Personal Mind of ASEP

A Splash of Feeling, Poured Out

Samba – sharing Files and Printers with MS Windows on OpenBSD

Table of Contents

  • Introduction
  • Installing the Packaged Version
  • Starting samba with each reboot
    • Starting through inetd
  • Testing the installation
  • SWAT – The Samba Web Administration Tool
  • Adding Users
  • Co-habiting with Windows NT PDC
    • Adding the Samba Server to the Primary Domain Controller
    • Joining the Samba server to the Primary Domain Controller
    • Updating the /etc/samba/smb.conf
  • Authentication for NT, Win9X Workstations
    • Configuration File settings
    • Machine Account Creation
  • Using stunnel to secure SWAT password communications
  • Author and Copyright

Introduction

The Samba Suite of programs allows you to share Unix resources with SMB Clients (in many cases MS Windows clients.) This significantly simplifies client access to OpenBSD printing and file resources. Users on client machines access Samba resources as they would any other (file/print) resource available from SMB servers such as Windows NT or Windows 9x.

We use OpenBSD/Samba to allow our network users to use the same tools for accessing their files on the OpenBSD/Samba box as they previously did when the same resources were on the Win NT boxes. Users can open their files from within their applications or use Windows Explorer to browse through the OpenBSD/Samba shares.

Installing the Packaged Version

[package: samba-2.0.7.tgz (available on cd-distribution and OpenBSD ftp mirrors)]
[ref: Samba Book available from http://www.samba.org]

Install the package using pkg_add

# pkg_add /[path-to-package]/samba-2.0.7.tgz

The samba package will be installed and you may wish to copy one of the sample configuration files as a starter for your samba setup. For example:

# cp /usr/local/lib/samba/smb.conf.sample /etc/samba/smb.conf

The quickest way to start samba is to launch the daemons manually:

# /usr/local/sbin/smbd -D
# /usr/local/sbin/nmbd -D

Although we don’t want the frustration of doing that manually every time we start the computer, it is a good way to test whether the installation files were actually installed.

(note that samba-2.2.1a in OpenBSD 3.0 locates the smbd/nmbd files in /usr/local/libexec)

Starting samba as a server service

[ref: ../ports/net/samba/files/README.OpenBSD]

There are at least three different methods available for starting the samba daemons (smbd and nmbd). The two most appropriate for starting the server at each boot are a scripting addition or configuring inetd. The BSD approach adds instructions to the /etc/rc.local file; System V-style solutions create a separate startup script.

Edit the /etc/rc.conf.local file to include in Section 2 the following lines:

smbd=YES
nmbd=YES

Edit: /etc/rc.local.

After the ‘starting local daemons’ line and before the following echo ‘.’, insert the following instructions into the /etc/rc.local file:

echo -n 'starting local daemons:'
# [ … stuff left out … ]

if [ -f /etc/samba/smb.conf ]; then
	if [ X"${smbd}" != X"NO" -a -x /usr/local/libexec/smbd ]; then
		echo -n ' smbd'; /usr/local/libexec/smbd -D
	fi
	if [ X"${nmbd}" != X"NO" -a -x /usr/local/libexec/nmbd ]; then
		echo -n ' nmbd'; /usr/local/libexec/nmbd -D
	fi
fi

# [ … stuff left out … ]

echo '.'

Now each restart of the machine will automatically check whether we have enabled samba in the configuration file (rc.conf.local) and then start the smbd and nmbd daemons. If we wish to disable samba we can simply change smbd=YES to smbd=NO and nmbd=YES to nmbd=NO.

Starting samba as an inetd service

If you chose the inetd path then two files, /etc/services and /etc/inetd.conf, need to be updated. Note: use either the rc.local update or this inetd configuration, but not both, as running both may cause problems further down the line.

/etc/services : change this file to include the following lines

netbios-ssn 139/tcp
netbios-ns 137/udp

/etc/inetd.conf : change this file to update the lines referring to the above ports (the last field is the program’s argv[0], as on the swat line later in this document)

netbios-ssn stream tcp nowait root /usr/local/libexec/smbd smbd
netbios-ns dgram udp wait root /usr/local/libexec/nmbd nmbd

Of course one advantage of inetd is you don’t have to restart the computer to get things up and running. Just send a -HUP signal to inetd and samba will be started.

Testing the installation

[Config file: /etc/samba/smb.conf ]
[Utility: smbclient]

A quick diagnostic test to verify whether the nmbd/smbd daemons are working is to use the smbclient program, one of the tools supplied with the samba suite of programs. smbclient attempts a client connection to an smb server, so one simple test is to attempt a connection to our localhost smb server.

# smbclient -U% -L localhost

The -U% option specifies attempting the connection as user % (which expands to root, or the current login); -L specifies the hostname to connect to (localhost). The above command should show the shares available on the localhost server (IPC$ et al.) as well as other machines in the workgroup.

Sharename      Type      Comment
---------      ----      -------
IPC$           IPC       IPC Service (Samba Server)

Server               Comment
---------            -------
OPENBSDBOX           Samba Server

In the above example, the returned listing displays the server OPENBSDBOX as being in the smb workgroup. OPENBSDBOX is the short-name for this sample localhost.

As a starting point for what your samba server should look like, set the following basic settings in the configuration file /etc/samba/smb.conf:

workgroup = myworkgroup
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
interfaces = ip_for_eth0 ip_for_eth1

ip_for_eth0 and ip_for_eth1 – These are the ip-addresses for the Ethernet cards on your server that you wish Samba to service through. For example, if you had one ethernet card for your LAN (eth0:192.168.101.5) and one ethernet card for your external connection (ISP eth1:202.123.44.1) then you can specify something like:

interfaces = 192.168.101.5

This would allow machines on your local LAN access to the samba server, but not machines connected through any other devices.

Encrypt Passwords: All the clients I am using with my samba server will be Win98 or Win2000, and I want passwords encrypted when passed between the server and the machines, in preparation for when the sites go live on the internet. Likewise, I don’t want to spend the time setting up the script to modify all the clients to send clear-text passwords.

Setting up SWAT – the Samba Web Administration Tool

[Config file: /etc/services ]
[Config file: /etc/inetd.conf ]

SWAT provides a GUI based tool for modifying samba’s configuration file /etc/samba/smb.conf. Unfortunately it can also cause disastrous things such as wipe the configuration file (actual experience.) Following are the steps required to configure swat, which is installed but not enabled by the samba installation.

Edit /etc/services to include the following line

swat 901/tcp # Samba Web Administration Tool

Edit /etc/inetd.conf to include the following lines

swat stream tcp nowait.400 root /usr/local/sbin/swat swat

Restart the inetd daemon so it can re-read the changes you have made to the /etc/inetd.conf file.

# kill -HUP `cat /var/run/inetd.pid`

You should now be able to point a browser (for example Windows/Internet Explorer) at your samba server on port 901 (http://your_sambaserver:901) to configure samba using the SWAT GUI interface instead of having to manually edit the smb.conf file.

Security concern: I think swat sends passwords in cleartext. You should be aware of this problem if you are concerned about potential security compromises through using swat.

Adding Users

[Config file: /etc/samba/smbusers ]
[Config file: /etc/samba/smbpasswd]
[Utility: /usr/local/bin/smbpasswd ]

To make sure that you can access the smb shares from other clients, make sure you add the smb access users to the /etc/samba/smbusers and the /etc/samba/smbpasswd file. I find this necessary because I specify the use of encrypted passwords for authentication.

smbpasswd -a login-id

For example:

# smbpasswd -a samt

More Information:

Run by root, the smbpasswd program can “-a” add a new user to the smbpasswd file. This is also a neat trick for finding out where the smbpasswd is ‘supposed’ to be located.

Other useful options:

-x delete the user information
-d disable the user account
-e enable a disabled account, no effect if account currently enabled
-r remote machine on which smb access is to be changed.

Controlling the Server

The following shell script (based on ndc.sh) is a quick hack for starting/stopping the Samba servers. As I have had to play around a lot with the configuration files, restarting the servers, it is somewhat useful to have a script to cut down the number of keystrokes.

#!/bin/sh
# /usr/sbin/sambactl
#	based on $OpenBSD: ndc.sh,v 1.11 1998/07/07 22:05:15 millert Exp $
USAGE='echo "usage: $0 (start|stop|restart|status) ..."; exit 1'
PATH=/usr/sbin:/bin:/usr/bin:$PATH
RUNNINGS=0
RUNNINGN=0
PIDS=0
PIDN=0
SMBD_CMD="/usr/local/libexec/smbd -D"
NMBD_CMD="/usr/local/libexec/nmbd -D"
PS="Unknown"
PS="Samba is NOT Running"

# Look for running smbd/nmbd processes and record their pids
# (grep -v grep keeps the grep itself out of the count).
test `ps ax | grep smbd | grep -v grep | wc -l` != 0 && {
	PIDS=`ps ax | grep smbd | grep -v grep | awk '{print $1}'`
	RUNNINGS=1
	PS="Samba is Running"
}

test `ps ax | grep nmbd | grep -v grep | wc -l` != 0 && {
	PIDN=`ps ax | grep nmbd | grep -v grep | awk '{print $1}'`
	RUNNINGN=1
	PS="Samba is Running"
}

for ARG
do
case $ARG in
status)	echo "$PS smbd:$PIDS nmbd:$PIDN";;
start)
	[ $RUNNINGS -eq 1 -a $RUNNINGN -eq 1 ] && { echo "Samba is already running"; exit 1; }
	$NMBD_CMD && $SMBD_CMD;;
stop)
	[ $RUNNINGS -eq 0 -a $RUNNINGN -eq 0 ] && { echo "$PS"; exit 1; }
	# only kill daemons we actually found: "kill 0" would hit our own process group
	[ $RUNNINGS -eq 1 ] && kill $PIDS
	[ $RUNNINGN -eq 1 ] && kill $PIDN;;
restart)
	# stop any running daemons first, then start fresh ones
	[ $RUNNINGS -eq 1 ] && kill $PIDS
	[ $RUNNINGN -eq 1 ] && kill $PIDN
	[ $RUNNINGS -eq 1 -o $RUNNINGN -eq 1 ] && sleep 2
	echo "Samba Server Starting ..."
	$SMBD_CMD && $NMBD_CMD;;
*)	eval "$USAGE";;
esac
done
test -z "$ARG" && exit 0

Co-habiting with NT Server – Primary Domain Controller

As my environment is OpenBSD/Samba joining an existing Windows NT Primary Domain Controller (PDC), I need to maintain authentication on one server to minimise work-load. For this discussion we will use DEMO_DOMAIN as the domain and PDC_SERVER as the name of the Primary Domain Controller (a Windows NT 4.0 server).

The following are the basic steps for enabling NT Domain authentication for Samba connections.

  1. On the PDC, Manually add the Samba Server netbios name as an NT Server/Workstation
  2. Join the Domain from the samba server using smbpasswd -j DEMO_DOMAIN -r PDC_SERVER
  3. Modify smb.conf to specify encrypted passwords and security=domain
  4. Restart the Samba Server

Adding the Samba Server to the Primary Domain Controller

On the Win NT (4.0 ) PDC Server, start the Administrator -> Server Manager program. Add the OpenBSD/Samba server you have installed as a “Windows NT Workstation or Server”

On the Win2000 Advanced Server PDC, start the Administrator -> Active Directory Users and Computers. Select the Domain you will be adding the OpenBSD/Samba server to. Add a new computer and make sure you select the check-box “Allow pre-Windows 2000 computers to use this account”

For the name of the OpenBSD/Samba server, use the NetBIOS name you have either specified in /etc/samba/smb.conf, or use the short-name of the server (OPENBSDBOX for this example).

Joining the Samba server to the Primary Domain Controller

This only works if the OpenBSD/Samba server has been ‘installed’ into the domain as mentioned above, so make sure that you have followed the above step and verified the OpenBSD/Samba server is a valid ‘NT Workstation or Server.’

From the OpenBSD/Samba machine join the Primary Domain by using the smbpasswd “join” facility

# smbpasswd -j DEMO_DOMAIN -r PDC_SERVER

Updating /etc/samba/smb.conf

To complete joining the Domain, we need to make a few configuration changes. (a) we need to tell Samba to use the Primary Domain Controller for authentication, and (b) We need to use encrypted passwords. Windows NT sp3 and greater default to using encrypted password transmission.

File /etc/samba/smb.conf

; security = domain hands logon validation to the PDC named in password server
security = domain
password server = PDC_SERVER
encrypt passwords = yes

Restart the samba server and user connections will now be verified through the Windows NT Domain Controller. Note that users still need a valid account on the server if user directories are expected.

Authentication for NT, Win9X Workstations

[ref: Samba-2.2.2/docs/Samba-HOWTO-Collection.pdf]

With later versions of Samba (2.2.2) we are able to use the OpenBSD/Samba combination to authenticate users for a LAN comprising Windows NT and Win9X clients. In this scenario, your OpenBSD/Samba server is the Primary Domain Controller (Windows Speak) and provides authentication for your Windows clients.

By configuring your clients to forcibly join the domain, you can ensure all workstation users must be validated from the OpenBSD/Samba server.

We may want to do this if we do not have a legitimate (Microsoft) Windows Server that can authenticate as the primary domain controller.

The Samba distribution actually comes with a HOWTO for this task (Chapter 8. How to Configure Samba 2.2 as a Primary Domain Controller)

In short, we set the configurations (in a working Samba system):

  • Configuration File settings
  • Machine Account Creation

Configuration File settings

To configure your Samba server to provide user authentication you will need to include the following.

[global]
workgroup = myworkgroup

security = user
domain master = yes
local master = yes
domain logons = yes

add user script = /etc/samba/my_add_user %u

Diagram – portion of [global]

Security is set to user (not domain as you would initially expect.) The server is set to be the domain master and service domain logons which is where we will configure user authentication.

Machine Account Creation.

The add user script will be used by Samba to add a machine account for joining NT Workstations to the domain. This script will create an /etc/passwd entry using the client workstation’s netbios name. At this writing (Samba 2.2.2) Samba requires the /etc/passwd entry before it can create a Samba account for the workstation.

Since the OpenBSD user creation tools do not normally allow the dollar character “$” in a user-id, we need to modify the useradd source to allow “$”. Of course, you can manually create the accounts instead and not need to change the source code. Unix, including OpenBSD, readily accepts the $ sign in a user-id, but the user creation programs do not normally allow it for a number of practical reasons.
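As an added example (not the page’s own script, and not part of Samba), here is one way to write the hypothetical /etc/samba/my_add_user script that the add user script line above refers to. It appends the machine account straight to /etc/master.passwd (side-stepping useradd’s refusal of “$”), validates the name first because it arrives from a remote workstation, and gives the account no usable Unix password or shell. The UID range, group id and file path are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# /etc/samba/my_add_user (hypothetical example): Samba runs it as
#   /etc/samba/my_add_user WORKSTATION$
# when an NT workstation joins the domain (%u is the NetBIOS name plus "$").
# useradd(8) rejects "$", so the entry is written to master.passwd directly
# and the password database is rebuilt with pwd_mkdb(8).

MASTER=${MASTER_PASSWD:-/etc/master.passwd}
MACHINE_GID=${MACHINE_GID:-100}   # assumed group for machine accounts
UID_MIN=${UID_MIN:-5000}          # assumed start of the machine-account UID range

# The name comes from a remote client: accept only 1-15 NetBIOS-safe
# characters followed by exactly one "$", so nothing odd reaches master.passwd.
valid_machine_name() {
	printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,15}\$$'
}

# Lowest unused UID at or above UID_MIN.
next_uid() {
	awk -F: -v min="$UID_MIN" 'BEGIN { max = -1 }
		$3 >= min && $3 > max { max = $3 }
		END { if (max < 0) print min; else print max + 1 }' "$MASTER"
}

# Returns 0 if the account already exists.
account_exists() {
	awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$MASTER"
}

add_machine_account() {
	name=$1
	valid_machine_name "$name" || { echo "my_add_user: bad machine name" >&2; return 1; }
	account_exists "$name" && return 0   # idempotent: a re-join is fine
	uid=`next_uid`
	# master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
	# "*" locks the Unix password (Samba keeps its own machine password);
	# /sbin/nologin refuses any interactive login as this account.
	printf '%s:*:%s:%s::0:0:Samba machine account:/nonexistent:/sbin/nologin\n' \
		"$name" "$uid" "$MACHINE_GID" >> "$MASTER"
}

# Only act when invoked by Samba with a name; pwd_mkdb rebuilds pwd.db/spwd.db.
if [ -n "${1:-}" ]; then
	add_machine_account "$1" && pwd_mkdb -p "$MASTER"
fi
```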

Using stunnel to secure SWAT password communication

package: stunnel-3.8.tgz
package: openssl (installed either as source build or ssl2?)
[ref: OpenBSD FAQ 10.6 Setting up a Secure HTTP Server with SSL]
[local: openss# – Secured Communications]
[ref: Samba Book]

Samba can be set up to communicate exclusively through SSL, which is great but seems to be problematically difficult (as in really difficult) to roll out in a Windows environment. By at least forcing SWAT communications to use SSL we add one level of security. Using information available from the Samba site and the OpenBSD FAQ, I have generated this step-by-step list for using SSL with SWAT under OpenBSD (installation with 2.7).

1. install the stunnel package

# pkg_add /[location-of-packages]/stunnel-3.8.tgz

After stunnel is installed, you have to create a server certificate and put the result in /etc/ssl/private/stunnel.pem. For more information on how to create certificates, read ssl(8). For more information on stunnel, read stunnel(8).

2. Prepare the certificate for stunnel. According to the Samba documentation, stunnel needs a blank line between the private key and the certificate and another blank line at the end of the file (make sure you have created the server certificates per the references above.)

# echo "" > ~/blankline.txt
# cat /etc/ssl/private/server.key ~/blankline.txt /etc/ssl/server.crt \
	~/blankline.txt > /etc/ssl/stunnel.pem

3. Move the stunnel.pem file to a standardised location

# mv /etc/ssl/stunnel.pem /etc/ssl/private

4. Set the file permissions so that nobody but root has access to the file

# chmod 700 /etc/ssl/private/stunnel.pem

5. Remove swat entry from inetd.conf (restart inetd)

# kill -HUP `cat /var/run/inetd.pid`

6. Start stunnel

# /usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l /usr/local/sbin/swat -- swat

7. We now include stunnel into the configuration for SWAT

Edit the /etc/rc.conf.local file to include the following line:

stunnel_swat=YES

Edit: /etc/rc.local.

After the ‘starting local daemons’ line and before the following echo ‘.’, insert the following instructions into the /etc/rc.local file:

echo -n 'starting local daemons:'
# [ … stuff left out … ]

if [ -f /etc/samba/smb.conf ]; then
	if [ X"${smbd}" = X"YES" -a X"${nmbd}" = X"YES" -a X"${stunnel_swat}" = X"YES" -a -x /usr/local/sbin/stunnel ]; then
		echo -n ' stunnel_swat';
		/usr/local/sbin/stunnel -p /etc/ssl/private/stunnel.pem -d 901 -l /usr/local/sbin/swat -- swat
	fi
fi

# [ … stuff left out … ]

echo '.'

Now each restart of the machine will automatically check whether we have enabled stunnel for swat in the configuration file (rc.conf.local) and then start stunnel. If we wish to disable stunnel for swat we can simply change stunnel_swat=YES to stunnel_swat=NO.

Connect to the SSL enabled site using https://your_sambaserver:901 and accept the certificate.
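As an added example (not from the page, Samba or stunnel), the following script is a pre-flight check for steps 2 to 5 above: it reports whether inetd still serves swat in the clear, whether stunnel.pem is readable only by its owner, and whether the pem has the key, blank line, certificate, trailing blank line layout the Samba documentation asks for. The file paths default to the ones used above and can be overridden through environment variables; the script name swat_ssl_check is an assumption.

```shell
#!/bin/sh
# swat_ssl_check (hypothetical): sanity checks before starting
# stunnel in front of SWAT. Exit status 0 means all three checks passed.

INETD_CONF=${INETD_CONF:-/etc/inetd.conf}
STUNNEL_PEM=${STUNNEL_PEM:-/etc/ssl/private/stunnel.pem}

# Step 5: an active (uncommented) swat line in inetd.conf means SWAT is
# still reachable over plain HTTP on port 901, competing with stunnel.
inetd_serves_swat() {
	grep -Eq '^[[:space:]]*swat[[:space:]]' "$INETD_CONF"
}

# Step 4: the pem holds the private key, so no group/other permission bits.
pem_mode_ok() {
	perm=`ls -l "$STUNNEL_PEM" 2>/dev/null | cut -c1-10`
	case "$perm" in
		-rw-------|-rwx------) return 0 ;;
		*) return 1 ;;
	esac
}

# Step 2: private key first, a blank line, the certificate, blank line at end.
pem_layout_ok() {
	awk '
		/-----END .*PRIVATE KEY-----/     { key_end = NR }
		/-----BEGIN CERTIFICATE-----/     { cert_begin = NR }
		NF == 0 && key_end && !cert_begin { blank_between = 1 }
		{ last = $0 }
		END {
			ok = key_end && cert_begin && key_end < cert_begin && blank_between && last == ""
			exit !ok
		}' "$STUNNEL_PEM" 2>/dev/null
}

# Run all checks, print what is wrong, return nonzero if anything failed.
swat_ssl_check() {
	status=0
	if inetd_serves_swat; then
		echo "swat is still enabled in $INETD_CONF: remove it and HUP inetd" >&2; status=1
	fi
	pem_mode_ok   || { echo "$STUNNEL_PEM is not mode 0600/0700" >&2; status=1; }
	pem_layout_ok || { echo "$STUNNEL_PEM lacks the key / blank line / certificate layout" >&2; status=1; }
	return $status
}

# Run the checks when this file is installed and executed as swat_ssl_check.
case "$0" in
	*swat_ssl_check*) swat_ssl_check; exit $? ;;
esac
```

Run it as root after step 5 and before step 6; a nonzero exit lists what still needs fixing.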

Optimizing the Kernel

[ref: afterboot(8), config(8), options(4), boot_config(8), OpenBSD FAQ: Kernel Configuration]
[ref: CD1:src.tar.gz]

This is not necessary to get samba running. Kernel optimization is only worthwhile if you perceive some performance problem with your samba configuration, and you don’t have a critical configuration to protect while you experiment.

I’ve seen a number of discussions recommending that you can improve the performance of OpenBSD with Samba by increasing the number of NMBCLUSTERS for the Kernel. The specific option is noted here and I go into further discussions on making the changes. It seems that the GENERIC kernel is more optimised for streaming based protocol communication than packet/ack protocols.

option "NMBCLUSTERS=8192"

From the man page:

option NMBCLUSTERS=value

Size of kernel mbuf cluster map, mb_map, in CLBYTES-sized logical pages. Default on most ports is 256 (512 with “option GATEWAY”). See /usr/include/machine/param.h for exact default information. Increase this value if “mb_map full” messages appear.

Note that the quotation marks are significant (use them) as the option is actually a compiler directive.

A simplified process is listed below, for more details see the man and FAQ references above (config 8, options 4).

After decompressing the OpenBSD source tree onto your hard-disk (/usr/src), do the following:

# cd /usr/src/sys/arch/[$ARCH]/conf

This moves us into the custom configurations for your hardware architecture. Doing a listing in this directory will give you a sample of machine configurations. On my i386 architecture an ls will show:

# ls
CVS        GANDALF    LUCIFIER       OPRAH      RAMDISKB    SARUMAN
DISKLESS   GENERIC    Makefile.i386  PETRA      RAMDISKC    WALDORF
ELBERETH   HERMES     NETTAN         RAMDISK    RAMDISK_CD

Make a copy of the GENERIC kernel configuration. Remember that this is the most tested configuration, so let’s not stray too far from a ‘working’ configuration.

# cp GENERIC MYCUSTOMKERNEL

We can now edit the configuration file MYCUSTOMKERNEL to include the directive for NMBCLUSTERS.

Edit: /usr/src/sys/arch/[architecture]/conf/MYCUSTOMKERNEL to include:

option "NMBCLUSTERS=8192"

After you have saved the above modifications we can now configure the kernel compilation, and make the kernel.

# config MYCUSTOMKERNEL
Don’t forget to run “make depend”
# cd ../compile/MYCUSTOMKERNEL
# make depend && make

To use the kernel copy the kernel to the root directory and make it available during boot time.

# cp /bsd /bsd.working
# cp /usr/src/sys/arch/[architecture]/compile/MYCUSTOMKERNEL/bsd /bsd.nmb

We first make a backup of the existing/generic kernel (the docs say that most people use a sequence like bsd.1, bsd.2; I’m only using named kernels above as a demonstration.)

Next I copy the customised kernel into the root partition so boot can find it. In our experimental case I do not make it the default kernel.

When you restart your server and get to the boot prompt, we can specify the new kernel we wish to try.

>> OpenBSD i386 BOOT 1.36

boot > bsd.nmb

The boot messages will scroll through your screen and you get to the login prompt. After logging in you should see a display of your new kernel.

Last login: (date) from (ip-address)
OpenBSD 2.8 (MYCUSTOMKERNEL) #1: (date-of-compilation)
Welcome to OpenBSD: The proactively secure Unix-like operating system.

If you find the new kernel behaves as expected, without causing other problems on your system, then you can copy the new kernel over the default boot kernel. (Remember to have first backed up your working kernel)

# cp /bsd.nmb /bsd

Please take the time to read the FAQ and afterboot(8) man pages before you continue.

More Kernel Options

The below kernel options may be of interest to you, remember that I’m as much in the dark about these things as you are and you’re as likely to kill your machine with my advice as you are to get things working.

From the man page:

option BUFCACHEPERCENT=integer

Percentage of RAM to use as a file system buffer. It defaults to 5.

option QUOTA

Enables kernel support for file system quotas. See quotaon(8), edquota(8), repquota(8), and quota(1) for details. Note that quotas only work on “ffs” file systems, although rpc.rquotad(8) permits them to be accessed over NFS.

Note that option QUOTA is already configured in the /usr/src/sys/conf/GENERIC file which is ‘included’ in the GENERIC configuration. BUFCACHEPERCENT is of interest in my configuration where the OpenBSD Samba server is primarily functioning as a file server and we wish to increase responsiveness to a plethora of multimedia files used by our students.

Getting at Windows Shares

package: Sharity-light_1_2.tgz

Sometimes you want to access a Windows (e.g. Win95, Win98, Win2000, WinNT) file share from within the Unix box. Sharity-Light is similar to the Linux-only smbfs (smbmount, smbumount), which allows the user to mount a Windows file-share onto your unix file-system.

http://www.obdev.at/Products/Sharity.html

Check out the developer’s website above for more information on the “light” version and their commercial product.

Author and Copyright

Copyright (c) 2000/1/2 Samiuela LV Taufa. All Rights Reserved.

I reserve the right to be totally incorrect even at the best advice of betters. In other words, I’m probably wrong in enough places for you to call me an idiot, but don’t ’cause you’ll hurt my sensibilities, just tell me where I went wrong and I’ll try again.

You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.


February 10, 2006 - Posted by | Uncategorized
