O'Reilly book, +Virtual Private Networks, for more information +on this subject.

+ +

In addition, you might wish to configure a firewall on the Samba host +system to keep SMB packets from traveling further than necessary +within your organization's network. For example, +port 901 can be shut down for remote accesses so that SWAT can be run +only on the Samba host system. If you are using Samba to serve only a +fraction of the client systems within your organization, consider +allowing SMB packets (i.e., packets on ports 137-139 and 445) to go +to or come from only those clients.

+ +

For more information on configuring firewalls, see the +O'Reilly book Building Internet +Firewalls.

+ + +
+ + + +
+ +

Starting the Samba Daemons

+ +

Two Samba processes, +smbd and +nmbd, need to be running for Samba to work +correctly. There are three ways to start them:

+ +
  • +

    Manually

    +
  • +

    Automatically, during system boot

    +
  • +

    From inetd or xinetd

    +
+ +
+ +

Starting the Daemons Manually

+ +

If you're in a +hurry, you can start the Samba daemons by hand. As root, simply enter +the following commands:

+ +
# /usr/local/samba/bin/smbd -D
+# /usr/local/samba/bin/nmbd -D
+ +

Samba will now be running on your system and is ready to accept +connections. However, keep in mind that if either of the daemons exit +for any reason (including system reboots), they will need to be +restarted manually.

+ + +
+ + +
+ +

Automatic Startup

+ +

To have the Samba daemons +started automatically when the system boots, you need to add the +commands listed in the previous section to your standard Unix startup +scripts. The exact method varies depending on the flavor of Unix +you're using.

+ + +
+ +

BSD Unix

+ +

With a BSD-style Unix, you need to append +the following code to the rc.local file, which +is typically found in the /etc or +/etc/rc.d directories:

+ +
if [ -x /usr/local/samba/bin/smbd]; then
+    echo "Starting smbd..."
+    /usr/local/samba/bin/smbd -D
+    echo "Starting nmbd..."
+    /usr/local/samba/bin/nmbd -D
+fi
+ +

This code is very simple: it checks to see if the +smbd file exists and has execute permissions, +and if it does, it starts up both of the Samba daemons on system +boot.

+ + +
+ + + +
+ +

System V Unix

+ +

With System V, things can get a little +more complex. Depending on your Unix version, you might be able to +get away with making a simple change to an +rc.local file as with BSD Unix, but System V +typically uses directories containing links to scripts that control +daemons on the system. Hence, you need to instruct the system how to +start and stop the Samba daemons. The first step to implement this is +to modify the contents of the /etc/rc.d/init.d +directory by adding something similar to the following shell script, +which for this example we will name smb :

+ +
#!/bin/sh
+
+# Check that the Samba configuration file exists
+[ -f /usr/local/samba/lib/smb.conf ] || exit 0
+
+start(  )
+{
+        echo -n "Starting SMB services: "
+        /usr/local/samba/bin/smbd -D
+        ERROR=$?
+        echo
+
+        echo -n "Starting NMB services: "
+        /usr/local/samba/bin/nmbd -D
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+stop(  )
+{
+        echo -n "Shutting down SMB services: "
+        /bin/kill -TERM -a smbd
+        ERROR=$?
+        echo
+
+        echo -n "Shutting down NMB services: "
+        /bin/kill -TERM -a nmbd
+        ERROR2=$?
+        if [ $ERROR2 -ne 0 ]
+        then
+                ERROR=1
+        fi
+        echo
+
+        return $ERROR
+}
+
+case "$1" in
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  *)
+        echo "Usage: $0 {start|stop}"
+        exit 1
+esac
+
+exit $?
+ +

With this script, you can start and stop smbd +and nmbd like this:

+ +
# /etc/rc.d/init.d/smb start
+Starting SMB services:
+Starting NMB services:
+# ps ax | grep mbd
+ 1268 ?        S      0:00 /usr/local/samba/bin/smbd -D
+ 1270 ?        S      0:00 /usr/local/samba/bin/nmbd -D
+ 1465 pts/2    S      0:00 grep mbd
+# /etc/rc.d/init.d/smb stop
+Shutting down SMB services:
+Shutting down NMB services:
+ +

If you are having trouble writing a startup script for your system, +check to see if there is a packaged release of Samba (available from +your Unix vendor or the Samba FTP site). If so, you might be able to +extract a startup script from it to use as a starting point. +Typically, this script doesn't change much (if at +all) from release to release, so using a script from an older Samba +version should not be a problem. Another possibility is to check the +packaging directory in the Samba source +distribution. In that directory, there are subdirectories for many +Unix versions in which you can find a startup script for those +versions. Even if your version isn't included, you +can probably find a startup script for a similar version to use as a +starting point.

