Tuesday, September 28, 2004 09:05 // SANE 2004, RAI, Amsterdam
A tutorial by Gerald Carter.
General Things
The big accomplishment of the Samba team is that they document things which MS does not document.
In October 2004, support for Samba 2.x will be dropped.
The configuration parameter parsing code and the autoconf files in Samba 3 are larger than the whole Samba distribution of 13 years ago.
Samba 4 is a complete rewrite from ground up. Don't wait for it!
Samba 3.2 will get backports of some 4.0 features, like their RPC code and better ACL support, to make Samba servers look even more like Windows servers.
There are about 3 people working on Samba 3.x and 3 people working on Samba 4.
A further goal for Samba 4 is to make the CIFS protocol a viable alternative to NFS. Unix extensions are being worked on to work out the wrinkles with non-unified UIDs.
Samba 3 tidbits
The big underestimated tool in Samba 3 is net. It is similar to its Windows namesake. Unfortunately there is not much documentation on it, but if you start it without parameters it will tell you what it does.
If you run Samba without NetBIOS support and you want to use several different configurations on the same server, you can add virtual interfaces and then use the %I substitution variable to load a different configuration depending on the interface the client connected to.
Samba always tells its version number. This is not a security issue: if knowing the Samba version allows someone to hack into a Samba server, this means there is a bug in Samba which needs to be fixed.
Per-service parameters set in the [global] section become the default for all services which do not set the parameter explicitly.
To reduce the load on your Samba server, use the deadtime option in the [global] section. It is set to 0 by default. If you set it to 15, Samba will kill seemingly dead connections (this happens a lot with print clients) after 15 minutes, in general without negative effects on the client side.
In the samba config file you can access environment variables using the %$(ENVVAR) syntax.
SWAT, the Samba administration GUI, will probably be integrated into Samba by letting smbd execute swat for connections on port 901.
Windows will not show any shares whose name ends in $. This is only cosmetic though; it does not prevent connections to the share. Using the 'browseable' setting may make more sense, as this prevents listing of the share on the server side (still no security, but you are free to choose the name).
Configuring samba for guest access
[global]
   map to guest = bad user
   guest ok = yes
   username map = /file
   ...
And make /file contain:
# map everyone to an invalid user
foo = *
Samba Authentication
Windows uses a challenge-response system when authenticating users. This requires both ends to share a common secret. Windows does not store plain text passwords, it does encrypt them, but there is no salt in LanMan hashes (Windows encrypted passwords). Even worse, due to the challenge-response system, anyone who is able to get a copy of an encrypted password can use it with a properly hacked smbclient to access the corresponding Windows account. LanMan v2 hashes added some measures to prevent man-in-the-middle attacks, but the base problem remains. This means you have to be much more careful to prevent third parties from accessing encrypted Windows passwords, as they do not even have to be cracked before they can be used.
There is also a positive side to this: due to the challenge-response approach, a hostile (hacked) server will not be able to collect passwords from users trying to log on.
Samba can use multiple passdb backends. If several passdb backends are defined in smb.conf, Samba will search all backends. If a password gets changed, Samba will change it in the passdb backend where the password came from. If a new user is added, it gets added to the first backend listed in passdb backend.
For storing additional information per user, use at least the tdbsam backend. The text based smbpasswd can only store the most basic information.
Quote: LDAP is not that difficult, but the problem is that people try to walk before they crawl.
Samba needs a Unix account for every user.
Note that smbpasswd does not allow entering the password on the command line anymore, but it can now take input from stdin:
(echo pass;echo pass)|smbpasswd -a user -s
Access
If users have problems with the fact that they can connect to other users' home directories, put the following in your [homes] share:
[homes]
   valid users = %S
Instead of using complex mask settings for files and directories, you can set the inherit permissions parameter and manage the permissions at the Unix directory level. This allows you to have only one group share with different access permissions down the tree.
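The tidbits above describe several behaviours that are easy to get wrong when reading an smb.conf by hand: a parameter set in [global] is the default for every service that does not set it itself, a share name ending in $ is hidden only cosmetically unless browseable is off, guest mapping can open shares unintentionally, and [homes] needs valid users = %S. The script below is an added example (not code from the tutorial or from the Samba project) that parses a constructed smb.conf, resolves [global] defaults per share, expands an include line using the %I interface trick from the NetBIOS-less setup described earlier, and reports those conditions. The sample config, the in-memory include "files", the interface addresses and the audit rules are all the example's own assumptions.

```python
"""Audit an smb.conf for the share-level settings discussed in the notes.

Added example, not code from the tutorial or the Samba project. It models
[global] fall-through for per-service parameters and `include` lines that
use %I. The config text, the include files and the audit rules below are
constructed for this example. Parameter synonyms (e.g. 'browsable',
'public') are not folded; the sample does not use them.
"""
import re

# Constructed sample config; the include line uses the %I trick.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   disable netbios = yes
   map to guest = bad user
   guest ok = yes
   include = /etc/samba/smb.conf.%I

[homes]
   path = /home/%S
   guest ok = no

[hidden$]
   path = /export/hidden
# relies on the trailing $ alone; browseable inherits the default

[secret]
   path = /export/secret
   browseable = no
   guest ok = no
   valid users = @staff
"""

# Constructed stand-in for files on disk, keyed by the path after %I expansion.
SAMPLE_INCLUDES = {
    "/etc/samba/smb.conf.192.0.2.10": "[public]\n   path = /export/public\n   guest ok = yes\n",
}

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text, interface=None, files=None):
    """Return {section: {param: value}}. Parameter names are lowercased with
    whitespace removed, which is how Samba normalises them. An `include`
    line is expanded from `files` after substituting %I with `interface`
    (simplified: sections from the included text are merged in)."""
    files = files or {}
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # whole-line comments only
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        value = value.strip()
        if key == "include":
            target = value.replace("%I", interface or "")
            for sec, params in parse_smb_conf(files.get(target, ""), interface, files).items():
                sections.setdefault(sec, {}).update(params)
            continue
        sections[current][key] = value
    return sections


def effective(sections, share, param, default=None):
    """Per-service value, falling back to [global], then to Samba's default."""
    value = sections.get(share, {}).get(param)
    if value is None:
        value = sections.get("global", {}).get(param)
    return default if value is None else value


def is_true(value):
    return str(value).lower() in TRUE_VALUES


def audit(sections):
    """Return (share, finding) pairs for the risks the notes discuss."""
    findings = []
    for share in sections:
        if share == "global":
            continue
        if is_true(effective(sections, share, "guestok", "no")):
            findings.append((share, "guest access allowed"))
        if share.endswith("$") and is_true(effective(sections, share, "browseable", "yes")):
            findings.append((share, "hidden only by the trailing $; set browseable = no"))
        if share == "homes" and effective(sections, share, "validusers") != "%S":
            findings.append((share, "valid users = %S missing; users can open other home directories"))
    return findings


if __name__ == "__main__":
    for iface in ("192.0.2.10", "192.0.2.11"):
        conf = parse_smb_conf(SAMPLE_SMB_CONF, iface, SAMPLE_INCLUDES)
        print(iface, sorted(conf), audit(conf))
```

Run against the constructed config, a client arriving on 192.0.2.10 sees the extra [public] share from the included file and it is flagged as guest-accessible; on any other interface that share does not exist. The [hidden$] share is flagged twice, once because it inherits guest ok = yes from [global] and once because it relies on the $ alone, while [homes] is flagged for the missing valid users = %S. The [homes] check is deliberately strict (exactly %S); relax it if your site adds administrators to that list.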
Share-level ACLs are done internally in samba, so they do not require any filesystem acl support.
MS-DFS
With MS-DFS, a server can send a transparent referral to a client so that it queries a different server. To make it work, the client's password must work on both servers.
In smb.conf:
[global]
   host msdfs = yes
[dfs]
   msdfs root = yes
   path = /export/dfs
In /export/dfs do:
ln -s 'msdfs:server1\share1,server2\share2,...' directory
This will cause requests for \\server\dfs to be transparently redirected to \\server1\share1, or to \\server2\share2 if the first one is missing.
Samba can even do DFS proxies. In smb.conf on server1 do:
[proxyshare]
   msdfs proxy = \\server2\anothershare
Printing
On a printer share you can define how much space must be left (in kB) before a new job is accepted:
min print space = 5000
In RPC based printing the %c value contains the number of pages to print.
If you use Samba as a print server, you may want to define the default configuration data which is installed together with a printer driver. For this, install one printer (let's call it seedprinter) with the driver you are interested in, change the printer defaults from Windows, and then call rpcclient with the magic setprinterdata value _p_f_a_n_t_0_m_. This copies the printer configuration data of 'seedprinter' as the default for all printers which use the same printer driver, as well as for any new printer which is associated with this driver.
rpcclient -U printadmin -c "setprinterdata seedprinter _p_f_a_n_t_0_m_ xxx" server
The xxx argument is ignored, so use just any string ...
The caveat about this is that when we tried it during the talk, it did not work.
NetBIOS
Samba 3 works fine with NetBIOS disabled. Just don't start nmbd, make sure all your servers are in DNS, and use the following in your smb.conf file:
[global]
   ...
   name resolve order = host
   disable netbios = yes
Several Samba Servers using the same authentication source
To have several Samba servers authenticate against the same user database, you can set up one Samba server as a PDC and make the other Samba instances into clients of that server. Make sure you do not give winbind a user id or group id mapping range in its config, so that it falls back to using the user and group ids provided by the Unix host.
Windows Integration
When storing user profiles on Samba you may want to use the path %H/.winprofile/%a as logon path; this will store the user's profile on a 'per Windows release' basis. Note the logon path is not your home!
A PDC requires a machine trust account for each host which uses it. These accounts get created when a machine joins the domain. This means that Samba must have the appropriate scripts defined, and to be able to run these scripts, machines must join using the 'root' account of the Samba server. This means you need a Samba password for root, and the whole setup may make you feel rather edgy :-). The Samba folks are working on this.
If you ever want to migrate a Windows NT4 PDC to a Samba domain controller, the command net rpc vampire is your friend, as it will suck all the account information out of an existing PDC. This relies on the availability of the scripts mentioned in the previous paragraph.
Content © by Tobias Oetiker