Sabtu, 27 Maret 2010

Setting UP SAMBA

What is SAMBA
Samba is an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with Microsoft Windows, OS X, and other Unix systems.
Samba can be used to:
•Act as a server for SMB clients: share folders and printers, including PDF pseudo-printers so all the computers in your network may write PDF files •Act as a domain controller in a Windows network (authenticating users, etc.) •Do some more complex things, such as using a Windows domain controller to authenticate the users of a Linux/UNIX machine Samba is freely available under the GNU General Public License. More information be found at http://www.samba.org.

Back to top
Client Access - Browsing SMB shares
The samba package is a meta-package intended to be installed on file and printer sharing servers. Clients do not need this meta-package (you are acting as a client if you need to access files on another computer). For example, installing samba is not necessary if you only need your Ubuntu system to do any of the following:
•Access shared folders, drives and printers on a Windows computer (that is, act as a client with Windows servers). To do this, you only need the smbfs plugin. See MountWindowsSharesPermanently for more information.
•Have your Windows computer use (via a network) a printer that is attached to a Linux computer. CUPS can be configured to make the printer accessible to the network. •Share directories between two Linux computers. You can use NFS or setup an SSH server on one computer and access it from other computers using an scp or sftp client, or Places -> Connect to Server... and choose "SSH" as the service type.

Ubuntu Clients
Ubuntu and Gnome make it easy to access files on a Windows network share. Open the Places Menu, then click on Network. You will see a Windows network icon. Double-click to open it. The next window shows all the domains/workgroups found on your network. Inside each domain/workgroup you will see all the computers on the domain/workgroup with sharing enabled. Double-click on a computer icon to access its shares and files.
•If you want to be able to share folders with nautilus (the file browser), install the nautilus-share package (installed by default in Ubuntu 9.10 Desktop edition):

sudo apt-get install nautilus-shareAlternate: From the menu at the top select "Location" -> "Connect to a server". In the "Service type" pull down select "Windows share". Enter the server ip address in the "Server:" box and the share name in the "Share:" box. Click "Connect" and then "Connect" again on the second dialog box
Note: The default installation of Samba does not synchronize passwords. You may have to run "smbpasswd" for each user that needs to have access to his Ubuntu home directory from Microsoft Windows.

Windows Clients (XP,Server,Vista, Win7)
Microsoft Windows clients connect and browse through their corresponding network interface.
Example: XP clients can open Windows Network Neighborhood or My Network Places to browse available SMB shares.
Back to top
Samba Client - Manual Configuration
This section covers how to manually configure and connect to a SMB file server from an Ubuntu client. smbclient is a command line tool similar to a ftp connection while smbfs allows you to mount a SMB file share. Once a SMB share is mounted it acts similar to a local hard drive (you can access the SMB share with your file browser (nautilus, konqueror, thunar, other).

Connecting to a Samba File Server from the command line
Connecting from the command line is similar to a ftp connection.
List public SMB shares with

smbclient -L //server -U userConnect to a SMB share with

smbclient //server/share -U userEnter you user password.
You can connect directly with

smbclient //server/share -U user%passwordbut your password will show on the screen (less secure).
Once connected you will get a prompt that looks like this :

smb: \>Type "help" , without quotes, at the prompt for a list of available commands.
Back to top

Connecting using CIFS
CIFS is included in the smbfs package and is a replacement for smbfs (I know, the terminology here is a little confusing).
Reference : http://linux-cifs.samba.org/
As above, install by any method, smbfs.

Allow non-root users to mount SMB shares
By default only root may mount SMB shares on the command line. To allow non-root users to mount SMB shares you could set the SUID, but I advise you configure sudo. You should configure sudo with visudo
You may either allow the gruop "users" to mount SMB shares, or add a group, samba, and add users you wish to allow to mount SMB shares to the samba group.

sudo groupadd samba
sudo adduser user sambaChange "user" to the username you wish to add to the samba group.

sudo visudoIn the "group" section add your group you wish to allow to mount SMB shares

