Concerns over the patent agreement reached as part of Novell and Microsoft’s deal has motivated Allison to submit his resignation to Novell. A copy of the letter posted at Groklaw highlighted the conflict Allison sees with the deal:

Samba is one of those open source works that made system administrators truly excited over the past decade. With Samba, a system running the Linux operating system could be configured to handle print and file duties for Windows desktop clients, and do so invisibly to the users on the network.

That meant older hardware could be packed with voluminous hard drives and a copy of Linux for far less expense than a newer system complete with Microsoft licenses to act in the same capacity. Samba might be the most significant project to emerge over the years, save Linux and the Apache web server.

Samba’s supporters have protested the Novell-Microsoft agreement almost since it was made public. On November 12th, the Samba team announced its strong disapproval, and called the deal an exchange of “the long term interests of the entire Free Software community for a short term advantage for Novell over their competitors.”

Allison will move on, and land at Google, as Mary Jo Foley of Microsoft Watch learned from him. It’s an interesting development, considering Google’s reputation for lengthy interviews and lead times between interviews and job offers.

But like other notable Googlers Guido van Rossum, the creator of the Python language, and Vint Cerf, the father of the Internet, Allison brings a pretty solid reputation to the mix, so fast-tracking his move to Mountain View probably became a priority for Google. It should be a win for Samba’s devotees as well.

—

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews:

David Utter is a staff writer for WebProNews covering technology and business.

The two top search companies made some moves that were very much in the spirit of the holiday season. First, Google played Father Christmas to a pair of organizations with pledges of annual financial support for their efforts.

Developers behind the Samba project will enjoy Google’s favor to the tune of $20,000. Samba software provides file and print services across operating system platforms, allowing for example Windows clients to connect to a Linux system for those services.

“This is fantastic news for the Samba project” said team member Andrew Tridgell, “and will allow us to provide more support for developers who could not otherwise afford the travel expenses to attend conferences.”

Creative Commons received a donation from Google, in the amount of $30,000 just in time for the group’s fundraising drive. The organization develops licenses for content that creators can use to reserve some rights to their work while permitting others to use and share that content without the threat of a lawsuit.

Ryan Carter at Download Squad wrote how the donation is “a vote of confidence for the work of the chartiable CC.”

“This doesn’t surprise me too much, since Google has been at least sympathetic to the open-source camp,” Carter said. “I don’t for a minute simply dismiss the idea that Google most likely has ulterior motives, because they could, but sometimes companies do nice things for others.”

—

Add to Del.icio.us | Digg | Reddit | Furl

Bookmark WebProNews:

David Utter is a staff writer for WebProNews covering technology and business.

You NEED to set “encrypted passwords = Yes” in smb.conf (or Swat if you prefer to use that to configure Samba). If you don’t, Samba is going to refuse modern Windows clients.

If using Swat, you can’t just fill in a name and password if the user doesn’t already exist. You have to ADD the user. If you just put in a name and password, Swat doesn’t complain, but nothing gets added to smbpassword.

User names added to Samba MUST be Unix users already.

This seems to confuse folks: you can have a file that maps Windows names to Unix/Samb logins. For example:

root = administrator
linda = lfrench

If you do that, you probably want to set the samba passwords to match what they are being mapped from. So in this case, we’d probably set root’s samba password to match the Windows “administrator”, and linda’s password would be set to match her Windows “lfrench” password. You don’t HAVE to do that (you can use “connect as a different user”) but it may make things less confusing.

If you are having confusing trouble, set “log level = 2″ and check the logs. Where are the logs? Wherever smb.conf says they are.

*Originally published at APLawrence.com

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

I’m going to use an example from a real situation involving an XP user and a SCO Visionfs network. The concepts of this apply to Linux, Mac, Samba: it doesn’t really matter.

The Network
The network consists of Windows 98 and XP machines and Unix/Linux servers. The major application is client/server accounting application running on the Unix box. There is a Linux mail server also. File and print services are provided by Visionfs on the Unix box.

Users need passwords for several functions here:

• Logging in to their Windows desktop
• Accessing the accounting application
• Accessing their POP email
• Accessing shared files on the Unix server
• Using shared printers on the Unix server

Logins and Passwords
Most of the machines are Windows 98 and store no data of any importance. These are set up for normal windows login (no domain controller). Anyone can walk up to any machine and create a Windows login name, so there is no security. This is actually deliberate and convenient, as it is often necessary for people to access the internet or the accounting application while not at their own desk. Some machines are Windows XP where only the administrator of that machine can create a login. These machines typically have more sensitive data and are used by managers. However, as older machines are phased out, XP is the usual replacement, and a “guest” login is used when the machine needs to have general access.

