39. smbd -- Samba NT Server

Copyright © 2002 Paul Sheer.


Subsections
  • 39.1 Samba: An Introduction by Christopher R. Hertel
    • History -- the (hopefully) Untedious Version
    • Meanwhile, on the Other Side of the Planet...
    • What Samba Does
    • Other Stuff
    • SMB Filesystems for Linux
    • Setup and Management
    • The Present
    • The Future
  • 39.2 Configuring Samba
  • 39.3 Configuring Windows
  • 39.4 Configuring a Windows Printer
  • 39.5 Configuring swat
  • 39.6 Windows NT Caveats

39.1 Samba: An Introduction by Christopher R. Hertel

The following introduction is quoted from the Samba online documentation.


A lot of emphasis has been placed on peaceful coexistence between UNIX and Windows. Unfortunately, the two systems come from very different cultures and they have difficulty getting along without mediation. ...and that, of course, is Samba's job. Samba <http://samba.org/> runs on UNIX platforms, but speaks to Windows clients like a native. It allows a UNIX system to move into a Windows ``Network Neighborhood'' without causing a stir. Windows users can happily access file and print services without knowing or caring that those services are being offered by a UNIX host.

All of this is managed through a protocol suite which is currently known as the ``Common Internet File System,'' or CIFS <http://www.cifs.com>. This name was introduced by Microsoft, and provides some insight into their hopes for the future. At the heart of CIFS is the latest incarnation of the Server Message Block (SMB) protocol, which has a long and tedious history. Samba is an open source CIFS implementation, and is available for free from the http://samba.org/ mirror sites.

Samba and Windows are not the only ones to provide CIFS networking. OS/2 supports SMB file and print sharing, and there are commercial CIFS products for Macintosh and other platforms (including several others for UNIX). Samba has been ported to a variety of non-UNIX operating systems, including VMS, AmigaOS, and NetWare. CIFS is also supported on dedicated file server platforms from a variety of vendors. In other words, this stuff is all over the place.

History -- the (hopefully) Untedious Version

It started a long time ago, in the early days of the PC, when IBM and Sytec co-developed a simple networking system designed for building small LANs. The system included something called NetBIOS, or Network Basic Input Output System. NetBIOS was a chunk of software that was loaded into memory to provide an interface between programs and the network hardware. It included an addressing scheme that used 16-byte names to identify workstations and network-enabled applications. Next, Microsoft added features to DOS that allowed disk I/O to be redirected to the NetBIOS interface, which made disk space sharable over the LAN. The file-sharing protocol that they used eventually became known as SMB, and now CIFS.

Lots of other software was also written to use the NetBIOS API (Application Programmer's Interface), which meant that it would never, ever, ever go away. Instead, the workings beneath the API were cleverly gutted and replaced. NetBEUI (NetBIOS Enhanced User Interface), introduced by IBM, provided a mechanism for passing NetBIOS packets over Token Ring and Ethernet. Others developed NetBIOS LAN emulation over higher-level protocols including DECnet, IPX/SPX and, of course, TCP/IP.

NetBIOS and TCP/IP made an interesting team. The latter could be routed between interconnected networks (internetworks), but NetBIOS was designed for isolated LANs. The trick was to map the 16-byte NetBIOS names to IP addresses so that messages could actually find their way through a routed IP network. A mechanism for doing just that was described in the Internet RFC1001 and RFC1002 documents. As Windows evolved, Microsoft added two additional pieces to the SMB package. These were service announcement, which is called ``browsing,'' and a central authentication and authorization service known as Windows NT Domain Control.

Meanwhile, on the Other Side of the Planet...

Andrew Tridgell, who is both tall and Australian, had a bit of a problem. He needed to mount disk space from a UNIX server on his DOS PC. Actually, this wasn't the problem at all because he had an NFS (Network File System) client for DOS and it worked just fine. Unfortunately, he also had an application that required the NetBIOS interface. Anyone who has ever tried to run multiple protocols under DOS knows that it can be...er...quirky.

So Andrew chose the obvious solution. He wrote a packet sniffer, reverse engineered the SMB protocol, and implemented it on the UNIX box. Thus, he made the UNIX system appear to be a PC file server, which allowed him to mount shared filesystems from the UNIX server while concurrently running NetBIOS applications. Andrew published his code in early 1992. There was a quick, but short succession of bug-fix releases, and then he put the project aside. Occasionally he would get email about it, but he otherwise ignored it. Then one day, almost two years later, he decided to link his wife's Windows PC with his own Linux system. Lacking any better options, he used his own server code. He was actually surprised when it worked.

Through his email contacts, Andrew discovered that NetBIOS and SMB were actually (though nominally) documented. With this new information at his fingertips he set to work again, but soon ran into another problem. He was contacted by a company claiming trademark on the name that he had chosen for his server software. Rather than cause a fuss, Andrew did a quick scan against a spell-checker dictionary, looking for words containing the letters ``smb''. ``Samba'' was in the list. Curiously, that same word is not in the dictionary file that he uses today. (Perhaps they know it's been taken.)

The Samba project has grown mightily since then. Andrew now has a whole team of programmers, scattered around the world, to help with Samba development. When a new release is announced, thousands of copies are downloaded within days. Commercial systems vendors, including Silicon Graphics, bundle Samba with their products. There are even Samba T-shirts available. Perhaps one of the best measures of the success of Samba is that it was listed in the ``Halloween Documents'', a pair of internal Microsoft memos that were leaked to the Open Source community. These memos list Open Source products which Microsoft considers to be competitive threats. The absolutely best measure of success, though, is that Andrew can still share the printer with his wife.

What Samba Does

Samba consists of two key programs, plus a bunch of other stuff that we'll get to later. The two key programs are smbd and nmbd. Their job is to implement the four basic modern-day CIFS services, which are:

  • File and print services
  • Authentication and Authorization
  • Name resolution
  • Service announcement (browsing)

File and print services are, of course, the cornerstone of the CIFS suite. These are provided by smbd, the SMB daemon. Smbd also handles ``share mode'' and ``user mode'' authentication and authorization. That is, you can protect shared file and print services by requiring passwords. In share mode, the simplest and least recommended scheme, a password can be assigned to a shared directory or printer (simply called a ``share''). This single password is then given to everyone who is allowed to use the share. With user mode authentication, each user has their own username and password and the System Administrator can grant or deny access on an individual basis.

The Windows NT Domain system provides a further level of authentication refinement for CIFS. The basic idea is that a user should only have to log in once to have access to all of the authorized services on the network. The NT Domain system handles this with an authentication server, called a Domain Controller. An NT Domain (which should not be confused with a Domain Name System (DNS) Domain) is basically a group of machines which share the same Domain Controller.

The NT Domain system deserves special mention because, until the release of Samba version 2, only Microsoft owned code to implement the NT Domain authentication protocols. With version 2, Samba introduced the first non-Microsoft-derived NT Domain authentication code. The eventual goal, of course, is to completely mimic a Windows NT Domain Controller.

The other two CIFS pieces, name resolution and browsing, are handled by nmbd. These two services basically involve the management and distribution of lists of NetBIOS names.

Name resolution takes two forms: broadcast and point-to-point. A machine may use either or both of these methods, depending upon its configuration. Broadcast resolution is the closest to the original NetBIOS mechanism. Basically, a client looking for a service named Trillian will call out ``Yo! Trillian! Where are you?'', and wait for the machine with that name to answer with an IP address. This can generate a bit of broadcast traffic (a lot of shouting in the streets), but it is restricted to the local LAN so it doesn't cause too much trouble.

The other type of name resolution involves the use of an NBNS (NetBIOS Name Service) server. (Microsoft called their NBNS implementation WINS, for Windows Internet Name Service, and that acronym is more commonly used today.) The NBNS works something like the wall of an old-fashioned telephone booth. (Remember those?) Machines can leave their name and number (IP address) for others to see.

Hi, I'm node Voomba. Call me for a good time! 192.168.100.101

It works like this: The clients send their NetBIOS names and IP addresses to the NBNS server, which keeps the information in a simple database. When a client wants to talk to another client, it sends the other client's name to the NBNS server. If the name is on the list, the NBNS hands back an IP address. You've got the name, look up the number.

Clients on different subnets can all share the same NBNS server so, unlike broadcast, the point-to-point mechanism is not limited to the local LAN. In many ways the NBNS is similar to the DNS, but the NBNS name list is almost completely dynamic and there are few controls to ensure that only authorized clients can register names. Conflicts can, and do, occur fairly easily.

Finally, there's browsing. This is a whole 'nother kettle of worms, but Samba's nmbd handles it anyway. This is not the web browsing we know and love, but a browsable list of services (file and print shares) offered by the computers on a network.

On a LAN, the participating computers hold an election to decide which of them will become the Local Master Browser (LMB). The ``winner'' then identifies itself by claiming a special NetBIOS name (in addition to any other names it may have). The LMB's job is to keep a list of available services, and it is this list that appears when you click on the Windows ``Network Neighborhood'' icon.

In addition to LMBs, there are Domain Master Browsers (DMBs). DMBs coordinate browse lists across NT Domains, even on routed networks. Using the NBNS, an LMB will locate its DMB to exchange and combine browse lists. Thus, the browse list is propagated to all hosts in the NT Domain. Unfortunately, the synchronization times are spread apart a bit. It can take more than an hour for a change on a remote subnet to appear in the Network Neighborhood.

Other Stuff

Samba comes with a variety of utilities. The most commonly used are:

smbclient
A simple SMB client, with an interface similar to that of the FTP utility. It can be used from a UNIX system to connect to a remote SMB share, transfer files, and send files to remote print shares (printers).
nmblookup
A NetBIOS name service client. Nmblookup can be used to find NetBIOS names on a network, look up their IP addresses, and query a remote machine for the list of names the machine believes it owns.
swat
The Samba Web Administration Tool. Swat allows you to configure Samba remotely, using a web browser.

There are more, of course, but describing them would require explaining even more bits and pieces of CIFS, SMB, and Samba. That's where things really get tedious, so we'll leave it alone for now.

SMB Filesystems for Linux

One of the cool things that you can do with a Windows box is use an SMB file share as if it were a hard disk on your own machine. The N: drive can look, smell, feel, and act like your own disk space, but it's really disk space on some other computer somewhere else on the network.

Linux systems can do this too, using the smbfs filesystem. Built from Samba code, smbfs (which stands for SMB Filesystem) allows Linux to map a remote SMB share into its directory structure. So, for example, the /mnt/zarquon directory might actually be an SMB share, yet you can read, write, edit, delete, and copy the files in that directory just as you would local files.

The smbfs is nifty, but it only works with Linux. In fact, it's not even part of the Samba suite. It is distributed with Samba as a courtesy and convenience. A more general solution is the new smbsh (SMB shell, which is still under development at the time of this writing). This is a cool gadget. It is run like a UNIX shell, but it does some funky fiddling with calls to UNIX libraries. By intercepting these calls, smbsh can make it look as though SMB shares are mounted. All of the read, write, etc. operations are available to the smbsh user. Another feature of smbsh is that it works on a per user, per shell basis, while mounting a filesystem is a system-wide operation. This allows for much finer-grained access controls.

Setup and Management

Samba is configured using the smb.conf file. This is a simple text file designed to look a lot like those *.ini files used in Windows. The goal, of course, is to give network administrators familiar with Windows something comfortable to play with. Over time, though, the number of things that can be configured in Samba has grown, and the percentage of Network Admins willing to edit a Windows *.ini file has shrunk. For some people, that makes managing the smb.conf file a bit daunting.

Still, learning the ins and outs of smb.conf is a worthwhile penance. Each of the smb.conf variables has a purpose, and a lot of fine-tuning can be accomplished. The file structure contents are fully documented, so as to give administrators a running head start, and smb.conf can be manipulated using swat, which at least makes it nicer to look at.

The Present

Samba 2.0 was released in January 1999. One of the most significant and cool features of the 2.0 release was improved speed. Ziff-Davis Publishing used their Netbench software to benchmark Samba 2.0 on Linux against Windows NT4. They ran all of their tests on the same PC hardware, and their results showed Samba's throughput under load to be at least twice that of NT. Samba is shipped with all major Linux distributions, and Ziff-Davis tested three of those.

Another milestone was reached when Silicon Graphics (SGI) became the first commercial UNIX vendor to support Samba. In their December 1998 press release, they claimed that their Origin series servers running Samba 2.0 were the most powerful line of file servers for Windows clients available. SGI now offers commercial support for Samba as do several other providers, many of which are listed on the Samba web site (see http://samba.org/). Traditional Internet support is, of course, still available via the comp.protocols.smb newsgroup and the samba@samba.org mailing list.

The Samba Team continues to work on new goodies. Current interests include NT ACLs (Access Control Lists), support for LDAP (the Lightweight Directory Access Protocol), NT Domain Control, and Microsoft's DFS (Distributed File System).

The Future

Windows 2000 looms on the horizon like a lazy animal peeking its head over the edge of its burrow while trying to decide whether or not to come out. No one is exactly sure about the kind of animal it will be when it does appear, but folks are fairly certain that it will have teeth.

Because of their dominance on the desktop, Microsoft gets to decide how CIFS will grow. Windows 2000, like previous major operating system releases, will give us a whole new critter to study. Based on the beta copies and the things that Microsoft has said, here are some things to watch for:

CIFS Without NetBIOS
Microsoft will attempt to decouple CIFS and NetBIOS. NetBIOS won't go away, mind you, but it won't be required for CIFS networking either. Instead, the SMB protocol will be carried natively over TCP/IP. Name lookups will occur via the DNS.
Dynamic DNS
Microsoft will implement Dynamic DNS, a still-evolving system designed by the IETF (Internet Engineering Task Force). Dynamic DNS allows names to be added to a DNS server on-the-fly.
Kerberos V
Microsoft has plans to use Kerberos V. The Microsoft K5 tickets are supposed to contain a Privilege Attribute Certificate (PAC) <http://www.usenix.org/publications/login/1997-11/embraces.html>, which will include user and group ID information from the Active Directory. Servers will be looking for this PAC when they grant access to the services that they provide. Thus, Kerberos may be used for both authentication and authorization.
Active Directory
The Active Directory appears to be at the heart of Windows 2000 networking. It is likely that legacy NetBIOS services will register their names in the Active Directory.
Hierarchical NT Domains
Instead of isolated Domain Controllers, the NT Domain system will become hierarchical. The naming system will change to one that is remarkably similar to that of the DNS.

One certainty is that W2K (as it is often called) is, and will be, under close scrutiny. Windows has already attracted the attention of some of the Internet Wonderland's more curious inhabitants, including security analysts, standards groups, crackers dens, and general all-purpose geeks. The business world, which has finally gotten a taste of the freedom of Open Source Software, may be reluctant to return to the world of proprietary, single-vendor solutions. Having the code in your hands is both reassuring and empowering.

Whatever the next Windows animal looks like, it will be Samba's job to help it get along with its peers in the diverse world of the Internet. The Samba Team, a microcosm of the Internet community, are among those watching W2K to see how it develops. Watching does not go hand-in-hand with waiting, though, and Samba is an on-going and open effort. Visit the Samba web site, join the mailing lists, and see what's going on.

Participate in the future.

39.2 Configuring Samba

That said, configuring smbd is really easy. A typical LAN will require a UNIX machine that can share /home/* directories to Windows clients, where each user can log in as the name of their home directory. It must also act as a print share that redirects print jobs through lpr, in PostScript, the way we like it. Consider a Windows machine divinian.cranzgot.co.za on a local LAN 192.168.3.0/24. The user of that machine would have a UNIX login psheer on the server cericon.cranzgot.co.za.

The usual place for Samba's configuration file is /etc/samba/smb.conf on most distributions. A minimalist configuration file to perform the above functions might be:

[global]
    workgroup = MYGROUP
    server string = Samba Server
    hosts allow = 192.168.127.
    printcap name = /etc/printcap
    load printers = yes
    printing = bsd
    log file = /var/log/samba/%m.log
    max log size = 0
    security = user
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    printable = yes
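
As an added example (not from the Rute text or the Samba project), the following shell script checks an smb.conf for the settings the configuration above depends on: user-level security rather than share mode, encrypted passwords, a hosts allow list that names the LAN, and no guest access to the printers. It assumes the 192.168.3. prefix of the LAN described above, and the two sample files it audits are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Rute text or of Samba itself: audit an
# smb.conf for the settings the chapter relies on. Samba ignores spaces and
# case in parameter names ("encrypt passwords" == "encryptpasswords"), so the
# lookup strips them too. LAN prefix 192.168.3. is from the text; files are constructed.

# smb_get FILE SECTION KEY : print the value of KEY in [SECTION], or nothing.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }                        # comment line
        /^[ \t]*\[/  { sec = $0; gsub(/[][ \t]/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == want_key) { print val; exit }
        }' "$1"
}

# smb_audit FILE LANPREFIX : print one line per weak or missing setting.
smb_audit() {
    f=$1; lan=$2
    sec=$(smb_get "$f" global security)
    [ "$sec" = user ] ||
        echo "global: security=${sec:-unset} (share mode hands one password to everyone; use user)"
    [ "$(smb_get "$f" global encryptpasswords)" = yes ] ||
        echo "global: encrypt passwords is not yes"
    hosts=$(smb_get "$f" global hostsallow)
    case " $hosts " in
        *" $lan "*) ;;
        *) echo "global: hosts allow='$hosts' does not list the LAN prefix $lan" ;;
    esac
    [ "$(smb_get "$f" printers guestok)" = no ] ||
        echo "printers: guest ok is not no (anyone could spool to the print queue)"
}

# Constructed "weak" smb.conf: share mode, wrong LAN prefix, guest printing.
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
   security = share
   hosts allow = 10.0.0.
[homes]
   writable = yes
[printers]
   path = /var/spool/samba
   guest ok = yes
   printable = yes
EOF
}

# Constructed smb.conf with the chapter's settings and hosts allow on the LAN.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[global]
   hosts allow = 192.168.3.
   security = user
   encrypt passwords = yes
[homes]
   browseable = no
   writable = yes
[printers]
   path = /var/spool/samba
   browseable = no
   guest ok = no
   printable = yes
EOF
}

tmp=$(mktemp)
write_weak_conf "$tmp";     echo "== weak";     smb_audit "$tmp" 192.168.3.
write_hardened_conf "$tmp"; echo "== hardened"; smb_audit "$tmp" 192.168.3.
rm -f "$tmp"
```

To audit a live server, call smb_audit /etc/samba/smb.conf 192.168.3. and read the findings; testparm remains the authority on what Samba itself accepts.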

The SMB protocol stores passwords differently from UNIX. It therefore needs its own password file, usually /etc/samba/smbpasswd. There is also a mapping between UNIX logins and Samba logins in /etc/samba/smbusers, but for simplicity we will use the same UNIX name as the Samba login name. We can add a new UNIX user and Samba user and set both their passwords with

smbadduser psheer:psheer
useradd psheer
smbpasswd psheer
passwd psheer

Note that with SMB there are all sorts of issues with case interpretation -- an incorrectly typed password could still work with Samba but obviously won't with UNIX.

To start Samba, run the familiar

/etc/init.d/smbd start
( /etc/rc.d/init.d/smbd start )
( /etc/init.d/samba start )

For good measure, there should also be a proper DNS configuration with forward and reverse lookups for all client machines.

At this point you can test your Samba server from the UNIX side. LINUX has native support for SMB shares with the smbfs file system. Try mounting a share served by the local machine:

mkdir -p /mnt/smb
mount -t smbfs -o username=psheer,password=12345 //cericon/psheer /mnt/smb

You can now run tail -f /var/log/samba/cericon.log. It should contain messages like:

cericon (192.168.3.2) connect to service psheer as user psheer (uid=500, gid=500) (pid 942)

where a ``service'' means either a directory share or a print share.

The useful utility smbclient is a generic tool for running SMB requests, but is mostly useful for printing. Make sure your printer daemon is running (and working) and then try

echo hello | smbclient //cericon/lp 12345 -U psheer -c 'print -'

which will create a small entry in the lp print queue. Your log file will be appended with:

cericon (192.168.3.2) connect to service lp as user psheer (uid=500, gid=500) (pid 1014)
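
As an added example (not from the Rute text or from Samba), this script reads smbd log lines in the format of the two messages above and flags what the setup described here should never produce: a connection from outside the 192.168.3.0/24 LAN, and a user opening a share that is neither their own home share nor the lp print queue. The log lines it scans are constructed for the example; the first two copy the page's messages.

```shell
#!/bin/sh
# Added example, not from the Rute text or from Samba: scan an smbd log for
# "connect to service" lines and flag connections the chapter's setup should
# not produce. Assumptions: LAN prefix 192.168.3. and print queue lp come from
# the text; the sample log below is constructed.

# smb_log_alerts LOGFILE LANPREFIX PRINTQUEUE : print one ALERT line for each
# connection from outside the LAN, and for each connection by user U to a
# share that is neither U's own home share nor the print queue. Samba's
# [homes] section answers to any user name in the password file, so the
# second case means a user reached into someone else's home directory
# (subject to UNIX permissions) and is worth a look.
smb_log_alerts() {
    awk -v lan="$2" -v lp="$3" '
        $3 == "connect" && $4 == "to" && $5 == "service" {
            host = $1; ip = $2; gsub(/[()]/, "", ip)   # "(192.168.3.2)" -> IP
            svc = $6; usr = $9
            if (index(ip, lan) != 1)
                printf "ALERT off-LAN client %s (%s) opened %s as %s\n", host, ip, svc, usr
            else if (svc != usr && svc != lp)
                printf "ALERT %s from %s opened share %s (not own home, not %s)\n", usr, ip, svc, lp
        }' "$1"
}

# write_sample_log FILE : constructed log in the page's smbd message format.
write_sample_log() {
    cat > "$1" <<'EOF'
cericon (192.168.3.2) connect to service psheer as user psheer (uid=500, gid=500) (pid 942)
cericon (192.168.3.2) connect to service lp as user psheer (uid=500, gid=500) (pid 1014)
divinian (192.168.3.7) connect to service jsmith as user psheer (uid=500, gid=500) (pid 1020)
outside (10.20.30.40) connect to service psheer as user psheer (uid=500, gid=500) (pid 1031)
divinian (192.168.3.7) closed connection to service psheer
EOF
}

tmp=$(mktemp)
write_sample_log "$tmp"
smb_log_alerts "$tmp" 192.168.3. lp
rm -f "$tmp"
```

On the server itself, run smb_log_alerts against each /var/log/samba/*.log, since the log file parameter above splits logs per client machine.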

39.3 Configuring Windows

Configuration from Windows begins with a working TCP/IP configuration.

Next, you need to Log Off from the Start menu and log back in as your Samba user.

Finally, go to Run... in the Start menu and enter \\cericon\psheer. You will be prompted for a password, which you should enter as for the smbpasswd program above.

This should bring up your home directory like you have probably never seen it before.

39.4 Configuring a Windows Printer

Under Settings in your Start menu, you can add new printers. Your UNIX lp print queue is visible as the \\cericon\lp network printer and should be entered as such in the configuration wizard. For a printer driver, you should choose ``Apple Color Laserwriter,'' since this driver just produces regular PostScript output. In the printer driver options you should also select to optimize for ``portability.''

39.5 Configuring swat

swat is a service, run from inetd, that listens for HTTP connections on port 901. It allows complete remote management of Samba from a web browser. To configure, add the service swat 901/tcp to your /etc/services file, and the following to your /etc/inetd.conf file.


swat stream tcp nowait root /usr/sbin/tcpd /usr/sbin/swat

being very careful who you allow connections from. If you are running xinetd, create a file /etc/xinetd.d/swat:

service swat
{
    port            = 901
    socket_type     = stream
    wait            = no
    only_from       = localhost 192.168.0.0/16
    user            = root
    server          = /usr/sbin/swat
    server_args     = -s /etc/samba/smb.conf
    log_on_failure  += USERID
    disable         = no
}

After restarting inetd (or xinetd), you can point your web browser to http://cericon:901/. Netscape will request a user and password. You should log in as root (swat does not use smbpasswd to authenticate this login). The web page interface is extremely easy to use and, being written by the Samba developers themselves, can be trusted to produce working configurations. The web page also gives a convenient interface to all the documentation. Do note that it will completely overwrite your existing configuration file.
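
As an added example (not from the Rute text or from xinetd), this script pulls the only_from line out of an xinetd swat stanza and reports entries that reach beyond the 192.168.3.0/24 LAN of this chapter, the point being that swat accepts the root password over plain HTTP, so port 901 should be reachable from as few hosts as possible. The stanzas it checks are constructed; the first carries the only_from value shown above, whose /16 is wider than the LAN and is therefore reported.

```shell
#!/bin/sh
# Added example, not from the Rute text or from xinetd: check the access
# restriction on the swat stanza. Assumptions: the LAN is 192.168.3.0/24 as in
# the text, given here as the prefix 192.168.3.; the stanzas are constructed.

# xinetd_only_from FILE : print the only_from value of "service swat", or nothing.
xinetd_only_from() {
    awk '
        /^[ \t]*service[ \t]+swat[ \t]*$/ { in_swat = 1; next }
        in_swat && /^[ \t]*}/ { in_swat = 0 }
        in_swat && /^[ \t]*only_from[ \t]*\+?=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# swat_check FILE LANPREFIX : one line per problem. Each only_from entry must
# be localhost, 127.0.0.1, or start with the LAN prefix (192.168.3.0/24 does,
# 192.168.0.0/16 does not). A missing only_from means no restriction at all.
swat_check() {
    allowed=$(xinetd_only_from "$1")
    [ -n "$allowed" ] || { echo "swat: no only_from line, port 901 is open to every host"; return 0; }
    for entry in $allowed; do
        case "$entry" in
            localhost|127.0.0.1) ;;
            "$2"*) ;;
            *) echo "swat: only_from entry $entry is outside the LAN $2" ;;
        esac
    done
}

# write_swat_stanza FILE ONLY_FROM : constructed /etc/xinetd.d/swat in the
# page's layout; pass "" to leave the only_from line out entirely.
write_swat_stanza() {
    {
        echo "service swat"
        echo "{"
        echo "    port        = 901"
        echo "    socket_type = stream"
        echo "    wait        = no"
        [ -n "$2" ] && echo "    only_from   = $2"
        echo "    user        = root"
        echo "    server      = /usr/sbin/swat"
        echo "    server_args = -s /etc/samba/smb.conf"
        echo "    disable     = no"
        echo "}"
    } > "$1"
}

tmp=$(mktemp)
write_swat_stanza "$tmp" "localhost 192.168.0.0/16"; echo "== as shown";  swat_check "$tmp" 192.168.3.
write_swat_stanza "$tmp" "localhost 192.168.3.0/24"; echo "== tightened"; swat_check "$tmp" 192.168.3.
write_swat_stanza "$tmp" "";                         echo "== no limit";  swat_check "$tmp" 192.168.3.
rm -f "$tmp"
```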

39.6 Windows NT Caveats

Windows SMB servers compete to be the name server of their domain by version number and uptime. By this we again mean the Windows name service and not the DNS service. How exactly this works I will not cover here, [Probably because I have no idea what I am talking about.] but do be aware that configuring a Samba server on a network of many NT machines and getting it to work can be a nightmare. A solution once attempted was to shut down all machines on the LAN, then pick one as the domain server, then bring it up first after waiting an hour for all possible timeouts to have elapsed. After verifying that it was working properly, the rest of the machines were booted.

Then of course, don't forget your nmblookup command.

