Samba in the Home and Office

A Linux computer can be a great server, not only for other Linux computers, but also for computers running other operating systems. Peter gives an example of how to do this effectively.
Office Networks

What I have done with Samba at my office with about 20 computers on the LAN is more complex, but was not difficult to set up and is very stable. If you are only going to set up a home network, you can probably skip to the end of this article. If you already administer a Windows 95 network, the Windows-specific information presented here probably isn't new to you.

The Samba server is running Linux 1.2.13 (elf) with samba-1.9.15p8 running on a 100MHZ Pentium with 16M ram, 4G SCSI disk, and a 4G DAT.

The Samba clients are running WFWG 3.11 and Win95 on various i486's with 8-16M of ram.

Win95 Features

1. Policies via the new Win95 Registry: The registry is a new format that stores all settings for users and system specific settings. There is a Registry Editor that is needed to modify settings held within the registry.

Policies are what a user can and can't do on the system and what they can and can't do on the network. There is also a Policy Editor to edit user and computer policies from.

2. Remote logon authentication: where all Win95 client machines have all logins to the network and client machine be authenticated via Linux accounts.

This is where you would set up Samba to be the Domain Controller.

1. Log in to the Win95 workstation with domain password if in the smb.conf file you have user = security and you set up the Win95 registry to “require domain authentication before access to windows”.

2. Samba has a function to read the /etc/passwd, look up the uid and verify the password the user entered is correct.

3. If the password is correct, a result code is sent to the Win95 machine for “access granted”.

4. If there is a [netlogon] entry in the smb.conf file, this directory is checked for a config.pol file that the Win95 machine wants to read for the policies for the machine and user. This must be set up in the Win95 setup in the registry with “remote update” and “automatic path” in the Network settings of the registry.

5. If you have logon script = %U.bat in the smb.conf file, the specified batch file will be executed on the client for each user. (%U is replaced by the user name, so %U.bat becomes username.bat—you can have a separate batch file for each user). Make sure the logon scripts (which will be kept in the directory specified in the [netlogon] section) use DOS-style line endings; a good way to ensure that is to use a DOS editor on a DOS system to create the files.

The logon scripts are good if you use them. Only simple DOS commands are required:

net time /set /yes

would match up the time on the server to the workstation. It is nice to have to maintain time on only one system. Having policies stored on the server is another good idea. You can update the policy file from another workstation and the next time a user logs in, the policy file is read and the client registry is updated—automatically!

All the necessary information about these Win95 specifics is found in the Windows 95 Resource Kit. Other discussions of these topics can be found at:

  • comp.os.ms-windows.networking.tcp-ip for Windows and TCP/IP networking.

  • comp.os.ms-windows.setup.win95 for setup, hardware, and driver issues in Win95.

  • comp.os.ms-windows.networking.win95 for Win95 to Novell, TCP/IP, other nets.

For the larger LAN, the smb.conf file looks like this:

