Nowadays, it is quite common to find computers running Linux and Windows on the same local network. The reasons for this symbiosis may be different: for example, the owners of an Internet cafe did not have enough funds to purchase a licensed OS for all computers, or system administrator I was simply attracted to the positive aspects of Linux. The popularity of Microsoft operating systems is largely determined by client software for Windows. It's no secret that this software sector is very developed. Many companies have made serious efforts to this and have created really good, and most importantly, easy-to-use programs that even an ordinary user can easily master. But as a server, Windows’ position is no longer so clear. A server running Unix is ​​traditionally distinguished by reliability, stability, security and often lower requirements for system resources. But in any case, simply connecting computers with different software platforms to the network will not get the expected result. The whole problem is that these two systems use different principles organizations of network resources that are incompatible with each other.
Since there is no need to wait for Microsoft's mercy, and Windows is unlikely to learn to work with the Unix network file system (NFS) standard means, and to be honest, I don’t know any third-party programs, the most popular way is to try to teach Unix to “pretend” that it is Windows NT.

Interaction in a network of computers under Windows control built on the use of the protocol SMB (Server Message Block)— blocks of server messages. It ensures that all the tasks necessary in these cases are performed: opening and closing, reading and writing, searching for files, creating and deleting directories, setting a print job and deleting it from there. All actions necessary for this are implemented in Unix-like operating systems using the package SAMBA. Its capabilities can be divided into two categories: provision of resources (by which we mean access to the printer system and files) for Windows clients and access to client resources. That is, a computer running Linux can act as both a server and a client. First, let's consider the SAMBA server option.

What should SAMBA provide for normal operation on a network of Windows machines? First, access control, which can be implemented either at the resource level (share level), when a password and corresponding usage rules are assigned to any resource on the network (for example, “read only”), while the user name has absolutely no no meaning; or a more advanced and flexible organization at the user level, when an account is created for each user, which, in addition to the name and password, contains all the necessary information about access rights to the resource. Before gaining access to the required resource, each user is authenticated, after which he is granted rights according to his accounts. Secondly, emulation of access rights determined by the file system is necessary. The thing is that the systems in question have access rights to files and directories on the disk differently. In Unix, there are traditionally three categories of file users: owner, group And the rest (other). Each of these entities may be provided read permissions, write And execution. In Windows NT, the access system is somewhat more flexible; access is granted to several groups or users, and the corresponding access rights are determined separately for each subject. Therefore, it is impossible to fully emulate the access rights inherent in NTFS using SAMBA.

With clients running Windows 9x, the situation is different. Since the time of the grandfather of DOS, due to the fact that the system is single-user and there could be no talk of any users, much less groups, only four attributes have been defined for the FAT file system - read only, system, archive and hidden. Plus, in Windows, unlike Unix, the file extension has a special meaning - those that are intended to be executed have the extensions .exe, .com or .bat. When copying files from Unix machines to Windows computers, the attributes are set like this:

only for reading— reading, writing for the owner;

archival— execution for the owner;

systemic— execution for the group;

hidden - execution for the group.

A network of Windows machines can be organized as a workgroup, when the computers are independent of each other and each has its own database of passwords and logins with its own security policy, and also as an NT domain. The entire basis for user and computer authentication is managed primary domain controller (PDC, Primary Domain Controller), i.e. centralized. Samba allows you to restrict access at all of these levels and acts as a "master browser" in the context of a workgroup or domain controller.