The accounting application requires a separate login name and password. These are completely unrelated to any other names or passwords. The accounting administrator assigns and maintains these.

Email also has its own names and passwords. These are maintained by the email administrator, though users are allowed to change their own passwords.

Access to files and printers on the Unix box is by Visionfs. There are other utilities that could do this: Samba and Facetwin for example. These all have different administration techniques, but the common point here is that the Windows login name and password is what will determine access to the files and printers.

The new XP user
A Windows 98 machine was replaced by a new XP box. The user set it up himself, and successfully installed the accounting application client, and configured his email. He had access to the internet, the accounting application, and email, but couldn’t access shared files or printers.

The major reason he couldn’t do this was because he didn’t realize that his Windows login name was important. On the old Windows 98 box, it had just been “bobf” and he had a password of “aM2133″. When he installed XP, he used the same password, but spelled out his name as “Bob Franklin”. Visionfs has nothing in its database that knows that “Bob Franklin” is the same as the “bobf” it does know. There is a way in Visionfs and similar products to map “Bob Franklin” to “bobf”, so I did that, but (not entirely unexpectedly) it still didn’t give him access. The problem has been seen and reported before: http://www.pcunix.com/Bofcusm/1820.html and http://www.pcunix.com/Bofcusm/1807.html

In this case, the previous name was “Administrator”, so I added another mapping of “Administrator” to “bobf”. I also renamed the XP account to “bobf”, which meant that I really didn’t need to map “Administrator”, but I felt this would just happen again somewhere down the line, and since all users have the same access permissions on the Unix box, there’s no harm in the mapping.

Incredibly enough, this STILL didn’t work. Looking more closely revealed that the Visionfs password for “bobf” apparently was not “aM2133″, so I had to reset that password (/usr/vision/bin/visionfs password –amend bobf aM2133).

Note that at this point his original Unix login of “bobf” and whatever password that was is totally unimportant: Visionfs doesn’t care, and neither does the accounting application or the Linux email server. That login is not used for anything at all. Very often that’s where the confusion comes from with programs like Visionfs or Samba – it is THEIR passwords (matched against the Windows login) that determine access. While their may or may not be procedures or software in place that keeps all these passwords consistent, the important thing to understand is that these products keep their own databases of users and passwords. It is that database that will be searched to match what the Windows machine sends.

This article appeared at APLawrence.com

Please read this disclaimer
Copyright and Reprint Info

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

In this appendix, we’ll tell you how to set up SMB file and printer shares, enable client user access, and monitor activity. Our specific focus is on Mac OS X Server 10.2.

Setup Procedures

The first thing to note is that the procedure described in Chapter 2 using System Preferences to enable Samba does not apply to Mac OS X Server. Unlike Mac OS X, the Sharing pane of System Preferences does not include an option to turn on Windows File Sharing. Instead, there is a set of applications to configure, activate, and monitor services: Workgroup Manager, Server Settings, Server Status, and Open Directory Assistant, all located in the directory /Applications/Utilities.

TIP: In addition to being installed with Mac OS X Server, these and other administrative applications are included on a separate installation CD-ROM sold with the operating system. They can be used to manage Mac OS X Server systems remotely from any Mac OS X machine.

For more information, refer to the Mac OS X Server Administrator’s Guide, included as a PDF file in the /Library/Documentation/MacOSXServerdirectory, and also downloadable from Apple Computer’s web site at http://www.apple.com/server/.

Briefly, the procedure for setting up SMB file and printer shares is as follows:

1. Designate share points in Workgroup Manager for file sharing.
2. Set up print queues in Server Settings for printer sharing, and activate Printer Service.
3. Configure and activate Windows Services in Server Settings.
4. Activate Password Server and enable SMB authentication in Open Directory Assistant.
5. Enable Password Server authentication for user accounts in Workgroup Manager.
6. Monitor file and print services with Server Status.

Sharing Files

The first step to enable SMB file sharing is to designate one or more share points. Share points are folders that form the root of shared volumes for any of the protocols supported by Mac OS X Server: Apple Filesharing Protocol (AFP), Network Filesystem (NFS), File Transfer Protocol (FTP), and SMB.

To designate a share point, launch Workgroup Manager. You will be prompted for the local or remote server’s hostname or IP address, as well as for a username and password; this process is required by all the Mac OS X Server administrative applications. Once Workgroup Manager is open, click the Sharing button in the toolbar. The list on the left, under the Share Points tab, displays currently defined share points. To add a new one, click the All tab, and navigate to the folder you want to share.

