Friday, November 20, 2009

Samba your way to network file sharing success

Need a solid Windows-compatible file and print server? Consider, if you will, Samba on top of Linux for your networking needs.

Getting a little tired of one Windows SMB (Server Message Block) security problem after another? Want a reliable and fast file and print server without the Windows server headaches?

Then, may I strongly recommend that you give Samba on Linux a try? Samba is an open-source program that had provided file and print services to SMB/CIFS (Common Internet File System) clients for more than a decade.

This is the same core functionality that Windows Server had provided since NT roamed the Earth. Thus, Samba can provide file and printer services for any version of Windows.

Samba runs on essentially all Linux/Unix servers. Indeed, it's a rare Linux distribution that doesn't include the Samba server as a ready-to-run option.

Why Samba

Why would you bother? There are several good reasons to move to Samba. The first is cost. Not only is Samba free, it can run on hardware that Windows Server 2008 R2 would roll over and die on.

In addition, there are no CAL (client access license) fees.

Samba is also fast. When I first tested Samba in 1999, it was already delivering files faster than NT. It's only gotten better since then.

In informal tests at my office, I've found Samba 3.4.3, the latest version to be as fast as Server 2008 R2 on the same servers at delivering files.

Samba, AD, and Domains
You don't have to make an either/or decision if you want to try Samba on your network. Samba can work with AD (Active Directory) servers.

If you're still using the older-style Windows Domain system for your network, Samba can be used with Domains or even dropped in a replacement for a Windows PDCs (Primary Domain Controllers).

At this time, you still can't run Samba as a standalone AD domain controller. That won't happen until Samba 4.0 appears, hopefully sometime in 2010.

Since Samba now has legal access to Windows networking protocols, that's only a matter of time. Samba will also be delivering support for Microsoft's SMB2.

In theory, SMB2, available on Vista and later versions of Windows, delivers better network performance, but it's been troubled with security problems.

In the meantime, you can join Samba servers to an AD tree as a member server in Windows 2000 native-mode.

This is a backwards compatible mode, which enables you to run run Samba 3.x, W2K (Windows 2000) server, Server 2003, and Server 2008 on the same LAN.

For authentication purposes, your AD server must support LDAP (Lightweight Directory Access Protocol) and Kerberos.

Once you have Kerberos working, either MIT or Heimdal Kerberos on the Linux side, you must manually enter the Samba 3 Server information into AD.

For full details on how to do that, check out Join Samba 3 to Your Active Directory Domain. With that done, your Samba's file shares and printers should then appear in the AD management consoles and to Windows clients.

Solo Samba
Of course, you don't have to go to all that trouble. Whether you're running a SOHO (small office/home office) or a Fortune 50 company, you can just use Samba for all your file and print needs.

For your basic Samba setup, simply install Samba on your Linux server. Once in place, turn it on, make sure your firewall doesn't get in the way of the SMB/CIFS protocols, and you're ready to start setting it up.

Most server-oriented Linux distributions, like Novell's openSUSE and SUSE Linux Server and Red Hat's Fedora and RHEL (Red Hat Enterprise Linux), come with GUIs (graphical user interfaces) to help you set Samba up. Use them. They'll make your life much easier.

You can also use the Web-based SWAT (Samba Web Based Administration Tool) or Webmin for your basic setup.

You won't want to use these tools once you're past your initial installation though if you do any manual tuning to your Samba set-up.

That's because these programs tend to replace the master Samba configuration file, smb.conf, with their own optimized version of the file. That, in turn, will lose any hand-made changes you've made to the file.

Chances are though you won't need to do much of that. While you can spend a lot of time optimizing Samba, for basic bread and butter file and print sharing, the easy-to-use front-end programs do a fine job.

If you want, of course, you can set Samba up the old fashioned manual way. With recipes like Red Hat Magazine's How to build a dirt easy home NAS server using Samba and Debian Admin's File Server Configuration in Debian Using Samba, you won't need to be a Linux or a networking genius to set up a good, basic standalone Samba server.

If you do need to get fancy your one-stop information site for setting up Samba is The Official Samba 3.2.x HOWTO and Reference Guide. While a bit dated, most of the information is still current.

The one noteworthy exception is that, starting with Samba 3.4, the default passdb password backend has been changed to 'tdbsam.'

If you're still using the old password setup with the 'smbpasswd' backend this will break it. If you've been using a standalone Samba server, chances are good that's what you've been using for security.

If you want to stick with it, simply enter the line: passdb backend = smbpasswd
in your smb.conf.

You're better off in the long run though if you convert your smbpasswd entries into tbdsam by running

# pdbedit -i smbpasswd -e tdbsam

from a Linux shell. The tdbsam offers you more options for users setting, and there are some advanced server commands which won't work with the 'smbpasswd' backend.

Samba from the desktop
For desktop users, none of this matters. Whether you're using Samba as a complete replacement or as part of a Windows Server-based network, once set up properly, Samba drives and printers work exactly like any other network drive or printer as they're concerned.

Indeed, if you're using a NAS (Network Attached Storage) device, chances are you're already using Samba. Linux and Samba lies at the heart of almost this kind of hardware.

There are, however, a pair of related problems that might get in your way with Vista or Windows 7.

On some of these systems, a pair of networking settings are set so that they won't work properly with Samba or, for that matter, older versions of Windows Server.

If you've set up your Samba boxes properly--e.g. you can reach your shared drives just fine from an XP box or a Mac - but you still can't see them from Windows 7, you'll need to do fixing. Go to your Windows 7 box and try going to: Control Panel - Administrative Tools - Local Security Policy Local Policies - Security Options.

Once there, set "Network security: LAN Manager authentication level" to "Send LM & NTLM responses" and the "Minimum session security for NTLM SSP" to "Disable Require 128-bit encryption."

On Vista, it's a little more complicated. Here, you'll need to click "Start -> Run." Once you're at Vista's idea of a command line, type in the Run field: "secpol.msc."

That will bring you to Vista’s security policy system. Once there, use "Go to: Local Policies > Security Options" and then find "Network Security: LAN Manager" authentication level.

Find it? Now change the Setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated."

Once set up and running, I think you'll find Samba does an excellent job as a file/print server. For basic network services it's hard to beat.

I've been using it for Windows clients from Windows 95—the horror! The horror!--to Windows 7, as well as for supplying file and print services to other Linux distributions and Macs, and it's always done the job.

From just having a server to keep your video-collection in or providing file and print services to hundreds of workstations, Samba and Linux does the job for a fraction of the cost of Windows.

Give it a try in your own network, I think you'll like it.

No comments:

Post a Comment