In this article, learn about these concepts:
- Samba security modes
- Roles of core Samba daemons
- Management of Samba daemons
This article helps you prepare for Objective 310.2 in Topic 310 of the LPI's Mixed Environment speciality exam (302). The objective has a weight of 1.
To get the most from the articles in this series, you should have an advanced knowledge of Linux and a working Linux system on which you can practice the commands covered in this article. In particular, this article assumes that you have a working knowledge of Linux command-line functions and at least a general understanding of the purpose of Samba as covered in "Learn Linux, 302 (Mixed environments): Concepts". To perform the actions described in this article, you must have the Samba software installed. Some actions require that you have a working Server Message Block (SMB)/Common Internet File System (CIFS) network at your disposal.
Linux servers are often implemented as daemons, a word derived
from Greek mythology, in which daemons were helpful supernatural beings. A
Linux daemon runs in the background to perform some helpful task. The
Samba server suite consists of several daemons, including
program is another Samba server, but it is typically run from a super
server and so is not technically a daemon.
smbd program provides most of the core
functionality of Samba. Its duties include:
- Providing file and printer shares. This feature is
arguably the single most important Samba duty, and
- Authenticating users.
smbdauthenticates users against a local database or passes authentication requests on to another computer. If your Samba server is configured as a domain controller,
smbdalso responds to authentication requests from other computers. (Workgroup and domain configurations are described shortly, in Setting your security mode).
- Providing time services. Samba can tell other
computers what the current time is;
smbdhandles this detail.
By default, the
smbd daemon binds to TCP ports
139 and 445. The SMB protocol uses port 139 through NetBIOS over TCP,
which is the way many older clients use SMB/CIFS. Port 445 provides plain
SMB over TCP services, which is how many newer clients access the Samba
Because of the critical nature of these duties (in particular, providing
file and printer shares and authentication),
smbd can be considered the core of Samba. In
fact, it's possible to connect to a computer that runs
smbd alone by using a program such as Samba's
smbclient to perform file transfers. Some
clients, though, rely on services provided by other Samba daemons.
The second key Samba daemon is
server's main duty is handling name-related tasks. You can think of it as
Samba's own version of the Domain Name System (DNS), although it's both
simpler to configure and much less sophisticated than DNS. Specific tasks
nmbd performs include:
- Responding to name broadcasts. In one common mode of
operation, clients broadcast name queries to an entire network
nmbdserver listens for such broadcasts and, when Samba is configured to use the name being queried, responds. It also responds when it's configured to function as a proxy for another computer or network.
- Registering a NetBIOS name. For NetBIOS name
resolution to work, computers must register their names, either with a
centralized NetBIOS name server (NBNS; aka Windows Internet Name
Service [WINS] server) or by broadcasting the name and negotiating
rights for it with the network as a whole.
nmbdis responsible for doing this and also for negotiating with other computers that register their names.
- Functioning as an NBNS server. Samba can be
configured as an NBNS system, in which case
nmbdhandles these duties.
- Functioning as a master browser. Part of the user
experience of an SMB/CIFS network is browsing—the
ability to browse through the servers on a network much as you would
browse through the directories on your hard disk. This feature relies
on the presence of a master browser, which collects and
disseminates browse lists. When Samba functions as a master browser,
nmbdthat does the work.
As this list demonstrates,
nmbd does a lot of
work. Although they don't involve serving files or printers, many of these
tasks are critical parts of any SMB/CIFS server, so
nmbd should be considered a critical part of
Samba. It's typically run along with
smbd by a
distribution's startup scripts.
nmbd's functions require it to bind to
TCP port 137, but master browser duties involve User Datagram Protocol
A third Samba daemon is the Winbind daemon,
winbindd doesn't provide services for remote
computers; instead, it serves as an interface between a Windows® (or
Samba) domain controller and the local computer's own Pluggable
Authentication Modules tools, enabling a domain controller to host Linux
On many distributions,
winbindd is installed in
a separate package from the rest of Samba—typically in a package
winbindd. It's also usually launched
separately. In principle, you can run
on a computer that doesn't run a Samba server or even function as an
SMB/CIFS client, except to the extend that
winbindd is an SMB/CIFS client. In practice,
though, you're likely to run a Samba server or use a Linux computer as an
SMB/CIFS client if it's running
Controlling Samba involves at least two tasks: adjusting its configuration
options using its configuration file and changing its options on a
temporary, on-the-fly basis. You accomplish the first task through Samba's
configuration file, while the second can be done through the
smbcontrol configuration tool.
