If you are a typical system administrator, then you know what it means to be swamped with
work. Your daily routine is filled with endless hardware incompatibility issues, system
outages, data backup problems, and a steady stream of angry users. So adding another
program to the mix of tools that you have to maintain may sound a bit perplexing. However,
if you're determined to reduce the complexity of your work environment, as well as the
workload of keeping it running smoothly, Samba may be the tool you've been waiting for.
A case in point: one of the authors of this book used to look after 70 Unix developers
sharing 5 Unix servers. His neighbor administered 20 Windows 3.1 users and 5 OS/2 and
Windows NT servers. To put it mildly, the Windows 3.1 administrator was swamped. When
he finally left -- and the domain controller melted -- Samba was brought to the rescue. Our
[Chapter 1] 1.1 Learning Samba
http://www.oreilly.com/catalog/samba/chapter/book/ch01_01.html (1 of 3) [6/27/2000 11:32:17 AM]
author quickly replaced the Windows NT and OS/2 servers with Samba running on a Unix
server, and eventually bought PCs for most of the company developers. However, he did the
latter without hiring a new PC administrator; the administrator now manages one centralized
Unix application instead of fifty distributed PCs.
[Appendix C] Samba Configuration Option Quick Reference
(42 of 45) [6/27/2000 11:54:29 AM]
• write list = comma-separated list
Default: NULL (everyone)
Allowable values: comma-separated list of users
List of users that are given read-write access to a read-only share. See also
read list.
• write ok = boolean
Default: YES
Allowable values: YES, NO
Synonym of the writable configuration option.
• [global] write raw = boolean
Default: YES
Allowable values: YES, NO
Allows fast streaming writes over TCP, using 64KB buffers. Recommended.
Glossary of Configuration Values
Address list
A space-separated list of IP addresses in ###.###.###.### format.
Comma-separated list
A list of items separated by commas.
Command
A Unix command, with full path and parameters.
Host list
A space-separated list of hosts. Allows IP addresses, address masks, domain names,
ALL, and EXCEPT.
Interface list
A space-separated list of interfaces, in either address/netmask or address/n-bits
format. For example, 192.168.2.10/24 or 192.168.2.10/255.255.255.0.
Map list
A space-separated list of file-remapping strings such as (*.html *.htm).
Remote list
A space-separated list of subnet-broadcast-address/workgroup pairs. For example,
192.168.2.255/SERVERS 192.168.4.255/STAFF.
Service (share) list
A space-separated list of share names, without the enclosing square brackets.
Slash-list
A list of filenames, separated by "/" characters to allow embedded spaces. For
example, /.*/fred flintstone/*.frk/.
Text
One line of text.
User list
A space-separated list of usernames. In Samba 1.9, @group-name will include
everyone in Unix group group-name. In Samba 2.0, @group-name includes
whomever is in the NIS netgroup group_name if one exists, otherwise whomever is
in the Unix group group_name. In addition, +group_name is a Unix group,
&group_name is an NIS netgroup, and &+ and +& cause an ordered search of both
Unix and NIS groups.
Configuration File Variables
Table C.1 lists the Samba configuration file variables.
Table C.1: Variables in Alphabetic Order
Name Meaning
%a Client's architecture (one of Samba, WfWg, WinNT, Win95, or UNKNOWN)
%d Current server process's process ID
%f Print-spool file as a relative path (printing only)
%f User from which a message was sent (messages only)
%G Primary group name of %U (requested username)
%g Primary group name of %u (actual username)
%H Home directory of %u (actual username)
%h Samba server's (Internet) hostname
%I Client's IP address
%j Print job number (printing only)
%L Samba server's NetBIOS name (virtual servers have multiple names)
%M Client's (Internet) hostname
%m Client's NetBIOS name
%n New password (password change only)
%N Name of the NIS home directory server (without NIS, same as %L)
%o Old password (password change only)
%P Current share's root directory (actual)
%p Current share's root directory (in an NIS homedir map)
%p Print filename (printing only)
%R Protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, or NT1)
%S Current share's name
%s Filename the message is in (messages only)
%s Print-spool file name (printing only)
%T Current date and time
%t Destination machine (messages only)
%u Current share's username
%U Requested username for current share
%v Samba version
© 1999, O'Reilly & Associates, Inc.
Using Samba
Robert Eckstein, David Collier-Brown, Peter Kelly
1st Edition November 1999
1-56592-449-5, Order Number: 4495
416 pages, $34.95
Appendix D
Summary of Samba Daemons and Commands
This appendix is a reference listing of command-line options and other information to help
you use the executables that come with the Samba distribution.
Samba Distribution Programs
The following sections provide information about the command-line parameters for Samba
programs.
smbd
The smbd program provides Samba's file and printer services, using one TCP/IP stream and
one daemon per client. It is controlled from the default configuration file,
samba_dir/lib/smb.conf, and can be overridden by command-line options.
The configuration file is automatically re-evaluated every minute. If it has changed, most
new options are immediately effective. You can force Samba to immediately reload the
configuration file if you send a SIGHUP to smbd. Reloading the configuration file,
Appendix D
(1 of 24) [6/27/2000 11:54:34 AM]
however, will not affect any clients that are already connected. To escape this "grandfather"
configuration, a client would need to disconnect and reconnect, or the server itself would
have to be restarted, forcing all clients to reconnect.
Other signals
To shut down an smbd process, send it the termination signal SIGTERM (-15), which allows
it to die gracefully, instead of a SIGKILL (-9). To increment the debug logging level of smbd
at runtime, send the program a SIGUSR1 signal. To decrement it at runtime, send the
program a SIGUSR2 signal.
Command-line options
-D
The smbd program is run as a daemon. This is the recommended way to use smbd (it
is also the default action). In addition, smbd can also be run from inetd.
-d debuglevel
Sets the debug (sometimes called logging) level. The level can range from 0 all the
way to 10. Specifying the value on the command line overrides the value specified in
the smb.conf file. Debug level 0 logs only the most important messages; level 1 is
normal; levels 3 and above are primarily for debugging and slow smbd considerably.
-h
Prints command-line usage information for the smbd program.
Testing/debugging options
-a
If this is specified, each new connection to the Samba server will append all logging
messages to the log file. This option is the opposite of -o, and is the default.
-i scope
This sets a NetBIOS scope identifier. Only machines with the same identifier will
communicate with the server. The scope identifier was a predecessor to workgroups,
and this option is included only for backwards compatibility.
-l log_file
Send the log messages to somewhere other than the location compiled in or specified
in the smb.conf file. The default is often /usr/local/samba/var/log.smb,
/usr/samba/var/log.smb, or /var/log/log.smb. The first two are strongly discouraged
on Linux, where /usr may be a read-only filesystem.
-O socket_options
This sets the TCP/IP socket options, using the same parameters as the socket options
configuration option. It is often used for performance tuning and testing.
-o
This option is the opposite of -a. It causes log files to be overwritten when opened.
Using this option saves hunting for the right log entries if you are performing a series
of tests and inspecting the log file each time.
-P
This option forces smbd not to send any network data out. This option is typically
used only by Samba developers.
-p port_number
This sets the TCP/IP port number that the server will accept requests from. Currently,
all Microsoft clients send only to the default port: 139.
-s configuration_file
Specifies the location of the Samba configuration file. Although the file defaults to
/usr/local/samba/lib/smb.conf, you can override it here on the command line,
typically for debugging.
nmbd
The nmbd program is Samba's NetBIOS name and browsing daemon. It replies to broadcast
NetBIOS over TCP/IP (NBT) name-service requests from SMB clients and optionally to
Microsoft's Windows Internet Name Service (WINS) requests. Both of these are versions of
the name-to-address lookup required by SMB clients. The broadcast version uses UDP/IP
broadcast on the local subnet only, while WINS uses TCP/IP, which may be routed. If
running as a WINS server, nmbd keeps a current name and address database in the file
wins.dat in the samba_dir/var/locks directory.
An active nmbd program can also respond to browsing protocol requests used by the
Windows Network Neighborhood. Browsing is a combined advertising, service
announcement, and active directory protocol. This protocol provides a dynamic directory of
servers and the disks and printers that the servers are providing. As with WINS, this was
initially done by making UDP/IP broadcasts on the local subnet. Now, with the concept of a
local master browser, it is done by making TCP/IP connections to a server. If nmbd is acting
as a local master browser, it stores the browsing database in the file browse.dat in the
samba_dir/var/locks directory.
Signals
Like smbd, the nmbd program responds to several Unix signals. Sending nmbd a SIGHUP
signal will cause it to dump the names it knows about to the file namelist.debug in the
samba_dir/locks directory and its browsing database to the browse.dat file in the same
directory. To shut down an nmbd process, send it a SIGTERM (-15) signal instead of a
SIGKILL (-9) to allow it to die gracefully. You can increment the debug logging level of
nmbd by sending it a SIGUSR1 signal; you can decrement it by sending a SIGUSR2 signal.
Command-line options
-D
Instructs the nmbd program to run as a daemon. This is the recommended way to use
nmbd. In addition, nmbd can also be run from inetd.
-d debuglevel
Sets the debug (sometimes called logging) level. The level can range from 0, all the
way to 10. Specifying the value on the command line overrides the value specified in
the smb.conf file. Debug level 0 logs only the most important messages; level 1 is
normal; level 3 and above are primarily for debugging, and slow nmbd considerably.
-h
Prints command-line usage information for the nmbd program (also -?).
Testing/debugging options
-a
If this is specified, each new connection to the Samba server will append all logging
messages to the log file. This option is the opposite of -o, and is the default.
-H hosts_file
This option loads a standard hosts file for name resolution.
-i scope
This sets a NetBIOS scope identifier. Only machines with the same identifier will
communicate with the server. The scope identifier was a predecessor to workgroups,
and this option is included only for backward compatibility.
-l log_file
Sends the log messages to somewhere other than the location compiled-in or specified
in the smb.conf file. The default is often /usr/local/samba/var/log.nmb,
/usr/samba/var/log.nmb, or /var/log/log.nmb. The first two are strongly discouraged
on Linux, where /usr may be a read-only filesystem.
-n NetBIOS_name
This option allows you to override the NetBIOS name by which the daemon will
advertise itself. Specifying the option on the command line overrides the netbios
name option in the Samba configuration file.
-O socket_options
This sets the TCP/IP socket options, using the same parameters as the socket options
configuration option. It is often used for performance tuning and testing.
-o
This option is the opposite of -a. It causes log files to be overwritten when opened.
Using this option saves hunting for the right log entries if you are performing a series
of tests and inspecting the log file each time.
-p port_number
This sets the UDP/IP port number from which the server will accept requests.
Currently, all Microsoft clients send only to the default port: 137.
-s configuration_file
Specifies the location of the Samba configuration file. Although the file defaults to
/usr/local/samba/lib/smb.conf, you can override it here on the command line,
typically for debugging.
-v
This option prints the current version of Samba.
Samba Startup File
Samba is normally started by running it from your Unix system's rc files at boot time. For
systems with a System V-like set of /etc/rcN.d directories, this can be done by placing a
suitably named script in the /rc directory. Usually, the script starting Samba is called
S91samba, while the script stopping or "killing" Samba is called K91samba. On Linux, the
usual subdirectory for the scripts is /etc/rc2.d. On Solaris, the directory is /etc/rc3.d. For
machines with /etc/rc.local files, you would normally add the following lines to that file:
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
The following example script supports two extra commands, status and restart, in addition
to the normal start and stop for System V machines:
#!/bin/sh
#
# /etc/rc2.d/S91samba -- manage the SMB server in a System V manner
#
OPTS="-D"
#DEBUG=-d3
PS="ps ax"
SAMBA_DIR=/usr/local/samba
case "$1" in
'start')
    echo "samba "
    $SAMBA_DIR/bin/smbd $OPTS $DEBUG
    $SAMBA_DIR/bin/nmbd $OPTS $DEBUG
    ;;
'stop')
    echo "Stopping samba"
    # Field 1 of the ps output is the PID of each Samba daemon
    $PS | awk '/usr.local.samba.bin/ { print $1}' |\
    xargs kill
    ;;
'status')
    # Double quotes, so that $SAMBA_DIR is expanded before grep sees it
    x=`$PS | grep -v grep | grep "$SAMBA_DIR/bin"`
    if [ ! "$x" ]; then
        echo "No samba processes running"
    else
        echo " PID TT STAT TIME COMMAND"
        echo "$x"
    fi
    ;;
'restart')
    /etc/rc2.d/S91samba stop
    /etc/rc2.d/S91samba start
    /etc/rc2.d/S91samba status
    ;;
*)
    echo "$0: Usage error -- you must say $0 start, stop, status or restart ."
    ;;
esac
exit
You'll need to set the actual paths and ps options to suit the machine you're using. In
addition, you might want to add additional commands to tell Samba to reload its smb.conf
file or dump its nmbd tables, depending on your actual needs.
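One way to add the reload and table-dump commands suggested above, as an added example that is not part of the book's script: each action is mapped to the signal described earlier for smbd and nmbd, and the kill command is built from ps ax output and printed rather than run. The action names, the plan helper, and the sample process listing are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the book's script). SAMBA_DIR matches the rc script
# above; the action names and the sample listing are assumptions.
SAMBA_DIR=/usr/local/samba

# Map an action to "<signal> <daemon>", following the signal descriptions
# for smbd and nmbd in this appendix.
signal_for() {
    case "$1" in
        reload)     echo "HUP smbd" ;;   # smbd re-reads smb.conf
        dump)       echo "HUP nmbd" ;;   # nmbd writes namelist.debug, browse.dat
        debug-up)   echo "USR1 $2" ;;    # raise the debug level of smbd or nmbd
        debug-down) echo "USR2 $2" ;;    # lower it again
        stop)       echo "TERM $2" ;;    # graceful shutdown, not SIGKILL
        *)          return 1 ;;
    esac
}

# Read "ps ax" output on stdin and print the PIDs whose command (field 5)
# is exactly $SAMBA_DIR/bin/<daemon>. An exact match on the command field
# skips grep, editors, and anything else that merely mentions the path.
pids_of() {
    awk -v bin="$SAMBA_DIR/bin/$1" '
        $5 == bin { printf "%s%s", sep, $1; sep = " " }
        END       { if (sep != "") print "" }'
}

# plan <action> [smbd|nmbd] < ps-output
# Prints the kill command instead of running it, so it can be reviewed.
plan() {
    spec=$(signal_for "$1" "$2") || { echo "unknown action: $1" >&2; return 1; }
    sig=${spec%% *}
    daemon=${spec#* }
    case "$daemon" in
        smbd|nmbd) ;;
        *) echo "action $1 needs a daemon name: smbd or nmbd" >&2; return 1 ;;
    esac
    pids=$(pids_of "$daemon")
    [ -n "$pids" ] || { echo "no $daemon process found" >&2; return 1; }
    echo "kill -$sig $pids"
}

# Constructed sample of "ps ax" output (not taken from a real system).
SAMPLE_PS='  PID TT STAT TIME COMMAND
  412 ?  S    0:01 /usr/local/samba/bin/smbd -D
  415 ?  S    0:00 /usr/local/samba/bin/nmbd -D
 7470 ?  S    0:03 /usr/local/samba/bin/smbd -D
 9001 p1 S    0:00 grep /usr/local/samba/bin/smbd
 9002 p2 S    0:00 vi /usr/local/samba/bin/smbd.notes'

printf '%s\n' "$SAMPLE_PS" | plan reload
printf '%s\n' "$SAMPLE_PS" | plan dump
```

In an rc script the input would come from $PS and the printed command would be passed to sh once it has been checked.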
smbsh
The smbsh program lets you use a remote Windows share on your Samba server as if the
share was a regular Unix directory. When it's run, it provides an extra directory tree under
/smb. Subdirectories of /smb are servers, and subdirectories of the servers are their
individual disk and printer shares. Commands run by smbsh treat the /smb filesystem as if it
were local to Unix. This means that you don't need smbmount in your kernel to mount
Windows filesystems the way you mount with NFS filesystems. However, you do need to
configure Samba with the --with-smbwrappers option to enable smbsh.
Options
-d debuglevel
Sets the debug (sometimes called logging) level. The level can range from 0, the
default, all the way to 10. Debug level 0 logs only the most important messages; level
1 is normal; level 3 and above are primarily for debugging, and slow smbsh
considerably.
-l logfile
Sets the name of the logfile to use.
-P prefix
Sets the root directory to mount the SMB filesystem. The default is /smb.
-R resolve order
Sets the resolve order of the name servers. This option is similar to the resolve order
configuration option, and can take any of the four parameters, lmhosts, host, wins,
and bcast, in any order.
-U user
Supports user%password.
-W workgroup
Sets the NetBIOS workgroup to which the client will connect.
smbclient
The smbclient program is the maid-of-all-work of the Samba suite. Initially intended as a
testing tool, it has become a full command-line Unix client, with an FTP-like interactive
client. Some of its options are still used for testing and tuning, and it makes a simple tool for
ensuring that Samba is running on a server.
It's convenient to look at smbclient as a suite of programs:
FTP-like interactive file transfer program
Interactive printing program
Interactive tar program
Command-line message program
Command-line tar program (but see smbtar later)
"What services do you have" query program
Command-line debugging program
General command-line options
The program has the usual set of smbd-like options, which apply to all the interactive and
command-line use. The syntax is:
smbclient //server_name/share_name [password] [-options]
Here is an explanation of each of the command-line options:
-d debug_level
Sets the debug (logging) level, from 0 to 10, with A for all. Overrides the value in
smb.conf. Debug level 0 logs only the most important messages; level 1 is normal;
debug level 3 and above are for debugging, and slow smbclient considerably.
-h
Prints the command-line help information (usage) for smbclient.
-n NetBIOS_name
Allows you to override the NetBIOS name by which the program will advertise itself.
Smbclient operations
Running smbclient //server_name/share will cause it to prompt you for a username and
password. If the login is successful, it will connect to the share and give you a prompt much
like an FTP prompt (the backslash in the prompt will be replaced by the current directory
within the share as you move around the filesystem):
smb:\>
From this command line, you can use several FTP-like commands, as listed in Table D-1.
Arguments in square brackets are optional.
Table D-1. smbclient Commands
Command Description
? command Provides list of commands or help on specified command.
help [command] Provides list of commands or help on specified command.
! [command] If a command is specified, it will be run in a local shell. If not, you will be placed into a local shell on the client.
dir [filename] Displays any files matching filename in the current directory on the server, or all files if filename is omitted.
ls [filename] Displays any files matching filename in the current directory on the server, or all files if filename is omitted.
cd [directory] If directory is specified, changes to the specified directory on the remote server. If not, reports the current directory on the remote machine.
lcd [directory] If directory is specified, the current directory on the local machine will be changed. If not, the name of the current directory on the local machine will be reported.
get remotefile [localfile] Copies the file remotefile to the local machine. If a localfile is specified, uses that name to copy the file to. Treats the file as binary; does not do LF to CR/LF conversions.
put localfile [remotefile] Copies localfile to the remote machine. If a remotefile is specified, uses that as the name to copy to on the remote server. Treats the file as binary; does not do LF to CR/LF conversions.
mget pattern Gets all files matching pattern from the remote machine.
mput pattern Places all local files matching pattern on the remote machine.
prompt Toggles interactive prompting on and off for mget and mput.
lowercase ON (or OFF) If lowercase is on, smbclient will convert filenames to lowercase during an mget or get (but not a mput or put).
del filename Delete a file on the remote machine.
md directory Create a directory on the remote machine.
mkdir directory Create a directory on the remote machine.
rd directory Remove the specified directory on the remote machine.
rmdir directory Remove the specified directory on the remote machine.
setmode filename [+|-]rsha Set DOS filesystem attribute bits, using Unix-like modes. r is read-only, s is system, h is hidden, and a is archive.
exit Exits smbclient.
quit Exits smbclient.
There are also mask and recursive commands for large copies; see the smbclient manual
page for details on how to use these. With the exception of mask, recursive, and the lack of
an ASCII transfer mode, smbclient works exactly the same as FTP. Note that because it does
binary transfers, Windows files copied to Unix will have lines ending in carriage-return and
linefeed (\r\n), not Unix's linefeed (\n).
Printing commands
The smbclient program can also be used for access to a printer by connecting to a print
share. Once connected, the commands shown in Table D-2 can be used to print.
Table D-2. smbclient Printing Commands
Command Description
print filename Prints the file by copying it from the local machine to the remote one and then submitting it as a print job there.
printmode text | graphics Instructs the server that the following files will be plain text (ASCII) or the binary graphics format that the printer requires. It's up to the user to ensure that the file is indeed the right kind.
queue Displays the queue for the print share you're connected to, showing job ID, name, size, and status.
Finally, to print from the smbclient, use the -c option:
cat printfile | smbclient //server/printer_name -c "print -"
Tar commands
smbclient can tar up files from a file share. This is normally done from the command line
using the smbtar command, but the commands shown in Table D-3 are also available
interactively.
Table D-3. smbclient Printing Commands
Command Description
tar c|x[IXbgNa] operands Performs a creation or extraction tar similar to the command-line program.
blocksize size Sets the block size to be used by tar, in 512-byte blocks.
tarmode full|inc|reset|noreset Makes tar pay attention to DOS archive bit for all following commands. In full mode (the default), tar will back up everything. In inc (incremental) mode, tar will back up only those files with the archive bit set. In reset mode, tar will reset the archive bit on all files it backs up (this requires the share to be writable), and in noreset mode the archive bit will not be reset even after the file has been backed up.
Command-line message program options
-M NetBIOS_machine_name
This option allows you to send immediate messages using the WinPopup protocol to
another computer. Once a connection is established, you can type your message,
pressing control-D to end. If WinPopup is not running on the receiving machine, the
program returns an error.
-U user
This option allows you to indirectly control the FROM part of the message.
Command-line tar program options
The -T (tar), -D (starting directory), and -c (command) options are used together to tar up
files interactively. This is better done with smbtar, which will be discussed shortly. We
don't recommend using smbclient directly as a tar program.
-D initial_directory
Changes to initial directory before starting.
-c command_string
Passes a command string to the smbclient command interpreter, which treats it as a
semicolon-separated list of commands to be executed. This is handy to say things
such as tarmode inc, for example, which forces smbclient -T to back up only files
with the archive bit set.
-T command filename
Runs the tar driver, which is gtar compatible. The two main commands are: c (create)
and x (extract), which may be followed by any of:
a
Resets archive bits once files are saved.
b size
Sets blocksize in 512-byte units.
g
Backs up only files with the archive bit set.
I file
Includes files and directories (this is the default). Does not do pattern-matching.
N filename
Backs up only those files newer than filename.
q
Does not produce diagnostics.
X file
Excludes files.
Command-line query program
If smbclient is run as:
smbclient -L server_name
it will list the shares and other services that machine provides. This is handy if you don't
have smbwrappers. It can also be helpful as a testing program in its own right.
Command-line debugging/diagnostic program options
Any of the various modes of operation of smbclient can be used with the debugging and
testing command-line options:
-B IP_addr
Sets the broadcast address.
-d debug_level
Sets the debug (sometimes called logging) level. The level can range from 0 all the
way to 10. In addition, you can specify A for all debugging options. Debug level 0
logs only the most important messages; level 1 is normal; level 3 and above are
primarily for debugging and slow operations considerably.
-E
Sends all messages to stderr instead of stdout.
-I IP_address
Sets the IP address of the server to which it connects.
-i scope
This sets a NetBIOS scope identifier. Only machines with the same identifier will
communicate with the server. The scope identifier was a predecessor to workgroups,
and this option is included only for backward compatibility.
-l log_file
Sends the log messages to the specified file.
-N
Suppresses the password prompt. Unless a password is specified on the command line
or this parameter is specified, the client will prompt for a password.
-n NetBIOS_name
This option allows you to override the NetBIOS name by which the daemon will advertise
itself.
-O socket_options
Sets the TCP/IP socket options using the same parameters as the socket options
configuration option. It is often used for performance tuning and testing.
-p port_number
Sets the port number from which the client will accept requests.
-R resolve_order
Sets the resolve order of the name servers. This option is similar to the resolve order
configuration option, and can take any of the four parameters, lmhosts, host, wins,
and bcast, in any order.
-s configuration_file
Specifies the location of the Samba configuration file. Used for debugging.
-t terminal_code
Sets the terminal code for Asian languages.
-U username
Sets the username and optionally password (e.g., -U fred%secret).
-W workgroup
Specifies the workgroup that you want the client to connect as.
If you want to test a particular name service, run smbclient with -R and just the name of the
service. This will force smbclient to use only the service you gave.
smbstatus
The smbstatus program lists the current connections on a Samba server. There are three
separate sections. The first section lists various shares that are in use by specific users. The
second section lists the locked files that Samba currently has on all of its shares. Finally, the
third section lists the amount of memory usage for each of the shares. For example:
# smbstatus
Samba version 2.0.3
Service uid gid pid machine
----------------------------------------------
network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16
network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16
Locked files:
Pid DenyMode R/W Oplock Name
--------------------------------------------------
7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp Sun May 16 21:23:40 1999
7470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe Sun May 16 20:51:08 1999
7589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll Sun May 16 21:23:39 1999
7589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat Sun May 16 21:23:41 1999
7470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe Sun May 16 20:51:09 1999
7589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 21:20:33 1999
7470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 20:51:11 1999
Share mode memory usage (bytes):
1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total
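The first two sections of this report share the pid column, so they can be joined to show which user and client machine holds each locked file. The following filter is an added example, not part of the book or of Samba; the function names are hypothetical, the sample report is constructed in the layout shown above, and each lock row is assumed to be on a single line ending in a five-field timestamp.

```sh
#!/bin/sh
# Added example (not from the book): correlate the smbstatus sections.

# Read verbose smbstatus output on stdin. For every locked file print
#   user <TAB> machine (ip) <TAB> DenyMode <TAB> R/W <TAB> path
# by joining the "Locked files" rows to the "Service" rows on the PID.
locks_by_client() {
    awk '
        /^Service[ \t]+uid/ { sect = "svc";  next }
        /^Locked files:/    { sect = "lock"; next }
        /^Share mode/       { sect = "";     next }
        /^-+$/ || /^Pid/ || NF == 0 { next }
        sect == "svc" && NF >= 6 && $4 ~ /^[0-9]+$/ {
            user[$4] = $2
            host[$4] = $5 " " $6
            next
        }
        sect == "lock" && NF >= 10 && $1 ~ /^[0-9]+$/ {
            # The last five fields are the timestamp. Everything between
            # the oplock column and the timestamp is the path, which may
            # contain spaces (runs of spaces collapse to one).
            path = $5
            for (i = 6; i <= NF - 5; i++) path = path " " $i
            u = ($1 in user) ? user[$1] : "?"
            h = ($1 in host) ? host[$1] : "?"
            printf "%s\t%s\t%s\t%s\t%s\n", u, h, $2, $3, path
        }'
}

# Only the files that a client has open read-write.
write_opens() {
    locks_by_client | awk -F '\t' '$4 == "RDWR"'
}

# Constructed sample in the layout of the report above.
SAMPLE_SMBSTATUS='Samba version 2.0.3
Service      uid      gid      pid     machine
----------------------------------------------
network      davecb   davecb   7470    phoenix  (192.168.220.101) Sun May 16 20:50:01 1999
network      davecb   davecb   7589    chimaera (192.168.220.102) Sun May 16 21:20:30 1999

Locked files:
Pid    DenyMode   R/W     Oplock           Name
--------------------------------------------------
7589   DENY_NONE  RDONLY  EXCLUSIVE+BATCH  /home/samba/quicken/inet/common/system/help.bmp   Sun May 16 21:23:40 1999
7589   DENY_WRITE RDWR    EXCLUSIVE+BATCH  /home/samba/quicken/inet/qdata/runtime.dat   Sun May 16 21:23:41 1999
7470   DENY_WRITE RDONLY  NONE             /home/samba/word/office/find fast.exe   Sun May 16 20:51:08 1999

Share mode memory usage (bytes):
   1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total'

printf '%s\n' "$SAMPLE_SMBSTATUS" | locks_by_client
```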
Options
-b
Forces smbstatus to produce brief output. This includes the version of Samba and
auditing information about the users that have logged into the server.
-d
Gives verbose output, including each of the three reporting sections listed in the
previous example. This is the default.
-L
Forces smbstatus to print only the current file locks it has. This corresponds to the
second section in a verbose output.
-p
Prints a list of smbd process IDs only. This is often used for scripts.
-S
Prints only a list of shares and their connections. This corresponds to the first section
in a verbose output.
-s configuration_file
Sets the Samba configuration file to use when processing this command.
-u username
Limits the smbstatus report to the activity of a single user.
smbtar
The smbtar program is a shell script on top of smbclient that gives the program more
intelligible options when doing tar operations. Functionally, it is equivalent to the Unix tar
program.
Options
-a
Resets the archive bit mode
-b blocksize
Blocking size. Defaults to 20.
-d directory
Changes to initial directory before restoring or backing up files.
-i
Incremental mode; tar files are backed up only if they have the DOS archive bit set.
The archive bit is reset after each file is read.
-l log_level
Sets the logging level.
-N filename
Backs up only the files newer than the last modification date of filename. For
incremental backups.
-p password
Specifies the password to use to access a share.
-r
Restores files to the share from the tar file.
-s server
Specifies the SMB/CIFS server in which the share resides.
-t tape
Tape device or file. Default is the value of the environment variable $TAPE, or
tar.out if $TAPE isn't set.
-u user
Specifies the user to connect to the share as. You can specify the password as well, in
the format username%password.
-v
Specifies the use of verbose mode.
-X file
Tells smbtar to exclude the specified file from the tar create or restore.
-x share
States the share name on the server to connect to. The default is backup, which is a
common share name to perform backups with.
For example, a trivial backup command to archive the data for user sue is:
# smbtar -s pc_name -x sue -u sue -p secret -t sue.tar
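The -U user%password form of smbclient and smbsh, the optional password argument of smbclient, and the -u and -p options of smbtar all put the password into the command's argument list, which normally appears in the process listing. As an added example (not from the book), this filter reads ps ax output and reports Samba client commands that carry a password, without printing the password itself; the function name and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the book).

# Read "ps ax" lines on stdin. For smbclient, smbsh and smbtar print
#   pid <TAB> program <TAB> user
# when a password is part of the command line. The password itself is
# never printed; user is "?" when no username option was given.
inline_creds() {
    awk '
    function base(p,    parts, n) { n = split(p, parts, "/"); return parts[n] }
    {
        # The program is field 5, or field 6 when it is run through a
        # shell (smbtar is a shell script: "sh /path/smbtar ...").
        prog = ""; first = 0
        for (c = 5; c <= 6 && c <= NF; c++) {
            if (c == 6 && base($5) !~ /sh$/) break
            b = base($c)
            if (b == "smbclient" || b == "smbsh" || b == "smbtar") {
                prog = b; first = c + 1; break
            }
        }
        if (prog == "") next

        user = "?"; leaked = 0
        for (i = first; i <= NF; i++) {
            isuser = ($i == "-U" && prog != "smbtar") || ($i == "-u" && prog == "smbtar")
            if (isuser && i < NF) {
                # -U user%password (smbclient, smbsh), -u user%password (smbtar)
                i++
                p = index($i, "%")
                if (p > 0) { user = substr($i, 1, p - 1); leaked = 1 }
                else       { user = $i }
            } else if (prog == "smbtar" && $i == "-p" && i < NF) {
                # smbtar -p password; for smbclient, -p is the port number
                i++; leaked = 1
            } else if (prog == "smbclient" && $i ~ /^\/\// && i < NF && $(i + 1) !~ /^-/) {
                # smbclient //server/share password
                i++; leaked = 1
            }
        }
        if (leaked) printf "%s\t%s\t%s\n", $1, prog, user
    }'
}

# Constructed sample of "ps ax" output; the passwords are made up.
SAMPLE_CLIENT_PS='  PID TT STAT TIME COMMAND
 2101 p0 S    0:00 smbclient //server/share -U fred%secret
 2102 p1 S    0:00 sh /usr/local/samba/bin/smbtar -s pc_name -x sue -u sue -p secret -t sue.tar
 2103 p2 S    0:00 smbclient //server/share -U fred -p 139
 2104 p3 S    0:00 smbclient //server/printer_name hunter2 -c queue
 2105 p4 S    0:00 smbclient -L server_name -N'

printf '%s\n' "$SAMPLE_CLIENT_PS" | inline_creds
```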
nmblookup
The nmblookup program is a client program that exercises the NetBIOS-over-UDP/IP name
service for resolving NBT machine names into IP addresses. The command works by
broadcasting its queries on the local subnet until a machine with that name responds. You
can think of it as a Windows nslookup(1) or dig(1). This is useful for looking up both
normal NetBIOS names, and the odd ones like __MSBROWSE__ that the Windows name
services use to provide directory-like services. If you wish to query for a particular type of
NetBIOS name, add the NetBIOS type to the end of the name.
The command line is:
nmblookup [-options] name
The options supported are:
-A
Interprets name as an IP address and does a node-status query on this address.
-B broadcast_address
Sends the query to the given broadcast address. The default is to send the query to the
broadcast address of the primary network interface.
-d debuglevel
Sets the debug (sometimes called logging) level. The level can range from 0 all the
way to 10. Debug level 0 logs only the most important messages; level 1 is normal;
level 3 and above are primarily for debugging and slow the program considerably.
-h
Prints command-line usage information for the program.
-i scope
Sets a NetBIOS scope identifier. Only machines with the same identifier will
communicate with the server. The scope identifier was a predecessor to workgroups,
and this option is included only for backward compatibility.
-M
Searches for a local master browser. This is done with a broadcast searching for a
machine that will respond to the special name __MSBROWSE__, and then asking
that machine for information, instead of broadcasting the query itself.
-R
Sets the recursion desired bit in the packet. This will cause the machine that responds
to try to do a WINS lookup and return the address and any other information the
WINS server has saved.
-r
Uses the root port of 137 for Windows 95 machines.
-S
Once the name query has returned an IP address, does a node status query as well.
This returns all the resource types that the machine knows about, with their numeric
attributes. For example:
% nmblookup -d 4 -S elsbeth
received 6 names
ELSBETH - B
ELSBETH - B
ELSBETH - B
ELSBETH - B
ELSBETH - B
..__MSBROWSE__.. - B
-s configuration_file
Specifies the location of the Samba configuration file. Although the file defaults to
/usr/local/samba/lib/smb.conf, you can override it here on the command line,
normally for debugging.
-T
This option can be used to translate IP addresses into resolved names.
-U unicast_address
Performs a unicast query to the specified address. Used with -R to query WINS
servers.
Note that there is no workgroup option for nmblookup; you can get around this by putting
workgroup = workgroup_name in a file and passing it to nmblookup with the -s
smb.conf_file option.
smbpasswd
The smbpasswd program has two distinct sets of functions. When run by users, it changes
their encrypted passwords. When run by root, it updates the encrypted password file. When
run by an ordinary user with no options, it connects to the primary domain controller and
changes his or her Windows password.
The program will fail if smbd is not operating, if the hosts allow or hosts deny configuration
options will not permit connections from localhost (IP address 127.0.0.1), or if the
encrypt passwords = no option is set.
Regular user options
-D debug_level
Sets the debug (also called logging) level. The level can range from 0 to 10. Debug
level 0 logs only the most important messages; level 1 is normal; level 3 and above
are primarily for debugging and slow the program considerably.
-h
Prints command-line usage information for the program.
-r remote_machine_name
Specifies on which machine the password should change. The remote machine must
be a primary domain controller (PDC).
-R resolve_order
Sets the resolve order of the name servers. This option is similar to the resolve order
configuration option, and can take any of the four parameters, lmhosts, host, wins,
and bcast, in any order.
-U username
Used only with -r, to modify a username that is spelled differently on the remote
machine.
Root-only options
-a username
Adds a user to the encrypted password file.
-d username
Disables a user in the encrypted password file.
-e username
Enables a disabled user in the encrypted password file.
-m machine_name
Changes a machine account's password. The machine accounts are used to
authenticate machines when they connect to a primary or backup domain controller.
-j domain_name
Adds a Samba server to a Windows NT Domain.
-n
Sets no password for the user.
-s username
Causes smbpasswd to be silent and to read its old and new passwords from standard
input, rather than from /dev/tty. This is useful for writing scripts.
testparm
The testparm program checks an smb.conf file for obvious errors and self-consistency. Its
command line is:
testparm [options] configfile_name [hostname IP_addr]
If the configuration file is not specified, the file at samba_dir/lib/smb.conf is checked by
default. If you specify a hostname and an IP address, an extra check will be made to ensure
that the specified machine would be allowed to connect to Samba. If a hostname is
specified, an IP address should be present as well.
Options
-h
Prints command-line information for the program.
-L server_name
Resets the %L configuration variable to the specified server name.
-s
This option prevents the testparm program from prompting the user to press the Enter
key before printing a list of the configuration options for the server.
testprns
The testprns program checks a specified printer name against the system printer capabilities
(printcap) file. Its command line is:
testprns printername [printcapname]
If the printcapname isn't specified, Samba attempts to use one located in the smb.conf file. If
one isn't specified there, Samba will try /etc/printcap. If that fails, the program will generate
an error.
rpcclient
This is a new client that exercises the RPC (remote procedure call) interfaces of an SMB
server. Like smbclient, rpcclient started its life as a test program for the Samba developers
and will likely stay that way for a while. Its command line is:
rpcclient //server/share
The command-line options are the same as the Samba 2.0 smbclient, and the operations you
can try are listed in Table D-4.
Table D-4. rpcclient commands
Command                              Description
regenum keyname                      Registry Enumeration (keys, values)
regdeletekey keyname                 Registry Key Delete
regcreatekey keyname [keyvalue]      Registry Key Create
regquerykey keyname                  Registry Key Query
regdeleteval valname                 Registry Value Delete
regcreateval valname valtype value   Registry Key Create
reggetsec keyname                    Registry Key Security
regtestsec keyname                   Test Registry Key Security
ntlogin [username] [password]        NT Domain Login Test
wksinfo                              Workstation Query Info
srvinfo                              Server Query Info
srvsessions                          List Sessions on a Server
srvshares                            List shares on a server
srvconnections                       List connections on a server
srvfiles                             List files on a server
lsaquery                             Query Info Policy (domain member or server)
lookupsids                           Resolve names from SIDs
ntpass                               NT SAM Password Change
tcpdump
The tcpdump utility, a classic system administration tool, dumps all the packet headers it
sees on an interface that match an expression. The version included in the Samba
distribution is enhanced to understand the SMB protocol. The expression is a logical
expression with "and," "or," and "not," although sometimes it's very simple. For example,
host escrime would select every packet going to or from escrime. The expression is
normally one or more of:
host name
net network_number
port number
src name
dst name
The most common options are src (source), dst (destination), and port. For example, in the
book we used the command:
tcpdump port not telnet
This dumps all the packets except telnet; we were logged in via telnet and wanted to see
only the SMB packets.
Another tcpdump example is selecting traffic between server and either sue or joe:
tcpdump host server and \( sue or joe \)
We recommend using the -s 1500 option so that you capture all of the SMB messages sent,
instead of just the header information.
Options
There are many options, and many other kinds of expressions that can be used with
tcpdump. See the manual page for details on the advanced options. The most common
options are as follows:
-c count
Forces the program to exit after receiving the specified number of packets.
-F file
Reads the expression from the specified file and ignores expressions on the command
line.
-i interface
Forces the program to listen on the specified interface.
-r file
Reads packets from the specified file (captured with -w).
-s length
Saves the specified number of bytes of data from each packet (rather than 68 bytes).
-w file
Writes the packets to the specified file.
Using Samba
Robert Eckstein, David Collier-Brown, Peter Kelly
1st Edition November 1999
1-56592-449-5, Order Number: 4495
416 pages, $34.95
Appendix E. Downloading Samba with CVS
This appendix contains information on how to download the latest source version of Samba
using the Concurrent Versions System (CVS). CVS is a freely available configuration
management tool available from Cyclic Software and is distributed under the GNU General
Public License. You can download the latest copy from
CVS works on top of the GNU Revision Control System (RCS). Many Unix systems come
preinstalled with RCS. However, if you want to download the latest version of RCS, you
can find it at
One of the nicest things about CVS is its ability to handle remote logins. This means that
people across the globe on the Internet can download and update various source files for any
project that uses a CVS repository. Such is the case with Samba. Once you have RCS and
CVS installed on your system, you must first log in to the Samba source server with the
following command:
cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login
This tells CVS to connect to the CVS server at cvs.samba.org. Once you are connected, you
can download the latest source tree with the following command:
cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba
This will download the entire Samba distribution (file by file) into a directory entitled
/samba, which it will create on your hard drive. This directory will have the same structure
as the Samba source distribution described in Chapter 2, Installing Samba on a Unix
System. It includes source and header files, documentation, and sample configuration files
to help get you started. After that is completed, you can follow the instructions in Chapter 2
to configure and compile Samba on your server.
Appendix F. Sample Configuration File
This appendix gives an example of a production smb.conf file and looks at how many of the options are used
in practice. The following is a slightly disguised version of one we used at a corporation with five Linux
servers, five Windows for Workgroups clients and three NT Workstation clients:
# smb.conf -- File Server System for: 1 Example.COM BSC & Management Office
[globals]
workgroup = 1EG_BSC
interfaces = 10.10.1.14/24
We provide this service on only one of the machine's interfaces. The interfaces option sets its address
and netmask, where /24 is the same as using the netmask 255.255.255.0:
comment = Samba ver. %v
preexec = csh -c `echo /usr/samba/bin/smbclient \
-M %m -I %I` &
We use the preexec command to log information about all connections by machine name (%m) and IP
address (%I):
# smbstatus will output various info on current status
status = yes
browseable = yes
printing = bsd
# the username that will be used for access to services
# specified with 'guest = ok'
guest account = samba
The default guest account was nobody, uid -1, which produced log messages on one of our machines
saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and
printing:
# superuser account - admin privileges to shares, with no
# restrictions
# WARNING - use this with care: files can be modified,
# regardless of file permissions
admin users = root
# who is NOT allowed to connect to ANY service
invalid users = @wheel, mail, daemon, adt
Daemons can't use Samba, only people. The invalid users option closes a security hole; it prevents
intruders from breaking in by pretending to be a daemon process.
# hosts that are ALLOWED or DENIED from connecting to ANY service
hosts allow = 10.10.1.
hosts deny = 10.10.1.6
# where the lock files will be located
lock directory = /var/lock/samba/locks
# debug log files
# %m = separate log for each NetBIOS name (each machine)
log file = /var/log/samba/log.%m
# We send priority 0, 1 and 2 messages to the system logs
syslog = 2
# If a WinPopup message is sent to the server,
# redirect it to a user via e-mail
message command = /bin/mail -s 'message from #% on %m' \
pkelly < %s; rm %s
# ---------------------------------------------------
# [globals] Performance Tuning
# ---------------------------------------------------
# caching algorithm to reduce time doing getwd() calls.
getwd cache = yes
socket options = TCP_NODELAY
# tell the server whether the client is present and
# responding in seconds
keep alive = 60
# num minutes of inactivity before a connection is
# considered dead
dead time = 30
read prediction = yes
share modes = yes
max xmit = 17384
read size = 512
The share modes, max xmit, and read size options are machine-specific (see Appendix B, Samba
Performance Tuning):
# locking is done by the server
locking = yes
# control whether dos style attributes should be mapped
# to unix execute bits
map hidden = yes
map archive = yes
map system = yes
The three map options will work only on shares with a create mode that includes the execute bits (0111).
Our homes and printers shares won't honor them, but the [www] share will:
# ---------------------------------------------------------
# [globals] Security and Domain Logon Services
# ---------------------------------------------------------
# connections are made with UID and GID, not as shares
security = user
# boolean variable that controls whether passwords
# will be encrypted
encrypt passwords = yes
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
"*Password changed*"
passwd program = /usr/bin/passwd %u
# Always become the local master browser
domain master = yes
preferred master = yes
os level = 34
# For domain logons to work correctly. Samba acts as a
# primary domain controller.
domain logons = yes
# Logon script to run for user off the server each time
# username (%U) logs in. Set the time, connect to shares,
# virus checks, etc.
logon script = scripts\%U.bat
[netlogon]
comment = "Domain Logon Services"
path = /u/netlogon
writable = yes
create mode = 444
guest ok = no
volume = "Network"
This share, discussed in Chapter 6, Users, Security, and Domains, is required for Samba to work
smoothly in a Windows NT domain:
# -----------------------------------------------------------
# [homes] User Home Directories
# -----------------------------------------------------------
[homes]
comment = "Home Directory for : %u "
path = /u/users/%u
The password file of the Samba server specifies each person's home directory as
/home/machine_name/person, which NFS converts to point to the actual physical location under
/u/users. The path option in the [homes] share tells Samba the actual (non-NFS) location:
guest ok = no
read only = no
create mode = 644
writable = yes
browseable = no
# -----------------------------------------------------------
# [printers] System Printers
# -----------------------------------------------------------
[printers]
comment = "Printers"
path = /var/spool/lpd/samba
printcap name = /etc/printcap
printable = yes
public = no
writable = no
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
lppause command = /usr/sbin/lpc stop %p
lpresume command = /usr/sbin/lpc start %p
create mode = 0700
browseable = no
load printers = yes
# -----------------------------------------------------------
# Specific Descriptions: [programs] [data] [retail]
# -----------------------------------------------------------
[programs]
comment = "Shared Programs %T"
volume = "programs"
Shared Programs shows up in the Network Neighborhood, and programs is the volume name you specify
when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:
path = /u/programs
public = yes
writeable = yes
printable = no
create mode = 664
[cdrom]
comment = "Unix CDROM"
path = /u/cdrom
public = no
writeable = no
printable = no
volume = "cdrom"
[data]
comment = "Data Directories %T"
path = /u/data
public = no
create mode = 770
writeable = yes
volume = "data"
[nt4]
comment = "NT4 Server"
path = /u/systems/nt4
public = yes
create mode = 770
writeable = yes
volume = "nt4_server"
[www]
comment = "WWW System"
path = /usr/www/http
public = yes
create mode = 775
writeable = yes
volume = "www_system"
The [www] share is the directory used on the Unix server to serve web pages. Samba makes the directory
available to local PC users so the art department can update web pages.
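An added example, not code from the book: a short Python audit of smb.conf text that folds the synonyms the sample file above mixes (public and guest ok, writeable and writable, read only) and reports shares that are both guest-accessible and writable, plus hosts deny entries that hosts allow already matches. It assumes Samba's documented rule that the allow list takes precedence where the two lists conflict, understands only exact addresses and dotted prefixes, and all function names are hypothetical.

```python
# Added example (not the book's code): audit smb.conf text for two risky patterns.
GLOBAL = ("global", "globals")          # the page's sample file uses [globals]
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}
TRUE = ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased, synonyms folded."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                     # blank line or comment
        line, pending = pending + line, ""
        if line.endswith("\\"):          # trailing backslash: continued on next line
            pending = line[:-1].rstrip() + " "
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            name = " ".join(name.lower().split())
            value = value.strip().strip('"')
            if name == "read only":      # inverse synonym of writable
                name, value = "writable", "no" if value.lower() in TRUE else "yes"
            current[SYNONYMS.get(name, name)] = value
    return sections

def global_params(sections):
    return {k: v for g in GLOBAL for k, v in sections.get(g, {}).items()}

def guest_writable_shares(sections):
    """Shares open to guests and writable (share value, else global, else 'no')."""
    glob = global_params(sections)
    def on(share, name):
        return sections[share].get(name, glob.get(name, "no")).lower() in TRUE
    return sorted(s for s in sections
                  if s not in GLOBAL and on(s, "guest ok") and on(s, "writable"))

def shadowed_denies(sections):
    """hosts deny entries also matched by hosts allow, where the allow list wins."""
    glob = global_params(sections)
    allow, deny = (glob.get(k, "").replace(",", " ").split()
                   for k in ("hosts allow", "hosts deny"))
    return [d for d in deny
            if any(d == a or (a.endswith(".") and d.startswith(a)) for a in allow)]

# Abridged from the sample file above; only lines this audit reads are kept.
SAMPLE = r"""[globals]
hosts allow = 10.10.1.
hosts deny = 10.10.1.6
message command = /bin/mail -s 'message from #% on %m' \
pkelly < %s; rm %s
[homes]
guest ok = no
read only = no
[www]
public = yes
writeable = yes
"""
conf = parse_smb_conf(SAMPLE)
print(guest_writable_shares(conf), shadowed_denies(conf))
```

On this excerpt the audit reports [www] and the deny entry 10.10.1.6; run over the full sample file, the first check also lists [programs] and [nt4]. Running testparm with a hostname and IP address, as described in Appendix D, confirms how Samba itself would treat a given client.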