We have sorted out the general organizational issues. Let's now look specifically at the implementation and configuration of a SAMBA server in Linux. For the Samba server to work, two daemons must be running: smbd, which provides a print and file sharing service for Samba clients (such as Windows of all stripes), and nmbd, which powers the NetBIOS name service (it can also be used to query other name service daemons). The protocol is used to access clients TCP/IP. Typically, Samba is installed with a Linux distribution. How to check? Just give the command:

$whereis samba

and you should get something like this:

Samba: /usr/sbin/samba /etc/samba /usr/share/man/man7/samba.7.gz

If it is not included in the standard distribution, then welcome to ftp://ftp.samba.org/pub/samba/samba-latest.tar.gz or almost any server with programs for Linux. The package is easy to install, so in order not to take up space, we will assume that you have it installed. Now let's check if the daemon is running:

$ ps -aux | grep smbd root 1122 0.0 0.6 4440 380 ? S 16:36 0:00 smbd -D

As you can see, I already have it running. If you don’t have it, and you want it to start when the system boots, then in Linux Mandrake, for example, check the desired box in DrakConf— starting services or in Red HatСontrol-panel— Service Configuration, usually this is enough. Or start manually: ./etc/rc.d/init.d/smb start. The only Samba configuration file is called smb.conf and is usually located in the /etc directory (although in AltLinux, for example, it is in the /etc/samba directory). The SAMBA service reads it every 60 seconds, so changes made to the configuration take effect without rebooting, but do not apply to already established connections.

This is why I love Linux, because the configuration files are plain text (and well commented inside), and in order to use most of the parameters, you just need to uncomment the corresponding line. The smb.conf file is no exception. It consists of named sections starting with the section name enclosed in square brackets. Inside each section there are a number of parameters in the form key=value. The configuration file contains four special sections: , , and individual resources (shares). As the name suggests, the section contains the most general characteristics that will apply everywhere, but which, however, can then be overridden in sections for individual resources. Some parameters in this section are also relevant to configuring the Samba client part.

Values ​​of typical section parameters global:

Workgroup = group_name # name of the workgroup on the Windows network netbios name = name of the server on the network server string = comment that is visible in the network browsing properties window guest ok = yes # allowing guest login (guest ok = no - guest login is prohibited) guest account = nobody # name under which guest login is allowed security = user # Access level. user - at the user level, security = share - authentication based on username and password. When storing the password database on another SMB server, the values ​​security = server and password server = name_server_NT are used. If the server is a member of a domain, the value security = domain is used, the access password is specified in the file defined using the smb passwd file = /path/to/file option.

In addition, during registration you can use encrypted and unencrypted (plain-text) passwords. The latter are used in old Windows(Windows for Workgroups, Windows 95 (OSR2), all versions of Windows NT 3.x, Windows NT 4 (up to Service Pack 3)). To enable the option to use an encrypted password, use the encrypt password = yes option. Please pay special attention to this option. In older Linux distributions that were created during the Windows 95 era (and beyond), old version Samba) password encryption is disabled by default, and samba is up to version 2.0 does not support this mode at all (by the way, this option and similar ones - those that do not relate to access to specific resources - are also used in the client).

To correctly display Russian file names, the following options are needed: client code page = 866 and character set = koi8-r. In distributions with good localization, for example, derivatives from Mandrake and Russian ones, this line is already there; sometimes it’s enough just to uncomment it, but in most others you have to add it yourself.

The interfaces = 192.168.0.1/24 option specifies which network (interface) the program should run on if the server is connected to several networks at once. When setting the bind interfaces only = yes parameter, the server will only respond to requests from these networks.

hosts allow = 192.168.1. 192.168.2. 127. — defines clients for whom access to the service is allowed.

In the global section, you can use various variables for more flexible configuration of the server. After the connection is established, real values ​​are substituted instead. For example, in the log file = /var/log/samba/%m.log directive, the %m parameter helps define a separate log file for each client machine. Here are the most common variables used in the global section:

%a - OS architecture on the client machine (possible values ​​- Win95, Win NT, UNKNOWN, etc.);

%m — NetBIOS name of the client computer;

%L — NetBIOS name of the SAMBA server;

%v — SAMBA version;

%I — IP address of the client computer;

%T — date and time;

%u is the name of the user working with the service;

%H is the home directory of user %u.

Also, for more flexible configuration, the include directive is used, using the above variables. For example: include = /etc/samba/smb.conf.%m - now when you request sales from a computer and there is a file /etc/samba/smb.conf.sales, the configuration will be taken from this file. If there is no separate file for a particular machine, then a common file is used to work with it.

