| Intro | Install | Configure | Troubleshoot | Optimize | PDC | Security |
David Lechnyr <david@lechnyr.com>
Mon, 19 May 2003 09:24:02 -0700
"All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1975
Samba binaries are available for many popular platforms. You can install them from your vendor's distribution CD or download them from the Samba website at http://pserver.samba.org/samba/ftp/Binary_Packages/. You'll have to substitude the package name/versions with the current ones available from your distro.
Using RPM (RedHat, Mandrake, etc.), you can install Samba with something like:
# rpm -Ivh samba-[version].rpm samba-client.rpm samba-common.rpm samba-swat.rpm
Using APT (Debian, SUSE, etc.), you can install Samba with:
# apt-get install samba samba-common smbclient smbfs swat \ winbind libsmbclient libsmbclient-dev libpam-smbpass
Using Slackware Linux, you can install Samba with:
# installpkg samba-[version].tgz
Our first goal is to download the source code, which is available in many different formats, including ftp, http, rsync, cvs, and cvsweb.
The Samba source code is available via ftp and http. The ftp site is available at ftp://pserver.samba.org/pub/samba. The http site is available at http://pserver.samba.org/samba/ftp/. A list of mirror sites for downloading Samba is available at http://pserver.samba.org/samba/.
The Samba Team uses CVS (Concurrent Versioning System) to "check-in" (also known as "commit") new source code. You can access the Samba CVS repository using the command-line cvs client or use a web browser (Cvsweb).
To gain access via anonymous cvs you'll need a recent version of the cvs client binary. If your distribution doesn't provide a cvs client, you can download one from http://www.cyclic.com/. Using the command-line cvs client gives you much more control over you can do with the repository and allows you to check out whole source trees and keep them up to date via normal cvs commands. This is the preferred method of access if you are a developer and not just a casual browser.
To access cvs, run the command:
cvs -d :pserver:cvs@samba.org:/cvsroot login
When it asks you for a password type: cvs
Now that you've accessed the cvs server, you can download the latest Samba 3.0 source code (also know as the HEAD tagged cvs branch) using:
cvs -d :pserver:cvs@samba.org:/cvsroot co samba
This will create a directory called "samba" containing the latest Samba 3.0 source code. If you'd rather download the latest 2.2 source code, you could instead use:
cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba
Regardless of which version of the release code you download, you can merge in any of the latest code changes using the following command from within the samba directory:
cvs update -d -P
You can also access the source code using a standard web browser. This allows you to access the contents of individual files in the repository and also to look at the revision history and commit logs of individual files. You can also ask for a diff listing between any two versions on the repository. To access CVS via cvsweb, simply go to http://cvs.samba.org/cgi-bin/cvsweb/.
Additional documentation on accessing Samba vis CVS is available at http://pserver.samba.org/.
pserver.samba.org also exports unpacked copies of most parts of the CVS tree at ftp://pserver.samba.org/pub/unpacked and also via anonymous rsync at rsync://pserver.samba.org/ftp/unpacked/. See the rsync homepage for more info on rsync.
The disadvantage of the unpacked trees is that they do not support automatic merging of local changes like CVS does. rsync access is most convenient for an initial install.
In these days of insecurity, it's strongly recommended that you verify the PGP signature for any source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of all Samba downloads have had a corresponding PGP signature download (a very low percentage, which should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP signatures should be a standard reflex.
You'll need a recent version of PGP or GPG in order to verify the file signatures. GPG is available at http://www.gnupg.org.