Add a line in the "group" section :
## Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%samba ALL=(ALL) /bin/mount,/bin/umount,/sbin/mount.cifs,/sbin/umount.cifsChange "%samba" to "%users" if you wish to allow members of the users group to mount SMB shares.
The following will mount the myshare folder on myserver to ~/mnt (it will be in your home directory):

mkdir ~/mnt
sudo mount -t cifs //myserver_ip_address/myshare ~/mnt -o username=samb_user,noexecNote: "samba_user" = the user name on the samba server (may be different from your log-in name on the client).
The "noexec" option prevents executable scripts running from the SMB share.
You will be asked for BOTH your sudo and then your samba_user password.
To umount,
sudo umount ~/mnt
Automagically mount SMB shares
In order to have a share mounted automatically every time you reboot, you need to do the following:
With any editor, create a file containing your Windows/Samba user account details:

gksu gedit /etc/samba/userKDE users must use kdesu rather than gksu and instead of Gedit they can use Kwrite as editor.
... it should contain two lines as follows:

username=samba_user
password=samba_user_passwordNote: "samba_user" = the user name on the samba server (may be different from your log-in name on the client). "samba_user_password" is the password you assigned to the samba_user on the samba server.
Save the file and exit gedit.
Change the permissions on the file for security:

sudo chmod 0400 /etc/samba/user # permissions of 0400 = read onlyNow create a directory where you want to mount your share (e.g. /media/samba_share):

sudo mkdir /media/samba_shareNow, using any editor, and add a line to /etc/fstab for your SMB share as follows:

sudo cp /etc/fstab /etc/fstab.bak
gksu gedit /etc/fstabAdd a line for your SMB share:

//myserver_ip_address/myshare /media/samba_share cifs credentials=/etc/samba/user,noexec 0 0The share will mount automatically when you boot. The "noexec" option prevents executable scripts running from the SMB share.
To mount the share now, without rebooting,

sudo mount /media/samba_shareYou can unmount the share with :

sudo umount /media/samba_shareIf you wish to increase security at the expense of convenience, use this line in /etc/fstab

//myserver_ip_address/myshare /media/samba_share cifs noauto,credentials=/etc/samba/user,noexec 0 0The noexec" option prevents executable scripts running from the SMB share.
Edit /etc/samba/user, remove the password (leave just the samba user).
Now the share will NOT automatically mount when you boot and you will be asked for your samba password.
Mount the share with :

sudo mount /media/samba_shareCIFS may cause a shutdown error.
CIFS VFS: Server not responding.There is a fix in the troubleshooting section of this forum post.
Back to top

Connecting using SMBFS (deprecated)
Note: This method still works, but as outlined under the "CIFS" section above is "deprecated" (no longer maintained and pending removal from the kernel).
Mounting a share on the local filesystem allows you to work around programs that do not yet use GnomeVFS to browse remote shares transparently. To mount a SMB share, first install smbfs:

sudo apt-get update
sudo apt-get install smbfsTo allow non root accounts to mount shares, change the permissions on the smbmnt program thus:

sudo chmod u+s /usr/bin/smbmnt /usr/bin/smbumount

--------------------------------------------------------------------------------


Note: This may be a security risk as after setting the SUID bit anyone can mount a SMB share. I advise you configure sudo, as above.
The working line in /etc/sudoers is as follows (see CIFS section above):

%samba ALL=(ALL) /bin/mount,/bin/umount,/sbin/mount.cifs,/sbin/umount.cifs,/usr/bin/smbmount,/usr/bin/smbumountThis allows any user in the samba group to mount SMB shares (you will need to create a samba group and add users).
The following will mount the myshare folder on myserver to ~/mnt (it will be in your home directory):


--------------------------------------------------------------------------------



mkdir ~/mnt
smbmount //myserver/myshare ~/mntTo umount,
smbumount ~/mntIn order to have a share mounted automatically every time you reboot, you need to do the following:
Open a shell as root

sudo -sCreate a file containing your Windows/Samba user account details:

vi /etc/samba/user...it should contain two lines as follows:
username=george
password=secretChange the permissions on the file for security:

chmod 0600 /etc/samba/userNow create a directory where you want to mount your share (e.g. /mnt/data):

mkdir /mnt/dataNow edit the file system table (/etc/fstab) and add a line as follows:

//server/share /mnt/data smbfs credentials=/etc/samba/user,rw,uid=bob 0 0...where 'bob' is the non-root user you log into ubuntu with, 'server' is the name or address of the Windows machine and 'share' is the name of the share.
To mount the share now, just use the following command as root. It will mount automatically on subsequent reboots.

mount /mnt/datato be continued...