+ +

Finally, we need to add symbolic links to the +smb script in the +/etc/rc.d/rcX.d directories:

+ +
# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc3.d/S35smb
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc5.d/S35smb
+
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc0.d/K35smb
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc1.d/K35smb
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc2.d/K35smb
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc4.d/K35smb
+# ln -s /etc/rc.d/init.d/smb /etc/rc.d/rc6.d/K35smb
+ +

The first two commands, with link names starting with an +"S", cause Samba to be started when +entering runlevels 3 or 5, which are the runlevels in which network +file sharing (NFS) is normally enabled. The second group of commands, +with link names starting with a +"K", cause Samba to be shut down +when entering any of the other runlevels (0, 1, 2, 4, or 6).

+ +

The links starting with "S" are +used to start the daemons, and the links starting with +"K" are used for killing them. When +the runlevel is changed, the links starting with +"K" in the corresponding directory +(e.g., the rc3.d directory for runlevel 3) are +executed, followed by the links starting with +"S". If we wanted, we could have +Samba restarted when switching between runlevels 3 and 5 by adding a +K35smb link to each rc3.d +and rc5.d directory.

+ +

The number after the K or S in the link names is used to set the +order in which all the daemons with links in the directory are +started or killed off. Get a long listing of the +rc3.d or rc5.d directories +to see how this is set up on your system. We use 35 to match the +behavior of Red Hat's Samba RPM package. The +important thing is to make sure when starting Samba that all services +it requires are started before it. When shutting down, it is a good +idea to shut down Samba before services it requires to avoid excess +error messages in the log files, but the order is not as crucial.

+ + +
+ + + +
+ +

Darwin and Mac OS X

+ +

An installation of Samba is bundled with the +Darwin distribution, which is included in Mac OS X.[5]

+ +

The Samba daemons are started during system +boot by the script +/System/Library/StartupItems/Samba/Samba. To +trigger the execution of this script, edit the file +/etc/hostconfig and change the SMBSERVER +parameter to look like this:

+ +
SMBSERVER=-YES-
+ +

On Mac OS X, the graphical user interface (GUI) provides an +alternative to using the command line. Launch the System Preferences +application, and select Sharing (see Figure 2-4). +Under the Services tab, turn on Windows File Sharing. This will make +the aforementioned change to /etc/hostconfig and +immediately execute the startup item.

+ +

Figure 2-4. Mac OS X sharing preferences

+ +

If you decide to install Samba yourself on Mac OS X, +it's best not to stomp on the installation provided +with the OS. Use the procedures detailed earlier in this chapter to +install the software into /usr/local/samba or +some other area unaffected by OS upgrades. (Remember to set up users +with smbpasswd if you're using +encrypted passwords, as described earlier in this chapter. This step +is handled automatically with entries in +/var/db/samba/hash if you're +using the built-in server on Mac OS X.) Once you've +got that working, you can edit the Samba startup item script to refer +to your installation, like this:

+ +
    #!/bin/sh
+    # Start Samba
+
+    . /etc/rc.common
+
+    if [ "${SMBSERVER:=-NO-}" = "-YES-" ]; then
+        ConsoleMessage "Starting SMB server"
+
+        if [ -f /usr/local/samba/lib/smb.conf ]; then
+            /usr/local/samba/bin/smbd -D
+            /usr/local/samba/bin/nmbd -D
+        fi
+    fi
+ +

However, beware of OS updates, which can wipe out your changes. One +solution is to make the script immutable, like this:

+ +
# chflags uchg /System/Library/StartupItems/Samba/Samba
+ + +
+ + + +
+ +

Testing automatic startup

+ +

If you can afford a few minutes of +downtime, reboot your system and again use the +ps command to check that the +smbd and nmbd daemons are +running. And if you are managing a 24/7 server, we highly recommend +that you find some downtime in which to reboot and perform this +check. Otherwise, your next unscheduled downtime might surprise you +with a mysterious absence of SMB networking services when the system +comes up again!

