Samba in the Home and Office
What I have done with Samba at my office with about 20 computers on the LAN is more complex, but was not difficult to set up and is very stable. If you are only going to set up a home network, you can probably skip to the end of this article. If you already administer a Windows 95 network, the Windows-specific information presented here probably isn't new to you.
The Samba server is running Linux 1.2.13 (elf) with samba-1.9.15p8 running on a 100MHZ Pentium with 16M ram, 4G SCSI disk, and a 4G DAT.
The Samba clients are running WFWG 3.11 and Win95 on various i486's with 8-16M of ram.
1. Policies via the new Win95 Registry: The registry is a new format that stores all settings for users and system specific settings. There is a Registry Editor that is needed to modify settings held within the registry.
Policies are what a user can and can't do on the system and what they can and can't do on the network. There is also a Policy Editor to edit user and computer policies from.
2. Remote logon authentication: where all Win95 client machines have all logins to the network and client machine be authenticated via Linux accounts.
This is where you would set up Samba to be the Domain Controller.
1. Log in to the Win95 workstation with domain password if in the smb.conf file you have user = security and you set up the Win95 registry to “require domain authentication before access to windows”.
2. Samba has a function to read the /etc/passwd, look up the uid and verify the password the user entered is correct.
3. If the password is correct, a result code is sent to the Win95 machine for “access granted”.
4. If there is a [netlogon] entry in the smb.conf file, this directory is checked for a config.pol file that the Win95 machine wants to read for the policies for the machine and user. This must be set up in the Win95 setup in the registry with “remote update” and “automatic path” in the Network settings of the registry.
5. If you have logon script = %U.bat in the smb.conf file, the specified batch file will be executed on the client for each user. (%U is replaced by the user name, so %U.bat becomes username.bat—you can have a separate batch file for each user). Make sure the logon scripts (which will be kept in the directory specified in the [netlogon] section) use DOS-style line endings; a good way to ensure that is to use a DOS editor on a DOS system to create the files.
The logon scripts are good if you use them. Only simple DOS commands are required:
net time /set /yes
would match up the time on the server to the workstation. It is nice to have to maintain time on only one system. Having policies stored on the server is another good idea. You can update the policy file from another workstation and the next time a user logs in, the policy file is read and the client registry is updated—automatically!
All the necessary information about these Win95 specifics is found in the Windows 95 Resource Kit. Other discussions of these topics can be found at:
comp.os.ms-windows.networking.tcp-ip for Windows and TCP/IP networking.
comp.os.ms-windows.setup.win95 for setup, hardware, and driver issues in Win95.
comp.os.ms-windows.networking.win95 for Win95 to Novell, TCP/IP, other nets.
For the larger LAN, the smb.conf file looks like this:
; --------------------------------------------- ; Service(s): [globals] [homes] [printers] ; --------------------------------------------- ; [globals] status = yes ; This enables or disables logging of ; connections to a status file that ; smbstatus can read. Yes by default. printing = bsd ; See manpage for your system. This ; one is Linux and requires BSD ; printing entries. guest account = dos ; for printing to work invalid users = root, @wheel ; don't let super-users access from ; the network browseable = yes ; By default, everything is browsable ; unless specified elsewhere in ; services sections hosts allow = 10.10.1. ; you can specify who is allowed in ; 10.10.1. is a class C network that ; never sees the internet lock directory = /var/lock/samba/locks ; Locks for sessions log file = /var/log/samba/log.