Ubuntu Client
On the Ubuntu client using the menu at the top, go to "Places" -> "Network". You will see an icon "Windows network" and should be able to browse to your shared folder. You will be asked for a password, leave it blank. Click the "Connect button.
(no need for a password).
If you would like to mount your SMB share using your (server) hostname rather than the IP Address, edit /etc/hosts and add your samba server (syntax IP Address hostname).

192.168.1.100 hostnameWhere "hostname" = the name of your samba server.

Windows Client
On Windows open "My Computer" and navigate to "My Network Places". Navigate to your Ubuntu server and your share will be available without a password.
Alternate : From the menu at the top select "Tools" -> "Map Network Drive". Select an available letter for your SMB share (Default is z: ). In the "Folder:" box enter \\samba_server_ipaddress\share. Tic (Select with the mouse) the option "Reconnect at login" if you want the share to be automatically mounted when you boot Windows. Click the "Finish" box. A dialog box will appear, enter your samba user name and password. Click "OK".
If you would like to mount your SMB share using your (server) hostname rather than the IP Address, edit C:\WINDOWS\system32\drivers\etc\hosts and add your samba server (syntax IP Address hostname).

192.168.1.100 hostnameWhere "hostname" = the name of your samba server. Back to top
Samba Server Configuration - Graphical
Note: For Ubuntu 8.04 (Hardy) and later, shared folders are created directly from the folder. Browse to the location of the folder you would like to share, right-click the folder, and choose Sharing Options. Click the Share this folder.
This section should allow you to "quick start" SMB shares between Ubuntu and either Ubuntu or Windows servers. The gui method is easier to work with, because:
1.Shares are Public (browsable in Network Places) 2.A password is not set for shares (they can be mounted by anyone). However, remember that this is less secure.
Be warned you are installing a service (server) and you may wish to install a Firewall management utility to help prevent undesired access. See also the manual configuration sections below to learn how to "hide" your shares from browsing and set a password for access.

Ubuntu Server
This section enables Ubuntu as a samba file server.

Sharing a Folder
To share a directory you must have permission to access the directory. Go to your home directory ( Places -> Home folder). Right click on the "Documents" directory and in the pop up menu select "Share Folder".
If samba is not installed you will get a pop up menu "Sharing services are not installed". Select "Install Windows networks support (SMB)" and deselect "Install Unix networks support (NFS)" -> then click "Install services".
If you get an error message that the samba .deb could not be found, open a terminal and update apt-get.

sudo apt-get updateTry again and Ubuntu will download and install samba. Right click on the "Documents" directory and in the pop up menu select "Share Folder". You will get a pop up menu "Share Folder". Select "Windows networks (SMB)" in the pull down menu and give your share a name in the "Name" box. Unselect the "Read only" check box if you want read/write access to the share. Click the "Share" button.

Windows XP Server
This section enables Windows XP as a samba file server.

Sharing a Folder
1. On the Windows server, browse in explorer ("My Computer") to the location of the folder you wish to share (C:\Documents and Settings for example). Next right click on the folder to share and select "Sharing and Security...". In the pop-up dialog box click the "Sharing" tab. Click the "Network Setup Wizard" to configure your network to allow shares. Work your way through the wizard. Note the default workgroup is MSHOME. You may change this value if you like but all your computers should be in the same workgroup. Eventually you will be given the option to "Turn on file and printer sharing". This is the option you want, continue with the network wizard. You will have to restart your computer for the settings to take effect -> Restart Windows.
2. After rebooting, again open explorer ("My Computer") and navigate to the folder you wish to share. Again right click on the folder and select "Sharing and Security...". In the pop-up dialog box click the "Sharing" tab. In the "Network sharing and security" box, tic (select with the mouse) the "Share this folder on the network" box. Give the folder a share name. This will give read only access to Ubuntu computers via samba. To allow read/write access tic (select with the mouse) the "Allow network users to change my files" box. Click the "Apply" button and close the dialog box.
Back to top