There is also an interesting possibility creation virtual server . To do this, use the netbios aliases parameter:

Netbios aliases = sales accounting admin

Now we tell Samba to use its own configuration file for each virtual server:

Include = /etc/samba/smb.conf.%L

Three servers will be visible in the network browser window: sales, accounting, admin.

Enabling the preserve case and short preserve case options causes the server to save all input in a case-sensitive manner (on Windows case is not case-sensitive, on all Unix systems it is the other way around).

The section allows users to connect to their working directories without explicitly describing them. When a client requests its //sambaserver/sergej directory, the machine looks for the corresponding description in the file and, if it does not find it, then looks for the presence of this section. If the partition exists, it looks through the password file to find the working directory of the user making the request and, if found, makes it available to the user.

A typical description of this section looks like this:

Comment = Home Directories # comment that is visible in the network properties window browseable = no # determines whether to display the resource in the browse list. writable = yes # allows (no - denies) writing to the home directory create mode = 0750 # access rights for newly created files directory mode = 0775 # also, but only for directories

After configuring the default settings, you can create network resources that can be accessed by a specific user or group of users. Such a resource is created from an already existing directory; for this we write in the file:

Comment = Public Stuff path = /home/samba public = yes writable = no printable = no write list = administrator, @sales

The path parameter points to the directory in which the resource is located; the public parameter specifies whether the resource can be used by a guest, and the printable parameter specifies whether the resource can be used for printing. The write list parameter allows you to define users who are allowed to write to a resource regardless of the writable value (in this example, these are the administrator user and the sales group). It is also possible to use the opposite list - read list. If there is a need to hide some files, then in Unix/Linux the file name must begin with a dot (the hide dot files parameter, which controls the display hidden files, defaults to yes). In addition, it is possible to specify templates for the names of hidden files, for which the hide files parameter is used. Each pattern begins and ends with a forward slash (/) character and can contain characters used in regular expressions. For example: hide files = /*.log/??.tmp/. Such tricks cost Windows users just by setting the “Show hidden and system files» Conductor. To confidently limit the availability (the ability to delete) a file (directory), use the veto files and delete veto files parameters.

With CD drives the situation is somewhat more complicated. The thing is that in Unix-like systems there is no concept of a disk as such, and in order to gain access to the desired device, it must first be mounted into a directory tree (# mount -t iso9660 /dev/cdrom /mnt/cdrom) , and after use, so as not to destroy file system, must be unmounted (# umount /dev/cdrom), otherwise the device simply will not give up the disk. If you have a daemon running on your server autofs, then the problem is easily solved. To automatically unmount a device that has been unused for some time, set the timeout parameter in the /etc/auto.master file to the desired value. For example:

/mnt/auto/etc/ --timeout=5

(a similar line is already there, you just need to uncomment it). Then set the options for the appropriate device in the /etc/auto.tab file:

Cdrom -fstype=auto,ro:/dev/cdrom

After all this, we write the following lines in /etc/smb.conf to make this resource available:

Path = /mnt/cdrom writable = no

The second option is to use the preexec and postexec directives, which indicate which commands must be executed when accessing a resource and after disconnecting from it (these parameters can be specified for any resource and even in the global section, which opens up great possibilities).

Path = /mnt/cdrom read only = yes root preexec = mount /mnt/cdrom # Only root has the right to mount a resource root postexec = umount /mnt/cdrom # Naturally, these mount points must be described in the /etc/fstab file, otherwise You must also provide other information.

Now, when accessing a resource, the CD-ROM is automatically mounted, and sometimes unmounted. The whole problem is that the decision to close a resource must be made by the server - clients, as a rule, do not notify about this. But usually this happens because the resource is being used by several users at the same time or is left on one computer open file on this resource (Device busy). Therefore, the CD-ROM is not automatically unmounted; the only acceptable way to free up the resource is to look using the utility smbstatus number of the process using this resource and kill it with the command # kill pid_number (or kill -s HUP pid_number).