; ---------------------------------------------
; Service(s): [globals] [homes] [printers]
; ---------------------------------------------
;
[globals]
    status = yes
;    This enables or disables logging of
;    connections to a status file that
;    smbstatus can read. Yes by default.
    printing = bsd
;    See manpage for your system.  This
;    one is Linux and requires BSD
;    printing entries.
    guest account = dos
;    for printing to work
    invalid users = root, @wheel
;    don't let super-users access from
;    the network
    browseable = yes
;    By default, everything is browsable
;    unless specified elsewhere in
;    services sections
    hosts allow = 10.10.1.
;    you can specify who is allowed in
;    10.10.1. is a class C network that
;    never sees the internet
    lock directory = /var/lock/samba/locks
;    Locks for sessions
    log file = /var/log/samba/log.%m
;    Individual logfile for each client
;    machine
    syslog = 2
;    Anything level 2 and below will also
;    be sent to syslogd
    message command = /bin/mail -s  \
        'message from %f on %m' \
         pkelly < %s; rm %s
;    If someone sends a "win-popup"
;    message - mail it to sys admin
    socket options = TCP_NODELAY
    dead time = 30
;    Close any unused sessions after
;    30 minutes - good for big network.
    read prediction = yes
;    Speeds up reads from disk
    share modes = yes
;    For a 'dos share' type of use
    max xmit = 8192
;    This  option controls the maximum
;    packet size that will be negotiated
;    by Samba.
    os level = 33
;    This integer value controls what level
;    Samba advertises itself as for  browse
;    elections. See BROWSING.txt for details.
    security = user
;    For /etc/passwd to be used
;    for Domain Logons to work
    domain master = yes
;    Master browser
    domain logons = yes
;    For network authentication
    logon script = scripts/login.bat
;    Single batch file to be executed
;    when users logon to the network
;    These are simple dos Batch files
;    logon script = scripts/%U.bat
;    individual batch files - where %U
;    is the person's logon name
[netlogon]
    comment = Network Logon Services
    path = /u/netlogon
;    This is the default setting for
;    the Win95 machines to look for
;    the config.pol file and and .bat
;    scripts to run for the client.
    writable = yes
;    I make this writable so I can add
;    or delete items in the config.pol
;    file and update the .bat scripts
    guest ok = no
;    guests not allowed on our network
[homes]
    comment = Secure Home Directory for : %u
    path = /u/users/%u
;    This will match up the user's name
;    to their home directory.
    guest ok = no
;    guests not allowed on our network
    read only = no
;    Let people write to their own
;    home directory.
    create mode = 640
;    This is handy!  I can set this for
;    each service differently.  So users
;    can create files people can't
;    delete in their home dir.
    writable = yes
;    The above "read only = no" does
;    this, but I like to be safe :)
    browseable = no
;    Don't let people know who's home
;    directories are there.
[printers]
    comment = HP4L in BSC Office
    path = /usr/spool/public
    printcap name = /etc/printcap
;    "man printcap" for details on the
;    syntax for your printer.
    printable = yes
    public = yes
;    Everyone connected can print!
    writable = no
;    Default
    create mode = 0700
;    Default
    browseable = no
;    Default
    load printers = yes
;-------------------------------------------
; fcp Services
;-------------------------------------------
[programs]
    comment = Shared Programs
    path = /u/programs
;    This is where I store the shared programs
;    and have only read access for people.
    public = yes
;    Public - but not writable for all.
    writable = yes
;    Writable for the sys admin to install
;    new programs.
    create mode = 644
;    What the ownerships are to be
[data]
    comment =  Data Directories
    path = /u/data
    public = no
;    You have to be a member of this group
;    who owns these files to be able to
;    work on the files
    create mode = 770
;    This is for all the database files that
;    need to be shared and group writable.
;    The 770 is needed because dir-'s are
;    sometimes created and need to be
;    executable in order to work right.
    writeable = yes
;    Allow people to write and delete files
    volume = "Data on Fileserver"

I totally replaced a LANtastic network with Win95 and Windows for Workgroups as the clients and Linux Samba servers for the servers with that configuration. TCP/IP is the only protocol used, and the peer-to-peer networking people were used to with LANtastic is still available with the client network software.

I have totally eliminated all network-related errors I was getting from a multi-user C-Tree database written by Angus Systems Group Ltd. All disk accesses from the Samba server have dropped to about half the time they used to take, and the system as a whole performs much better than on the previous MS-DOS fileserver. The MS-DOS .EXE's load three times faster over the network.

Peter Kelly (pkelly@ets.net) is a Network Administrator for JDP Computer Systems and Systems Software. He also does database and network functions for O & Y Properties Inc.'s 1 First Canadian Place. Sometimes he does leave his Linux X-Workstation to go outside to eat or to attend part-time classes at the University of Toronto's Computer Science Facilty.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix