LinuxQuestions.org - Samba and Win2K

Quote:

Originally posted by synecdoche
On the Windows machine I have shared my C drive, and it is currently named C$.

No, you haven't. That is the administrative share, and it will not be accessible via Samba under normal circumstances. And since you don't have a public share on either computer, neither computer will show up in Network Places (that's normal behaviour).

The first thing you need to do is to create a regular share (right click on the folder you want to share, choose "Sharing" and then click the "New Share" button at the bottom of the dialog).

Give the share a name. Right now "Everyone" will have full permissions to control it (which is bad), but there's another step we'd have to do to change that (if you want to; it's optional, but highly recommended).

In any case, we now have a public share. Let's talk about how to connect to it first, before attempting to secure it to what small extent we can in fact secure it.

First, you must be sure that the Samba daemons (services) are running. They are called smbd and nmbd. They hopefully are set to run at startup, but you can always type smbd start and nmbd start in a console as root (do you know how to su to root? Fast tutorial further on, if not) to start them. Some distros also recognize samba start, but that seems to be distro-specific (as that's a script to start both daemons).

--------------------------------------------------------------------------------------------
Fast tutorial on how to gain root access from a user login (commonly called "su-ing to root"):

1) Open a terminal.

2) Type su and hit enter.

3) Type the root password at the Password: prompt and hit Enter. The password will not be echoed to the screen, even with stars, so type carefully.

4) If the password was correctly typed, the prompt should change from a "$" which indicates user access, to a "#" which indicates root access. All commands typed into this terminal window from this point on will be performed as if root had requested them. If this does not work (and you have correctly entered the root password), the problem is that the user is not a member of the wheel group; go to SuSE's User Management tool and add the user to that group, then try steps 2 and 3 again.

This is the most useful command in the entire Linux repository for a regular user, and is the reason why you should never have to log in as root under normal circumstances, as any command can be run after su-ing to root. The only times you should actually need to login as root are when your user login is broken, or the system as a whole will not boot.

-----------------------------------------------------------------------------------------------------------------------------

Once Samba is running, you need to tell it that your regular user is allowed to use it to connect to other servers. You do this by su-ing to root and typing smbpasswd -a -e <username_of_regular_user> <password_of_regular_user>. This will add and enable (-a, -e) your regular user to connect via Samba. If you intend to share files back to the Windows box (because you have a FAT32 partition on the Linux box that you mount to your $HOME directory), you will have to add the normal Windows user as a Linux user using the useradd command (read man useradd for more information), and then add them to smbpasswd as above. /etc/Samba/smb.conf will need additional entries to create shares on the Linux box, but that does not seem to be what you're trying to do atm, so we won't go into it.

Now that Samba is running and it knows that you can use it, we need to discuss the various ways to connect to the share, and decide if we want to secure it somewhat.

The thing is, Windows 2000 and XP are going to need a valid (Windows) username and password to allow connections to this share. That's not such a big deal-- unless you are going to try to connect to a printer on the Windows box. If so, the user who needs to connect to the printer needs admin privileges on the Windows box to connect to the printer, but Samba is going to send the printer authentication u/p in cleartext. Which means that if you were hacked, the hacker potentially has access to a valid Windows u/p which has admin privileges. That is kind of a big deal (imo), but maybe you don't need to do this.

But you still want to limit the access that any hacker (or unscrupulous person who has physical access to your computer) might have to the other boxes on the network. And since your normal Windows user will be logged in to the other computer (it has to be on and logged in for you to connect to it via SAMBA, after all), you (as the Windows Administrator) will have to create one or more new users to the Windows box and set the permissions for any shared folders to limit that new user's access to only those folders (insofar as Windows limits access at all, which it really doesn't. But let's pretend). For this reason, I would suggest not creating your normal Linux user as a Windows user (any unscrupulous person who manages to hack the u/p would then have access to both boxes), and certainly not using the root user (as then any unscrupulous person would have complete access to the Linux box and a fair amount of access to the Windows box as well).