Having established the necessary configuration, we will now create user accounts (with the exception of the guest login with minimal rights nobody). To identify SAMBA users, the file /etc/samba/smbpasswd is used, which contains user names and encrypted passwords. Since the encryption mechanism in networks of Windows machines is not compatible with standard Unix mechanisms, a separate utility is used to fill out the password file - smbpasswd.

# useradd -s /bin/false -d /home/samba/sergej -g sales sergej # smbpasswd -a sergej # smbpasswd -e sergej

This example adds a new user sergej belonging to the group sales, with a dummy shell (possible options are /sbin/nologin, /dev/null) and a home directory /home/samba/sergej. Then we create a password for the user sergej and the last step is to enable access for the user, because it is disabled by default. An interesting point that can sometimes be confusing. The fact is that when connecting to a SAMBA server on a computer with Windows NT/2000, the user is prompted to enter, as expected, a login and password, and if a computer with Windows 9x/Me is used for access, then the user is prompted to enter only the password, and The login is generated automatically based on the registration name.

You can also map multiple Windows users to one Linux/Unix user. To do this, a mapping file /etc/smbusers.map is created, in which each mapping is specified as a separate line:

User_Linux = user_win1 user_win2 user_winN

In the section, add the line username map = /etc/smbusers.map. Wherein Windows user must be registered with the password of the user it is associated with.

Using SAMBA, you can organize network printing from computers running Windows (if you are planning a separate print server, then a machine based on a 486 processor is sufficient for this).

To do this, you need to write the following lines in the section:

Printcap name = /etc/printcap # file describing printers connected to the system load printers = yes # indicates the need for automatic inclusion in the list of network resources printing = lprng # printing system (for Linux bsd can also be used).

Path = /var/spool/samba # points to the directory where print jobs are placed browseable = yes printable = yes read only = yes

After creating the file, test it using the utility testparm. Unfortunately, using this program you can only detect syntax errors, not logical ones, so there is no guarantee that the services described in the file will work correctly (during testing, all settings will be displayed, even those installed by default - so review carefully result). But if the program does not complain, you can hope that the file will be downloaded without problems when launched. You can check the correct operation of the printers listed in the /etc/printcap file with the SAMBA server using the utility testprns. Plus, don’t forget about .log files: if problems arise, you can sometimes find a solution there.

Now a little about the good stuff. Configuring Samba is quite complex, but the distribution comes with a Web-based administration tool called swat(Samba Web Administration Tool, ). Swat runs as a service or using an Apache server and is designed to edit the smb.conf file, as well as check the status, start and stop Samba daemons, and change user passwords. For it to work as a service, the /etc/services file must contain the line swat 901/tcp, and the /etc/inetd.conf file must contain swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat (this is if the network daemon is used inetd, usually in older distributions; modern distributions use a more secure option - xinetd). In order to use swat in the /etc/xinet.d directory, create a swat file with the following content:

Service swat ( disable = no port = 901 socket_type = stream wait = no only_from = 127.0.0.1 # this is a line to run only from the local machine user = root server = /usr/sbin/swat log_on_failure += USERID )

Now to launch Swat in your browser window, enter:

Http://localhost:901

But before that, be sure to create a user admin in the manner described above. And never run the SAMBA service on behalf of root.

After all the changes to the smb.conf file, you will sometimes need to restart the daemon:

Smb: /etc/rc.d/init.d/smb restart

If after all the above steps it was still not possible to organize access to SAMBA resources, then utilities such as ping(to check the availability of a node on the network), nmblookup(to query NetBIOS names), or as a last resort tcpdump. And don’t forget about access rights, because by assigning the /gde/to/w/glubine directory to the user, you will give him the ability to read (execute right) the previous directories.

