Learn Linux, 302 (Mixed environments)

Samba roles

Concepts, architecture, and design


About this series This series of articles helps you learn Linux systems administration tasks. You can also use the material in these articles to prepare for the Linux Professional Institute Certification level 3 (LPIC-3) exams. See our developerWorks roadmap for LPIC-3 for a description of and link to each article in this series. The roadmap is in progress and reflects the current objectives (November 2010) for the LPIC-3 exams. As each article is completed, it is added to the roadmap.

Overview

In this article, learn about these concepts:

Samba security modes

Roles of core Samba daemons

Management of Samba daemons

This article helps you prepare for Objective 310.2 in Topic 310 of the LPI's Mixed Environment speciality exam (302). The objective has a weight of 1.

Prerequisites

To get the most from the articles in this series, you should have an advanced knowledge of Linux and a working Linux system on which you can practice the commands covered in this article. In particular, this article assumes that you have a working knowledge of Linux command-line functions and at least a general understanding of the purpose of Samba as covered in "Learn Linux, 302 (Mixed environments): Concepts". To perform the actions described in this article, you must have the Samba software installed. Some actions require that you have a working Server Message Block (SMB)/Common Internet File System (CIFS) network at your disposal.

Identifying Samba daemons

About the elective LPI-302 exam Linux Professional Institute Certification (LPIC) is like many other certifications in that different levels are offered, with each level requiring more knowledge and experience than the previous one. The LPI-302 exam is an elective specialty exam in the third level of the LPIC hierarchy and requires an advanced level of Linux system administration knowledge. To get your LPIC level 3 (LPIC-3) certification, you must pass the two first-level exams (101 and 102), the two second-level exams (201 and 202), and the LPIC-3 core exam (301). After you have achieved this level, you can take the elective specialty exams, such as LPI-302.

Linux servers are often implemented as daemons, a word derived from Greek mythology, in which daemons were helpful supernatural beings. A Linux daemon runs in the background to perform some helpful task. The Samba server suite consists of several daemons, including smbd , nmbd , and winbindd . The swat program is another Samba server, but it is typically run from a super server and so is not technically a daemon.

Understanding smbd

The smbd program provides most of the core functionality of Samba. Its duties include:

Providing file and printer shares. This feature is arguably the single most important Samba duty, and smbd does it.

Authenticating users. smbd authenticates users against a local database or passes authentication requests on to another computer. If your Samba server is configured as a domain controller, smbd also responds to authentication requests from other computers. (Workgroup and domain configurations are described shortly, in Setting your security mode.)

Providing time services. Samba can tell other computers what the current time is; smbd handles this detail.


By default, the smbd daemon binds to TCP ports 139 and 445. The SMB protocol uses port 139 through NetBIOS over TCP, which is the way many older clients use SMB/CIFS. Port 445 provides plain SMB over TCP services, which is how many newer clients access the Samba server.

Because of the critical nature of these duties (in particular, providing file and printer shares and authentication), smbd can be considered the core of Samba. In fact, it's possible to connect to a computer that runs smbd alone by using a program such as Samba's own smbclient to perform file transfers. Some clients, though, rely on services provided by other Samba daemons.

Understanding nmbd

The second key Samba daemon is nmbd . This server's main duty is handling name-related tasks. You can think of it as Samba's own version of the Domain Name System (DNS), although it's both simpler to configure and much less sophisticated than DNS. Specific tasks that nmbd performs include:

Responding to name broadcasts. In one common mode of operation, clients broadcast name queries to an entire network segment. The nmbd server listens for such broadcasts and, when Samba is configured to use the name being queried, responds. It also responds when it's configured to function as a proxy for another computer or network.

Registering a NetBIOS name. For NetBIOS name resolution to work, computers must register their names, either with a centralized NetBIOS name server (NBNS; aka Windows Internet Name Service [WINS] server) or by broadcasting the name and negotiating rights for it with the network as a whole. nmbd is responsible for doing this and also for negotiating with other computers that register their names.

Functioning as an NBNS server. Samba can be configured as an NBNS system, in which case nmbd handles these duties.

Functioning as a master browser. Part of the user experience of an SMB/CIFS network is browsing: the ability to browse through the servers on a network much as you would browse through the directories on your hard disk. This feature relies on the presence of a master browser, which collects and disseminates browse lists. When Samba functions as a master browser, it's nmbd that does the work.

As this list demonstrates, nmbd does a lot of work. Although they don't involve serving files or printers, many of these tasks are critical parts of any SMB/CIFS server, so nmbd should be considered a critical part of Samba. It's typically run along with smbd by a distribution's startup scripts.

Most of nmbd's functions (registering names, answering name queries, and acting as an NBNS) use the NetBIOS name service, so nmbd binds to User Datagram Protocol (UDP) port 137; browsing and master browser duties use the NetBIOS datagram service on UDP port 138. Neither is a TCP port: the only TCP ports Samba uses for SMB/CIFS are 139 and 445, and those belong to smbd.

Understanding winbindd

A third Samba daemon is the Winbind daemon, winbindd . Unlike smbd and nmbd , winbindd doesn't provide services for remote computers; instead, it serves as an interface between a Windows® (or Samba) domain controller and the local computer's Name Service Switch (NSS) and Pluggable Authentication Modules (PAM) facilities, enabling a domain controller to host the Linux account information (users, groups, and the credentials used to authenticate them) that local programs would otherwise read from files such as /etc/passwd.

On many distributions, winbindd is installed in a separate package from the rest of Samba—typically in a package called winbind or winbindd . It's also usually launched separately. In principle, you can run winbindd on a computer that doesn't run a Samba server or even function as an SMB/CIFS client, except to the extent that winbindd is itself an SMB/CIFS client. In practice, though, you're likely to run a Samba server or use a Linux computer as an SMB/CIFS client if it's running winbindd .

Controlling Samba

Controlling Samba involves at least two tasks: adjusting its configuration options using its configuration file and changing its options on a temporary, on-the-fly basis. You accomplish the first task through Samba's configuration file, while the second can be done through the smbcontrol configuration tool.

Adjusting configuration file options

The main Samba configuration file is called smb.conf and typically resides in /etc/samba, although it could be found in other locations. (If you build Samba from source, /usr/local/samba/lib is one common location.)

The smb.conf file is composed of sections, each of which begins with a name in square brackets ( [] ), such as [global] or [documents] . Most sections define file or printer shares; however, the [global] section is special: It holds options that affect the server as a whole or that set default values used in subsequent share definitions. (The [global] section typically appears first in the file.)

Lines in smb.conf can be comment lines that begin with a hash mark ( # ) or a semicolon ( ; ); they may be section names; or they may be lines that set Samba parameters. This last type of line takes the following form:

parameter = Value

The parameter is a keyword, such as security or create mask . Parameter names are case-insensitive. Some common parameters have synonyms, and a few have antonyms. For instance, writable and writeable are synonyms, and read only is an antonym for these—that is, read only = Yes is equivalent to writable = No .

The Value you specify with a parameter can be a free-form string, a number (including specialized numeric values, such as IP addresses), a Boolean value, a variable, or a list. Boolean values can take either of two truth values: Yes , True , and 1 are synonyms, as are No , False , and 0 .

Variables begin with a percent symbol ( % ) and stand in for information that isn't known when the configuration file is written but is available at run time. For instance, %D refers to the server's workgroup or domain name; %h refers to the server's DNS name; %H refers to the user's home directory; %L refers to the server's NetBIOS name; and %u refers to the user's user name.

Some parameters take lists of several values, such as lists of user names. In such cases, list elements are separated by commas, as in george, mary to refer to both george and mary (most list parameters also accept spaces as separators). For the most part, the smb.conf file is blind to white space. If you need to include white space in a value, enclose it in quotation marks.

The smb.conf file contains options for smbd , nmbd , winbindd , and other Samba servers and programs. Options for the different programs are not separated or clearly differentiated, although sometimes the name makes it obvious to which daemon a parameter applies.

Controlling Samba with smbcontrol

You can use the smbcontrol program to control Samba as it runs. For example, you can tell Samba to shut down a specific share, force a master browser election, reload the configuration file, and so on. The basic syntax for this command is:

smbcontrol [-i] [-s configfile]

smbcontrol [destination] [message-type] [parameter]

When used with the -i option, smbcontrol enters an interactive mode in which you can pass a series of commands in sequence, saving you from having to type smbcontrol in front of each command. The destination is a daemon name ( smbd , nmbd , or winbindd ), the word all to send the message to all the daemons, or a process ID number. The message-type is a command, as summarized in Table 1. The parameter is an optional value that some commands require.

Table 1. smbcontrol message types

Command (message-type): Meaning

close-share: Close the share that the parameter specifies.
debug: Set the debug level to the value the parameter specifies.
force-election: Forces a new master browser election.
debuglevel: Displays the current debug level of a daemon.
printnotify: Sends a message to clients connected to a printer share, forcing a change in the clients' queue status.
samsync: Synchronize the user database with a domain controller. (Official documentation indicates that this function is not currently working; test it before you rely on it.)
shutdown: Shuts down the specified daemon.
pool-usage: Displays memory use information for the specified daemon.
drvupgrade: Notify clients that a new printer driver is available. The command takes a printer share name as a parameter.
reload-config: Forces the server to reload the smb.conf file.

Setting your security mode

Samba provides a number of options related to how users are authenticated. The most important of these is the security option, which takes five possible values:

Share . This security mode attempts to emulate the authentication method that the Microsoft® Windows 9x/Windows Me operating systems use, in which user names were ignored and passwords were associated with shares. To do this, Samba tries the password provided by the client with a variety of user names.

User . This security mode, which is the default, uses a user name and password for authentication, similar to the way Linux typically works. In most cases on modern systems, though, the password is stored in an encrypted Samba-only password database.

Server . If you want Samba to defer to another server for authentication, use this authentication method. To a client, this method looks just like user-level authentication, but Samba contacts the server specified with the password server parameter to do the actual authentication.

Domain . You can fully join a Windows domain using this method, which looks just like user-level authentication to clients. Unlike server-level authentication, domain authentication involves a more secure domain-level password exchange. Fully joining the domain requires running extra commands on the Samba system and possibly on the domain controller, as well.

ADS . This authentication method works much like domain authentication; however, it requires an Active Directory® Domain Services domain controller.

As a general rule, user-level authentication is the best choice if your Samba server is a member of a Windows workgroup, which is the basic form of an SMB/CIFS network. A workgroup differs from a domain mainly in that a domain provides a domain controller, which is a server that provides authentication services to the domain. To use a domain controller, you must use server-, domain-, or ADS-level security. Server-level security is the easiest to configure but the least secure, whereas ADS-level security is the most difficult to configure but the most secure. Note that share- and server-level security were deprecated in Samba 3.6 and removed in Samba 4.0; on those releases the security parameter accepts only user , domain , and ads , so new configurations should not rely on the two older modes.

To fully join a domain for domain- or ADS-level security, you must set security = Domain or security = ADS together with several related options in the [global] section of the smb.conf file:

password server = DOMCONT
domain logons = No
encrypt passwords = Yes

The DOMCONT system is the domain controller. You must also join the domain by typing the following command on the Samba server, where the -U option names an account that is authorized to add machines to the domain (the command prompts for that account's password):

# net join member -U

You may also need to configure the domain controller to accept the Samba server into the domain. (Objective 312.4 covers this topic for Samba servers.)

Share-level security is largely outmoded; it exists mainly to provide compatibility for very old clients that don't understand user names. It can also be useful for some share types that you might want to make available with minimal security, such as printer shares. Because Linux requires that an account be used for all accesses, Samba tries the provided password against a series of accounts until one matches or they've all failed. These accounts include:

The guest account (set via the guest account parameter) if guest only = Yes

The user name the client provides (not all clients provide one, but some do)

The user name used for the last access from the client computer

The name of the share being accessed

The client's NetBIOS name

Any user names specified via the username parameter

Because most clients in use today understand user names, there's seldom a need to support share-level security. Using it only creates confusion and increases the security risk—with passwords being checked against so many accounts, a single password that falls into the wrong hands could become a significant risk to your server.
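The following Python script is an added example; it is not code from the original article or from the Samba project. It implements the smb.conf rules described in Adjusting configuration file options (sections in square brackets, comment lines beginning with # or ;, case-insensitive parameter names, the writable / writeable synonyms and their antonym read only, Boolean values, and % variables) and then audits the settings discussed in this section: the security mode, encrypt passwords, and shares that are both writable and open to the guest account. The two configurations it reads are constructed samples; the second uses the domain-membership options shown above. The parameter defaults it assumes (security = user, encrypt passwords = yes, read only = yes, guest ok = no) and the wording of its findings are this example's own.

```python
"""Parse smb.conf text and audit its authentication-related settings.

Added example, not code from the original article or the Samba project.
Assumed defaults: security = user, encrypt passwords = yes,
read only = yes (so writable = no), guest ok = no.
"""
import re

SYNONYMS = {"writeable": "writable"}      # fold alternate spellings to one name
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def as_bool(value):
    """Interpret a Samba Boolean value; reject anything else."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("not a Boolean value: %r" % value)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised.

    Names are lower-cased with internal white space collapsed, synonyms are
    folded, and 'read only' is stored as the equivalent 'writable' value so
    that later checks have a single name to look at.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                    # blank line or comment
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            section = match.group(1).strip().lower()    # share names are case-insensitive
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed or out-of-section line: %r" % raw)
        name, value = line.split("=", 1)
        name = " ".join(name.lower().split())
        name = SYNONYMS.get(name, name)
        value = value.strip().strip('"')                # quotes protect white space
        if name == "read only":                         # antonym of writable
            name, value = "writable", "no" if as_bool(value) else "yes"
        conf[section][name] = value
    return conf


def expand(value, env):
    """Substitute the variables listed in the article (%D %h %H %L %u) from env."""
    return re.sub(r"%([DhHLu])", lambda m: env.get(m.group(1), m.group(0)), value)


def audit(conf):
    """Return findings about the security mode, password handling and guest shares."""
    glob = conf.get("global", {})
    findings = []
    mode = glob.get("security", "user").lower()
    if mode == "share":
        findings.append("security = share tries one password against many accounts")
    elif mode == "server":
        findings.append("security = server is the least secure way to use a domain controller")
    if not as_bool(glob.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords = no allows plaintext passwords on the wire")
    for name, share in conf.items():
        if name == "global":
            continue
        if as_bool(share.get("writable", "no")) and as_bool(share.get("guest ok", "no")):
            findings.append("[%s] is writable by the guest account" % name)
    return findings


# Constructed sample: workgroup server still using outmoded share-level security.
WEAK_CONF = """
# share-level security, plaintext passwords, anonymous write access
[global]
    workgroup = EXAMPLE
    security = Share
    encrypt passwords = No

[public]
    path = /srv/public
    read only = No
    guest ok = Yes
"""

# Constructed sample: member of the EXAMPLE domain, authenticating via DOMCONT.
DOMAIN_CONF = """
; domain member server; DOMCONT is the domain controller
[global]
    workgroup = EXAMPLE
    security = Domain
    password server = DOMCONT
    domain logons = No
    encrypt passwords = Yes

[homes]
    path = %H
    writeable = Yes
    guest ok = No
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("domain", DOMAIN_CONF)):
        print(label, audit(parse_smb_conf(text)) or ["no findings"])
```

Run it against your own file with audit(parse_smb_conf(open("/etc/samba/smb.conf").read())). The parser deliberately raises on a parameter that appears before any section header, because Samba treats everything before the first [section] as an error; testparm is still the authoritative syntax check, since it applies the full set of synonyms and defaults that this example only samples.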

Moving forward

The LPIC-3 310.3 objective—and the next article in this series—describes the Samba Trivial Database (TDB) file format, which Samba uses to store account information.
