Chapter 9. File Sharing (209)

Revision $Revision: 947 $ ($Date: 2012-07-19 14:03:32 +0200 (Thu, 19 Jul 2012) $)

This objective has a weight of 8 points and contains the following objectives:

Objective 209.1; Configuring a Samba Server (4 points)

Candidates should be able to set up a SAMBA server for various clients. This objective includes setting up Samba for login clients and setting up the workgroup in which a server participates and defining shared directories and printers. Also covered is configuring a Linux client to use a Samba server. Troubleshooting installations is also tested.

Objective 209.2; Configuring an NFS Server (4 points)

Candidates should be able to export filesystems using NFS. This objective includes access restrictions, mounting an NFS filesystem on a client and securing NFS.

Configuring a Samba Server (209.1)

Author: Willem Schreuder

Revision: $Revision: 947 $ ($Date: 2012-07-19 14:03:32 +0200 (Thu, 19 Jul 2012) $)

Resources: Sharpe01; the man pages for the various commands.

Key Knowledge Areas

Samba 3 documentation

Samba configuration files

Samba tools and utilities

Mounting Samba shares on Linux

Samba daemons

Mapping Windows usernames to Linux usernames

User-Level and Share-Level security

The following is a partial list of the used files, terms and utilities:

smbd, nmbd
smbstatus, testparm, smbpasswd, nmblookup
smbclient
net
/etc/smb/*
/var/log/samba/

What is Samba?

Samba implements the Server Message Block (or SMB for short) protocol. This is the protocol used by Microsoft to implement file and printer sharing. By installing Samba on a Linux machine, machines running the Windows Operating System and other platforms for which an SMB client is available can connect to the Linux machine and thus use files and printers made available by the Linux machine.

Samba is available for many platforms including Linux, AIX, HP-UX, SunOS, FreeBSD, OS/2, AmigaOS. Consult Samba, Opening Windows To A Wider World, for further information on platforms supporting Samba and for downloading a binary or source distribution for your platform.

Installing the Samba components

Depending on your distribution, you can

  • get the sources and compile them yourself

  • install the package using rpm (Red Hat, SuSE etc.)

  • install the package using apt-get or aptitude (Debian, Ubuntu)

Samba can be run either from inetd or as daemons. When run via inetd you save some memory and you can use tcpwrappers for extra security. When run as daemons, the server is always ready and sessions are faster.

If you wish to use encrypted passwords, you will need to have a separate /etc/samba/smbpasswd file because the layout differs from /etc/passwd. During installation, you can choose to have /etc/samba/smbpasswd generated from your /etc/passwd file. If you choose not to do so, you must use smbpasswd to set individual passwords for users.

Samba consists of two daemons: nmbd and smbd.

nmbd, the NetBIOS Name Service Daemon, handles NetBIOS name lookups and WINS requests. If you've told Samba to function as a WINS Server, an extra copy of nmbd will be running. Additionally, if DNS is used to translate NetBIOS names, yet another copy of nmbd will be running.

smbd, the Server Message Block Daemon, handles file and print access. For each client connected to the server, an extra copy of smbd runs.

Samba uses both the UDP and TCP protocols.

TCP is used for file and printer sharing on port 139.

UDP is used for the registration and translation of NetBIOS names, and for browsing the network. Port 137 is used for name service requests and responses. Port 138 is used for datagram services to transmit small amounts of data, such as server announcements.

Configuration

Samba is configured via /etc/samba/smb.conf. This file consists of sections containing configuration options. The name of the section is the name of the shared resource. There are three special sections: [global], [homes] and [printers]. These contain configurations for global settings, home folders (a share with the same name as the authenticated user) and printers respectively.

Configuration options

Unix password sync

This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd program parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

Veto files

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards. Each entry must be a unix path, not a DOS path and must not include the unix directory separator '/'.

username map

This option allows you to map the client-supplied username to another username on the server. The most common usage is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. Another usage is to map multiple users to a single username so that they can more easily share files. The username map is a file where each line should contain a single UNIX username on the left, then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group, in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long. If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.
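The processing order described above decides which account a client ends up as, so it is worth tracing. The following resolver is an added example, not part of the original text or of Samba itself; the accounts imgshare and guest, the group imaging and both sample maps are constructed, and comment lines, quoted names and case-insensitive matching are assumptions taken from smb.conf(5) rather than from the paragraph above.

```python
import shlex

# Constructed sample: no '!' anywhere, wildcard line last.
MAP_WITHOUT_STOP = """\
# client names on the right, UNIX name on the left
willem = wschreuder "Willem Schreuder"
imgshare = @imaging
guest = *
"""

# Same rules, but the specific lines stop processing once they have matched.
MAP_WITH_STOP = """\
!willem = wschreuder "Willem Schreuder"
!imgshare = @imaging
guest = *
"""

# Constructed stand-in for the UNIX group database.
GROUPS = {"imaging": ["rc564"]}


def parse_username_map(text):
    """Return a list of (unix_name, client_names, stop_if_mapped) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, right = line.partition("=")
        if not sep or not unix_name.strip():
            continue  # malformed line, skipped
        # shlex keeps a double-quoted name containing spaces as one entry.
        rules.append((unix_name.strip(), shlex.split(right), stop))
    return rules


def matches(name, client_names, groups):
    """True if name is listed, is in a listed @group, or the list holds '*'."""
    wanted = name.lower()  # case-insensitive comparison: assumption of this sketch
    for entry in client_names:
        if entry == "*":
            return True
        if entry.startswith("@"):
            if wanted in (m.lower() for m in groups.get(entry[1:], ())):
                return True
        elif entry.lower() == wanted:
            return True
    return False


def map_username(name, rules, groups):
    """Apply every rule in file order; a matching '!' rule ends processing."""
    for unix_name, client_names, stop in rules:
        if matches(name, client_names, groups):
            name = unix_name  # later lines see the already mapped name
            if stop:
                break
    return name


if __name__ == "__main__":
    for label, text in (("without !", MAP_WITHOUT_STOP), ("with !", MAP_WITH_STOP)):
        rules = parse_username_map(text)
        for client in ("wschreuder", "Willem Schreuder", "rc564", "stranger"):
            print(f"{label:10} {client!r:20} -> {map_username(client, rules, GROUPS)}")
```

Without the '!' markers every client name falls through to the wildcard line and ends up as guest; with them, only names that matched nothing earlier do.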

path

This parameter specifies a directory to which the user of the service is to be given access. If this is omitted in the [homes] section, it defaults to the user's home directory. If it is used in the [homes] section, the %S macro expands to the username.

Samba commands

smbstatus - report on current Samba connections. smbstatus is a very simple program to list the current Samba connections.

	$ smbstatus

	Samba version 3.5.6
	PID     Username      Group         Machine
	-------------------------------------------------------------------
	
	Service      pid     machine       Connected at
	-------------------------------------------------------
	
	No locked files
	

testparm - check an smb.conf configuration file for internal correctness. If testparm finds an error in the smb.conf file it returns an exit code of 1 to the calling program, else it returns an exit code of 0. This allows shell scripts to test the output from testparm.

smbpasswd - change a user's SMB password. By default (when run with no arguments) it will attempt to change the current user's SMB password on the local machine. This is similar to the way the passwd(1) program works.

smbpasswd (5) - the Samba encrypted password file. smbpasswd is the Samba encrypted password file. It contains the username, Unix user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed. This file format has been evolving with Samba and has had several different formats in the past.

nmblookup - NetBIOS over TCP/IP client used to look up NetBIOS names. nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.

smbclient - ftp-like client to access SMB/CIFS resources on servers. smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program (see ftp(1)). Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

net - tool for administration of Samba and remote CIFS servers. The Samba net utility is meant to work just like the net utility available for Windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for Active Directory, RAP is used for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols.

Samba configuration directory /etc/smb or /etc/samba.

The LPI objectives ask for knowledge about /etc/smb/*. In some distributions /etc/samba is used instead. Files and folders that exist in /etc/smb or /etc/samba are:

  • lmhosts - the Samba NetBIOS hosts file

  • smb.conf - the configuration file for the Samba suite

  • netlogon - the logon directory for user logon

Samba logging in /var/log/samba directory.

The /var/log/samba directory contains different log files, such as log.nmbd and log.smbd. In the smb.conf file some parameters are available to tune the logging of samba. Below are some log parameters as seen in a samba 3 smb.conf file.

	#### Debugging/Accounting ####
		
	# This tells Samba to use a separate log file for each machine
	# that connects
   	log file = /var/log/samba/log.%m
		
	# Cap the size of the individual log files (in KiB).
   	max log size = 1000
		
	# If you want Samba to only log through syslog then set the following
	# parameter to 'yes'.
	#   syslog only = no
		
	# We want Samba to log a minimum amount of information to syslog. Everything
	# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
	# through syslog you should set the following parameter to something higher.
   	syslog = 0
		
	# Do something sensible when Samba crashes: mail the admin a backtrace
   	panic action = /usr/share/samba/panic-action %d
  

An example of the functionality we wish to achieve

The example below was configured with Samba 2, whereas the LPI objectives mention Samba 3.

We've got three machines connected via a network. The machines Yoda and windoosje contain files the other machines must be able to manipulate. Also, the machines must be able to use each other's printers. Yoda is running Linux and has Samba installed. windoosje is running Microsoft Windows 2000 and pug is running Linux and has smbclient installed to be able to function as a Samba client.

We want to share just parts of the filesystems on Yoda and windoosje.

The public share on Yoda should be available to everyone.

The img0 share on Yoda should be available to the user willem only.

The img1 share on Yoda should be available to both the users willem and rc564.

The home directories on Yoda should be available to their respective users.

On the Windows 2000 machine we've got some generic files in the directories f:\winshare1 and f:\winshare2 we wish to make available to the Linux machine running Samba.

Accessing Samba shares from Windows 2000

Since I am using the Windows 2000 machine as a workstation, I didn't feel the need for domains, primary or otherwise. Instead, I have told the Windows 2000 machine that it is part of the workgroup falcon.

I have included the /etc/samba/smb.conf file that contains the settings to make directories accessible from Windows 2000. Note that case doesn't matter to Microsoft Windows but does matter to Linux when writing workgroup names and machine names. Please read the comments before continuing:

        
#------------------------------------------------------------ 
# This is: /etc/samba/smb.conf
#
#------------------------------------------------------------ 

[global]
#------------------------------------------------------------ 
# This section contains the global server settings and the
# defaults that will be used for the parameters of the other
# sections if they are not specifically assigned other values 
# in those other sections.
#
# Samba joins the FALCON workgroup
#------------------------------------------------------------ 
        workgroup = FALCON

# Describe the server to the clients
#------------------------------------------------------------ 
        server string = Linux Samba Server %L

# Only allow connections from machines on our LAN
#------------------------------------------------------------ 
        hosts allow = 192.168.2.0/255.255.255.0

# Windows 2000 uses encrypted passwords, so do we
#------------------------------------------------------------ 
        encrypt passwords = yes

# Tell Samba to use smbpasswd file for user validation
#------------------------------------------------------------ 
        security = user
        smb passwd file = /etc/samba/smbpasswd

# Make the server also available as Yoda1 to enable connection
# from Windows as another user
#------------------------------------------------------------ 
        netbios name = Yoda
        netbios aliases = Yoda1

# Access from clients will be logged in log.<NetBIOS name>
#------------------------------------------------------------ 
        log file = /var/log/samba/log.%m

[homes]
#------------------------------------------------------------ 
# This section enables the users that have an account and a
# homedirectory on the Linux Samba Server to access and modify
# the contents of that directory from a Samba client.
#
# Describe the share to the user
#------------------------------------------------------------ 
        comment = %U's homedirectory on %L from %m

# Do not show the homes share itself when browsing
#------------------------------------------------------------ 
        browsable = no

# Allow the user to write in his home directory
#------------------------------------------------------------ 
        writeable = yes

[public]
#------------------------------------------------------------ 
# This section defines a public share available for reading
# and writing for anyone on our LAN
#------------------------------------------------------------ 
        comment = Public Storage on %L
        path = /home/samba

# Show the public share when browsing
#------------------------------------------------------------ 
        browsable = yes

# Allow everyone to write in this directory
#------------------------------------------------------------ 
        writeable = yes

[img0]
#------------------------------------------------------------ 
# This section defines imaging share #0
#
# Describe the share to the user
#------------------------------------------------------------ 
        path = /img0
        comment = %U's Imaging Share #0 on %L from %m

# Show the img0 share itself when browsing
#------------------------------------------------------------ 
        browsable = yes

# Allow the user to write in this directory
#------------------------------------------------------------ 
        writeable = yes

# Restrict access to valid users
#------------------------------------------------------------ 
        valid users = willem

[img1]
#------------------------------------------------------------ 
# This section defines imaging share #1
#
# Describe the share to the user
#------------------------------------------------------------ 
        path = /img1
        comment = %U's Imaging Share #1 on %L from %m

# Show the img1 share itself when browsing
#------------------------------------------------------------ 
        browsable = yes

# Allow the user to write in this directory
#------------------------------------------------------------ 
        writeable = yes

# Restrict access to valid users
#------------------------------------------------------------ 
        valid users = willem,rc564

The sections [global], [homes] and [printers] are so called special sections.

The [global] section contains the parameters that are applicable for the whole server and the defaults that will be used for the parameters that are not mentioned in other sections.

The [homes] section makes it possible for users to connect to their home directories. The share name homes is changed by the server to the username. If you want to use some other directory instead of the user's home directory, you can do this by specifying the path. If you want to use the directory /home/sambahomes/<user> as the home directory, for instance, you can do this by setting the path parameter as follows:

path=/home/sambahomes/%S
                        

The %S macro will be substituted by the user's name. Please consult the man page of smb.conf (man smb.conf) for information on the other macros that are available.

The [printers] section is used for giving access to the printers and will be described later in this chapter.
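Whether the configuration really grants what was intended (public for everyone, img0 for willem only, img1 for willem and rc564) can be checked mechanically. The following audit is an added example, not part of the original chapter or of the Samba suite; it embeds an abbreviated copy of the smb.conf above, and the function names, the EXPECTED table and the wording of the findings are assumptions made for this illustration.

```python
import re

# Abbreviated copy of the chapter's smb.conf (comments and cosmetic options dropped).
SMB_CONF = """\
[global]
        workgroup = FALCON
        hosts allow = 192.168.2.0/255.255.255.0
        encrypt passwords = yes
        security = user
[homes]
        browsable = no
        writeable = yes
[public]
        path = /home/samba
        writeable = yes
[img0]
        path = /img0
        writeable = yes
        valid users = willem
[img1]
        path = /img1
        writeable = yes
        valid users = willem,rc564
"""

# Who the chapter says may use each share; None means "everyone".
EXPECTED = {"public": None, "img0": {"willem"}, "img1": {"willem", "rc564"}}

SYNONYMS = {"writable": "writeable", "writeok": "writeable", "browsable": "browseable"}
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
            continue
        name, sep, value = line.partition("=")
        if not sep or section is None:
            continue
        # Case and whitespace in parameter names are not significant.
        key = re.sub(r"\s+", "", name).lower()
        key, value = SYNONYMS.get(key, key), value.strip()
        if key == "readonly":  # inverted synonym of writeable
            key, value = "writeable", "no" if value.lower() in TRUE else "yes"
        section[key] = value
    return conf


def share_access(conf):
    """Return {share: (writeable, users)}; users is None when no list restricts it."""
    defaults = conf.get("global", {})
    access = {}
    for name, params in conf.items():
        merged = {**defaults, **params}
        if name == "global" or merged.get("printable", "no").lower() in TRUE:
            continue
        users = set(re.split(r"[,\s]+", merged.get("validusers", "").strip())) - {""}
        access[name] = (merged.get("writeable", "no").lower() in TRUE, users or None)
    return access


def audit(text, expected):
    """Return findings: global hardening gaps and shares that differ from policy."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "user").lower() == "share":
        findings.append("global: share-level security (password per share, not per user)")
    # Samba 3 defaults to encrypted passwords; Samba 2 needed the explicit setting.
    if glob.get("encryptpasswords", "yes").lower() not in TRUE:
        findings.append("global: passwords cross the network unencrypted")
    if "hostsallow" not in glob:
        findings.append("global: no 'hosts allow', any address may connect")
    access = share_access(conf)
    for share, allowed in expected.items():
        if share not in access:
            findings.append(f"{share}: share is not defined")
            continue
        _, users = access[share]
        if users != allowed:
            got = ", ".join(sorted(users)) if users else "any authenticated user"
            findings.append(f"{share}: open to {got}")
    return findings


if __name__ == "__main__":
    print(audit(SMB_CONF, EXPECTED) or "configuration matches the intended access")
```

Run against the configuration above it reports no findings; delete the valid users line from [img0] and the share is reported as open to any authenticated user.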

After creating the /etc/samba/smb.conf file, Samba must be restarted if it's already running or started if it's not:

# /etc/init.d/samba restart
or
# /etc/init.d/samba start
                        

Now the samba passwords, which do not have to be identical to the Linux passwords, must be set. If a user already exists in the samba password file, you can use the command without the -a flag.

# smbpasswd [-a] user
                        

Making the first connection from Windows 2000

Let's say you are the user willem on the Windows 2000 machine, and you enter \\yoda in the browser. You will be presented with a dialog (illustrated below, which you probably won't be able to read because it's in Dutch) asking you to enter your username and accompanying password.

After entering the correct username and password, you will have access to your shares as shown below:

After opening the img0 share, another smbd process will be started by the already running smbd process:

# ps x -o pid,ppid,command

  PID  PPID COMMAND
    1     0 init [2] 
...
26750     1 /usr/sbin/smbd -D
26753 26750 /usr/sbin/smbd -D
...
                                

As you can see by looking at the process id (PID), the last /usr/sbin/smbd started is 26753 which has a process parent id (PPID) of 26750, also a /usr/sbin/smbd, and whose parent has a PPID of 1, which is the init process.

You can also use the smbstatus command to ask the system who is using which shares and which files are locked at the moment:

# smbstatus

Samba version 2.0.8
Service      uid      gid      pid     machine
----------------------------------------------
img0         willem   willem   26753   windoosje (192.168.2.11) Sat Feb 16 12:17:05 2002

No locked files

Share mode memory usage (bytes):
   1048464(99%) free + 56(0%) used + 56(0%) overhead = 1048576(100%) total
                                

As you can see, the user willem is accessing the img0 share and has no files locked. You will probably almost never see file locks because their lifespan is so short. The file is only locked during saving. If you don't believe me, try this out with a file that takes several seconds to transport over the network, or drag and drop a complete directory, as I've done in the example that follows, to the img0 share while running the command smbstatus -L. The -L option will tell smbstatus to only show the locks:

# while true; do smbstatus -L; sleep 1; done

No locked files

No locked files

No locked files

Locked files:
Pid    DenyMode   R/W        Oplock           Name
--------------------------------------------------
26753  DENY_ALL   WRONLY     EXCLUSIVE+BATCH  /img0/Biljarten/2001-2002/JoSterkRoosters.exe   Sat Feb 16 13:12:51 2002

Locked files:
Pid    DenyMode   R/W        Oplock           Name
--------------------------------------------------
26753  DENY_ALL   WRONLY     EXCLUSIVE+BATCH  /img0/Biljarten/2000-2001/Arbiters.PX   Sat Feb 16 13:12:52 2002

Locked files:
Pid    DenyMode   R/W        Oplock           Name
--------------------------------------------------
26753  DENY_ALL   WRONLY     EXCLUSIVE+BATCH  /img0/Biljarten/2000-2001/BasisForm112.~dfm   Sat Feb 16 13:12:53 2002

... 

No locked files
                                

Making the second connection from Windows 2000

Now let's see if the same works for the user rc564 by logging in to Windows 2000 as that user and entering \\Yoda in the browser:

After entering the correct user and password combination, you will have access to your shares as shown below:

If everything is as it should be, the user rc564 should not be able to write to the img0 share and should be able to write to the img1 share.

If you try to access the img0 share, a window will appear saying the password is wrong or that the username is unknown for the share. You will then have the opportunity to enter a username and password:

As expected, this doesn't work because the user rc564 is not authorized to do this. But there is more to this than meets the eye. What if we were to connect as the user willem with the correct password? That should work, shouldn't it? Well, let's see:

After hitting the OK button, we get the following response:

Which, translated, says that the share \\yoda\img0 is not accessible because the submitted set of references (username and password) is in conflict with an existing set of references.

The cause of this seems to be that there already is a connection as rc564 to Yoda. To prove it, let's connect to the server as the user willem by using the alias \\Yoda1, which is a NetBIOS alias for \\Yoda, while keeping the connection as the user rc564 alive:

After hitting the OK button the next window appears showing that we've got a connection:

To prove that we also have write access, we create a text file:

Finally we use the command smbstatus to show that we really have two simultaneous connections:

Samba version 2.0.8
Service      uid      gid      pid     machine
----------------------------------------------
public       rc564    rc564    28305   windoosje (192.168.2.11) Sat Feb 16 13:48:35 2002
img0         willem   willem   28357   windoosje (192.168.2.11) Sat Feb 16 14:19:02 2002
                                

Whether this is a Windows quirk or not will be demonstrated in the next section, where we'll try the same sequence from a Linux Samba client.

Accessing Windows or Samba shares from a Linux Samba client

With smbclient

The command smbclient implements an ftp-like interface to the Samba shares.

You can use smbclient to find out which shares are available on the Windows machine (\\windoosje) by issuing the following command:

pug:~# smbclient -L windoosje -W falcon -U rc564
Password: ******
Domain=[FALCON] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       Externe IPC
        F$             Disk      Standardshare
        ADMIN$         Disk      Remote Management
        C$             Disk      Standardshare
        WinShare#1     Disk      Word Documents
        WinShare#2     Disk      Excel Sheets
                                

And on the Linux Samba Server \\Yoda as well:

pug:~# smbclient -L \\yoda -W falcon -U rc564
Password:  ******
Domain=[FALCON] OS=[Unix] Server=[Samba 2.0.8]

        Sharename      Type      Comment
        ---------      ----      -------
        public         Disk      Public Storage on yoda
        img0           Disk      rc564's Imaging Share #0 on yoda from pug
        img1           Disk      rc564's Imaging Share #1 on yoda from pug
        IPC$           IPC       IPC Service (Linux Samba Server yoda)
        rc564          Disk      rc564's homedirectory on yoda from pug

        Server               Comment
        ---------            -------
        YODA                 Linux Samba Server yoda
        YODA1                Linux Samba Server yoda
                                

Let's connect to \\windoosje\WinShare#1 to get a file:

pug:~# smbclient //windoosje/WinShare#1 -W falcon -U rc564
Password:  ******
Domain=[FALCON] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> 
                                

We've now got a connection. As with the ftp client, you can type help to find out which commands are available:

smb: \> help
?              altname        archive        blocksize      cancel         
cd             chmod          chown          del            dir            
du             exit           get            help           history        
lcd            link           lowercase      ls             mask           
md             mget           mkdir          more           mput           
newer          open           print          printmode      prompt         
put            pwd            q              queue          quit           
rd             recurse        rename         rm             rmdir          
setmode        symlink        tar            tarmode        translate      
!              
                                

Finding out which files are available is done by issuing either the ls or the dir command:

smb: \> ls
  .                                   D        0  Tue Feb 19 10:54:12 2002
  ..                                  D        0  Tue Feb 19 10:54:12 2002
  Jo Sterk - Sponsoring.doc           A   107008  Sat Jul  7 11:05:34 2001
  Contributie_2001.doc                A    27648  Thu Jan 11 16:50:52 2001

                38461 blocks of size 262144. 37673 blocks available
smb: \> 
                                

As with an ftp client, you can download a file with the get or mget command:

smb: \> mget contr*
Get file Contributie_2001.doc? y
getting file Contributie_2001.doc of size 27648 as Contributie_2001.doc (52.9 kb/s) (average 52.9 kb/s)
smb: \> 
                                

As you can see, the command is case insensitive and wildcards can be used.

With smbmount

You can also mount the share as you would any other filesystem. This is done with the smbmount command. To be able to use the command smbmount, support for the SMB filesystem must be compiled into the kernel. You'll find the smbfs option in the filesystems section.

In the previous section, I promised to make connections from a Linux Samba client to the Linux Samba server as two different users to see if this can be done without using aliases. We'll try to make a connection as the user willem to his home directory on \\Yoda and as the user rc564 to the public share. Here we go:

# mkdir /mnt/sh1          mountpoint for the first share
# mkdir /mnt/sh2          mountpoint for the second share
# smbmount //yoda/willem /mnt/sh1 -o username=willem
Password: *******
# smbmount //yoda/public /mnt/sh2 -o username=rc564
Password: ******
# mount
...
//yoda/willem on /mnt/sh1 type smbfs (0)
//yoda/public on /mnt/sh2 type smbfs (0)
                                

So, this worked nicely. Let's ask the Samba Server which shares are in use at the moment:

# smbstatus

Samba version 2.0.8
Service      uid      gid      pid     machine
----------------------------------------------
willem       willem   willem   31345   pug      (192.168.2.8) Sun Feb 17 20:43:39 2002
public       rc564    rc564    31346   pug      (192.168.2.8) Sun Feb 17 20:44:30 2002

No locked files
                                

As you can see, there are two connections being served by two separate processes. But, there is also a difference in how file-locking is handled. Remember that, when opening a file from Windows, there was no lock visible while the file was open - the lock was only present during the saving of the file. This is not the case when the Samba share is mounted by a Linux client. Opening the file hallo.txt in vi gives the following smbstatus result:

Samba version 2.0.8
Service      uid      gid      pid     machine
----------------------------------------------
willem       willem   willem   31345   pug      (192.168.2.8) Sun Feb 17 20:43:39 2002
public       rc564    rc564    31346   pug      (192.168.2.8) Sun Feb 17 20:44:30 2002

Locked files:
Pid    DenyMode   R/W        Oplock           Name
--------------------------------------------------
31346  DENY_NONE  RDONLY     NONE             /home/samba/hallo.txt   Sun Feb 17 20:58:18 2002
                                

As you can see, the file is immediately locked when opened.

Sending a message with smbclient

Any machine running WinPopup can receive a message sent via the WinPopup protocol.

Assume, for a moment, that we've got to do maintenance on \\Yoda, and we wish to tell the user on \\windoosje that his shares will not be available during a certain period of time. Make a text file containing the message — I used vi to create a file called msg.txt — and use smbclient to send it as follows:

# cat msg.txt | smbclient -M windoosje -U IT-ops
                        

The user on \\windoosje is presented with the following message:

Using a Linux Samba printer from Windows 2000

Using Samba

To instruct Samba to share all printers defined in /etc/printcap, you may add a [printers] section to /etc/samba/smb.conf:

[printers]
  comment = Printer %p on Yoda
  path = /var/spool/samba
  printable = yes
                                

After restarting Samba by issuing the command /etc/init.d/samba restart we connect from Windows 2000 using the user rc564 - which also exists on the Samba Server and must have the same password - to \\Yoda and get the following result:

Oops! That gave us four printers, and we've only got one. This happened because of the aliases in /etc/printcap. Our purpose was to get just one printer. This can be achieved by removing the [printers] section and replacing it with a printer-specific section:

[HP LaserJet 5]
  printer name = lp
  comment = HP LaserJet 5 on Yoda
  path = /var/spool/lpd/samba
  printable = yes
  writeable =  no
                                

After restarting Samba we reconnect to \\Yoda and get the following result:

Now double-click on HP LaserJet 5 and Windows will tell you that the printer has to be installed before you can use it and offers to go ahead with this. Allow Windows to install the printer.

Windows then says that there is a wrong printer driver installed on the machine to which the printer is connected and asks if the driver should be installed on the local computer. Allow Windows to do so.

Windows shows a dialog with manufacturers and printers. We choose HP and HP LaserJet 5, after which Windows installs the driver, and we are done.

Now let's see if it works. Open a document, for instance in MS Word, and activate the print dialog to select the printer:

After hitting the OK button, the output will be sent to the printer.

If this doesn't work, chances are that the user has no write permissions in the /var/spool/lpd/samba directory. I experienced this problem myself and had the choice to either add all users able to print to the lp group or give all users write-access in the directory /var/spool/lpd/samba. I chose the latter, which is fine because the parameter setting writeable = no in the [printers] section of the Samba configuration file /etc/samba/smb.conf makes sure that no non-printing process can write in that directory.

What actually takes place is that the output is spooled to the directory set by the path = parameter, which in this case is the directory /var/spool/lpd/samba. From there the output is spooled to the real spool directory of the printer as set by /etc/printcap, in this case /var/spool/lpd. Check this out by capturing the spooled file as follows:

# while true; do ls -l samba >> t; ls -l lp >> t; echo "---" >> t ; done
The /var/spool/lpd/samba directory:
-rwxr--r--    1 rc564    lp           7480 Feb 19 17:35 RC564.aCKx75

The /var/spool/lpd/lp directory:
-rw-rw----    1 lp       lp             78 Feb 19 17:35 cfA002yoda
-rw-rw----    1 rc564    lp           7480 Feb 19 17:35 dfA002yoda
                                

Issuing the smbstatus command shows the access to the share:

yoda:/var/spool/lpd# smbstatus

Samba version 2.0.8
Service      uid      gid      pid     machine
----------------------------------------------
HP LaserJe   rc564    rc564    31391   windoosje (192.168.2.11) Tue Feb 19 17:46:03 2002
                                

Using lpr

Although this is not part of the exam, I feel that to be complete it is necessary to show you that a Linux printer can also be used from Windows 2000 without the need for Samba.

On the Windows machine the first thing to do is install an extra network component called Print Services For Unix. This adds the ability to print to an lpr port.

The next thing to do is add a local printer — yes, you read it right: not a network printer.

When Windows asks you to select the port, select the option that enables you to create a new port and select the type LPR Port. You will then be presented with the next dialog which asks you to give the address of the lpd server and the name of the printer. Enter the Fully Qualified Domain Name of the printer.

Since I've called my local domain falcon and the machine to which my HP LaserJet 5 is connected is called Yoda, this becomes yoda.falcon. The queue is called lp so that's what we enter for the printer name.

Then select the appropriate printer driver and give the printer a name. Let's call the printer REMOTE HP LaserJet 5.

We are then presented with the possibility of sharing the printer under Windows. If you choose to do so and there are other Windows machines in the same workgroup such as Windows 98 for instance, they will see this printer as a Windows shared printer and can print to it. Windows 2000 will then send the output to the lp queue on Yoda. We don't need this functionality.

After printing a test page, we're done. Now have a look at the printers Windows 2000 knows:

The choice is yours: Samba printing or lpr printing. If printing is all you want to do, and you don't need the other functionality of Samba, and Print Services For Unix comes with your Windows OS, lpr printing may be the best choice for you.

Using a Windows printer from Linux

Although it is not in the topics, I felt the need to describe this. Imagine a situation, for instance, where there are lots of Windows users and just a few Linux users. Wouldn't it be nice to be able to use the Windows printer from Linux without having to move the printer to a Samba server?

Be careful with the sharename you define for the printer under Windows 2000. If Windows 2000 tells you that the printer might not be available to MS-DOS clients, shorten the name of the share until Windows 2000 does not complain anymore.

smbclient did not report the printer when it was called HP DeskJet 890 C, but it did report the printer as soon as I called it DeskJet_890C.

I have tried several utilities to accomplish this, amongst which are: smbclient, smbprint, smbspool and apsfilter.

And the winner is .... apsfilter for its ease of installation. The author, Andreas Klemm, only asks that you send him a postcard because he's interested in who is using apsfilter. I'll walk you through the installation:

# apsfilterconfig
      _/_/                         _/_/ _/ _/   _/
   _/    _/ _/_/_/     _/_/_/   _/        _/ _/_/_/_/   _/_/   _/  _/_/
  _/_/_/_/ _/    _/ _/_/     _/_/_/_/ _/ _/   _/     _/_/_/_/ _/_/
 _/    _/ _/    _/     _/_/   _/     _/ _/   _/     _/       _/
_/    _/ _/_/_/   _/_/_/     _/     _/ _/     _/_/   _/_/_/ _/
        _/
       _/

... 

Accept license [Y|y|J|j|N|n] ?
                        

Type Y, hit enter and read the informational screens that follow.

Now we are checking file permissions in spooldir

Your line printer scheduler's spooldir seems to be: /var/spool/lpd

drwxrwsr-x    9 lp       lp           4096 Feb 20 13:53 /var/spool/lpd

The Owner of your spooldir seems to be: lp
The Group of your spooldir seems to be: lp

Is this correct? [y/n] 
                        

Type y and hit enter.

creating a working copy of printcap -> /etc/printcap.old

It seems you have configured a printer with this script before.

Do you want to (a)dd another printer entry or
            to (o)verwrite the existing entries?
a/o? 
                        

If you've already defined other printers, as I have, type a and hit enter.

        ==================================================================
          A P S F I L T E R   S E T U P                   -- MAIN MENUE --
        ==================================================================

                                                        currently selected
        ------------------------------------------------------------------
        (D)     Available Device Drivers in your gs binary
        (R)     Read Ghostscript driver documentation        (devices.txt)
        (1)     Printer Driver Selection                     []
        (2)     Interface Setup                              []

        For printing the test page:
        (3)     Paper Format (mandatory)                [a4]
        (4)     Print Resolution in "dots per inch"     [default]
        (5)     Toggle Monochrome/Color (1bpp=b&w)      [default]
        (T)     Print Test Page, on local or Windows remote prt.(after 1-5)
        (V)     View perf.log (times of print attempts)

        (A)     Abort installation (don't do anything)
        (I)     ==> Install printer with values shown above - repeat this
                    step for installing multiple printers
        (Q)     ==> Finish installation

        Your choice? 
                        

First, we have to select a driver for the HP DeskJet 890C. Type 1 and hit enter.

    ================================================================
                        PRINTER DRIVER SELECTION
    ================================================================

    Please select the type of printer you want to install:

    1) PostScript printer
    2) printer driver natively supported by ghostscript

    3) gimp-print / stp
    4) hpdj
    5) pcl3 (successor to hpdj, experimental)
    6) IBM Omni
    7) cdj880, cdj970
    8) PPA printer, needs ghostscript "ppmraw" device and pnm2ppa

    0) return to main menu

Your choice: 
                        

Choose 4 and hit enter. You can then browse through a list of printer drivers. Remember the number of the correct driver (in my case, 131 comes closest to my printer). Hit q to close the list, type the number you remembered and hit return, which takes us back to the main menu.

The next thing to do is to set up the interface — choose 2 and hit return.

        ----------------------------------------------------------------
        A P S F I L T E R   S E T U P              -- Interface Setup --
        ----------------------------------------------------------------

        The easiest way to connect a printer to your computer is by
        using the parallel interface, because it's usually *faster*,
        more standardized and therefore much easier to configure.

        When configuring a serial printer, the installation dialogue
        asks you many questions about how to configure the serial
        interface of your computer, so that it works well with your
        printers current settings.

        When using the serial interface, then you have to choose special
        cables, depending on the communication protocol between computer
        and printer (hardware/software handshaking). Many pitfalls here !

        currently selected:               Interface:  [samba]
                                          Device:     [windoosje]
        configure local / remote printer
        1) local parallel/USB           2) local serial
        3) Unix/network printer (lpd)   4) Windows / NT (samba)
        5) AppleTalk

Your choice? 
                        

As you can see, there is a separate option for Samba. Choose 4 and hit return. You will then be asked several questions as shown below:

        ----------------------------------------------------------------
        A P S F I L T E R   Samba Printer SETUP
        ----------------------------------------------------------------

        Take care that smbclient is in apsfilters search path.
        You can fine tune paths in /etc/apsfilter/apsfilterrc.
        See smbclient manual page for more options if needed.

        currently selected:
        NetBIOS name of Windows Server  : [  ]
        Windows Server IP               : [  ]
        Printer Share  Name             : [  ]
        Workgroup                       : [  ]
        Windows Username                : [  ]
        Windows Password                : [  ]

        (you can fine tune some more values in the smbclient.conf
        file in the printers spool directory later)

NetBIOS name of Windows Server: windoosje
Windows Server IP Address     : 192.168.2.11
Printer Share Name            : DeskJet_890C
Workgroup Name                : falcon
Print as Windows GUEST user (no: use real account)? [y/n] n
Windows Username              : rc564
Windows Password              : thepassword
                        

Now, the default paper type must be set. Choose 3, hit return, and you'll be presented with a list from which you can choose:

        ----------------------------------------------------------------
        A P S F I L T E R   S E T U P                 -- Paper Format --
        ----------------------------------------------------------------

        What paper format do you want to use for printing?

        1) DIN A4
        2) DIN A3
        3) US letter
        4) US legal
        5) US ledger

Your choice? 
                        

I chose 1, DIN A4. Now we are ready to print a test page. Choose T, and hit return, read the information and choose T again. You will then be asked if it is ok to print the testpage:

Printing Test page using: cat setup/test.ps | gs -q -sDEVICE=cdj890        \
-sPAPERSIZE=a4 -dNOPAUSE -dSAFER -sOutputFile='/tmp/aps_testout.iESShW'  -
Ok to print testpage? [y/n] 
                        

Type y and hit return. The testpage will be created — which may take some time — and sent to the printer. If the output looks ok, choose I, followed by return, to install the printer with the values shown in the menu:

    ======================================================================
                    Filter installation -- final steps
    ======================================================================

It's recommended to have one 'raw' entry for each physical printer.
If you're not sure, say 'y' -- it won't hurt.

Do you want me to create one for printer at windoosje? (y/n) 
                        

OK, let's say y here.

Please enter a printer queue name for printer 'cdj890'.
The default name is 'auto3'.

Your choice: 
                        

Let's call the printer dj890c.

** creating printcap entry for printer dj890c...
   creating spooldir ...
   creating samba config file ...
   read protect password information...
   remember SETUP settings in printers apsfilterrc file...

Please enter a printer queue name for printer 'cdj890'.
The default name is 'raw3'.

Your choice: 
                        

And rawdj890c.

** creating printcap entry for printer rawdj890c...
   creating spooldir ...
   creating samba config file ...
   read protect password information...
   remember SETUP settings in printers apsfilterrc file...
** done.

[ press <RETURN> to continue ] 
                        

We're done, choose Q and hit return. Read through the informational screens that follow. apsfilter has created the directories that are necessary and has modified the file /etc/printcap by adding the following information:

# APS3_BEGIN:printer3
# - don't delete start label for apsfilter printer3
# - no other printer defines between BEGIN and END LABEL
dj890c|Printer3 auto:\
    :lp=/dev/null:\
    :if=/etc/apsfilter/basedir/bin/apsfilter:\
    :sd=/var/spool/lpd/dj890c:\
    :lf=/var/spool/lpd/dj890c/log:\
    :af=/var/spool/lpd/dj890c/acct:\
    :mx#0:\
    :sh:
rawdj890c|Printer3 raw:\
    :lp=/dev/null:\
    :if=/etc/apsfilter/basedir/bin/apsfilter:\
    :sd=/var/spool/lpd/rawdj890c:\
    :lf=/var/spool/lpd/rawdj890c/log:\
    :af=/var/spool/lpd/rawdj890c/acct:\
    :mx#0:\
    :sf:\
    :sh:
# APS3_END - don't delete this
                        

Let's try it out with lpr by sending a PostScript file to the printer. There is a very nice picture of a tiger's head that comes with Ghostscript:

# lpr -Pdj890c /usr/share/doc/gs/examples/tiger.ps.gz

Even a compressed postscript file gets printed nicely.
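
Two permission points from the walkthroughs above can be checked mechanically: the Samba spool directory that was opened to all users, and the smbclient.conf that apsfilter writes into the queue's spool directory. The script below is an added example, not part of the original text or of apsfilter; it assumes the Windows password is kept in that smbclient.conf and that a world-writable spool directory should carry the sticky bit, as the smb.conf manual page describes for printer paths.

```shell
#!/bin/sh
# Added example, not part of the original text, Samba or apsfilter.
# Assumption: each queue's smbclient.conf holds the Windows password.

# First 10 characters of "ls -ld" output, e.g. "drwxrwxrwt" or "-rw-------".
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# Spool directory: if "other" may write, the sticky bit (t/T in the last
# position) must be set so users cannot remove each other's queued jobs.
check_spool_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "FAIL $1: not a directory"; return 2; }
    m=$(mode_of "$1")
    case $m in
        ????????w[tT]) echo "ok   $1: $m (world-writable, sticky)"; return 0 ;;
        ????????w?)    echo "FAIL $1: $m (world-writable, no sticky bit)"; return 1 ;;
        *)             echo "ok   $1: $m (not world-writable)"; return 0 ;;
    esac
}

# Credential file: must be a regular file that "other" cannot read,
# write or execute.
check_secret_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "FAIL $1: not a regular file"; return 2; }
    m=$(mode_of "$1")
    case $m in
        ???????---) echo "ok   $1: $m"; return 0 ;;
        *)          echo "FAIL $1: $m (accessible to other users)"; return 1 ;;
    esac
}

# Walk one lpd spool root: check every queue directory and any
# smbclient.conf inside it. Returns the number of failed checks.
audit_spool_root() {
    root=$1 failures=0
    for q in "$root"/*/; do
        [ -d "$q" ] || continue
        q=${q%/}
        check_spool_dir "$q" || failures=$((failures + 1))
        if [ -e "$q/smbclient.conf" ]; then
            check_secret_file "$q/smbclient.conf" || failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh audit.sh /var/spool/lpd
if [ "$#" -gt 0 ]; then
    audit_spool_root "$1"
fi
```

Run it as root against /var/spool/lpd after apsfilterconfig finishes; a non-zero exit status is the number of findings.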

Setting up an nmbd WINS server

What is a WINS Server?

WINS stands for Windows Internet Name Service. This is a name service used to translate NetBIOS names to IP addresses by using NetBIOS over TCP/IP queries. The queries are sent as UDP packets.

Using Samba as a WINS Server

To tell Samba that it should also play the role of WINS Server, add the following line to the [global] section of the Samba configuration file /etc/samba/smb.conf:

[global]
wins support = yes
                                

Be careful: there should not be more than one WINS Server on a network, and you should not set any of the other WINS parameters, such as wins server, when enabling wins support.

Using nmblookup to test the WINS Server

nmblookup is a Linux client that facilitates the lookup of NetBIOS names over TCP/IP.

Let's see if it works by asking nmblookup to find us the IP address for Yoda1:

pug:~# nmblookup Yoda1  
querying Yoda1 on 192.168.2.255
192.168.2.21 Yoda1<00>
                                

And let's prove that this is the same machine as Yoda:

pug:~# nmblookup Yoda 
querying Yoda on 192.168.2.255
192.168.2.21 Yoda<00>
                                

Another way to do this is with the host command:

pug:~# host 192.168.2.21
Name: yoda.falcon
Address: 192.168.2.21
                                

To prove that yoda1 does not have a DNS entry:

pug:~# host yoda1
yoda1.falcon does not exist (Authoritative answer)
                                

Another example: let's use nmblookup to find out which machine is the master browser for the falcon workgroup:

pug:~# nmblookup -M falcon
192.168.2.21 falcon<1d>
                                

This proves that Yoda is the master browser for the falcon workgroup.

Creating logon scripts for clients

Logon scripts can be very handy. For example, if every user needs his home directory mapped to drive H: automatically, a logon script can take care of that. The user is then presented with an extra hard drive, which gives you, as an administrator, the freedom to move home directories to another server should the need arise. To the user it remains drive H:, and all you have to do is change one line in the logon script.

The same goes for printers and processes that should be accessible or run when a specific user logs on or when a certain machine logs on.

The batch file must be a Windows-style batch file and should thus have both a carriage return and a line feed at the end of each line.

The first thing to do is enable logon support. This is done by adding the following line to the [global] section of the Samba configuration file /etc/samba/smb.conf:

[global]
domain logons = yes
                        

The second thing to do is create a share called [netlogon] where the logon scripts will reside and which is readable to all users:

[netlogon]
  Comment = Netlogon for Windows clients
  path = /home/netlogon
  browseable = no
  guest ok = no
  writeable = no
                        

The definition of the logon script depends on whether you want a script per user or per client.

Based on the user's name

Add the following line to the [netlogon] section:

logon script = %U.bat
                                

and, assuming the user is rc564, create a file called /home/netlogon/rc564.bat.

Based on the client's name

Add the following line to the [netlogon] section:

logon script = %m.bat
                                

and, assuming the machine is called xyz, create a file called /home/netlogon/xyz.bat.
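
The CR+LF requirement above is easy to miss when the batch file is written on the Linux side. The script below is an added example, not from the original text: it writes a per-user or per-client script into the netlogon directory with CR+LF line endings and verifies the result; the function names and the net use H: /home script body are assumptions.

```shell
#!/bin/sh
# Added example, not from the original text. The function names and the
# sample script body (net use H: /home) are assumptions.

# Write stdin to <netlogon dir>/<name>.bat with CR+LF line endings.
# <name> is what Samba substitutes for %U (user) or %m (client machine).
install_logon_script() {
    dir=$1 name=$2
    case $name in
        ''|*/*|.*) echo "refusing unsafe script name: '$name'" >&2; return 2 ;;
    esac
    # Drop any CR already present, then end every line with CR+LF.
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' > "$dir/$name.bat" || return 1
    chmod 0644 "$dir/$name.bat"    # readable by all, writable by owner only
}

# Return 0 only if the file is non-empty, every line ends in CR+LF and
# the last byte is LF (no truncated final line).
verify_logon_script() {
    [ -s "$1" ] || return 1
    bad=$(awk '!/\r$/ { n++ } END { print n + 0 }' "$1")
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$bad" -eq 0 ] && [ "$last" = "0a" ]
}

# Usage: printf 'net use H: /home\n' | sh logon.sh /home/netlogon rc564
if [ "$#" -eq 2 ]; then
    install_logon_script "$1" "$2" && verify_logon_script "$1/$2.bat"
fi
```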

Copyright Snow B.V. The Netherlands