By: Ian Marchak
Tested on Caldera eServer 2.3 with the standard kernel binaries, all patches/updates installed. Stock SAMBA from the eServer CD.
Date Submitted: 2000-10-21
The following is a rundown of what I did to set up a SAMBA server to act as a peer to peer type client for windows file sharing on the local network. No password authentication, nothing fancy...maybe later.
Everything that follows was performed as root unless otherwise noted. Be sure you make a backup of any file you modify, unless you like the pain.
Much of what follows can be found either in the Caldera Support pages, or at www.samba.org. You can also d/l the HTML version of the O'Reilly book "Using Samba".
OK, before you go any further, I recommend making sure your box is secure a la the Security SxS documents especially now that you may be exposing windows style file sharing to the internet. In my case, the machine that serves as the gateway will also be doing the SAMBA duties.
I have already been through the Security Steps and feel reasonably confident...well not horribly paranoid...about this. The lines that I added to my ipchains config are as follows: (I am using the ipchains-save / ipchains-restore scripts)
-A input -s 0/0 -d 0/0 137:139 -i eth0 -p 6 -j DENY
-A input -s 0/0 -d 0/0 137:139 -i eth0 -p 17 -j DENY -l
-A output -s 0/0 -d 0/0 137:139 -i eth0 -p 6 -j DENY
-A output -s 0/0 -d 0/0 137:139 -i eth0 -p 17 -j DENY -l
See also: Section 4 on TCP wrappers for SWAT.
Don't just blindly do what I did and assume it's right...I am no expert.
Other than that your on your own for security.
2. USER AND GROUP
I created a group and user for the file sharing and permissions let's say group:smb and user:smbuser. Do this with COAS or webmin or whatever tool you want. Make the $HOME for smbuser /home/public.
After the user is created, you'll want to set the SGID bit on the directory so that files that are saved into that directory are automatically assigned the correct permissions to allow access by all on the network:
chmod 2777 /home/public
3. HOSTS FILES
Now make sure your /etc/hosts file has all the correct IP's and names for the machines you want to access SAMBA:
127.0.0.1 localhost localhost.localdomain
Now we need to make a /etc/lmhosts for the mapping of IP hostnames to NetBIOS computer names (Network Neighbourhood):
If you really like confusion you can
make the NetBIOS name (the right side) different from the IP
hostname (the left side)...but I wouldn't recommend
4. SWAT ∓ CONFIGURING SAMBA
SWAT (Samba Web Admin. Tool) .
SWAT should be in your /etc/inetd.conf by default (at least it was in mine). If not add:
swat stream tcp nowait.400 root /usr/sbin/tcpd swat
SWAT is now protected by tcp wrappers (man hosts.allow) make sure your /etc/hosts.allow file has the following line in it:
swat: 127.0.0.1 192.168.1.
Substitute whatever your local network IP is, add individual hosts for more control (you don't want Mom mucking up your SAMBA config do you!) You can also specify hosts.allow and hosts.deny from within the SWAT configuration windows adding another layer of security.
If you had to make any changes to /etc/inetd.conf issue the command to restart inetd:
killall -HUP inetd
OK. Now you can copy over the /etc/samba.d/smb.conf.sample and modify it manually, or just fire up SWAT (after all our hard work, why not!?) and it will create a small, tidy smb.conf file you can modify either manually or from within SWAT.