On the right, under the General tab, check the box labeled Share this item and its contents, change the ownership and permissions if desired, then click the Save button. Next, under the Protocols tab, select Windows File Settings from the pop-up menu, and ensure that the box labeled Share this item using SMB is checked. At this point, you can also decide whether to allow guest access to the share, change the name of the share displayed to SMB clients, or set permissions for files and folders created by SMB clients. Click the Save button when you’re finished making changes. See Figure F-1.

Figure F-1. Workgroup Manager: Share Points and Windows File Settings

Sharing Printers

Printer shares are set up differently. First, launch Server Settings; under the File & Print tab, select Print, then Configure Print Service…. Check the box labeled Automatically share new queues for Windows printing. Next, click the Print icon again and then Show Print Monitor. Make sure the printers you want to share are listed. Printers directly attached to the server should have queues created automatically, but remote printers you wish to reshare must be added by clicking New Queue and discovering or specifying the printers. When you’re finished, click Save, select the Print icon one more time, and select Start Print Service. See Figure F-2.

Figure F-2. Server Settings: Print Service

TIP: Server Settings will make local printers available for sharing only if they’re PostScript compatible. Unfortunately, many printers, including consumer-grade USB inkjet printers, aren’t. If you want to make one of these printers available to SMB clients, you can still add the share to /etc/smb.conf yourself with a text editor. See “Rolling Your Own” later in this chapter for instructions and caveats related to making manual changes to smb.conf.

Configuring and Activating Services

At this point, neither the file shares nor the printer shares are available to SMB clients. To activate them, click the Windows icon in Server Settings, and click Configure Windows Services…. Under the General tab, you can set the server’s NetBIOS hostname, the workgroup or Windows NT domain in which the server resides, and the description that gets displayed in a browse list. You can also specify the code page for an alternate character set. Finally, you can enable boot-time startup of Samba. See Figure F-3.

Figure F-3. Server Settings: Windows Services

The Windows Services Access tab offers options to enable guest access and limit the number of simultaneous client connections; under the Logging tab, you can specify the verbosity of your logging. With options under the Neighborhood tab, you can configure your machine as a WINS client or server or have it provide browser services locally or across subnets.

When you’ve finished configuring Windows Services, click the Save button, then click the Windows icon in Server Settings, and select Start Windows Services. This starts the Samba daemons, enabling access from SMB clients.

Activating Password Server

Now that you’ve set up file and printer shares, you need to make sure users can properly authenticate to access them. In Mac OS X Server, this is accomplished with the Open Directory Password Server, a service based on the Simple Authentication and Security Layer (SASL) standard and usable with many different authentication protocols, including the LAN Manager and Windows NT LAN Manager (NTLM) protocols. This section describes how to support SMB client authentication, but for more information on what Password Server does and how it works, see the Mac OS X Server Administrator’s Guide.

To enable Password Server or merely check its settings, start the Open Directory Assistant. Unless you wish to change any of the settings, just click the right arrow button in the lower-right corner of the window until you get to the first Security step. At this point, activate Password Server by selecting the option marked Password and authentication information will be provided to other systems. The next step displays the main administrative account, and the one after that gives you a choice of authentication protocols to enable (see Figure F-4). Make sure that SMB-NT is checked, and check SMB-Lan Manager if you have Windows 95/98/Me or older clients. The final step saves the Password Server configuration and prompts you to reboot.

Figure F-4. Password Server authentication protocols

Enabling Password Server

To enable the use of Password Server for a user account, launch Workgroup Manager, and click the Accounts button in the toolbar. Under the Users tab on the far left (with the silhouette of a single person), select the account, and under the Advanced tab on the right, select Password Server for the User Password Type (see Figure F-5). You are prompted to enter a new user password to be stored in the Password Server database. After saving the account configuration, the user can authenticate and access shares from an SMB client.

Figure F-5. Workgroup Manager: Enabling Password Server authentication

Monitoring Services

Once you’ve got everything working, you’ll want to keep an eye on things. The Server Status application gives you views into the various services provided by Mac OS X Server. For Windows Services, you can see the current state of the service, browse the logs (located in the directory /Library/Logs/WindowsServices), display and terminate individual connections, and view a graph of connections over time (see Figure F-6). Similar information is provided for Print Service.

Figure F-6. Server Status: Windows Services

Configuration Details

Underneath the GUI, a lot of activity takes place to offer Windows Services. In the non-Server version of Mac OS X, selecting Windows File Sharing sets the SMBSERVER parameter in /etc/hostconfig and triggers the Samba startup item. In Mac OS X Server, under normal circumstances the Samba startup item and the SMBSERVER parameter are never used.

