Chapter 21. File and Print Servers
21.1. Samba
SMB
) protocol. Modern versions of this protocol are also known as the common Internet file system (CIFS
) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB
allows it to appear as a Windows server to Windows clients.
Note
root
:
~]# yum install samba
21.1.1. Introduction to Samba
What Samba can do:
- Serve directory trees and printers to Linux, UNIX, and Windows clients
- Assist in network browsing (with NetBIOS)
- Authenticate Windows domain logins
- Provide Windows Internet Name Service (
WINS
) name server resolution - Act as a Windows NT®-style Primary Domain Controller (PDC)
- Act as a Backup Domain Controller (BDC) for a Samba-based PDC
- Act as an Active Directory domain member server
- Join a Windows NT/2000/2003/2008 PDC
What Samba cannot do:
- Act as a BDC for a Windows PDC (and vice versa)
- Act as an Active Directory domain controller
21.1.2. Samba Daemons and Related Services
smbd
, nmbd
, and winbindd
). Three services (smb
, nmb
, and winbind
) control how the daemons are started, stopped, and other service-related features. These services act as different init scripts. Each daemon is listed in detail below, as well as which specific service has control over it.
smbd
smbd
server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB
protocol. The default ports on which the server listens for SMB
traffic are TCP
ports 139
and 445
.
smbd
daemon is controlled by the smb
service.
nmbd
nmbd
server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB
traffic is UDP
port 137
.
nmbd
daemon is controlled by the nmb
service.
winbindd
winbind
service resolves user and group information received from a server running Windows NT, 2000, 2003, Windows Server 2008, or Windows Server 2012. This makes Windows user and group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain and Active Directory users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind
service is controlled separately from the smb
service.
winbind
daemon is controlled by the winbind
service and does not require the smb
service to be started in order to operate. winbind
is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and interdomain trust). Because winbind
is a client-side service used to connect to Windows NT-based servers, further discussion of winbind
is beyond the scope of this chapter.
winbind
for authentication, see Section 13.1.2.3, “Configuring Winbind Authentication”.
Note
21.1.4. Configuring a Samba Server
/etc/samba/smb.conf
) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. You can attach a printer to the system and print to it from the Windows machines on your network.
21.1.4.1. Graphical Configuration
21.1.4.2. Command-Line Configuration
/etc/samba/smb.conf
as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command as root
:
~]# service smb restart
/etc/samba/smb.conf
file:
workgroup = WORKGROUPNAME server string = BRIEF COMMENT ABOUT SERVER
/etc/samba/smb.conf
file (after modifying it to reflect your needs and your system):
Example 21.1. An Example Configuration of a Samba Server
[sharename] comment = Insert a comment here path = /home/share/ valid users = tfox carole writable = yes create mask = 0765
tfox
and carole
to read and write to the directory /home/share/
, on the Samba server, from a Samba client.
21.1.5. Starting and Stopping Samba
root
:
~]# service smb start
Important
net join
command before starting the smb
service. Also it is recommended to run winbind
before smbd
.
root
:
~]# service smb stop
restart
option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
root
:
~]# service smb restart
condrestart
(conditional restart) option only stops and starts smb
on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
Note
/etc/samba/smb.conf
file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart
or reload
is just as effective.
root
:
~]# service smb condrestart
/etc/samba/smb.conf
file can be useful in case of a failed automatic reload by the smb
service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root
:
~]# service smb reload
smb
service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig
, /usr/sbin/ntsysv
, or the Services Configuration Tool program. See Chapter 12, Services and Daemons for more information regarding these tools.
21.1.6. Samba Server Types and the smb.conf
File
/etc/samba/smb.conf
configuration file. Although the default smb.conf
file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
/etc/samba/smb.conf
file for a successful configuration.
21.1.6.1. Stand-alone Server
Anonymous Read-Only
/etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read-only file sharing. Two directives are used to configure anonymous access – map to guest = Bad user
and guest account = nobody
.
Example 21.2. An Example Configuration of a Anonymous Read-Only Samba Server
[global] workgroup = DOCS netbios name = DOCS_SRV security = user guest account = nobody # default value map to guest = Bad user [data] comment = Documentation Samba Server path = /export read only = yes guest ok = yes
Anonymous Read/Write
/etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only
directive to no
. The force user
and force group
directives are also added to enforce the ownership of any newly placed files specified in the share.
Note
force user
) and group (force group
) in the /etc/samba/smb.conf
file.
