Tux Knows It's Nice to Share, Part 6
Okay, quick recap. Last time around, I left you with a test on our new ROCKGROUP server that showed a list of printers, a list that you did not have to configure. That was done with the smbclient -L myserver command.
    Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Marcel's Musical Samba Server)
        lp             Printer
        hp710c         Printer
        colour         Printer
        hplj5          Printer
Now, I had you do all this from another Linux client (server?). Interesting really, since this Samba stuff was originally intended to provide Windows services. Even though I had you do this with Linux, you can also use your Windows workstations to test all of this. Keep in mind you do need to have the Client for Microsoft Networks installed on the PC in question. If you are doing this on an existing network of Windows PCs, this is very likely the case. While Jewel starts her song, double-click on the Network Neighborhood icon. Then, double-click on Entire Network. You should see the workgroup you have just specified in your list. If you don't see it right away, don't despair. Windows can take a while to notice a new workgroup or server has been added to the network neighborhood. If you are in a hurry, reboot the Windows 95 PC. Seriously, I'm not just saying that <insert appropriate smiley here>.
Before we talk printers though, you should know that resources in Samba are defined as "shares", and these are usually directories with a specific set of permissions defined in a paragraph. Both shares and configuration sections are identified by a header in square brackets. Some of the ones you'll see as you look at your smb.conf file are [global] (parameters that affect the whole server), a [homes] paragraph (client home directories: more on that later) and various shared directories, [share_name].
The basics of printer definition and sharing are in a paragraph (or section) called, strangely enough, [printers]. If you installed from source and took the defaults, smb.conf would have been sitting in the /usr/local/samba/lib directory. A default Red Hat install puts it in /etc/smb.conf. Anyhow, this is what mine looks like.
    [printers]
        comment = My System Printers
        path = /var/spool/samba
        print ok = Yes
        guest ok = Yes
        browseable = No
For this example, make sure that you set the "print ok" and "guest ok" parameters as I have. The permissions here are pretty wide open; anybody can print to these guys. The "path =" variable is the temporary spool directory where print files are kept while they are printed. In the case of printers, "browseable" is set to no here because this isn't a share. All /etc/printcap printers will automagically appear in the browse list.
The normal method of creating a new printer in Windows is Start, Settings, followed by Printers. Then, you double-click the Add printer icon and select a network connected printer. When you click on Browse, you get the Network Neighborhood list of servers that you can navigate to find the printer you want.
From the Linux side, you can also create print queues that connect to remote Samba printers, and we'll talk about that, but first...if you are in a hurry, you can do something even simpler and quicker. If all you want to do is momentarily use a printer on the network, and it is managed by a Samba server, try this trick. Let's pretend that I am using a Linux notebook called mynotebk (with no printers configured), and I want to be able to do a quick text print to a printer on the server called myserver. The printer is called hplj5. From the command line, type this command:
Assuming we still have our printer set so that guest printing (or public access) is allowed, press return at the password prompt, and you should see this:
    Password:
    Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]
    smb: >
At the prompt, type print, followed by the name of the file you want to print.
When you are done, all you have to do is type quit at the smb: > prompt. Way cool, eh!
That was for the impatient readers out there. We'll talk about printing again next time when we'll create Linux print queues for these printers, but there are other things we should cover first. To make Samba really useful, we will be setting up shares. These shares will require that we perform some kind of password authentication. That means it's time to look at the subject of SMB password encryption. (I don't know if this means anything, but Alanis Morissette just started singing.) Don't worry. This won't hurt a lot.
Later versions of Windows 95 through Windows 98, as well as later versions of NT, started using encrypted passwords, thus not allowing connections to or from servers that did not support SMB encryption. When a Windows workstation wanted to authenticate to a server (whether NT or Samba), it used to pass plain-text passwords. This didn't make for heavy-duty security, but it made life very simple when setting up Samba servers. That is no longer the case. What this means is you have a decision to make, because Linux passwords use a different encryption method than Windows.
Here are your choices.
The first way to address this is to go back to non-encrypted passwords. If you are only talking a PC or two, then this might be the way to go. This is done with a modification to the Windows 9x registry. Here's what you do.
1. Start the Registry Editor by clicking on the Start button, choosing Run and typing regedit.
2. Double-click on: HKEY_LOCAL_MACHINE
3. Now, walk down the registry structure and locate the following: System/CurrentControlSet/Services/VxD/VNETSUP
4. Now, from the menu bar, choose Edit, then New and then DWORD Value.
5. Rename this new entry from "New Value #1" to "EnablePlainTextPassword". Make sure you type it exactly. Case is important.
6. Press Enter, then double-click on your new entry. You will get a dialog box that allows you to change the value of this new key. Set this value to "1". (Don't include the quotes.)
7. Close the registry editor and reboot.
The other method is to have Samba use encrypted passwords. To do this, look for this line in the smb.conf file:
; encrypt passwords = yes
The semi-colon in front marks the line as a comment in the smb.conf file; remove it to turn encrypted passwords on. The default file for these new passwords is called /usr/local/samba/private/smbpasswd if you built Samba from source and used the defaults (because we like building from source) or, as is sometimes the case with distributions, /etc/smbpasswd. It is possible to override this with another parameter in the smb.conf file.
; smb passwd file = /etc/smbpasswd
If you want to use a different file, uncomment (or add) this line with the appropriate path to your Samba password file. To add a Samba encrypted password for a user named guitux on my system, I would use this command:
/usr/local/samba/bin/smbpasswd -a guitux
The system will ask for a password and then ask for confirmation of that password. This part should seem quite familiar. One more thing. Bring up the smb.conf file one more time in the editor, and look for the following line in the [global] paragraph.
security = user
Now, we are going to add a share that will allow users to access a home directory based on their user name (normally /home/user_id). If you put your users in a directory structure that starts /users, then use it as the path. Add the following paragraph:
    [pchome]
        comment = User directories
        path = /home/%u
        public = no
        writable = yes
The "%u" will substitute the user ID on a successful login. That's pretty much it (whew!). Reset the Samba server by stopping the smbd and nmbd processes and restarting them. Now, from another workstation, try this:
smbclient //myserver/guitux -U guitux
The -U option specifies your Samba user login. Next, you'll have to give your password. This is the Samba password you created earlier.
    Password: ********
    Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]
    smb: >
At the prompt, you should be able to type dir and see the files in guitux's home directory. Just so you don't get completely bored between now and next time, type help to see what else you can do. One last thing...you could have done the same thing in the [homes] section and specified the path there.
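The smb.conf settings covered above decide whether SMB passwords cross the network in plain text and whether a share asks for a password at all. As an added example (not part of the original article), this Python script parses an smb.conf and reports both. The sample file is constructed from the article's sections, and treating an unset "encrypt passwords" as off is an assumption based on the commented-out line shown earlier.

```python
# Added example: audit the smb.conf settings this article touches.
# SAMPLE_CONF is constructed from the article's own sections.
SAMPLE_CONF = """\
[global]
   security = user
;  encrypt passwords = yes

[printers]
   path = /var/spool/samba
   print ok = Yes
   guest ok = Yes
   browseable = No

[pchome]
   path = /home/%u
   public = no
   writable = yes
"""

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def audit(text):
    """List findings for the password and guest settings discussed above."""
    conf, findings = parse_smb_conf(text), []
    # Assumption: an unset "encrypt passwords" means off.
    if conf.get("global", {}).get("encryptpasswords", "no").lower() not in TRUE:
        findings.append("global: encrypt passwords is off (plain-text SMB logins)")
    for name, params in conf.items():        # "public" is a synonym of "guest ok"
        if params.get("guestok", params.get("public", "no")).lower() in TRUE:
            findings.append(f"{name}: guest ok (no password needed)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Run it against your own file by passing the contents of smb.conf to audit(); an empty list means neither condition was found.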
As Santana starts to rock this home of mine, it's that time again. I'm going to wrap it up, leave you some things to play with and come back next time to take this whole thing up another notch. Until next we meet on this, the <exaggeration> sunniest corner in the whole of the world wide web </exaggeration>, remember what your Momma said, "It's nice to share". And remember Tux knows it, too.