Getting the NT Out—And the Linux In

An overview of configuring Linux using Samba to replace the services provided from Windows NT servers.
Global Parameters

security = user is the default security setting for Samba 2.x. This configures Samba to require a user to provide authentication to access the server. To understand how Samba works with NT domains and servers, see “Security = Domain” in the Samba documentation.

iworkgroup = MyGroup controls which workgroup your server will appear to be in when queried by clients.

encrypt passwords = Yes controls whether encrypted passwords will be negotiated with the client. Windows NT 4SP3+ and Windows 98 will expect an encrypted password by default.

min passwd length = 6 sets the minimum length in characters of a plaintext password that smbd will accept when performing UNIX password changing.

smb passwd file = /etc/smbpasswd sets the path to the encrypted smbpasswd file. By default, the path to the smbpasswd file is compiled into Samba. I always add this to reduce confusion.

logon script = STARTUP.BAT specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS-style cr/lf (carriage return/line feed) line endings.

If domain logons = Yes is set to true, the Samba server will serve Windows 95/98 domain logons for the workgroup it is in. For more details on setting up this feature, see the file DOMAINS.txt in the Samba documentation.

domain master = Yes enables WAN-wide (wide area network) browse list collation. Setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and will then ask smbd for a complete copy of the browse list for the entire WAN. Browser clients will then contact their local master browser and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

preferred master = Yes is a Boolean parameter which controls whether nmbd is a preferred master browser for its workgroup.

Setting Up Network Shares

That's it for our global parameters. We can now move on to creating network shares. By setting up a [homes] section, our server can create home-directory mappings on the fly:

comment = Home Directories
read only = No
create mask = 0750
browseable = No

Now let's create some shares for users to access. The share definition should include the path, who can access the share (valid or invalid) and whether the share is writeable. By default, if no valid user or group is defined, the share is open to any client, so keep this in mind when creating your shares. In the apps share, I chose to create the UNIX group all_users containing just my local users.

comment = Apps Directory
path = /shares/apps
valid users = @all_users
read only = No
comment = Project 1 Directory
path = /shares/proj1
valid users = dcsmith kholmes joe katie redpup
read only = No
Last, I set up my netlogon home. This will be set to the relative path for my netlogon scripts. In this example, my login script is located at /etc/netlogon/STARTUP.BAT.
path = /etc/netlogon
The full Samba configuration script is shown in Listing 1.

Listing 1

Samba Dæmons

The next step is to start the Samba dæmons. After checking everything out, you will probably want to add this to your system startup procedures.

/usr/local/samba/bin/smbd -D -s
/usr/local/samba/bin/nmbd -D

If everything went well, both smbd and nmbd were started successfully. If not, start troubleshooting by reading the log files at /var/adm/logs and review the FAQs from the Samba site.

Troubleshooting utilities, located in the Samba bin directory, are testparm, which will parse your smb.conf for errors, smbstatus, and nmblookup for NetBIOS name issues.

Setting Up the Samba Password File

Now it's time to add your users and passwords to your smbpassword file. One item to note is that users must have a UNIX account password as well. There are many options regarding passwords, such as remote password sync and NT domain and pass-through authentication, to help you with larger administration issues. In our case, user accounts are on our local Linux box. This command will create a SMB account and then prompt you to change your password.

/usr/local/samba/bin/smbpasswd -a testuser

You should now be able to log in as testuser and get authenticated from your Windows machines and access network shares. Great fun, eh? Once you get up and running, you will want to use some of the tools and utilities that Samba provides. One of the more useful utilities available is SWAT, a web-based administration tool that helps monitor and configure almost all Samba configurations. If SWAT is not available on your system, you can find it and more on the Samba home page.