+ + +
+ + +
+ + +
+ +

Starting from inetd

+ +

The inetd +[6] daemon is a Unix +system's Internet "super +daemon." It listens on ports defined in +/etc/services and executes the appropriate +program for each port, which is defined in +/etc/inetd.conf. The advantage of this scheme is +that you can have a large number of daemons ready to answer queries, +but they don't all have to be running all the time. +Instead, inetd listens for connection requests +and starts the appropriate daemon when it is needed. The penalty is a +small overhead cost of creating a new daemon process, as well as the +fact that you need to edit two files rather than one to set things +up. The inetd daemon is handy if you have only +one or two Samba users or your machine is running too many daemons +already. It's also easier to perform an upgrade +without disturbing an existing connection.

+ +

If you wish to start from inetd, first open +/etc/services in your text editor. If you +don't already have them defined, add the following +two lines:

+ +
netbios-ssn     139/tcp
+netbios-ns      137/udp
+ +

Next, edit /etc/inetd.conf. Look for the +following two lines and add them if they don't +exist. If you already have smbd and +nmbd lines in the file, edit them to point at the +new smbd and nmbd +you've installed. Your brand of Unix might use a +slightly different syntax in this file; use the existing entries and +the inetd.conf manual +page as a guide:

+ +
netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd 
+netbios-ns  dgram  udp wait   root /usr/local/samba/bin/nmbd nmbd
+ +

Finally, kill any smbd or +nmbd processes and send the +inetd process a hangup (HUP) signal to tell it +to reread its configuration file:

+ +
# /bin/kill -TERM -a smbd
+# /bin/kill -TERM -a nmbd
+# /bin/kill -HUP -a inetd
+ +

After that, Samba should be up and running.

+ +

As we've pointed out before, Red Hat and perhaps +other Unix vendors supply xinetd rather than +inetd. If you need to use +xinetd, you will need to supply a configuration +file in the /etc/xinetd.d directory. +

+ + +
+ + +
+ + + +
+ +

Testing the Samba Daemons

+ +

We're +nearly done with the Samba server setup. All that's +left to do is to make sure everything is working as we think it +should. A convenient way to do this is to use the +smbclient program to examine what the server is +offering to the network. If everything is set up properly, you should +be able to do the following:

+ +
# /usr/local/samba/bin/smbclient -U% -L localhost
+added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0
+Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.6]
+
+        Sharename      Type      Comment
+        ---------      ----      -------
+        test           Disk      For testing only, please
+        IPC$           IPC       IPC Service (Samba 2.2.6)
+        ADMIN$         Disk      IPC Service (Samba 2.2.6)
+        
+        Server               Comment
+        ---------            -------
+        TOLTEC               Samba 2.2.6 on toltec
+
+        Workgroup            Master
+        ---------            -------
+        METRAN               TOLTEC
+ +

If there is a problem, don't panic! Try to start the +daemons manually, and check the system output or the debug files at +/usr/local/samba/var/log.smb to see if you can determine what happened. +If you think it might be a more serious problem, skip to Chapter 12 for help on troubleshooting the Samba daemons.

+ +

If it worked, congratulations! You now have successfully set up the +Samba server with a disk share. It's a simple one, +but we can use it to set up and test the Windows 95/98/Me and +NT/2000/XP clients in the next chapter. Then we will start making it +more interesting by adding services such as home directories, +printers, and security, and by seeing how to integrate the server +into a larger Windows domain.

+ + +
+ +

Footnotes

+

[1] gcc binaries are available for almost +every modern machine. See http://www.gnu.org/ for a list of sites with +gcc and other GNU software.

[2] Do +not confuse this with the Solaris killall +command, which performs part of the system shutdown sequence!

+ +

[3] Depending on the version of xinetd you +have and how it was compiled, you might need to send a USR1 or some +other signal rather than the HUP signal. Check the manual page for +xinetd (8) on your system for details.

+ +

[4] If you did not compile Samba, but instead downloaded a binary, +check with the documentation for the package to find out where it +expects the smb.conf file to be. Or, try running +the testparm program and look for the location +of smb.conf in the first line of output. If +Samba came preinstalled with your Unix system, an +smb.conf file is probably already somewhere on +your system.

+

[5] In this book, we cover Darwin Version 6.0 and OS X Version +10.2.

[6] With early releases of Samba 2.2, there were reports +of intermittent errors when starting from inetd. +We provide this information so that it will be available for later +releases when the problem will hopefully have been identified and +corrected.

+ + +

TOC

+ -- cgit v1.2.3