Samba Server Configuration - Manual
Configuration is performed by reading and editing /etc/samba/smb.conf, the configuration file for the samba server.
There are a few graphical tools available such as "kdenetwork-filesharing" and "Swat".
A fairly comprehensive graphical Samba configuration tool is available for KDE, by installing the "kdenetwork-filesharing" package. Once install, you can find it by launching the KDE Control Center. (Alt-F2 and then type kcontrol). Browse to Internet & Network > Samba. It is fairly easy to use.
A less friendly but also graphical tool is Swat, a web-based interface.
The following tips show how to do some basic things without installing additional software, using the command line. It is not difficult, just be careful with typos.
First open a terminal: Applications > System Tools > Terminal and open the file smb.conf

sudo nano -w /etc/samba/smb.confHow to Save: To save in nano use "CTRL-O", then "CTRL-X".
Tip: Replacing nano with gedit gives you a nice graphical editor.
The file *smb.conf* is divided in several sections:

Global Settings
Debugging/Accounting
Authentication
Printing
File sharing
Misc
Share DefinitionsComments may start with either a # or a ;

Global Settings
Let's start with Global Settings. Here you will see several lines, which you can also see in the graphical networktool like workgroup and wins server. If you changed everything to your liking already then you can skip this section, if not change to what you need. If you do not know what items mean, leave them be and read the relevant part in the real Samba-howto instead of randomly changing them. It will save you trouble-shooting later.

File Sharing (Basics)
The important part for us is File sharing. Samba shares are named in brackets, [ ], and configured by adding options in the lines that follow. Most options are boolean (yes / no).
We need to change:

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = noThis describes your /home folder. Usually you want to share this folder in a home-environment, because these are the files you want to share. To do so, make the following changes:

[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = noThis finishes sharing your /home folder. The last thing we need to do is fixing a user.
Add users who can access your shares with the 'smbpasswd' command.

sudo smbpasswd -a username

New SMB password:
Retype new SMB password:
Added user username.NOTE: the username used here should be a real user setup on your PC/Server. Reload Samba for every change to users/passwords or 'smb.conf'

sudo /etc/init.d/samba reloadThat's the basis of Samba file-sharing. Please leave your comments about what else is needed here.
- Can/should the SMB password be different from the user's system password? MartinSpacek - 2007-11-19
Back to top
File Sharing (Advanced)
We started with the base of Samba file-sharing. The above-mentioned items should be enough to get you started. Next we will add details that you might or might not need.

If you have more than one network card
If you have more than one network card (or interface) then you have to define where you want Samba to run. In smb.conf under the [global] section, add:

interfaces = 127.0.0.1, 192.168.0.31/24
bind interfaces only = yesThe first address (127.0.0.1), is a loopback network connection (it's your own machine). The second address (192.168.0.31), is the address of the card you want Samba to run on, the second number (24) is the subnet default for a CLASS-C network. It may vary depending on your network.
With "bind interfaces only" you limit which interfaces on a machine will serve SMB requests.
You can limit which IP address can connect to your Samba server adding these lines:

hosts allow = 127.0.0.1, 192.168.0.31, 192.168.0.32
hosts deny = 0.0.0.0/0The loopback address must be present in the first line. The second line deny access from all IP address not in the first line.
Back to top

Private and public shares in same config
First you'll want to set this up in the [global] section of your smb.conf

[global]
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobodysecurity = user restricts logins to users on your server. encrypt passwords = true is necessary for most modern versions of Windows to login to your shares. map to guest = bad user will map login attempts with bad user names to the guest account you specify with guest account = nobody. That is, if you attempt to login to the share with a user name not set up with smbpasswd the you will be logged in as the user nobody.
Next the private share

[private]
comment = Private Share
path = /path/to/share/point
browseable = no
read only = noIf browsable is set to no the share will not show up on graphical browsers such a "My Network Places" on Windows or Places -> Network on Ubuntu.
path is the path to the directory that you want to share out. browseable = no will have the share not show up when users browse the network. read only = no will let you, as an authenticated user, write to the share.
Finally, the public share