For example, if you are downloading Samba 2.2.8a, you will want to download the file's corresponding PGP key along with the main Samba Distribution Key:
$ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc
The first file is the PGP signature for the Samba source file; the other is the Samba public PGP key itself. Import the main Samba Distribution Key with:
$ gpg --import samba-pubkey.asc
Next, you can verify the Samba source code integrity with:
$ gzip -d samba-2.2.8a.tar.gz $ gpg --verify samba-2.2.8a.tar.asc
If you receive a message like, "Good signature from Samba Distribution Verification Key..." then all is well. The warnings about trust relationships can be ignored. An example of what you would not want to see would be:
Since we've verified the file's PGP signature, we need to now untar the remaining archive:
$ tar xf samba-[version].tar $ cd samba-[version] $ cd source
Next, you need to configure the Samba package for your operating system. To see what additional options are available, you can run:
$ ./configure --help
Most people will just want to simply run:
$ ./configure
This will configure Samba to be installed in /usr/local/samba, which requires a brief explanation. The current file locations for Samba are steeped in historical precedence. Developers tend to prefer to have everything in one place (/usr/local/packagename) as they tend to "blow away" the directory several times during a day as part of development. It also allows administrators to consolidate the locations of individual software packages and to easily locate the files needed to back up prior to upgrading. For these reasons, it's generally considered a good idea to avoid the lofty ideals of the GNU/FHS filesystem layouts and to install all compiled software in /usr/local/ instead (i.e., not /usr).
For those still interested in configuring Samba using the FHS (Filesystem Hierarchy Standard) layout, you can use:
$ ./configure --with-fhs --prefix=/usr --sysconfdir=/etc --localstatedir=/var
For the more experienced administrator, you might be interested in trying something like:
$ CFLAGS="-O2 -march=pentium3 -fomit-frame-pointers -pip3" \ ./configure --with-smbmount
The info(1) page on gcc 3.2 has this to say about architecture:
`-mcpu=CPU-TYPE' Tune to CPU-TYPE everything applicable about the generated code, except for the ABI and the set of available instructions. The choices for CPU-TYPE are `i386', `i486', `i586', `i686', `pentium', `pentium-mmx', `pentiumpro', `pentium2', `pentium3', `pentium4', `k6', `k6-2', `k6-3', `athlon', `athlon-tbird', `athlon-4', `athlon-xp' and `athlon-mp'. While picking a specific CPU-TYPE will schedule things appropriately for that particular chip, the compiler will not generate any code that does not run on the i386 without the `-march=CPU-TYPE' option being used. `i586' is equivalent to `pentium' and `i686' is equivalent to `pentiumpro'. `k6' and `athlon' are the AMD chips as opposed to the Intel ones. `-march=CPU-TYPE' Generate instructions for the machine type CPU-TYPE. The choices for CPU-TYPE are the same as for `-mcpu'. Moreover, specifying `-march=CPU-TYPE' implies `-mcpu=CPU-TYPE'.
The info page on gcc 3.2 has this to say about optimization:
`-O',`-O1' Optimize. Optimizing compilation takes somewhat more time, and a lot more memory for a large function. Without `-O', the compiler's goal is to reduce the cost of compilation and to make debugging produce the expected results. Statements are independent: if you stop the program with a breakpoint between statements, you can then assign a new value to any variable or change the program counter to any other statement in the function and get exactly the results you would expect from the source code. With `-O', the compiler tries to reduce code size and execution time, without performing any optimizations that take a great deal of compilation time. `-O2' Optimize even more. GCC performs nearly all supported optimizations that do not involve a space-speed tradeoff. The compiler does not perform loop unrolling or function inlining when you specify `-O2'. As compared to `-O', this option increases both compilation time and the performance of the generated code. `-O2' turns on all optional optimizations except for loop unrolling, function inlining, and register renaming. It also turns on the `-fforce-mem' option on all machines and frame pointer elimination on machines where doing so does not interfere with debugging. Please note the warning under `-fgcse' about invoking `-O2' on programs that use computed gotos. `-O3' Optimize yet more. `-O3' turns on all optimizations specified by `-O2' and also turns on the `-finline-functions' and `-frename-registers' options. `-O0' Do not optimize. `-Os' Optimize for size. `-Os' enables all `-O2' optimizations that do not typically increase code size. It also performs further optimizations designed to reduce code size. If you use multiple `-O' options, with or without level numbers, the last such option is the one that is effective.
The info page on gcc 3.2 has this to say about pipes:
`-pipe' Use pipes rather than temporary files for communication between the various stages of compilation. This fails to work on some systems where the assembler is unable to read from a pipe; but the GNU assembler has no trouble.