The main Samba configuration file is called smb.conf and typically resides in /etc/samba, although it could be found in other locations. (If you build Samba from source, /usr/local/samba/lib is one common location.)
The smb.conf file is composed of sections, each of which begins with a name
in square brackets (
), such as
[documents]. Most sections define file or
printer shares; however, the
is special: It holds options that affect the server as a whole or that set
default values used in subsequent share definitions. (The
[global] section typically appears first in the
Lines in smb.conf can be comment lines that begin with a hash mark
#) or a semicolon
;); they may be section names; or they may be
lines that set Samba parameters. This last type of line takes the
parameter = Value
parameter is a keyword, such as
create mask. Parameter names are
case-insensitive. Some common parameters have synonyms, and a few have
antonyms. For instance,
writeable are synonyms, and
read only is an antonym for these—that
read only = Yes is equivalent to
writable = No.
Value you specify with a parameter
can be a free-form string, a number (including specialized numeric values,
such as IP addresses), a Boolean value, a variable, or a list. Boolean
values can take either of two truth values:
1 are synonyms, as are
Variables begin with a percent symbol (
stand in for information that can't be known when the configuration file
was written. For instance,
%D refers to the
server's workgroup or domain name;
%h refers to
the server's DNS name;
%H refers to the user's
%L refers to the server's
NetBIOS name; and
%u refers to the user's user
Some parameters take lists of several values, such as lists of user names.
In such cases, list elements are separated by commas, as in
george, mary to refer to both
the most part, the smb.conf file is blind to white space. If you need to
include white space in a value, enclose it in quotation marks.
The smb.conf file contains options for
other Samba servers and programs. Options for the different programs are
not separated or clearly differentiated, although sometimes the name makes
it obvious to which daemon a parameter applies.
You can use the
smbcontrol program to control
Samba as it runs. For example, you can tell Samba to shut down a specific
share, force a master browser election, reload the configuration file, and
so on. The basic syntax for this command is:
smbcontrol [-i] [-s configfile] smbcontrol [destination] [message-type] [parameter]
When used with the
smbcontrol enters an interactive mode in which
you can pass a series of commands in sequence, saving you from having to
smbcontrol in front of each command. The
destination is the server name
send the message to all the daemons or a process ID number. The
message-type is a command, as
summarized in Table 1. The
is an optional parameter that some commands may require.
Table 1. File system volume and size limits
|Close the share that the parameter specifies.|
|Set the debug level to the value the parameter specifies.|
|Forces a new master browser election.|
|Displays the current debug level of a daemon.|
|Sends a message to clients connected to a printer share, forcing a change in the clients' queue status.|
|Synchronize the user database with a domain controller. (Official documentation indicates that this function is not currently working; test it before you rely on it.)|
|Shuts down the specified daemon.|
|Displays memory use information for the specified daemon.|
|Notify clients that a new printer driver is available. The command takes a printer share name as a parameter.|
|Forces the server to reload the smb.conf file.|
Samba provides a number of options related to how users are authenticated.
The most important of these is the
option, which takes five possible values:
Share. This security mode attempts to emulate the authentication method that the Microsoft® Windows 9x/Windows Me operating systems use, in which user names were ignored and passwords were associated with shares. To do this, Samba tries the password provided by the client with a variety of user names.
User. This security mode, which is the default, uses a user name and password for authentication, similar to the way Linux typically works. In most cases on modern systems, though, the password is stored in an encrypted Samba-only password database.