[public]
comment = Public Share
path = /path/to/share/point
read only = no
guest only = yes
guest ok = yesAgain, path is the path to the directory that you want to share out. read only = no will allow users to write to this share. guest only = yes and guest ok = yes will allow guest logins and also force users to login as guests. The user you specified with guest account in the [global] section must have write permissions on /path/to/share/point in order to write files to the share.
Note: When Windows attempts to access a SMB share it will use the current Windows user name and password. The map to guest = bad user trick above allows access to the public share only if you give Samba an incorrect user name. If you give it a valid user name, but a bad password, the login will fail and Windows will give you a password prompt when you try to access the share. If you have the same user name for your Windows machine and your Ubuntu machine, you could be unwittingly giving the Samba server a valid user name, but invalid password. To resolve this you will either have to change the Windows user name, or to remove that user name from the Samba password file with sudo smbpasswd -x [username].
Note: The above uses security = user. To access the private shares you will have to make sure the user exists in smbpasswd. These users must also already exist as normal users on your machine. You add users to smbpasswd simply by running sudo smbpasswd -a [username] and giving a password.

Setting permissions
To set permissions of newly created documents / files edit /etc/samba/smb.conf and in the [global] section add :

create mask = 0644
directory mask = 0755Back to top

Sharing CUPS Printers

Graphical Configuration

Setup Ubuntu Print Server
1.In your menu go to System -> Administration -> Printing
2.Under "Local Printers" on the left, select the printer you wish to share. Select the "Policies" tab on the right and make sure the "Shared" box is selected.
Ubuntu Client
1.Again go to System -> Administration -> Printing
2.Click "New Printer" in the upper right. In the next menu select "Windows Printer via SAMBA". Now enter your Ubuntu Samba Print Server (set up as above) IP address in the box on the left titled "smb://". Click the "Browse" button. 3.Select the printer in the "SMB Browser" window (Click on the little arrows). Once you have selected your printer, check the "Authentication required" and enter your samba user name and password. Then click the "Verify" button. You should see confirmation that the share is available. 4.Click the "Forward" button and install the drivers for your printer as you would for any other printer.
Windows Client
1.Go to Control Panel -> Printers
2.Click "Add a printer" on the upper left. The printer wizard will start -> click forward. Select Network Printer and click "Next". Select "Browse for a printer" (Top button) and click "Next". In the next window, navigate to your Ubuntu Samba Print Server and click "Next". Continue with the printer and driver installation.
For more information, see NetworkPrintingFromWinXP.
Back to top

Manual Server Configuration
If You would like to share Your printers make the following changes to Samba:
If not already done create the Samba-user You want the share to be used by.
In smb.conf uncomment and change the lines ending up with the following configuration:

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes

# [...] // Some BSD printing stuff, do not edit if You do not need to

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
printcap name = cupsand in the Share Definitions section append and/or modify the [printers] part ending up like this:

# ======================= Share Definitions =======================
# [...] // File and Folder sharing, do not edit if You do not need to

[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = yes
writable = no
create mode = 0700
printcap name = /etc/printcap
print command = /usr/bin/lpr -P%p -r %s
printing = cupsSome explanation what is done:
the [printers] part defines the default-behavior for all the printers that are mentioned in "printcap name". A sort of template how to create shares for these printers. This template is applied if "load printers" is set to true. For more detailed explanation refer to the Samba documentation.
And do not forget to reload Samba:

sudo /etc/init.d/samba reloadBack to top

Securing Samba
This section was started to give some general advise on security considerations and is not an exhaustive review of samba security.

/etc/samba/smb.conf
•Networking Section - use "hosts allow" and "hosts deny"
# hosts allow = 127.0.0.1 192.168.1.0/24
hostal allow = 127.0.0.1 192.168.1.1 192.168.1.2
hosts deny = 0.0.0.0/0hosts deny 0.0.0.0/0 = all others. •Shares ◦When defining a share, consider the following options : 1.browseable = no ~ Shares will not show up when browsing your network. 2.users = user1 user2 ~ List of users able to access the share When setting up a Samba share, you can limit the users who have access to your share

[private]
comment = Private Share
path = /path/to/share/point
browseable = no
read only = no
valid users = user1 user2 user3Now only samba users user1, user2, and user3 will have access to the share "private".

Firewall
Configure your firewall (iptables) to limit access to your server. Samba uses ports
•UDP ports 137 and 138 •TCP ports 139 and 445


https://help.ubuntu.com/community/SettingUpSamba