Example 21.3. An Example Configuration of a Anonymous Read/Write Samba Server
[global] workgroup = DOCS security = user guest account = nobody # default value map to guest = Bad user [data] comment = Data path = /export guest ok = yes writeable = yes force user = user force group = group
Anonymous Print Server
/etc/samba/smb.conf
file shows a sample configuration needed to implement an anonymous print server. Setting browseable
to no
as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV
using NetBIOS, the client can have access to the printer if the client is also part of the DOCS
workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver
directive is set to yes
. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
Example 21.4. An Example Configuration of a Anonymous Print Samba Server
[global] workgroup = DOCS netbios name = DOCS_SRV security = user map to guest = Bad user printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = yes printable = yes use client driver = yes browseable = yes
Secure Read/Write File and Print Server
/etc/samba/smb.conf
file shows a sample configuration needed to implement a secure read/write file and print server. Setting the security
directive to user
forces Samba to authenticate client connections. Notice the [homes]
share does not have a force user
or force group
directive as the [public]
share does. The [homes]
share uses the authenticated user details for any files created as opposed to the force user
and force group
in [public]
.
Example 21.5. An Example Configuration of a Secure Read/Write File and Print Samba Server
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = yes show add printer wizard = no printing = cups [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = yes printable = yes use client driver = yes browseable = yes
21.1.6.2. Domain Member Server
Active Directory Domain Member Server
Procedure 21.3. Adding a Member Server to an Active Directory Domain
- Create the
/etc/samba/smb.conf
configuration file on a member server to be added to the Active Directory domain. Add the following lines to the configuration file:[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
With the above configuration, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberosrealm
parameter is shown in all caps (for examplerealm = EXAMPLE.COM
). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, therealm
directive is required. If Active Directory and Kerberos are running on different servers, thepassword server
directive is required to help the distinction. - Configure Kerberos on the member server. Create the
/etc/krb5.conf
configuration file with the following content:[logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = false [realms] # Define only if DNS lookups are not working # AD.EXAMPLE.COM = { # kdc = server.ad.example.com # admin_server = server.ad.example.com # master_kdc = server.ad.example.com # } [domain_realm] # Define only if DNS lookups are not working # .ad.example.com = AD.EXAMPLE.COM # ad.example.com = AD.EXAMPLE.COM
Uncomment the[realms]
and[domain_realm]
sections if DNS lookups are not working.For more information on Kerberos, and the/etc/krb5.conf
file, see the Using Kerberos section of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards. - To join an Active Directory server, type the following command as
root
on the member server:~]#
net ads join -U administrator%password
Thenet
command authenticates asAdministrator
using the NT LAN Manager (NTLM) protocol and creates the machine account. Thennet
uses the machine account credentials to authenticate with Kerberos.Note
Sincesecurity = ads
and notsecurity = user
is used, a local password back end such assmbpasswd
is not needed. Older clients that do not supportsecurity = ads
are authenticated as ifsecurity = domain
had been set. This change does not affect functionality and allows local users not previously in the domain.
Windows NT4-based Domain Member Server
/etc/samba/smb.conf
file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf
file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
Example 21.6. An Example Configuration of Samba Windows NT4-based Domain Member Server
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes
/etc/samba/smb.conf
file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008 the /etc/samba/smb.conf
file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
Important
/etc/samba/smb.conf
file, join the domain before starting Samba by typing the following command as root
:
~]# net rpc join -U administrator%password
-S
option, which specifies the domain server host name, does not need to be stated in the net rpc join
command. Samba uses the host name specified by the workgroup
directive in the /etc/samba/smb.conf
file instead of it being stated explicitly.
21.1.6.3. Domain Controller
Important
Primary Domain Controller (PDC) Using tdbsam
tdbsam
password database back end. Replacing the aging smbpasswd
back end, tdbsam
has numerous improvements that are explained in more detail in Section 21.1.8, “Samba Account Information Databases”. The passdb backend
directive controls which back end is to be used for the PDC.
/etc/samba/smb.conf
file shows a sample configuration needed to implement a tdbsam
password database back end.
Example 21.7. An Example Configuration of Primary Domain Controller (PDC) Using tdbsam
[global] workgroup = DOCS netbios name = DOCS_SRV passdb backend = tdbsam security = user add user script = /usr/sbin/useradd -m "%u" delete user script = /usr/sbin/userdel -r "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/sbin/usermod -G "%g" "%u" add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u" # The following specifies the default logon script # Per user logon scripts can be specified in the user # account using pdbedit logon script = logon.bat # This sets the default profile path. # Set per user paths with pdbedit logon drive = H: domain logons = yes os level = 35 preferred master = yes domain master = yes [homes] comment = Home Directories valid users = %S read only = no [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon/scripts browseable = no read only = no # For profiles to work, create a user directory under the # path shown. # mkdir -p /var/lib/samba/profiles/john [Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = no browseable = no guest ok = yes profile acls = yes # Other resource shares ... ...
tdbsam
follow these steps:
- Adjust the
smb.conf
configuration file as shown in Example 21.7, “An Example Configuration of Primary Domain Controller (PDC) Usingtdbsam
”. - Add the
root
user to the Samba password database. You will be prompted to provide a new Samba password for theroot
user:~]#
smbpasswd -a root
New SMB password: - Start the
smb
service:~]#
service smb start
- Make sure all profile, user, and netlogon directories are created.