%m ; Individual logfile for each client ; machine syslog = 2 ; Anything level 2 and below will also ; be sent to syslogd message command = /bin/mail -s \ 'message from %f on %m' \ pkelly < %s; rm %s ; If someone sends a "win-popup" ; message - mail it to sys admin socket options = TCP_NODELAY dead time = 30 ; Close any unused sessions after ; 30 minutes - good for big network. read prediction = yes ; Speeds up reads from disk share modes = yes ; For a 'dos share' type of use max xmit = 8192 ; This option controls the maximum ; packet size that will be negotiated ; by Samba. os level = 33 ; This integer value controls what level ; Samba advertises itself as for browse ; elections. See BROWSING.txt for details. security = user ; For /etc/passwd to be used ; for Domain Logons to work domain master = yes ; Master browser domain logons = yes ; For network authentication logon script = scripts/login.bat ; Single batch file to be executed ; when users logon to the network ; These are simple dos Batch files ; logon script = scripts/%U.bat ; individual batch files - where %U ; is the person's logon name [netlogon] comment = Network Logon Services path = /u/netlogon ; This is the default setting for ; the Win95 machines to look for ; the config.pol file and and .bat ; scripts to run for the client. writable = yes ; I make this writable so I can add ; or delete items in the config.pol ; file and update the .bat scripts guest ok = no ; guests not allowed on our network [homes] comment = Secure Home Directory for : %u path = /u/users/%u ; This will match up the user's name ; to their home directory. guest ok = no ; guests not allowed on our network read only = no ; Let people write to their own ; home directory. create mode = 640 ; This is handy! I can set this for ; each service differently. So users ; can create files people can't ; delete in their home dir. writable = yes ; The above "read only = no" does ; this, but I like to be safe :) browseable = no ; Don't let people know who's home ; directories are there. [printers] comment = HP4L in BSC Office path = /usr/spool/public printcap name = /etc/printcap ; "man printcap" for details on the ; syntax for your printer. printable = yes public = yes ; Everyone connected can print! writable = no ; Default create mode = 0700 ; Default browseable = no ; Default load printers = yes ;------------------------------------------- ; fcp Services ;------------------------------------------- [programs] comment = Shared Programs path = /u/programs ; This is where I store the shared programs ; and have only read access for people. public = yes ; Public - but not writable for all. writable = yes ; Writable for the sys admin to install ; new programs. create mode = 644 ; What the ownerships are to be [data] comment = Data Directories path = /u/data public = no ; You have to be a member of this group ; who owns these files to be able to ; work on the files create mode = 770 ; This is for all the database files that ; need to be shared and group writable. ; The 770 is needed because dir-'s are ; sometimes created and need to be ; executable in order to work right. writeable = yes ; Allow people to write and delete files volume = "Data on Fileserver"
I totally replaced a LANtastic network with Win95 and Windows for Workgroups as the clients and Linux Samba servers for the servers with that configuration. TCP/IP is the only protocol used, and the peer-to-peer networking people were used to with LANtastic is still available with the client network software.
I have totally eliminated all network-related errors I was getting from a multi-user C-Tree database written by Angus Systems Group Ltd. All disk accesses from the Samba server have dropped to about half the time they used to take, and the system as a whole performs much better than on the previous MS-DOS fileserver. The MS-DOS .EXE's load three times faster over the network.
Peter Kelly (email@example.com) is a Network Administrator for JDP Computer Systems and Systems Software. He also does database and network functions for O & Y Properties Inc.'s 1 First Canadian Place. Sometimes he does leave his Linux X-Workstation to go outside to eat or to attend part-time classes at the University of Toronto's Computer Science Facilty.
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems
Join editor Bill Childers and Bit9's Paul Riegle on April 27 at 12pm Central to learn how to keep your Linux systems secure.
Free to Linux Journal readers.Register Now!
|diff -u: What's New in Kernel Development||Aug 20, 2014|
|Security Hardening with Ansible||Aug 18, 2014|
|Monitoring Android Traffic with Wireshark||Aug 14, 2014|
|IndieBox: for Gamers Who Miss Boxes!||Aug 13, 2014|
|Non-Linux FOSS: a Virtualized Cisco Infrastructure?||Aug 11, 2014|
|Linux Security Threats on the Rise||Aug 08, 2014|
- diff -u: What's New in Kernel Development
- Security Hardening with Ansible
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- Monitoring Android Traffic with Wireshark
- Tech Tip: Really Simple HTTP Server with Python
- [<Megashare>] Watch Mrs Brown's Boys Movie Online Full Movie HD 2014
- RSS Feeds
- Readers' Choice Awards 2013
- Linux Security Threats on the Rise
- Cooking with Linux - Serious Cool, Sysadmin Style!