Tux Knows It's Nice to Share, Part 6

Welcome back, one and all, to another musical column here at the "Sysadmin's Corner". Just so you know where things stand, we start today's column to the strains of the Smashing Pumpkins. This can only mean that it's another week of exploring Samba. Thanks to everyone for the feedback. Before I get rolling, here's an interesting observation. Most of the personal comments I received had to do with

Okay, quick recap. Last time around, I left you with a test on our new ROCKGROUP server that showed a list of printers, a list that you did not have to configure. That was done with the smbclient -L myserver command.

     Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]
             Sharename      Type      Comment
             ---------      ----      -------
             IPC$           IPC       IPC Service (Marcel's Musical Samba Server)
             lp             Printer
             hp710c         Printer
             colour         Printer
             hplj5          Printer

Now, I had you do all this from another Linux client (server?). Interesting really, since this Samba stuff was originally intended to provide Windows services. Even though I had you do this with Linux, you can also use your Windows workstations to test all of this. Keep in mind you do need to have the Client for Microsoft Networks installed on the PC in question. If you are doing this on an existing network of Windows PCs, this is very likely the case. While Jewel starts her song, double-click on the Network Neighborhood icon. Then, double-click on Entire Network. You should see the workgroup you have just specified in your list. If you don't see it right away, don't despair. Windows can take a while to notice a new workgroup or server has been added to the network neighborhood. If you are in a hurry, reboot the Windows 95 PC. Seriously, I'm not just saying that <insert appropriate smiley here>.

Before we talk printers though, you should know that resources in Samba are defined as "shares", and these are usually directories with a specific set of permissions defined in a paragraph. Both shares and configuration sections are identified by a header in square brackets. Some of the ones you'll see as you look at your smb.conf file are [global] (parameters that affect the whole server), a [homes] paragraph (client home directories: more on that later) and various shared directories, [share_name].

The basics of printer definition and sharing are in a paragraph (or section) called, strangely enough, [printers]. If you installed from source and took the defaults, smb.conf would have been sitting in the /usr/local/samba/lib directory. A default Red Hat install puts it in /etc/smb.conf. Anyhow, this is what mine looks like.

     [printers]
             comment = My System Printers
             path = /var/spool/samba
             print ok = Yes
             guest ok = Yes
             browseable = No

For this example, make sure that you set the "print ok" and "guest ok" parameters as I have. The permissions here are pretty wide open; anybody can print to these guys. The "path =" variable is the temporary spool directory where print files are kept while they are printed. In the case of printers, "browseable" is set to no here because this isn't a share. All /etc/printcap printers will automagically appear in the browse list.

The normal method of creating a new printer in Windows is Start, Settings, followed by Printers. Then, you double-click the Add printer icon and select a network connected printer. When you click on Browse, you get the Network Neighborhood list of servers that you can navigate to find the printer you want.

From the Linux side, you can also create print queues that connect to remote Samba printers, and we'll talk about that, but first...if you are in a hurry, you can do something even simpler and quicker. If all you want to do is momentarily use a printer on the network, and it is managed by a Samba server, try this trick. Let's pretend that I am using a Linux notebook called mynotebk (with no printers configured), and I want to be able to do a quick text print to a printer on the server called myserver. The printer is called hplj5. From the command line, type this command:

     smbclient //myserver/hplj5 

Assuming we still have our printer set so that guest printing (or public access) is allowed, press return at the password prompt, and you should see this:

     Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]
     smb: \>

At the prompt, type print, followed by the name of the file you want to print.

     print /etc/profile

When you are done, all you have to do is type quit at the smb: \> prompt. Way cool, eh!

That was for the impatient readers out there. We'll talk about printing again next time when we'll create Linux print queues for these printers, but there are other things we should cover first. To make Samba really useful, we will be setting up shares. These shares will require we perform some kind of password authentication. That means it's time to look at the subject of SMB password encryption. (I don't know if this means anything, but Alanis Morissette just started singing.) Don't worry. This won't hurt a lot.

Later versions of Windows 95 through Windows 98, as well as later versions of NT, started using encrypted passwords, thus not allowing connections to or from servers that did not support SMB encryption. When a Windows workstation wanted to authenticate to a server (whether NT or Samba), it used to pass plain text passwords. This didn't make for heavy duty security, but it made life very simple when setting up Samba servers. That is no longer the case. What this means is you have a decision to make. The reason you need to make a decision is that Linux passwords use a different encryption method than Windows.

Here are your choices.

The first way to address this is to go back to non-encrypted passwords. If you are only talking a PC or two, then this might be the way to go. This is done with a modification to the Windows 9x registry. Here's what you do.

  1. Start the Registry Editor by clicking on the Start button, choosing Run and typing regedit.

  2. Double-click on: HKEY_LOCAL_MACHINE

  3. Now, walk down the registry structure and locate the following: System/CurrentControlSet/Services/VxD/VNETSUP

  4. Now, from the menu bar, choose Edit, then New and then DWORD Value.

  5. Rename this new entry from "New Value #1" to "EnablePlainTextPassword". Make sure you type it exactly. Case is important.

  6. Press Enter, then double-click on your new entry. You will get a dialog box that allows you to change the value of this new key. Set this value to "1". (Don't include the quotes.)

  7. Close the registry editor and reboot.

The other method is to have Samba use encrypted passwords. To do this, look for this line in the smb.conf file.

     ;  encrypt passwords = yes

The semi-colon in front denotes a comment in the smb.conf file. The default file for these new passwords is called /usr/local/samba/private/smbpasswd if you built Samba from source and used the defaults (because we like building from source) or, as is sometimes the case with distributions, /etc/smbpasswd. It is possible to override this with another parameter in the smb.conf file.

     ; smb passwd file = /etc/smbpasswd

If you want to use a different file, uncomment (or add) this line with the appropriate path to your Samba password file. To add a Samba encrypted password for a user named guitux on my system, I would use this command:

     /usr/local/samba/bin/smbpasswd -a guitux

The system will ask for a password and then ask for confirmation of that password. This part should seem quite familiar. One more thing. Bring up the smb.conf file one more time in the editor, and look for the following line in the [global] paragraph.

     security = user

Now, we are going to add a share that will allow users to access a home directory based on their user name (normally /home/user_id). If you put your users in a directory structure that starts /users, then use it as the path. Add the following paragraph:

       comment = User directories
       path = /home/%u
       public = no
       writable = yes

The "%u" will substitute the user ID on a successful login. That's pretty much it (whew!). Reset the Samba server by stopping the smbd and nmbd processes and restarting them. Now, from another workstation, try this:

     smbclient //myserver/guitux -U guitux

The -U option specifies your Samba user login. Next, you'll have to give your password. This is the Samba password you created earlier.

     Password: ********
     Domain=[ROCKGROUP] OS=[Unix] Server=[Samba 2.0.7]
     smb: \>

At the prompt, you should be able to type dir and see the files in guitux's home directory. Just so you don't get completely bored between now and next time, type help to see what else you can do. One last thing...you could have done the same thing in the [homes] section and specified the path there.
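An added example, not part of the original column: a small Python audit of the smb.conf settings covered above (guest ok on [printers], the commented-out encrypt passwords line, security = user). The sample file and the [userdirs] share name are constructed, and a missing encrypt passwords line is treated as disabled, which is an assumption matching the Samba 2.0.x setup described here.

```python
import re

SYNONYMS = {"public": "guest ok"}   # smb.conf accepts "public" for "guest ok"

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines starting with ';' or '#' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())   # normalise case and spacing
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf

def enabled(params, key):
    return params.get(key, "no").lower() in {"yes", "true", "1"}

def audit(text):
    """Report the authentication-related settings this article walks through."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    if not enabled(glob, "encrypt passwords"):   # assumption: absent means disabled
        findings.append("global: encrypt passwords not enabled")
    if glob.get("security", "user").lower() != "user":
        findings.append("global: security is not 'user'")
    for name, params in conf.items():
        if name != "global" and enabled(params, "guest ok"):
            findings.append(f"{name}: guest access allowed")
    return findings

# Constructed sample; [userdirs] is a hypothetical share name.
SAMPLE = """[global]
security = user
;  encrypt passwords = yes
[printers]
print ok = Yes
guest ok = Yes
[userdirs]
public = no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against your own file with audit(open("/etc/smb.conf").read()), adjusting the path to wherever your install keeps smb.conf.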

As Santana starts to rock this home of mine, it's that time again. I'm going to wrap it up, leave you some things to play with and come back next time to take this whole thing up another notch. Until next we meet on this, the <exaggeration> sunniest corner in the whole of the world wide web </exaggeration>, remember what your Momma said, "It's nice to share". And remember Tux knows it, too.