Now let's talk about using the Samba client, because we (Linux users) also want to work with network Windows resources. To find out what resources are available, you must enter the command /usr/bin/smbclient -L host_name. The program will ask for a password, in response to which in most cases you just need to press Enter. Now, to connect to the required resource, enter the computer name and the required resource. For example:

# /usr/bin/smbclient \\Alex\Sound

(here we are trying to connect to the Sound folder on Alex's computer). As a result, if the command was entered correctly and the network resource exists, you should be prompted to enter a password. Enter it or press Enter if a password is not required for access. In response, you will receive a samba client prompt: smb: >. Further work occurs through a set of commands, with which you can perform all the necessary operations for working with files (copying, creating, moving, etc.). For help, enter smb: > help. This mode is somewhat inconvenient, so in most cases the module is used smbfs, part of samba; but in older distributions the kernel may be compiled without smbfs support, and then it will have to be rebuilt. To mount the required resource, type something like this:

Mount -t smbfs -o username=user,password=123456,iocharset=koi8-r,codepage=866 //alex/sound /mnt/sound.

If you do not specify a username and password, the system will ask you for it. Don't forget that by looking at the ~HOME/.bash_history file, you can find out the password based on the commands you typed. Another subtlety: if the smbclient program correctly displays files with Russian names, then the smbfs module sometimes does not pay absolutely no attention to other encoding, even if you specify it explicitly. They say this can be fixed with a patch, but I haven't found one for my Red Hat yet.

If you want the SMB share to be mounted automatically at system startup, add a line like this to your /etc/fstab file:

//guest@alex/sound /mnt/alex/sound smbfs rw, noauto 0 0.

In this example, on behalf of the user guest(if the resource supports this user and if this user has access only with a password, then do not worry: you will certainly be asked for it) the sound network resource on the alex computer is mounted in the /mnt/alex/sound folder with the ability to write to this directory. By the way, the Samba client perfectly sees hidden network resources, i.e. those who have network name ends with a $ sign.

As you can see, you have to work with command line, which modern user causes quiet horror. And here the OpenSource world met him halfway - many utilities have been created that allow you to work with Samba resources in a more familiar way, by pressing buttons in graphical shells. The most popular program, included in the distribution of Mandrake and its derivatives, as well as Debian - gnomba. In any case, it can be found on most servers with Linux software (I saw it on ftp://ftp.altlinux.ru/ for sure). This utility allows you to view available network resources () and, if necessary, mount them in the desired directory, while a mounting option is possible indicating the login and password for those resources that require it. Possible launch file manager when mounted (default gmc), creating directories for mounted resources, setting the option of automatic scanning at program startup (possible using the SMB protocol by default) and scanning by IP addresses (planned using the WINS protocol). For reasons unknown to me, in some distributions, when scanning using the SMB protocol, network resources were not displayed, so I always use the second method, since it works flawlessly, you just need to set the range of IP addresses for scanning (if you know). In order for Russian file names to be displayed correctly, do not forget to install the koi8-r fonts in the tab Options > Font selection, and also check the lines indicating the Cyrillic encoding in the smb.conf file (see above).

If gnomba can only mount and unmount resources, then the program xsmbrowser It also allows you to enter them as folders on the local computer (). True, I have not yet been able to get this program to understand files with Russian names, but there are also positive aspects: when this program is running, all mounting commands and various network requests are output to the console, which allows you to understand them well. The KDE developers also tried: through Preferences > Information utility available Samba Status, displaying all connections to/from local computer, which is also a convenient tool for viewing .log files. The utility provides similar information komba, which can be found at http://linux.tucows.com/().

As much as I would like to tell you more, a magazine is a magazine—you can’t fit everything. Next, the ubiquitous man and info will come to your aid. Also, all the necessary reference information can be obtained from the SWAT utility, and in Red Hat 7.3 there was a book Using Samba Robert"a Eckstein"a(English language - bad, completely free - good: /usr/share/swat/using_samba), also available from SWAT (). Additional documentation, FAQs, and example configuration files can be found in the /usr/share/doc/samba directory. In various forums you can find quite contradictory opinions about the work of Samba, from extremely negative to complete delight. Personally, I'm on the side of those who support this. Windows emulator NT, also based on test results with the same equipment Samba server shows performance approximately 25-30% higher than a computer running a system from Microsoft. Good luck.

