The aim of this project is to establish a secured file sever for a branch office of the company. Samba is chosen to implement this task.
My job is to test, evaluate and document the Samba server in testing environment. The goals are:
1. To built the Samba server in a Ubuntu box;
2. To let Windows get access to the Samba server;
3. To achieve the best performance and security of sharing;
4. To add the Samba server to Active Directory
I will use the following settings in this document:
Samba server : Ubuntu box (version 10.04 LTS)
Server CN : TEST-SAMBA
Client computer : Windows box (XP Professional SP2)
Client CN : MFHK-RIVERLIU
User account : MFCHINA/riverliu
User group : tester
Samba's configuration file smb.conf usually resides in /etc/samba/smb.conf or /usr/local/samba/lib/smb.conf. It is a plaintext file.
Each file consists of various sections, which are started by putting the section name between brackets ([]) on a new line. Each contains zero or more key/value pairs separated by an equality sign (=).
Each section in the smb.conf file represents either a share or a meta-service on the Samba server. The section [global] is special, since it contains settings that apply to the whole Samba server. Samba supports a number of meta-services, each of which serves its own purpose. For example, the [homes] share is a meta-service that causes Samba to provide a personal home share for each user. The [printers] share is a meta-service that establishes print queue support and that specifies the location of the intermediate spool directory into which print jobs are received from Windows clients prior to being dispatched to the UNIX/Linux print spooler.
The directory in which Samba stores the tdb files is determined by compile-time directives. Samba-3 stores tdb files in two locations. The best way to determine these locations is to execute the following command:
PRIVATE_DIR: /etc/samba/private
Samba-3 also uses a number of tdb files that contain more mundane data.
The location of these files can be found by executing:
LOCKDIR: /var/lib/samba
Samba essentially consists of two or three daemons. A daemon is a UNIX application that runs in the background and provides services. An example of a service is the Apache Web server for which the daemon is called httpd. In the case of Samba there are three daemons, two of which are needed as a minimum.
The Samba server is made up of the following daemons:
| nmbd | This daemon handles all name registration and resolution requests. It is the primary vehicle involved in network browsing. It handles all UDP-based protocols. The nmbd daemon should be the first command started as part of the Samba startup process. |
| smbd | This daemon handles all TCP/IP-based connection services for file- and print-based operations. It also manages local authentication. It should be started immediately following the startup of nmbd. |
| winbindd | This daemon should be started when Samba is a member of a Windows NT4 or ADS domain. It is also needed when Samba has trust relationships with another domain. The winbindd daemon will check the smb.conf file for the presence of the idmap uid and idmap gid parameters. If they are are found, winbindd will use the values specified for for UID and GID allocation. If these parameters are not specified, winbindd will start but it will not be able to allocate UIDs or GIDs. |
The basic configuration process and example can be found in one of my Samba project documents: Project - Samba: Configuration.
To find the correct location of smb.conf by executing:
To test the calidation of the smb.conf by executing:
To generate a fully optimized smb.conf file from this master configuration and documentation file by executing:
SWAT is a Web-based interface that can be used to facilitate the configuration of Samba. SWAT might not be available in the Samba package that shipped with your platform, but in a separate package. If you need to build SWAT please read the SWAT man page regarding compilation, installation, and configuration of SWAT from the source code.
To launch SWAT, just run your favorite Web browser and point it to http://localhost:901/. Replace localhost with the name of the computer on which Samba is running if that is a different computer than your browser.
SWAT can be used from a browser on any IP-connected machine, but be aware that connecting from a remote machine leaves your connection open to password sniffing because passwords will be sent over the wire in the clear.Please note that re-writing the configuration file using SWAT will remove all comments!
To list shares that are available from the configured Samba server, execute the following command:
You should see a list of shares available on your server. If you do not, then something is incorrectly configured. This method can also be used to see what shares are available on other SMB servers, such as Windows 2000.
If you choose user-level security, you may find that Samba requests a password before it will list the shares. See the smbclient man page for details. You can force it to list the shares without a password by adding the option -N to the command line.
Enter the following command:
The aservice is any service that has been defined in the smb.conf file. Try your username instead if you just have a [homes] section in the smb.conf file, like:
you can try to access it from other clients. The Samba host should be listed in the Network Neighborhood on all Windows clients of its subnet. Try browsing the server from another client or "mounting" it.
You can view the services list on a specific Samba server by:Mounting disks from a DOS, Windows, or OS/2 client can be done by running a command like:
Where the drive letter m: is any available drive letter. It is important to double-check that the service (share) name that you used does actually exist.
Try printing, for example,
The spoolservice is the name of the printer (actually the print queue) on the target server. This will permit all print jobs that are captured by the lpt1: port on the Windows client to be sent to the printer that owns the spoolservice that has been specified.
0 comments:
Post a Comment