CHAPTER 7
In many cases, computer networks are comprised of diverse systems. While operating a network made up of Ubuntu Desktop and Ubuntu Server computers would be a good idea, some network environments consist of both Ubuntu and Microsoft Windows systems, and must work together in harmony. This chapter explains principles and tools used to configure Ubuntu Server to share network resources with Windows.
Successfully networking Ubuntu systems with Windows clients involves providing and integrating with services common to Windows environments. Such services assist the sharing of data and information about the computers and users involved in the network. One of the principal pieces of software that Ubuntu Server includes for Windows networking is the Samba suite. The following sections will explain some of the common Samba use cases and how to install and configure the necessary software.
One of the most common ways to network Ubuntu and Windows computers is to configure Samba as a file server. This section covers setting up a Samba server to share files with Windows clients.
To install Samba in the server, the following command must be entered.
Code Listing 109
$ sudo apt-get install samba
This command will download all necessary packages to install Samba, including software dependencies. When it is done, Samba will be ready to be configured.
The main Samba configuration file is located in /etc/samba/smb.conf. The file has a significant number of comments to document various configuration directives. This file consists of sections and parameters. Each section is identified with a name enclosed in brackets. There are three special sections: global (which allows parameters for the whole Samba server operation to be defined), homes, and printers. Each subsequent section in the file describes a shared resource, known as a share. The section name corresponds to the name assigned to the shared resource, and the parameters within the section define the shared resource’s attributes. A typical /etc/samba/smb.conf file should look like the following example.
Code Listing 110
[global]
   workgroup = WORKGROUP
   security = user
   netbios name = ubuntuserver
   server string = %h server (Samba, Ubuntu) %v

[sharedfolder]
   comment = Ubuntu File Server Share
   path = /srv/samba/sharedfolder
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0777

The meanings of the parameters included in the global section are explained in the following list:
The section named sharedfolder refers to a shared folder that will be visible to Windows clients. The parameters for this section are explained in the following list:
There must be a shared resource section for every folder that the user wants to be available for Windows clients. The same parameters apply for each subsequent section that is declared.
After the file /etc/samba/smb.conf is edited, all Samba services must be restarted to enable the new configuration. The following commands must be issued.
Code Listing 111
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
Now, the user should be able to browse the folder located in the server by typing \\ubuntuserver (the NetBIOS name) or \\<ipaddress> (e.g., \\192.168.0.23) at the address bar of the Windows File Explorer.
Samba can be used to share printers installed on an Ubuntu server.
Before configuring Samba to share printers, a working CUPS (Common UNIX Printing System) installation must be in the server. To install CUPS, the user must type the following command.
Code Listing 112
$ sudo apt-get install cups
Once CUPS is installed, the service will be started automatically.
Behavior of CUPS may be configured by editing the /etc/cups/cupsd.conf file. This file contains the directives needed to establish the appropriate settings to fit the user’s needs.
By default on Ubuntu Server, the CUPS server installation listens only in the loopback interface; that is, at IP address 127.0.0.1. It’s necessary to instruct CUPS to listen on the actual network interface’s IP address. For example, if the CUPS server resides in a computer whose network adapter has the IP address 192.168.0.35, the following example instructs CUPS server to listen on that address to make the server accessible to other computers on the network.
Code Listing 113
Listen 127.0.0.1:631             # existing loopback Listen
Listen /var/run/cups/cups.sock   # existing socket Listen
Listen 192.168.0.35:631          # Listen on the LAN interface, Port 631
Then, the CUPS server needs to be restarted.
Code Listing 114
$ sudo systemctl restart cups
To install a local printer, the user needs to download a printer driver package (.ppd, PostScript® Printer Description) file from the manufacturer’s website. Once the package is copied in a filesystem location, it can be installed using the CUPS lpadmin command, like in the following sample.
Code Listing 115
$ sudo /usr/sbin/lpadmin -p LaserJet -v parallel:/dev/lp1 -P /home/ubuntu-user/laserjet.ppd
The previous command will install a LaserJet printer (-p) in the parallel port LPT1 (-v), which is identified as /dev/lp1 in Ubuntu. The driver package laserjet.ppd (-P) will be used. This package is stored in the user’s home directory. The sample assumes that the user logged in is named ubuntu-user.
In order to share the printers in the server, the file /etc/samba/smb.conf must be edited to modify the printers section. The following sample configures Samba to allow any client on the local network to use the installed printers in the server, without prompting for a username and password.
Code Listing 116
[global]
   workgroup = WORKGROUP
   security = user
   netbios name = ubuntuserver
   server string = %h server (Samba, Ubuntu) %v

[printers]
   browsable = yes
   guest ok = yes
After the file /etc/samba/smb.conf is edited, all Samba services must be restarted to enable the new configuration.
Code Listing 117
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
According to the Common Internet Filesystem (CIFS) network protocol, two security levels are available: user-level and share-level. These modes are referenced in the Samba configuration file as follows:
To implement user-level security mode, the libpam-smbpass package must be installed to sync the system users to the Samba user database.
Code Listing 118
$ sudo apt-get install libpam-smbpass
Then, the file /etc/samba/smb.conf must be edited and the parameter guest ok of every section needs to be changed to no. Also, the configuration must establish that Ubuntu passwords and Samba passwords must be synchronized so the users can access the shares in the server.
Code Listing 119
[global]
   workgroup = WORKGROUP
   security = user
   netbios name = ubuntuserver
   server string = %h server (Samba, Ubuntu) %v
   obey pam restrictions = yes
   pam password change = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   unix password sync = yes

[sharedfolder]
   comment = Ubuntu File Server Share
   path = /srv/samba/sharedfolder
   browsable = yes
   guest ok = no
   read only = no
   create mask = 0777

[printers]
   browsable = yes
   guest ok = no
The previous example shows how the /etc/samba/smb.conf file should look in order to implement user-level security mode. The parameters added after server string ensure that the passwords for all server users match Samba user passwords. This must be configured so that connections are accepted when a Windows client attempts to connect to a share, and the password prompt dialog appears asking for credentials. Also, these parameters ensure that every time the user password is changed in Ubuntu Server, it is also changed in Samba.
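The difference between the guest-access and user-level configurations can be checked mechanically. The following Python sketch is an added example, not part of the original chapter: it parses smb.conf text and reports shares that still admit guests or whose create mask permits world-writable files. The sample configuration is constructed from the listings above, and the function names are illustrative.

```python
import configparser

# Constructed input: the share definitions from the guest-access listing above.
GUEST_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   server string = %h server (Samba, Ubuntu) %v
[sharedfolder]
   path = /srv/samba/sharedfolder
   guest ok = yes
   read only = no
   create mask = 0777
[printers]
   browsable = yes
   guest ok = yes
"""
# The user-level variant from the listing above: only "guest ok" changes.
USER_CONF = GUEST_CONF.replace("guest ok = yes", "guest ok = no")

TRUE = {"yes", "true", "1"}        # boolean spellings Samba accepts
NOT_SHARES = {"global", "homes"}   # special sections that are not a single share

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces removed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    # Strip indentation so configparser does not read lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): {"".join(k.split()): v for k, v in cp[s].items()}
            for s in cp.sections()}

def audit_shares(text):
    """List (share, finding) pairs for guest access and permissive create masks."""
    findings = []
    for share, p in parse_smb_conf(text).items():
        if share in NOT_SHARES:
            continue
        guest = p.get("guestok", "no").lower() in TRUE           # Samba default: no
        writable = p.get("readonly", "yes").lower() not in TRUE  # default: read only
        mask = int(p.get("createmask", "0744"), 8)               # Samba default: 0744
        if guest:
            findings.append((share, "guest write access" if writable
                             else "guest access"))
        if mask & 0o002:
            findings.append((share, "create mask %04o permits world-writable files" % mask))
    return findings

if __name__ == "__main__":
    for label, conf in (("guest", GUEST_CONF), ("user-level", USER_CONF)):
        print(label, audit_shares(conf))
```

On a live server, pass the contents of /etc/samba/smb.conf to audit_shares.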
Any time the configuration changes, Samba services must be restarted.
Code Listing 120
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
Now, every time a user tries to connect to the shared directories or printers, they will be prompted for a username and password and must supply their credentials to make the connection.
This security option allows the authentication of users against the Windows security infrastructure, so Samba reads the user’s database information from a Windows domain controller.
The first step is to install Winbind, the part of Samba that is responsible for integrating Windows authentication and the user database into Ubuntu.
Code Listing 121
$ sudo apt-get install samba winbind
Now, the /etc/samba/smb.conf needs to be edited.
Code Listing 122
[global]
   workgroup = WINDOWSDOMAIN
   security = DOMAIN
   netbios name = ubuntuserver
   server string = %h server (Samba, Ubuntu) %v
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = Yes

[sharedfolder]
   comment = Ubuntu File Server Share
   path = /srv/samba/sharedfolder
   browsable = yes
   guest ok = no
   read only = no
   create mask = 0777

[printers]
   browsable = yes
   guest ok = no
The workgroup setting of the previous configuration file is set to indicate the Windows domain (WINDOWSDOMAIN) that will be used. The security option instructs Samba to use the domain for its user and group database.
The Windows users and groups need to be mapped to Ubuntu Server, so winbind needs to be instructed which IDs can be used. This is accomplished by specifying a range for both user and group IDs. The idmap uid and the idmap gid settings establish the ranges for users and groups. These ranges can’t overlap those specified in the /etc/passwd and /etc/group files. In the previous configuration file, a range starting with 10,000 and ending with 20,000 is used for user and group IDs.
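The overlap rule for the idmap ranges can be verified before joining the domain. The following Python sketch is an added example, not part of the original chapter: it validates a range value and lists local accounts whose IDs fall inside it. The passwd and group samples are constructed (backupsvc is a hypothetical account), and the function names are illustrative.

```python
import re

# Constructed samples standing in for /etc/passwd and /etc/group on the server.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ubuntu-user:x:1000:1000::/home/ubuntu-user:/bin/bash
backupsvc:x:10050:10050::/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
backupsvc:x:10050:
nogroup:x:65534:
"""

def parse_range(value):
    """Parse 'low-high' from an idmap setting; reject malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError("not a low-high range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("range start %d is above its end %d" % (low, high))
    return low, high

def local_ids(db_text):
    """Map numeric ID -> name from passwd- or group-format text (third field)."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids

def idmap_conflicts(range_value, db_text):
    """Return (id, name) for local entries whose ID lies inside the idmap range."""
    low, high = parse_range(range_value)
    return sorted((i, n) for i, n in local_ids(db_text).items() if low <= i <= high)

if __name__ == "__main__":
    # Range taken from the idmap uid / idmap gid settings in the listing above.
    print("uid conflicts:", idmap_conflicts("10000-20000", PASSWD))
    print("gid conflicts:", idmap_conflicts("10000-20000", GROUP))
```

An empty result for both files means the range is safe to hand to winbind; a wider range should be rechecked, since system accounts such as nobody sit at high IDs.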
The winbind use default domain setting tells Samba that usernames don’t need to be prefixed with the domain (i.e., WINDOWSDOMAIN\username) from within Ubuntu, because the default domain will be assumed.
After saving the smb.conf file and before restarting Samba services, the user needs to join the server to the Windows domain. This can be done with the following command, where password corresponds to the Windows domain controller’s administrator password.
Code Listing 123
$ sudo net rpc join -Uadministrator%'password'
Now, the Samba services must be restarted.
Code Listing 124
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
In order to make Ubuntu use winbind in addition to the standard files (/etc/passwd and /etc/group) as a user and group database, the file /etc/nsswitch.conf must be edited, as in the following sample.
Code Listing 125
passwd: compat winbind
group:  compat winbind
hosts:  files dns winbind
After saving the file, winbind needs to know which user will initiate sessions in the domain controller. This can be set by issuing the following command, where password corresponds to the Windows domain controller’s administrator password.
Code Listing 126
$ sudo net setauthuser -U Administrator%'password'
The following command will display a list with the users of the Windows domain.
Code Listing 127
$ sudo wbinfo -u
This security type allows a computer with Ubuntu and Samba to participate in a Windows Active Directory domain as a member server, using Kerberos authentication.
First, the user needs to install Kerberos V5 in the system. The following commands accomplish this.
Code Listing 128
$ sudo apt-get install krb5-libs
$ sudo apt-get install krb5-workstation
$ sudo apt-get install krb5-server
$ sudo apt-get install krb5-user
Kerberos needs to be set up after installation. To do that, the /etc/krb5.conf file must be edited as in the following example (assuming the Active Directory domain name is syncfusion.com and Kerberos domain controller is installed in the computer with the IP 192.168.0.35).
Code Listing 129
[libdefaults]
   ticket_lifetime = 24h
   default_realm = SYNCFUSION.COM
   forwardable = true

[realms]
   SYNCFUSION.COM = {
      kdc = 192.168.0.35
      default_domain = SYNCFUSION.COM
   }

[domain_realm]
   .SYNCFUSION.COM = SYNCFUSION.COM
   SYNCFUSION.COM = SYNCFUSION.COM

[kdc]
   profile = /etc/krb5kdc/kdc.conf

[appdefaults]
   pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
   }

[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log
After that, the user needs to get a ticket for the Active Directory administrator user with the following command.
Code Listing 130
$ kinit Administrator
The system will ask for the administrator user password before executing this command. The following command can be used to check to see if a valid ticket was issued.
Code Listing 131
$ klist
The output for this command should look like the following.
Code Listing 132
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
27/03/2016 07:17   27/03/2016 17:17   krbtgt/[email protected]
        renew until 28/03/2016 07:17
The file /etc/nsswitch.conf must be edited to tell Ubuntu that Active Directory users are valid users, too. The passwd, shadow, and group lines should look like the following sample.
Code Listing 133
passwd: compat winbind
group:  compat winbind
shadow: compat winbind
Now, the user needs to set up Samba to support the domain by editing the /etc/samba/smb.conf file. This file should look like the following sample.
Code Listing 134
[global]
   workgroup = SYNCFUSION
   # Active Directory System
   security = ads
   realm = SYNCFUSION.COM
   # Just a member server
   domain master = no
   local master = no
   preferred master = no
   # Disable printing error log messages when CUPS is not installed.
   printcap name = /etc/printcap
   load printers = no
   idmap uid = 10000-99999
   idmap gid = 10000-99999
   idmap config SYNCFUSION:backend = rid
   idmap config SYNCFUSION:range = 10000-99999
   winbind enum users = yes
   winbind enum groups = yes
   # This way users log in with username instead of [email protected]
   winbind use default domain = yes
   # Inherit groups in groups
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind offline logon = true
   # Becomes /home/syncfusion/username
   template homedir = /home/%D/%U
   # No shell access
   template shell = /bin/false
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   restrict anonymous = 2
   log file = /var/log/samba/samba.log
   log level = 2
Now, all services must be restarted after saving the file.
Code Listing 135
$ sudo systemctl restart winbind
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
The server needs to join the domain. Having a valid Kerberos ticket, the following command should be executed.
Code Listing 136
$ sudo net ads join -U Administrator
The output for the previous command should look like the following.
Code Listing 137
Enter Administrator's password:
Using short domain name – SYNCFUSION
Joined 'HOSTNAME' to realm 'Syncfusion.com'
All services need to be restarted again.
Code Listing 138
$ sudo systemctl restart winbind
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
The following commands can be entered to list the domain users and groups.
Code Listing 139
$ sudo wbinfo -u   # lists all the users in the domain
$ sudo wbinfo -g   # lists all the groups in the domain
The following commands can be used to check if winbind is working correctly.
Code Listing 140
$ sudo getent passwd   # should return a list with all users on the local
                       # system and from the active directory
$ sudo getent group    # should return a list with all groups and their
                       # members, both from the local system and the
                       # active directory
In most scenarios, computer networks work with both Ubuntu Server or desktop computers and Windows computers. It’s necessary to make them work in harmony. One of the principal pieces of software that Ubuntu Server includes for Windows networking is the Samba suite. One of the most common ways to network Ubuntu and Windows computers is to configure Samba as a file server. This can be accomplished by executing the sudo apt-get install samba command.
After installation, Samba can be configured by editing the /etc/samba/smb.conf file. This file consists of sections and parameters. Each section is identified with a name enclosed in brackets. There are three special sections: global (which allows parameters to be defined for the whole Samba server operation), homes, and printers. Every additional section is known as a share and is intended to define a shared network resource, which will be accessed by Windows client computers. The name given to each of these additional sections corresponds to the name of the shared resource, and must be enclosed in brackets.
Each section in the /etc/samba/smb.conf file contains parameters. A parameter is a value that tells Samba how to behave according to the purpose of the section in which it is defined. An example of a parameter is workgroup, which indicates the name for the group of computers that belong to the network (e.g., softwareved), and it’s declared in the global section of the file.
The printers section of the /etc/samba/smb.conf file contains the parameters needed to browse and access all the printers installed in Ubuntu Server from a Windows client. In order to work with printers, a working CUPS (Common UNIX Printing System) installation must be in the server.
Finally, secure access to files and printers can be configured in Samba. There are three security levels to do that: user-level, domain, and ADS. User-level security mode forces every user who wants to access a shared resource to supply credentials (username and password) in order to be authenticated. Domain security level authenticates users against the Windows security infrastructure, so Samba reads users’ database information from a Windows domain controller. To use this security level, winbind must be installed and configured to tell Ubuntu that domain controller’s users are also valid users. Also, the /etc/samba/smb.conf needs to be edited to tell Samba that the domain security level will be used. The ADS security level allows a computer with Ubuntu and Samba to participate in a Windows Active Directory domain as a member server, using Kerberos authentication. Kerberos must be installed in the Ubuntu computer and configured by editing the /etc/krb5.conf file. Also, winbind and Samba must be configured to support the domain.