I am not getting into this step too deep, I don't understand a lot of it myself, so what I will do is post a copy of my smb.conf for you to look at/copy. (The names have been changed to protect the innocent):
# Global parameters
workgroup = MYNETWORK
netbios name = GATEWAY
server string = Samba Server on GATEWAY
interfaces = 192.168.1.1/24 127.0.0.1/24
bind interfaces only = Yes
security = SHARE
max log size = 50
time server = Yes
socket options = TCP_NODELAY
os level = 65
preferred master = Yes
# Clears up error logging about being
# unable to find domain master browser.
domain master = Yes
# DOS/Fat32 tracks filetimes in 2 sec. increments
# Linux tracks in 1 sec. Set for compatiablity with VC++
dos filetime resolution = True
dns proxy = No
wins support = Yes
guest account = smbuser
hosts allow = 192.168.1.
hosts deny = 24.
printing = lprng
comment = Home Directories
path = %H/Public
valid users = %S
read only = No
create mask = 0750
only user = Yes
browseable = No
comment = All Printers
path = /var/spool/samba
create mask = 0700
print ok = Yes
browseable = No
comment = Public
path = /home/public
write list = @users
read only = No
guest ok = Yes
create mask = 0664
directory mask = 0775
I don't know what all the entries are yet (ie: printers and
homes) but you can check these out with SWAT which has a nice
link to help for each of the various options and what they
do. As far as I can tell the only improtant ones to this
StepByStep are the Global and Public sections. All I know
is it works for me.
5. TESTING SAMBA
Now you're config files are done, directories created, user and group made...let see what happens if you type:
If you see no error messages you're probably home free!
smbclient -L localhost
If your're asked for a password just hit enter.
You should see something like the following:
Added interface ip=192.168.1.1 bcast=192.168.1.255
Added interface ip=127.0.0.1 bcast=127.0.0.255 nmask=255.255.255.0
Password: <Just Hit Enter>
Domain=[MYNETWORK] OS=[Unix] Server=[Samba 2.0.5]
--------- ---- -------
public Disk Public
IPC$ IPC IPC Service (Samba Server on Gateway)
GATEWAY Samba Server on Gateway
If you get this you're done. If you get error messages when you try and start SAMBA you'll have to do some troubleshooting, I didn't get error messages so I moved happily along (I did briefly think about the "Don't look a gift horse in the mouth" saying though)
That's it for the SAMBA side of things...now you need to
make a few changes to have the Windows machines make use of
your hard work.
6. CONFIGURING WINDOWS (Ugh!)
The following assumes you already have the machines on you network set up as a peer to peer/share level network.
Set up windows networking to make use of the SAMBA server we just started:
6a. In "Control Panel -> Network", the "Configuration" tab should have the file and printer sharing client installed, make sure you have disabled the "Browse Master" option in the Properties dialogs. This will be done by SAMBA from now on, that's what the os level = 65 setting was for in smb.conf.
6b. Still on the "Configuration" tab. Go to the TCP/IP component bound to your network card (not the one bound to your modem), and change the "Properties" of your WINS configuration and specify the SAMBA machine as a WINS server. Fist "Enable WINS Resolution" , then enter the IP of your SAMBA machine and hit enter.
6c. Now, pick the Identification tab and make sure you have a Computer Name and Workgroup that match what you have in thehosts, lmhosts and smb.conf files on the SAMBA machine.
That sould be it. The setup for NT would go differently, but you'd still do basically the same things...just in different places.
This is really a very basic setup only intended for my brother and I to swap files back and forth without having our machines on all the time. SAMBA is an amazingly powerful tool capable of much more than this little shared directory setup we just did. If you take the ball and figure out how to do password level security in a StepByStep format, by all means fire it off to myself or one of the other SxS editors, if you used or were helped by this document, others can use and be helped by your Steps.
If you specify 'timeserver = Yes' you can make a batchfile, say "nettime.bat" and add the command: 'net time \\gateway /set /yes' to it. Then insert a "run=\pathto\nettime.bat" call into the win.ini files of your windows machines and they'll always be synchronized with the SAMBA machine at startup. You may want to change the properties on the batch file, to make sure it closes after running so you aren't left with a window open when the time sync is finsihed.
Now just add 'rdate -s time.nrc.ca' as a cron job
to the SAMBA machine and you'll always be within tenths of a
second of the atomic clock at the National Research Council of
Canada. (Or whatever timeserver you want to use.)