Server. If you want Samba to defer to another server for authentication, use this authentication method. To a client, this method looks just like user-level authentication, but Samba contacts the server specified with the
password serverparameter to do the actual authentication.
Domain. You can fully join a Windows domain using this method, which looks just like user-level authentication to clients. Unlike server-level authentication, domain authentication involves a more secure domain-level password exchange. Fully joining the domain requires running extra commands on the Samba system and possibly on the domain controller, as well.
ADS. This authentication method works much like domain authentication; however, it requires an Active Directory® Domain Services domain controller.
As a general rule, user-level authentication is the best choice if your
Samba server is a member of a Windows workgroup, which is the basic form
of an SMB/CIFS network. A workgroup differs from a domain mainly in that a
domain provides a domain controller, which is a server that provides
authentication services to the domain. To use a domain controller, you
must use server-, domain-, or ADS-level
security. Server-level security is the easiest
to configure but the least secure, whereas ADS-level security is the most
difficult to configure but the most secure.
To fully join a domain for domain- or ADS-level security, you must set
several options in the
[global] section of the
password server = DOMCONT domain logons = No encrypt passwords = Yes
DOMCONT system is the domain
controller. You must also type the following command on the Samba server
that should join the domain:
# net join member -U adminuser
You may also need to configure the domain controller to accept the Samba server into the domain. (Objective 312.4 covers this topic for Samba servers.)
Share-level security is largely outmoded; it exists mainly to provide compatibility for very old clients that don't understand user names. It can also be useful for some share types that you might want to make available with minimal security, such as printer shares. Because Linux requires that an account be used for all accesses, Samba tries the provided password against a series of accounts until one matches or they've all failed. These accounts include:
- The guest account (set via the
guest accountparameter) if
guest only = Yes
- The user name the client provides (not all clients provide one, but some do)
- The user name used for the last access from the client computer
- The name of the share being accessed
- The client's NetBIOS name
- Any user names specified via the
Because most clients in use today understand user names, there's seldom a need to support share-level security. Using it only creates confusion and increases the security risk—with passwords being checked against so many accounts, a single password that falls into the wrong hands could become a significant risk to your server.
The LPIC-3 310.3 objective—and the next article in this series—describes the Samba Trivial Database (TDB)file format, which Samba uses to store account information.
- At the LPIC
Program site, find detailed objectives, task lists, and sample
questions for the three levels of the LPI's Linux systems administration
certification. In particular, look at the LPI-302 detailed objectives and the tasks and sample questions.
- Use the
roadmap for LPIC-302
to find more developerWorks articles to help you study for the Linux Professional Institute Certification
elective specialty exam LPI-302.
- Review the entire LPI exam
prep series on developerWorks to learn Linux fundamentals and
prepare for systems administrator certification.
Exam Preparation Resources for Revised LPIC Exams provides a list
of other certification training resources maintained by LPI.
In the developerWorks Linux zone,
find hundreds of how-to
and tutorials, as well as downloads, discussion forums,
and a wealth of other resources for Linux developers and administrators.
Stay current with
developerWorks technical events and webcasts focused on a variety of IBM products and IT industry topics.
Attend a free developerWorks Live!
briefing to get up-to-speed quickly on IBM products and tools, as well as IT industry trends.
Watch developerWorks on-demand demos
ranging from product installation and setup demos for beginners, to advanced functionality for experienced developers.
Follow developerWorks on Twitter, or subscribe
feed of Linux tweets on developerWorks.
Get products and technologies
- The Samba Web site has Samba downloads
Evaluate IBM products
in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the
learning how to implement Service Oriented Architecture efficiently.
Get involved in the My developerWorks community.
Connect with other developerWorks users while exploring the developer-driven blogs, forums, groups, and wikis.
Roderick W. Smith is a consultant and author of over a dozen books on UNIX and Linux, including The Definitive Guide to Samba 3, Linux in a Windows World, and Linux Professional Institute Certification Study Guide. He is also the author of the GPT fdisk partitioning software. He currently resides in Woonsocket, Rhode Island.