Instead, a process named sambadmind generates /etc/smb.conffrom the configuration specified in Server Settings and Workgroup Manager and handles starting and restarting the Samba daemons as necessary. The sambadmind process is in turn monitored by watchdog, which keeps an eye on certain processes and restarts those which fail. The watchdog utility is configured in /etc/watchdog.conf, a file similar to a System V inittab, which specifies how the services under watchdog’s purview are to be treated. For example, the line for sambadmind looks like this:

sambadmin:respawn:/usr/sbin/sambadmind -d # SMB Admin daemon

Using a watchdog-monitored process such as sambadmind to start the Samba daemons, instead of a one-time execution of a startup item, results in more reliable service. In Mac OS X Server, if a Samba daemon dies unexpectedly, it is quickly restarted. (Examples of other services monitored by watchdog are Password Server, Print Service, and the Server Settings daemon that allows remote management.)

There’s another wrinkle in Mac OS X Server: the Samba configuration settings are not written directly to /etc/smb.conf, as they are in the non-Server version of Mac OS X. Instead, they’re stored in the server’s local Open Directory domain, [1] from which sambadmind retrieves them and regenerates smb.conf. For example, the Samba global parameters are stored in /config/SMBServer (see Figure F-7). Share point information is also kept in Open Directory, under /config/SharePoints, while CUPS takes responsibility for printer configuration in /etc/cups/printers.conf (also creating stub entries used by Samba in /etc/printcap).

Figure F-7. NetInfo Manager: SMBServer properties

Table F-1 summarizes the association of Windows Services settings in the Server Settings application, properties stored in Open Directory, and parameters in /etc/smb.conf.

Table F-1: Samba configuration settings in Mac OS X Server

Rolling Your Own

When making manual changes to the Samba configuration file, take care to block changes initiated from graphical applications by invoking this command:

# chflags uchg /etc/smb.conf

From that point on, the GUI will be useful only for starting, stopping, and monitoring the service–not for configuring it.

If you install your own version of Samba, you can still manage it from Server Settings by changing some of the Open Directory properties in /config/SMBServer.

To do this, open NetInfo Manager and modify the samba_sbindir and samba_bindir properties to match the location of your Samba installation. Optionally, you can modify samba_libdir, samba_vardir, and samba_lockdir. Assuming a default Samba installation, you can also change these at the command line with the following commands:

# nicl . -create /config/SMBServer samba_sbindir /usr/local/samba/bin
# nicl . -create /config/SMBServer samba_bindir /usr/local/samba/bin
# nicl . -create /config/SMBServer samba_libdir /usr/local/samba/lib
# nicl . -create /config/SMBServer samba_vardir /usr/local/samba/var
# nicl . -create /config/SMBServer samba_lockdir /usr/local/samba/var/locks

You can check your settings with this command:

# nicl . -read /config/SMBServer

In Server Settings, select Stop Windows Services, then run this command:

# killall sambadmind

The watchdog utility restarts sambadmind within seconds. Finally, go back to Server Settings, and select Start Windows Services.

If you don’t modify Open Directory properties to match your active Samba installation (because you wish to manage your configuration another way), be sure never to activate Windows Services from the Server Settings application, or you’ll wind up with two sets of Samba daemons running concurrently.

1. In versions of Mac OS X prior to 10.2, Open Directory domains were called NetInfo domains. NetInfo Manager (located in /Applications/Utilities) provides a graphical interface to view and modify the contents of Open Directory databases. For more information, see the Mac OS X Server Administrator’s Guide, as well as Understanding and Using NetInfo, downloadable from the Mac OS X Server resources web page at http://www.apple.com/server/resources.html.

Note: Leon Towns-von Stauber contributed the material in this excerpt on “Running Samba on the Mac OS X Server” for Appendix F of Using Samba, 2nd Edition.

Originally appeared at ONLamp.com (http://www.onlamp.com/pub/a/onlamp/excerpt/samba_appendix/index.html)

Using Samba, Second Edition – Using Samba, Second Edition is a comprehensive guide to Samba administration. This new edition covers all versions of Samba from 2.0 to 2.2, including selected features from an alpha version of 3.0, as well as the SWAT graphical configuration tool. Updated for Windows 2000, ME, and XP, the book also explores Samba’s new role as a primary domain controller and domain member server, its support for the use of Windows NT/2000/XP authentication and filesystem security on the host Unix system, and accessing shared files and printers from Unix clients.