So create 2 "junk" users (if you're going to be using a Windows printer; only one if you aren't). If you are going to be using a Windows printer, one user needs to have Admin privileges; iirc the one who connects to the share does not (or you could use the "guest" account to connect to the share). If you are creating a user with Admin privileges, go back to the Share configuration of the shared folder(s) and change the "Permissions" for the share from the default of "Everyone" (remove that setting) and Add the specific user who will be connecting (meaning the other one, who will be listed in the lower half of the dialog). Give the user as much control as you feel necessary.

This will not protect you all that much, as Windows user privilege separation flatly sucks, but one does what one can. At least any hackers will have to work for it a little, and it will hopefully eliminate many script kiddies or casual pranksters who don't actually know what they're doing :) .

OK, let's connect to the share.

You can do this via several different command-line tools (mount, smbclient), through boot configuration (editing /etc/fstab, or through D(esktop)E(nvironment) GUI tools such as the Nautilus SMB browser (kinda broken), the GNOME Samba browser, or Konqueror, but I prefer to mount the shared network drives at startup using LinNeighborhood, so that's what I'll tell you about.

You most likely have LinNeighborhood installed, SuSE being a big commercial distro (Mandrake at least installs it with both GNOME and KDE-- if not, install it with YAST).

Run it from the menu or by running LinNeighborhood in a terminal. Before mounting any shares, configure the program by going to Edit=>Preferences. Set the Workgroup name to the correct workgroup, and I would suggest checking the "Always scan as user", "Groups scan as user" and "ask user/password once" checkboxes. Go to the "Miscellaneous" tab and set the default user to the "junk" username you created earlier (or guest if you're using that), put that user's password in the default password box (or leave it blank if you're using the guest account), and check the "Save Default Password" box.

You will most likely want to mount the share to your $HOME$ directory (so you don't have to be browsing all through the filetree whenever you want to play an MP3), so you might want to 1) check the "Use RootMountDir/machine/share as default mount point" checkbox, and also 2) edit the RootMountDir in the edit field below that. If that seems like it's going to be a good mount point for your purposes, then you can also check the "Don't show mount dialog, use defaults" checkbox, but I like to use it anyway since I want to have the mount point as RootMountDir/share, without the machine name interfering (I know the machine name), but depending on how many machines or shares you connect to, it might be useful to group them in this way.

"Replace spaces with underscores in mount path" is a useful option (Linux doesn't like spaces in pathnames all that much, but it is an optional setting), as is "Delete mount points on unmount", but the most important option here is "Memorize mounted shares and remount on startup". This is the one that makes it all worthwhile, as you'll see shortly.

Save your settings, get out of the dialog, and close and reopen LinNeighborhood so the new settings are implemented. You should see your workgroup displayed. Double-click it, and a u/p dialog should pop up, already filled in (if the password is not filled in, fill it in). Hit OK and the other machine(s) should come up, click on one to display the shares for that machine.

Select one of the shares, right-click it, and choose "mount". If you did not select "Don't show mount dialog, use defaults", the mount dialog will appear, giving you the opportunity to adjust the mount point, change the ownership and group ownership if desired, and also change the permissions for newly created files and folders within the mount point. When finished editing, click OK, and the drive/partition/folder will be mounted.

So at this point, you're good to go except for one little thing-- that "Memorize mounted shares and remount on startup" refers to LinNeigborhood startup, not system startup, so we'll need to add LinNeighborhood -m to our startup programs to run LinNeighborhood minimized, so it will remount the shares, and then exit.

If you use KDE, go to ~/.kde/Autostart (the .kde folder is hidden-- that's what the dot in front of the name means-- so turn on "Show hidden files and folders in Konqueror to see it), right-click and create a new launcher pointing to LinNeighborhood -m.

If you use GNOME, go to the Gnome Control Center=>Desktop Preferences=>Advanced=>Sessions and in the third tab (Startup Programs), Add LinNeigborhood -m.

If you use another DE or WM, you likely know already how to set a startup program for it, besides, I can't tell you without knowing what it is. However, I will say that I use Openbox, and I just have a little script that runs all my startup programs when I select Openbox from the login manager, so that would likely be the solution for you as well, if you needed it.

Anyway, that's it, you never have to configure or mount your network files manually again, they will be mounted invisibly on login and you can use them normally, just as if they were on your own drive.

Hope this answers your question and solves your problem :D .