- Add groups that users can be members of:
~]#
groupadd -f users
~]#groupadd -f nobody
~]#groupadd -f ntadmins
- Associate the UNIX groups with their respective Windows groups.
~]#
net groupmap add ntgroup="Domain Users" unixgroup=users
~]#net groupmap add ntgroup="Domain Guests" unixgroup=nobody
~]#net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
- Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command:
~]#
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
Note
tdbsam
authentication back end. LDAP is recommended in these cases.
Primary Domain Controller (PDC) with Active Directory
21.1.7. Samba Security Modes
21.1.7.1. User-Level Security
security = user
directive is not listed in the /etc/samba/smb.conf
file, it is used by Samba. If the server accepts the client's user name and password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based user name and password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
/etc/samba/smb.conf
file, the security = user
directive that sets user-level security is:
[GLOBAL] ... security = user ...
Samba Guest Shares
security = share
parameter, follow the procedure below:
Procedure 21.4. Configuring Samba Guest Shares
- Create a username map file, in this example
/etc/samba/smbusers
, and add the following line to it:nobody = guest
- Add the following directives to the main section in the
/etc/samba/smb.conf
file. Also, do not use thevalid users
directive:[GLOBAL] ... security = user map to guest = Bad User username map = /etc/samba/smbusers ...
Theusername map
directive provides a path to the username map file specified in the previous step. - Add the following directive to the share section in the
/ect/samba/smb.conf
file. Do not use thevalid users
directive.[SHARE] ... guest ok = yes ...
Domain Security Mode (User-Level Security)
/etc/samba/smb.conf
file:
[GLOBAL] ... security = domain workgroup = MARKETING ...
Active Directory Security Mode (User-Level Security)
/etc/samba/smb.conf
file, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
21.1.8. Samba Account Information Databases
- Plain Text
- Plain text back ends are nothing more than the
/etc/passwd
type back ends. With a plain text back end, all user names and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method. smbpasswd
- The
smbpasswd
back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. Thesmbpasswd
back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. Thesmbpasswd
back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. Thetdbsam
back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution. ldapsam_compat
- The
ldapsam_compat
back end allows continued OpenLDAP support for use with upgraded versions of Samba. tdbsam
- The default
tdbsam
password back end provides a database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. Thetdbsam
back end includes all of thesmbpasswd
database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems.Thetdbsam
back end is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. ldapsam
- The
ldapsam
back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, see the Red Hat Directory Server 9.0 Deployment Guide. For more information on LDAP, see Section 20.1, “OpenLDAP”.If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (/usr/share/doc/samba-version/LDAP/samba.schema
) and the Red Hat Directory Server schema file (/usr/share/doc/samba-version/LDAP/samba-schema-FDS.ldif
) have changed. These files contain the attribute syntax definitions and objectclass definitions that theldapsam
back end needs in order to function properly.As such, if you are using theldapsam
back end for your Samba server, you will need to configureslapd
to include one of these schema file. See Section 20.1.3.3, “Extending Schema” for directions on how to do this.Note
You need to have the openldap-servers package installed if you want to use theldapsam
back end. To ensure that the package is installed, execute the following command asroots
:~]#
yum install openldap-servers
21.1.9. Samba Network Browsing
TCP
/IP
. NetBIOS-based networking uses broadcast (UDP
) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP
/IP
host name resolution, other methods such as static files (/etc/hosts
) or DNS
, must be used.
21.1.9.1. Domain Browsing
/etc/samba/smb.conf
file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration (see Section 21.1.4, “Configuring a Samba Server”).
21.1.9.2. WINS (Windows Internet Name Server)
/etc/samba/smb.conf
file in which the Samba server is serving as a WINS server:
Example 21.8. An Example Configuration of WINS Server
[global] wins support = yes
Note
21.1.10. Samba with CUPS Printing Support
21.1.10.1. Simple smb.conf
Settings
/etc/samba/smb.conf
configuration for CUPS support:
Example 21.9. An Example Configuration of Samba with CUPS Support
[global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = yes writable = no printable = yes printer admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john printer admin = ed, john
print$
directive contains printer drivers for clients to access if not available locally. The print$
directive is optional and may not be required depending on the organization.
browseable
to yes
enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain or workgroup.