Samba runs on most Unix-like systems, such as GNU/Linux, POSIX-compliant Solaris and Mac OS X Server, various BSD variants, OS/2, Windows. Samba included in almost all GNU/Linux distributions, including, of course, Ubuntu.

Installation

To make a shared folder in Ubuntu Desktop, just right-click on the folder and select the “Publish Folder” menu item. There is no need to edit any configuration files. Everything described below applies only to manual configuration, for example, in the case of creating a file server.

To install, just open a terminal and enter:

Sudo apt-get install samba

The application will be automatically downloaded and installed.

Settings

Using the terminal, we will make a backup copy of the initial configuration file:

Sudo cp /etc/samba/smb.conf(,.bak)

Now you can edit the settings file /etc/samba/smb.conf; to do this, open it in any text editor with superuser rights. For example, like this:

Sudo nano /etc/samba/smb.conf

What is written below is generally speaking just one specific scenario for using Samba, and in a huge number of cases everything is configured absolutely wrong. The article needs to be corrected, focusing on the capabilities of Samba, and not just on the use of this program as a file storage with local authorization. It is better to include the example with file storage in a separate detailed article.

An example of setting up Samba as a standalone file server with authorization:

; Global server settings; General server settings ; Computer name that will be displayed in the network environment netbios name = main-server server string = ; Client workgroup workgroup = WORKGROUP announce version = 5.0 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192 passdb backend = tdbsam security = user null passwords = true ; File for user name aliases username map = /etc/samba/smbusers name resolve order = hosts wins bcast ; wins support is set to yes if your nmbd(8) in Samba is a WINS server. Do not set this parameter to yes unless you have multiple subnets and do not want your nmbd to act as a WINS server. Never set this parameter to yes on more than one machine within the same subnet. wins support = no ; Printer support printing = CUPS printcap name = CUPS ; Logs log file = /var/log/samba/log.%m syslog = 0 syslog only = no ; Configuring binding to which interfaces to listen on, if listens on all interfaces are not specified; interfaces = lo, eth0 ; bind interfaces only = true ; ; ; path = /var/lib/samba/printers ; browseable = yes ; guest ok = yes ; read only = yes ; write list = root ; create mask = 0664 ; directory mask = 0775 ; ; ; path = /tmp ; printable = yes ; guest ok = yes ; browseable = no ; ; ;path = /media/cdrom ;browseable = yes ;read only = yes ;guest ok = yes ; Hard drive ball; The name of the balls is visible from clients; Path to the shared disk path = /media/sda1 ; Is it possible to browse browseable = yes read only = no guest ok = no create mask = 0644 directory mask = 0755 ; Binding to a specific user name or group, names separated by a space; force user = user1 user2 ; force group = group1 group2 ; Another hard drive, similar to the one above path = /media/sde1 browseable = yes read only = no guest ok = no create mask = 0644 directory mask = 0755

Now we need to deal with the users.

Samba uses users that are already in the system, let’s take the name user as an example, let’s say that it is already in the system, we need to add it to the SMB database and assign a password to access shared resources, we’ll do this with the command:

Smbpasswd -a user

You will be prompted to enter a password, the user will be added to the database, now you need to enable this user.

Smbpasswd -e user

Next, let's create an alias for the username user to make it easier for us to access from a Windows machine on which we have, for example, a user named Admin. To do this, we'll create and edit the file /etc/samba/smbusers:

Sudo touch /etc/samba/smbusers sudo gedit /etc/samba/smbusers

Write a couple of lines into the file

# Unix_name = SMB_name1 SMB_name2 user = Admin

This completes the setup, restart Samba.

You can install the simplest GUI for Samba with the command:

Sudo apt-get install system-config-samba

It is launched with the command:

Sudo system-config-samba

It writes all changes to the samba configuration file.

Perfect for remote administration of Samba as a web interface for Samba