The info page on gcc 3.2 has this to say about frame pointers:
`-fomit-frame-pointer' Don't keep the frame pointer in a register for functions that don't need one. This avoids the instructions to save, set up and restore frame pointers; it also makes an extra register available in many functions. *It also makes debugging impossible on some machines.*
If you want to compile Samba with Active Directory support, you need to use Samba 3.0 and the MIT kerberos development libraries (the heimdal libraries will not work) and the OpenLDAP development libraries. If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR. After you run configure make sure that
#define HAVE_KRB5 1 #define HAVE_LDAP 1
If it doesn't then configure did not find your krb5 libraries or your ldap libraries.
Look in
Regardless of the configuration options you choose, it's worth noting that if you get the error message:
bash: ./configure: No such file or directory
...then you're in the wrong directory. Change into the "source" subdirectory of the Samba package and run "./configure" again.
Once you have run "./configure", you're ready to build and install the binaries:
$ make # make install
Note that if you are upgrading for a previous version of Samba you might like to know that the old versions of the binaries will be renamed with a ".old" extension. You can go back to the previous version with
# make revert
In keeping with good practice, you should make sure that you keep a copy of all the Samba documentation:
# cd samba-[version] # mkdir -p /usr/local/doc/samba-[version] # echo cp -fau `ls -1Ab | egrep "^[A-Z]"` /usr/local/doc/samba-[version]/ | sh # cp -fa docs /usr/local/doc/samba-[version]/
You must choose to start smbd and nmbd either as daemons or from
To run Samba as a Daemon, make sure your
netbios-ns 137/udp #NETBIOS Name Service (used by nmbd) netbios-dgm 138/udp #NETBIOS Datagram Service (used by nmbd) netbios-ssn 139/tcp #NETBIOS Session Service (used by smbd) microsoft-ds 445/tcp #Direct-Hosted Service (used by smbd)
And launch the daemons with:
# /usr/local/samba/bin/smbd -D # /usr/local/samba/bin/nmbd -D
The main advantage of starting
If you'd like to automate this process with a startup script, you can try:
#!/bin/sh
# Start/stop/restart samba
samba_start() {
if [ -r /usr/local/samba/lib/smb.conf ]; then
echo -n "Starting: smbd"
/usr/local/samba/bin/smbd -D
echo " nmbd"
/usr/local/samba/bin/nmbd -D
else
echo "$0: Cannot start Samba"
fi
}
samba_stop() {
echo "Stopping: smbd nmbd"
killall smbd nmbd
}
samba_restart() {
samba_stop
sleep 1
samba_start
}
case "$1" in
'start')
samba_start
;;
'stop')
samba_stop
;;
'restart')
samba_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
Make sure to
To run Samba from inetd, modify your
netbios-ssn stream tcp nowait.400 root /usr/local/samba/bin/smbd smbd netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
If you're feeling daring, you can try running Samba via port 445/tcp only using a
method called "Direct-Hosted". Note that this method is not as widely tested (or supported)
as running a traditional install of Samba. Note that only Windows 2000/XP/2003 support this
method of connecting to Samba, so if you have other clients this option is not one that you
should use. Modify your
microsoft-ds stream tcp nowait.400 root /usr/local/samba/bin/smbd smbd
Please be aware that using Direct-Hosted 445/tcp excludes the use of NetBIOS naming conventions! Instead, you must use the explicit IP address of the server instead. For example:
NET USE * \\192.168.1.1\sharename
A few other items to be aware of when using Samba to listen to port 445/tcp:
Shortcuts to programs on the network will issue a security warning when run, as Windows believes you are trying to run a program across the Internet.
The Samba variable %L will no longer resolve to the NetBIOS name of the server
...Probably many others...
Regardless of the options you use for
# killall -HUP inetd
You can modify your xinetd configuration file to include:
service netbios-ns
{
socket_type = dgram
protocol = udp
wait = yes
user = root
group = root
server = /usr/local/samba/bin/nmbd
}
service netbios-ssn
{
socket_type = stream
protocol = tcp
wait = no
user = root
group = root
server = /usr/local/samba/bin/smbd
}
Copyright © 2003 David Lechnyr <david@lechnyr.com>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free
Software Foundation. A copy of the license is available at http://www.gnu.org/licenses/fdl.txt.
| Intro | Install | Configure | Troubleshoot | Optimize | PDC | Security |