21.1.11. Samba Distribution Programs
findsmb
findsmb <subnet_broadcast_address>
findsmb
program is a Perl script which reports information about SMB
-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP
address, NetBIOS name, workgroup or domain name, operating system, and version. The findsmb
command is used in the following format:
findsmb
as any valid user on a system:
~]$ findsmb
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25 VERVE [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26 STATION22 [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45 TREK +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94 PIXEL [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137 MOBILE001 [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141 JAWS +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159 FRED +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192 LEGION *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205 NANCYN +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]
net
net <protocol> <function> <misc_options> <target_options>
net
utility is similar to the net
utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The protocol
option can be ads
, rap
, or rpc
for specifying the type of server connection. Active Directory uses ads
, Win9x/NT3 uses rap
, and Windows NT4/2000/2003/2008 uses rpc
. If the protocol is omitted, net
automatically tries to determine it.
wakko
:
~]$ net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name Type Description
---------- ---- -----------
data Disk Wakko data share
tmp Disk Wakko tmp share
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
wakko
:
~]$ net -l user -S wakko
root password:
User name Comment
-----------------------------
andriusb Documentation
joe Marketing
lisa Sales
nmblookup
nmblookup <options> <netbios_name>
nmblookup
program resolves NetBIOS names into IP
addresses. The program broadcasts its query on the local subnet until the target machine replies.
IP
address of the NetBIOS name trek
:
~]$ nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>
pdbedit
pdbedit <options>
pdbedit
program manages accounts located in the SAM database. All back ends are supported including smbpasswd
, LDAP, and the tdb database library.
~]$pdbedit -a kristin
new password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$pdbedit -v -L kristin
Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$pdbedit -L
andriusb:505: joe:503: lisa:504: kristin:506: ~]$pdbedit -x joe
~]$pdbedit -L
andriusb:505: lisa:504: kristin:506:
rpcclient
rpcclient <server> <options>
rpcclient
program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls
smbcacls <//server/share> <filename> <options>
smbcacls
program modifies Windows ACLs on files and directories shared by a Samba server or a Windows server.
smbclient
smbclient <//server/share> <password> <options>
smbclient
program is a versatile UNIX client which provides functionality similar to the ftp
utility.
smbcontrol
smbcontrol -i <options>
smbcontrol <options> <destination> <messagetype> <parameters>
smbcontrol
program sends control messages to running smbd
, nmbd
, or winbindd
daemons. Executing smbcontrol -i
runs commands interactively until a blank line or a 'q'
is entered.
smbpasswd
smbpasswd <options> <username> <password>
smbpasswd
program manages encrypted passwords. This program can be run by a superuser to change any user's password and also by an ordinary user to change their own Samba password.
smbspool
smbspool <job> <user> <title> <copies> <options> <filename>
smbspool
program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool
can work with non-CUPS printers as well.
smbstatus
smbstatus <options>
smbstatus
program displays the status of current connections to a Samba server.
smbtar
smbtar <options>
smbtar
program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar
utility, the two are not compatible.
testparm
testparm <options> <filename> <hostname IP_address>
testparm
program checks the syntax of the /etc/samba/smb.conf
file. If your smb.conf
file is in the default location (/etc/samba/smb.conf
) you do not need to specify the location. Specifying the host name and IP
address to the testparm
program verifies that the hosts.allow
and host.deny
files are configured correctly. The testparm
program also displays a summary of your smb.conf
file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read. For example:
~]$testparm
Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions<enter>
# Global parameters [global] workgroup = MYGROUP server string = Samba Server security = SHARE log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = no [homes] comment = Home Directories read only = no browseable = no [printers] comment = All Printers path = /var/spool/samba printable = yes browseable = no [tmp] comment = Wakko tmp path = /tmp guest only = yes [html] comment = Wakko www path = /var/www/html force user = andriusb force group = users read only = no guest only = yes
wbinfo
wbinfo <options>
wbinfo
program displays information from the winbindd
daemon. The winbindd
daemon must be running for wbinfo
to work.
21.1.12. Additional Resources
Installed Documentation
/usr/share/doc/samba-<version-number>/
— All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation.- See the following man pages for detailed information specific Samba features:
- smb.conf(5)
- samba(7)
- smbd(8)
- nmbd(8)
- winbindd(8)
Related Books
- The Official Samba-3 HOWTO-Collection by John H. Terpstra and Jelmer R. Vernooij; Prentice Hall — The official Samba-3 documentation as issued by the Samba development team. This is more of a reference guide than a step-by-step guide.
- Samba-3 by Example by John H. Terpstra; Prentice Hall — This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations.
- Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly — A good resource for novice to advanced users, which includes comprehensive reference material.
Useful Websites
- http://www.samba.org/ — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Red Hat Enterprise Linux specific, some concepts may apply.
- http://samba.org/samba/archives.html — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
- Samba newsgroups — Samba threaded newsgroups, such as www.gmane.org, that use the
NNTP
protocol are also available. This an alternative to receiving mailing list emails.